User:CryptoBm/crt

Secret sharing consists of splitting a secret S into shares, each containing partial information about the secret, so that S can be recovered from a suitable set of them. The Chinese Remainder Theorem (CRT) states that, under appropriate conditions, a system of simultaneous congruences has a unique solution in some $$\mathbb{Z} / n \mathbb{Z}$$ with $$n > 0$$. Secret sharing can thus use the CRT: the shares are the residues appearing in the congruences, and the secret is recovered by solving the system, whose unique solution is the secret.

Secret Sharing Schemes: Several Types
There are several types of secret sharing schemes. The most basic are the threshold schemes, where only the cardinality of the set of shares matters. In other words, given a secret S and n shares, any set of t shares suffices to recover the secret, while any set of t-1 shares does not; t is the smallest cardinality from which S can be recovered. We call such schemes (t,n) threshold secret sharing schemes.

Threshold secret sharing schemes differ from one another by the method used to recover the secret from a given set of shares. The first ones were Shamir's threshold scheme, which uses polynomial interpolation to find S from a set of shares, and George Blakley's geometric scheme, which recovers S by geometric methods. The threshold schemes based on the CRT are due to Mignotte and to Asmuth and Bloom; they combine the CRT with special sequences of integers.

Chinese Remainder Theorem
Let $$ k \geqslant 2 $$, $$m_1,...,m_k \geqslant 2$$, and $$b_1,...,b_k \in \mathbb{Z}$$. The system of equations

$$\begin{cases} x \equiv b_1 \pmod{m_1} \\ \quad \vdots \\ x \equiv b_k \pmod{m_k} \end{cases}$$

has solutions in $$\mathbb{Z}$$ if and only if $$b_i \equiv b_j \pmod{(m_i,m_j)}$$ for all $$1 \leqslant i,j \leqslant k$$, where $$(m_i,m_j)$$ denotes the greatest common divisor (GCD) of $$m_i$$ and $$m_j$$. Furthermore, under these conditions, the system has a unique solution in $$\mathbb{Z}_{[m_1,...,m_k]}$$, where $$[m_1,...,m_k]$$ denotes the least common multiple (LCM) of $$m_1,...,m_k$$.

Secret Sharing using the CRT
Since the Chinese Remainder Theorem provides a method to uniquely determine a number m from its residues modulo k pairwise relatively prime integers $$p_1, p_2, ..., p_k$$, provided that $$m < \prod_{i=1}^k p_i$$, the idea is to construct a scheme that determines the secret m from any k shares (here, the residues of m modulo each of the integers) but reveals nothing conclusive about it from fewer than k shares. This is known as a threshold access structure.

Concretely, we choose n pairwise relatively prime integers $$p_1< p_2< ...< p_n$$ such that m is smaller than the product of any k of these integers, but at the same time greater than the product of any k-1 of them. The shares $$s_1, s_2, ..., s_n$$ are then defined by $$s_i = m \bmod p_i$$ for $$i=1, 2, ..., n$$. In this manner, thanks to the CRT, m is uniquely determined by any set of k or more shares, but not by fewer than k.

This condition on m can also be written as $$\prod_{i=n-k+2}^n p_i < m < \prod_{i=1}^k p_i$$. Since m is smaller than the product of the k smallest integers, it is smaller than the product of any k of them; and since it is greater than the product of the k-1 largest integers, it is greater than the product of any k-1 of them.

There are two Secret Sharing Schemes that utilize essentially this idea, Mignotte's and Asmuth-Bloom's Schemes, which are explained below.

Mignotte's Threshold Secret Sharing Scheme
As said before, Mignotte's threshold secret sharing scheme uses, along with the CRT, special sequences of integers called (k,n)-Mignotte sequences: n pairwise coprime integers such that the product of the smallest k of them is greater than the product of the k-1 largest ones. This condition is crucial because the scheme chooses the secret as an integer between the two products, and the condition ensures that at least k shares are needed to recover the secret, no matter how they are chosen.

Formally, let $$n \geqslant 2$$ be an integer, and k be an integer such that $$2 \leqslant k \leqslant n$$. A (k,n)-Mignotte sequence is a sequence of positive integers $$m_1 < ... < m_n$$, with $$(m_i,m_j)=1$$ for all $$1 \leqslant i < j \leqslant n$$, such that $$m_{n-k+2} \cdots m_n < m_1 \cdots m_k$$. The set of integers strictly between these two products is called the authorized range. The (k,n)-threshold scheme then works as follows. We choose the secret S as a random integer in the authorized range. For every $$1 \leqslant i \leqslant n$$ we compute the remainder of the Euclidean division of S by $$m_i$$, $$I_i = S \bmod m_i$$; these are the shares. Now, for any k different shares $$I_{i_1},...,I_{i_k}$$, we consider the system of congruences:

$$\begin{cases} x \equiv I_{i_1} \pmod{m_{i_1}} \\ \quad \vdots \\ x \equiv I_{i_k} \pmod{m_{i_k}} \end{cases}$$

By the Chinese Remainder Theorem, since $$m_{i_1}, ..., m_{i_k}$$ are pairwise coprime, the system has a unique solution modulo $$m_{i_1} \cdots m_{i_k}$$. Since S lies below this product by construction of the authorized range, this solution is nothing but the secret S.

Asmuth-Bloom's Threshold Secret Sharing Scheme
This scheme also uses special sequences of integers. Let $$n \geqslant 2$$ be an integer, and k be an integer such that $$2 \leqslant k \leqslant n$$. We consider a sequence of pairwise coprime positive integers $$m_0 < m_1 < ... < m_n$$ such that $$m_0 \cdot m_{n-k+2} \cdots m_n < m_1 \cdots m_k$$. For this given sequence, we choose the secret S as a random integer in $$\mathbb{Z}_{m_0}$$ (S is later recovered as a remainder modulo $$m_0$$).

We then pick a random integer $$\alpha$$ such that $$S + \alpha \cdot m_0 < m_1 \cdots m_k$$. We compute the remainders of the Euclidean division of $$S + \alpha \cdot m_0$$ by $$m_i$$, for all $$1 \leqslant i \leqslant n$$; these are the shares $$I_i$$. Now, for any k different shares $$I_{i_1},...,I_{i_k}$$, we consider the system of congruences:

$$\begin{cases} x \equiv I_{i_1} \pmod{m_{i_1}} \\ \quad \vdots \\ x \equiv I_{i_k} \pmod{m_{i_k}} \end{cases}$$

By the Chinese Remainder Theorem, since $$m_{i_1}, ..., m_{i_k}$$ are pairwise coprime, the system has a unique solution $$S_0$$ modulo $$m_{i_1} \cdots m_{i_k}$$; because $$S + \alpha \cdot m_0$$ lies below this product, $$S_0 = S + \alpha \cdot m_0$$. By the construction of the shares, the secret S is therefore the remainder of the Euclidean division of $$S_0$$ by $$m_0$$.

It is important to notice that the Mignotte and Asmuth-Bloom (k,n)-threshold secret sharing schemes are not perfect schemes, in the sense that a set of fewer than k shares contains some information about the secret. Nevertheless, by a suitable choice of the sequences and of the parameters ($$\alpha$$ in the Asmuth-Bloom case), one can get a reasonable security factor. This is why the Asmuth-Bloom scheme is more secure, for it involves more random parameters.
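The following Python script is an added example, not code from the original page, that makes the "not perfect" remark concrete. It takes the point of view of a party holding only k-1 shares and brute-forces which values remain consistent with them; the parameters are small enough for exhaustive search. The moduli 11, 13, 17, 19 with m_0 = 3 and k = 3 are the ones used in this page's example; the Mignotte secret 1000 and the share values derived from it are constructed for this illustration.

```python
from collections import Counter


def consistent_values(held, lo, hi):
    """Brute force (small parameters only): every x in [lo, hi) that agrees with all
    held (modulus, residue) pairs.  This is what a holder of k-1 shares can enumerate."""
    return [x for x in range(lo, hi) if all(x % m == r for m, r in held)]


def mignotte_candidates(held, lo, hi):
    """Mignotte: the secret lies strictly between lo = m_{n-k+2}...m_n and hi = m_1...m_k,
    so the candidates are the consistent values in the open interval (lo, hi)."""
    return consistent_values(held, lo + 1, hi)


def asmuth_bloom_secret_counts(held, m0, hi):
    """Asmuth-Bloom: y = S + alpha*m0 lies in [0, hi) with hi = m_1...m_k.  For each
    possible secret S in Z_{m0}, count the consistent y values that reduce to S."""
    counts = Counter(y % m0 for y in consistent_values(held, 0, hi))
    return {s: counts.get(s, 0) for s in range(m0)}


if __name__ == "__main__":
    lo, hi = 17 * 19, 11 * 13 * 17          # (3,4) bounds for the moduli 11, 13, 17, 19
    # Mignotte with constructed secret 1000 (1000 mod 17 = 14, 1000 mod 19 = 12): two shares
    # leave only 7 candidates out of the 2107 integers in the authorized range.
    print(mignotte_candidates([(17, 14), (19, 12)], lo, hi))
    # Asmuth-Bloom with m_0 = 3 and the shares of y = 155 modulo 17 and 19 (2 and 3):
    # every secret in Z_3 stays possible, with near-equal counts.
    print(asmuth_bloom_secret_counts([(17, 2), (19, 3)], 3, hi))
```

The Mignotte output shows the leak directly: the k-1 shares reduce the authorized range to roughly (hi - lo) / (product of the held moduli) candidates, one of which is the secret. The Asmuth-Bloom condition $$m_0 \cdot m_{n-k+2} \cdots m_n < m_1 \cdots m_k$$ is what keeps its count table flat: the consistent y values form an arithmetic progression with step coprime to $$m_0$$, and the condition guarantees at least $$m_0$$ of them below the bound, so every residue modulo $$m_0$$ remains a possible secret.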

Example
The following is an example of the Asmuth-Bloom scheme. For practical purposes we choose small values for all parameters: k=3 and n=4, with pairwise coprime integers $$m_0 = 3$$, $$m_1 = 11$$, $$m_2 = 13$$, $$m_3 = 17$$ and $$m_4 = 19$$. They form an Asmuth-Bloom sequence because $$3 \cdot 17 \cdot 19 < 11 \cdot 13 \cdot 17$$. Say our secret S is 2. Pick $$\alpha = 51$$, which satisfies the required condition since $$S + \alpha \cdot m_0 = 2 + 51 \cdot 3 = 155 < 11 \cdot 13 \cdot 17$$. We now compute the shares as the remainders of 155 modulo 11, 13, 17 and 19; they are respectively 1, 12, 2 and 3. Any of the $$4 \choose 3$$ possible sets of 3 shares recovers the same secret S=2. Consider, for example, the following system of congruences:

$$\begin{cases} x \equiv 1 \pmod{11} \\ x \equiv 12 \pmod{13} \\ x \equiv 2 \pmod{17} \end{cases}$$

To solve the system, let $$M = 11 \cdot 13 \cdot 17 = 2431$$. From the constructive algorithm for solving such a system, a solution is $$x_0 = 1 \cdot e_1 + 12\cdot e_2 + 2\cdot e_3$$, where each $$e_i$$ is found as follows. By Bézout's identity, since $$(m_i,M/m_i) = 1$$, there exist integers $$r_i$$ and $$s_i$$, computable with the extended Euclidean algorithm, such that $$r_i \cdot m_i + s_i \cdot M/m_i = 1$$. Set $$e_i = s_i \cdot M/m_i$$; then $$e_i \equiv 1 \pmod{m_i}$$ and $$e_i \equiv 0 \pmod{m_j}$$ for $$j \neq i$$. From the identities $$1 = 1\cdot 221 - 20\cdot 11 = (-5)\cdot 187 + 72\cdot 13 = 5\cdot 143 + (-42)\cdot 17$$, we get $$e_1 = 221$$, $$e_2=-935$$, $$e_3=715$$, hence $$x_0 = 221 - 11220 + 1430 = -9569$$, and the unique solution modulo $$2431$$ is $$-9569 + 4 \cdot 2431 = 155$$. Finally, reducing modulo $$m_0 = 3$$, $$S = 155 - 3\cdot 51 = 2$$.
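The following Python program is an added example, not code from the original page, that implements the material above end to end: the general Chinese Remainder Theorem solver (arbitrary moduli, with the pairwise gcd compatibility check and a solution modulo the LCM), the constructive $$e_i$$ coefficients used in the worked example, and share generation and recovery for both the Mignotte and the Asmuth-Bloom schemes. Function names and the (index, share) representation are my own choices; the Asmuth-Bloom parameters are those of the example ($$m_0 = 3$$; 11, 13, 17, 19; k = 3; S = 2; $$\alpha = 51$$), while the Mignotte secret 1000 used in the test is a constructed value.

```python
from itertools import combinations
from math import gcd, prod


def egcd(a, b):
    """Extended Euclid: returns (g, r, s) with r*a + s*b == g == gcd(a, b)."""
    r0, r1, s0, s1, t0, t1 = a, b, 1, 0, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return r0, s0, t0

def congruences_compatible(residues, moduli):
    """The theorem's solvability condition: b_i ≡ b_j (mod gcd(m_i, m_j)) for every pair."""
    pairs = combinations(zip(residues, moduli), 2)
    return all((b - c) % gcd(m, n) == 0 for (b, m), (c, n) in pairs)

def crt(residues, moduli):
    """Solve x ≡ b_i (mod m_i) for arbitrary moduli by merging one congruence at a time.
    Returns (x, L) with L = lcm(m_1, ..., m_k) and 0 <= x < L (the unique solution in Z_L)."""
    if not congruences_compatible(residues, moduli):
        raise ValueError("no solution: some pair violates b_i ≡ b_j (mod gcd(m_i, m_j))")
    x, L = 0, 1
    for b, m in zip(residues, moduli):
        g, r, _ = egcd(L, m)                  # r*L + s*m == g, so r inverts L/g modulo m/g
        t = ((b - x) // g * r) % (m // g)     # choose t with x + L*t ≡ b (mod m)
        x, L = x + L * t, L // g * m
        x %= L
    return x, L

def crt_coefficients(moduli):
    """The e_i of the constructive method in the worked example (pairwise coprime moduli):
    e_i = s_i * (M/m_i) with r_i*m_i + s_i*(M/m_i) = 1, so e_i ≡ 1 (mod m_i) and
    e_i ≡ 0 (mod m_j) for j != i; sum(b_i * e_i) then solves the system modulo M."""
    M = prod(moduli)
    coeffs = []
    for m in moduli:
        g, _, s = egcd(m, M // m)
        if g != 1:
            raise ValueError("moduli must be pairwise coprime")
        coeffs.append(s * (M // m))
    return coeffs

def pairwise_coprime(seq):
    return all(gcd(a, b) == 1 for a, b in combinations(seq, 2))

def mignotte_range(ms, k):
    """Authorized range of a (k,n) sequence: (m_{n-k+2}...m_n, m_1...m_k), both ends excluded."""
    n = len(ms)
    return prod(ms[n - k + 1:]), prod(ms[:k])

def is_mignotte_sequence(ms, k):
    lo, hi = mignotte_range(ms, k)
    return list(ms) == sorted(ms) and pairwise_coprime(ms) and lo < hi

def mignotte_share(secret, ms, k):
    """Shares I_i = S mod m_i, returned as (i, I_i) so recovery knows which modulus to use."""
    lo, hi = mignotte_range(ms, k)
    if not (is_mignotte_sequence(ms, k) and lo < secret < hi):
        raise ValueError("secret must lie strictly inside the authorized range")
    return [(i + 1, secret % m) for i, m in enumerate(ms)]

def mignotte_recover(shares, ms, k):
    """Any k or more shares determine S: S < m_{i_1}...m_{i_k}, so the CRT solution is S itself."""
    if len(shares) < k:
        raise ValueError(f"need at least {k} shares")
    x, _ = crt([I for _, I in shares], [ms[i - 1] for i, _ in shares])
    return x

def is_asmuth_bloom_sequence(m0, ms, k):
    n = len(ms)
    seq = [m0, *ms]
    return seq == sorted(seq) and pairwise_coprime(seq) and m0 * prod(ms[n - k + 1:]) < prod(ms[:k])

def asmuth_bloom_share(secret, m0, ms, k, alpha):
    """Shares of y = S + alpha*m0 with S in Z_{m0}; y must stay below m_1...m_k."""
    y = secret + alpha * m0
    if not (is_asmuth_bloom_sequence(m0, ms, k) and 0 <= secret < m0 and y < prod(ms[:k])):
        raise ValueError("invalid Asmuth-Bloom parameters")
    return [(i + 1, y % m) for i, m in enumerate(ms)]

def asmuth_bloom_recover(shares, m0, ms, k):
    """k shares give y exactly (y < product of their moduli); the secret is y mod m0."""
    if len(shares) < k:
        raise ValueError(f"need at least {k} shares")
    y, _ = crt([I for _, I in shares], [ms[i - 1] for i, _ in shares])
    return y % m0

def recover_from_every_k_subset(shares, k, recover):
    """Set of values recovered from all k-element subsets of the shares (should be a singleton)."""
    return {recover(list(sub)) for sub in combinations(shares, k)}

if __name__ == "__main__":
    # The page's example: m_0 = 3, (m_1, ..., m_4) = 11, 13, 17, 19, k = 3, S = 2, alpha = 51.
    m0, ms, k = 3, [11, 13, 17, 19], 3
    shares = asmuth_bloom_share(2, m0, ms, k, alpha=51)
    print(shares)                              # [(1, 1), (2, 12), (3, 2), (4, 3)]
    print(crt_coefficients([11, 13, 17]))      # [221, -935, 715]
    print(crt([1, 12, 2], [11, 13, 17]))       # (155, 2431)
    print(recover_from_every_k_subset(shares, k, lambda s: asmuth_bloom_recover(s, m0, ms, k)))  # {2}
```

Two design points are worth noting. `crt` implements the theorem in its general form: it refuses a system whose residues disagree modulo a common divisor and otherwise returns the solution modulo the LCM, so it also serves the coprime case both schemes rely on. Recovery functions take the share index along with the residue, because a share is meaningless without knowing which modulus it was taken against; in a deployed system that index would have to be bound to the share value just as carefully as the value itself.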