JOURNAL OF LATEX CLASS FILES, VOL. 6, NO. 1, JANUARY 2007
arXiv:1401.7471v6 [cs.CR] 3 Sep 2015

Space-efficient Verifiable Secret Sharing Using Polynomial Interpolation

Massimo Cafaro*, Senior Member, IEEE, and Piergiuseppe Pellè

Abstract—Preserving data confidentiality in clouds is a key issue. Secret Sharing, a cryptographic primitive for the distribution of a secret among a group of $n$ participants designed so that only subsets of shareholders of cardinality $0 < t \le n$ are allowed to reconstruct the secret by pooling their shares, can help mitigate and minimize the problem. A desirable feature of Secret Sharing schemes is cheater detection, i.e. the ability to detect one or more malicious shareholders trying to reconstruct the secret by obtaining legal shares from the other shareholders while providing them with fake shares. Verifiable Secret Sharing schemes solve this problem by allowing shareholders to verify the others' shares. We present new verification algorithms providing arbitrary secret sharing schemes with cheater detection capabilities, and prove their space efficiency with regard to other schemes that appeared in the literature. We also introduce, in one of our schemes, the Exponentiating Polynomial Root Problem (EPRP), which is believed to be NP-Intermediate and therefore difficult.

Index Terms—Security and Privacy Protection, Cryptographic controls, Verification

1 INTRODUCTION

Secret Sharing deals with the problem of securely distributing confidential information among a certain number of shareholders, in such a way that only some subsets of them are able to jointly decrypt it. Several schemes and variants of secret sharing have been proposed, from the seminal schemes of Shamir [1] and Blakley [2], which are based respectively on polynomial interpolation and on hyperplane intersection, to the newest approaches closely involving number theory, such as the ones based on the Chinese Remainder Theorem [3] [4].

Secret Sharing can be beneficial in many different ways in cloud computing, which is becoming increasingly common, with rapid adoption by industry, small and medium enterprises, and individual users. Among the many services provided by a cloud infrastructure, we are concerned here with cloud storage and file hosting services. Building on a highly virtualized infrastructure, these services are succeeding owing to economic reasons and to the fact that the underlying infrastructure and physical location are fully transparent to the user. However, preserving data confidentiality in clouds is a key issue [5]. The main difficulty is related to the fact that data is stored on a remote server which is fully accessible by the cloud service provider (and can be accessible to third parties through a malicious attack). In order to achieve data confidentiality and to overcome this issue, it is possible to encrypt a file containing sensitive information before storing it on a cloud. Even though encryption makes unauthorized disclosure of information harder, a better solution is based on the use of Secret Sharing and multiple cloud providers, a scenario in which each generated share is stored on a different cloud. The original file can still be encrypted if required, thus providing an additional security guarantee. The use of multiple clouds and Secret Sharing can therefore mitigate and minimize several risks associated with the single cloud provider scenario, such as service availability failure, data loss and/or corruption, loss of confidentiality, vendor lock-in and the possibility of malicious insiders in the single cloud.

One important issue in the design of a secret sharing protocol is its robustness against cheaters: common solutions proposed in the literature rely on checking consistency of the secret information after reconstruction from more than one group of shareholders, or on adding helpful data to the shares in order to detect and/or identify mistrustful behaviour. Verifiable Secret Sharing (VSS) [6] is therefore secret sharing augmented with features that allow only detection, or also identification, of any cheater in a coalition, unconditionally or with respect to the scheme parameters (threshold value, total number of dishonest shareholders, etc.). Several VSS schemes have been proposed, including, for instance, Publicly Verifiable Secret Sharing (PVSS) [7] [8] [9] [10] [11] [12] or schemes focusing on Asynchronous Verifiable Secret Sharing (AVSS) such as [13] [14] [15] [16] [17] [18] [19]. In this work, we present new verification algorithms based on commitments providing arbitrary secret sharing schemes with cheater detection capabilities, and prove their data efficiency with regard to other schemes that appeared in the literature. Our approach belongs to the Honest-Dealer VSS scheme category [20] [21], since it requires a one-time honest dealer.

• The authors are with the Department of Engineering for Innovation, University of Salento, Lecce 73100, Italy. E-mail: [email protected], [email protected]

Our contribution is three-fold: (i) we present space-efficient verification protocols that do not even require storing public data for verification; (ii) our schemes can be used in conjunction with arbitrary secret sharing schemes, and provide cheater detection capabilities; (iii) we also introduce, in one of our schemes, a new computational problem, namely the Exponentiating Polynomial Root Problem (EPRP), which generalizes the Discrete Logarithm Problem (DLP).

The remainder of this paper is organized as follows. Section 2 recalls related work. We present our space-efficient verifiable schemes and analyze their security in Section 3, along with EPRP. In Section 4, we propose runtime efficiency refinements to optimize our schemes. The information rates of our schemes are discussed in Section 5, in which we also compare our schemes against the state of the art schemes published in the literature. Finally, we draw our conclusions and propose future work in Section 6.

2 RELATED WORK

In this Section, we discuss related work. We begin by reviewing commitments, and then proceed to analyze hashing, the schemes based on homomorphic commitments proposed by Feldman [22], Pedersen [23] and Benaloh [24], and the set coherence verification method introduced by Harn and Lin [25].

A commitment [26] is a statement that proves knowledge of some information, without revealing the information itself. A formal definition follows:

Definition 2.1 (Commitment). Given a value $x$, a commitment $c(x)$ is a value such that the following conditions are satisfied:
• Hiding: By knowledge of $c(x)$, it is impossible (or very difficult) to obtain $x$ — $c(x)$ hides $x$;
• Binding: It is infeasible or impossible to find another value $y$ for which $c(y) = c(x)$ — $c(x)$ binds to $x$.

The two properties just defined may refer to the computational or to the unconditional security setting: if an attacker with infinite computing power can break the former or the latter, the scheme is said to be, respectively, computationally hiding or computationally binding. Otherwise, a commitment scheme is said to be unconditionally hiding or unconditionally binding. More precisely, it can be proved [27] that a commitment scheme cannot be simultaneously unconditionally hiding and unconditionally binding. Commitments can be implemented via one-way functions, as a basis for verification schemes.

2.1 Hashing

The simplest method to add verification capabilities to a scheme is to use one-way functions to obtain fingerprints/signatures of the data involved. Two trivial algorithms for detection and identification are listed (suppose that $H$ is a secure hash function):

Detection
Dealer: Given the secret $s$, compute $h = H(s)$ and make it public.
Shareholder: After reconstructing a secret $x$, verify whether $H(x) = h$. If $H(x) \ne h$ someone is cheating.

Identification
Dealer: Given the shares $s_1, \dots, s_n$, compute the signatures $h_i = H(s_i)$ for every $i$ and make them public.
Shareholder: Before performing reconstruction, for every share $s_j$ received, get $h_j$ and check that $H(s_j) = h_j$. If equality does not hold, then shareholder $j$ is cheating.

The clear disadvantage of identification by hashing is that verification data grows linearly with $n$.

2.2 Homomorphic commitments: Feldman's scheme

Feldman's scheme [22] is a verification method applicable to Shamir's secret sharing. Like hashing, it relies on the use of one-way functions for verifying consistency of each share. Moreover, the homomorphic property is exploited in order to decrease the total number of verification elements from $n$ to $t$: the commitment is over the secret, not over the shares. Indeed, let $v$ be a $(+,\cdot)$-homomorphic one-way function (that is, $v(a+b) = v(a)\,v(b)$); then, if $v$ is evaluated over a polynomial, the following equation holds:

$$v\Big(\sum_{i=0}^{t-1} a_i x^i\Big) = \prod_{i=0}^{t-1} v\big(a_i x^i\big) \qquad (1)$$

The scheme steps are reported below:
• Choose as public values primes $p, q$ such that $q$ divides $p-1$ and a generator $\alpha$ of a subgroup of order $q$ of $\mathbb{Z}_p^*$ ($q$ is the lowest possible integer such that $\alpha^q \equiv 1 \bmod p$); the bitsize of $q$ is much lower than the one of $p$, and this is done since not only finding primitive roots, but even computing multiplicative orders for generic moduli, are, in general, hard problems (random sampling and factorization of the modulus are used for better efficiency). Theoretically, one could also choose a generator of order $p-1$;
• Starting with the secret $a_0$, generate the polynomial $P(x) = a_0 + \dots + a_{t-1} x^{t-1}$ over the field $\mathbb{Z}_q$, from which the shares are sampled as $s_i = P(i)$, $i = 1, \dots, n$;
• Generate the public verification coefficients: $\alpha_j = \alpha^{a_j} \bmod p$, $j = 0, \dots, t-1$;
• Thanks to the homomorphic property of exponentiation, a commitment to a share $s_i$ can be written as:

$$\alpha^{s_i} = \alpha^{P(i)} = \alpha^{a_0 + a_1 i + \dots + a_{t-1} i^{t-1}} = \alpha^{a_0}\,\alpha^{a_1 i} \cdots \alpha^{a_{t-1} i^{t-1}} = \alpha_0\,\alpha_1^{\,i} \cdots \alpha_{t-1}^{\,i^{t-1}} \qquad (2)$$

Hence, the consistency of a share $s_i$ can be verified by checking the equality:

$$\alpha^{s_i} \equiv \prod_{j=0}^{t-1} \alpha_j^{\,i^j} \pmod p \qquad (3)$$

It is worth noting here that the one-way function candidate used is modular exponentiation over $\mathbb{Z}_p^*$.

Feldman's scheme is computationally hiding, since exponentiation is done over the secret polynomial's coefficients, so solving the DLP would allow one to obtain the secret from the verification data (reverse hiding). It is also unconditionally binding, since the mapping between values and commitments is injective, so multiple values committing to the same output cannot be found.

2.3 Homomorphic commitments: Pedersen's scheme

With some slight modifications, proposed in [23], the previous scheme can be made perfectly hiding and computationally binding; notice also that the information rate grows, as there is more data to provide shareholders with.
• Choose as public parameters primes $p$ and $q$ as before, together with two generators of order $q$, namely $g, h$;
• Let $y(x) = a_0 + a_1 x + \dots + a_{t-1} x^{t-1}$ be the polynomial to be committed. Generate an additional polynomial $z(x)$ of the same degree, with random non-null coefficients $b_0, \dots, b_{t-1}$;
• Compute the coefficient commitments as $c_i = g^{a_i} h^{b_i} \bmod p$ and send them to every shareholder;
• Sample the points for shareholder $j$ as $y_j = y(j)$, $z_j = z(j)$; then the share for shareholder $j$ is $(y_j, z_j)$;
• As in the previous scheme, by applying the homomorphic property, a commitment to a share $(y_j, z_j)$ can be expressed as:

$$g^{y_j} h^{z_j} = g^{\sum_{i=0}^{t-1} a_i j^i}\, h^{\sum_{i=0}^{t-1} b_i j^i} = \prod_{i=0}^{t-1} \big(g^{a_i}\big)^{j^i} \cdot \prod_{i=0}^{t-1} \big(h^{b_i}\big)^{j^i} = \prod_{i=0}^{t-1} \big(g^{a_i} h^{b_i}\big)^{j^i} = \prod_{i=0}^{t-1} c_i^{\,j^i} \qquad (4)$$

Thus, any shareholder can verify that a share $(y_j, z_j)$ is valid by checking the equation:

$$g^{y_j} h^{z_j} \equiv \prod_{i=0}^{t-1} c_i^{\,j^i} \pmod p \qquad (5)$$

Perfect hiding for a commitment $g^a h^b$ means that, for any triple $a, b, a'$, a value $b'$ exists such that $g^a h^b \equiv g^{a'} h^{b'} \pmod p$. This can be seen by expressing $h$ as a power of $g$: $h = g^w \bmod p$, and it can always be done since $h \in \mathbb{Z}_p^*$. A commitment can then be expressed as:

$$c = g^{a + wb} \bmod p \qquad (6)$$

Hence, by fixing the triple defined before, $b'$ can be found by solving:

$$a + wb \equiv a' + wb' \pmod p \qquad (7)$$

which is always well-defined.
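Feldman's verification from Section 2.2 on top of Shamir's scheme, as an added example that is not part of the paper: it assumes the toy public parameters $p = 23$, $q = 11$ and $\alpha = 2$ ($2^{11} \equiv 1 \bmod 23$, so $\alpha$ has order $q$), generates shares from a polynomial over $\mathbb{Z}_q$, publishes $\alpha_j = \alpha^{a_j} \bmod p$ and checks equation (3) for every posted share. A tampered share always fails, because $\alpha^{s}$ determines $s \bmod q$ uniquely (the unconditional binding noted above).

```python
"""Feldman verification (Section 2.2) on top of Shamir's scheme, toy parameters."""
import secrets

# Toy public parameters (assumed for this example): Q divides P - 1 and ALPHA
# generates the subgroup of order Q in Z_P^* (2^11 = 2048 = 89*23 + 1).
P, Q, ALPHA = 23, 11, 2


def poly_eval(coeffs, x, mod):
    """Evaluate a_0 + a_1 x + ... + a_{t-1} x^{t-1} at x modulo mod (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def shamir_shares(secret, t, n, q=Q, coeffs=None):
    """P(x) over Z_q with a_0 = secret; share i is (i, P(i)) for i = 1..n.

    coeffs may be supplied explicitly for a reproducible run; otherwise the
    t - 1 higher coefficients are drawn at random.
    """
    if coeffs is None:
        coeffs = [secret % q] + [secrets.randbelow(q) for _ in range(t - 1)]
    return coeffs, [(i, poly_eval(coeffs, i, q)) for i in range(1, n + 1)]


def feldman_commitments(coeffs, p=P, alpha=ALPHA):
    """Public verification coefficients alpha_j = alpha^{a_j} mod p."""
    return [pow(alpha, a, p) for a in coeffs]


def feldman_verify(i, s_i, commitments, p=P, q=Q, alpha=ALPHA):
    """Equation (3): alpha^{s_i} == prod_j alpha_j^{i^j} (mod p).

    Exponents i^j are reduced mod q, which is legal because every alpha_j
    lies in the subgroup of order q.
    """
    rhs = 1
    for j, alpha_j in enumerate(commitments):
        rhs = rhs * pow(alpha_j, pow(i, j, q), p) % p
    return pow(alpha, s_i, p) == rhs


def detect_cheaters(shares, commitments):
    """Indices of shareholders whose posted share fails equation (3)."""
    return [i for i, s in shares if not feldman_verify(i, s, commitments)]


if __name__ == "__main__":
    # Constructed run: P(x) = 5 + 3x over Z_11, three shareholders.
    coeffs, shares = shamir_shares(secret=5, t=2, n=3, coeffs=[5, 3])
    comm = feldman_commitments(coeffs)
    print("shares:", shares, "commitments:", comm)
    print("honest coalition, cheaters:", detect_cheaters(shares, comm))
    forged = [(1, 9)] + shares[1:]          # shareholder 1 posts a fake share
    print("forged coalition, cheaters:", detect_cheaters(forged, comm))
```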
2.4 Homomorphic commitments: Benaloh's scheme

This scheme [24] allows shareholders to verify that all of the shares are collectively $t$-consistent (i.e., an arbitrary subset of $t$ of the $n$ shares yields the same, correct polynomial without revealing the secret). Verification is done through homomorphic algebra, without exposing the secret. However, the scheme requires an interactive proof to prove the dealer's integrity, which has been avoided by design in our scheme. Moreover, the proof involves the generation and use of a very large number of polynomials of degree $t$ for a $(t,n)$ threshold scheme, making the scheme impractical.

2.5 Verifiability by set coherence

This method, introduced in [25], does not require any additional verification data besides the shares themselves. However, when applied to a $(t,n)$-threshold scheme, it needs a coalition consisting of $m$ shareholders, $m > t$. Cheater detection and identification are performed by comparing the secrets reconstructed by all of the possible subsets of $t$ out of $m$ shareholders. The two algorithms follow.

Detection
• Let $B$ be an authorized subset of size $m > t$ for a $(t,n)$-threshold scheme. For every subset $A \subset B$ of size $t$, run the reconstruction algorithm with the corresponding shares. Keep a histogram of all of the secrets found;
• If every subset $A \subset B$ rebuilds the same secret, there is no cheating. Otherwise, run the cheater identification algorithm.

Identification
• Select the majority secret $s_m$ as the one with the highest frequency in the histogram. Assume it to be the actual secret (remember that this requires an honest majority). Take a subset $A$ that rebuilds $s_m$ (this can be done in constant time, if the histogram structure keeps track of which subsets rebuild each secret);
• Let $A = \{1, 2, \dots, t\}$ without loss of generality. Since $A$ rebuilds the correct secret by assumption, every share in $A$ is posted by an honest shareholder, and every possible cheater must be contained in $C = B \setminus A$;
• For every shareholder $j \in C$, check whether the set $A' = \{j, 2, \dots, t\}$ rebuilds $s_m$. If it does not, add shareholder $j$ to the cheaters' list; again, this can be done in constant time, using the augmented histogram of the first step.

Distinguishing between independent cheaters and organized ones, the bounds for detection and identification are summarized in Table 1 ($c$ denotes the number of cheaters, $m$ the cardinality of $B$, $t$ the threshold value).

TABLE 1
Set coherence: bounds for detection and identification

                   Independent cheaters    Organized cheaters
  Detection        $m > t$                 $m - c > t$
  Identification   $m - c > t$             $m - c \ge c + t$

Remark. Besides requesting a higher threshold value for the underlying secret sharing scheme, this verification method presents sub-exponential complexity, in a space versus time trade-off:
• The time complexity of checking all $t$-subsets is $O\big(\binom{m}{t}\big)$, which is super-polynomial in $m$.
• Using the augmented histogram, the space complexity also becomes $O\big(\binom{m}{t}\big)$.
However, in all practical applications of secret sharing, the maximum number of shareholders $n$, and therefore $m$ and $t$, are values of order $10^1$, so the above considerations can, in practice, be disregarded.
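The set coherence detection and identification algorithms above, as an added example that is not part of the paper: it assumes a Shamir $(t,n)$ scheme over the toy prime field $\mathbb{Z}_{257}$, runs reconstruction on every $t$-subset of the coalition $B$, keeps the augmented histogram (each reconstructed secret together with the subsets that produced it), and then applies the three identification steps against the majority secret. The sample shares are constructed from $P(x) = 42 + 7x$ with shareholder 3 posting a fake value.

```python
"""Set coherence detection and identification (Section 2.5) over Shamir shares."""
from collections import defaultdict
from itertools import combinations

P = 257  # toy prime field (assumed); a share is (i, P(i)) with P(i) in Z_P


def shamir_reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 of t points (i, s_i) over Z_p."""
    secret = 0
    for i, s_i in shares:
        num, den = 1, 1
        for k, _ in shares:
            if k != i:
                num = num * (-k) % p
                den = den * (i - k) % p
        secret = (secret + s_i * num * pow(den, -1, p)) % p
    return secret


def coherence_histogram(coalition, t, p=P):
    """Augmented histogram: every secret rebuilt by some t-subset of the
    coalition, mapped to the subsets (tuples of shareholder ids) rebuilding it."""
    coalition = sorted(coalition)              # ids ascending, so subsets are canonical tuples
    hist = defaultdict(list)
    for subset in combinations(coalition, t):
        hist[shamir_reconstruct(list(subset), p)].append(tuple(i for i, _ in subset))
    return hist


def detect(coalition, t, p=P):
    """Detection step: cheating iff the t-subsets do not all rebuild one secret."""
    return len(coherence_histogram(coalition, t, p)) > 1


def identify(coalition, t, p=P):
    """Identification step: majority secret s_m, one honest subset A, then
    every j outside A is tested by swapping it for the first member of A
    (A' = {j, 2, ..., t} in the paper's notation). Requires an honest majority."""
    hist = coherence_histogram(coalition, t, p)
    majority = max(hist, key=lambda s: len(hist[s]))
    rebuilt = set(hist[majority])              # constant-time lookup of "does A' rebuild s_m"
    A = hist[majority][0]
    cheaters = []
    for j, _ in coalition:
        if j in A:
            continue
        A_prime = tuple(sorted((j,) + A[1:]))
        if A_prime not in rebuilt:
            cheaters.append(j)
    return majority, sorted(cheaters)


if __name__ == "__main__":
    # Constructed shares of P(x) = 42 + 7x over Z_257; shareholder 3 lies (63 -> 100).
    coalition = [(1, 49), (2, 56), (3, 100), (4, 70)]
    print("cheating detected:", detect(coalition, t=2))
    print("majority secret, cheaters:", identify(coalition, t=2))
```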
3 SPACE-EFFICIENT VERIFIABILITY

In this Section, we introduce our construction of a new verification method for threshold secret sharing. It is not designed for a particular scheme, nor does it require any assumption on the shares. The designed verification algorithm is non-interactive (verification does not require receiving additional data from other shareholders, besides the shares), requires a one-time honest dealer, and belongs to the family of commitment-based methods, since it relies on one-way functions. It will be shown that, under certain hypotheses, it is more space-efficient than the already illustrated homomorphic VSS extensions.

3.1 Definitions

Notations related to mathematical and string operators are listed below. The following convention will be used: any operator defined for a bitstring is valid for an unsigned integer type, and vice-versa.
• $[s_1 | s_2 | \dots | s_n]$ defines the concatenation of the bitstrings $s_1, s_2, \dots, s_n$;
• $bs()$ denotes the bitsize of its argument. If the argument is an integer $n$, the bitsize is $bs(n) = 1 + \lfloor \log_2 n \rfloor$. If the argument is a set, the operator refers to the greatest element in the set: $bs(S) = bs(\max_{x \in S} x)$. E.g.: if $s = 11101_2$ and $S = \{5, 7, 111\}$, then $bs(s) = 5$ and $bs(S) = bs(111) = 7$;
• $M(y)$ denotes the bitstring consisting of the most significant $\lceil n/2 \rceil$ bits of the $n$-bit string $y$. For example, if $s = 11101_2$, $M(s) = 111_2$. $L(y)$ denotes the bitstring consisting of the least significant $\lfloor n/2 \rfloor$ bits of the bitstring $y$. Referring to the previous example, $L(s) = 01_2 = 1_2$. Clearly, for any string $s$, $s = [M(s) | L(s)]$; leading zeros in $L(s)$, if present, must be kept for a correct concatenation;
• $NP(x)$ and $np(x)$ refer respectively to the lowest prime number strictly greater than $x$ and to the lowest prime greater than or equal to $x$. E.g.: $NP(22) = np(22) = 23$, while $NP(11) = 13$ and $np(11) = 11$.

We recall here some definitions and useful results about permutations.

Definition 3.1 (Permutation). Given a set $I = \{1, \dots, n\}$, a permutation over $I$ is a bijective mapping $\sigma : I \to I$. That is, every element of $I$ maps to one (not necessarily different) element of $I$ itself, and no two different elements can map to the same one.

Lemma 3.1 (Permutation over a probability distribution). Let $\sigma : A \to B$ be a permutation, with $A = \{1, \dots, n\}$, $B = \{\sigma(1), \dots, \sigma(n)\}$; let $f_A : A \to [0,1]$ define a probability distribution¹ for the random variable $X_A$ over the set $A$, i.e.:

$$P_A(X_A = i) = f_A(i), \quad i \in A$$

Then, the distribution obtained by applying the permutation $\sigma$ to the PMF $f_A$ is given by the set of probabilities that the random variable $X_B$ takes over the permuted items of the set $B$:

$$\sigma\big(P_A(X_A = i)\big) = P_B\big(X_B = \sigma(i)\big)$$

An immediate corollary of this is that the uniform distribution maps to itself under every possible permutation:

$$\sigma\big(f_U(i)\big) = f_U\big(\sigma(i)\big) \quad \forall \sigma : A \to B$$

1. Probability Mass Function (PMF)

Lemma 3.2 (Composition of permutations). The space of permutation matrices of size $n$ ($\Sigma^{n \times n}$) is a group under matrix product, hence permutations over input sets of equal size are closed under composition:

$$\forall \sigma_i, \sigma_j \in \Sigma^{n \times n}, \quad \sigma_i(\sigma_j) \in \Sigma^{n \times n}$$

Lemma 3.3. Let $GF(q)$ be a finite field of prime size (not a polynomial field), $r$ one of its primitive roots, and $D = \{1, \dots, q-1\}$. Then, the exponentiation function

$$e_r : D \to D, \quad e_r(x) = r^x \bmod q$$

is a permutation over $D$.

The following result, related to the degree of an interpolating polynomial with regard to its interpolation points, will be used in the Powering polynomial (VSS-POW) scheme.

Theorem 3.4. Let $(x_i, y_i)$, $i = 1, \dots, t$ be a set of $t$ random points with different abscissas $x_i$, and whose coordinates belong to a finite field $F$ of prime cardinality $p$; let $y(x) = \sum_{i=0}^{t-1} a_i x^i$ be the interpolating polynomial of the given points, with coefficients over $F$ as well. Then, the probability that the degree of the polynomial $y$ is strictly less than $t-1$ is negligible for big $p$:

$$P[\deg(y) < t-1] = \frac{1}{p}$$

Proof: Any set of points chosen following the given assumption generates a full-rank Vandermonde matrix $X \in F^{t \times t}$, which induces a bijection of the finite domain $F^t$ onto itself:

$$\forall y \in F^t \ \exists!\, a \in F^t : Xa = y$$

For this reason, $X$ can be seen as a permutation of the elements of $F^t$. By Lemma 3.1, the uniform discrete distribution is invariant with respect to permutations, so the probability of obtaining a polynomial of non-maximum degree (with $a_{t-1} = 0$) is equal to the probability of choosing the $t$-th point with null ordinate²:

$$P[y(x) : a_{t-1} = 0] = P[y_t = 0] = \frac{1}{p}$$

2. Notice that this does not mean that a point with null ordinate generates a solution $a$ with a null coefficient, but that the cardinality of all points with the first property is equal to the one of polynomials with the second property; since domains coincide, probabilities are equal as well. Also note that the point index is not relevant; the $t$-th point has just been chosen in order to fix a position, to distinguish from the case when any one of the points could have a null $y$-coordinate, which would lead to a wrong probability calculation.

3.2 Designing a space-efficient VSS extension

The verification scheme that is going to be designed will be the result of incremental refinements of partially secure techniques. The main goal to achieve during the design will be the reduction of verification data. Labels of the form VSS-X will be used to better identify and distinguish the variants obtained. Moreover, since the final result is a commitment scheme, the security analysis will develop around the two security properties of hiding and binding.

3.3 Security assumptions

• There is a single, one-time, honest dealer, that distributes data to all of the $n$ shareholders involved in the scheme instance;
• There is no trusted shareholder in the underlying network, and no storage of shared or public data. That is, once provided with their shares and verification data, shareholders do not need any other information for secret reconstruction and cheater identification;
• Secure bidirectional channels can be established between pairs of entities; any external attacker can only be passive, so man-in-the-middle attacks are not considered in this model. Security against these kinds of attack is assumed to be addressed by the protocols that establish communication between the parties over a network (e.g., TLS);
• Client machines are fully trusted. All of the entities (the dealer and the shareholders) run their respective protocol steps on their client machines, where keys and certificates required for encryption/decryption and authentication are stored. If a CSP (Cloud Service Provider) has to be used for share storage, shareholders may encrypt their shares using a symmetric cipher before uploading them. Similarly, shareholders download shares from CSPs to their clients and decrypt them (if needed) before engaging in secret reconstruction and cheater identification;
• CSPs are semi-trusted and modeled as Honest-But-Curious adversaries. Therefore, they act according to their prescribed actions in all of the protocols they are involved in (they do not, as malicious users do, try to alter stored data and communications), but it is assumed that CSPs are interested in learning the contents of shares stored by shareholders, and can fully access everything stored on their cloud storage infrastructure.

3.4 Design features

The main features our design attempts will insist on are summarized below:
• Commitments on shares: verification routines ensure that shares are legal independently of the secret they are generated from, unlike homomorphic commitment schemes, which guarantee that a share corresponds to some secret;
• Non-interactivity: verification algorithms can be carried out in one interaction, that is, no further communication with other parties is required after receiving the shares;
• Private verification: each shareholder is able to verify the others' shares, but not its own: this is not necessary, since this interaction model assumes a one-time honest dealer; moreover, verification is performed differently by each shareholder, by taking as additional input a secret parameter.

3.5 Powering polynomial (VSS-POW)

Let $S$ be a generic secret sharing scheme instance, with shares $s_i$, $i = 1, \dots, n$ belonging to some natural domain $D = \{0, 1, \dots, q\}$ and $bs(D) = bs(q)$ the domain's bitsize. The following is a non-interactive VSS extension based on polynomial interpolation. The dealer is in charge of doing the following steps:
• Choose a suitable finite field $F$ for domain $D$: for example, $GF(NP(q))$ or $GF(2^{bs(q)})$;
• Generate with Lagrange interpolation a polynomial $V(x)$ over $F$ that maps the chosen shares to their powers with a random exponent $r \in F$, and make it public to all of the shareholders, i.e.:

$$V(s_i) = s_i^{\,r}, \quad i = 1, \dots, n \qquad (8)$$

With high probability, $\deg(V) = n-1$ (see Theorem 3.4), so there will be $n$ coefficients to provide shareholders with.

A shareholder can verify the provided share by checking if it satisfies (8).

The bitsize of each coefficient is bounded by $bs(q)$ if the field chosen is $GF(2^{bs(q)})$, and by $bs(q)+1$ if $F = GF(NP(q))$ (in the worst case, when $NP(q) \ge 2^{bs(q)}$). Hence, like the hashing method, this approach suffers from a share expansion which is linear in the total number of shares generated. For example, by applying this VSS extension to a distributed-equations Shamir scheme with no public data, and considering as inputs to be verified $s_i = [x_i | y_i]$, the augmented share of each shareholder (reconstruction data + verification data) will be:

$$x_i, y_i, v_0, \dots, v_{n-1}$$

where $v_i$ denotes the $i$-th coefficient of the verification polynomial. The total size is bounded by $bs(q) + n(bs(q)+1)$.

3.5.1 Security analysis

Theoretically, the proposed scheme could not be considered secure for hiding, in that shares can be discovered by finding the roots of the polynomial equation:

$$V(x) - x^r = 0 \qquad (9)$$

Algorithms that are polynomial-time in the input polynomial's degree exist for this task, such as Berlekamp [28], Cantor-Zassenhaus, and Shoup [29]. For details about their asymptotic runtime complexity, see [30]. Notice however that, for VSS-POW, the degree of $V(x) - x^r$ being exponential in the field bitsize, this scheme could be considered, on average, computationally hiding, if $r$ is chosen randomly. In addition, it may happen that $V(x) = x^r$ admits other solutions than the actual shares: again, if they exist, they are found by factorization and extraction of linear factors, therefore binding is, at best, only computational.

3.6 Verification by CRT solution is not efficient

One may be tempted to try the same approach by using the solution of a remainder system, instead of the coefficients of a polynomial. For example, if the shares generated are $s_1, \dots, s_n$, verification data could be a value $x$ such that:

$$x \equiv \Big\lfloor \frac{s_i}{2} \Big\rfloor \pmod{s_i}$$

for every $i = 1, \dots, n$, and verification would be performed by checking that each share received satisfies the corresponding equation. However, in order to have a unique solution, the Chinese Remainder Theorem (CRT) requires the moduli of the system to be pairwise coprime: this imposes a restriction on the possible shares that can be verified. It is not feasible either to regenerate new shares until they are all coprime among themselves, for two reasons:
• Computational efficiency: as a corollary of the Prime Number Theorem [31], the probability that two integers sampled from the uniform discrete distribution $U[2,N]$ are coprime tends to $6/\pi^2$ as $N$ goes to infinity [32]. This probability decreases super-polynomially as the number of values in which any pair should contain coprime numbers grows [33]. In principle, this would not really be a limitation, since a set of pairwise coprime numbers can be generated recursively starting with two numbers, and using trial and error methods together with repeated instances of the Greatest Common Divisor (GCD) algorithm;
• Space efficiency: a worse issue prevents using the CRT-solution approach to obtain a VSS scheme: for what has just been stated, the density of sets of $n$ pairwise coprime values is very low for a given power set $\mathcal{P}$ over a domain, so the scheme instances would need an over-dimensioning in order to be secure against search attacks (when they are possible), in that an attacker would not need to check every possible set of integers, but only the groups of mutually coprime ones, which become very few with respect to the search domain as $n$ increases.

3.7 String-split polynomial (VSS-SSP)

The verifying-polynomial method introduced before can be modified in order to decrease the domain size of each coefficient, and so the maximum size of each verification element. Consider the complete set of shares $S = \{s_1, \dots, s_n\}$ of a generic threshold scheme, with domain $D$ and share sizes $bs(s_i) \le bs(D)$. The distribution/verification algorithm under domain reduction should run as follows:

Dealer's steps
• Take the bitsize limit of any share, $bs(D)$, and select the finite field for verification accordingly: $F = GF\big(NP(2^{bs(D)/2})\big)$ or $F = GF(2^{bs(D)/2})$;
• For every share $s_i$, if $bs(s_i) < bs(D)$, obtain with zero-padding on the left the modified share $S_i$ such that $bs(S_i) = bs(D)$. Otherwise, let $S_i = s_i$;
• Compute the two halves of the bitstring $S_i$ as $S_{iM} = M(S_i)$ and $S_{iL} = L(S_i)$;
• Check that no two $S_{iM}$ are equal. If some are, run the share generation algorithm again and go to the first step;
• Interpolate the verification polynomial $V(x)$ over $F$ such that:

$$V(S_{iM}) = S_{iL}, \quad i = 1, \dots, n \qquad (10)$$

• Broadcast the polynomial coefficients $v_0, \dots, v_{n-1}$.

Upon receiving a share $s_i$, any shareholder can verify it by padding it to $S_i$ and checking if $V(S_{iM}) = S_{iL}$.

3.7.1 Security analysis: no binding

This initial attempt is completely insecure against binding, since anyone knowing $V$ can choose a random half string $a$, and provide the faked share $s' = [a | V(a)]$. However, it is a good starting point for reducing the size of verification data, and it can be made secure in combination with other approaches presented later.

3.8 Enforcing binding: private verification

Binding security can be enhanced by making each of the $n$ shareholders verify the others' shares, and assigning a different, private security parameter $u_j$ to each verifier; in this environment, this would mean generating $n$ different polynomials, one for each shareholder, satisfying the equation:

$$V_j(x) = x^{u_j}, \quad i = 1, \dots, n, \ i \ne j \qquad (11)$$

for the first method, or

$$V_j(M(x)) = L(x)^{u_j}, \quad i = 1, \dots, n, \ i \ne j \qquad (12)$$

for the second one. In other words, every shareholder would own a polynomial passing through the other shareholders' shares (or half-shares).

3.8.1 Security analysis

Possible attacks against VSS-POW with private verification are listed below:
• If $n-1$ organized cheaters conspire against the remaining shareholder, by applying polynomial GCD to $V_1(x) - x^{u_1}, \dots, V_{n-1}(x) - x^{u_{n-1}}$ they can obtain the missing share $s_n$, since every polynomial other than $V_n$ passes through $s_n$. Clearly, this attack does not result in a true gain, unless the threshold scheme to be protected is an $(n,n)$ one. We note here that this attack can be performed on the original VSS-POW scheme as well;
• The same attack works for unhiding a missing share from a string-split polynomial. This time, after GCD, the factor retrieved will lead to $M(s_n)$; then the missing half-share can be retrieved by taking the $u_j$-th root of any available $V_j(M(s_n))$. Efficient extraction of modular $n$-th roots can be performed using a generalization of the Tonelli-Shanks algorithm [34].

However, like polynomial factorization algorithms, the polynomial variant of GCD requires polynomial time in the input degree, which is exponential in the field's bitsize; therefore, this scheme is as secure against hiding as the one without private verification.

3.9 Exponentiating polynomial (VSS-EXP)

The variant that is going to be introduced now will exploit some of the characteristics of the attempts made before, and a security assumption, in order to achieve computational security.

Let $s_1, \dots, s_n$ be the input shares, and $D = \{0, 1, \dots, q\}$ and $bs(D) = bs(q)$ their domain and domain's bitsize, respectively. The dealer is in charge of doing the following steps:
• Choose a suitable finite field $F$, such as $GF(NP(q))$ or $GF(2^{bs(q)})$;
• For each shareholder $j$, select a primitive element $r_j$ of the multiplicative group $F^*$, and generate with Lagrange interpolation a polynomial $V_j(x)$ over $F$ that exponentiates all of the other shares through $r_j$³:

$$V_j(s_i) = r_j^{\,s_i}, \quad i = 1, \dots, n, \ i \ne j \qquad (13)$$

• Send $q$, $r_j$ and the coefficients of $V_j$ to shareholder $j$ via a secure private channel.

A shareholder can verify the provided share by checking if it satisfies (13).

3. Notice that, while for prime order fields $GF(p)$ this equation is well-posed, for prime power fields $GF(p^k)$ we are performing a small abuse of notation: $s_i$ in the left-hand side of the formula is the element of the field (which is, actually, a polynomial), while the exponent on the right-hand side represents the natural number corresponding to the bitstring $s_i$, since, in finite field algebra, exponentiation by a polynomial is not defined.
maypresentadditionalrootsotherthanthevalid shares: if this happens, an unbounded adversary Definition3.2(ExponentiatingPolynomialRootProb- could exploit the set coherencemethod (2.5), and lem (EPRP)). obtain the secret as the majority value, without Let p(x)be apolynomialwithdeg(p)≥0 withcoefficients caring about which solutions are legal or not; drawnfroma finitefield GF(q), andr a primitiveelement • Reversebinding:sincenooneexceptshareholder for that field. Then, the problem of finding roots of: j knows the primitive element r used in the j p(x)=rx (14) construction of Vj, in order to be able to deceive a verification equation, r must be guessed, and j is believed to be NP–intermediate, i.e., it is in the com- the equation must present additional solutions. plexity class NP but it is supposed not to be in P nor For commitments inwhichthe equationhasonly NP–complete. roots in the valid values, binding is perfect. It is worth noting that this problem is at least as hard as the DLP, in that it can be seen as a gener- 3.10 String-splitexponentiatingpolynomial(VSS- alization of the latter – DLP is the particular case of EXP-SSP) EPRP when deg(p) = 0 – so a poly-time algorithm The string-split approach can be applied to VSS-EXP for solving EPRP would imply solution to any DLP to reduce the total amount of data targeted to each instance.TheproblemisinNP,owingtothefactthat, shareholder.Itwillbe provedthat,bykeepingthe as- given a solution, verifying it consists in performing sumption made, security of this scheme is equivalent a number of modular additions, multiplications and to the original one’s. The dealer is in charge of doing exponentiations, which is linear in the number of the following steps: coefficients; the runtime of this arithmetic is instead • Given the set of shares S, choose a suitable polynomial with respect to the field bitsize. 
To the field F for half-shares M(s ),L(s ) as GF(2w) or i i best of our knowledge, as of this writing, efficient bs(S) algorithmstosolve thisproblemdonotexist.Finding GF(NP(2w)),withw = anupperbound 2 roots to such equations can be done in two ways: on the shares’ half sizes;(cid:24) (cid:25) • Try all possible items x in the field, and check • Foreachshareholderj,selectaprimitiveelement whether they satisfy the equation or not. Clearly, r of F∗, and generate with Lagrange interpola- j even with randomized search, this requires expo- tion a polynomial V (x) over F such that: j nential time in the bitsize of the field modulus; • The exponential rx can be rewritten in Vj(M(si))=rjL(si), i=1,...,n , i6=j (15) polynomial form, by using Lagrange • Send w, rj and the coefficients of Vj to share- interpolation to interpolate the points holder j via a secure private channel. {(0,r0),(1,r1),...,(q−1,rq−1)}, determining a A shareholder can verify the provided share by polynomial f(x). This polynomial is identical to checking if it satisfies (15). rx precisely because we are working on a finite field. Then, the difference p(x) − f(x), can be factored in order to find the roots of the given 3.10.1 Securityequivalence equation (using Berlekamp, Cantor–Zassenhaus This scheme has the same security properties of VSS- or Shoup algorithms) and the roots read off the EXP, under the same assumptions. factors. However, this approach is even worse than exhaustive search: since, on average, a Theorem 3.5. Let V1 and V2 be two instances of VSS- polynomial passing by n given points will have EXPandVSS-EXP-SSPrespectively,withthesharesdomain n non-null coefficients, even only the input to bitsize for V being half the one for V . The two instances 1 2 Lagrange interpolation will require exponential are stochastically equivalent for hiding and binding. spacein the field bitsize. 
Also, notice that, in this Proof:Sharescanbeconsideredrandombitstrings case, there is no space-time tradeoff: Lagrange sampled fromthe domain {0,1}b. A randombitstring interpolation is an algorithm that uses entirely its ofsizeb–supposebeven,withoutlossofgenerality– input: this means that, for instances with inputs canbeseenasconcatenationoftworandombitstrings requiring exponential space, runtime would be of size b′ = b. Suppose n b-bitstrings are chosen exponential as well. 2 The security of this scheme can be summarized as 4.Given a domain of N strings, k of which representing valid follows: shares, the expected number of trials for the k–th success when sampling without replacement (i.e. finding all of the shares via a • Reverse hiding: A dishonest shareholder will- randomized exhaustivebrute-force attack),is k(N+1)/(k+1), a ing to obtain all of the others’ shares from his valuerapidlyapproachingN. JOURNALOFLATEXCLASSFILES,VOL.6,NO.1,JANUARY2007 9 uniformly; the probability of not extracting the same prime order fields GF(p). Some special cases of com- string twice is: fortable prime power fields of binary form, GF(2n), will be presented later. 2b−1 2b−2 2b−n+1 (2b−1)! ... = Given a prime p and the modular multiplicative (cid:18) 2b (cid:19)(cid:18) 2b (cid:19) (cid:18) 2b (cid:19) (2b−n)!2b(n−1) group Z∗p ={1,...,p−1}, a primitive root for that Analogously,theprobabilityofchoosingnb-bitstrings group is a generator whose order is p−1. Since no s such that no two M(s ) are equal, and, indepen- efficient algorithms exist for finding primitive roots i i dently, no two L(s ) are equal, is given by: modulo a prime, random trial-and-error methods are i used: 2 (22b −1)! • Choose a random number r from the uniform (22b −n)!22b(n−1)! distribution {2,...,p−1}; note that 1 is only a generator of the trivial group {1}, since 1x is Clearly, fixing n, both probabilities approach 1 as b always1 for anyx, so it cannever be a primitive grows large. 
root for non-trivial groups; Since both strings and half-strings are supposed • Compute the multiplicative order of r: if it is to be extracted from a random uniform process, for equaltop−1,stop; otherwise, go tothe previous provingstochastic equivalenceitissufficienttoprove step. that solving the VSS-EXP equation: However, even computing multiplicative orders is, V(x)=rx (16) in general, a hard problem: • Any number a in the multiplicative group Z∗ p is statistically as hard as solving the equation: must have as order a divisor of p − 1; so, the V(x )=rx2 (17) standard trial-and-error technique here consists 1 in evaluating ad mod p for all of the divisors of where x,x ,x belong to the same domain D (or at p−1,andtakingasresulttheminimumargument 1 2 least to domains with the same bitsize). d for which ad ≡1 (mod p); Indeed, this is true for the following reasons: • Ifp−1ishardtofactor,forexample,ifp−1=qs, • Suppose that all of the x1 and, independently, with q,s being large primes, then it is also hard all of the x values chosen for interpolation are to compute orders. 2 different:thisispracticallyalwaystrue,giventhe Hence, in order to efficiently compute primitive probabilities defined before; then, a permutation roots, one should choose the field modulus p for the σ :D →D exists, mapping each x to one and verification polynomials, such that p − 1 is easy to 1 1 only one x ; factor. One such way is choosing p−1 as a smooth 2 • ByLemma3.3,exponentiationrx definesanother number (i.e. anumber thatfactorsinto smallprimes); permutation σ :D →D, if we exclude from D however, notice that efficient computation of discrete 2 thevalue0;again,the probabilityofextractingat logarithms can be carried out in a multiplicative least one 0 value for any x or x is negligible, if group of smooth size, thanks to the Silver-Pohlig- 1 2 b is sufficiently large; Hellman algorithm [35]. • (17) can be rewritten as: Definition 4.1 (Safe primes, Sophie Germain primes). 
V(x1)=rσ1(x1) =σ2(σ1(x1)) (18) Let p be a prime number; p is safe, if p−21 is also prime. Conversely, a primeq isa SophieGermainprime, if2q+1 Since, from Lemma 3.1, the uniform distribution is also prime. holds invariance with respect to permutations The number π (x) of Sophie Germain primes less (and also compositions of permutations, by clo- sg than a given x (or equivalently, of safe primes less sure of the permutation group – Lemma 3.2), the than 2x) has been conjectured [36] to be equation of VSS-EXP presents an equivalent dis- tribution of solutions of VSS-EXP-SSP, provided Cx π (x)= , C ≃1.32032 (19) input domains are equal or similar in size. Then, sg (lnx)2 iftheEPRPassumptionisvalid,thetwoschemes are cryptographically equivalent. 4.1 Advantagesofchoosingasafeprimeasmod- ulus The are some good reasons for working in a field 4 RUNTIME EFFICIENCY REFINEMENTS having a safe prime as modulus: The VSS-EXPfamily requirescomputation of random • Order computation: if p is safe, p − 1 = 2q, primitive elements, in order for exponentiation to then any number a of the multiplicative group span over the whole multiplicative group of interest. Z∗ can have as order 2, q, or p − 1. Hence, at p Theefficiencyrefinementspresentedherewillreferto most 2 exponentiations have to be performed to JOURNALOFLATEXCLASSFILES,VOL.6,NO.1,JANUARY2007 10 compute an order – for p prime, ap−1 is always Instead, using safe primes of high Hamming weight 5 6 1, by Fermat’s theorem [31]; would remain a good choice, since the derived groups are • Numberof primitiveroots: the number of prim- not suitable – at least as of this writing – for efficient itive roots in Z∗ with p safe, is: logarithm computation. With random search, safe primes p up to 2048 bits can be found in a few minutes on modern CPUs. Moreover, lists of bigger safe primes are publicly φ(φ(p))=φ(p−1)=φ(2q) available online, for example the one in [37]. = φ(2)φ(q)=q−1 Remark. 
Computation of primitive elements in prime = p−1 −1 (20) power fields GF(pk) requires finding a primitive polyno- 2 mialoverGF(p).Alistofprimitivepolynomialsforbinary So, by random sampling, one expects to find, fields GF(2k) up to degree k = 5000 (and, in particular, on average, a primitive root after 2 attempts. for Mersenne exponents in that range) is given in [38]. Even better, since any primitive root g modulo n generates all of the other ones as: 5 INFORMATION RATES In this Section we discuss the amount of verification ga mod n, gcd(a,φ(n))=1 (21) data sent to each shareholder by the dealer for both theVSS-EXPandVSS-EXP-SSPschemes,andcompare it is enough to choose one primitive root – for them against Feldman’s scheme. example, the lowest one – and then compute the otherswithrandomvaluesacoprimetop−1and 2, i.e.: a∈{3,5,7,,...,p−2}/{q}. 5.1 VSS-EXP Summing up, a VSS-EXP scheme exploiting safe • Public parameters: q (p1 = NSP(q) is uniquely primes should work as follows: determined) or bs(q), if p1 = NSP(2bs(q)) — • Choose asfinite fieldF,GF(p), withp=NSP(q) bs(bs(q)) bits; the nextsafeprime greaterthan q;the safe prime • Private security parameter: rj – at most bs(p1) bits; can also be chosen as p=NSP(2bs(q)); • For each shareholder j, select a primitive root rj • Polynomial coefficients: at most (n − 1)· bs(p1) of F, and generate with Lagrange interpolation a bits. polynomial V (x) over F thatexponentiatesall of j the other shares through r : 5.2 VSS-EXP-SSP j • Public parameters: w (p2 =NSP(2w) is uniquely Vj(si)=rjsi , i=1,...,n , i6=j (22) determined) – bs(w) bits; • Private security parameter: rj – at most bs(p2) • Sendp,rj andthecoefficientsofVj toshareholder bits; j via a secure private channel; • Polynomial coefficients: at most (n − 1)· bs(p2) • A provided share is verified by checking if it bits. satisfies (22). 
The total amount of bits is then limited by: bs(bs(q))+n·bs(p ) (23) 1 4.2 PrimepowerfieldsfromMersenneprimes for VSS-EXP and There are some special cases of prime power fields F=GF(2n), for which order computation is not bs(w)+n·bs(p2) (24) needed. for VSS-EXP-SSP. Lemma4.1. LetpbetheexponentofsomeMersenneprime 2p−1. Then, the multiplicativegroup F∗ of thefinite field 5.3 Comparison with other commitment-based F=GF(2p) contains only primitive elements, except 1. schemes Proof:Sincethe size of thegroup isaprime num- In the following, we compare our schemes against ber, no element can have an exponentiation period Feldman’s scheme (2.2). We do not take into account lower than 2p−1, so every element greater than 1 in Pedersen’s (2.3), owing to the fact that, as already the field is primitive. discussed, its verification data is bigger than Feld- man’s. Moreover, we do not compare our schemes Remark. If DLP and EPRP are polynomially equivalent, or computationally related, working in groups of smooth 5.The Hamming weight of a bitstring is the numberof its bits cardinality would result in a loss of security, since an setto1. 6.For low Hamming weight safe prime moduli, a specialized efficient discrete logarithm computation would lead to ef- algorithm, SNFS – Special Number Field Sieve –, can compute ficient root extraction for the exponentiating polynomial. discretelogarithmsmoreefficientlythaninthegeneralcase.
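To make the two collision probabilities used in the proof of Theorem 3.5 concrete, the following Python is an added example (not code from the paper): it evaluates the product form and the paper's closed form exactly with rational arithmetic, squares the half-string version, and also evaluates the expected-trials count of footnote 4. The b, n, N and k values passed to it are constructed toy sizes, chosen small enough for the factorials to be computed.

```python
from fractions import Fraction
from math import factorial

# Added example, not the paper's code: the collision probabilities from the
# proof of Theorem 3.5 and the expected-trials count of footnote 4, evaluated
# exactly. Only small b make the factorial closed form computable; the product
# form works for any b.

def p_all_distinct(b, n):
    """P[n uniform b-bit strings are pairwise distinct], as the product
    (2^b-1)/2^b * (2^b-2)/2^b * ... * (2^b-n+1)/2^b."""
    size = 1 << b
    pr = Fraction(1)
    for i in range(1, n):
        pr *= Fraction(size - i, size)
    return pr

def p_all_distinct_closed(b, n):
    """Same probability in the paper's closed form (2^b-1)! / ((2^b-n)! 2^{b(n-1)})."""
    size = 1 << b
    return Fraction(factorial(size - 1), factorial(size - n) * size ** (n - 1))

def p_halves_distinct(b, n):
    """P[no two M(s_i) collide and, independently, no two L(s_i) collide] for
    n b-bit shares split into two b/2-bit halves (b assumed even, as in the proof)."""
    if b % 2:
        raise ValueError("b must be even")
    return p_all_distinct(b // 2, n) ** 2

def expected_trials_all_shares(N, k):
    """Footnote 4: expected draws without replacement until all k valid shares
    among N strings have been found, k(N+1)/(k+1)."""
    return Fraction(k * (N + 1), k + 1)
```

For b = 64 and n = 10 the full-string probability differs from 1 by less than 2^-58, which is the "both probabilities approach 1 as b grows" observation made quantitative; the footnote-4 value for N = 1000 strings and k = 3 valid shares is already 750.75, three quarters of the domain.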

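As an added worked example (my own code, not the authors'), the following Python implements the safe-prime VSS-EXP dealer of Section 4.1 (eq. 22) and the VSS-EXP-SSP variant of Section 3.10 (eq. 15) end to end: the NSP search, the two-exponentiation primitivity test, Lagrange interpolation over GF(p) and the shareholder's check. The function names, the 16-bit toy shares, the seed and the bit sizes are assumptions of this example; a deployment would use safe primes of the size discussed in the text and a cryptographic RNG for r_j.

```python
import random

# Added example, not the paper's code: VSS-EXP (eq. 22) and VSS-EXP-SSP (eq. 15)
# over a safe-prime field GF(p), with the Section 4.1 primitive-root search.
# Share values, bit sizes and the RNG seed are constructed toy inputs.

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.4e14."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def next_safe_prime(q):
    """NSP(q): the smallest safe prime p > q (p and (p-1)/2 both prime)."""
    p = q + 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 1
    return p

def is_primitive_root(a, p):
    """p safe, p-1 = 2q: orders are 1, 2, q or 2q, so two exponentiations decide."""
    q = (p - 1) // 2
    a %= p
    return a > 1 and pow(a, 2, p) != 1 and pow(a, q, p) != 1

def random_primitive_root(p, rng):
    """Trial and error over {2, ..., p-1}; about 2 attempts expected (eq. 20)."""
    while True:
        a = rng.randrange(2, p)
        if is_primitive_root(a, p):
            return a

def lagrange_coeffs(points, p):
    """Coefficients v_0..v_{n-1} (lowest degree first) of the degree < n polynomial over GF(p) through the points."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1              # numerator polynomial / scalar of L_i(x)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            nxt = [0] * (len(basis) + 1)   # basis *= (x - xj)
            for k, c in enumerate(basis):
                nxt[k] = (nxt[k] - c * xj) % p
                nxt[k + 1] = (nxt[k + 1] + c) % p
            basis, denom = nxt, denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for k, c in enumerate(basis):
            coeffs[k] = (coeffs[k] + c * scale) % p
    return coeffs

def poly_eval(coeffs, x, p):
    acc = 0
    for c in reversed(coeffs):             # Horner's rule
        acc = (acc * x + c) % p
    return acc

def split_half(s, w):
    """M(s) = upper w bits, L(s) = lower w bits of a share padded to 2w bits."""
    return s >> w, s & ((1 << w) - 1)

def deal(shares, rng, q=None, w=None):
    """Dealer side. w=None: VSS-EXP over GF(NSP(q)), V_j(s_i) = r_j^{s_i}.
    w set: VSS-EXP-SSP over GF(NSP(2^w)), V_j(M(s_i)) = r_j^{L(s_i)}.
    Returns {j: (p, r_j, coefficients of V_j)} for private delivery to j."""
    p = next_safe_prime(q if w is None else 1 << w)
    verif = {}
    for j in range(len(shares)):
        r = random_primitive_root(p, rng)
        pts = []
        for i, s in enumerate(shares):
            if i != j:
                x, e = (s, s) if w is None else split_half(s, w)
                pts.append((x % p, pow(r, e, p)))
        if len({x for x, _ in pts}) != len(pts):
            raise ValueError("colliding abscissae: regenerate the shares")
        verif[j] = (p, r, lagrange_coeffs(pts, p))
    return verif

def verify(verif_j, s, w=None):
    """Shareholder j's check of a share s received from another shareholder."""
    p, r, coeffs = verif_j
    x, e = (s, s) if w is None else split_half(s, w)
    return poly_eval(coeffs, x % p, p) == pow(r, e, p)
```

Run it as `verif = deal(shares, random.Random(), q=2**16 - 1)` and check another holder's share with `verify(verif[j], s_i)`; passing `w=8` instead of `q` switches to the half-share variant, where the dealer must regenerate shares if two upper halves M(s_i) coincide, as the text requires. Note that V_j is built from the other n−1 shares only, so it has n−1 coefficients and is never meant to verify shareholder j's own share.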

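Lemma 4.1 can be checked exhaustively for small binary fields. The following Python is an added example (not the paper's code) that builds GF(2^k) arithmetic from a reduction polynomial, computes every nonzero element's multiplicative order by brute force, and counts the primitive elements. The two reduction polynomials are assumptions of the example: x^7 + x + 1 (0x83) is irreducible over GF(2), so GF(2^7) has the Mersenne-prime group order 127 and the lemma predicts that every element except 1 is primitive; x^8 + x^4 + x^3 + x + 1 (0x11B) gives GF(2^8), whose group order 255 = 3 · 5 · 17 is composite, so only φ(255) = 128 elements are primitive and an order computation cannot be skipped.

```python
# Added example, not the paper's code: exhaustive check of Lemma 4.1 in small
# binary fields GF(2^k). Reduction polynomials below are assumptions of the
# example: 0x83 = x^7 + x + 1 (irreducible; 2^7 - 1 = 127 is a Mersenne prime)
# and 0x11B = x^8 + x^4 + x^3 + x + 1 (group order 255, composite).

def gf2k_mul(a, b, k, modulus):
    """Carry-less product a*b reduced modulo the degree-k polynomial `modulus`."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> k) & 1:          # degree reached k: subtract (xor) the modulus
            a ^= modulus
    return r

def mult_order(a, k, modulus):
    """Smallest e >= 1 with a^e = 1 in GF(2^k); exhaustive, fine for small k."""
    if a == 0:
        raise ValueError("0 has no multiplicative order")
    x, e = a, 1
    while x != 1:
        x = gf2k_mul(x, a, k, modulus)
        e += 1
    return e

def primitive_elements(k, modulus):
    """All nonzero elements whose order equals the group size 2^k - 1."""
    group_order = (1 << k) - 1
    return [a for a in range(1, 1 << k) if mult_order(a, k, modulus) == group_order]

def check_lemma(k, modulus):
    """Return (number of primitive elements, group order). Lemma 4.1 says the
    count is group order - 1 (everything but 1) when 2^k - 1 is prime."""
    return len(primitive_elements(k, modulus)), (1 << k) - 1
```

For k = 7 the count is 126 of 127, i.e. every element but 1, as the lemma states; for k = 8 it is 128 of 255, and the element x (0x02) has order only 51, which is why the Section 4 order computation is needed outside the Mersenne case.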