Threshold Changeable Secret Sharing Scheme and Its Application to Group Authentication
Tightly Coupled Secret Sharing and Its Application to Group Authentication
Fuyou Miao, Keju Meng, Yue Yu, Wenchao Huang, Yan Xiong, Xingfu Wang
University of Science and Technology of China, No.96, JinZhai Road, Baohe District, Hefei, Anhui, 230026, P.R. China
Abstract
Group oriented applications are getting more and more popular in today's mobile Internet and call for secure and efficient (t,n) threshold secret sharing schemes (or (t,n)-SSs) to meet their requirements. A (t,n)-SS divides a secret into n shares such that any t or more than t shares can recover the secret while less than t shares cannot. However, an adversary, even without a valid share, may obtain the secret by mounting an Illegal Participant (IP) attack or a Half Threshold Channel Cracking (HTCC) attack. Therefore, 1) the paper presents the notion and generic framework of (t,m,n)-Tightly Coupled Secret Sharing ((t,m,n)-TCSS). Prior to recovering the secret, it requires m (m ≥ t) participants to form a tightly coupled group by each independently constructing a component with its share. All m components have to be used to recover the secret, and thus both attacks can be thwarted more directly and simply. Furthermore, following the framework, threshold changeable secret sharing can also be easily constructed. 2) As an implementation of the framework, a linear code based (t,m,n)-TCSS scheme is proposed. Analyses show that the scheme can prevent IP, HTCC and (t −
Keywords: Tightly Coupled, Secret Sharing, Components, Linear Code, Group Authentication
Preprint submitted to Elsevier August 7, 2019
1. Introduction
With the development of the mobile Internet, network applications are no longer limited to the 1-to-1 or 1-to-m (i.e., client/server) interaction pattern. Group oriented applications with an m-to-m interaction pattern are getting more and more popular, especially in mobile social apps. Group chat is one of the group oriented applications provided by most social apps; it is actually an online meeting system and allows a user to invite his/her friends to have a meeting anytime and anywhere. For example, WeChat, the most popular mobile social app with over 600 million users in Asia, enables a user to initiate a group for an ad hoc session on demand. In the group, any user is allowed to send/receive messages, start an audio/video chat or invite his/her friends into the group. Consequently, a user may not be familiar with some other users. However, a main concern about the online meeting is authentication. That is, each user needs to make sure that any other user in the group has the right identity, especially when the meeting is confidential. That is because any user at a confidential meeting is responsible for the information he/she releases, and never wants any wrong person to have access to it. In this case, each user needs to authenticate all the others successfully, or else the meeting must be aborted.

Traditionally, one user employs a 1-to-1 authentication scheme to verify another user's identity. In such a scheme, one user (the verifier) gets convinced that the other user (the prover) is the one it claims to be. If the 1-to-1 scheme is trivially applied to mutual authentication within a group of m users, there are m(m − 1) rounds of authentication in total. Nevertheless, m rounds are sufficient for the same case if an m-to-m authentication scheme is employed, because the new authentication allows each user to verify whether all users are legal group members at once. Therefore, it is of great importance to find a proper cryptographic tool for designing secure and efficient m-to-m authentication schemes for group oriented applications.

As a group oriented cryptographic primitive, a (t,n)-threshold secret sharing scheme (or (t,n)-SS) divides a secret into n shares and allocates each share to a shareholder, such that at least t shareholders (i.e., participants) are qualified to recover the secret but less than t are not. In a group of exactly t shareholders, each shareholder can verify whether all t shareholders are legal at once if they mutually exchange shares, independently reconstruct the secret and check its correctness. Therefore, (t,n)-SSs have potential in building m-to-m authentication schemes.

Since (t,n)-SS was first introduced separately by Shamir [1] and Blakley [22] in 1979, it has been studied extensively in the literature [23] [21] [24] [26] [25] and widely used in many applications, such as secure multiparty computation [27], threshold signature [28], group key agreement [29], group authentication [20], etc. As the most popular (t,n)-SS, Shamir's scheme [1] is constructed based on a polynomial of degree at most (t − 1) over a finite field. Blakley's scheme [22] is based on hyperplanes, while Asmuth-Bloom's scheme [23] and Mignotte's scheme [21] are both based on the Chinese Remainder Theorem. Linear codes are another tool to construct (t,n)-SSs. In 1981, McEliece and Sarwate [24] proposed a formulation of (t,n) threshold secret sharing based on maximum-distance-separable (MDS) codes, and pointed out that Shamir's (t,n) threshold scheme can be constructed equivalently by using Reed-Solomon codes. Subsequently, many secret sharing schemes based on linear codes were proposed [26] [19] [18]. In [26] [19], Massey utilized linear codes to construct a secret sharing scheme, and he also presented the relationship between the access structure of secret sharing and the minimal code words of the dual code. All the above (t,n)-SSs do not depend on any computational assumption of a hard problem or one-way function.

In general, a (t,n)-SS scheme consists of share generation and secret reconstruction. In share generation, the dealer generates n shares from the secret to be shared and allocates each shareholder a share securely. In secret reconstruction, t or more than t shareholders (also called participants or players) exchange shares privately and thus each participant can recover the secret from the collected shares.

Actually, the above traditional (t,n)-SSs are not secure in practice. In the following, we consider 2 attacks against secret reconstruction with more than t participants: 1) the Illegal Participant (or IP) attack and 2) the Half Threshold private Channel Cracking (or HTCC) attack. Both IP and HTCC attacks enable an adversary to obtain the secret without having any valid share.
1) IP attack

Suppose there are m (m ≥ t + 1) participants in secret reconstruction, and one of them is an adversary without any valid share. If participants are not required to release their shares simultaneously and the adversary, in the name of some legal shareholder (e.g., the Shareholder in Fig. 1), may communicate with the others, it could wait to collect enough (i.e., m − 1 ≥ t) valid shares from the other participants and thus recover the secret. With these shares, the adversary can also forge a valid share and then act as a legal participant without being detected. We call it the Illegal Participant (IP) Attack.

Figure 1: Example of IP attack with threshold 3
One countermeasure against the IP attack is user authentication [17] [16]. It guarantees that only the right shareholders are allowed to participate in secret reconstruction, but user authentication makes (t,n)-SS more complicated because each participant needs to be authenticated by the others. Moreover, whether a secret can be recovered should depend on the share a participant holds rather than on his/her identity.
2) HTCC attack
In traditional (t,n)-SSs, there usually exists a private channel between each pair of participants, by which the 2 participants exchange shares privately. Once an adversary cracks a private channel, it can intercept any information through the channel, including the 2 shares of the involved participants. Consequently, an adversary may recover the secret if it manages to crack ⌈t/2⌉ distinct private channels, even though the number of participants m may be much larger than the threshold t. We call it the Half Threshold private Channel Cracking (or HTCC) attack.

Similarly, if each participant, say A, sends its share to participant B via a private channel while receiving B's share via another private channel, an adversary may recover the secret if it manages to crack t distinct private channels. That is, the robustness of (t,n)-SS against the private channel cracking attack depends on t rather than on m. Obviously, it is more desirable if the robustness depends on the number of participants m instead of t, since m ≥ t. Note that, for the convenience of discussion, the paper just takes the former case (i.e., the HTCC attack) as example since the latter case is highly similar to the former.

Remark 1.1. Although the adversaries in IP and HTCC attacks both have no valid share and need to collect enough shares by mounting an attack before obtaining the secret, they are different in substance. An IP adversary actively participates in secret reconstruction while a HTCC adversary merely eavesdrops on cracked private channels passively and stays out of secret reconstruction. In other words, the information (i.e., a fake share) of the adversary in the IP attack is used by all the other participants in secret reconstruction and thus leads to an error, while all information used by participants is correct in the HTCC attack. This results in the fact that a countermeasure valid for one attack is not always valid for the other. For example, user authentication [17] [16] can prevent the IP attack but cannot thwart the HTCC attack; in contrast, Harn's secure secret reconstruction [13] is resistant to the HTCC attack but fails to prevent the IP attack in most cases.
Figure 2: Example of HTCC attack with threshold 3
As far as we know, there are the following 3 related countermeasures against IP or HTCC attacks in secret sharing.

1) Shuffling Schemes
Currently, complete shuffling [15] and partial shuffling [14] schemes are available to cope with the HTCC as well as the IP attack in (t,n)-SS. In complete shuffling [15] with m participants, every pair of participants exchange a shuffling factor (i.e., a random integer), and thus each finally gets (m − 1) shuffling factors in total. A participant constructs a shuffled partial share with the (m − 1) shuffling factors. All m shuffled partial shares are required to recover the secret, and thus a complete shuffling based (t,n)-SS forces an adversary to crack at least ⌈m/2⌉ distinct private channels before figuring out the secret. There are totally m ( m − / m . Subsequently, Zhang proposed the partial shuffling scheme [14]: m participants form a loop in some order and communicate along the loop, and each of them just picks one random number as its shuffling factor such that the sum of all shuffling factors is zero. Consequently, m participants need to exchange m shuffling factors in total, and an adversary has to crack at least t private channels before obtaining the secret. However, both schemes require extra communication to exchange shuffling factors before secret reconstruction.
2) Threshold Changeable Secret Sharing

A (t,n)-threshold changeable secret sharing scheme (threshold changeable SS) allows shareholders to change the threshold from t to t′ > t. In this case, t′ or more than t′ shareholders can recover the secret while less than t′ cannot. Therefore, some (t,n)-threshold changeable SSs can prevent IP and HTCC attacks if there are exactly t′ participants with t ≤ t′ ≤ n and the threshold is also raised to t′. For example, the dealer in the schemes of [12][11] generates multiple shares for every shareholder, each share with a distinct threshold t′ > t. Therefore, if shares with threshold t′ are used to reconstruct the secret, exactly t′ participants can prevent IP and HTCC attacks. However, every shareholder in such schemes has to hold multiple shares and thus requires more storage; moreover, these schemes can only raise the threshold to predefined values.

As an improvement, Ron Steinfeld et al. presented a lattice-based threshold changeable SS [10]: shareholders add some noise to their shares or delete some bits of their shares to compute subshares, which contain partial information about the original shares. As a result, a larger number t′ > t of subshares are required to recover the secret by using an "error-correction" combiner algorithm. The scheme does not require communication either between the dealer and shareholders or among shareholders. However, 1) the share combiner needs to communicate with all participants and instruct them to change the threshold; 2) the scheme is lattice-based and thus complicated in computation; 3) it is far from a perfect scheme. In 2017, H. Pilaram and T. Eghlidos proposed a lattice based threshold changeable multi-secret sharing scheme [9].

Nojoumian et al. [8] presented a Shamir's (t,n)-SS based dealer-free threshold changeable scheme using secure multiparty computation. The scheme retains some properties of Shamir's (t,n)-SS, such as being unconditionally secure and ideal; moreover, it can change the threshold to any value. Later on, they also proposed a method of increasing the threshold by zero addition [7]: it increases the threshold by generating shares of a polynomial that corresponds to a secret with value zero and threshold t′ > t, and adding these new shares to the players' current shares. However, due to the resharing operation, both schemes require too much computation by participants and communication among participants. In 2016, Yuan et al. [6] came up with 2 threshold changeable schemes based on Lagrange interpolation polynomials and a 2-variable one-way function. Both schemes require the dealer to evaluate and store a lot of values before increasing the threshold. Moreover, they need the combiner (i.e., the proxy of the dealer) to additionally send each participant a distinct key to activate the share.

In conclusion, current threshold changeable SSs suffer from either large storage or heavy computation/communication. In section 4, we will propose a special SS scheme which is capable of thwarting IP and HTCC attacks and efficient in storage, computation and communication.
3) Secure Secret Reconstruction
Recently, Harn [13] introduced the notion of secure secret reconstruction and proposed the (t,n)-secure secret reconstruction (or SSR) scheme. The scheme takes advantage of the homomorphism of polynomials [3] and does not call for extra communication before recovering the secret. It claims that the secret can only be reconstructed if each participant has a valid share, and thus can defeat IP and HTCC attacks without using user authentication. Actually this is not true. Based on a similar idea, Harn et al. [5] also proposed a bivariate SS scheme, which has a similar problem. We will discuss it in section 3.

Therefore, it is necessary to construct an efficient secret sharing scheme against both IP and HTCC attacks simultaneously to meet the security requirements of the aforementioned group oriented applications.

1.4. Contributions
We summarize the contributions in 3 aspects.
1) In order to cope with IP and HTCC attacks against (t,n)-SS, the paper presents the notion and generic framework of (t,m,n)-Tightly Coupled Secret Sharing (or (t,m,n)-TCSS). By following the framework, most traditional (t,n)-SSs can be simply converted into (t,m,n)-TCSSs and thus endowed with the capability to frustrate both attacks. It should be noted that a (t,m,n)-TCSS under the framework can be applied to any scenario of (t,n)-SS. Moreover, threshold changeable secret sharing schemes can also be easily constructed according to the framework.
2) As an implementation of the framework, a concrete (t,m,n)-TCSS scheme is proposed from the traditional linear code based (t,n)-SS. The (t,m,n)-TCSS does not depend on any hard problem or one-way function. In contrast with related schemes, the (t,m,n)-TCSS is resistant to the above 2 attacks without special limitations and is more efficient in storage, computation and communication.
3) As an application of the (t,m,n)-TCSS scheme, a group authentication protocol is constructed to enable rapid m-to-m authentication in group oriented applications.

The rest of this paper is organized as follows. In the next section, we briefly review the linear code based (t,n)-SS and Harn's Secure Secret Reconstruction; section 3 gives the definition of Tightly Coupled Secret Sharing. We describe our proposed (t,m,n)-TCSS and analyze its security in section 4 and section 5 respectively; section 6 summarizes the properties of (t,m,n)-TCSS. As an application, the group authentication protocol is constructed in section 7. Finally, we present some discussions and conclude the paper in section 8 and section 9 respectively.
2. Preliminaries
1) Notations
Here are some notations used throughout the paper. I_n denotes the integer set {1, 2, ..., n} and is used to label all n shareholders; I_m, with cardinality |I_m| = m (t ≤ m ≤ n), is a subset of I_n and is used to label any m out of the n shareholders; F_p = {0, 1, 2, ..., p − 1} is a finite field for a large prime p, and F_p^* = {1, 2, ..., p − 1} is the multiplicative group of F_p; r ∈_U F_p denotes that r is a random number uniformly distributed in F_p. |S| is the cardinality of set S. In (t,n)-SS, a shareholder is also called a participant when it is participating in secret recovery. So shareholder and participant will be used interchangeably during secret reconstruction.
2) Information theoretical terms
Now we introduce some basic terms in information theory. Suppose X, Y are discrete-time discrete-valued random variables with sample spaces SP_X, SP_Y. The entropy of X is denoted as

$$H(X) = E(-\log P(X)) = \sum_{x \in SP_X} -P(x)\log P(x),$$

where E is the expectation operator and P(X) is the probability distribution function of X. From the view of an adversary, the secret s in (t,n)-SS is indistinguishable from a random variable uniformly distributed in the secret space. Therefore, we use H(s) to denote the uncertainty of the secret. The mutual information of X with Y is written as

$$I(X;Y) = H(X) - H(X|Y) = \sum_{x \in SP_X,\ y \in SP_Y} P(x,y)\log\frac{P(x|y)}{P(x)}.$$

I(X;Y) means the amount of information about X obtained due to the knowledge of Y. In the following sections, we omit the base of the logarithm and simply write log P(x).
3) Some Definitions

Definition 2.1. (Perfect (t,n)-SS) Let s, S and Ω be the secret, the secret space and the share set of a (t,n)-SS respectively with |Ω| = n. The (t,n)-SS is perfect with respect to the probability distribution of s on the secret space S if
1) H(s) ≥ 0;
2) I(s; Ω_J) = H(s) − H(s | Ω_J) = 0, where Ω_J denotes any subset of Ω with less than t shares, i.e., Ω_J ⊆ Ω and |Ω_J| < t.

As a secret value, the secret s actually appears as a random variable uniformly distributed in the secret space S. In a perfect (t,n)-SS, less than t

Definition 2.2. (Asymptotically Perfect (t,n)-SS) A (t,n)-SS is asymptotically perfect with respect to the probability distribution of s on the secret space S if, for all Ω_J with |Ω_J| < t, we have
1) H(s) ≥ 0;
2) lim_{|S|→∞} I(s; Ω_J) = 0,
where |S| is the cardinality of S. An asymptotically perfect (t,n)-SS implies that less than t shareholders get nearly no information about the secret when the secret space converges to infinity.

There are several ways to construct a (t,n)-SS scheme based on linear codes [26]; one of them comes as follows. Assume that an [n + 1, t] linear code LC is a subspace of $F_p^{n+1}$ with length n + 1 and dimension t, and $G = (\vec{g}_0, \vec{g}_1, ..., \vec{g}_n)$ is the public generator matrix of the linear code LC, where $\vec{g}_i \in F_p^t$ (0 ≤ i ≤ n) is a nonzero column vector and G has rank t. In the traditional (t,n)-SS scheme based on LC, there is a dealer and n shareholders U_1, U_2, ..., U_n, and the secret s is a value in F_p. The scheme consists of the following two steps:
Share Generation: The dealer privately chooses a row vector $\vec{v} = (v_0, v_1, ..., v_{t-1}) \in F_p^t$ such that the secret is $s = \vec{v}\vec{g}_0 \bmod p$; it is obvious that there are totally $p^{t-1}$ such $\vec{v}$ for a given pair $(s, \vec{g}_0)$. The dealer generates the code word $\vec{w} = (s, s_1, ..., s_n) = \vec{v}G \bmod p$ and allocates $s_i = \vec{v}\vec{g}_i \bmod p$ to U_i as its share securely, i = 1, 2, ..., n.

Secret Reconstruction: If m (m ≥ t) out of the n shareholders, $U_{I_m} = \{U_{i_1}, U_{i_2}, ..., U_{i_m}\}$, need to recover the secret s, they first find a group of parameters $\{b_{i_1}, b_{i_2}, ..., b_{i_m}\}$ over F_p such that $\vec{g}_0 = b_{i_1}\vec{g}_{i_1} + b_{i_2}\vec{g}_{i_2} + ... + b_{i_m}\vec{g}_{i_m} \bmod p$ holds, and then pool their shares $\{s_{i_1}, s_{i_2}, ..., s_{i_m}\}$ in private to compute the secret as

$$s = \vec{v}\vec{g}_0 = \sum_{j=1}^{m} b_{i_j}\vec{v}\vec{g}_{i_j} = \sum_{j=1}^{m} b_{i_j} s_{i_j} \bmod p.$$

2.3. Harn's Secure Secret Reconstruction

In 2014, Harn [13] proposed a (t,n) secure secret reconstruction (or SSR) scheme. The scheme claims to be resistant to the IP attack without VSS or user authentication. Our work is partly inspired by the notion of this scheme. It works as follows.
1) Share generation
Suppose there are n shareholders, U = {U_1, U_2, ..., U_n}. The dealer D selects k random polynomials f_l(x), l = 1, 2, ..., k, over F_p with degree no more than t − 1, and generates k shares f_l(x_r), l = 1, 2, ..., k, for each shareholder U_r (U_r ∈ U). For any secret s, the dealer can always find integers w_l, d_l (l = 1, 2, ..., k) in F_p such that $s = \sum_{l=1}^{k} d_l f_l(w_l)$, where w_i ≠ w_j and w_i, w_j ∉ {x_1, x_2, ..., x_n} for every pair of i and j, and x_i is the public information of U_i (U_i ∈ U). The dealer makes these integers w_l, d_l, l = 1, 2, ..., k, publicly known.
2) Secret reconstruction
Assume m (t ≤ m ≤ n) out of the n shareholders want to recover the secret. Each participant $U_{r_i}$, i = 1, 2, ..., m, $U_{r_i} \in U$, uses its shares $f_l(x_{r_i})$, l = 1, 2, ..., k, to compute a Lagrange component

$$c_{r_i} = \sum_{l=1}^{k} d_l f_l(x_{r_i}) \prod_{v=1,\ v \ne i}^{m} \frac{w_l - x_{r_v}}{x_{r_i} - x_{r_v}} \bmod p,$$

and releases $c_{r_i}$ to all the other participants secretly. After knowing $c_{r_i}$ (i = 1, 2, ..., m), each participant computes the secret as $s = \sum_{i=1}^{m} c_{r_i} \bmod p$.

Remark 2.1. The scheme claims to require kt > n − 1 ... kt Lagrange components, construct the k polynomials and finally recover the secret. As a matter of fact, m Lagrange components are linearly dependent in the case of k + t − 1 < m < kt. Interested readers can refer to [4] for more detail. Therefore, it is possible for an adversary to forge a valid Lagrange component from the other m − 1
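As an added worked example (not code from the paper), the following Python implements the linear code based (t,n)-SS of this section over a small prime field and checks Definition 2.1 by brute force: with v uniform on F_p^t, I(s; Ω_J) enumerated over all p^t dealer vectors is 0 for t − 1 shares and equals H(s) for t shares. The field size p = 13 and the Reed-Solomon (Vandermonde) choice of the generator matrix G, which McEliece and Sarwate note makes the scheme equivalent to Shamir's, are assumptions of this example.

```python
from collections import Counter
from itertools import product
from math import log2

# Example parameters (an assumption of this example, not the paper's): a tiny prime
# field so that the information-theoretic check below can enumerate every dealer vector v.
P, T, N = 13, 2, 4


def dot(x, y, p):
    """Inner product of two vectors over F_p."""
    return sum(a * b for a, b in zip(x, y)) % p


def gen_matrix(t, n, p):
    """Public generator matrix G = (g_0, g_1, ..., g_n) of an [n+1, t] linear code,
    stored column by column. We choose Reed-Solomon (Vandermonde) columns
    g_i = (1, i, i^2, ..., i^{t-1}) mod p, i = 0..n, so any t columns are linearly
    independent (G has rank t) and the scheme coincides with Shamir's."""
    assert n + 1 <= p, "need n+1 distinct evaluation points in F_p"
    return [[pow(i, k, p) for k in range(t)] for i in range(n + 1)]


def share_generation(secret, tail, G, p):
    """Dealer: choose v = (v_0, ..., v_{t-1}) with v.g_0 = s (mod p). The t-1 entries
    in `tail` are the dealer's uniformly random choices and v_0 is solved from them
    (g_0[0] must be nonzero, true for our G), giving the p^{t-1} possible v for a
    fixed (s, g_0). Returns the shares {i: s_i = v.g_i mod p} for i = 1..n."""
    g0 = G[0]
    v0 = (secret - dot([0] + list(tail), g0, p)) * pow(g0[0], p - 2, p) % p
    v = [v0] + list(tail)
    assert dot(v, g0, p) == secret % p
    return {i: dot(v, G[i], p) for i in range(1, len(G))}


def solve_mod_p(A, rhs, p):
    """Solve A b = rhs over F_p by Gauss-Jordan elimination. A has t rows and m
    columns (m may differ from t). Returns one solution b (free variables set to 0)
    or None when the system is inconsistent, i.e. rhs is not in the column span."""
    rows, cols = len(A), len(A[0])
    M = [[x % p for x in row] + [r % p] for row, r in zip(A, rhs)]
    pivots, r = [], 0
    for c in range(cols):
        if r == rows:
            break
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], p - 2, p)
        M[r] = [x * inv % p for x in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][cols] for i in range(r, rows)):
        return None
    b = [0] * cols
    for i, c in enumerate(pivots):
        b[c] = M[i][cols]
    return b


def secret_reconstruction(shares, G, p):
    """Participants U_{I_m} pool their shares {s_i : i in I_m}: find b with
    g_0 = sum_i b_i g_i (mod p), then s = sum_i b_i s_i (mod p). Returns None when
    no such b exists, which is what happens with fewer than t shares."""
    idx = sorted(shares)
    t = len(G[0])
    A = [[G[i][k] for i in idx] for k in range(t)]  # t x m matrix whose columns are g_i
    b = solve_mod_p(A, G[0], p)
    if b is None:
        return None
    return sum(bi * shares[i] for bi, i in zip(b, idx)) % p


def secret_entropy(p):
    """H(s) in bits for a secret uniform on F_p."""
    return log2(p)


def mutual_information(J, G, p):
    """I(s; Omega_J) in bits for the share subset J, with v uniform on F_p^t (so s is
    uniform on F_p). Enumerates all p^t vectors v and applies the definition
    I = sum P(s,w) log(P(s,w) / (P(s) P(w))). Definition 2.1 asks for 0 whenever
    |J| < t; a value of H(s) means the shares in J determine the secret."""
    t = len(G[0])
    total = p ** t
    joint, marg_s, marg_w = Counter(), Counter(), Counter()
    for v in product(range(p), repeat=t):
        s = dot(v, G[0], p)
        w = tuple(dot(v, G[i], p) for i in J)
        joint[(s, w)] += 1
        marg_s[s] += 1
        marg_w[w] += 1
    return sum(c / total * log2(c * total / (marg_s[s] * marg_w[w]))
               for (s, w), c in joint.items())


if __name__ == "__main__":
    G = gen_matrix(T, N, P)
    shares = share_generation(7, [5], G, P)  # secret s = 7, dealer picks v_1 = 5
    print("shares:", shares)
    print("t shares   ->", secret_reconstruction({1: shares[1], 3: shares[3]}, G, P))
    print("t-1 shares ->", secret_reconstruction({2: shares[2]}, G, P))
    print("I(s; one share)  =", round(mutual_information((1,), G, P), 6))
    print("I(s; two shares) =", round(mutual_information((1, 2), G, P), 6),
          "= H(s) =", round(secret_entropy(P), 6))
```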
3. Definition of (t,m,n)-Tightly Coupled Secret Sharing
This section first presents the basic idea and overview of (t,m,n)-Tightly Coupled Secret Sharing (or (t,m,n)-TCSS), then puts forward the notion of (t,m,n)-TCSS, defines the framework and finally presents the properties of the new type of SS.

3.1. Basic Idea and Overview of (t,m,n)-TCSS
Currently, most related work cannot effectively and efficiently deal with IP and HTCC attacks. In order to simultaneously defeat both attacks during secret reconstruction in traditional (t,n)-SS, we define a new type of SS, (t,m,n)-Tightly Coupled Secret Sharing. On one hand, it is a more secure (t,n)-SS and can be applied to any scenario of (t,n)-SS; on the other hand, it provides a suitable cryptographic primitive for group oriented applications.

As we know, for traditional (t,n)-SSs, the reason why IP and HTCC attacks work lies in the direct exchange of bare shares among participants (i.e., shareholders) during secret reconstruction. In other words, since shares are sent from one participant to another through a private channel, an illegal participant is able to directly collect shares from the others, or an adversary can directly intercept shares as long as it cracks the private channel. Consequently, the secret may be obtained illegally if enough shares are collected in the above 2 ways.

Having learned the aforementioned reason, we need to present a new type of secret sharing which does not require bare shares to be transmitted among participants during secret reconstruction. That is, to secure secret reconstruction, the following 2 requirements need to be satisfied at the same time.
1) Shares need to be protected before transmission through private channels, such that an illegal participant cannot figure out the share itself even if it obtains the protected share. By this property, the IP attack can be prevented.
2) All participants' protected shares need to be directly used to recover the secret (i.e., no share needs to be uncovered from its protected form), such that an adversary has to intercept all protected shares before obtaining the secret. By this property, the HTCC attack can be thwarted accordingly.

In summary, we need to find a solution based on traditional (t,n)-SSs to protect shares during share exchange among participants and guarantee that each protected share has to be directly used to recover the secret.

From the 2 requirements, we can determine the 3 steps of (t,m,n)-TCSS:
1) share generation, which is basically the same as in traditional (t,n)-SS and is responsible for generating and distributing a share to each shareholder securely;
2) component construction, in which each participant constructs a protected share, called a Component, from its own share and all participants' public information non-interactively;
3) secret reconstruction, in which all participants exchange their components and each participant recovers the secret independently from all components.

Following the basic idea, we can easily formulate the definition and framework of (t,m,n)-TCSS, which is capable of thwarting both IP and HTCC attacks and thus enables group oriented applications.
Definition 3.1. (t,m,n)-Tightly coupled secret sharing
Informally, let t, m, n be positive integers with t ≤ m ≤ n. (t,m,n)-Tightly coupled secret sharing (or (t,m,n)-TCSS) is a special type of (t,n)-SS and satisfies: 1) any t or more than t shareholders are able to recover the secret; 2) less than t shareholders cannot reconstruct the secret; and 3) when m shareholders recover the secret, they form a tightly coupled group such that the secret can be recovered only if each participant in the group has a valid share.

A (t,m,n)-TCSS consists of 3 algorithms, Share Generation SG(s, U), Component Construction CC(U_m, Ω_m, R_m), and Secret Reconstruction SR(C_m).

SG(s, U): it takes the secret s and the set of n shareholders, U, as input and generates Ω, the set of n shares, as output. In this algorithm, the dealer generates n shares from the secret s and allocates each share to the corresponding shareholder in U securely.

CC(U_m, Ω_m, R_m): it takes U_m, Ω_m as well as R_m as input and outputs C_m, where U_m is the set of participants, denoting a subset of U with m shareholders, Ω_m is the share set of U_m, R_m is a set of m random numbers and C_m is the set of m components. In this algorithm, each participant in U_m generates a component with its share in Ω_m and a random number in R_m non-interactively.

SR(C_m): it takes C_m as input and recovers the secret s as output. In this algorithm, each participant uses all m components of U_m (i.e., C_m) to recover the secret independently.

Formally, let S be the secret space, SH the share space and ID the identity space respectively in (t,n)-SS, and s ∈ S the secret. Assume U = {U_i | U_i ∈ ID, i = 1, 2, ..., n} are n shareholders, and each shareholder U_i has the private share s_i ∈ SH and public identity U_i. Before any m shareholders, U_m (i.e., U_m ⊆ U and |U_m| = m), want to recover the secret, they need to form a tightly coupled group by constructing a component each. That is, each shareholder U_j ∈ U_m constructs a component c_j = f(s_j, r_j, U_m), where f : SH × S × SUB(ID) → SH is a component construction function; s_j is the share of U_j; r_j is a random number uniformly selected from S, i.e., r_j ∈_U S; and SUB(ID) denotes the power set of ID. Therefore, C_m = {c_j = f(s_j, r_j, U_m) | U_j ∈ U_m} is a valid component set of U_m. The (t,n)-SS is a (t,m,n)-TCSS if

$$I(s; C') = \begin{cases} H(s) & \text{if } C' = C_m,\ t \le |C_m| = m \le n; \\ 0 \text{ or } \to 0 & \text{if } |C' \cap C_m| < m, \end{cases} \qquad (3\text{-}1)$$

where s is viewed as a random variable in S, C′ is the component set actually used in recovering s, and "→ 0" denotes that I(s; C′) approaches 0 as |S| approaches infinity.

Remark 3.1. The expression (3-1) implies 2 facts: (1) if C′, the component set actually used in secret reconstruction, is identical with C_m, the right one generated by U_m, and the number of participants is no less than t, the secret is bound to be recovered; (2) if C′ does not contain all components in C_m, almost no information about the secret can be obtained.

Remark 3.2. In fact, U_j's component c_j = f(s_j, r_j, U_m) serves 2 functions: one is to hide the share s_j from eavesdroppers (i.e., Outsiders in section 4.1) by using r_j as a perturbation; the other is to bind U_j (i.e., the share s_j) with all participants U_m and thus make U_j inseparable from the others. In this sense, we say that all participants in U_m form a tightly coupled group, and the secret can be recovered only if all participants collaborate. That is why we name our scheme Tightly Coupled Secret Sharing.

Remark 3.3. A (t,m,n)-TCSS is an improved (t,n)-SS; it directly uses components, instead of shares, to recover the secret. On one hand, as a (t,n)-SS, it requires at least t shareholders to reconstruct the secret. On the other hand, once m (n ≥ m ≥ t) shareholders decide to recover the secret, they compose a tightly coupled group by each generating a component independently. In this case, the secret can be recovered only if all m participants have valid components, which in turn means each participant has the right share.
4. Proposed (t,m,n)-TCSS based on Linear Code
This section proposes a concrete linear code based (t,m,n)-TCSS scheme by following the above definition and framework.

4.1. Entities and Model
There are 3 types of entity in our proposed (t,m,n)-TCSS scheme, theDealer, n shareholders and some adversaries. In order to facilitate group ori-ented applications or some other distributed applications, we use the samecommunication model as Harn’s scheme [13]. That is, during secret recon-struction, each pair of participants share a private channel to exchange pri-vate information (i.e., components in our scheme) and thus recover the secretindependently.
1) Dealer
The dealer is the honest coordinator trusted by all shareholders, and is responsible for scheme setup such as determining system parameters, choosing the secret, generating and distributing shares and so on. We simply assume that the dealer allocates each share to the corresponding shareholder securely, since our work merely focuses on security during secret reconstruction.
2) Shareholders
There are totally n shareholders, each with a share generated by the dealer. Every pair of them share a private channel to exchange information. Different from most security models, we assume that the channel may be cracked in extreme cases. Consequently, information through the channel may be intercepted by adversaries. When m (m ≥ t) shareholders (i.e., participants) recover the secret, each of them first exchanges components with the others through the corresponding private channels. Then, every participant independently recovers the secret from all components.

Note that once the secret is recovered, every participant has the secret. Therefore, we assume that a shareholder only constructs a single component in its lifetime and never generates more than one component with its share.
3) Adversaries
Our goal is to prevent an adversary without any valid share from accessing the secret illegally. In most cases, legal shareholders care more about secret disclosure than about recovering the secret correctly, i.e. they would rather give up recovering the secret than leak it to adversaries. Therefore, in order to prevent secret disclosure, (t,m,n)-TCSS considers the following adversaries.

(1) Outsider: an adversary without any valid share. An Outsider appears in 2 forms during secret reconstruction.

a) Outsider-1: it impersonates a legal shareholder but without the right share. That is, in the name of some legal shareholder, it is allowed to receive private information (i.e., components in our scheme) from the other participants and to send a forged component to the others. An Outsider-1 aims to forge a valid component from the received ones or to obtain the secret.

b) Outsider-2: it somehow cracks private channels between some participants and thus can intercept any information (i.e., components in our scheme) passing through these cracked channels by eavesdropping. It aims to figure out shares or even the secret from the components available. Note that, since a participant never generates more than one component with its share, an Outsider can obtain at most a single component from one participant.

(2) Insider: a legal shareholder. When fewer than $t$ shareholders conspire to recover the secret, these misbehaving shareholders are called Insiders. They aim to recover the secret with fewer than $t$ shareholders participating.

Remark 4.1. In secret reconstruction of traditional $(t,n)$-SS, shares are exchanged privately among shareholders. In contrast, $(t,m,n)$-TCSS requires components, instead of shares, to be exchanged among shareholders during secret reconstruction. In $(t,n)$-SS, if an Outsider-2 cracks a private channel between 2 participants, it can easily obtain the shares through the cracked channel. Consequently, the Outsider-2 can take advantage of the intercepted share and act as an Insider in the future. Therefore, Outsider-2 and Insider are closely connected with each other in $(t,n)$-SS. However, the case is quite different in $(t,m,n)$-TCSS. We know from section 3 that a component has different properties from a share and that a share cannot be obtained from a given component. Moreover, a component binds a shareholder with the other participants and makes them inseparable. As a result, 1) an Outsider-2 is distinct from an Insider in $(t,m,n)$-TCSS, since the Outsider-2 cannot figure out any share even if it intercepts some components by eavesdropping. Therefore, if the Outsider-2 intercepts some components generated by a tightly coupled group of $m$ ($m > t$) shareholders, it has to further collect all the $m$ components before obtaining the secret. In contrast, an Insider is allowed to flexibly choose any number of shareholders to form a tightly coupled group before secret reconstruction. Of course, as long as $t$ Insiders are available, the secret can be recovered. 2) An Outsider-1 is also different from an Outsider-2, since Outsider-1 actively participates in secret reconstruction while Outsider-2 just passively eavesdrops on components. The components collected by an Outsider-1 contain information of its own, while the components intercepted by an Outsider-2 do not contain any information of itself.
The proposed (t,m,n)-TCSS consists of 1) Share Generation, 2) Component Construction and 3) Secret Reconstruction (see Figure 3). In Share Generation, the dealer picks parameters to initialize the scheme, generates $n$ shares and allocates each one to a shareholder securely. If $m$ ($m \ge t$) shareholders need to recover the secret, they form a tightly coupled group by each constructing a component with the share, a random number and all participants' identities (i.e. Component Construction). In Secret Reconstruction, all $m$ participants exchange components through private channels, and each participant recovers the secret independently by adding up all $m$ components. Roughly speaking, since all components are required in recovering the secret, the scheme is capable of frustrating IP and HTCC attacks. More detailed descriptions are given as follows.
1) Share Generation
Suppose there are $n$ shareholders $U = \{U_i \mid U_i \in F_p^*, i \in I_n\}$, $I_n = \{1, 2, \ldots, n\}$, and a dealer $D$ in the scheme, and $LC$ is an $[n+1, t]$ linear code of length $n+1$ and dimension $t$. $D$ chooses two large primes $p$, $q$ with $p > nq^2$ and $G_{t \times (n+1)} = (\vec{g}_0, \vec{g}_1, \ldots, \vec{g}_n)$, the public generator matrix of $LC$, where $\vec{g}_i$ is a column vector, $i = 0, 1, \ldots, n$. $G_{t \times (n+1)}$ has rank $t$, i.e., any $t$ column vectors are linearly independent while any set of $t+1$ column vectors is linearly dependent, which guarantees that any $t$ or more than $t$ shareholders are qualified to reconstruct the secret, but fewer than $t$ shareholders are not. The following Vandermonde matrix is an option for $G_{t \times (n+1)}$ with distinct $U_i \in F_p^*$, $i = 0, 1, \ldots, n$:

$$G_{t \times (n+1)} = \begin{pmatrix} 1 & 1 & \cdots & 1 \\ U_0 & U_1 & \cdots & U_n \\ \vdots & \vdots & \ddots & \vdots \\ U_0^{t-1} & U_1^{t-1} & \cdots & U_n^{t-1} \end{pmatrix} \qquad (4\text{-}1)$$

$D$ randomly picks the secret $s \in F_q$ and determines a non-zero row vector $\vec{v} = (v_0, \ldots, v_{t-1}) \in F_p^t$ privately such that $s = \vec{v}\vec{g}_0 \bmod p$, and then generates the codeword $\vec{w} = (s, s_1, \ldots, s_n) = \vec{v} G_{t \times (n+1)}$. Finally, the dealer allocates $s_i$ to $U_i$ as the share secretly for $i = 1, 2, \ldots, n$.
2) Component Construction

If $m$ ($m \ge t$) participants $U_m = \{U_i \mid i \in I_m\}$ ($I_m \subseteq I_n$, $|I_m| = m \ge t$) need to recover the secret $s$, they determine the corresponding public coefficients $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ non-interactively such that $\vec{g}_0 = \sum_{i \in I_m} b_i \vec{g}_i \bmod p$ holds. $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ is easy to find because $\{\vec{g}_i \mid i \in I_m\}$ and $\vec{g}_0$ are linearly dependent. Take $I_m = \{1, 2, \ldots, m\}$ for example; each participant $U_j \in U_m$ can independently determine $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ as follows. $U_j$ first lets $b_i = 1$ for $i = 1, \ldots, m-t$, and then evaluates the remaining $t$ coefficients $b_{m-t+1}, b_{m-t+2}, \ldots, b_m$ such that $\vec{g}_0 = (\sum_{i=1}^{m-t} \vec{g}_i + \sum_{i=m-t+1}^{m} b_i \vec{g}_i) \bmod p$. In this way, all participants share $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ without interaction. Each participant, e.g. $U_i \in U_m$, picks a random number $r_i \in_U F_q$ in private and constructs a component as $c_i = (b_i s_i + r_i q) \bmod p$.

Remark 4.2. As a matter of fact, $b_i$ can be directly expressed as $b_i = \prod_{j \in I_m \setminus \{i\}} \frac{U_0 - U_j}{U_i - U_j} \bmod p$ due to Lagrange interpolation if the dealer chooses $G_{t \times (n+1)}$ as in (4-1). Therefore, $c_i = (b_i s_i + r_i q) \bmod p$ is actually a function of $s_i$, $r_i$ and $U_m$; this further means that the component $c_i$ binds the participant (i.e. its share $s_i$) with all participants $U_m$ and protects the share $s_i$ from exposure by the random number $r_i$.
3) Secret Reconstruction
Each participant in $U_m$, e.g. $U_i$, releases the component $c_i$ to the others through the corresponding private channels. After obtaining all components $\{c_j \mid j \in I_m\}$, $U_i$ recovers the secret as $s = (\sum_{j \in I_m} c_j \bmod p) \bmod q$.

Entities:
Dealer: $D$; $n$ shareholders: $U = \{U_i \mid U_i \in F_p^*, i \in I_n\}$, $I_n = \{1, 2, \ldots, n\}$; $U_i$ is the public identity of each shareholder; $m$ out of $n$ shareholders: $U_m = \{U_i \mid i \in I_m\}$, $I_m \subseteq I_n$, $|I_m| = m \ge t$.
Parameters:
Public primes: $p$, $q$ with $p > nq^2$;
Linear code: $LC$ with length $n+1$ and dimension $t$;
Public generator matrix of $LC$: $G_{t \times (n+1)} = (\vec{g}_0, \vec{g}_1, \ldots, \vec{g}_n)$ with rank $t$, column vector $\vec{g}_i \in F_p^t$, $i = 0, 1, \ldots, n$;
Private row vector: $\vec{v} = (v_0, \ldots, v_{t-1}) \in F_p^t$;
Secret: $s = \vec{v}\vec{g}_0 \bmod p$, $s \in F_q$.
Algorithms:
1) Share Generation: $D$ randomly picks $s \in F_q$, designates $\vec{v} = (v_0, \ldots, v_{t-1}) \in F_p^t$ and $G_{t \times (n+1)}$ such that $s = \vec{v}\vec{g}_0 \bmod p$, allocates $s_i = \vec{v}\vec{g}_i \bmod p$ to $U_i$ as the share privately and securely for $i = 1, 2, \ldots, n$, makes $G_{t \times (n+1)}$ public and keeps $\vec{v}$ and $s$ secret.
2) Component Construction: To recover the secret, $m$ shareholders $U_m$ form a tightly coupled group. That is, according to the specified rule (see Component Construction in section 4.2), each participant $U_i \in U_m$ first determines the unique set of public coefficients $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ by itself such that $\vec{g}_0 = \sum_{i \in I_m} b_i \vec{g}_i \bmod p$. Then it picks a random number $r_i \in_U F_q$ privately to compute a component as $c_i = (b_i s_i + r_i q) \bmod p$.
3) Secret Reconstruction: Each participant $U_i \in U_m$ releases $c_i$ to the other participants through private channels. After collecting all components, each participant independently recovers the secret as $s = (\sum_{j \in I_m} c_j \bmod p) \bmod q$.
Fig. 3: (t,m,n)-Tightly Coupled Secret Sharing Scheme
Theorem 4.1.
In (t,m,n)-TCSS, any $t$ or more than $t$ shareholders are able to reconstruct the secret from all their components. That is, given $m$ ($m \ge t$) shareholders $U_m = \{U_j \mid j \in I_m\}$, each shareholder $U_j$ with the component $c_j = (b_j s_j + r_j q) \bmod p$, $j \in I_m$, the secret can be recovered as $s = (\sum_{j \in I_m} c_j \bmod p) \bmod q$.

Proof.
$$\Big(\sum_{j \in I_m} c_j \bmod p\Big) \bmod q = \Big(\big(\sum_{j \in I_m} b_j s_j \bmod p + \sum_{j \in I_m} r_j q\big) \bmod p\Big) \bmod q = \Big(\big(s + \sum_{j \in I_m} r_j q\big) \bmod p\Big) \bmod q \qquad (4\text{-}2)$$
$$= \Big(s + \sum_{j \in I_m} r_j q\Big) \bmod q \qquad (4\text{-}3)$$
$$= s.$$
Note that we have $s + \sum_{j \in I_m} r_j q \le s + m(q-1)q < nq^2 < p$ due to $s \in F_q$, $r_j \in_U F_q$ and $p > nq^2$. As a result, (4-2) is equivalent to (4-3).
5. Security analyses of (t,m,n)-TCSS Scheme
In (t,m,n)-TCSS, we use components to protect a participant's share. To reconstruct the secret, adversaries must get either at least $t$ right shares or all $m$ ($m \ge t$) valid components if $m$ participants collaborate. We show the security by the following 4 theorems. Theorem 5.1 shows that one cannot figure out the share from a given component; Theorem 5.2 proves the capability of (t,m,n)-TCSS against IP attack while Theorem 5.3 guarantees the scheme is resistant to HTCC attack; Theorem 5.4 testifies to the fact that up to $t - 1$ Insiders cannot obtain the secret.

Theorem 5.1. In (t,m,n)-TCSS, given $c_i = (b_i s_i + r_i q) \bmod p$, the component of participant $U_i$ ($i \in I_m$), the probability for an adversary to derive the share $s_i$ is $1/q$, i.e. $P(s_i \mid c_i) = 1/q$, where $p$, $q$ are large primes with $p > nq^2$, $r_i$ is uniformly distributed in $F_q$, and $s_i$ and $b_i$ are over $F_p$ and $F_p^*$ respectively.

Proof: From $c_i = (b_i s_i + r_i q) \bmod p$, we have $s_i = (b_i^{-1} c_i - q b_i^{-1} r_i) \bmod p$, where $b_i^{-1}$ is the multiplicative inverse of $b_i$ modulo $p$. Note that $r_i$, from the view of an adversary, is indistinguishable from a random variable uniformly distributed over $F_q$. Obviously, the values of $b_i^{-1}$, $p$ and $q$ are known, so given $c_i$ the share $s_i$ is a function of $r_i$ from the adversary's view. According to the property of the finite field $F_p$, there must be different values of $s_i$ for distinct $r_i$. Consequently, there are totally $q$ distinct values of $s_i$ when $r_i$ varies over $F_q$. As a result, an adversary derives $s_i$ from $c_i$ with probability $1/q$ for $r_i \in_U F_q$.

Theorem 5.1 implies that, given the component $c_i$, an adversary never has a chance of more than $1/q$ to get the covered share $s_i$, which is as difficult as directly guessing the secret when it is uniformly selected from the secret space $F_q$. The theorem shows that a share can be well protected by the component. In the following, we give Lemma 5.1, Lemma 5.2 and Corollary 5.1 as the basis to prove that a component has a uniform distribution over $F_q$, which in turn lays the groundwork for Theorems 5.2 and 5.3.

Lemma 5.1.
Suppose that random variable $x$ is uniformly distributed in $F_p$; for any value $t \in F_p^*$, $xt$ has a uniform distribution over $F_p$.

Proof: we immediately get the lemma from the property of the finite field $F_p$.

Lemma 5.2. Given prime $p$ and random variables $x_i$, $i = 1, 2, \ldots, k$, mutually independent and uniformly distributed in $F_p$, $\sum_{i=1}^{k} t_i x_i \bmod p$ has a uniform distribution over $F_p$ if not all values $t_i \in F_p$, $i = 1, 2, \ldots, k$, are zero.

Proof: Let us first consider the case of $k = 2$ and then generalize to the case of $k$ being any positive integer.

1) If one of $t_1$ and $t_2$ is zero, it is obvious that $(t_1 x_1 + t_2 x_2) \bmod p$ is uniformly distributed over $F_p$ from Lemma 5.1. If both $t_1$ and $t_2$ are nonzero, $t_1 x_1$ and $t_2 x_2$ are uniformly distributed over $F_p$ from Lemma 5.1. To prove that $(t_1 x_1 + t_2 x_2) \bmod p$ is uniformly distributed in $F_p$, we assume that $x_{1,0}$ and $x_{1,1}$ are any 2 different values of the variable $x_1$. In this case, $t_1 x_{1,0}$ and $t_1 x_{1,1}$ are obviously distinct in $F_p$ for $\gcd(t_1, p) = 1$. Thus, $(t_1 x_{1,0} + t_2 x_2) \bmod p$ and $(t_1 x_{1,1} + t_2 x_2) \bmod p$ are 2 distinct permutations of $\{0, 1, 2, \ldots, p-1\}$ when $x_2$ varies over $F_p$. More generally, $(t_1 x_{1,i} + t_2 x_2) \bmod p$ are distinct permutations of $\{0, 1, 2, \ldots, p-1\}$ for the different values $x_{1,i}$ ($i = 0, 1, 2, \ldots, p-1$) of $x_1$. That is, each value in $\{0, 1, 2, \ldots, p-1\}$ appears with the same frequency. Therefore, $t_1 x_1 + t_2 x_2$ is uniformly distributed in $F_p$.

2) Now that $(t_1 x_1 + t_2 x_2) \bmod p$ is uniformly distributed in $F_p$, by iterating the procedure in 1) we have that $\sum_{i=1}^{k} t_i x_i \bmod p$ has a uniform distribution over $F_p$.

Corollary 5.1. $(\sum_{i=1}^{k} a_i x_i + \sum_{j=1}^{l} b_j y_j) \bmod p$ has a uniform distribution over $F_p$ if the random variables $x_i$ and $y_j$ are uniformly distributed over $F_p$ and $F_q$ respectively for $i = 1, 2, \ldots, k$ and $j = 1, 2, \ldots, l$, where all variables are mutually independent, $p$ and $q$ are positive primes with $q \le p$, and the values $a_i, b_j \in F_p^*$, $k, l \in \mathbb{Z}$.

Proof: (omitted) the corollary can be proved by a method similar to that of Lemma 5.2.
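Lemma 5.2 and Corollary 5.1 can be checked exhaustively for tiny parameters. The following is an added example and not part of the paper: it enumerates every assignment of the $x_i$ over $F_p$ and the $y_j$ over $F_q$ and counts how often each residue of the sum occurs. The parameters ($p = 7$, $q = 5$) and the coefficients are constructed for illustration. The check also shows why the corollary needs a non-zero coefficient on at least one $F_p$ variable: the $F_q$ variables alone reach only $q$ of the $p$ residues.

```python
from collections import Counter
from itertools import product


def residue_counts(a, b, p, q):
    """Histogram of (sum_i a_i x_i + sum_j b_j y_j) mod p over every x in F_p^k and
    y in F_q^l. Brute force, so only feasible for the tiny constructed p and q used here."""
    counts = Counter()
    for xs in product(range(p), repeat=len(a)):
        for ys in product(range(q), repeat=len(b)):
            total = sum(ai * xi for ai, xi in zip(a, xs)) + sum(bj * yj for bj, yj in zip(b, ys))
            counts[total % p] += 1
    return counts


def is_uniform(a, b, p, q):
    """True iff every residue of F_p appears equally often in the histogram."""
    counts = residue_counts(a, b, p, q)
    return len(counts) == p and len(set(counts.values())) == 1


if __name__ == "__main__":
    # Corollary 5.1 with k = 2, l = 1 (assumed sample coefficients): uniform over F_7
    print(is_uniform([3, 5], [2], 7, 5))
    # Lemma 5.2 needs at least one non-zero t_i: with both a_i zero, the F_5 variable
    # alone reaches only 5 of the 7 residues, so the sum is not uniform over F_7
    print(is_uniform([0, 0], [2], 7, 5))
```

The first call confirms the corollary for $k = 2$, $l = 1$; the second is the degenerate case the lemma excludes, and it fails as expected.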
Theorem 5.2.
The proposed (t,m,n)-TCSS scheme is able to thwart IP attack. Concretely, an Outsider-1, even having collected $(m - 1)$ components, cannot forge a valid component to recover the secret.
Proof:
We first consider the normal case that $m$ ($m \ge t + 1$) participants, e.g. $U_m = \{U_1, U_2, \ldots, U_m\}$ for simplicity, form a tightly coupled group by constructing the corresponding components $\{c_1, c_2, \ldots, c_m\}$. That is, each participant $U_i \in U_m$ constructs the component $c_i = b_i s_i + r_i q = (b_i \vec{v}\vec{g}_i + r_i q) \bmod p$ with the share $s_i$. Thus, $(c_1, c_2, \ldots, c_m) = \vec{v}(b_1 \vec{g}_1, b_2 \vec{g}_2, \ldots, b_m \vec{g}_m) + (r_1 q, r_2 q, \ldots, r_m q) \bmod p$, where each $b_i$, $i = 1, 2, \ldots, m$, actually determined by the identities $U_j$, $j = 1, 2, \ldots, m$, is public while $\vec{v}$ is secret and $r_i$, $i = 1, 2, \ldots, m$, are private.

Suppose the Outsider-1 impersonates $U_m$ in $U_m$, i.e., it does not have $s_m$, the valid share of $U_m$, but can communicate with the others and thus receives the valid components $\{c_1, c_2, \ldots, c_{m-1}\}$.

In the following, we first show that, for an Outsider-1, $c_m$, the component of $U_m$, is indistinguishable from a random variable uniformly distributed in $F_p$. Then, we prove that the Outsider-1 forging a valid component is nearly as difficult as directly guessing the secret within the secret space. Finally, we show that the Outsider-1 cannot get the secret by forging multiple components.

1) First, we show that, in the view of the Outsider-1, each unknown share and the corresponding component are uniformly distributed over $F_p$. We have $s_i = \vec{v}\vec{g}_i$ with non-zero vector $\vec{v} = (v_0, \ldots, v_{t-1}) \in F_p^t$ and $\vec{g}_i = (1, U_i, U_i^2, \ldots, U_i^{t-1})^T \in F_p^t$, where each $v_i$ is an integer uniformly and privately selected by the dealer within $F_p$. From the view of the Outsider-1, each $v_i$ is indistinguishable from a random variable uniformly distributed over $F_p$; $\vec{g}_i$ is a nonzero column vector for $U_i \in F_p^*$, $1 \le i \le n$.

According to Lemma 5.2, each unknown share $s_i = \vec{v}\vec{g}_i \bmod p$ is uniformly distributed over $F_p$ for an Outsider. Obviously, the corresponding component $c_i = (b_i s_i + r_i q) \bmod p$ ($c_i \in C_m$) and $\sum_{i=1}^{m} c_i \bmod p$ are also uniformly distributed over $F_p$ according to Corollary 5.1. Note that, for the Outsider-1, $s_i$ and $r_i$ are uniformly distributed over $F_p$ and $F_q$ respectively, while $b_i$ and $q$ are fixed values.

2) In this case, the Outsider-1 is allowed to forge any value of $c_m$, say $c'_m$. Assume $F(\cdot)$ is some function which takes $C'_m = \{c_1, c_2, \ldots, c_{m-1}, c'_m\}$ or any subset of $C'_m$ as input and produces a presumed secret, e.g., $s' = F(C'_m)$, as output. In practice, $F(\cdot)$ denotes any method taken by the Outsider-1 to derive a presumed secret $s'$ from the available information, i.e., $C'_m$ or any of its subsets. Without loss of generality, suppose that the Outsider-1 derives a value $s' = F(C'_m)$ in some way; if $s'$ happens to equal the secret $s$, the Outsider-1 succeeds. Now let us examine the probability of success, $P(s' = s)$:

$$s' = s = \Big(\big(\sum_{i=1}^{m-1} c_i + c_m\big) \bmod p\Big) \bmod q \;\rightarrow\; s' = \big(\sum_{i=1}^{m-1} c_i + c'_m\big) \bmod p + \lambda q,\ \lambda \in \mathbb{Z} \;\rightarrow\; s' - \big(\sum_{i=1}^{m-1} c_i + c'_m\big) \bmod p = \lambda q,\ \lambda \in \mathbb{Z} \qquad (5\text{-}1)$$

The left side of (5-1) is uniformly distributed over $F_p$ by step 1). Consequently, there are at most $\lfloor p/q \rfloor + 1$ possible values of $\lambda$ satisfying equation (5-1), and thus $P(s' = s)$, the probability for an Outsider-1 to impersonate a legal shareholder, is not larger than $(\lfloor p/q \rfloor + 1)/p$. Due to $\lim_{q \to +\infty} (\lfloor p/q \rfloor + 1)/p = 1/q$, the Outsider-1 successfully forging a component is nearly as difficult as directly guessing the secret within $F_q$.

3) Step 2) shows that every time the Outsider-1 forges a component $c'_m$, it only has a probability of nearly $1/q$ to obtain the secret. Moreover, forging one component does not increase the probability of success for forging another component, since the unknown component $c_m$ is uniformly distributed over $F_p$ for the Outsider-1. Consequently, the Outsider-1 theoretically has a probability of more than $1/2$ to obtain the secret only when it forges more than $q/2$ components. Since $q$ is a large integer, forging $q/2$ components is impractical.

Theorem 5.3.
Our (t,m,n)-TCSS scheme is able to prevent HTCC attack. Concretely, if $C_m$ is the component set of a tightly coupled group with $m$ ($m \ge t$) legal participants, an Outsider-2, having cracked fewer than $\lceil m/2 \rceil$ private channels, obtains nearly no information about the secret, i.e. $\lim_{q \to +\infty} I(s; C_J) = 0$ for $C_J \subset C_m$.

Proof: For simplicity, suppose $m$ ($m \ge t$) legal participants $\{U_1, U_2, \ldots, U_m\}$ form the tightly coupled group by constructing the component set $C_m = \{c_1, c_2, \ldots, c_m\}$ accordingly. If an Outsider-2 cracks fewer than $\lceil m/2 \rceil$ private channels, it intercepts at most $m - 1$ components $C_J = \{c_1, c_2, \ldots, c_i, \ldots, c_j\}$ with $c_i = (b_i s_i + r_i q) \bmod p$, $r_i \in_U F_q$, $j < m$. To prove the theorem, we first identify the upper bound of $P(s \mid C_J)$, the probability of the secret $s$ given $C_J$. Then we complete the proof of $\lim_{q \to +\infty} I(s; C_J) = 0$. Finally, we show that mounting multiple HTCC attacks is impractical. In the proof of Theorem 5.2, we already showed that, for an adversary, e.g., an Outsider-2, each unknown share and the corresponding component are uniformly distributed over $F_p$.

1) Now let us examine the probability for the Outsider-2 to recover the secret $s$ from $C_J$, i.e., $P(s \mid C_J)$. The Outsider-2 derives a presumed secret $s' = F(C_J)$, where $F(\cdot)$ is a function similar to that in the proof of Theorem 5.2, which takes $C_J$ or its subset as input and produces a presumed value $s'$ as output. Successfully recovering the secret from $C_J$ means $s' = s = (\sum_{i=1}^{m} c_i \bmod p) \bmod q$, namely,

$$\Big(\sum_{i=1}^{m} c_i \bmod p - s'\Big) \bmod p = \lambda q,\ \lambda \in F_p. \qquad (5\text{-}2)$$

The left side of (5-2) is uniformly distributed over $F_p$ according to Lemma 5.2. Consequently, there are at most $\lfloor p/q \rfloor + 1$ valid values of $\lambda$ satisfying (5-2). As a result, $P(s \mid C_J)$ is no larger than $(\lfloor p/q \rfloor + 1)/p$.

2) Note that the secret $s$ is uniformly selected from $F_q$ in the view of the Outsider-2, i.e., the probability $P(s) = 1/q$. As a result, for any small value $\varepsilon$, the mutual information of $s$ with $C_J$ is

$$I(s; C_J) = H(s) - H(s \mid C_J) \le \log q - \log \frac{p}{\lfloor p/q \rfloor + 1} = \log \frac{q(\lfloor p/q \rfloor + 1)}{p} < \log \frac{p + q}{p} = \log \frac{p/q + 1}{p/q} < \varepsilon.$$

Thus, $\lim_{p/q \to +\infty} I(s; C_J) = 0$, i.e., $\lim_{q \to +\infty} I(s; C_J) = 0$ due to $p/q > nq$.

3) Similar to the case in Theorem 5.2, the Outsider-2 may obtain different $C_J$ or subsets of $C_J$ by cracking different groups of private channels, and derive a distinct value of $s'$. Every time it derives a value of $s'$, the probability of success is always the same for $|C_J| < m - 1$. Therefore, it is impractical for the Outsider-2 to figure out the secret by mounting multiple HTCC attacks.
Remark 5.1.
Theorem 5.3 implies that an adversary, even with $m - 1$ components, cannot obtain the secret; it has to crack at least $\lceil m/2 \rceil$ private channels to intercept all $m$ components $C_m = \{c_1, c_2, \ldots, c_m\}$. Therefore, (t,m,n)-TCSS can thwart HTCC attack and is more robust than traditional (t,n)-SSs in defeating private channel cracking attacks. Insiders, who have valid shares, may conspire and try to reconstruct the secret directly with their shares. The following theorem ensures that the proposed scheme is still secure even if $t - 1$ Insiders conspire.

Theorem 5.4.
In the proposed (t,m,n)-TCSS, fewer than $t$ Insiders cannot obtain the secret. That is, fewer than $t$ Insiders obtain nearly no information about the secret $s$, i.e. $\lim_{q \to +\infty} I(s; S') = 0$, where $S'$ denotes a set of fewer than $t$ shares available to Insiders.

Proof: For simplicity, assume that $U_{t-1} = \{U_1, U_2, \ldots, U_{t-1}\}$ are the $(t - 1)$ Insiders with the share set $S_{t-1} = \{s_1, s_2, \ldots, s_{t-1}\}$, $s_t = \vec{v}\vec{g}_t \bmod p$ is the unknown share for $U_{t-1}$, and the secret is $s = (\sum_{i=1}^{t} b_i s_i \bmod p) \bmod q$, where $b_i \in F_p$, $i = 1, 2, \ldots, t$, can be publicly determined from the generator matrix. Obviously, from the view of $U_{t-1}$, $\sum_{i=1}^{t} b_i s_i \bmod p$ is indistinguishable from a random variable uniformly distributed over $F_p$. The same as in Theorems 5.2 and 5.3, we assume $F(\cdot)$ is any function which takes $S_{t-1}$ or its subset as input and produces a presumed secret $s'$ as output. Suppose that $U_{t-1}$ derives a presumed secret $s' = F(S_{t-1})$ from $S_{t-1}$. Similarly, let us examine the probability $P(s \mid S_{t-1})$, i.e., $P(s' = s)$:

$$s' = s \;\rightarrow\; s' = \Big(\sum_{i=1}^{t} b_i s_i \bmod p\Big) \bmod q \;\rightarrow\; \sum_{i=1}^{t} b_i s_i \bmod p - s' = \lambda q \qquad (5\text{-}4)$$

The left side of (5-4) is uniformly distributed over $F_p$ for $U_{t-1}$ since the unknown $s_t$ has a uniform distribution over $F_p$. Similarly, for any fewer than $t$ Insiders with the corresponding share set $S'$, the property of uniform distribution over $F_p$ still holds. Consequently, similar to the case in Theorem 5.3, there are at most $\lfloor p/q \rfloor + 1$ values of $\lambda$ satisfying (5-4) in $F_p$, i.e., fewer than $t$ Insiders obtain the secret with probability at most $(\lfloor p/q \rfloor + 1)/p$, namely, $P(s \mid S') = (\lfloor p/q \rfloor + 1)/p$. As a result, $I(s; S') = H(s) - H(s \mid S') \le \log q - \log(p/(\lfloor p/q \rfloor + 1))$ and thus $\lim_{q \to +\infty} I(s; S') = 0$.

Remark 5.2. Theorems 5.2-5.4 show that (t,m,n)-TCSS is asymptotically perfect against both Insiders and Outsiders.
6. Comparisons of (t,m,n)-TCSS
The proposed scheme improves the security of traditional (t,n)-SS basedon components. As far as we know, Harn’s SSR scheme [13] is the most sim-ilar to (t,m,n)-TCSS. So we compare our scheme with Harn’s SSR and someother traditional (t,n)-SSs. Moreover, since Shuffling schemes and thresholdchangeable SSs have potential in preventing IP and HTCC attacks simulta-neously, we also make comparisons between them and (t,m,n)-TCSS.
In traditional (t,n)-SSs, a participant can reconstruct the secret as long as it obtains $t$ or more than $t$ shares. Consequently, a participant, even without a valid share, may obtain the secret after collecting $t$ shares from enough participants. For the same reason, in $(t,n)$-threshold changeable SS schemes, if the threshold is changed to $t' > t$ and there are more than $t'$ participants in secret reconstruction, an illegal participant is still able to obtain the secret. Similarly, in Harn's $(t,n)$-SSR, if there are over $(t + k - 1)$ participants ($k$ is the number of polynomials), an illegal participant, without a valid share, may obtain the secret or forge a valid Lagrange component successfully without being detected [4]. Therefore, the above 3 types of SSs are vulnerable to IP attack in general cases. The reason is that the participants in these schemes are not tightly coupled; i.e., not all participants are required to actually contribute to secret reconstruction; in other words, even if some participant does not release a valid share or Lagrange component, the secret can still be recovered by some participant. However, if $m$ ($t \le m \le n$) participants want to recover the secret in our scheme, they first form a tightly coupled group by constructing a component each. As a result, the secret can be recovered only if all $m$ participants in the group have valid shares and actually contribute to secret reconstruction. Therefore, our scheme is tightly coupled.

The security of our scheme does not depend on any computational assumption, i.e., our scheme is independent of one-way functions or conventional hard problems, such as the Discrete Logarithm Problem, Factorization and so on.

Traditional (t,n)-SSs, such as Shamir's SS [1], Asmuth-Bloom's SS [23], Mignotte's SS [21] and linear code based (t,n)-SSs [26], are vulnerable to both HTCC and IP attacks.
As mentioned above, Harn's SSR [13] is actually vulnerable to IP attack when the number of participants is large enough to make all participants' Lagrange components linearly dependent [4] (see Table 1). Most (t,n)-threshold changeable SS schemes are also vulnerable to IP attack in the case that the number of participants is larger than the changed threshold $t'$. In comparison, our (t,m,n)-TCSS is capable of preventing both HTCC and IP attacks without such limitations.

Obviously, threshold changeable SSs can prevent IP and HTCC attacks only when the current threshold $t'$ is equal to $m$, the number of participants. Therefore, we set their changed threshold in Table 2 to be $m$ to guarantee the capability of preventing both attacks. Table 2 shows that, in preventing HTCC attack, the related threshold changeable SSs [5][9][10][6], the complete shuffling scheme [15] and our scheme can force an Outsider-2 to crack at least $\lceil m/2 \rceil$ private channels before obtaining the secret. But for the partial shuffling scheme [14], the lower bound on cracked private channels is only $t$, which is irrelevant to $m$, the number of participants, and thus is not as desirable as our scheme.

Each shareholder in Harn's SSR has $k \ge$ … $m$ participants in the complete shuffling scheme [15] need to send $m(m - $ … $)$ extra messages before exchanging shares in secret reconstruction. Similarly, $m$ participants in the partial shuffling scheme [14] need to exchange $m$ extra messages. In comparison, our proposed scheme needs no additional message exchange before participants release their components. Therefore, our scheme is as efficient as traditional (t,n)-SSs in communication.

In computation, each participant needs to generate a component and then recover the secret from all components. To construct a component, each participant, e.g., $U_i$, just needs to pick a random integer $r_i$ independently and evaluate the component $c_i = (b_i s_i + r_i q) \bmod p$ without interaction. To recover the secret, a participant just needs to add up all components. In total, our scheme needs about $2m$ additive and $2m$ multiplicative operations modulo $p$ per participant during secret reconstruction, which makes it the most efficient scheme (see Table 1 and Table 2).

The information rate is the size ratio of the secret to a share, which denotes the efficiency of a shareholder in sharing a secret. In Shamir's (t,n)-SS and the linear code based (t,n)-SS, the information rate is 1 because the secret and the shares are from the same range. But the information rate of Asmuth-Bloom's scheme is less than 1 because each share has a bigger value domain than the secret. The information rate of our proposed scheme is $\log q / \log p$, which can be confined between $1/3$ and $1/2$ by choosing $p$ and $q$ with $q^3 > p > nq^2$, since $q$ is much larger than $n$. The information rate of our scheme is lower than that of Shamir's SS, which is just the cost our scheme pays for the above extra security. However, the information rate of Harn's SSR scheme [13] is $1/k$, because each participant holds $k$ shares and each share has the same range as the secret. Harn's SSR scheme has a lower information rate than our scheme for $k > 3$. Although the information rate of Harn's SSR scheme is $1/2$ when $k = 2$, which is higher than ours, the restricted condition $kt > n - 1$, i.e., $2t > n - 1$, requires more than half of the $n$ shareholders to participate in secret reconstruction; thus, it is impractical in the case with a large number of shareholders. For Harn's dynamic threshold SS [5], the information rate is $1/t$ since each shareholder uses a polynomial of degree $t - 1$ over $GF(p)$ as its share and the secret is a value over $GF(p)$.

To sum up, in security, the proposed (t,m,n)-TCSS is tightly coupled and capable of preventing IP and HTCC attacks without special limitations. Therefore, it is more secure when compared with related schemes. In storage, each participant in our scheme just needs to keep a single share, and thus our scheme is efficient in storage and has a relatively high information rate. In communication, our scheme is the same as Shamir's $(t,n)$-SS; both are the most efficient. In computation, our scheme is also the most efficient, especially in secret reconstruction.

Table 1: Comparisons in communication, computation and security

| Schemes | SG (for 1 shareholder): messages | + mod p | × mod p | CC+SR (for 1 participant): messages | + mod p | × mod p | Anti-IP | Anti-HTCC | Info. Rate |
| Shamir's (t,n)-SS [1] | 1 | t | t | m | m | m | no | no | 1 |
| Blakley's (t,n)-SS [22] | 1 | t | t | m | O(m^3)* | O(m^3)* | no | no | t/(t+1) |
| Harn's SS [13] (k polynomials) | 1 | kt | kt | m | km | km | no | yes | 1/k |
| Basic (t,n)-LCSS [26] | 1 | t | t | m | m | m | no | no | 1 |
| Our scheme | 1 | t | t | m | m | m | yes | yes | (1/3, 1/2) |

t: threshold; n: total number of shareholders; m: number of participants. SG: Share Generation; CC: Component Construction; SR: Secret Reconstruction. * O(m^3) is the complexity of Gaussian elimination for each participant to recover the secret.

Table 2: Comparisons in communication, computation and security of (t,n)-threshold changeable schemes

Columns: shares (for 1 shareholder); SG (for 1 shareholder): messages, +, ×; CC+SR (for 1 participant): messages, +, ×; Extra-Msgs; Anti-IP; LCC; Info. Rate.

Steinfeld et al [10] 1 1 t t m O((m + t)^e)* 0 yes ⌈m/2⌉ t t > m O(mt) O(mt) > m yes ⌈m/2⌉ m − t + 1 1 mt mt m m m m yes ⌈m/2⌉ m − t + 1 Harn et al [5] t t t m m + 2t m + 2t ⌈m/2⌉ t Complete shuffling [15] 1 1 t t m m m m yes ⌈m/2⌉ t t m m m m yes t t t t m m m ⌈m/2⌉ (1/3, 1/2)

SG: Share Generation; CC: Component Construction; SR: Secret Reconstruction; t: original threshold; m: the number of participants and the raised threshold value; LCC: the least number of private channels to crack before an Outsider-2 obtains the secret; Extra-Msgs: the total number of additional message exchanges before m participants release their shares or components to recover the secret. * O((m + t)^e): the complexity of solving the CVP in a lattice, e is some fixed exponent. Note: 1) all schemes are under the communication model that each pair of shareholders/participants has a private channel; 2) all threshold changeable SSs raise their thresholds from t to m (m > t).

7. Application to Group Authentication

To facilitate authentication in group oriented applications such as group chat in WeChat, Harn proposed the notion of Group Authentication [20], which allows each group user to check whether all users belong to the same group at once. Concretely, $(t,m,n)$-Group Authentication can be formulated as follows. The group manager $GM$ computes tokens $s_i$, $i = 1, 2, \ldots, n$, from a selected secret $s$, allocates each token $s_i$ to group member $U_i \in U$ securely and makes $H(s)$ publicly known, where $H(\cdot)$ is a one-way hash function. In $(t,m,n)$-Group Authentication, there are $m$ users $P_i$, $i = 1, 2, \ldots, m$; each user $P_i$ computes a component $c_i$ from its token and releases $c_i$ to the others. $(t,m,n)$-Group Authentication allows each user to verify whether all released values are valid at once. That is,

$$GA\{H(s) \overset{?}{=} H(F(c_1, c_2, \ldots, c_m))\} = \begin{cases} 0 & \rightarrow \exists P_i \notin U,\ i = 1, 2, \ldots, n; \\ 1 & \rightarrow \forall P_i \in U,\ i = 1, 2, \ldots, n, \end{cases}$$

where $GA$ is the group authentication algorithm and $F$ is a public function. Harn also presented an asynchronous $(t,m,n)$-group authentication scheme [20] based on the aforementioned SSR [13]. Due to the disadvantages of SSR, Harn's (t,m,n)-group authentication is inflexible because of the restriction $kt > n - 1$. In this section, we present a group authentication scheme based on $(t,m,n)$-TCSS, which allows each group user to independently check whether all users belong to the same group at once.
Obviously, (t, m, n)-TCSS is tightly coupled. That is, to recover the secret, each of the m participants necessarily has to hold a valid share. In this case, if each group member is allocated a share as the token in advance and all users (group members or non-members) collectively run the secret reconstruction in (t, m, n)-TCSS, the secret can be recovered only if every user holds a valid token. That is, recovering the secret successfully means all users are legal group members. In this way, any user is able to authenticate whether all users are legal members at once, instead of one by one.
Entities:
The Group Manager: GM;
Complete set of n group members: $U = \{U_i \mid U_i \in F_p^*, i \in I_n\}$, $I_n = \{1, \ldots, n\}$; $U_i$ is the public identity of each group member.

Parameters:
Public primes: $p, q$ with $p > nq$;
Linear code: $LC$ with length $n + 1$ and dimension $t$;
Public generator matrix of $LC$: $G_{t \times (n+1)} = (\vec{g}_0, \vec{g}_1, \ldots, \vec{g}_n)$ with rank $t$, column vector $\vec{g}_i \in F_p^t$, $i = 0, \ldots, n$;
Private row vector: $\vec{v} = (v_0, \ldots, v_{t-1}) \in F_p^t$;
Secret: $s = \vec{v}\vec{g}_0 \bmod p$, $s \in F_q$;
One way hash function: $H(\cdot)$;

Algorithms:
1) Token Generation
GM designates $\vec{v}$, $s$ and $G_{t \times (n+1)}$, allocates $s_i = \vec{v}\vec{g}_i$ to $U_i$, $i = 1, \ldots, n$, as the token securely, and makes $H(s)$ and $G_{t \times (n+1)}$ public while keeping $\vec{v}$ and $s$ secret.

2) Group Authentication
(1) To authenticate any m users $P_m = \{P_i \mid i \in I_m \subseteq I_n, |I_m| = m \ge t\}$ at once, each user $P_i \in P_m$ determines the public coefficients $\{b_i \mid b_i \in F_p^*, i \in I_m\}$ independently such that $\vec{g}_0 = \sum_{i \in I_m} b_i \vec{g}_i \bmod p$, and then picks a random number $r_i \in_U F_q$ privately to compute a component as $c_i = (b_i s_i + r_i q) \bmod p$.
(2) Each user $P_i \in P_m$ releases the component $c_i$ to the other users through private channels. After collecting all components, each user computes $s'$ as $s' = (\sum_{j \in I_m} c_j \bmod p) \bmod q$. If $H(s') = H(s)$, all users in $P_m$ have been authenticated successfully, i.e., all users in $P_m$ belong to $U$; otherwise there is at least one non-member of $U$.

Fig. 4: Group Authentication based on (t,m,n)-TCSS

In Figure 4, we present a new (t,m,n)-Group Authentication scheme based on the proposed (t,m,n)-TCSS. It consists of 2 algorithms, Token Generation and Group Authentication.
Based on (t,m,n)-TCSS, the group authentication scheme can be easily converted into an authenticated group key agreement scheme by modifying step (2) in 2) as follows.
(2') Each user $P_i \in P_m$ releases the component to the other users through private channels. On collecting all components, each user computes $s' = (\sum_{j \in I_m} c_j \bmod p) \bmod q$. If $H(s') = H(s)$, all users in $P_m$ belong to $U$ and the group key is $k = \sum_{j \in I_m} c_j \bmod p$. Otherwise, there exists at least one non-member of $U$ and the group key agreement is aborted.

In the proposed group authentication, a user can recover the secret and thus authenticate all users at once if each user is a group member and releases a valid component. Otherwise, if a user (i.e., a non-member) does not have a valid token, it cannot construct a valid component. Consequently, the secret cannot be recovered correctly and the non-member fails to pass the group authentication.
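As an added worked example (not the paper's own code), the following Python simulates the Fig. 4 scheme and the key agreement variant (2') end to end for constructed toy parameters. It assumes the linear code is the Vandermonde (Reed-Solomon) code, so that the public coefficients $b_i$ are the Lagrange weights at 0 over the participants' identities, uses SHA-256 as $H(\cdot)$, and picks $p$ large enough that the additive noise $q\sum r_i$ never wraps modulo $p$.

```python
import hashlib
import random

# Constructed toy parameters (not from the paper): threshold t, n members, prime q for the
# secret space, prime p > n*q. p is also large enough that s + q*sum(r_i) < p for any
# m <= n participants, which the reconstruction (sum c_j mod p) mod q relies on.
T, N, Q, P = 2, 4, 5, 89

def H(s):
    """Public one-way hash H(.); SHA-256 is an assumption of this example."""
    return hashlib.sha256(str(s).encode()).hexdigest()

def token_generation(v, n=N, p=P):
    """GM: s_i = v . g_i mod p for U_i, i = 1..n. Assumption: the linear code is the
    Vandermonde code g_i = (1, i, ..., i^(t-1)), so g_0 = (1, 0, ..., 0) and the
    secret s = v . g_0 = v[0], which GM picks in F_q."""
    return {i: sum(v[k] * pow(i, k, p) for k in range(len(v))) % p for i in range(1, n + 1)}

def public_coeffs(I_m, p=P):
    """b_i with g_0 = sum b_i g_i mod p, computed identically by every participant:
    Lagrange weights at x = 0 over the participant identities in I_m (all nonzero)."""
    b = {}
    for i in I_m:
        num = den = 1
        for j in I_m:
            if j != i:
                num, den = num * j % p, den * (j - i) % p
        b[i] = num * pow(den, -1, p) % p
    return b

def component(b_i, token, r_i, q=Q, p=P):
    """Step (1): c_i = (b_i * s_i + r_i * q) mod p with private noise r_i in F_q."""
    return (b_i * token + r_i * q) % p

def group_authentication(held_tokens, I_m, noise=None, q=Q, p=P):
    """Steps (2)/(2'): each P_i releases c_i; every user then computes s' and the group
    key k. held_tokens[i] is whatever P_i actually holds (an outsider has no valid token).
    Returns (s', k); authentication succeeds iff H(s') == H(s)."""
    assert len(I_m) >= T, "need m >= t participants"
    b = public_coeffs(I_m, p)
    noise = noise if noise is not None else {i: random.randrange(q) for i in I_m}
    k = sum(component(b[i], held_tokens[i], noise[i], q, p) for i in I_m) % p
    return k % q, k

if __name__ == "__main__":
    tokens = token_generation((3, 29))           # constructed v; the secret is s = 3
    s1, key = group_authentication(tokens, [1, 2, 3])
    print("all members:", H(s1) == H(3), "group key", key)
    s2, _ = group_authentication({**tokens, 3: 10}, [1, 2, 3])  # P_3 holds a bogus token
    print("with a non-member:", H(s2) == H(3))
```

The second run shows the failure mode the text describes: with one bogus token the recovered $s'$ no longer hashes to $H(s)$, so the whole group is rejected, but nothing in the output says which participant was the non-member.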
Theorem 7.1. In the proposed Group Authentication scheme, a non-member, even with $m -$

Proof: If a non-member, with $m -$ $m -$

Theorem 7.2. In the proposed Group Authentication scheme, $t -$

Proof:
The theorem can be immediately obtained from Theorem 5.4.

(1) Efficiency
Obviously, the communication overhead is limited because each user merely needs to release a component to the others. This can be efficiently accomplished by broadcasting the component if all users share a private broadcasting channel. In authentication, each user only needs to compute a component from the token locally and release it to the other users, and then add its own component and the $m -$ $m$ participants of traditional (t,n)-SSs, each participant usually receives $m -$ $O(m)$ additive/multiplicative operations to recover the secret independently. In comparison, although our group authentication scheme is based on (t, m, n)-TCSS, which further comes from traditional (t, n)-SS, it requires only about $O(m)$ additive/multiplicative operations for each user. Besides, the proposed group authentication scheme does not depend on any public key system and thus is more efficient in computation compared with TCGA [2]. Moreover, distinct from conventional authentication schemes which authenticate a single user each time, our group authentication scheme authenticates all users at once.

(2) Flexibility
As a matter of fact, a group authentication scheme can be constructed simply based on traditional (t, n)-SS if all users (i.e., participants in (t, n)-SS) release their tokens (i.e., shares) at the same time. In this case, a non-member will be detected since it releases a wrong token. In contrast, the proposed group authentication works for m ($t \le m \le n$) users and does not require all users to release components simultaneously. Moreover, the authentication scheme allows each user to hold only one token and does not have limitations such as $kt > n -$ $t' = m$ in threshold changeable SS based group authentication schemes. Therefore, the proposed group authentication scheme is more flexible compared with related schemes.

Remark 7.2. Of course, the proposed group authentication scheme can only verify whether all users are group members, but cannot identify a non-member if it exists. However, the scheme can be used to pre-authenticate all users efficiently, and conventional authentication schemes can be applied if there is a non-member.

8. Discussions
Section 3 actually presents a generic method of constructing (t,m,n)-TCSS based on traditional (t,n)-SSs [1][22][23][21][24][26], which endows a (t, n)-SS with new security features. The paper constructs the (t,m,n)-TCSS from a linear code based (t,n)-SS [26]. Similarly, we can also design (t,m,n)-TCSSs from Shamir's (t,n)-SS [1] or Blakley's (t,n)-SS [22] in the same way, because they are all the same in nature. Even for CRT based (t,n)-SSs [23][21], distinct from the above 3 traditional (t,n)-SSs in type, we can still construct the corresponding (t,m,n)-TCSSs by adjusting the secret space and adding a proper random noise in component construction.

In essence, (t, m, n)-TCSS dynamically changes the threshold from t to m when m participants recover the secret. That is, our (t, m, n)-TCSS presents a simple way to change the threshold to m during secret reconstruction. Moreover, the constructed scheme is asymptotically perfect, unconditionally secure and dealer-free after share generation. Compared with related threshold changeable SSs, the scheme is more efficient in storage, computation and communication.
9. Conclusion
Nowadays, group oriented applications are getting more and more popular and require more secure and efficient (t,n)-SS to satisfy their security requirements. The paper first identifies IP and HTCC attacks against (t,n)-SS and then presents the notion and generic framework of (t,m,n)-TCSS to cope with them. Most traditional (t,n)-SSs can be conveniently converted into (t,m,n)-TCSSs by following the framework and thus be endowed with the new capability of thwarting IP and HTCC attacks. Moreover, the framework can also be used to construct threshold changeable SSs easily from traditional (t, n)-SS. As a matter of fact, a (t,m,n)-TCSS scheme built by the framework can be applied to any scenario of traditional (t,n)-SS.

As an implementation of the framework, a concrete (t,m,n)-TCSS scheme is constructed from the linear code based (t,n)-SS. The (t,m,n)-TCSS scheme is capable of preventing IP, HTCC as well as (t − 1) Insiders conspiring attacks. Moreover, the (t,m,n)-TCSS is independent of hard problems or one way functions. Compared with Harn's SSR scheme, it is also more secure, more efficient in computation and higher in information rate for k > 2. In contrast with threshold changeable SSs and Shuffling schemes, it is more efficient in storage, communication and computation.

To complete rapid m-to-m authentication in group oriented applications, a group authentication scheme is proposed from (t,m,n)-TCSS. It allows each user in a group to check whether all users are legal group members at once. Compared with related schemes, the proposed authentication scheme is more flexible and efficient.