Universal Construction of Cheater-Identifiable Secret Sharing Against Rushing Cheaters without Honest Majority Masahito Hayashi Takeshi Koshiba Graduate School of Mathematics, Nagoya Univeristy Graduate School of Science and Engineering Centre for Quantum Technologies, National University of Singapore Saitama University Email: [email protected] Email: [email protected] 7 Abstract—For conventional secret sharing, if cheaters can sharing (CDSS) [3] and cheater-identifiable secret sharing 1 submit possibly forged shares after observing shares of the (CISS) [4] have been proposed. A protocol is called a (t,ǫ)- 0 honest users in the reconstruction phase then they cannot only 2 cheater-detectable secret sharing (CDSS) when it detects the disturb the protocol but also only they may reconstruct the existenceofcheatersamongplayersinvolvedinreconstruction n true secret. To overcome the problem, secret sharing scheme a with properties of cheater-identification have been proposed. with probability 1−ǫ under the condition that the number of J Existingprotocolsforcheater-identifiablesecretsharingassumed cheaters is not greater than t. A protocol is called a (t,ǫ)- 6 non-rushing cheaters or honest majority. In this paper, we cheater-identifiable secret sharing (CISS) when it identifies 1 remove both conditions simultaneously, and give its universal who submitted incorrect shares with probability 1−ǫ under ] ceonnds,twruectpiornopofrsoemtheancyonsceecprtestosfha“rinindgivisdcuhaelmied.enTtoificraestioolnve” athnids the condition that the number of cheaters is not greater than R “agreed identification”. t. C Index Terms—secret sharing, universal construction, rushing However, cheaters may submit their shares after observing cheater, cheater-identification, without honest majority shares of honest players. Such cheaters is called rushing . s cheaters.Thepapers[8],[9],[10],[6]proposedCISSprotocols [c I. INTRODUCTION to properly works against such rushing cheaters. To achieve Secret sharing is a basic primitive for secure information this task, their sharing phase is composed of two rounds. 1 transmission[1].ItinvolvesadealerwhohasasecretS inthe Unfortunately, these protocols cannot identify the cheaters v 0 secretset S and a set ofplayers. Thedealer dividesthe secret when the number of cheaters is more than the half of players 7 S intonsharesanddistributesshareston playerssuchthatif involved in reconstruction. In this situation, only the protocol 4 a set of players is qualified then all the players in the set can in [6] can detect the existence of cheaters without identifying 4 reconstruct the secret and if the set of players is not qualified them. Ishai et al [5] proposed another CISS protocol identi- 0 thenanyplayerinthesetcannotobtainanyinformationabout fying them even when the number of cheaters is more than . 1 the secret. In case of (k,n)-threshold scheme, any set of k the half of players involved in reconstruction.To achieve this 0 players can be qualified. Generally, a family A of subsets of task, they proposea locally-identifiablesecret sharing(LISS), 7 {1,...,n} is the access structure of a secret sharing protocol inwhichaserveridentifiesthecheatersinsteadofeachplayer, 1 : whenanysubsetsinA canreconstructthesecretS andothers but their LISS is not robust against rushing cheaters. In their v canlearnnothingaboutit.ItisknownthatwhenafamilyAof protocol,the playerssubmittheir sharesto the server,and the i X subsetisclosedwith respecttothe union,thereexistsa secret server recovers the secret and identifies the cheaters for each r sharingprotocolwhoseaccessstructureisAwhenthemessage player. While the server sends each player an information to a sizeandthesharesizearesufficientlylarge[2].Further,when identify the cheaters, this information depends on the player. a non-qualified set of players obtains a part of information, That is, this information is correct only when the player is the protocol is called a ramp scheme secret sharing protocol honest. cheaters. Hence, their identifications do not agree in [11]. this protocol. Forconventionalsecretsharingprotocols,itisassumedthat In a real scenario, it