72 citations found.
Santis AD, Desmedt Y, Frankel Y, Yung M. How to share a function securely (Extended Summary). In Symposium on the Theory of Computation (STOC), 1994; pp. 522 -- 533.


This paper is cited in the following contexts:


Providing Robust and Ubiquitous Security Support for.. - Luo, Kong, Zerfos.. (2001)

....in both space domain and time domain. It is built and maintained on demand, and stored locally. These properties comply with the overall scalability and robustness of our architecture, and the ad hoc nature of the network. 5.3 Cryptographic Analysis Our design and algorithms are (k, n) secure [26] in the sense that given up to $k - 1$ shares of SK and a history of polynomial many partial results, an adversary learns no more about SK than without these information. The following theorem .... [Footnote: TTL is defined as time to live: the maximal number of hops that a packet can traverse in the network.]

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


Adaptive and Resilient Security for Multi-hop Multi-media Mobile.. - Kong

....a mesh of CAs can alleviate, but cannot solve the problem of service ubiquity and node mobility. Besides, these approaches suffer from the single point of compromise and DoS attack. Threshold secret sharing and proactive secret share updates have been very active research topics in cryptography [88, 37, 86, 29, 16, 28]. However, most of these proposals target a system that has a few secret share holders with rich connections. Hence, the proposed solutions do not address the scalability issue, as admitted in [16]. Besides, as connections are assumed to be reliable, they do not make explicit efforts to minimize ....

....and inter theater authentication are presented in ( 4.4.3) The transition to infrastructure mode is studied in ( 4.4. 3) Distributed Certification Services Given the size of network , a system parameter ( and a centralized CA with RSA key pair , cryptographic algorithms [27, 86, 81, 89, 52] and systems [103, 110, 111] allow the functionality of the CA to be distributed into the network where each node becomes a partial CA. Each partial CA holds a secret share , and a coalition of any out of partial CAs can function as the centralized CA. During the ....

[Article contains additional citation context not shown here]

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In Symposium on the Theory of Computation (STOC), pages 522--533, 1994.


Self-securing Ad Hoc Wireless Networks - Luo, Zerfos, Kong, Lu, Zhang (2002)   (12 citations)

....to the localized certification services, each of these k neighboring nodes returns a partial share update. Node $v_i$ adds these k partial updates together to recover $P_{u,v_i}$. Node $v_i$ then updates its share and erases its old share at the end of the update phase. Our design is (k, n) secure [24] in the sense that given up to $k - 1$ shares of SK and a history of polynomial many partial results, an adversary learns no more about SK than without these information. The following theorem shows the security of our design. Due to lack of space, we leave the detailed algorithms, communication ....

A. D. Santis, Y. Desmedt, Y. Frankel and M. Yung, "How to share a function securely," STOC 1994


Adaptive Security for Multi-layer Ad-hoc Networks - Kong, Luo, Xu, Gu, Gerla, Lu (2002)   (2 citations)

....are presented in ( 3.3.2) The transition to infrastructure mode is studied in ( 3.3.3) 6 3.3. 1 Distributed Certification Services Given the size of network 9 , a system parameter ( 9 ) and a centralized CA with RSA key pair , cryptographic algorithms [7, 35, 32, 38, 24] and systems [48, 52, 53, 20] allow the functionality of the CA to be distributed into the network where each node becomes a partial CA. Each partial CA holds a secret share 9 , and a coalition of any out of 9 partial CAs can function as the centralized CA. During the ....

....into the infrastructure. Though mobile clients, especially those running low end devices, can spend less computation power in authentication services, the authentication server end still suffers the single point of compromise and single point of failure DoS attack. Threshold based secret sharing [37, 16, 35] and proactive secret share updates [16, 9, 8] have been very active topics in cryptography research. However, most of these proposals target a system that has a few secret share holders with reliable and rich connections. Hence, the proposed solutions are more suitable to wireless networks with ....

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


Adaptive Security for Multi-layer Ad-hoc Networks - Haiyun (2002)   (2 citations)

....are presented in (x 3.3.2) The transition to infrastructure mode is studied in (x 3.3.3) 3.3. 1 Distributed Certification Services Given the size of network N , a system parameter K (0 KN ) and a centralized CA with RSA key pair fSK 0 ff ; PK 0 ff g, cryptographic algorithms [7, 34, 31, 37, 23] and systems [47, 51, 52, 19] allow the functionality of the CA to be distributed into the network where each node becomes a partial CA. Each partial CA holds a secret share SK 0 ff;i (1iN) and a coalition of any K out of N partial CAs can function as the centralized CA. During the ....

