scispace - formally typeset

Showing papers on "Verifiable secret sharing" published in 2011


Book ChapterDOI
14 Aug 2011
TL;DR: In this article, the problem of computing on large datasets that are stored on an untrusted server was studied, and the first practical verifiable computation scheme for high degree polynomial functions was presented.
Abstract: We study the problem of computing on large datasets that are stored on an untrusted server. We follow the approach of amortized verifiable computation introduced by Gennaro, Gentry, and Parno in CRYPTO 2010. We present the first practical verifiable computation scheme for high degree polynomial functions. Such functions can be used, for example, to make predictions based on polynomials fitted to a large number of sample points in an experiment. In addition to the many noncryptographic applications of delegating high degree polynomials, we use our verifiable computation scheme to obtain new solutions for verifiable keyword search, and proofs of retrievability. Our constructions are based on the DDH assumption and its variants, and achieve adaptive security, which was left as an open problem by Gennaro et al (albeit for general functionalities). Our second result is a primitive which we call a verifiable database (VDB). Here, a weak client outsources a large table to an untrusted server, and makes retrieval and update queries. For each query, the server provides a response and a proof that the response was computed correctly. The goal is to minimize the resources required by the client. This is made particularly challenging if the number of update queries is unbounded. We present a VDB scheme based on the hardness of the subgroup membership problem in composite order bilinear groups.

351 citations


Proceedings ArticleDOI
17 Oct 2011
TL;DR: A relatively efficient and general solution where the client delegates the computation to several servers, and is guaranteed to determine the correct answer as long as even a single server is honest.
Abstract: The current move to Cloud Computing raises the need for verifiable delegation of computations, where a weak client delegates his computation to a powerful server, while maintaining the ability to verify that the result is correct. Although there are prior solutions to this problem, none of them is yet both general and practical for real-world use. We demonstrate a relatively efficient and general solution where the client delegates the computation to several servers, and is guaranteed to determine the correct answer as long as even a single server is honest. We show: A protocol for any efficiently computable function, with logarithmically many rounds, based on any collision-resistant hash family. The protocol is set in terms of Turing Machines but can be adapted to other computation models. An adaptation of the protocol for the X86 computation model and a prototype implementation, called Quin, for Windows executables. We describe the architecture of Quin and experiment with several parameters on live clouds. We show that the protocol is practical, can work with nowadays clouds, and is efficient both for the servers and for the client.

159 citations


Journal ArticleDOI
TL;DR: An efficient (n+1, n+1) multi-secret image sharing scheme based on Boolean-based VSS is proposed to not only keep the secret images confidential but also increase the capacity of sharing multiple secrets.

134 citations


Journal ArticleDOI
TL;DR: This paper presents a k-threshold computational secret sharing technique that distributes a secret S into shares of size |S|/(k-1), where |S| denotes the secret size, and can be looked upon as a new information dispersal scheme that provides near optimal space efficiency.

88 citations


Proceedings ArticleDOI
22 Oct 2011
TL;DR: In this paper, the authors considered the problem of how to store a value secretly on multiple devices that continually leak information about their internal state to an external attacker, and they constructed a sharing scheme for two devices, where a constant fraction of the internal state of each device can leak in between and during updates.
Abstract: We consider the question of how to store a value secretly on devices that continually leak information about their internal state to an external attacker. If the secret value is stored on a single device from which it is efficiently retrievable, and the attacker can leak even a single predicate of the internal state of that device, then she may learn some information about the secret value itself. Therefore, we consider a setting where the secret value is shared between multiple devices (or multiple components of a single device), each of which continually leaks arbitrary adaptively chosen predicates of its individual state. Since leakage is continual, each device must also continually update its state so that an attacker cannot just leak it entirely one bit at a time. In our model, the devices update their state individually and asynchronously, without any communication between them. The update process is necessarily randomized, and its randomness can leak as well. As our main result, we construct a sharing scheme for two devices, where a constant fraction of the internal state of each device can leak in between and during updates. Our scheme has the structure of a public-key encryption, where one share is a secret key and the other is a ciphertext. As a contribution of independent interest, we also get public-key encryption in the continual leakage model, introduced by Brakerski et al. and Dodis et al. (FOCS '10). This scheme tolerates continual leakage on the secret key and the updates, and simplifies the recent construction of Lewko, Lewko and Waters (STOC '11). For our main result, we show how to update the ciphertexts of the encryption scheme so that the message remains hidden even if an attacker interleaves leakage on secret key and ciphertext shares. The security of our scheme is based on the linear assumption in prime-order bilinear groups.
We also provide an extension to general access structures realizable by linear secret sharing schemes across many devices. The main advantage of this extension is that the state of some devices can be compromised entirely, while that of all the remaining devices is susceptible to continual leakage. Lastly, we show impossibility of information theoretic sharing schemes in our model, where continually leaky devices update their state individually.

