CNS - 41 - Linear Secret Sharing

Let us now write shamir scheme in a matrix form, that is as

\[Ax = b\]

where,

• \(A\) is a given matrix of size \(n \times t\).

• \(x\) is a vector of size \(t\) made of the secret and the random values \(r_i\).

• \(b\) is another vector, this time of size \(n\), containing the resulting shares.

Example (3, 4): For example, in a three out of four secret sharing, we get the following

\[\begin{bmatrix} 1 & x_1 & x_1^2 \\ 1 & x_2 & x_2^2 \\ 1 & x_3 & x_3^2 \\ 1 & x_4 & x_4^2 \\ \end{bmatrix} \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} = \begin{bmatrix} y_1 \\ y_2 \\ y_3 \\ y_4 \\ \end{bmatrix}\]

Notice that the matrix we obtained is known as the Vandermonde matrix. The idea which will be explored in this lecture is that, by changing the matrix \(A\), we can get different types of secret sharing schemes, which are known as linear secret sharing schemes, in acrynonim LSSS.

Let us now offer an alternative interpretation of the scheme presented so far by using the so-called span problem. In particular consider the following scheme

Note that the linear combinations of the row vectors of the matrix \((v_1, v_2, v_3)\) \(A\) form a 3d space. That is, by changing coeficients \(c_1, c_2\) and \(c_3\) we can compute the following expression

\[c_1 \cdot \begin{bmatrix} 1 \\ x_1 \\ x_1^2 \\ \end{bmatrix} + c_2 \cdot \begin{bmatrix} 1 \\ x_2 \\ x_2^2 \\ \end{bmatrix} + c_3 \cdot \begin{bmatrix} 1 \\ x_4 \\ x_4^2 \\ \end{bmatrix}\]

and get a point in a 3D space. In this space we are particulary interested in one point, the point \(\begin{bmatrix} 1 & 0 & 0\end{bmatrix}\). Notice that if such point in contained in the space spanned by the three vectors, then there exist three values \(c_1, c_2\) and \(c_3\) such that

\[c_1 \cdot \begin{bmatrix} 1 \\ x_1 \\ x_1^2 \\ \end{bmatrix} + c_2 \cdot \begin{bmatrix} 1 \\ x_2 \\ x_2^2 \\ \end{bmatrix} + c_3 \cdot \begin{bmatrix} 1 \\ x_4 \\ x_4^2 \\ \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \\ 0 \\ \end{bmatrix}\]

To find these three coefficients we have to solve the following linear system

\[\begin{bmatrix} 1 & 1 & 1 \\ x_1 & x_2 & x_4 \\ x_1^2 & x_2^2 & x_4^2 \\ \end{bmatrix} \cdot \begin{bmatrix} c_1 \\ c_2 \\ c_3 \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \\ 0 \\ \end{bmatrix}\]

Notice that the solution of such system are exactly the lagrange coefficients of before, that is

\[\begin{split} c_1 = \frac{x_2 x_4}{(x_1 - x_2)(x_1 - x_4)} = \Lambda_1(0) \\ \\ c_2 = \frac{x_1 x_4}{(x_2 - x_1)(x_2 - x_4)} = \Lambda_2(0) \\ \\ c_3 = \frac{x_1 x_2}{(x_4 - x_1)(x_4 - x_2)} = \Lambda_4(0) \\ \\ \end{split}\]

Notice that this result is not a big surprise, because of the following: if we assume that \(c_1\), \(c_2\) and \(c_3\) are the solution to the previous linear system, then we get

\[\begin{split} \Bigg(&c_1 \cdot \begin{bmatrix} 1 & x_1 & x_1^2 \end{bmatrix} + c_2 \cdot \begin{bmatrix} 1 & x_2 & x_2^2 \end{bmatrix} + c_3 \cdot \begin{bmatrix} 1 & x_4 & x_4^2 \end{bmatrix}\Bigg) \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} = \\ \\ &= c_1 \cdot \begin{bmatrix} 1 & x_1 & x_1^2 \end{bmatrix} \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} + c_2 \cdot \begin{bmatrix} 1 & x_2 & x_2^2 \end{bmatrix} \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} + c_3 \cdot \begin{bmatrix} 1 & x_4 & x_4^2 \end{bmatrix} \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} = \\ \\ &= c_1 y_1 + c_2 y_2 + c_3 y_4 \\ &= \Lambda_1(0) y_1 + \Lambda_2(0) y_2 + \Lambda_4(0) y_4 \\ &= s \\ \end{split}\]

Thus, we have reconstructed the shamir secret sharing technique as a sort of a span problem, that is given a set of vectors \(v_1, v_2, v_3\) we have to find out if the span of those vectors contains a given point.

Observation: In this other formulation the three vectors do not have to be independent.

