Abstract
In modern cryptography, the secret sharing scheme is an important cryptographic primitive, and it is used in various situations. In this paper, timed-release secret sharing (TR-SS) schemes with information-theoretic security are studied for the first time. TR-SS is a secret sharing scheme with the property that more than a threshold number of participants can reconstruct a secret by using their shares only when the time specified by a dealer has come. Specifically, in this paper we first introduce models and a formalization of security for two kinds of TR-SS based on the traditional secret sharing scheme and information-theoretic timed-release security. We also derive tight lower bounds on the sizes of shares, time-signals, and entities’ secret-keys required for each TR-SS scheme. In addition, we propose direct constructions for the TR-SS schemes. Each direct construction is optimal in the sense that the construction meets equality in each of our bounds, respectively. As a result, it is shown that timed-release security can be realized without any additional redundancy on the share size.
Notes
1. If we consider a situation in which TS is trusted and has functionality of generating keys and distributing them to participants by secure private channels, we can identify TA with TS in the situation. However, there may be a situation in which the roles of TA and TS are quite different (e.g., TA is a provider of secure data storage service and TS is a time-signal broadcasting server). Therefore, we assume two entities TA and TS in our model to capture various situations.
2. More precisely, there is no need to keep the specified time confidential (D only has to send shares via secure channels).
3. In this sense, we have formalized the security notion stronger than the security that any set of more than \(k-1\) participants cannot obtain any information on a secret before the specified time, as is the same approach considered in [15]. Actually, if we remove \(TI^{(t+1)},\ldots ,TI^{(\tau )}\) from (ii) in Definition 2, we obtain the same lower bounds on sizes of shares, time-signals and secret keys as those in Theorem 1.
4. In this optimal construction, a dealer is only allowed to choose \(k_1\) and \(k_2\) such that \(k_2-k_1\le \ell \), where \(\ell \) is determined by TA in the phase Initialize. In this sense, this construction is restricted.
References
1. Blakley, G.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Monval (1979)
2. Burmester, M., Desmedt, Y.G., Seberry, J.: Equitable key escrow with limited time span. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 380–391. Springer, Heidelberg (1998)
3. Cathalo, J., Libert, B., Quisquater, J.-J.: Efficient and non-interactive timed-release encryption. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 291–303. Springer, Heidelberg (2005)
4. Chalkias, K., Hristu-Varsakelis, D., Stephanides, G.: Improved anonymous timed-release encryption. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 311–326. Springer, Heidelberg (2007)
5. Chan, A.F., Blake, I.: Scalable, server-passive, user-anonymous timed release cryptography. In: 2005 Proceedings of the 25th IEEE International Conference on Distributed Computing Systems, ICDCS 2005, pp. 504–513 (2005)
6. Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley-Interscience, New York (2006)
7. Garay, J., Jakobsson, M.: Timed release of standard digital signatures. In: Blaze, M. (ed.) FC 2002. LNCS, vol. 2357, pp. 168–182. Springer, Heidelberg (2003)
8. Garay, J.A., Pomerance, C.: Timed fair exchange of standard signatures. In: Wright, R.N. (ed.) FC 2003. LNCS, vol. 2742, pp. 190–207. Springer, Heidelberg (2003)
9. Jhanwar, M.P., Safavi-Naini, R.: Unconditionally-secure robust secret sharing with minimum share size. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 96–110. Springer, Heidelberg (2013)
10. Karnin, E., Greene, J., Hellman, M.: On secret sharing systems. IEEE Trans. Inf. Theor. 29(1), 35–41 (1983)
11. May, T.: Timed-release crypto (1993)
12. Rivest, R.L.: Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer (1999)
13. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Technical report, Technical memo MIT/LCS/TR-684, MIT Laboratory for Computer Science (1996). (Revision 3/10/96)
14. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
15. Watanabe, Y., Seito, T., Shikata, J.: Information-theoretic timed-release security: key-agreement, encryption, and authentication codes. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 167–186. Springer, Heidelberg (2012)
16. Watanabe, Y., Shikata, J.: Timed-release computational secret sharing scheme and its applications. In: Chow, S.S.M., Liu, J.K., Hui, L.C.K., Yiu, S.M. (eds.) ProvSec 2014. LNCS, vol. 8782, pp. 326–333. Springer, Heidelberg (2014)
Acknowledgments
We would like to thank anonymous referees of BalkanCryptSec 2014 for their helpful comments. The first author is supported by JSPS Research Fellowships for Young Scientists. This work was supported by Grant-in-Aid for JSPS Fellows Grant Number 25\(\cdot \)3998.
Appendices
A Proof of Theorem 1
The proof of Theorem 1 follows from the following lemmas.
Lemma 1
\(H(U_i^{(t)}) \ge H(S)\) for any \(i \in \{1,2,\dots , n\}\) and any \(t \in \mathcal {T}\).
Proof
This lemma can be proved in a way similar to the proof of Lemma 4. For arbitrary \(i\in \{1,2,\dots ,n\}\), we take a subset \(\mathcal {B}_i \in \mathcal {PS}(\mathcal {P}\setminus \{P_i\},k-1,k-1)\) of participants. Then, for any \(t \in \mathcal {T}\), we have
where (3) follows from the correctness of (k, n)-TR-SS and (4) follows from the condition (i) in Definition 2. \(\square \)
Lemma 2
\(H(TI^{(t)} \mid TI^{(1)}, \dots , TI^{(t-1)}) \ge H(S)\) for any \(t \in \mathcal {T}\). In particular, \(H(TI^{(t)}) \ge H(S)\) for any \(t \in \mathcal {T}\).
Proof
For any \(\mathcal {A} \in \mathcal {PS}(\mathcal {P},k,n)\) and any \(t \in \mathcal {T}\), we have
where (5) follows from the correctness of (k, n)-TR-SS and (6) follows from the condition (ii) in Definition 2. \(\square \)
Lemma 3
\(H(SK) \ge \tau H(S)\).
Proof
This can be proved in a way similar to the proof of Lemma 6. We have
where the last inequality follows from Lemma 2. \(\square \)
Proof of Theorem 1: From Lemmas 1–3, the proof of Theorem 1 is completed. \(\square \)
B Proof of Theorem 3
The proof of Theorem 3 follows from the following lemmas.
Lemma 4
\(H(U_i^{(t)}) \ge H(S)\) for any \(i \in \{1,2,\dots , n\}\) and any \(t \in \mathcal {T}\).
Proof
This lemma can be proved in a way similar to the proof in [10, Theorem 1]. For arbitrary \(i\in \{1,2,\dots ,n\}\), we take a subset \(\mathcal {B}_i \in \mathcal {PS}(\mathcal {P}\setminus \{P_i\},k_2-1,k_2-1)\) of participants. Then, for any \(t \in \mathcal {T}\), we have
where (8) follows from the correctness of \((k_1,k_2,n)\)-TR-SS and (9) follows from the condition (ii) in Definition 5. \(\square \)
Lemma 5
If \(H(U_i^{(t)})=H(S)\) for any \(i\in \{1,2,\ldots ,n\}\) and \(t\in \mathcal {T}\), \(H(TI^{(t)}) \ge H(TI^{(t)} \mid TI^{(1)}, \dots , TI^{(t-1)}) \ge (k_2-k_1)H(S)\) for any \(t \in \mathcal {T}\).
Proof
The statement is true in the case that \(k_1=k_2\), since Shannon entropy is non-negative. Therefore, in the following, we assume \(k_1<k_2\). For arbitrary \(i\in \{1,2,\dots ,n\}\), we take a subset \(\mathcal {B}_i \in \mathcal {PS}(\mathcal {P}\setminus \{P_i\},k_2-1,k_2-1)\) of participants. For any \(t \in \mathcal {T}\), we have
where (10) follows from (7) in the proof of Lemma 4, the assumption of \(H(U_i^{(t)})=H(S)\), and the following claim.
Claim
If \(k_1<k_2\) and \(H(U_i^{(t)})=H(S)\) for any \(i\in \{1,2,\ldots ,n\}\) and \(t\in \mathcal {T}\), \(H(U_i^{(t)}\mid U_{\mathcal {A}_i},TI^{(t)})=0\) for any \(i\in \{1,2,\ldots ,n\}\), any \(\mathcal {A}_i\in \mathcal {PS}(\mathcal {P}\setminus \{P_i\},k_1,k_2-1)\), and any \(t\in \mathcal {T}\).
Proof
First, for arbitrary \(i\in \{1,2,\ldots ,n\}\), we take subsets \(\mathcal {B}_i:=\mathcal {PS}(\mathcal {P}\setminus \{P_i\},k_1-1,k_1-1)\) and \(\mathcal {A}_i:=\mathcal {PS}(\mathcal {P}\setminus \{P_i\},k_1,k_2-1)\) of participants such that \(\mathcal {B}_i \subset \mathcal {A}_i\). Then, for any \(t\in \mathcal {T}\), we have
where (12) follows from the correctness of \((k_1,k_2,n)\)-TR-SS and (13) follows from the condition (i) in Definition 5.
From (11) and the assumption of \(H(U_i^{(t)})=H(S)\), we have
Therefore, we have
Hence, we have
Since \(H(U_i^{(t)}\mid U_{\mathcal {A}_i}^{(t)},TI^{(t)})\ge 0\), we have \(H(U_i^{(t)}\mid U_{\mathcal {A}_i}^{(t)},TI^{(t)})=0\). \(\square \)
Proof of Lemma 5: From the above claim, the proof of Lemma 5 is completed. \(\square \)
Lemma 6
If \(H(U_i^{(t)})=H(S)\) for any \(i\in \{1,2,\ldots ,n\}\) and \(t\in \mathcal {T}\), \(H(SK) \ge \tau (k_2-k_1)H(S)\).
Proof
We have
where the last inequality follows from Lemma 5. \(\square \)
Proof of Theorem 3: From Lemmas 4–6, the proof of Theorem 3 is completed. \(\square \)
C Naive Construction of \((k_1,k_2,n)\)-TR-SS
Our idea of a naive construction is a combination of \((k_1,n)\)-TR-SS (Sect. 2.3) and Shamir’s \((k_2,n)\)-SS [14].
(a) Initialize. Let q be a prime power, where \(q > \max (n, \tau )\), and \(\mathbb {F}_q\) be the finite field with q elements. We assume that the identity of each participant \(P_i\) is encoded as \(P_i \in \mathbb {F}_q \backslash \{0\}\). Also, we assume \(\mathcal {T} = \{1, 2, \dots , \tau \} \subset \mathbb {F}_q \backslash \{ 0 \}\) by using appropriate encoding. First, TA chooses uniformly at random \(\tau \) numbers \(r^{(j)} (1 \le j \le \tau )\) from \(\mathbb {F}_q\). TA sends a secret key \(sk:=(r^{(1)},\ldots ,r^{(\tau )})\) to TS and D via secure channels, respectively.
(b) Share. First, D chooses a secret \(s \in \mathbb {F}_q\). Also, D specifies the time t when at least \(k_1\) participants can reconstruct the secret and chooses the t-th key \(r^{(t)}\). Next, D randomly chooses two polynomials \(f_1(x) := s + r^{(t)} + \sum ^{{k_1}-1}_{i=1}a_{1i}x^i\) and \(f_2(x) := s + \sum ^{{k_2}-1}_{i=1}a_{2i}x^i\) over \(\mathbb {F}_q\), where each coefficient is randomly and uniformly chosen from \(\mathbb {F}_q\). Then, D computes \(u_i^{(t)} := (f_1(P_i),f_2(P_i))\). Finally, D sends \((u_i^{(t)}, t)\) to \(P_i (i=1, 2, \ldots , n)\) via a secure channel.
(c) Extract. For sk and time \(t \in \mathcal {T}\), TS broadcasts the t-th key \(r^{(t)}\) as a time-signal at time t to all participants via an (authenticated) broadcast channel.
(d) Reconstruct with time-signals. First, \(\mathcal {A}=\{P_{i_1},P_{i_2},\ldots ,P_{i_{k_1}}\} \in \mathcal {PS}(\mathcal {P},k_1, k_1)\) computes \(s + r^{(t)}\) by Lagrange interpolation:
$$\begin{aligned} s + r^{(t)}=\sum _{j=1}^{k_1}(\prod _{l\ne j}\frac{P_{i_j}}{P_{i_j}-P_{i_l}})f_1(P_{i_j}), \end{aligned}$$
from \((f_1(P_{i_1}),\ldots ,f_1(P_{i_{k_1}}))\). After receiving \(ts^{(t)}=r^{(t)}\), they can compute and get \(s =s+ r^{(t)}- ts^{(t)}\).
(e) Reconstruct without time-signals. Any \(\hat{\mathcal {A}}=\{P_{i_1},P_{i_2},\ldots ,P_{i_{k_2}}\} \in \mathcal {PS}(\mathcal {P},k_2,k_2)\) computes
$$\begin{aligned} s=\sum _{j=1}^{k_2}(\prod _{l\ne j}\frac{P_{i_j}}{P_{i_j}-P_{i_l}})f_2(P_{i_j}), \end{aligned}$$
by Lagrange interpolation from \((f_2(P_{i_1}),\ldots ,f_2(P_{i_{k_2}}))\).
It is easy to see that the above construction is secure, since it is a simple combination of \((k_1,n)\)-TR-SS and Shamir’s \((k_2,n)\)-SS. The construction is simple but not optimal, since the resulting share size is twice as large as that of secrets.
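The five phases of the naive construction as a runnable sketch (an added example, not the authors' code). It assumes the prime field with \(q = 2^{61}-1\), participant identities \(P_i = i\), and hypothetical function names; interpolation uses the standard Lagrange coefficients at \(x = 0\).

```python
import secrets

Q = 2**61 - 1  # a prime, so F_q is the integers mod Q; needs Q > max(n, tau)

def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... over F_q (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def interpolate_at_zero(points):
    """Standard Lagrange interpolation at x = 0:
    sum_j y_j * prod_{l != j} x_l / (x_l - x_j), all arithmetic in F_q."""
    total = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for l, (xl, _) in enumerate(points):
            if l != j:
                num = num * xl % Q
                den = den * (xl - xj) % Q
        total = (total + yj * num * pow(den, -1, Q)) % Q
    return total

def initialize(tau):
    """TA: sk = (r^(1), ..., r^(tau)), sent to TS and D over secure channels."""
    return [secrets.randbelow(Q) for _ in range(tau)]

def share(s, t, sk, k1, k2, n):
    """D: f1 has constant term s + r^(t) and degree k1-1; f2 has constant
    term s and degree k2-1. Participant P_i = i receives (f1(i), f2(i))."""
    f1 = [(s + sk[t - 1]) % Q] + [secrets.randbelow(Q) for _ in range(k1 - 1)]
    f2 = [s % Q] + [secrets.randbelow(Q) for _ in range(k2 - 1)]
    return {i: (poly_eval(f1, i), poly_eval(f2, i)) for i in range(1, n + 1)}

def extract(sk, t):
    """TS: the time-signal broadcast at time t is the t-th key r^(t)."""
    return sk[t - 1]

def reconstruct_with_signal(subset, ts):
    """k1 participants: interpolate f1 to s + r^(t), then subtract ts."""
    masked = interpolate_at_zero([(i, u[0]) for i, u in subset.items()])
    return (masked - ts) % Q

def reconstruct_without_signal(subset):
    """k2 participants: interpolate f2 directly; no time-signal needed."""
    return interpolate_at_zero([(i, u[1]) for i, u in subset.items()])
```

Each share is a pair of field elements, which is the factor-of-two share size noted above; a time-signal for any period other than t leaves the \(k_1\) participants with \(s + r^{(t)} - r^{(t')}\) rather than \(s\).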
© 2015 Springer International Publishing Switzerland
Cite this paper
Watanabe, Y., Shikata, J. (2015). Timed-Release Secret Sharing Schemes with Information Theoretic Security. In: Ors, B., Preneel, B. (eds) Cryptography and Information Security in the Balkans. BalkanCryptSec 2014. Lecture Notes in Computer Science(), vol 9024. Springer, Cham. https://doi.org/10.1007/978-3-319-21356-9_15
DOI: https://doi.org/10.1007/978-3-319-21356-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-21355-2
Online ISBN: 978-3-319-21356-9