Analysis and Design of Multiple Threshold Changeable Secret Sharing Schemes

Transcription

1 Analyss and Desgn of Multple Threshold Changeable Secret Sharng Schemes Tancheng Lou 1 and Chrstophe Tartary 1,2 1 Insttute for Theoretcal Computer Scence Tsnghua Unversty Bejng, People s Republc of Chna 2 Dvson of Mathematcal Scences School of Physcal and Mathematcal Scences Nanyang Technologcal Unversty Sngapore loutancheng860214@gmal.com ctartary@ntu.edu.sg Abstract In a r, n)-threshold secret sharng scheme, no group of r 1) colludng members can recover the secret value s. However, the number of colluders s lely to ncrease over tme. In order to deal wth ths ssue, one may also requre to have the ablty to ncrease the threshold value from r to r > r), such an ncrement s lely to happen several tmes. In ths paper, we study the problem of threshold changeablty n a dealer-free envronment. Frst, we compute a theoretcal bound on the nformaton and securty rate for such a secret sharng. Second, we show how to acheve multple threshold change for a Chnese Remander Theorem le scheme. We prove that the parameters of ths new scheme asymptotcally reach the prevous bound. Keywords: Secret Sharng Scheme, Threshold Changeablty, Informaton Rate, Securty Rate, Chnese Remander Theorem, Dealer Free Update. 1 Introducton A r, n)-threshold secret-sharng TSS) scheme s a cryptographc prmtve, allowng a dealer to dvde a secret s nto n peces of nformaton called shares or shadows), dstrbute them among a group of n partcpants n such a way that the secret s reconstructble from any r shares whle any set of r 1 shadows cannot unquely determne s. Classcal constructons for threshold secret-sharng schemes nclude the polynomal-based Shamr scheme [12], geometry-based Blaley scheme [3] and the nteger-based Chnese Remander Theorem CRT) scheme [1]. A common applcaton for TSS schemes s to acheve robustness of dstrbuted securty systems. A dstrbuted system s called robust f ts securty s mantaned aganst an attacer who manages to brea nto a certan number of components of the system. In many settngs, the attacer capabltes are lely to change over tme. Ths threat requres the securty level.e. the threshold value) to vary as well. There s a trval soluton to the problem of ncreasng the threshold parameter of a r, n)-tss scheme. The partcpants smply dscard ther old shares whle the dealer dstrbute shadows of a r,n)-tss scheme to all partcpants. However, ths soluton s not very attractve snce t requres the dealer to be nvolved after the setup stage as well as the avalablty of a secure channel between the dealer and each one of the n group members. Such secure channels may not exst or may be dffcult to establsh after the ntal setup phase. There already exst TSS schemes allowng the threshold parameters to be changed after the ntal setup. Usng secret redstrbuton [6, 11] nvolves communcaton amongst the partcpants n order to redstrbute the secret usng a new threshold parameter. Although ths technque can be appled to standard secret-sharng schemes, ts dsadvantage s the need of secure channels for communcaton between partcpants. Constructons from [2, 5, 9] do not need such secure The orgnal verson of ths paper appears n the proceedngs of the 7th Internatonal Conference on Cryptology and Networ Securty CANS 2008), Lecture Notes n Computer Scence, vol. 5339, pp , Sprnger - Verlag. 1

2 channels, but they all requre the ntal secret-sharng scheme to be a non-standard one,.e. t must specally be desgned for threshold ncrease. Ramp schemes [4, 8] use optmal sze of shares but they are not perfect. Other technques [13, 14] can be appled to exstng schemes even f they were set up wthout consderaton to future threshold ncreases. Unfortunately, those approaches have worse securty than the constructon presented n [2, 5, 9]. The secret schemes desgned n [10, 16] acheve perfect securty before and after threshold modfcaton. However, the share sze has to be at least twce of the sze of secret. Moreover, f we change to threshold c tmes, the sze of the ntal shares needs to be at least c + 1) tmes as large as the secret s. In ths paper, we frst construct an upper-bound on the securty rate rato between the entropy of a largest unauthorzed group and the entropy of the secret) and nformaton rate rato between the share sze and the secret sze) of a changeable-threshold scheme. Second, we propose a new CRT-based secret sharng scheme allowng multple threshold updates. Our constructon allows to choose the securty rate of the scheme whle havng an nformaton rate meetng the prevous bound. We wll show that our scheme can acheves perfect securty, deal ntal scheme and optmal ramp-scheme the ramp-scheme uses optmal sze of shares) easly. In Secton 2, we brefly recall some defntons about TSS schemes. In Secton 3, we dscuss the defnton of the changeable-threshold secret-sharng scheme as well as the upper-bound on the securty rate and nformaton rate for threshold change. In Secton 4, we present our constructon allowng to ncrease the threshold parameter c 1) tmes. After provng ts correctness and effcency, we present two examples: one for standard ntal scheme and one for optmal ramp-scheme. The last secton concludes the paper. 2 Prelmnares In ths secton, we revew some basc defntons related to secret sharng. Defnton 1 TSS Scheme [13]) Denote P = {P 1,P 2,,P n } a group of n partcpants. Let S be the set of secrets and let the share of P come from a set S. Denote R a set of random strngs. A r,n)-threshold Secret-Sharng TSS) scheme s a par of algorthms called the dealer and the combner worng as follows: For a gven secret from S and some random strng from R, the dealer algorthm apples the mappng: to assgn shares to partcpants from P. D r,n : S R S 1 S 2 S n The shares of a subset A P of partcpants can be nput nto the combner algorthm. Denote S A the set of shares of partcpants from A. The mappng: C r,n : S A S unquely determnes the secret when A r. Otherwse, t fals to unquely determne the secret value. The prevous defnton s rather general and t does not specfy what can occur when the secret s not reconstructed. As a consequence, one of the basc problems n the feld of secret sharng schemes s to derve bounds on the amount of nformaton revealed by at most r 1 shares. Defnton 2 Securty Rate [15]) For a r, n)-tss scheme wth secret s, the securty rate φ s the real number defned as: { } HS S1,...,S m ) φ = mn : { 1,..., m } {1,...,n} and m < r HS) where S s the -th share for {1,...,n}). Defnton 3 Perfect TSS Scheme [15]) Consder a r,n)-tss scheme wth the followng propertes: 1. f A r then HS S A ) = 0 2. f A < r then HS S A ) = HS) where s denote the secret and H s the entropy functon. Then, ths secret sharng s called perfect. Note that, for a perfect scheme, we have: φ = 1. A perfect r,n)-tss scheme allows the dealer to dstrbute a secret s amongst a group of n partcpants n such a way that any r-subgroup of members can reconstruct t whle no subsets of less than r partcpants can gan any nformaton about s. Another effcency parameter of secret sharng schemes s the amount of nformaton that the partcpants must eep secret. 2

3 Defnton 4 Informaton Rate [15]) For a r, n)-tss scheme wth secret s, we call nformaton rate of the scheme ρ, the value ρ defned as: { } HS) ρ = mn HS ) : 1 n where S s the -th share for {1,...,n}). Note that, for any perfect secret sharng scheme, we have: ρ 1 [15]. The followng defnton characterze the property that the nformaton rate s n optmal stuaton. Defnton 5 Ideal TSS Scheme [15]) A perfect r,n)-tss scheme s called deal f and only f ρ = 1. In other words, a perfect threshold scheme s deal when the sze of the shares s the same as the secret s. We can easly see that Shamr s scheme s deal. An example of non-perfect threshold scheme s gven by ramp schemes [4]. Such constructons offer a trade-off between securty and share sze. We frst revew the defntons of ramp-schemes as well as optmal ramp-schemes [7]. Defnton 6 Ramp Scheme [4]) A T, n)-threshold secret sharng scheme wth secret s s sad to be a C, T, n)-ramp scheme f t satsfes the followng propertes: 1. If A T, then HS A) = If C < A < T, then 0 < HS A) < HS). 