Strategies of Proactive (k, n) Threshold Secret Sharing and Applications in a Secure Message Exchange System

in a Secure Message Exchange System

Shiuh-Jeng Wang1,* Yuh-Ren Tsai2 Pin-You Chen2

1 _{Department of Information Management}

Central Police University TaoYuan 33304, Taiwan

2

Institute of Communications Engineering National Tsing Hua University

Hsinchu 30013, Taiwan sjwang@mail.cpu.edu.tw

Received 8 November 2007; Revised 18 December 2007; Accepted 12 January 2008

Abstract. A secret sharing scheme protects the secret by distributing it to a group of participants (nodes), and it allows for some groups of participants to collaborate together to reconstruct this secret. With regard to the (k, n) threshold scheme, k out of n or more participants can reconstruct the secret. The proactive secret sharing scheme periodically updates the distributed secret (shadow). Based on such a proactive secret sharing scheme, we propose a completely mobile proactive secret sharing scheme, which not only allows for the changing of participant number n, but also arbitrarily changes the threshold k. Furthermore, we apply our technical idea to a specified project exploitation in the real commerce transaction systems to fulfill a trust-based delivery.

Keywords: Threshold secret sharing, proactive secret sharing, sharing polynomial, decision-making, distributed certificate authority

1 Introduction

A secret sharing scheme protects a secret by distributing it to a group of participants (called nodes), and are held in by the nodes so the authorized group can collaborate together to reconstruct the secret. In the (k, n)-threshold scheme, we generate n shares (called shadows) and distribute them to n different nodes, at which point k or more nodes can reconstruct the secret. Thereby an intruder would need to compromise more than k-1 nodes to figure out the secret. The first (k, n)-threshold scheme was proposed by Shamir [1] and Blakley [2], and in order to prevent an inconsistent shadow from destroying the system, Feldman [3] and Pederson [4] expanded on this idea by also implementing a verifiable secret sharing (VSS) system based on Shamir’s scheme. In the VSS scheme, nodes can verify any shadow that they have received.

For an important or long-term secret, the original (k, n)-threshold scheme may be insufficient. Herzberg et al. [5] proposed a proactive secret sharing scheme (PSS) based on Shamir’s scheme. In the PSS scheme, the nodes update the shadows periodically, and the shadows from the previous periods are invalid for the current period and any subsequent period. Any intruder would need to compromise more than k-1 nodes in a single period to obtain the secret.

Herzberg et al.’s PSS scheme provides a recovery protocol, which k out of n nodes can collaborate on to help the node that loses its shadow by reconstructing it. This recovery protocol is a good method for generating new shadows for new, joining nodes. By including this protocol, we can allow the membership of the group of nodes to change.

Based on Herzberg et al.’s scheme, we propose an extended (k, n)-threshold scheme, which can not only change the membership of the group of nodes n, but the threshold k. For this adaptive scheme, we can change the threshold according to the amount of nodes to achieve complete mobility. The method of changing the threshold is also proposed in the Schultz’s scheme [6]. Schultz’s scheme reduces the threshold by using “virtual nodes” that hold shadows publicly, and increases the threshold by increasing the degree of the sharing polynomial. This method however has some limits, which will be discussed in Section 4.

The paper is organized as follows: In Section 2, we describe some methods that were used in our scheme. Our proposed protocols are introduced in Section 3. Some discussions are shown in Section 4. The applied scene with our scheme is given in Section 5. Finally, the conclusion is given in Section 6.

*

2 Preliminaries

In this section, we briefly describe the methods, such as Shamir’s secret sharing scheme [1], Feldman’s verifiable secret sharing scheme [3], and Herzberg et al.’s proactive secret sharing scheme [5], related to our work to guide us in the deployment of our contribution presentations.

