Results 1  10
of
311
How to leak a secret
 PROCEEDINGS OF THE 7TH INTERNATIONAL CONFERENCE ON THE THEORY AND APPLICATION OF CRYPTOLOGY AND INFORMATION SECURITY: ADVANCES IN CRYPTOLOGY
, 2001
"... In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and ..."
Abstract

Cited by 1754 (4 self)
 Add to MetaCart
In this paper we formalize the notion of a ring signature, which makes it possible to specify a set of possible signers without revealing which member actually produced the signature. Unlike group signatures, ring signatures have no group managers, no setup procedures, no revocation procedures, and no coordination: any user can choose any set of possible signers that includes himself, and sign any message by using his secret key and the others ’ public keys, without getting their approval or assistance. Ring signatures provide an elegant way to leak authoritative secrets in an anonymous way, to sign casual email in a way which can only be verified by its intended recipient, and to solve other problems in multiparty computations. The main contribution of this paper is a new construction of such signatures which is unconditionally signerambiguous, provably secure in the random oracle model, and exceptionally efficient: adding each ring member increases the cost of signing or verifying by a single modular multiplication and a single symmetric encryption.
PROACTIVE SECRET SHARING Or: How to Cope With Perpetual Leakage
, 1998
"... Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For ..."
Abstract

Cited by 183 (12 self)
 Add to MetaCart
Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of n threshold schemes, security is assured if throughout the entire lifetime of the secret the adversary is restricted to compromise less than k of the n locations. For longlived and sensitive secrets this protection may be insufficient. We propose an efficient proactive secret sharing scheme, where shares are periodically renewed (without changing the secret) in such a way that information gained by the adversary in one time period is useless for attacking the secret after the shares are renewed. Hence, the adversary willing to learn the secret needs to break to all k locations during the same time period (e.g., one day, a week, etc.). Furthermore, in order to guarantee the availability and integrity of the secret, we provide mechanisms to detect maliciously (or accidentally) corrupted shares, as well as mechanisms to secretly recover the correct...
Attributebased encryption for finegrained access control of encrypted data
 In Proc. of ACMCCS’06
, 2006
"... As more sensitive data is shared and stored by thirdparty sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data, is that it can be selectively shared only at a coarsegrained level (i.e., giving another party your private key). We develop ..."
Abstract

Cited by 177 (17 self)
 Add to MetaCart
As more sensitive data is shared and stored by thirdparty sites on the Internet, there will be a need to encrypt data stored at these sites. One drawback of encrypting data, is that it can be selectively shared only at a coarsegrained level (i.e., giving another party your private key). We develop a new cryptosystem for finegrained sharing of encrypted data that we call KeyPolicy AttributeBased Encryption (KPABE). In our cryptosystem, ciphertexts are labeled with sets of attributes and private keys are associated with access structures that control which ciphertexts a user is able to decrypt. We demonstrate the applicability of our construction to sharing of auditlog information and broadcast encryption. Our construction supports delegation of private keys which subsumes Hierarchical IdentityBased Encryption (HIBE). E.3 [Data En
A forwardsecure digital signature scheme
, 1999
"... Abstract. We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. Thi ..."
Abstract

Cited by 175 (13 self)
 Add to MetaCart
Abstract. We describe a digital signature scheme in which the public key is fixed but the secret signing key is updated at regular intervals so as to provide a forward security property: compromise of the current secret key does not enable an adversary to forge signatures pertaining to the past. This can be useful to mitigate the damage caused by key exposure without requiring distribution of keys. Our construction uses ideas from the FiatShamir and OngSchnorr identification and signature schemes, and is proven to be forward secure based on the hardness of factoring, in the random oracle model. The construction is also quite efficient. 1
Ciphertextpolicy attributebased encryption
 In Proceedings of the IEEE Symposium on Security and Privacy (To Appear
, 2007
"... ..."
Publicly Verifiable Secret Sharing
, 1996
"... . A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only t ..."
Abstract

