Proc. of Int. Conf. on Recent Trends in Information, Telecommunication and Computing, ITC

A Proactive Secret Sharing in Dot Product of Linearly Independent Vectors

Sonali Patil (1) and Prashant Deshmukh (2)

(1) Assistant Professor, Computer Department, Pimpri Chinchwad College of Engineering, Pune, India, sonalimpatil@gmail.com
(2) Professor, Computer Department, Sipna College of Engineering and Technology, Amaravati, India, pr_deshmukh@yahoo.com

Abstract— Proactive Secret Sharing (PSS) is a scheme that periodically generates a new set of shares from the old shares for the same secret. Proactive secret sharing has numerous applications for maintaining long-lived data in scenarios where both accessibility and confidentiality are vital. It achieves both goals by dividing the secret among a group of participants and by periodically updating the shares. In this paper a proactive secret sharing in dot product of linearly independent vectors is proposed. The proposed scheme periodically renews the existing shares without altering the original secret, using orthogonal vectors. The comparative study shows that the proposed scheme is less complex and more secure.

Index Terms— Information Security, Secret sharing, Proactive Secret Sharing, Cryptography, Network Security

DOI: 02.ITC.2014.5.529 © Association of Computer Electronics and Electrical Engineers, 2014

I. INTRODUCTION

The idea of secret sharing [1] is to divide a secret into pieces called shares, which are then distributed among the participants by a dealer. A (t, n) threshold secret sharing [2] is a scheme in which a secret is shared among n participants in such a way that any t or more participants can reveal the secret, but any (t−1) or fewer participants cannot. Shamir and Blakley [3] [4] introduced the concept of secret sharing. In almost all secret sharing schemes (SSS) the shares given to the participants are long-lived. However, the protection provided by such schemes may be deficient. The security of a system can erode over time for several reasons: secrets can be revealed, shares can gradually be corrupted, hardware may fail, or the systems where shares are kept may be damaged. Also, given enough time, an attacker may be able to compromise enough shares (t or more) to acquire the secret. Proactive secret sharing schemes (PSSS) [2] were introduced to mend this through periodic executions. Using PSSS, all the shares are refreshed so that old shares become useless. Thus an adversary has to gain at least t shares between two executions of the PSSS. The secret remains confidential if fewer than t shares are compromised from the start of one PSSS execution to the end of the next. Because a breach can only occur if the adversary collects t shares before they are renewed, the renewal must be run periodically, at an interval shorter than the time an adversary needs to compromise t participants. The goal of proactive security is to forbid the adversaries from acquiring the secret or from destroying it. In particular, any group of t non-faulty participants should be able to reconstruct the secret

whenever it is necessary. The core properties and model requirements for implementing proactive secret sharing are discussed below.

The core properties of proactive secret sharing are [5]:
1. To renew the existing shares frequently without compromising the secret, so that old shares become useless.
2. To recover lost or corrupted shares without compromising the secrecy of the shares. This must be performed without any information leak and without changing the secret.

Proactive model requirements [6]:
1. An adversary can obtain at most t−1 shares in any time period. The time period is synchronized with the share-renewal protocol.
2. Secure communication channels.
3. Synchronization: the participants have access to a common global clock, so that the protocol can be run within a given time period.
4. Shares can be erased: every honest participant can erase its shares in such a manner that no attacker can gain access to the erased data.

To clarify the PSS technique, consider the simplest secret sharing scheme, which splits the secret into two shares. To generate two shares from a secret S, a random number S1 with the same number of bits as S is selected; S1 is the first share. The second share S2 is the bitwise XOR of S and S1, so that S = S1 ⊕ S2. When the PSSS is executed, new shares S1' and S2' are generated from S1 and S2 as follows:
a) Using S1 as the secret, two sub-shares S11 and S12 are generated with the same scheme described above.
b) Similarly, using S2 as the secret, two sub-shares S21 and S22 are generated.
c) The holder of S1 sends S12 to the holder of S2.
d) The holder of S2 sends S21 to the holder of S1.
e) S1' is calculated as S11 ⊕ S21.
f) S2' is calculated as S12 ⊕ S22.
Combining the new shares gives S1' ⊕ S2' = S11 ⊕ S21 ⊕ S12 ⊕ S22 = (S11 ⊕ S12) ⊕ (S21 ⊕ S22) = S1 ⊕ S2 = S, so the original secret can still be reconstructed. The two new shares are independent of the old ones because the sub-shares are freshly and randomly generated.
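The two-share renewal just described, as an added worked example that is not code from this paper: shares are fixed-width integers, each holder re-splits its own share and hands one sub-share to its peer, and the demo checks that an adversary who captured S1 in one period and S2 in a later period cannot combine them. The 128-bit share width and the use of Python's secrets module are assumptions of this example.

```python
"""Two-share XOR secret sharing with proactive renewal (Section I illustration).
Added example; not code from the paper. Shares are fixed-width integers."""
from __future__ import annotations

import secrets

BITS = 128  # share width; the secret must fit in this many bits (assumption)


def split(secret: int) -> tuple[int, int]:
    """Dealer: S1 random, S2 = S xor S1; both shares are needed to recover S."""
    assert 0 <= secret < (1 << BITS)
    s1 = secrets.randbits(BITS)
    return s1, secret ^ s1


def reconstruct(s1: int, s2: int) -> int:
    return s1 ^ s2


def renew(s1: int, s2: int) -> tuple[int, int]:
    """One round of the renewal protocol, steps a) to f) of the text.

    Each holder re-splits its own share into two sub-shares, keeps one and sends
    the other to its peer over the secure channel. Nobody ever holds both
    sub-shares of the other party's share, so S is never exposed."""
    s11, s12 = split(s1)   # holder of S1: keeps s11, sends s12 to holder of S2
    s21, s22 = split(s2)   # holder of S2: keeps s22, sends s21 to holder of S1
    new_s1 = s11 ^ s21     # computed by the holder of S1
    new_s2 = s12 ^ s22     # computed by the holder of S2
    return new_s1, new_s2  # old shares S1, S2 are erased by their holders


def demo(secret: int, rounds: int = 3) -> dict:
    """Run several renewal periods and report what an adversary who captured
    one share per period, but never both in the same period, can do."""
    s1, s2 = split(secret)
    history = [(s1, s2)]
    for _ in range(rounds):
        s1, s2 = renew(s1, s2)
        history.append((s1, s2))
    # Adversary: S1 from period 0 combined with S2 from the last period.
    stale_mix = history[0][0] ^ history[-1][1]
    return {
        "recovered_each_period": all(reconstruct(a, b) == secret for a, b in history),
        "stale_mix_recovers_secret": stale_mix == secret,
        "shares_changed": all(history[i] != history[i + 1] for i in range(rounds)),
    }


if __name__ == "__main__":
    print(demo(0xDEADBEEF))
```

Within one period the two current shares always recombine to S; across periods the combination is uniformly random, which is exactly the property the renewal is meant to provide.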
No one learns the secret during the entire process: the holder of S1 generates S11 and receives S21 from the holder of S2, and the holder of S2 generates S22 and receives S12 from the holder of S1; neither ever holds both sub-shares of the other's share.

After this introduction to proactive secret sharing in Section I, the rest of the paper is organized as follows. Section II contains a literature survey of a few proactive secret sharing schemes. Section III discusses the preliminaries of the proposed scheme. Section IV explains the proposed proactive secret sharing scheme. Section V compares a few proactive secret sharing schemes, and Section VI concludes.

II. LITERATURE SURVEY

A. Shamir's Secret Sharing Scheme [3]

Shamir [3] developed the idea of a (t, n) threshold secret sharing technique, where t ≤ n. The technique shares a secret among n participants so that at reconstruction time the secret can be revealed using the shares of any t of the n participants. In a (t, n) threshold scheme a polynomial of degree (t−1) is constructed as

f(x) = d0 + d1 x + d2 x^2 + … + d(t−1) x^(t−1) (mod p),

where the value d0 is the secret and p is a prime number. The secret shares are the pairs of values (xi, yi) where


yi = f(xi), 1 ≤ i ≤ n, and 0 < x1 < x2 < … < xn ≤ p − 1. The polynomial f(x) is destroyed once each participant Pi owns its pair (xi, yi), so that no single participant knows the secret d0. In fact, no group of (t − 1) or fewer shares can be used to discover d0. On the other hand, when t or more shares are available, t equations yi = f(xi) can be set up in the t unknown coefficients di, and the unique solution d0 follows. The following Lagrange interpolation formula gives the secret value d0:

$$ d_0 = f(0) = \sum_{i=1}^{t} y_i \prod_{\substack{j=1 \\ j \neq i}}^{t} \frac{x_j}{x_j - x_i} \pmod p, $$

where (xi, yi), 1 ≤ i ≤ t, are any t shares. This scheme is information-theoretically secure. But if an adversary obtains t shares from any t participants over a period of time, the scheme is no longer secure. Applications such as encryption-key sharing, which require keeping the same secret for a long time, are not secure in such a scenario. This drawback is overcome by Herzberg et al. [7], who added the proactive feature to Shamir's scheme.

B. Herzberg's Proactive Secret Sharing Scheme [7]

Herzberg et al. [7] proposed a proactive secret sharing scheme on top of Shamir's secret sharing to address both passive and active attacks. In this scheme, after the initialization, at the beginning of each time period all honest participants activate an update phase in which they perform a share renewal protocol. Assume a (t, n) threshold scheme whose shares are created and distributed using Shamir's secret sharing. The renewal algorithm is as follows:

1. Each participant randomly selects a polynomial h(x) = b1 x + b2 x^2 + … + b(t−1) x^(t−1) with zero constant term.
2. Each participant computes h(i) for all i from 1 to n.
3. The computed values h(1), …, h(n) are transmitted to participants 1, …, n respectively through a secure channel.
4. Each participant renews its old share f(i) as f'(i) = f(i) + h(i), where h(i) here denotes the sum of the values h_j(i) received from all participants j.
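Shamir's sharing with Lagrange reconstruction (II.A) together with Herzberg's renewal (steps 1 to 4 above), as an added worked example over GF(p); it is not code from [3] or [7]. The prime p = 2^127 − 1, the node values x_i = i and the demo parameters are assumptions of this example.

```python
"""Shamir (t, n) sharing with Herzberg share renewal over GF(p).
Added example; not code from [3] or [7]. p and the nodes x_i = i are
assumptions (1 <= i <= n < p)."""
from __future__ import annotations

import secrets

P = (1 << 127) - 1  # Mersenne prime 2^127 - 1, used as the field modulus


def random_poly(constant: int, degree: int) -> list[int]:
    """Coefficients d0..d_degree of a random polynomial with d0 = constant."""
    return [constant % P] + [secrets.randbelow(P) for _ in range(degree)]


def evaluate(coeffs: list[int], x: int) -> int:
    """Horner evaluation of f(x) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(secret: int, t: int, n: int) -> dict[int, int]:
    """Dealer: f(x) = d0 + d1 x + ... + d_{t-1} x^{t-1}; share i is (i, f(i))."""
    assert 0 < t <= n < P
    f = random_poly(secret, t - 1)
    return {i: evaluate(f, i) for i in range(1, n + 1)}  # f is then destroyed


def reconstruct(shares: dict[int, int]) -> int:
    """Lagrange interpolation at x = 0 from any t shares (more is fine)."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * xj % P
                den = den * (xj - xi) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def herzberg_renew(shares: dict[int, int], t: int) -> dict[int, int]:
    """One renewal period. Every participant i picks h_i(x) of degree t-1 with
    h_i(0) = 0, sends h_i(j) to participant j over a secure channel, and each
    participant adds everything it received to its own share. The sum of the
    h_i has zero constant term, so f'(0) = f(0): the secret is unchanged."""
    new_shares = dict(shares)
    for _ in shares:                  # participant i's contribution
        h = random_poly(0, t - 1)     # h_i(0) = 0
        for j in shares:              # h_i(j) travels to participant j
            new_shares[j] = (new_shares[j] + evaluate(h, j)) % P
    return new_shares                 # old shares are erased by their holders


def demo(secret: int, t: int = 3, n: int = 5) -> dict:
    """Check renewal: t new shares work, t-1 do not, and mixing periods fails."""
    old = share(secret, t, n)
    new = herzberg_renew(old, t)
    subset = dict(list(new.items())[:t])
    mixed = {1: old[1], 2: old[2], 3: new[3]}   # t shares, but from two periods
    return {
        "new_shares_reconstruct": reconstruct(subset) == secret,
        "mixed_periods_reconstruct": reconstruct(mixed) == secret,
        "too_few_shares_reconstruct": reconstruct({1: new[1], 2: new[2]}) == secret,
    }


if __name__ == "__main__":
    print(demo(0x1234567890ABCDEF))
```

Interpolating t−1 shares, or t shares taken from different periods, yields a uniformly random field element rather than the secret, which is the point of the renewal.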

Every h(x) has zero constant term, so f'(x) = f(x) + Σ h(x) has the same constant term as f(x). As f(x) is a randomly chosen polynomial of degree t−1 with the secret S as constant term, f'(x) is again a randomly chosen polynomial of degree t−1 with S as constant term. Along with the proactive feature, this scheme also provides verifiable secret sharing [8] [9]; encryption and decryption algorithms are used to obtain verifiability of the shares. The scheme prevents dishonest participants controlled by active adversaries from refusing to change their shares during renewal or from injecting invalid shares. All participants need to communicate with each other to renew the existing shares, which requires secure channels among them. The scheme supports single-secret sharing. Li Bai [10] proposed a secret sharing scheme that can be used to share an image secret or multiple secrets.

C. Matrix Projection Secret Sharing [10]

Li Bai [10] proposed a secret sharing scheme using matrix projection. The scheme uses the invariance property of matrix projection to share a colour-image secret or multiple secrets. It supports (k, n) threshold secret sharing: any k (k ≤ n) shareholders who come together can reconstruct the original secret S, but k−1 participants cannot reveal anything about the secret. [10] describes the scheme as ideal, perfect and reliable. Here the secret is a matrix S of size m × m, to be distributed among n shareholders. The dealer constructs the shares of the secret and distributes them to the participants. Any k participants can reconstruct the original secret by combining their shares.


The scheme has two phases: construction of the shares from the secret, and reconstruction of the secret from any k of the received shares. The two phases are explained below.

Construction of secret shares from the m × m secret matrix S
1. Construct a random m × k matrix A of rank k, where m > 2(k − 1) − 1.
2. Choose n linearly independent random k × 1 vectors xi.
3. Calculate the share vi = (A xi) (mod p) for 1 ≤ i ≤ n, where p is a prime number.
4. Compute the projection matrix $ = (A (A'A)^−1 A') (mod p).
5. Solve R = (S − $) (mod p).
6. Destroy the matrix A, the vectors xi, $ and S.
7. Distribute the n shares vi to the n participants and make the matrix R publicly known.

Secret reconstruction
1. Collect k shares from any k participants, say v1, v2, …, vk, and construct the matrix B = [v1 v2 … vk].
2. Calculate the projection matrix $ = (B (B'B)^−1 B') (mod p).
3. Compute the secret S = ($ + R) (mod p).

The scheme was extended by Bai and Zou [11] to support renewal of shares while keeping the original secret the same.

D. Proactive Secret Sharing Scheme using Matrix Projection [11]

Bai and Zou [11] proposed a proactive secret sharing scheme on top of the matrix projection secret sharing [10]. The renewal is based on Pythagorean triples, i.e. three integers (Z1, Z2, Z3) satisfying Z1^2 + Z2^2 = Z3^2. Assume that a secret matrix S of size m × m is shared among n participants using the matrix projection secret sharing scheme. The scheme [11] allows the participants to renew their shares periodically: the dealer sends some information to all participants, which they use to renew their shares. The procedure is explained below. At the beginning of each time interval the dealer generates a matrix T from a matrix L (given below) that is built from a Pythagorean triple. The dealer shares this matrix T with all n participants, who update their shares with it.
Any k updated shares can be used to reconstruct the original secret, while a combination of old and new shares does not let an adversary learn the secret. The dealer uses the following steps to generate the matrix T from the matrix L. The triple (Z1, Z2, Z3) is used to construct a k × k matrix L.
1. Generate the k × k matrix L with two random indices g and h, g ≠ h, as given by the equation below.

$$ L_{ij} = \begin{cases} \dfrac{Z_1}{Z_3} \bmod p & i = j = g \\[4pt] \dfrac{Z_1}{Z_3} \bmod p & i = j = h \\[4pt] \dfrac{Z_2}{Z_3} \bmod p & i = g,\ j = h \\[4pt] -\dfrac{Z_2}{Z_3} \bmod p & i = h,\ j = g \\[4pt] 0 & \text{otherwise} \end{cases} $$

2. After constructing the matrix L, the matrix T used for renewal of the shares is built from L and the identity matrix I:

$$ T = \begin{pmatrix} I_{(m-k)\times(m-k)} & 0_{(m-k)\times k} \\ 0_{k\times(m-k)} & L \end{pmatrix} $$

3. The matrix T is shared with all n participants, and each participant renews its share by multiplying T with its old share vi: vi^t = (T vi) (mod p) for 1 ≤ i ≤ n. The secret is reconstructed from the updated shares as explained below.

Reconstruction of the secret from updated shares
1. Collect k updated shares from any k participants, say v1^t, v2^t, …, vk^t, and construct the matrix B^t = [v1^t v2^t … vk^t].
2. Calculate the projection matrix $^t = (B^t ((B^t)' B^t)^−1 (B^t)') (mod p).
3. Compute the secret S = ($^t + R) (mod p).

The main advantages of this scheme are strong protection of the secret and a small share size. The scheme does not require communication among participants to renew the old shares, and it can be used for multiple secret sharing. The next section describes the secret sharing in linearly independent vectors.

III. PRELIMINARIES

The proposed scheme is based on secret sharing in the dot product of linearly independent vectors [12]. The preliminaries for the proposed scheme are discussed below.

Dot product of vectors: the dot product of two vectors U and V is written U·V. For

u = (u1, u2, u3) and v = (v1, v2, v3), u·v = u1 v1 + u2 v2 + u3 v3.

The scheme uses the dot product of vectors to share the secret. It randomly chooses two linearly independent vectors whose dot product is the secret to be shared among the participants: if the secret is S, the two linearly independent vectors U and V are randomly generated so that S = U·V. This adds security to the scheme, as the secret is not shared directly but in the form of a dot product of vectors. The properties of the dot product support the extended capabilities of the existing secret sharing scheme.

Properties of the dot product:
1. Commutativity: u·v = v·u.
2. Distributivity: u·(v + w) = u·v + u·w.
3. c(u·v) = (cu)·v = u·(cv).
4. 0·v = 0.
5. v·v = |v|^2.

The assumptions are given below:
Secret to be shared: S
Dealer: D
Number of participants: n
Set of participants: P = {P1, P2, …, Pn}
Threshold: t (minimum number of participants required to reconstruct the secret)

Secret sharing phase
The dealer D gets a secret S and creates n shares for the n participants using the following algorithm. It is assumed that the channel over which the created shares are distributed is secure.

Algorithm to create shares:
1. Choose a random vector X = (X1, …, Xt) and a random vector $ = ($1, …, $t) such that S = $·X, where S is the secret to be shared.
2. Choose a Vandermonde matrix Y with entries Yij, i = 1..n, j = 1..t. Its rows Yi are vectors of size t, and any t of them are linearly independent.
3. Calculate the shares Si, i = 1..n, for the n participants as
S1 = $1 Y11 + $2 Y12 + … + $t Y1t
S2 = $1 Y21 + $2 Y22 + … + $t Y2t
…
Sn = $1 Yn1 + $2 Yn2 + … + $t Ynt
i.e. Si = $·Yi.
4. The dealer makes the matrix Y and the vector X public.
5. The dealer destroys the secret S and the vector $.
6. The dealer distributes the created shares to the n participants over a secure channel.

Secret reconstruction phase
At least t participants must take part to reconstruct the original secret S.

Algorithm to reconstruct the secret:
1. The dealer asks the participants to submit their shares.
2. The dealer selects the shares of any t participants, S1, S2, …, St, for reconstruction of the original secret.
3. The dealer recovers the vector $ from the t shares and the public matrix Y by solving the t linear equations Si = $1 Yi1 + $2 Yi2 + … + $t Yit.
4. The dealer reconstructs the original secret S as the dot product of $ and the public vector X.

The scheme is extended to renewal of shares in the next section.

IV. PROPOSED SCHEME

This section describes the proposed proactive secret sharing scheme for the secret sharing in linearly independent vectors explained in the previous section. It is an extension of the scheme presented in [12]: using the properties of the dot product, the scheme is extended to a proactive one that renews the shares while keeping the original secret the same. The proactive technique is based on orthogonal vectors, i.e. vectors whose dot product is zero: V1 and V2 are orthogonal if V1·V2 = 0. In this scheme, after the initialization, at the beginning of each time period the dealer activates an update phase in which the participants perform a share renewal protocol.
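The sharing and reconstruction algorithms above, together with the orthogonal-vector renewal step that Section IV spells out next, as an added worked example; it is not code from [12] or from this paper. Arithmetic is done modulo a fixed prime p (the text does not fix a field for the proposed scheme), the Vandermonde nodes are 1, …, n, and the dealer's secret vector written $ in the text is called q in the code.

```python
"""(t, n) secret sharing in the dot product of linearly independent vectors
[12] with the orthogonal-vector share renewal of Section IV.
Added example; not code from [12] or this paper. Arithmetic mod a prime p,
Vandermonde nodes 1..n and the name q for the text's vector $ are assumptions."""
from __future__ import annotations

import secrets

P = (1 << 61) - 1  # prime modulus (assumption); the secret must be < P


def vandermonde(n: int, t: int) -> list[list[int]]:
    """Row i is Y_i = (1, i, i^2, ..., i^(t-1)); distinct nodes make any t
    rows linearly independent mod p."""
    return [[pow(i, j, P) for j in range(t)] for i in range(1, n + 1)]


def dot(u: list[int], v: list[int]) -> int:
    return sum(a * b for a, b in zip(u, v)) % P


def solve(A: list[list[int]], b: list[int]) -> list[int]:
    """Gauss-Jordan elimination mod p for a square non-singular system A x = b."""
    t = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(t):
        piv = next(r for r in range(col, t) if M[r][col] % P)
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(t):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * c) % P for a, c in zip(M[r], M[col])]
    return [row[t] for row in M]


def deal(secret: int, t: int, n: int):
    """Dealer: public X, secret q with q.X = S, shares S_i = q.Y_i."""
    x = [secrets.randbelow(P - 1) + 1 for _ in range(t)]   # public, nonzero
    q = [secrets.randbelow(P) for _ in range(t - 1)]
    # last coordinate fixed so that q.X = S (X_t is nonzero, hence invertible)
    q.append((secret - dot(q, x[:-1])) * pow(x[-1], -1, P) % P)
    Y = vandermonde(n, t)
    shares = {i + 1: dot(q, Y[i]) for i in range(n)}
    return x, Y, shares        # dealer destroys S and q; X and Y are public


def reconstruct(x, Y, shares: dict[int, int]) -> int:
    """Any t shares: solve Y_T q = s for q, then S = q.X."""
    t = len(x)
    ids = list(shares)[:t]
    q = solve([Y[i - 1] for i in ids], [shares[i] for i in ids])
    return dot(q, x)


def renew(x, Y, shares: dict[int, int]) -> dict[int, int]:
    """Dealer picks R with R.X = 0 and sends it to everyone; participant i
    replaces S_i by S_i + R.Y_i. The new shares encode q' = q + R and
    q'.X = q.X + R.X = S, so the secret is unchanged."""
    t = len(x)
    r = [secrets.randbelow(P) for _ in range(t - 1)]
    r.append((-dot(r, x[:-1])) * pow(x[-1], -1, P) % P)
    assert dot(r, x) == 0      # R is orthogonal to the public vector X
    return {i: (s + dot(r, Y[i - 1])) % P for i, s in shares.items()}


def demo(secret: int, t: int = 3, n: int = 5) -> dict:
    """Old shares, renewed shares, and a mix of both periods."""
    x, Y, old = deal(secret, t, n)
    new = renew(x, Y, old)
    mixed = {1: old[1], 2: old[2], 3: new[3]}
    return {
        "old_ok": reconstruct(x, Y, {2: old[2], 4: old[4], 5: old[5]}) == secret,
        "new_ok": reconstruct(x, Y, {1: new[1], 3: new[3], 5: new[5]}) == secret,
        "mixed_periods_ok": reconstruct(x, Y, mixed) == secret,
    }


if __name__ == "__main__":
    print(demo(123456789))
```

R must be freshly generated every period and satisfy R·X = 0 exactly; with X public and nonzero, any t−1 coordinates of R can be random and the last is solved for. Because the dealer generates R and also performs the reconstruction, the dealer remains a trusted party that can recover the secret at any time; the protection described on this page is against participants and passive adversaries, not against the dealer.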
The share renewal protocol is run by the dealer, and all participants Pi, 1 ≤ i ≤ n, update their shares simultaneously. The renewal of the shares and the reconstruction of the secret from updated shares are explained below.

A. Renewal of shares
The dealer randomly generates a vector R such that R·X = 0, where X is the public vector. R is distributed to all n participants over a secure channel. Each participant Pi updates its share as S'i = Si + R·Yi, where Si is the old i-th share and Yi is its corresponding (public) row of Y. Each participant destroys its old share and keeps only the updated value. Until the next renewal, all participants use these shares for reconstruction of the secret. The reconstruction of the secret from updated shares is explained below.

B. Reconstruction of the secret from updated shares

The dealer asks the participants to submit their shares, and the participants submit their updated values S'i. The dealer selects the shares of any t participants, S'1, S'2, …, S't, and recovers the vector $' (the reformed vector, $' = $ + R) from these t shares and the public matrix Y. The system of equations in the reconstruction phase is now

S'1 = S1 + R·Y1 = $'1 Y11 + $'2 Y12 + … + $'t Y1t

S'2 = S2 + R·Y2 = $'1 Y21 + $'2 Y22 + … + $'t Y2t
…
S'n = Sn + R·Yn = $'1 Yn1 + $'2 Yn2 + … + $'t Ynt

The recovered vector $' = $ + R differs from the original $, but its dot product with the public vector X gives the same secret: S = $'·X = $·X + R·X = $·X, because R·X = 0. The dealer therefore reconstructs the original secret S as $'·X. Thus the renewed shares combine to the same secret as the original ones, while t shares mixing past and present periods do not reconstruct the secret. As a result, the secret is protected from being revealed by passive adversaries. The next section presents a comparative study of a few proactive secret sharing schemes.

V. COMPARATIVE ANALYSIS

In this section the proposed scheme is compared with a few existing secret sharing schemes. Many applications cannot change the secret for a long time; in such applications it is essential to periodically update the shares held by the participants. More such schemes are described in [13] [14]. Proactive schemes provide security for long-lived secrets. Table I compares Shamir's secret sharing, Herzberg's proactive scheme and Bai's scheme with the proposed proactive secret sharing scheme. The comparison is based on the following parameters: whether the scheme handles active attacks; whether it is interactive while renewing the existing shares; whether it supports a change of threshold or a general access structure while providing the proactive feature; which technique is used for the proactive renewal; how the secret is shared; whether the scheme is verifiable; whether it supports multiple secret sharing; whether a secure channel is needed between the dealer and the participants and among the participants; and the computational complexity.
The comparative study shows that the proposed scheme is better than the existing schemes with respect to some of these parameters.

TABLE I. COMPARATIVE STUDY

Comparative Parameters                                    Shamir       Herzberg     Bai                    Proposed
Handles Active Attacks                                    No           Yes          No                     No
Interactive                                               Yes          Yes          No                     No
Change in threshold                                       No           No           No                     No
General Access Structure                                  No           No           No                     No
Proactive technique                                       Polynomial   Polynomial   Pythagorean Triplets   Orthogonal Vectors
Sharing of secret                                         Direct       Direct       Direct                 In the form of Dot Product
Verifiable                                                No           Yes          No                     No
Multiple Secret Sharing                                   No           No           Yes                    No
Need of Secure Channel between Dealer and Participants    Yes          Yes          Yes                    Yes
Need of Secure Channel among Participants                 Yes          Yes          No                     No
Computational Complexity                                  Less         More         More                   Less


The proposed scheme has low computational complexity. It does not require a secure channel among participants to update the old shares into new ones. Its proactive technique is based on orthogonal vectors, and the secret is not shared directly but in the form of a dot product of linearly independent vectors. The comparative study also shows that supporting a general access structure together with periodic renewal of shares remains a challenge; a more robust scheme is needed to support general access structures in proactive secret sharing.

VI. CONCLUSIONS

Some applications need proactive secret sharing because their secrets are sensitive and must remain the same for a long time. Proactive renewal gives stronger security against an adversary who compromises different participants over time, and it maintains both accessibility and confidentiality of the data. In this paper a proactive secret sharing scheme in the dot product of linearly independent vectors is proposed. The proposed scheme is non-interactive, so no secure channel is required among participants for the renewal of existing shares; a secure channel is still needed between the dealer and the participants (Table I). The scheme is less complex and secure. The paper also presents a comparative study of a few proactive secret sharing schemes, which shows that more robust proactive schemes are expected in the near future, supporting a change of threshold and general access structures.

REFERENCES
[1] Stinson, D.R., "Decomposition constructions for secret-sharing schemes", IEEE Trans. Inform. Theory, Vol. 40, pp. 118–125, 1994.
[2] Karnin, E.D., Greene, J.W. and Hellman, M.E., "On secret sharing systems", IEEE Trans. Inform. Theory, Vol. IT-29, pp. 35–41, 1983.
[3] Shamir, A., "How to share a secret", Communications of the ACM, Vol. 22, pp. 612–613, 1979.
[4] Blakley, G., "Safeguarding cryptographic keys", Proceedings of the AFIPS 1979 National Computer Conference, June, Arlington, VA, Vol. 48, pp. 313–317, 1979.
[5] Patil, S. and Deshmukh, P., "An Explication of Multifarious Secret Sharing Schemes", International Journal of Computer Applications, Vol. 46, No. 19, pp. 5–10, 2012.
[6] Patil, S. and Deshmukh, P., "Analyzing Relation in Application Semantics and Extended Capabilities for Secret Sharing Schemes", IJCSI International Journal of Computer Science Issues, Vol. 9, Issue 3, No. 1, pp. 219–226, 2012.
[7] Herzberg, A., Jarecki, S., Krawczyk, H. and Yung, M., "Proactive secret sharing or: how to cope with perpetual leakage", in Coppersmith, D. (Ed.): Advances in Cryptology – CRYPTO '95, August, Santa Barbara, CA, pp. 339–352, 1995.
[8] Feldman, P., "A practical scheme for non-interactive verifiable secret sharing", Proceedings of the 28th IEEE Symposium on Foundations of Computer Science (FOCS '87), 12–14 October, IEEE Computer Society, Los Angeles, California, pp. 427–437, 1987.
[9] Pedersen, T.P., "Non-interactive and information theoretic secure verifiable secret sharing", in Feigenbaum, J. (Ed.): Advances in Cryptology – CRYPTO '91, IACR, Springer-Verlag, University of California, Santa Barbara, 11–15 August, pp. 129–140, 1991.
[10] Bai, L., "A strong ramp secret sharing scheme using matrix projection", Second International Workshop on Trust, Security and Privacy for Ubiquitous Computing, Niagara Falls, Buffalo, NY, pp. 652–656, 2006.
[11] Bai, L. and Zou, X., "Proactive Secret Sharing Scheme in matrix projection method", Int. J. Security and Networks, Vol. 4, No. 4, pp. 201–209, 2009.
[12] Patil, S. and Deshmukh, P., "A Novel (t, n) Threshold Secret Sharing Using Dot Product of Linearly Independent Vectors", International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE), Vol. 2, Issue 7, pp. 2521–2524, 2013.
[13] Beimel, A. and Chor, B., "Secret sharing with public reconstruction", IEEE Trans. Inform. Theory, Vol. 44, pp. 1887–1896, 1998.
[14] Zhou, L., "APSS: Proactive Secret Sharing in Asynchronous Systems", ACM Transactions on Information and System Security, Vol. 8, No. 3, pp. 259–286, 2005.
