Showing papers on "Verifiable secret sharing published in 2007"
TL;DR: A scheme to improve authentication ability that prevents dishonest participants from cheating is presented and the arrangement of embedded bits is defined to improve the quality of stego-image.
287 citations
TL;DR: A probabilistic (2,n) scheme for binary images and a deterministic (n,n), which provides a better contrast and significantly smaller recognized areas than other methods and gives an exact reconstruction.
240 citations
TL;DR: A perfect secret sharing scheme for threshold secret sharing in groups with hierarchical structure that uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values.
Abstract: We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group of participants that is partitioned into levels. The access structure is then determined by a sequence of threshold requirements: a subset of participants is authorized if it has at least k0 0 members from the highest level, as well as at least k1 > k0 members from the two highest levels and so forth. Such problems may occur in settings where the participants differ in their authority or level of confidence and the presence of higher level participants is imperative to allow the recovery of the common secret. Even though secret sharing in hierarchical groups has been studied extensively in the past, none of the existing solutions addresses the simple setting where, say, a bank transfer should be signed by three employees, at least one of whom must be a department manager. We present a perfect secret sharing scheme for this problem that, unlike most secret sharing schemes that are suitable for hierarchical structures, is ideal. As in Shamir's scheme, the secret is represented as the free coefficient of some polynomial. The novelty of our scheme is the usage of polynomial derivatives in order to generate lesser shares for participants of lower levels. Consequently, our scheme uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values. A substantial part of our discussion is dedicated to the question of how to assign identities to the participants from the underlying finite field so that the resulting Birkhoff interpolation problem will be well posed. In addition, we devise an ideal and efficient secret sharing scheme for the closely related hierarchical threshold access structures that were studied by Simmons and Brickell.
233 citations
TL;DR: This paper proposes a visual secret sharing scheme that encodes a set of x≥2 secrets into two circle shares such that none of any single share leaks the secrets and the x secrets can be obtained one by one by stacking the first share and the rotated second shares with x different rotation angles.
222 citations
20 May 2007
TL;DR: A homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous, and allows efficient proofs that a committed plaintext is encrypted under a committed key.
Abstract: We present an efficient construction of Yao's "garbled circuits" protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of maliciousadversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit.
Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous(it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key.
Our second tool is a practical four-round (two-round in ROM) protocol for committedoblivious transfer on strings(string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.
196 citations
TL;DR: A practical verifiable multi-secret sharing scheme, which is based on the YCH scheme and the intractability of the discrete logarithm, is proposed in this paper and can be used in practice widely.
103 citations
15 Apr 2007
TL;DR: This paper presents proof sketches, a compact verification mechanism that combines cryptographic signatures and Flajolet-Martin sketches to guarantee acceptable aggregation error bounds with high probability, and evaluates the practical use of proof sketches.
Abstract: A work on distributed, in-network aggregation assumes a benign population of participants. Unfortunately, modern distributed systems are plagued by malicious participants. In this paper we present a first step towards verifiable yet efficient distributed, in-network aggregation in adversarial settings. We describe a general framework and threat model for the problem and then present proof sketches, a compact verification mechanism that combines cryptographic signatures and Flajolet-Martin sketches to guarantee acceptable aggregation error bounds with high probability. We derive proof sketches for count aggregates and extend them for random sampling, which can be used to provide verifiable approximations for a broad class of data-analysis queries, e.g., quantiles and heavy hitters. Finally, we evaluate the practical use of proof sketches, and observe that adversaries can often be reduced to much smaller violations in practice than our worst-case bounds suggest.
95 citations
04 Oct 2007
TL;DR: A new verifiable and coercion-free voting scheme Bingo Voting is presented, which is based on a trusted random number generator, which shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.
Abstract: It is debatable if current direct-recording electronic votingmachines can sufficiently be trusted for a use in elections. Reports about malfunctions and possible ways ofmanipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying.
