
Showing papers on "Secret sharing published in 2002"


Journal ArticleDOI
TL;DR: A method such that a secret image is shared by n shadow images, and any r shadow images of them can be used to restore the whole secret image, and the size of each shadow image is smaller than the secret image in this method.

777 citations


Proceedings ArticleDOI
30 Jun 2002
TL;DR: This paper proposes a new model which incorporates network coding and information security, and presents a construction of secure linear network codes provided a certain graph-theoretic sufficient condition is satisfied.
Abstract: Recent work on network coding renders a new view on multicasting in a network. In the paradigm of network coding, the nodes in a network are allowed to encode the information received from the input links. The usual function of switching at a node is a special case of network coding. The advantage of network coding is that the full capacity of the network can be utilized. In this paper, we propose a new model which incorporates network coding and information security. Specifically, a collection of subsets of links is given, and a wiretapper is allowed to access any one (but not more than one) of these subsets without being able to obtain any information about the message transmitted. Our model includes secret sharing as a special case. We present a construction of secure linear network codes provided a certain graph-theoretic sufficient condition is satisfied.

587 citations


Book
15 Jan 2002
TL;DR: A full chapter on error correcting codes introduces the basic elements of coding theory and provides a flexible organization, as each chapter is modular and can be covered in any order.
Abstract: From the Publisher: This book assumes a minimal background in programming and a level of math sophistication equivalent to a course in linear algebra. It provides a flexible organization, as each chapter is modular and can be covered in any order. Using Mathematica, Maple, and MATLAB, computer examples included in an Appendix explain how to do computation and demonstrate important concepts. A full chapter on error correcting codes introduces the basic elements of coding theory. Other topics covered: Classical cryptosystems, basic number theory, the data encryption standard, AES: Rijndael, the RSA algorithm, discrete logarithms, digital signatures, e-commerce and digital cash, secret sharing schemes, games, zero knowledge techniques, key establishment protocols, information theory, elliptic curves, error correcting codes, quantum cryptography. For professionals in cryptography and network security.

497 citations


Proceedings ArticleDOI
18 Nov 2002
TL;DR: The first practical verifiable secret sharing protocol for asynchronous networks was proposed in this article, which uses a discrete logarithm-based sharing and uses only a quadratic number of messages in the number of participating servers.
Abstract: Verifiable secret sharing is an important primitive in distributed cryptography. With the growing interest in the deployment of threshold cryptosystems in practice, the traditional assumption of a synchronous network has to be reconsidered and generalized to an asynchronous model. This paper proposes the first practical verifiable secret sharing protocol for asynchronous networks. The protocol creates a discrete logarithm-based sharing and uses only a quadratic number of messages in the number of participating servers. It yields the first asynchronous Byzantine agreement protocol in the standard model whose efficiency makes it suitable for use in practice. Proactive cryptosystems are another important application of verifiable secret sharing. The second part of this paper introduces proactive cryptosystems in asynchronous networks and presents an efficient protocol for refreshing the shares of a secret key for discrete logarithm-based sharings.

194 citations


Journal ArticleDOI
TL;DR: In this article, generalized cat states for d-level systems were introduced and formulas for their entanglement swapping with generalized Bell states were obtained, giving both a generalization to the d-level case and a transparent proof of validity for an already proposed protocol of secret sharing based on entanglement swapping.
Abstract: We introduce generalized cat states for d-level systems and obtain concise formulas for their entanglement swapping with generalized Bell states. We then use this to provide both a generalization to the d-level case and a transparent proof of validity for an already proposed protocol of secret sharing based on entanglement swapping.

191 citations


Journal ArticleDOI
TL;DR: An image protection method for image intellectual property that uses the visual secret sharing scheme to construct two shares, one of which is generated from the host image, and the other share is arbitrarily generated by the owner.

