- Email: [email protected]
Standardization of Carbon Fiber Composite Core Aluminum Conductor
Hindawi Security and Communication Networks Volume 2019, Article ID 2387358, 7 pages https://doi.org/10.1155/2019/2387358
Research Article A Novel (π‘, π) Secret Sharing Scheme Based upon Eulerβs Theorem Hefeng Chen 1
1
and Chin-Chen Chang
2
Computer Engineering College, Jimei University, Xiamen 361021, China Department of Information Engineering and Computer Science, Feng Chia University, Taichung 407, Taiwan
2
Correspondence should be addressed to Chin-Chen Chang; [email protected] Received 13 August 2018; Accepted 13 March 2019; Published 1 April 2019 Academic Editor: Salvatore DβAntonio Copyright Β© 2019 Hefeng Chen and Chin-Chen Chang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The (π‘, π) secret sharing scheme is used to protect the privacy of information by distribution. More specifically, a dealer splits a secret into n shares and distributes them privately to n participants, in such a way that any t or more participants can reconstruct the secret, but no group of fewer than t participants who cooperate can determine it. Many schemes in literature are based on the polynomial interpolation or the Chinese remainder theorem. In this paper, we propose a new solution to the system of congruences different from Chinese remainder theorem and propose a new scheme for (π‘, π) secret sharing; its secret reconstruction is based upon Eulerβs theorem. Furthermore, our generalized conclusion allows the dealer to refresh the shared secret without changing the original share of the participants.
1. Introduction Secret sharing is used as one of basic cryptographic primitives in computer science including electronic voting [1], distributed cloud computing [2], key management [3], and data hiding [4]. The (π‘, π) secret sharing (SS) was first introduced by Shamir [5] based on the Lagrange interpolating polynomial and Blakley [6] based on the hyperplane geometry in 1979, independently. In 1983, Mignotteβs scheme [7] and Asmuth-Bloomβs scheme [8] were proposed based on the Chinese remainder theorem (CRT). A perfect (π‘, π) secret sharing scheme [5] has two properties: (1) Any π‘ or more shares can recover the secret. (2) Any π‘ β 1 or fewer shares reveal no information about the secret. The research on secret sharing has become the subject of many researchers; different types of secret sharing scheme have been designed to address different application requirements. For example, verifiable secret sharing [9, 10] allows the participants to verify the correctness of their share without leaking the confidentiality of both shares and the secret; weighted secret sharing [11] allows the participants with different privileges by holding the shares with different weights; multi-secret sharing [12] allows more than one secret to be shared. However, the major
techniques used can still be categorized in the above three methods. The CRT is to reconstruct a positive integer from its remainders modulo a series of integer moduli. It is widely used in the calculation of large integers, because it allows replacing a calculation for which one knows a bound on the size of the result by several similar computations on small integers. The CRT has many applications in various areas, like secret sharing [3, 4], the RSA decryption algorithm [13], the discrete logarithm algorithm [14], and the radio interferometric positioning system [15], etc. The main contributions of our paper are summarized as follows: (a) Using Eulerβs theorem to present a new method of the solution to the system of congruence (b) First proposing a new type of secret sharing scheme based upon Eulerβs theorem (c) Using Eulerβs theorem to present a new method of the solution to the system of congruence in the generalized CRT
2
Security and Communication Networks (d) Proposing a refreshable secret sharing scheme to implement the secret refresh mechanism with the same shares.
Based on the equivalence between the conclusion of this paper and the CRT, our method is sufficient to be directly applied with the CRT-based scheme to achieve the same goal. The rest of this paper is organized as follows. In Section 2, we describe some preliminaries on number theory and prove that the system of congruence has another solution form which is different from the CRT. In Section 3, we review the Asmuth-Bloomβs scheme. In Section 4, we propose the secret sharing scheme based upon Eulerβs theorem. In Section 5, the security and performance analysis are given. In Section 6, we generalize the conclusion in Section 2 and propose a refreshable secret sharing scheme. In Section 7, we conclude the paper.
Theorem 3. Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers (i.e., if π =ΜΈ π then gcd(ππ , ππ ) = 1), and suppose π1 , π2 , β β β , ππ are integers. Then the system of π congruences π₯ β‘ π1 mod π1 π₯ β‘ π2 mod π2
π₯ β‘ ππ mod ππ
π
In this section, we describe the CRT and Eulerβs theorem firstly. Then we present another method to give the unique solution of the congruent system, by utilizing the properties of them. The Chinese remainder theorem states that if the remainders of the Euclidean division of an integer π₯ by several integers are known, then the remainder of the division of this integer π₯ by the product of these integers can be uniquely determined, under the condition that the divisors are pairwise coprime. Lemma 1 (Chinese remainder theorem (CRT) [16]). Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers, and suppose π1 , π2 , β β β , ππ are integers. Then the system of π congruences π₯ β‘ ππ (mod ππ ) (1 β€ π β€ π) has a unique solution modulo π = βππ=1 ππ , which is given by π
(1)
π=1
where ππ = π/ππ and π¦π = ππβ1 mod ππ for 1 β€ π β€ π. Eulerβs theorem is a generalization of Fermatβs little theorem and is further generalized by Carmichaelβs theorem [17].
π₯ = βππ (ππ )
(2)
where π(π) called Eulerβs phi function is the number of positive integers less than π and relatively prime to π. An efficient way to calculate Eulerβs phi function π(π) is the following Euler product formula [17]: π (π) = π β (1 β π|π
1 ), π
(3)
π(ππ )
mod π,
(5)
π=1
where ππ = π/ππ for 1 β€ π β€ π. Proof. The Chinese remainder theorem shows that the function π : Zπ σ³¨β Zπ1 Γ Zπ2 Γ β β β Γ Zππ π (π₯) = (π1 mod π1 , π2 mod π2 , β β β , ππ mod ππ )
(6)
is a bijection. Now, define a function π : Zπ1 Γ Zπ2 Γ β β β Γ Zππ σ³¨β Zπ as follows: π
π(ππ )
π (π1 , π2 , β β β , ππ ) = βππ (ππ )
mod π.
(7)
π=1
It amounts to show that the function π = πβ1 . Denote π₯ = π(π1 , π2 , β β β , ππ ), and let 1 β€ π β€ π. Consider a term ππ (ππ )π(ππ ) in the above summation, reduced modulo ππ . π1 , π2 , β β β , ππ are pairwise relatively prime positive integers, and ππ = β1β€π‘β€π,π‘=πΜΈ ππ‘ , for 1 β€ π β€ π. If π = π, it is obvious that gcd(ππ , ππ ) = 1; by Eulerβs theorem, we have
Lemma 2 (Eulerβs theorem [17]). If π and π½ are coprime positive integers, then π½π(π) β‘ 1 (mod π) ,
(4)
.. .
has a unique solution modulo π = βππ=1 ππ , which is given by
2. New Solution to the Congruence System
π₯ = βππ ππ π¦π mod π,
where the product is over the distinct prime numbers dividing π. Now, we give another method of solving the systems of congruence and prove its correctness.
π(ππ )
(ππ )
mod ππ = 1.
(8)
On the other hand, if π =ΜΈ π, because ππ | ππ , we have π(ππ )
mod ππ = 0.
