
Showing papers on "Verifiable secret sharing published in 1999"


Journal ArticleDOI
TL;DR: This work shows how GHZ states can be used to split quantum information into two parts so that both parts are necessary to reconstruct the original qubit.
Abstract: Secret sharing is a procedure for splitting a message into several parts so that no subset of parts is sufficient to read the message, but the entire set is. We show how this procedure can be implemented using Greenberger-Horne-Zeilinger (GHZ) states. In the quantum case the presence of an eavesdropper will introduce errors so that his presence can be detected. We also show how GHZ states can be used to split quantum information into two parts so that both parts are necessary to reconstruct the original qubit.

2,789 citations


Proceedings ArticleDOI
17 Oct 1999
TL;DR: This work efficiently combines unpredictability and verifiability by extending the Goldreich-Goldwasser-Micali (1986) construction of pseudorandom functions f_s from a secret seed s to provide an NP-proof that the value f_s(x) is indeed correct without compromising the unpredictability of f_s at any other point for which no such proof was provided.
Abstract: We efficiently combine unpredictability and verifiability by extending the Goldreich-Goldwasser-Micali (1986) construction of pseudorandom functions f_s from a secret seed s, so that knowledge of s not only enables one to evaluate f_s at any point x, but also to provide an NP-proof that the value f_s(x) is indeed correct without compromising the unpredictability of f_s at any other point for which no such proof was provided.

609 citations


Journal Article
TL;DR: A new construction for PVSS schemes is presented, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions.
Abstract: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares. We present a new construction for PVSS schemes, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions. The running time is O(nk), where k is a security parameter, and n is the number of participants, hence essentially optimal. The intractability assumptions are the standard Diffie-Hellman assumption and its decisional variant. We present several applications of our PVSS scheme, among which is a new type of universally verifiable election scheme based on PVSS. The election scheme becomes quite practical and combines several advantages of related electronic voting schemes, which makes it of interest in its own right.

503 citations


Journal Article
TL;DR: In this paper, a bit commitment scheme, BC(.), and efficient statistical zero knowledge (SZK) protocols are proposed, in which, for any given multi-variable polynomial f(X_1, ..., X_t) and any given modulus n, prover P gives (I_1, ..., I_t) to verifier V and can convince V that P knows (x_1, ..., x_t) satisfying f(x_1, ..., x_t) ≡ 0 (mod n) and I_i = BC(x_i), (i = 1, ..., t).
Abstract: This paper proposes a bit commitment scheme, BC(.), and efficient statistical zero knowledge (in short, SZK) protocols in which, for any given multi-variable polynomial f(X_1, ..., X_t) and any given modulus n, prover P gives (I_1, ..., I_t) to verifier V and can convince V that P knows (x_1, ..., x_t) satisfying f(x_1, ..., x_t) ≡ 0 (mod n) and I_i = BC(x_i), (i = 1, ..., t). The proposed protocols are O(|n|) times more efficient than the corresponding previous ones [Dam93, Dam95, Oka95]. The (knowledge) soundness of our protocols holds under a computational assumption, the intractability of a modified RSA problem (see Def.3), while the (statistical) zero-knowledgeness of the protocols needs no computational assumption. The protocols can be employed to construct various practical cryptographic protocols, such as fair exchange, untraceable electronic cash and verifiable secret sharing protocols.

431 citations


01 Jan 1999
TL;DR: Using a linear code to split a secret into shares leads to the apparently new notion of minimal codewords in a linear code; it is shown that the minimal codewords in the dual code completely specify the access structure of the secret-sharing scheme, and conversely.
Abstract: The use of a linear code to "split" secrets into equal-size shares is considered. The determination of which sets of shares can be used to obtain the secret leads to the apparently new notion of minimal codewords in a linear code. It is shown that the minimal codewords in the dual code completely specify the access structure of the secret-sharing scheme, and conversely.

314 citations
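The correspondence stated in the abstract above (qualified sets of shareholders are exactly the supports of dual codewords that also cover the secret's coordinate) can be checked exhaustively on a small code. The Python below is an added example written for this page, not code from the paper: it takes the binary [7,4] Hamming code as a constructed choice of generator matrix, reserves coordinate 0 for the secret in the manner of Massey's scheme (the secret is c_0, participants 1..6 each hold one coordinate of the codeword), derives the minimal qualified sets from the minimal codewords of the dual code, reconstructs from any qualified set by evaluating the orthogonality relation, and confirms the predicted access structure against a brute-force check over every subset of participants. All function names are hypothetical.

```python
import secrets
from itertools import combinations, product

# Constructed example, not from the paper: generator matrix of the binary [7,4] Hamming code.
# Coordinate 0 carries the secret; coordinates 1..6 are the shares of six participants.
GEN = [
    [1, 0, 0, 0, 1, 1, 0],
    [0, 1, 0, 0, 1, 0, 1],
    [0, 0, 1, 0, 0, 1, 1],
    [0, 0, 0, 1, 1, 1, 1],
]

def encode(u, gen):
    """Codeword c = uG over GF(2)."""
    return tuple(sum(ui * row[j] for ui, row in zip(u, gen)) % 2 for j in range(len(gen[0])))

def dual_code(gen):
    """C^perp: every length-n vector orthogonal to all rows of G (brute force; fine for n = 7)."""
    n = len(gen[0])
    return {v for v in product((0, 1), repeat=n)
            if all(sum(a * b for a, b in zip(v, row)) % 2 == 0 for row in gen)}

def support(v):
    return frozenset(i for i, x in enumerate(v) if x)

def minimal_codewords(code):
    """Supports of nonzero codewords that do not properly contain another nonzero support."""
    sups = [support(v) for v in code if any(v)]
    return [s for s in sups if not any(t < s for t in sups)]

def minimal_access_sets(gen):
    """Minimal qualified sets = supports (minus coordinate 0) of minimal dual codewords with z_0 = 1."""
    return {s - {0} for s in minimal_codewords(dual_code(gen)) if 0 in s}

def share(secret, gen):
    """Dealer: random message u with (uG)_0 = secret; participant i receives coordinate i."""
    while True:
        c = encode([secrets.randbits(1) for _ in gen], gen)
        if c[0] == secret:
            return {i: c[i] for i in range(1, len(c))}

def reconstruct(shares, gen):
    """A dual codeword z with z_0 = 1 supported on {0} u A satisfies z.c = 0, so s = sum z_i c_i."""
    for z in dual_code(gen):
        if z[0] == 1 and support(z) - {0} <= set(shares):
            return sum(z[i] * shares[i] for i in shares) % 2
    return None  # the given participants are not a qualified set

def is_qualified(participants, gen):
    """Ground truth by exhaustion: do these coordinates determine c_0 for every message u?"""
    seen = {}
    for u in product((0, 1), repeat=len(gen)):
        c = encode(u, gen)
        if seen.setdefault(tuple(c[i] for i in participants), c[0]) != c[0]:
            return False
    return True

def access_structure_matches(gen):
    """Compare the dual-code prediction with brute force on every subset of participants."""
    n, mins = len(gen[0]), minimal_access_sets(gen)
    return all(any(m <= set(a) for m in mins) == is_qualified(a, gen)
               for r in range(n) for a in combinations(range(1, n), r))
```

For this code the dual is the [7,3] simplex code, whose nonzero codewords all have weight 4, so the minimal qualified sets are the four 3-subsets {1,3,4}, {2,3,5}, {2,4,6} and {1,5,6}: a non-threshold access structure read off directly from the dual code, which is the point of the paper's characterisation.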


Proceedings Article
01 Feb 1999
TL;DR: A method of probabilistic encryption is developed in which the ratio of ciphertext size to plaintext size and the proportion of random bits to plaintext can both be made arbitrarily close to one.
Abstract: This paper describes a method of dense probabilistic encryption. Previous probabilistic encryption methods require large numbers of random bits and produce large amounts of ciphertext for the encryption of each bit of plaintext. This paper develops a method of probabilistic encryption in which the ratio of ciphertext size to plaintext size and the proportion of random bits to plaintext can both be made arbitrarily close to one. The methods described here have applications which are not in any apparent way possible with previous methods. These applications include simple and efficient protocols for noninteractive verifiable secret sharing and a method for conducting practical and verifiable secret-ballot elections.

292 citations


Book ChapterDOI
15 Aug 1999
TL;DR: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares as discussed by the authors.
Abstract: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the property that the validity of the shares distributed by the dealer can be verified by any party; hence verification is not limited to the respective participants receiving the shares. We present a new construction for PVSS schemes, which compared to previous solutions by Stadler and later by Fujisaki and Okamoto, achieves improvements both in efficiency and in the type of intractability assumptions. The running time is O(nk), where k is a security parameter, and n is the number of participants, hence essentially optimal. The intractability assumptions are the standard Diffie-Hellman assumption and its decisional variant. We present several applications of our PVSS scheme, among which is a new type of universally verifiable election scheme based on PVSS. The election scheme becomes quite practical and combines several advantages of related electronic voting schemes, which makes it of interest in its own right.

275 citations
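The PVSS construction summarised in this entry and in the identical journal entry above rests on three pieces that are worth seeing together: the dealer commits to the coefficients of the sharing polynomial under one generator g, encrypts each share p(i) under the recipient's public key as y_i^p(i), and publishes a proof of equality of discrete logarithms tying the two, so that any observer, not only a shareholder, can check every share against the public commitments. At reconstruction each participant decrypts to G^p(i) and proves that too, and the qualified set interpolates in the exponent, ending with G^s rather than s. The Python below is an added example written for this page, not code from the paper. It deviates from the paper in two labelled ways: the group is a freshly generated 128-bit safe prime (toy size, a deployment uses a standardised group of 2048 bits or more) and each share carries its own Chaum-Pedersen proof rather than the paper's single batched challenge. The names distribute, verify_distribution, decrypt_share, reconstruct and demo are hypothetical.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin after trial division by a few small primes."""
    if n < 2 or any(n % sp == 0 for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31) if n != sp):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits):
    """Random p = 2q + 1 with p and q prime; every quadratic residue mod p then has order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q

def H(*items):
    """Fiat-Shamir challenge in Z_q over the transcript items."""
    return int.from_bytes(hashlib.sha256("|".join(map(str, items)).encode()).digest(), "big") % Q

# Toy group: 128 bits keeps the demo fast; a deployment uses 2048 bits or more.
P, Q = safe_prime(128)
g = 4                                      # 2^2 is a quadratic residue, hence of order q
G = pow(H("second generator") + 2, 2, P)   # independent generator, log_g(G) unknown

def dleq_prove(g1, h1, g2, h2, alpha):
    """Chaum-Pedersen proof that log_g1(h1) == log_g2(h2) == alpha."""
    w = secrets.randbelow(Q)
    a1, a2 = pow(g1, w, P), pow(g2, w, P)
    c = H(g1, h1, g2, h2, a1, a2)
    return c, (w - alpha * c) % Q

def dleq_verify(g1, h1, g2, h2, proof):
    c, r = proof
    a1 = pow(g1, r, P) * pow(h1, c, P) % P
    a2 = pow(g2, r, P) * pow(h2, c, P) % P
    return c == H(g1, h1, g2, h2, a1, a2)

def distribute(secret, pubkeys, t):
    """Dealer: commit to p(x) under g, encrypt p(i) as y_i^p(i), prove the two agree."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    commits = [pow(g, a, P) for a in coeffs]
    shares = []
    for i, y in enumerate(pubkeys, start=1):
        p_i = sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
        X_i, Y_i = pow(g, p_i, P), pow(y, p_i, P)
        shares.append((Y_i, dleq_prove(g, X_i, y, Y_i, p_i)))
    return commits, shares

def verify_distribution(commits, shares, pubkeys):
    """Anyone, not just a shareholder: X_i = prod_j C_j^(i^j), then check each proof."""
    for i, (y, (Y_i, proof)) in enumerate(zip(pubkeys, shares), start=1):
        X_i = 1
        for j, C in enumerate(commits):
            X_i = X_i * pow(C, pow(i, j, Q), P) % P
        if not dleq_verify(g, X_i, y, Y_i, proof):
            return False
    return True

def decrypt_share(x, Y_i):
    """Participant: S_i = Y_i^(1/x) = G^p(i), with a proof that log_G(y_i) == log_S_i(Y_i)."""
    S_i = pow(Y_i, pow(x, -1, Q), P)
    return S_i, dleq_prove(G, pow(G, x, P), S_i, Y_i, x)

def reconstruct(points):
    """Lagrange interpolation in the exponent: t pairs (i, S_i) yield G^s, not s itself."""
    out = 1
    for i, S_i in points:
        lam = 1
        for j, _ in points:
            if j != i:
                lam = lam * j * pow((j - i) % Q, -1, Q) % Q
        out = out * pow(S_i, lam, P) % P
    return out

def demo(secret=12345, n=5, t=3, who=(2, 4, 5)):
    keys = [(x, pow(G, x, P)) for x in (secrets.randbelow(Q - 1) + 1 for _ in range(n))]
    pubkeys = [y for _, y in keys]
    commits, shares = distribute(secret, pubkeys, t)
    if not verify_distribution(commits, shares, pubkeys):
        return False
    points = []
    for i in who:                          # only proven-correct decryptions are used
        x, y = keys[i - 1]
        S_i, proof = decrypt_share(x, shares[i - 1][0])
        if dleq_verify(G, y, S_i, shares[i - 1][0], proof):
            points.append((i, S_i))
    return reconstruct(points) == pow(G, secret, P)
```

Two things to notice when running it: a tampered commitment makes every X_i inconsistent with its Y_i, so public verification rejects the whole distribution before any participant has to act; and fewer than t proven shares interpolate to a different group element, which is why the election application in the abstract can tolerate dishonest shareholders as long as t honest ones remain.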


Journal Article
TL;DR: A (k, n) visual secret sharing scheme is proposed that encodes a black-and-white image into shares of the same size as the secret image, where the reconstructed image of the proposed scheme is as visible as that of the conventional scheme.
Abstract: In the visual secret sharing scheme proposed by Naor and Shamir [3], a secret image is encoded into shares whose size is larger than that of the secret image, and the shares are decoded by stacking them without performing any cryptographic computation. In this paper we propose a (k, n) visual secret sharing scheme to encode a black-and-white image into shares of the same size as the secret image, where the reconstructed image of the proposed scheme is as visible as that of the conventional scheme. Key words: secret sharing, visual secret sharing, visual cryptography

266 citations


Book ChapterDOI
02 May 1999
TL;DR: This paper observes that a subprotocol of Rabin and Ben-Or's, known as weak secret sharing (WSS), is not secure against an adaptive adversary, and proposes new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones.
Abstract: We consider verifiable secret sharing (VSS) and multiparty computation (MPC) in the secure-channels model, where a broadcast channel is given and a non-zero error probability is allowed. In this model Rabin and Ben-Or proposed VSS and MPC protocols secure against an adversary that can corrupt any minority of the players. In this paper, we first observe that a subprotocol of theirs, known as weak secret sharing (WSS), is not secure against an adaptive adversary, contrary to what was believed earlier. We then propose new and adaptively secure protocols for WSS, VSS and MPC that are substantially more efficient than the original ones. Our protocols generalize easily to provide security against general Q2-adversaries.

255 citations


Book ChapterDOI
01 Mar 1999
TL;DR: A scheme for quorum controlled asymmetric proxy re-encryption, based on El-Gamal encryption, is presented, proving that the scheme leaks no information as long as there is no dishonest quorum of proxy servers.
Abstract: We present a scheme for quorum controlled asymmetric proxy re-encryption, with uses ranging from efficient key distribution for pay-tv to email applications. We prove that the scheme, which is based on El-Gamal encryption, leaks no information as long as there is no dishonest quorum of proxy servers. Of potential independent interest is a method providing publicly verifiable translation certificates, proving that the input and output encryptions correspond to the same plaintext message, without leaking any information about the plaintext to either the verifier or a subset of the servers of the prover. The size of the certificate is small, and independent of the number of prover servers.

137 citations


Book ChapterDOI
09 Aug 1999
TL;DR: This paper proposes a new unconditionally secure VSS, then builds a new proactive secret sharing scheme based on that VSS and introduces some combinatorial structure into the proactive scheme to make the scheme more efficient.
Abstract: Verifiable secret sharing schemes (VSS) are secret sharing schemes dealing with possible cheating by the participants. In this paper, we propose a new unconditionally secure VSS. Then we construct a new proactive secret sharing scheme based on that VSS. In a proactive scheme, the shares are periodically renewed so that an adversary cannot get any information about the secret unless he is able to access a specified number of shares in a short time period. Furthermore, we introduce some combinatorial structure into the proactive scheme to make the scheme more efficient. The combinatorial method might also be used to improve some of the previously constructed proactive schemes.

Book ChapterDOI
Ronald Cramer
TL;DR: An elementary introduction to fundamental concepts, techniques and results of Secure Computation is given and such concepts as oblivious transfer, security against malicious attacks and verifiable secret sharing are introduced.
Abstract: The objective of this paper is to give an elementary introduction to fundamental concepts, techniques and results of Secure Computation. Topics covered include classical results for general secure computation by Yao, Goldreich & Micali & Wigderson, Kilian, Ben-Or & Goldwasser & Wigderson, and Chaum & Crépeau & Damgaard. We also introduce such concepts as oblivious transfer, security against malicious attacks and verifiable secret sharing, and for some of these important primitives we discuss realization. This paper is organized as follows. Part I deals with oblivious transfer and secure (general) two-party computation. Part II discusses secure general multi-party computation and verifiable secret sharing. Part III addresses information theoretic security and presents detailed but elementary explanations of some recent results in Verifiable Secret Sharing and Multi-Party Computation. The importance of theory and general techniques often lies in the fact that the true nature of security is uncovered and that this henceforth enables one to explore what is "possible at all". This then motivates the search for concrete and often specialized realizations that are more efficient. Nevertheless, many principles developed as part of the general theory are fundamental to the design of practical solutions as well.

Patent
11 Jun 1999
TL;DR: In this paper, the authors propose a method for providing publicly verifiable translation certificates comprising the steps of receiving an input encryption having a first secret key, outputting an output re-encryption of the input encryption, the output re-encryption having a second secret key, and generating a translation certificate that proves the input and output are encryptions of an identical message.
Abstract: A method for providing publicly verifiable translation certificates comprising the steps of receiving an input encryption having a first secret key; outputting an output re-encryption of the input encryption, the output re-encryption having a second secret key; and generating a translation certificate that proves the input encryption and the output re-encryption are encryptions of an identical message, wherein the first secret key and the second secret key do not need to be, but are allowed to be, equal. This method and system for generating translation certificates in quorum controlled asymmetric proxy encryptions has uses, including but not limited to, Internet applications and specifically to E-mail systems. The scheme, which can use either an ElGamal encryption, an ElGamal encryption based on Elliptic Curves or an ElGamal related encryption algorithm, leaks no information as long as there is no dishonest quorum of proxy servers and produces a small, publicly verifiable translation certificate, that is independent of the number of prover servers involved in the re-encryption.

Journal ArticleDOI
TL;DR: A complete characterization of the access structures of weighted threshold schemes when all the minimal authorized subsets have at most two elements is presented and lower bounds for the optimal information rate of these access structures are given.

Book ChapterDOI
09 Nov 1999
TL;DR: New publicly verifiable secret sharing schemes in which everyone, not only the shareholders, can verify that the secret shares are correctly distributed are presented and used to share discrete logarithms and integer factorizations.
Abstract: A publicly verifiable secret sharing scheme is a secret sharing scheme in which everyone, not only the shareholders, can verify that the secret shares are correctly distributed. We present new such schemes and use them to share discrete logarithms and integer factorizations. The shareholders will be able to recover their shares quickly (fast recovery) or after a predetermined amount of computation (delayed recovery) to prevent the recovery of all the secrets by untrustworthy shareholders (e.g. if these schemes are used for escrowing secret keys). The main contribution of this paper is that all the schemes we present need much less computation and fewer communicated bits than previous ones [BGo, FOk, Mao, Sta, YYu]. By the way, we introduce in this paper several tools which are of independent interest: a proof of equality of two discrete logarithms modulo two different numbers, an efficient proof of equality of a discrete logarithm and a third root, and an efficient proof of knowledge of the factorization of any composite number n, where it is not necessary to prove previously that n is the product of two prime factors.

Journal ArticleDOI
TL;DR: A number of different scenarios and applications within which a redistribution of shares in a secret sharing scheme might be required are described, some techniques for conducting a redistribution are given, and the optimisation of the efficiency of such a process is discussed.
Abstract: We consider the problem of redistributing shares in a secret sharing scheme in such a way that shareholders of a scheme with one access structure can transfer information to a new set of shareholders, resulting in a sharing of the old secret among a new access structure. We describe a number of different scenarios and applications within which such a redistribution might be required, give some techniques for conducting a redistribution, and discuss the optimisation of the efficiency of such a process.

Book ChapterDOI
30 Aug 1999
TL;DR: Two methods are presented to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack, and those methods make it possible to construct robust and secure schemes for any access structure.
Abstract: In a secret sharing scheme, some participants can lie about the value of their shares when reconstructing the secret in order to obtain some illicit benefits. We present in this paper two methods to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack. The schemes obtained by the first method are robust, that is, cheaters are detected with high probability even if they know the value of the secret. The second method provides secure schemes, in which cheaters that do not know the secret are detected with high probability. When applied to ideal linear secret sharing schemes, our methods provide robust and secure schemes whose relation between the probability of cheating and the information rate is almost optimal. Besides, those methods make it possible to construct robust and secure schemes for any access structure.

Journal ArticleDOI
01 Sep 1999
TL;DR: The proposed scheme provides efficient solutions against cheating by either the dealer or a participant, and outperforms the (t, n) VMSS schemes against cheating by participants devised by Ham and Chen et al.
Abstract: A new (t, n) threshold verifiable multisecret sharing ((t, n) VMSS) scheme, based on the intractability of the factorisation and the discrete logarithm modulo a large composite problems, is proposed, in which the dealer can freely give any set of multiple secrets for sharing, and the shadow held by the participant is not only reusable but also verifiable. The proposed scheme provides efficient solutions against cheating by either the dealer or a participant, and outperforms the (t, n) VMSS schemes against cheating by participants devised by Ham and Chen et al.

Posted Content
TL;DR: The security and efficiency of the verifiable encryption scheme of Asokan et al., is generalised and improved, such that it can rely on more general assumptions, and can be proven secure without relying on random oracles.
Abstract: We generalise and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without relying on random oracles. We show a new application of verifiable encryption to group signatures with separability; these schemes do not need special purpose keys but can work with a wide range of signature and encryption schemes already in use. Finally, we extend our basic primitive to verifiable threshold and group encryption. By encrypting digital signatures this way, one gets new solutions to the verifiable signature sharing problem.

Book ChapterDOI
09 Dec 1999
TL;DR: A domain-verifiable signcryption scheme, applied to the Electronic Funds Transfer protocol, in which only the predetermined n participants within the domain of protocol participants can decrypt their own part of the message and verify the whole transaction.
Abstract: In this paper, we propose a domain-verifiable signcryption scheme, which is applied to the Electronic Funds Transfer (EFT) protocol, in which only the predetermined n participants within the domain of protocol participants can decrypt their own part of the message and verify the whole transaction. The computational cost of our scheme is as low as that of Zheng's scheme assuming that a Trusted Third Party (TTP) must be used to keep partial information for participants confidential and to allow multi-verification. Our scheme does not require the role of a TTP.

01 Jan 1999
TL;DR: This document specifies several VRF constructions that are secure in the cryptographic random oracle model, one VRF that uses RSA and another that uses Elliptic Curves.
Abstract: A Verifiable Random Function (VRF) is the public-key version of a keyed cryptographic hash. Only the holder of the private key can compute the hash, but anyone with the public key can verify the correctness of the hash. VRFs are useful for preventing enumeration of hash-based data structures. This document specifies several VRF constructions that are secure in the cryptographic random oracle model. One VRF uses RSA and the other VRF uses Elliptic Curves (EC).
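The VRF interface described in this entry, and the earlier Micali-Rabin-Vadhan entry that builds one from the GGM pseudorandom function with an NP-proof of correctness, come down to the same three operations: prove with the secret key, verify with the public key, and obtain exactly one unpredictable output per input. The Python below is an added example, not the text of any specification on this page and not a byte-exact implementation of the draft's RSA-FDH-VRF encoding: it follows the RSA full-domain-hash pattern the document names (the proof is the RSA signature of a full-domain hash of the input, the output is a hash of the proof). The 60-bit modulus built from two well-known primes is a toy (a real key is 2048 bits or more), MGF1 with SHA-256 serves as the full-domain hash, the domain-separation strings are assumptions, and vrf_prove, vrf_verify and proof_to_hash are hypothetical names.

```python
import hashlib

# Toy RSA key from two well-known primes, constructed for the demo only (real keys: 2048+ bits).
_P, _Q = 1_000_000_007, 998_244_353
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))
K = (N.bit_length() + 7) // 8          # byte length of the modulus

def mgf1(seed, length):
    """MGF1 (RFC 8017) with SHA-256: a deterministic mask of the requested length."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def fdh(alpha):
    """Full-domain hash of the input onto [0, N): k-1 bytes of mask are always below N."""
    return int.from_bytes(mgf1(b"RSA-FDH-VRF-demo|" + alpha, K - 1), "big")

def vrf_prove(alpha):
    """Secret-key holder: the proof pi is the RSA signature of the hashed input."""
    return pow(fdh(alpha), D, N).to_bytes(K, "big")

def proof_to_hash(pi):
    """The VRF output beta is derived from the proof, so each input has exactly one output."""
    return hashlib.sha256(b"beta|" + pi).digest()

def vrf_verify(alpha, pi):
    """Anyone with (N, E): check pi^E == H(alpha); return beta on success, None otherwise."""
    if len(pi) != K:
        return None
    s = int.from_bytes(pi, "big")
    if s >= N or pow(s, E, N) != fdh(alpha):
        return None
    return proof_to_hash(pi)
```

The enumeration-prevention use mentioned in the abstract follows from the last function: a party holding only (N, E) can confirm beta for any name it is shown a proof for, but cannot compute beta for a name it merely guesses, because that requires D. Uniqueness holds because RSA signing is deterministic and verification rejects any second preimage of H(alpha).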

Journal ArticleDOI
TL;DR: Two new secret sharing schemes in which cheaters are detected with high probability are presented and it is proved that the information rate of this scheme is almost optimal among all schemes with the same security requirements.
Abstract: A perfect secret sharing scheme is a method of distributing shares of a secret among a set P of participants in such a way that only qualified subsets of P can reconstruct the secret from their shares and non-qualified subsets have absolutely no information on the value of the secret. In a secret sharing scheme, some participants could lie about the value of their shares in order to obtain some illicit benefit. Therefore, the security against cheating is an important issue in the implementation of secret sharing schemes. Two new secret sharing schemes in which cheaters are detected with high probability are presented in this paper. The first one has information rate equal to 1/2 and can be implemented not only in threshold structures, but in a more general family of access structures. We prove that the information rate of this scheme is almost optimal among all schemes with the same security requirements. The second scheme we propose is a threshold scheme in which cheaters are detected with high probability even if they know the secret. The information rate is in this case 1/3. In both schemes, the probability of cheating successfully is a fixed value that is determined by the size of the secret.

Journal ArticleDOI
TL;DR: A new concept of designing cheater identification methods for secret sharing is proposed in this paper which is convenient for a system which already contains a digital signature algorithm and needs to detect or identify cheaters.

Book ChapterDOI
02 May 1999
TL;DR: A necessary and sufficient condition on the number of cards is obtained for the existence of a protocol to achieve one-bit secret key sharing and immediately yields an efficient linear-time algorithm to determine whether there exists such a protocol.
Abstract: Using a random deal of cards to players and a computationally unlimited eavesdropper, all players wish to share a one-bit secret key which is information-theoretically secure from the eavesdropper. This can be done by a protocol to make several pairs of players share one-bit secret keys so that all these pairs form a spanning tree over players. In this paper we obtain a necessary and sufficient condition on the number of cards for the existence of such a protocol. Our condition immediately yields an efficient linear-time algorithm to determine whether there exists a protocol to achieve such a secret key sharing.

Journal ArticleDOI
TL;DR: A method to realize a general secret sharing scheme is given in this research note; it is not necessary for the group participants to store several shares, only an interpolating polynomial, and the method suits the common situation in which several secrets are shared in a system.

Journal Article
TL;DR: This paper proposes a construction of perfect secret sharing schemes with uniform, generalized access structures of rank 3 in such a way that only qualified subset of participants can recover the secret, and unqualified subsets of participants obtain no information regarding the secret.
Abstract: pants in such a way that only qualified subsets of participants can recover the secret, and unqualified subsets of participants obtain no information regarding the secret. In this paper, we propose a construction of perfect secret sharing schemes with uniform, generalized access structures of rank 3. Compared with other constructions, our construction has some improved lower bounds on the information rate. In addition, we also generalize the construction to perfect secret sharing schemes with uniform, generalized access structures of constant rank.

Book ChapterDOI
09 Nov 1999
TL;DR: The proposed construction is applicable for ElGamal signature scheme and its variations, and works for the RSA signature scheme, and is O(l) times more efficient than previously known methods.
Abstract: Demonstrating in zero-knowledge the possession of digital signatures has many cryptographic applications such as anonymous authentication, identity escrow, publicly verifiable secret sharing and group signature. This paper presents a general construction of zero-knowledge proof of possession of digital signatures. An implementation is shown for discrete logarithm settings. It includes protocols of proving exponentiation and modulo operators, which are the most interesting operators in digital signatures. The proposed construction is applicable for ElGamal signature scheme and its variations. The construction also works for the RSA signature scheme. In discrete logarithm settings, our technique is O(l) times more efficient than previously known methods.

Journal ArticleDOI
TL;DR: A new on-line multiple secret sharing scheme based on a one-way function which has the advantages of lower computation overhead and parallel reconstruction in the secret recovery phase.

01 Jan 1999
TL;DR: In this paper, a general model for threshold changeable secret sharing is developed and two constructions are given: the first, generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach, and the second construction is geometrical in nature and is optimal in terms of the size of shares.
Abstract: The ways the threshold parameter can be modified after the setup of a secret sharing scheme is the main theme of this work. The considerations are limited to the case when there are no secure channels. First we motivate the problem and discuss methods of threshold change when the dealer is still active and can use broadcasting to implement the change required. Next we study the case when participants themselves initiate the change of threshold without the dealer's help. A general model for threshold changeable secret sharing is developed and two constructions are given. The first generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach. The second construction is geometrical in nature and is optimal in terms of the size of shares. The work is concluded by showing that any threshold scheme can be given some degree of threshold change capability.

Book ChapterDOI
07 Jul 1999
TL;DR: In this article, a verifiable symbolic definite integral table lookup is presented, which matches a query, comprising a definite integral with parameters and side conditions, against an entry in verifiable table and uses a call to a library of facts about the reals in the theorem prover PVS to aid in the transformation of the table entry into an answer.
Abstract: We present a verifiable symbolic definite integral table lookup: a system which matches a query, comprising a definite integral with parameters and side conditions, against an entry in a verifiable table and uses a call to a library of facts about the reals in the theorem prover PVS to aid in the transformation of the table entry into an answer. Our system is able to obtain correct answers in cases where standard techniques implemented in computer algebra systems fail. We present the full model of such a system as well as a description of our prototype implementation showing the efficacy of such a system: for example, the prototype is able to obtain correct answers in cases where computer algebra systems [CAS] do not. We extend upon Fateman's web-based table by including parametric limits of integration and queries with side conditions.