## Abstract

A computational secret-sharing scheme is a method that enables a dealer, that has a secret, to distribute this secret among a set of parties such that a “qualified” subset of parties can efficiently reconstruct the secret while any “unqualified” subset of parties cannot efficiently learn anything about the secret. The collection of “qualified” subsets is defined by a monotone Boolean function. It has been a major open problem to understand which (monotone) functions can be realized by a computational secret-sharing scheme. Yao suggested a method for secret-sharing for any function that has a polynomial-size monotone circuit (a class which is strictly smaller than the class of monotone functions in \({\mathsf {P}}\)). Around 1990 Rudich raised the possibility of obtaining secret-sharing for all monotone functions in \({\mathsf {NP}}\): in order to reconstruct the secret a set of parties must be “qualified” and provide a witness attesting to this fact. Recently, Garg et al. (Symposium on theory of computing conference, STOC, pp 467–476, 2013) put forward the concept of witness encryption, where the goal is to encrypt a message relative to a statement \(x\in L\) for a language \(L\in {\mathsf {NP}}\) such that anyone holding a witness to the statement can decrypt the message; however, if \(x\notin L\), then it is computationally hard to decrypt. Garg et al. showed how to construct several cryptographic primitives from witness encryption and gave a candidate construction. One can show that computational secret-sharing implies witness encryption for the same language. Our main result is the converse: we give a construction of a computational secret-sharing scheme for *any* monotone function in \({\mathsf {NP}}\) assuming witness encryption for \({\mathsf {NP}}\) and one-way functions. As a consequence we get a completeness theorem for secret-sharing: computational secret-sharing scheme for any *single* monotone \({\mathsf {NP}}\)-complete function implies a computational secret-sharing scheme for *every* monotone function in \({\mathsf {NP}}\).

## Keywords

Secret-sharing Witness encryption Obfuscation## Notes

### Acknowledgments

We are grateful to Amit Sahai for suggesting to base our construction on witness encryption. We thank Zvika Brakerski for many helpful discussions and insightful ideas. The second author thanks Steven Rudich for sharing with him his ideas on secret-sharing beyond \({\mathsf {P}}\). We thank the anonymous referees for many helpful remarks.

