Alfredo De Santis

Perfectly secure key distribution for dynamic conferences

Abstract In this paper we analyze perfectly secure key distribution schemes for dynamic conferences. In this setting, any member of a group of t users can compute a common key using only his private initial piece of information and the identities of the other t −1 users in the group. Keys are secure against coalitions of up to k users; that is, even if k users pool together their pieces they cannot compute anything about a key of any conference comprised of t other users. First we consider a noninteractive model where users compute the common key without any interaction. We prove the tight bound on the size of each users piece of information of[formula]times the size of the common key. Then, we consider the model where interaction is allowed in the common key computation phase and show a gap between the models by exhibiting a one-round interactive scheme in which the users information is only k + t −1 times the size of the common key. Finally, we present its adaptation to network topologies with neighbourhood constraints and to asymmetric (e.g., client-server) communication models.

Perfectly-Secure Key Distribution for Dynamic Conferences

A key distribution scheme for dynamic conferences is a method by which initially an (off-line) trusted server distributes private individual pieces of information to a set of users. Later any group of users of a given size (a dynamic conference) is able to compute a common secure key. In this paper we study the theory and applications of such perfectly secure systems. In this setting, any group of t users can compute a common key by each user computing using only his private piece of information and the identities of the other t - 1 group users. Keys are secure against coalitions of up to k users, that is, even if k users pool together their pieces they cannot compute anything about a key of any t-size conference comprised of other users.First we consider a non-interactive model where users compute the common key without any interaction. We prove a lower hound on the size of the users piece of information of (k+t-1 t-1) times the size of the common key. We then establish the optimality of this bound, by describing and analyzing a scheme which exactly meets this limitation (the construction extends the one in [2]). Then, we consider the model where interaction is allowed in the common key computation phase, and show a gap between the models by exhibiting an interactive scheme in which the users information is only k + t - 1 times the size of the common key. We further show various applications and useful modifications of our basic scheme. Finally, we present its adaptation to network topologies with neighborhood constraints.

Extended capabilities for visual cryptography

An extended visual cryptography scheme (EVCS), for an access structure (ΓQual,ΓForb) on a set of n participants, is a technique to encode n images in such a way that when we stack together the transparencies associated to participants in any set X∈ΓQual we get the secret message with no trace of the original images, but any X∈ΓForb has no information on the shared image. Moreover, after the original images are encoded they are still meaningful, that is, any user will recognize the image on his transparency. The main contributions of this paper are the following: • A trade-off between the contrast of the reconstructed image and the contrast of the image on each transparency for (k,k)-threshold EVCS (in a (k,k)-threshold EVCS the image is visible if and only if k transparencies are stacked together). This yields a necessary and sufficient condition for the existence of (k,k)-threshold EVCS for the values of such contrasts. In case a scheme exists we explicitly construct it. • A general technique to implement EVCS, which uses hypergraph colourings. This technique yields (k,k)-threshold EVCS which are optimal with respect to the pixel expansion. Finally, we discuss some applications of this technique to various interesting classes of access structures by using relevant results from the theory of hypergraph colourings.

Noninteractive zero-knowledge

This paper investigates the possibility of disposing of interaction between prover and verifier in a zero-knowledge proof if they share beforehand a short random string.Without any assumption, it i...

How to share a function securely

We define the primitive of function sharing, a functional analog of secret sharing, and employ it to construct novel cryptosystems. The basic idea of function sharing is to split a hard to compute (trapdoor) function into shadow functions (or share-functions). The intractable function becomes easy to compute at a given point value when given any threshold (at least t out of i) of shadow functions evaluations at that point. Otherwise, the function remains hard. Furthermore, the function must remain intractable even after exposing up to t— 1 shadow functions and exposing values of all shadow functions at polynomially many inputs. The primitive enables the distribution of the power to perform cryptography (signature, decryption, etc.) to agents. This enables the design of various novel cryptosystems with improved integrity, availability and security properties. Our model should be contrasted with the model of secure function evaluation protocols. We require no channeIs between agents holding the shadow functions, as the agents act non-interactively on a publicly available input. Our security solely relies on secure memories (and results) as in regular cr yptosyst ems. In secure function evaluation, on the other hand, it is necessary to have private/ secured bilateral channels, interactive protocol, and security of all inputs – in addition to secure memories. *Dip. di Informatica ed Applicazioni Universit& di Salerno, Baronissi (SA), Italy. t Dept. of EE&CS, Univ. of Wisconsin Milwaukee, WI. Partially supported by NSF Grant NCR-9106327.

Visual cryptography for grey level images

GTE Laboratories Incorporated, Waltham, MA.

On the Size of Shares for Secret Sharing Schemes

IBM T. J. Watson Research Center, Yorktown Heights, NY. Permission to co y without fee all or part of this material is x granted provide that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appear, and notice is given that copying is by permission of the Association of Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. STOC 945/94 Montreal, Quebec, Canada . @ 1994 ACM 0-89791 -663-8194/0005...

Graph decompositions and secret sharing schemes

3.50

Improved Schemes for Visual Cryptography

Visual cryptography is a cryptographic paradigm introduced by Naor and Shamir [Lecture Notes in Comput. Sci., Vol. 950, Springer, Berlin, 1995, p. 1]. Some predefined set of participants can decode a secret message (a black and white image) without any knowledge of cryptography and without performing any cryptographic computation: Their visual system will decode the message. In this paper we define and analyze visual cryptography schemes for grey level images whose pixels have g grey levels ranging from 0 (representing a white pixel) to g 1 (representing a black pixel). Moreover, we give a necessary and sufficient condition for such schemes to exist.

Constructions and Bounds for Visual Cryptography

A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of partecipants can recover the secret, but any non-qualified subset has absolutely no information on the secret. The set of all qualified subsets defines the access structure to the secret. Sharing schemes are useful in the management of cryptographic keys and in multy-party secure protocols.We analyze the relationships among the entropies of the sample spaces from which the shares and the secret are chosen. We show that there are access structures with 4 participants for which any secret sharing scheme must give to a participant a share at least 50% greater than the secret size. This is the first proof that there exist access structures for which the best achievable information rate (i.e., the ratio between the size of the secret and that of the largest share) is bounded away from 1. The bound is the best possible, as we construct a secret sharing scheme for the above access structures which meets the bound with equality.