
Showing papers on "Secret sharing published in 2014"


Journal ArticleDOI
TL;DR: This paper proposes Dekey, a new construction in which users do not need to manage any keys on their own but instead securely distribute the convergent key shares across multiple servers and demonstrates that Dekey incurs limited overhead in realistic environments.
Abstract: Data deduplication is a technique for eliminating duplicate copies of data, and has been widely used in cloud storage to reduce storage space and upload bandwidth. Promising as it is, an arising challenge is to perform secure deduplication in cloud storage. Although convergent encryption has been extensively adopted for secure deduplication, a critical issue of making convergent encryption practical is to efficiently and reliably manage a huge number of convergent keys. This paper makes the first attempt to formally address the problem of achieving efficient and reliable key management in secure deduplication. We first introduce a baseline approach in which each user holds an independent master key for encrypting the convergent keys and outsourcing them to the cloud. However, such a baseline key management scheme generates an enormous number of keys with the increasing number of users and requires users to dedicatedly protect the master keys. To this end, we propose Dekey, a new construction in which users do not need to manage any keys on their own but instead securely distribute the convergent key shares across multiple servers. Security analysis demonstrates that Dekey is secure in terms of the definitions specified in the proposed security model. As a proof of concept, we implement Dekey using the Ramp secret sharing scheme and demonstrate that Dekey incurs limited overhead in realistic environments.

511 citations


Patent
27 Oct 2014
TL;DR: In this paper, the authors propose a secret sharing scheme for protecting a set of storage devices using secret sharing in combination with an external secret, where the data of each storage device is encrypted with a device-specific key and this key is encrypted using the final master secret.
Abstract: A system, method, and computer-readable storage medium for protecting a set of storage devices using a secret sharing scheme in combination with an external secret. An initial master secret is generated and then transformed into a final master secret using an external secret. A plurality of shares are generated from the initial master secret and distributed to the storage devices. The data of each storage device is encrypted with a device-specific key, and this key is encrypted using the final master secret. In order to read the data on a given storage device, the initial master secret is reconstructed from a threshold number of shares and the external secret is retrieved. Next, the initial master secret is transformed into the final master secret using the external secret, and then the final master secret is used to decrypt the encrypted key of the given storage device.

126 citations


Book ChapterDOI
07 Dec 2014
TL;DR: In this article, a Password-Protected Secret Sharing (PPSS) scheme with parameters (t,n) was proposed, where a user Alice stores secret information among n servers so that she can later recover the information solely on the basis of her password.
Abstract: In a Password-Protected Secret Sharing (PPSS) scheme with parameters (t,n) (formalized by Bagherzandi et al. [2]), a user Alice stores secret information among n servers so that she can later recover the information solely on the basis of her password. The security requirement is similar to a (t,n)-threshold secret sharing, i.e., Alice can recover her secret as long as she can communicate with t + 1 honest servers but an attacker gaining access to t servers cannot learn any information about the secret. In particular, the system is secure against offline password attacks by an attacker controlling up to t servers. On the other hand, accounting for inevitable on-line attacks one allows the attacker an advantage proportional to the fraction of dictionary passwords tested in on-line interactions with the user and servers.

109 citations


Book ChapterDOI
28 May 2014
TL;DR: In this article, the authors present a new threshold implementation of AES-128 encryption that is 18% smaller, 75% faster and requires 8% less random bits than the implementation from Eurocrypt 2011.
Abstract: Threshold Implementations provide provable security against first-order power analysis attacks for hardware and software implementations. Like masking, the approach relies on secret sharing but it differs in the implementation of logic functions. At Eurocrypt 2011 Moradi et al. published the to date most compact Threshold Implementation of AES-128 encryption. Their work shows that the number of required random bits may be an additional evaluation criterion, next to area and speed. We present a new Threshold Implementation of AES-128 encryption that is 18% smaller, 75% faster and that requires 8% less random bits than the implementation from Eurocrypt 2011. In addition, we provide results of a practical security evaluation based on real power traces in adversary-friendly conditions. They confirm the first-order attack resistance of our implementation and show good resistance against higher-order attacks.

