2

Given a symmetric encryption scheme with $|K| = |C| = |M|$ that provides perfect secrecy, it is possible to share a secret $s ∈ M$ between two players by giving one player a key $k ∈ K$ and the other player the ciphertext $c =$ Enc$(k$, $m)$. Show that this construction results in a perfect $(2; 2)$-threshold scheme.

I don't know how to do this. Would I go down the route of Shamir's threshold scheme?I know since $|K| = |C| = |M|$ provides perfect secrecy then for every choice of $m$ and $c$, there exists a unique key $k$ but can't see if that helps in any way..

harry55
  • 139
  • 1
  • 7

2 Answers2

1

You don't need to adress Shamir's, that is just needed for $k<n$. What you do here is along the lines of the proof that OTP is perfectly secure - actually OTP is one example for this (it is not the general case you are given).

Also see Wikipedia the section "trivial secret sharing", which does list elementwise-XOR with a truly random value for the $2,2$ case (also works for $n,n$. There you just choose $n-1$ shares randomly, and calculate the last one).

tylo
  • 12,654
  • 24
  • 39
  • I'm afraid I'm quite new to cryptography and don't know how I would prove that a OTP is secure. Do I need to go down the lines of showing Pr$(m|c)=$Pr$(m)$? – harry55 Apr 07 '17 at 14:54
  • @harry55 You are already given an encryption scheme with perfect secrecy, so no you don't need that step. In a scheme with perfect secrecy and $|K|=|C|=|M|$ you can argue that for every fixed $K$ then every $c$ matches exactly one $m$. And for every $c$ there is exactly one $k$ for every $m$. In your case $m$ is the secret, $k,c$ are the shares. – tylo Apr 10 '17 at 08:00
  • I understand a symmetric encryption scheme is perfect iff for every $m$,$c$, theres one $K$ with Enc$(k, m) = c$ and also that each key is chosen with Pr= $\frac{1}{|K|}$.. But I don't quite see how to incorporate this into the proof. My current attempt is that the player given $c$ clearly learns nothing about $s$ since Pr$(m|c)$=Pr$(m)$ and must be the same for the player given $k$? Thus since no player gains information upon obtaining either $k$ or $c$, it must be a perfect scheme. Is this going down the right tracks? If so how can I show the player given $k$ learns nothing about $s$? – harry55 Apr 12 '17 at 15:41
  • There is a certain symmetry in the perfect secrecy definition:By using the definitons of condition probability and Bayes theorem you should be able to get $P(k|c)=P(k)$, and similarly $P(c|m) = P(c)$, etc. Basically knowing just knowing one part of the triple $(m,k,c)$ does not help at all, knowing two parts fixed the third. – tylo Apr 13 '17 at 12:05
  • Is it necessary to show $P(c|m) = P(c)$? Since both players are given either $k$ or $c$, none of them are actually given the secret $m$.

    Would it be better to show the following: For the player given $k$, then $P(c|k) = P(c)$ and $P(m|k) = P(m)$.

    And then for the player given $c$, $P(k|c) = P(k)$, as you said, and $P(m|c) = P(m)$? (which of course we already know given the perfect scheme) Or is this unnecessary work?

     – harry55 Apr 13 '17 at 14:49
1

The question is asking you to show that, for any secret sharing scheme constructed in the manner it describes, the following two properties will hold:

  1. the two shareholders, together, will be able to reconstruct the secret, and
  2. neither of the shareholders alone can obtain any information about the secret.

In this case, the first property is trivial: since one shareholder has the ciphertext, and the other one has the key, they can use the key to decrypt the ciphertext and thus recover the original secret.

It's also obvious that the shareholder who only has the key cannot learn anything about the secret on their own, since the key does not depend on the secret in any way.

What remains to be shown, therefore, is that the shareholder who only has the ciphertext also cannot learn anything about the secret without access to the key. For that part, you will need to know something about the encryption scheme being used.

(After all, many practical real-world encryption schemes don't satisfy this property, since a hypothetical shareholder with access to sufficient computing power could rule out some potential secrets simply by exhaustively testing all possible keys and observing that none of them decrypts the ciphertext to those candidate secrets.)

Fortunately, even though you haven't been told anything specific about how the encryption scheme described in the exercise actually works, you have been told that it provides perfect secrecy. At this point, you should be able to present a reasonably formal argument for why this implies that the resulting secret sharing scheme will have the required properties. So as not to entirely spoil the exercise, I'll leave that part for you to write down in your own words.

(Hint: It's generally easiest to show the contrapositive, i.e. that, if the shareholder with the ciphertext could learn something about the secret without knowing the key, then the encryption scheme would not have perfect secrecy. Indeed, phrased like that, the argument is nearly trivial anyway.)

Ilmari Karonen
  • 46,120
  • 5
  • 105
  • 181