π(ππ )
mod ππ = ππ mod ππ .
(ππ )
(9)
Then π
π₯ β‘ βππ (ππ ) π=1
(10)
Since this is true for all π, 1 β€ π β€ π, π₯ is a solution to the system of congruences.
Security and Communication Networks
3
Example 4. Suppose π = 3, π1 = 7, π2 = 11, and π3 = 13. Then π = 1001, π(π1 ) = 6, π(π2 ) = 10, and π(π3 ) = 12. We compute π1 = 143, π2 = 91, and π3 = 77, and then π(π1 )
mod π = 1436 mod 1001 = 715,
π(π2 )
mod π = 9110 mod 1001 = 364,
π(π3 )
mod π = 7712 mod 1001 = 924.
(π1 ) (π2 ) (π3 )
Example 5. Consider Asmuth-Bloomβs (2, 4) secret sharing scheme. We have a pairwise relatively prime integer set {5, 7, 11, 12, 13}. The shared secret π is 4. Let π σΈ = π + πΌπ0 = 4 + 5 Γ 18 = 94. Then, four shares are generated as
(11)
(π1 , π 1 ) = (7, 3) , (π2 , π 2 ) = (11, 6) ,
Then the function π : Z7 Γ Z11 Γ Z13 σ³¨β Z1001 is π (π1 , π2 , π3 ) = (715π1 + 364π2 + 924π3 ) mod 1001.
(12)
For example, if π₯ β‘ 5 mod 7, π₯ β‘ 3 mod 11, and π₯ β‘ 10 mod 13, then this formula tells us that π₯ = (715 Γ 5 + 364 Γ 3 + 924 Γ 10) mod 1001 = 13907 mod 1001 = 894.
(π3 , π 3 ) = (12, 10) ,
(13)
(π4 , π 4 ) = (13, 3) . It is easy to recover the shared secret π by using two shares (π3 , π 3 ) = (12, 10), (π4 , π 4 ) = (13, 3) and the CRT, as shown below. By Euclidean Algorithm, we get π¦3 = 13β1 mod 12 = 1,
This can be verified by reducing 894 modulo 7, 11, and 13.
π¦4 = 12β1 mod 13 = 12,
3. Review of Asmuth-Bloomβs Secret Sharing In 1983, Asmuth and Bloom [8] proposed a novel (π‘, π) SS, in which the shares are the congruence classes of the secret and the corresponding modulus is broadcasted as the participantβs public key. The secret reconstruction is based on CRT. 3.1. Initialization. The π + 1 distinct positive integers π0 , π1 , β β β , ππ are chosen subject to the following conditions: (1) π1 < π2 < β β β < ππ (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π
3.2. Secret Generation. Suppose the shared secret is the integer π β [0, π0 ). Let π σΈ = π + πΌπ0 where πΌ β Z is subject to the condition π σΈ β [0, π1 β π2 β β β β β ππ‘ ). Then let π π β‘ π σΈ mod ππ (π = 1, 2, β β β , π) be the private shares. 3.3. Secret Reconstruction. If π π1 , π π2 , β β β , π ππ‘ are known, π σΈ is obtained by π‘
(14)
π=1
mod πππ . where π = βπ‘π=1 πππ , πππ = π/πππ , and π¦ππ = ππβ1 π Then the shared secret is π = π σΈ mod π0 .
(17)
and then π σΈ = (13 Γ 1 Γ 10 + 12 Γ 12 Γ 3) mod 156 = 562 mod 156 = 94,
(18)
and the secret π = 94 mod 5 = 4 is revealed. Besides, Hwang and Chang [19] proposed a method to generate a pairwise relative prime integer set which satisfies the requirements of Asmuth-Bloomβs and our schemes, and this specific integer set is not unique.
4. Proposed Secret Sharing Scheme
(3) βπ‘π=1 ππ > π0 β βπ‘β1 π=1 ππβπ‘+π+1
π σΈ = βπ ππ πππ π¦ππ mod π,
(16)
(15)
3.4. Security Analysis. However, Harn et al. [18] pointed out that the value π σΈ need be in the t-threshold range (ππβπ‘+2 β ππβπ‘+3 β β β β β ππ , π1 β π2 β β β β β ππ‘ ); otherwise, it could be obtained by fewer than t participants. In the following, we give an example to illustrate this vulnerability.
The traditional (π‘, π) secret sharing scheme is composed of a trusted dealer D and π participants π1 , π2 , β β β , ππ . Our secret sharing scheme consists of three phases, that is, initialization phase, share generation phase, and secret reconstruction phase. In secret generation phase, we improve AsmuthBloomβs scheme by considering the π‘-threshold range. We do the secret reconstruction by Eulerβs phi function, and the correctness is based upon Theorem 3 in Section 2. 4.1. Initialization. The dealer D chooses π + 1 distinct positive integers π0 , π1 , π2 , β β β , ππ such that (1) π1 < π2 < β β β < ππ (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π (3) βπ‘π=1 ππ > (π0 + 1) β βπ‘β1 π=1 ππβπ‘+π+1 The dealer D broadcasts the value π0 and sends the value ππ to participant ππ as his/her public information, for 1 β€ π β€ π. 4.2. Share Generation. Suppose the dealer D wants to share the secret π β Zπ0 .
4
Security and Communication Networks
The dealer D selects an integer πΌ β π‘ [ββπ‘β1 π /π β, β π /π β 1); then let π β‘ 0 0 π π=1 πβπ+1 π=1 π (π + πΌπ0 )mod ππ be the private share of the participant ππ , for 1 β€ π β€ π.
has one unique solution as
4.3. Secret Reconstruction. If π‘ participants pool their shares and corresponding modulus, (π π1 , ππ1 ), (π π2 , ππ2 ), β β β , (π ππ‘ , πππ‘ ), the shared secret can be reconstructed as π = π σΈ mod π0 , where
where π = βπ‘π=1 πππ . As π β₯ π, this uniquely determines π σΈ = π₯ and thus
π‘
π σΈ = β π ππ ( β πππ ) π=1
π(πππ )
mod ( β πππ ) .
1β€πβ€π‘,π=πΜΈ
(19)
1β€πβ€π‘
5. Security and Performance Analysis In this section, we first give security analysis of the scheme proposed in Section 4 and then compare the performance of our proposed secret sharing with that of two types of classical secret sharing. 5.1. Security Analysis. Now we analyze the fact that our proposed (π‘, π) secret sharing is perfect, secure as follows. Theorem 6. Our proposed (π‘, π) secret sharing scheme described in Section 4 is perfect, that is, the following two properties are satisfied: (1) If any π‘ participants pool their shares, then they can determine the value of π . (2) If any π‘ β 1 participants pool their shares, then they can determine nothing about the value of π . Proof. Based on the conditions of our scheme, σΈ
π = π + πΌπ0 ,
βπ‘β1 π=1 ππβπ+1 β π0 β€ π + πΌπ0 < π0 + (π β π0 ) , π0 π‘β1
(20)
(21)
β ππβπ+1 + 1 β€ π < π. π=1
(1) If any π‘ participants pool their shares π π1 , π π2 , β β β , π ππ‘ , as described in Theorem 3, the system of π‘ congruences π₯ β‘ π π1 mod ππ1 π₯ β‘ π π2 mod ππ2
π₯ β‘ π ππ‘ mod πππ‘
mod π,
π = π σΈ mod π0 .
