## Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups (2002)

### Cached

### Download Links

- [www.iacr.org]
- [www.iacr.org]
- [eprint.iacr.org]
- [homepages.cwi.nl]
- DBLP

### Other Repositories/Bibliography

Venue: | In Proc. of CRYPTO '02, LNCS 2442 |

Citations: | 26 - 8 self |

### BibTeX

@INPROCEEDINGS{Cramer02optimalblack-box,

author = {Ronald Cramer and Serge Fehr},

title = {Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups},

booktitle = {In Proc. of CRYPTO '02, LNCS 2442},

year = {2002},

pages = {272--287},

publisher = {Springer-Verlag}

}

### Years of Citing Articles

### OpenURL

### Abstract

Abstract. A black-box secret sharing scheme for the threshold access structure Tt,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares are sampled. This means that perfect completeness and perfect privacy are guaranteed regardless of which group G is chosen. We define the black-box secret sharing problem as the problem of devising, for an arbitrary given Tt,n, a scheme with minimal expansion factor, i.e., where the length of the full vector of shares divided by the number of players n is minimal. Such schemes are relevant for instance in the context of distributed cryptosystems based on groups with secret or hard to compute group order. A recent example is secure general multi-party computation over black-box rings. In 1994 Desmedt and Frankel have proposed an elegant approach to the black-box secret sharing problem based in part on polynomial interpolation over cyclotomic number fields. For arbitrary given Tt,n with 0 < t < n − 1, the expansion factor of their scheme is O(n). This is the best previous general approach to the problem. Using certain low degree integral extensions of Z over which there exist pairs of sufficiently large Vandermonde matrices with co-prime determinants, we construct, for arbitrary given Tt,n with 0 < t < n − 1, a black-box secret sharing scheme with expansion factor O(log n), which we show is minimal. 1

### Citations

9359 |
Elements of information theory
- Cover, Thomas
- 1991
(Show Context)
Citation Context ... other hand, {i, j} # T 1,n . Hence, by Remark 1, we have kerM i # kerM j # H 1 = #, for all i, j with 1 # is# n. By counting and normalizing, 2 -d1 + + 2 -dn # 1. By the Log Sum Inequality (see e.g. =-=[CT]-=-), d = d 1 + + d n # n log n. # Theorem 1 [KW93] n (#log n# + 1) # msp 2 (T t,n ) # n+3 2 log n+3 2 , for all t, n with 0s- 1. Proof. The upper bound, which is not needed for our purposes, follows by ... |

1968 | How to share a secret
- Shamir
(Show Context)
Citation Context ...s were first considered by Desmedt and Frankel [DF89] in the context of distributed cryptosystems based on groups with secret order. Shamir's polynomial based secret sharing scheme over finite fields =-=[Sha79]-=- cannot immediately be adapted to the setting of black-box secret sharing. In [DF94], Desmedt and Frankel [DF94] showed a black-box secret sharing scheme that elegantly circumvents integer polynomial ... |

440 |
Safeguarding cryptographic keys
- Blakley
(Show Context)
Citation Context ...shold access structure Tt,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field; see e.g. =-=[5, 24, 6, 3, 2, 20, 19, 1, 16, 8]-=-) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares may be sampled. In other words, the deale... |

272 |
Threshold cryptosystems
- Desmedt, Frankel
- 1990
(Show Context)
Citation Context ...pansion factor 1. The cases t = 0, n have no meaning for secret sharing. For the rest of this discussion we assume 0s- 1. Black-box secret sharing schemes were first considered by Desmedt and Frankel =-=[DF89]-=- in the context of distributed cryptosystems based on groups with secret order. Shamir's polynomial based secret sharing scheme over finite fields [Sha79] cannot immediately be adapted to the setting ... |

218 | Practical Threshold Signatures
- Shoup
- 2000
(Show Context)
Citation Context ...unctions, including RSA. The interest in application of the result of [DF94] to practical distributed RSA-based protocols seems to have decreased somewhat due to recent developments, see for instance =-=[Sho00]-=- and the references therein. However, apart from the fact that optimal black-box secret sharing is perhaps interesting in its own right, we note that in [CFIK02] our black-box secret sharing scheme is... |

