1、BS ISO/IEC 19592-1:2016 Information technology Security techniques Secret sharing Part 1: General BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06BS ISO/IEC 19592-1:2016 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 195
2、92-1:2016. The UK participation in its preparation was entrusted to Technical Committee IST/33/2, Cryptography and Security Mechanisms. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all the necessary pr
3、ovisions of a contract. Users are responsible for its correct application. The British Standards Institution 2016. Published by BSI Standards Limited 2016 ISBN 978 0 580 91585 7 ICS 35.040 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was pub
4、lished under the authority of the Standards Policy and Strategy Committee on 30 November 2016. Amendments/Corrigenda issued since publication Date Text affectedBS ISO/IEC 19592-1:2016 Information technology Security techniques Secret sharing Part 1: General Technologies de linformation Techniques de
5、 scurit Partage de secret Partie 1: Gnral INTERNATIONAL STANDARD ISO/IEC 19592-1 Reference number ISO/IEC 19592-1:2016(E) First edition 2016-11-15 ISO/IEC 2016 BS ISO/IEC 19592-1:2016ii ISO/IEC 2016 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2016, Published in Switzerland All rights re
6、served. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either
7、ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 19592-1:2016(E)BS ISO/IEC 19592-1:2016ISO/IEC 19592-1:201
8、6(E)Foreword iv Introduction v 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 General model of secret sharing 2 4.1 Parties involved 2 4.2 Parameters . 3 4.2.1 Overview . 3 4.2.2 Message space 3 4.2.3 Share space . 3 4.2.4 Number of shares 3 4.2.5 Access structure . 3 4.3 Messag
9、e sharing process 4 4.4 Message reconstruction process . 4 5 Properties of secret sharing schemes 5 5.1 Fundamental requirements . 5 5.1.1 Overview . 5 5.1.2 Message confidentiality . 6 5.1.3 Message recoverability . 6 5.2 Optional requirements . 6 5.2.1 Overview . 6 5.2.2 Homomorphicity 6 5.2.3 Ver
10、ifiability . 6 5.3 Other properties 7 5.3.1 Overview . 7 5.3.2 Confidentiality guarantees 7 5.3.3 Complexity 7 5.3.4 Information rate . 7 ISO/IEC 2016 All rights reserved iii Contents PageBS ISO/IEC 19592-1:2016ISO/IEC 19592-1:2016(E) Foreword ISO (the International Organization for Standardization)
11、 and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal
12、 with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC
13、 have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should b
14、e noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible fo
15、r identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the
16、convenience of users and does not constitute an endorsement. For an explanation on the meaning of ISO specific terms and expressions related to conformit y assessment, as well as information about ISOs adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT
17、) see the following URL: www.iso.org/iso/foreword.html. The committee responsible for this document is ISO/IEC JTC 1, Information Technology, Subcommittee SC 27, IT Security techniques. A list of all parts in the ISO/IEC 19592 series can be found on the ISO website.iv ISO/IEC 2016 All rights reserve
18、dBS ISO/IEC 19592-1:2016ISO/IEC 19592-1:2016(E) Introduction A secret sharing scheme is a cryptographic technique used to protect the confidentiality of a message by dividing it into a number of pieces called shares. A secret sharing scheme has two main parts: a message sharing algorithm for dividin
19、g the message into shares and a message reconstruction algorithm for recovering the message from all or a subset of the shares. Secret sharing can be used to store data (for example, confidential values or cryptographic keys) securely in distributed systems. Moreover, secret sharing is a fundamental
20、 technology for secure multi-party computation that can be used to protect the processing of data in a distributed system. To facilitate the effective use of the technology and to maintain interoperability, ISO/IEC 19592 (all parts) specifies secret sharing and related technology. ISO/IEC 2016 All r
21、ights reserved vBS ISO/IEC 19592-1:2016BS ISO/IEC 19592-1:2016Information technology Security techniques Secret sharing Part 1: General 1 Scope ISO/IEC 19592 (all parts) specifies cryptographic secret sharing schemes and their properties. This document defines the parties involved in a secret sharin
22、g scheme, the terminology used in the context of secret sharing schemes, the parameters and the properties of such a scheme. 2 Normative references There are no normative references in this document. 3 T erms a nd definiti ons For the purposes of this document, the following terms and definitions ap
23、ply. ISO and IEC maintain terminological databases for use in standardization at the following addresses: IEC Electropedia: available at http:/ /www.electropedia.org/ ISO Online browsing platform: available at http:/ /www.iso.org/obp 3.1 access structure set of subsets of all share-holders (3.11), A
24、 S | S 1,n, such that for all S,T A, S is not a subset of T and T is not a subset of S and the shares (3.10) held by share-holders in S are sufficient to successfully reconstruct the message (3.4) using the message reconstruction algorithm (3.5) 3.2 adversary structure set of subsets of all share-ho
25、lders (3.11), D S | S 1,n, such that for all S,T D, S is not a subset of T and T is not a subset of S and it is not possible to reconstruct the message (3.4) from the shares (3.10) held by share-holders in S 3.3 dealer party running the message sharing algorithm (3.6) 3.4 message secret information
26、that is to be protected EXAMPLE A confidential value or cryptographic key. 3.5 message reconstruction algorithm process which transforms a recoverable subset of elements in a share vector (3.13) into the original message (3.4) INTERNATIONAL ST ANDARD ISO/IEC 19592-1:2016(E) ISO/IEC 2016 All rights r
27、eserved 1BS ISO/IEC 19592-1:2016ISO/IEC 19592-1:2016(E) 3.6 message sharing algorithm process which transforms messages (3.4) into a share vector (3.13) 3.7 message space set of messages (3.4) that can be shared by a secret sharing scheme (3.9) 3.8 receiver party running the message reconstruction a
28、lgorithm (3.5) 3.9 secret sharing scheme cryptographic technique used to protect the confidentiality of a message (3.4) by dividing it into a number of pieces called shares (3.10) Note 1 to entry: It consists of two component processes: a message sharing algorithm and a message reconstruction algori
