Re: Attack on Verifiable Secret Sharing scheme
From: David Wagner (daw_at_taverner.cs.berkeley.edu)
Date: 07/29/05
- Previous message: Crypto_at_S.M.S: "Re: Multiple Encryption (was a lot of things)"
- In reply to: Ann Brandon: "Re: Attack on Verifiable Secret Sharing scheme"
Date: Fri, 29 Jul 2005 03:55:18 +0000 (UTC)
Ann Brandon wrote:
>So, there are n parties P_1, ... , P_n and a dealer, who shares a secret
>x in a verifiable (t+1,n)-threshold manner. That means party P_i gets
>share s_i = f(i) from the dealer.
>Now the dealer is destroyed. Some time later a new party P_{n+1} wants
>to have a share s_{n+1}, so what to do now? The dealer can't do the job,
>because it is not available anymore.
>A possibility to solve this problem is that P_{n+1} chooses a set of
>(t+1) parties T. Each party P_i of T sends the value ss_i = l_i(n+1)*s_i
>(where l_i(n+1) is the Lagrange factor for polynomial interpolation for
>the value s_{n+1}) to P_{n+1}, who then can calculate her share as:
>s_{n+1} = \sum_{P_i \in T} ss_i.
>The problem with this scheme is now that the values l_i(n+1) are known
>to each party, so P_{n+1} can calculate the shares of all parties from T.
>If P_{n+1} is corrupted, then the adversary gets all shares from honest
>parties from T. This is a very big problem.
Can we do the following? Have each party of T, say party i, compute a
random t+1-out-of-n+1 verifiable sharing of zero, say
0 ---> (r_{i,1},..,r_{i,n+1}).
For j=1,..,n, send r_{i,j} to party j, who adds r_{i,j} to their share.
Also send l_i(n+1)*s_i + r_{j,n+1} to party n+1, whose share is the
sum of all of these quantities. Since this is a VSS, parties 1,..,n can
verify that each quantity r_{i,j} they receive is accurate, and after the
whole thing is finished, party n+1 can verify that their final share is
accurate. Does this work?
This requires O(t) broadcasts of messages of size O(t) (you would say
O(t^2) broadcasts of messages of size O(1)), along with O(tn) unicasts
of messages of size O(1).
BTW, the literature on "proactive security" may be relevant here.
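Added example, not code from either poster: Shamir sharing over a prime field, the leak in the naive redistribution quoted above (P_{n+1} divides each ss_i by the public l_i(n+1)), and the zero-sharing re-randomisation proposed in the reply. The field modulus, the (t, n) parameters and the secret are assumed values; the VSS commitments used for verification are omitted, so only the share arithmetic is shown.

```python
# Constructed example: Shamir shares over GF(P), naive vs. masked redistribution.
import secrets

P = 2**127 - 1  # assumed prime field modulus

def lagrange_at(xs, x, i):
    """Lagrange coefficient l_i(x) so that f(x) = sum_i l_i(x) * f(x_i)."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * (x - j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P

def share(secret, t, n):
    """Random degree-t polynomial with f(0) = secret; shares are f(1..n)."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P
            for i in range(1, n + 1)}

def reconstruct(shares):
    """Interpolate f(0) from any t+1 shares {i: f(i)}."""
    xs = list(shares)
    return sum(lagrange_at(xs, 0, i) * s for i, s in shares.items()) % P

def naive_redistribute(shares, T, new_id):
    """Each P_i in T sends ss_i = l_i(new_id)*s_i; P_{new_id} sums them."""
    ss = {i: lagrange_at(T, new_id, i) * shares[i] % P for i in T}
    return sum(ss.values()) % P, ss

def leak_from_ss(ss, T, new_id):
    """What a corrupt P_{new_id} learns: l_i(new_id) is public and invertible."""
    return {i: v * pow(lagrange_at(T, new_id, i), -1, P) % P for i, v in ss.items()}

def masked_redistribute(shares, T, t, new_id):
    """Wagner's fix: every P_i in T adds a fresh (t+1)-of-(n+1) sharing of zero.
    P_j (j <= n) adds r_{i,j} to its share; P_{new_id} receives only the
    masked value l_i(new_id)*s_i + r_{i,new_id}, so s_i stays hidden."""
    n = len(shares)
    new = dict(shares)
    s_new = 0
    for i in T:
        r = share(0, t, new_id)                # zero-sharing g_i, g_i(0) = 0
        for j in range(1, n + 1):
            new[j] = (new[j] + r[j]) % P       # party j adds r_{i,j}
        s_new = (s_new + lagrange_at(T, new_id, i) * shares[i] + r[new_id]) % P
    new[new_id] = s_new                        # new polynomial f + sum_i g_i
    return new
```

After masking, any t+1 of the n+1 shares still reconstruct the original secret, while the values P_{n+1} receives no longer determine any s_i.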