
Showing papers on "Verifiable secret sharing published in 1996"


Book ChapterDOI
Markus Stadler1
12 May 1996
TL;DR: Verifiable secret sharing schemes in which everybody, not only the participants, can check that the shares were correctly distributed are called publicly verifiable secret sharing schemes; new applications to escrow cryptosystems and to payment systems with revocable anonymity are discussed, and two new realizations based on ElGamal's cryptosystem are presented.
Abstract: A secret sharing scheme allows a secret to be shared among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We call such schemes publicly verifiable secret sharing schemes. We discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem.

581 citations



Book ChapterDOI
12 May 1996
TL;DR: In this paper, the authors presented new cryptographic protocols for multiauthority secret ballot elections that guarantee privacy, robustness, and universal verifiability, and showed how to reduce the work required by the voter or an authority to a linear number of cryptographic operations in the population size.
Abstract: We present new cryptographic protocols for multiauthority secret ballot elections that guarantee privacy, robustness, and universal verifiability. Application of some novel techniques, in particular the construction of witness hiding/indistinguishable protocols from Cramer, Damgard and Schoenmakers, and the verifiable secret sharing scheme of Pedersen, reduce the work required by the voter or an authority to a linear number of cryptographic operations in the population size (compared to quadratic in previous schemes). Thus we get significantly closer to a practical election scheme.

292 citations


Patent
27 Nov 1996
TL;DR: In this paper, the authors define the notion of verifiable architecture neutral programs as Java bytecode programs whose integrity is verified using a bytecode program verifier, which is the preferred embodiment of our approach.
Abstract: A computer system includes a program executer that executes verifiable architecture neutral programs and a class loader that prohibits the loading and execution of non-verifiable programs unless (A) the non-verifiable program resides in a trusted repository of such programs, or (B) the non-verifiable program is indirectly verifiable by way of a digital signature on the non-verifiable program that proves the program was produced by a trusted source. In the preferred embodiment, verifiable architecture neutral programs are Java bytecode programs whose integrity is verified using a Java bytecode program verifier. The non-verifiable programs are generally architecture specific compiled programs generated with the assistance of a compiler. Each architecture specific program typically includes two signatures, one by the compiling party and one by the compiler. Each digital signature includes a signing party identifier and an encrypted message. The encrypted message includes a message generated by a predefined procedure, and is encrypted using a private encryption key associated with the signing party. A digital signature verifier used by the class loader includes logic for processing each digital signature by obtaining a public key associated with the signing party, decrypting the encrypted message of the digital signature with that public key so as to generate a decrypted message, generating a test message by executing the predefined procedure on the architecture specific program associated with the digital signature, comparing the test message with the decrypted message, and issuing a failure signal if the decrypted message digest and test message digest do not match.

258 citations


Book ChapterDOI
18 Aug 1996
TL;DR: A new construction principle for k out of n secret sharing schemes is presented which is easy to apply and in most cases gives much better results than the former principles.
Abstract: Naor and Shamir ([1]) defined the basic problem of visual cryptography by a visual variant of the k out of n secret sharing problem: how can an original picture be encoded by n transparencies so that fewer than k of them give no information about the original, but by stacking k of them the original can be seen? They described a solution to this problem by a structure called a k out of n secret sharing scheme whose parameters directly correspond to the quality and usability of the solution. In this paper a new principle of construction for such schemes is presented which is easy to apply and in most cases gives much better results than the former principles. New bounds on relevant parameters of k out of n schemes are developed, too. Furthermore, an extension of the basic problem is introduced and solved in which every combination of the transparencies can contain independent information.
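The basic 2 out of 2 construction that the k out of n schemes above generalise, as an added worked example (illustration code written for this listing, not code from the paper). Pixel expansion is 2: every secret pixel becomes a pair of subpixels on each transparency, a white pixel gets the same random pair on both shares and a black pixel gets complementary pairs, so stacking (boolean OR) shows black pixels fully opaque and white pixels half opaque. The helper name `counterpart_for` is chosen here; it exists to make the secrecy argument concrete, since one transparency can be completed into any secret image at all and therefore reveals nothing on its own.

```python
"""2-out-of-2 visual secret sharing in the Naor-Shamir model (added example).

0 = transparent subpixel, 1 = opaque subpixel; secret pixels use 1 = black.
"""
import secrets

# The two subpixel patterns: one opaque cell, one transparent cell, in either order.
PATTERNS = ((1, 0), (0, 1))


def random_share(height, width, rng=secrets):
    """A transparency of independently random subpixel pairs.

    It is generated without looking at the secret, so it carries no information.
    """
    return [[b for _ in range(width) for b in PATTERNS[rng.randbelow(2)]]
            for _ in range(height)]


def counterpart_for(share1, image):
    """The second transparency that, stacked on share1, shows `image`.

    White pixel -> copy share1's pair (OR leaves one opaque cell).
    Black pixel -> complement share1's pair (OR makes both cells opaque).
    Because this works for ANY target image, share1 alone leaks nothing.
    """
    share2 = []
    for row1, pixels in zip(share1, image):
        row2 = []
        for k, pixel in enumerate(pixels):
            pat = row1[2 * k:2 * k + 2]
            row2.extend(pat if pixel == 0 else [1 - b for b in pat])
        share2.append(row2)
    return share2


def share_image(image, rng=secrets):
    """Split a 0/1 bitmap into two transparencies (dealer side)."""
    share1 = random_share(len(image), len(image[0]), rng)
    return share1, counterpart_for(share1, image)


def stack(share1, share2):
    """Physically laying one transparency over the other is a boolean OR."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(share1, share2)]


def decode(stacked):
    """Read the stacked image: a pixel is black iff both of its subpixels are opaque."""
    return [[int(row[2 * k] + row[2 * k + 1] == 2) for k in range(len(row) // 2)]
            for row in stacked]


def render(share):
    """ASCII rendering, '#' for an opaque subpixel, '.' for a transparent one."""
    return "\n".join("".join("#" if b else "." for b in row) for row in share)


if __name__ == "__main__":
    # Constructed sample secret: a 2x3 bitmap.
    secret = [[1, 0, 1],
              [0, 1, 0]]
    s1, s2 = share_image(secret)
    print("share 1\n" + render(s1))
    print("share 2\n" + render(s2))
    print("stacked\n" + render(stack(s1, s2)))
    print("decoded:", decode(stack(s1, s2)))
```

The contrast is what the paper's quality parameters measure: here a white pixel is 50% opaque after stacking and a black one 100%, and the expansion factor is 2. `decode` is only a convenience for checking; the intended receiver is a human eye looking at the stacked transparencies.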

249 citations


Book ChapterDOI
03 Nov 1996
TL;DR: At Eurocrypt'95 Sako and Kilian presented the first Mix-type voting scheme which is receipt-free and universally verifiable.
Abstract: At Eurocrypt'95 Sako and Kilian presented the first Mix-type voting scheme which is receipt-free and universally verifiable.

91 citations


Journal ArticleDOI
TL;DR: The first proof of the existence of access structures with optimal information rate and optimal average information rate less than 1/2 + ε is given, where ε is an arbitrary positive constant.

91 citations


Patent
21 Aug 1996
TL;DR: A secret is reconstructed over a public communication channel using a perfect t-out-of-n secret sharing scheme; the reconstructing procedure run by a recipient participant (i) receives over the public channel l-1 encoded secret shares from l-1 other participants, (ii) decodes each of them, obtaining l-1 decoded secret shares, and (iii) reconstructs the secret from those l-1 decoded shares and the recipient's own share.
Abstract: A method for reconstructing a secret, over a public communication channel, using a perfect t-out-of-n secret sharing scheme. The scheme has a dealer that uses a delivering procedure to privately deliver n secret shares of the secret, along with n keys, to n participants that are interlinked by the channel. The scheme further has a secret reconstructing procedure, executed by selected recipient participants, for reconstructing the secret from the recipient participant's own secret share and l-1 secret shares of the other participants. The secret reconstructing procedure includes the following steps: (i) receiving over said public communication channel l-1 encoded secret shares from the l-1 participants, respectively; (ii) decoding each one of the l-1 encoded secret shares, thereby obtaining l-1 decoded secret shares; and (iii) reconstructing the secret from the l-1 decoded secret shares and from the self secret share of the recipient participant.

87 citations


Book
Madhu Sudan1
01 Jan 1996
TL;DR: Results from coding theory are used as a starting point and several algorithmic techniques including pairwise independent sampling to give efficient randomized algorithms for error-detection and error-correction for some well-known codes.
Abstract: The definition of the class NP (Coo71, Lev73) highlights the problem of verification of proofs as one of central interest to theoretical computer science. Recent efforts have shown that the efficiency of the verification can be greatly improved by allowing the verifier access to random bits and accepting probabilistic guarantees from the verifier (BFL91, BFLS91, FGL+91, AS92). We improve upon the efficiency of the proof systems developed above and obtain proofs which can be verified probabilistically by examining only a constant number of (randomly chosen) bits of the proof. The efficiently verifiable proofs constructed here rely on the structural properties of low-degree polynomials. We explore the properties of these functions by examining some simple and basic questions about them. We consider questions of the form: (1) (testing) Given an oracle for a function f, is f close to a low-degree polynomial? (2) (correcting) Let f be close to a low-degree polynomial g; is it possible to efficiently reconstruct the value of g on any given input using an oracle for f? The questions described above have been raised before in the context of coding theory as the problems of error-detecting and error-correcting of codes. More recently interest in such questions has been regenerated due to their connections with the area of program result checking. We use results from coding theory as a starting point and combine these with several algorithmic techniques including pairwise independent sampling to give efficient randomized algorithms for these tasks. As a consequence we obtain fast randomized algorithms for error-detection and error-correction for some well-known codes. The expressive nature of low-degree polynomials suffices to capture the complexity of the class NP and we translate our results on the efficiency of the testing and correcting procedures into two different efficiently verifiable proof systems for deciding membership questions for NP languages.
One proof system generates small and somewhat efficiently verifiable proofs and the other generates very large but very efficiently verifiable proofs. We then employ new techniques from the paper of (AS92) to compose these proof systems to obtain small proofs which can be verified by probing them in just a constant number of (randomly chosen) bits. An important consequence of this result is that for a large class of NP-complete optimization problems, it can be shown that finding even approximate solutions is an NP-hard problem. The particular class of optimization problems we consider is MAX SNP, introduced by Papadimitriou and Yannakakis (PY91). For every MAX SNP-hard problem we show that there is a constant ε such that approximating the optimum to within a relative error of ε is NP-hard.

86 citations


Journal ArticleDOI
TL;DR: Techniques for obtaining bounds on the information rates of perfect secret sharing schemes are discussed and illustrated using the set of monotone access structures on five participants.
Abstract: A perfect secret sharing scheme is a system for the protection of a secret among a number of participants in such a way that only certain subsets of these participants can reconstruct the secret, and the remaining subsets can obtain no additional information about the secret. The efficiency of a perfect secret sharing scheme can be assessed in terms of its information rates. In this paper we discuss techniques for obtaining bounds on the information rates of perfect secret sharing schemes and illustrate these techniques using the set of monotone access structures on five participants. We give a full listing of the known information rate bounds for all the monotone access structures on five participants.

78 citations


Journal ArticleDOI
TL;DR: This paper establishes a formal setting to study secret sharing schemes in which the dealer has the feature of being able to activate a particular access structure out of a given set and/or to allow the participants to reconstruct different secrets by sending to all participants the same broadcast message.

Dissertation
01 Jan 1996
TL;DR: VSS protocols satisfying the requirements of the new definition can be proven to remain secure even when used as sub-protocols inside larger protocols; the first VSS protocols in the access structure model whose security does not depend on unproven computational assumptions are also presented.
Abstract: Secret Sharing is a fundamental notion for secure cryptographic design. In a Secret Sharing protocol a dealer shares a secret among n parties. In the so called threshold model, the sharing is done so that subsets of t + 1 (or more) parties can later reconstruct the secret, while subsets of t (or fewer) parties have no information about it. The notion can be generalized by having the dealer specify a family of subsets of the n parties, called the access structure. The dealer shares the secret in such a way that only subsets of players in that family (usually called authorized subsets) can reconstruct the secret, while non-authorized subsets have no information about it. Verifiable Secret Sharing (VSS) protocols achieve the above task in the presence of maliciously behaving parties. In our thesis we present a new and stronger definition of VSS. The novelty of the definition is that it satisfies the composition property of secure protocols. That is, VSS protocols satisfying the requirements of our definition can be proven to remain secure even when used as sub-protocols inside larger protocols. Previous definitions did not enjoy this property. We also present the first VSS protocols in the access structure model whose security does not depend on unproven computational assumptions. One of the most important applications of VSS protocols is the implementation of robust shared signature schemes. Such protocols allow a group of servers to sign a document with a secret key that is shared among them. We present efficient threshold signature schemes for the Digital Signature Standard and the RSA Signature Algorithm. The protocols are fully robust, that is, they tolerate the presence of a threshold of malicious servers who may try to forge signatures or impede the signature process. Acknowledgments: First and foremost I would like to thank my advisor, Silvio Micali. I just cannot imagine a better person to work with. His enthusiasm makes research work always exciting.
He is also an extremely supportive person, always ready to pump up your self-esteem when things do not go as well as desired. Special thanks are due to Shafi Goldwasser and Tal Rabin, for serving on my thesis committee. Shafi introduced me to cryptography and always showed a genuine interest in my research. Tal is not only a great person to work with, but also a special friend. The Theory Group at the MIT Laboratory for Computer Science has …

Journal ArticleDOI
TL;DR: The extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalized are explored and a general method of construction is provided for such schemes.
Abstract: We consider secret sharing schemes which, through an initial issuing of shares to a group of participants, permit a number of different secrets to be protected. Each secret is associated with a (potentially different) access structure and a particular secret can be reconstructed by any group of participants from its associated access structure without the need for further broadcast information. We consider ideal secret sharing schemes in this more general environment. In particular, we classify the collections of access structures that can be combined in such an ideal secret sharing scheme and we provide a general method of construction for such schemes. We also explore the extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalized.

Patent
21 Mar 1996
TL;DR: In this paper, the authors proposed a key escrow scheme in which the government gets some information related to the secret keys of individuals but not the secret key themselves, and the information given to the government enables it to decrypt with a predetermined level of computational difficulty less than that for adversaries at large.
Abstract: Methods for designing encryption algorithms with different levels of security for different parties: "easier" (but requiring some work nonetheless) to break for some parties (e.g., the government) than for other parties (the adversaries at large). This is achieved by a new form of key escrow in which the government gets some information related to the secret keys of individuals but not the secret keys themselves. The information given to the government enables it to decrypt with a predetermined level of computational difficulty less than that for adversaries at large. The new key escrow methods are verifiable. Verification information can be provided to the government so that it can verify that the information escrowed is sufficient to enable it to decrypt with the predetermined level of computational difficulty. The fact that the government must perform some computation to break the encryption schemes of individual users provides a serious deterrent against massive wiretapping.

Book ChapterDOI
10 Apr 1996
TL;DR: A key escrow system which meets possible requirements for international key Escrow, where different domains may not trust each other, and two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains.
Abstract: In this paper we present a key escrow system which meets possible requirements for international key escrow, where different domains may not trust each other. In this system multiple third parties, who are trusted collectively but not individually, perform the dual role of providing users with key management services and providing authorised agencies in the relevant domains with warranted access to the users' communications. We propose two escrowed key agreement mechanisms, both designed for the case where the pair of communicating users are in different domains, in which the pair of users and all the third parties jointly generate a cryptographic key for end-to-end encryption. The fact that all entities are involved in the key generation process helps make it more difficult for deviant users to subvert the escrowed key by using a hidden ‘shadow-key’. The first mechanism makes use of a single set of key escrow agencies moderately trusted by mutually mistrusting domains. The second mechanism uses a transferable and verifiable secret sharing scheme to transfer key shares between two groups of key escrow agencies, where one group is in each domain.

Journal ArticleDOI
TL;DR: A protocol for computationally secure ‘on line’ secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused.
Abstract: A protocol for computationally secure ‘on line’ secret-sharing is presented, based on the intractability of the Diffie-Hellman problem, in which the participants' shares can be reused.

Proceedings ArticleDOI
03 Jun 1996
TL;DR: It is shown that some simple transactions do not admit weakest preconditions over first-order logic, and that the class of robustly verifiable transactions over first-order logic is exactly the class of transactions that admit the local form of verifiability.
Abstract: It is often necessary to ensure that database transactions preserve integrity constraints that specify valid database states. While it is possible to monitor for violations of constraints at run-time, rolling back transactions when violations are detected, it is preferable to verify correctness statically, before transactions are executed. This can be accomplished if we can verify transaction safety with respect to a set of constraints by means of calculating weakest preconditions. We study properties of weakest preconditions for a number of transaction and specification languages. We show that some simple transactions do not admit weakest preconditions over first-order logic. We also show that the class of transactions that admit weakest preconditions over first-order logic cannot be captured by any transaction language. We consider a strong local form of verifiability, and show that it is different from the general form. We define robustly verifiable transactions as those that can be statically analyzed regardless of extensions to the signature of the specification language, and we show that the class of robustly verifiable transactions over first-order logic is exactly the class of transactions that admit the local form of verifiability. We discuss the implications of these results for the design of verifiable transaction languages.

Journal ArticleDOI
TL;DR: A secure voting scheme that reduces the cryptographic and communication requirements in comparison with other schemes which have been presented and can be easily implemented on any existing computer network.

Proceedings ArticleDOI
27 May 1996
TL;DR: A robust electronic currency system is designed to meet the specifications and achieve the verifiable transaction atomicity in an electronic payment system, in which a set of dishonest or malicious participants may exhibit unpredictable behavior and cause arbitrary failures.
Abstract: We study the transaction atomicity problem for designing electronic payment protocols in distributed systems. We observe that the techniques that are used to guarantee transaction atomicity in a database system are not robust enough to guarantee transaction atomicity in an electronic payment system, in which a set of dishonest or malicious participants may exhibit unpredictable behavior and cause arbitrary failures. We present a new concept-verifiable transaction atomicity-for designing electronic payment protocols. We give formal specifications to the verifiable atomic commitment problem. Then we design a robust electronic currency system to meet the specifications and achieve the verifiable transaction atomicity.

Proceedings Article
30 May 1996
TL;DR: An architecture for a distributed key escrow system that might be suitable for deployment over very large-scale networks such as the Internet is sketched and a new cryptographic primitive, oblivious multicast, is introduced that can serve as the basis for such a system.

Journal ArticleDOI
TL;DR: This paper presents an efficient construction of perfect secret sharing schemes for graph-based access structures, where a vertex denotes a participant and an edge denotes a qualified pair of participants, and an application of the scheme to the reduction of storage and computation loads on the communication granting server in a secure network.
Abstract: In this paper, we propose an efficient construction of perfect secret sharing schemes for graph-based access structures where a vertex denotes a participant and an edge denotes a qualified pair of participants. The secret sharing scheme is based on the assumptions that the pairs of participants corresponding to edges in the graph can compute the master key but the pairs of participants corresponding to non-edges in the graph cannot. The information rate of our scheme is 1/(n − 1), where n is the number of participants. We also present an application of our scheme to the reduction of storage and computation loads on the communication granting server in a secure network.

Journal Article
TL;DR: This paper describes secret sharing schemes based on Room squares and their critical sets, and proposes a model of sharing based on critical sets of Room squares.
Abstract: In this paper, we describe secret sharing schemes. We discuss Room squares and their critical sets. We propose a model of sharing based on critical sets of Room squares. Disciplines: Physical Sciences and Mathematics. Publication Details: Chaudhry G R, and Seberry J, Secret Sharing schemes based on Room squares, Proceedings of DMTCS'96, December 1996, Auckland, New Zealand, Combinatorics, Complexity and Logic, Springer-Verlag Singapore 1996, 158-167. This conference paper is available at Research Online: http://ro.uow.edu.au/infopapers/1132

Book ChapterDOI
24 Jun 1996
TL;DR: A nonlinear secret-sharing scheme for n parties such that any set of k−1 or more shares can determine the secret, but it is computationally hard to extract information about the secret.
Abstract: In this paper, we describe a nonlinear secret-sharing scheme for n parties such that any set of k−1 or more shares can determine the secret; any set of fewer than k−1 shares might give information about the secret, but it is computationally hard to extract information about the secret. The scheme is based on quadratic forms, and the computation of both the shares and the secret is easy.

18 Nov 1996
TL;DR: This paper presents a secure transaction protocol that provides relational properties in addition to the normal properties of secure messages, including causality, atomicity and isolation.
Abstract: Secure transactions form the computational basis for electronic commerce. Many forms of commerce depend upon there being a defined and verifiable relationship between messages in a transaction. We have identified three such relational properties: causality, atomicity and isolation. Causality is a new property. It allows the receiver of a message to deduce and verify the sequence of messages sent and received by the sender prior to that message. In this paper we present a secure transaction protocol that provides relational properties in addition to the normal properties of secure messages.

Book ChapterDOI
12 May 1996
TL;DR: A new unifying approach which uses homomorphisms of secret sharing schemes, and presents a verifiable signature sharing scheme for which as many as (n - 1)/3 processors can be faulty, and for which the number of interactions is reduced.
Abstract: Franklin and Reiter introduced at Eurocrypt '95 verifiable signature sharing, a primitive for a fault tolerant distribution of signature verification. They proposed various practical protocols. For RSA signatures with exponent e = 3 and n processors their protocol allows for up to (n - 1)/5 faulty processors (in general (n - 1)/(2 + e)). We consider a new unifying approach which uses homomorphisms of secret sharing schemes, and present a verifiable signature sharing scheme for which as many as (n - 1)/3 processors can be faulty (for any value of e), and for which the number of interactions is reduced.
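A worked threshold VSS, as an added example serving three entries in this listing: the t-out-of-n threshold model and the dealer/participant roles described in the thesis abstract above, the public verifiability of share distribution in the first entry (Stadler), and the share/commitment homomorphism that the Franklin-Reiter follow-up above builds on. This is illustration code written for this page, not any of those papers' own schemes; it uses Feldman-style commitments (the dealer publishes g^{a_j} for every coefficient a_j of the sharing polynomial, and anyone can check a share against them). The group parameters p = 2039, q = 1019, g = 4 are toy-sized assumptions chosen so the arithmetic is readable; a deployment would use a group where discrete logarithms are hard (a 256-bit prime-order subgroup or an elliptic curve).

```python
"""Feldman-style verifiable secret sharing over a prime-order subgroup (added example).

Toy parameters (assumed, NOT secure sizes): p = 2q+1 with p, q prime, and
g = 2^2 = 4, a generator of the order-q subgroup of Z_p^*.
"""
import secrets
from dataclasses import dataclass

P = 2039   # safe prime, P = 2*Q + 1
Q = 1019   # prime order of the commitment subgroup; shares live in Z_Q
G = 4      # generator of the order-Q subgroup of Z_P^*


@dataclass(frozen=True)
class Dealing:
    shares: dict        # participant index i -> f(i) mod Q, sent to i privately
    commitments: list   # public: C_j = G^{a_j} mod P for each coefficient a_j


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial over Z_Q (coeffs[0] is the constant term)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def deal(secret: int, t: int, n: int, rng=secrets) -> Dealing:
    """Dealer: share `secret` so that any t of n shares reconstruct it and t-1 learn nothing.

    f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} over Z_Q; share i is f(i).
    """
    assert 0 <= secret < Q and 1 <= t <= n < Q
    coeffs = [secret] + [rng.randbelow(Q) for _ in range(t - 1)]
    shares = {i: _eval_poly(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return Dealing(shares, commitments)


def verify_share(i: int, share: int, commitments: list) -> bool:
    """Public check run by a participant (or anyone who sees the share later):

    G^{f(i)} == prod_j C_j^{i^j} (mod P), which holds iff share == f(i) mod Q.
    A cheating dealer cannot hand out a share inconsistent with the commitments,
    and a cheating participant cannot submit a modified share at reconstruction.
    """
    expected = 1
    for j, c in enumerate(commitments):
        expected = (expected * pow(c, pow(i, j, Q), P)) % P
    return pow(G, share, P) == expected


def reconstruct(shares: dict) -> int:
    """Lagrange interpolation at x = 0 over Z_Q from any t (or more) shares."""
    xs = list(shares)
    secret = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = (num * (-j)) % Q
                den = (den * (i - j)) % Q
        secret = (secret + shares[i] * num * pow(den, -1, Q)) % Q
    return secret


def add_dealings(d1: Dealing, d2: Dealing) -> Dealing:
    """Homomorphism: adding shares and multiplying commitments yields a valid
    dealing of (s1 + s2) with the same threshold, with no dealer involved."""
    shares = {i: (d1.shares[i] + d2.shares[i]) % Q for i in d1.shares}
    commitments = [(c1 * c2) % P for c1, c2 in zip(d1.commitments, d2.commitments)]
    return Dealing(shares, commitments)


def demo(secret: int = 777, t: int = 3, n: int = 5):
    """Deal, verify every share, catch a tampered share, reconstruct from t shares."""
    d = deal(secret, t, n)
    all_ok = all(verify_share(i, s, d.commitments) for i, s in d.shares.items())
    tampered = (d.shares[2] + 1) % Q                      # participant 2 lies
    tamper_detected = not verify_share(2, tampered, d.commitments)
    recovered = reconstruct({i: d.shares[i] for i in (1, 3, 5)})
    return all_ok, tamper_detected, recovered


if __name__ == "__main__":
    print(demo())   # (True, True, 777)
```

The commitment to the constant term is G^secret, so this variant only hides the secret computationally; Pedersen's scheme, used by the election protocol near the top of this list, commits with a second generator to get information-theoretic hiding at the cost of one extra exponentiation per coefficient. In practice the tampered-share check is applied at reconstruction time as well as at distribution time, which is what lets a threshold signature protocol stay robust when some servers misbehave.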

Journal ArticleDOI
TL;DR: It is proved that there exist no secret sharing schemes having a veto capability such that qualified minorities can prevent any other set of participants from reconstructing the secret if one does not assume that the reconstruction machine is trustworthy.

Book ChapterDOI
24 Jun 1996
TL;DR: Without collecting and changing any secret shadows, the secret shadows can be reused after recovering or renewing the shared secret and the amount of public data is still proportional to the number of shadowholders.
Abstract: We propose an efficient dynamic threshold scheme with cheater detection. In our scheme, without collecting and changing any secret shadows, the secret shadows can be reused after recovering or renewing the shared secret. Thus the new scheme is efficient and practical. In addition, the new scheme can detect the cheaters. Furthermore, the amount of public data is still proportional to the number of shadowholders.


Proceedings ArticleDOI
12 Jun 1996
TL;DR: This paper presents a fast and perfect secret key sharing scheme based on a simple geometric method to solve group-oriented secret sharing problems in distributed systems that can reduce the needed time of sending messages to a group of receivers due to multiplication operations only.
Abstract: This paper presents a fast and perfect secret key sharing scheme based on a simple geometric method to solve group-oriented secret sharing problems in distributed systems. This scheme does not need the existence of a trusted authority and can reduce the time needed to send messages to a group of receivers, since only multiplication operations are required. The scheme can be shown to be very secure, because it is not only a perfect secret sharing scheme but also, when the cryptanalyst tries to compute secret values, he must solve simultaneous trigonometric equations with t-1 equations, where t is the threshold value in the secret key sharing scheme presented in this paper, and the number of unknown values is much larger than the number of equations, so that he will obtain no exact solution. Furthermore, it can dynamically insert or delete any participant in a group without affecting the original participants, and it is easy to change the shares without changing the original secret key.

Journal ArticleDOI
TL;DR: The author points out that verifiable signature sharing (V/spl Sigma/S) for the DSA proposed by Franklin et al. at Eurocrypt'95 does not possess heuristic security, and he proposes an improved scheme which does possessHeuristic security.
Abstract: The author points out that verifiable signature sharing (V/spl Sigma/S) for the DSA proposed by Franklin et al. at Eurocrypt'95 does not possess heuristic security, and he proposes an improved scheme which does possess heuristic security.