29、thm. 3.10 share element of the share vector (3.13) 3.11 share-holder party storing a share output by the message sharing algorithm (3.6) 3.12 share space set of elements that can occur in a share vector (3.13) of a secret sharing scheme (3.9) 3.13 share vector vector of values output by the message
30、sharing algorithm (3.6) 3.14 threshold minimal number of unmodified elements in the share vector (3.13) that are needed to successfully reconstruct the message (3.4) 4 General model of secret sharing 4.1 Parties involved The operation of a secret sharing scheme involves the following three roles: a)
31、 the dealer; b) the share-holder; c) the receiver. The dealer is the party that has a message and runs the message sharing algorithm. After running the algorithm on the message to obtain the share vector, it distributes the shares in the share vector to the share-holders. The way in which shares are
32、 distributed to share-holders is application-specific and is outside the scope of ISO/IEC 19592 (all parts). The receiver is the party that attempts to reconstruct the message. When the receiver wants to learn the message, it collects shares from an authorized set of parties and assembles a share ve
33、ctor to pass to 2 ISO/IEC 2016 All rights reservedBS ISO/IEC 19592-1:2016ISO/IEC 19592-1:2016(E) the message reconstruction algorithm. If enough shares are available to reconstruct the message, the receiver learns the message by running the message reconstruction algorithm. The receiver may collect
34、additional shares to increase its chances of successful reconstruction. The way in which shares are collected from share-holders is application-specific and is outside the scope of ISO/IEC 19592 (all parts). A party can have more than one role. For example, among a number of parties, each may have a
35、 message that it wants to share among all the parties, including itself. In such a scenario, each party is both a dealer and share-holder. 4.2 Parameters 4.2.1 Overview The following parameters apply to all secret sharing schemes specified in ISO/IEC 19592 (all parts): a) the message space, describe
36、d in 4.2.2; b) the share space, described in 4.2.3; c) the number of shares, described in 4.2.4; d) the access structure, described in 4.2.5. 4.2.2 Message space The message space is the set of possible values for the message, i.e. the secret that is to be divided into shares by the message sharing
37、algorithm. Whilst a secret sharing scheme might permit a range of possible message spaces (e.g. for different data types) in any specific instantiation, the message space shall be fixed, and all users of the scheme shall know the details of the message space. 4.2.3 Share space The share space is the
38、 set of elements that the shares of a message are selected from. The message sharing algorithm outputs a share vector that contains elements from the share space. For many secret sharing schemes, the choice of message space directly fixes the share space. 4.2.4 Number of shares A secret sharing sche
39、me is typically able to divide an input message into any finite number of shares. In practice, schemes that divide a message into two or more shares are required. Each instantiation of a secret sharing scheme defines a message sharing algorithm that outputs a share vector containing n shares. Simila
40、rly, the instantiation of the secret sharing scheme defines a message reconstruction algorithm that accepts a share vector with this fixed number of elements. Note that some secret sharing schemes can reconstruct the message even when some values in the share vector are modified or missing. NOTE An
41、instantiation of a secret sharing scheme often fixes a range for the possible number of shares with upper and lower bounds. For example, a message sharing algorithm can be implemented so that it always outputs a share vector with n shares but, depending on the application, it could also output t sha
42、res where 2 t n. 4.2.5 Access structure The operation of a secret sharing scheme is fundamentally dependent on its associated access structure. An access structure is the minimal set of possible subsets of shares that are needed as input in order for the message reconstruction algorithm to successfu
43、lly output the message. That is, given a collection of shares, it can be used to reconstruct the message if and only if it contains one or more of the share subsets in the access structure. ISO/IEC 2016 All rights reserved 3BS ISO/IEC 19592-1:2016ISO/IEC 19592-1:2016(E) Some schemes have an associat
44、ed threshold the number of correct shares that have to be provided to the message reconstruction algorithm in order for it to successfully reconstruct the message. For example, if a secret sharing scheme supports thresholds, it might be instantiated to share the message into n shares with a threshol
45、d, k, where 2 k n. In such a setting, any k shares are sufficient for a successful completion of the message reconstruction algorithm. That is, the access structure consists of all k-subsets of shares, i.e. all subsets of cardinality k. A secret sharing scheme can also be instantiated with a custom
46、access structure containing sets of parties who can reconstruct the message by combining their shares. For example, for four share- holders, an access structure can specify that shares m 1 , m 2 , m 3are sufficient for reconstructing the secret as well as m 1and m 4or m 2and m 4 , resulting in an ac
47、cess structure A = 1, 2, 3, 1, 4, 2, 4. In this case, parties 3 and 4 or 1 and 2, for example, cannot restore the secret on their own, but all sets of parties in A, as well as their supersets, can reconstruct the message. For this example, the adversary structure in this case is D = 1, 2, 1, 3, 2, 3
48、, 3, 4. 4.3 Message sharing process The message sharing process consists of the following three steps. a) The dealer runs the message sharing algorithm on the message, m, and obtains the share vector (m 1 , m 2 , ., m n ). b) The dealer distributes the elements in the share vector to the share-holde
49、rs. c) The share-holders store the shares in a secure way. Figure 1 illustrates an example of a message sharing process. Figure 1 Example of a secret sharing process The implementer of a secret sharing scheme should consider erasing the dealers copies of the shares after share distribution, unless this is prevented by the application requirements. 4.4 Message reconstruction process The message reconstruction process consists of the fo