Using Ciphertext Policy Attribute Based Encryption for
Verifiable Secret Sharing
Nishant Doshi (1), Devesh Jinwala (2)
(1, 2) Computer Engineering Department, S V National Institute of Technology, Surat, India
Abstract - Threshold secret sharing schemes are used by a dealer to divide a given secret into parts such that no fewer than the threshold number of shareholders can reconstruct the secret. However, these schemes are susceptible to the malicious behavior of a shareholder or of the dealer. To prevent such attacks, it is necessary to make provision for verifying the integrity of the shares distributed by the dealer. Such verification ensures fair reconstruction of the secret. In this paper, we present a novel approach to verifiable secret sharing in which neither the dealer nor the shareholders are assumed to be honest. Our proposed scheme uses attribute based encryption (ABE) to provide verifiability and the semantically correct reconstruction of the secret. We call the new protocol AB-VSS (Attribute Based Verifiable Secret Sharing).
Keywords: Attribute, Attribute based cryptography, Network
Security, Verifiable secret sharing.
1 Introduction
In modern cryptography, the security of a cipher depends heavily on the secrecy of the cryptographic key used by the cipher. Hence, the key must be carefully guarded, i.e. stored with the highest level of security. Obviously, one of the most secure ways to do so is to keep the key in a single well-guarded location. However, once the "well-guarded" location is compromised, the system fails completely. Hence, the other extreme is to distribute the secret across multiple locations. However, such a de-centralized approach increases the vulnerability to failure and makes the task of potential attackers a bit easier. Additionally, in the real world, the stakeholders and the key distributor may not trust each other. Secret sharing then appears to be a good solution to such problems. In secret sharing, a secret is distributed and shared across a number of shareholders with the caveat that no fewer than a designated number of shareholders are able to reconstruct the secret. "Secret sharing" as such is a bit of a misnomer: the shares of a secret, and not the entire secret, are distributed among a set of participants in order to deal with the mutual mistrust. Hence, the scheme is better termed threshold secret sharing.
Adi Shamir [1] and G. Blakley [2] independently introduced the concept of threshold secret sharing in 1979. As per these proposals, a dealer D who holds a secret s distributes it amongst n shareholders in such a way that a quorum of fewer than t shareholders cannot regenerate the secret; that is, any combination of at least t shareholders is required to regenerate the same secret correctly. An interesting real-world example illustrating this scenario was given in Time Magazine, according to which the erstwhile USSR used a two-out-of-three access control mechanism to control its nuclear weapons in the early 1980s. The three parties, viz. the President, the Defense Minister and the Defense Ministry, were involved in executing this scheme.
Shamir's threshold secret sharing scheme [1] has been extensively studied in the literature. Shamir's scheme is information-theoretically secure, but it does not provide any security against cheating, as it assumes that the dealer and the shareholders are honest. However, in the real world, dealers and shareholders may behave otherwise. A misbehaving dealer can distribute inconsistent shares to the participants, or misbehaving shareholders can submit fake shares during reconstruction. To prevent such malicious behavior by cheaters, we need a Verifiable Secret Sharing (VSS) scheme. VSS was first proposed in 1985 by Benny Chor et al. [3]. In their scheme, the validity of the shares distributed by a dealer is verified by the shareholders without revealing any information about the secret. The initial VSSs were interactive verifiable secret sharing schemes, in that they required interaction between the dealer and the shareholders to verify the validity of the shares [4]. This scheme used homomorphisms and a probabilistic encryption function. However, as we observe, this scheme only verifies the shares provided by the dealer to the shareholders and does not verify the shares at secret reconstruction time. The required interaction itself imposes an enormous amount of extra overhead on the dealer, as a single dealer may have to deal with a large number of shareholders. Later, non-interactive verifiable secret sharing schemes were proposed to remove the extra overhead on the dealer [5][6][7].
The non-interactive VSS proposed by Paul Feldman in [5] relies on each share proving its own validity. The one proposed in [6] tries to verify the reconstructed secret by maximally matching the secret. This scheme works in the same way as [1] when a threshold number of parts are given to reconstruct the secret. The scheme proposed in [7] suggests iterating the process of secret sharing m times, with one secret being S and the others being dummy secrets, so that each shareholder holds m shares. This approach increases the storage requirements as well as the communication and computation cost. The schemes in [8][9] are based on the use of a hash function. The flaws in these schemes are already discussed in [10].
Thus, as per our observations, these schemes assume
that the dealer is honest and the shareholders accept their
shares without any verification. The shareholders simply
cannot identify cheaters in the system. The existing
approaches for verifiable secret sharing either verify the
shares, distributed by a dealer or submitted by shareholders
for secret reconstruction, or verify the reconstructed secret but
not both.
In order to verify shares, a dealer either transfers some additional information, like check vectors [11] or certificate vectors, or uses different encryption mechanisms. If a VSS does not use check vectors or certificate vectors, its security depends, in one way or another, on the intractability of a number-theoretic problem. If the scheme uses check vectors or certificate vectors, then it imposes extra overhead on the dealer to compute and distribute that extra information among a large number of participants.
In this paper, we use and extend the verifiable secret sharing approach not only to verify the validity of the shares distributed by a dealer, but also to verify the shares submitted by shareholders for secret reconstruction and to verify the reconstructed secret. We use the notions of Attribute Based Encryption to deal with the limitations of the existing schemes, at the same time offering user verification, secret distribution and secret regeneration using valid threshold secret parts.
The scheme proposed in [12] discusses the problem of cheater detection when there are cheaters among n = 2t-1 shareholders. However, this scheme is vulnerable to attacks. In the scheme proposed in [13], an Elliptic Curve Cryptography based approach is used for VSS. However, this scheme requires the dealer to hide the secret in a secure place. Hence, if the dealer is compromised, the secret is also lost forever. In comparison, in our approach anyone holding a threshold number of shares can regenerate the secret. In the scheme proposed in [14], the Chinese Remainder Theorem (CRT) is used for devising secret sharing. However, a malicious shareholder can change its own share, submit the fake share and help reconstruct a fake secret, rendering the scheme useless.
Thus, in comparison, our scheme, which employs the notions of Attribute Based Encryption, is free from all these attacks. In fact, to the best of our modest belief, ours is the first attempt at using Attribute Based Encryption for the purpose of secret sharing.
1.1 Attribute Based Cryptography (ABC)
In this section, we review the state of the art in ABC and discuss the justification for the scheme used in our approach.
ABC has actually been motivated by Identity Based Encryption (IBE), which in turn was motivated by overcoming the limitations of certificate management in traditional Public Key Cryptography. The basic focus in ABC is on using some of the publicly known attributes of a user as his public key. In traditional IBE systems, the identity of a user is specified using either the name, the email ID or the network address, i.e. a string of characters. This makes it cumbersome to establish the necessary correlation between a user's identity (in his private key) and the identity associated with the ciphertext that he intends to decrypt, because even a slight mismatch would cause the match to fail. Hence, in a variant of traditional IBE, the identity is specified in the form of descriptive attributes. In the first such scheme, proposed as Fuzzy Identity Based Encryption (FIBE) in [15], a user with identity W can decrypt a ciphertext meant for a user with identity W' if and only if |W ∩ W'| ≥ d, where d is some threshold value defined initially.
In [16], the authors propose more expressive ABE schemes in the form of two different systems, viz. Key Policy Attribute Based Encryption (KP-ABE) and Ciphertext Policy Attribute Based Encryption (CP-ABE). In KP-ABE, a ciphertext is associated with a defined set of attributes and the user's secret key is associated with a defined policy over those attributes. Hence, the secret key can be used successfully only if the attribute access structure policy defined in the key matches the attributes in the ciphertext. In contrast, the authors of [17] propose a fully functional Ciphertext Policy Attribute Based Encryption (CP-ABE) in which a user's secret key is associated with a defined set of attributes and the ciphertext is associated with a defined policy. One of the limitations of CP-ABE schemes is that the length of the ciphertext depends on the number of attributes. That is, with s being the number of attributes involved in the policy, the ciphertext length is O(s3). In [18], the authors propose another CP-ABE which has positive or negative attributes, but the decryption policies in it are limited to AND gates only. In [19][20], the authors first overcome the limitation due to the ciphertext length and propose a constant-size ciphertext.
Motivated by these efforts, in our scheme we use the approach proposed in [17]. For a large number of shares we can use the concepts of [19][20]. The authors of [21] use time-specific encryption, in which time is an attribute and a time-limit condition is part of the policy, so that a user can decrypt a ciphertext only if they hold valid attributes at the right time.
In VSS we can add a time attribute if we want the secret to be regenerated only at a specific time; after that time passes, the secret becomes invalid. For example, during a war we can generate a secret key to fire a missile and add a specific time limit, so that after the war is over the secret to fire the missile becomes invalid by itself. And if we want the user to be at a particular location at the time of secret generation or verification, then we can consider an extra attribute 'location' in our proposed scheme. If the same dealer has more than one set of n shareholders, and two shareholders from different sets exchange their secret keys (which are based on the hash values of their shares), then this attack is not possible in our approach, because if shareholders exchange keys then the new key cannot pass the policy.
Organization of the paper: The rest of the paper is organized as follows. The second section explains the preliminaries used throughout the paper. In the third section our proposed approach for verifiable secret sharing is introduced; we analyze it in the fourth section and show a snapshot using the CP-ABE toolkit. The last section concludes the paper, followed by the references.
2 Preliminaries
2.1 Notations
Most cryptographic protocols require randomness, for example for generating a random secret key. We use x ←_R A to represent the operation of selecting an element x randomly and uniformly from a set A. We use Φ to denote the NULL output. This paper deals with the computational security setting, where security is defined based on the string length. For ℓ ∈ N, where N is the set of natural numbers, 1^ℓ denotes the string of length ℓ. If x is a string then |x| denotes its length, e.g. |1^ℓ| = ℓ.
2.2 Secret sharing
Divide some secret S into n parts S_1, S_2, ..., S_n and distribute them among a set of shareholders in such a way that, for a threshold value t, the knowledge of any t or more parts S_i allows S to be computed easily, but the knowledge of any t-1 or fewer parts S_i leaves S completely undetermined. Such a scheme is called a (t, n) threshold secret sharing scheme [1].
2.3 CP-ABE construction [7]
The CP-ABE toolkit consists of the following four algorithms.
1. Setup: It takes an implicit security parameter and outputs the public parameters PK and a master key MK.
2. KeyGen(MK, S): The key generation algorithm, run by the CA, takes as input the master key of the CA and the set of attributes S of the user, and generates the secret key SK.
3. Encrypt(PK, M, A): The encryption algorithm takes as input the message M, the public parameters PK and an access structure A over the universe of attributes. It generates the output CT such that only those users who hold a valid set of attributes satisfying the access policy are able to decrypt. We assume that CT implicitly contains the access structure A.
4. Decrypt(PK, CT, SK): The decryption algorithm, run by the user, takes as input the public parameters, the ciphertext CT containing the access structure A, and the secret key SK containing the user's attribute set S. If S satisfies the access tree, then the algorithm decrypts CT and gives M; otherwise it gives "Φ".
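An added example, not from the paper or the CP-ABE toolkit, showing what "S satisfies the access tree" in Decrypt means for threshold gates: each internal node is a k-of-n gate (k = 1 is OR, k = n is AND) and each leaf is an attribute name. Only the satisfaction predicate is modelled; the "ciphertext" here is a plain (tree, message) pair with no encryption, and a failed decryption returns None in place of Φ. The attribute names (hash:..., location:...) and the example policy are constructed for illustration; the five hash values are the ones from the snapshot in Section 4.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple, Union


@dataclass(frozen=True)
class Gate:
    """k-of-n threshold gate over its children (k = 1 is OR, k = n is AND)."""
    k: int
    children: Tuple["Node", ...]


Node = Union[Gate, str]  # a leaf is simply an attribute name


def OR(*children: Node) -> Gate:
    return Gate(1, children)


def AND(*children: Node) -> Gate:
    return Gate(len(children), children)


def THRESHOLD(k: int, *children: Node) -> Gate:
    return Gate(k, children)


def satisfies(node: Node, attrs: FrozenSet[str]) -> bool:
    """True iff the attribute set attrs satisfies the access tree rooted at node."""
    if isinstance(node, str):
        return node in attrs
    hits = sum(satisfies(child, attrs) for child in node.children)
    return hits >= node.k


def decrypt(ciphertext: Tuple[Node, str], attrs: FrozenSet[str]) -> Optional[str]:
    """Stand-in for Decrypt(PK, CT, SK): CT carries its access tree; returns M or None (Φ)."""
    tree, message = ciphertext
    return message if satisfies(tree, attrs) else None


# Constructed policy: any one of the five share-hash attributes (the OR gate of Section 4),
# AND a location attribute of the kind discussed in Section 1.1.
EXAMPLE_POLICY = AND(
    OR("hash:31", "hash:28", "hash:43", "hash:83", "hash:61"),
    "location:site-A",
)
EXAMPLE_CT = (EXAMPLE_POLICY, "M")  # constructed (tree, message) pair, no real encryption


if __name__ == "__main__":
    print(decrypt(EXAMPLE_CT, frozenset({"hash:31", "location:site-A"})))  # M
    print(decrypt(EXAMPLE_CT, frozenset({"hash:31"})))                      # None (Φ)
```

A key carrying a hash attribute that is not one of the OR branches fails the policy regardless of the other attributes, which is the behaviour the toolkit reports in the snapshot of Section 4.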
3 Proposed approach for VSS
3.1 Share Generation and Distribution Phase
Input: Secret S ∈ GF(p) and a public hash function H
Output: Shares of the secret S, S_i where i = 1, 2, 3, ..., n
1. Dealer D chooses a large prime p > max(S, n).
2. Then it selects t-1 random independent coefficients from GF(p).
3. Select the random polynomial f(x) of degree t-1 having these coefficients and S as its constant term (see Section 4), and set the share of shareholder i to S_i = f(i).
4. Compute the share of the secret for each shareholder and distribute the pair (the share S_i together with the key SK_i) to each shareholder. We assume that every user has only one attribute, the hash value H(S_i) of its share, where SK_i = KeyGen(MK, A), MK = master key of the dealer and A = attribute set of the ith user.
5. Dealer makes a policy for the access tree structure as follows: policy = Encrypt(PK, M, T), where PK = public key of the dealer, M = message and T = tree structure. Here the policy is made on the condition that any one of the n attributes H(S_1), ..., H(S_n) is present, i.e. an OR over all of them (see Section 4).
6. Dealer broadcasts the policy and t in a public file.
7. Each ith shareholder verifies its share by Decrypt(policy, SK_i). If the message M is successfully decrypted, then the user accepts its share.
8. User i can verify its share at any time by sending H(S_i) to the dealer, who computes SK_i based on it. The dealer is not required to store any information about the shared secret other than the hash function.
9. Only if all the shareholders find their shares correct is the dealing phase completed successfully. The dealer then discards the polynomial and the policy, keeping only the hash function.
10. Otherwise, it is up to the honest shareholders to decide whether it is the dealer or the accuser that misbehaves.
3.2 Share Reconstruction Phase
Input: Shares S_i submitted by the shareholders, a public hash function H and the policy.
Output: Secret S.
1. The dealer verifies each share by generating the hash code of the share, making the secret key SK from it and applying it to the policy; the share is accepted if it passes the policy, otherwise it is added to the cheater set.
2. The dealer verifies that each share is unique and deletes repetitions of the same share.
3. If t or more shares are available, then the dealer computes an interpolated polynomial f(x) through t or more points. Here, if we have more than t shares, we make two sets: a first set of t shares and a second set containing the remaining shares. Then generate the initial secret from the first set and store it. Replace each share in the first set, in turn, with a share from the second set, generate the secret again and compare it with the previously stored secret S. If at any point the secrets do not match, then the dealer must have added a forged share to the policy; otherwise return S as the secret.
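The two phases above, as an added, runnable example that is not part of the paper and does not use the CP-ABE toolkit: Shamir share generation over GF(p) with the hash of each share as the shareholder's single attribute, the OR policy modelled as the set of those n hash values (a stand-in for the CP-ABE access tree, so "passing the policy" is set membership rather than a real Decrypt), and the reconstruction phase with its policy check, duplicate removal and the swap-in consistency check of step 3. It also serves as the worked instance of the (t, n) definition in Section 2.2. The prime P, the choice of SHA-256 for H, the fixed seed and the secret value 30 (taken from the snapshot in Section 4) are constructed for the example. When the consistency check fails, the code reports all t+1 shares involved rather than naming one, since the mismatch alone does not identify which share is wrong.

```python
import hashlib
import random
from typing import Dict, List, Optional, Set, Tuple

# Constructed demo field: a prime large enough for the toy values below.
# A real deployment would use a much larger prime.
P = 2_147_483_647  # 2^31 - 1 (prime); must satisfy p > max(S, n)


def H(share: int) -> str:
    """Public hash function H applied to a share (assumed here to be SHA-256)."""
    return hashlib.sha256(str(share).encode()).hexdigest()


def eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate f(x) = coeffs[0] + coeffs[1]*x + ... over GF(P); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def deal(secret: int, n: int, t: int, rng: random.Random) -> Tuple[Dict[int, int], Set[str]]:
    """Share generation and distribution (Section 3.1).

    Returns the shares {i: S_i} and the 'policy', modelled as the set of the n
    attribute values H(S_i): a stand-in for the CP-ABE OR access tree, so that
    'passing the policy' means 'H(share) is one of the OR branches'.
    """
    assert 1 <= t <= n and 0 <= secret < P and P > max(secret, n)
    coeffs = [secret] + [rng.randrange(1, P) for _ in range(t - 1)]  # degree t-1
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}      # S_i = f(i)
    policy = {H(s) for s in shares.values()}
    return shares, policy


def passes_policy(share: int, policy: Set[str]) -> bool:
    """Stand-in for Decrypt(policy, SK_i) succeeding (steps 7/8 of 3.1, step 1 of 3.2)."""
    return H(share) in policy


def lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Interpolate f(0) from t points (x_j, y_j) over GF(P)."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = (num * (-xm)) % P
                den = (den * (xj - xm)) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total


def reconstruct(submitted: Dict[int, int], t: int, policy: Set[str]) -> Tuple[Optional[int], Set[int]]:
    """Share reconstruction (Section 3.2). Returns (secret or None, flagged shareholder indices).

    Step 1: every submitted share must pass the policy; failures go to the cheater set.
    Step 2: repeated share values are dropped.
    Step 3: interpolate from the first t accepted shares, then swap each extra share
            into that set in turn; every swap must reproduce the same secret.
    """
    cheaters = {i for i, s in submitted.items() if not passes_policy(s, policy)}
    seen: Set[int] = set()
    accepted: List[Tuple[int, int]] = []
    for i, s in sorted(submitted.items()):
        if i in cheaters or s in seen:
            continue
        seen.add(s)
        accepted.append((i, s))
    if len(accepted) < t:
        return None, cheaters
    base, extra = accepted[:t], accepted[t:]
    secret = lagrange_at_zero(base)
    for e in extra:
        for k in range(t):
            trial = base[:k] + [e] + base[k + 1:]
            if lagrange_at_zero(trial) != secret:
                # The mismatch alone does not say which of the t+1 shares is wrong,
                # so every share involved is reported for the honest parties to judge.
                return None, cheaters | {i for i, _ in base} | {e[0]}
    return secret, cheaters


def demo() -> Tuple[Dict[int, int], Set[str]]:
    """Constructed demo dealing: S = 30 (as in the paper's snapshot), n = 5, t = 3, fixed seed."""
    return deal(30, 5, 3, random.Random(7))


if __name__ == "__main__":
    shares, policy = demo()
    print(reconstruct({1: shares[1], 2: shares[2], 3: shares[3]}, 3, policy))  # (30, set())
```

Running the file prints the reconstruction from three honest shares. A submitted value whose hash is not in the policy ends up in the cheater set at step 1; a genuine share value submitted under another shareholder's index passes the policy but, once a fourth share is available, fails the step 3 comparison.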
4 Analysis
In our algorithm, we extend Shamir's original threshold secret sharing scheme [1] to verify the shares and the secret. For a threshold value t, we choose a random polynomial of degree t-1 whose coefficients are also chosen randomly in GF(p) of prime order p. We set the secret as the constant term of the polynomial. Now we can use the polynomial to generate the shares of the secret and distribute them among a set of shareholders. Up to this point our scheme works the same as Shamir's scheme [1]. Thereafter, we generate a hash value from each part of the secret. We also make a policy using an OR threshold gate, which requires any one condition in the given policy to be true in order to successfully decrypt the message. If the combiner (other than the TA) wants to generate the secret, then after receiving the parts it can send each part to the dealer for generating the secret key based on the hash value and checking whether it satisfies the policy. If it does, then the secret is allowed to be reconstructed, otherwise not.
We show a typical snapshot of the execution of our scheme using the CP-ABE toolkit [22]. We assume that dealer D has a secret S = 30. The dealer divides S into 5 parts and gives each shareholder the hash of its part of the secret. In the snapshot shown in Fig. 1, the hash values of the five parts are 31, 28, 43, 83, 61 respectively.
[Figure 1: terminal output of the CP-ABE toolkit; only the final line survives the extraction:]
Cannot Decrypt, attributes in key do not satisfy policy
Figure 1 Snapshot of execution of the proposed scheme in the CPABE toolkit
5 Conclusions and future work
In this paper we propose an innovative approach for
VSS using the ABE called AB-VSS. Our approach is resilient
against attacks which are prevalent against the existing
schemes for VSS. Currently we are using only one attribute
per user for designing the scheme. In a setup that demands
higher security, we can extend the existing scheme for other
attributes like location, time etc. Such a scheme would
employ t number of attributes for the policy. If the policy is
satisfied, then the secret may be given to the shareholders,
otherwise not.
6 References
[1] Shamir, A. “How to share a secret.” In: Communication
of the ACM, Volume 22, Issue 11, pp. 612-613, (1979).
[2] Blakley, G.R. “Safeguarding cryptographic keys.” In:
Proceedings of the AFIPS1979 NCC. Volume 48, pp.
313-317, (1979).
[3] Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.
“Verifiable secret sharing and achieving simultaneity in
the presence of faults.” In: SFCS ‘85: Proceedings of the
26th Annual Symposium on Foundations of Computer
Science, pp. 383-395, 1985.
[4] Cohen Benaloh, J. “Secret sharing homomorphisms:
Keeping Shares of a Secret.” In: CRYPTO-86:
Proceedings on Advances in Cryptology, pp 251-260,
1987.
[5] Feldman, P. “A practical scheme for non-interactive
verifiable secret sharing. “ In: SFCS '87: Proceedings of
the 28th Annual Symposium on Foundations of Computer
Science, pp.427-438, 1987.
[6] Harn, L., Lin, C. “Detection and identification of cheaters
in (t, n) secret sharing scheme.”In: Des. Codes
Cryptography, Volume 52, Issue 1, pp. 15-24, 2009.
[7] Tompa, M., Woll, H. “How to share a secret with
cheaters.” In: Journal of Cryptology, Volume 1, Issue 2,
pp. 133-138, 1988.
[8] Cao, Z., Markowitch, O. “Two optimum secret sharing
schemes revisited.” In: FITME '08: Proceedings of the
2008 International Seminar on Future Information
Technology and Management Engineering, pp. 157-160,
2008.
[9] Obana, S., Araki, T. “Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution.” In: Advances in Cryptology - ASIACRYPT 2006, pp. 364-379, 2006.
[10] Araki, Toshinori and Obana, Satoshi. “Flaws in Some
Secret Sharing Schemes against Cheating.” In: LNCS
4586, pp. 122-132, 2007.
[11] Rabin, T., Ben-Or, M. “Verifiable secret sharing and
multiparty protocols with honest majority.” In: STOC '89:
Proceedings of the twenty-first annual ACM symposium
on Theory of computing, pp. 73-85, 1989.
[12] Ghodosi, Hossein. “Comments on Harn-Lin's cheating detection scheme.” In: Designs, Codes and Cryptography, Springer, 2010.
[13] Basu, Atanu and Sengupta, Indranil. “Verifiable (t, n)
Threshold Secret Sharing Scheme Using ECC Based
Signcryption.”In: Information Systems, Technology and
Management Communications in Computer and
Information Science, pp.133-144, Volume 54, Issue
3, 2010.
[14] T. Araki and S. Obana. “Flaws in some secret sharing schemes against cheating.” In: Proceedings of ACISP 2007, LNCS 4586, pp. 122-132. Springer-Verlag, 2007.
[15] Sahai A, Waters B. “Fuzzy identity-based encryption.”
In: Proceeding of EUROCRYPT 2005, pp. 457-473,
Springer, 2005.
[16] Goyal V, Pandey O, Sahai A, et al. “Attribute based encryption for fine-grained access control of encrypted data.” In: Proceedings of the 13th ACM conference on Computer and communications security, pp. 89-98, ACM, New York, 2006.
[17] Bethencourt J, Sahai A, Waters B. “Ciphertext-policy attribute-based encryption.” In: Proceedings of the 2007 IEEE Symposium on Security and Privacy (S&P 2007), pp. 321-334, IEEE, 2007.
[18] Cheung L, Newport C. “Provably secure ciphertext policy ABE.” In: Proceedings of the 14th ACM conference on Computer and Communications Security, pp. 456-465, ACM, New York, 2007.
[19] Zhou, Z. and Huang, D. “On Efficient Ciphertext-Policy Attribute Based Encryption and Broadcast Encryption.” [Online]. Available: http://eprint.iacr.org/2010/395.pdf.
[20] Emura, K., Miyaji, A., Nomura, A., Omote, K., Soshi, M.
“A ciphertext-policy attribute-based encryption scheme
with constant ciphertext length.”In: Bao, F., Li, H., Wang,
G. (eds.) Proceedings of the ISPEC 2009. LNCS 5451,
pp. 13–23. Springer, Heidelberg 2009.
[21] Paterson, K., Quaglia, E. “Time-specific encryption.” In:
J. Garay (ed.) Proceedings of Seventh Conference on
Security and Cryptography for Networks, 2010.
[22] The CP-ABE toolkit. [Online]. Available:
http://acsc.cs.utexas.edu/cpabe/cpabe toolkit.