
Showing papers on "Verifiable secret sharing" published in 1987


Proceedings ArticleDOI
12 Oct 1987
TL;DR: This paper presents an extremely efficient, non-interactive protocol for verifiable secret sharing, which provides asynchronous networks with a constant-round simulation of simultaneous broadcast networks whenever even a bare majority of processors are good.
Abstract: This paper presents an extremely efficient, non-interactive protocol for verifiable secret sharing. Verifiable secret sharing (VSS) is a way of bequeathing information to a set of processors such that a quorum of processors is needed to access the information. VSS is a fundamental tool of cryptography and distributed computing. Seemingly difficult problems such as secret bidding, fair voting, leader election, and flipping a fair coin have simple one-round reductions to VSS. There is a constant-round reduction from Byzantine Agreement to non-interactive VSS. Non-interactive VSS provides asynchronous networks with a constant-round simulation of simultaneous broadcast networks whenever even a bare majority of processors are good. VSS is constantly repeated in the simulation of fault-free protocols by faulty systems. As verifiable secret sharing is a bottleneck for so many results, it is essential to find efficient solutions.

1,202 citations


Dissertation
01 Jan 1987
TL;DR: This thesis describes a practical scheme for conducting secret-ballot elections in which the outcome of an election is verifiable by all participants and even by non-participating observers.
Abstract: Privacy in secret-ballot elections has traditionally been attained by using a ballot box or voting booth to disassociate voters from ballots. Although such a system might achieve privacy, there is often little confidence in the accuracy of the announced tally. This thesis describes a practical scheme for conducting secret-ballot elections in which the outcome of an election is verifiable by all participants and even by non-participating observers. All communications are public, yet under a suitable number-theoretic assumption, the privacy of votes remains intact. The tools developed here to conduct such elections have additional independent applications. Cryptographic capsules allow a prover to convince verifiers that either statement A or statement B is true without revealing substantial information as to which. Secret sharing homomorphisms enable computation on shared (secret) data and give a method of distributing shares of a secret such that each shareholder can verify the validity of all shares.

469 citations


Proceedings Article
01 Jan 1987
TL;DR: This paper describes a homomorphism property, attained by these and several other secret sharing schemes, which allows multiple secrets to be combined by direct computation on shares; the property reduces the need for trust among agents and allows secret sharing to be applied to many new problems.
Abstract: In 1979, Blakley and Shamir independently proposed schemes by which a secret can be divided into many shares which can be distributed to mutually suspicious agents. This paper describes a homomorphism property attained by these and several other secret sharing schemes which allows multiple secrets to be combined by direct computation on shares. This property reduces the need for trust among agents and allows secret sharing to be applied to many new problems. One application described here gives a method of verifiable secret sharing which is much simpler and more efficient than previous schemes. A second application is described which gives a fault-tolerant method of holding verifiable secret-ballot elections.

460 citations


Book ChapterDOI
16 Aug 1987
TL;DR: The protocol can be used as an essential tool in proving that all languages in IP have zero knowledge proof systems, i.e. any statement which can be proved interactively can also be proved in zero knowledge.
Abstract: A protocol is presented that allows a set of parties to collectively perform any agreed computation, where every party is able to choose secret inputs and verify that the resulting output is correct, and where all secret inputs are optimally protected. The protocol has the following properties: • One participant is allowed to hide his secrets unconditionally, i.e. the protocol releases no Shannon information about these secrets. This means that a participant with bounded resources can perform computations securely with a participant who may have unlimited computing power. To the best of our knowledge, our protocol is the first of its kind to provide this possibility. • The cost of our protocol is linear in the number of gates in a circuit performing the computation, and in the number of participants. We believe it is conceptually simpler and more efficient than other protocols solving related problems ([Y1], [GoMiWi] and [GaHaYu]). It therefore leads to practical solutions of problems involving small circuits. • The protocol is openly verifiable, i.e. any number of people can later come in and rechallenge any participant to verify that no cheating has occurred. • The protocol is optimally secure against conspiracies: even if n - 1 out of the n participants collude, they will not find out more about the remaining participants' secrets than what they could already infer from their own input and the public output. • Each participant has a chance of undetected cheating that is only exponentially small in the amount of time and space needed for the protocol. • The protocol adapts easily, and with negligible extra cost, to various additional requirements, e.g. making part of the output private to some participant, ensuring that the participants learn the output simultaneously, etc. • Participants can prove relations between data used in different instances of the protocol, even if those instances involve different groups of participants. For example, it can be proved that the output of one computation was used as input to another, without revealing more about this data. • The protocol can be used as an essential tool in proving that all languages in IP have zero knowledge proof systems, i.e. any statement which can be proved interactively can also be proved in zero knowledge. The rest of this paper is organised as follows: First we survey some related results. Then Section 2 gives an intuitive introduction to the protocol. In Section 3, we present one of the main tools used in this paper: bit commitment schemes. Sections 4 and 5 contain the notation, terminology, etc. used in the paper. In Section 6, the protocol is presented, along with proofs of its security and correctness. In Section 7, we show how to adapt the protocol to various extra requirements and discuss some generalisations and optimisations. Finally, Section 8 contains some remarks on how to construct zero knowledge proof systems for any language in IP.

