Efficient robust secret sharing from expander graphs

Abstract

Threshold secret sharing allows a dealer to share a secret among n players so that any coalition of t players learns nothing about the secret, but any t+1 players can reconstruct the secret in its entirety. Robust secret sharing (RSS) provides the additional guarantee that even if t malicious players mangle their shares, they cannot cause the honest players to reconstruct an incorrect secret. In this work, we construct a simple RSS protocol for \(t = \left ({ \frac {1}{2} - \epsilon }\right )n\) that achieves logarithmic overhead in terms of share size and simultaneously allows efficient reconstruction. Our shares size increases by an additive term of \(\mathcal {O}(\kappa + \log n)\), and reconstruction succeeds except with probability at most 2^−κ. Previous efficient RSS protocols like that of Rabin and Ben-Or (STOC ’89) and Cevallos et al. (Eurocrypt ’12) use MACs to allow each player to check the shares of each other player in the protocol. These checks provide robustness, but require significant overhead in share size. Our construction identifies the n players as nodes in an expander graph, each player only checks its neighbors in the expander graph.

Appendices

Appendix A: Authentication schemes

1.1 A.1 Message authentication codes (MACs)

In this section, we recall the notion unforgeability under chosen message attack for Message Authentication Codes. This is the standard notion of security for MACs. For our purposes, we need a much weaker notion of security (see Theorem 2). We include the standard definition for reference purposes only.

Definition 7

A Message Authentication Code (MAC) is a pair of deterministic algorithms (M A C,V e r)

$$\begin{array}{@{}rcl@{}} \mathsf{MAC} : \mathcal{K} \times \mathcal{M} &\rightarrow \mathcal{T} \\ (\mathsf{k},m) &\mapsto \tau \end{array} $$

and

$$\begin{array}{@{}rcl@{}} \mathsf{Ver} : \mathcal{K} \times \mathcal{T} \times \mathcal{M} &\rightarrow \{0,1\} \\ \end{array} $$

such that

$$\mathsf{Ver}(\mathsf{k}, \mathsf{MAC}(\mathsf{k},m), m ) = 1 $$

for all \(m \in \mathcal {M}\).

Security is defined through the following experiment

Experiment \(\mathbf {exp}_{\mathsf {MAC}}^{\mathsf {uf-cma}}(\mathcal {A})\)

• \(\mathsf {k} \gets \mathcal {K}\)

• The adversary, \(\mathcal {A}\) can make repeated queries to the oracles M A C(k,⋅) and V e r(k,⋅,⋅).

• If \(\mathcal {A}\) makes a query τ,m to M A C v e r(k,⋅,⋅) such that

  • M A C v e r(k,τ,m)=1

  • The message, m, was never made as a query to the oracle M A C(k,⋅).

  then return 1, otherwise, return 0

The MAC is called secure (existentially unforgeable against a chosen message attack) if

$$\Pr \left[ \mathbf{exp}_{\mathsf{MAC}}^{\mathsf{uf-cma}} = 1 \right] < \nu $$

for some negligible function \(\nu (\log |\mathcal {K}|)\).

1.2 A.2 Algebraic manipulation detection (AMD) codes

An Algebraic manipulation detection (AMD) code is means of encoding information so that tampering by an oblivious adversary is detectable. AMD have been widely used, but were first formalized by Cramer et al. in [20].

Definition 8 (AMD Codes)

A pair of functions (A M D,V e r) is called a \((\mathcal {M},\mathcal {T},\delta )\)-algebraic manipulation detection (AMD) code if A M D is a probabilistic map \(\mathsf {AMD}: \mathcal {M} \rightarrow \mathcal {T}\), and V e r is a deterministic map \(\mathsf {Ver} : \mathcal {T} \rightarrow \mathcal {M} \cup \{\bot \}\) such that for \(\mathcal {T}\) is a group and for all \(m \in \mathcal {M}\) and \({\Delta } \in \mathcal {T}\)

$$\Pr \left[ \mathsf{Ver}(\mathsf{AMD}(m ) + {\Delta} ) \not \in \{ m, \bot \} \right] < \delta $$

We briefly recall a simple construction of AMD Codes given in [20].

Theorem 4 (Theorem 2 in 20)

Let p be prime, d an integer such that p∤d+2 and q a power of p. Then

$$\mathsf{AMD}(m ) = \left( m, x, x^{d+2} + \sum\limits_{i=1}^{d} s_{i} x^{i} \right) $$

is an \(\left ({\mathbb {F}_{q}^{d}, {\mathbb {F}_{q}^{d}} \times \mathbb {F}_{q} \times \mathbb {F}_{q}, \frac {d+1}{q} }\right )\) -AMD code.

Appendix B: Calculating share size in existing schemes

There are three parameters of interest when calculating the size of shares

δ :

The probability of reconstruction failure

n :

The number of participants

m :

The bit length of the message

We will be using these parameters to define the share size s.