This work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme.
A proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.
94 citations
TL;DR: In this paper, Asmuth et al. showed that the Chinese remainder theorem can be used for realizing more general access structures, such as the compartmented or the weighted threshold ones.
92 citations
28 Oct 2007
TL;DR: In this article, the authors give a unified account of classical secret sharing goals from a modern cryptographic vantage, including perfect, statistical, and computational secret sharing; static and dynamic adversaries; schemes with or without robustness; schemes where a participant recovers the secret and those where an external party does so.
Abstract: We give a unified account of classical secret-sharing goals from a modern cryptographic vantage. Our treatment encompasses perfect, statistical, and computational secret sharing; static and dynamic adversaries; schemes with or without robustness; schemes where a participant recovers the secret and those where an external party does so. We then show that Krawczyk's 1993 protocol for robust computational secret sharing (RCSS) need not be secure, even in the random-oracle model and for threshold schemes, if the encryption primitive it uses satisfies only one-query indistinguishability (ind1), the only notion Krawczyk defines. Nonetheless, we show that the protocol is secure (in the random-oracle model, for threshold schemes) if the encryption scheme also satisfies one-query key-unrecoverability (key1). Since practical encryption schemes are ind1+key1 secure, our result effectively shows that Krawczyk's RCSS protocol is sound (in the random-oracle model, for threshold schemes). Finally, we prove the security for a variant of Krawczyk's protocol, in the standard model and for arbitrary access structures, assuming ind1 encryption and a statistically-hiding, weakly-binding commitment scheme.
90 citations
Posted Content•
TL;DR: Bingo Voting as mentioned in this paper is a voting scheme based on a trusted random number generator that allows the voter to contribute randomness to the voting scheme, which can be used to avoid vote buying attacks.
Abstract: It is debatable if current direct-recording electronic voting machines can sufficiently be trusted for a use in elections. Reports about malfunctions and possible ways of manipulation abound. Voting schemes have to fulfill seemingly contradictory requirements: On one hand the election process should be verifiable to prevent electoral fraud and on the other hand each vote should be deniable to avoid coercion and vote buying. This work presents a new verifiable and coercion-free voting scheme Bingo Voting, which is based on a trusted random number generator. As a motivation for the new scheme two coercion/vote buying attacks on voting schemes are presented which show that it can be dangerous to let the voter contribute randomness to the voting scheme. A proof-of-concept implementation of the scheme shows the practicality of the scheme: all costly computations can be moved to a non time critical pre-voting phase.
21 Feb 2007
TL;DR: This work constructs public-key obfuscations of a decryption shuffle based on the Boneh-Goh-Nissim (BGN) cryptosystem and a re-encryption shufflebased on the Paillier cryptos system that allow efficient distributed verifiable decryption.
Abstract: We show how to obfuscate a secret shuffle of ciphertexts: shuffling becomes a public operation. Given a trusted party that samples and obfuscates a shuffle before any ciphertexts are received, this reduces the problem of constructing a mix-net to verifiable joint decryption.
We construct public-key obfuscations of a decryption shuffle based on the Boneh-Goh-Nissim (BGN) cryptosystem and a re-encryption shuffle based on the Paillier cryptosystem. Both allow efficient distributed verifiable decryption.
Finally, we give a distributed protocol for sampling and obfuscating each of the above shuffles and show how it can be used in a trivial way to construct a universally composable mix-net. Our constructions are practical when the number of senders N is small, yet large enough to handle a number of practical cases, e.g. N = 350 in the BGN case and N = 2000 in the Paillier case.
TL;DR: This paper investigates how threshold cryptography can be conducted with the Asmuth-Bloom secret sharing scheme and presents three novel function sharing schemes for RSA, ElGamal and Paillier cryptosystems, believed to be the first provably secure threshold cryptosSystems realized using the AsMuth- Bloom secret sharing.
