
Showing papers on "Secure multi-party computation" published in 1996


Proceedings ArticleDOI
01 Jul 1996
TL;DR: This work proposes a novel property of encryption protocols and shows that if an encryption protocol enjoying this property is used, instead of a standard encryption scheme, then known constructions become adaptively secure.
Abstract: A fundamental problem in designing secure multi-party protocols is how to deal with adaptive adversaries (i.e., adversaries that may choose the corrupted parties during the course of the computation), in a setting where the channels are insecure and secure communication is achieved by cryptographic primitives based on computational limitations of the adversary. It turns out that the power of an adaptive adversary is greatly affected by the amount of information gathered upon the corruption of a party. This amount of information models the extent to which uncorrupted parties are trusted to carry out instructions that cannot be externally verified, such as erasing records of past configurations. It has been shown that if the parties are trusted to erase such records, then adaptively secure computation can be carried out using known primitives. However, this total trust in parties may be unrealistic in many scenarios. An important question, open since 1986, is whether adaptively secure multi-party computation can be carried out in the "insecure channel" setting, even if no party is thoroughly trusted. Our main result is an affirmative resolution of this question for the case where even uncorrupted parties may deviate from the protocol by keeping a record of all past configurations. We first propose a novel property of encryption protocols and show that if an encryption protocol enjoying this property is used, instead of a standard encryption scheme, then known constructions become adaptively secure. Next we construct, based on the standard RSA assumption, an encryption protocol that enjoys this property. We also consider parties that, even when corrupted, may internally deviate from their protocols in arbitrary ways, as long as no external test can detect faulty behavior. We show that in this case no non-trivial protocol can be proven adaptively secure using black-box simulation. This holds even if the communication channels are totally secure.

598 citations


Book ChapterDOI
Markus Stadler
12 May 1996
TL;DR: Schemes in which everybody, not only the participants, can verify that the shares are correctly distributed are called publicly verifiable secret sharing schemes; new applications to escrow cryptosystems and to payment systems with revocable anonymity are discussed, and two new realizations based on ElGamal's cryptosystem are presented.
Abstract: A secret sharing scheme allows a secret to be shared among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publicly verifiable secret sharing schemes. We discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem.

581 citations



Book ChapterDOI
18 Aug 1996
TL;DR: A new principle of construction for k out of n secret sharing schemes is presented which is easy to apply and in most cases gives much better results than the former principles.
Abstract: Naor and Shamir ([1]) defined the basic problem of visual cryptography by a visual variant of the k out of n secret sharing problem: how can an original picture be encoded by n transparencies so that fewer than k of them give no information about the original, but by stacking k of them the original can be seen? They described a solution to this problem by a structure called a k out of n secret sharing scheme whose parameters directly correspond to the quality and usability of the solution. In this paper a new principle of construction for such schemes is presented which is easy to apply and in most cases gives much better results than the former principles. New bounds on relevant parameters of k out of n schemes are developed, too. Furthermore, an extension of the basic problem is introduced and solved in which every combination of the transparencies can contain independent information.

249 citations


Journal ArticleDOI
TL;DR: This work establishes a connection between secure distributed computation and group-oriented cryptography, i.e., cryptographic methods in which subsets of individuals can act jointly as single agents with useful algebraic properties.
Abstract: This paper addresses the message complexity of secure computation in the (passive adversary) privacy setting. We show that O(nC) encrypted bits of communication suffice for n parties to evaluate any boolean circuit of size C privately, under a specific cryptographic assumption. This work establishes a connection between secure distributed computation and group-oriented cryptography, i.e., cryptographic methods in which subsets of individuals can act jointly as single agents. Our secure computation protocol relies on a new group-oriented probabilistic public-key encryption scheme with useful algebraic properties.