95 citations


Journal ArticleDOI
TL;DR: This study presents a secure Boolean-based secret image sharing scheme that uses a random image generating function to generate a random image from the secret images or shared images, which efficiently increases the sharing capacity without having to share the random image.

89 citations


Book ChapterDOI
24 Feb 2014
TL;DR: The complexity of realizing the “worst” functions in several standard models of information-theoretic cryptography, for the case of security against passive adversaries, is studied.
Abstract: We study the complexity of realizing the “worst” functions in several standard models of information-theoretic cryptography. In particular, for the case of security against passive adversaries, we obtain the following main results.

80 citations


Journal ArticleDOI
TL;DR: There is a strict relation between these two models of visual cryptography that to any random grid scheme corresponds a deterministic scheme and vice versa, which allows us to use results known in a model also in the other model.
Abstract: Visual cryptography is a special type of secret sharing. Two models of visual cryptography have been independently studied: 1) deterministic visual cryptography, introduced by Naor and Shamir, and 2) random grid visual cryptography, introduced by Kafri and Keren. In this paper, we show that there is a strict relation between these two models. In particular, we show that to any random grid scheme corresponds a deterministic scheme and vice versa. This allows us to use results known in a model also in the other model. By exploiting the (many) results known in the deterministic model, we are able to improve several schemes and to provide many upper bounds for the random grid model and by exploiting some results known for the random grid model, we are also able to provide new schemes for the deterministic model. A side effect of this paper is that future new results for any one of the two models should not ignore, and in fact be compared with, the results known in the other model.

65 citations


Journal ArticleDOI
TL;DR: The proposed secret sharing methods for natural images based on multi-cover adaptive steganography are more secure in terms of resistance against state-of-the-art steganalysis techniques and can be used to adaptively embed location-sensitive secrets.

62 citations


Journal ArticleDOI
TL;DR: A Ciphertext-Policy Attribute-Based Encryption, which is based on a recent secret sharing method called Linear Integer Secret Sharing Scheme (LISS), in which the encryptor can specify the access policy in terms of LISS matrix M, over the attributes in the system.

61 citations


Journal ArticleDOI
TL;DR: A random-grid-based nonexpanded visual cryptography scheme for generating both meaningful and noise-like shares is discussed, and a probability allocation method is proposed that is capable of producing the best contrast in both the share images and the stack image.
Abstract: This paper discusses a random-grid-based nonexpanded visual cryptography scheme for generating both meaningful and noise-like shares. First, the distribution of black pixels on the share images and the stack image is analyzed. A probability allocation method is then proposed that is capable of producing the best contrast in both the share images and the stack image. With our method, not only can different cover images be used to hide the secret image, but the contrast can be adjusted as needed. The most important result is the improvement of the visual quality of both the share images and the stack image to their theoretical maximum. Our meaningful visual secret sharing method is shown in experiments to be superior to past methods.

53 citations


Patent
19 Dec 2014
TL;DR: In this paper, a method is proposed in which a mobile computing device (MCD) recreates a cryptographic key from a user share, derived from data supplied by the user, and a locally stored share produced by a secret splitting algorithm, and then uses the recreated key to decrypt encrypted data stored on the MCD.
Abstract: A method includes (1) receiving, by a mobile computing device (MCD), user-specific data from a user, (2) processing (a) a user share of a cryptographic key, the user share being fixed based on the received user-specified data, and (b) a local share of the cryptographic key to recreate the cryptographic key, wherein the local share was created by applying a secret splitting algorithm to the cryptographic key and the user share to yield a set of non-fixed shares including the local share, the user share and the set of non-fixed shares making up a set of shares of the cryptographic key, the cryptographic key being recreatable from a strict subset of the set of shares, and (3) decrypting encrypted data stored on the MCD using the recreated cryptographic key, thereby providing access, using the decrypted encrypted data, to the resource.