3. If A C, then HS A) = HS). In a ramp scheme, each share sze can be smaller than the secret sze. However, the smaller the share sze gets, the more nformaton about the secret s revealed. We have the followng theorem presented n [7]. Theorem 1 [7]) For any C, T,n)-ramp scheme, we have: HS S A ) T R T C HS) and {1,...,n} HS ) HS) T C Defnton 7 Optmal Ramp Scheme [7]) A C, T, n)-ramp scheme s sad to be optmal, f t has the property that HS S A ) = T R HS) hold for any A {1,2,...,n} such that A = R and C R T and shares are of mnmal T C sze HS ) = HS) T C. 3 Threshold Changeablty for Secret-Sharng Scheme 3.1 Defnton and Effcency Measures As sad n Secton 1, t sometmes occurs that the securty level be changed before the secret s to be reconstructed. Let P = {P 1,...,P n } be a group of n partcpants and denote S the set of secrets. Defnton 8 Threshold Changeablty) A r,n)-threshold changeable scheme s a threshold scheme where the threshold can be ncreased c 1) tmes, r = r 1,...,r c ) wth r 1 < r for {1,...,c}. The ntal,n)-threshold scheme s denoted Π 0 and the th derved r,n)-threshold scheme s denoted Π. For any {0,...,c} and any j {1,...,n}, we let S,j denote the set of j-th shares of Π. There exsts one dealer algorthm, c combner sub-share combner) algorthms and cn sub-share generaton algorthms wth the followng propertes: For a gven secret from S and some random strng from R, the dealer algorthm apples the mappng: to assgn shares to partcpants from P. D r0,n : S R S 0,1 S 0,n For any share from S,j, there exsts a sub-share generaton algorthm: E r0 r,,j : S,j S +1,j to modfy shares for ncreasng the threshold parameter from r to r +1 for any {0,...,c 1}. 3

4 For any {0,...,c}, the shares of a subset A P of partcpants can be nput nto the combner algorthm. Let S,A denote the set of shares of A n Π, f A r then the mappng: C r0 r, : S,A S reconstructs the secret. And for any r 1 partcpants, t always faled to recover the secret. In the defntons gven above, the sub-share generaton algorthms can be probablstc dealer free). The thrd pont of Defnton 8 nvolves that, for any r -group G, there exsts j 0 G such that Hs,j0 s +1,j0 ) > 0. Indeed, n the opposte stuaton, there would be a r -group G such that: P j G Hs,j s +1,j ) = 0. Ths would mply that each of the r members of G could reconstruct hs share related to threshold r from hs share related to the new value r +1 > r ). Thus, we would not have a r +1,n)-threshold scheme after threshold update whch contradcts the defnton of threshold changeablty. Remar. We would le to call the reader s attenton to the fact that old shares are assumed to be deleted after performng any threshold update. That s, after updatng the threshold value from r to r r+1, each of the n partcpants eeps the share related to the new value r +1 and dscards the shadow related to r for {0,...,c 1}). The effcency of a TSS scheme can be measured by ts securty rate and nformaton rate. We generalze those defntons to the case of a threshold changeable scheme. Defnton 9 Securty and Informaton Rates) Let Π 0,...,Π c be a r,n)-threshold changeable scheme where r = r 1,...,r c ) wth r 1 < r for {1,...,c}. Let φ denote the securty rate of Π. The securty rate φ of the changeable scheme Π 0,...,Π c s defned as mn {φ }. Let ρ denote the nformaton rate of Π. The nformaton {0,...,c} rate ρ of the changeable scheme Π 0,...,Π c s defned as mn {ρ }. {0,...,c} We wll present the defnton of determnstc r,n)-threshold changeable scheme, where r = r 1,r 2 r c ). Defnton 10 Determnstc Threshold Changeable Scheme) Let Π 0,...,Π c be a r,n)-threshold changeable scheme. The scheme Π 0,...,Π c s called determnstc, f all the c sub-share generaton algorthms are determnstc. In other words, there exst determnstc functons h,j, such that s +1,j = h,j s,j ), where s,j s j-th shadow of Π for {0,...,c 1} and j {1,...,n}. Many exstng secret-sharng schemes le Shamr s constructon [12] and the CRT-based secret sharng [1]) are deal. We have the followng result. Lemma 1 Let Π 0,...,Π c be a determnstc r,n)-threshold changeable scheme. If the ntal,n)-tss scheme Π 0 s deal then the fnal r c,n)-tss scheme Π c cannot be deal. Proof. We demonstrate ths result by contradcton. Assume the r c,n)-tss scheme Π c s deal. We fx {1,...,n}. We have: So, we get: IS 0, ;S c, ) = HS 0, ) HS 0, S c, ) = HS c, ) HS c, S 0, ) HS 0, S c, ) = HS 0, ) HS c, ) + HS c, S 0, ) = HS c, S 0, ) Snce the algorthm to update the threshold s determnstc, we have: HS 0, S c, ) = HS c, S 0, ) = 0. Ths means that one can recover S 0, from S c, for any {1,...,n}. Thus, the resultng scheme Π c s also a,n)-threshold secretsharng scheme, whch s mpossble. 