Improved Latin Square based Secret Sharing Scheme
Chi Sing Chum and Xiaowen Zhang. Computer Science Dept., Graduate Center / CUNY, 365 Fifth Ave., New York, NY 10016, U.S.A. Computer Science Dept., College of Staten Island / CUNY, 2800 Victory Blvd, Staten Island, NY 10314, U.S.A.
Abstract.
This paper first reviews some basic properties of cryptographic hash functions, secret sharing schemes, and Latin squares. Then we discuss why a Latin square or its critical set is a good choice for secret representation and its relationship with secret sharing schemes. Further, we enumerate the limitations of Latin squares in a secret sharing scheme. Finally, we propose how to apply cryptographic hash functions and the herding attack technique to a Latin square based secret sharing scheme to overcome these limitations.
Key words:
Secret sharing scheme, Latin square, partial Latin square, critical set, hash functions, herding and Nostradamus attack.
How to set up an effective procedure to keep a secret is important. However, how to represent the secret is equally important. If the secret can be discovered by exhaustive search, then the secret sharing scheme can be bypassed, no matter how good it is. It is also desirable to keep the secret short and, at the same time, difficult to discover. A Latin square is a good candidate in a secret sharing scheme. We can use a Latin square to represent the secret because of the huge number of different Latin squares for a reasonably large order. For example, there are about 10 different Latin squares of order 10. This makes it difficult for outsiders to discover the secret without any knowledge, due to the tremendous number of possibilities. We can even improve the efficiency by distributing the shares of a critical set, instead of the full Latin square, to the participants. Whenever any group of the participants join together to form any critical set, the original Latin square, and hence the secret, can be recovered.

There are Latin square based secret sharing schemes in the literature. Cooper, Donovan and Seberry [5] used critical sets of Latin squares in the design of secret sharing schemes. Their schemes are not perfect, because each share of a participant is a component of a critical set and therefore contains partial information about the secret. Chaudhry and Seberry [3] had another secret sharing scheme based on critical sets of Room squares. This scheme is not perfect either. Distributing shares of a critical set is fast and efficient. However, it is not easy to reconstruct the full Latin square, which is the shared secret, from the critical set. Chaudhry, Ghodosi and Seberry [2] proposed a perfect secret sharing scheme from Room squares, but the scheme is neither flexible nor ideal: each participant needs a different share for each authorized set he/she belongs to. It is not flexible to set up a verifiable or proactive secret sharing scheme just by using a Latin square or its critical sets, because it is hard to verify a critical set of a large order Latin square.
In order to overcome the aforementioned limitations of Latin squares in a secret sharing scheme, we propose to apply cryptographic hash functions and the herding attack technique to Latin square based secret sharing schemes. We can use a hash function to store a partial Latin square in a hash, such that the partial Latin square is easily extended to the full Latin square. Then we set up a Latin square based ideal perfect $(t+1, n)$ threshold scheme, which utilizes the herding hash function and Nostradamus attack technique on iterative hash functions. Finally, we use two hash functions to set up a verifiable secret sharing scheme; the method applies to any general secret sharing scheme, including Latin square based schemes. The security of our newly proposed schemes is dramatically improved.

In this section we review some basic properties of cryptographic hash functions, herding attacks, and secret sharing schemes. In Section 2 we discuss Latin squares, partial Latin squares, critical sets, and other concepts related to Latin squares. Section 3 presents applications of critical sets in secret sharing schemes. Section 4 discusses the limitations of Latin squares in a secret sharing scheme. In Section 5 we propose applications of hash functions to Latin square based secret sharing schemes with three examples. Section 5 concludes the paper and summarizes the advantages of the schemes we have designed.

A cryptographic hash function [19,20] takes an input string of arbitrary length and generates an output string of fixed length, which is called the message digest, the hash value, or just "hash". Hash functions have many applications in the information security area, such as digital signatures, message authentication codes, and authentication protocols. The following are common properties that a well designed cryptographic hash function should have.
1) Given an input string of arbitrary length, the output string will be of fixed length. The output is usually called a hash value or message digest.
2) For all practical purposes, given any message $x$, the message digest $h(x)$ can be calculated very quickly.
3) Given a message digest $y$, it is computationally infeasible to find $x$ such that $h(x) = y$. This, together with 2), implies that $h$ is a one way function, or preimage resistant.
4) Given an input and output pair $(x, y)$ for a hash function, it should remain infeasible to find a second preimage $x'$ such that $x \neq x'$ but $h(x) = h(x') = y$. This property is called second preimage resistance.
5) It is infeasible to find two different inputs $x$ and $x'$ that produce the same output, i.e. $x \neq x'$ but $h(x) = h(x')$. This property is called collision resistance.

A hash function must have the flexibility to process messages of arbitrary length. Most currently used hash functions, such as the MD family and the SHA family, are built from iterations of a compression function $C$ using the Merkle-Damgård construction [6,14]; they are also called iterative hash functions. The process is as follows. (a) Pad the arbitrary length message $M$ into multiple $v$-bit blocks $m_1, m_2, \ldots, m_b$. (b) Iterate the compression function $h_i = C(h_{i-1}, m_i)$, where $i$ runs from 1 to $b$ and $h_0$ is the initial value (or initial vector) IV. (c) Output $h_b$ as the hash of the message $M$, i.e., $H(M) = h_b = C(h_{b-1}, m_b)$.

Iterative hash functions are also vulnerable to the herding and Nostradamus attack. This attack makes use of the fact that it is not difficult to find intermediate hash values that can be substituted for genuine blocks during the iterative application of a compression function and still generate the same final hash value $h$. Kelsey and Kohno [12] give a detailed analysis of this attack. Stevens, Lenstra and Weger [18] applied the technique to predict the winner of the 2008 US Presidential Elections using a Sony PlayStation 3 in November 2007.
They claimed that they had correctly predicted the next US president and committed the hash of the result to the public; the correct prediction and the matching hash would be revealed after the election.

The first step is to build a large set of intermediate hashes at the first level: $h_1, h_2, \ldots, h_w$. The second step is to build a set of intermediate hashes at the second level, $h'_1, h'_2, \ldots, h'_{w/2}$, so that the following is satisfied: for each pair $h_{2j-1}, h_{2j}$ at the first level there exist message blocks $m_{2j-1}$ and $m_{2j}$ such that
$$C(h_{2j-1}, m_{2j-1}) = C(h_{2j}, m_{2j}) = h'_j, \qquad j = 1, \ldots, w/2.$$
By repeating this process, message blocks are linked so that each intermediate hash at level 1 can reach the final hash, say $h$. This is called the diamond structure (see Fig. 1). We claim we can predict something that happens in the future by announcing this hash to the public. When the result is available, we construct a message as follows:
$$M = (\mathit{Prefix} \,\|\, M^{*} \,\|\, \mathit{Suffix}),$$
where $\mathit{Prefix}$ contains the result that we claimed we knew before it happened, $M^{*}$ is a message block that links the $\mathit{Prefix}$ to one of the intermediate hashes at level 1, and $\mathit{Suffix}$ is the rest of the message blocks, which link $M^{*}$ to the final hash.

Fig. 1. A simplified diamond structure.
A secret sharing scheme [19,20] is a method to split and distribute a secret among a group of participants, each of whom receives a share of the secret. The secret can only be recovered when the participants join together to combine their shares.

There are many practical applications of secret sharing schemes. For example, they can be used to protect a private key from access by outsiders. When we examine the problem of maintaining sensitive information, we consider two issues: availability and secrecy. If only one person keeps the entire secret, then there is a risk that the person might lose it or may not be available when it is needed. We can solve the availability and reliability issues by letting more than one person keep the same secret. But the more people who can access the secret, the higher the chance that the secret will be leaked. A secret sharing scheme is designed to solve these issues.

In 1979 Shamir [16] proposed the $(t+1, n)$ threshold scheme, in which a secret is divided into pieces (shares) and distributed among $n$ participants, whereby any group of $t+1$ or more participants ($t \le n-1$) can recover the secret, while any group of fewer than $t+1$ participants cannot recover the secret. By sharing a secret in this way the availability and reliability issues can be solved. Shamir's scheme gives out no partial information even when up to $t$ participants join together [19]. In other words, any group of up to $t$ participants cannot gather more information about the secret than any outsider. A secret sharing scheme with this property is called a perfect secret sharing scheme. If the shares and the secret come from the same domain, we call it an ideal secret sharing scheme; in this case, the shares and the secret have the same size.

Shamir's original sharing scheme assumes the dealer and all the participants are honest. However, in reality we need to consider the situation that the dealer or some of the participants are malicious. In this case we need to set up a verifiable secret sharing scheme, so that the validity of a participant's share can be verified. To make this possible, additional information is required for the participants to verify that their shares are consistent. Feldman's scheme [9] is a simple verifiable secret sharing scheme based on Shamir's scheme. It relies on the homomorphic property of the exponentiation function: $x^{a+b} = x^a \cdot x^b$.

Many existing secret sharing schemes are subject to certain limitations. A particular scheme is often only applicable to one specific access structure; if we want to apply it to another access structure, either it does not work or it is inefficient. Although Ito, Saito and Nishizeki [11] proved that any general access structure can be realized by a secret sharing scheme, there is no guarantee that the scheme is efficient. Also, a given secret sharing scheme may not have all the desired properties, such as being perfect, ideal, verifiable, and proactive.
A Latin square of order $n$ is an array consisting of $n$ rows and $n$ columns such that each of the $n$ symbols occurs exactly once in every row and every column. For simplicity, we usually use $0, \ldots, n-1$ as the symbols, and represent a Latin square as a set of triples $(i, j, k)$, where $0 \le i, j, k \le n-1$ and $i, j, k$ are the row, the column and the symbol, respectively. For any order $n$ there exists a Latin square of this order; the addition table of the additive group $\mathbb{Z}/n\mathbb{Z}$ of integers mod $n$ is an example [15].

Suppose we use a Latin square to represent the secret and its order $n$ is made public. For an empty $n \times n$ array, there are $n!$ ways to fill out the first row. Now consider the second row: every cell must avoid the symbol directly above it, and there are at least $(n-1)!$ ways to fill it; continuing row by row, there are at least
$$n!\,(n-1)!\,(n-2)! \cdots 2!$$
Latin squares of order $n$. This is just a lower bound. For a reasonably large $n$, say $n > 10$, there are many different Latin squares of this order. This definitely makes it very difficult for an outsider to figure out the secret itself without having any related knowledge. The larger the order $n$ is, the larger the number of Latin squares will be. For instance, the numbers of Latin squares of order 10 and 11 are as follows [13,15]:
$$L_{10} = 10! \times \ldots, \qquad L_{11} = 11! \times \ldots$$
The number of Latin squares of a given order is an open problem; by now, the number of Latin squares of order 12 has not been determined.
A partial Latin square of order $n$ is an array that consists of $n$ rows and $n$ columns such that no symbol occurs more than once in any row or any column, and one or more cells can be empty, i.e. there exist one or more pairs $(i, j)$ such that there is no symbol in row $i$ and column $j$. Some partial Latin squares can be extended to Latin squares of the same order, while others cannot. In the following example (see Tab. 1), the partial Latin square on the left can be extended into the Latin square in the middle, but the partial Latin square on the right cannot be extended to a Latin square.

Table 1. Partial Latin square extendibility.
In 1960, Trevor Evans conjectured that any partial Latin square of order $n$ can always be extended to a full Latin square if the size of the partial Latin square is up to $n-1$. A Latin rectangle is a partial Latin square in which the first $m$ rows are all filled ($m < n$) and the remaining $n-m$ rows are all empty. A Latin rectangle can always be extended to a full Latin square by adding row by row; this can be proved by Hall's condition in perfect matching [10]. However, whether an arbitrary partial Latin square can be extended to a full Latin square is an NP-complete problem [4]. Also, given a partial Latin square, there may be different ways to extend it to different Latin squares of the same order.

A critical set of a Latin square is a partial Latin square which can be extended to a full Latin square uniquely. In other words, there is only one Latin square which contains the critical set. After deletion of any entry of a critical set, the unique completion property no longer holds. For a given Latin square, there may exist critical sets of different sizes.

By definition, we can recover the original Latin square from one of its critical sets, and the completion is unique. However, whether a partial Latin square can be completed to a Latin square is an NP-complete problem [4]. That means the recovery of the Latin square from one of its critical sets may be time-consuming, and we need some criteria to speed up the process.

Donovan, Cooper, Nott and Seberry [7] defined a strong critical set. Let $L$ be a Latin square of order $n$ and $C$ one of its critical sets. Let $|C|$ be the size of $C$, the number of non-empty cells in $C$. Suppose there is a sequence of partial Latin squares $\{P_0, P_1, \ldots, P_m\}$ such that
1) $C = P_0 \subset P_1 \subset \cdots \subset P_m = L$, where $m = n^2 - |C|$;
2) for any $i$, $0 \le i \le m-1$, $P_i \cup \{(r_i, c_i, k_i)\} = P_{i+1}$, and $P_i \cup \{(r_i, c_i, k)\}$ is not a partial Latin square if $k \neq k_i$.
That means we start from the critical set $C$ and enter one entry at a time until we finish the extension to the full Latin square $L$. When we get a new partial Latin square $P_{i+1}$, $0 \le i \le m-1$, there is a cell $(r_i, c_i)$ that can be filled with only one symbol $k_i$. We call such a critical set a strong critical set if it has the above properties. In other words, the 'force out' process makes a strong critical set easy to extend to a full Latin square.

Cooper, Donovan and Seberry [5] proposed to form a collection of critical sets of a Latin square, say $S$. Elements of $S$ are distributed to participants. Any group of participants is an authorized group if their shares, pooled together, form one of the critical sets in $S$.

(1) For example, a $(2, 3)$ threshold scheme is shown in Tab. 2.
Table 2. A $(2, 3)$ threshold secret sharing scheme: critical sets $C_1$, $C_2$, $C_3$ and the Latin square $L$.

We can easily verify that the partial Latin squares $C_1, C_2, C_3$ are all critical sets. They can be extended uniquely to the full Latin square $L$. This unique completion property no longer holds if any entry of any of $C_1, C_2, C_3$ is deleted. Let $S$ be the union of the three critical sets $C_1, C_2, C_3$. Then $S = \{(1, \ldots), (2, \ldots), (3, \ldots)\}$. We distribute one triple to each participant as a share. Any two participants can recover the full Latin square, so we have a $(2, 3)$ threshold scheme.

(2) The above simple example can be extended to the following general case. Let $C_1, C_2, \ldots, C_n$ be critical sets of a given Latin square, of sizes $s_1, s_2, \ldots, s_n$. Each $C_i$ consists of a set of triples as follows:
$$C_1 = \{(x_{11}, y_{11}, k_{11}), \ldots, (x_{1s_1}, y_{1s_1}, k_{1s_1})\}$$
$$C_2 = \{(x_{21}, y_{21}, k_{21}), \ldots, (x_{2s_2}, y_{2s_2}, k_{2s_2})\}$$
$$\cdots$$
$$C_n = \{(x_{n1}, y_{n1}, k_{n1}), \ldots, (x_{ns_n}, y_{ns_n}, k_{ns_n})\}$$
A triple $(x_{ij}, y_{ij}, k_{ij})$ is interpreted as follows: $x_{ij}$ is the row, $y_{ij}$ is the column and $k_{ij}$ is the symbol of the $j$th element in $C_i$. In general, we make $S$ the union of some critical sets of a given Latin square $L$ which represents a secret. Then the dealer distributes a share in $S$, in this case a triple of the Latin square, to each participant. Whenever a group of participants joins together to form a critical set, the original Latin square, and hence the secret, can be recovered.

Chaudhry, Ghodosi and Seberry [2] proposed a perfect secret sharing scheme based on Room squares. This can be applied to Latin squares. The idea is to generate shares randomly for all the participants with the exception of the last participant, whose share is determined by the shares of the other participants and the critical set in such a way that all the shares, when summed up, equal the value of the critical set.
Modular arithmetic is used here. Example: Let $C = \{(0, \ldots), (1, \ldots)\}$ be the critical set of the Latin square $L$ of Tab. 3, $L = \{(0, \ldots), (0, \ldots), (0, \ldots), \ldots, (2, \ldots), (2, \ldots)\}$.

Table 3. Calculation of the share for the last participant: $C$ and $L$.

Let $\{P_1, P_2, P_3\}$ be an authorized set over $C$. Suppose we generate the following random shares $S_1, S_2$ for $P_1$ and $P_2$: $S_1 = \{(0, 1, 2), (2, 0, 0)\}$ and $S_2 = \{(1, 2, 1), (0, 2, 1)\}$. Then the share $S_3$ for $P_3$ is calculated as
$$S_3 = \{(0 - (0+1),\ \ldots - (1+2),\ \ldots - (2+1)),\ (1 - (2+0),\ \ldots - (0+2),\ \ldots - (0+1))\} = \{(2, \ldots), (2, \ldots)\}.$$
All arithmetic is done mod 3. It can be easily verified that $P_1, P_2, P_3$ can recover the critical set when they pool their shares together. If any participant is missing, the unauthorized set has nothing more than any outsider.

To summarize, there are reasons why we want to apply critical sets to secret sharing schemes:
1) Since a critical set can always be extended to a full Latin square uniquely, it is more efficient to distribute shares of a critical set rather than of a full Latin square.
2) A $(t+1, n)$ threshold scheme or multilevel scheme can be implemented through critical sets, as discussed in Chaudhry, Ghodosi and Seberry [2].

Much research has been done since the original secret sharing ideas of Shamir [16] and Blakley [1] in 1979. The Latin square was suggested as a good candidate for use in secret sharing schemes. However, there are certain limitations, as discussed below.
1) By just distributing shares of a critical set to participants, partial information will be available to any unauthorized group. That means there is a good chance for an unauthorized group to figure out the remaining shares by trial and error. So the scheme proposed by Cooper, Donovan and Seberry [5] is not perfect.
2) The scheme proposed by Chaudhry, Ghodosi and Seberry [2] is not flexible if there is only one authorized set; in this case it is just a secret splitting scheme. If more than one authorized set exists, the secret sharing scheme is not ideal: each participant needs a different share for each authorized set he/she belongs to.
3) As we know, distributing shares of a critical set instead of a Latin square is definitely more desirable. However, two issues need to be considered:
(a) Even with all the shares of a critical set, it may not be easy to get back the original Latin square, the shared secret. In order to speed up the recovery process, we should use a strong critical set.
(b) However, if the participants of an authorized group join together, it will be much easier for them to figure out the shared secret if the chosen critical set is a strong one.
4) The knowledge about critical sets of Latin squares, especially of large order (say 10), is very limited. There are critical sets of different sizes, and it is very difficult to verify or find a critical set. This hinders the implementation of various secret sharing schemes based on critical sets.
(a) Control: Let $S$ be a collection of critical sets $C_1, C_2, C_3$ of a Latin square $L$. We would like to design a secret sharing scheme such that any authorized set of participants can recover $C_1$, $C_2$ or $C_3$. But there is a possibility that $S$ contains another critical set $C_4$. If the individuals of an unauthorized set (in the sense that they cannot recover $C_1$, $C_2$ or $C_3$) can pool their shares to form $C_4$, then they can recover $L$. Hence some careful controls need to be taken, especially given that a critical set of a large order Latin square is difficult to find or verify.
(b) Implementation: It would not be flexible or easy to set up a verifiable sharing scheme, a proactive sharing scheme, or a $(t+1, n)$ threshold scheme just by using a Latin square or some of its critical sets to represent the secret, especially when we choose a Latin square of order greater than 10, due to the limited knowledge about its critical sets.
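As an added example (not from the paper), the critical-set machinery of Sections 2 to 4 in Python: a brute-force completion counter that verifies a critical set, the 'force out' extension of a strong critical set, a Cooper-Donovan-Seberry style $(2, 3)$ scheme whose shares are triples, and the additive sharing of Chaudhry, Ghodosi and Seberry over $\mathbb{Z}/n\mathbb{Z}$. The Latin square, critical set and share union are constructed for order 3 (the paper's own tables are not reproduced), and the brute-force check is only practical for small orders, which is exactly limitation 4 above.

```python
"""Critical sets of Latin squares and the two critical-set sharing schemes of Sec. 3."""
import random

ORDER = 3
# Constructed example: the addition table of Z/3Z, a Latin square of order 3
L = [[(r + c) % ORDER for c in range(ORDER)] for r in range(ORDER)]
# Constructed critical set of L, as (row, column, symbol) triples
C = {(0, 0, 0), (1, 1, 2)}
# Constructed union S of three critical sets of L: any two of these triples form
# a critical set, so one triple per participant gives a (2, 3) threshold scheme
S = {(0, 0, 0), (1, 1, 2), (2, 2, 1)}


def to_grid(triples, n):
    """Partial Latin square as an n x n grid; None marks an empty cell."""
    g = [[None] * n for _ in range(n)]
    for r, c, k in triples:
        g[r][c] = k
    return g


def candidates(g, r, c):
    """Symbols that can legally be written into the empty cell (r, c)."""
    n = len(g)
    used = {g[r][j] for j in range(n)} | {g[i][c] for i in range(n)}
    return [k for k in range(n) if k not in used]


def count_completions(g, limit=2):
    """Number of Latin squares containing g, counted only up to `limit` (backtracking)."""
    n = len(g)
    for r in range(n):
        for c in range(n):
            if g[r][c] is None:
                total = 0
                for k in candidates(g, r, c):
                    g[r][c] = k
                    total += count_completions(g, limit - total)
                    g[r][c] = None
                    if total >= limit:
                        return total
                return total
    return 1  # no empty cell left: g is itself a Latin square


def is_critical_set(triples, n):
    """Unique completion, and deleting any single entry breaks uniqueness."""
    if count_completions(to_grid(triples, n)) != 1:
        return False
    return all(count_completions(to_grid(triples - {t}, n)) > 1 for t in triples)


def force_out(triples, n):
    """Strong-critical-set extension: repeatedly fill cells that have exactly one
    candidate.  Returns the full square, or None if some cell is never forced."""
    g = to_grid(triples, n)
    changed = True
    while changed:
        changed = False
        for r in range(n):
            for c in range(n):
                if g[r][c] is None and len(candidates(g, r, c)) == 1:
                    g[r][c] = candidates(g, r, c)[0]
                    changed = True
    return g if all(None not in row for row in g) else None


# Cooper, Donovan, Seberry: a group is authorized iff its pooled triples form a
# critical set, checked here by unique completion of the pooled partial square.
def pooled_recovers(shares, n):
    return count_completions(to_grid(set().union(*shares), n)) == 1


def two_of_three_scheme_ok(union, n):
    """Every pair of single-triple shares recovers L, and no single share does."""
    items = sorted(union)
    pairs = [(a, b) for i, a in enumerate(items) for b in items[i + 1:]]
    return (all(pooled_recovers([{a}, {b}], n) for a, b in pairs)
            and not any(pooled_recovers([{a}], n) for a in items))


# Chaudhry, Ghodosi, Seberry: random shares for all but the last participant, whose
# share makes the component-wise sum of all shares equal the critical set mod n.
def split_additive(triples, parties, n, seed=None):
    rng = random.Random(seed)
    cset = sorted(triples)
    shares = [[tuple(rng.randrange(n) for _ in range(3)) for _ in cset]
              for _ in range(parties - 1)]
    last = [tuple((t[i] - sum(s[j][i] for s in shares)) % n for i in range(3))
            for j, t in enumerate(cset)]
    return shares + [last]


def combine_additive(shares, n):
    """Component-wise sum mod n of the pooled shares, returned as a set of triples."""
    return {tuple(sum(s[j][i] for s in shares) % n for i in range(3))
            for j in range(len(shares[0]))}
```

With any one party missing from `split_additive`'s output the partial sum is uniformly distributed, so it reveals nothing about `C`; with all three it is exactly `C`.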
Zheng, Hardjono and Seberry [21] discuss how to reuse shares in a secret sharing scheme by using universal hash functions. In this section, we show how to use general hash function properties, including herding and Nostradamus attacks [12], to design and improve Latin square based secret sharing schemes.
If we want to use the hash to store a fixed secret, for example a Latin square of order 10, we need to store 81 numbers (since the last row and last column are not necessary). Four bits can be used to store a number, so we need 324 bits. In this case, we can choose SHA-384 or SHA-512 to fulfill the requirements easily.

If we need to use SHA-256, we can proceed in the following way. 10 bits can be used to represent 3 numbers. So we first use 250 bits to represent 75 numbers and then the next 4 bits to represent a single number. Altogether, we can store 76 numbers. We fix the partial Latin square in the following format. We choose a Latin square of order 10 that can be recovered uniquely after removing the entries as shown in Tab. 4. The tradeoff here is that a small percentage of Latin squares of order 10 cannot be recovered uniquely and hence cannot be chosen as the secret.

We want to recover the numbers in cells (4, 8), (5, 8), (6, 8), (7, 8), (8, 8) in the following way. Pick any row between the 4th and the 8th. If $a$ and $b$ are the numbers missing in row $I$ ($4 \le I \le 8$) and $a$ (respectively $b$) already appears in the 8th column, we can fill in $b$ (respectively $a$) in cell $(I, 8)$. If we can recover (4, 8), (5, 8), (6, 8), (7, 8), and (8, 8) in this way, we can recover the original Latin square uniquely.

Table 4. Use 10 bits to represent 3 numbers in a Latin square of order 10.

Unused bits can be filled in randomly. The above are just simple examples to demonstrate how to use a hash to represent a fixed secret.

Let us continue with Section 5.1 and suppose the secret is the hash of a (partial) Latin square. Let us consider how to apply a hash function $f$ to set up a $(t+1, n)$ threshold secret sharing scheme. The approach we take is based on the herding hash technique. First we randomly generate a share of more or less the same size as the hash for each participant. Then we set up the different authorized subsets, so that each subset consists of $t+1$ or more distinct participants. Let $N$ be the size of the access structure, i.e., the total number of authorized subsets:
$$N = C(n, t+1) + C(n, t+2) + \cdots + C(n, n),$$
where $C(n, t) = n!/(t!\,(n-t)!)$ is the combination function. That means we need to have $N$ messages for these $N$ authorized subsets; there is a one-to-one correspondence between messages and authorized subsets. Each participant holds a share, and any combination of the shares of an authorized subset generates one of these $N$ messages. The next step is to herd the hashes of these $N$ messages into the final hash, as in the Nostradamus attack, by setting up the linking messages. Suppose an authorized set consists of participants $P_1, P_2, \ldots, P_b$ and their shares are sub-messages $m_1, m_2, \ldots, m_b$. When they join together, they can form $M_{priv} = m_1 \| \ldots \| m_b$ and find the corresponding linking message $M_{pub}$, as shown in Fig. 2.
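Before the shares themselves, the Section 5.1 packing as an added example (not the paper's code): 76 symbols of an order-10 Latin square packed into 256 bits exactly as described (25 groups of three digits in 10 bits, one digit in 4 bits, two random bits), the inverse, and the missing-symbol recovery of cells (4, 8) to (8, 8) followed by the last column and row. The set of omitted cells is an assumption standing in for Tab. 4 (0-based rows and columns), and the two test squares are constructed: one that the rule resolves, and the plain cyclic square, which it cannot.

```python
"""Store a partial Latin square of order 10 in 256 bits and recover the full square (Sec. 5.1)."""
import random

N = 10
# Assumed layout of Tab. 4 (the table is not reproduced here): the last row, the last
# column and the cells (4,8)..(8,8) are omitted; rows and columns are 0-based.
DROPPED = {(r, 8) for r in range(4, 9)}
STORED = [(r, c) for r in range(N - 1) for c in range(N - 1) if (r, c) not in DROPPED]
assert len(STORED) == 76


def pack(square, rng=random):
    """76 symbols -> 32 bytes: 25 groups of 3 decimal digits in 10 bits each (250 bits),
    one digit in 4 bits, and 2 unused bits filled randomly; most significant first."""
    digits = [square[r][c] for r, c in STORED]
    bits = 0
    for i in range(25):
        a, b, c = digits[3 * i:3 * i + 3]
        bits = (bits << 10) | (100 * a + 10 * b + c)   # 0..999 fits in 10 bits
    bits = (bits << 4) | digits[75]
    bits = (bits << 2) | rng.getrandbits(2)
    return bits.to_bytes(32, "big")


def unpack(blob):
    """Inverse of pack(): a 10 x 10 grid with None in the cells that were not stored."""
    v = int.from_bytes(blob, "big")
    digits = []
    for i in range(25):
        g = (v >> (246 - 10 * i)) & 0x3FF
        digits += [g // 100, (g // 10) % 10, g % 10]
    digits.append((v >> 2) & 0xF)
    grid = [[None] * N for _ in range(N)]
    for (r, c), d in zip(STORED, digits):
        grid[r][c] = d
    return grid


def recover(grid):
    """Fill (I, 8) for 4 <= I <= 8 by the missing-symbol rule of Sec. 5.1, then the last
    column and last row.  Returns None when the rule cannot decide a cell: such squares
    are the small percentage that cannot be chosen as the secret."""
    g = [row[:] for row in grid]
    col8 = {g[r][8] for r in range(N) if g[r][8] is not None}
    progress = True
    while progress:
        progress = False
        for r in range(4, 9):
            if g[r][8] is None:
                missing = set(range(N)) - {x for x in g[r] if x is not None}  # {a, b}
                choice = missing - col8       # whichever of a, b is not yet in column 8
                if len(choice) == 1:
                    g[r][8] = choice.pop()
                    col8.add(g[r][8])
                    progress = True
    if any(g[r][8] is None for r in range(4, 9)):
        return None
    for r in range(N - 1):   # last column: the one symbol missing from each row
        g[r][9] = (set(range(N)) - set(g[r][:9])).pop()
    for c in range(N):       # last row: the one symbol missing from each column
        g[9][c] = (set(range(N)) - {g[r][c] for r in range(9)}).pop()
    return g


# Constructed test squares: the rows of SAMPLE are shifts of one permutation chosen so
# that the rule resolves every cell; the plain cyclic square (r + c) mod 10 leaves all
# five cells undecided and is therefore rejected.
PERM = [1, 2, 3, 4, 5, 7, 8, 9, 0, 6]
SAMPLE = [[(r + PERM[c]) % N for c in range(N)] for r in range(N)]
CYCLIC = [[(r + c) % N for c in range(N)] for r in range(N)]
```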
Then they can recover the secret $h$ by applying the hash function $f$ to $M_{priv} \| M_{pub}$, i.e., $f(M_{priv} \| M_{pub}) = h$. In the Nostradamus attack, we do not know what will happen, so we need to a) build a huge diamond structure leading to a final hash $h$, and b) find a linking block after the result is known. In our case, the above steps are not necessary, since we know the hashes of these $N$ messages. This greatly reduces the effort.

Fig. 2. Message $M$ and sub-messages, i.e., shares $m_i$.

For any message $M_{priv}$ obtained by combining the shares of the participants in an authorized subset, there is a corresponding message $M_{pub}$ in the diamond structure. Linking these two messages reaches the final hash of the diamond structure. So we have a $(t+1, n)$ threshold scheme based on the herding hash function technique. The linking messages are stored in a public place which can be accessed by any participant. When any group of $t+1$ or more participants join together, they can look up the corresponding linking message and add it to their shares to recover the secret.

Properties of the proposed scheme include:
a) Perfect: One of the basic properties of a cryptographic hash function is its randomness. Based on the message, we cannot figure out any information about the hash. This avoids revealing partial information to any participant. When all participants join together, they can recover the secret by applying the hash function $f$ to the message $M = M_{priv} \| M_{pub}$. In order to maintain the security level, the length of each share should be at least as long as the hash. On the other hand, increasing the length of the share does not increase the security level. So we would like to have each share generated randomly and of length more or less the same as the hash. This will be the case if the message was generated randomly. This provides a perfect sharing scheme because, even if only one participant is missing, the missing share cannot be recovered and no information about the secret leaks out.
b) Ideal: The scheme is ideal, since each participant holds one share which has the same size as the hash.
c) Fast recovery of the secret: The calculation of a hash function is fast; this assures that the partial Latin square, and hence the full Latin square, can be recovered quickly.
d) Avoidance of critical sets: Under the new scheme, looking for critical sets of large size can be avoided. This makes it more efficient and better controlled, as discussed above.
e) Application of minimal authorized subsets: We provide a complete description here. But, as we shall see in the example, we can speed up the whole process by considering the minimal authorized subsets only.
f) General access structure: As we shall see in the following example, this approach can be extended to general access structures.

Example: A (2, 3) threshold scheme. Let $m_1$, $m_2$ and $m_3$ be the shares of participants $P_1$, $P_2$ and $P_3$, respectively. Then the access structure consists of four authorized subsets, also shown in Fig. 3. $M_{pub1}$, $M_{pub2}$, $M_{pub3}$, $M_{pub4}$ are the linking messages stored in the public area.
a) $\{P_1, P_2\}$: $m_1 \| m_2 \| M_{pub1}$
b) $\{P_1, P_3\}$: $m_1 \| m_3 \| M_{pub2}$
c) $\{P_2, P_3\}$: $m_2 \| m_3 \| M_{pub3}$
d) $\{P_1, P_2, P_3\}$: $m_1 \| m_2 \| m_3 \| M_{pub4}$

Fig. 3. A (2, 3) threshold scheme example.

While it would be straightforward to set up the access structure with all the authorized groups, it is more efficient to consider only the minimal authorized subsets of the access structure. In this case, we can skip $m_1 \| m_2 \| m_3 \| M_{pub4}$. Suppose we know $P_1, P_2$ are family members or good friends, and we do not want them to recover the secret. Then a general $(2, 3)$ threshold scheme does not work. In our case, we can simply skip the setup of $m_1 \| m_2 \| M_{pub1}$. It is easy to show that this method works for any general access structure.

A cryptographic hash function has an application as a message authentication code, to certify that the original message was not altered. We can apply this idea to secret sharing schemes so that any dishonest participant who does not return the original share will be detected by the dealer. On the other hand, the participants can verify whether the dealer really sent out consistent shares for them to keep. So let us modify the approach of 5.2 for an implementation of a verifiable secret sharing scheme.

Let $f, g$ be cryptographic hash functions. Let $M$ be a message such that $f(M) = s$, where $s$ is the shared secret. The dealer breaks $M$ into sub-messages $m_1, m_2, \ldots$, distributes one share to each participant, and then publishes the hashes (under hash function $g$) of the shares as commitments $g_1, g_2, \ldots$, as in Feldman's case. Participant $i$ verifies his/her share by checking whether $g(m_i) = g_i$ holds. If all participants confirm that taking his/her share as input to the hash function $g$ gives a hash value equal to one of the commitments published by the dealer, we conclude that the dealer sent out consistent shares. Likewise, when the participants return their shares, the dealer can verify them in the same way.

As we can see from the above, we use two hash functions $g$ and $f$. Hash function $g$ is used to make the scheme a verifiable secret sharing scheme. Hash function $f$ is used to recover the shared secret: $f(M)$. Participant $i$ could fool the other parties if he/she could find $m'_i$ such that $g(m_i) = g(m'_i) = g_i$. If $g$ is second preimage resistant, this is difficult to achieve and the scheme is safe.

In this paper, we use cryptographic hash functions to improve the security and performance of secret sharing schemes based on a Latin square or its critical sets.
We can store a partial Latin square in a hash for fast retrieval of the shared secret; we can set up an ideal perfect $(t+1, n)$ threshold secret sharing scheme that is easily extendable to have verifiable, proactive and hierarchical properties. This can also be applied to any general access structure.

Acknowledgments.
The authors would like to thank Prof. Michael Anshel for his valuable discussions. We also want to thank Prof. Joseph Vaisman for getting us many useful references.
References
1. G.R. Blakley. Safeguarding cryptographic keys. In Proc. of the National Computer Conference, American Federation of Information Processing Societies Proceedings 48, pages 313–317, 1979.
2. G. Chaudhry, H. Ghodosi, and J. Seberry. Perfect secret sharing schemes from Room squares. pages 55–61, 1998.
3. G. Chaudhry and J. Seberry. Secret sharing schemes based on Room squares. In Proc. of DMTCS'96 - Combinatorics, Complexity and Logic, pages 158–167, 1996.
4. C.J. Colbourn. The complexity of completing partial Latin squares. Discrete Applied Mathematics, 8:25–30, 1984.
5. J.A. Cooper, D. Donovan, and J. Seberry. Secret sharing schemes arising from Latin squares. Bulletin of the ICA, 12:33–43, 1994.
6. I. Damgård. A design principle for hash functions. In CRYPTO 1989, volume 435 of LNCS.
7. D. Donovan, J.A. Cooper, D.J. Nott, and J. Seberry. Latin squares: Critical sets and their lower bounds. Ars Combinatoria, 39:33–48, 1995.
8. T. Evans. Embedding incomplete Latin squares. The American Mathematical Monthly, 67:958–961, 1960.
9. P. Feldman. A practical scheme for non-interactive verifiable secret sharing. In Proc. of the 28th IEEE Symposium on the Foundations of Computer Science, pages 427–437, 1987.
10. P. Hall. On representatives of subsets. Journal of the London Mathematical Society, 10(37):26–30, 1935.
11. M. Ito, A. Saito, and T. Nishizeki. Secret sharing scheme realizing general access structure. In Proc. of IEEE GLOBECOM 1987, pages 99–102, 1987.
12. J. Kelsey and T. Kohno. Herding hash functions and the Nostradamus attack. http://eprint.iacr.org/2005/281.pdf, 2006.
13. B. D. McKay and I. M. Wanless. On the number of Latin squares. Ann. Combin., 9:335–344, 2005.
14. R. C. Merkle. One way hash functions and DES. In CRYPTO 1989, volume 435 of LNCS, pages 428–446, 1989.
15. G. Mullen and C. Mummert. Finite Fields and Applications (Student Mathematical Library). American Mathematical Society, 2007.
16. A. Shamir. How to share a secret. Communications of the ACM, 22(11):612–613, 1979.
17. B. Smetaniuk. A new construction on Latin squares - I: A proof of the Evans conjecture. Ars Combin., 11:155–172, 1981.
18. M. Stevens, A.K. Lenstra, and B. Weger. Predicting the winner of the 2008 US presidential elections using a Sony PlayStation 3. November 2007.
19. D. Stinson. Cryptography, Theory and Practice. Chapman and Hall/CRC, 3rd edition, 2005.
20. W. Trappe and L. Washington. Introduction to Cryptography with Coding Theory. Prentice Hall, 2nd edition, 2006.
21. Y. Zheng, T. Hardjono, and J. Seberry. Reusing shares in secret sharing schemes.