Consider a \((3, 3)\) secret sharing trivial scheme. Let us now formalize such scheme as a LSSS as follows

\[\begin{bmatrix} 1 & -1 & -1 \\ 0 & 1 & 0 \\ 0 & 0 & 1 \\ \end{bmatrix} \cdot \begin{bmatrix} s \\ r_1 \\ r_2 \\ \end{bmatrix} = \begin{bmatrix} s - r_1 - r_2 \\ r_1 \\ r_2 \end{bmatrix}\]

The span program in this case consists in finding the three coefficients \(c_1, c_2\) and \(c_3\) such that the following holds

\[ c_1 \cdot \begin{bmatrix} 1 & -1 & -1 \end{bmatrix} + c_2 \cdot \begin{bmatrix} 0 & 1 & 0 \end{bmatrix} + c_3 \cdot \begin{bmatrix} 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 1 & 0 & 0\end{bmatrix}\]

Notice that in this case the solution is \(c_1 = c_2 = c_3 = 1\), since

\[ 1 \cdot \begin{bmatrix} 1 & -1 & -1 \end{bmatrix} + 1 \cdot \begin{bmatrix} 0 & 1 & 0 \end{bmatrix} + 1 \cdot \begin{bmatrix} 0 & 0 & 1 \end{bmatrix} = \begin{bmatrix} 1 & 0 & 0\end{bmatrix}\]

In this case the share reconstruction then is done as follows

\[c_1 (s - r_1 - r_2) + c_2 r_2 + c_3 r_2 = (s - r_1 - r_2) + r_1 + r_2 = s\]

Suppose that you have two random vectors \(x_a\) and \(x_b\) that hide two secret values, \(s_a\) and \(s_b\)

\[\begin{split} x_a = \begin{pmatrix} s_a & r_{1, a} & r_{2, a} & \cdots \end{pmatrix} \\ x_a = \begin{pmatrix} s_b & r_{1, b} & r_{2, b} & \cdots \end{pmatrix} \\ \end{split}\]

and suppose you compute the shares of both secret using a matrix, that is

\[\begin{split} A \cdot x_a = y_a = \begin{pmatrix} \text{share}_{1, a} & \text{share}_{2, a} & \cdots \end{pmatrix} \\ \\ A \cdot x_b = y_b = \begin{pmatrix} \text{share}_{1, b} & \text{share}_{2, b} & \cdots \end{pmatrix} \\ \end{split}\]

then the share of the sum of the secrets is the sum of the shares of the individual secrets

\[\begin{split} y_a + y_b &= Ax_a + Ax_b \\ &= A(x_a + x_b) \\ &= A \begin{pmatrix} s_a + s_b & \text{rand} & \text{rand} & \cdots \end{pmatrix} \\ \end{split}\]

Notice that these secret sharing schemes can be implemented in arbitrary modular arithmetic. Let us now see an example of a secret sharing scheme the a binary field GF(2) (Galois Field 2) (also known as \(\mathbb{Z}_2\)), which is made up of two elements \(\{0, 1\}\) and that only the xor operation \(\mathbin{\oplus}\) that combines the elements as follows

\[\begin{split} 0 \mathbin{\oplus} 0 = 0 \\ 0 \mathbin{\oplus} 1 = 1 \\ 1 \mathbin{\oplus} 0 = 1 \\ 1 \mathbin{\oplus} 1 = 0 \\ \end{split}\]

Consider then that we have \(5\) parties, and that one of them, \(P_2\), comes with two vectors.

\[\begin{array}{c | c | c | c | c} \hline P_2 & 1 & 0 & 1 & 1 \\ \hline P_2 & 0 & 1 & 1 & 0 \\ \hline P_1 & 0 & 1 & 1 & 0 \\ \hline P_3 & 1 & 1 & 0 & 0 \\ \hline P_4 & 0 & 0 & 1 & 1 \\ \hline \end{array}\]

The span problem says: given some of the rows of the table above, can I find some combination of these rows so that I can obtain the vector \(\langle 1, 0, 0, 0 \rangle\). Depending on the rows we choose we can get different answers:

• Assume for example that \(P_2\) and \(P_4\) get together. Can they obtain the secret? This can be expressed in terms of the following span problem: find \(c_1, c_2\) and \(c3\) such that

  \[c_1 \cdot \begin{bmatrix} 1 & 1 & 0 & 1 \end{bmatrix} + c_2 \cdot \begin{bmatrix} 0 & 1 & 1 & 0 \end{bmatrix} + c_3 \cdot \begin{bmatrix} 0 & 0 & 1 & 1 \end{bmatrix} = \begin{bmatrix} 1 & 0 & 0 & 0\end{bmatrix}\]

  in this case if \(c_1 = c_2 = c_3 = 1\) then we solved our problem.

• If instead \(P_2\) meets up with \(P_1\), then we don't find any linear combination of those three rows that lets you obtain the result wanted.

Let us now see how we construct an LSSS scheme starting from an Access Control (AC) predicate. For example assume we have the following predicate

\[P_1 \land (P_2 \lor (P_3 \land P_4))\]

we will start by constructing the tree of such predicate