This section is an interlude in the sense that actually no protocol will be presented. However, the technique discussed is used also in many cryptographic protocols.
We say that t parties At, i = . . . , t, k-share a secret c, 1 < k < t, iff the following conditions (l)-(3) are satisfied.
(1) Each Ai knows some information ai not known to the parties Aj,j ^ /.
(2) The secret c can be easily computed from any k of the a-s.
(3) The knowledge of any k — 1 of the a-s, no matter which ones they are, leaves c undetermined.
A set {a,,..., a,} satisfying (2)—(3) is referred to as a (k, t) threshold scheme for c. A possible setup for managing c will be discussed in Example 6.1.
The practical applicability of threshold schemes is obvious. For instance, c might contain instructions for some crucial action. To initiate this action, the consensus of at least k parties is needed. On the other hand, any k parties may undertake the action quite independently of whether the other parties agree or disagree.
Examples from different areas of mathematics can be given, where an object is determined by k facts from a certain collection of facts, any additional facts being superfluous. Such examples can be used for the construction of threshold schemes. Perhaps the simplest and also very easily presentable example is based on modular arithmetic and the Chinese Remainder Theorem.
Let m„ i = 1, . . . , t, be integers > 1 such that (m,, mj) = 1 whenever i # j. Let at, i = 1,. .., t, be integers with 0 < a{ < mf. (In fact, a- s could equally well be arbitrary integers.) Let M be the product of all the m/s. Denote further Mi = M/m„ and let Nt be the inverse of M; (mod m;), for / = 1,.. ., t. Thus, M.-N,- = 1 (mod m;). The inverse exists and is immediately found by Euclid's algorithm because (Mi,mi)= 1.
The congruences
x = at (mod m(), i = 1,. . . , t, possess a simultaneous solution
x=t OjMjNi . i= 1
Moreover, the solution is unique in the sense that any other solution y satisfies
(y, mod M) = (x, mod M).
(Observe that this gives also a proof for the Chinese Remainder Theorem. Clearly, any two solutions must be congruent to each other (mod M). It is obvious that x is a solution because Mi is divisible by every trtj with j # i.)
Let now k be fixed, 1 < k < t. Denote by min(fc) the smallest product with k distinct factors mt. Thus, min(fc) = m1 . . . mk if the m- s are in increasing order. Similarly, denote by max(k — 1) the largest product with k — 1 factors mf. We assume that
(*) min(fc) — max(fc — 1) > 3-max(fe — 1).
(Preferably, the m,'s are chosen in such a way that this difference is large.) Let c be an integer satisfying
max(k — 1) < c < min(fc).
Define the numbers at by
Oj = (c, mod m(), i = 1,.. ., t. Theorem 6.1. The set {a1,... ,a,} is a (k, t) threshold scheme for c.
Proof. Assume first that any k of the a,'s, say alf... ,ak, are known. Denote M' = m, . .. mk, M\ = M'/mi = 1,..., k, and let N[ be the inverse of M\ (mod m;). Defining
y=t "MN'i, i= 1
we infer by the Chinese Remainder Theorem that
y = c (mod M').
Since M' > min(/c) > c, we obtain
c = (y, mod M'),
which shows how c can be computed from the numbers alt... ,ak.
Assume, secondly that only k — 1 of the a,'s, say al,. . ., ak _,, are known. We define y as before, this time using only the moduli m„ . . . ,mk_l and conclude that
y = c (mod m, ... mk_l).
But now this leaves many possibilities for c, because of (*). Indeed, there are altogether
(**) [(min(fc) - max(fc - 1) - 1 )/m, . . .
possibilities which is a very large number if the m/s are large and close to one another.
Example 6.1. Choose k = 3, t = 5 and
m, = 97, m2 = 98, m3 = 99, m4 = 101, m5 = 103 .
Then min(fc) = 941094, max(k - 1) = 10403, and (**) ranges between 89 and 97, depending on the choice of the two m- s. The highest value 97 is obtained for the product m,m2 = 9506, and the lowest value 89 for the product 10403. The secret c is a number satisfying
10403 < c < 941094 .
Assume that a general agency knows c and has given the parties At the values
ai = 62, a2 =4, a3 = 50, a4 = 50, a5 = 38 .
The moduli m, can be assumed to be public, or else one can assume that each m, is known to the party At only. In the latter case the central agency who handles the secret c and gives the partial information to the parties A{ has also taken care of that the mls satisfy the required conditions.
Assume now that A2, A3 and A4 want to combine their knowledge to find out c. First they compute