Showing papers on "Secret sharing published in 2003"

Covering and secret sharing with linear codes

Abstract: Secret sharing has been a subject of study for over twenty years, and has had a number of real-world applications. There are several approaches to the construction of secret sharing schemes. One of them is based on coding theory. In principle, every linear code can be used to construct secret sharing schemes. But determining the access structure is very hard as this requires the complete characterisation of the minimal codewords of the underlying linear code, which is a difficult problem. In this paper we present a sufficient condition under which we are able to determine all the minimal codewords of certain linear codes. The condition is derived using exponential sums. We then construct some linear codes whose covering structure can be determined, and use them to construct secret sharing schemes with interesting access structures.

New bounds in secret-key agreement: the gap between formation and secrecy extraction

Abstract: Perfectly secret message transmission can be realized with only partially secret and weakly correlated information shared by the parties as soon as this information allows for the extraction of information-theoretically secret bits. The best known upper bound on the rate S at which such key bits can be generated has been the intrinsic information of the distribution modeling the parties', including the adversary's, knowledge. Based on a new property of the secret-key rate S, we introduce a conditional mutual information measure which is a stronger upper bound on S. Having thus seen that the intrinsic information of a distribution P is not always suitable for determining the number of secret bits extractable from P, we prove a different significance of it in the same context: It is a lower bound on the number of key bits required to generate P by public communication. Taken together, these two results imply that sometimes, (a possibly arbitrarily large fraction of) the correlation contained in distributed information cannot be extracted in the form of secret keys by any protocol.

New bounds in secret-key agreement: The gap between formation and secrecy extraction

Abstract: Perfectly secret message transmission can be realized with only partially secret and weakly correlated information shared by the parties as soon as this information allows for the extraction of information-theoretically secret bits. The best known upper bound on the rate S at which such key bits can be generated has been the intrinsic information of the distribution modeling the parties', including the adversary's, knowledge. Based on a new property of the secret-key rate S, we introduce a conditional mutual information measure which is a stronger upper bound on S. Having thus seen that the intrinsic information of a distribution P is not always suitable for determining the number of secret bits extractable from P, we prove a different significance of it in the same context: It is a lower bound on the number of key bits required to generate P by public communication. Taken together, these two results imply that sometimes, (a possibly arbitrarily large fraction of) the correlation contained in distributed information cannot be extracted in the form of secret keys by any protocol.

Intransitive non-interference for cryptographic purposes

Abstract: Information flow and non-interference have recently become very popular concepts for expressing both integrity and privacy properties. Because of the enormous potential of transmitting information using probabilistic methods of cryptography, interest arose in capturing probabilistic non-interference. We investigate the notion of intransitive probabilistic non-interference in reactive systems, i.e., downgrading of probabilistic information and detection of probabilistic information flow by one or more involved third parties. Based on concrete examples, we derive several definitions that comprise cryptography-related details like error probabilities and computational restrictions. This makes the definitions applicable to systems involving real cryptography. Detection of probabilistic information flow is significantly more complicated to define if several third parties are involved because of the possibilities of secret sharing. We solve this problem by graph-theoretic techniques.

Responsive security for stored data

Abstract: We present the design of a distributed store that offers various levels of security guarantees while tolerating a limited number of nodes that are compromised by an adversary. The store uses secret sharing schemes to offer security guarantees, namely, availability, confidentiality, and integrity. However, a pure secret sharing scheme could suffer from performance problems and high access costs. We integrate secret sharing with replication for better performance and to keep access costs low. The trade offs involved between availability and access cost on one hand and confidentiality and integrity on the other are analyzed. Our system differs from traditional approaches such as state machine or quorum-based replication that have been developed to tolerate Byzantine failures. Unlike such systems, we augment replication with secret sharing and offer weaker consistency guarantees. We demonstrate that such a hybrid scheme offers additional flexibility that is not possible with replication alone.

