
Showing papers on "Verifiable secret sharing" published in 2006


Book ChapterDOI
28 May 2006
TL;DR: In this paper, a distributed protocol for generating shares of random noise, secure against malicious participants, was proposed, where the purpose of the noise generation is to create a distributed implementation of the privacy-preserving statistical databases described in recent papers.
Abstract: In this work we provide efficient distributed protocols for generating shares of random noise, secure against malicious participants. The purpose of the noise generation is to create a distributed implementation of the privacy-preserving statistical databases described in recent papers [14,4,13]. In these databases, privacy is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise. The computational power of even a simple form of these databases, when the query is just of the form ∑_i f(d_i), that is, the sum over all rows i in the database of a function f applied to the data in row i, has been demonstrated in [4]. A distributed implementation eliminates the need for a trusted database administrator. The results for noise generation are of independent interest. The generation of Gaussian noise introduces a technique for distributing shares of many unbiased coins with fewer executions of verifiable secret sharing than would be needed using previous approaches (reduced by a factor of n). The generation of exponentially distributed noise uses two shallow circuits: one for generating many arbitrarily but identically biased coins at an amortized cost of two unbiased random bits apiece, independent of the bias, and the other to combine bits of appropriate biases to obtain an exponential distribution.

1,567 citations


Journal Article
TL;DR: This work provides efficient distributed protocols for generating shares of random noise, secure against malicious participants, and introduces a technique for distributing shares of many unbiased coins with fewer executions of verifiable secret sharing than would be needed using previous approaches.
Abstract: In this work we provide efficient distributed protocols for generating shares of random noise, secure against malicious participants. The purpose of the noise generation is to create a distributed implementation of the privacy-preserving statistical databases described in recent papers [14,4,13]. In these databases, privacy is obtained by perturbing the true answer to a database query by the addition of a small amount of Gaussian or exponentially distributed random noise. The computational power of even a simple form of these databases, when the query is just of the form ∑_i f(d_i), that is, the sum over all rows i in the database of a function f applied to the data in row i, has been demonstrated in [4]. A distributed implementation eliminates the need for a trusted database administrator. The results for noise generation are of independent interest. The generation of Gaussian noise introduces a technique for distributing shares of many unbiased coins with fewer executions of verifiable secret sharing than would be needed using previous approaches (reduced by a factor of n). The generation of exponentially distributed noise uses two shallow circuits: one for generating many arbitrarily but identically biased coins at an amortized cost of two unbiased random bits apiece, independent of the bias, and the other to combine bits of appropriate biases to obtain an exponential distribution.

391 citations


Journal ArticleDOI
TL;DR: A sufficient condition for all nonzero codewords of a linear code to be minimal is derived from exponential sums, and then used to construct secret sharing schemes with nice access structures.
Abstract: Secret sharing has been a subject of study for over 20 years, and has had a number of real-world applications. There are several approaches to the construction of secret sharing schemes. One of them is based on coding theory. In principle, every linear code can be used to construct secret sharing schemes. But determining the access structure is very hard as this requires the complete characterization of the minimal codewords of the underlying linear code, which is a difficult problem in general. In this paper, a sufficient condition for all nonzero codewords of a linear code to be minimal is derived from exponential sums. Some linear codes whose covering structure can be determined are constructed, and then used to construct secret sharing schemes with nice access structures.

298 citations


Book ChapterDOI
06 Sep 2006
TL;DR: The problem of rational secret sharing among n rational players was introduced by Halpern and Teague (STOC 2004), who claimed that a solution is impossible for n = 2 but gave a solution for the case n ≥ 3; this paper gives a protocol for n = 2 that also extends to n ≥ 3.
Abstract: We consider the problem of secret sharing among n rational players. This problem was introduced by Halpern and Teague (STOC 2004), who claim that a solution is impossible for n=2 but show a solution for the case n≥3. Contrary to their claim, we show a protocol for rational secret sharing among n=2 players; our protocol extends to the case n≥3, where it is simpler than the Halpern-Teague solution and also offers a number of other advantages. We also show how to avoid the continual involvement of the dealer, in either our own protocol or that of Halpern and Teague. Our techniques extend to the case of rational players trying to securely compute an arbitrary function, under certain assumptions on the utilities of the players.

