Abstract

Secret sharing has been studied for many years and has had a number of real-world applications. There are several methods to construct secret-sharing schemes; one of them is based on coding theory. In this work, we construct a secret-sharing scheme that realizes an access structure using linear codes, in which any element of the access structure can reconstruct the secret key. We prove that our scheme is a multiprover zero-knowledge proof system in the random oracle model, which shows that a passive adversary gains no information about the secret key. Our scheme is also a leakage-resilient secret-sharing scheme (LRSS) in the bounded-leakage model, which remains provably secure even if the adversary learns a bounded amount of leakage information about the secret key. As an application, we propose a new group identification protocol (GID-scheme) from our LRSS. We prove that our GID-scheme is leakage-resilient. In our leakage-resilient GID-scheme, the verifier believes the validity of qualified group members and tolerates l bits of adversarial leakage in the distribution protocol, whereas for unqualified group members, the verifier cannot be convinced of their identities in the proof protocol.

1. Introduction

The secret-sharing scheme, originally and independently introduced by Shamir [1] and Blakley [2], is a method in which a dealer selects a secret and distributes it as shares among a set of parties in the distribution stage. Only the predefined subsets of parties can reconstruct the secret from their shares in the reconstruction stage, while the others learn nothing about the secret. These subsets are called qualified, and the monotone collection of qualified subsets is called the access structure of the secret-sharing scheme. As a basic primitive in cryptography, the secret-sharing scheme has been used widely in security applications and protocols, such as threshold cryptography [3], secure multiparty computation [4], cloud computing [5–7], oblivious transfer [8], and access control [9].

In general, in the secret-sharing scheme (n parties and access structures are known in advance), there are two types of access structures: threshold and nonthreshold. In the threshold access structure, at least qualified parties can reconstruct the secret key. In [10], the authors constructed an evolving secret-sharing scheme for a dynamic threshold access structure. In their scheme, the size of the qualified set increases if the number of parties increases. However, in the nonthreshold access structure, the size of the qualified set is not limited, i.e., any collection of the qualified subsets can reconstruct the secret key. If the nonthreshold access structure (a small monotonic span program) can be described, then an efficient secret-sharing scheme is realized [11]. For instance, given the forbidden graph access structure, Beimel et al. [12] proposed a linear secret-sharing scheme for forbidden graph access structures.

1.1. Secret-Sharing Scheme from Linear Codes

There is a natural correspondence between linear codes and secret-sharing schemes. McEliece and Sarwate noted the relationship between the Shamir–Blakley secret-sharing scheme and Reed–Solomon codes in [13]. Since then, several secret-sharing schemes have been constructed in terms of linear error-correcting codes [14–16]. To construct a secret-sharing scheme from linear codes, Massey pointed out the relationship between the access structure and the minimal codewords of the dual code of the underlying code [17, 18]. Therefore, when designing a secret-sharing scheme based on linear codes, it is necessary to consider the open problem of how to determine the minimal codewords of certain linear codes. In this work, we assume that the codes and their dual codes are efficiently encodable and decodable, respectively. The relationship between secret-sharing schemes and linear codes is presented in Section 2.1.

1.2. Leakage-Resilient Secret-Sharing Scheme

In applications of a secret-sharing scheme realizing an access structure, some parties might cheat the others by providing false secret keys during sharing, and information about the secret key may be leaked. To avoid this situation, it is necessary to protect the dealer's secret key and the parties' shares against information leakage; in previous work, most researchers used leakage-resilient cryptographic primitives [19–24] and leakage-resilient devices [25, 26] to protect the secret key. Cryptographic primitives and computational devices are said to be leakage-resilient if they remain secure in the presence of bounded leakage of an internal (secret) state. In [27], the authors introduced the assumption that only computation leaks information; in other words, there is no leakage without computation. However, this assumption does not guarantee security in the model because cold-boot attacks [28] may still work [29]. Therefore, motivated by the work of Dziembowski and Pietrzak [30], we describe the leakage assumptions considered in this work as follows:
Independent leakage: the computation can be organized into rounds, and the leakage in each round is independent.
Bounded leakage: in each round, the amount of leakage is bounded by some parameter, whereas the total leakage is bounded by l bits.
Bounded domain: the leakage function takes as input only the secret state during the invocation.

Formally, in the bounded-leakage model, an attacker can repeatedly and adaptively access a leakage oracle and learn information about the secret key, as long as the total amount of information leaked is bounded by some parameter l. The attacker chooses a sequence of polynomial-time-computable leakage functions and obtains , where is party P’s secret state at the beginning of each round i and .

1.3. Our Contributions

In this work, we construct a secret-sharing scheme for a given access structure arising from linear error-correcting codes. According to the definitions of the security and attack models, we prove that our protocol is an n-prover zero-knowledge proof system in the random oracle model, which shows that the secret key can be shared repeatedly without leaking any information to a passive attacker. Additionally, our protocol is a leakage-resilient secret-sharing scheme (LRSS) in the bounded-leakage model, which shows that it is leakage-resilient against -BCP.

In particular, as an application, our LRSS gives a group identification scheme (GID-scheme); that is, all qualified parties can detect whether the dealer is cheating, and any verifier can detect whether unqualified parties are cheating. We also prove that our GID-scheme is leakage-resilient in the bounded-leakage model. The basic construction of our scheme relies on the following considerations:
Assume that a private channel exists in the distribution protocol between every party and the dealer and that all the parties have an individual broadcast channel.
Given the public key and l bits of secret key leakage, our protocol is performed between any probabilistic polynomial-time adversarial verifier and an honest prover P, maintaining information-theoretic entropy and achieving security in the bounded-leakage model.
For any adversarial prover, the secret key corresponding to the emulated identity’s public key should be known.
For one public key, the probability that an algorithm finds two distinct secret keys is negligible.

1.4. Organization

This paper is organized as follows. In Section 2, we introduce some definitions and lemmas that are used in this work. We describe how to construct our protocol in Section 3 and provide several proofs of the properties of our protocol in Section 4. As an application, we propose a group identification protocol in Section 5. Finally, we provide the conclusions and future work on this topic in Section 6.

2. Preliminaries

Here, we introduce the notations and basic definitions used throughout this work. Let and be sets of natural numbers and real numbers, respectively. We write to indicate the set of natural numbers . Let denote the binary length of x.

2.1. Secret-Sharing Scheme from Linear Codes and Security Definitions

Let denote a finite field where q is a prime. We write for the set of nonzero elements of ; then, is a multiplicative cyclic group with elements, and any element in has order dividing . We use the symbol to refer to the n-dimensional linear vector space over . Let “” denote the concatenation of finite vectors (bold letters), i.e., , where .

Definition 1. (linear codes). An code C is a k-dimensional linear subspace of , which means that the sum of any two codewords of C is a codeword and that the product of any codeword by a field element is a codeword.

Definition 2. (generator matrix). A matrix is called a generator matrix of an code C if every codeword z in C is a linear combination of the rows of G, i.e., , where for .
Let be a set of n parties. The definition of the (monotone) access structure is given as follows.

Definition 3. (access structure [31, 32]). A set is called an access structure if it satisfies the monotone property, i.e., for any and , it holds that .
Any subset in is called qualified (or authorized), and the subsets that do not belong to are called unqualified (or unauthorized).

Definition 4. (secret-sharing scheme, SSS). Let be any probabilistic algorithm that takes as input a secret and returns n shares . Let be a deterministic algorithm that takes as input the shares of a subset and outputs a possible secret. Note that S is the domain of the secret key. We say that is an -secret-sharing scheme over field realizing an access structure if it satisfies the following.
Correctness: for every secret and every qualified set with , it holds that .
Security: for every unqualified set with and two arbitrary distinct secrets , is identically distributed to , where and are the complete shares of the parties in .

Definition 5. (linear secret-sharing scheme, LSSS). An - over field is linear if the codomain of Share is the vector space , is a -linear mapping, and is uniformly distributed over for any .
Based on the work in [17], we use a linear code to construct an as follows. An code C is a linear subspace of . Let be the generator matrix of C, where is the column vector of . In the constructed from C, the secret s is an element of , and n parties and a dealer D are involved. To compute the shares of the secret s, D performs the algorithm as follows.
The dealer D chooses a random codeword satisfying . Next, D computes the corresponding codeword by the following equation:
Therefore, with . Let be the shares of s. Finally, D securely sends to party , for .
To reconstruct the secret s, the algorithm is performed as follows: recall that the dual code of C can be defined using the following formula:
Namely, a vector belongs to if and only if x is orthogonal to every codeword in C. If with , for any codeword , then we have
Using equation (1), the secret s can be reconstructed from the shares .

Lemma 1. Assume that ; then, the members in A can reconstruct the secret s with their own shares if and only if the vector is a linear combination of .

Proof. (Necessity) The necessity is quite obvious.
(Sufficiency) Assume that is a linear combination of ; then, there exists such that
Then, the secret s is reconstructed by calculating
The abovementioned SSS realizes the access structure defined as follows:
where “span” means the linear space spanned by the elements of the set.
Based on Definition 4 and the work of [19], we present the security definition of and the adversarial model in the following.
In this work, to model adversarial leakage attacks on a secret key s, the adversary has an opportunity to adaptively access a leakage oracle and obtains information about the secret key s. The formal definition of leakage oracle is given as follows.

Definition 6 (leakage oracle [20, 22]). Let be a leakage oracle, which is parameterized by a prover’s secret key , a leakage parameter l, and a security parameter λ. A query to the leakage oracle consists of a leakage function , and the oracle responds with . The oracle is restricted to a total of l bits. For all queries received, responds only to the kth leakage query and computes the function for at most steps if , where . Otherwise, the oracle ignores the queries.

Remark 1. Note that means that there is no information leaked to the simulator in an ideal setting, whereas means that a malicious adversary (or verifier) learns nothing from the protocol other than obtaining the validity of the proven statement and obtaining the leakage information from an honest user (or prover).

Definition 7 (l-bounded adversary). Let be a subset of . We say that an adversary is l-bounded if the corruption set selected by satisfies the following property: for each , it holds that , where denotes the length of the output of an arbitrary (leakage) function .

Definition 8. (leakage-resilient secret sharing, LRSS). Let S be any secret key domain and be any access structure on parties . We say that an SSS realizing is -leakage-resilient (or -LRSS) if, for every leakage protocol in -BCP and for every pair of secrets , the following holds:
where denotes the subset of . That is, the distribution of the transcript learned by on a sharing of is statistically close to the distribution of the transcript learned by on a sharing of . In particular, an is said to be -leakage-resilient (or -LRSS) if it is -leakage-resilient for any subset with .
In our work, the notation -BCP presented in Definition 4 is inspired by the work [33]. We give the -bounded corrupted program (or -BCP) as follows. There are n parties and , where θ is an upper bound on the number of parties corrupted by the adversary in any round. Let l be the leakage bound. Let be the leakage function family , where and . We write for the total leakage seen by adversary on the shares of secret s.
-BCP ON INPUT :
  GENERATE shares of secret , SEND to for 
   is empty at the beginning of the leakage protocol
   is appended with the leakage and COMPUTE in each round, where and 
  OUTPUT final transcript as leakage

2.2. Zero-Knowledge

Definition 9. (negligible functions). A function is negligible if, for any positive polynomial , there exists such that, for all ,

Definition 10 (probability ensemble). X denotes a countable set. An ensemble indexed by X indicates a sequence of random variables indexed by X. For instance, is an ensemble indexed by X, where each is a random variable.

Definition 11 (polynomial-time indistinguishability). Let and be two different ensembles indexed by . If
holds for any probabilistic polynomial-time (PPT) algorithm D, any positive polynomial , and any sufficiently large n, then we say that A and B are indistinguishable in polynomial time.
In the following context, we use the terminology computationally indistinguishable instead of indistinguishability in polynomial time.

Definition 12. Let λ be a security parameter and let and be the ensemble sets. Let be a witness relation associated with language L on , where L is defined as . is polynomially bounded (i.e., implies ) and recognized in polynomial time. Given , an element such that is called a witness. Suppose that is a PPT algorithm, which takes as input and outputs pairs with .
We write P and V to denote the prover and the verifier, respectively, where P and V are two interactive probabilistic polynomial-time Turing machines.

Definition 13 (interactive proof system, [34]). A pair of interactive machines is called an interactive proof system for a language L if machine V is PPT and the following two conditions hold:
Completeness: for every , it holds that .
Soundness: for every and every interactive machine M, it holds that .
Now, we consider the interactive protocol consisting of n infinitely powerful machines interacting with a PPT machine V.

Definition 14 (multiprover interactive proof system [35]). We say that the interactive Turing machines in the n-prover model form a multiprover interactive proof system for language L if an interactive PPT Turing machine V exists and the following two properties are satisfied:
Completeness: for every , there is .
Soundness: for every and all interactive machines , there is .

Definition 15 (multiprover computational zero-knowledge [34]). Let be a multiprover interactive proof system for some language L. We say that is computational zero-knowledge if, for every interactive PPT Turing machine , a PPT machine exists such that, for all , the ensembles and are computationally indistinguishable.
In Definition 15, the ensemble denotes the view (or output) of the interactive machine after interacting with the n interactive machines on common input x (namely, the transcript of the sequence of messages exchanged between and ). denotes the output of on input x. In this case, we call a simulator for the interaction of with . The existence of means that does not gain any more knowledge than . Indeed, does not access and might not know whether exists. However, it is able to simulate the interaction of with .
Succinctly speaking, an interactive proof system for language L is zero-knowledge if whatever can be efficiently computed by V after interacting with on common input can also be directly computed by the simulator with input x.

2.3. Identification Schemes and Security Definitions

In this section, we first recall the standard cryptographic concepts of -protocols presented in [36, 37] and identification schemes (ID-scheme) presented in [20]. Then, we present the formal security definitions of the ID-scheme. We write to denote the transcript TR that was generated through an interactive protocol , where y is the private input of P and x is the common input of P and V. The notation denotes the output of V with input . V outputs if he accepts the proof and otherwise.

Definition 16. (-protocol [36, 37]). Let be an interactive proof system for language L. The prover P takes as input and sends a witness y to verifier V. V takes as input the common input x and the received y, and it outputs 1 if and .
A -protocol for the relation is a 3-round interactive proof system that can be described as follows:
Step : P first sends a commitment α to V, i.e., .
Step : V responds with a challenge β based on α, i.e., .
Step : P returns γ based on β, i.e., .
Step : V outputs a bit , i.e., , where if he accepts the proof and otherwise.
Here, . A -protocol satisfies the following properties:
Completeness: the verifier V outputs 1 with probability 1, i.e., , where steps can be denoted by .
2-special soundness: assume that an extractor Extor exists for every , given two valid transcripts and , where and . Extor takes as input and outputs a witness y for the relation .
Honest verifier zero-knowledge: for every PPT Turing machine , a probabilistic algorithm exists such that the two ensembles and are computationally indistinguishable.

Definition 17 (identification scheme [20]). An identification scheme (ID-scheme) consists of four PPT procedures . The concrete description is as follows:
: the parameter generation procedure takes as input the security parameter λ and returns the system parameters of the identification scheme, denoted by params. params are common to all users and issued to , and V as inputs.
(): the key generation procedure takes as input params and outputs the public key and secret key .
: P denotes a prover and V denotes a verifier. V returns a judgement about P after executing the protocol. If , then V accepts P’s identity, and otherwise.
To obtain a secure (group) ID-scheme, we define some security definitions and models.

Definition 18. We say that a (group) ID-scheme is secure if the following two conditions hold:
Completeness: for each party , the probability of acceptance is .
Soundness: for any party and any PPT algorithm , the advantage of is negligible, where the private input of is an empty string and is defined in Definition 16 and .
Before we formally define the leakage-resilient ID-scheme, we first consider two security games (illustrated in Table 1), which are inspired by the work presented in [20]. The first game, called pre-emulation leakage security, is simulated by the attack game and allows the adversary to send leakage queries before the emulation attack. The second game, called arbitrary time leakage security, is simulated by the attack game and allows the adversary to adaptively execute leakage attacks at an arbitrary time during an emulation attack. The key generation phase and test phase are the same in the games and . The emulation phase is divided into two separate games according to the definitions of and , respectively.

Definition 19 (leakage-resilient ID-scheme). Let be an ID-scheme, which is parameterized by security parameter λ and satisfies completeness. We say that is secure against the pre-emulation leakage l if the advantage of any PPT adversary in the attack game is negligible in λ. Additionally, it is secure against the arbitrary time leakage l if the advantage of the abovementioned adversary in the attack game is negligible in λ.

3. Our Protocol

3.1. Protocol 1: The Basic Leakproof Secret-Sharing Scheme

For self-containedness, we recall the leakproof secret-sharing scheme [38] as follows. Let D be a dealer, V be a verifier, and be n parties.

Initialization. In this stage, all the system parameters are generated. The dealer D obtains a public key corresponding to the public key encryption scheme . In addition, suppose that D holds a private channel with every party and that D and every party keep a broadcast channel.

Distribution protocol. This protocol is divided into two steps:
(1) Distribution of the shares: this step is executed by the dealer D. First, for the master secret key s, D generates n shares of s and sends them to through individual private channels. Second, D calculates and publishes it over his broadcast channel.
(2) Verification of the shares: every party verifies the validity of the share received from D, where . If the verification condition is not satisfied, we say that the dealer fails, and the protocol is aborted.

Proof protocol. This protocol is also divided into two steps:
(1) Proof of the secret s: let be any qualified subset of the parties . Each holds the secret share . The parties in run a multiprover zero-knowledge argument of knowledge with the verifier V to prove that they indeed share the secret s. During this interactive proof, is a common input of the parties in and V.
(2) Verification of the secret s: to check whether every keeps a valid secret , V verifies the condition , where F stands for some deterministic polynomial-time function.

3.2. Protocol 2: Secret-Sharing Scheme via Linear Codes

In this section, we begin to describe how our secret-sharing scheme is constructed using linear codes in detail. First, suppose that we have obtained an access structure realized by linear codes C and that G is the corresponding generator matrix.

Initialization. Let λ be a security parameter, let q be a large prime number, and let p be a prime factor of . Let be a finite field. We write to indicate a cyclic group generated by an element with order and . Let C be a linear code over with length ; its generator matrix is , where .

Let D be a dealer and be a party set. V denotes a verifier with . Assume that a private channel between the dealer D and each and a public channel between and exist, where and . In addition, the dealer D has a broadcast channel. We assume that the computing power of all individuals in this protocol is polynomially bounded.

The encryption algorithm is defined as , where .

The dealer D randomly chooses s from and . The master private key and the public key .

Distribution protocol. This protocol is divided into two steps:
(1) Distribution of shares: D defines and calculates and publishes over a broadcast channel. To distribute the master secret key s among the n parties , D executes the algorithm and gets . More precisely, the algorithm is described by the following program of SECRET DISTRIBUTION:
D’s SECRET DISTRIBUTION ON INPUT :
  CHOOSE random such that 
  COMPUTE , where 
  COMPUTE and set , where 
  PUBLISH , where 
  GET shares of secret 

Then, D sends to , respectively.
(2) Verification of the shares: for each , let denote the private key . Each performs the following program of SECRET VERIFICATION to check the validity of his own share for :
’s SECRET VERIFICATION ON INPUT :
  GET from D. See if ; if not, halt.
  IF , THEN ACCEPT the share 
  ELSE REJECT the share and repeat the program

Proof protocol. According to the abovementioned Distribution protocol, are common inputs of the parties in and V. Every party has a secret input for . Let be a size-m subset of , and every party has a valid secret input , where . To reconstruct the secret s, for all of , they need to determine the existence and uniqueness of the solutions to the system , where are the column vectors of the generator matrix G of code C. The calculation is presented in Lemma 1.

This protocol is divided into two steps:
(1) Proof of the secret s: this step can be described as follows:
 : every party chooses a random , computes , and sends to V, where .
 : V chooses a random number and then sends z to all parties .
 : every party computes and then sends to V, where .
(2) Verification of the secret s:
 : if it holds that , then V believes that share the secret s satisfying ; otherwise, V rejects it.
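The Massey-type construction of Section 2.1 (a random codeword whose first coordinate is the secret, reconstruction through the coefficients of Lemma 1) together with the distribution, share verification and three-move proof protocol of PROTOCOL 2, as an added Python example that is not code from the paper. The toy group (q = 23, p = 11, g = 2), the [4, 2] code over F_p, the exponentiation map E and the verifier's single combined check are this example's constructed assumptions and its reading of the paper's symbol-stripped equations.

```python
import secrets

# Constructed toy parameters (assumption): p | q - 1 and g has order p in F_q^*.
Q = 23                  # prime q
P = 11                  # prime p, order of <g>; the code alphabet is read as F_p
GEN = 2                 # 2^11 = 2048 = 89 * 23 + 1, so 2 has order 11 in F_23^*

# Columns of a constructed generator matrix G = [g_0 | g_1 g_2 g_3] of a [4, 2] code
# over F_11.  g_0 is tied to the secret, GI[i] to party i (0-based).  Here
# g_0 = GI[0] + GI[1] = GI[0] - GI[2], while g_0 is outside span{GI[1], GI[2]},
# so {0,1} and {0,2} are qualified and {1,2} is not (a non-threshold structure).
G0 = [1, 0]
GI = [[1, 1], [0, 10], [0, 1]]
N = len(GI)

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P

def share(s):
    """Dealer: random information vector u with u.g_0 = s, so the codeword uG has
    first coordinate s; party i receives t_i = u.g_i (Section 2.1)."""
    k = len(G0)
    u = [secrets.randbelow(P) for _ in range(k)]
    j = next(i for i, v in enumerate(G0) if v % P)        # a nonzero coordinate of g_0
    rest = sum(u[i] * G0[i] for i in range(k) if i != j)
    u[j] = (s - rest) * pow(G0[j], -1, P) % P             # force u.g_0 = s
    return [dot(u, g) for g in GI]

def recon_coeffs(A):
    """Lemma 1: solve g_0 = sum_{i in A} x_i g_i over F_p by Gaussian elimination.
    Returns [x_i] ordered like A, or None when g_0 is not in span{g_i : i in A}
    (A is unqualified)."""
    k, m = len(G0), len(A)
    M = [[GI[i][r] % P for i in A] + [G0[r] % P] for r in range(k)]  # augmented rows
    pivots, row = [], 0
    for c in range(m):
        pr = next((r for r in range(row, k) if M[r][c]), None)
        if pr is None:
            continue                                       # free variable
        M[row], M[pr] = M[pr], M[row]
        inv = pow(M[row][c], -1, P)
        M[row] = [v * inv % P for v in M[row]]
        for r in range(k):
            if r != row and M[r][c]:
                f = M[r][c]
                M[r] = [(a - f * b) % P for a, b in zip(M[r], M[row])]
        pivots.append(c)
        row += 1
    if any(not any(M[r][:m]) and M[r][m] for r in range(k)):
        return None                                        # row 0 = nonzero: no solution
    x = [0] * m                                            # free variables set to 0
    for r, c in enumerate(pivots):
        x[c] = M[r][m]
    return x

def reconstruct(A, shares_A):
    """A qualified set A recovers s = sum x_i t_i (Lemma 1)."""
    x = recon_coeffs(A)
    if x is None:
        raise ValueError("unqualified set: g_0 is not spanned by these columns")
    return dot(x, shares_A)

def E(v):
    """Exponentiation map E(v) = g^v in <g>, our reading of the paper's E."""
    return pow(GEN, v % P, Q)

def distribute(s):
    """Distribution protocol: t_i over private channels; y = E(s) and h_i = E(t_i)
    over the dealer's broadcast channel."""
    t = share(s)
    return t, {"y": E(s), "h": [E(ti) for ti in t]}

def verify_share(i, t_i, public):
    """Party i's SECRET VERIFICATION: the received share must match published h_i."""
    return E(t_i) == public["h"][i]

def prove(A, shares_A, public, rng=secrets.randbelow):
    """One run of the proof protocol between the parties in A and verifier V.
    rng(P) supplies all random elements (injectable so a test can fix them)."""
    x = recon_coeffs(A)
    if x is None:
        return False                       # V knows G, so an unqualified A is rejected
    r = [rng(P) for _ in A]                # move 1: P_i picks r_i, sends a_i = g^{r_i}
    a = [E(ri) for ri in r]
    z = rng(P)                             # move 2: V's challenge z
    w = [(ri + z * ti) % P for ri, ti in zip(r, shares_A)]  # move 3: w_i = r_i + z t_i
    # V's check: g^{sum x_i w_i} == prod a_i^{x_i} * y^z, true iff sum x_i t_i = s
    # (or with probability 1/p over z when the shares do not reconstruct s).
    lhs = E(dot(x, w))
    rhs = pow(public["y"], z, Q)
    for xi, ai in zip(x, a):
        rhs = rhs * pow(ai, xi, Q) % Q
    return lhs == rhs
```

With p = 11 a cheating run still passes with probability 1/p, which is why Section 4.1.2 repeats the protocol K times; the tiny parameters here are only for readability.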

4. Security Analysis of Protocol 2

In the following context, to illustrate and analyze the argument of our interactive protocol between the parties and the verifier V, we use the term prover in place of party.

4.1. Properties from PROTOCOL 2 in Random Oracle Model
4.1.1. Completeness

Assume that is a subset of . and V execute the abovementioned interactive protocol. V computes the following equation:

If the last equation in equation (13) is satisfied, then V believes that share the secret s satisfying .

4.1.2. Soundness

To prove the property of soundness, we consider the following three settings.

In the first setting, for all of the , let be the only prover corrupted by adversary . pretends to be an honest prover , where . After interacting with V in , he randomly selects and computes ; then, he sends to V. Next, V sends the challenge z to , who randomly chooses , because he does not know the secret (held by the honest prover ), where . Then, the success probability of the equality
is . If the interactive protocol is executed K times, the success probability is .

In the second setting, the adversary chooses a subset of with and gets their shares. Let denote the subset of that the adversary chooses to corrupt in consecutive rounds. The honest parties are denoted by . Assume that V knows the total number of all provers. Each disguises himself as an honest prover to follow the interactive protocol with V, where . In , chooses a random element , calculates , and sends to V; in , V returns a challenge to ; in , after receiving the challenge z, randomly chooses from , since he does not know the secret key of the honest ; and in , V computes
with probability . That is, the corrupted provers choose , respectively, such that
with probability . If and V sequentially perform PROTOCOL 2 K times, then the success probability of the following equality
falls to .

In the third setting, the verifier V is not certain of the number of all provers. In this case, θ corrupted provers pretend to be honest provers. Based on the proof of the second setting, we can prove that the prover set shares a secret s such that with the success probability .

In light of the foregoing, for all sufficiently large K, the probability is negligible. Consequently, the property of soundness is matched.

4.1.3. Zero-Knowledge

To prove the property of zero-knowledge, we consider passive scenarios according to the power of the adversary.

A passive verifier V does not randomly choose in the ηth time when running the protocol. Thus, he can use some -valued function f to compute in deterministic polynomial time [39]. Therefore, we define , where h is a secret input; denotes all data viewed when V executes the protocol in the -th time; denotes a message sent to V in when running PROTOCOL 2 in the ηth time. Suppose that a simulator has been constructed with the input and has successfully simulated PROTOCOL 2 times; then will simulate the ηth time according to the following program:
DO FOREVER
  a random number of 
  a random number of for 
  a random number of for 
  a random number of for 
  COMPUTE , for , and 
  IF THEN OUTPUT and HALT
  ELSE GO back to the first step and repeat again
END DO

Let be an interactive protocol performed among and V. Suppose that have been executed m times. According to the description of , is denoted by , and the mth output is denoted by (if , denotes an empty set). Suppose that the output of for m times after the simulation is denoted by .

According to Definition 15, if the ensembles and are computationally indistinguishable, then the protocol we constructed is zero-knowledge. Hence, to prove that and are computationally indistinguishable, we use mathematical induction through the following steps:
(1) Let the probability of be denoted by if and the probability of be denoted by if .
(2) When , in the initial state of the interactive proof system there is and , where is an arbitrarily small constant.
(3) In the th operation, we assume that is satisfied for each .
(4) In the ηth operation, we consider two models:
(I) In the real model, we consider . Assume that V chooses with probability ϑ; then, V chooses with probability . Every prover selects with probability for . Additionally, the probability of is since is computed from , where . Therefore, the probability of all messages that V viewed in the ηth time, i.e., , is when and otherwise when .
(II) In the ideal model, we consider the simulator . In the ηth simulation, takes as input and chooses with a probability of . Later, V and choose and with a probability of , respectively. Meanwhile, V and choose and with a probability of , respectively. Suppose that or ; then, outputs the effective output in the ηth time with probability . Hence, the probability of as an effective output of is
and the probability of as an effective output of is

In fact, and are selected randomly and independently, the case yields that , and results in .

Suppose in the th time that ; then, in the ηth time, we have

This is a negligible amount; thus, we know that and are computationally indistinguishable.

4.2. Theorems from PROTOCOL 2

Theorem 1. PROTOCOL 2 is an n-prover computational zero-knowledge proof system.

Proof. According to the context of Section 4.1 and Definition 15, PROTOCOL 2 satisfies completeness, soundness, and zero-knowledge. Consequently, PROTOCOL 2 is an n-prover computational zero-knowledge proof system.

Theorem 2. Let be a linear code. An adversary is l-bounded. The corrupted parties chosen by are , where is a subset of with . Let denote the family of leakage functions , where with . Suppose and (when ). If , then prepend “0”s to the codeword so that its length equals the length of . There is
where is the uniform distribution on and . That is,

Proof. Our secret-sharing scheme is a linear (also additive) secret-sharing scheme, and the detailed proof is similar to Theorem 4.5 in [24].

Theorem 3. Under the bounded-leakage model, PROTOCOL 2 is an -LRSS.

Proof. Let C be an linear code. The secret is shared into n shares such that . Let be a family of leakage functions, where . For , is uniformly distributed on C and sample . Note that and compute . Then, we can obtain the coset of for the distribution . For any secret , there is
where with and , for .
For the uniform distribution over C,
Then, the statistical distance between and is . By the triangle inequality, for two secrets , there is
Let the leakage protocol be denoted by . Then,
where .

5. Group Identification via PROTOCOL 2

According to Def. 17 in Section 2.3 and PROTOCOL 2, we can construct a group identification protocol GID-scheme with the following properties: the valid identities can be believed by the verifier only for the qualified group members, not the unqualified members; the verifier gains nothing other than believing that the qualified members have valid identities. Let be a group set, and let be an n-prover interactive proof system. The GID-scheme can be constructed by Table 2.

According to the work presented in [37, 40], our GID-scheme is secure against (classical) passive attacks.

Theorem 4. Let be a GID-scheme and be a hard relation with key generator . We write to denote the prover set and the verifier in a -protocol for with 2-bit challenges. Suppose that the -protocol is complete, 2-special sound, and honest verifier zero-knowledge. Then, our GID-scheme is secure against emulation under active attacks.

Proof. If we write by the notation and the transcript by the notation , then the protocol and our GID-scheme are equal, where . For details, see Theorem 5 of [41].
In the bounded-leakage model, we have the following theorem.

Theorem 5. Under the discrete logarithm assumption, our GID-scheme is actively secure under pre-emulation attacks with leakage bits. It is secure against an arbitrary time leakage attack with bits.

Proof. Suppose, for contradiction, that in the pre-emulation leakage attack game there is an adversary with a nonnegligible advantage. Then, we need to find two different secret keys and for a public key , for the randomly chosen , since is not known. In fact, in the test phase, randomly chooses the key pair and utilizes to model the leakage oracle and an honest prover oracle P for the adversary . Later, in the emulation phase, runs twice (for the attack games ) with two distinct randomly chosen challenges . Because generates two valid transcripts with a nonnegligible advantage, can recover or find a secret key by using these two transcripts, according to the 2-special soundness property of the -protocol.
We now need to analyze the probability of . Table 3 presents three experiments that are performed by the adversary . In experiment , obtains and can access the oracle ; in experiment , obtains and only accesses the oracle ; in experiment , only obtains . According to the construction of , and , we obtain the following inequality: where denotes the min-entropy of a random variable X with probability distribution over , and denotes the (average) conditional min-entropy of a random variable X conditioned on experiment . The detailed proof of equation (27) can be found in [20]. By the above equation, outputs with probability at most . Therefore, generates two different secret keys with a nonnegligible advantage.
For an arbitrary time leakage game , in the emulation phase, can access the leakage oracle with bits. Based on two distinct challenges, performs the emulation phase twice; thus, the leakage bit is . Consequently, only bits of arbitrary time leakage can be handled.

5.1. Comparisons with Other Schemes

In this section, we compare our ID-scheme with several previous works. According to the construction of the GID-schemes, we summarize the main parameters in Table 4. The first column presents the compared related works. The second column indicates the size of the public parameters shared by all parties. The third and fourth columns indicate the size of the public key and secret key, respectively. The fifth column denotes each party's communication complexity. The last column shows the size of the allowed leakage l, measured in bits.

The comparison of the schemes in Table 4 is summarized as follows:
The scheme in [42] uses m generators and can tolerate leakage of bits, where λ denotes the security parameter. This scheme only provides an adequate method for relative leakage, not for large absolute leakage l, and it does not provide a proportional increase in communication complexity.
As an extension of that scheme, the researchers in [20] propose two schemes ( and ), which add two additional parameters, n (the number of key pairs stored) and t (, the number of keys used). and can tolerate leakage of bits and bits, respectively.
In [38], the authors constructed a leakproof SSS by using a threshold SSS, and they also proved that the master secret s can be shared an arbitrary number of times. However, their schemes do not consider the security of the scenario in which some information is leaked.
Local LRLSS [24] provides local leakage resilience for (additive or -Shamir) SSS over the field (p is a large prime), which is secure under local leakage attacks when bits are leaked from every share.
Inspired by the work of [38], in our scheme, we construct a secret-sharing scheme by using linear codes to realize an access structure, in which the master key can be shared as many times as desired in the random oracle model. Moreover, our scheme is an -LRSS under the bounded-leakage model. Based on our LRSS scheme, we construct a GID-scheme, which is proven to be leakage-resilient under the attacks and .

6. Conclusions and Future Work

We proposed a secret-sharing scheme that realizes an access structure based on linear codes. According to the definitions of the zero-knowledge proof system and the security model, we proved that our protocol is a multiprover zero-knowledge proof system in the random oracle model. Our protocol is also a leakage-resilient secret-sharing scheme (LRSS) in the bounded-leakage model. In our LRSS, security is guaranteed even if the adversary learns leakage information bounded by l bits.

Moreover, we presented a GID-scheme from our LRSS scheme, and it is leakage-resilient under the leakage attacks and in the bounded-leakage model. In our leakage-resilient GID-scheme, any authorized set of parties can prove to the verifier that they share the secret key without leaking any information about their individual shares to the adversary, and security is guaranteed even though l bits are retrieved by the malicious adversary; any authorized party can prove that it holds the corresponding valid secret share.

In future work, we want to construct a practical dynamic secret-sharing scheme. In this dynamic secret-sharing scheme, there is more than one access structure, and we want to enable only one of them to be active to reconstruct the predefined secret.

Data Availability

No data were used to support this study.

Disclosure

This work is a major revision of a preprint of an article accepted by the International Symposium on Cyberspace Safety and Security (CSS 2019) and is subject to Complexity.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the Natural Science Foundation of China (Grant nos. 61702125 and 61702126).