Revisiting group oriented secret sharing schemes
Introduction
Threshold secret sharing schemes were independently introduced by Shamir [1] and Blakley [2]. In a threshold scheme, a dealer D can split her secret s into n shares and send each share privately to a user (also called a participant or shareholder), for . The basic security requirement for (unconditionally secure) threshold schemes is that any t or more users can reconstruct the original secret s by putting their shares together, while fewer than t shares reveal no information about s. In addition to Shamir’s polynomial-based construction and Blakley’s geometry-based construction, Asmuth and Bloom [3] proposed an unconditionally secure threshold scheme based on the Chinese Remainder Theorem (CRT). By unconditional security we mean security in the information-theoretic sense, which holds even against adversaries with unlimited computing resources.
Secret sharing schemes have many applications in cryptography, such as threshold cryptography [4], secure multi-party computation [5], [6] and secure data storage [7], to mention a few. Harn [8] pointed out a limitation in the original model of threshold schemes: they typically assume that, at the reconstruction phase, all participants are authenticated shareholders. Thus, one cannot prevent an unauthenticated outsider, who holds no valid share, from obtaining the shared secret s. Consider a situation where m participants join the reconstruction phase with , and one of the m participants is an outsider adversary, i.e., an unauthenticated user with no valid share. The adversary can still obtain the secret s, since she sees authentic shares during the reconstruction phase. Various models of secret sharing protect traditional secret sharing under different adversarial environments, for example verifiable secret sharing [9], [10], threshold changeable secret sharing [11], [12] and cheater identifiable secret sharing [13]. Although these variants can in fact deal with the problem of an unauthenticated outsider adversary, they are designed against more powerful adversaries and are therefore heavy in computation and communication cost. To address the issue of unauthenticated users in secret sharing schemes, Harn proposed the notion of a secure secret reconstruction scheme. In Harn’s secure secret reconstruction scheme [8], an outside adversary with no valid share cannot obtain the secret s, even if more than t authentic shares are present in the reconstruction phase. Unfortunately, Harn’s scheme was proved to be insecure [14].
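The limitation above, illustrated with plain Shamir sharing over GF(p) as an added example (this code is not from the paper or from the schemes it analyzes; the prime modulus, the secret, the participant count and the outsider's bogus point are constructed, and the function names are mine):

```python
import secrets

P = 2**127 - 1  # constructed prime modulus (any prime larger than n and s works)

def share(s, t, n, p=P):
    """Dealer D: pick a random degree-(t-1) polynomial f over GF(p) with
    f(0) = s; participant i (1 <= i <= n) privately receives (i, f(i))."""
    coeffs = [s % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    def f(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
    return [(i, f(i)) for i in range(1, n + 1)]

def reconstruct(points, p=P):
    """Lagrange interpolation at x = 0 through the supplied points. With t
    authentic shares this is exactly s; with t-1 shares the result is
    independent of s (every candidate secret fits t-1 points equally well)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for k, (xk, _) in enumerate(points):
            if k != j:
                num = num * (-xk) % p
                den = den * (xj - xk) % p
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

def reconstruction_phase(honest_shares, bogus_share, t):
    """Models the reconstruction phase in Harn's observation: the honest
    participants broadcast their shares and one extra party, the outsider,
    contributes a bogus point. Plain Shamir has no share verification, so
      - the outsider, who sees every broadcast point, interpolates any t
        honest shares and recovers s like a legitimate shareholder;
      - a party that happens to include the bogus point among its t points
        obtains a wrong value and has no way to notice.
    Returns (outsider_result, polluted_result)."""
    outsider_result = reconstruct(honest_shares[:t])
    polluted_result = reconstruct([bogus_share] + honest_shares[:t - 1])
    return outsider_result, polluted_result
```

Run with, e.g., `shares = share(12345, 3, 5)` and `reconstruction_phase(shares, (6, 42), 3)`: the first component equals the secret, the second is a random field element.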
Later, Miao et al. [15], [16] proposed a notion called Group Oriented Secret Sharing (GOSS). GOSS has the group oriented property that the secret can be reconstructed only if all m participants provide valid shares at the reconstruction phase; thus, unauthenticated users cannot obtain the secret. Besides protecting the secret from unauthenticated users, secure secret reconstruction schemes and GOSS can also be applied to group authentication. In a group authentication scheme, a set of group members mutually authenticate each other efficiently without resorting to pairwise authentication or to a central server. Harn [17] constructed a group authentication scheme based on his secure secret reconstruction protocol. However, as stated above, due to the security vulnerability in Harn’s secure secret reconstruction, the resulting group authentication scheme is insecure [14], [18] against an impersonation adversary. In fact, due to the limited understanding of the security of GOSS, many group authentication schemes [17], [18], [19], [20] have security loopholes [21], [22] in their design.
Hence, in this work we analyze the theoretical and practical security of two concrete constructions for GOSS, one [15] based on Shamir’s scheme and the other [16] based on the Asmuth-Bloom scheme. We refer to the two GOSS schemes as polynomial-based GOSS and CRT-based GOSS, respectively. Put simply, the two GOSS schemes use randomized components (RCs) in the reconstruction phase, which are the original shares masked with some random value, so that the secret s can only be reconstructed if all RCs are correct. The GOSS schemes are claimed to guarantee the group oriented property in the unconditional security setting. Moreover, both schemes claim that the RC hides the share in such a way that a shareholder can use her share more than once to construct different RCs without exposing it. Note that we only consider an outside adversary in this paper, for two reasons. Firstly, the usual threshold privacy requirement of secret sharing schemes is satisfied by the two GOSS schemes, since this property follows essentially from the Shamir threshold scheme and the Asmuth-Bloom scheme, respectively. Secondly, it is easier for an inside adversary to break the group oriented property than for an outside adversary.
In this paper, we analyze the security of the GOSS schemes of Miao et al. [15], [16] and show that they do not satisfy the group oriented property required of GOSS schemes. Note that the original schemes are claimed to be unconditionally secure with share reuse. Our analysis, however, shows that the schemes are vulnerable against an unauthenticated adversary even in the one-time setting. Precisely, this paper makes the following contributions:
1. We review the polynomial-based GOSS scheme [15] and show that this scheme does not guarantee the group oriented property. Specifically, we propose an attack which allows an outside adversary with no valid share to obtain the shared secret, provided that she observes t or more honest RCs in the secret reconstruction phase. Interestingly, we can model the problem of recovering the secret after seeing RCs as solving a variant of the Learning With Errors (LWE) problem. This observation immediately disproves the claimed unconditional security of the GOSS scheme, since solving the LWE problem is only assumed to be computationally hard [23]. To the best of our knowledge, we are the first to model an attack on a GOSS scheme as solving an LWE instance.
2. Using known results on the hardness of LWE, we analyze how the choice of parameters in the polynomial-based GOSS affects the effectiveness of our attack. We further prove that, under certain conditions, the adversary obtains the shared secret s with extremely high probability.
3. We review the CRT-based GOSS scheme [16] and show that this scheme does not guarantee the group oriented property either. Specifically, we propose an attack which allows an outside adversary with no valid share to obtain the shared secret, provided that she gets more than t RCs in the secret reconstruction phase. We also prove that, under certain conditions, the adversary obtains the shared secret with extremely high probability.
4. We implement our attacks to verify their effectiveness. The experiments show that when the adversary observes t honest shares in the reconstruction phase, her probability of successfully obtaining the shared secret s is about 85% for polynomial-based GOSS and 37% for CRT-based GOSS, respectively. Moreover, this probability increases quickly with the number of honest RCs the adversary can obtain. For example, when , the adversary’s success probability for both polynomial-based GOSS and CRT-based GOSS increases to about 99% when she can see 8 honest RCs.
Preliminaries
We first introduce some notation. All logarithms (denoted ) throughout this paper are to the base 2. Column vectors are used throughout this paper unless stated otherwise. We say that a function is negligible in n if it decreases faster than any inverse polynomial in n; formally, there exists an integer N such that for all . Denote the set of all positive integers less than or equal to n. We use the expression to denote
Miao et al.’s GOSS Schemes
An unauthenticated outside adversary can join the reconstruction phase of a secret sharing scheme and obtain the secret from honest shares. In order to deal with this problem, Miao et al. proposed the notion of GOSS scheme. In this section, we first introduce the syntax and properties of GOSS and then review two concrete constructions.
Cryptanalysis of Polynomial-based GOSS Scheme
In this section, we present a detailed cryptanalysis of the polynomial-based GOSS scheme [15]. The polynomial-based GOSS scheme is claimed to be unconditionally secure with respect to the group oriented property.
Claim 1 (Theorem 2 of Miao et al. [15]). Suppose there are m () participants collaborating to reconstruct the secret s in the GOSS scheme. Let the RCs of the m participants be . Suppose the unauthenticated adversary knows a subset of k RCs among the . Then there exists an integer
Cryptanalysis of CRT-Based GOSS Scheme
The CRT-based GOSS scheme proposed by Miao et al. [16] has the group oriented property as stated in Claim 2.
Claim 2 (Theorem 2 of Miao et al. [16]). Suppose there are m () participants collaborating to reconstruct the secret s in the CRT-based GOSS scheme. Let the RCs of the m participants be . Suppose the unauthenticated adversary knows a subset of k RCs among the . Then for any positive number , we have for sufficiently large modulus , where is
Experimental Results
In this section we provide experimental results on our attack methods against the polynomial-based GOSS scheme and the CRT-based GOSS scheme. All our attacks are implemented as SageMath [31] scripts, and the code is freely available online. Since our Theorem 1 and Theorem 2 prove that the two GOSS schemes are not information-theoretically secure, and we consider a computationally unbounded adversary, we illustrate our attacks on small parameters.
Conclusion
The original definition of a threshold secret sharing scheme does not prevent an outside adversary, who has no share but participates in the reconstruction phase, from obtaining the shared secret. Although this problem can be resolved simply by user authentication, the overhead would be . Thus, researchers proposed the notion of group oriented secret sharing, which tries to capture the issue of unauthenticated users in threshold schemes. Basically, the group oriented property guarantees
CRediT authorship contribution statement
Rui Xu: Conceptualization, Methodology, Software, Validation, Writing - original draft, Writing - review & editing, Funding acquisition. Xu Wang: Methodology, Validation, Visualization. Kirill Morozov: Conceptualization, Validation, Writing - review & editing. Chi Cheng: Conceptualization, Validation, Writing - review & editing, Funding acquisition. Jintai Ding: Methodology, Validation.
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgment
The work presented in this paper was supported in part by the National Natural Science Foundation of China under Grant No. 61802354 and 62172374, and by the Open Research Project of The Hubei Key Laboratory of Intelligent Geo-Information Processing under Grant No. KLIGIP 2021B07. We highly appreciate the anonymous reviewers for their critical assessment of and helpful comments on our work, which helped us improve the quality of this article.
References
- Reversible data hiding based on Shamir's secret sharing for color images over cloud, Information Sciences (2018).
- A verifiable threshold secret sharing scheme based on lattices, Information Sciences (2019).
- A new threshold changeable secret sharing scheme based on the Chinese Remainder Theorem, Information Sciences (2019).
- How to share a secret, Communications of the ACM (1979).
- Safeguarding cryptographic keys.
- A modular approach to key safeguarding, IEEE Transactions on Information Theory (1983).
- Threshold cryptography, European Transactions on Telecommunications (1994).
- T. Rabin, M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority, in: Proceedings of the...
- General secure multi-party computation from any linear secret-sharing scheme.
- Secure secret reconstruction and multi-secret sharing schemes with unconditional security, Security and Communication Networks (2014).
- Changing thresholds in the absence of secure channels.
- Cheater identifiable secret sharing schemes via multi-receiver authentication.
- Linear subspace cryptanalysis of Harn's secret sharing-based group authentication scheme, IEEE Transactions on Information Forensics and Security.
- Randomized component and its application to (t, m, n)-group oriented secret sharing, IEEE Transactions on Information Forensics and Security.
- A (t, m, n)-group oriented secret sharing scheme, Chinese Journal of Electronics.
- Group authentication, IEEE Transactions on Computers.