....into the infrastructure. Though mobile clients, especially those running low end devices, can spend less computation power in authentication services, the authentication server end still suffers the single point of compromise and single point of failure DoS attack. Threshold based secret sharing [36, 16, 34] and proactive secret share updates [16, 9, 8] have been very active topics in cryptography research. However, most of these proposals target a system that has a few secret share holders with reliable and rich connections. Hence, the proposed solutions are more suitable to wireless networks with ....

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


Providing Robust and Ubiquitous Security Support for.. - Kong, Zerfos, Luo.. (2001)   (60 citations)

....security is not compromised as long as there are less than K collaborative intruders in each adversary group. To further resist intrusions over long term, we periodically (for example once every several hours) update the secret shares for all entities. The concepts of threshold secret sharing [14, 2, 4, 12, 15] and secret share updates [7, 5] are not new, and have been studied in the cryptography context. However, these proposals assume limited number of secret share holders, and are not scalable to network size. They typically involve excessive communication overhead, and assume a richly connected ....

....interpolation, SK is recovered from the sum $d = \sum_{j=1}^{K} SK_j \pmod{n}$. Instead of revealing the private exponent d to the coalition, a better security scheme is employed to accomplish certification services without constructing an explicit d. The corner stone of the multi signature protocol [2, 4, 12, 15] is the following arithmetic formula: $X^{SK_1} \cdot X^{SK_2} \cdots X^{SK_K} = X^{SK_1 + SK_2 + \cdots + SK_K}$. In this scheme each member provides a partial certificate $X^{SK_j}$ rather than revealing its private $SK_j$ (Figure 3) 1 Lagrange coefficient in the ....

[Article contains additional citation context not shown here]

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


Providing Robust and Ubiquitous Security Support for.. - Kong, Zerfos, Luo.. (2001)   (60 citations)

....security is not compromised as long as there are less than # collaborative intruders in each adversary group. To further resist intrusions over long term, we periodically (for example once every several hours) update the secret shares for all entities. The concepts of threshold secret sharing [14, 2, 4, 12, 15] and secret share updates [7, 5] are not new, and have been studied in the cryptography context. However, these proposals assume limited number of secret share holders, and are not scalable to network size. They typically involve excessive communication overhead, and assume a richly connected ....

....interpolation, ## is recovered from the sum # ## # # ### ## # mod ##. Instead of revealing the private exponent # to the coalition, a better security scheme is employed to accomplish certification services without constructing an explicit #. The corner stone of the multi signature protocol [2, 4, 12, 15] is the following arithmetic formula: # ## # ## ## # ## # ### ### # # ## # ### # ######## # In this scheme each member provides a partial certificate # ## # rather than revealing its private ## # (Figure 3) 1 Lagrange coefficient in the coalition is defined as # # # ### # #### # ....

[Article contains additional citation context not shown here]

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


Ubiquitous and Robust Authentication Services for Ad Hoc Wireless .. - Luo, Lu (2000)   (1 citation)

....in Section 8. 5.3 Cryptographic Analysis We now formally prove the security of our algorithms and the robustness against the adversaries of model I as defined in Section 3.3. We first state the well known RSA assumption on which our algorithms are based. Definition 5. 1 (RSA Assumption [19]) Let h be the security parameter. Let the key generation (e, d, m) # G(1 h ) be an RSA instance with security parameter h. For any probabilistic polynomial time algorithm A and polynomial poly( P r[u e # w mod m : e, d, m) # G(1 h ) w #R 0, 1 h ; u # A(1 h , w, e, N ) ....

....poly( P r[u e # w mod m : e, d, m) # G(1 h ) w #R 0, 1 h ; u # A(1 h , w, e, N ) 1 poly(h) Since n nodes in our system share the RSA certificate signing key SK, we want to prove that our design is (k, n) secure. The formal definition is as follows: Definition 5. 2 [19] An RSA function sharing primitive is (k, n) secure when for all possible subset i 1 , i 2 , i j where 0 # j k # n, for all probabilistic polynomial time algorithms A, for any polynomial poly( for h large enough, P r[f e (u) # w mod m : e, d, m) # G(1 h ) P 1 , P n ....

