[Cryptography] Kyber-448 and Dilithium-448

Jerry Leichter leichter at lrw.com
Sun Feb 5 15:47:41 EST 2023


> I have running code for a threshold key infrastructure but now people want Post Quantum and there is no PQC threshold scheme I can use yet. So I am going to need to use some form of hybrid....

There's an old paper that Josh Benaloh and I wrote about secret sharing that might actually be applicable to your situation.

A secret sharing structure on a set of participants is a collection of subsets of the power set of those participants that's monotonic:  If A is in the collection, and B is a superset of A, then B is also in the collection.  Thresholds - the sets in the collection are all those with at least k distinct members - are a special case.  But you can, for example, divide the individuals into two mutually exclusive groups G1 and G2 and construct a secret sharing structure that contains those sets that have at least one participant from G1 and also at least one from G2.  This is a perfectly reasonable way to share secrets, but it can't be implemented using threshold schemes.

In turn, those sets can be described using monotonic Boolean functions, which can be written using just AND and OR, with NOT.  So if we can implement shares for AND and OR, we're done.

But that's easy.  If we need to share a secret S (thought of as a bit string) with P1 OR P2 - i.e., either alone is sufficient - we give S to both P1 and P2.  If we want to require both P1 AND P2, we generate a fresh random value R, give R to P1 and R XOR S to P2.  Continue recursively.

This is unconditionally secure (assuming the R's are indeed random and as long as the secrets that get built up).  It's not very practical for large numbers of participants, but for the examples you give - which, in fact, don't particularly fit a threshold scheme anyway - it might do the trick.

                                                        -- Jerry
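
The AND/OR construction described in the message above, as an added example that is not part of the original message or of the paper it mentions. It generalizes the two-party AND to any number of branches; the formula encoding as nested tuples, the function names and the participant names are assumptions made for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def deal(secret, formula, shares=None, path=()):
    """Split `secret` per a monotone AND/OR formula.
    Returns {participant: {path_in_formula: piece}}."""
    shares = {} if shares is None else shares
    if isinstance(formula, str):              # leaf: hand the piece to this participant
        shares.setdefault(formula, {})[path] = secret
        return shares
    op, *children = formula
    if op == "OR":                            # either alone suffices: each branch gets the value
        pieces = [secret] * len(children)
    elif op == "AND":                         # all needed: fresh random pads, last = S XOR pads
        pieces = [secrets.token_bytes(len(secret)) for _ in children[1:]]
        last = secret
        for pad in pieces:
            last = xor(last, pad)
        pieces.append(last)
    else:
        raise ValueError(f"unknown gate {op!r}")
    for i, (child, piece) in enumerate(zip(children, pieces)):
        deal(piece, child, shares, path + (i,))   # continue recursively
    return shares

def recover(formula, held, path=()):
    """Rebuild the secret from `held` (shares of those present), or None if unauthorized."""
    if isinstance(formula, str):
        return held.get(formula, {}).get(path)
    op, *children = formula
    parts = [recover(c, held, path + (i,)) for i, c in enumerate(children)]
    if op == "OR":
        return next((p for p in parts if p is not None), None)
    if any(p is None for p in parts):         # AND gate with a missing branch
        return None
    out = parts[0]
    for p in parts[1:]:
        out = xor(out, p)
    return out

# Constructed policy: at least one member of G1 AND at least one member of G2.
POLICY = ("AND", ("OR", "alice", "bob"), ("OR", "carol", "dave"))

if __name__ == "__main__":
    s = secrets.token_bytes(16)
    shares = deal(s, POLICY)
    pick = lambda *names: {n: shares[n] for n in names}
    print(recover(POLICY, pick("alice", "dave")) == s)   # one from each group
    print(recover(POLICY, pick("alice", "bob")))         # G1 only
```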