211 citations


Book ChapterDOI
20 Aug 2006
TL;DR: The first universally verifiable voting scheme that can be based on a general assumption (existence of a non-interactive commitment scheme) is presented, and the first receipt-free scheme to give “everlasting privacy” for votes is presented.
Abstract: We present the first universally verifiable voting scheme that can be based on a general assumption (existence of a non-interactive commitment scheme). Our scheme is also the first receipt-free scheme to give “everlasting privacy” for votes: even a computationally unbounded party does not gain any information about individual votes (other than what can be inferred from the final tally). Our voting protocols are designed to be used in a “traditional” setting, in which voters cast their ballots in a private polling booth (which we model as an untappable channel between the voter and the tallying authority). Following in the footsteps of Chaum and Neff [7,16], our protocol ensures that the integrity of an election cannot be compromised even if the computers running it are all corrupt (although ballot secrecy may be violated in this case). We give a generic voting protocol which we prove to be secure in the Universal Composability model, given that the underlying commitment is universally composable. We also propose a concrete implementation, based on the hardness of discrete log, that is slightly more efficient (and can be used in practice).

201 citations


Proceedings Article
Josh Benaloh
01 Aug 2006
TL;DR: This paper describes a relatively simple but still effective approach to cryptographic elections, not as computationally efficient as previously proposed cryptographic approaches, but intended to be more accessible and therefore more suitable for comparison with other voting systems.
Abstract: Much work has been done in recent decades to apply sophisticated cryptographic techniques to achieve strong end-to-end verifiability in election protocols. The properties of these protocols are much stronger than in any system in general use; however, the complexity of these systems has retarded their adoption. This paper describes a relatively simple but still effective approach to cryptographic elections. Although not as computationally efficient as previously proposed cryptographic approaches, the work presented herein is intended to be more accessible and therefore more suitable for comparison with other voting systems.

195 citations


Journal ArticleDOI
TL;DR: The experimental results demonstrate that cheating is possible when the cheaters form a coalition in order to deceive honest participants, and two simple cheating-prevention visual cryptographic schemes are proposed.
Abstract: A secret sharing scheme allows a secret to be shared among a set of participants, P, such that only authorized subsets of P can recover the secret, but any unauthorized subset cannot recover the secret. In 1995, Naor and Shamir proposed a variant of secret sharing, called visual cryptography, where the shares given to participants are xeroxed onto transparencies. If X is an authorized subset of P, then the participants in X can visually recover the secret image by stacking their transparencies together without performing any computation. In this paper, we address the issue of cheating by dishonest participants, called cheaters, in visual cryptography. The experimental results demonstrate that cheating is possible when the cheaters form a coalition in order to deceive honest participants. We also propose two simple cheating prevention visual cryptographic schemes.

150 citations


Journal ArticleDOI
TL;DR: A special attack strategy against the multiparty quantum secret sharing protocol is presented: using a fake signal and Bell measurement, the agent Bob, who generates the initial signals, can elicit Alice's secret message.

144 citations


Proceedings ArticleDOI
21 Oct 2006
TL;DR: This paper presents a verifiable quantum secret sharing protocol (VQSS), and a general secure multiparty quantum computation (MPQC) protocol, which can tolerate any cheaters among n players.
Abstract: Secret sharing and multiparty computation (also called "secure function evaluation") are fundamental primitives in modern cryptography, allowing a group of mutually distrustful players to perform correct, distributed computations under the sole assumption that some number of them will follow the protocol honestly. This paper investigates how much trust is necessary -- that is, how many players must remain honest -- in order for distributed quantum computations to be possible. We present a verifiable quantum secret sharing (VQSS) protocol, and a general secure multiparty quantum computation (MPQC) protocol, which can tolerate any ⌊(n − 1)/2⌋ cheaters among n players. Previous protocols for these tasks tolerated ⌊(n − 1)/4⌋ and ⌊(n − 1)/6⌋ cheaters, respectively. The threshold we achieve is tight -- even in the classical case, "fair" multiparty computation is not possible if any set of n/2 players can cheat. Our protocols rely on approximate quantum error-correcting codes, which can tolerate a larger fraction of errors than traditional, exact codes. We introduce new families of authentication schemes and approximate codes tailored to the needs of our protocols, as well as new state purification techniques along the lines of those used in fault-tolerant quantum circuits.

