
Showing papers on "Secure multi-party computation published in 1994"


Book ChapterDOI
Hugo Krawczyk1
02 Jan 1994
TL;DR: An m-threshold scheme is presented, where m shares recover the secret but m - 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but only on the security parameter.
Abstract: A well-known fact in the theory of secret sharing schemes is that shares must be at least as long as the secret itself. However, the proof of this lower bound uses the notion of information theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications). We present an m-threshold scheme, where m shares recover the secret but m - 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but only on the security parameter. (The bound of |S|/m is clearly optimal if the secret is to be recovered from m shares.) Therefore, for moderately large secrets (a confidential file, a long message, a large data base) the savings in space and communication over traditional schemes are remarkable. The scheme is very simple and combines in a natural way traditional (perfect) secret sharing schemes, encryption, and information dispersal. It is provably secure given a secure (e.g., private key) encryption function.

421 citations


Proceedings ArticleDOI
23 May 1994
TL;DR: A minimal model for secure computation is presented.
Abstract: A Minimal Model for Secure Computation

288 citations


Journal ArticleDOI
TL;DR: The concept of multistage secret sharing (MSS) is proposed and a general implementation of MSS schemes given.
Abstract: The concept of multistage secret sharing (MSS) is proposed and a general implementation of MSS schemes given. In such a scheme, many secrets are shared in such a way that all secrets can be reconstructed separately. Each share is of the same size as that of any single shared secret.

167 citations


Journal ArticleDOI
27 Jun 1994
TL;DR: A method to derive information-theoretical upper bounds on the optimal information rate and the optimal average information rate of perfect secret sharing schemes based on connected graphs on six vertices is discussed.
Abstract: We present a method to derive information theoretical upper bounds on the information rate and average information rate of perfect secret sharing schemes. One of the applications is that in perfect secret sharing schemes for some access structures the shares need to be impractically large.

158 citations


Journal ArticleDOI
TL;DR: The problem of Verifiable Secret Sharing is the following: A dealer, who may be honest or cheating, can share a secret s, among n ≥ 2t + 1 players, where t players at most are cheaters.
Abstract: The problem of Verifiable Secret Sharing (VSS) is the following: A dealer, who may be honest or cheating, can share a secret s among n ≥ 2t + 1 players, where at most t players are cheaters. The sharing process will cause the dealer to commit himself to a secret s. If the dealer is honest, then, during the sharing process, the set of dishonest players will have no information about s. When the secret is reconstructed, at a later time, all honest players will reconstruct s. The solution that is given is a constant round protocol, with polynomial time local computations and polynomial message size. The protocol assumes private communication lines between every two participants, and a broadcast channel. The protocol achieves the desired properties with an exponentially small probability of error. A new tool, called Information Checking, which provides authentication and is not based on any unproven assumptions, is introduced, and may have wide application elsewhere. For the case in which it is known that the dealer is honest, a simple constant round protocol is proposed, without assuming broadcast. A weak version of secret sharing is defined: Weak Secret Sharing (WSS). WSS has the same properties as VSS for the sharing process. But, during reconstruction, if the dealer is dishonest, then he might obstruct the reconstruction of s. A protocol for WSS is also introduced. This protocol has an exponentially small probability of error. WSS is an essential building block for VSS. For certain applications, the much simpler WSS protocol suffices. All protocols introduced in this paper are secure in the Information Theoretic sense.

104 citations


Book ChapterDOI
02 Jan 1994
TL;DR: It is shown that any (k, n) threshold secret sharing algorithm in which any coalition of less than k participants has probability of successful cheating less than some ε
Abstract: In this paper we study the amount of secret information that must be given to participants in any secret sharing scheme that is secure against coalitions of dishonest participants in the model of Tompa and Woll [20]. We show that any (k, n) threshold secret sharing algorithm in which any coalition of less than k participants has probability of successful cheating less than some ε > 0 must give to each participant shares whose sizes are at least the size of the secret plus log 1/ε.

103 citations


Book ChapterDOI
02 Jan 1994
TL;DR: This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes.
Abstract: This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes. We define natural classes of NSS and derive a lower bound of |V_i| for those classes. "Ideal" nonperfect schemes are defined based on this lower bound. We prove that every such ideal secret sharing scheme has a matroid structure. The rank function of the matroid is given by the entropy divided by some constant. It satisfies a simple equation which represents the access level of each subset of participants.

100 citations


Journal ArticleDOI
TL;DR: The authors give new constructions for multipart, multilevel, democratic and prepositioned schemes and demonstrate how known methods for detecting cheaters and disenrolling participants can be incorporated into Shamir's scheme.

62 citations


Proceedings ArticleDOI
02 Nov 1994
TL;DR: The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields that has the disenrollment capability and examines a problem of covert channels which are present in any secret sharing scheme.
Abstract: The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields. It is shown how to generate shares so the scheme has the disenrollment capability. Next a family of conditionally secure Shamir schemes is defined and the disenrollment capability is investigated for the family. The paper also examines a problem of covert channels which are present in any secret sharing scheme.

