Showing papers on "Verifiable secret sharing published in 2003"
17 Aug 2003
TL;DR: The first verifiable encryption scheme that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs was proposed in this article, based on Paillier's decision composite residuosity assumption.
Abstract: This paper addresses the problem of designing practical protocols for proving properties about encrypted data. To this end, it presents a variant of the new public key encryption of Cramer and Shoup based on Paillier’s decision composite residuosity assumption, along with efficient protocols for verifiable encryption and decryption of discrete logarithms (and more generally, of representations with respect to multiple bases). This is the first verifiable encryption system that provides chosen ciphertext security and avoids inefficient cut-and-choose proofs. The presented protocols have numerous applications, including key escrow, optimistic fair exchange, publicly verifiable secret and signature sharing, universally composable commitments, group signatures, and confirmer signatures.
540 citations
TL;DR: An idea to directly encode the qubit of quantum key distributions, and then present a quantum secret sharing scheme where only product states are employed, where the theoretic efficiency is doubled to approach 100%.
327 citations
06 Jan 2003
TL;DR: This work shows how to prove in honest verifier zero-knowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments) of ElGamal encryptions.
Abstract: We show how to prove in honest verifier zero-knowledge the correctness of a shuffle of homomorphic encryptions (or homomorphic commitments.) A shuffle consists in a rearrangement of the input cipher-texts and a reencryption of them so that the permutation is not revealed. Our scheme is more efficient than previous schemes both in terms of communication complexity and computational complexity. Indeed, in the case of shuffling ElGamal encryptions, the proof of correctness is smaller than the encryptions themselves.
149 citations
09 Jul 2003
TL;DR: The scheme inherits the attractive homomorphic properties of Paillier encryption and achieves two new properties: first, all users can use the same modulus when generating key pairs, this allows more efficient proofs of relations between different encryptions, and second, a threshold decryption protocol is constructed for the scheme that is length-flexible.
Abstract: We propose a public-key cryptosystem which is derived from the Paillier cryptosystem. The scheme inherits the attractive homomorphic properties of Paillier encryption. In addition, we achieve two new properties: First, all users can use the same modulus when generating key pairs, this allows more efficient proofs of relations between different encryptions. Second, we can construct a threshold decryption protocol for our scheme that is length-flexible, i.e., it can handle efficiently messages of arbitrary length, even though the public key and the secret key shares held by decryption servers are of fixed size. We show how to apply this cryptosystem to build a self-tallying election scheme with perfect ballot secrecy, and to build a length-flexible mix-net which is universally verifiable, where the size of keys and ciphertexts do not depend on the number of mix servers, and is robust against a corrupt minority.
145 citations
TL;DR: This paper presents a sufficient condition under which it is able to determine all the minimal codewords of certain linear codes, and constructs some linear codes whose covering structure can be determined, and uses them to construct secret sharing schemes with interesting access structures.
Abstract: Secret sharing has been a subject of study for over twenty years, and has had a number of real-world applications. There are several approaches to the construction of secret sharing schemes. One of them is based on coding theory. In principle, every linear code can be used to construct secret sharing schemes. But determining the access structure is very hard as this requires the complete characterisation of the minimal codewords of the underlying linear code, which is a difficult problem. In this paper we present a sufficient condition under which we are able to determine all the minimal codewords of certain linear codes. The condition is derived using exponential sums. We then construct some linear codes whose covering structure can be determined, and use them to construct secret sharing schemes with interesting access structures.
131 citations
30 Nov 2003
TL;DR: A slightly modified version of the Aiello-Ishai-Reingold oblivious transfer protocol from Eurocrypt 2001 is described, which will be what the authors call weakly secure when coupled with many different homomorphic semantically secure public-key cryptosystems.
Abstract: We describe slightly modified version (that we call the HOT protocol) of the Aiello-Ishai-Reingold oblivious transfer protocol from Eurocrypt 2001. In particular, the HOT protocol will be what we call weakly secure when coupled with many different homomorphic semantically secure public-key cryptosystems. Based on the HOT protocol, we construct an efficient verifiable oblivious transfer protocol and an efficient verifiable private equality test. As a concrete application of our results, we propose a novel protocol called proxy verifiable private equality test, and apply it to a cryptographic auction scheme to improve its security.
