Multipartite Secret Sharing
Carles Padró
Nanyang Technological University, Singapore
Jornadas de CriptografíaCentenario de la Real Sociedad Matemática Española
Universidad de Murcia, November 2011
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
How to Share a Secret
How to compute shares a secret is such a way that t ≤ n players canreconstruct it but t − 1 players get no information?(Threshold access structure)
A simple and brilliant idea by Shamir, 1979
Let K be a finite field with |K| ≥ n + 1
To share a secret value k ∈ K, take a random polynomial
f (x) = k + a1x + · · ·+ at−1x t−1 ∈ K[x ]
and distribute the shares
f (x1), f (x2), . . . , f (xn)
where xi ∈ K− {0} is a public value associated to player pi
Independently, Blakley proposed in 1979a geometric secret sharing scheme
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Properties of Shamir’s Secret Sharing Scheme
Shamir’s scheme is enough for most of the current applications ofsecret sharing.
1 It is a threshold scheme2 It is perfect3 It is ideal4 It is linear5 It is multiplicative6 The size of the secret value depends on the number of players
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Secret Sharing from Linear Codes
How to construct ideal linear secret sharing schemesfor non-threshold access structures
Every linear code over K defines aK-vector space secret sharing scheme
(a0,a1, . . . ,at−1)
↑ ↑ ↑π0 π1 · · · πn↓ ↓ ↓
= (k , s1, . . . , sn)
It is ideal and linear,and it can have non-threshold access structure
A ∈ Γ if and only if rank(π0, (πi )i∈A) = rank((πi )i∈A)K-vector space access structure
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Threshold Secret Sharing from Linear Codes
Shamir’s threshold scheme is a particular case: Reed-Solomon codes
(k ,a1, . . . ,at−1)
1 1 · · · 10 x1 · · · xn0 x2
1 · · · x2n
......
...0 x t−1
1 · · · x t−1n
= (k , s1, . . . , sn)
By using algebraic geometry codes, it is possible to findsecret sharing schemes with most of those propertiesover constant size fields
Chen, Cramer (2006)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Secret Sharing for General Access Structures
But in some situations non-threshold secret sharing schemesare required
The access structure Γ is the family of qualified subsets
In his seminal paper Shamir (1979) introducedweighted threshold secret sharing
Subsequently, two lines of work have been developed1 Optimization of secret sharing schemes for
general access structures
This appeared to be an extremely difficult open problemSee the recent survey on this topic by Amos Beimel
2 Constructing efficient secret sharing schemes foruseful access structures
Initiated by Kothari (1984), Simmons (1988), and Brickell (1989)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Natural Generalizations of Threshold Secret Sharing
Are there other natural ways of generalize Shamir’s scheme?
Specifically, we look for families of access structures with thefollowing properties
1 Multipartite: participants are divided into several parts and theparticipants in the same part play an equivalent role in thestructure.
2 They admit a very compact descriptionA small number of parameters, at most linear on the number ofparts.
3 They admit an ideal linear secret sharing scheme over everylarge enough field
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Hierarchical and Compartmented Secret Sharing
Kothari (1984) proposed a generalization ofShamir’s threshold scheme, with some hints to constructideal hierarchical secret sharing schemes
Simmons (1988) introduced themultilevel and compartmented access structuresand conjectured that they admit an ideal SSSHe presented geometric constructions for some of them
Multilevel and compartmented access structures are multipartite
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Hierarchical and Compartmented Secret Sharing
Multilevel and compartmented access structures are multipartite
The former ones are hierarchicalFor instance, players are divided in 3 levelsA subset is qualified if and only if it contains
at least 5 players in the first level, orat least 8 players in the first two levels, orat least 15 players in total
As an example of a compartmented access structure:A qualified subset must containat least 5 players in each of the 5 compartments andat least 30 participants in total
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Hierarchical and Compartmented Secret Sharing
Brickell (1989) proposed a general linear algebra methodto construct ideal secret sharing schemesIt unifies Shamir’s and Blakley’s approachesActually, Kothari (1984) anticipated some of Brickell’s ideas
In particular, Brickell constructed by using this methodideal schemes for the multilevel and compartmented structuresproposed by Simmons
