
Performing Computations on Hierarchically Shared Secrets

  • Conference paper
  • In: Progress in Cryptology – AFRICACRYPT 2018 (AFRICACRYPT 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10831)

Abstract

Hierarchical secret sharing schemes distribute a message to a set of shareholders with different reconstruction capabilities. In distributed storage systems this is an important property, because it allows more reconstruction capability to be granted to better performing storage servers and less to worse performing ones. In particular, Tassa's conjunctive and disjunctive hierarchical secret sharing schemes are based on Birkhoff interpolation and perform as well as Shamir's threshold secret sharing scheme. Thus, they are promising candidates for distributed storage systems. A key requirement is the possibility to perform function evaluations over shared data. However, practical algorithms supporting this have not yet been provided for hierarchical secret sharing schemes. Aiming at closing this gap, in this work we show how additions and multiplications of shares can be practically computed using Tassa's conjunctive and disjunctive hierarchical secret sharing schemes. Furthermore, we provide auditing procedures for operations on hierarchically shared messages, which allow verifying that functions on the shares have been performed correctly. We close this work with an evaluation of the correctness, security, and efficiency of the protocols we propose.

Notes

  1. Note that this is different from the notion of fully dynamic secret sharing discussed in [5], where one scheme supports different access structures for different secrets.

  2. For a formal definition of bilinear maps we refer to [6].

  3. For conjunctive (disjunctive) hierarchical secret sharing schemes the interpolation vector is composed of the entries \(w_l:=(-1)^{l-1} \frac{\det (A_{l-1,0}(E,X,\varphi ))}{\det (A(E,X,\varphi ))} \quad \big (w_l:=(-1)^{l+t-2} \frac{\det (A_{l-1,t-1}(E,X,\varphi ))}{\det (A(E,X,\varphi ))}\big )\) according to the notation of Sect. 3.

  4. Here the definition of bilinear maps is used.

References

  1. Beaver, D.: Efficient multiparty protocols using circuit randomization. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 420–432. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_34

  2. Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20901-7_2

  3. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation. In: STOC 1988 (1988)

  4. Blakley, G.R., et al.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference (1979)

  5. Blundo, C., Cresti, A., De Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_10

  6. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_13

  7. Brickell, E.F.: Some ideal secret sharing schemes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 468–475. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_45

  8. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC 1988 (1988)

  9. Chor, B., Goldwasser, S., Micali, S., Awerbuch, B.: Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract). In: FOCS (1985)

  10. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-45539-6_22

  11. Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_32

  12. Desmedt, Y., Jajodia, S.: Redistributing secret shares to new access structures and its applications. Technical report ISSE TR-97-01, George Mason University (1997)

  13. Doganay, M.C., Pedersen, T.B., Saygin, Y., Savas, E., Levi, A.: Distributed privacy preserving k-means clustering with additive secret sharing. In: PAIS (2008)

  14. Farràs, O., Padró, C.: Ideal hierarchical secret sharing schemes. In: TCC (2010)

  15. Feldman, P.: A practical scheme for non-interactive verifiable secret sharing. In: 28th Annual Symposium on Foundations of Computer Science (1987)

  16. Gennaro, R., Rabin, M.O., Rabin, T.: Simplified VSS and fast-track multiparty computations with applications to threshold cryptography. In: PODC 1998 (1998)

  17. Ghodosi, H., Pieprzyk, J., Safavi-Naini, R.: Secret sharing in multilevel and compartmented groups. In: Boyd, C., Dawson, E. (eds.) ACISP 1998. LNCS, vol. 1438, pp. 367–378. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0053748

  18. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 1990 (1990)

  19. Gupta, V., Gopinath, K.: \({\rm G}_{\rm its}^{2}\) VSR: an information theoretical secure verifiable secret redistribution protocol for long-term archival storage. In: SISW 2007 (2007)

  20. Heather, J., Lundin, D.: The append-only web bulletin board. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 242–256. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-01465-9_16

  21. Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_27

  22. Käsper, E., Nikov, V., Nikova, S.: Strongly multiplicative hierarchical threshold secret sharing. In: Desmedt, Y. (ed.) ICITS 2007. LNCS, vol. 4883, pp. 148–168. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10230-1_13

  23. Loruenser, T., Happe, A., Slamanig, D.: ARCHISTAR: towards secure and robust cloud based data sharing. In: CloudCom 2015 (2015)

  24. Nojoumian, M., Stinson, D.R.: Social secret sharing in cloud computing using a new trust function. In: PST 2012 (2012)

  25. Nojoumian, M., Stinson, D.R., Grainger, M.: Unconditionally secure social secret sharing scheme. Inf. Secur. IET 4, 202–211 (2010)

  26. Pakniat, N., Eslami, Z., Nojoumian, M.: Ideal social secret sharing using Birkhoff interpolation method. IACR 2014 (2014)

  27. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129–140. Springer, Heidelberg (1992). https://doi.org/10.1007/3-540-46766-1_9

  28. Schabhüser, L., Demirel, D., Buchmann, J.A.: An unconditionally hiding auditing procedure for computations over distributed data. In: CNS 2016 (2016)

  29. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

  30. Simmons, G.J.: How to (really) share a secret. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 390–448. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_30

  31. Tassa, T.: Hierarchical threshold secret sharing. J. Cryptology 20, 237–264 (2007)

  32. Traverso, G., Demirel, D., Buchmann, J.: Dynamic and verifiable hierarchical secret sharing. In: Nascimento, A.C.A., Barreto, P. (eds.) ICITS 2016. LNCS, vol. 10015, pp. 24–43. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49175-2_2

  33. Traverso, G., Demirel, D., Habib, S.M., Buchmann, J.A.: As\({}^{\text{3}}\): adaptive social secret sharing for distributed storage systems. In: PST 2016 (2016)

Acknowledgments

The authors thank Lucas Schabhüser and Denis Butin for useful discussions. This work was in part funded by the European Commission through grant agreement no. 644962 (PRISMACLOUD). Furthermore, it received funding from the DFG as part of project S6 within the CRC 1119 CROSSING.

Author information

Corresponding author: Giulia Traverso.

Appendices

A Computation of Shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\)

Algorithm \(\mathsf {RandShares}\) computes random shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) reconstructing to messages \(\alpha , \beta \), respectively. It is the first step of algorithm \(\mathsf {PreMult}\) of Sect. 5. We present \(\mathsf {RandShares}\) to compute shares \(\sigma _{i,j}(\alpha )\) for \(\alpha \), but it can be run analogously to generate shares \(\sigma _{i,j}(\beta )\) for \(\beta \).

\(\mathsf {RandShares}.\) The algorithm takes as input values \(\alpha _{i,j} \in \mathbb {F}_q\) chosen uniformly at random by shareholders \(s_{i,j} \in S\). It outputs shares \(\sigma _{i,j}(\alpha )\) of message \(\alpha \in \mathbb {F}_q\) for shareholders \(s_{i,j} \in S\). To do that, each shareholder \(s_{i,j} \in S\) has to perform the following steps.

  (1) It chooses a secret message \(\alpha _{i,j} \in \mathbb {F}_q\) uniformly at random.

  (2) It runs algorithm \(\mathsf {Share}\) to generate a polynomial \(f_{\alpha _{i,j}}(x)\) of degree \(t-1\) defined as \(f_{\alpha _{i,j}}(x):= a_{0,(i,j)} + a_{1,(i,j)}x +\dots + a_{t-1,(i,j)}x^{t-1}\), where \(a_{0,(i,j)}= \alpha _{i,j}\) (\(a_{t-1,(i,j)}=\alpha _{i,j}\)) and coefficients \(a_{1,(i,j)}, \dots , a_{t-1,(i,j)} \in \mathbb {F}_q\) (\(a_{0,(i,j)}, \dots , a_{t-2,(i,j)} \in \mathbb {F}_q\)) are chosen uniformly at random. Shares \(\sigma _{i',j'}(\alpha _{i,j})\) for shareholders \(s_{i',j'} \in S\) with ID \((i',j') \ne (i,j)\) are computed as \(\sigma _{i',j'}(\alpha _{i,j}):=f_{\alpha _{i,j}}^{j'}(i')\). Share \(\sigma _{i,j}(\alpha _{i,j})\) for shareholder \(s_{i,j}\) itself is computed as \(\sigma _{i,j}(\alpha _{i,j}):=f_{\alpha _{i,j}}^{j}(i)\).

  (3) It sends shares \(\sigma _{i',j'}(\alpha _{i,j})\) to shareholders \(s_{i',j'} \in S\) with ID \((i',j') \ne (i,j)\) using a private channel and keeps share \(\sigma _{i,j}(\alpha _{i,j})\).

  (4) It runs algorithm \(\mathsf {Linear}\) of Sect. 4.2 to compute share \(\sigma _{i,j}(\alpha )\) using share \(\sigma _{i,j}(\alpha _{i,j})\) and all the shares \(\sigma _{i,j}(\alpha _{i',j'})\) received from shareholders \(s_{i',j'}\) as \(\sigma _{i,j}(\alpha ):= \sum _{(i',j') \ne (i,j)} \sigma _{i,j}(\alpha _{i',j'}) + \sigma _{i,j}(\alpha _{i,j})\).

In the following, we prove correctness of algorithm \(\mathsf {RandShares}\) and we show that perfect secrecy, according to Definition 1, is provided.

Theorem 4

The algorithm \(\mathsf {RandShares}\) for conjunctive (disjunctive) hierarchical secret sharing introduced above computes the shares \(\sigma _{i,j}(\alpha )\) correctly. More precisely, on input random secret messages \(\alpha _{i,j}\), the shares computed by algorithm \(\mathsf {RandShares}\) reconstruct to a common value \(\alpha \). Furthermore, perfect secrecy, according to Definition 1, is maintained while performing \(\mathsf {RandShares}\).

Proof

Let \(\sigma _{i,j}(\alpha ) \in \mathbb {F}_q\) be the shares computed using algorithm \(\mathsf {RandShares}\) and held by shareholders \(s_{i,j} \in R\), where \(R \in \varGamma \) is an authorized set. To prove correctness, we have to show that algorithm \(\mathsf {Reconstruct}\) outputs a message \(\alpha \) when it takes as input the shares \(\sigma _{i,j}(\alpha )\) held by the shareholders of an authorized set R. That is, correctness holds provided that algorithm \(\mathsf {Reconstruct}\) can be successfully run by the shareholders of any authorized set. This is implied by the correctness of algorithm \(\mathsf {Linear}\), presented in Sect. 4.2. In fact, each share \(\sigma _{i,j}(\alpha )\) is computed as the sum of the shares \(\sigma _{i,j}(\alpha _{i',j'})\) and the share \(\sigma _{i,j}(\alpha _{i,j})\). Thus, by the homomorphic property of polynomials, each share \(\sigma _{i,j}(\alpha )\) is either a point on the polynomial \(f_{\alpha }(x):= a_{0,\alpha } + a_{1, \alpha }x + \dots + a_{t-1,\alpha }x^{t-1}= \sum _{(i,j)} f_{\alpha _{i,j}}(x)\) or a point on one of its derivatives, where \(a_{0,\alpha }= \sum _{(i,j)} \alpha _{i,j}\) (\(a_{t-1,\alpha }= \sum _{(i,j)} \alpha _{i,j}\)). Because of the underlying conjunctive (disjunctive) hierarchical secret sharing scheme, any authorized set R of shareholders can run algorithm \(\mathsf {Reconstruct}\) over their shares and retrieve the message \(\alpha := \sum _{(i,j)} \alpha _{i,j}\). This proves correctness. With respect to perfect secrecy, the underlying conjunctive (disjunctive) hierarchical secret sharing scheme guarantees that the shares \(\sigma _{i,j}(\alpha )\) are computed without leaking information about the secret messages \(\alpha _{i,j}\). Furthermore, this implies that unauthorized sets of shareholders not only cannot successfully run algorithm \(\mathsf {Reconstruct}\) to retrieve \(\alpha \), but also gain no information about it.

B Computation of Commitments \(c_{k,\alpha }, c_{k,\beta }\)

In this section, algorithm \(\mathsf {Audit.RandShares}\) is presented, which computes commitments \(c_{k,\alpha }, c_{k,\beta }\) to the coefficients of the polynomials sharing messages \(\alpha , \beta \), respectively. Algorithm \(\mathsf {Audit.RandShares}\) constitutes the first step of algorithm \(\mathsf {Audit.PreMult}\) of Sect. 6.1. More precisely, commitments \(c_{k,\alpha }, c_{k,\beta }\), for \(k=0, \dots , t-1\), are used to check the validity of the terms \(\delta _{l,i,j}\) and \(\varepsilon _{l,i,j}\) in the computation of shares \(\sigma _{i,j}(\alpha \beta )\). Note that commitments \(c_{k,\alpha }, c_{k,\beta }\) can be correctly computed provided that an auditing procedure verifying the validity of shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) for shareholders \(s_{i,j}\) is performed, where shares \(\sigma _{i,j}(\alpha ), \sigma _{i,j}(\beta )\) are the output of algorithm \(\mathsf {RandShares}\) of Appendix A. For consistency with algorithm \(\mathsf {Audit.PreMult}\), Feldman commitments are used. However, the algorithm can easily be adapted to Pedersen commitments. In the following, we present algorithm \(\mathsf {Audit.RandShares}\) to compute commitments \(c_{k,\alpha }\), for \(k=0, \dots , t-1\). Algorithm \(\mathsf {Audit.RandShares}\) can be run analogously to generate commitments \(c_{k,\beta }\), for \(k=0, \dots , t-1\).

\(\mathsf {Audit.RandShares}.\) The algorithm is run by an auditor to verify that shares \(\sigma _{i,j}(\alpha )\) were computed correctly. This is performed in the following steps.

  (1) Each shareholder \(s_{i,j} \in S\) running algorithm \(\mathsf {Share}\) to share the secret message \(\alpha _{i,j} \in \mathbb {F}_q\) among all other shareholders \(s_{i',j'} \in S\) for \((i',j') \ne (i,j)\) calls algorithm \(\mathsf {Commit.Share}\) and computes commitments \(c_{k,\alpha _{i,j}}:= g^{a_{k,(i,j)}} \mod p\), to coefficient \(a_{k,(i,j)}\) of polynomial \(f_{\alpha _{i,j}}(x)\), for \(k=0, \dots , t-1\). It publishes the commitments on the bulletin board.

  (2) Each shareholder \(s_{i,j} \in S\) has valid input \(\sigma _{i,j}(\alpha _{i',j'})\), for \((i',j') \ne (i,j)\), to compute share \(\sigma _{i,j}(\alpha )\) if and only if

    $$ g^{\sigma _{i,j}(\alpha _{i',j'})}\equiv \prod _{k=j}^{t-1}{c_{k,\alpha _{i',j'}}}^{\frac{k!}{(k-j)!}{i}^{k-j}} = g^{f_{\alpha _{i',j'}}^{j}(i)}. $$

    If the above equality is not satisfied, then it outputs ‘0’ and aborts. Otherwise, it publishes ‘1’ on the bulletin board and Step (3) can be performed.

  (3) The auditor uses commitments \(c_{k,\alpha _{i,j}} \) published by shareholders \(s_{i,j} \in S\) on the bulletin board to compute commitments \(c_{k,\alpha }:= \prod _{(i,j)} c_{k,\alpha _{i,j}},\) for \(k=0, \dots , t-1\). It publishes the commitments on the bulletin board.
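As an added example (not code from the paper), the following Python carries out Appendix A's \(\mathsf {RandShares}\) for the conjunctive scheme together with the \(\mathsf {Audit.RandShares}\) checks of Appendix B: each shareholder deals its random \(\alpha _{i,j}\) through a polynomial with \(a_0 = \alpha _{i,j}\), publishes Feldman commitments \(g^{a_k}\), every receiver verifies the share it gets against the exponent \(\frac{k!}{(k-j)!} i^{k-j}\) before summing, the auditor multiplies the commitments into \(c_{k,\alpha }\), and an authorized set recovers \(\alpha \) by Birkhoff interpolation. The field size q = 101, the group (p = 607, g = 2^6 mod p), the shareholder IDs (level-0 parties hold f(i), level-1 parties hold f'(i)) and the function names are constructed assumptions; the script also returns \(\alpha \), which no party learns in the real protocol, purely so the result can be checked.

```python
import random
from math import perm
# Constructed toy parameters (not from the paper): secrets live in F_q, q = 101; Feldman
# commitments live in the order-q subgroup of Z_p^*, p = 607 = 6*101 + 1, generated by g = 2^6.
q, p, g = 101, 607, pow(2, 6, 607)

def deriv_row(i, j, t):
    # Birkhoff row of shareholder s_{i,j}: f^(j)(i) = sum_{k>=j} a_k * k!/(k-j)! * i^(k-j).
    return [perm(k, j) * pow(i, k - j, q) % q if k >= j else 0 for k in range(t)]

def verify_share(i, j, sigma, commits, t):
    # Step (2) of Audit.RandShares: g^sigma == prod_{k=j}^{t-1} c_k^(k!/(k-j)! * i^(k-j)) mod p.
    rhs = 1
    for k in range(j, t):
        rhs = rhs * pow(commits[k], perm(k, j) * pow(i, k - j, q), p) % p
    return pow(g, sigma, p) == rhs

def rand_shares(ids, t, rng):
    # RandShares with the audit interleaved: each dealer shares a random alpha_{i,j} (a_0 = alpha_{i,j})
    # and publishes c_k = g^{a_k}; receivers verify before summing (Linear); the auditor multiplies commitments.
    alpha, total, c_alpha = 0, {pid: 0 for pid in ids}, [1] * t
    for dealer in ids:
        coeffs = [rng.randrange(q) for _ in range(t)]           # coeffs[0] is alpha_{i,j}
        commits = [pow(g, a, p) for a in coeffs]                # c_{k,alpha_{i,j}}, published
        for (i, j) in ids:
            sigma = sum(a * r for a, r in zip(coeffs, deriv_row(i, j, t))) % q   # f^(j)(i)
            if not verify_share(i, j, sigma, commits, t):
                raise ValueError(f"{(i, j)} rejects share from {dealer}")  # outputs '0' and aborts
            total[(i, j)] = (total[(i, j)] + sigma) % q
        c_alpha = [c * d % p for c, d in zip(c_alpha, commits)]  # step (3): c_{k,alpha}
        alpha = (alpha + coeffs[0]) % q                          # returned for checking only
    return alpha, total, c_alpha

def reconstruct(shares, t):
    # Birkhoff interpolation over F_q (Gauss-Jordan); returns a_0, or raises if the set is unauthorized.
    rows = [deriv_row(i, j, t) + [s] for (i, j), s in list(shares.items())[:t]]
    for col in range(t):
        piv = next((r for r in range(col, len(rows)) if rows[r][col]), None)
        if piv is None:
            raise ValueError("singular Birkhoff matrix: set is not authorized")
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, q)
        rows[col] = [x * inv % q for x in rows[col]]
        for r in range(len(rows)):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [(x - f * y) % q for x, y in zip(rows[r], rows[col])]
    return rows[0][t]

def demo(seed=7, t=3):
    ids = [(1, 0), (2, 0), (3, 1), (4, 1)]   # constructed IDs: level 0 holds f(i), level 1 holds f'(i)
    alpha, shares, c_alpha = rand_shares(ids, t, random.Random(seed))
    audited = all(verify_share(i, j, shares[(i, j)], c_alpha, t) for (i, j) in ids)
    rec = reconstruct({pid: shares[pid] for pid in [(1, 0), (3, 1), (4, 1)]}, t)
    return {"alpha": alpha, "shares": shares, "c_alpha": c_alpha, "audited": audited, "rec": rec}
```

Because the aggregated commitments \(c_{k,\alpha }\) commit to the coefficients of \(f_{\alpha }(x) = \sum f_{\alpha _{i,j}}(x)\), the same check of step (2) also validates each summed share \(\sigma _{i,j}(\alpha )\), and a single altered share fails it.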

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

Cite this paper

Traverso, G., Demirel, D., Buchmann, J. (2018). Performing Computations on Hierarchically Shared Secrets. In: Joux, A., Nitaj, A., Rachidi, T. (eds) Progress in Cryptology – AFRICACRYPT 2018. AFRICACRYPT 2018. Lecture Notes in Computer Science, vol 10831. Springer, Cham. https://doi.org/10.1007/978-3-319-89339-6_9

  • DOI: https://doi.org/10.1007/978-3-319-89339-6_9
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-89338-9
  • Online ISBN: 978-3-319-89339-6