Secret Sharing Schemes with Applications in Security Protocols

Preface A secret sharing scheme starts with a secret and then derives from it certain shares (or shadows) which are distributed to users. The secret may be recovered only by certain predetermined groups which belong to the access structure. Secret sharing schemes have been independently introduced by Blakley [12] and Shamir [134] as a solution for safeguarding cryptographic keys. Secret sharing schemes can be used for any situation in which the access to an important resource has to be restricted. We mention here the case of opening bank vaults or launching a nuclear missile. In the first secret sharing schemes only the number of the participants in the reconstruction phase was important for recovering the secret. Such schemes have been referred to as threshold secret sharing schemes. There are secret sharing schemes that deal with more complex access structures than the threshold ones. We mention here the weighted threshold secret sharing schemes in which a positive weight is associated to each user and the secret can be reconstructed if and only if the sum of the weights of the participants is greater than or equal to a fixed threshold, the hierarchical (or multilevel) secret sharing schemes in which the set of users is partitioned into some levels and the secret can be recovered if and only if there is an initialization level such that the number of the participants from this level or higher levels is greater than or equal to the initialization level threshold, the compartmented secret sharing schemes in which the set of users is partitioned into compartments and the secret can be recovered if and only if the number of participants from any compartment is greater than or equal to a compartment threshold and the total number of participants is greater than or equal to a global threshold. Ito, Saito, and Nishizeki [90], Benaloh and Leichter [9] have proposed constructions for realizing any monotone (i.e., if a group belongs to the access structure, so does a larger group) access iii iv structure. The schemes in which the unauthorized groups gain no information about the secret are referred to as perfect. Karnin, Greene, and Hellman [97] have proved, using the concept of entropy, that in any perfect threshold secret sharing scheme the shares must be at least as long as the secret and, later on, Capocelli, De Santis, Gargano, and Vaccaro [27] have extended this result to the …