Applied Cryptography, Second Edition: Protocols, Algorthms, and Source Code in C (cloth)
(Publisher: John Wiley & Sons, Inc.)
Author(s): Bruce Schneier
ISBN: 0471128457
Publication Date: 01/01/96

Asmuth-Bloom

This scheme uses prime numbers . For an (m, n)-threshold scheme, choose a large prime, p, greater than M. Then choose n numbers less than p, d1 , d2 , ..., dn, such that:

1.  The d values are in increasing order; di < di+1
2.  Each di is relatively prime to every other di
3.  d1 * d2 * ... * dm > p * dn-m+2 * dn-m+3 * ... * dn

To distribute the shadows, first choose a random value r and compute

M' = M + rp

The shadows, ki, are

ki = M' mod di

Any m shadows can get together and reconstruct M using the Chinese remainder theorem, but any m -1 cannot. See  for details.

Karnin-Greene-Hellman

This scheme uses matrix multiplication . Choose n +1 m-dimensional vectors, V0 , V1 , ..., Vn, such that any possible m * m matrix formed out of those vectors has rank m. The vector U is a row vector of dimension m +1.

M is the matrix product U·V0. The shadows are the products U·Vi, where i is a number from 1 to n.

Any m shadows can be used to solve the m * m system of linear equations, where the unknowns are the coefficients of U. UV0 can be computed from U. Any m -1 shadows cannot solve the system of linear equations and therefore cannot recover the secret.

The previous examples illustrate only the simplest threshold schemes: Divide a secret into n shadows such that any m can be used to recover the secret. These algorithms can be used to create far more complicated schemes. The following examples will use Shamir’s algorithm, although any of the others will work.

To create a scheme in which one person is more important than another, give that person more shadows. If it takes five shadows to recreate a secret and one person has three shadows while everyone else has only one, then that person and two other people can recreate the secret. Without that person, it takes five to recreate the secret.

Two or more people could get multiple shadows. Each person could have a different number of shadows. No matter how the shadows are distributed, any m of them can be used to reconstruct the secret. Someone with m -1 shadows, be it one person or a roomful of people, cannot do it.

In other types of schemes, imagine a scenario with two hostile delegations. You can share the secret so that two people from the 7 in Delegation A and 3 people from the 12 in Delegation B are required to reconstruct the secret. Make a polynomial of degree 3 that is the product of a linear expression and a quadratic expression. Give everyone from Delegation A a shadow that is the result of an evaluation of the linear equation; give everyone from Delegation B a shadow that is the evaluation of the quadratic equation.

Any two shadows from Delegation A can be used to reconstruct the linear equation, but no matter how many other shadows the group has, they cannot get any information about the secret. The same is true for Delegation B: They can get three shadows together to reconstruct the quadratic equation, but they cannot get any more information necessary to reconstruct the secret. Only when the two delegations share their equations can they be multiplied to reconstruct the secret.

In general, any type of sharing scheme that can be imagined can be implemented. All you have to do is to envision a system of equations that corresponds to the particular scheme. Some excellent papers on generalized secret-sharing schemes are [1462,1463,1464].

Sharing a Secret with Cheaters

This algorithm modifies the standard (m, n)-threshold scheme to detect cheaters . I demonstrate this using the Lagrange scheme, although it works with the others as well.

Choose a prime, p, that is both larger than n and larger than

(s - 1) (m - 1)/e + m

where s is the largest possible secret and e is the probability of successful cheating. You can make e as small as you want; it just makes the computation more complex. Construct your shadows as before, except instead of using 1, 2, 3,..., n for xi, choose random numbers between 1 and p - 1 for xi.

Now, when Mallory sneaks into the secret reconstruction meeting with his false share, his share has a high probability of not being possible. An impossible secret is, of course, a fake secret. See  for the math.

Unfortunately, while Mallory is exposed as a cheater, he still learns the secret (assuming that there are m other valid shares). Another protocol, from [1529,975], prevents that. The basic idea is to have a series of k secrets, such that none of the participants knows beforehand which is correct. Each secret is larger than the one before, except for the real secret. The participants combine their shadows to generate one secret after the other, until they create a secret that is less than the previous secret. That’s the correct one.

This scheme will expose cheaters early, before the secret is generated. There are complications when the participants deliver their shadows one at a time; refer to the papers for details. Other papers on the detection and prevention of cheaters in threshold schemes are [355,114,270].

### 23.3 Subliminal Channel

Ong-Schnorr-Shamir

This subliminal channel (see Section 4.2), designed by Gustavus Simmons [1458,1459,1460], uses the Ong-Schnorr-Shamir identification scheme (see Section 20.5). As in the original scheme, the sender (Alice) chooses a public modulus, n, and a private key, k, such that n and k are relatively prime. Unlike the original scheme, k is shared between Alice and Bob, the recipient of the subliminal message.

The public key is calculated:

h = -k2 mod n

If Alice wants to send the subliminal message M by means of the innocuous message M', she first confirms that M' and n are relatively prime, and that M and n are relatively prime.

Alice calculates

S1 = 1/2 * ((M' /M + M)) mod n
S2 = k/2 * ((M' /M - M)) mod n

Together, the pair, S1 and S2, is the signature under the traditional Ong-Schnorr-Shamir scheme and the carrier of the subliminal message.

Walter the warden (remember him?) can authenticate the message as described by the Ong-Schnorr-Shamir signature scheme, but Bob can do better. He can authenticate the message (it is always possible that Walter can make his own messages). He confirms that

S12 - S2 2/k2M' (mod n)

If the message is authentic, the receiver can recover the subliminal message using this formula:

M = M'/(S1 + S2 k-1) mod n

This works, but remember that the basic Ong-Schnorr-Shamir has been broken.

[an error occurred while processing this directive]