Secret Sharing Schemes

Consider the following situation. The Great Rivers Bank has a president, four vice presidents and five senior tellers. The president knows the combination to the vault, but he is rarely at the bank. It is necessary for the vault to be opened daily, so the combination needs to be known by other personnel in the bank. The president does not want the combination to be known by any individual other than himself. He would like a way to give out parts (shares) of the combination (the secret) so that any two of the vice presidents can combine their information and open the vault, or any one of the vice presidents and any three of the senior tellers can open the vault. Other combinations of personnel, such as one vice president and only two senior tellers, or all five senior tellers, should not be able to open the vault.

The solution to the president's problem is called a secret sharing scheme. The collection of groups of participants who are allowed to combine their shares and recover the secret is known as the access structure. If every group of participants not in the access structure has no more information about the secret than someone not involved in the scheme at all, the secret sharing scheme is said to be perfect.

There are many ways to design perfect secret sharing schemes based on mathematical problems. The design depends on how complicated the access structure is. We will first look at one of the simplest access structures, where there are n people involved and any k of them can obtain the secret. Schemes with this access structure are called k out of n schemes (also known as (k,n)-threshold schemes).

Shamir's (k,n)-threshold scheme

This scheme uses arithmetic in the field Z_p for some prime p (any finite field could be used). The secret K is an element of this field. The dealer (the person who wants to share the secret) randomly selects k-1 elements of Z_p, say a_1, a_2, ..., a_{k-1}, and forms the polynomial
f(x) = K + a_1 x + a_2 x^2 + ... + a_{k-1} x^{k-1} (mod p),
which has degree at most k-1. For each participant i the dealer picks a distinct nonzero element x_i of Z_p (so n must be less than p) and computes f(x_i). The share given to participant i is the pair (x_i, f(x_i)). The x_i may be public; only the values f(x_i) need to be kept secret.

Now, if any k participants pool their shares, the polynomial f(x) is uniquely determined (a polynomial of degree at most k-1 is fixed by its values at k distinct points) and can be reconstructed, for instance with the Lagrange interpolation formula; the secret is its constant term, obtained by evaluating the polynomial at 0. In fact the participants do not need the whole polynomial: the Lagrange formula evaluated directly at x = 0 gives K as a linear combination of the k share values. If fewer than k participants combine their shares, the polynomial is not uniquely determined: for every candidate value K' in Z_p there is exactly one polynomial of degree at most k-1 that takes the value K' at 0 and agrees with the given k-1 shares, so every element of the field is equally likely to be the secret. This scheme is thus a perfect (k,n)-threshold scheme.
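The scheme above, as an added example that is not part of the original notes: the dealer's polynomial evaluation, Lagrange interpolation evaluated directly at x = 0, and a small brute-force check of the perfectness argument (with k-1 shares every candidate secret is consistent with exactly one polynomial; with k shares only the true secret survives). Assumptions of this example: the field is Z_p for the Mersenne prime p = 2^127 - 1, and participant i is given x_i = i.

```python
import secrets
from itertools import product

# Added example (not from the original notes). Assumptions: the field is Z_p for the
# Mersenne prime p = 2^127 - 1, and participant i is given x_i = i (the x_i are public).
P = 2**127 - 1


def eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod p (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def make_shares(secret, k, n, p=P):
    """Dealer: choose a_1..a_{k-1} at random, f(x) = secret + a_1 x + ... + a_{k-1} x^{k-1},
    and hand participant i the pair (i, f(i)) for i = 1..n (distinct and nonzero)."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an element of Z_p")
    if not 1 <= k <= n < p:
        raise ValueError("need 1 <= k <= n < p so that n distinct nonzero x_i exist")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def recover(shares, p=P):
    """Lagrange interpolation evaluated directly at x = 0: the constant term of the unique
    polynomial of degree < len(shares) through the given points. With k or more genuine
    shares this is the secret; with fewer it is just some other field element."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x-coordinates")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % p          # factor (0 - x_j)
                den = den * (xi - xj) % p      # factor (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def count_consistent(shares, k, p):
    """Brute force (small p only): for every candidate secret, how many polynomials of
    degree <= k-1 over Z_p agree with all the given shares? Equal counts for every
    candidate means the shares reveal nothing about the secret."""
    counts = {s: 0 for s in range(p)}
    for coeffs in product(range(p), repeat=k):
        if all(eval_poly(coeffs, x, p) == y for x, y in shares):
            counts[coeffs[0]] += 1
    return counts


if __name__ == "__main__":
    shares = make_shares(1234, 3, 5)
    print(recover(shares[1:4]))                 # any 3 of the 5 shares give 1234
    small = make_shares(7, 3, 4, p=13)
    print(count_consistent(small[:2], 3, 13))   # every candidate appears exactly once
    print(count_consistent(small[:3], 3, 13))   # only the true secret 7 is consistent
```

The brute-force check is only feasible for a toy field; it is there to make the "exactly one polynomial per candidate secret" step of the argument concrete, not for use with a real-sized p.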

Geometric Threshold schemes

Geometric problems can also be used as a basis for secret sharing schemes. Here is an example.

Let the secret be the coordinates of a fixed point on a given line in a plane (the line, and the fact that the secret is a point on that line, is public information). Let l be any other line which intersects the given line at the secret point. As shares, distinct points of l other than the secret point itself are given out (a share equal to the secret point would be recognizable, since it lies on the public line). If you only know one of these points, then there is no way to determine the secret point: every point of the public line is joined to your point by some line, so every one remains possible. If you know two of these points, then the line l is determined and its intersection with the given line gives the secret. Thus this is a perfect (2,n)-threshold scheme for any n, where in practice the plane is taken over a finite field Z_p so that shares are finite and n is bounded by the number of available points on l.

Another example. Let the secret be the coordinates of a point on a line in 3-space. Let m be a plane which intersects the line only at the secret point. Let C be any circle in m. As shares, distinct points on C can be given out. Any three points of C can be used to determine m and therefore the secret, but two or fewer points do not, and knowing them would not eliminate any possibilities for the secret point. This is therefore a perfect (3,n)-threshold scheme (for any n). The reason one uses a circle in this scheme, instead of just arbitrary points of m, is to make sure that any three shares will determine m: a line meets a circle in at most two points, so no three shares are collinear. If arbitrary points of the plane had been used, three shares could correspond to three collinear points of m, and then m would not be determined.
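The (3,n) plane scheme just described, as an added example that is not part of the original notes. Assumptions of this example: the construction is carried out in Z_p^3 for a fixed prime p rather than in real 3-space (so shares are finite and every point of the public line is equally likely), the public line is given as A + t*D for constructed values A and D with the secret being the parameter t0, and a parabola in the plane m stands in for the text's circle (it has the same property that matters here: no three of its points are collinear). A small brute-force function shows that two shares are consistent with every point of the public line.

```python
import secrets

# Added example (not from the original notes). Assumption: coordinates live in Z_p^3 for the
# prime p below rather than in real 3-space, so shares are finite field elements and every
# point of the public line is an equally likely secret.
P = 1_000_003

# Public information: the line A + t*D; the secret is the point S = A + t0*D, i.e. the
# parameter t0. A and D are constructed values.
A = (1, 2, 3)
D = (1, 0, 1)


def vadd(a, b, p=P):
    return tuple((x + y) % p for x, y in zip(a, b))


def vsub(a, b, p=P):
    return tuple((x - y) % p for x, y in zip(a, b))


def vscale(c, a, p=P):
    return tuple(c * x % p for x in a)


def dot(a, b, p=P):
    return sum(x * y for x, y in zip(a, b)) % p


def cross(a, b, p=P):
    return ((a[1] * b[2] - a[2] * b[1]) % p,
            (a[2] * b[0] - a[0] * b[2]) % p,
            (a[0] * b[1] - a[1] * b[0]) % p)


def make_shares(t0, n, p=P):
    """Dealer: pick a plane m = S + span(u, v) that meets the public line only at S
    (its normal u x v is not orthogonal to D), then hand out n distinct points of a conic
    in m. A parabola S + a*u + a^2*v stands in for the text's circle: a line meets it in
    at most two points, so no three shares are collinear and any three determine m."""
    S = vadd(A, vscale(t0, D, p), p)
    while True:
        u = tuple(secrets.randbelow(p) for _ in range(3))
        v = tuple(secrets.randbelow(p) for _ in range(3))
        if dot(cross(u, v, p), D, p) != 0:      # also forces u, v to be independent
            break
    params = set()
    while len(params) < n:
        a = secrets.randbelow(p)
        if a != 0:                               # a = 0 would hand out S itself
            params.add(a)
    return [vadd(S, vadd(vscale(a, u, p), vscale(a * a % p, v, p), p), p) for a in params]


def recover(three, p=P):
    """Three shares q1, q2, q3 span m; intersect m with the public line:
    n.(A + t*D - q1) = 0  =>  t = n.(q1 - A) / n.D  with n = (q2-q1) x (q3-q1)."""
    q1, q2, q3 = three
    n = cross(vsub(q2, q1, p), vsub(q3, q1, p), p)
    if n == (0, 0, 0):
        raise ValueError("collinear points do not determine a plane")
    denom = dot(n, D, p)
    if denom == 0:
        raise ValueError("plane is parallel to the public line")
    return dot(n, vsub(q1, A, p), p) * pow(denom, -1, p) % p


def candidates_from_two(two, p):
    """Small p only: how many points A + t*D admit a plane through both shares and that
    point? Every t qualifies, so two shares rule out nothing about the secret."""
    q1, q2 = two
    w = vsub(q2, q1, p)
    return sum(1 for t in range(p)
               if cross(w, vsub(vadd(A, vscale(t, D, p), p), q1, p), p) != (0, 0, 0))


if __name__ == "__main__":
    shares = make_shares(424242, 5)
    print(recover(shares[:3]))                   # 424242
    small = make_shares(5, 4, p=13)
    print(candidates_from_two(small[:2], 13))    # 13: all points of the line remain possible
```

The check in recover for a zero cross product is the computational face of the "why a circle" remark above: with a parabola it never fires, but with arbitrary points of m it would.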

Multilevel Schemes

A multilevel scheme refers to an access structure like the bank example above, where different categories of participants are involved, each having their own criteria for obtaining the secret. For any access structure which is monotone, that is, one in which every set of participants containing an authorized subset is itself authorized (a rather obvious requirement: adding participants to a group cannot take away its ability to obtain the secret), we can construct a secret sharing scheme that realizes this structure. One general method builds the scheme from a Boolean circuit describing the access structure. We will not examine this general construction, but rather present a geometric construction for a multilevel access structure.

We will construct a scheme to solve the bank problem that we started this section with. Our geometric construction will use elements of a four-dimensional Euclidean space. The only geometric fact that you may not be familiar with is that in a four-dimensional space, two distinct planes can intersect in a line, in a single point, or not at all. The secret S will be a point on a fixed line l lying in a fixed plane of the 4-dimensional space (the line and the plane are public). Let a second plane intersect the fixed plane in a single point P which does not lie on l. Let m be the line determined by P and S; it lies in the fixed plane and meets l only at S. Finally, let C be a circle in the second plane.

Now, as shares, each vice-president gets the coordinates of a point on m other than P or S, and each senior teller gets the coordinates of a point on the circle C. Two vice-presidents hold two distinct points of m, so they can determine this line and calculate where it intersects l, obtaining the secret. Any three senior tellers can combine their three points to determine the second plane (no three points of a circle are collinear), and then calculate where that plane intersects the fixed plane, giving the point P. Any vice-president can then use their point together with P to determine m and hence the secret. The unauthorized groups fail as required: all five senior tellers learn only P, which lies off l and by itself says nothing about where S sits on l, and with fewer than three senior tellers the second plane, and so P, is not determined at all.
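The bank scheme above carried out in coordinates, as an added example that is not part of the original notes. Assumptions of this example: the construction is done in Z_p^4 for a fixed prime p instead of real 4-space; the fixed plane is taken to be {(x, y, 0, 0)} and the line l inside it to be {(t, 0, 0, 0)}, so the secret is the first coordinate of S = (s, 0, 0, 0); and a parabola in the second plane stands in for the circle C (again, no three of its points are collinear). The names deal, point_P_from_tellers, secret_from_line_m and open_vault are this example's own.

```python
import secrets

# Added example (not from the original notes). Assumption: the construction is carried out in
# Z_p^4 for the prime p below instead of real 4-space. The fixed plane is {(x, y, 0, 0)}, the
# line l in it is {(t, 0, 0, 0)} (both public), and the secret is the point S = (s, 0, 0, 0).
P = 1_000_003


def vadd(a, b, p=P):
    return tuple((x + y) % p for x, y in zip(a, b))


def vsub(a, b, p=P):
    return tuple((x - y) % p for x, y in zip(a, b))


def vscale(c, a, p=P):
    return tuple(c * x % p for x in a)


def deal(s, n_vp, n_tellers, p=P):
    """Dealer. P: a point of the fixed plane off l (second coordinate nonzero). The second
    plane P + span(u, v) meets the fixed plane only at P exactly when the 2x2 block of (u, v)
    in coordinates 3 and 4 is invertible. Vice-presidents get points S + c(P - S) of the line
    m with c not 0 or 1 (never S or P). Tellers get points P + a*u + a^2*v, a != 0, of a
    parabola in the second plane (standing in for the circle: no three are collinear)."""
    S = (s % p, 0, 0, 0)
    P_pt = (secrets.randbelow(p), 1 + secrets.randbelow(p - 1), 0, 0)
    while True:
        u = tuple(secrets.randbelow(p) for _ in range(4))
        v = tuple(secrets.randbelow(p) for _ in range(4))
        if (u[2] * v[3] - u[3] * v[2]) % p != 0:
            break
    cs = set()
    while len(cs) < n_vp:
        c = secrets.randbelow(p)
        if c not in (0, 1):
            cs.add(c)
    vps = [vadd(S, vscale(c, vsub(P_pt, S, p), p), p) for c in cs]
    params = set()
    while len(params) < n_tellers:
        a = secrets.randbelow(p)
        if a != 0:
            params.add(a)
    tellers = [vadd(P_pt, vadd(vscale(a, u, p), vscale(a * a % p, v, p), p), p)
               for a in params]
    return vps, tellers


def point_P_from_tellers(q1, q2, q3, p=P):
    """Three teller shares span the plane q1 + alpha*w1 + beta*w2. Its point in the fixed
    plane has coordinates 3 and 4 equal to zero: a 2x2 linear system, solved by Cramer's rule."""
    w1, w2 = vsub(q2, q1, p), vsub(q3, q1, p)
    a, b, c, d = w1[2], w2[2], w1[3], w2[3]
    e, f = -q1[2] % p, -q1[3] % p
    det = (a * d - b * c) % p
    if det == 0:
        raise ValueError("points do not determine a plane meeting the fixed plane in a point")
    inv = pow(det, -1, p)
    alpha = (e * d - b * f) * inv % p
    beta = (a * f - c * e) * inv % p
    return vadd(q1, vadd(vscale(alpha, w1, p), vscale(beta, w2, p), p), p)


def secret_from_line_m(x, y, p=P):
    """x, y: two distinct points of m (two vice-president shares, or one share and P).
    m lies in the fixed plane, so S is the point x + t(y - x) whose second coordinate is 0."""
    if x[1] == y[1]:
        raise ValueError("line does not meet l in a single point")
    t = x[1] * pow((x[1] - y[1]) % p, -1, p) % p
    return (x[0] + t * (y[0] - x[0])) % p


def open_vault(vps, tellers, p=P):
    """The access structure: two vice-presidents, or one vice-president and three tellers."""
    if len(vps) >= 2:
        return secret_from_line_m(vps[0], vps[1], p)
    if len(vps) == 1 and len(tellers) >= 3:
        return secret_from_line_m(vps[0], point_P_from_tellers(*tellers[:3], p=p), p)
    raise PermissionError("not an authorized set of participants")


if __name__ == "__main__":
    vps, tellers = deal(987654, 4, 5)
    print(open_vault(vps[:2], []))            # 987654
    print(open_vault([vps[2]], tellers))      # 987654
```

open_vault only encodes who is allowed to try; the geometry does the rest, and any other combination of the same shares (five tellers alone, or one vice-president with two tellers) simply does not contain the two points of m that secret_from_line_m needs.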