3.2 Upper Bounds on the Securty Rate and the Informaton Rate Defnton 11 Suppose T s a r, n)-tss scheme wth secret s. It s called a φ, ρ) Sem-Random Dealer and Complete Randomness Recovery Combner SRDCRRC) scheme f t has the followng propertes: 1. T has securty rate φ. Ths means that we have HS S 1,...,S m ) φhs) for any { 1,..., m } {1,...,n} and m < r. 2. T has nformaton rate ρ. Ths means that we have HS ) HS) ρ for any {1,...,n}. 3. When the dealer of T wants to share s, he secretly chooses one random strng a and uses the par α = s,a) to construct the n shares. The method to output n shares usng α s determnstc. 4

5 4. The combner of T can recover the secret s f and only f t can unquely determne α. In other words, by any r shares, the combner can reconstruct not only the secret s but also all random bts a. Lemma 2 Suppose T s a r,n)-threshold secret-sharng scheme as well as a φ,ρ) SRDCRRC-scheme. Let S denote -th share of T. We have: Hα) = HS 1,...,S r ). Proof. Snce the dealer algorthm s determnstc, we have: HS 1,...,S r α) = 0. On the other hand, usng S 1,...,S r, the combner can recover the vector α. So, we have: Hα S 1,...,S r ) = 0. As a consequence, we get: Hα) = HS 1,...,S r ). Remar. The prevous result s vald for any r shares. We focused on S 1,...,S r as ths wll be used to demonstrate the followng lemma. Lemma 3 Suppose T s a r, n)-threshold secret-sharng scheme wth secret s as well as a φ, ρ) SRDCRRC-scheme. Then: Hα) rφhs). Proof. Let S denote the -th share of T. Accordng to Lemma 2, we have: We get: Hα) Hα) = HS 1,...,S r ) = HS 1 ) + HS 2,...,S n S 1 ) = HS 1 ) + HS 2 S 1 ) + HS 3,...,S n S 1,S 2 ) r = HS S 1,...,S 1 ) =1 r HS {S 1,...,S r } \ {S }). =1 Let A be a r-subset and choose any partcpant from A, defne B = A \ {} and the sze of B s r 1. Let S B denote the shares of all partcpants n B. Snce T has a securty rate φ, we have HS S B ) φhs). Usng S B, we get a set of possble secrets S S) such that s S and HS ) = φhs) where S s the set of all secrets. Hence, for each s S, there s a dstrbuton rule[15] dsts ) such that the shares of B are the same. Snce A s authorzed, we must have: S dsts1) S dsts2) when s 1 s 2 and s 1,s 2 S. Thus: HS S B ) HS ) φhs). Thus: {1,...,r} HS {S 1,...,S r } \ {S }) φhs). Ths acheves our proof. Theorem 2 Suppose that there exsts a determnstc algorthm for changng a r,n)-tss scheme T 1 to r,n)-tss scheme T 2. Assume that T 1 s a φ 1,ρ 1 ) SRDCRRC-scheme and T 2 s a φ 2,ρ 2 ) SRDCRRC-scheme. We have: mnρ 1,ρ 2 ) mnφ 1,φ 2 ) r r Proof. The dealer algorthm of T 2 s the dealer algorthm of T 1 followed by the determnstc algorthm A to change the threshold. Accordng to Lemma 3, we have: Hα) r φ 2 HS). Let S 1, denote the -th share of T 1. Accordng to Lemma 2, we have: So: Thus, we get: Therefore, we have: max HS 1,) max HS 1,) 1 1 n 1 r r HS 1,1,...,S 1,r ) = Hα) r φ 2 HS) ρ 1 r =1 HS) max HS 1,) 1 n HS 1, ) 1 r HS 1,1,...,S 1,r ) r φ 2 r HS) HS) r φ 2 r HS) r r φ 2 mnρ 1,ρ 2 ) mnφ 1,φ 2 ) ρ 1 φ 2 r r 5

