Germán Sáez

Forking Lemmas for Ring Signature Schemes

Pointcheval and Stern introduced in 1996 some forking lemmas useful to prove the security of a family of digital signature schemes. This family includes, for example, Schnorr’s scheme and a modification of ElGamal signature scheme.

Secret sharing schemes with bipartite access structure

We study the information rate of secret sharing schemes whose access structure is bipartite. In a bipartite access structure there are two classes of participants and all participants in the same class play an equivalent role in the structure. We characterize completely the bipartite access structures that can be realized by an ideal secret sharing scheme. Both upper and lower bounds on the optimal information rate of bipartite access structures are given. These results are applied to the particular case of weighted threshold access structure with two weights.

Secret Sharing Schemes with Detection of Cheaters for a General Access Structure

In a secret sharing scheme, some participants can lie about the value of their shares when reconstructing the secret in order to obtain some illicit benefit. We present in this paper two methods to modify any linear secret sharing scheme in order to obtain schemes that are unconditionally secure against that kind of attack. The schemes obtained by the first method are robust, that is, cheaters are detected with high probability even if they know the value of the secret. The second method provides secure schemes, in which cheaters that do not know the secret are detected with high probability. When applied to ideal linear secret sharing schemes, our methods provide robust and secure schemes whose relation between the probability of cheating and the information rate is almost optimal. Besides, those methods make it possible to construct robust and secure schemes for any access structure.

New Identity-Based Ring Signature Schemes

Identity-based (ID-based) cryptosystems avoid the necessity of certificates to authenticate public keys in a digital communications system. This is desirable, specially for these applications which involve a large number of public keys in each execution. For example, any computation and verification of a ring signature, where a user anonymously signs a message on behalf of a set of users including himself, requires to authenticate the public keys of all the members of the set.

Weighted threshold secret sharing schemes

In a secret sharing scheme, each participant receives a share of a secret in such a way that only authorized subsets can reconstruct the secret. The information rate of a secret sharing scheme is the ratio between the size of the secret and the size of the shares given to the participants. In a weighted threshold scheme each participant has his or her own weight. A subset of participants is authorized to reconstruct the secret if the sum of their weights is greater than or equal to the threshold. This paper deals with weighted threshold schemes, mainly the properties related to the information rate. A complete characterization of the access structures of weighted threshold schemes when all the minimal authorized subsets have at most two elements is presented. Lower bounds for the optimal information rate of these access structures are given.

On threshold self-healing key distribution schemes

Self-healing key distribution schemes enables a large and dynamic group of users to establish a group key over an unreliable network. A group manager broadcasts in every session some packet of information in order to provide a common key to members in the session group. The goal of self-healing key distribution schemes is that even if in a certain session the broadcast is lost, the group member can recover the key from the broadcast packet received before and after the session. This approach to key distribution is quite suitable for wireless networks, mobile wireless ad-hoc networks and in several Internet-related settings, where high security requirements need to be satisfied. In this work we provide a generalization of previous definitions in two aspects. The first one is to consider general monotone decreasing structures for the family of subsets of users that can be revoked instead of a threshold one. The objective of this generalization is to reach more flexible performances of the scheme. In the second one, the distance between the broadcasts used to supply the lost one is limited in order to shorten the length of the broadcast information by the group manager. After giving the formal definition of threshold self-healing key distribution schemes, we find some lower bounds on the amount of information used for the system. We also give a general construction that gives us a family of threshold self-healing key distribution schemes by means of a linear secret sharing scheme. We prove the security of the schemes constructed in this way and we analyze the efficiency.

Generation of key predistribution schemes using secret sharing schemes

In a key predistribution scheme a trusted authority distributes pieces of information among a set of users in such a way that users belonging to a specified privileged subset can compute individually a secret key common to this subset. In such a scheme, a family of forbidden subsets of users cannot obtain any information about the value of the secret. In this paper, we present a new construction of a key predistribution scheme using a family of vector space secret sharing schemes. The set of privileged users and the family of forbidden subsets is described in terms of the family of vector space access structures. A generalization using linear secret sharing schemes is given. We show that a particular case of this construction is any key predistribution scheme in which pieces of information and secrets are linear combinations of random numbers. Using this result, we show explicitly that the most important key predistribution schemes can be seen as a particular case of this construction. For this construction, the question of when given secrets can be predistributed is discussed.

Revisiting fully distributed proxy signature schemes

In a proxy signature scheme, a potential signer delegates his capabilities to a proxy signer, who can sign documents on behalf of him. The recipient of the signature verifies both identities: that of the delegator and that of the proxy signer. There are many proposals of proxy signature schemes, but security of them has not been considered in a formal way until the appearance of [2,8]. If the entities which take part in a proxy signature scheme are formed by sets of participants, then we refer to it as a fully distributed proxy signature scheme [4]. In this work, we extend the security definitions introduced in [2] to the scenario of fully distributed proxy signature schemes, and we propose a specific scheme which is secure in this new model.

New results and applications for multi-secret sharing schemes

In a multi-secret sharing scheme (MSSS),