
Showing papers on "Verifiable secret sharing published in 1998"


Proceedings ArticleDOI
01 Jun 1998
TL;DR: A very simple Verifiable Secret Sharing protocol is presented which is based on fast cryptographic primitives and avoids altogether the need for expensive zero-knowledge proofs and a highly simplified protocol to compute multiplications over shared secrets.
Abstract: The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zero-knowledge proofs. This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plug-in unit in known protocols reduces their complexity. We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments. Finally, we present fast-track multiparty computation protocols. In a model in which malicious faults are rare we show that it is possible to carry out a simpler and more efficient protocol which does not perform all the expensive checks needed to combat a malicious adversary from foiling the computation. Yet, the protocol still enables detection of faults and recovers the computation when faults occur without giving any information advantage to the adversary. This results in protocols which are much more efficient under normal operation of the system i.e. when there are no faults. As an example of the practical impact of our work we show how our techniques can be used to greatly improve the speed and the fault-tolerance of existing threshold cryptography protocols.
Author affiliations: IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA (rosario@watson.ibm.com); Harvard University and Hebrew University (rabin@cs.huji.ac.il); IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, New York 10598, USA (talr@watson.ibm.com).
PODC 98, Puerto Vallarta, Mexico. Copyright ACM 1998.

529 citations


Book ChapterDOI
31 May 1998
TL;DR: In this article, the authors constructed a universally verifiable mix-net, where the amount of work done by a verifier is independent of the number of mix-servers.
Abstract: In this paper we construct a universally verifiable Mix-net where the amount of work done by a verifier is independent of the number of mix-servers. Furthermore, the computational task of each mix-server is constant against the number of mix-servers except for some negligible tasks like addition. The scheme is robust, too.

240 citations


Book ChapterDOI
05 Feb 1998
TL;DR: Zheng's scheme is modified so that the recipient's private key is no longer needed in signature verification; the computational cost is higher than that of Zheng's scheme but lower than that of the signature-then-encryption approach.
Abstract: Signcryption, first proposed by Zheng [4, 5], is a cryptographic primitive which combines both the functions of digital signature and public key encryption in a logical single step, and with a computational cost significantly lower than that needed by the traditional signature-then-encryption approach. In Zheng's scheme, the signature verification can be done either by the recipient directly (using his private key) or by engaging in a zero-knowledge interactive protocol with a third party, without disclosing the recipient's private key. In this note, we modify Zheng's scheme so that the recipient's private key is no longer needed in signature verification. The computational cost of the modified scheme is higher than that of Zheng's scheme but lower than that of the signature-then-encryption approach.

221 citations


Book ChapterDOI
31 May 1998
TL;DR: This paper presents a practical and provably secure PVSS scheme which is O(|v|) times more efficient than Stadler's PVSS schemes, where |v| denotes the size of the secret.
Abstract: A publicly verifiable secret sharing (PVSS) scheme, named by Stadler in [Sta96], is a special VSS scheme in which anyone, not only the shareholders, can verify that the secret shares are correctly distributed. The property of public verifiability is what the first proposed VSS scheme [CGMA85] incorporated but later protocols [GMW87, Fel87, Ped91] failed to include. PVSS can provide some interesting properties in the systems using VSS. For instance, it gives a practical solution to (k, l)-threshold VSS assuming no broadcast channel. Stadler proposed two PVSS protocols: one is as secure as the Decision-Diffie-Hellman problem, and the security of the other is not formally discussed. This paper presents a practical and provably secure PVSS scheme which is O(|v|) times more efficient than Stadler's PVSS schemes, where |v| denotes the size of the secret. It can be incorporated into various cryptosystems based on the factoring and the discrete logarithm to transform them into publicly verifiable key escrow (PVKE) systems. In addition, those key escrow cryptosystems can be easily modified into the verifiable partial key escrow (VPKE) ones with the property of delayed recovery [BG97]. To the best of our knowledge, this is the first realization of a VPKE cryptosystem based on the factoring with the delayed recovery.

