A perfect threshold secret sharing scheme to identify cheaters

In this paper we consider the problem of identifying cheaters in secret sharing schemes. Rabin and Ben-Or presented a perfect and unconditionally secure secret sharing scheme in which the honest participants are able to identify the cheaters. We present a similar scheme, but one in which the information distributed to each participant is smaller.     

Secret Sharing Schemes with Detection of Cheaters for a General Access Structure

In a secret sharing scheme, some participants can lie about the value of their shares when reconstructing the secret in order to obtain some illicit benefit. We present in this paper two methods to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack. The schemes obtained by the first method are robust, that is, cheaters are detected with high probability even if they know the value of the secret. The second method provides secure schemes, in which cheaters that do not know the secret are detected with high probability. When applied to ideal linear secret sharing schemes, our methods provide robust and secure schemes whose relation between the probability of cheating and the information rate is almost optimal. Besides, those methods make it possible to construct robust and secure schemes for any access structure.     

Unconditionally Secure Group Authentication

Group authentication schemes as introduced by Boyd and by Desmedt and Frankel are cryptographic schemes in which only certain designated groups can provide messages with authentication information. In this paper we study unconditionally secure group authentication schemes based on linear perfect secret sharing and authentication schemes, for which we give expressions for the probabilities of successful attacks. Furthermore, we give a construction that uses maximum rank distance codes.     

On-line secret sharing

In a perfect secret sharing scheme the dealer distributes shares to participants so that qualified subsets can recover the secret, while unqualified subsets have no information on the secret. In an on-line secret sharing scheme the dealer assigns shares in the order the participants show up, knowing only those qualified subsets whose all members she has seen. We often assume that the overall access structure (the set of minimal qualified subsets) is known and only the order of the participants is unknown. On-line secret sharing is a useful primitive when the set of participants grows in time, and redistributing the secret when a new participant shows up is too expensive. In this paper we start the investigation of unconditionally secure on-line secret sharing schemes. The complexity of a secret sharing scheme is the size of the largest share a single participant can receive over the size of the secret. The infimum of this amount in the on-line or off-line setting is the on-line or off-line complexity of the access structure, respectively. For paths on at most five vertices and cycles on at most six vertices the on-line and offline complexities are equal, while for other paths and cycles these values differ. We show that the gap between these values can be arbitrarily large even for graph based access structures. We present a general on-line secret sharing scheme that we call first-fit. Its complexity is the maximal degree of the access structure. We show, however, that this on-line scheme is never optimal: the on-line complexity is always strictly less than the maximal degree. On the other hand, we give examples where the first-fit scheme is almost optimal, namely, the on-line complexity can be arbitrarily close to the maximal degree. The performance ratio is the ratio of the on-line and off-line complexities of the same access structure. We show that for graphs the performance ratio is smaller than the number of vertices, and for an infinite family of graphs the performance ratio is at least constant times the square root of the number of vertices.     

Secret sharing schemes with partial broadcast channels

In a conventional secret sharing scheme a dealer uses secure point-to-point channels to distribute the shares of a secret to a number of participants. At a later stage an authorised group of participants send their shares through secure point-to-point channels to a combiner who will reconstruct the secret. In this paper, we assume no point-to-point channel exists and communication is only through partial broadcast channels. A partial broadcast channel is a point-to-multipoint channel that enables a sender to send the same message simultaneously and privately to a fixed subset of receivers. We study secret sharing schemes with partial broadcast channels, called partial broadcast secret sharing schemes. We show that a necessary and sufficient condition for the partial broadcast channel allocation of a (t, n)-threshold partial secret sharing scheme is equivalent to a combinatorial object called a cover-free family. We use this property to construct a (t, n)-threshold partial broadcast secret sharing scheme with O(log n) partial broadcast channels. This is a significant reduction compared to n point-to-point channels required in a conventional secret sharing scheme. Next, we consider communication rate of a partial broadcast secret sharing scheme defined as the ratio of the secret size to the total size of messages sent by the dealer. We show that the communication rate of a partial broadcast secret sharing scheme can approach 1/O(log n) which is a significant increase over the corresponding value, 1/n, in the conventional secret sharing schemes. We derive a lower bound on the communication rate and show that for a (t,n)-threshold partial broadcast secret sharing scheme the rate is at least 1/t and then we propose constructions with high communication rates. We also present the case of partial broadcast secret sharing schemes for general access structures, discuss possible extensions of this work and propose a number of open problems.      

