1
How not to share a set of secrets
K. R. Sahasranand
1
, Nithin Nagaraj
1
, Rajan S.
2
1
Department of Electronics and Communication Engineering,
2
Department of Mathematics,Amrita Vishwa Vidyapeetham, Amritapuri Campus,Kollam-690525, Kerala, India.
Email: sanandkr@gmail.com, nithin@am.amrita.edu, rajans@am.amrita.edu
Abstract
—This note analyzes a space efficient secret sharingscheme for a set of secrets, proposed by Parakh
et al.
[2], andsuggests vulnerabilities in its design. The algorithm fails forcertain choices of the set of secrets and there is no reason forpreferring this particular scheme over alternative schemes. Thepaper also elaborates the adoption of a scheme proposed by HugoKrawczyk [5] as an extension of Shamir’s scheme, for a set of secrets. Such an implementation overcomes the drawbacks of thefirst scheme and works for all choices of secrets. However, wedemonstrate that both the schemes turn out to be
conditionallyinsecure
. We introduce two new methods of attack which arevalid under certain assumptions, to this end. We observe that itis the elimination of random values that facilitates these kindsof attacks.
Index Terms
—cryptography, secret sharing, set of secrets,attack.
I. I
NTRODUCTION
A
T times, we come across situations wherein we wantto share a secret among a set of people in such a waythat if more than a particular number of people from that setcome together, the secret could be reconstructed. However,any number of people less than that particular number, albeitfrom the same set, should not be able to learn anything aboutthe secret. Such a scheme is called a threshold secret sharingscheme. If the size of the whole set of people is
n
and thethreshold is
k
, we call that scheme a
(
k,n
)
threshold secretsharing scheme. In such a scheme,
n
shares are generatedand distributed among
n
people, any
k
of them enough forreconstruction of the original secret while any
k
−
1
or lesswill not be able to recover the secret. We might also comeacross cases where we have a set of secrets rather than a singlepiece of secret, to be shared among a set of people. This set of secrets contains elements which may or may not be distinct.In a (
k
,
n
) secret sharing scheme by Shamir [1], there resultsan
n
-fold increase in the total storage requirement. Further, incases where
k
secrets have to be shared among
n
individualsfor a (
k
,
n
) scheme, the storage requirement explodes to
k
.
n
times the original. One of the proposed schemes [2]which claims to be space efficient, however, is found tocompromise usability as well as security for efficiency, withoutreally achieving efficiency. An obvious better solution whichovercomes these drawbacks is also found to be
conditionallyinsecure
. In this paper, we describe the vulnerabilities in thedesign of the first scheme and also suggest two new methods of attack which demonstrate the insecurity of both the schemes.II. R
EVIEW OF THE SCHEME PROPOSED BY
P
ARAKH
et al.
The scheme proposed by Parakh
et al.
[2] works in thefollowing manner:Consider a polynomial
y
=
q
(
x
)
of degree
k
−
1
, the coef-ficients of powers of
x
from
Z
p
. The secrets
s
0
,s
1
,...,s
k
−
1
are treated as
y
values with
x
= 0
,
1
,...,k
−
1
. Then, they areinterpolated to form a
k
−
1
degree polynomial and the value of
q
(
x
)
at
n
different
x
are calculated, where
x
= 0
,
1
,...,k
−
1
.Each of the
n
values thus obtained, along with the correspond-ing
x
value is a share and they are distributed one each to
n
people. For reconstruction, any
k
people out of the
n
cometogether, obtain
q
(
x
)
through interpolation and calculate thevalue of
q
(
x
)
at
x
= 0
,
1
,...,k
−
1
, which are the secrets.Note that the number of secrets,
k
is the same as the thresholdvalue
k
in this particular
(
k,n
)
scheme.A number of problems identified with this scheme follow:1) The scheme cannot be used to implement a (
k
,
n
)scheme when the
k
secrets to be distributed are inher-ently generated from a polynomial of order less than
k
−
1
. This may be demonstrated using an example.Let
s
0
,
s
1
,
s
2
and
s
3
be four secrets from a finite field
Z
p
to be shared in a (4,
n
) scheme. If
s
0
= 2,
s
1
= 6,
s
2
= 12,
s
3
= 20, and
p
= 31, the scheme
expects
a cubicpolynomial to be the result of interpolation. However,the polynomial resulting out of interpolation happensto be
x
2
+ 3
x
+ 2
, which is quadratic. If the shares aregenerated from this polynomial, it requires only
3
peoplefor reconstruction; therefore a (
4
,
n
) scheme cannot beimplemented.One solution to this problem appears to be changingthe order of secrets or changing the indices
i
’s of
s
i
’s. However it costs a round of interpolation becauseit is impossible to guess such a relation betweenthe seemingly
innocent
secrets without interpolating.Besides, changing the order may not always be feasible(for example, when these secrets are pieces of a largersecret) and changing the indices may not always work.2) The scheme does not work if all of the secrets to beshared are the same. This case is quite possible; whenthe
k
secrets are part of a large secret like it is mentionedin [2]. But, for the scheme to work there should be atleast one
s
i
=
s
j
among all
s
i
,s
j
to be shared. This is bydefinition of interpolation. For successful interpolationover a finite field, at least two distinct values are needed.
