Linear (k, n) secret sharing scheme with cheating detection
SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9: Published online 20 March 2016 in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

Linear (k, n) secret sharing scheme with cheating detection

Yanxiao Liu*
Xi'an University of Technology, China

ABSTRACT

Linear (k, n) secret sharing scheme with the capability of detecting cheating is considered in this paper. Linear (k, n) secret sharing scheme is a class of (k, n) secret sharing, where all the n shares of a secret satisfy a linear relationship. It plays an important role in other cryptographic systems, such as multi-party computation and function sharing schemes. On the other hand, the cheating problem in (k, n) secret sharing is an important issue, in which cheaters (dishonest players) submit forged shares during secret reconstruction to fool honest players. During decades of research on cheating prevention, vast (k, n) secret sharing schemes against cheating have been proposed. However, most of these schemes are not linear schemes because they contain redundant information in their shares to achieve cheating detection. Because linear (k, n) secret sharing is an important primitive in threshold cryptography, linear (k, n) secret sharing scheme with the capability of cheating detection is also worthwhile to be discussed. In this paper, we propose a linear (k, n) secret sharing scheme against cheating based on Shamir's original scheme, which possesses the following merits:

(1) Our scheme is just a combination of two Shamir's schemes. Therefore, our scheme can be used in other threshold cryptographic systems, which are based on Shamir's scheme.
(2) The size of share in the proposed scheme almost reaches its theoretic lower bound in (k, n) secret sharing with cheating detection.
(3) In the phase of cheating detection, only one honest player can detect the cheating from other $k-1$ cheaters, which achieves a stronger detection effect than the previous linear secret sharing schemes against cheating.

Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS
secret sharing; linear; cheating; detection

*Correspondence
Yanxiao Liu, Faculty of Computer Science and Engineering, Xi'an University of Technology. liuyanxiao@xaut.edu.cn

1. INTRODUCTION

Secret sharing scheme is a branch of threshold cryptography, which deals with secure storage of sensitive secrets. In 1979, Shamir [1] introduced the landmark polynomial based (k, n) secret sharing scheme. In his scheme, a trusted dealer divides a secret into n shares and distributes each share to a player. Any set of k or more players can reconstruct the secret, but any set that contains less than k players cannot obtain any information about the secret. Because of the high efficiency of computing shares and reconstructing the secret, Shamir's scheme was discussed most in the field of secret sharing. Linear secret sharing [2] is a special type of secret sharing where all shares satisfy a linear relationship. For instance, Shamir's scheme is just a linear secret sharing scheme. As we know, linear secret sharing scheme is an important tool for constructing other complicated cryptographic systems, such as multi-party computation [3–5] and function sharing schemes [6–9].

The cheating problem in (k, n) secret sharing was first proposed by Tompa and Woll [10]. They pointed out that in the phase of secret reconstruction, dishonest players (cheaters) release forged shares, making the honest players reconstruct a fake secret. On the contrary, the cheaters can reconstruct the valid secret exclusively. It is obvious that Shamir's original (k, n) secret sharing scheme does not have the ability to resist such cheating; even one cheater can successfully fool all the other honest players.
To safeguard the equities of honest players, secret sharing scheme with the capability of cheating prevention is indispensable. The simplest method to detect cheating is to publish a hash value $w = H(s)$ of the secret $s$; then players can detect cheating by checking whether $w$ equals $H(s^*)$ (where $s^*$ is the reconstructed secret). However, the security of this type of scheme is based on the hash function (or other math problems); it is not unconditionally secure. During decades of discussion, vast unconditionally secure secret sharing schemes with cheating prevention were proposed. The schemes [11–14] solved
the problem of cheating detection. As we know, in secret sharing scheme without cheating detection, the size of share can be the same as the size of secret (we use the symbols V and S to denote the sizes of share and secret, respectively). However, in those schemes capable of detecting cheating, the size of share V is expanded from the size of secret S. Meanwhile, the cheating has only a small success probability, in other words, the honest players can detect the cheating behavior with the probability 1. The other category of cheating prevention is to identify cheaters [15–18]. In those schemes, the honest players involved in secret reconstruction not only can detect the cheating behavior, but can also figure out the identities of all cheaters. However, in secret sharing schemes with cheater identification, the size of share V is much larger than in secret sharing schemes capable of just detecting cheating. Hence, we only focus on the problem of cheating detection in our work.

As we know, most secret sharing schemes with cheating prevention are not linear schemes. For instance, the secret sharing schemes [10,11,13,14,19] can detect cheating, and they are all based on Shamir's original linear secret sharing scheme. However, they are still not linear schemes because the shares in those schemes contain redundant information to achieve cheating detection. Therefore, the shares do not satisfy the linear relationship any more. Because linear (k, n) secret sharing is an important primitive in threshold cryptography, linear (k, n) secret sharing scheme with the capability of cheating prevention is also worthwhile to be discussed. In [20], Pieprzyk and Zhang proposed a linear secret sharing scheme against cheating. However, the cheating detection works only when there is a single cheater in secret reconstruction.
In [21], Harn and Lin presented a linear secret sharing scheme that is secure against cheating from multiple cheaters. The restriction of Harn-Lin's scheme is that more than k players are required in secret reconstruction for cheating prevention. But later, the literature [22] showed that this scheme can be broken by an easy attack. In [23], a linear secret sharing scheme with cheating detection for a general access structure was proposed, and it can be applied on (k, n) secret sharing schemes.

In this paper, we propose a new linear (k, n) secret sharing scheme against cheating based on Shamir's original scheme, which possesses the following merits:

(1) Our schemes are just a combination of two Shamir's schemes. Therefore, our schemes can be used in other threshold cryptographic systems, which are based on Shamir's scheme.
(2) The size of share V in the proposed schemes reaches its theoretic lower bound in (k, n) secret sharing with cheating detection.
(3) Only one honest player can detect the cheating from other $k-1$ cheaters, which achieves a stronger detection effect than the previous linear secret sharing schemes against cheating.

In addition, we give an extension to our scheme where the successful cheating probability can be chosen regardless of the size of secret S.

The rest of this paper is organized as follows. In Section 2, we give some preliminaries, including the definitions of secret sharing, linear secret sharing, and secret sharing with cheating detection. In Section 3, we list some previous results of cheating detection in secret sharing scheme. In Section 4, we propose our new linear (k, n) secret sharing scheme with cheating detection and make a comparison between our scheme and the scheme in [23]. In Section 5, we propose the revised version of the proposed scheme. We conclude in Section 6.

2. PRELIMINARIES

2.1. (k, n) Secret sharing schemes

The participants of a (k, n) secret sharing scheme consist of a dealer $D$ and $n$ players $P_1, P_2, \ldots, P_n$.
The model consists of two steps: Share Generation step and Secret reconstruction step. In step 1, a dealer $D$ divides a secret $s$ into $n$ shares, $v_1, v_2, \ldots, v_n$, and each share $v_i$, $i = 1, 2, \ldots, n$ is sent to a player $P_i$ secretly. In step 2, any qualified sets that contain at least $k$ players can reconstruct the secret $s$. A (k, n) secret sharing scheme is a perfect scheme if it satisfies the following:

(1) Any $k$ or more players can reconstruct the secret correctly.
(2) Any $k-1$ or less players cannot get any information on the secret.

Here, we briefly introduce Shamir's original (k, n) secret sharing scheme. Let $p$ be a prime number, and the secret $s$ is in $\mathbb{Z}_p$. The Share Generation step and Secret reconstruction step of Shamir's scheme are described as follows.

Share Generation step: Input a secret $s \in \mathbb{Z}_p$.

(1) The dealer $D$ generates a random polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}$, $a_0, a_1, \ldots, a_{k-1} \in \mathbb{Z}_p$ such that $a_0 = s$.
(2) The dealer $D$ computes $v_i = f(i)$, $i = 1, 2, \ldots, n$, and then distributes each share $v_i$ to the player $P_i$ privately.

Secret reconstruction step: Input a list of shares $(v_{i_1}, v_{i_2}, \ldots, v_{i_l})$ $(l \ge k)$.

Reconstruct the $(k-1)$-th degree polynomial $f(x)$ from the $l$ points $(i_1, v_{i_1}), (i_2, v_{i_2}), \ldots, (i_l, v_{i_l})$ using Lagrange interpolation

$$f(x) = \sum_{u=1}^{l} v_{i_u} \prod_{w \neq u} \frac{x - i_w}{i_u - i_w}$$

The secret is $s = f(0)$.

Obviously, Shamir's scheme is a perfect (k, n) secret sharing scheme. Here, we introduce the meaning of the size of share (secret) (denoted as V or S). Let A be a set that consists of all possible shares (secrets), then the size of A is the size of the share (secret). For example, in Shamir's scheme, the sizes of share and secret are V = S = p. The information rate of a secret sharing scheme is the ratio between the length of the secret size and the length
of the share size, that is, $\log S / \log V$. When designing a secret sharing scheme, the information rate is an important parameter to be taken into account. A secret sharing scheme is said to be ideal if its information rate equals 1, which is the maximum possible value of this parameter.

2.2. Linear secret sharing scheme

Linear (k, n) secret sharing scheme is a special type of secret sharing scheme where all the n shares of a secret satisfy a linear relationship. The definition of linear secret sharing scheme is given as follows:

Definition 1 ([20]). A (k, n) secret sharing scheme is a linear secret sharing scheme where the n shares, $v_1, v_2, \ldots, v_n$, can be presented as follows.

$$(v_1, v_2, \ldots, v_n) = (r_1, r_2, \ldots, r_k) H$$

$H$ is a public $k \times n$ matrix whose any $k \times k$ submatrix is nonsingular. The vector $(r_1, r_2, \ldots, r_k)$ is randomly chosen by the dealer.

According to Definition 1, we can see that Shamir's (k, n) secret sharing scheme is a linear scheme. Let $f(x) = a_0 + a_1 x + a_2 x^2 + \cdots + a_{k-1} x^{k-1}$; the shares $v_i = f(i)$, $i = 1, 2, \ldots, n$ can be presented as

$$(v_1, v_2, \ldots, v_n) = (a_0, a_1, a_2, \ldots, a_{k-1}) H$$

where $h_{i,j} = j^{i-1}$ ($h_{i,j}$ denotes the entry at the $i$th row and $j$th column of matrix $H$). As we know, linear schemes can achieve higher information rate in all kinds of secret sharing schemes [23]. This is one of the reasons that we are interested in designing linear secret sharing schemes with cheating detection.

2.3. Secret sharing scheme with cheating detection

Secret sharing scheme with cheating detection is a category of secret sharing scheme where the honest players have the ability to detect cheating behavior in secret reconstruction. The model also consists of two steps: Share Generation step and Secret reconstruction step. The Share Generation step is just the same as in the ordinary secret sharing scheme.
However, the Secret reconstruction step is different from the ordinary one: it takes a list of $k$ shares as input, and outputs a secret $s$ or a symbol $\perp$. The Secret reconstruction step outputs $\perp$ only when the cheating is detected. Otherwise, if the secret is verified to be valid, the Secret reconstruction step outputs a secret $s$, and all players accept this secret. The cheating is successful only if a fake secret is verified to be valid.

The successful cheating possibility is an important characteristic in a secret sharing scheme with cheating detection. Here, we give the description of the successful cheating possibility. Without loss of generality, we suppose $P_1, P_2, \ldots, P_k$ participate in secret reconstruction, and $P_1, P_2, \ldots, P_t$ are $t$ cheaters who aim to fool honest players $P_{t+1}, P_{t+2}, \ldots, P_k$. Suppose $V_c = \{v'_1, v'_2, \ldots, v'_t\} \neq \{v_1, v_2, \ldots, v_t\}$ is a group of forged shares, and $V_h = \{v_{t+1}, v_{t+2}, \ldots, v_k\}$ are the valid shares of honest players. Let $s'$ be the output of the Secret reconstruction step from the shares $\{V_c, V_h\}$; the successful cheating possibility is $\Pr[s' \notin \{s, \perp\}]$, where $s$ is the valid secret.

3. PREVIOUS WORKS ON CHEATING DETECTION

The first secret sharing scheme with cheating detection was proposed by Tompa and Woll in [10]. In their scheme, a single honest player can detect cheating. Carpentieri, De Santis, and Vaccaro [12] first considered a cheating model in which $k-1$ cheaters who know the secret try to cheat another honest player. We call it the CDV assumption. A lower bound of size of shares under the CDV assumption was given as follows.

Proposition 1 ([12]). In CDV assumption, the size of shares satisfies V S, where is the successful cheating probability.

The scheme proposed in [10] can be proved secure against cheating in CDV assumption, where the size of shares is V = ( S 1)(k 1) 2. + k

In [14], Ogata, Kurosawa, and Stinson proposed a new model in which $k-1$ cheaters who do not know the secret try to cheat another player, which is denoted as the OKS assumption.
A lower bound of size of shares in OKS assumption was also presented in [14].

Proposition 2 ([14]). In OKS assumption, the size of shares satisfies V S

In [14], they also proposed an optimum scheme secure against cheating where the size of share meets the equality of the lower bound in Proposition 2. However, in [13], Obana and Araki pointed out a drawback of the scheme [14]: the scheme in [14] is secure only if the secret is uniformly distributed; when there exists a secret that occurs with high probability, the successful cheating probability would be larger than what is expected.

Those schemes [11–14] capable of detecting cheating are not linear secret sharing schemes; they use some detection tools like hash functions to detect cheating. In [19], Pieprzyk and Zhang constructed a linear secret sharing scheme against cheating. In their scheme, the size of share V i is optimum, V = S, and the shares can be split into sub-shares to detect cheating. However, the cheating detection works only when there is one cheater in secret reconstruction. In [21], Harn and Lin extended Shamir's (k, n) secret sharing scheme into a cheating detection scheme when there are more than k shareholders in
secret reconstruction. Because Shamir's scheme is a linear scheme, Harn-Lin's scheme is also a linear scheme, which is secure against cheating from multiple cheaters. But later, the literature [22] showed that this scheme can be broken by an easy attack.

4. PROPOSED SCHEME

In this section, we propose a new linear (k, n) secret sharing scheme with cheating detection under OKS assumption. We choose the OKS assumption because the $k-1$ cheaters do not know any information on the secret, which coincides with the definition of (k, n) secret sharing, and because the size of share under OKS assumption would be smaller than the size of share under CDV assumption. In addition, if the cheaters already know the information on the secret, they do not have to cheat in secret reconstruction. Instead, they can choose not to participate in secret reconstruction at all. Therefore, cheating occurs more likely under OKS assumption than CDV assumption; accordingly, cheating detection under OKS assumption is more practical.

Our proposed linear (k, n) secret sharing scheme with cheating detection is based on Shamir's scheme, and the cheating can be detected when there is only a single honest player. The Share Generation step and Secret reconstruction step of our scheme are described as follows, where $p$ is a prime number. Notice that in the Secret reconstruction step, without loss of generality, we suppose the $k$ involved players are just $P_1, P_2, \ldots, P_k$.

Share Generation step: Input a secret $s \in \mathbb{Z}_p$.

(1) The dealer $D$ chooses a random polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}$, $a_0, a_1, \ldots, a_{k-1} \in \mathbb{Z}_p$ such that $a_0 = s$.
(2) The dealer $D$ chooses a random value $r \in \mathbb{Z}_p$ and a polynomial $g(x) = b_0 + b_1 x + \cdots + b_{k-1} x^{k-1}$, $b_0, b_1, \ldots, b_{k-1} \in \mathbb{Z}_p$, where $r a_0 + b_0 = 0$ and $r a_1 + b_1 = 0$.
(3) The dealer $D$ computes $v_i = \{m_i, d_i\}$, $i = 1, 2, \ldots, n$, where $m_i = f(i)$ and $d_i = g(i)$, and then distributes each share $v_i$ to the player $P_i$ privately.
Secret reconstruction step: Input a list of shares $(v_1, v_2, \ldots, v_k)$.

(1) Reconstruct $f(x)$ from $(1, m_1), (2, m_2), \ldots, (k, m_k)$ using Lagrange interpolation. Reconstruct $g(x)$ from $(1, d_1), (2, d_2), \ldots, (k, d_k)$ using Lagrange interpolation.
(2) Let $a_0$, $a_1$, $b_0$, and $b_1$ be the coefficients of $x^0$ and $x$ in $f(x)$ and $g(x)$, respectively. If there exists a common number $r \in \mathbb{Z}_p$ which satisfies $r a_0 + b_0 = 0$ and $r a_1 + b_1 = 0$, output $s = f(0)$. Otherwise, $f(0)$ is an invalid secret, the cheating is detected, and the step outputs $\perp$.

Observe that the share in the proposed scheme is $v_i = (m_i, d_i)$, where $m_i$ and $d_i$ are both shares of Shamir's (k, n) secret sharing scheme. As we illustrated previously, Shamir's scheme is a linear secret sharing scheme, so our proposed scheme is also a linear (k, n) secret sharing scheme.

The properties of our proposed scheme are analyzed in the following theorems. In Theorem 1, we prove that our scheme is a perfect (k, n) secret sharing scheme. In the proposed scheme, the coefficients $a_0, a_1, b_0, b_1$ in $f(x)$, $g(x)$ have some relationships, and it seems that some information about the secret would be leaked by these relationships. However, in the following Theorem 1, we will prove that these relationships among $a_0, a_1, b_0, b_1$ leak no information about the secret at all, and our scheme is a secure (k, n) threshold scheme. In Theorem 2, we discuss the property of cheating detection of our scheme.

Theorem 1. Our proposed scheme is a perfect (k, n) secret sharing scheme.

Proof. As we know, a secret sharing scheme is a perfect (k, n) threshold scheme when $k$ or more shares can reconstruct the secret, and $k-1$ or less shares cannot get any information on the secret. In our scheme, the secret $s$ is divided into $n$ shares using Shamir's original (k, n) secret sharing scheme, so it is obvious that $k$ or more shares in our scheme can reconstruct the secret. Next, we demonstrate that $k-1$ shareholders cannot get any information on the secret.
Because in the proposed scheme, $a_0$, $a_1$, $b_0$, and $b_1$ have the relationships that $r a_0 + b_0 = 0$ and $r a_1 + b_1 = 0$, most people would believe exhaustion may be the best method to obtain the secret. The method of exhaustion can be described as follows.

Step 1. The $k-1$ shareholders try each possible share of the $k$th shareholder and can compute $p$ corresponding polynomials $f_i(x)$ and $p$ corresponding polynomials $g_j(x)$, $i, j \in [1, p]$.

Step 2. If a polynomial $f_i(x)$ and $g_j(x)$ satisfy that $r a'_0 + b'_0 = 0$ and $r a'_1 + b'_1 = 0$, where $a'_0, b'_0, a'_1, b'_1$ are coefficients of $x^0$, $x$ in $f_i(x)$ and $g_j(x)$, then $f_i(x)$ and $g_j(x)$ are the original polynomials selected by the dealer, and $s = f_i(0)$ is the secret.

Here, we show that the method of exhaustion cannot work in the proposed scheme. Suppose $m^*_k$ is the share of the $k$th shareholder, which is randomly selected; then the $k-1$ shareholders compute a $k-1$ degree polynomial $f_i(x)$ from $(1, m_1), (2, m_2), \ldots, (k-1, m_{k-1}), (k, m^*_k)$, and $a'_0, a'_1$ are the corresponding coefficients in $f_i(x)$. As described in the method of exhaustion previously, if there exists a $k-1$ degree polynomial $g_j(x) = b'_0 + b'_1 x + \cdots + b'_{k-1} x^{k-1}$, which is interpolated by $(1, d_1), (2, d_2), \ldots, (k-1, d_{k-1}), (k, d^*_k)$ ($d^*_k$ could be any value in $\mathbb{Z}_p$) and satisfies $r' a'_0 + b'_0 = 0$, $r' a'_1 + b'_1 = 0$ ($r'$ could be any value in $\mathbb{Z}_p$), then $s = f'(0)$ is the secret. Notice that we can regard $b'_0, b'_1, \ldots, b'_{k-1}$ and $r'$ as $k+1$ unknowns, and we can also establish $k+1$ equations on these unknowns: $g'(i) = d_i$, $i = 1, 2, \ldots, k-1$, $r' a'_0 + b'_0 =$
$0$, $r' a'_1 + b'_1 = 0$. (Here, $a'_0, a'_1$ are known to the $k-1$ shareholders.) Therefore, all the unknowns $b'_0, b'_1, \ldots, b'_{k-1}$ can be obtained from these equations, and we can also get the polynomial $g'(x)$. In other words, when the $k-1$ shareholders try $d^*_k = g'(k)$ as the possible share of the $k$th shareholder, they will find $f'(x)$ and $g'(x)$ are the original polynomials selected by the dealer. Based on this observation, using the method of exhaustion, the $k-1$ shareholders will find that each value in $\mathbb{Z}_p$ may be the secret. Therefore, the method of exhaustion cannot work in the proposed scheme.

Here, we use an example to show that the method of exhaustion cannot work in the proposed scheme. Suppose $k = 4$, and two $k-1$ degree polynomials $f(x) = 1 + 3x + 4x^2 + 5x^3$, $g(x) = 4 + 5x + x^2 + 3x^3$ over $\mathbb{Z}_7$ are selected by the dealer. We can observe that $3a_0 + b_0 = 0$, $3a_1 + b_1 = 0$ from the polynomials. Let $P_1, P_2, P_3, P_4$ be the participants; during the Share Generation step, each of them gets a share $(m_i = f(i), d_i = g(i))$ from the dealer. For clarity, we list the shares one by one: $P_1$ has $(m_1 = 6, d_1 = 6)$, $P_2$ has $(m_2 = 0, d_2 = 0)$, $P_3$ has $(m_3 = 6, d_3 = 4)$ and $P_4$ has $(m_4 = 5, d_4 = 1)$.

Now, $P_1, P_2, P_3$ want to get the secret by exhaustion. As described previously, they can first assume the sub-share of $P_4$ is $m^*_4 = 0$ and compute a polynomial $f'(x) = 6 + 2x + 2x^2 + 3x^3$ using Lagrange interpolation. Next, they can try all possible sub-shares $d^*_4$ of $P_4$, and verify whether each one fits. When they try $d^*_4 = 2$, the corresponding interpolating polynomial is $g'(x) = 3 + x + 2x^3$. The coefficients $a'_0$, $a'_1$, $b'_0$, and $b'_1$ satisfy $3a'_0 + b'_0 = 0$, $3a'_1 + b'_1 = 0$. Then they will believe that $f'(x)$, $g'(x)$ would be the original polynomials selected by the dealer and $s' = f'(0) = 6$ is the secret. Obviously, they get the wrong secret.
In fact, using the method of exhaustion, they will find each possible sub-share $m^*_4$ would be the correct sub-share of $P_4$, because for each possible sub-share $m^*_4$ there exists a sub-share $d^*_4$ that satisfies the corresponding relationships. In sum, any $k-1$ participants cannot get any information about the secret. End of proof.

In the following theorem, we discuss the properties of cheating detection in the proposed scheme, including the upper bound of cheaters that can be tolerated, the successful cheating probability, and the size of share.

Theorem 2. When there are $k-1$ cheaters in the secret reconstruction phase, our proposed scheme can detect the cheating with the parameters S = p, = 1/p, V = p^2 = S.

Proof. Suppose $P_1, P_2, \ldots, P_k$ participate in the secret reconstruction phase, and $P_1, P_2, \ldots, P_{k-1}$ are $k-1$ cheaters who wish to fool $P_k$. Assume the fake shares submitted by cheaters are $v^*_i = (m_i + m^*_i, d_i + d^*_i)$, $i = 1, 2, \ldots, k-1$; together with the share $v_k = (m_k, d_k)$ of $P_k$, one can get two polynomials $f^{**}(x) = f(x) + f^*(x)$, $g^{**}(x) = g(x) + g^*(x)$ in the secret reconstruction step, where $f^*(x) = a^*_0 + a^*_1 x + \cdots + a^*_{k-1} x^{k-1}$ and $g^*(x) = b^*_0 + b^*_1 x + \cdots + b^*_{k-1} x^{k-1}$ are interpolated polynomials on the $k$ points $(1, m^*_1), (2, m^*_2), \ldots, (k-1, m^*_{k-1}), (k, 0)$ and $(1, d^*_1), (2, d^*_2), \ldots, (k-1, d^*_{k-1}), (k, 0)$, respectively. Because $f^*(x)$ and $g^*(x)$ can be decided by cheaters exclusively, they can select a random number $r^*$ satisfying $r^* a^*_0 + b^*_0 = 0$, $r^* a^*_1 + b^*_1 = 0$. According to our algorithm, if there exists a common number $r'$ satisfying $r'(a_0 + a^*_0) + b_0 + b^*_0 = 0$, $r'(a_1 + a^*_1) + b_1 + b^*_1 = 0$, the cheating cannot be detected. We can easily observe that the cheating succeeds only when $r^* = r$. As proved in Theorem 1, these $k-1$ cheaters have no information on $r$; the possibility of $r^* = r$ is $1/p$. As a result, the successful cheating possibility is $1/p$.
For other parameters, the secret $s$ is chosen from $\mathbb{Z}_p$; the size of secret is S = p. The share is a combination of two numbers in $\mathbb{Z}_p$; the size of share is V = p^2 = S. Notice that if the cheaters select $a^*_0 = a^*_1 = b^*_0 = b^*_1 = 0$, our scheme cannot detect the cheating behavior, but the honest player can also reconstruct the valid secret because $f^{**}(0) = f(0) = a_0$. Because the aim of cheating is making honest players get a fake secret, we can regard the cheating as failed in this case. End of proof.

From the above analysis, we can conclude that, compared with previous linear secret sharing schemes with cheating detection, our scheme has two primary advantages:

(1) Our scheme can detect cheating from up to $k-1$ cheaters.
(2) The size of share almost reaches its theoretical lower bound; the size of share V = S in our scheme is only one bit longer than the existing upper bound under OKS assumption. (Proposition 2)

In [23], the authors proposed another linear secret sharing scheme with cheating detection for a general access structure. When applying their approach in Shamir's secret sharing scheme, the process of cheating detection is quite similar to our scheme and can be briefly described as follows. The dealer chooses a secret $s$ and distributes the shares $m_i$, $i = 1, 2, \ldots, n$ of $s$ to each player $P_i$ privately. In addition, the dealer computes $e = s^2$ and then generates $n$ shares $d_i$, $i = 1, 2, \ldots, n$ for $e$. Finally, the share of each player $P_i$ is $v_i = (m_i, d_i)$. In secret reconstruction, the players reconstruct two values $s^*$, $e^*$ using their shares; if $e^* = (s^*)^2$, $s^*$ is the valid secret, else there exist cheaters in secret reconstruction. We can see that their scheme also consists of two of Shamir's secret sharing schemes and can also detect cheating from up to $k-1$ cheaters. However, compared with their scheme, our proposed scheme has two advantages.
One is that our scheme has higher probability to detect cheating behavior in secret reconstruction. In the proposed scheme, as analyzed previously, the successful cheating probability of $k-1$ cheaters is $1/p$. However, in [23], the scheme verifies whether $e^* = (s^*)^2$ to detect cheating. We can observe that $e$ (which is selected by the dealer) is a square number in $\mathbb{Z}_p$, and the size of all possible $e$ is $p/2$, not $p$. If cheaters use randomly forged shares
in secret reconstruction, the probability of $e = (s^*)^2$ is at least $2/p$. In other words, the successful cheating probability in Scheme [23] is $2/p$, which is two times higher than the probability in our proposed scheme. Correspondingly, in Scheme [23], the size of share can be presented as V = 2 S, which has a higher share size expansion than the proposed scheme.

The other advantage is that our scheme can save time in cheating detection. As described previously, their scheme requires one multiplication operation $(s^*)^2$ to detect cheating. In contrast, our scheme only contains addition operations in cheating detection, which is more efficient than their scheme.

We give a comparison between our proposed scheme and three other linear secret sharing schemes with cheating detection in the following Table I, where $p$ is the size of secret and $k$ is the threshold value.

Table I. Comparison of linear secret sharing schemes with cheating detection.

| | Size of share | Maximum of cheaters that can detect | Probability of successful cheating |
|---|---|---|---|
| Harn's scheme | V = S | This scheme cannot detect cheating | |
| Pieprzyk's scheme | V = S | 1 | p = 1/p |
| Sergio's scheme | V = 2 S | $k-1$ | 2/p |
| Proposed scheme | V = S | $k-1$ | 1/p |

5. REVISED VERSION

According to the above analysis, we conclude that our scheme can detect cheating of up to $k-1$ cheaters, and the successful cheating possibility is $1/p$. We can see that the successful cheating possibility is relevant to the size of the secret; when the prime number $p$ is not large enough, the successful cheating possibility is not acceptable. Here, we give a revised version of our proposed scheme, where the successful cheating possibility can be freely chosen and the other parameters keep their characters in our original scheme.

Revised version

Share Generation step: Input a secret $s \in \{0, 1, 2, \ldots, p-1\}$.
(1) The dealer $D$ generates a random polynomial $f(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1}$, $a_0, a_1, \ldots, a_{k-1} \in \{0, 1, 2, \ldots, p-1\}$ such that $a_0 = s$.
(2) For a specific successful cheating possibility, the dealer $D$ selects a prime number $q$ such that this possibility is greater than $1/q$. The dealer randomly chooses a value $r \in \{0, 1, 2, \ldots, q-1\}$ and a polynomial $g(x) = b_0 + b_1 x + \cdots + b_{k-1} x^{k-1}$, $b_0, b_1, \ldots, b_{k-1} \in \{0, 1, 2, \ldots, q-1\}$, where $r a_0 + b_0 = 0 \pmod q$ and $r a_1 + b_1 = 0 \pmod q$. (Generally, we assume $q > p$.)
(3) The dealer $D$ computes $v_i = \{m_i, d_i\}$, $i = 1, 2, \ldots, n$, where $m_i = f(i) \pmod p$ and $d_i = g(i) \pmod q$, and then distributes each share $v_i$ to a player $P_i$.

Secret reconstruction step: Input a list of shares $(v_1, v_2, \ldots, v_k)$.

(1) Reconstruct $f'(x)$ from $(1, m_1), (2, m_2), \ldots, (k, m_k)$ using Lagrange interpolation. Reconstruct $g'(x)$ from $(1, d_1), (2, d_2), \ldots, (k, d_k)$ using Lagrange interpolation.
(2) Let $a'_0$, $a'_1$, $b'_0$, and $b'_1$ be the coefficients of $x^0$ and $x$ in $f'(x)$ and $g'(x)$, respectively. If there exists a common number $r' \in \{0, 1, 2, \ldots, q-1\}$ which satisfies $r' a'_0 + b'_0 = 0 \pmod q$ and $r' a'_1 + b'_1 = 0 \pmod q$, output $s = f'(0)$. Otherwise, $f'(0)$ is an invalid secret, the cheating is detected, and the step outputs $\perp$.

Using the similar analysis in Theorem 1, any $k-1$ cheaters cannot get any information on the number $r$. On the other hand, according to similar discussion in Theorem 2, the successful cheating possibility of $k-1$ cheaters equals that of guessing the number $r \in \{0, 1, 2, \ldots, q-1\}$. Therefore, the successful cheating possibility is $1/q$, which is irrelevant to the size of secret. For other parameters, the size of secret is S = p, the size of share is V = pq S.

6. CONCLUSION

In this paper, we discuss the significance of detecting cheating in linear secret sharing schemes and construct a new (k, n) linear secret sharing scheme with the capability of cheating detection.
Our proposed scheme has the following merits:

(1) Our schemes are just a combination of two of Shamir's schemes. Therefore, our schemes can be used in other threshold cryptographic systems, which are based on Shamir's scheme.
(2) The size of share in the proposed schemes almost reaches its theoretic lower bound in (k, n) secret sharing with cheating detection.
(3) Only one honest player can detect the cheating from other $k-1$ cheaters, which achieves a stronger detection effect than the previous linear secret sharing schemes against cheating.

At last, we give a revised version where the successful cheating possibility can be chosen regardless of the size of secret.

ACKNOWLEDGEMENTS

This work is supported by both the National Natural Science Foundation of China under Grant No and the PhD research startup foundation of Xi'an University of Technology, Grant No
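Added worked example (not part of the original article): the Share Generation and Secret reconstruction steps of Sections 4 and 5, run on the $k = 4$ example over $\mathbb{Z}_7$ from the proof of Theorem 1 and on the forged-share case from the proof of Theorem 2. Function names are illustrative, `None` stands for the rejection symbol, and the forgery offset $f^*(x) = x - 4$ is a constructed sample.

```python
import secrets


def poly_eval(coeffs, x, mod):
    """Evaluate a polynomial (coefficients low to high) at x modulo a prime."""
    return sum(c * pow(x, i, mod) for i, c in enumerate(coeffs)) % mod


def interpolate(points, mod):
    """Lagrange interpolation: coefficients (low to high) of the polynomial of
    degree < len(points) through the given (x, y) points, modulo a prime."""
    coeffs = [0] * len(points)
    for u, (xu, yu) in enumerate(points):
        basis, denom = [1], 1
        for w, (xw, _) in enumerate(points):
            if w != u:
                # basis(x) *= (x - xw) and denom *= (xu - xw)
                basis = [(lo - xw * hi) % mod
                         for lo, hi in zip([0] + basis, basis + [0])]
                denom = denom * (xu - xw) % mod
        scale = yu * pow(denom, -1, mod) % mod
        coeffs = [(c + scale * b) % mod for c, b in zip(coeffs, basis)]
    return coeffs


def make_shares(f, g, n, p, q):
    """v_i = (i, m_i, d_i) with m_i = f(i) mod p and d_i = g(i) mod q."""
    return [(i, poly_eval(f, i, p), poly_eval(g, i, q)) for i in range(1, n + 1)]


def deal(secret, k, n, p, q=None):
    """Share Generation step (k >= 2); q=None is the Section 4 scheme (q = p)."""
    q = q or p
    rng = secrets.SystemRandom()
    f = [secret % p] + [rng.randrange(p) for _ in range(k - 1)]
    r = rng.randrange(q)
    # g is random except that r*a0 + b0 = 0 and r*a1 + b1 = 0 (mod q)
    g = [-r * f[0] % q, -r * f[1] % q] + [rng.randrange(q) for _ in range(k - 2)]
    return make_shares(f, g, n, p, q)


def common_r(a0, a1, b0, b1, q):
    """Some r with r*a0 + b0 = 0 and r*a1 + b1 = 0 (mod q), or None if none exists."""
    for a, b in ((a0, b0), (a1, b1)):
        if a % q:
            r = -b * pow(a, -1, q) % q  # the only r allowed by this equation
            ok = (r * a0 + b0) % q == 0 and (r * a1 + b1) % q == 0
            return r if ok else None
    # a0 = a1 = 0: the relations hold (for every r) exactly when b0 = b1 = 0
    return 0 if b0 % q == 0 and b1 % q == 0 else None


def reconstruct(shares, p, q=None):
    """Secret reconstruction step: the secret, or None when cheating is detected."""
    q = q or p
    f = interpolate([(i, m) for i, m, _ in shares], p)
    g = interpolate([(i, d) for i, _, d in shares], q)
    return f[0] if common_r(f[0], f[1], g[0], g[1], q) is not None else None


# The k = 4 example over Z_7 from the proof of Theorem 1 (dealer's r = 3).
P = 7
F = [1, 3, 4, 5]  # f(x) = 1 + 3x + 4x^2 + 5x^3
G = [4, 5, 1, 3]  # g(x) = 4 + 5x + x^2 + 3x^3
SHARES = make_shares(F, G, 4, P, P)


def exhaustion(known, k, p):
    """k-1 colluders try every guess (m_k*, d_k*) for the missing share and
    record, per candidate secret, the guesses that pass the consistency check."""
    passing = {}
    for m in range(p):
        for d in range(p):
            s = reconstruct(known + [(k, m, d)], p)
            if s is not None:
                passing.setdefault(s, []).append((m, d))
    return passing


def forge_and_submit(r_guess):
    """Theorem 2 setting: P1..P3 add f*(i), g*(i) to their shares, with the
    constructed offset f*(x) = x - 4 and g* = -r_guess * f*; P4 stays honest."""
    f_star = [-4 % P, 1]
    g_star = [-r_guess * c % P for c in f_star]
    forged = [(i, (m + poly_eval(f_star, i, P)) % P, (d + poly_eval(g_star, i, P)) % P)
              for i, m, d in SHARES[:3]]
    return reconstruct(forged + [SHARES[3]], P)


if __name__ == "__main__":
    print("shares:", SHARES, "-> secret", reconstruct(SHARES, P))
    print("exhaustion by P1..P3:", exhaustion(SHARES[:3], 4, P))
    print("forgery accepted for r* in",
          [r for r in range(P) if forge_and_submit(r) is not None])
```

For the example polynomials, every value of $\mathbb{Z}_7$ appears as a candidate secret in the exhaustion, and the forged shares are accepted for exactly one of the seven guesses of $r$.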
REFERENCES

1. Shamir A. How to share a secret. Communications of the ACM 1979; 22(11):
2. Karchmer M, Wigderson A. On span programs. Proceedings of 8-th Annual Structure in Complexity Theory Conference, San Diego, California, 1993;
3. Chaum D, Crepeau C, Damgard I. Multi-party unconditionally secure protocols. Proceedings of ACM STOC, Chicago, Illinois, 1988;
4. Cramer R, Damgard I, Maurer U. General secure multi-party computation from any linear secret sharing scheme. Proceedings of EUROCRYPT 2000, LNCS 1807, Bruges, Belgium;
5. Nikova V, Nikova S, Preneel B. Multi-party computation from any linear secret sharing scheme secure against adaptive adversary: the zero-error case. Proceedings of ACNS, Kunming, China, 2003;
6. Asmuth C, Bloom J. A modular approach to key safeguarding. IEEE Transaction on Information Theory 1983; 29(2):
7. Huang HF, Chang CC. A novel efficient (t, n) threshold proxy signature scheme. Information Science 2006; 176(10):
8. Desmedt Y, Frankel Y. Threshold cryptosystems. Proceedings of CRYPTO, LNCS 435, San Diego, California, 1989;
9. Desmedt Y, Frankel Y. Shared generation of authenticators and signatures. Proceedings of CRYPTO, LNCS 576, San Diego, California, 1992;
10. Tompa M, Woll H. How to share a secret with cheaters. Journal of Cryptology 1989; 1(3):
11. Araki T. Efficient (k, n) threshold secret sharing scheme secure against cheating from n − 1 cheaters. Proceedings of ACISP, LNCS 4586, Townsville, Australia, 2007;
12. Carpentieri M, De Santis M, Vaccaro U. Size of shares and probability of cheating in threshold schemes. Proceedings of EUROCRYPT, LNCS 765, Lofthus, Norway, 1993;
13. Obana S, Araki T. Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution. Proceedings of ASIACRYPT, LNCS 4284, Shanghai, China, 2006;
14. Ogata W, Kurosawa K, Stinson DR. Optimum secret sharing scheme secure against cheating. SIAM Journal on Discrete Mathematics 2006; 20(1):
15. Carpentieri M.
A perfect threshold secret sharing scheme to identify cheaters. Design Codes and Cryptography 1995; 5(3): Kurosawa K, Obana S, Ogata W. t-cheater identifiable (k, n) secret sharing schemes. Proceedings of CRYPTO, LNCS 563, San Diego, California, 1995; Obana S. Almost optimum t-cheater identifiable secret sharing schemes. Proceedings of EUROCRYPT, LNCS 6632, Tallinn, Estonia, 2011; Liu YX. Efficient t-cheater identifiable (k, n) secret sharing scheme for t b k 2 2 c. IET Information Security 2013; 8(1): Gennaro R, Jarecki S, Krawczyk H et al. Robust threshold DSS signatures. Proceedings of EURO- CRYPT, LNCS 1070, Saragossa, Spain, 1996; Pieprzyk J, Zhang XM. Cheating prevention in linear secret sharing. Proceedings of ACISP, LNCS 2384, Melbourne, Australia, 2002; Harn L, Lin C. Detection and identification of cheaters in (t, n) secret sharing scheme. Designs Codes and Cryptography 2009; 52(1): Ghodosi H. Comments on Harn-Lin s cheating detection scheme. Designs, Codes and Cryptography 2011; 60(1): Sergio C, Carles P, German S. Secret sharing schemes with detection of cheaters for a general access structure. Designs, Codes and Cryptography 2002; 25 (2): Security Comm. Networks 2016; 9: John Wiley & Sons, Ltd. 2121