An Efficient Robust Secret Sharing Scheme with Optimal Cheater Resiliency

Efficient Threshold Secret Sharing Schemes Secure Against Rushing Cheaters

Lecture Notes in Computer Science

In this paper, we consider three very important issues, namely detection, identification and robustness of k-out-of-n secret sharing schemes against rushing cheaters who are allowed to submit (possibly forged) shares after observing shares of the honest users in the reconstruction phase. Towards this we present five different schemes. Among these, first we present two k-out-of-n secret sharing schemes, the first one being capable of detecting (k − 1)/3 cheaters such that |Vi| = |S|/ 3 and the second one being capable of detecting n − 1 cheaters such that |Vi| = |S|/ k+1 , where S denotes the set of all possible secrets, denotes the successful cheating probability of cheaters and Vi denotes the set of all possible shares. Next we present two k-out-of-n secret sharing schemes, the first one being capable of identifying (k − 1)/3 rushing cheaters with share size |Vi| that satisfies |Vi| = |S|/ k. This is the first scheme whose size of shares does not grow linearly with n but only with k, where n is the number of participants. For the second one, in the setting of public cheater identification, we present an efficient optimal cheater resilient k-out-of-n secret sharing scheme against rushing cheaters having the share size |Vi| = (n − t) n+2t |S|/ n+2t. The proposed scheme achieves flexibility in the sense that the security level (i.e. the cheater(s) success probability) is independent of the secret size. Finally, we design an efficient (k, δ) robust secret sharing secure against rushing adversary with optimal cheater resiliency. Each of the five proposed schemes has the smallest share size having the mentioned properties among the existing schemes in the respective fields.

An Efficient t-Cheater Identifiable Secret Sharing Scheme with Optimal Cheater Resiliency

2014

In this paper, we present an efficient k-out-of-n secret sharing scheme, which can identify up to t rushing cheaters, with probability at least 1 − , where 0 < < 1/2, provided t < k/2. This is the optimal number of cheaters that can be tolerated in the setting of public cheater identification, on which we focus in this work. In our scheme, the set of all possible shares Vi satisfies the condition that |Vi| = (t+1) 2n+k−3|S| 2n+k−3 , where S denotes the set of all possible secrets. In PODC-2012, Ashish Choudhury came up with an efficient t-cheater identifiable k-out-of-n secret sharing scheme, which was a solution of an open problem proposed by Satoshi Obana in EUROCRYPT-2011. The share size, with respect to a secret consisting of one field element, of Choudhury’s proposal in PODC-2012 is |Vi| = (t+1) |S| 3n . Therefore, our scheme presents an improvement in share size over the above construction. Hence, to the best of our knowledge, our proposal currently has the minimal sh...

Nearly optimal robust secret sharing

2016 IEEE International Symposium on Information Theory (ISIT), 2016

We prove that a known general approach to improve Shamir's celebrated secret sharing scheme; i.e., adding an information-theoretic authentication tag to the secret, can make it robust for n parties against any collusion of size δn, for any constant δ ∈ (0, 1/2). Shamir's original scheme is robust for all δ ∈ (0, 1/3). Beyond that, we employ the best known list decoding algorithms for Reed-Solomon codes and show that, with high probability, only the correct secret maintains the correct information-theoretic tag if an algebraic manipulation detection (AMD) code is used to tag secrets. This result holds in the so-called "non-rushing" model in which the n shares are submitted simultaneously for reconstruction. We thus obtain a fully explicit and robust secret sharing scheme in this model that is essentially optimal in all parameters including the share size which is k(1 + o(1)) + O(κ), where k is the secret length and κ is the security parameter. Like Shamir's scheme, in this modified scheme any set of more than δn honest parties can efficiently recover the secret. Using algebraic geometry codes instead of Reed-Solomon codes, the share length can be decreased to a constant (only depending on δ) while the number of shares n can grow independently. In this case, when n is large enough, the scheme satisfies the "threshold" requirement in an approximate sense; i.e., any set of δn(1 + ρ) honest parties, for arbitrarily small ρ > 0, can efficiently reconstruct the secret. From a practical perspective, the main importance of our result is in showing that existing systems employing Shamir-type secret sharing schemes can be made much more robust than previously thought with minimal change, essentially only involving the addition of a short and simple checksum to the original data.

Cheater Identifiable Secret Sharing Schemes via Multi-Receiver Authentication

We introduce two publicly cheater identifiable secret sharing (CISS) schemes with efficient reconstruction, tolerating t < k/2 cheaters. Our constructions are based on (k, n) threshold Shamir scheme, and they feature a novel application of multi-receiver authentication codes to ensure integrity of shares. The first scheme, which tolerates rushing cheaters, has the share size |S|(n−t) n+t+2 / n+t+2 in the general case, that can be ultimately reduced to |S|(k−t) k+t+2 / k+t+2 assuming that all the t cheaters are among the k reconstructing players. The second scheme, which tolerates non-rushing cheaters, has the share size |S|(n − t) 2t+2 / 2t+2. These two constructions have the smallest share size among the existing CISS schemes of the same category, when the secret is a single field element. In addition, we point out that an improvement in the share size to |S|/ n− (k−1)/3 +1 can be achieved for a CISS tolerating t < k/3 rushing cheaters presented by Xu et al. at IWSEC 2013.

