A Dynamic Secret Sharing Scheme Based on Factorization

A dynamic (t, n)-threshold secret sharing scheme based on factorization is proposed in this paper. It has the following properties: (1) the dealer can renew the secret key of the system without renewing the shadows of the participants; (2) when some participants' shadows are revealed, they can be renewed without any effect on the others; (3) a new shadow can be generated for a new participant without any effect on the others; (4) the shadows can be reused many times; (5) the secret key of the system can be recovered in a parallel process.


Introduction
In modern society, with the spread of computer systems, secret communication becomes more and more important. To achieve information security, secret keys are mainly used to encrypt information, and when cryptographic technology is used to protect information, the core of the protection is the protection of the secret keys, not of the algorithm or the hardware (Wang, 1989), so it is very important to manage secret keys effectively in cryptography. In 1979, Shamir (Shamir, A. 1979, P.612-613) and Backly (Backly, 1979, P.313-317) independently put forward the concept of decentralized secret key management, and the mechanism that realizes this idea is called the (t, n)-threshold scheme. In this scheme, one secret key (the system secret key) is divided into n parts (n shadows), kept by n persons respectively, such that for a certain integer t (t<n): (1) among the n persons, any r (r ≥ t) persons can recover the system secret key by cooperating; (2) the cooperation of r (r < t) persons does not help to recover the system secret key. This idea makes secret key management safer and more flexible. At present, besides secret key management, this idea can also be applied in many areas of cryptography, such as group signatures and group authentication.
After the (t, n)-threshold idea was proposed, many scholars studied it and put forward many schemes (Shamir, 1979, P.612-613 & Backly, 1979, P.313-317 & Liu, 1999, P.612-613 & Harn, 1995, P.262-263 & R. G. E. Piuch, 1999, P.81-84 & Tan, 1999, P.81-84) to realize it. But the early (t, n)-threshold schemes all had the following deficiencies: (1) when the system secret key needs to be renewed (for example, because the original secret key has been recovered, or because the secret key has to be exchanged for some other reason), the dealer must redistribute the shadows to each participant (even if these shadows may never have been used), i.e. each shadow can be used at most once; (2) when the shadow of one participant is revealed, the dealer cannot redistribute a shadow to this participant without affecting the other participants' shadows; (3) when a new participant joins, the dealer must redistribute shadows to each participant. To overcome the above disadvantages, scholars proposed many (t, n)-threshold schemes in which the shadows can be used repeatedly (Liu, 1999, P.612-613 & Harn, 1995, P.262-263), but these shadows can only save or recover secret keys from a key set predefined by the dealer, and to save a new secret key (one outside the key set), the dealer must renew the shadows of each participant.
When t=n, an (n, n)-threshold scheme in which the shadows can be used without limit was proposed (R. G. E. Piuch, 1999, P.81-84 & Tan, 1999, P.81-84), but to recover the system secret key, all participants must do so in a compulsory sequence (i.e. a serial process). Aiming at the above deficiencies, many solutions have been proposed (Liu, 2002, P.1009-1012 & Liu, 2002, P.276-279). Here, a dynamic (t, n)-threshold secret key sharing scheme based on factorization is proposed. It has the following properties: (1) the shadows can be used repeatedly without limitation; (2) the dealer can renew the secret key of the system without renewing the shadows of the participants when the shadow of a certain participant is revealed; (3) when some participants' shadows are revealed, they can be renewed without any effect on the others; (4) the dealer can identify the cheaters; (5) the dealer can add or delete a participant conveniently; (6) the secret key of the system can be recovered in a parallel process.
In addition, the scheme in this article needs only one multiplication per user in the system initialization and in the secret key recovery process, i.e.
, and the power operation is needed only when identifying the cheaters, i.e. , whereas in the scheme of (Liu, 2002, P.276-279) the power operations ( ) must be implemented in two stages, so in terms of running speed the scheme in this article is clearly better than the scheme proposed in Liu's article.

New scheme
Suppose that GF(P) is a finite field, and P_1, P_2, ..., P_n are the n participants in the system.

System initialization
(1) The system randomly selects n different prime pairs p_i, q_i, one for each participant P_i, and p_i, q_i are secretly transferred to P_i over a secure channel. For safety, the primes p_i, q_i should be binary numbers of at least 1024 bits.
(2) The system randomly selects one element , and K, the secret key of the system which is to be saved, and then computes ) (
(3) The system publishes  and the ordered array (y_1, y_2, ..., y_n) on the bulletin board.

Secret key recover
When any t shadow holders (P_1, P_2, ..., P_t) want to recover the secret key of the system, each participant only needs to check  and y_i on the bulletin board, compute , and submit x_i (x_i is called the screening shadow of P_i, and correspondingly p_i, q_i is called the secret shadow pair of P_i). For , use the Lagrange interpolation formula ) ( to determine h(x), and then recover the secret key of the system, K = h(0).
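The recovery step above, as an added example in Python that is not code from the paper. The formula deriving the screening shadow x_i from the secret pair (p_i, q_i) is not legible in this text, so the x_i are taken here as given distinct nonzero elements of GF(P) (an assumption), P is a small constructed prime rather than the 1024-bit sizes the scheme requires, and the dealer side is the standard Shamir construction (a random polynomial h of degree t-1 with h(0) = K, y_i = h(x_i)), which the paper does not spell out. The block also exercises the renewal property from the abstract: the dealer publishes a new ordered array for a new K while every participant's shadow stays the same.

```python
# Added example, not code from the paper: the Lagrange recovery step of the
# (t, n)-threshold scheme over GF(P), plus key renewal with unchanged shadows.
# Assumptions: P is a small constructed prime (the paper requires 1024-bit primes);
# the screening shadows x_i are taken as given distinct nonzero field elements,
# because the formula deriving x_i from the secret pair (p_i, q_i) is not legible here.
import secrets

P = 2_147_483_647  # constructed: the Mersenne prime 2^31 - 1, chosen only for readability


def make_polynomial(K, t, prime=P):
    """Dealer side (assumed Shamir-style): random polynomial h of degree t-1 with h(0) = K."""
    return [K % prime] + [secrets.randbelow(prime) for _ in range(t - 1)]


def evaluate(coeffs, x, prime=P):
    """Evaluate h(x) mod prime by Horner's rule; coeffs[k] is the coefficient of x^k."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % prime
    return acc


def publish(K, xs, t, prime=P):
    """Dealer side: the ordered array (y_1, ..., y_n) with y_i = h(x_i) for the bulletin board.

    Calling this again with a new K and the same xs renews the system secret key
    without touching any participant's shadow.
    """
    if len(xs) != len(set(xs)) or any(x % prime == 0 for x in xs):
        raise ValueError("screening shadows must be distinct and nonzero mod P")
    if not 1 <= t <= len(xs):
        raise ValueError("threshold t must satisfy 1 <= t <= n")
    h = make_polynomial(K, t, prime)
    return [evaluate(h, x, prime) for x in xs]


def recover_key(points, prime=P):
    """Participant side: Lagrange interpolation at x = 0 over t pairs (x_i, y_i).

    Each participant contributes only its screening shadow x_i; the y_i are public,
    so the t contributions can be combined in any order (a parallel process).
    """
    K = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % prime
                den = (den * (xi - xj)) % prime
        # den is invertible because the x_j are distinct modulo a prime
        K = (K + yi * num * pow(den, -1, prime)) % prime
    return K


if __name__ == "__main__":
    xs = [3, 7, 11, 19, 23]          # constructed screening shadows of P_1..P_5
    t = 3
    K = 123456
    ys = publish(K, xs, t)
    print("any 3 of 5 recover K:", recover_key([(xs[i], ys[i]) for i in (0, 2, 4)]) == K)
    ys_new = publish(654321, xs, t)  # renewal: new K, same shadows
    print("renewed key recovered:", recover_key(list(zip(xs, ys_new))[1:4]) == 654321)
```

Any t of the n pairs (x_i, y_i) determine the degree-(t-1) polynomial and hence K = h(0); with only t-1 pairs every value of K is consistent with some polynomial of that degree, which is the (t, n) property stated in the introduction. What the example does not model is the factorization-based step that keeps x_i from exposing (p_i, q_i); that part of the scheme is not recoverable from this text.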

Analysis of properties
(1) Feasibility. -order polynomial, so these t points determine it, and the secret key of the system K = h(0) can be recovered. The above scheme is feasible.
(2) Safety. The safety of this scheme is based on the fact that factorization cannot be inverted. First, when recovering the secret key, for each participant, , and because factorization is not reversible, the other participants cannot recover the shadow pair p_i, q_i of P_i from  and x_i, i.e. no participant's shadow is exposed by the recovery of the secret key of the system, and the shadows can continue to be used. Second, by the non-reversibility of factorization, no participant can obtain the other participants' shadows and screening shadows from the public information  and the ordered array (y_1, y_2, ..., y_n), since this would need a large time expenditure.
(a) The secret key of the system K has not been recovered, but for some reason the secret key of the system needs to be replaced. Here, the dealer only needs to reselect one  is the new secret key of the system, and then the new h(x) can be used to renew the ordered array on the bulletin board. (b) The secret key of the system K has been recovered, and the new secret key of the system K  needs to be saved. Here, the dealer would select one new original element   ( And because  is the original