2.1 Shamir’s Secret Sharing Scheme

Shamir’s secret sharing scheme is a (k, n)-threshold scheme. In the initial state, a dealer chooses a large prime number q, and makes q public. The following calculation is performed on Zq: A secret, s

∈

Zq exists, so the dealer randomly generates a (k-1)th degree polynomial, in Zq:

( )

2 1

(

)

1 2 k 1 k mod

f x ≡ +s f x+ f x L+ f ₋x − q ,

where f

( )

0 =s is the secret. The dealer distributes the shadow, x_i ≡ f i

( )

(

mod q

)

to node Pi, where i is the ID number for Pi. Finally, in the secret reconstruction phase, k or more nodes can obtain the sharing polynomial f by using Lagrange interpolation, and learn the secret s by the output of f(0).

2.2 Feldman’s Verifiable Secret Sharing Scheme

In order to prevent inconsistent shadows fruiom destroying the system, Feldman proposes a scheme based on Shamir’s secret sharing scheme in which the node can verify the shadow it has received. Feldman’s scheme chooses two prime numbers p and q such that q = mp + 1, where m is an integer. It lets g be an element of Zq of order p. For a piece of information, x, it lets y≡ gx (mod q) become public, but it remains difficult for outsiders to compute x from y directly, because of it’s logarithmic complexity: The dealer allows the valuesg , s _gf1_{, …,}

1 k

f

g − _{, to be made public, (where s is the secret, and f}

1, …, fk-1 are the coefficients for sharing polynomial). When the node Pi receives the shadow from the dealer, it can verify the shadow by checking the equation:

( )

( ) ( )

1 2 2

( )

1 1

(

)

? mod k i k i i i x s f f f g g g g g q − − ≡ L . (1)

The sign, “?”, above the equal sign means that if the equal hold. If the equation holds, the shadow it has received is correct.

2.3 Herzberg et al.’s Proactive Secret Sharing Scheme

For a long-term or otherwise important secret, the original secret sharing schemes may be insufficient. Herzberg et al. propose a proactive concept based on Shamir’s secret sharing scheme. In Herzberg et al.’s scheme, all time is divided into shadow saving periods and shadow update phases. A shadow saving period is the time during which nodes hold their shadows, and a shadow update phase is the time during which all nodes engage in some interaction to update their shadows. This scheme needs to work under the constraints of a synchronous network. When the system triggers the update phase, all nodes need to execute the update phase simultaneously. All nodes finish their update phase and go into a new shadow saving period, at which point they discard their old shadows from the previous period. The old shadows from the previous period are invalid for the current period, and if an intruder does not destroy more than (n-k) nodes or discover more than (k-1) shadows from a single period, the system will be safe.

Before going through our scheme, we will briefly describe the protocols in Herzberg et al.’s scheme for a (k, n) threshold scheme. In the following, we use superscript (t) to denote the shadows and sharing polynomials computed during period t. It assumes that there is a pair of keys for each pair of nodes, and any two nodes send messages under their pairwise key.

2.3.1 The Initial Protocol

a. Shamir’s secret sharing scheme is used to share the secret. For a secret s, the dealer randomly generates a (k-1)th degree sharing polynomial,

( )

0

_{( )}

2 1

₍

₎

1 2 1 mod

t k

k

publicizes the coefficients of the sharing polynomial gs

(

mod q and

)

_gfh

(

_{mod q , where h = 1, 2, …,}

)

k-1, and distributes the shadow ( )t0

i

x ≡ _f

( )

t0

( )

_i

(

_{mod q to node P}

)

i.

b. When the node Pi receives the shadow, it can verify the shadow by checking (1). If the equation holds, the shadow it has received is deemed correct.

c. The dealer then discards the sharing polynomial _f

( )

t0

( )

_{x and secret s.}

2.3.2 The Shadow Update Protocol

a. During the update phase, of time t, there exists an honest nodes set, A; their ID numbers form a set, A’. Each honest node Pi

∈

A randomly generates a (k-1)th degree polynomial

( )

_{( )}

( )

( )

2

( )

1

₍

₎

,1 ,2 , 1 mod

t t t t k

i x i x i x i k x q

δ ≡δ +δ +L+δ ₋ − ,

where δ_i

( )

t

( )

0 ≡0

(

mod q

)

, and publicizes ( )

, t i h

gδ

(

mod q

)

, where h = 1, 2, …, k-1, which ( )0

, t i h

δ are the coefficients of polynomial δ_i

( )

t . Pi computes

( )

( )

( )

t t

ij i

u ≡δ j

(

mod q and sends it to node P

)

j

∈

A, where j is the ID number for node Pj.

b. As each honest node Pi

∈

A receives the message

( )

t ji

u from each honest node Pj

∈

A, Pi verifies the message using the equation

( ) ( ) ( ) ( )

(

)

2 1 ,1 ,2 , 1 ? mod k t t t t ji j j j k i i i u g gδ gδ gδ q − −       ≡_  _{ } _ L_ _ .

