Threshold secret sharing with hidden access structures

Information

  • Patent Grant
  • Patent Number
    12,362,920
  • Date Filed
    Thursday, May 19, 2022
  • Date Issued
    Tuesday, July 15, 2025
Abstract
Cryptographic sharing of a cryptographic secret among multiple parties is provided in which a share of the cryptographic secret is generated for each party. Multiple threshold access structure tokens are also generated for each party of the multiple parties. The threshold access structure tokens for a party are generated from one or more random token polynomials selected from a finite field based on the numbers of parties capable of attempting to reconstruct the cryptographic secret. The share of the cryptographic secret and the multiple threshold access structure tokens generated for each party are distributed to the corresponding party. At least a threshold number of the parties can reconstruct the cryptographic secret using their shares of the cryptographic secret and the threshold access structure tokens corresponding to the number of parties attempting the reconstruction, while fewer than the threshold number of parties cannot reconstruct the cryptographic secret.
Description
SUMMARY

The described technology provides cryptographic sharing of a cryptographic secret among multiple parties. A share of the cryptographic secret is generated for each party of the multiple parties. Multiple threshold access structure tokens are generated for each party of the multiple parties, the threshold access structure tokens being generated for a party from one or more random token polynomials selected from a finite field based on numbers of the multiple parties capable of attempting to reconstruct the cryptographic secret. The share of the cryptographic secret and the multiple threshold access structure tokens generated for each party are distributed to the corresponding party, wherein at least a threshold number of the parties can reconstruct the cryptographic secret using the shares of the cryptographic secret and threshold access structure tokens corresponding to at least a threshold number of the parties attempting to reconstruct the cryptographic secret and less than the threshold number of the parties cannot reconstruct the cryptographic secret using the shares of the cryptographic secret and the threshold access structure tokens corresponding to the less than the threshold number of the parties.


This summary is provided to introduce a selection of concepts in a simplified form that is further described below in the Detailed Description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.


Other implementations are also described and recited herein.





BRIEF DESCRIPTIONS OF THE DRAWINGS


FIG. 1 illustrates example threshold secret sharing with hidden access structures.



FIG. 2 illustrates example operations for secret sharing process.



FIG. 3 illustrates an example secret sharing system.



FIG. 4 illustrates example operations for secret reconstruction process.



FIG. 5 illustrates an example secret reconstruction system.



FIG. 6 illustrates an example computing device for implementing the features and operations of the described technology.





DETAILED DESCRIPTIONS

Generally, secret sharing refers to cryptographic methods for taking a secret (e.g., a cryptographic key), breaking it up into multiple shares, and distributing the shares among multiple parties, so that only when the parties bring together their respective shares can the secret be reconstructed. More specifically, with threshold secret sharing, the holder of a secret, sometimes referred to as the dealer, creates n shares of a secret and defines a threshold t for the number of shares that are required to reconstruct the secret. The dealer then proceeds to distribute the n shares, so they are controlled by n different parties, and at least t of those parties are required to reconstruct the secret. Threshold secret sharing may be used, for example, to ensure that a required number of authorized parties agree to complete a large money transfer, launch nuclear missiles, or access a top-secret database.


In a secure secret sharing scheme, an attacker that gains access to fewer shares of the secret than the threshold t learns no information about the secret. More generally, a secret sharing scheme allows a dealer to share a secret so that exactly the authorized subsets of parties, as specified by an access structure, can reconstruct the secret.


In addition to the shares of the secret, the described technology enhances secure secret sharing by having the dealer also distribute threshold access structure tokens to the parties. In this manner, a subset of the n parties that is attempting to reconstruct the secret can successfully reconstruct the secret if the subset numbers at least the threshold t number of parties using their respective shares and their access structure tokens corresponding to the number of parties in the subset. In contrast, a subset of the n parties that is attempting to reconstruct the secret cannot successfully reconstruct the secret if the subset numbers less than the threshold t number of parties using their respective shares and their access structure tokens corresponding to the number of parties in the subset. Furthermore, the threshold t is hidden (e.g., not known by the n parties or other parties), being securely encoded in the threshold access structure tokens. In this manner, a dealer may share a secret among n parties in such a way that an adversary (including potentially one of the n parties) will not know the threshold number of parties that need to be compromised in order to obtain the secret.



FIG. 1 illustrates example threshold secret sharing with hidden access structures. A dealer 100 holds a secret 102, such as a cryptographic key, that the dealer 100 wishes to share amongst multiple parties 104 (e.g., n parties P). For example, the dealer 100 splits the cryptographic key (secret 102) required to approve large money transfers into n shares s_i, for i = 1, …, n, and distributes the shares s_i to n corporate officers who are authorized to approve such transactions. Further, only a subset of at least t parties is required to approve such transactions, where 1 ≤ t ≤ n. As such, in FIG. 1, t = 4, so only four parties are required to generate a reconstructed secret 106 (i.e., a reconstructed copy of the secret 102) and thus approve the transaction.


Generally, reconstruction involves multiple parties coming together with their respective shares of the secret. In the case of threshold secret sharing, at least a threshold number of the parties is required to reconstruct the secret. Fewer parties than the threshold are not authorized to reconstruct the secret, and therefore an attempt to reconstruct the secret with fewer than the threshold number of parties fails. An example secret reconstruction process selects the unique polynomial s(X) of degree ≤ r−1 such that s(i) = s_i for all i ∈ S and returns s(0) as the reconstructed secret κ, where S indexes the parties attempting the reconstruction and r = |S| is their number. In an example hidden access structure implementation, the threshold is not known to the parties P but is enforced by an authorization testing operation that evaluates the access structure tokens associated with each party alongside their shares.


However, a malicious actor (or adversary, which is potentially one of the parties P) may attempt to compromise the security of the transaction by obtaining the shares of one or more other parties. In such an activity, the adversary has an advantage if he or she knows the threshold t, as it specifies the minimum number of shares that must be obtained in order to reconstruct the secret 102 as the reconstructed secret 106. When the threshold number t is known, an adversary will be able to better plan the attack by identifying t vulnerable parties among the parties P before carrying it out. As a result, the targeted parties have less time to discover and respond to the attack. However, when the threshold t is not known, the risk to the adversary increases. If the adversary is only able to attack four of the six parties, for example, it is riskier to carry out the attack because if the threshold is higher than four, then the attack fails and may alert the parties to the attack. On the other hand, it might take a lot more time and effort for the adversary to compromise all six parties (which would guarantee success). As such, when the threshold number is small, hiding t conceals this fact, and thus conceals that the secret is an "easy" target. Accordingly, hiding the threshold t from malicious actors presents security advantages.


In one implementation, this hiding is effected, at least in part, by generating multiple threshold access structure tokens for each party of the multiple parties and communicating the secret share and the multiple threshold access structure tokens to each corresponding party. The described technology is disclosed herein both with formal notation and proofs and with a narrative technical description.


As for the formal notation, the following definitions are presented.


Definition 1 (Access Structure) Let P = {P_1, …, P_n} be a set of parties. A collection Γ ⊆ 2^P is monotone if A ∈ Γ and A ⊆ B ⊆ P imply that B ∈ Γ. An access structure Γ ⊆ 2^P is a monotone collection of non-empty subsets of P. Subsets in Γ are called authorized, and subsets not in Γ are called unauthorized.


Definition 2 (Threshold Access Structure) A threshold access structure Γ is an access structure that contains all subsets of P of size ≥ t for some fixed t, i.e.

$$\Gamma = \{A \subseteq P : |A| \ge t\}.$$


Definition 3 (Perfect Secret Sharing Scheme with Hidden Access Structures) A perfect secret sharing scheme with hidden access structures with respect to a collection of access structures 𝒜, a set of n parties P = {P_1, …, P_n}, and a set of secrets 𝒦, consists of a pair of polynomial-time algorithms (Share, Recon), where:

    • Share is a randomized algorithm that gets a secret κ ∈ 𝒦 and an access structure Γ ∈ 𝒜 as inputs, and outputs n aggregated shares, {Π_1(Γ,κ), …, Π_n(Γ,κ)}, of κ,
    • Recon (referring to reconstruction) is a deterministic algorithm that gets as input the aggregated shares of a subset A ⊆ P, denoted by Π_A(Γ,κ), and outputs an element of 𝒦 ∪ {⊥},


      such that the following four conditions are satisfied:
    • 1. Perfect Authorization Verification: for all secrets κ ∈ 𝒦 and every subset A ⊆ P,

      Recon(Π_A(Γ,κ)) ≠ ⊥ if A ∈ Γ,
      and
      Recon(Π_A(Γ,κ)) = ⊥ if A ∉ Γ,
    • 2. Perfect Correctness: for all secrets κ ∈ 𝒦 and every authorized subset A ∈ Γ,

      Recon(Π_A(Γ,κ)) = κ,
    • 3. Perfect Secrecy: for every unauthorized subset A ∉ Γ and all secrets κ_1, κ_2 ∈ 𝒦, the distributions Π_A(Γ,κ_1) and Π_A(Γ,κ_2) are identical, and
    • 4. Perfect Access Structure Hiding: for every unauthorized subset A ∉ Γ, every access structure Γ′ ∈ 𝒜 with A ∉ Γ′ and all secrets κ ∈ 𝒦, the distributions Π_A(Γ,κ) and Π_A(Γ′,κ) are identical.


Given an access structure Γ and the parties P, the dealer 100 can generate a set of access structure tokens ω_i for each party P_i in P, such that any authorized subset of parties can use their sets of access structure tokens to identify themselves as members of the access structure Γ.


Relying on this notation and the accompanying definitions, the described technology provides a sharing function that allows the dealer 100 to allocate shares (e.g., a set of n aggregated shares {Π_1(Γ,κ), …, Π_n(Γ,κ)}) of a secret 102 (e.g., a secret κ ∈ 𝒦) to the parties 104 (e.g., a set of n parties P = {P_1, …, P_n}). The dealer 100 also uses an access structure Γ ∈ 𝒜 to define the authorized subsets of parties capable of authorized reconstruction of the secret 102. Using an access structure encoding operation (e.g., based on an Access Structure Encoding Scheme or ASES), the dealer 100 can generate a set of access structure tokens ω_i for each party P_i in P. As shown in FIG. 1, the dealer 100 then distributes the secret shares and the sets of access structure tokens to the parties P, and a subset of the parties can then generate the reconstructed secret 106. The number of parties required in this subset (e.g., the threshold t) to reconstruct the secret 102, however, is encoded in the access structure tokens and is therefore inaccessible to an outside party and to the parties themselves.


An example threshold secret sharing scheme with hidden access structures may be implemented based on the following concepts.


Let P = {P_1, P_2, …, P_n} be the set of parties, and let 𝒜 = {Γ_t : 1 ≤ t ≤ n} be a collection of access structures, where Γ_t = {A ⊆ P : |A| ≥ t}. Let the set of secrets be 𝒦 = 𝔽_{ℓ^α}, where ℓ is prime and 𝔽_{ℓ^α} is the finite field with ℓ^α elements; let 𝔽_{ℓ^β} ⊂ 𝔽_{ℓ^α} be a proper subfield (so β is a proper divisor of α) with ℓ^β > n; and fix an injection ι: {1, 2, …, n} → 𝔽_{ℓ^β}\{0} ⊂ 𝔽_{ℓ^α}. The injection ι is used to identify elements of the set {1, 2, …, n} with elements of 𝔽_{ℓ^β}\{0}; below, i stands for ι(i) whenever an element of {1, …, n} is used as a field element (as an evaluation point, or in a factor X − i). The condition ℓ^β > n guarantees that n distinct nonzero subfield points exist.


Lemma 1 Let 1 ≤ k ≤ n and p(X) = p_{k−1}X^{k−1} + … + p_0 ∈ 𝔽_{ℓ^α}[X] be a polynomial of degree k−1. Let S ⊂ {1, 2, …, n} be a subset of size k−1 and q(X) ∈ 𝔽_{ℓ^α}[X] be the unique polynomial of degree ≤ k−2 such that q(i) = p(i) for all i ∈ S. Then q(0) ≠ p(0). Furthermore,

    • (i) if p_{k−1} ∈ 𝔽_{ℓ^β} and p(0) = p_0 ∈ 𝔽_{ℓ^β}, then q(0) ∈ 𝔽_{ℓ^β};
    • (ii) if p_{k−1} ∈ 𝔽_{ℓ^β} and p(0) = p_0 ∉ 𝔽_{ℓ^β}, then q(0) ∉ 𝔽_{ℓ^β};
    • (iii) if p_{k−1} ∉ 𝔽_{ℓ^β} and p(0) = p_0 ∈ 𝔽_{ℓ^β}, then q(0) ∉ 𝔽_{ℓ^β}.


Proof. If q(0)=p(0), then the polynomials p(X) and q(X) agree on the k points in the set S∪{0}. Since both p(X) and q(X) have degree≤k−1, then p(X)=q(X). But p(X) has degree k−1 by assumption, while the degree of q(X) is ≤k−2, a contradiction.


Next, since p(X) and q(X) agree on the k−1 points in S and the polynomial p(X) − q(X) has degree exactly k−1,

$$p(X) - q(X) = p_{k-1}\prod_{i\in S}(X - i).$$

It follows that

$$q(0) = p(0) - p_{k-1}\prod_{i\in S}(-i).$$

Because every i ∈ S is a nonzero element of the subfield, the product ∏_{i∈S}(−i) is a nonzero element of 𝔽_{ℓ^β}. In case (i), since p(0) ∈ 𝔽_{ℓ^β} and p_{k−1} ∈ 𝔽_{ℓ^β} implies p_{k−1}∏_{i∈S}(−i) ∈ 𝔽_{ℓ^β}, their difference q(0) ∈ 𝔽_{ℓ^β}. In case (ii), since p(0) ∉ 𝔽_{ℓ^β} and p_{k−1} ∈ 𝔽_{ℓ^β} implies p_{k−1}∏_{i∈S}(−i) ∈ 𝔽_{ℓ^β}, their difference q(0) ∉ 𝔽_{ℓ^β}. Case (iii) is similar, since p_{k−1} ∉ 𝔽_{ℓ^β} implies p_{k−1}∏_{i∈S}(−i) ∉ 𝔽_{ℓ^β} while p(0) ∈ 𝔽_{ℓ^β}.
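A concrete instance of Lemma 1, added here as a worked example (it is not part of the original document): take ℓ = 3, α = 2, β = 1, so 𝔽_{ℓ^α} = 𝔽_9 = 𝔽_3(θ) with θ² = −1 and subfield 𝔽_{ℓ^β} = 𝔽_3 = {0, 1, 2}, and n = 2 (so ℓ^β = 3 > n). With k = 3, S = {1, 2} and the degree-2 polynomial p(X) = X² + X + θ, which has p_2 = 1 ∈ 𝔽_3 and p_0 = θ ∉ 𝔽_3, we are in case (ii). Evaluating (arithmetic mod 3),

$$p(1) = 1 + 1 + \theta = 2 + \theta, \qquad p(2) = 4 + 2 + \theta = \theta.$$

The unique polynomial of degree ≤ 1 through (1, 2 + θ) and (2, θ) has slope (θ − (2 + θ))/(2 − 1) = −2 = 1, so

$$q(X) = (X - 1) + 2 + \theta = X + 1 + \theta, \qquad q(0) = 1 + \theta \notin \mathbb{F}_3,$$

which agrees with the closed form of the proof,

$$q(0) = p(0) - p_2\prod_{i\in S}(-i) = \theta - 1\cdot(-1)(-2) = \theta - 2 = \theta + 1 .$$

Two parties holding p(1) and p(2) therefore land outside the subfield, exactly the signal the reconstruction test below interprets as "not authorized".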



FIG. 2 illustrates example operations 200 for the secret sharing process. The secret sharing function is denoted Share(Γ_t, κ), where Γ_t is a threshold access structure with threshold t and κ is the secret. A share generating operation 202 generates a share of the cryptographic secret for each party P_i of the n parties P, where i = 1, …, n. In one implementation, the share generating operation 202 selects a random share polynomial s(X) ∈ 𝔽_{ℓ^α}[X] of degree ≤ t−1 such that s(0) = κ (the non-constant coefficients are chosen uniformly at random from 𝔽_{ℓ^α}). The share generating operation 202 then gives party P_i the share s(i) of the secret κ, exactly as in Shamir's scheme.


A token generating operation 204 generates multiple threshold access structure tokens for each party of the n parties P. In one implementation, the number of token polynomials is compressed by generating a token polynomial only for odd degrees j, as shown by the operations listed below, where 𝔽_{ℓ^α} is the finite field and 𝔽_{ℓ^β} is its subfield. A fresh random polynomial is chosen for every odd j with 1 ≤ j ≤ 2⌈n/2⌉ − 1, and the polynomial of degree j supplies token number (j+1)/2 of every party:

    • 1. For each odd integer j < t−1, pick a random token polynomial p(X) = p_jX^j + … + p_0 ∈ 𝔽_{ℓ^α}[X] such that p_j ∈ 𝔽_{ℓ^β}\{0} and p_0 ∈ 𝔽_{ℓ^α}\𝔽_{ℓ^β}. Let

$$\omega_i^{(j+1)/2} = p(i) \qquad \text{for } i = 1, \dots, n.$$

    • 2. If j = t−1 is odd, pick a random token polynomial p(X) = p_jX^j + … + p_0 ∈ 𝔽_{ℓ^α}[X] such that p_j ∈ 𝔽_{ℓ^α}\𝔽_{ℓ^β} and p_0 ∈ 𝔽_{ℓ^β}\{0}. Let

$$\omega_i^{(j+1)/2} = p(i) \qquad \text{for } i = 1, \dots, n.$$

    • 3. For each odd integer j ≥ t, pick a random token polynomial p(X) = p_jX^j + … + p_0 ∈ 𝔽_{ℓ^α}[X] such that p_j ∈ 𝔽_{ℓ^β}\{0} and p_0 ∈ 𝔽_{ℓ^β}. Let

$$\omega_i^{(j+1)/2} = p(i) \qquad \text{for } i = 1, \dots, n.$$

In every case the remaining coefficients p_1, …, p_{j−1} are chosen uniformly at random from 𝔽_{ℓ^α}. The three cases are exhaustive for odd j, because j = t−1 is the only integer lying between j < t−1 and j ≥ t.





Operation 1 pertains to the scenario where fewer than t parties attempt to reconstruct the secret. In this case, the random token polynomial p(X) of degree j is selected such that p_j ∈ 𝔽_{ℓ^β}\{0}, i.e., the leading coefficient is a nonzero element of the subfield, and p_0 ∈ 𝔽_{ℓ^α}\𝔽_{ℓ^β}, i.e., the constant term is in the finite field but not in the subfield. As such, if the number r of parties coming together to reconstruct the secret is less than the threshold (except for the edge case r = t−1 with r odd, which operation 2 handles), then the token ω^{⌈r/2⌉} that these r parties use was produced by operation 1, since its degree j ∈ {r−1, r} is below t−1, and the constant term q(0) of the polynomial q(X) interpolated through these r tokens is not in the subfield, which indicates that the parties are not authorized (because they number less than the threshold). The random token polynomial p(X) is referred to as a token polynomial for each odd integer j < t−1.


Note that the interpolated polynomial q(X) is equal to the token polynomial p(X) when the number r of parties attempting the reconstruction is even, but differs from p(X) when r is odd. This is because q(X) has degree ≤ r−1 and is determined by the r tokens, while the token polynomial in use, which has odd degree j = 2⌈r/2⌉ − 1, has degree r−1 when r is even (so its r values determine it and q(X) = p(X)) and degree r when r is odd (so r values do not determine it, and Lemma 1 governs the value of q(0)).


Operation 3 generally pertains to the scenario where t or more parties attempt to reconstruct the secret. In this case, the random token polynomial p(X) of degree j is selected such that p_j ∈ 𝔽_{ℓ^β}\{0}, i.e., the leading coefficient is a nonzero element of the subfield, and p_0 ∈ 𝔽_{ℓ^β}, i.e., the constant term is also in the subfield. As such, if the number r of parties coming together to reconstruct the secret is at least the threshold (except for the edge case r = t with t even, which operation 2 handles), then the token used has degree j ≥ t, and the constant term q(0) of the interpolated polynomial q(X) is in the subfield (by construction when r is even, and by Lemma 1(i) when r is odd), which indicates that the parties are authorized (because they number at least the threshold).


Operation 2 pertains to an edge scenario resulting from the compression referenced above, where the threshold t is even, so that j = t−1 is an odd integer and a single token polynomial of degree t−1 must serve both r = t−1 parties (unauthorized) and r = t parties (authorized). In this case, the random token polynomial p(X) of degree j is selected such that p_j ∈ 𝔽_{ℓ^α}\𝔽_{ℓ^β}, i.e., the leading coefficient is not in the subfield, and p_0 ∈ 𝔽_{ℓ^β}\{0}, i.e., the constant term is a nonzero element of the subfield. As such, if r = t parties reconstruct, the interpolated polynomial is p(X) itself and q(0) = p_0 is in the subfield, so they are authorized; if only r = t−1 parties (an odd number) reconstruct, then by Lemma 1(iii) the constant term q(0) of the interpolated polynomial is not in the subfield, which indicates that the parties are not authorized (because they number fewer than the threshold).


Other implementations of generating unique threshold access structure tokens may be employed, including the non-compressed approach of generating unique threshold access structure tokens for every j. In the uncompressed approach, for example, operation 2 above may be omitted because the edge scenario introduced by compression is absent.


A distributing operation 206 distributes aggregated shares of the cryptographic secret and the corresponding threshold access structure tokens to the corresponding parties. "Aggregated share" refers to the combination of the secret share and the access structure tokens distributed to a party. As such, each party receives multiple tokens ω in association with its secret share s(i). Accordingly, for each P_i ∈ P, its aggregated share is Π_i = (s(i), ω_i^1, …, ω_i^{⌈n/2⌉}), where the superscript m of ω_i^m corresponds to the token polynomial of degree j = 2m − 1. FIGS. 4 and 5 describe a method and system for reconstructing the secret.



FIG. 3 illustrates an example secret sharing system 300. The secret sharing system 300 is configured to implement a Share(Γt, κ) function, wherein Γt is a threshold access structure with a threshold of t and κ is the secret. In the illustrated implementation, secret sharing system 300 includes a dealer system 302, which receives or possesses the secret κ and the threshold t. A secret share generator 304 generates a share of the cryptographic secret for each party pi of n parties P, where i=1, . . . , n, as described with regard to the share generating operation 202 of FIG. 2.


A token generator 306 generates multiple threshold access structure tokens for each party P_i of the n parties P. In one implementation, the number of token polynomials is compressed by generating a token polynomial only for odd degrees j, so that each party holds ⌈n/2⌉ tokens rather than n, where 𝔽_{ℓ^α} is the finite field and 𝔽_{ℓ^β} is its subfield, as discussed with regard to the token generating operation 204 in FIG. 2.


A share distributor 308 distributes aggregated shares of the cryptographic secret and the corresponding threshold access structure tokens to the corresponding parties through a communications interface 310, such as a network interface, a data bus, etc. "Aggregated share" refers to the combination of the secret share and the access structure tokens distributed to a party. As such, each party receives multiple tokens ω in association with its secret share s(i). Accordingly, for each P_i ∈ P, its aggregated share is Π_i = (s(i), ω_i^1, …, ω_i^{⌈n/2⌉}), where the superscript m of ω_i^m corresponds to the token polynomial of degree j = 2m − 1.



FIG. 4 illustrates example operations 400 for the secret reconstruction process. An example secret reconstruction function is denoted Recon({Π_i}_{i∈S}), where Π_i is the aggregated share received from the dealer by party P_i and S is a subset of {1, 2, …, n} of size r; each Π_i is parsed as (s_i, ω_i^1, …, ω_i^{⌈n/2⌉}). This notation indicates that the number of parties coming together to reconstruct the secret is r.


A receiving operation 402 receives the r aggregated shares, each of which includes a secret share s_i = s(i) and the threshold access structure tokens ω_i^1, …, ω_i^{⌈n/2⌉}. For example, one of the parties or a trusted third party can execute the role of the reconstructor. A token processing operation 404 selects the unique token polynomial q(X) ∈ 𝔽_{ℓ^α}[X] of degree ≤ r−1 such that q(i) = ω_i^{⌈r/2⌉} for all i ∈ S. As such, the selected polynomial has degree at most r−1, and its coefficients lie in the finite field 𝔽_{ℓ^α}. The index ⌈r/2⌉ accommodates the compression discussed above: token number ⌈r/2⌉ comes from the token polynomial of odd degree 2⌈r/2⌉ − 1, which is r−1 when r is even and r when r is odd. In other implementations without compression, the odd-degree restriction on j and the division of r by two may be omitted.


An authorization testing operation 406 determines whether q(0) ∈ 𝔽_{ℓ^β}. If so, the threshold number of parties needed to reconstruct the secret has been reached, and a reconstruction operation 408 selects the unique share polynomial s(X) ∈ 𝔽_{ℓ^α}[X] of degree ≤ r−1 such that s(i) = s_i for all i ∈ S and returns s(0) as the reconstructed secret κ 410. Alternatively, if q(0) ∉ 𝔽_{ℓ^β}, a denial operation 412 returns ⊥ (the up tack or falsum symbol), indicating that the r parties are not authorized to reconstruct the secret κ. Note that the authorization test consumes only the tokens, so it tells honest reconstructors whether the attempt can succeed before any share is combined; an adversary holding fewer than t shares gains nothing by skipping the test, because fewer than t Shamir shares reveal no information about κ.



FIG. 5 illustrates an example secret reconstruction system 500. The secret reconstruction system 500 is configured to implement Recon({Π_i}_{i∈S}), where Π_i is the aggregated share received from the dealer by party P_i and S is a subset of {1, 2, …, n} of size r; each Π_i is parsed as (s_i, ω_i^1, …, ω_i^{⌈n/2⌉}). This notation indicates that the number of parties coming together to reconstruct the secret is r.


A communications interface 502 receives the r aggregated shares, each of which includes a secret share s_i = s(i) and the threshold access structure tokens ω_i^1, …, ω_i^{⌈n/2⌉}, as described with regard to the receiving operation 402 of FIG. 4. A token processor 504 selects the unique token polynomial q(X) ∈ 𝔽_{ℓ^α}[X] of degree ≤ r−1 such that q(i) = ω_i^{⌈r/2⌉} for all i ∈ S, as described with regard to the token processing operation 404 of FIG. 4.


An authorization tester 506 determines whether q(0) ∈ 𝔽_{ℓ^β}. If so, the threshold number of parties needed to reconstruct the secret has been reached, and a reconstructor 508 selects the unique polynomial s(X) ∈ 𝔽_{ℓ^α}[X] of degree ≤ r−1 such that s(i) = s_i for all i ∈ S and returns s(0) as the reconstructed secret κ. Alternatively, if q(0) ∉ 𝔽_{ℓ^β}, the reconstructor 508 returns ⊥, indicating that the r parties are not authorized to reconstruct the secret κ.
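The Share and Recon procedures of FIGS. 2 through 5, written out as an added, runnable example; this is not code from the patent. It assumes a concrete field that the page leaves open: ℓ = 2^127 − 1 (a prime with ℓ ≡ 3 mod 4), α = 2, β = 1, so the finite field is 𝔽_{ℓ²} = 𝔽_ℓ(θ) with θ² = −1 and the subfield 𝔽_ℓ is the set of elements with zero θ-part, and the injection is ι(i) = i. The function names (`share`, `recon`, `check_all_subsets`) and the sample secret are this example's own. `check_all_subsets` runs Recon on every subset of n parties and confirms that exactly the subsets of size ≥ t reconstruct, including the odd-sized subset of size t−1 that operation 2 exists for.

```python
"""Added example (not from the patent): Share / Recon of FIGS. 2 and 4 with a
hidden threshold.  Assumed field: ell = 2^127 - 1 (prime, ell % 4 == 3), alpha = 2,
beta = 1, so F = F_ell[theta]/(theta^2 + 1) and the subfield K = F_ell consists of
the elements with zero theta-part.  The injection iota(i) = i sends 1..n into the
nonzero elements of K."""
from itertools import combinations
import secrets

ELL = 2**127 - 1   # theta^2 + 1 is irreducible mod ELL because ELL % 4 == 3

# ---- arithmetic in F; an element is a pair (a, b) standing for a + b*theta ----
def f_add(x, y):
    return ((x[0] + y[0]) % ELL, (x[1] + y[1]) % ELL)

def f_scale(k, x):                      # k: int in K, x: element of F
    return (k * x[0] % ELL, k * x[1] % ELL)

def in_subfield(x):                     # x in K  <=>  theta-part is zero
    return x[1] == 0

def rand_field():                       # uniform over F
    return (secrets.randbelow(ELL), secrets.randbelow(ELL))

def rand_subfield(nonzero=False):       # uniform over K, or over K \ {0}
    a = secrets.randbelow(ELL)
    while nonzero and a == 0:
        a = secrets.randbelow(ELL)
    return (a, 0)

def rand_field_not_subfield():          # uniform over F \ K: nonzero theta-part
    return (secrets.randbelow(ELL), 1 + secrets.randbelow(ELL - 1))

def poly_eval(coeffs, i):               # coeffs[d] multiplies X^d; i is an int
    acc = (0, 0)
    for c in reversed(coeffs):          # Horner's rule
        acc = f_add(f_scale(i, acc), c)
    return acc

def interpolate_at_zero(points):
    """q(0) of the unique q of degree <= r-1 with q(i) = points[i] for the r keys i.
    The abscissae are integers in K, so every Lagrange weight is an element of K."""
    val = (0, 0)
    for i, yi in points.items():
        num = den = 1
        for m in points:
            if m != i:                  # weight_i = prod_{m != i} (0 - m) / (i - m)
                num = num * m % ELL
                den = den * (m - i) % ELL
        val = f_add(val, f_scale(num * pow(den, -1, ELL) % ELL, yi))
    return val

def share(secret, n, t):
    """Share(Gamma_t, kappa) -> {i: (s(i), [omega_i^1, ..., omega_i^ceil(n/2)])}."""
    assert 1 <= t <= n < ELL
    s = [secret] + [rand_field() for _ in range(t - 1)]   # s(0) = kappa, deg <= t-1
    out = {i: (poly_eval(s, i), []) for i in range(1, n + 1)}
    for j in range(1, 2 * ((n + 1) // 2), 2):           # one polynomial per odd degree j
        mid = [rand_field() for _ in range(j - 1)]       # p_1 .. p_{j-1}, unconstrained
        if j < t - 1:        # operation 1: p_j in K \ {0}, p_0 in F \ K
            p = [rand_field_not_subfield()] + mid + [rand_subfield(nonzero=True)]
        elif j == t - 1:     # operation 2: p_j in F \ K, p_0 in K \ {0}
            p = [rand_subfield(nonzero=True)] + mid + [rand_field_not_subfield()]
        else:                # operation 3 (j >= t): p_j in K \ {0}, p_0 in K
            p = [rand_subfield()] + mid + [rand_subfield(nonzero=True)]
        for i in range(1, n + 1):
            out[i][1].append(poly_eval(p, i))
    return out

BOT = None   # plays the role of the symbol ⊥

def recon(aggregated):
    """Recon({Pi_i}_{i in S}); `aggregated` maps party index i -> (s_i, tokens)."""
    r = len(aggregated)
    idx = (r + 1) // 2 - 1              # token omega_i^{ceil(r/2)}, 0-based
    q0 = interpolate_at_zero({i: tok[idx] for i, (_, tok) in aggregated.items()})
    if not in_subfield(q0):             # authorization test (operation 406)
        return BOT
    return interpolate_at_zero({i: s for i, (s, _) in aggregated.items()})

def check_all_subsets(n, t, secret):
    """True iff every subset of >= t parties recovers `secret` and every smaller one gets BOT."""
    dealt = share(secret, n, t)
    for r in range(1, n + 1):
        for subset in combinations(range(1, n + 1), r):
            if recon({i: dealt[i] for i in subset}) != (secret if r >= t else BOT):
                return False
    return True

if __name__ == "__main__":
    kappa = (0xC0FFEE, 0xBEEF)          # constructed sample secret, an element of F
    print("n=7, t=4 (even t exercises operation 2):", check_all_subsets(7, 4, kappa))
    print("n=7, t=5:", check_all_subsets(7, 5, kappa))
```

Run as a script, both checks print True. Each party's aggregated share carries ⌈7/2⌉ = 4 tokens whether t is 2 or 6, which is what keeps t hidden from the share holders; the dealer's only t-dependent act is the choice of class (operation 1, 2 or 3) for each odd-degree polynomial. A production deployment would add authenticated distribution of the aggregated shares and constant-time field arithmetic, neither of which the page addresses.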


The scheme described above is a perfect secret sharing scheme with hidden access structures for the collection of threshold access structures. Theorem 2, stated next, makes this precise.


Theorem 2 The pair (Share, Recon) described above is a perfect secret sharing scheme with hidden access structures with respect to the collection of access structures

$$\mathcal{A} = \{\Gamma_t : 1 \le t \le n\}, \qquad \text{where } \Gamma_t = \{A \subseteq P : |A| \ge t\}.$$


The following definitions and lemmas are introduced.


Definition 4 Let S ⊆ {1, 2, …, n}, and C ⊆ 𝔽_{ℓ^α}[X]. A sequence of elements (γ_i)_{i∈S} of 𝔽_{ℓ^α} indexed by elements of S is admissible for C if there exists some p(X) ∈ C such that p(i) = γ_i for all i ∈ S.


The following classes of polynomials are defined

$$C_1(j) = \{p(X) = p_jX^j + \dots + p_0 \in \mathbb{F}_{\ell^\alpha}[X] : p_j \in \mathbb{F}_{\ell^\beta}\setminus\{0\} \text{ and } p_0 \notin \mathbb{F}_{\ell^\beta}\},$$
$$C_2(j) = \{p(X) = p_jX^j + \dots + p_0 \in \mathbb{F}_{\ell^\alpha}[X] : p_j \notin \mathbb{F}_{\ell^\beta} \text{ and } p_0 \in \mathbb{F}_{\ell^\beta}\setminus\{0\}\},$$
$$C_3(j) = \{p(X) = p_jX^j + \dots + p_0 \in \mathbb{F}_{\ell^\alpha}[X] : p_j \in \mathbb{F}_{\ell^\beta}\setminus\{0\} \text{ and } p_0 \in \mathbb{F}_{\ell^\beta}\},$$

so that operations 1, 2 and 3 of FIG. 2 pick the token polynomial of degree j uniformly at random from C_1(j), C_2(j) and C_3(j), respectively.


Lemma 3 Let S ⊆ {1, 2, …, n} be of size |S| = k, and let (γ_i)_{i∈S} be any sequence of elements of 𝔽_{ℓ^α}.

    • 1. (γ_i)_{i∈S} is admissible for C_1(k) if and only if it is admissible for C_2(k).
    • 2. (γ_i)_{i∈S} is admissible for C_1(k′), C_2(k′) and C_3(k′) for any k < k′ ≤ n.


      Proof.


1. Suppose (γ_i)_{i∈S} is admissible for C_1(k). This means there is some polynomial p(X) = p_kX^k + … + p_0 ∈ 𝔽_{ℓ^α}[X] with p_k ∈ 𝔽_{ℓ^β}\{0} and p_0 ∉ 𝔽_{ℓ^β} such that p(i) = γ_i for all i ∈ S.


Fix some γ_0 ∈ 𝔽_{ℓ^β}\{0}. Then there is a unique polynomial q(X) of degree ≤ k such that q(i) = γ_i for all i ∈ S ∪ {0}. Now, since the polynomials p(X) and q(X) agree on all i ∈ S,

$$q(X) - p(X) = \delta\prod_{i\in S}(X - i)$$

for some δ ∈ 𝔽_{ℓ^α}. Substituting X = 0 gives

$$q(0) - p(0) = \delta\prod_{i\in S}(-i) \quad\Longrightarrow\quad \delta = \frac{q(0) - p(0)}{\prod_{i\in S}(-i)} \notin \mathbb{F}_{\ell^\beta},$$

because q(0) = γ_0 ∈ 𝔽_{ℓ^β}, p(0) ∉ 𝔽_{ℓ^β}, and ∏_{i∈S}(−i) is a nonzero element of 𝔽_{ℓ^β}. Comparing the coefficients of X^k, q_k = p_k + δ. Therefore, as p_k ∈ 𝔽_{ℓ^β}, q_k ∉ 𝔽_{ℓ^β}; together with q(0) = γ_0 ∈ 𝔽_{ℓ^β}\{0}, this proves that q(X) ∈ C_2(k).


To prove the converse, suppose (γ_i)_{i∈S} is admissible for C_2(k), so there exists some polynomial q(X) = q_kX^k + … + q_0 ∈ 𝔽_{ℓ^α}[X] with q_k ∉ 𝔽_{ℓ^β} and q_0 ∈ 𝔽_{ℓ^β}\{0} such that q(i) = γ_i for all i ∈ S.


Fix some p_k ∈ 𝔽_{ℓ^β}\{0}. Then there is a unique polynomial p(X) of degree ≤ k whose coefficient of X^k equals p_k and such that p(i) = γ_i for all i ∈ S. Now, since the polynomials p(X) and q(X) agree on all i ∈ S,

$$p(X) - q(X) = \delta\prod_{i\in S}(X - i)$$

for some δ ∈ 𝔽_{ℓ^α}. Comparing the coefficients of X^k, p_k − q_k = δ, which gives δ ∉ 𝔽_{ℓ^β}. Therefore, p(0) = q(0) + δ∏_{i∈S}(−i) ∉ 𝔽_{ℓ^β}, because q(0) ∈ 𝔽_{ℓ^β} while δ∏_{i∈S}(−i) is the product of an element outside the subfield and a nonzero subfield element; this proves that p(X) ∈ C_1(k).


2. Fix any p_{k′} ∈ 𝔽_{ℓ^β}\{0} and any p_0 ∉ 𝔽_{ℓ^β}. Then there exists a unique polynomial p(X) = p_{k′}X^{k′} + … + p_0 ∈ 𝔽_{ℓ^α}[X] with p_{k′−1} = … = p_{k+1} = 0 such that p(i) = γ_i for all i ∈ S: the k unknown coefficients p_1, …, p_k are determined by the k linear conditions, whose coefficient matrix (i^m)_{i∈S, 1≤m≤k} is a Vandermonde matrix with each row scaled by the nonzero element i, and so is invertible. Since p(X) ∈ C_1(k′), this shows that (γ_i)_{i∈S} is admissible for C_1(k′). The proofs for C_2(k′) and C_3(k′) are similar.


Lemma 4 Let S ⊆ {1, 2, …, n} be of size |S| = k, and let (γ_i)_{i∈S} be a sequence of elements of 𝔽_{ℓ^α}.


1. Suppose (γ_i)_{i∈S} is admissible for C_1(k) (respectively C_2(k)). If p(X) is randomly and uniformly picked from C_1(k) (respectively C_2(k)), then

$$\Pr[p(i) = \gamma_i \text{ for all } i \in S] = \left(\ell^{\alpha k} - \ell^{\alpha k - \alpha + \beta}\right)^{-1}.$$

In particular, there are ℓ^{αk} − ℓ^{αk−α+β} admissible sequences for C_1(k) (respectively C_2(k)).


2. Suppose k < k′ ≤ n. Then, for m = 1, 2, 3, if p(X) is randomly and uniformly picked from C_m(k′),

$$\Pr[p(i) = \gamma_i \text{ for all } i \in S] = \left(\ell^{\alpha k}\right)^{-1}.$$

Proof.


1. Since (γ_i)_{i∈S} is admissible for C_1(k), there exists some polynomial q(X) ∈ C_1(k) such that q(i) = γ_i for all i ∈ S.


For each choice of γ ∈ 𝔽_{ℓ^β}\{0}, there is exactly one polynomial q^{(γ)}(X) of degree k whose leading coefficient is γ and such that q^{(γ)}(i) = γ_i for all i ∈ S. Now, since the polynomials q^{(γ)}(X) and q(X) agree on all i ∈ S,

$$q^{(\gamma)}(X) - q(X) = \delta\prod_{i\in S}(X - i)$$

for some δ ∈ 𝔽_{ℓ^α}. As the coefficients of X^k of both q(X) and q^{(γ)}(X) lie in 𝔽_{ℓ^β}, so does their difference δ. Hence it follows from q(0) ∉ 𝔽_{ℓ^β} that q^{(γ)}(0) = q(0) + δ∏_{i∈S}(−i) ∉ 𝔽_{ℓ^β}.


In other words, given any choice of γ ∈ 𝔽_{ℓ^β}\{0}, there is exactly one polynomial q^{(γ)}(X) ∈ C_1(k) such that q^{(γ)}(i) = γ_i for all i ∈ S, and every polynomial of C_1(k) interpolating (γ_i)_{i∈S} arises this way from its leading coefficient. Since

$$|C_1(k)| = (\ell^\beta - 1)(\ell^\alpha)^{k-1}(\ell^\alpha - \ell^\beta) = \ell^{\alpha k - \alpha + \beta}(\ell^{\alpha-\beta} - 1)(\ell^\beta - 1),$$

$$\Pr[p(i) = \gamma_i \text{ for all } i \in S] = \frac{\ell^\beta - 1}{\ell^{\alpha k - \alpha + \beta}(\ell^{\alpha-\beta} - 1)(\ell^\beta - 1)} = \left(\ell^{\alpha k} - \ell^{\alpha k - \alpha + \beta}\right)^{-1},$$

as desired.


The proof for C_2(k) is similar, fixing the constant term q^{(γ)}(0) = γ ∈ 𝔽_{ℓ^β}\{0} instead of the leading coefficient: then δ = (γ − q(0))/∏_{i∈S}(−i) ∈ 𝔽_{ℓ^β}, so the leading coefficient q_k + δ stays outside the subfield, and |C_2(k)| = (ℓ^α − ℓ^β)(ℓ^α)^{k−1}(ℓ^β − 1) yields the same count.


2. Fix some set T ⊆ {1, 2, …, n}\S of size k′−k−1. Choose some p_{k′} ∈ 𝔽_{ℓ^β}\{0}, p_0 ∉ 𝔽_{ℓ^β} and γ_i ∈ 𝔽_{ℓ^α} for i ∈ T. Then there exists a unique polynomial p(X) = p_{k′}X^{k′} + … + p_0 ∈ 𝔽_{ℓ^α}[X] with these values of p_{k′} and p_0 such that p(i) = γ_i for all i ∈ S ∪ T (the k′−1 coefficients p_1, …, p_{k′−1} are fixed by the |S ∪ T| = k′−1 conditions). Every polynomial of C_1(k′) interpolating (γ_i)_{i∈S} arises from exactly one such choice, which shows that

$$\Pr[p(i) = \gamma_i \text{ for all } i \in S] = \frac{\text{number of choices for } p_{k'},\ p_0 \text{ and } \gamma_i \text{ for } i \in T}{|C_1(k')|} = \frac{(\ell^\beta - 1)(\ell^\alpha - \ell^\beta)(\ell^\alpha)^{k'-k-1}}{\ell^{\alpha k' - \alpha + \beta}(\ell^{\alpha-\beta} - 1)(\ell^\beta - 1)} = \left(\ell^{\alpha k}\right)^{-1}.$$


The proofs for C_2(k′) and C_3(k′) are similar.


Given this foundation, Theorem 2 can be proved by the following:


Proof of Theorem 2. Perfect Authorization Verification: Let S be a subset of {1, 2, …, n} of size k, and let q(X) ∈ 𝔽_{ℓ^α}[X] be the unique polynomial of degree ≤ k−1 such that q(i) = ω_i^{⌈k/2⌉} for all i ∈ S.


If k is even, the token ω^{⌈k/2⌉} comes from the token polynomial p(X) of degree k−1, which is determined by its k values on S, so q(X) = p(X) and q(0) = p_0; by construction p_0 ∈ 𝔽_{ℓ^β} under operations 2 and 3 (k−1 ≥ t−1) and p_0 ∉ 𝔽_{ℓ^β} under operation 1 (k−1 < t−1), i.e., according to whether or not k ≥ t. If k is odd, the token comes from the token polynomial of degree k, and the conclusion follows from parts (i) to (iii) of Lemma 1 applied with k+1 in place of k (a polynomial of degree k and an interpolation set of size k): operation 3 (k ≥ t) gives q(0) ∈ 𝔽_{ℓ^β} by (i), while operation 1 (k < t−1) and operation 2 (k = t−1) give q(0) ∉ 𝔽_{ℓ^β} by (ii) and (iii), respectively.


Perfect Correctness: It was just shown that any authorized subset correctly identifies itself as authorized, after which the secret is recovered by interpolating the shares s(i) of the share polynomial s(X). Thus, perfect correctness follows from the perfect correctness of Shamir's secret sharing scheme.


Perfect Secrecy: Since the choices of ω_i^j do not depend on the secret κ, perfect secrecy of the scheme follows from the perfect secrecy property of Shamir's secret sharing scheme.


Perfect Access Structure Hiding: Let 1≤t<t′≤n. Let ωij denote the access structure tokens for the case where the access structure is Γt, and ω′ij denote the access structure tokens for the case where the access structure is Γt′. Suppose |S|=k=t−1. It can be proved that

{ωij}i∈S,1≤j≤⌈n/2⌉ and {ω′ij}i∈S,1≤j≤⌈n/2⌉

are identically distributed. Since ωij1 is chosen independently of ωij2 for j1≠j2, this reduces to the claim that, for fixed j, {ωij}i∈S and {ω′ij}i∈S are identically distributed.


Case 1: j<t/2 or j≥(t′+1)/2.


This is clear as ωij and ω′ij are constructed in the same way.


Case 2: j=t/2.


Note that ωij=p(i) where p(X) is randomly and uniformly chosen from C2(2j−1), while ω′ij=p′(i) where p′(X) is randomly and uniformly chosen from C1(2j−1).


Suppose (γi)i∈S is admissible for C1(2j-1), then, by Lemma 3(a), (γi)i∈S is also admissible for C2(2j-1). Thus, by Lemma 4(a),

Pr[p(i)=γi for all i∈S]=(custom characterαk − custom characterαk−α+β)−1=Pr[p′(i)=γi for all i∈S],

as required.


Case 3: t/2<j<t′/2.


In this case, ωij=p(i) and ω′ij=p′(i), where p(X) and p′(X) are randomly and uniformly chosen from C3(2j-1) and C1(2j-1) respectively.


Suppose (γi)i∈S is a sequence of elements of custom character. Since |S|=t−1<2j−1, (γi)i∈S is admissible for both C1(2j-1) and C3(2j-1) by Lemma 3(b). Furthermore, by Lemma 4(b),

Pr[p(i)=γi for all i∈S]=(custom characterαk)−1=Pr[p′(i)=γi for all i∈S].

Case 4: j=t′/2.


The proof of this case is similar to the proof of case 3.
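The dealing, authorization test and reconstruction argued above, as an added worked example that is not the patent's own code. It assumes a toy field F_{P^2} = F_P[u]/(u^2 − 2) with P = 101 as the subfield (u^2 − 2 is irreducible because 2 is a quadratic non-residue mod 101); party i is the field element i. The rule for which coefficients of a token polynomial lie in the subfield (`token_poly`) is my reading of the claims and of the Theorem 2 argument (k even: q equals the token polynomial, so its constant term decides; k odd: q(0) = p(0) − p_k·Π(−i), so the leading coefficient decides as well), not the patent's verbatim definitions of C1, C2 and C3; all function names are mine.

```python
import secrets
from itertools import combinations

# Assumed toy parameters: F_{P^2} = F_P[u]/(u^2 - NR) with subfield F_P.
# A deployment would use a cryptographically large field.
P, NR = 101, 2


class GF2:
    """Element a + b*u of F_{P^2}; it lies in the subfield F_P exactly when b == 0."""
    __slots__ = ("a", "b")

    def __init__(self, a, b=0):
        self.a, self.b = a % P, b % P

    def __add__(self, o): return GF2(self.a + o.a, self.b + o.b)
    def __sub__(self, o): return GF2(self.a - o.a, self.b - o.b)
    def __mul__(self, o): return GF2(self.a * o.a + NR * self.b * o.b, self.a * o.b + self.b * o.a)
    def __eq__(self, o): return self.a == o.a and self.b == o.b
    def in_subfield(self): return self.b == 0

    def inv(self):
        # (a + b u)(a - b u) = a^2 - NR*b^2 is a nonzero element of F_P for nonzero inputs
        n_inv = pow((self.a * self.a - NR * self.b * self.b) % P, P - 2, P)
        return GF2(self.a * n_inv, -self.b * n_inv)


def rand_field():       return GF2(secrets.randbelow(P), secrets.randbelow(P))          # uniform in F_{P^2}
def rand_sub():         return GF2(secrets.randbelow(P))                                # uniform in F_P
def rand_sub_nonzero(): return GF2(1 + secrets.randbelow(P - 1))                        # uniform in F_P \ {0}
def rand_nonsub():      return GF2(secrets.randbelow(P), 1 + secrets.randbelow(P - 1))  # uniform in F_{P^2} \ F_P


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term, coeffs[-1] the leading coefficient."""
    acc = GF2(0)
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc


def interpolate_at_zero(points):
    """Lagrange interpolation at X = 0 through (i, y_i); nodes i are distinct integers in 1..P-1."""
    total = GF2(0)
    for xi, yi in points:
        num, den = GF2(1), GF2(1)
        for xj, _ in points:
            if xj != xi:
                num, den = num * GF2(-xj), den * GF2(xi - xj)
        total = total + yi * num * den.inv()
    return total


def token_poly(d, t):
    """Random token polynomial of odd degree d for threshold t (assumed selection rule)."""
    middle = [rand_field() for _ in range(d - 1)]
    if d < t - 1:        # d and d+1 parties both unauthorized: constant term outside F_P
        const, lead = rand_nonsub(), rand_sub_nonzero()
    elif d == t - 1:     # d parties unauthorized, d+1 = t parties authorized
        const, lead = rand_sub(), rand_nonsub()
    else:                # d >= t: both authorized, constant and leading coefficient in F_P
        const, lead = rand_sub(), rand_sub_nonzero()
    return [const] + middle + [lead]


def deal(secret, n, t):
    """Dealer side: Shamir share of `secret` (int < P) and tokens omega_{i,j}, j = 1..ceil(n/2)."""
    share_poly = [GF2(secret)] + [rand_field() for _ in range(t - 1)]   # degree < t
    shares = {i: poly_eval(share_poly, GF2(i)) for i in range(1, n + 1)}
    polys = {j: token_poly(2 * j - 1, t) for j in range(1, (n + 1) // 2 + 1)}
    tokens = {i: {j: poly_eval(p, GF2(i)) for j, p in polys.items()} for i in range(1, n + 1)}
    return shares, tokens


def is_authorized(S, tokens):
    """Parties in S interpolate their index-ceil(|S|/2) tokens; authorized iff q(0) lies in F_P."""
    j = (len(S) + 1) // 2
    return interpolate_at_zero([(i, tokens[i][j]) for i in S]).in_subfield()


def reconstruct(S, shares, tokens):
    """Return the secret for an authorized set S, None for an unauthorized one."""
    if not is_authorized(S, tokens):
        return None
    return interpolate_at_zero([(i, shares[i]) for i in S]).a


def check_all_subsets(n, t, secret):
    """True iff every subset of size >= t recovers `secret` and every smaller subset is refused."""
    shares, tokens = deal(secret, n, t)
    for k in range(1, n + 1):
        for S in combinations(range(1, n + 1), k):
            if reconstruct(S, shares, tokens) != (secret if k >= t else None):
                return False
    return True


if __name__ == "__main__":
    print(check_all_subsets(7, 4, 42), check_all_subsets(6, 3, 7))   # True True
```

`check_all_subsets` exercises exactly the perfect authorization verification and perfect correctness properties: every subset of the n parties runs the membership test on the interpolated token value and, if it passes, Shamir reconstruction on the shares. The access structure hiding property is not something this code can exhibit by a single run; it is the counting argument of Lemma 4 above, which says that a set of t−1 parties sees tokens whose joint distribution does not depend on whether the threshold was t or t′.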



FIG. 6 illustrates an example computing device 600 for implementing the features and operations of the described technology. The computing device 600 may embody a remote control device or a physical controlled device and is an example network-connected and/or network-capable device and may be a client device, such as a laptop, mobile device, desktop, tablet; a server/cloud device; an internet-of-things device; an electronic accessory; or another electronic device. The computing device 600 includes one or more hardware processor(s) 602 and a memory 604. The memory 604 generally includes both volatile memory (e.g., RAM) and nonvolatile memory (e.g., flash memory). An operating system 610 resides in the memory 604 and is executed by the hardware processor(s) 602.


In an example computing device 600, as shown in FIG. 6, one or more modules or segments, such as applications 650, a communications interface, a secret share generator, a token generator, a share distributor, a token processor, an authorization tester, a reconstructor, and other services, workloads, and modules, are loaded into the operating system 610 on the memory 604 and/or storage 620 and executed by hardware processor(s) 602 or other circuitry. The storage 620 may include one or more tangible storage media devices and may store cryptographic security parameters, thresholds, secrets, secret shares, aggregated shares, threshold access structure tokens, and other data and may be local to the computing device 600 or may be remote and communicatively connected to the computing device 600.


The computing device 600 includes a power supply 616, which is powered by one or more batteries or other power sources and which provides power to other components of the computing device 600. The power supply 616 may also be connected to an external power source that overrides or recharges the built-in batteries or other power sources.


The computing device 600 may include one or more communication transceivers 630 that may be connected to one or more antenna(s) 632 to provide network connectivity (e.g., mobile phone network, Wi-Fi®, Bluetooth®) to one or more other servers and/or client devices (e.g., mobile devices, desktop computers, or laptop computers). The computing device 600 may further include a network adapter 636, which is a type of computing device. The computing device 600 may use the adapter and any other types of computing devices for establishing connections over a wide-area network (WAN) or local-area network (LAN). It should be appreciated that the network connections shown are exemplary and that other computing devices and means for establishing a communications link between the computing device 600 and other devices may be used.


The computing device 600 may include one or more input devices 634 such that a user may enter commands and information (e.g., a keyboard or mouse). These and other input devices may be coupled to the server by one or more interfaces 638, such as a serial port interface, parallel port, or universal serial bus (USB). The computing device 600 may further include a display 622, such as a touch screen display.


The computing device 600 may include a variety of tangible processor-readable storage media and intangible processor-readable communication signals. Tangible processor-readable storage can be embodied by any available media that can be accessed by the computing device 600 and includes both volatile and nonvolatile storage media, removable and non-removable storage media. Tangible processor-readable storage media excludes communications signals (e.g., signals per se) and includes volatile and nonvolatile, removable and non-removable storage media implemented in any method or technology for storage of information such as processor-readable instructions, data structures, program modules or other data. Tangible processor-readable storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CDROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by the computing device 600. In contrast to tangible processor-readable storage media, intangible processor-readable communication signals may embody processor-readable instructions, data structures, program modules or other data resident in a modulated data signal, such as a carrier wave or other signal transport mechanism. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, intangible communication signals include signals traveling through wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared, and other wireless media.


Various software components described herein are executable by one or more hardware processors, which may include logic machines configured to execute hardware or firmware instructions. For example, the processors may be configured to execute instructions that are part of one or more applications, services, programs, routines, libraries, objects, components, data structures, or other logical constructs. Such instructions may be implemented to perform a task, implement a data type, transform the state of one or more components, achieve a technical effect, or otherwise arrive at a desired result.


Aspects of processors and storage may be integrated together into one or more hardware logic components. Such hardware-logic components may include field-programmable gate arrays (FPGAs), program- and application-specific integrated circuits (PASIC/ASICs), program- and application-specific standard products (PSSP/ASSPs), system-on-a-chip (SOC), and complex programmable logic devices (CPLDs), for example.


The terms “module,” “program,” and “engine” may be used to describe an aspect of a remote control device and/or a physical controlled device 802 implemented to perform a particular function. It will be understood that different modules, programs, and/or engines may be instantiated from the same application, service, code block, object, library, routine, API, function, etc. Likewise, the same module, program, and/or engine may be instantiated by different applications, services, code blocks, objects, routines, APIs, functions, etc. The terms “module,” “program,” and “engine” may encompass individual or groups of executable files, data files, libraries, drivers, scripts, database records, etc.


It will be appreciated that a “service,” as used herein, is an application program executable across multiple user sessions. A service may be available to one or more system components, programs, and/or other services. In some implementations, a service may run on one or more server computing devices.


While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular embodiments of particular described technology. Certain features that are described in this specification in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed combination may be directed to a subcombination or variation of a subcombination.


Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the embodiments described above should not be understood as requiring such separation in all embodiments, and it should be understood that the described program components and systems can generally be integrated together in a single software product or packaged into multiple software products.


Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.


A number of implementations of the described technology have been described. Nevertheless, it will be understood that various modifications can be made without departing from the spirit and scope of the recited claims.

Claims
  • 1. A computing-processor-implemented method of cryptographically sharing a cryptographic secret among multiple parties, the method comprising: generating a share of the cryptographic secret for each party of the multiple parties; generating a set of multiple threshold access structure tokens for each party of the multiple parties, the multiple threshold access structure tokens being generated for a party from one or more random token polynomials selected from a finite field based on a number of the multiple parties capable of attempting to reconstruct the cryptographic secret; and distributing the shares of the cryptographic secret and the sets of the multiple threshold access structure tokens to the multiple parties, each party receiving a different share of the cryptographic secret and a different set of the multiple threshold access structure tokens, wherein at least a threshold number of the parties can reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to at least a threshold number of the parties attempting to reconstruct the cryptographic secret and less than the threshold number of the parties cannot reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to the less than the threshold number of the parties.
  • 2. The computing-processor-implemented method of claim 1, wherein the operation of generating a share comprises: selecting a random share polynomial in a finite field and having a degree less than the threshold number; and generating the share for each of the parties using the random share polynomial.
  • 3. The computing-processor-implemented method of claim 1, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an integer less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is not a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from coefficients of the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
  • 4. The computing-processor-implemented method of claim 3, wherein a number of the parties attempting to reconstruct the cryptographic secret that is less than the threshold number and the cryptographic secret is not reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 5. The computing-processor-implemented method of claim 1, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an integer greater than or equal to the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is also a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is authorized to reconstruct the cryptographic secret.
  • 6. The computing-processor-implemented method of claim 3, wherein a number of the parties attempting to reconstruct the cryptographic secret that is greater than or equal to the threshold number and the cryptographic secret is reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 7. The computing-processor-implemented method of claim 1, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an odd integer that is one less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is not a member of a subfield of the finite field and a constant of the random token polynomial is a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
  • 8. A system for cryptographically sharing a cryptographic secret among multiple parties, the system comprising: one or more hardware processors; a secret share generator executable by the one or more hardware processors and configured to generate a share of the cryptographic secret for each party of the multiple parties; a token generator executable by the one or more hardware processors and configured to generate a set of multiple threshold access structure tokens for each party of the multiple parties, the multiple threshold access structure tokens being generated for a party from one or more random token polynomials selected from a finite field based on a number of the multiple parties capable of attempting to reconstruct the cryptographic secret; and a share distributor executable by the one or more hardware processors and configured to distribute the shares of the cryptographic secret and the sets of multiple threshold access structure tokens to the multiple parties, each party receiving a different share of the cryptographic secret and a different set of the multiple threshold access structure tokens, wherein at least a threshold number of the parties can reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to at least a threshold number of the parties attempting to reconstruct the cryptographic secret and less than the threshold number of the parties cannot reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to the less than the threshold number of the parties.
  • 9. The system of claim 8, wherein the secret share generator is configured to generate a share by selecting a random share polynomial in a finite field and having a degree less than the threshold number, the random share polynomial being selected to generate the share for each of the parties using the random share polynomial.
  • 10. The system of claim 8, wherein the token generator is configured to generate the multiple threshold access structure tokens by selecting, for an integer less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is not a member of the subfield of the finite field, and to generate one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
  • 11. The system of claim 10, wherein a number of the parties attempting to reconstruct the cryptographic secret that is less than the threshold number and the cryptographic secret is not reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 12. The system of claim 8, wherein the token generator is configured to generate the multiple threshold access structure tokens by selecting, for an integer greater than or equal to the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is also a member of the subfield of the finite field, and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is authorized to reconstruct the cryptographic secret.
  • 13. The system of claim 12, wherein a number of the parties attempting to reconstruct the cryptographic secret that is greater than or equal to the threshold number and the cryptographic secret is reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 14. The system of claim 8, wherein the token generator is configured to generate the multiple threshold access structure tokens by selecting, for an odd integer that is one less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is not a member of a subfield of the finite field and a constant of the random token polynomial is a member of the subfield of the finite field, and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
  • 15. One or more tangible processor-readable storage media embodied with instructions for executing on one or more processors and circuits of a computing device a process cryptographically sharing a cryptographic secret among multiple parties, the process comprising: generating a share of the cryptographic secret for each party of the multiple parties; generating a set of multiple threshold access structure tokens for each party of the multiple parties, the multiple threshold access structure tokens being generated for a party from one or more random token polynomials selected from a finite field based on a number of the multiple parties capable of attempting to reconstruct the cryptographic secret; and distributing the shares of the cryptographic secret and the sets of multiple threshold access structure tokens to the multiple parties, each party receiving a different share of the cryptographic secret and a different set of the multiple threshold access structure tokens, wherein at least a threshold number of the parties can reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to at least a threshold number of the parties attempting to reconstruct the cryptographic secret and less than the threshold number of the parties cannot reconstruct the cryptographic secret using the shares of the cryptographic secret and the multiple threshold access structure tokens corresponding to the less than the threshold number of the parties.
  • 16. The one or more tangible processor-readable storage media of claim 15, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an integer less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is not a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
  • 17. The one or more tangible processor-readable storage media of claim 16, wherein a number of the parties attempting to reconstruct the cryptographic secret that is less than the threshold number and the cryptographic secret is not reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 18. The one or more tangible processor-readable storage media of claim 15, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an integer greater than or equal to the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is a member of a subfield of the finite field and a constant of the random token polynomial is also a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is authorized to reconstruct the cryptographic secret.
  • 19. The one or more tangible processor-readable storage media of claim 18, wherein a number of the parties attempting to reconstruct the cryptographic secret that is greater than or equal to the threshold number and the cryptographic secret is reconstructable using the shares and the multiple threshold access structure tokens of the attempting parties corresponding to the number of attempting parties.
  • 20. The one or more tangible processor-readable storage media of claim 15, wherein the generating of the multiple threshold access structure tokens comprises: selecting, for an odd integer that is one less than the threshold number, a random token polynomial of the one or more random token polynomials with a coefficient corresponding to a highest degree of the random token polynomial that is not a member of a subfield of the finite field and a constant of the random token polynomial is a member of the subfield of the finite field; and generating one or more of the multiple threshold access structure tokens from the selected random token polynomial, the one or more of the multiple threshold access structure tokens indicating that the number of the multiple parties attempting to reconstruct the cryptographic secret is unauthorized to reconstruct the cryptographic secret.
US Referenced Citations (10)
Number Name Date Kind
8059816 Bai Nov 2011 B2
9813243 Triandopoulos et al. Nov 2017 B1
9929860 Triandopoulos et al. Mar 2018 B1
10084596 Triandopoulos et al. Sep 2018 B1
11115196 Triandopoulos Sep 2021 B1
20090136024 Schneider May 2009 A1
20100217986 Schneider Aug 2010 A1
20110126291 Araki May 2011 A1
20220085978 Sehrawat et al. Mar 2022 A1
20220085979 Sehrawat et al. Mar 2022 A1
Non-Patent Literature Citations (5)
Entry
Blakley, G. R., “Safeguarding cryptographic keys”, American Federation of Information Processing, 1979, 313-317.
Ito, Mitsuru, et al., “Secret Sharing Scheme Realizing General Access Structure”, Globecom 1987, 99-102.
Sehrawat, Vipin Singh, et al., “Access Structure Hiding Secret Sharing from Novel Set Systems and Vector Families”, Cocoon, 2020, 246-261.
Sehrawat, Vipin Sehrawat, et al., “Extremal set theory and LWE Based Access Structure Hiding Verifiable Secret Sharing with Malicious-Majority and Free Verification”, Theoretical Computer Science, 2021, 106-138.
Shamir, Adi, “How to share a secret”, Communications of the ACM, vol. 22, Issue 11, Nov. 1979, 612-613.
Related Publications (1)
Number Date Country
20230379144 A1 Nov 2023 US