77 citations


Book ChapterDOI
04 Dec 2011
TL;DR: In this paper, it was shown that homomorphism of commitments is not a necessity for computational verifiable secret sharing in the synchronous or in the asynchronous communication model, and the first two-round VSS scheme for n≥2t+1 was presented.
Abstract: Verifiable secret sharing (VSS) is an important primitive in distributed cryptography that allows a dealer to share a secret among n parties in the presence of an adversary controlling at most t of them. In the computational setting, the feasibility of VSS schemes based on commitments was established over two decades ago. Interestingly, all known computational VSS schemes rely on the homomorphic nature of these commitments or achieve weaker guarantees. As homomorphism is not inherent to commitments or to the computational setting in general, a closer look at its utility to VSS is called for. In this work, we demonstrate that homomorphism of commitments is not a necessity for computational VSS in the synchronous or in the asynchronous communication model. We present new VSS schemes based only on the definitional properties of commitments that are almost as good as the existing VSS schemes based on homomorphic commitments. Importantly, they have significantly lower communication complexities than their (statistical or perfect) unconditional counterparts. Further, in the synchronous communication model, we observe that a crucial interactive complexity measure of round complexity has never been formally studied for computational VSS. Interestingly, for the optimal resiliency conditions, the least possible round complexity in the known computational VSS schemes is identical to that in the (statistical or perfect) unconditional setting: three rounds. Considering the strength of the computational setting, this equivalence is certainly surprising. In this work, we show that three rounds are actually not mandatory for computational VSS. We present the first two-round VSS scheme for n≥2t+1 and lower-bound the result tightly by proving the impossibility of one-round computational VSS for t≥2 or n≤3t. 
We also include a new two-round VSS scheme using homomorphic commitments that has the same communication complexity as the well-known three-round Feldman and Pedersen VSS schemes.

69 citations


Journal ArticleDOI
TL;DR: The smooth scalability in (k, n)-SSIS scheme is considered so that the information amount can be ''smoothly'' proportional to the number of shadows.

64 citations


Journal ArticleDOI
TL;DR: A general model for this kind of quantum secret sharing with single photons is given and the conditions that make it immune to all the present attacks are analyzed.
Abstract: The security of a kind of quantum secret sharing with single photons was analyzed recently, and it was shown that almost all the present schemes in this kind were not secure in the sense that an unauthorized set of participants can gain access to the dealer's secret without introducing any error. In this paper, we give a general model for this kind of quantum secret sharing. Then we analyze the conditions that make it immune to all the present attacks. Finally, we give a feasible way to design secure quantum secret sharing schemes in the model.

55 citations


Journal ArticleDOI
TL;DR: It is proved that in the multiparty case it is possible to construct a single mechanism that works for all (polynomial) utility functions and shown that the known protocols for rational secret sharing that do not assume simultaneous channels all suffer from the problem that one of the parties can cause the others to output an incorrect value.
Abstract: The problem of carrying out cryptographic computations when the participating parties are rational in a game-theoretic sense has recently gained much attention. One problem that has been studied considerably is that of rational secret sharing. In this setting, the aim is to construct a mechanism (protocol) so that parties behaving rationally have incentive to cooperate and provide their shares in the reconstruction phase, even if each party prefers to be the only one to learn the secret. Although this question was only recently asked by Halpern and Teague (STOC 2004), a number of works with beautiful ideas have been presented to solve this problem. However, they all have the property that the protocols constructed need to know the actual utility values of the parties (or at least a bound on them). This assumption is very problematic because the utilities of parties are not public knowledge. We ask whether this dependence on the actual utility values is really necessary and prove that in the case of two parties, rational secret sharing cannot be achieved without it. On the positive side, we show that in the multiparty case it is possible to construct a single mechanism that works for all (polynomial) utility functions. Our protocol has an expected number of rounds that is constant, and is optimally resilient to coalitions. In addition to the above, we observe that the known protocols for rational secret sharing that do not assume simultaneous channels all suffer from the problem that one of the parties can cause the others to output an incorrect value. (This problem arises when a party gains higher utility by having another output an incorrect value than by learning the secret itself; we argue that such a scenario needs to be considered.) We show that this problem is inherent in the non-simultaneous channels model, unless the actual values of the parties’ utilities from this attack are known, in which case it is possible to prevent this from happening.

