Secret sharing is a powerful cryptographic primitive that can provide data privacy and availability, and, in its verifiable variants, integrity, with a variety of applications. A secret piece of information is divided among multiple parties so that each participant holds a share of the secret. Reconstructing the full secret requires some threshold number of participants to contribute their shares; if fewer participants contribute, the secret cannot be reconstructed.
Cloud computing is "the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer" (6). Security is important in all computer applications, but it is especially important in cloud computing, where resources are shared by multiple parties and a single party may be using resources in multiple places. For customers of cloud technology, secret sharing can be a helpful tool to ensure key security properties such as data privacy, availability and integrity, while allowing computation on encrypted data.
To understand the benefits and drawbacks of different secret sharing schemes used for cloud security, it is crucial to understand the mathematical properties underlying these schemes. Attributes such as data privacy, availability, and integrity are determined by a secret sharing scheme’s structure and influence the security of cloud technologies that use a given scheme. It is also important to consider properties such as time-complexity and storage space required; these properties are also determined by the structure of a scheme and influence the performance and reliability of cloud technologies.
Secret sharing has many variants ("schemes"), each with its own objectives and a resulting structure that achieves those objectives. Shamir's Secret Sharing Scheme (SSSS) is one of the most well-known secret sharing schemes, and can be used as part of security measures in the cloud. However, considering the diverse challenges posed by computation in a cloud environment, alternative secret sharing schemes may be better suited to protect data. One of these alternatives is the family of Verifiable Secret Sharing Schemes (VSSS). While VSSS builds on SSSS, VSSS assumes that some participants may not be truthful in reporting their shares. As a result, VSSS includes verification of share correctness, which necessitates additional structures to verify keys and data during the secret reconstruction process. A further modification is the family of Verifiable Multi-Secret Sharing Schemes (VMSSS). This family maintains the privacy, availability and integrity present within VSSS, but reduces storage cost and is specifically designed for cloud applications.
This paper will examine the differing mathematical structures of SSSS, VSSS, and VMSSS, and analyze how these differences affect their levels of security and performance provided in a cloud setting.
Secret Sharing in the Cloud
The essential difference between cloud and other models of computing is that cloud computing necessarily entails sharing of one or more computing resources among many parties. The sharing of resources leads to higher availability and capacity, while lowering costs. This feature has led to the expansion of cloud computing as a business service.
However, this expansion opens up new vulnerabilities. In cloud contexts, multiple users share access to common resources, a single user's data is distributed across many resources, and a cloud service provider (CSP) has the responsibility of transmitting and storing data within its infrastructure. Shamir's paper notes that "Threshold schemes are ideally suited to applications in which a group of mutually suspicious individuals with conflicting interests must cooperate" (1).
In today's cloud environment, security-conscious users must be "suspicious" of other users utilizing the same resources, as well as of the CSP's infrastructure, as both have the potential to be used maliciously.
Various methods exist to provide data security in the cloud, from differential privacy to data anonymization. Unfortunately, many of these methods cannot guarantee multiple measures of security at once (e.g. they can guarantee availability but not integrity). Secret sharing schemes present a powerful opportunity to ensure data privacy, integrity, and availability simultaneously, while also maintaining low data costs. These schemes transform sensitive data into individually meaningless segments of data (shares) that are distributed to n participants (in the cloud context, n CSPs). Computations can then be performed on shares, and the individual results are still meaningless when viewed in isolation. The global result can only be reconstructed from the individual results of a sufficient number of participants (at least the threshold t, where t ≤ n).
Moreover, some secret sharing variants simultaneously enforce data privacy, availability and integrity, which few other security mechanisms achieve. In practice, secret sharing can be used both by CSPs, with data being shared within their cloud infrastructure, and by users, who can spread sensitive data over several providers. Since some secret sharing schemes also support homomorphic operations, they allow data analysis directly on shares, which facilitates the optimization of data costs.
Secret sharing schemes mainly aim at enforcing data security as measured by privacy, availability and integrity. However, in the context of cloud data processing, efficient data access (such as update, search and aggregation operations) must also be made possible by secret sharing schemes. Thus, some secret sharing schemes allow computation (e.g., sums and averages in VMSSS) over encrypted data through homomorphic operations. Below, some key security and performance concepts are defined in order to provide a framework for understanding cloud security. The security of various secret sharing schemes will be discussed after the schemes are presented.
Defining security in the cloud
Data Privacy
Privacy refers to the ability to restrict data such that it is only accessible to those who have been allowed access. In a cloud computing context, this is essential.
Users of a cloud application expect that the data they store and send will only be shared with those they authorize to view it. Since multiple users and CSPs can handle data in the cloud, adequate precautions are needed to guarantee that data is shared only with those authorized. Since threshold secret sharing schemes divide data into n shares such that any set of fewer than t shares reveals nothing about the secret, they enforce data privacy by design.
Data availability
Data availability is the ability to provide reliable data access to authorized users.
Availability is especially important in cloud secret sharing contexts, since one of the competitive advantages of cloud technology is an extremely high rate of availability. It is essential that measures enacted to ensure integrity and privacy do not compromise availability. When using secret sharing schemes in the cloud, data availability is guaranteed as long as t out of n participants are available, since t participants are enough to reconstruct secrets. In this paper, we evaluate schemes' availability without regard to attacks on infrastructure that would deny availability to users, i.e. an attack on a network or denial-of-service against a cloud server. Such attacks do not target the cryptographic scheme but rather the machinery used to enable the scheme, so we only consider the availability provided by the scheme itself.
Data Integrity
Data integrity is the ability to ensure that data is accurate and unchanged from its original secure representation. Integrity requires ensuring the consistency, accuracy and trustworthiness of data over its entire lifecycle. In the cloud, challenges to integrity arise when data can be corrupted (lose integrity) due to accidental errors in transmission and configuration or due to malicious actions on the part of CSPs or other users.
Computational complexity
The cost of cloud computing depends heavily on the time to compute and storage used. Thus, a low amount of time and space complexity is desired. While complexity and cost are not security measures, higher-security systems often have a higher amount of space and time complexity, leading users to choose less-secure systems. With this tradeoff in mind, the ideally-usable cloud security system will combine a low complexity with high data privacy, availability, and integrity.
Shamir’s Secret Sharing
Overview
One of the earliest forms of secret sharing, Shamir's Secret Sharing Scheme, distributes a secret S among n shares S1, S2, …, Sn. Once the shares have been distributed, knowledge of k or more shares Si must enable the reconstruction of S, while knowledge of k − 1 or fewer shares must leave S "completely undetermined". For this reason, SSSS is often called (k, n) threshold secret sharing (in the algorithms below the threshold is written t). By splitting the secret into multiple parts, the scheme ensures greater reliability than storing the data in one place or storing multiple copies of the secret in one location (2).
How can we model a scheme that distributes a secret among many parties and requires k of n parties to be present for secret reconstruction? Shamir's answer was to model the scheme on polynomial interpolation. Just as two points determine a line and three points determine a parabola, d + 1 points with distinct abscissae determine a unique polynomial of degree at most d, and this remains true when working modulo a prime. The following theorem, proof, and related algorithms show why polynomial interpolation works as a secret reconstruction method. Polynomial interpolation is also used to reconstruct the secret in other secret sharing variants, including VSSS and VMSSS.
Let $p$ be a prime, and let $(x_1, y_1), \dots, (x_{d+1}, y_{d+1}) \in (\mathbb{Z}_p)^2$ be a set of points whose $x_i$ values are all distinct. Then there is a unique polynomial $f$ of degree at most $d$ with coefficients in $\mathbb{Z}_p$ that satisfies $y_i \equiv f(x_i) \pmod{p}$ for all $i$.
Let $f(x) = \sum_{i=0}^{d} f_i x^i$ be a polynomial of degree at most $d$. Consider the problem of evaluating $f$ on a set of points $x_1, \dots, x_{d+1}$. We can express the outputs of $f$ as a linear function of the coefficients of $f$ in the following way:
$$
\begin{pmatrix} f(x_1) \\ f(x_2) \\ \vdots \\ f(x_{d+1}) \end{pmatrix}
=
\begin{pmatrix}
1 & x_1 & x_1^2 & x_1^3 & \cdots & x_1^d \\
1 & x_2 & x_2^2 & x_2^3 & \cdots & x_2^d \\
\vdots & \vdots & \vdots & \vdots & \ddots & \vdots \\
1 & x_{d+1} & x_{d+1}^2 & x_{d+1}^3 & \cdots & x_{d+1}^d
\end{pmatrix}
\begin{pmatrix} f_0 \\ f_1 \\ f_2 \\ f_3 \\ \vdots \\ f_d \end{pmatrix}
$$
The Vandermonde matrix $V$ in our expression is square, having dimensions $(d+1) \times (d+1)$, and its determinant is $\det V = \prod_{1 \le i < j \le d+1} (x_j - x_i)$. Since all of the $x_i$ values are distinct and $\mathbb{Z}_p$ is a field, every factor is non-zero and so is the product. That means $V$ is invertible. Thus, knowing $\{(x_1, y_1), \dots, (x_{d+1}, y_{d+1})\}$, we can solve for the coefficients of $f$ in the following equation:
$$
\begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_{d+1} \end{pmatrix}
=
\begin{pmatrix}
1 & x_1 & x_1^2 & \cdots & x_1^d \\
1 & x_2 & x_2^2 & \cdots & x_2^d \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & x_{d+1} & x_{d+1}^2 & \cdots & x_{d+1}^d
\end{pmatrix}
\begin{pmatrix} f_0 \\ f_1 \\ f_2 \\ \vdots \\ f_d \end{pmatrix}
$$
which yields:
$$
\begin{pmatrix} f_0 \\ f_1 \\ f_2 \\ \vdots \\ f_d \end{pmatrix}
=
\begin{pmatrix}
1 & x_1 & x_1^2 & \cdots & x_1^d \\
1 & x_2 & x_2^2 & \cdots & x_2^d \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & x_{d+1} & x_{d+1}^2 & \cdots & x_{d+1}^d
\end{pmatrix}^{-1}
\begin{pmatrix} y_1 \\ y_2 \\ \vdots \\ y_{d+1} \end{pmatrix}
$$
Since the coefficient vector is determined uniquely by the $y_i$, the polynomial $f$ is unique.
To share a secret $m \in \mathbb{Z}_p$ with threshold $t$, first choose a polynomial $f$ of degree at most $t - 1$ that satisfies $f(0) \equiv m$, with all other coefficients chosen uniformly in $\mathbb{Z}_p$. The $i$-th user receives the point $(i, f(i) \bmod p)$ on the polynomial; since $n < p$, the abscissae $1, \dots, n$ are distinct and non-zero modulo $p$. The interpolation argument shows that any $t$ shares uniquely determine the polynomial $f$, and thus recover the secret $f(0) \equiv m$.
Algorithms
SSSS consists of two algorithms: secret sharing and reconstruction. These algorithms can be represented as follows, where the message space is the finite field Zp, p is prime, n < p, t ≤ n:
SHARE(m):
    f_1, …, f_{t−1} ← Z_p (chosen uniformly at random)
    f(x) = m + Σ_{j=1}^{t−1} f_j x^j
    for i = 1 to n:
        s_i = (i, f(i) mod p)
    return (s_1, …, s_n)

RECONSTRUCT({s_i | i ∈ U}), for any U with |U| ≥ t:
    f(x) := the unique polynomial of degree at most t − 1 over Z_p passing through the points {s_i | i ∈ U}
    return f(0)

In practice the constant term is obtained directly by Lagrange interpolation at 0, without solving for all coefficients: writing s_i = (x_i, y_i),
$$f(0) = \sum_{i \in U} y_i \prod_{j \in U,\ j \ne i} \frac{x_j}{x_j - x_i} \pmod{p}.$$
Properties
Because SSSS is based on polynomial interpolation, its security rests on the fact that a polynomial of degree at most d is completely undetermined by fewer than d + 1 points. For example, a line (a polynomial of degree 1) cannot be determined from a single point. Thinking back to the n shares produced by the SHARE algorithm, suppose t − 1 of them, (i, D_i), are revealed to an adversary (Shamir writes k for the threshold t). For each candidate value D' in [0, p) the adversary can construct exactly one polynomial q'(x) of degree at most t − 1 such that q'(0) = D' and q'(i) = D_i for the t − 1 given arguments, since these are t points in total. By construction, each of the p possible polynomials is equally likely, because the dealer chose the non-constant coefficients uniformly at random, and thus there is absolutely nothing the adversary can deduce about the real value of the secret.
When considering a situation involving adversaries, we see that availability is maintained: the secret is available if and only if t or more participants contribute their (legitimate, unchanged) shares. In addition, SSSS guarantees privacy, as individual shares give away no information about the secret, and the secret can only be reconstructed by polynomial interpolation once the threshold number of participants contribute. However, integrity is not guaranteed: a participant can manipulate its share so that reconstruction yields an incorrect secret, and SSSS contains no check that would detect such manipulation. One major negative of SSSS is the amount of storage required; since each secret leads to the creation of an equal-volume share for each participant, the overall storage cost has a lower bound of n multiplied by the size of the secret. Overall, SSSS provides privacy and availability (but not integrity) at a storage cost of n times the size of the secret data.
Verifiable Secret Sharing
Overview
Verifiable secret sharing schemes (VSSS) include additional information that helps parties verify their shares as consistent. While SSSS assumes that the party distributing shares of S (the "dealer") is honest, VSSS removes the necessity of a trusted party, allowing for and protecting against the possibility of a dishonest dealer. By including additional information, VSSS ensures that S can still be reconstructed even with a dishonest dealer (3).
Algorithms
Much like SSSS, VSSS relies on two component functions: sharing and reconstruction.
SHARE: To share secret $d$ at $PT_i$, a random polynomial $f_i$ is created such that $d = \sum_{i=1}^{n} w_{i,0}$:
$$f_i(x) = \sum_{v=0}^{t-1} w_{i,v}\, x^{v}$$
Then $t$ signatures $\{sd_{i,v}\}_{v=0,\dots,t-1}$ are created and shared publicly:
$$sd_{i,v} = \begin{cases} y_i & \text{if } v = 0 \\ p^{w_{i,v}} & \text{otherwise} \end{cases}$$
(where $p$ is a prime and $d = \log_p \prod_{i=1}^{n} y_i$, i.e. $y_i = p^{w_{i,0}}$, so every $sd_{i,v}$ is $p$ raised to one coefficient of $f_i$).
After the signatures are created, shares $\{u_{i,a}\}_{a=1,\dots,n}$ are created using the equation $u_{i,a} = f_i(a)$ and distributed to the other participants.
$PT_i$ accepts the share $u_{a,i}$ received from $PT_a$ only if it is consistent with $PT_a$'s published signatures:
$$p^{u_{a,i}} = \prod_{v=0}^{t-1} (sd_{a,v})^{i^{v}}$$
If all received shares pass this check, $PT_i$'s actual share $e_i$ is created by summing them:
$$e_i = \sum_{a=1}^{n} u_{a,i}$$
RECONSTRUCT: Secrets are reconstructed by polynomial interpolation (as in SSSS). Since $e_i = \sum_{a} f_a(i)$, the actual shares are points on the polynomial $F = \sum_{a=1}^{n} f_a$ of degree at most $t - 1$, whose constant term is $\sum_{a} w_{a,0} = d$; any $t$ of them therefore determine $d = F(0)$.
Properties
While SSSS is built on the classic secret sharing structure to provide privacy and availability, it is still possible for bad actors to influence the reconstruction of a secret by providing bad information, and there are no checks within SSSS to prevent this. In the VSSS algorithms above, every received share must pass the check against the dealer's published signatures before sharing can complete (4). If a check fails, the sharing is aborted and must start again. For these checks to work, it is necessary to operate (multiply/add) on encrypted data.
Due to this constraint, homomorphic encryption (which allows computation on encrypted data) must be used: the check $p^{u_{a,i}} = \prod_{v} (sd_{a,v})^{i^v}$ holds precisely because exponentiation turns the sum $\sum_{v} w_{a,v} i^v$ into a product of published values, so a share can be verified without revealing the coefficients of the dealer's polynomial. Overall, VSSS is an extension of SSSS with added homomorphic encryption that allows verification of participants' shares.
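A toy run of the VSSS sharing phase above, as an added example rather than code from the paper or the cited scheme: every participant deals a sub-secret, each received share is checked against the dealer's published signatures, and a dealer whose share disagrees with its signatures is caught. The page writes the exponentiation base as a prime p; here it is a generator G of a prime-order subgroup modulo a safe prime Q (an assumption, needed for the check to be a group equation), and the parameters R, Q, G and the sub-secrets are deliberately tiny constructed values, not secure ones.

```python
# Added example: Feldman-style verifiable (joint) secret sharing as in the VSSS SHARE step.
# Toy parameters, NOT secure: discrete logs mod 10007 are trivial.
import random

R = 5003          # prime order of the share field Z_R (also the order of the exponent group)
Q = 10007         # safe prime, Q = 2*R + 1
G = 4             # generator of the order-R subgroup of Z_Q^* (4 = 2^2 is a quadratic residue)


def poly_eval(coeffs, x, mod):
    """Horner evaluation of sum(coeffs[v] * x**v) mod `mod`."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def deal(w0, t, n, rng):
    """Participant PT_i shares its sub-secret w0 = w_{i,0} with threshold t among n.
    Returns the public signatures sd_{i,v} = G**w_{i,v} mod Q and the shares u_{i,a} = f_i(a)."""
    coeffs = [w0 % R] + [rng.randrange(R) for _ in range(t - 1)]
    signatures = [pow(G, w, Q) for w in coeffs]          # signatures[0] is y_i
    shares = {a: poly_eval(coeffs, a, R) for a in range(1, n + 1)}
    return signatures, shares


def verify_share(signatures, i, u):
    """PT_i checks share u = u_{a,i} from dealer PT_a:  G**u == prod_v sd_{a,v}**(i**v)  (mod Q)."""
    rhs = 1
    for v, sd in enumerate(signatures):
        rhs = rhs * pow(sd, pow(i, v, R), Q) % Q
    return pow(G, u, Q) == rhs


def joint_share(sub_secrets, t, rng):
    """All n participants deal; PT_i verifies every share it receives and, if all pass,
    forms its actual share e_i = sum_a u_{a,i}. Any bad share aborts the sharing."""
    n = len(sub_secrets)
    sigs, shares = {}, {}
    for a, w0 in enumerate(sub_secrets, start=1):
        sigs[a], shares[a] = deal(w0, t, n, rng)
    e = {}
    for i in range(1, n + 1):
        for a in range(1, n + 1):
            if not verify_share(sigs[a], i, shares[a][i]):
                raise ValueError(f"share from PT_{a} to PT_{i} failed verification; abort sharing")
        e[i] = sum(shares[a][i] for a in range(1, n + 1)) % R
    return e, sigs


def secret_signature(sigs):
    """prod_i y_i = G**d (mod Q): anyone can check a claimed d against it without learning d."""
    y = 1
    for s in sigs.values():
        y = y * s[0] % Q
    return y


def demo():
    rng = random.Random(7)
    subs = [1234, 42, 777, 9]                       # constructed w_{i,0}; joint secret d = 2062
    e, sigs = joint_share(subs, t=3, rng=rng)
    d_matches = pow(G, sum(subs) % R, Q) == secret_signature(sigs)
    # Dishonest dealer: signatures commit to one polynomial, but PT_2 is handed a share off it.
    sigs1, shares1 = deal(5, 3, 4, rng)
    honest_ok = all(verify_share(sigs1, a, shares1[a]) for a in shares1)
    forged_ok = verify_share(sigs1, 2, (shares1[2] + 1) % R)
    return d_matches, honest_ok, forged_ok          # (True, True, False)


if __name__ == "__main__":
    print(demo())
```

The actual shares e_i produced by joint_share are points on F = Σ f_a with F(0) = d, so reconstruction from any t of them is plain Lagrange interpolation as in SSSS; what the example adds is the check that lets each participant reject a share before it is ever summed in.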
Verifiable Multi-Secret Sharing
Overview
While VSSS provides verified secret sharing, it has one major drawback: the amount of storage required to complete the scheme. VSSS has the potential to create storage costs of approximately n times the size of the secret data.
This is because it creates a share that has the same size as the secret, and does this for each participant. VMSSS has a different structure (and resulting sharing/reconstruction algorithms) to decrease the amount of storage needed.
VMSSS extends from SSSS by sharing each secret at fewer than n participants.
The scheme prevents participant group cheating by creating a new constraint: no participant group can hold enough shares to reconstruct the secret when n < 2t − 2. VMSSS also checks participant honesty and share correctness. In addition, this scheme introduces outer signature creation and verification that are separate from the sharing and reconstruction processes. This provides a ”buffer” allowing the scheme to ensure that both secrets (protected by inner signatures) and participant shares (protected by outer signatures) are correct, and prevent cheating and/or transferring incorrect shares to participants (5).
Within VMSSS, each secret is shared and reconstructed independently. The inner signature $sd_j$ of secret $d_j$ is created with a homomorphic function. Next, participants are split into two groups: $n - t + 2$ participants in group $G_1$ and the remaining $t - 2$ participants in group $G_2$. Then $t - 2$ pseudo shares $\{e_{j,i}\}_{PT_i \in G_2}$ ($G_2$'s shares, used to construct polynomial $f_2$ but never stored at $PT_i \in G_2$) are derived from $d_j$'s identifier $d\_id_j$ and the identifiers $\{ID_i\}_{PT_i \in G_2}$ of the participants in $G_2$ with a homomorphic function: $e_{j,i} = f_1(d\_id_j, ID_i)$. Next, a polynomial $f_2$ of degree $t - 1$ is created by polynomial interpolation through $t$ points, namely $d_j$, its inner signature $sd_j$, and the pseudo shares, indexed by the hashed keys and participant identifiers:
$$\{(x_1, y_1), \dots, (x_t, y_t)\} = \{(H(K_d), d_j), (H(K_s), sd_j)\} \cup \{(H(ID_i), e_{j,i})\}_{PT_i \in G_2}$$
Shares $\{e_{j,i}\}_{PT_i \in G_1}$ are created as $e_{j,i} = f_2(H(ID_i))$ and stored at $PT_i \in G_1$. To reconstruct $d_j$, $t$ out of the $n$ participants are selected from $G_1$ and $G_2$. The stored shares of the selected $G_1$ members and the recomputed pseudo shares $e_{j,i} = f_1(d\_id_j, ID_i)$ of the selected $G_2$ members give $t$ points on $f_2$, from which $d_j = f_2(H(K_d))$ is recovered by polynomial interpolation.
Algorithms
To achieve the above steps, VMSSS incorporates algorithms for initialization, sharing, and reconstruction as laid out below:
INITIALIZE
1. Initialize values of p (a large prime), n and t.
2. Define a one-variable hash function HF1(a) where a is an integer and hash values HF1(a) must be small integers.
3. Define a one-variable homomorphic function HE1(h) such that HE1(h) and h are reals and HE1(h1) ± HE1(h2) = HE1(h1 ± h2).
4. Define a two-variable homomorphic function HE2(a, b), where HE2(a, b), a and b are reals and HE2(a1, b) + HE2(a2, b) = HE2(a1 + a2, b).
5. Initialize the values of CSP identifiers IDi=1..n, Kd and Ks such that their values range in [0, p]. All HF1(IDi) must be unique and different from HF1(Kd) and HF1(Ks).
SHARE
1. Determine the group of CSPs SGjk that will store Rjk’s n − t + 2 shares.
Let UGjk be the group of CSPs that do not store Rjk’s shares, i.e., UGjk = {CSPi}i=1..n − SGjk.
2. For each attribute $A_{jl}$:
(a) Compute $d_{jkl}$'s inner signature: $s\_in_{jkl} = HE_1(d_{jkl})$.
(b) Create polynomial $f_{jkl}(x)$ of degree $t - 1$ by Lagrange interpolation (Equation 1):
$$f_{jkl}(x) = \sum_{\alpha=1}^{t} \left( \prod_{1 \le \beta \le t,\ \beta \ne \alpha} \frac{x - x_\beta}{x_\alpha - x_\beta} \right) y_\alpha$$
where
$$\{(x_1, y_1), \dots, (x_t, y_t)\} = \{(HF_1(K_d), d_{jkl}), (HF_1(K_s), s\_in_{jkl})\} \cup \{(HF_1(ID_i), HE_2(pk_{jk}, ID_i))\}_{CSP_i \in UG_{jk}}$$
The points $(HF_1(ID_i), HE_2(pk_{jk}, ID_i))$ for $CSP_i \in UG_{jk}$ are pseudo shares. There are $t - 2$ of them, so together with the secret and its inner signature the set contains exactly the $t$ points needed to fix a polynomial of degree $t - 1$.
(c) Compute the set of $d_{jkl}$'s $n - t + 2$ shares $\{e_{ijgl}\}$:
$\forall CSP_i \in SG_{jk}: e_{ijgl} = f_{jkl}(HF_1(ID_i))$, with $pk_{jk} = pk_{ijg}$.
Following this routine, record $R_{jk}$ is shared into $n - t + 2$ records $ER_{ijg}$ stored at the CSPs in $SG_{jk}$. The relationship between $R_{jk}$ and $ER_{ijg}$ is maintained through the primary keys $pk_{jk} = pk_{ijg}$. The information needed to locate $R_{jk}$, namely $SG_{jk}$ and $UG_{jk}$, is stored in the index server(s) at this time. Finally, since each data piece is shared independently, the usual data types featured in databases are handled easily.
RECONSTRUCT
Any attribute value djkl is reconstructed as follows.
1. Select t CSPs to form reconstruction group RG.
2. For each CSPi ∈ RG, if outer data verification (Section 3.3) outputs an error, replace CSPi by another CSP selected from {CSPi}i=1..n − RG.
3. For each CSPi ∈ SGjk ∩ RG, load share eijgl into yi where pkjk = pkijg .
4. For each CSPi ∈ UGjk ∩ RG, compute pseudo share yi = HE2(pkjk, IDi).
5. Create polynomial fjkl(x) of degree t − 1 (Equation 1) with xi = HF1(IDi).
6. Compute value djkl = fjkl(HF1(Kd)).
7. Compute inner signature s injkl = fjkl(HF1(Ks)).
8. Verify $d_{jkl}$'s correctness: if $s\_in_{jkl} \ne HE_1(d_{jkl})$, restart the reconstruction process from the first step with a new $RG$.
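The SSSS SHARE/RECONSTRUCT algorithms and the VMSSS SHARE/RECONSTRUCT steps above, carried through as one added example (not the paper's or any cited implementation's code): Shamir sharing with a silently wrong result when one share is altered, then VMSSS-style sharing at n − t + 2 CSPs with pseudo shares for the other t − 2 and an inner signature that catches the same alteration. The field prime P, the key KEY and multiplier S1, the SHA-256-based HF1 and the keyed linear HE1/HE2 are assumptions chosen to satisfy the properties listed in INITIALIZE (the page does not fix these functions); the identifiers, keys, record key pk and attribute value d are constructed sample inputs.

```python
# Added example: Shamir (t, n) sharing over Z_P, then VMSSS-style sharing with pseudo shares
# and an inner signature. HF1/HE1/HE2/KEY/S1 are toy instantiations (assumptions), not the
# paper's own definitions.
import hashlib
import random

P = 2**61 - 1       # field prime (assumed; a Mersenne prime)


def lagrange_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through `points` (mod P)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_share(m, t, n, rng):
    """SHARE(m): f(x) = m + f_1 x + ... + f_{t-1} x^{t-1}; share i is (i, f(i) mod P)."""
    coeffs = [m % P] + [rng.randrange(P) for _ in range(t - 1)]
    return {i: sum(c * pow(i, v, P) for v, c in enumerate(coeffs)) % P for i in range(1, n + 1)}


def shamir_reconstruct(shares):
    """RECONSTRUCT: interpolate through any >= t shares and return f(0)."""
    return lagrange_at(list(shares.items()), 0)


# ---- VMSSS-style functions (toy instantiations, see lead-in) ----
KEY = b"owner-secret-key"   # assumed secret behind HE2
S1 = 7373                   # assumed secret multiplier behind HE1


def HF1(a):
    """Hash to a small integer: low 32 bits of SHA-256 (INITIALIZE step 2)."""
    return int.from_bytes(hashlib.sha256(b"HF1|" + str(a).encode()).digest()[-4:], "big")


def HE1(h):
    """HE1(h1) + HE1(h2) == HE1(h1 + h2) (mod P)  (INITIALIZE step 3)."""
    return S1 * h % P


def HE2(a, b):
    """HE2(a1, b) + HE2(a2, b) == HE2(a1 + a2, b) (mod P); keyed so outsiders cannot compute it."""
    g = int.from_bytes(hashlib.sha256(KEY + str(b).encode()).digest(), "big") % P
    return a * g % P


def vmsss_share(d, t, n, pk, sg, ids, Kd, Ks):
    """SHARE: store attribute value d (record key pk) at the n-t+2 CSPs in sg.
    Returns the stored shares {i: e_i} and the unstored group UG."""
    ug = [i for i in range(1, n + 1) if i not in sg]
    assert len(sg) == n - t + 2 and len(ug) == t - 2
    s_in = HE1(d)                                    # inner signature
    pts = [(HF1(Kd), d % P), (HF1(Ks), s_in)] + [(HF1(ids[i]), HE2(pk, ids[i])) for i in ug]
    return {i: lagrange_at(pts, HF1(ids[i])) for i in sg}, ug    # degree t-1 through t points


def vmsss_reconstruct(rg, stored, ug, pk, ids, Kd, Ks):
    """RECONSTRUCT from the t CSPs in rg: stored shares for rg ∩ SG, recomputed pseudo shares
    for rg ∩ UG. Returns d, or None when the inner signature check fails (pick a new RG)."""
    pts = [(HF1(ids[i]), HE2(pk, ids[i]) if i in ug else stored[i]) for i in rg]
    d = lagrange_at(pts, HF1(Kd))
    s_in = lagrange_at(pts, HF1(Ks))
    return d if s_in == HE1(d) else None


def demo():
    rng = random.Random(2018)
    # Shamir: any t of n shares rebuild m, but one altered share silently yields a wrong value.
    m = 424242
    sh = shamir_share(m, t=3, n=5, rng=rng)
    shamir_ok = shamir_reconstruct({k: sh[k] for k in (1, 3, 5)}) == m
    bad = dict(sh)
    bad[3] = (bad[3] + 1) % P
    shamir_silent_wrong = shamir_reconstruct({k: bad[k] for k in (1, 3, 5)}) != m
    # VMSSS: n = 6, t = 5 satisfies n < 2t - 2, so SG holds only n-t+2 = 3 < t real shares.
    n, t = 6, 5
    ids = {i: 1000 + i for i in range(1, n + 1)}     # constructed CSP identifiers
    Kd, Ks = 31337, 4242                             # constructed keys
    xs = [HF1(v) for v in list(ids.values()) + [Kd, Ks]]
    assert len(set(xs)) == len(xs)                   # INITIALIZE step 5: distinct HF1 values
    pk, d = 17, 98765
    stored, ug = vmsss_share(d, t, n, pk, sg=[1, 2, 3], ids=ids, Kd=Kd, Ks=Ks)
    rg = [1, 2, 3, 4, 5]                             # t CSPs, mixing SG and UG members
    vm_ok = vmsss_reconstruct(rg, stored, ug, pk, ids, Kd, Ks) == d
    tampered = dict(stored)
    tampered[2] = (tampered[2] + 1) % P
    vm_caught = vmsss_reconstruct(rg, tampered, ug, pk, ids, Kd, Ks) is None
    return shamir_ok, shamir_silent_wrong, vm_ok, vm_caught   # (True, True, True, True)
```

The inner signature works because an altered share moves the interpolated value and the interpolated signature by different Lagrange weights, so s_in == HE1(d) fails unless the attacker can predict the secret multiplier behind HE1; with HE1 and HE2 public and unkeyed, anyone could forge a consistent pair, which is why both are keyed here.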
Properties
One main innovation in VMSSS is the introduction of inner and outer signatures to ensure data integrity throughout the sharing process. Inner signatures are signatures that help verify secret correctness after reconstruction. If one or more shares are incorrect, then reconstructed secrets do not match with their inner signatures. Outer signatures are share signatures. The correctness of shares is checked before reconstructing secrets. This provides a stronger level of security and efficiency by preventing the secret reconstruction process from proceeding when inaccurate or malicious shares have been input.
Evaluating the Security of Cloud Secret Sharing
Secret sharing schemes range from the classic, simpler variants such as SSSS to cloud-optimized variants like VMSSS. Developments in secret sharing have extended the original concepts laid out in SSSS to further the goal of increased security at lower cost. The differing structures of the resulting variants provide different levels of security and utility in the cloud. As summarized in the table below, all variants provide privacy and availability, but only the verifiable variants add integrity, and each provides its guarantees in a different way.
Scheme Privacy Availability Integrity
SSSS Yes Yes No
VSSS Yes Yes Yes
VMSSS Yes Yes Yes
Data Privacy
Privacy is a primary objective of all secret sharing schemes. SSSS, VSSS, and VMSSS all provide privacy by ensuring that the secret is only reconstructed when the threshold number of participants are present. While all schemes discussed use a similar structure involving polynomial representation of the secret, distributing shares of the polynomial to participants, and using interpolation to reconstruct the secret, they accomplish this in different ways, leading to their differing relative levels of privacy. While SSSS and VSSS provide privacy from an outside attacker, they are still vulnerable to insider threats. In SSSS and VSSS, the secret can still be broken if at least t participants are compromised.
VMSSS provides an additional level of privacy by protecting data from participant group cheating. VMSSS achieves additional privacy by having a number of shares at all participants that is lower than t. In VMSSS, no group of participants can possess enough shares to reconstruct the original data if n < 2×t−2.
Indeed, n < 2 × t − 2 ↔ n − t + 2 < t, i.e., the number of shares is lower than the number of shares necessary for reconstruction. In the cloud, multiple cloud providers or participants could collude to mount a group cheating attack, making VMSSS a more favorable choice to protect data privacy.
Data Integrity
As mentioned previously, SSSS cannot guarantee the data integrity of the reconstructed secret. This is because there is no additional information stored, and no checks within the algorithm, to verify participants’ shares. The reconstruction process in secret sharing schemes always produces the correct result if secrets, shares and sharing and reconstruction functions are correctly defined over the chosen finite field. However, if shares are altered, reconstructed secrets will be incorrect. VSSSs and VMSSSs have been introduced to enforce data integrity. Unlike SSSS, VSSS verifies the correctness of data and/or keys in the reconstruction process. This ensures that VSSS enforces data integrity as well as privacy and availability. However, a coalition of t or more malicious participants can break any secret. VMSSSs verify the correctness of shares across all relevant participants using outer signatures before reconstruction, preventing modification of the message. It is important to note that VMSSS requires extra storage for signatures.
Data Availability
The availability of SSSS, VSSS, and VMSSS is dependent on the difference between two parameters, n and t. The secret can be recovered although up to n − t participants disappear. Nevertheless, computing time and storage costs become prohibitive when n is significantly greater than t. Thus, n should be only slightly greater than t to achieve data availability at an acceptable cost.
The design of secret sharing schemes ensures that the secret can always be reconstructed when up to n − t participants fail. In other words, availability is provided by all secret sharing schemes. VMSSS can additionally insert new data into the scheme while some participants are unavailable, maintaining the possibility of secret reconstruction even though those participants have disappeared. This results in a higher level of availability. Unlike SSSS and VSSS, VMSSS can update participants' shares even when some CSPs or other participants have failed, simply by not selecting the failing participants when sharing new data. This is again possible because data is shared at n − t + 2 CSPs instead of n.
Complexity
Scheme   Sharing time   Reconstruction time   Verification time
SSSS     O(mnt)         O(mt^2)               N/A
VSSS     O(mn^2 t)      O(mt^3)               O(mt^2)
VMSSS    O(mnt)         O(mt^2)               O(mt)

Scheme   Share storage volume   Signature storage volume
SSSS     mn‖d‖                  N/A
VSSS     mn‖d‖                  mt‖s‖
VMSSS    m(n − t + 2)‖d‖        logm(n − t + 2)‖s‖

As mentioned previously, low time complexity (time to access data) and space complexity (storage volume) are desirable attributes for secret sharing schemes in the cloud. Time and space complexity depend on a few parameters: m (number of secrets shared), n (number of shares), and t (number of shares needed to reconstruct the secret). To determine time complexity and storage volume, we assume that m is big. The other parameters n and t will be relatively small, because they relate to the number of participants, i.e., the number of cloud service providers, which is typically small.
SSSS has a relatively moderate time complexity, O(mnt), as it loops once through each of the secrets to be shared, the number of participants, and the t coefficients evaluated per share. SSSS also has a large space complexity, as the distributed shares are all equal in size to the original secret. VSSS and VMSSS must also verify the correctness of keys and/or data, so extra computation time is required. In the case of VMSSS, this added time pales in comparison to the improvement in storage volume achieved: VMSSS' total storage volume (keys, shares and signatures) is lower than n times that of the secret data, which few other secret sharing schemes achieve.
Conclusion
Secret sharing schemes are a cryptographic primitive that can provide data privacy and availability, with some variants also providing integrity. Variants include Shamir's, Verifiable, and Verifiable Multi-Secret Sharing Schemes. It is essential to understand the structure of Shamir's Secret Sharing Scheme, which underlies many more recent schemes. However, more recent schemes possess properties that make them more advantageous for implementation in the cloud. While Verifiable Secret Sharing adds a crucial level of data integrity, it also produces a storage cost that is unacceptable for cloud applications. Verifiable Multi-Secret Sharing innovates on the two aforementioned schemes with its flexible, verifiable structure, providing high levels of data integrity, availability, and privacy while keeping storage and time costs low. VMSSS has the potential to be a powerful secret-sharing variant for the cloud, providing security for cloud
2018-12-18-1545120080