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010234http://sites.google.com/site/ijcsis/ISSN 1947-5500
2
For example, we want to share
3
secrets, all of themequal to
2
, taken from a finite field
Z
p
,
p
= 3
. Then,
s
0
= 2
,
s
1
= 2
,
s
2
= 2
and
p
= 3
. Interpolation isperformed as follows:
q
0
(
x
) =
x
−
10
−
1
.
x
−
20
−
2
= 2
x
2
+ 1
.
q
1
(
x
) =
x
−
01
−
0
.
x
−
21
−
2
= 2
x
2
+ 2
x
.
q
2
(
x
) =
x
−
02
−
0
.
x
−
12
−
1
= 2
x
2
+
x
.Now,
q
(
x
) =
s
0
.q
0
(
x
) +
s
1
.q
1
(
x
) +
s
2
.q
2
(
x
)
(mod
p
).
⇒
q
(
x
) = 2
.
(
q
0
(
x
) +
q
1
(
x
) +
q
2
(
x
))
(mod
3
).
⇒
q
(
x
) = 2
.Thus, we end up with a constant polynomial. Thescheme needs a quadratic polynomial for implementinga
(3
,n
)
scheme and hence does not work in such cases.It could be easily seen that
k
secrets could be chosenall of them being the same, from a field
Z
p
in
p
ways.There is a total of
p
k
ways by which any
k
secretscould be chosen from
Z
p
(the
k
secrets may or maynot be distinct). Thus, the method in [2] does not work in
p
cases out of the
p
k
cases possible.3) The percentage of cases for which the method in [2] failsmay be calculated as follows: We have assumed that theorder of secrets is important. i.e., a set of secrets, say,
{
0
,
1
,
1
,
2
}
is different from
{
0
,
1
,
2
,
1
}
.In general, there are
p
k
−
1
cases in which the
k
sharesare generated from polynomials of order less than
k
−
1
.This includes the cases in which all the secrets are thesame. The count is obtained by the following argument:We need to find the number of such instances where thesecrets
s
0
,s
1
,...,s
k
−
1
are generated from polynomialsof order strictly less than
k
−
1
. Let the polynomialbe named
f
(
x
)
. Note that all operations are performedmodulo
p
. Thus,
f
(
x
) =
a
k
−
1
x
k
−
1
+
...
+
a
2
x
2
+
a
1
x
+
a
0
;
a
k
−
1
= 0
.Now, the secrets are values of
f
(
x
)
at different values of
x
,
0
≤
x
≤
k
−
1
. i.e.,
s
0
,s
1
,...,s
k
−
1
are respectively,
s
0
=
f
(0) = 0 +
...
+ 0 + 0 +
a
0
,
s
1
=
f
(1) =
a
k
−
1
+
...
+
a
2
+
a
1
+
a
0
,...
s
k
−
1
=
f
(
k
−
1) =
a
k
−
1
(
k
−
1)
k
−
1
+
...
+
a
2
(
k
−
1)
2
+
a
1
(
k
−
1) +
a
0
.In matrix form, this looks like,
0 0
...
11 1
...
12
k
−
1
... ...
1
............
(
k
−
1)
k
−
1
... ...
1
·
a
k
−
1
a
k
−
2
...
a
1
a
0
=
s
0
s
1
...
s
k
−
2
s
k
−
1
.
