a lattice-based changeable threshold multi-secret...

10

Upload: others

Post on 19-Jun-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

Scientia Iranica D (2017) 24(3), 1448{1457

Sharif University of TechnologyScientia Iranica

Transactions D: Computer Science & Engineering and Electrical Engineeringwww.scientiairanica.com

A lattice-based changeable threshold multi-secretsharing scheme and its application to thresholdcryptography

H. Pilarama and T. Eghlidosb;�

a. School of Electrical Engineering, Sharif University of Technology, Tehran, P.O. Box 11155-8639, Iran.b. Electronics Research Institute, Sharif University of Technology, Tehran, P.O. Box 11155-8639, Iran.

Received 6 March 2016; received in revised form 17 August 2016; accepted 29 October 2016

KEYWORDSThreshold multi-stagesecret sharing;Changeable thresholdsecret sharing;Threshold decryption;Lattice-basedcryptography.

Abstract. In this paper, we propose a threshold increasing algorithm for a (t; n) lattice-based Threshold Multi-Stage Secret Sharing (TMSSS) scheme. To realize the changeabilityfeature, we use the zero addition protocol to construct a new (t0; n) TMSSS scheme.Therefore, the new scheme enjoys the signi�cant feature of threshold changeability alongwith the inherited features of being multi-stage, multi-use, and veri�able derived fromour previously proposed lattice-based TMSSS scheme. Furthermore, we use the improvedTMSSS scheme to propose a threshold decryption algorithm for the Learning With Error(LWE) based public key encryption scheme based on the study of Lindner and Peikert.For threshold decryption, each authorized subset of participants decrypts the ciphertextpartially and sends the result to the combiner. The combiner can decrypt the ciphertextusing the partial decryptions. The security of both schemes is based on hardness of latticeproblems, i.e. LWE and Inhomogeneous Small Integer Solution (ISIS) problems, which arebelieved to resist against the quantum algorithms. The proposed schemes are e�cient,especially on the participants' side, making them suitable for the applications in which theparticipants have limited processing capacities.© 2017 Sharif University of Technology. All rights reserved.

1. Introduction

Secret sharing is a cryptographic primitive with manyapplications such as key management in sensor net-works [1], electronic cash [2], electronic voting [3], andcloud computing [4]. A secret sharing scheme splits asecret among a set of parties, called participants, insuch a way that some authorized subsets of the partic-ipants can reconstruct the secret using their assignedvalues, called shares, by a trusted third party nameddealer. A (t; n) Threshold Secret-Sharing Scheme(TSSS) is a special case of secret sharing schemes, in

*. Corresponding author. Tel.: +98 21 66164960E-mail addresses: h [email protected] (H. Pilaram);[email protected] (T. Eghlidos)

which at least t participants are required to recover thesecret. The �rst of such a scheme was introduced byBlakley and Shamir, independently, in 1979 [5,6]. Sincethen, some new features have been added to the secretsharing schemes such as veri�ability of the shares [7,8],resistance of the scheme in the presence of a numberof cheaters [9,10], and dynamic change of the thresholdand/or the number of participants [11,12].

To share more than one secret, multi-secretsharing schemes have been introduced, which is ageneralization of the secret sharing schemes [13]. Inthese schemes, each participant is given one share torecover all the secrets, the size of which is the sameas the size of the secrets. These schemes only providecomputational security [14]. Pang et al. [15] proposed amulti-secret sharing scheme for general access structure

Page 2: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457 1449

in 2006. In this scheme, when an authorized subsetof participants pulls their shares together, all of thesecrets are revealed at the same time. In 1994, He andDawson [16] proposed a (t; n) TMSSS scheme. A multi-secret sharing scheme is called multi-stage if the secretsare not revealed at the same time, i.e. in recovering anumber of secrets, the recovered secrets do not leak anyinformation about the unrecovered secrets. In 2007,Geng et al. [17] showed that the He-Dawson's schemeis actually one-time-use and vulnerable to collusionattacks. They proposed a multi-use threshold secretsharing scheme using a one-way hash function. Theterm \multi-use" in this paper implies that the sameshares are used by some technical measures when anew set of secrets is to be shared. For this purpose, thefollowing two security requirements are to be realized:

1. While recovering the secret(s), the participantsmust not reveal the original shares;

2. The secrecy of the other unrecovered secrets shouldbe computationally independent from the recoveredsecrets.

For constructing a TMSSS scheme, the partici-pants should send the pseudo-secret shares instead ofthe original ones to the combiner, in which the pseudo-secret shares depend on the original shares and thedesired secret which is to be recovered. All the existingTMSSS schemes are based on one-way (hash) func-tions [14,18,19], two-variable one-way functions [20,21],and assumptions such as di�culty of solving discretelogarithm problem [22], which can now be threatenedby quantum algorithms.

In a TSSS, the importance of the secret as wellas the mutual trust between the participants or theorganizational structure of the participants may vary.Hence, it might be required that the TSSS be changedin such a way that the larger number of participants areneeded to recover the secret. Therefore, the thresholdshould be increased. A Changeable TSSS (CTSSS)is a TSSS in which the shares generated initially bythe dealer should be changed in such a way that thesecret can be recovered with a larger threshold t0 (i.e.,t < t0). In 1999, Martin et al. proposed the �rstCTSSS [11]. Later on, di�erent CTSSSs have beenproposed. Such schemes are classi�ed into three types:The schemes based on a linear polynomial [23,24],the hyperplane geometrical based schemes [11], andthe schemes based on the Chinese Reminder Theorem(CRT) [25,26]. In 2004, Steinfeld et al. [23] proposeda lattice-based CTSSS to increase the threshold inthe standard Shamir's secret sharing scheme. Theirscheme is dealer-free which does not need any securechannel. However, their scheme uses a lattice-basedmethod to recover the secret instead of the conventional