93 citations


Proceedings ArticleDOI
14 Oct 1996
TL;DR: The first general treatment of the coercion problem in secure computation was given in this paper, where the authors presented a general definition of protocols that provide resilience to coercion and showed that if trapdoor permutations exist then any function can be incoercibly computed (i.e., computed by a protocol that provides resilience to coercions) in the presence of computationally bounded adversaries and only public communication channels.
Abstract: Current secure multiparty protocols have the following deficiency. The public transcript of the communication can be used as an involuntary commitment of the parties to their inputs and outputs. Thus parties can be later coerced by some authority to reveal their private data. Previous work that has pointed this interesting problem out contained only partial treatment. The authors present the first general treatment of the coercion problem in secure computation. They first present a general definition of protocols that provide resilience to coercion. Their definition constitutes a natural extension of the general paradigm used for defining secure multiparty protocols. They next show that if trapdoor permutations exist then any function can be incoercibly computed (i.e., computed by a protocol that provides resilience to coercion) in the presence of computationally bounded adversaries and only public communication channels. This holds as long as less than half the parties are coerced (or corrupted). In particular, theirs are the first incoercible protocols without physical security assumptions. Also, the protocols constitute an alternative solution to the recently solved adaptive security problem. Their techniques are quite surprising and include non-standard use of deniable encryptions.

93 citations


Patent
21 Aug 1996
TL;DR: In this article, a secret sharing scheme for reconstructing a secret over a public communication channel using perfect t-out-of-n secret sharing is proposed, where the secret reconstructing procedure includes the following steps: (i) receiving over said public communication channel l-1 encoded secret shares from the l-1 participants, respectively; (ii) decoding each one of the l-1 encoded secret shares, thereby obtaining l-1 decoded secret shares; and (iii) reconstructing the secret from the l-1 decoded secret shares and from the self secret share of the recipient.
Abstract: A method for reconstructing a secret, over a public communication channel, using a perfect t-out-of-n secret sharing scheme. The scheme has a dealer which utilizes a delivering procedure for privately delivering n secret shares of the secret along with n keys to n participants that are interlinked by the channel. The scheme further has a secret reconstructing procedure, executed by selected recipient participants, for reconstructing the secret by utilizing the self secret share of the recipient participant and l-1 secret shares of the other participants. The secret reconstructing procedure includes the following steps: (i) receiving over said public communication channel l-1 encoded secret shares from the l-1 participants, respectively; (ii) decoding each one of the l-1 encoded secret shares, thereby obtaining l-1 decoded secret shares; and (iii) reconstructing the secret from the l-1 decoded secret shares and from the self secret share of the recipient participant.

87 citations


Journal ArticleDOI
TL;DR: Techniques for obtaining bounds on the information rates of perfect secret sharing schemes are discussed and illustrated using the set of monotone access structures on five participants.
Abstract: A perfect secret sharing scheme is a system for the protection of a secret among a number of participants in such a way that only certain subsets of these participants can reconstruct the secret, and the remaining subsets can obtain no additional information about the secret. The efficiency of a perfect secret sharing scheme can be assessed in terms of its information rates. In this paper we discuss techniques for obtaining bounds on the information rates of perfect secret sharing schemes and illustrate these techniques using the set of monotone access structures on five participants. We give a full listing of the known information rate bounds for all the monotone access structures on five participants.

78 citations


Journal ArticleDOI
TL;DR: This paper establishes a formal setting to study secret sharing schemes in which the dealer has the feature of being able to activate a particular access structure out of a given set and/or to allow the participants to reconstruct different secrets by sending to all participants the same broadcast message.

55 citations


Journal ArticleDOI
TL;DR: A systematic analysis of the amount of randomness needed by secret sharing schemes and secure key distribution schemes is given and a lower bound is provided, thus showing the optimality of a recently proposed key distribution protocol.
Abstract: Randomness is a useful computation resource due to its ability to enhance the capabilities of other resources. Its interaction with resources such as time, space, interaction with provers and its role in several areas of computer science has been extensively studied. In this paper we give a systematic analysis of the amount of randomness needed by secret sharing schemes and secure key distribution schemes. We give both upper and lower bounds on the number of random bits needed by secret sharing schemes. The bounds are tight for several classes of secret sharing schemes. For secure key distribution schemes we provide a lower bound on the amount of randomness needed, thus showing the optimality of a recently proposed key distribution protocol.