If the equation holds true, Pi updates the shadow by adding the received messages to the previous shadow. The new shadow is therefore

( )

( )

1

( )

₍

₎

' mod t t t i i _{j A} ji x x − u q ∈ ≡ +

∑

.

c. During every period, the new shadows add a random number, and each node discards their previous shadows. An intruder does not have the chance to discover more previous shadows during current period and furthermore, the previous shadows are invalid in current period.

2.3.3 The Shadow Recovery Protocol

If the node Pr loses the shadow, k or more honest nodes can help Pr with the recovery of its shadow, where k is the threshold.

a. The node Pi

∈

A randomly generates a (k-1)th de gree polynomial,

( )

( )

( )

_,0

( )

_,1

( )

_{, 1} 1

t t t t k

i x i i x i k x

α ≡α +α + +L α ₋ −

(mod q), where α_i

( )

t

( )

r ≡0

(

mod q , and publicizes

)

( ) , t i h gα

(

mod q , h = 0, 1,…, k-1. P

)

i computes

( )

t ij w

( )

t

_{( )}

i j α

≡

(

mod q and sends

)

w_ij( )t to node Pj

∈

A, where j is the id number for Pj. b. As node Pi

∈

A receives the message,

( )

t ji

w , from each node Pj

∈

A, Pi verifies the message by way of

( ) ( ) ( ) ( )

(

)

1 ,0 ,1 , 1 ? mod k t t t t ji j j j k i i w g gα gα gα q − −      ≡_ _ _ L_ _ and ( ) ( ) ( )

(

)

1 ,0 ,1 , 1 ? 1 mod k t t t i i i k r r gα gα gα q − −      _≡         L  .

If the equations hold, Pi computes the virtual shadow by adding the received messages to the shadow, where

the virtual shadow is

( )

( )

( )

(

)

' '_it _it _jit mod j A x x w q ∈ ≡ +

∑

, and sends it to Pr.

c. Until node Pr receives k or more virtual shadows, Pr verifies the virtual shadow '

( )

t i

( )

_{( )}

( ) ( ) ( )

(

)

1 ,0 ,1 , 1 ? ' ' mod k t t t t j j j k i i i t x i _{j A} g y gα gα gα q − − ∈  _{    }   _{ } ≡_ _ _ _ _ _ _{ } 

∏

 L where

( )

( ) mod

(

)

t i t x i

y ≡g q . If all virtual shadows are correct, Pr uses Lagrange interpolation to compute the virtual polynomial

( )

_{( )}

( )

_{( )}

( )

_{( ) (}

₎

' 't t _it mod i A f x f x α x q ∈ ≡ +

∑

,

and the recovered shadow is therefore

( )

( )

( )

( )

( )

( )

( )

( )

( )(

)

' ' t mod t t t t r _{i A} i x f r f r α r f r q ∈ ≡ ≡ +

∑

≡ .

2.3.4 Reconstructing the secret

If the nodes want to reconstruct the secret, k or more nodes can reconstruct the polynomial

( )

_{all time periods '}( )t

( )

( )

mod

(

)

t i t i A f x δ x q ∈ ∈ +

∑

∑

by using Lagrange interpolation, where A'

( )

t is the honest nodes’ ID set at time period, t. Finally, the secret is yielded by calculating

( )

0 _{all time periods '}( )t

( )

( )

0

( )(

0 mod

)

t i t i A s f δ f q ∈ ∈ ≡ +

∑

∑

≡ .