polynomial interpolation used in the Shamir's TSSS.The security of the currently used public key

cryptosystems based on \integer factorization" and\discrete logarithm" has been threatened since inven-tion of Shor's quantum algorithm in 1994 [27]. Eversince Ajtai's introduction of the lattice-based one-wayfunctions [28], the �eld of lattice-based cryptographyplays a signi�cant role in the world of post-quantumcryptography. Ajtai proposed a family of one-wayfunctions whose security is based on the worst-casehardness of the lattice problems such as ShortestVector Problem (SVP) known to be NP-hard [29].Lattice-based cryptosystems enjoy provable securitybased on the worst-case hardness of lattice problems.Furthermore, they only need linear computations onrelatively small integers.

In 2005, Regev proposed a public key cryptosys-tem based on the LWE problem [30]. Regev and Peikertindependently showed that, for certain parameters,LWE is as hard as classical lattice problems, such asthe Shortest Independent Vector Problem (SIVP), inthe worst case. It follows that LWE-based schemesare provably secure assuming the worst-case hardnessof classical lattice problems. The LWE problem hasbeen the source of great progress in the lattice-basedcryptography. In 2010, Lindner and Peikert proposedan LWE-based cryptosystem enjoying the advantagesof having substantially smaller key and ciphertextsizes than those of the more well-known cryptosystemsproposed in the literature [31].

In recent years, some lattice-based TSSSs havebeen proposed. Georgescu [32] proposed an (n; n) TSSSbased on the hardness of the LWE problem. In2012, Bansarkhani et al. [33] proposed a veri�able(n; n) TSSS using linear lattice-based hash functionsto enable each participant to verify their share as wellas the recovered secret. The security of this schemerelies on the hardness of nc-approximate SVP. Aminiet al. [34] and Asaad et al. [35] proposed the �rst(t; n) TSSSs with asymptotic security in 2014. Later,we have proposed an e�cient lattice-based veri�ableTMSSS using Ajtai's one-way function in 2015 [36].

In a threshold cryptosystem, the private key isshared among the participants in which at least acertain number of them are required to decrypt or signthe message. Bendlin et al. proposed the �rst lattice-based threshold cryptographic scheme in threshold de-cryption of one-bit message [37] based on Regev's LWEpublic key encryption scheme. Frederiksen extendedthis scheme for multi-bit messages [38]. Singh et al. [39]proposed an e�cient lattice-based threshold public keyencryption scheme based on Lindner's work [31]. In2013, Bendlin et al. [40] proposed a threshold signatureand an identity-based encryption scheme. The above-mentioned schemes have used Shamir's TSSS to sharethe private key as an array. Hence, each entry of the

Page 3: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

1450 H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457

private key is shared independently in these schemes.However, this method seems to be ine�cient.

Contributions. In this paper, the authors' con-tribution is twofold. First, we propose a thresh-old increasing algorithm for our previously-introducedlattice-based TMSSS scheme [36]. It should benoted that the already supported features, such asbeing multi-stage, multi-use and veri�able remain un-changed. For realization of the changeability feature,we share the zero secret with the new threshold andcombine the new parameter arrays with the previousones. Second, using the improved TMSSS scheme,we introduce a threshold decryption algorithm for theLWE-based public key encryption scheme based onLindner and Peikert's. Here, we consider the columnvectors of the private key matrix as the secrets andshare them using the proposed lattice-based TMSSSscheme. For threshold decryption, the participantsdo partial decryption on the ciphertext using theirshares and send the results to the combiner. Usingadditive homomorphic property of the TSSS and linearproperty of the decryption, the combiner can decryptthe ciphertext using the partial decryptions.

The security of the proposed schemes is based onthe hardness of lattice problems which are believedto resist against the quantum algorithms [41]. Theproposed threshold public key decryption algorithminherits the desired features from the improved TMSSSscheme. In the context of threshold public key cryptog-raphy, multi-stage feature implies that the participantscan decrypt each bit of the message in di�erent stages,where the other bits remain undisclosed. Moreover,both schemes are e�cient, especially on the partic-ipants' side, because simple matrix operations areused in the secret sharing and threshold decryptionprotocols. Hence, they are suitable for the mobileapplications such as smart cards and sensor networks,in which low processing capability is a dominant factor.

This paper is organized as follows: Section 2provides a brief review of lattices, our previous multi-stage secret sharing scheme, and the LWE-based pub-lic key encryption scheme proposed by Lindner andPeikert. Section 3 presents the proposed lattice-basedchangeable TMSSS scheme including the algorithm.Section 4 provides the proposed threshold decryptionalgorithm for Lindner and Peikert's scheme. Sections 5and 6 discuss the security and e�ciency of the proposedschemes, respectively. Finally, a brief conclusion drawsall the points together.

2. Preliminaries

In this section, we introduce some basic concepts oflattice, our previous multi-stage secret sharing scheme,

and the LWE-based public key encryption schemeproposed by Lindner and Peikert [31].

2.1. NotationsIn this paper, we assume column vectors for our case.Lowercase and uppercase letters denote vectors andmatrices, respectively. Matrix In refers to n�n identitymatrix, and matrix 0m�n represents zero matrix ofsize m � n. The transpose of a rectangular matrixis denoted by (�)T . Also, R, Z, and Zq denote thesets of reals, integers, and the �nite �eld modulo q,respectively. If S is a set of numbers, Sn denotesthe set of vectors of size n, and Sm�n denotes theset of m � n matrices, whose entries are chosen fromS. The operator b�e denotes rounding operation tothe nearest integer. The operator k � k denotes anarbitrary norm. The most important class of norms is`p norms, de�ned for any p � 1 and a vector x 2 Rn askxkp =

�Pni=1 jxijp�1=p. The standard big-O and little-

o notations are used to classify the growth of functions.Function negl(n) denotes a negligible function which isde�ned as f(n) = o(n�c) for every �xed constant c.

