Author(s): Bruce Schneier

ISBN: 0471128457

Publication Date: 01/01/96

Previous | Table of Contents | Next |

*Asmuth-Bloom*

This scheme uses prime numbers [65]. For an (*m, n*)-threshold scheme, choose a large prime, *p,* greater than *M.* Then choose *n* numbers less than *p, d*_{1} , *d*_{2} , ..., *d*_{n}, such that:

**1.**The*d*values are in increasing order;*d*_{i}<*d*_{i+1}**2.**Each*d*_{i}is relatively prime to every other*d*_{i}**3.***d*_{1}**d*_{2}* ... **d*_{m}>*p***d*_{n-m+2}**d*_{n-m+3}* ... **d*_{n}

To distribute the shadows, first choose a random value *r* and compute

*M'*=*M*+*rp*

The shadows, *k*_{i}, are

*k*_{i}=*M'*mod*d*_{i}

Any *m* shadows can get together and reconstruct *M* using the Chinese remainder theorem, but any *m* -1 cannot. See [65] for details.

*Karnin-Greene-Hellman*

This scheme uses matrix multiplication [818]. Choose *n* +1 *m*-dimensional vectors, *V*_{0} , *V*_{1} , ..., *Vn,* such that any possible *m* * *m* matrix formed out of those vectors has rank *m.* The vector *U* is a row vector of dimension *m* +1.

*M* is the matrix product *U·V*_{0}. The shadows are the products *U·V*_{i}, where *i* is a number from 1 to *n.*

Any *m* shadows can be used to solve the *m* * *m* system of linear equations, where the unknowns are the coefficients of *U. UV*_{0} can be computed from *U.* Any *m* -1 shadows cannot solve the system of linear equations and therefore cannot recover the secret.

*Advanced Threshold Schemes*

The previous examples illustrate only the simplest threshold schemes: Divide a secret into *n* shadows such that any *m* can be used to recover the secret. These algorithms can be used to create far more complicated schemes. The following examples will use Shamir’s algorithm, although any of the others will work.

To create a scheme in which one person is more important than another, give that person more shadows. If it takes five shadows to recreate a secret and one person has three shadows while everyone else has only one, then that person and two other people can recreate the secret. Without that person, it takes five to recreate the secret.

Two or more people could get multiple shadows. Each person could have a different number of shadows. No matter how the shadows are distributed, any *m* of them can be used to reconstruct the secret. Someone with *m* -1 shadows, be it one person or a roomful of people, cannot do it.

In other types of schemes, imagine a scenario with two hostile delegations. You can share the secret so that two people from the 7 in Delegation A and 3 people from the 12 in Delegation B are required to reconstruct the secret. Make a polynomial of degree 3 that is the product of a linear expression and a quadratic expression. Give everyone from Delegation A a shadow that is the result of an evaluation of the linear equation; give everyone from Delegation B a shadow that is the evaluation of the quadratic equation.

Any two shadows from Delegation A can be used to reconstruct the linear equation, but no matter how many other shadows the group has, they cannot get any information about the secret. The same is true for Delegation B: They can get three shadows together to reconstruct the quadratic equation, but they cannot get any more information necessary to reconstruct the secret. Only when the two delegations share their equations can they be multiplied to reconstruct the secret.

In general, any type of sharing scheme that can be imagined can be implemented. All you have to do is to envision a system of equations that corresponds to the particular scheme. Some excellent papers on generalized secret-sharing schemes are [1462,1463,1464].

*Sharing a Secret with Cheaters*

This algorithm modifies the standard (*m, n*)-threshold scheme to detect cheaters [1529]. I demonstrate this using the Lagrange scheme, although it works with the others as well.

Choose a prime, *p,* that is both larger than *n* and larger than

- (
*s*- 1) (*m*- 1)/*e*+*m*

where *s* is the largest possible secret and *e* is the probability of successful cheating. You can make *e* as small as you want; it just makes the computation more complex. Construct your shadows as before, except instead of using *1, 2, 3,...,* *n* for *x*_{i}, choose random numbers between 1 and *p* - 1 for *x*_{i}.

Now, when Mallory sneaks into the secret reconstruction meeting with his false share, his share has a high probability of not being possible. An impossible secret is, of course, a fake secret. See [1529] for the math.

Unfortunately, while Mallory is exposed as a cheater, he still learns the secret (assuming that there are *m* other valid shares). Another protocol, from [1529,975], prevents that. The basic idea is to have a series of *k* secrets, such that none of the participants knows beforehand which is correct. Each secret is larger than the one before, except for the real secret. The participants combine their shadows to generate one secret after the other, until they create a secret that is less than the previous secret. That’s the correct one.

This scheme will expose cheaters early, before the secret is generated. There are complications when the participants deliver their shadows one at a time; refer to the papers for details. Other papers on the detection and prevention of cheaters in threshold schemes are [355,114,270].

**Ong-Schnorr-Shamir**

This subliminal channel (see Section 4.2), designed by Gustavus Simmons [1458,1459,1460], uses the Ong-Schnorr-Shamir identification scheme (see Section 20.5). As in the original scheme, the sender (Alice) chooses a public modulus, *n,* and a private key, *k,* such that *n* and *k* are relatively prime. Unlike the original scheme, *k* is shared between Alice and Bob, the recipient of the subliminal message.

The public key is calculated:

*h*= -*k*^{2}mod*n*

If Alice wants to send the subliminal message *M* by means of the innocuous message *M',* she first confirms that *M'* and *n* are relatively prime, and that *M* and *n* are relatively prime.

Alice calculates

*S*_{1}= 1/2 * ((*M'*/*M*+*M*)) mod*n**S*_{2}=*k*/2 * ((*M'*/*M*-*M*)) mod*n*

Together, the pair, *S*_{1} and *S*_{2}, is the signature under the traditional Ong-Schnorr-Shamir scheme and the carrier of the subliminal message.

Walter the warden (remember him?) can authenticate the message as described by the Ong-Schnorr-Shamir signature scheme, but Bob can do better. He can authenticate the message (it is always possible that Walter can make his own messages). He confirms that

*S*_{1}^{2}-*S*_{2}^{2}/*k*≡^{2}*M'*(mod*n*)

If the message is authentic, the receiver can recover the subliminal message using this formula:

*M*=*M'*/(*S*_{1}+*S*_{2}k^{-1}) mod*n*

This works, but remember that the basic Ong-Schnorr-Shamir has been broken.

Previous | Table of Contents | Next |