In (k,n) threshold scheme, Tompa and Woll considered a problem of cheaters who try to make another participant reconstruct an invalid secret. Later, some models of such cheating were formalized and lower bounds of the size of share were shown in the situation of fixing the maximum successful cheating probability to ε. Some efficient schemes in which size of share is equal to the lower bound were also proposed. Let |S| be the field size of the secret. Under the assumption that cheaters do not know the distributed secret, these sizes of share of previous schemes which can work for ε > 1/|S| are somewhat larger than the bound. In this paper, we show the bound for this case is really tight by constructing a new scheme. When distributing uniform secret, the bit length of share in the proposed scheme is only 1 bit longer than the known bound. Further, we show a tighter bound of the size of share in case of ε < 1/|S|.
Rafael DOWSLEY Jorn MULLER-QUADE Akira OTSUKA Goichiro HANAOKA Hideki IMAI Anderson C.A. NASCIMENTO
This paper presents a non-interactive verifiable secret sharing scheme (VSS) tolerating a dishonest majority based on data pre-distributed by a trusted authority. As an application of this VSS scheme we present very efficient unconditionally secure protocols for performing multiplication of shares based on pre-distributed data which generalize two-party computations based on linear pre-distributed bit commitments. The main results of this paper are a non-interactive VSS, a simplified multiplication protocol for shared values based on pre-distributed random products, and non-interactive zero knowledge proofs for arbitrary polynomial relations. The security of the schemes is proved using the UC framework.
On-line secret sharing scheme, introduced by Cachin, is a computational variation of secret sharing scheme. It supports dynamic changing of access structures and reusable shares, by grace of public bulletin board. In this paper, first we introduce a formal model of on-line secret sharing scheme, and analyze existing on-line secret sharing schemes. As a result, it is shown that they are all vulnerable by giving concrete attacks. Next, we propose a novel on-line secret sharing scheme which is provably secure.
Eitaro KOHNO Tomoyuki OHTA Yoshiaki KAKUDA Masaki AIDA
A Wireless Sensor Network has sensor nodes which have limited computational power and memory size. Due to the nature of the network, the data is vulnerable to attacks. Thus, maintaining confidentiality is an important issue. To compensate for this problem, there are many countermeasures which utilize common or public key cryptosystems that have been proposed. However, these methods have problems with establishing keys between the source and the destination nodes. When these two nodes try to establish new keys, they must exchange information several times. Also, the routes of the Wireless Sensor Networks can change frequently due to an unstable wireless connection and batteries running out on sensor nodes. These problems of security and failure become more serious as the number of nodes in the network increases. In this paper, we propose a new data distribution method to compensate for vulnerability and failure based on the Secret Sharing Scheme. In addition, we will confirm the effect of our method through experiments. Concerning security, we compare our method with the existing TinySec, which is the major security architecture of Wireless Sensor Networks.
Toshiyuki ISSHIKI Koichiro WADA Keisuke TANAKA
In this paper, we propose a rational m-out-of-n secret sharing scheme, a dealer wishes to entrust a secret with a group of n players such that any subset of m or more players can reconstruct the secret, but a subset of less than m players cannot learn anything about the secret. The reconstruction protocol of our scheme is fair and stable in the rational settings, allowing all players to obtain the designated secret. Our scheme is based on RSA-OAEP with the distributed decryption. The security of our scheme relies on a computational assumption and uses the random oracles. The size of each share in our scheme is independent of the utility function and the computation cost of the reconstruction protocol is constant. Moreover, our scheme prevents the attacks with at most m-1 coalitions.
In the model, a sender S wants to send a message to a receiver R secretly and reliably in r-round. They do not share any information like keys, but there are n independent communication channels between S and R, and an adversary A can observe and/or substitute the data which goes through some channels (but not all). In this paper, we propose almost secure (1-round, 3t+1-channel ) MTSs which have following two properties where t is the number of channels A can observe and/or forge. (1) The running time of message decryption algorithm is polynomial in n. (2) Communication cost is smaller than the previous MTSs, if the message is large to some degree.