141 citations


Journal Article
TL;DR: In this article, enhancements to the voter verifiable election scheme Pret a Voter (CRS05) are proposed: a set of independent clerks jointly constructs proto-ballot forms with the candidate list encrypted, so that only a collusion of all the clerks could determine the cryptographic seeds or the onion/candidate list association.
Abstract: We present a number of enhancements to the voter verifiable election scheme Pret a Voter [CRS05]. Firstly, we propose a mechanism for the distributed construction by a set of independent clerks of the ballot forms. This construction leads to proto-ballot forms with the candidate list encrypted and ensures that only a collusion of all the clerks could determine the cryptographic seeds or the onion/candidate list association. This eliminates the need to trust a single authority to keep this information secret. Furthermore, it allows the on-demand decryption and printing of the ballot forms, so eliminating chain of custody issues and the chain voting style attacks against encrypted receipt schemes identified in [RP05]. The ballot forms proposed here use ElGamal randomised encryption so enabling the use of re-encryption mixes for the anonymising tabulation phase in place of the decryption mixes. This has a number of advantages over the RSA decryption mixes used previously: tolerance against failure of any of the mix tellers, full mixing of terms over the Z_p^* space and enabling the mixes and audits to be fully independently rerun if necessary.

133 citations


Book ChapterDOI
18 Sep 2006
TL;DR: A mechanism for the distributed construction by a set of independent clerks of the ballot forms that ensures that only a collusion of all the clerks could determine the cryptographic seeds or the onion/candidate list association is proposed.
Abstract: We present a number of enhancements to the voter verifiable election scheme Pret a Voter [CRS05]. Firstly, we propose a mechanism for the distributed construction by a set of independent clerks of the ballot forms. This construction leads to proto-ballot forms with the candidate list encrypted and ensures that only a collusion of all the clerks could determine the cryptographic seeds or the onion/candidate list association. This eliminates the need to trust a single authority to keep this information secret. Furthermore, it allows the on-demand decryption and printing of the ballot forms, so eliminating chain of custody issues and the chain voting style attacks against encrypted receipt schemes identified in [RP05]. The ballot forms proposed here use ElGamal randomised encryption so enabling the use of re-encryption mixes for the anonymising tabulation phase in place of the decryption mixes. This has a number of advantages over the RSA decryption mixes used previously: tolerance against failure of any of the mix tellers, full mixing of terms over the Z_p^* space and enabling the mixes and audits to be fully independently rerun if necessary.

Proceedings ArticleDOI
Li Bai
26 Jun 2006
TL;DR: A strong (k,n) threshold-based ramp secret sharing scheme with k access levels with large compression rate on the size of the shares and strong protection of the secrets is presented.
Abstract: This paper presents a strong (k,n) threshold-based ramp secret sharing scheme with k access levels. The secrets are the elements represented in a square matrix S. The secret matrix S can be shared among n different participants using a matrix projection technique where: i) any subset of k participants can collaborate together to reconstruct the secret, and ii) any subset of (k-1) or fewer participants cannot partially discover the secret matrix. The primary advantages are its large compression rate on the size of the shares and its strong protection of the secrets.

Book ChapterDOI
Isamu Teranishi, Kazue Sako
24 Apr 2006
TL;DR: This work proposes a k-TAA scheme where the numbers of exponentiations required for the entities in an authentication are independent of k, and presents an efficient publicly verifiable k-TAA scheme, where the number of modular exponentiations required for the entities is O(log(k)).
Abstract: A k-Times Anonymous Authentication (k-TAA) scheme allows users to be authenticated anonymously so long as the number of times that they are authenticated is within an allowable number. Some promising applications are e-voting, e-cash, e-coupons, and trial browsing of contents. However, the previous schemes are not efficient in the case where the allowable number k is large, since they require both users and verifiers to compute O(k) exponentiation in each authentication. We propose a k-TAA scheme where the numbers of exponentiations required for the entities in an authentication are independent of k. Moreover, we propose a notion of public detectability in a k-TAA scheme and present an efficient publicly verifiable k-TAA scheme, where the number of modular exponentiations required for the entities is O(log(k)).

