The present application is related to U.S. patent application Ser. No. 14/577,206, filed Dec. 19, 2014 (now U.S. Pat. No. 9,455,968, issued on Sep. 27, 2016), entitled “Protection of a Secret on a Mobile Device Using a Secret-Splitting Technique with a Fixed User Share;” and U.S. patent application Ser. No. 14/672,507, filed May 30, 2015 (now U.S. Pat. No. 9,813,243, issued on Nov. 7, 2017), entitled “Methods and Apparatus for Password-Based Secret Sharing Scheme,” each incorporated by reference herein.
The present invention relates to the protection of secret keys and other information in devices.
To strengthen the security of computer systems against network intrusions and server compromises, key splitting is often applied in order to split the secret state of the system (typically a key) into a number of (typically randomly chosen) “partial states,” or shares, which are then dispersed into a number of devices. Then, an attacker's task is much harder: Leakage of the full secret state requires that the attacker gets access to a sufficiently large number of the shares.
Recently, U.S. patent application Ser. No. 14/672,507, filed May 30, 2015 (now U.S. Pat. No. 9,813,243, issued on Nov. 7, 2017), entitled “Methods and Apparatus for Password-Based Secret Sharing Scheme,” incorporated by reference herein, disclosed password-based secret sharing (PBSS) for threshold and exclusive OR (XOR)-based secret sharing. The disclosed PBSS techniques allow for one or more of these shares to be fixed (e.g., to take predetermined values that are independent of the split key and not necessarily randomly chosen). PBSS, in particular, enables key splitting to employ a user's password or other personal secret information as a share into which the key is split, as described in the key-splitting framework disclosed in U.S. patent application Ser. No. 14/577,206, filed Dec. 19, 2014 (now U.S. Pat. No. 9,455,968, issued on Sep. 27, 2016), entitled “Protection of a Secret on a Mobile Device Using a Secret-Splitting Technique with a Fixed User Share,” incorporated by reference herein.
Nonetheless, a need remains for password-based secret sharing schemes for richer classes of sharing schemes (beyond, for example, Shamir's threshold scheme or XOR-based secret sharing).
Illustrative embodiments of the present invention provide methods and apparatus for generalized password-based secret sharing. In one embodiment, an exemplary secret sharing method comprises obtaining a secret; obtaining m fixed values from one or more parties, where m is greater than or equal to one; setting a first element of a column vector of a password-based linear secret sharing scheme having a size t to a value that depends on the secret; randomly selecting values from a field for t−m−1 additional elements of the column vector; setting the remaining elements of the column vector to values that ensure that the product of an m-by-t matrix and the column vector is, for each of the one or more parties, equal to the fixed value of the corresponding party; and distributing non-fixed shares based on the product to additional parties using a labeling function.
In another embodiment, an exemplary secret sharing method comprises obtaining a secret; obtaining at least one fixed value from one or more parties in a set of parties; obtaining a defining matrix corresponding to the secret for a threshold secret sharing scheme with a threshold and a field of both the secret and a plurality of shares of the secret; setting a given share for each party in the set of parties to the corresponding obtained fixed value for all parties in the set of parties; randomly selecting a row in the defining matrix from all rows of the defining matrix such that an element in the row corresponding to each of the one or more parties in the set of parties is equal to the corresponding obtained fixed value; and distributing non-fixed shares from the elements of the selected row to corresponding parties not in the set of parties. The random row selection optionally further requires that an element in the row corresponding to the secret is equal to the secret.
In one or more embodiments, each fixed value comprises one or more of secret information related to the one or more parties; a password of the one or more parties; and a hash function applied to a password of the one or more parties.
In one or more embodiments, reconstruction of the secret can be based on a minimum number of shares that must be obtained in a predefined order to reconstruct the secret; or an access structure comprising one or more authorized sets of parties. The authorized sets of parties comprise an ordered set of parties that need to combine shares in a predefined order to reconstruct the secret.
Embodiments of the invention can be implemented in a wide variety of different devices and applications for the protection of key material or other protected material using password-based secret sharing schemes.
Illustrative embodiments of the present invention will be described herein with reference to exemplary communication systems and associated servers, clients and other processing devices. It is to be appreciated, however, that the invention is not restricted to use with the particular illustrative system and device configurations shown.
Aspects of the invention provide a number of exemplary secret sharing schemes, collectively referred to herein as password-based secret sharing schemes. One or more embodiments of the invention recognize that fixed (e.g., password-based) shares can be substantially securely supported by two larger classes of secret sharing schemes, namely, linear secret sharing schemes (LSSS) and threshold secret sharing schemes that are based on orthogonal arrays. That is, substantially any linear secret sharing scheme or substantially any threshold sharing scheme based on orthogonal arrays (where each constitutes a different, possibly larger, class of sharing schemes than Shamir's or XOR-based schemes) can be adapted in one or more embodiments to substantially securely allow support of fixed shares (e.g., can be extended to become a password-based linear secret sharing scheme or a password-based orthogonal-array sharing scheme). See, for example, Adi Shamir, “How to Share a Secret,” Commun. ACM, Vol. 22, No. 11, 612-613 (November 1979), incorporated by reference herein.
A secret sharing scheme is a pair of algorithms (Share, Rec) that allow the sharing of a secret Y into a number of shares, or sharing, S={s1,s2, . . . ,sn}, which are distributed to a number of entities, or parties, P={p1,p2, . . . ,pn′}, n′≤n, so that each party receives at least one share, such that reconstruction of secret Y is allowed from a subset of shares only under certain conditions on this subset being met. Such conditions on subsets of shares that allow secret reconstruction may depend on the subset size or, more generally, on the exact members of the subset, i.e., on the exact combination of shares and, therefore, on a corresponding combination of parties. These conditions are typically expressed by an access structure (AS) that characterizes the exact subsets of shares, or corresponding subsets of parties, that allow reconstruction of the secret for a given scheme. Any such subset in the access structure of a scheme is often called an authorized set of shares or parties. A secret sharing scheme should therefore limit secret reconstruction to authorized sets in its access structure and disallow secret reconstruction from any subset of shares or parties not in its access structure.
Generally, a secret sharing scheme can support an arbitrary such set of conditions defined by the access structure AS containing authorized sets of parties that result from any set-operation formula over the parties in P={p1,p2, . . . ,pn′}. For example,
AS={{p1∪p2}, {(p1∪p2∪p3)∩(p2∪p3∪p4)}}.
Often, for secret sharing to be more efficient and secret reconstruction conditions to be meaningful, the access structure should be expressed by a monotone formula, so that, for example, if subset {p2,p3} is included in AS, then all proper supersets of it are also included.
Generic Schemes
Generic secret sharing schemes for general monotone access structures are known to exist. See, for example, J. Benaloh and J. Leichter, “Generalized Secret Sharing and Monotone Functions,” Proc. on Advances in Cryptology, CRYPTO '88, pages 27-35 (1990); M. Ito et al., “Multiple Assignment Scheme for Sharing Secret,” J. of Cryptology, Vol. 6, No. 1, 15-20 (1993); and/or M. Ito et al., “Secret Sharing Schemes Realizing General Access Structure,” Proc. of the IEEE Global Telecommunication Conference, Globecom 1987, pages 99-102 (1987).
For example, the two referenced schemes by M. Ito et al. support a general monotone access structure AS by separately masking the shared secret Y for each authorized set Ai ∈ AS as follows: One or more “mask” shares Ri
Sk={Ri,Φ(k,i) | Ai ∈ AS,pk ∈ Ai},
where function Φ(k,i) returns the rank of pk ∈ Ai in set Ai={pi
Existing generic schemes of the above design paradigm are both ideal (that is, each share has a size that is exactly the size of the secret) and perfectly private (that is, any unauthorized set learns nothing about the secret in an information-theoretic sense).
Similarly, the above-referenced scheme by Benaloh and Leichter recursively applies additive secret sharing to a collection of elementary access structures (or authorized sets) and a collection of secondary access structures (or authorized sets) defined as the intersection of elementary access structures, with the overall goal of removing redundancies among the elementary access structures and, thus, reducing the total number of shares used in the scheme. For example, a secret Y can be shared to the secondary authorized set A1 ∧ A2 defined over the elementary sets A1={p1,p2,p3} and A2={p2,p3,p4} by first choosing randomly and independently secrets Y1 and Y2 such that Y=Y1⊕Y2 (or Y=Y1+Y2 mod m if secrets come from the domain 0,1, . . . ,m−1) and then additively sharing Y1 and Y2 to the sets {p1,p2,p3} and {p2,p3,p4}, respectively. Then, only members of A1 ∧ A2 can reconstruct the “sub-secrets” Y1 and Y2, both of which are needed for the reconstruction of secret Y, and such a recursive scheme can generally lead to efficiency improvements compared to the “flat” generic scheme discussed above [6,5].
Threshold Schemes
Threshold secret sharing schemes, on the other hand, are special schemes with corresponding access structures where reconstruction depends only on the number of available parties (or combined shares), namely, by including only authorized sets of size at least a given threshold value. Specifically, in a typical (t,n) or t-out-of-n secret sharing scheme, 2≤t≤n, the secret is split into n shares where each party pi is provided with exactly one share si, and secret reconstruction is allowed by any set of parties (equivalently, set of shares) of size t or more, that is, any set reaching a size of the reconstruction threshold value t.
Shamir's secret sharing scheme is the most widely used threshold scheme and is based on polynomials. For a description of Shamir's secret sharing scheme, see, for example, Adi Shamir, “How to Share a Secret,” Commun. ACM, Vol. 22, No. 11, 612-613 (November 1979), incorporated by reference herein.
Under Shamir's secret sharing scheme, given a secret Y in the appropriate range, a random polynomial ƒ(·) of degree t−1 is chosen by selecting randomly and independently t−1 polynomial coefficients so that ƒ(0)=Y, where arithmetic modulo a (large) prime of an appropriate length is used to evaluate the polynomial, and the produced sharing takes the form S={si=(i,ƒ(i)) | i ∈ [1:n]}. Then, secret reconstruction is allowed through polynomial interpolation (and evaluation of ƒ(0)) for any subset of shares of size at least t, based on the fact that any k points uniquely define a polynomial of degree (at most) k−1 passing through all these points. Shamir's scheme is both ideal (that is, each share is the size of the secret) and perfectly private (that is, any unauthorized set of at most t−1 shares learns nothing about the secret in an information-theoretic sense).
The XOR-based additive secret sharing scheme discussed above is essentially a (n,n) or n-out-of-n threshold scheme.
As noted above, aspects of the invention provide a number of secret sharing schemes, collectively referred to herein as generalized password-based secret sharing schemes. In various embodiments of the invention, the exemplary generalized password-based secret sharing schemes achieve the property of substantially securely supporting selection of predetermined fixed shares. A predetermined fixed share is associated with a predetermined fixed value, such as a user's password.
As shown in
Γ is used to denote the access structure, which is the set of qualified sets for a secret sharing scheme S.
Shamir's Secret Sharing Scheme:
Secret sharing was first proposed by Shamir. See, e.g., A. Shamir, “How to Share a Secret,” Communications of the Association of Computer Machinery, Vol. 22, No. 11, 612-13 (1979). The model is that a trusted dealer has a secret and wants to distribute one share of the secret to each party so that any adversary with up to t−1 shares can gain no information about the secret, while anyone with t shares can reconstruct the secret. Shamir's scheme works as follows. The secret w lies in a finite field 𝔽_q, where q is a large prime. The dealer randomly chooses a1,a2, . . . ,a_{t−1} ∈ 𝔽_q to define a polynomial ƒ(·) of degree t−1 with ƒ(x)=w+a1x+a2x^2+. . . +a_{t−1}x^{t−1}, and privately delivers to party Pi ∈ {P1,P2, . . . ,Pn} the share si=(i,ƒ(i)). Then, t (or more) shares suffice to reconstruct the polynomial ƒ by Lagrange interpolation and thus the secret w=ƒ(0); but any t−1 shares are fully and equiprobably consistent with any possible value w′ ∈ 𝔽_q of the secret, thus any t−1 or fewer shares leak substantially no information about the secret.
Linear Secret Sharing Schemes as Generalization of Shamir's Scheme:
Shamir's scheme can be viewed as computing each share si as the i-th element (row) yi of the vector y=Nx, where x is the vector (w a1 . . . a_{t−1})^T and N is an n×t matrix whose i-th row is (1 i . . . i^{t−1}). In Shamir's scheme, each row corresponds to the share of a party, although, as discussed below, multiple rows can be assigned to a given party. In particular, a linear secret sharing scheme (LSSS) for sharing a secret w to n parties Pi can be viewed as the generalization of Shamir's scheme (e.g., as described in R. Cramer et al., “Secure Multiparty Computation and Secret Sharing,” Cambridge University Press (2015)). The generalization of Shamir's scheme is defined by an m×t matrix M, where m≥n, and also m>t without loss of generality, and a labeling function Φ:{1, . . . ,m}→{1, . . . ,n} that assigns rows to parties, such that party PΦ(i) owns the i-th row of M and the i-th share (thus, a party may receive more than one share). For a subset A of the parties, let MA be the matrix consisting of the rows owned by parties in A. To share a secret s ∈ 𝔽, where 𝔽 is an appropriate finite field, a column vector rs is constructed that contains s as its first element and t−1 other elements a1, . . . ,a_{t−1} randomly chosen in 𝔽, and the vector of shares Mrs is computed and distributed by privately delivering share (Mrs)i to party PΦ(i). Here, Mrs is a column vector of size m, that is, m numbers in one column, which correspond to the shares of the secret that are distributed amongst the n parties.
As described in R. Cramer et al., “Secure Multiparty Computation and Secret Sharing,” Cambridge University Press (2015), a linear secret sharing scheme S with n parties over a field 𝔽 can be defined by a matrix M. M has m≥n rows and t columns, and there is a labeling function Φ:{1, . . . ,m}→{1, . . . ,n} such that party PΦ(i) owns the i-th row of M and the i-th share. For a subset A of the parties, let MA be the matrix consisting of the rows owned by parties in A.
To share a secret s ∈ 𝔽, a column vector rs is constructed such that the first element is s, and the other elements a1, . . . ,a_{t−1} are randomly chosen in 𝔽. Finally, the vector of shares Mrs is computed and distributed by giving (Mrs)i to party PΦ(i).
A linear secret sharing scheme is considered substantially secure for an access structure Γ, as long as the matrix M satisfies the following properties: (1) (Correctness) for all qualified subsets A ∈ Γ, it holds that the vector e=(1,0, . . . ,0)^T is in the row space of MA, i.e., e=(1,0, . . . ,0)^T ∈ Im(MA^T); and (2) (Privacy) for all unqualified subsets A ∉ Γ, it holds that e ∉ Im(MA^T). Therefore, in one or more embodiments, shares owned by A give no information about the secret.
Note that, for any matrix M, ker(M)^⊥=Im(M^T). For any vector e, e ∉ Im(M^T) if and only if there exists w ∈ ker(M) with w^T·e≠0.
Note also that, indeed, Shamir's secret sharing scheme is an example of an LSSS scheme, obtained by setting the i-th row of M to (i^0,i^1, . . . ,i^{t−1}) for i=1,2, . . . ,n, where t is the reconstruction threshold.
Defining Matrix:
As described in E. F. Brickell and D. M. Davenport, “On the Classification of Ideal Secret Sharing Schemes,” J. of Cryptology, Vol. 4, No. 2, pages 123-134 (1991), a secret sharing scheme S over a secret field and a share field can be defined by a matrix M. M has m rows and n+1 columns. The first column stores values for the secret from the secret field and the other columns store values for shares. M is public. To share a secret (randomly chosen), one row Mr=(M(r,0),M(r,1), . . . ,M(r,n)) is randomly chosen from M, where M(i,j) denotes the element in row i and column j of M. M(r,0) is the secret, and M(r,i) is the share for party Pi for i=1, . . . ,n. The shares are distributed to the parties through private channels and each party holds only one share.
M is called the defining matrix of S. In order for a secret sharing scheme to be correct and secure, M should have the following properties:
Intuitively, given shares from a subset A, iterate over all rows of M to find those rows that have the same value of these shares at the corresponding columns. Property (a) guarantees that if A is a qualified set, all matching rows have the same first element, which is the secret. Property (b) guarantees that if A is an unqualified set, among those matching rows, every possible value of the secret appears exactly the same number of times, thus, no information of the secret can be learned. The detailed proof of the equivalence of Properties (a) and (b) and the security of the secret sharing scheme can be found in E. F. Brickell and D. M. Davenport, referenced above.
Defining Orthogonal Arrays:
An orthogonal array is a matrix M whose elements come from a set B of size b. M has n columns and the following parameters: the strength t and the index λ. The defining property of an orthogonal array is that, for every selection of t out of the n columns, every vector [x1, . . . ,xt] ∈ B^t appears exactly λ times among all rows restricted to these t columns. It is not hard to see that with this property the number of rows is λb^t. OA(λb^t,n,b,t) denotes such an orthogonal array.
An example of OA(4,3,2,2) is shown below:
As proposed in J. Pieprzyk and X. M. Zhang, “Ideal Threshold Schemes from Orthogonal Arrays,” Information and Communications Security, pages 469-479 (Springer, 2002), a threshold secret sharing scheme can be constructed using an orthogonal array as the defining matrix. For a threshold secret sharing scheme with n parties, threshold t and the field 𝔽_q of both the secret and the shares, its defining matrix is constructed as M=OA(q^t,n+1,q,t).
Thus, the defining matrix M=OA(q^t,n+1,q,t) satisfies Properties (a) and (b) of a defining matrix for a threshold secret sharing scheme with n parties, threshold t and the field 𝔽_q of both the secret and the shares.
Shamir's secret sharing is an example, obtained by setting up the orthogonal array as follows: for each column i=0,1, . . . ,n, a vector βi=[1,i^1, . . . ,i^{t−1}] is constructed (this requires n<q, so that the evaluation points i are distinct modulo q). For every instance of the vector x=[x1, . . . ,xt] ∈ 𝔽_q^t, the inner product βi·x is computed as one element of the column, in order. In this way, the matrix is an orthogonal array OA(q^t,n+1,q,t).
As noted above, one or more exemplary embodiments of the invention allow fixed (or password) shares to be substantially securely supported by two larger classes of secret sharing schemes, namely, all linear secret sharing schemes (LSSS) and all threshold secret sharing schemes that are based on orthogonal arrays. That is, any linear secret sharing scheme or any threshold sharing scheme based on orthogonal arrays (where each constitutes a different, possibly larger, class of sharing schemes than Shamir's or XOR-based schemes) can be adapted to substantially securely allow support of fixed shares (e.g., can be extended to become a password-based linear secret sharing scheme or a password-based orthogonal-array sharing scheme).
Without loss of generality, one or more embodiments assume that whenever the predetermined value that is selected independently of the shared secret as a party's fixed share corresponds to this party's password, then this password is selected to be a strong password. That is, if a party selects its fixed share to be a password π, then it holds that for any unbounded power algorithm Adv,
Pr[Adv(πi)=1]−Pr[Adv(πj)=1]=0, for any two values πi, πj of the password.
A linear secret sharing scheme S with random shares is defined by a matrix M with properties described in the sub-section entitled “Linear Secret Sharing Schemes as Generalization of Shamir's Scheme.” Extensions of scheme S are considered that can support one or more fixed shares. It is noted that wherever a fixed share corresponds to a password selected by a party (i.e., a user), then the value of this fixed share can be obtained, for example, by applying an appropriate compressed-range hash function, such as a cryptographic collision-resistant hash function h or an appropriate key derivation function, to the selected password.
First, consider the case where only one share, that of party PΦ(1), is selected to be a fixed share that takes the value s1=π. In this case, this modification (that is, selecting s1 to be a fixed share) means that the matrix M does not change, but to share a secret, the column vector rs is constructed such that (M·rs)1=π. The first element a0 of rs is accordingly set to be the secret s and the remaining elements a1,a2, . . . ,a_{t−2},a_{t−1} are randomly selected consistent with the fixed-share condition (M·rs)1=π. In particular, the linear equation resulting from the condition (M·rs)1=π can be solved with respect to one undetermined variable ai that appears in this equation, and all other undetermined values aj, j≠i, are set by independently choosing random elements from the domain 𝔽. S′ denotes the modified scheme.
The above method can be further generalized to support more than one fixed share, in particular a number of fixed shares up to a preset, known upper bound, as would be apparent to a person of ordinary skill in the art.
In particular, as described in the section entitled “Linear Secret Sharing Scheme (LSSS),” a party can have multiple shares, therefore, for each party Pi, its shares are defined as Si={Si,j, ∀j:Φ(j)=i}. Let Pπ={Pl
is the total number of fixed shares.
However, as apparent to one of ordinary skill in the art, this requirement is not necessary, and the generalized method can also support the case where, not all, but at least one share in Si for party Pi ∈ Pπ is fixed.
For a linear secret sharing scheme S defined by a matrix M, the number m′ of fixed shares is bounded by m′≤t−2. To extend the linear secret sharing scheme S to support fixed shares, upon obtaining all fixed shares Si,j=πi,j for all i,j such that i=Φ(j) and Pi ∈ Pπ, the dealer sets the first element of vector rs as the secret s and then sets the remaining t−1 elements a1, . . . ,a_{t−1} of vector rs: (1) randomly; and (2) consistently with the fixed-shares conditions
(M·rk)j=Si,j=πi,j for all i=Φ(j): Pi ∈ Pπ.
Generally, there are a number of ways to realize the above two goals that follow the following general pattern.
The above general pattern can be implemented by considering the linear system of equations defined by the following fixed-shares conditions:
(M·rk)j=Si,j=πi,j for all i=Φ(j): Pi ∈ Pπ,
and solving this system with respect to the variables a1, . . . ,a_{t−1} to finally obtain a randomized solution. Specifically, the disclosed method operates as follows. The above linear system of equations has t−1 unknown (undetermined) variables and only m′≤t−2<t−1 constraints (equations). These constraints are generally linearly independent of each other, due to the structure of matrix M, for example, in relation to the correctness and privacy conditions satisfied by the LSSS scheme under consideration. In any case, since there are more unknown variables than equations, the system admits a large number of solutions, effectively as large as the size of the domain (field) 𝔽. Therefore, it is possible to express the solution space as m′ constraints that restrict m′ of the t−1 unknown (undetermined) variables and that are parameterized by the remaining t−m′−1 variables. This can be done by solving the system of equations with respect to m′ constrained variables C={ac
Note that in the extended scheme S′, the determination of the set Pπ of parties with fixed shares, as well as of the values that these fixed shares will take, can be performed either individually by the involved parties or by the dealer itself. The only difference is that if the values of the fixed shares are determined by the dealer, then the dealer must also distribute these fixed shares to the parties in Pπ (in the other case, no distribution of fixed shares is needed, as the parties in Pπ already know the values they chose as fixed shares).
S′ denotes the extended scheme above. The secret sharing scheme S′ is substantially secure.
As noted above, Shamir's secret sharing scheme is an example of an LSSS, obtained by setting the i-th row of M to (i^0,i^1, . . . ,i^{t−1}) for i=1,2, . . . ,n, where t is the reconstruction threshold. This special structure of the matrix M allows the above general method to be simplified as follows. Upon receiving all fixed shares, the dealer sets the first element a0 of vector rk as the secret k and randomly selects a1, . . . ,a_{t−m′−1} from the field. Then, the dealer sets a_{t−m′}, . . . ,a_{t−1} such that the following conditions are satisfied, by solving a system of linear equations with respect to the undetermined variables a_{t−m′}, . . . ,a_{t−1}: (M·rk)j=Si,j for all i=Φ(j): Pi ∈ Pπ. This system of equations corresponds to a linear system defined by a Vandermonde matrix, thus it admits a unique solution because there are m′ variables with m′ independent linear constraints. The dealer then distributes the non-fixed shares computed by M·rk to all P ∉ Pπ. Note that, as m′≤t−2, there is at least one randomly chosen coefficient a1, which substantially guarantees that all non-fixed shares are uniformly distributed, as in the case of the standard Shamir secret sharing scheme. Therefore, the disclosed password-based LSSS construction subsumes the password-based threshold Shamir scheme described in U.S. patent application Ser. No. 14/672,507, filed May 30, 2015 (now U.S. Pat. No. 9,813,243, issued on Nov. 7, 2017), entitled “Methods and Apparatus for Password-Based Secret Sharing Scheme.”
Consider another example of the previously presented password-based linear secret sharing scheme. LSSS schemes are known to encompass a class of secret sharing schemes that realize any access structure defined by a monotone symmetric branching program. See, for example, A. Beimel, Secure Schemes for Secret Sharing and Key Distribution, Dept. of Computer Science, Technion, Ph.D. Thesis, 1996.
Specifically, a monotone symmetric branching program is defined as a tuple Π=(H,ρ,v0,v1) as follows:
Let x=x1 . . . xn ∈ {0,1}^n be an n-bit binary string that specifies the labels of edges in E, where the edge labeled by xi is set (by x) if and only if xi=1. Then, program Π=(H,ρ,v0,v1) accepts x if in the sub-graph Hx=(V,Ex), defined over the same nodes as H but containing only those edges in E that are set by x, there exists a path from v0 to v1.
Then, a large class of access structures over parties P1, . . . ,Pn can be defined by some program Π=(H,ρ,v0,v1), H=(V,E), of the above type. Indeed, a specific program Π induces a specific access structure ASΠ over parties P1, . . . ,Pn as follows: a set A of parties belongs to ASΠ if and only if its characteristic vector x(A) is accepted by Π, where the characteristic vector of a set A ⊆ {P1, . . . ,Pn} is the n-bit binary string x(A) having the bit x(A)i at position i set to 1 if and only if Pi ∈ A. In other words, a set A is authorized if and only if the edges in E that are labeled by the parties in A form (at least one) path from v0 to v1.
As described by Beimel, referenced above, any access structure ASΠ defined by a monotone symmetric branching program Π=(H,ρ,v0,v1), H=(V,E), with |E|=m edges and |V|=t nodes, can be realized by the following linear secret sharing scheme, which uses m shares in total. Let 𝔽 be the domain of secrets, let s ∈ 𝔽 be the secret to be shared, let a2, . . . ,at be elements selected randomly and independently of each other from 𝔽, and finally set a0=s and a1=0. Also, let every edge (vi,vj) ∈ E, i≤j, be assigned the value aj−ai. To share s, the shares that each party Pi receives from the dealer are the values assigned to the edges labeled by xi via the labeling ρ. To reconstruct the secret, the parties of an authorized coalition simply add or subtract their shares along a (previously known) v0-to-v1 path; that is, they add together only those shares (from the union of their individually possessed shares) that correspond to edges in a v0-to-v1 path, each share weighted by +1 or −1. It is easy to see that by doing so the parties in an authorized set end up learning the secret s: in this summation of shares along the path, the edge incident to v0 contributes s, the edge incident to v1 contributes zero (since a1=0), and all edges collectively contribute zero or two (or an even number of) occurrences of each random element ai, 2≤i≤t, with alternating signs ai, −ai, so that all such occurrences cancel out. On the other hand, the edges of an unauthorized set of parties fail to cross at least one cut of graph H, so by definition such a set cannot form a v0-to-v1 path that would cancel the random elements ai contained in its shares, and therefore it cannot learn the secret s.
The above secret sharing scheme is clearly an LSSS because both the share generation and the secret recovery functions are linear. The above scheme can be cast in the form of an m×t matrix M: the i-th column corresponds to vertex (node) vi and each row corresponds to an edge (vi,vj) ∈ E, i≤j, containing a 1 in the vj position (column), a −1 in the vi position (column) and zeros in all other positions. Then, indeed, for a column vector rs that consists of the elements s,0,a2, . . . ,at, the share (Mrs)k, 1≤k≤m, that is given to party PΦ(k) is the value of the form aj−ai that is assigned to the k-th edge (vi,vj), where the labeling function Φ is essentially defined by the labeling function ρ.
Now, assume that parties P2 and P7 wish to get fixed shares that take on the values π2,1, π2,2 and π7, respectively. According to the password-based LSSS scheme described above, 3=m′≤t−2=6, and the values a2, . . . ,a7 are set so that the following m′=3 fixed-share conditions are satisfied: S2,1=π2,1, S2,2=π2,2 and S7=π7. Indeed, these three conditions define a linear system consisting of the following 3 equations: π2,1=a3−a2, π2,2=a6−a5 and π7=a6−a7. This system involves five (out of the total t−2=6) undetermined values, namely a2,a3,a5,a6 and a7. Since there are more involved variables than available equations, the system admits a large number of solutions (essentially as large as the size of the field 𝔽). The solution space constrains m′=3 of these undetermined variables according to the conditions set by the system above, in a way that is parameterized by t−2−m′=3 other free variables. In fact, each of the m′=3 constrained variables corresponds to a distinct equation of the system, so there is generally more than one description of the solution space. For instance, the solution space can be described as the set of constraints a3=π2,1+a2, a5=a7−π2,2−π7 and a6=a7−π2,2, parameterized by the free variables a2,a4,a7. One such solution can be randomly selected by randomly selecting the values a2, a4 and a7 and then setting the remaining values according to the above constraints.
Therefore, after the selection of values a1, 2≤i≤t as above, and thus the selection of the random column vector rs, the dealer can compute the non-fixed shares for parties P1,P3,P4,P5 and P6 using the same share-computation equation, that is, by giving share (Mrs)j to party PΦ(j). The dealer does not need to give the fixed shares S2,1, S2,2 and S7 to parties P2 and P7, since these are respectively known to them (because they are selected by the parties and provided to the dealer prior to the secret sharing process).
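The construction above, as an added Python example that is not the patent's own code: it assumes a toy graph on vertices v0..v7 with label vector r_s = (s, 0, a2, ..., a7), and constructs an edge-to-party assignment so that party P2 holds the edges behind S2,1 = a3−a2 and S2,2 = a6−a5 and party P7 the edge behind S7 = a6−a7. It builds the m×t matrix M, solves the fixed-share conditions for a random r_s by Gauss-Jordan elimination over GF(P) (the solver chooses its own constrained/free split, one of the equivalent descriptions of the solution space mentioned in the text), computes every share as (M r_s)_k, and recovers s by a signed sum of shares along a path from v0 to v1. The edge set, the field size and the party assignment are assumptions made for the demo.

```python
"""Graph-based linear secret sharing with fixed shares.

Added illustration, not the patent's code.  Assumed toy instance: vertices
v0..v7, label vector r_s = (s, 0, a2, ..., a7) as in the text, edge (vi, vj)
carries the share a_j - a_i, and the edge-to-party assignment below is
constructed so that party 2 holds two fixed shares and party 7 one.  A party
set is authorized iff its edges connect v0 to v1 (the differences then
telescope to label(v0) - label(v1) = s).
"""
import secrets

P = 2**61 - 1   # share arithmetic is over the field GF(P)
T = 8           # vertices v0..v7, i.e. the columns of M

# (i, j, party): edge (vi, vj) is given to `party`; its share is a_j - a_i.
EDGES = [(0, 2, 1), (2, 3, 2), (3, 4, 3), (4, 5, 4),
         (5, 6, 2), (6, 1, 5), (0, 7, 6), (7, 6, 7)]

def build_M():
    """m x t matrix: row k has +1 in column j and -1 in column i of edge k."""
    M = []
    for i, j, _ in EDGES:
        row = [0] * T
        row[j], row[i] = 1, P - 1      # P-1 is -1 mod P
        M.append(row)
    return M

def random_solution(rows, rhs, nvars):
    """Uniformly random x in GF(P)^nvars with rows . x = rhs.  Gauss-Jordan:
    pivot variables become the constrained ones, non-pivot variables are free
    and drawn at random (the text's a2, a4, a7; the solver may pick another,
    equivalent, set of free variables)."""
    A = [[v % P for v in r] + [b % P] for r, b in zip(rows, rhs)]
    pivots, r = [], 0
    for c in range(nvars):
        if r == len(A):
            break
        piv = next((i for i in range(r, len(A)) if A[i][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][c], -1, P)
        A[r] = [v * inv % P for v in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                f = A[i][c]
                A[i] = [(vi - f * vr) % P for vi, vr in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] and not any(row[:-1]) for row in A[r:]):
        raise ValueError("fixed-share conditions are inconsistent")
    x = [0 if c in pivots else secrets.randbelow(P) for c in range(nvars)]
    for i, c in enumerate(pivots):
        x[c] = (A[i][-1] - sum(A[i][k] * x[k] for k in range(nvars) if k != c)) % P
    return x

def share(s, fixed):
    """fixed: {edge index k: pi}.  Returns labels r_s and {party: [(edge, share)]}."""
    M = build_M()
    rows = [M[k][2:] for k in fixed]                      # unknowns are a2..a7
    rhs = [pi - M[k][0] * s for k, pi in fixed.items()]   # move the s term right
    labels = [s % P, 0] + random_solution(rows, rhs, T - 2)
    out = {}
    for k, (i, j, party) in enumerate(EDGES):
        val = sum(M[k][c] * labels[c] for c in range(T)) % P   # (M r_s)_k
        out.setdefault(party, []).append(((i, j), val))
    return labels, out

def reconstruct(shares):
    """shares: {(i, j): value} jointly held by a party set.  BFS for a path
    v0 -> v1; each edge enters with coefficient +1 or -1 (linear recovery)."""
    adj = {}
    for (i, j), v in shares.items():
        adj.setdefault(i, []).append((j, (P - v) % P))   # walk i->j: subtract a_j - a_i
        adj.setdefault(j, []).append((i, v))             # walk j->i: add a_j - a_i
    frontier, seen = [(0, 0)], {0}
    while frontier:
        u, acc = frontier.pop(0)
        if u == 1:
            return acc
        for w, contrib in adj.get(u, []):
            if w not in seen:
                seen.add(w)
                frontier.append((w, (acc + contrib) % P))
    return None   # no path from v0 to v1: the set is unauthorized

def demo(s=123456789, pi21=11, pi22=22, pi7=33):
    """Fixed shares S_{2,1}=a3-a2, S_{2,2}=a6-a5 (party 2) and S_7=a6-a7 (party 7)."""
    labels, shares = share(s, {1: pi21, 4: pi22, 7: pi7})
    held2, held7 = dict(shares[2]), dict(shares[7])
    fixed_ok = (held2[(2, 3)], held2[(5, 6)], held7[(7, 6)]) == (pi21, pi22, pi7)
    auth = {e: v for p in (1, 2, 3, 4, 5) for e, v in shares[p]}   # path 0-2-3-4-5-6-1
    unauth = {e: v for p in (2, 3, 4) for e, v in shares[p]}       # never touches v0 or v1
    return fixed_ok, reconstruct(auth), reconstruct(unauth)
```

`demo()` returns `(True, s, None)`: the fixed parties' shares equal the values they supplied, an authorized set recovers s through the same path-sum rule whether or not it includes fixed shares, and a set whose edges do not connect v0 to v1 gets nothing back. The solver raises if the fixed-share conditions contradict each other, which is the check a dealer needs before handing out any non-fixed share.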
The password-based linear secret sharing process 250 of
A threshold secret sharing scheme S with random shares is defined by a defining matrix M=OA(qi,n+1,q,t). Now, the share s1 is fixed for party P1 to be π. This modification means that the defining matrix does not change, but to share a secret (randomly chosen), instead of randomly selecting a row r and giving si=M(r,i) to party Pi for i=1, . . . ,n, a row is randomly selected from all rows r, such that M(r,1)=π. S′ denotes the modified scheme.
The secret sharing scheme S′ above is substantially secure.
Multiple Fixed Shares:
The defining matrix does not change, but to share a secret, instead of randomly selecting a row, the dealer randomly selects a row from all rows r such that M(r,li)=πl
If the secret to be shared is not randomly selected and is already incorporated into the defining matrix M, then step 4 above is extended so that it additionally holds that M(r,0)=s, where s is the secret to be shared.
As defined in the sub-section entitled “Linear Secret Sharing Schemes as Generalization of Shamir's Scheme,” a linear secret sharing scheme is generally a scheme such that, given a secret s coming from a domain S and some chosen randomness r={r1, . . . ,rl}, where each rΛ, 1≤Λ≤l, is an independently chosen random variable that is uniformly distributed over domain K with S⊂ K: (1) a dealer produces shares {S1, . . . ,Sn} for parties P1, . . . ,Pn, where the composite share Si of party Pi, 1≤i≤n, is of the form Si=(si,1, . . . ,si,k
Beimel, referenced above, has shown that this definition is equivalent to an alternative definition that specifies a linear secret sharing scheme to be as above but with condition (2) dictating instead that: if the scheme realizes an access structure AS, then for any authorized set A ∈ AS the reconstruction function of the secret from the shares si,j jointly possessed by the parties in A is linear. That is, for every A ∈ AS there exist constants {ai,j:Pi ∈ A, 1≤j≤ki} such that for every secret s ∈ S and every choice of random inputs r ∈ K, it holds that
$s = \sum_{P_i \in A} \sum_{j=1}^{k_i} a_{i,j}\, s_{i,j}$,
where the shares si,j depend on the secret s and the randomness r, and where the constants ai,j and the arithmetic are over the field K.
Therefore, for any linear secret sharing scheme realizing a given access structure, there exists a reconstruction method that specifies the way that the shares, jointly owned by a given authorized set, can be linearly combined to compute the shared secret. This reconstruction method remains unchanged in our password-based linear secret sharing scheme that was described above. For instance, when the disclosed password-based linear secret sharing scheme is instantiated to a password-based threshold Shamir's scheme, secret reconstruction is possible by interpolating t or more (fixed and non-fixed) shares to compute the underlying polynomial and thus recover the secret, independently of whether or how many fixed shares were used during reconstruction.
Analogously, as defined in the sub-section entitled “Defining Matrices and Orthogonal Arrays,” defining matrices existentially describe all possible secret sharing and secret reconstruction possibilities in any given secret sharing scheme. Namely, any scheme is described by a defining matrix, where the sharing process is explicitly defined via random sampling, which is biased by (or conditioned on) a given secret that is to be shared, over the exhaustive list of possible sharings of all possible shared secrets. Here, the actual sharing process may be described to the dealer either in an implicit and more compact form (e.g., by randomly producing a polynomial that passes through the secret at point zero, in Shamir's scheme) or even in an explicit form, where the dealer has in its possession the entire defining matrix.
Similarly, the reconstruction process is explicitly defined via brute-force search, based on the shares jointly possessed by an authorized (or even unauthorized) set of parties, over the exhaustive list of possible sharings of all possible shared secrets. Here, again, the actual reconstruction process may be described to the parties either in an implicit and more compact form (e.g., through polynomial interpolation and evaluation of the computed polynomial at point zero, in Shamir's scheme) or even in an explicit form, where the parties perform a joint search over the entire defining matrix.
The above holds true even when the defining matrix is an orthogonal array. Therefore, no matter what the reconstruction method is, it remains unchanged in the disclosed password-based secret sharing scheme based on orthogonal arrays. For instance, when the disclosed password-based secret sharing scheme based on orthogonal arrays is instantiated to a password-based threshold Shamir's scheme, secret reconstruction is again possible by interpolating t or more (fixed and non-fixed) shares to compute the underlying polynomial and thus recover the secret, independently of whether or how many fixed shares were used during reconstruction.
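To make the compact and explicit forms described above concrete, here is an added Python example (not the patent's code) that instantiates the password-based threshold scheme over GF(q) for a small prime q. It assumes the defining matrix is the explicit q^t × (n+1) array whose rows are the evaluations (f(0), f(1), ..., f(n)) of every polynomial f of degree below t, with column 0 holding the secret and column i the share of Pi. Sharing with fixed shares is done both explicitly (a random row with M(r,0)=s and M(r,i)=πi) and compactly (a polynomial pinned at the secret and at the fixed parties' points, padded with random points); reconstruction is done both by interpolation and by row search, and a final call shows that t−1 shares leave the secret undetermined. The parameters q=7, n=5, t=4 and the fixed values are constructed for the demo.

```python
"""Password-based threshold (Shamir) sharing through its defining matrix.

Added illustration, not the patent's code.  Assumption: the defining matrix
is the explicit q^t x (n+1) orthogonal array whose rows are the values
(f(0), f(1), ..., f(n)) of every polynomial f of degree below t over GF(q),
q prime; column 0 is the secret and column i the share of party P_i.
Sharing with fixed shares = picking a random row r with M(r,0)=s and
M(r,i)=pi_i; the compact (polynomial) and explicit (row-search) forms of both
sharing and reconstruction are shown side by side."""
import itertools
import secrets

def lagrange_eval(points, x, q):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def defining_matrix(q, n, t):
    """Explicit array with q^t rows: evaluate every degree-<t polynomial at 0..n."""
    rows = []
    for coeffs in itertools.product(range(q), repeat=t):
        rows.append(tuple(sum(c * pow(x, k, q) for k, c in enumerate(coeffs)) % q
                          for x in range(n + 1)))
    return rows

def share_explicit(M, s, fixed):
    """Dealer holding the whole matrix: a random row with M(r,0)=s and M(r,i)=pi_i.
    fixed maps a party index i (1..n) to its chosen share pi_i."""
    cands = [r for r in M if r[0] == s and all(r[i] == pi for i, pi in fixed.items())]
    return secrets.choice(cands)

def share_implicit(q, n, t, s, fixed):
    """Compact form: pin f at (0, s) and at the fixed parties' points, pad with
    t-1-m' random points so f is a uniformly random degree-<t polynomial that
    meets the constraints, then hand out f(i)."""
    pts = [(0, s)] + list(fixed.items())
    assert len(pts) <= t and n >= t - 1, "too many fixed shares for this threshold"
    extra_x = [x for x in range(1, n + 1) if x not in fixed][: t - len(pts)]
    pts += [(x, secrets.randbelow(q)) for x in extra_x]
    return tuple(lagrange_eval(pts, x, q) for x in range(n + 1))

def reconstruct_explicit(M, known):
    """Parties brute-force the matrix with their shares ({i: value}); the secret
    is determined iff all consistent rows agree in column 0."""
    seen = {r[0] for r in M if all(r[i] == v for i, v in known.items())}
    return seen.pop() if len(seen) == 1 else None

def reconstruct_implicit(shares, q):
    """Interpolate f(0) from t shares ({i: value}), fixed or not."""
    return lagrange_eval(list(shares.items()), 0, q)

def demo(q=7, n=5, t=4, s=5, fixed=None):
    fixed = {1: 2, 3: 6} if fixed is None else fixed   # P1 and P3 supply pi_1, pi_3
    M = defining_matrix(q, n, t)
    row = share_explicit(M, s, fixed)
    poly = share_implicit(q, n, t, s, fixed)
    fixed_ok = all(row[i] == pi and poly[i] == pi for i, pi in fixed.items())
    # t shares, two of them fixed, recover s in either representation
    by_interp = reconstruct_implicit({i: poly[i] for i in (1, 3, 4, 5)}, q)
    by_search = reconstruct_explicit(M, {i: row[i] for i in (1, 3, 4, 5)})
    # t-1 shares leave every value of the secret possible
    too_few = reconstruct_explicit(M, {i: row[i] for i in (1, 3, 4)})
    return fixed_ok, by_interp, by_search, too_few
```

`demo()` returns `(True, 5, 5, None)`. The interpolation call is the same whether the t shares handed to it are fixed or random, which is the point made above: constraining the dealer's row selection changes nothing on the reconstruction side. The assertion in `share_implicit` is the dealer-side check that the number of fixed shares still leaves the sharing within the degree bound.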
The foregoing applications and associated embodiments should be considered as illustrative only, and numerous other embodiments can be configured using the secret sharing techniques disclosed herein, in a wide variety of different cryptography applications.
It should also be understood that the password-based secret sharing schemes, as described herein, can be implemented at least in part in the form of one or more software programs stored in memory and executed by a processor of a processing device such as a computer. As mentioned previously, a memory or other storage device having such program code embodied therein is an example of what is more generally referred to herein as a “computer program product.”
Authentication processes in other embodiments may make use of one or more operations commonly used in the context of conventional authentication processes. Examples of conventional authentication processes are disclosed in A. J. Menezes et al., Handbook of Applied Cryptography, CRC Press, 1997, which is incorporated by reference herein. These conventional processes, being well known to those skilled in the art, will not be described in further detail herein, although embodiments of the present invention may incorporate aspects of such processes.
The system may be implemented using one or more processing platforms. One or more of the processing modules or other components may therefore each run on a computer, storage device or other processing platform element. A given such element may be viewed as an example of what is more generally referred to herein as a “processing device.”
Referring now to
The cloud infrastructure 400 may encompass the entire given system or only portions of that given system, such as one or more of client, servers, controller, authentication server or relying server in the system.
Although only a single hypervisor 404 is shown in the embodiment of
An example of a commercially available hypervisor platform that may be used to implement hypervisor 404 and possibly other portions of the system in one or more embodiments of the invention is the VMware® vSphere™ which may have an associated virtual infrastructure management system, such as the VMware® vCenter™. The underlying physical machines may comprise one or more distributed processing platforms that include storage products, such as VNX® storage products and Symmetrix VMAX® storage products, both commercially available from EMC Corporation of Hopkinton, Mass. A variety of other storage products may be utilized to implement at least a portion of the system.
In some embodiments, the cloud infrastructure additionally or alternatively comprises a plurality of containers implemented using container host devices. For example, a given container of cloud infrastructure illustratively comprises a Docker container or other type of LXC. The containers may be associated with respective tenants of a multi-tenant environment of one or more processing nodes, although in other embodiments a given tenant can have multiple containers. The containers may be utilized to implement a variety of different types of functionality within one or more processing nodes. For example, containers can be used to implement respective compute nodes or cloud storage nodes of a cloud computing and storage system. The compute nodes or metadata servers may be associated with respective cloud tenants of a multi-tenant environment of one or more processing nodes. Containers may be used in combination with other virtualization infrastructure such as virtual machines implemented using a hypervisor.
Another example of a processing platform is processing platform 500 shown in
The processing device 502-1 in the processing platform 500 comprises a processor 510 coupled to a memory 512. The processor 510 may comprise a microprocessor, a microcontroller, an application specific integrated circuit (ASIC), a field programmable gate array (FPGA) or other type of processing circuitry, as well as portions or combinations of such circuitry elements, and the memory 512, which may be viewed as an example of a “computer program product” having executable computer program code embodied therein, may comprise random access memory (RAM), read only memory (ROM) or other types of memory, in any combination.
Also included in the processing device 502-1 is network interface circuitry 514, which is used to interface the processing device with the network 504 and other system components, and may comprise conventional transceivers.
The other processing devices 502 of the processing platform 500 are assumed to be configured in a manner similar to that shown for processing device 502-1 in the figure.
Again, the particular processing platform 500 shown in the figure is presented by way of example only, and the given system may include additional or alternative processing platforms, as well as numerous distinct processing platforms in any combination, with each such platform comprising one or more computers, storage devices or other processing devices.
Multiple elements of system may be collectively implemented on a common processing platform of the type shown in
As is known in the art, the methods and apparatus discussed herein may be distributed as an article of manufacture that itself comprises a computer readable medium having computer readable code means embodied thereon. The computer readable program code means is operable, in conjunction with a computer system, to carry out all or some of the steps to perform the methods or create the apparatuses discussed herein. The computer readable medium may be a tangible recordable medium (e.g., floppy disks, hard drives, compact disks, memory cards, semiconductor devices, chips, application specific integrated circuits (ASICs)) or may be a transmission medium (e.g., a network comprising fiber-optics, the world-wide web, cables, or a wireless channel using time-division multiple access, code-division multiple access, or other radio-frequency channel). Any medium known or developed that can store information suitable for use with a computer system may be used. The computer-readable code means is any mechanism for allowing a computer to read instructions and data, such as magnetic variations on a magnetic media or height variations on the surface of a compact disk.
It should again be emphasized that the above-described embodiments of the invention are presented for purposes of illustration only. Many variations and other alternative embodiments may be used. For example, the techniques are applicable to a wide variety of other types of cryptographic devices and authentication systems that can benefit from the password-based secret sharing schemes as disclosed herein. Also, the particular configuration of communication system and processing device elements shown herein, and the associated authentication techniques, can be varied in other embodiments. Moreover, the various simplifying assumptions made above in the course of describing the illustrative embodiments should also be viewed as exemplary rather than as requirements or limitations of the invention. Numerous other alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.