### BibTeX

@MISC{Shamir_howto,

author = {Adi Shamir},

title = {How to Share a Secret},

year = {}

}

### Years of Citing Articles

### OpenURL

### Abstract

In this paper we show how to divide data D into n pieces in such a way that D is easily reconstructable from any k pieces, but even complete knowledge of k- 1 pieces reveals absolutely no information about D. This technique enables the construction of robust key management schemes for cryptographic systems that can function securely and reliably even when misfor-tunes destroy half the pieces and security breaches ex-pose all but one of the remaining pieces. Key Words and Phrases: cryptography, key manage-ment, interpolation

### Citations

3043 | A Method for Obtaining Digital Signatures and Public Key Cryptosystems
- Rivest, Shamir, et al.
- 1978
(Show Context)
Citation Context ...s A1, A2, ..., Ar, where the signer Alice is As, for some value of s, 1≤ s ≤ r. To simplify the presentation and proof, we first describe a ring signature scheme in which all the ring members use RSA =-=[9]-=- as their individual signature schemes. The same construction can be used for any other trapdoor one way permutation, but we have to modify it slightly in order to use trapdoor one way functions (as i... |

2823 | New directions in cryptography
- Diffie, Hellman
- 1976
(Show Context)
Citation Context ...ation fi of Zni : fi(x) =x ei (mod ni) . We assume that only Ai knows how to compute the inverse permutation f −1 i efficiently, using trap-door information; this is the original Diffie-Hellman model =-=[4]-=- for public-key cryptography.How to Leak a Secret 557 Extending trap-door permutations to a common domain The trap-door RSA permutations of the various ring members will have domains of different siz... |

2252 | The Art of Computer Programming - Knuth - 1981 |

505 | Undeniable signatures - Chaum, Antwerpen - 1989 |

413 | Safeguarding cryptographic keys - Blakley - 1979 |

295 |
How to construct pseudorandom permutations from pseudorandom functions
- Luby, Rackoff
- 1988
(Show Context)
Citation Context ...provides truly random answers to new queries of the form Ek(x) and E −1 k (y), provided only that they are consistent with previous answers and with the requirement that Ek be a permutation (e.g. see =-=[7]-=-). 3.3 Hash Functions We assume the existence of a publicly defined collision-resistant hash function h that maps arbitrary inputs to strings of length l, which are used as keys for E. We model h as a... |

275 | Proofs of partial knowledge and simplified design of witness hiding protocols
- Cramer, Damgård, et al.
- 1994
(Show Context)
Citation Context ...e schemes. However the former schemes require zero-knowledge proofs with each signature, and the latter schemes require as many modular exponentiations as there are members in the ring. Cramer et al. =-=[3]-=- shows how to produce witness-indistinguishable interactive proofs. Such proofs could be combined with the Fiat-Shamir technique to produce ring signature schemes. Similarly, DeSantis et al. [10] show... |

256 | New Directions in Cryptography - e, Hellman - 1976 |

140 | T.: Designated verifier proofs and their applications
- Jakkobsson, Sako, et al.
- 1996
(Show Context)
Citation Context ...a signature scheme in which signatures can only be verified by a single “designated verifier” chosen by the signer. This concept was first introduced by Jakobsson Sako and Impagliazzo at Eurocrypt 96 =-=[6]-=-. A typical application is to enable users to authenticate casual emails without being legally bound to their contents. For example, two companies may exchange drafts of proposed contracts. They wish ... |

118 | Introduction to Combinatorial Mathematics - Liu - 1968 |

70 | Efficient and Generalized Group Signatures
- Camenisch
(Show Context)
Citation Context ... signatures or multiparty constructions, which are quite inefficient. For example, Chaum et al. [2]’s schemes three and four, and the two signature schemes in Definitions 2 and 3 of Camenisch’s paper =-=[1]-=- can be viewed as ring signature schemes. However the former schemes require zero-knowledge proofs with each signature, and the latter schemes require as many modular exponentiations as there are memb... |

44 |
Chaum and Eugène van Heyst. Group signatures
- David
- 1991
(Show Context)
Citation Context ...r-ambiguous signature scheme, group signature scheme, designated verifier signature scheme. 1 Introduction The general notion of a group signature scheme was introduced in 1991 by Chaum and van Heyst =-=[2]-=-. In such a scheme, a trusted group manager predefines certain groups of users and distributes specially designed keys to their members. Individual members can then use these keys to anonymously sign ... |

41 | On Monotone Formula Closure of SZK
- Santis, Crescenzo, et al.
- 1994
(Show Context)
Citation Context ...t al. [3] shows how to produce witness-indistinguishable interactive proofs. Such proofs could be combined with the Fiat-Shamir technique to produce ring signature schemes. Similarly, DeSantis et al. =-=[10]-=- show that interactive SZK for random self-reducible languages are closed under monotone boolean operations, and show the applicability of this result to the construction of a ring signature scheme (a... |

22 |
Digitized Signatures as Intractable as Factorization
- Rabin
- 1979
(Show Context)
Citation Context ...he same construction can be used for any other trapdoor one way permutation, but we have to modify it slightly in order to use trapdoor one way functions (as in, for example, Rabin’s signature scheme =-=[8]-=-). 3.1 RSA Trap-Door Permutations Each ring member Ai has an RSA public key Pi =(ni,ei) which specifies the trapdoor one-way permutation fi of Zni : fi(x) =x ei (mod ni) . We assume that only Ai knows... |

12 |
An Introduction to the Theory of Numbers. Oxford, fifth edition
- Hardy, Wright
- 1979
(Show Context)
Citation Context ... to exist in other natural combining functions such as addition mod 2 b . Assume that we use the RSA trapdoor functions gi(xi) =x 3 i (mod ni) where all the moduli ni have the same size b. Itis known =-=[5]-=- that any nonnegative integer z can be efficiently represented as the sum of exactly nine nonnegative integer cubes x3 1 + x3 2 + ...+ x3 9.Ifz is a b-bit target value, we can expect each one of the x... |

3 | Designated veri proofs and their applications - Jakobsson, Sako, et al. - 1996 |

3 | The Design and Analysis of Computer AIgorithms - Aho, Hopcroft, et al. - 1974 |

1 | An Introduction to the Theory of Numbers. Oxford, edition - Hardy, Wright - 1979 |