155 citations


Journal ArticleDOI
TL;DR: The issue of contrast is explored, by demonstrating that the current definitions are inadequate, and by providing an alternative definition, which motivates an examination of minimizing pixel expansion subject to fixing the VCS parameters h and l.
Abstract: In 1994, Naor and Shamir introduced an unconditionally secure method for encoding black and white images. This method, known as a threshold visual cryptography scheme (VCS), has the benefit of requiring no cryptographic computation on the part of the decoders. In a (k, n)-VCS, a share, in the form of a transparency, is given to n users. Any k users can recover the secret simply by stacking transparencies, but k-1 users can gain no information about the secret whatsoever. In this paper, we first explore the issue of contrast, by demonstrating that the current definitions are inadequate, and by providing an alternative definition. This new definition motivates an examination of minimizing pixel expansion subject to fixing the VCS parameters h and l. New bounds on pixel expansion are introduced, and connections between these bounds are examined. The best bound presented is tighter than any previous bound. An analysis of connections between (2, n) schemes and designs such as BIBD's, PBD's, and (r, λ)-designs is performed. Also, an integer linear program is provided whose solution exactly determines the minimum pixel expansion of a (2, n)-VCS with specified h and l.

153 citations


Book ChapterDOI
Ueli Maurer
11 Sep 2002
TL;DR: In this paper, a simple approach to secure multi-party computation is presented, which is based on essentially no mathematical structure (like bivariate polynomials) or sophisticated subprotocols (like zero-knowledge proofs).
Abstract: A simple approach to secure multi-party computation is presented. Unlike previous approaches, it is based on essentially no mathematical structure (like bivariate polynomials) or sophisticated subprotocols (like zero-knowledge proofs). It naturally yields protocols secure for mixed (active and passive) corruption and general (as opposed to threshold) adversary structures, confirming the previous tight bounds in a simpler formulation and with simpler proofs. Due to their simplicity, the described protocols are well-suited for didactic purposes, which is a main goal of this paper.

109 citations


Book ChapterDOI
12 Feb 2002
TL;DR: An efficient (string) OT_1^n scheme for any n ≥ 2.
Abstract: In this paper we propose an efficient (string) OT_1^n scheme for any n ≥ 2. We build our OT_1^n scheme from fundamental cryptographic techniques directly. It achieves optimal efficiency in terms of the number of rounds and the total number of exchanged messages for the case that the receiver's choice is unconditionally secure. The computation time of our OT_1^n scheme is very efficient, too. The receiver needs to compute only 2 modular exponentiations no matter how large n is, and the sender needs to compute 2n modular exponentiations. The distinct feature of our scheme is that the system-wide parameters are independent of n and universally usable, that is, all possible receivers and senders use the same parameters and need no trapdoors specific to each of them. For our OT_1^n scheme, the privacy of the receiver's choice is unconditionally secure and the secrecy of the un-chosen secrets is based on hardness of the decisional Diffie-Hellman problem. We extend our OT_1^n scheme to distributed oblivious transfer schemes. Our distributed OT_1^n scheme takes full advantage of the research results of secret sharing and is conceptually simple. It achieves better security than Naor and Pinkas's scheme does in many aspects. For example, our scheme is secure against collusion of the receiver R and t-1 servers and it need not restrict R to contact at most t servers, which is difficult to enforce. For applications, we present a method of transforming any single-database PIR protocol into a symmetric PIR protocol with only one extra unit of communication cost.

93 citations


Journal ArticleDOI
TL;DR: Two methods are presented to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack, and those methods make it possible to construct robust and secure schemes for any access structure.
Abstract: In a secret sharing scheme, some participants can lie about the value of their shares when reconstructing the secret in order to obtain some illicit benefit. We present in this paper two methods to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack. The schemes obtained by the first method are robust, that is, cheaters are detected with high probability even if they know the value of the secret. The second method provides secure schemes, in which cheaters that do not know the secret are detected with high probability. When applied to ideal linear secret sharing schemes, our methods provide robust and secure schemes whose relation between the probability of cheating and the information rate is almost optimal. Besides, those methods make it possible to construct robust and secure schemes for any access structure.

83 citations


Journal ArticleDOI
TL;DR: The share of multiple secrets among participants in secret transmission is a critical topic for a new digital image scheme derived from the least significant bit substitution method and the visual cryptography method and it is shown that the quality of all stego-images is visually acceptable.

Journal Article
TL;DR: A black-box secret sharing scheme for the threshold access structure T_t,n is one which works over any finite Abelian group G and is defined over Z and is designed independently of the group from which the secret and the shares are sampled.
Abstract: A black-box secret sharing scheme for the threshold access structure T_t,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_t,n, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multi-party computation over black-box rings. In 1994 Desmedt and Frankel have proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_t,n with 0 < t < n - 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with co-prime determinants, we construct, for arbitrary given T_t,n with 0 < t < n - 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.