Two Optimum Secret Sharing Schemes Revisited

2008 International Seminar on Future Information Technology and Management Engineering, 2008

In 2006, Obana et al. proposed two optimum secret sharing schemes secure against cheating. They extend the secret s in Shamir's scheme to an array of three elements, (s, e_0, e_1), and construct two equations for checking validity. Each item in the equations should be reconstructed using Lagrange's interpolation. In this paper, we revisit these schemes by introducing a public hash function to construct equations for checking validity. The revisited schemes become more efficient because they only extend the secret to an array of two elements. The new scheme for a single secret saves about 1/3 of the cost of the original.

Leakage-Resilient Secret Sharing

Electron. Colloquium Comput. Complex., 2018

In this work, we consider the natural goal of designing secret sharing schemes that ensure security against a powerful adaptive adversary who may learn some “leaked” information about all the shares. We say that a secret sharing scheme is p-party leakage-resilient, if the secret remains statistically hidden even after an adversary learns a bounded amount of leakage, where each bit of leakage can depend jointly on the shares of an adaptively chosen subset of p parties. A lot of works have focused on designing secret sharing schemes that handle individual and (mostly) non-adaptive leakage for (some) threshold secret sharing schemes ([DP07, DDV10, LL12, ADKO15, GK18a, BDIR18]).

• We give an unconditional compiler that transforms any standard secret sharing scheme with arbitrary access structure into a p-party leakage-resilient one for p logarithmic in the number of parties. This yields the first secret sharing schemes secure against adaptive and joint leakage for more than two parties. ...

A Secret Sharing Scheme for Preventing the Cheaters from Acquiring the Secret

2005

In this paper, we propose a secret sharing scheme which prevents the cheaters from recovering the secret when the honest participants cannot, with high probability. The scheme is a (k, n) threshold scheme providing protection against less than k cheaters. It is efficient in terms of share sizes for the participants. Furthermore the total size of the individual shares per participant is less than twice the size of the secret itself. The cheaters can do successful cheating with a probability 1/t, which can be adjusted without significantly increasing the total size of the individual shares. Such a scheme can be deployed in thin client fat server systems where the server has reasonable computational power and there is a high level of mistrust among the users.

Dynamic Threshold and Cheater Resistance for Shamir Secret Sharing Scheme

Lecture Notes in Computer Science, 2006

In this paper, we investigate the problem of increasing the threshold parameter of the Shamir (t, n)-threshold scheme without interacting with the dealer. Our construction will reduce the problem of secret recovery to the polynomial reconstruction problem which can be solved using a recent algorithm by Guruswami and Sudan. In addition to being dealer-free, our protocol does not increase the communication cost between the dealer and the n participants when compared to the original (t, n)-threshold scheme. Despite an increase of the asymptotic time complexity at the combiner, we show that recovering the secret from the output of the previous polynomial reconstruction algorithm is still realistic even for large values of t. Furthermore the scheme does not require every share to be authenticated before being processed by the combiner. This will enable us to reduce the number of elements to be publicly known to recover the secret to one digest produced by a collision resistant hash function which is smaller than the requirements of most verifiable secret sharing schemes.

Leakage-Resilient Secret Sharing with Constant Share Size

ArXiv, 2021

In this work, we consider the leakage resilience of algebraic-geometric (AG for short) codes based ramp secret sharing schemes extending the analysis on the leakage resilience of linear threshold secret sharing schemes over prime fields that is done by Benhamouda et al. Since there does not exist any explicit efficient construction of AG codes over prime fields, we consider constructions over prime fields with the help of concatenation method and constructions of codes over field extensions. Extending the Fourier analysis done by Benhamouda et al., one can show that concatenated algebraic geometric codes over prime fields do produce some nice leakage-resilient secret sharing schemes. One natural and curious question is whether AG codes over extension fields produce better leakage-resilient secret sharing schemes than the construction based on concatenated AG codes. Such construction provides several advantages compared to the construction over prime fields using concatenation method...

Challenging the adversary model in secret sharing schemes

Secret sharing schemes are cryptographic primitives for distributing shares of a secret amongst a set of entities in such a way that only certain coalitions can reconstruct the secret from their shares. Secret sharing schemes are highly versatile primitives that are particularly useful in applications where there is no single point of trust. Traditionally, secret sharing schemes are studied in an environment where there is a trusted dealer who initiates the scheme, passive adversaries who do not manipulate shares, and participants who either co-operate or do not co-operate in a reconstruction attempt. These assumptions are reasonable in some situations, but do not necessarily map comfortably onto many application environments. In this paper we review work on secret sharing schemes where one or more of these assumptions is challenged.