A New Secret Sharing Scheme Based on Polynomials over Finite Fields

Abstract

In this paper, we examine a secret sharing scheme based on polynomials over finite fields. In the presented scheme, the shares can be used for the reconstruction of the secret using polynomial multiplication. This scheme is both ideal and perfect.

1. Introduction

Secret sharing schemes were first proposed by Blakley [1] and Shamir [2] in 1979. They represent an important cryptographic primitive that is still used in many security network protocols or for secure multi-party computations. A secret sharing scheme involves a dealer who holds a secret. This dealer distributes pieces of its secret (called shares) to a set of participants (also called users) in order that each party holds a share of that secret. Some subsets of participants can reconstruct the secret while some cannot. The groups which can reconstruct the secret are called qualified (or sometimes authorized), and the other groups are called rejected.

Threshold secret sharing scheme is one of the important class of secret sharing schemes. The main concept of $(t,n)$-threshold secret sharing scheme is that t out of n participants can retrieve the secret, but $(t-1)$ cannot. Shamir and Blakley’s schemes are threshold schemes. Shamir’s scheme was based on polynomial interpolation and Blakley used the hyperplane geometry to solve the secret sharing problem.

Pedersen [3] proves the Shamir scheme: The n shares (one for each shareholder) can be confirmed by the n shareowners. Moreover, several authors have investigated the general secret sharing schemes [4,5,6,7,8,9,10].

It is well known that polynomials play an important role in the development of the theory of algebraic structure of finite fields. Sun and Shieh [11] presented a polynomial-based secret sharing scheme. They used the Diffie-Hellman’s principle to construct their scheme. Hwang and Chang [12] also employed polynomials to construct their secret sharing scheme.

In this paper, we present a secret sharing scheme based on polynomials over $GF\left(q\right)$, exploiting the structure of field extension of degree $d+1$. For concreteness, we give some numerical examples. We prove that the scheme is both ideal and perfect. We give conditions on q and d to thwhart passive attacks.

The material is organized as follows. The next section gives some necessary information about algebraic topics. In Section 3 we construct our secret sharing scheme and explain its security. Section 4 concludes our work.

2. Polynomials over Finite Fields

Polynomials over finite fields form an important class of finite rings which is heavily used in cryptography. We start by recalling some background helpful when working with polynomials.

Definition 1

([13]). Let $f\left(x\right)={\sum }_{i=0}^n{a}_i{x}^i$ be a non-zero polynomial of degree n over an arbitrary field $GF\left(q\right)$, q being a prime. Then $a_n$ is said to be the $leading$ $coefficient$ of $f\left(x\right)$ and $a_0$ is the $constant$ $term$.

In fact, the polynomials we consider belong to the field F of $q^{d+1}$ elements, d being an arbitrary positive integer. To define F, we need to consider an irreducible polynomial $Q\in GF\left(q\right)\left[x\right]$ of degree $d+1$ and set $F=GF\left(q\right)\left[x\right]/\left(Q\right(x\left)\right)$. Therefore, the protocol uses the operations (addition and multiplication) of the field F. In the sequel, we use indifferently the notations P or $P\left(x\right)$ as an element of the field.

3. The Scheme

In this section, we present a secret sharing scheme based on operations in the field F. The secret space and the sharing space are both equal to $GF{\left(q^{d+1}\right)}^{\ast }$, the non-zero polynomials of degree d over $GF\left(q\right).$

The secret, denoted s, is a polynomial of degree d over $GF\left(q\right)$, and as a polynomial, it can also be denoted $s\left(x\right)$. The protocol uses a trusted dealer T to deliver the shares of the secret s to the m participants.

The setup is as follows:

• The shares, denoted $P_i\left(x\right)$, are randomly chosen by T.
• T chooses a primitive irreducible polynomial Q of degree $d+1$, then computes the product of the m shares modulo $Q\left(x\right)$:

  $$P\left(x\right)=\prod _{i=1}^m{P}_i\left(x\right)modQ\left(x\right).$$
  Thus, $P\left(x\right)$ is of degree $\le d.$
• T computes the polynomial $D\left(x\right)$ such that $D\left(x\right)=s\left(x\right)-P\left(x\right)$ and makes public $Q\left(x\right)$ and $D\left(x\right)$.
• The dealer sends the share $P_i\left(x\right)$, using a channel which preserves confidentiality, to user i for $(1\le i\le m).$

The reconstruction phase is as follows:

The m users pool their shares to compute $P\left(x\right)={\prod }_{i=1}^m{P}_i\left(x\right)modQ\left(x\right)$ then $s\left(x\right)=D\left(x\right)+P\left(x\right).$

Example 1.