Let us denote the above matrices respectively as
M
,
A
and
B
. Thus,
M
·
A
=
B
.Now, the matrix
M
is the Vandermonde matrix of order
k
and is essentially invertible [3]. Furthermore, evenunder modulo
p
, this is true since the determinant of
M
is not divisible by
p
[4]. Therefore, we can write,
A
=
M
−
1
·
B
.
a
k
−
1
a
k
−
2
...
a
1
a
0
=
M
−
1
·
s
0
s
1
...
s
k
−
2
s
k
−
1
.
If
m
0
,m
1
,...,m
k
−
1
are the elements of first row of
M
−
1
, then, since
a
k
−
1
= 0
, we have,
m
0
s
0
+
m
1
s
1
+
...
+
m
k
−
1
s
k
−
1
= 0
.Here, we have
(
k
−
1)
ways to choose the secrets
s
0
,s
1
,...,s
k
−
2
. From the above equation, the
k
-thsecret,
s
k
−
1
has to be the negative of the sum of rest of the secrets mod
p
. Thus, the resulting number of choicesfor the set of secrets is
p
k
−
1
, considering that the sameset of numbers taken in a different order is treated as adifferent set of secrets.This count may be obtained by an alternative approachas well (We thank the author of [2] for this argument).The
k
secrets being generated from a polynomial of order less than
k
−
1
occurs in the following manner.The polynomial constructed out of the remaining
k
−
1
secrets passes through the value of the
k
-th secret
s
k
−
1
at
x
=
k
−
1
. i.e., the set we consider for interpolationis an oversampling of a lower degree polynomial.Now, having chosen
k
−
1
secrets from a finite field
Z
p
,the
k
-th secret
s
k
−
1
could be just one of the possible
p
choices. This is because
s
k
−
1
is treated as the
y
value at
x
=
k
−
1
. The polynomial constructed outof the remaining
k
−
1
secrets passes through exactlyone point corresponding to
(
k
−
1
,s
k
−
1
)
. However, the
k
−
1
secrets could be chosen from
Z
p
in
p
k
−
1
ways.This value multiplied with the number of choices for the
k
-th secret
s
k
−
1
(the number of choices is equal to
1
)gives
p
k
−
1
cases in which the method fails.Thus, there are
p
k
−
1
choices of secrets out of the
p
k
choices possible which yield polynomials of degree lessthan
k
−
1
upon interpolation, thereby leaving us unableto implement a
(
k,n
)
scheme.
Percentage of failure
=
p
k
−
1
p
k
·
100 = 100
/p.
(1)
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010235http://sites.google.com/site/ijcsis/ISSN 1947-5500
3
4) For large values of
p
, the failure percentage is small asindicated by the formula. However, since the failure rateis not zero, it is absolutely necessary to verify whetherfor a particular set of secrets the method works or not.It is mentioned in [2] that the primes chosen are of theorder of
1024
bits. Then, even for small
k
, there is alarge number of choices of secrets which could not beimplemented using the scheme.For example, for
k
= 3
and
p
of the order of
1024
bits,number of cases for which the method fails,
f
=
p
k
−
1
.
f
is of the order of
2
1024
.
2
1024
= 2
2048
. The number of cases for which the scheme in [2] fails is of the orderof
2048
bits for a simple
k
= 3
. i.e., there are about
2
2048
choices of a set of
3
secrets for which the schemedoes not work (The number
2
2048
is nearly
600
digitslong) although this is only a very small percentage of the possible set of secrets. The problem lies in the factthat it is impossible to know beforehand whether or notthe method could be used for a particular
(
k,n
)
schemefor a given set of secrets.III. K
RAWCZYK
’
S ALGORITHM FOR A SET OF SECRETS
Hugo Krawczyk outlines an algorithm in [5] for informationdispersal. The same method when used for sharing a set of secrets does not have any of the drawbacks the method in [2]has and is space optimal as well. Let us consider the case inwhich
k
secrets are to be shared among
n
people in a
(
k,n
)
scheme.
Algorithm:
1) Construct a polynomial
q
(
x
)
in such a way that thesecrets are the coefficients of powers of
x
. If
s
0
,
s
1
,
s
2
,...,
s
k
−
1
are the
k
secrets, then the polynomial to beconstructed is:
q
(
x
) =
s
0
+
s
1
x
+
s
2
x
2
+
...