On the Power of Computational Secret Sharing

Abstract: Secret sharing is a very important primitive in cryptography and distributed computing. In this work, we consider computational secret sharing (CSS) which provably allows a smaller share size (and hence greater efficiency) than its information-theoretic counterparts. Extant CSS schemes result in succinct share-size and are in a few cases, like threshold access structures, optimal. However, in general, they are not efficient (share-size not polynomial in the number of players n), since they either assume efficient perfect schemes for the given access structure (as in [10]) or make use of exponential (in n) amount of public information (like in [5]). In this paper, our goal is to explore other classes of access structures that admit of efficient CSS, without making any other assumptions. We construct efficient CSS schemes for every access structure in monotone P. As of now, most of the efficient information-theoretic schemes known are for access structures in algebraic NC 2. Monotone P and algebraic NC 2 are not comparable in the sense one does not include other. Thus our work leads to secret sharing schemes for a new class of access structures. In the second part of the paper, we introduce the notion of secret sharing with a semi-trusted third party, and prove that in this relaxed model efficient CSS schemes exist for a wider class of access structures, namely monotone NP.

New traitor tracing schemes using bilinear map

Abstract: Mitsunari et al [15] presented a new traitor tracing scheme which uses Weil pairing in elliptic curves. To the best of our knowledge this is the first scheme that uses bilinear map. The claimed advantage of the scheme is that the ciphertext size is independent of the number of traitors. It is shown that the problem of constructing a pirate key by k colluders is as hard as the so-called "k-weak Diffie-Hellman problem".In this paper, we show an attack on this scheme in which traitors find a linear combination of their keys to construct a pirate key that can be used to decrypt the ciphertext. We identify a class of schemes, that includes MSK, with the property that correct tracing requires the ciphertext size to depend on the collusion threshold. We derive a lower bound on the size of the ciphertext that depends on the number of colluders.We propose a modification to MSK scheme, Scheme 1, which not only ensures constructing a pirate decoder is hard, but also has a number of significant advantages over the initial proposal. In particular, it is a public key traitor tracing scheme while the original scheme is a secret key traitor tracing scheme; it has a black box tracing algorithm while MSK scheme only has an open box tracing algorithm, and finally its security is provable (semantic secure against passive adversary) while there was no security proof for MSK.We also propose two other schemes based on bilinear pairing. Scheme~2, is a generic scheme and can be used with any linear error correcting code. Scheme~3 uses Shamir's secret sharing scheme and has the added property that the encrypted message can be targeted to a subset of users. This is by including user revocation property and allowing selected users to be revoked from the original set of users. We also give proof of security, similar to Scheme 1, and also a tracing algorithm for the two schemes. Finally we give an efficiency comparison for the three schemes against the most efficient schemes with similar security and traceability properties and show that all three schemes are the most efficient ones of their kind.

Unified criterion for security of secret sharing in terms of violation of Bell inequalities

Abstract: In secret sharing protocols, a secret is to be distributed among several partners such that leaving out any number of them, the rest do not have the complete information. Strong multiqubit correlations in the state by which secret sharing is carried out had been proposed as a criterion for security of such protocols against individual attacks by an eavesdropper. However we show that states with weak multiqubit correlations can also be used for secure secret sharing. That our state has weak multiqubit correlations is shown from the perspective of violation of local realism, and also by showing that its higher-order correlations are described by lower ones. We then present a unified criterion for security of secret sharing in terms of violation of local realism, which works when the secret sharing state is the Greenberger-Horne-Zeilinger state (with strong multiqubit correlations), as well as states of a different class (with weak multiqubit correlations).

Secret image sharing with capability of share data reduction

Abstract: A novel approach to secret image sharing based on a (k,n)-threshold scheme with the additional capability of share data re- duction is proposed. A secret image is first transformed into the fre- quency domain using the discrete cosine transform (DCT), which is ap- plied in most compression schemes. Then all the DCT coefficients except the first 10 lower frequency ones are discarded. And the values of the 2nd through the 10th coefficients are disarranged in such a way that they cannot be recovered without the first coefficient and that the inverse DCT of them cannot reveal the details of the original image. Finally, the first coefficient is encoded into a number of shares for a group of secret- sharing participants and the remaining nine manipulated coefficients are allowed to be accessible to the public. The overall effect of this scheme is achievement of effective secret sharing with good reduction of share data. The scheme is thus suitable for certain application environments, such as the uses of mobile or handheld devices, where only a small amount of network traffic for shared transmission and a small amount of space for data storage are allowed. Good experimental results proving the feasibility of the proposed approach are also included. © 2003 Society

