Secure Schemes for Secret Sharing and Key
Distribution
N. Chandramowliswaran, P. Muralikrishna and S. Srinivasan
School of Advanced Sciences, Vellore Institute of Technology,
Vellore 632 014, India.
e-mail: [email protected]
Abstract
In recent years the security of operations taking place over a computer network has become very important. It is necessary to protect such actions against malicious users who may try to misuse the system (e.g. steal credit card numbers, read personal mail, or impersonate other users). Many protocols and schemes have been designed to solve problems of this type. This paper deals with two fundamental cryptographic tools that are useful in such contexts: generalized secret sharing schemes and key distribution schemes. Both are used in multi-party systems; a secret sharing scheme enables certain predetermined sets of parties to reconstruct a given secret. We present a novel key pre-distribution algorithm based on number theory which uses the Chinese Remainder Theorem (CRT), continued fractions (CF) and Pell's equation.
1 Introduction
Secret sharing (also called secret splitting) refers to methods for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number, of possibly different types, of shares are combined together; individual shares are of no use on their own.
Secret sharing was invented independently by Adi Shamir [7] and George Blakley [6] in 1979. Secret sharing schemes are ideal for storing information that is highly sensitive and highly important. Examples include encryption keys, missile launch codes and numbered bank accounts. Each of these pieces of information must be kept highly confidential, as its exposure could be disastrous; however, it is also critical that it not be lost. Traditional methods for encryption are ill-suited for simultaneously achieving high levels of confidentiality and reliability.
This is because when storing the encryption key, one must choose between keeping
a single copy of the key in one location for maximum secrecy, or keeping multiple
copies of the key in different locations for greater reliability. Increasing reliability
of the key by storing multiple copies lowers confidentiality by creating additional
attack vectors; there are more opportunities for a copy to fall into the wrong
hands. Secret sharing schemes address this problem, and allow arbitrarily high
levels of confidentiality and reliability to be achieved.
A secure secret sharing scheme distributes shares so that anyone with fewer than $t$ shares has no more information about the secret than someone with no shares at all.
Consider for example the secret sharing scheme in which the secret phrase "security" is divided into the shares "se------", "--cu----", "----ri--" and "------ty". A person with 0 shares knows only that the password consists of eight letters and would have to guess it from $26^8 \approx 208$ billion possible combinations. A person with one share, however, would have to guess only the remaining six letters, from $26^6 \approx 308$ million combinations, and so on as more persons collude. Consequently this is not a secure secret sharing scheme, because a player with fewer than $t$ shares can narrow down the secret without first obtaining all of the necessary shares.
More generally, $(n, k)$ secret sharing is the problem of distributing a secret number $s$ among $n$ people so that no $k-1$ of them have any information about $s$, but any $k$ of them can determine $s$. Shamir's secret sharing does this by giving the $i$-th party $f(i)$, where $f$ is an appropriately chosen polynomial. The dealer picks random field elements $a_1, a_2, \dots, a_{k-1}$ and uses the polynomial
\[ f(t) = s + a_1 t + a_2 t^2 + \dots + a_{k-1} t^{k-1}. \]
He gives the $i$-th person $f(i)$ for $i = 1, \dots, n$. For $k$ people to recover the secret, they just pool their shares and use Lagrange interpolation to find the unique polynomial of degree at most $k-1$ passing through their $k$ points. (Lagrange interpolation works over any field; in practice a large finite field would be used.) The secret is just the constant term $f(0) = s$. Any $k-1$ people have no knowledge about $s$: they have $k-1$ points on the polynomial, but for every field element $s'$ there is a polynomial of degree at most $k-1$ passing through their $k-1$ points and $(0, s')$, so their combined knowledge reveals nothing about $s$.
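The $(n, k)$ scheme just described, as an added worked example in Python (it is not code from the paper). The field $\mathrm{GF}(2^{127}-1)$ is the example's own choice; any prime larger than the secret and the number of parties works. Besides sharing and Lagrange reconstruction, `forge_missing_share` takes $k-1$ shares and an arbitrary candidate secret and produces a $k$-th point consistent with that candidate, which is the "reveals nothing" argument of the last paragraph made executable.

```python
import secrets

# GF(PRIME); 2^127 - 1 is a Mersenne prime chosen for this example.
PRIME = 2**127 - 1


def _lagrange(points, t, prime):
    """Value at t of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (t - xj) % prime
                den = den * (xi - xj) % prime
        total = (total + yi * num * pow(den, -1, prime)) % prime
    return total


def make_shares(secret, n, k, prime=PRIME):
    """(n, k) Shamir sharing: party j receives (j, f(j)) where
    f(t) = secret + a_1 t + ... + a_{k-1} t^{k-1} has random coefficients."""
    if not (1 <= k <= n < prime and 0 <= secret < prime):
        raise ValueError("need 1 <= k <= n < prime and 0 <= secret < prime")
    coeffs = [secret] + [secrets.randbelow(prime) for _ in range(k - 1)]

    def f(t):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod prime
            acc = (acc * t + c) % prime
        return acc

    return [(j, f(j)) for j in range(1, n + 1)]


def recover(shares, k, prime=PRIME):
    """Any k distinct shares fix f; the secret is the constant term f(0)."""
    distinct = list(dict(shares).items())
    if len(distinct) < k:
        raise ValueError("fewer than k distinct shares")
    return _lagrange(distinct[:k], 0, prime)


def forge_missing_share(shares, guess, prime=PRIME):
    """Given k-1 shares and ANY candidate secret, produce a k-th share that
    makes reconstruction return the candidate.  Because this succeeds for
    every guess, k-1 shares carry no information about the secret."""
    used = {x for x, _ in shares}
    t = next(x for x in range(1, prime) if x not in used)
    return (t, _lagrange([(0, guess)] + list(shares), t, prime))
```

Share indices start at 1 because the point $t = 0$ carries the secret; handing anyone the share at $t = 0$ would give that party the secret outright.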
The current trend towards cloud computing means that more and more data is being processed and stored by online resources beyond the physical and logical control of the owner. It is a simple task for an adversary to intercept, copy and store any data sent across a public network, and from that point on confidentiality is determined solely by the original encryption scheme: re-encryption is useless, and even deletion of the data cannot be guaranteed.
Cryptographic schemes in wide deployment today, such as RSA, Diffie-Hellman and AES, do not offer long-term confidentiality guarantees. This is because their concrete security rests on the current infeasibility of a specific computational problem, such as factoring a 1024-bit RSA modulus or recovering a 128-bit AES key, and there are no known techniques to prove the hardness of such problems.
We mention several related survey articles which overlap to some extent with our exposition [1, 2, 3, 4, 5].
One of the standard topics in a first course in number theory is the Euler $\varphi$ function, with $\varphi(n)$ defined as the number of positive integers less than $n$ and relatively prime to $n$. A well-known consequence of Euler's theorem is that if $a$ and $b$ are any two positive integers with $(a, b) = 1$, then
\[ a^{\varphi(b)} + b^{\varphi(a)} \equiv 1 \pmod{ab}. \]
The Chinese Remainder Theorem (CRT) can also be used in secret sharing: two secret sharing schemes that make use of it are Mignotte's and Asmuth-Bloom's schemes. They are threshold secret sharing schemes in which the shares are generated by reduction modulo the integers $m_i$, and the secret is recovered by essentially solving the resulting system of congruences using the Chinese Remainder Theorem.
Theorem 1.0. (Chinese Remainder Theorem)
Suppose that $m_1, m_2, \dots, m_r$ are pairwise relatively prime positive integers, and let $a_1, a_2, \dots, a_r$ be integers. Then the system of congruences $x \equiv a_i \pmod{m_i}$ for $1 \le i \le r$ has a unique solution modulo $M = m_1 m_2 \cdots m_r$, given by
\[ x \equiv a_1 M_1 y_1 + a_2 M_2 y_2 + \dots + a_r M_r y_r \pmod{M}, \]
where $M_i = M/m_i$ and $y_i \equiv M_i^{-1} \pmod{m_i}$ for $1 \le i \le r$.
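Theorem 1.0 as a procedure, followed by one of the two CRT-based threshold schemes named above, Asmuth-Bloom, written here as an added Python example; it is not code from the paper. The parameters used in the test ($m_0 = 7$, moduli $11, 13, 17, 19$, threshold 3 of 4) are the example's own choice and satisfy the Asmuth-Bloom condition $m_0\, m_3 m_4 < m_1 m_2 m_3$.

```python
import secrets
from math import gcd, prod


def crt(residues, moduli):
    """Theorem 1.0 as a procedure: x = sum a_i M_i y_i mod M, where
    M = prod m_i, M_i = M / m_i and y_i = M_i^{-1} mod m_i."""
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if gcd(moduli[i], moduli[j]) != 1:
                raise ValueError("moduli must be pairwise coprime")
    M = prod(moduli)
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        y_i = pow(M_i, -1, m_i)
        x += a_i * M_i * y_i
    return x % M


def asmuth_bloom_share(secret, m0, moduli, k, alpha=None):
    """Asmuth-Bloom (n, k) threshold sharing over the CRT.

    secret in [0, m0); increasing moduli m_1 < ... < m_n, pairwise coprime and
    coprime to m0, with m0 * m_{n-k+2} * ... * m_n < m_1 * ... * m_k.
    The dealer picks alpha, sets y = secret + alpha*m0 < m_1 * ... * m_k and
    hands party i the share (m_i, y mod m_i).
    """
    n = len(moduli)
    if not 0 <= secret < m0:
        raise ValueError("secret must lie in [0, m0)")
    if list(moduli) != sorted(moduli) or any(gcd(m, m0) != 1 for m in moduli):
        raise ValueError("moduli must be increasing and coprime to m0")
    lo = prod(moduli[:k])                 # product of the k smallest moduli
    hi = m0 * prod(moduli[n - k + 1:])    # m0 times the k-1 largest moduli
    if hi >= lo:
        raise ValueError("Asmuth-Bloom condition m0*m_{n-k+2}..m_n < m_1..m_k fails")
    if alpha is None:                     # alpha is the dealer's random blinding
        alpha = secrets.randbelow((lo - secret) // m0)
    y = secret + alpha * m0
    if y >= lo:
        raise ValueError("alpha too large: y must stay below m_1 * ... * m_k")
    return [(m, y % m) for m in moduli]


def asmuth_bloom_recover(shares, m0, k):
    """Any k shares determine y (their moduli multiply to more than y);
    the secret is y mod m0."""
    if len(shares) < k:
        raise ValueError("need at least k shares")
    moduli = [m for m, _ in shares[:k]]
    residues = [r for _, r in shares[:k]]
    return crt(residues, moduli) % m0
```

With only $k-1$ shares the holders know $y$ modulo a product of at most $m_{n-k+2} \cdots m_n$; because $m_0$ times that product is smaller than $m_1 \cdots m_k$, the remaining candidates for $y$ run through every residue class modulo $m_0$, so every value of the secret stays possible. That is exactly what the inequality in the condition buys.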
2 Main Results
Lemma 2.1. Let $p$, $q$ and $r$ be three given distinct odd primes. Then there exist integers $k_1, k_2, k_3$ such that
\[ k_1 p\,(q^{r-1} + r^{q-1}) + k_2 q\,(p^{r-1} + r^{p-1}) + k_3 r\,(p^{q-1} + q^{p-1}) + 2 \equiv 0 \pmod{pqr}. \]
Proof:
Define $X = (p^{q-1} + q^{p-1}) + (p^{r-1} + r^{p-1}) + (q^{r-1} + r^{q-1}) - 2$. By Fermat's little theorem $q^{p-1} \equiv r^{p-1} \equiv 1 \pmod p$, while $p^{q-1} \equiv p^{r-1} \equiv 0 \pmod p$, and similarly for $q$ and $r$, so
\[ X \equiv q^{r-1} + r^{q-1} \pmod p, \qquad X \equiv p^{r-1} + r^{p-1} \pmod q, \qquad X \equiv p^{q-1} + q^{p-1} \pmod r. \]
By the CRT this system of congruences has exactly one solution modulo the product $pqr$.
Define $M = pqr$, $M_p = M/p = qr$, $M_q = M/q = pr$ and $M_r = M/r = pq$. Since $(M_p, p) = 1$, there is a unique $M'_p$ modulo $p$ such that $M_p M'_p \equiv 1 \pmod p$. Similarly there are unique $M'_q$ and $M'_r$ such that $M_q M'_q \equiv 1 \pmod q$ and $M_r M'_r \equiv 1 \pmod r$.
The CRT gives
\[ X \equiv (p^{q-1} + q^{p-1})\,M_r M'_r + (p^{r-1} + r^{p-1})\,M_q M'_q + (q^{r-1} + r^{q-1})\,M_p M'_p \pmod{pqr}, \]
that is,
\[ p^{q-1} + q^{p-1} + p^{r-1} + r^{p-1} + q^{r-1} + r^{q-1} - 2 \equiv (p^{q-1} + q^{p-1})\,M_r M'_r + (p^{r-1} + r^{p-1})\,M_q M'_q + (q^{r-1} + r^{q-1})\,M_p M'_p \pmod{pqr}, \]
and hence
\[ -2 \equiv (p^{q-1} + q^{p-1})(M_r M'_r - 1) + (p^{r-1} + r^{p-1})(M_q M'_q - 1) + (q^{r-1} + r^{q-1})(M_p M'_p - 1) \pmod{pqr}. \]
Since $p \mid M_p M'_p - 1$, $q \mid M_q M'_q - 1$ and $r \mid M_r M'_r - 1$, we may write $M_p M'_p - 1 = k_1 p$, $M_q M'_q - 1 = k_2 q$ and $M_r M'_r - 1 = k_3 r$. Thus
\[ k_1 p\,(q^{r-1} + r^{q-1}) + k_2 q\,(p^{r-1} + r^{p-1}) + k_3 r\,(p^{q-1} + q^{p-1}) + 2 \equiv 0 \pmod{pqr}. \]
Theorem 2.0. Let $S$ be the given secret and $N = pqr$, where $p$, $q$ and $r$ are distinct large odd primes, and let $k_1, k_2, k_3$ be as in Lemma 2.1. Define the three shares $Y_1, Y_2, Y_3$ by
\[ Y_1 \equiv -S k_1 p\,(q^{r-1} + r^{q-1}) \pmod N, \qquad Y_2 \equiv -S k_2 q\,(p^{r-1} + r^{p-1}) \pmod N, \qquad Y_3 \equiv -S\,\bigl(k_3 r\,(p^{q-1} + q^{p-1}) + 1\bigr) \pmod N. \]
Then $S \equiv Y_1 + Y_2 + Y_3 \pmod N$.
Proof: By Lemma 2.1,
\[ k_1 p\,(q^{r-1} + r^{q-1}) + k_2 q\,(p^{r-1} + r^{p-1}) + k_3 r\,(p^{q-1} + q^{p-1}) + 2 \equiv 0 \pmod N, \]
so
\[ 1 \equiv -k_1 p\,(q^{r-1} + r^{q-1}) - k_2 q\,(p^{r-1} + r^{p-1}) - \bigl(k_3 r\,(p^{q-1} + q^{p-1}) + 1\bigr) \pmod N. \]
Multiplying by $S$ gives $S \equiv Y_1 + Y_2 + Y_3 \pmod N$.
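Lemma 2.1 and Theorem 2.0 carried out in Python, as an added example rather than the authors' code. `lemma_coefficients` computes $k_1, k_2, k_3$ exactly as the proof does, from $M_p M'_p - 1 = k_1 p$ and its two companions, and `make_shares`/`recover` implement the three-share reconstruction; the primes and the secret in the test are small illustrative values. One property that follows directly from the definitions and that a practitioner should notice: $p \mid Y_1$ and $q \mid Y_2$, so a share holder who also knows $N$ obtains a factor of $N$ from $\gcd(Y_i, N)$ (`leaked_factor` shows this). $N$ and its prime factors must therefore stay with the dealer.

```python
from math import gcd


def _terms(p, q, r):
    """The three bracketed sums of Lemma 2.1."""
    Tp = q ** (r - 1) + r ** (q - 1)
    Tq = p ** (r - 1) + r ** (p - 1)
    Tr = p ** (q - 1) + q ** (p - 1)
    return Tp, Tq, Tr


def lemma_coefficients(p, q, r):
    """k1, k2, k3 of Lemma 2.1, built as in its proof: M_p = qr, M'_p = M_p^{-1} mod p,
    and M_p M'_p - 1 = k1 p (likewise for q and r)."""
    Mp, Mq, Mr = q * r, p * r, p * q
    k1 = (Mp * pow(Mp, -1, p) - 1) // p
    k2 = (Mq * pow(Mq, -1, q) - 1) // q
    k3 = (Mr * pow(Mr, -1, r) - 1) // r
    return k1, k2, k3


def lemma_holds(p, q, r):
    """Check k1 p Tp + k2 q Tq + k3 r Tr + 2 == 0 (mod pqr)."""
    k1, k2, k3 = lemma_coefficients(p, q, r)
    Tp, Tq, Tr = _terms(p, q, r)
    return (k1 * p * Tp + k2 * q * Tq + k3 * r * Tr + 2) % (p * q * r) == 0


def make_shares(S, p, q, r):
    """Theorem 2.0: the three shares Y1, Y2, Y3 of S modulo N = pqr."""
    N = p * q * r
    if not 0 <= S < N:
        raise ValueError("secret must lie in [0, N)")
    k1, k2, k3 = lemma_coefficients(p, q, r)
    Tp, Tq, Tr = _terms(p, q, r)
    Y1 = (-S * k1 * p * Tp) % N
    Y2 = (-S * k2 * q * Tq) % N
    Y3 = (-S * (k3 * r * Tr + 1)) % N
    return Y1, Y2, Y3


def recover(shares, N):
    """S == Y1 + Y2 + Y3 (mod N)."""
    return sum(shares) % N


def leaked_factor(share, N):
    """By construction p | Y1 and q | Y2: gcd(Y_i, N) hands the holder a factor of N."""
    return gcd(share, N)
```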
Algorithm 1.
∙ Choose two secret very large odd primes $r_1, r_2$ with $r_1 > r_2$.
∙ Construct integers $x, y$ with $x^2 + 1 = (r_1^2 + r_2^2)\,y$.
∙ Select two large odd primes $p$ and $q$.
∙ Define $n = pq$; then $\varphi(n) = (p-1)(q-1)$, where $\varphi(n)$ is Euler's phi function.
∙ Select a random $e$ with $1 < e < \varphi(n)$ and $(e, \varphi(n)) = 1$.
∙ For this $e$ there is a unique $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$.
∙ Consider $a = (r_1^2 + r_2^2)(y + d) - (x + \varphi(n))^2$. Then
\[ a = (r_1^2 + r_2^2)\,y - x^2 + (r_1^2 + r_2^2)\,d - \varphi(n)^2 - 2x\varphi(n) = 1 + (r_1^2 + r_2^2)\,d - \varphi(n)^2 - 2x\varphi(n), \]
so $a \equiv 1 + (r_1^2 + r_2^2)\,d \pmod{\varphi(n)}$, $ae \equiv e + (r_1^2 + r_2^2) \pmod{\varphi(n)}$, and therefore $s \equiv e \pmod{\varphi(n)}$, where $s = ae - (r_1^2 + r_2^2)$.
∙ Public key: $(s, n)$.
∙ Represent the message $m$ in the interval $[0, n-1]$ with $(m, n) = 1$.
∙ Encryption: writing $s = k\varphi(n) + e$,
\[ E \equiv m^s \equiv m^{k\varphi(n) + e} \equiv m^{k\varphi(n)} m^e \equiv \bigl(m^{\varphi(n)}\bigr)^k m^e \equiv m^e \pmod n. \]
∙ Key distribution: choose $\ell$ share holders and write $e = k_1 + k_2 + \dots + k_\ell$. Then
\[ E \equiv m^e \equiv m^{k_1 + k_2 + \dots + k_\ell} \equiv m^{k_1} m^{k_2} \cdots m^{k_\ell} \pmod n. \]
∙ For the $\ell$ share holders we can thus distribute the $\ell$ keys $m^{k_1}, m^{k_2}, \dots, m^{k_\ell}$.
Algorithm 2.
∙ Select a secret odd prime $r$.
∙ Consider the Diophantine (Pell) equation
\[ y^2 - r x^2 = 1. \tag{1} \]
∙ Let $(x_0, y_0)$ be the least positive integral solution of (1). Here $x_0, y_0$ are kept secret.
∙ Select two large odd primes $p$ and $q$.
∙ Define $n = pq$; then $\varphi(n) = (p-1)(q-1)$, where $\varphi(n)$ is Euler's phi function.
∙ Select a random $e$ with $1 < e < \varphi(n)$ and $(e, \varphi(n)) = 1$.
∙ For this $e$ there is a unique $d$ such that $ed \equiv 1 \pmod{\varphi(n)}$.
∙ Require $e^3 \not\equiv 1 \pmod{\varphi(n)}$ and $d^3 \not\equiv 1 \pmod{\varphi(n)}$.
∙ Consider
\[ a = (y_0 + \varphi(n))^2 - r\,(x_0 + e)^2. \tag{2} \]
Expanding (2) and using $y_0^2 - r x_0^2 = 1$ gives $a \equiv 1 - 2 r x_0 e - r e^2 \pmod{\varphi(n)}$; multiplying by $d^3$ and using $ed \equiv 1 \pmod{\varphi(n)}$ we obtain
\[ a d^3 + r d + 2 x_0 d^2 r \equiv d^3 \pmod{\varphi(n)}. \]
∙ Let $S = a d^3 + 2 x_0 d^2 r + r d$; then $S \equiv d^3 \pmod{\varphi(n)}$.
∙ Public key: $(S, n)$.
∙ Represent the message $m$ in the interval $[0, n-1]$ with $(m, n) = 1$.
∙ Encryption: writing $S = k\varphi(n) + d^3$,
\[ E \equiv m^S \equiv m^{k\varphi(n) + d^3} \equiv m^{k\varphi(n)} m^{d^3} \equiv \bigl(m^{\varphi(n)}\bigr)^k m^{d^3} \equiv m^{d^3} \pmod n. \]
∙ Key distribution: choose $\ell$ share holders and write $d^3 = k_1 + k_2 + \dots + k_\ell$. Then
\[ E \equiv m^{d^3} \equiv m^{k_1 + k_2 + \dots + k_\ell} \equiv m^{k_1} m^{k_2} \cdots m^{k_\ell} \pmod n. \]
∙ For the $\ell$ share holders we can thus distribute the $\ell$ keys $m^{k_1}, m^{k_2}, \dots, m^{k_\ell}$.
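Algorithms 1 and 2 end to end, as one added Python example (not the authors' implementation). The two equations are solved as the abstract suggests: $x^2 + 1 \equiv 0 \pmod{r_1^2 + r_2^2}$ via $x = r_1 r_2^{-1} \bmod (r_1^2 + r_2^2)$, which is a square root of $-1$ there because $r_1^2 \equiv -r_2^2$ (this shortcut is the example's, not the paper's), and $y^2 - r x^2 = 1$ via the convergents of the continued fraction of $\sqrt r$. The disguised exponents $s$ and $S$ are then formed exactly as in the steps above, checked against $e$ and $d^3$ modulo $\varphi(n)$, and the exponent is split additively among $\ell$ holders. The toy parameters in the test ($r_1, r_2 = 5, 3$; $r = 7$; $p, q = 11, 13$; $e = 7$) are the example's own. Two facts visible in the formulas deserve stating: $s$ can come out negative, in which case $m^s$ means a power of $m^{-1}$ (Python 3.8+ `pow` computes that when $\gcd(m, n) = 1$, which the message condition guarantees); and in Algorithm 2 the published exponent satisfies $S \equiv d^3$, so $m = E^{e^3} \bmod n$ and it is $e$ that must be kept secret there.

```python
import secrets
from math import gcd, isqrt


def rsa_setup(p, q, e):
    """n = pq, phi(n) = (p-1)(q-1), d = e^{-1} mod phi(n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < phi and gcd(e, phi) == 1):
        raise ValueError("need 1 < e < phi(n) with gcd(e, phi(n)) = 1")
    return n, phi, pow(e, -1, phi)


def solve_x2_plus_1(r1, r2):
    """Integers x, y with x^2 + 1 = (r1^2 + r2^2) y (Algorithm 1, step 2).
    r1^2 = -r2^2 mod (r1^2 + r2^2), so x = r1 * r2^{-1} squares to -1 there."""
    m = r1 * r1 + r2 * r2
    x = r1 * pow(r2, -1, m) % m
    assert (x * x + 1) % m == 0
    return x, (x * x + 1) // m


def pell_least_solution(r):
    """Least positive (x0, y0) with y0^2 - r x0^2 = 1, read off the convergents
    h_n / k_n of the continued fraction of sqrt(r) (Algorithm 2, step 3)."""
    a0 = isqrt(r)
    if a0 * a0 == r:
        raise ValueError("r must not be a perfect square")
    m, d, a = 0, 1, a0
    h_prev, h = 1, a0   # h_n = a_n h_{n-1} + h_{n-2}
    k_prev, k = 0, 1    # k_n = a_n k_{n-1} + k_{n-2}
    while h * h - r * k * k != 1:
        m = d * a - m
        d = (r - m * m) // d
        a = (a0 + m) // d
        h_prev, h = h, a * h + h_prev
        k_prev, k = k, a * k + k_prev
    return k, h


def alg1_public_key(r1, r2, p, q, e):
    """s = a e - (r1^2 + r2^2), a = (r1^2 + r2^2)(y + d) - (x + phi)^2; s = e mod phi(n)."""
    n, phi, d = rsa_setup(p, q, e)
    x, y = solve_x2_plus_1(r1, r2)
    m = r1 * r1 + r2 * r2
    a = m * (y + d) - (x + phi) ** 2
    s = a * e - m
    assert s % phi == e
    return s, n, d


def alg2_public_key(r, p, q, e):
    """S = a d^3 + 2 x0 d^2 r + r d, a = (y0 + phi)^2 - r (x0 + e)^2; S = d^3 mod phi(n)."""
    n, phi, d = rsa_setup(p, q, e)
    if pow(e, 3, phi) == 1 or pow(d, 3, phi) == 1:
        raise ValueError("e^3 and d^3 must not be 1 mod phi(n)")
    x0, y0 = pell_least_solution(r)
    a = (y0 + phi) ** 2 - r * (x0 + e) ** 2
    S = a * d**3 + 2 * x0 * d**2 * r + r * d
    assert S % phi == pow(d, 3, phi)
    return S, n, d


def encrypt(msg, exponent, n):
    """E = msg^exponent mod n; a negative exponent is a power of msg^{-1} mod n."""
    if not (0 <= msg < n and gcd(msg, n) == 1):
        raise ValueError("message must lie in [0, n-1] and be coprime to n")
    return pow(msg, exponent, n)


def split_exponent(exponent, ell):
    """exponent = k_1 + ... + k_ell with non-negative random parts (random cut points)."""
    cuts = sorted(secrets.randbelow(exponent + 1) for _ in range(ell - 1))
    bounds = [0] + cuts + [exponent]
    return [bounds[i + 1] - bounds[i] for i in range(ell)]


def distribute(msg, exponent, ell, n):
    """Holder i receives msg^{k_i} mod n; the product of all ell pieces is E."""
    return [pow(msg, k, n) for k in split_exponent(exponent, ell)]


def combine(pieces, n):
    acc = 1
    for piece in pieces:
        acc = acc * piece % n
    return acc
```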
Algorithm 3.
∙ Let $p, q, r, s$ be given distinct secret odd primes.
∙ Define $u = pq$ and $v = rs$.
∙ Select $a, b$ such that $(a, u) = 1$ and $(b, v) = 1$.
∙ Select two positive integers $e, f$ such that $(e, (p-1)(q-1)) = 1$ and $(f, (r-1)(s-1)) = 1$.
∙ Select a common secret $t$ such that none of $p, q, r, s$ divides $t$.
∙ Define $x_1, x_2$ as follows:
\[ x_1 \equiv a\,t^e \pmod u, \qquad x_2 \equiv b\,t^f \pmod v. \]
∙ Solve for $t$ uniquely modulo $uv$ using the Chinese Remainder Theorem.
∙ $t$ is the common secret shared by $x_1$ and $x_2$.
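Algorithm 3 as an added Python example, not the paper's code. The sketch does not say which values each holder keeps, so the example assumes that the holder of $x_1$ knows $(a, e, p, q)$ and the holder of $x_2$ knows $(b, f, r, s)$: each strips its blinding factor, takes the $e$-th (respectively $f$-th) root modulo its own modulus, and the two residues are combined by the two-modulus form of the CRT. The primes, $t$, $a$, $b$, $e$ and $f$ in the test are illustrative values. Note what the construction implies: a holder alone already learns $t \bmod u$ (or $t \bmod v$), so the CRT step only contributes when $t$ exceeds both $u$ and $v$ and, as the uniqueness statement requires, lies below $uv$.

```python
from math import gcd


def alg3_dealer(p, q, r, s, t, a, b, e, f):
    """Dealer side: publish x1 = a t^e mod u and x2 = b t^f mod v."""
    u, v = p * q, r * s
    if any(t % prime == 0 for prime in (p, q, r, s)):
        raise ValueError("none of p, q, r, s may divide t")
    if gcd(a, u) != 1 or gcd(b, v) != 1:
        raise ValueError("need gcd(a, u) = gcd(b, v) = 1")
    if gcd(e, (p - 1) * (q - 1)) != 1 or gcd(f, (r - 1) * (s - 1)) != 1:
        raise ValueError("e and f must be invertible modulo phi(u) and phi(v)")
    x1 = a * pow(t, e, u) % u
    x2 = b * pow(t, f, v) % v
    return x1, x2


def holder_u(x1, a, e, p, q):
    """Holder of the (p, q) side (assumed to know a, e, p, q): recovers t mod u."""
    u = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(x1 * pow(a, -1, u) % u, d, u)


def holder_v(x2, b, f, r, s):
    """Holder of the (r, s) side (assumed to know b, f, r, s): recovers t mod v."""
    v = r * s
    d = pow(f, -1, (r - 1) * (s - 1))
    return pow(x2 * pow(b, -1, v) % v, d, v)


def combine(t_u, u, t_v, v):
    """CRT for two coprime moduli: the unique t mod uv with t = t_u (mod u), t = t_v (mod v)."""
    if gcd(u, v) != 1:
        raise ValueError("u and v must be coprime")
    return (t_u * v * pow(v, -1, u) + t_v * u * pow(u, -1, v)) % (u * v)
```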
BC code
∙ Let $N$ be a fixed positive integer.
∙ Define $\varphi(i, N) = \bigl|\{x \mid i \le x \le N \text{ with } (x, N) = 1\}\bigr|$ for $i \in \{1, 2, \dots, N\}$.
∙ Define the BC code of $N$ ($BC_N$) as follows:
\[ BC_N = \bigl(\varphi(1, N), \varphi(2, N), \dots, \varphi(N-1, N), \varphi(N, N)\bigr). \]
Remark. For every positive integer $N$ we can write a unique BC code.
Theorem 2.0. Let $N$ be any positive integer. Then $N$ is a prime if and only if $BC_N = (N-1, N-2, \dots, 2, 1, 0)$.
.............................
∙ Let $N$ be an odd positive integer.
∙ Let $S_N = \{1, 2, 3, \dots, N-1, N\}$.
∙ Define $A = \{x \in S_N \mid (x, N) = 1\}$, where $(x, N) = \gcd(x, N)$.
∙ For each $e$ with $(e, \varphi(N)) = 1$, the map $x \longrightarrow x^e$ is a permutation of $A$.
∙ $|A| = \varphi(N) = N \prod_{p \mid N} \bigl(1 - \tfrac{1}{p}\bigr)$, where the product is over the distinct primes dividing $N$.
∙ Let $f : A \longrightarrow A$ with $f(x) = N - x$ for all $x \in A$. Then $f$ is a bijection on $A$.
∙ Define $S_1 = \sum_{x \in A} x$; since $f$ is a bijection, also $S_1 = \sum_{x \in A} (N - x)$. Then
\[ 2S_1 = \sum_{(x, N) = 1} N = N\varphi(N), \qquad S_1 = \frac{N\varphi(N)}{2}. \]
∙ Define $B = \{x \in A \mid (x+1, N) = 1\}$.
∙ Write $\psi(N) = |B|$; then $\psi(N) = N \prod_{p \mid N} \bigl(1 - \tfrac{2}{p}\bigr)$, where the product is over the distinct primes dividing $N$ ($B$ is non-empty if and only if $N$ is odd).
∙ Let $g : B \longrightarrow B$ with $g(y) = N - y - 1$ for all $y \in B$. Then $g$ is a bijection on $B$.
∙ Define $S_2 = \sum_{y \in B} y$; since $g$ is a bijection, also $S_2 = \sum_{y \in B} (N - y - 1)$. Then
\[ 2S_2 = \sum_{(x, N) = (x+1, N) = 1} (N - 1) = (N - 1)\,\psi(N), \qquad S_2 = \frac{(N - 1)\,\psi(N)}{2}. \]
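The BC code, the primality criterion and the two sum identities computed directly in Python, as an added example that is not from the paper. Writing $\psi(N)$ for $|B| = N\prod_{p \mid N}(1 - 2/p)$, `phi` and `psi` use the product formulas, `sum_A` and `sum_B` add up the sets $A$ and $B$ by brute force, and `identities_hold` compares the two sides of $2S_1 = N\varphi(N)$ and $2S_2 = (N-1)\psi(N)$.

```python
from math import gcd


def bc_code(N):
    """BC_N = (phi(1, N), ..., phi(N, N)), where phi(i, N) counts the x with
    i <= x <= N and gcd(x, N) = 1; computed as suffix sums of one coprimality scan."""
    flags = [1 if gcd(x, N) == 1 else 0 for x in range(1, N + 1)]
    code, running = [], 0
    for flag in reversed(flags):
        running += flag
        code.append(running)
    return tuple(reversed(code))


def is_prime_by_bc(N):
    """The theorem: N is prime iff BC_N = (N-1, N-2, ..., 1, 0)."""
    return N > 1 and bc_code(N) == tuple(range(N - 1, -1, -1))


def prime_factors(N):
    """Set of distinct primes dividing N (trial division)."""
    factors, d, rest = set(), 2, N
    while d * d <= rest:
        while rest % d == 0:
            factors.add(d)
            rest //= d
        d += 1
    if rest > 1:
        factors.add(rest)
    return factors


def phi(N):
    """|A| = N prod_{p | N} (1 - 1/p)."""
    value = N
    for p in prime_factors(N):
        value = value // p * (p - 1)
    return value


def psi(N):
    """|B| = N prod_{p | N} (1 - 2/p); zero for even N."""
    value = N
    for p in prime_factors(N):
        value = value // p * (p - 2)
    return value


def sum_A(N):
    """S_1: sum of the x in [1, N] coprime to N."""
    return sum(x for x in range(1, N + 1) if gcd(x, N) == 1)


def sum_B(N):
    """S_2: sum of the x in [1, N] with x and x + 1 both coprime to N."""
    return sum(x for x in range(1, N + 1) if gcd(x, N) == 1 and gcd(x + 1, N) == 1)


def identities_hold(N):
    """2 S_1 = N phi(N) and 2 S_2 = (N - 1) psi(N)."""
    return 2 * sum_A(N) == N * phi(N) and 2 * sum_B(N) == (N - 1) * psi(N)
```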
Problem 2.1. Let $N \ge 3$ be a given positive integer. Define a tree $T_N$ as follows: for each $x > 1$ with $(x, N) = 1$ there is a unique vertex $v_x \in V(T_N)$ with $\deg v_x = x$, and all remaining vertices are leaves. Prove that the number of vertices of $T_N$ is
\[ n = \frac{\varphi(N)}{2}\,(N - 2) + 2. \]
Proof:
Let $N \ge 3$ be a positive integer and let $x_2, x_3, \dots, x_{\varphi(N)}$ be the integers $x$ with $1 < x \le N$ and $\gcd(x, N) = 1$. Construct a tree $T_N$ such that for each $x_i$ there exists a unique vertex $v_{x_i}$ of degree $x_i$, and let $|V(T_N)| = n$. Clearly the degrees of all vertices sum to $2(n-1)$. The vertices $v_{x_i}$ contribute $S_1 - 1 = N\varphi(N)/2 - 1$ and the remaining $n - (\varphi(N) - 1)$ leaves contribute $1$ each, so
\[ \Bigl(\frac{N\varphi(N)}{2} - 1\Bigr) + n - (\varphi(N) - 1) = 2n - 2, \]
which gives $n = \frac{\varphi(N)}{2}(N - 2) + 2$.
Problem 2.2. Let $N \ge 3$ be a positive integer. Construct a tree $T_N$ such that for each $x > 1$ with $(x, N) = (x+1, N) = 1$ there is a unique vertex $v_x$ of degree $x$, and all remaining vertices are leaves. Prove that the number of vertices of $T_N$ is
\[ n = \frac{\psi(N)}{2}\,(N - 3) + 2. \]
Proof:
Let $N \ge 3$ be odd (so that $1 \in B$) and let $x_2, x_3, \dots, x_{\psi(N)}$ be the integers $x$ with $1 < x \le N$ and $(x, N) = (x+1, N) = 1$. Construct a tree $T_N$ such that for each $x_i$ there exists a unique vertex $v_{x_i}$ of degree $x_i$, and let $|V(T_N)| = n$. Clearly the degrees sum to $2(n-1)$; the vertices $v_{x_i}$ contribute $S_2 - 1 = (N-1)\psi(N)/2 - 1$ and the remaining $n - (\psi(N) - 1)$ leaves contribute $1$ each, so
\[ \Bigl(\frac{(N-1)\,\psi(N)}{2} - 1\Bigr) + n - (\psi(N) - 1) = 2n - 2, \]
which gives $n = \frac{\psi(N)}{2}(N - 3) + 2$.
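A constructive check of Problems 2.1 and 2.2, added here as an example (not part of the paper). The degree sequence is assembled from the special degrees together with the leaf count that the handshake lemma forces, the tree is realised by decoding the Prüfer sequence in which each vertex appears degree minus one times (a construction chosen for the example), and the vertex count is compared with the closed forms, with $\varphi(N)$ and $\psi(N) = |\{x : (x, N) = (x+1, N) = 1\}|$ counted directly. `offsets=(0,)` gives Problem 2.1 and `offsets=(0, 1)` Problem 2.2.

```python
import heapq
from math import gcd


def special_degrees(N, offsets):
    """Degrees x > 1 with gcd(x + j, N) = 1 for every j in offsets:
    offsets = (0,) for Problem 2.1, (0, 1) for Problem 2.2."""
    return [x for x in range(2, N + 1) if all(gcd(x + j, N) == 1 for j in offsets)]


def tree_from_degrees(degrees):
    """Decode the Prufer sequence in which vertex v occurs deg(v) - 1 times;
    the result is a tree on len(degrees) vertices with exactly those degrees.
    Requires every degree >= 1 and sum(degrees) == 2 (n - 1)."""
    n = len(degrees)
    if n < 2 or min(degrees) < 1 or sum(degrees) != 2 * (n - 1):
        raise ValueError("not the degree sequence of a tree")
    seq = [v for v, d in enumerate(degrees) for _ in range(d - 1)]
    remaining = list(degrees)
    leaves = [v for v in range(n) if remaining[v] == 1]
    heapq.heapify(leaves)
    edges = []
    for v in seq:                      # join the smallest current leaf to v
        leaf = heapq.heappop(leaves)
        edges.append((leaf, v))
        remaining[leaf] -= 1
        remaining[v] -= 1
        if remaining[v] == 1:          # v's last occurrence: it is now a leaf
            heapq.heappush(leaves, v)
    a, b = [v for v in range(n) if remaining[v] == 1]
    edges.append((a, b))
    return edges


def build_tree(N, offsets):
    """T_N: one vertex of degree x per special x, all other vertices leaves.
    With k special vertices of total degree D and L leaves, D + L = 2 (k + L - 1),
    so L = D - 2k + 2.  Returns (number of vertices, edge list)."""
    special = special_degrees(N, offsets)
    leaves = sum(special) - 2 * len(special) + 2
    degrees = special + [1] * leaves
    return len(degrees), tree_from_degrees(degrees)


def predicted_size(N, offsets):
    """Closed forms of Problems 2.1 and 2.2: phi(N)(N-2)/2 + 2 and psi(N)(N-3)/2 + 2."""
    count = sum(1 for x in range(1, N + 1) if all(gcd(x + j, N) == 1 for j in offsets))
    return count * (N - 1 - len(offsets)) // 2 + 2


def degrees_of(edges, n):
    degs = [0] * n
    for a, b in edges:
        degs[a] += 1
        degs[b] += 1
    return degs
```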
Problem 2.3. Let $N \ge 3$ be an odd positive integer. Construct a tree $T_N$ such that for each $x > 1$ with $(x, N) = (x+1, N) = (x+2, N) = 1$ there is a unique vertex $v_x$ of degree $x$, and all remaining vertices are leaves. Prove that the number of vertices of $T_N$ is $n = \,?$
Proof:
Let $N \ge 3$ be an odd positive integer and let the $x_i$ be the integers $x > 1$ with $(x, N) = 1$, $(x+1, N) = 1$ and $(x+2, N) = 1$. Construct a tree $T_N$ such that for each $x_i$ there exists a unique vertex $v_{x_i}$ of degree $x_i$.
.......................................
Problem 2.4. Let $n$ be a composite positive integer and let $p$ be the smallest prime divisor of $n$, with $n/p = n_1$. Let $q$ be the smallest prime divisor of $n_1$. Prove that if $q > n_1^{1/3}$ then $n_1/q$ is prime.
Solution: Suppose $n_1/q = ab$ where $1 < a, b < n_1/q$. Let $r$ and $s$ be prime divisors of $a$ and $b$ respectively; then $r$ and $s$ are also prime divisors of $n_1$, so that $r \ge q$ and $s \ge q$. This implies that
\[ q^3 = q \cdot q \cdot q \le q \cdot r \cdot s \le q \cdot a \cdot b = n_1, \]
that is, $q^3 \le n_1$, which is a contradiction. Therefore $n_1/q$ is prime.
Problem 2.5. Let $n$ be a composite positive integer and let $p$ be the smallest prime divisor of $n$, with $p^2 \mid n$. Prove that if $p^2 > n/p^2$ then $n/p^2$ is prime.
Solution: Suppose $n/p^2 = ab$ where $1 < a, b < n/p^2$. Let $r$ and $s$ be prime divisors of $a$ and $b$ respectively; then $r$ and $s$ are also prime divisors of $n$, so that $r \ge p$ and $s \ge p$. This implies that
\[ p^4 = p^2 \cdot p \cdot p \le p^2 \cdot r \cdot s \le p^2 \cdot a \cdot b = n, \]
that is, $p^4 \le n$, which contradicts $p^2 > n/p^2$. Therefore $n/p^2$ is prime.
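Problems 2.4 and 2.5 used as trial-division shortcuts, in Python, added as an example rather than taken from the paper: once the smallest prime factor $q$ of $n_1$ exceeds $n_1^{1/3}$, the cofactor $n_1/q$ is prime and no further division is needed; likewise $n/p^2$ is prime when $p^2 > n/p^2$. The degenerate case $n_1 = q$ (where $n_1/q = 1$) is reported separately, and `None` means the hypothesis of the problem does not hold, so the shortcut says nothing.

```python
def icbrt(n):
    """Largest integer c with c^3 <= n (float estimate corrected exactly)."""
    c = round(n ** (1 / 3))
    while c ** 3 > n:
        c -= 1
    while (c + 1) ** 3 <= n:
        c += 1
    return c


def smallest_prime_factor(n):
    """Trial division; returns n itself when n is prime."""
    if n % 2 == 0:
        return 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return d
        d += 2
    return n


def factor_by_problem_2_4(n):
    """p = spf(n), n1 = n / p, q = spf(n1).  If q > n1^(1/3), Problem 2.4 says
    n1 / q is prime, so [p, q, n1 / q] is the complete factorisation without
    testing the last factor.  Returns None when q <= n1^(1/3)."""
    p = smallest_prime_factor(n)
    if p == n:
        raise ValueError("n must be composite")
    n1 = n // p
    q = smallest_prime_factor(n1)
    if q == n1:                      # n = p * q with q prime; nothing left
        return [p, q]
    if q > icbrt(n1):
        return [p, q, n1 // q]
    return None


def factor_by_problem_2_5(n):
    """p = spf(n) with p^2 | n.  If p^2 > n / p^2, Problem 2.5 says n / p^2 is
    prime.  Returns None when p^2 does not divide n or the inequality fails."""
    p = smallest_prime_factor(n)
    if n % (p * p) != 0:
        return None
    rest = n // (p * p)
    if rest == 1:
        return [p, p]
    if p * p > rest:
        return [p, p, rest]
    return None
```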
............................
∙ Let $N = pq$ where $p$ and $q$ are distinct odd primes with $3 \nmid p$ and $3 \nmid q$.
∙ Suppose the value $\theta(N) = (p-3)(q-3)$ is known. Then
\[ \theta(N) = N - 3p - 3q + 9, \qquad 3(p + q) = N + 9 - \theta(N), \qquad p + q = \frac{N + 9 - \theta(N)}{3}. \]
∙ Consider the quadratic equation $x^2 - (p+q)\,x + pq = 0$.
∙ Solve the equation and find its roots $\alpha$ and $\beta$.
∙ These roots give $p$ and $q$.
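The recovery of $p$ and $q$ from $N$ and $\theta(N) = (p-3)(q-3)$, together with the same calculation for Euler's $\varphi(N) = (p-1)(q-1)$ (where $p + q = N + 1 - \varphi(N)$), as an added Python example that is not the paper's code. The point for a practitioner is that either value, if it leaks, factors $N$ with a single integer square root.

```python
from math import isqrt


def _roots(s, N):
    """Integer roots of x^2 - s x + N = 0: the pair (p, q) with p + q = s and pq = N."""
    disc = s * s - 4 * N
    if disc < 0:
        raise ValueError("no real roots: the given value is inconsistent with N")
    d = isqrt(disc)
    if d * d != disc or (s - d) % 2:
        raise ValueError("no integer roots: the given value is inconsistent with N")
    return (s - d) // 2, (s + d) // 2


def factor_from_theta(N, theta):
    """N = pq with 3 not dividing p, q and theta = (p-3)(q-3):
    p + q = (N + 9 - theta) / 3, then solve the quadratic."""
    num = N + 9 - theta
    if num % 3:
        raise ValueError("N + 9 - theta must be divisible by 3")
    return _roots(num // 3, N)


def factor_from_phi(N, phi):
    """Same idea with Euler's function: phi = (p-1)(q-1) gives p + q = N + 1 - phi."""
    return _roots(N + 1 - phi, N)
```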
........................................
∙ Let $T$ be the given graceful tree on $q$ edges ($q$ very large).
∙ Let $f : V(T) \longrightarrow \{0, 1, 2, \dots, q\}$ be the graceful labeling of $T$ (which is kept secret).
∙ Choose $\{m_1, m_2, \dots, m_k\} \subseteq E(T)$ such that $(m_i, m_j) = 1$ for $i \ne j$, where $k$ is as large as possible.
∙ FACT 1: $x \equiv \deg(m_i) \pmod{m_i}$, $1 \le i \le k$.
∙ FACT 2: $x \equiv \sum_{i=1}^{2} \bigl(\psi(G_i) - \varphi(G_i)\bigr) \pmod{m_i}$, $1 \le i \le k$.
......................
3 Conclusion
This paper dealt with two fundamental cryptographic tools that are useful in multi-party settings: generalized secret sharing schemes and key distribution schemes. A secret sharing scheme enables certain predetermined sets of parties to reconstruct a given secret. Such schemes make it possible to store secret information in a network so that only qualified subsets of the parties can reconstruct the information. Furthermore, by using these schemes we can allow only such subsets to perform an action in a system.
References
[1] R. Alléaume, N. Lütkenhaus, R. Renner, P. Grangier, T. Debuisschert, G. Ribordy, N. Gisin, P. Painchault, T. Pornin, L. Salvail, M. Riguidel, A. Shields, T. Länger, M. Peev, M. Dianati, A. Leverrier, A. Poppe, J. Bouda, C. Branciard, M. Godfrey, J. Rarity, H. Weinfurter, A. Zeilinger, and C. Monyk. Quantum key distribution and cryptography: a survey. In S. L. Braunstein, H.-K. Lo, K. Paterson, and P. Ryan, editors, Classical and Quantum Information Assurance Foundations and Practice, number 09311 in Dagstuhl Seminar Proceedings, Dagstuhl, Germany, 2010. Schloss Dagstuhl - Leibniz-Zentrum für Informatik, Germany.
[2] A. Beimel. Secret-sharing schemes: a survey. In Proceedings of the Third International Conference on Coding and Cryptology, IWCC'11, pages 11–46, Berlin, Heidelberg, 2011. Springer-Verlag.
[3] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography. Rev. Mod. Phys., 74:145–195, 2002.
[4] U. Maurer. Information-theoretic cryptography. In M. Wiener, editor, Advances in Cryptology — CRYPTO '99, volume 1666 of Lecture Notes in Computer Science, pages 47–64. Springer-Verlag, Aug. 1999.
[5] S. Wolf. Unconditional security in cryptography. In I. Damgård, editor, Lectures on Data Security, volume 1561 of Lecture Notes in Computer Science, pages 217–250. Springer, Berlin / Heidelberg, 1999.
[6] G. R. Blakley. Safeguarding cryptographic keys. Proceedings of the National Computer Conference, 48:313–317, 1979.
[7] A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
[8] D. E. Knuth. Seminumerical Algorithms, volume 2 of The Art of Computer Programming, 3rd edition. Addison-Wesley, 1997, p. 505.