Ronald Cramer, Ivan Damgård, and Ueli Maurer. Span programs and general multiparty computation. Most recent version available from authors, 1998.
....extended to more general adversary structures by Hirt and Maurer in [HM97]. However, maintaining an exponentially small probability of error entailed a superpolynomial loss of efficiency. We present a more efficient version of their protocol using monotone span programs, following the ideas of [CDM98]. The relevant definitions as well as a precise statement of our results are presented in the remainder of this section. School of Computer Science, McGill University, Montreal (Quebec) Canada, asmith cs.mcgill.ca Département d'Informatique et R.O., Université de Montréal, Montreal ....
.... e , where w is the size of the smallest monotone formula consisting of [ QQpJ gates which rejects the adversary structure 0 . 1.3 Monotone span programs Span programs were introduced as a model of computation in [KW93]. They were first used as a tool for multiparty computation in [CDM98]. In this section we define the concepts related to monotone span programs relevant to this report. Definition 3 A monotone span program (MSP) over a set is a triple r W where is a finite field, is a , matrix over and VA h q FO is a surjective function. ....
[Article contains additional citation context not shown here]
Ronald Cramer, Ivan Damgard, and Ueli Maurer. Span programs and general multiparty computation. Preliminary version appeared as BRICS tech. report number BRICS-RS-97-28, 1998.
.... t a accusations against the dealer (in this case, the dealer is disqualified, see below) or every player holds his share, and a share of the share of each other player (called a share share). The set of the share shares of a given share can be considered as a shared commitment of that share (cf. [CDM98]). In order to reconstruct the secret, every player must reveal his share by broadcasting the polynomial used for sharing his share, and every player verifies that his corresponding share share really lies on the broadcast polynomial. If not, the player broadcasts a complaint against the revealing ....
....share and use the technique described in [BGW88] to prove that this shared value is equal to the product of his two shares (if the player fails to prove this, he is disqualified; see below). Due to the linearity of the rest of the computation, the invariant is preserved. Note that, as used in [CDM98], this multiplication protocol does not involve error correction but error detection (in contrast to the multiplication protocol of [BGW88]). Disqualifying players. One major issue of the above protocol is how to deal with disqualified players. In [BGW88] the disqualified players' data is ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computation. Manuscript, 1998.
....multiparty computations using constructions based on homomorphic commitments. These commitments have been used for the problem of verifiable secret sharing, by Feldman and Pedersen [Fel87, Ped91a] who exhibit efficient VSS protocols. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs. Fast track. Secure multiparty protocols pay a heavy cost in terms of communication computation in order to guarantee robustness against malicious adversaries who may cause players to behave arbitrarily during the protocol. It is a well known ....
....This idea originated in [CCD88] in the information theoretic model, where such commitments were achieved by a second layer of input sharings. In the cryptographic model we use homomorphic commitments to generate the same effect. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs. In the following sections we will concentrate on the multiplication protocol. Given two secrets α and β shared via some form of VSS, which generated some representation of the secrets, we want to compute a sharing of γ = αβ resulting in the ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computations. Manuscript, 1997.
.... t a accusations against the dealer (in this case, the dealer is disqualified, see below) or every player holds his share, and a share of the share of each other player (called a share share). The set of the share shares of a given share can be considered as a shared commitment of that share (cf. [CDM98]). In order to reconstruct the secret, every player must reveal his share by broadcasting the polynomial used for sharing his share, and every player verifies that his corresponding share share really lies on the broadcast polynomial. If not, the player broadcasts a complaint against the revealing ....
....share and use the technique described in [BGW88] to prove that this shared value is equal to the product of his two shares (if the player fails to prove this, he is disqualified; see below). Due to the linearity of the rest of the computation, the invariant is preserved. Note that, as used in [CDM98], this multiplication protocol does not involve error correction but error detection (in contrast to the multiplication protocol of [BGW88]). Disqualifying players. One major issue of the above protocol is how to deal with disqualified players. In [BGW88] the disqualified players' data is ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computation. Manuscript, 1998.
....factor of at least 2. When used inside our general multiparty protocol, gains are even greater. EFFICIENT PROTOCOLS COMPUTATIONAL MODEL. We achieve efficient multiparty computations using constructions based on homomorphic commitments. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs. FAST TRACK. The following observation leads to an additional contribution. Secure multiparty protocols pay a heavy cost in terms of communication computation in order to guarantee robustness against malicious adversaries who may cause players to ....
....This idea originated in [CCD88] in the information theoretic model, where such commitments were achieved by a second layer of input sharings. In the cryptographic model we use homomorphic commitments to generate the same effect. Some of these techniques have been independently devised by [CDM97], yet they use them in the context of span programs. In the following sections we will concentrate on the multiplication protocol. Given two secrets α and β shared via some form of VSS, which generated some representation of the secrets, we want to compute a sharing of γ = αβ resulting in ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computations. Manuscript, 1997.
