5

I am trying to find an implementation or variant of a (k, n) threshold cryptosystem (as described here: Shamir's Secret Sharing) where we can fix at least one of the k key parts, i.e., instead of ANY k key parts being able to decrypt the ciphertext, I want at least one of the k key parts to be a certain/fixed key part. So, sort of a joint account cheque where k out of n signatures are required but the signature of the accountant should always be there. Any ideas?

Cryptographeur
xkcd

2 Answers

6

Here's an easy way to do it:

  • Take your secret $S$, and select a random value $R$ of the same size, and compute $T = S \oplus R$

  • Give the accountant the value $R$

  • Use a $(k-1, n-1)$ secret sharing method to share $T$ to the other parties.

The accountant plus any set of $k-1$ other parties can reconstruct the secret. And, any smaller subset cannot get any information on the secret $S$.

poncho
1

As pointed out in the comments, this is a poor choice since it does not maintain the security level of the secret sharing on which it is based.


For just one person, you can use Shamir except instead of storing the secret as point $f(0)$ use the point $f(t)$, where you give $t$ to the required person.

So, set up the scheme as $(k-1,n-1)$ for the other players. Then, between $k-1$ of them they can reconstruct the polynomial, but they require person $t$ to know where to evaluate it.

Cryptographeur
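Both constructions above, worked through as an added example; this is not code from either answer's author. It assumes a plain Shamir scheme over GF(2^130 - 5) with shares at x = 1..n, a 128-bit secret, and the party counts used in the usage block; the helper names (`shamir_split`, `lagrange_at`, `split_xor_variant`, `split_ft_variant`, `colluders_search_t`) are mine. Beyond the two answers themselves it also shows the point made in the note on the second answer: the $k-1$ other parties rebuild the whole polynomial, so without the accountant the secret's remaining uncertainty is only that of $t$. That is exhausted outright when $k = 2$ (the polynomial is then a constant, so every other party holds $S$ directly) and by brute force when $t$ is drawn from a small range. In the first answer's variant the same parties learn $T = S \oplus R$, which is a one-time pad of $S$ and tells them nothing.

```python
"""Added example (not from either answer's author): the two "accountant always
required" constructions above, on top of a plain Shamir scheme over GF(p).
The prime, party counts and sample secret are assumptions made for illustration.
"""
import secrets

# Field for all polynomial arithmetic.  2**130 - 5 is prime and exceeds any
# 128-bit value, so the XOR of two 128-bit values is always a valid field element.
P = 2**130 - 5


def _eval_poly(coeffs, x):
    """Horner evaluation of f(x) = sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_at(points, x):
    """Interpolate the unique polynomial through `points` and return f(x) mod P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_split(secret, k, n, secret_x=0):
    """Plain Shamir (k, n): random degree-(k-1) polynomial with f(secret_x) = secret.
    Shares are the points (1, f(1)) .. (n, f(n)); secret_x must not be one of 1..n.
    """
    if secret_x in range(1, n + 1):
        raise ValueError("secret position collides with a share index")
    coeffs = [0] + [secrets.randbelow(P) for _ in range(k - 1)]
    coeffs[0] = (secret - _eval_poly(coeffs, secret_x)) % P   # pin f(secret_x)
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


# --- Variant 1 (first answer): one-time pad S with R, share the pad's complement T.

def split_xor_variant(secret, k, n):
    """Returns (R for the accountant, (k-1, n-1) Shamir shares of T = S xor R)."""
    r = secrets.randbits(128)          # "random value of the same size" as a 128-bit S
    t = secret ^ r
    return r, shamir_split(t, k - 1, n - 1)


def recover_xor_variant(r, other_shares):
    """Accountant's R plus any k-1 of the other shares gives S back."""
    return lagrange_at(other_shares, 0) ^ r


# --- Variant 2 (second answer): secret sits at f(t), accountant holds t.

def split_ft_variant(secret, k, n):
    """Returns (t for the accountant, (k-1, n-1) Shamir shares of the polynomial).
    t is a random field element outside the share indices 1..n-1.
    """
    while True:
        t = secrets.randbelow(P)
        if t not in range(1, n):
            break
    return t, shamir_split(secret, k - 1, n - 1, secret_x=t)


def recover_ft_variant(t, other_shares):
    """k-1 of the others rebuild f; the accountant says where to evaluate it."""
    return lagrange_at(other_shares, t)


def colluders_search_t(other_shares, t_candidates, recognise):
    """What k-1 others can do WITHOUT the accountant in variant 2: they already know
    f completely, so the only unknown is t.  `recognise` stands in for any way of
    checking a candidate secret (e.g. a key that decrypts a known ciphertext).
    """
    for t in t_candidates:
        s = lagrange_at(other_shares, t)
        if recognise(s):
            return s
    return None


if __name__ == "__main__":
    k, n = 3, 5
    S = secrets.randbits(128)                   # constructed sample secret

    r, shares = split_xor_variant(S, k, n)
    assert recover_xor_variant(r, shares[:k - 1]) == S
    assert lagrange_at(shares[:k - 1], 0) == S ^ r   # colluders see only the pad output

    t, shares = split_ft_variant(S, k, n)
    assert recover_ft_variant(t, shares[1:k]) == S

    _, shares = split_ft_variant(S, 2, n)            # k = 2: constant polynomial
    assert all(y == S for _, y in shares)
    print("all checks passed")
```

Note the guard in `shamir_split`: placing the secret at an x that is also a share index would hand one party the secret outright, which is the $k = 2$ failure of the second variant in miniature. Any real deployment of the second variant needs $t$ to be a full-size field element, and even then the colluding $k-1$ parties hold the polynomial itself, which is what the note on that answer is warning about.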