51 citations


Dissertation
01 Jan 1996
TL;DR: VSS protocols satisfying the requirements of the definition can be proven to remain secure even when used as sub-protocols inside larger protocols, and their security does not depend on unproven computational assumptions.
Abstract: Secret Sharing is a fundamental notion for secure cryptographic design. In a Secret Sharing protocol a dealer shares a secret among n parties. In the so-called threshold model, the sharing is done so that subsets of t + 1 (or more) parties can later reconstruct the secret, while subsets of t (or fewer) parties have no information about it. The notion can be generalized by having the dealer specify a family of subsets of the n parties, called the access structure. The dealer shares the secret in such a way that only subsets of players in such a family (usually called authorized subsets) can reconstruct the secret, while non-authorized subsets have no information about it. Verifiable Secret Sharing (VSS) protocols achieve the above task in the presence of maliciously behaving parties. In our thesis we present a new and stronger definition of VSS. The novelty of the definition is that it satisfies the composition property of secure protocols. That is, VSS protocols satisfying the requirements of our definition can be proven to remain secure even when used as sub-protocols inside larger protocols. Previous definitions did not enjoy this property. We also present the first VSS protocols in the access structure model whose security does not depend on unproven computational assumptions. One of the most important applications of VSS protocols is the implementation of robust shared signature schemes. Such protocols allow a group of servers to sign a document with a secret key that is shared among them. We present efficient threshold signature schemes for the Digital Signature Standard and the RSA Signature Algorithm. The protocols are fully robust, that is, they tolerate the presence of a threshold of malicious servers who may try to forge signatures or impede the signature process. Acknowledgments First and foremost I would like to thank my advisor, Silvio Micali. I just cannot imagine a better person to work with. His enthusiasm makes research work always exciting.
He is also an extremely supportive person, always ready to pump up your self-esteem when things do not go as well as desired. Special thanks are due to Shafi Goldwasser and Tal Rabin, for serving on my thesis committee. Shafi introduced me to cryptography and always showed a genuine interest in my research. Tal is not only a great person to work with, but also a special friend. The Theory Group at the MIT Laboratory for Computer Science has …

Journal ArticleDOI
TL;DR: The extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalized are explored and a general method of construction is provided for such schemes.
Abstract: We consider secret sharing schemes which, through an initial issuing of shares to a group of participants, permit a number of different secrets to be protected. Each secret is associated with a (potentially different) access structure and a particular secret can be reconstructed by any group of participants from its associated access structure without the need for further broadcast information. We consider ideal secret sharing schemes in this more general environment. In particular, we classify the collections of access structures that can be combined in such an ideal secret sharing scheme and we provide a general method of construction for such schemes. We also explore the extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalized.

Journal ArticleDOI
TL;DR: A protocol for computationally secure ‘on line’ secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused.
Abstract: A protocol for computationally secure ‘on line’ secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused.

Book ChapterDOI
03 Nov 1996
TL;DR: This paper uses visual secret sharing schemes to limit the space from which one can see the decoded image, and proposes a secure human identification scheme that is secure against peeping, and can detect simple fake terminals.
Abstract: In this paper, we propose new uses of visual secret sharing schemes. That is, we use visual secret sharing schemes to limit the space from which one can see the decoded image. (We call this scheme a limiting the visible space visual secret sharing scheme (LVSVSS).) We investigate the visibility of the decoded image when the viewpoint is changed, and categorize the space where the viewpoint belongs according to the visibility. Finally, we consider the application of LVSVSS to human identification, and propose a secure human identification scheme. The proposed human identification scheme is secure against peeping, and can detect simple fake terminals. Moreover, it can be implemented easily at a small cost.