2.2. LatticesHere, a lattice is a regular array of points in m-dimensional real vector space.

De�nition 1. [29] Let b1; b2; � � � ; bn be n linearlyindependent vectors in vector space Rm. L(b1; � � � ; bn)is de�ned to be the set of all integer linear combinationsof b1; b2; � � � ; bn as follows:

� = L(b1; � � � ; bn) =

(nXi=1

xibi : xi 2 Z): (1)

The set of vectors fb1; � � � ; bng is called a basis forlattice �, and n is called the rank of the lattice.

Lattice-based cryptosystems are based on thehardness of lattice problems, SVP and Closest VectorProblem (CVP) are the most popular ones amongthem [29]. In the lattice-based cryptography, weusually use the approximate version of these problems,denoted by approximation factor, . For example, in -approximate SVP, we want to �nd a vector in thelattice whose length is within factor of the shortestvector; in -approximate CVP, we seek a vector in thelattice whose distance from the target vector is at most times that of the closest vector.

De�nition 2. [41] A q-ary lattice is lattice � satis-fying qZn � � � Zn for some (possibly prime) integerq.

For instance, given integer matrix A 2 Zn�mqand modulus q, the set of vectors x 2 Zm satisfyingequation Ax = 0 mod q forms a lattice of dimensionm, which is closed under congruence modulo q. Thislattice is denoted by �?q (A).

Page 4: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457 1451

In [28], Ajtai introduced one-way functionfA(x) = Ax mod q, where A 2 Zn�mq and x 2f0; 1gm. To invert this function, the following problemis concluded:

Parameters: n, m, q 2 N, such that m > n log q, andq = O(nc) for some constant c;

Input: A uniformly random matrix A 2 Zn�mq andvector y = Ax for some random vector x 2 f0; 1gm;

Output: A vector x 2 f0; 1gm, such that Ax = ymod q.

Ajtai proved that solving this problem with non-negligible probability leads to an algorithm whichsolves any instance of nc-approximate SVP and is notvulnerable to quantum algorithms in polynomial time.

This problem is a special case of the ISIS problem,in which condition x 2 f0; 1gm is replaced by kxk �� for real parameter �. Solving ISIS is equivalent todecoding arbitrary integer target point, t 2 Zm, withindistance � on q-ary lattice �?q (A) = fx 2 ZmjAx = 0mod qg, where the syndrome of the target point is u =At mod q [42].

2.3. Lindner and Peikert's LWE-based publickey encryption scheme

Here, we explain the LWE-based public key encryp-tion scheme proposed by Lindner and Peikert [31].The scheme uses uniformly random public matrix,Q 2 Zn1�n2

q . The cryptosystem uses the followingalgorithms for the key generation, encryption, anddecryption, respectively:

- Gen(Q; 1l): Choose R1 Dn1�lZ;sk and R2 Dn2�lZ;skand let P = R1�QR2 2 Zn1�l

q . DZ;sk is the discreteGaussian distribution on integer numbers with zeromean and standard deviation of sk. l is the numberof bits in message m. Parameters fP;Qg and R2represent the public and private keys, respectively.The relation between the public and private keys canbe written as:�

Q P� �R2

I

�= R1 mod q: (2)

- Enc(Q;P;m 2 f0; 1gl): Choose e = (e1; e2; e3) 2Zn1 �Zn2 �Zl whose entries are chosen from DZ;se .The ciphertext can be obtained by:

cT =�cT1 cT2

�=�eT1 eT2 eT3 +mT bq=2e� :24 Q P

In2 00 Il

352 Z1�(n2+l)

q : (3)

- Dec(cT ; R2): output decode(cT1 R2 + cT2 ) 2 f0; 1gl,where decode(x) returns 0 if jxj < bq=4e, elsereturns 1:

cT1 R2+cT2 =�cT1 cT2

�:�R2I

�=eTR+mT bq=2e; (4)

where R =

24R1R2I

35 and e =

24e1e2e3

35.

The decryption will be correct as long as theabsolute value of each entry of eTR is smaller thanbq=4e.

2.4. Secret sharingIn a secret sharing scheme, the goal is to share a secretamong a set of parties, called participants, denotedby P. A trusted third party, named dealer, assignsa private value, called share, to each participant.

Only the authorized subsets of participants canrecover the secret by running a pre-speci�ed algorithm.The set of all authorized subsets is called an accessstructure. In general, an access structure is a subsetof the power set of P. A speci�c instance of generalaccess structure is the threshold structure, which, forgiven t, consists of all subsets of at least t elements ofthe power set of P.

A secret sharing scheme usually consists of twophases:

� Share distribution: In this phase, the shares arecomputed by a dealer using a pre-speci�ed algorithmand are sent securely to the participants;

� Secret reconstruction: In this phase, the authorizedsubset of participants send their shares to a com-biner to obtain the secret by running the algorithm.

