
[Cfrg] Redistribution in Proactive Secret Sharing schemes



I have a problem with the Pedersen-VSS Discrete Logarithm based secret sharing protocol that I hope someone here could help me with. Forgive me and blame my ignorance if the problem I describe has already been solved, but as far as I could tell it appears to have been overlooked.

Background:

In Pedersen-VSS the shared secret x is never calculated. Instead, each of the n share holders Pi, 1 <= i <= n, generates an independent secret zi such that the sum of all zi equals x. Each share holder Pi splits zi into n shares sij, 1 <= j <= n, and transmits sij secretly to Pj. There are various methods for redistribution of the shares sij that leave the values zi unchanged.

The problem:

I am looking for a protocol for "redistribution" of the secrets zi that would leave x unchanged. Let z'i denote the secret owned by Pi after the redistribution. One requirement is that the redistribution must be done in such a way that knowledge of t-1 value pairs (zi,z'i) and the value zj will not reveal the value z'j.

The reason for this is that I need a method for dealing with the possibility that a share holder Pi might be compromised during the reconstruction of zi, and that the adversary thereby obtains the value zi and not just the set of sub shares sji given to Pi.

Practically, I am thinking of software implementations that are swapped to the hard drive at the critical moment etc. There are also protocols that reveal zi by having the share holders broadcast the secret shares sij in the event Pi gets corrupted, such as the DKG protocol proposed by Gennaro et al. (1999). An adversary that is able to block the communication of any share holder and intercept the communication of at least two share holders would only need to launch DoS attacks against each of the share holders in order, to obtain all of the values zi.

Citeseer context:
http://citeseer.nj.nec.com/context/7536/0
http://citeseer.nj.nec.com/context/1945661/0
http://citeseer.nj.nec.com/wong01verifiable.html

_______________________________________________
Cfrg mailing list
Cfrg@ietf.org
https://www1.ietf.org/mailman/listinfo/cfrg
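
The share structure from the Background paragraph, as an added example that is not part of the original post: it shows that a refresh of the sub-shares sij leaves every zi fixed, and that t broadcast sub-shares of one holder yield its zi. Assumptions: plain Shamir sharing without the Pedersen commitments, a single zero-sharing per holder standing in for a full refresh round, and a constructed modulus, n = 5, t = 3 and function names. It does not implement the redistribution of zi that the post asks for.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed parameter, not from the post)

def share(secret, n, t):
    """Shamir-share `secret` with a random degree t-1 polynomial; return {j: f(j)}."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {j: sum(c * pow(j, k, P) for k, c in enumerate(coeffs)) % P
            for j in range(1, n + 1)}

def reconstruct(points):
    """Lagrange-interpolate f(0) from a dict {j: f(j)} holding at least t points."""
    total = 0
    for j, y in points.items():
        num = den = 1
        for m in points:
            if m != j:
                num = num * (-m) % P
                den = den * (j - m) % P
        total = (total + y * num * pow(den, -1, P)) % P
    return total

def deal(n, t):
    """Each P_i picks z_i and sends s_ij to P_j. Returns (z, s) with s[i][j] = s_ij."""
    z = {i: secrets.randbelow(P) for i in range(1, n + 1)}
    s = {i: share(z[i], n, t) for i in z}
    return z, s

def refresh(s, n, t):
    """Re-randomise every s_ij by adding a fresh sharing of zero; each z_i is unchanged."""
    return {i: {j: (s[i][j] + d) % P for j, d in share(0, n, t).items()} for i in s}

def demo(n=5, t=3):
    z, s = deal(n, t)
    x = sum(z.values()) % P  # formed here only for checking; the protocol never computes it
    # P_j's share of x is the sum of the sub-shares it received: x_j = sum_i s_ij
    x_shares = {j: sum(s[i][j] for i in s) % P for j in range(1, n + 1)}
    subset = {j: x_shares[j] for j in (1, 3, 5)}
    s2 = refresh(s, n, t)
    return {
        "x_from_t_shares": reconstruct(subset) == x,
        "refresh_changes_shares": s2 != s,
        "refresh_keeps_z": all(reconstruct({j: s2[i][j] for j in (2, 3, 4)}) == z[i] for i in z),
        # t broadcast sub-shares of P_1 (the recovery case in the post) give z_1 itself
        "broadcast_reveals_z1": reconstruct({j: s[1][j] for j in (1, 2, 3)}) == z[1],
    }

if __name__ == "__main__":
    print(demo())
```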