Some Secret Sharing Schemes and Further Studies Some Secret Shari… · Visual Cryptography...
Transcript of Some Secret Sharing Schemes and Further Studies Some Secret Shari… · Visual Cryptography...
Some Secret Sharing Schemes and Further Studies
Avishek Adhikariwebsite: www.imbic.org/avishek.html
Research Team MembersPartha Sarathi Roy, Angsuman Das,Ushnish Sarkar, Sabyasachi Dutta
Department of Pure MathematicsUniversity of Calcutta, Kolkata.
TWC 2011Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 1 / 39
Introduction to Secret Sharing What is secret sharing?
What is secret sharing?
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 2 / 39
Introduction to Secret Sharing What is secret sharing?
What is secret sharing?
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 2 / 39
Introduction to Secret Sharing What is secret sharing?
What is secret sharing?
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 2 / 39
Introduction to Secret Sharing What is secret sharing?
What is secret sharing?
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 2 / 39
Introduction to Secret Sharing What is secret sharing?
(t ,w) threshold scheme
Let t and w be two positive integers, such that t ≤ w .A (t ,w) threshold scheme is a method of sharing ascheme key k among a set of w participants in such away that any t participants can compute the value ofk , but no group of (t − 1) participants can do so.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 3 / 39
Introduction to Secret Sharing What is secret sharing?
Simple Way!
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 4 / 39
Introduction to Secret Sharing What is secret sharing?
Perfectly Secure (2,2)-SSS
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 5 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (k ,n)-Secret Sharing Scheme
It takes two points to define a straight line,three points to fully define a quadratic, fourpoints to define a cubic, and so on.One can fit a unique polynomial of degree(k − 1) to any set of k points that lie on thepolynomial.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 6 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (k ,n)-Secret Sharing Scheme
It takes two points to define a straight line,three points to fully define a quadratic, fourpoints to define a cubic, and so on.One can fit a unique polynomial of degree(k − 1) to any set of k points that lie on thepolynomial.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 6 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (3, 4) threshold scheme
Let P={P1,P2,P3,P4} be a set of 4participants.The key set, K=Zp, where p = 5 is a prime &p > n Ket the secret be 1.The set of all possible shares, S=Z5.The dealer constructs a random polynomialf (x) ∈ Z5[x ] of degree t − 1 = 3− 1 = 2, inwhich the constant term is the secret K = 1.
f (x) = 1 + 2x + 3x2
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 7 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (3, 4) threshold scheme
Every participant Pi obtains a point (xi , yi) on this polynomial,where yi = f (xi) and distinct xi ∈ Zp.P1 gets (1,a(1)=6=1), (P2) gets (2,2), P3 gets (3,4) and P4 gets(4,2).
Recovery of Secret
Suppose a subset B of t = 3 participants wants to recollect thesecret.Let the participants P1,P2,P3 want to determine K = 1.They know that 1 = f (1), 2 = f (2) and 4 = f (3).They will assume the form of the secret polynomial asy = f (x) = a0 + a1x + a2x2, where a0,a1 and a2 are unknown andbelong to Z.Thus, these participants can obtain 3 linear equations in the 3unknowns a0,a1,a2.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 8 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (t, n) threshold scheme
1 1 12
1 2 22
1 3 32
a0a1a2
=
f (1)f (2)f (3)
Now, the coefficient matrix A is the so called Vandermonde’smatrix.
detA =∏
1≤j<k≤t
(xik−xij ) mod p = (1−2)(2−3)(3−1) = 4∗4∗2 = 2 6= 0
Thus multiplying both sides by the inverse of A, we can find the a0 = 1.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 9 / 39
Introduction to Secret Sharing Shamir’s (t, n) threshold scheme
Shamir’s (t, n) threshold scheme
1 1 12
1 2 22
1 3 32
a0a1a2
=
f (1)f (2)f (3)
Now, the coefficient matrix A is the so called Vandermonde’smatrix.
detA =∏
1≤j<k≤t
(xik−xij ) mod p = (1−2)(2−3)(3−1) = 4∗4∗2 = 2 6= 0
Thus multiplying both sides by the inverse of A, we can find the a0 = 1.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 9 / 39
Visual Cryptography Shamir’s Scheme
Example of (2,2)-VCS
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 10 / 39
Visual Cryptography Shamir’s Scheme
Example of (2,2)-VCS
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 10 / 39
Visual Cryptography Shamir’s Scheme
Visual Cryptography
The Visual cryptographic scheme, introduced byNaor and Shamir in 1994, for a set P of nparticipants is a cryptographic paradigm that enablesa secret image to be split into n shadow images calledshares, where each participant in P receives oneshare. Certain qualified subsets of participants can“visually" recover the secret image with some loss ofcontrast, but other forbidden sets of participants haveno information about the secret image.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 11 / 39
Visual Cryptography Shamir’s Scheme
(2,2)-VCS
For Black pixel
For White pixel
S1 =
[0 11 0
]and S0 =
[0 10 1
].