Cited by 119 (1 self)
 Add to MetaCart
. A secret sharing scheme allows to share a secret among several participants such that only certain groups of them can recover it. Verifiable secret sharing has been proposed to achieve security against cheating participants. Its first realization had the special property that everybody, not only the participants, can verify that the shares are correctly distributed. We will call such schemes publicly verifiable secret sharing schemes, we discuss new applications to escrow cryptosystems and to payment systems with revocable anonymity, and we present two new realizations based on ElGamal's cryptosystem. 1 Introduction A secret sharing scheme [20, 2] allows to split a secret into different pieces, called shares, which are given to the participants, such that only certain groups of them can recover the secret. The first secret sharing schemes have been threshold schemes, where only groups of more than a certain number of participants can recover the secret. Verifiable secret sharing (V...
Proactive Public Key and Signature Systems
, 1996
"... Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for worldwide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of p ..."
Abstract

Cited by 85 (18 self)
 Add to MetaCart
Emerging applications like electronic commerce and secure communications over open networks have made clear the fundamental role of public key cryptography as a unique enabler for worldwide scale security solutions. On the other hand, these solutions clearly expose the fact that the protection of private keys is a security bottleneck in these sensitive applications. This problem is further worsened in the cases where a single and unchanged private key must be kept secret for very long time (such is the case of certification authority keys, bank and ecash keys, etc.). One crucial defense against exposure of private keys is offered by threshold cryptography where the private key functions (like signatures or decryption) are distributed among several parties such that a predetermined number of parties must cooperate in order to correctly perform these operations. This protects keys from any single point of failure. An attacker needs to break into a multiplicity of locations before it ca...
Simplified VSS and Fasttrack Multiparty Computations with Applications to Threshold Cryptography
, 1998
"... The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret ..."
Abstract

Cited by 84 (5 self)
 Add to MetaCart
The goal of this paper is to introduce a simple verifiable secret sharing scheme, to improve the efficiency of known secure multiparty protocols and, by employing these techniques, to improve the efficiency of applications which use these protocols. First we present a very simple Verifiable Secret Sharing protocol which is based on fast cryptographic primitives and avoids altogether the need for expensive zeroknowledge proofs. This is followed by a highly simplified protocol to compute multiplications over shared secrets. This is a major component in secure multiparty computation protocols and accounts for much of the complexity of proposed solutions. Using our protocol as a plugin unit in known protocols reduces their complexity. We show how to achieve efficient multiparty computations in the computational model, through the application of homomorphic commitments. Finally, we present fasttrack multiparty computation protocols. In a model in which malicious faults are rare we s...
On the Size of Shares for Secret Sharing Schemes
 Journal of Cryptology
"... A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any nonqualified subset has absolutely no information on the secret. The set of all qualified subsets defines the access structure to the se ..."
Abstract

Cited by 66 (7 self)
 Add to MetaCart
A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any nonqualified subset has absolutely no information on the secret. The set of all qualified subsets defines the access structure to the secret. Sharing schemes are useful in the management of cryptographic keys and in multyparty secure protocols. We analyze the relationships among the entropies of the sample spaces from which the shares and the secret are chosen. We show that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size. This is the first proof that there exist access structures for which the best achievable information rate (i.e., the ratio between the size of the secret and that of the largest share) is bounded away from 1. The bound is the best possible, as we construct a secret sharing scheme for the above a...
Anonymous Secret Sharing Schemes
 Designs, Codes and Cryptography
, 1996
"... In this paper we study anonymous secret sharing schemes. Informally, in an anonymous secret sharing scheme the secret can be reconstructed without knowledge of which participants hold which shares. In such schemes the computation of the secret can be carried out by giving the shares to a black box t ..."
Abstract

Cited by 62 (7 self)
 Add to MetaCart
In this paper we study anonymous secret sharing schemes. Informally, in an anonymous secret sharing scheme the secret can be reconstructed without knowledge of which participants hold which shares. In such schemes the computation of the secret can be carried out by giving the shares to a black box that does not know the identities of the participants holding those shares. Phillips and Phillips gave necessary and sufficient conditions for there to exist an anonymous secret sharing scheme where the size of the shares given to each participant is equal to the size of the secret. In this paper, we provide lower bounds on the size of the share sets in any (t; w) threshold scheme, and for an infinite class of nonthreshold access structures. We also discuss constructions for anonymous secret sharing schemes, and apply them to access structures obtained from complete multipartite graphs. 1 Introduction Informally, a secret sharing scheme is a method of distributing a secret key among a set ...