Secret sharing using the Chinese remainder theorem

Secret sharing consists of recovering a secret SScript error: No such module "Check for unknown parameters". from a set of shares, each containing partial information about the secret. The Chinese remainder theorem (CRT) states that for a given system of simultaneous congruence equations, the solution is unique in some Z/nZScript error: No such module "Check for unknown parameters"., with n > 0Script error: No such module "Check for unknown parameters". under some appropriate conditions on the congruences. Secret sharing can thus use the CRT to produce the shares presented in the congruence equations and the secret could be recovered by solving the system of congruences to get the unique solution, which will be the secret to recover.

Secret sharing schemes: several types

Script error: No such module "Labelled list hatnote". There are several types of secret sharing schemes. The most basic types are the so-called threshold schemes, where only the cardinality of the set of shares matters. In other words, given a secret SScript error: No such module "Check for unknown parameters"., and nScript error: No such module "Check for unknown parameters". shares, any set of tScript error: No such module "Check for unknown parameters". shares is a set with the smallest cardinality from which the secret can be recovered, in the sense that any set of t − 1Script error: No such module "Check for unknown parameters". shares is not enough to give SScript error: No such module "Check for unknown parameters".. This is known as a threshold access structure. We call such schemes (t, n)Script error: No such module "Check for unknown parameters". threshold secret sharing schemes, or tScript error: No such module "Check for unknown parameters".-out-of-nScript error: No such module "Check for unknown parameters". scheme.

Threshold secret sharing schemes differ from one another by the method of generating the shares, starting from a certain secret. The first ones are Shamir's threshold secret sharing scheme, which is based on polynomial interpolation in order to find SScript error: No such module "Check for unknown parameters". from a given set of shares, and George Blakley's geometric secret sharing scheme, which uses geometric methods to recover the secret SScript error: No such module "Check for unknown parameters".. Threshold secret sharing schemes based on the CRT are due to Mignotte and Asmuth–Bloom, they use special sequences of integers along with the CRT.

Chinese remainder theorem

Script error: No such module "Labelled list hatnote". Let ${\displaystyle k⩾2,m_1,...,m_k⩾2}$, and ${\displaystyle b_1,...,b_k\in \mathbf{𝐙}}$. The system of congruences

${\displaystyle \{\begin{array}{ll}x\equiv & b_{1}mod{m}_1\\ & ⋮\\ x\equiv & b_{k}mod{m}_k\\ \end{array}}$

has solutions in ZScript error: No such module "Check for unknown parameters". if and only if ${\displaystyle b_i\equiv b_{j}mod(m_i,m_j)}$ for all ${\displaystyle 1⩽i,j⩽k}$, where ${\displaystyle (m_i,m_j)}$ denotes the greatest common divisor (GCD) of m_iScript error: No such module "Check for unknown parameters". and m_jScript error: No such module "Check for unknown parameters".. Furthermore, under these conditions, the system has a unique solution in Z/nZScript error: No such module "Check for unknown parameters". where ${\displaystyle n=[m_1,...,m_k]}$, which denotes the least common multiple (LCM) of ${\displaystyle m_1,...,m_k}$.

Secret sharing using the CRT

Since the Chinese remainder theorem provides us with a method to uniquely determine a number S modulo k-many relatively prime integers ${\displaystyle m_1,m_2,...,m_k}$, given that $S<{\prod }_{i=1}^k{m}_i$, then, the idea is to construct a scheme that will determine the secret SScript error: No such module "Check for unknown parameters". given any kScript error: No such module "Check for unknown parameters". shares (in this case, the remainder of SScript error: No such module "Check for unknown parameters". modulo each of the numbers m_iScript error: No such module "Check for unknown parameters".), but will not reveal the secret given less than kScript error: No such module "Check for unknown parameters". of such shares.

Ultimately, we choose nScript error: No such module "Check for unknown parameters". relatively prime integers ${\displaystyle m_1<m_2<...<m_n}$ such that SScript error: No such module "Check for unknown parameters". is smaller than the product of any choice of kScript error: No such module "Check for unknown parameters". of these integers, but at the same time is greater than any choice of k − 1Script error: No such module "Check for unknown parameters". of them. Then the shares ${\displaystyle s_1,s_2,...,s_n}$ are defined by ${\displaystyle s_i=Smod{m}_i}$ for ${\displaystyle i=1,2,...,n}$. In this manner, thanks to the CRT, we can uniquely determine SScript error: No such module "Check for unknown parameters". from any set of kScript error: No such module "Check for unknown parameters". or more shares, but not from less than kScript error: No such module "Check for unknown parameters".. This provides the so-called threshold access structure.