The above-de�ned protocol is simple and cannot beused in real application directly. Depending on thefeatures, TSSSs can be extended as follows:

- Veri�able secret sharing: In a veri�able secretsharing scheme, the dealer commits the distributedshares to each participant, and the participants canverify the validity of the recovered secrets by thecombiner [19];

- Multi-secret sharing: In a multi-secret sharingscheme, more than one secret is shared amongthe participants, and it is desirable to give theparticipants only one share for recovering all thesecrets [13];

- Multi-stage secret sharing: A multi-stage secret shar-ing scheme is a special case of multi-secret sharingschemes in which the secrets can be recovered atdi�erent stages, and the reconstructed secrets donot leak any information about the unrecoveredsecrets [18,43];

Page 5: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

1452 H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457

- Multi-use secret sharing: For sharing a new set ofsecrets, the old shares and the old public informationcan be used, such that sending the new shares tothe participants through a secure channel is notrequired [18,43];

- Changeable threshold secret sharing: The scheme iscapable of increasing the threshold in such a waythat resharing the secret is not necessary by usingthe new threshold.

2.5. Threshold multi-stage secret sharingscheme

In this section, we introduce the lattice-based (t; n)TMSSS scheme [36], where t participants are requiredto recover each of the secrets. This scheme enables theparticipants to recover each secret independently, andit is computationally di�cult to use them for obtainingany information about unrecovered secrets. In thisscheme, there are m secrets si 2 Ztq, i = 1; � � � ;m,where q is a prime number and t is the threshold. Thedealer randomly selects vector v 2 Ztq and publishes it.Then, for each secret si, he �nds private lattice-basisBi, such that:

si = Biv; i = 1; � � � ;m; (5)

where Bi 2 Zt�tq is a basis for the t-dimensional lattice.After computing the private lattice basis, Bi,

i = 1; � � � ;m, the dealer chooses n public vectors�j 2 Ztq, j = 1; � � � ; n, such that every t of these vectorsis linearly independent. Then, the dealer must �ndpublic matrices, Ai 2 Zt�rq , i = 1; � � � ;m, and privateshares sj 2 f0; 1gr, j = 1; � � � ; n, such that equalityAisj = Bi�j holds for i = 1; � � � ;m and j = 1; � � � ; n,where r � max (t log t; n). Hence, the dealer �rstrandomly chooses n items of shares sj from f0; 1gr,and then solves a system of linear equations to �ndmatrices Ai; i = 1; � � � ;m for each secret.

For veri�cation of the shares by the participants,the dealer chooses random matrix F 2 Zt�rq andpublishes it along with the hash values of the sharesas the vectors of hj = Fsj , j = 1; � � � ; n. In addition,the dealer publishes H(si), i = 1; � � � ;m for veri�cationof the recovered secrets by the participants, where H(�)is a public hash function.

Distribution phase� The dealer distributes share vector, sj , to partic-

ipant Pj through a secure channel and publishesmatrices Ai, i = 1; � � � ;m, and vectors �j , j =1; � � � ; n, on the bulletin board;

� Participant Pj veri�es whether the hash value of thereceived share from the dealer is the same as thaton the bulletin board, i.e. Fsj

?= hj .

Combination phaseHere, di�erent secrets are reconstructed independently.Suppose that subset fj1; � � � ; jtg � f1; � � � ; ng of the

participants intend to recover secret si, i 2 f1; � � � ;mg.For this purpose, participant jl, l = 1; � � � ; t, computesvector dijl = Aisjl , l = 1; � � � ; t, as his pseudo-secret share and sends the result to the combiner ina secure manner. The combiner constructs matrixDi =

�dj1 � � � djt

�, and then recovers secret si by

computing si = Di��1v, where � =��j1 � � � �jt

�.

The participants can verify the recovered secret usingthe corresponding hash value, H(si), published on thebulletin board.

3. Threshold increasing algorithm

In this section, we improve our previously introducedlattice-based (t; n) TMSSS scheme [36] by proposing analgorithm for increasing the threshold from t to t0 > t.It should be noted that a trusted party, who might notknow the secret, runs the threshold increase protocol.For the realization of this purpose, we use the zeroaddition protocol [44], in which we share the zero secretamong the participants using the new threshold, t0, andcombine the temporary results with the correspondingparameters of the (t; n) TMSSS scheme in such a waythat the new scheme is (t0; n) TMSSS scheme. Thealgorithm consists of the following phases.

Phase 1. Extending the dimensions from t to t0First, we increase the size of the arrays of parametersof the original scheme from t to t0 in such a way thatthe original equations remain correct.

sit�1 = Bit�tvt�1 )�

si0(t0�t)�1

�t0�1

=�Bi 00 0

� �vv00�t0�1

;

Ait�rsjr�1 = Bit�t�jt�1 )�Ai 00 0

�t0�r0

�sjs00j

�r0�1

=�Bi 00 0

�t0�t0

��j�00j

�t0�1

; (6)

where v00 and �00j , j = 1; � � � ; n, are chosen randomlyfrom Z(t0�t)�1

q and s00j , j = 1; � � � ; n, is chosen randomlyfrom f0; 1g(r0�r)�1, where r0 = max (t0 log t0; n).

