Two Optimum Secret Sharing Schemes Revisited

Nearly optimal robust secret sharing

2016 IEEE International Symposium on Information Theory (ISIT), 2016

We prove that a known general approach to improve Shamir's celebrated secret sharing scheme; i.e., adding an information-theoretic authentication tag to the secret, can make it robust for n parties against any collusion of size δn, for any constant δ ∈ (0, 1/2). Shamir's original scheme is robust for all δ ∈ (0, 1/3). Beyond that, we employ the best known list decoding algorithms for Reed-Solomon codes and show that, with high probability, only the correct secret maintains the correct information-theoretic tag if an algebraic manipulation detection (AMD) code is used to tag secrets. This result holds in the so-called "non-rushing" model in which the n shares are submitted simultaneously for reconstruction. We thus obtain a fully explicit and robust secret sharing scheme in this model that is essentially optimal in all parameters including the share size which is k(1 + o(1)) + O(κ), where k is the secret length and κ is the security parameter. Like Shamir's scheme, in this modified scheme any set of more than δn honest parties can efficiently recover the secret. Using algebraic geometry codes instead of Reed-Solomon codes, the share length can be decreased to a constant (only depending on δ) while the number of shares n can grow independently. In this case, when n is large enough, the scheme satisfies the "threshold" requirement in an approximate sense; i.e., any set of δn(1 + ρ) honest parties, for arbitrarily small ρ > 0, can efficiently reconstruct the secret. From a practical perspective, the main importance of our result is in showing that existing systems employing Shamir-type secret sharing schemes can be made much more robust than previously thought with minimal change, essentially only involving the addition of a short and simple checksum to the original data.

Cheater Identifiable Secret Sharing Schemes via Multi-Receiver Authentication

We introduce two publicly cheater identifiable secret sharing (CISS) schemes with efficient reconstruction, tolerating t < k/2 cheaters. Our constructions are based on (k, n) threshold Shamir scheme, and they feature a novel application of multi-receiver authentication codes to ensure integrity of shares. The first scheme, which tolerates rushing cheaters, has the share size |S|(n−t) n+t+2 / n+t+2 in the general case, that can be ultimately reduced to |S|(k−t) k+t+2 / k+t+2 assuming that all the t cheaters are among the k reconstructing players. The second scheme, which tolerates non-rushing cheaters, has the share size |S|(n − t) 2t+2 / 2t+2. These two constructions have the smallest share size among the existing CISS schemes of the same category, when the secret is a single field element. In addition, we point out that an improvement in the share size to |S|/ n− (k−1)/3 +1 can be achieved for a CISS tolerating t < k/3 rushing cheaters presented by Xu et al. at IWSEC 2013.

Hash function-based secret sharing scheme designs

Security and Communication Networks, 2012

Secret sharing schemes create an effective method to safeguard a secret by dividing it among several participants. By using hash functions and the herding hashes technique, we first set up a (t + 1, n) threshold scheme which is perfect and ideal, and then extend it to schemes for any general access structure. The schemes can be further set up as proactive or verifiable if necessary. The setup and recovery of the secret is efficient due to the fast calculation of the hash function. The proposed scheme is flexible because of the use of existing hash functions.

Dynamic Threshold and Cheater Resistance for Shamir Secret Sharing Scheme

Lecture Notes in Computer Science, 2006

In this paper, we investigate the problem of increasing the threshold parameter of the Shamir (t, n)-threshold scheme without interacting with the dealer. Our construction will reduce the problem of secret recovery to the polynomial reconstruction problem which can be solved using a recent algorithm by Guruswami and Sudan. In addition to being dealer-free, our protocol does not increase the communication cost between the dealer and the n participants when compared to the original (t, n)-threshold scheme. Despite an increase of the asymptotic time complexity at the combiner, we show that recovering the secret from the output of the previous polynomial reconstruction algorithm is still realistic even for large values of t. Furthermore the scheme does not require every share to be authenticated before being processed by the combiner. This will enable us to reduce the number of elements to be publicly known to recover the secret to one digest produced by a collision resistant hash function which is smaller than the requirements of most verifiable secret sharing schemes.

