
Showing papers on "Secret sharing published in 2000"


Book ChapterDOI
14 May 2000
TL;DR: It is shown that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all.
Abstract: We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g., to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have super-polynomial complexity.

561 citations


Journal ArticleDOI
Daniel Gottesman1
TL;DR: It is shown that any mixed state quantum secret sharing scheme can be derived by discarding a share from a pure state scheme, and that the size of each share in a quantum secret sharing scheme must be at least as large as the size of the secret.
Abstract: I present a variety of results on the theory of quantum secret sharing. I show that any mixed state quantum secret sharing scheme can be derived by discarding a share from a pure state scheme, and that the size of each share in a quantum secret sharing scheme must be at least as large as the size of the secret. I show that the only constraints on the existence of quantum secret sharing schemes with general access structures are monotonicity (if a set is authorized, so are larger sets) and the no-cloning theorem. I also discuss some aspects of sharing classical secrets using quantum states. In this situation, the size of each share can sometimes be half the size of the classical secret.

547 citations


Journal ArticleDOI
TL;DR: In this paper, the authors present two optimal methods of teleporting an unknown qubit using any pure entangled state and discuss how such methods can also have successful application in quantum secret sharing with pure multipartite entangled states.
Abstract: We present two optimal methods of teleporting an unknown qubit using any pure entangled state. We also discuss how such methods can also have successful application in quantum secret sharing with pure multipartite entangled states.

237 citations


Journal ArticleDOI
TL;DR: Visual cryptography and (k, n)-visual secret sharing schemes were introduced by Naor and Shamir in [NaSh1].

163 citations


Journal ArticleDOI
TL;DR: A new construction for the colored VSS scheme is proposed that can be easily implemented on the basis of a black & white VSS scheme and achieves a much shorter block length (pixel expansion) than the Verheul-Van Tilborg scheme.
Abstract: Visual secret sharing (VSS) schemes protect a visual secret by sending n transparencies to different participants so that k-1 or fewer of them have no information about the original image, but the image can be seen by stacking k or more transparencies. However, the revealed secret image of a conventional VSS scheme is just black and white. The colored k out of n VSS scheme sharing a colored image was first introduced by Verheul and Van Tilborg [1]. In this paper, a new construction for the colored VSS scheme is proposed. This scheme can be easily implemented on the basis of a black & white VSS scheme and achieves a much shorter block length than the Verheul-Van Tilborg scheme.

147 citations


Patent
07 Jan 2000
TL;DR: In this paper, a secret is split into N shares using a threshold encryption scheme such that any M of the shares (M less than or equal to N) can be used to reconstruct the secret.
Abstract: Threshold cryptography (secret sharing) is used for exchanging a secret between a server and a client over an unreliable network. Specifically, a secret is computationally divided into N shares using a threshold encryption scheme such that any M of the shares (M less than or equal to N) can be used to reconstruct the secret. The N shares are spread over a number of transmitted messages, with the assumption that some number of the messages including a total of at least M shares will be received by the client. Upon receiving at least M shares, the client uses the at least M shares to reconstruct the secret using the threshold encryption scheme.

147 citations



Journal ArticleDOI
TL;DR: A scheme whereby a user can protect a secret key using the "personal entropy" in his own life, by encrypting the passphrase using the answers to several personal questions, while an attacker must learn the answer to a large subset of the questions in order to recover the secret key.

128 citations


Journal ArticleDOI
TL;DR: Both upper and lower bounds on the optimal information rate of bipartite access structures are given and these results are applied to the particular case of weighted threshold access structure with two weights.
Abstract: We study the information rate of secret sharing schemes whose access structure is bipartite. In a bipartite access structure there are two classes of participants and all participants in the same class play an equivalent role in the structure. We characterize completely the bipartite access structures that can be realized by an ideal secret sharing scheme. Both upper and lower bounds on the optimal information rate of bipartite access structures are given. These results are applied to the particular case of weighted threshold access structure with two weights.

119 citations


Journal ArticleDOI
TL;DR: This paper addresses the more general problem of secure storage and retrieval of information (SSRI), also guarantees that the process of storing the information is correct even when some of the servers fail, and extends SSRI to a "proactive" setting, where an adversary may corrupt all the servers during the lifetime of the system, but only a fraction during any given time interval.

115 citations


Dissertation
01 Jan 2000
TL;DR: This thesis constructs ERF's and AONT's with nearly optimal parameters in the standard model (without random oracles), in the perfect, statistical and computational settings (the latter based only on one-way functions).
Abstract: We develop the notion of Exposure-Resilient Cryptography. While standard cryptographic definitions and constructions do not guarantee any security even if a tiny fraction of the secret entity (e.g., cryptographic key) is compromised, the objective of Exposure-Resilient Cryptography is to build information structures such that almost complete (intentional or unintentional) exposure of such a structure still protects the secret information embedded in this structure. The key to our approach is a new primitive of independent interest, which we call an Exposure-Resilient Function (ERF)—a deterministic function whose output appears random (in a perfect, statistical or computational sense) even if almost all the bits of the input are known. ERF's by themselves efficiently solve the partial exposure of secrets in the setting where the secret is simply a random value, like in the private-key cryptography. They can also be viewed as very secure pseudorandom generators and have many other applications. To solve the general partial exposure of secrets, we use the (generalized) notion of an All-Or-Nothing Transform (AONT) introduced by Rivest [51] and refined by Boyko [16]: an invertible (randomized) transformation T which, nevertheless, reveals “no information” about x even if almost all the bits of T(x) are known. By applying an AONT to the secret entity (of arbitrary structure), we obtain security against almost total exposure of secrets. AONT's have also many other diverse applications in the design of block ciphers, secret sharing and secure communication. To date, however, the only known analyses of AONT candidates were made in the random oracle model (by Boyko [16]). In this thesis we construct ERF's and AONT's with nearly optimal parameters in the standard model (without random oracles), in the perfect, statistical and computational settings (the latter based only on one-way functions). 
We also show a close relationship between, and examine many additional properties of, what we hope will become important cryptographic primitives: Exposure-Resilient Functions and All-Or-Nothing Transforms.

Patent
Warwick S. Ford1
29 Jun 2000
TL;DR: In this paper, the authors propose an approach for regenerating a strong secret for a user based on input of a weak secret, such as a password, assisted by communication exchanges with a set of independent servers. Each server holds a distinct secret value (i.e., server secret data).
Abstract: Methods for regenerating a strong secret for a user, based on input of a weak secret, such as a password, are assisted by communication exchanges with a set of independent servers. Each server holds a distinct secret value (i.e., server secret data). The strong secret is a function of the user's weak secret and of the server secret data, and a would-be attacker cannot feasibly compute the strong secret without access to both the user's weak secret and the server secret data. Any attacker has only a limited opportunity to guess the weak secret, even if he has access to all messages transmitted in the generation and regeneration processes plus a subset (but not all) of the server secret data.
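The abstract above does not fix a construction, so the following is an added illustration, not the patent's own method: the strong secret is derived by blinded exponentiation (an oblivious PRF) against two independent servers. Each server raises whatever it receives to its own secret exponent; because the client blinds the hashed password with a fresh random exponent, the servers and any eavesdropper see only h^r, and the strong secret is computable only by someone who knows the password and obtains every server's contribution. The group here is a 64-bit safe prime found at import time, a toy size chosen so the example runs instantly; the hash-to-group mapping, the 16-byte encoding and the parameter names are my assumptions.

```python
import hashlib
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for every n < 3.3e24."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int):
    """Smallest q >= start with q and p = 2q + 1 both prime (toy-size group parameters)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# Assumption: a 64-bit safe prime is far too small for real use; it only keeps the demo fast.
P, Q = safe_prime_from(1 << 63)


def hash_to_group(password: str) -> int:
    """Map the weak secret into the order-Q subgroup of squares mod P."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    return pow(h, 2, P) or 4          # squaring lands in the subgroup; 4 avoids the degenerate 0


class Server:
    """One independent server: holds its own secret exponent and never sees the password."""

    def __init__(self, rng=secrets.randbelow):
        self.d = rng(Q - 1) + 1       # server secret data

    def evaluate(self, blinded: int) -> int:
        return pow(blinded, self.d, P)   # the server learns nothing about h or the password


def regenerate(password: str, servers, rng=secrets.randbelow) -> bytes:
    """Client side: blind h, query every server, unblind, hash the contributions into the strong secret."""
    h = hash_to_group(password)
    r = rng(Q - 1) + 1                   # fresh per run; the transcript shows only h^r
    blinded = pow(h, r, P)
    r_inv = pow(r, -1, Q)                # valid because every element of the subgroup has order dividing Q
    contributions = [pow(s.evaluate(blinded), r_inv, P) for s in servers]   # each equals h^{d_i}
    material = b"".join(c.to_bytes(16, "big") for c in contributions)
    return hashlib.sha256(material + password.encode()).digest()


if __name__ == "__main__":
    servers = [Server(), Server()]
    k1 = regenerate("correct horse battery staple", servers)
    k2 = regenerate("correct horse battery staple", servers)
    print(k1 == k2, regenerate("hunter2", servers) == k1)   # True False
```

The limited-guessing property in the abstract comes from the fact that each password guess must be sent, blinded, to a live server holding a secret exponent the attacker does not have; the servers can therefore rate-limit or lock out guessing, and a recorded transcript on its own gives the attacker nothing to test a guess against.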

Posted Content
TL;DR: This work shows that quantum secret-sharing is possible for any structure for which no two disjoint sets can reconstruct the secret, and shows that a large class of linear classical SS schemes can be converted into quantum schemes of the same efficiency.
Abstract: We explore the conversion of classical secret-sharing schemes to quantum ones, and how this can be used to give efficient QSS schemes for general adversary structures. Our first result is that quantum secret-sharing is possible for any structure for which no two disjoint sets can reconstruct the secret (this was also proved, somewhat differently, by D. Gottesman). To obtain this we show that a large class of linear classical SS schemes can be converted into quantum schemes of the same efficiency. We also give a necessary and sufficient condition for the direct conversion of classical schemes into quantum ones, and show that all group homomorphic schemes satisfy it.

Journal ArticleDOI
01 Jul 2000
TL;DR: A class of multiparty key agreement protocols based on secret sharing is presented and it is proved that the protocols achieve key freshness, key confidentiality, group authentication and key confirmation.
Abstract: A class of multiparty key agreement protocols based on secret sharing is presented. The trust infrastructure necessary to achieve the intended security goals is discussed. Entity authentication is suggested to be replaced by a less expensive group authentication. Two key agreement protocols are discussed. The first is the group key agreement where all principals must be active to call the conference. The other allows a big enough subgroup (controlled by the threshold parameter t) to trigger the conference. It is proved that the protocols achieve key freshness, key confidentiality, group authentication and key confirmation. A discussion about possible modifications and extensions of the protocol concludes the paper.

Book ChapterDOI
02 Oct 2000
TL;DR: In this article, transaction-based pseudonyms are constructed as shares for a suitably adapted version of Shamir's cryptographic approach to secret sharing, and under sufficient suspicion, expressed as a threshold on shares, audit analyzers can perform reidentification.
Abstract: Privacy and surveillance by intrusion detection are potentially conflicting organizational and legal requirements. In order to support a balanced solution, audit data is inspected for personal data and identifiers referring to real persons are substituted by transaction-based pseudonyms. These pseudonyms are constructed as shares for a suitably adapted version of Shamir's cryptographic approach to secret sharing. Under sufficient suspicion, expressed as a threshold on shares, audit analyzers can perform reidentification.

Journal ArticleDOI
TL;DR: A secret-sharing scheme based on a class of ternary error-correcting codes is described, and its access structure and properties are determined.

Book ChapterDOI
03 Dec 2000
TL;DR: An attack is shown for Naor and Pinkas' metering schemes such that only two malicious clients can prevent a server from computing a correct proof.
Abstract: Naor and Pinkas introduced metering schemes at Eurocrypt '98 in order to decide on advertisement fees for web servers. In the schemes, any server should be able to construct a proof to be sent to an audit agency if and only if it has been visited by at least a certain number, say k, of clients. This paper first shows an attack for their schemes such that only two malicious clients can prevent a server from computing a correct proof. We next present provably secure metering schemes. Finally, an efficient robust secret sharing scheme is derived from our metering scheme.

Posted Content
TL;DR: A general proof of the security against eavesdropping of a previously introduced protocol for two-party quantum key distribution based on entanglement swapping is provided and the protocol is extended to permit multiparty quantum key Distribution and secret sharing of classical information.
Abstract: A general proof of the security against eavesdropping of a previously introduced protocol for two-party quantum key distribution based on entanglement swapping [Phys. Rev. A 61, 052312 (2000)] is provided. In addition, the protocol is extended to permit multiparty quantum key distribution and secret sharing of classical information.

Book ChapterDOI
18 Jan 2000
TL;DR: Among the improvements of the schemes is their applicability to creating CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and elliptic curve cryptosystems.
Abstract: We propose new schemes for Certificates of Recoverability (CRs). These consist of a user's public key and attributes, its private key encrypted in such a way that it is recoverable by one or more Key Recovery Agents (KRAs), plus a publicly verifiable proof of this (the actual CR). In the original schemes, the level of cryptographic security employed by the KRA and the users is necessarily the same. In our schemes the level of cryptographic security employed by the KRA can be set higher, in a scalable fashion, than that being employed by the users. Among the other improvements of our schemes is their applicability to creating CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and elliptic curve cryptosystems. Also, the size of the constructed proofs of knowledge can be taken smaller than in the original schemes. We additionally show several ways to support secret sharing in our scheme. Finally we present several new constructions and results on the hardness of "small parts", in the setting of Diffie-Hellman keys in extension fields.

Proceedings ArticleDOI
01 Nov 2000
TL;DR: This work presents an approach for constructing transaction-based pseudonyms as shares for a suitably adapted version of Shamir's cryptographic approach to secret sharing, where the actor's identity can be recovered only if pseudonymous actions exceed a threshold specified by a predetermined purpose.
Abstract: Privacy and accountability are potentially conflicting organizational and legal requirements which can be approached by allowing users to act pseudonymously. The reidentification of pseudonyms should be bound to a legal purpose requiring accountability. Existing solutions entrust this function to third parties. Upon good cause shown, these parties perform reidentification on demand. The ability to perform reidentification should be technically bound to the actual existence of a legal purpose, which in some applications can be interpreted as the transgression of a threshold. We present an approach for constructing transaction-based pseudonyms as shares for a suitably adapted version of Shamir's cryptographic approach to secret sharing. Only if pseudonymous actions exceed a threshold specified by a predetermined purpose can the actor's identity be recovered.

Patent
07 Nov 2000
TL;DR: In this paper, the SIM card performs secret cryptographic calculations with secret numbers, and secret information is hidden from outside observation by scheduling the calculations using a precomputed, fixed randomization schedule in such a way that externally observable parameters of the device cannot be associated with particular pieces, bits, symbols or values of the secret information.
Abstract: A mobile terminal for use in a mobile communications system includes a SIM card storing subscriber related data. For security, the SIM card performs secret cryptographic calculations with secret numbers. Secret information is hidden from outside observation by scheduling the calculations using a precomputed, fixed randomization schedule in such a way that externally observable parameters of the device cannot be associated with particular pieces, bits, symbols or values of the secret information.

Book ChapterDOI
10 Jul 2000
TL;DR: A new scheme is proposed in which each entity computes the key with only two modular exponentiations, regardless of n and k, so that a device with low computing power can calculate the broadcast key within a reasonable time.
Abstract: In this paper, we examine a broadcast exclusion problem, i.e., how to distribute an encryption key over a channel shared by n entities so that all but k excluded entities can get the key. Recently, J. Anzai, N. Matsuzaki and T. Matsumoto proposed a scheme that provides a solution to the broadcast exclusion problem. Their solution is to apply (k + 1, n + k) threshold cryptosystems. In this scheme, the transmission overhead is O(k) and each entity holds a fixed amount of secret key. However, each entity must compute the encryption key with k + 1 modular exponentiations. Therefore, a device with low computing power (e.g., a mobile terminal or a smart card) cannot calculate the broadcast key within a reasonable time. In this paper, we propose a new scheme in which each entity computes the key with only two modular exponentiations, regardless of n and k. We accomplish this by assuming a trusted key distributor, while retaining the advantages of the Anzai-Matsuzaki-Matsumoto scheme, i.e., the transmission overhead is O(k), and each entity holds a fixed amount of secret key regardless of n and k.

Journal ArticleDOI
TL;DR: This work introduces and study threshold (t-out-of-n) secret sharing schemes for families of functions and examines what can be gained by allowing evaluations to be done interactively via private channels.
Abstract: In this work we introduce and study threshold (t-out-of-n) secret sharing schemes for families of functions ${\cal F}$. Such schemes allow any set of at least t parties to compute privately the value f(s) of a (previously distributed) secret s, for any $f\in {\cal F}$. Smaller sets of players get no more information about the secret than what follows from the value f(s). The goal is to make the shares as short as possible. Results are obtained for two different settings: we study the case when the evaluation is done on a broadcast channel without interaction, and we examine what can be gained by allowing evaluations to be done interactively via private channels.

Proceedings ArticleDOI
01 Feb 2000
TL;DR: This paper presents an easy and universal construction of an appropriate k-out-of-n secret sharing scheme that achieves contrast-optimality in the limit with a fairly small gap for finite n, and argues that the problem of closing the gap in general is related to a long-standing open question in Approximation Theory.
Abstract: It was shown in [4] that the largest possible contrast C(k, n) in a k-out-of-n secret sharing scheme is approximately 4^{-(k-1)} (with equality in the limit when n approaches infinity). However, the proof of this result was not constructive and did not answer the question of what schemes with almost optimal contrast might look like. In this paper, we present an easy and universal construction of an appropriate k-out-of-n secret sharing scheme. The construction works for all values of k and n and achieves contrast-optimality in the limit with a fairly small gap for finite n. For small values of k (and all values of n), we even get contrast-optimality (without any gap). Finally, we argue that the problem of closing the gap in general is related to a long-standing open question in Approximation Theory.

Patent
11 Dec 2000
TL;DR: In this patent, the problem of public-key secret communication with a plurality of other parties is solved by deriving each per-party secret key from a single master key with a one-way hash function, so that only the master key must be kept hidden from third parties.
Abstract: PROBLEM TO BE SOLVED: In conventional public-key secret communication with a plurality of other parties, as many secret keys as there are counterparties must be kept hidden from third parties. SOLUTION: A personal information input 101 and a master key storage part 103 are provided. From the personal information of the transmission counterparty and the master key, a secret key bound to that personal information is derived (104) using a one-way hash function and kept in a temporary secret-key store 108. Once the secret key has been erased after use, it can be derived again. As a result, the secret keys need not be retained; only the master key must be kept hidden from third parties.

Book ChapterDOI
01 Feb 2000
TL;DR: This is the first paper which analyzes the amount of randomness needed to visually share a secret image and provides lower and upper bounds to the randomness of visual cryptography schemes.
Abstract: A visual cryptography scheme for a set P of n participants is a method to encode a secret image into n shadow images called shares each of which is given to a distinct participant. Certain qualified subsets of participants can recover the secret image, whereas forbidden subsets of participants have no information on the secret image. The shares given to participants in X ⊆ P are xeroxed onto transparencies. If X is qualified then the participants in X can visually recover the secret image by stacking their transparencies without any cryptography knowledge and without performing any cryptographic computation. This is the first paper which analyzes the amount of randomness needed to visually share a secret image. It provides lower and upper bounds to the randomness of visual cryptography schemes. Our schemes represent a dramatic improvement on the randomness of all previously known schemes.
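An added example, not code from any of the visual cryptography papers listed here: the Naor-Shamir 2-out-of-2 scheme on a black-and-white bit image, serving the black & white base scheme mentioned in the colored VSS entry, the contrast entry, and the randomness entry just above. Each secret pixel is expanded into two subpixels; the dealer draws one random bit per pixel, which is exactly the randomness the scheme consumes. Stacking is modelled as a per-subpixel OR, and the eye reads a block as black only when both subpixels are black. The helper names, the 2x4 sample image and the `relative_contrast` definition (Naor-Shamir's (black weight minus white weight) / m) are my assumptions.

```python
import secrets

# Naor-Shamir 2-out-of-2 basis with m = 2 subpixels per pixel (1 = opaque, 0 = transparent):
#   white pixel: both shares get the same random pair      -> stacked block has 1 black subpixel
#   black pixel: the shares get complementary pairs        -> stacked block has 2 black subpixels


def share_pixel(bit: int, rng=secrets.randbits):
    """Subpixel pairs for share 1 and share 2 of one secret pixel (0 = white, 1 = black)."""
    first = (1, 0) if rng(1) else (0, 1)               # one random bit: the column permutation
    second = first if bit == 0 else (1 - first[0], 1 - first[1])
    return first, second


def share_image(image, rng=secrets.randbits):
    """Encode a 0/1 image into two transparencies, each twice as wide as the original."""
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            a, b = share_pixel(px, rng)
            r1.extend(a)
            r2.extend(b)
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(*shares):
    """Physically stacking transparencies: a subpixel is black if it is black on any share (OR)."""
    return [[max(vals) for vals in zip(*rows)] for rows in zip(*shares)]


def decode(stacked):
    """What the eye reads: a pixel is black only if both of its subpixels are black."""
    return [[int(row[2 * i] + row[2 * i + 1] == 2) for i in range(len(row) // 2)]
            for row in stacked]


def relative_contrast(stacked, image) -> float:
    """(min black-block weight - max white-block weight) / m, with m = 2."""
    black, white = [], []
    for srow, irow in zip(stacked, image):
        for i, px in enumerate(irow):
            (black if px else white).append(srow[2 * i] + srow[2 * i + 1])
    return (min(black) - max(white)) / 2


def share_is_balanced(share) -> bool:
    """On a single share every block has exactly one black subpixel, whatever the secret pixel was."""
    return all(row[2 * i] + row[2 * i + 1] == 1 for row in share for i in range(len(row) // 2))


if __name__ == "__main__":
    secret = [[0, 1, 1, 0],
              [1, 0, 0, 1]]                          # constructed 2x4 sample image
    s1, s2 = share_image(secret)
    print(decode(stack(s1, s2)) == secret,
          share_is_balanced(s1), share_is_balanced(s2),
          relative_contrast(stack(s1, s2), secret))   # True True True 0.5
```

`share_is_balanced` is the security property in executable form: a single transparency is a uniformly random choice of pair per pixel and carries no information about the image. The contrast of 1/2 is the n = 2 case; the contrast entry above states that the best achievable 2-out-of-n contrast falls to 4^{-(2-1)} = 1/4 as n grows.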

Journal Article
TL;DR: This work presents one way in which combinatorial designs can be used to give conditionally perfect secret sharing schemes, and studies the problem of completion of structures, given partial information, to obtain measures of how closely the behaviour of the secret sharing schemes approaches ideal behaviour in practice.
Abstract: We present one way in which combinatorial designs can be used to give conditionally perfect secret sharing schemes. Schemes formed in this way have the advantage over classical secret sharing schemes of being easily adapted for use as compartmentalized or hierarchical access structures. We study the problem of completion of structures, given partial information, to obtain measures of how closely the behaviour of the secret sharing schemes approaches ideal behaviour in practice. It may happen that part of a combinatorial design can never be reconstructed from a subset of a minimal defining set. That is, to find the blocks of what is called the strongbox of a given minimal defining set of a design, we must have the whole of the minimal defining set and be able to complete the whole design. The strongbox is that part of the design which may most safely be used to hold secret information. We study the size of the strongbox.

Proceedings ArticleDOI
25 Oct 2000
TL;DR: This paper proposes a method to detect that the dealer has used the wrong degree for the polynomial chosen to hide the key, by asking the dealer to generate a certificate polynomial and one-bit verifying keys that provide information to the participants during the detection process.
Abstract: The concept of secret sharing can be used in a wide range of business applications. A secret sharing system can implement the policies of secret sharing, and control the distribution of the secrets to the participants under the secret sharing policies. But it can be damaged when dealer cheating occurs. If the secret sharing system is implemented by Shamir's (t, n)-threshold scheme, one of the dealer's cheatings is to use incorrect polynomials to generate shadows (or shares) and to distribute these erroneous shadows to the participants. How can we detect this cheating? In this paper we propose a method to detect that the dealer has used the wrong degree for the polynomial chosen to hide the key. The main idea of the proposed method is that we ask the dealer to generate a certificate polynomial and one-bit verifying keys to provide information when the participants perform the detection process.
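An added example, not code from any of the listed papers or patents: Shamir's (t, n) threshold scheme over a prime field, written to serve three entries on this page. The threshold-over-an-unreliable-channel patent spreads shares over messages and reconstructs once M of them arrive; the transaction-pseudonym entries emit one share per audited action so the identity surfaces only past the threshold; and the dealer-cheating paper just above asks what happens when the dealer uses the wrong polynomial degree. The field prime, the parameter names and the post-hoc `audit_dealer_degree` check are my assumptions; the paper's own method uses a certificate polynomial and one-bit verifying keys and, unlike the audit here, does not require pooling the shares.

```python
import secrets

PRIME = 2**127 - 1   # assumption: any prime larger than the secret and n will do


def _lagrange_at(shares, x, p=PRIME):
    """Evaluate at x the unique polynomial of degree < len(shares) through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split(secret, t, n, degree=None, p=PRIME):
    """Dealer: hide `secret` as f(0) of a random polynomial and hand out the points f(1..n).
    An honest dealer uses degree t-1; `degree` exists only to simulate a cheating dealer."""
    if not (1 <= t <= n < p and 0 <= secret < p):
        raise ValueError("bad parameters")
    degree = t - 1 if degree is None else degree
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(degree)]

    def f(x):                                      # Horner evaluation
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % p
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def reconstruct(shares, t, p=PRIME):
    """Any t shares with distinct x determine f(0)."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    return _lagrange_at(shares[:t], 0, p)


def recover_if_threshold(received, t, p=PRIME):
    """Receiver-side rule shared by the lossy-channel patent (some messages lost) and the
    pseudonym scheme (one share per audited action): reconstruct only once >= t shares are in hand."""
    return reconstruct(received, t, p) if len(received) >= t else None


def audit_dealer_degree(shares, t, p=PRIME):
    """Post-hoc consistency check once all n shares are pooled: did the dealer use degree t-1?
    Pooling reveals the secret, so this is an audit, not a substitute for the paper's method."""
    if len(shares) < t + 1:
        raise ValueError("need at least t+1 shares to audit the degree")
    if any(_lagrange_at(shares[:t], x, p) != y for x, y in shares[t:]):
        return "degree too high"     # different t-subsets would reconstruct different "secrets"
    if t >= 2 and all(_lagrange_at(shares[:t - 1], x, p) == y for x, y in shares[t - 1:]):
        return "degree too low"      # t-1 shares already suffice: the threshold is silently weaker
    return "ok"


if __name__ == "__main__":
    shares = split(0xC0FFEE, 3, 5)                          # constructed: t = 3 of n = 5
    print(reconstruct(shares[1:4], 3) == 0xC0FFEE,           # True
          recover_if_threshold(shares[:2], 3),               # None: below the threshold
          audit_dealer_degree(shares, 3),                    # ok
          audit_dealer_degree(split(7, 3, 5, degree=3), 3),  # degree too high
          audit_dealer_degree(split(7, 3, 5, degree=1), 3))  # degree too low
```

With the correct degree every t-subset yields the same f(0). With degree t or more, different t-subsets disagree, which the audit detects by checking whether t points predict the remaining shares; with degree t-2 or less, t-1 shares already determine the secret, a silent loss of security that the audit catches by checking whether a smaller subset predicts the rest (a random zero coefficient would hide either case with probability 1/p). In the pseudonym use the shares of one user must carry distinct x-coordinates; re-emitting a share already in the log brings the analyzer no closer to reidentification.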

Proceedings ArticleDOI
01 Feb 2000
TL;DR: This paper presents the first instance for which some improvement is possible over the simple construction of a secret sharing scheme, and shows that for this instance an improvement factor equal to the number of secrets over the above simple construction is possible.
Abstract: A secret sharing scheme is a method for distributing a secret among several parties in such a way that only qualified subsets of the parties can reconstruct it and unqualified subsets receive no information about the secret. A multi secret sharing scheme is the natural extension of a secret sharing scheme to the case in which many secrets need to be shared, each with respect to possibly different subsets of qualified parties. A multi secret sharing scheme can be trivially realized by realizing a secret sharing scheme for each of the secrets. A natural question in the area is whether this simple construction is the most efficient as well, and, if not, how much improvement is possible over it.

01 Jan 2000
TL;DR: This work provides lower bounds concerning the rank, the amount of randomness required and the number of subshares needed for a group independent linear threshold sharing scheme developed by Desmedt and Frankel.
Abstract: Group independent linear threshold secret sharing refers to a t out of n linear threshold secret sharing scheme which can be used with any finite Abelian group. A formal definition of a group independent linear threshold sharing is developed. Further, we provide lower bounds concerning the rank, the amount of randomness required and the number of subshares needed for a group independent linear threshold sharing scheme. Lastly, we discuss the group independent linear threshold sharing scheme developed by Desmedt and Frankel. We introduce new algorithms which will reduce the number of required arithmetic operations and group operations needed for the Desmedt-Frankel scheme.