Fair secret reconstruction in (t, n) secret sharing

Abstract

In Shamir's (t, n) threshold secret sharing scheme, one secret s is divided into n shares by a dealer and all shares are shared among n shareholders, such that knowing t or more than t shares can reconstruct this secret; but knowing fewer than t shares cannot reveal any information about the secret s. The secret reconstruction phase in Shamir's (t, n) threshold secret sharing is very simple and unconditionally secure. In 2014, Harn has shown that Shamir's secret reconstruction phase cannot prevent an outside attacker from knowing the secret if more than t participants work together in the secret reconstruction phase. Harn's paper also has proposed a reconstruction scheme which can prevent the outside adversary from knowing the secret. However, in Shamir's secret reconstruction, when shares are released asynchronously, a dishonest shareholder (an inside adversary) can always release a fake share last so the dishonest shareholder can exclusively retrieve the secret; but other honest shareholders retrieve a fake secret. In this paper, we design a secret reconstruction scheme against both inside and outside adversaries. This scheme can also be called an asynchronously rational secret sharing scheme. Unlike other rational secret sharing schemes, our scheme does not need any interactive dealer, complicate cryptographic primitives, or any assumption on the number of honest shareholders.