Secure Schemes for Secret Sharing and Key

Distribution

N. Chandramowliswaran, P. Muralikrishna and S. Srinivasan

School of Advanced Sciences,Vellore Institute of Technology,

Vellore 632 014,India.

e-mail: smrail@gmail.com

Abstract

In resent years the security of operations taking place over a computer

network become very important. It is necessary to protect such actions

against bad users who may try to misuse the system (e.g. steal credit

card numbers, read personal mail, or impersonate other users.) Many

protocols and schemes were designed to solve problem of this type. This

paper deals with two fundamental cryptographic tools that are useful in such

contexts: generalized secret sharing scheme and key distribution schemes.

Both secret sharing schemes and key distribution schemes are used in multi-

party systems. secret sharing schemes enables some predetermined sets of

parties to reconstruct a given secret. In this paper we have shown a novel

key pre distribution algorithm based on number theory which uses Chineese

Remainder Theorem (CRT), Continued fractions (CF) and pell’s equation.

1 Introduction

Secret sharing (also called secret splitting) refers to method for distributing a

secret amongst a group of participants, each of whom is allocated a share of the

1

2

secret. The secret can be reconstructed only when a sufficient number, of possibly

different types, of shares are combined together; individual shares are of no use

on their own.

Secret sharing was invented independently by Adi Shamir [6] and George

Blakley [7] in 1979. Secret sharing schemes are ideal for storing information that is

highly sensitive and highly important. Examples include: encryption keys, missile

launch codes, and numbered bank accounts. Each of these pieces of information

must be kept highly confidential, as their exposure could be disastrous, however,

it is also critical that they not be lost. Traditional methods for encryption are

ill-suited for simultaneously achieving high levels of confidentiality and reliability.

This is because when storing the encryption key, one must choose between keeping

a single copy of the key in one location for maximum secrecy, or keeping multiple

copies of the key in different locations for greater reliability. Increasing reliability

of the key by storing multiple copies lowers confidentiality by creating additional

attack vectors; there are more opportunities for a copy to fall into the wrong

hands. Secret sharing schemes address this problem, and allow arbitrarily high

levels of confidentiality and reliability to be achieved.

A secure secret sharing scheme distributes shares so that anyone with fewer

than t shares has no extra information about the secret than someone with 0

shares.

Consider for example the secret sharing scheme in which the secret phrase

security is divided into the shares se−−−−−−,−− cu−−−−,−−−− ri−−,

and − − − − − − ty. A person with 0 shares knows only that the password

consists of eight letters. He would have to guess the password from 268 = 208

billion possible combinations. A person with one share, however, would have to

guess only the six letters, from 266 = 308 million combinations, and so on as

more persons collude. Consequently this system is not a secure secret sharing

scheme, because a player with fewer than t secret-shares is able to reduce the

problem of obtaining the inner secret without first needing to obtain all of the

necessary shares.

More generally, (n; k) secret sharing is the problem of distributing a secret

3

number s among n people so that no k − 1 of them have any information

about s but k of them can determine s. Shamir’s secret sharing does this by

giving the n -th party f(n), where f is an appropriately chosen polynomial. The

dealer Dan picks random field elements a1, a2, . . . , ak−1, and uses the polynomial

f(t) = s + a1t + a2t2 + ⋅ ⋅ ⋅ + ak−1t

k−1. He gives the n -th person f(n). For

k people to recover the secret, they just pool their shares and use Lagrange

interpolation to find the unique degree k − 1 polynomial passing through the k

points. (Lagrange interpolation works over any field. In practice, a large finite

field would probably be used.) The secret is just the constant term. Any k − 1

people have no knowledge about s. They have k − 1 points on the polynomial,

but there is a degree k − 1 polynomial going through their k − 1 points and

(0, t) for any integer t, so their combined knowledge reveals nothing about s.

The current trend towards cloud computing means that more and more data

is being processed and stored by online resources beyond physical and logical

control of the owner. It is a simple task for an adversary to intercept, copy, and

store any data sent across a public network and from this point on, confidentiality

is determined solely by the original encryption scheme. Hence re-encryption is

useless, and even deletion of data cannot be guaranteed.

