Verifiable Secret Sharing Scheme Based on Certain Projective Transformation ()
1. Introduction
Secret sharing is a method proposed to solve the problem of key management. It is mainly used to prevent important information from being lost, destroyed, changed or falling into the wrong hands. It is an important subject in information security and cryptography. It is widely used in data management, financial network, e-commerce, e-government and many other fields [1] [2]. The basic idea of secret sharing is to share the master key in a group of participants, which enables members of the authorized subset of participants to recover the master key through the subkey they get, while members of any participant’s unauthorized subset cannot recover the master key through the subkey they get.
As early as 1979, Shamir [3] and Blakley [4] proposed
-threshold secret sharing scheme respectively. The algorithm given by Shamir system is based on polynomial interpolation, while Blakley system is based on finite geometry. The
-threshold secret sharing scheme requires that any
or more than
members of
participants cooperate to derive the master key, while no
members cooperate to derive the master key. After these two masters, more secret sharing schemes have been proposed one after another, which are constructed by using mathematical knowledge and methods in different fields. For example, Article [5] uses Reed-Solomon code to construct secret sharing scheme, Article [6] uses Chinese Remainder Theorem to construct secret sharing scheme, Article [7] uses matrix operation on finite field to construct secret sharing scheme, Article [8] uses one-way function to construct secret sharing scheme, Article [9] uses vector space to construct secret sharing scheme, etc. Especially in recent years, people have made some gratifying achievements in the design and research of more complex secret sharing schemes [10] [11] [12] [13]. It should be pointed out that there may be dishonest participants in the actual use of these schemes. In view of how to effectively prevent fraud, many authors have conducted in-depth research on them. In Article [14] - [22], different schemes of secret sharing that can prevent fraud are proposed respectively.
However, none of the schemes mentioned above gives the probability of successful fraud accurately. Moreover, some schemes are complex in design, lack of intuition and conciseness, and fail to grasp the design principles of secret sharing schemes. The design principle of secret sharing scheme is not only to ensure its correctness, but also to pay attention to its security and effectiveness. According to this principle, this paper designs a kind of secret sharing scheme based on certain projective transformation. This scheme uses the special projective transformation in projective space to build the relationship between the master key and the subkey, so that the dealer (that is, the subkey distributor) can find the subkey through the master key to distribute the participants. Members of the authorized subset can gather their subkeys to find the relationship between the components of the shadow subkey vector, and recover the shadow subkey together with the residual vector of the intersecting line equations formed by the projection plane of the shadow subkey point in the space, so as to synthesize the master key. The secret sharing scheme designed in this way accords with the idea of
-threshold secret sharing, which is simple, intuitive, practical and easy to implement.
Organization of this paper is as follows. We introduce related definitions and preliminaries in Section 2. In Section 3, we propose our construction by using certain projective transformation method. Section 4 describes our security analysis and effectiveness analysis respectively. We draw the conclusion in Section 5.
2. Definitions and Preliminaries
If the projective plane is extended to the
-dimensional projective space and the infinite point is regarded as a common point, then according to the projective coordinate system established in Article [23], we can get the
-dimensional projective coordinate system
.
Definition 1. Under the projective coordinate system
, let the coordinate of point
be
and the coordinate of point
be
in the
-dimensional projective space. If the transformation from point
to point
is
, (1)
Then
is called a projective transformation in the
-dimensional projective space, where
is called the transformation matrix of
.
Because of
, the projective transformation
has inverse transformation, that is
(2)
Under projective transformation
, if the coordinates of the original image point
are known, then the coordinates of the unique image point
can be obtained; conversely, if the coordinates of the image point
are known, then the coordinates of the unique original image point
can also be obtained.
Let
(3)
be the equations of
hyperplanes which are not parallel to each other in the
-dimensional projective space. It means that the vector group composed of the normal vectors
of these hyperplanes is linearly independent, so the intersecting line of these hyperplanes is unique, and the system of equations about the unknown number
is
(4)
Since the determinant
of coefficient matrix
of this system of equations is not equal to zero, it can be seen from Gramer’s law that the system of Equations (4) can be reduced to
(5)
Equation (5) is the system of hyperplane intersecting line Equations (3), which consists of
equations.
