Cryptography Reference
In-Depth Information
4.1 The Adversary
In our DOT, the receiver contacts $k$ servers during the execution of the protocol.
In addition, she is allowed to corrupt up to $k - 1$ servers, possibly amongst the
contacted servers. That is, the receiver plays the role of a passive adversary who
wishes to breach the sender's security by learning more than one secret from
the protocol. Like in other DOT schemes (see [8]), we assume the existence of a
mechanism preventing the receiver from contacting more than $k$ servers in one
round.
On the other hand, up to $k - 1$ servers may collaborate to learn the choice $\sigma$
of the receiver. In this scenario, the coalition of servers may be considered as an
adversary who wishes to breach the privacy of the receiver.
4.2 Overview of the Protocol
The key idea of our model is that if a sender holds a vector $u = (\omega_1, \ldots, \omega_n)$ of
$n$ secrets ($n > 1$) and if a receiver wishes to learn the secret $\omega_\sigma$ ($1 \le \sigma \le n$),
then the receiver contributes with a vector $v = (\delta_{\sigma 1}, \ldots, \delta_{\sigma n})$, and the servers
respond with the scalar product of these two vectors, i.e.,

$$u \cdot v = \sum_{i=1}^{n} \omega_i \times \delta_{\sigma i},$$

which is the requested secret.
To guarantee the security of the sender and the privacy of the receiver, the
vectors involved in the scalar product are shared thanks to Shamir's [11] threshold
schemes. That is, the sender transmits to each server $S_i$ ($1 \le i \le m$) a vector
$u_i = (F_1(i), \ldots, F_n(i))$ of $n$ shares, where $F_i$ is the sharing polynomial related to
$\omega_i$. In the same way, to obtain a secret $\omega_\sigma$, the receiver selects a subset $I_k \subset I_m$
of $k$ indices, sends to each server $S_j$ ($j \in I_k$) a vector $v_j = (Z_1(j), \ldots, Z_n(j))$ of
$n$ shares ($Z_i$ is the sharing polynomial related to $\delta_{\sigma i}$) and receives $k$ shares of the
chosen secret $\omega_\sigma$. The shares are associated with a polynomial $\mu$ of degree $k - 1$
and so, by interpolation, the receiver is able to determine $\mu$ and to calculate the
chosen secret $\omega_\sigma = \mu(0)$.
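The arithmetic of this overview can be run end to end. The following is an added example, not code from the original text: it assumes a prime field (the modulus `P` is constructed), that $\delta_{\sigma i}$ is 1 when $i = \sigma$ and 0 otherwise, and that the degrees of $F_i$ and $Z_i$ (the hypothetical parameters `deg_f` and `deg_z`, whose split the page does not state) sum to $k - 1$ so that $\mu$ has degree $k - 1$.

```python
import secrets

P = 2**61 - 1  # prime modulus (constructed; the page does not fix a field)

def share_poly(secret, degree):
    """Random polynomial of the given degree with constant term `secret`."""
    return [secret % P] + [secrets.randbelow(P) for _ in range(degree)]

def evaluate(poly, x):
    """Horner evaluation of poly at x modulo P."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % P
    return acc

def interpolate_at_zero(points):
    """Lagrange interpolation of mu(0) from (x, y) pairs modulo P."""
    total = 0
    for xj, yj in points:
        num, den = 1, 1
        for xm, _ in points:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        total = (total + yj * num * pow(den, -1, P)) % P
    return total

def dot_transfer(secrets_vec, sigma, m, contacted, deg_f, deg_z):
    """Run one transfer; returns the value the receiver reconstructs."""
    n, k = len(secrets_vec), len(contacted)
    if deg_f + deg_z != k - 1 or len(set(contacted)) != k:
        raise ValueError("need k distinct servers and deg F + deg Z = k - 1")
    # Sender: polynomial F_i hides omega_i; server S_j stores u_j.
    F = [share_poly(w, deg_f) for w in secrets_vec]
    u = {j: [evaluate(f, j) for f in F] for j in range(1, m + 1)}
    # Receiver: polynomial Z_i hides delta_{sigma i}; S_j gets v_j for j in I_k.
    Z = [share_poly(1 if i == sigma else 0, deg_z) for i in range(1, n + 1)]
    v = {j: [evaluate(z, j) for z in Z] for j in contacted}
    # Each contacted server answers with u_j . v_j, a point on mu.
    replies = [(j, sum(a * b for a, b in zip(u[j], v[j])) % P) for j in contacted]
    return interpolate_at_zero(replies)

if __name__ == "__main__":
    omega = [1111, 2222, 3333, 4444]          # constructed secrets, n = 4
    print(dot_transfer(omega, sigma=3, m=7, contacted=[2, 4, 5, 7, 1],
                       deg_f=2, deg_z=2))       # k = 5
```

This sketch covers only the share-and-interpolate step of the overview. It does not model the redistribution component of Section 5 or the collusion bounds of Section 4.1.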
5 Components of the System
Our protocol is mainly based on two components.
The first one is a secret sharing scheme, allowing on one hand the sender to
generate and distribute shares of the secrets he holds, and on the other hand
the receiver to generate and distribute shares of the identifier of the secret she
wishes to learn.
The second one is a mechanism which enables a set of users to redistribute
a secret to another set of users. This component requires the availability of
private communication channels between any two users involved in the protocol.
We assume that these communication channels are secure, i.e., any party is
unable to eavesdrop on them and they guarantee that communications cannot
be tampered with.