Ignoring robustness, to ensure correctness we need s≥m. Using Shamir sharing also introduces the requirement s≥ log(n).

• [51] In this scheme, the secret \(s \in \mathbb {F}\) is shared using Shamir sharing resulting in shares s ₁,…,s _n . Then random, b _{i j} ≠0 and y _{i j} are created and c _{i j} = s _i + b _{i j} y _{i j} mod p where \(p \ge |\mathbb {F}|\). Then player i receives the shares (s _i ,{y _{i j} } _j ,{b _{j i} ,c _{j i} } _j ). These shares are of size \(\log |\mathbb {F}| + 3n \log p\). The probability that player i catches player j cheating is 1−p ⁻¹, thus the probability that all cheaters are caught by all honest players is at least 1−t(n−t)/p. Thus the cheating probability is bounded by t(n−t)/p≈n ²/p. So we need to choose \(p = \frac {n^{2}}{\delta }\), which results in share size

  $$\mathsf{s} = m + 3n \log \frac{n^{2}}{\delta} $$

• [14] This scheme is very similar to [51], except the MAC used to authenticate shares is weaker, and the reconstruction algorithm is more complex. In particular, the secret, s is Shamir shared into {s _i }, and the shares are signed τ _{i j} =M A C(k _{i j} ,s _i ). Player i then receives (s _i ,{k _{j i} } _j ,{τ _{i j} } _j ). If M A C has security δ ^′, then the security of the overall scheme is e((t+1)δ ^′)^(t+1)/2. Standard MACs can achieve security 2^−κ m with tags of length λ and keys of length 2λ, and messages of length m. Setting \(\kappa = \log (t+1) + \log m + \frac {2}{t+1} (\log \frac {1}{\delta }) + \log e\) yields a scheme with security δ and the resulting share size is

  $$\mathsf{s} = \max\left( { m + 12 \log \frac{1}{\delta} + 3n (\log(t+1) + \log m + 3 ), \log n}\right) $$

• [9, 10] A secret, \(s \in \mathbb {F}\) is encoded as \((s,r,r \cdot s) \in \mathbb {F}^{3}\), and then shared using a t+1 out-of-n Shamir sharing scheme. Given a set of t+1 shares, the probability that the adversary can cause this to decode to (s ^′,r ^′ r ^′⋅s ^′) is \(1/|\mathbb {F}|\). Taking a union bound over all subsets of size t+1 gives an error probability of \(\{0,1\}om{n}{t+1} |\mathbb {F}|^{-1}\). Thus we need \(|\mathbb {F}| \ge \{0,1\}om{n}{t+1} \delta ^{-1}\). This yields

  $$\mathsf{s} \ge 3 \max \left( { m, \log \left( { \{0,1\}om{n}{t+1} \delta^{-1}, n}\right) }\right) $$

• [20] A secret, \(s \in \mathbb {F}\) is encoded as A M D(s), and then shared using a t+1 out-of-n Shamir sharing scheme. Using the AMD codes proposed in that paper, \(\mathsf {AMD}(s) = x^{\ell +2} + {\sum }_{i=1}^{\ell } s_{i} x^{i}\) for (\(s \in \mathbb {F}^{d}\) and \(x \in \mathbb {F}\)) yields a code with detection probability \((\ell +1)/|\mathbb {F}|\). Since reconstruction requires testing all subsets of t+1 shares, we have to union bound over {0,1}o m n t+1 subsets, so the error probability is at most \(\{0,1\}om{n}{t+1} (\ell +1) |\mathbb {F}|^{-1}\). Thus we need \(|\mathbb {F}| \ge (\ell +1) \{0,1\}om{n}{t+1} \delta ^{-1}\), but this extra parameter, ℓ, gives us flexibility. Since the message space is now \(\mathbb {F}^{\ell }\), the resulting shares are of size

  $$\mathsf{s} \ge \max\left( { (\ell+2) \log\left( { \{0,1\}om{n}{t+1} (\ell+1) \delta^{-1}}\right), \frac{\ell+2}{\ell} m, \log(n)}\right) $$

  When m is very large, we can use the parameter ℓ to balance the first and second terms in the expression.

• [39] A secret, \(s \in \mathbb {F}\) is shared using a t+1 out-of- t+1 Shamir sharing scheme. Then this vector in \(\mathbb {F}^{t+1}\) is encoded using a (t+1,n) MDS code, and each player receives one symbol of the resulting codeword, thus the shares are of size \(\mathbb {F}\). Like the previous schemes, the probability of error is \(\{0,1\}om{n}{t+1} |\mathbb {F}|^{-1}\).

  $$\mathsf{s} \ge \max\left( { m, \log \left( { \{0,1\}om{n}{t+1} \delta^{-1}, n}\right) }\right) $$

  (but this scheme works only when n≥2t+2 instead of n≥2t+1)