
Showing papers on "Verifiable secret sharing published in 1995"


Book ChapterDOI
27 Aug 1995
TL;DR: In order to guarantee the availability and integrity of the secret, this work provides mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct shares when modification is detected.
Abstract: Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire life-time of the secret the adversary is restricted to compromise less than k of the n locations. For long-lived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, the adversary willing to learn the secret needs to break into all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct shares when modification is detected.

842 citations


Journal ArticleDOI
Lein Harn
01 May 1995
TL;DR: It is shown that, with this relaxation of the security requirement, secret sharing and some related secret-sharing problems, such as cheater detection and secret broadcasting, can be solved very efficiently.
Abstract: Instead of using the conventional m-out-of-n perfect secret sharing scheme to protect a single secret among n users, the authors propose a secret sharing scheme based on one cryptographic assumption to protect multiple secrets. It is shown that, with this relaxation of the security requirement, secret sharing and some related secret-sharing problems, such as cheater detection and secret broadcasting, can be solved very efficiently.

113 citations


Patent
23 Jan 1995
TL;DR: A proactive threshold secret sharing cryptosystem using a set of servers using a verifiable secret sharing mechanism to get the security requirements during the update between two rounds was proposed in this article.
Abstract: A proactive threshold secret sharing cryptosystem using a set of servers. The cryptosystem is a threshold cryptosystem, in the sense that service is maintained if at least (k+1) out of n servers are active and honest. The secret signature key is compromised only if the adversary breaks into at least (k+1) servers. It is robust in the sense that the honest servers detect faulty ones and the service is not disrupted. It is recoverable, because if the adversary erases all the local information on the server it compromised, the information can be restored as soon as the server comes back to performing the correct protocol. The method and system has proactiveness, which means that in order to learn the secret, the adversary has to break into (k+1) servers during the same round of the algorithm because the shares of the secret are periodically redistributed and rerandomized. The present invention uses a verifiable secret sharing mechanism to get the security requirements during the update between two rounds. The security of the scheme depends on the assumption of intractability of computing logarithms in a field of a big prime order and the ElGamal signature scheme.

82 citations


Book ChapterDOI
Christian Cachin
18 Dec 1995
TL;DR: A new construction for computationally secure secret sharing schemes with general access structures where all shares are as short as the secret, which provides the capability to share multiple secrets and to dynamically add participants on-line, without having to re-distribute new shares secretly.
Abstract: We propose a new construction for computationally secure secret sharing schemes with general access structures where all shares are as short as the secret. Our scheme provides the capability to share multiple secrets and to dynamically add participants on-line, without having to re-distribute new shares secretly to the current participants. These capabilities are gained by storing additional authentic (but not secret) information at a publicly accessible location.

81 citations


Journal ArticleDOI
TL;DR: This paper presents a similar scheme, but one in which the information distributed to each participant is smaller, and considers the problem of identifying cheaters in secret sharing schemes.
Abstract: In this paper we consider the problem of identifying cheaters in secret sharing schemes. Rabin and Ben-Or presented a perfect and unconditionally secure secret sharing scheme in which the honest participants are able to identify the cheaters. We present a similar scheme, but one in which the information distributed to each participant is smaller.

71 citations


Journal Article
TL;DR: The author shows an alternative implementation of MSS which requires the same number of secrets for each participant to keep; but there are only a total of k(n-t) public values.

67 citations


Journal ArticleDOI
Lein Harn
TL;DR: In this article, the authors proposed an alternative implementation which requires the same number of secrets for each participant to keep; but there are only a total of k(n-t) public values.
Abstract: He and Dawson recently proposed a multistage (t, n) secret sharing (MSS) scheme (see ibid., vol. 30, no. 19, p. 1591-2, 1994) to share multiple secrets based on any one-way function. The public shift technique is used to implement MSS. For k secrets shared among n participants, each participant has to keep only one secret; but there are a total of kn public values. In this Letter, the author shows an alternative implementation which requires the same number of secrets for each participant to keep; but there are only a total of k(n-t) public values. This implementation becomes very attractive, especially when the threshold value t is very close to the number of participants n.