Subsequently, other proposals for constructions ofideal schemes for these and similar structures appearedFor instance, Tassa (2004), Tassa & Dyn (2006)
But all of them fit in Brickell’s general method
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Natural Generalizations of Threshold Secret Sharing
Two natural problems appear at this point1 Find other interesting families of
such natural generalizations of threshold secret sharing(multipartite, compact description, ideal and linear)
2 Find criteria to decide if a givenmultipartite access structure is ideal
In addition, two important efficiency issues1 Computational time to construct the scheme2 Size of the secret value
Of course, matroids play a fundamental role in these questions
Brickell and Davenport, 1991
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Integer Polymatroids and Matroids
An integer polymatroid is a pair Z = (J,h),where the rank function h : 2J → Z satisfies
1 h(∅) = 02 X ⊆ Y =⇒ h(X ) ≤ h(Y )
3 h(X ∪ Y ) + h(X ∩ Y ) ≤ h(X ) + h(Y )
A matroid is an integer polymatroid satisfyingh(X ) ≤ |X | for every X ⊆ J
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Representing Integer Polymatroids and MatroidsSome matroidsM = (Q, r) can be representedby a family of vectors... or, equivalently, by a linear code
G =
↑ ↑ ↑π0 π1 · · · πn↓ ↓ ↓
r(X ) = rank(GX ) for every X ⊆ Q
Some integer polymatroids Z = (J,h) can be representedby a family of vector subspaces
G =
↑ ↑ ↑ ↑ ↑ ↑π0 π1 π2 π3 π4 π5↓ ↓ ↓ ↓ ↓ ↓
That is, there exist (Vi )i∈J , vector subspaces, with
h(X ) = dim
(∑i∈X
Vi
)for every X ⊆ J
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Ideal Secret Sharing and Matroids
Every linear code defines an ideal linear secret sharing scheme
(a0,a1, . . . ,at−1)
↑ ↑ ↑π0 π1 · · · πn↓ ↓ ↓
= (s0, s1, . . . , sn)
P = {p1, . . . ,pn}, Q = P ∪ {p0}
IfM = (Q, r) is the representable matroid associated to the code,
Γ = Γp0 (M) = {A ⊆ P : r(A ∪ {p0}) = r(A)}
Equivalently,
min Γ = min Γp0 (M) = {A ⊆ P : A ∪ {p0} is a circuit ofM}
That is, Γ is the port of a representable matroid
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Multipartite Access StructuresFor a partition Π = (P1, . . . ,Pm) of P,an access structure Γ on P is said to be Π-partite ifτΓ = Γ for every permutation τ on P with τPi = Pi for i = 1, . . . ,m
For a subset A ⊆ P, we define
Π(A) = (|A ∩ P1|, . . . , |A ∩ Pm|) ∈ Zm+
A Π-partite access structure Γ ⊆ 2P is determined by the points
Π(Γ) = {Π(A) : A ∈ Γ} ⊂ Zm+
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
A Unified Approach
O. Farràs, J. Martí-Farré, C. PadróIdeal Multipartite Secret Sharing SchemesEurocrypt 2007
In our work, we propose a unified frameworkto analyze those constructions
Ideal Multi-partite Access
Structures
MultipartiteMatroids
IntegerPolymatroids
Ideal LinearSchemes
RepresentableMultipartiteMatroids
RepresentableInteger
Polymatroids
(P1, . . . ,Pm)-partite on {0, . . . ,m}
n+1 vectors m+1 vector subspaces
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
A Unified Approach
This approach has lead to several results
Necessary conditions and sufficient conditions for ideality,which imply some very efficient criteriaIn particular, much shorter (but non-constructive) proof thatmultilevel and compartmented access structures are idealNew interesting families of ideal multipartite access structuresThe efficiency problems in the construction ofideal multipartite secret sharing schemesare more precisely statedCharacterization of the ideal tripartite access structuresCharacterization of theideal hierarchical access structures (TCC 2010)In particular, a new proof for the characterization ofideal weighted threshold access structures
Beimel, Tassa, Weinreb (2005)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Some Notation
The modulus |u| of a vector u = (ui )i∈J ∈ ZJ+ is defined by
|u| =∑i∈J
ui
If u, v ∈ ZJ , we write u ≤ v if ui ≤ vi for every i ∈ J
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Independent Vectors of Integer PolymatroidsA vector u ∈ ZJ
+ is anindependent vector of the integer polymatroid Z = (J,h) if∑
i∈X
ui ≤ h(X ) for every X ⊆ J
A nonempty finite set D ⊆ ZJ+ is the
family of independent vectors of an integer polymatroid if and only if1 If u ∈ D and v ∈ ZJ
+ are such that v ≤ u, then v ∈ D.2 For every pair of vectors u, v ∈ D with |u| < |v |,
there exists i ∈ J such that ui < vi and u + ei ∈ D.
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Bases of Integer Polymatroids
The bases of Z are the maximal independent vectors
A nonempty subset B ⊆ ZJ+ is the
family of bases of an integer polymatroid if and only ifFor every u ∈ B and v ∈ B with ui > vi , there exists j ∈ J suchthat uj < vj and u − ei + ej ∈ B.