55 citations


Journal ArticleDOI
TL;DR: It is shown that encoding 3D models using lossless data compression algorithms prior to secret sharing helps reduce share sizes and remove redundancies and patterns that possibly ease cryptanalysis.
Abstract: In this paper, we propose two secret sharing approaches for 3D models using Blakely and Thien and Lin schemes. We show that encoding 3D models using lossless data compression algorithms prior to secret sharing helps reduce share sizes and remove redundancies and patterns that possibly ease cryptanalysis. The proposed approaches provide a higher tolerance against data corruption/loss than existing 3D protection mechanisms, such as encryption. Experimental results are provided to demonstrate the secrecy and safety of the proposed schemes. The feasibility of the proposed algorithms is demonstrated on various 3D models.

54 citations


Journal ArticleDOI
TL;DR: Based on Lagrange interpolation formula and the post-verification mechanism, it is shown how to construct a verifiable quantum (k,n) threshold secret key sharing scheme that can resist the fraud of the dealer who generates and distributes fake shares among the participants during the secret distribution phase.
Abstract: Based on Lagrange interpolation formula and the post-verification mechanism, we show how to construct a verifiable quantum (k,n) threshold secret key sharing scheme. Compared with the previous secret sharing protocols, ours has the merits: (i) it can resist the fraud of the dealer who generates and distributes fake shares among the participants during the secret distribution phase; most importantly, (ii) it can check the cheating of the dishonest participant who provides a false share during the secret reconstruction phase such that the authorized group cannot recover the correct secret.

Posted Content
TL;DR: Delegatable Homomorphic Encryption (DHE) as mentioned in this paper allows a trusted authority to control/delegate the capability to evaluate circuits over encrypted data to untrusted workers/evaluators by issuing tokens.
Abstract: In this work we propose a new cryptographic primitive called Delegatable Homomorphic Encryption (DHE). This allows a Trusted Authority to control/delegate the capability to evaluate circuits over encrypted data to untrusted workers/evaluators by issuing tokens. This primitive can be both seen as a public-key counterpart to Verifiable Computation, where input generation and output verification are performed by different entities, or as a generalisation of Fully Homomorphic Encryption enabling control over computations on encrypted data. Our primitive comes with a series of extra features as follows: 1) there is a one-time setup procedure for all circuits; 2) senders do not need to be aware of the functions which will be evaluated on the encrypted data, nor do they need to register keys; 3) tokens are independent of senders and receiver; and 4) receivers are able to verify the correctness of computation given short auxiliary information on the input data and the function, independently of the complexity of the computed circuit. We give a modular construction of such a DHE scheme from three components: Fully Homomorphic Encryption (FHE), Functional Encryption (FE), and a (customised) MAC. As a stepping stone, we first define Verifiable Functional Encryption (VFE), and then show how one can build a secure DHE scheme from a VFE and an FHE scheme. We also show how to build the required VFE from a standard FE together with a MAC scheme. All our results hold in the standard model. Finally, we show how one can build a verifiable computation (VC) scheme generically from a DHE. As a corollary, we get the first VC scheme which remains verifiable even if the attacker can observe verification results.