This condition on SScript error: No such module "Check for unknown parameters". can also be regarded as

${\displaystyle {\displaystyle \prod _{i=n-k+2}^n}{m}_i<S<{\displaystyle \prod _{i=1}^k}{m}_i.}$

Since SScript error: No such module "Check for unknown parameters". is smaller than the smallest product of kScript error: No such module "Check for unknown parameters". of the integers, it will be smaller than the product of any kScript error: No such module "Check for unknown parameters". of them. Also, being greater than the product of the greatest k − 1Script error: No such module "Check for unknown parameters". integers, it will be greater than the product of any k − 1Script error: No such module "Check for unknown parameters". of them.

There are two secret sharing schemes that utilize essentially this idea, the Mignotte and Asmuth–Bloom schemes, which are explained below.

Mignotte threshold secret sharing scheme

As said before, the Mignotte threshold secret sharing scheme uses, along with the CRT, special sequences of integers called the (k, n)Script error: No such module "Check for unknown parameters".-Mignotte sequences which consist of nScript error: No such module "Check for unknown parameters". integers, pairwise coprime, such that the product of the smallest kScript error: No such module "Check for unknown parameters". of them is greater than the product of the k − 1Script error: No such module "Check for unknown parameters". biggest ones. This condition is crucial because the scheme is built on choosing the secret as an integer between the two products, and this condition ensures that at least kScript error: No such module "Check for unknown parameters". shares are needed to fully recover the secret, no matter how they are chosen.

Formally, let 2 ≤ k ≤ nScript error: No such module "Check for unknown parameters". be integers. A (k, n)Script error: No such module "Check for unknown parameters".-Mignotte sequence is a strictly increasing sequence of positive integers ${\displaystyle m_1<\cdots <m_n}$, with ${\displaystyle (m_i,m_j)=1}$ for all 1 ≤ i < j ≤ nScript error: No such module "Check for unknown parameters"., such that ${\displaystyle m_{n-k+2}\cdots m_n<m_1\cdots m_k}$. Let ${\displaystyle \alpha =m_{n-k+2}\cdots m_n}$ and ${\displaystyle \beta =m_1\cdots m_k}$; we call the integers lying strictly between ${\displaystyle \alpha }$ and ${\displaystyle \beta }$ the authorized range. We build a (k, n)Script error: No such module "Check for unknown parameters".-threshold secret sharing scheme as follows: We choose the secret SScript error: No such module "Check for unknown parameters". as a random integer ${\displaystyle \alpha <S<\beta }$ in the authorized range. We compute, for every 1 ≤ i ≤ nScript error: No such module "Check for unknown parameters"., the reduction modulo m_iScript error: No such module "Check for unknown parameters". of SScript error: No such module "Check for unknown parameters". that we call s_iScript error: No such module "Check for unknown parameters"., these are the shares. Now, for any kScript error: No such module "Check for unknown parameters". different shares ${\displaystyle s_{i_1},\dots ,s_{i_k}}$, we consider the system of congruences:

${\displaystyle \{\begin{array}{ll}x\equiv & s_{i_1}mod{m}_{i_1}\\ & ⋮\\ x\equiv & s_{i_k}mod{m}_{i_k}\\ \end{array}}$

By the Chinese remainder theorem, since ${\displaystyle m_{i_1},\dots ,m_{i_k}}$ are pairwise coprime, the system has a unique solution modulo ${\displaystyle m_{i_1}\cdots m_{i_k}}$. By the construction of our shares, this solution is nothing but the secret SScript error: No such module "Check for unknown parameters". to recover.

Asmuth–Bloom threshold secret sharing scheme

This scheme also uses special sequences of integers. Let 2 ≤ k ≤ nScript error: No such module "Check for unknown parameters". be integers. We consider a sequence of pairwise coprime positive integers ${\displaystyle m_0<...<m_n}$ such that ${\displaystyle m_0\cdot m_{n-k+2}\cdots m_n<m_1\cdots m_k}$. For this given sequence, we choose the secret S as a random integer in the set Z/m₀ZScript error: No such module "Check for unknown parameters"..