66 citations


Book ChapterDOI
21 May 1995
TL;DR: Efficient VΣS schemes for exponentiation based signatures and discrete log based signatures are presented that can tolerate the malicious (Byzantine) failure of the sharer and a constant fraction of the proxies.
Abstract: We introduce Verifiable Signature Sharing (VΣS), a cryptographic primitive for protecting digital signatures. VΣS enables the holder of a digitally signed document, who may or may not be the original signer, to share the signature among a set of proxies so that the honest proxies can later reconstruct it. We present efficient VΣS schemes for exponentiation based signatures (e.g., RSA, Rabin) and discrete log based signatures (e.g., ElGamal, Schnorr, DSA) that can tolerate the malicious (Byzantine) failure of the sharer and a constant fraction of the proxies. We also describe our implementation of these schemes and evaluate their performance. Among the applications of VΣS is the incorporation of digital cash into multiparty protocols, e.g., to enable cash escrow and secure distributed auctions.

61 citations


Dissertation
01 Jan 1995
TL;DR: Thesis (S.B. and S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1996.
Abstract: Thesis (S.B. and S.M.)--Massachusetts Institute of Technology, Dept. of Electrical Engineering and Computer Science, 1996.

59 citations


Patent
26 Jul 1995
TL;DR: In this article, the authors proposed a verifiable secret sharing method in a communication system where a plurality of information processing apparatuses are connected across secret communication channels and a broadcast communication channel, an information processing apparatus d generates a secret matrix from secret information s, l1,..., lk, extracts the first information segments for individual apparatus i, and secretly transmits it to each apparatus i.
Abstract: The object of the present invention is to perform verifiable secret sharing by a practical amount of calculation and a practical amount of communication. In addition, by using this process, a shared digital signature is generated, or a shared authentication server is provided. In a communication system where a plurality of information processing apparatuses are connected across secret communication channels and a broadcast communication channel, an information processing apparatus d generates a secret matrix from secret information s, l1, . . . , lk, extracts the first information segments for individual apparatuses i, and secretly transmits it to each apparatus i. The information processing apparatus d applies a hash function to the secret matrix and broadcasts the output value. Each information processing apparatus i generates and broadcasts a random number, while the information processing apparatus d generates and broadcasts the second information segment from a partial array in consonance with the random number value. Each information processing apparatus i generates the third information segment in consonance with the first information segment and the random number, and verifies that the secret information has been correctly shared by comparing the third information segment with the second. By employing this secret information sharing method, apparatuses that belong to a group of signers cooperatively generate a signature, and a plurality of apparatuses that constitute authentication servers cooperatively provide authentication.

58 citations


Book ChapterDOI
21 May 1995
TL;DR: Verifiable secret sharing is a fundamental primitive for secure cryptographic design as discussed by the authors, and it is a primitive that can be used as a tool within larger protocols, rather than being a goal in itself.
Abstract: Verifiable Secret Sharing is a fundamental primitive for secure cryptographic design. We present a stronger notion of verifiable secret sharing and exhibit a protocol implementing it. We show that our new notion is preferable to the old ones whenever verifiable secret sharing is used as a tool within larger protocols, rather than being a goal in itself. Indeed our definition, and so our protocol satisfying it, provably guarantees reducibility. Applications of this new notion in the field of secure multiparty computation are also provided.

Book ChapterDOI
21 May 1995
TL;DR: A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret. If any non-qualified subset has absolutely no information about the secret, then the scheme is called perfect.
Abstract: A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret. If any non-qualified subset has absolutely no information about the secret, then the scheme is called perfect. Unfortunately, in this case the size of the shares cannot be less than the size of the secret. Krawczyk [9] showed how to improve this bound in the case of computational threshold schemes by using Rabin's information dispersal algorithms [14], [15]. We show how to extend the information dispersal algorithm for general access structures (we call access structure the set of all qualified subsets). We give bounds on the amount of information each participant must have. Then we apply this to construct computational schemes for general access structures. The size of shares each participant must have in our schemes is nearly minimal: it is equal to the minimal bound plus a piece of information whose length does not depend on the secret size but just on the security parameter.

