Secret Sharing Schemes
Hariharan Shankar Rahul (CS 93118)
under the guidance of Prof. C. Pandu Rangan
March 20, 1997


1 Introduction

1.1 The Need for Secret Sharing

1. A bank has a vault to be opened daily. The bank has three senior tellers, but cannot give the combination to any individual teller. We need a system whereby any two of the three tellers can open the vault, but no individual teller can.

2. Control of nuclear weapons in Russia involves a similar "two-out-of-three" access mechanism involving the President, the Defence Minister and the Defence Ministry.

Both these situations call for some scheme for secret sharing of a key among certain participants.

1.2 Overview

In Section 2, we discuss a simple scheme to achieve secret sharing proposed by Shamir. Section 3 introduces the concept of perfect secret sharing and related notions, and formalizes these ideas. Section 4 discusses a mechanism to evaluate the efficiency of a secret sharing scheme, known as the information rate. Section 5 then gives constructive mechanisms to realize arbitrary perfect secret sharing schemes. Section 6 discusses a detailed example illustrating the use of the construction mechanisms explained in Section 5, and also discusses upper bounds achievable for certain perfect secret sharing schemes. Sections 7 and 8 discuss key-sharing methods based on matrices and identities respectively. Section 9 then summarizes the results of the report.

2 Threshold Scheme

Definition 1. Let $t, w$ be positive integers, $t \le w$. A $(t, w)$-threshold scheme is a method of sharing a key $K$ among a set of $w$ participants (denoted by $\mathcal{P}$), in such a way that any $t$ participants can compute the value of $K$, but no group of $t-1$ participants can do so.

The two scenarios described in Section 1 are $(2, 3)$-threshold schemes.

The value of $K$ is chosen by a special participant called the dealer, denoted by $D$. We assume $D \notin \mathcal{P}$. When $D$ wants to share the key $K$ among the participants in $\mathcal{P}$, he gives each participant some partial information known as a share. At a later time, a subset of participants $B \subseteq \mathcal{P}$ will pool their shares in an attempt to compute $K$. If $|B| \ge t$, then they should be able to compute $K$ from the shares they collectively hold; if $|B| < t$, then they should not.

We denote
  $\mathcal{P} = \{P_i : 1 \le i \le w\}$ : the set of $w$ participants,
  $\mathcal{K}$ : the key set,
  $\mathcal{S}$ : the share set.

2.1 Shamir Threshold Scheme

In the Shamir threshold scheme (1979), $\mathcal{K} = \mathbb{Z}_p$ where $p \ge w+1$ is prime. Let $\mathcal{S} = \mathbb{Z}_p$. Then the key as well as the share of each participant is an element of $\mathbb{Z}_p$. The Shamir threshold scheme is presented below.

Initialization Phase
1. $D$ chooses $w$ distinct, non-zero elements of $\mathbb{Z}_p$, denoted $x_i$, $1 \le i \le w$. For $1 \le i \le w$, $D$ gives the value $x_i$ to $P_i$. The values $x_i$ are public.

Share Distribution
2. Suppose $D$ wants to share a key $K \in \mathbb{Z}_p$. $D$ secretly chooses (independently at random) $t-1$ elements of $\mathbb{Z}_p$, $a_1, \ldots, a_{t-1}$.
3. For $1 \le i \le w$, $D$ computes $y_i = a(x_i)$, where $a(x) = K + \sum_{j=1}^{t-1} a_j x^j \bmod p$.
4. For $1 \le i \le w$, $D$ gives the share $y_i$ to $P_i$.

2.1.1 Key Reconstruction by a Subset $B$ of $t$ Participants

Method 1: Participants $P_{i_1}, \ldots, P_{i_t}$ want to determine $K$. They know that $y_{i_j} = a(x_{i_j})$, $1 \le j \le t$, where $a(x) \in \mathbb{Z}_p[x]$ is the secret polynomial of degree at most $t-1$ chosen by $D$; i.e. $a(x) = \sum_{i=0}^{t-1} a_i x^i$, $a_i \in \mathbb{Z}_p$ for $0 \le i \le t-1$, and $a_0 = K$ is the key. $B$ obtains $t$ linear equations in $t$ unknowns. If the equations are linearly independent (as is proved in the following theorem), there will be a unique solution, and $a_0$ will be revealed as the key.

Theorem 1. The system of $t$ linear equations always has a unique solution.

Proof: In general, we have $y_{i_j} = a(x_{i_j})$, $1 \le j \le t$. The system of linear equations (in $\mathbb{Z}_p$) is the following:

  $a_0 + a_1 x_{i_1} + a_2 x_{i_1}^2 + \cdots + a_{t-1} x_{i_1}^{t-1} = y_{i_1}$
  $a_0 + a_1 x_{i_2} + a_2 x_{i_2}^2 + \cdots + a_{t-1} x_{i_2}^{t-1} = y_{i_2}$
  $\vdots$
  $a_0 + a_1 x_{i_t} + a_2 x_{i_t}^2 + \cdots + a_{t-1} x_{i_t}^{t-1} = y_{i_t}$

This can be written in the matrix form $AX = B$, where the coefficient matrix $A$ is a Vandermonde matrix. There is a well-known formula for the determinant of a Vandermonde matrix, namely

  $\det A = \prod_{1 \le j < k \le t} (x_{i_k} - x_{i_j}) \bmod p$.

Since the $x_i$'s are distinct, no term $x_{i_k} - x_{i_j}$ is zero. Since the product is computed in $\mathbb{Z}_p$ (which is a field since $p$ is prime) and the product of non-zero terms in a field is non-zero, $\det A \ne 0$ and the system has a unique solution over $\mathbb{Z}_p$.

If a group of $t-1$ participants attempts to compute $K$, they will obtain a system of $t-1$ equations in $t$ unknowns. If they hypothesize a value $y_0$ for the key and add the equation $a(0) = y_0$, the coefficient matrix is again a Vandermonde matrix ($0$ is distinct from the non-zero $x_{i_j}$), so by the previous argument there is exactly one polynomial consistent with every hypothesized value of the key. The $t-1$ shares therefore give no information about $K$.

Method 2: This uses Lagrange polynomial interpolation. Since it is sufficient for the participants to compute the constant term, we have the result

  $K = a(0) = \sum_{j=1}^{t} y_{i_j} b_j$, where $b_j = \prod_{1 \le k \le t,\, k \ne j} \dfrac{x_{i_k}}{x_{i_k} - x_{i_j}}$ (computed in $\mathbb{Z}_p$).

Note: The values $b_j$ depend only on the public $x$-coordinates, so they can be precomputed.

Example 1. Suppose $p = 17$, $t = 3$ and $w = 5$. The public $x$-coordinates are $x_i = i$, $1 \le i \le 5$. Suppose $B = \{P_1, P_3, P_5\}$ pool their shares, which are $8$, $10$ and $11$ respectively.

By Method 1, writing $a(x) = a_0 + a_1 x + a_2 x^2$ and computing $a(1)$, $a(3)$ and $a(5)$, the following equations in $\mathbb{Z}_{17}$ are obtained:

  $a_0 + a_1 + a_2 = 8$
  $a_0 + 3a_1 + 9a_2 = 10$
  $a_0 + 5a_1 + 8a_2 = 11$

(the last coefficient is $5^2 = 25 \equiv 8 \pmod{17}$). The system has the solution $a_0 = 13$, $a_1 = 10$ and $a_2 = 2$ in $\mathbb{Z}_{17}$. The key is therefore $K = a_0 = 13$.

By Method 2, the participants compute $b_1$, $b_2$ and $b_3$:

  $b_1 = \dfrac{x_3 x_5}{(x_1 - x_3)(x_1 - x_5)} \bmod 17 = 3 \cdot 5 \cdot (-2)^{-1} \cdot (-4)^{-1} \bmod 17 = 4$.

Similarly $b_2 = 3$ and $b_3 = 11$. Then $K = (8 \cdot 4 + 10 \cdot 3 + 11 \cdot 11) \bmod 17 = 183 \bmod 17 = 13$.

2.2 Special Case of Shamir's Scheme

We have a simplified construction when $w = t$. This construction works for any key set $\mathcal{K} = \mathbb{Z}_m$, with $\mathcal{S} = \mathbb{Z}_m$ ($m$ need not be prime). $D$ uses the following algorithm:
1. $D$ secretly chooses (independently at random) $t-1$ elements of $\mathbb{Z}_m$, $y_1, \ldots, y_{t-1}$.
2. $D$ computes $y_t = K - \sum_{i=1}^{t-1} y_i \bmod m$.
3. For $1 \le i \le t$, $D$ gives the share $y_i$ to $P_i$.

Theorem 2. The $t$ participants can compute $K = \sum_{i=1}^{t} y_i \bmod m$, but no set of $t-1$ participants can compute $K$.

Proof: Clearly the first $t-1$ participants cannot compute $K$, as they receive $t-1$ independent random numbers as their shares. Now consider the $t-1$ participants in the set $\mathcal{P} \setminus \{P_i\}$, where $1 \le i \le t-1$. These $t-1$ participants possess the shares $y_1, \ldots, y_{i-1}, y_{i+1}, \ldots, y_{t-1}$ and $K - \sum_{j=1}^{t-1} y_j$. By summing their shares, they can compute $K - y_i$. Since they do not know the random value $y_i$, which is uniformly distributed on $\mathbb{Z}_m$, they have no information about the value of $K$.
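Shamir's scheme in code, as an added example that is not part of the report: the dealer's sharing step, the Lagrange reconstruction of Method 2, and an exhaustive check of the claim that $t-1$ shares are consistent with every key. It reproduces Example 1 ($p = 17$, $t = 3$, shares $8, 10, 11$ at $x = 1, 3, 5$). Drawing the random coefficients from Python's `secrets` module is an assumption of this example.

```python
# Shamir's (t, w)-threshold scheme over Z_p.  Added example, not the
# report's code: dealing, Lagrange reconstruction (Method 2) and an
# exhaustive check that t-1 shares are consistent with every key.
import secrets
from itertools import product

def make_shares(key, t, xs, p, rng=secrets):
    """Dealer: a(x) = K + a_1 x + ... + a_{t-1} x^{t-1}; share of x_i is a(x_i)."""
    assert 0 <= key < p and len(set(xs)) == len(xs) and all(0 < x < p for x in xs)
    coeffs = [key] + [rng.randbelow(p) for _ in range(t - 1)]
    return {x: sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p for x in xs}

def lagrange_weights(xs, p):
    """b_j = prod_{k != j} x_k / (x_k - x_j) mod p: public, precomputable."""
    weights = []
    for j, xj in enumerate(xs):
        num = den = 1
        for k, xk in enumerate(xs):
            if k != j:
                num = num * xk % p
                den = den * (xk - xj) % p
        weights.append(num * pow(den, -1, p) % p)    # p prime, so den is invertible
    return weights

def reconstruct(shares, p):
    """Method 2: K = a(0) = sum_j y_{i_j} b_j from any t shares {x_i: y_i}."""
    xs = list(shares)
    return sum(shares[x] * b for x, b in zip(xs, lagrange_weights(xs, p))) % p

def keys_consistent_with(shares, t, p):
    """Keys a_0 for which some polynomial of degree < t passes through the
    given points.  Exhaustive over all p^t polynomials, so toy p only."""
    keys = set()
    for coeffs in product(range(p), repeat=t):
        if all(sum(c * pow(x, j, p) for j, c in enumerate(coeffs)) % p == y
               for x, y in shares.items()):
            keys.add(coeffs[0])
    return keys
```

`reconstruct({1: 8, 3: 10, 5: 11}, 17)` returns 13 with weights $(4, 3, 11)$, as in Example 1, while `keys_consistent_with({1: 8, 3: 10}, 3, 17)` returns all of $\mathbb{Z}_{17}$: two shares rule out nothing. `pow(den, -1, p)` needs Python 3.8 or later.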

3 General Secret Sharing

In the previous section, we desired that any $t$ of the $w$ participants should be able to compute the key. A more general situation would be to specify exactly which subsets of participants should be able to determine the key. Let $\Gamma$ be a set of subsets of $\mathcal{P}$; the subsets in $\Gamma$ are those subsets of participants that can compute the key. $\Gamma$ is called an access structure and the subsets in $\Gamma$ are called authorized subsets.

Definition 2. A perfect secret sharing scheme realizing the access structure $\Gamma$ is a method of sharing the key $K$ among a set of $w$ participants (denoted $\mathcal{P}$), in such a way that the following two properties are satisfied:
- If an authorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they can determine the value of $K$.
- If an unauthorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they can determine nothing about the value of $K$.

A $(t, w)$-threshold scheme realizes the access structure $\{B \subseteq \mathcal{P} : |B| \ge t\}$. We study the unconditional security of secret sharing schemes.

An access structure should satisfy the monotone property: if $B \in \Gamma$ and $B \subseteq C \subseteq \mathcal{P}$, then $C \in \Gamma$. This is because $C$ can determine $K$ by ignoring the shares of the participants in $C \setminus B$. Stated another way, any superset of an authorized set is again an authorized set.

$B \in \Gamma$ is a minimal authorized subset if $A \notin \Gamma$ whenever $A \subseteq B$, $A \ne B$. The set of minimal authorized subsets of $\Gamma$, denoted $\Gamma_0$, is called the basis of $\Gamma$. $\Gamma$ is called the closure of $\Gamma_0$ and is written $\Gamma = \mathrm{cl}(\Gamma_0) = \{C \subseteq \mathcal{P} : B \subseteq C \text{ for some } B \in \Gamma_0\}$.

Example 2. If $\mathcal{P} = \{P_1, P_2, P_3, P_4\}$ and $\Gamma_0 = \{\{P_1, P_2, P_4\}, \{P_1, P_3, P_4\}, \{P_2, P_3\}\}$, then $\Gamma = \Gamma_0 \cup \{\{P_1, P_2, P_3\}, \{P_2, P_3, P_4\}, \{P_1, P_2, P_3, P_4\}\}$.

In the case of a $(t, w)$-threshold access structure, the basis consists of all subsets of (exactly) $t$ participants.

3.1 Formal Mathematical Definitions

A secret sharing scheme is represented by a set of distribution rules. A distribution rule is a function $f : \mathcal{P} \to \mathcal{S}$ and represents a possible distribution of shares to the participants, where $f(P_i)$ is the share given to $P_i$. For each $K \in \mathcal{K}$, let $\mathcal{F}_K$ be a set of distribution rules corresponding to the key having the value $K$. These sets are public. Define $\mathcal{F} = \bigcup_{K \in \mathcal{K}} \mathcal{F}_K$ as the complete set of distribution rules of the scheme. If $K \in \mathcal{K}$ is the value of the key that $D$ wishes to share, $D$ will choose a distribution rule $f \in \mathcal{F}_K$.

We need conditions to ensure that a set of distribution rules for a scheme realizes a specified access structure. We suppose a probability distribution $p_{\mathcal{K}}$ on $\mathcal{K}$ whose entropy is $H(\mathbf{K})$. For every $K \in \mathcal{K}$, let $D$ choose a distribution rule in $\mathcal{F}_K$ with a probability distribution $p_{\mathcal{F}_K}$.

We now compute the probability distribution on the list of shares given to an arbitrary subset of participants, $B \subseteq \mathcal{P}$. Define $\mathcal{S}(B) = \{f|_B : f \in \mathcal{F}\}$, where $f|_B : B \to \mathcal{S}$ is defined by $f|_B(P_i) = f(P_i)$ for all $P_i \in B$. The probability distribution on $\mathcal{S}(B)$, denoted $p_{\mathcal{S}(B)}$ (with entropy $H(\mathbf{B})$), is computed as follows. Let $f_B \in \mathcal{S}(B)$. Then

  $p_{\mathcal{S}(B)}(f_B) = \sum_{K \in \mathcal{K}} p_{\mathcal{K}}(K) \sum_{\{f \in \mathcal{F}_K : f|_B = f_B\}} p_{\mathcal{F}_K}(f)$,

  $p_{\mathcal{S}(B)}(f_B \mid K) = \sum_{\{f \in \mathcal{F}_K : f|_B = f_B\}} p_{\mathcal{F}_K}(f)$,

for all $f_B \in \mathcal{S}(B)$ and $K \in \mathcal{K}$.

Definition 3. Suppose $\Gamma$ is an access structure and $\mathcal{F} = \bigcup_{K \in \mathcal{K}} \mathcal{F}_K$ is a set of distribution rules. Then $\mathcal{F}$ is a perfect secret sharing scheme realizing the access structure $\Gamma$ provided that the following two properties are satisfied.
- For any authorized subset of participants $B \subseteq \mathcal{P}$, there do not exist two distribution rules $f \in \mathcal{F}_K$ and $f' \in \mathcal{F}_{K'}$ with $K \ne K'$, such that $f|_B = f'|_B$. (Any distribution of shares to the participants in an authorized subset $B$ determines the value of the key.)
- For any unauthorized subset of participants $B \subseteq \mathcal{P}$ and for any distribution of shares $f_B \in \mathcal{S}(B)$, $p_{\mathcal{K}}(K \mid f_B) = p_{\mathcal{K}}(K)$ for every $K \in \mathcal{K}$. (The conditional probability distribution on $\mathcal{K}$, given a distribution of shares $f_B$ to an unauthorized subset $B$, is the same as the a priori probability distribution on $\mathcal{K}$; i.e. the distribution of shares to $B$ provides no information as to the value of the key.)

Note: $p_{\mathcal{K}}(K \mid f_B)$ can be computed from known distributions by Bayes' Theorem:

  $p_{\mathcal{K}}(K \mid f_B) = \dfrac{p_{\mathcal{S}(B)}(f_B \mid K)\, p_{\mathcal{K}}(K)}{p_{\mathcal{S}(B)}(f_B)}$.
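Definition 3 can be checked mechanically for small schemes. The following added example (not from the report) enumerates the distribution rules $\mathcal{F}_K$ of the $(t, t)$-scheme of Theorem 2, restricts them to every subset $B$, and applies Bayes' theorem exactly as in the note above, with a uniform prior on $\mathcal{K}$ and equiprobable rules (both assumptions of the example). It also shows what goes wrong when the dealer's random values $y_i$ are not uniform on $\mathbb{Z}_m$: `additive_rules` takes the set the $y_i$ are drawn from as a parameter, which is a knob of this example, not part of the scheme.

```python
# A secret sharing scheme as a public set of distribution rules (Section 3.1),
# verified against Definition 3 by exhaustive enumeration and Bayes' theorem.
# Added example, not the report's code.  Rules in F_K are taken to be
# equiprobable and the prior on K uniform (assumptions of the example).
from collections import Counter
from fractions import Fraction
from itertools import combinations, product

def additive_rules(t, m, draw_from=None):
    """F_K for the (t, t)-scheme of Theorem 2 over Z_m: y_1..y_{t-1} drawn
    from `draw_from` (all of Z_m in the real scheme), y_t = K - sum(y_i) mod m.
    Returns {K: [rule, ...]} with rule = {participant: share}."""
    draw_from = range(m) if draw_from is None else draw_from
    rules = {}
    for key in range(m):
        rules[key] = []
        for ys in product(draw_from, repeat=t - 1):
            last = (key - sum(ys)) % m
            rules[key].append({f"P{i + 1}": y for i, y in enumerate(list(ys) + [last])})
    return rules

def is_perfect(rules, participants, authorized):
    """Definition 3 for every non-empty subset B: an authorized B's share
    tuple f_B must pin down K (posterior 0 or 1); for an unauthorized B the
    posterior p_K(K | f_B), computed with Bayes, must equal the prior."""
    keys = list(rules)
    prior = Fraction(1, len(keys))
    for r in range(1, len(participants) + 1):
        for B in combinations(participants, r):
            # p_S(B)(f_B | K) = (number of rules in F_K restricting to f_B) / |F_K|
            cond = {K: Counter(tuple(f[Pi] for Pi in B) for f in rules[K]) for K in keys}
            views = set().union(*(c.keys() for c in cond.values()))
            for f_B in views:
                p_view = sum(prior * Fraction(cond[K][f_B], len(rules[K])) for K in keys)
                for K in keys:
                    posterior = Fraction(cond[K][f_B], len(rules[K])) * prior / p_view
                    if authorized(B):
                        if posterior not in (0, 1):
                            return False
                    elif posterior != prior:
                        return False
    return True

def threshold(t):
    """Access structure of the (t, w)-threshold scheme: |B| >= t."""
    return lambda B: len(B) >= t
```

With `draw_from=[0, 1]` the last participant's share $y_t = K - y_1 - y_2$ takes only three of the four values of $\mathbb{Z}_4$ for a given $K$, so the posterior on $K$ given $y_t$ is no longer the prior and `is_perfect` returns False: the uniformity of the $y_i$ is what the proof of Theorem 2 relies on.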

4 Information Rate

This notion is used to measure the efficiency of a secret sharing scheme.

Definition 4. Suppose we have a perfect secret sharing scheme realizing an access structure $\Gamma$. The information rate for $P_i$ is the ratio

  $\rho_i = \dfrac{\lg |\mathcal{K}|}{\lg |\mathcal{S}(P_i)|}$,

where $\mathcal{S}(P_i)$ denotes the set of possible shares that $P_i$ might receive. The information rate of the scheme is denoted by $\rho$ and is defined as $\rho = \min\{\rho_i : 1 \le i \le w\}$.

Theorem 3. In any perfect scheme realizing an access structure $\Gamma$, $\rho \le 1$.

Proof: Suppose we have a perfect secret sharing scheme that realizes the access structure $\Gamma$. Let $B \in \Gamma_0$ and choose any participant $P_j \in B$. Define $B' = B \setminus \{P_j\}$. Let $g \in \mathcal{S}(B)$. Now, $B' \notin \Gamma$, so the distribution of shares $g|_{B'}$ provides no information about the key. Hence, for each $K \in \mathcal{K}$, there is a distribution rule $g_K \in \mathcal{F}_K$ such that $g_K|_{B'} = g|_{B'}$. Since $B \in \Gamma$, it must be the case that $g_K(P_j) \ne g_{K'}(P_j)$ if $K \ne K'$. Hence $|\mathcal{S}(P_j)| \ge |\mathcal{K}|$, and thus $\rho_j \le 1$, so $\rho \le 1$.

Denote by $\rho^* = \rho^*(\Gamma)$ the maximum information rate for any perfect secret sharing scheme realizing the access structure $\Gamma$. A scheme with $\rho = 1$ (optimal) is called an ideal scheme, e.g. the Shamir scheme.

5 Constructions

5.1 The Monotone Circuit Construction

This construction, due to Benaloh and Leichter, shows that any monotone access structure can be realized by a perfect secret sharing scheme.

Consider a Boolean circuit $C$ with $w$ Boolean inputs $x_1, \ldots, x_w$ and one Boolean output $y(x_1, \ldots, x_w)$. $C$ consists of OR gates and AND gates, but no NOT gates. Such a circuit is called a monotone circuit. The reason for this nomenclature is that changing any input $x_i$ from "0" (false) to "1" (true) can never result in the output $y$ changing from "1" to "0". Each gate has arbitrary fan-in, but has fan-out equal to 1.

Define $B(x_1, \ldots, x_w) = \{P_i : x_i = 1\}$, i.e. the subset of $\mathcal{P}$ corresponding to the true inputs. If $C$ is monotone, define $\Gamma(C) = \{B(x_1, \ldots, x_w) : y(x_1, \ldots, x_w) = 1\}$. $\Gamma(C)$ is a monotone set of subsets of $\mathcal{P}$. Clearly, there is a one-to-one correspondence between monotone circuits of this type and Boolean formulae which contain only the operators $\vee$ and $\wedge$.

Given a monotone set $\Gamma$ of subsets, we can easily construct a monotone circuit $C$ such that $\Gamma(C) = \Gamma$. Let $\Gamma_0$ be the basis. Then construct the disjunctive normal form formula

  $\bigvee_{B \in \Gamma_0} \Big( \bigwedge_{P_i \in B} P_i \Big)$.

Example 3. In Example 2, we would obtain the formula $(P_1 \wedge P_2 \wedge P_4) \vee (P_1 \wedge P_3 \wedge P_4) \vee (P_2 \wedge P_3)$.

Let $C$ be any monotone circuit that recognizes $\Gamma$ (not necessarily of the form in Example 3). We now describe an algorithm which enables $D$, the dealer, to construct a perfect secret sharing scheme that realizes $\Gamma$. This scheme uses the $(t, t)$-scheme as a building block. Hence we take the key set $\mathcal{K} = \mathbb{Z}_m$ for some integer $m$.

Algorithm for Monotone Circuit Construction
1. $f(W_{out}) = K$, where $W_{out}$ is the output wire.
2. while there exists a wire $W$ such that $f(W)$ is not defined do
3.   Find a gate $G$ of $C$ such that $f(W_G)$ is defined, where $W_G$ is the output wire of $G$, but $f(W)$ is not defined for any of the input wires $W$ of $G$.
4.   if $G$ is an OR gate then
5.     $f(W) = f(W_G)$ for every input wire $W$ of $G$.
6.   else // $G$ is an AND gate
7.     Let the input wires of $G$ be $W_1, \ldots, W_t$. Choose (independently at random) $t-1$ elements of $\mathbb{Z}_m$, denoted $y_{G,1}, \ldots, y_{G,t-1}$.
8.     Compute $y_{G,t} = f(W_G) - \sum_{i=1}^{t-1} y_{G,i} \bmod m$.
9.     For $1 \le i \le t$ do $f(W_i) = y_{G,i}$.
10. Each participant $P_i$ is given the list of values $f(W)$ such that $W$ is an input wire of the circuit which receives input $x_i$.

Theorem 4. Let $C$ be any monotone Boolean circuit. Then the monotone circuit construction yields a perfect secret sharing scheme realizing the access structure $\Gamma(C)$.

Proof: We proceed by induction on the number of gates in the circuit $C$. If $C$ contains only one gate, then the result is trivial: if $C$ consists of one OR gate, then every participant will be given the key, and this scheme realizes the access structure consisting of all non-empty subsets of participants; if $C$ consists of a single AND gate with $t$ inputs, then the scheme is the $(t, t)$-threshold scheme.

Now, as an induction assumption, suppose that there is an integer $j > 1$ such that, for all circuits $C$ with fewer than $j$ gates, the construction produces a scheme that realizes $\Gamma(C)$. Let $C$ be a circuit on $j$ gates. Consider the "last" gate, $G$, in the circuit; $G$ could be an OR gate or an AND gate.

Consider the case when $G$ is an OR gate. Denote the input wires to $G$ by $W_i$, $1 \le i \le t$. These $t$ wires are the outputs of $t$ sub-circuits of $C$, which we denote $C_i$, $1 \le i \le t$. Corresponding to each $C_i$, we have a sub-scheme that realizes the access structure $\Gamma(C_i)$, by induction. Now $\Gamma(C) = \bigcup_{i=1}^{t} \Gamma(C_i)$. Since every $W_i$ is assigned the key $K$, it follows that the scheme realizes $\Gamma(C)$, as desired.

The analysis is similar if $G$ is an AND gate. In this situation, we have $\Gamma(C) = \bigcap_{i=1}^{t} \Gamma(C_i)$, and the values placed on $W_1, \ldots, W_t$ form a $(t, t)$-sharing of $K$, so a subset recovers $K$ exactly when it recovers every $f(W_i)$. This completes the proof.
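The algorithm above, implemented as an added example (not the report's code) for circuits written as nested tuples `("or", ...)` / `("and", ...)` over participant names. Besides dealing and reconstruction it computes the information rate of Theorem 5 and checks, for every subset of participants, that the key is recovered exactly when the subset is recognized by the circuit; the DNF of Example 4 and the CNF of Example 5 for the access structure of Example 2 are the inputs. Numbering the input wires in depth-first order and drawing randomness from the `secrets` module are assumptions of this example.

```python
# Benaloh-Leichter monotone circuit construction (Section 5.1).  Added
# example, not the report's code.  A circuit is a participant name or a
# nested tuple ("or", child, ...) / ("and", child, ...); the dealer labels
# wires top-down with the (t, t)-scheme of Theorem 2 at every AND gate, and
# an OR gate copies its output value to every input.  Input wires are numbered
# in depth-first order (an assumption of this example) so that the
# reconstructor can match a participant's shares to wires.
import secrets
from fractions import Fraction
from itertools import combinations

def dnf_from_basis(basis):
    """Example 3: the OR of one AND per minimal authorized subset."""
    return ("or",) + tuple(("and",) + tuple(B) for B in basis)

def deal(circuit, key, m, rng=secrets):
    """Shares {participant: {wire_id: value}} for the key K in Z_m."""
    shares, wire = {}, [0]
    def label(node, value):                       # f(W) := value, then recurse
        if isinstance(node, str):                 # input wire carrying x_i
            shares.setdefault(node, {})[wire[0]] = value
            wire[0] += 1
        elif node[0] == "or":                     # step 5: every input gets f(W_G)
            for child in node[1:]:
                label(child, value)
        else:                                     # steps 7-9: (t, t)-split f(W_G)
            ys = [rng.randbelow(m) for _ in node[2:]]
            ys.append((value - sum(ys)) % m)
            for child, y in zip(node[1:], ys):
                label(child, y)
    label(circuit, key)
    return shares

def reconstruct(circuit, shares, m):
    """Value on the output wire computable from the given shares, or None
    when the participants holding them are not recognized by the circuit."""
    wire = [0]
    def value(node):
        if isinstance(node, str):
            i = wire[0]
            wire[0] += 1
            return shares.get(node, {}).get(i)
        vals = [value(child) for child in node[1:]]
        if node[0] == "or":                       # any known input carries f(W_G)
            return next((v for v in vals if v is not None), None)
        return None if any(v is None for v in vals) else sum(vals) % m
    return value(circuit)

def information_rate(circuit):
    """Theorem 5: rho = 1 / max_i r_i, r_i = input wires carrying x_i."""
    r = {}
    def walk(node):
        if isinstance(node, str):
            r[node] = r.get(node, 0) + 1
        else:
            for child in node[1:]:
                walk(child)
    walk(circuit)
    return Fraction(1, max(r.values()))

def realizes(circuit, participants, authorized, m=7, trials=10):
    """Every subset recovers K iff authorized(B): the 'determines K' half of
    Definition 3 (the 'no information' half is the Section 3 rule check)."""
    for _ in range(trials):
        key = secrets.randbelow(m)
        shares = deal(circuit, key, m)
        for r in range(1, len(participants) + 1):
            for B in combinations(participants, r):
                got = reconstruct(circuit, {Pi: shares.get(Pi, {}) for Pi in B}, m)
                if (got == key) != authorized(B):
                    return False
    return True

# Access structure of Example 2 as the DNF of Example 4 and the CNF of Example 5.
PARTICIPANTS = ["P1", "P2", "P3", "P4"]
BASIS = [("P1", "P2", "P4"), ("P1", "P3", "P4"), ("P2", "P3")]
DNF = dnf_from_basis(BASIS)
CNF = ("and", ("or", "P1", "P2"), ("or", "P1", "P3"), ("or", "P2", "P3"),
       ("or", "P2", "P4"), ("or", "P3", "P4"))

def is_authorized(B):
    return any(set(b) <= set(B) for b in BASIS)
```

`deal(DNF, K, m)` gives every participant two values (the $a_1, b_1$ / $a_2, c$ / $b_2, K-c$ / $K-a_1-a_2, K-b_1-b_2$ layout of Example 4, rate $1/2$), while `deal(CNF, K, m)` gives $P_2$ and $P_3$ three values each (rate $1/3$); `realizes` confirms that both circuits recover $K$ for exactly the subsets in $\mathrm{cl}(\Gamma_0)$.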

Example 4. [Figure: a monotone circuit for the formula of Example 3; an OR gate at the output feeds three AND gates, whose input wires are labelled $a_1, a_2, K - a_1 - a_2$ (gate $P_1 \wedge P_2 \wedge P_4$), $b_1, b_2, K - b_1 - b_2$ (gate $P_1 \wedge P_3 \wedge P_4$) and $c, K - c$ (gate $P_2 \wedge P_3$).]

Applying the algorithm to this circuit:
  $P_1$ receives $a_1, b_1$;
  $P_2$ receives $a_2, c$;
  $P_3$ receives $b_2, K - c$;
  $P_4$ receives $K - a_1 - a_2, K - b_1 - b_2$.

To prove that the scheme is perfect, we need only look at maximal unauthorized subsets, i.e. $\{B \notin \Gamma : B_1 \in \Gamma \text{ whenever } B \subsetneq B_1\}$. For, if $B_1$ and $B_2$ are both unauthorized subsets, $B_1 \subseteq B_2$, and $B_2$ cannot compute $K$, then neither can $B_1$ compute $K$. The information rate is $\rho = \dfrac{\lg m}{\lg m^2} = \dfrac{1}{2}$.

Example 5. If we use the CNF $(P_1 \vee P_2) \wedge (P_1 \vee P_3) \wedge (P_2 \vee P_3) \wedge (P_2 \vee P_4) \wedge (P_3 \vee P_4)$, which recognizes the same access structure, we get
  $P_1$ receives $a_1, a_2$;
  $P_2$ receives $a_1, a_3, a_4$;
  $P_3$ receives $a_2, a_3, K - a_1 - a_2 - a_3 - a_4$;
  $P_4$ receives $a_4, K - a_1 - a_2 - a_3 - a_4$.
The information rate is $\rho = \dfrac{\lg m}{\lg m^3} = \dfrac{1}{3}$.

Theorem 5. Let $C$ be any monotone Boolean circuit. Then there is a perfect secret sharing scheme realizing the access structure $\Gamma(C)$ having information rate $\rho = 1/\max\{r_i : 1 \le i \le w\}$, where $r_i$ is the number of input wires to $C$ carrying input $x_i$.

5.2 Brickell Vector Space Construction

This is a construction for certain ideal schemes which generalizes the Shamir scheme. Suppose $\Gamma$ is an access structure and let $(\mathbb{Z}_p)^d$ denote the vector space of all $d$-tuples over $\mathbb{Z}_p$, where $p$ is prime and $d \ge 2$. Suppose there exists a function $\phi : \mathcal{P} \to (\mathbb{Z}_p)^d$ which satisfies

  (Property 1)  $(1, 0, \ldots, 0) \in \langle \phi(P_i) : P_i \in B \rangle \iff B \in \Gamma$,

i.e. the vector $(1, 0, \ldots, 0)$ can be expressed as a linear combination of the vectors in the set $\{\phi(P_i) : P_i \in B\}$ if and only if $B$ is an authorized subset. We construct an ideal secret sharing scheme with $\mathcal{K} = \mathcal{S}(P_i) = \mathbb{Z}_p$, $1 \le i \le w$. For every vector $\mathbf{a} = (a_1, \ldots, a_d) \in (\mathbb{Z}_p)^d$, define a distribution rule $f_{\mathbf{a}} \in \mathcal{F}_{a_1}$ where $f_{\mathbf{a}}(x) = \mathbf{a} \cdot \phi(x)$ for all $x \in \mathcal{P}$, and $\cdot$ is the inner product modulo $p$. The formal algorithm is:

Initialization Phase
1. For $1 \le i \le w$, $D$ gives the vector $\phi(P_i) \in (\mathbb{Z}_p)^d$ to $P_i$. These vectors are public.

Share Distribution
2. Suppose $D$ wants to share a key $K \in \mathbb{Z}_p$. $D$ secretly chooses (independently at random) $d-1$ elements of $\mathbb{Z}_p$, $a_2, \ldots, a_d$.
3. For $1 \le i \le w$, $D$ computes $y_i = \mathbf{a} \cdot \phi(P_i)$, where $\mathbf{a} = (K, a_2, \ldots, a_d)$.
4. For $1 \le i \le w$, $D$ gives the share $y_i$ to $P_i$.

Each $\mathcal{F}_K$ contains $p^{d-1}$ distribution rules, which are assumed to be equiprobable, i.e. $p_{\mathcal{F}_K}(f) = 1/p^{d-1}$ for every $f \in \mathcal{F}_K$.

Theorem 6. Suppose $\phi$ satisfies Property 1. Then the sets of distribution rules $\mathcal{F}_K$, $K \in \mathcal{K}$, comprise an ideal scheme that realizes $\Gamma$.

Proof: First, we will show that if $B$ is an authorized subset, then the participants in $B$ can compute $K$. Since $(1, 0, \ldots, 0) \in \langle \phi(P_i) : P_i \in B \rangle$, we can write

  $(1, 0, \ldots, 0) = \sum_{i : P_i \in B} c_i \phi(P_i)$,

where each $c_i \in \mathbb{Z}_p$. Denote by $s_i$ the share given to $P_i$. Then $s_i = \mathbf{a} \cdot \phi(P_i)$, where $\mathbf{a}$ is an unknown vector chosen by $D$ and $K = a_1 = \mathbf{a} \cdot (1, 0, \ldots, 0)$. By the linearity of the inner product operation,

  $K = \sum_{i : P_i \in B} c_i s_i$.

If $B$ is not an authorized subset, let $e$ be the dimension of the subspace $\langle \phi(P_i) : P_i \in B \rangle$; note that $e \le |B|$. Choose any $K \in \mathcal{K}$, and consider the system of equations

  $\phi(P_i) \cdot \mathbf{a} = s_i$ for all $P_i \in B$,
  $(1, 0, \ldots, 0) \cdot \mathbf{a} = K$.

This is a system of linear equations in the $d$ unknowns $a_1, \ldots, a_d$. The coefficient matrix has rank $e + 1$, since $(1, 0, \ldots, 0) \notin \langle \phi(P_i) : P_i \in B \rangle$.

Provided the system of equations is consistent, the solution space has dimension $d - e - 1$. There are then precisely $p^{d-e-1}$ distribution rules in each $\mathcal{F}_K$ that are consistent with any possible distribution of shares to $B$. It can then be seen that $p_{\mathcal{K}}(K \mid f_B) = p_{\mathcal{K}}(K)$ for every $K \in \mathcal{K}$, where $f_B(P_i) = s_i$ for all $P_i \in B$. The first $|B|$ equations are consistent, since the vector $\mathbf{a}$ chosen by $D$ is a solution. Since $(1, 0, \ldots, 0) \notin \langle \phi(P_i) : P_i \in B \rangle$, the last equation is consistent with the first $|B|$ equations. Thus the system is consistent.

Theorem 7. Suppose $G = (V, E)$ is a complete multipartite graph. Then there is an ideal scheme realizing the access structure $\mathrm{cl}(E)$ on participant set $V$.

Proof: Let $V_1, \ldots, V_l$ be the parts of $G$. Let $x_1, \ldots, x_l$ be distinct elements of $\mathbb{Z}_p$, where $p \ge l$. Let $d = 2$. For every participant $v \in V_i$, define $\phi(v) = (x_i, 1)$. Property 1 can then be directly verified: two participants from different parts have $\phi(u) - \phi(v) = (x_i - x_j, 0)$ with $x_i \ne x_j$, which spans $(1, 0)$, whereas participants from a single part all share the same vector $(x_i, 1)$, whose multiples never equal $(1, 0)$. By the previous theorem, we have an ideal scheme.

5.3 The Decomposition Construction

Definition 5. Suppose $\Gamma$ is an access structure having basis $\Gamma_0$. Let $\mathcal{K}$ be a specified key set. An ideal $\mathcal{K}$-decomposition of $\Gamma_0$ consists of a set $\{\Gamma_1, \ldots, \Gamma_n\}$ such that the following properties are satisfied:
- $\Gamma_k \subseteq \Gamma_0$ for $1 \le k \le n$.

- $\bigcup_{k=1}^{n} \Gamma_k = \Gamma_0$.
- For $1 \le k \le n$, there exists an ideal scheme with key set $\mathcal{K}$, on the subset of participants $\mathcal{P}_k = \bigcup_{B \in \Gamma_k} B$, for the access structure having basis $\Gamma_k$.

Given an ideal $\mathcal{K}$-decomposition of an access structure, we can construct a perfect secret sharing scheme as described by the following theorem.

Theorem 8. Suppose $\Gamma$ is an access structure having basis $\Gamma_0$. Let $\mathcal{K}$ be a specified key set and suppose $\{\Gamma_1, \ldots, \Gamma_n\}$ is an ideal $\mathcal{K}$-decomposition of $\Gamma_0$. For every participant $P_i$, define $R_i = |\{k : P_i \in \mathcal{P}_k\}|$. Then there exists a perfect secret sharing scheme realizing $\Gamma$, having information rate $\rho = 1/R$, where $R = \max\{R_i : 1 \le i \le w\}$.

Proof: For $1 \le k \le n$, we have an ideal scheme realizing the access structure with basis $\Gamma_k$, with key set $\mathcal{K}$, having $\mathcal{F}^k$ as its set of distribution rules. We will construct a scheme realizing $\Gamma$, with key set $\mathcal{K}$. The set of distribution rules $\mathcal{F}$ is constructed according to the following recipe. Suppose $D$ wants to share a key $K$. Then, for $1 \le k \le n$, he chooses a random distribution rule $f^k \in \mathcal{F}^k_K$ and distributes the resulting shares to the participants in $\mathcal{P}_k$.

We omit the proof that the scheme is perfect. However, it is easy to compute the information rate of the resulting scheme. Since each of the component schemes is ideal, it follows that $|\mathcal{S}(P_i)| = |\mathcal{K}|^{R_i}$ for $1 \le i \le w$. So

  $\rho_i = \dfrac{1}{R_i}$

and

  $\rho = \dfrac{1}{\max\{R_i : 1 \le i \le w\}}$,

which is what we set out to prove.

Sometimes we employ a generalization in which we have $l$ ideal $\mathcal{K}$-decompositions of $\Gamma_0$, and build a scheme with key set $\mathcal{K}^l$.

Theorem 9. Suppose $\Gamma$ is an access structure having basis $\Gamma_0$ and $l \ge 1$ is an integer. Let $\mathcal{K}$ be a specified key set and, for $1 \le j \le l$, suppose $D_j = \{\Gamma_{j,1}, \ldots, \Gamma_{j,n_j}\}$ is an ideal $\mathcal{K}$-decomposition of $\Gamma_0$. Let $\mathcal{P}_{j,k}$ denote the participant set for the access structure $\Gamma_{j,k}$. For every participant $P_i$, define $R_i = \sum_{j=1}^{l} |\{k : P_i \in \mathcal{P}_{j,k}\}|$. Then there exists a perfect secret sharing scheme realizing $\Gamma$, having information rate $\rho = l/R$, where $R = \max\{R_i : 1 \le i \le w\}$.

Proof: For $1 \le j \le l$ and $1 \le k \le n_j$, we have an ideal scheme realizing the access structure with basis $\Gamma_{j,k}$, with key set $\mathcal{K}$, having $\mathcal{F}^{j,k}$ as its set of distribution rules. We construct a scheme realizing $\Gamma$, with key set $\mathcal{K}^l$. The set of distribution rules $\mathcal{F}$ is constructed according to the following recipe. Suppose $D$ wants to share a key $K = (K_1, \ldots, K_l)$. Then for $1 \le j \le l$ and $1 \le k \le n_j$, he chooses a random distribution rule $f^{j,k} \in \mathcal{F}^{j,k}_{K_j}$ and distributes the resulting shares to the participants in $\mathcal{P}_{j,k}$. The information rate can be computed in a manner similar to that of the previous theorem.
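Brickell's construction, the vectors of Theorem 7 and the decomposition construction of Theorem 9, in one added example (not the report's code). It checks Property 1 over every subset for the vectors given in Section 6 for access structures #9 and #11, recovers Example 1 by viewing Shamir's scheme as $\phi(P_i) = (1, x_i, \ldots, x_i^{t-1})$, and builds the $\rho = 2/3$ scheme for access structure #5 from the two decompositions given in Section 6 by running Theorem 7's $d = 2$ scheme in each component. The Gauss-Jordan solver over $\mathbb{Z}_p$ and the representation of a component as the list of parts of a complete multipartite graph (the hub of a $K_{1,2}$ in its own part) are assumptions of this example.

```python
# Brickell's vector space construction (Section 5.2), the complete multipartite
# vectors of Theorem 7 and the decomposition construction of Theorem 9 stacked
# on top of it.  Added example, not the report's code; the linear algebra over
# Z_p is a small Gauss-Jordan elimination.
import secrets
from fractions import Fraction
from itertools import combinations

def combination_for(vectors, target, p):
    """Coefficients c with sum(c_i * vectors[i]) == target over Z_p, else None."""
    d, n = len(target), len(vectors)
    M = [[vectors[i][r] % p for i in range(n)] + [target[r] % p] for r in range(d)]
    pivots, row = [], 0
    for col in range(n):
        piv = next((r for r in range(row, d) if M[r][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, p)
        M[row] = [v * inv % p for v in M[row]]
        for r in range(d):
            if r != row and M[r][col]:
                M[r] = [(a - M[r][col] * b) % p for a, b in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    if any(M[r][n] for r in range(row, d)):      # a row "0 = nonzero": no solution
        return None
    c = [0] * n
    for r, col in enumerate(pivots):
        c[col] = M[r][n]
    return c

def e1(d):
    return (1,) + (0,) * (d - 1)

def satisfies_property1(phi, basis, p):
    """(1,0,..,0) in <phi(P_i): P_i in B> iff B is authorized, for EVERY B."""
    d = len(next(iter(phi.values())))
    authorized = lambda B: any(set(b) <= set(B) for b in basis)
    return all((combination_for([phi[P] for P in B], e1(d), p) is not None) == authorized(B)
               for r in range(1, len(phi) + 1) for B in combinations(phi, r))

def brickell_share(phi, key, p, rng=secrets):
    """a = (K, a_2, .., a_d) with random a_j; share of P_i is a . phi(P_i) mod p."""
    d = len(next(iter(phi.values())))
    a = [key] + [rng.randbelow(p) for _ in range(d - 1)]
    return {P: sum(x * y for x, y in zip(a, v)) % p for P, v in phi.items()}

def brickell_reconstruct(phi, shares, p):
    """K = sum c_i s_i where (1,0,..,0) = sum c_i phi(P_i); None if unauthorized."""
    parts = list(shares)
    c = combination_for([phi[P] for P in parts], e1(len(next(iter(phi.values())))), p)
    return None if c is None else sum(ci * shares[P] for ci, P in zip(c, parts)) % p

def shamir_phi(xs, t, p):          # Shamir as the special case phi(P_i) = (1, x_i, .., x_i^{t-1})
    return {x: tuple(pow(x, j, p) for j in range(t)) for x in xs}

def multipartite_phi(parts, p):    # Theorem 7: everyone in part V_i gets (x_i, 1), d = 2
    assert len(parts) <= p
    return {v: (i, 1) for i, part in enumerate(parts) for v in part}

def decomposition_share(decomps, key_tuple, p):
    """Theorem 9: decomps[j][k] lists the parts of component Gamma_{j,k};
    K_j is shared by Theorem 7's scheme in every component of D_j."""
    shares = {}
    for j, comps in enumerate(decomps):
        for k, parts in enumerate(comps):
            for P, s in brickell_share(multipartite_phi(parts, p), key_tuple[j], p).items():
                shares.setdefault(P, {})[(j, k)] = s
    return shares

def decomposition_reconstruct(decomps, shares, B, p):
    """(K_1, .., K_l) from the shares of subset B, or None if B is unauthorized."""
    key = []
    for j, comps in enumerate(decomps):
        for k, parts in enumerate(comps):
            sub = {P: shares[P][(j, k)] for P in B if (j, k) in shares.get(P, {})}
            val = brickell_reconstruct(multipartite_phi(parts, p), sub, p)
            if val is not None:
                key.append(val)
                break
        else:
            return None
    return tuple(key)

def decomposition_rate(decomps):   # rho = l / max_i R_i
    R = {}
    for comps in decomps:
        for parts in comps:
            for P in (v for part in parts for v in part):
                R[P] = R.get(P, 0) + 1
    return Fraction(len(decomps), max(R.values()))

# Section 6 data.  Access structure #9 (p = 3) and #11 (p = 2):
PHI_9 = {"P1": (0, 1), "P2": (1, 1), "P3": (2, 1), "P4": (2, 1)}
BASIS_9 = [("P1", "P2"), ("P1", "P3"), ("P1", "P4"), ("P2", "P3"), ("P2", "P4")]
PHI_11 = {"P1": (0, 1, 0), "P2": (1, 0, 1), "P3": (0, 1, 1), "P4": (1, 1, 0)}
BASIS_11 = [("P1", "P2", "P3"), ("P1", "P4")]
# Access structure #5: D_1 = {{P1P2}, {P2P3, P3P4}}, D_2 = {{P2P3, P1P2}, {P3P4}},
# each component given as the parts of its K_2 or K_{1,2} (leaves first, hub second).
DECOMP_5 = [[[("P1",), ("P2",)], [("P2", "P4"), ("P3",)]],
            [[("P1", "P3"), ("P2",)], [("P3",), ("P4",)]]]
```

`satisfies_property1(PHI_11, BASIS_11, 2)` holds but `satisfies_property1(PHI_11, BASIS_11, 3)` does not, because over an odd prime the unauthorized subset $\{P_2, P_3, P_4\}$ also spans $(1, 0, 0)$; checking every subset rather than only the basis is what catches this. For #5 the shares produced by `decomposition_share` have the layout given in Section 6 (two values for $P_1$ and $P_4$, three for $P_2$ and $P_3$), and `decomposition_rate(DECOMP_5)` is $2/3$.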

6 Detailed Example

We consider the possible non-isomorphic access structures on two, three and four participants. We consider only those structures which cannot be partitioned into two non-empty subsets on disjoint participant sets (e.g. $\Gamma_0 = \{\{P_1, P_2\}, \{P_3, P_4\}\}$ is excluded). These structures are given in the following table; the column $\rho^*$ is the optimal information rate and the last column indicates how an optimal scheme is obtained.

   #   w   Subsets in $\Gamma_0$                                        $\rho^*$   Comments
   1   2   $P_1P_2$                                                      1        $(2, 2)$
   2   3   $P_1P_2$, $P_2P_3$                                            1        $K_{1,2}$
   3   3   $P_1P_2$, $P_2P_3$, $P_1P_3$                                  1        $(2, 3)$
   4   3   $P_1P_2P_3$                                                   1        $(3, 3)$
   5   4   $P_1P_2$, $P_2P_3$, $P_3P_4$                                  2/3
   6   4   $P_1P_2$, $P_1P_3$, $P_1P_4$                                  1        $K_{1,3}$
   7   4   $P_1P_2$, $P_1P_4$, $P_2P_3$, $P_3P_4$                        1        $K_{2,2}$
   8   4   $P_1P_2$, $P_2P_3$, $P_2P_4$, $P_3P_4$                        2/3
   9   4   $P_1P_2$, $P_1P_3$, $P_1P_4$, $P_2P_3$, $P_2P_4$              1        $K_{1,1,2}$
  10   4   $P_1P_2$, $P_1P_3$, $P_1P_4$, $P_2P_3$, $P_2P_4$, $P_3P_4$    1        $(2, 4)$
  11   4   $P_1P_2P_3$, $P_1P_4$                                         1        Brickell
  12   4   $P_1P_3P_4$, $P_1P_2$, $P_2P_3$                               2/3
  13   4   $P_1P_3P_4$, $P_1P_2$, $P_2P_3$, $P_2P_4$                     2/3
  14   4   $P_1P_2P_3$, $P_1P_2P_4$                                      1        Brickell
  15   4   $P_1P_2P_3$, $P_1P_2P_4$, $P_3P_4$                            1        Brickell
  16   4   $P_1P_2P_3$, $P_1P_2P_4$, $P_1P_3P_4$                         1        Brickell
  17   4   $P_1P_2P_3$, $P_1P_2P_4$, $P_1P_3P_4$, $P_2P_3P_4$            1        $(3, 4)$
  18   4   $P_1P_2P_3P_4$                                                1        $(4, 4)$

Of the 18 structures, we can obtain ideal schemes for 6 using threshold schemes (#1, #3, #4, #10, #17, #18), whereas 4 have a basis which is a complete multipartite graph (#2, #6, #7, #9) and are handled by Theorem 7. For access structure #9, take $d = 2$, $p = 3$ and define $\phi(P_1) = (0, 1)$, $\phi(P_2) = (1, 1)$, $\phi(P_3) = \phi(P_4) = (2, 1)$. For access structures #11, #14, #15 and #16, ad hoc applications of the Brickell scheme can be used to construct ideal schemes. For access structure #11, take $d = 3$, $p = 2$ and define $\phi(P_1) = (0, 1, 0)$, $\phi(P_2) = (1, 0, 1)$, $\phi(P_3) = (0, 1, 1)$, $\phi(P_4) = (1, 1, 0)$. (Property 1 must hold for every subset, not only for the basis. For this $\phi$ it holds over $\mathbb{Z}_2$; over an odd prime it fails, because $\phi(P_2) - \phi(P_3) + \phi(P_4) = (2, 0, 0)$, so the unauthorized subset $\{P_2, P_3, P_4\}$ could compute $K$ whenever $2$ is invertible.)

We now have to consider the 4 access structures #5, #8, #12 and #13. We show that there does not exist a scheme with $\rho > 2/3$ for these. To this end, we give another, equivalent definition of a perfect secret sharing scheme, in terms of entropy.

Definition 6. Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules. Then $\mathcal{F}$ is a perfect secret sharing scheme realizing the access structure $\Gamma$ provided that the following two properties are satisfied:
1. For any authorized subset of participants $B \subseteq \mathcal{P}$, $H(\mathbf{K} \mid \mathbf{B}) = 0$.
2. For any unauthorized subset of participants $B \subseteq \mathcal{P}$, $H(\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K})$.

Lemma 1. Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules realizing $\Gamma$. Suppose $B \notin \Gamma$ and $A \cup B \in \Gamma$, where $A, B \subseteq \mathcal{P}$. Then $H(\mathbf{A} \mid \mathbf{B}) = H(\mathbf{K}) + H(\mathbf{A} \mid \mathbf{B}\mathbf{K})$.

Proof: By the basic entropy lemmata, we have

  $H(\mathbf{A}\mathbf{K} \mid \mathbf{B}) = H(\mathbf{A} \mid \mathbf{B}\mathbf{K}) + H(\mathbf{K} \mid \mathbf{B})$

and

  $H(\mathbf{A}\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K} \mid \mathbf{A}\mathbf{B}) + H(\mathbf{A} \mid \mathbf{B})$,

so

  $H(\mathbf{A} \mid \mathbf{B}\mathbf{K}) + H(\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K} \mid \mathbf{A}\mathbf{B}) + H(\mathbf{A} \mid \mathbf{B})$.

Since by Property 2 of Definition 6 we have $H(\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K})$, and by Property 1 of Definition 6 we have $H(\mathbf{K} \mid \mathbf{A}\mathbf{B}) = 0$, the result follows.

Lemma 2. Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules realizing $\Gamma$. Suppose $A \cup B \notin \Gamma$, where $A, B \subseteq \mathcal{P}$. Then $H(\mathbf{A} \mid \mathbf{B}) = H(\mathbf{A} \mid \mathbf{B}\mathbf{K})$.

Proof: As in Lemma 1, we have that $H(\mathbf{A} \mid \mathbf{B}\mathbf{K}) + H(\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K} \mid \mathbf{A}\mathbf{B}) + H(\mathbf{A} \mid \mathbf{B})$. Since $H(\mathbf{K} \mid \mathbf{B}) = H(\mathbf{K})$ and $H(\mathbf{K} \mid \mathbf{A}\mathbf{B}) = H(\mathbf{K})$ (both $B$ and $A \cup B$ are unauthorized), the result follows.

Theorem 10. Suppose $\Gamma$ is an access structure such that $\{W, X\}, \{X, Y\}, \{W, Y, Z\} \in \Gamma$ and $\{W, Y\}, \{X\}, \{W, Z\} \notin \Gamma$. Let $\mathcal{F}$ be any perfect secret sharing scheme realizing $\Gamma$. Then $H(\mathbf{X}\mathbf{Y}) \ge 3H(\mathbf{K})$.

Proof: We establish a sequence of equalities and inequalities which follow from Lemma 1 and Lemma 2:

  $H(\mathbf{K}) = H(\mathbf{Y} \mid \mathbf{W}\mathbf{Z}) - H(\mathbf{Y} \mid \mathbf{W}\mathbf{Z}\mathbf{K})$   (Lemma 1: $\{W, Z\} \notin \Gamma$, $\{W, Y, Z\} \in \Gamma$)
  $\le H(\mathbf{Y} \mid \mathbf{W}\mathbf{Z})$
  $\le H(\mathbf{Y} \mid \mathbf{W})$
  $= H(\mathbf{Y} \mid \mathbf{W}\mathbf{K})$   (Lemma 2: $\{W, Y\} \notin \Gamma$)
  $\le H(\mathbf{X}\mathbf{Y} \mid \mathbf{W}\mathbf{K})$
  $= H(\mathbf{X} \mid \mathbf{W}\mathbf{K}) + H(\mathbf{Y} \mid \mathbf{W}\mathbf{X}\mathbf{K})$
  $\le H(\mathbf{X} \mid \mathbf{W}\mathbf{K}) + H(\mathbf{Y} \mid \mathbf{X}\mathbf{K})$
  $= H(\mathbf{X} \mid \mathbf{W}) - H(\mathbf{K}) + H(\mathbf{Y} \mid \mathbf{X}) - H(\mathbf{K})$   (Lemma 1 twice: $\{W, X\}, \{X, Y\} \in \Gamma$ and $\{W\}, \{X\} \notin \Gamma$, the former by monotonicity from $\{W, Y\} \notin \Gamma$)
  $\le H(\mathbf{X}) - H(\mathbf{K}) + H(\mathbf{Y} \mid \mathbf{X}) - H(\mathbf{K})$
  $= H(\mathbf{X}\mathbf{Y}) - 2H(\mathbf{K})$.

Hence $H(\mathbf{X}\mathbf{Y}) \ge 3H(\mathbf{K})$, and the result follows.

Corollary 1. Suppose that $\Gamma$ is an access structure satisfying the hypotheses of the above theorem, and the $|\mathcal{K}|$ keys are equally probable. Then $\rho \le 2/3$.

Proof: Since the keys are equiprobable, $H(\mathbf{K}) = \lg |\mathcal{K}|$. Also, we have that

  $H(\mathbf{X}\mathbf{Y}) \le H(\mathbf{X}) + H(\mathbf{Y}) \le \lg |\mathcal{S}(X)| + \lg |\mathcal{S}(Y)|$.

By Theorem 10, we have that $H(\mathbf{X}\mathbf{Y}) \ge 3H(\mathbf{K})$. Hence, it follows that

  $\lg |\mathcal{S}(X)| + \lg |\mathcal{S}(Y)| \ge 3 \lg |\mathcal{K}|$.

Now, by the definition of information rate, we have

  $\rho \le \dfrac{\lg |\mathcal{K}|}{\lg |\mathcal{S}(X)|}$ and $\rho \le \dfrac{\lg |\mathcal{K}|}{\lg |\mathcal{S}(Y)|}$.

It follows that

  $3 \lg |\mathcal{K}| \le \lg |\mathcal{S}(X)| + \lg |\mathcal{S}(Y)| \le \dfrac{\lg |\mathcal{K}|}{\rho} + \dfrac{\lg |\mathcal{K}|}{\rho} = \dfrac{2 \lg |\mathcal{K}|}{\rho}$.

Hence, $\rho \le 2/3$.

Theorem 11. Suppose $G = (V, E)$ is a connected graph that is not complete multipartite. Let $\Gamma(G)$ denote the access structure $\mathrm{cl}(E)$. Then $\rho^*(\Gamma(G)) \le 2/3$.

Proof: We will first prove that any connected graph that is not a complete multipartite graph must contain four vertices $w, x, y, z$ such that the induced subgraph $G[w, x, y, z]$ is isomorphic to either the basis of access structure #5 or that of #8. Let $G^c$ denote the complement of $G$. Since $G$ is not a complete multipartite graph, non-adjacency is not transitive, so there must exist three vertices $x, y, z$ such that $xy, yz \in E(G^c)$ and $xz \in E(G)$. Define $d = \min\{d_G(y, x), d_G(y, z)\}$, where $d_G$ denotes the length of a shortest path in $G$. Then $d \ge 2$. Without loss of generality, we can assume that $d = d_G(y, x)$ by symmetry. Let $y_0, y_1, \ldots, y_{d-1}, x$ be a shortest path in $G$, where $y_0 = y$. We have that $y_{d-2}z, y_{d-2}x \in E(G^c)$ (otherwise $z$ or $x$ would be at distance at most $d - 1$ from $y$) and $y_{d-2}y_{d-1}, y_{d-1}x, xz \in E(G)$. It follows that $G[y_{d-2}, y_{d-1}, x, z]$ is isomorphic to the basis of access structure #5 (if $y_{d-1}z \notin E(G)$) or #8 (if $y_{d-1}z \in E(G)$), as desired.

So, we can assume that we have found four vertices $w, x, y, z$ such that the induced subgraph $G[w, x, y, z]$ is isomorphic to the basis of access structure #5 or #8. Now, let $\mathcal{F}$ be any scheme realizing the access structure $\Gamma(G)$. If we restrict the domain of the distribution rules to $w, x, y, z$, then we obtain a scheme $\mathcal{F}'$ realizing access structure #5 or #8. It is also obvious that $\rho(\mathcal{F}') \ge \rho(\mathcal{F})$, since $\rho$ is a minimum over participants and $\mathcal{F}'$ has fewer of them. Since $\rho(\mathcal{F}') \le 2/3$, it follows that $\rho(\mathcal{F}) \le 2/3$. This completes the proof.

Using the monotone circuit construction, we can at best attain $\rho = 1/2$ for access structures #5, #8, #12 and #13. We use the decomposition construction to construct optimal schemes.

Consider access structure #5. We know $\rho^* \le 2/3$. Let $p$ be prime, and consider the following two ideal $\mathbb{Z}_p$-decompositions:
  $D_1 = \{\Gamma_{1,1}, \Gamma_{1,2}\}$ where $\Gamma_{1,1} = \{\{P_1, P_2\}\}$ and $\Gamma_{1,2} = \{\{P_2, P_3\}, \{P_3, P_4\}\}$;
  $D_2 = \{\Gamma_{2,1}, \Gamma_{2,2}\}$ where $\Gamma_{2,1} = \{\{P_2, P_3\}, \{P_1, P_2\}\}$ and $\Gamma_{2,2} = \{\{P_3, P_4\}\}$.
Each of these components is the edge set of a $K_2$ or a $K_{1,2}$ and hence ideal by Theorem 7. We combine the two decompositions by applying Theorem 9 with $l = 2$ and get a scheme with $\rho = 2/3$. $D$ chooses four random elements (independently) from $\mathbb{Z}_p$, say $b_{11}, b_{12}, b_{21}$ and $b_{22}$. Given a key $(K_1, K_2) \in (\mathbb{Z}_p)^2$, $D$ distributes shares as follows:
  $P_1$ receives $b_{11}, b_{21}$;
  $P_2$ receives $b_{11} + K_1, b_{12}, b_{21} + K_2$;
  $P_3$ receives $b_{12} + K_1, b_{21}, b_{22}$;
  $P_4$ receives $b_{12}, b_{22} + K_2$.
All arithmetic is performed in $\mathbb{Z}_p$.

7 Matrix-based Key Sharing

This can be used to achieve common key distribution between entities (users) in a large open network. There is a central Key Managing Centre (KMC) which generates a secret symmetric square matrix $G$ of dimension $n \times n$. When entity A joins the system, A sends his ID vector $I_A = (I_{A1}, \ldots, I_{An})$ to the centre, which then sends him his secret information $S_A$. The formal key-sharing algorithm is:

1. The centre computes user A's secret information $S_A$ as $S_A = I_A \cdot G$. User A stores the secret information $S_A$ in his card.
2. A then computes the common key $k_{AB}$ using user B's $I_B$: $k_{AB} = S_A \cdot I_B^{T} = I_A \cdot G \cdot I_B^{T}$.
3. User B likewise computes the common key using user A's $I_A$: $k_{BA} = S_B \cdot I_A^{T} = I_B \cdot G \cdot I_A^{T}$.
4. Since $G$ is symmetric, $k_{AB} = k_{BA}$, and this is the common key.

If users conspire and pool their secret information $S_i$, the secret matrix $G$ can be found: $G$ is determined by its action on a basis, so $n$ users with linearly independent ID vectors recover $G$ completely, and with it every key in the system. Fewer than $n$ colluders do not suffice, whatever the symmetry of $G$: if $w$ is a non-zero vector orthogonal to all of their ID vectors, then $G + \lambda w w^{T}$ is consistent with everything they hold for every $\lambda$, and these candidates give different keys to users whose ID vectors are not orthogonal to $w$.

8 ID-based Key Exchange Protocol

This is a method proposed by Günther and Boveri for exchanging authenticated session keys for closed user groups and public communication systems of arbitrary size. It consists of two phases:
1. A primary preauthentication phase involving a Key Authentication Centre (KAC).
2. The key exchange phase.

In the first phase, all users who wish to join the communication network should contact the KAC (which lays down the system parameters) and identify themselves. After verifying the user's identity, the KAC sends him the signature of his name and the system parameters. The user should verify the authenticity of the signature. The most important feature of this protocol is that a user is able to authenticate himself in the key exchange phase without further communication with the KAC and without exposing the secret signature of his name.

The KAC chooses a one-way function $f$, a primitive element $g \in GF(p)$ where $p$ is prime, and a random number $X \in \mathbb{Z}_{p-1}$ such that $\gcd(X, p-1) = 1$. $X$ is the KAC's secret key, which is used to compute the public key $Y \equiv g^X \pmod p$. Now, user A contacts the KAC and identifies himself. If the centre accepts him, it provides A with $f$, $GF(p)$, $g$ and $Y$.

Protocol between KAC and user A
1. User A sends his description $D_A$ to the KAC.
2. The KAC chooses a random number $K_A \in \mathbb{Z}_{p-1}$ such that $\gcd(K_A, p-1) = 1$ and computes $R_A = g^{K_A} \bmod p$. The KAC computes $ID_A = f(D_A)$. The centre also solves the equation $ID_A \equiv X R_A + K_A S_A \pmod{p-1}$ for $S_A$, which is A's secret key.
3. The centre now transmits A's secret key $S_A$ and public key $R_A$ to A.
4. Upon receipt of $R_A$ and $S_A$, A establishes whether they are legitimate by checking $g^{ID_A} \equiv Y^{R_A} \cdot R_A^{S_A} \pmod p$.

Session Key Exchange Protocol for users A and B
1. User A sends $(ID_A, R_A)$ to user B. (Note that making $R_A$ public does not compromise $S_A$.)
2. Upon receipt of $(ID_A, R_A)$, B computes $R_A^{S_A} \bmod p = g^{ID_A} \cdot (Y^{R_A})^{-1} \bmod p$. B sends $(ID_B, R_B)$ to A, who computes $R_B^{S_B} \bmod p$ in the same way.
3. A selects a random $T_A \in \mathbb{Z}_{p-1}$ such that $\gcd(p-1, T_A) = 1$. He computes $U_A = R_B^{T_A} \bmod p$ and sends it to B.
4. B selects a random $T_B \in \mathbb{Z}_{p-1}$ such that $\gcd(p-1, T_B) = 1$. Using $R_A$ and $T_B$, B computes $U_B = R_A^{T_B} \bmod p$. B sends $U_B$ to A.
5. Utilizing $U_B$, $S_A$, $R_B^{S_B}$ and $T_A$, A computes the common session key $S_{KA} = U_B^{S_A} \cdot (R_B^{S_B})^{T_A} \bmod p$. Similarly, B computes the session key $S_{KB} = U_A^{S_B} \cdot (R_A^{S_A})^{T_B} \bmod p$.

Note: $S_{KA} = S_{KB} = R_A^{S_A T_B} \cdot R_B^{S_B T_A} \bmod p$.

9 Conclusion

The report dealt with the following aspects of secret sharing:
- The need for secret sharing.
- The threshold scheme for secret sharing.
- The idea of perfect secret sharing, and the notion of information rate used to evaluate the efficiency of such schemes.
- Different constructions and methods for secret sharing.
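The matrix scheme of Section 7 as an added example (not the report's code). The KMC's symmetric matrix is taken over $\mathbb{Z}_p$ and the four ID vectors are constructed here; both are assumptions of the example. The collusion check enumerates every symmetric matrix consistent with the colluders' secret vectors, so it is exhaustive and only meant for toy $n$ and $p$: for $n = 3$, two colluders leave $p$ candidates and three colluders with independent IDs leave exactly one.

```python
# Matrix-based key sharing of Section 7 (a Blom-type scheme).  Added example,
# not the report's code: the KMC's secret symmetric matrix G lives in Z_p and
# every user's ID is a vector over Z_p (both assumptions).  S_A = I_A G is the
# user's secret; k_AB = S_A . I_B^T = I_A G I_B^T = k_BA because G is symmetric.
import secrets
from itertools import product

def symmetric_matrix(n, p, rng=secrets):
    """KMC setup: random symmetric n x n matrix over Z_p."""
    G = [[0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i, n):
            G[i][j] = G[j][i] = rng.randbelow(p)
    return G

def matvec(v, G, p):
    """Row vector times matrix, v . G, over Z_p."""
    return [sum(v[i] * G[i][j] for i in range(len(v))) % p for j in range(len(G[0]))]

def enrol(G, id_vec, p):
    """Step 1: the centre hands user A the secret S_A = I_A . G."""
    return matvec(id_vec, G, p)

def common_key(own_secret, peer_id, p):
    """Steps 2-3: k_AB = S_A . I_B^T (B computes the same value from S_B, I_A)."""
    return sum(s * i for s, i in zip(own_secret, peer_id)) % p

def consistent_matrices(colluders, n, p):
    """Every symmetric G over Z_p that agrees with the pooled (I_i, S_i) pairs.
    Exhaustive, so toy n and p only.  With fewer than n independent IDs the
    answer always has several elements: G + lambda * w w^T is consistent for
    any w orthogonal to the colluders' IDs."""
    found = []
    for upper in product(range(p), repeat=n * (n + 1) // 2):
        G, it = [[0] * n for _ in range(n)], iter(upper)
        for i in range(n):
            for j in range(i, n):
                G[i][j] = G[j][i] = next(it)
        if all(matvec(I, G, p) == list(S) for I, S in colluders):
            found.append(G)
    return found

# Constructed toy system: n = 3, p = 5, four users with fixed ID vectors
# (A, B, C are linearly independent over Z_5).
P = 5
IDS = {"A": (1, 2, 3), "B": (1, 1, 1), "C": (2, 0, 1), "D": (3, 4, 1)}

def demo(G=None):
    """(all pairwise keys agree, #G consistent with A+B, #G consistent with A+B+C)."""
    G = symmetric_matrix(3, P) if G is None else G
    S = {u: enrol(G, v, P) for u, v in IDS.items()}
    agree = all(common_key(S[u], IDS[v], P) == common_key(S[v], IDS[u], P)
                for u in IDS for v in IDS)
    two = consistent_matrices([(IDS[u], S[u]) for u in "AB"], 3, P)
    three = consistent_matrices([(IDS[u], S[u]) for u in "ABC"], 3, P)
    return agree, len(two), len(three)
```

`demo()` returns `(True, 5, 1)`: with A and B colluding the five candidates are $G + \lambda w w^{T}$ for $w = (1, 3, 1)$, the vector orthogonal to both IDs over $\mathbb{Z}_5$, and only the third independent ID pins $G$ down.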
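The two phases of Section 8 as an added example (not the report's code). Assumptions of the example: $p = 2^{31} - 1$ with primitive root $g = 7$ (checked by `is_primitive_root` from the prime factors of $p - 1$), the one-way function $f$ is SHA-256 reduced modulo $p - 1$, and randomness comes from the `secrets` module; a real deployment would use a far larger prime, with the arithmetic unchanged.

```python
# ID-based key exchange of Section 8 (Gunther's protocol).  Added example;
# assumptions: p = 2^31 - 1 with primitive root g = 7 (checked below), the
# one-way function f is SHA-256 reduced mod p-1, randomness from secrets.
import hashlib
import math
import secrets

P = 2**31 - 1
G = 7
PRIME_FACTORS_OF_P_MINUS_1 = (2, 3, 7, 11, 31, 151, 331)   # 2^31 - 2 = 2 * 3^2 * 7 * 11 * 31 * 151 * 331

def is_primitive_root(g, p, prime_factors):
    """g generates Z_p^* iff g^((p-1)/q) != 1 for every prime q dividing p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors)

def f(description):
    """ID_A = f(D_A): the KAC's public one-way function (assumed SHA-256)."""
    return int.from_bytes(hashlib.sha256(description.encode()).digest(), "big") % (P - 1)

def random_unit(rng=secrets):
    """Random element of Z_{p-1} with gcd(., p-1) = 1, as required for X, K_A, T_A."""
    while True:
        k = rng.randbelow(P - 2) + 1
        if math.gcd(k, P - 1) == 1:
            return k

class KAC:
    """Key Authentication Centre: secret X, public Y = g^X mod p."""
    def __init__(self):
        self.x = random_unit()
        self.y = pow(G, self.x, P)

    def enrol(self, description):
        """Preauthentication: R_A = g^{K_A}; S_A solves ID_A = X R_A + K_A S_A (mod p-1)."""
        id_a, k_a = f(description), random_unit()
        r_a = pow(G, k_a, P)
        s_a = (id_a - self.x * r_a) * pow(k_a, -1, P - 1) % (P - 1)
        return id_a, r_a, s_a          # (ID_A, public R_A, secret S_A)

def certificate_valid(y, id_a, r_a, s_a):
    """Step 4 of the KAC protocol: g^{ID_A} == Y^{R_A} * R_A^{S_A} (mod p)."""
    return pow(G, id_a, P) == pow(y, r_a, P) * pow(r_a, s_a, P) % P

def peer_value(y, id_a, r_a):
    """R_A^{S_A} mod p computed by the peer from public data: g^{ID_A} (Y^{R_A})^{-1}."""
    return pow(G, id_a, P) * pow(pow(y, r_a, P), -1, P) % P

def session_keys(y, cert_a, cert_b):
    """Runs the exchange between A and B; returns (S_KA, S_KB), which must agree."""
    id_a, r_a, s_a = cert_a
    id_b, r_b, s_b = cert_b
    rb_sb = peer_value(y, id_b, r_b)      # step 2, at A: R_B^{S_B}
    ra_sa = peer_value(y, id_a, r_a)      # step 2, at B: R_A^{S_A}
    t_a, t_b = random_unit(), random_unit()
    u_a = pow(r_b, t_a, P)                # step 3: A -> B
    u_b = pow(r_a, t_b, P)                # step 4: B -> A
    key_a = pow(u_b, s_a, P) * pow(rb_sb, t_a, P) % P     # step 5 at A
    key_b = pow(u_a, s_b, P) * pow(ra_sa, t_b, P) % P     # step 5 at B
    return key_a, key_b
```

The certificate check is the ElGamal verification equation for the KAC's signature on $ID_A$, which is why `peer_value` can recover $R_A^{S_A}$ from $(ID_A, R_A)$ and $Y$ alone without ever learning $S_A$; flipping a single bit of $ID_A$ makes `certificate_valid` fail.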

This report emphasized a linear-algebraic and combinatorial approach to secret sharing. Secret sharing also has interesting connections with matroid theory (Brickell) and geometric techniques (Stinson).

References

[1] Douglas R. Stinson. "Cryptography: Theory and Practice". CRC Press.
[2] Man Young Rhee. "Cryptography and Secure Communication". McGraw-Hill Series on Computer Communication.


More information

On the Classification of Ideal, Secret Sharing Schemes

On the Classification of Ideal, Secret Sharing Schemes On the Classification of Ideal, Secret Sharing Schemes (Extended Abstract) Ernest F. Brickell Daniel M. Davenport Sandia National Laboratories Albuquerque, l NM 87185 Abstract In a secret sharing scheme,

More information

Math 5210, Definitions and Theorems on Metric Spaces

Math 5210, Definitions and Theorems on Metric Spaces Math 5210, Definitions and Theorems on Metric Spaces Let (X, d) be a metric space. We will use the following definitions (see Rudin, chap 2, particularly 2.18) 1. Let p X and r R, r > 0, The ball of radius

More information

Algebraic function fields

Algebraic function fields Algebraic function fields 1 Places Definition An algebraic function field F/K of one variable over K is an extension field F K such that F is a finite algebraic extension of K(x) for some element x F which

More information

MATH HL OPTION - REVISION SETS, RELATIONS AND GROUPS Compiled by: Christos Nikolaidis

MATH HL OPTION - REVISION SETS, RELATIONS AND GROUPS Compiled by: Christos Nikolaidis MATH HL OPTION - REVISION SETS, RELATIONS AND GROUPS Compiled by: Christos Nikolaidis PART B: GROUPS GROUPS 1. ab The binary operation a * b is defined by a * b = a+ b +. (a) Prove that * is associative.

More information

Visual cryptography schemes with optimal pixel expansion

Visual cryptography schemes with optimal pixel expansion Theoretical Computer Science 369 (2006) 69 82 wwwelseviercom/locate/tcs Visual cryptography schemes with optimal pixel expansion Carlo Blundo a,, Stelvio Cimato b, Alfredo De Santis a a Dipartimento di

More information

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered

protocols such as protocols in quantum cryptography and secret-key agreement by public discussion [8]. Before we formalize the main problem considered Privacy Amplication Secure Against Active Adversaries? Ueli Maurer Stefan Wolf Department of Computer Science Swiss Federal Institute of Technology (ETH Zurich) CH-8092 Zurich, Switzerland E-mail addresses:

More information

1 The Well Ordering Principle, Induction, and Equivalence Relations

1 The Well Ordering Principle, Induction, and Equivalence Relations 1 The Well Ordering Principle, Induction, and Equivalence Relations The set of natural numbers is the set N = f1; 2; 3; : : :g. (Some authors also include the number 0 in the natural numbers, but number

More information