Current cryptographic schemes in wide deployment today, such as RSA, Dife

Hellman, and AES, do not over long term confidentiality guarantees. This

is because concrete security is based on the current infeasibility of a specific

computational problem, such as factoring a 1024 -bit RSA modulus or computing

a 128 -bit AES key, and there are no known techniques to prove the hardness of

such problems.

We mention several related survey articles which overlap to some extent with

our exposition [1][2][3][4][5]

One of the standard topics in a first course in number theory is the Euler �

function, with �(n) defined as the number of positive integers less than n and

relatively prime to n. A famous theorem involving � is that suppose a and b

are any two positive integers with (a, b) = 1 then a�(b)+b�(a) ≡ 1(mod ab). The

Chinese Remainder Theorem (CRT) can also be used in secret sharing, there are

4

two secret sharing schemes that make use of the Chinese Remainder Theorem,

Mignotte’s and Asmuth-Bloom’s Schemes. They are threshold secret sharing

schemes, in which the shares are generated by reduction modulo the integers

mi, and the secret is recovered by essentially solving the system of congruences

using the Chinese Remainder Theorem.

Theorem 1.0. (Chinese Remainder Theorem)

Suppose that m1,m2, . . . ,mr are pairwise relatively prime positive integers, and

let a1, a2, . . . , ar be integers. Then the system of congruences, x ≡ ai(mod mi)

for 1 ≤ i ≤ r, has a unique solution modulo M = m1 ×m2 × . . .×mr, which is

given by: x ≡ a1M1y1 + a2M2y2 + . . .+ arMryr(mod M), where Mi =Mmi

and

yi ≡ (Mi)−1(mod mi) for 1 ≤ i ≤ r.

2 Main Results

Lemma 2.1. Let p, q and r be three given distinct odd primes. Then there exist

integers k1, k2 and k3 such that

k1p(qr−1 + rq−1) + k2q(p

r−1 + rq−1) + k3r(pq−1 + qp−1) + 2 ≡ 0 (mod pqr).

Proof:

Define: X = (pq−1 + qp−1) + (pr−1 + rp−1) + (qr−1 + rq−1)− 2. Then

X ≡ (qr−1 + rq−1)(modp)

X ≡ (pr−1 + rp−1)(modq) and

X ≡ (pq−1 + qp−1)(modr).

By CRT, the above system of congruences has exactly one solution modulo the

product pqr.

Define M = pqr

Mp = Mp

= qr,Mq = Mq

= pr and Mr = Mr

= pq.

Since (Mp, p) = 1, then there is a unique M ′p such that MpM

′p ≡ 1 (mod p).

Similarly there are unique M ′q and M ′

r such that

MqM′q ≡ 1 (mod q) and MrM

′r ≡ 1 (mod r).

Consider

X ≡ ((pq−1+qp−1)MrM′r+(pr−1+rp−1)MqM

′q+(qr−1+rq−1)MpM

′p) (mod pqr)

5

pq−1 + qp−1 + pr−1 + rp−1 + qr−1 + rq−1 − 2

≡ ((pq−1+ qp−1)MrM′r+(pr−1+ rp−1)MqM

′q+(qr−1+ rq−1)MpM

′p) (mod pqr)

−2 ≡ ((pq−1 + qp−1)(MrM′r − 1) + (pr−1 + rp−1)(MqM

′q − 1)

+(qr−1 + rq−1)(MpM′p − 1)) (mod pqr)

Thus

k1p(qr−1 + rq−1) + k2q(p

r−1 + rq−1) + k3r(pq−1 + qp−1) + 2 ≡ 0 (mod pqr).

Theorem 2.0. Let S be the given secret and N = pqr where p, q and r are

distinct large odd primes. Define three secret shareholders Y1, Y2, Y3 as follows:

Y1 ≡ (−Sk1p(qr−1 + rq−1)) (mod N), Y2 ≡ (−Sk2q(p

r−1 + rp−1)) (mod N) and

Y3 ≡ (−S(k3r(pq−1 + qp−1) + 1)) (modN) then S = Y1 + Y2 + Y3(mod N)

Proof: By the above Lemma 2.1, we have

k1p(qr−1 + rq−1) + k2q(p

r−1 + rq−1) + k3r(pq−1 + qp−1) + 2 ≡ 0 (mod N).

1 ≡ (−(k1p(qr−1+rq−1))− (k2q(p

r−1+rq−1))− (k3r(pq−1+qp−1)+1)) (mod N)

Thus S = Y1 + Y2 + Y3(mod N).