Jun KURIHARA Shinsaku KIYOMOTO Kazuhide FUKUSHIMA Toshiaki TANAKA
Shamir's (k,n)-threshold secret sharing scheme (threshold scheme) has two problems: a heavy computational cost is required to make shares and recover the secret, and a large storage capacity is needed to retain all the shares. As a solution to the heavy computational cost problem, several fast threshold schemes have been proposed. On the other hand, threshold ramp secret sharing schemes (ramp scheme) have been proposed in order to reduce each bit-size of shares in Shamir's scheme. However, there is no fast ramp scheme which has both low computational cost and low storage requirements. This paper proposes a new (k,L,n)-threshold ramp secret sharing scheme which uses just EXCLUSIVE-OR(XOR) operations to make shares and recover the secret at a low computational cost. Moreover, by proving that the fast (k,n)-threshold scheme in conjunction with a method to reduce the number of random numbers is an ideal secret sharing scheme, we show that our fast ramp scheme is able to reduce each bit-size of shares by allowing some degradation of security similar to the existing ramp schemes based on Shamir's threshold scheme.
Cheng GUO Mingchu LI Kouichi SAKURAI
Almost all the existing secret sharing schemes are based on a single dealer. Maybe in some situations, the secret needs to be maintained by multiple dealers. In this paper, we proposed a novel secret sharing scheme based on the multi-dealer by means of Shamir's threshold scheme and T. Okamoto and S. Uchiyama's public-key cryptosystem. Multiple dealers can commonly maintain the secret and the secret can be dynamically renewed by any dealer. Meanwhile, the reusable secret shadows just needs to be distributed only once. In the secret updated phase, the dealer just needs to publish a little public information instead of redistributing the new secret shadows. Its security is based on the security of Shamir's threshold scheme and the intractability of factoring problem and discrete logarithm problem.
We propose two multiple assignment secret sharing schemes realizing general access structures. One is always more efficient than the secret sharing scheme proposed by Ito, Saito and Nishizeki [5] from the viewpoint of the number of shares distributed to each participant. The other is also always more efficient than the scheme I of [7].
Kunihiko HARADA Hirosuke YAMAMOTO
In a network with capacity h for multicast, information Xh=(X1, X2, , Xh) can be transmitted from a source node to sink nodes without error by a linear network code. Furthermore, secret information Sr=(S1, S2, , Sr) can be transmitted securely against wiretappers by k-secure network coding for k h-r. In this case, no information of the secret leaks out even if an adversary wiretaps k edges, i.e. channels. However, if an adversary wiretaps k+1 edges, some Si may leak out explicitly. In this paper, we propose strongly k-secure network coding based on strongly secure ramp secret sharing schemes. In this coding, no information leaks out for every (Si1, Si2, ,Sir-j) even if an adversary wiretaps k+j channels. We also give an algorithm to construct a strongly k-secure network code directly and a transform to convert a nonsecure network code to a strongly k-secure network code. Furthermore, some sufficient conditions of alphabet size to realize the strongly k-secure network coding are derived for the case of k < h-r.
Jun KURIHARA Shinsaku KIYOMOTO Kazuhide FUKUSHIMA Toshiaki TANAKA
In Shamir's (k,n)-threshold secret sharing scheme (threshold scheme)[1], a heavy computational cost is required to make n shares and recover the secret from k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast ideal (k,n)-threshold scheme, where k and n are arbitrary. This paper proposes a new fast (k,n)-threshold scheme which uses just EXCLUSIVE-OR(XOR) operations to make n shares and recover the secret from k shares. We prove that every combination of k or more participants can recover the secret, but every group of less than k participants cannot obtain any information about the secret in the proposed scheme. Moreover, the proposed scheme is an ideal secret sharing scheme similar to Shamir's scheme, in which every bit-size of shares equals that of the secret. We also evaluate the efficiency of the scheme, and show that our scheme realizes operations that are much faster than Shamir's.
Todorka ALEXANDROVA Hiroyoshi MORITA
Constructing ideal (t,n) threshold secret sharing schemes leads to some limitations on the maximum number of users, that are able to join the secret sharing scheme. We aim to remove these limitations by reducing the information rate of the constructed threshold secret sharing schemes. In this paper we propose recursive construction algorithms of (t,n) threshold secret sharing schemes, based on the generalized vector space construction. Using these algorithms we are able to construct a (t,n) threshold secret sharing scheme for any arbitrary n.
Jun KURIHARA Shinsaku KIYOMOTO Kazuhide FUKUSHIMA Toshiaki TANAKA
In Shamir's (k,n)-threshold secret sharing scheme [1], a heavy computational cost is required to make n shares and recover the secret from k shares. As a solution to this problem, several fast threshold schemes have been proposed. However, there is no fast ideal (k,n)-threshold scheme, where k ≥ 3 and n is arbitrary. This paper proposes a new fast (3,n)-threshold scheme by using just EXCLUSIVE-OR(XOR) operations to make shares and recover the secret, which is an ideal secret sharing scheme similar to Shamir's scheme. Furthermore, we evaluate the efficiency of the scheme, and show that it is more efficient than Shamir's in terms of computational cost. Moreover, we suggest a fast (k,n)-threshold scheme can be constructed in a similar way by increasing the sets of random numbers constructing pieces of shares.
