Questions tagged [threshold-cryptography]

Threshold cryptography is the art of chopping a secret into little bits, so that the secret can only be learned by possessing more than a threshold number of those bits.

This is useful, for example, if you want to share a secret with a group of people (who each will receive/carry a part of the secret) and you want to make sure that no single individual can learn the secret unless two or more people combine their secret parts (depending on how many the threshold defines) to learn the secret. Practically, this can be found in military (and other) realms, where launch codes tend to be protected by threshold cryptography – so that no individual can initiate a launch, but when a launch-controller and his superior both enter their secret keys, that creates a combined and valid authorization code.

117 questions
21 votes, 3 answers

Why can't the commitment schemes have both information theoretic hiding and binding properties?

Commitment schemes like Pedersen's or hash-based ones have either information theoretic hiding and computational binding, or computational hiding and information theoretic binding. So can we ever get both information theoretic hiding and binding? Is…
15 votes, 4 answers

Why is Shamir Secret Sharing not secure against active adversaries out-of-the-box?

This linear secret sharing scheme allows us to share a secret between n parties, such that only an honest majority can reconstruct it. I understand that – because I do not allow the user to certify the authenticity of the shares nor the value they…
14 votes, 1 answer

Coefficients in Shamir's Secret Sharing Scheme

Sorry if this is a stupid question, but: in Shamir's scheme, we construct a polynomial and make our secret $S$ the zero-th coefficient $a_0$. What, if anything, necessitates this - in other words, can we include $S$ as $a_1$ or any other…
Chiffa
9 votes, 2 answers

post-quantum threshold secret sharing

I am looking for references for post-quantum threshold secret sharing schemes. I am especially interested in knowing whether any one based on one-way compressor functions or cryptographic hashes exist. The trivial secret sharing systems with $t=1$…
8 votes, 3 answers

How to forge a Shamir secret share?

On this website, we have a lot of questions and answers devoted to Shamir secret sharing. We make it clear that Shamir secret sharing does not guarantee integrity. When we want integrity, we need to use a verifiable threshold scheme. But it is never…
dusk
8 votes, 4 answers

Shamir's Secret Sharing vs. Asmuth-Bloom scheme

I need to make use of a secret sharing scheme and I don't really know how to decide which one to use, Shamir's or Asmuth-Bloom (using CRT). The complexity for recovering the secret seems to be linear in both cases and both schemes are perfectly…
Blub
8 votes, 1 answer

Does Ed25519 support cryptographic threshold signatures?

This is a loaded question so I'll list the concerns, not all of which need to be satisfied. Does there exist a threshold-signature scheme for Ed25519 that... Does not require a trusted dealer to set up the key shares (required) Does not require…
6 votes, 1 answer

Secure Secret Sharing to a Distributed Key

Setup There are two groups, $A$ and $B$. Each group is in a Shamir's secret sharing scheme ($t_A$ of $N_A$ and $t_B$ of $N_B$). Each group has a public key that is associated with the identity of the group. The corresponding private keys are…
Aman Grewal
6 votes, 1 answer

Is this distributed random oracle scheme safe?

This question comes from an issue raised in another question: Non interactive threshold signature without bilinear pairing (is it possible)? Is the proposed random oracle model safe when trying to output a distinct and random $m \times G = M$…
shumy
6 votes, 1 answer

How to construct a yes/no election protocol, such that only the result is revealed?

Can we use a threshold scheme to construct a (yes/no)-election protocol, such that every voter can give a positive or negative vote or he can abstain, and such that only the result of the election is revealed, but the number of positives, negatives…
user4252
6 votes, 1 answer

Elliptic curves with pairings at 128-bit security in libpbc?

I am using Ben Lynn's libpbc to implement a BLS threshold signature scheme and I am aiming for 128-bit security (i.e., a forgery attack should take around $2^{128}$ tries). I was wondering what curves in libpbc would provide this level of…
6 votes, 2 answers

Shamir's Secret Scheme : Knowing the threshold

If I am decoding a key by applying shares, is it possible to know when the threshold has been reached, and the secret revealed, without having to be told what the threshold is? Also, is it possible to determine if a share is a "valid" share (ie…
jmls
6 votes, 2 answers

An electronic voting system

This semester I am taking the course Cryptography. I will have a presentation about the topic "Voting Scheme". I am preparing myself by reading from the book “Cryptography : an Introduction” by N.Smart and I came across some points at which I am…
Mary Star
5 votes, 2 answers

Would EdDSA be broken by replacing H(R, A, M) with H(A, M)?

An EdDSA signature is (R, S) where R = r*B and S = r + H(R, A, M)*s. Notation from Wikipedia en.wikipedia.org/wiki/EdDSA. Given that the hash function H is indeed collision-resistant, would using S = r + H(A, M)*s be a secure variant? In the…
5 votes, 2 answers

Formal Proof of Shamir's Secret Sharing Scheme Security

Shamir's Secret Sharing scheme is perfectly secure. Could you please suggest where I can read a formal proof of Shamir's Secret Sharing scheme being perfectly secure?
Natwar