MATH 470 Lecture 18

« previous | Tuesday, March 26, 2013 | next »

Secret Sharing

A ${\displaystyle (T,W)}$-threshhold scheme is a way to share a message among ${\displaystyle W}$ participants so that any subset of ${\displaystyle T}$ participants can recover the message, but no smaller subset.

Small example: (2,2)-threshhold schemes have been in various movies involving nuclear missiles (e.g. War Games)

Another example: (3,55)-threshhold scheme could protect the password to some chocolate

In 1979, Adi Shamir found following scheme to hide a message ${\displaystyle M}$

1. Pick a prime ${\displaystyle p\geq \max {(W,M)}}$
2. Pick ${\displaystyle t-1}$ random numbers ${\displaystyle s_{1},\ldots ,s_{T-1}}$ in ${\displaystyle \mathbb {Z} /p\mathbb {Z} }$
3. Define ${\displaystyle p(x)=M+s_{1}\,x+\dots +s_{T-1}\,x^{T-1}}$
4. Pick distinct random numbers ${\displaystyle x,\ldots ,x_{w}}$, and to the ${\displaystyle i}$^th participant, give ${\displaystyle (x_{i},p(x_{i}))}$

Idea: ${\displaystyle n}$ points in Euclidean space define a unique ${\displaystyle n}$-degree polynomial curve.

Lemmas

1. No subset of ${\displaystyle T-1}$ participants can recover ${\displaystyle M}$.
2. Any subset of ${\displaystyle T}$ participants can recover ${\displaystyle M}$.

Proof. Take, say, the first ${\displaystyle T}$ participants ${\displaystyle (x_{1},p(x_{1})),\ldots ,(x_{T},p(x_{T}))}$. We get

${\displaystyle {\begin{aligned}M+s_{1}\,x_{1}+\dots +s_{T-1}\,x_{1}^{T-1}&=p(x_{1})\\\vdots \\M+s_{1}\,x_{T}+\dots +s_{T-1}\,x_{T}^{T-1}&=p(x_{T})\end{aligned}}}$

Which is a ${\displaystyle T\times T}$ linear system of equations, so we can solve

${\displaystyle {\begin{bmatrix}1&x_{1}&\dots &x_{1}^{T-1}\\\vdots &\ddots &&\vdots \\\vdots &&\ddots &\vdots \\1&x_{T}&\dots &x_{T}^{T-1}\end{bmatrix}}\,{\begin{bmatrix}M\\s_{1}\\\vdots \\s_{T-1}\end{bmatrix}}={\begin{bmatrix}p(x_{1})\\\vdots \\\vdots \\p(x_{T})\end{bmatrix}}}$

Claim: The preceding matrix has a nonzero determinant and thus we have a unique solution!

${\displaystyle {\begin{vmatrix}1&x_{1}&\dots &x_{1}^{T-1}\\\vdots &\ddots &&\vdots \\\vdots &&\ddots &\vdots \\1&x_{T}&\dots &x_{T}^{T-1}\end{vmatrix}}=\prod _{n\geq i>j\geq 1}(x_{i}-x_{j})}$

This matrix is a van Der Monde matrix.

Back to ChOcOlAtE

${\displaystyle {\begin{aligned}p&=131\\T&=3\\W&=55\end{aligned}}}$

So we need to solve ${\displaystyle {\begin{bmatrix}1&x_{1}&x_{1}^{2}\\1&x_{2}&x_{2}^{2}\\1&x_{3}&x_{3}^{2}\end{bmatrix}}\,{\begin{bmatrix}M\\s_{1}\\s_{2}\end{bmatrix}}={\begin{bmatrix}p(x_{1})\\p(x_{2})\\p(x_{3})\end{bmatrix}}}$

For ${\displaystyle {\vec {x}}=\left\langle 12,38,2\right\rangle }$ and ${\displaystyle {\vec {p}}({\vec {x}})=\left\langle 96,25,17\right\rangle }$, we get ${\displaystyle M=23}$

Digital Signatures

In our Iran/UN example, we used the RSA digital signature. We also have El-Gamal and DSA (which is still used today).

If Alice needs to sign a message ${\displaystyle M}$,

1. Alice sets up as in RSA ${\displaystyle (p,q,n,e,d)}$ and publishes ${\displaystyle (e,n)}$ and keeps ${\displaystyle (d,p,q)}$ private.
2. The signature ${\displaystyle M^{d}{\pmod {n}}}$ is published

Any user can verify the signature via

${\displaystyle \left(M^{d}\right)^{e}=m{\pmod {n}}}$

El Gamal

To sign a message ${\displaystyle M}$

1. Alice sets up as in El Gamal ${\displaystyle \left(p,\alpha ,a,\beta =\alpha ^{a}\right)}$ and picks a random ${\displaystyle k\in \left(\mathbb {Z} /(p-1)\mathbb {Z} \right)^{*}}$
2. Alice computes ${\displaystyle r=\alpha ^{k}{\pmod {p}}}$ and
3. ${\displaystyle s=k^{-1}\left(M-a\,r\right){\pmod {p-1}}}$
4. Alice sends ${\displaystyle (M,r,s)}$

To verify, the user must:

1. download the public part ${\displaystyle (p,\alpha ,\beta )}$ and then
2. Accept if ${\displaystyle \beta ^{r}\,r^{s}\equiv \alpha ^{M}{\pmod {p}}}$.

Verification works because

${\displaystyle {\begin{aligned}\beta ^{r}\,r^{s}&\equiv \alpha ^{m}{\pmod {p}}\\\left(\alpha ^{a}\right)^{r}\,\left(\alpha ^{k}\right)^{s}&\equiv \alpha ^{m}{\pmod {p}}\\\alpha ^{a\,r+k\,s}&\equiv \alpha ^{m}{\pmod {p}}\\\alpha ^{a\,r+k(k^{-1}(m-ar))}&\equiv \alpha ^{m}{\pmod {p}}\\\alpha ^{{\cancel {a\,r}}+m{\cancel {-a\,r}}}&\equiv \alpha ^{m}{\pmod {p}}\end{aligned}}}$

DSA

Adopmed by NIST in 1994

1. Alice finds a 160-bit prime ${\displaystyle q}$ and a larger prime ${\displaystyle p}$ with ${\displaystyle q\mid (p-1)}$
2. Alice picks a primitive root ${\displaystyle g}$ mod ${\displaystyle p}$ and sets ${\displaystyle \alpha =g^{\frac {p-1}{q}}{\pmod {p}}}$
3. Alice picks a secret ${\displaystyle a\in \left\{1,\ldots ,q-1\right\}}$ and calculates ${\displaystyle \beta =\alpha ^{a}}$
4. Pick random ${\displaystyle k\in \left\{1,\ldots ,q-2\right\}}$
5. Compute ${\displaystyle r=\left(\alpha ^{k}{\pmod {p}}\right){\pmod {q}}}$
6. Compute ${\displaystyle s=k^{-1}(m+ar){\pmod {q}}}$
7. Signature is ${\displaystyle (r,s)}$

To check signature,

1. compute ${\displaystyle u_{1}=s^{-1}\,m{\pmod {q}}}$ and ${\displaystyle u_{2}=s^{-1}\,r{\pmod {q}}}$
2. Accept signature iff ${\displaystyle \left(\alpha ^{u_{1}}\,\beta ^{u_{2}}{\pmod {p}}\right)\equiv r{\pmod {q}}}$