is not easy to prepare the server. everyone involved in the protocols is honest or semi-honest. Therefore, it is strongly required to propose a protocol to However,inarealscenario,someparticipantsmaymaliciously identify the rushingcheaters even when more than half of the behaveintheexecutionoftheprotocol.Inparticular,apartof playersinvolvedinreconstructionarecheaters.Inthispaper,to playersmaysubmitincorrectsharessoastoyieldanincorrect resolve this problem, we propose the concepts of “individual secret in the reconstruction phase. To overcome the problem, identification” and “agreed identification”. A CISS protocol additional propertiesto conventionalsecret sharing have been with individual identification privately identifies the cheaters consideredand newschemessuch ascheater-detectablesecret so that the identification depends on individual players. A TABLEI COMPARISONOFPROPOSEDCISSPROTOCOLWITHEXISTINGCISSPROTOCOLS Numberof Universal Large Rushing Efficiency Flexibility Cheaters Construction FiniteField [5] t<n No Yes O(ℓlogℓ) No Need [8],[9],[10] t<k/2 Yes No O(ℓlogℓ) No Need [6] t<k/2 Yes No O(ℓlogℓ) Yes Need Proposed t<n Yes Yes O(ℓlogℓ) Yes Needless n is the number ofthe players. t is the number of the cheaters. k is the number of qualified players. 1−e−ℓ is the successful probability to identify the cheaters.Efficiencyshowsthecalculation complexityoftheprotocol.Flexibilityistheindependenceofthechoiceofthesecurityparameterℓfromthesecret sizeortheformoforiginal protocol. CISS protocolwith agreed identification commonly identifies identify the cheaters with probability 1−e−ℓ, the calculation the cheaters so that the identification is independent of the complexity of the protocols given in [6] is O(ℓlogℓ). When player. The difference between these two types of protocols the protocol is universally constructed, the total calculation is based on whether their identifications agree or not. The complexitydependsontheoriginalsecretsharingprotocol.In protocolin[5]belongsto theformer,andtheprotocolsin [8], this case, we focus on the calculation complexity except for [9], [10], [6] do to the latter. However, we do not need to the part of the original protocol. In this sense, the protocol in distinguish CDSS protocols in this way because there is no [5] is O(ℓlogℓ), and our protocol is also O(ℓlogℓ). advantage even when a CDSS protocol individually detects However,wecannotnecessarilychoosethesecurityparam- the existence of the cheaters. eter ℓ freely. In the protocols in [8], [9], [10], the security We propose a CISS protocol with individual identification parameter ℓ depends on the size of secret. Hence, it is as well as a CISS protocol with agreed identification. Both desired to flexibly choose the security parameter ℓ. We call protocolswell work evenwith rushingcheaters, and the latter a protocol flexible, when the security parameter ℓ can be set is composed of two rounds as well as the protocol in [6]. independently, i.e., independent of the secret size. Flexibility The former can identify the cheaters even when more than provides the power of partial customization of length of halfoftheplayersinvolvedinreconstructionarecheaters.The randomstrings, accordingto the requirement.The protocolin latter can detect the existence of the cheaters under the same [6] can flexibly choose the security parameter ℓ by adjusting situation, but can identify the cheaters only when less than the finite field with prime size. Also, the protocol in [5] half of the players in reconstruction are cheaters. When less can flexibly choose the security parameter ℓ by adjusting the thanhalfoftheplayersinvolvedinreconstructionarecheaters, finite field appearing in the original protocol. Although these even the latter can identify the cheaters. This performance is protocolsoffertheflexibility,thesecurityparameterℓdepends the same as the protocol given in [6]. onthesizeofthefinitefield.Theabovecalculationcomplexity Next, we discuss the construction of protocols. Algebraic O(ℓlogℓ) can be realized by suitable choices of the size of structuresunderliemanyCISSprotocols[8],[9],[10],[6]asin the finite field in these