Definition 2. The system of equations composed of any
equations in the system of hyperplane intersecting line Equations (5) is called a
-residue of the system of this intersecting line equations, which can be expressed as
(6)
where
.
Obviously,
-residue is determined by the constant
, we call the vector
composed of these constants the corresponding
-residual vector. There are
-residues in a
system of hyperplane intersecting line equations.
For the convenience of this study, we might as well take the permutation
, that is, the
–residue is
(7)
the corresponding residual vector is
.
For the
-dimensional projective space, under the given projective coordinate system
, let the plane coordinate of hyperplane
be
, and the point coordinate of space point
be
, using the combination sign
, we analyze the geometric meaning of the following formula
(8)
If
is regarded as a definite array and
as a variable array, then formula (8) represents the algebraic condition of the motion of moving point
on the definite hyperplane
, and formula (8) is the equation of hyperplane
. On the contrary, If
is regarded as a definite array and
as a variable array, then formula (8) represents the algebraic condition of the rotation of the moving hyperplane
through the fixed point
, at this time, formula (8) is the equation of point
, that is, the equation of the hyperplane bundle with
as its center. It can be seen that formula (7) as
-residue is a part of hyperplane bundle equation of passing point
.
Let
be prime number and
be the original root of
, that is,
generates all values from 1 to
under module
. Since
, and the necessary and sufficient condition of
(where
denotes congruence with respect to prime number
) is
, there is a unique
for any
that makes
hold,
is called the discrete logarithm of
with
as the base under module
. The so-called discrete logarithm problem is such a mathematical problem: when
is a large prime number, given the integer
, it is easy to calculate
; on the contrary, given the integer
, it is very difficult to calculate the integer
, which makes
hold.
We know that if
is an
-order matrix, let
any
-row and
-column of
are taken, and
elements at the intersection of
-row and
-column form a
-order determinant in the original order, then this
-order determinant is a
-order minor of matrix.
Definition 3. Let
be a prime number,
be a
-element finite field, and
be a
-order matrix over
. If
and any
-order minor of
is not equal to zero, then matrix
is a nonzero
-submatrix.
When the transformation matrix
is a nonzero
-submatrix, the
corresponding projective transformation (1) is a special projective transformation. The scheme in this paper is based on this kind of projective transformation.
Theorem 1. Let
be prime,
be a
-element finite field, and the
-order matrix
over
be a nonzero
-submatrix, where
,
. If
is known in projective transformation (1), the coordinate
of point
can be determined by the
-residual vector
of the system of hyperplane intersecting line equations of any passing point
and projective transformation (1).
Proof. From projective transformation (1), the following system of equations can be obtained.
(9)
where
.
The coefficient matrix of the system of equations composed of
equations in front of the system of Equations (9) is
(10)
Because matrix
is a nonzero
-submatrix, so
. In the coefficient determinant
, let the algebraic cofactor of element
be
, let
, (11)
represent the determinant after the j-th column element in
is replaced, where
.
Calculate
(12)
(13)
from Gramer’s law.
Similarly, we can get
(14)
Put
into the next
equations in the system of Equations (9), and get the following system of equations about
after finishing.
(15)
It is known that the
-residue corresponding to the
-residual vector
is
(16)
The system of Equation (15) contains
equations and the system of Equations (16) contains
equations. Combining the system of Equations (15) with the system of Equations (16), a linear system of equations with
equations and
unknows
is obtained. Since the coefficient determinant
of this system of linear equations satisfies
, there is only one set of solutions for this system of linear equations. According to Gramer’s law,
can be obtained. Certificate completion.
If we change the condition “known
” of Theorem 1 to the more general condition “known
”, we can get the following more general theorem according to the similar proof method of Theorem 1.