Journal ArticleDOI
TL;DR: Numerical results reveal that the key rate is not sensitive to the strength of the atmospheric turbulence; the per-symbol signal-to-noise ratio and the training sequence length are the dominating factors.
Abstract: Security issues of free-space optical (FSO) communications are discussed. Based on a subcarrier intensity-modulated air-to-ground FSO system model, we first analyze the coherence time of the air-to-ground FSO link and show that under practical assumptions, scintillation reciprocity holds in the FSO communication system. A private secret-key-based cryptosystem with key management is introduced to enhance FSO security, and a key agreement approach is proposed based on statistics of the random atmospheric-turbulence-induced fading channel measurements. The secret key rate of the key agreement scheme is investigated for the gamma-gamma turbulence model. Practical key agreement protocols based on bidirectional channel identification are designed for different FSO communication scenarios. Our numerical results reveal that the key rate is not sensitive to the strength of the atmospheric turbulence; the per-symbol signal-to-noise ratio and the training sequence length are the dominating factors.

Proceedings ArticleDOI
15 Jul 2014
TL;DR: This paper introduces a new "packed" proactive secret sharing (PPSS) scheme, where the amortized communication and the amortized computational cost of maintaining each individual secret is optimal, resolving a long standing problem in this area.
Abstract: In PODC 1991 Ostrovsky and Yung [35] introduced the proactive security model, where corruptions spread throughout the network, analogous to the spread of a virus or a worm. PODC 2006 distinguished lecture by Danny Dolev, that also appears in the PODC06 proceedings, lists the above work as one of PODC's "Century Papers at the First Quarter-Century Milestone" [22]. At the very center of this work is the notion of proactive secret sharing schemes. Secret sharing schemes allow a dealer to distribute a secret among a group of parties such that while the group of parties jointly possess the secret, no sufficiently small subset of the parties can learn any information about the secret. The secret can be reconstructed only when a sufficient number of shares are combined together. Most secret sharing schemes assume that an adversary can only corrupt some fixed number of the parties over the entire lifetime of the secret; such a model is unrealistic in the case where over a long enough period of time, an adversary can eventually corrupt all parties or a large enough fraction that exceeds such a threshold. More specifically, in the proactive security model, the adversary is not limited in the number of parties it can corrupt, but rather in the rate of corruption with respect to a "rebooting" rate. Ostrovsky and Yung proposed the first proactive secret sharing scheme, which received a lot of follow-up attention. In the same paper, Ostrovsky and Yung also showed that constructing a general purpose secure multiparty computation (MPC) protocol in the proactive security model is feasible as long as the rate of corruption is a constant fraction of the parties. Their result, however, was shown only for stand-alone security and incurred a large polynomial communication overhead for each gate of the computation. 
Following the initial work defining the proactive security model, numerous cryptographic primitives and distributed protocols have been adapted to the proactive security model, such as proactively secure threshold encryption, proactive Byzantine agreement, proactive key management, proactive digital signatures, and many others. All these results use proactive secret sharing schemes. In this paper, we introduce a new "packed" proactive secret sharing (PPSS) scheme, where the amortized communication and the amortized computational cost of maintaining each individual secret is optimal (e.g., a constant rate), resolving a long standing problem in this area. Assuming secure point-to-point channels and authenticated, reliable broadcast over a synchronous network, our PPSS scheme can tolerate a 1/3-ε (resp. 1/2-ε) corruption rate against a malicious adversary, and is perfectly (resp. statistically) UC-secure, whereas all previous proactive secret sharing schemes have been secure under cryptographic assumptions only. As an application of our PPSS scheme, we show how to construct a proactive multiparty computation (PMPC) protocol with the same threshold as the PPSS scheme and near-linear communication complexity. The PMPC problem is very general and implies, for example, proactive Byzantine Agreement. Our PMPC result also matches the asymptotic communication complexity of the best known MPC results in the "classical" model of stationary faults [19].

Journal ArticleDOI
TL;DR: This paper proposes the first MTSS based on the Asmuth–Bloom's SS which is unconditionally secure and one unique feature is that each shareholder needs to keep only one private share.

