
Showing papers on "Secure multi-party computation published in 1999"


01 Jan 1999
TL;DR: It is shown that the minimal codewords in the dual code completely specify the access structure of the secret-sharing scheme, and conversely, which leads to the apparently new notion of minimal codewords in a linear code.
Abstract: The use of a linear code to "split" secrets into equal-size shares is considered. The determination of which sets of shares can be used to obtain the secret leads to the apparently new notion of minimal codewords in a linear code. It is shown that the minimal codewords in the dual code completely specify the access structure of the secret-sharing scheme, and conversely.

314 citations


Proceedings ArticleDOI
17 Oct 1999
TL;DR: This paper gives a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial time for NC^1 circuits and suggests applications to network and mobile computing.
Abstract: The area of "computing with encrypted data" has been studied by numerous authors in the past twenty years since it is fundamental to understanding properties of encryption and it has many practical applications. The related fundamental area of "secure function evaluation" has been studied since the mid 80's. In its basic two-party case, two parties (Alice and Bob) evaluate a known circuit over private inputs (or a private input and a private circuit). Much attention has been paid to the important issue of minimizing rounds of computation in this model, namely the number of communication rounds in which Alice and Bob need to engage to evaluate a circuit on encrypted data securely. Advancements in these areas have been recognized as open problems and have remained open for a number of years. In this paper we give a one round, and thus round optimal, protocol for secure evaluation of circuits which is in polynomial time for NC^1 circuits. The protocol involves an input party sending encrypted input to a second party, a cryptocomputer, which evaluates the circuit (or a known circuit over its additional private input) non-interactively, securely and obliviously, and provides the output to the input party without learning it. This improves on previous (general) results that are specialized to the case of NC^1 circuits and require a constant number of communication rounds. We further suggest applications to network and mobile computing.

296 citations


Book ChapterDOI
15 Aug 1999
TL;DR: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares, as discussed by the authors.
Abstract: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares. We present a new construction for PVSS schemes, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions. The running time is O(nk), where k is a security parameter, and n is the number of participants, hence essentially optimal. The intractability assumptions are the standard Diffie-Hellman assumption and its decisional variant. We present several applications of our PVSS scheme, among which is a new type of universally verifiable election scheme based on PVSS. The election scheme becomes quite practical and combines several advantages of related electronic voting schemes, which makes it of interest in its own right.

275 citations


Journal Article
TL;DR: A (k, n) visual secret sharing scheme to encode a black-and-white image into shares of the same size as the secret image, where the reconstructed image of the proposed scheme is as visible as that of the conventional scheme.
Abstract: In the visual secret sharing scheme proposed by Naor and Shamir [3], a secret image is encoded into shares whose size is larger than that of the secret image, and the shares are decoded by stacking them without performing any cryptographic computation. In this paper we propose a (k, n) visual secret sharing scheme to encode a black-and-white image into shares of the same size as the secret image, where the reconstructed image of the proposed scheme is as visible as that of the conventional scheme. Keywords: secret sharing, visual secret sharing, visual cryptography

266 citations


Book ChapterDOI
02 May 1999
TL;DR: This paper observes that a subprotocol of Rabin and Ben-Or's, known as weak secret sharing (WSS), is not secure against an adaptive adversary, and proposes new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones.
Abstract: We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure-channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q2-adversaries.

255 citations


Book ChapterDOI
09 Aug 1999
TL;DR: This paper proposes a new unconditionally secure VSS, then builds a new proactive secret sharing scheme based on that VSS and introduces some combinatorial structure into the proactive scheme to make the scheme more efficient.
Abstract: Verifiable secret sharing schemes (VSS) are secret sharing schemes dealing with possible cheating by the participants. In this paper, we propose a new unconditionally secure VSS. Then we construct a new proactive secret sharing scheme based on that VSS. In a proactive scheme, the shares are periodically renewed so that an adversary cannot get any information about the secret unless he is able to access a specified number of shares in a short time period. Furthermore, we introduce some combinatorial structure into the proactive scheme to make the scheme more efficient. The combinatorial method might also be used to improve some of the previously constructed proactive schemes.