Algorithm 1.

∙ Choose two secret very large odd primes r1, r2 with r1 > r2

∙ Construct x2 + 1 = (r21 + r22)y

∙ Select two large odd primes p and q

∙ Define n = pq then �(n) = (p−1)(q−1) Where �(n) is Euler phi function

∙ Select a random e such that [ 1 < e < �(n) ] (e, �(n)) = 1

∙ For an e there is a unique d such that ed ≡ 1(mod �(n))

∙ consider a = (r21 + r22)(y + d)− (x+ �(n))2

a = (r21 + r22)y − x2 + (r21 + r22)d− [�(n)]2 − 2x�(n)

= 1 + (r21 + r22)d− [�(n)]2 − 2x�(n)

a ≡ 1 + (r21 + r22)d(mod �(n))

ae ≡ e+ (r21 + r22)(mod �(n))

s ≡ e(mod �(n)) where s = ae− (r21 + r22)

6

∙ Public key: (s, n)

∙ Represent the message m in the interval [0, n− 1] with (m,n) = 1

∙ Encryption

E ≡ ms(mod n)

≡ mk�(n)+e(mod n)

≡ mk�(n)me(mod n)

≡ [m�(n)]kme(mod n)

≡ me(mod n)

∙ Key distribution: Choose ℓ share holders then e = k1 + k2 + ⋅ ⋅ ⋅+ kℓ

E ≡ me(mod n)

E ≡ mk1+k2+⋅⋅⋅+kℓ(mod n)

E ≡ mk1mk2 . . .mkℓ(mod n)

∙ For ℓ share holders we can distribute ℓ key’s such as mk1 ,mk2 , . . . ,mkℓ .

Algorithm 2.

∙ Select a secret odd prime integer r

∙ Consider the Diophantine Equation:

y2 − rx2 = 1 (1)

∙ Let (x0, y0) be the least positive integral solution of (1). Here x0, y0 are

kept secret

∙ Select two large odd primes p and q

∙ Define n = pq then �(n) = (p−1)(q−1) Where �(n) is Euler phi function

∙ Select a random e such that [ 1 < e < �(n) ] such that (e, �(n)) = 1

∙ For an e there is a unique d such that ed ≡ 1(mod �(n))

∙ consider a = (y0 + �(n))2 − r(x0 + e)2 (2)

∙ e3 is not congruent to 1(mod �(n)) and d3 is not congruent to

1(mod �(n))

7

∙ From (2) ad3 + rd+ 2x0d2r ≡ d3 (mod �(n))

∙ Let S = ad3 + 2x0d2r + rd then S ≡ d3 (mod �(n))

∙ Public key: (s, n)

∙ Represent the message m in the interval [0, n− 1] with (m,n) = 1

∙ Encryption

E ≡ ms(mod n)

≡ mk�(n)+d3(mod n)

≡ mk�(n)md3(mod n)

≡ [m�(n)]kmd3(mod n)

≡ md3(mod n)

∙ Key distribution: Choose ℓ share holders then d3 = k1 + k2 + ⋅ ⋅ ⋅+ kℓ

E ≡ md3(mod n)

E ≡ mk1+k2+⋅⋅⋅+kℓ(mod n)

E ≡ mk1mk2 . . .mkℓ(mod n)

∙ For ℓ share holders we can distribute ℓ key’s such as mk1 ,mk2 , . . . ,mkℓ .

Algorithm 3.

∙ Let p, q, r and s be the given distinct secrete odd primes.

∙ Define u = p q and v = r s

∙ Select a, b such that (a, u) = 1 and (b, v) = 1

∙ Select two positive integers e, f such that

(e, (p− 1)(q − 1)) = 1 and (f, (r − 1)(s− 1)) = 1

∙ Select a common secret t with p, q, r, s should not divide H

∙ Define x1, x2 as follows:

x1 ≡ ate(mod U)

x2 ≡ btf (mod V )

∙ Solve t uniquely under (mod UV ) using Chineese Remainder Theorem

8

∙ t is the common secret shared by x1 and x2

BC code

∙ Let N be a fixed positive integer

∙ Define �(i,N) =∣ {x ∣ i ≤ x ≤ N witℎ (x,N) = 1} ∣ where i ∈ {1, 2, . . . , N}

∙ Define the BC code for N (BCN ) as follows:

BCN = (�(1,N), �(2,N), . . . , �(N−1,N), �(N,N))

Remark

For every positive integer N we can write a unique BC code

Theorem 2.0. Let N be any positive integer. Then N is a prime if and only

if there exist a unique BC code such that BCN = (N − 1, N − 2, . . . , 2, 1, 0).