Theorem 2. Let
be prime,
be a matrix
over
be a nonzero
-submatrix, where
,
. If
is known in projective transformation (1), the coordinat
of point
can be determined by the
-residual vector
of the system of hyperplane intersecting line equations of any passing point
and projective transformation (1).
3. Composition of the Scheme
Based on the one to one mapping of projective transformation and the difficulty of solving the discrete logarithm problem, this paper proposes a verifiable threshold secret sharing scheme. In this scheme, the dealer who distributes the subkey needs a bulletin board (BB). Only the dealer can modify and update the content on the BB, and others can only read or download it. This scheme is composed of two parts: the distribution phase of the subkey and the reconstruction phase of the master key.
3.1. Distribution of Subkeys
At the beginning of this stage, the dealer needs to publish some system parameters. He first takes a large prime number
, finds an original root
of the module
, let
be the finite field of the module
, the dealer takes a nonzero
-submatrix
over
, and then publishes
,
and
on the BB.
Let
and
be the set of
participants. The master key
is decomposed into
different shadow subkeys by the
dealer over
, i.e.
. Then, in the
-dimensional projective
space, the dealer calculates a
–residual vector
of the system of hyperplane intersecting line equations of space point
with coordinate
, publishes the
-residual vector
on the BB, and uses the projective inverse transformation (2) to find
.
The dealer distributes
as subkeys to participants
, calculates
, and publishes vector
as verification information on the BB.
3.2. Reconstruction of Master Key
When any
members
of
participants gather together to recover the master key
, they need to verify each other’s subkeys. First calculate
, then check whether the corresponding
on the BB and
are consistent. If they are consistent, the subkey submitted by members is true. Otherwise, if some submits a false subkey, the corresponding
and
are inconsistent.
The recovery process of the master key is shown below. Let’s set the transformation matrix to
. (17)
After the verification is passed, the
members calculate the following formula together
. (18)
By projective transformation (1), a system of equations about unknown subkeys owned by the rest members of the participant set is generated, that is.
(19)
This system of equations is considered to be composed of
equations with
unknowns
, by eliminating these
,
equations
about unknowns
can be obtained, where
. Combined with the
-residue (16) corresponding to the
-residual vector published on the BB, the following system of equations are formed,
(20)
It can be seen from Theorem 2 that the unique solution
can be obtained by solving this system of equations, and then the master key
can be recovered.
3.3. Give an Example
The implementation process of this scheme can be clearly shown by the following example.
In the initial stage, the dealer takes the prime number
, sets
as the finite field of module 11, the number of participants
, the threshold value
, and selects matrix
. (21)
It is proved that
and any 2-order minor of
is not equal to zero, so
is a nonzero 2-submatrix.
Set the master key
. In the subkey distribution stage, the dealer decomposes
into
over
and obtain shadow subkeygroup
. Then, the inverse projective transformation (2) is used for the following calculation.
. (22)
From the geometric meaning of point plane combination, the hyperplane beam equation with point
as the beam center is
. (23)
In formula (23), we take four linearly independent vectors about
, which are
,
,
,
respectively, and then we get a system of equations of hyperplane intersecting line passing through point
.
(24)
Take a 2-residue of this equations
(25)
its corresponding 2-residual vector is
.
We know that 2 is the original root of module 11. Take
and calculate
,
,
,
,
respectively, so as to construct the verification information vector
.
After the above preparations, the dealer distributes
,
,
,
,
as subkeys to five participants
,
,
,
,
, and publishes the prime number
, the original root
, the threshold value
, the transformation matrix
, the 2-residual vector
and the verification information vector
on the BB.
In the reconstruction phase of the master key, any three members of the five participants gather together. Let’s assume that
,
,
gather together. They first verify whether the key
,
,
they have taken out is true. They only need to calculate
,
,
separately and compare the calculation results with the corresponding components in the verification information vector
to see whether the three corresponding quantities are consistent. If the three corresponding quantities are all consistent, then
,
,
is true. If there is inconsistency, then the corresponding members provide false subkey.