protocols [12]. Hence, the choice of theoriginalconstructionbyShamir.Theyarelimitedto(k,n)- the security parameter ℓ has a certain restriction when we threshold scheme protocols. However, in the community of keep the calculation complexity O(ℓlogℓ). Therefore, it is information theory, so many efficient secret sharing protocols desired to completely freely choose the security parameter were proposed when the size of secret is large [11], [2]. ℓ. Fortunately, our protocol works with any finite field, and Protocols with general access structure were constructed [2]. the security parameter ℓ can be freely chosen independently Also, ramp scheme secret sharing protocols were constructed of the size of the finite field and the secret size. Therefore, [11].Suchgeneralsecretsharingprotocolswerenotusedtoin our protocol is flexible and works even with finite field F2, these CISS protocols.Hence, it is desired to constructa CISS whichsimplifiestherealization.Overall,thecomparisonofthe protocol by converting an existing secret sharing protocol. performancesofexistingprotocolswithoursissummarizedas Such a construction is called a universal construction. The Table I. protocolin[5]isuniversalinthissense.But,itwasconstructed The remaining part of this paper is as follows. Section II byconvertinganexistingsecretsharingprotocolonlywhenthe gives our CISS protocol for individual identification. Section share is given as an element of a finite field. So, to make the IIIshowsitssecurity.SectionIVgivesourCISSprotocolsfor scheme more secure, it needs a finite field of larger size. Our agreed identification and detection. Section V compares the constructionisuniversallygivenwhentheshareoftheexisting overhead of ours with those of existing protocols. secret sharing protocolis given as an elementof vector space of a finite field. That is, it does not require a finite field of II. PROTOCOL FOR INDIVIDUAL IDENTIFICATION large size. Let n be the number of players and ℓ′ be the security Fromapracticalviewpoint,weneedtocareaboutthecalcu- parameter. That is, we will construct our protocol so that lationcomplexityoftheprotocol.A protocolisefficientwhen the verifier identifies the cheater with probability more than its calculation complexity is not so large. When the players 1−q−ℓ′. CISS for CDSS Individual Identification P identifies P and P They consider there exists 1 2 3 as cheaters. at least one cheater. CISS for Agreed Identification They identify P as cheater if P and P collude together. 1 2 3 Fig.1. ACaseofmajority cheaters. Abluecircle expressesahonestplayerandredcircles expresscheaters. Let (Sh,Rc) be a secret sharing protocol realizing access as follows. To see this fact, we assume that the j -th player, 1 structure A with Sh:S →Vn, where V is an m-dimensional the j -th player, ..., the j -th player collude together. We 2 a vector space Fm over a finite filed F . To present our CISS focus on the information X shared by the i-th player. Since q q i protocol for individual identification based on the protocol Z is independent and uniform, Y ,Y ,...,Y are j,i j1,i j2,i ja,i (Sh,Rc),wemakepreparationasfollows.ForthesecretS,we independent of T X ,T X ,...,T X . Since they obtain j1 i j1 i ja i define the random number X := Sh (S) as the share of the no information for T X ,T X ,...,T X , they obtain no i i j1 i j1 i ja i j-th player, which is sent by the dealer. For i6=j, the dealer information X . i independentlygeneratesn(n−1)randomnumbersZ taking Thus,if theoriginalprotocolwithshare X worksas secret j,i i valuesin Fℓ′. Also, the dealerindependentlygeneratesℓ′×m sharing well, our protocol also works as secret sharing well. q Toeplitz matrix T . Then, the dealer calculates the random In summary, we have the following theorem. j numberY :=T X +Z . Now, we give our CISS protocol Theorem 1: Protocol 1 is an (n −1,q−ℓ′)-CISS protocol j,i j i j,i for individual identification as Protocol 1. From Protocol 1, realizing access structure A with secret space S and share we find that its calculation complexity is O(ℓ′logℓ′). space S =F(2n−1)ℓ′+2m−1. i q Protocol 1 CISS protocol for individual identification IV. PROTOCOL