[Article contains additional citation context not shown here]

A. Santis, Y. Desmedt, Y. Frankel and M. Yung. "How to share a function securely," STOC'94, 1994.


Robust Threshold DSS Signatures - Gennaro, Jarecki, Krawczyk, Rabin (1999)   (98 citations)

....those systems are the ones being deployed in the real world and hence they are the ones that require real protection. As of today, RSA [RSA78] and DSS [NIST91] appear as the two most used schemes in practice. For the case of RSA signatures particular examples of threshold schemes can be found in [DF91, DDFY94, FGY96, GJKR96b, Rab98]. DSS signatures turn out to be less amenable to sharing techniques than RSA or even other ElGamal type of signatures. For this reason, many variants of ElGamal type signatures, have been proposed that are more suitable to being turned into threshold schemes (see for example [Har94, PK96] ....

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In Proc. 26th ACM Symp. on Theory of Computing, pages 522--533, Santa Fe, 1994. IEEE.


Adaptively Secure Threshold Cryptography without the.. - Jarecki, Lysyanskaya (2000)   (2 citations)

.... $G_q$ if value $a \in Z_q$ is secret shared with RVSS data[a]. This protocol, which we call an additive exponentiation, was used in the adaptive threshold protocols of [CGJ 99, FMY99a b]. It can be contrasted with the polynomial exponentiation used in the non adaptive threshold protocols, e.g. [DDFY94, GJKR96b]. The difference is in how value $m^a$ is extracted from the sharing RVSS data[a] of $a$: In the additive method, every player $P_i$ broadcasts value $m^{a_i}$ for its additive share $a_i$, and then $m^a = \prod_{i \in Qual} m^{a_i}$. In the polynomial method, players broadcast values $m^{\alpha_i}$ for ....

Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely. In Proc. 26th ACM Symp. on Theory of Computing, pages 522--533, Montreal, Canada, 1994. ACM.


The Foundations of Modern Cryptography - Goldreich (1997)   (23 citations)

....own preference is to refer to [27] for the definitions and to [61] for the constructions. For a very nice brief survey, the reader is referred to [72] New Directions: Incremental Cryptography [6, 7] Realizing the Random Oracle Model [28] Coercibility [30, 29] sharing of cryptographic objects [45, 44, 59], Private Information Retrieval [38, 37, 89] Cryptanalysis by induced faults [23] Visual Cryptography [104, 101] and many others. Acknowledgments I wish to thank Ran Canetti, Shafi Goldwasser and Hugo Krawczyk for helpful discussions. Special thanks to Hugo for carefully reading and commenting ....

A. De-Santis, Y. Desmedt, Y. Frankel and M. Yung. How to Share a Function Securely. In 26th ACM Symposium on the Theory of Computing, pages 522--533, 1994.


The Foundations of Modern Cryptography - Goldreich (1998)   (23 citations)

....thus is solvable in principle [98, 18, 45] 21 However, what one desires is efficient solutions, and in particular ones comparable in efficiency to standard single private key cryptosystems. Such efficient solutions, called threshold cryptosystems, were envisioned in [59, 60] and provided in [60, 58, 85] (and many other works) In addition to the conditions informally described above, it is desired that the threshold system be robust [85] and proactive [145, 42, 111] By robust we mean that proper operation is guaranteed even if some of the sites holding shares of the private key misbehave (as ....

....the constructions. The situation will hopefully be redeemed in [90] For a nice but brief survey, the reader is referred to [102] New Directions: These include Incremental Cryptography [6, 7] Realizing the Random Oracle Model [36, 39, 40] Coercibility [38, 37] sharing of cryptographic objects [60, 58, 84], Private Information Retrieval [48, 47, 120] Cryptanalysis by induced faults [27] and many others. Acknowledgments I am most grateful to Hugo Krawczyk for carefully reading and commenting on an early draft. Thanks also to Mihir Bellare, Gilles Brassard, Christian Cachin, Ran Canetti, Ronald ....

A. De-Santis, Y. Desmedt, Y. Frankel and M. Yung. How to Share a Function Securely. In 26th ACM Symposium on the Theory of Computing, pages 522--533, 1994.


