Results 1-10 of 28
Hierarchical threshold secret sharing
J. Cryptol, 2007
Cited by 34 (3 self)
We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group of participants that is partitioned into levels. The access structure is then determined by a sequence of threshold requirements: a subset of participants is authorized if it has at least k0 members from the highest level, as well as at least k1 > k0 members from the two highest levels and so forth. Such problems may occur in settings where the participants differ in their authority or level of confidence and the presence of higher level participants is imperative to allow the recovery of the common secret. Even though secret sharing in hierarchical groups has been studied extensively in the past, none of the existing solutions addresses the simple setting where, say, a bank transfer should be signed by three employees, at least one of whom must be a department manager. We present a perfect secret sharing scheme for this problem that, unlike most secret sharing schemes that are suitable for hierarchical structures, is ideal. As in Shamir’s scheme, the secret is represented as the free coefficient of some polynomial. The novelty of our scheme is the usage of polynomial derivatives in order to generate lesser shares for participants of lower levels. Consequently, our scheme uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values. A substantial part of our discussion is dedicated to the question of how to assign identities to the participants from the underlying finite field so that the resulting Birkhoff interpolation problem will be well posed. In addition, we devise an ideal and efficient secret sharing scheme for the closely related hierarchical threshold access structures that were studied by Simmons and Brickell.
On secret sharing schemes, matroids and polymatroids
Journal of Mathematical Cryptology
Cited by 18 (4 self)
The complexity of a secret sharing scheme is defined as the ratio between the maximum length of the shares and the length of the secret. The optimization of this parameter for general access structures is an important and very difficult open problem in secret sharing. We explore in this paper the connections of this open problem with matroids and polymatroids. Matroid ports were introduced by Lehman in 1964. A forbidden minor characterization of matroid ports was given by Seymour in 1976. These results are previous to the invention of secret sharing by Shamir in 1979. Important connections between ideal secret sharing schemes and matroids were discovered by Brickell and Davenport in 1991. Their results can be restated as follows: every ideal secret sharing scheme defines a matroid, and its access structure is a port of that matroid. In spite of this, the results by Lehman and Seymour and other subsequent results on matroid ports have not been noticed until now by the researchers interested in secret sharing. Lower bounds on the optimal complexity of access structures can be found by taking into account that the joint Shannon entropies of a set of random variables define a polymatroid.
Ideal Hierarchical Secret Sharing Schemes
Cited by 17 (3 self)
The search of efficient constructions of ideal secret sharing schemes for families of nonthreshold access structures that may have useful applications has attracted a lot of attention. Several proposals have been made for access structures with hierarchical properties, in which the participants are distributed into levels that are hierarchically ordered. Here, we study hierarchical secret sharing in all generality by providing a natural definition for the family of the hierarchical access structures. Specifically, an access structure is said to be hierarchical if every two participants can be compared according to the following natural hierarchical order: whenever a participant in a qualified subset is substituted by a hierarchically superior participant, the new subset is still qualified. We present a complete characterization of the ideal hierarchical access structures, that is, the ones admitting an ideal secret sharing scheme. We use the well known connection between ideal secret sharing and matroids and, in particular, the fact that every ideal access structure is a matroid port. In addition, we use recent results on ideal multipartite access structures and the connection between multipartite matroids and discrete polymatroids. We prove that every ideal hierarchical access structure is the port of a representable matroid and, more specifically, we prove that every ideal structure in this family admits ideal linear secret sharing schemes over fields of all characteristics. This generalizes previous results on weighted threshold access structures. Finally, we use our results to find a new characterization of the ideal weighted threshold access structures that is more precise than the existing one.
Multipartite Secret Sharing by Bivariate Interpolation
33rd International Colloquium on Automata, Languages and Programming, ICALP 2006, Lecture Notes in Comput. Sci. 4052, 2006
Cited by 12 (1 self)
Given a set of participants that is partitioned into distinct compartments, a multipartite access structure is an access structure that does not distinguish between participants that belong to the same compartment. We examine here three types of such access structures: compartmented access structures with lower bounds, compartmented access structures with upper bounds, and hierarchical threshold access structures. We realize those access structures by ideal perfect secret sharing schemes that are based on bivariate Lagrange interpolation. The main novelty of this paper is the introduction of bivariate interpolation and its potential power in designing schemes for multipartite settings, as different compartments may be associated with different lines in the plane. In particular, we show that the introduction of a second dimension may create the same hierarchical effect as polynomial derivatives and Birkhoff interpolation were shown to do in [13].
Ideal Multipartite Secret Sharing Schemes
J. Cryptology
Cited by 12 (4 self)
Multipartite secret sharing schemes are those having a multipartite access structure, in which the set of participants is divided into several parts and all participants in the same part play an equivalent role. In this work, the characterization of ideal multipartite access structures is studied with all generality. Our results are based on the well-known connections between ideal secret sharing schemes and matroids and on the introduction of a new combinatorial tool in secret sharing, integer polymatroids. Our results can be summarized as follows. First, we present a characterization of multipartite matroid ports in terms of integer polymatroids. As a consequence of this characterization, a necessary condition for a multipartite access structure to be ideal is obtained. Second, we use representations of integer polymatroids by collections of vector subspaces to characterize the representable multipartite matroids. In this way we obtain a sufficient condition for a multipartite access structure to be ideal, and also a unified framework to study the open problems about the efficiency of the constructions of ideal multipartite secret sharing schemes. Finally, we apply our general results to obtain a complete characterization of ideal tripartite access structures, which was until now an open problem.