In the case of verifying that all the subkeys provided are correct, these three people use projective transformation (1) to list the following matrix equation,
(26)
Turn (26) into a system of linear equations
(27)
After eliminating
,
from (27), we get the following system of equations about the unknown number
,
,
,
,
,
(28)
Combined with the 2-residual vector
on the BB extened system of Equations (28):
(29)
These three members solve the system of Equations (29), get
,
,
,
,
, and then calculate
to get the master key
.
4. Analysis of the Scheme
Under the premise that the dealer is reliable in subkey distribution, the following conclusions are drawn.
Theorem 3. The scheme is a complete secret sharing scheme, and the information rate can be up to 1.
Proof. Any
participants can establish a system of equations by presenting their subkeys. According to theorem 2. This system of equations can uniqely determine the coordinate
of shadow subkey point
. If less than
participants gather togetuer to provide their subkeys. The number of equations in the system of equations with structure (20) is less than the number
of the unknown number
, such a system of equations has numerous solutions, and it is difficult to find the shadow subkey point
. So less than
participants can not recover the master key. The information rate of a secret
sharing scheme is defined as
where
, and
is the set of all possible subkeys that the participant
may receive [24]. In this scheme, each participant only needs to save a subkey belonging to
, at this time, the information rate can reach the maximum value of 1. Certificate completion.
Theorem 4. The probability that the fraudster obtains the master key through public information is
.
Proof. According to the design requirements of the scheme, the public information that fraudsters can obtain includes
–order nonzero
-submatrix
, large prime number
and its original root
, verification vector
, and
-residual vector
. If a fraudster solves
, he will encounter a difficult discrete logarithm problem, If the fraudster passes the
–residual system of equation (16) corresponding to the
–residual vector, but the rank of the coefficient matrix of this system of equations is
, which is smaller than the number
of unknown numbers of the system of equations, then the fraudster cannot determin its unique solution. In conclusion, it is impossible for the fraudster to obtain the subkey of the participant, and thus the master key
. In this way, the only way for fraudsters to obtain the master key
is to guess randomly from
, according to the knowledge of probability theory, it can be considered that the master key
is selected with equal probability in
, so the probability of guess success is very small, which is
. Certificate completion.
In the practical scheme, the selected
is a large prime number and
is almost zero. According to Theorem 4, it is impossible to recover the master key
only through the information on the BB. In addition, the fraud detection of this scheme is based on the difficulty of discrete logarithm problem. Anyone can verify whether the subkey provided by himself or others is correct through the verification vector
, so this scheme is secure and antifraud.
When we analyze the efficiency of the scheme, we mainly depend on the number of power operations performed in the scheme. The less the number of power operations is, the higher the efficiency is. The design of this scheme is unique. In addition to the
power operations in the verification process, other calculations are mainly some basic linear operations, matrix operations and determinant operations. The performance of the main body of the scheme mainly depends on the calculation of the determinant, which is also very convenient. Moreover, Wiedemann [25] proposes a kind of determinant probability algorithm, which can effectively improve the calculation of the determinant over the finite field. The algorithm using Wiedemann’s will further improve the operation performance of this scheme.
5. Conclusion
Verifiable secret sharing scheme is an important part of secure cryptographic protocol and an effective method to solve the safe storage, legal recovery and utilization of important sensitive information. Therefore, the research on verifiable secret sharing and its application has an important theoretical and application value. Based on the projective transformation in
-dimensional projective space, a verifiable
-threshold secret sharing scheme is proposed by using the structure of solutions of linear equations and the difficulty of discrete logarithm problem. Each participant can verify the correctness of the subkey provided by other participants before the master key is restored. The scheme can effectively identify the fraudsters, and the fraudsters can only cheat by guessing. The probability of successful fraud is only
, and the maximum information rate of the scheme can be 1. Compared with the existing secret sharing scheme, the scheme has the advantages of exquisite design, small computation complexity and less secret information. The analysis shows that the scheme is a secure and effective scheme with practical application value. This scheme is based on the threshold access structure, how to use the idea of this paper to design its secure secret sharing scheme remains to be further explored.