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 12 / 39
Visual Cryptography Shamir’s Scheme
(2,2)-VCS
For Black pixel
For White pixel
S1 =
[0 11 0
]and S0 =
[0 10 1
].
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 12 / 39
Visual Cryptography Shamir’s Scheme
(2,2)-VCS
For Black pixel
For White pixel
S1 =
[0 11 0
]and S0 =
[0 10 1
].
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 12 / 39
Visual Cryptography Shamir’s Scheme
Relative contrast
Let us consider a (2,n)-VCS on a set P ={1,2, . . . ,n}of n participants with basis matrices S0 and S1 andhaving pixel expansion m. Then the relative contrastfor the participants corresponding to X , X ⊆ P, isdenoted by αX (m) and is defined as
w(S1X )− w(S0
X )
m.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 13 / 39
Visual Cryptography Shamir’s Scheme
(2,n)-VCS by Naor and Shamir
S0 =
1 0 0 01 0 0 01 0 0 01 0 0 0
and S1 =
1 0 0 00 1 0 00 0 1 00 0 0 1
.Here the relative contrast for any two participants is 1
4and the pixel expansion is 4.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 14 / 39
Visual Cryptography Shamir’s Scheme
(2,n)-VCS by Stinson at el
Let v , k and λ be positive integers such thatv > k ≥ 2.a (v , k , λ)-balanced incomplete block design(BIBD) is a pair ( X ,A) such that the followingproperties are satisfied :
1 X is a set of v elements called points,2 A is a collection of subsets of X called block,3 each block contains exactly k points,and4 every pair of distinct points is contained in exactly λ blocks.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 15 / 39
Visual Cryptography Shamir’s Scheme
(2,n)-VCS by Stinson at el
Example of a (v = 7,b = 7, r = 3, k = 3, λ = 1)-BIBD:X = {1,2,3,4,5,6,7}.A= {{1,2,4}, {2,3,5}, {3,4,6},{4,5,7}, {1,5,6}, {2,6,7}, {1,3,7}}.
the incidence matrix is :
1 0 0 0 1 0 11 1 0 0 0 1 00 1 1 0 0 0 11 0 1 1 0 0 00 1 0 1 1 0 00 0 1 0 1 1 00 0 0 1 0 1 1
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 16 / 39
Visual Cryptography Shamir’s Scheme
Example of a (2,7)-VCS using BIBD
S1 =
1 0 0 0 1 0 11 1 0 0 0 1 00 1 1 0 0 0 11 0 1 1 0 0 00 1 0 1 1 0 00 0 1 0 1 1 00 0 0 1 0 1 1
& S0 =
1 1 1 0 0 0 01 1 1 0 0 0 01 1 1 0 0 0 01 1 1 0 0 0 01 1 1 0 0 0 01 1 1 0 0 0 01 1 1 0 0 0 0
Here the pixel expansion is 7 and the relative contrastis 2/7.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 17 / 39
Visual Cryptography Our Proposed Scheme
Example of a (2,6)-VCS
S1 =
1 1 0 01 0 1 01 0 0 10 1 1 00 1 0 10 0 1 1
and S0 =
1 1 0 01 1 0 01 1 0 01 1 0 01 1 0 01 1 0 0
.
Clearly, pixel expansion is 4 (m = 4) and the relativecontrast is either 1
2 or 14.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 18 / 39
Visual Cryptography Our Proposed Scheme
(2,6)-VCS using PBIBD
Secret image Share 1
Share 2 Share 6
Share 1 + Share 6 Share 1 + Share 2
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 19 / 39
Visual Cryptography Our Proposed Scheme
General Access Structure
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 20 / 39
DNA Secret Sharing
Introduction
Secret Sharing Schemes,DNA Computing,Mathematics.Statistics.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 21 / 39
DNA Secret Sharing
Introduction
Secret Sharing Schemes,DNA Computing,Mathematics.Statistics.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 21 / 39
DNA Secret Sharing
Introduction
Secret Sharing Schemes,DNA Computing,Mathematics.Statistics.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 21 / 39
DNA Secret Sharing
Introduction
Secret Sharing Schemes,DNA Computing,Mathematics.Statistics.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 21 / 39
DNA Secret Sharing
Aim of Our Work
Suppose we want to distribute a secret binary stringto a set {P1,P2, . . . ,Pn} of n participants in such away that certain designated set of participants canreveal the secret by pulling their shares, but noforbidden set of participants has any informationabout the secret binary string.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 22 / 39
DNA Secret Sharing
Why DNA?
