New results and applications for multi-secret sharing schemes

In a multi-secret sharing scheme (MSSS), $\ell$ different secrets are distributed among the players in some set $\mathcal{P}=\{P_1,\ldots,P_n\}$, each one according to an access structure. The trivial solution to this problem is to run $\ell$ independent instances of a standard secret sharing scheme, one for each secret. In this solution, the length of the secret share to be stored by each player grows linearly with $\ell$ (when keeping all other parameters fixed). Multi-secret sharing schemes have been studied by the cryptographic community mostly from a theoretical perspective: different models and definitions have been proposed, for both unconditional (information-theoretic) and computational security. In the case of unconditional security, there are two different definitions. It has been proved that, for some particular cases of access structures that include the threshold case, a MSSS with the strongest level of unconditional security must have shares with length linear in $\ell$. Therefore, the optimal solution in this case is equivalent to the trivial one. In this work we prove that, even for a more relaxed notion of unconditional security, and for some kinds of access structures (in particular, threshold ones), we have the same efficiency problem: the length of each secret share must grow linearly with $\ell$. Since we want more efficient solutions, we move to the scenario of MSSSs with computational security. We propose a new MSSS, where each secret share has constant length (just one element), and we formally prove its computational security in the random oracle model. To the best of our knowledge, this is the first formal analysis of the computational security of a MSSS. We show the utility of the new MSSS by using it as a key ingredient in the design of two schemes for two new functionalities: multi-policy signatures and multi-policy decryption. We prove the security of these two new multi-policy cryptosystems in a formal security model. The two new primitives provide similar functionalities as attribute-based cryptosystems, with some advantages and some drawbacks that we discuss at the end of this work.
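The contrast the abstract draws, between the trivial solution (one independent Shamir instance per secret, so each player stores $\ell$ field elements) and a computational MSSS in which each player stores a single element, can be made concrete. The following is an added example and is not the paper's scheme: the constant-share construction shown is the classic "hash-derived pseudo-share plus public correction value" pattern, assumed here as an illustration of why a random-oracle-style hash lets one stored element serve every secret. The prime field, the `secrets`/`hashlib` usage, all function names and the sample thresholds are this example's own choices. Each secret may have its own threshold, which is the threshold special case of "each one according to an access structure".

```python
import hashlib
import secrets

# Constructed toy field: arithmetic modulo the Mersenne prime 2^61 - 1.
P = (1 << 61) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[d]*x^d mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, t, n):
    """Standard (t, n) Shamir sharing: n points (i, f(i)) of a random
    degree-(t-1) polynomial f with f(0) = secret."""
    if not 1 <= t <= n < P:
        raise ValueError("need 1 <= t <= n < P")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]


def shamir_reconstruct(points):
    """Lagrange interpolation at x = 0; correct when given t distinct points."""
    total = 0
    for a, (xa, ya) in enumerate(points):
        num, den = 1, 1
        for b, (xb, _) in enumerate(points):
            if a != b:
                num = (num * (-xb)) % P
                den = (den * (xa - xb)) % P
        total = (total + ya * num * pow(den, P - 2, P)) % P
    return total


# --- Trivial MSSS: one independent instance per secret ----------------------

def trivial_msss_share(secret_list, thresholds, n):
    """Player i's share is a list of len(secret_list) field elements:
    share length grows linearly with the number of secrets ell."""
    per_secret = [shamir_share(k, t, n) for k, t in zip(secret_list, thresholds)]
    return {i: [pts[i - 1][1] for pts in per_secret] for i in range(1, n + 1)}


def trivial_msss_recover(j, participants, shares):
    return shamir_reconstruct([(i, shares[i][j]) for i in participants])


# --- Hash-based MSSS (assumed classic pattern, NOT the paper's scheme) -------

def _pseudo_share(s_i, j):
    """Random-oracle-style derivation: player i's pseudo-share for secret j.
    Knowing H(s_i, j) reveals nothing about H(s_i, j') for j' != j."""
    h = hashlib.sha256(s_i.to_bytes(8, "big") + j.to_bytes(4, "big")).digest()
    return int.from_bytes(h, "big") % P


def hashed_msss_share(secret_list, thresholds, n):
    """Each player keeps ONE field element s_i. For every secret j the dealer
    publishes a correction d[(i, j)] so that d[(i, j)] + H(s_i, j) is a genuine
    Shamir share of secret j. The corrections are public; without s_i they are
    masked by a uniformly random value, so they leak nothing about secret j."""
    shares = {i: secrets.randbelow(P) for i in range(1, n + 1)}
    public = {}
    for j, (k, t) in enumerate(zip(secret_list, thresholds)):
        for i, y in shamir_share(k, t, n):
            public[(i, j)] = (y - _pseudo_share(shares[i], j)) % P
    return shares, public


def hashed_msss_recover(j, participants, shares, public):
    """Each participant contributes only its share of secret j, i.e. H(s_i, j)
    plus the public correction; its long-term element s_i stays private."""
    pts = [(i, (public[(i, j)] + _pseudo_share(shares[i], j)) % P)
           for i in participants]
    return shamir_reconstruct(pts)


if __name__ == "__main__":
    ks, ts, n = [111, 222, 333], [2, 3, 2], 5          # constructed sample input
    triv = trivial_msss_share(ks, ts, n)
    s, pub = hashed_msss_share(ks, ts, n)
    print("trivial share of player 1 holds", len(triv[1]), "elements")
    print("hashed share of player 1 holds 1 element:", s[1])
    print("secret 1 from players 1,3,5:", hashed_msss_recover(1, [1, 3, 5], s, pub))
```

The storage difference is the point: in `trivial_msss_share` the per-player share is a list whose length equals the number of secrets, whereas in `hashed_msss_share` it is one integer and all the growth moves into the public corrections, which need no secrecy. Opening one secret costs a player only the hash value for that index, so the other secrets keep their full threshold protection.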