129 citations
27 Nov 2003
TL;DR: This paper gives another ID-based signcryption scheme that can provide public ciphertext authenticity and is forward and provably secure as well as publicly verifiable.
Abstract: Boyen [7] gave the first identity-based (ID-based) signcryption scheme that is forward secure, publicly verifiable as well as provably secure. However, his scheme aims at providing ciphertext unlinkability and anonymity which is not a desirable property in applications such as authentication of encrypted messages by firewalls [11], where any third party should be able to verify the origin of the ciphertext without knowing the content of the message and getting any help from the intended recipient. This requirement is referred as public ciphertext authenticity. In this paper, we give another ID-based signcryption scheme that can provide public ciphertext authenticity and is forward and provably secure as well as publicly verifiable. Our scheme is modified from Libert and Quisquater’s ID-based signcryption scheme [16] and the efficiency of our scheme is comparable to other previous ID-based signcryption schemes.
114 citations
06 Jan 2003
TL;DR: The first simple and efficient construction of verifiable random functions (VRFs) is given, based on a new variant of decisional Diffie-Hellman (DDH) assumption on certain groups where the regular DDH assumption does not hold.
Abstract: We give the first simple and efficient construction of verifiable random functions (VRFs). VRFs, introduced by Micali et al. [13], combine the properties of regular pseudorandom functions (PRFs) (i.e., indistinguishability from a random function) and digital signatures (i.e., one can provide an unforgeable proof that the VRF value is correctly computed). The efficiency of our VRF construction is only slightly worse than that of a regular PRF construction of Naor and Reingold [16]. In contrast to our direct construction, all previous VRF constructions [13, 12] involved an expensive generic transformation from verifiable unpredictable functions (VUFs).We also provide the first construction of distributed VRFs. Our construction is more efficient than the only known construction of distributed (non-verifiable) PRFs [17], but has more applications than the latter. For example, it can be used to distributively implement the random oracle model in a publicly verifiable manner, which by itself has many applications.Our construction is based on a new variant of decisional Diffie-Hellman (DDH) assumption on certain groups where the regular DDH assumption does not hold [10, 9]. Nevertheless, this variant of DDH seems to be plausible based on our current understanding of these groups. We hope that the demonstrated power of our assumption will serve as a motivation for its closer study.
105 citations
08 Dec 2003
TL;DR: This work considers computational secret sharing (CSS) which provably allows a smaller share size (and hence greater efficiency) than its information-theoretic counterparts and introduces the notion of secret sharing with a semi-trusted third party, and proves that in this relaxed model efficient CSS schemes exist for a wider class of access structures, namely monotone NP.
Abstract: Secret sharing is a very important primitive in cryptography and distributed computing. In this work, we consider computational secret sharing (CSS) which provably allows a smaller share size (and hence greater efficiency) than its information-theoretic counterparts. Extant CSS schemes result in succinct share-size and are in a few cases, like threshold access structures, optimal. However, in general, they are not efficient (share-size not polynomial in the number of players n), since they either assume efficient perfect schemes for the given access structure (as in [10]) or make use of exponential (in n) amount of public information (like in [5]). In this paper, our goal is to explore other classes of access structures that admit of efficient CSS, without making any other assumptions. We construct efficient CSS schemes for every access structure in monotone P. As of now, most of the efficient information-theoretic schemes known are for access structures in algebraic NC 2. Monotone P and algebraic NC 2 are not comparable in the sense one does not include other. Thus our work leads to secret sharing schemes for a new class of access structures. In the second part of the paper, we introduce the notion of secret sharing with a semi-trusted third party, and prove that in this relaxed model efficient CSS schemes exist for a wider class of access structures, namely monotone NP.
57 citations
TL;DR: A new (t,n) threshold proxy signature scheme based on Zhang's scheme suffered from a weakness, which is shown in this paper, and an improvement is proposed to counter it.
50 citations
Patent•
21 Jan 2003
TL;DR: In this article, the authors propose a voting system where the voter takes part of the layers as a kind of receipt and the other layers are retained and/or destroyed by the system.