Sharing Decryption in the Context of Voting or Lotteries - Fouque, Poupard, Stern (2000)   (26 citations)

....in the next section. Desmedt and Frankel have been pioneers in threshold cryptography and proposed in [6] a threshold RSA signature protocol using Shamir's polynomial secret sharing scheme in the ring Z (n) In order to hide the inverses, Desmedt and Frankel [6] followed by de Santis et al. [18] and Gennaro et al. [8] extend the ring of integers modulo (n) to another algebraic structure, a module, where the inverses can be disclosed safely. Other tentatives of Frankel et al. [7] followed by Rabin [16] have been made to avoid the use of strong primes as factors of n. Recently, Shoup ....

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In Proceedings of the 26th ACM Symposium on the Theory of Computing, pages 522--523. ACM, 1994.


Secure Distributed Storage and Retrieval - Garay, Gennaro, Jutla, Rabin (1997)   (13 citations)

.... Desmedt [11] Boyd [2] Croft and Harris [8] and Desmedt and Frankel [12] A survey of threshold cryptography techniques can be found in [13] Protocols for discrete log based threshold cryptosystems can be found in [2, 4, 12, 24, 31, 20] Protocols for RSA based threshold cryptosystems include [9, 10, 15, 19, 33]. In Appendix B we present an example of threshold cryptography applied to RSA [34] The fault tolerance of the SSRI protocols we present in this paper (n 2t) is inherited from the fault tolerance of the distributed threshold signature decryption protocols [15, 19, 21, 14, 33] which is ....

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In Proc. 26th Annual Symp. on the Theory of Computing, pages 522--533. ACM, 1994.


Robust and Efficient Sharing of RSA Functions - Gennaro, Jarecki, Krawczyk.. (1996)   (44 citations)

....RSA signatures usually lead to shared RSA decryption procedures which have various applications, e.g. key escrow (cf. [Mic92]) and secure distributed storage (cf. [GGJR97]). Desmedt and Frankel initiated the study of threshold RSA [DF91] which was followed by De Santis, Desmedt, Frankel, and Yung [DDFY94]. These papers provide solutions for the problem of threshold RSA, however, they lack the robustness property. The basic paradigm followed by known threshold signature schemes is as follows. Each player $P_i$ has a share $d_i$ corresponding to the signature key d. Given a message m each of the ....

....can lead to a wrong final signature on m. Therefore, in order to add the robustness property to such a threshold signature scheme it suffices to solve the problem of verifying the correctness of a single partial signature. It turns out, that in all known threshold RSA signature schemes (e.g. [DF91, DDFY94, Rab98]) checking a partial signature reduces to checking an RSA signature produced using the secret $d_i$ held by the signing player $P_i$. In these partial signatures $d_i$ is in fact a secret RSA exponent, and the partial signature has the form $m^{d_i} \bmod n$ where n is the public RSA modulus. What makes ....

[Article contains additional citation context not shown here]

Alfredo De Santis, Yvo Desmedt, Yair Frankel, and Moti Yung. How to share a function securely. In Proc. 26th Annual Symp. on the Theory of Computing, pages 522-533. ACM, 1994.


Securing Threshold Cryptosystems against Chosen Ciphertext Attack - Shoup, Gennaro (1999)   (48 citations)

....cryptosystems are part of a general approach known as threshold cryptography, introduced by Boyd [5] Desmedt [13] and Desmedt and Frankel [14] In particular, in [14] a threshold cryptosystem based on the Diffie Hellman problem is presented. The techniques developed later by De Santis et al. [11] yield a corresponding system based on RSA [27] These schemes can be shown to withstand chosen plaintext attack, but they are not known to withstand chosen ciphertext attack. 2.3 Why isn't it trivial to secure a threshold cryptosystem against chosen ciphertext attack Our first observation is ....

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely. In 26th Annual ACM Symposium on Theory of Computing, pages 522--533, 1994.


Adaptive Security For Multilevel Ad Hoc Networks - Kong, Luo, Xu, al. (2002)   (3 citations)  Self-citation (Ad)

No context found.

Santis AD, Desmedt Y, Frankel Y, Yung M. How to share a function securely (Extended Summary). In Symposium on the Theory of Computation (STOC), 1994; pp. 522 -- 533.


Computing Functions Of A Shared Secret - Beimel, Burmester, Desmedt.. (2000)   (2 citations)  Self-citation (Desmedt)

..... 1 Let s1 ; s2 ; s be the secrets we want to share simultaneously. Construct the concatenated 1 similar scenarios in which sharing is viewed as a form of encryption and the security is computationally bounded have been considered in [32, 3, 1] Threshold cryptography [19, 18, 17] is also a special case of secret sharing for a family of functions. 2 A typical scenario of threshold cryptography is the following: Every set B of t parties should be able to sign any document such that any coalition C of less than t parties cannot sign any other document (even if the ....

