Some Multisecret-Sharing Schemes over Finite Fields

Abstract

A secret sharing scheme is a method of assigning shares for a secret to some participants such that only some distinguished subsets of these subsets can recover the secret while other subsets cannot. Such schemes can be used for sharing a private key, for digital signatures or sharing the key that can be used to decrypt the content of a file. There are many methods for secret sharing. One of them was developed by Blakley. In this work, we construct a multisecret-sharing scheme over finite fields. The reconstruction algorithm is based on Blakley’s method. We determine the access structure and obtain a perfect and ideal scheme.

1. Introduction

A cryptosystem is an implementation of cryptographic techniques providing information security services. Encryption is the process of scrambling a message and can provide a means of securing information. A secret sharing scheme is an encryption method. The secret s is divided into n pieces called shares. The pieces alone have no information about the secret, but the secret can be reached by combining some pieces.

Secret sharing was first introduced by Shamir [1] and Blakley [2] in 1979. Shamir’s scheme is constructed based on the Lagrange interpolation polynomial, as a $(t,n)$-threshold secret sharing scheme. In a $(t,n)$-threshold secret sharing scheme, the secret is divided into n shares and distributed each share to one of n parties called shareholders. Only t or more shareholders combining their shares together can recover the secret while $t-1$ or fewer shareholders cannot obtain any information about the secret. There are several schemes [3,4,5,6,7] based on Shamir’s scheme.

Blakley’s method is based on finite geometry. In this scheme, the geometry of hyperplanes over a finite field is used to solve the secret sharing problem [8]. To generate a $(t,n)$-threshold scheme, each of the n participants is given a hyperplane equation in a t-dimensional space over a finite field. In some cases, each hyperplane passes through a certain point. The secret is the intersection point of the hyperlanes. Once participants need to reconstruct the secret by solving the system of equations [9].

Multisecret-sharing schemes are one of the most important families of secret sharing schemes, since the secret has been constructed as multi party not single party. Thus, it is more difficult to reach the secret than for a single secret sharing scheme. Some multisecret-sharing schemes are constructed in [6,7,10,11,12,13]. In these schemes [6,13,14], there is a set of which consists of r secrets. The elements of this set can be shared and reconstructed at the same time or none of the r secrets can be retrieved. However, every $(r,m,n)$-multisecret-sharing scheme gives r single secret $(m,n)$-threshold schemes [15]. Especially, we presented in [10] a multisecret sharing scheme based on error correcting codes. Moreover, in [16], we constructed a new multisecret-sharing scheme based on LCD codes. The reconstruction algorithm is given by using Blakley’s method.

In cryptosystems, the secure storage of private keys is an important problem. Secret sharing satisfies the distribution the private keys to the participants safely and does not trust a creature and central system. One type of such systems is blockchain systems. The private keys check the important seeds such as money and identities in this system. Their loss can have serious consequences. Thus, the distributed storage blockchain (DSB) scheme is introduced in [17,18]. Krawczyk [19] consolidated the DSB scheme with Shamir’s [1] secret sharing scheme and private key encryption and information dispersal algorithm (IDA) [20]. The DSB scheme decreases the storage to a part of the original blockchain’s impose.

Proactive secret sharing (PSS) was proposed by Herzberg et al. [21]. This is a stronger scheme by means of security. PSS is effective in the sharing of the shares to the participants when the secret s is kept. The participants get the new pieces of the secret $s.$ These pieces are independent of the old ones and then the old pieces are removed. PSS protects the secret s from possible attacks.

Maram et al. [22] presented CHURP (CHUrn-Robust Proactive Secret Sharing). CHURP satisfies a secure secret sharing in dynamic setting. The collection of nodes keeps the secret changes in this scheme. It is also constructed for blockchains and has a simpler structure.

In the area of cryptocurrency, and blockchain design, secret sharing schemes (SSS) are used extensively, in particular in electronic voting [23], data storage [18], and wallet management [24]. The most used of these schemes is the Shamir scheme [1]. In this note, we explore a variant of an alternative scheme, the Blakley scheme. We show that the Blakley scheme is not adapted to finite fields. We give a multisecret scheme which exploits similar ideas.