3 Our Scheme

If a node was compromised, it may be insufficient to recover the shadow to it, because the intruder may stay in the node in order to discover its shadow. Replacing it with a new node is better. The recovery protocol is a good method by which to redistribute a new shadow to a new, joining node. At this time we have already developed a mobile membership of nodes. Our scheme can maintain the safety of the (k, n) threshold scheme by properly changing the threshold k according to the amount of nodes. When the nodes become fewer in number, we need to decrease the threshold and let the scheme satisfy with the condition 2k-1≤n.

Our scheme stores the random value, which is generated at each node during each update phase, by distributing some information to all nodes. Until we want to change the threshold, each node collects the distributed information, and computes accumulated random values. Before exchanging information, each node subtracts this value. Finally, the new shadows are generated from the new degree polynomial. Our scheme changes the threshold by changing the degree of the sharing polynomial directly, and the needed memories and computation amount adapt to the threshold.

In the following, we use superscript (t) to denote the shadows and sharing polynomials computed during period t. We assume that there is a pair of keys for each pair of nodes, and that any two nodes will send messages under their associated pairwise key. All time is divided in to shadow saving periods and shadow update phases, therefore the scheme needs to work under the confines of a synchronous network. Our scheme must maintain that k, the threshold number of nodes are safe and do not leave. When there are only k safe nodes, the system triggers the shadow update protocol or the threshold change protocol. Our proposal for such a protocol for a (k, n) threshold scheme is as follows.

3.1. The Initial Protocol

a. There are n nodes that form a set A, and they plan to share a secret s. We select k honest nodes from n nodes to form a set B. For a selected node Pi, where its ID number is i, we let Nu(l) = i and Nu(1)≤ Nu(2)≤ L ≤ Nu(k), and those Nu(l) form an ordered set B’.

b. Each node Pi

∈

B randomly generates a (k-1)th degree polynomial ( )0

t l

δ , where ( )t0

( )

_{0 0}

l

δ

≡ (mod q) and Pi’s ID number is i = Nu(l), and simultaneously sends it to the dealer. Pi publicizes

( )0 , t l h

gδ (mod q), h = 1, 2,…, k-1. Finally Pi selects n random numbers mla∈Zq, where a = 1, 2,…, n, computes ( )0

t la v ≡ ( )t0

( )

l mla δ ≡ ( )t0

( )

l mla γ

(

mod q

)

, and sends a triple number

(

( )0

)

, la, lat

c. When the dealer receives all polynomials from each node in B, the sharing polynomial is computed as: ( ) ( ) ( )

(

)

0 0 ' mod t t l g l B f ≡ +s

∑

_∈ δ q .

Then the dealer distributes shadows to each node Pa

∈

A, and publicizes gs (mod q).

d. When node Pa

∈

A receives the shadow and triple message, it can verify the shadow by equation ( )

( )

( )

( )

( )

( )

( )

(

)

1 0 0 0 ,1 , 1 ? ' mod k t t t l l k a a a x s g l B g g gδ gδ q − − ∈ ≡

∏

L ,

and the value ( )t0

la

v which is in triple message by

( ) ( )

( )

( )

( )

( )

( )

(

)

2 1 0 0 0 0 ,1 ,2 , 1 ? mod k t la t la t la t l l l k la m m m v g gδ gδ gδ q − − ≡ L . (2)

If the equation (2) holds, Pa saves

(

, ( )0

)

t la la m v to ( )0 , t a l C , and ( )t0 a C is an 1×k vector. e. Dealer discards the sharing polynomial ( )t0

f and secret s, and the nodes discard ( )t0

l

δ and ( )t0

l

γ . 3.2. Shadow Update Protocol

a. During update phase, of time t1, we select k honest nodes from n nodes to form sets B and B’ as former ones. One method of discriminating between safe and wrong nodes is proposed in [5].

b. Each node Pi

∈

B sends (1 )

1 , t i o

C − to each node Pj

∈

B, where Pj’s ID number j = Nu(o). As node Pi, with ID number i = Nu(l), receives (1 1)

, t j l

C − from each node Pj

∈

B, Pi verifies the messages by (2) and uses Lagrange interpolation to compute (t1 1)

l

γ −

. Then node Pi randomly generates a (k-1)th degree polynomial, ( )1

t l δ , where ( )1

_{( )}

0 0 t l

δ

≡

(

mod q

)