Posted Content
TL;DR: Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with co-prime determinants, a black-box secret sharing scheme with expansion factor O(log n) is constructed, which it is shown is minimal.
Abstract: A black-box secret sharing scheme for the threshold access structure T_t,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_t,n, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multi-party computation over black-box rings. In 1994 Desmedt and Frankel have proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_t,n with 0 < t < n - 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with co-prime determinants, we construct, for arbitrary given T_t,n with 0 < t < n - 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.

Proceedings ArticleDOI
06 Nov 2002
TL;DR: A new secret color image sharing scheme based on modified visual cryptography that provides a more efficient way of hiding a gray image (256 colors) in different shares and does not vary when the number of colors appearing in the secret image differs.
Abstract: In a traditional visual cryptography scheme, a shared secret image can be revealed with no cryptographic computations. Unfortunately, the revealed secret image of a conventional visual cryptography scheme is almost black and white. Colored visual cryptography schemes based on modified visual cryptography were recently proposed. By means of a few additional computations, users can hide a colored secret image. However, the implementation complexity in these schemes depends on the number of colors appearing in the secret image. In other words, when the secret image contains a large number of colors, these schemes will become impractical. In this paper, we propose a new secret color image sharing scheme based on modified visual cryptography. This scheme provides a more efficient way of hiding a gray image (256 colors) in different shares. Furthermore, the size of the shares is fixed; it does not vary when the number of colors appearing in the secret image differs.

Journal ArticleDOI
TL;DR: An improved definition for visual cryptography is proposed based on an observation, in which the revealed images may be darker or lighter than the backgrounds, and which shows that visual cryptography schemes based on this definition indeed have better pixel expansion in average.
Abstract: Visual cryptography is to encrypt a secret image into some shares (transparencies) such that any qualified subset of the shares can recover the secret “visually.” The conventional definition requires that the revealed secret images are always darker than the backgrounds. We observed that this is not necessary, in particular, for the textual images. In this paper, we proposed an improved definition for visual cryptography based on our observation, in which the revealed images may be darker or lighter than the backgrounds. We studied properties and obtained bounds for visual cryptography schemes based on the new definition. We proposed methods to construct visual cryptography schemes based on the new definition. The experiments showed that visual cryptography schemes based on our definition indeed have better pixel expansion in average.

Journal Article
TL;DR: It is shown that any (n, n)-VSS-GS scheme can be constructed based on the so-called polynomial representation of basis matrices treated in [15], [16], and it is proved that such construction can attain the optimal (n, n) n-out-of-n visual secret sharing scheme.
Abstract: In this paper, a method is proposed to construct an n-out-of-n visual secret sharing scheme for gray-scale images, for short an (n, n)-VSS-GS scheme, which is optimal in the sense of contrast and pixel expansion, i.e., resolution. It is shown that any (n, n)-VSS-GS scheme can be constructed based on the so-called polynomial representation of basis matrices treated in [15], [16]. Furthermore, it is proved that such construction can attain the optimal (n, n)-VSS-GS scheme.

Book ChapterDOI
01 Dec 2002
TL;DR: In this article, an unconditionally secure scheme to set up a robust distributed key distribution center is proposed, which can be used with a symmetric encryption algorithm to encrypt and decrypt messages the users wish to send to each other.
Abstract: A Key Distribution Center enables secure communications among groups of users in a network by providing common keys that can be used with a symmetric encryption algorithm to encrypt and decrypt messages the users wish to send to each other. A Distributed Key Distribution Center is a set of servers of a network that jointly realize a Key Distribution Center. In this paper we propose an unconditionally secure scheme to set up a robust Distributed Key Distribution Center. Such a distributed center keeps working even if some minority of the servers malfunction or misbehave under the control of a mobile adversary. Our scheme for a distributed key distribution center is constructed using unconditionally secure proactive verifiable secret sharing schemes. We review the unconditionally secure verifiable secret sharing scheme described by Stinson and Wei, discuss a problem with the proactive version of that scheme, and present a modified version which is proactively secure.