Journal ArticleDOI
TL;DR: A secure voting scheme that reduces the cryptographic and communication requirements in comparison with other schemes which have been presented and can be easily implemented on any existing computer network.

Proceedings Article
30 May 1996
TL;DR: An architecture for a distributed key escrow system that might be suitable for deployment over very large-scale networks such as the Internet is sketched and a new cryptographic primitive, oblivious multicast, is introduced that can serve as the basis for such a system.

Journal ArticleDOI
TL;DR: This paper presents an efficient construction of perfect secret sharing schemes for graph-based access structures, where a vertex denotes a participant and an edge denotes a qualified pair of participants, and an application of the scheme to the reduction of storage and computation loads on the communication granting server in a secure network.
Abstract: In this paper, we propose an efficient construction of perfect secret sharing schemes for graph-based access structures, where a vertex denotes a participant and an edge denotes a qualified pair of participants. The secret sharing scheme is based on the assumptions that the pairs of participants corresponding to edges in the graph can compute the master key but the pairs of participants corresponding to non-edges in the graph cannot. The information rate of our scheme is 1/(n − 1), where n is the number of participants. We also present an application of our scheme to the reduction of storage and computation loads on the communication granting server in a secure network.

Journal Article
TL;DR: This paper describes secret sharing schemes based on Room squares and their critical sets, and proposes a model of sharing based on critical sets of Room squares.
Abstract: In this paper, we describe secret sharing schemes. We discuss Room squares and their critical sets. We propose a model of sharing based on critical sets of Room squares.
Disciplines: Physical Sciences and Mathematics
Publication Details: Chaudhry G R, and Seberry J, Secret Sharing Schemes Based on Room Squares, Proceedings of DMTCS'96, December 1996, Auckland, New Zealand, Combinatorics, Complexity and Logic, Springer-Verlag Singapore 1996, 158-167. This conference paper is available at Research Online: http://ro.uow.edu.au/infopapers/1132

Book ChapterDOI
12 May 1996
TL;DR: Oblivious Transfer protocols are analyzed and enhanced to make them provably secure against attacks by adaptive 1-adversaries, who can choose at any time whether to corrupt Alice or Bob.
Abstract: We analyze and enhance Oblivious Transfer (OT) protocols to accommodate security against adaptive attacks. Previous analysis has been static in nature, treating the security of Alice and the security of Bob as separate cases, determined in advance. It remains unclear whether existing protocols are provably secure against adaptive attacks, but we provide enhancements to make them provably secure against attacks by adaptive 1-adversaries, who can choose at any time whether to corrupt Alice or Bob. We determine circumstances under which OT can be executed "in the open," without encrypting the messages, thereby giving simple alternatives to encrypting an entire interaction. We isolate equivocation properties that provide enough flexibility for a simulator to handle adaptive attacks. These properties also provide a means for classifying OT protocols and understanding the subtle demands of security against adaptive adversaries, as well as designing protocols that can be proven secure against adaptive attacks.

Book ChapterDOI
24 Jun 1996
TL;DR: A nonlinear secret-sharing scheme for n parties such that any set of k−1 or more shares can determine the secret, but it is computationally hard to extract information about the secret.
Abstract: In this paper, we have described a nonlinear secret-sharing scheme for n parties such that any set of k−1 or more shares can determine the secret, any set of less than k−1 shares might give information about the secret, but it is computationally hard to extract information about the secret. The scheme is based on quadratic forms and the computation of both the shares and the secret is easy.

Book ChapterDOI
12 May 1996
TL;DR: A new unifying approach which uses homomorphisms of secret sharing schemes, and presents a verifiable signature sharing scheme for which as many as (n - 1)/3 processors can be faulty, and for which the number of interactions is reduced.
Abstract: Franklin and Reiter introduced at Eurocrypt '95 verifiable signature sharing, a primitive for a fault tolerant distribution of signature verification. They proposed various practical protocols. For RSA signatures with exponent e = 3 and n processors their protocol allows for up to (n - 1)/5 faulty processors (in general (n - 1)/(2 + e)). We consider a new unifying approach which uses homomorphisms of secret sharing schemes, and present a verifiable signature sharing scheme for which as many as (n - 1)/3 processors can be faulty (for any value of e), and for which the number of interactions is reduced.