FORAGREED IDENTIFICATION STEP 1: [Dealing] The dealer sends the j-th player the pub- Now, we can give our CISS protocol for agreed identifica- lishable information(X ,Q Z ) and the identification- tion as Protocol 2. j i6=j j,i information (T ,Q Y ). j i6=j j,i Protocol 2 CISS protocol for agreed identification STEP 2: [Sharing]The playerswishing to openthe informa- tion send their publishable information. STEP 1: [Dealing] The dealer sends the j-th player the pub- STEP 3: [Reconstruction] The players reconstruct the origi- lishable information(Xj,Qi6=jZj,i) and the identification- nal information from the collection of Xi′. information (Tj,Qi6=jYj,i). STEP 4: [Identification] The j-th player checks whether the STEP 2: [Sharing (Round 1)] The players wishing to open relation the information send their first part information. STEP 3: [Sharing (Round 2)] The players wishing to open Yj,i =TjXi′+Zj′,i (1) the information send their second part information. STEP 4: [Reconstruction] The players reconstruct the origi- holdswhenthe informationreceivedfromthe i-th playeris (X′,Q Z′ ). nal information from the collection of Xi′. j i6=j j,i STEP 5: [Identification] We employ the majority voting of the results of respective individual identification. III. SECURITY ANALYSIS Since the function(X ,Z )7→T X +Z is a universal2 Since the majority voting of the results of respective indi- i j,i j i j,i hashfunctionwiththerandomlychosenToeplitzmatrixT ,the vidualverificationsidentifieswhomakescheatingifmorethan j relation(1)holdswithprobabilitysmallerthanq−l′ ifthej-th half of the players wishing the reconstruction are honest, we player makes a cheat. Therefore, even though all of players have the following theorem. exceptfor the i-th playermakescheatingevenwith collusion, Theorem 2: Protocol2isa(⌈(k−1)/2⌉,q−ℓ′)-CISSproto- the i-th player can identify who makes cheating with high col realizingaccess structure A with secret space S and share probability as Fig. 1. space S =F(2n−1)ℓ′+2m−1. i q Also, even though several players collude together, they Modifying Step 5 in Protocol 2 in the following way, we cannot obtain any information for the shares by other players canmakeaCISSprotocol,whichiscalledProtocol2′.Ifthere existsa playerwhoindividuallyidentifiesatleast onecheater, We can freely choose the security parameter ℓ independently we considerthatthere exists a cheater. So, Protocol2′ detects of the secret size and share size of the original secret sharing the existence of the cheaters with probability 1−q−l′ as Fig. protocol. Also, we do not use huge finite fields. That is, we 1, which yields the following theorem. can realize any security parameter ℓ even with the finite field Theorem 3: Protocol 2′ is an (n−1,q−ℓ′)-DISS protocol F . These characteristics simplify the realization. We have 2 realizing access structure A with secret space S and share checked that the overhead of our protocols are not so huge space S =F(2n−1)ℓ′+2m−1. in comparison with existing protocols. i q Now, we consider the case when more than half players ACKNOWLEDGMENTS collude together. We assume that only the j -th player is 0 MH was supported in part by a JSPS Grant-in-Aid for honest and that the majority cheater, the j -th player, ... the 1 Scientific Research (B) No.16KT0017, the Okawa Research j -th player collude together. The cheater, the j -th player a v Grant and Kayamori Foundation of Information Science Ad- rewrites T , Z and Y for 1 ≤ v ≤ a, 0 ≤ w ≤ a jv jv,jw jv,jw vancement. TK was supported in part by JSPS Grant-in-Aids so that Y = T X + Z for 1 ≤ w ≤ a and jv,jw jv jw jv,jw for Scientific Research (A) No.16H01705, for Scientific Re- Y 6= T X + Z . Due to the majority voting, the jv,j0 jv j0 jv,j0 searchonInnovativeAreasNo.24106008,andforChallenging agreed identificationis that the honestplayer,the j -th player 0 Exploratory Research No.26540002. is a cheater. Therefore, when the majority make cheating, the identification of our CISS protocol for agreed identification REFERENCES is incorrect while the identification of our CISS protocol for [1] A. Shamir: How to share a secret, Communications of the ACM individual identification is correct, as Fig. 1. 