Book ChapterDOI
14 Aug 2011
TL;DR: A novel paradigm for constructing asymptotically good arithmetic secret sharing schemes from towers of algebraic function fields is constructed based on a new limit that gives information on the cardinality of the l-torsion sub-groups of the associated degree-zero divisor class groups and that the author believes is of independent interest.
Abstract: An (n, t, d, n-t)-arithmetic secret sharing scheme (with uniformity) for Fqk over Fq is an Fq-linear secret sharing scheme where the secret is selected from Fqk and each of the n shares is an element of Fq. Moreover, there is t-privacy (in addition, any t shares are uniformly random in Fqt) and, if one considers the d-fold "component-wise" product of any d sharings, then the d-fold component-wise product of the d respective secrets is (n - t)-wise uniquely determined by it. Such schemes are a fundamental primitive in information-theoretically secure multiparty computation. Perhaps counter-intuitively, secure multi-party computation is a very powerful primitive for communication-efficient two-party cryptography, as shown recently in a series of surprising results from 2007 on. Moreover, the existence of asymptotically good arithmetic secret sharing schemes plays a crucial role in their communication-efficiency: for each d ≥ 2, if A(q) > 2d, where A(q) is Ihara's constant, then there exists an infinite family of such schemes over Fq such that n is unbounded, k = Ω(n) and t = Ω(n), as follows from a result at CRYPTO'06. Our main contribution is a novel paradigm for constructing asymptotically good arithmetic secret sharing schemes from towers of algebraic function fields. It is based on a new limit that, for a tower with a given Ihara limit and given positive integer l, gives information on the cardinality of the l-torsion sub-groups of the associated degree-zero divisor class groups and that we believe is of independent interest. As an application of the bounds we obtain, we relax the condition A(q) > 2d from the CRYPTO'06 result substantially in terms of our torsion-limit. As a consequence, this result now holds over nearly all finite fields Fq. For example, if d=2, it is sufficient that q = 8,9 or q ≥ 16.

Journal ArticleDOI
TL;DR: The proposed protocol for member expansion in quantum ( t,n ) threshold secret sharing schemes has the advantage of joining new participants agilely.

Journal ArticleDOI
TL;DR: The qubit efficiency has further improved by removing the photons the dealer has to hold in Shi et al.'s protocol, and an insider attack is also prevented in the proposed scheme.

Book ChapterDOI
14 Feb 2011
TL;DR: A machine-checked proof of OAEP's security against adaptive chosen-ciphertext attacks under the assumption that the underlying permutation is partial-domain one-way is presented.
Abstract: OAEP is a widely used public-key encryption scheme based on trapdoor permutations. Its security proof has been scrutinized and amended repeatedly. Fifteen years after the introduction of OAEP, we present a machine-checked proof of its security against adaptive chosen-ciphertext attacks under the assumption that the underlying permutation is partial-domain one-way. The proof can be independently verified by running a small and trustworthy proof checker and fixes minor glitches that have subsisted in published proofs. We provide an overview of the proof, highlight the differences with earlier works, and explain in some detail a crucial step in the reduction: the elimination of indirect queries made by the adversary to random oracles via the decryption oracle. We also provide--within the limits of a conference paper--a broader perspective on independently verifiable security proofs.

Journal ArticleDOI
TL;DR: In this paper, the authors present a model of optimal contracting between a purchaser and a provider of health services when quality has two dimensions, and the main result is that setting the price equal to the marginal benefit of the verifiable quality dimension can be optimal even if the two quality dimensions are substitutes.
Abstract: We present a model of optimal contracting between a purchaser and a provider of health services when quality has two dimensions. We assume that: (i) the provider is (at least to some extent) altruistic; (ii) one dimension of quality is verifiable (dimension 1) and one dimension is not verifiable (dimension 2); (iii) the two quality dimensions can be either substitutes or complements. Our main result is that setting the price equal to the marginal benefit of the verifiable quality dimension can be optimal even if the two quality dimensions are substitutes.

Journal ArticleDOI
TL;DR: The authors prove that the proposed scheme is a secure PVSS scheme using the random oracle model and under the bilinear Diffie-Hellman assumption.
Abstract: A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme with the special property that anyone is able to verify the shares whether they are correctly distributed by a dealer. PVSS plays an important role in many applications such as electronic voting, payment systems with revocable anonymity, and key escrow. Up to now, all PVSS schemes are based on the traditional public-key systems. Recently, the pairing-based cryptography has received much attention from cryptographic researchers. Many pairing-based schemes and protocols have been proposed. However, no PVSS scheme using bilinear pairings is proposed. This paper presents the first pairing-based PVSS scheme. In the random oracle model and under the bilinear Diffie-Hellman assumption, the authors prove that the proposed scheme is a secure PVSS scheme.