Toshiyuki MIYAMOTO Sadatoshi KUMAGAI
We have been developing a secure and reliable distributed storage system, which uses a secret sharing scheme. In order to efficiently store data in the system, this paper introduces an optimal share transfer problem, and proves it to be, generally, NP-hard. It is also shown that the problem can be resolved into a Steiner tree problem. Finally, through computational experiments we perform the comparison of heuristic algorithms for the Steiner tree problem.
We propose constant-round protocols for interval tests, equality tests, and comparisons where shared secret inputs are not given bitwise. In [9]. Damgård et al. presented a novel protocol called the bit-decomposition, which can convert a polynomial sharing of an element in prime field Zp into sharings of bits. Though, by using the bit-decomposition protocol, those protocols can be constructed with constant round complexities theoretically, it involves expensive computation, leading to relatively high round and communication complexities. In this paper, we construct more efficient protocols for those protocols without relying on the bit-decomposition protocol. In the interval test protocol, checking whether a shared secret exists in the known interval is reduced to checking whether a bitwise-shared random secret exists in the appropriate interval. In the comparison protocol, comparing two shared secrets is reduced to comparing the two secrets viaindirectly where p is an odd prime for an underlying linear secret sharing scheme. In the equality test protocol, checking whether two shared secrets are equal is reduced to checking whether the difference of the two secrets is zero and furthermore checking whether the difference is a zero is reduced to checking quadratice residuosity of a random secret in a probabilistic way.
Web metering is an effective means of measuring the number of visits from clients to Web servers during a specific time frame. Naor and Pinkas, in 1998, first introduced metering schemes to evaluate the popularity of Web servers. Ogata and Kurosawa proposed two schemes that improve on the Naor-Pinkas metering schemes. This study presents a Web metering scheme which is based on the bilinear pairings and built on the GDH group. The proposed scheme can resist fraud attempts by malicious Web servers and disruptive attacks by malicious clients.
Mitsugu IWAMOTO Hirosuke YAMAMOTO Hirohisa OGAWA
It is known that for any general access structure, a secret sharing scheme (SSS) can be constructed from an (m,m)-threshold scheme by using the so-called cumulative map or from a (t,m)-threshold SSS by a modified cumulative map. However, such constructed SSSs are not efficient generally. In this paper, a new method is proposed to construct a SSS from a (t,m)-threshold scheme for any given general access structure. In the proposed method, integer programming is used to derive the optimal (t,m)-threshold scheme and the optimal distribution of the shares to minimize the average or maximum size of the distributed shares to participants. From the optimality, it can always attain lower coding rate than the cumulative maps because the cumulative maps cannot attain the optimal distribution in many cases. The same method is also applied to construct SSSs for incomplete access structures and/or ramp access structures.
Toshiyuki MIYAMOTO Yasuhiro MORITA Sadatoshi KUMAGAI
Secret sharing is a method for distributing a secret among a party of participants. Each of them is allocated a share of the secret, and the secret can only be reconstructed when the shares are combined together. We have been proposing a secret sharing distributed database system (SSDDB) that uses a secret sharing scheme to improve confidentiality and robustness of distributed database systems. This paper proposes a vertical partitioning algorithm for the SSDDB, and evaluates the algorithm by computational experiments.
Mitsugu IWAMOTO Lei WANG Kazuki YONEYAMA Noboru KUNIHIRO Kazuo OHTA
In this paper, a method is proposed to construct a visual secret sharing (VSS) scheme for multiple secret images in which each share can be rotated with 180 degrees in decryption. The proposed VSS scheme can encrypt more number of secret images compared with the normal VSS schemes. Furthermore, the proposed technique can be applied to the VSS scheme that allows to turn over some shares in decryption. From the theoretical point of view, it is interesting to note that such VSS schemes cannot be obtained from so-called basis matrices straightforwardly.
The Visual Secret Sharing (VSS) scheme proposed by Naor and Shamir is a perfectly secure scheme to share a secret image. By using m sub pixels to represent one pixel, we encrypt the secret image into several noise-like shadow images. The value of m is known as the pixel expansion. More pixel expansion increases the shadow size and makes VSS schemes impractical for real application. In this paper, we propose new size-reduced VSS schemes and dramatically decrease the pixel expansion by a half.