(23)
(24)
(2) If only π‘ β 1 participants pool their shares, π π1 , π π1 , β β β , π ππ‘β1 , then all we have is π β = π σΈ mod π, where σΈ β β β π = βπ‘β1 π=1 πππ . The real secret π β {π , π + π, β β β , π + βπ/π β 1βπ}; since gcd(π, π0 ) = 1 and π/π > π0 , the set of possible values is greater than that of possible secret. Hence, no useful information is compromised. Example 7. Consider the proposed (2, 4) secret sharing scheme. In initialization phase, the dealer D chooses 5 distinct positive integers, π0 = 5, π1 = 7, π2 = 11, π3 = 12, and π4 = 13, which satisfies the conditions on initialization listed in Section 4.1. The minimum value π0 = 5 is broadcasted. And ππ (1 β€ π β€ 4) is sent as the public key of ππ . In sharing phase, suppose the shared secret π = 4. Then dealer D selects an integer πΌ = 18 β [14, 183]. So the private shares of π1 , π2 , π3 , and π4 , are generated as follows: π 1 = 4 + 18 Γ 5 (mod 7) = 3, π 2 = 4 + 18 Γ 5 (mod 11) = 6, π 3 = 4 + 18 Γ 5 (mod 12) = 10,
(25)
In reconstructing phase, suppose that π3 and π4 cooperate; by (19) we have π σΈ = π 4 π3 π(π4 ) + π 3 π4 π(π3 ) mod (π4 β π3 ) = 3 Γ 12π(13) + 10 Γ 13π(12) mod (13 Γ 12) = 94,
(26)
and, then, the secret can be reconstructed as
σΈ
.. .
π(πππ )
π ) π₯ = βπ ππ ( πππ π=1
π 4 = 4 + 18 Γ 5 (mod 13) = 3.
π‘ where ββπ‘β1 π=1 ππβπ+1 /π0 β β€ πΌ < βπ=1 ππ /π0 β 1 and 0 β€ π < π0 . Let π = βπ‘π=1 ππ , we have
0+β
π‘
(22)
π = π σΈ mod π0 = 94 mod 5 = 4.
(27)
As in many literatures, we assume that all participants pool the real shares when they collaborate to recover the shared secret. To enhance the security, it can be combined with other cheater detection mechanisms to check the validity of the shares before recovery of the secret. 5.2. Performance Analysis. In this section, we analyze the computational cost of our proposed scheme and compare it with the other two classic secret sharing schemes, as summarized in Table 1. In Shamirβs (π‘, π) scheme, the secret recovery using the usual polynomial interpolation requires O(π‘ log2 π‘) operations. In the Asmuth-Bloomβs scheme, the modular
Security and Communication Networks
5
Table 1: Comparison of computational cost. Scheme Shamirβs scheme [5] Asmuth-Bloomβs scheme [8] Our scheme
Secret recovery O (π‘ log2 π‘) O (π‘) O (π‘)
because π(ππ )π(ππ ) + ππππ = π. On the other hand, if π =ΜΈ π, because ππ | ππ , we have π(ππ )
(ππ )
mod ππ = 0,
i.e., π π π(ππ )π(ππ ) mod πππ = 0. Therefore, π(ππ )
π
method of secret recovery requires only O(π‘) operations. In our scheme, the computation complexity of (ππ )π(ππ ) mod π requires at most O(log ππ ) operations. However, this can be improved at the cost of storage room by keeping a table. Once the value of (ππ )π(ππ ) mod π (1 β€ π β€ π) is known, it requires only O(π‘) operations to recover the secret.
6. Renewable Secret Sharing Scheme The generalized Chinese remainder theorem (GCRT) [9, 10] is a variation of CRT with an additional integer π introduced as a common modulus. Inspired by GCRT, we have the following result. Theorem 8. Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers (i.e., if π =ΜΈ π then gcd(ππ , ππ ) = 1), and π1 , π2 , β β β , ππ are integers. Suppose π is an integer satisfying max1β€πβ€π {ππ } < π < min1β€πβ€π {ππ }. Let π = βππ=1 ππ . Then the system of π congruences β
π₯ β β‘ π1 mod π π1
β
π₯ β β‘ π2 mod π π2 .. .
β π π (ππ ) π₯ β β mod π = β π=1 π ππ ππ
π₯ β β β‘ ππ mod π ππ
β mod π
π(ππ ) ] [ ] [ π π π (ππ ) ] mod π, [ = ππ ] [
(32)
because π π π(ππ )π(ππ ) /ππ mod π = 0 for π =ΜΈ π. Since π(ππ )π(ππ ) mod πππ = π and π < ππ , we have π(ππ )π(ππ ) /ππ mod π = π/ππ . If ππ ππ is a multiple of π, then π π = βππ β
ππ π
β = ππ β
ππ π
,
(33)
and we have β
π(ππ ) π₯ β mod π = ππ (ππ ) mod π = ππ . ππ
(34)
If ππ ππ is not a multiple of π, then β
(28)
(31)
βππ β ππ /πβ π (1 + π½ππ ) π₯ β mod π = β β mod π ππ ππ =β
βππ β ππ /πβ π
= βππ +
ππ
β mod π
(1 β ((ππ β ππ mod π) /π)) π ππ
(35) β mod π
= ππ ,
has a unique solution modulo ππ, which is given by
because (1 β ((ππ β ππ mod π)/π))π/ππ < 1 and ππ < π.
π
π(ππ )
π₯ = βπ π π (ππ )
mod ππ,
(29)
π=1
where ππ = π/ππ and π π = βππ β ππ /πβ for 1 β€ π β€ π. Proof. It amounts to showing that π₯ in (28) is a solution to the system of congruences (19). The proof of uniqueness is similar to Theorem 3. For 1 β€ π β€ π, consider a term π π π(ππ )π(ππ ) in the above summation, reduced modulo ππ . If π = π, it is obvious that gcd(ππ , ππ ) = 1, by Eulerβs theorem; then we have (ππ )π(ππ ) mod ππ = 1; i.e., there is an integerπ such that (ππ )π(ππ ) + πππ = 1; then π(ππ )
π (ππ )
mod πππ = π,
(30)
Although more computation is required, more flexible performance can be achieved. In the traditional secret sharing scheme, if we want to refresh the secret, the corresponding congruences system should be modified. However, based upon Theorem 8, we can refresh the shared secret without changing the share and the public information of the participants. Compared with the previous scheme, the refreshable secret sharing scheme adds a secret refresh phase. In share generation phase, the dealer needs to broadcast an additional parameter as follows. 6.1. Initialization. The dealer D chooses π + 1 distinct positive integers π0 , π1 , β β β , ππ such that (1) π1 < π2 < β β β < ππ
6
Security and Communication Networks (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π (3)
βπ‘π=1 ππ
> (π0 + 1) β
Acknowledgments
βπ‘β1 π=1 ππβπ‘+π+1
The dealer D broadcasts the value π0 and sends the value ππ to participant ππ as his/her public information, for 1 β€ π β€ π. 6.2. Share Generation. Suppose the dealer D wants to share the secret π β Zπ0 . The dealer D firstly selects and broadcasts an integer π β (0, min1β€πβ€π {ππ }). Secondly, the dealer D chooses a random integer πΌ β [β
βπ‘β1 βπ‘ π π=1 ππβπ+1 β , π=1 π β 1) , π0 π0
(36)
then generating π π β‘ βπ + πΌπ0 /ππ βmod π, which is the private share of the participant ππ , for 1 β€ π β€ π. 6.3. Secret Refreshment. Suppose the dealer D wants to refresh the shared secret without changing the share and the public modulus of the participants which has been sent. The dealer D selects and broadcasts new integer Μπ β (max1β€πβ€π {ππ }, min1β€πβ€π {ππ }); then the secret π Μ = π ΜσΈ mod π0 can be shared by π participants with their original share and public modulus (π π , ππ ), where π
π ΜσΈ = β βππ β π=1
ππ Μ π(π ) β π (ππ ) π mod Μππ. Μπ
(37)
6.4. Secret Reconstruction. If π‘ participants pool their shares and public modulus, (π π1 , ππ1 ), (π π2 , ππ2 ), β β β , (π ππ‘ , πππ‘ ), with the corresponding parameter π, the shared secret can be reconstructed as π = π σΈ mod π0 , where π σΈ π‘
= ββ π=1
πππ β πππ π
π(πππ )
β π ( β πππ ) 1β€πβ€π‘ π=πΜΈ
π‘
mod (πβπππ ) .