Abstract: An election system provides, in one example, each voter with multiple physical 'layers' that the voter is able to choose between. The voter takes part of the layers as a kind of receipt and the other layers are retained and/or destroyed by the system. The actual vote is not readily revealed by the layers taken by the voter, thus protecting against improper influence. In the voting booth, when all the layers are combined, however, the voter is readily able to verify the vote. Moreover, posted images of the layers not taken by the voter can be used to compute the election results in a way that is verifiable by interested parties. The results cannot be changed without substantial probability of detection and privacy of votes can be maintained unless a number of parties are compromised or collude. Related techniques address remote voting, such as so-called Internet voting.
27 Dec 2003
TL;DR: A new verifiable secret sharing scheme (VSS) other than Feldman's and Pedersen's schemes suitable to protect elliptic curve secret keys and is able to tolerate n/3 malicious adversary with the cost of higher complexity.
Abstract: Robust threshold digital signature schemes are group signature schemes aiming to depart from the classical one person signer schemes. The term 'robust' means that such schemes can tolerate errors attempted by malicious adversary and the term 'threshold' means that given a total of n players, no coalition of players with cardinality less than or equal the threshold value can perform the signature while any coalition of players exceeding the threshold value can perform the signature correctly. The contributions in this paper are two fold. First, we propose a new verifiable secret sharing scheme (VSS) other than Feldman's (1987) and Pedersen's (1992) schemes suitable to protect elliptic curve secret keys. The proposed scheme utilizes a strong one way function provided by the elliptic curve cryptography based on a different type of group mathematics. Next, we employ the elliptic curve VSS to propose a robust threshold elliptic curve digital signature scheme that can withstand an n/2 eavesdropping, n/3 halting and an n/4 malicious adversary. The scheme is able to tolerate n/3 malicious adversary with the cost of higher complexity
TL;DR: A new authenticated encryption scheme with public verifiability that requires less computational costs and communication overhead than the conventional signature-then-encryption approaches and is not divulged during the public verification.
Abstract: A new authenticated encryption scheme with public verifiability is presented. The new scheme requires less computational costs and communication overhead than the conventional signature-then-encryption approaches. Furthermore the message is not divulged during the public verification.
Journal Article•
TL;DR: In this paper, the authors proposed a new DSA-verifiable signcryption scheme, which is based on the KCDSA-Verifiable Signatures (KCDSA) scheme proposed by Yum and Lee.
Abstract: In this paper, we propose new DSA-verifiable signcryption schemes. At ICISC '01, Yum and Lee first introduced the need for the public verifiability using standardized signature schemes and they proposed a KCDSA-verifiable scheme [1]. However, no DSA-verifiable signcryption schemes have been proposed. Additionally, we show some potential weakness of previous schemes proposed in [1, 2].
01 Jan 2003
TL;DR: A verifiable ring signature is introduced that not only has all the properties of a ring signature, but also the following property: if the actual signer is willing to prove to the verifier that he actually signs the signature, then the verifiers can correctly determine whether he is the actualSigner among the possible signers.
Abstract: We introduce a verifiable ring signature that not only has all the properties of a ring signature, but also the following property: if the actual signer is willing to prove to the verifier that he actually signs the signature, then the verifier can correctly determine whether he is the actual signer among the possible signers.
TL;DR: The goal is to show how the existing protocol can be used for 3D meshes to provide solutions for authentication watermarking and to combine digital signature schemes and digital water marking to provide a public verifiable integrity.
Abstract: Digital watermarking has become an accepted technology for enabling multimedia protection schemes. Based on the introduced media independent protocol schemes for invertible data authentication in references 2, 4 and 5 we discuss the design of a new 3D invertible labeling technique to ensure and require high data integrity. We combine digital signature schemes and digital watermarking to provide a public verifiable integrity. Furthermore the protocol steps in the other papers to ensure that the original data can only be reproduced with a secret key is adopted for 3D meshes. The goal is to show how the existing protocol can be used for 3D meshes to provide solutions for authentication watermarking. In our design concept and evaluation we see that due to the nature of 3D meshes the invertible function are different from the image and audio concepts to achieve invertibility to guaranty reversibility of the original. Therefore we introduce a concept for distortion free invertibility and a concept for adjustable minimum distortion invertibility.