Journal ArticleDOI
TL;DR: The security problem that an adversary can obtain the secret when there are more than t participants in Shamir's secret reconstruction is introduced and a secure secret reconstruction scheme, which prevents the adversary from obtaining the secret is proposed.
Abstract: In Shamir's (t, n) secret sharing (SS) scheme, the secret s is divided into n shares by a dealer and is shared among n shareholders in such a way that any t or more than t shares can reconstruct this secret; but fewer than t shares cannot obtain any information about the secret s. In this paper, we will introduce the security problem that an adversary can obtain the secret when there are more than t participants in Shamir's secret reconstruction. A secure secret reconstruction scheme, which prevents the adversary from obtaining the secret, is proposed. In our scheme, Lagrange components, which are linear combinations of shares, are used to reconstruct the secret. Lagrange components can protect shares unconditionally. We show that this scheme can be extended to design a multi-secret sharing scheme. All existing multi-secret sharing schemes are based on some cryptographic assumptions, such as a secure one-way function or solving the discrete logarithm problem; but our proposed multi-secret sharing scheme is unconditionally secure. Copyright © 2013 John Wiley & Sons, Ltd.

Proceedings ArticleDOI
28 Jul 2014
TL;DR: This paper proposes a programming language called SecreC with associated compilation techniques for simple orchestration of multiple SMC techniques and multiple protection domains; the authors have implemented the compiler for the language, integrated it with the Sharemind SMC framework, and are currently using it for new privacy-preserving applications.
Abstract: Secure Multi-party Computation (SMC) is seen as one of the main enablers for secure outsourcing of computation. Currently, there are many different SMC techniques (garbled circuits, secret sharing, homomorphic encryption, etc.) and none of them is clearly superior to others in terms of efficiency, security guarantees, ease of implementation, etc. For maximum efficiency, and for obeying the trust policies, a privacy-preserving application may wish to use several different SMC techniques for different operations it performs. A straightforward implementation of this application may result in a program that (i) contains a lot of duplicated code, differing only in the used SMC technique; (ii) is difficult to maintain, if policies or SMC implementations change; and (iii) is difficult to reuse in similar applications using different SMC techniques. In this paper, we propose a programming language called SecreC with associated compilation techniques for simple orchestration of multiple SMC techniques and multiple protection domains. It is a simple imperative language with function calls where the types of data items are annotated with protection domains and where the function declarations may be domain-polymorphic. This allows most of the program code working with private data to be written in a SMC-technique-agnostic manner. It also allows rapid deployment of new SMC techniques and implementations in existing applications. We have implemented the compiler for the language, integrated it with Sharemind SMC framework, and are currently using it for new privacy-preserving applications.

Book ChapterDOI
28 May 2014
TL;DR: This paper focuses on the scheme proposed by Carlet et al at FSE 2012, and improved by Roy and Vivek at CHES 2013, and shows that this scheme is today the most efficient one to secure a generic S-box at any order.
Abstract: To defeat side-channel attacks, the implementation of block cipher algorithms in embedded devices must include dedicated countermeasures. To this end, security designers usually apply secret sharing techniques and build masking schemes to securely operate on shared data. The popularity of this approach can be explained by the fact that it enables formal security proofs. The construction of masking schemes thwarting higher-order side-channel attacks, which correspond to a powerful adversary able to exploit the leakage of the different shares, has been a hot topic during the last decade. Several solutions have been proposed, usually at the cost of significant performance overheads. As a result, the quest for efficient masked S-box implementations is still ongoing. In this paper, we focus on the scheme proposed by Carlet et al. at FSE 2012, and later improved by Roy and Vivek at CHES 2013. This scheme is today the most efficient one to secure a generic S-box at any order. By exploiting an idea introduced by Coron et al. at FSE 2013, we show that Carlet et al.'s scheme can still be improved for S-boxes with input dimension larger than four. We obtain this result thanks to a new definition for the addition-chain exponentiation used during the masked S-box processing. For the AES and DES S-boxes, we show that our improvement leads to significant efficiency gains.

Journal ArticleDOI
TL;DR: This paper evaluates the performances of state-of-the-art higher order masking schemes for the AES, and shows that “packed secret sharing” based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases.
Abstract: In this paper, we evaluate the performances of state-of-the-art higher order masking schemes for the AES. Doing so, we pay a particular attention to the comparison between specialized solutions introduced exclusively as countermeasures against side-channel analysis, and a recent proposal by Roche and Prouff exploiting multiparty computation (MPC) techniques. We show that the additional security features this latter scheme provides (e.g., its glitch-freeness) come at the cost of large performance overheads. We then study how exploiting standard optimization techniques from the MPC literature can be used to reduce this gap. In particular, we show that “packed secret sharing” based on a modified multiplication algorithm can speed up MPC-based masking when the order of the masking scheme increases. Eventually, we discuss the randomness requirements of masked implementations. For this purpose, we first show with information theoretic arguments that the security guarantees of masking are only preserved if this randomness is uniform, and analyze the consequences of a deviation from this requirement. We then conclude the paper by including the cost of randomness generation in our performance evaluations. These results should help actual designers to choose a masking scheme based on security and performance constraints.

