Page 1: [IEEE 2011 6th IEEE Conference on Industrial Electronics and Applications (ICIEA) - Beijing, China (2011.06.21-2011.06.23)] 2011 6th IEEE Conference on Industrial Electronics and Applications

A General Threshold Encryption Scheme Based on New Secret Sharing Measure

Hongwei Liu, Weixin Xie, Jianping Yu, Peng Zhang, Sisi Liu
School of Information Engineering, Shenzhen University, Shenzhen, China
[email protected]

Abstract—A dynamic secret sharing scheme on a general access structure is proposed based on bilinear maps. Combining it with identity-based cryptography, a general threshold encryption scheme is proposed. Compared with other secret sharing schemes, the threshold encryption scheme realizes secure transmission of the secret over an insecure channel. The scheme involves no secret exchange, so the decryption group changes according to the message importance level, and the scheme meets the demands of a multi-task system. The security analysis shows that the proposed schemes have higher security.

Keywords-bilinear maps; general access structure; secret sharing; identity-based cryptography; general threshold encryption

I. INTRODUCTION

Secret sharing is an important tool in information security: it avoids over-centralization of power and guarantees the security of information storage, transmission and legal usage. It is applied to key management, data security, finance and the military.

Shamir [1] and Blakley [2] independently proposed the concept of secret sharing, together with (t, n) threshold secret sharing schemes based on Lagrange interpolation and on the properties of points in multidimensional space, respectively. Since then much related research has been carried out and many schemes have been proposed [3]. However, threshold schemes solve only a small part of secret sharing problems, and general access structure secret sharing schemes [4] are more universal. Therefore, many schemes of this kind have been proposed, such as dynamic schemes [5], multi-secret sharing schemes [6], weighted schemes [7], etc. Most secret sharing schemes are based on the discrete logarithm problem or on improved RSA, but using bilinear pairings consumes less storage space and bandwidth and is more secure. In view of this, an efficient dynamic secret sharing scheme based on a general access structure and bilinear pairings is proposed in this paper.

Obviously, no plain secret sharing scheme can be used in the following cases. 1) If the secret is a key, it cannot be recovered at any single point, because of the intrusion tolerance requirement. 2) If the secret is a message, it has to be transmitted over an insecure channel, because of practical requirements. An encryption scheme for secret sharing was proposed in [8] based on the discrete logarithm problem, and it solves the problem of case 2 efficiently. However, it is not intrusion tolerant, and the processes of secret distribution and reconstruction are both sequential and inefficient. After introducing the threshold idea of secret sharing into the encryption scheme, threshold encryption algorithms can cope with both cases efficiently.

Another practical demand is considered in this paper. In threshold encryption algorithms a group is needed to decrypt the ciphertext, and the group differs with the secret level of the message. The higher the secret level, the bigger the threshold, the larger the group, the stronger the intrusion tolerance, and the higher the security. The lower the secret level, the smaller the threshold, and the higher the computing efficiency. The threshold cryptosystem is not adapted to this kind of application with different security levels [9]. Therefore, a threshold encryption scheme with an alterable access structure, called a general threshold encryption scheme, is proposed based on identity-based encryption [10]. This scheme guarantees the security of using and transmitting the secret, and the threshold is alterable.

II. BILINEAR MAP

A bilinear map is a map between two cyclic groups that is linear in each argument. Let $G_1$ be an additive group whose order is a big prime $q$ and whose generator is $P$, and let $G_2$ be a multiplicative group whose order is also $q$. The discrete logarithm problem is hard in both $G_1$ and $G_2$. A bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ satisfies the following properties for all $P, Q \in G_1$ and all $a, b \in Z_q^*$:

1. Bilinearity: $\hat{e}(aP, bQ) = \hat{e}(P, Q)^{ab}$;

2. Non-degeneracy: if $P$ is the generator of $G_1$, then $\hat{e}(P, P)$ is the generator of $G_2$;

3. Computability: there is an efficient algorithm to calculate $\hat{e}(P, Q)$.

The related hard mathematical problems are defined on the bilinear map as follows.

1. Discrete logarithm problem (DLP): Given $P, Q \in G_1$, find an integer $n$ which satisfies $Q = nP$.

2. Computational Diffie-Hellman problem (CDHP): Given $P$, $aP$, $bP$ with $a, b \in Z_q^*$, calculate $abP \in G_1$.

3. Bilinear Diffie-Hellman problem (BDHP): Given $P$, $aP$, $bP$, $cP$ with $a, b, c \in Z_q^*$, calculate $\hat{e}(P, P)^{abc} \in G_2$.

2235 978-1-4244-8756-1/11/$26.00 ©2011 IEEE

III. DYNAMIC SECRET SHARING SCHEME ON THE GENERAL ACCESS STRUCTURE

A secret sharing system consists of a secret manager D, a participant set P and a general access structure Γ. A secret sharing scheme is composed of system initialization, secret distribution, and secret reconstruction.

A. System initialization

The secret manager is denoted by $D$. $P = \{P_1, P_2, \ldots, P_n\}$ is the participant set. The access structure $\Gamma = \{\gamma_1, \gamma_2, \ldots, \gamma_{|\Gamma|}\}$ ($|\Gamma|$ is the number of authorized subsets of $\Gamma$) is given. Only $D$ can modify the notice board; the other participants can only read or download the messages on it.

$D$ chooses two groups $G_1$ and $G_2$ whose order is the prime $q$. $Z_q$ is the finite field of order $q$. Let the bilinear map be $\hat{e}: G_1 \times G_1 \to G_2$ and let the hash function be $H: G_1 \to Z_q^*$. The secret is denoted by $s_0 \in Z_q^*$ ($Z_q / \{0\}$). $D$ publishes the point $P$ ($P$ is the generator of $G_1$) and $P_{pub} = s_0 P$.

B. Secret distribution

The process of distributing the secret $s_0$ is as follows:

1) Participant $P_i$ chooses its secret share $s_i \in Z_q^*$ randomly and calculates $\zeta_i = s_i P$ and $\sigma_i = s_i P_{pub}$. $P_i$ sends $(\zeta_i, \sigma_i)$ to $D$.

2) $D$ checks whether $\zeta_i = \zeta_j$ for some $i \ne j$. If $\zeta_i = \zeta_j$, $D$ broadcasts a warning and asks the sender to reselect $s_i \in Z_q^*$ until all $\zeta_i$ are different. $D$ assigns a unique identification $ID_i$ to $P_i$ and publishes $(ID_i, \zeta_i)$ on the notice board. $P_i$ is responsible for its public information.

3) For any authorized subset $\gamma_j = \{P_{j_1}, P_{j_2}, \ldots, P_{j_t}\}$ ($j = 1, \ldots, |\Gamma|$) in the access structure, $D$ calculates and publishes:

$H_j = s_0 - H(\sigma_1) - \cdots - H(\sigma_t)$ (1)

For the sake of security, $t \geq n/2$ is needed.

4) $D$ deletes the secret $s_0$ permanently. The process of secret distribution is completed.

C. Secret reconstruction

Suppose the authorized subset is $\gamma_j = \{P_{j_1}, P_{j_2}, \ldots, P_{j_t}\}$. The process of secret reconstruction is as follows:

1) Every $P_{j_i}$ ($i = 1, 2, \ldots, t$) in $\gamma_j$ downloads the public message $P_{pub}$ from the notice board.

2) Every $P_{j_i}$ ($i = 1, 2, \ldots, t$) uses its secret share $s_i$ to calculate the sub-secret:

$\sigma'_i = s_i P_{pub}$ (2)

Then $P_{j_i}$ sends $\sigma'_i$ to the secret reconstructor $C$, which can be any member of the authorized subset.

3) When $C$ receives the sub-secret $\sigma'_i$, it verifies:

$\hat{e}(\sigma'_i, P) = \hat{e}(\zeta_i, P_{pub})$ (3)

If the equation holds, participant $P_{j_i}$ has provided its sub-secret honestly and $\sigma'_i$ is correct. Otherwise, $C$ sends a warning to $P_{j_i}$ and asks $P_{j_i}$ to resend, or performs other error handling.

4) After verifying the correctness of the sub-secrets, calculate

$s'_0 = H_j + H(\sigma'_1) + \cdots + H(\sigma'_t)$ (4)

$s'_0$ is the secret that is needed, and the process of secret reconstruction is completed.
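As an added worked example (constructed for this page, not the paper's code), the following Python runs Section III end to end: the dealer publishes $H_j$ per (1), each member computes its sub-secret per (2), the reconstructor checks (3) and recovers $s_0$ with (4), and both a tampered sub-secret and a non-authorized subset are shown to fail. The pairing is a constructed toy map over $Z_q$ in which a point $aP$ is written as the scalar $a$; it is bilinear but offers no security, and $H$ is modelled with SHA-256.

```python
import hashlib

# Constructed toy "pairing" for illustration only (NOT secure): G1 is Z_q
# under addition with generator P = 1, so a point aP is written as the scalar
# a; G2 is the order-q subgroup <g> of Z_p^*; e(aP, bP) = g^(ab). The map is
# bilinear, but the discrete logarithm in this G1 is trivial.
q, p, g = 1019, 2039, 4      # q prime, p = 2q + 1 prime, g = 2^2 has order q mod p
P = 1                        # generator of G1

def pair(x, y):
    """e(xP, yP) = g^(xy) in G2."""
    return pow(g, (x * y) % q, p)

def H(point):
    """H: G1 -> Z_q^*, modelled with SHA-256 (output in 1..q-1)."""
    d = hashlib.sha256(str(point).encode()).digest()
    return int.from_bytes(d, "big") % (q - 1) + 1

def distribute(s0, shares, access_structure):
    """Dealer side (Section III.B): publish P_pub, zeta_i and H_j per (1).
    shares maps participant index -> s_i; in the scheme each P_i picks s_i
    itself and sends only (zeta_i, sigma_i), the dealer never sees s_i."""
    P_pub = s0 * P % q
    zeta = {i: s * P % q for i, s in shares.items()}          # zeta_i = s_i P
    if len(set(zeta.values())) != len(zeta):
        raise ValueError("duplicate zeta_i: sender must reselect s_i")
    sigma = {i: s * P_pub % q for i, s in shares.items()}     # sigma_i = s_i P_pub
    Hj = {j: (s0 - sum(H(sigma[i]) for i in subset)) % q      # equation (1)
          for j, subset in enumerate(access_structure)}
    return {"P_pub": P_pub, "zeta": zeta, "Hj": Hj}           # the notice board

def sub_secret(s_i, board):
    """Equation (2): sigma'_i = s_i P_pub, computed by each member."""
    return s_i * board["P_pub"] % q

def verify(i, sigma_prime, board):
    """Equation (3): e(sigma'_i, P) == e(zeta_i, P_pub)."""
    return pair(sigma_prime, P) == pair(board["zeta"][i], board["P_pub"])

def reconstruct(j, subs, board):
    """Equation (4) over authorized subset index j; subs maps i -> sigma'_i."""
    for i, sp in subs.items():
        if not verify(i, sp, board):
            raise ValueError(f"participant {i} sent a bad sub-secret")
    return (board["Hj"][j] + sum(H(sp) for sp in subs.values())) % q

def demo():
    s0 = 777
    shares = {1: 101, 2: 202, 3: 303, 4: 404}     # constructed sample shares
    gamma = [(1, 2), (2, 3, 4)]                  # general access structure
    board = distribute(s0, shares, gamma)
    subs = {i: sub_secret(shares[i], board) for i in gamma[1]}
    recovered = reconstruct(1, subs, board)      # honest run of subset index 1
    caught = not verify(3, (subs[3] + 1) % q, board)   # tampered sigma'_3 fails (3)
    # non-authorized pair {2, 3} combining the published H_j with its own sub-secrets
    partial = (board["Hj"][1] + H(subs[2]) + H(subs[3])) % q
    return recovered, caught, partial
```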

IV. GENERAL THRESHOLD ENCRYPTION SCHEME

In order to increase the practical availability of the proposed secret sharing scheme, a general threshold encryption scheme is proposed based on BF IBE [10], whose participants can be adjusted dynamically according to the message secret level. The concrete process is as follows.

A. System setup

A is the sender and B is the receiver. $P = \{P_1, P_2, \ldots, P_n\}$ is the participant group. In order not to influence the security of the system, the manager is the trusted center TA. $M \in \{0,1\}^n$ is the message, and $C \in G_1^* \times \{0,1\}^n \times \{0,1\}^n$ is the ciphertext. There are $L$ information processing levels.

B. System initialization

TA selects a big prime $q$ and two groups $G_1$ and $G_2$ of order $q$. $Z_q$ is the finite field of order $q$. TA selects a random number $s \in Z_q^*$ as the master key and uses the proposed secret sharing scheme to distribute $s$. $P$ is the generator of $G_1$. Calculate the public key $P_{pub} = s \cdot P$. Define the bilinear map to be $\hat{e}: G_1 \times G_1 \to G_2$. TA fixes $n$ and selects the hash functions $H: G_1 \to Z_q^*$, $H_1: \{0,1\}^* \to G_1^*$ ($G_1 / \{0\}$), $H_2: G_2 \to \{0,1\}^n$, $H_3: \{0,1\}^* \times \{0,1\}^* \to Z_q^*$, and $H_4: \{0,1\}^n \to \{0,1\}^n$. The public parameters are $param = \langle q, G_1, G_2, \hat{e}, n, P, P_{pub}, H, H_1, H_2, H_3, H_4 \rangle$.

C. Encryption

A sends the information processing grade $f$ ($1 \le f \le L$) to B. B calculates

$\lambda = nf/L$ (5)

The bigger $f$ is, the higher the secret grade; the bigger $\lambda$ is, the better the intrusion tolerance. B chooses $\lambda$ members $P_1, P_2, \ldots, P_\lambda$ with lower work load. Their shared secret portions are $s_1, s_2, \ldots, s_\lambda$ respectively. A calculates

$Q_B = H_1(ID_B) \in G_1^*$ (6)

$g_B = \hat{e}(Q_B, P_{pub}) \in G_2^*$ (7)

A selects a random number $\sigma \in \{0,1\}^n$ and calculates

$r = H_3(\sigma, M)$ (8)

A calculates

$C = \langle rP, \ \sigma \oplus H_2(g_B^r), \ M \oplus H_4(\sigma) \rangle = \langle U, V, W \rangle$ (9)

$C = \langle U, V, W \rangle$ is the ciphertext of the plaintext $M$. $V$ is the output of the public key encryption, and $W$ is the output of the symmetric encryption.

D. Decryption

B publishes the ciphertext $C = \langle U, V, W \rangle$ to $P_1, P_2, \ldots, P_\lambda$. $P_i$ calculates $\sigma_i = s_i P_{pub} = s_i s P$ and $Q_B = H_1(ID_B)$, then calculates

$\phi_i = \hat{e}(H(\sigma_i) Q_B, U)$ (10)

and sends $\phi_i$ to B.

B calculates

$\phi_j = \hat{e}(H_j Q_B, U) \prod_{i=1}^{\lambda} \phi_i$ (11)

$\sigma = H_2(\phi_j) \oplus V$ (12)

$M' = W \oplus H_4(\sigma)$ (13)

$r = H_3(\sigma, M)$ (14)

B verifies

$U = r \cdot P$ (15)

If it holds, $M' = W \oplus H_4(\sigma)$ is the needed plaintext; otherwise, the ciphertext is false.

V. ANALYSIS AND DISCUSSION

A. Analysis of the proposed secret sharing scheme

The security of the proposed secret sharing scheme is based on the elliptic curve discrete logarithm problem (ECDLP). The security analysis is as follows.

Conclusion 1. It is easy to calculate the shared secret through participants’ cooperation in any authorized subset; the participants in a non-authorized subset get no information about the secret.

Proof. The operations in (4) are mainly additions in a finite field. If every participant in the authorized subset provides an honest secret portion, the shared secret is calculated quickly. $H_j$ is public. There are $t + 1$ unknowns, so to obtain $s'_0$, $t$ equations are needed. Therefore the participants in a non-authorized subset get no information about the secret.

Conclusion 2. The public information in notice board will not affect the security of the scheme.

Proof. The notice board is managed by $D$ and contains $P$, $P_{pub} = s_0 P$ and $(ID_i, \zeta_i)$, where $\zeta_i = s_i P$. Suppose an attacker could obtain some information about the secret $s_0$ or the portion $s_i$ from the notice board; then it would be possible to obtain $s_0$ or $s_i$ from the known information $s_0 P$, $s_i P$ and $P$. This means the attacker could solve the ECDLP with non-negligible advantage in probabilistic polynomial time, which contradicts the hardness of the ECDLP. So an attacker cannot get any information about the secret from the notice board.

Conclusion 3. A participant in any authorized subset or non-authorized subset cannot cheat in the process of secret reconstruction.

Proof. $D$ needs to verify (3) while the secret is reconstructed. In fact, $\hat{e}(\sigma'_i, P) = \hat{e}(s_i P_{pub}, P) = \hat{e}(\zeta_i, P_{pub})$. $\sigma'_i$ can be confirmed from the public information $\zeta_i$, $P_{pub}$, $P$ and (3). In order to make the formula above hold, an attacker who plans to forge $\sigma'_i$ has to calculate the secret portion $s_i$ from $\zeta_i$ and $P$. Based on the ECDLP, this is impossible.

Conclusion 4. Leakage of any secret portion will not impact the security of other secret and system.

Proof. If $s_i$ of $P_i$ is leaked, $s_0$ cannot be calculated from $s_i$ because of (1) and (4). The secret portions are selected randomly, so the leakage of $s_i$ will not impact the security of the system. The manager should delete $P_i$ and $\gamma_i$.



Similarly, when the secret portion is used repeatedly, since $P_i$ only provides $\sigma'_i = s_i P_{pub}$, obtaining information about $s_i$ is as difficult for an attacker as solving the ECDLP. So using the secret portion repeatedly will not impact the security of the system either.

B. Analysis of the proposed encryption scheme

This encryption scheme is based on the IBE [8], which is IND-CCA2 in the random oracle model.

Conclusion 5. This scheme is correct.

Proof. According to the properties of bilinear pairings, it is easy to see that

$M' = W \oplus H_4(\sigma)$

$= M \oplus H_4(\sigma) \oplus H_4(H_2(\phi_j) \oplus V)$

$= M \oplus H_4(\sigma) \oplus H_4\big(H_2\big(\hat{e}(H_j Q_B, U) \prod_{i=1}^{\lambda} \hat{e}(H(\sigma_i) Q_B, U)\big) \oplus V\big)$

$= M \oplus H_4(\sigma) \oplus H_4\big(H_2(\hat{e}(sQ_B, U)) \oplus V\big)$

$= M \oplus H_4(\sigma) \oplus H_4\big(H_2(g_B^r) \oplus H_2(g_B^r) \oplus \sigma\big)$

$= M \oplus H_4(\sigma) \oplus H_4(\sigma) = M$

If $U = r \cdot P$, the $M'$ calculated by (13) is the message $M$.

Conclusion 6. This scheme is IND-CCA2 in the random oracle model.

Proof. According to [8], the BF IBE encryption scheme is IND-CCA2 in the random oracle model. In the proposed general threshold encryption scheme, the master key of the BF IBE scheme is distributed further and effectively, so that neither the master key nor the user private key is recovered at any single point. The system is intrusion tolerant. So the proposed general threshold encryption scheme is IND-CCA2 in the random oracle model.

Conclusion 7. This scheme can share multiple secrets.

If the secret is a message, such as a secret file, sharing multiple secrets only requires executing the encryption and decryption processes of Section 3.

If the secret is a user private key, like the authority to decrypt higher grade military secrets, sharing the private keys of users $Q_{B_1}, Q_{B_2}, \ldots, Q_{B_m}$ among $n$ participants works as follows:

1) Every participant $P_i$ only needs to use one self-chosen secret portion $s_i$;

2) In the process of secret usage, $P_i$ does not need to provide its secret portion $s_i$, but only needs to calculate and send $\phi_i = \hat{e}(H(\sigma_i) Q_{B_j}, U)$ ($j = 1, \ldots, m$).

In the proposed general threshold encryption scheme, one secret sharing can distribute multiple user private keys, and no key is recovered at any time or place.

SUMMARY

A general access structure secret sharing scheme is proposed based on bilinear pairings. In this scheme, each participant chooses its own secret portion. The secret is recovered from the pseudo-portions provided by the participants, and it is difficult to obtain the portion itself from a pseudo-portion, so multiple secrets can be shared with the same sub-portions in the same group. The scheme can verify the pseudo-portions provided by the participants. The processes of key distribution and reconstruction are simple, computationally cheap and easy to realize.

An identity-based general threshold encryption scheme is proposed based on this secret sharing scheme; its security rests on the BF IBE scheme and the secret sharing scheme, and it is IND-CCA2 in the random oracle model. In this general threshold encryption scheme, the master key and the user private keys are distributed by the secret sharing algorithm on a general access structure, and they are never recovered anywhere during usage. The message is encrypted by identity-based public key cryptography, so to an extent the insecurity of the channel does not impact the security of the message. The threshold idea is introduced into the decryption process, so the scheme is intrusion tolerant. The group of decryption participants differs with the secret level, which makes the scheme more flexible and well suited to the military field, the authority management of important databases, and so on.

ACKNOWLEDGMENT

The research was supported by the National Natural Science Foundation of China (under Grant No. 61001058).

REFERENCES

[1] A. Shamir, “How to Share a Secret,” Communications of the ACM, 1979, 22, pp. 612-613.

[2] G. Blakley, “Safeguarding Cryptographic Keys,” In: Proc. AFIPS 1979 Natl. Conf., New York: AFIPS Press, 1979.

[3] Tatsumi Oba and Wakaha Ogata, “Provably Secure On-Line Secret Sharing Scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, 2011, E94-A(1), pp. 139-149.

[4] Masayuki Abe, Yang Cui, and Hideki Imai, “Efficient Hybrid Encryption from ID-based Encryption,” Designs, Codes and Cryptography, 2010, 54(3), pp. 205-240.

[5] L. Pang, H. Li, and Y. Wang, “A Secure and Efficient Secret Sharing Scheme with General Access Structures,” Lecture Notes in Artificial Intelligence, Berlin: Springer-Verlag, LNAI4223, FSKD'06, 2006, pp. 646-649.

[6] L. Pang, Z. Jiang, and Y. Wang, “A Multi-Secret Sharing Scheme Based on the General Access Structure,” Journal of Computer Research and Development, 2006, 43(1), pp. 33-38.

[7] Hao Chen, San Ling, and Chaoping Xing, “Access Structures of Elliptic Secret Sharing Scheme,” IEEE Transactions on Information Theory, 2008, Vol. 54, pp. 850-852.

[8] Saied Hosseini Khayat, “Using Commutative Encryption to Share a Secret,” Cryptology ePrint Archive, Tech Rep: 2008/356, 2008. http://eprint.iacr.org/2008/356.


[9] Y. Desmedt, “Society and Group Oriented Cryptography: A New Concept,” In Advances in Cryptology-Proceedings of CRYPTO’87, Berlin: Springer-Verlag, 1988, Vol.293, pp. 120-127.

[10] D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing,” Advances in Cryptology - CRYPTO 2001, Lecture Notes in Computer Science, Berlin: Springer-Verlag, 2001, Vol. 2139, pp. 213-229.