6 Remar. Note that f both T 1 and T 2 are perfect secret-sharng schemes, then the nformaton rate of T 1, T 2 s at most r r. Smlarly, f both T 1 and T 2 have shares as large as the secret, then the securty rate of T 1, T 2 s at most r r. 4 Threshold Changeablty for CRT Secret-Sharng Schemes 4.1 CRT Secret Sharng Scheme We now descrbe the CRT secret sharng scheme presented n [1]. Denote S the set of -subsets of {1,...,n}. A set of parwse coprme ntegers {p,m 1,...,m n } s chosen subject to the followng: ) ) M : S S r m M and S S r 1 m M p The reader may notce that the orgnal defnton by [1] s slghtly dfferent. However, t can be shown that both defntons are equvalent. Dealer. Suppose the secret value s s, we can assume that 0 s < p. Selectng a random nteger A n [0, M p y = s + Ap. The set of shadows s y 1,...,y n ), where y = y mod m for {1,...,n}. 1] and set Combner. To recover secret s, t clearly suffces to fnd y. If y 1,...,y r are nown, then y s nown modulo N 1 = r m j CRT). As N 1 M, ths unquely determnes y and thus s. On the other hand, f only r 1 shadows were nown, j=1 essentally no nformaton about the ey can be recovered. If y 1,...,y r 1 are nown, then we have the value of y modulo N 2 = r 1 m j. Snce M N 2 p and gcdn 2,p) = 1, the collecton of numbers n wth n y mod N 2 ) and n M cover j=1 all congruence classes modulo p, wth each class contanng at most one more or one less n than any other class. The CRT sharng scheme descrbed above s perfect. However, the constructon that we wll present n the next secton wll not as ts securty rate wll not be equal to A New CRT-Based Secret Sharng Scheme In ths secton, we present our constructon whch s a modfcaton of the CRT secret sharng scheme. Let n be the number of partcpants, we choose a set of ntegers {p,q,m 1,...,m n,w 1,...,w n } as follows: 1. gcdm w,m wj j ) =gcdm,m j ) = 1 for j, 2. gcdp,m w ) =gcdp,m ) = 1 for all and q p, ) 3. M : S S r M and S S r 1 m w m w M q ). Share Constructon. Suppose the secret value s s, we can assume that 0 s < p. Selectng a random nteger A n [0, M p 1], and set y = s + Ap. The set of shadows are y 1,...,y n ), where y = y mod m w. Secret Recovery. To recover secret s, t clearly suffces to fnd y. If y 1,...,y r are nown, then y s nown modulo N 1 = r m w j j CRT). As N 1 M, ths unquely determnes y and thus s. j=1 On the other hand, f only r 1 shadows were nown, we can not unquely determne the secret s. If y 1,...,y r 1 are nown, then we have the value of y modulo N 2 = r 1 m w j. Snce M N 2 q and gcdn 2,p) = 1, the collecton of numbers j=1 j n wth n y mod N 2 ) and n M cover all congruence classes modulo q, wth each class contanng at most one more or one less n than any other class. So, the securty rate of the scheme: φ = Hx y 1,y 2,...,y r 1 ) Hx) 6 = log q log p = log p q

7 The nformaton rate of the scheme s: log p ρ = log max{m w : 1 n}) = log p max{w log m : 1 n} Remar. If the parameters p and q are equal, we can set m = mw secret sharng scheme set of parameters as defned n Secton 4.1. such that {p,m 1,...,m n} became a standard CRT 4.3 Constructon of a Multple Threshold Changeable Secret Sharng Scheme For the threshold ncrease problem, the basc dea of our method s the followng one: to ncrease the threshold parameter from r to r > r, the partcpants decrease values from w to w < w. For any φ 0,1], we can get a r,n)-threshold changeable scheme, such that the securty rate s at least φ and the nformaton rate ρ s at least. So, the bound constructed n Theorem 2 s met wth equalty. r c φ Suppose the secret value s s, we can assume that 0 s < B. Let w,j denote the value of w after the j-th transtons the -th share of scheme Π j ), for 1 n and 0 j c. Let φ be any element of 0,1]. We construct our scheme as follows: 1. GCs)Publc Parameter Generaton) r 2 c a) Pc any nteger u, set = u and d = r c. b) Pc any nteger l r c + φ log 2 B + 2log 2 n, choose n + 1 dstnct prmes m 0 < m 1 < < m n from the nterval [2 l,2 l+1 ]. Estmates of the densty of prmes show that one could easly fnd prmes m. c) Pc a prme ˆm from the nterval [2 l rc,2 l+1 rc ]. d) Set M = m d 0, q = ˆm and p = ˆm φ we have: p 2 l rc) φ 2 log 2 B B). e) Pc unformly at random a number A n [0, M p 1]. 