Phase 2. Sharing zero secretNow, we share the zero secret according to the originalscheme using the new threshold t0. Here, the di�erenceis that vectors v, v00, sj , s00j , �j , and �00j are the sameas those used in the current (t; n) TMSSS scheme, i.e.Eq. (6):

Page 6: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457 1453

0t0�1 = B00t0�1

�vv00�t0�1

;

A00t0�r0�sjs00j

�r0�1

=B00t0�t0��j�00j

�t0�1

; j=1; � � � ; n; (7)

where B00 is obtained from the �rst equation, and thenA00 is obtained from the second equation in Eq. (7)using computed B00.Phase 3. Parameter combinationBy adding the corresponding equations of (6) and (7)together, Eq. (8) is obtained as follows:�

si0(t0�t)�1

�t0�1

=�B00+

�Bi 00 0

��t0�t0

�vv00�t0�1

; A00 +

�Ai 00 0

�!t0�r0

�sjs00j

�r0�1

=�B00 +

�Bi 00 0

��t0�t0

��j�00j

�t0�1

: (8)

Let us de�ne:

s0it0�1=�

si0(t0�t)�1

�; i = 1; � � � ;m;

B0it0�t0 = B00 +�Bi 00 0

�; i = 1; ::;m;

v0t0�1 =�vv00�;

A0it0�r0 = A00 +�Ai 00 0

�; i = 1; ::;m;

s0jr0�1=�sjs00j

�; j = 1; � � � ; n;

�0jt0�1=��j�00j

�; j = 1; � � � ; n: (9)

Using the new de�ned parameters, the following equa-tions hold:

s0i = B0iv0; i = 1; � � � ;m;A0is0j = B0i�0j ; i = 1; � � � ;m; j = 1; � � � ; n: (10)

The above equation illustrates the new TMSSS schemeusing new threshold, t0. Vectors s0j , j = 1; � � � ; n,are the new shares and array parameters v0, �0j ,j = 1; � � � ; n, and A0i, i = 1; � � � ;m, are the publicinformation published on the bulletin board. �

It is worth mentioning that all features of theoriginal scheme, such as veri�ability, being multi-useand multi-stage, remain unchanged under the thresholdincrease.

4. Threshold decryption algorithm

In this section, we introduce a threshold decryptionalgorithm for LWE-based public key encryption schemeof Lindner and Peikert, described in Section 2.3. Thealgorithm consists of the following phases:

Phase 1. Sharing the private keyFirst, we share the private key by sharing columns ofR2, i.e. ri2, i = 1; � � � ; l, according to [36], described inSection 2.5., as follows. Let n1 = n2 = t, where t is thethreshold.

ri2 = Biv; i = 1; � � � ; l;Aisj = Bi�j ; i = 1; � � � ; l; j = 1; � � � ; n; (11)

where vectors sj , j = 1; � � � ; n, are the shares, sentsecurely to the participants. Parameters Ai, i =1; � � � ; l, and v are published on the bulletin board.

Phase 2. Threshold decryptionTDec(cT ; sj1 ; � � � ; sjt): To decrypt ciphertext cT =�cT1 cT2

�using t shares sj1 ; � � � ; sjt , each of t par-

ticipants applies partial decryption to the ciphertextand sends the result to the combiner. The partialdecryption for participant jk, k = 1; � � � ; t, is describedby:

djk =

264d1jk...dljk

375 =

264cT1 A1sjk + w1jk

...cT1 Alsjk + wljk

375=

264cT1 B1�jk + w1jk

...cT1 Bl�jk + wljk

375 ; (12)

where wijk , k = 1; � � � ; t, i = 1; � � � ; l, is a discreteGaussian noise chosen from DZ;sw . The combinercomputes:

m0=�dj1 � � � djt

���1v + c2 = RT2 c1+c2+W��1v;

where:

� =��j1 � � � �jt

�;

and:

W =

264w1j1 � � � w1

jt...

......

wlj1 � � � wljt

375 :According to Section 2.3., decode(m0T ) outputs mes-sage m if the error and kW��1vk1 are small comparedto bq=4e. �

Page 7: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

1454 H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457

5. Security analysis

In this section, we investigate the security of theproposed schemes in the standard model.

5.1. Threshold increaseIn changing the threshold from t to t0, we �rst sharethe zero secret using threshold t0. By exploiting theadditive homomorphic property of the original TMSSSscheme, we add its parameter arrays with those of thezero secret sharing scheme and obtain a new (t0; n)TMSSS scheme sharing the original secrets. Since thenew TMSSS scheme is an extension of the originalscheme using t0 dimensional lattices, it inherits thesecurity of the original scheme which has been provenin [36]. However, it is required that the new parametersful�ll the security requirements of the cryptographicprimitives used in the new scheme.

The de�nition of Ajtai's one-way function f(x) =Ax implies that matrix A is chosen uniformly atrandom. Hence, we show that matrices A0i, i =1; � � � ;m, obtained by Eq. (9) have uniform distributionon Zt0�r0q . From the proof of Lemma 1 in [36], weknow that adding or multiplying a uniformly randommatrix to/by a matrix with independently arbitrarydistribution results in a matrix with a uniform distri-bution. Furthermore, A00, obtained when sharing thezero secret, has a uniform distribution on Zt0�r0q byLemma 1 in [36]. Therefore:

A0it0�r0 = A00 +�Ai 00 0

�has a uniform distribution on Zt0�r0q .

5.2. Threshold decryptionIn this section, we analyze the security of the pro-posed threshold decryption algorithm for the LWE-based public key encryption scheme by Lindner andPeikert. The security of the TMSSS scheme andthe above-mentioned encryption scheme are provenin Section 5.1. [31,36], respectively. In a thresholddecryption algorithm, it is desired that no informationabout the private key is leaked, i.e. no one using theresults of partial decryption djk , k = 1; � � � ; t, can

obtain any information about private key R2. We provethis assertion in the following theorem:

Theorem 1. Let s1; � � � ; sn be the shares corre-sponding to private key R2. Using:

djk =�d1jk � � � dljk

�T ; k = 1; � � � ; t;private key R2 cannot be revealed in polynomial time,where:

dijk = cT1 Aisjk + wijk ; i = 1; � � � ; l; j = 1; � � � ; t:Proof. Assume that yijk = Aisjk , i = 1; � � � ; l andk = 1; � � � ; t. Solving equation dijk = cT1 Aisjk + wijk =cT1 yijk + wijk with respect to yijk leads to an LWEproblem. Furthermore, solving equation yijk = Aisjkwith respect to sjk leads to an ISIS problem. Sinceboth problems cannot be solved in polynomial time,one cannot obtain any information about the shares inpolynomial time using partial decryption dijk .

