
Showing papers on "Secret sharing published in 1994"


01 Jun 1994
TL;DR: A new type of cryptographic scheme is proposed that decodes concealed images without any cryptographic computation; it is extended to a visual variant of k-out-of-n secret sharing, in which stacking any k of n transparencies reveals the image while any k-1 reveal nothing.
Abstract: In this paper we consider a new type of cryptographic scheme, which can decode concealed images without any cryptographic computations. The scheme is perfectly secure and very easy to implement. We extend it into a visual variant of the k out of n secret sharing problem, in which a dealer provides a transparency to each one of the n users; any k of them can see the image by stacking their transparencies, but any k-1 of them gain no information about it.
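The 2-out-of-2 case of the visual scheme described above, as an added example that is not the paper's own code: each secret pixel is expanded into two subpixels; share 1 receives a uniformly random one of the two patterns (black, white) / (white, black), and share 2 receives the same pattern for a white pixel and the complementary pattern for a black pixel. Stacking the transparencies is a pixelwise OR, so a white pixel shows one black subpixel and a black pixel shows two. The toy image and the `render` helper are constructed for this example.

```python
import secrets

# Constructed toy image: 1 = black pixel, 0 = white pixel.
IMAGE = [
    [0, 1, 1, 0],
    [1, 0, 0, 1],
    [1, 1, 1, 1],
]


def split_2_of_2(image, rng=secrets.randbits):
    """2-out-of-2 visual secret sharing with 2 subpixels per pixel.

    Share 1 gets a fresh random balanced pattern for every pixel. Share 2 gets
    the same pattern for a white pixel and the complement for a black pixel.
    Each share on its own is a uniformly random sequence of balanced patterns,
    independent of the image, which is why a single share leaks nothing.
    """
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            pattern = [1, 0] if rng(1) else [0, 1]
            r1.extend(pattern)
            r2.extend(pattern if px == 0 else [1 - b for b in pattern])
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(*shares):
    """Physically stacking transparencies is a pixelwise OR: black wins."""
    height, width = len(shares[0]), len(shares[0][0])
    return [[int(any(s[i][j] for s in shares)) for j in range(width)]
            for i in range(height)]


def reveal(stacked):
    """Read the secret back from the stacked image.

    A 2-subpixel block with two black subpixels was a black pixel; a block with
    one black subpixel was white. The human eye does the same averaging.
    """
    return [[int(sum(row[2 * j:2 * j + 2]) == 2) for j in range(len(row) // 2)]
            for row in stacked]


def share_is_uninformative(share):
    """True when every 2-subpixel block is one of the two balanced patterns.

    Both possible patterns occur with probability 1/2 whatever the secret pixel
    was, so the share's distribution does not depend on the image.
    """
    return all(sorted(row[2 * j:2 * j + 2]) == [0, 1]
               for row in share for j in range(len(row) // 2))


def render(bits):
    """ASCII rendering of a share or stacked image: '#' black, '.' white."""
    return "\n".join("".join("#" if b else "." for b in row) for row in bits)


if __name__ == "__main__":
    s1, s2 = split_2_of_2(IMAGE)
    print("share 1\n" + render(s1))
    print("share 2\n" + render(s2))
    print("stacked\n" + render(stack(s1, s2)))
    print("recovered image matches:", reveal(stack(s1, s2)) == IMAGE)
```

Note the contrast loss: the stacked image is twice as wide as the original and a white pixel is only half white, which is the price of needing no computation to decode.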

1,908 citations


Book ChapterDOI
21 Aug 1994
TL;DR: In this paper, the authors show how to transform a proof of knowledge P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by a secret sharing scheme S on n participants.
Abstract: Suppose we are given a proof of knowledge P in which a prover demonstrates that he knows a solution to a given problem instance. Suppose also that we have a secret sharing scheme S on n participants. Then under certain assumptions on P and S, we show how to transform P into a witness indistinguishable protocol, in which the prover demonstrates knowledge of the solution to some subset of n problem instances out of a collection of subsets defined by S. For example, using a threshold scheme, the prover can show that he knows at least d out of n solutions without revealing which d instances are involved. If the instances are independently generated, we get a witness hiding protocol, even if P did not have this property. Our results can be used to efficiently implement general forms of group oriented identification and signatures. Our transformation produces a protocol with the same number of rounds as P and communication complexity n times that of P. Our results use no unproven complexity assumptions.

1,299 citations


Book ChapterDOI
Hugo Krawczyk
02 Jan 1994
TL;DR: An m-threshold scheme is presented, where m shares recover the secret but m - 1 shares give no (computational) information on the secret, in which the shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but only on the security parameter.
Abstract: A well-known fact in the theory of secret sharing schemes is that shares must be at least as long as the secret itself. However, the proof of this lower bound uses the notion of information theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications). We present an m-threshold scheme, where m shares recover the secret but m - 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but only on the security parameter. (The bound of |S|/m is clearly optimal if the secret is to be recovered from m shares.) Therefore, for moderately large secrets (a confidential file, a long message, a large data base) the savings in space and communication over traditional schemes is remarkable. The scheme is very simple and combines in a natural way traditional (perfect) secret sharing schemes, encryption, and information dispersal. It is provably secure given a secure (e.g., private key) encryption function.

421 citations


Journal ArticleDOI
TL;DR: It is shown that for any graph G of maximum degree d, there is a perfect secret-sharing scheme for G with information rate 2/(d+1); as a corollary, the maximum information rate of secret-sharing schemes for paths on more than three vertices and for cycles on more than four vertices is shown to be 2/3.
Abstract: The paper describes a very powerful decomposition construction for perfect secret-sharing schemes. The author gives several applications of the construction and improves previous results by showing that for any graph G of maximum degree d, there is a perfect secret-sharing scheme for G with information rate 2/(d+1). As a corollary, the maximum information rate of secret-sharing schemes for paths on more than three vertices and for cycles on more than four vertices is shown to be 2/3.

207 citations


Journal ArticleDOI
TL;DR: The concept of multistage secret sharing (MSS) is proposed and a general implementation of MSS schemes given.
Abstract: The concept of multistage secret sharing (MSS) is proposed and a general implementation of MSS schemes given. In such a scheme, many secrets are shared in such a way that all secrets can be reconstructed separately. Each share is of the same size as that of any single shared secret.

167 citations


Journal ArticleDOI
27 Jun 1994
TL;DR: A method to derive information-theoretical upper bounds on the optimal information rate and the optimal average information rate of perfect secret sharing schemes is discussed, with application to access structures based on connected graphs on six vertices.
Abstract: We present a method to derive information theoretical upper bounds on the information rate and average information rate of perfect secret sharing schemes. One of the applications is that in perfect secret sharing schemes for some access structures the shares need to be impractically large.

158 citations


Journal ArticleDOI
TL;DR: The authors prove that being ideal over just one of the two domains does not suffice for universally ideal access structures, and give an exact characterization for each of these two conditions.
Abstract: Given a set of parties {1, ..., n}, an access structure is a monotone collection of subsets of the parties. For a certain domain of secrets, a secret-sharing scheme for an access structure is a method for a dealer to distribute shares to the parties. These shares enable subsets in the access structure to reconstruct the secret, while subsets not in the access structure get no information about the secret. A secret-sharing scheme is ideal if the domains of the shares are the same as the domain of the secrets. An access structure is universally ideal if there exists an ideal secret-sharing scheme for it over every finite domain of secrets. An obvious necessary condition for an access structure to be universally ideal is to be ideal over the binary and ternary domains of secrets. The authors prove that this condition is also sufficient. They also show that being ideal over just one of the two domains does not suffice for universally ideal access structures. Finally, they give an exact characterization for each of these two conditions.

121 citations


Journal ArticleDOI
TL;DR: The problem of Verifiable Secret Sharing is the following: A dealer, who may be honest or cheating, can share a secret s among n ≥ 2t + 1 players, where at most t players are cheaters.
Abstract: The problem of Verifiable Secret Sharing (VSS) is the following: A dealer, who may be honest or cheating, can share a secret s among n ≥ 2t + 1 players, where at most t players are cheaters. The sharing process will cause the dealer to commit himself to a secret s. If the dealer is honest, then, during the sharing process, the set of dishonest players will have no information about s. When the secret is reconstructed, at a later time, all honest players will reconstruct s. The solution that is given is a constant round protocol, with polynomial time local computations and polynomial message size. The protocol assumes private communication lines between every two participants, and a broadcast channel. The protocol achieves the desired properties with an exponentially small probability of error. A new tool, called Information Checking, which provides authentication and is not based on any unproven assumptions, is introduced, and may have wide application elsewhere. For the case in which it is known that the dealer is honest, a simple constant round protocol is proposed, without assuming broadcast. A weak version of secret sharing is defined: Weak Secret Sharing (WSS). WSS has the same properties as VSS for the sharing process. But, during reconstruction, if the dealer is dishonest, then he might obstruct the reconstruction of s. A protocol for WSS is also introduced. This protocol has an exponentially small probability of error. WSS is an essential building block for VSS. For certain applications, the much simpler WSS protocol suffices. All protocols introduced in this paper are secure in the information-theoretic sense.

104 citations


Book ChapterDOI
02 Jan 1994
TL;DR: It is shown that any (k, n) threshold secret sharing scheme in which any coalition of fewer than k participants has probability of successful cheating less than some ε > 0 must give each participant a share of size at least the size of the secret plus log 1/ε.
Abstract: In this paper we study the amount of secret information that must be given to participants in any secret sharing scheme that is secure against coalitions of dishonest participants in the model of Tompa and Woll [20]. We show that any (k, n) threshold secret sharing algorithm in which any coalition of fewer than k participants has probability of successful cheating less than some ε > 0 must give to each participant shares whose sizes are at least the size of the secret plus log 1/ε.

103 citations


Journal ArticleDOI
TL;DR: The Simmons model is formalized and it is shown that given a geometric scheme for a particular access structure it is possible to find another geometric scheme whose access structure is the dual of the original scheme, and which has the same average and worst-case information rates as the original schemes.
Abstract: Given a set of participants we wish to distribute information relating to a secret in such a way that only specified groups of participants can reconstruct the secret. We consider here a special class of such schemes that can be described in terms of finite geometries as first proposed by Simmons. We formalize the Simmons model and show that given a geometric scheme for a particular access structure it is possible to find another geometric scheme whose access structure is the dual of the original scheme, and which has the same average and worst-case information rates as the original scheme. In particular this shows that if an ideal geometric scheme exists then an ideal geometric scheme exists for the dual access structure.

102 citations


Book ChapterDOI
21 Aug 1994
TL;DR: This paper puts forward a general theory of multi-secret sharing schemes by using an information theoretical framework and proves lower bounds on the size of information held by each participant for various access structures.
Abstract: A multi-secret sharing scheme is a protocol to share m arbitrarily related secrets s_1, ..., s_m among a set of participants P. In this paper we put forward a general theory of multi-secret sharing schemes by using an information theoretical framework. We prove lower bounds on the size of information held by each participant for various access structures. Finally, we prove the optimality of the bounds by providing protocols.

Book ChapterDOI
02 Jan 1994
TL;DR: This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes.
Abstract: This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes. We define natural classes of NSS and derive a lower bound of |Vi| for those classes. "Ideal" nonperfect schemes are defined based on this lower bound. We prove that every such ideal secret sharing scheme has a matroid structure. The rank function of the matroid is given by the entropy divided by some constant. It satisfies a simple equation which represents the access level of each subset of participants.

Journal ArticleDOI
TL;DR: A concept of {zero-knowledge sharing scheme} is introduced to prove that the distributor does not reveal anything, even from a computational viewpoint, and it is proven that ideal homomorphic threshold schemes do not always exist.
Abstract: A threshold scheme is an algorithm in which a distributor creates l shares of a secret such that a fixed minimum number (t) of shares are needed to regenerate the secret. A perfect threshold scheme does not reveal anything new about the secret, from an information theoretical viewpoint, to t-1 shareholders. When the entropy of the secret is zero all sharing schemes are perfect, so perfect sharing loses its intuitive meaning. The concept of a zero-knowledge sharing scheme is introduced to prove that the distributor does not reveal anything, even from a computational viewpoint. New homomorphic perfect secret threshold schemes over any finite Abelian group for which the group operation and inverses are computable in polynomial time are developed. One of the new threshold schemes also satisfies the zero-knowledge property. A generalization toward a homomorphic zero-knowledge general sharing scheme over any finite Abelian group is discussed and it is proven that ideal homomorphic threshold schemes do not always exist.

01 Jan 1994
TL;DR: A critical set in a latin square is a partial latin square which has a unique completion; Cooper, Donovan and Seberry demonstrate how critical sets can be used in the design of secret sharing schemes arising from latin squares.
Abstract: A critical set in a latin square is a partial latin square which has a unique completion. In this paper we demonstrate how critical sets can be used in the design of secret sharing schemes.
Publication details: Joan Cooper, Diane Donovan, Jennifer Seberry, Secret sharing schemes arising from latin squares, Bulletin of the Institute of Combinatorics and its Applications, 12 (1994), 33-43. Available at Research Online: http://ro.uow.edu.au/infopapers/1096
Authors: Joan Cooper (Department of Information and Communication Technology, University of Wollongong, Wollongong 2500, Australia); Diane Donovan (Centre for Combinatorics, Mathematics Department, The University of Queensland, Brisbane 4072, Australia); Jennifer Seberry (Computer Science Department, University of Wollongong, Wollongong 2500, Australia).

Journal ArticleDOI
TL;DR: The authors give new constructions for multipart, multilevel, democratic and prepositioned schemes and demonstrate how known methods for detecting cheaters and disenrolling participants can be incorporated into Shamir's scheme.

Book ChapterDOI
28 Nov 1994
TL;DR: This work considers secret sharing schemes which, through an initial issuing of shares to a group of participants, permit a number of different secrets to be protected and provides a general method of construction for such schemes.
Abstract: We consider secret sharing schemes which, through an initial issuing of shares to a group of participants, permit a number of different secrets to be protected. Each secret is associated with a (potentially different) access structure and a particular secret can be reconstructed by any group of participants from its associated access structure without the need for further broadcast information. Two distinct problems are addressed. Firstly we consider ideal secret sharing schemes in this more general environment. In particular, we classify the collections of access structures that can be combined in such an ideal secret sharing scheme and we provide a general method of construction for such schemes. We also explore the extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalised. Secondly we consider secret sharing schemes that can be used more than once. This problem can be considered as a type of secret sharing scheme with different secrets but with the same access structure for each of the secrets.

Book ChapterDOI
28 Nov 1994
TL;DR: It is shown how to construct a perfect zero-knowledge threshold proof of knowledge of an isomorphism between two graphs, and this result is extended to general access structures.
Abstract: We show how to construct a perfect zero-knowledge threshold proof of knowledge of an isomorphism between two graphs, and extend this result to general access structures. The provers work sequentially and are not allowed to interact among themselves, so the number of message communications each prover sends is the same as with the Goldreich-Micali-Wigderson [12] scheme. Our construction is based on multiplicative sharing schemes in which the secret belongs to a group which is not necessarily Abelian.

Proceedings ArticleDOI
02 Nov 1994
TL;DR: A conceptual framework for true broadcasting is introduced and its design with a secure key broadcast scheme based on probabilistic encryption is illustrated, which provides for a system requiring user anonymity, as a result of the absence of addressing for the broadcast message.
Abstract: We consider true broadcast systems for the secure communication of session keys. These schemes provide for parallel rather than serial construction of broadcast messages, while avoiding selective broadcasting. We begin by introducing a conceptual framework for true broadcasting and illustrate its design with a secure key broadcast scheme based on probabilistic encryption. The framework provides for a system requiring user anonymity, as a result of the absence of addressing for the broadcast message. We also illustrate how Shamir's threshold scheme can be altered to allow for parallel broadcasting. We then present a formal model and use information theoretic techniques to establish a lower bound on the size of the broadcast message for a class of true broadcast schemes. Finally, we improve upon the aforementioned threshold scheme such that it achieves the lower bound.

Proceedings ArticleDOI
02 Nov 1994
TL;DR: The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields that has the disenrollment capability and examines a problem of covert channels which are present in any secret sharing scheme.
Abstract: The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields. It is shown how to generate shares so the scheme has the disenrollment capability. Next a family of conditionally secure Shamir schemes is defined and the disenrollment capability is investigated for the family. The paper also examines a problem of covert channels which are present in any secret sharing scheme.

Journal ArticleDOI
TL;DR: A simple (t, w) threshold scheme is proposed based on the use of cryptographically strong pseudo-random functions and universal hash functions and a remarkable advantage of the scheme is that a shareholder can use a single string in the share of many different secrets.
Abstract: A (t, w) threshold scheme is a method for sharing a secret among w shareholders so that the collaboration of at least t shareholders is required in order to reconstruct the shared secret. This paper is concerned with the re-use of shares possessed by shareholders in threshold schemes. We propose a simple (t, w) threshold scheme based on the use of cryptographically strong pseudo-random functions and universal hash functions. A remarkable advantage of the scheme is that a shareholder can use a single string in the share of many different secrets; in particular, a shareholder need not be given a new share each time a new secret is to be shared.

Book ChapterDOI
02 Jan 1994
TL;DR: This work gives a protocol for proving non-interactively and in perfect zero knowledge the veridicity of any "threshold" statement where atoms are statements about the quadratic character of input elements.
Abstract: In this work we study relations between secret sharing and perfect zero knowledge in the non-interactive model. Both secret sharing schemes and non-interactive zero knowledge are important cryptographic primitives with several applications in the management of cryptographic keys, in multi-party secure protocols, and many other areas. Secret sharing schemes are very well-studied objects while non-interactive perfect zero-knowledge proofs seem to be very elusive. In fact, since the introduction of the non-interactive model for zero knowledge, the only perfect zero-knowledge proof known was for quadratic non residues. In this work, we show that a large class of languages related to quadratic residuosity admits non-interactive perfect zero-knowledge proofs. More precisely, we give a protocol for proving non-interactively and in perfect zero knowledge the veridicity of any "threshold" statement where atoms are statements about the quadratic character of input elements. We show that our technique is very general and extend this result to any secret sharing scheme (of which threshold schemes are just an example).

Book ChapterDOI
28 Nov 1994
TL;DR: A general lower bound on |V_i| is presented, which includes the previous lower bounds for perfect SSs and nonperfect SSs as special cases, and the optimum size of V_i for a certain access hierarchy is determined.
Abstract: In a secret sharing scheme (SS), a dealer D distributes a piece of information V_i of a secret S to each participant P_i. If we desire that |V_i| < |S|, a nonperfect SS must be used, in which there exists a semi-access set C that has some information on S but cannot recover S. This paper first presents a general lower bound on |V_i| which includes the previous lower bounds for perfect SSs and nonperfect SSs as special cases. There exist, however, access hierarchies in which |V_i| must be larger than this general lower bound. As our second contribution, we determine the optimum size of V_i for such an access hierarchy.

Book ChapterDOI
09 May 1994
TL;DR: It is proved that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about n/log n times the secret size.
Abstract: A secret sharing scheme permits a secret to be shared among participants of an n-element group in such a way that only qualified subsets of participants can recover the secret. If any non-qualified subset has absolutely no information on the secret, then the scheme is called perfect. The share in a scheme is the information that a participant must remember. We prove that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about n/log n times the secret size. We also show that the best possible result achievable by the information theoretic method used here is n times the secret size.

Journal ArticleDOI
TL;DR: An (m, n) threshold scheme is to decompose a shared secret into n shares in such a way that the shared secret cannot be reclaimed unless any m shares are collected.
Abstract: An (m, n) threshold scheme is to decompose a shared secret into n shares in such a way that the shared secret cannot be reclaimed unless any m shares are collected. A new dynamic threshold scheme that allows the shared secret to be updated without changing the shares is proposed.

Book ChapterDOI
09 May 1994
TL;DR: This paper presents an outline of an algorithm for determining whether a rational number can be realized as information rate by means of the generalized vector space construction and shows a correspondence between the duality of access structures and theDuality of codes.
Abstract: In this paper, we generalize the vector space construction due to Brickell [5]. This generalization, introduced by Bertilsson [1], leads to perfect secret sharing schemes with rational information rates in which the secret can be computed efficiently by each qualified group. A one to one correspondence between the generalized construction and linear block codes is stated. It turns out that the approach of minimal codewords by Massey [15] is a special case of this construction. For general access structures we present an outline of an algorithm for determining whether a rational number can be realized as information rate by means of the generalized vector space construction. If so, the algorithm produces a perfect secret sharing scheme with this information rate. As a side-result we show a correspondence between the duality of access structures and the duality of codes.

Book ChapterDOI
11 Jul 1994
TL;DR: In this paper, the authors give both upper and lower bounds on the number of random bits needed by secret sharing schemes and secure key distribution schemes, and show the optimality of a recently proposed key distribution protocol.
Abstract: In this paper we give a systematic analysis of the amount of randomness needed by Secret Sharing Schemes and Secure Key Distribution Schemes. We give both upper and lower bounds on the number of random bits needed by secret sharing schemes; such bounds match for several classes of secret sharing schemes. For secure key distribution schemes we provide a lower bound on the amount of randomness needed, thus showing the optimality of a recently proposed key distribution protocol.

Book ChapterDOI
09 May 1994
TL;DR: A general result is proved on the randomness needed to construct a scheme for the cycle C_n; when n is odd the authors' bound is tight.
Abstract: The problem we deal with in this paper is the search for upper and lower bounds on the randomness required by the dealer to set up a secret sharing scheme. We give both lower and upper bounds for infinite classes of access structures. Lower bounds are obtained using entropy arguments. Upper bounds derive from a decomposition construction based on combinatorial designs (in particular, t-(v, k, λ) designs). We prove a general result on the randomness needed to construct a scheme for the cycle C_n; when n is odd our bound is tight. We study the access structures on at most four participants and the connected graphs on five vertices, obtaining exact values for the randomness for all of them. Also, we analyze the number of random bits required to construct anonymous threshold schemes, giving upper bounds. (Informally, anonymous threshold schemes are schemes in which the secret can be reconstructed without knowledge of which participants hold which shares.)

Patent
12 Aug 1994
TL;DR: In this article, the authors describe a method for enabling users of a cryptosystem to agree on secret keys, and present a hardware and software key exchange protocol based on these two techniques.
Abstract: The present invention describes a method for enabling users of a cryptosystem to agree on secret keys. In one embodiment, a trusted agent chooses at least one individual key for each user, with at least a portion of such individual key being secret. At least some of the individual keys are then stored in physically secure devices, and the pair of users i and j use their individual keys to compute a common secret key. In another embodiment, each trustee of a group of trustees chooses at least one individual key for each user, with at least some portion of such individual key being secret. The keys chosen by a sufficiently small number of such trustees, however, are insufficient for computing the common secret key of the users. Other hardware and software key exchange protocols based on these two techniques are also disclosed.

Journal ArticleDOI
TL;DR: The authentication methods are analysed in terms of their diversity, and a framework for interoperability in a heterogeneous environment is proposed.

01 Jan 1994
TL;DR: The mathematical structures which have been used to model secret sharing schemes and variations which can be incorporated into these schemes to increase their flexibility and the detection of cheaters are discussed.
Abstract: This article documents some of the known constructions for secret sharing schemes. It includes a discussion of the mathematical structures which have been used to model secret sharing schemes, the establishment of secret sharing schemes which do not require the existence of a trusted authority to administer them, variations which can be incorporated into these schemes to increase their flexibility and the detection of cheaters.