Book ChapterDOI

Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing

11 Aug 1991, pp. 129-140
TL;DR: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons.
Abstract: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2 and the distribution as well as the verification requires approximately 2k modular multiplications per bit of the secret. It is also shown how a number of persons can choose a secret "in the well" and distribute it verifiably among themselves.
Citations
Journal ArticleDOI
TL;DR: This article takes advantage of the inherent redundancy in ad hoc networks (multiple routes between nodes) to defend routing against denial-of-service attacks, and uses replication and new cryptographic schemes to build a highly secure and highly available key management service, which forms the core of this security framework.
Abstract: Ad hoc networks are a new wireless networking paradigm for mobile hosts. Unlike traditional mobile wireless networks, ad hoc networks do not rely on any fixed infrastructure. Instead, hosts rely on each other to keep the network connected. Military tactical and other security-sensitive operations are still the main applications of ad hoc networks, although there is a trend to adopt ad hoc networks for commercial uses due to their unique properties. One main challenge in the design of these networks is their vulnerability to security attacks. In this article, we study the threats an ad hoc network faces and the security goals to be achieved. We identify the new challenges and opportunities posed by this new networking environment and explore new approaches to secure its communication. In particular, we take advantage of the inherent redundancy in ad hoc networks (multiple routes between nodes) to defend routing against denial-of-service attacks. We also use replication and new cryptographic schemes, such as threshold cryptography, to build a highly secure and highly available key management service, which forms the core of our security framework.

2,661 citations

Proceedings ArticleDOI
01 Nov 1999
TL;DR: Because the fuzzy commitment scheme is tolerant of error, it is capable of protecting biometric data just as conventional cryptographic techniques, like hash functions, are used to protect alphanumeric passwords.
Abstract: We combine well-known techniques from the areas of error-correcting codes and cryptography to achieve a new type of cryptographic primitive that we refer to as a fuzzy commitment scheme. Like a conventional cryptographic commitment scheme, our fuzzy commitment scheme is both concealing and binding: it is infeasible for an attacker to learn the committed value, and also for the committer to decommit a value in more than one way. In a conventional scheme, a commitment must be opened using a unique witness, which acts, essentially, as a decryption key. By contrast, our scheme is fuzzy in the sense that it accepts a witness that is close to the original encrypting witness in a suitable metric, but not necessarily identical. This characteristic of our fuzzy commitment scheme makes it useful for applications such as biometric authentication systems, in which data is subject to random noise. Because the scheme is tolerant of error, it is capable of protecting biometric data just as conventional cryptographic techniques, like hash functions, are used to protect alphanumeric passwords. This addresses a major outstanding problem in the theory of biometric authentication. We prove the security characteristics of our fuzzy commitment scheme relative to the properties of an underlying cryptographic hash function.

1,744 citations


Cites background from "Non-Interactive and Information-The..."

  • ...Commitment protocols were first introduced by Blum [1] in 1982; many more Commitment Schemes were later developed with improved features [5, 6, 7, 8, 12, 13]....

Proceedings ArticleDOI
30 Jun 2002
TL;DR: In this article, the authors describe a fuzzy vault construction that allows Alice to place a secret value κ in a secure vault and lock it using an unordered set A of elements from some public universe U. If Bob tries to "unlock" the vault using B, he obtains the secret value if B is close to A, i.e., only if A and B overlap substantially.
Abstract: We describe a simple and novel cryptographic construction that we call a fuzzy vault. Alice may place a secret value κ in a fuzzy vault and "lock" it using an unordered set A of elements from some public universe U. If Bob tries to "unlock" the vault using an unordered set B, he obtains κ only if B is close to A, i.e., only if A and B overlap substantially.

