A SHORT NOTE ON SECRET SHARING USING ELLIPTIC CURVES

Volker Müller

University of Luxembourg, Faculty of Sciences, Technology and Communication

6, rue Richard Coudenhove-Kalergi, L-1359, Luxembourg

Keywords: Elliptic curve, threshold scheme, verifiable secret sharing, bilinear map.

Abstract: In this short note, we describe a variant of Shamir's (n,t)-threshold scheme based on elliptic curves. Moreover, we show how pairings of elliptic curves can be used to also provide verifiability for the new elliptic curve based threshold scheme.

1 INTRODUCTION

Sharing a secret between a group of participants is a well-known and long solved problem in cryptography. An (n,t)-threshold scheme is a method by which a trusted third party computes n secret shares from a secret and distributes these shares secretly to the n participants. If t or more participants pool their shares, then the secret can be determined; otherwise no substantial information about the secret is revealed (Menezes et al., 1997). Shamir first described an (n,t)-threshold scheme based on polynomial interpolation over finite fields (Shamir, 1979). In this short note, we describe how the ideas of Shamir's threshold scheme can be slightly modified to obtain an (n,t)-threshold scheme based on elliptic curves. An additional property of this new scheme is that any already existing elliptic curve related cryptographic information can be reused, and existing security devices like smartcards can easily be adapted to the new threshold scheme.

We assume that the reader is already familiar with elliptic curves and their usage in public key cryptography; descriptions of ECC in theory and practice can be found in, e.g., (Hankerson et al., 2004), (Koblitz, 1987), (Certicom, 2000), and many other publications. In the following, we assume that $K$ denotes a finite prime field with $q$ elements, and $E$ is a cryptographically secure elliptic curve defined over $K$. The group of points on $E$ defined over $K$ is denoted as $E(K)$.

Müller V. (2008). A SHORT NOTE ON SECRET SHARING USING ELLIPTIC CURVES. In Proceedings of the International Conference on Security and Cryptography (SECRYPT 2008), pages 359-362. DOI: 10.5220/0001918303590362. Copyright © SciTePress.

2 SECRET SHARING USING ELLIPTIC CURVES

Shamir's scheme for secret sharing (Shamir, 1979) uses polynomial arithmetic and interpolation. The scheme encodes a secret as the constant term of an otherwise randomly chosen polynomial $f(x)$ of degree $t-1$ defined over a fixed finite field $K$. A share of the secret is then a pair $(x_i, f(x_i)) \in K^2$. The first component $x_i$ of this share can even be made public and directly depend on the identity of the corresponding participant, but the second component $f(x_i)$ must be kept absolutely secret. Any $t$ different such pairs are sufficient to reconstruct the secret using polynomial interpolation; on the other hand, knowledge of fewer than $t$ pairs does not yield the polynomial $f$, and therefore does not open the shared secret.

There exist several algorithms for polynomial interpolation over a field (see, e.g., (Stoer and Bulirsch, 1991)). Using the polynomial $\omega(x) = \prod_{j=1}^{t} (x - x_j)$, the Lagrange interpolating polynomial $f(x)$ for $t$ pairs $(x_i, f(x_i))$, $1 \le i \le t$, is given as

$$f(x) = \sum_{i=1}^{t} \frac{\omega(x)}{(x - x_i)\cdot \omega'(x_i)} \cdot f(x_i). \tag{1}$$

Interestingly for elliptic curves, formula (1) is linear in $f(x_i)$, and therefore easy to apply also in the group of points on an elliptic curve. We assume that from an ECC setup we already know a cryptographically strong elliptic curve $E$ defined over a finite prime field $K$ of $q$ elements and a base point $P \in E(K)$ with order larger than $q$. For simplicity, we assume that $E(K)$ is cyclic, and $P$ is a generator of the group. Additionally, for every participant $i$ in the threshold scheme there exists a public key point $Q_i = d_i \cdot P$, where the integer $0 < d_i < \mathrm{ord}(P)$ defines the secret key of that participant.

The general idea of the elliptic curve (n,t)-threshold scheme is based on the fact that with (1) we can determine $f(\lambda)\cdot P$ for $P$ and any integer $0 \le \lambda < q$ if we know $t$ different points $f(x_i)\cdot P$ for modulo $q$ pairwise different integers $x_i \not\equiv 0 \bmod \mathrm{ord}(P)$. Therefore, the trusted third party can set up the system by choosing a random polynomial $f(x) \in K[x]$ of degree $t-1$, and secretly distributing the shares $(x_i, f(x_i)\cdot P)$, $1 \le i \le n$, to the $n$ participants. The $n$ integers $0 < x_i < q$ must be pairwise different, but as in Shamir's system they can be made public or directly computable from the identity of the participants. Secure distribution of the secret part $f(x_i)\cdot P$ of the shares to the participants can be done by encrypting it with the ECC public key of the corresponding participant. This ciphertext is then either communicated to that participant over an insecure channel, or it can be published, since only the owner of the correct ECC secret key can open that partial share.

When at least $t$ participants pool their shares, they can determine the point $f(0)\cdot P$ using (1). In contrast to Shamir's system, we do not encode the global secret $m$ as one of the coordinates of a point, but we use $f(0)\cdot P$ as a secret key for some fixed secret key cryptosystem to encrypt $m$. More precisely, we proceed as in the Elliptic Curve Integrated Encryption Scheme (e.g., (Certicom, 2000)) and apply a secret key cryptosystem ENC, a key derivation function KDF and a message authentication code MAC to first find $k_E \,\|\, k_M = \mathrm{KDF}(x(f(0)\cdot P))$ and then publish the encrypted secret as $c \,\|\, d$, where $c = \mathrm{ENC}(k_E, m)$ and $d = \mathrm{MAC}(k_M, c)$. It is obvious that anybody who can determine the secret point $f(0)\cdot P$ can also easily open the encrypted global secret by first computing $k_E$ and $k_M$ and then applying the secret key decryption procedure.

Theorem 1. Knowledge of $t$ or more shares opens the global secret $m$. On the other hand, knowledge of fewer than $t$ shares only yields at least $q/2$ many possibilities for the input of the KDF if the order of $P$ is greater than $q$.

Proof: The proof is essentially equal to the proof of Shamir's system. As described above, the point $f(0)\cdot P$ can be determined easily with polynomial interpolation for $t$ or more known shares. On the other hand, there are $q$ possible constant terms for polynomials of degree $t-1$ given at most $t-1$ pairs $(x_i, f(x_i))$. If the order of $P$ is greater than $q$, then this leads to $q$ possibilities for the point $f(0)\cdot P$. Since we are using only the $x$-coordinate of that point to encrypt the global secret, there remain at least $q/2$ many possible inputs to the KDF.

It should be noted that KDF and ENC should be chosen with appropriate parameters (especially providing a sufficiently large key space for ENC), since otherwise the total system will be insecure. After the setup of the threshold scheme, the following protocol can be started by a dedicated participant (with index 1) to open the shared secret with the help of $t-1$ other participants:

• Participant 1 chooses a random point $H \in E(K)$, decrypts his encrypted share $f(x_1)\cdot P$ using his secret ECC key and determines with his share the result $H - \frac{\omega(0)}{x_1 \cdot \omega'(x_1)} \cdot (f(x_1)\cdot P)$. Then he sends this information to the next participant. Note that if all values $x_i$ are publicly known, then $\omega(0)$ and $\omega'(x_i)$ can be precomputed.

• The second participant decrypts his secret share $f(x_2)\cdot P$ with his secret ECC key, subtracts the point $\frac{\omega(0)}{x_2 \cdot \omega'(x_2)} \cdot (f(x_2)\cdot P)$ from his input point and sends the result to the next participant. All other participants do the same with their shares, respectively. The last participant forwards the result to participant 1, who started the whole protocol.

• Participant 1 subtracts the randomly chosen initial point $H$ from his input point and obtains the secret point $f(0)\cdot P$. He can then open the global secret.

The proof that this scheme really determines $f(0)\cdot P$ follows directly from (1). Note that this EC threshold scheme is neither ideal nor perfect, but nevertheless it is practical since it does not require knowledge of any additional secret key.
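The share construction of Section 2 and the sequential pooling protocol above, as an added example that is not part of the original note: schoolbook affine arithmetic on secp256k1 (assumed here as the "ECC setup" curve with base point $G$ in the role of $P$), with $f$ and the coefficients $\omega(0)/(x_i\cdot\omega'(x_i))$ taken modulo $\mathrm{ord}(G) = N$, an assumption of this example; the encryption of shares under each participant's ECC key and the KDF/ENC/MAC step are left out.

```python
import random
# secp256k1 parameters (the assumed ECC setup): field prime, base point G, ord(G) = N.
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
O = None  # point at infinity

def ec_neg(pt): return O if pt is O else (pt[0], (-pt[1]) % P_MOD)

def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_p."""
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt (k reduced mod ord(G))."""
    acc, k = O, k % N
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def lagrange_coeff(i, xs):
    """omega(0) / (x_i * omega'(x_i)) mod N, with omega(x) = prod_j (x - x_j) as in (1)."""
    w0, wprime = 1, 1
    for j, xj in enumerate(xs):
        w0 = w0 * (-xj) % N
        if j != i: wprime = wprime * (xs[i] - xj) % N
    return w0 * pow(xs[i] * wprime, -1, N) % N

def make_shares(secret, n_parties, t):
    """Trusted third party: random f of degree t-1 with f(0) = secret; share i is (x_i, f(x_i)*G).
    Assumption of this example: f and all interpolation arithmetic are taken mod ord(G) = N."""
    coeffs = [secret % N] + [random.randrange(1, N) for _ in range(t - 1)]
    shares = []
    for x in range(1, n_parties + 1):  # public x_i derived from the participant index
        fx = sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N
        shares.append((x, ec_mul(fx, G)))
    return shares

def pooled_reconstruct(shares):
    """Sequential protocol over any t shares: participant 1 starts from a random H, each
    participant subtracts omega(0)/(x_i omega'(x_i)) * (f(x_i)G), and participant 1 removes H."""
    xs = [x for x, _ in shares]
    H = ec_mul(random.randrange(1, N), G)
    R = H
    for i, (_, share_pt) in enumerate(shares):
        R = ec_add(R, ec_neg(ec_mul(lagrange_coeff(i, xs), share_pt)))
    return ec_add(R, ec_neg(H))  # equals f(0)*G; its x-coordinate would feed the KDF
```

Any $t$ of the $n$ shares recover $f(0)\cdot G$ regardless of the blinding point $H$, while the intermediate points forwarded between participants carry $H$ and reveal nothing about $f(0)\cdot G$ on their own.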

3 VERIFIABLE SECRET SHARING VARIANTS

In the last 10 years, bilinear maps for elliptic curves (also called pairings) have been applied to various cryptographic applications (CL, 2008). We can also use such maps for the EC (n,t)-threshold scheme to provide additional properties. Assume that for a given cryptographically strong elliptic curve $E$ there exists some small positive integer $s$ and a bilinear map $e$,

$$e : E(K) \times E(K) \longrightarrow K_s; \qquad e(a\cdot P, b\cdot Q) = e(P,Q)^{ab},$$

with the additional property that for points $P \ne O$ we have $e(P,P) \ne 1$. Such maps are for example given by the Weil pairing or the Tate pairing (Galbraith et al., 2002). The importance of these maps for cryptographic applications is the fact that they "link" the discrete logarithm in the elliptic curve point group to a discrete logarithm in the finite field $K_s$. Therefore, the security of the ECC system enforces certain conditions on $E$ and $K$ such that the discrete logarithm problem in $K_s$ is also difficult to solve. In the following, we will make use of such maps to add verification procedures to the EC threshold scheme described above (note that similar techniques were also used in (Baek and Zheng, 2004) and (Liu et al., 2007)).

3.1 Verifiable Secret Sharing à la Feldman

We describe an EC variant of the verifiable secret sharing scheme of Feldman (Feldman, 1987), where additional information (so-called commitments) is provided such that the participants can verify the correctness of their shares.

The commitments in the EC variant of Feldman's scheme are given as the field elements $e(P,P)^{a_i} \in K_s$, $0 \le i \le t-1$, where the $a_i$ are the coefficients of the secret polynomial $f(x)$ used for the construction of the shares. These commitments are published by the trusted third party after the system setup. Using these commitments, every participant can determine for any $\lambda \in K$ the value

$$e(P,P)^{f(\lambda)} = \prod_{i=0}^{t-1} e(P,P)^{a_i \lambda^i}. \tag{2}$$

Therefore, the $j$-th participant can determine $e(P,P)^{f(x_j)}$ in two ways: either with (2), or by using his private share $f(x_j)\cdot P$ and a pairing computation. If the two values differ, then either his private share was wrong, or the trusted third party cheated with the publication of the values $e(P,P)^{a_i}$.

Lemma 1. If the two results are equal and the trusted third party did not cheat, then the private share of the $j$-th participant really equals $f(x_j)\cdot P$.

Proof: Assume that the share of the $j$-th participant is incorrect, i.e. he receives a point $\lambda\cdot P$ for some integer $\lambda \ne f(x_j)$, but nevertheless the test above succeeds. Then $e(P,P)^{f(x_j)} = e(P,P)^{\lambda}$, or equivalently, $e(P,P)^{f(x_j) - \lambda} = 1$. So $f(x_j) \equiv \lambda \bmod \mathrm{ord}(P)$, and $\lambda\cdot P = f(x_j)\cdot P$, a contradiction.

With (2), it is obvious that everybody can determine $e(P,P)^{f(\lambda)}$ for every integer $0 \le \lambda < q$. The pairing inversion problem is defined as the problem of computing, for a given value $e(P,H)$, a suitable point $H$. If the pairing inversion problem were easy, then it would also be easy to determine individual shares for non-legitimate users: just determine the field element $e(P,P)^{f(x_j)}$ with (2) and solve the corresponding pairing inversion problem. This would break the complete EC threshold scheme. However, pairing inversion seems in general to be hard (Galbraith et al., 2008). Therefore, practical parameters for the EC threshold scheme should be chosen such that no "simple" algorithm for the pairing inversion problem is known for the elliptic curve used.

3.2 Distributing the Global Secret to All Other Participants

The protocol presented in the last section was started by some dedicated participant. That participant needed the help of at least $t-1$ other participants to determine the point $f(0)\cdot P$ and so open the global secret $m$. A disadvantage of this protocol is the fact that only one out of the $t$ involved participants finally knows $m$. Using the commitments defined above, the dedicated participant can announce the point $f(0)\cdot P$ to all other participants, of course encrypted with the individual secret EC keys of the other participants. Any participant can then use the commitments to determine the value $e(P,P)^{f(0)}$ using (2) and a pairing computation with the received point, so that he can verify the correctness of the information he received from the dedicated first participant. Of course, knowledge of the point $f(0)\cdot P$ is also sufficient to determine the global secret. Note that directly sending an encrypted version of $m$ to all other participants does not give them the possibility to verify the correctness of $m$.

3.3 Verifying Intermediate Results

We can extend the verifiability described in the last section such that even the validity of all intermediate results can be verified. In this variant, a cheating participant (i.e. a participant that does not apply his own private share) can be identified. We extend the protocol given in Section 2 such that every participant publishes his own commitment to his contribution. Remember that the $j$-th participant in the protocol forwards the point

$$R_j = H - \sum_{i=1}^{j} \frac{\omega(0)}{x_i \cdot \omega'(x_i)} \cdot (f(x_i)\cdot P)$$

to the next participant. The commitments of the participants are then given as follows: the initial participant publishes his commitments $e(P,H)$ and $e(P,R_1)$, whereas all other participants add their own commitments as $e(P,R_j)$.

Using these participant commitments, it is easy to check the validity of each intermediate result:

$$e(P,R_j) = e(P,H) \cdot \prod_{i=1}^{j} e(P,P)^{-f(x_i)\,\omega(0)/(x_i \cdot \omega'(x_i))}.$$


Since the dedicated participant that starts the protocol is interested in obtaining the global secret, he should have no interest in cheating, and we assume that he is honest.

Theorem 2. If the first participant is honest, then the identity of any cheating participant can be determined from the participant commitments.

Proof: During the protocol, every participant compares the pairing value determined with the input point he received from the previous participant with that participant's commitment. If the two pairing values do not match, then obviously that participant was cheating, and the protocol exits with an error. Note also that

$$e(P,R_j) = e(P,R_{j-1}) \cdot e(P,P)^{-f(x_j)\,\omega(0)/(x_j \cdot \omega'(x_j))}, \tag{3}$$

such that the correctness of the $j$-th commitment depends directly on the correctness of the previous commitment (note that the second term in the product can be computed using the trusted third party's commitments). Therefore, the commitment of the first participant can be used to successively verify the correctness of all other participants' commitments, such that a cheating participant $j$ must publish his correct commitment $e(P,R_j)$. Assume that he cheats by forwarding a wrong intermediate point $R'_j \ne R_j$ to the next participant. Since $e(P,R'_j) = e(P,R_j)$ implies $e(P, R'_j - R_j) = 1$, or $R'_j = R_j$ (note that the group of points is cyclic), this will be detected by participant $j+1$ when he compares the two possibilities for $e(P,R_j)$ determined with (3) and with a pairing computation based on his two input points $P$ and $R'_j$.

4 CONCLUSIONS

In this short note we have presented a simple generalization of Shamir's (n,t)-threshold scheme based on elliptic curves and three variants of it that use bilinear maps. This EC threshold scheme needs no additional secret keys, since it reuses existing public and secret ECC keys. It can therefore be directly used with existing EC security devices.

REFERENCES

Baek, J. and Zheng, Y. (2004). Identity-based threshold decryption. In PKC 2004, LNCS 2947, pages 262–276.

Certicom (2000). Standards for efficient cryptography, SEC 1: Elliptic curve cryptography. Available at http://www.secg.org/download/aid-385/sec1_final.pdf.

CL (2008). The pairing-based crypto lounge. Website at http://paginas.terra.com.br/informatica/paulobarreto/pblounge.html.

Feldman, P. (1987). A practical scheme for non-interactive verifiable secret sharing. In IEEE Symposium on Foundations of Computer Science, pages 427–437.

Galbraith, S., Harrison, K., and Soldera, D. (2002). Implementing the Tate pairing. In Algorithmic Number Theory Symposium – ANTS-V, Lecture Notes in Computer Science, volume 2369, pages 324–337. Springer.

Galbraith, S., Hess, F., and Vercauteren, F. (2008). Aspects of pairing inversion. Technical report, Katholieke Universiteit Leuven. Available at http://homes.esat.kuleuven.be/~fvercaut/.

Hankerson, D., Menezes, A., and Vanstone, S. (2004). Guide to Elliptic Curve Cryptography. Springer.

Koblitz, N. (1987). Elliptic curve cryptosystems. In Mathematics of Computation, volume 48, pages 203–209.

Liu, S., Chen, K., and Qiu, W. (2007). Identity-based threshold decryption revisited. In ISPEC 2007, LNCS 4464, pages 329–343.

Menezes, A., van Oorschot, P., and Vanstone, S. (1997). Handbook of Applied Cryptography. CRC Press.

Shamir, A. (1979). How to share a secret. In Communications of the ACM, volume 22, pages 612–613.

Stoer, J. and Bulirsch, R. (1991). Introduction to Numerical Analysis. Springer.
