Secrecy Computation without Changing Polynomial Degree in Shamir’s (K, N) Secret Sharing Scheme
Takeshi Shingu¹, Keiichi Iwamura¹ and Kitahiro Kaneda²
¹ Tokyo University of Science, Tokyo, Japan
² Institute of Document Analysis and Knowledge Science, Osaka Prefecture University, 1-1 Naka-ku, Sakai, Osaka, Japan
Keywords: Secrecy Computation, Secrecy Multiplication, Secrecy Division, Secrecy Addition, Secrecy Subtraction,
(K, N) Secret Sharing Scheme.
Abstract: In this paper, we propose a new secrecy multiplication scheme without changing the degree in Shamir’s
(K, N) secret sharing scheme. This scheme generates a scalar value called concealed secret, which
multiplies a secret by a random number, and distributes the concealed secret by using a secret sharing
scheme. When secrecy multiplying, we temporarily reconstruct the concealed secret, and multiply it with
a share. Therefore, we can perform secrecy multiplication without changing the degree of polynomials by
multiplying a polynomial and scalar value. Our scheme can extend to secrecy division by dividing a share
with the concealed secret. In addition, we propose secrecy addition and subtraction schemes. We evaluate
the security of our schemes, and show a possible application that cannot be realized using the conventional
scheme.
1 INTRODUCTION
Cloud computing (Mell, 2011) has brought about
considerable changes in users’ data utilization. Users
can save their data on a server in a network instead of
a self-managed server, and can access it from
anywhere via a network. However, this incurs some
security risks, including server or network failure, in
which the users cannot access their data stored on the
cloud system. Furthermore, because attacks also are
concentrated on the data storage location, the risk of
information leakage increases. In particular, in
situations where confidential business information is
compromised, the leak can cause serious damage.
To counteract those risks, data encryption is
recommended. In addition, the saved encrypted data
is often assumed to be applicable to secrecy
calculations without the recovery of the secret data in
the cloud system. Therefore, some cloud systems
consider applying the “secret sharing scheme”
(Shamir, 1979), (Blakley, 1984) to solve the
abovementioned problems.
Shamir’s (k, n) secret sharing scheme (Shamir,
1979) is a prototypical secret sharing scheme that
distributes n shares of a secret and recovers the secret
from shares. This implies that no secret is revealed
if shares are not revealed, and a secret can be
restored even if  shares are lost because of a
server or network failure. In addition, the secrecy
calculation based on the scheme is performed at high
speed. Therefore, Shamir’s (k, n) secret sharing
scheme is suitable for cloud computing systems.
Secrecy calculation (Asharov, 2012), (Beaver,
1991), (Ben-Sasson, 2011), (Ben-Or, 1988) is a
technique for performing a computation while
keeping the input data secret. It is well known that
secrecy addition and subtraction can be easily
realized using Shamir’s (k, n) secret sharing scheme.
However, in secrecy multiplication, the degree of
polynomial would change from 1 to 2 2
because a multiplication of shares is a multiplication
between polynomials with a degree of 1.
Therefore, the threshold value changes only when
secrecy multiplication is performed.
In this paper, we propose a new secrecy
multiplication scheme without changing the degree of
polynomials. The scheme generates a scalar value
called concealed secret, which multiplies a secret by
a random number, and distributes the concealed
secret by using a secret sharing scheme. When
multiplying, we temporarily reconstruct the
concealed secret and multiply it with a share. Thus,
we can perform secrecy multiplication without
changing the degree of a polynomial, because the
multiplication of two polynomials is transformed into
the multiplication of a polynomial and a scalar value.
Our scheme can be extended to secrecy division by
dividing a share by the concealed secret. In addition,
we propose the secrecy addition and subtraction
schemes by considering the concealed secret,
evaluate the security of our schemes, and show the
possible application that cannot be realized using our
schemes.
The remainder of this paper is organized as
follows. In section 2, we describe the conventional
secrecy computation. In section 3, we propose new
secrecy multiplication, division, addition and
subtraction schemes. In section 4, we evaluate the
security of our schemes and discuss the possible
application. Finally, we summarize the results in
section 5.
Shingu, T., Iwamura, K. and Kaneda, K.
Secrecy Computation without Changing Polynomial Degree in Shamir’s (K, N) Secret Sharing Scheme.
DOI: 10.5220/0005998800890094
In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications (ICETE 2016) - Volume 1: DCNET, pages 89-94
ISBN: 978-989-758-196-0
Copyright © 2016 by SCITEPRESS Science and Technology Publications, Lda. All rights reserved
2 CONVENTIONAL SCHEME
2.1 Shamir’s (K, N) Secret Sharing Scheme
In this paper, is a secret to be distributed, is the
number of players, and is the threshold to restore
the secret.
[Distribution]
1. The dealer selects a prime number that
satisfies  and .
2. The dealer chooses elements of GF() and
assigns them to each player as

,,,
.
3. The dealer generates equation from secret
and  random numbers, that is,

,,,
selected from elements of
GF().


⋯


mod
4. The dealer calculates


,,,
and distributes them to each player
.
[Reconstruction]
1. The shares that are used for reconstruction are
assumed to be
,,,
.
The user who reconstructs the secret s obtains s
by solving simultaneous equations by using the
shares.
2.2 Secrecy Computation
Let  be two secrets that are shared using
polynomials

, which are of degree
1. Each player
has

. Let (
0) be a scalar value. The secrecy addition  and
the secrecy multiplication  are easy to perform
because the degree of the polynomials that is obtained
as a result remains unchanged.
[Secrecy addition and subtraction]
1.
computes


, which is
the share of , and sends it to the user.
2. The user who reconstructs the result of 
solves simultaneous equations by using
shares.
Similarly, secrecy subtraction can be realized by
changing “” to “”.
[Secrecy multiplication]
Secrecy multiplication using

is
not as simple as addition because the multiplication
of
and
of degree 1 will result in
of degree 2 2. Therefore, a degree reduction
and a randomization of
is required.
The reduction step
Let

⋯


and


. Each
has
. Define the
truncation of
to be




, and

.
Let 
,⋯,

and 
,⋯,

,
then there is a constant  matrix A such that

.
Let H be an n-vector such that

,⋯,

,⋯,

,0,⋯,0
and let K be an n-vector such that

,⋯,

,0,⋯,0.
Let 
,
be the  (Vandermonde)
matrix, where
,

for , 0,,1.
Furthermore let the linear projection P
,⋯,


,⋯,

,0,⋯,0. Then, we
have






The randomization step
To randomize the coefficients of the polynomial,
each
randomly selects a polynomial
 of
degree 2 2 with a zero free coefficient and
distributes its shares among the players. Thus, instead
of using  in this reduction players can use





DCNET 2016 - International Conference on Data Communication Networking
which satisfies
0

0
; however, the other
coefficients of
,11 are completely
random.
3 PROPOSED SCHEME
Our scheme can be applied to any homomorphic
,
secret sharing scheme. Therefore, we used
Shamir’s secret sharing scheme. In this section, we
describe the distribution, reconstruction, and secrecy
multiplication, division, addition, and subtraction.
The variables and are secrets and are elements of
GF( ).
and
are random numbers and are
selected from the elements of GF(). The variables
and are primes, and ≧2. The secrets and
random numbers are non-zero. Computations are
performed on the field of GF(q). Our scheme assumes
a semi-honest model, and all players follow our
scheme.
3.1 Notation
: A share of for player
by using secret
sharing scheme
: A set of shares, such as

,
,⋯,

, on for player
.




,⋯,


: Distributing
 to the shares

,⋯,


.


,⋯,


 : Reconstructing
 from the shares

,⋯,


.
3.2 Distribution
Input :
Output :
≔

,
,⋯,



0,1,, 1
1. The dealer picks random numbers

,⋯,

and computes as follows:



2. The dealer then computes  as a concealed
secret and distributes
,
,⋯,

to
players by using the
,
secret sharing
scheme.




,⋯,




,⋯,





,⋯,


3. Player
has
≔

,
,⋯,

as shares on secret .
3.3 Reconstruction
Input :
≔

,
,⋯,



0,1,, 1
Output :
1. A user who restores secret collects
from
players.
2. The user obtains secret by reconstructing
,
,⋯,

as follows,


,⋯,




,⋯,




,⋯,










3.4 Secrecy Multiplication
We assume that player
0,1,,1
has
and
for secrets and , respectively.
From
0,1,, 1
of the output, we
can restore  through reconstruction shown in
section 3.3.
Input :
,
0,1,,1
Output :

0,1,,1
1.
collects

from players.
2.
reconstructs  and sends it to all players.


,⋯,



3.
computes

by multiplying the share

by .
4.
collects 
,⋯,

and

,⋯,

from players and
reconstructs
and
.
5.
computes
and performs 
.
6.
has 

,
,⋯,


, where

is a randomized share.
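The degree problem described in sections 1 and 2.2 and the scalar multiplication of step 3 above, as an added example that is not code from the paper. The modulus `P`, the evaluation points 1..n, the function names and the sample secrets are assumptions made for the illustration. The handling of the random factors in steps 4 to 6 is left out, so the result stays multiplied by the two random numbers.

```python
import random

P = 2**61 - 1  # assumed prime modulus; the paper only requires a prime field

def share(secret, k, n, rng):
    """Shamir (k, n): shares f(1..n) of a random degree k-1 polynomial, f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(1, P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x = 0 through every point in {x: f(x)}."""
    total = 0
    for xi, yi in shares.items():
        num = den = 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def first_k(shares, k):
    """The threshold subset: shares held by players 1..k."""
    return {x: shares[x] for x in range(1, k + 1)}

def naive_product(a, b, k, n, rng):
    """Conventional approach: each player multiplies its two shares.
    The product polynomial has degree 2k-2, so all n shares are interpolated."""
    sa, sb = share(a, k, n, rng), share(b, k, n, rng)
    return reconstruct({x: sa[x] * sb[x] % P for x in sa})

def concealed_product(a, b, k, n, rng):
    """Concealed-secret idea: open alpha*a, then scale the shares of beta*b by it.
    Returns (value rebuilt from k shares, alpha*beta); alpha*beta is returned
    only so the caller can check the result."""
    alpha, beta = rng.randrange(1, P), rng.randrange(1, P)
    s_alpha_a = share(alpha * a % P, k, n, rng)
    s_beta_b = share(beta * b % P, k, n, rng)
    opened = reconstruct(first_k(s_alpha_a, k))           # public scalar alpha*a
    scaled = {x: opened * y % P for x, y in s_beta_b.items()}  # degree stays k-1
    return reconstruct(first_k(scaled, k)), alpha * beta % P

if __name__ == "__main__":
    a, b = 97, 12  # constructed sample secrets (non-zero, as the scheme requires)
    print(naive_product(a, b, 3, 5, random.Random(1)) == a * b)  # n = 2k-1 shares
    print(naive_product(a, b, 3, 3, random.Random(1)) == a * b)  # n < 2k-1 shares
    value, ab = concealed_product(a, b, 3, 3, random.Random(1))
    print(value == ab * a * b % P)
```

With (k, n) = (3, 3), the share-by-share product cannot be interpolated correctly because only three points of a degree-4 polynomial exist, while the scalar-times-share result is recovered from the same three players.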
3.5 Secrecy Division
Input :
,
0,1,,1
Output :
/
0,1,,1
1.
collects

from players.
2.
reconstructs  and sends it to all players.
3.
computes
/
by dividing the share

by .
4.
collects 
,⋯,

and

,⋯,

from players and
reconstructs
and
.
5.
computes
/
and performs 
/
.
6.
has 
/
,
/
,⋯,

/

where
/
is a randomized share.
3.6 Secrecy Addition and Subtraction
It is possible to perform secrecy addition and
subtraction by using the concealed secret, although it
is not efficient compared to the conventional scheme.
The computation of

from
and
for
secrets and is as follows.
Input:
,
0,1,,1
Output:

0,1,,1
1.
collects 
,⋯,

and

,⋯,

, and reconstructs
,
.
picks a random number
∈/ and sends

and
to
.
2.
reconstructs and, and sends them to
all players.






3.
computes the share of 

as
follows:







4.
computes
and performs

.
5.
holds
≔



,
,⋯,



Similarly, the secrecy subtraction can be realized by
changing “” to “”.
4 SECURITY EVALUATION AND DISCUSSION
4.1 Security Analysis of Secrecy Multiplication and Division
In secrecy multiplication, all players know , but
cannot know , because is a random number.
Namely, the expression below is realized, where
 shows the entropy of .
 |
Even if
0,1,,2
colludes, and
are not revealed, although
knows
and
.
 |
,…,

 |
,…,

Next, because  is multiplied by the share

,
 is not revealed even if 1 players collude.
 |,

,…,


In addition,  is not revealed, because  is not
known.
 |
,…,


Let denote an arbitrary set of participants such
that ||  1. Then, we have
 |
 |
 |
where  denotes a set of shares on that are
given to each participant in ,  denotes a set of
shares on given to each participant in , and 
denotes a set of shares on and given to each
participant in .
Alternatively, let denote an arbitrary set of
participants such that || . Then, it is clear that
the reconstruction algorithm can recover the secret
from the shares given to each participant in .
In the reconstruction, although the user who
restores the result  knows  and , he cannot
know or . Even if the user and 1 players
collude, they cannot know or .
Secrecy division has the same security.
4.2 Security Analysis of Secrecy Addition and Subtraction
In secrecy addition, all players know and. In
the reconstruction, the user who restores 
knows  and 

. Therefore, if a user and
a player collude, and are known. However,  or
 cannot be reconstructed, even if the user and 
1 players collude. Therefore, they cannot know or
.
Secrecy subtraction has the same security.
4.3 Combination of Secrecy Addition and Multiplication
In our scheme, a simple combination of secrecy
multiplication and addition has a problem.
Input:
,
0,1,, 1
Output:

,


0,1,, 1
1. All players perform secrecy multiplication, as
shown in section 3.4, and obtain 
.
2.
All players perform secrecy addition, as shown
in section 3.6, and obtain
.
Therefore,  is known in secrecy multiplication,
and and are known in secrecy addition.
Therefore, and are known.
To solve this problem, we prepare one or more
sets for a secret. 
represents a different set of
shares for secret by using different random
numbers
selected independently (as in section 3.2).
For example, when
and 
0,,1
are
uniform random numbers,
and
are
expressed as follows;

,
,⋯,


,
,⋯,





,




By using 
, we can combine secrecy
multiplication and addition as follows, (where 
is
deleted after it is used).
Input:
,
,
,
0,1,,1
Output:

,


0,1,, 1
1. All players perform secrecy multiplication, as
shown in section 3.4, by using 
and 
,
and obtain 
.
2.
All players perform secrecy addition as shown
in section 3.6, by using 
and 
, and
obtain
.
3.
All players delete 
, 
,
, and 
.
In this case, because the of  in secrecy
multiplication and the in secrecy addition are
different, is not revealed.
In the case where 
calculated using

,…, 
is used twice, such as in a square
calculation, 
calculated from 
,…, 
is
used as 

.
Therefore, secrecy multiplication, division,
addition, subtraction, and the combination of secrecy
multiplication (division) and secrecy addition
(subtraction) have information theoretical security.
4.4 Possible Application
As the conventional scheme requires 21 , the
value of must be approximately twice that of . In
a cloud system, because is the number of servers
that store the shares, the composition of the cloud
system is restricted. For example, (k, n) = (2,2), (3,3), (3,4) cannot be selected. In contrast, our
scheme can select and
≦
without restriction.
As one application, we consider the diagnostic
data for patients such as their blood glucose level and
the value of hemoglobin. Such values do not take 0.
We consider the case where a medical company
wants to maintain the average blood glucose level of
a certain number of patients in different hospitals,
keeping the sum of blood glucose level and total
number of patients secret. Let the number of hospitals
be three. Further, let 1, 1, and 1 be the blood
glucose levels, and 2, 2, and 2 be the number of
patients in hospitals A, B, and C, respectively. In this
case, the (3,3) secret sharing scheme is suitable.
When the conventional scheme is used, hospital A
distributes
1
and
2
, hospital B distributes
1
and
2
, and hospital C distributes
1
and
2
to the other two hospitals, where j = A, B, C.
Each hospital calculates
11 1
and
22 2
, respectively. To obtain the average,
it is necessary to divide
11 1
by
22 2
. However, division of shares is
difficult through the conventional scheme. If the three
hospitals send the shares to the company, and the
company can restore 111 and 22
2, it can obtain the average by dividing them.
However, the company knows the sum of blood
glucose level and the total number of patients of the
three hospitals. Even if the shares of the
multiplicative inverse of the total number are
obtained, the conventional scheme cannot calculate
the multiplication of shares because of (k,n)=(3,3).
In contrast, our schemes can perform secrecy
addition and division by using (3,3) secret sharing
scheme. In this case, each hospital has 1
, 1
,
1
, 2
, 2
, and 2
(j = A, B, C), and
calculates 111
and 222
by
using secrecy addition as shown in section 3.6. The
average is obtained using secrecy division as shown
in section 3.5, or using secrecy multiplication with the
shares of the multiplicative inverse as shown in
section 3.4. If other secrecy calculations are needed,
1
, 1
, 1
, 2
, 2
, and 2
are never
used, instead 1
, 1
, 1
, 2
, 2
, and
2
are generated and used.
5 CONCLUSIONS
We proposed a new secrecy multiplication scheme
without changing the degree of the polynomials in a
, secret sharing scheme. In this scheme, we can
set  in secrecy multiplication. This scheme has
information theoretical security, and can be extended
to secrecy division, addition, and subtraction. Our
new schemes realize some applications that were not
possible by using the conventional scheme.
REFERENCES
Shamir, A. 1979. How to share a secret. Communications
of the ACM, 22, (11), pp. 612-613.
Blakley, G. R. 1984. Security of ramp schemes. CRYPTO
’84, pp. 242-268.
Mell, P., Grance, T. 2011. The NIST Definition of Cloud
Computing. National Institute of Standards and
Technology.
Asharov, G., Jain, A., López-Alt, A., Tromer, E.,
Vaikuntanathan, V., Wichs, D. 2012. Secrecy
computation with low communication, computation and
interaction via threshold FHE. In D. Pointcheval and T.
Johansson, editors, EUROCRYPT, volume 7237 of
Lecture Notes in Computer Science, pp. 483–501.
Springer.
Beaver, D., 1991. Efficient secrecy protocols using circuit
randomization. In J. Feigenbaum, editor, CRYPTO,
volume 576 of Lecture Notes in Computer Science, pp.
420–432. Springer.
Ben-Sasson, E., Fehr, S., Ostrovsky, R. 2011. Near-linear
unconditionally-secure secrecy computation with a
dishonest minority. IACR Cryptology ePrint Archive,
2011:629.
Ben-Or, M., Goldwasser, S., Wigderson, A. 1988.
Completeness theorems for non-cryptographic fault-
tolerant distributed computation. Communications of
the ACM, pp. 1-10.
Krawczyk, H. 1994. Secret sharing made short. CRYPTO
’93, pp. 136-146.
Kawamoto, Y., Yamamoto, H. 1985. (k,L,n) Ramp secret
sharing systems for functions. IEIC, vol. J68-A, no. 9,
pp. 945-952.
Ito, M., Saito, A., Nishizeki, T. 1987. Secret sharing
scheme realizing general access structure. Proceedings
of the IEEE Global Telecommunications Conference,
Globecom ’87, pp. 99-102.