Proceedings of CRYPTO 84 on Advances in cryptology
How to share a secret with cheaters
Journal of Cryptology
Efficient dispersal of information for security, load balancing, and fault tolerance
Journal of the ACM (JACM)
Optimal file sharing in distributed networks (preliminary version)
SFCS '91 Proceedings of the 32nd annual symposium on Foundations of computer science
Distributed fingerprints and secure information dispersal
PODC '93 Proceedings of the twelfth annual ACM symposium on Principles of distributed computing
On sharing secrets and Reed-Solomon codes
Communications of the ACM
Communications of the ACM
The Detection of Cheaters in Threshold Schemes
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
Generalized Secret Sharing and Monotone Functions
CRYPTO '88 Proceedings of the 8th Annual International Cryptology Conference on Advances in Cryptology
CRYPTO '92 Proceedings of the 12th Annual International Cryptology Conference on Advances in Cryptology
Verifiable secret sharing and achieving simultaneity in the presence of faults
SFCS '85 Proceedings of the 26th Annual Symposium on Foundations of Computer Science
Perfectly secure message transmission
SFCS '90 Proceedings of the 31st Annual Symposium on Foundations of Computer Science
Access Control and Signatures via Quorum Secret Sharing
IEEE Transactions on Parallel and Distributed Systems
Hi-index | 0.00 |
A well-known fact in the theory of secret sharing schemes is that shares must be of length at least as the secret itself. However, the proof of this lower bound uses the notion of information theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications).We present an m-threshold scheme, where m shares recover the secret but m - 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size |S|/m plus a short piece of information whose length does not depend on the secret size but just in the security parameter. (The bound of |S|/m is clearly optimal if the secret is to be recovered from m shares). Therefore, for moderately large secrets (a confidential file, a long message, a large data base) the savings in space and communication over traditional schemes is remarkable.The scheme is very simple and combines in a natural way traditional (perfect) secret sharing schemes, encryption, and information dispersal. It is provable secure given a secure (e.g., private key) encryption function.