Abstract

We prove that a known general approach to improving Shamir's celebrated secret sharing scheme, namely adding an information-theoretic authentication tag to the secret, can make it robust for n parties against any collusion of size δn, for any constant δ ∈ (0, 1/2). Shamir's original scheme is robust for all δ ∈ (0, 1/3). Beyond that, we employ the best known list decoding algorithms for Reed-Solomon codes and show that, with high probability, only the correct secret maintains the correct information-theoretic tag if an algebraic manipulation detection (AMD) code is used to tag secrets. This result holds in the so-called “non-rushing” model, in which the n shares are submitted simultaneously for reconstruction. We thus obtain a fully explicit and robust secret sharing scheme in this model that is essentially optimal in all parameters, including the share size, which is k(1+o(1)) + O(κ), where k is the secret length and κ is the security parameter. Like Shamir's scheme, in this modified scheme any set of more than δn honest parties can efficiently recover the secret. Using algebraic geometry codes instead of Reed-Solomon codes, the share length can be decreased to a constant (depending only on δ) while the number of shares n can grow independently. In this case, when n is large enough, the scheme satisfies the “threshold” requirement in an approximate sense; i.e., any set of δn(1+ρ) honest parties, for arbitrarily small ρ > 0, can efficiently reconstruct the secret. From a practical perspective, the main importance of our result is in showing that existing systems employing Shamir-type secret sharing schemes can be made much more robust than previously thought with minimal change, essentially only involving the addition of a short and simple checksum to the original data.

Highlights

  • Secret sharing, introduced by the seminal works of Shamir [23] and Blakley [1], is the following problem: suppose we wish to encode and distribute a secret s ∈ F_2^k among n parties in such a way that (i) the n parties can reconstruct the original secret s by revealing their respective shares; and (ii) for some integer parameter t > 0, any group of t parties cannot infer any information about the secret from their collection of shares.

  • In coding-theoretic terms, the goal is to encode s into a sequence Y_1, …, Y_n over some alphabet of size Q, in a way that s can be reconstructed from the encoding and, for any i_1, …, i_t ∈ [n], the sequence Y_{i_1}, …, Y_{i_t} has the same distribution regardless of the message s.

  • The error in each share corrupted by the adversary can only depend on the particular share being corrupted. This corresponds to the case where a number of adversaries take control of different shares and have to decide on submitting an incorrect share based only on the local information that they possess.


Summary

Introduction

Secret sharing, introduced by the seminal works of Shamir [23] and Blakley [1], is the following problem (in its most basic formulation): suppose we wish to encode and distribute a secret s ∈ F_2^k among n parties in such a way that (i) the n parties can reconstruct the original secret s by revealing their respective shares; and (ii) for some integer parameter t > 0 (called the privacy parameter), any group of t parties cannot infer any information about the secret from their collection of shares. The correct secret s can always be reconstructed even if up to a third of the parties reveal their shares incorrectly. This holds true even if the malicious parties are able to communicate arbitrarily with each other and choose the incorrect shares adversarially. In the rushing setting (known as “secret sharing with reconstructor”), reconstruction is done by each party broadcasting their (possibly corrupted) shares in an order determined by the protocol. This means that the adversary may attempt to adaptively manipulate shares at any point in the reconstruction phase (up to its allotted budget), based on its (adaptive) observation of up to t shares as well as all the shares (including those of the honest parties) that have been revealed so far. The parameter t is the privacy parameter, n is the number of shares and η is the error probability of reconstruction.
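The following Python sketch is an added illustration of the mechanism the abstract and the introduction describe, not code from the paper: a secret is tagged with an AMD code, the tagged value is Shamir-shared over GF(2^61 - 1), 3 of 7 parties (more than a third, beyond the unique-decoding radius of plain Shamir) submit altered shares in the non-rushing model, and reconstruction keeps only candidates whose tag verifies. The field, the textbook AMD code x^3 + s·x and the brute-force enumeration of (t+1)-subsets (standing in for the Reed-Solomon list decoder) are assumptions of this demo, not the paper's constructions.

```python
import itertools
import random

P = 2**61 - 1  # Mersenne prime; GF(P) is a constructed choice for this demo (3 does not divide P)

def amd_encode(s, rng):
    """Tag a field element s with the textbook AMD code (s, x, x^3 + s*x) for random x. An offset
    (ds, dx, dt) fixed without knowing x passes the check with probability at most 2/P."""
    x = rng.randrange(P)
    return (s, x, (pow(x, 3, P) + s * x) % P)

def amd_verify(s, x, tag):
    return (pow(x, 3, P) + s * x) % P == tag

def share(values, n, t, rng):
    """Shamir-share each field element with its own random degree-t polynomial, evaluated at 1..n."""
    polys = [[v] + [rng.randrange(P) for _ in range(t)] for v in values]
    evaluate = lambda c, at: sum(ck * pow(at, k, P) for k, ck in enumerate(c)) % P
    return [(i, tuple(evaluate(c, i) for c in polys)) for i in range(1, n + 1)]

def interpolate_at_zero(points):
    """Lagrange interpolation of the degree-(len(points)-1) polynomial through `points`, at 0."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = num * (-xj) % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def robust_reconstruct(shares, t):
    """Brute-force stand-in for list decoding: every (t+1)-subset proposes a candidate
    (s, x, tag); only candidates whose AMD tag verifies survive."""
    candidates = set()
    for subset in itertools.combinations(shares, t + 1):
        s, x, tag = (interpolate_at_zero([(i, y[k]) for i, y in subset]) for k in range(3))
        if amd_verify(s, x, tag):
            candidates.add(s)
    return candidates

def demo(secret=42, n=7, t=2, corrupt=3, seed=1):
    """Share `secret` with privacy t; `corrupt` colluders (3/7 > 1/3) submit shifted shares."""
    rng = random.Random(seed)  # seeded for a reproducible demo; use `secrets` in a real deployment
    shares = share(amd_encode(secret, rng), n, t, rng)
    for i in range(corrupt):  # non-rushing adversary: offsets are fixed before reconstruction
        idx, y = shares[i]
        shares[i] = (idx, tuple((v + rng.randrange(1, P)) % P for v in y))
    return robust_reconstruct(shares, t)
```

With three altered shares, plain unique decoding of the degree-2 sharing polynomial would be ambiguous; the tag filter removes every candidate produced by a subset containing an altered share, leaving only the true secret.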

Previous work
Our contributions
Notation
Preliminaries
Adaptive privacy
Robustness
The construction
Construction based on Reed-Solomon codes
Reducing the share length using algebraic geometry codes
Optimality