Results 1-10 of 11
General Secure Multi-Party Computation from any Linear Secret-Sharing Scheme
2000
Abstract

Cited by 162 (23 self)
Abstract. We show that verifiable secret sharing (VSS) and secure multi-party computation (MPC) among a set of n players can efficiently be based on any linear secret sharing scheme (LSSS) for the players, provided that the access structure of the LSSS allows MPC or VSS at all. Because an LSSS neither guarantees reconstructability when some shares are false, nor verifiability of a shared value, nor allows for the multiplication of shared values, an LSSS is an apparently much weaker primitive than VSS or MPC. Our approach to secure MPC is generic and applies to both the information-theoretic and the cryptographic setting. The construction is based on 1) a formalization of the special multiplicative property of an LSSS that is needed to perform a multiplication on shared values, 2) an efficient generic construction to obtain from any LSSS a multiplicative LSSS for the same access structure, and 3) an efficient generic construction to build verifiability into every LSSS (always assuming that the adversary structure allows for MPC or VSS at all). The protocols are efficient. In contrast to all previous information-theoretically secure protocols, the field size is not restricted (e.g., to be greater than n). Moreover, we exhibit adversary structures for which our protocols are polynomial in n while all previous approaches to MPC for non-threshold adversaries provably have superpolynomial complexity.
Hierarchical threshold secret sharing
J. Cryptol., 2007
Abstract

Cited by 33 (3 self)
We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group of participants that is partitioned into levels. The access structure is then determined by a sequence of threshold requirements: a subset of participants is authorized if it has at least k0 members from the highest level, as well as at least k1 > k0 members from the two highest levels, and so forth. Such problems may occur in settings where the participants differ in their authority or level of confidence and the presence of higher-level participants is imperative to allow the recovery of the common secret. Even though secret sharing in hierarchical groups has been studied extensively in the past, none of the existing solutions addresses the simple setting where, say, a bank transfer should be signed by three employees, at least one of whom must be a department manager. We present a perfect secret sharing scheme for this problem that, unlike most secret sharing schemes that are suitable for hierarchical structures, is ideal. As in Shamir's scheme, the secret is represented as the free coefficient of some polynomial. The novelty of our scheme is the usage of polynomial derivatives in order to generate lesser shares for participants of lower levels. Consequently, our scheme uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values. A substantial part of our discussion is dedicated to the question of how to assign identities to the participants from the underlying finite field so that the resulting Birkhoff interpolation problem will be well posed. In addition, we devise an ideal and efficient secret sharing scheme for the closely related hierarchical threshold access structures that were studied by Simmons and Brickell.
Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups
In Proc. of CRYPTO '02, LNCS 2442, 2002
Abstract

Cited by 29 (7 self)
Abstract. A black-box secret sharing scheme for the threshold access structure T_{t,n} is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that the distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given T_{t,n}, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard-to-compute group order. A recent example is secure general multiparty computation over black-box rings. In 1994 Desmedt and Frankel proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given T_{t,n} with 0 < t < n − 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low-degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with coprime determinants, we construct, for arbitrary given T_{t,n} with 0 < t < n − 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal.
On Arithmetic Branching Programs
In Proc. of the 13th Annual IEEE Conference on Computational Complexity, 1998
Abstract

Cited by 16 (0 self)
The model of arithmetic branching programs is an algebraic model of computation generalizing the model of modular branching programs. We show that, up to a polynomial factor in size, arithmetic branching programs are equivalent to complements of dependency programs, a model introduced by Pudlák and Sgall [20]. Using this equivalence we prove that dependency programs are closed under conjunction over every field, answering an open problem of [20]. Furthermore, we show that span programs, an algebraic model of computation introduced by Karchmer and Wigderson [16], are at least as strong as arithmetic programs; every arithmetic program can be simulated by a span program of size not more than twice the size of the arithmetic program. Using the above results we give a new proof that NL/poly ⊆ ⊕L/poly, first proved by Wigderson [25]. Our simulation of NL/poly is more efficient, and it holds for logspace counting classes over every field.
Multipartite Secret Sharing by Bivariate Interpolation
33rd International Colloquium on Automata, Languages and Programming, ICALP 2006, Lecture Notes in Comput. Sci. 4052, 2006
Abstract

