
Showing papers on "Secret sharing published in 1997"


Journal ArticleDOI
TL;DR: Two general k out of n visual secret sharing constructions are presented whose parameters are related to those of maximum-size arcs or MDS codes; the notion of coloured visual secret sharing schemes is introduced and a general construction is given.
Abstract: The idea of visual k out of n secret sharing schemes was introduced by Naor and Shamir. Explicit constructions for k = 2 and k = n can be found there. For general k out of n schemes, bounds have been described. Here, two general k out of n constructions are presented. Their parameters are related to those of maximum-size arcs or MDS codes. Further, results on the structure of k out of n schemes, such as bounds on their parameters, are obtained. Finally, the notion of coloured visual secret sharing schemes is introduced and a general construction is given.

349 citations


Proceedings ArticleDOI
19 Oct 1997
TL;DR: A threshold function sharing scheme with proactive security for general functions with a "homomorphic property" (a class which includes all RSA variants and Discrete logarithm variants) and enables computation of the function by the servers assuring high availability, security and efficiency.
Abstract: We introduce new efficient techniques for sharing cryptographic functions in a distributed dynamic fashion. These techniques dynamically and securely transform a distributed function (or secret sharing) representation between t-out-of-l (polynomial sharing) and t-out-of-t (additive sharing). We call the techniques poly-to-sum and sum-to-poly, respectively. Employing these techniques, we solve a number of open problems in the area of cryptographic function sharing. We design a threshold function sharing scheme with proactive security for general functions with a "homomorphic property" (a class which includes all RSA variants and Discrete logarithm variants). The sharing has "optimal resilience" (server redundancy) and enables computation of the function by the servers assuring high availability, security and efficiency. Proactive security enables function sharing among servers while tolerating an adversary which is mobile and which dynamically corrupts and abandons servers (and perhaps visits all of them over the lifetime of the system, as long as the number of corruptions (faults) is bounded within a time period). Optimal resilience assures that the adversary can corrupt any minority of servers at any time-period.

261 citations


Journal ArticleDOI
TL;DR: It is proved that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about $n/\log n$ times the secret size.
Abstract: A secret sharing scheme permits a secret to be shared among participants of an n-element group in such a way that only qualified subsets of participants can recover the secret. If any nonqualified subset has absolutely no information on the secret, then the scheme is called perfect. The share in a scheme is the information that a participant must remember. In [3] it was proved that for a certain access structure any perfect secret sharing scheme must give some participant a share which is at least 50 percent larger than the secret size. We prove that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about $n/\log n$ times the secret size (all logarithms in this paper are of base 2). We also show that the best possible result achievable by the information-theoretic method used here is n times the secret size.

242 citations


Journal ArticleDOI
01 Nov 1997
TL;DR: This paper provides an exposition of methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message.
Abstract: This paper provides an exposition of methods by which a trusted authority can distribute keys and/or broadcast a message over a network, so that each member of a privileged subset of users can compute a specified key or decrypt the broadcast message. Moreover, this is done in such a way that no coalition is able to recover any information on a key or broadcast message they are not supposed to know. The problems are studied using the tools of information theory, so the security provided is unconditional (i.e., not based on any computational assumption). We begin by surveying some useful schemes for key distribution that have been presented in the literature, giving background and examples (but not too many proofs). In particular, we look more closely at the attractive concept of key distribution patterns, and present a new method for making these schemes more efficient through the use of resilient functions. Then we present a general approach to the construction of broadcast schemes that combines key predistribution schemes with secret sharing schemes. We discuss the Fiat-Naor Broadcast Scheme, as well as other, new schemes that can be constructed using this approach.

192 citations


Book ChapterDOI
TL;DR: In the traditional cryptographic scenario there is one sender, one receiver and an active or passive eavesdropper as the opponent; threshold cryptography addresses the case where the sender or receiver is not an individual but an organization.
Abstract: In the traditional scenario in cryptography there is one sender, one receiver and an active or passive eavesdropper who is an opponent. Depending on the application, the sender or the receiver (or both) need to use a secret key. Often we are not dealing with an individual sender/receiver, but the sender/receiver is an organization. The goal of threshold cryptography is to present practical schemes to solve such problems without the need to use the more general methods of mental games.

160 citations


Journal ArticleDOI
TL;DR: It is proved that for any integer d there exists a d-regular graph for which any secret sharing scheme has information rate upper bounded by 2/(d+1), which improves on van Dijk's result and matches the corresponding lower bound proved by Stinson in [22].
Abstract: A secret sharing scheme is a protocol by means of which a dealer distributes a secret s among a set of participants P in such a way that only qualified subsets of P can reconstruct the value of s whereas any other subset of P, non-qualified to know s, cannot determine anything about the value of the secret. In this paper we provide a general technique to prove upper bounds on the information rate of secret sharing schemes. The information rate is the ratio between the size of the secret and the size of the largest share given to any participant. Most of the recent upper bounds on the information rate obtained in the literature can be seen as corollaries of our result. Moreover, we prove that for any integer d there exists a d-regular graph for which any secret sharing scheme has information rate upper bounded by 2/(d+1). This improves on van Dijk's result and matches the corresponding lower bound proved by Stinson in [22].

134 citations


Book ChapterDOI
24 Sep 1997
TL;DR: Rabin's Information Dispersal Algorithm tolerates inactive processors; Krawczyk later added a mechanism to enable reconstruction in the presence of malicious faults that intentionally modify their shares, but only for faults occurring at reconstruction time.
Abstract: In his well-known Information Dispersal Algorithm paper, Rabin showed a way to distribute information among n processors in such a way that recovery of the information is possible in the presence of up to t inactive processors. An enhanced mechanism to enable reconstruction in the presence of malicious faults, which can intentionally modify their shares of the information, was later presented by Krawczyk. Yet, this method assumed that the malicious faults occur only at reconstruction time.

88 citations


Book ChapterDOI
11 Nov 1997
TL;DR: Two encryption schemes are described which use their random oracles in a rather limited way and achieve semantic security and plaintext awareness under specified assumptions.
Abstract: A cryptographic scheme is "provably secure" if an attack on the scheme implies an attack on the underlying primitives it employs. A cryptographic scheme is "provably secure in the random-oracle model" if it uses a cryptographic hash function F and is provably secure when F is modeled by a public random function. Demonstrating that a cryptographic scheme is provably secure in the random-oracle model engenders much assurance in the scheme's correctness. But there may remain some lingering fear that the concrete hash function which instantiates the random oracle differs from a random function in some significant way. So it is good to limit reliance on random oracles. Here we describe two encryption schemes which use their random oracles in a rather limited way. The schemes achieve semantic security and plaintext awareness under specified assumptions. One scheme uses the RSA primitive; another uses Diffie-Hellman. In either case messages longer than the modulus length can be safely and directly encrypted without relying on the hash functions modeled as random oracles to be good for private-key encryption.

71 citations


Journal Article
TL;DR: Visual cryptography and (k, n)-visual secret sharing schemes were introduced by Naor and Shamir in [NaSh1].
Abstract: Visual cryptography and (k, n)-visual secret sharing schemes were introduced by Naor and Shamir in [NaSh1]. A sender wishing to transmit a secret message distributes n transparencies among n recipients, where the transparencies contain seemingly random pictures. A (k, n)-scheme achieves the following situation: If any k recipients stack their transparencies together, then a secret message is revealed visually. On the other hand, if only k - 1 recipients stack their transparencies, or analyze them by any other means, they are not able to obtain any information about the secret message. The important measures of a scheme are its contrast, i.e., the clarity with which the message becomes visible, and the number of subpixels needed to encode one pixel of the original picture. Naor and Shamir constructed (k, k)-schemes with contrast $2^{-(k-1)}$. By an intricate result from [LN2], they were also able to prove optimality. They also proved that for all fixed k ≤ n, there are (k, n)-schemes with contrast $(2e)^{-k}/\sqrt{2\pi k}$ (for k = 2, 3, 4 the contrast is approximately 1/105, 1/698 and 1/4380). In this paper, we show that by solving a simple linear program, one is able to compute exactly the best contrast achievable in any (k, n)-scheme. The solution of the linear program also provides a representation of the corresponding scheme. For small k as well as for k = n, we are able to analytically solve the linear program. For k = 2, 3, 4, we obtain that the optimal contrast is at least 1/4, 1/16 and 1/64. For k = n, we obtain a very simple proof of the optimality of Naor's and Shamir's (k, k)-schemes. In the case k = 2, we are able to use a different approach via coding theory which allows us to prove an optimal tradeoff between the contrast and the number of subpixels.

65 citations
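The (k, k) construction and its contrast of $2^{-(k-1)}$ are easy to check by simulation. The following is an added example written for this listing, not code from the paper or from Naor and Shamir: it builds the (k, k) basis matrices (columns indexed by the even-size and odd-size subsets of the k participants), shares a small constructed black-and-white image using a fresh random column permutation per pixel, simulates stacking as a per-subpixel OR, and measures the contrast, which comes out as 1/m with m = 2^(k-1) subpixels per pixel. The helper `leaks_to_fewer_than_k` checks the security condition that any k-1 rows of the two basis matrices have identical column multisets. Function names and the sample image are this example's own assumptions.

```python
"""Added example: Naor-Shamir (k, k) visual secret sharing.

Builds the (k, k) basis matrices, shares a constructed toy image, simulates
stacking transparencies (per-subpixel OR) and measures contrast.  Not code
from the paper; function names and the sample image are this example's own.
"""
from itertools import combinations, product
import secrets


def basis_matrices(k):
    """Return (S0, S1): k x 2^(k-1) basis matrices for white (S0) and black
    (S1) pixels. Columns are indexed by the even-size (S0) and odd-size (S1)
    subsets of the k participants; entry 1 means a black subpixel."""
    cols0, cols1 = [], []
    for bits in product((0, 1), repeat=k):
        (cols0 if sum(bits) % 2 == 0 else cols1).append(bits)
    s0 = [[col[i] for col in cols0] for i in range(k)]
    s1 = [[col[i] for col in cols1] for i in range(k)]
    return s0, s1


def _random_permutation(m):
    """Fisher-Yates shuffle of range(m) using cryptographic randomness."""
    perm = list(range(m))
    for i in range(m - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


def share_image(pixels, k):
    """pixels: rows of 0 (white) / 1 (black). Returns k transparencies; each
    transparency is rows of pixels, each pixel a list of m subpixel bits.
    Every pixel gets a fresh random column permutation of S0 or S1, so any
    single transparency is a uniformly random-looking pattern."""
    s0, s1 = basis_matrices(k)
    m = len(s0[0])
    shares = [[] for _ in range(k)]
    for row in pixels:
        share_rows = [[] for _ in range(k)]
        for px in row:
            mat = s1 if px else s0
            perm = _random_permutation(m)
            for p in range(k):
                share_rows[p].append([mat[p][c] for c in perm])
        for p in range(k):
            shares[p].append(share_rows[p])
    return shares


def stack(transparencies):
    """Simulate physically stacking transparencies: a subpixel is black if it
    is black on any sheet (OR). Returns, per pixel, the number of black
    subpixels (the grey level the eye perceives)."""
    result = []
    for rows in zip(*transparencies):
        out_row = []
        for pixel_versions in zip(*rows):
            out_row.append(sum(any(bits) for bits in zip(*pixel_versions)))
        result.append(out_row)
    return result


def contrast(k):
    """Contrast of the (k, k) scheme when all k sheets are stacked:
    (black count - white count) / m, which equals 2^-(k-1)."""
    s0, s1 = basis_matrices(k)
    m = len(s0[0])
    white = sum(any(col) for col in zip(*s0))   # the empty-subset column stays white
    black = sum(any(col) for col in zip(*s1))   # every odd-size subset is non-empty
    return (black - white) / m


def leaks_to_fewer_than_k(k):
    """Security check: for every choice of k-1 rows, the multisets of
    restricted columns of S0 and S1 must coincide, so k-1 sheets carry no
    information about the pixel colour. Returns True only if that fails."""
    s0, s1 = basis_matrices(k)
    m = len(s0[0])
    for rows in combinations(range(k), k - 1):
        c0 = sorted(tuple(s0[r][c] for r in rows) for c in range(m))
        c1 = sorted(tuple(s1[r][c] for r in rows) for c in range(m))
        if c0 != c1:
            return True
    return False


if __name__ == "__main__":
    image = [[0, 1, 1], [1, 0, 1]]               # constructed 2x3 secret image
    sheets = share_image(image, 3)
    print("contrast(3) =", contrast(3))           # 0.25
    print("all 3 stacked:", stack(sheets))        # 4 = black, 3 = white per pixel
    print("only 2 stacked:", stack(sheets[:2]))   # every pixel 3: no information
```

Stacking all k sheets leaves white pixels with m-1 black subpixels and black pixels fully black, which is the one-subpixel difference behind the $2^{-(k-1)}$ figure; stacking any k-1 sheets gives the same grey level for both colours.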


Patent
24 Dec 1997
TL;DR: In this paper, a key management method, an encryption system, and a sharing digital signature system are provided, which are designed to hierarchically manage the degrees of contribution of members to a digital signature operation, so as to be suitably used for a group having a hierarchical structure.
Abstract: A key management method, an encryption system, and a sharing digital signature system are provided, which are designed to hierarchically manage the degrees of contribution of members to a digital signature operation and the like so as to be suitably used for a group having a hierarchical structure. In an information communication system including a plurality of information processing apparatuses connected to each other through a communication line, a first member (11a) holding a secret key K and a plurality of second members (11b - 11d) holding pieces of partial information K_{1i} (i = 1, 2, ...) generated by secret sharing of the secret key K are provided. The first member can use the secret key K as a key for the information communication system, but the second members can obtain a key for the information communication system only by collecting a predetermined number t_1 or more of pieces of partial information K_{1i}.

57 citations


Journal ArticleDOI
TL;DR: The vector space construction due to Brickell is generalized, and it turns out that the approach of minimal codewords by Massey is a special case of this construction.
Abstract: In this paper, we will generalize the vector space construction due to Brickell. This generalization, introduced by Bertilsson, leads to secret sharing schemes with rational information rates in which the secret can be computed efficiently by each qualified group. A one to one correspondence between the generalized construction and linear block codes is stated, and a matrix characterization of the generalized construction is presented. It turns out that the approach of minimal codewords by Massey is a special case of this construction. For general access structures we present an outline of an algorithm for determining whether a rational number can be realized as information rate by means of the generalized vector space construction. If so, the algorithm produces a secret sharing scheme with this information rate.

Journal ArticleDOI
TL;DR: Upper and lower bounds on the randomness required by the dealer to set up a secret sharing scheme for infinite classes of access structures are provided, and a general result on the randomness of a scheme for the cycle Cn is proved.
Abstract: In this paper we provide upper and lower bounds on the randomness required by the dealer to set up a secret sharing scheme for infinite classes of access structures. Lower bounds are obtained using entropy arguments. Upper bounds derive from a decomposition construction based on combinatorial designs (in particular, t-(v,k,λ) designs). We prove a general result on the randomness needed to construct a scheme for the cycle Cn; when n is odd our bound is tight. We study the access structures on at most four participants and the connected graphs on five vertices, obtaining exact values for the randomness for all of them. Also, we analyze the number of random bits required to construct anonymous threshold schemes, giving upper bounds. (Informally, anonymous threshold schemes are schemes in which the secret can be reconstructed without knowledge of which participants hold which shares.)

Proceedings ArticleDOI
09 Apr 1997
TL;DR: This paper proposes an efficient construction of perfect secret sharing schemes for graph-based prohibited structures where a vertex denotes a participant and an edge denotes a pair of participants who cannot recover the master key.
Abstract: A secret sharing scheme for the prohibited structure is a method of sharing a master key among a finite set of participants in such a way that only certain pre-specified subsets of participants cannot recover the master key. A secret sharing scheme is called perfect if any subset of participants who cannot recover the master key obtain no information regarding the master key. In this paper, we propose an efficient construction of perfect secret sharing schemes for graph-based prohibited structures where a vertex denotes a participant and an edge denotes a pair of participants who cannot recover the master key. The information rate of our scheme is 2/n, where n is the number of participants.

Book ChapterDOI
TL;DR: This paper studies some new "candidate" asymmetric cryptosystems based on the idea of hiding one or two rounds of small S-box computations with secret functions of degree one or two, and deduces some very different cryptanalyses of C*.
Abstract: In this paper, we study some new "candidate" asymmetric cryptosystems based on the idea of hiding one or two rounds of small S-box computations with secret functions of degree one or two. The C* scheme of [10] (when its n_i values are small) can be seen as a very special case of these schemes. This C* scheme was broken in [11] due to unexpected algebraic properties. In the new schemes, those algebraic properties generally do not exist. Nevertheless, we will see that most of the "new" algorithms can also be broken and we deduce some very different cryptanalyses of C*.

Book ChapterDOI
07 Jul 1997
TL;DR: A threshold secret sharing scheme based on polynomial interpolation and the Diffie-Hellman problem is presented, which can be used for the reconstruction of multiple secrets and shares can be individually verified during both share distribution and secret recovery.
Abstract: We present a threshold secret sharing scheme based on polynomial interpolation and the Diffie-Hellman problem. In this scheme shares can be used for the reconstruction of multiple secrets, shareholders can dynamically join or leave without distributing new shares to the existing shareholders, and shares can be individually verified during both share distribution and secret recovery.
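The two mechanics that recur in this listing, the poly-to-sum and sum-to-poly conversions between t-out-of-l polynomial sharing and t-out-of-t additive sharing (the proactive function sharing entry above), and individually verifiable shares under a discrete-logarithm assumption (the entry just above), can be shown together on one toy instance. The code below is an added illustration written for this listing and is not the scheme of either paper: it uses Shamir sharing over GF(Q), verifies shares against Feldman-style commitments g^{a_j} to the polynomial coefficients (a stand-in for the papers' own verification), and converts between the two sharing representations. The field size Q = 1019, the group modulus 2Q + 1 = 2039, the generator 4 and the secret 777 are constructed toy values; real deployments use large parameters.

```python
"""Added example: Shamir t-out-of-l sharing over a prime field with
Feldman-style share verification, plus the poly-to-sum and sum-to-poly
conversions between polynomial and additive sharing.

This is illustrative code written for this listing, not the scheme of either
paper above: the share check uses commitments g^{a_j} to the polynomial
coefficients (Feldman's construction) as a stand-in for the papers' own
verification, and the group parameters are toy-sized constructed values.
"""
import secrets

Q = 1019        # prime order of the share field GF(Q) (toy size, constructed)
GROUP_P = 2039  # 2*Q + 1 is prime, so Z_2039^* has a subgroup of order Q
G = 4           # 4 = 2^2 is a quadratic residue mod 2039, hence of order Q


def _eval_poly(coeffs, x):
    """Horner evaluation of sum_j coeffs[j] * x^j over GF(Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def shamir_share(secret, t, l):
    """t-out-of-l polynomial sharing. Returns (shares, commits): shares are
    (x, f(x)) for x = 1..l, commits are g^{a_j} for the t coefficients, which
    let every holder check its share without learning the secret."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, l + 1)]
    commits = [pow(G, a, GROUP_P) for a in coeffs]
    return shares, commits


def verify_share(share, commits):
    """A share (x, y) is consistent with the committed polynomial iff
    g^y == prod_j (g^{a_j})^{x^j}. A modified share fails this test."""
    x, y = share
    rhs = 1
    for j, c in enumerate(commits):
        rhs = rhs * pow(c, pow(x, j, Q), GROUP_P) % GROUP_P
    return pow(G, y, GROUP_P) == rhs


def _lagrange_coeff(xs, i):
    """Lagrange coefficient lambda_i so that f(0) = sum_i lambda_i * f(x_i)."""
    num, den = 1, 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * (-xj) % Q
            den = den * (xs[i] - xj) % Q
    return num * pow(den, Q - 2, Q) % Q


def poly_to_sum(shares_subset):
    """poly-to-sum: t holders of polynomial shares each multiply their share
    by their Lagrange coefficient. The results form a t-out-of-t additive
    sharing of the same secret, computed locally with no interaction."""
    xs = [x for x, _ in shares_subset]
    return [_lagrange_coeff(xs, i) * y % Q for i, (_, y) in enumerate(shares_subset)]


def sum_to_poly(additive_shares, t, l):
    """sum-to-poly: every additive-share holder Shamir-shares its summand
    among the l servers; each server adds the pieces it receives. The sum of
    the random polynomials is a fresh t-out-of-l sharing of the same secret,
    and the new commitments are the coordinatewise products of the old ones
    (g^a * g^b = g^{a+b}), so the refreshed shares stay verifiable."""
    combined = [0] * l
    merged = [1] * t
    for s in additive_shares:
        shares, commits = shamir_share(s, t, l)
        for idx, (_, y) in enumerate(shares):
            combined[idx] = (combined[idx] + y) % Q
        for j, c in enumerate(commits):
            merged[j] = merged[j] * c % GROUP_P
    return [(x + 1, y) for x, y in enumerate(combined)], merged


def reconstruct(shares_subset):
    """Recover the secret from any t polynomial shares (distinct x_i)."""
    return sum(poly_to_sum(shares_subset)) % Q


if __name__ == "__main__":
    shares, commits = shamir_share(777, 3, 5)
    assert all(verify_share(s, commits) for s in shares)
    additive = poly_to_sum(shares[:3])                   # 3-out-of-3 additive sharing
    fresh, fresh_commits = sum_to_poly(additive, 3, 5)   # back to 3-out-of-5
    assert all(verify_share(s, fresh_commits) for s in fresh)
    print("recovered from refreshed shares:", reconstruct(fresh[1:4]))  # 777
```

The round trip poly-to-sum followed by sum-to-poly is exactly a share refresh: the secret is unchanged, every old share becomes useless to a mobile adversary who held it, and because the commitments combine homomorphically the refreshed shares can still be checked individually before they are accepted.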

Book ChapterDOI
11 Nov 1997
TL;DR: It is shown that distributed-object technology is an enabling technology for intelligent trade agents that roam a network, collect and analyse the data from servers on the network and make decisions to buy and sell goods on behalf of a user.
Abstract: Electronic commerce on the Internet has the potential to generate billions of transactions but the number of merchants providing goods or services on the Internet will be so large, that it will become impossible for humans to visit each site and decide where it is best to buy or sell goods. In this paper we develop intelligent trade agents that roam a network, collect and analyse the data from servers on the network and make decisions to buy and sell goods on behalf of a user. The combination of distributed-object technology and single and public key encryption mechanisms makes these agents secure intelligent trade agents. We show that distributed-object technology is an enabling technology for intelligent trade agents.

Book ChapterDOI
20 Aug 1997
TL;DR: The (k, n)-visual secret sharing scheme was introduced by Naor and Shamir in this paper, where a sender wishing to transmit a secret message distributes n transparencies among n recipients.
Abstract: Visual cryptography and (k, n)-visual secret sharing schemes were introduced by Naor and Shamir in [NaSh1]. A sender wishing to transmit a secret message distributes n transparencies among n recipients, where the transparencies contain seemingly random pictures. A (k, n)-scheme achieves the following situation: If any k recipients stack their transparencies together, then a secret message is revealed visually. On the other hand, if only k - 1 recipients stack their transparencies, or analyze them by any other means, they are not able to obtain any information about the secret message.

Journal ArticleDOI
TL;DR: Lower bounds on the size of the share sets in any ( t, w ) threshold scheme, and for an infinite class of non-threshold access structures, are provided.


Proceedings ArticleDOI
Andrew Mayer, Moti Yung
11 Jun 1997 - Sequence
TL;DR: Two basic primitives, generalized secret sharing and group-key distribution, are given cryptographic implementations with short keys and proved secure; a reduction shows that group-key distribution implies secret sharing under pseudo-random functions (i.e., one-way functions).
Abstract: We relate two basic primitives: generalized secret sharing and group-key distribution. We suggest cryptographic implementations for both and show that they are provably secure according to exact definitions and assumptions given in the present paper. Both solutions require small secret space (namely, short keys). We first consider secret sharing with arbitrary access structures which is a basic primitive for controlling retrieval of secret information. We consider the computational security model, where cryptographic assumptions are allowed. Our design of a general secret-sharing scheme requires considerably less secure memory (i.e., shorter keys) than before. We then introduce the notion of a (single source) group-key distribution protocol which allows a center in an integrated network to securely and repeatedly send different keys to different groups. Such a capability is of increasing importance as it is a building block for secret information dissemination to various groups of participants in the presence of eavesdropping in a network environment. There are only a few previous investigations concerning this primitive and they either require a large amount of storage of secret information (due to their information theoretic security model) or lack rigorous definitions and proofs of security. We base both primitives on pseudo-random functions. We prove that the two are related; we give a reduction showing that group-key distribution implies secret-sharing under pseudo-random functions (i.e., one-way functions).

Journal ArticleDOI
TL;DR: New bounds on the information distributed to each participant in any (k, n, e) robust secret sharing scheme are provided which relate the size of the shares, the size of the secret, the probability of cheating, and the probability of guessing.

Book ChapterDOI
07 Apr 1997
TL;DR: This paper first extends the result of Blakley and Kabatianski to general non-perfect SSS using information-theoretic arguments, and establishes that in the light of this generalization, ideal schemes do not always have a matroidal morphology.
Abstract: This paper first extends the result of Blakley and Kabatianski [3] to general non-perfect SSS using information-theoretic arguments. Furthermore, we refine Okada and Kurosawa's lower bound [12] into a more precise information-theoretic characterization of non-perfect secret sharing idealness. We establish that in the light of this generalization ideal schemes do not always have a matroidal morphology. As an illustration of this result, we design an ad-hoc ideal non-perfect scheme and analyze it in the last section.

Journal ArticleDOI
TL;DR: Two cryptographic primitives are proposed: homomorphic shared commitments and linear secret sharing schemes with an additional multiplication property and new constructions for general secure multi-party computation protocols are described, both in the cryptographic and the information-theoretic setting.
Abstract: The contributions of this paper are three-fold. First, as an abstraction of previously proposed cryptographic protocols we propose two cryptographic primitives: homomorphic shared commitments and linear secret sharing schemes with an additional multiplication property. We describe new constructions for general secure multi-party computation protocols, both in the cryptographic and the information-theoretic (or secure channels) setting, based on any realizations of these primitives. Second, span programs, a model of computation introduced by Karchmer and Wigderson, are used as the basis for constructing new linear secret sharing schemes, from which the two above-mentioned primitives as well as a novel verifiable secret sharing scheme can efficiently be realized. Third, note that linear secret sharing schemes can have arbitrary (as opposed to threshold) access structures. If used in our construction, this yields multi-party protocols secure against general sets of active adversaries, as long as in the cryptographic (information-theoretic) model no two (no three) of these potentially misbehaving player sets cover the full player set. This is a strict generalization of the threshold-type adversaries and results previously considered in the literature. While this result is new for the cryptographic model, the result for the information-theoretic model was previously proved by Hirt and Maurer. However, in addition to providing an independent proof, our protocols are not recursive and have the potential of being more efficient.

Journal ArticleDOI
TL;DR: This paper addresses the problem of establishing secret sharing schemes for a given access structure without the use of a mutually trusted authority, discussing a general protocol and presenting several implementations of it.
Abstract: Traditional secret sharing schemes involve the use of a mutually trusted authority to assist in the generation and distribution of shares that will allow a secret to be protected among a set of participants. In contrast, this paper addresses the problem of establishing secret sharing schemes for a given access structure without the use of a mutually trusted authority. A general protocol is discussed and several implementations of this protocol are presented. Several efficiency measures are proposed and we consider how to refine the general protocol in order to improve the efficiency with respect to each of the proposed measures. Special attention is given to mutually trusted authority-free threshold schemes. Constructions are presented for such threshold schemes that are shown to be optimal with respect to each of the proposed efficiency measures.

Journal ArticleDOI
01 Jul 1997
TL;DR: A V-fairness (t, n) secret sharing scheme, VFSS scheme, is proposed, such that all shareholders have an equal probability of obtaining the secret without releasing their shadows simultaneously, even if V, V
Abstract: All secret sharing schemes proposed to date are not really fair on reconstructing a secret since there exists a probability /spl epsiv/, /spl epsiv/>0, such that a dishonest shareholder can obtain the secret while honest ones cannot. The paper proposes a V-fairness (t, n) secret sharing scheme, VFSS scheme, such that all shareholders have an equal probability of obtaining the secret without releasing their shadows simultaneously, even if V, V

Book ChapterDOI
11 Nov 1997
TL;DR: This paper presents the idea of traceable visual cryptography schemes, which allow tracking down share-holders who publish their shares, in order to cope with this lack of security in k out of n visual cryptography systems.
Abstract: In this paper we present a new k out of n visual cryptography scheme which does not only meet the requirements of a basic visual cryptography scheme defined by Naor and Shamir [5] but is also traceable. A k out of n visual cryptography scheme is a special instance of a k out of n threshold secret sharing scheme [6]. Thus, no information about the original secret can be revealed if fewer than k share-holders combine their shares. In those systems it is inherently assumed that even if there are k or more share-holders with an interest in the abuse of the secret, it is almost impossible for them to meet up as an entirety (e.g. because they are too cautious to inform too many others about their intentions) and combine their shares to misuse the secret. But in real scenarios it might not be too unlikely that the betrayers find each other in small groups. Even though each one of these groups is too small to compute the original secret, the betrayers of such a group can impose a major security risk on the system by publishing the information about their shares. Suppose for example that k − 1 betrayers find each other and do the publishing. Then all the other n − k + 1 share-holders can potentially reveal the secret without ever meeting up with at least k − 1 other share-holders, as is intended by the system. In order to cope with this lack of security, we present in this paper the idea of traceable visual cryptography schemes, which allow tracking down the publishing saboteurs.

Book ChapterDOI
11 Nov 1997
TL;DR: This work introduces the idea of hierarchical delegation within a secret sharing scheme and considers solutions with both conditional and unconditional security.
Abstract: We introduce the idea of hierarchical delegation within a secret sharing scheme and consider solutions with both conditional and unconditional security.

Book ChapterDOI
11 Nov 1997
TL;DR: This work gives two generic constructions using secret sharing schemes and authentication codes as the underlying primitives and shows that key-efficient and fast SGA-systems can be constructed by proper choice of the two primitives.
Abstract: We consider an extension of the classical model of unconditionally secure authentication in which a single transmitter is replaced by a group of transmitters such that only certain specified subsets can generate authentic messages. We provide a model and derive sufficient conditions for systems that provide perfect protection. We give two generic constructions using secret sharing schemes and authentication codes as the underlying primitives and show that key-efficient and fast SGA-systems can be constructed by proper choice of the two primitives.

Book ChapterDOI
11 Nov 1997
TL;DR: The paper analyses the multiple assignment secret sharing scheme presented at the GLOBECOM'87 Conference, proves that it is not perfect, and shows that both the extended multiple assignment secret sharing scheme and the extended Shamir secret sharing scheme are not secure, i.e., unauthorized sets of participants can recover the secret.
Abstract: The paper analyses the multiple assignment secret sharing scheme, presented at the GLOBECOM'87 Conference, and contains three technical comments. First it is proved that the proposed multiple assignment secret sharing scheme is not perfect. In fact, the non-perfectness of the scheme is due to the non-perfectness of a certain type of Shamir secret sharing scheme defined in the paper. Next, it is shown that both the extended multiple assignment secret sharing scheme and the extended Shamir secret sharing scheme are not secure, i.e., unauthorized sets of participants can recover the secret.

Journal ArticleDOI
TL;DR: A modified protocol is proposed which prevents cheating in the Online multiple secret sharing scheme proposed by Pinch.
Abstract: A modified protocol is proposed which prevents cheating in the Online multiple secret sharing scheme proposed by Pinch.