3.2: A Simple 2-out-of-2 Scheme
Believe it or not, we have already seen a simple secret-sharing scheme! In fact, it might even be best to think of one-time pad as the simplest secret-sharing scheme.
Since it’s a 2-out-of-2 scheme, the only authorized set of users is \(\{1,2\}\), so Reconstruct is written to expect both shares \(s_{1}\) and \(s_{2}\) as its inputs. Correctness follows easily from what we’ve already learned about the properties of XOR.
Example
If we want to share the string \(m=1101010001\) then the Share algorithm might choose \[\begin{aligned} s_{1} &:=0110000011 \\ s_{2} &:=s_{1} \oplus m \\ &=0110000011 \oplus 1101010001=1011010010 \end{aligned}\]
Then the secret can be reconstructed by XORing the two shares together, via: \[s_{1} \oplus s_{2}=0110000011 \oplus 1011010010=1101010001=m .\]
Remember that this example shows just one possible execution of Share(1101010001), but Share is a randomized algorithm and many other values of \(\left(s_{1}, s_{2}\right)\) are possible.
Construction \(3.5\) is a secure 2-out-of-2 threshold secret-sharing scheme.
Proof
Let \(\Sigma\) denote Construction 3.5. We will show that \(\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma} \equiv \mathcal{L}_{\mathrm{tsss}-\mathrm{R}}^{\Sigma}\) using a hybrid proof.
As usual, the starting point is \(\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma}\), shown here with the details of the secret-sharing scheme filled in (and the types of the subroutine arguments omitted to reduce clutter).
It has no effect on the library’s behavior if we duplicate the main body of the library into 3 branches of a new if-statement. The reason for doing so is that the scheme generates \(s_{1}\) and \(s_{2}\) differently. This means that our proof will eventually handle the 3 different unauthorized sets (\(\{1\}\), \(\{2\}\), and \(\emptyset\)) in fundamentally different ways.
The definition of \(s_{2}\) has been changed in the first if-branch. This has no effect on the library’s behavior since \(s_{2}\) is never actually used in this branch.
Recognizing the second branch of the if-statement as a one-time pad encryption (of \(m_{L}\) under key \(s_{1}\)), we factor out the generation of \(s_{2}\) in terms of the library \(\mathcal{L}_{\text{ots-L}}^{\text{OTP}}\) from the one-time secrecy definition. This has no effect on the library’s behavior. Importantly, the subroutine in \(\mathcal{L}_{\text{ots-L}}^{\text{OTP}}\) expects two arguments, so that is what we must pass. We choose to pass \(m_{L}\) and \(m_{R}\) for reasons that should become clear very soon.
We have replaced \(\mathcal{L}_{\text{ots-L}}^{\text{OTP}}\) with \(\mathcal{L}_{\text{ots-R}}^{\text{OTP}}\). From the one-time secrecy of one-time pad (and the composition lemma), this change has no effect on the library’s behavior.
A subroutine has been inlined; no effect on the library’s behavior.
The code has been simplified. Specifically, the branches of the if-statement can all be unified, with no effect on the library’s behavior. The result is \(\mathcal{L}_{\text{tsss-R}}^{\Sigma}\).
We showed that \(\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma} \equiv \mathcal{L}_{\text{hyb-1}} \equiv \cdots \equiv \mathcal{L}_{\text{hyb-5}} \equiv \mathcal{L}_{\mathrm{tsss}-\mathrm{R}}^{\Sigma}\), and so the secret-sharing scheme is secure.
We in fact proved a slightly more general statement. The only property of one-time pad we used was its one-time secrecy. Substituting one-time pad for any other one-time secret encryption scheme would still allow the same proof to go through. So we actually proved the following:
If \(\Sigma\) is an encryption scheme with one-time secrecy, then the following 2-out-of-2 threshold secret-sharing scheme \(\mathcal{S}\) is secure:
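Added example (not code from the textbook): the XOR-based Share/Reconstruct of Construction 3.5 reproducing the worked values above, the generalised scheme that the final claim describes with an arbitrary (KeyGen, Enc, Dec) supplied by the caller, and a brute-force check that a single share's distribution does not depend on \(m\), which is the property the hybrid proof establishes. Names such as `share_generic` and `single_share_distribution` are this example's own.

```python
import secrets
from collections import Counter
from itertools import product
from typing import Callable, Optional, Tuple

def xor_bits(a: str, b: str) -> str:
    """XOR two equal-length bitstrings written as '0'/'1' characters."""
    if len(a) != len(b):
        raise ValueError("bitstrings must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def random_bits(n: int) -> str:
    """Uniformly random n-bit string from a cryptographic RNG."""
    return "".join(secrets.choice("01") for _ in range(n))

# Construction 3.5 (one-time pad as a 2-out-of-2 scheme): s1 uniform, s2 := s1 XOR m.
def share(m: str, s1: Optional[str] = None) -> Tuple[str, str]:
    """Share(m) -> (s1, s2). A fixed s1 is accepted only to reproduce the
    page's worked example; real use leaves it None so s1 is random."""
    if s1 is None:
        s1 = random_bits(len(m))
    return s1, xor_bits(s1, m)

def reconstruct(s1: str, s2: str) -> str:
    """Reconstruct(s1, s2) = s1 XOR s2 = m (both shares are required)."""
    return xor_bits(s1, s2)

# The generalised scheme: any one-time-secret encryption (KeyGen, Enc, Dec).
# s1 := KeyGen(), s2 := Enc(s1, m); with OTP this is exactly share() above.
def share_generic(keygen: Callable[[], str], enc: Callable[[str, str], str], m: str):
    s1 = keygen()
    return s1, enc(s1, m)

def reconstruct_generic(dec: Callable[[str, str], str], s1: str, s2: str) -> str:
    return dec(s1, s2)

def single_share_distribution(m: str, which: int) -> Counter:
    """Enumerate every choice of s1 for a short m and count the values that the
    single share s_which takes. An unauthorised set ({1} or {2}) sees a
    distribution that is the same for every m: exactly the security claim."""
    counts: Counter = Counter()
    for bits in product("01", repeat=len(m)):
        s = share(m, "".join(bits))
        counts[s[which - 1]] += 1
    return counts
```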