Cited by 11 (1 self)
Abstract. Given a set of participants that is partitioned into distinct compartments, a multipartite access structure is an access structure that does not distinguish between participants that belong to the same compartment. We examine here three types of such access structures: compartmented access structures with lower bounds, compartmented access structures with upper bounds, and hierarchical threshold access structures. We realize those access structures by ideal perfect secret sharing schemes that are based on bivariate Lagrange interpolation. The main novelty of this paper is the introduction of bivariate interpolation and its potential power in designing schemes for multipartite settings, as different compartments may be associated with different lines in the plane. In particular, we show that the introduction of a second dimension may create the same hierarchical effect as polynomial derivatives and Birkhoff interpolation were shown to do in [13].
Generalized oblivious transfer by secret sharing
Des. Codes Cryptography
Abstract

Cited by 9 (0 self)
The notion of Generalized Oblivious Transfer (GOT) was introduced by Ishai and Kushilevitz in [12]. In a GOT protocol, Alice holds a set U of messages. A decreasing monotone collection of subsets of U defines the retrieval restrictions. Bob is allowed to learn any permissible subset of messages from that collection, but nothing else, while Alice must remain oblivious regarding the selection that Bob made. We propose a simple and efficient GOT protocol that employs secret sharing. We compare it to another secret sharing based solution for that problem that was recently proposed in [18]. In particular, we show that the access structures that are realized by the two solutions are related through a duality-type relation that we introduce here. We show that there are examples which favor our solution over the second one, while in other examples the contrary holds. Two applications of GOT are considered: priced oblivious transfer, and oblivious evaluation of multivariate polynomials.
Efficient Construction of the Dual Span Program
1999
Abstract

Cited by 6 (0 self)
We consider monotone span programs as a tool for representing, we will say computing, general access structures. It is known that if an access structure Γ is computed by a monotone span program M, then the dual access structure Γ* is computed by a monotone span program M* of the same size. We will strengthen this result by proving that such an M* not only exists, but can be efficiently computed from M.
1 Introduction
Monotone span programs, introduced by Karchmer and Wigderson in [KW93], are a model of computation, based on linear algebra, for computing monotone functions. Since there is a natural one-to-one correspondence between monotone functions {0,1}^n → {0,1} and access structures over the set P = {1, ..., n}, every access structure Γ can be represented, we will say computed, by a monotone span program M. Every access structure Γ has a natural dual access structure Γ*. This concept was first defined in [SJM91] and found various occurrences like...
Multiparty computation unconditionally secure against adversary structures
Cryptology SOCS98.2, 1998
Share Computing Protocols over Fields and Rings
Abstract
In this thesis, we explain linear secret sharing schemes, in particular multiplicative threshold linear secret sharing schemes, over fields and rings in a compact and concise way. We explain two characterisations of linear secret sharing schemes, and in particular, we characterise threshold linear secret sharing schemes. We develop an algorithm to generate all multiplicative (t+1)-out-of-n threshold linear secret sharing schemes over a field Z_p. For the ring Z_{2^32}, we explain the generation of secret sharing schemes for threshold access structures and prove the non-existence of (t+1)-out-of-n threshold
Energy Bounds for Fault-Tolerant Nanoscale Designs
Abstract
The problem of determining lower bounds for the energy cost of a given nanoscale design is addressed via a complexity-theory-based approach. This paper provides a theoretical framework that is able to assess the trade-offs existing in nanoscale designs between the amount of redundancy needed for a given level of resilience to errors and the associated energy cost. Circuit size, logic depth and error resilience are analyzed and brought together in a theoretical framework that can be seamlessly integrated with automated synthesis tools and can guide the design process of nanoscale systems comprised of failure-prone devices. The impact of redundancy addition on the switching energy and its relationship with leakage energy is modeled in detail. Results show that 99% error resilience is possible for fault-tolerant designs, but at the expense of at least 40% more energy if individual gates fail independently with probability 1%.