Book ChapterDOI
04 Mar 2006
TL;DR: It is demonstrated that one round is sufficient for WSS when n > 4t, and that VSS can be achieved in 1 + e amortized rounds (for any e > 0) when n > 3t.
Abstract: We consider perfect verifiable secret sharing (VSS) in a synchronous network of n processors (players) where a designated player called the dealer wishes to distribute a secret s among the players in a way that no t of them obtain any information, but any t + 1 players obtain full information about the secret. The round complexity of a VSS protocol is defined as the number of rounds performed in the sharing phase. Gennaro, Ishai, Kushilevitz and Rabin showed that three rounds are necessary and sufficient when n > 3t. Sufficiency, however, was only demonstrated by means of an inefficient (i.e., exponential-time) protocol, and the construction of an efficient three-round protocol was left as an open problem. In this paper, we present an efficient three-round protocol for VSS. The solution is based on a three-round solution of so-called weak verifiable secret sharing (WSS), for which we also prove that three rounds is a lower bound. Furthermore, we also demonstrate that one round is sufficient for WSS when n > 4t, and that VSS can be achieved in 1 + e amortized rounds (for any e > 0) when n > 3t.

Journal ArticleDOI
TL;DR: In this article, a robust (n,n)-threshold scheme of multiparty quantum secret sharing of key over two collective-noise channels (i.e., the collective dephasing channel and the collective rotating channel) is proposed.
Abstract: Based on a polarization-based quantum key distribution protocol over a collective-noise channel [Phys. Rev. Lett. 92 (2004) 017901], a robust (n,n)-threshold scheme of multiparty quantum secret sharing of key over two collective-noise channels (i.e., the collective dephasing channel and the collective rotating channel) is proposed. In this scheme the sharer entirety can establish a joint key with the message sender only if all the sharers collaborate together. Since Bell singlets are enough for use and only single-photon polarization needs to be identified, this scheme is feasible according to the present-day technique. (c) 2005 Elsevier B.V. All rights reserved.

Patent
13 Oct 2006
TL;DR: In this article, a system and method for securely duplicating digital documents of disparate types, such that there is a cryptographically secure link between the duplicate and the original, is presented.
Abstract: A system and method is provided for securely duplicating digital documents of disparate types, such that there is a cryptographically secure link between the duplicate and the original. The system also provides each document with a serial number that is both sequential with all other copied documents and cryptographically linked with the document itself, and which includes verifiable proof against tampering and modification. The system further produces copies of documents in a canonical format suitable for indexing and searching using automated processing tools.

Proceedings ArticleDOI
Li Bai
29 Sep 2006
TL;DR: This approach's advantages are its large compression rate on the size of the image shares, its strong protection of the secret image and its ability for real-time processing.
Abstract: This paper presents a reliable image secret sharing method which incorporates two k-out-of-n secret sharing schemes: i) Shamir's secret sharing scheme and ii) matrix projection secret sharing scheme. The technique allows a colored secret image to be divided as n image shares so that: i) any k image shares (k ≤ n) are sufficient to reconstruct the secret image in a lossless manner and ii) any (k - 1) or fewer image shares cannot get enough information to reveal the secret image. It is an effective, reliable and secure method to prevent the secret image from being lost, stolen or corrupted. In comparison with other image secret sharing methods, this approach's advantages are its large compression rate on the size of the image shares, its strong protection of the secret image and its ability for real-time processing.