38 citations


01 Jan 1994
TL;DR: This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents, and presents new protocols, both for general secure computation and for specific tasks.
Abstract: This thesis addresses the topic of secure distributed computation, a general and powerful tool for balancing cooperation and mistrust among independent agents. We study many related models, which differ as to the allowable communication among agents, the ways in which agents may misbehave, and the complexity (cryptographic) assumptions that are made. We present new protocols, both for general secure computation (i.e., of any function over a finite domain) and for specific tasks (e.g., electronic money). We investigate fundamental relationships among security needs and various resource requirements, with an emphasis on communication complexity. A number of mathematical methods are employed for our investigations, including algebraic, graph-theoretic, and cryptographic techniques.

38 citations


Journal ArticleDOI
TL;DR: A simple (t, w) threshold scheme is proposed based on the use of cryptographically strong pseudo-random functions and universal hash functions and a remarkable advantage of the scheme is that a shareholder can use a single string in the share of many different secrets.
Abstract: A (t, w) threshold scheme is a method for sharing a secret among w shareholders so that the collaboration of at least t shareholders is required in order to reconstruct the shared secret. This paper is concerned with the re-use of shares possessed by shareholders in threshold schemes. We propose a simple (t, w) threshold scheme based on the use of cryptographically strong pseudo-random functions and universal hash functions. A remarkable advantage of the scheme is that a shareholder can use a single string in the share of many different secrets; in particular, a shareholder need not be given a new share each time a new secret is to be shared.

Book ChapterDOI
02 Jan 1994
TL;DR: This work gives a protocol for proving non-interactively and in perfect zero knowledge the veridicity of any "threshold" statement where atoms are statements about the quadratic character of input elements.
Abstract: In this work we study relations between secret sharing and perfect zero knowledge in the non-interactive model. Both secret sharing schemes and non-interactive zero knowledge are important cryptographic primitives with several applications in the management of cryptographic keys, in multi-party secure protocols, and many other areas. Secret sharing schemes are very well-studied objects while non-interactive perfect zero-knowledge proofs seem to be very elusive. In fact, since the introduction of the non-interactive model for zero knowledge, the only perfect zero-knowledge proof known was for quadratic non residues. In this work, we show that a large class of languages related to quadratic residuosity admits non-interactive perfect zero-knowledge proofs. More precisely, we give a protocol for proving non-interactively and in perfect zero knowledge the veridicity of any "threshold" statement where atoms are statements about the quadratic character of input elements. We show that our technique is very general and extend this result to any secret sharing scheme (of which threshold schemes are just an example).

Book ChapterDOI
28 Nov 1994
TL;DR: A general lower bound on |V_i| is presented, which includes the previous lower bounds for perfect SSs and nonperfect SSs as special cases, and the optimum size of V_i for a certain access hierarchy is determined.
Abstract: In a secret sharing scheme (SS), a dealer D distributes a piece of information V_i of a secret S to each participant P_i. If we desire that |V_i| < |S|, a nonperfect SS must be used, in which there exists a semi-access set C that has some information on S, but cannot recover S. This paper first presents a general lower bound on |V_i| which includes the previous lower bounds for perfect SSs and nonperfect SSs as special cases. There exist, however, access hierarchies in which |V_i| must be larger than the general lower bound. As our second contribution, we determine the optimum size of V_i for such an access hierarchy.

Book ChapterDOI
09 May 1994
TL;DR: It is proved that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about n/log n times the secret size.
Abstract: A secret sharing scheme permits a secret to be shared among participants of an n-element group in such a way that only qualified subsets of participants can recover the secret. If any non-qualified subset has absolutely no information on the secret, then the scheme is called perfect. The share in a scheme is the information that a participant must remember. We prove that for each n there exists an access structure on n participants so that any perfect sharing scheme must give some participant a share which is at least about n/log n times the secret size. We also show that the best possible result achievable by the information theoretic method used here is n times the secret size.

Book ChapterDOI
09 May 1994
TL;DR: This paper presents an outline of an algorithm for determining whether a rational number can be realized as information rate by means of the generalized vector space construction and shows a correspondence between the duality of access structures and the duality of codes.
Abstract: In this paper, we generalize the vector space construction due to Brickell [5]. This generalization, introduced by Bertilsson [1], leads to perfect secret sharing schemes with rational information rates in which the secret can be computed efficiently by each qualified group. A one to one correspondence between the generalized construction and linear block codes is stated. It turns out that the approach of minimal codewords by Massey [15] is a special case of this construction. For general access structures we present an outline of an algorithm for determining whether a rational number can be realized as information rate by means of the generalized vector space construction. If so, the algorithm produces a perfect secret sharing scheme with this information rate. As a side-result we show a correspondence between the duality of access structures and the duality of codes.