A practical revocation scheme for broadcast encryption using smart cards

Abstract: We present an anti-pirate revocation scheme for broadcast encryption systems (e.g., pay TV), in which the data is encrypted to ensure payment by users. In the systems we consider decryption of keys is done on smart cards and key management is done in-band. Our starting point is a recent scheme of Naor and Pinkas. The basic scheme uses secret sharing to remove up to t parties, is information theoretic secure against coalitions of size t, and is capable of creating a new group key. However with current smart card technology, this scheme is only feasible for small system parameters, allowing up to about 100 pirates to be revoked before all the smart cards need to be replaced. We first present a novel implementation method of their basic scheme that distributes the work in novel ways among the smart card, set-top terminal, and center. Based on this, we construct several improved schemes for many stateful revocation rounds that scale to realistic system sizes. We allow up to about 10000 pirates to be revoked using current smart card technology before re-carding is needed. The transmission lengths of our constructions are on a par with those of the best tree-based schemes. However, our constructions have much lower smartcard CPU complexity: only O(1) smartcard operations per revocation round, as opposed to a poly-logarithmic complexity of the best tree-based schemes. We evaluate the system behavior via an exhaustive simulation study. Our simulations show that with mild assumptions on the piracy discovery rate, our constructions can perform effective pirate revocation for realistic broadcast encryption scenarios.

Spread: improving network security by multipath routing

Abstract: This paper considers the delivery of secret information across insecure networks. A novel end-to-end multipath secure data delivery scheme, secure protocol for reliable data delivery (SPREAD), is proposed as a complementary mechanism for the data confidentiality service in the public networks. The idea behind SPREAD is to improve the confidentiality by enforcing the secret sharing principle in the network via multipath routing. With a (T,N) secret sharing scheme, the message to be protected can be divided into N shares such that from any T or more shares, it can easily recover the message, while from any T-1 or less shares, it should be impossible to recover the message. Then using multipath routing, the shares are delivered across the network via multiple independent paths. The destination node reconstructs the original message upon receiving T or more shares. This paper presents the system architecture of the SPREAD scheme, including how to divide the secret message into multiple shares using the secret sharing scheme, how to find the desired multiple secure paths, as well as how to allocate the message shares onto each selected path such that maximum security can be achieved. The discussion on the optimal share allocations reveals that redundant SPREAD scheme is not only more secure but also more error-tolerant and fault-tolerant. The simulation results show that significantly reduced message interception ratio can be achieved by SPREAD.

A Practical Revocation Scheme for Broadcast Encryption Using Smart Cards Extended Abstract

Abstract: We present an anti-pirate revocation scheme for broadcast encryption systems (e.g., pay TV), in which the data is encrypted to ensure payment by users. In the systems we consider, decryption of keys is done on smartcards, and key management is done in-band. Our starting point is a recent scheme of Naor and Pinkas. The basic scheme uses secret sharing to remove up to t parties, is information theoretic secure against coalitions of size t, and is capable of creating a new group key. However, with current smartcard technology, this scheme is only feasible for small system parameters, allowing up to about 100 pirates to be revoked before all the smartcards need to be replaced. We first present a novel implementation method of their basic scheme that distributes the work in novel ways among the smartcard, set-top terminal, and center. Based on this, we construct several improved schemes for many stateful revocation rounds that scale to realistic system sizes. We allow up to about 10000 pirates to be revoked using current smartcard technology before re-carding is needed. The transmission lengths of our constructions are on par with those of the best tree-based schemes. However, our constructions have much lower smartcard CPU complexity: only O(1) smartcard operations per revocation round, as opposed to a poly-logarithmic complexity of the best treebased schemes. We evaluate the system behavior via an exhaustive simulation study. Our simulations show that with mild assumptions on the piracy discovery rate, our constructions can perform effective pirate revocation for realistic broadcast encryption scenarios.