Journal ArticleDOI
TL;DR: It is proved that there exist no secret sharing schemes having a veto capability such that qualified minorities can prevent any other set of participants from reconstructing the secret if one does not assume that the reconstruction machine is trustworthy.

Book ChapterDOI
24 Jun 1996
TL;DR: Without collecting and changing any secret shadows, the secret shadows can be reused after recovering or renewing the shared secret and the amount of public data is still proportional to the number of shadowholders.
Abstract: We propose an efficient dynamic threshold scheme with cheater detection. By our scheme, without collecting and changing any secret shadows, the secret shadows can be reused after recovering or renewing the shared secret. Thus the new scheme is efficient and practical. In addition, the new scheme can detect the cheaters. Furthermore, the amount of public data is still proportional to the number of shadowholders.


Proceedings ArticleDOI
12 Jun 1996
TL;DR: This paper presents a fast and perfect secret key sharing scheme based on a simple geometric method to solve group-oriented secret sharing problems in distributed systems; because it uses only multiplication operations, it can reduce the time needed to send messages to a group of receivers.
Abstract: This paper presents a fast and perfect secret key sharing scheme based on a simple geometric method to solve group-oriented secret sharing problems in distributed systems. This scheme does not need the existence of a trusted authority and, because it uses only multiplication operations, can reduce the time needed to send messages to a group of receivers. The scheme can be shown to be very secure, because it is not only a perfect secret sharing scheme but also, when the cryptanalyst tries to compute secret values, he must solve a system of t-1 simultaneous trigonometric equations, where t is the threshold value in the secret key sharing scheme presented in this paper, and the number of unknown values is much larger than the number of equations, so that he will obtain no exact solution. Furthermore, it can dynamically insert or delete any participant in a group without affecting the original participants, and it is easy to change the shares without changing the original secret key.

Posted Content
TL;DR: The first general treatment of the coercion problem in secure computation was given in this article, where the authors presented a general definition of protocols that provide resilience to coercion and showed that if trapdoor permutations exist then any function can be incoercibly computed (i.e., computed by a protocol that provides resilience to coercions) in the presence of computationally bounded adversaries and only public communication channels.
Abstract: Current secure multiparty protocols have the following deficiency. The public transcript of the communication can be used as an involuntary commitment of the parties to their inputs and outputs. Thus parties can be later coerced by some authority to reveal their private data. Previous work that has pointed this interesting problem out contained only partial treatment. The authors present the first general treatment of the coercion problem in secure computation. They first present a general definition of protocols that provide resilience to coercion. Their definition constitutes a natural extension of the general paradigm used for defining secure multiparty protocols. They next show that if trapdoor permutations exist then any function can be incoercibly computed (i.e., computed by a protocol that provides resilience to coercion) in the presence of computationally bounded adversaries and only public communication channels. This holds as long as less than half the parties are coerced (or corrupted). In particular, theirs are the first incoercible protocols without physical security assumptions. Also, the protocols constitute an alternative solution to the recently solved adaptive security problem. Their techniques are quite surprising and include non-standard use of deniable encryptions.

Book ChapterDOI
15 Dec 1996
TL;DR: This paper proposes and analyze several methods to achieve a fair reconstruction of shared secrets in a secret sharing scheme and emphasizes that a shared secret should be reconstructed in a fair way.
Abstract: In this paper we consider the secret reconstruction problem in a secret sharing scheme. We emphasize that a shared secret should be reconstructed in a fair way. We propose and analyze several methods to achieve such a fair reconstruction of shared secrets.