83 citations


Book ChapterDOI
Ronald Cramer
TL;DR: An elementary introduction to fundamental concepts, techniques and results of Secure Computation is given and such concepts as oblivious transfer, security against malicious attacks and verifiable secret sharing are introduced.
Abstract: The objective of this paper is to give an elementary introduction to fundamental concepts, techniques and results of Secure Computation. Topics covered include classical results for general secure computation by Yao, Goldreich & Micali & Wigderson, Kilian, Ben-Or & Goldwasser & Wigderson, and Chaum & Crépeau & Damgaard. We also introduce such concepts as oblivious transfer, security against malicious attacks and verifiable secret sharing, and for some of these important primitives we discuss realization. This paper is organized as follows. Part I deals with oblivious transfer and secure (general) two-party computation. Part II discusses secure general multi-party computation and verifiable secret sharing. Part III addresses information theoretic security and presents detailed but elementary explanations of some recent results in Verifiable Secret Sharing and Multi-Party Computation. The importance of theory and general techniques often lies in the fact that the true nature of security is uncovered, which then makes it possible to explore what is "possible at all". This in turn motivates the search for concrete and often specialized realizations that are more efficient. Nevertheless, many principles developed as part of the general theory are fundamental to the design of practical solutions as well.

73 citations


Book ChapterDOI
15 Aug 1999
TL;DR: It is proved that, if any non-trivial function can be so computed, then so can every function, and the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.
Abstract: A function f is computationally securely computable if two computationally-bounded parties Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x, y) while (2) Alice learns essentially nothing. We prove that, if any non-trivial function can be so computed, then so can every function. Consequently, the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.

70 citations


Journal ArticleDOI
TL;DR: A complete characterization of the access structures of weighted threshold schemes when all the minimal authorized subsets have at most two elements is presented and lower bounds for the optimal information rate of these access structures are given.

68 citations


Book ChapterDOI
07 Apr 1999
TL;DR: The ways the threshold parameter can be modified after the setup of a secret sharing scheme is the main theme of this work and it is shown that any threshold scheme can be given some degree of threshold change capability.
Abstract: The ways the threshold parameter can be modified after the setup of a secret sharing scheme is the main theme of this work. The considerations are limited to the case when there are no secure channels. First we motivate the problem and discuss methods of threshold change when the dealer is still active and can use broadcasting to implement the change required. Next we study the case when participants themselves initiate the change of threshold without the dealer's help. A general model for threshold changeable secret sharing is developed and two constructions are given. The first generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach. The second construction is geometrical in nature and is optimal in terms of the size of shares. The work is concluded by showing that any threshold scheme can be given some degree of threshold change capability.

66 citations


Journal Article
TL;DR: A function f is computationally securely computable if two computationally bounded parties Alice and Bob can talk back and forth so that (even if one of them is malicious) Bob learns essentially only f(x,y) while Alice learns essentially nothing.
Abstract: A function f is computationally securely computable if two computationally-bounded parties Alice, having a secret input x, and Bob, having a secret input y, can talk back and forth so that (even if one of them is malicious) (1) Bob learns essentially only f(x,y) while (2) Alice learns essentially nothing. We prove that, if any non-trivial function can be so computed, then so can every function. Consequently, the complexity assumptions sufficient and/or required for computationally securely computing f are the same for every non-trivial function f.

Journal ArticleDOI
TL;DR: A number of different scenarios and applications within which a redistribution of shares in a secret sharing scheme might be required are described, some techniques for conducting a redistribution are given, and the optimisation of the efficiency of such a process is discussed.
Abstract: We consider the problem of redistributing shares in a secret sharing scheme in such a way that shareholders of a scheme with one access structure can transfer information to a new set of shareholders, resulting in a sharing of the old secret among a new access structure. We describe a number of different scenarios and applications within which such a redistribution might be required, give some techniques for conducting a redistribution, and discuss the optimisation of the efficiency of such a process.

