
An improvement on the Lin-Wu (t, n) threshold verifiable multi-secret sharing scheme

N/A
N/A
Protected

Academic year: 2021

Share "An improvement on the Lin-Wu (t, n) threshold verifiable multi-secret sharing scheme"

Copied!
10
0
0

加載中.... (立即查看全文)

全文

(1)

Ting-Yi Chang (a), Min-Shiang Hwang (b,*), Wei-Pang Yang (a)

(a) Department of Computer and Information Science, National Chiao Tung University, 1001 Ta Hsueh Road, Hsinchu, Taiwan, ROC
(b) Department of Management Information System, National Chung Hsing University, 250 Kuo Kuang Road, 402 Taichung, Taiwan, ROC

Abstract

Lin and Wu [IEE Proc. Comput. Digit. Tech. 146 (1999) 264] have proposed an efficient $(t,n)$ threshold verifiable multi-secret sharing (VMSS) scheme based on the factorization problem and on the discrete logarithm modulo a large composite problem. In their scheme, the dealer can arbitrarily choose any set of multiple secrets to be shared, and every participant keeps only one reusable secret shadow. They have also claimed that their scheme provides an efficient solution to the cheating problems between the dealer and any participant. However, He and Wu [IEE Proc. Comput. Digit. Tech. 148 (2001) 139] have shown that Lin and Wu's scheme is in fact insecure against a cheating participant. In this paper, we improve the security of Lin and Wu's scheme while keeping its performance, in terms of computational complexity, better than that of other VMSS schemes.

© 2004 Elsevier Inc. All rights reserved.

Keywords: Cryptosystem; Cheater identification; Threshold scheme; Verifiable secret sharing

This research was partially supported by the National Science Council, Taiwan, ROC, under contract no. NSC90-2213-E-324-004.

* Corresponding author.

E-mail addresses: mshwang@nchu.edu.tw (M.-S. Hwang), wpyang@cis.nctu.edu.tw (W.-P. Yang).

0096-3003/$ - see front matter © 2004 Elsevier Inc. All rights reserved. doi:10.1016/j.amc.2004.01.029


1. Introduction

The first $(t,n)$ threshold secret sharing schemes, based on the Lagrange interpolating polynomial and on linear projective geometry, were proposed by Shamir [20] and Blakley [2], respectively. In their schemes, the dealer first splits the secret into $n$ different pieces, called shadows, which are given to the participants over a secret channel. Any $t$ or more participants can use their shadows to collaboratively reconstruct the secret, but $t-1$ or fewer participants cannot. However, both secret sharing schemes [2,20] share several drawbacks:

(1) Only one secret can be shared during one secret sharing process [11].
(2) Once the secret has been reconstructed, the dealer must redistribute a fresh shadow over a secret channel to every participant [16].
(3) A dishonest dealer may distribute a fake shadow to a certain participant, who would then never obtain the true secret [8].
(4) A malicious participant may provide a fake shadow to the other participants, which makes the malicious participant the only one who gets to reconstruct the true secret [23].

To overcome drawback (1), some efficient $(t,n)$ multi-secret sharing schemes have been proposed [7,10,11] to share multiple secrets. To deal with drawback (2), Jackson et al. [16] have further classified multi-secret sharing schemes into two types: one-time-use schemes and multi-use schemes. The difference is that the shadow kept by each participant in a multi-use scheme is reusable after secret reconstruction, while the shadow kept by each participant in a one-time-use scheme is not. Redistributing shadows is a very costly process with respect to both time and resources. However, both types of schemes still have the common drawbacks (3) and (4).

To do away with drawback (3), Chor et al. [8] have proposed a verifiable secret sharing (VSS) scheme to detect cheating by a dishonest dealer. In Chor et al.'s VSS scheme [8], every participant can verify the validity of his/her own shadow distributed by the dealer, which allows the honest participants to ensure that the secret to be reconstructed is unique. However, drawback (4) still exists in their scheme. Stadler [21] later provided a solution to both problems (3) and (4): Stadler's VSS scheme [21] is robust not only against cheating by the dealer [9] but also against cheating by any participant [3,4,17,22,23]. Nevertheless, both VSS schemes can only deal with one secret in one secret sharing process.

Taking all the above problems into consideration, Harn [10] has proposed a $(t,n)$ threshold verifiable multi-secret sharing (VMSS) scheme which can detect both cheating by the dealer and cheating by any participant. In Harn's scheme [10], every participant keeps only one reusable shadow (which makes it a multi-use scheme) distributed by the dealer. When reconstructing a secret, each participant first computes a subshadow from his/her own shadow. If $t$ or more subshadows are released, the secret can be reconstructed, and the other secrets can be reconstructed the same way. However, Lin and Wu [18] have pointed out that Harn's scheme still suffers from the following problems:

• Every participant has to perform $n!/((n-t)!\,t!)$ modular exponentiations to verify the validity of his/her own shadow against cheating by the dealer.
• The subshadows generated by the participants are not implicitly verifiable against cheating by a participant. In the secret reconstruction process, every participant has to run an interactive verification protocol with each of the other cooperators to verify that their released subshadows are valid.
• Only predetermined or computed secrets can be shared. This prevents the dealer from dynamically adding a new secret to be shared among the $n$ participants.

Chen et al. [6] have proposed an alternative $(t,n)$ VSS scheme to avoid the disadvantages of Harn's scheme [10]. However, Lin and Wu [18] have also pointed out that Chen et al.'s scheme is inefficient because the dealer has to record all participants' shadows and perform $2n$ modular exponentiations to compute an $n$-dimensional verification vector for each shared secret. This $n$-dimensional verification vector is used to prevent cheating by the participants in the secret reconstruction process. In order to avoid the disadvantages of Harn's scheme [10] and to reduce the computational complexity of Chen et al.'s scheme [6], Lin and Wu [18] have further proposed a $(t,n)$ threshold VMSS scheme based on the intractability of factorization and of the discrete logarithm modulo a composite problem [1]. However, He and Wu [12] have shown that a malicious participant can provide a fake subshadow to cheat the other honest participants, so that only the malicious participant can reconstruct the secret.

In this paper, we improve Lin and Wu's scheme [18] so that cheating by any malicious participant is prevented. The improved VMSS scheme still keeps the advantages of Harn's scheme [10] and of Chen et al.'s scheme [6] while reducing the computational complexity. The improved scheme has the following features [18]:

1. The dealer can arbitrarily choose any set of multiple secrets for sharing, and each participant keeps only one shadow, which is reusable. Furthermore, the number of public values that the dealer has to publish for reconstructing each secret without cheating participants is minimized.

2. Every participant can detect any cheating by the dealer and verify his/her own shadow.

3. Every participant can detect cheating by any other participant by using a non-interactive verification protocol and verify the released subshadows.

The remainder of this paper is organized as follows. In Section 2, we propose our improved $(t,n)$ threshold VMSS scheme, which is an improvement on Lin and Wu's scheme. In Section 3, we mount several possible attacks to demonstrate the security of our improved $(t,n)$ VMSS scheme. In Section 4, we compare the performance of our improved $(t,n)$ VMSS scheme with that of Chen et al.'s scheme. Finally, our conclusion is given in Section 5.

2. Improved (t, n) threshold VMSS scheme

In this section, we propose a new method that is an improvement on Lin and Wu's $(t,n)$ VMSS scheme [18]. Our new scheme withstands He and Wu's attack (see [12,18] for details). Like Lin and Wu's scheme, our improved $(t,n)$ VMSS scheme consists of four stages: (1) initialization stage, (2) shadow generation and verification stage, (3) credit ticket generation stage, and (4) subshadow verification and secret reconstruction stage. The details of the four stages are as follows.

2.1. Initialization stage

The dealer (denoted $U_D$) first creates a public notice board (NB) for storing the necessary public parameters. The participants can read those parameters from the NB, but the contents of the board can be modified or updated only by $U_D$. $U_D$ defines the parameters as follows: $N$ is the product of two large primes $p$ and $q$, where $p = 2p' + 1$ and $q = 2q' + 1$ with $p'$ and $q'$ themselves prime; $R = p'q'$; $g$ denotes a generator of order $R$ in $\mathbb{Z}_N^*$; and $e$ and $d$ denote the public and private keys of the RSA algorithm [5,14,19], where $e \cdot d \equiv 1 \pmod{\phi(N)}$. Since $\phi(N) = (p-1)(q-1) = 4R$, this also gives $e \cdot d \equiv 1 \pmod R$, which is what the verification equations below rely on. After generating these parameters, $U_D$ puts $\{N, g, e\}$ on the NB and keeps $\{R, d\}$ secret (so $p$, $q$, $p'$ and $q'$ must remain secret as well).

2.2. Shadow generation and verification stage

Let $G = \{U_1, U_2, \ldots, U_n\}$ be a group of $n$ participants and $S = \{S_1, S_2, \ldots, S_m\}$ a set of $m$ secrets. Every $U_i$ has an identity $ID_i$ ($i = 1, 2, \ldots, n$). $U_D$ performs the following steps:

Step 1. Randomly generate a polynomial $f(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1} \bmod R$, where each $a_k \in \mathbb{Z}_R$, compute the check vector

$$V_k = g^{a_k} \bmod N \quad \text{for } k = 0, 1, \ldots, t-1, \qquad (1)$$

and put $V = [V_0, V_1, \ldots, V_{t-1}]$ on the NB.

Step 2. Compute a secret shadow $x_i$ for every $U_i \in G$ as

$$x_i = f(ID_i) \cdot p_i^{-1} \bmod R, \quad \text{where } p_i = \prod_{U_k \in G,\, U_k \neq U_i} (ID_i - ID_k) \bmod R, \qquad (2)$$

and compute the associated $y_i = g^{x_i} \bmod N$ as $U_i$'s public key, to be put on the NB.

Step 3. Distribute $\{g^{p_i} \bmod N,\ x_i\}$ to every $U_i \in G$ over a secret channel.

When $U_i \in G$ receives the secret shadow $x_i$, he/she verifies its validity by checking

$$(g^{p_i})^{x_i} \equiv \prod_{k=0}^{t-1} (V_k)^{(ID_i)^k} \pmod N. \qquad (3)$$

If Eq. (3) does not hold, the secret shadow $x_i$ distributed by $U_D$ is not valid. Note that $U_i$ need not take the value $g^{p_i} \bmod N$ on trust: because $g$ has order $R$, it equals $g$ raised to the integer product $\prod_{U_k \in G,\, U_k \neq U_i} (ID_i - ID_k)$, which $U_i$ can recompute from the public identities alone. $U_i$ should also confirm that the published $y_i$ equals $g^{x_i} \bmod N$, since Eq. (7) below verifies subshadows against $y_i$.

2.3. Credit ticket generation stage

In this stage, $U_D$ performs the following steps to compute $m$ credit tickets $C_1, C_2, \ldots, C_m$, one for each secret $S_1, S_2, \ldots, S_m \in S$.

Step 1. Randomly choose $m$ distinct integers $r_1, r_2, \ldots, r_m \in \mathbb{Z}_R$, one for each secret $S_1, S_2, \ldots, S_m \in S$.

Step 2. Compute the credit ticket $C_j$ and the value $h_j$ as

$$C_j = g^{r_j d} \bmod N \qquad (4)$$

and

$$h_j = (g^{a_0 r_j d} \bmod N) \oplus S_j \quad \text{for } j = 1, 2, \ldots, m. \qquad (5)$$

Then the 3-tuple $\{r_j, C_j, h_j\}$ is put on the NB.

In addition, if $U_D$ wants to add a new secret $S_{new}$ for sharing, he/she only needs to generate a new 3-tuple $\{r_{new}, C_{new}, h_{new}\}$ for $S_{new}$ and put it on the NB.

2.4. Subshadow verification and secret reconstruction stage

Let $W$ ($|W| = t \le n$) be any subset of $t$ participants in $G$. Without loss of generality, assume that the $t$ participants $U_i \in W$ cooperate to reconstruct a secret $S_j \in S$. Every $U_i \in W$ obtains the 3-tuple $\{r_j, C_j, h_j\}$ from the NB and uses his/her secret shadow $x_i$ to compute a subshadow $A_{ij}$ as

$$A_{ij} = (C_j)^{x_i} \bmod N. \qquad (6)$$

Then $U_i$ releases $A_{ij}$ to the other cooperators in $W$. Any other cooperator in $W$ obtains $U_i$'s public key $y_i$ from the NB and verifies the validity of $A_{ij}$ by checking

$$(A_{ij})^e \equiv (y_i)^{r_j} \pmod N. \qquad (7)$$

If Eq. (7) does not hold, the cooperators stop this stage and announce that cheating by $U_i$ has been identified. If all $A_{ij}$'s released by the $t$ participants in $W$ are valid, every participant in $W$ can reconstruct $S_j$ as

$$S_j = h_j \oplus \Big( \prod_{U_i \in W} (A_{ij})^{D_i} \bmod N \Big), \qquad (8)$$

where

$$D_i = \Big( \prod_{U_k \in W,\, U_k \neq U_i} (-ID_k) \Big) \cdot \Big( \prod_{U_k \in G,\, U_k \notin W} (ID_i - ID_k) \Big).$$

The exponents $D_i$ are computed over the integers (the participants do not know $R$) and may be negative; a negative exponent denotes the corresponding power of the inverse of $A_{ij}$ modulo $N$. Note that the first product runs over $W$, not over $G$: together with the factor $p_i^{-1}$ hidden in $x_i$ it yields exactly the Lagrange coefficient for interpolating $f(0)$ from the $t$ points of $W$, as the correctness argument below shows.

All the secrets $S_1, S_2, \ldots, S_m \in S$ can then be reconstructed by performing this stage repeatedly.
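The four stages above, worked end to end in Python as an added example (this is not code from the original paper). It assumes toy safe primes $p = 1019$ and $q = 1187$ (so $R = 509 \cdot 593$ and $\phi(N) = 4R$), a deterministic demo RNG, bitwise XOR as the $\oplus$ of Eq. (5), and small integer identities; real deployments need safe primes of at least 1024 bits and a cryptographic RNG. It runs every stage for all $t$-subsets, recomputes $g^{p_i}$ from the public identities, and shows a bogus subshadow being caught by Eq. (7) and a wrong shadow being caught by Eq. (3).

```python
"""Toy walk-through of the improved (t, n) VMSS scheme, stages 2.1-2.4.
Added example, not the paper's code; all parameters are demo-sized assumptions."""
import math
import random
from itertools import combinations

# Assumed toy safe primes p = 2p'+1 = 1019 and q = 2q'+1 = 1187, so phi(N) = 4R.
P_PRIME, Q_PRIME = 509, 593
N = (2 * P_PRIME + 1) * (2 * Q_PRIME + 1)
R = P_PRIME * Q_PRIME
PHI_N = 4 * R
E = 65537                                    # public RSA exponent, coprime to phi(N)

def dealer_setup(ids, t, secrets, rng):
    """Stages 2.1-2.3 as performed by U_D. Returns (notice board, secret shadows)."""
    while True:                              # g = h^4 has order dividing R; keep only order exactly R
        h = rng.randrange(2, N)
        g = pow(h, 4, N)
        if math.gcd(h, N) == 1 and g != 1 and pow(g, P_PRIME, N) != 1 and pow(g, Q_PRIME, N) != 1:
            break
    d = pow(E, -1, PHI_N)                    # e*d = 1 (mod phi(N)), hence also (mod R)
    coeffs = [rng.randrange(R) for _ in range(t)]          # f(x) = a0 + a1 x + ... + a_{t-1} x^{t-1}
    f = lambda x: sum(a * pow(x, k, R) for k, a in enumerate(coeffs)) % R
    V = [pow(g, a, N) for a in coeffs]                     # Eq. (1): check vector, published
    shadows, pubkeys = {}, {}
    for i in ids:
        p_i = 1
        for k in ids:
            if k != i:
                p_i = p_i * (i - k) % R
        shadows[i] = f(i) * pow(p_i, -1, R) % R            # Eq. (2): x_i, sent over a secret channel
        pubkeys[i] = pow(g, shadows[i], N)                 # y_i = g^{x_i}, published
    tickets, used = [], set()
    for S_j in secrets:
        r_j = rng.randrange(1, R)
        while r_j in used:                                 # r_j must be distinct (and random; see Attack 2)
            r_j = rng.randrange(1, R)
        used.add(r_j)
        C_j = pow(g, r_j * d, N)                           # Eq. (4): credit ticket, only U_D knows d
        h_j = pow(C_j, coeffs[0], N) ^ S_j                 # Eq. (5): mask g^{a0 r_j d} XOR S_j
        tickets.append((r_j, C_j, h_j))
    nb = {"g": g, "V": V, "y": pubkeys, "tickets": tickets, "ids": list(ids)}
    return nb, shadows

def g_to_p_i(nb, i):
    """g^{p_i} mod N recomputed by U_i from the public identities: g has order R, so the
    integer product serves as exponent; a negative exponent becomes a modular inverse."""
    exp = 1
    for k in nb["ids"]:
        if k != i:
            exp *= i - k
    return pow(nb["g"], exp, N)

def verify_shadow(nb, i, x_i):
    """Eq. (3), plus a consistency check of the published y_i against x_i."""
    lhs = pow(g_to_p_i(nb, i), x_i, N)
    rhs = 1
    for k, V_k in enumerate(nb["V"]):
        rhs = rhs * pow(V_k, i ** k, N) % N
    return lhs == rhs and nb["y"][i] == pow(nb["g"], x_i, N)

def subshadow(nb, j, x_i):
    """Eq. (6): A_ij = C_j^{x_i} mod N."""
    return pow(nb["tickets"][j][1], x_i, N)

def verify_subshadow(nb, i, j, A_ij):
    """Eq. (7): A_ij^e == y_i^{r_j} mod N; non-interactive cheater detection."""
    r_j = nb["tickets"][j][0]
    return pow(A_ij, E, N) == pow(nb["y"][i], r_j, N)

def reconstruct(nb, j, released):
    """Eq. (8) with released = {ID_i: A_ij} for the t cooperators forming W."""
    W = list(released)
    prod = 1
    for i in W:
        D_i = 1                                            # over the integers, may be negative
        for k in W:
            if k != i:
                D_i *= -k
        for k in nb["ids"]:
            if k not in W:
                D_i *= i - k
        prod = prod * pow(released[i], D_i, N) % N
    return nb["tickets"][j][2] ^ prod

IDS, T, SECRETS = [11, 23, 37, 58, 71], 3, [0xC0FFEE, 0xBEEF, 0x1234]   # constructed demo input

def demo(seed=7):
    """Run every stage for all t-subsets and exercise both cheating cases."""
    rng = random.Random(seed)                              # demo only; use secrets.SystemRandom in practice
    nb, shadows = dealer_setup(IDS, T, SECRETS, rng)
    all_recovered = all(verify_shadow(nb, i, x) for i, x in shadows.items())
    for j in range(len(SECRETS)):
        for W in combinations(IDS, T):
            released = {i: subshadow(nb, j, shadows[i]) for i in W}
            all_recovered &= all(verify_subshadow(nb, i, j, A) for i, A in released.items())
            all_recovered &= reconstruct(nb, j, released) == SECRETS[j]
    fake_A = subshadow(nb, 0, shadows[11]) * 2 % N         # a cooperator releasing a bogus subshadow
    fake_x = (shadows[23] + 1) % R                         # a dealer handing out a wrong shadow
    return {"all_recovered": all_recovered,
            "cheater_caught": not verify_subshadow(nb, 11, 0, fake_A),
            "fake_shadow_rejected": not verify_shadow(nb, 23, fake_x),
            "nb": nb, "shadows": shadows}

if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k not in ("nb", "shadows")})
```

The participant side never uses $R$, $d$ or the polynomial: the shadow check needs only the public identities and $V$, the subshadow check only $y_i$, $r_j$ and $e$, and the exponents $D_i$ are integers, which is why `pow` with a negative exponent (Python 3.8 or later) is used in place of reducing modulo the secret $R$.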

In the rest of this section, we show the correctness of the shadow verification in Eq. (3), of the subshadow verification in Eq. (7) and of the secret reconstruction in Eq. (8).

In the shadow generation and verification stage, any participant $U_i \in G$ can verify the secret shadow $x_i$ distributed by $U_D$ with Eq. (3) as follows. By Eqs. (1) and (2), and since all exponent arithmetic is modulo $R$, the order of $g$, the left-hand side of Eq. (3) can be rewritten as

$$(g^{p_i})^{x_i} = g^{p_i \cdot f(ID_i) \cdot p_i^{-1}} \bmod N = g^{f(ID_i)} \bmod N = g^{\sum_{k=0}^{t-1} a_k (ID_i)^k} \bmod N = \prod_{k=0}^{t-1} (V_k)^{(ID_i)^k} \bmod N.$$

In the subshadow verification and secret reconstruction stage, any cooperator can verify the subshadow released by any $U_i \in W$ with Eq. (7) as follows. Assume that $U_i$ is an honest participant who uses his/her shadow $x_i$ to compute $A_{ij}$ in Eq. (6). By Eqs. (4) and (6), and since $e \cdot d \equiv 1 \pmod R$,

$$(A_{ij})^e = (C_j^{x_i})^e \bmod N = (g^{r_j d x_i})^e \bmod N = g^{r_j x_i} \bmod N = (y_i)^{r_j} \bmod N.$$

Finally, every participant in $W$ can reconstruct $S_j \in S$ with Eq. (8) as follows. Assume that all $A_{ij}$'s released by the $t$ participants in $W$ are valid. By Eq. (5), Eq. (8) can be rewritten as

$$S_j = h_j \oplus \Big( \prod_{U_i \in W} (A_{ij})^{D_i} \bmod N \Big) = (g^{a_0 r_j d} \bmod N) \oplus S_j \oplus \Big( \prod_{U_i \in W} (C_j)^{x_i D_i} \bmod N \Big) = (g^{a_0 r_j d} \bmod N) \oplus S_j \oplus \big( (C_j)^{f(0)} \bmod N \big) = S_j,$$

where the second-to-last step uses

$$\sum_{U_i \in W} x_i D_i \equiv \sum_{U_i \in W} f(ID_i) \prod_{U_k \in W,\, U_k \neq U_i} \frac{-ID_k}{ID_i - ID_k} \equiv f(0) \pmod R,$$

the Lagrange interpolation formula at $x = 0$ (the factor $p_i^{-1}$ in $x_i$ cancels the differences $ID_i - ID_k$ for $U_k \notin W$ contributed by $D_i$), and the last step uses $(C_j)^{f(0)} = g^{r_j d a_0} \bmod N$.

3. Security analysis

The security of our proposed scheme is the same as that of Lin and Wu's scheme [18]: it rests on the factorization problem and on the discrete logarithm modulo a composite problem. In the rest of this section, we raise several possible attacks and show why each of them fails against our scheme.

Attack 1. An adversary tries to reveal the participants' secret shadows $x_i$ from the known information.

(a) Known: the equation $y_i = g^{x_i} \bmod N$, $U_i$'s public key $y_i$ ($i = 1, 2, \ldots, n$) and the parameters $g$, $N$. Recovering $x_i$ is as difficult as solving the discrete logarithm modulo a composite (DLMC) problem [1].

(b) Known: the equation $A_{ij} = (C_j)^{x_i} = g^{r_j d x_i} \bmod N$, the values $A_{ij}$ and $C_j$ ($i = 1, 2, \ldots, n$ and $j = 1, 2, \ldots, m$) and the parameter $N$. As in Attack 1(a), the adversary faces the DLMC problem.

Attack 2. A malicious participant who has obtained some previously recovered secrets tries to reveal any remaining secret in $S$ without the assistance of the other $t-1$ cooperators.

Known: the equation $h_j = (g^{a_0 r_j d} \bmod N) \oplus S_j$, the check value $V_0 = g^{a_0} \bmod N$ and the 3-tuples $\{r_j, C_j, h_j\}$ ($j = 1, 2, \ldots, m$). Assume that the malicious participant has recovered the secrets $S_a \in S$ and $S_b \in S$ with the other $t-1$ cooperators; in other words, he/she knows the values $g^{a_0 r_a d} \bmod N$ and $g^{a_0 r_b d} \bmod N$. In order to disclose another secret $S_c \in S$ through Eq. (5), the malicious participant must first find the value $g^{a_0 d} \bmod N$ and then raise it to the exponent $r_c$. To do so, he/she has to compute the $r_a$-th root of $g^{a_0 r_a d} \bmod N$ or the $r_b$-th root of $g^{a_0 r_b d} \bmod N$. However, extracting such a root modulo $N$ without knowing $R$ is as difficult as solving the factorization (FAC) problem [1,15] underlying the RSA scheme [19]. On the other hand, if the malicious participant finds that $C_c = C_a \cdot C_b \bmod N$, he/she can easily derive $t-1$ verified $A_{ic}$'s from the $A_{ia}$'s and $A_{ib}$'s as

$$A_{ic} = A_{ia} \cdot A_{ib} \bmod N = (C_a)^{x_i} \cdot (C_b)^{x_i} \bmod N = g^{r_a d x_i} \cdot g^{r_b d x_i} \bmod N = g^{d x_i (r_a + r_b)} \bmod N.$$

This requires $r_c \equiv r_a + r_b \pmod R$. Because the integers $r_j$ are chosen uniformly at random from $\mathbb{Z}_R$ by $U_D$, such a relation (and, more generally, any integer linear relation $r_c = \sum_k m_k r_k$ among the public $r_j$'s of already recovered secrets) holds only with negligible probability, so the malicious participant cannot succeed in this attack. The randomness of the $r_j$'s is essential: a structured choice such as $r_j = 3^j$ would make $r_c = 3^{c-a} r_a$ an integer multiple of $r_a$, and then $g^{a_0 r_c d} = (g^{a_0 r_a d})^{3^{c-a}} \bmod N$ could be computed directly from one recovered mask, exposing $S_c$ from $h_c$.

Attack 3. The dealer $U_D$ tries to distribute a fake shadow $x_i'$ to cheat participant $U_i$ without being detected by Eq. (3).

The check vector $V = [V_0, V_1, \ldots, V_{t-1}]$ of Eq. (1) has been published by $U_D$ on the NB, so $f(x)$ is already committed and can no longer be changed. For this reason, any fake shadow $x_i' \neq f(ID_i) \cdot p_i^{-1} \bmod R$ fails the shadow verification in Eq. (3).

Attack 4. A dishonest participant $U_i \in W$ tries to release a fake subshadow $A'_{ij}$ to cheat the other cooperators in $W$ without being detected by Eq. (7).

Since $\gcd(e, \phi(N)) = 1$, raising to the power $e$ is a permutation of $\mathbb{Z}_N^*$, so $(y_i)^{r_j} \bmod N$ has exactly one $e$-th root, namely $(C_j)^{x_i} = A_{ij}$ itself. To make a different $A'_{ij}$ pass Eq. (7), the dishonest participant would therefore have to compute $e$-th roots modulo $N$, which requires $U_D$'s private key $d$, or modify his/her public key $y_i$ or the value $r_j$ on the NB. However, retrieving $d$ from $\{N, e\}$ is as difficult as breaking the RSA scheme [13,19], and the contents of the NB can be modified or updated only by $U_D$. Thus, the dishonest participant $U_i$ cannot release a fake subshadow $A'_{ij}$ that passes Eq. (7).

4. Performance analysis

In their paper, Lin and Wu claimed that their scheme is more efficient than Harn's scheme [10] and Chen et al.'s scheme [6]. However, He and Wu [12] showed that a malicious participant in Lin and Wu's scheme could provide a fake subshadow to deceive the other honest participants. In Section 3, we have shown that our improved scheme withstands such an attack. Our improved scheme is also more efficient than Harn's scheme [10], in which each participant has to run an interactive verification protocol with each and every one of the other cooperators to verify their released subshadows, which is inefficient. Here we count the number of modular exponentiations ($T_{exp}$) and compare our scheme with Chen et al.'s scheme.

Table 1 shows that, although the number of modular exponentiations spent by $U_i$ to guard against cheating by other participants is larger in our scheme than in Chen et al.'s scheme [6], our scheme needs far fewer modular exponentiations on the dealer's side for the same purpose. Chen et al.'s scheme requires $2n$ modular exponentiations by $U_D$ to guard against cheating by $U_i$, a cost that grows with the number of participants in the system. Generally speaking, our scheme therefore has a more efficient overall performance than Chen et al.'s scheme. In addition, the number of public values published by the dealer for reconstructing a secret is only 3 in our scheme, whereas Chen et al.'s scheme needs as many as $n + 2$; this number, too, grows with the number of participants in the system.

5. Conclusion

In this article, we have proposed an improved $(t,n)$ VMSS scheme which is a modified version of Lin and Wu's scheme. Our scheme withstands He and Wu's attack, and its security rests on the factorization problem and on the discrete logarithm modulo a composite problem. Despite the modifications, the original advantages are maintained.

Table 1
Comparison between our scheme and Chen et al.'s scheme

                                                             Chen et al.'s scheme   Our scheme
Against cheating by U_D (done by U_i)                        2t T_exp               2t T_exp
Against cheating by U_i (done by U_i)                        (t-1) T_exp            2(t-1) T_exp
Against cheating by U_i (done by U_D)                        2n T_exp               2 T_exp
Public values published by U_D for reconstructing a secret   n+2                    3

References

[1] L. Adleman, K. McCurley, Open problems in number theoretic complexity, II, Lecture Notes Comput. Sci. 877 (1994) 291–322.

[2] G. Blakley, Safeguarding cryptographic keys, in: Proc. AFIPS 1979 Natl. Conf., New York, 1979, pp. 313–317.

[3] M. Carpentieri, A perfect threshold secret sharing scheme to identify cheaters, Designs, Codes and Cryptography 5 (3) (1995) 183–187.

[4] C.C. Chang, R.J. Hwang, Efficient cheater identification method for threshold schemes, IEE Proc. Comput. Digit. Tech. 144 (1) (1997) 23–27.

[5] C.-C. Chang, M.-S. Hwang, Parallel computation of the generating keys for RSA cryptosystems, IEE Electron. Lett. 32 (15) (1996) 1365–1366.

[6] L. Chen, D. Gollmann, C.J. Mitchell, P. Wild, Secret sharing with reusable polynomials, in: Proceedings of ACISP '97, 1997, pp. 183–193.

[7] H.-Y. Chien, J.-K. Jan, Y.-M. Tseng, A practical (t, n) multi-secret sharing scheme, IEICE Trans. Fundamentals E83-A (12) (2000) 2762–2765.

[8] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, in: Proc. 26th IEEE Symp. FOCS, 1985, pp. 251–260.

[9] R. Gennaro, S. Micali, Verifiable secret sharing as secure computation, in: Advances in Cryptology, EUROCRYPT '95, Lecture Notes in Computer Science, 1995, pp. 168–182.

[10] L. Harn, Efficient sharing (broadcasting) of multiple secrets, IEE Proc. Comput. Digit. Tech. 142 (3) (1995) 237–240.

[11] J. He, E. Dawson, Multistage secret sharing based on one-way function, Electron. Lett. 30 (19) (1994) 1591–1592.

[12] W.H. He, T.S. Wu, Comment on Lin–Wu (t, n)-threshold verifiable multisecret sharing scheme, IEE Proc. Comput. Digit. Tech. 148 (3) (2001) 139.

[13] M.-S. Hwang, C.-C. Lee, Y.-C. Lai, Traceability on RSA-based partially signature with low computation, Appl. Math. Comput. (2002).

[14] M.-S. Hwang, I.-C. Lin, K.-F. Hwang, Cryptanalysis of the batch verifying multiple RSA digital signatures, Informatica 11 (1) (2000) 15–19.

[15] M.-S. Hwang, C.-C. Yang, S.-F. Tzeng, Improved digital signature scheme based on factoring and discrete logarithms, J. Discrete Math. Sci. Cryptography, in press.

[16] W.-A. Jackson, K.M. Martin, C.M. O'Keefe, On sharing many secrets, Asiacrypt '94, 1994, pp. 42–54.

[17] E.D. Karnin, J.W. Greene, M.E. Hellman, On secret sharing systems, IEEE Trans. Inform. Theory IT-29 (1) (1983) 35–41.

[18] T.Y. Lin, T.C. Wu, (t, n) threshold verifiable multisecret sharing scheme based on factorisation intractability and discrete logarithm modulo a composite problems, IEE Proc. Comput. Digit. Tech. 146 (5) (1999) 264–268.

[19] R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Commun. ACM 21 (2) (1978) 120–126.

[20] A. Shamir, How to share a secret, Commun. ACM 22 (1979) 612–613.

[21] M. Stadler, Publicly verifiable secret sharing, in: Advances in Cryptology, EUROCRYPT '96, Lecture Notes in Computer Science, 1996, pp. 190–199.

[22] K.J. Tan, H.W. Zhu, S.J. Gu, Cheater identification in (t, n) threshold scheme, Comput. Commun. 22 (8) (1999) 762–765.
