Threshold cryptography based on asmuth-bloom secret sharing

In this paper, we investigate how threshold cryptography can be conducted with the Asmuth-Bloom secret sharing scheme and present two novel function sharing schemes, one for the RSA signature and the other for the ElGamal decryption functions, based on the Asmuth-Bloom scheme. To the best of our knowledge, these are the first threshold cryptosystems realized using the Asmuth-Bloom secret sharing. The proposed schemes compare favorably to the earlier function sharing schemes in performance as well as in certain theoretical aspects. © Springer-Verlag Berlin Heidelberg 2006

Lower Bounds for Leakage-Resilient Secret Sharing

Threshold secret sharing allows a dealer to split a secret into $n$ shares such that any authorized subset of cardinality at least $t$ of those shares efficiently reveals the secret, while at the same time any unauthorized subset of cardinality less than $t$ contains no information about the secret. Leakage-resilience additionally requires that the secret remains hidden even if one is given a bounded amount of additional leakage from every share. In this work, we study leakage-resilient secret sharing schemes and prove a lower bound on the share size and the required amount of randomness of any information-theoretically secure scheme. We prove that for any information-theoretically secure leakage-resilient secret sharing scheme either the amount of randomness across all shares or the share size has to be linear in $n$. More concretely, for a secret sharing scheme with $p$-bit long shares, $\ell$-bit leakage per share, where $\widehat{t}$ shares uniquely define the remaining $n - \widehat{t}$ shares, it has to hold that $$p \ge \frac{\ell (n - t)}{\widehat{t}}\ .$$ We use this lower bound to gain further insights into a question that was recently posed by Benhamouda et al. (CRYPTO\u2718), who ask to what extend existing regular secret sharing schemes already provide protection against leakage. The authors proved that Shamir\u27s secret sharing is $1$-bit leakage-resilient for reconstruction thresholds $t \geq 0.85n$ and conjectured that it is also $1$-bit leakage-resilient for any other threshold that is a constant fraction of the total number of shares. We do not disprove their conjecture, but show that it is the best one could possibly hope for. Concretely, we show that for large enough $n$ and any constant $0< c < 1$ it holds that Shamir\u27s secret sharing scheme is \emph{not} leakage-resilient for $t \leq \frac{cn}{\log n}$. In contrast to the setting with information-theoretic security, we show that our lower bound does not hold in the computational setting. That is, we show how to construct a leakage-resilient secret sharing scheme in the random oracle model that is secure against computationally bounded adversaries and violates the lower bound stated above

Impact of performance audit on the Administration: A Belgian study (2005-2010)

Purpose This study of the impact of Belgian Court of Audit on the federal Administration for the 2005 to 2010 period aims to highlight the auditors’ influence on the management of governmental organizations through the performance audits they have been conducting since 1998. A set of ten variables allows us to measure the three types of uses of performance auditors’ work by auditees: instrumental, conceptual and strategic uses. Design/methodology/approach A survey was sent out to a total of 148 respondents identified by the authorities of the targeted organizations. 47 usable questionnaires were completed (32% response rate). Findings The Court of Audit’s impact on the audited entities did not provoke radical changes in the auditees’ organizational life but the intervention of the auditors was nevertheless noticeable. The nature of the impact was rather conceptual than strategic or instrumental. And the negative consequences on auditees anticipated in the literature were not observed. Research limitations/implications Given the five-year period covered by the study which was made in 2014 (four years after 2010), it had to deal with the mortality of respondents and the loss of organizational memory. Practical implications The study gives more accurate insights about the influence that Supreme Audit Institutions actually exert on audited Administrations through their performance audits. Originality/value Since Supreme Audit Institutions have been mandated to evaluate government’s economy, efficiency and effectiveness for almost 40 years in the western democracies, it is mandatory that their actual ability to influence Administrations be documented more abundantly and independently by academic researchers.  The politics and administration of institutional chang

Practical threshold signatures with linear secret sharing schemes

Function sharing deals with the problem of distribution of the computation of a function (such as decryption or signature) among several parties. The necessary values for the computation are distributed to the participating parties using a secret sharing scheme (SSS). Several function sharing schemes have been proposed in the literature, with most of them using Shamir secret sharing as the underlying SSS. In this paper, we investigate how threshold cryptography can be conducted with any linear secret sharing scheme and present a function sharing scheme for the RSA cryptosystem. The challenge is that constructing the secret in a linear SSS requires the solution of a linear system, which normally involves computing inverses, while computing an inverse modulo φ(N) cannot be tolerated in a threshold RSA system in any way. The threshold RSA scheme we propose is a generalization of Shoup's Shamir-based scheme. It is similarly robust and provably secure under the static adversary model. At the end of the paper, we show how this scheme can be extended to other public key cryptosystems and give an example on the Paillier cryptosystem. © 2009 Springer Berlin Heidelberg