Journal ArticleDOI
TL;DR: The protocol eliminates the need for a cipher, yet effectively combines the advantages of symmetric and public-key ciphers, and can be used to build a new key management scheme that allows the service providers to generate different keys for different sets of receivers, and to renew these keys in a convenient way.
Abstract: Digital multimedia content is delivered to homes via the Internet, satellite, terrestrial and cable networks. Scrambling is a common approach used by conditional access systems to prevent unauthorized access to audio/visual data. The descrambling keys are securely distributed to the receivers in the same transmission channel. Their protection is an important part of the key management problem. Although public-key cryptography provides a viable solution, alternative methods are sought for economy and efficiency. Message authentication is an important objective of information security in modern electronic distribution networks. This objective is met by providing the receiver of a message an assurance of the sender's identity. As physical protection such as sealed envelopes is not possible for messages expressed as binary sequences, digital tools have been developed using cryptography. A major limitation of all cryptographic methods for message authentication lies in their use of algorithms with fixed symmetric or public keys. This paper presents a key transport protocol based on secret sharing. Conditional access and message authentication are two important application areas for which the advantages of the proposed protocol are discussed. The protocol eliminates the need for a cipher, yet effectively combines the advantages of symmetric and public-key ciphers. It can be used to build a new key management scheme that allows the service providers to generate different keys for different sets of receivers, and to renew these keys in a convenient way.

Journal ArticleDOI
TL;DR: A new decomposition technique, called the weighted decomposition construction, is presented, which improves the information rates in four cases out of the 18 cases of secret sharing schemes left unsolved for connected graphs on six vertices.
Abstract: The purpose of this paper is to present a new decomposition technique, called the weighted decomposition construction, for perfect secret sharing schemes with general access structures. This construction is more general than previous constructions. Based on the weighted decomposition construction, we improve the information rates in four cases out of the 18 cases of secret sharing schemes left unsolved for connected graphs on six vertices.

Patent
18 Apr 2002
TL;DR: In this article, a method of constructing shares in a secret is described, which operates in a network comprising a number of computing devices, each arranged to securely store at least one share in the secret k for which n shares are required to reconstruct the secret and to which access to a number m of the shares can be reliably provided at any given time.
Abstract: A method of constructing shares in a secret is disclosed. The method operates in a network comprising a number of computing devices, each arranged to securely store at least one share in the secret k for which n shares are required to reconstruct the secret and to which access to a number m of the shares can be reliably provided at any given time. The method comprises the steps of: determining n shares for an n-of-n secret sharing scheme, each share comprising a value y; storing at least some of the shares in the computing devices such that at least m of the n shares are reliably accessible; determining the shared secret k according to the shares y; determining a further (n-m) shares consistent with the shared secret k and the shares y; and storing the additional shares in a reliably accessible location.

Book ChapterDOI
28 Nov 2002
TL;DR: In this paper, MDS codes have interesting properties that can be used to construct ideal threshold schemes, which permit the combiner to detect cheating, identify cheaters and recover the correct secret.
Abstract: We observe that MDS codes have interesting properties that can be used to construct ideal threshold schemes. These schemes permit the combiner to detect cheating, identify cheaters and recover the correct secret. The construction is later generalised so the resulting secret sharing is resistant against the Tompa-Woll cheating.

Proceedings ArticleDOI
01 Dec 2002
TL;DR: Experimental results show that both algorithms have the desired properties such as invisibility, reliable detection and robustness against a wide range of imaging processing operations.
Abstract: Though many image watermarking schemes have been proposed, none of them can resolve the problem of joint ownership. This paper proposes two novel algorithms that make use of a secret sharing scheme in cryptography to address this problem. The first one applies Shamir's (2, 2) threshold scheme to the watermarking algorithm. A watermark, which is a gaussian distributed random vector determined by two keys, is embedded to selected coefficients in all middle bands in the wavelet domain of an image, so that only when the two keys are put together can the ownership be verified. The second algorithm is a modification of the first one. Three random watermarks are embedded to middle bands in the wavelet domain of an image. For the watermark detection, two thresholds are set, so the watermark detector can verify partial ownership as well as full ownership. Experimental results show that both algorithms have the desired properties such as invisibility, reliable detection and robustness against a wide range of imaging processing operations.