Properties and constraints of cheating-immune secret sharing schemes

A secret sharing scheme is a cryptographic protocol by means of which a dealer shares a secret among a set of participants in such a way that it can be subsequently reconstructed by certain qualified subsets. The setting we consider is the following: in a first phase, the dealer gives in a secure way a piece of information, called a share, to each participant. Then, participants belonging to a qualified subset send in a secure way their shares to a trusted party, referred to as a combiner, who computes the secret and sends it back to the participants.Cheating-immune secret sharing schemes are secret sharing schemes in the above setting where dishonest participants, during the reconstruction phase, have no advantage in sending incorrect shares to the combiner (i.e., cheating) as compared to honest participants. More precisely, a coalition of dishonest participants, by using their correct shares and the incorrect secret supplied by the combiner, have no better chance in determining the true secret (that would have been reconstructed if they submitted correct shares) than an honest participant.In this paper we study properties and constraints of cheating-immune secret sharing schemes. We show that a perfect secret sharing scheme cannot be cheating-immune. Then, we prove an upper bound on the number of cheaters tolerated in such schemes. We also repair a previously proposed construction to realize cheating-immune secret sharing schemes. Finally, we discuss some open problems.     

Multi-party computation with conversion of secret sharing

Classical results in unconditionally secure multi-party computation (MPC) protocols with a passive adversary indicate that every n-variate function can be computed by n participants, such that no set of size t < n/2 participants learns any additional information other than what they could derive from their private inputs and the output of the protocol. We study unconditionally secure MPC protocols in the presence of a passive adversary in the trusted setup (‘semi-ideal’) model, in which the participants are supplied with some auxiliary information (which is random and independent from the participant inputs) ahead of the protocol execution (such information can be purchased as a “commodity” well before a run of the protocol). We present a new MPC protocol in the trusted setup model, which allows the adversary to corrupt an arbitrary number t < n of participants. Our protocol makes use of a novel subprotocol for converting an additive secret sharing over a field to a multiplicative secret sharing, and can be used to securely evaluate any n-variate polynomial G over a field F, with inputs restricted to non-zero elements of F. The communication complexity of our protocol is O(ℓ · n ²) field elements, where ℓ is the number of non-linear monomials in G. Previous protocols in the trusted setup model require communication proportional to the number of multiplications in an arithmetic circuit for G; thus, our protocol may offer savings over previous protocols for functions with a small number of monomials but a large number of multiplications.     

Wide minimal binary linear codes from the general Maiorana–McFarland class

Designs, Codes and Cryptography - Minimal linear codes form a special class of linear codes that have important applications in secret sharing and secure two-party computation. These codes are...     

Commitment and authentication systems

In the present paper, we answer a question raised in the paper Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes, by Blundo et al., 2002, showing that there is a close relation between unconditionally secure commitment schemes and unconditionally secure authentication schemes, and that an unconditionally secure commitment scheme can be built from such an authentication scheme and an unconditionally secure cipher system. To investigate the opposite direction, we define optimal commitment systems and show that these must be resolvable design commitment schemes. Then, a proof is given that the resolvable design commitment schemes are a composition of an authentication system and a cipher system and the conclusion follows that this is the case for all optimal commitment systems. We also show how to build optimal schemes from transversal designs that are easy to build and can be more efficiently implemented than the proposal in the previously cited paper.     

Bounds and Characterizations of Authentication/Secrecy Schemes

We consider authentication/secrecy schemes from the information theoretic approach. We extend results on unconditionally secure authentication schemes and then consider unconditionally secure authentication schemes that offer perfect L-fold secrecy. We consider both ordered and unordered secrecy. We establish entropy bounds on the encoding rules for authentication schemes with these types of secrecy. We provide some combinatorial characterizations and constructions for authentication schemes having perfect L-fold secrecy that meet these bounds.     

Paillier-based publicly verifiable (non-interactive) secret sharing

A verifiable secret sharing is a secret sharing scheme with an untrusted dealer that allows participants to verify validity of their own shares. A publicly verifiable secret sharing (PVSS) scheme is a verifiable secret sharing scheme that allows a third party to verify correctness of the distributed shares. We propose an efficient non-interactive PVSS scheme using Paillier additively homomorphic encryption system, and analyze its security in a model that we define in line with the classic semantic-security definition and offering stronger security compared to the previous models. We reduce security of our PVSS scheme to the well studied decisional composite residuosity assumption in this model.     

Geometrical contributions to secret sharing theory

Finite geometry has found applications in many different fields and practical environments. We consider one such application, to the theory of secret sharing, where finite projective geometry has proved to be very useful, both as a modelling tool and as a means to establish interesting results. A secret sharing scheme is a means by which some secret data can be shared among a group of entities in such a way that only certain subsets of the entities can jointly compute the secret. Secret sharing schemes are useful for information security protocols, where they can be used to jointly protect cryptographic keys or provide a means of access control. We review the contribution of finite projective geometry to secret sharing theory, highlighting results and techniques where its use has been of particular significance.     

Constructions and Bounds for Unconditionally Secure Non-Interactive Commitment Schemes

Commitment schemes have been extensively studied since they were introduced by Blum in 1982. Rivest recently showed how to construct unconditionally secure non-interactive commitment schemes, assuming the existence of a trusted initializer. In this paper, we present a formal mathematical model for unconditionally secure non-interactive commitment schemes with a trusted initializer and analyze their binding and concealing properties. In particular, we show that such schemes cannot be perfectly binding: there is necessarily a small probability that Alice can cheat Bob by committing to one value but later revealing a different value. We prove several bounds on Alice's cheating probability, and present constructions of schemes that achieve optimal cheating probabilities. We also analyze a class of commitment schemes based on resolvable designs.     