....the value secret s = s 1 s 2 : s and the functions which can be evaluated are the functions f i (s) s i . The secrets s i may be dependent: our model allows some information to leak provided it is no more than what follows from the evaluations of f(s) 2 The functions considered in [19, 18, 17] are, however, very limited and the scenario in [17] is restricted to computational security. 3 In fact, both results require to be sufficiently large : log n in the interactive case and log n log log n in the broadcast model. 2 f(s) Interaction seems to be useful in the computation. ....

[Article contains additional citation context not shown here]

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, How to share a function securely, in Proc. of the 26th Annu. ACM Symp. on the Theory of Computing, 1994, pp. 522-533.


Adaptively-Secure Optimal-Resilience Proactive RSA - Frankel, MacKenzie, Yung (1999)   (13 citations)  Self-citation (Frankel Yung)

....developed tools to allow proactive security [28] in discrete log based systems. They also defined the notion of a proactive public key system. Tools to allow proactive security in RSA based systems were given in [16, 15, 30] Previous work on threshold and robust threshold RSA systems is given in [10, 8, 17, 22]. None of these tools have been shown to be secure against an adaptive adversary. Recently the notion of security against adaptive adversaries in threshold public key systems was dealt with (in systems less constrained than ours) 19, 3] Our Contributions and Techniques: We base our system on ....

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely (extended summary). In Proceedings of the Twenty-Sixth Annual ACM Symposium on the Theory of Computing, pages 522--533, Montréal, Québec, Canada, 23--25 May 1994.


Adaptively-Secure Distributed Public-Key Systems - Frankel, MacKenzie, Yung (1998)   (8 citations)  Self-citation (Frankel Yung)

.... value (a signature or a cleartext) As long as an adversary does not corrupt a certain threshold of servers the system remains secure (as opposed to centralized cryptosystems in which the compromise of a single entity breaks the system) Function sharing (Threshold) systems were presented in [16, 17, 15]. Robust function sharing systems, in which the function can be evaluated correctly even if the adversary causes share holders it controls to misbehave arbitrarily, were presented in [30, 25, 29] Constructions of these systems are required to be efficient (e.g. they should not involve generic ....

.... can be evaluated correctly even if the adversary causes share holders it controls to misbehave arbitrarily, were presented in [30, 25, 29] Constructions of these systems are required to be efficient (e.g. they should not involve generic secure function evaluation which is assumed impractical [15]) The current trend for specific efficient solutions is reviewed in [31, 28] A fundamental problem in cryptography is coping with an adaptive adversary who may, while a protocol is running, attack the protocol using actions based on its complete view up to that point in the protocol. This ....

[Article contains additional citation context not shown here]

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to share a function securely (extended summary). In Proceedings of the Twenty-Sixth Annual ACM Symposium on the Theory of Computing, pages 522--533, Montréal, Québec, Canada, 23--25 May 1994.


Self-securing Ad Hoc Wireless Networks - Luo, Zerfos, Kong, Lu, Zhang (2002)   (12 citations)

No context found.

A. D. Santis, Y. Desmedt, Y. Frankel and M. Yung, "How to share a function securely," STOC 1994


Providing Robust and Ubiquitous Security Support for.. - Kong, Zerfos, Luo.. (2001)   (60 citations)

No context found.

A. D. Santis, Y. Desmedt, Y. Frankel, and M. Yung. How to Share a Function Securely (Extended Summary). In STOC, pages 522--533, 1994.


On Quorum Controlled Asymmetric Proxy Re-encryption - Jakobsson (1999)   (7 citations)

No context found.

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, "How to Share a Function Securely," STOC '94, pp. 522-533


Privacy vs. Authenticity - Jakobsson (1997)   (1 citation)

No context found.

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, "How to Share a Function Securely, " In Proceedings of the twenty-sixth annual ACM Symposium on Theory of Computing (STOC), 1994, pp. 522--533.


A Practical Mix - Jakobsson (1998)   (29 citations)

No context found.

A. De Santis, Y. Desmedt, Y. Frankel, and M. Yung, "How to Share a Function Securely," STOC '94, pp. 522-533



CiteSeer.IST - Copyright Penn State and NEC