Book ChapterDOI
24 Feb 2014
TL;DR: Multi-linear secret-sharing schemes provide a simple non-interactive mechanism for computing shares of linear combinations of previously shared secrets and can be easily used in cryptographic protocols.
Abstract: Multi-linear secret-sharing schemes are the most common secret-sharing schemes. In these schemes the secret is composed of some field elements and the sharing is done by applying some fixed linear mapping on the field elements of the secret and some randomly chosen field elements. If the secret contains one field element, then the scheme is called linear. The importance of multi-linear schemes is that they provide a simple non-interactive mechanism for computing shares of linear combinations of previously shared secrets. Thus, they can be easily used in cryptographic protocols.

Book ChapterDOI
17 Aug 2014
TL;DR: This work proposes the first t-out-of-n TPASS protocol for any n > t that does not suffer from this shortcoming and proves its protocol secure in the UC framework, which for the particular case of password-based protocols offers important advantages over property-based definitions.
Abstract: Passwords are inherently vulnerable to dictionary attacks, but are quite secure if guessing attempts can be slowed down, for example by an online server. If this server gets compromised, however, the attacker can again perform an offline attack. The obvious remedy is to distribute the password verification process over multiple servers, so that the password remains secure as long as no more than a threshold of the servers are compromised. By letting these servers additionally host shares of a strong secret that the user can recover upon entering the correct password, the user can perform further cryptographic tasks using this strong secret as a key, such as encrypting data in the cloud. Threshold password-authenticated secret sharing (TPASS) protocols provide exactly this functionality. Unfortunately, the only two known schemes, by Bagherzandi et al. (CCS 2011) and Camenisch et al. (CCS 2012), leak the password if a user mistakenly executes the protocol with malicious servers. Authenticating to the wrong servers is a common scenario when users are tricked in phishing attacks. We propose the first t-out-of-n TPASS protocol for any n > t that does not suffer from this shortcoming. We prove our protocol secure in the UC framework, which for the particular case of password-based protocols offers important advantages over property-based definitions, e.g., by correctly modeling typos in password attempts.

Journal ArticleDOI
TL;DR: In the new scheme, each authorized subset of participants is able to recover both the secret and cover images losslessly whereas non-authorized subsets obtain no information about the secret image.

Journal ArticleDOI
TL;DR: The existing common coin protocol is extended to make it compatible with the new AVSS protocol that shares multiple secrets simultaneously, which is more communication efficient than all the existing common coin protocols.
Abstract: We present an efficient, optimally-resilient Asynchronous Byzantine Agreement (ABA) protocol involving $$n = 3t+1$$ parties over a completely asynchronous network, tolerating a computationally unbounded Byzantine adversary, capable of corrupting at most $$t$$ out of the $$n$$ parties. In comparison with the best known optimally-resilient ABA protocols of Canetti and Rabin (STOC 1993) and Abraham et al. (PODC 2008), our protocol is significantly more efficient in terms of the communication complexity. Our ABA protocol is built on a new statistical asynchronous verifiable secret sharing (AVSS) protocol with optimal resilience. Our AVSS protocol significantly improves the communication complexity of the only known statistical and optimally-resilient AVSS protocol of Canetti et al. Our AVSS protocol is further built on an asynchronous primitive called asynchronous weak commitment (AWC), while the AVSS of Canetti et al. is built on the primitive called asynchronous weak secret sharing (AWSS). We observe that AWC has weaker requirements than AWSS and hence it can be designed more efficiently than AWSS. The common coin primitive is one of the most important building blocks for the construction of an ABA protocol. In this paper, we extend the existing common coin protocol to make it compatible with our new AVSS protocol that shares multiple secrets simultaneously. As a byproduct, our new common coin protocol is more communication efficient than all the existing common coin protocols.