, lets ( )t1 (t11) l l γ _≡γ − ₊ ( )1

₍

₎

mod t l q δ , and publicizes ( ),1

(

)

mod t l h gδ q and ( ),1 t l h gγ (mod q), where h = 1, 2,…, k-1. Node Pi selects n random numbers mla

∈

Zq, a = 1, 2,…, n, and computes ( )1 ( )1

( )(

mod

)

t t la l u =δ a q and ( )t1 la v ( )t1

( )

l mla γ

≡ (mod q). Finally Pi sends a fourfold number

(

( )1, , , ( )1

)

t t

la la la

u l m v to node Pa

∈

A.

c. When node Pa

∈

A receives the message from each node Pi

∈

B, where Pi’s ID number is i = Nu(l), Pa verifies the message ( )t1

la u by ( ) ( )

( )

( )

( )

( )

( )

(

)

2 1 1 1 1 1 ,1 ,2 ,1 ? mod k t t t t l l l k la a a a u g gδ gδ gδ q − − ≡ L (3)

and verifies the message ( )t1

la

v by way of (2). If the equations hold, Pa updates the shadow as

( ) ( ) ( ) ( )

(

)

1 1 1 1 ' mod t t t a a _{g l B} la x ≡x − +

∑

_∈ u q ,

discards the previous shadow, and updates Ca. d. Node Pi

∈

B discards ( )1 t l δ and ( )t1 l γ . 3.3. The Threshold Change Protocol

As we consider changing the threshold from k to m, the two cases of m < k (see Fig. 1) and m > k will be discussed (see Fig. 2).

3.3.1. Case 1: When m < k

a. During threshold change protocol, of time t2, we select k honest nodes from n nodes to form sets B and B’ as former ones. In addition we let Nu(1)≤ L ≤Nu(m) form a set B’1 and let the corresponding nodes form a set B1. Finally, we let Nu(m+1)≤ L ≤Nu(k) form a set B’2 and we also let the corresponding nodes form a set B2.

b. Each node Pi

∈

B, whose ID number is i = Nu(l), sends

(t2 1) i

C − _{to each other and computes} (t2 1)

l

γ −

. c. Node Pi

∈

B1 randomly generates a (m-1)th degree polynomial

( )t2 l δ _{, where} ( )2

( ) (

)

0 0 mod t l q

δ

≡ and Pi’s ID number is i = Nu(l), lets

( )t2 ( )t2

l l

γ =δ

, and publicizes some information. Node Pi selects n random numbers as former, computes ( )t2 la u ≡ ( )t2

( )

l a δ − (t2 1)

( )

l a γ − (mod q) and ( )t2 ( )t2

_{( )}

la la la v ≡γ m

, and sends a fourfold number to node Pa

∈

A.

d. Node Pj

∈

B2, whose its ID number is j = Nu(o), sends

( )t2 (t2 1)

_{( )}

oa o

u ≡ −γ − a

(mod q) to node Pa

∈

A.

e. As node Pa

∈

A receives the message from each node Pi

∈

B1 and each node Pj

∈

B2, where Pi’s ID number is i = Nu(l) and Pj’s ID number is j = Nu(o), Pa verifies the message

( )t2 la u by equation ( ) ( )

( )

( )

( )

( )

( )

( )

( )

(

)

1 1 1 1 2 2 2 2 2 ,1 , 1 ,1 , 1 ? mod m k t t t t t l l m l l k la a a a a u g gδ gδ gγ gγ q − − − − − −     ≡      L   L  (4)

and verify the message ( )t2

oa u by way of equation ( ) ( )

( )

( )

( )

(

)

1 1 1 2 2 2 ,1 , 1 ? 1 mod k t t t o o k oa a a u g gγ gγ q − − − −   ≡ _{ }  L  .

Finally Pa updates the shadow and discards the previous ones. The new shadow is therefore,

( ) ( ) ( ) ( ) ( ) ( )

(

)

2 2 2 2 1 2 1 ' ' mod t t t t a a _{g l B} la _{g o B} oa x ≡x − +

∑

_∈ u +

∑

_∈ u q .