Journal Article
TL;DR: In this article, an efficient three-round VSS protocol is built on a three-round solution of weak verifiable secret sharing (WSS), for which three rounds is also shown to be a lower bound; furthermore, one round is shown to be sufficient for WSS when n > 4t, and VSS can be achieved in 1 + e amortized rounds (for any e > 0) when n > 3t.
Abstract: We consider perfect verifiable secret sharing (VSS) in a synchronous network of n processors (players) where a designated player called the dealer wishes to distribute a secret s among the players in a way that no t of them obtain any information, but any t + 1 players obtain full information about the secret. The round complexity of a VSS protocol is defined as the number of rounds performed in the sharing phase. Gennaro, Ishai, Kushilevitz and Rabin showed that three rounds are necessary and sufficient when n > 3t. Sufficiency, however, was only demonstrated by means of an inefficient (i.e., exponential-time) protocol, and the construction of an efficient three-round protocol was left as an open problem. In this paper, we present an efficient three-round protocol for VSS. The solution is based on a three-round solution of so-called weak verifiable secret sharing (WSS), for which we also prove that three rounds is a lower bound. Furthermore, we also demonstrate that one round is sufficient for WSS when n > 4t, and that VSS can be achieved in 1 + e amortized rounds (for any e > 0) when n > 3t.

Journal Article
TL;DR: It is proved, using the concept of entropy, that in any perfect threshold secret sharing scheme the shares must be at least as long as the secret and, later on, Capocelli, De Santis, Gargano, and Vaccaro have extended this result to the …
Abstract: Preface. A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows) which are distributed to users. The secret may be recovered only by certain predetermined groups which belong to the access structure. Secret sharing schemes have been independently introduced by Blakley [12] and Shamir [134] as a solution for safeguarding cryptographic keys. Secret sharing schemes can be used for any situation in which the access to an important resource has to be restricted. We mention here the case of opening bank vaults or launching a nuclear missile. In the first secret sharing schemes only the number of the participants in the reconstruction phase was important for recovering the secret. Such schemes have been referred to as threshold secret sharing schemes. There are secret sharing schemes that deal with more complex access structures than the threshold ones. We mention here the weighted threshold secret sharing schemes in which a positive weight is associated to each user and the secret can be reconstructed if and only if the sum of the weights of the participants is greater than or equal to a fixed threshold, the hierarchical (or multilevel) secret sharing schemes in which the set of users is partitioned into some levels and the secret can be recovered if and only if there is an initialization level such that the number of the participants from this level or higher levels is greater than or equal to the initialization level threshold, the compartmented secret sharing schemes in which the set of users is partitioned into compartments and the secret can be recovered if and only if the number of participants from any compartment is greater than or equal to a compartment threshold and the total number of participants is greater than or equal to a global threshold. Ito, Saito, and Nishizeki [90], Benaloh and Leichter [9] have proposed constructions for realizing any monotone (i.e., if a group belongs to the access structure, so does a larger group) access structure. The schemes in which the unauthorized groups gain no information about the secret are referred to as perfect. Karnin, Greene, and Hellman [97] have proved, using the concept of entropy, that in any perfect threshold secret sharing scheme the shares must be at least as long as the secret and, later on, Capocelli, De Santis, Gargano, and Vaccaro [27] have extended this result to the …

Proceedings ArticleDOI
21 Mar 2006
TL;DR: The proposed scheme is distortion-free, thus suitable for watermarking any type of data without fear of error constraints, and robust against typical database attacks including tuple/attribute insertion/deletion, random/selective value modification, data frame-up, and additive attacks.
Abstract: Today, watermarking techniques have been extended from the multimedia context to relational databases so as to protect the ownership of data even after the data are published or distributed. However, all existing watermarking schemes for relational databases are secret key based, thus require a secret key to be presented in proof of ownership. This means that the ownership can only be proven once to the public (e.g., to the court). After that, the secret key is known to the public and the embedded watermark can be easily destroyed by malicious users. Moreover, most of the existing techniques introduce distortions to the underlying data in the watermarking process, either by modifying least significant bits or exchanging categorical values. The distortions inevitably reduce the value of the data. In this paper, we propose a watermarking scheme by which the ownership of data can be publicly proven by anyone, as many times as necessary. The proposed scheme is distortion-free, thus suitable for watermarking any type of data without fear of error constraints. The proposed scheme is robust against typical database attacks including tuple/attribute insertion/deletion, random/selective value modification, data frame-up, and additive attacks.