Posted Content
TL;DR: In this article, the authors extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios.
Abstract: The wide variety of small, computationally weak devices, and the growing number of computationally intensive tasks makes it appealing to delegate computation to data centers. However, outsourcing computation is useful only when the returned result can be trusted, which makes verifiable computation (VC) a must for such scenarios. In this work we extend the definition of verifiable computation in two important directions: public delegation and public verifiability, which have important applications in many practical delegation scenarios. Yet, existing VC constructions based on standard cryptographic assumptions fail to achieve these properties. As the primary contribution of our work, we establish an important (and somewhat surprising) connection between verifiable computation and attribute-based encryption (ABE), a primitive that has been widely studied. Namely, we show how to construct a VC scheme with public delegation and public verifiability from any ABE scheme. The VC scheme verifies any function in the class of functions covered by the permissible ABE policies (currently Boolean formulas). This scheme enjoys a very efficient verification algorithm that depends only on the output size. Efficient delegation, however, requires the ABE encryption algorithm to be cheaper than the original function computation. Strengthening this connection, we show a construction of a multi-function verifiable computation scheme from an ABE scheme with outsourced decryption, a primitive defined recently by Green, Hohenberger and Waters (USENIX Security 2011). A multi-function VC scheme allows the verifiable evaluation of multiple functions on the same preprocessed input. In the other direction, we also explore the construction of an ABE scheme from verifiable computation protocols.

Journal ArticleDOI
TL;DR: In this article, the authors show how to construct a quantum (k, n) threshold scheme without the assistance of a trusted party, who generates and distributes shares among the participants, instead, each participant chooses his private state and contributes the same to the determination of the final secret quantum state.
Abstract: In a conventional quantum (k, n) threshold scheme, a trusted party shares a secret quantum state with n participants such that any k of those participants can cooperate to recover the original secret, while fewer than k participants obtain no information about the secret. In this paper we show how to construct a quantum (k, n) threshold scheme without the assistance of a trusted party, who generates and distributes shares among the participants. Instead, each participant chooses his private state and contributes the same to the determination of the final secret quantum state.

Journal ArticleDOI
TL;DR: This paper proposes an ideal linear multi-secret sharing scheme, based on monotone span programs, where each subset of the set of participants may have the associated secret.

Book ChapterDOI
Tolga Acar, Lan Nguyen
06 Mar 2011
TL;DR: The proposed accumulator method extends the BC-CKLS scheme to create a new provably secure revocable delegatable anonymous credential (RDAC) system.
Abstract: This paper introduces and formalizes homomorphic proofs that allow 'adding' proofs and proof statements to get a new proof of the 'sum' statement. Additionally, we introduce a construction of homomorphic proofs, and show an accumulator scheme with delegatable non-membership proofs (ADNMP) as one of its applications with provable security. Finally, the proposed accumulator method extends the BC-CKLS scheme [1] to create a new provably secure revocable delegatable anonymous credential (RDAC) system. Intuitively, the new accumulator's delegatable non-membership (NM) proofs enable user A, without revealing her identity, to delegate to user B the ability to prove that A's identity is not included in a blacklist that can later be updated. The delegation is redelegatable, unlinkable, and verifiable.

Patent
13 Jun 2011
TL;DR: In this paper, a series of secret encryption keys is generated, where each key in the series is associated with a different epoch, and a token tracking table is initialized, where the entry for each encrypted paid token includes information specifying that the token has not yet been spent.
Abstract: Users make online purchases using a virtual currency. A series of secret encryption keys is generated, where each key in the series is associated with a different epoch. A token tracking table is initialized. Whenever real currency is received from a user wanting to purchase tokens, a semantically secure encryption method is used in conjunction with the secret encryption key in the series that is associated with the current epoch to generate a set of encrypted tokens which includes one or more encrypted paid tokens. The set of encrypted tokens is sent to the user wanting to purchase tokens, and each encrypted paid token in the set is entered into the token tracking table, where the entry for each encrypted paid token includes information specifying that the token has not yet been spent and has not yet been encashed.

Journal ArticleDOI
TL;DR: This paper proposes a meaningful secret-sharing scheme which includes both authentication and remedy abilities that allow for detection of the corrupted area and use of the hidden information to repair the secret image with reasonable visual quality.

