Scientific article on the topic 'Faulty share detection in Shamir's secret sharing'

Faulty share detection in Shamir's secret sharing. Text of a scientific article in the field of Mathematics.

CC BY

Keywords: Shamir's secret sharing, polynomial interpolation, Hankel polynomials, error correction.

Abstract of the scientific article in mathematics, authors: Uteshev Alexei Yu., Marov Aleksei V.

For Shamir's secret key sharing algorithm, we develop a procedure for the detection of faulty shares. The procedure consists in constructing the error locator polynomial for a data set $\{(x_j, y_j)\}_{j=1}^N$ whose $y$ values are generated from the $x$ values by a polynomial interpolant of degree $n < N - 1$, with possible errors in some of the values. The error locator polynomial is sought in the form of an appropriate Hankel polynomial.


Error detection in Shamir's secret sharing scheme

For Shamir's secret sharing scheme, a procedure for detecting faulty shares of the secret is proposed. An algorithm is developed for constructing the error locator polynomial for a data set in which the values $y_j$, originally generated from the $x_j$ by a polynomial interpolant of degree $n < N - 1$, are partially corrupted. The error locator polynomial is constructed in the form of an appropriate Hankel polynomial.

Text of the scientific work on the topic «Faulty share detection in Shamir's secret sharing»

UDC 621.394.147    Vestnik of St. Petersburg University. Applied Mathematics. Computer Science... 2019. Vol. 15. Iss. 2    MSC 94A62

Faulty share detection in Shamir's secret sharing*

A. Yu. Uteshev1, A. V. Marov2

1 St. Petersburg State University, 7—9, Universitetskaya nab., St. Petersburg, 199034, Russian Federation

2 RAIDIX, 33 (A), nab. reki Smolenki, St. Petersburg, 199178, Russian Federation

For citation: Uteshev A. Yu., Marov A. V. Faulty share detection in Shamir's secret sharing. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2019, vol. 15, iss. 2, pp. 274-282. https://doi.org/10.21638/11702/spbu10.2019.210

For Shamir's secret key sharing algorithm, we develop the procedure for detection of faulty shares. This procedure consists of the error locator polynomial construction for the data set $\{(x_j, y_j)\}_{j=1}^N$ with $y$ values generated from $x$ ones by a polynomial interpolant of a degree $n < N - 1$ with possible occurrence of some errors. The error locator polynomial is sought out in the form of an appropriate Hankel polynomial

$$\mathcal H_L(x;\{\tau\}) := \begin{vmatrix} \tau_0 & \tau_1 & \dots & \tau_L \\ \tau_1 & \tau_2 & \dots & \tau_{L+1} \\ \vdots & \vdots & & \vdots \\ \tau_{L-1} & \tau_L & \dots & \tau_{2L-1} \\ 1 & x & \dots & x^L \end{vmatrix},$$

where $\tau_\ell := \sum_{j=1}^N \dfrac{x_j^\ell y_j}{W'(x_j)}$ and $W(x) := \prod_{j=1}^N (x - x_j)$.

Keywords: Shamir's secret sharing, polynomial interpolation, Hankel polynomials, error correction.

1. Introduction. Let a secret integer number (key) $S$ be split into $N$ pieces, i. e. integers $S_1, \dots, S_N$ (shares) are created and distributed among the $N$ distinct members of some consortium (shareholders). The sharing should be organized in such a way that, for a given number $k < N$ (threshold), the key $S$ can be restored from any subset of $k$ shares $S_{i_1}, \dots, S_{i_k}$, but cannot be restored from a smaller number of shares. The secret $S$, as well as the computation of its shares and their distribution among the consortium members, is entrusted to an honest dealer.

Several constructive schemes were suggested for the secret share management like, for instance, those based on multidimensional hyperplane intersection or Chinese Remainder Theorem. In the present paper we deal with Shamir's algorithm [1] based on solution of the polynomial interpolation problem. The classical univariate polynomial interpolation problem (over an infinite field, say $\mathbb R$) is formulated as follows. Given the data set of values for the variables $x$ and $y$

$$\begin{array}{c|cccc} x & x_1 & x_2 & \dots & x_N \\ y & y_1 & y_2 & \dots & y_N \end{array}, \qquad \{x_j, y_j\}_{j=1}^N \subset \mathbb R, \qquad (1)$$

* This work is supported by the Russian Foundation for Basic Research (project No. 17-29-04288). © St. Petersburg State University, 2019

with distinct nodes $\{x_j\}_{j=1}^N$, find a polynomial $f(x)$ such that $\{f(x_j) = y_j\}_{j=1}^N$. If $\deg f < N - 1$ then the problem has a unique solution which can be represented in several forms. Set

$$W(x) := \prod_{j=1}^N (x - x_j), \qquad W_j(x) := \frac{W(x)}{x - x_j} \quad \text{for } j \in \{1, \dots, N\}.$$

Then the interpolation polynomial in Lagrange form, formula (2), is computed from these.

In Shamir's algorithm, to share the secret key $S$, the dealer first chooses an arbitrary prime number $p > S$, $p \ge n$, and constructs an arbitrary polynomial over $\mathbb Z_p$:

$$f(x) := S + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1}, \qquad \{a_1, \dots, a_{k-1}\} \subset \{0, 1, \dots, p-1\}. \qquad (3)$$

Next he enumerates the members of the consortium by consecutive integers $1, 2, \dots, n$ and supplies the $j$-th of them with the value $y_j := f(j) \pmod p$, this value being treated as the $j$-th share of the secret $S$. To restore the secret $S$, the shareholders need to collect at least $k$ pairs $(j, y_j)$. Lagrange formula (2) computes the polynomial (3) modulo $p$; its free term coincides with $S$. The only specifics of computation in $\mathbb Z_p$ is that division by the integers involved in (2) should be interpreted as multiplication by the inverses of these integers modulo $p$.
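The sharing and restoration steps just described, as an added worked example (my code, not the paper's): shares are generated by formula (3) and the free term is recovered by the Lagrange formula over $\mathbb Z_p$ with every division replaced by a modular inverse. The parameters $S = 1234$, $p = 2017$, $k = 3$, $N = 7$ and $f(x) = 1234 + 271x + 82x^2$ are those of Example 4 below; the function names are my own, and the corrupted share table at the end is the one from that example.

```python
from itertools import combinations


def make_shares(secret, coeffs, p, n_shares):
    """Shares y_j = f(j) mod p, j = 1..n_shares, with f(x) = S + a_1 x + ... (formula (3))."""
    poly = [secret] + list(coeffs)
    return [sum(a * pow(j, i, p) for i, a in enumerate(poly)) % p
            for j in range(1, n_shares + 1)]


def lagrange_free_term(points, p):
    """f(0) mod p from k pairs (x_j, y_j) by the Lagrange form: f(0) is the sum of
    y_j * W_j(0) / W_j(x_j), every division done as a modular inverse."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num, den = 1, 1
        for i, (xi, _) in enumerate(points):
            if i != j:
                num = num * (-xi) % p        # factor (0 - x_i) of W_j(0)
                den = den * (xj - xi) % p    # factor (x_j - x_i) of W_j(x_j)
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


def recover_from_any_subset(shares, k, p):
    """Set of secrets obtained from every k-subset of the shares (j, y_j).
    A single value means the table is consistent; several values mean that
    some share is corrupted, as the paper observes in Example 4."""
    pts = list(enumerate(shares, start=1))
    return {lagrange_free_term(list(sub), p) for sub in combinations(pts, k)}


SECRET, P, K = 1234, 2017, 3
SHARES = make_shares(SECRET, [271, 82], P, 7)
# Constructed from Example 4 of the paper: the same table with shares 2 and 6 corrupted.
CORRUPTED = [1587, 350, 768, 1613, 605, 778, 1098]

if __name__ == "__main__":
    print(SHARES)                                   # the dealer's seven shares
    print(recover_from_any_subset(SHARES, K, P))    # {1234}
    print(recover_from_any_subset(CORRUPTED, K, P)) # several candidate secrets
```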

The algorithm fails if one of the shares is corrupted (accidentally or intentionally) either in transmission or in storage. Assuming that the number of uncorrupted shares exceeds that of corrupted ones, is it possible to restore the secret $S$? We will demonstrate that the answer is positive if some redundancy in the number of true shares over false ones can be guaranteed.

2. Error detection in interpolation table. In the present section we detail the algorithm of error location dealing with the interpolation problem over R, while in the next one it is modified for Zp.

Theorem 1 (Euler, Lagrange). For the polynomial $F(x) \in \mathbb R[x]$ with the leading coefficient equal to $A_0$, the following equalities are valid:

$$\sum_{j=1}^N \frac{F(x_j)}{W'(x_j)} = \begin{cases} 0, & \text{if } \deg F < N - 1, \\ A_0, & \text{if } \deg F = N - 1. \end{cases} \qquad (4)$$

If the data set (1) is generated by a polynomial of a degree n < N — 1 then the set is redundant for computation of this polynomial. Any subset of the data set containing n +1 entries is sufficient for the polynomial restoration.

Define the sequence of symmetric functions of the data set (1):

$$\tau_\ell := \sum_{j=1}^N \frac{x_j^\ell y_j}{W'(x_j)} \quad \text{for } \ell \in \{0, 1, \dots\}. \qquad (5)$$

The following result is a trivial consequence of theorem 1.

Theorem 2. If the data set (1) is generated by a polynomial of a degree $n < N - 1$, then

$$\tau_0 = 0, \ \dots, \ \tau_{N-n-2} = 0, \qquad \tau_{N-n-1} \ne 0. \qquad (6)$$

Suppose now that some of the values $y_1, \dots, y_N$ generated by a polynomial of a degree $n < N - 1$ are corrupted, but we know neither their number nor their positions. One may then expect that generically the degree of the interpolant formally constructed by (2) would be greater than $n$, and, therefore, some of the equalities (6) would be violated. This provides a sufficient condition for the existence of an error in the data set.

In order to locate the erroneous values, generate by (5) the two sequences of Hankel determinants:

$$\mathcal H_L(\{\tau\}) := \det\left[\tau_{i+j-2}\right]_{i,j=1}^L = \begin{vmatrix} \tau_0 & \tau_1 & \dots & \tau_{L-1} \\ \tau_1 & \tau_2 & \dots & \tau_L \\ \vdots & \vdots & & \vdots \\ \tau_{L-1} & \tau_L & \dots & \tau_{2L-2} \end{vmatrix}_{L \times L}$$

and

$$\mathcal H_L(x;\{\tau\}) := \det\left[\tau_{i+j-2}\,x - \tau_{i+j-1}\right]_{i,j=1}^L$$

for $L \in \mathbb N$. The last determinant can be represented in an alternative form as

$$\mathcal H_L(x;\{\tau\}) = \begin{vmatrix} \tau_0 & \tau_1 & \dots & \tau_L \\ \tau_1 & \tau_2 & \dots & \tau_{L+1} \\ \vdots & \vdots & & \vdots \\ \tau_{L-1} & \tau_L & \dots & \tau_{2L-1} \\ 1 & x & \dots & x^L \end{vmatrix}_{(L+1) \times (L+1)} \qquad (7)$$

and is sometimes referred to as the $L$-th Hankel polynomial generated by (5).

Example 1. The data set

$$\begin{array}{c|ccccccc} x & -2 & -1 & 0 & 1 & 2 & 3 & 4 \\ y & 30 & 12 & 8 & 9 & 18 & 35 & 60 \end{array}$$

is generated by the polynomial $f(x) = 4x^2 - 3x + 8$ with the exception of a single erroneous value at the node $x_2 = -1$. The sequence of polynomials (7) is as follows:

$$\mathcal H_1(x;\{\tau\}) = \frac{1}{40}(x + 1), \quad \mathcal H_2(x;\{\tau\}) \equiv 0, \quad \mathcal H_3(x;\{\tau\}) = -\frac{2}{5}(x + 1), \ \dots$$

and one may observe the error position as a zero of both polynomials $\mathcal H_1(x;\{\tau\})$ and $\mathcal H_3(x;\{\tau\})$. □

Theorem 3. Let $e \in \{1, 2, \dots, N\}$. Let the polynomial $f(x) = a_0 x^n + \dots + a_n$ be of a degree $n < N - 2$. Let the data set (1) satisfy the conditions

(a) $y_j = f(x_j)$ for $j \in \{1, \dots, N\} \setminus \{e\}$,

(b) $\tilde y_e := f(x_e) \ne y_e$,

then

$$\mathcal H_1(x;\{\tau\}) = \frac{y_e - \tilde y_e}{W'(x_e)}\,(x - x_e). \qquad (8)$$

Proof. We assume $x_e = x_1$ and set $\varepsilon := y_1 - \tilde y_1$. With the aid of (4), one obtains

$$\tau_\ell = \frac{x_1^\ell y_1}{W'(x_1)} + \frac{x_2^\ell y_2}{W'(x_2)} + \dots + \frac{x_N^\ell y_N}{W'(x_N)} = \frac{\varepsilon x_1^\ell}{W'(x_1)} + \sum_{j=1}^N \frac{f(x_j) x_j^\ell}{W'(x_j)} = \frac{\varepsilon x_1^\ell}{W'(x_1)} \quad \text{for } \ell \in \{0, 1\}.$$

Thus,

$$\mathcal H_1(x;\{\tau\}) = \begin{vmatrix} \tau_0 & \tau_1 \\ 1 & x \end{vmatrix} = \begin{vmatrix} \varepsilon / W'(x_1) & \varepsilon x_1 / W'(x_1) \\ 1 & x \end{vmatrix} = \frac{\varepsilon}{W'(x_1)}(x - x_1),$$

and (8) is proved. □

We now turn to the case of the occurrence of several errors in the data set. We denote the number of erroneous values by $E$.

Example 2. The data set

$$\begin{array}{c|ccccccc} x & -2 & -1 & 0 & 1 & 2 & 3 & 4 \\ y & 30 & -7 & 8 & 9 & 11 & 35 & 60 \end{array}$$

is generated by the polynomial $f(x) := 4x^2 - 3x + 8$ with the exception of two erroneous values at $x_2 = -1$ and $x_5 = 2$. The sequence of polynomials (7) is as follows:

$$\mathcal H_1(x;\{\tau\}) = \frac{1}{80}(3x + 38), \quad \mathcal H_2(x;\{\tau\}) = -\frac{77}{320}(x + 1)(x - 2), \ \dots$$

and this time the erroneous nodes are detected as the zeros of the polynomial $\mathcal H_2(x;\{\tau\})$.

Theorem 4. Let $E \in \{2, 3, \dots, \lfloor N/2 \rfloor - 1\}$ and $e_1, \dots, e_E$ be distinct numbers from $\{1, 2, \dots, N\}$. Let the polynomial $f(x)$ be of a degree $n < N - 2E$. Let the set (1) satisfy the conditions

(a) $y_j = f(x_j)$ for $j \in \{1, \dots, N\} \setminus \{e_1, \dots, e_E\}$,

(b) $\tilde y_{e_s} := f(x_{e_s}) \ne y_{e_s}$ for $s \in \{1, \dots, E\}$,

then

$$\mathcal H_E(x;\{\tau\}) = \frac{\prod_{s=1}^E \left(y_{e_s} - \tilde y_{e_s}\right) \prod_{1 \le t < s \le E} \left(x_{e_t} - x_{e_s}\right)^2}{\prod_{s=1}^E W'(x_{e_s})} \prod_{s=1}^E (x - x_{e_s}). \qquad (9)$$

Proof. Assume, without loss of generality, that $\{e_s = s\}_{s=1}^E$. Denote

$$\theta_\ell := \sum_{s=1}^E \frac{\varepsilon_s x_s^\ell}{W'(x_s)},$$

where $\varepsilon_j := y_j - \tilde y_j$ for $j \in \{1, \dots, E\}$, $\ell \in \{0, 1, 2, \dots\}$.

Represent the expression for $\tau_\ell$ in the form

$$\tau_\ell = \sum_{s=1}^E \frac{\varepsilon_s x_s^\ell}{W'(x_s)} + \sum_{j=1}^N \frac{f(x_j) x_j^\ell}{W'(x_j)} = \theta_\ell \quad \text{for } \ell \in \{0, \dots, N - n - 2\},$$

the second sum vanishing by (4) because $\deg x^\ell f(x) < N - 1$ for these $\ell$.

He(x; {t}) = He (x; {0}) =

во 6\

6\ 02

0E-1 0e

1 x

0E-1 0e 0E 0E+1

02E-2 02E-1

The set of zeros of this polynomial coincides with $\{x_1, \dots, x_E\}$. This follows from the equalities

$$\sum_{s=1}^E \frac{\varepsilon_s x_s^{\rho-1}}{W'(x_s)}\,\mathcal H_E(x_s;\{\theta\}) = \begin{vmatrix} \theta_0 & \theta_1 & \dots & \theta_E \\ \vdots & \vdots & & \vdots \\ \theta_{E-1} & \theta_E & \dots & \theta_{2E-1} \\ \displaystyle\sum_{s=1}^E \frac{\varepsilon_s x_s^{\rho-1}}{W'(x_s)} & \displaystyle\sum_{s=1}^E \frac{\varepsilon_s x_s^{\rho}}{W'(x_s)} & \dots & \displaystyle\sum_{s=1}^E \frac{\varepsilon_s x_s^{\rho+E-1}}{W'(x_s)} \end{vmatrix} = \begin{vmatrix} \theta_0 & \theta_1 & \dots & \theta_E \\ \vdots & \vdots & & \vdots \\ \theta_{E-1} & \theta_E & \dots & \theta_{2E-1} \\ \theta_{\rho-1} & \theta_\rho & \dots & \theta_{\rho+E-1} \end{vmatrix} = 0 \quad \text{for } \rho \in \{1, \dots, E\},$$

the last row of the final determinant coinciding with its $\rho$-th row.

These relationships compose the system of $E$ homogeneous linear equations connecting the values $\{\mathcal H_E(x_s;\{\theta\})\}_{s=1}^E$. The determinant of this system

$$\det\left[\frac{\varepsilon_s x_s^{\rho-1}}{W'(x_s)}\right]_{\rho,s=1}^E = \frac{\prod_{s=1}^E \varepsilon_s \prod_{1 \le s < t \le E} (x_t - x_s)}{\prod_{s=1}^E W'(x_s)} \qquad (10)$$

does not vanish due to the assumption (b) of the theorem. Therefore all the values $\{\mathcal H_E(x_s;\{\theta\})\}_{s=1}^E$ should be equal to zero and

$$\mathcal H_E(x;\{\tau\}) = C \prod_{s=1}^E (x - x_s)$$

for some constant $C \in \mathbb R$. It turns out that the expression for the leading coefficient of $\mathcal H_E(x;\{\theta\})$ looks similar to (10):

$$\mathcal H_E(\{\theta\}) = \begin{vmatrix} \theta_0 & \theta_1 & \dots & \theta_{E-1} \\ \theta_1 & \theta_2 & \dots & \theta_E \\ \vdots & \vdots & & \vdots \\ \theta_{E-1} & \theta_E & \dots & \theta_{2E-2} \end{vmatrix} = \begin{vmatrix} 1 & 1 & \dots & 1 \\ x_1 & x_2 & \dots & x_E \\ \vdots & \vdots & & \vdots \\ x_1^{E-1} & x_2^{E-1} & \dots & x_E^{E-1} \end{vmatrix} \cdot \begin{vmatrix} \varepsilon_1 / W'(x_1) & & & 0 \\ & \varepsilon_2 / W'(x_2) & & \\ & & \ddots & \\ 0 & & & \varepsilon_E / W'(x_E) \end{vmatrix} \cdot \begin{vmatrix} 1 & x_1 & \dots & x_1^{E-1} \\ 1 & x_2 & \dots & x_2^{E-1} \\ \vdots & \vdots & & \vdots \\ 1 & x_E & \dots & x_E^{E-1} \end{vmatrix} = \frac{\prod_{s=1}^E \varepsilon_s \prod_{1 \le s < t \le E} (x_t - x_s)^2}{\prod_{s=1}^E W'(x_s)}.$$

This concludes the proof of (9). □

The upper bound for the number of potential errors in the data set (1) from theorem 4 should be considered as a tight one. This claim is demonstrated by the following example.

Example 3. The occurrence of three errors in the data set

$$\begin{array}{c|ccccccc} x & -2 & -1 & 0 & 1 & 2 & 3 & 4 \\ y & 30 & -7 & 8 & 9 & 11 & -1 & 60 \end{array}$$

generated by the polynomial $f(x) := 4x^2 - 3x + 8$ does not permit one to uniquely restore this polynomial. Indeed, the faulty table can be interpreted as the one obtained from

$$\begin{array}{c|ccccccc} x & -2 & -1 & 0 & 1 & 2 & 3 & 4 \\ y & -31 & -7 & 8 & 14 & 11 & -1 & -22 \end{array}$$

originated by the polynomial $f_1(x) := -\frac{9}{2}x^2 + \frac{21}{2}x + 8$ and further corrupted in the values $f_1(-2)$, $f_1(1)$ and $f_1(4)$. □

Remark 1. The developed approach for the error detection has a definite relationship to Coding Theory and specifically to the Berlekamp—Welch algorithm for error correction in Reed—Solomon codes [2]. In the framework of this algorithm, the polynomial (9) is referred to as the error locator polynomial, and is found via the solution of the rational interpolation problem for the data set (1). In the papers [3, 4] Jacobi's approach for resolving the rational interpolation problem is developed, consisting in independent computation of the numerator and the denominator of the interpolant. Computation of the error locator polynomial (9) via its representation in the Hankel polynomial form (7) is a part of that algorithm.

We conclude the present section with two extra results that aim to optimize the computational aspects of the suggested algorithm. Their proofs and further related references can be found in [3, 4].

Theorem 5. Let the conditions of theorem 4 be fulfilled. If $n := \deg f < N - 2E - 1$, then

$$\mathcal H_{N-n-E-1}(x;\{\tau\}) = C\,\mathcal H_E(x;\{\tau\}) \quad \text{for some constant } C \ne 0.$$

If $n < N - 2E - 2$, then

$$\mathcal H_{E+1}(x;\{\tau\}) \equiv 0, \ \dots, \ \mathcal H_{N-n-E-2}(x;\{\tau\}) \equiv 0.$$

The polynomial $\mathcal H_L(x;\{\tau\})$ should be treated as a candidate for the error locator polynomial if the polynomial $\mathcal H_{L+1}(x;\{\tau\})$ is identically zero or coincides with $\mathcal H_L(x;\{\tau\})$ up to a numerical factor. Example 1 demonstrates this effect.

For a small number of expected errors, computation of the sequence of Hankel polynomials required for their detection does not cause difficulties. As for the larger orders, one might expect that the algebraic time complexity for the computation of a parameter dependent determinant (7) is as great as that for the characteristic polynomial of an integer matrix, i. e. $O(n^3)$ (with $n$ standing for the length of input). Fortunately, the Hankel structure of the determinant (7) allows one to diminish this estimate. Represent the $L$-th Hankel polynomial generated by any sequence $\{c\} = \{c_0, c_1, \dots\}$ in canonical form

$$\mathcal H_L(x;\{c\}) = h_{L0} x^L + h_{L1} x^{L-1} + \dots + h_{LL} \quad \text{with } h_{L0} = \mathcal H_L(\{c\}).$$

Theorem 6. Any three consecutive Hankel polynomials $\mathcal H_{L-2}(x;\{c\})$, $\mathcal H_{L-1}(x;\{c\})$, $\mathcal H_L(x;\{c\})$ are connected by the identity

$$\mathcal H_L^2\,\mathcal H_{L-2}(x;\{c\}) + \left(\mathcal H_L h_{L-1,1} - \mathcal H_{L-1} h_{L1} - \mathcal H_L \mathcal H_{L-1}\,x\right)\mathcal H_{L-1}(x;\{c\}) + \mathcal H_{L-1}^2\,\mathcal H_L(x;\{c\}) = 0, \qquad (11)$$

where $\mathcal H_L$ stands for $\mathcal H_L(\{c\})$.

In the case $\mathcal H_{L-1} \ne 0$, the identity (11) reduces the computation of $\mathcal H_L(x;\{c\})$ to that of $\mathcal H_{L-1}(x;\{c\})$ and $\mathcal H_{L-2}(x;\{c\})$. A similar statement is also valid for the constants involved in (11), i. e. they can be expressed via the coefficients of those polynomials:

$$h_{L0} = \mathcal H_L = c_{L-1} h_{L-1,L-1} + c_L h_{L-1,L-2} + \dots + c_{2L-2} h_{L-1,0},$$

$$h_{L1} = -\left(c_L h_{L-1,L-1} + c_{L+1} h_{L-1,L-2} + \dots + c_{2L-1} h_{L-1,0}\right).$$

Thus, the complexity of the recursive procedure for computing the sequence of Hankel polynomials can be estimated as $O(n^2)$.

3. Error detection in the sequence of shares.

Example 4. Let the secret key $S = 1234$ have been distributed among $N = 7$ shareholders with threshold $k = 3$. The dealer set $p = 2017$ and generated the shares

$$\{y_j = f(j) \pmod p\}_{j=1}^7 \quad \text{with } f(x) := 1234 + 271x + 82x^2.$$

However, later on, the attempts to restore the secret via the selection of several distinct triples of the consortium shareholders fail. On collecting together all the shares the result is as follows:

$$\begin{array}{c|ccccccc} j & 1 & 2 & 3 & 4 & 5 & 6 & 7 \\ y & 1587 & 350 & 768 & 1613 & 605 & 778 & 1098 \end{array}$$

Under the assumption that the number of faulty shares does not exceed 2, detect them and restore the secret $S$.

Solution. By the claim of theorem 4, to correct up to 2 potential errors in the table it is sufficient to compute 4 numbers $\tau_\ell$. We first perform the computations with rational numbers and at the final stage convert them to integers. Since the values

$$\tau_0 = -\frac{3937}{180}, \quad \tau_1 = -\frac{1801}{18}, \quad \tau_2 = -\frac{38333}{90}, \quad \tau_3 = -\frac{79132}{45}$$

are non-zero, theorem 2 indicates the presence of errors in the given data set. To locate them, we compute the Hankel polynomials (7). The polynomial

$$\mathcal H_1(x;\{\tau\}) = \frac{1}{180}(-3937x + 18010) \equiv_p 1199(-3937x + 18010) \equiv_p 1334x - 12$$

does not have zeros in $\{1, \dots, 7\}$. The next polynomial

$$\mathcal H_2(x;\{\tau\}) \equiv_p 156x^2 + 769x + 1872 \equiv_p 156(x^2 + 2009x + 12) \equiv_p 156(x - 2)(x - 6)$$

possesses two zeros in this set. Therefore, the shares corresponding to $j = 2$ and $j = 6$ should be considered erroneous. Taking any three of the five remaining values of $j$, one can restore the polynomial $f(x)$. □
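The detection procedure of Sections 2 and 3 carried through in code, as an added example that is my own and not the authors' implementation: $\tau_\ell$ is computed exactly over $\mathbb Q$ by (5), the Hankel polynomial $\mathcal H_L(x;\{\tau\})$ by expanding the determinant (7) along its last row $(1, x, \dots, x^L)$, the coefficients are reduced modulo $p$ when the table consists of shares from $\mathbb Z_p$, and the zeros are searched among the nodes, accepting the first $\mathcal H_L$ whose zeros among the nodes fill its degree. The data sets are those of Example 2 (over $\mathbb Q$) and Example 4 (over $\mathbb Z_{2017}$); the function names are mine, and, as in theorem 4, the bound on the number of errors must satisfy $n < N - 2E$ so that the $\tau_\ell$ used vanish for a clean table (a check of theorem 5, that the next polynomial is zero or proportional, is not implemented here).

```python
from fractions import Fraction
from math import prod


def w_prime(xs, j):
    """W'(x_j) = prod_{i != j} (x_j - x_i) for W(x) = prod_i (x - x_i)."""
    return Fraction(prod(xs[j] - xs[i] for i in range(len(xs)) if i != j))


def tau_sequence(xs, ys, count):
    """tau_l = sum_j x_j^l y_j / W'(x_j), l = 0..count-1 (formula (5)), exact over Q."""
    w = [w_prime(xs, j) for j in range(len(xs))]
    return [sum(Fraction(xs[j]) ** l * ys[j] / w[j] for j in range(len(xs)))
            for l in range(count)]


def det(m):
    """Exact determinant over Q by Gaussian elimination with row swaps."""
    m = [row[:] for row in m]
    n, d = len(m), Fraction(1)
    for c in range(n):
        piv = next((r for r in range(c, n) if m[r][c] != 0), None)
        if piv is None:
            return Fraction(0)
        if piv != c:
            m[c], m[piv] = m[piv], m[c]
            d = -d
        d *= m[c][c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            m[r] = [a - f * b for a, b in zip(m[r], m[c])]
    return d


def hankel_polynomial(tau, L):
    """Coefficients of H_L(x; {tau}), highest degree first: the (L+1)x(L+1)
    determinant (7) expanded along its last row (1, x, ..., x^L).
    Uses tau_0 .. tau_{2L-1}."""
    rows = [[tau[i + k] for k in range(L + 1)] for i in range(L)]
    return [(-1) ** (L + k) * det([row[:k] + row[k + 1:] for row in rows])
            for k in range(L, -1, -1)]


def reduce_mod_p(coeffs, p):
    """Rational coefficients -> Z_p: numerator times the inverse of the denominator."""
    return [c.numerator * pow(c.denominator, -1, p) % p for c in coeffs]


def as_ratios(coeffs):
    """(numerator, denominator) pairs, convenient for checking exact results."""
    return [(c.numerator, c.denominator) for c in coeffs]


def eval_poly(coeffs, x, p=None):
    """Horner evaluation over Q (p=None) or over Z_p."""
    acc = 0
    for c in coeffs:
        acc = acc * x + c if p is None else (acc * x + c) % p
    return acc


def locate_errors(xs, ys, max_errors, p=None):
    """None if theorem 2 sees no error (every tau_l used vanishes); otherwise
    (E, coefficients of H_E, faulty nodes) for the first H_L whose zeros among
    the nodes fill its degree. Assumes deg f < N - 2*max_errors (theorem 4)."""
    tau = tau_sequence(xs, ys, 2 * max_errors)
    if all(t == 0 for t in tau):
        return None
    for L in range(1, max_errors + 1):
        coeffs = hankel_polynomial(tau, L)
        if p is not None:
            coeffs = reduce_mod_p(coeffs, p)
        if coeffs[0] == 0:            # H_L identically zero or of lower degree
            continue
        roots = [x for x in xs if eval_poly(coeffs, x, p) == 0]
        if len(roots) == L:
            return L, coeffs, roots
    return None


# Constructed from Example 2: f(x) = 4x^2 - 3x + 8, values at x = -1 and x = 2 corrupted.
EX2_X = [-2, -1, 0, 1, 2, 3, 4]
EX2_Y = [30, -7, 8, 9, 11, 35, 60]
# Constructed from Example 4: shares of 1234 + 271x + 82x^2 over Z_2017, two of them faulty.
EX4_X = list(range(1, 8))
EX4_Y = [1587, 350, 768, 1613, 605, 778, 1098]

if __name__ == "__main__":
    print(locate_errors(EX2_X, EX2_Y, 2))          # zeros of H_2 at x = -1 and x = 2
    print(locate_errors(EX4_X, EX4_Y, 2, p=2017))  # H_2 = 156 x^2 + 769 x + 1872, zeros 2 and 6
```

Over $\mathbb Q$ the returned coefficients are exact fractions, so the constants $\frac{1}{80}$ and $-\frac{77}{320}$ of Example 2 come out exactly; over $\mathbb Z_p$ the reduction is leg
itimate because every denominator is a product of differences of distinct nodes, all invertible modulo a prime $p$ larger than the nodes.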

Remark 2. As a matter of fact, to restore $S$ from the subset of true shares, we need solely the free term of the corresponding interpolation polynomial. It is worth mentioning that it directly relates to the values (5). For instance, in the case of reliability of the whole data set (1), from (2) it evidently follows the equality

$$f(0) = (-1)^{N-1}\,\tau_{-1} \prod_{j=1}^N x_j$$

provided that $\{x_j \ne 0\}_{j=1}^N$, with $\tau_{-1}$ given by the sum (5) taken at $\ell = -1$.

If the error locator polynomial is of a degree $E$ then its canonical form modulo $p$ can always be chosen with the sequence of coefficients alternating in sign, i. e.

$$\mathcal H_E(x;\{\tau\}) \equiv_p c\left(x^E - b_1 x^{E-1} + b_2 x^{E-2} - \dots + (-1)^E b_E\right),$$

where $\{c, b_1, b_2, \dots, b_E\} \subset \{1, 2, \dots, p-1\}$. This permits one to reduce the problem of resolving an algebraic equation over $\mathbb Z_p$ to that of finding positive integer zeros of a polynomial with integer coefficients. The latter is resolved via checking the divisors of $b_E$.

4. Conclusion. We have suggested an approach for the detection of faulty shares in Shamir's secret sharing scheme. The developed algorithm might be useful in the decentralized voting protocol management.

The authors thank the referees for valuable suggestions that helped to improve the quality of the paper.

References

1. Shamir A. How to share a secret. Communications of the ACM, 1979, vol. 22 (11), pp. 612—613. doi:10.1145/359168.359176

2. Welch L. R., Berlekamp E. R. Error correction for algebraic block codes. US Patent No. 4 633 47, Dec. 30, 1986. Available at: https://patentscope.wipo.int/search/en/detail.jsf?docId=US37599078 (accessed: 10.01.2019).

3. Uteshev A. Yu., Baravy I. Solution of interpolation problems via the Hankel polynomial construction. arXiv: cs.SC/1603.08752. 2016. Available at: https://arxiv.org/abs/1603.08752 (accessed: 10.01.2019).

4. Uteshev A. Yu., Baravy I. Solution of the rational interpolation problem via the Hankel polynomial construction. Vestnik of Saint Petersburg University. Series 10. Applied Mathematics. Computer Science. Control Processes, 2016, iss. 4, pp. 31—43.

Received: January 30, 2019.

Accepted: March 15, 2019.

Authors' information:

Alexei Yu. Uteshev — Dr. Sci. in Physics and Mathematics, Professor; a.uteshev@spbu.ru

Aleksei V. Marov — Marov.A@raidix.com

Error detection in Shamir's secret sharing scheme*

A. Yu. Uteshev1, A. V. Marov2

1 St. Petersburg State University, 7—9, Universitetskaya nab., St. Petersburg, 199034, Russian Federation

2 RAIDIX, 33 (A), nab. reki Smolenki, St. Petersburg, 199178, Russian Federation

For citation: Uteshev A. Yu., Marov A. V. Faulty share detection in Shamir's secret sharing. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2019, vol. 15, iss. 2, pp. 274-282. https://doi.org/10.21638/11702/spbu10.2019.210 (In English)

For Shamir's secret sharing scheme, a procedure for detecting faulty shares of the secret is proposed. An algorithm is developed for constructing the error locator polynomial for a data set $\{(x_j, y_j)\}_{j=1}^N$ in which the values $y_j$, originally generated from the $x_j$ by a polynomial interpolant of degree $n < N - 1$, are partially corrupted. The error locator polynomial is constructed in the form of an appropriate Hankel polynomial

$$\mathcal H_L(x;\{\tau\}) := \begin{vmatrix} \tau_0 & \tau_1 & \dots & \tau_L \\ \tau_1 & \tau_2 & \dots & \tau_{L+1} \\ \vdots & \vdots & & \vdots \\ \tau_{L-1} & \tau_L & \dots & \tau_{2L-1} \\ 1 & x & \dots & x^L \end{vmatrix},$$

where $\tau_\ell := \sum_{j=1}^N \dfrac{x_j^\ell y_j}{W'(x_j)}$ and $W(x) := \prod_{j=1}^N (x - x_j)$.

Keywords: Shamir's secret sharing, polynomial interpolation, Hankel polynomials, error correction.

Contact information:

Alexei Yu. Uteshev, Dr. Sci. in Physics and Mathematics, Professor; a.uteshev@spbu.ru

Aleksei V. Marov; Marov.A@raidix.com

* This work is supported by the Russian Foundation for Basic Research (project No. 17-29-04288).