Suppose that $q=2$, $d=2$, $m=3$, $Q\left(x\right)=x^3+x+1,$ and $F=GF\left(2\right)\left[x\right]/\left(Q\right(x\left)\right)$. Take the shares as

$$P_1\left(x\right)=x^2+1,P_2\left(x\right)=x^2+x+1,P_3\left(x\right)=x^2+x$$

and the secret as $s\left(x\right)=x^2+x+1.$

The dealer T calculates $P\left(x\right)$ in the field F.

$$P\left(x\right)=\prod _{i=1}^3{P}_i\left(x\right)=P_1\left(x\right).P_2\left(x\right).P_3\left(x\right)$$

$$=x^6+x^4+x^3+x$$

$$=x.$$

Then T makes public $D\left(x\right)=s\left(x\right)+P\left(x\right).$ Please note that the characteristic of the field is 2, hence subtraction and addition are the same. The calculation of $D\left(x\right)$ in this example gives

$$D\left(x\right)=(x^2+x+1)+\left(x\right)$$

$$D\left(x\right)=x^2+1.$$

The reconstruction phase is as follows. The m participants pool their shares to obtain $P\left(x\right)$, and then add the public value $D\left(x\right)$

$$s\left(x\right)=P\left(x\right)+D\left(x\right)$$

$$s\left(x\right)=x^2+x+1.$$

Example 2.

Suppose that $q=3,$ $d=3$, $m=4$, $Q\left(x\right)=x^4+2\ast x^3+2,$ and $F=GF\left(3\right)\left[x\right]/\left(Q\right(x\left)\right)$. Take the shares as

$$P_1\left(x\right)=x^3+2x^2,P_2\left(x\right)=x^3+x+1,$$

$$P_3\left(x\right)=x^3+2x,P_4\left(x\right)=x^3+x^2+2$$

and the secret $s\left(x\right)=x^3+x^2+1.$

$$P\left(x\right)=\prod _{i=1}^4{P}_i\left(x\right)=P_1\left(x\right).P_2\left(x\right).P_3\left(x\right).P_4\left(x\right)$$

$$=x^{12}+2x^{10}+x^7+2x^3=1$$

The dealer makes public

$$D\left(x\right)=s\left(x\right)-P\left(x\right)$$

$$=(x^3+x^2+1)-1$$

$$=x^3+x^2.$$

The reconstruction phase gives

$$s\left(x\right)=P\left(x\right)+D\left(x\right)$$

$$=x^3+x^2+1.$$

Properties and Security

In a secret sharing scheme, a large number of participants may increase the security. We can explain this situation using the information rate $\rho$ [14]. This parameter is an important parameter determining the security and the efficiency of a secret sharing scheme.

Proposition 1.

The size of the secret is ${log}_q(q^{d+1}-1)$.

Proof. 

The secret space consists of the non-zero polynomials of degree d over $GF\left(q\right)$ and the number of these polynomials is $q^{d+1}-1.$ Therefore, the secret can be written using $d+1$ elements of ${\mathbb{F}}_q$. □

In our scheme, the size of a share is exactly equal to the size of the secret. The information rate is

$$\rho =\frac{{log}_q(q^{d+1}-1)}{{log}_q(q^{d+1}-1)}=1.$$

We recall that if the size of the shares of all participants are less than or equal to the size of the secret, then the secret sharing scheme is said to be ideal [15]. Therefore, we have the following theorem:

Theorem 1.

The constructed scheme is ideal.

For the property of perfect privacy, we have to show [16] that every rejected set cannot learn anything about the secret (in the information theoretic sense) from their shares. In terms of entropy function, it means that the entropy of the secret knowing the shares of any rejected set is equal to the entropy of the secret. In fact, the security of our scheme relies on the equation $s\left(x\right)=D\left(x\right)+P\left(x\right)$. Since $P\left(x\right)$ is a product of random polynomials, it can also be considered to be random. Moreover, $s,D$ and P are of same size. This equation is therefore the same as the one of One Time Pad which has a perfect secrecy. It means that knowing D, an adversary cannot know any information about the secret. Moreover, an adversary who knows strictly less than m shares gets no information about the secret.

So this scheme has the property of perfect privacy [15] and it has a secure access structure. Moreover, the scheme is robust against passive adversaries. It means that if all the participants follow the protocol honestly, no attacker can retrieve the secret with a probability greater than $1/(q^{d+1}-1)$. Indeed, suppose that $m-1$ users collude, pool their shares, and try to guess the share of order m picking a random element of $F^{\ast }$. The probability of success of such an attack is $\frac{1}{(q^{d+1}-1)}$. More generally if r users with $r<m-1$ try to mount an attack, with less information than $m-1$ users, the probability of success of that attack will be strictly less than the above quantity.

Remark 1.

This scheme is not a $(m,m)$—threshold secret sharing scheme since the factorization in the field is not unique. Suppose, for example, that a share is equal to the product of all the shares. In this case, this share is theoretically able to recover the secret. This fact means that there is no predefined threshold to recover the secret from the shares, but it does not affect the security of the scheme.

It is also easy to see that the scheme is not monotone since the authorized coalition is unique.

4. Conclusions

In this paper, we have studied a new secret sharing scheme based on polynomial multiplications over $GF\left(q\right).$ We have determined its access structure and computed its information rate. Our scheme is ideal and secure against passive attacks. Our scheme could be used in embedded systems because multiplications in a field are easily optimized and therefore the computational costs are lower than schemes using interpolation.