22(11):612–613 (1979). [2] M. Iwamoto and J. Shikata: Secret sharing schemes based on min- V. COMPARISON OF OVERHEAD entropies, in Proc. of IEEE International Symposium on Information Theory(ISIT2014),pp.401–405(2014). First, we compare the overhead of the protocol in [5] with [3] M. Tompa and H. Woll: How to share a secret with cheaters, J. ours. Let u be the size of the share of the original secret Cryptology 1(3):133–138 (1989). sharing protocol. When the success probability is 1 − e−ℓ, [4] R. J. McEliece and D. V. Sarwate: On sharing secrets and Reed- Solomoncodes,Communication oftheACM24(9):583–584 (1981). the size of the share of their CISS protocol is greater [5] Y.Ishai, R.Ostrovsky,H.Seyalioglu: Identifying cheaters without an than ue−(4n+1)ℓ(n2(n + 1))4n+1. That is, their overhead is honest majority. in Proc.the 9thTheory ofCryptography Conference e(4n+1)ℓ(n2(n+1))4n+1.However,ourprotocolhasoverhead (TCC 2012), Lecture Notes in Computer Science 7194, pp.21–38, e(2n−1)ℓqm−1. That is, the their exponential coefficient with Springer(2012). [6] A. Adhikari, K. Morozov, S. Obana, P. S. Roy, K. Sakurai, and R. respect to the security parameter ℓ is twice as ours. Xu: Efficient threshold secret sharing schemes secure against rushing Next, we compare the overhead of the protocol in [6] with cheaters, in Proc. the 9th International Conference on Information Theoretic Security (ICITS 2016), Lecture Notes in Computer Scinece ours. Since their protocol is specified to the (k,n)-threshold 10015,pp.3–23,Springer(2016). scheme, we translate our overhead to the (k,n)-threshold [7] K. M. Martin, Challenging the adversary model in secret sharing scheme. When the secret size is |S|, the conventional (k,n)- schemes,http://www.isg.rhul.ac.uk/∼martin/files/Brusselsfinal.pdf [8] P. S. Roy, A. Adhikari, R. Xu, K. Morozov, and K. Sakurai: An threshold scheme has share size |S|p(n) for some polynomial efficient t-cheater identifiable secret sharing scheme with optimal p. When we construct our CISS protocol based on this secret cheater resiliency, eprint.iacr.org/2014/628.pdf sharing protocol,the share size is |S|p(n)e(2n−1)ℓqm−1. That [9] R. Xu, K. Morozov, and T. Takagi: On cheater identifiable secret sharing schemes secure against rushing adversary, in Proc. the 8th is, its exponential coefficient with respect to the security International Workshop on Security (IWSEC 2013), Lecture Notes in parameter ℓ is still (2n −1). In contrast, the (⌈k/2⌉,e−ℓ)- ComputerScience 8231,pp.258–271,Springer(2013). CISS protocol in [6] has share size v(n−⌈k/2⌉)n+ke(n+k)ℓ. [10] R.Xu,K.Morozov,andT.Takagi:Cheateridentifiable secretsharing schemesviamulti-receiverauthentication,inProc.the9thInternational That is, its exponentialcoefficientwith respectto the security Workshop on Security (IWSEC 2014), Lecture Notes in Computer parameter ℓ is n+ k. So, when k is close to n, these two Science 8639,72–87,Springer(2014). overheads are almost the same. [11] H. Yamamoto: On secret sharing systems using (k,L,n) threshold scheme, IEICETrans.,J68A(9):945–952 (1985), inJapanese. English VI. DISCUSSION translation: Electronics andCommunications inJapan, PartI,vol.69, no.9,pp.46–54,ScriptaTechnica, Inc.,1986. Firstly, we have proposed to distinguish a CISS protocol [12] M. Hayashi and T. Tsurumaru: More efficient privacy amplification for individual identification from a CISS protocol for agreed withlessrandomseedsviadualuniversal hashfunction, IEEETrans- actions onInformation Theory,62(4):2213–2232 (2016). identification. Then, based on any existing secret sharing protocol, we have universally constructed CISS protocols for individual identification and agreed identification as well as a CDSSprotocol.OurCISSprotocolforindividualidentification and our CDSS protocol well work even when more than half of the players involved in reconstruction are cheaters. Our CISS protocol for agreed well works when less than half of the players in reconstruction are cheaters. Our protocols have calculation complexity O(ℓlogℓ) when the probability of successfully identifying(detecting)the cheaters is 1−e−ℓ.