Patent
Mehrdad Nadooshan, Jian Ren
19 Sep 2002
TL;DR: The multiple threshold secret sharing scheme as mentioned in this paper divides a secret value, R, into n secret components (R1, R2, ..., Rn) and one super component, S, in such a way that R can be computed from (i) any k or more Ri components (k < n); or (ii) S and any one component Ri.
Abstract: A method and apparatus are disclosed for managing components of a secret key according to a secret sharing scheme. The disclosed secret sharing scheme divides a secret value, R, into n secret components (R1, R2, ..., Rn) and one super component, S, in such a way that R can be computed from (i) any k or more Ri components (k < n); or (ii) S and any one component Ri. The secret components (R1, R2, ..., Rn) are distributed to a number of authorized users. A multiple threshold secret sharing scheme assigns various users in a group into one of a number of classes. Each user class has a corresponding threshold level that indicates the number of users that must come together with their assigned components to obtain access to the shared secret. The multiple threshold scheme divides the secret into n components each having an assigned threshold level (i.e., the number of such components that are required to obtain the secret). Any component having a lower threshold level can satisfy the role of a component having a higher threshold level. The multiple threshold scheme provides a hierarchical scheme that allows the secret, R, to be shared among different groups of people with different thresholds.

Posted Content
TL;DR: In this paper, Chen et al. proposed an unconditionally secure proactive secret sharing scheme over any access structure, as long as it admits a linear secret sharing (LSSS) scheme.
Abstract: Verifiable secret sharing schemes (VSS) are secret sharing schemes (SSS) dealing with possible cheating by participants. In this paper we use the VSS proposed by Cramer, Damgard and Maurer [6, 7, 5]. They introduced a purely linear algebraic method to transform monotone span program (MSP) based secret sharing schemes into VSS. In fact, the monotone span program model of Karchmer and Wigderson [14] deals with arbitrary monotone access structures and not just threshold ones. Stinson and Wei [17] proposed a proactive SSS based on threshold (polynomial) VSS. The purpose of this paper is to build unconditionally secure proactive SSS over any access structure, as long as it admits a linear secret sharing scheme (LSSS).

Journal ArticleDOI
TL;DR: Some new lower bounds on the optimal information rate and the optimal average information rate of secret sharing schemes with homogeneous access structure are presented by using some covering constructions and a new parameter, the k-degree of a participant, that is introduced.

Book ChapterDOI
18 Aug 2002
TL;DR: The approach, establishing the minimal conditions for security (and hence the common denominator of the known schemes), can lead to the design of more efficient VSS and DC schemes for general adversary structures.
Abstract: We present a general treatment of all non-cryptographic (i.e., information-theoretically secure) linear verifiable-secret-sharing (VSS) and distributed-commitment (DC) schemes, based on an underlying secret sharing scheme, pairwise checks between players, complaints, and accusations of the dealer. VSS and DC are main building blocks for unconditional secure multi-party computation protocols. This general approach covers all known linear VSS and DC schemes. The main theorem states that the security of a scheme is equivalent to a pure linear-algebra condition on the linear mappings (e.g. described as matrices and vectors) describing the scheme. The security of all known schemes follows as corollaries whose proofs are pure linear-algebra arguments, in contrast to some hybrid arguments used in the literature. Our approach is demonstrated for the CDM DC scheme, which we generalize to be secure against mixed adversary settings (some curious and some dishonest players), and for the classical BGW VSS scheme, for which we show that some of the checks between players are superfluous, i.e., the scheme is not optimal. More generally, our approach, establishing the minimal conditions for security (and hence the common denominator of the known schemes), can lead to the design of more efficient VSS and DC schemes for general adversary structures.

Journal Article
TL;DR: In this paper, it was shown that the verifiable secret sharing scheme (VSS) already constitutes a commitment multiplication proof (CMP) in the random oracle model, and that it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic.
Abstract: A commitment multiplication proof, CMP for short, allows a player who is committed to secrets s, s' and s'' = s·s', to prove, without revealing s, s' or s'', that indeed s'' = ss'. CMP is an important building block for secure general multi-party computation as well as threshold cryptography. In the standard cryptographic model, a CMP is typically done interactively using zero-knowledge protocols. In the random oracle model it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic. An alternative non-interactive solution in the distributed setting, where at most a certain fraction of the verifiers are malicious, was presented in [1] for Pedersen's discrete log based commitment scheme. This CMP essentially consists of a few invocations of Pedersen's verifiable secret sharing scheme (VSS) and is secure in the standard model. In the first part of this paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen's VSS. Next we show how to construct non-interactive proofs of partial knowledge [8] in this distributed setting. This allows for instance to prove non-interactively the knowledge of l out of m given secrets, without revealing which ones. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting. In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen's VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [7], which cover a wide range of currently used schemes, suffice.