Perfect Secret Sharing Schemes on Five Participants

A perfect secret sharing scheme is a system for the protection of a secret among a number of participants in such a way that only certain subsets of these participants can reconstruct the secret, and the remaining subsets can obtain no additional information about the secret. The efficiency of a perfect secret sharing scheme can be assessed in terms of its information rates. In this paper we discuss techniques for obtaining bounds on the information rates of perfect secret sharing schemes and illustrate these techniques using the set of monotone access structures on five participants. We give a full listing of the known information rate bounds for all the monotone access structures on five participants.     

Detection of Cheaters in Vector Space Secret Sharing Schemes

A perfect secret sharing scheme is a method of distributing shares of a secret among a set P of participants in such a way that only qualified subsets of P can reconstruct the secret from their shares and non-qualified subsets have absolutely no information on the value of the secret. In a secret sharing scheme, some participants could lie about the value of their shares in order to obtain some illicit benefit. Therefore, the security against cheating is an important issue in the implementation of secret sharing schemes. Two new secret sharing schemes in which cheaters are detected with high probability are presented in this paper. The first one has information rate equal to 1/2 and can be implemented not only in threshold structures, but in a more general family of access structures. We prove that the information rate of this scheme is almost optimal among all schemes with the same security requirements. The second scheme we propose is a threshold scheme in which cheaters are detected with high probability even if they know the secret. The information rate is in this case 1/3 In both schemes, the probability of cheating successfully is a fixed value that is determined by the size of the secret.     

Shared Secret Reconstruction

In this paper we consider the secret reconstruction problem in a secret sharing scheme. We emphasize that a shared secret should be reconstructed in a fair way, i.e., all involved participants should have the same chance to be able to reconstruct the shared secret. We propose and analyze several methods to achieve such a fair reconstruction of shared secrets.     

Linear Secret Sharing Schemes and Rearrangements of Access Structures

In this paper we study linear secret sharing schemes by monotone span programs, according to the relation between realizing access structures by linear secret sharing schemes and computing monotone Boolean functions by monotone span programs. We construct some linear secret sharing schemes. Furthermore, we study the rearrangements of access structures that is very important in practice.     

Generalised Cumulative Arrays in Secret Sharing

Cumulative arrays have played an important role in the early development of the secret sharing theory. They have not been subject to extensive study so far, as the secret sharing schemes built on them generally result in much larger sizes of shares, when compared with other conventional approaches. Recent works in threshold cryptography show that cumulative arrays may be the appropriate building blocks in non-homomorphic threshold cryptosystems where the conventional secret sharing methods are generally of no use. In this paper we study several extensions of cumulative arrays and show that some of these extensions significantly improve the performance of conventional cumulative arrays. In particular, we derive bounds on generalised cumulative arrays and show that the constructions based on perfect hash families are asymptotically optimal. We also introduce the concept of ramp perfect hash families as a generalisation of perfect hash families for the study of ramp secret sharing schemes and ramp cumulative arrays.     

Practical unconditionally secure two-channel message authentication

We investigate unconditional security for message authentication protocols that are designed using two-channel cryptography. (Two-channel cryptography employs a broadband, insecure wireless channel and an authenticated, narrow-band manual channel at the same time.) We study both noninteractive message authentication protocols (NIMAPs) and interactive message authentication protocols (IMAPs) in this setting. First, we provide a new proof of nonexistence of nontrivial unconditionally secure NIMAPs. This proof consists of a combinatorial counting argument and is much shorter than the previous proof by Wang and Safavi-Naini, which was based on probability distribution arguments. We also prove a new result which holds in a weakened attack model. Further, we propose a generalization of an unconditionally secure 3-round IMAP due to Naor, Segev and Smith. The IMAP is based on two ?-Δ universal hash families. With a careful choice of parameters, our scheme improves that of Naor et al. Our scheme is very close to optimal for most parameter situations of practical interest. Finally, a variation of the 3-round IMAP is presented, in which only one hash family is required.     

Strategy-proofness and public good provision using referenda based on unequal cost sharing

The paper studies strategy-proof cost sharing rules for public good provision based on referenda with different threshold quotas. By appropriately relaxing the assumptions of individual rationality and anonymity we provide a complete characterization of the family of quota rules with (possibly) unequal pricing. We prove that these quota rules are the only cost sharing rules satisfying four conditions: strategy-proofness, non-bossiness, weak continuity and weak anonymity. In addition, the specification of the degree to which individual rationality may be violated results in the selection of a specific “quota” for the referendum. While all these rules are “almost” always efficient when providing the public good and they are also almost everywhere coalitionally strategy-proof, only one family of rules from this class satisfies these two properties everywhere. The rules satisfying these two properties are Moulin’s Conservative Equal Costs Rule and unequal cost sharing variants of Moulin’s rule.