[Cryptography] About Secret Sharing Schemes and a Question

Bill Cox waywardgeek at gmail.com
Mon Jun 3 14:06:56 EDT 2019


On Mon, Jun 3, 2019 at 8:39 AM Osman Kuzucu <bizbucaliyiz at hotmail.com>
wrote:

>
> Also, as for the application of the scheme, I wanted to ask one more
> situation. Assuming we have a secret *S* (a private key maybe?)
> distributed to *n* different secret share holders by using a secret
> sharing scheme, and we are periodically (say every month) producing data,
> namely *D1, D2, D3 ... Dn*. Our rule is, if *k* amount of people come
> together, they should be able to produce a data *Di*, which would be
> verifiable by the public that it was generated by at least *k* amount of
> share holders' collaboration. However, we do not want any share holder, or
> anyone from public to learn the actual secret *S*, so that no share
> holder, who contributed to the data production, will not be able to produce
> any other data *Di+1* in the future without other share holders' help. As
> far as I know, at all secret sharing schemes collaborating once is enough
> for share holders to learn the main secret *S* (in the case of the papers,
> it was almost an integer number). Is there a way that we could use, or
> maybe combine public-private viewkeys, or make the secret S some encrypted
> data, or any other thing that would allow such real life application?
>

Sure, you can use partially-homomorphic ElGamal threshold encryption based
on Shamir secret sharing.  You want to add a way for each member to prove
they did their end of the computation honestly, so you'll need some custom
zero-knowledge proofs.  There are frameworks for generating them for code
like this.  You can encrypt, decrypt, re-encrypt to a new public key, or
sign with such a scheme.  No member learns anything about the shared
secret, and every so often the group can re-key, so if an attacker has some
shares < t, those shares become useless.