Abstract
Hierarchical secret sharing schemes distribute a message to a set of shareholders with different reconstruction capabilities. In distributed storage systems, this is an important property because it allows one to grant more reconstruction capability to better performing storage servers and less to weaker ones. In particular, Tassa’s conjunctive and disjunctive hierarchical secret sharing schemes are based on Birkhoff interpolation and perform as well as Shamir’s threshold secret sharing scheme. Thus, they are promising candidates for distributed storage systems. A key requirement is the possibility to perform function evaluations over shared data. However, practical algorithms supporting this have not yet been provided for hierarchical secret sharing schemes. Aiming at closing this gap, in this work we show how additions and multiplications of shares can be practically computed using Tassa’s conjunctive and disjunctive hierarchical secret sharing schemes. Furthermore, we provide auditing procedures for operations on hierarchically shared messages, which allow one to verify that functions on the shares have been performed correctly. We close this work with an evaluation of the correctness, security, and efficiency of the protocols we propose.
Notes
1. Note that this is different from the notion of fully dynamic secret sharing discussed in [5], where one scheme supports different access structures for different secrets.
2. For a formal definition of bilinear maps we refer to [6].
3. For conjunctive (disjunctive) hierarchical secret sharing schemes the interpolation vector is composed of the entries \(w_l:=(-1)^{l-1} \frac{\det (A_{l-1,0}(E,X,\varphi ))}{\det (A(E,X,\varphi ))} \quad \big (w_l:=(-1)^{l+t-2} \frac{\det (A_{l-1,t-1}(E,X,\varphi ))}{\det (A(E,X,\varphi ))}\big )\) according to the notation of Sect. 3.
4. Here the definition of bilinear maps is used.
References
Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34
Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20901-7_2
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988 (1988)
Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference (1979)
Blundo, C., Cresti, A., De Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_10
Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13
Brickell, E.F.: Some ideal secret sharing schemes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 468–475. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_45
Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC 1988 (1988)
Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: FOCS (1985)
Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_22
Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_32
Desmedt, Y., Jajodia, S.: Redistributing secret shares to new access structures and its applications. Technical report ISSE TR-97-01, George Mason University (1997)
Doganay, M.C., Pedersen, T.B., Saygin, Y., Savas, E., Levi, A.: Distributed privacy preserving k-means clustering with additive secret sharing. In: PAIS (2008)
Farràs, O., Padró, C.: Ideal hierarchical secret sharing schemes. In: TCC (2010)
Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science (1987)
Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: PODC 1998 (1998)
Ghodosi, H., Pieprzyk, J., Safavi-Naini, R.: Secret sharing in multilevel and compartmented groups. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 367–378. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0053748
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 1987 (1987)
Gupta, V., Gopinath, K.: \({\rm G}_{\rm its}^{2}\) VSR: an information theoretical secure verifiable secret redistribution protocol for long-term archival storage. In: SISW 2007 (2007)
Heather, J., Lundin, D.: The append-only web bulletin board. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 242–256. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01465-9_16
Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_27
Käsper, E., Nikov, V., Nikova, S.: Strongly multiplicative hierarchical threshold secret sharing. In: Desmedt, Y. (ed.) ICITS 2007. LNCS, vol. 4883, pp. 148–168. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10230-1_13
Loruenser, T., Happe, A., Slamanig, D.: ARCHISTAR: towards secure and robust cloud based data sharing. In: CloudCom 2015 (2015)
Nojoumian, M., Stinson, D.R.: Social secret sharing in cloud computing using a new trust function. In: PST 2012 (2012)
Nojoumian, M., Stinson, D.R., Grainger, M.: Unconditionally secure social secret sharing scheme. Inf. Secur. IET 4, 202–211 (2010)
Pakniat, N., Eslami, Z., Nojoumian, M.: Ideal social secret sharing using Birkhoff interpolation method. IACR 2014 (2014)
Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9
Schabhüser, L., Demirel, D., Buchmann, J.A.: An unconditionally hiding auditing procedure for computations over distributed data. In: CNS 2016 (2016)
Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)
Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_30
Tassa, T.: Hierarchical threshold secret sharing. J. Cryptology 20, 237–264 (2007)
Traverso, G., Demirel, D., Buchmann, J.: Dynamic and verifiable hierarchical secret sharing. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 24–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_2
Traverso, G., Demirel, D., Habib, S.M., Buchmann, J.A.: As\({}^{\text{3}}\): adaptive social secret sharing for distributed storage systems. In: PST 2016 (2016)
Acknowledgments
The authors thank Lucas Schabhüser and Denis Butin for useful discussions. This work was in part funded by the European Commission through grant agreement no. 644962 (PRISMACLOUD). Furthermore, it received funding from the DFG as part of project S6 within the CRC 1119 CROSSING.
Appendix
A Computation of Shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\)
Algorithm \(\mathsf {RandShares}\) computes random shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) reconstructing to messages \(\alpha , \beta \), respectively. It is the first step of algorithm \(\mathsf {PreMult}\) of Sect. 5. We present \(\mathsf {RandShares}\) to compute shares \(\sigma _{i,j}(\alpha )\) for \(\alpha \), but it can be run analogously to generate shares \(\sigma _{i,j}(\beta )\) for \(\beta \).
\(\mathsf {RandShares}.\) The algorithm takes as input values \(\alpha _{i,j} \in \mathbb {F}_q\) chosen uniformly at random by shareholders \(s_{i,j} \in S\). It outputs shares \(\sigma _{i,j}(\alpha )\) of message \(\alpha \in \mathbb {F}_q\) for shareholders \(s_{i,j} \in S\). To do that, each shareholder \(s_{i,j} \in S\) has to perform the following steps.
(1) It chooses a secret message \(\alpha _{i,j} \in \mathbb {F}_q\) uniformly at random.
(2) It runs algorithm \(\mathsf {Share}\) to generate a polynomial \(f_{\alpha _{i,j}}(x)\) of degree \(t-1\) defined as \(f_{\alpha _{i,j}}(x):= a_{0,(i,j)} + a_{1,(i,j)}x +\dots + a_{t-1,(i,j)}x^{t-1}\), where \(a_{0,(i,j)}= \alpha _{i,j}\) (\(a_{t-1,(i,j)}=\alpha _{i,j}\)) and the coefficients \(a_{1,(i,j)}, \dots , a_{t-1,(i,j)} \in \mathbb {F}_q\) (\(a_{0,(i,j)}, \dots , a_{t-2,(i,j)} \in \mathbb {F}_q\)) are chosen uniformly at random. Shares \(\sigma _{i',j'}(\alpha _{i,j})\) for shareholders \(s_{i',j'} \in S\) with ID \((i',j') \ne (i,j)\) are computed as \(\sigma _{i',j'}(\alpha _{i,j}):=f_{\alpha _{i,j}}^{j'}(i')\), i.e. the \(j'\)-th derivative of \(f_{\alpha _{i,j}}\) evaluated at \(i'\). The share \(\sigma _{i,j}(\alpha _{i,j})\) for shareholder \(s_{i,j}\) itself is computed as \(\sigma _{i,j}(\alpha _{i,j}):=f_{\alpha _{i,j}}^{j}(i)\).
(3) It sends the shares \(\sigma _{i',j'}(\alpha _{i,j})\) to the shareholders \(s_{i',j'} \in S\) with ID \((i',j') \ne (i,j)\) over a private channel and keeps the share \(\sigma _{i,j}(\alpha _{i,j})\).
(4) It runs algorithm \(\mathsf {Linear}\) of Sect. 4.2 to compute its share \(\sigma _{i,j}(\alpha )\) from its own share \(\sigma _{i,j}(\alpha _{i,j})\) and all the shares \(\sigma _{i,j}(\alpha _{i',j'})\) received from the shareholders \(s_{i',j'}\), as \(\sigma _{i,j}(\alpha ):= \sum _{(i',j') \ne (i,j)} \sigma _{i,j}(\alpha _{i',j'}) + \sigma _{i,j}(\alpha _{i,j})\).
In the following, we prove correctness of algorithm \(\mathsf {RandShares}\) and we show that perfect secrecy, according to Definition 1, is provided.
Theorem 4
The algorithm \(\mathsf {RandShares}\) for conjunctive (disjunctive) hierarchical secret sharing introduced above computes the shares \(\sigma _{i,j}(\alpha )\) correctly. More precisely, on input random secret messages \(\alpha _{i,j}\), the shares computed by algorithm \(\mathsf {RandShares}\) reconstruct to a common value \(\alpha \). Furthermore, perfect secrecy, according to Definition 1, is maintained while performing \(\mathsf {RandShares}\).
Proof
Let \(\sigma _{i,j}(\alpha ) \in \mathbb {F}_q\) be the shares computed using algorithm \(\mathsf {RandShares}\) and held by the shareholders \(s_{i,j} \in R\), where \(R \in \varGamma \) is an authorized set. To prove correctness, we have to show that algorithm \(\mathsf {Reconstruct}\) outputs the message \(\alpha \) when it takes as input the shares \(\sigma _{i,j}(\alpha )\) held by the shareholders of an authorized set R. That is, correctness holds provided that algorithm \(\mathsf {Reconstruct}\) can be successfully run by the shareholders of any authorized set. This is implied by the correctness of algorithm \(\mathsf {Linear}\), presented in Sect. 4.2. In fact, each share \(\sigma _{i,j}(\alpha )\) is computed as the sum of the shares \(\sigma _{i,j}(\alpha _{i',j'})\) and the share \(\sigma _{i,j}(\alpha _{i,j})\). Thus, by the linearity of polynomial evaluation and differentiation, each share \(\sigma _{i,j}(\alpha )\) is either a point on the polynomial \(f_{\alpha }(x):= a_{0,\alpha } + a_{1, \alpha }x + \dots + a_{t-1,\alpha }x^{t-1}= \sum _{(i,j)} f_{\alpha _{i,j}}(x)\) or a point on one of its derivatives, where \(a_{0,\alpha }= \sum _{(i,j)} \alpha _{i,j}\) (\(a_{t-1,\alpha }= \sum _{(i,j)} \alpha _{i,j}\)). Because of the underlying conjunctive (disjunctive) hierarchical secret sharing scheme, any authorized set R of shareholders can run algorithm \(\mathsf {Reconstruct}\) over their shares and retrieve the message \(\alpha := \sum _{(i,j)} \alpha _{i,j}\). This proves correctness. With respect to perfect secrecy, the underlying conjunctive (disjunctive) hierarchical secret sharing scheme guarantees that each \(\alpha _{i,j}\) is shared without leaking information about it to unauthorized sets, and the shares \(\sigma _{i,j}(\alpha )\) are obtained from these shares by local additions only. This implies that unauthorized sets of shareholders not only cannot successfully run algorithm \(\mathsf {Reconstruct}\) to retrieve \(\alpha \), but also gain no information about it.
B Computation of Commitments \(c_{k,\alpha }, c_{k,\beta }\)
In this section, algorithm \(\mathsf {Audit.RandShares}\) is presented, which computes commitments \(c_{k,\alpha }, c_{k,\beta }\) to the coefficients of the polynomials sharing the messages \(\alpha , \beta \), respectively. Algorithm \(\mathsf {Audit.RandShares}\) constitutes the first step of algorithm \(\mathsf {Audit.PreMult}\) of Sect. 6.1. More precisely, the commitments \(c_{k,\alpha }, c_{k,\beta }\), for \(k=0, \dots , t-1\), are used to check the validity of the terms \(\delta _{l,i,j}\) and \(\varepsilon _{l,i,j}\) in the computation of the shares \(\sigma _{i,j}(\alpha \beta )\). Note that the commitments \(c_{k,\alpha }, c_{k,\beta }\) can be correctly computed only if an auditing procedure verifying the validity of the shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) of the shareholders \(s_{i,j}\) has been performed, where the shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) are the output of algorithm \(\mathsf {RandShares}\) of Appendix A. For consistency with algorithm \(\mathsf {Audit.PreMult}\), Feldman commitments are used. The algorithm can easily be adapted to Pedersen commitments; note that Feldman commitments are only computationally hiding (under the discrete logarithm assumption), whereas Pedersen commitments are unconditionally hiding. In the following, we present algorithm \(\mathsf {Audit.RandShares}\) to compute the commitments \(c_{k,\alpha }\), for \(k=0, \dots , t-1\). Algorithm \(\mathsf {Audit.RandShares}\) can be run analogously to generate the commitments \(c_{k,\beta }\), for \(k=0, \dots , t-1\).
\(\mathsf {Audit.RandShares}.\) The algorithm is run by an auditor to verify that the shares \(\sigma _{i,j}(\alpha )\) were computed correctly. This is performed in the following steps.
(1) Each shareholder \(s_{i,j} \in S\) that runs algorithm \(\mathsf {Share}\) to share its secret message \(\alpha _{i,j} \in \mathbb {F}_q\) among all other shareholders \(s_{i',j'} \in S\), \((i',j') \ne (i,j)\), calls algorithm \(\mathsf {Commit.Share}\) and computes the commitments \(c_{k,\alpha _{i,j}}:= g^{a_{k,(i,j)}} \mod p\) to the coefficients \(a_{k,(i,j)}\) of polynomial \(f_{\alpha _{i,j}}(x)\), for \(k=0, \dots , t-1\). It publishes the commitments on the bulletin board.
(2) Each shareholder \(s_{i,j} \in S\) holds a valid input \(\sigma _{i,j}(\alpha _{i',j'})\), for \((i',j') \ne (i,j)\), for the computation of its share \(\sigma _{i,j}(\alpha )\) if and only if
$$ g^{\sigma _{i,j}(\alpha _{i',j'})}\equiv \prod _{k=j}^{t-1}{c_{k,\alpha _{i',j'}}}^{\frac{k!}{(k-j)!}{i}^{k-j}} = g^{f_{\alpha _{i',j'}}^{j}(i)} \pmod p, $$
where the exponents \(\frac{k!}{(k-j)!}i^{k-j}\) are the coefficients of the j-th derivative of \(f_{\alpha _{i',j'}}\) evaluated at i. It performs this check for every received share. If the equality is not satisfied for some share, it outputs ‘0’ and aborts. Otherwise, it publishes ‘1’ on the bulletin board and Step (3) can be performed.
(3) The auditor uses the commitments \(c_{k,\alpha _{i,j}} \) published by the shareholders \(s_{i,j} \in S\) on the bulletin board to compute the commitments \(c_{k,\alpha }:= \prod _{(i,j)} c_{k,\alpha _{i,j}},\) for \(k=0, \dots , t-1\). It publishes the commitments on the bulletin board.
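The following is an added, self-contained example and not code from the paper: it puts Appendix A (\(\mathsf {RandShares}\): every shareholder contributes a random value, shares are summed locally, the sum is reconstructed by Birkhoff interpolation) and Appendix B (Feldman commitments to the coefficients, the derivative-share check of Step (2), and the product of commitments of Step (3)) into one runnable toy. It follows the appendix convention that a shareholder with ID \((i,j)\) holds \(f^{(j)}(i)\), the j-th derivative at point i. Everything else is an assumption made for illustration: the field \(\mathbb {F}_q\) with \(q=1019\), the safe prime \(p=2q+1=2039\) and generator \(g=4\) of the order-q subgroup, the five constructed IDs \((1,0),(2,0),(3,1),(4,1),(5,2)\) and \(t=3\). Which sets are authorized is decided here purely by whether their Birkhoff matrix is non-singular over \(\mathbb {F}_q\); a real Tassa deployment uses a large field and the access-structure conditions of Sect. 3. These parameters are far too small to be secure.

```python
"""Added example (not the paper's code): toy conjunctive hierarchical secret
sharing with derivative shares f^{(j)}(i), the RandShares protocol of
Appendix A, Birkhoff reconstruction, and the Feldman checks of Appendix B.
All parameters below are constructed toy values, not secure choices."""
import secrets
from math import factorial

Q = 1019          # assumed toy prime for the share field F_q
P = 2 * Q + 1     # 2039, a safe prime: Z_P^* has a subgroup of prime order Q
G = 4             # 4 = 2^2 is a quadratic residue mod P, hence of order Q


def falling(k, j):
    """k!/(k-j)!, the factor the j-th derivative puts in front of a_k x^{k-j}."""
    return factorial(k) // factorial(k - j)


def deriv_eval(coeffs, j, x):
    """f^{(j)}(x) over F_Q for f(x) = sum_k coeffs[k] x^k: the share sigma_{x,j}."""
    return sum(c * falling(k, j) * pow(x, k - j, Q)
               for k, c in enumerate(coeffs) if k >= j) % Q


def share(secret, t, ids, rng=secrets.randbelow):
    """Conjunctive Share: a_0 = secret, a_1..a_{t-1} uniform in F_Q; ID (i, j)
    receives f^{(j)}(i).  Returns the dealer's coefficients and the shares."""
    coeffs = [secret % Q] + [rng(Q) for _ in range(t - 1)]
    return coeffs, {(i, j): deriv_eval(coeffs, j, i) for (i, j) in ids}


def birkhoff_matrix(ids, t):
    """Row (i, j) lists the coefficients of a_0..a_{t-1} inside f^{(j)}(i)."""
    return [[falling(k, j) * pow(i, k - j, Q) % Q if k >= j else 0
             for k in range(t)] for (i, j) in ids]


def solve_mod(mat, rhs):
    """Gauss-Jordan elimination over F_Q; None if the matrix is singular."""
    n = len(mat)
    aug = [row[:] + [b] for row, b in zip(mat, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % Q), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, Q)
        aug[col] = [v * inv % Q for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % Q for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def reconstruct(shares, t):
    """Reconstruct a_0 from exactly t shares {(i, j): sigma_{i,j}} by solving
    the Birkhoff system.  A set whose matrix is singular (e.g. nobody holds a
    plain f(i) value) is unauthorized and gets None instead of the secret."""
    ids = list(shares)
    if len(ids) != t:
        raise ValueError("this toy reconstructs from exactly t shares")
    sol = solve_mod(birkhoff_matrix(ids, t), [shares[x] for x in ids])
    return None if sol is None else sol[0]


def rand_shares(t, ids, rng=secrets.randbelow):
    """Appendix A, RandShares: every shareholder shares its own random
    alpha_{i,j} to all IDs, and each party adds up the sub-shares it holds
    (the Linear step).  Returns each contributor's coefficients (needed for
    its Feldman commitments), the final shares and alpha = sum alpha_{i,j}."""
    contributions, final = {}, {x: 0 for x in ids}
    for owner in ids:
        coeffs, sub = share(rng(Q), t, ids, rng)
        contributions[owner] = coeffs
        for x in ids:
            final[x] = (final[x] + sub[x]) % Q
    return contributions, final, sum(c[0] for c in contributions.values()) % Q


def commit(coeffs):
    """Commit.Share with Feldman commitments: c_k = g^{a_k} mod p."""
    return [pow(G, a, P) for a in coeffs]


def verify_share(commits, i, j, value):
    """Appendix B step (2): g^{sigma} == prod_{k>=j} c_k^{k!/(k-j)! i^{k-j}} mod p.
    Exponents are reduced mod Q, the order of g."""
    expected = 1
    for k in range(j, len(commits)):
        expected = expected * pow(commits[k], falling(k, j) * pow(i, k - j, Q) % Q, P) % P
    return pow(G, value, P) == expected


def combine_commits(all_commits):
    """Appendix B step (3): c_{k,alpha} = prod over contributors of c_{k,alpha_{i,j}}.
    Feldman commitments are homomorphic, so the result commits to the
    coefficients of f_alpha = sum f_{alpha_{i,j}} and also verifies the
    final shares sigma_{i,j}(alpha)."""
    t = len(next(iter(all_commits.values())))
    out = []
    for k in range(t):
        c = 1
        for cs in all_commits.values():
            c = c * cs[k] % P
        out.append(c)
    return out


def run_protocol(t=3, ids=((1, 0), (2, 0), (3, 1), (4, 1), (5, 2))):
    """Full flow with the constructed IDs: RandShares, Feldman checks of every
    sub-share and of the final shares, reconstruction by {(1,0),(3,1),(5,2)},
    and a failed attempt by {(3,1),(4,1),(5,2)}, which lacks any f(i) value."""
    contributions, final, alpha = rand_shares(t, ids)
    commits = {o: commit(c) for o, c in contributions.items()}
    subshares_ok = all(verify_share(commits[o], i, j, deriv_eval(c, j, i))
                       for o, c in contributions.items() for (i, j) in ids)
    c_alpha = combine_commits(commits)
    finals_ok = all(verify_share(c_alpha, i, j, final[(i, j)]) for (i, j) in ids)
    good = reconstruct({x: final[x] for x in [(1, 0), (3, 1), (5, 2)]}, t)
    bad = reconstruct({x: final[x] for x in [(3, 1), (4, 1), (5, 2)]}, t)
    return {"alpha": alpha, "subshares_ok": subshares_ok, "finals_ok": finals_ok,
            "authorized": good, "unauthorized": bad}


if __name__ == "__main__":
    print(run_protocol())
```

Running `run_protocol()` returns `alpha` equal to the value recovered by the authorized set and `None` for the set without a level-0 share, with both commitment checks passing. Tampering with a single received sub-share makes `verify_share` fail, which is exactly the point at which Step (2) outputs ‘0’ and aborts; the combined commitments of Step (3) let the final shares be checked without any party revealing its \(\alpha _{i,j}\).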
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this paper
Traverso, G., Demirel, D., Buchmann, J. (2018). Performing Computations on Hierarchically Shared Secrets. In: Joux, A., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2018. Lecture Notes in Computer Science, vol 10831. Springer, Cham. https://doi.org/10.1007/978-3-319-89339-6_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-89338-9
Online ISBN: 978-3-319-89339-6