On Polynomial Secret Sharing Schemes
Nearly all secret sharing schemes studied so far are linear or multi-linear schemes. Although these schemes allow implementing any monotone access structure, the share complexity, , may be suboptimal -- there are access structures for which the gap between the best known lower bounds and the best known multi-linear schemes is exponential.
There is growing evidence in the literature that non-linear schemes can improve share complexity for some access structures, with the work of Beimel and Ishai (CCC '01) being among the first to demonstrate it. This motivates further study of non-linear schemes.
We initiate a systematic study of polynomial secret sharing schemes (PSSS), where shares are (multi-variate) polynomials of secret and randomness vectors respectively over some finite field \F_q.
Our main hope is that the algebraic structure of polynomials would help obtain better lower bounds than those known for the general secret sharing.
Some of the initial results we prove in this work are as follows.
On share complexity of polynomial schemes.
First we study degree (at most) 1 in randomness variables (where the degree of secret variables is unlimited).
We have shown that for a large subclass of these schemes, there exist equivalent multi-linear schemes with share complexity overhead.
Namely, PSSS where every polynomial misses monomials of exact degree in and 0 in ,
and PSSS where all polynomials miss monomials of exact degree in and 1 in .
This translates the known lower bound of for multi-linear schemes onto a class of schemes strictly larger than multi-linear schemes, to contrast with the best bound known for general schemes, with no progress since '94.
An observation in the positive direction we make refers to the share complexity (per bit) of multi-linear schemes (polynomial schemes of total degree 1). We observe that the scheme by Liu et al. obtaining share complexity can be transformed into a multi-linear scheme with similar share complexity per bit, for sufficiently long secrets.
For the next natural degree to consider, 2 in , we have shown that PSSS where all share polynomials are of exact degree 2 in (without exact degree 1 in monomials) where \F_q has odd characteristic, can implement only trivial access structures where the minterms consist of single parties.
Obtaining improved lower bounds for degree-2 in PSSS, and even arbitrary degree-1 in PSSS is left as an interesting open question.
On the randomness complexity of polynomial schemes.
We prove that for every degree-2 polynomial secret sharing scheme, there exists an equivalent degree-2 scheme with identical share complexity and with randomness complexity, , bounded by . For general PSSS, we obtain a similar bound on (preserving and \F_q but not degree). So far, bounds on randomness complexity were known only for multi-linear schemes, demonstrating that is always achievable. Our bounds are not nearly as practical as those for multi-linear schemes, and should be viewed as a proof of concept. If a much better bound for some degree bound is obtained, it would lead directly to super-polynomial counting-based lower bounds for degree- PSSS over constant-sized fields.
Another application of low (say, polynomial) randomness complexity is transforming polynomial schemes with polynomial-sized (in ) algebraic formulas for each share into a degree-3 scheme with only polynomial blowup in share complexity, using standard randomizing polynomials constructions.
An algorithm for constructing matrices over a primary residue ring for building multi-secret sharing protocols that implement a given access hierarchy
An algorithm is proposed for constructing matrices over a primary residue ring, intended for building linear perfect multi-secret sharing protocols for a given access hierarchy. The algorithm generalizes the previously known algorithm for constructing matrices over a finite field for the synthesis of linear single-secret sharing protocols, and it has lower time complexity than the trivial algorithm.
Secret sharing and duality
Secret sharing is an important building block in cryptography. All explicitly defined secret sharing schemes with known exact complexity bounds are multi-linear, and thus are closely related to linear codes. The dual of such a linear scheme, in the sense of duality of linear codes, gives another scheme for the dual access structure. These schemes have the same complexity, namely the largest share size relative to the secret size is the same. It is a long-standing open problem whether this fact is true in general: whether the complexity of any access structure is the same as the complexity of its dual. We give an "almost" answer to this question. An almost perfect scheme allows negligible errors, both in the recovery and in the independence. There exists an almost perfect ideal scheme on 174 participants whose complexity is strictly smaller than that of its dual.
Generic Secure Repair for Distributed Storage
This paper studies the problem of repairing secret sharing schemes, i.e., schemes that encode a message into shares, assigned to nodes, so that any nodes can decode the message but any colluding nodes cannot infer any information about the message. In the event of node failures so that shares held by the failed nodes are lost, the system needs to be repaired by reconstructing and reassigning the lost shares to the failed (or replacement) nodes. This can be achieved trivially by a trustworthy third party that receives the shares of the available nodes, then recomputes and reassigns the lost shares. The interesting question, studied in this paper, is how to repair without a trustworthy third party. The main issue that arises is repair security: how to maintain the requirement that any colluding nodes, including the failed nodes, cannot learn any information about the message, during and after the repair process? We solve this secure repair problem from the perspective of secure multi-party computation. Specifically, we design generic repair schemes that can securely repair any (scalar or vector) linear secret sharing scheme. We prove a lower bound on the repair bandwidth of secure repair schemes and show that the proposed secure repair schemes achieve the optimal repair bandwidth up to a small constant factor when dominates , or when the secret sharing scheme being repaired has optimal rate. We adopt a formal information-theoretic approach in our analysis and bounds. A main idea in our schemes is to allow a more flexible repair model than the straightforward one-round repair model implicitly assumed by existing secure regenerating codes. In particular, the proposed secure repair schemes are simple and efficient two-round protocols.
