Robust computational secret sharing and a unified account of classical secret-sharing goals

We give a unified account of classical secret-sharing goals from a modern cryptographic vantage. Our treatment encompasses perfect, statistical, and computational secret sharing; static and dynamic adversaries; schemes with or without robustness; schemes where a participant recovers the secret and those where an external party does so. We then show that Krawczyk's 1993 protocol for robust computational secret sharing (RCSS) need not be secure, even in the random-oracle model and for threshold schemes, if the encryption primitive it uses satisfies only one-query indistinguishability (ind1), the only notion Krawczyk defines. Nonetheless, we show that the protocol is secure (in the random-oracle model, for threshold schemes) if the encryption scheme also satisfies one-query key-unrecoverability (key1). Since practical encryption schemes are ind1+key1 secure, our result effectively shows that Krawczyk's RCSS protocol is sound (in the random-oracle model, for threshold schemes). Finally, we prove the security for a variant of Krawczyk's protocol, in the standard model and for arbitrary access structures, assuming ind1 encryption and a statistically-hiding, weakly-binding commitment scheme.

[1]  Rafail Ostrovsky,et al.  Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation , 1998, Journal of Cryptology.

[2]  Moni Naor,et al.  Universal one-way hash functions and their cryptographic applications , 1989, STOC '89.

[3]  Philippe Béguin,et al.  General Short Computational Secret Sharing Schemes , 1995, EUROCRYPT.

[4]  Markus Stadler,et al.  Publicly Verifiable Secret Sharing , 1996, EUROCRYPT.

[5]  H. S. WITSENHAUSEN,et al.  The zero-error side information problem and chromatic numbers (Corresp.) , 1976, IEEE Trans. Inf. Theory.

[6]  Moni Naor,et al.  Magic functions , 1999, 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039).

[7]  Mihir Bellare,et al.  Random oracles are practical: a paradigm for designing efficient protocols , 1993, CCS '93.

[8]  Robert S. Cahn,et al.  Design and Implementation of a Secure Distributed Data Repository , 1998 .

[9]  G. R. Blakley,et al.  Safeguarding cryptographic keys , 1899, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[10]  Baruch Awerbuch,et al.  Verifiable secret sharing and achieving simultaneity in the presence of faults , 1985, 26th Annual Symposium on Foundations of Computer Science (sfcs 1985).

[11]  Amos Beimel,et al.  Universally ideal secret-sharing schemes , 1994, IEEE Trans. Inf. Theory.

[12]  Mitsuru Ito,et al.  Secret sharing scheme realizing general access structure , 1989 .

[13]  Mihir Bellare,et al.  The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs , 2006, EUROCRYPT.

[14]  Douglas R Stinson,et al.  Some improved bounds on the information rate of perfect secret sharing schemes , 1990, Journal of Cryptology.

[15]  Sang Joon Kim,et al.  A Mathematical Theory of Communication , 2006 .

[16]  Silvio Micali,et al.  Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing , 1996, CRYPTO.

[17]  Michael O. Rabin,et al.  Efficient dispersal of information for security, load balancing, and fault tolerance , 1989, JACM.

[18]  Martin Tompa,et al.  How to share a secret with cheaters , 1988, Journal of Cryptology.

[19]  Gustavus J. Simmons,et al.  Contemporary Cryptology: The Science of Information Integrity , 1994 .

[20]  Pradeep K. Khosla,et al.  Survivable Information Storage Systems , 2000, Computer.

[21]  Lorrie Faith Cranor,et al.  The architecture of robust publishing systems , 2001, TOIT.

[22]  Ivan Damgård,et al.  On the existence of statistically hiding bit commitment schemes and fail-stop signatures , 1994, Journal of Cryptology.

[23]  Kaoru Kurosawa,et al.  Optimum Secret Sharing Scheme Secure against Cheating , 2006, SIAM J. Discret. Math..

[24]  Mihir Bellare,et al.  Collision-Resistant Hashing: Towards Making UOWHFs Practical , 1997, CRYPTO.

[25]  Ernest F. Brickell,et al.  The Detection of Cheaters in Threshold Schemes , 1990, SIAM J. Discret. Math..

[26]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..

[27]  K. Srinathan,et al.  On the Power of Computational Secret Sharing , 2003, INDOCRYPT.

[28]  Paul Feldman,et al.  A practical scheme for non-interactive verifiable secret sharing , 1987, 28th Annual Symposium on Foundations of Computer Science (sfcs 1987).

[29]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[30]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[31]  Gustavus J. Simmons,et al.  An Introduction to Shared Secret and/or Shared Control Schemes and Their ApplicationThis work was performed at Sandia National Laboratories and supported by the U.S. Department of Energy under contract number DEAC0476DPOO789. , 1992 .

[32]  Douglas R. Stinson,et al.  An explication of secret sharing schemes , 1992, Des. Codes Cryptogr..

[33]  Giovanni Di Crescenzo,et al.  Multi-Secret Sharing Schemes , 1994, CRYPTO.

[34]  Gustavus J. Simmons,et al.  How to (Really) Share a Secret , 1988, CRYPTO.

[35]  Moni Naor,et al.  Magic Functions: In Memoriam: Bernard M. Dwork 1923--1998 , 2003, JACM.

[36]  Ehud D. Karnin,et al.  On secret sharing systems , 1983, IEEE Trans. Inf. Theory.

[37]  Joan Boyar,et al.  A discrete logarithm implementation of perfect zero-knowledge blobs , 1990, Journal of Cryptology.

[38]  R. J. McEliece,et al.  On sharing secrets and Reed-Solomon codes , 1981, CACM.

[39]  Hugo Krawczyk,et al.  Proactive Secret Sharing Or: How to Cope With Perpetual Leakage , 1995, CRYPTO.

[40]  H. Venkateswaran,et al.  Responsive Security for Stored Data , 2003, IEEE Trans. Parallel Distributed Syst..

[41]  Hugo Krawczyk,et al.  Secret Sharing Made Short , 1994, CRYPTO.

[42]  Craig A. N. Soules,et al.  Survivable storage systems , 2001, Proceedings DARPA Information Survivability Conference and Exposition II. DISCEX'01.

[43]  Alfredo De Santis,et al.  On the size of shares for secret sharing schemes , 1991, Journal of Cryptology.

[44]  John Rompel,et al.  One-way functions are necessary and sufficient for secure signatures , 1990, STOC '90.

[45]  Alfredo De Santis,et al.  Size of Shares and Probability of Cheating in Threshold Schemes , 1994, EUROCRYPT.

[46]  Hugo Krawczyk Distributed fingerprints and secure information dispersal , 1993, PODC '93.

[47]  Moti Yung,et al.  Generalized secret sharing and group-key distribution using short keys , 1997, Proceedings. Compression and Complexity of SEQUENCES 1997 (Cat. No.97TB100171).

[48]  Keith M. Martin,et al.  Combinatorial models for perfect secret sharing schemes , 1998 .

[49]  Josh Benaloh,et al.  Generalized Secret Sharing and Monotone Functions , 1990, CRYPTO.

[50]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[51]  Omer Reingold,et al.  Statistically-hiding commitment from any one-way function , 2007, STOC '07.

[52]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[53]  Arnab Paul,et al.  Design of a Secure and Fault Tolerant Environment for Distributed Storage , 2004 .