2

Given a symmetric encryption scheme with $|K| = |C| = |M|$ that provides perfect secrecy, it is possible to share a secret $s \in M$ between two players by giving one player a key $k \in K$ and the other player the ciphertext $c = \mathrm{Enc}(k, m)$. Show that this construction results in a perfect $(2, 2)$-threshold scheme.

I don't know how to do this. Would I go down the route of Shamir's threshold scheme? I know that since $|K| = |C| = |M|$ provides perfect secrecy, for every choice of $m$ and $c$ there exists a unique key $k$, but I can't see if that helps in any way.

harry55
  • 139
  • 1
  • 7

2 Answers

1

You don't need to address Shamir's, that is just needed for $k<n$. What you do here is along the lines of the proof that OTP is perfectly secure - actually OTP is one example for this (it is not the general case you are given).

Also see the Wikipedia section "trivial secret sharing", which lists elementwise XOR with a truly random value for the $2,2$ case (it also works for $n,n$: there you just choose $n-1$ shares randomly and calculate the last one).

tylo
  • 12,864
  • 26
  • 40
1

The question is asking you to show that, for any secret sharing scheme constructed in the manner it describes, the following two properties will hold:

  1. the two shareholders, together, will be able to reconstruct the secret, and
  2. neither of the shareholders alone can obtain any information about the secret.

In this case, the first property is trivial: since one shareholder has the ciphertext, and the other one has the key, they can use the key to decrypt the ciphertext and thus recover the original secret.

It's also obvious that the shareholder who only has the key cannot learn anything about the secret on their own, since the key does not depend on the secret in any way.

What remains to be shown, therefore, is that the shareholder who only has the ciphertext also cannot learn anything about the secret without access to the key. For that part, you will need to know something about the encryption scheme being used.

(After all, many practical real-world encryption schemes don't satisfy this property, since a hypothetical shareholder with access to sufficient computing power could rule out some potential secrets simply by exhaustively testing all possible keys and observing that none of them decrypts the ciphertext to those candidate secrets.)

Fortunately, even though you haven't been told anything specific about how the encryption scheme described in the exercise actually works, you have been told that it provides perfect secrecy. At this point, you should be able to present a reasonably formal argument for why this implies that the resulting secret sharing scheme will have the required properties. So as not to entirely spoil the exercise, I'll leave that part for you to write down in your own words.

(Hint: It's generally easiest to show the contrapositive, i.e. that, if the shareholder with the ciphertext could learn something about the secret without knowing the key, then the encryption scheme would not have perfect secrecy. Indeed, phrased like that, the argument is nearly trivial anyway.)

Ilmari Karonen
  • 46,700
  • 5
  • 112
  • 189
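The following is an added worked example, not code from the question or either answer. It instantiates the construction from the exercise with the one-time pad over $n$-bit strings (the example tylo mentions, where $|K| = |C| = |M| = 2^n$), so that share 1 is the key and share 2 is the ciphertext. Besides dealing and reconstructing, it makes the two properties from Ilmari Karonen's answer checkable on small parameters: exhaustively, every ciphertext is reachable from every candidate secret by exactly one key, and the posterior over the secret given only the ciphertext share equals the prior for any prior, which is the perfect-secrecy argument the hint asks for. It also goes beyond the $(2,2)$ case to the $(n,n)$ XOR scheme from the Wikipedia section tylo cites. All function names are my own.

```python
import secrets

# Added example: the exercise's construction with the one-time pad as the
# perfectly secret cipher. Messages, keys and ciphertexts are integers in
# [0, 2**nbits); function names are this example's own, not from the page.

def otp_enc(k: int, m: int) -> int:
    """Enc(k, m) for the one-time pad over nbits-bit strings."""
    return k ^ m

def otp_dec(k: int, c: int) -> int:
    """Dec(k, c); XOR is its own inverse."""
    return k ^ c

def deal_2of2(secret: int, nbits: int) -> tuple[int, int]:
    """Dealer: share 1 is a uniformly random key, share 2 is Enc(k, secret)."""
    if not 0 <= secret < (1 << nbits):
        raise ValueError("secret must fit in nbits bits")
    k = secrets.randbits(nbits)          # fresh, uniform key per secret
    return k, otp_enc(k, secret)

def reconstruct_2of2(share_key: int, share_ct: int) -> int:
    """Property 1: both shares together recover the secret."""
    return otp_dec(share_key, share_ct)

def every_secret_fits_every_ciphertext(nbits: int) -> bool:
    """Property 2 for the ciphertext holder, checked exhaustively: for every
    ciphertext c and every candidate secret m there is exactly one key with
    Enc(k, m) == c. (Only feasible for tiny nbits; it is a demonstration.)"""
    space = 1 << nbits
    for c in range(space):
        for m in range(space):
            if sum(1 for k in range(space) if otp_enc(k, m) == c) != 1:
                return False
    return True

def posterior_given_ciphertext(prior: dict[int, float], c: int, nbits: int) -> dict[int, float]:
    """Pr[secret = m | share 2 = c] for an arbitrary prior over secrets.
    Pr[c | m] = #{k : Enc(k, m) = c} / |K|, which is 1/|K| for every m,
    so Bayes' rule returns the prior unchanged: no information leaks."""
    space = 1 << nbits
    joint = {}
    for m, p_m in prior.items():
        p_c_given_m = sum(1 for k in range(space) if otp_enc(k, m) == c) / space
        joint[m] = p_m * p_c_given_m
    total = sum(joint.values())
    return {m: v / total for m, v in joint.items()}

def deal_n_of_n(secret: int, n: int, nbits: int) -> list[int]:
    """(n, n) XOR sharing: n-1 uniformly random shares, last share fixed so
    that the XOR of all n equals the secret."""
    if n < 2 or not 0 <= secret < (1 << nbits):
        raise ValueError("need n >= 2 and a secret that fits in nbits bits")
    shares = [secrets.randbits(nbits) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last ^= s
    return shares + [last]

def reconstruct_n_of_n(shares: list[int]) -> int:
    """All n shares together recover the secret; any n-1 are uniform."""
    out = 0
    for s in shares:
        out ^= s
    return out

if __name__ == "__main__":
    k, c = deal_2of2(0x5A, 8)
    print("2-of-2 recovered:", hex(reconstruct_2of2(k, c)))
    print("every secret fits every ciphertext (3 bits):", every_secret_fits_every_ciphertext(3))
    prior = {0: 0.5, 3: 0.25, 5: 0.25}          # constructed, non-uniform prior
    print("posterior == prior:", posterior_given_ciphertext(prior, 6, 3) == prior)
    shares = deal_n_of_n(0xAB, 4, 8)
    print("4-of-4 recovered:", hex(reconstruct_n_of_n(shares)))
```

Running the script prints the recovered secrets and `True` for both secrecy checks. The posterior check is the contrapositive in the hint made concrete: if some ciphertext made one secret more likely than the prior, `Pr[c | m]` would have to differ between secrets, which is exactly a failure of perfect secrecy of the underlying cipher.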