Verifiable Secret Sharing for General Access Structures, with Application to Fully Distributed Proxy Signatures

Abstract: Secret sharing schemes are an essential part of distributed cryptographic systems. When dishonest participants are considered, then an appropriate tool are verifiable secret sharing schemes. Such schemes have been traditionally considered for a threshold scenario, in which all the participants play an equivalent role. In this work, we generalize some protocols dealing with verifiable secret sharing, in such a way that they run in a general distributed scenario for both the tolerated subsets of dishonest players and the subsets of honest players authorized to execute the different phases of the protocols.

Responsive security for stored data

Abstract: We present the design of a distributed store that offers various levels of security guarantees while tolerating a limited number of nodes that are compromised by an adversary. The store uses secret sharing schemes to offer security guarantees namely availability, confidentiality and integrity. However, a pure secret sharing scheme could suffer from performance problems and high access costs. We integrate secret sharing with replication for better performance and to keep access costs low. The tradeoffs involved between availability and access cost on one hand and confidentiality and integrity on the other are analyzed. Our system differs from traditional approaches such as state machine or quorum based replication that have been developed to tolerate Byzantine failures. Unlike such systems, we augment replication with secret sharing and demonstrate that such a hybrid scheme offers additional flexibility that is not possible with replication alone.

Sharing one secret vs. sharing many secrets

Abstract: A secret sharing scheme is a method for distributing a secret among several parties in such a way that only qualified subsets of the parties can reconstruct it and unqualified subsets receive no information about the secret. A multi-secret sharing scheme is the natural extension of a secret sharing scheme to the case in which many secrets need to be shared, each with respect to possibly different subsets of qualified parties. A multi-secret sharing scheme can be trivially realized by realizing a secret sharing scheme for each of the secrets.In this paper we address the natural questions of whether this simple construction is the most efficient as well, and, if not, how much improvement is possible over it, with respect to both efficiency measures used in the literature; namely, the maximum piece of information and the sum of all pieces of information distributed to all parties. We completely answer these questions, as follows. We show the first instance for which an improvement is possible; we prove a bound on how much improvement is possible with respect to both measures; and we show instances of multi-secret sharing schemes which achieve this improvement, with respect to both measures, thus showing that the above bound is tight.

Visual secret sharing schemes for plural secret images

Abstract: In this paper, a new method is proposed to construct a visual secret sharing scheme with a general access structure for plural secret images. Although the proposed scheme can be considered as an extension of Droste’s method that can encode only black-white images, it can encode plural gray-scale and/or color secret images. key words: visual secret sharing schemes, plural secret images, general access structures

A novel approach to digital image watermarking based on a generalized secret sharing scheme

Abstract: In the digital image watermarking community, the problem of joint ownership has not been adequately addressed. This paper proposes a novel algorithm that makes use of a generalized secret sharing scheme in cryptography to address this problem. Given that multiple owners create an image jointly, distinct keys are given to only an authorized group of owners so that only when all the members in the group present their keys can the ownership of the image be verified. Any owner alone cannot verify the image ownership. In addition, experimental results show that the proposed algorithm has the desired properties such as invisibility, reliable detection, and robustness against a wide range of image-processing operations.

A Representation of a Family of Secret Sharing Matroids

Abstract: Deciding whether a matroid is secret sharing or not is a well-known open problem. In Ng and Walker [6] it was shown that a matroid decomposes into uniform matroids under strong connectivity. The question then becomes as follows: when is a matroid m with N uniform components secret sharing? When N e 1, m corresponds to a uniform matroid and hence is secret sharing. In this paper we show, by constructing a representation using projective geometry, that all connected matroids with two uniform components are secret sharing

A new (t, n) threshold image hiding scheme for sharing a secret color image

Abstract: The objective of this research is to develop a method to hide a secret color image inside a set of meaningful color images. It allows a group of n members to share the secret image such that any t or more members can cooperatively construct the secret color image, but (t-1) or less members cannot. In addition, this technique has some outstanding properties. The embedded image can be 512 colors, and the size can be as big as that of the cover images. On the other hand, prior schemes have a secret weakness that some members may cheat other members to obtain their shares. Our new scheme can withstand the cheating attack. Therefore, the new technique is superior to previous works. Finally, our experimental results will also reveal that the distortion between our stego-image and cover image is inconspicuous.