+
s
k
−
1
x
k
−
1
.Here, we have to ensure that the coefficient of the highestpower of
x
is non-zero. i.e.,
s
k
−
1
= 0
2) Compute the values of
q
(
x
)
at
n
different values of
x
other than
0
, say
x
0
,
x
1
, ...,
x
n
−
1
and distribute them asshares
(
x
0
,b
0
)
,
(
x
1
,b
1
)
, ...,
(
x
n
−
1
,b
n
−
1
)
where
b
i
=
q
(
x
i
)
,
0
≤
i
≤
n
−
1
.3) Reconstruction of secrets could be carried out using any
k
of the values generated in step 2 above, by solvingfor
s
i
s or obtaining
q
(
x
)
through interpolation.The aforementioned scheme works for all possible set of secrets except in the trivial case of all secrets being equal to
0
. If the secrets are assumed to be
truly random
, they areequivalent to the random coefficients in Shamir’s scheme [1]and hence the scheme may be assumed to be secure.IV. C
URIOUS CASES OF INSECURITY
In this section we consider a couple of cases wherein theopponent (Eve) is assumed to possess partial informationabout the secrets. The modified Krawczyk’s algorithm as wellas the method in [2] are found to be vulnerable to attack under these assumptions. This conditional insecurity could beattributed to them not employing random values.
Case 1:
Here we elaborate a case in which the modified Krawczyk’salgorithm fails. The scheme was taken to be as much secureas Shamir’s scheme under the assumption that the secretsthemselves are truly random; i.e., they come from a uniformdistribution over
Z
p
. However, this may not really be the case.The secrets might have been taken from a set whose membersare much smaller than
p
that modular arithmetic does not comeinto play at all.Consider a
(
k,n
)
scheme. Let the polynomial be
q
(
x
)
andprime
p
we use be large (compared to secrets). Suppose Evehappens to learn that the
k
secrets are all less than some
r
,
r < p
.
q
(
x
) =
a
k
−
1
x
k
−
1
+
...
+
a
2
x
2
+
a
1
x
+
a
0
Now, Eve being a shareholder as well, gets some arbitraryshare
(
u,q
(
u
))
at
x
=
u
. Knowing that the secrets, i.e., thecoefficients
a
k
−
1
,...,a
2
,a
1
,a
0
are all less than or equal to
r
, Eve infers that:
If
q
(
u
)
is a multiple of
u
, then the secret
a
0
is a multipleof
u
. The converse is also true.
Let us examine why this is so.
q
(
u
)
is the value of
q
(
x
)
sampled at
x
=
u
. Thus,
q
(
u
) =
a
k
−
1
u
k
−
1
+
...
+
a
2
u
2
+
a
1
u
+
a
0
. All the terms on the
RHS
(excluding
a
0
) beingmultiples of powers of
u
are obviously multiples of
u
. If
LHS
namely
q
(
u
)
, is a multiple of
u
, it implies
a
0
is a multiple of
u
as well and vice versa. For example,Suppose
q
(
x
) = 4
x
3
+3
x
2
+2
x
+15
and
p
= 999961
. Notethat
a
0
= 15
. Suppose Eve knows that all the secrets are lessthan
r
, say
r
= 10000
.
q
(3) = 108 + 27 + 6 + 15
mod
999961
.
q
(3) = 156
mod
999961
.
q
(3) = 156
is a multiple of
3
⇔
a
0
is a multiple of
3
.Suppose
q
(
x
) = 4
x
3
+3
x
2
+2
x
+14
and
p
= 999961
. Notethat
a
0
= 14
.
q
(3) = 108 + 27 + 6 + 14
mod
999961
.
q
(3) = 155
mod
999961
.
q
(3) = 155
is NOT a multiple of
3
⇔
a
0
is NOT amultiple of
3
.Thus, in cases where the opponent knows that all thesecrets are less than some
r
, she can safely assume thatthe statement above is true. Such a strategy works for Evebecause she can calculate the maximum value
q
max
(
u
)
,
q
(
x
)
can take for a particular
u
. Since she knows that all thesecrets are less than or equal to
r
,
q
max
(
u
) =
r.u
3
+
r.u
2
+
r.u
+
r
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 8, No. 1, April 2010236http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
How not to share a set of secrets
This note analyzes a space efficient secret sharing scheme for a set of secrets, proposed by Parakh et al. [2], and suggests vulnerabilities in its design. The algorithm fails for certain choices of the set of…
(More)
321
Reads
3
Readcasts
0
Embed Views
More From This User
Notes
Load more
