A Generalized Secret Sharing Scheme Realizing Ordered Access Structures
2.1. Preparation Phase

Initially, the dealer D prepares a noticeboard that is publicly readable to all participants in the system, but only D has the privilege to update its contents. After that, D performs the following steps:

Step 1. Define system parameters:
(1-1) Select two large primes $p$ and $q$ such that $q \mid (p-1)$.
(1-2) Select a generator $g$ modulo $p$ with order $q$.
(1-3) Publish a one-way hash function $h$.
(1-4) Put $\{p, q, g\}$ on the noticeboard.

Step 2. Generate a share $S_j = (s_{1j}, s_{2j})$ for each $u_j \in G$, where $s_{1j}, s_{2j} \in Z_q^*$ are randomly chosen, and then send $S_j$ to $u_j$ via a secure channel.

Step 3. For each qualified subset $Q_i$ in $\Gamma_k$, generate a check vector $V_i$ and a ticket $T_i$ as follows:
(3-1) Randomly select an integer $w_{i0} \in Z_q^*$.
(3-2) Let $(s_{1ij}, s_{2ij})$ be the share of $u_{ij} \in Q_i$. For $j = 1, 2, \ldots, m$, compute
$$w_{ij} = w_{i(j-1)} \cdot s_{1ij} + s_{2ij} \bmod q, \qquad v_{ij} = h(g^{w_{ij}}) \bmod p. \quad (1)$$
(3-3) Compute $t_{1i}$ and $t_{2i}$ as $t_{1i} = g^{w_{i0}} \bmod p$ and $t_{2i} = k - g^{w_{im}} \bmod p$.
(3-4) Denote $V_i$ and $T_i$ by $V_i = (v_{i1}, v_{i2}, \ldots, v_{im})$ and $T_i = (t_{1i}, t_{2i})$, and put $V_i$ and $T_i$ on the noticeboard.

2.2. Secret Reconstruction Phase

Suppose that the participants of the qualified subset $Q_i = \langle u_{i1}, u_{i2}, \ldots, u_{im} \rangle$ want to reconstruct the secret $k$ and that the communication channels among them are noise-free. These participants cooperatively perform the following steps:

Step 1. The first participant $u_{i1}$ gets $t_{1i}$ from the noticeboard, computes the subshare $A_{i1}$ by $A_{i1} = t_{1i}^{\,s_{1i1}} \cdot g^{s_{2i1}} \bmod p$, and then presents it to the subsequent participant $u_{i2}$.

Step 2. The subsequent participants $u_{ij}$ (for $j = 2, 3, \ldots, m-1$) do the following tasks in accordance with the sequence $\langle u_{i2}, \ldots, u_{i(m-1)} \rangle$:
(2-1) Get $v_{i(j-1)}$ from the noticeboard and verify $A_{i(j-1)}$ by testing whether
$$h(A_{i(j-1)}) = v_{i(j-1)} \pmod p. \quad (2)$$
If the equality fails, identify $u_{i(j-1)}$ as a cheater and stop this phase.
(2-2) Compute a subshare
$$A_{ij} = A_{i(j-1)}^{\,s_{1ij}} \cdot g^{s_{2ij}} \bmod p, \quad (3)$$
and then present it to the next participant $u_{i(j+1)}$.

Step 3. The last participant $u_{im}$ first verifies $A_{i(m-1)}$ as in Step (2-1), then computes $A_{im} = A_{i(m-1)}^{\,s_{1im}} \cdot g^{s_{2im}} \bmod p$ and presents it to all the other participants in $Q_i$.

Step 4. Every participant $u_{ij} \in Q_i - \langle u_{im} \rangle$ gets $v_{im}$ from the noticeboard and verifies $A_{im}$ as in Step (2-1).

Step 5. Every participant $u_{ij} \in Q_i$ gets $t_{2i}$ from the noticeboard and reconstructs the shared secret $k$ by computing $k = t_{2i} + A_{im} \bmod p$.

Note that in Steps 2 to 4 any violation in the presentation of subshares is effectively identified, because the subshares $A_{ij}$ sequentially presented by the participants of the qualified subset are publicly verifiable. Once the shared secret $k$ has been reconstructed, all these subshares are useless.

Here we give a brief sketch to show that the proposed scheme works correctly. Raising $g$ to both sides of Equation 1 yields Equation 3, since $g^{w_{ij}} = \left(g^{w_{i(j-1)}}\right)^{s_{1ij}} \cdot g^{s_{2ij}} \pmod p$. Hence, with $A_{i0}$ taken as $t_{1i} = g^{w_{i0}} \bmod p$, induction on $j$ gives $A_{ij} = g^{w_{ij}} \pmod p$ for every $j$, and in particular $A_{im} = g^{w_{im}} \pmod p$, so $t_{2i} + A_{im} = k \pmod p$ in Step 5. Likewise, the check value $v_{ij} = h(g^{w_{ij}}) \bmod p$ published by D equals $h(A_{ij}) \bmod p$ exactly when $A_{ij}$ was computed honestly, which is what Equation 2 tests.

3. SECURITY ANALYSIS

It is believed that solving the discrete logarithm problem (DLP) over GF(p) is computationally infeasible when $p$ is large (e.g., more than 512 bits) [8]. On the other hand, a one-way hash function $h$ is considered robust enough if it produces a large enough output (e.g., at least 128 bits [11]) and has the following properties [7]:
(i) $h$ can be applied to an argument of any size and produces a fixed-size output.
(ii) Given $x$, it is easy to compute $h(x)$.
(iii) Given $h(x)$, it is computationally infeasible to determine $x$.
(iv) $h$ is collision free, i.e., it is computationally infeasible to find distinct $x$ and $y$ with $h(x) = h(y)$.
(The parameter sizes quoted above reflect the time of writing; 512-bit prime fields and 128-bit hash outputs are no longer considered adequate, and a present-day deployment would use considerably larger ones.)
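The following Python program is an added worked example, not code from the paper: it implements the dealer's preparation phase (Steps 1 to 3 of Section 2.1) and the ordered reconstruction phase (Steps 1 to 5 of Section 2.2), then exercises the check of Equation 2 against the two cheating cases the paper claims to identify, a forged subshare and a presentation out of the dealer's sequence. The names Dealer, reconstruct, run_scenarios and CheaterDetected, the choice of SHA-256 for h, the test hooks acting_order and forger, the participant names and the 64-bit toy group size are all assumptions of this example; the paper fixes none of them.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for generating demo parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_params(bits=64):
    """Step 1: primes p, q with q | (p-1) (here p = 2q+1) and g of order q mod p.
    A 64-bit p is a toy size chosen so the demo runs instantly, not a secure choice."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            break
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)  # squares lie in the order-q subgroup
        if g != 1:
            return p, q, g

def h(x, p):
    """The public one-way hash h (SHA-256 assumed) of a group element, reduced mod p as in the paper."""
    digest = hashlib.sha256(x.to_bytes((p.bit_length() + 7) // 8, "big")).digest()
    return int.from_bytes(digest, "big") % p

class Dealer:
    def __init__(self, participants, bits=64):
        self.p, self.q, self.g = gen_params(bits)
        # Step 2: a share (s_1j, s_2j) in Z_q^* per participant, sent over a secure channel.
        self.shares = {u: (secrets.randbelow(self.q - 1) + 1, secrets.randbelow(self.q - 1) + 1)
                       for u in participants}
        self.noticeboard = {"p": self.p, "q": self.q, "g": self.g, "Q": {}}  # only D writes here

    def publish(self, i, ordered_subset, k):
        """Step 3: check vector V_i and ticket T_i for the ordered qualified subset Q_i."""
        p, q, g = self.p, self.q, self.g
        w = secrets.randbelow(q - 1) + 1                  # w_i0
        t1, V = pow(g, w, p), []                          # t_1i = g^{w_i0} mod p
        for u in ordered_subset:
            s1, s2 = self.shares[u]
            w = (w * s1 + s2) % q                         # Equation (1)
            V.append(h(pow(g, w, p), p))                  # v_ij = h(g^{w_ij}) mod p
        t2 = (k - pow(g, w, p)) % p                       # t_2i = k - g^{w_im} mod p
        self.noticeboard["Q"][i] = {"order": tuple(ordered_subset), "V": V, "T": (t1, t2)}

class CheaterDetected(Exception):
    """Carries the identity of the participant whose subshare failed Equation (2)."""

def reconstruct(board, i, shares, acting_order=None, forger=None):
    """Steps 1-5 of the reconstruction phase, all roles played by one process (hence the
    shared `shares` dict).  `acting_order` and `forger` are hypothetical test hooks, not
    part of the paper: present out of the dealer's sequence, or present a fake subshare."""
    p, g = board["p"], board["g"]
    entry = board["Q"][i]
    order, V, (t1, t2) = entry["order"], entry["V"], entry["T"]
    acting = tuple(acting_order or order)
    A = t1                                                 # A_i0 is the ticket part t_1i
    for j, u in enumerate(acting):
        if j > 0 and h(A, p) != V[j - 1]:                  # Step (2-1): Equation (2)
            raise CheaterDetected(acting[j - 1])
        s1, s2 = shares[u]
        A = (pow(A, s1, p) * pow(g, s2, p)) % p            # Equation (3)
        if u == forger:
            A = (A + 1) % p                                # anything not derived from the share
    if h(A, p) != V[-1]:                                   # Step 4: everyone checks A_im
        raise CheaterDetected(acting[-1])
    return (t2 + A) % p                                    # Step 5: k = t_2i + A_im mod p

def run_scenarios():
    """Honest run, one forged subshare, and one out-of-order presentation on the same Q_1."""
    dealer = Dealer(["alice", "bob", "carol", "dave"])
    k = secrets.randbelow(dealer.p)
    dealer.publish(1, ["carol", "alice", "bob"], k)        # Q_1 = <carol, alice, bob>
    board, shares = dealer.noticeboard, dealer.shares
    results = {"honest": reconstruct(board, 1, shares) == k}
    for name, kwargs in (("forged", {"forger": "alice"}),
                         ("out_of_order", {"acting_order": ("bob", "carol", "alice")})):
        try:
            reconstruct(board, 1, shares, **kwargs)
            results[name] = None
        except CheaterDetected as e:
            results[name] = e.args[0]
    return results

if __name__ == "__main__":
    print(run_scenarios())  # {'honest': True, 'forged': 'alice', 'out_of_order': 'bob'}
```

Two points the run makes visible: the out-of-order case is caught at the very next check, and the participant blamed is the one who presented at the wrong position, because the check vector is indexed by the dealer's sequence, not by who happens to speak; and a forger who alters the value at all is caught by the following participant without that participant learning anything about the forger's share. In a real deployment every participant holds only its own pair $(s_{1j}, s_{2j})$, and the noticeboard must be authentically writable by D alone, as the paper requires.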
The security of the proposed scheme depends on the following two issues.

Security issue 1: Under the cryptographic assumption of the DLP, no adversary can reveal the share held by a participant from the subshare derived from it.

Analysis: From Equations 1 and 3, the share $S_{ij} = (s_{1ij}, s_{2ij})$ of $u_{ij} \in Q_i$ is protected by the secret parameters $w_{ij}$ chosen by D, and it is computationally infeasible to solve for the $w_{ij}$ from the public check vector $V_i$ or the ticket $T_i$ under the cryptographic assumption of the DLP.

Security issue 2: Under the robustness of the one-way hash function, the cheating trick of pooling a fake subshare will be effectively identified.

Analysis: From Step (2-1) of the reconstruction phase, it is easy to see that a fake subshare is accepted as valid only if it passes the verification check, i.e., Equation 2, performed by the subsequent participant. Under the assumption of a robust one-way hash function, however, it is computationally infeasible for an adversary or a malicious participant to find an input corresponding to a specific output (i.e., the check value $v_{ij}$ in the check vector $V_i$) of the one-way hash function $h$.

4. CONCLUSIONS

We have addressed a new application for a generalized secret sharing scheme that realizes an ordered access structure, in which the participants of a qualified subset can reconstruct the shared secret only if they present their subshares in the seriate order specified by the dealer in advance. The security of the proposed scheme is based on the intractability of the discrete logarithm problem and the robustness of the one-way hash function. Besides, the proposed scheme provides a solution for identifying the cheating trick of presenting a fake subshare or violating the seriate order of subshare presentation during the secret reconstruction phase.

5. ACKNOWLEDGEMENT

Part of this work was supported by the National Science Council, Republic of China, under contract number NSC 89-2416-H011-014.

6. REFERENCES

[1] L.M. Adleman and K.S. McCurley, "Open problems in number-theoretic complexity, II", Proceedings of the First Algorithmic Number Theory Symposium (ANTS-I), Springer-Verlag, 1994, pp. 291-322.
[2] J. Benaloh and J. Leichter, "Generalized secret sharing and monotone functions", Advances in Cryptology - CRYPTO '88, Springer-Verlag, 1988, pp. 27-35.
[3] G.R. Blakley, "Safeguarding cryptographic keys", Proceedings of the AFIPS 1979 National Computer Conference, Vol. 48, 1979, pp. 313-317.
[4] E.F. Brickell and D.R. Stinson, "The detection of cheaters in threshold schemes", Advances in Cryptology - CRYPTO '88, Springer-Verlag, 1988, pp. 564-577.
[5] C. Cachin, "On-line secret sharing", Proceedings of Cryptography and Coding: 5th IMA (Institute of Mathematics and its Applications) Conference, Springer-Verlag, 1994, pp. 190-198.
[6] C.C. Chang and R.J. Hwang, "Efficient cheater identification method for threshold schemes", IEE Proceedings Computers and Digital Techniques, Vol. 144, No. 1, 1997, pp. 23-27.
[7] D.W. Davies and W.L. Price, Security for Computer Networks, Wiley, 1984.
[8] W. Diffie and M.E. Hellman, "New directions in cryptography", IEEE Transactions on Information Theory, Vol. IT-22, No. 6, 1976, pp. 644-654.
[9] M. Ito, A. Saito, and T. Nishizeki, "Secret sharing scheme realizing general access structure", Proceedings of the IEEE Global Telecommunications Conference (Globecom '87), IEEE, 1987, pp. 99-102.
[10] H.Y. Lin and L. Harn, "A generalized secret sharing scheme with cheater detection", Advances in Cryptology - ASIACRYPT '91, Springer-Verlag, 1991, pp. 22-26.
[11] R.C. Merkle, "One way hash functions and DES", Advances in Cryptology - CRYPTO '89, Springer-Verlag, 1989, pp. 428-446.
[12] R.G.E. Pinch, "Online multiple secret sharing", Electronics Letters, Vol. 32, No. 12, 1996, pp. 1087-1088.
[13] A. Shamir, "How to share a secret", Communications of the ACM, Vol. 22, No. 11, 1979, pp. 612-613.
[14] K.J. Tan, H.W. Zhu and S.J. Gu, "Cheating identification in (t, n) threshold scheme", Computer Communications, Vol. 22, No. 8, 1999, pp. 762-765.
[15] M. Tompa and H. Woll, "How to share a secret with cheaters", Journal of Cryptology, Vol. 1, No. 1, 1988, pp. 133-138.
[16] T.C. Wu and T.S. Wu, "Cheating detection and cheater identification in secret sharing schemes", IEE Proceedings Computers and Digital Techniques, Vol. 142, No. 5, 1995, pp. 367-369.