....Montréal (Québec) Canada, asmith cs.mcgill.ca Département d'Informatique et R.O., Université de Montréal, Montréal (Québec) Canada, stiglic iro.umontreal.ca We present a more efficient version of an extension of the [RB89] protocol using monotone span programs, following the ideas of [CDM98] 1. The relevant definitions as well as a precise statement of our results are presented in the remainder of this section. 1.2 Adversary structures and monotone functions Given a set of players P, an adversary structure A over P is a set of subsets of players which is downward-closed under ....
....of the smallest monotone formula consisting of majority accepting gates which rejects the adversary structure A. 1.3 Monotone span programs Span programs were introduced as a model of computation in [KW93]. They were first used as a tool for multiparty computation by Cramer, Damgård and Maurer [CDM98]. In this section we define the concepts related to monotone span programs relevant to this paper. Definition 3 A monotone span program (MSP) over a set P is a triple (K; M; where K is a finite field, M is a d e matrix over K and : f1; dg P is a surjective function. 1 Results ....
[Article contains additional citation context not shown here]
Ronald Cramer, Ivan Damgård, and Ueli Maurer. Span programs and general multiparty computation. Most recent version available from authors, 1998.
....Z . In the above example, $Z = \{\{p_1\}, \{p_2, p_4\}, \{p_3, p_5\}, \{p_3, p_6\}, \{p_2, p_5, p_6\}, \{p_4, p_5, p_6\}\}$. When our results are applied to reliable broadcast (Byzantine agreement) they provide the first nonthreshold broadcast protocol, as required for example in [CDM98] (where later solutions [FM98] are more efficient). Applying the results to verifiable secret sharing, they provide a nonthreshold verifiable secret sharing scheme as first proposed in [Gen96]. The primary emphasis of this paper is on the existence of protocols. Indeed, all proposed protocols have ....
....tree for any given adversary structure. 1.6 Subsequent Work Subsequently to [HM97] several extensions and improvements for general adversaries were suggested. In [BW98] a more efficient protocol for the passive model is proposed, and the results are formulated in terms of quorum systems. In [CDM98] efficient and modular protocols secure against general adversaries are given for the active and passive model with unconditional and computational security. The efficiency of the protocols for the active model with broadcast is improved in [SS98]. Finally, in [FHM99] a new model with general ....
[Article contains additional citation context not shown here]
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multi-party computation. Manuscript, 1998.
.... t a accusations against the dealer (in this case, the dealer is disqualified, see below) or every player holds his share, and a share of the share of each other player (called a share share). The set of the share shares of a given share can be considered as a shared commitment of that share (cf. [CDM98]). In order to reconstruct the secret, every player must reveal his share by broadcasting the polynomial used for sharing his share, and every player verifies that his corresponding share share really lies on the broadcast polynomial. If not, the player broadcasts a complaint against the revealing ....
....share and use the technique described in [BGW88] to prove that this shared value is equal to the product of his two shares (if the player fails to prove this, he is disqualified; see below). Due to the linearity of the rest of the computation, the invariant is preserved. Note that, as used in [CDM98], this multiplication protocol does not involve error correction but error detection (in contrast to the multiplication protocol of [BGW88]). Disqualifying players. One major issue of the above protocol is how to deal with disqualified players. In [BGW88] the disqualified players' data is ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computation. Manuscript, 1998.
.... t a accusations against the dealer (in this case, the dealer is disqualified, see below) or every player holds his share, and a share of the share of each other player (called a share share). The set of the share shares of a given share can be considered as a shared commitment of that share (cf. [CDM98]). In order to reconstruct the secret, every player must reveal his share by broadcasting the polynomial used for sharing his share, and every player verifies that his corresponding share share really lies on the broadcast polynomial. If not, the player broadcasts a complaint against the revealing ....
....share and use the technique described in [BGW88] to prove that this shared value is equal to the product of his two shares (if the player fails to prove this, he is disqualified; see below). Due to the linearity of the rest of the computation, the invariant is preserved. Note that, as used in [CDM98], this 4 This construction only covers global reconstruction where every player learns the shared secret. If some result must be revealed to only certain players, then the reconstruction protocol must be slightly modified: Every player sends his share, the polynomial with which his share was ....
R. Cramer, I. Damgard, and U. Maurer. Span programs and general multiparty computation. Manuscript, 1998.
No context found.
Ronald Cramer, Ivan Damgård, and Ueli Maurer. Span programs and general multiparty computation. Most recent version available from authors, 1998.
CiteSeer.IST - Copyright Penn State and NEC