Abstract
In this work we provide a framework for dynamic secret sharing and present the first dynamic and verifiable hierarchical secret sharing scheme based on Birkhoff interpolation. Since the scheme is dynamic, it allows shareholders to be added and removed, shares to be renewed, and the conditions for accessing the message to be modified, all without reconstructing the distributed message. Furthermore, each shareholder can verify the share it receives during these algorithms, protecting itself against malicious dealers and shareholders. While these algorithms were already available for classical secret sharing based on Lagrange interpolation, corresponding techniques for schemes based on Birkhoff interpolation were missing. Note that Birkhoff interpolation is currently the only technique available for constructing hierarchical secret sharing schemes that are efficient and provide shares of equal size for all shareholders in the hierarchy. Thus, our scheme is an important contribution to hierarchical secret sharing.
This work was in part funded by the European Commission through grant agreement no. 644962 (PRISMACLOUD). Furthermore, it received funding from the DFG as part of project S6 within the CRC 1119 CROSSING.
Notes
1. \(\mathcal{P}(S)\) denotes the partition of the set S.
2. To renew the shares, the algorithm \(\mathsf {Reset}\) is run with the old set of shareholders S and the old access structure \(\varGamma \) as input.
3. There exist solutions [2, 9, 10, 14] for VSS providing both information-theoretic confidentiality and bindingness. However, they are not secure against a mobile adversary that is able to collect enough shares over time to retrieve the message. The solution proposed in [2] is an interactive protocol, while we only consider non-interactive protocols, which have lower communication complexity.
References
1. Agarwal, M., Mehr, R.: Review of matrix decomposition techniques for signal processing applications. Int. J. Eng. Res. Appl. 4(1), 90–93 (2014). www.ijera.com
2. Backes, M., Kate, A., Patra, A.: Computational verifiable secret sharing revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 590–609. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-25385-0_32
3. Baron, J., Defrawy, K.E., Lampkins, J., Ostrovsky, R.: Communication-optimal proactive secret sharing for dynamic groups. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 23–41. Springer, Heidelberg (2015). http://dx.doi.org/10.1007/978-3-319-28166-7_2
4. Blundo, C., Cresti, A., Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). http://dx.doi.org/10.1007/3-540-48329-2_10
5. Brickell, E.F.: Some ideal secret sharing schemes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 468–475. Springer, Heidelberg (1990). doi:10.1007/3-540-46885-4_45
6. Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: 26th Annual Symposium on Foundations of Computer Science, Portland, Oregon, USA, 21–23 October 1985, pp. 383–395 (1985). http://dx.doi.org/10.1109/SFCS.1985.64
7. Doganay, M.C., Pedersen, T.B., Saygin, Y., Savaş, E., Levi, A.: Distributed privacy preserving k-means clustering with additive secret sharing. In: Proceedings of 2008 International Workshop on Privacy and Anonymity in Information Society, pp. 3–11. ACM (2008)
8. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science, pp. 427–438. IEEE (1987)
9. Fitzi, M., Garay, J.A., Gollakota, S., Rangan, C.P., Srinathan, K.: Round-optimal and efficient verifiable secret sharing. In: Proceedings of the 3rd Theory of Cryptography Conference, TCC 2006, New York, NY, USA, 4–7 March 2006, pp. 329–342 (2006). http://dx.doi.org/10.1007/11681878_17
10. Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: The round complexity of verifiable secret sharing and secure multicast. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, 6–8 July 2001, Heraklion, Crete, Greece, pp. 580–589 (2001). http://doi.acm.org/10.1145/380752.380853
11. Ghodosi, H., Pieprzyk, J., Safavi-Naini, R.: Secret sharing in multilevel and compartmented groups. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 367–378. Springer, Heidelberg (1998). doi:10.1007/BFb0053748
12. Gupta, V., Gopinath, K.: \(\text{G}_{\text{its}}^{2}\)VSR: an information theoretical secure verifiable secret redistribution protocol for long-term archival storage. In: 4th International IEEE Security in Storage Workshop, SISW 2007, pp. 22–33. IEEE (2007)
13. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_27
14. Katz, J., Koo, C., Kumaresan, R.: Improving the round complexity of VSS in point-to-point networks. Inf. Comput. 207(8), 889–899 (2009). http://dx.doi.org/10.1016/j.ic.2009.03.007
15. Kothari, S.C.: Generalized linear threshold scheme. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 231–241. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_19
16. Nojoumian, M., Stinson, D.R., Grainger, M.: Unconditionally secure social secret sharing scheme. Inf. Secur. IET 4(4), 202–211 (2010)
17. Pakniat, N., Eslami, Z., Nojoumian, M.: Ideal social secret sharing using Birkhoff interpolation method. IACR Cryptology ePrint Archive 2014, 515 (2014). http://eprint.iacr.org/2014/515
18. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_9
19. Schultz, D.A., Liskov, B., Liskov, M.: MPSS: mobile proactive secret sharing. ACM Trans. Inf. Syst. Secur. 13(4), 34 (2010). http://doi.acm.org/10.1145/1880022.1880028
20. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). http://doi.acm.org/10.1145/359168.359176
21. Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2_30
22. Tassa, T.: Hierarchical threshold secret sharing. J. Cryptol. 20(2), 237–264 (2007)
Appendices
A Requirements for Birkhoff Interpolation Matrices
In this section the necessary requirements and a sufficient condition for the interpolation matrix E are presented, such that the corresponding Birkhoff interpolation problem is well posed. For the corresponding proofs we refer to [22].
Lemma 1
Let \(A \subset S\) be an authorized subset of shareholders, i.e. \(A \in \varGamma \), and E the corresponding interpolation matrix, where the entries \(e_{i,j}\) of the matrix E satisfy the following condition:
where d is the highest derivative order in the problem and \(r:= \vert A \vert \) is the number of interpolating points.
Before providing the sufficient condition (Theorem 3), the following definition is needed.
Definition 6
[22]. In the interpolation matrix E a 1-sequence is a maximal run of consecutive 1s in a row of E. Namely, it is a triplet of the form \((i, j_0, j_1)\) where \(1 \le i \le r\) and \(0 \le j_0 \le j_1 \le d\), such that \(e_{i,j}=1\) for all \(j_0 \le j \le j_1\), while \(e_{i, j_0 -1}= e_{i, j_1 +1}=0\). A 1-sequence \((i, j_0, j_1)\) is called supported if E has 1s both to the northwest and to the southwest of the leading entry of the sequence, i.e. there exist indices nw and sw, where \(i_{nw}< i < i_{sw}\) and \(j_{nw}, j_{sw} < j_0\), such that \(e_{i_{nw}, j_{nw}}=e_{i_{sw}, j_{sw}}=1\).
Theorem 3
The Birkhoff interpolation problem for an authorized subset A and the corresponding interpolation matrix E has a unique solution if the interpolation matrix E satisfies (1) and contains no supported 1-sequence of odd length.
In case the Birkhoff interpolation problem is instantiated over a finite field \(\mathbb {F}_q\) with q a prime number, the following additional condition has to hold as well.
Theorem 4
The Birkhoff interpolation problem for an interpolation matrix E has a unique solution over the finite field \(\mathbb {F}_q\) if Theorem 3 holds and, in addition, the following inequality is satisfied:
where d is the highest derivative order of the problem.
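The 1-sequence test of Definition 6 and Theorem 3, as an added example that is not part of the paper: E is a 0/1 matrix with one row per interpolation point and one column per derivative order 0..d. Condition (1) is not reproduced on this page, so only the supported-1-sequence part of Theorem 3 is checked; both sample matrices are constructed here (the first from the set I(E) of Appendix C).

```python
# Added example (not the paper's code): supported 1-sequences in an interpolation matrix E

def one_sequences(E):
    """All maximal runs of consecutive 1s as triplets (i, j0, j1): row index i is
    1-based as in Definition 6, columns j0 <= j1 are 0-based derivative orders."""
    seqs = []
    for i, row in enumerate(E, start=1):
        j = 0
        while j < len(row):
            if row[j] == 1:
                j0 = j
                while j < len(row) and row[j] == 1:
                    j += 1
                seqs.append((i, j0, j - 1))
            else:
                j += 1
    return seqs

def is_supported(E, seq):
    """(i, j0, j1) is supported if E has a 1 strictly north-west (row above,
    column before j0) and a 1 strictly south-west of the leading entry (i, j0)."""
    i, j0, _ = seq
    northwest = any(E[r][c] == 1 for r in range(i - 1) for c in range(j0))
    southwest = any(E[r][c] == 1 for r in range(i, len(E)) for c in range(j0))
    return northwest and southwest

def odd_supported_sequences(E):
    """Supported 1-sequences of odd length; Theorem 3 requires that there are none."""
    return [s for s in one_sequences(E)
            if is_supported(E, s) and (s[2] - s[1] + 1) % 2 == 1]

def passes_sequence_test(E):
    """True when E contains no supported 1-sequence of odd length."""
    return not odd_supported_sequences(E)

# constructed from I(E) = {(1,0), (2,1), (3,2)} of Appendix C: one point each for f, f', f''
E_APPENDIX_C = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
# constructed: f at two points with f' at a point in between (e.g. f(-1), f'(0), f(1));
# the 1-sequence (2, 1, 1) is supported and of odd length, so no uniqueness follows
E_ODD = [[1, 0, 0], [0, 1, 0], [1, 0, 0]]
```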
B Security Analysis
Conjunctive secret sharing was introduced by Tassa in [22] and has been proven ideal, perfectly secure, and accessible. We argue that the algorithms \(\mathsf {Add}\) and \(\mathsf {Reset}\) we introduced enhance the protocol and do not affect the properties and the security of the original conjunctive secret sharing scheme. To prove this, we first give a high-level idea of the proof of perfect security and accessibility of Tassa’s conjunctive secret sharing scheme. Then, we show that our dynamic hierarchical secret sharing scheme maintains perfect security and accessibility. Furthermore, it is possible to cope with malicious dealers and shareholders by including a verification protocol in the algorithms \(\mathsf {Share}\), \(\mathsf {Add}\), \(\mathsf {Reset}\), and \(\mathsf {Reconstruct}\). If Pedersen commitments are used in the verification protocol, unconditional hidingness is maintained while bindingness can only be achieved computationally. Feldman commitments instead ensure unconditional bindingness, i.e. the correctness of the shares can be guaranteed, but at the expense of providing only computational hidingness for the shares. Thus, the latter solution is not suitable if data is processed for which long-term or even everlasting confidentiality is required. Similarly, it can be proven that \(\mathsf {Add}\) and \(\mathsf {Reset}\) also maintain the properties of disjunctive secret sharing. However, for readability, in the following we focus on conjunctive secret sharing only.
Roughly speaking, reconstructing a distributed message amounts to finding the solution of the Birkhoff interpolation problem for a polynomial \(f(x)= a_0 + a_1x + a_2x^2+ \dots + a_{t-1}x^{t-1}\). Tassa proved the security of his approach by showing that authorized sets of shareholders \(A \in \varGamma \) lead to interpolation matrices E for which the Birkhoff interpolation problem is well posed; thus, accessibility is provided. Furthermore, any unauthorized set of shareholders \(U \notin \varGamma \) leads to an unsolvable system, and perfect security is therefore proven.
The introduction of the protocols \(\mathsf {Add}\) and \(\mathsf {Reset}\), which make the Birkhoff interpolation based secret sharing scheme dynamic, does not affect these properties. First, we show that accessibility and perfect security are provided if all shareholders act honestly. This corresponds to the setting of Tassa’s security proof. Second, we prove that our scheme even provides verifiability, i.e. it can cope with malicious dealers and shareholders.
Theorem 5
The dynamic secret sharing scheme composed of the protocols \(\mathsf {Share}\), \(\mathsf {Add}\), \(\mathsf {Reset}\), and \(\mathsf {Reconstruct}\) described in Sect. 5.2 is accessible and perfectly secure according to Definition 2.
Proof
The proof for the algorithms \(\mathsf {Share}\) and \(\mathsf {Reconstruct}\) follows from Tassa’s security proof. The algorithms \(\mathsf {Add}\) and \(\mathsf {Reset}\) are discussed individually in the following.
- Add. If the shareholders follow the protocol correctly, then all shareholders, meaning the old set of shareholders together with the new shareholder, only hold shares of the polynomial \(f(x)= a_0 + a_1x + a_2x^2+ \dots + a_{t-1}x^{t-1}\) or of one of its derivatives. This prevents unauthorized subsets from reconstructing the message, meaning that perfect security is achieved. However, the share \({\sigma }_{i',j'}\) for the new shareholder \(s_{i',j'}\) is generated by the old shareholders in a distributed fashion. More precisely, each old shareholder uses its share to generate a piece of information from which the new shareholder \(s_{i',j'}\) can compute its own share \({\sigma }_{i',j'}\). Therefore, what is left to show is that no information about the other shares is leaked during the generation of the share \({\sigma }_{i',j'}\). To compute the share of a new shareholder \(s_{i',j'}\), each shareholder \(s_l \in A\) of an authorized subset \(A \in \varGamma \) computes \(f^{j'}_{l}(i')\), where \(f^{j'}_{l}(x)\) is the \(j'\)-th derivative of the polynomial \(f_l(x)\). Note that this value leaks information about the share of \(s_l\), since \(f^{j'}_{l}(i') = {\sigma }_{l} \sum _{k=j'}^{t-1} \frac{k!}{(k-j')!} \frac{(-1)^{l-1+k}\det (A_{l-1,k}(E,X,\varphi ))}{\det (A(E,X, \varphi ))} {i'}^{k-j'}\) and the latter factor \(\sum _{k=j'}^{t-1} \frac{k!}{(k-j')!} \frac{(-1)^{l-1+k}\det (A_{l-1,k}(E,X,\varphi ))}{\det (A(E,X, \varphi ))} {i'}^{k-j'}\) can be computed from public information. Therefore, \(s_l\) shares this value using an additive secret sharing scheme [7], i.e. it computes \(f^{j'}_{l}(i')=\sum _{k, s_k \in A}{\delta }_{k,l}\) and sends \({\delta }_{k,l}\) to shareholder \(s_k \in A\). Each shareholder \(s_l\) then adds all subshares received from the other shareholders, i.e. \(\delta _l=\sum _{k, s_k \in A}{\delta _{l,k}}\), and forwards only the result \(\delta _l\) to the new shareholder.
  Due to the use of the additive secret sharing scheme, perfect security of all shares is preserved. Since \(\sum _{l, s_l \in A}\delta _l=\sum _{l, s_l \in A}\sum _{k, s_k \in A}{\delta }_{l,k}= \sum _{k, s_k \in A}\sum _{l, s_l \in A}{\delta }_{l,k}= \sum _{k, s_k \in A}f^{j'}_{k}(i')=f^{j'}(i')\), accessibility is provided as well. This ensures that the new shareholder, like the other shareholders, holds a point of the polynomial f(x) or of one of its derivatives, and that authorized subsets including the new shareholder can reconstruct the message.
- Reset. In this algorithm each shareholder \(s_l \in A\) of an authorized subset \(A \in \varGamma \) uses hierarchical secret sharing to distribute its share to a new set of shareholders. More precisely, it computes its partial Birkhoff interpolation coefficient
  $$\begin{aligned} a_{l,0}:= {\sigma }_{l} (-1)^{l-1}\frac{\det (A_{l-1,0}(E,X, {\varphi }))}{\det (A(E,X, \varphi ))} \end{aligned}$$
  of the coefficient \(a_0\) and then chooses a polynomial \(f'_l(x)= a'_{l,0}+ a'_{l,1}x + a'_{l,2}x^2+ \dots + a'_{l,t'-1}x^{t'-1}\), where \(a'_{l,0}=a_{l,0}\), i.e. containing this value as the free coefficient. In this way, shares of shares are sent to the new shareholders, since only one point of this polynomial or of one of its derivatives is sent. Therefore, perfect security follows from the perfect security of conjunctive secret sharing. Furthermore, it computes the value to be sent to a new shareholder in accordance with the new access structure and the IDs assigned to each new shareholder. Thus, any unauthorized subset \(U \notin \varGamma \) cannot reconstruct the message and perfect security is provided. Accessibility of this protocol follows from the homomorphic property of polynomials. More precisely, each new shareholder \(s_{i,j}\) receives from each old shareholder \(s_l\) the share \({f'}^{j}_l(i)\) of the polynomial \(f'_l(x)= a'_{l,0}+ a'_{l,1}x + a'_{l,2}x^2+ \dots + a'_{l,t'-1}x^{t'-1}\), where \(a'_{l,0}=a_{l,0}\) is the partial Birkhoff interpolation coefficient of \(a_0\). Since the new shareholder adds all shares received to compute its new share, it follows that it holds a point of the polynomial
  $$\begin{aligned} f'(x) &= \sum _{l, s_l \in A}f'_l(x) = \sum _{l, s_l \in A} \left(a'_{l,0} + a'_{l,1}x + \dots + a'_{l,t'-1}x^{t'-1}\right) \\ &= \sum _{l, s_l \in A} a'_{l,0} + \Big(\sum _{l, s_l \in A} a'_{l,1}\Big)x + \dots + \Big(\sum _{l, s_l \in A} a'_{l,t'-1}\Big)x^{t'-1} \\ &= a_0 + \Big(\sum _{l, s_l \in A} a'_{l,1}\Big)x + \dots + \Big(\sum _{l, s_l \in A} a'_{l,t'-1}\Big)x^{t'-1} \end{aligned}$$
  or of one of its derivatives. So the free coefficient of \(f'(x)\) is still \(a_0\), meaning that any authorized subset of the new access structure is still able to retrieve the message \(a_0=m\).
Next we show that our verifiable and dynamic hierarchical secret sharing scheme indeed provides verifiability. For this we assume a majority of trustworthy shareholders within an authorized subset. This assumption can be weakened by letting all shareholders participate in the \(\mathsf {Add}\) and \(\mathsf {Reset}\) algorithms and choosing an authorized subset among the majority. This majority can be identified during \(\mathsf {Add}\) by checking who reports the same set of commitments to the function f(x), and during \(\mathsf {Reset}\) by checking who reports the same commitment \(c_0\) to the free coefficient of f(x). Note that the presence of a majority of trustworthy shareholders is a common assumption of classical secret sharing schemes that allow access structures to be reset, e.g. [12].
Theorem 6
In the presence of a majority of trustworthy shareholders within an authorized subset the verifiable and dynamic secret sharing scheme composed of the protocols \(\mathsf {Share}\), \(\mathsf {Add}\), \(\mathsf {Reset}\), and \(\mathsf {Reconstruct}\) described in Sect. 5.2 is a verifiable secret sharing scheme according to Definition 3.
Proof
To prove that each authorized subset of shareholders \(A \in \varGamma \) reconstructs the same message \(a_0=m\), each shareholder must hold a point of the to-be-found polynomial \(f(x)= a_0 + a_1x + a_2x^2 + \dots + a_{t-1}x^{t-1}\) or of one of its derivatives. Furthermore, each shareholder must hold the point assigned to its ID \((i,j) \in \mathcal {I} \times \mathcal {I}\), i.e. it must receive the share \(\sigma _{i,j}=f^{j}(i)\), where \(f^{j}(x)\) is the j-th derivative of the polynomial f(x). In the following we show, for each algorithm that generates shares, i.e. \(\mathsf {Share}\), \(\mathsf {Add}\), and \(\mathsf {Reset}\), that the shareholders receiving these shares are able to verify these conditions.
- Share. During this algorithm the dealer commits to each coefficient \(a_k\) of \(f(x)= a_0 + a_1x + a_2x^2 +\dots + a_{t-1}x^{t-1}\) by computing a commitment \(c_k:= g^{a_k} \mod p\), for \(k=0, \dots , t-1\). It broadcasts the commitments and sends each share \({\sigma }_{i,j}\) to shareholder \(s_{i,j} \in L_h\), for \(i=1, \dots , n_h\) and \(h=0, \dots , \ell \). Shareholder \(s_{i,j}\) accepts \(\sigma _{i,j}\) only if the following equation holds:
  $$\begin{aligned} g^{\sigma _{i,j}}\equiv \prod _{k=j}^{t-1}c_k^{\frac{k!}{(k-j)!}i^{k-j}}=g^{f^{j}(i)}. \end{aligned}$$
  From this it follows directly that incorrect shares can be detected and rejected.
- Add. During this algorithm the shareholders \(s_l \in A\) of an authorized subset \(A \in \varGamma \) compute the share \(\sigma _{i',j'}\) for a new shareholder \(s_{i',j'} \in S\) in a distributed fashion. Furthermore, each shareholder broadcasts the commitments to the coefficients \(c_k:= g^{a_k} \mod p\), for \(k=0, \ldots , t-1\), received from the dealer. Under the assumption that at least a majority of these shareholders is honest, the new shareholder has access to a correct set of commitments and can verify whether
  $$\begin{aligned} g^{\sigma _{i',j'}}\equiv \prod _{k=j'}^{t-1}c_k^{\frac{k!}{(k-j')!}{i'}^{k-j'}}=g^{f^{j'}(i')}. \end{aligned}$$
  From this it follows directly that incorrect shares can be detected and rejected.
- Reset. During this algorithm the shareholders \(s_l \in A\) of an authorized subset \(A \in \varGamma \) compute shares for a set of new shareholders \(S'= \{s_1',\ldots , s'_{n'} \}\), each accompanied with a unique ID \((i',j') \in \mathcal {I} \times \mathcal {I}\), and an access structure \(\varGamma ' \subset \mathcal{P}(S')\). As for the other algorithms, it has to be checked that the share \({\sigma }_{i',j'}\) for the shareholder \(s'_{i',j'} \in S'\) with ID \((i',j') \in \mathcal {I} \times \mathcal {I}\) is computed as \(f'^{j'}(i')\). However, this algorithm has an additional requirement for correctness: the free coefficient of the to-be-found polynomial must be equal to the message m distributed by the dealer. To verify the first condition, each shareholder \(s_{i',j'}\) of the new access structure checks
  $$\begin{aligned} g^{\sigma _{l,i',j'}}\equiv \prod _{k=j'}^{t'-1}{c'_{l,k}}^{\frac{k!}{(k-j')!}{i'}^{k-j'}}=g^{f'^{j'}_l(i')}, \; \text {for} \; s_l \in A, \end{aligned}$$
  for each share \(\sigma _{l,i',j'}\) received from shareholder l of the old set of shareholders. Finally, it checks that the sum of all shares is a point of a polynomial with free coefficient \(a_0=m\). This can be verified by multiplying all commitments to the individual free coefficients, i.e.
  $$\begin{aligned} c_0 \equiv \prod _{l, s_l \in A}c'_{l,0}=\prod _{l, s_l \in A}g^{a_{l,0}}=g^{a_0}=g^m. \end{aligned}$$
  Under the assumption that a majority of the old shareholders sent the correct commitments, incorrect shares can be detected.
Note that our scheme is also ideal. This clearly comes from the fact that each shareholder \(s_i \in R\) receives a share \({\sigma }_{i,j} \in \mathbb {F}_q\) that is a field element of the same field as the message \(m \in \mathbb {F}_q\).
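The commitment checks from the proof of Theorem 6, as an added example that is not the paper's code: the Share/Add equation \(g^{\sigma}\equiv\prod_k c_k^{\frac{k!}{(k-j)!}i^{k-j}}\) and the two Reset checks (each old shareholder's sub-share against its own commitments, then \(c_0\equiv\prod_l c'_{l,0}\)). The group parameters are constructed (safe prime \(p=2q+1\) with \(g=4\) generating the order-q subgroup, so exponents reduced modulo q are consistent); in Reset the block simulates both sides, so the old shareholders' polynomials are visible to it only for that reason.

```python
# Added example (not the paper's code): Feldman-style verification of Birkhoff shares
from math import factorial

# constructed parameters: p = 2039 = 2*1019 + 1 is a safe prime and g = 4 generates
# the subgroup of order q = 1019, the field in which shares are taken
P, Q, G = 2039, 1019, 4

def deriv_eval(coeffs, j, x, q=Q):
    """f^{(j)}(x) for f(x) = sum_k coeffs[k] x^k, computed over F_q."""
    return sum(factorial(k) // factorial(k - j) * coeffs[k] * pow(x, k - j, q)
               for k in range(j, len(coeffs))) % q

def commit(coeffs, g=G, p=P):
    """Dealer's commitments c_k = g^{a_k} mod p to every coefficient of f."""
    return [pow(g, a, p) for a in coeffs]

def verify_share(sigma, i, j, commits, g=G, p=P):
    """Share/Add check: g^sigma == prod_k c_k^{k!/(k-j)! * i^{k-j}} (= g^{f^{(j)}(i)})."""
    rhs = 1
    for k in range(j, len(commits)):
        rhs = rhs * pow(commits[k], factorial(k) // factorial(k - j) * i ** (k - j), p) % p
    return pow(g, sigma, p) == rhs

def reset_receive(old_polys, new_id, q=Q, g=G, p=P):
    """New shareholder's side of Reset: every old shareholder l sends the sub-share
    sigma_{l,i',j'} = f'_l^{(j')}(i') and its commitments c'_{l,k}; each sub-share is
    verified against those commitments and the accepted ones are summed."""
    i, j = new_id
    total, commits = 0, []
    for fl in old_polys:
        c = commit(fl, g, p)
        s = deriv_eval(fl, j, i, q)
        if not verify_share(s, i, j, c, g, p):
            raise ValueError("sub-share does not match the sender's commitments")
        total = (total + s) % q
        commits.append(c)
    return total, commits

def verify_reset_free_coeff(c0, commits, p=P):
    """Reset: prod_l c'_{l,0} must equal c_0 = g^m, i.e. the new polynomial still hides m."""
    prod = 1
    for c in commits:
        prod = prod * c[0] % p
    return prod == c0
```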
C Example of Tassa’s Hierarchical Secret Sharing
In the following, an example explaining how Tassa’s hierarchical secret sharing scheme [22] works is provided. More precisely, we show a numerical instantiation of the algorithms \(\mathsf {Share}\) and \(\mathsf {Reconstruct}\) described in Definition 5 for conjunctive secret sharing. Note that we perform all computations assuming a finite field \(\mathbb {F}_q\) for a very large prime q. Thus, we do not perform the modulo operation, assuming that the values computed are always smaller than q.
\(\mathsf {Share.}\) Let us assume a hierarchy composed of three levels \(L_0, L_1, L_2\) (where \(L_0\) is the highest level and \(L_2\) is the lowest level) and thresholds \(t_0=1, t_1=2, t_2=3\). Furthermore, let us assume the set S is composed of \(n=6\) shareholders. More precisely, one shareholder \(s_{1,0}\) is assigned to level \(L_0\), two shareholders \(s_{1,1}, s_{2,1}\) are assigned to level \(L_1\), and three shareholders \(s_{1,2}, s_{2,2}\), and \(s_{3,2}\) are assigned to level \(L_2\). Finally, let us assume that a dealer wants to secretly share the message \(m:=2\). Denoting \(t:=t_2\), the dealer selects a polynomial \(f(x)=a_0+a_1x+a_2x^2\) of degree \(t-1\), setting \(a_0:=2\) and choosing the remaining two coefficients \(a_1,a_2\) uniformly at random, e.g. \(a_1=3, a_2=1\), so that \(f(x)=2+3x+x^2\). The shares are computed as points of f(x) or of one of its derivatives \(f'(x)=3+2x\) or \(f''(x)=2\). With respect to level \(L_0\), shareholder \(s_{1,0}\) gets share \({\sigma }_{1,0}= f(1)=6\). With respect to level \(L_1\), shareholder \(s_{1,1}\) gets share \({\sigma }_{1,1}= f'(1)=5\) and shareholder \(s_{2,1}\) gets share \({\sigma }_{2,1}=f'(2)=7\). With respect to level \(L_2\), shareholder \(s_{1,2}\) gets share \({\sigma }_{1,2}=f''(1)=2\), shareholder \(s_{2,2}\) gets share \({\sigma }_{2,2}=f''(2)=2\), and \(s_{3,2}\) gets share \({\sigma }_{3,2}=f''(3)=2\).
\(\mathsf {Reconstruct.}\) For conjunctive secret sharing, the thresholds \(0<t_0<t_1<t_2\) have to be considered as a chain. More precisely, the access structure is defined such that the message can be retrieved if at least \(t_2=3\) shareholders in total collaborate, at least \(t_1=2\) of them belong to level \(L_1\) or \(L_0\), and at least \(t_0=1\) of them belongs to level \(L_0\). Without loss of generality, let us assume that the collaborating shareholders are \(s_{1,0}, s_{2,1}\), and \(s_{3,2}\). The access structure is satisfied because the corresponding interpolation matrix E leads to a Birkhoff interpolation problem with a unique solution (see Appendix A). The message \(m=2\) can be retrieved as follows:
1. the set containing the coordinates of E in lexicographic order is \(I(E)= \{(1,0), (2,1), (3,2)\}\) and the column containing the shares in lexicographic order is \((6,7,2)^{t}\);
2. the vector of the functions involved is \(\varphi = \{1,x,x^2\}\);
3. the matrices involved in Birkhoff’s reconstruction formula are:
$$\begin{aligned} A(E,X,\varphi) &= \begin{pmatrix} 1 & 1 & 1 \\ 0 & 1 & 4 \\ 0 & 0 & 2 \end{pmatrix}, \qquad A(E,X,\varphi_0) = \begin{pmatrix} 6 & 1 & 1 \\ 7 & 1 & 4 \\ 2 & 0 & 2 \end{pmatrix}, \\ A(E,X,\varphi_1) &= \begin{pmatrix} 1 & 6 & 1 \\ 0 & 7 & 4 \\ 0 & 2 & 2 \end{pmatrix}, \qquad A(E,X,\varphi_2) = \begin{pmatrix} 1 & 1 & 6 \\ 0 & 1 & 7 \\ 0 & 0 & 2 \end{pmatrix}; \end{aligned}$$
4. the determinants are \(\det (A(E,X,{\varphi }))= 2\), \(\det (A(E,X,{\varphi }_0))= 4\), \(\det (A(E,X,{\varphi }_1))= 6\) and \(\det (A(E,X,{\varphi }_2))=2\), respectively;
5. applying Birkhoff’s reconstruction formula, the coefficients \(a_0,a_1,a_2\) of the polynomial f(x) are computed as:
$$\begin{aligned} a_0 &= \frac{\det (A(E,X,{\varphi }_0))}{\det (A(E,X,{\varphi }))}= \frac{4}{2}=2, \qquad a_1= \frac{\det (A(E,X,{\varphi }_1))}{\det (A(E,X,{\varphi }))} = \frac{6}{2}=3, \\ a_2 &= \frac{\det (A(E,X,{\varphi }_2))}{\det (A(E,X,{\varphi }))}= \frac{2}{2}=1; \end{aligned}$$
6. the polynomial reconstructed is exactly \(f(x)=2+3x+x^2\) and the secret is retrieved as \(f(0)=a_0=2\).
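The numerical example above carried through in code, as an added example that is not part of the paper: shares are derivative values \(f^{(j)}(i)\), reconstruction uses the determinant formula \(a_k=\det(A(E,X,\varphi_k))/\det(A(E,X,\varphi))\), and, for the Add and Reset proofs of Appendix B, the partial coefficients \(a_{l,k}=\sigma_l(-1)^{l-1+k}\det(A_{l-1,k})/\det(A)\) are computed per shareholder and additively reshared for a new shareholder. The field prime q = 1019 is a constructed stand-in for the paper's very large q; an unauthorized subset shows up as a singular interpolation matrix.

```python
# Added example (not the paper's code): Tassa's conjunctive scheme over F_q
from math import factorial
import random

Q = 1019  # constructed: a small prime; the paper assumes a very large q

def det_mod(m, q):
    """Determinant of a square matrix over F_q by Gaussian elimination."""
    m, n, det = [row[:] for row in m], len(m), 1
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] % q), None)
        if piv is None:
            return 0
        if piv != c:
            m[c], m[piv], det = m[piv], m[c], -det
        det = det * m[c][c] % q
        inv = pow(m[c][c], -1, q)
        for r in range(c + 1, n):
            f = m[r][c] * inv % q
            m[r] = [(a - f * b) % q for a, b in zip(m[r], m[c])]
    return det % q

def deriv_eval(coeffs, j, x, q=Q):
    """f^{(j)}(x) for f(x) = sum_k coeffs[k] x^k, computed over F_q."""
    return sum(factorial(k) // factorial(k - j) * coeffs[k] * pow(x, k - j, q)
               for k in range(j, len(coeffs))) % q

def share(coeffs, ids, q=Q):
    """Share: the shareholder with ID (i, j) receives sigma_{i,j} = f^{(j)}(i)."""
    return {(i, j): deriv_eval(coeffs, j, i, q) for i, j in ids}

def interp_matrix(ids, t, q=Q):
    """A(E,X,phi): row (i, j) holds the j-th derivatives of 1, x, ..., x^{t-1} at i."""
    return [[factorial(k) // factorial(k - j) * pow(i, k - j, q) % q if k >= j else 0
             for k in range(t)] for i, j in ids]

def reconstruct(shares, t, q=Q):
    """Reconstruct: a_k = det(A(E,X,phi_k)) / det(A(E,X,phi)), where phi_k
    replaces column k of A by the share column (IDs in lexicographic order)."""
    ids = sorted(shares)
    sigma = [shares[p] for p in ids]
    A = interp_matrix(ids, t, q)
    d = det_mod(A, q)
    if d == 0:  # unauthorized subset: the Birkhoff problem is not well posed
        raise ValueError("interpolation matrix is singular")
    d_inv = pow(d, -1, q)
    return [det_mod([row[:k] + [s] + row[k + 1:] for row, s in zip(A, sigma)], q)
            * d_inv % q for k in range(t)]

def partial_polys(shares, t, q=Q):
    """Partial coefficients a_{l,k} = sigma_l (-1)^{l-1+k} det(A_{l-1,k}) / det(A) for
    shareholder l (1-based in ID order): f_l(x) = sum_k a_{l,k} x^k and sum_l f_l = f."""
    ids = sorted(shares)
    A = interp_matrix(ids, t, q)
    d_inv = pow(det_mod(A, q), -1, q)
    polys = []
    for l, p in enumerate(ids, start=1):
        rows = [row for r, row in enumerate(A, start=1) if r != l]  # A without row l-1
        polys.append([shares[p] * (-1) ** (l - 1 + k)
                      * det_mod([row[:k] + row[k + 1:] for row in rows], q) * d_inv % q
                      for k in range(t)])
    return polys

def add_shareholder(shares, t, new_id, q=Q):
    """Add: old shareholder l evaluates f_l^{(j')}(i'), splits it into additive
    sub-shares delta_{k,l} for the others, and each k forwards only delta_k."""
    i, j = new_id
    polys = partial_polys(shares, t, q)
    n = len(polys)
    delta = [[0] * n for _ in range(n)]  # delta[k][l] is sent by l to k
    for l, fl in enumerate(polys):
        parts = [random.randrange(q) for _ in range(n - 1)]
        parts.append((deriv_eval(fl, j, i, q) - sum(parts)) % q)  # parts sum to f_l^{(j')}(i')
        for k in range(n):
            delta[k][l] = parts[k]
    return sum(sum(delta[k]) for k in range(n)) % q  # == f^{(j')}(i')
```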
Copyright information
© 2016 Springer International Publishing AG
Cite this paper
Traverso, G., Demirel, D., Buchmann, J. (2016). Dynamic and Verifiable Hierarchical Secret Sharing. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science(), vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_2
DOI: https://doi.org/10.1007/978-3-319-49175-2_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-49174-5
Online ISBN: 978-3-319-49175-2