# [Cryptography] About Secret Sharing Schemes and a Question

Osman Kuzucu bizbucaliyiz at hotmail.com
Mon Jun 3 04:42:31 EDT 2019

Hello,

I am a cryptography fan and a beginner in the field and I wanted to hear opinions from the Cryptography mailing list members. I have been searching about the "Secret Sharing Schemes" and came across to the Shamir's Secret Sharing Scheme. The idea/method seems pretty smart, and it seems like this scheme has been being widely used. However, about the security aspect of the scheme, I am a little worried. A study I read about the scheme's weakness from a paper by Tompa & Woll (http://www.cs.nccu.edu.tw/~raylin/UndergraduateCourse/ComtenporaryCryptography/Spring2009/Tompa.pdf) shows that it is possible to cheat in that scheme when asynchronous secret share exchange happens. The paper also suggest a better approach, but again, the paper is from 1989, and could be outdated.

What I actually want to ask is, what would be the best way of distributing a secret to n amount of people and allowing k of them being able to read, where k=<n, the secret and any collaboration of k-1 people having little to no information about the secret? I am asking because I am not expert, I haven't worked, in the field, and maybe experienced members might have a better approach to the problem than Shamir's scheme.

Also, as for the application of the scheme, I wanted to ask one more situation. Assuming we have a secret S (a private key maybe?) distributed to n different secret share holders by using a secret sharing scheme, and we are periodically (say every month) producing data, namely D1, D2, D3 ... Dn. Our rule is, if k amount of people come together, they should be able to produce a data Di, which would be verifiable by the public that it was generated by at least k amount of share holders' collaboration. However, we do not want any share holder, or anyone from public to learn the actual secret S, so that no share holder, who contributed to the data production, will not be able to produce any other data Di+1 in the future without other share holders' help. As far as I know, at all secret sharing schemes collaborating once is enough for share holders to learn the main secret S (in the case of the papers, it was almost an integer number). Is there a way that we could use, or maybe combine public-private viewkeys, or make the secret S some encrypted data, or any other thing that would allow such real life application?

What I am exactly trying to achieve could be explained like this, 10 knights, holding 10 different amulets, once a year they gather at a secret temple, and there are 7 holes at the entrance door of the temple, so any 7 of those knights gathering together would be enough for them to access the temple, have the annual secret meeting, and part away for meeting next year. However, if next year 6 of those knights who were at the last year's gathering again come to the temple, they will not be able to open the door because they are missing the 7th amulet to activate the mechanism. What I need is exactly this. I know, in that case the amulet is a physical matter which is not duplicable but our secret keys are data that has to be shared with a centralized application, or other share holders, digitally at least at one point, so the keys of other share holders could be stored, accessed later, by the malicious participant. For the sake of the analogy, assume that such key stealing, excess storing is not possible, and the users come together at a secret office underground every year, type their share on the computer one by one, and it reveals them a text box to enter data, and later sign the data with keys, and broadcast secret agenda to the other members of the organization, and members all around the world are able to verify it is indeed coming from the organization, and at least 7 of them were there at the time of the production of the data.

My approach there was that our secret S is actually a PGP Private Key, and at the moment of the generation of shares, the key master (the person who creates the keys from the secret) publishes the Public View Key of the PGP Private Key, on the internet. Once minimum 7 people (out of 10) come together, they get the PGP Private Key, write a message, sign the message with the key, publish it and it is verifiable easily. The problem here is, once 7 people come together, they actually see the PGP Private Key, which could be used later on by any of these members to generate more messages, which I am trying to prevent.

As English is not my native language, I sincerely apologize for the language mistakes I have made, and ask for you forgiveness on the matter. Sorry for taking your time and asking, possibly very amateur, question.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20190603/0233ab40/attachment.html>