\documentclass[11pt]{article}
\usepackage{latexsym}
\usepackage{epsfig}
\usepackage{amsmath}
\usepackage{graphics}
\usepackage{amssymb}
\usepackage{amsthm}
\usepackage{amsfonts}
\usepackage{amsopn}
\usepackage{amscd}
\usepackage{fullpage}

\newtheorem{thm}{Theorem}
\newtheorem{cor}[thm]{Corollary}
\newtheorem{lem}[thm]{Lemma}
\newtheorem{prop}[thm]{Proposition}
\newtheorem{defn}[thm]{Definition}
\newtheorem{rem}[thm]{Remark}
\newtheorem{exm}[thm]{Example}
\numberwithin{equation}{section}
\numberwithin{figure}{section}
\numberwithin{thm}{section}
%\linespread{1.6}
\begin{document}
\pagenumbering{arabic}
\begin{center}
\textbf{A Comparison of Secret Sharing Schemes Based on Latin Squares and RSA}\\
\textbf{Liam Wagner\footnote[1]{Corresponding address: \\Department of
Mathematics, The University of Queensland, St Lucia 4072 Qld Australia.
Email: LDW@maths.uq.edu.au}\\Department of Mathematics and\\
St John's College within\\ The University of Queensland}
\end{center}


\begin{abstract}
\noindent In recent years a great deal of work has been done on secret sharing
schemes. Secret sharing schemes allow a key to be divided into shares so that
only an authorised set of users may access the protected information. In this paper we
present a critical comparison of two such schemes, one based on Latin
squares \cite{cpr} and one based on RSA \cite{shoup}. The two protocols are examined
in terms of the positive and negative aspects of their security.
\end{abstract}

\noindent \textit{Keywords:} Cryptography and Secure Communication;
Secret Sharing Schemes; Distributed Systems; RSA Digital Signature Algorithm; Latin Squares.

\section{Introduction}
In communications networks which require security, it is important that
secrets be protected by more than one key. Furthermore, a system of several
keys with more than one way of combining them may allow for the unique
recovery of a secret. Schemes in which a group of participants can
recover a secret are known as \textit{Secret Sharing Schemes}.
\\
The idea of secret sharing is to start with a secret and divide it into pieces
called \emph{shares}, which are then distributed amongst the users in such a way that
only specific subsets of users, by pooling their shares, are able to reconstruct the
original secret \cite{men}.
\\\\
\textbf{Threshold Schemes}\\
\noindent Shamir \cite{sham} describes threshold schemes as being very helpful in the
management of cryptographic keys. The most secure key management scheme keeps the key in a single place. This sort of scheme may not
always be appropriate, and an obvious solution is to make multiple
copies of the key. This, however, increases the risk involved in keeping
multiple copies of the key secret. By using Shamir's \cite{sham} threshold scheme concept we
can obtain a very robust key management scheme.
\\
Threshold schemes are well suited to applications in which a group of
individuals with conflicting interests must cooperate \cite{sham}. By following
Shamir's \cite{sham} protocol and choosing the parameters $t$ and $w$ appropriately we can give any
sufficiently large majority the authority to take some action while giving any
sufficiently large minority veto power. We shall now use the definition given in \cite{stin} to describe
what a threshold secret sharing scheme is.
\begin{defn}
Let $t$ and $w$ be positive integers, $t\leq w$. A $(t,w)$-threshold scheme is
a method of sharing a key $K$ among a set of $w$ participants (denoted by
$\mathcal{P}$), in such a way that any $t$ participants can compute the value of
$K$, but no group of $t-1$ participants can do so.
\end{defn}
\noindent The value of $K$ is chosen by a special participant which is referred to by
\cite{stin} as the \emph{dealer}. The dealer is denoted by $D$ and we assume
that $D \notin \mathcal{P}$. When $D$ wants to share the key $K$ among the
participants in $\mathcal{P}$, $D$ gives each participant some partial information,
referred to earlier as a share. The shares should be distributed secretly, so that no
participant knows the share given to any other participant.
At some later time, a subset of participants $B \subseteq \mathcal{P}$ will pool
their shares, or return them to the dealer, in an attempt to compute the key $K$.
If $|B| \geq t$, then they should be able to compute the value of
$K$ as a function of the shares they collectively hold. Furthermore, if $|B| <
t$, then they should not be able to compute $K$. Following the notation of
Stinson \cite{stin}, we write
\begin{equation}
\mathcal{P} = \{P_{i}: 1 \leq i \leq w \}
\end{equation}
for the set of participants, $\mathcal{K}$ for the set of keys and
$\mathcal{S}$ for the set of shares. A useful point proposed by Shamir \cite{sham} is that a hierarchical scheme may
be created, so that some participants may hold shares which are of more importance
(weight).
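The $(t,w)$-threshold scheme of the definition above, realised with Shamir's polynomial construction, as an added worked example that is not part of the original paper. The field prime, the share indices $1,\dots,w$ and the function names are assumptions of this example; it shows $t$ pooled shares recovering $K$ and $t-1$ shares failing to.

```python
import secrets

# Added example (not from the paper): a (t, w)-threshold scheme in the sense of
# the definition above, realised with Shamir's polynomial construction over the
# prime field Z_P.  The dealer D chooses a random polynomial f of degree t-1
# with f(0) = K and privately gives participant P_i the share (i, f(i)).

P = 2**127 - 1   # a Mersenne prime (assumed field size); all arithmetic is mod P


def deal(key, t, w, rng=secrets.randbelow):
    """Dealer: split K into w shares such that any t of them determine K."""
    assert 0 <= key < P and 1 <= t <= w < P
    coeffs = [key] + [rng(P) for _ in range(t - 1)]          # f(0) = K

    def f(x):
        return sum(c * pow(x, j, P) for j, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, w + 1)]               # share of P_i


def recover(shares):
    """A subset B pools its shares: Lagrange-interpolate f at x = 0.

    With |B| >= t this returns K.  With |B| < t it still returns *some*
    value, but the pooled points are consistent with every possible key,
    so an unauthorised subset learns nothing about K.
    """
    total = 0
    for i, y_i in shares:
        num, den = 1, 1
        for j, _ in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + y_i * num * pow(den, -1, P)) % P
    return total


def demo(key=0xC0FFEE, t=3, w=5):
    """Returns (authorised subset recovers K?, t-1 participants recover K?)."""
    shares = deal(key, t, w)
    authorised = recover(shares[1:4])        # P_2, P_3, P_4: |B| = t
    too_few = recover(shares[:t - 1])        # P_1, P_2: |B| = t - 1
    return authorised == key, too_few == key
```

Requires Python 3.8 or later for the modular inverse `pow(den, -1, P)`.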

\subsection{Access Structures}
In our outline of threshold schemes, we wanted any $t$ out of $w$ participants to be able to
determine the key. A more general situation is to specify exactly which subsets
of participants should be able to determine the key and which should not
\cite{stin}. Let $\Gamma$ be a set of subsets of $\mathcal{P}$, the
subsets in $\Gamma$ being exactly those subsets of participants that should be able to
compute the key. $\Gamma$ is called the access structure and the
subsets in $\Gamma$ are called authorised subsets.
\\
Furthermore, let $\mathcal{K}$ be the set of keys and $\mathcal{S}$ be the set of shares.
We continue to use the dealer $D$, who wants to share a key $K\in
\mathcal{K}$ and gives each participant a share $S\in \mathcal{S}$.
Some time later a subset of participants will attempt to determine $K$ from the
shares they collectively hold. Note that a $(t,w)$-threshold scheme realises the access structure $\{B
\subseteq \mathcal{P} \; | \; |B| \geq t\}$, which is referred to by
Stinson \cite{stin} as the \emph{threshold access structure}.
\\
If $\Gamma$ is an access structure, then $B \in \Gamma$ is a minimal authorised
subset if $A \notin \Gamma$ whenever $A \subseteq B, A \neq B$. The set of
minimal authorised subsets of $\Gamma$ is denoted by $\Gamma_{0}$ and is called
the basis of $\Gamma$. Since $\Gamma$ consists of all subsets of $\mathcal{P}$
that are supersets of a subset in the basis $\Gamma_{0}$, $\Gamma$ is
determined uniquely as a function of $\Gamma_{0}$:
\begin{equation}
\Gamma = \{C \subseteq \mathcal{P} \; : \; B \subseteq C \text{ for some } B \in \Gamma_{0}\}
\end{equation}


\section{Latin Squares}
In their 1994 paper Cooper, Donovan and Seberry \cite{cpr} laid the foundation
for the use of critical sets as a combinatorial structure from which a
secret sharing scheme can be constructed. We begin this section by defining a
Latin square and the concept of a critical set.
\begin{defn}
An $n \times n$ Latin square is an $n \times n$ matrix whose entries are taken
from a set of $n$ objects such that no object occurs twice in any row or column.
\end{defn}

\begin{defn}
A critical set of a Latin square $L$ defined over the set $X =\{ 1,\dots,n\}$
is a set
\begin{equation}
C = \{(i,j;k) \in X \times X \times X\}
\end{equation}
such that $L$ is the only Latin square of order $n$ with $k$ in the $(i,j)$th position for every
$(i,j;k) \in C$, and no proper subset of $C$ satisfies this condition.
\end{defn}
\noindent An important construction which we need to define is the
concept of a strong critical set of a Latin square.
\begin{defn}
A critical set $A$ of $L$ is a strong critical set if there exists a set
$\{P_{1},\dots,P_{m}\}$ of $m=n^{2} - |A|$ partial Latin squares of order $n$ which satisfy
the following properties:
\begin{itemize}
\item $L \supset P_{m} \supset P_{m-1} \supset \dots \supset P_{2} \supset P_{1}
=A$;
\item for all $i$, $1\leq i \leq m-1$, $P_{i} \cup \{(r_{i},c_{i};e_{i})\} =
P_{i+1}$;
\item $P_{i} \cup \{(r_{i},c_{i};e)\}$ is not a partial Latin square for any
$e \in N \setminus \{e_{i}\}$, where $N=\{1,\dots,n\}$ is the set of symbols.
\end{itemize}
\end{defn}

\begin{defn}
A critical set $A$ of $L$ is referred to as semi-strong if there exists a set
$\{P_{1},\dots,P_{m}\}$ of $m=n^{2} -|A|$ partial Latin squares of order $n$
which satisfy the following properties:
\begin{enumerate}
\item $L \supset P_{m} \supset P_{m-1} \supset \dots \supset P_{2} \supset P_{1}=A$;
\item for all $i$, $1 \leq i \leq m-1$, $P_{i} \cup \{(r_{i},c_{i};e_{i})\}=P_{i+1}$,
where one of $P_{i} \cup \{(r_{i},c_{i};e)\}$,
$P_{i} \cup \{(r_{i},c;e_{i})\}$ or $P_{i} \cup \{(r,c_{i};e_{i})\}$ is not a partial
Latin square for any $e\in N \setminus \{e_{i}\}$, $c\in N \setminus \{c_{i}\}$ or $r\in N \setminus
\{r_{i}\}$ respectively.
\end{enumerate}
\end{defn}

\subsection{The Proposed Scheme}
In Cooper \cite{cpr} a secret sharing scheme is constructed with a secret key
made from a Latin square $L$ of order $n$. Furthermore, \cite{cpr} notes the
following characteristics:
\begin{itemize}
\item The Latin square $L$ is kept private; its order, however, is made public.
\item The shares are based on a partial Latin square $S=\{ \cup A_{i} \; | \; A_{i} \subseteq
L\}$ where each $A_{i}$ is a critical set, the union being taken over all critical sets of $L$ or over some subset
of the critical sets.
\item The number of critical sets used depends on the size of the Latin square
and the number of shares.
\item The access structure is $\Gamma = \{ B \; | \; B \subseteq \mathcal{S}
\; \& \; A \subseteq B\}$ where $A$ is some critical set of $L$; $\Gamma$ is monotone.
\end{itemize}
We shall now outline the basic protocol presented by Cooper \cite{cpr}:
\begin{itemize}
\item A Latin square $L$ of order $n$ is chosen. The number $n$ is made public, but the Latin square $L$ is kept secret and taken to be the key.
\item The set $S$, which is the union of a number of critical sets of $L$, is formed.
\item For each $(i,j;k) \in S$, the share $(i,j;k)$ is distributed privately to a participant.
\item When a critical set of shares is brought together, its holders can reconstruct
the Latin square $L$ and thus the secret key.
\end{itemize}

\subsection{The Ranking Problem}
The constructions proposed in \cite{cpr,aps,bean} are such that each user is
given one element from a Latin square, and a subset of these elements may be
combined to form a critical set. In Donovan \cite{dcns} a more general
construction is given, in which a set $S$ is the union of a number of critical
sets in a Latin square. Elements of the set $S$ are dealt out to the players,
so that a group of players who wish to reconstruct the critical set, and hence
the secret, can do so. This gives rise to the complex issue that in a Latin
square some positions are more important than others.
\\
Consider an intruder who knows C's share and the location
of the other shares; what this player does next depends upon their knowledge
of the concurrence scheme. If the player knows the scheme, then they would
start by guessing two of the other shares (A and B, or D and E,
or A and D), in which case they are at a disadvantage compared to an
intruder who knows a share other than C's.
\\
If the player does not know the scheme, it would seem most logical to try
to guess D's share before trying to guess two other shares at once.
Again, in this case, the player is at a disadvantage compared to an
intruder who knows a share other than C's.

\subsection{Security of a Latin Square Based Scheme}
The main security issues with this type of scheme were investigated
thoroughly by Cooper \cite{cpr}. We now examine these vulnerabilities:
\begin{itemize}
\item An unauthorised player knows one $n$th of the critical set.
\item A group of unauthorised players has a greater chance of reconstructing
the critical set from their pooled shares.
\item The security of this scheme rests on the number of possible Latin
squares which contain the partial Latin square defined by a disloyal group of
players. It has been estimated that the number of Latin squares containing a
set $C$ of triples $(i,j;k)$ is $\geq 19000000$ for a square of order $n=11$.
\end{itemize}

\noindent The complexity of completing partial Latin squares has been
investigated by Colbourn \cite{col}: the problem is NP-complete.
However, even for a Latin square of order $n=11$ there is still a
measurable number of solutions which can be generated by brute force.
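The protocol of Cooper, Donovan and Seberry and the security measure just described, as an added worked example that is not part of the original paper: a backtracking completion counter over partial Latin squares, a critical set checker matching the definition in this section, and the count of keys still consistent with the shares a disloyal group holds. The order-4 cyclic square and its critical set are constructed for this example; the function names are assumptions.

```python
# Added example (not from Cooper, Donovan and Seberry): the objects of the Latin
# square scheme made concrete.  A partial Latin square is a dict
# {(row, col): symbol} over X = {1, ..., n}, i.e. the triples (i, j; k) that are
# dealt out as shares.  Completions are counted by backtracking, which is the
# brute-force search whose cost the security discussion above measures.

def completions(partial, n, limit=None):
    """Count Latin squares of order n containing `partial`; stop early at `limit`."""
    grid = [[0] * n for _ in range(n)]
    for (r, c), k in partial.items():
        grid[r - 1][c - 1] = k
    for i in range(n):                        # reject input that is not a partial Latin square
        row = [k for k in grid[i] if k]
        col = [grid[j][i] for j in range(n) if grid[j][i]]
        if len(set(row)) != len(row) or len(set(col)) != len(col):
            return 0
    empty = [(r, c) for r in range(n) for c in range(n) if grid[r][c] == 0]
    count = 0

    def fill(idx):
        nonlocal count
        if limit is not None and count >= limit:
            return
        if idx == len(empty):
            count += 1
            return
        r, c = empty[idx]
        used = set(grid[r]) | {grid[i][c] for i in range(n)}
        for k in range(1, n + 1):
            if k not in used:                 # Latin property: no repeat in row or column
                grid[r][c] = k
                fill(idx + 1)
                grid[r][c] = 0

    fill(0)
    return count


def is_critical_set(partial, n):
    """Critical set: unique completion, and every proper subset has more than one."""
    if completions(partial, n, limit=2) != 1:
        return False
    for cell in partial:
        smaller = {c: k for c, k in partial.items() if c != cell}
        if completions(smaller, n, limit=2) != 2:
            return False
    return True


def cyclic_square(n):
    """The back-circulant Latin square L(i, j) = (i + j - 2) mod n + 1 on X = {1..n}."""
    return {(i, j): (i + j - 2) % n + 1 for i in range(1, n + 1) for j in range(1, n + 1)}


# Constructed key: the cyclic square of order 4 and a 4-element critical set of it.
N = 4
L = cyclic_square(N)
CRITICAL = {(1, 1): L[1, 1], (1, 2): L[1, 2], (2, 1): L[2, 1], (4, 4): L[4, 4]}


def disloyal_view(held):
    """Number of keys (Latin squares) still consistent with the shares a group holds."""
    return completions(held, N)
```

For order 4 the whole search space is only 576 squares, so every count above is exact; at order 11 the same routine is the brute-force completion the text warns remains feasible.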

\section{RSA Threshold System}
Threshold schemes, however, are by no means perfect, despite their proponents
\cite{shoup}. Many of these schemes have a great
many shortfalls, which include at least one of the following:
\begin{enumerate}
\item The scheme has no rigorous security proof.
\item Share generation and verification is interactive and requires a synchronous
communications network.
\item The size of each share increases linearly with the number of
players.
\end{enumerate}
In an effort to rectify this situation, \cite{shoup} presents a new RSA threshold
scheme that exhibits the following:
\begin{enumerate}
\item It is unforgeable and robust if we assume that the RSA problem is hard
\cite{riv}.
\item Share generation and verification is completely non-interactive
\cite{riv}.
\item The size of each share is bounded by a constant and by the size of the
discrete logarithm problem \cite{sham,men}.
\end{enumerate}
Shoup \cite{shoup} further stresses the fact that the signature produced is a standard RSA
signature. This is underpinned by the fact that the public key and verification
algorithm are the same as for an RSA signature \cite{sham,riv}.
The refined model examined in this paper and in \cite{shoup} has one
threshold $t$ for the maximum number of traitors and a second, $k$, for the minimum quorum
size.

\subsection{The RSA Threshold Scheme}
We must first establish a set of $w$ players, denoted $1,\ldots, w$, a trusted
dealer, and a corrupt player (the adversary). The system also has a signature verification algorithm,
a share verification algorithm and a share combining algorithm. Shoup \cite{shoup} only
uses two parameters; however, in our investigation we remain consistent with
the majority of the literature and consider three. We denote the number of corrupted players by $c$, the number of shares needed to produce a
signature by $t$ and the number of players by $w$. The requirements on
these parameters are $t \geq c+1$ and $w-c \geq t$.
\\
The dealing phase is initiated by the dealer generating a public key, along
with a set of secret key shares and a set of verification keys. The adversary
obtains the secret key shares of the corrupted players, together with the public and
verification keys. In the post-dealing phase the adversary acts by
submitting signing requests for messages to the loyal players. After a
request has been submitted, a player outputs a signature share for the submitted
message.
\\
The signature verification algorithm takes as input a message, a signature and the
public key, and determines whether the signature is valid. The share
verification algorithm takes as input a message and a signature share on that message from player $i$, and
determines whether that signature share is valid. The share combining algorithm takes
a message and $t$ valid signature shares on the message, together with the public key and
the verification keys, and outputs a valid signature on that
message.
\\
The non-forgeability requirement states that an adversary forges a
signature if, at the end of the protocol, it outputs a valid signature on a
message that was not submitted as a signing request to at least $t-c$ loyal
players. Furthermore, we must stress that the threshold signature scheme is
non-forgeable if it is computationally infeasible for the adversary to forge
a signature in this sense.
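The dealing, signature share and share combining steps just described, as an added worked example that is not Shoup's code and not part of the original paper. It assumes toy safe primes $p=23$, $q=47$, a public exponent $e=7$ larger than the number of players $w=5$, and a quorum of $t=3$; the verification keys and the proofs of correctness that accompany each signature share in Shoup's scheme are omitted, and the function names are assumptions.

```python
from fractions import Fraction
from math import factorial, gcd
import random

# Added example (not Shoup's code): dealing, signature shares and share
# combining for the RSA threshold scheme described above, in toy size.  The
# verification keys and the non-interactive proofs of correctness attached to
# each signature share are omitted; the block shows only how t signature
# shares become one ordinary RSA signature that the standard algorithm verifies.

def egcd(a, b):
    """Extended Euclid: (g, u, v) with u*a + v*b == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, u, v = egcd(b, a % b)
    return g, v, u - (a // b) * v

def deal(p, q, e, t, w, coeff):
    """Dealer: n = pq for safe primes p = 2p'+1, q = 2q'+1; d = e^-1 mod m, m = p'q',
    is shared with a degree t-1 polynomial over Z_m.  Returns ((n, e), {i: s_i})."""
    n, m = p * q, ((p - 1) // 2) * ((q - 1) // 2)
    assert e > w and gcd(e, m) == 1           # e prime and larger than w, as in Shoup
    d = pow(e, -1, m)
    a = [d] + [coeff(m) for _ in range(t - 1)]   # f(0) = d
    return (n, e), {i: sum(c * pow(i, j, m) for j, c in enumerate(a)) % m
                    for i in range(1, w + 1)}

def sign_share(x, s_i, n, w):
    """Player i's signature share on x = H(M): x_i = x^(2 * Delta * s_i) mod n, Delta = w!."""
    return pow(x, 2 * factorial(w) * s_i, n)

def combine(x, sig_shares, n, e, w):
    """Combine the shares {i: x_i} of a quorum into y with y^e = x (mod n)."""
    delta = factorial(w)
    quorum = list(sig_shares)
    wv = 1
    for j in quorum:                          # integer Lagrange coefficients lambda_j
        lam = Fraction(delta)
        for jp in quorum:
            if jp != j:
                lam *= Fraction(-jp, j - jp)
        assert lam.denominator == 1           # Delta = w! clears every denominator
        wv = wv * pow(sig_shares[j], 2 * int(lam), n) % n
    e_prime = 4 * delta * delta               # now wv^e == x^e_prime (mod n)
    g, a, b = egcd(e_prime, e)
    assert g == 1                             # e prime and e > w, so gcd(e, 4 Delta^2) = 1
    return pow(wv, a, n) * pow(x, b, n) % n   # y = wv^a * x^b, hence y^e = x

def verify(x, y, n, e):
    """Standard RSA signature verification on the combined signature."""
    return pow(y, e, n) == x % n

def demo():
    """Toy run (constructed parameters): p = 23, q = 47, e = 7, w = 5 players, t = 3."""
    rng = random.Random(2024)
    (n, e), shares = deal(23, 47, 7, 3, 5, lambda m: rng.randrange(1, m))
    x = 100                                   # stands in for H(M); gcd(x, n) = 1
    quorum = {i: sign_share(x, shares[i], n, 5) for i in (1, 3, 5)}
    too_few = {i: sign_share(x, shares[i], n, 5) for i in (1, 3)}
    return (verify(x, combine(x, quorum, n, e, 5), n, e),
            verify(x, combine(x, too_few, n, e, 5), n, e))
```

Requires Python 3.8 or later for the negative-exponent `pow(..., n)`; with $t-1$ shares the combiner still produces a value, but it is not a valid signature.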

\subsection{Security of RSA Threshold}

\begin{thm}
For $t=c+1$, in the random oracle model for $H'$, the above protocol is a secure
threshold signature scheme which is robust and non-forgeable, under the assumption that
the standard RSA signature scheme is secure.
\end{thm}

\noindent We shall only give a very short comment on the proof of this theorem; one
should consult Shoup \cite{shoup} for the detailed argument.
The robustness of the threshold signature scheme is cemented in its
non-forgeability. We assume that the standard RSA signature scheme is secure
against adaptive chosen message attack. This statement
can be justified in the random oracle model of \cite{men}: given some
random $x \in \mathbf{Z}^{*}_{n}$, it is hard to compute $y$ such that $y^{e}=x$.

\section{Analysis}
We now put forward the merits of the Latin square secret sharing scheme and of the RSA
based system, in order to examine them.

\begin{itemize}
\item A Latin square scheme can provide good security when the critical set on
which the scheme is founded is neither a strong nor a semi-strong
critical set.
\item Latin squares of large order, i.e. $\geq 11$, provide a relatively
secure system.
\item The current literature believes that the RSA problem is hard to compute.
\item The Decision Diffie-Hellman (DDH) assumption: given some random $g, \; h
\in Q_{n}$, along with $g^{a}$ and $h^{b}$, it is hard to decide whether $a \equiv b
\pmod{m}$.
\item Finding a correct authorised group of shares from one given share is
computationally difficult.
\end{itemize}

\noindent If we were to look at a computational attack against the Latin square scheme,
one would need only to find one disloyal player and simply generate a
completion for that share \cite{bean}. Although the prospect of finding a
solution to this problem becomes more difficult as the size of the scheme
increases beyond 11 players \cite{don}, it is still possible. Without a scheme
that allows for a disenrollment procedure \cite{don}, a brute force attack
computing the completion of the Latin square is a viable attack.
\\
If one already holds one of the other shares, then there is a $1$ in $4$
chance of completing the critical set and discovering the secret by
simply picking one share at random \cite{cpr}. A $25$ percent chance of
completing a critical set given that one player is disloyal is a risk not worth
taking in our view. If one player were somehow compelled or convinced that
becoming disloyal was appropriate, then a scheme that places so much trust in one
player is too risky.
\\
Although the Latin square model is entirely theoretical, it must be asked why
one would use a scheme that has two major faults. Unless one can ensure
that no players will defect and become disloyal, this scheme is far from
desirable. In contrast, RSA based protocols are one of the best methods available
to ensure the security of a multiparty scheme for digital signatures
\cite{men,shoup}.


\begin{thebibliography}{199}

\bibitem{bean} Bean, R., \textit{Secret Sharing Schemes Based on Geometric
Construction and Latin Squares}, Department of Mathematics,
The University of Queensland, 1997.

\bibitem{col} Colbourn, C.J., \textit{The Complexity of Completing Partial Latin
Squares}, Discrete Applied Mathematics, vol.\textbf{8}, pp.25--30, 1984.

\bibitem{cpr} Cooper, J., Donovan, D., Seberry, J., \textit{Secret Sharing Schemes Arising From Latin Squares}, Bulletin of the ICA, vol.\textbf{12}, pp.33--43, 1994.

\bibitem{dcns} Donovan, D., Cooper, J., Nott, D.J., and Seberry, J.,
\textit{Latin Squares: Critical Sets and Their Lower Bounds}, Ars
Combinatoria, vol.\textbf{39}, pp.33--48, 1995.

\bibitem{don} Donovan, D., \textit{Some Interesting Constructions for Secret
Sharing Schemes}, Australasian Journal of Combinatorics, vol.\textbf{9},
pp.37--65, 1994.

\bibitem{men} Menezes, A., van Oorschot, P.C., Vanstone, S.A.,
\textit{Handbook of Applied Cryptography}, CRC Press, 1996.

\bibitem{riv} Rivest, R.L., Shamir, A., Adleman, L., \textit{A Method for
Obtaining Digital Signatures and Public-Key Cryptosystems}, Communications
of the ACM, vol.\textbf{21}, no.2, 1978.

\bibitem{sham} Shamir, A., \textit{How to Share a Secret}, Communications
of the ACM, vol.\textbf{22}, no.11, 1979.

\bibitem{shoup} Shoup, V., \textit{Practical Threshold Signatures}, Eurocrypt
2000, Lecture Notes in Computer Science, vol.\textbf{1807}, pp.207--220, 2000.

\bibitem{stin} Stinson, D.R., \textit{Cryptography: Theory and Practice},
CRC Press, 1995.

\bibitem{aps} Street, A.P., \textit{Defining Sets for t-Designs and Critical
Sets for Latin Squares}, New Zealand Journal of Mathematics,
vol.\textbf{21}, pp.133--144, 1992.

\end{thebibliography}
\end{document}