Posted Content•
TL;DR: It is proved that the information theoretical requirements for a class of quantum secret sharing schemes reduce to only one requirement (the recoverability condition) as a consequence of the no-cloning principle.
Abstract: In this paper we introduce a quantum information theoretical model for quantum secret sharing schemes. We show that quantum information theory provides a unifying framework for the study of these schemes. We prove that the information theoretical requirements for a class of quantum secret sharing schemes reduce to only one requirement (the recoverability condition) as a consequence of the no-cloning principle. We give also a shorter proof of the fact that the size of the shares in a quantum secret sharing scheme must be at least as large as the secret itself.
27 Jan 2003
TL;DR: This work generalizes some protocols dealing with verifiable secret sharing, in such a way that they run in a general distributed scenario for both the tolerated subset of dishonest players and the subsets of honest players authorized to execute the different phases of the protocols.
Abstract: Secret sharing schemes are an essential part of distributed cryptographic systems. When dishonest participants are considered, then an appropriate tool are verifiable secret sharing schemes. Such schemes have been traditionally considered for a threshold scenario, in which all the participants play an equivalent role. In this work, we generalize some protocols dealing with verifiable secret sharing, in such a way that they run in a general distributed scenario for both the tolerated subsets of dishonest players and the subsets of honest players authorized to execute the different phases of the protocols.
24 Feb 2003
TL;DR: This paper shows the first instance for which an improvement is possible, and shows instances of multi-secret sharing schemes which achieve this improvement, with respect to both efficiency measures, thus showing that the above bound is tight.
Abstract: A secret sharing scheme is a method for distributing a secret among several parties in such a way that only qualified subsets of the parties can reconstruct it and unqualified subsets receive no information about the secret. A multi-secret sharing scheme is the natural extension of a secret sharing scheme to the case in which many secrets need to be shared, each with respect to possibly different subsets of qualified parties. A multi-secret sharing scheme can be trivially realized by realizing a secret sharing scheme for each of the secrets.In this paper we address the natural questions of whether this simple construction is the most efficient as well, and, if not, how much improvement is possible over it, with respect to both efficiency measures used in the literature; namely, the maximum piece of information and the sum of all pieces of information distributed to all parties. We completely answer these questions, as follows. We show the first instance for which an improvement is possible; we prove a bound on how much improvement is possible with respect to both measures; and we show instances of multi-secret sharing schemes which achieve this improvement, with respect to both measures, thus showing that the above bound is tight.
Patent•
15 May 2003
TL;DR: In this paper, a method for establishing a verifiable random number for use in a process that involves a random number is disclosed, the source being publicly available and publicly accepted as a source for numbers that are random.
Abstract: A method is disclosed for establishing a verifiable random number for use in a process that involves a random number. A source for a seed number is selected, the source being publicly available and publicly accepted as a source for numbers that are random. An algorithm is established that uses the seed number as a basis for determining the verifiable random number. The random number is then generated using the seed number and the algorithm. The source of the seed number and the algorithm are preferably published in advance of an existence of the seed number to enable at least one individual to reproduce a calculation of the random number.
TL;DR: This paper shows, by constructing a representation using projective geometry, that all connected matroids with two uniform components are secret sharing.
Abstract: Deciding whether a matroid is secret sharing or not is a well-known open problem. In Ng and Walker [6] it was shown that a matroid decomposes into uniform matroids under strong connectivity. The question then becomes as follows: when is a matroid m with N uniform components secret sharing? When N e 1, m corresponds to a uniform matroid and hence is secret sharing. In this paper we show, by constructing a representation using projective geometry, that all connected matroids with two uniform components are secret sharing
04 May 2003
TL;DR: The result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model and works in a somewhat "parallel repetition" manner to reduce the error probability.