Patent
17 Feb 2006
TL;DR: In this article, a method and system for determining a shared secret between two entities in a cryptosystem is presented, where a first random secret is selected that is known to the first entity and unknown to the second entity.
Abstract: A method and system are provided for determining a shared secret between two entities in a cryptosystem. A first random secret is selected that is known to the first entity and unknown to the second entity. A first intermediate shared secret component is determined using the first random secret and a system parameter. The first intermediate shared secret component is communicated to the second entity. A second random secret is selected that is known to the second entity, but unknown to the first entity. A second intermediate shared secret component is determined using the second random secret and the system parameter. The second intermediate shared secret component is communicated to the first entity. It is confirmed that both the first entity and the second entity know a non-interactive shared secret. An interactive shared secret is determined using the first random secret, the second random secret, and the system parameter.

Journal ArticleDOI
Deng Fu-Guo, Zhou Ping, Li Xi-Han, Li Chun-Yan, Zhou Hong-Yu
TL;DR: An efficient multiparty quantum secret sharing scheme with Greenberger–Horne–Zeilinger (GHZ) states following some ideas in quantum dense coding has the advantage of high capacity as each GHZ state can carry two bits of information.
Abstract: An efficient multiparty quantum secret sharing scheme is proposed with Greenberger–Horne–Zeilinger (GHZ) states following some ideas in quantum dense coding. The agents take the single-photon measurements on the photons received for eavesdropping check and exploit the four local unitary operations I, σ_z, σ_x and iσ_y to code their message. This scheme has the advantage of high capacity as each GHZ state can carry two bits of information. The parties do not need to announce the measuring bases for almost all the photons, which will largely reduce the classical information exchanged. The intrinsic efficiency for qubits and the total efficiency both approach the maximal values.

Journal Article
TL;DR: This paper shows a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties, and instantiates it using an existing pairing-based accumulator and a new signature scheme; the resulting scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing.
Abstract: Known compact e-cash schemes are constructed from signature schemes with efficient protocols and verifiable random functions. In this paper, we introduce a different approach. We construct compact e-cash schemes from bounded accumulators. A bounded accumulator is an accumulator with a limit on the number of accumulated values. We show a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties and instantiate it using an existing pairing-based accumulator and a new signature scheme. Our scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing. The new signature scheme has an interesting property that it has the message space of a cyclic group G_1 equipped with a bilinear pairing, with efficient protocol to show possession of a signature without revealing the signature or the message. We show that the new scheme is secure in the generic group model. The new signature scheme may be of independent interest.

Book ChapterDOI
Satoshi Obana, Toshinori Araki
03 Dec 2006
TL;DR: In this paper, the problem of cheating in secret sharing schemes, where individuals submit forged shares in the secret reconstruction phase in an effort to make another participant reconstruct an invalid secret, was considered.
Abstract: We consider the problem of cheating in secret sharing schemes, cheating in which individuals submit forged shares in the secret reconstruction phase in an effort to make another participant reconstruct an invalid secret. We introduce a novel technique which uses universal hash functions to detect such cheating and propose two efficient secret sharing schemes that employ the functions. The first scheme is nearly optimum with respect to the size of shares; that is, the size of shares is only one bit longer than its existing lower bound. The second scheme possesses a particular merit in that the parameter for the probability of successful cheating can be chosen without regard to the size of the secret. Further, the proposed schemes are proven to be secure regardless of the probability distribution of the secret.

Journal ArticleDOI
TL;DR: This study points out that the m-th party (the last party to process the quantum state) of group 1 can maliciously replace the secret message with an arbitrary message without the detection of the other parties.
Abstract: Recently, Yan and Gao [Phys. Rev. A 72, 012304 (2005)] presented a quantum secret sharing protocol which allows a secret message to be shared between two groups of parties (m parties in group 1 and n parties in group 2). Their protocol is claimed to be secure in that, except with the cooperation of the entire group 1 or group 2, no subgroup of either group 1 or group 2 can extract the secret message. However, this study points out that the m-th party (the last party to process the quantum state) of group 1 can maliciously replace the secret message with an arbitrary message without the detection of the other parties.