155 |
Generalized secret sharing and monotone functions
- Benaloh, Leichter
- 1990
(Show Context)
Citation Context ...her direction trivially holds regardless of S. Using (generally ine#cient) representations of monotone access structures as monotone Boolean formulas and using induction in a similar style as in e.g. =-=[BL88]-=-, it is straightforward to verify that for all # and for all S, there is a monotone span program over S that computes #. Definition 7 For any # and for any S, msp S (#) denotes the minimal size of a m... |

131 | U.M.: General Secure Multi-Party Computation from Any Linear Secret-Sharing Scheme
- Cramer, Damg̊ard, et al.
- 2000
(Show Context)
Citation Context ...l extension ring of Z to an ISP. As an aside, monotone span programs over rings are the basis for multiparty computation over black-box rings, as studied in [CFIK02]. In particular, the techniques of =-=[CDM00]-=- for secure multiplication and VSS apply to this flavor of monotone span program as well. Throughout this paper, S denotes a (not necessarily finite) commutative ring with 1. Let # be a monotone acces... |

127 |
On the classification of ideal secret sharing schemes
- Brickell, Davenport
- 1991
(Show Context)
Citation Context ...shold access structure Tt,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field; see e.g. =-=[5, 24, 6, 3, 2, 20, 19, 1, 16, 8]-=-) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares may be sampled. In other words, the deale... |

124 | On span programs
- Karchmer, Wigderson
- 1993
(Show Context)
Citation Context ... co-prime determinants and show how this allows us to construct, for arbitrary given T t,n , a black-box secret sharing scheme with expansion factor O(log n). Using a result of Karchmer and Wigderson =-=[KW93]-=-, we show that this is minimal. 1 It is not hard to find an exceptional set of size p in this ring. To see that the maximal size of such a set is p, let K be a number field of degree m, and let ZK den... |

69 | M.: How to share a function securely - Santis, Desmedt, et al. - 1994 |

59 |
Secure schemes for secret sharing and key distribution
- Beimel
- 1996
(Show Context)
Citation Context ...shold access structure Tt,n is one which works over any finite Abelian group G. Briefly, such a scheme differs from an ordinary linear secret sharing scheme (over, say, a given finite field; see e.g. =-=[5, 24, 6, 3, 2, 20, 19, 1, 16, 8]-=-) in that distribution matrix and reconstruction vectors are defined over Z and are designed independently of the group G from which the secret and the shares may be sampled. In other words, the deale... |

51 |
M.: Optimal resilience proactive public-key cryptosystems
- Frankel, Gemmell, et al.
- 1997
(Show Context)
Citation Context ...ious observation. It follows that ∆ 2 1 ∈ (R/(∆ 2 0)) ∗ as well, or equivalently, there exist r0, r1 ∈ R such that r0 · ∆ 2 0 + r1 · ∆ 2 1 = 1. 9 A similar property was first noticed and exploited in =-=[17, 18]-=- and later in [25].s284 R. Cramer and S. Fehr Set m = ⌊log n⌋ + 1. Let ˆ f(X) ∈ Z[X] be any monic, irreducible polynomial of degree m such that for all p ∈ Πn, ˆ fp(X) (the polynomial ˆ f(X) with its ... |

21 |
Homomorphic zero-knowledge threshold schemes over any finite abelian group
- Desmedt, Frankel
- 1994
(Show Context)
Citation Context ...ryptosystems based on groups with secret order. Shamir's polynomial based secret sharing scheme over finite fields [Sha79] cannot immediately be adapted to the setting of black-box secret sharing. In =-=[DF94]-=-, Desmedt and Frankel [DF94] showed a black-box secret sharing scheme that elegantly circumvents integer polynomial interpolation problems by passing to an integral extension ring of Z over which a 2 ... |

17 |
A construction of practical secret sharing schemes using linear block codes
- Bertilson, Ingemarsson
- 1993
(Show Context)
Citation Context |

15 | Efficient multi-party computation over rings
- Cramer, Fehr, et al.
- 2003
(Show Context)
Citation Context ...o recent developments, see for instance [Sho00] and the references therein. However, apart from the fact that optimal black-box secret sharing is perhaps interesting in its own right, we note that in =-=[CFIK02]-=- our black-box secret sharing scheme is applied in protocols for secure general multi-party computation over black-box rings. Also, optimal black-box secret sharing may very well be relevant to new di... |