Abstract: A new public-key model for resettable zero-knowledge (rZK) protocols, which is an extension and generalization of the upperbounded public-key (UPK) model introduced by Micali and Reyzin [EuroCrypt' 01, pp. 373-393], is introduced and is named weak public-key (WPK) model. The motivations and applications of the WPK model are justified in the distributed smart-card/server setting and it seems more preferable in practice, especially in E-commerce over Internet. In this WPK model a 3-round (optimal) black-box resettable zero-knowledge argument with concurrent soundness for NP is presented assuming the security of RSA with large exponents against subexponential-time adversaries. Our result improves Micali and Reyzin's result of resettable zero-knowledge argument with concurrent soundness for NP in the UPK model. Note that although Micali and Reyzin' protocol satisfies concurrent soundness in the UPK model, but it does not satisfy even sequential soundness in our WPK model.
Our protocol works in a somewhat "parallel repetition" manner to reduce the error probability and the black-box zero-knowledge simulator works in strict polynomial time rather than expected polynomial time. The critical tools used are: verifiable random functions introduced by Micali, Rabin and Vadhan [FOCS'99, pp. 120-130], zap presented by Dwork and Naor [FOCS'00, pp. 283-293] and complexity leveraging introduced by Canetti, Goldreich, Goldwasser and Micali [STOC'00, pp. 235-244].
19 Sep 2003
TL;DR: A new cryptographic primitive called Verifiable Distributed Oblivious Transfer (VDOT), which allows us to replace a single trusted party with a group of threshold trusted servers, and uses two novel techniques, consistency verification of encrypted secret shares and consistency verification through re-randomization.
Abstract: The mobile agent is a fundamental building block of the mobile computing paradigm. In mobile agent security, oblivious transfer (OT) from a trusted party can be used to protect the agent's privacy and the hosts' privacy. In this paper, we introduce a new cryptographic primitive called Verifiable Distributed Oblivious Transfer (VDOT), which allows us to replace a single trusted party with a group of threshold trusted servers. The design of VDOT uses two novel techniques, consistency verification of encrypted secret shares and consistency verification through re-randomization. VDOT protects the privacy of both the sender and the receiver against malicious attacks of the servers. We also show the design of a system to apply VDOT to protect the privacy of mobile agents. Our design partitions an agent into the general portion and the security-sensitive portion. We also implement the key components of our system. As far as we know, this is the first effort to implement a system that protects the privacy of mobile agents. Our preliminary evaluation shows that protecting mobile agents not only is possible, but also can be implemented efficiently.
TL;DR: Ma and Chen have proposed an authenticated encryption scheme with public verifiability which claims that the TTP can publicly verify the sender's signature without running a zero knowledge proof protocol.
Abstract: Ma and Chen have proposed an authenticated encryption scheme with public verifiability. The scheme claims that the TTP can publicly verify the sender's signature without running a zero knowledge proof protocol. The problem in verification which causes the TTP to reject a valid signature with non-negligible probability is pointed out.
27 Nov 2003
TL;DR: Wang et al. as mentioned in this paper proposed secure double auction protocols, which achieve full privacy protection of participants, where each bid/ask information is always kept secret, even when there is any collusion of participants.
Abstract: Many researches have been done on the strategies of double auctions, an important class of auction protocols that permit multiple buyers and sellers to trade simultaneously in a market. Some well designed dominant-strategy incentive compatible double auction protocols have been proposed. However, the security and the privacy issues in double auctions are seldom studied in the literatures. In this paper, we propose secure double auction protocols, which achieve full privacy protection of participants. That is, each bid/ask information is always kept secret, even when there is any collusion of participants. It is clear that our suggestion is stronger than other previous work in which assumptions that certain auctioneers never collude are made. To achieve full privacy protection, we employ homomorphic ElGamal encryption and distribute the private key among the all participants. In such a way, all participants jointly compute the outcome of the double auction without revealing any additional bid/ask information. Also, the proposed protocol is publicly verifiable, so that the robustness is assured. The communication and computation complexity of the proposed protocols are analyzed.
08 Apr 2003
TL;DR: In this paper, the authors present a protocol for fair document exchange between two parties, that incorporates a signature scheme based method for the recovery of a document decryption key, which is based on a verifiable and recoverable encryption of a key.