1,481 citations

Book ChapterDOI
15 Aug 2004
TL;DR: This work proposes a new and efficient signature scheme that is provably secure in the plain model and provides efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.
Abstract: We propose a new and efficient signature scheme that is provably secure in the plain model. The security of our scheme is based on a discrete-logarithm-based assumption put forth by Lysyanskaya, Rivest, Sahai, and Wolf (LRSW) who also showed that it holds for generic groups and is independent of the decisional Diffie-Hellman assumption. We prove security of our scheme under the LRSW assumption for groups with bilinear maps. We then show how our scheme can be used to construct efficient anonymous credential systems as well as group signature and identity escrow schemes. To this end, we provide efficient protocols that allow one to prove in zero-knowledge the knowledge of a signature on a committed (or encrypted) message and to obtain a signature on a committed message.

1,051 citations


Cites methods from "Non-Interactive and Information-The..."

  • ...Recall the Pedersen commitment scheme [33]: given a group G of prime order q with generators g and h, a commitment to x ∈ Zq is formed by choosing a random r ← Zq and setting the commitment C = g^x h^r....

Book ChapterDOI
06 Jan 2003
TL;DR: It turns out that most of the constructions are simpler, more efficient and have more useful properties than similar existing constructions.
Abstract: We propose a robust proactive threshold signature scheme, a multisignature scheme and a blind signature scheme which work in any Gap Diffie-Hellman (GDH) group (where the Computational Diffie-Hellman problem is hard but the Decisional Diffie-Hellman problem is easy). Our constructions are based on the recently proposed GDH signature scheme of Boneh et al. [8]. Due to the instrumental structure of GDH groups and of the base scheme, it turns out that most of our constructions are simpler, more efficient and have more useful properties than similar existing constructions. We support all the proposed schemes with proofs under the appropriate computational assumptions, using the corresponding notions of security.

975 citations


Cites background from "Non-Interactive and Information-The..."

  • ...DKG protocol of [22] is based on the ideas similar to the protocol of [38], has comparable complexity, but provably fixes the weakness of the latter....

  • ...threshold DSS proposed in [21] use the distributed key generation protocol (DKG) of Pedersen [38]....

  • ...Some threshold signature scheme, e.g. threshold DSS proposed in [21] use the distributed key generation protocol (DKG) of Pedersen [38]....

  • ...However, [22] point out the weakness of DKG of [38]....

References
Journal ArticleDOI
TL;DR: This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces.
Abstract: In this paper we show how to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D. This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces.

14,340 citations

Proceedings ArticleDOI
01 Dec 1979
TL;DR: Certain cryptographic keys, such as a number which makes it possible to compute the secret decoding exponent in an RSA public key cryptosystem [1, 5], or the system master key and certain other keys in a DES cryptosystem [3], are so important that they present a dilemma.
Abstract: Certain cryptographic keys, such as a number which makes it possible to compute the secret decoding exponent in an RSA public key cryptosystem [1, 5], or the system master key and certain other keys in a DES cryptosystem [3], are so important that they present a dilemma. If too many copies are distributed one might go astray. If too few copies are made they might all be destroyed.

3,184 citations

Proceedings Article
01 Jan 1988
TL;DR: The above bounds on t, where t is the size of the set of faulty players, are tight!
Abstract: Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that: If no faults occur, no set of size t < n/2 of players gets any additional information (other than the function value). Even if Byzantine faults are allowed, no set of size t < n/3 can either disrupt the computation or get additional information. Furthermore, the above bounds on t are tight!

2,298 citations

Proceedings ArticleDOI
01 Jan 1988
TL;DR: In this article, the authors show that every function of n inputs can be efficiently computed by a complete network of n processors in such a way that if no faults occur, no set of size t can be found.
Abstract: Every function of n inputs can be efficiently computed by a complete network of n processors in such a way that: If no faults occur, no set of size t

2,207 citations

Proceedings ArticleDOI
01 Jan 1988
TL;DR: It is shown that any reasonable multiparty protocol can be achieved if at least 2n/3 of the participants are honest and the secrecy achieved is unconditional.
Abstract: Under the assumption that each pair of participants can communicate secretly, we show that any reasonable multiparty protocol can be achieved if at least 2n/3 of the participants are honest. The secrecy achieved is unconditional. It does not rely on any assumption about computational intractability.

1,663 citations