On the other hand, obtaining private key R2from expression

�dj1 � � � djt

���1v = RT2 c1+W��1v

computed during the threshold decryption process,leads to an LWE problem which is hard to solve inpolynomial time. �

6. Performance analysis

In this section, we investigate the performance of theproposed schemes.

6.1. Threshold increaseWe consider the changeable TMSSS scheme in whichwe deal with two phases:

1. Sharing the secret using threshold t;2. Changing the threshold from t to t0.

In the �rst phase, matrices Ai, i = 1; � � � ;m, publishedon the bulletin board, are dominant from memoryconsumption point of view. On the other hand, thememory consumption of shares sj , j = 1; � � � ; n, shouldbe taken into account. In Table 1, the memory

Table 1. Memory requirements for di�erent schemes.

Scheme Size of public valuesper secret size

Size of each shareper secret size

He & Dawson [16] m� n 1Harn [45] m� (n� t) 1Chang [18] m� n 1Das [19] m� t� n 1Harn [46] m2(n+1)

t mThe proposed TMSSS scheme m� r r=(t log q)

Page 8: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457 1455

requirements for Ai, i = 1; � � � ;m, and sj , j = 1; � � � ; n,per secret size, i.e. log2(q), are given. Table 1 illustratesthat in the proposed scheme, the size of each share persecret size is r

t log q , which equals 0.5 if we let q = t2and r = t log t. In the second phase, matrices Ai,i = 1; � � � ;m, are changed to A0i, i = 1; � � � ;m, wherethe size of public values per secret size is changed tom � r0 � t0

t . When increasing the threshold from t tot0, shares sj , j = 1; � � � ; n, are changed to:

s0j =�sjs00j

�; j = 1; � � � ; n:

In this case, we only need to send vectors s00j , j =1; � � � ; n, to the participants. In this way, the protocolneeds less data communication to the participants overa secure channel.

From complexity's point of view, in the sharedistribution phase of the (t; n) threshold scheme, thecomputational complexity of public matrices Ai, i =1; � � � ;m, is of O(t2n)+O(tn(r�n))+O(n3)+O(tn2) �O(n3) for each secret and consists of three matrixmultiplications and one matrix inversion [36]. Eachsecret recovery consists of two steps:

1. The participants' side: In computing the pseudo-secret shares, since the shares are binary arrays,computing the pseudo-secret shares only requiressimple column addition in matrix Ai, which hasthe complexity of O(tr) for each participant. Thismakes the scheme suitable for the applications withlow complexity requirements on the participants'side;

2. The combiner's side: This step has the complexityofO(t3), which consists of one matrix multiplicationand one matrix inversion.

In changing the threshold from t to t0, the dominantpart is sharing the zero secret among the participants,which is of O(t02n)+O(t0n(r0�n0))+O(n3)+O(t0n2) �O(n3) for the zero secret and consists of three matrixmultiplications and one matrix inversion. The remain-ing parts only use additions which can be ignored whencompared to the zero secret sharing.

6.2. Threshold decryption algorithmIn view of computational complexity, the proposedthreshold decryption algorithm consists of two parts:

1. The partial decryption by the participants has thecomputational complexity of O(lt2r);

2. The �nal decryption by the combiner using theoutput of the partial decryption has the complexityof O(lt2).

Both parts only use matrix operations which aremore e�cient than the exponentiations used in thetraditional schemes.

7. Conclusions

In a TSSS, when the secret is threatened by somecorrupted participants, or the organizational structureof the participants is to be changed, it might berequired that the threshold be increased. In this paper,we have proposed a threshold increasing algorithm forour previously proposed lattice-based (t; n) TMSSSscheme which supports the threshold changeabilityfeature, in addition to the inherited features of beingmulti-stage, multi-use, and veri�able. For realization ofthe new feature, we share the zero secret with the newthreshold and combine the new array parameters withthose of the original scheme. Furthermore, based onLindner and Peikert's public key encryption scheme, wehave introduced a lattice-based threshold decryptionalgorithm using the improved TMSSS scheme. Forthreshold decryption, the participants partially decryptthe ciphertext using their shares and send the resultsto the combiner, who can then decrypt the ciphertextusing the partial decryption results. We have discussedthe security of both schemes based on the hardnessof lattice problems, i.e. the LWE and ISIS problems,which are believed to resist against the quantumalgorithms. Moreover, both schemes are e�cient,especially in the participants' side, because of simplematrix operations used in the computations of thechangeable TMSSS and threshold decryption protocols.Hence, they are suitable for the mobile applications,such as smart cards and sensor networks, in which lowprocessing capability of the used devices is a dominantfactor.

References

1. Chunying, W., Shundong, L. and Yiying, Z. \Keymanagement scheme based on secret sharing for wire-less sensor network", In Emerging Intelligent Dataand Web Technologies (EIDWT), 2013 Fourth Inter-national Conference on, pp. 574-578 (2013).

2. Chang, C.-C., Chen, W.-Y. and Chang, S.-C. \Ahighly e�cient and secure electronic cash system basedon secure sharing in cloud environment", Securityand Communication Networks, 9(14), pp. 2476-2483(2016).

3. Yuan, L., Li, M., Guo, C., Hu, W. and Tan, X. \Averi�able E-voting scheme with secret sharing", In2015 IEEE 16th International Conference on Commu-nication Technology (ICCT), pp. 304-308 (2015).

