Page 1

[Slide navigation: What is Black Box Secret Sharing? | Using Algebraic Number Fields | New Approach: Primitive Sets | Conclusion]

Black-Box Secret Sharing from Primitive Sets in Algebraic Number Fields

Ronald Cramer (1,2), Serge Fehr (1), Martijn Stam (3)

(1) CWI (Amsterdam)
(2) Mathematical Institute, Leiden University
(3) Department of Computer Science, University of Bristol

17 August 2005

Page 2


Outline

1. What is Black Box Secret Sharing?
   - Threshold Secret Sharing
   - Example: Shamir Secret Sharing
   - Black Box Secret Sharing Schemes
2. Using Algebraic Number Fields
   - Weak Black Box Secret Sharing
   - Two Previous Proposals
3. New Approach: Primitive Sets
   - In Theory
   - In Practice
4. Conclusion

Page 3


Threshold Secret Sharing

Dealing

n: the number of participants;
s: the secret;
s_i: a share, 0 < i ≤ n.

[Figure: distribution phase. The dealer, holding the secret s, sends share s_1 to player 1, s_2 to player 2, ..., s_n to player n.]

Page 4


Threshold Secret Sharing

Requirements

n: the number of participants;
t: the threshold;
s: the secret;
s_i: a share, 0 < i ≤ n.

Completeness: Any qualified subset A (of at least t + 1 participants) can recover the secret;

Privacy: No non-qualified subset (of at most t participants) obtains any Shannon information about the secret.

Share Expansion: The average length of a share, relative to the length of the secret:

$\frac{\sum_{i=1}^{n} \mathrm{length}(s_i)}{n \cdot \mathrm{length}(s)}$

Page 5


Shamir Secret Sharing

Based on polynomial evaluation.

Setting: s ∈ F, where F is any finite field.

Dealing: Pick (g_0, ..., g_{t−1}) ∈ F^t at random. Let g_t = s.

$g(x) := g_0 + g_1 x + \cdots + g_t x^t$

Participant i gets share s_i = g(α_i), where the α_i ∈ F are pairwise distinct.

Reconstruction: Lagrange interpolation over a qualified set A of t + 1 participants,

$s = g_t = \sum_{i \in A} \Big( \prod_{j \in A,\, j \neq i} \frac{1}{\alpha_i - \alpha_j} \Big) \, s_i$
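The slide's variant of Shamir (secret as the leading coefficient g_t, reconstruction via the leading-coefficient formula) worked through in code. This is an added example, not code from the talk; it assumes a constructed prime field GF(P) with P = 2^61 − 1 and evaluation points α_i = i. The `share_implied_by` helper makes the privacy requirement concrete: t shares plus any guessed secret determine a polynomial that is fully consistent with those shares, so t shares give no information about s.

```python
import secrets

# Constructed example field GF(P) for a prime P; the slide allows any finite field F.
# Evaluation points alpha_i = i are pairwise distinct, as the reconstruction formula
# divides by alpha_i - alpha_j.
P = 2**61 - 1


def inv(a: int) -> int:
    """Multiplicative inverse in GF(P), valid because P is prime."""
    return pow(a % P, P - 2, P)


def deal(s: int, n: int, t: int) -> list[tuple[int, int]]:
    """Dealer, exactly as on the slide: g_0..g_{t-1} uniformly random, g_t = s,
    and participant i receives s_i = g(alpha_i) with alpha_i = i."""
    coeffs = [secrets.randbelow(P) for _ in range(t)] + [s % P]  # g_0 ... g_t
    shares = []
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of g at alpha_i = i
            y = (y * i + c) % P
        shares.append((i, y))
    return shares


def reconstruct(shares: list[tuple[int, int]]) -> int:
    """Recover s = g_t from exactly t+1 shares A via the slide's formula:
    s = sum_{i in A} ( prod_{j in A, j != i} 1/(alpha_i - alpha_j) ) * s_i.
    Each product is the leading coefficient of a Lagrange basis polynomial,
    so the sum extracts the x^t coefficient of the interpolated g."""
    total = 0
    for i, (ai, si) in enumerate(shares):
        coef = 1
        for j, (aj, _) in enumerate(shares):
            if j != i:
                coef = coef * inv(ai - aj) % P
        total = (total + si * coef) % P
    return total


def lagrange_eval(points: list[tuple[int, int]], x: int) -> int:
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * inv(den)) % P
    return total


def share_implied_by(t_shares: list[tuple[int, int]], candidate: int, x: int) -> int:
    """Privacy made concrete: t shares plus ANY guess for g_t pin down exactly one
    degree-t polynomial (subtract candidate*x^t, interpolate the degree t-1 rest,
    add it back). Every candidate secret is equally consistent with t shares."""
    t = len(t_shares)
    lowered = [(a, (y - candidate * pow(a, t, P)) % P) for a, y in t_shares]
    return (lagrange_eval(lowered, x) + candidate * pow(x, t, P)) % P


if __name__ == "__main__":
    secret, n, t = 123456789, 5, 2
    shares = deal(secret, n, t)
    print("any t+1 shares recover s:", reconstruct(shares[:3]) == secret)
    guessed = 42
    fake_third = (3, share_implied_by(shares[:2], guessed, 3))
    print("t shares fit any guess:", reconstruct(shares[:2] + [fake_third]) == guessed)
```

Note that `reconstruct` must be given exactly t + 1 shares: with more points the same formula returns the x^{|A|−1} coefficient of the interpolant, which is 0 for a degree-t polynomial.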

Page 6


Defining Black Box Secret Sharing Schemes

A linear threshold secret sharing scheme for s ∈ G, where G can be an arbitrary finite abelian group (written additively).

• Shares are computed as Z-linear combinations (independent of G) of s ∈ G and random group elements. The expansion factor equals the average number of group elements per share.
• Reconstruction works by Z-linear combinations (independent of G) of the shares, and
• Correctness and Privacy must hold regardless of the group G.
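To make the definition tangible, here is an added example (not the scheme of this talk, and not the authors' code) of a black-box threshold scheme: the classical replicated construction, in which one summand r_B is created per t-subset B of players and handed to everyone outside B, with the summands adding up to s. Shares and reconstruction are 0/1-combinations that never depend on the group, which is exactly the black-box property; its expansion factor C(n−1, t) is exponential, which is why the number-field constructions discussed in the talk matter. The two group classes are constructed black boxes for the demonstration.

```python
import secrets
from itertools import combinations
from math import comb

# Two constructed "black boxes" (not from the slides). The scheme below touches a
# group only through zero/add/neg/random and never inspects how elements are
# represented, which is what makes the shares Z-linear combinations independent of G.


class ZMod:
    """Additive group Z/mZ."""
    def __init__(self, m: int):
        self.m = m
    def zero(self):
        return 0
    def add(self, a, b):
        return (a + b) % self.m
    def neg(self, a):
        return (-a) % self.m
    def random(self):
        return secrets.randbelow(self.m)


class Product:
    """Direct product G1 x G2 with componentwise operations; elements are pairs."""
    def __init__(self, g1, g2):
        self.g1, self.g2 = g1, g2
    def zero(self):
        return (self.g1.zero(), self.g2.zero())
    def add(self, a, b):
        return (self.g1.add(a[0], b[0]), self.g2.add(a[1], b[1]))
    def neg(self, a):
        return (self.g1.neg(a[0]), self.g2.neg(a[1]))
    def random(self):
        return (self.g1.random(), self.g2.random())


def gsum(G, elems):
    acc = G.zero()
    for e in elems:
        acc = G.add(acc, e)
    return acc


def deal(G, s, n: int, t: int) -> dict:
    """Replicated (t,n)-threshold sharing. One summand r_B per t-subset B of the
    players; r_B is handed to every player NOT in B. All but one summand are random
    group elements, the last is s minus their sum, so sum_B r_B = s. Every share
    is therefore a 0/1-combination of s and random elements, the same for any G."""
    subsets = list(combinations(range(n), t))
    summands = {B: G.random() for B in subsets[:-1]}
    summands[subsets[-1]] = G.add(s, G.neg(gsum(G, summands.values())))
    return {i: {B: r for B, r in summands.items() if i not in B} for i in range(n)}


def reconstruct(G, n: int, t: int, shares: dict):
    """Reconstruction is Z-linear too: add every summand once (coefficient 1).
    Any t+1 players jointly hold every r_B. A set B of exactly t players holds
    every summand except r_B itself; that missing uniform term hides s, so the
    function returns None for a non-qualified set."""
    known = {}
    for sh in shares.values():
        known.update(sh)
    needed = list(combinations(range(n), t))
    if any(B not in known for B in needed):
        return None
    return gsum(G, (known[B] for B in needed))


def expansion(n: int, t: int) -> int:
    """Group elements per share: the t-subsets avoiding a fixed player, C(n-1, t)."""
    return comb(n - 1, t)


if __name__ == "__main__":
    G = Product(ZMod(7), ZMod(1000))
    shares = deal(G, (3, 42), n=4, t=2)
    print(reconstruct(G, 4, 2, {i: shares[i] for i in (0, 1, 3)}))  # (3, 42)
    print(reconstruct(G, 4, 2, {i: shares[i] for i in (0, 1)}))     # None
```

The same `deal` and `reconstruct` code runs unchanged over Z/1000Z and over the product group, which is the point of the definition: the integer coefficients (here all 0 or 1) are fixed before the group is known.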

Page 32


The Proof (Simplified Sketch)

Rewrite α_i: Write down α_i in the basis of R, so

$\alpha_i = a_0 + a_1 X + \cdots + a_{m-1} X^{m-1}$

Consider the coefficients a_j as unknowns A_j.

Rewrite ∆_i: Write down ∆_i in the basis of R in the unknowns A_j:

$\Delta_i = \Delta_{i-1} \cdot \big( G_0(A_0, A_1, \ldots, A_{m-1}) + \cdots + G_{m-1}(A_0, \ldots, A_{m-1}) X^{m-1} \big)$

Use Algebra: ∆_i ≡ 0 mod p iff G_j(A_0, ..., A_{m−1}) ≡ 0 mod p for all j. Then all linear combinations of the polynomials G_j vanish mod p as well.

Find Univariate Polynomial: Construct a univariate polynomial P(A_0) ∈ Z[A_0] that is a linear combination of the G_j.

Pick a non-root: Then instantiate with a_0 such that P(a_0) ≠ 0 as an integer. Then for all p not dividing P(a_0) we have ∆_i ≢ 0 mod p.


Page 34


The New Scheme in Practice

Relevant Complexities

Cramer & Fehr: the α_i's may be chosen with coefficients in {0, 1}, but f(X)'s coefficients seem to be bound to bitlength n.
⇒ Õ(n^3)

Cramer, Fehr & Stam: evidence that the α_i's may be chosen with coefficients in {0, 1} and f(X) with coefficients in {−1, 0, 1} (shown for n up to 4096, but no general proof).
⇒ Õ(n^2)


Page 37


Conclusion

• Constructing black box secret sharing schemes is intricately entwined with finding certain number fields (orders).
  • DF: initially an invertible ∆;
  • CF: huge improvement using coprime ∆_α and ∆_β;
  • New: further improvement using a primitive ∆. Additive factor of at most 2 away from the best known lower bound.
• Proved existence of number fields with sufficiently large primitive sets. Efficiency is questionable.
• But experimental results indicate that 'good' ones are abundant.
• Provided tight lower and upper bounds on the number of random elements required.