159 citations


Book ChapterDOI
01 Jul 1998
TL;DR: The paper proposes efficient solutions to two long standing open problems related to secret sharing schemes in multilevel and compartmented access structures using a sequence of related Shamir threshold schemes with overlapping shares and the secret.
Abstract: The paper proposes efficient solutions to two long standing open problems related to secret sharing schemes in multilevel (or hierarchical) and compartmented access structures. The secret sharing scheme in multilevel access structures uses a sequence of related Shamir threshold schemes with overlapping shares and the secret. The secret sharing scheme in compartmented access structures applies Shamir schemes first to recover partial secrets and second to combine them into the requested secret. Both schemes described in the paper are ideal and perfect.

79 citations


Journal ArticleDOI
TL;DR: An efficient, computationally secure on-line secret sharing scheme is presented that provides great capabilities for many practical applications and whose security is the same as that of the RSA cryptosystem and Shamir's (r,n)-threshold scheme.

73 citations



Book ChapterDOI
Liqun Chen
18 Oct 1998
TL;DR: A new efficient protocol is proposed, which allows a pair of potentially mistrusting parties to exchange digital signatures over the Internet in a fair way, such that after the protocol has run, either each party obtains the other's signature, or neither of them does.
Abstract: We propose a new efficient protocol, which allows a pair of potentially mistrusting parties to exchange digital signatures over the Internet in a fair way, such that after the protocol has run, either each party obtains the other's signature, or neither of them does. The protocol relies on an off-line Trusted Third Party (TTP), which does not take part in the exchange unless any of the parties behaves improperly or other faults occur. Efficiency of the protocol is achieved by using a cryptographic primitive, called confirmable signatures (or designated confirmer signatures in its original proposal [9]). We recommend using a new efficient confirmable signature scheme in the proposed fair exchange protocol. This scheme combines the family of discrete logarithm (DL) based signature algorithms and a zero-knowledge (ZK) proof on the equality of two DLs. The protocol has a practical level of performance: only a moderate number of communication rounds and ordinary signatures are required. The security of the protocol can be established from that of the underlying signature algorithms and that of the ZK proof used.

64 citations


Journal Article
TL;DR: It is shown that a compact NSS has some special access hierarchy and it is closely related to a matroid, which means that it meets the equalities of both the bounds and the entropy type bound.
Abstract: Nonperfect secret sharing schemes (NSSs) have an advantage such that the size of shares can be shorter than that of perfect secret sharing schemes. This paper shows some basic properties of general NSS. First, we present a necessary and sufficient condition on the existence of an NSS. Next, we show two bounds of the size of shares, a combinatorial type bound and an entropy type bound. Further, we define a compact NSS as an NSS which meets the equalities of both our bounds. Then we show that a compact NSS has some special access hierarchy and it is closely related to a matroid. Verifiable nonperfect secret sharing schemes are also presented.

52 citations


Book ChapterDOI
31 May 1998
TL;DR: This work completely characterizes the bipartite access structures that can be realized by an ideal secret sharing scheme, and upper and lower bounds on the optimal information rate of bipartite access structures are given.
Abstract: We study the information rate of secret sharing schemes whose access structure is bipartite. In a bipartite access structure there are two classes of participants and all participants in the same class play an equivalent role in the structure. We characterize completely the bipartite access structures that can be realized by an ideal secret sharing scheme. Both upper and lower bounds on the optimal information rate of bipartite access structures are given.

50 citations


Journal ArticleDOI
TL;DR: It is proved that the entropy of the shares of any non-qualified set is independent from the probability distribution according to which the secret is chosen.

Journal ArticleDOI
TL;DR: An improved method of constructing the visual secret sharing scheme is proposed that can conceal some images in a series of transparencies, in such a way that different images are seen as the number of stacking transparencies increases.
Abstract: A visual secret sharing scheme [1] permits a secret to be shared among participants using transparencies. In this paper, we consider an extended scheme for visual secret sharing. We propose an improved method of constructing the visual secret sharing scheme that can conceal some images in a series of transparencies, in such a way that different images are seen as the number of stacking transparencies increases. Furthermore, we describe applications of the visual secret sharing scheme to copy machines and human identification schemes. In the identification scheme, users recognize messages from an identification terminal by stacking their transparencies on the display. A great advantage of this scheme is that users can validate the authenticity of the terminal without consulting a computer or calculator. © 1998 Scripta Technica. Electron Comm Jpn Pt 3, 81(7): 55–63, 1998