Abstract: The authors aim to present a protocol for fair document exchange between two parties, that incorporates a signature scheme based method for the recovery of a document decryption key. The principal idea for such key recovery is based on a verifiable and recoverable encryption of a key. This means that any party can verify the correctness of the key encrypted without actually viewing the key, and the party can be assured that a designated party can decrypt the encrypted key to recover the original key. A DSA (digital signature algorithm) is applied as an example to demonstrate how to implement such key encryption based on an off-line semi-trusted third party. The third party is off-line as they do not participate in an exchange in normal situations, and semi-trusted in the sense that they may misbehave but do not conspire with any party involved in the exchange. The main contribution of the paper is that it presents a fair document exchange protocol which is more efficient, simpler and easier to implement in comparison with related work.
Journal Article•
TL;DR: In this article, the authors proposed a distributed key generation protocol for discrete logarithm problem based threshold cryptosystems by introducing an efficient (publicly) verifiable encryption scheme from any homomorphic encryption with a non-interactive proof of fairness.
Abstract: We propose a distributed key generation protocol for discrete logarithm problem based threshold cryptosystems by introducing an efficient (publicly) verifiable encryption scheme from any homomorphic encryption with a non-interactive proof of fairness. Previous constructions of the same kind are either only based on a narrow definition of homomorphism or only a unique encryption scheme is considered. Our construction generalizes the scope of such design to a broader range of encryption schemes with efficient constructions of proofs of fairness. Since the protocol is round optimal (one-round) in the distributed fashion, adaptive adversary is not different from a static adversary, thus a simplified protocol design is possible. Our scheme is extremely capable for an environment with already built public key infrastructure. The verifiable encryption with fairness developed here can be used as building blocks of a variety of cryptographical applications like publicly verifiable secret sharing (PVSS), e-voting and auction schemes.
16 Oct 2003
TL;DR: The verifiable encryption with fairness developed here can be used as building blocks of a variety of cryptographical applications like publicly verifiable secret sharing (PVSS), e-voting and auction schemes.
Abstract: We propose a distributed key generation protocol for discrete logarithm problem based threshold cryptosystems by introducing an efficient (publicly) verifiable encryption scheme from any homomorphic encryption with a non-interactive proof of fairness. Previous constructions of the same kind are either only based on a narrow definition of homomorphism or only a unique encryption scheme is considered. Our construction generalizes the scope of such design to a broader range of encryption schemes with efficient constructions of proofs of fairness. Since the protocol is round optimal (one-round) in the distributed fashion, adaptive adversary is not different from a static adversary, thus a simplified protocol design is possible. Our scheme is extremely capable for an environment with already built public key infrastructure. The verifiable encryption with fairness developed here can be used as building blocks of a variety of cryptographical applications like publicly verifiable secret sharing (PVSS), e-voting and auction schemes.
TL;DR: Two new (2, n) ASS schemes are proposed, which carefully employ the technique of time division with only one cover sound and have the advantage of flexible improvement in relative contrast as needed.
Abstract: An Audio Secret Sharing (ASS) scheme is a special type of secret sharing scheme [3], which the shares of embedded messages use music as cover sound. Desmedt et al. firstly introduced the (2, 2) ASS scheme with one cover sound and also the generalized (2, n) ASS scheme with [log2n] different cover sounds. No only will more cover sounds overburden the human hearing system but also may become difficult for people to distinguish the secret bit correctly. Thus, their scheme is not practical when n is large. In this paper, we will propose two new (2, n) ASS schemes, which carefully employ the technique of time division with only one cover sound. Comparing with the first scheme, the second scheme has the advantage of flexible improvement in relative contrast as needed. To test the acoustic result, we implemented these two proposed (2, n) ASS schemes for small n using one wave-type cover sound and then obtained near expected results.
Journal Article•
TL;DR: In this paper, the optimal information rate of ideal access structures with intersection number equal to one is studied. But the optimal rate is not known for the non-ideal case.
Abstract: The characterization of ideal access structures and the search for bounds on the optimal information rate are two important problems in secret sharing. These problems are studied in this paper for access structures with intersection number equal to one, that is, access structures such that there is at most one participant in the intersection of any two minimal qualified subsets. Examples of such access structures are those defined by finite projective planes and those defined by graphs. In this work, ideal access structures with intersection number equal to one are completely characterized and bounds on the optimal information rate are provided for the non-ideal case.