## References

- 1.N. Alon, J. Spencer,
*The Probabilistic Method (3rd ed.)*(Wiley, 2008)Google Scholar - 2.A. Beimel, Secret-sharing schemes: a survey, in
*3rd International Workshop, IWCC*(2011), pp. 11–46Google Scholar - 3.B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs, in
*CRYPTO*. Lecture Notes in Computer Science, vol. 2139 (Springer, 2001), pp. 1–18Google Scholar - 4.B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. P. Vadhan, K. Yang, On the (im)possibility of obfuscating programs.
*J. ACM***59**(2), 6 (2012). Preliminary version appeared in CRYPTO 2001Google Scholar - 5.B. Barak, S. Garg, Y. T. Kalai, O. Paneth, A. Sahai, Protecting obfuscation against algebraic attacks, in
*33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, EYROCRYPTO*(2014), pp. 221–238Google Scholar - 6.A. Beimel, Y. Ishai, On the power of nonlinear secrect-sharing.
*SIAM J. Discrete Math.***19**(1), 258–280 (2005)Google Scholar - 7.J. C. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in
*8th Annual International Cryptology Conference, CRYPTO*(1988), pp. 27–35Google Scholar - 8.G. R. Blakley, Safeguarding cryptographic keys.
*Proc. AFIPS Natl. Comput. Conf.***22**, 313–317 (1979)Google Scholar - 9.M. Bellare, P. Rogaway, Robust computational secret sharing and a unified account of classical secret-sharing goals, in
*ACM Conference on Computer and Communications Security*(ACM, 2007), pp. 172–184Google Scholar - 10.Z. Brakerski, G. N. Rothblum, Black-box obfuscation for \(d\)-CNFs, in
*Innovations in Theoretical Computer Science, ITCS*(2014), pp. 235–250Google Scholar - 11.Z. Brakerski, G. N. Rothblum, Virtual black-box obfuscation for all circuits via generic graded encoding, in
*11th Theory of Cryptography Conference, TCC*(2014), pp. 1–25Google Scholar - 12.D. Boneh, M. Zhandry, Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation, in
*34th Annual Cryptology Conference, CRYPTO*(2014), pp. 480–499Google Scholar - 13.C. Dwork, M. Naor, O. Reingold, L. J. Stockmeyer, Magic functions.
*J. ACM***50**(6), 852–921 (2003)Google Scholar - 14.S. Garg, C. Gentry, S. Halevi, M. Raykova, A. Sahai, B. Waters, Candidate indistinguishability obfuscation and functional encryption for all circuits, in
*54th Annual IEEE Symposium on Foundations of Computer Science, FOCS*(2013), pp. 40–49Google Scholar - 15.S. Garg, C. Gentry, A. Sahai, B. Waters, Witness encryption and its applications, in
*Symposium on Theory of Computing Conference, STOC*(2013), pp. 467–476Google Scholar - 16.C. Gentry, A. B. Lewko, A. Sahai, B. Waters, Indistinguishability obfuscation from the multilinear subgroup elimination assumption.
*IACR Cryptol. ePrint Arch.***2014**, 309 (2014)Google Scholar - 17.C. Gentry, A. B. Lewko, B. Waters, Witness encryption from instance independent assumptions, in
*34th Annual Cryptology Conference, CRYPTO*(2014), pp. 426–443Google Scholar - 18.S. Goldwasser, S. Micali, Probabilistic encryption.
*J. Comput. Syst. Sci.***28**(2), 270–299 (1984)Google Scholar - 19.M. Grigni, M. Sipser, Monotone complexity, in
*LMS Workshop on Boolean Function Complexity*(1992), pp. 57–75Google Scholar - 20.J. Håstad, R. Impagliazzo, L. A. Levin, M. Luby, A pseudorandom generator from any one-way function.
*SIAM J. Comput.***28**(4), 1364–1396 (1999)Google Scholar - 21.R. Impagliazzo, A personal view of average-case complexity, in
*10th Annual Structure in Complexity Theory Conference*(1995), pp. 134–147Google Scholar - 22.M. Ito, A. Saito, T. Nishizeki, Multiple assignment scheme for sharing secret.
*J. Cryptol.***6**(1), 15–20 (1993)Google Scholar - 23.I. Komargodski, T. Moran, M. Naor, R. Pass, A. Rosen, E. Yogev, One-way functions and (im)perfect obfuscation, in
*55th IEEE Annual Symposium on Foundations of Computer Science, FOCS*(2014), pp. 374–383Google Scholar - 24.H. Krawczyk, Secret sharing made short, in
*13th Annual International Cryptology Conference, CRYPTO*(1993), pp. 136–146Google Scholar - 25.M. Karchmer, A. Wigderson, On span programs, in
*8th Annual Structure in Complexity Theory Conference*(1993), pp. 102–111Google Scholar - 26.I. Komargodski, M. Zhandry, Cutting-edge cryptography through the lens of secret sharing.
*IACR Cryptol. ePrint Arch.***2015**, 735 (2015). To appear in TCC 2016-AGoogle Scholar - 27.
- 28.M. Naor, On cryptographic assumptions and challenges, in
*23rd Annual International Cryptology Conference, CRYPTO*(2003), pp. 96–109Google Scholar - 29.M. Naor, Secret sharing for access structures beyond \({\sf P}\) (2006). Slides: http://www.wisdom.weizmann.ac.il/~naor/PAPERS/minicrypt.html
- 30.R. Pass, K. Seth, S. Telang, Indistinguishability obfuscation from semantically-secure multilinear encodings, in
*34th Annual Cryptology Conference, CRYPTO*(2014), pp. 500–517Google Scholar - 31.A. A. Razborov, Lower bounds for the monotone complexity of some Boolean functions.
*Dokl. Ak. Nauk. SSSR***281**, 798–801 (1985). English translation in:*Soviet Math. Dokl.***31**, 354–357 (1985)Google Scholar - 32.
- 33.A. Sahai, B. Waters, How to use indistinguishability obfuscation: deniable encryption, and more, in
*Symposium on Theory of Computing, STOC*(2014), pp. 475–484Google Scholar - 34.V. Vinod, A. Narayanan, K. Srinathan, C. P. Rangan, K. Kim, On the power of computational secret sharing, in
*4th International Conference on Cryptology in India, INDOCRYPT*(2003), pp. 162–176Google Scholar