2. Ds,A)Dealer Setup) To share secret s, set y = s + Ap. Set w,0 = d, and the -th ntal share s s,0 = y mod m w,0 3. Es,j )Sub-share Generaton) To generate sub-shares, let s,j denote the -th share of Π j the scheme afte changes). Set w,j+1 = the sub-share s: s,j+1 = s,j mod m w,j+1.. d Cs,S,j )Combner) To recover s, t clearly suffces to fnd y. Suppose S = {v 1,...,v rj }, f s v1,j,...,s vrj,j are nown, by the Chnese remander theorem, y s nown modulo N = m wv v,j =1. We wll prove that N p n the next secton. In ths settngs, only p,q,m 1,...,m n,,r c need to be publcly nown when settng up the orgnal scheme. When the partcpants want to ncrease the threshold value r, they smply need to agree on the new value r +1. Each of them can compute hs new share wthout any other nteracton. 4.4 Scheme Analyss In ths secton, we want to proof that our scheme satsfes the followng three condtons at any step j {0,...,c}. C1 :, ) {1,...,n} {1,...,n} gcdm w,j,m w,j ) = 1 for, and C2 : {1,...,n} gcdp,m w,j ) = 1 and q p, ) C3 : S S rj : m w,j M and S S rj 1 : m w,j M q ). For any j {0,...,c}, condtons C1 and C2 are trvally satsfed due to the choce of p,q,m 1,...,m n by the dealer. The proofs of the followng two lemmas can be found n Appendx A and Appendx B respectvely. 7

8 Lemma 4 For any j {0,...,c}, Condton C3 s satsfed f the followng two nequaltes are satsfed: S S rj w,j d 1) S S rj 1 Lemma 5 For any j {0,...,c}, Inequalty 1) and Inequalty 2) hold. w,j d 2) Combnng Lemma 4 and Lemma 5, we can prove that the scheme satsfes the three condtons C1, C2, C3 for any j {0,...,c}. Our constructon s a r,n)-threshold changeable scheme. The followng theorem shows that t has securty rate φ and the nformaton rate of the scheme ρ asymptotcally equals to r0 r c φ for any 0 < φ 1. Theorem 3 Securty and Informaton Rate) For any 0 < φ 1, the r,n)-threshold changeable scheme has securty rate φ. In addton, t asymptotcally meets wth equalty the upper bounds n Theorem 2. Proof. For any 0 < φ 1, the securty rate of the scheme s: The nformaton rate ρ of the scheme s: Therefore, we have: { } HS) ρ mn 1 n HS ) ρ l r c) φ d l + 1) log p q = log q log ˆm = log p log ˆm φ log max 1 n, 0 j c l r c l + 1 ˆm φ ) = { log m w,j log ˆm = φ log ˆm φ l r c ) φ )} max {l + 1)w,j} 1 n,0 j c r c φ r c φ l r c l r0 1) r c For any j {0,,c}, t s easy to see that Π j s a SRDCRRC-scheme as defned n Secton 3.2). So, we have: ρ r c φ If l and are asymptotcally large, then we have: ρ = r c φ Note that "l large" means that u s large. So, the upper bound n Theorem 2 s met wth equalty. 4.5 Comparson In ths secton, we want to compare our constructon wth prevous methods from [7, 10, 13, 14, 16]. It should be remembered that φ s to be chosen durng the set-up phase. We wll see that for dfferent values of φ, Π 0,...,Π c can be perfectly secure φ = 1), an asymptotcally optmal ramp-scheme φ = 1 T C ) or t can use a standard ntal scheme as Π 0. The secret sharng schemes desgned n [10, 16] acheve perfect securty before and after threshold modfcaton. However, the share sze has to be at least twce of the sze of secret. Moreover, f we change to threshold c tmes, the 1 nformaton rate s at most c+1. We have the followng result for our constructon whch s a drect consequence of Theorem 3. Proposton 1 Perfect Secure Changeable Scheme) Let Π 0,...,Π c be a r,n)-threshold changeable scheme where r = r 1,...,r c )) as constructed n Secton 4.3. If we set φ = 1, then Π 0,...,Π c has securty rate 1 and nformaton rate ρ such that: r c l r c l + 1 ρ + r0 1) r c r c 8

9 Ths proposton nvolves that each,n)-tss scheme Π j acheves perfect secrecy for any j {1,...,c}). Ths means that the secret s s reconstructble from any shares whle no nformaton about s leas out from any set of r 1 shadows. Technques n [13, 14] can be appled to exstng schemes even f they were set up wthout consderaton of future threshold ncreases. Ths s called the standard ntal scheme approach. Unfortunately, those constructons have worse securty. In addton, the secret recovery s only probablstc. Our constructon always guarantees s to be recovered. We wll show how to construct a threshold changeable secret sharng scheme Π 0,...,Π c, where Π 0 s a standard CRT scheme as defned n Secton 4.1), for any gven r,n) and r =,...,r c ) wth = r. Our dea s to use the constructon from Secton 4.3 whch s vald for any n,,...,r c ). We smply need to choose the constructon parameter φ of Π 