How to share a function securely

We define the primitive of function sharing, a functional analog of secret sharing, and employ it to construct novel cryptosystems. The basic idea of function sharing is to split a hard-to-compute (trapdoor) function into shadow functions (or share-functions). The intractable function becomes easy to compute at a given point when given any threshold (at least t out of i) of shadow function evaluations at that point. Otherwise, the function remains hard. Furthermore, the function must remain intractable even after exposing up to t - 1 shadow functions and exposing values of all shadow functions at polynomially many inputs. The primitive enables the distribution of the power to perform cryptography (signature, decryption, etc.) to agents. This enables the design of various novel cryptosystems with improved integrity, availability and security properties. Our model should be contrasted with the model of secure function evaluation protocols. We require no channels between agents holding the shadow functions, as the agents act non-interactively on a publicly available input. Our security relies solely on secure memories (and results), as in regular cryptosystems. In secure function evaluation, on the other hand, it is necessary to have private/secured bilateral channels, an interactive protocol, and security of all inputs – in addition to secure memories.

* Dip. di Informatica ed Applicazioni, Università di Salerno, Baronissi (SA), Italy.
† Dept. of EE&CS, Univ. of Wisconsin Milwaukee, WI. Partially supported by NSF Grant NCR-9106327.
‡ GTE Laboratories Incorporated, Waltham, MA.
§ IBM T. J. Watson Research Center, Yorktown Heights, NY.

Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association of Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. STOC '94, 5/94, Montreal, Quebec, Canada. © 1994 ACM 0-89791-663-8/94/0005...$3.50
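
The threshold behaviour described in the abstract, shown for the RSA function as an added example (not code or a construction from the paper): the integer-Lagrange technique with Δ = l! is a swapped-in, later-style threshold RSA method, and the primes, `T`, `L` and all function names are constructed for illustration. Each agent evaluates its shadow function on the public input without talking to the others, and any `T` results combine into the ordinary RSA signature.

```python
import math, secrets

# Constructed toy parameters (tiny primes, illustration only; assumption, not from the paper).
P, Q, E = 1019, 1187, 65537
N = P * Q
M = (P - 1) * (Q - 1) // 4           # 4*M = phi(N), so x^(4*M) = 1 for x coprime to N
T, L = 3, 5                           # any T of the L agents suffice
DELTA = math.factorial(L)

def bezout(u, v):
    """Return (a, b) with a*u + b*v == gcd(u, v)."""
    a0, a1, b0, b1 = 1, 0, 0, 1
    while v:
        q = u // v
        u, v, a0, a1, b0, b1 = v, u - q * v, a1, a0 - q * a1, b1, b0 - q * b1
    return a0, b0

def deal(t=T, l=L):
    """Dealer: split d = E^-1 mod M into l shadow exponents (degree t-1 polynomial mod M)."""
    d = pow(E, -1, M)
    coeffs = [d] + [secrets.randbelow(M) for _ in range(t - 1)]
    return {i: sum(c * i**k for k, c in enumerate(coeffs)) % M
            for i in range(1, l + 1)}

def shadow_eval(x, s_i):
    """Agent i, non-interactively: evaluate its shadow function on the public input x."""
    return pow(x, 2 * DELTA * s_i, N)

def combine(x, partials):
    """Anyone: turn T partial results {i: x_i} into the E-th root of x mod N."""
    ids = list(partials)
    w = 1
    for i in ids:
        num, den = DELTA, 1
        for j in ids:
            if j != i:
                num, den = num * -j, den * (i - j)
        lam = num // den              # the DELTA factor makes this division exact
        w = w * pow(partials[i], 2 * lam, N) % N   # negative lam needs Python 3.8+
    # w = x^(4*DELTA^2*d); strip the 4*DELTA^2 factor using gcd(4*DELTA^2, E) = 1.
    a, b = bezout(4 * DELTA**2, E)
    return pow(w, a, N) * pow(x, b, N) % N
```

The combiner never learns `d` or any share, only the partial results, and every size-`T` subset yields the same signature because the `E`-th root of `x` modulo `N` is unique.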
