Results 21-30 of 184
Protecting Secret Keys with Personal Entropy
Future Generation Computer Systems, 1999
Cited by 40 (0 self)
Abstract
Conventional encryption technology often requires users to protect a secret key by selecting a password or passphrase. While a good passphrase will only be known to the user, it also has the flaw that it must be remembered exactly in order to recover the secret key. As time passes, the ability to remember the passphrase fades and the user may eventually lose access to the secret key. We propose a scheme whereby a user can protect a secret key using the "personal entropy" in his own life, by encrypting the passphrase using the answers to several personal questions. We designed the scheme so the user can forget answers to a subset of the questions and still recover the secret key, while an attacker must learn the answer to a large subset of the questions in order to recover the secret key. 1 Introduction "Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large,...
Decomposition Constructions for Secret Sharing Schemes
IEEE Trans. Inform. Theory, 1998
Cited by 40 (4 self)
Abstract
The purpose of this paper is to describe a very powerful decomposition construction for perfect secret sharing schemes. We give several applications of the construction, and improve previous results by showing that for any graph G of maximum degree d, there is a perfect secret sharing scheme for G with information rate 2/(d + 1). As a corollary, the maximum information rate of secret sharing schemes for paths on more than three vertices and for cycles on more than four vertices is shown to be 2/3. Keywords: secret sharing scheme, graph access structure, information rate, linear programming. 1 Introduction and Terminology Informally, a secret sharing scheme is a method of sharing a secret key K among a finite set of participants in such a way that certain specified subsets of participants can compute the secret key K. The value K is chosen by a special participant called the dealer. We will use the following notation. Let P = {P_i : 1 ≤ i ≤ w} be the set of participants. The dealer is ...
Hierarchical threshold secret sharing
J. Cryptol., 2007
Cited by 34 (3 self)
Abstract
We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group of participants that is partitioned into levels. The access structure is then determined by a sequence of threshold requirements: a subset of participants is authorized if it has at least k_0 members from the highest level, as well as at least k_1 > k_0 members from the two highest levels, and so forth. Such problems may occur in settings where the participants differ in their authority or level of confidence and the presence of higher-level participants is imperative to allow the recovery of the common secret. Even though secret sharing in hierarchical groups has been studied extensively in the past, none of the existing solutions addresses the simple setting where, say, a bank transfer should be signed by three employees, at least one of whom must be a department manager. We present a perfect secret sharing scheme for this problem that, unlike most secret sharing schemes that are suitable for hierarchical structures, is ideal. As in Shamir’s scheme, the secret is represented as the free coefficient of some polynomial. The novelty of our scheme is the usage of polynomial derivatives in order to generate lesser shares for participants of lower levels. Consequently, our scheme uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values. A substantial part of our discussion is dedicated to the question of how to assign identities to the participants from the underlying finite field so that the resulting Birkhoff interpolation problem will be well posed. In addition, we devise an ideal and efficient secret sharing scheme for the closely related hierarchical threshold access structures that were studied by Simmons and Brickell.
On the Information Rate of Secret Sharing Schemes
Theoretical Computer Science, 1992
Cited by 30 (5 self)
Abstract
We derive new limitations on the information rate and the average information rate of secret sharing schemes for access structures represented by graphs. We give the first proof of the existence of access structures with optimal information rate and optimal average information rate less than 1/2 + ε, where ε is an arbitrary positive constant. We also consider the problem of testing if one of these access structures is a substructure of an arbitrary access structure and we show that this problem is NP-complete. We provide several general lower bounds on the information rate and average information rate of graphs. In particular, we show that any graph with n vertices admits a secret sharing scheme with information rate Ω((log n)/n). 1 Introduction A secret sharing scheme is a method to distribute a secret s among a set of participants P in such a way that only qualified subsets of P can reconstruct the value of s, whereas any other subset of P, non-qualified to know s, cannot ...
Tight Bounds on the Information Rate of Secret Sharing Schemes
Designs, Codes and Cryptography, 1997
Cited by 30 (0 self)
Abstract
A secret sharing scheme is a protocol by means of which a dealer distributes a secret s among a set of participants P in such a way that only qualified subsets of P can reconstruct the value of s, whereas any other subset of P, non-qualified to know s, cannot determine anything about the value of the secret. In this paper we provide a general technique to prove upper bounds on the information rate of secret sharing schemes. The information rate is the ratio between the size of the secret and the size of the largest share given to any participant. Most of the recent upper bounds on the information rate obtained in the literature can be seen as corollaries of our result. Moreover, we prove that for any integer d there exists a d-regular graph for which any secret sharing scheme has information rate upper bounded by 2/(d + 1). This improves on van Dijk's result [14] and matches the corresponding lower bound proved by Stinson in [22]. Index terms: Secret Sharing, Data Security,...