Proceedings ArticleDOI
03 Nov 2014
TL;DR: It is demonstrated that an alternative SNP encoding can simplify (private) computations, and make patient-side computation on a smartcard device extremely efficient, and a second protocol variant, based on secret sharing, further reduces online computation.
Abstract: Advances in DNA sequencing are bringing mass computational genomic testing increasingly closer to reality. The sensitivity of genetic data, however, prompts the need for carefully protecting patients' privacy. Also, it is crucial to conceal the test's specifics, which often constitute a pharmaceutical company's trade secret. This paper presents two cryptographic protocols for privately assessing a patient's genetic susceptibility to a disease, computing a weighted average of patient's genetic markers (the "SNPs") and their importance factor. We build on the architecture introduced by Ayday et al. but point out an important limitation of their model, namely, that the protocol leaks which and how many SNPs are tested. Then, we demonstrate that an alternative SNP encoding can simplify (private) computations, and make patient-side computation on a smartcard device extremely efficient. A second protocol variant, based on secret sharing, further reduces online computation.

Journal ArticleDOI
TL;DR: A Chinese remainder theorem-based VSS scheme without making any computational assumptions is proposed, which is a simple extension of the Asmuth-Bloom (t, n) SS and is unconditionally secure.
Abstract: A (t, n) secret sharing scheme (SS) enables a dealer to divide a secret into n shares in such a way that (i) the secret can be recovered successfully with t or more than t shares, and (ii) the secret cannot be recovered with fewer than t shares. A verifiable secret sharing scheme (VSS) has been proposed to allow shareholders to verify that their shares are generated by the dealer consistently without compromising the secrecy of both shares and the secret. So far, there is only one secure Chinese remainder theorem-based VSS using the RSA assumption. We propose a Chinese remainder theorem-based VSS scheme without making any computational assumptions, which is a simple extension of the Asmuth-Bloom (t, n) SS. Just like the most well-known Shamir's SS, the proposed VSS is unconditionally secure. We use a linear combination of both the secret and the verification secret to protect the secrecy of both the secret and shares in the verification. In addition, we show that no information is leaked when there are fewer than t shares in the secret reconstruction. Copyright © 2013 John Wiley & Sons, Ltd.

Patent
24 Sep 2014
TL;DR: In this paper, error correction codes (ECC) are used for secure secret sharing: an encrypted key is computed from a key and a number of random values, a key ECC for the encrypted key and the random values is computed under a first ECC scheme, and key fragments consisting of the encrypted key, the random values and the key ECC are stored on a number of storage servers.
Abstract: Utilizing error correction (ECC) for secure secret sharing includes computing an encrypted key using a key and a number of random values, computing, based on a first ECC scheme, a key ECC for the encrypted key and the random values, and storing a number of key fragments on a number of storage servers, the number of key fragments includes the encrypted key, the random values, and the key ECC.

Journal ArticleDOI
TL;DR: This work proposes a new MSSS, where each secret share has constant length (just one element), and formally proves its computational security in the random oracle model, the first formal analysis on the computational security of an MSSS.
Abstract: In a multi-secret sharing scheme (MSSS), $$\ell $$ different secrets are distributed among the players in some set $$\mathcal{P}=\{P_1,\ldots ,P_n\}$$, each one according to an access structure. The trivial solution to this problem is to run $$\ell $$ independent instances of a standard secret sharing scheme, one for each secret. In this solution, the length of the secret share to be stored by each player grows linearly with $$\ell $$ (when keeping all other parameters fixed). Multi-secret sharing schemes have been studied by the cryptographic community mostly from a theoretical perspective: different models and definitions have been proposed, for both unconditional (information-theoretic) and computational security. In the case of unconditional security, there are two different definitions. It has been proved that, for some particular cases of access structures that include the threshold case, an MSSS with the strongest level of unconditional security must have shares with length linear in $$\ell $$. Therefore, the optimal solution in this case is equivalent to the trivial one. In this work we prove that, even for a more relaxed notion of unconditional security, and for some kinds of access structures (in particular, threshold ones), we have the same efficiency problem: the length of each secret share must grow linearly with $$\ell $$. Since we want more efficient solutions, we move to the scenario of MSSSs with computational security. We propose a new MSSS, where each secret share has constant length (just one element), and we formally prove its computational security in the random oracle model. To the best of our knowledge, this is the first formal analysis on the computational security of an MSSS. We show the utility of the new MSSS by using it as a key ingredient in the design of two schemes for two new functionalities: multi-policy signatures and multi-policy decryption.
We prove the security of these two new multi-policy cryptosystems in a formal security model. The two new primitives provide similar functionalities as attribute-based cryptosystems, with some advantages and some drawbacks that we discuss at the end of this work.

