Yes and no secret sharing with hidden access structures

Information

  • Patent Grant
  • 11956350
  • Patent Number
    11,956,350
  • Date Filed
    Wednesday, March 31, 2021
  • Date Issued
    Tuesday, April 9, 2024
Abstract
A secret sharing scheme with yes and no shares and having a hidden access structure. The secret sharing scheme may include share generation in which yes shares and no shares are generated for, and distributed to, each party in the secret sharing scheme. In turn, upon an attempt to reconstruct the secret, participants in the reconstruction each provide a share, which is unknown to be a yes share or a no share to the other participants. The secret is only reconstructable if the shares used in the reconstruction include yes shares of a minimal authorized subset of the parties. However, prior to secret reconstruction, the access structure remains hidden and the participants in a reconstruction are unaware of the character of the shares provided by other participants in the reconstruction attempt.
Description
BACKGROUND

Secret sharing allows a secret to be shared amongst a plurality of parties in a secret sharing scheme so that an authorized subset of parties specified by an access structure can reconstruct the secret by combining shares of the secret from the authorized subset of parties. Secret sharing may be utilized in computer networks to share secrets in the form of data shares provided to participating entities or computer devices in a network. Prior to secret reconstruction using the shares of the authorized subset of parties, the secret cannot be reconstructed by any individual one of the parties. In one example of a secret sharing scheme, a threshold is established corresponding to a given number of participants who must participate in an effort to reconstruct the secret for the reconstruction to succeed. In such a scheme, a total number of parties (n) are provided shares such that a threshold number of parties (t) must provide their shares for secret reconstruction to be successful. This is often referred to as a threshold access structure or a (t, n)-threshold scheme. In the traditional (t, n)-threshold scheme, the authorized subset of participants required to reconstruct the secret is defined by a publicly known access structure. That is, all parties know that so long as a threshold (t) or greater number of participants provide shares, the secret can be reconstructed.


SUMMARY

The present disclosure relates to a secret sharing scheme that includes yes and no secret sharing in which hidden access structures are provided. Through such a secret sharing scheme, each party in the secret sharing scheme receives a yes share and a no share. The yes shares of a minimal authorized subset defined by a hidden access structure are needed to reconstruct a secret. However, the minimal authorized subset is not publicly known amongst the parties of the secret sharing scheme. Moreover, a given party's yes share and no share are indistinguishable to other parties in the scheme. Therefore, the exploitability addressed above may be resolved, as participants attempting to reconstruct a secret may not simply discard participant shares in an attempt to reach a threshold number of yes shares, as is the case in the threshold access structure.


Moreover, the secret sharing scheme described herein allows participants to have deniability regarding whether a yes share or a no share was provided. Thus, a qualified minority of participants may deny secret reconstruction without providing any information to the other participants regarding the objective of a participant. This is because a given party's yes share and no share are indistinguishable to other participants and the access structure is not revealed until and unless the secret is reconstructed.


Accordingly, the present disclosure generally relates to a yes and no secret sharing scheme with a hidden access structure. The disclosure includes choosing a random basis for a vector space. The random basis includes a plurality of basis vectors that can be used to form any given vector in the vector space in a unique manner. A target vector is calculated that corresponds to a secret from a target subset of the plurality of basis vectors. Also, a random vector is chosen from the vector space.


In turn, for a plurality of participating entities participating in the secret sharing scheme, a corresponding plurality of yes shares are generated as a function of a basis vector from the plurality of basis vectors and the random vector. The plurality of yes shares comprise authorized yes shares generated as a function of a basis vector from the target subset of the plurality of basis vectors. The secret is only reconstructable by a computation of the target vector in an operation including all of the authorized yes shares. However, also generated, for each of the plurality of entities participating in the secret sharing scheme, is a no share as a function of a basis vector outside the target subset of the plurality of basis vectors and the random vector. A yes share and a no share are distributed to each of the plurality of entities participating in the secret sharing scheme. The authorized yes shares are distributed to a minimal authorized subset of the plurality of entities participating in the secret sharing scheme.


In turn, secret reconstruction may be attempted by obtaining shares of unknown characteristic from a participating subset of the participants in the secret sharing scheme. The shares are processed in a reconstruction algorithm in an attempt to reconstruct the secret. Only if the shares obtained include the yes shares of a minimal authorized subset is the secret reconstructable. Prior to secret reconstruction, the characteristic of the shares provided as well as the identity of the minimal authorized subset is not known and no failed attempt at secret reconstruction provides information regarding the access structure or characteristic of shares provided in a failed attempt.


This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.


Other implementations are also described and recited herein.





BRIEF DESCRIPTIONS OF THE DRAWINGS


FIG. 1 illustrates an example of share generation in a secret sharing scheme in which yes shares and no shares are generated in relation to a hidden access structure.



FIG. 2 illustrates an example of secret reconstruction from a subset of participating parties.



FIG. 3 illustrates example operations for secret generation.



FIG. 4 illustrates example operations for secret reconstruction.



FIG. 5 illustrates an example of a computing device capable of providing functionality associated with the secret sharing scheme described herein.





DETAILED DESCRIPTIONS

While the invention is susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and are herein described in detail. It should be understood, however, that it is not intended to limit the invention to the particular form disclosed, but rather, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the invention as defined by the claims.


In many situations, it may be desirable that participants be able to deny secret reconstruction. For example, one or more participants may want to deactivate a master key during certain times. Secret sharing schemes that include “yes and no” secret sharing have been proposed where a qualified minority is able to deny reconstruction of the secret. In yes and no secret sharing, each party in the secret sharing scheme receives both a yes share and a no share. The yes share of a participant is used to participate in secret reconstruction with an input towards the secret reconstruction. In contrast, a no share provides an option to participate, even if secret reconstruction is not desired by the participant providing the no share. If a sufficient number of parties contribute their no shares, the secret should not be reconstructable.


While yes and no secret sharing has been proposed in a relatively simple form, the need to further improve on such secret sharing schemes continues to exist. For instance, proposed approaches to yes and no secret sharing only support the threshold access structure illustrated above, which is publicly known to the participating entities. For instance, in a (3, 5) threshold scheme, it is publicly known amongst the parties that any three participants out of the total five parties in the scheme comprise an authorized subset capable of reconstructing a secret. In this case, it is possible to reconstruct a secret even in the presence of a qualified minority of participants providing a no share, by discarding the no shares of the minority of participants and trying combinations of any threshold number (t) of participants until a sufficient number of yes shares are combined. Hence, by attempting to combine the shares of all t-subsets of the participants, it is possible to reconstruct the secret as long as there are enough yes shares, regardless of whether there are participants who contribute their no shares. Such an attack can be carried out efficiently when the threshold value (t) is either small or close to the total number of parties (n). Given this potential exploitability, as well as other disadvantages of prior approaches to yes and no secret sharing discussed more below, continued improvement in secret sharing is needed.


The present disclosure generally relates to a secret sharing scheme that includes hidden access structures and provides for yes and no shares. Such a scheme may provide the advantages of yes and no shares to allow a qualified minority of participants in the secret sharing scheme to deny secret reconstruction by providing no shares. In addition, through the use of hidden access structures, circumvention of the no shares of the qualified minority by other participants in the scheme may be avoided as the access structure for the secret sharing scheme remains hidden until and unless the secret is successfully reconstructed.


In addition to facilitating a solution to the circumvention of provided no shares in a scheme with a public access structure, the present disclosure facilitates a secret sharing scheme which provides complete deniability to participants who want to prevent secret reconstruction. That is, through use of a hidden access structure and by providing no shares that are indistinguishable from yes shares to other participants, none of the participants sharing a no share may be detected by the other participants. Deniability is useful to prevent retaliatory actions from other parties who may wish to reconstruct the secret.


In the following discussion, a secret sharing scheme with hidden access structures is first described. Thereafter, the secret sharing scheme with hidden access structures is generalized to include yes and no secret sharing.


Initially, an access structure may be defined. Let custom character={P1, . . . , custom character} be a set of parties in the secret sharing scheme. A collection Γ⊆custom character is monotone if custom character∈Γ and custom charactercustom character imply that custom character∈Γ. Accordingly, an access structure Γ⊆custom character may be defined that is a monotone collection of non-empty subsets of custom character. Sets in the access structure (Γ) are called authorized, and sets not in the access structure (Γ) are called unauthorized. The access structure may comprise a hidden access structure such as the secret sharing scheme described in U.S. patent application Ser. No. 17/018,899 entitled “PRIVACY PRESERVING SECRET SHARING FROM NOVEL COMBINATORIAL OBJECTS” filed on 11 Sep. 2020 and designated by the entirety of which is incorporated by reference herein.


If the access structure (Γ) consists of all subsets of the participants custom character with size greater than or equal to a fixed threshold t (1≤t≤custom character), then the access structure (Γ) is called a t-threshold access structure. Also, a minimal authorized subset may be defined. For an access structure (Γ), the family of minimal authorized subsets Γ0⊆Γ is defined as:

Γ0={custom character∈Γ: custom charactercustom charactercustom character for all custom character∈Γ\{custom character}}.


The family of minimal authorized subsets (Γ0) uniquely determines the access structure (Γ), and it holds that Γ=cl(Γ0), where cl denotes closure.


With the access structure (Γ) having been defined with a family of minimal authorized subsets (Γ0), a perfect secret sharing scheme with hidden access structures may be created with respect to a collection of access structures (custom character), a set of custom character number of parties (custom character={P1, . . . , custom character}), and a set of secrets (custom character). The secret sharing scheme includes a pair of polynomial-time algorithms. The first is an algorithm that creates shares in the scheme and is referred to as Share. The second algorithm is a deterministic algorithm used to attempt to reconstruct the secret and is referred to as Recon. Specifically, Share is a randomized algorithm that gets a secret (k) that belongs to the set of secrets (custom character). Stated differently, k∈custom character. Share also receives an access structure (Γ) that is an element of the set of access structures (custom character). That is, Γ∈custom character. As noted above, the access structure (Γ) may be a hidden access structure that defines a minimal authorized subset of participants, which is not publicly known prior to secret reconstruction. The secret (k) and access structure (Γ) are inputs to Share, which outputs a number of yes shares (Π) of the secret (k) corresponding to the number of participants (custom character). The shares may be referred to as {Π1(Γ,k), . . . , custom character}.


The Recon algorithm is a deterministic algorithm that gets as input the shares (Π) of a subset of participants (custom charactercustom character), denoted by {custom character. In turn, Recon outputs a pair (b, k) where b∈{0,1} and k∈custom character∪{⊥}. Specifically, the Recon algorithm outputs the pair (b, k) such that the four conditions discussed below may be satisfied.


The first condition may be perfect authorization verification. In this condition, for all secrets belonging to the set of secrets (k∈custom character) and every subset of participants or all participants (custom character⊆P), Recon may return a true value (1) when the shares of the participant subset of participants ({custom character) include shares of a minimal authorized subset. Otherwise, Recon may return a false (0) value. Stated mathematically:

Pr[Recon({custom character,custom character)[1]=1]=1 if custom character∈Γ,
and
Pr[Recon({custom character,custom character)[1]=0]=1 if custom character∉Γ.


The Recon algorithm may also exhibit perfect correctness. That is, for all secrets belonging to the set of secrets (k∈custom character) and every authorized set belonging to the access structure (custom character∈Γ), Recon returns the secret (k) from inputs of the shares (Π) or

Pr[Recon({custom character,custom character)=(1,k)]=1.


The Recon algorithm may also have perfect secrecy. That is, for every unauthorized subset not belonging to the access structure (custom character∉Γ) and all secrets belonging to the set of secrets (k1, k2custom character), the distributions {custom character and {custom character may be identical.


The Recon algorithm may also exhibit perfect access structure hiding. That is, for every unauthorized subset not belonging to the access structure (custom character∉Γ), every access structure belonging to the set of access structures (Γ′∈custom character) with unauthorized subsets not belonging to the access structure (custom character∉Γ′), and all secrets of the set of secrets (k∈custom character), the distributions {custom character and {custom character may be identical.


Having set forth a secret sharing scheme with hidden access structures, the foregoing scheme may be generalized to include “yes and no” secret sharing. Specifically, the scheme may be defined with respect to a collection of access structures (custom character), a set of a number (custom character) of parties (custom character={P1, . . . , custom character}), and a set of secrets custom character, and consists of a pair of polynomial-time algorithms Share and Recon.


With respect to the Share algorithm, Share receives as an input a secret belonging to the set of secrets (k∈custom character) and access structure belonging to a set of access structures (Γ∈custom character). In turn, Share outputs a number of shares equal to the number of participating parties (custom character) in ordered pairs of yes and no shares of the secret defined as {(Π1(Γ,k)), . . . , (custom character,custom character)}.


One example of how the Share algorithm generates the yes shares (Π) and no shares (Ψ) is presented. In an example, the Share algorithm may be performed by an entity referred to as a dealer. The dealer may or may not be a party of the secret sharing scheme. In the secret sharing scheme, the set of parties is defined as custom character={P1, P2, . . . , Pn}. As described above, the scheme also includes hidden access structures. In the example described, the family of access structures include access structures which have only a single minimal authorized subset defined as:

custom character={Γ⊆custom character: Γ is an access structure with |Γ0|=1}.


In turn, the dealer determines a particular access structure (Γ) selected from the family of access structures in which m is the size of the unique minimal authorized subset. Without loss of generality,

Γ={A∈custom character: A⊇{P1, P2, . . . , Pm}}.


The dealer chooses a random basis (B) from a vector space (custom character2n) of a finite field (custom character). The random basis (B) comprises a plurality of basis vectors ({e1, e2, . . . , e2n}). The basis vectors can be used to form any given vector in the vector space in a unique manner. Stated mathematically, the dealer chooses a random basis B={e1, e2, . . . , e2n}.


The dealer also computes a target vector (s) using basis vectors from the random basis (B). Specifically, the target vector (s) is calculated from a target subset of the basis vectors, where the target subset corresponds to the unique minimal authorized subset. That is, s=e1+e2+ . . . +em. As will be described in greater detail below, the target vector (s) is related to the secret in that the secret is a function of the target vector.


The dealer also chooses a random vector (h) from the vector space (custom character2n) or, stated mathematically, h∈custom character2n. In turn, the secret may be defined as a function of the target vector and the random vector to generate a scalar belonging to the finite field or custom characters, hcustom charactercustom character. In one example, the function may comprise an inner product or dot product of the target vector and the random vector to generate the secret from the target vector and the random vector.


For each party in the secret sharing scheme, the dealer generates a yes share. A yes share is a function of the target vector (s), a basis vector (ei), and the random vector (h). Stated mathematically, for each Picustom character(1≤i≤n) a yes share is Πi=(s, ei, custom characterei, hcustom character).


As can be appreciated, the yes shares include m authorized yes shares generated from the basis vectors of the target subset (e1, . . . , em), the vectors whose sum is the target vector s. The other yes shares are generated from basis vectors of the random basis (B) outside the target subset, namely (em+1, . . . , en). However, authorized yes shares are indistinguishable from other yes shares once generated by the dealer. The m authorized yes shares are distributed to the minimal authorized subset of parties, although none of the parties are aware of this, as the access structure is hidden as described above.


The dealer also generates a no share for each party of the scheme. The no share is a function of a basis vector outside of the target subset and outside of the basis vectors used for the yes shares, together with the random vector (h). Stated mathematically, for each Picustom character(1≤i≤n) its no share is Ψi=(s, ei+n, custom characterei+n, hcustom character).


Turning to secret reconstruction, the algorithm Recon is provided to combine shares provided by the participants in an effort to reconstruct the secret. The participants may comprise a subset of the parties of the scheme. The participants may include all parties in the scheme or a subset including fewer than all parties in the scheme. The algorithm Recon is a deterministic algorithm that gets as input one share (Φ) from each party, without a priori knowledge of whether the share (Φ) from any given party is a yes share (Π) or a no share (Ψ). The shares are provided from a subset of participants of the parties in the scheme (custom charactercustom character). The shares which are unknown to be yes shares or no shares may be denoted by {custom character, where each unknown share (Φi(Γ,k)) is either equal to a yes share (Πi(Γ,k)) or a no share (Ψi(Γ,k)). The algorithm Recon outputs a pair of values (b, k) where b∈{0,1} and k∈custom character∪{⊥}. That is, the value b is either a true value (1) or a false value (0), and the value k is the secret when the yes shares of a minimal authorized set are present in the unknown shares (Φ); otherwise an empty value (⊥) is returned.


Continuing the example above, an instance of the Recon algorithm may receive unknown yes or no shares {custom character from a subset of parties custom charactercustom character. Here, the unknown share may be defined as Φi=(s, ƒi, xi). The Recon algorithm determines αi's such that:

custom characterαiƒi.


In this example, if no such αi's exist, Recon returns a false value and fails to reconstruct the secret (0, ⊥). Otherwise, Recon returns a true value and returns the secret (1, custom character αixi).
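The Share and Recon algorithms of the example above (random basis B, target vector s, random vector h, yes share Πi=(s, ei, ⟨ei, h⟩), no share Ψi=(s, ei+n, ⟨ei+n, h⟩), and Recon solving s=Σαiƒi), as an added toy implementation in Python; this is not code from the patent. The prime modulus, the party count, the hidden subset and the three reconstruction attempts are constructed choices, parties are indexed 0..n-1, and the secret is taken to be ⟨s, h⟩ as the text defines it.

```python
"""Toy yes/no secret sharing with a hidden single-minimal-subset access
structure over the prime field F_p. Added example, not the patent's code."""
import random

P = 10007  # constructed prime modulus; the patent leaves the field unspecified


def inner(u, v):
    """Inner product <u, v> over F_p."""
    return sum(a * b for a, b in zip(u, v)) % P


def row_reduce(rows):
    """Reduced row echelon form over F_p. Returns (matrix, pivot column list)."""
    M = [r[:] for r in rows]
    pivots, row = [], 0
    for col in range(len(M[0])):
        if row == len(M):
            break
        piv = next((r for r in range(row, len(M)) if M[r][col]), None)
        if piv is None:
            continue
        M[row], M[piv] = M[piv], M[row]
        inv = pow(M[row][col], -1, P)
        M[row] = [x * inv % P for x in M[row]]
        for r in range(len(M)):
            if r != row and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[row])]
        pivots.append(col)
        row += 1
    return M, pivots


def solve(vectors, target):
    """Coefficients alpha with sum(alpha_i * vectors[i]) == target over F_p,
    or None when target is not in the span of the given vectors."""
    k = len(vectors)
    aug = [[v[r] for v in vectors] + [target[r]] for r in range(len(target))]
    M, pivots = row_reduce(aug)
    if k in pivots:  # pivot in the augmented column: system is inconsistent
        return None
    alpha = [0] * k
    for i, col in enumerate(pivots):
        alpha[col] = M[i][k]
    return alpha


def random_basis(dim):
    """Random basis of F_p^dim: redraw until the dim vectors are independent."""
    while True:
        vecs = [[random.randrange(P) for _ in range(dim)] for _ in range(dim)]
        if len(row_reduce(vecs)[1]) == dim:
            return vecs


def share(n, authorized):
    """Dealer side (Share): `authorized` is the hidden unique minimal
    authorized subset. Returns (yes_shares, no_shares, secret = <s, h>)."""
    e = random_basis(2 * n)  # B = {e_0, ..., e_{2n-1}}
    s = [sum(e[i][c] for i in authorized) % P for c in range(2 * n)]  # target
    h = [random.randrange(P) for _ in range(2 * n)]  # random vector
    yes = [(s, e[i], inner(e[i], h)) for i in range(n)]  # Pi_i
    no = [(s, e[i + n], inner(e[i + n], h)) for i in range(n)]  # Psi_i
    return yes, no, inner(s, h)


def recon(shares):
    """Recon: shares are (s, f_i, x_i) of unknown yes/no character.
    Returns (1, secret) if s = sum(alpha_i f_i) is solvable, else (0, None)."""
    s = shares[0][0]
    alpha = solve([f for _, f, _ in shares], s)
    if alpha is None:
        return 0, None
    return 1, sum(a * x for a, (_, _, x) in zip(alpha, shares)) % P


def demo(seed=1):
    """Three reconstruction attempts: n=5 parties, hidden subset {0, 2, 3}."""
    random.seed(seed)
    n, authorized = 5, [0, 2, 3]
    yes, no, secret = share(n, authorized)
    # all five take part; the hidden subset gives yes shares, others anything
    ok = recon([yes[0], no[1], yes[2], yes[3], no[4]])
    # party 3, a member of the hidden subset, quietly submits its no share
    vetoed = recon([yes[0], no[1], yes[2], no[3], no[4]])
    # party 2 is absent; everyone else contributes a yes share
    absent = recon([yes[0], yes[1], yes[3], yes[4]])
    return {"secret": secret, "ok": ok, "vetoed": vetoed, "absent": absent}
```

Because the submitted ƒi are distinct basis vectors, s lies in their span exactly when every basis vector of the target subset is among them, so the two failing attempts fail by the algebra and not by chance.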


The Recon algorithm may satisfy the four conditions noted above for general secret sharing with hidden access structures. That is, Recon in this yes and no secret sharing with hidden access structures may provide perfect authorization verification, perfect correctness, perfect secrecy, and/or perfect access structure hiding.


With specific respect to perfect authorization verification, for all secrets belonging to the set of secrets (k∈custom character) and every subset of unknown shares {custom character which consists of one share from each party in a subset of parties (custom charactercustom character):

Pr[Recon({custom character,custom character)[1]=1]=1 if ƒ({custom character)∈Γ;
and
Pr[Recon({custom character,custom character)[1]=0]=1 if ƒ({custom character)∉Γ;


where ƒ({custom character)={i∈custom character: Φi(Γ,k)=Πi(Γ,k)}.


That is, the function applied by the Recon algorithm may only return a true value and the reconstructed secret where the set of unknown shares input to Recon include the yes shares of the minimal authorized subset of the access structure.


In some scenarios, Recon may also exhibit perfect correctness. That is, for all secrets in the subset of secrets (k∈custom character) and every subset of unknown shares received from a participant ({custom character) where the yes shares are received from the minimal authorized subset of the access structure (ƒ({custom character)∈Γ), Recon may return a true value and the secret, or:

Pr[Recon({custom character,custom character)=(1,k)]=1.


Specifically, since the basis vectors (ei) form a basis of the vector space (custom character2n), the only linear combination of the basis vectors (ei) that results in the target vector is the sum of the basis vectors from the target subset, or:

s=e1+e2+ . . . +em.


Thus the αi's in the above secret reconstruction algorithm (Recon) will exist if and only if all of P1, P2, . . . , Pm participate and contribute their “yes” shares.


The Recon algorithm may exhibit perfect secrecy. That is, unknown shares received from participants in the Recon algorithm individually provide no information regarding the secret. More precisely, for every subset of unknown shares received from participants ({custom character) such that ƒ({custom character)∉Γ and all secrets k1, k2custom character, the distributions {custom character and {custom character may be identical.


As noted above, if all of P1, P2, . . . , Pm participate in secret reconstruction and contribute their “yes” shares (Πi=(s, ei, custom characterei, hcustom character)), then performing the reconstruction algorithm (Recon), the parties obtain αi=1 for all i=1, . . . , m and αi=0 otherwise. Therefore, the reconstructed secret is equal to:

$$\sum_{i} \alpha_i \langle e_i, h\rangle = \sum_{i=1}^{m} \langle e_i, h\rangle = \Big\langle \sum_{i=1}^{m} e_i,\, h\Big\rangle = \langle s, h\rangle.$$


In some examples, the Recon algorithm may provide perfect access structure hiding. That is, no information regarding the nature of the access structure may be provided from any shares prior to secret reconstruction. In other words, for any access structure, upon unsuccessful reconstruction of a secret due to the provided shares of a subset of participants not including the yes shares of a minimal authorized subset, no information regarding the access structure may be provided. Stated mathematically, for all access structures Γ, Γ′∈custom character, all subsets of participants custom charactercustom character, all secrets k∈custom character, and all subsets of unknown shares {custom character and {custom character such that ƒ(custom character)∉Γ, ƒ({custom character)∉Γ′, the distributions {custom character and {custom character are identical.


Consider a subset of shares that are unknown to be yes shares or no shares ({custom character) such that {i∈custom character: Φi=Πi}∉Γ. The unknown shares may be described as Φi=(s, ƒi, xi). By the above assumption, the target vector (s) does not lie in the span of custom character. Let custom character be the distribution on custom character that selects the total number of participants in the secret sharing scheme (custom character) linearly independent vectors from custom character2n uniformly at random. Note that

$$\{(s, f_i, x_i)\}_{i \in \mathcal{A}} \equiv \Big\{(t, g_i, y_i) : t, g_1, \ldots, g_{|\mathcal{A}|} \leftarrow \mathcal{U}_{|\mathcal{A}|+1},\; y_i \xleftarrow{\$} \mathbb{F}\Big\}_{1 \le i \le |\mathcal{A}|}.$$
Indeed, since xi=custom characterƒi, hcustom character for linearly independent custom character and some uniformly random h∈custom character2n, the xi's are independent and uniform elements of custom character.


In fact, the secret is equally likely to be any element of the field (custom character) even with knowledge of 2n−1 shares which do not include all the yes shares of the minimal authorized subset (Π1, Π2, . . . , Πm). Assume, without loss of generality, that an adversary has all the yes shares Πi=(s, ei, xi) and all the no shares Ψi=(s, ei+n, yi) except the yes share Π1. Solving the equations

custom charactere2,hcustom character=x2, . . . , custom characteren,hcustom character=xn,custom characteren+1,hcustom character=y1, . . . , custom charactere2n,hcustom character=yn


for the random vector (h), one obtains that h lies in an affine subspace of dimension 2n−(2n−1)=1.


Now, since the target vector (s) does not lie in the span of {e2, e3, . . . , e2n}, for any γ∈custom character, adding the equation custom characters, hcustom character=γ to the above system of equations always results in a unique solution for h. Hence, without any further information available to the adversary, (s, h) is equally likely to be any element of custom character, thus preventing the reconstruction of the secret by the adversary.
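The 2n-1 share argument above, checked by brute force on a constructed tiny instance (added example in Python, not the patent's code; p, n, the basis E, the hidden subset, h and the adversary's holdings are all constructed assumptions): enumerating every h consistent with the adversary's shares shows that the secret ⟨s, h⟩ takes each field value equally often, whereas with all 2n shares a single h, and hence the secret, is determined.

```python
"""Brute-force check that 2n-1 shares (all but one yes share of the hidden
minimal subset) leave the secret <s, h> uniform over F_p. Added example on
a constructed instance (p = 5, n = 2), not code from the patent."""
from itertools import product

P = 5  # constructed prime field F_5
N = 2  # parties P_1, P_2: yes shares use e_1, e_2, no shares use e_3, e_4
# Constructed basis of F_5^4, rows e_1..e_4. Upper triangular with unit
# diagonal, so the four vectors are linearly independent.
E = [[1, 2, 0, 3],
     [0, 1, 4, 1],
     [0, 0, 1, 2],
     [0, 0, 0, 1]]
AUTHORIZED = [0, 1]  # hidden minimal authorized subset {P_1, P_2}: s = e_1 + e_2


def inner(u, v):
    """Inner product over F_p."""
    return sum(a * b for a, b in zip(u, v)) % P


def target_vector():
    """s = sum of the basis vectors of the hidden subset."""
    return [sum(E[i][c] for i in AUTHORIZED) % P for c in range(2 * N)]


def consistent_h(known):
    """Every h in F_p^{2n} that agrees with the adversary's shares (f_i, x_i);
    brute force over all p^{2n} candidates rather than solving the system."""
    return [h for h in product(range(P), repeat=2 * N)
            if all(inner(f, h) == x for f, x in known)]


def secret_distribution(h_true, held):
    """`held` lists the basis indices j whose shares (s, e_j, <e_j, h>) the
    adversary has. Returns {candidate secret: number of consistent h}."""
    s = target_vector()
    known = [(E[j], inner(E[j], h_true)) for j in held]
    counts = {}
    for h in consistent_h(known):
        k = inner(s, h)
        counts[k] = counts.get(k, 0) + 1
    return counts
```

With indices 1, 2, 3 held (Π2, Ψ1, Ψ2 but not Π1) the consistent h form an affine line of p points, one per candidate secret; holding index 0 as well collapses it to the true h.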


With reference to FIG. 1, an example of a secret sharing scheme 100 is depicted schematically. The scheme 100 includes a share generator 110. The share generator 110 may comprise a share generation module executable by a computing device comprising the share generator at a dealer entity 112. The dealer entity 112 may be a party in the secret sharing scheme (e.g., a party that receives shares of a secret). Alternatively, the dealer entity 112 may be a third party outside the secret sharing scheme 100 (e.g., the dealer entity 112 may not receive shares of a secret). The share generator 110, as described above, chooses a random basis from a vector space over a finite field. The random basis includes a plurality of basis vectors that can be used to form any given vector in the vector space in a unique manner. The share generator 110 may receive a secret (k) 130. In turn, the share generator 110 calculates a target vector corresponding to the secret (k) 130. The target vector may be calculated using a target subset of the basis vectors, the number of which may be equal to the number of members of a minimal authorized subset of the parties. The share generator 110 also chooses a random vector.


In turn, the share generator 110 may utilize the share generation algorithm (e.g., Share described above) to generate yes shares ({Π1(k), . . . custom character}) and no shares ({Ψ1(k), . . . custom character}) that are distributed to the parties 120. Specifically, a yes share (Π) and a no share (Ψ) are distributed to each of the parties 120. As described above, the yes shares for a minimal authorized subset of the parties 120 are generated from the target subset of the basis vectors used to calculate the target vector corresponding to the secret. The yes shares for parties 120 outside the minimal authorized subset are generated from basis vectors outside the target subset of basis vectors. Also, all no shares are generated using basis vectors outside the target subset of basis vectors.


The share generator 110 may comprise a computing device comprising, for example, one or more hardware processors and memory devices. The hardware processors may access the share generation algorithm, which may be stored in a memory device of the share generator 110. In turn, the one or more hardware processors of the share generator 110 may execute the share generation algorithm to generate the yes shares and no shares. The shares may be communicated to the parties 120a, 120b, . . . 120n, which themselves may be computing devices comprising one or more hardware processors and memory devices. The shares may be communicated to the parties 120 by way of a network or other digital communication methodology. In this regard, the shares may be stored in a respective memory device of the party 120 that receives the shares. As described above, the secret 130 may comprise data received at the share generator 110. A share may comprise share data that is provided to and stored in a memory device of each respective party 120.


In turn, with further reference to FIG. 2, when a subset of parties or participants (custom character) 220 wish to attempt a secret reconstruction, the subset of the participants (custom character) 220 comprising the par may each provide a share (Φ) 222, which is unknown to be a yes share (Π) or a no share (Ψ) to a reconstructing entity 230. In turn, the reconstructing entity 230 may have a secret reconstructor 232, which may comprise a reconstruction algorithm such as Recon discussed above. The reconstructing entity 230 may comprise a member of the subset of participants (custom character) 220 or be a third party outside the subset of participants (custom character) 220. In the event the reconstructing entity is a member of the subset of participants (custom character) 220, the reconstructing entity may contribute a share (Φ) 222 as an input to the secret reconstructor 232 in addition to receiving a share (Φ) 222 from at least one other member of the subset of participants (custom character) 220.


The secret reconstructor 232 may comprise a computing device comprising, for example, one or more hardware processors and memory devices. The hardware processors may access the secret reconstruction algorithm, which may be stored in a memory device of the secret reconstructor 232. In turn, the one or more hardware processors of the secret reconstructor 232 may execute the secret reconstruction algorithm with shares (Φ) 222 to attempt to reconstruct a secret. The shares (Φ) 222 may be received from the subset of participants 220, which themselves may be computing devices comprising one or more hardware processors and memory devices. The shares (Φ) 222 may be received from the subset of participants 220 by way of a network or other digital communication methodology. In this regard, the shares (Φ) 222 may be stored in a respective memory device of the reconstructing entity 230 that receives the shares.


In turn, the secret reconstructor 232 may attempt to compute the target vector corresponding to a secret (k) 234 using each of the shares (Φ) 222 as an input to a secret reconstruction algorithm. If the yes shares (Π) of every member of a minimal authorized subset are present among the shares (Φ) 222, the secret reconstructor 232 may output the secret (k) 234. Otherwise a failure message 236 may be returned. As may be appreciated, this may occur because not all members of a minimal authorized subset of parties are present in the subset of participants 220, or because one or more members of a minimal authorized subset contributed a no share (Ψ) rather than a yes share (Π); the output does not distinguish the two cases. In addition, upon return of the failure message 236, no information regarding the access structure may be derived by any of the participants. Likewise, when the failure message 236 is returned, no information regarding the nature of the shares (Φ) 222 may be derived, such that a member of the minimal authorized subset may maintain deniability regarding whether a yes share (Π) or a no share (Ψ) was provided.



FIG. 3 illustrates example operations 300 for generation of shares in a yes and no secret sharing scheme with hidden access structures as described above. In a choosing operation 302, a random basis is chosen that comprises a plurality of basis vectors. In a generating operation 304, a target vector corresponding to a secret is generated using a target subset of the basis vectors. A sampling operation 306 samples a random vector; the secret is a function of the target vector and the random vector. In turn, the operations 300 include a generating operation 308 in which a yes share is generated for each party in the scheme. The yes shares include authorized yes shares corresponding to a minimal authorized subset of parties. The number of authorized yes shares corresponds to the number of parties in the minimal authorized subset, and each authorized yes share is generated using a different one of the basis vectors in the target subset used to generate the target vector in the generating operation 304. The yes shares of parties outside the minimal authorized subset are generated from basis vectors outside the target subset. However, an authorized yes share may be indistinguishable from a non-authorized yes share even to the parties of the scheme; that is, a party may not be aware of whether or not it is a member of the minimal authorized subset. In a generating operation 310, a no share is generated for each party from a basis vector outside the target subset. Each party may distinguish its own yes share from its own no share, but the yes share and the no share of a given party are not distinguishable to other parties in the scheme. A distributing operation 312 distributes a yes share and a no share to each party in the scheme.


With further reference to FIG. 4, example operations 400 for secret reconstruction are shown. The operations 400 include an obtaining operation 402 that includes obtaining shares from a participating subset of the parties of the scheme comprising participants in the reconstruction. The obtaining operation 402 may include receiving a share from another participant in the scheme and/or contributing a share held by the entity conducting the reconstruction. In other examples, the participants may pool their shares such that each participant may independently attempt secret reconstruction using the pooled shares.


The operations 400 also include a calculating operation 404 in which the reconstructing entity attempts to calculate the target vector using the shares obtained in the obtaining operation 402, for example by inputting the obtained shares into a reconstruction algorithm. In turn, a determining operation 406 determines whether all yes shares of a minimal authorized subset are present. Because the access structure is hidden from the reconstructing entity, this is not determined by inspecting the shares but by whether the calculation of the target vector succeeds. If it does, a reconstruction operation 408 reconstructs the secret; otherwise an outputting operation 410 outputs a failure message.
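The following Python program is an added, self-contained illustration of operations 302 to 312 of FIG. 3 and 402 to 410 of FIG. 4; it is not the patent's code. The patent fixes only the shape of the construction (a random basis, a target subset, a target vector, a random vector, one yes share and one no share per party, and reconstruction by computing the target vector), so the concrete functions here are this example's assumptions: the vector space is F_p^(2n) over a prime p; the target vector t is the sum of the basis vectors in the target subset; the secret is k = <t, r> for the random vector r, which is the form claim 1 states (the description also allows the secret to be supplied as input, in which case a deployment would pick r subject to <t, r> = k or use k as a key); a share is the pair (basis vector b, <b, r>); and the reconstructor is given t and recovers k by expressing t as a linear combination of the submitted share vectors. The names generate_shares, reconstruct, Share, solve_in_span and rref are the example's own.

```python
"""Toy yes/no secret sharing with a hidden minimal authorized subset.

Added illustration, not the patent's code.  The patent fixes only the shape of
the construction; everything marked ASSUMPTION below is this example's choice.
"""
import secrets
from dataclasses import dataclass

P = 2**61 - 1  # ASSUMPTION: the vector space is F_P^m for this Mersenne prime


def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P


def rand_vec(m):
    return [secrets.randbelow(P) for _ in range(m)]


def rref(rows, pivot_cols):
    """Reduced row echelon form over F_P, pivoting on the first `pivot_cols`
    columns only.  Returns (reduced copy, list of pivot columns)."""
    M = [r[:] for r in rows]
    pivots = []
    for col in range(pivot_cols):
        rank = len(pivots)
        piv = next((i for i in range(rank, len(M)) if M[i][col]), None)
        if piv is None:
            continue
        M[rank], M[piv] = M[piv], M[rank]
        inv = pow(M[rank][col], P - 2, P)
        M[rank] = [(x * inv) % P for x in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][col]:
                f = M[i][col]
                M[i] = [(a - f * b) % P for a, b in zip(M[i], M[rank])]
        pivots.append(col)
    return M, pivots


def random_basis(m):
    """Operation 302: m uniformly random vectors, resampled until independent."""
    while True:
        basis = [rand_vec(m) for _ in range(m)]
        if len(rref(basis, m)[1]) == m:
            return basis


def solve_in_span(vectors, t):
    """Coefficients a with sum(a_i * vectors[i]) == t over F_P, or None if t is
    not in the span.  Free variables (if any) are set to zero."""
    j, m = len(vectors), len(t)
    aug = [[vectors[i][row] for i in range(j)] + [t[row]] for row in range(m)]
    R, pivots = rref(aug, j)
    if any(R[i][j] for i in range(len(pivots), m)):
        return None  # a zero row with a nonzero right-hand side: inconsistent
    coeffs = [0] * j
    for row, col in enumerate(pivots):
        coeffs[col] = R[row][j]
    return coeffs


@dataclass(frozen=True)
class Share:
    vec: tuple  # a basis vector b (ASSUMPTION: shares carry it in the clear)
    val: int    # <b, r> mod P


def generate_shares(n, authorized):
    """FIG. 3 for n parties; `authorized` is the hidden minimal authorized subset.
    Returns (target vector t, secret k, {party: (yes_share, no_share)}).
    Only t is meant to be public; k and the assignment stay with the dealer."""
    authorized = set(authorized)
    if not authorized or not authorized <= set(range(n)):
        raise ValueError("authorized must be a non-empty subset of range(n)")
    m = 2 * n                              # ASSUMPTION: dimension 2n
    basis = random_basis(m)                # 302: basis[i] backs yes share i,
    #                                        basis[n+i] backs no share i
    target_subset = [basis[i] for i in sorted(authorized)]
    t = [sum(col) % P for col in zip(*target_subset)]   # 304: ASSUMPTION t = sum
    r = rand_vec(m)                        # 306
    k = dot(t, r)                          # secret: ASSUMPTION k = <t, r>
    shares = {}
    for i in range(n):                     # 308 (yes) and 310 (no)
        yes = Share(tuple(basis[i]), dot(basis[i], r))
        no = Share(tuple(basis[n + i]), dot(basis[n + i], r))
        shares[i] = (yes, no)              # 312: hand (yes, no) to party i
    return t, k, shares


def reconstruct(t, submitted):
    """FIG. 4: every participant hands in one Share without saying which kind.
    Returns k (408) or None, the failure message 236 / 410.  Because t is
    expressed linearly in the submitted vectors, extra shares get coefficient 0
    and any valid combination yields the same <t, r>."""
    coeffs = solve_in_span([list(s.vec) for s in submitted], list(t))  # 404
    if coeffs is None:                                                  # 406
        return None
    return sum(a * s.val for a, s in zip(coeffs, submitted)) % P
```

Three behaviours of the text are exercised by running this: yes shares of non-authorized parties and no shares of anyone "ride along" harmlessly, since the unique expression of t in the basis gives them coefficient zero; an authorized party that submits its no share instead of its yes share causes a failure that is identical, in the reconstructor's output and in the shape of the inputs, to that party being absent, which is the deniability the description relies on; and nothing in the reconstructor consults the access structure, so a failure reveals only that the submitted shares do not contain the authorized yes shares. The example does not attempt to prove the hiding properties; it only exercises the mechanics.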



FIG. 5 illustrates an example schematic of a computing device 500 suitable for implementing aspects of the disclosed technology including a share generator and/or secret reconstructor as described above. The computing device 500 includes one or more processor unit(s) 502, memory 504, a display 506, and other interfaces 508 (e.g., buttons). The memory 504 generally includes both volatile memory (e.g., RAM) and non-volatile memory (e.g., flash memory). An operating system 510, such as the Microsoft Windows® operating system, the Apple macOS operating system, or the Linux operating system, resides in the memory 504 and is executed by the processor unit(s) 502, although it should be understood that other operating systems may be employed.


One or more applications 512 are loaded in the memory 504 and executed on the operating system 510 by the processor unit(s) 502. Applications 512 may receive input from various local input devices such as a microphone 534 or input accessory 535 (e.g., keypad, mouse, stylus, touchpad, joystick, instrument mounted input, or the like). Additionally, the applications 512 may receive input from one or more remote devices such as remotely located smart devices by communicating with such devices over a wired or wireless network using one or more communication transceivers 530 and an antenna 538 to provide network connectivity (e.g., a mobile phone network, Wi-Fi®, Bluetooth®). The computing device 500 may also include various other components, such as a positioning system (e.g., a global positioning satellite transceiver), one or more accelerometers, one or more cameras, an audio interface (e.g., the microphone 534, an audio amplifier and speaker and/or audio jack), and storage devices 528. Other configurations may also be employed.


The computing device 500 further includes a power supply 516, which is powered by one or more batteries or other power sources and which provides power to other components of the computing device 500. The power supply 516 may also be connected to an external power source (not shown) that overrides or recharges the built-in batteries or other power sources.


In an example implementation, the computing device 500 comprises hardware and/or software embodied by instructions stored in the memory 504 and/or the storage devices 528 and processed by the processor unit(s) 502. The memory 504 may be the memory of a host device or of an accessory that couples to the host. Additionally or alternatively, the computing device 500 may comprise one or more field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), or other hardware/software/firmware capable of providing the functionality described herein.


The computing device 500 may include a variety of tangible processor-readable storage media and intangible processor-readable communication signals. Tangible processor-readable storage can be embodied by any available media that can be accessed by the computing device 500 and includes both volatile and nonvolatile storage media, removable and non-removable storage media. Tangible processor-readable storage media excludes intangible communications signals and includes volatile and nonvolatile, removable and non-removable storage media implemented in any method or technology for storage of information such as processor-readable instructions, data structures, program modules or other data. Tangible processor-readable storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CDROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information, and which can be accessed by the computing device 500. In contrast to tangible processor-readable storage media, intangible processor-readable communication signals may embody processor-readable instructions, data structures, program modules or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism. The term “modulated data signal” means an intangible communications signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, intangible communication signals include signals traveling through wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media.


Some implementations may comprise an article of manufacture. An article of manufacture may comprise a tangible storage medium to store logic. Examples of a storage medium may include one or more types of processor-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth. Examples of the logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, operation segments, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. In one implementation, for example, an article of manufacture may store executable computer program instructions that, when executed by a computer, cause the computer to perform methods and/or operations in accordance with the described implementations. The executable computer program instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. The executable computer program instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a computer to perform a certain operation segment. The instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.


One general aspect of the present disclosure includes a method for generating shares for a secret sharing scheme. The method includes choosing a random basis for a vector space. The random basis includes a plurality of basis vectors that can be used to form any given vector in the vector space in a unique manner. The method also includes calculating a target vector from a target subset of the plurality of basis vectors. Furthermore, the method includes choosing a random vector from the vector space. A secret of the secret sharing scheme is a function of the target vector and the random vector. In turn, the method includes generating, for a plurality of parties in the secret sharing scheme, a corresponding plurality of yes shares, each as a function of a basis vector from the plurality of basis vectors and the random vector. The plurality of yes shares comprise authorized yes shares generated as a function of a basis vector from the target subset of the plurality of basis vectors. The secret is only reconstructable by a computation involving the target vector in an operation including all of the authorized yes shares. The method also includes generating, for each of the plurality of parties in the secret sharing scheme, a no share as a function of a basis vector outside the target subset of the plurality of basis vectors and the random vector. The method also includes distributing a yes share and a no share to each of the plurality of parties in the secret sharing scheme. The authorized yes shares are distributed to a minimal authorized subset of the plurality of parties in the secret sharing scheme.


Implementations may include one or more of the following features. For example, the minimal authorized subset of participants may be unknown to the plurality of parties in the secret sharing scheme prior to reconstruction of the secret. In addition, the yes share and the no share of any party of the plurality of parties may be indistinguishable to others of the plurality of parties. Further still, a non-authorized yes share and an authorized yes share may be indistinguishable to the plurality of parties.


In an example, the secret sharing scheme is unconditionally secure.
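The following derivation is added here and is not part of the patent. It shows why an inner-product instantiation of the scheme described above is unconditionally secure. The patent does not specify the share functions, so the derivation assumes that the vector space is $\mathbb{F}_p^m$, that the secret is $k = \langle t, r\rangle$ for the target vector $t$ and a uniformly random vector $r$, that $t$ is the sum of the basis vectors in the target subset, and that a share built on a basis vector $b$ is the pair $(b, \langle b, r\rangle)$. The symbols $t$, $r$ and $k$ are the page's; $v_i$, $c_i$, $U$, $d$ and $\kappa$ are introduced here.

Correctness. Let the submitted shares be $(v_1, c_1), \dots, (v_j, c_j)$ with $c_i = \langle v_i, r\rangle$. If coefficients $a_i$ exist with $\sum_i a_i v_i = t$, then by linearity of the inner product

$$\sum_{i=1}^{j} a_i c_i \;=\; \sum_{i=1}^{j} a_i \langle v_i, r\rangle \;=\; \Big\langle \sum_{i=1}^{j} a_i v_i,\; r\Big\rangle \;=\; \langle t, r\rangle \;=\; k .$$

Because the $v_i$ are distinct members of one basis and $t$ has coefficient $1$ on exactly the basis vectors of the target subset and $0$ elsewhere, $t$ lies in the span of the $v_i$ precisely when every basis vector of the target subset, that is, every authorized yes share, is among them. Any other share (a non-authorized yes share or a no share) receives $a_i = 0$, which is why extra participants do not disturb the reconstruction.

Security. Suppose an adversary holds shares $(v_1, c_1), \dots, (v_j, c_j)$ whose vectors span a subspace $U$ of dimension $d$ with $t \notin U$; this is exactly the situation when at least one authorized yes share is missing, whether because its holder is absent or because its holder submitted a no share. The vectors themselves are independent of $r$, so the adversary's information about $r$ consists of the $d$ independent linear equations $\langle v_i, r\rangle = c_i$, whose solution set is an affine subspace of $\mathbb{F}_p^m$ with $p^{m-d}$ elements (it contains the true $r$). For a candidate value $\kappa \in \mathbb{F}_p$ of the secret, the $r$ consistent with the view and with $k = \kappa$ are the solutions of

$$\langle v_i, r\rangle = c_i \quad (1 \le i \le j), \qquad \langle t, r\rangle = \kappa .$$

Since $t \notin U$, the coefficient vectors $v_1, \dots, v_j, t$ span a space of dimension $d + 1$, so for every $\kappa$ this system is consistent and its solution set has exactly $p^{m-d-1}$ elements. Hence

$$\Pr[\,k = \kappa \mid \text{view}\,] \;=\; \frac{p^{m-d-1}}{p^{m-d}} \;=\; \frac{1}{p} \qquad \text{for every } \kappa \in \mathbb{F}_p ,$$

independent of the adversary's computational power, which is the sense in which the instantiation is unconditionally secure. The same count applies whether the missing vector belongs to an absent party or to a party that submitted its no share; the adversary's view is the same in both cases, which is the deniability property described above.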


In an example, the method may include determining an access structure defining the minimal authorized subset of participants and its size. The number of basis vectors in the target subset corresponds to the number of participants in the minimal authorized subset. The minimal authorized subset may be a function of a hidden access structure that is not known to the plurality of parties in the scheme. In an example, no information regarding the access structure may be available to the plurality of parties participating in the secret sharing scheme prior to successful reconstruction of the secret.


In an example, the method may also include obtaining a plurality of shares. Specifically, the plurality of shares are unknown to be yes shares or no shares. The method may also include combining the plurality of shares to attempt to compute the secret and reconstructing the secret only in response to all the yes shares of the minimal authorized subset of participants being present in the plurality of shares. Otherwise the method may fail to reconstruct the secret in response to not all the yes shares of the minimal authorized subset of participants being present in the plurality of shares.


Another general aspect of the present disclosure includes a method for reconstruction of a secret in a secret sharing scheme. The method includes obtaining a plurality of shares from a corresponding plurality of participants. The plurality of shares are unknown to be yes shares or no shares. A minimal authorized subset of the plurality of participants is unknown to the plurality of participants prior to secret reconstruction. The method also includes combining the plurality of shares to attempt to compute a secret. The secret is a function of a target vector. The method includes reconstructing the secret only in response to all the yes shares of the minimal authorized subset of the participants being present in the plurality of shares, and otherwise failing to reconstruct the secret in response to not all of the yes shares of the minimal authorized subset of participants being present in the plurality of shares.


Implementations may include one or more of the following features. For example, the obtaining may include receiving at least one share from another party in the secret sharing scheme. The minimal authorized subset of participants may be unknown to the plurality of parties participating in the secret sharing scheme.


In an example, the yes shares may be generated as a function of a basis vector from a plurality of basis vectors of a random basis for a vector space and a random vector. The yes shares may include authorized yes shares generated as a function of a basis vector from a target subset of the plurality of basis vectors. The target subset of the plurality of basis vectors may be used to calculate the target vector. The no shares may be generated as a function of a basis vector outside the target subset of the plurality of basis vectors and the random vector.


In an example, the yes share and the no share of any party of the plurality of parties may be indistinguishable to others of the plurality of parties. A non-authorized yes share and an authorized yes share may be indistinguishable to the plurality of participants.


In an example, the secret sharing scheme may be unconditionally secure.


In an example, the minimal authorized subset of the participants may be determined by an access structure. In turn, the number of basis vectors in the target subset may correspond to the number of participants in the minimal authorized subset. In addition, no information regarding the access structure may be available to the plurality of parties in the secret sharing scheme prior to successful reconstruction of the secret.


The implementations described herein are implemented as logical steps in one or more computer systems. The logical operations may be implemented (1) as a sequence of processor-implemented steps executing in one or more computer systems and (2) as interconnected machine or circuit modules within one or more computer systems. The implementation is a matter of choice, dependent on the performance requirements of the computer system being utilized. Accordingly, the logical operations making up the implementations described herein are referred to variously as operations, steps, objects, or modules. Furthermore, it should be understood that logical operations may be performed in any order, unless explicitly claimed otherwise or a specific order is inherently necessitated by the claim language.


While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered as exemplary and not restrictive in character. For example, certain embodiments described hereinabove may be combinable with other described embodiments and/or arranged in other ways (e.g., process elements may be performed in other sequences). Accordingly, it should be understood that only the preferred embodiment and variants thereof have been shown and described and that all changes and modifications that come within the spirit of the invention are desired to be protected.

Claims
  • 1. A method for generating shares for a secret sharing scheme for sharing a secret amongst a plurality of computing devices, comprising: choosing, using a hardware processor of a share generator, a random basis for a vector space, the random basis comprising a plurality of basis vectors that can be used to form any given vector in the vector space in a unique manner; calculating, using the hardware processor of the share generator, a target vector from a target subset of the plurality of basis vectors; choosing, using a hardware processor of a share generator, a random vector from the vector space, wherein a secret is a function of the target vector and the random vector; generating, using the hardware processor of the share generator, for a plurality of parties in the secret sharing scheme, a corresponding plurality of yes shares as a function of a basis vector from the plurality of basis vectors and the random vector, wherein the plurality of yes shares comprise authorized yes shares generated as a function of a basis vector from the target subset of the plurality of basis vectors, wherein the secret is only reconstructable by a computation involving the target vector in an operation including all of the authorized yes shares, and wherein the plurality of parties comprise respective computing devices of the plurality of computing devices capable of storing the share in memory; generating, using the hardware processor of the share generator, for each of the plurality of parties in the secret sharing scheme, a no share as a function of a basis vector outside the target subset of the plurality basis vectors and the random vector; and distributing a yes share and a no share to each of the plurality of parties in the secret sharing scheme, wherein the authorized yes shares are distributed to a minimal authorized subset of the plurality of parties in the secret sharing scheme.
  • 2. The method of claim 1, wherein the minimal authorized subset of participants is unknown to the plurality of parties in the secret sharing scheme prior to reconstruction of the secret.
  • 3. The method of claim 1, wherein the yes share and the no share of any party of the plurality of parties are indistinguishable to others of the plurality of parties.
  • 4. The method of claim 3, wherein the yes share and the authorized yes shares are indistinguishable to the plurality of parties.
  • 5. The method of claim 1, wherein the secret sharing scheme is unconditionally secure.
  • 6. The method of claim 1, further comprising: determining an access structure defining a number of the minimal authorized subset of participants, wherein a number of the target vectors in the target subset corresponds to the number of the minimal authorized subset of participants.
  • 7. The method of claim 6, further comprising: obtaining a plurality of shares, wherein the plurality of shares are unknown to be yes shares or no shares; combining the plurality of shares to attempt to compute the secret; and reconstructing the secret only in response to all the yes shares of the minimal authorized subset of participants being present in the plurality of shares, otherwise failing to reconstruct the secret in response to not all the yes shares of the minimal authorized subset of participants being present in the plurality of shares.
  • 8. The method of claim 6, wherein no information regarding the access structure is available to the plurality of parties participating in the secret sharing scheme prior to successful reconstruction of the secret.
US Referenced Citations (27)
Number Name Date Kind
6606663 Liao Aug 2003 B1
6895501 Salowey May 2005 B1
7480635 Saar Jan 2009 B2
7587366 Grim, III Sep 2009 B2
8340283 Nadalin Dec 2012 B2
9037511 Roth May 2015 B2
9483657 Paul Nov 2016 B2
9536268 Serena Jan 2017 B2
20020069369 Tremain Jun 2002 A1
20040174875 Geagan, III Sep 2004 A1
20060004662 Nadalin Jan 2006 A1
20060206904 Watkins Sep 2006 A1
20070171921 Wookey Jul 2007 A1
20080181398 Pappu Jul 2008 A1
20090119504 van Os May 2009 A1
20090282266 Fries Nov 2009 A1
20090288167 Freericks Nov 2009 A1
20100125856 Dash May 2010 A1
20100162235 Ginzton Jun 2010 A1
20110016322 Dean Jan 2011 A1
20110141124 Halls Jun 2011 A1
20110231443 Hannel Sep 2011 A1
20110302042 Hatakeyama Dec 2011 A1
20110302650 Brown Dec 2011 A1
20120196566 Lee Aug 2012 A1
20130006840 Cahn Jan 2013 A1
20130007459 Godfrey Jan 2013 A1
Foreign Referenced Citations (1)
Number Date Country
2001020562 Mar 2001 WO
Non-Patent Literature Citations (3)
Entry
Beutelspacher, Albrecht. "How to say 'no'". In Advances in Cryptology—EUROCRYPT '89, Workshop on the Theory and Application of Cryptographic Techniques, Houthalen, Belgium, Apr. 10-13, 1989, Proceedings, LNCS vol. 434, pp. 491-496, 1989.
Sehrawat, Vipin Singh et al. "Access structure hiding secret sharing from novel set systems and vector families". In Computing and Combinatorics (COCOON 2020), pp. 246-261, 2020.
Jackson, Wen-Ai et al. "Geometrical contributions to secret sharing theory". Journal of Geometry, vol. 79, pp. 102-133, 2004.
Related Publications (1)
Number Date Country
20220329410 A1 Oct 2022 US