Secret-Sharing from Robust Conditional Disclosure of Secrets
A secret-sharing scheme is a method by which a dealer, holding a secret string, distributes shares to parties such that only authorized subsets of parties can reconstruct the secret.
The collection of authorized subsets is called an access structure.
Secret-sharing schemes are an important tool in cryptography and they are used as a building block in many secure protocols.
In the original constructions of secret-sharing schemes by Ito et al. [Globecom 1987], the share size of each party is (where is the number of parties in the access structure).
New constructions of secret-sharing schemes followed; however, the share size in these schemes remains basically the same.
Although much effort has been devoted to this problem, no progress was made for more than 30 years.
Recently, in a breakthrough paper, Liu and Vaikuntanathan [STOC 2018] constructed a secret-sharing scheme for a general access structure with share size .
The construction is based on new protocols for conditional disclosure of secrets (CDS).
This was improved by Applebaum et al. [EUROCRYPT 2019] to .
In this work, we construct improved secret-sharing schemes for a general access structure with share size .
Our schemes are linear, that is, the shares are a linear function of the secret and some random elements from a finite field.
Previously, the best linear secret-sharing scheme had shares of size .
Most applications of secret-sharing require linearity. Our scheme is conceptually simpler than previous schemes, using a new reduction to two-party CDS protocols (previous schemes used a reduction to multi-party CDS protocols).
In a CDS protocol for a function , there are parties and a referee; each party holds a private input and a common secret, and sends one message to the referee (without seeing the other messages).
On one hand, if the function applied to the inputs returns , then it is required that the referee, which knows the inputs, can reconstruct the secret from the messages.
On the other hand, if the function applied to the inputs returns , then the referee should get no information on the secret from the messages. However, if the referee gets two messages from a party, corresponding to two different inputs (as happens in our reduction from secret-sharing to CDS), then the referee might be able to reconstruct the secret although it should not.
To overcome this problem, we define and construct -robust CDS protocols, where the referee cannot get any information on the secret when it gets messages for a set of zero-inputs of .
We show that if a function has a two-party CDS protocol with message size , then it has a two-party -robust CDS protocol with normalized message size .
Furthermore, we show that every function has a multi-linear -robust CDS protocol with normalized message size .
We use a variant of this protocol (with slightly larger than ) to construct our improved linear secret-sharing schemes.
Finally, we construct robust -party CDS protocols for
New results and applications for multi-secret sharing schemes
In a multi-secret sharing scheme (MSSS), different secrets are distributed among the players in some set , each one according to an access structure. The trivial solution to this problem is to run independent instances of a standard secret sharing scheme, one for each secret. In this solution, the length of the secret share to be stored by each player grows linearly with (when keeping all other parameters fixed). Multi-secret sharing schemes have been studied by the cryptographic community mostly from a theoretical perspective: different models and definitions have been proposed, for both unconditional (information-theoretic) and computational security. In the case of unconditional security, there are two different definitions. It has been proved that, for some particular cases of access structures that include the threshold case, a MSSS with the strongest level of unconditional security must have shares with length linear in . Therefore, the optimal solution in this case is equivalent to the trivial one. In this work we prove that, even for a more relaxed notion of unconditional security, and for some kinds of access structures (in particular, threshold ones), we have the same efficiency problem: the length of each secret share must grow linearly with . Since we want more efficient solutions, we move to the scenario of MSSSs with computational security. We propose a new MSSS, where each secret share has constant length (just one element), and we formally prove its computational security in the random oracle model. To the best of our knowledge, this is the first formal analysis on the computational security of a MSSS. We show the utility of the new MSSS by using it as a key ingredient in the design of two schemes for two new functionalities: multi-policy signatures and multi-policy decryption. We prove the security of these two new multi-policy cryptosystems in a formal security model. 
The two new primitives provide similar functionalities as attribute-based cryptosystems, with some advantages and some drawbacks that we discuss at the end of this work.
Multi-authority secret-ballot elections with linear work
We present new cryptographic protocols for multi-authority secret ballot elections that guarantee privacy, robustness, and universal verifiability. Application of some novel techniques, in particular the construction of witness hiding/indistinguishable protocols from Cramer, Damgaard and Schoenmakers, and the verifiable secret sharing scheme of Pedersen, reduces the work required by the voter or an authority to a linear number of cryptographic operations in the population size (compared to quadratic in previous schemes). Thus we get significantly closer to a practical election scheme.
A perfect multi-secret sharing scheme over the residue ring modulo m
A construction of a perfect multi-secret sharing scheme, based on linear transformations over the ring of residues of integers, is proposed. The necessary and sufficient conditions for the existence of this scheme are established, and an algorithm for its construction for an arbitrary predefined access hierarchy is described. The obtained results generalize previously known statements about the properties of linear secret sharing schemes over finite fields, vector spaces and Galois rings.