10 Apr 2007
TL;DR: A protocol for creating an out-of-band channel with visible laser light that is secure against man-in-the-middle attacks even when the laser transmission is not confidential is presented.
Abstract: Securing wireless channels necessitates authenticating communication partners. For spontaneous interaction, authentication must be efficient and intuitive. One approach to create interaction and authentication methods that scale to using hundreds of services throughout the day is to rely on personal, trusted, mobile devices to interact with the environment. Authenticating the resulting device-to-device interactions requires an out-of-band channel that is verifiable by the user. We present a protocol for creating such an out-of-band channel with visible laser light that is secure against man-in-the-middle attacks even when the laser transmission is not confidential. A prototype implementation shows that an appropriate laser channel can be constructed with simple off-the-shelf components
16 Apr 2007
TL;DR: A HVZK argument based on homomorphic integer commitments is suggested, which improves both on round complexity, communication complexity and computational complexity when shuffling large ciphertexts in comparison with state of the art.
Abstract: A shuffle is a permutation and rerandomization of a set of ciphertexts. Among other things, it can be used to construct mix-nets that are used in anonymization protocols and voting schemes. While shuffling is easy, it is hard for an outsider to verify that a shuffle has been performed correctly. We suggest two efficient honest verifier zero-knowledge (HVZK) arguments for correctness of a shuffle. Our goal is to minimize round-complexity and at the same time have low communicational and computational complexity.
The two schemes we suggest are both 3-move HVZK arguments for correctness of a shuffle. We first suggest a HVZK argument based on homomorphic integer commitments, and improve both on round complexity, communication complexity and computational complexity in comparison with state of the art. The second HVZK argument is based on homomorphic commitments over finite fields. Here we improve on the computational complexity and communication complexity when shuffling large ciphertexts.
TL;DR: A scheme of multiparty quantum secret sharing of classical messages (QSSCM), in which no subset of all the classical message receivers is sufficient to extract the sender’s secret classical messages but all the parties cooperate together, is proposed.
05 Feb 2007
TL;DR: In this article, a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties is presented and instantiated using an existing pairing-based accumulator and a new signature scheme.
Abstract: Known compact e-cash schemes are constructed from signature schemes with efficient protocols and verifiable random functions. In this paper, we introduce a different approach. We construct compact e-cash schemes from bounded accumulators. A bounded accumulator is an accumulator with a limit on the number of accumulated values. We show a generic construction of compact e-cash schemes from bounded accumulators and signature schemes with certain properties and instantiate it using an existing pairing-based accumulator and a new signature scheme. Our scheme revokes the secret key of the double-spender directly and thus supports more efficient coin tracing. The new signature scheme has an interesting property that is has the message space of a cyclic group $\mathbb{G}_1$ equipped with a bilinear pairing, with efficient protocol to show possession of a signature without revealing the signature nor the message. We show that the new scheme is secure in the generic group model. The new signature scheme may be of independent interest.
20 May 2007
TL;DR: The application of discrete polymatroids to secret sharing is proved to be a powerful tool to study the properties of multipartite matroids and achieves a complete characterization of ideal tripartite access structures, which was until now an open problem.
Abstract: Multipartite secret sharing schemes are those having a multipartite access structure, in which the set of participants is divided into several parts and all participants in the same part play an equivalent role. Several particular families of multipartite schemes, such as the weighted threshold schemes, the hierarchical and the compartmented schemes, and the ones with bipartite or tripartite access structure have been considered in the literature. The characterization of the access structures of ideal secret sharing schemes is one of the main open problems in secret sharing. In this work, the characterization of ideal multipartite access structures is studied with all generality. Our results are based on the well-known connections between ideal secret sharing schemes and matroids. One of the main contributions of this paper is the application of discrete polymatroids to secret sharing. They are proved to be a powerful tool to study the properties of multipartite matroids. In this way, we obtain some necessary conditions and some sufficient conditions for a multipartite access structure to be ideal.
