1. Introduction
Secret sharing schemes were first proposed by Blakley [1] and Shamir [2] in 1979. They are an important cryptographic primitive that is still used in many network security protocols and in secure multi-party computation. A secret sharing scheme involves a dealer who holds a secret. The dealer distributes pieces of the secret (called shares) to a set of participants (also called users) so that each party holds one share of that secret. Some subsets of participants can reconstruct the secret while others cannot. The groups which can reconstruct the secret are called qualified (or sometimes authorized), and the other groups are called rejected.
Threshold secret sharing schemes form one of the important classes of secret sharing schemes. The main idea of a -threshold secret sharing scheme is that t out of n participants can retrieve the secret, but cannot. Shamir's and Blakley's schemes are threshold schemes. Shamir's scheme is based on polynomial interpolation, while Blakley used hyperplane geometry to solve the secret sharing problem.
Pedersen [3] extended Shamir's scheme so that the n shares (one for each shareholder) can be verified by the n shareholders. Moreover, several authors have investigated general secret sharing schemes [4,5,6,7,8,9,10].
It is well known that polynomials play an important role in the development of the theory of the algebraic structure of finite fields. Sun and Shieh [11] presented a polynomial-based secret sharing scheme, using the Diffie-Hellman principle to construct it. Hwang and Chang [12] also employed polynomials to construct their secret sharing scheme.
In this paper, we present a secret sharing scheme based on polynomials over , exploiting the structure of a field extension of degree . For concreteness, we give some numerical examples. We prove that the scheme is both ideal and perfect. We give conditions on q and d to thwart passive attacks.
The material is organized as follows. The next section recalls the necessary algebraic background. In Section 3 we construct our secret sharing scheme and explain its security. Section 4 concludes our work.
2. Polynomials over Finite Fields
Polynomials over finite fields form an important class of finite rings which is heavily used in cryptography. We start by recalling some background helpful when working with polynomials.
Definition 1 ([13]). Let be a non-zero polynomial of degree n over an arbitrary field , q being a prime. Then is said to be the of and is the . In fact, the polynomials we consider belong to the field F of elements, d being an arbitrary positive integer. To define F, we consider an irreducible polynomial of degree and set . The protocol therefore uses the operations (addition and multiplication) of the field F. In the sequel, we use the notations P and interchangeably for an element of the field.
3. The Scheme
In this section, we present a secret sharing scheme based on operations in the field F. The secret space and the sharing space are both equal to , the non-zero polynomials of degree d over .
The secret, denoted s, is a polynomial of degree d over , and as a polynomial it can also be denoted . The protocol uses a trusted dealer T to deliver the shares of the secret s to the m participants.
The setup is as follows:
The shares, denoted , are randomly chosen by T.
T chooses a primitive irreducible polynomial Q of degree , then computes the product of the m shares modulo :
Thus, is of degree .
T computes the polynomial such that and makes public and .
The dealer sends the share , using a channel which preserves confidentiality, to user i for .
The reconstruction phase is as follows:
The m users pool their shares to compute , then .
Example 1. Suppose that , , , and . Take the shares as and the secret as . The dealer T calculates in the field F. Then T makes public . Please note that the characteristic of the field is 2, hence subtraction and addition are the same. The calculation of in this example gives . The reconstruction phase is as follows. The m participants pool their shares to obtain , and then add the public value .
Example 2. Suppose that , , and . Take the shares as and the secret . The reconstruction phase gives .
Properties and Security
In a secret sharing scheme, a large number of participants may increase the security. We can explain this situation using the information rate [14]. This parameter is an important measure of both the security and the efficiency of a secret sharing scheme.
Proposition 1. The size of the secret is .
Proof. The secret space consists of the non-zero polynomials of degree d over , and the number of these polynomials is . Therefore, the secret can be written using elements of . □
In our scheme, the size of a share is exactly equal to the size of the secret. The information rate is .
We recall that if the size of every participant's share is less than or equal to the size of the secret, then the secret sharing scheme is said to be ideal [15]. Therefore, we have the following theorem:
Theorem 1. The constructed scheme is ideal.
For the property of perfect privacy, we have to show [16] that no rejected set can learn anything about the secret (in the information-theoretic sense) from its shares. In terms of the entropy function, it means that the entropy of the secret given the shares of any rejected set is equal to the entropy of the secret. In fact, the security of our scheme relies on the equation . Since is a product of random polynomials, it can also be considered random. Moreover, and P are of the same size. This equation is therefore the same as that of the One Time Pad, which has perfect secrecy. It means that knowing D, an adversary cannot learn any information about the secret. Moreover, an adversary who knows strictly fewer than m shares gets no information about the secret.
So this scheme has the property of perfect privacy [15] and it has a secure access structure. Moreover, the scheme is robust against passive adversaries: if all the participants follow the protocol honestly, no attacker can retrieve the secret with a probability greater than . Indeed, suppose that users collude, pool their shares, and try to guess the share of order m by picking a random element of . The probability of success of such an attack is . More generally, if r users with try to mount an attack, having less information than users, the probability of success of that attack is strictly less than the above quantity.
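As an added illustration (not code from the paper), the following Python instantiates the dealer and reconstruction steps of Section 3 and the collusion argument above over GF(2^d), matching the characteristic-2 setting of Example 1. The polynomial Q = x^8 + x^4 + x^3 + x^2 + 1, the number of users m = 4 and the sample secret are constructed choices, not values taken from the paper.

```python
# Added example, not the paper's code: the scheme of Section 3 over GF(2^d) = GF(2)[x]/(Q).
# Polynomials are Python ints (bit i = coefficient of x^i); Q, m and the sample secret are constructed.
import secrets

def gf_mul(a: int, b: int, q_poly: int, d: int) -> int:
    """Multiply two polynomials over GF(2) and reduce modulo q_poly, an irreducible polynomial of degree d."""
    r = 0
    while b:
        if b & 1:
            r ^= a              # add a * x^i for each set bit of b
        b >>= 1
        a <<= 1
        if a >> d:              # degree d reached: subtract (xor) Q to reduce
            a ^= q_poly
    return r

def deal(secret: int, m: int, q_poly: int, d: int):
    """Dealer T: draw m random non-zero shares, compute P = product of shares mod Q and D with s = P + D.
    Returns (shares, D); Q and D are published, each share goes to one user over a confidential channel."""
    shares = [secrets.randbelow(2**d - 1) + 1 for _ in range(m)]
    p = 1
    for share in shares:
        p = gf_mul(p, share, q_poly, d)
    return shares, secret ^ p   # characteristic 2: D = s - P = s xor P

def reconstruct(shares, d_pub: int, q_poly: int, d: int) -> int:
    """The m users pool their shares: s = (product of shares mod Q) + D."""
    p = 1
    for share in shares:
        p = gf_mul(p, share, q_poly, d)
    return p ^ d_pub

def coalition_candidates(known_shares, d_pub: int, q_poly: int, d: int) -> set:
    """Privacy check from Properties and Security: m-1 colluders guess the missing share.
    Multiplication by a non-zero field element is a bijection, so the 2^d - 1 guesses give
    2^d - 1 distinct candidate secrets and the colluders learn nothing from D."""
    return {reconstruct(list(known_shares) + [g], d_pub, q_poly, d) for g in range(1, 2**d)}

if __name__ == "__main__":
    D_DEG, Q_POLY = 8, 0b1_0001_1101   # Q = x^8 + x^4 + x^3 + x^2 + 1, primitive over GF(2)
    s = 0b1011_0110                    # constructed secret, a non-zero element of GF(2^8)
    shares, d_pub = deal(s, 4, Q_POLY, D_DEG)
    print("shares:", [hex(x) for x in shares], "public D:", hex(d_pub))
    print("reconstructed:", hex(reconstruct(shares, d_pub, Q_POLY, D_DEG)), "expected:", hex(s))
    print("candidates seen by 3 colluders:", len(coalition_candidates(shares[:3], d_pub, Q_POLY, D_DEG)))
```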
Remark 1. This scheme is not a -threshold secret sharing scheme since the factorization in the field is not unique. Suppose, for example, that a share is equal to the product of all the shares. In this case, this share is theoretically able to recover the secret. This means that there is no predefined threshold for recovering the secret from the shares, but it does not affect the security of the scheme.
It is also easy to see that the scheme is not monotone since the authorized coalition is unique.
4. Conclusions
In this paper, we have studied a new secret sharing scheme based on polynomial multiplications over . We have determined its access structure and computed its information rate. Our scheme is ideal and secure against passive attacks. It could be used in embedded systems because multiplications in a field are easily optimized, so the computational cost is lower than that of schemes using interpolation.