Abstract

A secret sharing scheme protects the privacy of information by distributing it. More specifically, a dealer splits a secret into n shares and distributes them privately to n participants, in such a way that any t or more participants can reconstruct the secret, but no group of fewer than t cooperating participants can determine it. Many schemes in the literature are based on polynomial interpolation or the Chinese remainder theorem. In this paper, we propose a new solution to the system of congruences, different from the Chinese remainder theorem, and a new scheme for secret sharing whose secret reconstruction is based upon Euler’s theorem. Furthermore, our generalized conclusion allows the dealer to refresh the shared secret without changing the original shares of the participants.

1. Introduction

Secret sharing is one of the basic cryptographic primitives in computer science, with applications including electronic voting [1], distributed cloud computing [2], key management [3], and data hiding [4]. Secret sharing (SS) was first introduced in 1979, independently, by Shamir [5] based on the Lagrange interpolating polynomial and by Blakley [6] based on hyperplane geometry. In 1983, Mignotte’s scheme [7] and Asmuth-Bloom’s scheme [8] were proposed based on the Chinese remainder theorem (CRT). A perfect secret sharing scheme [5] has two properties: (1) Any or more shares can recover the secret. (2) Any or fewer shares reveal no information about the secret. Secret sharing has attracted many researchers, and different types of secret sharing schemes have been designed to address different application requirements. For example, verifiable secret sharing [9, 10] allows the participants to verify the correctness of their shares without compromising the confidentiality of either the shares or the secret; weighted secret sharing [11] gives participants different privileges by having them hold shares with different weights; multi-secret sharing [12] allows more than one secret to be shared. However, the major techniques used can still be categorized into the above three methods.

The CRT reconstructs a positive integer from its remainders modulo a series of integer moduli. It is widely used in the calculation of large integers, because it allows replacing a calculation for which one knows a bound on the size of the result by several similar computations on small integers. The CRT has many applications in various areas, such as secret sharing [3, 4], the RSA decryption algorithm [13], the discrete logarithm algorithm [14], and the radio interferometric positioning system [15].

The main contributions of our paper are summarized as follows:
(a) Using Euler’s theorem to present a new method of the solution to the system of congruence
(b) First proposing a new type of secret sharing scheme based upon Euler’s theorem
(c) Using Euler’s theorem to present a new method of the solution to the system of congruence in the generalized CRT
(d) Proposing a refreshable secret sharing scheme to implement the secret refresh mechanism with the same shares

Because the conclusion of this paper is equivalent to the CRT, our method can be applied directly to CRT-based schemes to achieve the same goal.

The rest of this paper is organized as follows. In Section 2, we describe some preliminaries on number theory and prove that the system of congruence has another solution form which is different from the CRT. In Section 3, we review the Asmuth-Bloom’s scheme. In Section 4, we propose the secret sharing scheme based upon Euler’s theorem. In Section 5, the security and performance analysis are given. In Section 6, we generalize the conclusion in Section 2 and propose a refreshable secret sharing scheme. In Section 7, we conclude the paper.

2. New Solution to the Congruence System

In this section, we first describe the CRT and Euler’s theorem. Then, using their properties, we present another method that gives the unique solution of the system of congruences.

The Chinese remainder theorem states that if the remainders of the Euclidean division of an integer by several integers are known, then the remainder of the division of this integer by the product of these integers can be uniquely determined, under the condition that the divisors are pairwise coprime.

Lemma 1 (Chinese remainder theorem (CRT) [16]). Suppose are pairwise relatively prime positive integers, and suppose are integers. Then the system of congruences has a unique solution modulo , which is given bywhere and for .

Euler’s theorem is a generalization of Fermat’s little theorem and is further generalized by Carmichael’s theorem [17].

Lemma 2 (Euler’s theorem [17]). If and are coprime positive integers, then where called Euler’s phi function is the number of positive integers less than and relatively prime to .

An efficient way to calculate Euler’s phi function is the following Euler product formula [17]:where the product is over the distinct prime numbers dividing .

Now, we give another method of solving the systems of congruence and prove its correctness.

Theorem 3. Suppose are pairwise relatively prime positive integers (i.e., if then ), and suppose are integers. Then the system of congruenceshas a unique solution modulo , which is given bywhere for .

Proof. The Chinese remainder theorem shows that the functionis a bijection.
Now, define a function as follows:It amounts to show that the function .
Denote , and let . Consider a term in the above summation, reduced modulo .
are pairwise relatively prime positive integers, and , for .
If , it is obvious that ; by Euler’s theorem, we haveOn the other hand, if , because , we haveThenSince this is true for all , , is a solution to the system of congruences.

Example 4. Suppose , , , and . Then , , , and . We compute , , and , and then Then the function isFor example, if , , and , then this formula tells us thatThis can be verified by reducing 894 modulo 7, 11, and 13.
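Theorem 3 worked in code, as an added example that is not from the paper. It assumes the solution has the form x = Σ a_i · M_i^φ(m_i) mod M with M_i = M/m_i, which is what the two cases of the proof imply (each term is a_i modulo m_i by Euler's theorem and 0 modulo every other modulus). The names `phi`, `euler_solve` and `crt_solve` are illustrative, and the residues 5, 3, 10 are obtained by reducing the 894 of Example 4 modulo 7, 11 and 13.

```python
from math import gcd, prod

def phi(n):
    """Euler's phi via the product formula over the distinct primes dividing n."""
    result, rest, p = n, n, 2
    while p * p <= rest:
        if rest % p == 0:
            while rest % p == 0:
                rest //= p
            result -= result // p      # multiply result by (1 - 1/p)
        p += 1
    if rest > 1:                       # one prime factor larger than sqrt(n) remains
        result -= result // rest
    return result

def check_pairwise_coprime(moduli):
    for i, a in enumerate(moduli):
        for b in moduli[i + 1:]:
            if gcd(a, b) != 1:
                raise ValueError(f"moduli {a} and {b} are not coprime")

def euler_solve(residues, moduli):
    """Assumed form of Theorem 3: x = sum a_i * M_i^phi(m_i) mod M, M_i = M/m_i.
    No modular inverse is computed; the exponent phi(m_i) replaces it."""
    check_pairwise_coprime(moduli)
    M = prod(moduli)
    x = 0
    for a, m in zip(residues, moduli):
        # M_i^phi(m_i) is 1 modulo m_i (Euler) and 0 modulo every other m_j
        x += a * pow(M // m, phi(m), M)
    return x % M

def crt_solve(residues, moduli):
    """Classical CRT form of Lemma 1, using modular inverses, for comparison."""
    check_pairwise_coprime(moduli)
    M = prod(moduli)
    return sum(a * (M // m) * pow(M // m, -1, m)
               for a, m in zip(residues, moduli)) % M

if __name__ == "__main__":
    # Moduli of Example 4; residues derived from its result 894
    print(euler_solve([5, 3, 10], [7, 11, 13]))
    # Constructed case with composite moduli, where phi(m) != m - 1
    print(euler_solve([4, 3, 2], [9, 10, 7]), crt_solve([4, 3, 2], [9, 10, 7]))
```

Both functions return the same value because the solution is unique modulo M; the Euler form trades the extended Euclidean algorithm for a computation of φ(m_i), which needs the factorization of each modulus.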

3. Review of Asmuth-Bloom’s Secret Sharing

In 1983, Asmuth and Bloom [8] proposed a novel () SS, in which the shares are the congruence classes of the secret and the corresponding modulus is broadcasted as the participant’s public key. The secret reconstruction is based on CRT.

3.1. Initialization

The distinct positive integers are chosen subject to the following conditions:(1)(2) for (3)

3.2. Secret Generation

Suppose the shared secret is the integer . Let where is subject to the condition . Then let be the private shares.

3.3. Secret Reconstruction

If are known, is obtained by where , , and . Then the shared secret is

3.4. Security Analysis

However, Harn et al. [18] pointed out that the value needs to be in the t-threshold range ; otherwise, it could be obtained by fewer than t participants. In the following, we give an example to illustrate this vulnerability.

Example 5. Consider Asmuth-Bloom’s secret sharing scheme.
We have a pairwise relatively prime integer set . The shared secret is 4. Let . Then, four shares are generated asIt is easy to recover the shared secret by using two shares , and the CRT, as shown below.
By Euclidean Algorithm, we getand then and the secret is revealed.
Besides, Hwang and Chang [19] proposed a method to generate a pairwise relatively prime integer set that satisfies the requirements of both Asmuth-Bloom’s scheme and ours; such an integer set is not unique.
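The weakness described in Section 3.4, as an added example that is not from the paper: when the blinded value falls below the product of t−1 moduli, the CRT over those t−1 shares already returns it exactly. All parameters are constructed, the blinded value is taken in the usual Asmuth-Bloom form secret + a·m0, the range is the usual reading of the t-threshold range (above the product of the t−1 largest moduli, below the product of the t smallest), and the function names are illustrative.

```python
from math import prod

def crt(residues, moduli):
    """Classical CRT: the unique solution modulo the product of the moduli."""
    M = prod(moduli)
    return sum(r * (M // m) * pow(M // m, -1, m)
               for r, m in zip(residues, moduli)) % M

def threshold_range(moduli, t):
    """(low, high): product of the t-1 largest and of the t smallest moduli."""
    ms = sorted(moduli)
    return prod(ms[len(ms) - t + 1:]), prod(ms[:t])

def make_shares(secret, a, m0, moduli, t, enforce_range=True):
    """Blind the secret as y = secret + a*m0 and give participant i (m_i, y mod m_i)."""
    if not 0 <= secret < m0:
        raise ValueError("secret must lie in [0, m0)")
    y = secret + a * m0
    low, high = threshold_range(moduli, t)
    if y >= high:
        raise ValueError("y too large: t shares could not recover it")
    if enforce_range and y <= low:
        raise ValueError("y below the t-threshold range: t-1 shares recover it")
    return y, [(m, y % m) for m in moduli]

def reconstruct(shares, m0):
    """Pool shares, solve the congruence system, reduce modulo m0."""
    return crt([s for _, s in shares], [m for m, _ in shares]) % m0

# Constructed parameters (assumptions, not the values of Example 5)
M0, MODULI, T, SECRET = 5, [11, 13, 17, 19], 3, 4

if __name__ == "__main__":
    print("range:", threshold_range(MODULI, T))            # (323, 2431)
    # Weak choice: y = 4 + 20*5 = 104 < 11*13, so two shares are enough
    _, weak = make_shares(SECRET, 20, M0, MODULI, T, enforce_range=False)
    print("weak, 2 shares:", reconstruct(weak[:2], M0))
    # In-range choice: y = 4 + 250*5 = 1254, two shares no longer pin y down
    y, ok = make_shares(SECRET, 250, M0, MODULI, T)
    print("in range, 2 shares:", reconstruct(ok[:2], M0))
    print("in range, 3 shares:", reconstruct(ok[:3], M0))
```

With `enforce_range=True` the dealer-side check rejects the weak blinding value before any share is issued.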

4. Proposed Secret Sharing Scheme

The traditional secret sharing scheme is composed of a trusted dealer D and participants . Our secret sharing scheme consists of three phases, that is, initialization phase, share generation phase, and secret reconstruction phase. In secret generation phase, we improve Asmuth-Bloom’s scheme by considering the -threshold range. We do the secret reconstruction by Euler’s phi function, and the correctness is based upon Theorem 3 in Section 2.

4.1. Initialization

The dealer D chooses distinct positive integers such that(1)(2) for (3)

The dealer D broadcasts the value and sends the value to participant as his/her public information, for .

4.2. Share Generation

Suppose the dealer D wants to share the secret .

The dealer D selects an integer ; then let be the private share of the participant , for .

4.3. Secret Reconstruction

If participants pool their shares and corresponding modulus, , the shared secret can be reconstructed as , where

5. Security and Performance Analysis

In this section, we first give security analysis of the scheme proposed in Section 4 and then compare the performance of our proposed secret sharing with that of two types of classical secret sharing.

5.1. Security Analysis

We now show that our proposed secret sharing scheme is perfect and secure.

Theorem 6. Our proposed secret sharing scheme described in Section 4 is perfect, that is, the following two properties are satisfied:
(1) If any participants pool their shares, then they can determine the value of .
(2) If any participants pool their shares, then they can determine nothing about the value of .

Proof. Based on the conditions of our scheme, where and .
Let , we have(1) If any participants pool their shares , as described in Theorem 3, the system of congruenceshas one unique solution as where .
As , this uniquely determines and thus (2) If only participants pool their shares, , then all we have is , where . The real secret ; since and , the set of possible values is greater than that of possible secret. Hence, no useful information is compromised.

Example 7. Consider the proposed secret sharing scheme.
In initialization phase, the dealer D chooses 5 distinct positive integers, , , , , and , which satisfies the conditions on initialization listed in Section 4.1. The minimum value is broadcasted. And is sent as the public key of .
In sharing phase, suppose the shared secret . Then dealer D selects an integer . So the private shares of , , , and , are generated as follows:In reconstructing phase, suppose that and cooperate; by (19) we haveand, then, the secret can be reconstructed as
As in much of the literature, we assume that all participants pool their real shares when they collaborate to recover the shared secret. To enhance security, the scheme can be combined with cheater detection mechanisms that check the validity of the shares before the secret is recovered.

5.2. Performance Analysis

In this section, we analyze the computational cost of our proposed scheme and compare it with the other two classic secret sharing schemes, as summarized in Table 1. In Shamir’s scheme, the secret recovery using the usual polynomial interpolation requires operations. In Asmuth-Bloom’s scheme, the modular method of secret recovery requires only operations. In our scheme, the computational complexity of requires at most operations. However, this can be improved at the cost of storage by keeping a table. Once the value of is known, it requires only operations to recover the secret.

6. Renewable Secret Sharing Scheme

The generalized Chinese remainder theorem (GCRT) [9, 10] is a variation of CRT with an additional integer introduced as a common modulus. Inspired by GCRT, we have the following result.

Theorem 8. Suppose are pairwise relatively prime positive integers (i.e., if then ), and are integers. Suppose is an integer satisfying . Let . Then the system of congruenceshas a unique solution modulo , which is given bywhere and for .

Proof. It amounts to showing that in (28) is a solution to the system of congruences (19). The proof of uniqueness is similar to Theorem 3.
For , consider a term in the above summation, reduced modulo .
If , it is obvious that , by Euler’s theorem; then we have ; i.e., there is an integer such that ; then because . On the other hand, if , because , we havei.e., . Therefore, because for .
Since and , we have .
If is a multiple of , thenand we haveIf is not a multiple of , then because and .

Although more computation is required, more flexible performance can be achieved. In the traditional secret sharing scheme, if we want to refresh the secret, the corresponding congruences system should be modified. However, based upon Theorem 8, we can refresh the shared secret without changing the share and the public information of the participants.

Compared with the previous scheme, the refreshable secret sharing scheme adds a secret refresh phase. In share generation phase, the dealer needs to broadcast an additional parameter as follows.

6.1. Initialization

The dealer D chooses distinct positive integers such that(1)(2) for (3)

The dealer D broadcasts the value and sends the value to participant as his/her public information, for .

6.2. Share Generation

Suppose the dealer D wants to share the secret . The dealer D firstly selects and broadcasts an integer . Secondly, the dealer D chooses a random integerthen generating , which is the private share of the participant , for .

6.3. Secret Refreshment

Suppose the dealer D wants to refresh the shared secret without changing the share and the public modulus of the participants which has been sent. The dealer D selects and broadcasts new integer ; then the secret can be shared by participants with their original share and public modulus , where

6.4. Secret Reconstruction

If participants pool their shares and public modulus, , with the corresponding parameter , the shared secret can be reconstructed as , where

7. Conclusions

In this paper, we first show a new method to reconstruct the secret by the system of congruences utilizing Euler’s theorem and propose a new type of perfect secret sharing scheme based on modular arithmetic. Furthermore, inspired by [20], we introduce an extra integer to help us to refresh the secret without changing the information the participant holds; only one public broadcasting parameter needs to be updated.

Data Availability

The relevant analysis data used to support the findings of this study are included in the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was partly supported by the National Natural Science Foundation of China (Grant No. 11804114) and the Natural Science Foundation of Fujian Province, China (Grant Nos. 2017J01761 and 2018J01537).