The rest of the paper is organised as follows. In Section 2, we introduce Blakley’s secret sharing scheme based on hyperplane geometry over the reals, and show it cannot work over finite fields. In Section 3, we construct a new multisecret-sharing scheme by using linear algebra over finite fields. We use Blakley’s method and determine the access structure. Section 4 collects the concluding remarks.

2. Preliminaries

2.1. Blakley Threshold Secret Sharing Scheme

In a $(t,n)$-Blakley Scheme, the dealer selects a secret point $X=(x_1,x_2,\dots ,x_t)$ from ${\mathbb{R}}^t$. The secret key to be shared is the first coordinate of X. Other coordinates of X are random. For each participant $u\in P,$ the dealer selects a random vector

$$A_u=(a_{u_1},a_{u_2},\dots ,a_{u_t})$$

(1)

from ${\mathbb{R}}^t$ and assigns the scalar

$$y_u=A_u{X}^T=\sum _{i=1}^t{a}_{u_i}{x}_i$$

as the secret share to user $u.$

In other words, the dealer assigns a hyperplane equation that is passing through X to each participant u. When a t-member coalition $W=\{u_1,u_2,\dots ,u_t\}$ is present, they have t-hyperplanes passing through $X.$ The linear system formed by the shares of $u_i\in W$ is

$$\left(\begin{array}{c}{A}_{u_1}\\ A_{u_2}\\ ⋮\\ A_{u_t}\end{array}\right).\left(\begin{array}{c}{x}_1\\ x_2\\ ⋮\\ x_t\end{array}\right)=\left(\begin{array}{c}{y}_{u_1}\\ y_{u_2}\\ ⋮\\ y_{u_t}\end{array}\right)$$

$$M_W{X}^T=Y_W^T$$

(2)

where $Y_W$ denotes the $1\times t$ vector formed by the shares of participants included in $W.$ Since all entries in $M_W$ are generated randomly, $M_W$ is nonsingular with probability one: the set of singular matrices forming a hypersurface in $n^2$ dimensions is of measure zero for the Lebesgue measure. Since $M_W$ is nonsingular, the subset W can find the secret by solving the linear system in Equation (2). When a coalition $W^{\prime }$ of size $t^{\prime }<t$ is present, it only sees $t^{\prime }$ columns of $A,$ yielding an underdetermined system to solve.

Qualified coalitions find the secret and unqualified coalitions gain no information about the secret.

Remark 1.

The Blakley scheme does not work well if we replace $\mathbb{R}$ with a finite field, because the probabilistic argument for the nonsingularity of $M_w$ breaks down. Building a matrix of order n over the finite field $GF\left(q\right)$ by choosing its rows at random will not give a nonsingular matrix with probability one, even for large matrix order. The probability $P(n,q)$ of building a nonsingular n by n matrix over $GF\left(q\right)$ by random choice is

$$P(n,q)=\left|GL(n,q)\right|q^{-n^2}=\prod _{j=1}^n(1-1/q^j),$$

by $\left|GL(n,q)\right|={\prod }_{j=1}^n(q^n-q^{n-j})$ [25]. Since the infinite product ${\prod }_{j=1}^{\infty }(1-1/q^j)$ converges, we see that $P(n,q)$ tends to a finite value $\ne 1$ for $n\to \infty .$

For instance, for $q=2$, we have the numerical approximation $P(n,2)\sim 0.29,$ for $n\to \infty .$

2.2. Ramp Secret Sharing Scheme

Ramp secret sharing scheme is a cryptographic method to encode a secret s into multiple shares $s_1,\dots ,s_n$ that only from specified subsets of the shares one can recover s. In ramp schemes, a secret can be shared among a group of participants in such a way that only sets of at least k participants can reconstruct the secret and $k-1$ participants cannot [26].