Book ChapterDOI
30 Aug 1999
TL;DR: Two methods are presented to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack, and those methods make it possible to construct robust and secure schemes for any access structure.
Abstract: In a secret sharing scheme, some participants can lie about the value of their shares when reconstructing the secret in order to obtain some illicit benefits. We present in this paper two methods to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack. The schemes obtained by the first method are robust, that is, cheaters are detected with high probability even if they know the value of the secret. The second method provides secure schemes, in which cheaters that do not know the secret are detected with high probability. When applied to ideal linear secret sharing schemes, our methods provide robust and secure schemes whose relation between the probability of cheating and the information rate is almost optimal. Besides, those methods make it possible to construct robust and secure schemes for any access structure.

Proceedings ArticleDOI
01 Nov 1999
TL;DR: A practical toolkit implementing the key proactive security mechanisms is reported on, which provides secure interfaces to make it easy for applications to recover from penetrations and addresses other critical implementation issues, such as the initialization of the proactive secure system.
Abstract: Existing security mechanisms focus on prevention of penetrations, detection of a penetration and (manual) recovery tools. Indeed, attackers focus their penetration efforts on breaking into critical modules, and on avoiding detection of the attack. As a result, security tools and procedures may cause the attackers to lose control over a specific module (computer, account), since the attacker would rather lose control than risk detection of the attack. While controlling the module, the attacker may learn critical secret information or modify the module in ways that make it much easier for the attacker to regain control over that module later. Recent results in cryptography give some hope of improving this situation; they show that many fundamental security tasks can be achieved with proactive security. Proactive security does not assume that any module is completely secure against penetration. Instead, we assume that at any given time period (day, week, ...), a sufficient number of the modules in the system are secure (not penetrated). The results obtained so far include some of the most important cryptographic primitives such as signatures, secret sharing, and secure communication. However, there was no usable implementation, and several critical issues (for actual use) were not addressed. In this work we report on a practical toolkit implementing the key proactive security mechanisms. The toolkit provides secure interfaces to make it easy for applications to recover from penetrations. The toolkit also addresses other critical implementation issues, such as the initialization of the proactive secure system. We describe the toolkit and discuss some of the potential applications. Some applications require minimal enhancements to the existing implementations, e.g. for secure logging (especially for intrusion detection), secure end-to-end communication and timestamping. Other applications require more significant enhancements, mainly distribution over multiple servers; examples are certification authority, key recovery, and secure file system or archive.

Book ChapterDOI
01 Mar 1999
TL;DR: A scheme for anonymous fingerprinting based on committed oblivious transfer is presented in this paper where all computations can be performed efficiently.
Abstract: Thwarting unlawful redistribution of information sold electronically is a major problem of information-based electronic commerce. Anonymous fingerprinting has appeared as a technique for copyright protection which is compatible with buyer anonymity in electronic transactions. However, the complexity of known algorithms for anonymous fingerprinting deters their practical implementation, since they rely either on secure multiparty computation or on general zero-knowledge proofs. A scheme for anonymous fingerprinting based on committed oblivious transfer is presented in this paper where all computations can be performed efficiently.

Proceedings Article
01 Jan 1999
TL;DR: It is shown that if secure communication channels are provided (and one-way functions exist) then any polynomial function can be securely computed in this scenario, under the sole restriction that most of the parties do not risk being detected by other parties as deviating from the protocol execution.
Abstract: In a secure multi-party computation a set of mutually distrustful parties interact in order to evaluate a pre-defined function of their inputs, without revealing the inputs to each other. In this scenario, the trust in other parties should be minimal. In the classic formulation of this problem, most of the parties are trusted to exactly follow the prescribed protocol, except for a limited number of parties that are corrupted by a centralized adversary and are allowed to deviate from the protocol in an arbitrary way. However, an assumption of a totally honest behavior of most parties cannot be verified. In particular, if an "honest-looking" party diverges from its protocol in a way that is indistinguishable from a totally honest player, it can do so with "impunity". In this paper, we consider the situation where all parties (even uncorrupted ones) may deviate from their protocol in arbitrary ways, under the sole restriction that most of the parties do not risk being detected by other parties as deviating from the protocol execution. The question whether secure protocols exist in this scenario was raised in the past, and solutions for very limited deviations from the protocol (i.e., refraining from erasing data) were given. Yet, solving the general problem was believed hard, if at all possible. Contrary to this belief, we show that if secure communication channels are provided (and one-way functions exist) then any polynomial function can be securely computed in this scenario.