Efficient Threshold Secret Sharing Schemes Secure Against Rushing Cheaters

Lecture Notes in Computer Science

In this paper, we consider three very important issues namely detection, identification and robustness of k-out-of-n secret sharing schemes against rushing cheaters who are allowed to submit (possibly forged) shares after observing shares of the honest users in the reconstruction phase. Towards this we present five different schemes. Among these, first we present two k-out-of-n secret sharing schemes, the first one being capable of detecting (k − 1)/3 cheaters such that |Vi| = |S|/ 3 and the second one being capable of detecting n − 1 cheaters such that |Vi| = |S|/ k+1 , where S denotes the set of all possible secrets, denotes the successful cheating probability of cheaters and Vi denotes the set of all possible shares. Next we present two k-out-of-n secret sharing schemes, the first one being capable of identifying (k − 1)/3 rushing cheaters with share size |Vi| that satisfies |Vi| = |S|/ k. This is the first scheme whose size of shares does not grow linearly with n but only with k, where n is the number of participants. For the second one, in the setting of public cheater identification, we present an efficient optimal cheater resilient k-out-of-n secret sharing scheme against rushing cheaters having the share size |Vi| = (n − t) n+2t |S|/ n+2t. The proposed scheme achieves flexibility in the sense that the security level (i.e. the cheater(s) success probability) is independent of the secret size. Finally, we design an efficient (k, δ) robust secret sharing secure against rushing adversary with optimal cheater resiliency. Each of the five proposed schemes has the smallest share size having the mentioned properties among the existing schemes in the respective fields.

An efficient multi-use multi-secret sharing scheme based on hash function

Applied mathematics letters, 2010

In this work, a renewable, multi-use, multi-secret sharing scheme for general access structure based on the one-way collision resistant hash function is presented in which each participant has to carry only one share. As it applies the collision resistant one-way hash function, the proposed scheme is secure against conspiracy attacks even if the pseudo-secret shares are compromised. Moreover, high complexity operations like modular multiplication, exponentiation and inversion are avoided to increase its efficiency. Finally, in the proposed scheme, both the combiner and the participants can verify the correctness of the information exchanged among themselves.

An efficient multi-use multi-secret sharing scheme

Proceedings of National Workshop on Cryptology, 2009, SVNIT Surat, 2009

In this paper, a multi-secret sharing scheme for general access structures based on one-way hash function is presented. The major characteristics of its design are multi-use of the shares and that different secrets can be reconstructed according to their access structure, which provides more flexibility in the practical use. By applying one-way hash function, the proposed scheme is secure against notorious conspiracy attacks even if the pseudo-secret shares are compromised. Even though it is a multi-use multi-secret sharing scheme, each participant has to carry only a single share. Analysis showed that this proposed scheme is a perfectly secure and efficient scheme. Finally, in the proposed scheme, both the combiner and the participants can verify the correctness of the information that they are receiving from each other.

An Efficient Robust Secret Sharing Scheme with Optimal Cheater Resiliency

Security, Privacy, and Applied Cryptography Engineering, 2014

In this paper, we consider the problem of (t, δ) robust secret sharing secure against rushing adversary. We design a simple t-out-of-n secret sharing scheme, which can reconstruct the secret in presence of t cheating participants except with probability at most δ, provided t < n/2. The latter condition on cheater resilience is optimal for the case of public reconstruction of the secret, on which we focus in this work. Our construction improves the share size of Cevallos et al. (EUROCRYPT-2012) robust secret sharing scheme by applying the "authentication tag compression" technique devised by Carpentieri in 1995. Our improvement is by a constant factor that does not contradict the asymptotic near-optimality of the former scheme. To the best of our knowledge, the proposed scheme has the smallest share size, among other efficient rushing (t, δ) robust secret sharing schemes with optimal cheater resilience.

Remarks on the multiple assignment secret sharing scheme

Lecture Notes in Computer Science, 1997

The paper analyses the multiple assignment secret sharing scheme, presented at the GLOBECOM'87 Conference. It contains three technical comments and a contribution to extend the capabilities of Shamir scheme. First it is proved that the proposed multiple assignment secret sharing scheme is not perfect. In fact, the non-perfectness of the scheme is due to the non-perfectness of a certain type of Shamir secret sharing scheme defined in the paper. Next it is shown that both the extended multiple assignment secret sharing scheme and the extended Shamir secret sharing scheme are not secure, i.e., unauthorised sets of participants can recover the secret. Finally, we will show how to (safely) extend a Shamir scheme.