Undetachable threshold signatures

A major problem of mobile agents is their inability to authenticate transactions in a hostile environment. Users will not wish to equip agents with their private signature keys when the agents may execute on untrusted platforms. Undetachable signatures were introduced to solve this problem by allowing users to equip agents with the means to sign signatures for tightly constrained transactions, using information especially derived from the user private signature key. However, the problem remains that a platform can force an agent to commit to a sub-optimal transaction. In parallel with the work on undetachable signatures, much work has been performed on threshold signature schemes, which allow signing power to be distributed across multiple agents, thereby reducing the trust in a single entity. We combine these notions and introduce the concept of an undetachable threshold signature scheme, which enables constrained signing power to be distributed across multiple agents, thus reducing the necessary trust in single agent platforms. We also provide an RSA-based example of such a scheme based on a combination of Shoup&apos;s threshold signature scheme, [7] and Kotzanikolaou et al&apos;s undetachable signature scheme, [3]

Threshold password-authenticated key exchange

Abstract. In most password-authenticated key exchange systems there is a single server storing password verification data. To provide some resilience against server compromise, this data typically takes the form of a one-way function of the password (and possibly a salt, or other public values), rather than the password itself. However, if the server is compromised, this password verification data can be used to perform an offline dictionary attack on the user’s password. In this paper we propose an efficient password-authenticated key exchange system involving a set of servers, in which a certain threshold of servers must participate in the authentication of a user, and in which the compromise of any fewer than that threshold of servers does not allow an attacker to perform an offline dictionary attack. We prove our system is secure in the random oracle model under the Decision Diffie-Hellman assumption against an attacker that may eavesdrop on, insert, delete, or modify messages between the user and servers, and that compromises fewer than that threshold of servers.

A critical evaluation of network and pathway based classifiers for outcome prediction in breast cancer

Recently, several classifiers that combine primary tumor data, like gene expression data, and secondary data sources, such as protein-protein interaction networks, have been proposed for predicting outcome in breast cancer. In these approaches, new composite features are typically constructed by aggregating the expression levels of several genes. The secondary data sources are employed to guide this aggregation. Although many studies claim that these approaches improve classification performance over single gene classifiers, the gain in performance is difficult to assess. This stems mainly from the fact that different breast cancer data sets and validation procedures are employed to assess the performance. Here we address these issues by employing a large cohort of six breast cancer data sets as benchmark set and by performing an unbiased evaluation of the classification accuracies of the different approaches. Contrary to previous claims, we find that composite feature classifiers do not outperform simple single gene classifiers. We investigate the effect of (1) the number of selected features; (2) the specific gene set from which features are selected; (3) the size of the training set and (4) the heterogeneity of the data set on the performance of composite feature and single gene classifiers. Strikingly, we find that randomization of secondary data sources, which destroys all biological information in these sources, does not result in a deterioration in performance of composite feature classifiers. Finally, we show that when a proper correction for gene set size is performed, the stability of single gene sets is similar to the stability of composite feature sets. Based on these results there is currently no reason to prefer prognostic classifiers based on composite features over single gene classifiers for predicting outcome in breast cancer

Verifiable Elections That Scale for Free

In order to guarantee a fair and transparent voting process, electronic voting schemes must be verifiable. Most of the time, however, it is important that elections also be anonymous. The notion of a verifiable shuffle describes how to satisfy both properties at the same time: ballots are submitted to a public bulletin board in encrypted form, verifiably shuffled by several mix servers (thus guaranteeing anonymity), and then verifiably decrypted by an appropriate threshold decryption mechanism. To guarantee transparency, the intermediate shuffles and decryption results, together with proofs of their correctness, are posted on the bulletin board throughout this process. In this paper, we present a verifiable shuffle and threshold decryption scheme in which, for security parameter k, L voters, M mix servers, and N decryption servers, the proof that the end tally corresponds to the original encrypted ballots is only O(k(L + M + N)) bits long. Previous verifiable shuffle constructions had proofs of size O(kLM + kLN), which, for elections with thousands of voters, mix servers, and decryption servers, meant that verifying an election on an ordinary computer in a reasonable amount of time was out of the question. The linchpin of each construction is a controlled-malleable proof (cm-NIZK), which allows each server, in turn, to take a current set of ciphertexts and a proof that the computation done by other servers has proceeded correctly so far. After shuffling or partially decrypting these ciphertexts, the server can also update the proof of correctness, obtaining as a result a cumulative proof that the computation is correct so far. In order to verify the end result, it is therefore sufficient to verify just the proof produced by the last server

Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme

We show how to build distributed key generation and distributed decryption procedures for the LIMA Ring-LWE based post-quantum cryptosystem. Our protocols implement the CCA variants of distributed decryption and are actively secure (with abort) in the case of three parties and honest majority. Our protocols make use of a combination of problem specific MPC protocols, generic garbled circuit based MPC and generic Linear Secret Sharing based MPC. We also, as a by-product, report on the first run-times for the execution of the SHA-3 function in an MPC system