Characterizing Ideal Weighted Threshold Secret Sharing
Second Theory of Cryptography Conference, TCC 2005. Lecture Notes in Comput. Sci. 3378, 2005
Cited by 28 (6 self)
Abstract
Weighted threshold secret sharing was introduced by Shamir in his seminal work on secret sharing. In such settings, there is a set of users where each user is assigned a positive weight. A dealer wishes to distribute a secret among those users so that a subset of users may reconstruct the secret if and only if the sum of weights of its users exceeds a certain threshold. On one hand, there are nontrivial weighted threshold access structures that have an ideal scheme, a scheme in which the size of the domain of shares of each user is the same as the size of the domain of possible secrets (this is the smallest possible size for the domain of shares). On the other hand, other weighted threshold access structures are not ideal. In this work we characterize all weighted threshold access structures that are ideal. We show that a weighted threshold access structure is ideal if and only if it is a hierarchical threshold access structure (as introduced by Simmons), or a tripartite access structure (these structures generalize the concept of bipartite access structures due to Padró and Sáez), or a composition of two ideal weighted threshold access structures that are defined on smaller sets of users. We further show that in all those cases the weighted threshold access structure may be realized by a linear ideal secret sharing scheme. The proof of our characterization relies heavily on the strong connection between ideal secret sharing schemes and matroids, as proved by Brickell and Davenport.
Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups
In Proc. of CRYPTO '02, LNCS 2442, 2002
Cited by 28 (7 self)
Abstract
A black-box secret sharing scheme for the threshold access structure T_{t,n} is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that the distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_{t,n}, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard-to-compute group order. A recent example is secure general multiparty computation over black-box rings. In 1994 Desmedt and Frankel proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_{t,n} with 0 < t < n − 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low-degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with coprime determinants, we construct, for arbitrary given T_{t,n} with 0 < t < n − 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.
Share Conversion, Pseudorandom Secret-Sharing and Applications to Secure Computation
In TCC’05, LNCS 3378, 2005
Cited by 24 (2 self)
Abstract
We present a method for converting shares of a secret into shares of the same secret in a different secret-sharing scheme using only local computation and no communication between players. In particular, shares in a replicated scheme based on a CNF representation of the access structure can be converted into shares from any linear scheme for the same structure. We show how this can be combined with any pseudorandom function to create, from initially distributed randomness, any number of Shamir secret-sharings of (pseudo)random values without communication. We apply this technique to obtain efficient non-interactive protocols for secure computation of low-degree polynomials, which in turn give rise to other applications in secure computation and threshold cryptography. For instance, we can make the Cramer-Shoup threshold cryptosystem by Canetti and Goldwasser fully non-interactive, or construct non-interactive threshold signature schemes secure without random oracles. The latter solutions are practical only for a relatively small number of players. However, in our main applications the number of players is typically small, and furthermore it can be argued that no solution that makes a black-box use of a pseudorandom function can be more efficient.
General Constructions for Information-Theoretic Private Information Retrieval
2003
Cited by 23 (0 self)
Abstract
A Private Information Retrieval (PIR) protocol enables a user to retrieve a data item from a database while hiding the identity of the item being retrieved; specifically, in a t-private, k-server PIR protocol the database is replicated among k servers, and the user's privacy is protected from any collusion of up to t servers. The main cost measure of such protocols is the communication complexity of retrieving a single bit of data. This work addresses the information-theoretic setting for PIR, where the user's privacy should be unconditionally protected against computationally unbounded servers. We present a general construction, whose abstract components can be instantiated to yield both old and new families of PIR protocols. A main ingredient in the new protocols is a generalization of a solution by Babai, Kimmel, and Lokam for a communication complexity problem in the multiparty simultaneous messages model. Our protocols simplify and improve upon previous ones, and resolve some previous anomalies. In particular, we get: (1) 1-private k-server PIR protocols with O(k^3 n^{1/(2k−1)}) communication bits, where n is the database size; (2) t-private k-server protocols with O(n^{1/⌊(2k−1)/t⌋}) communication bits, for any constant integers k > t ≥ 1; and (3) t-private k-server protocols in which the user sends O(log n) bits to each server and receives O(n^{t/k+ε}) bits in return, for any constant integers k > t ≥ 1 and constant ε > 0. The latter protocols have applications to the construction of efficient families of locally decodable codes over large alphabets and to PIR protocols with reduced work by the servers.
Universally Ideal Secret Sharing Schemes
IEEE Trans. on Information Theory, 1994
Cited by 21 (8 self)
Abstract
Given a set of parties {1, ..., n}, an access structure is a monotone collection of subsets of the parties. For a certain domain of secrets, a secret sharing scheme for an access structure is a method for a dealer to distribute shares to the parties. These shares enable subsets in the access structure to reconstruct the secret, while subsets not in the access structure get no information about the secret. A secret sharing scheme is ideal if the domains of the shares are the same as the domain of the secrets. An access structure is universally ideal if there exists an ideal secret sharing scheme for it over every finite domain of secrets. An obvious necessary condition for an access structure to be universally ideal is to be ideal over the binary and ternary domains of secrets. In this work, we prove that this condition is also sufficient. We also show that being ideal over just one of the two domains does not suffice for universally ideal access structures. Finally, we give an exac...