Book ChapterDOI
07 Dec 2014
TL;DR: A computational secret-sharing scheme is a method that enables a dealer, who holds a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret.
Abstract: A computational secret-sharing scheme is a method that enables a dealer, who holds a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function.

Journal ArticleDOI
TL;DR: This work proposes a feasible multiparty error-correcting method, based on the binary search technique and the two-party Cascade error-correcting method, that solves the problem of the authorized set being unable to regain the initial secret correctly.
Abstract: Quantum secret sharing (QSS) refers to the process in which a secret is divided into several sub-secrets and sent to different users using quantum technology. Only users belonging to a specific subset (the authorized set) can reconstruct the initial secret correctly. In principle, the authorized set can regain the initial secret exactly from the sub-secrets. However, when realizing QSS in practice, because of the interference of various noises, the secret obtained by the authorized set may not be consistent with the initial one. For a particular class of QSS protocols, in which the bitwise XOR of the sub-secrets theoretically equals the initial secret, we propose a feasible multiparty error-correcting method based on the binary search technique and the two-party Cascade error-correcting method. With this method, we solve the problem of the authorized set being unable to regain the initial secret correctly. Finally, we analyze the optimal block length and the amount of leaked information, and realize a tripartite error-correcting method by experimental simulation.

Journal ArticleDOI
TL;DR: This paper proposes an authenticated group key distribution protocol based on the generalized Chinese remainder theorem that drastically reduces communication costs while maintaining at least the same degree of security.
Abstract: The group key distribution protocol is a mechanism for distributing a group key that is used to encrypt the communication data transmitted in an open group. Recently, a novel group key distribution protocol based on secret sharing was proposed. In that protocol, the group key information is broadcast in an open network environment, and only authorized group members can obtain the group key. However, the protocol requires each group member to broadcast a random challenge to the rest of the group members during the construction of the group key, which may increase communication cost and cause network traffic congestion. In this paper, we propose an authenticated group key distribution protocol based on the generalized Chinese remainder theorem that drastically reduces communication costs while maintaining at least the same degree of security. Our protocol is built on the secret sharing scheme based on the Chinese remainder theorem, which requires fewer computation operations than the previous work. Copyright © 2012 John Wiley & Sons, Ltd.

Journal ArticleDOI
TL;DR: This paper proposes a natural-image-based VSS scheme (NVSS scheme) that shares secret images via various carrier media to protect the secret and the participants during the transmission phase; experimental results indicate that the proposed approach is an excellent solution to the transmission risk problem of VSS schemes.
Abstract: Conventional visual secret sharing (VSS) schemes hide secret images in shares that are either printed on transparencies or encoded and stored in digital form. The shares can appear as noise-like pixels or as meaningful images, but either form may arouse suspicion and increase the interception risk during transmission of the shares. Hence, VSS schemes suffer from a transmission risk problem for the secret itself and for the participants who are involved in the VSS scheme. To address this problem, we propose a natural-image-based VSS scheme (NVSS scheme) that shares secret images via various carrier media to protect the secret and the participants during the transmission phase. The proposed (n,n)-NVSS scheme can share one digital secret image over n-1 arbitrarily selected natural images (called natural shares) and one noise-like share. The natural shares can be photos or hand-painted pictures in digital or printed form. The noise-like share is generated from these natural shares and the secret image. The unaltered natural shares are diverse and innocuous, thus greatly reducing the transmission risk problem. We also propose possible ways to hide the noise-like share to reduce the transmission risk for that share. Experimental results indicate that the proposed approach is an excellent solution to the transmission risk problem of VSS schemes.