In particular, all bases have the same modulus |u| =∑
i∈J ui
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Access Structures from Integer Polymatroids
Let Π = (P1, . . . ,Pm) be a partition of P
Take J ′m = {0,1, . . . ,m} and Jm = {1, . . . ,m}
Consider an integer polymatroid Z = (J ′m,h)with h({0}) = 1 and h({i}) ≤ |Pi |
Consider Γ0(Z) = {X ⊆ Jm : h(X ∪ {0}) = h(X )}
Then the Π-partite access structure Γ = Γ0(Z,Π) is defined by
u ∈ Zm+ is in Π(Γ) if and only if there exist
an independent vector v of Z and X ∈ Γ0(Z) such thatv ≤ u∑
i∈X vi = h(X )
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Conditions for Ideality
Theorem (FMP’07)
Every ideal Π-partite access structure is of the form Γ0(Z,Π)for some integer polymatroid Z
In particular, all minimal qualified subsets with the same support havethe same cardinality
Theorem (FMP’07)
If the integer polymatroid Z is K-representable,then every multipartite access structure of the form Γ0(Z,Π) admitsan ideal linear secret sharing scheme overevery large enough finite extension L of K
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Boolean Polymatroids
Let (Bi )i∈J be a family of subsets of a finite set B
The mapping h : 2J → Z defined by
h(X ) =
∣∣∣∣∣⋃i∈X
Bi
∣∣∣∣∣is the rank function of an integer polymatroid Z = (J,h)
These are the Boolean polymatroids
Boolean polymatroids are K-representable for every field K:Identify B to a basis of a K-vector space and take Vi = 〈Bi〉
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Access Structures from Boolean Polymatroids
Given integers 1 = t0 < t1 < · · · < tm,take B = [1, tm] and Bi = [1, ti ] for i ∈ J ′m
If Z = (J ′m,h) is the corresponding Boolean polymatroid, then
u ∈ Π(Γ0(Z,Π)) if and only ifi∑
j=1
uj ≥ ti for some i ∈ Jm
That is, Γ0(Z,Π) is a multilevel access structure
This proves that those access structures admit anideal linear secret sharing schemeover every large enough finite field
Actually, every ideal hierarchical access structureis a minor of an access structure of the form Γ0(Z,Π)with Z a Boolean polymatroid (FP’10)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Access Structures from other Integer Polymatroids
We con consider as well truncated Boolean polymatroids
h(X ) = min
{∣∣∣∣∣⋃i∈X
Bi
∣∣∣∣∣ , t}
By using Vandermonde vectors,truncated Boolean polymatroidsare representable over every large enough field
By using these and related integer polymatroids, one can prove thateverycompartmented access structure
min Π(Γ) = {u ∈ Zm+ : |u| = k and a ≤ u ≤ b}
admits an ideal linear secret sharing schemeover every large enough field
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Summarizing. . .
Our general results provide
Characterizations of ideal access structures in some familiesShorter proofs for the ideality ofmultilevel and compartmented access structuresNew useful families of ideal access structures
It is easier now to determine whethera multipartite access structure is ideal
But. . .
Our results do not improve the efficiency of the known methods toconstruct ideal linear secret sharing schemes for these accessstructures
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Constructing Ideal Multipartite SSS
Ideal Multi-partite Access
Structures
MultipartiteMatroids
IntegerPolymatroids
Ideal LinearSchemes
RepresentableMultipartiteMatroids
RepresentableInteger
Polymatroids
(P1, . . . ,Pm)-partite on {0, . . . ,m}
n+1 vectors m+1 vector subspaces
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Constructing Ideal Multipartite SSS
The problem of constructing ideal linear secret sharing schemes formultipartite access structures can be formulated as follows
Given
V1, . . . ,Vm, vector subspaces of a K-vector space EIntegers n1, . . . ,nm with ni ≥ dim Vi
Find, for i = 1, . . . ,m,
ni vectors in Vi such thatFor every basis u = (u1, . . . ,um) ∈ Zm
+
of the corresponding integer polymatroid andfor every choice of ui out of the ni vectors in Vi ,a basis of E is obtained
If the field K is not large enough,one should consider an extension field L
Problem: Determine the smallest extension field
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Known Construction Methods
Find, over some extension L ⊇ K, a matrix
M = (M1|M2| · · · |Mm)
such that Mi is a k × ni matrix with columns in Vi ⊆ Lk
and the submatrices corresponding to bases are nonsingular
Construct M step by step, checking the determinantsAvoid checkings by using some primitive element in an extensionfield. This implies that L is very large (Brickell 1989)Choose M at random. High success probability if L is largeenough (Tassa 2004)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
On the Size of the Base Field
Given a collection of subspaces Vi ⊆ Kk
representing an integer polymatroidand integers n1, . . . ,nm with ni ≥ dim Vi
Determine the minimum size of the extension fields L ⊇ Ksuch that we can find ni vectors in Vi ⊆ Lk
with the required properties
A general upper bound from our results: |L| ≤(
nk
)Beutelspacher & Wettl (1993) Lower and upper boundsfor the case m = 2, V2 ⊆ V1, dim V2 = 2. Basically, |L| = nGiuletti & Vincenti (2010) Upper bounds for the case m = 3 andV3 ⊆ V2 ⊆ V1, dim V1 = 4, dim V2 = 3, dim V3 = 2Namely, |L| ≤ O(n2)
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011
Example: Representing Bipartite Matroids
Consider the simplest case m = 2
Given V1,V2 ⊆ E with s = dim E , ri = dim Vi
Find ni vectors in Vi such that, for every ` = 0, . . . , t = r1 + r2 − s,every r1 − ` vectors out of the n1 vectors in V1 andevery r2 − (t − `) vectors out of the n2 vectors in V2form a basis of E
1 How do we efficiently find such vectors?2 Which is the minimum size of the field?
Multipartite Secret Sharing Jornadas de Criptografía, RSME, Univ. de Murcia, November 2011