Universal Construction of Cheater-Identifiable Secret Sharing Against Rushing Cheaters without Honest Majority

Masahito Hayashi
Graduate School of Mathematics, Nagoya University
Centre for Quantum Technologies, National University of Singapore
Email: [email protected]

Takeshi Koshiba
Graduate School of Science and Engineering, Saitama University
Email: [email protected]
arXiv:1701.04470v1 [cs.CR] 16 Jan 2017

Abstract—For conventional secret sharing, if cheaters can submit possibly forged shares after observing the shares of the honest users in the reconstruction phase, then they can not only disturb the protocol but also be the only ones who reconstruct the true secret. To overcome this problem, secret sharing schemes with the property of cheater identification have been proposed. Existing protocols for cheater-identifiable secret sharing assumed non-rushing cheaters or an honest majority. In this paper, we remove both conditions simultaneously, and give a universal construction from any secret sharing scheme. To this end, we propose the concepts of “individual identification” and “agreed identification”.

Index Terms—secret sharing, universal construction, rushing cheater, cheater-identification, without honest majority

I. INTRODUCTION

Secret sharing is a basic primitive for secure information transmission [1]. It involves a dealer who has a secret S in the secret set $\mathcal{S}$ and a set of players. The dealer divides the secret S into n shares and distributes the shares to n players such that if a set of players is qualified then all the players in the set can reconstruct the secret, and if the set of players is not qualified then the players in the set cannot obtain any information about the secret. In the case of a (k,n)-threshold scheme, any set of k players is qualified. Generally, a family A of subsets of {1,...,n} is the access structure of a secret sharing protocol when any subset in A can reconstruct the secret S and the others can learn nothing about it. It is known that when a family A of subsets is closed with respect to the union, there exists a secret sharing protocol whose access structure is A when the message size and the share size are sufficiently large [2]. Further, when a non-qualified set of players obtains a part of the information, the protocol is called a ramp scheme secret sharing protocol [11].

For conventional secret sharing protocols, it is assumed that everyone involved in the protocol is honest or semi-honest. However, in a real scenario, some participants may behave maliciously in the execution of the protocol. In particular, a part of the players may submit incorrect shares so as to yield an incorrect secret in the reconstruction phase. To overcome this problem, additional properties beyond conventional secret sharing have been considered, and new schemes such as cheater-detectable secret sharing (CDSS) [3] and cheater-identifiable secret sharing (CISS) [4] have been proposed. A protocol is called a (t, ε)-cheater-detectable secret sharing (CDSS) when it detects the existence of cheaters among the players involved in reconstruction with probability 1 − ε under the condition that the number of cheaters is not greater than t. A protocol is called a (t, ε)-cheater-identifiable secret sharing (CISS) when it identifies who submitted incorrect shares with probability 1 − ε under the condition that the number of cheaters is not greater than t.

However, cheaters may submit their shares after observing the shares of honest players. Such cheaters are called rushing cheaters. The papers [8], [9], [10], [6] proposed CISS protocols that work properly against such rushing cheaters. To achieve this task, their sharing phase is composed of two rounds. Unfortunately, these protocols cannot identify the cheaters when the number of cheaters is more than half of the players involved in reconstruction. In this situation, only the protocol in [6] can detect the existence of cheaters without identifying them. Ishai et al. [5] proposed another CISS protocol identifying them even when the number of cheaters is more than half of the players involved in reconstruction. To achieve this task, they propose a locally-identifiable secret sharing (LISS), in which a server identifies the cheaters instead of each player, but their LISS is not robust against rushing cheaters. In their protocol, the players submit their shares to the server, and the server recovers the secret and identifies the cheaters for each player. While the server sends each player information to identify the cheaters, this information depends on the player. That is, this information is correct only when the player is honest. Hence, their identifications do not agree in this protocol.

In a real scenario, it is not easy to prepare the server. Therefore, it is strongly required to propose a protocol that identifies the rushing cheaters even when more than half of the players involved in reconstruction are cheaters. In this paper, to resolve this problem, we propose the concepts of “individual identification” and “agreed identification”. A CISS protocol with individual identification privately identifies the cheaters, so that the identification depends on the individual player. A CISS protocol with agreed identification commonly identifies the cheaters, so that the identification is independent of the player. The difference between these two types of protocols is based on whether their identifications agree or not. The protocol in [5] belongs to the former, and the protocols in [8], [9], [10], [6] belong to the latter. However, we do not need to distinguish CDSS protocols in this way because there is no advantage even when a CDSS protocol individually detects the existence of the cheaters.

We propose a CISS protocol with individual identification as well as a CISS protocol with agreed identification. Both protocols work well even with rushing cheaters, and the latter is composed of two rounds, as is the protocol in [6]. The former can identify the cheaters even when more than half of the players involved in reconstruction are cheaters. The latter can detect the existence of the cheaters under the same situation, but can identify the cheaters only when less than half of the players in reconstruction are cheaters. When less than half of the players involved in reconstruction are cheaters, even the latter can identify the cheaters. This performance is the same as that of the protocol given in [6].

Next, we discuss the construction of protocols. Algebraic structures underlie many CISS protocols [8], [9], [10], [6], as in the original construction by Shamir. They are limited to (k,n)-threshold scheme protocols. However, in the community of information theory, many efficient secret sharing protocols were proposed for the case when the size of the secret is large [11], [2]. Protocols with general access structure were constructed [2]. Also, ramp scheme secret sharing protocols were constructed [11]. Such general secret sharing protocols were not used in these CISS protocols. Hence, it is desired to construct a CISS protocol by converting an existing secret sharing protocol. Such a construction is called a universal construction. The protocol in [5] is universal in this sense. But it was constructed by converting an existing secret sharing protocol only when the share is given as an element of a finite field. So, to make the scheme more secure, it needs a finite field of larger size. Our construction is universally given when the share of the existing secret sharing protocol is given as an element of a vector space over a finite field. That is, it does not require a finite field of large size.

From a practical viewpoint, we need to care about the calculation complexity of the protocol. A protocol is efficient when its calculation complexity is not so large. When the players identify the cheaters with probability $1 - e^{-\ell}$, the calculation complexity of the protocols given in [6] is O(ℓ log ℓ). When the protocol is universally constructed, the total calculation complexity depends on the original secret sharing protocol. In this case, we focus on the calculation complexity except for the part of the original protocol. In this sense, the protocol in [5] is O(ℓ log ℓ), and our protocol is also O(ℓ log ℓ).

However, we cannot necessarily choose the security parameter ℓ freely. In the protocols in [8], [9], [10], the security parameter ℓ depends on the size of the secret. Hence, it is desired to choose the security parameter ℓ flexibly. We call a protocol flexible when the security parameter ℓ can be set independently, i.e., independent of the secret size. Flexibility provides the power of partial customization of the length of random strings, according to the requirement. The protocol in [6] can flexibly choose the security parameter ℓ by adjusting the finite field with prime size. Also, the protocol in [5] can flexibly choose the security parameter ℓ by adjusting the finite field appearing in the original protocol. Although these protocols offer flexibility, the security parameter ℓ depends on the size of the finite field. The above calculation complexity O(ℓ log ℓ) can be realized by suitable choices of the size of the finite field in these protocols [12]. Hence, the choice of the security parameter ℓ has a certain restriction when we keep the calculation complexity O(ℓ log ℓ). Therefore, it is desired to choose the security parameter ℓ completely freely. Fortunately, our protocol works with any finite field, and the security parameter ℓ can be freely chosen independently of the size of the finite field and the secret size. Therefore, our protocol is flexible and works even with the finite field $\mathbb{F}_2$, which simplifies the realization. Overall, the comparison of the performance of existing protocols with ours is summarized in Table I.

TABLE I
COMPARISON OF PROPOSED CISS PROTOCOL WITH EXISTING CISS PROTOCOLS

                  Number of   Rushing   Universal      Efficiency    Flexibility   Large
                  Cheaters              Construction                               Finite Field
[5]               t < n       No        Yes            O(ℓ log ℓ)    No            Need
[8], [9], [10]    t < k/2     Yes       No             O(ℓ log ℓ)    No            Need
[6]               t < k/2     Yes       No             O(ℓ log ℓ)    Yes           Need
Proposed          t < n       Yes       Yes            O(ℓ log ℓ)    Yes           Needless

n is the number of the players. t is the number of the cheaters. k is the number of qualified players. $1 - e^{-\ell}$ is the success probability of identifying the cheaters. Efficiency shows the calculation complexity of the protocol. Flexibility is the independence of the choice of the security parameter ℓ from the secret size or the form of the original protocol.

The remaining part of this paper is as follows. Section II gives our CISS protocol for individual identification. Section III shows its security. Section IV gives our CISS protocols for agreed identification and detection. Section V compares the overhead of ours with those of existing protocols.

II. PROTOCOL FOR INDIVIDUAL IDENTIFICATION

Let n be the number of players and ℓ′ be the security parameter. That is, we will construct our protocol so that the verifier identifies the cheater with probability more than $1 - q^{-\ell'}$.
[Fig. 1: illustration omitted. Panels: “CISS for Individual Identification” ($P_1$ identifies $P_2$ and $P_3$ as cheaters); “CDSS” (they consider that there exists at least one cheater); “CISS for Agreed Identification” (they identify $P_1$ as a cheater if $P_2$ and $P_3$ collude together).]

Fig. 1. A case of majority cheaters. A blue circle expresses an honest player and red circles express cheaters.
Let (Sh, Rc) be a secret sharing protocol realizing access structure A with $\mathrm{Sh}: \mathcal{S} \to V^n$, where V is an m-dimensional vector space $\mathbb{F}_q^m$ over a finite field $\mathbb{F}_q$. To present our CISS protocol for individual identification based on the protocol (Sh, Rc), we make preparations as follows. For the secret S, we define the random number $X_i := \mathrm{Sh}_i(S)$ as the share of the i-th player, which is sent by the dealer. For $i \ne j$, the dealer independently generates n(n − 1) random numbers $Z_{j,i}$ taking values in $\mathbb{F}_q^{\ell'}$. Also, the dealer independently generates the $\ell' \times m$ Toeplitz matrix $T_j$. Then, the dealer calculates the random number $Y_{j,i} := T_j X_i + Z_{j,i}$. Now, we give our CISS protocol for individual identification as Protocol 1. From Protocol 1, we find that its calculation complexity is $O(\ell' \log \ell')$.

Protocol 1 CISS protocol for individual identification
STEP 1: [Dealing] The dealer sends the j-th player the publishable information $(X_j, \prod_{i \ne j} Z_{j,i})$ and the identification information $(T_j, \prod_{i \ne j} Y_{j,i})$.
STEP 2: [Sharing] The players wishing to open the information send their publishable information.
STEP 3: [Reconstruction] The players reconstruct the original information from the collection of $X'_i$.
STEP 4: [Identification] The j-th player checks whether the relation
    $Y_{j,i} = T_j X'_i + Z'_{j,i}$    (1)
holds when the information received from the i-th player is $(X'_j, \prod_{i \ne j} Z'_{j,i})$.

III. SECURITY ANALYSIS

Since the function $(X_i, Z_{j,i}) \mapsto T_j X_i + Z_{j,i}$ is a universal$_2$ hash function with the randomly chosen Toeplitz matrix $T_j$, relation (1) holds with probability smaller than $q^{-\ell'}$ if the j-th player cheats. Therefore, even though all of the players except for the i-th player cheat, even with collusion, the i-th player can identify who cheats with high probability, as in Fig. 1.

Also, even though several players collude together, they cannot obtain any information about the shares of other players, as follows. To see this fact, we assume that the $j_1$-th player, the $j_2$-th player, ..., the $j_a$-th player collude together. We focus on the information $X_i$ shared by the i-th player. Since $Z_{j,i}$ is independent and uniform, $Y_{j_1,i}, Y_{j_2,i}, \ldots, Y_{j_a,i}$ are independent of $T_{j_1} X_i, T_{j_2} X_i, \ldots, T_{j_a} X_i$. Since they obtain no information about $T_{j_1} X_i, T_{j_2} X_i, \ldots, T_{j_a} X_i$, they obtain no information about $X_i$.

Thus, if the original protocol with shares $X_i$ works well as secret sharing, our protocol also works well as secret sharing. In summary, we have the following theorem.

Theorem 1: Protocol 1 is an $(n-1, q^{-\ell'})$-CISS protocol realizing access structure A with secret space $\mathcal{S}$ and share space $\mathcal{S}_i = \mathbb{F}_q^{(2n-1)\ell' + 2m - 1}$.

IV. PROTOCOL FOR AGREED IDENTIFICATION

Now, we can give our CISS protocol for agreed identification as Protocol 2.

Protocol 2 CISS protocol for agreed identification
STEP 1: [Dealing] The dealer sends the j-th player the publishable information $(X_j, \prod_{i \ne j} Z_{j,i})$ and the identification information $(T_j, \prod_{i \ne j} Y_{j,i})$.
STEP 2: [Sharing (Round 1)] The players wishing to open the information send their first part information.
STEP 3: [Sharing (Round 2)] The players wishing to open the information send their second part information.
STEP 4: [Reconstruction] The players reconstruct the original information from the collection of $X'_i$.
STEP 5: [Identification] We employ majority voting over the results of the respective individual identifications.

Since the majority voting over the results of the respective individual verifications identifies who cheats if more than half of the players wishing the reconstruction are honest, we have the following theorem.

Theorem 2: Protocol 2 is a $(\lceil (k-1)/2 \rceil, q^{-\ell'})$-CISS protocol realizing access structure A with secret space $\mathcal{S}$ and share space $\mathcal{S}_i = \mathbb{F}_q^{(2n-1)\ell' + 2m - 1}$.

Modifying Step 5 in Protocol 2 in the following way, we can make a CDSS protocol, which is called Protocol 2′. If there exists a player who individually identifies at least one cheater, we consider that there exists a cheater. So, Protocol 2′ detects the existence of the cheaters with probability $1 - q^{-\ell'}$, as in Fig. 1, which yields the following theorem.

Theorem 3: Protocol 2′ is an $(n-1, q^{-\ell'})$-CDSS protocol realizing access structure A with secret space $\mathcal{S}$ and share space $\mathcal{S}_i = \mathbb{F}_q^{(2n-1)\ell' + 2m - 1}$.

We can freely choose the security parameter ℓ independently of the secret size and share size of the original secret sharing protocol. Also, we do not use huge finite fields. That is, we can realize any security parameter ℓ even with the finite field $\mathbb{F}_2$. These characteristics simplify the realization. We have checked that the overhead of our protocols is not so huge in comparison with existing protocols.
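The following Python program is an added example and is not code from the paper. It runs the dealing step of Protocol 1, the check of relation (1), the majority vote of Protocol 2 and the detection rule of Protocol 2′ over $\mathbb{F}_2$ for three players, and reproduces the Fig. 1 scenario in which two colluding rushing cheaters forge their shares: the honest player's individual identification is correct, the agreed identification blames the honest player, and Protocol 2′ still detects that cheating occurred. The original secret sharing (Sh, Rc) is treated as a black box and the shares $X_i$ are constructed bit vectors. The function forgery_distribution additionally checks the Section III claim by enumerating every $\ell' \times m$ Toeplitz matrix: for a fixed nonzero difference $X'_i - X_i$ the value $T_j(X'_i - X_i)$ is uniform, so a forged pair passes (1) with probability exactly $q^{-\ell'}$. Two assumptions are this example's own: the mask $Z_{j,i}$ is held and published by the i-th player (which is what relation (1) and the independence argument of Section III require, although the printed Step 1 indexes it by the receiving player), and the cheaters do not literally rewrite $T$, $Z$, $Y$ but simply report the votes that serve them. The names deal, individual_identify, agreed_identify, simulate and forgery_distribution are invented here.

```python
# Added example (not the paper's code): Protocols 1, 2 and 2' over F_2 with a black-box
# original secret sharing. Assumption: the mask Z_{j,i} is held and published by player i,
# while player j keeps T_j and the tags Y_{j,i} = T_j X_i + Z_{j,i} (the paper's index order).
import random
from itertools import product

Q = 2  # the paper notes that its construction works even over F_2


def toeplitz(diag, lp, m):
    """l' x m Toeplitz matrix from its l'+m-1 diagonal entries: T[r][c] = diag[r - c + m - 1]."""
    assert len(diag) == lp + m - 1
    return [[diag[r - c + m - 1] for c in range(m)] for r in range(lp)]


def mat_vec(T, x):
    return [sum(t * xi for t, xi in zip(row, x)) % Q for row in T]


def vec_add(a, b):
    return [(u + v) % Q for u, v in zip(a, b)]


def check(T_j, y, x, z):
    """Relation (1): does Y_{j,i} == T_j X'_i + Z'_{j,i} hold for the received (X'_i, Z'_{j,i})?"""
    return y == vec_add(mat_vec(T_j, x), z)


def deal(shares, lp, rng):
    """Dealing step. pub[i] = (X_i, {j: Z_{j,i}}) is what player i publishes at opening time;
    ident[j] = (T_j, {i: Y_{j,i}}) is the identification information player j keeps."""
    n, m = len(shares), len(shares[0])
    T = [toeplitz([rng.randrange(Q) for _ in range(lp + m - 1)], lp, m) for _ in range(n)]
    Z = {(j, i): [rng.randrange(Q) for _ in range(lp)]
         for j in range(n) for i in range(n) if i != j}
    Y = {(j, i): vec_add(mat_vec(T[j], shares[i]), Z[(j, i)]) for (j, i) in Z}
    pub = [(shares[i], {j: Z[(j, i)] for j in range(n) if j != i}) for i in range(n)]
    ident = [(T[j], {i: Y[(j, i)] for i in range(n) if i != j}) for j in range(n)]
    return pub, ident


def individual_identify(j, ident_j, received):
    """Protocol 1, Step 4, run by player j: the set of i whose published pair violates (1)."""
    T_j, Y_j = ident_j
    return {i for i, (x, zmap) in received.items()
            if i != j and not check(T_j, Y_j[i], x, zmap[j])}


def agreed_identify(votes):
    """Protocol 2, Step 5: i is a cheater if more than half of the reported results accuse i."""
    accused = set().union(*votes)
    return {i for i in accused if 2 * sum(i in v for v in votes) > len(votes)}


def detect(votes):
    """Protocol 2': some player individually identified at least one cheater."""
    return any(votes)


def simulate(cheaters, n=3, m=8, lp=32, seed=1):
    """One opening with a colluding set of rushing cheaters. Honest players verify with (1);
    each cheater publishes a forged share (one flipped bit) with its original masks and reports
    a vote that accuses every honest player and clears its accomplices. Returns (the honest
    players' individual identifications, the agreed identification, the Protocol 2' verdict)."""
    rng = random.Random(seed)
    shares = [[rng.randrange(Q) for _ in range(m)] for _ in range(n)]  # constructed X_1..X_n
    pub, ident = deal(shares, lp, rng)
    received = {i: (([(x[0] + 1) % Q] + x[1:]) if i in cheaters else x, zmap)
                for i, (x, zmap) in enumerate(pub)}
    honest = [j for j in range(n) if j not in cheaters]
    views = {j: individual_identify(j, ident[j], received) for j in honest}
    votes = [views[j] if j in honest else set(honest) for j in range(n)]
    return views, agreed_identify(votes), detect(votes)


def forgery_distribution(delta, lp):
    """Section III check: tabulate T * delta over ALL l' x m Toeplitz matrices for a fixed
    nonzero delta = X'_i - X_i. A forged pair passes (1) iff the cheater guessed this value,
    so the best guess succeeds with probability max(count) / total, which equals q^(-l')."""
    m = len(delta)
    counts = {}
    for diag in product(range(Q), repeat=lp + m - 1):
        v = tuple(mat_vec(toeplitz(list(diag), lp, m), delta))
        counts[v] = counts.get(v, 0) + 1
    return max(counts.values()) / Q ** (lp + m - 1), len(counts)


if __name__ == "__main__":
    print("Fig. 1 (P2, P3 collude):", simulate({1, 2}))   # ({0: {1, 2}}, {0}, True)
    print("single cheater P3:      ", simulate({2}))      # ({0: {2}, 1: {2}}, {2}, True)
    print("all honest:             ", simulate(set()))    # ({0: set(), 1: set(), 2: set()}, set(), False)
    print("forgery success, l'=3:  ", forgery_distribution([1, 0, 1], 3))  # (0.125, 8)
```

The share-size count of Theorem 1 is visible in deal: player j stores m symbols of $X_j$, (n − 1)ℓ′ mask symbols, ℓ′ + m − 1 Toeplitz entries and (n − 1)ℓ′ tag symbols, which sums to (2n − 1)ℓ′ + 2m − 1. In simulate the honest player's check can only be fooled if $T_j$ maps the flipped bit to zero, which forgery_distribution shows happens with probability $2^{-\ell'}$ regardless of which bits differ.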
Now, we consider the case when more than half of the players collude together. We assume that only the $j_0$-th player is honest and that the majority cheaters, the $j_1$-th player, ..., the $j_a$-th player, collude together. The cheater, the $j_v$-th player, rewrites $T_{j_v}$, $Z_{j_v,j_w}$ and $Y_{j_v,j_w}$ for $1 \le v \le a$, $0 \le w \le a$ so that $Y_{j_v,j_w} = T_{j_v} X_{j_w} + Z_{j_v,j_w}$ for $1 \le w \le a$ and $Y_{j_v,j_0} \ne T_{j_v} X_{j_0} + Z_{j_v,j_0}$. Due to the majority voting, the agreed identification is that the honest player, the $j_0$-th player, is a cheater. Therefore, when the majority cheat, the identification of our CISS protocol for agreed identification is incorrect while the identification of our CISS protocol for individual identification is correct, as in Fig. 1.

V. COMPARISON OF OVERHEAD

First, we compare the overhead of the protocol in [5] with ours. Let u be the size of the share of the original secret sharing protocol. When the success probability is $1 - e^{-\ell}$, the size of the share of their CISS protocol is greater than $u\, e^{(4n+1)\ell} (n^2(n+1))^{4n+1}$. That is, their overhead is $e^{(4n+1)\ell} (n^2(n+1))^{4n+1}$. However, our protocol has overhead $e^{(2n-1)\ell} q^{m-1}$. That is, their exponential coefficient with respect to the security parameter ℓ is twice ours.

Next, we compare the overhead of the protocol in [6] with ours. Since their protocol is specific to the (k,n)-threshold scheme, we translate our overhead to the (k,n)-threshold scheme. When the secret size is |S|, the conventional (k,n)-threshold scheme has share size |S| p(n) for some polynomial p. When we construct our CISS protocol based on this secret sharing protocol, the share size is $|S|\, p(n)\, e^{(2n-1)\ell} q^{m-1}$. That is, its exponential coefficient with respect to the security parameter ℓ is still (2n − 1). In contrast, the $(\lceil k/2 \rceil, e^{-\ell})$-CISS protocol in [6] has share size $v (n - \lceil k/2 \rceil)^{n+k} e^{(n+k)\ell}$. That is, its exponential coefficient with respect to the security parameter ℓ is n + k. So, when k is close to n, these two overheads are almost the same.

VI. DISCUSSION

Firstly, we have proposed to distinguish a CISS protocol for individual identification from a CISS protocol for agreed identification. Then, based on any existing secret sharing protocol, we have universally constructed CISS protocols for individual identification and agreed identification as well as a CDSS protocol. Our CISS protocol for individual identification and our CDSS protocol work well even when more than half of the players involved in reconstruction are cheaters. Our CISS protocol for agreed identification works well when less than half of the players in reconstruction are cheaters. Our protocols have calculation complexity O(ℓ log ℓ) when the probability of successfully identifying (detecting) the cheaters is $1 - e^{-\ell}$.

ACKNOWLEDGMENTS

MH was supported in part by a JSPS Grant-in-Aid for Scientific Research (B) No. 16KT0017, the Okawa Research Grant and the Kayamori Foundation of Information Science Advancement. TK was supported in part by JSPS Grant-in-Aids for Scientific Research (A) No. 16H01705, for Scientific Research on Innovative Areas No. 24106008, and for Challenging Exploratory Research No. 26540002.

REFERENCES

[1] A. Shamir: How to share a secret, Communications of the ACM 22(11):612–613 (1979).
[2] M. Iwamoto and J. Shikata: Secret sharing schemes based on min-entropies, in Proc. of IEEE International Symposium on Information Theory (ISIT 2014), pp. 401–405 (2014).
[3] M. Tompa and H. Woll: How to share a secret with cheaters, J. Cryptology 1(3):133–138 (1989).
[4] R. J. McEliece and D. V. Sarwate: On sharing secrets and Reed-Solomon codes, Communications of the ACM 24(9):583–584 (1981).
[5] Y. Ishai, R. Ostrovsky, H. Seyalioglu: Identifying cheaters without an honest majority, in Proc. the 9th Theory of Cryptography Conference (TCC 2012), Lecture Notes in Computer Science 7194, pp. 21–38, Springer (2012).
[6] A. Adhikari, K. Morozov, S. Obana, P. S. Roy, K. Sakurai, and R. Xu: Efficient threshold secret sharing schemes secure against rushing cheaters, in Proc. the 9th International Conference on Information Theoretic Security (ICITS 2016), Lecture Notes in Computer Science 10015, pp. 3–23, Springer (2016).
[7] K. M. Martin: Challenging the adversary model in secret sharing schemes, http://www.isg.rhul.ac.uk/~martin/files/Brusselsfinal.pdf
[8] P. S. Roy, A. Adhikari, R. Xu, K. Morozov, and K. Sakurai: An efficient t-cheater identifiable secret sharing scheme with optimal cheater resiliency, eprint.iacr.org/2014/628.pdf
[9] R. Xu, K. Morozov, and T. Takagi: On cheater identifiable secret sharing schemes secure against rushing adversary, in Proc. the 8th International Workshop on Security (IWSEC 2013), Lecture Notes in Computer Science 8231, pp. 258–271, Springer (2013).
[10] R. Xu, K. Morozov, and T. Takagi: Cheater identifiable secret sharing schemes via multi-receiver authentication, in Proc. the 9th International Workshop on Security (IWSEC 2014), Lecture Notes in Computer Science 8639, pp. 72–87, Springer (2014).
[11] H. Yamamoto: On secret sharing systems using (k,L,n) threshold scheme, IEICE Trans., J68A(9):945–952 (1985), in Japanese. English translation: Electronics and Communications in Japan, Part I, vol. 69, no. 9, pp. 46–54, Scripta Technica, Inc., 1986.
[12] M. Hayashi and T. Tsurumaru: More efficient privacy amplification with less random seeds via dual universal hash function, IEEE Transactions on Information Theory, 62(4):2213–2232 (2016).