Book ChapterDOI
09 May 1994
TL;DR: A general result is proved on the randomness needed to construct a scheme for the cycle C_n; when n is odd the authors' bound is tight.
Abstract: The problem we deal with in this paper is finding upper and lower bounds on the randomness required by the dealer to set up a secret sharing scheme. We give both lower and upper bounds for infinite classes of access structures. Lower bounds are obtained using entropy arguments. Upper bounds derive from a decomposition construction based on combinatorial designs (in particular, t-(v, k, λ) designs). We prove a general result on the randomness needed to construct a scheme for the cycle C_n; when n is odd our bound is tight. We study the access structures on at most four participants and the connected graphs on five vertices, obtaining exact values for the randomness for all of them. Also, we analyze the number of random bits required to construct anonymous threshold schemes, giving upper bounds. (Informally, anonymous threshold schemes are schemes in which the secret can be reconstructed without knowledge of which participants hold which shares.)

01 Jan 1994
TL;DR: The mathematical structures which have been used to model secret sharing schemes and variations which can be incorporated into these schemes to increase their flexibility and the detection of cheaters are discussed.
Abstract: This article documents some of the known constructions for secret sharing schemes. It includes a discussion of the mathematical structures which have been used to model secret sharing schemes, the establishment of secret sharing schemes which do not require the existence of a trusted authority to administer them, variations which can be incorporated into these schemes to increase their flexibility and the detection of cheaters.

Proceedings ArticleDOI
01 Dec 1994
TL;DR: A subliminal-free key distribution phase for a secret sharing scheme with a general access structure is presented and subliminal-free recomputation is discussed.
Abstract: Since Simmons (1984) discussed the fact that a secret message, which he called a subliminal channel, can be hidden inside the authenticator, many subliminal-free cryptosystems have been presented. We present a subliminal-free key distribution phase for a secret sharing scheme with a general access structure and discuss subliminal-free recomputation.

Proceedings ArticleDOI
12 Jun 1994
TL;DR: The authors propose an efficient construction of perfect secret sharing schemes for the access structures consisting of the closure of a graph where a vertex denotes a participant and an edge denotes a minimal qualified pair of participants.
Abstract: A secret sharing scheme is a method which allows a secret to be shared among a finite set of participants in such a way that only qualified subsets of participants can recover it. A secret sharing scheme is called perfect if unqualified subsets of participants obtain no information about the secret. The authors propose an efficient construction of perfect secret sharing schemes for the access structures consisting of the closure of a graph where a vertex denotes a participant and an edge denotes a minimal qualified pair of participants. The information rate of the scheme is at least 1/(2|P|), where P denotes the set of the participants, which is better than the O(1/|P|^2) of existing schemes used for graph-based access structures. The authors also present an application of the scheme to the reduction of storage and computation loads on the key distribution server in a secure network.

Book ChapterDOI
28 Nov 1994
TL;DR: In a perfect secret sharing scheme, it is known that log2 |V_i| ≥ H(S), where S is a secret and V_i is the share of user i, and if S is not uniformly distributed, log2 |Ŝ| > H(S).
Abstract: In a perfect secret sharing scheme, it is known that log2 |V_i| ≥ H(S), where S is a secret and V_i is the share of user i. On the other hand, log2 |Ŝ| ≥ H(S), where Ŝ is the domain of S. The equality holds if and only if S is uniformly distributed. Therefore, if S is uniformly distributed, we have |V_i| ≥ |Ŝ|. However, if S is not uniformly distributed, log2 |Ŝ| > H(S). In this case, we have log2 |V_i| ≥ H(S)


Book ChapterDOI
29 Sep 1994
TL;DR: The general area of secure distributed computing and the interplay between distributed computing and security/cryptography research is reviewed and recent theoretical and practical developments are discussed.
Abstract: The general area of secure distributed computing and the interplay between distributed computing and security/cryptography research is reviewed. Recent theoretical and practical developments are discussed.

Proceedings Article
01 Jan 1994
TL;DR: An implementation of Shamir secret sharing schemes based on exponentiation in Galois fields is described and it is shown how to generate shares so that the scheme has disenrollment capability.
Abstract: The paper describes an implementation of Shamir secret sharing schemes based on exponentiation in Galois fields. It is shown how to generate shares so that the scheme has disenrollment capability. A family of conditionally secure Shamir schemes is defined and its disenrollment capability is described. We also examine the problem of covert channels which are present in any secret sharing scheme.


Proceedings ArticleDOI
27 Jun 1994
TL;DR: The amount of private information that must be given to participants and the amount of randomness needed to set up secret sharing schemes are studied.
Abstract: We study the amount of private information that must be given to participants and the amount of randomness needed to set up secret sharing schemes. These quantities are important from the practical point of view since the security of any system tends to degrade as the amount of private information increases; moreover, since random bits are a natural (and hard to find) computational resource, the amount of randomness used in the computation is an important issue in the field of randomized algorithms.