0,...,Π c so that Π 0 s standard scheme. We use the next two lemmas, the proofs of whch are n Appendx C and Appendx D respectvely. Lemma 6 For a r,n)-threshold changeable scheme Π 0,...,Π c where r = r 1,...,r c ), f we set φ = r0 r c, then the ntal scheme Π 0 has perfect securty. Lemma 7 For a r,n)-threshold changeable scheme Π 0,...,Π c where r = r 1,...,r c ), f we set φ = r0 r c, then the ntal scheme Π 0 s a standard CRT scheme. When a secret sharng s set-up, the dealer gnores what securty level wll be requred n the future. Thus, the value r c s a pror unnown. We would le to emphaszed that ths ssue can be overcome easly. Indeed, when settng-up the scheme the dealer smply consder the par,r c ) where r c = n. He can construct Π 0,Π c. When the dfferent threshold updates occur, the partcpants can recursvely construct Π 0,Π 1,Π c, Π 0,Π 1,Π 2,Π c,..., Π 0,Π 1,Π 2,...,Π c wthout nteractng wth the dealer. Note that ths technque allows to desgn an ntermedate) SSS for any threshold value from { + 1,...,n}. We can use our method to construct an asymptotcally optmal C, T,n)-ramp scheme Π. The dea of our constructon s the followng one. Set φ = 1 T C, and use our method from Secton 4.3 to construct a C 1) T,n)-threshold changeable scheme ˆπ = Π 0,Π 1 where Π = Π 1. We have the followng result, the proof of whch s n Appendx E. Theorem 4 The secret sharng scheme Π constructed by the prevous method s asymptotcally an optmal C, T, n)-ramp scheme. 5 Concluson In ths paper, we frst studed the propertes of threshold changeable schemes. We deduced some bounds on the nformaton and securty rates for these constructons. Second, we ntroduce a new CRT-based secret sharng, allowng multple threshold changes after the orgnal set-up phase wthout requrng any nteractons wth the dealer. One beneft of our constructon s that the secret s always guaranteed to be recovered after any threshold update contrary to [13, 14] where recovery s only probablstc. We also demonstrated that a sutable choce of the securty rate φ led to a perfectly secure constructon. As n [13, 14], a pont of nterest to further nvestgate s to deal wth malcous partcpants who devate from the threshold update protocol. Acnowledgments The authors would le to than Professor Xaomng Sun for valuable dscussons on secret sharng. The authors are also grateful to the anonymous revewers for ther comments to mprove the qualty of ths paper. The two authors wor was supported by the Natonal Natural Scence Foundaton of Chna grant and the Natonal Basc Research Program of Chna grants 2007CB and 2007CB Chrstophe Tartary s research was also fnanced by the Mnstry of Educaton of Sngapore under grant T206B2204. References [1] Charles Asmuth and John Bloom. A modular approach to ey safeguardng. IEEE Transactons on Informaton Theory, IT-292): , March [2] Susan G. Barwc, Wen-A Jacson, and Keth M. Martn. Updatng the parameters of a threshold scheme by mnmal broadcast. IEEE Transactons on Informaton Theory, 512): , February

10 [3] George Robert Blaley. Safeguardng cryptographc eys. In AFIPS 1979 Natonal Computer Conference, pages , New Yor, USA, June AFIPS Press. [4] George Robert Blaley and Catherne Meadows. Securty of ramp schemes. In Advances n Cryptology - Crypto 84, volume 196 of Lecture Notes n Computer Scence, pages , Santa Barbara, USA, August Sprnger - Verlag. [5] Carlo Blundo, Antonella Crest, Alfredo De Sants, and Ugo Vaccaro. Fully dynamc secret sharng schemes. In Advances n Cryptology - Crypto 93, volume 773 of Lecture Notes n Computer Scence, pages , Santa Barbara, USA, August Sprnger - Verlag. [6] Yvo Desmedt and Sushl Jajoda. Redstrbutng secret shares to new access structures and ts applcatons. Techncal Report ISSE TR-97-01, George Mason unversty, [7] Wen-A Jacson and Keth M. Martn. A combnatoral nterpretaton of ramp schemes. Australasan Journal of Combnatorcs, 14:51 60, September [8] Ayao Maeda, Atsuo Myaj, and Mtsuru Tada. Effcent and uncondtonally secure verfable threshold changeable scheme. In 6th Australasan Conference on Informaton Securty and Prvacy, volume 2119 