Moreover, Pa verify the information of ( )2

t

γ by (2) and updates table Ca. f. The node Pi

∈

B1 discards ( )2

t l δ and ( )t2 l γ . 3.3.2. Case 2: When m > k

Case 2 is similar to Case 1, and the different parts are shown in following: In part a, we select m honest nodes from n nodes to form a set B and B’, and let Nu(1)≤ L ≤Nu(k) to form sets B’1 and B1; let Nu(k+1)≤ L ≤Nu(m) to form sets B’2 and B2. In part d, node Pj randomly generates a (m-1)th degree polynomial ( )2

t o δ , and lets Node Pi Node Pj ( ) ( )

(

t2_{, , ,} t2

)

lj lj lj u l m v ( )t2 oi u (21) , t i o C − (21) , t j l C − Node Pa ( ) ( )

(

t2_{, , ,} t2

)

la la la u l m v

Fig. 1. The threshold change protocol (case 1): Pi and Pj

are two honest nodes selected from n nodes to update the shadow, where Pi’s ID number i =

Nu(l) and Pj’s ID number j = Nu(o). Pi is in set

B1 and Pj is in set B2. Pa is the node which is not

selected in set A. ( )t2 oa u Node Pi Node Pj ( ) ( )

(

t2_{, , ,} t2

)

li li lj u l m v Computes (t2 1) l γ − , generates ( )t2 l δ . Generates ( )t2 o δ . Node Pa ( ) ( )

(

t2_{, , ,} t2

)

la la la u l m v

Fig. 2. The threshold change protocol (case 2): Pi and Pj

are two honest nodes selected from n nodes to update the shadow, where Pi’s ID number i =

Nu(l) and Pj’s ID number j = Nu(o). Pi is in set

B1 and Pj is in set B2. Pa is the node which is not

selected in set A. ( ) ( )

(

t2_{, , ,} t2

)

oa oa oa u o m v ( ) ( )

(

t2_{, , ,} t2

)

oi oi oi u o m v

( )t2 ( )t2 o o γ =δ . Node Pj sends ( )2 t oa u ≡ ( )t2

( )

o a

δ (mod q) and the information of ( )t2

o

γ to Pa

∈

A. In step e, node Pa verifies the message ( )t2

la

u by using (4) and verifies the message ( )t2

oa

u by (3). Other differences are shown in Fig. 2.

3.4. Reconstruct the Secret

When the nodes want to reconstruct the secret, m or more nodes can reconstruct the sharing polynomial

( )

( ) ( )

(

)

new threshold 't mod

t l

t g l B

f +

∑

_∈

∑

_∈ δ q ,

where B’(t) is the selected node’s ID set during time period, t. The secret is therefore,

( )

( ) ( ) ( )

( )

(

)

new threshold ' 0 t 0 0 mod t l t g l B s f δ s q ∈ ∈ ≡ +

∑

∑

≡ + .

4 Discussion

At this point we now discuss the security of our scheme. During every translating period, the previous shadow is changed by adding a random number which is generated from k selected nodes, the same as table C, and therefore, an intruder would not be able to figure out the shadows of the current time from previous shadows and vice versa. The nodes discard the previous shadows after they finish updating protocol. Besides, an intruder can not figure out the polynomials γ, if he does not compromise more then k-1 table C. Under the aforementioned constraints, if the intruder does not receive more than k-1 shadows during one time period, the system is therefore secure.

Now, we consider the node number in each time period. In each time period, there are some new nodes joining the group, some that are corrupted and some that leave the group. Our scheme must maintain k, the threshold number, the number of nodes not changed in each period. When there are only k safe nodes, we trigger the shadow update protocol or the threshold change protocol.

Our scheme has some advantages. Firstly, it is an adaptive scheme in that we can change the threshold according to the amount of nodes. Secondly, we do not need a trusted third party to complete the shadow update protocol and the threshold change protocol. Those protocols are finished by k nodes collectively. Finally, our scheme is more resilient as compared to Schultz’s scheme [6]. Our scheme changes the threshold by directly changing the degree of the sharing polynomial, and the needed memories and computation amount adapt to the threshold. However, our scheme needs some rules to select k out of n honest nodes and extra memories in order to achieve a dynamic threshold.