Our results can be summarized as follows. First, we present a characterization of matroid-related multipartite access structures in terms of discrete polymatroids. As a consequence of this characterization, a necessary condition for a multipartite access structure to be ideal is obtained. Second, we use linear representations of discrete polymatroids to characterize the linearly representable multipartite matroids. In this way we obtain a sufficient condition for a multipartite access structure to be ideal. Finally, we apply our general results to obtain a complete characterization of ideal tripartite access structures, which was until now an open problem.
05 Jun 2007
TL;DR: This paper proposes a protocol for private set intersection in the information-theoretic model that correctly computes the intersection of nsets, and reveals no other information than what is implied by the intersection and the secrets sets controlled by the active adversary.
Abstract: Existing protocols for private set intersection are based on homomorphic public-key encryption and the technique of representing sets as polynomials in the cryptographic model. Based on the ideas of these protocols and the two-dimensional verifiable secret sharing scheme, we propose a protocol for private set intersection in the information-theoretic model. By representing the sets as polynomials, the set intersection problem is converted into the task of computing the common roots of the polynomials. By sharing the coefficients of the polynomials among parties, the common roots can be computed out using the shares. As long as more than 2n/3 parties are semi-honest, our protocol correctly computes the intersection of nsets, and reveals no other information than what is implied by the intersection and the secrets sets controlled by the active adversary. This is the first specific protocol for private set intersection in the information-theoretic model as far as we know.
05 Jun 2007
TL;DR: This work extends the existing CDS protocols to work over additively homomorphic cryptosystems for every set from NP/ poly and derives a new oblivious transfer protocol with log-squared communication and a millionaire's protocol withlogarithmic communication.
Abstract: Many protocols that are based on homomorphic encryption are private only if a client submits inputs from a limited range $\mathcal{S}$. Conditional disclosure of secrets (CDS) helps to overcome this restriction. In a CDS protocol for a set $\mathcal{S}$, the client obtains server's secret if and only if the client's inputs belong to $\mathcal{S}$ and thus the server can guard itself against malformed queries. We extend the existing CDS protocols to work over additively homomorphic cryptosystems for every set from NP/ poly . The new construction is modular and easy to apply. As an example, we derive a new oblivious transfer protocol with log-squared communication and a millionaire's protocol with logarithmic communication. We also implement private, universally verifiable and robust multi-candidate electronic voting so that all voters only transmit an encryption of their vote. The only hardness assumption in all these protocols is that the underlying public-key cryptosystem is IND-CPA secure and the plaintext order does not have small factors.
TL;DR: This Letter shows that any subgroup consisting of evil cooperative parties can successfully cheat other parties to obtain the secret message without being detected and improves the original Yan-Gao protocol such that the insider's cheats are prevented.
02 Jul 2007
TL;DR: This paper presents a security model for convertible undeniable signature schemes, and a new construction from bilinear pairings, which is both selectively and universally convertible and as short as BLS signature.
Abstract: Undeniable signatures, introduced by Chaum and van Antwerpen, is a useful cryptography primitive to limit the publicly verifiable property of ordinary digital signatures. In an undeniable signature scheme, the validity or invalidity of the signature can only be verified via the confirmation/disavowal protocol with the help of the signer. An extended concept, convertible undeniable signatures, was introduced by Boyar, Chaum, Damgard and Pedersen. In the new concept, the signer can publish some selective proofs to convert one or more undeniable signatures into publicly verifiable ones, or issue a universal proof to make all his undeniable signatures publicly verifiable. In this paper, we first present a security model for convertible undeniable signature schemes, and then propose a new construction from bilinear pairings. Compared with the other schemes in the literature, the new construction has three advantages: Our scheme is both selectively and universally convertible; the signature length of our scheme is as short as BLS signature; meanwhile, all the security properties are formally proven under some conventional assumptions in the random oracle model.