(38)
π=1
7. Conclusions In this paper, we first show a new method to reconstruct the secret by the system of congruences utilizing Eulerβs theorem and propose a new type of perfect secret sharing scheme based on modular arithmetic. Furthermore, inspired by [20], we introduce an extra integer to help us to refresh the secret without changing the information the participant holds; only one public broadcasting parameter needs to be updated.
Data Availability The relevant analysis data used to support the findings of this study are included in the article.
Conflicts of Interest The authors declare that they have no conflicts of interest.
This work was partly supported by the National Natural Science Foundation of China (Grant No. 11804114) and the Natural Science Foundation of Fujian Province, China (Grant Nos. 2017J01761 and 2018J01537).
References [1] S. Iftene, βGeneral secret sharing based on the Chinese remainder theorem with applications in E-voting,β Electronic Notes in Theoretical Computer Science, vol. 186, pp. 67β84, 2007. [2] H. Pilaram and T. Eghlidos, βAn efficient lattice based multistage secret sharing scheme,β IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 1, pp. 2β8, 2017. [3] C. Guo and C. Chang, βAn authenticated group key distribution protocol based on the generalized Chinese remainder theorem,β International Journal of Communication Systems, vol. 27, no. 1, pp. 126β134, 2014. [4] P. Singh and B. Raman, βReversible data hiding based on Shamirβs secret sharing for color images over cloud,β Information Sciences, vol. 422, pp. 77β97, 2018. [5] A. Shamir, βHow to share a secret,β Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979. [6] G. R. Blakley, βSafeguarding cryptographic keys,β in Proceedings of the 1979 AFIPS National Computer Conference, vol. 48, pp. 313β317, New York, NY, USA, 1979. [7] M. Mignotte, βHow to share a secret,β in Proceedings of the Workshop on Cryptography, EUROCRYPT 1982: Cryptography, pp. 371β375, Burg Feuerstein, Germany, 1982. [8] C. Asmuth and J. Bloom, βA modular approach to key safeguarding,β IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 208β210, 1983. [9] B. Choc, S. Goldwasser, S. Micali, and B. Awerbuch, βVerifiable secret sharing and achieving simultaneity in the presence of faults,β in Proceedings of the 26th Annual Symposium on Foundation of Computer Science (sfcs 1985), pp. 383β395, 1985. [10] T. P. Pedersen, βNoninteractive and informationtheoretic secure verifiable secret sharing,β in Advances in CryptologyβCRYPTO β91, vol. 576 of Lecture Notes in Computer Science, pp. 129β140, 1991. [11] L. Harn and M. Fuyou, βWeighted secret sharing based on the Chinese remainder theorem,β International Journal of Network Security, vol. 16, no. 6, pp. 420β426, 2014. [12] L. Harn, βSecure secret reconstruction and multi-secret sharing schemes with unconditional security,β Security and Communication Networks, vol. 7, no. 3, pp. 567β573, 2014. [13] S. C. Pohlig and M. E. Hellman, βAn improved algorithm for computing logarithms over GF(p) and its cryptographic significance,β IEEE Transactions on Information Theory, vol. 24, no. 1, pp. 106β110, 1978. [14] J. Quisquater and C. Couvreur, βFast decipherment algorithm for RSA public-key cryptosystem,β IEEE Electronics Letters, vol. 18, no. 21, pp. 905β907, 1982. [15] X. Li, W. Wang, W. Zhang, and Y. Cao, βPhase-detection-based range estimation with robust Chinese remainder theorem,β IEEE Transactions on Vehicular Technology, vol. 65, no. 12, pp. 10132β10137, 2016. [16] H. Cohen, A Course in Computational Algebraic Number Theory, Springer Science & Business Media, 2013.
Security and Communication Networks [17] D. R. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd edition, 2005. [18] L. Harn, C. Hsu, M. Zhang, T. He, and M. Zhang, βRealizing secret sharing with general access structure,β Information Sciences, vol. 367-368, pp. 209β220, 2016. [19] R. J. Hwang and C. C. Chang, βAn improved threshold scheme based on modular arithmetic,β Journal of Information Science and Engineering, vol. 15, pp. 691β699, 1999. [20] Y. Liu and C. C. Chang, βAn integratable verifiable secret sharing mechanism,β Journal of Network Security, vol. 18, no. 4, pp. 617β 624, 2016.
7
International Journal of
Advances in
Rotating Machinery
Engineering Journal of
Hindawi www.hindawi.com
Volume 2018
The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com www.hindawi.com
Volume 2018 2013
Multimedia
Journal of
Sensors Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Journal of
Control Science and Engineering
Advances in
Civil Engineering Hindawi www.hindawi.com
Hindawi www.hindawi.com
Volume 2018
Volume 2018
Submit your manuscripts at www.hindawi.com Journal of
Journal of
Electrical and Computer Engineering
Robotics Hindawi www.hindawi.com
Hindawi www.hindawi.com
Volume 2018
Volume 2018
VLSI Design Advances in OptoElectronics International Journal of
Navigation and Observation Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Hindawi www.hindawi.com
Chemical Engineering Hindawi www.hindawi.com
Volume 2018
Volume 2018
Active and Passive Electronic Components
Antennas and Propagation Hindawi www.hindawi.com
Aerospace Engineering
Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Volume 2018
International Journal of
International Journal of
International Journal of
Modelling & Simulation in Engineering
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Shock and Vibration Hindawi www.hindawi.com
Volume 2018
Advances in
Acoustics and Vibration Hindawi www.hindawi.com
Volume 2018
Research Article A Novel (π‘, π) Secret Sharing Scheme Based upon Eulerβs Theorem Hefeng Chen 1
1
and Chin-Chen Chang
2
Computer Engineering College, Jimei University, Xiamen 361021, China Department of Information Engineering and Computer Science, Feng Chia University, Taichung 407, Taiwan
2
Correspondence should be addressed to Chin-Chen Chang; [email protected] Received 13 August 2018; Accepted 13 March 2019; Published 1 April 2019 Academic Editor: Salvatore DβAntonio Copyright Β© 2019 Hefeng Chen and Chin-Chen Chang. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. The (π‘, π) secret sharing scheme is used to protect the privacy of information by distribution. More specifically, a dealer splits a secret into n shares and distributes them privately to n participants, in such a way that any t or more participants can reconstruct the secret, but no group of fewer than t participants who cooperate can determine it. Many schemes in literature are based on the polynomial interpolation or the Chinese remainder theorem. In this paper, we propose a new solution to the system of congruences different from Chinese remainder theorem and propose a new scheme for (π‘, π) secret sharing; its secret reconstruction is based upon Eulerβs theorem. Furthermore, our generalized conclusion allows the dealer to refresh the shared secret without changing the original share of the participants.