We then pick a random integer Template:Mvar such that ${\displaystyle S+\alpha \cdot m_0<m_1\cdots m_k}$. We compute the reduction modulo m_iScript error: No such module "Check for unknown parameters". of ${\displaystyle S+\alpha \cdot m_0}$, for all 1 ≤ i ≤ nScript error: No such module "Check for unknown parameters"., these are the shares ${\displaystyle I_i=(s_i,m_i)}$. Now, for any kScript error: No such module "Check for unknown parameters". different shares ${\displaystyle I_{i_1},...,I_{i_k}}$, we consider the system of congruences:

${\displaystyle \{\begin{array}{ll}x\equiv & s_{i_1}mod{m}_{i_1}\\ & ⋮\\ x\equiv & s_{i_k}mod{m}_{i_k}\\ \end{array}}$

By the Chinese remainder theorem, since ${\displaystyle m_{i_1},...,m_{i_k}}$ are pairwise coprime, the system has a unique solution S₀Script error: No such module "Check for unknown parameters". modulo ${\displaystyle m_{i_1}\cdots m_{i_k}}$. By the construction of our shares, the secret S is the reduction modulo m₀Script error: No such module "Check for unknown parameters". of S₀Script error: No such module "Check for unknown parameters"..

It is important to notice that the Mignotte (k, n)Script error: No such module "Check for unknown parameters".-threshold secret-sharing scheme is not perfect in the sense that a set of less than kScript error: No such module "Check for unknown parameters". shares contains some information about the secret. The Asmuth–Bloom scheme is perfect: Template:Mvar is independent of the secret Template:Mvar and

${\displaystyle \begin{array}{r}{\displaystyle \prod _{i=n-k+2}^n}{m}_i\\ \alpha \end{array}\}<\frac{{\displaystyle \prod _{i=1}^k}{m}_i}{m_0}}$

Therefore Template:Mvar can be any integer modulo

${\displaystyle {\displaystyle \prod _{i=n-k+2}^n}{m}_i.}$

This product of k − 1Script error: No such module "Check for unknown parameters". moduli is the largest of any of the nScript error: No such module "Check for unknown parameters". choose k − 1Script error: No such module "Check for unknown parameters". possible products, therefore any subset of k − 1Script error: No such module "Check for unknown parameters". equivalences can be any integer modulo its product, and no information from Template:Mvar is leaked.

Example

The following is an example on the Asmuth–Bloom scheme. For practical purposes we choose small values for all parameters. We choose k = 3Script error: No such module "Check for unknown parameters". and n = 4Script error: No such module "Check for unknown parameters".. Our pairwise coprime integers being ${\displaystyle m_0=3,m_1=11,m_2=13,m_3=17}$ and ${\displaystyle m_4=19}$. They satisfy the Asmuth–Bloom required sequence because ${\displaystyle 3\cdot 17\cdot 19<11\cdot 13\cdot 17}$.

Say our secret Template:Mvar is 2. Pick ${\displaystyle \alpha =51}$, satisfying the required condition for the Asmuth–Bloom scheme. Then ${\displaystyle 2+51\cdot 3=155}$ and we compute the shares for each of the integers 11, 13, 17 and 19. They are respectively 1, 12, 2 and 3. We consider one possible set of 3 shares: among the 4 possible sets of 3 shares we take the set Template:Mset and show that it recovers the secret S = 2Script error: No such module "Check for unknown parameters".. Consider the following system of congruences:

${\displaystyle \{\begin{array}{ll}x\equiv & 1mod11\\ x\equiv & 12mod13\\ x\equiv & 2mod17\\ \end{array}}$

To solve the system, let ${\displaystyle M=11\cdot 13\cdot 17}$. From a constructive algorithm for solving such a system, we know that a solution to the system is ${\displaystyle x_0=1\cdot e_1+12\cdot e_2+2\cdot e_3}$, where each e_iScript error: No such module "Check for unknown parameters". is found as follows:

By Bézout's identity, since ${\displaystyle (m_i,M/m_i)=1}$, there exist positive integers r_iScript error: No such module "Check for unknown parameters". and s_iScript error: No such module "Check for unknown parameters"., that can be found using the Extended Euclidean algorithm, such that ${\displaystyle r_i.m_i+s_i.M/m_i=1}$. Set ${\displaystyle e_i=s_i\cdot M/m_i}$.

From the identities ${\displaystyle 1=1\cdot 221-20\cdot 11=(-5)\cdot 187+72\cdot 13=5\cdot 143+(-42)\cdot 17}$, we get that ${\displaystyle e_1=221,e_2=-935,e_3=715}$, and the unique solution modulo ${\displaystyle 11\cdot 13\cdot 17}$ is 155. Finally, ${\displaystyle S=155\equiv 2mod3}$.

See also

• Secret sharing
• Shamir's secret sharing
• Chinese remainder theorem
• Access structure

References

<templatestyles src="Refbegin/styles.css" />

External links

• https://web.archive.org/web/20091209071915/http://www.cryptolounge.org/wiki/Ronald_Cramer

ru:Схема Миньотта