04 Dec 2007
TL;DR: This paper proposes and prototype a mechanism for ensuring confidentiality and authenticity of broadcast data in single-hop networks, and incorporates the security scheme into Deluge, the de facto network programming protocol in TinyOS, and quantifies the cost in terms of Broadcast data transfer time and node memory space on a TelosB mote based platform.
Abstract: Wireless sensor networks need broadcast for operations such as software updates, network queries, and command dissemination. Alongside ensuring authenticity of the source and data, keeping the broadcast data secret is vital in certain applications such as battlefield control, emergency response, and natural resource management. In this paper we propose and prototype a mechanism for ensuring confidentiality and authenticity of broadcast data in single-hop networks, and discuss possible extensions to multi-hop settings. Our scheme uses known low-complexity symmetric encryption techniques for confidentiality, while changing the encryption key on a per-packet basis in a verifiable but non-forgeable way to ensure authenticity. Message integrity, freshness, and semantic security are also provided, and the broadcast data can be dynamic and incrementally processed. We incorporate our security scheme into Deluge, the de facto network programming protocol in TinyOS, and quantify the cost in terms of broadcast data transfer time and node memory space on a TelosB mote based platform.
TL;DR: A graph G n on n vertices with average information rate below < 4/log n is constructed by determining, up to a constant factor, theaverage information rate of the d -dimensional cube.
Abstract: Given a graph G , a perfect secret sharing scheme based on G is a method to distribute a secret data among the vertices of G , the participants , so that a subset of participants can recover the secret if they contain an edge of G , otherwise they can obtain no information regarding the key. The average information rate is the ratio of the size of the secret and the average size of the share a participant must remember. The information rate of G is the supremum of the information rates realizable by perfect secret sharing schemes.Based on the entropy-theoretical arguments due to Capocelli et al [4], and extending the results of M. van Dijk [7] and Blundo et al [2], we construct a graph G n on n vertices with average information rate below < 4/log n . We obtain this result by determining, up to a constant factor, the average information rate of the d -dimensional cube.
Proceedings Article•
[...]
TL;DR: Group encryption as discussed by the authors is the encryption analogue of group signature, which is useful whenever a recipient (decryptor) within a group of legitimate receivers and possesses similar verifiability, security and privacy properties as group signature.
Abstract: We present group encryption, a new cryptographic primitive which is the encryption analogue of a group signature. It possesses similar verifiability, security and privacy properties, but whereas a group signature is useful whenever we need to conceal the source (signer) within a group of legitimate users, a group encryption is useful whenever we need to conceal a recipient (decryptor) within a group of legitimate receivers.
We introduce and model the new primitive and present sufficient as well as necessary conditions for its generic implementation. We then develop an efficient novel number theoretic construction for group encryption of discrete logarithms whose complexity is independent of the group size. As part of achieving this we construct a new public-key encryption for discrete logarithms that satisfies CCA2-key-privacy and CCA2- security in the standard model (this gives the first Pailler-based system with the above two properties proven in the standard model).
Applications of group encryption include settings where a user wishes to hide her preferred trusted third party or even impose a hidden hierarchy of trusted parties while being required to assure well-formed ciphertexts, as well as oblivious storage settings where the set of retrievers need to be verifiable but the storage distribution should be oblivious to the server.
09 Dec 2007
TL;DR: This work investigates an extension of the k-secret sharing scheme, in which the secret components are changed on the fly, independently and without (internal) communication, as a reaction to a global external trigger.
Abstract: Secret sharing is a basic fundamental cryptographic task. Motivated by the virtual automata abstraction and swarm computing, we investigate an extension of the k-secret sharing scheme, in which the secret components are changed on the fly, independently and without (internal) communication, as a reaction to a global external trigger. The changes are made while maintaining the requirement that k or more secret shares may reveal the secret and no k - 1 or fewer reveal the secret.
