Linear Integer Secret Sharing

Author

  • Rune Thorbek
Abstract

In this work, we introduce the Linear Integer Secret Sharing (LISS) scheme, which is a secret sharing scheme done directly over the integers. I.e., the generation of shares is done by an integer linear combination of the secret and some random integer values. The reconstruction of the secret is done directly by a linear integer combination of the shares of a qualified subset of the parties. The goal of this thesis is to investigate the advantages of the LISS scheme. That is, we investigate the following two questions. (i) Can we generalize previous results by using the LISS scheme? (ii) Can the LISS scheme be used to solve problems with new features previously not possible? To address question (i), we show that any LISS scheme can be used to build a secure distributed protocol for exponentiation in any group. This implies, for instance, distributed RSA protocols for arbitrary access structures and with arbitrary public exponents, which generalizes previous results. The second question (ii) is answered when we present two universally composable and practical protocols by which a dealer can, verifiably and non-interactively, secret share an integer among a set of parties. Moreover, at small extra cost and using a distributed verifier proof, it can be shown in zero-knowledge that three shared integers a, b, c satisfy ab = c. This implies, by known reductions, non-interactive zero-knowledge proofs that a shared integer is in a given interval, or that one secret integer is larger than another. Such primitives are useful, e.g., for supplying inputs to a multiparty computation protocol, such as an auction or an election. The protocols use various set-up assumptions, but do not require the random oracle model. While this answers the two questions in the affirmative, we continue to investigate the LISS scheme in this work.
To emphasize one main result of this thesis, we reconsider Yao’s celebrated and heavily investigated question from 1982 [89], where a set of n parties want to evaluate an integer function f(x1, ..., xn) of n integer variables of bounded range. Initially, party Pi knows the value of xi and no other xi’s. Is it possible for the parties to compute the value of f, by computing among themselves, without leaking information about their own secret input? One common restriction on previous results is that the function f is always assumed to be represented by an arithmetic circuit over a finite field F, i.e., the arithmetic is done in F. In most scenarios f should be an integer function like Yao proposed. This is solved by choosing F such that the computations can simulate it over the integers. This introduces two problems.


Similar resources

A Fast Publicly Verifiable Secret Sharing Scheme using Non-homogeneous Linear Recursions

A non-interactive (t,n)-publicly verifiable secret sharing scheme (non-interactive (t,n)-PVSS scheme) is a (t,n)-secret sharing scheme in which anyone, not only the participants of the scheme, can verify the correctness of the produced shares without interacting with the dealer and participants. The (t,n)-PVSS schemes have found a lot of applications in cryptography because they are suitable for...


Proactive Linear Integer Secret Sharing

In [3] Damgard and Thorbek proposed the linear integer secret sharing (LISS) scheme. In this note we show that the LISS scheme can be made proactive.


Linear Integer Secret Sharing and Distributed Exponentiation

We introduce the notion of Linear Integer Secret-Sharing (LISS) schemes, and show constructions of such schemes for any access structure. We show that any LISS scheme can be used to build a secure distributed protocol for exponentiation in any group. This implies, for instance, distributed RSA protocols for arbitrary access structures and with arbitrary public exponents.


Ideal Secret Sharing Schemes for Useful Multipartite Access Structures

This paper is a survey of the main results and open problems in a line of work that was initiated shortly after secret sharing was introduced. Namely, the construction of ideal linear secret sharing schemes for access structures that are natural generalizations of the threshold ones and have interesting properties for the applications. Some of them have hierarchical properties, while other ones...


Verifiable Secret Sharing Scheme Based on Integer Representation

In Shamir’s scheme, the security is based on the numbers of the field of a prime number P, with the polynomial's coefficients reduced modulo P (taking a value from some field Z_p, where P is a large prime number). Thus, the adversary must know only the free coefficient of the polynomial in order to break the scheme. Our scheme, which is based on integer representation using the so-called g a d i...



Publication date: 2009