.............................

9

∙ Let N be an odd positive integer

∙ Let SN = {1, 2, 3, . . . , N − 1, N}

∙ Define A = {x ∈ SN ∣ 1 ≤ x ≤ N, (x,N) = 1} where gcd{x,N} = 1 =

(x,N)

∙ For each e with (e, �(N)) = 1, the map x −→ xe is a permutation on A

∙ ∣ A ∣= �(N) = N∏

p∣N

(

1− 1p

)

, where the product is over the distinct

prime numbers dividing N

∙ Let f : A −→ A with f(x) = N − x, ∀x ∈ A

Then f is bijective on A

∙ Define S1 =∑

x∈A

x and S1 =∑

x∈A

N − x

Then 2S1 =∑

(x,N)=1

N = N�(N)

S1 = N�(N)2

∙ Define B = {x ∈ A ∣ (x+ 1, N) = 1}

∙ ∣ B ∣= (N) = N∏

p∣N

(

1− 2p

)

, where the product is over the distinct

prime numbers dividing N (B is non empty if and only if N is odd)

∙ Let g : B −→ B with g(y) = N − y − 1, ∀y ∈ B

Then g is bijective on B

∙ Define S2 =∑

y∈B

y and S2 =∑

y∈B

N − y − 1

Then 2S2 =∑

(x,N)=(x+1,N)=1

N − 1 = (N − 1) (N)

S2 = N−12 (N)

Problem 2.1 Let N ≥ 3 be a given positive integer. Define a tree TN as

follows, for each x > 1 such that (x,N) = 1, then there is a unique vertex

vx ∈ V (TN ) with deg vx = x and remaining all leaves, then prove that the number

of vertices of TN is n = �(N)2 (N − 2) + 2.

Proof:

Let N ≥ 3 be a positive integer then there exists xi such that gcd (xi, N) =

10

1, ∀i = {2, 3, . . . , �(N)}. Construct a tree TN such that for each xi there exists

a unique vertex vxiof degree xi.

Clearly,n∑

i=2

d(vxi) = 2(n− 1)

(N�(N)2 − 1) + n− (�(N)− 1) = 2n− 2 where V (TN ) = n.

Problem 2.2 Let N ≥ 3 be a positive integer. Construct a tree TN such that

for each x > 1 with (x,N) = (x+ 1, N) = 1 then there is a unique vertex vx

of degree x. Prove that the number of vertices of TN is n = (N)2 (N − 3) + 2.

Proof:

Let N ≥ 3 be a positive integer then there exists xi such that (xi, N) = 1, ∀i =

{2, 3, . . . , (N)}. Construct a tree TN such that for each xi there exists a unique

vertex vxiof degree xi.

Clearly,n∑

i=2

d(vxi) = 2(n− 1)

(N−12 ) (N)− 1 + n− ( (N)− 1) = 2n− 2 where V (TN ) = n.

Problem 2.3 Let N ≥ 3 be an odd positive integer. Construct a tree TN such

that for each x > 1 with (x,N) = (x + 1, N) = (x + 2, N) = 1 then there

is a unique vertex vx of degree x. Prove that the number of vertices of TN is

n =?.

Proof:

Let N ≥ 3 be an odd positive integer then there exists xi such that (xi, N) = 1

(xi + 1, N) = 1 and (xi + 2, N) = 1, ∀i = {2, 3, . . . , �(N)}. Construct a

tree TN such that for each xi there exists a unique vertex vxiof degree xi.

.......................................

11

Problem 2.4 Let n be a composite positive integer and let p be the smallest

prime divisor of n with np= n1. Prove that if q > n

1

3

1 then n1

qis prime where

q be the smallest prime divisor of n1.

Solution: Suppose n1

q= ab where 1 < a, b < n1

q

Let r and s be the prime divisors of a and b respectively, then r and s are

also prime divisors of n1, so that

r ≥ q and s ≥ q.

