
Showing papers on "Secret sharing published in 1991"


Book ChapterDOI
11 Aug 1991
TL;DR: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons.
Abstract: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2, and the distribution as well as the verification requires approximately 2k modular multiplications per bit of the secret. It is also shown how a number of persons can choose a secret "in the well" and distribute it verifiably among themselves.

2,543 citations


Book ChapterDOI
11 Aug 1991
TL;DR: This protocol replaces each secret multiplication -- multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction -- that is used during the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing rounds by an order of magnitude.
Abstract: The difference between theory and practice often rests on one major factor: efficiency. In distributed systems, communication is usually expensive, and protocols designed for practical use must require as few rounds of communication and as small messages as possible. A secure multiparty protocol to compute function F is a protocol that, when each player i of n players starts with private input x_i, provides each participant i with F(x_1, ..., x_n) without revealing more information than what can be derived from learning the function value. Some number l of players may be corrupted by an adversary who may then change the messages they send. Recent solutions to this problem have suffered in practical terms: while theoretically using only polynomially-many rounds, in practice the constants and exponents of such polynomials are too great. Normally, such protocols express F as a circuit C_F, call on each player to secretly share x_i, and proceed to perform "secret addition and multiplication" on secretly shared values. The cost is proportional to the depth of C_F times the cost of secret multiplication; and multiplication requires several rounds of interaction. We present a protocol that simplifies the body of such a protocol and significantly reduces the number of rounds of interaction. The steps of our protocol take advantage of a new and counterintuitive technique for evaluating a circuit: set every input to every gate in the circuit completely at random, and then make corrections. Our protocol replaces each secret multiplication -- multiplication that requires further sharing, addition, zero-knowledge proofs, and secret reconstruction -- that is used during the body of a standard protocol by a simple reconstruction of secretly shared values, thereby reducing rounds by an order of magnitude. Furthermore, these reconstructions require only broadcast messages (but do not require Byzantine Agreement). The simplicity of broadcast and reconstruction provides efficiency and ease of implementation. Our transformation is simple and compatible with other techniques for reducing rounds.

761 citations


Book ChapterDOI
11 Aug 1991
TL;DR: This paper presents methods to collectively generate RSA signatures, provably secure authenticators and unconditionally secure authenticator schemes.
Abstract: Often it is desired that the power to sign or authenticate messages is shared. This paper presents methods to collectively generate RSA signatures, provably secure authenticators and unconditionally secure authenticators. In the new schemes, l individuals are given shares such that k ≤ l are needed to generate a signature (authenticator) but fewer than k cannot. When the k people have finished signing (authenticating), nobody can perform an impersonation or substitution attack. These schemes are called threshold signature (authentication) schemes. Clearly these schemes are better than each of the k individuals sending a separate authenticator for each message, or each of the k individuals sending their share to a "trusted" person who will sign for them.

392 citations


Book ChapterDOI
08 Apr 1991
TL;DR: In this article, a general method for a secret broadcasting scheme based on k-out-of-n secret sharing is proposed, where each transmitter wishes to broadcast a secret to some subset of its listeners.
Abstract: A single transmitter wishes to broadcast a secret to some subset of his listeners. He does not wish to perform, for each of the intended recipients, a separate encryption either of the secret or of a single key with which to protect the secret. A general method for such a secret broadcasting scheme is proposed. It is based on "k out of n" secret sharing. An example using polynomial interpolation is presented as well as a related vector formulation.

295 citations


Journal ArticleDOI
Donald Beaver
TL;DR: The notion of relative resilience—a means to compare the security and fault-tolerance of one protocol with that of another in a formal manner—provides a key tool for understanding and proving protocol security.
Abstract: A multiparty protocol to compute a function f(x_1, ..., x_n) operates as follows: each of n processors holds an input x_i, and jointly they must compute and reveal f(x_1, ..., x_n) without revealing any additional information about the inputs. The processors are connected by secure communication lines but some number of processors may be corrupted by a resource-unbounded adversary that may attempt to interfere with the protocol or to gain extra information. Ben-Or, Goldwasser, Wigderson, Chaum, Crepeau, and Damgard have given protocols tolerating faults in t

269 citations


Journal ArticleDOI
TL;DR: In this article, the authors show a relationship between ideal secret sharing schemes and matroids, and show that the set of possible shares in a secret sharing scheme is matroid-like.
Abstract: In a secret sharing scheme a dealer has a secret key. There is a finite set P of participants and a set Γ of subsets of P. A secret sharing scheme with Γ as the access structure is a method which the dealer can use to distribute shares to each participant so that a subset of participants can determine the key if and only if that subset is in Γ. The share of a participant is the information sent by the dealer in private to the participant. A secret sharing scheme is ideal if any subset of participants who can use their shares to determine any information about the key can in fact actually determine the key, and if the set of possible shares is the same as the set of possible keys. In this paper we show a relationship between ideal secret sharing schemes and matroids.

