
Showing papers on "Secure multi-party computation published in 1991"


Book ChapterDOI
11 Aug 1991
TL;DR: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons.
Abstract: It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking with other persons. Any k of these persons can later find the secret (1 ≤ k ≤ n), whereas fewer than k persons get no (Shannon) information about the secret. The information rate of the scheme is 1/2 and the distribution as well as the verification requires approximately 2k modular multiplications per bit of the secret. It is also shown how a number of persons can choose a secret "in the well" and distribute it verifiably among themselves.
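The scheme summarized above is the commitment-based verifiable secret sharing usually referred to as Pedersen VSS: the dealer publishes one commitment per polynomial coefficient, and each participant checks their own share against those commitments with no interaction. The block below is an added example in the spirit of that construction, not code from the paper. It uses toy parameters (an order-1019 subgroup of Z_2039^*, fixed generators G=4 and H=9) chosen for readability; a real deployment needs a group of cryptographic size and an H whose discrete log to base G is unknown to the dealer, otherwise the dealer can open a commitment to any value. Note that each share is two field elements for a one-element secret, which is where the information rate of 1/2 comes from.

```python
"""Pedersen-style verifiable secret sharing over toy parameters (added example)."""
import secrets

# Toy group: P = 2Q + 1 with Q prime, arithmetic on shares is done mod Q and
# commitments live in the order-Q subgroup of Z_P^* (the quadratic residues).
Q = 1019             # prime
P = 2 * Q + 1        # 2039, also prime, so the subgroup has prime order Q
G = 4                # 2^2 mod P: a generator of the order-Q subgroup
H = 9                # 3^2 mod P: second generator; log_G(H) must be unknown to the dealer
                     # (fixed constants here purely for illustration)


def _rand_poly(const, degree):
    """Random polynomial over Z_Q with a chosen constant term."""
    return [const % Q] + [secrets.randbelow(Q) for _ in range(degree)]


def _eval(poly, x):
    """Horner evaluation of poly at x, modulo Q."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % Q
    return acc


def deal(secret, k, n):
    """Dealer: returns (commitments, shares) for a k-of-n sharing of secret.

    commitments[j] = G^a_j * H^b_j mod P is broadcast to everyone.
    shares[i-1] = (i, f(i), g(i)) is sent privately to participant i.
    """
    f = _rand_poly(secret, k - 1)                 # f(0) = secret
    g = _rand_poly(secrets.randbelow(Q), k - 1)   # blinding polynomial, g(0) random
    commitments = [pow(G, a, P) * pow(H, b, P) % P for a, b in zip(f, g)]
    shares = [(i, _eval(f, i), _eval(g, i)) for i in range(1, n + 1)]
    return commitments, shares


def verify_share(commitments, share):
    """Participant i checks locally that G^s * H^t == prod_j C_j^(i^j) mod P.

    A share that was altered by the dealer or in transit fails this check;
    no communication with other participants is needed.
    """
    i, s, t = share
    lhs = pow(G, s, P) * pow(H, t, P) % P
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, Q), P) % P   # exponents reduce mod the group order Q
    return lhs == rhs


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q from any k valid shares."""
    total = 0
    for i, s, _ in shares:
        num, den = 1, 1
        for j, _, _ in shares:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        total = (total + s * num * pow(den, -1, Q)) % Q
    return total


def demo():
    """3-of-5 sharing; returns (secret, recovered, recovered_from_other_subset, tampered_ok)."""
    secret = 777
    commitments, shares = deal(secret, k=3, n=5)
    assert all(verify_share(commitments, sh) for sh in shares)
    i, s, t = shares[1]
    tampered_ok = verify_share(commitments, (i, (s + 1) % Q, t))   # expected False
    recovered = reconstruct(shares[:3])
    alt = reconstruct([shares[0], shares[2], shares[4]])
    return secret, recovered, alt, tampered_ok


if __name__ == "__main__":
    print(demo())
```

The secrecy side of the scheme rests on the blinding polynomial: the published commitments reveal nothing about the coefficients of f even to an unbounded adversary, while the binding of the commitments (and hence the dealer's inability to cheat) relies on the discrete logarithm assumption, which is the reverse of the trade-off in Feldman-style VSS.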

2,543 citations


Book ChapterDOI
11 Aug 1991
TL;DR: Relative resilience provides modular proof techniques that other approaches lack: one may compare a sequence of protocols ranging from the real-world protocol to the ideal protocol, proving the relative resilience of each successive protocol with greater clarity and less complexity.
Abstract: The problem of secure multiparty computation is usually described as follows: each of n players in a network holds a private input xi. Together they would like to compute a function F(x1,...,xn) without revealing the inputs, even though no particular player can be trusted. Attempts to contrive formal definitions for the problem have treated properties of the solution separately (correctness, privacy, etc.), giving an ad hoc collection of desirable properties and varied definitions that do not support clear or comparable proofs. We propose a clear, concise, and unified definition for security and reliability in interactive computations. We develop a reduction called relative resilience that captures all desired properties at a single blow. Relative resilience allows one to classify and compare arbitrary protocols in terms of security and reliability, in the same way that Turing reductions allow one to classify and compare algorithms in terms of complexity. Security and reliability reduce to a simple statement: a protocol for F is resilient if it is as resilient as an ideal protocol in which a trusted host is available to compute F. Relative resilience captures the notions of security and reliability for a wide variety of interactive computations, including zero-knowledge proof systems, Byzantine Agreement, oblivious transfer, two-party oblivious circuit evaluation, among others. Relative resilience provides modular proof techniques that other approaches lack: one may compare a sequence of protocols ranging from the real-world protocol to the ideal protocol, proving the relative resilience of each successive protocol with greater clarity and less complexity. Folk theorems about the "transitivity" of security and the security of concatenated protocols are now provable; and the proofs reveal that such folk theorems fail under subtle conditions that have previously gone unnoticed. The conciseness and modularity of our definitions and proof techniques provide great clarity in designing and reasoning about protocols and have already led to provably secure protocols that are significantly more efficient than those appearing in the literature.

338 citations


Book ChapterDOI
08 Apr 1991
TL;DR: A single transmitter wishes to broadcast a secret to a chosen subset of its listeners without performing a separate encryption for each intended recipient; a general secret broadcasting scheme built on "k out of n" secret sharing is proposed, with an example based on polynomial interpolation and a related vector formulation.
Abstract: A single transmitter wishes to broadcast a secret to some subset of his listeners. He does not wish to perform, for each of the intended recipients, a separate encryption either of the secret or of a single key with which to protect the secret. A general method for such a secret broadcasting scheme is proposed. It is based on "k out of n" secret sharing. An example using polynomial interpolation is presented as well as a related vector formulation.

295 citations


Journal ArticleDOI
TL;DR: The authors show a relationship between ideal secret sharing schemes and matroids: an ideal scheme (one where any subset that learns anything about the key learns it entirely, and shares are drawn from the same set as keys) has an access structure that is determined by a matroid.
Abstract: In a secret sharing scheme a dealer has a secret key. There is a finite set P of participants and a set Γ of subsets of P. A secret sharing scheme with Γ as the access structure is a method which the dealer can use to distribute shares to each participant so that a subset of participants can determine the key if and only if that subset is in Γ. The share of a participant is the information sent by the dealer in private to the participant. A secret sharing scheme is ideal if any subset of participants who can use their shares to determine any information about the key can in fact actually determine the key, and if the set of possible shares is the same as the set of possible keys. In this paper we show a relationship between ideal secret sharing schemes and matroids.

267 citations


Book ChapterDOI
08 Apr 1991
TL;DR: A method for verifiable secret sharing is described, which allows non-interactive verification of the shares and is as secure as the Shamir secret sharing scheme in the proposed applications.
Abstract: This paper introduces distributed prover protocols. Such a protocol is a proof system in which a polynomially bounded prover is replaced by many provers each having partial information about the witness owned by the original prover. As an application of this concept, it is shown how the signer of undeniable signatures can distribute part of his secret key to n agents such that any k of these can verify a signature. This facility is useful in most applications of undeniable signatures, and as the proposed protocols are practical, the results in this paper make undeniable signatures more useful. The first part of the paper describes a method for verifiable secret sharing, which allows non-interactive verification of the shares and is as secure as the Shamir secret sharing scheme in the proposed applications.

259 citations


Proceedings Article
11 Aug 1991
TL;DR: The paper gives a definition of secure computation built on three ideas: run-by-run mimicking of an ideal evaluation, a special simulator that blends privacy and correctness, and adversarial awareness (the adversary should know, in a strong sense, certain information associated with the execution). A key consequence is the reducibility of secure protocols, which the authors regard as a cornerstone of a mature theory of secure computation.
Abstract: We define what it means for a network of communicating players to securely compute a function of privately held inputs. Intuitively, we wish to correctly compute its value in a manner which protects the privacy of each player's contribution, even though a powerful adversary may endeavor to disrupt this enterprise. This highly general and desirable goal has been around a long time, inspiring a large body of protocols, definitions, and ideas, starting with Yao [1982, 1986] and Goldreich, Micali and Wigderson [1987]. But all the while, it had resisted a full and satisfactory formulation. Our definition is built on several new ideas. Among them: (1) Closely mimicking an ideal evaluation. A secure protocol must mimic this abstraction in a run-by-run manner, our definition depending as much on individual executions as on global properties of ensembles. (2) Blending privacy and correctness in a novel way, using a special type of simulator designed for the purpose. (3) Requiring adversarial awareness, capturing the idea that the adversary should know, in a very strong sense, certain information associated to the execution of a protocol. Among the noteworthy and desirable properties of our definition is the reducibility of secure protocols, which we believe to be a cornerstone in a mature theory of secure computation.

255 citations


Book ChapterDOI
11 Aug 1991
TL;DR: It is shown that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size, the first proof that there exist access structures for which the best achievable information rate is bounded away from 1.
Abstract: A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any non-qualified subset has absolutely no information on the secret. The set of all qualified subsets defines the access structure to the secret. Sharing schemes are useful in the management of cryptographic keys and in multi-party secure protocols. We analyze the relationships among the entropies of the sample spaces from which the shares and the secret are chosen. We show that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size. This is the first proof that there exist access structures for which the best achievable information rate (i.e., the ratio between the size of the secret and that of the largest share) is bounded away from 1. The bound is the best possible, as we construct a secret sharing scheme for the above access structures which meets the bound with equality.

98 citations


Book ChapterDOI
11 Nov 1991
TL;DR: This paper proposes solutions to handle the generalized secret sharing policy of a threshold cryptosystem and investigates two different models for the group: one with a mutually trusted party in the group and the other one without.
Abstract: In a threshold cryptosystem, one can send an encrypted message to a group without knowing the internal secret sharing policy of the group. The encrypted ciphertext can only be deciphered by some users of the group according to the secret sharing policy. In this paper, we propose solutions to handle the generalized secret sharing policy. In addition, we investigate two different models for the group: one with a mutually trusted party in the group and the other one without.

35 citations


Book ChapterDOI
11 Nov 1991
TL;DR: A new secret sharing scheme is presented in this paper to realize the generalized secret sharing policy and any honest participant can detect and identify who is cheating even when all of the other participants corrupt together.
Abstract: A new secret sharing scheme is presented in this paper to realize the generalized secret sharing policy. Different from most of previous works, it is computationally secure and each participant holds only one single shadow. Any honest participant in this scheme can detect and identify who is cheating even when all of the other participants corrupt together. An extended algorithm is also proposed to protect the secret from dishonest participants without the assumption of simultaneous release of the shadows. With the (×,×)-homomorphism property, it can also be used to protect individual secrets while revealing the product of these secrets.

31 citations


Book ChapterDOI
Cynthia Dwork
11 Aug 1991
TL;DR: This paper separates a certain strong version of Unverified Secret Sharing (USS) from its VSS analogue in terms of the required number of processors, and introduces a new definition of secrecy, different from the Shannon definition, capturing the intuition that "information" received from faulty processors may not be informative at all.
Abstract: Verifiable Secret Sharing (VSS) has proven to be a powerful tool in the construction of fault-tolerant distributed algorithms. Previous results show that Unverified Secret Sharing, in which there are no requirements when the dealer is faulty during distribution of the secret, requires the same number of processors as VSS. This is counterintuitive: verification that the secret is well shared out should come at a price. In this paper, by focussing on information leaked to nonfaulty processors during verification, we separate a certain strong version of Unverified Secret Sharing (USS) from its VSS analogue in terms of the required number of processors. The proof of the separation theorem yields information about communication needed for the original VSS problem. In order to obtain the separation result we introduce a new definition of secrecy, different from the Shannon definition, capturing the intuition that "information" received from faulty processors may not be informative at all.

12 citations


Book ChapterDOI
Cynthia Dwork
01 Jun 1991
TL;DR: Known error-free VSS protocols share a small weakness: faulty processors can force a correct dealer to publicly reveal so much information that every correct processor learns the secret prematurely, even though no faulty processor learns anything about it. This paper removes that weakness without increasing the number of processors and while remaining error-free.
Abstract: Verifiable secret sharing has proven to be a powerful tool in the construction of fault-tolerant distributed algorithms. Many algorithms for VSS exist in the literature. These are of two types: small-error and error-free. In the small-error solutions, there is a small probability either that the dealer has not properly distributed the secret or that the faulty players can figure out the secret before reconstruction. In the error-free solutions neither of these can occur. However, the error-free solutions of which we are aware have a small weakness: the faulty processors can force a correct dealer to publicly reveal so much information that every correct processor learns the secret prematurely. This occurs despite the fact that no faulty processor learns anything at all about the secret. We overcome this weakness with no increase in the number of processors while remaining error-free.