
Dynamic and Verifiable Hierarchical Secret Sharing

Conference paper

Information Theoretic Security (ICITS 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10015)

Abstract

In this work we provide a framework for dynamic secret sharing and present the first dynamic and verifiable hierarchical secret sharing scheme based on Birkhoff interpolation. Since the scheme is dynamic, it allows, without reconstructing the distributed message, adding and removing shareholders, renewing shares, and modifying the conditions for accessing the message. Furthermore, each shareholder can verify the share it receives during these algorithms, protecting itself against malicious dealers and shareholders. While these algorithms were already available for classical Lagrange interpolation based secret sharing, corresponding techniques for Birkhoff interpolation based schemes were missing. Note that Birkhoff interpolation is currently the only technique available that allows constructing hierarchical secret sharing schemes that are efficient and provide shares of equal size for all shareholders in the hierarchy. Thus, our scheme is an important contribution to hierarchical secret sharing.

This work was in part funded by the European Commission through grant agreement no. 644962 (PRISMACLOUD). Furthermore, it received funding from the DFG as part of project S6 within the CRC 1119 CROSSING.


Notes

  1. \(\mathcal{{P}}(S)\) denotes the partition of the set S.

  2. To renew the shares, the algorithm \(\mathsf {Reset}\) is run with the old set of shareholders S and the old access structure \(\varGamma \) as input.

  3. There exist solutions [2, 9, 10, 14] for VSS providing both information-theoretic confidentiality and bindingness. However, they are not secure against a mobile adversary that is able to collect enough shares over time to retrieve the message. The solution proposed in [2] is an interactive protocol, while we only consider non-interactive protocols, which have lower communication complexity.

References

  1. Agarwal, M., Mehr, R.: Review of matrix decomposition techniques for signal processing applications. Int. J. Eng. Res. Appl. 4(1), 90–93 (2014). www.ijera.com

  2. Backes, M., Kate, A., Patra, A.: Computational verifiable secret sharing revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 590–609. Springer, Heidelberg (2011). doi:10.1007/978-3-642-25385-0_32

  3. Baron, J., Defrawy, K.E., Lampkins, J., Ostrovsky, R.: Communication-optimal proactive secret sharing for dynamic groups. In: Malkin, T., Kolesnikov, V., Lewko, A.B., Polychronakis, M. (eds.) ACNS 2015. LNCS, vol. 9092, pp. 23–41. Springer, Heidelberg (2015). doi:10.1007/978-3-319-28166-7_2

  4. Blundo, C., Cresti, A., Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_10

  5. Brickell, E.F.: Some ideal secret sharing schemes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 468–475. Springer, Heidelberg (1990). doi:10.1007/3-540-46885-4_45

  6. Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: 26th Annual Symposium on Foundations of Computer Science, Portland, Oregon, USA, 21–23 October 1985, pp. 383–395 (1985). doi:10.1109/SFCS.1985.64

  7. Doganay, M.C., Pedersen, T.B., Saygin, Y., Savaş, E., Levi, A.: Distributed privacy preserving k-means clustering with additive secret sharing. In: Proceedings of 2008 International Workshop on Privacy and Anonymity in Information Society, pp. 3–11. ACM (2008)

  8. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science, pp. 427–438. IEEE (1987)

  9. Fitzi, M., Garay, J.A., Gollakota, S., Rangan, C.P., Srinathan, K.: Round-optimal and efficient verifiable secret sharing. In: Proceedings of 3rd Theory of Cryptography Conference, TCC 2006, New York, NY, USA, 4–7 March 2006, pp. 329–342 (2006). doi:10.1007/11681878_17

  10. Gennaro, R., Ishai, Y., Kushilevitz, E., Rabin, T.: The round complexity of verifiable secret sharing and secure multicast. In: Proceedings of the 33rd Annual ACM Symposium on Theory of Computing, 6–8 July 2001, Heraklion, Crete, Greece, pp. 580–589 (2001). doi:10.1145/380752.380853

  11. Ghodosi, H., Pieprzyk, J., Safavi-Naini, R.: Secret sharing in multilevel and compartmented groups. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 367–378. Springer, Heidelberg (1998). doi:10.1007/BFb0053748

  12. Gupta, V., Gopinath, K.: \(\text{G}^{2}_{its}\)VSR: an information theoretical secure verifiable secret redistribution protocol for long-term archival storage. In: 4th International IEEE Security in Storage Workshop, SISW 2007, pp. 22–33. IEEE (2007)

  13. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). doi:10.1007/3-540-44750-4_27

  14. Katz, J., Koo, C., Kumaresan, R.: Improving the round complexity of VSS in point-to-point networks. Inf. Comput. 207(8), 889–899 (2009). doi:10.1016/j.ic.2009.03.007

  15. Kothari, S.C.: Generalized linear threshold scheme. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 231–241. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_19

  16. Nojoumian, M., Stinson, D.R., Grainger, M.: Unconditionally secure social secret sharing scheme. Inf. Secur. IET 4(4), 202–211 (2010)

  17. Pakniat, N., Eslami, Z., Nojoumian, M.: Ideal social secret sharing using Birkhoff interpolation method. IACR Cryptology ePrint Archive 2014, 515 (2014). http://eprint.iacr.org/2014/515

  18. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). doi:10.1007/3-540-46766-1_9

  19. Schultz, D.A., Liskov, B., Liskov, M.: MPSS: mobile proactive secret sharing. ACM Trans. Inf. Syst. Secur. 13(4), 34 (2010). doi:10.1145/1880022.1880028

  20. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). doi:10.1145/359168.359176

  21. Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, Heidelberg (1990). doi:10.1007/0-387-34799-2_30

  22. Tassa, T.: Hierarchical threshold secret sharing. J. Cryptol. 20(2), 237–264 (2007)

Author information

Correspondence to Giulia Traverso.

Appendices

A Requirements for Birkhoff Interpolation Matrices

This section presents the necessary requirement and a sufficient condition on the interpolation matrix E for the corresponding Birkhoff interpolation problem to be well posed. For the corresponding proofs we refer to [22].

Lemma 1

Let \(A \subset S\) be an authorized subset of shareholders, i.e. \(A \in \varGamma \), and let E be the corresponding interpolation matrix. Then the entries \(e_{i,j}\) of the matrix E satisfy the following condition:

$$\begin{aligned} \sum _{j=0}^{k} \sum _{i=1}^{r} e_{i,j} \ge k+1, \quad 0 \le k \le d, \end{aligned}$$
(1)

where d is the highest derivative order in the problem and \(r:= \vert A \vert \) is the number of interpolating points.

Before providing the sufficient condition (Theorem 3), the following definition is needed.

Definition 6

[22]. In the interpolation matrix E, a 1-sequence is a maximal run of consecutive 1s in a row of E. Namely, it is a triplet of the form \((i, j_0, j_1)\) where \(1 \le i \le r\) and \(0 \le j_0 \le j_1 \le d\), such that \(e_{i,j}=1\) for all \(j_0 \le j \le j_1\), while \(e_{i, j_0 -1}= e_{i, j_1 +1}=0\). A 1-sequence \((i, j_0, j_1)\) is called supported if E has 1s both to the northwest and to the southwest of the leading entry of the sequence, i.e. there exist indices \(i_{nw}< i < i_{sw}\) and \(j_{nw}, j_{sw} < j_0\) such that \(e_{i_{nw}, j_{nw}}=e_{i_{sw}, j_{sw}}=1\).

Theorem 3

The Birkhoff interpolation problem for an authorized subset A and the corresponding interpolation matrix E has a unique solution if the interpolation matrix E satisfies (1) and contains no supported 1-sequence of odd length.

If the Birkhoff interpolation problem is instantiated over a finite field \(\mathbb {F}_q\) with q a prime number, the following additional condition has to hold as well.

Theorem 4

The Birkhoff interpolation problem for an interpolation matrix E has a unique solution over the finite field \(\mathbb {F}_q\) if the conditions of Theorem 3 hold and, in addition, the following inequality is satisfied:

$$\begin{aligned} q > 2^{- d +2} \cdot (d -1)^{\frac{(d -1)}{2}} \cdot (d -1)! \cdot x_{r}^{\frac{(d -1)(d -2)}{2}}, \end{aligned}$$
(2)

where d is the highest derivative order of the problem.
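The two conditions of Theorem 3, condition (1) and the absence of a supported 1-sequence of odd length, as a checker over a 0/1 interpolation matrix E. This is an added example, not code from the paper; the function names are mine and the sample matrices are constructed (the first is the matrix of Appendix C).

```python
# Checks on an interpolation matrix E from Appendix A.  Rows of E are the interpolating
# points (one per collaborating shareholder), column j is the derivative order.

def condition_1(E):
    """Condition (1): for every k = 0..d, columns 0..k of E contain at least k + 1 ones."""
    d = len(E[0]) - 1
    return all(sum(E[i][j] for i in range(len(E)) for j in range(k + 1)) >= k + 1
               for k in range(d + 1))

def one_sequences(E):
    """Maximal runs of consecutive 1s per row, as triplets (i, j0, j1) of Definition 6
    (rows are 0-indexed here, while the definition counts them from 1)."""
    runs = []
    for i, row in enumerate(E):
        j = 0
        while j < len(row):
            if row[j] == 1:
                j0 = j
                while j < len(row) and row[j] == 1:
                    j += 1
                runs.append((i, j0, j - 1))
            else:
                j += 1
    return runs

def is_supported(E, run):
    """A run is supported if E has a 1 strictly above-left (northwest) and a 1 strictly
    below-left (southwest) of the run's leading entry e_{i, j0}."""
    i, j0, _ = run
    northwest = any(E[r][c] == 1 for r in range(i) for c in range(j0))
    southwest = any(E[r][c] == 1 for r in range(i + 1, len(E)) for c in range(j0))
    return northwest and southwest

def theorem_3_applies(E):
    """True when Theorem 3 guarantees a unique solution: (1) holds and no supported
    1-sequence has odd length."""
    return condition_1(E) and not any(is_supported(E, run) and (run[2] - run[1] + 1) % 2 == 1
                                       for run in one_sequences(E))

# Constructed matrices.  E_OK is the matrix of Appendix C: shareholders (1,0), (2,1), (3,2).
E_OK = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]
# No level-0 shareholder, i.e. no 1 in column 0: condition (1) already fails for k = 0.
E_NO_TOP = [[0, 1, 0], [0, 1, 0], [0, 0, 1]]
# f at two points and f' at a point between them: (1) holds, but the run in row 1 is
# supported and of odd length, so Theorem 3 gives no guarantee (with the points x = 1, 2, 3
# the system is in fact singular, which is what the condition protects against).
E_SUPPORTED = [[1, 0, 0], [0, 1, 0], [1, 0, 0]]
```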

B Security Analysis

Conjunctive secret sharing was introduced by Tassa in [22] and has been proven ideal, perfectly secure, and accessible. We argue that the algorithms \(\mathsf {Add}\) and \(\mathsf {Reset}\) we introduced enhance the protocol and do not affect the properties and the security of the original conjunctive secret sharing scheme. To prove that, we first give a high-level idea of the proof of perfect security and accessibility of Tassa’s conjunctive secret sharing scheme. Then, we show that our dynamic hierarchical secret sharing scheme maintains perfect security and accessibility. Furthermore, it is possible to cope with malicious dealers and shareholders by including a verification protocol in the algorithms \(\mathsf {Share}, \mathsf {Add}, \mathsf {Reset},\) and \(\mathsf {Reconstruct}\). If Pedersen commitments are used in the verification protocol, unconditional hidingness is maintained while bindingness can only be achieved computationally. Feldman commitments instead ensure unconditional bindingness, i.e. the correctness of the shares can be guaranteed, but at the expense of providing only computational hidingness for the shares. Thus, the latter solution is not suitable if data is processed for which long-term or even everlasting confidentiality is required. Similarly, it can be proven that \(\mathsf {Add}\) and \(\mathsf {Reset}\) also maintain the properties of disjunctive secret sharing. However, for readability, in the following we focus on conjunctive secret sharing only.

Roughly speaking, reconstructing a distributed message amounts to finding the solution of the Birkhoff interpolation problem for a polynomial \(f(x)= a_0 + a_1x + a_2x^2+ \dots + a_{t-1}x^{t-1}\). Tassa therefore proved the security of his approach by showing that authorized sets of shareholders \(A \in \varGamma \) lead to interpolation matrices E for which the Birkhoff interpolation problem is well posed; thus, accessibility is provided. Furthermore, any unauthorized set of shareholders \(U \notin \varGamma \) leads to an unsolvable system, which proves perfect security.

The introduction of the protocols \(\mathsf {Add}\) and \(\mathsf {Reset}\), which make the Birkhoff interpolation based secret sharing scheme dynamic, does not affect these properties. First, we show that accessibility and perfect security are provided if all shareholders act honestly. This corresponds to the setting of Tassa’s security proof. Second, we prove that our scheme even provides verifiability, i.e. it can cope with malicious dealers and shareholders.

Theorem 5

The dynamic secret sharing scheme composed of the protocols \(\mathsf {Share}\), \(\mathsf {Add}\), \(\mathsf {Reset}\), and \(\mathsf {Reconstruct}\) described in Sect. 5.2 is accessible and perfectly secure according to Definition 2.

Proof

The proof for the algorithms \(\mathsf {Share}\) and \(\mathsf {Reconstruct}\) follows from Tassa’s security proof. The algorithms \(\mathsf {Add}\) and \(\mathsf {Reset}\) are discussed individually in the following.  

Add:

If the shareholders follow the protocol correctly, then all shareholders, i.e. the old set of shareholders together with the new shareholder, only hold shares of the polynomial \(f(x)= a_0 + a_1x + a_2x^2+ \dots + a_{t-1}x^{t-1}\) or of one of its derivatives. This prevents unauthorized subsets from reconstructing the message, meaning that perfect security is achieved. However, the share \({\sigma }_{i',j'}\) for the new shareholder \(s_{i',j'}\) is generated by the old shareholders in a distributed fashion. More precisely, each old shareholder uses its share to generate a piece of information from which the new shareholder \(s_{i',j'}\) can compute its own share \({\sigma }_{i',j'}\). Therefore, what is left to show is that no information about the other shares is leaked during the generation of the share \({\sigma }_{i',j'}\). To compute the share of a new shareholder \(s_{i',j'}\), each shareholder \(s_l \in A\) of an authorized subset \(A \in \varGamma \) computes \(f^{j'}_{l}(i')\), where \(f^{j'}_{l}(x)\) is the \(j'\)-th derivative of the polynomial \(f_l(x)\). Note that this value leaks information about the share of \(s_l\), since \(f^{j'}_{l}(i') = {\sigma }_{l} \sum _{k=j'}^{t-1} \frac{k!}{(k-j')!} \frac{(-1)^{l-1+k}\det (A_{l-1,k}(E,X,\varphi ))}{\det (A(E,X, \varphi ))} {i'}^{k-j'}\) and the latter factor \(\sum _{k=j'}^{t-1} \frac{k!}{(k-j')!} \frac{(-1)^{l-1+k}\det (A_{l-1,k}(E,X,\varphi ))}{\det (A(E,X, \varphi ))} {i'}^{k-j'}\) can be computed from public information. Thus, \(s_l\) generates shares of this value using an additive secret sharing scheme [7], i.e. it chooses values \({\delta }_{k,l}\) with \(f^{j'}_{l}(i')=\sum _{k, s_k \in A}{\delta }_{k,l}\), and sends \({\delta }_{k,l}\) to shareholder \(s_k \in A\). Each shareholder \(s_l\) then adds all subshares received from the other shareholders, i.e. \(\delta _l=\sum _{k, s_k \in A}{\delta _{l,k}}\), and forwards only the result \(\delta _l\) to the new shareholder.
Due to the use of the additive secret sharing scheme, perfect security of all shares remains preserved. Since \(\sum _{l, s_l \in A}\delta _l=\sum _{l, s_l \in A}\sum _{k, s_k \in A}{\delta }_{l,k}= \sum _{k, s_k \in A}\sum _{l, s_l \in A}{\delta }_{l,k}= \sum _{k, s_k \in A}f^{j'}_{k}(i')=f^{j'}(i')\), accessibility is provided as well. This ensures that the new shareholder, together with the other shareholders, holds a point of the polynomial f(x) or of one of its derivatives, and that authorized subsets including the new shareholder can reconstruct the message.

Reset:

In this algorithm each shareholder \(s_l \in A\) of an authorized subset \(A \in \varGamma \) uses hierarchical secret sharing to distribute its share to a new set of shareholders. More precisely, it computes its partial Birkhoff interpolation coefficient

$$\begin{aligned} a_{l,0}:= {\sigma }_{l} (-1)^{l-1}\frac{\det (A_{l-1,0}(E,X, {\varphi }))}{\det (A(E,X, \varphi ))} \end{aligned}$$

of the coefficient \(a_0\) and then chooses a polynomial \(f'_l(x)= a'_{l,0}+ a'_{l,1}x + a'_{l,2}x^2+ \dots + a'_{l,t'-1}x^{t'-1}\) with \(a'_{l,0}=a_{l,0}\), i.e. containing this value as its free coefficient. In this way, shares of shares are sent to the new shareholders, since each of them receives only one point of this polynomial or of one of its derivatives. Therefore, perfect security follows from the perfect security of conjunctive secret sharing. Furthermore, \(s_l\) computes the value to be sent to a new shareholder in accordance with the new access structure and the IDs assigned to each new shareholder. Thus, any unauthorized subset \(U \notin \varGamma \) cannot reconstruct the message and perfect security is provided. Accessibility of this protocol follows from the homomorphic property of polynomials. More precisely, each new shareholder \(s_{i,j}\) receives from each old shareholder \(s_l\) the share \({f'}^{j}_l(i)\) of the polynomial \(f'_l(x)= a'_{l,0}+ a'_{l,1}x + a'_{l,2}x^2+ \dots + a'_{l,t'-1}x^{t'-1}\), where \(a'_{l,0}=a_{l,0}\) is the partial Birkhoff interpolation coefficient of \(a_0\). Since the new shareholder adds all shares received to compute its new share, it holds a point of the polynomial \(f'(x)=\) \(\sum _{l, s_l \in A}f'_l(x)\) \(= \sum _{l, s_l \in A} (a'_{l,0} + a'_{l,1}x + \dots + a'_{l,t'-1}x^{t'-1})\) \(= \sum _{l, s_l \in A} a'_{l,0} + \big(\sum _{l, s_l \in A} a'_{l,1}\big)x + \dots + \big(\sum _{l, s_l \in A} a'_{l,t'-1}\big)x^{t'-1} = a_0 + \big(\sum _{l, s_l \in A} a'_{l,1}\big)x + \dots + \big(\sum _{l, s_l \in A} a'_{l,t'-1}\big)x^{t'-1}\) or of one of its derivatives. So the free coefficient of \(f'(x)\) is still \(a_0\), meaning that any authorized subset of the new access structure is still able to retrieve the message \(a_0=m\).

Next we show that our verifiable and dynamic hierarchical secret sharing scheme indeed provides verifiability. For this we assume a majority of trustworthy shareholders within an authorized subset. This assumption can be weakened by letting all shareholders participate in the \(\mathsf {Add}\) and \(\mathsf {Reset}\) algorithms and choosing an authorized subset among the majority. This majority can be identified during \(\mathsf {Add}\) by checking who reports the same set of commitments to the function f(x), and during \(\mathsf {Reset}\) by checking who reports the same commitment \(c_0\) to the free coefficient of f(x). Note that the presence of a majority of trustworthy shareholders is a common assumption of classical secret sharing schemes that allow access structures to be reset, e.g. [12].

Theorem 6

In the presence of a majority of trustworthy shareholders within an authorized subset the verifiable and dynamic secret sharing scheme composed of the protocols \(\mathsf {Share}\), \(\mathsf {Add}\), \(\mathsf {Reset}\), and \(\mathsf {Reconstruct}\) described in Sect. 5.2 is a verifiable secret sharing scheme according to Definition 3.

Proof

To prove that each authorized subset of shareholders \(A \in \varGamma \) reconstructs the same message \(a_0=m\), each shareholder must hold a point of the to-be-found polynomial \(f(x)= a_0 + a_1x + a_2x^2 + \dots + a_{t-1}x^{t-1}\) or of one of its derivatives. Furthermore, each shareholder must hold the point assigned to its ID \((i,j) \in \mathcal {I} \times \mathcal {I}\), i.e. it must receive the share \(\sigma _{i,j}=f^{j}(i)\), where \(f^{j}(x)\) is the j-th derivative of the polynomial f(x). In the following we show for each algorithm that generates shares, i.e. \(\mathsf {Share}\), \(\mathsf {Add}\), and \(\mathsf {Reset}\), that the shareholders receiving these shares are able to verify these conditions.

Share:

During this algorithm the dealer commits to each coefficient \(a_k\) of \(f(x)= a_0 + a_1x + a_2x^2 +\dots + a_{t-1}x^{t-1}\) by computing a commitment \(c_k:= g^{a_k} \mod p\), for \(k=0, \dots , t-1\). It broadcasts the commitments and sends each share \({\sigma }_{i,j}\) to shareholder \(s_{i,j} \in L_h\), for \(i=1, \dots , n_h\) and \(h=0, \dots , \ell \). Shareholder \(s_{i,j}\) accepts \(\sigma _{i,j}\) only if the following equation holds

$$\begin{aligned} g^{\sigma _{i,j}}\equiv \prod _{k=j}^{t-1}c_k^{\frac{k!}{(k-j)!}i^{k-j}}=g^{f^{j}(i)}. \end{aligned}$$

From this it follows directly that incorrect shares can be detected and rejected.

Add:

During this algorithm the shareholders \(s_l \in A\) of an authorized subset \(A \in \varGamma \) compute share \(\sigma _{i',j'}\) for a new shareholder \(s_{i',j'} \in S\) in distributed fashion. Furthermore, each shareholder broadcasts the commitments to the coefficients \(c_k:= g^{a_k} \mod p\), for \(k=0, \ldots , t-1\) received from the dealer. Under the assumption that at least a majority of these shareholders is honest the new shareholder has access to a correct set of commitments and can verify whether

$$\begin{aligned} g^{\sigma _{i',j'}}\equiv \prod _{k=j'}^{t-1}c_k^{\frac{k!}{(k-j')!}{i'}^{k-j'}}=g^{f^{j'}(i')}. \end{aligned}$$

From this it follows directly that incorrect shares can be detected and rejected.

Reset:

During this algorithm the shareholders \(s_l \in A\) of an authorized subset \(A \in \varGamma \) compute shares for a set of new shareholders \(S'= \{s_1',\ldots , s'_{n'} \}\), each accompanied by a unique ID \((i',j') \in \mathcal {I} \times \mathcal {I}\), and an access structure \(\varGamma ' \subset \mathcal{{P}}(S')\). As for the other algorithms, it has to be checked that the share \({\sigma }_{i',j'}\) for the shareholder \(s'_{i',j'} \in S'\) with ID \((i',j') \in \mathcal {I} \times \mathcal {I}\) is computed as \(f'^{j'}(i')\). However, this algorithm has an additional requirement for correctness: the free coefficient of the to-be-found polynomial must be equal to the message m distributed by the dealer. To verify the first condition, each shareholder \(s_{i',j'}\) of the new access structure checks

$$\begin{aligned} g^{\sigma _{l,i',j'}}\equiv \prod _{k=j'}^{t'-1}{c'_{l,k}}^{\frac{k!}{(k-j')!}{i'}^{k-j'}}=g^{f'^{j'}_l(i')}, \; \text {for} \; s_l \in A, \end{aligned}$$

for each share \(\sigma _{l,i',j'}\) received from shareholder l of the old set of shareholders. Finally, it checks that the sum of all shares is a point of a polynomial with free coefficient \(a_0=m\). This can be verified by multiplying all commitments to the individual free coefficients, i.e.

$$\begin{aligned} c_0 \equiv \prod _{l, s_l \in A}c'_{l,0}=\prod _{l, s_l \in A}g^{a_{l,0}}=g^{a_0}=g^m. \end{aligned}$$

Under the assumption that a majority of the old shareholders sent the correct commitments, incorrect shares can be detected.

Note that our scheme is also ideal. This follows from the fact that each shareholder \(s_i \in R\) receives a share \({\sigma }_{i,j} \in \mathbb {F}_q\) that is an element of the same field as the message \(m \in \mathbb {F}_q\).
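The Feldman-style checks of this appendix worked through in code: the share check of Share (the Add check is the same equation evaluated at the new ID \((i',j')\)) and the two-part Reset check ending with the product of the \(c'_{l,0}\). This is an added example, not the paper's code; the toy group parameters p = 47, q = 23, g = 2, the polynomial of Appendix C and the partial coefficients of the Reset scenario are constructed assumptions.

```python
from math import factorial

# Constructed toy parameters (assumption): shares live in F_q with q = 23; commitments live
# in the order-q subgroup of Z_p^* with p = 2q + 1 = 47, generated by g = 2.
P, Q, G = 47, 23, 2

def poly_derivative(coeffs, j):
    """Coefficients of the j-th derivative of f(x) = sum_k coeffs[k] x^k."""
    return [factorial(k) // factorial(k - j) * coeffs[k] for k in range(j, len(coeffs))]

def share_for(coeffs, i, j):
    """sigma_{i,j} = f^{(j)}(i) over F_q, the share of the shareholder with ID (i, j)."""
    return sum(c * pow(i, k, Q) for k, c in enumerate(poly_derivative(coeffs, j))) % Q

def commit(coeffs):
    """Dealer's broadcast commitments c_k = g^{a_k} mod p, one per coefficient of f."""
    return [pow(G, a % Q, P) for a in coeffs]

def verify_share(sigma, i, j, commitments):
    """Share/Add check: g^sigma == prod_{k>=j} c_k^{k!/(k-j)! i^{k-j}}, i.e. g^{f^{(j)}(i)}."""
    rhs = 1
    for k in range(j, len(commitments)):
        exponent = factorial(k) // factorial(k - j) * pow(i, k - j, Q) % Q
        rhs = rhs * pow(commitments[k], exponent, P) % P
    return pow(G, sigma, P) == rhs

def verify_reset(i, j, c0, received):
    """Reset check run by the new shareholder with ID (i, j).  `received` holds, per old
    shareholder l, its piece sigma_{l,i,j} and its commitments c'_l to f'_l.  Every piece
    must verify against c'_l, and prod_l c'_{l,0} must equal the dealer's original
    c_0 = g^m, so that the free coefficient of the summed polynomial f' is still m."""
    if not all(verify_share(piece, i, j, c_l) for piece, c_l in received):
        return False
    product = 1
    for _, c_l in received:
        product = product * c_l[0] % P
    return product == c0

# Constructed instance from Appendix C: f(x) = 2 + 3x + x^2, message m = 2.
F = [2, 3, 1]
COMMITMENTS = commit(F)

def share_checks():
    """Honest shares of (1,0), (2,1), (3,2) verify; a tampered share for (2,1) does not."""
    honest = all(verify_share(share_for(F, i, j), i, j, COMMITMENTS)
                 for (i, j) in [(1, 0), (2, 1), (3, 2)])
    tampered = verify_share((share_for(F, 2, 1) + 1) % Q, 2, 1, COMMITMENTS)
    return honest, tampered

# Constructed Reset: three old shareholders hold partial coefficients a_{l,0} = 9, 15, 1
# (summing to m = 2 mod 23; in the protocol they come from the Birkhoff formula), pick
# polynomials f'_l with those free coefficients and re-share them to new shareholder (2, 1).
PARTIALS = [[9, 4, 10], [15, 0, 7], [1, 20, 2]]

def reset_checks():
    """An honest Reset verifies.  If one old shareholder uses a wrong free coefficient, every
    piece still verifies on its own, but the product of the c'_{l,0} no longer equals c_0."""
    def pieces(polys):
        return [(share_for(f_l, 2, 1), commit(f_l)) for f_l in polys]
    honest = verify_reset(2, 1, COMMITMENTS[0], pieces(PARTIALS))
    cheated = verify_reset(2, 1, COMMITMENTS[0], pieces([[9, 4, 10], [15, 0, 7], [5, 20, 2]]))
    return honest, cheated
```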

C Example of Tassa’s Hierarchical Secret Sharing

In the following, an example explaining how Tassa’s hierarchical secret sharing scheme [22] works is provided. More precisely, we show a numerical instantiation of the algorithms \(\mathsf {Share}\) and \(\mathsf {Reconstruct}\) described in Definition 5 for conjunctive secret sharing. Note that all computations are performed over a finite field \(\mathbb {F}_q\) for a very large prime q; since all values computed are smaller than q, we omit the modulo operation.

\(\mathsf {Share.}\) Let us assume a hierarchy composed of three levels \(L_0, L_1, L_2\) (where \(L_0\) is the highest level and \(L_2\) is the lowest level) and thresholds \(t_0=1, t_1=2, t_2=3\). Furthermore, let us assume the set S is composed of \(n=6\) shareholders. More precisely, one shareholder \(s_{1,0}\) is assigned to level \(L_0\), two shareholders \(s_{1,1}, s_{2,1}\) are assigned to level \(L_1\), and three shareholders \(s_{1,2}, s_{2,2}\), and \(s_{3,2}\) are assigned to level \(L_2\). Finally, let us assume that a dealer wants to secretly share the message \(m:=2\). Denoting \(t:=t_2\), the dealer selects a polynomial \(f(x)=a_0+a_1x+a_2x^2\) of degree \(t-1\), setting \(a_0:=2\) and choosing the remaining two coefficients \(a_1,a_2\) uniformly at random, e.g. \(a_1=3, a_2=1\), so that \(f(x)=2+3x+x^2\). The shares are computed as points on f(x) or on one of its derivatives \(f'(x)=3+2x\) or \(f''(x)=2\). With respect to level \(L_0\), shareholder \(s_{1,0}\) gets share \({\sigma }_{1,0}= f(1)=6\). With respect to level \(L_1\), shareholder \(s_{1,1}\) gets share \({\sigma }_{1,1}= f'(1)=5\) and shareholder \(s_{2,1}\) gets share \({\sigma }_{2,1}=f'(2)=7\). With respect to level \(L_2\), shareholder \(s_{1,2}\) gets share \({\sigma }_{1,2}=f''(1)=2\), shareholder \(s_{2,2}\) gets share \({\sigma }_{2,2}=f''(2)=2\), and \(s_{3,2}\) gets share \({\sigma }_{3,2}=f''(3)=2\).

\(\mathsf {Reconstruct.}\) For conjunctive secret sharing, the thresholds \(0<t_0<t_1<t_2\) have to be considered as a chain. More precisely, the access structure defined is such that the message can be retrieved if at least \(t_2=3\) shareholders in total collaborate, at least \(t_1=2\) of them belong to level \(L_1\) or \(L_0\), and at least \(t_0=1\) of them belong to level \(L_0\). Without loss of generality, let us assume that the shareholders collaborating are \(s_{1,0}, s_{2,1}\), and \(s_{3,2}\). The access structure is satisfied because the corresponding interpolation matrix

$$\begin{aligned} E= \begin{pmatrix} 1 & 0 & 0 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \end{pmatrix} \end{aligned}$$

leads to a Birkhoff interpolation problem with unique solution (see Appendix A). The message \(m=2\) can be retrieved as follows:

  1. the set containing the coordinates of E in lexicographic order is \(I(E)= \{(1,0), (2,1), (3,2)\}\) and the column containing the shares in lexicographic order is \((6,7,2)^{t}\);

  2. the vector of the functions involved is \(\varphi = \{1,x,x^2\}\);

  3. the matrices involved in Birkhoff’s reconstruction formula are:

     $$\begin{aligned} A(E,X, \varphi )&= \begin{pmatrix} 1 & 1 & 1 \\ 0 & 1 & 4 \\ 0 & 0 & 2 \end{pmatrix}, \qquad A(E,X, {\varphi }_0)= \begin{pmatrix} 6 & 1 & 1 \\ 7 & 1 & 4 \\ 2 & 0 & 2 \end{pmatrix},\\ A(E,X, {\varphi }_1)&= \begin{pmatrix} 1 & 6 & 1 \\ 0 & 7 & 4 \\ 0 & 2 & 2 \end{pmatrix}, \qquad A(E,X, {\varphi }_2)= \begin{pmatrix} 1 & 1 & 6 \\ 0 & 1 & 7 \\ 0 & 0 & 2 \end{pmatrix}; \end{aligned}$$

  4. the determinants are \(\det (A(E,X,{\varphi }))= 2\), \(\det (A(E,X,{\varphi }_0))= 4\), \(\det (A(E,X,{\varphi }_1))= 6\) and \(\det (A(E,X,{\varphi }_2))=2\), respectively;

  5. applying Birkhoff’s reconstruction formula, the coefficients \(a_0,a_1,a_2\) of the polynomial f(x) are computed as:

     $$\begin{aligned} a_0 &= \frac{\det (A(E,X,{\varphi }_0))}{\det (A(E,X,{\varphi }))}= \frac{4}{2}=2, \qquad a_1= \frac{\det (A(E,X,{\varphi }_1))}{\det (A(E,X,{\varphi }))} = \frac{6}{2}=3,\\ a_2 &= \frac{\det (A(E,X,{\varphi }_2))}{\det (A(E,X,{\varphi }))}= \frac{2}{2}=1; \end{aligned}$$

  6. the polynomial reconstructed is exactly \(f(x)=2+3x+x^2\) and the secret is retrieved as \(f(0)=a_0=2\).
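The computation of Appendix C carried out in code over \(\mathbb {F}_q\), extended with the partial polynomials \(f_l\) of Appendix B and the Add share derived from them, so it also covers the distributed share generation of the Add proof (without the additive masking step). This is an added example, not the paper's code; the modulus Q, the function names and the collaborating subsets are my assumptions.

```python
from math import factorial

# Q stands in for the "very large prime q" of Appendix C (assumption); all values here stay
# far below it, so the results coincide with the integer computation in the text.
Q = (1 << 61) - 1

def birkhoff_row(i, j, t, q=Q):
    """Row of A(E, X, phi) for ID (i, j): the j-th derivative of 1, x, ..., x^{t-1} at x = i."""
    return [factorial(k) // factorial(k - j) * pow(i, k - j, q) % q if k >= j else 0
            for k in range(t)]

def share(coeffs, ids, q=Q):
    """Share: s_{i,j} receives sigma_{i,j} = f^{(j)}(i), the row of (i, j) dotted with (a_0..a_{t-1})."""
    t = len(coeffs)
    return {(i, j): sum(r * a for r, a in zip(birkhoff_row(i, j, t, q), coeffs)) % q
            for (i, j) in ids}

def det_mod(matrix, q=Q):
    """Determinant over F_q by Gaussian elimination on a copy of the matrix."""
    m = [row[:] for row in matrix]
    n, det = len(m), 1
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] % q), None)
        if pivot is None:
            return 0
        if pivot != col:
            m[col], m[pivot] = m[pivot], m[col]
            det = -det
        det = det * m[col][col] % q
        inv = pow(m[col][col], q - 2, q)
        for r in range(col + 1, n):
            factor = m[r][col] * inv % q
            m[r] = [(a - factor * b) % q for a, b in zip(m[r], m[col])]
    return det % q

def minor(matrix, row, col):
    """Matrix with the given row and column removed (A_{row,col} in the text)."""
    return [r[:col] + r[col + 1:] for idx, r in enumerate(matrix) if idx != row]

def reconstruct(shares, q=Q):
    """Reconstruct: a_k = det(A(E,X,phi_k)) / det(A(E,X,phi)) from exactly t shares.
    Returns the coefficients of f, or None when the interpolation matrix is singular,
    i.e. the collaborating subset is not authorized (or its identities are degenerate)."""
    ids = sorted(shares)  # lexicographic order, as in Appendix C
    t = len(ids)
    A = [birkhoff_row(i, j, t, q) for (i, j) in ids]
    sigma = [shares[k] for k in ids]
    d = det_mod(A, q)
    if d == 0:
        return None
    inv_d = pow(d, q - 2, q)
    return [det_mod([row[:k] + [s] + row[k + 1:] for row, s in zip(A, sigma)], q) * inv_d % q
            for k in range(t)]

def partial_polynomials(shares, q=Q):
    """Appendix B: the l-th shareholder's partial coefficients a_{l,k} = sigma_l (-1)^{l+k}
    det(A_{l,k}) / det(A) (l counted from 0 here), so that sum_l f_l = f.  Used by Add and
    Reset; assumes the shares come from an authorized subset (det(A) != 0)."""
    ids = sorted(shares)
    t = len(ids)
    A = [birkhoff_row(i, j, t, q) for (i, j) in ids]
    inv_d = pow(det_mod(A, q), q - 2, q)
    return [[shares[ids[l]] * (-1) ** (l + k) * det_mod(minor(A, l, k), q) * inv_d % q
             for k in range(t)] for l in range(t)]

def add_share(shares, new_i, new_j, q=Q):
    """Add: sigma_{i',j'} = sum_l f_l^{(j')}(i'), computed from the partial polynomials; the
    additive re-sharing that hides each f_l^{(j')}(i') from the other shareholders is omitted."""
    row = birkhoff_row(new_i, new_j, len(shares), q)
    return sum(sum(r * a for r, a in zip(row, f_l)) for f_l in partial_polynomials(shares, q)) % q

# Constructed instance from Appendix C: f(x) = 2 + 3x + x^2 shared to the six shareholders.
F = [2, 3, 1]
SHARES = share(F, [(1, 0), (1, 1), (2, 1), (1, 2), (2, 2), (3, 2)])

def subset(ids):
    """Shares of a collaborating subset, keyed by ID."""
    return {k: SHARES[k] for k in ids}
```

`reconstruct(subset([(1, 0), (2, 1), (3, 2)]))` returns `[2, 3, 1]`, while a subset without a level-0 shareholder, e.g. `[(1, 1), (2, 1), (1, 2)]`, yields a singular matrix and `None`.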

Copyright information

© 2016 Springer International Publishing AG

Cite this paper

Traverso, G., Demirel, D., Buchmann, J. (2016). Dynamic and Verifiable Hierarchical Secret Sharing. In: Nascimento, A., Barreto, P. (eds) Information Theoretic Security. ICITS 2016. Lecture Notes in Computer Science, vol 10015. Springer, Cham. https://doi.org/10.1007/978-3-319-49175-2_2

  • DOI: https://doi.org/10.1007/978-3-319-49175-2_2
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-49174-5
  • Online ISBN: 978-3-319-49175-2