Journal ArticleDOI
TL;DR: This paper presents a more precise definition of secret sharing schemes in terms of information theory, and a new decomposition theorem that generalizes previous decomposition theorems and also works for a more general class of access structures.
Abstract: A secret sharing scheme for an incomplete access structure (\G,\D) is a method of distributing information about a secret among a group of participants in such a way that sets of participants in \G can reconstruct the secret and sets of participants in \D cannot obtain any new information about the secret. In this paper we present a more precise definition of secret sharing schemes in terms of information theory, and a new decomposition theorem. This theorem generalizes previous decomposition theorems and also works for a more general class of access structures. We demonstrate some applications of the theorem.

Patent
08 Apr 1998
TL;DR: In this paper, the authors present a system and method for publicly verifying that a session key determined according to a Diffie-Hellman key exchange can be recovered from information associated with a communication encrypted with the session key.
Abstract: The present invention is a system and method for publicly verifying that a session key determined according to a Diffie-Hellman key exchange can be recovered from information associated with a communication encrypted with the session key. More particularly, the present invention provides recovery information and verification information with the encrypted communication. A recovery agent is able to recover the session key using the recovery information. A verifier, using the verification information, is able to verify that the session key can, in fact, be recovered from the recovery information. Neither the recovery information nor the verification information alone reveals any secret or private information. Furthermore, only the recovery agent is able to recover the session key, and he does so without revealing any other private information. Thus, the verification can be performed by any member of the public.

01 Jan 1998
TL;DR: It is shown that the matroid associated with an ideal scheme is uniquely determined by the access structure of the scheme and is independent of the model being used.
Abstract: In this paper we review combinatorial models for secret sharing schemes. A detailed comparison of several existing combinatorial models for secret sharing schemes is conducted. We pay particular attention to the ideal instances of these combinatorial models. We show that the models under examination have a natural hierarchy but that the ideal instances of these models have a different hierarchy. We show that in the ideal case the combinatorial structures underlying the combinatorial models are essentially independent of the model being used. Further, we show that the matroid associated with an ideal scheme is uniquely determined by the access structure of the scheme and is independent of the model being used. We use this result to present a combinatorial classification of ideal threshold schemes.

Journal ArticleDOI
TL;DR: In this paper, the authors considered the secure channel model and proposed protocols for WSS, VSS, and MPC with a non-zero error probability and showed that weak secret sharing is not secure against an adaptive adversary.
Abstract: We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols, secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q2 adversaries.

Journal ArticleDOI
TL;DR: In this article, the authors generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al. such that it can rely on more general assumptions, and can be proven secure without relying on random oracles.
Abstract: We generalise and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without relying on random oracles. We show a new application of verifiable encryption to group signatures with separability; these schemes do not need special purpose keys but can work with a wide range of signature and encryption schemes already in use. Finally, we extend our basic primitive to verifiable threshold and group encryption. By encrypting digital signatures this way, one gets new solutions to the verifiable signature sharing problem.

Journal Article
TL;DR: The Verifiable Signature Sharing (VΣS) protocol as mentioned in this paper enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it.
Abstract: Verifiable Signature Sharing (VΣS) enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it. The original RSA and Rabin VΣS protocols were subsequently broken and the original DSS VΣS lacks a formal proof of security. We present new protocols for RSA, Rabin and DSS VΣS. Our protocols are efficient and provably secure and can tolerate the malicious behavior of up to half of the proxies. Furthermore we believe that some of our techniques are of independent interest. Some of the by-products of our main result are: a new threshold cryptosystem, a new undeniable signature scheme and a way to create binding RSA cryptosystems.

