
Two-Level Threshold Secret Sharing Scheme and Monotone Functions


Academic year: 2021


Jen-Chun Chang∗ Hsin-Lung Wu∗ Wah-Song Yeap†

Abstract

The threshold secret sharing scheme (SSS) has been studied widely in the last few years. Traditional threshold SSSs such as Shamir's can only handle some simple monotone access structures, and some monotone access structures cannot be realized by a traditional (one-level) threshold SSS. However, those results assume that a traditional, one-level threshold SSS is applied to the monotone access structure. In this paper, we apply the two-level threshold SSS to monotone access structures. The main purpose of a two-level threshold secret sharing scheme is to divide a secret through two levels. The first level is concerned only with generating shares based on the number of user groups. The second level subdivides the secret share from the first level among the users inside each group. We consider the disjoint case, where each user is assigned to one group only. In this paper, we prove that some monotone access structures cannot be realized by a two-level threshold SSS.

1 Introduction

Computer networks and data communication systems play important roles in our lives. Various types of data are transferred or accessed through networks every day, so information security has become an important issue. The threshold SSS is a powerful tool for keeping data secret unless the number of cooperating shares reaches the threshold.

The concept of the Shamir $(t, n)$ threshold SSS was introduced by Adi Shamir [Sha79]. It uses a polynomial of degree $t - 1$ to generate the shares and distributes them among the users. The secret can only be reconstructed by a group of qualified users whose number is greater than or equal to $t$. In the past few years, many people have tried to apply the Shamir threshold SSS to digital signatures. The traditional digital signature is based on a public key cryptosystem that involves only one signer and one verifier. By applying the threshold concept, the digital signature is valid only when the number of qualified signers is at least $t$, where $t$ is the threshold. The paper [Har94] applied the Shamir threshold SSS to a modified ElGamal digital signature.

Another way of threshold secret sharing is based on the Chinese Remainder Theorem, where the shares are the remainders modulo a set of prime moduli. The Asmuth-Bloom SSS is an example of applying the Chinese Remainder Theorem to threshold secret sharing. The Chinese Remainder Theorem has been applied to SSS in the papers [KST06], [Ift06], [IG07]. Some papers tried to implement different access structures in threshold SSS. The weighted access structure in [IG07] assumes that a different weight is assigned to each user. The secret can only be reconstructed by a set of qualified users whose total weight is greater than or equal to the threshold. In the paper [Ift06], the compartmented access structure was studied, where the users are assigned to different groups and share the secret in two levels: the first level is the global level and the second is the compartment level. The secret is separated into a global share and a set of compartment shares. Each user has two shares, the global secret share and the compartment share. The secret can only be reconstructed when the number of qualified users is greater than or equal to the threshold of the global level and also of the compartment level. Here the secret sharing appears twice, and we can call it a two-level SSS applied to the compartmented access structure, which is a more complicated access structure.

∗ Department of Computer Science and Information Engineering, National Taipei University, Taipei County 237, Taiwan. E-mail: {jcchang, hsinlung@mail.ntpu.edu.tw}. This work was supported in part by the National Science Council of Taiwan under contract NSC-97-2218-E-305-001-MY2.

† Graduate Institute of Communication Engineering, National Taipei University, Taipei County 237, Taiwan. E-mail: song.raymond@gmail.com.

Josh Benaloh and Jerry Leichter [BL88] proposed a general method for constructing an SSS for any given secret sharing function. But they also proved, by giving a counterexample, that there exist monotone access structures for which there is no threshold scheme.

This paper makes a further study of the two-level threshold SSS for the monotone access structure. The concept of the two-level threshold secret sharing scheme is to divide a secret value $s$ among two levels. Let $m$ denote the total number of groups and $n$ denote the total number of users, where each user is assigned to one group only (disjoint case). In the first level, a $(t, m)$ threshold SSS is used to transform the secret $s$ into a set of shares $\{s_1, s_2, \ldots, s_m\}$ and distribute the shares among the $m$ groups. In the second level, each group $i$ performs a $(t_i, n_i)$ threshold SSS to subdivide the group secret $s_i$ into a set of shares $\{s_{i,1}, s_{i,2}, \ldots, s_{i,n_i}\}$ and distribute one share to each user inside the group.

2 Preliminaries

First, we need to define the access structure.

Definition 1. Given a set of users $P = \{u_1, u_2, \ldots, u_n\}$, a monotone access structure on $P$ is a family of subsets $\Gamma \subseteq 2^P$ such that

$$A \in \Gamma,\ A \subseteq A' \subseteq P \longrightarrow A' \in \Gamma$$

Definition 2. Let $S$ be a set of possible secret values. A $(t, n)$-threshold scheme on $S$ is a method of dividing each $s \in S$ into a set of shares $\{s_1, s_2, \ldots, s_n\}$ such that

i. The secret value $s$ can be reconstructed by any set of $s_i$ whose size is $t$ or more.

ii. The secret value $s$ is completely undetermined in an information theoretic sense for any set of $s_i$ whose size is less than $t$.

There are some useful $(t, n)$-threshold schemes available, such as Shamir SSS. Shamir SSS is a polynomial-based threshold scheme which generates shares using a polynomial of degree $t - 1$ and applies Lagrange interpolation to reconstruct the secret. Another kind of SSS generates shares through a set of prime moduli and recovers the secret by the Chinese Remainder Theorem.


group and try to divide the secret 𝑠 among the 𝑛 users. But it has some limitations while applied to the monotone access structure and it is proved to be insufficient by Benaloh.

Definition 3. Let $S$ be a set of possible secret values. A two-level threshold scheme is a method of dividing each $s \in S$ through two levels such that

i. In the first level, a $(t, m)$ threshold scheme is used to divide a secret value $s \in S$ into a set of shares $\{s_1, s_2, \ldots, s_m\}$, where $m$ denotes the number of groups of users.

ii. In the second level, each group $i$ applies a $(t_i, n_i)$ threshold scheme to subdivide the sub-secret value $s_i$, where $t_i$ is a threshold value for group $i$ and $n_i$ is the total number of users assigned to the group.
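Definition 3 instantiated with Shamir's scheme at both levels, as an added example that is not code from the paper. The field modulus, the function names and the convention that group $i$ uses x-coordinate $i + 1$ in the first level are assumptions of this sketch.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumption: the secret is smaller than P)

def split(secret, t, n):
    """Shamir (t, n): evaluate a random polynomial of degree t-1 at x = 1..n."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P)
            for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def two_level_split(secret, t, group_params):
    """group_params[i] = (t_i, n_i). Returns one list of user shares per group."""
    # First level: a (t, m) scheme produces one sub-secret s_i per group.
    group_secrets = split(secret, t, len(group_params))
    # Second level: group i subdivides s_i with its own (t_i, n_i) scheme.
    return [split(s_i, t_i, n_i)
            for (_, s_i), (t_i, n_i) in zip(group_secrets, group_params)]

def two_level_recover(t, group_params, present):
    """present maps a group index to the user shares that cooperate.
    Returns the secret, or None when fewer than t groups meet their threshold."""
    first_level = []
    for gi, user_shares in present.items():
        t_i = group_params[gi][0]
        if len(user_shares) >= t_i:
            # The group rebuilds s_i; its first-level x-coordinate is gi + 1.
            first_level.append((gi + 1, recover(user_shares[:t_i])))
    if len(first_level) < t:
        return None
    return recover(first_level[:t])
```
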

3 Monotone Functions which cannot be implemented by two-level threshold scheme

Let's consider the function

$$f(A, B, C, D, E) = (A \wedge B) \vee (B \wedge C) \vee (C \wedge D) \vee (D \wedge E) \vee (E \wedge A).$$

The function 𝑓 defines a monotone function on variables labeled by a set of users 𝑃 = {𝐴, 𝐵, 𝐶, 𝐷, 𝐸}. The access structure defined by 𝑓 is the set of subsets 𝑇 of 𝑃 for which 𝑓 is true precisely when the variables labeled by 𝑇 are set to true.

Theorem 1. The access structure 𝑓 cannot be realized by a two-level threshold secret sharing scheme.

Proof. Assume that there is a threshold SSS which can divide a secret value $s$ among $A$, $B$, $C$, $D$, and $E$ such that only those subsets of $\{A, B, C, D, E\}$ which satisfy the function $f$ can reconstruct the secret.

Let $w_a$, $w_b$, $w_c$, $w_d$, and $w_e$ denote the weight or number of shares for each of $A$, $B$, $C$, $D$, and $E$. There are $m$ groups, and each group has a threshold value $t_i$ and a group weight $w_{G_i}$. We try to apply a two-level threshold scheme by assigning the users to different groups. We now prove that for any assignment of the users to groups, the function $f$ cannot be realized by a two-level threshold SSS.

We divide the cases as follows:

Case 1: $\{\{A, B, C, D, E\}\}$ or $\{\{A\}, \{B\}, \{C\}, \{D\}, \{E\}\}$

The structures of $\{A, B, C, D, E\}$ and $\{\{A\}, \{B\}, \{C\}, \{D\}, \{E\}\}$ are the same. The subset $\{A, B, C, D, E\}$ is a special case of the two-level threshold scheme in which all members are assigned to one group. It is treated as a normal SSS which has only a threshold $t$.

From the function $f$ we know that $A$ and $B$ together can compute the secret, so it must be that $w_a + w_b \ge t$. Similarly, since $C$ and $D$ together can compute the secret, it is true that $w_c + w_d \ge t$.

Now assume without loss of generality that $w_a \ge w_b$ and $w_c \ge w_d$. Since $w_a + w_b \ge t$ and $w_a \ge w_b$, $w_a + w_a \ge w_a + w_b \ge t$, therefore $w_a \ge t/2$. Similarly, $w_c \ge t/2$, then $w_a + w_c \ge t$. But for the

For the subset $\{\{A\}, \{B\}, \{C\}, \{D\}, \{E\}\}$, each member is assigned to a group of its own in the lower level of the two-level threshold scheme. It is also treated as a one-level scheme, and the proof is the same as in the previous case, taking the weight of the user as the weight of the group. For example, $w_a = w_{G_1}$, $w_b = w_{G_2}$, etc.

Case 2: $\{\{A, B\}, \{C, D, E\}\}$ or $\{\{A, C\}, \{B, D, E\}\}$

In this case, we assign the users to two groups by randomly assigning any two users to one group and the other three users to another group. We consider two conditions: whether or not the two users assigned to the same group can together compute the secret.

First, we consider the subset $\{\{A, B\}, \{C, D, E\}\}$. Since $A$ and $E$ together can compute the secret, it is true that $w_a \ge t_1$ and $w_e \ge t_2$. In the first level, $A$ represents group one, which has the weight $w_{G_1}$, and $E$ represents group two, which has the weight $w_{G_2}$. Similarly, $B$ and $C$ together can also compute the secret, so $w_b \ge t_1$ and $w_c \ge t_2$. In the first level, $B$ also represents group one, which has the weight $w_{G_1}$, and $C$ represents group two, which has the weight $w_{G_2}$.

Of course we have $w_{G_1} + w_{G_2} \ge t$. Since $w_a \ge t_1 \ge w_{G_1}$ and $w_c \ge t_2 \ge w_{G_2}$, $A$ and $C$ together can compute the secret. But $f(10100) = 0$. It is a contradiction. The proof for the subset $\{\{A, C\}, \{B, D, E\}\}$ is similar.

Case 3: $\{\{A, B, C\}, \{D\}, \{E\}\}$ or $\{\{A, B, D\}, \{C\}, \{E\}\}$

In this case, we assign the users to three groups by randomly assigning any three users to one group and the other two users to two single groups. We consider the subset $\{A, B, C\}, \{D\}, \{E\}$. Since $B$ and $C$ together can compute the secret, it is true that $w_{G_1} \ge t$. But $C$ and $D$ together can also compute the secret, so it is true that $w_c \ge t_1$ and $w_d \ge t_2$. In the first level, $C$ can represent group one, which has the weight $w_{G_1}$, and $D$ can represent group two, which has the weight $w_{G_2}$. Since $C$ can represent group one and $w_{G_1} \ge t$, this shows that $C$ alone can compute the secret. But $f(00100) = 0$. It is a contradiction.

The proof for the subset $\{\{A, B, D\}, \{C\}, \{E\}\}$ is similar.

Case 4: $\{\{A, B\}, \{C\}, \{D\}, \{E\}\}$ or $\{\{A, C\}, \{B\}, \{D\}, \{E\}\}$

In this case, we assign the users to four groups by randomly assigning any two users to one group and the other three users as single groups. We consider the subset $\{\{A, B\}, \{C\}, \{D\}, \{E\}\}$. We know that $A$ and $B$ together can compute the secret, so it is true that $w_{G_1} \ge t$. But $A$ together with $E$ can compute the secret as well. So $w_a \ge t_1$ and $w_e \ge t_2$. In the first level, $A$ can represent group one, which has the weight $w_{G_1}$, and $E$ can represent group four, which has the weight $w_{G_4}$. Since $A$ can represent group one and $w_{G_1} \ge t$, this shows that $A$ alone can compute the secret. But $f(10000) = 0$. Again, it is a contradiction.

As another case, we consider the subset $\{\{A, C\}, \{B\}, \{D\}, \{E\}\}$. We know that $A$ and $B$ together can compute the secret, so it is true that $w_a \ge t_1$ and $w_b \ge t_2$. We also know that $C$ and $D$ together can compute the secret, so it is true that $w_c \ge t_1$ and $w_d \ge t_3$. In the first level, $A$ and $C$ can represent group one, which has the weight $w_{G_1}$, while $B$ can represent group two, which has the weight $w_{G_2}$, and $D$ can represent group three, which has the weight $w_{G_3}$.

Again, we now have $w_{G_1} + w_{G_3} \ge t$. This shows that $A$ together with $D$ can compute the secret. But $f(10010) = 0$. It is a contradiction.


In this case, we assign the users to three groups by randomly assigning one user to a group and the other four users to two different groups. We consider the subset $\{\{A, C\}, \{B, D\}, \{E\}\}$. We know that $A$ and $B$ together can compute the secret, so it is true that $w_a \ge t_1$ and $w_b \ge t_2$. We also know that $C$ and $D$ together can compute the secret, so $w_c \ge t_1$ and $w_d \ge t_2$. In the first level, $A$ and $C$ can represent group one, which has weight $w_{G_1}$, while $B$ and $D$ can represent group two, which has weight $w_{G_2}$.

Now we assume $w_{G_1} + w_{G_2} \ge t$. This shows that $A$ and $C$ together can compute the secret. But $f(10100) = 0$. So it is a contradiction.

For the subset $\{\{A, B\}, \{C, D\}, \{E\}\}$, we know that $A$ and $B$ together can compute the secret, so it is true that $w_{G_1} \ge t$. But $A$ together with $E$ can compute the secret as well. So it is also true that $w_a \ge t_1$ and $w_e \ge t_3$. In the first level, $A$ alone can represent group one, which has the weight $w_{G_1}$, and $E$ can represent group three, which has the weight $w_{G_3}$. Since $A$ can represent group one and $w_{G_1} \ge t$, this shows that $A$ alone can compute the secret. But $f(10000) = 0$. It is a contradiction too.

The proof for the subset $\{\{A, B\}, \{C, E\}, \{D\}\}$ is similar to that for the subset $\{\{A, B\}, \{C, D\}, \{E\}\}$.

Case 6: $\{\{A, B, C, D\}, \{E\}\}$

In this case, we assign the users to two groups by randomly assigning one user to a group and the other four users to another group. We consider the subset $\{A, B, C, D\}, \{E\}$. From the function $f$ we know that $A$ together with $B$ can compute the secret. It is true that $w_{G_1} \ge t$. We also know that $A$ and $E$ together can compute the secret as well. So $w_a \ge t_1 \ge w_{G_1}$ and $w_e \ge t_2 \ge w_{G_2}$.

Since $w_a \ge t_1 \ge w_{G_1}$ and $w_{G_1} \ge t$, this shows that $A$ alone can compute the secret. But $f(10000) = 0$. Again, it is a contradiction.
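An exhaustive check of Theorem 1 for the special case in which every user holds exactly one share (unit weights), added here as an illustration and not taken from the paper; the function names are this example's own. It enumerates every partition of the five users into disjoint groups, with every choice of the thresholds $t$ and $t_i$, and compares the resulting access structure with $f$.

```python
from itertools import combinations, product

USERS = "ABCDE"
# Minimal qualified sets of f: the adjacent pairs on the cycle A-B-C-D-E-A.
EDGES = [set(e) for e in ("AB", "BC", "CD", "DE", "EA")]

def f(subset):
    """Access structure of f: qualified iff the subset contains an adjacent pair."""
    return any(e <= subset for e in EDGES)

def partitions(items):
    """Yield every partition of items into disjoint non-empty groups."""
    if not items:
        yield []
        return
    head, rest = items[0], items[1:]
    for p in partitions(rest):
        for i in range(len(p)):
            yield p[:i] + [p[i] | {head}] + p[i + 1:]
        yield p + [{head}]

def qualified(subset, groups, t, ts):
    """Two-level rule with unit weights (assumption): the secret is recovered
    iff at least t groups have at least t_i of their members present."""
    satisfied = sum(1 for g, t_i in zip(groups, ts) if len(g & subset) >= t_i)
    return satisfied >= t

def realizations_of(target):
    """Return every (groups, t, thresholds) whose access structure equals target."""
    subsets = [set(c) for r in range(len(USERS) + 1)
               for c in combinations(USERS, r)]
    found = []
    for groups in partitions(list(USERS)):
        for t in range(1, len(groups) + 1):
            # Each group threshold t_i ranges over 1..n_i.
            for ts in product(*(range(1, len(g) + 1) for g in groups)):
                if all(qualified(s, groups, t, ts) == target(s) for s in subsets):
                    found.append((groups, t, ts))
    return found

if __name__ == "__main__":
    print("realizations of f:", len(realizations_of(f)))
    print("realizations of plain (2,5) threshold:",
          len(realizations_of(lambda s: len(s) >= 2)))
```

The search finds no assignment for $f$, while an ordinary $(2, 5)$ threshold structure is found under the same search, which shows the enumeration itself is not vacuous.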

4 Conclusion

From [BL88], we know that there exist monotone access structures for which there is no threshold scheme. They give an example by applying the traditional (one-level) threshold SSS to a group of users, and it is proved to be insufficient. In this paper, we apply the two-level threshold SSS to the monotone access structure, and we consider the disjoint case in which each user is assigned to one group only. With a function $f$ defined as a monotone function on variables labeled by a set of users $P = \{A, B, C, D, E\}$, we give a proof that the access structure $f$ cannot be realized by a two-level threshold SSS.

References

[BL88] Josh Benaloh and Jerry Leichter. “Generalized Secret Sharing and Monotone Functions”. In Crypto ’88.

[IST87] Mitsuru Ito, Akira Saito, and Takao Nishizeki. “Secret Sharing Scheme Realizing General Access Structure”. In Proc. Glob. Com, (1987).

[AB83] C. A. Asmuth and J. Bloom. “A modular approach to key safeguarding”. IEEE Transactions on Information Theory, IT-29(2):208–210, 1983.

[Sho00] V. Shoup. “Practical threshold signatures”. In B. Preneel, editor, Advances in Cryptology - EUROCRYPT 2000, volume 1807 of Lecture Notes in Computer Science, pages 207–220. Springer-Verlag, 2000.

[IG07] S. Iftene and M. Grindei. “Weighted threshold RSA based on the Chinese Remainder Theorem”. In Proceedings of the 9th International Symposium on Symbolic and Numeric Algorithms for Scientific Computing, SYNASC 2007, pages 175–181. IEEE Computer Society Press, 2007.

[Ift06] S. Iftene. “General secret sharing based on the Chinese Remainder Theorem with applications in E-voting”. In C. Dima, M. Minea, and F. L. Ţiplea, editors, ICS 2006, International Workshop on Information and Computer Security, Timisoara, Romania, September, 2006.

[KST06] K. Kaya, A. A. Selçuk, and Z. Tezcan. “Threshold cryptography based on Asmuth-Bloom secret sharing”. In A. Levi, E. Savas, H. Yenigün, S. Balcisoy, and Y. Saygin, editors, Proceedings of Computer and Information Sciences - ISCIS 2006, volume 4263 of Lecture Notes in Computer Science, pages 935–942. Springer-Verlag, 2006.

[Har94] L. Harn. “Group-oriented $(t, n)$ threshold digital signature scheme and digital multisignature”. IEE Proc.-Comput. Digit. Tech., 141(5):307–313, 1994.

[ELG85] T. ElGamal. “A public key cryptosystem and signature scheme based on discrete logarithms”. IEEE Trans. Inform. Theory, 31:469–472, 1985.

[Rab98] T. Rabin. “A simplified approach to threshold and proactive RSA”. In Advances in Cryptology - Crypto ’98, 1998.

[RSA78] R. L. Rivest, A. Shamir, and L. M. Adleman. “A method for obtaining digital signatures and public-key cryptosystems”. Communications of the ACM, pages 120–126, 1978.

[Sha79] A. Shamir. “How to Share a Secret”. In ACM 22, 11 (Nov. 1979), 612–613.
