Elsevier

Information Sciences

Volume 589, April 2022, Pages 751-769
Revisiting group oriented secret sharing schemes

https://doi.org/10.1016/j.ins.2021.12.053

Abstract

In a (t,n) threshold scheme any t or more shares can reconstruct the secret s, but fewer than t shares reveal no information about s. However, an unauthenticated adversary can pretend to be a shareholder at the reconstruction stage. If there are more than t honest shareholders, an unauthenticated adversary without a valid share can obtain the secret. To deal with this type of attack, a model of (t,m,n) group oriented secret sharing (GOSS) scheme was proposed by Miao et al. in 2015. Here the group oriented property means that if m>t parties try to reconstruct the secret, they should all hold authentic shares in advance. Miao et al. claimed that the group oriented property of their GOSS schemes holds in the information-theoretic sense. In this paper, we revisit two instantiations of (t,m,n) group oriented secret sharing schemes and show that these constructions cannot provide the so-called “group oriented property”. Specifically, we develop concrete attacks which allow an unauthenticated adversary with no valid share to participate in the reconstruction phase and obtain the secret, provided that at least t honest shares are presented at the reconstruction phase.

Introduction

Threshold secret sharing schemes were independently introduced by Shamir [1] and Blakley [2]. In a (t,n) threshold scheme, a dealer D can split her secret s into n shares (s_1, …, s_n) and send each share s_i privately to a user (also called participant or shareholder) U_i, for i = 1, …, n. The basic security requirement for (unconditionally secure) threshold schemes is that any t or more users can reconstruct the original secret s by putting their shares together, while fewer than t shares reveal no information regarding s. In addition to Shamir’s polynomial-based construction and Blakley’s geometry-based construction, Asmuth and Bloom [3] also proposed an unconditionally secure threshold scheme based on the Chinese Remainder Theorem (CRT). When referring to unconditional security, we mean that it holds in an information-theoretic sense, even against adversaries with unlimited computing resources.

Secret sharing schemes have many applications in cryptography, such as threshold cryptography [4], secure multi-party computation [5], [6] and secure data storage [7], to mention a few. Harn [8] pointed out a limitation in the original model of threshold schemes. Namely, threshold schemes typically assume that at the reconstruction phase all participants are authenticated shareholders. Thus, one cannot prevent an unauthenticated outsider, who has no valid share, from obtaining the shared secret s. Let us consider a situation where m participants join the reconstruction phase with m ≥ t+1, while one of the m participants is an outsider adversary, i.e. an unauthenticated user with no valid share. The adversary can still obtain the secret s, since she sees m−1 ≥ t authentic shares during the reconstruction phase. There are various models of secret sharing which protect traditional secret sharing under different adversarial environments, for example verifiable secret sharing [9], [10], threshold changeable secret sharing [11], [12] and cheater identifiable secret sharing [13]. Although the above secret sharing variants can in fact deal with the problem of an unauthenticated outsider adversary, they are designed for more powerful adversaries and are thus heavy in computation and communication costs. Thus, in order to address the issue of unauthenticated users in secret sharing schemes, Harn proposed a notion called secure secret reconstruction scheme. In Harn’s secure secret reconstruction scheme [8], an outside adversary with no valid share cannot obtain the secret s, even if there are more than t authentic shares in the reconstruction phase. Unfortunately, Harn’s scheme was proved to be insecure [14].
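The following toy implementation of Shamir's (t,n) scheme over GF(p) is an added example, not code from the paper or from any of the cited works. It illustrates the three facts the two paragraphs above rely on: any t shares reconstruct s, any t−1 shares are consistent with every candidate secret (so they leak nothing), and an unauthenticated outsider who contributes nothing but watches m−1 ≥ t honest shares being revealed at reconstruction recovers s exactly as a shareholder would. The field size P = 101 and the demo parameters are constructed choices kept small so that the brute-force consistency count runs in seconds.

```python
"""Toy (t, n) Shamir threshold scheme over GF(p) (added example, not from the
paper). Demonstrates the unauthenticated-outsider problem in plain threshold
secret sharing: reconstruction authenticates nobody, so whoever observes t
honest shares learns the secret."""
import itertools
import secrets

P = 101  # small prime field (constructed choice) so brute-force enumeration stays tiny


def eval_poly(coeffs, x, p=P):
    """Horner evaluation of sum(coeffs[k] * x**k) mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share_secret(secret, t, n, p=P, rng=secrets.randbelow):
    """Dealer: random degree-(t-1) polynomial with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret % p] + [rng(p) for _ in range(t - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 through the given points (need exactly t of them)."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret


def outsider_view(honest_shares, t, p=P):
    """An unauthenticated party at the reconstruction phase contributes no share
    but sees every honest share that is revealed. With m-1 >= t of them she
    reconstructs s like a legitimate shareholder; with fewer she gets nothing."""
    if len(honest_shares) < t:
        return None
    return reconstruct(honest_shares[:t], p)


def secret_distribution(partial_shares, t, p=P):
    """Brute force over all p**t degree-(t-1) polynomials: for every candidate
    secret, count the polynomials that agree with the given t-1 shares. Every
    candidate gets the same count (exactly one), i.e. t-1 shares reveal nothing."""
    counts = {s: 0 for s in range(p)}
    for coeffs in itertools.product(range(p), repeat=t):
        if all(eval_poly(coeffs, x, p) == y for x, y in partial_shares):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    t, n, s = 3, 5, 42
    shares = share_secret(s, t, n)
    print("any t shares reconstruct s:", reconstruct(shares[:t]) == s)
    # A reconstruction run with m = t + 1 honest shareholders and one outsider:
    honest_revealed = shares[: t + 1]
    print("outsider with no share recovers s:", outsider_view(honest_revealed, t) == s)
    print("polynomials per candidate secret given t-1 shares:",
          set(secret_distribution(shares[: t - 1], t).values()))
```

The outsider function is the whole point: nothing in the reconstruction step checks who supplied a share, which is the gap the GOSS model, reviewed in the rest of the paper, sets out to close by masking shares with randomized components.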

Later, Miao et al. [15], [16] proposed a notion called (t,m,n) Group Oriented Secret Sharing (GOSS). GOSS has the group oriented property that the secret can be reconstructed only if all m (m>t) participants provide valid shares at the reconstruction phase. Thus, unauthenticated users cannot obtain the secret. Besides protecting the secret from unauthenticated users, secure secret reconstruction schemes or GOSS can also be applied in group authentication schemes. In group authentication schemes, a set of group members can mutually authenticate each other efficiently without relying on pairwise authentication or sending messages to a central server. Harn [17] constructed a (t,m,n) group authentication scheme based on his secure secret reconstruction protocol. However, as stated earlier, due to the security vulnerability in Harn’s secure secret reconstruction, the proposed (t,m,n) group authentication scheme is insecure [14], [18] against an impersonation adversary. In fact, due to limited understanding of the security of GOSS, many group authentication schemes [17], [18], [19], [20] have security loopholes [21], [22] in their design.

Hence, in this work we devote ourselves to analyzing the theoretical and practical security of two concrete constructions for (t,m,n) GOSS, one [15] based on Shamir’s scheme and the other [16] based on the Asmuth-Bloom scheme. We will refer to the two GOSS schemes as polynomial-based GOSS and CRT-based GOSS, respectively. Simply speaking, the two (t,m,n) GOSS schemes use randomized components (RCs) in the reconstruction phase, which are the original shares masked with some random value. Thus, the secret s can only be reconstructed if all RCs are correct. The GOSS scheme is claimed to guarantee the group oriented property in the unconditional security setting. Moreover, the two (t,m,n) GOSS schemes claim that the RC hides the share in such a way that the shareholder can employ her share more than once to construct different RCs without exposing the share. Note that we only consider an outside adversary in this paper, for two reasons. Firstly, the usual requirement of threshold privacy in secret sharing schemes is satisfied by the two GOSS schemes, since this property follows essentially from the Shamir threshold scheme and the Asmuth-Bloom scheme, respectively. Secondly, it is easier for an inside adversary to break the group oriented property than for an outside adversary.

In this paper, we analyze the security of the (t,m,n) GOSS schemes of Miao et al. [15], [16] and show that these schemes do not satisfy the group oriented property required of GOSS schemes. Note that the original schemes are claimed to be unconditionally secure with share reuse. However, our analysis shows that the schemes are vulnerable to an unauthenticated adversary even in the one-time sense. Precisely, this paper makes the following contributions:

  1. We review the polynomial-based (t,m,n) GOSS scheme [15] and show that this scheme does not guarantee the group oriented property. Specifically, we propose an attack which allows an outside adversary with no valid share to obtain the shared secret provided that she observes t or more honest RCs in the secret reconstruction phase. Interestingly, we can model the problem of recovering the secret after seeing m−1 RCs as solving a variant of the Learning With Errors (LWE) problem. This observation immediately disproves the claimed unconditional security of the (t,m,n) GOSS scheme, since solving the LWE problem is assumed to be computationally hard [23]. To the best of our knowledge, we are the first to model attacking a GOSS scheme as solving an LWE instance.

  2. By employing knowledge on the hardness of LWE, we analyze the impact of the parameter choice in the polynomial-based GOSS on the effectiveness of our attack. We further prove that under certain conditions, the adversary can successfully obtain the shared secret s with extremely high probability.

  3. We review the CRT-based (t,m,n) GOSS scheme [16] and show that this scheme does not guarantee the group oriented property. Specifically, we propose an attack method which allows an outside adversary with no valid share to obtain the shared secret provided that she gets more than t RCs in the secret reconstruction phase. We also prove that under certain conditions, the adversary can successfully obtain the shared secret with extremely high probability.

  4. We implement our attacks to verify their effectiveness. The experiments show that when the adversary observes t honest shares in the reconstruction phase, her probability of successfully obtaining the shared secret s is about 85% for polynomial-based GOSS and 37% for CRT-based GOSS, respectively. Moreover, this probability increases quite quickly with the number of honest RCs the adversary can obtain. For example, when t=4, the adversary’s success probabilities for both polynomial-based GOSS and CRT-based GOSS increase to about 99% when she can see 8 honest RCs.

Preliminaries

We first introduce some notation. All logarithms (denoted log(n)) throughout this paper are to the base 2. Column vectors are used throughout this paper unless stated otherwise. We say that a function negl(n): ℕ → ℝ is negligible in n if it decreases faster than any inverse polynomial 1/poly(n) in n; formally, there exists an integer N such that for all n ≥ N, |negl(n)| < 1/poly(n). Denote by [n] = {1, 2, …, n} the set of all positive integers less than or equal to n. We use the expression x ←$ X to denote

Miao et al.’s GOSS Schemes

An unauthenticated outside adversary can join the reconstruction phase of a secret sharing scheme and obtain the secret from honest shares. In order to deal with this problem, Miao et al. proposed the notion of GOSS scheme. In this section, we first introduce the syntax and properties of (t,m,n) GOSS and then review two concrete constructions.

Cryptanalysis of Polynomial-based GOSS Scheme

In this section, we present a detailed cryptanalysis of the polynomial-based GOSS scheme [15]. The polynomial-based GOSS scheme is claimed to be unconditionally secure with respect to the group oriented property.

Claim 1

Theorem 2 of Miao et al. [15]

Suppose there are m (m ≥ t) participants collaborating to reconstruct the secret s in the (t,m,n) GOSS scheme. Let the RCs of the m participants be C_{I_m} = (c_{i_1}, …, c_{i_m}). Suppose the unauthenticated adversary A knows a subset of k RCs among the m, C_{I_k} = (c_{i_1}, …, c_{i_k}). Then there exists an integer q_0

Cryptanalysis of CRT-Based GOSS Scheme

The CRT-based (t,m,n) GOSS scheme proposed by Miao et al. [16] is claimed to have the group oriented property, as presented in Claim 2.

Claim 2

Theorem 2 of Miao et al. [16]

Suppose there are m (m ≥ t) participants collaborating to reconstruct the secret s in the CRT-based (t,m,n) GOSS scheme. Let the RCs of the m participants be C_{I_m} = (c_{i_1}, …, c_{i_m}). Suppose the unauthenticated adversary A knows a subset of k RCs among the m, C_{I_k} = (c_{i_1}, …, c_{i_k}). Then for any positive number , we have H(s) − H(s | C_{I_k}) for sufficiently large moduli (p_0, p_1, …, p_n), where H(s) is

Experimental Results

In this section we provide experimental results on our attack methods against the polynomial-based GOSS scheme and the CRT-based GOSS scheme. All our attacks are implemented as SageMath [31] scripts and the code is freely available online. Since our Theorem 1 and Theorem 2 prove that the two GOSS schemes are not information-theoretically secure, and we are considering a computationally unbounded adversary, we illustrate our attacks on small parameters.

Conclusion

The original definition of a (t,n) threshold secret sharing scheme does not prevent an outside adversary, who has no share but participates in the reconstruction phase, from obtaining the shared secret. Although this problem can be resolved simply by using user authentication, the overhead would be O(n^2). Thus, researchers proposed a notion called group oriented secret sharing which tries to capture the issue of unauthenticated users in threshold schemes. Basically, the group oriented property guarantees

CRediT authorship contribution statement

Rui Xu: Conceptualization, Methodology, Software, Validation, Writing - original draft, Writing - review & editing, Funding acquisition. Xu Wang: Methodology, Validation, Visualization. Kirill Morozov: Conceptualization, Validation, Writing - review & editing. Chi Cheng: Conceptualization, Validation, Writing - review & editing, Funding acquisition. Jintai Ding: Methodology, Validation.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Acknowledgment

The work presented in this paper was supported in part by the National Natural Science Foundation of China under Grant No. 61802354 and 62172374, and Open Research Project of The Hubei Key Laboratory of Intelligent Geo-Information Processing under Grant No. KLIGIP 2021B07. We highly appreciate the anonymous reviewers for their critical assessment and suggestive comments of our work, which helped us to improve the quality of this article.

References (34)

  • T.P. Pedersen, Non-interactive and information-theoretic secure verifiable secret sharing, in: Annual international...
  • K.M. Martin et al., Changing thresholds in the absence of secure channels
  • R. Xu et al., Cheater identifiable secret sharing schemes via multi-receiver authentication
  • Z. Ahmadian et al., Linear subspace cryptanalysis of Harn’s secret sharing-based group authentication scheme, IEEE Transactions on Information Forensics and Security (2017)
  • F. Miao et al., Randomized component and its application to (t, m, n)-group oriented secret sharing, IEEE Transactions on Information Forensics and Security (2015)
  • F. Miao et al., A (t, m, n)-group oriented secret sharing scheme, Chinese Journal of Electronics (2016)
  • L. Harn, Group authentication, IEEE Transactions on Computers (2012)