Theory and practice of verifiable secret sharing

Secret Sharing is a fundamental notion for secure cryptographic design. In a Secret Sharing protocol a dealer shares a secret among n parties. In the so-called threshold model, the sharing is done so that subsets of t + 1 (or more) parties can later reconstruct the secret, while subsets of t (or fewer) parties have no information about it. The notion can be generalized by having the dealer specify a family of subsets of the n parties, called the access structure. The dealer shares the secret in such a way that only subsets of players in this family (usually called authorized subsets) can reconstruct the secret, while non-authorized subsets have no information about it. Verifiable Secret Sharing (VSS) protocols achieve the above task in the presence of maliciously behaving parties. In our thesis we present a new and stronger definition of VSS. The novelty of the definition is that it satisfies the composition property of secure protocols. That is, VSS protocols satisfying the requirements of our definition can be proven to remain secure even when used as sub-protocols inside larger protocols. Previous definitions did not enjoy this property. We also present the first VSS protocols in the access structure model whose security does not depend on unproven computational assumptions. One of the most important applications of VSS protocols is the implementation of robust shared signature schemes. Such protocols allow a group of servers to sign a document with a secret key that is shared among them. We present efficient threshold signature schemes for the Digital Signature Standard and the RSA Signature Algorithm. The protocols are fully robust, that is, they tolerate the presence of a threshold of malicious servers who may try to forge signatures or impede the signature process.

Acknowledgments

First and foremost I would like to thank my advisor, Silvio Micali. I just cannot imagine a better person to work with. His enthusiasm makes research work always exciting. He is also an extremely supportive person, always ready to pump up your self-esteem when things do not go as well as desired. Special thanks are due to Shafi Goldwasser and Tal Rabin, for serving on my thesis committee. Shafi introduced me to cryptography and always showed a genuine interest in my research. Tal is not only a great person to work with, but also a special friend. The Theory Group at the MIT Laboratory for Computer Science has …
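The threshold model described in the abstract, as an added worked example that is not code from the thesis: Shamir's polynomial scheme over a prime field is used here as the concrete instance, with the dealer's sharing, reconstruction from any t + 1 shares, and a check of why t shares carry no information (they are consistent with every candidate secret). The field modulus, function names and sample values are assumptions of this example.

```python
# Added example, not code from the thesis: Shamir's (t, n) threshold scheme
# over the prime field GF(P). It demonstrates the two properties stated in the
# abstract: t+1 shares reconstruct the secret, t shares reveal nothing about it.
import secrets

P = 2**127 - 1  # field modulus, a Mersenne prime (an assumed choice)

def share(secret, t, n):
    """Dealer: pick a random degree-t polynomial f with f(0) = secret and
    give party i the share (i, f(i)), for i = 1..n."""
    assert 0 <= secret < P and 0 < t < n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]

def interpolate(points, x):
    """Lagrange interpolation: evaluate at x the unique polynomial of degree
    < len(points) through the given points (their x values must be distinct)."""
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * (x - xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, P - 2, P)) % P
    return total

def reconstruct(shares, t):
    """Any t+1 shares with distinct x determine f and hence the secret f(0)."""
    distinct = list(dict(shares).items())
    if len(distinct) < t + 1:
        raise ValueError("need at least t+1 distinct shares")
    return interpolate(distinct[:t + 1], 0)

def alternative_sharing(t_shares, candidate, n):
    """Why t shares give no information: the t points plus (0, candidate) lie
    on some degree-t polynomial, so a complete n-party sharing of *candidate*
    exists that agrees with every share the adversary holds."""
    pts = [(0, candidate)] + list(t_shares)
    return [(i, interpolate(pts, i)) for i in range(1, n + 1)]

if __name__ == "__main__":
    shares = share(42, t=2, n=5)
    print(reconstruct(shares[2:], 2))             # 42, from shares 3, 4 and 5
    fake = alternative_sharing(shares[:2], 7, 5)  # adversary holds shares 1, 2
    print(fake[:2] == shares[:2], reconstruct(fake, 2))  # True 7
```

The last call shows the adversary's view: holding only t shares, it can construct a full sharing of any secret it likes that matches those shares, so the true secret is indistinguishable from every other value.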
