Secret sharing schemes provide an effective method to safeguard a secret by dividing it among several participants. Using hash functions and the herding hashes technique, we first set up a $(t+1, n)$ threshold scheme which is perfect and ideal, and then extend it to schemes for any general access structure. The schemes can further be made proactive or verifiable if necessary. The setup and recovery of the secret are efficient because the hash function is fast to compute. The proposed scheme is flexible because it can use existing hash functions.
A secret sharing scheme is strongly motivated by the problem of private key protection. By Kerckhoffs's principle [1], only the private key in an encryption scheme is secret, not the encryption method itself. When we examine the problem of maintaining sensitive information, we consider two issues: availability and secrecy. If only one person keeps the entire secret, there is a risk that the person loses the secret or is not available when the secret is needed. On the other hand, the more people who can access the secret, the higher the chance that the secret will be leaked. A secret sharing scheme (hereafter simply referred to as a 'scheme') is designed to solve these issues by splitting a secret into shares and distributing the shares among a group of participants. The secret can only be recovered when the participants of an authorized subset join together to combine their shares.
Secret sharing schemes have applications in security protocols, for example database security and multiparty computation (MPC). When a client wants to outsource a database (so-called "Database as a Service") to a third party, how to hide sensitive information from the server is a major concern. One common technique is to encrypt the data before storing it on the server. However, queries to the encrypted database are expensive. [2] suggested using a threshold secret sharing scheme to split the data across different servers as shares in order to handle data privacy. MPC was first introduced in Yao's seminal two millionaires' problem [3]. A secure MPC can be defined as $n$ parties $P_1, P_2, \ldots, P_n$ joining together to compute a joint function $f(x_1, x_2, \ldots, x_n)$, where $x_i$ is the private input of $P_i$, $i = 1, \ldots, n$. After the computation, each $P_i$ knows the correct result of $f$ but learns nothing about the other $x$'s. Secret sharing schemes play an important role in secure MPC, as secrecy is essential in such computations. For more MPC material please refer to [4].
To summarize, a secret sharing scheme is a cryptographic primitive with many applications, such as PGP (Pretty Good Privacy) key recovery, visual cryptography, threshold cryptography and threshold signatures, in addition to those discussed above.
In this paper, we use the herding hashes technique to design a $(t+1, n)$ threshold scheme which is perfect and ideal. Then we show, by the examples of a hierarchical threshold scheme and a compartment scheme, that any general access structure can be realized. The resulting scheme can easily be made proactive. By adding an additional hash function we can make it verifiable. The setup is simple and the secret can be recovered quickly. The implementation is flexible as we can make use of existing hash functions.
The rest of the paper is organized as follows. In Section 2 and Section 3 we review cryptographic hash functions and secret sharing schemes. Section 4 analyzes the complexity of the proposed scheme and shows how to make the implementation practical. Then we present several secret sharing scheme setups for illustration. In Section 5 we outline an implementation plan. In Section 6 we conclude the paper and summarize the advantages of the proposed schemes.
A cryptographic hash function $H$ takes an input message $M$ of arbitrary length and outputs a fixed-length string $h$. The output $h$ is called the hash or message digest of the message $M$. It should be fast to compute and should be preimage, second-preimage and collision resistant. Please refer to textbooks such as [5,6] for the details.
An iterative hash function $H$ is basically built from iterations of a compression function $C$ using the Merkle-Damgård construction [7,8]. Briefly, the construction repeatedly applies the compression function as follows. (a) Pad the arbitrary-length message $M$ into multiple $v$-bit blocks:
, where $h_i$ and $h_{i-1}$ are intermediate hashes of $u$-bit strings, $h_0$ is the initial value (or initial vector) IV, and
Suppose we apply the birthday attack to get $b$ pairs of blocks $(m_1, m'_1), \ldots, (m_b, m'_b)$ such that
By enumerating all possible combinations of these $b$ pairs of blocks, with each pair offering two choices, we can build up $2^b$ colliding messages as follows (see Fig. 1). Since it takes $2^{u/2}$ steps to find one pair of blocks, this process takes approximately $b \times 2^{u/2}$ steps. So it is relatively easy to find multi-collisions in an iterative hash function. Please refer to [6,9] for the details.
Fig. 1. Multicollisions in iterative hash functions.
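As an added illustration (not code from the paper), the following Python script builds the $2^b$ colliding messages of Fig. 1 on a toy Merkle-Damgård hash whose chaining value is truncated to $u = 24$ bits, so that each birthday search finishes in a fraction of a second; the compression function, block size and all function names are assumptions of this example. With $b = 4$ pairs it yields $16$ distinct messages with the same digest at a cost of roughly $b \times 2^{u/2}$ compression calls, which is why a short chaining value, not a weak compression function, is enough to make multi-collisions cheap.

```python
import hashlib
import itertools

# Toy parameters (assumptions of this example): u-bit chaining value, v-bit blocks.
U_BYTES = 3           # u = 24 bits, so one birthday search costs about 2^12 calls
BLOCK = 4             # v = 32 bits per message block
IV = bytes(U_BYTES)   # h_0, the initial value

def compress(h_prev, block):
    """Toy compression function C(h_{i-1}, m_i): SHA-256 truncated to u bits.
    The truncation is what makes the birthday search feasible for a demo."""
    return hashlib.sha256(h_prev + block).digest()[:U_BYTES]

def md_hash(message):
    """Merkle-Damgard iteration h_i = C(h_{i-1}, m_i) over fixed-size blocks
    (padding omitted: every message here is an exact multiple of BLOCK bytes)."""
    h = IV
    for i in range(0, len(message), BLOCK):
        h = compress(h, message[i:i + BLOCK])
    return h

def birthday_pair(h_prev):
    """Birthday search for distinct blocks m != m' with C(h_prev, m) == C(h_prev, m').
    Expected cost is about 2^(u/2) compression calls."""
    seen = {}
    for ctr in itertools.count():
        m = ctr.to_bytes(BLOCK, "big")
        h = compress(h_prev, m)
        if h in seen:            # an earlier block reached the same chaining value
            return seen[h], m, h
        seen[h] = m

def multicollision(b):
    """Joux's construction: b sequential birthday searches give pairs (m_1, m'_1), ...,
    (m_b, m'_b); one block from each pair yields 2^b messages with the same hash."""
    h, pairs = IV, []
    for _ in range(b):
        m, m_alt, h = birthday_pair(h)   # each search starts from the current chaining value
        pairs.append((m, m_alt))
    messages = [b"".join(choice) for choice in itertools.product(*pairs)]
    return pairs, messages, h

def all_collide(messages):
    """True when every message has the same digest under md_hash."""
    return len({md_hash(m) for m in messages}) == 1

if __name__ == "__main__":
    pairs, msgs, h = multicollision(4)
    print(f"{len(msgs)} messages share digest {h.hex()}; collide: {all_collide(msgs)}")
```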
Kelsey and Kohno [10] give a detailed analysis of this attack. Stevens, Lenstra and Weger [11] applied the technique to predict the winner of the 2008 US Presidential Election using a Sony PlayStation 3 in November 2007. We first build a large set of intermediate hashes at the first level: $h_{11}, h_{12}, \ldots, h_{1w}$. Then message blocks are generated so that they are linked and each intermediate hash at l