Book ChapterDOI
25 Sep 1995
TL;DR: The notion of “Dynamic Re-sharing Verifiable Secret Sharing” (VSS) where the dealing of shares is dynamically and randomly refreshed (without changing or corrupting the secret) works against the threat of the recently considered mobile adversary.
Abstract: We present the notion of “Dynamic Re-sharing Verifiable Secret Sharing” (VSS) where the dealing of shares is dynamically and randomly refreshed (without changing or corrupting the secret). It works against the threat of the recently considered mobile adversary that may control all the trustees, but only a bounded number thereof at any time period.

Journal ArticleDOI
TL;DR: New limitations on the information rate of secret sharing schemes are derived, that measures how much information is being distributed as shares as compared to the size of the secret key, and the average information rate, that is the ratio between the secret size and the arithmetic mean of the sizes of the shares.
Abstract: A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any nonqualified subset has absolutely no information on the secret. We derive new limitations on the information rate of secret sharing schemes, that measures how much information is being distributed as shares as compared to the size of the secret key, and the average information rate, that is the ratio between the secret size and the arithmetic mean of the size of the shares. By applying the substitution technique, we are able to construct many new examples of access structures where the information rate is bounded away from 1. The substitution technique is a method used to obtain a new access structure by replacing a participant in a previous structure with a new access structure.

Journal ArticleDOI
TL;DR: This paper proposes a secret reconstruction protocol to solve the cheating problem without the simultaneous release constraint, which is unconditionally secure and can be incorporated with any secret sharing scheme to realize any secret share policy.

01 Jan 1995
TL;DR: In this paper, the authors presented new cryptographic protocols for multi-authority secret ballot elections that guarantee privacy, robustness, and universal verifiability, and showed how to reduce the work required by the voter or an authority to a linear number of cryptographic operations in the population size.
Abstract: We present new cryptographic protocols for multi-authority secret ballot elections that guarantee privacy, robustness, and universal verifiability. Application of some novel techniques, in particular the construction of witness hiding/indistinguishable protocols from Cramer, Damgaard and Schoenmakers, and the verifiable secret sharing scheme of Pedersen, reduce the work required by the voter or an authority to a linear number of cryptographic operations in the population size (compared to quadratic in previous schemes). Thus we get significantly closer to a practical election scheme.

Journal ArticleDOI
TL;DR: This paper presents a (k, n) threshold scheme for sharing a secret, based on some geometric properties, which is an ideal secret sharing scheme and gives a practical algorithm to solve the problem of dividing the secret into n shadows efficiently.

Proceedings Article
01 Jan 1995
TL;DR: This paper addresses the problem of establishing a secret sharing scheme for a given access structure without the use of a mutually trusted authority by proposing a general protocol and several implementations of this protocol.
Abstract: Traditional secret sharing schemes involve the use of a mutually trusted authority to assist in the generation and distribution of shares that will allow a secret to be protected among a set of participants. In contrast, this paper addresses the problem of establishing a secret sharing scheme for a given access structure without the use of a mutually trusted authority. A general protocol is discussed and several implementations of this protocol are presented. The efficiency of these implementations is considered. The protocol is then refined and constructions are presented for mutually trusted authority free threshold schemes.

Book ChapterDOI
27 Aug 1995
TL;DR: A general information-theoretic framework extensible to arbitrary access structures and to establish the correspondence between ideal SSS and matroids without invoking the more restrictive combinatorial definition of ideal scheme is provided.
Abstract: The purpose of this paper is to provide a general information-theoretic framework extensible to arbitrary access structures and to establish the correspondence between ideal SSS and matroids without invoking the more restrictive combinatorial definition of ideal scheme.

Book ChapterDOI
21 May 1995
TL;DR: In this article, the problem of establishing a secret sharing scheme for a given access structure without the use of a mutually trusted authority is addressed; a general protocol is discussed and several implementations of this protocol are presented.
Abstract: Traditional secret sharing schemes involve the use of a mutually trusted authority to assist in the generation and distribution of shares that will allow a secret to be protected among a set of participants. In contrast, this paper addresses the problem of establishing a secret sharing scheme for a given access structure without the use of a mutually trusted authority. A general protocol is discussed and several implementations of this protocol are presented. The efficiency of these implementations is considered. The protocol is then refined and constructions are presented for mutually trusted authority free threshold schemes.