Book ChapterDOI
05 Jul 2011
TL;DR: In this article, the authors show that the original description of the probabilistic homomorphic encryption scheme is incorrect, because it can result in ambiguous decryption of ciphertexts.
Abstract: In 1994, Josh Benaloh proposed a probabilistic homomorphic encryption scheme, enhancing the poor expansion factor provided by Goldwasser and Micali's scheme. Since then, numerous papers have taken advantage of Benaloh's homomorphic encryption function, including voting schemes, private multi-party trust computation, non-interactive verifiable secret sharing, online poker. In this paper we show that the original description of the scheme is incorrect, because it can result in ambiguous decryption of ciphertexts. Then we show on several applications that a bad choice in the key generation phase of Benaloh's scheme has a real impact on the behaviour of the application. For instance in an e-voting protocol, it can inverse the result of an election. Our main contribution is a corrected description of the scheme (we provide a complete proof of correctness). Moreover we also compute the probability of failure of the original scheme. Finally we show how to formulate the security of the corrected scheme in a generic setting suitable for several homomorphic encryptions.

Journal ArticleDOI
TL;DR: This paper proposes visual cryptographic schemes that are able to encode two or four secrets into two rectangular shares and up to eight secrets into two square shares such that the secrets cannot be obtained from any single share, whereas they are revealed by stacking the two shares under various combinations of turning or flipping operations.

Journal ArticleDOI
TL;DR: It is shown that the first agent and the last one can gain access to the dealer's secret if they collaborate in this protocol, and this protocol does not satisfy the security requirement of quantum secret sharing.

Posted Content
TL;DR: In this article, the authors consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest.
Abstract: Consider a weak client that wishes to delegate computation to an untrusted server and be able to succinctly verify the correctness of the result, all within one round of interaction. We provide solutions for two relaxed variants of this problem. Specifically: We consider a model where the client delegates the computation to two or more servers, and is guaranteed to output the correct answer as long as even a single server is honest. We call this model Refereed Delegation of Computation (RDoC). In this model, we show a 1-round unconditionally statistically sound protocol for any log-space uniform NC circuit. In contrast, all known one-round delegation protocols with a single server are only computationally sound. We consider a model with a non-succinct offline stage and public verifiability. (Previously, this model was considered only with private verifiability, namely the client has to maintain some secret local information pertaining to the offline stage [Gennaro et al., CRYPTO 2010]). Public verifiability does away with the secret state, and so allows delegating the offline stage to a "semi-trusted" external third party that is potentially used by many clients, even mutually suspicious ones. It also allows for a stronger, more adaptive notion of soundness. In this model we show a 1-round computationally-sound protocol for any circuit C, even a non-uniform one. The client runs in time poly(log(size(C)), depth(C)), and soundness is guaranteed assuming the existence of collision-resistant hashing and poly-logarithmic PIR. Previously, publicly verifiable one-round delegation protocols were known only for functions in log-space uniform NC.

Book ChapterDOI
11 Dec 2011
TL;DR: This paper presents a formalization of the security of public-key encryption in the presence of PVSS, and presents a new scheme based on pairings which is much more efficient than Stadler's scheme and is actually the first non-interactive PVSS scheme proven secure in the standard model.
Abstract: Running the key-management service of cryptographic systems in the cloud is an attractive cost saving proposition. Supporting key-recovery is an essential component of every key-management service. We observe that to verifiably support key-recovery in a public cloud, it is essential to use publicly verifiable secret-sharing (PVSS) schemes. In addition, a holistic approach to security must be taken by requiring that running the key-management service in the (untrusted) cloud does not violate the security of the cryptographic system at hand. This paper takes such a holistic approach for the case of public-key encryption which is one of the most basic cryptographic tasks. The approach boils down to formalizing the security of public-key encryption in the presence of PVSS. We present such a formalization and observe that the PVSS scheme of Stadler [29] can be shown to satisfy our definition, albeit in the Random Oracle Model. We construct a new scheme based on pairings which is much more efficient than Stadler's scheme. Our scheme is noninteractive and can support any monotone access structure. In addition, it is proven secure in the standard model under the Bilinear Diffie-Hellman (BDH) assumption. Interestingly, our PVSS scheme is actually the first non-interactive scheme proven secure in the standard model; all previous non-interactive PVSS schemes assume the existence of a Random Oracle. Our scheme is simple and efficient; an implementation of our scheme demonstrates that our scheme compares well with the current fastest known PVSS schemes.

Journal ArticleDOI
TL;DR: A new approach for sharing images between l players by exploiting the additive and multiplicative homomorphic properties of two well-known public key cryptosystems, i.e. RSA and Paillier is presented.