Abstract
Threshold secret sharing allows a dealer to share a secret among n players so that any coalition of t players learns nothing about the secret, but any t+1 players can reconstruct the secret in its entirety. Robust secret sharing (RSS) provides the additional guarantee that even if t malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret. In this work, we construct a simple RSS protocol for \(t = \left ({ \frac {1}{2} - \epsilon }\right )n\) that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our share size increases by an additive term of \(\mathcal {O}(\kappa + \log n)\), and reconstruction succeeds except with probability at most \(2^{-\kappa}\). Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC ’89) and Cevallos et al. (Eurocrypt ’12) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the n players with the nodes of an expander graph, and each player checks only its neighbors in the expander graph.
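For contrast with the expander-based checks, the all-pairs MAC approach of Rabin and Ben-Or that the abstract refers to, as an added example written for this page (not code from the paper): Shamir sharing plus the one-time check values \(c_{ij} = s_i + b_{ij} y_{ij} \bmod p\) described in Appendix B, where every player checks every other player, so each share carries 3(n−1) extra field elements. The field (p = 2^61 − 1), the parameters n = 7, t = 3 and the corrupt set are constructed for the example, and the acceptance rule in `robust_reconstruct` (a share counts if at least n−t−1 of the other players' checks pass) is my assumption; the page does not spell out the reconstruction step.

```python
import secrets

# Constructed parameters for this example: a Mersenne prime field, players 1..n, n >= 2t+1.
P = (1 << 61) - 1


def shamir_share(secret, t, n):
    """(t+1)-out-of-n Shamir sharing: share i is f(i) for a random degree-t f with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return {i: sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P for i in range(1, n + 1)}


def interpolate_at_zero(points):
    """Lagrange interpolation of f(0) from {x_i: f(x_i)}; correct if all points lie on f."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def deal(secret, t, n):
    """Dealer: player i receives (s_i, {y_ij}_j, {(b_ji, c_ji)}_j), i.e. 3(n-1) extra field elements."""
    shares = shamir_share(secret, t, n)
    view = {i: {"s": shares[i], "y": {}, "keys": {}} for i in range(1, n + 1)}
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            if i == j:
                continue
            b = 1 + secrets.randbelow(P - 1)  # b_ij != 0, held by j and never shown to i
            y = secrets.randbelow(P)          # y_ij, the tag that i later shows to j
            view[i]["y"][j] = y
            view[j]["keys"][i] = (b, (shares[i] + b * y) % P)  # c_ij = s_i + b_ij * y_ij
    return view


def check(verifier_view, i, s_i, y_ij):
    """Player j's one-time MAC check of i's announced (s_i, y_ij): c_ij == s_i + b_ij * y_ij.
    Forging a different s_i requires guessing b_ij, which i never sees: probability 1/(P-1)."""
    b, c = verifier_view["keys"][i]
    return (s_i + b * y_ij) % P == c


def honest_announcement(view_i):
    return view_i["s"], dict(view_i["y"])


def robust_reconstruct(announced, verdicts, t, n):
    """announced[i] = (s_i, tags) as broadcast by i; verdicts[i][j] = whether player j accepted share i.
    Assumption (not spelled out on the page): accept share i if at least n-t-1 of the other players
    accept it. An honest share always passes (the n-t-1 other honest players accept it); a modified
    share collects at most t-1 colluding votes and honest votes only through a MAC forgery."""
    accepted = {i: s for i, (s, _) in announced.items() if sum(verdicts[i].values()) >= n - t - 1}
    if len(accepted) < t + 1:
        return None  # cannot happen for n >= 2t+1: all n-t >= t+1 honest shares are accepted
    return interpolate_at_zero(dict(sorted(accepted.items())[:t + 1]))


def naive_reconstruct(announced, t):
    """Interpolate the first t+1 announced shares without any checking."""
    return interpolate_at_zero({i: s for i, (s, _) in sorted(announced.items())[:t + 1]})


def simulate(secret, t, n, corrupt):
    """Corrupt players announce s_i + 1 with their genuine tags and, as verifiers, accept every
    corrupt share and reject every honest one. Returns (robust result, naive result)."""
    views = deal(secret, t, n)
    announced = {}
    for i, v in views.items():
        s_i, tags = honest_announcement(v)
        announced[i] = ((s_i + 1) % P, tags) if i in corrupt else (s_i, tags)
    verdicts = {}
    for i, (s_i, tags) in announced.items():
        verdicts[i] = {j: (i in corrupt) if j in corrupt else check(views[j], i, s_i, tags[j])
                       for j in views if j != i}
    return robust_reconstruct(announced, verdicts, t, n), naive_reconstruct(announced, t)
```

With three corrupt players among seven, the unchecked interpolation of the first four shares returns the wrong value (the corruption shifts f(0) by the sum of three Lagrange coefficients), while the checked reconstruction discards the three mangled shares and recovers the secret from the four honest ones. The price is the 3(n−1) check elements per player, which is exactly the overhead the expander construction replaces by checks against O(1) neighbours.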
Notes
The work of Lewko and Pastro [44] can be seen as interpolating between these two models.
If the message space is \(\mathcal {M}\), then any secret sharing scheme must have shares of size at least \(\log |\mathcal {M}|\) to obtain privacy. When \(|\mathcal {M}| > n\), Shamir sharing achieves this bound. Since many RSS protocols (including ours) use Shamir sharing plus additional check information, we use the term “overhead” to denote the size of the check information. Thus the overhead of an RSS scheme is the share size (in bits) minus \(\log |\mathcal {M}|\).
A Maximum Distance Separable (MDS) code is an error correcting code that meets the Singleton bound, i.e., it has minimum distance d = n−k+1, where k is the dimension of the code and n is the block length.
In the work of Fitzi et al. the “committees” are not constructed from the nodes of an expander graph; instead every committee of size d is constructed, resulting in \(\binom{n}{d}\) committees of the n underlying players. Fitzi et al. are primarily concerned with perfectly secure message transmission, and so their construction requires two rounds of communication (a message from receiver to sender, and then a message from sender to receiver). By contrast, when viewed as a message transmission scheme, our construction has only one round, but has a negligible probability of failure.
References
Beimel, A: Secure schemes for secret sharing and key distribution. PhD thesis, Technion (1996)
Beimel, A: Secret-sharing schemes: a survey. In: Chee, Y, Guo, Z, Ling, S, Shao, F, Tang, Y, Wang, H, Xing, C (eds.) Coding and cryptology, volume 6639 of lecture notes in computer science, pp 11–46. Springer, Berlin (2011)
Benaloh, J, Leichter, J: Generalized secret sharing and monotone functions. In: Goldwasser, S (ed.) Advances in cryptology — CRYPTO’ 88, volume 403 of lecture notes in computer science, pp 27–35. Springer, New York (1988)
Bertilsson, M, Ingemarsson, I: A construction of practical secret sharing schemes using linear block codes. In: Seberry, J, Zheng, Y (eds.) Advances in cryptology — AUSCRYPT ’92, volume 718 of Lecture Notes in Computer Science, pp 67–79. Springer, Berlin (1993)
Bishop, A, Pastro, V, Rajaraman, R, Wichs, D: Essentially optimal robust secret sharing with maximal corruptions. In: Eurocrypt, pp. 58–86 (2016)
Blakley, GR: Safeguarding cryptographic keys. In: International workshop on managing requirements knowledge, volume 0, p. 313. IEEE Computer Society, Los Alamitos (1979)
Bracha, G: An O(log n) expected rounds randomized Byzantine generals protocol. J. ACM 34(4), 910–920 (1987)
Brickell, EF: Some ideal secret sharing schemes. In: Quisquater, J-J, Vandewalle, J (eds.) Advances in cryptology — EUROCRYPT ’89, volume 434 of Lecture Notes in Computer Science, chapter 45, pp 468–475. Springer, Berlin (1989)
Cabello, S, Padró, C, Sáez, G: Secret sharing schemes with detection of cheaters for a general access structure. In: Ciobanu, G, Păun, G (eds.) Fundamentals of Computation Theory, volume 1684, pp 185–194. Springer, Berlin (1999)
Cabello, S, Padró, C, Sáez, G: Secret sharing schemes with detection of cheaters for a general access structure. Des. Codes Crypt. 25(2), 175–188 (2002)
Carpentieri, M, De Santis, A, Vaccaro, U: Size of shares and probability of cheating in threshold schemes. In: EUROCRYPT ’93, volume 765, pp 118–125. Springer (1993)
Carter, JL, Wegman, MN: Universal classes of hash functions. J. Comput. Syst. Sci. 18(2), 143–154 (1979)
Çamtepe, SA, Yener, B, Yung, M: Expander Graph based Key Distribution Mechanisms in Wireless Sensor Networks. In: 2006 IEEE International Conference on Communications, volume 5, pp. 2262–2267 (2006)
Cevallos, A, Fehr, S, Ostrovsky, R, Rabani, Y: Unconditionally-Secure Robust Secret Sharing with Compact Shares. In: Pointcheval, D, Johansson, T (eds.) EUROCRYPT, vol. 7237, pp 195–208. Springer, Berlin (2012)
Chandran, N, Garay, J., Ostrovsky, R: Almost-Everywhere secure computation with edge corruptions. J. Cryptol. 1–24 (2013)
Chen, H, Cramer, R: Algebraic Geometric Secret Sharing Schemes and Secure Multi-Party Computations over Small Fields. In CRYPTO ’06, pp. 521–536 (2006)
Cheraghchi, M: Nearly Optimal Robust Secret Sharing. In: ISIT, pp. 2509–2513 (2016)
Cramer, R, Damgård, I, Döttling, N, Fehr, S, Spini, G: Linear secret sharing schemes from error correcting codes and universal hash functions. In: Oswald, E, Fischlin, M (eds.) Advances in Cryptology - EUROCRYPT 2015, volume 9057 of Lecture Notes in Computer Science, pp 313–336. Springer, Berlin (2015)
Cramer, R, Damgård, I, Fehr, S: On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase. In: Kilian, J (ed.) CRYPTO, volume 2139, pp 503–523. Springer, Berlin (2001)
Cramer, R, Dodis, Y, Fehr, S, Padró, C, Wichs, D: Detection of Algebraic Manipulation with Applications to Robust Secret Sharing and Fuzzy Extractors. In: Smart, NP (ed.) EUROCRYPT, volume 4965 of Lecture Notes in Computer Science, pp 471–488. Springer, Berlin (2008)
Cramer, R, Fehr, S: Optimal Black-Box Secret Sharing over Arbitrary Abelian Groups. In: Yung, M (ed.) Advances in Cryptology — CRYPTO 2002, volume 2442 of Lecture Notes in Computer Science, chapter 18 , pp 272–287. Springer, Berlin (2002)
Damgård, I, Ishai, Y: Scalable Secure Multiparty Computation. In: Dwork, C (ed.) Advances in Cryptology - CRYPTO 2006, volume 4117 of Lecture Notes in Computer Science, pp 501–520. Springer, Berlin (2006)
Damgård, I, Ishai, Y, Krøigaard, M: Perfectly Secure Multiparty Computation and the Computational Overhead of Cryptography. In: Gilbert, H (ed.) Advances in Cryptology – EUROCRYPT 2010, volume 6110 of Lecture Notes in Computer Science, pp 445–465. Springer, Berlin (2010)
Damgård, I, Ishai, Y, Krøigaard, M, Nielsen, JB, Smith, A: Scalable Multiparty Computation with Nearly Optimal Work and Resilience. In: Wagner, D (ed.) Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pp 241–261. Springer, Berlin (2008)
Damgård, I, Nielsen, JB: Scalable and Unconditionally Secure Multiparty Computation. In: Menezes, A (ed.) Advances in Cryptology - CRYPTO 2007, volume 4622 of Lecture Notes in Computer Science, pp 572–590. Springer, Berlin (2007)
den Boer, B: A simple and key-economical unconditional authentication scheme. J. Comput. Secur. 2(1), 65–71 (1993)
Dolev, D, Dwork, C, Waarts, O, Yung, M: Perfectly secure message transmission. J. ACM 40(1), 17–47 (1993)
Fitzi, M, Franklin, M, Garay, J, Vardhan, SH: Towards optimal and efficient perfectly secure message transmission. In: Vadhan, S (ed.) Theory of Cryptography, volume 4392 of Lecture Notes in Computer Science, pp 311–322. Springer, Berlin (2007)
Franklin, M, Yung, M: Communication complexity of secure computation (extended abstract). In: Proceedings of the Twenty-fourth Annual ACM Symposium on Theory of Computing, STOC ’92, pp 699–710. ACM, New York (1992)
Gál, A: Combinatorial Methods in Boolean Function Complexity. PhD thesis, University of Chicago (1995)
Garay, J, Givens, C, Ostrovsky, R: Secure message transmission with small public discussion. IEEE Trans. Inf. Theory 60(4), 2373–2390 (2014)
Garay, J., Ostrovsky, R: Almost-Everywhere Secure Computation. In: Smart, N (ed.) Advances in Cryptology – EUROCRYPT 2008, volume 4965 of Lecture Notes in Computer Science, pp 307–323. Springer, Berlin (2008)
Gennaro, R: Theory and Practice of Verifiable Secret Sharing. PhD thesis, MIT (1996)
Ghosh, SK: On Optimality of Key Pre-distribution Schemes for Distributed Sensor Networks. In: Security and Privacy in Ad-Hoc and Sensor Networks: Third European Workshop, ESAS 2006, Hamburg, Germany, September 20-21, 2006, Revised Selected Papers, pp. 121–135. Springer, Berlin (2006)
Gilbert, EN, MacWilliams, FJ, Sloane, NJA: Codes which detect deception. Bell Labs Technical J. 53(3), 405–424 (1974)
Hirt, M, Maurer, U: Player simulation and general adversary structures in perfect multiparty computation. J. Cryptol. 13(1), 31–60 (2000)
Hoory, S, Linial, N, Wigderson, A: Expander graphs and their applications. Bull. Am. Math. Soc. 43(4), 439–561 (2006)
Ishai, Y, Ostrovsky, R, Seyalioglu, H: Identifying cheaters without an honest majority. In: Cramer, R (ed.) Theory of Cryptography, volume 7194 of Lecture Notes in Computer Science, pp 21–38. Springer, Berlin (2012)
Jhanwar, MP, Safavi-Naini, R: Unconditionally-Secure Robust Secret Sharing with Minimum Share Size. In: Sadeghi, A-R (ed.) Financial Cryptography, vol. 7859, pp 96–110. Springer, Berlin (2013)
Johansson, T, Kabatianskii, G, Smeets, B: On the relation between A-codes and codes correcting independent errors. In: Workshop on the Theory and Application of Cryptographic Techniques, pp 1–11. Springer (1993)
Kendall, M, Martin, KM: On the Role of Expander Graphs in Key Predistribution Schemes for Wireless Sensor Networks. In: Research in Cryptology: 4th Western European Workshop, WEWoRC 2011, Weimar, Germany, July 20-22, 2011, Revised Selected Papers, pp. 62–82, Springer, Berlin (2012)
Kurosawa, K: General error decodable secret sharing scheme and its application. IEEE Trans. Inf. Theory 57(9), 6304–6309 (2011)
Kurosawa, K, Suzuki, K: Almost secure (1-round, n-channel) message transmission scheme. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. E92-A(1), 105–112 (2009)
Lewko, AB, Pastro, V: Robust secret sharing schemes against local adversaries. Cryptology ePrint Archive, Report 2014/909 (2014)
Martí-Farré, J, Padró, C: On Secret Sharing Schemes, Matroids and Polymatroids. In: Vadhan, SP (ed.) Theory of Cryptography, volume 4392 of Lecture Notes in Computer Science, pp 273–290. Springer, Berlin (2007)
Martin, KM, Paterson, MB, Stinson, DR: Error decodable secret sharing and one-round perfectly secure message transmission for general adversary structures. Cryptogr. Commun. 3(2), 65–86 (2011)
Murty, MR: Ramanujan graphs. J. Ramanujan Math. Soc. 18(1), 33–52 (2003)
Ogata, W, Kurosawa, K: Optimum Secret Sharing Scheme Secure against Cheating. In: Maurer, U (ed.) EUROCRYPT, vol. 1070, pp 200–211. Springer, Berlin (1996)
Ogata, W, Kurosawa, K, Stinson, DR, Saido, H: New combinatorial designs and their applications to authentication codes and secret sharing schemes. Discret. Math. 279(1-3), 383–405 (2004)
Puder, D: Expansion of random graphs: New proofs, new results. Invent. Math. 1–64 (2015)
Rabin, T, Ben-Or, M: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-first Annual ACM Symposium on Theory of Computing, STOC ’89, pp 73–85. ACM, New York (1989)
Safavi-Naini, R, Wang, P: A model for adversarial wiretap channels and its applications. J. Inf. Process. 23(5), 554–561 (2015)
Shamir, A: How to share a secret. Commun. ACM 22, 612–613 (1979)
Simmons, GJ: A survey of information authentication. Proc. IEEE 76(5), 603–620 (1988)
Taylor, R: An integrity check value algorithm for stream ciphers. In: Annual International Cryptology Conference, pp. 40–48. Springer (1993)
Tompa, M, Woll, H: How to share a secret with cheaters. J. Cryptol. 1(3), 133–138 (1989)
Van Dijk, M: Secret key sharing and secret key generation. PhD thesis, Eindhoven University of Technology (1997)
Acknowledgments
This work was supported in part by NSF grants 1513671, 1619348, 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award and by DARPA Safeware program. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
Additional information
This article is part of the Topical Collection on Recent Trends in Cryptography.
Appendices
Appendix A: Authentication schemes
A.1 Message authentication codes (MACs)
In this section, we recall the notion of unforgeability under chosen message attack for Message Authentication Codes. This is the standard notion of security for MACs. For our purposes, we need a much weaker notion of security (see Theorem 2). We include the standard definition for reference purposes only.
Definition 7
A Message Authentication Code (MAC) is a pair of deterministic algorithms \((\mathsf{MAC}, \mathsf{Ver})\)
and
such that
for all \(m \in \mathcal {M}\).
Security is defined through the following experiment.
Experiment \(\mathbf {exp}_{\mathsf {MAC}}^{\mathsf {uf-cma}}(\mathcal {A})\):
- \(\mathsf {k} \gets \mathcal {K}\)
- The adversary \(\mathcal {A}\) can make repeated queries to the oracles \(\mathsf{MAC}(\mathsf{k},\cdot)\) and \(\mathsf{Ver}(\mathsf{k},\cdot,\cdot)\).
- If \(\mathcal {A}\) makes a query \((\tau, m)\) to \(\mathsf{Ver}(\mathsf{k},\cdot,\cdot)\) such that
  - \(\mathsf{Ver}(\mathsf{k},\tau,m)=1\), and
  - the message m was never queried to the oracle \(\mathsf{MAC}(\mathsf{k},\cdot)\),
  then return 1; otherwise return 0.
The MAC is called secure (existentially unforgeable against a chosen message attack) if
for some negligible function \(\nu (\log |\mathcal {K}|)\).
A.2 Algebraic manipulation detection (AMD) codes
An algebraic manipulation detection (AMD) code is a means of encoding information so that tampering by an oblivious adversary, one who adds an offset to the codeword without seeing it, is detectable. AMD codes have been widely used, but were first formalized by Cramer et al. in [20].
Definition 8 (AMD Codes)
A pair of functions \((\mathsf{AMD}, \mathsf{Ver})\) is called an \((\mathcal {M},\mathcal {T},\delta )\)-algebraic manipulation detection (AMD) code if \(\mathsf{AMD}\) is a probabilistic map \(\mathsf {AMD}: \mathcal {M} \rightarrow \mathcal {T}\), \(\mathsf{Ver}\) is a deterministic map \(\mathsf {Ver} : \mathcal {T} \rightarrow \mathcal {M} \cup \{\bot \}\), \(\mathcal {T}\) is a group, and for all \(m \in \mathcal {M}\) and \({\Delta } \in \mathcal {T}\)
We briefly recall a simple construction of AMD Codes given in [20].
Theorem 4 (Theorem 2 in [20])
Let p be prime, d an integer such that \(p \nmid (d+2)\), and q a power of p. Then the probabilistic map
$$\mathsf{AMD}(s) = \left( s,\; x,\; x^{d+2} + \sum_{i=1}^{d} s_{i} x^{i} \right), \qquad x \gets \mathbb{F}_{q} \text{ uniformly at random},$$
with \(\mathsf{Ver}(s, x, f)\) returning s if \(f = x^{d+2} + \sum_{i=1}^{d} s_{i} x^{i}\) and \(\bot\) otherwise, is an \(\left ({\mathbb {F}_{q}^{d}, {\mathbb {F}_{q}^{d}} \times \mathbb {F}_{q} \times \mathbb {F}_{q}, \frac {d+1}{q} }\right )\)-AMD code.
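The construction of Theorem 4 over a small prime field, as an added example (my code, not from [20] or from the paper). The field size p = 101, the message length d = 3 (so p ∤ d+2 = 5), and the sample messages and offsets are constructed so that the detection probability can be checked exhaustively over every x. Because the adversary's Δ = (Δs, Δx, Δf) is chosen without seeing x, the number of x ∈ F_p for which Ver(AMD(s)+Δ) returns a message other than s is the number of roots of a nonzero polynomial of degree at most d+1, which is the (d+1)/q bound of the theorem.

```python
import secrets


def f_poly(s, x, p):
    """f(x, s) = x^(d+2) + sum_{i=1}^{d} s_i x^i over F_p, the polynomial of Theorem 4."""
    d = len(s)
    acc = pow(x, d + 2, p)
    for i, s_i in enumerate(s, start=1):
        acc = (acc + s_i * pow(x, i, p)) % p
    return acc


def amd_encode(s, p, x=None):
    """AMD(s) = (s, x, f(x, s)) with x uniform in F_p; x may be fixed for the exhaustive count below."""
    d = len(s)
    if (d + 2) % p == 0:
        raise ValueError("Theorem 4 requires p not dividing d+2")
    s = tuple(v % p for v in s)
    if x is None:
        x = secrets.randbelow(p)
    return (s, x % p, f_poly(s, x, p))


def amd_verify(codeword, p):
    """Ver: return the message if the tag is consistent with (s, x), else None (the symbol ⊥)."""
    s, x, tag = codeword
    return s if f_poly(s, x, p) == tag % p else None


def add_delta(codeword, delta, p):
    """The algebraic manipulation: componentwise addition of Δ in the group F_p^d x F_p x F_p."""
    s, x, tag = codeword
    ds, dx, df = delta
    return (tuple((a + b) % p for a, b in zip(s, ds)), (x + dx) % p, (tag + df) % p)


def undetected_count(s, delta, p):
    """Number of x in F_p for which Ver(AMD(s) + Δ) is neither s nor ⊥, i.e. an undetected
    manipulation. Dividing by p gives the exact failure probability for this Δ; Theorem 4
    guarantees the count is at most d+1 for every nonzero Δ."""
    s = tuple(v % p for v in s)
    bad = 0
    for x in range(p):
        out = amd_verify(add_delta(amd_encode(s, p, x), delta, p), p)
        if out is not None and out != s:
            bad += 1
    return bad


def worst_case_over_samples(s, p, samples):
    """Largest undetected count over `samples` random nonzero offsets Δ (a spot check of the bound)."""
    rng = secrets.SystemRandom()
    d = len(s)
    worst = 0
    for _ in range(samples):
        delta = (tuple(rng.randrange(p) for _ in range(d)), rng.randrange(p), rng.randrange(p))
        if not any(delta[0]) and delta[1] == 0 and delta[2] == 0:
            continue  # Δ = 0 is not a manipulation
        worst = max(worst, undetected_count(s, delta, p))
    return worst


if __name__ == "__main__":
    p, s = 101, (5, 17, 42)  # constructed sample parameters
    print("roundtrip:", amd_verify(amd_encode(s, p), p) == s)
    print("Δs=(1,0,0):", undetected_count(s, ((1, 0, 0), 0, 0), p), "of", p, "x values undetected")
    print("worst of 200 random Δ:", worst_case_over_samples(s, p, 200), "<= d+1 =", len(s) + 1)
```

The three kinds of offset behave differently: a tag-only offset (Δs = 0, Δx = 0, Δf ≠ 0) is always caught; an offset that changes only x returns the original s and so is harmless by definition; an offset that changes s survives exactly at the roots of f(x+Δx, s+Δs) − f(x, s) − Δf, a polynomial of degree at most d+1 whose leading coefficient (d+2)Δx is nonzero precisely because p ∤ (d+2).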
Appendix B: Calculating share size in existing schemes
There are three parameters of interest when calculating the size of shares:
- δ: the probability of reconstruction failure
- n: the number of participants
- m: the bit length of the message
We will use these parameters to express the share size s.
Ignoring robustness, to ensure correctness we need s ≥ m. Using Shamir sharing also introduces the requirement s ≥ log n, since the field must have more than n elements.
- [51] In this scheme, the secret \(s \in \mathbb {F}\) is shared using Shamir sharing, resulting in shares \(s_1, \ldots, s_n\). Then random \(b_{ij} \neq 0\) and \(y_{ij}\) are created and \(c_{ij} = s_i + b_{ij} y_{ij} \bmod p\), where \(p \ge |\mathbb {F}|\). Player i receives the share \((s_i, \{y_{ij}\}_j, \{b_{ji}, c_{ji}\}_j)\). These shares are of size \(\log |\mathbb {F}| + 3n \log p\). The probability that an honest player i catches player j cheating is \(1 - p^{-1}\), so by a union bound the probability that every cheater is caught by every honest player is at least \(1 - t(n-t)/p\). Thus the cheating probability is at most \(t(n-t)/p \le n^2/p\), so we choose \(p = \frac{n^2}{\delta}\), which results in share size
$$\mathsf{s} = m + 3n \log \frac{n^{2}}{\delta} $$
- [14] This scheme is very similar to [51], except that the MAC used to authenticate shares is weaker and the reconstruction algorithm is more complex. The secret s is Shamir shared into \(\{s_i\}\), and the shares are authenticated as \(\tau_{ij} = \mathsf{MAC}(k_{ij}, s_i)\). Player i receives \((s_i, \{k_{ji}\}_j, \{\tau_{ij}\}_j)\). If \(\mathsf{MAC}\) has security \(\delta'\), the security of the overall scheme is \(\left(e(t+1)\delta'\right)^{(t+1)/2}\). Standard MACs achieve security \(m \cdot 2^{-\kappa}\) on messages of length m with tags of length κ and keys of length 2κ. Setting \(\kappa = \log (t+1) + \log m + \frac {2}{t+1} \log \frac {1}{\delta } + \log e\) yields a scheme with security δ, and the resulting share size is
$$\mathsf{s} = \max\left( { m + 12 \log \frac{1}{\delta} + 3n \left(\log(t+1) + \log m + 3 \right), \log n}\right) $$
- [9, 10] A secret \(s \in \mathbb {F}\) is encoded as \((s, r, r \cdot s) \in \mathbb {F}^{3}\) for a random r and then shared using a t+1 out-of-n Shamir sharing scheme. Given a set of t+1 shares, the probability that the adversary can cause them to decode to a consistent triple \((s', r', r' \cdot s')\) with \(s' \neq s\) is \(1/|\mathbb {F}|\). Taking a union bound over all subsets of size t+1 gives an error probability of \(\binom{n}{t+1} |\mathbb {F}|^{-1}\). Thus we need \(|\mathbb {F}| \ge \binom{n}{t+1} \delta ^{-1}\). This yields
$$\mathsf{s} \ge 3 \max \left( { m, \log \left( \binom{n}{t+1} \delta^{-1} \right), \log n }\right) $$
- [20] A secret s is encoded as \(\mathsf{AMD}(s)\) and then shared using a t+1 out-of-n Shamir sharing scheme. The AMD code proposed in that paper maps \(s \in \mathbb {F}^{\ell}\) to \((s, x, f(x, s))\) with \(f(x, s) = x^{\ell +2} + {\sum }_{i=1}^{\ell } s_{i} x^{i}\) for a random \(x \in \mathbb {F}\), and has detection probability \((\ell +1)/|\mathbb {F}|\). Since reconstruction requires testing all subsets of t+1 shares, we union bound over \(\binom{n}{t+1}\) subsets, so the error probability is at most \(\binom{n}{t+1} (\ell +1) |\mathbb {F}|^{-1}\). Thus we need \(|\mathbb {F}| \ge (\ell +1) \binom{n}{t+1} \delta ^{-1}\), but the extra parameter ℓ gives us flexibility. Since the message space is now \(\mathbb {F}^{\ell }\) and the encoding consists of ℓ+2 field elements, the resulting shares are of size
$$\mathsf{s} \ge \max\left( { (\ell+2) \log\left( \binom{n}{t+1} (\ell+1) \delta^{-1} \right), \frac{\ell+2}{\ell} m, \log n }\right) $$
When m is very large, the parameter ℓ can be used to balance the first and second terms in the expression.
- [39] A secret \(s \in \mathbb {F}\) is shared using a t+1 out-of-t+1 Shamir sharing scheme. The resulting vector in \(\mathbb {F}^{t+1}\) is then encoded using an MDS code of dimension t+1 and length n, and each player receives one symbol of the resulting codeword, so the shares are of size \(\log |\mathbb {F}|\). As in the previous schemes, the probability of error is \(\binom{n}{t+1} |\mathbb {F}|^{-1}\), giving
$$\mathsf{s} \ge \max\left( { m, \log \left( \binom{n}{t+1} \delta^{-1} \right), \log n }\right) $$
(but this scheme works only when n ≥ 2t+2 instead of n ≥ 2t+1).
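The share-size expressions of this appendix evaluated side by side, as an added worked example (my code, not from the paper). It implements the five formulas above in bits, rounded up, and searches ℓ for the AMD-based scheme; the parameter set n = 103, t = 50, m = 256, δ = 2^−40 is constructed for illustration (n ≥ 2t+2 so that the scheme of [39] applies). The paper's own scheme is not included because the abstract gives its overhead only as O(κ + log n) without constants.

```python
import math

# Share sizes in bits from the expressions in Appendix B, rounded up to whole bits.


def log2_binom(n, k):
    """log2 of the binomial coefficient C(n, k), exact via Python's big integers."""
    return math.log2(math.comb(n, k))


def size_rabin_ben_or(n, t, m, delta):
    """[51]: s = m + 3n log(n^2 / delta)."""
    return math.ceil(m + 3 * n * math.log2(n * n / delta))


def size_cevallos(n, t, m, delta):
    """[14]: s = max(m + 12 log(1/delta) + 3n (log(t+1) + log m + 3), log n)."""
    body = m + 12 * math.log2(1 / delta) + 3 * n * (math.log2(t + 1) + math.log2(m) + 3)
    return math.ceil(max(body, math.log2(n)))


def size_cabello(n, t, m, delta):
    """[9, 10]: s >= 3 max(m, log(C(n, t+1) / delta), log n)."""
    return math.ceil(3 * max(m, log2_binom(n, t + 1) + math.log2(1 / delta), math.log2(n)))


def size_amd(n, t, m, delta, ell):
    """[20] with AMD message length ell:
    s >= max((ell+2) log(C(n, t+1) (ell+1) / delta), (ell+2)/ell * m, log n)."""
    first = (ell + 2) * (log2_binom(n, t + 1) + math.log2(ell + 1) + math.log2(1 / delta))
    return math.ceil(max(first, (ell + 2) / ell * m, math.log2(n)))


def best_amd(n, t, m, delta, max_ell=256):
    """Balance the two leading terms of size_amd over ell; returns (bits, ell)."""
    return min((size_amd(n, t, m, delta, ell), ell) for ell in range(1, max_ell + 1))


def size_jhanwar(n, t, m, delta):
    """[39]: s >= max(m, log(C(n, t+1) / delta), log n); only defined for n >= 2t+2."""
    if n < 2 * t + 2:
        raise ValueError("the scheme of [39] requires n >= 2t+2")
    return math.ceil(max(m, log2_binom(n, t + 1) + math.log2(1 / delta), math.log2(n)))


def compare(n, t, m, delta):
    """Share size and overhead (share size minus the m-bit privacy lower bound) per scheme."""
    sizes = {
        "Rabin-Ben-Or [51]": size_rabin_ben_or(n, t, m, delta),
        "Cevallos et al. [14]": size_cevallos(n, t, m, delta),
        "Cabello et al. [9,10]": size_cabello(n, t, m, delta),
        "AMD + Shamir [20]": best_amd(n, t, m, delta)[0],
    }
    if n >= 2 * t + 2:
        sizes["Jhanwar-Safavi-Naini [39]"] = size_jhanwar(n, t, m, delta)
    return {name: (bits, bits - m) for name, bits in sizes.items()}


if __name__ == "__main__":
    for name, (bits, overhead) in compare(103, 50, 256, 2.0 ** -40).items():
        print(f"{name:28s} share = {bits:6d} bits, overhead = {overhead:6d} bits")
```

For this parameter set the MAC-per-pair schemes [51] and [14] pay several thousand bits of overhead per share (the 3n factor), whereas the schemes that rely on exhaustive search over t+1-subsets at reconstruction time ([9, 10], [20], [39]) have share sizes within a small constant of m but need reconstruction time proportional to \(\binom{n}{t+1}\); the ℓ search shows why [20] can approach the [39] size only as m grows.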
Cite this article
Hemenway, B., Ostrovsky, R. Efficient robust secret sharing from expander graphs. Cryptogr. Commun. 10, 79–99 (2018). https://doi.org/10.1007/s12095-017-0215-z