Journal ArticleDOI
TL;DR: The class of robustly verifiable transactions over first-order logic is exactly the class of transactions that admit the local form of verifiability, and the implications of these results for the design of verifiable transaction languages are discussed.
Abstract: It is often necessary to ensure that database transactions preserve integrity constraints that specify valid database states. While it is possible to monitor for violations of constraints at run-time, rolling back transactions when violations are detected, it is preferable to verify correctness statically, before transactions are executed. This can be accomplished if we can verify transaction safety with respect to a set of constraints by means of calculating weakest preconditions. We study properties of weakest preconditions for a number of transaction and specification languages. We show that some simple transactions do not admit weakest preconditions over first-order logic and some of its extensions such as first-order logic with counting and monadic Σ^1_1. We also show that the class of transactions that admit weakest preconditions over first-order logic cannot be captured by any transaction language. We consider a strong local form of verifiability, and show that it is different from the general form. We define robustly verifiable transactions as those that can be statically analyzed regardless of extensions to the signature of the specification language, and we show that the class of robustly verifiable transactions over first-order logic is exactly the class of transactions that admit the local form of verifiability. We discuss the implications of these results for the design of verifiable transaction languages.

01 Jan 1998
TL;DR: A perfect secret sharing scheme arising from critical sets of Room squares is presented and it is shown that collaboration between unauthorised participants cannot reduce their uncertainty about the secret.
Abstract: Secret sharing schemes are one of the most important primitives in distributed systems. In perfect secret sharing schemes, collaboration between unauthorised participants cannot reduce their uncertainty about the secret. This paper presents a perfect secret sharing scheme arising from critical sets of Room squares.
Disciplines: Physical Sciences and Mathematics
Publication Details: This article was originally published as Chaudhry, GR, Ghodosi, H and Seberry, J, Perfect Secret Sharing Schemes from Room Squares, Journal of Combinatorial Mathematics and Combinatorial Computing, 28, 1998, 55-61. This journal article is available at Research Online: http://ro.uow.edu.au/infopapers/345
Authors: Ghulam-Rasool Chaudhry, Hossein Ghodosi, Jennifer Seberry; Department of Computer Science, Centre for Computer Security Research, University of Wollongong, Wollongong, NSW 2500, AUSTRALIA; chaudhry/hossein/j.seberry@uow.edu.au. Dedicated to Anne Penfold Street on her retirement.

Book ChapterDOI
18 Oct 1998
TL;DR: This work demonstrates the first (provably) adaptively secure protocol for OT, and consequently for fully general two-party interactive computations, that provably withstand attacks that may compromise Alice or Bob, or both, at any time.
Abstract: Oblivious Transfer (OT) is a ubiquitous cryptographic tool that is of fundamental importance in secure protocol design. Despite extensive research into the design and verification of secure and efficient solutions, existing OT protocols enjoy "provable" security only against static attacks, in which an adversary must choose in advance whom it will corrupt. This model severely limits the applicability of OT, since it provides no verifiable security against attackers who choose their victims adaptively (anytime during or after the protocol) or may even corrupt both players (which is not a moot point in a larger network protocol). This issue arises even if the communication model provides absolutely secure channels. Recent attention has been given to accomplishing adaptive security for encryption, multiparty protocols (for n > 3 participants, with faulty minority), and zero-knowledge proofs. Our work fills the remaining gap by demonstrating the first (provably) adaptively secure protocol for OT, and consequently for fully general two-party interactive computations. Based on the intractability of discrete logarithms, or more generally on a minimally restricted type of one-way trapdoor permutation, our protocols provably withstand attacks that may compromise Alice or Bob, or both, at any time.

Journal ArticleDOI
TL;DR: A number of possible secret set constructions are presented, analyzed and contrasted according to criteria such as: security (strength) as well as bandwidth and processing overheads.

Book ChapterDOI
23 Aug 1998
TL;DR: Verifiable Signature Sharing enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it.
Abstract: Verifiable Signature Sharing (VΣS) enables the recipient of a digital signature, who is not necessarily the original signer, to share such signature among n proxies so that a subset of them can later reconstruct it. The original RSA and Rabin VΣS protocols were subsequently broken and the original DSS VΣS lacks a formal proof of security.

Journal ArticleDOI
TL;DR: A new robust secret sharing scheme is presented, which improves the previous ones in two aspects and presents a better relation between the information rate and the security against cheaters.

Book ChapterDOI
Wenbo Mao
17 Aug 1998
TL;DR: This work constructs a scheme that exploits a significantly lowered complexity for factoring n = pq given a non-trivial factor of φ(n), and proves its verifiability with confidence.
Abstract: It is not known to date how to partially share the factors of an integer (e.g., an RSA modulus) with verifiability. We construct such a scheme by exploiting a significantly lowered complexity for factoring n = pq using a non-trivial factor of φ(n).