This implies that

q3 = q.q.q ≤ q.r.s ≤ q.a.b,

that is, q3 ≤ n1 which is a contradiction. Therefore, n1

qis prime.

Problem 2.5 Let n be a composite positive integer and let p be the smallest

prime divisor of n such that p2 ∣ n. Prove that if p2 > np2

then np2

is prime.

Solution: Suppose np2

= ab where 1 < a, b < np2

Let r and s be the prime divisors of a and b respectively, then r and s are

also prime divisors of n, so that

r ≥ p and s ≥ p.

This implies that

p4 = p2.p.p ≤ p2.r.s ≤ p2.a.b,

that is, p4 ≤ n which is a contradiction. Therefore, np2

is prime.

............................

12

∙ Let N = pq where p and q are distinct odd primes

with 3 ∤ p and 3 ∤ q

∙ �(N) = (p− 3)(q − 3)

�(N) = N − 3p− 3q + 9

3(p+ q) = N + 9− �(N)

p+ q = N+9−�(N)3

∙ Consider the quadratic equation x2 − (p+ q)x+ pq = 0

∙ Solve the equation and find their roots � and �

∙ Now give p and q

........................................

13

∙ Let T be the given graceful tree on q edges ( q is very large)

∙ Let f : V (G) −→ {0, 1, 2, . . . , q} be the graceful labeling of T (which is

kept secret)

∙ Choose: {m1,m2, . . . ,mk} ⊆ E(G)

such that (mi,mj) = 1, i ∕= j where k is largest in size

∙ FACT 1: x ≡ deg(mi) (mod mi), 1 ≤ i ≤ k

∙ FACT 2: x ≡∑2i=1( (Gi)− �(Gi) (mod mi), 1 ≤ i ≤ k

......................

3 Conclusion

This paper dealt with two fundamental cryptographic tools that are useful in

such contexts: generalized secret sharing scheme and key distribution schemes.

Both secret sharing schemes and key distribution schemes are used in multi-

party systems. secret sharing schemes enables some predetermined sets of parties

to reconstruct a given secret. These schemes make it possible to store secret

information in a network, such that only good subsets can reconstruct the

information. Furthermore, by using these schemes we can allow only better

subsets to perform action in a system.

References

[1] R. Alleaume, N. Lutkenhaus, R. Renner, P. Grangier, T. Debuisschert, G.

Ribordy, N. Gisin, P. Painchault, T. Pornin, L. Slavail, M. Riguidel, A.

Shilds, T. Langer, M. Peev, M. Dianati, A. Leverrier, A. Poppe, J. Bouda,

C. Branciard, M. Godfrey, J. Rarity, H. Weinfurter, A. Zeilinger, and C.

Monyk. Quantum key distribution and cryptography: a survey. In S. L.

Braunstein, H.-K. Lo, K. Paterson, and P. Ryan, editors, Classical and

Quantum Information Assurance Foundations and Practice, number 09311 in

14

Dagstuhl Seminar Proceedings, Dagstuhl, Germany, 2010. Schloss Dagstuhl

- Leibniz-Zentrum fuer Informatik, Germany.

[2] A. Beimel. Secret-sharing schemes: a survey. In Proceedings of the Third

international conference on Coding and cryptology, IWCC’11, pages 1146,

Berlin, Heidelberg, 2011. Springer-Verlag

[3] N. Gisin, G. Ribordy, W. Tittel, and H. Zbinden. Quantum cryptography.

Rev. Mod. Phys, 74:145195, 2002.

[4] U. Maurer. Information-theoretic cryptography. In M. Wiener, editor,

Advances in Cryptology — CRYPTO ’99, volume 1666 of Lecture Notes

in Computer Science, pages 4764. Springer-Verlag, Aug. 1999.

[5] S. Wolf. Unconditional security in cryptography. In I. Damgard, editor,

Lectures on Data Security, volume 1561 of Lecture Notes in Computer

Science, pages 217250. Springer Berlin / Heidelberg, 1999.

[6] Blakley, G. R. (1979). Safeguarding cryptographic keys. Proceedings of the

National Computer Conference 48: 313317.

[7] Shamir, Adi (1979). How to share a secret. Communications of the ACM 22

(11): 612613.

[8] Knuth, Donald (1997). Seminumerical Algorithms. The Art of Computer

Programming. 2 (3 ed.). Addison-Wesley. p. 505.