Journal ArticleDOI
TL;DR: Two new secret sharing schemes in which cheaters are detected with high probability are presented and it is proved that the information rate of this scheme is almost optimal among all schemes with the same security requirements.
Abstract: A perfect secret sharing scheme is a method of distributing shares of a secret among a set P of participants in such a way that only qualified subsets of P can reconstruct the secret from their shares and non-qualified subsets have absolutely no information on the value of the secret. In a secret sharing scheme, some participants could lie about the value of their shares in order to obtain some illicit benefit. Therefore, the security against cheating is an important issue in the implementation of secret sharing schemes. Two new secret sharing schemes in which cheaters are detected with high probability are presented in this paper. The first one has information rate equal to 1/2 and can be implemented not only in threshold structures, but in a more general family of access structures. We prove that the information rate of this scheme is almost optimal among all schemes with the same security requirements. The second scheme we propose is a threshold scheme in which cheaters are detected with high probability even if they know the secret. The information rate is in this case 1/3. In both schemes, the probability of cheating successfully is a fixed value that is determined by the size of the secret.


Book
10 Mar 1999
TL;DR: This paper discusses Commitment Schemes and Zero-Knowledge Protocols, emerging Standards for Public-Key Cryptography, and Primality Tests and Use of Primes in Public Key Systems.
Abstract: Practice-Oriented Provable-Security.- to Secure Computation.- Commitment Schemes and Zero-Knowledge Protocols.- Emerging Standards for Public-Key Cryptography.- Contemporary Block Ciphers.- Primality Tests and Use of Primes in Public Key Systems.- Signing Contracts and Paying Electronically.- The State of Cryptographic Hash Functions.- The Search for the Holy Grail in Quantum Cryptography.- Unconditional Security in Cryptography.

Book ChapterDOI
02 May 1999
TL;DR: A necessary and sufficient condition on the number of cards is obtained for the existence of a protocol to achieve one-bit secret key sharing and immediately yields an efficient linear-time algorithm to determine whether there exists such a protocol.
Abstract: Using a random deal of cards to players and a computationally unlimited eavesdropper, all players wish to share a one-bit secret key which is information-theoretically secure from the eavesdropper. This can be done by a protocol to make several pairs of players share one-bit secret keys so that all these pairs form a spanning tree over players. In this paper we obtain a necessary and sufficient condition on the number of cards for the existence of such a protocol. Our condition immediately yields an efficient linear-time algorithm to determine whether there exists a protocol to achieve such a secret key sharing.

Journal ArticleDOI
TL;DR: A method to realize a general secret sharing scheme is given in this research note; the group participants need not store several shares but only an interpolating polynomial, and the method suits the broader situation in which several secrets are shared in the system.

Book ChapterDOI
02 May 1999
TL;DR: This paper will answer affirmatively the question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when ⌈3t/2⌉ ≥ n > t, and study related problems.
Abstract: Problems of secure communication and computation have been studied extensively in network models. Goldreich, Goldwasser, and Linial, Franklin and Yung, and Franklin and Wright have initiated the study of secure communication and secure computation in multirecipient (broadcast) models. A "broadcast channel" (such as ethernet) enables one processor to send the same message, simultaneously and privately, to a fixed subset of processors. In their Eurocrypt '98 paper, Franklin and Wright have shown that if there are n broadcast lines between a sender and a receiver and there are at most t malicious (Byzantine style) processors, then the condition n > t is necessary and sufficient for achieving efficient probabilistically reliable and probabilistically private communication. They also showed that if n > ⌈3t/2⌉ then there is an efficient protocol to achieve probabilistically reliable and perfectly private communication. And they left open the question whether there exists an efficient protocol to achieve probabilistically reliable and perfectly private communication when ⌈3t/2⌉ ≥ n > t. In this paper, by using a different authentication scheme, we will answer this question affirmatively and study related problems.

