Asymptotically perfect secret sharing in modular rings
This thesis is submitted to Universidad de los Andes in partial fulfillment of the requirement for the degree of Mathematician. Bogotá, © 2010.

Abstract. We use information-theoretic entropy to prove that the secret sharing schemes of Mignotte and Asmuth-Bloom are asymptotically perfect.
Contents

Introduction

Chapter 1. Preliminaries
1. Convex Functions
2. Probability and Random Variables
3. Independent Random Variables
4. Entropy of a Random Variable
5. The Chinese Remainder Theorem
6. Primitive Roots and Discrete Logarithms
7. Commitment Schemes

Chapter 2. Threshold Schemes and their Security

Chapter 3. Shamir’s Secret Sharing Scheme
1. Description of the Scheme
2. Security of Shamir’s Secret Sharing Scheme

Chapter 4. Secret Sharing Using the Chinese Remainder Theorem
1. Description of the Scheme. Mignotte Sequences
2. The Chinese Remainder Theorem and the Number of Possible Extensions of a Secret
3. Asymptotic Analysis of Secret Sharing Using Mignotte Sequences
4. Security of the Threshold Scheme Based on the Chinese Remainder Theorem

Bibliography
Introduction

The thesis deals with the cryptographic concept of secret sharing. A secret sharing scheme is a method of distributing a given secret among a group of $n$ parties, where $n$ is a positive integer. Each of the parties has a share that can later be used to recover the secret. If $k$ is an integer such that $1 \le k \le n$ and a collaboration of at least $k$ parties is necessary and sufficient to recover the secret, then the scheme is called a $(k, n)$-threshold scheme; the integer $k$ is called the threshold of the scheme. In a $(k, n)$-threshold scheme, the information disclosed by fewer than $k$ shares should be insufficient to reconstruct the secret in a computationally feasible way.

The notion of secret sharing was introduced in 1979 by Shamir [Sha79] and Blakely [BB79], independently. Shamir’s secret sharing scheme is based on the fact that a polynomial of degree $n$ over a field is completely determined by $n + 1$ points on its graph, and fewer than $n + 1$ such points are insufficient to recover the polynomial. Shamir’s secret sharing scheme relies on polynomial interpolation to recover the secret. A disadvantage of polynomial interpolation is that it requires division, so the arithmetic computations must be carried out in a field. In 1983, Mignotte [Mig83] and Asmuth and Bloom [AB83] proposed secret sharing schemes based on the Chinese Remainder Theorem. The Chinese Remainder Theorem is valid in any commutative ring.

The mathematical foundations of information theory were developed in the late 1940’s independently by Shannon [Sha48, SW49] and Wiener [Wie49]. However, it has been only recently that information theory has become a standard tool to quantify the security of cryptosystems. The fundamental concept in this context is Shannon’s notion of entropy. Intuitively, the entropy of a random variable is a measure of the amount of uncertainty associated with that random variable.

A $(k, n)$-threshold scheme is said to be information theoretically perfect if knowledge of fewer than $k$ shares reveals no information about the secret $S$, that is, if knowledge of fewer than $k$ shares does not reduce the entropy of the random variable $S$. Shamir’s threshold scheme is easily seen to be information theoretically perfect. However, the secret sharing schemes of Mignotte and Asmuth-Bloom are not perfect. In 2002, Quisquater, Preneel, and Vandewalle [QPV02] claimed a proof that the Asmuth-Bloom and Mignotte schemes are asymptotically perfect. However, the argument in [QPV02] is marred by a large number of errors. In this thesis we present a correct proof of the asymptotic perfection of the schemes of Mignotte and Asmuth-Bloom. The exposition is self-contained, and it should be accessible not only to mathematicians, but also to engineers and scientists who are comfortable with mathematical rigor. The necessary background material is provided in Chapter 1. The exposition is organized as follows.
Chapter 1: This chapter contains background definitions and basic facts on random variables, entropy, primitive roots, discrete logarithms, and cryptographic commitments that will be needed in subsequent chapters. This material is included here as reference and it may be skipped at leisure without loss of continuity.

Chapter 2: Here we introduce the most important definitions of the thesis, namely, those of threshold cryptosystem, perfect threshold cryptosystem, and asymptotically perfect threshold cryptosystem.

Chapter 3: We introduce Shamir’s secret sharing scheme and we prove that it is perfect. The fact that Shamir’s scheme is perfect is not new, but we include a proof (which is rather brief) both for completeness and as motivation for the material that follows.

Chapter 4: We introduce the classical secret sharing schemes based on the Chinese Remainder Theorem, namely, those by Mignotte and Asmuth-Bloom, and prove that they are asymptotically perfect. Since both schemes are similar, we focus mainly on Mignotte’s. The asymptotic perfection of Mignotte’s scheme is presented from two different points of view: an informal but intuitive one, given in Section 3, and a formal one, given in Section 4. The first argument is due to Eduardo Dueñez. We thank Dueñez for allowing us to include his argument here. The estimates obtained in Section 2 play a fundamental role in the rest of the chapter.

Chapters 1–4 evolved from notes taken by Shruthi Sreekanta during a student seminar on cryptography and information theory led by Eduardo Dueñez and José Iovino at The University of Texas at San Antonio during the academic year 2007–2008. The author’s interest in this field was motivated by a course taught by José Iovino at Universidad de los Andes in July of 2008. The author is foremost grateful to José Iovino for the patience, time and dedication spent during the preparation of this thesis.

The author would like to express his gratitude to his parents Edgar and Aura for the support provided through these years, and to his sister Margarita for her love and company. Special thanks to Nicolas, Daniel and Juan, with whom we shared a class, an idea or just a discussion. Finally, the author would like to thank his soccer team for the sportsmanship, courage and integrity that they showed in all the victories and defeats.
CHAPTER 1. Preliminaries

1. Convex Functions

Definition 1.1. A function $f : (a, b) \to \mathbb{R}$ is said to be convex if for any two points $x, y$ in $(a, b)$ and any $\lambda \in [0, 1]$, one has
$$f(\lambda x + (1 - \lambda) y) \le \lambda f(x) + (1 - \lambda) f(y).$$
If the inequality is strict, $f$ is said to be strictly convex. Geometrically, the condition states that if $(x, f(x))$ and $(y, f(y))$ are points on the graph of $f$ and $x < t < y$, then the point $(t, f(t))$ lies below the line segment connecting the points $(x, f(x))$ and $(y, f(y))$.

Definition 1.2. A function $f : (a, b) \to \mathbb{R}$ is concave if $-f$ is convex, and strictly concave if $-f$ is strictly convex.

The following well-known fact will be used in Section 4. The proof is elementary, but it is included here for completeness.

Proposition 1.3. Let $f : (a, b) \to \mathbb{R}$. If $f$ is twice differentiable on $(a, b)$ and $f''(t) \ge 0$ for $t \in (a, b)$, then $f$ is convex. If $f''(t) > 0$ for $t \in (a, b)$, then $f$ is strictly convex.

Proof. Let $a < s < t < u < b$. By the Mean Value Theorem, there exist $\zeta \in (s, t)$ and $\eta \in (t, u)$ such that
$$f'(\zeta) = \frac{f(t) - f(s)}{t - s}, \qquad f'(\eta) = \frac{f(u) - f(t)}{u - t}.$$
Since $f'' \ge 0$ on $(a, b)$, $f'$ is increasing on $(a, b)$. Hence,
$$\frac{f(t) - f(s)}{t - s} \le \frac{f(u) - f(t)}{u - t},$$
i.e.,
$$(1) \qquad f(t) - f(s) \le \frac{t - s}{u - t}\,\big(f(u) - f(t)\big).$$
Let $t = \lambda s + (1 - \lambda) u$, where $0 < \lambda < 1$. Then $\dfrac{t - s}{u - t} = \dfrac{1 - \lambda}{\lambda}$, so the preceding line can be rewritten as
$$(2) \qquad f(\lambda s + (1 - \lambda) u) \le \lambda f(s) + (1 - \lambda) f(u).$$
Since $s, t, u$ are arbitrary, this inequality holds for all $t \in (a, b)$. This shows that $f$ is convex on $(a, b)$. If $f'' > 0$ on $(a, b)$, then $f'$ is strictly increasing on $(a, b)$, so the inequalities (1) and (2) are strict.

Corollary 1.4. If $f$ is twice differentiable on $(a, b)$ and $f''(t) \le 0$ for $t \in (a, b)$, then $f$ is concave. If $f''(t) < 0$ for $t \in (a, b)$, then $f$ is strictly concave.

Theorem 1.5. (1) Let $f$ be a convex function on an open interval $(a, b)$ in $\mathbb{R}$. Then for any $x_1, \dots, x_n \in (a, b)$ and $\lambda_1, \dots, \lambda_n \in [0, 1]$ such that $\sum_{i=1}^{n} \lambda_i = 1$, we have
$$f(\lambda_1 x_1 + \cdots + \lambda_n x_n) \le \lambda_1 f(x_1) + \cdots + \lambda_n f(x_n).$$
(2) Let $f$ be a strictly convex function on $(a, b)$ in $\mathbb{R}$. Let $x_1, \dots, x_n \in (a, b)$ and $\lambda_1, \dots, \lambda_n \in [0, 1]$ be given, where $\sum_{i=1}^{n} \lambda_i = 1$. If there exist $1 \le i < j \le n$ such that $\lambda_i, \lambda_j \ne 0$ and $x_i \ne x_j$, then
$$f(\lambda_1 x_1 + \cdots + \lambda_n x_n) < \lambda_1 f(x_1) + \cdots + \lambda_n f(x_n).$$

Proof. We prove (1) by induction on $n$. By Definition 1.1, the statement is true for $n = 2$. Suppose the statement is true for some $n \ge 2$. Since $\sum_{i=1}^{n+1} \lambda_i = 1$, we have $\sum_{i=1}^{n} \lambda_i = 1 - \lambda_{n+1}$; hence,
$$f(\lambda_1 x_1 + \cdots + \lambda_n x_n + \lambda_{n+1} x_{n+1}) = f\Big((1 - \lambda_{n+1})\, \frac{\lambda_1 x_1 + \cdots + \lambda_n x_n}{\lambda_1 + \cdots + \lambda_n} + \lambda_{n+1} x_{n+1}\Big).$$
Using Definition 1.1 (in Step 3 below) and the induction hypothesis (in Step 4 below), we obtain
$$\begin{aligned}
f\Big((1 - \lambda_{n+1})\, \frac{\lambda_1 x_1 + \cdots + \lambda_n x_n}{\lambda_1 + \cdots + \lambda_n} + \lambda_{n+1} x_{n+1}\Big)
&\le (1 - \lambda_{n+1})\, f\Big(\frac{\lambda_1 x_1 + \cdots + \lambda_n x_n}{\lambda_1 + \cdots + \lambda_n}\Big) + \lambda_{n+1} f(x_{n+1}) & (3) \\
&\le (1 - \lambda_{n+1}) \Big(\frac{\lambda_1}{1 - \lambda_{n+1}} f(x_1) + \cdots + \frac{\lambda_n}{1 - \lambda_{n+1}} f(x_n)\Big) + \lambda_{n+1} f(x_{n+1}) & (4) \\
&= \lambda_1 f(x_1) + \cdots + \lambda_n f(x_n) + \lambda_{n+1} f(x_{n+1}).
\end{aligned}$$
The proof of (2) is similar.

Remark 1.6. Theorem 1.5 is actually a particular case of Jensen’s Inequality. For the general form, see [Rud87, page 62].

2. Probability and Random Variables

If $\mathcal{X}$ is a nonempty set, a σ-algebra on $\mathcal{X}$ is a set $\mathcal{M}$ of subsets of $\mathcal{X}$ such that
(1) $\mathcal{X} \in \mathcal{M}$,
(2) if $E \in \mathcal{M}$, then $E^c \in \mathcal{M}$,
(3) if $E_1, E_2, \dots$ is a countable family of sets in $\mathcal{M}$, then $\bigcup_{i \in \mathbb{N}} E_i \in \mathcal{M}$.

The pair $(\mathcal{X}, \mathcal{M})$ is called a measurable space and the sets in $\mathcal{M}$ are called measurable subsets of $\mathcal{X}$. Note that if $E_1, E_2, \dots$ are measurable subsets of $\mathcal{X}$, then
$$\bigcap_{i \in \mathbb{N}} E_i = \Big(\bigcup_{i \in \mathbb{N}} E_i^c\Big)^c$$
is measurable. A (positive) measure on $(\mathcal{X}, \mathcal{M})$ is a function $P : \mathcal{M} \to [0, \infty]$ which is σ-additive, i.e., if $E_1, E_2, \dots$ are pairwise disjoint measurable sets, then
$$(5) \qquad P\Big(\bigcup_{i \in \mathbb{N}} E_i\Big) = \sum_{i \in \mathbb{N}} P(E_i).$$
If $P(\mathcal{X}) = 1$, the function $P$ is said to be a probability measure (or just a probability) on $(\mathcal{X}, \mathcal{M})$. In this case, the measurable sets comprising $\mathcal{M}$ are called events and the triple $(\mathcal{X}, \mathcal{M}, P)$ is called a probability space. An event of the form $\{x\}$, where $x \in \mathcal{X}$, is called an elementary event. Informally, one often identifies the elementary event $\{x\}$ with the element $x$. If $\mathcal{X}$ is finite and nonempty, the uniform probability on $\mathcal{X}$ is the unique probability measure $P_U$ on $(\mathcal{X}, \mathcal{M})$ such that $P_U(x) = \frac{1}{|\mathcal{X}|}$ for every $x \in \mathcal{X}$.

Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $E, F$ be events such that $P(F) \ne 0$. The probability of $E$ given $F$, denoted $P(E \mid F)$, is defined as follows:
$$P(E \mid F) = \frac{P(E \cap F)}{P(F)}.$$
Notice that the function $E \mapsto P(E \mid F)$ is a probability measure on $(\mathcal{X}, \mathcal{M})$.

Suppose that $(\mathcal{X}, \mathcal{M}, P)$ is a probability space. Given any function $\tau : \mathcal{X} \to \mathcal{S}$, we can define a probability space $(\mathcal{S}, \mathcal{M}_{\mathcal{S}}, P_{\mathcal{S}})$ as follows:
(1) If $E \subseteq \mathcal{S}$, then $E \in \mathcal{M}_{\mathcal{S}}$ if and only if $\tau^{-1}(E) \in \mathcal{M}$,
(2) If $E \in \mathcal{M}_{\mathcal{S}}$, then $P_{\mathcal{S}}(E) = P(\tau^{-1}(E))$.
It is not difficult to see that $(\mathcal{S}, \mathcal{M}_{\mathcal{S}}, P_{\mathcal{S}})$ is indeed a probability space. We will call $P_{\mathcal{S}}$ the probability induced by $\tau$ on $\mathcal{S}$. It is common practice to drop the subindex and denote the probability measure $P_{\mathcal{S}}$ as $P$.

If $(\mathcal{X}, \mathcal{M}, P)$ is a probability space and $(\mathcal{S}, \mathcal{N})$ is a measurable space, a random variable is a function $S : \mathcal{X} \to \mathcal{S}$ such that whenever $F$ is a measurable subset of $\mathcal{S}$, the set $S^{-1}(F)$ is a measurable subset of $\mathcal{X}$.

We will assume that the target space $\mathcal{S}$ is such that all of its finite subsets are measurable. In fact, in cryptographic applications, $\mathcal{S}$ can often be taken as a finite subset of $\mathbb{R}$. If $\mathrm{range}(S)$ is a nonempty, topologically discrete subset of $\mathbb{R}$, we will say that $S$ is discrete.
If $S : \mathcal{X} \to \mathcal{S}$ is a random variable, the push-forward of $P$ to $\mathcal{S}$ by $S$ is the probability measure $P_S$ on $(\mathcal{S}, \mathcal{N})$ defined by $P_S(F) = P(S^{-1}(F))$ for every measurable $F \subseteq \mathcal{S}$. If $F$ is a measurable subset of $\mathcal{S}$, it is customary to write $P(S \in F)$ in place of $P(S^{-1}(F))$; similarly, if $\{s\}$ is a measurable subset of $\mathcal{S}$, it is customary to write $P(S = s)$ in place of $P(S^{-1}(s))$.

Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $S, T$ be random variables on $\mathcal{X}$ which take values in measurable spaces $\mathcal{S}, \mathcal{T}$ respectively. If $s \in \mathcal{S}$ and $t \in \mathcal{T}$, we write $P(S = s \text{ and } T = t)$ to denote $P(S^{-1}(s) \cap T^{-1}(t))$. Similarly, if $(S_i)_{i \in I}$ is a family of random variables on $\mathcal{X}$ such that $S_i$ takes values in a measurable space $\mathcal{S}_i$ and $s_i \in \mathcal{S}_i$ for $i \in I$, we write $P((S_i)_{i \in I} = (s_i)_{i \in I})$ to denote the value
$$P\Big(\bigcap_{i \in I} S_i^{-1}(s_i)\Big).$$

A random variable $S$ is said to be uniformly distributed, or simply uniform, if $\mathrm{range}(S)$ is a finite and nonempty measurable subset of $\mathcal{S}$ and for every $s \in \mathrm{range}(S)$ we have
$$P(S = s) = \frac{1}{|\mathrm{range}(S)|}.$$
We will say that $S$ is determined if there exists $s \in \mathcal{S}$ such that $\{s\}$ is measurable and $\mathrm{range}(S) = \{s\}$.

3. Independent Random Variables

Definition 1.7. Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $S, T$ be random variables on $\mathcal{X}$ which take values in measurable spaces $\mathcal{S}, \mathcal{T}$ respectively. Then $S, T$ are said to be independent if whenever $E$ is a measurable subset of $\mathcal{S}$ and $F$ is a measurable subset of $\mathcal{T}$,
$$P(S^{-1}(E) \cap T^{-1}(F)) = P(S^{-1}(E)) \cdot P(T^{-1}(F)).$$

Lemma 1.8. Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $S, T$ be independent real-valued random variables on $\mathcal{X}$. Then,
(1) For every nonzero $c \in \mathbb{R}$ the random variables $cS$ and $cT$ are independent.
(2) The random variables $\lfloor S \rfloor$ and $\lfloor T \rfloor$ are independent.
Proof. If $s, t \in \mathbb{R}$,
$$P(cS = s,\, cT = t) = P\Big(S = \frac{s}{c},\, T = \frac{t}{c}\Big) = P\Big(S = \frac{s}{c}\Big) \cdot P\Big(T = \frac{t}{c}\Big) = P(cS = s) \cdot P(cT = t).$$
This proves (1). The proof of (2) is similar:
$$\begin{aligned}
P(\lfloor S \rfloor = s,\, \lfloor T \rfloor = t) &= P\big(S^{-1}([s, s + 1)) \cap T^{-1}([t, t + 1))\big) \\
&= P\big(S^{-1}([s, s + 1))\big) \cdot P\big(T^{-1}([t, t + 1))\big) \\
&= P(\lfloor S \rfloor = s) \cdot P(\lfloor T \rfloor = t).
\end{aligned}$$

Remark 1.9. Let $X, Y$ be two independent discrete random variables taking values in $\mathbb{Z}$ and let $Z = X + Y$. Then the probability distribution of $Z$ is given by
$$P(Z = z) = \sum_{k=-\infty}^{\infty} P(X = k)\, P(Y = z - k).$$

Lemma 1.10. Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $X_1, \dots, X_n, Y_1, \dots, Y_n$ be integer-valued random variables on $\mathcal{X}$. Suppose that
• $X_i, X_j$ are independent for all $i \ne j$ in $\{1, \dots, n\}$,
• $Y_i, Y_j$ are independent for $i \ne j$ in $\{1, \dots, n\}$,
• $X_i$ is independent of $Y_j$ for all $i, j \in \{1, \dots, n\}$.
Then,
(1) The averages
$$\frac{\sum_{i=1}^{n} X_i}{n}, \qquad \frac{\sum_{i=1}^{n} Y_i}{n}$$
are independent.
(2) The integer averages
$$\Big\lfloor \frac{\sum_{i=1}^{n} X_i}{n} \Big\rfloor, \qquad \Big\lfloor \frac{\sum_{i=1}^{n} Y_i}{n} \Big\rfloor$$
are independent.

Proof. By Lemma 1.8 we need only show that the sums $\sum_{i=1}^{n} X_i$ and $\sum_{i=1}^{n} Y_i$ are independent. We will proceed by induction on $n$. The base case is given by the assumption that $X_1, Y_1$ are independent. Suppose that the random variables $\sum_{i=1}^{n} X_i$ and $\sum_{i=1}^{n} Y_i$ are independent. By Remark 1.9,
$$P\Big(\sum_{i=1}^{n+1} X_i = z\Big) = \sum_{k=-\infty}^{\infty} P(X_{n+1} = k)\, P\Big(\sum_{i=1}^{n} X_i = z - k\Big)$$
and
$$P\Big(\sum_{i=1}^{n+1} Y_i = z'\Big) = \sum_{j=-\infty}^{\infty} P(Y_{n+1} = j)\, P\Big(\sum_{i=1}^{n} Y_i = z' - j\Big).$$
Hence,
$$\begin{aligned}
P\Big(\sum_{i=1}^{n+1} X_i = z\Big) \cdot P\Big(\sum_{i=1}^{n+1} Y_i = z'\Big)
&= \sum_{k=-\infty}^{\infty} P(X_{n+1} = k)\, P\Big(\sum_{i=1}^{n} X_i = z - k\Big) \cdot \sum_{j=-\infty}^{\infty} P(Y_{n+1} = j)\, P\Big(\sum_{i=1}^{n} Y_i = z' - j\Big) \\
&= \sum_{k=-\infty}^{\infty} \sum_{j=-\infty}^{\infty} P(X_{n+1} = k,\, Y_{n+1} = j) \cdot P\Big(\sum_{i=1}^{n} X_i = z - k,\, \sum_{i=1}^{n} Y_i = z' - j\Big) \\
&= P\Big(\sum_{i=1}^{n+1} X_i = z,\, \sum_{i=1}^{n+1} Y_i = z'\Big).
\end{aligned}$$

4. Entropy of a Random Variable

If $S$ is a random variable, the Shannon entropy of $S$, denoted by $H(S)$, is a measure of the amount of “surprise” that the outcome of $S$ would produce on the observer. Intuitively, $H(S) = 0$ when the value of $S$ is determined (Proposition 1.12-(2)), and $H(S)$ increases as the “unpredictability” of $S$ increases, attaining its maximum when all possible outcomes of $S$ have the same probability (Proposition 1.12-(4)).

Definition 1.11. Let $S$ be a random variable of finite range. The entropy of $S$, denoted $H(S)$, is defined as
$$H(S) = \sum_{\substack{s \in \mathrm{range}(S) \\ P(S = s) \ne 0}} P(S = s) \log \frac{1}{P(S = s)}.$$

Proposition 1.12. Let $S$ be a random variable with $\mathrm{range}(S) = \{s_1, \dots, s_n\}$. Then $H(S)$ satisfies the following properties:
(1) $H(S) \ge 0$.
(2) If $S$ is determined, i.e., if there exists $1 \le i \le n$ such that
$$P(S = s_j) = \begin{cases} 1, & \text{if } j = i \\ 0, & \text{if } j \ne i, \end{cases}$$
then $H(S) = 0$.
(3) If there exist $B, C > 0$ such that $B \le P(S = s) \le C$ for all $s \in \mathrm{range}(S)$, then
$$\log \frac{1}{C} \le H(S) \le \log \frac{1}{B}.$$
(4) $H(S) \le \log n$. Equality holds if and only if the probability distribution of $S$ is uniform, i.e., if $P(S = s_i) = 1/n$ for $i = 1, \dots, n$.

Proof. Parts (1)–(3) follow immediately from the definitions, so we only prove (4). Let $p_i = P(S = s_i)$ for $i = 1, \dots, n$. The entropy of $S$ is
$$H(S) = \sum_{i=1}^{n} h(p_i) = \sum_{\substack{i=1 \\ p_i \ne 0}}^{n} p_i \log(1/p_i).$$
By Corollary 1.4, the logarithmic function is strictly concave on $(0, \infty)$. Hence, by Theorem 1.5 (with $f(t) = \log t$, $\lambda_i = p_i$, and $x_i = 1/p_i$ for $i = 1, \dots, n$), we have $H(S) \le \log n$. If there exist integers $i, j$ with $1 \le i < j \le n$ such that $p_i \ne p_j$, then, by Theorem 1.5-(2),
$$H(S) < \log \Big(\sum_{\substack{i=1 \\ p_i \ne 0}}^{n} p_i \cdot \frac{1}{p_i}\Big) \le \log n.$$
Otherwise, $p_1 = \cdots = p_n = 1/n$, in which case $H(S) = \log n$.

Definition 1.13. Let $(\mathcal{X}, \mathcal{M}, P)$ be a probability space and let $S$ be a random variable on $\mathcal{X}$ with finite range. The conditional entropy of $S$ given that $(Y_i)_{i \in I} = (y_i)_{i \in I}$, denoted $H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$, is defined as
$$\sum_{\substack{s \in \mathrm{range}(S) \\ P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \ne 0}} P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \log \frac{1}{P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I})}.$$

5. The Chinese Remainder Theorem

If $n$ is a positive integer, the ring of residue classes modulo $n$ is denoted by $\mathbb{Z}_n$. The following fact is immediate from the definitions.

Theorem 1.14. If $m_1, \dots, m_n$ are any pairwise relatively prime positive integers and $m = m_1 m_2 \cdots m_n$, there is a bijection $\varphi : \mathbb{Z}_m \to \mathbb{Z}_{m_1} \times \mathbb{Z}_{m_2} \times \cdots \times \mathbb{Z}_{m_n}$ such that
$$\varphi(a \bmod m) = (a \bmod m_1,\, a \bmod m_2,\, \dots,\, a \bmod m_n),$$
i.e., the following diagram commutes, where $\pi_{m_i, m}$ sends the equivalence class of $a$ modulo $m$ to the equivalence class of $a$ modulo $m_i$ and $\pi_i$ is the projection onto the $i$-th coordinate. Theorem 1.14 is an abstract statement of the classical Chinese Remainder Theorem:
$$\mathbb{Z}_m \xrightarrow{\ \varphi\ } \mathbb{Z}_{m_1} \times \cdots \times \mathbb{Z}_{m_n}, \qquad \pi_i \circ \varphi = \pi_{m_i, m} : \mathbb{Z}_m \to \mathbb{Z}_{m_i} \quad (i = 1, \dots, n).$$

Theorem 1.15 (Chinese Remainder Theorem). Let $m_1, m_2, \dots, m_n$ be pairwise relatively prime integers. The system
$$x \equiv a_1 \pmod{m_1}, \qquad x \equiv a_2 \pmod{m_2}, \qquad \dots, \qquad x \equiv a_n \pmod{m_n}$$
has a unique solution modulo $m_1 m_2 \cdots m_n$.

6. Primitive Roots and Discrete Logarithms

Definition 1.16. If $n \ge 1$, $\varphi(n)$ is the number of integers $k$ such that $1 \le k < n$ and $\gcd(k, n) = 1$. For convenience $\varphi(1)$ is defined as $1$.

Theorem 1.17. Let $m \in \mathbb{N}$ and $g \in \mathbb{Z}$ such that $\gcd(g, m) = 1$. Then $g^{\varphi(m)} \equiv 1 \pmod m$.

Definition 1.18. Let $m, g$ be integers such that $m$ is positive and $\gcd(g, m) = 1$. Then the least positive integer $n$ such that $g^n \equiv 1 \pmod m$ is called the order of $g$ modulo $m$. The order of $g$ modulo $m$ will be denoted by $\mathrm{ord}_m\, g$.

Definition 1.19. Let $m, g$ be integers such that $m$ is positive and $\gcd(g, m) = 1$. Then $g$ is called a primitive root for $m$ if $\mathrm{ord}_m\, g = \varphi(m)$.

Proposition 1.20. Let $g$ be a primitive root for $p$ with $p$ an odd prime. Then either $g$ or $g + p$, whichever is odd, is a primitive root modulo $p^2$. Moreover, if $g$ is a primitive root for $p^2$ then it is also a primitive root for $p^t$ for all $t$.

Proof. See Theorems 8.8 and 8.9 of [Ros84].

The following theorem is due to Gauss.

Theorem 1.21 (The Primitive Root Theorem). Let $m$ be a positive integer. Then $m$ has a primitive root if and only if $m$ is of one of the following forms: $2$, $4$, $p^t$ or $2p^t$, where $p$ is an odd prime and $t \in \mathbb{N}$.
Proof. See [Ros84, page 251].

Proposition 1.22. Let $g$ be a primitive root for $m$. Then, if $i, j$ are positive integers, $g^i \equiv g^j \pmod m$ if and only if $i \equiv j \pmod{\varphi(m)}$.

Proposition 1.22 implies that if $g$ is a primitive root for $m$, then for every $b \in \mathbb{Z}$ such that $\gcd(b, m) = 1$, there exists exactly one $i$ with $0 \le i < \varphi(m)$ such that $g^i \equiv b \pmod m$.

Definition 1.23. The unique $i \in \{0, \dots, \varphi(m) - 1\}$ such that $b \equiv g^i \pmod m$ is called the discrete logarithm of $b$ modulo $m$ in base $g$, and it is denoted $\log_g b$.

No general-purpose algorithm is known for computing discrete logarithms efficiently. It is believed that no such algorithm exists. However, for certain values of $m$ discrete logarithms in $\mathbb{Z}_m$ can be computed efficiently, for example, if $m$ equals a prime $p$ and $p - 1$ has only small factors [PH78]. The difficulty of computing discrete logarithms was regarded as a curiosity until Diffie and Hellman proposed a key-exchange protocol [DH76] based on the infeasibility of computing discrete logarithms. Later, ElGamal [ElG85] proposed an asymmetric public key cryptosystem based on the same assumption.

7. Commitment Schemes

Suppose parties A and B need to choose elements from a set. Knowledge of the value A has chosen might influence B’s choice. Therefore A’s choice needs to be hidden from B. However, A should be bound to the choice he has made and not be allowed to change it later. This is analogous to A hiding an object in a box, locking it, and giving B the key. Let us say A chooses the value $x \in \mathcal{X}$. A commitment scheme enables A to hide the value while binding A to it, that is, ensuring that A commits to the chosen value. The hiding property of the scheme enables A to release some information about $x$ in such a way that B cannot find $x$ in a computationally feasible way. The binding property of the scheme provides the guarantee that later, when A is ready to reveal $x$, B is able to verify the value using the information revealed earlier.

A common bit commitment protocol, using random strings, is as follows. Let $h$ be the bit that A wishes to commit to.
• B sends A a randomly generated string $r$. A uses a random key $k$ to encrypt the pair $(h, r)$ and sends the commitment $C_k(h, r)$ to B.
• When A is ready to reveal the bit $h$, he sends the key $k$ to B. Now B can decipher $C_k(h, r)$ to find the secret bit $h$.
Note that the key should not only decipher the commitment to reveal the secret bit but also the random string that was sent by B. This strengthens the verification process.
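The exchange above, written out as an added example that is not part of the thesis: B issues the random string $r$, A commits to a bit $h$ under a fresh key $k$, and B later verifies the opening. The thesis does not fix the cipher behind $C_k(h, r)$; here it is realised, as an assumption, by the keyed hash HMAC-SHA256 over $(h, r)$, so that the commitment can only be opened by releasing $k$ and B checks it by recomputing the same value over his own $r$.

```python
# Added example (not from the thesis): bit commitment with a random string r
# from B and a random key k from A. C_k(h, r) is realised as HMAC-SHA256(k, h || r),
# an assumption standing in for the unspecified encryption in the text.
import hashlib
import hmac
import secrets


def b_challenge():
    """Step 1: B sends A a randomly generated string r (16 random bytes here)."""
    return secrets.token_bytes(16)


def commitment(k, h, r):
    """C_k(h, r): keyed hash of the bit h and B's string r under A's key k."""
    return hmac.new(k, bytes([h]) + r, hashlib.sha256).digest()


def a_commit(h, r):
    """Step 2: A picks a random key k, keeps it, and sends C_k(h, r) to B."""
    if h not in (0, 1):
        raise ValueError("h must be a single bit")
    k = secrets.token_bytes(32)
    return k, commitment(k, h, r)


def b_open(c, k, h, r):
    """Step 3: A reveals k (and h); B accepts only if C_k(h, r) matches the
    commitment he holds, computed over the r he himself sent.  Recomputing
    over B's own r is what makes the opening binding, as the text notes."""
    return hmac.compare_digest(commitment(k, h, r), c)


def run_protocol(h):
    """Full exchange for bit h.  Returns whether B accepts (a) the honest
    opening, (b) an opening with the bit flipped, (c) an opening against a
    different random string than the one B sent."""
    r = b_challenge()
    k, c = a_commit(h, r)
    return (b_open(c, k, h, r),
            b_open(c, k, 1 - h, r),
            b_open(c, k, h, b_challenge()))


if __name__ == "__main__":
    print("commit to 0:", run_protocol(0))   # (True, False, False)
    print("commit to 1:", run_protocol(1))   # (True, False, False)
```

Hiding rests on the key: without $k$, the digest reveals nothing computationally about $h$. Binding rests on B recomputing over the $r$ he generated, so A cannot later open the same commitment to the other bit.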
CHAPTER 2. Threshold Schemes and their Security

A secret sharing scheme is a method of distributing a given secret among a group of $l$ parties, where $l$ is an integer greater than $1$. Each of the $l$ parties has a share that can later be used to recover the secret. If $t$ is an integer such that $1 \le t < l$ and a collaboration of at least $t + 1$ parties is necessary and sufficient to recover the secret, then the scheme is called a $(t, l)$-threshold scheme, and $t$ is called the threshold of the scheme. In a $(t, l)$-threshold scheme, the information disclosed by $t$ shares or fewer should be insufficient to recover the secret in a computationally feasible way.

We will assume that the secret to be shared can be identified with an element of a set $\mathcal{S}$, which is called the secret space. In the absence of direct knowledge of it, the secret should be regarded as a random variable $S$ that takes values in $\mathcal{S}$. Some schemes go a step further and work with a space $\mathcal{X}$, larger than $\mathcal{S}$, in order to introduce “noise” that masks out the information about the secret provided by knowledge of $t$ or fewer shares. Mignotte [Mig83] and Asmuth and Bloom [AB83] introduced this concept of using a larger space. We will call $\mathcal{X}$ the extended secret space. The shares provide information about the extended secret and not about the secret directly. Any given element in the extended secret space $\mathcal{X}$ determines the secret in $\mathcal{S}$ uniquely; we will denote by $\tau$ the function from $\mathcal{X}$ into $\mathcal{S}$ that takes the extended secret, “throws away” the noise, and outputs the secret in $\mathcal{S}$. We will denote by $\sigma$ the function that produces all the shares from any $x \in \mathcal{X}$, i.e., $\sigma(x) = (y_i)_{i \in \{1, \dots, l\}}$. The share $y_i$ is in the share space $\mathcal{Y}_i$. If $I \subseteq \{1, \dots, l\}$, the function
$$\pi_I : \prod_{i \in \{1, \dots, l\}} \mathcal{Y}_i \to \prod_{i \in I} \mathcal{Y}_i$$
denotes the natural projection, and $\sigma_I$ denotes the composition $\pi_I \circ \sigma$. We thus have the following diagram:
$$\sigma : \mathcal{X} \to \prod_{i=1}^{l} \mathcal{Y}_i, \qquad \pi_I : \prod_{i=1}^{l} \mathcal{Y}_i \to \prod_{i \in I} \mathcal{Y}_i, \qquad \sigma_I = \pi_I \circ \sigma, \qquad \tau : \mathcal{X} \to \mathcal{S}.$$

Given $I$ with $|I| \ge t + 1$ and knowledge of shares $(y_i)_{i \in I}$, $x$ can be computed as $\sigma_I^{-1}((y_i)_{i \in I})$. Thus, the secret can be recovered as $\tau(\sigma_I^{-1}((y_i)_{i \in I}))$.

The following conventions will be used throughout:
• The extended secret space $\mathcal{X}$ is a uniform probability space,
• The sets $\mathcal{S}$ and $\mathcal{Y}_i$ for $i \in I$ are regarded as probability spaces, with the probabilities induced by the functions $\tau$ and $\sigma_I$, respectively (see Section 2),
• The extended secret is a random variable $X$ taking values in $\mathcal{X}$,
• The secret $S$ is the random variable $\tau(X)$,
• The share $Y_i$ is the share variable $\sigma_i(X)$, for $i = 1, \dots, l$.

Definition 2.1. Let $S$ be a random variable on $\mathcal{S}$. The loss of entropy of the secret $s \in \mathcal{S}$ given the knowledge of shares $(y_i : i \in I)$ is defined by
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = H(S) - H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}),$$
where $H$ is the entropy function (see Definition 1.11).

Definition 2.2. A $(t, l)$-threshold scheme is said to be perfect with respect to the probability $P$ if the following holds:
(1) The secret is not determined (see Section 2),
(2) For all $I \subseteq \{1, \dots, l\}$ with $|I| \le t$, we have $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0$.

Definition 2.3. A threshold scheme is asymptotically perfect with respect to the probability $P$ if for every $\varepsilon > 0$ and every $t \in \mathbb{N}$ there exists $l_0 \in \mathbb{N}$ with $l_0 > t$ and the following property: there exists $N_0 \in \mathbb{N}$ such that if
• $|\mathcal{S}| \ge N_0$,
• $|\mathcal{Y}_i| \ge N_0$ for $i \in \{1, \dots, l_0\}$, and
• $I \subseteq \{1, \dots, l_0\}$ satisfies $|I| \le t$,
then $|\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})| \le \varepsilon$.
CHAPTER 3. Shamir’s Secret Sharing Scheme

The concept of threshold scheme was introduced in cryptography independently by Shamir [Sha79] and Blakely [BB79]. Shamir’s secret sharing scheme is based on the fact that a polynomial of degree $n$ over a field is completely determined by $n + 1$ points on its graph, and fewer than $n + 1$ such points are insufficient to recover the polynomial.

1. Description of the Scheme

Shamir’s secret sharing scheme is based on the following elementary fact:

Fact 3.1. Let $p$ be a prime integer. Given $x_0, \dots, x_n, y_0, \dots, y_n \in \mathbb{Z}_p$ with $x_0, \dots, x_n$ distinct, there exists a unique polynomial $f(x)$ of degree at most $n$ and with coefficients in $\mathbb{Z}_p$ such that $f(x_i) = y_i$ for $i = 0, \dots, n$.

Proof. We wish to find coefficients $c_0, \dots, c_n \in \mathbb{Z}_p$ such that
$$\sum_{j=0}^{n} c_j x_i^j = y_i, \qquad \text{for } i = 0, \dots, n.$$
In other words, if
$$A = \begin{pmatrix} 1 & x_0 & x_0^2 & \cdots & x_0^n \\ 1 & x_1 & x_1^2 & \cdots & x_1^n \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & x_n & x_n^2 & \cdots & x_n^n \end{pmatrix}, \qquad y = \begin{pmatrix} y_0 \\ y_1 \\ \vdots \\ y_n \end{pmatrix},$$
we need to find a solution $c = (c_0, \dots, c_n)$ to the linear system $Ac = y$. Now, $A$ is a Vandermonde matrix, so $\det(A) = \prod_{0 \le i < j \le n} (x_i - x_j)$. Thus, if $x_0, \dots, x_n$ are distinct, $\det(A) \ne 0$ and a unique solution exists.

Remark 3.2. Note that in the proof of Fact 3.1, $\mathbb{Z}_p$ can be replaced by any field.

We now describe the threshold scheme introduced by Shamir [Sha79]. Let $t, l$ be integers such that $1 \le t < l$. In Shamir’s $(t, l)$-threshold scheme, the secret space $\mathcal{S}$ and the share spaces $\mathcal{Y}_i$, for $i = 1, \dots, l$, are defined as $\mathbb{Z}_p$, where $p$ is a prime integer. The extended secret space $\mathcal{X}$ is the set of polynomials of degree $t$ with coefficients in $\mathbb{Z}_p$. The function $\tau : \mathcal{X} \to \mathcal{S}$
is evaluation at $x = 0$, i.e., if $f \in \mathcal{X}$, then $\tau(f) = f(0)$. Let $x_1, \dots, x_l$ be a set of randomly chosen integers in the set $\{0, \dots, p - 1\}$. We regard $x_1, \dots, x_l$ as elements of $\mathbb{Z}_p$. The share $y_i$ is the value of the polynomial at $x_i$, i.e., the function $\sigma : \mathcal{X} \to \prod_{i=1}^{l} \mathcal{Y}_i$ is defined as
$$\sigma(f) = (f(x_i))_{i \in \{1, \dots, l\}}.$$
Let $a_0 \in \{0, \dots, p - 1\}$ be a secret to be shared. Integers $a_1, \dots, a_t$ are chosen randomly in $\{0, \dots, p - 1\}$ such that $a_t \ne 0$. Consider the polynomial $f(x)$ of degree $t$
$$f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_t x^t.$$
By Fact 3.1, if $|I| \ge t + 1$, the coefficients of the polynomial can be recovered uniquely from the shares $y_i$, for $i \in I$. The secret $a_0$ can then be computed as $f(0) = \tau(f(x))$.

2. Security of Shamir’s Secret Sharing Scheme

Lemma 3.3. Let $\mathcal{S}, S, \mathcal{X}, X, \tau$ be as defined in Section 1. If the probability distribution of $X$ is uniform, then the probability distribution of $S$ is also uniform.

Proof. Let $f(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1} \in \mathcal{X}$. Then,
$$P(S = a_0) = P(X \in \tau^{-1}(a_0)) = \frac{|\tau^{-1}(a_0)|}{|\mathcal{X}|} = \frac{p^{t-1}}{p^t} = \frac{1}{p}.$$

Recall from Definition 2.2 that a $(t, l)$-threshold scheme is perfect if the following holds:
• The secret is not determined,
• If $S, Y_i$, for $i = 1, \dots, l$, denote the secret and the shares respectively, then for every $I \subseteq \{1, \dots, l\}$ with $|I| \le t$, we have $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0$.

We now prove that Shamir’s threshold scheme is perfect.

Theorem 3.4. Let $\mathcal{S}, S, \mathcal{X}, X, \mathcal{Y}_i, \tau, \sigma, \sigma_I, Y_i$ for $I \subseteq \{1, \dots, l\}$ be as defined in Section 1. Suppose that the probability distribution of $X$ is uniform. Then, for $|I| \le t$,
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0.$$

Proof. For $i = 1, \dots, l$, each of the shares $y_i$ is given by $f(x_i)$. By Lemma 3.3, the probability distribution of $S$ is uniform, i.e.,
$$P(S = s) = \frac{1}{p}.$$
Hence, by Proposition 1.12-(4),
$$(6) \qquad H(S) = \log p.$$
Let $f(x) = \sum_{i=0}^{t} a_i x^i$ and regard $a_0, \dots, a_t$ as variables. If $|I| \le t$, then the system of linear equations
$$f(x_i) = y_i, \qquad \text{for } i \in I,$$
is underdetermined and the solution is not unique. The general solution comprises $t + 1 - |I|$ free variables that can take any value in $\mathbb{Z}_p$; the other $|I|$ variables are determined by the values taken by the free variables. Therefore,
$$\begin{aligned}
P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) &= P(\tau(X) = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \\
&= \frac{|\{f(x) \in \mathcal{X} \mid f(0) = s \text{ and } f(x_i) = y_i \text{ for } i \in I\}|}{|\{f(x) \in \mathcal{X} \mid f(x_i) = y_i \text{ for } i \in I\}|} \\
&= \frac{p^{t - |I|}}{p^{t + 1 - |I|}} = \frac{1}{p}.
\end{aligned}$$
By Proposition 1.12-(4),
$$(7) \qquad H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \log p.$$
From (6) and (7), we get $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0$.
CHAPTER 4. Secret Sharing Using the Chinese Remainder Theorem

Shamir’s secret sharing scheme is based on polynomial interpolation. A disadvantage of polynomial interpolation is that it requires divisions, which may introduce rounding errors. In the 1980’s Mignotte [Mig83] and Asmuth and Bloom [AB83] proposed secret sharing schemes based on the Chinese Remainder Theorem. The Chinese Remainder Theorem has the advantage that it is valid in any ring.

In this chapter we prove that the secret sharing schemes by Mignotte [Mig83] and Asmuth-Bloom [AB83] are asymptotically perfect. The main results of the chapter are Theorem 4.13 and Corollary 4.18; these results are new. A proof of the asymptotic perfection of the Asmuth-Bloom scheme was claimed in [QPV02]. However, the argument in [QPV02] contains a large number of errors; furthermore, unnecessary assumptions are made (e.g., it is assumed that the moduli are prime numbers) and nontrivial number-theoretic results are used (e.g., results about gaps between prime numbers). The proof presented here is elementary and self-contained. The necessary background material is given in Chapters 1 and 2.

1. Description of the Scheme. Mignotte Sequences

We will use the following notational conventions.

Notation 4.1. If $t$ is a positive integer,
• $\overleftarrow{t}$ denotes the set $\{0, \dots, t - 1\}$,
• $\overrightarrow{t}$ denotes the set $\{1, \dots, t\}$,
• $\overleftrightarrow{t}$ denotes the set $\{0, \dots, t\}$.

Notation 4.2. Let $\{m_i \mid i \in \overrightarrow{l}\}$ be a set of positive pairwise relatively prime integers. If $I = \{i_1, \dots, i_k\}$ is a subset of $\overrightarrow{l}$, we will write $\overleftrightarrow{I}$ to denote the set $I \cup \{0\}$, and $\pi(I)$ to denote the product $m_{i_1} \cdot m_{i_2} \cdots m_{i_k}$.

We now define a $(t, l)$-threshold scheme based on the Chinese Remainder Theorem. Fix integers $t$ and $l$ such that $1 \le t < l$, and let $m_0, \dots, m_l$ be pairwise relatively prime integers. In this scheme, the secret space $\mathcal{S}$ will be the set of integers $\overleftarrow{m_0}$, the extended secret space $\mathcal{X}$ will be the set of integers $\overleftarrow{\pi(\overleftrightarrow{t})}$, and for $i = 1, \dots, l$ the share space $\mathcal{Y}_i$ is $\overleftarrow{m_i}$. The functions
$$\tau : \mathcal{X} \to \mathcal{S}, \qquad \sigma_i : \mathcal{X} \to \mathcal{Y}_i, \qquad \sigma : \mathcal{X} \to \prod_{i=1}^{l} \mathcal{Y}_i$$
are defined as follows:
• If $x \in \mathcal{X}$ then $\tau(x)$ is the unique $s \in \mathcal{S}$ such that $s \equiv x \pmod{m_0}$.
• If $x \in \mathcal{X}$ and $i \in \overrightarrow{l}$ then $\sigma_i(x) = y_i$, where $y_i$ is the remainder of $x$ modulo $m_i$.
• $\sigma(x) = (\sigma_i(x))_{i \in \overrightarrow{l}}$.

Let $s \in \overleftarrow{m_0}$ be the secret to be shared. An integer $y$ is chosen randomly from the set $\overleftarrow{\pi(\overrightarrow{t})}$ such that $y \equiv s \pmod{m_0}$. By the Chinese Remainder Theorem, there is a solution $x$ to the system of congruences
$$x \equiv s \pmod{m_0}, \qquad x \equiv y \pmod{\pi(\overrightarrow{t})}. \tag{8}$$
Moreover, the solution is unique modulo $m_0 \cdot \pi(\overrightarrow{t}) = \pi(\overleftrightarrow{t})$. The shares $y_i \in \overleftarrow{m_i}$ are defined uniquely by
$$y_i \equiv x \pmod{m_i} \quad \text{for } i = 1, \dots, l,$$
where each share $y_i$ is in the corresponding share space $\overleftarrow{m_i}$.

Now let us assume that a subset $I$ of $\{1, \dots, l\}$ is collaborating to recover the secret. By the Chinese Remainder Theorem, there is a unique solution $z$ in $\overleftarrow{\pi(I)}$ to the system
$$z \equiv y_i \pmod{m_i} \quad \text{for } i \in I.$$
If $|I| \ge t+1$, then $\pi(\overleftrightarrow{t}) < \pi(I)$, so by (8) we must have $x = z$. The secret is recovered by finding $\tau(z)$, i.e., $s = z \bmod m_0$.

In order to have a valid $(t, l)$-threshold scheme, knowledge of fewer than $t+1$ shares should be insufficient to reveal the secret uniquely. Mignotte [Mig83] proposed such a scheme using special sequences of relatively prime integers, nowadays referred to as Mignotte sequences:

Definition 4.3. If $t \le l$, a sequence of integers $m_0, m_1, m_2, \dots, m_l$ is a $(t+1, l)$-Mignotte sequence if the following conditions are satisfied:
(1) $m_0 < m_1 < m_2 < \cdots < m_l$,
(2) $\gcd(m_i, m_j) = 1$ if $0 \le i < j \le l$,
(3) $\displaystyle \prod_{i=0}^{t} m_i > \prod_{i=l-t+1}^{l} m_i$.

Remark 4.4. By (1) and (3), the product of any $t+1$ of the integers $m_j$ is greater than the product of any $t$ of the integers. For any $l$ and any $t \le l$, there exist $(t+1, l)$-Mignotte sequences $m_0, m_1, \dots, m_l$ with $m_0$ arbitrarily large, and they can be found efficiently. For a proof see [DDI07].

Let us assume that $I$ is a subset of $\{1, \dots, l\}$ such that $|I| \le t$ and the shares $y_i$ for $i \in I$ are known.
Let $x_0$ be the unique solution to the system $x \equiv y_i \pmod{m_i}$ for $i \in I$ satisfying $0 \le x_0 < \pi(I)$. Any solution $x$ in the extended secret space $\overleftarrow{\pi(\overleftrightarrow{t})}$ must satisfy $x = x_0 + k\pi(I)$ for some $k$ such that $0 \le k < \pi(\overleftrightarrow{t})/\pi(I)$. Note that $\gcd(\pi(I), m_0) = 1$, since $\gcd(m_i, m_0) = 1$ for $i \in I$ by Definition 4.3-(2). Hence for every $x \in \overleftarrow{\pi(\overleftrightarrow{t})}$ we can find a unique $k \in \overleftarrow{m_0}$ such that $x \equiv x_0 + k\pi(I) \pmod{m_0}$. Thus, for every $x$ in the extended secret space, there is a plausible value in $\overleftarrow{m_0}$ such that $x = x_0 + k\pi(I)$. This suggests that knowledge of fewer than $t+1$ shares will not be sufficient to recover the extended secret $x$ uniquely through the algorithm used with knowledge of more than $t$ shares, since there are at least $m_0$ possible values for $x$. The purpose of the remainder of this chapter is to analyze this "insufficiency" in quantitative terms.

A variant of Mignotte's scheme was studied by Asmuth and Bloom [AB83].

2. The Chinese Remainder Theorem and the Number of Possible Extensions of a Secret

The following elementary observation will play a crucial role in this chapter.

Lemma 4.5. Let $a, m, M$ be integers satisfying $0 \le a < m$, and let $r$ be the remainder of $M$ upon division by $m$, so that $0 \le r < m$. Let
$$A = \{\, x \in \overleftarrow{M} \mid x \equiv a \pmod{m} \,\}.$$
Then the cardinality of $A$ is given by
$$|A| = \begin{cases} \lfloor M/m \rfloor + 1, & \text{if } r > a, \\ \lfloor M/m \rfloor, & \text{if } r \le a. \end{cases}$$

Proof. Let $M = mq + r$ with $0 \le r < m$, where $q = \lfloor M/m \rfloor$ and $r$ is the unique remainder of $M$ upon division by $m$. Every element $x \in A$ satisfies $x = km + a$ for some unique $k \in \mathbb{Z}$. In order to find the cardinality of $A$, we count the number of possible values of the integer $k$. Since $0 \le x < M$, we have $0 \le km + a < mq + r$, so
$$-\frac{a}{m} \le k < q + \frac{r-a}{m}.$$
Since $0 \le a < m$ by hypothesis, $-1 < -a/m \le 0$, so the smallest integer value that $k$ can take is $0$. To find an upper bound for $k$ we consider two cases.

Suppose first $r > a$. Since $r < m$, we have $0 < \frac{r-a}{m} < 1$; hence the largest integer value that $k$ can take is $q$. Thus, in this case, $|A| = q + 1 = \lfloor M/m \rfloor + 1$.

Suppose now $r \le a$. We have $-1 < \frac{r-a}{m} \le 0$; hence the largest integer value that $k$ can take is $q - 1$. Thus, in this case, $|A| = q = \lfloor M/m \rfloor$. □

Remarks 4.6. (1) By Lemma 4.5, the cardinality of $A$ can be written as follows:
$$|A| = \frac{M}{m} + \theta, \quad \text{where } \theta = \theta_{M,m,a} \text{ satisfies } |\theta| < 1.$$
(2) If $M < m$, then $|A|$ is either $0$ or $1$, depending on the value of $a$.
(3) Suppose that $m_1, \dots, m_v$ are relatively prime positive integers and we need to evaluate the cardinality of
$$B = \{\, x \in \overleftarrow{M} \mid x \equiv a_i \pmod{m_i} \text{ for } i = 1, \dots, v \,\}.$$
Let
$$\varphi : \mathbb{Z}_{m_1} \times \cdots \times \mathbb{Z}_{m_v} \to \mathbb{Z}_{\pi(\overrightarrow{v})}$$
be the bijection given by Theorem 1.14. Then
$$B = \{\, x \in \overleftarrow{M} \mid x \equiv \varphi((a_i)_{i \in \overrightarrow{v}}) \pmod{\pi(\overrightarrow{v})} \,\},$$
and Lemma 4.5 can be applied to estimate the cardinality of $B$ as
$$|B| = \frac{M}{\pi(\overrightarrow{v})} + \theta,$$
where $\theta = \theta_{M,\, \pi(\overrightarrow{v}),\, \varphi((a_i)_{i \in \overrightarrow{v}})}$ satisfies $|\theta| < 1$. As in (2) above, if $M < \pi(\overrightarrow{v})$, then $|B|$ is either $0$ or $1$, depending on the values $a_i$, for $i \in \overrightarrow{v}$.

3. Asymptotic Analysis of Secret Sharing Using Mignotte Sequences

We will invoke the notational conventions introduced in Section 1, namely, the script letters $\mathcal{S}, \mathcal{X}, \mathcal{Y}_i$ ($i = 1, \dots, l$) denote the secret space, the extended secret space, and the share spaces, respectively; the Roman letters $S, X, Y_i$ ($i = 1, \dots, l$) denote the secret, the extended secret, and the shares (as random variables). In order to study the security of the $(t, l)$-threshold scheme, one would like to quantify the information gained by a certain coalition of members $I \subseteq \overrightarrow{l}$ by their knowledge of the shares $(Y_i)_{i \in I}$. A plausible approach is to compare the distribution of the secret $S$ against the conditional distribution of $S$ given observed values of $Y_i$ for $i \in I$, i.e., to compare $P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ with $P(S = s)$. If the quotient
$$\frac{P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I})}{P(S = s)} \tag{9}$$
is close to $1$, little or no information is gained about the secret by the members of the coalition.

In what follows, we will study the quotient (9) in the scheme based on the Chinese Remainder Theorem introduced in Section 1, following the notation of that section. In Lemma 4.7 we compute $P(S = s)$, and in Lemmas 4.11 and 4.12 we estimate $P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$.

Lemma 4.7. If the distribution of $X$ is uniform, then the distribution of $S$ is uniform too.

Proof. If $s \in \mathcal{S}$, the probability that $S$ takes the value $s$ is
$$P(S = s) = \frac{\bigl|\{\, x \in \overleftarrow{\pi(\overleftrightarrow{t})} \mid x \equiv s \pmod{m_0} \,\}\bigr|}{\pi(\overleftrightarrow{t})}.$$
Since $m_0 \mid \pi(\overleftrightarrow{t})$, by Lemma 4.5 we have
$$P(S = s) = \frac{\pi(\overleftrightarrow{t})/m_0}{\pi(\overleftrightarrow{t})} = \frac{1}{m_0}. \tag{10}$$
□

Lemma 4.8. Let $m_0, m_1, \dots, m_l$ be a $(t+1, l)$-Mignotte sequence, and let $I$ be a subset of $\{1, \dots, l\}$ with $|I| = t$. Then
$$P(S = s \text{ and } (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\eta}{\pi(\overleftrightarrow{t})}, \tag{11}$$
where the only possible values of $\eta$ are $0$ and $1$.

Proof. If $y_i \in \mathcal{Y}_i$ for $i \in I$,
$$P(S = s \text{ and } (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\bigl|\{\, x \in \overleftarrow{\pi(\overleftrightarrow{t})} \mid x \equiv s \pmod{m_0} \text{ and } x \equiv y_i \pmod{m_i} \text{ for } i \in I \,\}\bigr|}{\pi(\overleftrightarrow{t})}. \tag{12}$$
By Remark 4.6-(3),
$$\frac{\bigl|\{\, x \in \overleftarrow{\pi(\overleftrightarrow{t})} \mid x \equiv s \pmod{m_0} \text{ and } x \equiv y_i \pmod{m_i} \text{ for } i \in I \,\}\bigr|}{\pi(\overleftrightarrow{t})} = \frac{\dfrac{\pi(\overleftrightarrow{t})}{\pi(\overleftrightarrow{I})} + \theta}{\pi(\overleftrightarrow{t})},$$
where $|\theta| < 1$. Since $|I| \le t$ and $m_0 < m_1 < \cdots < m_l$, we have $\pi(\overleftrightarrow{t}) \le \pi(\overleftrightarrow{I})$. Since the numerator of the preceding fraction is an integer, we must have
$$P(S = s \text{ and } (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\eta}{\pi(\overleftrightarrow{t})},$$
where $\eta = \eta_{s,\,(y_i)_{i \in I}}$ takes only the values $0$ and $1$. □

Remark 4.9. Note that Equation (11) implies that the joint variable $Z = (S, (Y_i)_{i \in I})$ is uniform on its support.

Lemma 4.10. If $I$ is a subset of $\{1, \dots, l\}$, then
$$P((Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta}{\pi(\overleftrightarrow{t})} = \frac{1}{\pi(I)} + \frac{\theta}{\pi(\overleftrightarrow{t})},$$
where $\theta = \theta_{(y_i)_{i \in I}}$ satisfies $|\theta| < 1$.

Proof. The probability that $Y_i$ takes the value $y_i$ for every $i \in I$ is
$$P((Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\bigl|\{\, x \in \overleftarrow{\pi(\overleftrightarrow{t})} \mid x \equiv y_i \pmod{m_i} \text{ for } i \in I \,\}\bigr|}{\pi(\overleftrightarrow{t})}.$$
By Remark 4.6-(3),
$$P((Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta}{\pi(\overleftrightarrow{t})} = \frac{1}{\pi(I)} + \frac{\theta}{\pi(\overleftrightarrow{t})},$$
where $\theta = \theta_{(y_i)_{i \in I}}$ satisfies $|\theta| < 1$. □

Lemma 4.11. If $I$ is a subset of $\{1, \dots, l\}$ such that $|I| = t$, then
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\eta}{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta},$$
where $|\theta| < 1$ and the only possible values of $\eta$ are $0$ and $1$.

Proof. By definition of conditional probability,
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{P(S = s \text{ and } (Y_i)_{i \in I} = (y_i)_{i \in I})}{P((Y_i)_{i \in I} = (y_i)_{i \in I})}.$$
Using Lemmas 4.8 and 4.10 we get
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\eta / \pi(\overleftrightarrow{t})}{\dfrac{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta}{\pi(\overleftrightarrow{t})}} = \frac{\eta}{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta},$$
where $|\theta| < 1$ and the only possible values of $\eta$ are $0$ and $1$. □

Let $\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ denote the support of $S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}$, i.e., the set of values at which the probability of the conditioned random variable is not zero.

Lemma 4.12. Let $I$ be a subset of $\{1, \dots, l\}$ with $|I| = t$. Then there exists $\theta$ with $|\theta| < 1$, depending only on $(y_i)_{i \in I}$, such that:
(1) The cardinality of $\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ is $\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta$.
(2) The random variable $S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}$ is uniformly distributed on its support.

Proof. By Lemma 4.11,
$$\bigl|\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})\bigr| = \frac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta,$$
where $|\theta| < 1$. Therefore, the cardinality of $\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ is always either $\left\lfloor \dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} \right\rfloor$ or $\left\lceil \dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} \right\rceil$, irrespective of the values taken by $(y_i)_{i \in I}$. This proves (1). Lemma 4.11 can be restated by saying that for all $s$ in $\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$,
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{1}{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} + \theta},$$
where $\theta = \theta_{(y_i)_{i \in I}}$ does not depend on $s$. Together with (1), this proves (2). □

We now combine the preceding lemmas to estimate the loss of entropy $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ (see Definition 2.1).
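The scheme of Section 1, the candidate count of Section 1 and the counting formula of Lemma 4.5 (which also gives the support size of Lemma 4.12), worked through in code as an added example. This is not code from the thesis: the moduli 97, 101, 103, 107, 109, 113 are a constructed (3, 5)-Mignotte sequence (t = 2), the secret 42 is a constructed value, and every function name is the example's own.

```python
# Added example (not the thesis's code): the (t, l)-threshold scheme of
# Section 1 over a constructed Mignotte sequence, with the number of secrets
# consistent with t shares compared against the formula of Lemma 4.5.
from math import gcd, prod
import secrets

# Constructed (t+1, l)-Mignotte sequence with t = 2, l = 5: 97*101*103 > 109*113.
MODULI = [97, 101, 103, 107, 109, 113]   # m0, m1, ..., m5
T = 2


def is_mignotte_sequence(m, t):
    """Definition 4.3: increasing, pairwise coprime, m0*...*mt > m_{l-t+1}*...*ml."""
    l = len(m) - 1
    increasing = all(m[i] < m[i + 1] for i in range(l))
    coprime = all(gcd(m[i], m[j]) == 1
                  for i in range(l + 1) for j in range(i + 1, l + 1))
    return increasing and coprime and prod(m[:t + 1]) > prod(m[l - t + 1:])


def crt(residues, moduli):
    """Unique x in [0, prod(moduli)) with x = r_i (mod n_i); moduli pairwise coprime."""
    n = prod(moduli)
    x = 0
    for r, ni in zip(residues, moduli):
        ni_bar = n // ni
        x += r * ni_bar * pow(ni_bar, -1, ni)   # modular inverse (Python >= 3.8)
    return x % n


def share(secret, m, t, randbelow=secrets.randbelow):
    """Dealer step: extended secret x in [0, pi(<->t)) with x = secret (mod m0),
    then shares y_i = x mod m_i for i = 1..l.  Returns (x, [y_1, ..., y_l])."""
    m0, rest = m[0], m[1:]
    pi_t = prod(rest[:t])                  # pi(->t) = m1 * ... * mt
    x = secret + m0 * randbelow(pi_t)      # uniform among the pi(->t) lifts of secret
    return x, [x % mi for mi in rest]


def recover(shares_by_index, m, t):
    """Coalition step of Section 1: needs |I| >= t+1 so that pi(<->t) < pi(I)."""
    if len(shares_by_index) < t + 1:
        raise ValueError("fewer than t+1 shares do not determine the secret")
    idx = sorted(shares_by_index)
    z = crt([shares_by_index[i] for i in idx], [m[i] for i in idx])
    return z % m[0]                        # tau(z)


def candidate_secrets(shares_by_index, m, t):
    """Secrets consistent with a coalition's shares: x = x0 + k*pi(I), 0 <= x < pi(<->t)."""
    idx = sorted(shares_by_index)
    pi_I = prod(m[i] for i in idx)
    x0 = crt([shares_by_index[i] for i in idx], [m[i] for i in idx])
    bound = prod(m[:t + 1])                # pi(<->t)
    return sorted({x % m[0] for x in range(x0, bound, pi_I)})


def lemma_4_5_count(M, m, a):
    """|{x in [0, M) : x = a (mod m)}| by Lemma 4.5: floor(M/m), plus 1 if r > a."""
    q, r = divmod(M, m)
    return q + 1 if r > a else q


def lifts_predicted_by_lemma(shares_by_index, m, t):
    """Number of extended secrets consistent with the shares, via Lemma 4.5
    with M = pi(<->t), modulus pi(I) and a = x0 (the support size of Lemma 4.12)."""
    idx = sorted(shares_by_index)
    pi_I = prod(m[i] for i in idx)
    x0 = crt([shares_by_index[i] for i in idx], [m[i] for i in idx])
    return lemma_4_5_count(prod(m[:t + 1]), pi_I, x0)


if __name__ == "__main__":
    assert is_mignotte_sequence(MODULI, T)
    x, ys = share(42, MODULI, T)
    three = {i: ys[i - 1] for i in (1, 3, 5)}
    print("recovered from 3 shares:", recover(three, MODULI, T))
    two = {i: ys[i - 1] for i in (2, 4)}
    print("secrets consistent with 2 shares:", len(candidate_secrets(two, MODULI, T)),
          "(Lemma 4.5 predicts", lifts_predicted_by_lemma(two, MODULI, T), "lifts)")
```

With three shares `recover` returns the secret; with the two shares of moduli 103 and 109, `candidate_secrets` lists 90 of the 97 possible secrets, and that count is exactly what Lemma 4.5 gives for $M = \pi(\overleftrightarrow{t})$, modulus $\pi(I)$ and $a = x_0$ (the lifts are distinct modulo $m_0$ because $\gcd(\pi(I), m_0) = 1$ and there are fewer than $m_0$ of them). A coalition of $t$ members thus rules out only a few secrets, which is the "insufficiency" that Theorem 4.13 bounds.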
Theorem 4.13. Let $I$ be a subset of $\{1, \dots, l\}$ such that $|I| = t$. Assume that the number of bits required to represent any secret $s \in \overleftarrow{m_0}$ and any share $y_i \in \overleftarrow{m_i}$ ($i \in \overrightarrow{l}$) is $k+1$, where $k \ge t+1$. Then
(1) The support of $S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}$ satisfies
$$\frac{|\mathcal{S}|}{2^{t+1}} \le \bigl|\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})\bigr| \le |\mathcal{S}|.$$
(2) The loss of entropy of $S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}$ satisfies
$$0 \le \Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le (t+1) \log 2.$$

The estimate (1) can be interpreted as saying that knowledge of the shares shrinks the secret space by no more than a factor of $2^{t+1}$, which means that the secret space loses strength by at most $t+1$ bits. The estimate (2) implies that the coalition $I \subseteq \overrightarrow{l}$ can gain at most approximately $t+1$ bits of information about the secret. The bit length $k$ can be made sufficiently large so that gaining $t+1$ bits of information is insignificant in comparison.

Proof. We have
$$2^k < m_i \le 2^{k+1}, \quad \text{for } i \in \overleftrightarrow{l}. \tag{13}$$
The cardinality of $\mathcal{S}$ is $m_0$ and the cardinality of $\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ is given by Lemma 4.12. Hence
$$\frac{\bigl|\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})\bigr|}{|\mathcal{S}|} = \frac{\pi(\overrightarrow{t})}{\pi(I)} + \frac{\theta}{m_0}.$$
Let us estimate this quotient. Suppose $I = \{i_1, \dots, i_t\}$. By (13),
$$\frac{\pi(\overrightarrow{t})}{\pi(I)} = \frac{\prod_{j=1}^{t} m_j}{\prod_{j=1}^{t} m_{i_j}} = \prod_{j=1}^{t} \frac{m_j}{m_{i_j}} \ge \prod_{j=1}^{t} \frac{2^k}{2^{k+1}} = 2^{-t}. \tag{14}$$
Also,
$$\frac{\theta}{m_0} > -\frac{1}{m_0} > -\frac{1}{2^k}. \tag{15}$$
Since $k \ge t+1$, we have $2^{-t} - 2^{-k} \ge 2^{-(t+1)}$, so by (14) and (15) we obtain
$$\frac{|\mathcal{S}|}{2^{t+1}} \le \bigl|\operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})\bigr| \le |\mathcal{S}|.$$
This proves the first part of the theorem.

By Lemmas 4.7 and 4.12,
$$P(S = s) \le P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le P(S = s) \cdot 2^{t+1}, \quad \text{for } s \in \operatorname{supp}(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}). \tag{16}$$
Recall that $P(S = s) = \frac{1}{m_0}$. Thus,
$$\frac{1}{m_0} \le P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \frac{2^{t+1}}{m_0}.$$
Let us compare the probabilities using entropy. By Proposition 1.12-(3),
$$\log m_0 - (t+1)\log 2 \le H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log m_0. \tag{17}$$
Since $S$ is uniform on $\mathcal{S}$, by Proposition 1.12-(4),
$$H(S) = \log m_0. \tag{18}$$
By the definition of loss of entropy (Definition 2.1),
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = H(S) - H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}).$$
Combining (17) and (18), we obtain
$$0 \le \Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le (t+1) \log 2.$$
□

4. Security of the Threshold Scheme Based on the Chinese Remainder Theorem

In this section, we study the security of the threshold scheme described in Section 1. We follow the same notational conventions as in Section 3.

Lemma 4.14. The loss of entropy of the secret $s \in \overleftarrow{m_0}$ given the shares $\{\, y_i \in \overleftarrow{m_i} : i \in I \,\}$ satisfies
• $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log \left( m_0 \, \dfrac{\lfloor \pi(\overleftrightarrow{t})/\pi(\overleftrightarrow{I}) \rfloor + 1}{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor} \right)$, if $\pi(\overleftrightarrow{t}) \ge \pi(I)$,
• $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \log m_0$, if $\pi(\overleftrightarrow{t}) < \pi(I)$.

Proof. Let us first consider the case $\pi(\overleftrightarrow{t}) \ge \pi(I)$. By the definition of conditional probability,
$$P(S = s \mid \sigma_I(X) = (y_i)_{i \in I}) = \frac{\bigl|\{\, x \in \mathcal{X} \mid \tau(x) = s \text{ and } \sigma_I(x) = (y_i)_{i \in I} \,\}\bigr|}{\bigl|\{\, x \in \mathcal{X} \mid \sigma_I(x) = (y_i)_{i \in I} \,\}\bigr|}.$$
By Remark 4.6, the numerator is bounded above by $\lfloor \pi(\overleftrightarrow{t})/\pi(\overleftrightarrow{I}) \rfloor + 1 = \lfloor \pi(\overrightarrow{t})/\pi(I) \rfloor + 1$ and the denominator is bounded below by $\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor$. Hence,
$$P(S = s \mid \sigma_I(X) = (y_i)_{i \in I}) \le \frac{\lfloor \pi(\overrightarrow{t})/\pi(I) \rfloor + 1}{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor}.$$
Using Proposition 1.12-(3),
$$H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \ge \log \frac{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor}{\lfloor \pi(\overrightarrow{t})/\pi(I) \rfloor + 1}. \tag{19}$$
By Lemma 4.7, $P(S = s) = \frac{1}{m_0}$, and hence, by Proposition 1.12-(4),
$$H(S) = \log m_0. \tag{20}$$
Thus, by Definition 2.1 and (19), (20),
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log \left( m_0 \, \frac{\lfloor \pi(\overrightarrow{t})/\pi(I) \rfloor + 1}{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor} \right).$$
Now we consider the case where $\pi(\overleftrightarrow{t}) < \pi(I)$. By the remarks preceding the definition of Mignotte sequence (see Section 1), the secret can be recovered uniquely using the Chinese Remainder Theorem, so, by Proposition 1.12-(2), $H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0$. Therefore, by (20), $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \log m_0$. □

Definition 4.15. Let $\delta > 0$. We will say that a sequence of integers $m_0, \dots, m_l$ is $\delta$-tight if
(1) $0 < m_0 < m_1 < \cdots < m_l$,
(2) $m_0, \dots, m_l$ are pairwise relatively prime,
(3) $m_l < m_0^{1+\delta}$.

Proposition 4.16. For every positive integer $t$ and for every $\delta > 0$, there exist arbitrarily large $\delta$-tight sequences $m_0 < \cdots < m_l$. Furthermore, if $\delta < 1/t$, then $m_0, \dots, m_l$ is a $(t+1, l)$-Mignotte sequence.

Proof. The first part of the proposition follows from the Prime Number Theorem. The details can be found in Lemmas 1.1 and 1.2 in [DDI07]. For the second part, notice that if $m_0, \dots, m_l$ is $\delta$-tight and $I \subseteq \overrightarrow{l}$ where $|I| \le t$, then
$$\frac{\pi(\overleftrightarrow{t})}{\pi(I)} > \frac{m_0^{t+1}}{m_0^{(1+\delta)t}} > 1.$$
So $m_0, \dots, m_l$ is a $(t+1, l)$-Mignotte sequence. □

Theorem 4.17. Suppose that $0 < \delta < 1/t$ and $m_0, \dots, m_l$ is a $\delta$-tight sequence. Then, for every $\varepsilon > 0$ there exist $k \ge 0$ and $\delta > 0$ such that if $m_0, \dots, m_l$ is $\delta$-tight and $m_0 \ge k$,
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \varepsilon,$$
for every $I \subseteq \overrightarrow{l}$ with $|I| \le t$.

Proof. To consider the worst case scenario, let us assume that $|I| = t$. Suppose the sequence $m_0, \dots, m_l$ is $\delta$-tight. Since $\delta < 1/t$, it is true that $\frac{\pi(\overleftrightarrow{t})}{\pi(I)} > 1$ (see the second part of Proposition 4.16). Fix $\varepsilon > 0$.

First, let us consider the case when the $t$ elements in $I$ are $\{1, \dots, t\}$. Then,
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = P(\tau(X) = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\bigl|\{\, x \in \mathcal{X} \mid x \equiv s \pmod{m_0} \text{ and } x \equiv y_i \pmod{m_i} \text{ for } i \in \overrightarrow{t} \,\}\bigr|}{\bigl|\{\, x \in \mathcal{X} \mid x \equiv y_i \pmod{m_i} \text{ for } i \in \overrightarrow{t} \,\}\bigr|}.$$
By Remark 4.6,
$$P(S = s \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \frac{\dfrac{\pi(\overleftrightarrow{t})}{m_0 \cdot \pi(\overrightarrow{t})}}{\dfrac{\pi(\overleftrightarrow{t})}{\pi(\overrightarrow{t})}} = \frac{1}{m_0}.$$
Hence, by Proposition 1.12-(4), $H(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = \log m_0$. The probability distribution of $S$ is uniform and its entropy is $H(S) = \log m_0$. Thus, $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) = 0 < \varepsilon$.

Now we consider the case when $I \ne \{1, \dots, t\}$. By Lemma 4.14, for sufficiently large $m_0$,
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log \left( m_0 \, \frac{\lfloor \pi(\overrightarrow{t})/\pi(I) \rfloor + 1}{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor} \right). \tag{21}$$
Notice that
$$\frac{\pi(\overrightarrow{t})}{\pi(I)} < \frac{m_1 \cdots m_t}{m_1 \cdots m_t} = 1.$$
Therefore,
$$\left\lfloor \frac{\pi(\overrightarrow{t})}{\pi(I)} \right\rfloor = \left\lfloor \frac{\pi(\overleftrightarrow{t})}{m_0 \cdot \pi(I)} \right\rfloor < \frac{m_0}{m_0} = 1,$$
and hence
$$\left\lfloor \frac{\pi(\overrightarrow{t})}{\pi(I)} \right\rfloor = 0.$$
Combining this with (21), we obtain
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log \left( \frac{m_0}{\lfloor \pi(\overleftrightarrow{t})/\pi(I) \rfloor} \right) < \log \left( \frac{m_0}{\dfrac{\pi(\overleftrightarrow{t})}{\pi(I)} - 1} \right) = \log \left( \frac{m_0 \, \pi(I)}{\pi(\overleftrightarrow{t}) - \pi(I)} \right).$$
Since $m_0, \dots, m_l$ are in the interval $[m_0, m_0^{1+\delta})$, we have
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \log \left( \frac{m_0 \, m_0^{(1+\delta)t}}{m_0^{t+1} - m_0^{(1+\delta)t}} \right) = \log \left( \frac{m_0 \, m_0^{\delta t}}{m_0 - m_0^{\delta t}} \right).$$
Let us choose $m_0$ large enough so that
$$\log \frac{m_0}{m_0 - 1} \le \varepsilon/2. \tag{22}$$
Notice that
$$\frac{m_0 \, m_0^{\delta t}}{m_0 - m_0^{\delta t}} \to \frac{m_0}{m_0 - 1} \quad \text{as } \delta \to 0.$$
Choose $\delta$ small enough so that
$$\log \frac{m_0 \, m_0^{\delta t}}{m_0 - m_0^{\delta t}} \le \log \frac{m_0}{m_0 - 1} + \varepsilon/2. \tag{23}$$
Then, from (22) and (23), $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \varepsilon$. □

Recall from Definition 2.3 that a threshold scheme is asymptotically perfect if for every $\varepsilon > 0$ and every $t \in \mathbb{N}$ there exist $k, l_0 \ge 0$ such that if
• $l > l_0$,
• $|\mathcal{S}| \ge k$,
• $|\mathcal{Y}_i| \ge k$ for $i \in \overrightarrow{l}$, and
• $I \subseteq \overrightarrow{l}$ satisfies $|I| \le t$,
then $|\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})| \le \varepsilon$.

Corollary 4.18. Mignotte's threshold scheme is asymptotically perfect.

Proof. Fix $\varepsilon > 0$ and $t \in \mathbb{N}$. Let $l_0 = t+1$. By Theorem 4.17 there exist $m_0$ and $\delta > 0$ such that for every $l \ge l_0$ and $k$ satisfying
• $k \ge m_0 = |\mathcal{S}|$,
• $k > m_0^{1+\delta} > m_l > |\mathcal{Y}_i|$ for every $i \in \{0, \dots, l\}$,
one has
$$\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I}) \le \varepsilon$$
for every $I \subseteq \overrightarrow{l}$ such that $|I| \le t$. This proves the Corollary. □
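The loss of entropy $\Delta(S \mid (Y_i)_{i \in I} = (y_i)_{i \in I})$ of Definition 2.1 can be computed exhaustively for a small Mignotte sequence and compared with the bound of Lemma 4.14 and with the two cases in the proof of Theorem 4.17. The code below is an added example, not part of the thesis: the moduli 7, 11, 13, 17, 19 are a constructed (3, 4)-Mignotte sequence (t = 2), entropies are in bits, and all function names are the example's own.

```python
# Added example (not the thesis's code): Delta(S | (Y_i)_{i in I} = (y_i)_{i in I})
# from Definition 2.1, computed by enumerating the extended secret space
# [0, pi(<->t)) with X uniform, and compared with the bound of Lemma 4.14.
from collections import Counter
from math import floor, log2, prod

MODULI = [7, 11, 13, 17, 19]   # constructed m0..m4; 7*11*13 = 1001 > 17*19 = 323
T = 2                          # any t+1 = 3 shares determine the extended secret


def entropy_bits(counts):
    """Shannon entropy, in bits, of the distribution given by a Counter of frequencies."""
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def entropy_loss(m, t, I):
    """Return (worst-case Delta over all share tuples, H(S)), both in bits."""
    bound = prod(m[:t + 1])                              # |X| = pi(<->t)
    joint = Counter((x % m[0], tuple(x % m[i] for i in I)) for x in range(bound))
    marginal = Counter()                                 # distribution of S
    conditional = {}                                     # share tuple -> Counter over s
    for (s, ys), c in joint.items():
        marginal[s] += c
        conditional.setdefault(ys, Counter())[s] += c
    h_s = entropy_bits(marginal)                         # = log2 m0 by Lemma 4.7
    worst = max(h_s - entropy_bits(cond) for cond in conditional.values())
    return worst, h_s


def lemma_4_14_bound(m, t, I):
    """Upper bound of Lemma 4.14 on Delta, in bits, for the coalition I."""
    pi_full = prod(m[:t + 1])       # pi(<->t)
    pi_t = prod(m[1:t + 1])         # pi(->t)
    pi_I = prod(m[i] for i in I)
    if pi_full < pi_I:              # second case: the shares determine the secret
        return log2(m[0])
    return log2(m[0] * (floor(pi_t / pi_I) + 1) / floor(pi_full / pi_I))


if __name__ == "__main__":
    for I in ([1, 2], [2, 4], [1, 2, 3]):
        worst, h_s = entropy_loss(MODULI, T, I)
        print(f"I={I}: H(S)={h_s:.3f} bits, worst Delta={worst:.3f}, "
              f"Lemma 4.14 bound={lemma_4_14_bound(MODULI, T, I):.3f}")
```

For $I = \{1, 2\}$ (moduli 11 and 13, so $\pi(I) = \pi(\overrightarrow{t})$) the loss is exactly 0, the first case in the proof of Theorem 4.17. For $I = \{2, 4\}$ (moduli 13 and 19) the worst share tuple leaves only 4 of the 7 secrets possible, so $\Delta = \log_2 7 - 2 = \log_2(7/4)$, which coincides with the Lemma 4.14 bound $\log_2\bigl(m_0 \cdot 1 / \lfloor 1001/247 \rfloor\bigr)$. For $I = \{1, 2, 3\}$, $\pi(I) = 2431 > 1001 = \pi(\overleftrightarrow{t})$, and the loss is the full $\log_2 7 = H(S)$, the second case of Lemma 4.14.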
Bibliography

[AB83] Charles Asmuth and John Bloom, A modular approach to key safeguarding, IEEE Trans. Inform. Theory 29 (1983), no. 2, 208–210. MR712377 (84k:94016)
[Bar86] Andrew R. Barron, Entropy and the central limit theorem, Ann. Probab. 14 (1986), no. 1, 336–342. MR815975 (87h:60048)
[BB79] G. R. Blakley and I. Borosh, Safeguarding cryptographic keys, Proceedings of the National Computer Conference 48 (1979), 313–317.
[DDI07] Stephanie Deacon, Eduardo Dueñez, and José Iovino, A public-key threshold cryptosystem based on residue rings, J. Discrete Math. Sci. Cryptogr. 10 (2007), no. 4, 559–571. MR2447015
[DH76] Whitfield Diffie and Martin E. Hellman, New directions in cryptography, IEEE Trans. Information Theory IT-22 (1976), no. 6, 644–654. MR0437208 (55 #10141)
[ElG85] Taher ElGamal, A public key cryptosystem and a signature scheme based on discrete logarithms, Advances in cryptology (Santa Barbara, Calif., 1984), Lecture Notes in Comput. Sci., vol. 196, Springer, Berlin, 1985, pp. 10–18. MR820009 (87b:94037)
[Fel87] Paul Feldman, A practical scheme for non-interactive verifiable secret sharing, SFCS '87: Proceedings of the 28th Annual Symposium on Foundations of Computer Science (Washington, DC, USA), IEEE Computer Society, 1987, pp. 427–438.
[Mig83] Maurice Mignotte, How to share a secret, Cryptography (Burg Feuerstein, 1982), Lecture Notes in Comput. Sci., vol. 149, Springer, Berlin, 1983, pp. 371–375. MR707286 (85a:94025)
[Ped91] Torben P. Pedersen, A threshold cryptosystem without a trusted party, EUROCRYPT, vol. 547, Springer-Verlag, 1991, pp. 522–526.
[PH78] Stephen C. Pohlig and Martin E. Hellman, An improved algorithm for computing logarithms over GF(p) and its cryptographic significance, IEEE Trans. Information Theory IT-24 (1978), no. 1, 106–110. MR0484737 (58 #4617)
[QPV02] Michaël Quisquater, Bart Preneel, and Joos Vandewalle, On the security of the threshold scheme based on the Chinese remainder theorem, PKC '02: Proceedings of the 5th International Workshop on Practice and Theory in Public Key Cryptosystems (London, UK), Springer-Verlag, 2002, pp. 199–210.
[Ros84] Kenneth H. Rosen, Elementary number theory and its applications, Addison-Wesley Publishing Company Advanced Book Program, Reading, MA, 1984. MR755333 (85m:11002)
[Rud87] Walter Rudin, Real and complex analysis, third ed., McGraw-Hill Book Co., New York, 1987. MR924157 (88k:00002)
[Sha48] C. E. Shannon, A mathematical theory of communication, Bell System Tech. J. 27 (1948), 379–423, 623–656. MR0026286 (10,133e)
[Sha79] Adi Shamir, How to share a secret, Communications of the ACM 22 (1979), 612–613.
[SW49] Claude E. Shannon and Warren Weaver, The Mathematical Theory of Communication, The University of Illinois Press, Urbana, Ill., 1949. MR0032134 (11,258e)
[Wie49] Norbert Wiener, Extrapolation, Interpolation, and Smoothing of Stationary Time Series. With Engineering Applications, The Technology Press of the Massachusetts Institute of Technology, Cambridge, Mass., 1949. MR0031213 (11,118j)