4. Kanai, A., Tanimoto, S. and Sato, H. \Performanceevaluation on data management approach for multipleclouds using secret sharing scheme", In 2016 IEEEInternational Conference on Consumer Electronics(ICCE), pp. 471-473 (2016).

5. Shamir, A. \How to share a secret", Commun. ACM,22(11), pp. 612-613 (1979).

Page 9: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

1456 H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457

6. Blakley, G.R. \Safeguarding cryptographic keys", InProceedings of the 1979 AFIPS National ComputerConference, 48, pp. 313-317 (1979).

7. Stadler, M. \Publicly veri�able secret sharing", InAdvances in Cryptology EUROCRYPT 96, U. Maurer,Ed., LNCS 1070, pp. 190-199, Springer Berlin Heidel-berg (1996).

8. Barletta, A., Callegari, C., Giordano, S., Pagano, M.and Procissi, G. \Privacy preserving smart grid com-munications by veri�able secret key sharing", In 2015International Conference on Computing and NetworkCommunications (CoCoNet), pp. 199-204 (2015).

9. Brickell, E. and Stinson, D. \The detection of cheatersin threshold schemes", In Advances in CryptologyCRYPTO 88, S. Goldwasser, Ed., LNCS 403, pp. 564-577, Springer New York (1990).

10. Mahmoud, Q.A. \A novel veri�able secret sharingwith detection and identi�cation of cheaters' group",International Journal of Mathematical Sciences andComputing (IJMSC), 2(2), pp. 1-13 (2016).

11. Martin, K., Safavi-Naini, R. and Wang, H. \Boundsand techniques for e�cient redistribution of secretshares to new access structures", The Computer Jour-nal, 42(8), pp. 638-649 (1999).

12. Barwick, S.G., Jackson, W.-A. and Martin, K. \Updat-ing the parameters of a threshold scheme by minimalbroadcast", Information Theory, IEEE Transactionson, 51(2), pp. 620-633 (2005).

13. Blundo, C., De Santis, A., Di Crescenzo, G., Gaggia,A.G. and Vaccaro, U. \Multi-secret sharing schemes",In Advances in Cryptology CRYPTO94, LNCS 839, pp.150-163 (1994).

14. Fatemi, M., Ghasemi, R., Eghlidos, T. and Aref,M. \E�cient multistage secret sharing scheme usingbilinear map", Information Security, IET, 8(4), pp.224-229 (2014).

15. Pang, L., Li, H. and Wang, Y. \An e�cient and securemulti-secret sharing scheme with general access struc-tures", Wuhan University Journal of Natural Sciences,11(6), pp. 1649-1652 (2006).

16. He, J. and Dawson, E. \Multistage secret shar-ing based on one-way function", Electronics Letters,30(19), pp. 1591-1592 (1994).

17. Geng, Y.J., Fan, X.H. and Fan, H. \A new multi-secretsharing scheme with multi-policy", In Advanced Com-munication Technology, the 9th International Confer-ence on, 3, pp. 1515-1517 (2007).

18. Chang, T.Y., Hwang, M.S. and Yang, W.P. \A newmulti-stage secret sharing scheme using one-way func-tion", SIGOPS Oper. Syst. Rev., 39(1), pp. 48-55(2005).

19. Das, A. and Adhikari, A. \An e�cient multi-use multi-secret sharing scheme based on hash function", AppliedMathematics Letters, 23(9), pp. 993-996 (2010).

20. Chien, H.-Y., JAN, J.-K. and Tseng, Y.-M. \Apractical (t; n) multi-secret sharing scheme", IEICE

Transactions on Fundamentals of Electronics, Com-munications and Computer Sciences, 83(12), pp. 2762-2765 (2000).

21. Yang, C.-C., Chang, T.-Y. and Hwang, M.-S. \A (t; n)multi-secret sharing scheme", Applied Mathematicsand Computation, 151(2), pp. 483-490 (2004).

22. Shao, J. and Cao, Z. \A new e�cient (t; n) veri�ablemulti-secret sharing (VMSS) based on YCH scheme",Applied Mathematics and Computation, 168(1), pp.135-140 (2005).

23. Steinfeld, R., Pieprzyk, J. and Wang, H. \Lattice-based threshold changeability for standard Shamirsecret-sharing schemes", Information Theory, IEEETransactions on, 53(7), pp. 2542-2559 (2007).

24. Zhang, Z., Chee, Y.M., Ling, S., Liu, M. and Wang,H. \Threshold changeable secret sharing schemes revis-ited", Theoretical Computer Science, 418, pp. 106-115(2012).

25. Lou, T. and Tartary, C. \Analysis and design ofmultiple threshold changeable secret sharing schemes",In Cryptology and Network Security, M. Franklin, L.Hui and D. Wong, Eds., LNCS 5339, pp. 196-213.Springer Berlin Heidelberg (2008).

26. Steinfeld, R., Pieprzyk, J. and Wang, H. \Lattice-based threshold-changeability for standard CRTsecret-sharing schemes", Finite Fields and Their Ap-plications, 12(4), pp. 653-680, Special Issue Celebrat-ing Prof. Zhe-Xian Wan's 80th Birthday (2006).

27. Shor, P.W. \Algorithms for quantum computation:Discrete logarithms and factoring", In Proceedings ofthe 35th Annual Symposium on Foundations of Com-puter Science, SFCS '94, pp. 124-134, Washington,DC, USA IEEE Computer Society (1994).

28. Ajtai, M. \Generating hard instances of lattice prob-lems (extended abstract)", In Proceedings of theTwenty-eighth Annual ACM Symposium on Theory ofComputing, STOC '96, pp. 99-108, New York, NY,USA (1996). ACM.

