Journal of Cryptology, Volume 30, Issue 2, pp 444–469

# Secret-Sharing for NP

• Ilan Komargodski
• Moni Naor
• Eylon Yogev

## Abstract

A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function. It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in $${\mathsf {P}}$$). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in $${\mathsf {NP}}$$: in order to reconstruct the secret a set of parties must be “qualified” and provide a witness attesting to this fact. Recently, Garg et al. (Symposium on theory of computing conference, STOC, pp 467–476, 2013) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement $$x\in L$$ for a language $$L\in {\mathsf {NP}}$$ such that anyone holding a witness to the statement can decrypt the message; however, if $$x\notin L$$, then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction. One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for any monotone function in $${\mathsf {NP}}$$ assuming witness encryption for $${\mathsf {NP}}$$ and one-way functions. 
As a consequence we get a completeness theorem for secret-sharing: a computational secret-sharing scheme for any single monotone $${\mathsf {NP}}$$-complete function implies a computational secret-sharing scheme for every monotone function in $${\mathsf {NP}}$$.
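To make the notion of an access structure "defined by a monotone Boolean function" concrete, here is an added example (not code from the paper) of information-theoretic sharing along a monotone AND/OR formula, in the style of the formula-based scheme of Benaloh and Leichter (reference 7). It is not the paper's witness-encryption construction for $${\mathsf {NP}}$$; the formula, party names and helper names are assumptions made for illustration.

```python
import secrets
from functools import reduce

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Formula nodes: ("leaf", party), ("and", [children]), ("or", [children]).
# Constructed access structure: (alice AND bob) OR (bob AND carol AND dave).
FORMULA = ("or", [("and", [("leaf", "alice"), ("leaf", "bob")]),
                  ("and", [("leaf", "bob"), ("leaf", "carol"), ("leaf", "dave")])])

def share(node, secret, path=(), out=None):
    """Deal `secret` down the formula; returns {party: {leaf_path: piece}}."""
    out = {} if out is None else out
    kind, arg = node
    if kind == "leaf":
        out.setdefault(arg, {})[path] = secret
    elif kind == "or":   # one satisfied child suffices: every child gets the value
        for i, child in enumerate(arg):
            share(child, secret, path + (i,), out)
    else:                # "and": all children needed: XOR-split with fresh randomness
        pieces = [secrets.token_bytes(len(secret)) for _ in arg[1:]]
        pieces.insert(0, reduce(xor, pieces, secret))
        for i, (child, piece) in enumerate(zip(arg, pieces)):
            share(child, piece, path + (i,), out)
    return out

def reconstruct(node, shares, path=()):
    """Value at `node` if the parties present in `shares` satisfy it, else None."""
    kind, arg = node
    if kind == "leaf":
        return shares.get(arg, {}).get(path)
    vals = [reconstruct(c, shares, path + (i,)) for i, c in enumerate(arg)]
    if kind == "or":
        return next((v for v in vals if v is not None), None)
    return None if any(v is None for v in vals) else reduce(xor, vals)

def subset(shares, parties):
    """Pool only the shares held by the named parties."""
    return {p: shares[p] for p in parties}
```

An unqualified set holds only an incomplete set of XOR pieces for every AND gate on its paths, which are jointly uniform and independent of the secret; share size grows with the number of leaves a party appears in, which is why this approach stays within functions that have small monotone formulas.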

## Keywords

Secret-sharing, Witness encryption, Obfuscation

## Notes

### Acknowledgments

We are grateful to Amit Sahai for suggesting to base our construction on witness encryption. We thank Zvika Brakerski for many helpful discussions and insightful ideas. The second author thanks Steven Rudich for sharing with him his ideas on secret-sharing beyond $${\mathsf {P}}$$. We thank the anonymous referees for many helpful remarks.

## References

1. N. Alon, J. Spencer, The Probabilistic Method (3rd ed.) (Wiley, 2008)
2. A. Beimel, Secret-sharing schemes: a survey, in 3rd International Workshop, IWCC (2011), pp. 11–46
3. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in CRYPTO. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 1–18
4. B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs. J. ACM 59(2), 6 (2012). Preliminary version appeared in CRYPTO 2001
5. B. Barak, S. Garg, Y. T. Kalai, O. Paneth, A. Sahai, Protecting obfuscation against algebraic attacks, in 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EUROCRYPT (2014), pp. 221–238
6. A. Beimel, Y. Ishai, On the power of nonlinear secret-sharing. SIAM J. Discrete Math. 19(1), 258–280 (2005)
7. J. C. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in 8th Annual International Cryptology Conference, CRYPTO (1988), pp. 27–35
8. G. R. Blakley, Safeguarding cryptographic keys. Proc. AFIPS Natl. Comput. Conf. 22, 313–317 (1979)
9. M. Bellare, P. Rogaway, Robust computational secret sharing and a unified account of classical secret-sharing goals, in ACM Conference on Computer and Communications Security (ACM, 2007), pp. 172–184
10. Z. Brakerski, G. N. Rothblum, Black-box obfuscation for $$d$$-CNFs, in Innovations in Theoretical Computer Science, ITCS (2014), pp. 235–250
11. Z. Brakerski, G. N. Rothblum, Virtual black-box obfuscation for all circuits via generic graded encoding, in 11th Theory of Cryptography Conference, TCC (2014), pp. 1–25
12. D. Boneh, M. Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 480–499
13. C. Dwork, M. Naor, O. Reingold, L. J. Stockmeyer, Magic functions. J. ACM 50(6), 852–921 (2003)
14. S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS (2013), pp. 40–49
15. S. Garg, C. Gentry, A. Sahai, B. Waters, Witness encryption and its applications, in Symposium on Theory of Computing Conference, STOC (2013), pp. 467–476
16. C. Gentry, A. B. Lewko, A. Sahai, B. Waters, Indistinguishability obfuscation from the multilinear subgroup elimination assumption. IACR Cryptol. ePrint Arch. 2014, 309 (2014)
17. C. Gentry, A. B. Lewko, B. Waters, Witness encryption from instance independent assumptions, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 426–443
18. S. Goldwasser, S. Micali, Probabilistic encryption. J. Comput. Syst. Sci. 28(2), 270–299 (1984)
19. M. Grigni, M. Sipser, Monotone complexity, in LMS Workshop on Boolean Function Complexity (1992), pp. 57–75
20. J. Håstad, R. Impagliazzo, L. A. Levin, M. Luby, A pseudorandom generator from any one-way function. SIAM J. Comput. 28(4), 1364–1396 (1999)
21. R. Impagliazzo, A personal view of average-case complexity, in 10th Annual Structure in Complexity Theory Conference (1995), pp. 134–147
22. M. Ito, A. Saito, T. Nishizeki, Multiple assignment scheme for sharing secret. J. Cryptol. 6(1), 15–20 (1993)
23. I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in 55th IEEE Annual Symposium on Foundations of Computer Science, FOCS (2014), pp. 374–383
24. H. Krawczyk, Secret sharing made short, in 13th Annual International Cryptology Conference, CRYPTO (1993), pp. 136–146
25. M. Karchmer, A. Wigderson, On span programs, in 8th Annual Structure in Complexity Theory Conference (1993), pp. 102–111
26. I. Komargodski, M. Zhandry, Cutting-edge cryptography through the lens of secret sharing. IACR Cryptol. ePrint Arch. 2015, 735 (2015). To appear in TCC 2016-A
27. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2), 151–158 (1991)
28. M. Naor, On cryptographic assumptions and challenges, in 23rd Annual International Cryptology Conference, CRYPTO (2003), pp. 96–109
29. M. Naor, Secret sharing for access structures beyond $${\sf P}$$ (2006). Slides: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/minicrypt.html
30. R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation from semantically-secure multilinear encodings, in 34th Annual Cryptology Conference, CRYPTO (2014), pp. 500–517
31. A. A. Razborov, Lower bounds for the monotone complexity of some Boolean functions. Dokl. Ak. Nauk. SSSR 281, 798–801 (1985). English translation in: Soviet Math. Dokl. 31, 354–357 (1985)
32. A. Shamir, How to share a secret. Commun. ACM 22(11), 612–613 (1979)
33. A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in Symposium on Theory of Computing, STOC (2014), pp. 475–484
34. V. Vinod, A. Narayanan, K. Srinathan, C. P. Rangan, K. Kim, On the power of computational secret sharing, in 4th International Conference on Cryptology in India, INDOCRYPT (2003), pp. 162–176