1. Introduction Secret sharing is used as one of basic cryptographic primitives in computer science including electronic voting [1], distributed cloud computing [2], key management [3], and data hiding [4]. The (π‘, π) secret sharing (SS) was first introduced by Shamir [5] based on the Lagrange interpolating polynomial and Blakley [6] based on the hyperplane geometry in 1979, independently. In 1983, Mignotteβs scheme [7] and Asmuth-Bloomβs scheme [8] were proposed based on the Chinese remainder theorem (CRT). A perfect (π‘, π) secret sharing scheme [5] has two properties: (1) Any π‘ or more shares can recover the secret. (2) Any π‘ β 1 or fewer shares reveal no information about the secret. The research on secret sharing has become the subject of many researchers; different types of secret sharing scheme have been designed to address different application requirements. For example, verifiable secret sharing [9, 10] allows the participants to verify the correctness of their share without leaking the confidentiality of both shares and the secret; weighted secret sharing [11] allows the participants with different privileges by holding the shares with different weights; multi-secret sharing [12] allows more than one secret to be shared. However, the major
techniques used can still be categorized in the above three methods. The CRT is to reconstruct a positive integer from its remainders modulo a series of integer moduli. It is widely used in the calculation of large integers, because it allows replacing a calculation for which one knows a bound on the size of the result by several similar computations on small integers. The CRT has many applications in various areas, like secret sharing [3, 4], the RSA decryption algorithm [13], the discrete logarithm algorithm [14], and the radio interferometric positioning system [15], etc. The main contributions of our paper are summarized as follows: (a) Using Eulerβs theorem to present a new method of the solution to the system of congruence (b) First proposing a new type of secret sharing scheme based upon Eulerβs theorem (c) Using Eulerβs theorem to present a new method of the solution to the system of congruence in the generalized CRT
2
Security and Communication Networks (d) Proposing a refreshable secret sharing scheme to implement the secret refresh mechanism with the same shares.
Based on the equivalence between the conclusion of this paper and the CRT, our method is sufficient to be directly applied with the CRT-based scheme to achieve the same goal. The rest of this paper is organized as follows. In Section 2, we describe some preliminaries on number theory and prove that the system of congruence has another solution form which is different from the CRT. In Section 3, we review the Asmuth-Bloomβs scheme. In Section 4, we propose the secret sharing scheme based upon Eulerβs theorem. In Section 5, the security and performance analysis are given. In Section 6, we generalize the conclusion in Section 2 and propose a refreshable secret sharing scheme. In Section 7, we conclude the paper.
Theorem 3. Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers (i.e., if π =ΜΈ π then gcd(ππ , ππ ) = 1), and suppose π1 , π2 , β β β , ππ are integers. Then the system of π congruences π₯ β‘ π1 mod π1 π₯ β‘ π2 mod π2
π₯ β‘ ππ mod ππ
π
In this section, we describe the CRT and Eulerβs theorem firstly. Then we present another method to give the unique solution of the congruent system, by utilizing the properties of them. The Chinese remainder theorem states that if the remainders of the Euclidean division of an integer π₯ by several integers are known, then the remainder of the division of this integer π₯ by the product of these integers can be uniquely determined, under the condition that the divisors are pairwise coprime. Lemma 1 (Chinese remainder theorem (CRT) [16]). Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers, and suppose π1 , π2 , β β β , ππ are integers. Then the system of π congruences π₯ β‘ ππ (mod ππ ) (1 β€ π β€ π) has a unique solution modulo π = βππ=1 ππ , which is given by π
(1)
π=1
where ππ = π/ππ and π¦π = ππβ1 mod ππ for 1 β€ π β€ π. Eulerβs theorem is a generalization of Fermatβs little theorem and is further generalized by Carmichaelβs theorem [17].
π₯ = βππ (ππ )
(2)
where π(π) called Eulerβs phi function is the number of positive integers less than π and relatively prime to π. An efficient way to calculate Eulerβs phi function π(π) is the following Euler product formula [17]: π (π) = π β (1 β π|π
1 ), π
(3)
π(ππ )
mod π,
(5)
π=1
where ππ = π/ππ for 1 β€ π β€ π. Proof. The Chinese remainder theorem shows that the function π : Zπ σ³¨β Zπ1 Γ Zπ2 Γ β β β Γ Zππ π (π₯) = (π1 mod π1 , π2 mod π2 , β β β , ππ mod ππ )
(6)
is a bijection. Now, define a function π : Zπ1 Γ Zπ2 Γ β β β Γ Zππ σ³¨β Zπ as follows: π
π(ππ )
π (π1 , π2 , β β β , ππ ) = βππ (ππ )
mod π.
(7)
π=1
It amounts to show that the function π = πβ1 . Denote π₯ = π(π1 , π2 , β β β , ππ ), and let 1 β€ π β€ π. Consider a term ππ (ππ )π(ππ ) in the above summation, reduced modulo ππ . π1 , π2 , β β β , ππ are pairwise relatively prime positive integers, and ππ = β1β€π‘β€π,π‘=πΜΈ ππ‘ , for 1 β€ π β€ π. If π = π, it is obvious that gcd(ππ , ππ ) = 1; by Eulerβs theorem, we have
Lemma 2 (Eulerβs theorem [17]). If π and π½ are coprime positive integers, then π½π(π) β‘ 1 (mod π) ,
(4)
.. .
has a unique solution modulo π = βππ=1 ππ , which is given by
2. New Solution to the Congruence System
π₯ = βππ ππ π¦π mod π,
where the product is over the distinct prime numbers dividing π. Now, we give another method of solving the systems of congruence and prove its correctness.
π(ππ )
(ππ )
mod ππ = 1.
(8)
On the other hand, if π =ΜΈ π, because ππ | ππ , we have π(ππ )
mod ππ = 0.
π(ππ )
mod ππ = ππ mod ππ .
(ππ )
(9)
Then π
π₯ β‘ βππ (ππ ) π=1
(10)
Since this is true for all π, 1 β€ π β€ π, π₯ is a solution to the system of congruences.