Book
01 Jan 1995
TL;DR: Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction and Convergence in Differential Distributions are attacked.
Abstract: Cryptanalysis.- Attacking the Chor-Rivest Cryptosystem by Improved Lattice Reduction.- Convergence in Differential Distributions.- A Generalization of Linear Cryptanalysis and the Applicability of Matsui's Piling-up Lemma.- Signatures.- On the Efficiency of Group Signatures Providing Information-Theoretic Anonymity.- Verifiable Signature Sharing.- Server(Prover/Signer)-Aided Verification of Identity Proofs and Signatures.- Number Theory.- Counting the number of points on elliptic curves over finite fields: strategies and performances.- An Implementation of the General Number Field Sieve to Compute Discrete Logarithms mod p.- A Block Lanczos Algorithm for Finding Dependencies over GF(2).- Protocol Aspects.- How to Break Another "Provably Secure" Payment System.- Quantum Oblivious Mutual Identification.- Securing Traceability of Ciphertexts - Towards a Secure Software Key Escrow System.- Secure Multiround Authentication Protocols.- Secret Sharing.- Verifiable Secret Sharing as Secure Computation.- Efficient Secret Sharing Without a Mutually Trusted Authority.- General Short Computational Secret Sharing Schemes.- Electronic Cash.- Fair Blind Signatures.- Ripping Coins for a Fair Exchange.- Restrictive Binding of Secret-Key Certificates.- Shift Registers and Boolean Functions.- Towards Fast Correlation Attacks on Irregularly Clocked Shift Registers.- Large Period Nearly deBruijn FCSR Sequences.- On Nonlinear Resilient Functions.- Authentication Codes.- Combinatorial Bounds for Authentication Codes with Arbitration.- New Hash Functions for Message Authentication.- A 2-codes from universal hash classes.- New Schemes.- A New Identification Scheme Based on the Perceptrons Problem.- Fast RSA-type Schemes Based on Singular Cubic Curves y^2 + axy ≡ x^3 (mod n).- Complexity Aspects.- Relationships among the Computational Powers of Breaking Discrete Log Cryptosystems.- Universal Hash Functions & Hard Core Bits.- Recycling Random Bits in Composed Perfect Zero-Knowledge.- Implementation Aspects.- On the Matsumoto and Imai's Human Identification Scheme.- Receipt-Free Mix-Type Voting Scheme.- Are Crypto-Accelerators Really Inevitable?.- Rump Session.- Anonymous NIZK Proofs of Knowledge with Preprocessing.

Journal ArticleDOI
TL;DR: A practical solution towards anonymous and verifiable databases based on the use of smartcards and the recent Improved Leighton-Micali protocol for the distribution of keys is described, addressed particularly to public data held in separate government databases.

Proceedings ArticleDOI
03 Jul 1995
TL;DR: The proposed protocol satisfies the fairness under a non-cryptographic model for the first time and is more efficient than Beaver's protocol and Rabin's protocol.
Abstract: In this paper, we propose verifiable secret sharing and multiparty protocols in a distributed system under the assumption that each participant can broadcast a message to all other participants and that each pair of participants can communicate secretly. The secrecy achieved is unconditional and does not rely on any assumption about computational intractability. Applications of these results to the Byzantine Agreement are also presented. The proposed protocol satisfies the fairness under a non-cryptographic model for the first time. The conventional non-cryptographic protocols don't satisfy the fairness. Also, the proposed protocol is more efficient than Beaver's protocol and Rabin's protocol.

Book ChapterDOI
03 Jul 1995
TL;DR: This paper shows how to use a slowly-information-revealing process to achieve a fair reconstruction of a shared secret and gives a detailed analysis on the advantage cheaters could gain in such a process.
Abstract: In this paper we consider the secret reconstruction problem in a secret sharing scheme. We show how to use a slowly-information-revealing process to achieve a fair reconstruction of a shared secret. We give a detailed analysis on the advantage cheaters could gain in such a process.