The application considered is a swarm of mobile processes, each maintaining a share of the secret which may change according to common outside inputs e.g., inputs received by sensors attached to the process.
The proposed schemes support addition and removal of processes from the swarm as well as corruption of a small portion of the processes in the swarm.
TL;DR: A protocol of quantum secret sharing between multiparty and multiparty with four states was presented and it was shown that this protocol can nullify the Trojan horse attack with a multi-photon signal, the fake-signal attack with Einstein-Podolsky-Rosen pairs, and the attack with invisible photons.
Abstract: A protocol of quantum secret sharing between multiparty and multiparty with four states was presented. It was shown that this protocol can nullify the Trojan horse attack with a multi-photon signal, the fake-signal attack with Einstein-Podolsky-Rosen pairs, the attack with single photons, and the attack with invisible photons. In addition, the upper bounds of the average success probabilities were given for dishonest agent eavesdropping encryption using the fake-signal attack with any two-particle entangled states.
TL;DR: An (n,n) threshold quantum secret sharing scheme of secure direct communication using Greenberger-Horne-Zeilinger state and teleportation and it is shown this scheme is secure for noise quantum channel.
Abstract: We present an (n,n) threshold quantum secret sharing scheme of secure direct communication using Greenberger-Horne-Zeilinger state and teleportation. After ensuring the security of the quantum channel, the sender encodes the secret message directly on a sequence of particle states and transmits it to the receivers by teleportation. The receivers can recover the secret message by combining their measurement results with the sender's result. If a perfect quantum channel is used, our scheme is completely secure because the transmitting particle sequence does not carry the secret message. We also show our scheme is secure for noise quantum channel.
21 Feb 2007
TL;DR: A generalization of the result by Brickell and Davenport by proving that, if the information rate of a secret sharing scheme is greater than 2/3, then its access structure is matroid-related, which generalizes several results that were obtained for particular families of access structures.
Abstract: One of the main open problems in secret sharing is the characterization of the access structures of ideal secret sharing schemes. As a consequence of the results by Brickell and Davenport, every one of those access structures is related in a certain way to a unique matroid.
Matroid ports are combinatorial objects that are almost equivalent to matroid-related access structures. They were introduced by Lehman in 1964 and a forbidden minor characterization was given by Seymour in 1976. These and other subsequent works on that topic have not been noticed until now by the researchers interested on secret sharing.
By combining those results with some techniques in secret sharing, we obtain new characterizations of matroid-related access structures. As a consequence, we generalize the result by Brickell and Davenport by proving that, if the information rate of a secret sharing scheme is greater than 2/3, then its access structure is matroid-related. This generalizes several results that were obtained for particular families of access structures.
In addition, we study the use of polymatroids for obtaining upper bounds on the optimal information rate of access structures. We prove that every bound that is obtained by this technique for an access structure applies to its dual structure as well.
Finally, we present lower bounds on the optimal information rate of the access structures that are related to two matroids that are not associated with any ideal secret sharing scheme: the Vamos matroid and the non-Desargues matroid.
TL;DR: The syntax and semantics of network code is presented, how to implement different scheduling policies, and how to use tools such as model checking to formally verify the properties ofnetwork code programs are presented.
Abstract: Distributed hard real-time systems require predictable communication at the network level and verifiable communication behavior at the application level. At the network level, communication between nodes must be guaranteed to happen within bounded time and one common approach is to restrict the network access by enforcing a time-division multiple access (TDMA) schedule. At the application level, the application's communication behavior should be verified to ensure that the application uses the predictable communication in the intended way. Network code is a domain-specific programming language to write a predictable verifiable distributed communication for distributed real-time applications. In this paper, we present the syntax and semantics of network code, how we can implement different scheduling policies, and how we can use tools such as model checking to formally verify the properties of network code programs. We also present an implementation of a runtime system for executing network code on top of RTLinux and measure the overhead incurred from the runtime system.