Schultz’s method has some limits: The node number can not be less than the two times the degree of the sharing polynomial. After increasing the degree of the sharing to achieve a higher threshold, more “virtual nodes” were used to decrease the threshold.

As Table 1, we therefore compare our current scheme with the original Herzberg et al.’s proactive secret sharing scheme [5] and Schultz’s scheme [6] to see how it measures up. Moreover as the threshold increases from k to m (m>k) and then decreases from m to k, the number of nodes to hold the shadow and the number of the interactive message sent during one period are also shown in Table 1.

Table 1. Comparisons in complexity

The number of the interactive message sent during one period.

Before changing the threshold. After changing the threshold. The essential number of nodes to hold shadows after changing the threshold. Our scheme k2+kn k2+kn 2k Herzberg et al.’s scheme n 2 -- -- Schultz et al. scheme 2k 2 +(n-k)k 2k 2 +(n-k)k+ (m-k)m m+k (include m- k virtual nodes)

5 Applications

Recently, the distributed systems are widely used, such as ad-hoc networks and sensor networks. How to achieve the secure message exchanges in a realistic case is an interesting issue among the network security applications. Conventionally, Public Key Infrastructure (PKI) is used in the distributed systems, where a Certificate Authority (CA) which holds many public and private keys provides certificates enables a trusted message exchange in network systems. Nevertheless, the single CA is not capable of being considered in the ad-hoc systems due to the feature of non-centralized node propagations. Therefore, Dong et al. [7] and Kong et al. [8] proposed a distributed certificate authority service scheme, instead of the single CA service in ad-hoc systems. The schemes distribute the authority of CA to n nodes based on (k, n) secret sharing scheme. In other words, the role of CA is made of a number of nodes to work in the systems whenever the threshold k does encompass. The implemented work is briefly reviewed as follows right prior to the application as our proposal.

Kong et al.’s scheme

In Kong et al.’s scheme [8], there is a key-pair of public key PK and private key SK, where the certification is signed by SK and verified by PK in use. Firstly, a dealer distributes SK to n nodes by using Shamir’s scheme [1]. The shared information, xi, called shadow, is held by a node Pi. When one node wants to request a certification, it sends requests to all neighbor nodes of k-1 asking the partial certifications back, where the partial certifications are signed by shadows associated with the nodes. The genuine certification is therefore generated whenever more than k-1 partial information is collected by the request node. The details are shown as follows:

a. The dealer randomly generates a (k-1)th degree polynomial, in Zq

( )

2 1

(

)

1 2 k 1 k mod

f x ≡SK+ f x+ f x L+ f ₋x − q ,

where f

( )

0 =SK is assigned as a private key. The dealer distributes the shadow, x_i ≡ f i

( )

(

mod q

)

to node Pi, where i is treated as the ID number for Pi.

b. Once the shadows are received by nodes, the private key SK can be reconstructed by using Lagrange interpolation as the rule:

( )

(

)

(

)

1 1 0 mod k k j j j j j SK x lc SK q = = ≡

_∑

⋅ ≡

_∑

, (5)

where lcj(0)’s are Lagrange coefficients, and are defined as

( )

(

) (

)

(

(

)

)

(

)

(

)

(

(

)

)

(

(

)

)

(

)

(

)

1 ( 1) 1 mod 1 1 1 j x x j x j x k lc x q j j j j j j k − − − − + − ≡ − − − − + − L L L L . (6)

c. When a node Pj wants to request a certification, it broadcasts a random number, X, to all neighbor nodes. The neighbor node Pi therefore computes the partial certification XSKi, where SKi is derived from shadow xi by the computations of (5) and (6).

d. The node Pj combines the k received partial certifications to generate the genuine certification, X SK as follows:

(

)

1 2 SKk _mod SK SK SK X ≡ X ⋅X ⋅ ⋅L X q . (7)

According to RSA implementations, the certification XSK can be verified by the public key PK.