29. Micciancio, D. and Goldwasser, S., Complexity ofLattice Problems: A Cryptographic Perspective, MilkenInstitute Series on Financial Innovation and EconomicGrowth, Springer US (2002). ISBN: 978-1-4613-5293-8(Print), 978-1-4615-0897-7 (Online).

30. Regev, O. \On lattices, learning with errors, randomlinear codes and cryptography", In Proceedings of theThirty-Seventh Annual ACM Symposium on Theory ofComputing, STOC '05, pp. 84-93, New York, NY, USAACM (2005).

31. Lindner, R. and Peikert, C. \Better key sizes (andattacks) for LWE-based encryption", In Topics inCryptology CT-RSA 2011, A. Kiayias, Ed., LNCS6558, pp. 319-339, Springer Berlin Heidelberg (2011).

32. Georgescu, A. \A LWE-based secret sharing scheme",IJCA Special Issue on Network Security and Cryptog-raphy, NSC(3), pp. 27-29, Published by Foundationof Computer Science, New York, USA (2011).

Page 10: A lattice-based changeable threshold multi-secret …scientiairanica.sharif.edu/article_4126_6d7a452961a54b3...secrets are revealed at the same time. In 1994, He and Dawson [16] proposed

H. Pilaram and T. Eghlidos/Scientia Iranica, Transactions D: Computer Science & ... 24 (2017) 1448{1457 1457

33. El Bansarkhani, R. and Meziani, M. \An e�cientlattice-based secret sharing construction", In Informa-tion Security Theory and Practice. Security, Privacyand Trust in Computing Systems and Ambient Intel-ligent Ecosystems, LNCS 7322, pp. 160-168, SpringerBerlin Heidelberg (2012).

34. Khorasgani, H.A., Asaad, S., Eghlidos, T. and Aref, M.\A lattice-based threshold secret sharing scheme", InInformation Security and Cryptology (ISCISC), 201411th International ISC Conference on, pp. 173-179(2014).

35. Asaad, S., Khorasgani, H.A., Eghlidos, T. and Aref,M. \Sharing secret using lattice construction", InTelecommunications (IST), 2014 7th InternationalSymposium on, pp. 901-906 (2014).

36. Pilaram, H. and Eghlidos, T. \An e�cient lattice basedmulti-stage secret sharing scheme", Dependable andSecure Computing, IEEE Transactions on, PrePrint(2015).

37. Bendlin, R. and Damgoard, I. \Threshold decryptionand zero-knowledge proofs for lattice-based cryptosys-tems", In Theory of Cryptography, LNCS 5978, pp.201-218, Springer (2010).

38. Frederiksen, T.K. \A multi-bit threshold variant ofRegev's LWE-based cryptosystem", Cryptology ePrintArchive (2011).

39. Singh, K., Pandu Rangan, C. and Banerjee, A.\Lattice based e�cient threshold public key encryp-tion scheme", Journal of Wireless Mobile Networks,Ubiquitous Computing, and Dependable Applications(JoWUA), 4(4), pp. 93-107 (2013).

40. Bendlin, R., Krehbiel, S. and Peikert, C. \How to sharea lattice trapdoor: Threshold protocols for signaturesand (H)IBE", In Applied Cryptography and NetworkSecurity, LNCS 7954, pp. 218-236 (2013).

41. Bernstein, D., Buchmann, J. and Dahmen, E., Post-Quantum Cryptography, Springer (2009).

42. Gentry, C., Peikert, C. and Vaikuntanathan, V.\Trapdoors for hard lattices and new cryptographicconstructions", In Proceedings of the Fortieth AnnualACM Symposium on Theory of Computing, ACM, pp.197-206 (2008).

43. Chang, T.-Y., Hwang, M.-S. and Yang, W.-P. \Animproved multi-stage secret sharing scheme based on

the factorization problem", Information Technologyand Control, 40(3), pp. 246-251 (2011).

44. Nojoumian, M. and Stinson, D.R. \On dealer-free dy-namic threshold schemes", Advances in Mathematicsof Communications, 7(1), pp. 39-56 (2013).

45. Harn, L. \Comment on multistage secret sharing basedon one-way function", Electronics Letters, 31(4), pp.262-268 (1995).

46. Harn, L. \Secure secret reconstruction and multi-secret sharing schemes with unconditional security",Security and Communication Networks, 7(3), pp. 567-573 (2014).

Acknowledgement

This work was supported by Iran National ScienceFoundation (INSF) under grant number 94017742.

Biographies

Hossein Pilaram received his BSc degree in ElectricalEngineering and the MSc degree in CommunicationSystems from the Sharif University of Technology,Tehran, Iran, in 2010 and 2012, respectively. He iscurrently working on his PhD dissertation in the De-partment of Electrical Engineering of Sharif Universityof Technology. His research interests are cryptography,coding theory, and mobile networks.

Taraneh Eghlidos received her BSc degree in Mathe-matics in 1986 from the University of Shahid Beheshti,Tehran, Iran, and the MSc degree in Industrial Math-ematics in 1991 from the University of Kaiserslautern,Germany. She received her PhD degree in Mathematicsin 2000, from the University of Giessen, Germany. Shejoined the Sharif University of Technology (SUT) in2002, and is currently an Associate Professor in theElectronics Research Institute of SUT. Her researchinterests include interdisciplinary research areas such assymmetric and asymmetric cryptography, applicationof coding theory in cryptography, and mathematicalmodeling for representing and solving real world prob-lems. Her current research interests include lattice-based cryptography and code-based cryptography.