1 The additive homomorphism of Shamir threshold secret sharing
The Shamir threshold secret sharing scheme is $(+,+)$-homomorphic: with $F_I$ denoting reconstruction from the shares held by a set $I$ of $t$ participants, reconstructing from the pointwise sums of two sets of shares yields the sum of the two secrets:
$$
\begin{aligned}
S^A + S^B &= F_I(S_1^A, \dots, S_t^A) + F_I(S_1^B, \dots, S_t^B) \\
&= F_I(S_1^A + S_1^B, \dots, S_t^A + S_t^B)
\end{aligned}
$$
2 Concrete construction
2.1 Secret splitting
For the master secret $S^A \in GF(p)$, with $p > n$, choose arbitrary (in practice uniformly random) $a_1, a_2, \dots, a_{t-1} \in GF(p)$ and construct the polynomial of degree $t-1$:
$$
f(x) = S^A + \sum_{i=1}^{t-1} a_i x^i \pmod p
$$
Compute $f(x_1), f(x_2), \dots, f(x_n)$ at $n$ distinct non-zero points and send $(x_i, f(x_i))$ secretly to participant $i$.
For the master secret $S^B \in GF(p)$, again with $p > n$, choose arbitrary $a_1', a_2', \dots, a_{t-1}' \in GF(p)$ and construct the polynomial of degree $t-1$:
$$
f'(x) = S^B + \sum_{i=1}^{t-1} a_i' x^i \pmod p
$$
Compute $f'(x_1), f'(x_2), \dots, f'(x_n)$ at the same points and send $(x_i, f'(x_i))$ secretly to participant $i$.
2.2 Secret reconstruction
Each participant $i$ adds the two sub-shares it holds to obtain $S_i = f(x_i) + f'(x_i)$. In the reconstruction phase, assume that participants $i_1, i_2, \dots, i_l$ ($l \ge t$) cooperate. Since
$$
f(x) + f'(x) = (S^A + S^B) + (a_1 + a_1') x + \cdots + (a_{t-1} + a_{t-1}') x^{t-1} \pmod p
$$
the pairs $(i_1, S_1), \dots, (i_l, S_l)$ can be used to construct the linear system:
$$
\left\{
\begin{aligned}
S^A + S^B + (a_1 + a_1') x_1 + (a_2 + a_2') x_1^2 + \cdots + (a_{t-1} + a_{t-1}') x_1^{t-1} &= f(x_1) + f'(x_1) \\
S^A + S^B + (a_1 + a_1') x_2 + (a_2 + a_2') x_2^2 + \cdots + (a_{t-1} + a_{t-1}') x_2^{t-1} &= f(x_2) + f'(x_2) \\
\vdots \\
S^A + S^B + (a_1 + a_1') x_l + (a_2 + a_2') x_l^2 + \cdots + (a_{t-1} + a_{t-1}') x_l^{t-1} &= f(x_l) + f'(x_l)
\end{aligned}
\right.
$$
Here $S^A + S^B, a_1 + a_1', \dots, a_{t-1} + a_{t-1}'$ are the $t$ unknowns of the system; any $t$ of the $l$ equations suffice. Solving the system yields the sum of the secrets $S^A + S^B$, which is the additive homomorphism: adding the shares lets the participants reconstruct the sum of the secrets. In the same way, the sum of arbitrarily many shared secrets can be computed.
3 Correctness of the reconstruction
By the principle of Shamir threshold secret sharing, $S^A, a_1, a_2, \dots, a_{t-1}$ is the solution of the following linear system:
$$
\left\{
\begin{aligned}
S^A + a_1 x_1 + a_2 x_1^2 + \cdots + a_{t-1} x_1^{t-1} &= f(x_1) \\
S^A + a_1 x_2 + a_2 x_2^2 + \cdots + a_{t-1} x_2^{t-1} &= f(x_2) \\
\vdots \\
S^A + a_1 x_l + a_2 x_l^2 + \cdots + a_{t-1} x_l^{t-1} &= f(x_l)
\end{aligned}
\right.
$$
and $S^B, a_1', a_2', \dots, a_{t-1}'$ is the solution of the following linear system:
$$
\left\{
\begin{aligned}
S^B + a_1' x_1 + a_2' x_1^2 + \cdots + a_{t-1}' x_1^{t-1} &= f'(x_1) \\
S^B + a_1' x_2 + a_2' x_2^2 + \cdots + a_{t-1}' x_2^{t-1} &= f'(x_2) \\
\vdots \\
S^B + a_1' x_l + a_2' x_l^2 + \cdots + a_{t-1}' x_l^{t-1} &= f'(x_l)
\end{aligned}
\right.
$$
Adding the corresponding equations of the two systems gives the following linear system:
$$
\left\{
\begin{aligned}
S^A + S^B + (a_1 + a_1') x_1 + (a_2 + a_2') x_1^2 + \cdots + (a_{t-1} + a_{t-1}') x_1^{t-1} &= f(x_1) + f'(x_1) \\
S^A + S^B + (a_1 + a_1') x_2 + (a_2 + a_2') x_2^2 + \cdots + (a_{t-1} + a_{t-1}') x_2^{t-1} &= f(x_2) + f'(x_2) \\
\vdots \\
S^A + S^B + (a_1 + a_1') x_l + (a_2 + a_2') x_l^2 + \cdots + (a_{t-1} + a_{t-1}') x_l^{t-1} &= f(x_l) + f'(x_l)
\end{aligned}
\right.
$$
so $S^A + S^B, a_1 + a_1', \dots, a_{t-1} + a_{t-1}'$ is a solution of this system.
The system has $t$ unknowns, namely $S^A + S^B, a_1 + a_1', \dots, a_{t-1} + a_{t-1}'$, and its coefficient matrix has rank $t$ (it is a Vandermonde matrix in the distinct points $x_i$, so any $t$ of its rows are linearly independent). Hence the system has a unique solution, and solving it yields $S^A + S^B$: the sum of the two shared secrets is obtained while the privacy of each original secret is preserved, since fewer than $t$ summed shares reveal nothing about the sum and the summed shares never expose $f(x_i)$ or $f'(x_i)$ individually to the reconstructing party.
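As an added, self-contained example (not code from the original article), the following Python carries out the procedure of sections 2.1 and 2.2 and checks the claim of section 3: two secrets are shared over $GF(p)$, each participant adds its two sub-shares, and the $t$ unknowns are recovered from any $t$ summed shares by solving the linear system with Gauss-Jordan elimination mod $p$. The prime `P`, the evaluation points $x_i = 1, \dots, n$ and all function names are assumptions of this example; `split` also returns the polynomial coefficients only so that the recovered solution can be compared with $a_i + a_i'$.

```python
import secrets

P = 2**127 - 1  # demo prime (assumption); the page only requires a prime p > n


def split(secret, t, n, p=P):
    """(t, n)-share secret: f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} mod p at x_i = 1..n."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):  # Horner evaluation of f(x) mod p
            y = (y * x + a) % p
        shares.append((x, y))
    return coeffs, shares


def add_shares(shares_a, shares_b, p=P):
    """Participant i adds its two sub-shares locally: S_i = f(x_i) + f'(x_i) mod p."""
    assert [x for x, _ in shares_a] == [x for x, _ in shares_b], "x_i must match"
    return [(x, (ya + yb) % p) for (x, ya), (_, yb) in zip(shares_a, shares_b)]


def solve_mod_p(rows, p=P):
    """Gauss-Jordan elimination over GF(p) on an augmented t x (t+1) system."""
    t = len(rows)
    m = [[v % p for v in r] for r in rows]
    for col in range(t):
        piv = next(r for r in range(col, t) if m[r][col])  # Vandermonde: always found
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, p)
        m[col] = [v * inv % p for v in m[col]]
        for r in range(t):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % p for vr, vc in zip(m[r], m[col])]
    return [m[r][t] for r in range(t)]


def reconstruct(shares, t, p=P):
    """Solve the section 2.2 system from any t shares (x_i, S_i) -> [S, a_1, ..., a_{t-1}]."""
    rows = [[pow(x, k, p) for k in range(t)] + [y] for x, y in shares[:t]]
    return solve_mod_p(rows, p)


def demo(secret_a, secret_b, t=3, n=5, p=P):
    """Returns (S^A + S^B mod p, whether the t recovered unknowns all equal a_i + a_i')."""
    coeffs_a, sh_a = split(secret_a, t, n, p)
    coeffs_b, sh_b = split(secret_b, t, n, p)
    summed = add_shares(sh_a, sh_b, p)
    sol = reconstruct(summed[n - t:], t, p)  # any t of the n summed shares suffice
    expected = [(a + b) % p for a, b in zip(coeffs_a, coeffs_b)]
    return sol[0], sol == expected
```

Because reconstruction only ever sees the summed shares $S_i$, the reconstructing party obtains $S^A + S^B$ without learning either $S^A$ or $S^B$.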