Generalized oblivious transfer by secret sharing
Des. Codes Cryptography
Cited by 9 (0 self)
The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds a set U of messages. A decreasing monotone collection of subsets of U defines the retrieval restrictions. Bob is allowed to learn any permissible subset of messages from that collection, but nothing else, while Alice must remain oblivious regarding the selection that Bob made. We propose a simple and efficient GOT protocol that employs secret sharing. We compare it to another secret sharing based solution for that problem that was recently proposed in [18]. In particular, we show that the access structures that are realized by the two solutions are related through a duality-type relation that we introduce here. We show that there are examples which favor our solution over the second one, while in other examples the contrary holds. Two applications of GOT are considered — priced oblivious transfer, and oblivious evaluation of multivariate polynomials.
On Matroids and Nonideal Secret Sharing
in Proc. of the Third Theory of Cryptography Conference – TCC 2006, ser. Lecture Notes in Computer Science, 2006
Cited by 6 (2 self)
Secret-sharing schemes are a tool used in many cryptographic protocols. In these schemes, a dealer holding a secret string distributes shares to the parties such that only authorized subsets of participants can reconstruct the secret from their shares. The collection of authorized sets is called an access structure. An access structure is ideal if there is a secret-sharing scheme realizing it such that the shares are taken from the same domain as the secrets. Brickell and Davenport (J. of Cryptology, 1991) have shown that ideal access structures are closely related to matroids. They give a necessary condition for an access structure to be ideal – the access structure must be induced by a matroid. Seymour (J. of Combinatorial Theory B, 1992) showed that the necessary condition is not sufficient: There exists an access structure induced by a matroid that does not have an ideal scheme. In this work we continue the research on access structures induced by matroids. Our main result in this paper is strengthening the result of Seymour. We show that in any secret sharing scheme realizing the access structure induced by the Vamos matroid with domain of the secrets of size k, the size of the domain of the shares is at least k + Ω(√k). Our second result considers nonideal secret sharing schemes realizing access structures induced by matroids. We prove that the fact that an access structure is induced by a matroid implies lower and upper bounds on the size of the domain of shares of subsets of participants even in nonideal schemes (this generalized results of Brickell and Davenport for ideal schemes).
Monotone Circuits for Monotone Weighted Threshold Functions
Cited by 4 (0 self)
Weighted threshold functions with positive weights are a natural generalization of unweighted threshold functions. These functions are clearly monotone. However, the naive way of computing them is adding the weights of the satisfied variables and checking if the sum is greater than the threshold; this algorithm is inherently nonmonotone since addition is a nonmonotone function. In this work we bypass this addition step and construct a polynomial size logarithmic depth unbounded fan-in monotone circuit for every weighted threshold function, i.e., we show that weighted threshold functions are in mAC^1. (To the best of our knowledge, prior to our work no polynomial monotone circuits were known for weighted threshold functions.) Our monotone circuits are applicable for the cryptographic tool of secret sharing schemes. Using general results for compiling monotone circuits (Yao, 1989) and monotone formulae (Benaloh and Leichter, 1990) into secret sharing schemes, we get secret sharing schemes for every weighted threshold access structure. Specifically, we get: (1) information-theoretic secret sharing schemes where the size of each share is quasi-polynomial in the number of users, and (2) computational secret sharing schemes where the size of each share is polynomial in the number of users.
Natural Generalizations of Threshold Secret Sharing
 Advances in Cryptology, Asiacrypt 2011, Lecture Notes in Comput. Sci. 7073 (2011) 610–627. 12 S. Fujishige. Polymatroidal
, 1978
Cited by 4 (1 self)
We present new families of access structures that, similarly to the multilevel and compartmented access structures introduced in previous works, are natural generalizations of threshold secret sharing. Namely, they admit ideal linear secret sharing schemes over every large enough finite field, they can be described by a small number of parameters, and they have useful properties for the applications of secret sharing. The use of integer polymatroids makes it possible to find many new such families and it simplifies in great measure the proofs for the existence of ideal secret sharing schemes for them. Key words. Cryptography, secret sharing, ideal secret sharing schemes, multipartite secret sharing, integer polymatroids.
Extended Access Structures and Their Cryptographic Applications
2008
Cited by 4 (2 self)
In secret sharing schemes a secret is distributed among a set of users P in such a way that only some sets, the authorized sets, can recover it. The family Γ of authorized sets is called access structure. Given such a monotone family Γ ⊂ 2^P, we introduce the concept of extended access structures, defined over a larger set P′ = P ∪ P̃, satisfying these two properties:
• the set P is a minimal subset of Γ′, i.e. P − {Ri} ∉ Γ′ for every Ri ∈ P,
• a subset A ⊂ P is in Γ if and only if the subset A ∪ P̃ is in Γ′.
As our first contribution, we give an explicit construction of an extended access structure Γ′ starting from a vector space access structure Γ, and we prove that Γ′ is also vector space. Our second contribution is to show that the concept of extended access structure can be used to design encryption schemes which involve access structures that are chosen ad hoc at the time of encryption. Specifically, we design and analyze a dynamic distributed encryption scheme and a ciphertext-policy attribute-based encryption scheme. In some cases, the new schemes enjoy better properties than the existing ones.