Security and Communication Networks
3
Example 4. Suppose π = 3, π1 = 7, π2 = 11, and π3 = 13. Then π = 1001, π(π1 ) = 6, π(π2 ) = 10, and π(π3 ) = 12. We compute π1 = 143, π2 = 91, and π3 = 77, and then π(π1 )
mod π = 1436 mod 1001 = 715,
π(π2 )
mod π = 9110 mod 1001 = 364,
π(π3 )
mod π = 7712 mod 1001 = 924.
(π1 ) (π2 ) (π3 )
Example 5. Consider Asmuth-Bloomβs (2, 4) secret sharing scheme. We have a pairwise relatively prime integer set {5, 7, 11, 12, 13}. The shared secret π is 4. Let π σΈ = π + πΌπ0 = 4 + 5 Γ 18 = 94. Then, four shares are generated as
(11)
(π1 , π 1 ) = (7, 3) , (π2 , π 2 ) = (11, 6) ,
Then the function π : Z7 Γ Z11 Γ Z13 σ³¨β Z1001 is π (π1 , π2 , π3 ) = (715π1 + 364π2 + 924π3 ) mod 1001.
(12)
For example, if π₯ β‘ 5 mod 7, π₯ β‘ 3 mod 11, and π₯ β‘ 10 mod 13, then this formula tells us that π₯ = (715 Γ 5 + 364 Γ 3 + 924 Γ 10) mod 1001 = 13907 mod 1001 = 894.
(π3 , π 3 ) = (12, 10) ,
(13)
(π4 , π 4 ) = (13, 3) . It is easy to recover the shared secret π by using two shares (π3 , π 3 ) = (12, 10), (π4 , π 4 ) = (13, 3) and the CRT, as shown below. By Euclidean Algorithm, we get π¦3 = 13β1 mod 12 = 1,
This can be verified by reducing 894 modulo 7, 11, and 13.
π¦4 = 12β1 mod 13 = 12,
3. Review of Asmuth-Bloomβs Secret Sharing In 1983, Asmuth and Bloom [8] proposed a novel (π‘, π) SS, in which the shares are the congruence classes of the secret and the corresponding modulus is broadcasted as the participantβs public key. The secret reconstruction is based on CRT. 3.1. Initialization. The π + 1 distinct positive integers π0 , π1 , β β β , ππ are chosen subject to the following conditions: (1) π1 < π2 < β β β < ππ (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π
3.2. Secret Generation. Suppose the shared secret is the integer π β [0, π0 ). Let π σΈ = π + πΌπ0 where πΌ β Z is subject to the condition π σΈ β [0, π1 β π2 β β β β β ππ‘ ). Then let π π β‘ π σΈ mod ππ (π = 1, 2, β β β , π) be the private shares. 3.3. Secret Reconstruction. If π π1 , π π2 , β β β , π ππ‘ are known, π σΈ is obtained by π‘
(14)
π=1
mod πππ . where π = βπ‘π=1 πππ , πππ = π/πππ , and π¦ππ = ππβ1 π Then the shared secret is π = π σΈ mod π0 .
(17)
and then π σΈ = (13 Γ 1 Γ 10 + 12 Γ 12 Γ 3) mod 156 = 562 mod 156 = 94,
(18)
and the secret π = 94 mod 5 = 4 is revealed. Besides, Hwang and Chang [19] proposed a method to generate a pairwise relative prime integer set which satisfies the requirements of Asmuth-Bloomβs and our schemes, and this specific integer set is not unique.
4. Proposed Secret Sharing Scheme
(3) βπ‘π=1 ππ > π0 β βπ‘β1 π=1 ππβπ‘+π+1
π σΈ = βπ ππ πππ π¦ππ mod π,
(16)
(15)
3.4. Security Analysis. However, Harn et al. [18] pointed out that the value π σΈ need be in the t-threshold range (ππβπ‘+2 β ππβπ‘+3 β β β β β ππ , π1 β π2 β β β β β ππ‘ ); otherwise, it could be obtained by fewer than t participants. In the following, we give an example to illustrate this vulnerability.
The traditional (π‘, π) secret sharing scheme is composed of a trusted dealer D and π participants π1 , π2 , β β β , ππ . Our secret sharing scheme consists of three phases, that is, initialization phase, share generation phase, and secret reconstruction phase. In secret generation phase, we improve AsmuthBloomβs scheme by considering the π‘-threshold range. We do the secret reconstruction by Eulerβs phi function, and the correctness is based upon Theorem 3 in Section 2. 4.1. Initialization. The dealer D chooses π + 1 distinct positive integers π0 , π1 , π2 , β β β , ππ such that (1) π1 < π2 < β β β < ππ (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π (3) βπ‘π=1 ππ > (π0 + 1) β βπ‘β1 π=1 ππβπ‘+π+1 The dealer D broadcasts the value π0 and sends the value ππ to participant ππ as his/her public information, for 1 β€ π β€ π. 4.2. Share Generation. Suppose the dealer D wants to share the secret π β Zπ0 .
4
Security and Communication Networks
The dealer D selects an integer πΌ β π‘ [ββπ‘β1 π /π β, β π /π β 1); then let π β‘ 0 0 π π=1 πβπ+1 π=1 π (π + πΌπ0 )mod ππ be the private share of the participant ππ , for 1 β€ π β€ π.
has one unique solution as
4.3. Secret Reconstruction. If π‘ participants pool their shares and corresponding modulus, (π π1 , ππ1 ), (π π2 , ππ2 ), β β β , (π ππ‘ , πππ‘ ), the shared secret can be reconstructed as π = π σΈ mod π0 , where
where π = βπ‘π=1 πππ . As π β₯ π, this uniquely determines π σΈ = π₯ and thus
π‘
π σΈ = β π ππ ( β πππ ) π=1
π(πππ )
mod ( β πππ ) .
1β€πβ€π‘,π=πΜΈ
(19)
1β€πβ€π‘
5. Security and Performance Analysis In this section, we first give security analysis of the scheme proposed in Section 4 and then compare the performance of our proposed secret sharing with that of two types of classical secret sharing. 5.1. Security Analysis. Now we analyze the fact that our proposed (π‘, π) secret sharing is perfect, secure as follows. Theorem 6. Our proposed (π‘, π) secret sharing scheme described in Section 4 is perfect, that is, the following two properties are satisfied: (1) If any π‘ participants pool their shares, then they can determine the value of π . (2) If any π‘ β 1 participants pool their shares, then they can determine nothing about the value of π . Proof. Based on the conditions of our scheme, σΈ
π = π + πΌπ0 ,
βπ‘β1 π=1 ππβπ+1 β π0 β€ π + πΌπ0 < π0 + (π β π0 ) , π0 π‘β1
(20)
(21)
β ππβπ+1 + 1 β€ π < π. π=1
(1) If any π‘ participants pool their shares π π1 , π π2 , β β β , π ππ‘ , as described in Theorem 3, the system of π‘ congruences π₯ β‘ π π1 mod ππ1 π₯ β‘ π π2 mod ππ2
π₯ β‘ π ππ‘ mod πππ‘
mod π,
π = π σΈ mod π0 .
