Conference Paper

Classification of Ideal Homomorphic Threshold Schemes over Finite Abelian Groups (Extended Abstract).


Abstract

Threshold schemes allow any t out of l individuals to recompute a secret (key). General sharing schemes are a generalization. In homomorphic sharing schemes the "product" of shares of the keys gives a share of the product of the keys. We prove that there exist infinitely many Abelian groups over which there does not exist an ideal homomorphic threshold scheme. Additionally we classify ideal homomorphic general sharing schemes. We discuss the potential impact of our result on the construction of general sharing schemes.
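The homomorphic property described in the abstract, as an added example that is not part of the paper: Shamir's scheme over the prime-order group Z_p is an ideal t-out-of-l threshold scheme in which combining shares component-wise (the group operation, here addition mod p) yields shares of the combined keys, and the l-out-of-l additive scheme shows the same property over Z_m for arbitrary m, where no field structure is available. The prime P, the parameters t and l, and the sample keys are constructed choices.

```python
"""Added example: ideal homomorphic threshold sharing over finite abelian groups.

Shamir's polynomial scheme over Z_p (p prime) is ideal (share size equals key
size) and homomorphic: the share-wise sum of shares of two keys is a valid
sharing of the sum of the keys.  The additive scheme works over Z_m for any m.
"""
import secrets
from itertools import combinations

P = 2**127 - 1  # constructed choice of prime; the key space is Z_P


def share(key, t, l, p=P, rng=secrets.randbelow):
    """Shamir: pick a random polynomial f of degree t-1 with f(0) = key over Z_p;
    participant i (1 <= i <= l) receives the share (i, f(i))."""
    if not (1 <= t <= l < p):
        raise ValueError("need 1 <= t <= l < p")
    coeffs = [key % p] + [rng(p) for _ in range(t - 1)]

    def f(x):  # Horner evaluation mod p
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % p
        return acc

    return {i: f(i) for i in range(1, l + 1)}


def reconstruct(shares, p=P):
    """Lagrange interpolation at x = 0 from any t (or more) shares {i: f(i)}."""
    key = 0
    for i, yi in shares.items():
        num = den = 1
        for j in shares:
            if j != i:
                num = num * (-j) % p
                den = den * (i - j) % p
        key = (key + yi * num * pow(den, -1, p)) % p
    return key


def combine_shares(a, b, p=P):
    """Homomorphic property: the group operation applied share-wise.
    Returns shares of key_a + key_b without anyone learning either key."""
    if a.keys() != b.keys():
        raise ValueError("shares must belong to the same participants")
    return {i: (a[i] + b[i]) % p for i in a}


def every_threshold_subset_recovers(shares, t, key, p=P):
    """Check that all t-subsets of the l shares reconstruct the same key."""
    return all(reconstruct(dict(sub), p) == key % p
               for sub in combinations(shares.items(), t))


def additive_share(key, l, m, rng=secrets.randbelow):
    """Ideal homomorphic l-out-of-l scheme over Z_m for any m >= 2:
    l-1 uniformly random group elements and one element fixing the sum."""
    shares = [rng(m) for _ in range(l - 1)]
    shares.append((key - sum(shares)) % m)
    return shares


def additive_reconstruct(shares, m):
    """All l shares are needed; their sum in Z_m is the key."""
    return sum(shares) % m


if __name__ == "__main__":
    k1, k2, t, l = 0xC0FFEE, 0xBEEF, 3, 5  # constructed sample keys and parameters
    s1, s2 = share(k1, t, l), share(k2, t, l)
    s_sum = combine_shares(s1, s2)
    print("every 3-subset of combined shares recovers k1+k2:",
          every_threshold_subset_recovers(s_sum, t, k1 + k2))
    a1, a2 = additive_share(7, 4, 12), additive_share(9, 4, 12)
    print("additive scheme over Z_12, 7 + 9 mod 12 =",
          additive_reconstruct([(x + y) % 12 for x, y in zip(a1, a2)], 12))
```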


... Frankel and Desmedt [16] have shown that in IHSSSs the share spaces are isomorphic to the secret space and are abelian. Furthermore, they introduced a technique that enables one to reduce the secret space of an IHSSS into any of its characteristic subgroups. ...
... For the reader who is not familiar with the concept of characteristic subgroups in group theory, we refer to Section 2.1. The majority of contributions on IHSSSs [17,16,14,27] involve characterizing the groups that can be the secret space in an IHSSS. For example, the result of Frankel and Desmedt is equivalent to the following statement: A group G is the secret space of an IHSSS for an access structure if and only if any Sylow subgroup of G is the secret space of an IHSSS for that access structure. ...
... Let S = (S_i)_{i∈Q} be an IHSSS realizing Γ. As every participant is important in Γ, it holds that S_i ≅ S_0 for all i ∈ P [16], implying that all S_i's are abelian. In the rest of the paper, for simplicity, we assume that S_i = S_0 for every i ∈ P in IHSSSs. ...
Article
In 1992, Frankel and Desmedt introduced a technique that enables one to reduce the secret space of an ideal homomorphic secret sharing scheme (IHSSS) into any of its characteristic subgroups. In this paper, we propose a similar technique to reduce the secret space of IHSSSs called the quotient technique. By using the quotient technique, we show that it is possible to yield an ideal linear scheme from an IHSSS for the same access structure, providing an alternative proof of a recent result by Jafari and Khazaei. Moreover, we introduce the concept of decomposition of secret sharing schemes. We give a decomposition for IHSSSs, and as an application, we present a necessary and sufficient condition for an IHSSS to be mixed-linear. Continuing this line of research, we explore the decomposability of some other scheme classes.
... Our next result shows that the duality holds for ideal homomorphic SSSs. 3. On ideal homomorphic SSSs: In another seminal work [39], Frankel and Desmedt showed that in ideal (perfect) homomorphic schemes, the share spaces are isomorphic to the secret space and are abelian. Subsequently, several works addressed the characterization of ideal homomorphic SSSs [23,31,40,57,79]. ...
... We need the following lemma in order to prove our main result of this section. Part (II) has been proved by Frankel, Desmedt and Burmester in [40] and Part (III) was proved in a subsequent work by Frankel and Desmedt in [39]. For completeness, we provide a simple and clean proof. ...
Article
Homomorphic (resp. abelian) secret sharing is a generalization of ubiquitous linear secret sharing in which the secret value and the shares are taken from finite (resp. abelian) groups instead of vector spaces over a finite field. Homomorphic secret sharing was first defined by Benaloh and, later in the early nineties, Frankel and Desmedt presented some relevant results. Except for a few other related topics such as black-box secret sharing and secret sharing over rings, the subject has remained dormant for about three decades. The study of homomorphic secret sharing is resumed in this paper and three main results are presented: (1) mixed-linear schemes, a subclass of abelian schemes to be introduced in this paper, are more powerful than linear schemes in terms of the best achievable information ratio (the claim is proved for the port of a well-known almost entropic matroid), (2) the information ratios of dual access structures are equal for the class of abelian schemes and (3) every ideal homomorphic scheme can be transformed into an ideal linear scheme with the same access structure.
... In 1992, Frankel, Desmedt and Burmester [22] proved that in perfect HSSSs, the secret space is an abelian group. In a subsequent work, Frankel and Desmedt [21] showed that when the scheme is ideal (i.e., all share sizes are the same as the secret size), the share spaces are all isomorphic to the secret space, and hence abelian too. Despite several subsequent attempts [17,37,42,14], characterization of ideal perfect HSSSs remained an open problem for a long time. ...
Article
A group-characterizable (GC) random variable is induced by a finite group, called main group, and a collection of its subgroups. The notion extends directly to secret sharing schemes (SSSs). It is known that linear and abelian SSSs can be equivalently described in terms of GC SSSs. In this paper, we present a necessary and sufficient condition for a SSS to be equivalent to a GC one. Using this result, we show that homomorphic SSSs (HSSSs) are equivalent to GC SSSs whose subgroups are normal in the main group. We also present two applications for this equivalent description of HSSSs. One concerns lower bounding the information ratio of access structures for the class of HSSSs, and the other is about the coincidence between statistical, almost-perfect and perfect security notions for the same class.
... Introduced by Shamir and Blakley independently in [50] and [9], secret sharing is a very well studied, as well as practically implemented, primitive. Due to its ample applications in secure multiparty computation [8,16,27], threshold cryptography [21,25], private information retrieval [19,28] and many other primitives, secret sharing has gained humongous popularity in the past four decades. ...
Chapter
A (k, L, n) ramp secret sharing scheme allows a dealer to share a secret vector with a lesser share size compared to threshold secret sharing schemes. In this work, we formalize the definition of cheating in ramp secret sharing schemes and propose two constructions. The proposed constructions of ramp secret sharing scheme are capable of cheating detection even if n−1 out of n participants conspire against the single honest participant and try to convince him of a valid but incorrect secret. This is the strongest possible adversarial setup known as the CDV_{n−1} model of cheating. Moreover, we consider arbitrary secret distribution on the space of secrets. To the best of our knowledge, we are the first to address cheating in ramp setup against n−1 cheaters. Both the constructions proposed in this work are optimal cheating resilient against a centralized adversary with unbounded computational resources.
... Karnin, Greene and Hellman [9] were the first to consider such schemes; their work was concentrated in the area of Galois fields. Some examples of recent work in the area of linear secret sharing occur in [7,6,8]. ...
Conference Paper
In a k out of n threshold signature scheme the secret key is distributed to n participants, so that any subset B of participants, with |B| ≥ k, can combine their shares to form a signature, while any subset of cardinality ≤ k−1 gain no information about the signature. In democratic organizations the number of users vary temporally while maintaining the relationship k = ⌊n/2⌋+1. The manner in which a legislature votes is similar to a threshold signature scheme, and the power to sign is similar to possessing shares to sign. The transfer of power to sign is an integral part of democracy. In recent work, redistribution schemes have been developed that allow one to vary the threshold k and the number of users n. However, these solutions require parties to delete their shares, which is often an unrealistic assumption. Here we provide a model for democratic bodies and solve the related problem of assuring an orderly and verifiable transfer of power as the size of the body varies.
... Homomorphic secret sharing schemes were introduced in [1]. Since then a number of papers have provided examples and discussed applications, for example, [2], [8], [10], and [11]. The definition we present here is slightly more general and rigorous than those appearing in previous papers. ...
Article
Traditional secret sharing schemes involve the use of a mutually trusted authority to assist in the generation and distribution of shares that will allow a secret to be protected among a set of participants. In contrast, this paper addresses the problem of establishing secret sharing schemes for a given access structure without the use of a mutually trusted authority. A general protocol is discussed and several implementations of this protocol are presented. Several efficiency measures are proposed and we consider how to refine the general protocol in order to improve the efficiency with respect to each of the proposed measures. Special attention is given to mutually trusted authority-free threshold schemes. Constructions are presented for such threshold schemes that are shown to be optimal with respect to each of the proposed efficiency measures.
... Secret sharing schemes that are linear are also easy to construct. In particular schemes that are homomorphic [1,9] are useful, because schemes that are homomorphic to themselves (informally, two sets of shares, and secret, can be combined to obtain a third set of shares, and secret, in the same scheme) are linear [11]. Of particular interest are schemes that are homomorphic to themselves with respect to addition over Z p . ...
Article
This paper is concerned with key escrow protocols for use in international communications environments, where communication domains do not necessarily trust one another. It is concerned particularly with systems where users place their trust collectively with groups of trusted third parties. We consider two different protocols, discuss and improve their efficiency and generalise the type of key splitting.
1 Introduction. There is a great deal of current interest in key escrow protocols, loosely defined as systems that protect data using conventional cryptographic methods but, under special circumstances, make it possible for the cryptographic protection to be circumvented allowing access to either the data itself, or some cryptographic key that protects it. Such a circumstance is when law enforcement agencies have a warrant to obtain access to certain specified communications. For an introduction to many of the existing key escrow systems see [5]. Most proposed key escrow schemes rel...
Article
Dougherty et al. introduced the common information (CI) method as a method to produce non-Shannon inequalities satisfied by linear random variables, which are called linear rank inequalities. This method is based on the fact that linear random variables have CI. Dougherty et al. asked whether this method is complete, in the sense that it can be used to produce all linear rank inequalities. We study this question, and we attack it using the theory of secret sharing schemes. To this end, we introduce the notions of Abelian secret sharing scheme and Abelian capacity. We prove that: If there exists an access structure whose Abelian capacity is smaller than its linear capacity, then the CI method is not complete. We investigate the existence of such an access structure.
Article
In the traditional scenario in cryptography there is one sender, one receiver and an active or passive eavesdropper who is an opponent. Large bank transactions require two people to sign, implying two senders. So the power to generate a valid transaction is shared. Threshold cryptography allows one to share the power of a cryptosystem. Threshold cryptosystems are distinct from threshold schemes in which the power to regenerate a secret key is shared. A normal threshold scheme is not directly suited for threshold signatures. Using a threshold scheme directly would require the shareholders to send their shares to a trusted person who would apply the cryptosystem for them. But the use of such a trusted person violates the main point of threshold cryptography. We motivate the need for threshold cryptosystems, overview the research in the field, and give some simple examples. We will conclude by giving a list of open problems.
Article
For a cyclic group G and an access structure A, the sufficient and necessary condition under which A is G-ideal homomorphic is given by using the fine-representation of the corresponding matroid over the ring Z_m. Furthermore, the classification of G-ideal homomorphic graphic access structures is shown.
Conference Paper
The notion of families of ideal threshold schemes (ITS) is introduced, and their properties and applications are investigated. We consider secret sharing schemes whose parameters can be adjusted. Our model is a threshold scheme family (TSF) whose threshold scheme parameters can be modified dynamically. Some applications of this model include schemes which have disenrollment capability, and a scheme to resist cheating.
Conference Paper
Multiplicative threshold schemes are useful tools in threshold cryptography. For example, such schemes can be used with a wide variety of practical homomorphic cryptosystems (such as the RSA, the El Gamal and elliptic curve systems) for threshold decryption, signatures, or proofs. The paper describes a new recursive construction for multiplicative threshold schemes which makes it possible to extend the number of users of such schemes for a relatively small expansion of the share size. We discuss certain properties of the schemes, such as the information rate and zero knowledge aspects. The paper extends the Karnin-Greene-Hellman bound on the parameters of ideal secret sharing schemes to schemes which are not necessarily ideal and then uses this as a yardstick to compare the performance of currently known multiplicative sharing schemes.
Conference Paper
We study perfectly secure message transmission (PSMT) from a sender S to a receiver R in the general adversary model. In this model, instead of being bounded by a threshold, the Byzantine adversary in a network is characterized by an adversary structure. By regarding monotone general access structures as linear codes, we introduce some new properties that allow us to design efficient PSMT protocols. We give a number of efficient PSMT protocols in both undirected and directed network graphs. These protocols comprehensively improve the transmission complexity of some previous results in this area. More significantly, as all of our protocols are executed in either 3 or 2 rounds, our result is the first, in the context of PSMT in the general adversary model, to have constant round complexity when using interaction.
Conference Paper
In a perfect secret sharing scheme, it is known that log₂|V̂_i| ≥ H(S), where S is a secret and V̂_i is the share of user i. On the other hand, log₂|Ŝ| ≥ H(S), where Ŝ is the domain of S. The equality holds if and only if S is uniformly distributed. Therefore, if S is uniformly distributed, we have |V̂_i| ≥ |Ŝ|. However, if S is not uniformly distributed, log₂|Ŝ| > H(S). In this case, we have log₂|V̂_i| ≥ H(S) < log₂|Ŝ|. Then, which is bigger, |V̂_i| or |Ŝ|? The answer is not known. In this paper, we first prove that |V̂_i| ≥ |Ŝ| for any distribution of S by using a combinatorial argument. This is a sharper lower bound on |V̂_i| for not uniformly distributed S. Our proof also makes it intuitively clear why |V̂_i| must be so large. Further, we show an extension of our combinatorial technique for some access structures.
Conference Paper
We address the following problem: given a random seed secretly shared among a group of individuals, non-interactively generate pieces corresponding to a much longer shared pseudorandom sequence. Shared randomness is an essential resource in distributed computing and non-interactive ways of generating it can be useful in applications such as Byzantine Agreement, common coin flipping or secure computation protocols. Our first result is negative: well known cryptographically strong pseudorandom number generators cannot be evaluated without interaction and, in particular, it is shown that constructions that recursively apply a one-way function to a random seed and output at each iteration the simultaneously hard bits in the input of the one-way function are actually incompatible with a homomorphic evaluation. On the other hand, we show that pseudorandom generators that can be both proven cryptographically strong and sharedly evaluated without interaction do exist. A concrete implementation, under the RSA assumption, is described.
Conference Paper
A secret sharing scheme (SSS) is homomorphic, if the products of shares of secrets are shares of the product of secrets. For a finite abelian group G, an access structure A is G-ideal homomorphic, if there exists an ideal homomorphic SSS realizing the access structure A over the secret domain G. An access structure A is universally ideal homomorphic, if for any non-trivial finite abelian group G, A is G-ideal homomorphic. A black-box SSS is a special type of homomorphic SSS, which works over any non-trivial finite abelian group. In such a scheme, participants only have black-box access to the group operation and random group elements. A black-box SSS is ideal, if the size of the secret sharing matrix is the same as the number of participants. An access structure A is black-box ideal, if there exists an ideal black-box SSS realizing A. In this paper, we study universally ideal homomorphic and black-box ideal access structures, and prove that an access structure A is universally ideal homomorphic (black-box ideal) if and only if there is a regular matroid appropriate for A.
Conference Paper
This paper shows that nonperfect secret sharing schemes (NSS) have matroid structures and presents a direct link between the secret sharing matroids and entropy for both perfect and nonperfect schemes. We define natural classes of NSS and derive a lower bound of |V_i| for those classes. "Ideal" nonperfect schemes are defined based on this lower bound. We prove that every such ideal secret sharing scheme has a matroid structure. The rank function of the matroid is given by the entropy divided by some constant. It satisfies a simple equation which represents the access level of each subset of participants.
Article
INTRODUCTION In this chapter we continue our exposition of the crypto topics which was begun in the previous chapter. This chapter covers: Secret Sharing, Threshold Cryptography, Signature Schemes, and finally Quantum Key Distribution and Quantum Cryptography. As in the previous chapter, we have focussed only on the essentials of each topic. We have included in the bibliography sufficient items which can be consulted for further details. First we give a synopsis of the topics which are discussed in this chapter. Secret sharing is concerned with the problem of how to distribute a secret among a group of participating individuals, or entities, so that only pre-designated collections of individuals are able to recreate the secret by collectively combining the parts of the secret which were allocated to them. There are numerous applications of secret sharing schemes in practice. One example of secret sharing occurs in banking. For instance, the combination to a vault may be distributed
Conference Paper
A presentation is made of a scheme for distributing a key to n users in such a way as to require at least k of them (k less than n) to be present to construct the original key. The scheme has the property that up to k−1 defections can be tolerated. It can be implemented simply and efficiently.
Article
A "secret sharing system" permits a secret to be shared among n trustees in such a way that any k of them can recover the secret, but any k-1 have complete uncertainty about it. A linear coding scheme for secret sharing is exhibited which subsumes the polynomial interpolation method proposed by Shamir and can also be viewed as a deterministic version of Blakley's probabilistic method. Bounds on the maximum value of n for a given k and secret size are derived for any system, linear or nonlinear. The proposed scheme achieves the lower bound which, for practical purposes, differs insignificantly from the upper bound. The scheme may be extended to protect several secrets. Methods to protect against deliberate tampering by any of the trustees are also presented.
Conference Paper
In 1979, Blakley and Shamir independently proposed schemes by which a secret can be divided into many shares which can be distributed to mutually suspicious agents. This paper describes a homomorphism property attained by these and several other secret sharing schemes which allows multiple secrets to be combined by direct computation on shares. This property reduces the need for trust among agents and allows secret sharing to be applied to many new problems. One application described here gives a method of verifiable secret sharing which is much simpler and more efficient than previous schemes. A second application is described which gives a fault-tolerant method of holding verifiable secret-ballot elections.
Article
The science of information integrity deals with a number of primitive functions for information: secrecy, authentication, digital signatures, etc. One of the most important of these is a means to distribute the capability to initiate an action or to reconstitute a piece of information amongst a group of participants in such a way that only designated subsets of them will be able to do so. Simmons has shown that with no loss of generality this problem is equivalent to the construction of geometrical configurations whose incidence and spanning properties parallel the desired control properties. The truly novel result reported here, though, is that these geometrical configurations can be found through the manipulation of Boolean logical expressions. An algorithm is given which operates on the logical description of the desired control function to produce another logical expression that uniquely defines one of the desired geometrical configurations. Although there are other instances of geometrical configurations being instrumental to the solution of applied problems – notably in coding theory – the authors know of no other example of a marriage of logic and geometry analogous to the one described here.
Article
Shamir's scheme for sharing secrets is closely related to Reed-Solomon coding schemes. Decoding algorithms for Reed-Solomon codes provide extensions and generalizations of Shamir's method.
Article
A secret sharing scheme is one of the various methods to protect a secret datum d from leakage. In a scheme, a datum d is broken into pieces which are shared by a set P of trustees. The family {P' ⊆ P : P' can reconstruct the datum d} is called the access structure of the secret sharing scheme. Shamir's (k,n)-threshold scheme can realize only the access structure {P' ⊆ P : |P'| ≥ k}. The authors provide a methodology to design a secret sharing scheme realizing any given access structure.
Conference Paper
Secret sharing from the perspective of threshold schemes has been well-studied over the past decade. Threshold schemes, however, can only handle a small fraction of the secret sharing functions which we may wish to form. For example, if it is desirable to divide a secret among four participants A, B, C, and D in such a way that either A together with B can reconstruct the secret or C together with D can reconstruct the secret, then threshold schemes (even with weighting) are provably insufficient. This paper will present general methods for constructing secret sharing schemes for any given secret sharing function. There is a natural correspondence between the set of "generalized" secret sharing functions and the set of monotone functions, and tools developed for simplifying the latter set can be applied equally well to the former set.
Conference Paper
Homomorphic threshold schemes were introduced by Benaloh and have found several applications. In this paper we prove that there do not exist perfect finite homomorphic general monotone sharing schemes for which the key space is a finite non-Abelian group (except for very particular access structures). This result is valid for the most general case, e.g., if each participant receives shares from different sets and when these sets are not necessarily groups. We extend the definition of homomorphic threshold scheme to allow that the homomorphic property is valid for two operations. When the set of keys is a finite Boolean algebra or a Galois field then there does not exist a perfect finite two-operation-homomorphic general sharing scheme.
Conference Paper
Often it is desired that the power to sign or authenticate messages is shared. This paper presents methods to collectively generate RSA signatures, provably secure authenticators and unconditionally secure authenticators. In the new schemes, l individuals are given shares such that k ≤ l are needed to generate a signature (authenticator) but less than k can not. When the k people have finished signing (authenticating), nobody can perform an impersonation or substitution attack. These schemes are called threshold signature (authentication) schemes. Clearly these schemes are better than each of the k individuals sending a separate authenticator for each message or if each of the k individuals each send their share to a “trusted” person who will sign for them. In all of the schemes we assume that the shareholders (senders) and receiver have secure workstations but the network and servers are not necessarily secure.
Article
We investigate the combinatorial properties of threshold schemes. Informally, a (t, w)-threshold scheme is a way of distributing partial information (shadows) to w participants, so that any t of them can easily calculate a key, but no subset of fewer than t participants can determine the key. Our interest is in perfect threshold schemes: no subset of fewer than t participants can determine any partial information regarding the key. We give a combinatorial characterization of a certain type of perfect threshold scheme. We also investigate the maximum number of keys which a perfect (t, w)-threshold scheme can incorporate, as a function of t, w, and the total number of possible shadows, v. This maximum can be attained when there is a Steiner system S(t, w, v) which can be partitioned into Steiner systems S(t-1, w, v). Using known constructions for such Steiner systems, we present two new classes of perfect threshold schemes, and discuss their implementation.
Article
In a secret sharing scheme a dealer has a secret key. There is a finite set P of participants and a set Γ of subsets of P. A secret sharing scheme with Γ as the access structure is a method which the dealer can use to distribute shares to each participant so that a subset of participants can determine the key if and only if that subset is in Γ. The share of a participant is the information sent by the dealer in private to the participant. A secret sharing scheme is ideal if any subset of participants who can use their shares to determine any information about the key can in fact actually determine the key, and if the set of possible shares is the same as the set of possible keys. In this paper we show a relationship between ideal secret sharing schemes and matroids.
Article
An Information Dispersal Algorithm (IDA) is developed that breaks a file F of length L = |F| into n pieces F_i, 1 ≤ i ≤ n, each of length |F_i| = L/m, so that every m pieces suffice for reconstructing F. Dispersal and reconstruction are computationally efficient. The sum of the lengths |F_i| is (n/m) · L. Since n/m can be chosen to be close to 1, the IDA is space efficient. IDA has numerous applications to secure and reliable storage of information in computer networks and even on single disks, to fault-tolerant and efficient transmission of information in networks, and to communications between processors in parallel computers. For the latter problem provably time-efficient and highly fault-tolerant routing on the n-cube is achieved, using just constant size buffers.
Article
In this paper we show how to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k - 1 pieces reveals absolutely no information about D. This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfortunes destroy half the pieces and security breaches expose all but one of the remaining pieces.
Conference Paper
The problems of cryptography and secrecy systems furnish an interesting application of communication theory. In this paper a theory of secrecy systems is developed. The approach is on a theoretical level and is intended to complement the treatment found in standard works on cryptography. There, a detailed study is made of the many standard types of codes and ciphers, and of the ways of breaking them. We will be more concerned with the general mathematical structure and properties of secrecy systems.