
Showing papers on "Verifiable secret sharing published in 2000"


Book ChapterDOI
14 May 2000
TL;DR: It is shown that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all.
Abstract: We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g, to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have super-polynomial complexity.

561 citations


Book ChapterDOI
Fabrice Boudot1
14 May 2000
TL;DR: This paper presents a new proof, which is both efficient and exact, for proving that a committed number lies in a specific interval.
Abstract: Alice wants to prove that she is young enough to borrow money from her bank, without revealing her age. She therefore needs a tool for proving that a committed number lies in a specific interval. Up to now, such tools were either inefficient (too many bits to compute and to transmit) or inexact (i.e. proved membership to a much larger interval). This paper presents a new proof, which is both efficient and exact. Here, "efficient" means that there are less than 20 exponentiations to perform and less than 2 Kbytes to transmit. The potential areas of application of this proof are numerous (electronic cash, group signatures, publicly verifiable secret encryption, etc ...).

560 citations


Journal ArticleDOI
Daniel Gottesman1
TL;DR: It is shown that any mixed-state quantum secret sharing scheme can be derived by discarding a share from a pure-state scheme, and that the size of each share in a quantum secret sharing scheme must be at least as large as the size of the secret.
Abstract: I present a variety of results on the theory of quantum secret sharing. I show that any mixed state quantum secret sharing scheme can be derived by discarding a share from a pure state scheme, and that the size of each share in a quantum secret sharing scheme must be at least as large as the size of the secret. I show that the only constraints on the existence of quantum secret sharing schemes with general access structures are monotonicity (if a set is authorized, so are larger sets) and the no-cloning theorem. I also discuss some aspects of sharing classical secrets using quantum states. In this situation, the size of each share can sometimes be half the size of the classical secret.

547 citations


Book ChapterDOI
20 Feb 2000
TL;DR: A distributed version of the Paillier cryptosystem presented at Eurocrypt '99 is proposed, which can be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.
Abstract: Several public key cryptosystems with additional homomorphic properties have been proposed so far. They allow to perform computation with encrypted data without the knowledge of any secret information. In many applications, the ability to perform decryption, i.e. the knowledge of the secret key, gives a huge power. A classical way to reduce the trust in such a secret owner, and consequently to increase the security, is to share the secret between many entities in such a way that cooperation between them is necessary to decrypt. In this paper, we propose a distributed version of the Paillier cryptosystem presented at Eurocrypt '99. This shared scheme can for example be used in an electronic voting scheme or in a lottery where a random number related to the winning ticket has to be jointly chosen by all participants.

340 citations
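
As an added example (not code from the paper above), the single-key Paillier cryptosystem and the additive homomorphism the abstract relies on, applied to tallying encrypted yes/no votes without decrypting any individual ballot. The threshold (distributed) decryption that is the paper's contribution is not implemented here: one party holds the whole private key. The primes are constructed test values, far too small for real use.

```python
"""Added example: single-key Paillier encryption and its additive homomorphism,
used to tally encrypted 0/1 votes. The paper's threshold (distributed)
decryption is not implemented; one party holds the whole private key here."""
import math
import secrets

# Constructed test primes (the Mersenne primes 2^61-1 and 2^31-1). Far too small
# for real use; they only keep the arithmetic fast and the example self-contained.
P = (1 << 61) - 1
Q = (1 << 31) - 1


def _L(u, n):
    """The Paillier L function, defined for u = 1 (mod n)."""
    return (u - 1) // n


def keygen(p=P, q=Q):
    """Return public key (n, g) and private key (lambda, mu), using g = n + 1."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("n must be coprime to phi(n)")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1
    mu = pow(_L(pow(g, lam, n * n), n), -1, n)          # inverse of lambda mod n
    return (n, g), (lam, mu)


def encrypt(pk, m, r=None):
    """c = g^m * r^n mod n^2 with r uniformly random in Z_n^* (r may be fixed for tests)."""
    n, g = pk
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("plaintext out of range")
    if r is None:
        r = secrets.randbelow(n - 1) + 1
        while math.gcd(r, n) != 1:                       # negligible probability
            r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n2) * pow(r, n, n2) % n2


def decrypt(pk, sk, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n, _ = pk
    lam, mu = sk
    return _L(pow(c, lam, n * n), n) * mu % n


def add_encrypted(pk, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 = Enc(m1 + m2): the homomorphism a vote tally uses."""
    n, _ = pk
    return c1 * c2 % (n * n)


def tally(pk, ciphertexts):
    """Fold encrypted votes into one ciphertext of their sum; nothing is decrypted here.
    Starting from a fresh encryption of zero also re-randomises the result."""
    acc = encrypt(pk, 0)
    for c in ciphertexts:
        acc = add_encrypted(pk, acc, c)
    return acc
```

In the voting setting the abstract describes, only `tally` runs on the public ballots; `decrypt` is the step that the paper splits among several key holders so that no single party can open an individual vote.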


Book ChapterDOI
Markus Jakobsson, Ari Juels1
03 Dec 2000
TL;DR: A practical, mix-and-match-based auction protocol that is fully private and non-interactive and may be readily adapted to a wide range of auction strategies, including sealed-bid auctions.
Abstract: We introduce a novel approach to general secure multiparty computation that avoids the intensive use of verifiable secret sharing characterizing nearly all previous protocols in the literature. Instead, our scheme involves manipulation of ciphertexts for which the underlying private key is shared by participants in the computation. The benefits of this protocol include a high degree of conceptual and structural simplicity, low message complexity, and substantial flexibility with respect to input and output value formats. We refer to this new approach as mix and match. While the atomic operations in mix and match are logical operations, rather than full field operations as in previous approaches, the techniques we introduce are nonetheless highly practical for computations involving intensive bitwise manipulation. One application for which mix and match is particularly well suited is that of sealed-bid auctions. Thus, as another contribution in this paper, we present a practical, mix-and-match-based auction protocol that is fully private and non-interactive and may be readily adapted to a wide range of auction strategies.

315 citations


Book ChapterDOI
03 Dec 2000
TL;DR: The basic protocol of Asokan et al. is extended to a new primitive called verifiable group encryption, which can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification and encryption schemes already in use.
Abstract: We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independently of each other, even without having these applications in mind.

195 citations


Journal ArticleDOI
TL;DR: A new construction for the colored VSS scheme is proposed that can be easily implemented on the basis of a black & white VSS scheme and achieves a much better block length than the Verheul-Van Tilborg scheme.
Abstract: Visual secret sharing (VSS) schemes are used to protect the visual secret by sending n transparencies to different participants so that k-1 or fewer of them have no information about the original image, but the image can be seen by stacking k or more transparencies. However, the revealed secret image of a conventional VSS scheme is just black and white. The colored k out of n VSS scheme sharing a colored image is first introduced by Verheul and Van Tilborg [1]. In this paper, a new construction for the colored VSS scheme is proposed. This scheme can be easily implemented on basis of a black & white VSS scheme and get much better block length than the Verheul-Van Tilborg scheme.

147 citations


Patent
07 Jan 2000
TL;DR: In this patent, a secret is computationally divided into N shares using a threshold scheme such that any M of the shares (M less than or equal to N) can be used to reconstruct it; the shares are spread over several messages so that a client receiving at least M of them can recover the secret over an unreliable network.
Abstract: Threshold cryptography (secret sharing) is used for exchanging a secret between a server and a client over an unreliable network. Specifically, a secret is computationally divided into N shares using a threshold encryption scheme such that any M of the shares (M less than or equal to N) can be used to reconstruct the secret. The N shares are spread over a number of transmitted messages, with the assumption that some number of the messages including a total of at least M shares will be received by the client. Upon receiving at least M shares, the client uses the at least M shares to reconstruct the secret using the threshold encryption scheme.

147 citations


Journal ArticleDOI
TL;DR: Both upper and lower bounds on the optimal information rate of bipartite access structures are given and these results are applied to the particular case of weighted threshold access structure with two weights.
Abstract: We study the information rate of secret sharing schemes whose access structure is bipartite. In a bipartite access structure there are two classes of participants and all participants in the same class play an equivalent role in the structure. We characterize completely the bipartite access structures that can be realized by an ideal secret sharing scheme. Both upper and lower bounds on the optimal information rate of bipartite access structures are given. These results are applied to the particular case of weighted threshold access structure with two weights.

119 citations


Book ChapterDOI
Christian Cachin1, Jan Camenisch1
20 Aug 2000
TL;DR: In this paper, the authors present an efficient and fair protocol for secure two-party computation in the optimistic model, where a partially trusted third party T is available, but not involved in normal protocol executions.
Abstract: We present an efficient and fair protocol for secure two-party computation in the optimistic model, where a partially trusted third party T is available, but not involved in normal protocol executions. T is needed only if communication is disrupted or if one of the two parties misbehaves. The protocol guarantees that although one party may terminate the protocol at any time, the computation remains fair for the other party. Communication is over an asynchronous network. All our protocols are based on efficient proofs of knowledge and involve no general zero-knowledge tools. As intermediate steps we describe efficient verifiable oblivious transfer and verifiable secure function evaluation protocols, whose security is proved under the decisional Diffie-Hellman assumption.

112 citations


Patent
Warwick S. Ford1
29 Jun 2000
TL;DR: In this patent, methods are proposed for regenerating a strong secret for a user from a weak secret such as a password, assisted by communication exchanges with a set of independent servers, each of which holds a distinct secret value (server secret data).
Abstract: Methods for regenerating a strong secret for a user, based on input of a weak secret, such as a password, are assisted by communications exchanges with a set of independent servers. Each server holds a distinct secret value (i.e., server secret data). The strong secret is a function of the user's weak secret and of the server secret data, and a would-be attacker cannot feasibly compute the strong secret without access to both the user's weak secret and the server secret data. Any attacker has only a limited opportunity to guess the weak secret, even if he has access to all messages transmitted in the generation and regeneration processes plus a subset (but not all) of the server secret data.

Posted Content
TL;DR: This work shows that quantum secret-sharing is possible for any structure for which no two disjoint sets can reconstruct the secret, and shows that a large class of linear classical SS schemes can be converted into quantum schemes of the same efficiency.
Abstract: We explore the conversion of classical secret-sharing schemes to quantum ones, and how this can be used to give efficient QSS schemes for general adversary structures. Our first result is that quantum secret-sharing is possible for any structure for which no two disjoint sets can reconstruct the secret (this was also proved, somewhat differently, by D. Gottesman). To obtain this we show that a large class of linear classical SS schemes can be converted into quantum schemes of the same efficiency. We also give a necessary and sufficient condition for the direct conversion of classical schemes into quantum ones, and show that all group homomorphic schemes satisfy it.

Proceedings ArticleDOI
01 May 2000
TL;DR: It is shown that even if protocols are given black-box access for free to an idealized secret sharing scheme secure for the access structure in question, it is not possible to handle all relevant access structures efficiently, not even if the adversary is passive and static.

Journal ArticleDOI
TL;DR: A secret-sharing scheme built from a class of ternary error-correcting codes is described, and its access structure and properties are determined.

Posted Content
TL;DR: A general proof of the security against eavesdropping of a previously introduced protocol for two-party quantum key distribution based on entanglement swapping is provided, and the protocol is extended to permit multiparty quantum key distribution and secret sharing of classical information.
Abstract: A general proof of the security against eavesdropping of a previously introduced protocol for two-party quantum key distribution based on entanglement swapping [Phys. Rev. A {\bf 61}, 052312 (2000)] is provided. In addition, the protocol is extended to permit multiparty quantum key distribution and secret sharing of classical information.

Book ChapterDOI
18 Jan 2000
TL;DR: Improvements of the schemes are its applicability to create CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and Elliptic Curve Crypto systems.
Abstract: We propose new schemes for Certificates of Recoverability (CRs). These consist of a user’s public key and attributes, its private key encrypted in such a way that it is recoverable by one or more Key Recovery Agents (KRAs), plus a publicly verifiable proof of this (the actual CR). In the original schemes, the level of cryptographic security employed by the KRA and the users is necessarily the same. In our schemes the level of cryptographic security employed by the KRA can be set higher, in a scalable fashion, than that being employed by the users. Among the other improvements of our schemes are its applicability to create CRs for cryptosystems based on the Discrete Log problem in small subgroups, most notably the Digital Signature Standard and Elliptic Curve Crypto systems. Also, the size of the constructed proofs of knowledge can be taken smaller than in the original schemes. We additionally show several ways to support secret sharing in our scheme. Finally we present several new constructions and results on the hardness of “small parts”, in the setting of Diffie-Hellman keys in extension fields.

Journal Article
TL;DR: It is shown that the largest possible contrast $C_{k,n}$ in a $k$-out-of-$n$ secret sharing scheme is approximately $4^{-(k-1)}$, and equals $4^{-(k-1)}$ in the limit when $n$ approaches infinity.
Abstract: This paper shows that the largest possible contrast $C_{k,n}$ in a $k$-out-of-$n$ secret sharing scheme is approximately $4^{-(k-1)}$. More precisely, we show that $4^{-(k-1)} \leq C_{k,n} \leq 4^{-(k-1)}n^k/(n(n-1)\cdots(n-(k-1)))$. This implies that the largest possible contrast equals $4^{-(k-1)}$ in the limit when $n$ approaches infinity. For large $n$, the above bounds leave almost no gap. For values of $n$ that come close to $k$, we will present alternative bounds (being tight for $n=k$). The proofs of our results proceed by finding a relationship between the largest possible contrast in a secret sharing scheme and the smallest possible approximation error in problems occurring in approximation theory.
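
As an added example (not code from either of the two visual secret sharing entries above), the basic 2-out-of-2 black-and-white scheme that the colored construction builds on, and whose contrast the bound above is about: every image pixel becomes two subpixels on each transparency, stacking is a pixelwise OR, and a single transparency is a uniformly random pattern that reveals nothing. The `contrast` function measures the difference in black-subpixel fraction between black and white image pixels after stacking; the $4^{-(k-1)}$ bound uses its own normalisation, so the value here is only meant to show what is being optimised. The seeded generator is for reproducibility; real shares need a cryptographic source.

```python
"""Added example: 2-out-of-2 black-and-white visual secret sharing.
Each pixel becomes two subpixels per transparency; stacking (pixelwise OR)
shows white pixels as one black subpixel and black pixels as two."""
import random

WHITE, BLACK = 0, 1
PATTERNS = ((BLACK, WHITE), (WHITE, BLACK))


def split(image, seed=None):
    """Split a binary image (list of rows of 0/1) into two shares of twice the width.
    `seed` is for reproducible tests; leave it None to use the OS random source."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    share1, share2 = [], []
    for row in image:
        r1, r2 = [], []
        for px in row:
            pat = rng.choice(PATTERNS)          # fresh coin flip per pixel
            r1.extend(pat)
            # white pixel: same pattern on both shares  -> one black subpixel when stacked
            # black pixel: complementary pattern         -> two black subpixels when stacked
            r2.extend(pat if px == WHITE else tuple(1 - s for s in pat))
        share1.append(r1)
        share2.append(r2)
    return share1, share2


def stack(*shares):
    """Physical stacking: a subpixel is black if it is black on any transparency."""
    return [[max(subpx) for subpx in zip(*rows)] for rows in zip(*shares)]


def black_subpixels_per_pixel(share):
    """Count black subpixels per original pixel. On a single share every entry is 1,
    which is why one transparency carries no information about the image."""
    return [[row[i] + row[i + 1] for i in range(0, len(row), 2)] for row in share]


def threshold_decode(stacked):
    """What the eye does with the stacked result: two black subpixels read as black."""
    return [[BLACK if c == 2 else WHITE for c in row] for row in black_subpixels_per_pixel(stacked)]


def contrast(image, stacked):
    """Black-subpixel fraction of black pixels minus that of white pixels after stacking."""
    counts = black_subpixels_per_pixel(stacked)
    pairs = [(px, c) for irow, crow in zip(image, counts) for px, c in zip(irow, crow)]
    blacks = [c for px, c in pairs if px == BLACK]
    whites = [c for px, c in pairs if px == WHITE]
    return sum(blacks) / (2 * len(blacks)) - sum(whites) / (2 * len(whites))
```

The security property to check on a new construction is the one `black_subpixels_per_pixel` tests: the distribution of any single share must not depend on the image. The colored construction in the entry above keeps this property while changing the block length.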

Patent
11 Dec 2000
TL;DR: In this patent, the problem of keeping a separate secret key for every party one communicates with is addressed by deriving each party's secret key from a master key and that party's personal information with a one-way (unidirectional) hash function, so that only the master key has to be kept from third parties.
Abstract: PROBLEM TO BE SOLVED: In the conventional technique, when secret communication is performed with a plurality of other parties using public key ciphering, the same number of secret keys as the number of other parties must be reserved so as not to be known by a third party. SOLUTION: A personal information input 101 and a master key storing part 103 are prepared. From the personal information of the other party of the transmission and the master key, a secret key bound to that personal information is formed (104) using a unidirectional hash function and held in a temporary storage 108 for the secret key. Once the secret key is erased after use, it can be formed again. As a result, the secret keys need not be reserved; only the master key is reserved so as not to be known by a third party.

Posted Content
Abstract: We consider a 3-player model of a repeated game with standard monitoring in which the players' strategies are implemented by polynomial time Turing machines. We prove that if a collection of trapdoor permutations exists, the set of equilibria of this game is the set of correlated equilibria of the original repeated game.

Patent
19 May 2000
TL;DR: In this patent, two El Gamal ciphertexts are input to a two-input two-output unit switching gate of a permutation network, and a zero-knowledge proof of the correspondence between the gate's inputs and outputs is output to a verifier without revealing the random number and the random permutation.
Abstract: Two El Gamal ciphertexts, which are input to a two-input two-output unit switching gates SW forming a permutation network, are randomized with a random number and randomly permuted, and a zero-knowledge proof, which proves the correspondence between the inputs and outputs of the switching gates SW, is output to a verifier without revealing the random number and the random permutation. A decryption unit decrypts ciphertexts from a unit switching gate SW in the last column through the use of a secret key, and proves in zero-knowledge the validity of the decryption without revealing the secret key. A verification unit verifies the proof of each unit switching gate and the proof of the decryption unit.

Proceedings Article
14 Aug 2000
TL;DR: Applications for this scheme range from Web page metering, through ranking mechanisms for electronic discussion systems, to the distributed verifiable and scalable delegation of power in jointly-administrated systems.
Abstract: A large number of people digitally sign the same document. The signature collectors want to use only a small amount of memory to demonstrate to any third party approximately how many persons have signed it. The scheme described in this paper uses a non-uniform secure hash function to select a small subset of signatures that the collectors store. The size of this subset becomes a verifiable estimate for the logarithm of the number of signers. Applications for this scheme range from Web page metering, through ranking mechanisms for electronic discussion systems, to the distributed verifiable and scalable delegation of power in jointly-administrated systems.

Journal Article
TL;DR: This work presents one way in which combinatorial designs can be used to give conditionally perfect secret sharing schemes, and studies the problem of completion of structures, given partial information, to obtain measures of how closely the behaviour of thesecret sharing schemes approaches to ideal behaviour in practice.
Abstract: We present one way in which combinatorial designs can be used to give conditionally perfect secret sharing schemes. Schemes formed in this way have the advantage over classical secret sharing schemes of being easily adapted for use as compartmentalized or hierarchical access structures. We study the problem of completion of structures, given partial information, to obtain measures of how closely the behaviour of the secret sharing schemes approaches to ideal behaviour in practice. It may happen that part of a combinatorial design can never be reconstructed from a subset of a minimal defining set. That is, to find the blocks of what is called the strongbox of a given minimal defining set of a design, we must have the whole of the minimal defining set and be able to complete the whole design. The strongbox is that part of the design which may most safely be used to hold secret information. We study the size of the strongbox.

Proceedings ArticleDOI
25 Oct 2000
TL;DR: This paper proposes a method for detecting a dealer who hides the key in a polynomial of the wrong degree in Shamir's scheme: the dealer is asked to generate a certificate polynomial and one-bit verifying keys that the participants use during the detection process.
Abstract: The concept of secret sharing can be used in a wide range of business applications. A secret sharing system can implement the policies of secret sharing, and control the distribution of the secrets to the participants under the secret sharing policies. But it can be damaged when dealer cheating occurs. If the secret sharing system is implemented by Shamir's (t, n)-threshold scheme, one of the dealer's cheatings is that the dealer uses incorrect polynomials to generate shadows (or shares) and distributes these erroneous shadows to the participants. How can we detect this cheating? In this paper we propose a method to detect that the dealer has used a polynomial of the wrong degree to hide the key. The main idea of the proposed method is that we ask the dealer to generate a certificate polynomial and one-bit verifying keys to provide information when participants do the detection process.

Proceedings ArticleDOI
01 Feb 2000
TL;DR: This paper presents the first instance for which some improvement is possible over the simple construction of a secret sharing scheme, and shows that for this instance an improvement factor equal to the number of secrets over the above simple construction is possible.
Abstract: A secret sharing scheme is a method for distributing a secret among several parties in such a way that only qualified subsets of the parties can reconstruct it and unqualified subsets receive no information about the secret. A multi secret sharing scheme is the natural extension of a secret sharing scheme to the case in which many secrets need to be shared, each with respect to possibly different subsets of qualified parties. A multi secret sharing scheme can be trivially realized by realizing a secret sharing scheme for each of the secrets. A natural question in the area is whether this simple construction is the most efficient as well, and, if not, how much improvement is possible over it.

Journal Article
TL;DR: In this paper, the authors construct a universally verifiable mix-net in which the amount of work done by a verifier is independent of the number of mix-servers.
Abstract: In this paper we construct a universally verifiable Mix-net where the amount of work done by a verifier is independent of the number of mix-servers. Furthermore, the computational task of each mix-server is constant against the number of mix-servers except for some negligible tasks like addition. The scheme is robust, too.

01 Jan 2000
TL;DR: This work provides lower bounds concerning the rank, the amount of randomness required and the number of subshares needed for a group independent linear threshold sharing scheme developed by Desmedt and Frankel.
Abstract: Group independent linear threshold secret sharing refers to a t out of n linear threshold secret sharing scheme which can be used with any finite Abelian group. A formal definition of a group independent linear threshold sharing is developed. Further, we provide lower bounds concerning the rank, the amount of randomness required and the number of subshares needed for a group independent linear threshold sharing scheme. Lastly, we discuss the group independent linear threshold sharing scheme developed by Desmedt and Frankel. We introduce new algorithms which will reduce the number of required arithmetic operations and group operations needed for the Desmedt-Frankel scheme.

01 Feb 2000
TL;DR: This document describes a method for making random selections in such a way that the unbiased nature of the choice is publicly verifiable; the selection of the voting members of the IETF Nominations Committee from the pool of eligible volunteers is used as the worked example.
Abstract: This document describes a method for making random selections in such a way that the unbiased nature of the choice is publicly verifiable. As an example, the selection of the voting members of the IETF Nominations Committee from the pool of eligible volunteers is used. Similar techniques would be applicable to other cases.
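
This entry is RFC 2777. As an added example (not the RFC's own text or code), the selection procedure it describes in outline: the candidate list is frozen and published first, then several public, unpredictable number sources (lottery draws are the RFC's example) are combined into a key string and hashed with a position counter to pick each candidate in turn. Anyone can recompute the result from the published inputs, which is what makes the choice verifiable. The RFC uses MD5; the exact byte layout of the key string and counter below is this example's reading of the RFC and should be treated as an assumption, as should the sample candidate and source values.

```python
"""Added example: publicly verifiable random selection in the style of RFC 2777.
Public numbers published after the candidate list is frozen are hashed with a
position counter to pick candidates; any observer can recompute the result."""
import hashlib
import struct


def key_string(sources):
    """Each source's numbers sorted and joined with '.', each source terminated by '/'.
    (Layout assumed from RFC 2777; only consistency between selector and verifier matters.)"""
    return "".join(".".join(str(v) for v in sorted(src)) + "./" for src in sources)


def select(candidates, sources, count):
    """Pick `count` candidates. Position i (from 1) uses MD5(i || key || i), read as a
    big-endian integer, modulo the number of candidates still unselected."""
    if count > len(candidates):
        raise ValueError("cannot select more candidates than exist")
    if len(set(candidates)) != len(candidates):
        raise ValueError("candidate list must not contain duplicates")
    key = key_string(sources).encode("ascii")
    remaining = sorted(candidates)        # fixed, public ordering of the pool
    chosen = []
    for i in range(1, count + 1):
        tag = struct.pack(">H", i)        # 16-bit big-endian position counter
        digest = hashlib.md5(tag + key + tag).digest()
        chosen.append(remaining.pop(int.from_bytes(digest, "big") % len(remaining)))
    return chosen


def verify(candidates, sources, count, claimed):
    """Any observer re-runs the selection from the published inputs and compares."""
    return select(candidates, sources, count) == claimed
```

The two operational checks that make this honest are outside the code: the candidate list and the choice of sources must be published before the source values exist, and the sources must be ones nobody involved can influence. The hash only spreads the public randomness over the pool; it adds none of its own.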

Book ChapterDOI
10 Jul 2000
TL;DR: This paper studies the cheating problem in Shamir’s scheme (in the sense of Tompa and Woll attack) and presents alternative solutions to this problem, and introduces redundant secret sharing schemes and shows how they can be used for cheating prevention.
Abstract: The commonly used technique for cheating detection requires that extra information be given to each participant. However, in a secret sharing scheme when the size of shares increases the security of the system degrades. In this paper we study the cheating problem in Shamir's scheme (in the sense of the Tompa and Woll [1] attack) and present alternative solutions to this problem. First we consider cheating prevention via longer shares. Next we introduce redundant secret sharing schemes and show how they can be used for cheating prevention. Nonlinear secret sharing also offers some protection against cheaters. The work concludes with a discussion about a combined approach.
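
As an added example serving three entries above (not code from any of them): Shamir's (t, n) scheme over a prime field, with reconstruction from whichever t or more shares arrive (the threshold-over-unreliable-network patent dated 07 Jan 2000), a dealer who hides the key in a polynomial of the wrong degree (the dealer-cheating paper dated 25 Oct 2000), and the Tompa-Woll attack this entry studies, in which one participant submits a modified share. Neither the patent's protocol nor the papers' own detection schemes are reproduced; `degree_consistent` is a generic check that only works when participants pool more than t shares, and the seeded generator is for reproducibility, not for real dealing.

```python
"""Added example: Shamir (t, n) threshold sharing over GF(PRIME), plus two of the
failure modes discussed on this page: a dealer using a polynomial of the wrong
degree, and a participant submitting a modified share (Tompa-Woll)."""
import random

PRIME = (1 << 127) - 1   # constructed field; any prime larger than n and the secret works


def share(secret, t, n, seed=None, degree=None):
    """Split `secret` into n points on a random polynomial with constant term `secret`.
    An honest dealer uses degree t-1; `degree` lets the demo model a cheating dealer.
    `seed` is for reproducible tests; leave it None to use the OS random source."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    degree = t - 1 if degree is None else degree
    coeffs = [secret % PRIME] + [rng.randrange(1, PRIME) for _ in range(degree)]
    points = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):            # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def lagrange_coeff(xs, i, at=0):
    """Weight of y_i when the polynomial through the points xs is evaluated at `at`."""
    num = den = 1
    for j, xj in enumerate(xs):
        if j != i:
            num = num * (at - xj) % PRIME
            den = den * (xs[i] - xj) % PRIME
    return num * pow(den, -1, PRIME) % PRIME


def interpolate(points, at=0):
    xs = [x for x, _ in points]
    return sum(y * lagrange_coeff(xs, i, at) for i, (_, y) in enumerate(points)) % PRIME


def reconstruct(points):
    """Any t or more points recover the secret, whichever subset survived the network."""
    return interpolate(points, 0)


def degree_consistent(points, t):
    """With more than t points, check that the extras lie on the degree-(t-1) polynomial
    through the first t. Catches a dealer who used too high a degree, but only when
    more than t shares are pooled, and it says nothing about too low a degree."""
    base, extra = points[:t], points[t:]
    if not extra:
        raise ValueError("need more than t shares to check consistency")
    return all(interpolate(base, x) == y for x, y in extra)


def tompa_woll(points, cheater, delta):
    """The cheater submits y + delta. The group reconstructs a wrong value and cannot tell;
    the cheater, knowing delta and its own Lagrange weight, computes the real secret."""
    xs = [x for x, _ in points]
    forged = [(x, (y + delta) % PRIME if i == cheater else y) for i, (x, y) in enumerate(points)]
    seen_by_group = reconstruct(forged)
    real = (seen_by_group - delta * lagrange_coeff(xs, cheater)) % PRIME
    return seen_by_group, real
```

The point of the Tompa-Woll function is what plain Shamir does not give you: the forged reconstruction is a perfectly well-formed field element, so nothing in the arithmetic flags it. That is the gap that verifiable secret sharing, longer shares, or the redundant schemes in this entry are meant to close.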

Posted Content
TL;DR: In this article, a robust and universally verifiable membership testing scheme (MTS) was proposed that allows a collection of voters to cast votes and determine whether their tally belongs to some pre-specified small set (e.g., exceeds a given threshold).
Abstract: This work stresses the fact that all current proposals for electronic voting schemes disclose the final tally of the votes. In certain situations, like jury voting, this may be undesirable. We present a robust and universally verifiable membership testing scheme (MTS) that allows, among other things, a collection of voters to cast votes and determine whether their tally belongs to some pre-specified small set (e.g., exceeds a given threshold); our scheme discloses no information beyond what is implied by knowledge of such membership. We discuss several extensions of our basic MTS. All the constructions presented combine features of two parallel lines of research concerning electronic voting schemes, those based on MIX-networks and those based on homomorphic encryption.