Secure sessions from weak secrets

Abstract: Sometimes two parties who already share a weak secret k such as a password wish to share also a strong secret s such as a session key without revealing information about k to an active attacker. We assume that both parties can generate strong random numbers and forget secrets, and present new protocols for secure strong secret sharing, based on RSA, Diffie-Hellman, and El-Gamal. As well as being simpler and quicker than their predecessors, our protocols also have stronger security properties. In particular, our protocols make no cryptographic use of s and so do not impose subtle restrictions upon the use which is subsequently made of s by other protocols. Neither do we rely upon the existence of hash functions with serendipitous properties. In the course of presenting these protocols, we also consider how to frustrate some new types of cryptographic and system attack.

Whisper: Local Secret Maintenance in Sensor Networks

Abstract: : A challenge in resource-constrained sensor networks is to provide secure communication in an efficient manner, even in the presence of denial-of-service attacks. In this paper, we present a simple protocol for secret maintenance between a pair of network neighbors. We prove that Dolev-Yao adversaries cannot compromise the current secret shared by the neighbors, nor can they cause the neighbors to unduly waste resources. Moreover, we show that if the current secret between the pair is somehow disclosed, previous secrets are not compromised nor can future secrets be compromised. Finally, we propose several ways of bootstrapping the initial secrets of the neighbors.

Separating the power of monotone span programs over different fields

Abstract: Monotone span programs are a linear-algebraic model of computation. They are equivalent to linear secret sharing schemes and have various applications in cryptography and complexity. A fundamental question is how the choice of the field in which the algebraic operations are performed effects the power of the span program. In this paper we prove that the power of monotone span programs over finite fields of different characteristics is incomparable; we show a super-polynomial separation between any two fields with different characteristics, answering an open problem of Pudlak and Sgall (1998). Using this result we prove a super-polynomial lower bound for monotone span programs for a function in uniform - /spl Nscr/;/spl Cscr/;/sup 2/ (and therefore in /spl Pscr/;), answering an open problem of Babai, Wigderson, and Gal (1999). Finally, we show that quasi-linear schemes, a generalization of linear secret sharing schemes introduced in Beimel and Ishai (2001), are stronger than linear secret sharing schemes. In particular, this proves, without any assumptions, that non-linear secret sharing schemes are more efficient than linear secret sharing schemes.

Digital image watermarking for joint ownership verification without a trusted dealer

Abstract: In this paper, we propose a novel watermarking algorithm that makes use of a secret sharing scheme to address the problem of joint ownership verification for a digital image without a trusted dealer, which has not be addressed so far. Given that multiple owners create an image jointly, they collaboratively compute their own distinct keys without anyone else involved. For the watermarking detection, only when certain number of owners present their keys, can the ownership of the image be verified. Any owner alone can not verify the image ownership. In addition, experimental results show that the proposed algorithm has the desired properties such as invisibility, reliable detection and robustness against a wide range of imaging processing operations.

Secret sharing schemes on sparse homogeneous access structures with rank three.

Abstract: One of the main open problems in secret sharing is the characterization of the ideal access structures. This problem has been studied for several families of access structures with similar results. Namely, in all these families, the ideal access structures coincide with the vector space ones and, besides, the optimal information rate of a non-ideal access structure is at most $2/3$. An access structure is said to be $r$-homogeneous if there are exactly $r$ participants in every minimal qualified subset. A first approach to the characterization of the ideal $3$-homogeneous access structures is made in this paper. We show that the results in the previously studied families can not be directly generalized to this one. Nevertheless, we prove that the equivalences above apply to the family of the sparse $3$-homogeneous access structures, that is, those in which any subset of four participants contains at most two minimal qualified subsets. Besides, we give a complete description of the ideal sparse $3$-homogeneous access structures.