13 |
Efficient multiplicative sharing schemes
- Burmester, Desmedt, et al.
- 1996
(Show Context)
Citation Context ...is an open problem of algebraic number theory (see also [12] and the references therein). Except for some quite special cases, namely when t is constant or when t (resp. n − t) is small compared to n =-=[14, 4]-=- or the constant factor gain from [15], no substantial improvement on the general black-box secret sharing problem has been reported since. The crucial difference with our approach to the black-box se... |

13 |
Multiplicative nonabelian sharing schemes and their application to threshold cryptography
- Desmedt, Crescenzo, et al.
- 1994
(Show Context)
Citation Context ...is an open problem of algebraic number theory (see also [12] and the references therein). Except for some quite special cases, namely when t is constant or when t (resp. n − t) is small compared to n =-=[14, 4]-=- or the constant factor gain from [15], no substantial improvement on the general black-box secret sharing problem has been reported since. The crucial difference with our approach to the black-box se... |

11 |
Secret key sharing and secret key generation
- Dijk
- 1997
(Show Context)
Citation Context |

11 | Combinatorial methods in Boolean function complexity
- Gál
- 1995
(Show Context)
Citation Context |

4 | A comment on the efficiency of secret sharing scheme over any finite Abelian group
- Desmedt, King, et al.
- 1998
(Show Context)
Citation Context ...eory (see also [12] and the references therein). Except for some quite special cases, namely when t is constant or when t (resp. n − t) is small compared to n [14, 4] or the constant factor gain from =-=[15]-=-, no substantial improvement on the general black-box secret sharing problem has been reported since. The crucial difference with our approach to the black-box secret sharing problem is that we avoid ... |

3 |
Some results in linear secret sharing
- King
- 2001
(Show Context)
Citation Context ... exists g ′ ∈ Ze m such that g ′ 1 ≡ s−1 and sA ≡ MAg ′ . Setting κ ≡ g − g ′ ∈ Ze m, we have MAκ ≡ 0 with κ1 ≡ 1. In other words, NAx = y is solvable over Zm for all integers m �= 0. ⊓⊔ We note that =-=[21]-=- also gives a characterization. Although there are some similarities in the technical analysis, the conditions stated there are still in terms of the black-box secret sharing scheme, rather than by pr... |

2 |
Randomness required for linear threshold sharing schemes defined over any finite abelian group
- King
- 2001
(Show Context)
Citation Context ... . . , αn) 2 = 1. This assumption implies the existence of a monotone span program over R for Tt,n with size 2n, as we now show. Define ∆0 = ∆(1, . . . , n) ∈ Z, and ∆1 = ∆(α1, . . . , αn) ∈ R. 8 See =-=[21, 22]-=- for lower bounds on the randomness required in black-box secret sharing schemes.sOptimal Black-Box Secret Sharing over Arbitrary Abelian Groups 283 Let N0 ∈ Rn,t+1 (resp. N1 ∈ Rn,t+1 ) be the matrix ... |

1 |
A comment on the e#ciency of secret sharing scheme over any finite Abelian group
- Desmedt, King, et al.
- 1998
(Show Context)
Citation Context ...e also [DF94] and the references therein). Except for some quite special cases, namely when t is constant or when t (resp. n-t) is small compared to n [DCB94, BBDW96] or the constant factor gain from =-=[DKKK98]-=-, no substantial improvement on the general black-box secret sharing problem has been reported since. Our result builds on [DF94] in that we also study the problem over certain integral extensions. Ho... |

1 |
Existence of Multiplicative Secret Sharing Schemes with Polynomial Share Expansion
- Crescenzo, Frankel
- 1999
(Show Context)
Citation Context ...nation of the technique of Benaloh-Leichter [2] with the classical result of complexity theory that all monotone threshold functions are representable by poly-size monotone Boolean formulas. See also =-=[10]-=-. 2 It is not hard to find an exceptional set of size p in this ring. To see that the maximal size of such a set is p, let K be a number field of degree m, and let ZK denote its ring of algebraic inte... |