of Lecture Notes n Computer Scence, pages , Sydney, Australa, July Sprnger - Verlag. [9] Keth Martn. Untrustworthy partcpants n secret sharng schemes. In Cryptography and Codng III, volume 45, pages Oxford Unversty Press, [10] Keth M. Martn, Josef Peprzy, Re Safav-Nan, and Huaxong Wang. Changng thresholds n the absence of secure channels. Australan Computer Journal, 31:34 43, [11] Keth M. Martn, Re Safav-Nan, and Huaxong Wang. Bounds and technques for effcent redstrbuton of secret shares to new access structures. The Computer Journal, 428): , September [12] Ad Shamr. How to share a secret. Communcatons of the ACM, 2211): , November [13] Ron Stenfeld, Josef Peprzy, and Huaxong Wang. Lattce-based threshold-changeablty for standard CRT secretsharng schemes. Fnte Feld and ther Applcatons, 12: , [14] Ron Stenfeld, Huaxong Wang, and Josef Peprzy. Lattce-based threshold-changeablty for standard Shamr secret-sharng schemes. In Advances n Cryptology - Asacrypt 04, volume 3329 of Lecture Notes n Computer Scence, pages , Jeju Island, Korea, December Sprnger - Verlag. [15] Douglas R. Stnson. Cryptography: Theory and Practce Thrd Edton). Chapman & Hall/CRC, [16] Y. Tamura, M.Tada, and Ej Oamoto. Update of access structure n Shamr s, n) threshold scheme. In The 1999 Symposum on Cryptography and Informaton Securty, volume I, pages , Kobe, Japan, January A Proof of Lemma 4 Let S be any element of S rj. We have: {1,...,n}m > m 0. Thus, f we have w,j d then we obtan: m w,j m d 0 M. Let S be any element of S r 1. Assume that w,j d. We get: m w,j 2 l+1 ) w,j 2 l+1),j w 2 l+1)d ) 2 ld 2 l+1 d ) 2 ld 2 l+1 rc ) So, we have:. m w,j M q 10

11 B Proof of Lemma 5 We frst demonstrate that Inequalty 1) holds. Let j be any element of {0,...,c} and let S be any element of S rj. We have: d w,j d Now, we want to demonstrate Inequalty 2). We consde = c. Let S be any element of S rc. We have: d w,j = r c 1) = r c 1) = d Assume that j {0,...,c 1}. We have: r 2 r c 0 1r0 r c 1 1) 2 r c 1 1) 2 1) 2 r c r c 1 r c r c 1 r c In addton, we have the followng bound: d r c d + rj 1 d + 1 Let S be any element of S rj, we have: d w,j 1) 1) d + 1 1) r c + 1) r c r c r 2 j d r c 1) 2 rc d 1) 2 ) If = 1 then, we have: Otherwse, we have: w,j d r c d w,j d r c 1) 2 d r j 1) 2 r c C Proof of Lemma 6 Let S be any element of S r0 1. Frstly, we want to prove that m w,0 d w,0 = = d M p. Snce, we have d. Therefore: We get: We obtan: m w,0 w,0 = 1) d = d d = d r c 2 l+1 ) w,0 2 l+1) w,0 2 l+1)d rc r ) 0 2 ld ) rc l+1 d rc ) 2 11

12 Fnally, we have: m w,0 2 ld 2 l+1 d ) φ M p If only 1 shares y 1,...,y were nown, then have have the value of y modulo N r0 1 3 = r0 1 m w λ λ λ=1. Snce N 3 M p and gcdn 3,p) = 1, the collecton of numbers n wth n y mod N 3 and n M cover all congruence classes mod p, wth each class contanng at most one more or one less n than any other class. Thus, no useful nformatoneven probablstc) s avalable wthout r shares. Therefore, the ntal scheme Π 0 s perfect. D Proof of Lemma 7 Set m = mw,0. Snce {p,m 1,...,m n } are parwse coprme, we always have parwse coprme ntegers {p,m 1,...,m n}. Now, we want to prove that the ntegers {p,m 1,...,m n} satsfy the followng condtons: ) ) S S r m M and S S r 1 m M p Accordng to Lemma 4 and Lemma 5, we have: S S r Usng the result n the proof of Lemma 6, we get: S S r 1 m M m M p Therefore, Π 0 s a standard CRT scheme. E Proof of Theorem 4 Let S denote the -th share of Π. For A = R, C R T, we have: log M A HS S A ) = mn 1, log ˆm φ m HS) = mn 1, d log m 0 log m ) A φ log ˆm HS) So, we have: and: HS S A ) mn { 1, { HS S A ) mn 1, If l s asymptotcally large, then we have: Therefore, the nformaton rate: So, we have: } { ld R l + 1) HS) mn 1, l T + 1)T C) } { l + 1)d R l HS) mn 1, l T )T C) HS S A ) HS) ρ = HS ) HS) = log m log ˆm φ = T R T C = log m log ˆm φ HS ) HS) l T C)l T + 1) 12 } l T Rl + 1) HS) l T + 1)T C) } l + 1) T Rl HS) l T )T C)

13 and: HS ) HS) l + 1 T C)l T ) Fnally, we deduce that, when l s asymptotcally large, we have: Therefore, the scheme Π s an optmal ramp scheme. HS ) HS) = 1 T C 13