Journal Article
TL;DR: This paper proposes a construction of perfect secret sharing schemes with uniform, generalized access structures of rank 3 in such a way that only qualified subsets of participants can recover the secret, and unqualified subsets of participants obtain no information regarding the secret.
Abstract: ...pants in such a way that only qualified subsets of participants can recover the secret, and unqualified subsets of participants obtain no information regarding the secret. In this paper, we propose a construction of perfect secret sharing schemes with uniform, generalized access structures of rank 3. Compared with other constructions, our construction has some improved lower bounds on the information rate. In addition, we also generalize the construction to perfect secret sharing schemes with uniform, generalized access structures of constant rank.

Journal ArticleDOI
TL;DR: A new on-line multiple secret sharing scheme based on a one-way function which has the advantages of lower computation overhead and parallel reconstruction in the secret recovery phase.

01 Jan 1999
TL;DR: In this paper, a general model for threshold changeable secret sharing is developed and two constructions are given: the first generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach, and the second construction is geometrical in nature and is optimal in terms of the size of shares.
Abstract: The ways the threshold parameter can be modified after the setup of a secret sharing scheme is the main theme of this work. The considerations are limited to the case when there are no secure channels. First we motivate the problem and discuss methods of threshold change when the dealer is still active and can use broadcasting to implement the change required. Next we study the case when participants themselves initiate the change of threshold without the dealer's help. A general model for threshold changeable secret sharing is developed and two constructions are given. The first generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach. The second construction is geometrical in nature and is optimal in terms of the size of shares. The work is concluded by showing that any threshold scheme can be given some degree of threshold change capability.

Journal ArticleDOI
TL;DR: This paper introduces a new construction for secret sharing schemes called threshold closure, which allows the complex access structure it represents to be realized by possibly the fewest (t,l)-threshold schemes.

Journal ArticleDOI
01 Jan 1999
TL;DR: A protocol whereby participants could themselves generate the secret shares without revealing any information about their shares to each other is introduced, and good choices for certain parameters of the protocol are recommended.
Abstract: Many distributed protocols require the participants to have secret shares of an RSA modulus in order to perform distributed cryptographic computations. Until recently, a trusted party was required to generate and distribute these secret shares before the start of the protocol. Recently, Boneh and Franklin introduced a protocol whereby participants could themselves generate the secret shares without revealing any information about their shares to each other. We experimentally evaluate the performance of their protocol and we recommend good choices for certain parameters of the protocol.

Journal Article
TL;DR: Given an m-tuple of access structures, the number of random bits needed by multisecret sharing schemes is analyzed in terms of a combinatorial parameter that depends only upon the access structures and not on the particular multisecret sharing scheme used.
Abstract: A multisecret sharing scheme is a protocol to share a number of arbitrarily related secrets among a set of participants in such a way that only qualified sets of participants can recover the secrets, whereas non-qualified sets of participants might have partial information about them. In this paper we analyze the amount of randomness needed by multisecret sharing schemes. Given an m-tuple of access structures, we give a lower bound on the number of random bits needed by multisecret sharing schemes; the lower bound is expressed in terms of a combinatorial parameter that depends only upon the access structures and not on the particular multisecret sharing scheme used.

Journal ArticleDOI
TL;DR: This paper proposes some recursive constructions for perfect secret sharing schemes with access structures of constant rank and has some improved lower bounds on the information rate.
Abstract: A secret sharing scheme is a method which allows a secret to be shared among a set of participants in such a way that only qualified subsets of participants can recover the secret. A secret sharing scheme is called perfect if unqualified subsets of participants obtain no information regarding the secret. The information rate of a secret sharing scheme is defined to be the ratio between the size of secret and the maximum size of the shares. In this paper, we propose some recursive constructions for perfect secret sharing schemes with access structures of constant rank. Compared with the best previous constructions, our constructions have some improved lower bounds on the information rate.

Book
01 Jan 1999
TL;DR: Details are given about the security services offered, their placement within the ATM Reference Model and the techniques to provide synchronisation and dynamic key change during user data exchange.
Abstract: This paper discusses the ATM security problems, requirements, implementation issues and challenges. It also presents a survey of the existing solutions aiming to secure the data transferred over an ATM network. Different solutions are presented, analysed and compared. Details are given about the security services offered, their placement within the ATM Reference Model and the techniques to provide synchronisation and dynamic key change during user data exchange.