(23)
(24)
(2) If only π‘ β 1 participants pool their shares, π π1 , π π1 , β β β , π ππ‘β1 , then all we have is π β = π σΈ mod π, where σΈ β β β π = βπ‘β1 π=1 πππ . The real secret π β {π , π + π, β β β , π + βπ/π β 1βπ}; since gcd(π, π0 ) = 1 and π/π > π0 , the set of possible values is greater than that of possible secret. Hence, no useful information is compromised. Example 7. Consider the proposed (2, 4) secret sharing scheme. In initialization phase, the dealer D chooses 5 distinct positive integers, π0 = 5, π1 = 7, π2 = 11, π3 = 12, and π4 = 13, which satisfies the conditions on initialization listed in Section 4.1. The minimum value π0 = 5 is broadcasted. And ππ (1 β€ π β€ 4) is sent as the public key of ππ . In sharing phase, suppose the shared secret π = 4. Then dealer D selects an integer πΌ = 18 β [14, 183]. So the private shares of π1 , π2 , π3 , and π4 , are generated as follows: π 1 = 4 + 18 Γ 5 (mod 7) = 3, π 2 = 4 + 18 Γ 5 (mod 11) = 6, π 3 = 4 + 18 Γ 5 (mod 12) = 10,
(25)
In reconstructing phase, suppose that π3 and π4 cooperate; by (19) we have π σΈ = π 4 π3 π(π4 ) + π 3 π4 π(π3 ) mod (π4 β π3 ) = 3 Γ 12π(13) + 10 Γ 13π(12) mod (13 Γ 12) = 94,
(26)
and, then, the secret can be reconstructed as
σΈ
.. .
π(πππ )
π ) π₯ = βπ ππ ( πππ π=1
π 4 = 4 + 18 Γ 5 (mod 13) = 3.
π‘ where ββπ‘β1 π=1 ππβπ+1 /π0 β β€ πΌ < βπ=1 ππ /π0 β 1 and 0 β€ π < π0 . Let π = βπ‘π=1 ππ , we have
0+β
π‘
(22)
π = π σΈ mod π0 = 94 mod 5 = 4.
(27)
As in many literatures, we assume that all participants pool the real shares when they collaborate to recover the shared secret. To enhance the security, it can be combined with other cheater detection mechanisms to check the validity of the shares before recovery of the secret. 5.2. Performance Analysis. In this section, we analyze the computational cost of our proposed scheme and compare it with the other two classic secret sharing schemes, as summarized in Table 1. In Shamirβs (π‘, π) scheme, the secret recovery using the usual polynomial interpolation requires O(π‘ log2 π‘) operations. In the Asmuth-Bloomβs scheme, the modular
Security and Communication Networks
5
Table 1: Comparison of computational cost. Scheme Shamirβs scheme [5] Asmuth-Bloomβs scheme [8] Our scheme
Secret recovery O (π‘ log2 π‘) O (π‘) O (π‘)
because π(ππ )π(ππ ) + ππππ = π. On the other hand, if π =ΜΈ π, because ππ | ππ , we have π(ππ )
(ππ )
mod ππ = 0,
i.e., π π π(ππ )π(ππ ) mod πππ = 0. Therefore, π(ππ )
π
method of secret recovery requires only O(π‘) operations. In our scheme, the computation complexity of (ππ )π(ππ ) mod π requires at most O(log ππ ) operations. However, this can be improved at the cost of storage room by keeping a table. Once the value of (ππ )π(ππ ) mod π (1 β€ π β€ π) is known, it requires only O(π‘) operations to recover the secret.
6. Renewable Secret Sharing Scheme The generalized Chinese remainder theorem (GCRT) [9, 10] is a variation of CRT with an additional integer π introduced as a common modulus. Inspired by GCRT, we have the following result. Theorem 8. Suppose π1 , π2 , β β β , ππ are pairwise relatively prime positive integers (i.e., if π =ΜΈ π then gcd(ππ , ππ ) = 1), and π1 , π2 , β β β , ππ are integers. Suppose π is an integer satisfying max1β€πβ€π {ππ } < π < min1β€πβ€π {ππ }. Let π = βππ=1 ππ . Then the system of π congruences β
π₯ β β‘ π1 mod π π1
β
π₯ β β‘ π2 mod π π2 .. .
β π π (ππ ) π₯ β β mod π = β π=1 π ππ ππ
π₯ β β β‘ ππ mod π ππ
β mod π
π(ππ ) ] [ ] [ π π π (ππ ) ] mod π, [ = ππ ] [
(32)
because π π π(ππ )π(ππ ) /ππ mod π = 0 for π =ΜΈ π. Since π(ππ )π(ππ ) mod πππ = π and π < ππ , we have π(ππ )π(ππ ) /ππ mod π = π/ππ . If ππ ππ is a multiple of π, then π π = βππ β
ππ π
β = ππ β
ππ π
,
(33)
and we have β
π(ππ ) π₯ β mod π = ππ (ππ ) mod π = ππ . ππ
(34)
If ππ ππ is not a multiple of π, then β
(28)
(31)
βππ β ππ /πβ π (1 + π½ππ ) π₯ β mod π = β β mod π ππ ππ =β
βππ β ππ /πβ π
= βππ +
ππ
β mod π
(1 β ((ππ β ππ mod π) /π)) π ππ
(35) β mod π
= ππ ,
has a unique solution modulo ππ, which is given by
because (1 β ((ππ β ππ mod π)/π))π/ππ < 1 and ππ < π.
π
π(ππ )
π₯ = βπ π π (ππ )
mod ππ,
(29)
π=1
where ππ = π/ππ and π π = βππ β ππ /πβ for 1 β€ π β€ π. Proof. It amounts to showing that π₯ in (28) is a solution to the system of congruences (19). The proof of uniqueness is similar to Theorem 3. For 1 β€ π β€ π, consider a term π π π(ππ )π(ππ ) in the above summation, reduced modulo ππ . If π = π, it is obvious that gcd(ππ , ππ ) = 1, by Eulerβs theorem; then we have (ππ )π(ππ ) mod ππ = 1; i.e., there is an integerπ such that (ππ )π(ππ ) + πππ = 1; then π(ππ )
π (ππ )
mod πππ = π,
(30)
Although more computation is required, more flexible performance can be achieved. In the traditional secret sharing scheme, if we want to refresh the secret, the corresponding congruences system should be modified. However, based upon Theorem 8, we can refresh the shared secret without changing the share and the public information of the participants. Compared with the previous scheme, the refreshable secret sharing scheme adds a secret refresh phase. In share generation phase, the dealer needs to broadcast an additional parameter as follows. 6.1. Initialization. The dealer D chooses π + 1 distinct positive integers π0 , π1 , β β β , ππ such that (1) π1 < π2 < β β β < ππ
6
Security and Communication Networks (2) gcd(ππ , ππ ) = 1 for 0 β€ π =ΜΈ π β€ π (3)
βπ‘π=1 ππ
> (π0 + 1) β
Acknowledgments
βπ‘β1 π=1 ππβπ‘+π+1
The dealer D broadcasts the value π0 and sends the value ππ to participant ππ as his/her public information, for 1 β€ π β€ π. 6.2. Share Generation. Suppose the dealer D wants to share the secret π β Zπ0 . The dealer D firstly selects and broadcasts an integer π β (0, min1β€πβ€π {ππ }). Secondly, the dealer D chooses a random integer πΌ β [β
βπ‘β1 βπ‘ π π=1 ππβπ+1 β , π=1 π β 1) , π0 π0
(36)
then generating π π β‘ βπ + πΌπ0 /ππ βmod π, which is the private share of the participant ππ , for 1 β€ π β€ π. 6.3. Secret Refreshment. Suppose the dealer D wants to refresh the shared secret without changing the share and the public modulus of the participants which has been sent. The dealer D selects and broadcasts new integer Μπ β (max1β€πβ€π {ππ }, min1β€πβ€π {ππ }); then the secret π Μ = π ΜσΈ mod π0 can be shared by π participants with their original share and public modulus (π π , ππ ), where π
π ΜσΈ = β βππ β π=1
ππ Μ π(π ) β π (ππ ) π mod Μππ. Μπ
(37)
6.4. Secret Reconstruction. If π‘ participants pool their shares and public modulus, (π π1 , ππ1 ), (π π2 , ππ2 ), β β β , (π ππ‘ , πππ‘ ), with the corresponding parameter π, the shared secret can be reconstructed as π = π σΈ mod π0 , where π σΈ π‘
= ββ π=1
πππ β πππ π
π(πππ )
β π ( β πππ ) 1β€πβ€π‘ π=πΜΈ
π‘
mod (πβπππ ) .