Proceedings ArticleDOI
17 Sep 1995
TL;DR: Two different methods for attacking Tanaka's identity-based non-interactive key sharing (IDNIKS) scheme are proposed, used to find secret information using public parameters and to find the center's secret keys by collusion.
Abstract: We propose two different methods for attacking Tanaka's (see Proc SCIS'94, Jan., 1994) identity-based non-interactive key sharing (IDNIKS) scheme. One method is used to find secret information using public parameters, and the other is used to find the center's secret keys by collusion.

Journal ArticleDOI
TL;DR: Brickell's vector space construction is implemented as a democratic secret sharing scheme by using Shamir's method, and the participants need no more information to be kept secret than they would need in the case where the schemes are constructed by a dealer.

Journal ArticleDOI
TL;DR: This paper shows how to obtain secret-sharing schemes from combinatorial designs, including orthogonal arrays (OAs) and t - (v, k, 1) designs.
Abstract: In secret-sharing schemes, a secret s is encoded as v1, …, vn, and vi is distributed to member Pi. By the access sets, we mean exactly those subsets of {Pi} which can recover the secret s. Previous secret-sharing schemes have utilized the methods of polynomial interpolation [20] and projective geometry [6], among others. In this paper we show how to obtain secret-sharing schemes from combinatorial designs, including orthogonal arrays (OAs) and t - (v, k, 1) designs.

Proceedings Article
27 Aug 1995
TL;DR: In this paper, the authors investigated the cost of performing the reconstruction over public communication channels, and showed that a naive implementation of this task distributes O(n) one-time pads to each party.
Abstract: All known constructions of information theoretic t-out-of-n secret sharing schemes require secure, private communication channels among the parties for the reconstruction of the secret. In this work we investigate the cost of performing the reconstruction over public communication channels. A naive implementation of this task distributes O(n) one-time pads to each party. This results in shares whose size is O(n) times the secret size. We present three implementations of such schemes that are substantially more efficient: - A scheme enabling multiple reconstructions of the secret by different subsets of parties, with factor O(n/t) increase in the shares' size. - A one-time scheme, enabling a single reconstruction of the secret, with O(log(n/t)) increase in the shares' size. - A one-time scheme, enabling a single reconstruction by a set of size exactly t, with factor O(1) increase in the shares' size. We prove that the first implementation is optimal (up to constant factors) by showing a tight Ω(n/t) lower bound for the increase in the shares' size.

Patent
26 Jul 1995
TL;DR: In this paper, the authors proposed a verifiable secret sharing method in a communication system where a plurality of information processing apparatuses are connected across secret communication channels and a broadcast communication channel, where an information processing apparatus d generates a secret matrix from secret information s, l1,..., lk, extracts the first information segments for individual apparatus i, and secretly transmits it to each apparatus i. Each information processing device i generates and broadcasts a random number, while the information processing devices i generates the second information segment from a partial array in consonance with the
Abstract: An aspect of the present invention is to perform verifiable secret sharing by a practical amount of calculation and a practical amount of communication. In addition, by using this process, a shared digital signature is generated, or a shared authentication server is provided. In a communication system where a plurality of information processing apparatuses are connected across secret communication channels and a broadcast communication channel, an information processing apparatus d generates a secret matrix from secret information s, l1, . . ., lk, extracts the first information segments for individual apparatuses i, and secretly transmits it to each apparatus i. The information processing apparatus d applies a hash function to the secret matrix and broadcasts the output value. Each information processing apparatus i generates and broadcasts a random number, while the information processing apparatus d generates and broadcasts the second information segment from a partial array in consonance with the random number value. Each information processing apparatus i generates the third information segment in consonance with the first information segment and the random number, and verifies that the secret information has been correctly shared by comparing the third information segment with the second. By employing this secret information sharing method, apparatuses that belong to a group of signers cooperatively generate a signature, and a plurality of apparatuses that constitute authentication servers cooperatively provide authentication.