Book ChapterDOI
01 Jul 1998
TL;DR: This paper presents Cumulative secret sharing schemes, which provide a method to share a secret among a number of participants with arbitrary access structures.
Abstract: Secret sharing schemes are one of the most important primitives in distributed systems. Cumulative secret sharing schemes provide a method to share a secret among a number of participants with arbitrary access structures.

01 Jan 1998
TL;DR: A practical and provably secure scheme for publicly verifiable secret sharing and its applications, and a new public-key cryptosystem as secure as factoring.
Abstract:
Securing threshold cryptosystems against chosen ciphertext attack
Auto-recoverable auto-certifiable cryptosystems
A practical and provably secure scheme for publicly verifiable secret sharing and its applications
Equivalence of counting the number of points on elliptic curve over the ring Zn and factoring n
Breaking RSA may not be equivalent to factoring
Lower bounds on generic algorithms in groups
Improved cryptanalysis of RC5
Cryptanalysis of the ANSI X9.52 CBCM mode
Differential-linear weak key classes of IDEA
Divertible protocols and atomic proxy cryptography
Optimum traitor tracing and asymmetric schemes
On finding small solutions of modular multivariate polynomial equations
Computing discrete logarithms with quadratic number rings
Improved algorithms for isomorphisms of polynomials
Visual cryptanalysis
How to improve an exponentiation black-box
Speeding up discrete log and factoring based schemes via precomputations
Fast batch verification for modular exponentiation and digital signatures
A formal treatment of remotely keyed encryption
Luby-Rackoff backwards: Increasing security by making block ciphers non-invertible
The chain & sum primitive and its applications to MACs and stream ciphers
A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption
A new public-key cryptosystem as secure as factoring
Towards a better understanding of one-wayness: Facing linear permutations
Finding collisions on a one-way street: Can secure hash functions be based on general assumptions?
Secure communication in minimal connectivity models
On the foundations of oblivious transfer
Quorum-based secure multi-party computation
Strengthened security for blind signatures
Generic constructions for secure and efficient confirmer signature schemes
Security analysis of a practical "on the fly" authentication and signature generation
Universally verifiable mix-net with verification work independent of the number of mix-servers
A practical mix
On the propagation criterion of degree l and order k
Highly nonlinear balanced Boolean functions with a good correlation-immunity
Heuristic design of cryptographically strong balanced Boolean functions
Secret sharing schemes with bipartite access structure
Combinatorial bounds for broadcast encryption
New results on multi-receiver authentication codes
Specialized integer factorization
Security of an identity-based cryptosystem and the related reductions
Easy come - Easy go divisible cash
Secure and efficient metering
Optimistic fair exchange of digital signatures

Journal ArticleDOI
TL;DR: For a cyclic group G and an access structure A, the sufficient and necessary condition under which A is G-ideal homomorphic is given by using the fine-representation of the corresponding matroid over the ring as discussed by the authors.
Abstract: For a cyclic group G and an access structure A, the sufficient and necessary condition under which A is G-ideal homomorphic is given by using the fine-representation of the corresponding matroid over the ring Z_m. Furthermore, the classification of G-ideal homomorphic graphic access structures is shown.

Journal ArticleDOI
TL;DR: This paper proposes and analyzes several methods to achieve a fair reconstruction of shared secrets and emphasizes that all involved participants should have the same chance to be able to reconstruct the shared secret.
Abstract: In this paper we consider the secret reconstruction problem in a secret sharing scheme. We emphasize that a shared secret should be reconstructed in a fair way, i.e., all involved participants should have the same chance to be able to reconstruct the shared secret. We propose and analyze several methods to achieve such a fair reconstruction of shared secrets.

Journal ArticleDOI
TL;DR: It is proved that a matroid is an associated matroid for a binary ideal secret sharing scheme if and only if it is representable over the binary field.
Abstract: A characterization of ideal secret sharing schemes with an arbitrary number of keys is derived in terms of balanced maximum-order correlation immune functions. In particular, it is proved that a matroid is an associated matroid for a binary ideal secret sharing scheme if and only if it is representable over the binary field. Access structure characterization of connected binary ideal schemes is established and a general method for their construction is pointed out.