Provably secure verifiable multi‐stage secret sharing scheme based on monotone span program
2017; Institution of Engineering and Technology; Volume: 11; Issue: 6; Language: English
10.1049/iet-ifs.2017.0111
ISSN 1751-8717
Authors: Samaneh Mashhadi, Massoud Hadian Dehkordi, Niloofar Kiamari
Topic(s): Blockchain Technology Applications and Security
IET Information Security, Volume 11, Issue 6, p. 326-331, Research Article
Samaneh Mashhadi (corresponding author, smashhadi@iust.ac.ir), Massoud Hadian Dehkordi, Niloofar Kiamari
Cryptography and Data Security Laboratory, Department of Mathematics, Iran University of Science & Technology, Narmak, Tehran, 16846-13114 Iran
First published: 01 November 2017
https://doi.org/10.1049/iet-ifs.2017.0111

Abstract

In a multi-secret sharing (MSS) scheme, a dealer distributes multiple secrets among a set of participants, each of them according to an access structure. In this study, the authors propose a novel linear MSS with computational verifiability that provides many functions for practical applications in comparison with the previous works focusing on MSS schemes in the general scenario. This scheme has the same advantages as previous schemes; moreover, it is verifiable and multi-use secret sharing. Furthermore, in this scheme the secret reconstruction is according to the dealer's preassigned order. Also, they prove the security of the authors' scheme in the standard model.

1 Introduction

A general access structure secret sharing scheme is a protocol by means of which a dealer distributes a secret s among a set of participants in such a way that only authorised subsets of can reconstruct the value of s whereas any other subset of , non-qualified to know s, cannot determine anything about the value of the secret. The first proposed secret sharing schemes by Shamir [1] and by Blakley [2] have threshold access structures, i.e. the qualified subsets are those having at least a certain number of participants. Threshold schemes [1, 2] have the implicit assumption that all participants in the scheme have the same level of power or influence. However, there exist many situations in which all of the participants do not have the same power or the same probability to be dishonest. In these cases, secret sharing based on the general access structure is required [3-5].

Verifiable secret sharing (VSS) scheme is a secret sharing scheme dealing with possible cheating by the dealer and the participants.
VSS is known to play important roles in various cryptographic protocols such as the multiparty protocols [6, 7] and key-escrow cryptosystems [8]. In the literature, VSS schemes are categorised based on the adversarial computational power: computational VSS schemes [9-16] and unconditional VSS schemes [5, 17-19]. In the former, the adversary is computationally bounded by a security parameter, while in the latter the adversary may possess unbounded computational power. Naturally, the computational VSS schemes are significantly more practical and efficient in terms of message and communication complexities as compared to the unconditional (information-theoretic) schemes.

Multi-secret sharing (MSS) scheme extends secret sharing scheme, in which multiple secrets are distributed among the participants according to an access structure for each of them. There are two types of MSS schemes with respect to the secret reconstruction process: the multi-stage secret sharing (MSSS) scheme and the general MSS (GMSS) scheme, and each of them can be useful depending on the situation. In a GMSS scheme, all of the secrets are reconstructed synchronously [10, 11, 17, 20, 21], while in an MSSS scheme it is possible to reconstruct only one secret in each stage [22-28].

MSSS is also divided into two types. In the first type (MSSST1), secrets are reconstructed without any predefined order, e.g. the schemes [23-25]. In the second type (MSSST2), the secret reconstruction must be executed stage by stage in a special order previously defined by the dealer, e.g. [22, 26, 28]. MSSST1 schemes are very useful for situations where different runs of a secret task (like signature or decryption) may have different levels of importance or security. Besides, in real-world applications, MSSST2 schemes are very practical. For example, there may be a security system for a bank's confidential database where one must pass through checkpoints before the database can be accessed. To distribute the power of a single authority and the security policy, the checkpoints should be opened and passed in sequence by at least t participants together. If the checkpoints (secrets) do not follow the proper order, it will harm the security of the system.

1.1 Motivation and contribution

Different models and definitions of verifiable MSS schemes have been proposed for the threshold scenario [9, 11, 13-16, 19]. However, to the best of our knowledge, until now, linear MSS (LMSS) schemes with general access structure, such as [4, 5, 18, 29-31]:
- Are mostly MSSST1.
- Do not have computational verification property for dealer and participants.
- The share is not reusable when the shared secrets are reconstructed.
- Do not have formal proof.

To bridge these gaps, we propose a new LMSS scheme that has the following properties:
(i) Have general access structure.
(ii) The secrets are reconstructed stage by stage in predefined order (MSSST2).
(iii) Have computational verification property for dealer and participants (verifiable MSS).
(iv) The share is reusable when all of the shared secrets are reconstructed (multi-use).
(v) Is provably secure in the standard model.

Moreover, other linear secret sharing schemes can be improved by a similar algorithm to have the above advantages.

1.2 Organisation

This paper is organised as follows. Section 2 contains some preliminaries. We review the formal model of an MSSST2 scheme in Section 3. We present a new verifiable MSSST2 scheme in Section 4, and its security is analysed in Section 5. Finally, we give some comparative results in Section 6.

2 Preliminaries

In this section, we present some preliminary concepts. We first briefly review the definitions of monotone span program (MSP) and LMSS scheme. We then describe how multi-party computations (MPCs) are used to have multi-use secret sharing scheme. Finally, we review the formal model of a private-key encryption scheme.
2.1 Access structure

Definition 1. Given a set of participants , a monotone access structure on is a set of non-empty subsets of participants which is closed under upward-inclusion (monotone increasing) The sets in are called the authorised sets, and the sets not in are called the unauthorised sets. The set of the unauthorised sets is called an adversary structure , i.e. and is monotone decreasing. The set consists of minimal elements in and set consists of maximal elements in .

2.2 Monotone span program

MSP was introduced as a model of computation by Karchmer and Wigderson [32] in 1993.

Definition 2. An MSP with target vectors is a quadruple , where is a finite field, M is a matrix over is a surjective function.

Definition 3. is an MSP for an -tuple of access structures, if and only if for all the following holds. , if and only if there is a vector such that where denotes the restriction of M to rows jointly owned by A. Hence, , where is the space spanned by the row vectors of M distributed to according to .

2.3 LMSS scheme

In the following we show how any MSP can be used to build an LMSS scheme [30, 33]. Given an MSP , we can define an LMSS which tolerates the -tuple of access structures induced by MSP.

Distribution phase: The dealer D has secrets . He makes a distribution vector such that The dealer gives the i th component of to .

Reconstruction phase: For any authorised set , there exists such that . So (1) i.e. the participants in A can reconstruct the secret by computing a linear computation of their shares.

2.4 Multi-party computation

Secure MPC can be defined as the problem of t players to compute an agreed function of their inputs in a secure way, where security means guaranteeing the correctness of the output as well as the privacy of the players' inputs, even when some players cheat. Suppose the participants in a qualified set would like to compute where is the private input of , i.e. they execute an MPC protocol for additions, and at the end of the protocol:
- Every participant gets the correct result .
- Any participant knows nothing except the input and output .

An MPC protocol for additions can be designed as follows: randomly selects for and sets . Then secretly transmits to . locally computes and publishes . Finally, every participant computes . The security is guaranteed by Cramer et al. [34].

2.5 Private-key encryption scheme

A private-key encryption scheme is a tuple of such that:
- The randomised key-generation algorithm Gen takes as input a security parameter and outputs a random key k; .
- The randomised encryption algorithm Enc takes as input a key k and a plaintext message m, and outputs a random ciphertext c; .
- The deterministic decryption algorithm Dec takes as input a key k and a ciphertext c, and outputs a message m, such that

For correctness, must hold, for any k, m [10, 20].

2.5.1 Multiple-message eavesdropping indistinguishability experiment

Security of a private-key encryption scheme under eavesdropper attacks is defined by the following game between an adversary and a challenger [20]:

Game
(i) The challenger chooses a random bit
(ii) chooses the number of keys in the game.
(iii) The challenger runs times , to produce secret keys .
(iv) chooses tuples , and sends these queries to challenger, where and have the same length, for all , and is the number of challenges.
(v) The challenger runs and sends back to for .
(vi) outputs a bit .
(vii) The output of the game is defined to be 1 if , and 0 otherwise. We write if the output is 1 and in this case we say that succeeded.

A private-key encryption scheme has indistinguishable multiple encryptions in the presence of an eavesdropper (or is M.Eav-secure) in the computational scenario, if for any polynomial-time -adversary there exists a negligible function negl such that

3 Computational MSS schemes

In this section, we review the formal model of computational MSSS schemes [20].
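The constructions of Sections 2.3 and 2.4 put together, as an added example that is not code from the paper: an MSP-based linear multi-secret sharing over a prime field in which an authorised set reconstructs through the addition protocol, so participants exchange only random pieces of their weighted shares. The matrix `M_ROWS`, the choice of unit vectors as targets, the modulus `Q` and every function name are assumptions constructed for illustration; the verification and multi-stage parts of the scheme in Section 4 are not modelled.

```python
import secrets

# Constructed parameters (assumptions, not values from the paper).
Q = 2**61 - 1                      # prime modulus of the field
M_ROWS = [                         # row i of the MSP matrix belongs to participant i
    [1, 0, 1, 0],
    [0, 1, 1, 1],
    [0, 0, 1, 0],
    [0, 0, 0, 1],
]

def unit_target(k, d):
    """Target vector for secret k: the k-th unit vector (an assumed choice)."""
    return [int(i == k) for i in range(d)]

def distribute(rows, secret_values, q=Q):
    """Dealer: distribution vector = secrets then random padding; share_i = <row_i, vector>."""
    d = len(rows[0])
    rho = [s % q for s in secret_values]
    rho += [secrets.randbelow(q) for _ in range(d - len(rho))]
    return [sum(m * r for m, r in zip(row, rho)) % q for row in rows]

def solve_lambda(rows, target, q=Q):
    """Return lam with lam * rows == target (mod q), or None if target is outside the row span."""
    d, k = len(target), len(rows)
    # Solve A x = b with A = rows transposed (d x k) by Gauss-Jordan elimination mod q.
    aug = [[rows[j][i] % q for j in range(k)] + [target[i] % q] for i in range(d)]
    pivots, r = [], 0
    for c in range(k):
        p = next((i for i in range(r, d) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [x * inv % q for x in aug[r]]
        for i in range(d):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % q for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[k] for row in aug[r:]):     # a row reading 0 = nonzero: no solution
        return None
    lam = [0] * k                          # free variables stay 0
    for i, c in enumerate(pivots):
        lam[c] = aug[i][k]
    return lam

def secure_sum(inputs, q=Q):
    """Addition protocol of Section 2.4; returns (published partial sums, total)."""
    t = len(inputs)
    pieces = []                            # pieces[i][j]: sent privately from party i to party j
    for x in inputs:
        row = [secrets.randbelow(q) for _ in range(t - 1)]
        row.append((x - sum(row)) % q)     # last piece makes the row sum to x
        pieces.append(row)
    published = [sum(pieces[i][j] for i in range(t)) % q for j in range(t)]
    return published, sum(published) % q

def reconstruct(rows, shares, group, k, q=Q):
    """Members of `group` recover secret k, or get None if the group is not authorised for it."""
    lam = solve_lambda([rows[i] for i in group], unit_target(k, len(rows[0])), q)
    if lam is None:
        return None
    private_inputs = [l * shares[i] % q for l, i in zip(lam, group)]
    return secure_sum(private_inputs, q)[1]

if __name__ == "__main__":
    shares = distribute(M_ROWS, [111, 222])
    print(reconstruct(M_ROWS, shares, [0, 2], 0))      # authorised for the first secret
    print(reconstruct(M_ROWS, shares, [1, 2, 3], 1))   # authorised for the second secret
    print(reconstruct(M_ROWS, shares, [0, 1, 3], 0))   # authorised for neither
```

With this matrix the minimal authorised set differs per secret (participants 0 and 2 for the first, participants 1, 2 and 3 for the second), which is the general-access-structure behaviour the threshold schemes cannot express.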
3.1 Formal model of computational MSSST2

In an MSSST2, the dealer wants to share secrets , according to access structures , respectively, (such that , for ). The secrets are reconstructed stage-by-stage in special order . In the following, we will propose the definition of a CSA-secure computational MSSST2 and the game-based security definition model.

3.1.1 MSSS schemes

A computational MSSST2 is a tuple of such that:
- The setup algorithm Stp takes as input a security parameter , the set of participants and the different level access structures , such that , for and outputs some public and common parameters pms for the scheme; .
- The distribution algorithm Dist takes as input pms and the global secret to be shared, and generates the set of secret shares and possibly some public output ; .
- The reconstruction algorithm Rec takes as input pms , an index , a possible value for the th secret; and the shares of the participants in some subset and outputs a possible value for the j th secret; .

For correctness, we require that for any index and any subset , it holds .

3.1.2 Chosen secret attack indistinguishability experiment

We now define a game for any MSSS scheme , between an adversary and a challenger [10, 20].

Game
(i) The challenger chooses a random bit .
(ii) publishes the set of participants and access structures s.t. .
(iii) The challenger runs and sends pms to .
(iv) broadcasts a subset of corrupted participants.
(v) broadcasts two different global secrets with the following restriction: for all j s.t. .
(vi) The challenger runs and sends to .
(vii) outputs a bit .
(viii) The output of the game is defined to be 1 if , and 0 otherwise. We write if the output is 1 and in this case we say that succeeded.
An MSSS scheme has indistinguishability against chosen secret attacks (or is CSA-secure) in the computational scenario, if for any polynomial-time adversary there exists a negligible function negl such that

4 Verifiable linear MSSS scheme

Here we describe our verifiable linear MSSST2, , based on MSPs. In this scheme, a dealer D wants to share secrets among the participants of in such a way that:
- Secrets are reconstructed one by one in different stages in the dealer's predefined order .
- In the i th stage, every qualified subset of can reconstruct the value of whereas any other subset of , non-qualified to know , cannot determine the value of .
- It allows the honest participants to ensure that they can recover a unique secret in each stage.
- Each participant can check the validity of his share.
- Each participant can check the validity of other participants' shares.
- The share is reusable when all of the shared secrets are reconstructed (multi-use).

Moreover, other linear secret sharing schemes can be improved by a similar algorithm to have the above advantages.

4.1 Setup phase

Let denote the set of participants and q > n be a big prime number. The discrete logarithm problem is considered to be computationally intractable in . The dealer D wants to share secrets , among , according to the access structures , respectively. The secrets are reconstructed one by one in different stages, according to order to . D chooses a secure private-key encryption scheme . Each participant is assigned the value i. The public parameters are .

4.2 Distribution phase

- The dealer times , to produce secret keys .
- The dealer constructs an MSP in the following way:
  - Associate vectors , for positive integer d, to each participant such that , where , the space generated by vector .
  - Consider matrix , and the function .
  - Arbitrarily chooses target vectors for .
- The dealer considers a one-way function f (x) and chooses a random vector such that
- The dealer chooses a primitive element and computes for .
- Then he sends share to each participant through a private channel, where is the j th row of M.
- Finally, the dealer computes the values for and for .

The public output of the protocol is .

4.3 Verification of shares

Participant checks the following equation to verify whether his share is valid: (2)

4.4 Reconstruction phase

4.4.1 Reconstruction phase of

Suppose that in the first stage, participants in a qualified set would like to reconstruct secret .

1. Since and target vector , there exists a vector such that (3) Let .
2. Each participant chooses a random integer and broadcasts and his pseudo secret-shares .
   Verifiability of the shares in the reconstruction: Participant can check whether other participant 's share is valid by the following equation: (4)
3. All participants compute based on MPC (Section 2.4).
4. Participants in reconstruct by the following equation: (5)

4.4.2 Reconstruction phase of for

Suppose that in the i th stage, after reconstruction of the previous secrets, participants in a qualified set would like to reconstruct secret .

1. Since and target vector , there exists a vector such that (6) Let .
2. Each participant chooses a random integer and broadcasts and his pseudo secret-shares .
3. All participants compute based on MPC (Section 2.4).
   Verifiability of the shares in the reconstruction: Participant can check whether other participant 's share is valid by the following equation: (7)
4. Participants in reconstruct the secret by the following equation: (8)
5. They take from and compute .

5 Correctness and security

5.1 Correctness

The correctness of (5) is as follows. For any authorised set there exists a vector such that . So

Similarly, the correctness of (8) is as follows. For any authorised set there exists a vector such that . So

5.2 Verifiability

In this section, we determine the verifiability of our scheme in the following.

5.2.1 Verifiability of the distribution

Theorem 1. If accepts his share, then there exists a unique value such that .
Proof. Assume that the share of is equal to and dealer sends the value to . If accepts dealer's value , then which leads to , since . □

5.2.2 Verifiability of the shares in the reconstruction

Theorem 2. If accepts 's pseudo-secret share, then there exists a unique value such that

Proof. We have Suppose that sends the value in the reconstruction phase. If accepts 's value , then (9) which leads to , since . □

5.3 Security

Here, we are going to reduce the computational security of our scheme to the security of the underlying symmetric encryption scheme in the multi-user setting.

Theorem 3. For any adversary against the chosen secret attacks security of MSSST2, , that chooses corrupts participants in a set of n participants and chooses global secrets , there exists a adversary against the eavesdropper attacks security of private-key encryption scheme , such that

Proof. The proof is by reduction. Let be an adversary against the computational security of the described linear MSSST2 scheme . We are going to construct an adversary against the multiple eavesdropper attacks security of private-key encryption scheme , which will use as a sub-routine as follows:
- The challenger of the game , starts this game by choosing a random bit .
- starts the game by choosing the set of participants and access structures s.t. .
- acts as the challenger of the game and chooses a prime number q > n, and sends to .
- broadcasts a subset of corrupted participants such that .
- broadcasts two different global secrets with the following restriction: for any i s.t. . Let . Note that if , then .
- runs , to produce secret keys .
- constructs an MSP and considers a one-way function .
- chooses random vectors s.t. for .
- computes the shares , for all participants.
- chooses a primitive element and publishes for .
- computes the values for and for .
- defines the number of keys in the game .
- The challenger of game runs times , to produce secret keys .
- chooses tuples for and sends these queries to .
- The challenger runs and sends back to for .
- publishes and sends for to . In this way, is perfectly simulating an execution of the distribution protocol , where .
- outputs a bit as his final output (game ).
- outputs the same bit as his final output (game ).

Hence we have The second equality above is due to and . This completes the proof. □

5.3.1 Multi-stage feature

According to (8), participants in an authorised subset of must provide their shares and reconstruct the secret in the i th stage. Since f (x) is a one-way function, if they do not have the previous secret first, they cannot obtain the secret . For this reason, they must reconstruct the secrets in the special order: .

5.3.2 Multi-use scheme

We see that in the reconstruction phase of each secret , each participant uses his pseudo-secret share . According to the security of the MSP, and will never be revealed. So, can use in the reconstruction phase of other secrets. Hence, this scheme is a multi-use scheme.

6 Comparative results

In this section, we compare the basic properties in our scheme with other linear secret sharing schemes in the literature [4, 5, 18, 29-31]. The detailed summary of these schemes is given in Table 1. This scheme has the following properties:
- The secret is reconstructed stage by stage in a special order previously defined by the dealer. So, it is very practical. For example, there may be a security system for a bank's confidential database where one must pass through checkpoints before the database can be accessed. To distribute the power of a single authority and the security policy, the checkpoints should be opened and passed in sequence by a qualified set of participants. If the checkpoints (secrets) do not follow the proper order, it will harm the security of the system.
- Our scheme will not disclose participants' real secret share even after multiple secret reconstructions because every participant uses his pseudo-secret share for reconstructing secrets.
  So, it is a multi-use secret sharing.
- It is impossible for the dealer to cheat, since every participant can check the validity of his share.
- It is impossible for every participant to cheat, since everyone can check the validity of the pseudo-secret shares that they give.
- It is very practical when all of the participants do not have the same power or the same probability to be dishonest.
- It has indistinguishability against chosen secret attacks in the standard model. The authors of the previous linear MSS schemes [4, 18, 29-31] introduced new constructions of schemes without providing formal proofs of their schemes.

Table 1. Basic comparison between the linear secret sharing schemes

| Property | Hsu et al. [4, 29, 30] | Liu et al. [31] | Ma and Ding [18], Zhang and Zhang [5] | New |
|---|---|---|---|---|
| category of linear scheme | MSS | MSS | SS | MSS |
| category of MSS | MSSST1 | MSSST1 | — | MSSST2 |
| the share is multi-use when shared secrets are reconstructed | no | yes | no | yes |
| the secrets are reconstructed in predefined order | no | no | — | yes |
| secrets revealing order | any | any | — | predetermined |
| general access structure | yes | yes | yes | yes |
| have verification property for dealer | no | no | yes | yes |
| have verification property for participants | no | no | yes | yes |
| need secure channel | yes | yes | yes | yes |
| have indistinguishability against chosen secret attacks | no | no | no | yes |

Furthermore, considering computational complexity, we compare the proposed MSSST2 with the linear MSS schemes proposed in [4, 29, 30], and summarise the result in Table 2. For convenience, the following notations are used to analyse the computational complexity:
- is the time for one one-way function computation.
- is the time for one multiplication computation.
- is the time for one exponentiation computation.
- is the time for one inverse computation.

Table 2. Computational complexity of linear MSS schemes
Scheme Hsu et al. [29] Hsu et al. [4, 30] Proposed scheme setup — distribution verification — — reconstruction

7 References

[1] Shamir, A.: 'How to share a secret', Commun. ACM, 1979, 22, (11), pp. 612–613
[2] Blakley, G.R.: 'Safeguarding cryptographic keys'. Proc. AFIPS 1979 National Computer Conf., June 1979, pp. 313–317
[3] Das, A., Adhikari, A.: 'An efficient multi-use multi-secret sharing scheme based on hash function', Appl. Math. Lett., 2010, 23, pp. 993–996
[4] Hsu, C.-H., Cheng, Q., Tang, X. et al: 'An ideal multi-secret sharing scheme based on MSP', Inf. Sci., 2011, 181, pp. 1403–1409
[5] Zhang, J., Zhang, F.: 'Information-theoretical secure verifiable secret sharing with vector space access structures over bilinear groups and its application', Future Gener. Comput. Syst., 2015, 52, pp. 109–115
[6] Ben-Or, M., Goldwasser, Sh., Wigderson, A.: 'Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract)'. Symp. on Theory of Computing (STOC), 1988, pp. 1–10
[7] Chaum, D., Crepeau, C., Damgard, I.: 'Multiparty unconditionally secure protocols (extended abstract)'. Symp. on Theory of Computing (STOC), 1988, pp. 11–19
[8] Micali, S.: 'Fair public-key cryptosystems'. CRYPTO, 1992, pp. 113–138
[9] Chor, B., Goldwasser, Sh., Micali, S. et al: 'Verifiable secret sharing and achieving simultaneity in the presence of faults (extended abstract)'. Symp. on Foundations of Computer Science (FOCS), 1985, pp. 383–395
[10] Herranz, J., Ruiz, A., Sáez, G.: 'Sharing many secrets with computational provable security', Inf. Process. Lett., 2013, 113, pp. 572–579
[11] Eslami, Z., Kabiri Rad, S.: 'A new verifiable multi-secret sharing scheme based on bilinear maps', Wirel. Pers. Commun., 2012, 63, pp. 459–467
[12] Liu, Y.-X.: 'Efficient t-cheater identifiable (k, n) secret-sharing scheme for ', IET Inf. Sec., 2014, 8, pp. 37–41
[13] Mashhadi, S., Hadian, M.: 'Two verifiable multi secret sharing schemes based on nonhomogeneous linear recursion and LFSR public-key cryptosystem', Inf. Sci., 2015, 294, pp. 31–40
[14] Shao, J., Cao, Z.-F.: 'A new efficient (t, n) verifiable multi-secret sharing (VMSS) based on YCH scheme', Appl. Math. Comput., 2005, 168, pp. 135–140
[15] Tadayon, M., Khanmohammadi, H., Haghighi, M.: 'Dynamic and verifiable multi-secret sharing scheme based on Hermite interpolation and bilinear maps', IET Inf. Sec., 2015, 9, pp. 234–239
[16] Wu, T.-S., Tseng, Y.-M.: 'Publicly verifiable multi-secret sharing scheme from bilinear pairings', IET Inf. Sec., 2013, 7, pp. 239–246
[17] Lin, C., Harn, L.: 'Unconditionally secure verifiable secret sharing scheme', AISS: Adv. Inf. Sci. Serv. Sci., 2012, 4, pp. 514–518
[18] Ma, C., Ding, X.: 'Proactive verifiable linear integer secret sharing scheme'. Information and Communications Security, 2009 (LNCS, 5927), pp. 439–448
[19] Stinson, D.-R., Wei, R.: 'Unconditionally secure proactive secret sharing scheme with combinatorial structures, selected areas in cryptography', Selected Areas in Cryptography: SAC'99, 2000 (LNCS, 1758), pp. 200–214
[20] Mashhadi, S.: 'Computationally-secure multiple secret sharing: models, schemes, and formal security analysis', The ISC Int. J. Inf. Sec., 2015, 7, pp. 1–10
[21] Pang, L.-J., Wang, Y.-M.: 'A new (t, n) multi-secret sharing scheme based on Shamir's secret sharing', Appl. Math. Comput., 2005, 167, pp. 840–848
[22] Chang, T.-Y., Hwang, M.-S., Yang, W.-P.: 'A new multi-stage secret sharing scheme using one-way function', ACM SIGOPS Oper. Syst., 2005, 39, pp. 48–55
[23] Fatemi, M., Ghasemi, R., Eghlidos, T. et al: 'Efficient multistage secret sharing scheme using bilinear map', IET Inf. Sec., 2014, 8, pp. 224–229
[24] Harn, L.: 'Comment multistage secret sharing based on one-way function', Electron. Lett., 1995, 31, pp. 262
[25] He, J., Dawson, E.: 'Multistage secret sharing based on one-way function', Electron. Lett., 1994, 30, pp. 1591–1592
[26] Li, H.-X., Cheng, C.-T., Pang, L.-J.: 'An improved multi-stage (t, n)-threshold secret sharing scheme', WAIM, 2005 (LNCS, 3739), pp. 267–274
[27] Liu, Y.: 'Linear (k, n) secret sharing scheme with cheating detection', Sec. Commun. Netw., 2016, 9, pp. 2115–2121
[28] Mashhadi, S.: 'How to fairly share multiple secrets stage by stage', Wirel. Pers. Commun., 2016, 90, pp. 93–107
[29] Hsu, C.-H., Harn, L., Cui, G.: 'An ideal multi-secret sharing scheme based on connectivity of graphs', Wirel. Pers. Commun., 2014, 77, pp. 383–394
[30] Hsu, C.-H., Cui, G., Cheng, Q. et al: 'A novel linear multi-secret sharing scheme for group communication in wireless mesh networks', Netw. Comput. Appl., 2011, 34, pp. 464–468
[31] Liu, M., Xiao, L., Zhang, Z.: 'Linear multi-secret sharing schemes based on multi-party computation', Finite Fields Appl., 2006, 12, pp. 704–713
[32] Karchmer, M., Wigderson, A.: 'On span programs'. Proc. of the Eighth Annual Conf. on Structure in Complexity, San Diego, CA, 1993, pp. 102–111
[33] Mashhadi, S.: 'Secure publicly verifiable and proactive secret sharing schemes with general access structure', Inf. Sci., 2017, 378, pp. 99–108
[34] Cramer, R., Damgard, I., Maurer, U.: 'General secure multi-party computation from any linear secret sharing scheme'. Proc. of EUROCRYPT, 2000 (LNCS, 1807), pp. 316–334, Full version available from IACR eprint archive