268 citations


Book ChapterDOI
16 Aug 1987
TL;DR: This work presents protocols allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it.
Abstract: Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit’s correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of secret discrete logs between any number of parties.

132 citations


Proceedings Article
16 Aug 1987
TL;DR: In this article, the authors proposed a new notion of release of secrets, which generalizes and extends that of the already known exchange of secrets protocols, allowing exchange of secret discrete logs between any number of parties.
Abstract: Protocols are presented allowing someone with a secret discrete logarithm to release it, bit by bit, such that anyone can verify each bit's correctness as they receive it. This new notion of release of secrets generalizes and extends that of the already known exchange of secrets protocols. Consequently, the protocols presented allow exchange of secret discrete logs between any number of parties. The basic protocol solves an even more general problem than that of releasing a discrete log. Given any instance of a discrete log problem in a group with public group operation, the party who knows the solution can make public some interval I and convince anyone that the solution belongs to I, while releasing no additional information, such as any hint as to where in I the solution is. This can be used directly to release a discrete log, or to transfer it securely between different groups, i.e. prove that two instances are related such that knowledge of the solution to one implies knowledge of the solution to the other. We show how this last application can be used to implement a more efficient release protocol by transferring the given discrete log instance to a group with special properties. In this scenario, each bit of the secret can be verified by a single modular squaring, and unlike the direct use of the basic protocol, no interactive proofs are needed after the basic setup has been done. Finally, it is shown how the basic protocol can be used to release the factorization of a public composite number.

91 citations


Proceedings ArticleDOI
01 Dec 1987
TL;DR: This work introduces a novel method of concurrently alternating and interleaving n executions of verifiable secret sharing protocols, and greatly improves the time complexity (number of communication rounds) of simultaneous broadcast.
Abstract: Simultaneous broadcast [CGMA] is a fundamental tool in designing secure protocols for fault tolerant distributed computing. A system that supports it enables n processes to globally commit to independently chosen values (a significantly harder task than mere agreement). It is also a basic building block in a recent "completeness" theorem of [GMWZ]. In this paper we present a new protocol for simultaneous broadcast. Building upon past work, we introduce a novel method of concurrently alternating and interleaving n executions of verifiable secret sharing protocols. This approach greatly improves the time complexity (number of communication rounds) of simultaneous broadcast. Previous protocols (combination of [CGMA] and [GMW]) required the complete serialization of the n verifiable secret sharings, resulting in Ω(n) communication rounds. Our protocol is constructive, and requires only log n + log log n serial executions of verifiable secret sharings. It preserves maximum fault tolerance (t < n/2 faults), and polynomial resource bounds (internal computation and communication bits). The same improvement applies to the general simulation in [GMWX]. In light of its improved performance, it is significant that our protocol has a fairly simple correctness proof. In the slippery business of distributed cryptographic protocols, simpler proofs are important. * Research supported by NSF Grant MCS81-21431 at Harvard University. † Contact author. Email address: rabin@harvard.harvard.edu

56 citations


Journal ArticleDOI
TL;DR: The power of Partitioned Encryption is demonstrated: combining it with the partitioning of the user set gives a solution scheme for ‘Verifiable Secret Sharing’ and ‘Simultaneous Broadcast in the Presence of Faults’, which are important primitives of fault-tolerant distributed computing introduced by Chor, Goldwasser, Micali and Awerbuch (1985).

28 citations


01 Jan 1987
TL;DR: In this paper, the authors present protocols for allowing a "prover" to convince a "verifier" that the prover knows some verifiable secret information, without allowing the verifier to learn anything about the secret.
Abstract: Protocols are given for allowing a “prover” to convince a “verifier” that the prover knows some verifiable secret information, without allowing the verifier to learn anything about the secret. The secret can be probabilistically or deterministically verifiable, and only one of the prover or the verifier need have constrained resources. This paper unifies and extends models and techniques previously put forward by the authors, and compares some independent related work.

5 citations