A linear ramp secret sharing scheme is called t-privacy if from no set of size t one can guess any information about the secret, but from some set of size $t+1$ can recover some information about it.

3. Multisecret-Sharing Schemes over Finite Fields

3.1. Notation

In this section, we consider a finite extension $\mathbb{F}={\mathbb{F}}_q^m$ of the finite field $K={\mathbb{F}}_q$ as a vector space over $K.$ Then, $\mathbb{F}$ has dimension m over K and if $\{{\alpha }_1,\dots ,{\alpha }_m\}$ is a basis of $\mathbb{F}$ over K, each element $\alpha \in \mathbb{F}$ can be uniquely represented in the form

$$\alpha =c_1{\alpha }_1+\dots +c_m{\alpha }_m$$

with $c_j\in K$ for $1\le j\le m.$

3.2. Scheme Description

In this subsection, we examine a multisecret-sharing scheme over finite fields. To explain the reconstruction method, we use Blakley’s algorithm.

• Let the vector space ${\mathbb{F}}_q^m$ be both the secret space and the participants set.
• Let any vector of ${\mathbb{F}}_q^m$ be the secret.

The m secrets are the m coordinates of a vector $X\in {\mathbb{F}}_q^m.$ Let P denote an m-subset of participants. For each participant $u\in P,$ the dealer selects a random vector

$$A_u=(a_{u_1},a_{u_2},\dots ,a_{u_t})$$

(3)

from ${\mathbb{F}}_q^m$ and assigns the scalar

$$y_u=A_u{X}^T=\sum _{i=1}^t{a}_{u_i}{x}_i$$

as the secret share to user $u.$ The linear system formed by the shares of $u_i\in W$ is

$$\left(\begin{array}{c}{A}_{u_1}\\ A_{u_2}\\ ⋮\\ A_{u_t}\end{array}\right).\left(\begin{array}{c}{x}_1\\ x_2\\ ⋮\\ x_t\end{array}\right)=\left(\begin{array}{c}{y}_{u_1}\\ y_{u_2}\\ ⋮\\ y_{u_t}\end{array}\right)$$

$$M_W{X}^T=Y_W^T$$

(4)

Thus, we obtain a linear equation system in X and the secret can be retrieved by solving this system, provided $M_W$ is non singular, or, equivalently, the family ${\left(A_u\right)}_{u\in W}$ is free.

Theorem 1.

This multisecret-sharing scheme has the following properties:

(1) 

The access structure consists of sets of m elements.

(2) 

No subset of size less than m can be used in recovering the secret.

Proof. 

The following facts are immediate by basic linear algebra. (1) Any basis of ${\mathbb{F}}_q^m$ can recover the secret by combining their shares, as the matrix of the system in nonsingular in that case.

(2) The above system is undetermined in that case, because the matrix of the system is not square. □

Corollary 1.

This multisecret-sharing scheme is a $(m,m)$-threshold secret sharing scheme.

Proof. 

The secret is recovered thanks to the basis elements of ${\mathbb{F}}_q^m$ in this scheme. Thus, each minimal access set consists of m elements. The size of secret is m, since it is any vector of ${\mathbb{F}}_q^m$. That is, in this scheme, all m secrets of X can be determined together. Therefore, the new scheme is a $(m,m)$-threshold scheme. □

Corollary 2.

The multisecret-sharing scheme satisfying the above theorem is also a ramp secret sharing scheme with $m-1$ privacy.

Proof. 

The number of participants retrieving the secret is m. This means the size of minimal access subsets is m. Thus, this scheme is also a ramp secret sharing scheme with $m-1$ privacy by definition of a ramp secret sharing scheme. □

3.3. Statistics on Coalitions

Theorem 2.

Let ${\mathbb{F}}_q^m$ be the finite extension over the finite field ${\mathbb{F}}_q$. In a multisecret-sharing scheme over ${\mathbb{F}}_q$, the number of minimal coalitions is

$$\frac{\left|GL\right(m,q\left)\right|}{m!}=\prod _{j=1}^m(q^m-q^{m-j}).$$

Proof. 