267 citations


Book ChapterDOI
08 Apr 1991
TL;DR: A method for verifiable secret sharing is described, which allows non-interactive verification of the shares and is as secure as the Shamir secret sharing scheme in the proposed applications.
Abstract: This paper introduces distributed prover protocols. Such a protocol is a proof system in which a polynomially bounded prover is replaced by many provers, each having partial information about the witness owned by the original prover. As an application of this concept, it is shown how the signer of undeniable signatures can distribute part of his secret key to n agents such that any k of these can verify a signature. This facility is useful in most applications of undeniable signatures, and as the proposed protocols are practical, the results in this paper make undeniable signatures more useful. The first part of the paper describes a method for verifiable secret sharing, which allows non-interactive verification of the shares and is as secure as the Shamir secret sharing scheme in the proposed applications.

259 citations


Book ChapterDOI
11 Aug 1991
TL;DR: It is shown that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size, the first proof that there exist access structures for which the best achievable information rate is bounded away from 1.
Abstract: A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any non-qualified subset has absolutely no information on the secret. The set of all qualified subsets defines the access structure to the secret. Sharing schemes are useful in the management of cryptographic keys and in multi-party secure protocols. We analyze the relationships among the entropies of the sample spaces from which the shares and the secret are chosen. We show that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size. This is the first proof that there exist access structures for which the best achievable information rate (i.e., the ratio between the size of the secret and that of the largest share) is bounded away from 1. The bound is the best possible, as we construct a secret sharing scheme for the above access structures which meets the bound with equality.

98 citations


Journal ArticleDOI
TL;DR: A coding theorem is proved for the secret sharing communication system (SSCS) with two Gaussian wiretap channels, and the admissible region of rates and security levels for the SSCS with two GWCs is described by the capacities and secrecy capacities of two GWCs.
Abstract: A coding theorem is proved for the secret sharing communication system (SSCS) with two Gaussian wiretap channels. This communication system is an extension of both the SSCS with two noiseless channels and the Gaussian wiretap channel (GWC). The admissible region of rates and security levels for the SSCS with two GWCs is described by the capacities and secrecy capacities of two GWCs. The following three cases are considered: two wiretappers cannot cooperate with each other; they can cooperate to decipher the transmitted information; and it is not known whether they can cooperate or not.

50 citations


Book ChapterDOI
11 Nov 1991
TL;DR: This paper proposes solutions to handle the generalized secret sharing policy of a threshold cryptosystem and investigates two different models for the group: one with a mutually trusted party in the group and the other one without.
Abstract: In a threshold cryptosystem, one can send an encrypted message to a group without knowing the internal secret sharing policy of the group. The encrypted ciphertext can only be deciphered by some users of the group according to the secret sharing policy. In this paper, we propose solutions to handle the generalized secret sharing policy. In addition, we investigate two different models for the group: one with a mutually trusted party in the group and the other one without.

35 citations


Book ChapterDOI
11 Nov 1991
TL;DR: A new secret sharing scheme is presented in this paper to realize the generalized secret sharing policy and any honest participant can detect and identify who is cheating even when all of the other participants corrupt together.
Abstract: A new secret sharing scheme is presented in this paper to realize the generalized secret sharing policy. Different from most previous works, it is computationally secure and each participant holds only one single shadow. Any honest participant in this scheme can detect and identify who is cheating even when all of the other participants are corrupt together. An extended algorithm is also proposed to protect the secret from dishonest participants without the assumption of simultaneous release of the shadows. With the (x,x)-homomorphism property, it can also be used to protect individual secrets while revealing the product of these secrets.

Book ChapterDOI
Cynthia Dwork
11 Aug 1991
TL;DR: This paper separates a certain strong version of Unverified Secret Sharing (USS) from its VSS analogue in terms of the required number of processors, and introduces a new definition of secrecy, different from the Shannon definition, capturing the intuition that "information" received from faulty processors may not be informative at all.
Abstract: Verifiable Secret Sharing (VSS) has proven to be a powerful tool in the construction of fault-tolerant distributed algorithms. Previous results show that Unverified Secret Sharing, in which there are no requirements when the dealer is faulty during distribution of the secret, requires the same number of processors as VSS. This is counterintuitive: verification that the secret is well shared out should come at a price. In this paper, by focussing on information leaked to nonfaulty processors during verification, we separate a certain strong version of Unverified Secret Sharing (USS) from its VSS analogue in terms of the required number of processors. The proof of the separation theorem yields information about communication needed for the original VSS problem. In order to obtain the separation result we introduce a new definition of secrecy, different from the Shannon definition, capturing the intuition that "information" received from faulty processors may not be informative at all.

Book ChapterDOI
Cynthia Dwork
01 Jun 1991
TL;DR: A small weakness is overcome: the faulty processors can force a correct dealer to publicly reveal so much information that every correct processor learns the secret prematurely, despite the fact that no faulty processor learns anything at all about the secret.
Abstract: Verifiable secret sharing has proven to be a powerful tool in the construction of fault-tolerant distributed algorithms. Many algorithms for VSS exist in the literature. These are of two types: small-error and error-free. In the small-error solutions, there is a small probability either that the dealer has not properly distributed the secret or that the faulty players can figure out the secret before reconstruction. In the error-free solutions neither of these can occur. However, the error-free solutions of which we are aware have a small weakness: the faulty processors can force a correct dealer to publicly reveal so much information that every correct processor learns the secret prematurely. This occurs despite the fact that no faulty processor learns anything at all about the secret. We overcome this weakness with no increase in the number of processors while remaining error-free.