Book ChapterDOI
16 Dec 2002
TL;DR: This work gives a necessary condition and a sufficient condition for the existence of a secret sharing scheme for any given weighted lattice (that defines the access hierarchy) and provides a framework for designing non-perfect secret sharing schemes, using generalized monotone span programs (GenMSPs).
Abstract: In a secret sharing protocol, a dealer shares the secret such that only the subsets of players in the (monotone) access structure can reconstruct the secret, while subsets of players that are not in the access structure cannot reconstruct the secret. The sharing is perfect if the players of any set not in the access structure have no information about the secret. Non-perfect secret sharing slackens the requirement as: the players of any set not in the access structure can have some information about the secret but cannot reconstruct the secret. All known schemes in the literature for non-perfect secret sharing are directed toward specific classes of the access hierarchy like threshold, ramp, multiple-level hierarchy etc. In this work, we initiate the study of a more general non-perfect secret sharing. We model the access hierarchy via a weighted lattice. We first give a necessary condition and a sufficient condition for the existence of a secret sharing scheme for any given weighted lattice (that defines the access hierarchy). Subsequently, we provide a framework for designing non-perfect secret sharing schemes, using generalized monotone span programs (GenMSPs). We also show how to construct new non-perfect secret sharing schemes by composition of known GenMSPs, and design an exemplary secret sharing algorithm that is based on and illustrates the above framework.

Journal ArticleDOI
TL;DR: Using low degree integral extensions of Z over which there exists a pair of sufficiently large Vandermonde matrices with co-prime determinants, a black-box secret sharing scheme with expansion factor O(log n), which is shown to be minimal, is constructed.
Abstract: A black-box secret sharing scheme for the threshold access structure T_t,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that the distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_t,n, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players, n, is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multi-party computation over black-box rings. In 1994 Desmedt and Frankel proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_t,n with 0 Using low degree integral extensions of Z over which there exists a pair of sufficiently large Vandermonde matrices with co-prime determinants, we construct, for arbitrary given T_t,n with 0 < t < n-1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.

Book ChapterDOI
01 Dec 2002
TL;DR: This paper improves Pedersen's verifiable secret sharing scheme (VSS) by arguing that a building block used in its construction in fact already constitutes a CMP, and shows how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting.
Abstract: A commitment multiplication proof, CMP for short, allows a player who is committed to secrets s, s′ and s″ = s·s′, to prove, without revealing s, s′ or s″, that indeed s″ = ss′. CMP is an important building block for secure general multi-party computation as well as threshold cryptography. In the standard cryptographic model, a CMP is typically done interactively using zero-knowledge protocols. In the random oracle model it can be done non-interactively by removing interaction using the Fiat-Shamir heuristic. An alternative non-interactive solution in the distributed setting, where at most a certain fraction of the verifiers are malicious, was presented in [1] for Pedersen's discrete log based commitment scheme. This CMP essentially consists of a few invocations of Pedersen's verifiable secret sharing scheme (VSS) and is secure in the standard model. In the first part of this paper, we improve that CMP by arguing that a building block used in its construction in fact already constitutes a CMP. This not only leads to a simplified exposition, but also saves on the required number of invocations of Pedersen's VSS. Next we show how to construct non-interactive proofs of partial knowledge [8] in this distributed setting. This allows for instance to prove non-interactively the knowledge of l out of m given secrets, without revealing which ones. We also show how to construct efficient non-interactive zero-knowledge proofs for circuit satisfiability in the distributed setting. In the second part, we investigate generalizations to other homomorphic commitment schemes, and show that on the negative side, Pedersen's VSS cannot be generalized to arbitrary (black-box) homomorphic commitment schemes, while on the positive side, commitment schemes based on q-one-way-group-homomorphism [7], which cover a wide range of currently used schemes, suffice.