(38)
π=1
7. Conclusions In this paper, we first show a new method to reconstruct the secret by the system of congruences utilizing Eulerβs theorem and propose a new type of perfect secret sharing scheme based on modular arithmetic. Furthermore, inspired by [20], we introduce an extra integer to help us to refresh the secret without changing the information the participant holds; only one public broadcasting parameter needs to be updated.
Data Availability The relevant analysis data used to support the findings of this study are included in the article.
Conflicts of Interest The authors declare that they have no conflicts of interest.
This work was partly supported by the National Natural Science Foundation of China (Grant No. 11804114) and the Natural Science Foundation of Fujian Province, China (Grant Nos. 2017J01761 and 2018J01537).
References [1] S. Iftene, βGeneral secret sharing based on the Chinese remainder theorem with applications in E-voting,β Electronic Notes in Theoretical Computer Science, vol. 186, pp. 67β84, 2007. [2] H. Pilaram and T. Eghlidos, βAn efficient lattice based multistage secret sharing scheme,β IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 1, pp. 2β8, 2017. [3] C. Guo and C. Chang, βAn authenticated group key distribution protocol based on the generalized Chinese remainder theorem,β International Journal of Communication Systems, vol. 27, no. 1, pp. 126β134, 2014. [4] P. Singh and B. Raman, βReversible data hiding based on Shamirβs secret sharing for color images over cloud,β Information Sciences, vol. 422, pp. 77β97, 2018. [5] A. Shamir, βHow to share a secret,β Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979. [6] G. R. Blakley, βSafeguarding cryptographic keys,β in Proceedings of the 1979 AFIPS National Computer Conference, vol. 48, pp. 313β317, New York, NY, USA, 1979. [7] M. Mignotte, βHow to share a secret,β in Proceedings of the Workshop on Cryptography, EUROCRYPT 1982: Cryptography, pp. 371β375, Burg Feuerstein, Germany, 1982. [8] C. Asmuth and J. Bloom, βA modular approach to key safeguarding,β IEEE Transactions on Information Theory, vol. 29, no. 2, pp. 208β210, 1983. [9] B. Choc, S. Goldwasser, S. Micali, and B. Awerbuch, βVerifiable secret sharing and achieving simultaneity in the presence of faults,β in Proceedings of the 26th Annual Symposium on Foundation of Computer Science (sfcs 1985), pp. 383β395, 1985. [10] T. P. Pedersen, βNoninteractive and informationtheoretic secure verifiable secret sharing,β in Advances in CryptologyβCRYPTO β91, vol. 576 of Lecture Notes in Computer Science, pp. 129β140, 1991. [11] L. Harn and M. Fuyou, βWeighted secret sharing based on the Chinese remainder theorem,β International Journal of Network Security, vol. 16, no. 6, pp. 420β426, 2014. [12] L. Harn, βSecure secret reconstruction and multi-secret sharing schemes with unconditional security,β Security and Communication Networks, vol. 7, no. 3, pp. 567β573, 2014. [13] S. C. Pohlig and M. E. Hellman, βAn improved algorithm for computing logarithms over GF(p) and its cryptographic significance,β IEEE Transactions on Information Theory, vol. 24, no. 1, pp. 106β110, 1978. [14] J. Quisquater and C. Couvreur, βFast decipherment algorithm for RSA public-key cryptosystem,β IEEE Electronics Letters, vol. 18, no. 21, pp. 905β907, 1982. [15] X. Li, W. Wang, W. Zhang, and Y. Cao, βPhase-detection-based range estimation with robust Chinese remainder theorem,β IEEE Transactions on Vehicular Technology, vol. 65, no. 12, pp. 10132β10137, 2016. [16] H. Cohen, A Course in Computational Algebraic Number Theory, Springer Science & Business Media, 2013.
Security and Communication Networks [17] D. R. Stinson, Cryptography: Theory and Practice, CRC Press, 3rd edition, 2005. [18] L. Harn, C. Hsu, M. Zhang, T. He, and M. Zhang, βRealizing secret sharing with general access structure,β Information Sciences, vol. 367-368, pp. 209β220, 2016. [19] R. J. Hwang and C. C. Chang, βAn improved threshold scheme based on modular arithmetic,β Journal of Information Science and Engineering, vol. 15, pp. 691β699, 1999. [20] Y. Liu and C. C. Chang, βAn integratable verifiable secret sharing mechanism,β Journal of Network Security, vol. 18, no. 4, pp. 617β 624, 2016.
7
International Journal of
Advances in
Rotating Machinery
Engineering Journal of
Hindawi www.hindawi.com
Volume 2018
The Scientific World Journal Hindawi Publishing Corporation http://www.hindawi.com www.hindawi.com
Volume 2018 2013
Multimedia
Journal of
Sensors Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Journal of
Control Science and Engineering
Advances in
Civil Engineering Hindawi www.hindawi.com
Hindawi www.hindawi.com
Volume 2018
Volume 2018
Submit your manuscripts at www.hindawi.com Journal of
Journal of
Electrical and Computer Engineering
Robotics Hindawi www.hindawi.com
Hindawi www.hindawi.com
Volume 2018
Volume 2018
VLSI Design Advances in OptoElectronics International Journal of
Navigation and Observation Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Hindawi www.hindawi.com
Chemical Engineering Hindawi www.hindawi.com
Volume 2018
Volume 2018
Active and Passive Electronic Components
Antennas and Propagation Hindawi www.hindawi.com
Aerospace Engineering
Hindawi www.hindawi.com
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Volume 2018
International Journal of
International Journal of
International Journal of
Modelling & Simulation in Engineering
Volume 2018
Hindawi www.hindawi.com
Volume 2018
Shock and Vibration Hindawi www.hindawi.com
Volume 2018
Advances in
Acoustics and Vibration Hindawi www.hindawi.com
Volume 2018