Journal Article
TL;DR: A novel technique which uses universal hash functions to detect cheating is introduced, and two efficient secret sharing schemes that employ the functions are proposed and proven to be secure regardless of the probability distribution of the secret.
Abstract: We consider the problem of cheating in secret sharing schemes, cheating in which individuals submit forged shares in the secret reconstruction phase in an effort to make another participant reconstruct an invalid secret. We introduce a novel technique which uses universal hash functions to detect such cheating and propose two efficient secret sharing schemes that employ the functions. The first scheme is nearly optimum with respect to the size of shares; that is, the size of shares is only one bit longer than its existing lower bound. The second scheme possesses a particular merit in that the parameter for the probability of successful cheating can be chosen without regard to the size of the secret. Further, the proposed schemes are proven to be secure regardless of the probability distribution of the secret.

01 Jan 2006
TL;DR: The authors name, construct and specify an implementation for a new cryptographic primitive, “Time-Lapse Cryptography”, with which a sender can encrypt a message so that it is guaranteed to be revealed at an exact moment in the future, even if this revelation turns out to be undesirable to the sender.
Abstract: The notion of “sending a secret message to the future” has been around for over a decade. Despite this, no solution to this problem is in common use, or has even attained widespread acceptance as a fundamental cryptographic primitive. We name, construct and specify an implementation for this new cryptographic primitive, “Time-Lapse Cryptography”, with which a sender can encrypt a message so that it is guaranteed to be revealed at an exact moment in the future, even if this revelation turns out to be undesirable to the sender. Our solution combines new ideas with Pedersen distributed key generation, Feldman verifiable threshold secret sharing, and ElGamal encryption, all of which rest upon the single, broadly accepted Decisional Diffie-Hellman assumption. We develop a Time-Lapse Cryptography Service (“the Service”) based on a network of parties who jointly perform the service. The protocol is practical and secure: at a given time T the Service publishes a public key so that anyone can use it, even anonymously. Senders encrypt their messages with this public key, whose private key is not known to anyone, not even a trusted third party, until a predefined and specific future time T + δ, at which point the private key is constructed and published. At or after that time, anyone can decrypt the ciphertext using this private key. The Service is envisioned as a public utility publishing a continuous stream of encryption keys and subsequent corresponding time-lapse decryption keys. We complement our theoretical foundation with descriptions of specific attacks and defenses, and describe important applications of our service in sealed bid auctions, insider stock sales, clinical trials, and electronic voting. ∗Supported in part by National Science Foundation grant CNS-0205423.

Journal ArticleDOI
TL;DR: Using hardware- and software-based techniques to realize a primitive for externally verifiable code execution.
Abstract: Using hardware- and software-based techniques to realize a primitive for externally verifiable code execution.

Proceedings ArticleDOI
20 Apr 2006
TL;DR: An existing protocol for archival systems is extended to handle more realistic situations: rather than assuming that all recipients of the secret shares are trustworthy, only a majority is required to be trustworthy.
Abstract: Existing protocols for archival systems make use of verifiability of shares in conjunction with a proactive secret sharing scheme to achieve high availability and long term confidentiality, in addition to data integrity. In this paper, we extend an existing protocol (Wong et al. [2002]) to take care of more realistic situations. For example, it is assumed in the protocol of Wong et al. that the recipients of the secret shares are all trustworthy; we relax this by requiring that only a majority is trustworthy.

Patent
12 Jul 2006
TL;DR: A process for handling secret data in an RPID tag: while the tag is with a first holder, a cryptography key protecting the secret data is written, a threshold cryptography share is stored, or an arbitrary value is obtained for an identity-based encryption (IBE) algorithm.
Abstract: A process for handling secret data. In an RPID tag, a cryptography key protecting the secret data is written while with a first holder, a threshold cryptography share is stored, or an arbitrary value is obtained for an identity-based encryption (IBE) algorithm. The cryptography key can then be read and used by a second holder to access the secret data, the threshold cryptography shares can be read and aggregated with other shares to access the secret data, or the arbitrary value can be used as the basis for a public key to protect the secret data and with a corresponding private key to access the secret data.