Recall that, in our scheme, the secret space is the finite extension ${\mathbb{F}}_q^m$ and the minimal access sets consist of the bases. These m participants can recover the secret together. Thus, the number of minimal coalitions is the number of rows of a nonsingular matrix of order m over ${\mathbb{F}}_q$ up to ordering. This number is calculated by the above formula. □

3.4. Security Analysis

Assume that $t<m$ participants collude together and agree to pool their share to try and guess the secret. For the attack to be better than random choice, we must assume that their corresponding vectors $A_u$ are linearly independent. Assuming they correspond to a system of t linearly independent vectors, they can be completed into a basis in $X(t,m,q)$ ways. In general, this quantity is a complicated combinatorial coefficient. Let us assume the most favorable case to the attackers, that is $t=m-1.$ In that situation, the basis extension vector is any vector that is not in the linear span of the $m-1$ vectors attached to the colluders. Thus, $X(t,m,q)=q^m-q^{m-1}.$ This vector being chosen, there are q choices for its share.

Thus, the probability of success of the attack is $\frac{1}{(q-1)(q^m-q^{m-1})}.$ To make this quantity small, we should operate the system with a large $m.$ Having a large q would increase the computational burden of the field arithmetic.

3.5. Information Theoretic Efficiency

The ratio of the size of the secret to the size of the participants gives the information rate [27] of the secret sharing scheme. In this scheme, the secret is a vector of dimension m and its size is m. The sharings are the sets of basis elements and their size is $m.$ Thus, the information rate is

$$\rho =\frac{m}{m}=1.$$

This scheme is ideal, since $\rho =1.$

3.6. Comparison with Other Schemes

In this section, we compare our scheme with other secret sharing schemes in the literature by means of, in order, the number of participants, the size of a secret, and the number of coalitions for an arithmetic over ${\mathbb{F}}_q$. We denote by $A,B,$ and C these three quantities in the Table 1. In the fourth column, the symbol t denotes the error-correcting capacity of code. As a basis of comparison, in Columns 2–4, we consider an $[n,k,d\ge 2t+1]$-code over $GF\left(q\right).$ For codes of similar alphabets and dimensions, the new scheme allows exponentially more participants and more coalitions, compared to the other schemes, for a secret size of the same order of magnitude.

Table 1. Comparison with other Schemes.

System	[28]	[15]	[10]	This Paper
A	$n-1$	n	n	$q^m$
B	q	$q^k$	$q^k$	q
C	$\left(\genfrac{}{}{0pt}{}{n}{k}\right)$	$\left(\genfrac{}{}{0pt}{}{n}{k}\right)$	$\ge \left(\genfrac{}{}{0pt}{}{n}{d-t}\right)$	$\frac{{\prod }_{i=0}^{m-1}(q^m-q^i)}{m!}$
$\rho$	1	$\frac{k}{k-1}$	1	1

Massey’s scheme has a single secret sharing system, not a multisecret-sharing. To recover the secret, the linear algebra in Ding’s scheme is used. The reconstruction algorithm is based on the decoding in Çalkavur et al. scheme [10]. In our new system, to recover the secret, we use Blakley’s method. However, the secret will be retrieved safely since the system has m independent equations and m unknowns. This means there exists a unique solution in the system.

4. Conclusions

In [29], Çalkavur et al. introduced a new multisecret-sharing scheme based on vector spaces over the $\mathbb{F}$ vector space ${\mathbb{F}}^n$ for some field $\mathbb{F}.$ In this work, we generalise the results in [29] and construct a multisecret-sharing scheme over finite fields. We use Blakley’s algorithm to explain the recovering method of a secret. We determine the access structure, examine the statistics on coalitions and show the ideality and perfectness of our scheme. Attack analysis indicates that the important security parameter is the dimension m of the vector space we consider.

Compared to other schemes based on finite fields, our scheme displays for the same order of magnitude of parameters more users and more coalitions. It is also a multisecret scheme.