Implementation

In the distributed certificate authority service scheme, if the intrusion behavior is compassed, the attacker needs to compromise more than k-1 nodes so as to obtain the private key. It is possible to make it done as long as the systems keep running longer without any changing at shadows as well as threshold policy upon secret sharing applications. As the observations we studied, the proposed proactive secret sharing scheme is imposed to solve the compromise concerns in [8] and make the connection to the realistic managements in the network systems.

Consider a scenario that a company is composed of a managing director and some assistant managers. We model a company policy decision-making upon the secret sharing structure as follows: Initially the managing director chooses a key-pair, public key PK = {e, n} and private key SK = {d}. There are n assistant managers, P1, P2,…, and Pn in the system. The private key is shared to n different assistant managers by using our secret sharing scheme presented in Section 3, where the shadow, xi and the table, Ci, both are held by an assistant manager, Pi. We further assume that the staff members, Ej’s, in this company, who dedicate to evaluate the requirements of products or service qualities to the customers in the business market investigations. Assuming

one of staff members, Ej, discovers something benefits with this company market exploitation. Firstly he/she needs to discuss it with the assistant manager, Pi. Once the evaluations are positive, Pi will assign a commitment,

i

SK

X , to a report of project, where _XSKi_{is computed from x}

i and (6), X is a random code generated by Ej. The proposed project will finally submit to managing director via the delivery of Ej. The decision will be made as long as more than k-1 commitments are received based on (k, n) secret sharing scheme, where the threshold is set as k among n assistant manger. In other words, the staff member Ej will collect k commitments, 1

SK

X , _XSK2 _…,

and _XSKk_{, from k assistant managers, P}

i’s, and then conduct a certification Xd to adhere to the proposed project, where Xd is computed by (7). Next, the proposed project is sent off and verified by the managing director using the public key set of PK = {e, n}. All the message exchanges and computations are under the protocols proposed in Section 3. The implementation with our scheme application is shown in Fig. 3.

6 Conclusions

In this paper, we have proposed a new (k, n) threshold secret sharing scheme which allows for the changing of participant number n and arbitrarily changing the threshold k. As analyzed to our scheme, the node number comparisons are less than the past studies in terms of interactive message exchanges and shadow counting. Furthermore, we propose a sort of application on the basis of the scene of commerce transaction in a secure message exchange manner, where the trusted message deliveries, flexible shadow distributions and exchanges enable the decision of business market investigations implemented successfully.

References

[1] A. Shamir, “How to share a secret,” Communications of the ACM, Vol. 22, No.11, pp. 612-613, 1979.

[2] G. Blakley, “Safeguarding cryptographic keys,” Proceedings of the AFIPS 1979 National Computer Conference, Vol. 48, Arlington, VA, pp. 313-317, June 1997.

[3] P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” Proceedings of the 28th IEEE Symposium on Foundations of Computer Science, pp. 427-437, 1987.

[4] T. P. Pederson, “Non-interactive and information- theoretic secure verifiable secret sharing,” Advances in Cryptology, pp. 129-140, 1991. Managing director SK = {d, n}, PK = {e} P1 P2 P3 P4 P5 Pn L Ej X X X 2 SK X 3 SK X _XSK5

Fig. 3. A project generation organization upon the secret sharing application using our protocols in Sec. 3

xn x5 x4 x3 x2 x1

[5] A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung, “Proactive secret sharing, or how to cope with perpetual leakage,” Proceedings of the 15th Annual International Cryptology Conference on Advances in Cryptology, pp. 339-352, August 1995.

[6] D. Schultz, B. Liskov, and M. Liskov, “MPSS: mobile proactive secret sharing,”

http://www.cs.wm.edu/~mliskov/full-paper.pdf, Nov. 2006.

[7] Y. Dong, H. W. Go, A. F. Sui, V. O. K. Li, L. C. .K. Hui, and S. M. Yiu, “Providing distributed certificate authority service in mobile ad hoc networks,” Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, pp. 149-156, 2005.

[8] J. Kong, P. Zerfos, H. Luo, S. Lu, and L. Zhang, “Providing robust and ubiquitous security support for mobile ad-hoc networks,” Proceedings of the International Conference on Network Protocols (ICNF), pp. 251-260, 2001.