The very small size,The huge storage capacity,Easy to carry or hide,Made up of A, T, G, C,Huge parallel computing,Stable as a DNA doublestrand,High longevity,Easy to get synthesizedDNA
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 23 / 39
DNA Secret Sharing
DNA encoding of binary strings
a binary string can be represented as a set ofintegers that corresponds the positions where thebits are 1 from left to right.1011 can be represented as a set {1,3,4},each integer i can be represented in a DNAdouble strand notation as followsdsi =l (GAATT )i .
if α = 1011, the DNA double strand representationof α is the test tube T [α] = {ds1, ds3, ds4}.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 24 / 39
DNA Secret Sharing
Mixing operation
Take the content of two testtubes.Mixing can be done bydehydrating the tubecontents (if not already insolution) and thencombining the fluidstogether into a new tube, bypouring and pumping.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 25 / 39
DNA Secret Sharing
Bio-mathematical operations
Boolean “or” operation betweentwo binary stringsif α = 1011 and β = 1001,the binary “or” of two strings willbe 1011.T [α] (T [β]) the test tubecorresponding to the binary stringα (β).pore the contents of the two testtubes to get binary “or ′′.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 26 / 39
DNA Secret Sharing
Automated DNA Sequencing
To read the DNA double strands in the test tubewe need the process called DNA sequencing.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 27 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Outlay of our scheme
Consider the secret sharing scheme onP = {1,2,3,4} of 4 participants, whereΓ0 = {{1,2}, {2,3}, {2,4}, {1,4}}.ΓQual = {Y ⊆ P : X ⊆ Y for some X ∈ Γ0} andΓForb = 2P \ ΓQual .let the secret binary string be x = x1x2x3 = 011.Assume that the DNA encoding, the mixingprocess are public.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 28 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Share Distribution
The dealer chooses two Boolean matrices
G0 =
0 1 0 10 1 0 10 1 0 00 0 0 1
and G1 =
1 0 1 00 1 1 01 0 0 00 0 0 1
.
Since x1 = 0, the dealer considers the matrix G0
and apply a random permutation to the columns ofG0 and produces a matrix M1.Similarly, for x2 and x3 on G1 to produce matricesM2 and M3.Assume that the DNA encoding, the mixingprocess are public.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 29 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Share Distribution
Let M = M1||M2||M3.first row of M is α1 = 010110101010. Similarlyα2 = 010101100110, α3 = 010010001000 andα4 = 000100010001.dealer converts the binary strings to DNArepresentations to get the test tubesT [α1] = {ds2,ds4,ds5,ds7,ds9,ds11},T [α2] = {ds2,ds4,ds6,ds7,ds10,ds11},T [α3] = {ds2,ds4,ds5,ds9},T [α4] = {ds4,ds8,ds12},
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 30 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Share Distribution
T [αi ] is given to the participants Pi , i = 1,2, . . . ,nthrough a secret channel.Also the values m = 4 and k = 3 are given to theparticipants even through an insecure channel.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 31 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Decryption by the Qualified participants
Let P1,P2 come together.They use mixing procedure with test tubes T [α1]and T [α2] to get T [α1] ∪ T [α2] ={ds2,ds4,ds5,ds6,ds7,ds9,ds10,ds11}.Execute automated DNA sequencing method toread the DNA double strands.With the knowledge of decoding the DNArepresentation to the binary string, the values ofk = 3 and m = 4, the participants P1 and P2 canconvert the DNA representation to the binarystring y = 010111101110.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 32 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Decryption by the Qualified participants
Since, the value of m is known to the participants,P1 and P2 can break y asy = (0101)(1110)(1110).Next they will find the value of w as 3 and thenthey will compute z = 011, as BW (0101) < 3,BW (1110) = 3. Thus P1 and P2 can recover thesecret 011.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 33 / 39
DNA Secret Sharing Proposed DNA Secret Sharing Scheme
Forbidden set of participants
Let Y = {P3,P4} come together.They use mixing procedure with test tubes T [α3]and T [α4] to getT [α1] ∪ T [α2] = {ds2,ds4,ds5,ds8,ds9,ds12}.they will convert the DNA representation to thebinary string y = (0101)(1001)(1001).Thus looking at those it is not possible to predictwhether they correspond to 0 or 1.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 34 / 39
Further Studies Secure Multiparty Computation
Secure Multiparty Computation: An Example
Yao’s Two Millionaires Problem
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 35 / 39
Further Studies Verifiable Secret Sharing
Verifiable Secret Sharing
The dealer distributes a secret value “s”among the players, where the dealer and/orsome of the players may be cheating.It is guaranteed that if the dealer is honest,then the cheaters obtain no informationabout s, and all honest players are later ableto reconstruct s, even against the actions ofcheating players.Even if the dealer cheats, a unique suchvalue s will be determined already atdistribution time, and again this value isreconstructable even against the actions ofthe cheaters.
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 36 / 39
Further Studies Verifiable Secret Sharing
Questions
Questions???
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 37 / 39
Further Studies Verifiable Secret Sharing
Avishek Adhikari (University of Calcutta) Secret Sharing Schemes 16.07.11 38 / 39