Designs, Codes and Cryptography

, Volume 73, Issue 3, pp 841–864 | Cite as

New results and applications for multi-secret sharing schemes

  • Javier Herranz
  • Alexandre Ruiz
  • Germán Sáez


In a multi-secret sharing scheme (MSSS), \(\ell \) different secrets are distributed among the players in some set \(\mathcal{P }=\{P_1,\ldots ,P_n\}\), each one according to an access structure. The trivial solution to this problem is to run \(\ell \) independent instances of a standard secret sharing scheme, one for each secret. In this solution, the length of the secret share to be stored by each player grows linearly with \(\ell \) (when keeping all other parameters fixed). Multi-secret sharing schemes have been studied by the cryptographic community mostly from a theoretical perspective: different models and definitions have been proposed, for both unconditional (information-theoretic) and computational security. In the case of unconditional security, there are two different definitions. It has been proved that, for some particular cases of access structures that include the threshold case, a MSSS with the strongest level of unconditional security must have shares with length linear in \(\ell \). Therefore, the optimal solution in this case is equivalent to the trivial one. In this work we prove that, even for a more relaxed notion of unconditional security, and for some kinds of access structures (in particular, threshold ones), we have the same efficiency problem: the length of each secret share must grow linearly with \(\ell \). Since we want more efficient solutions, we move to the scenario of MSSSs with computational security. We propose a new MSSS, where each secret share has constant length (just one element), and we formally prove its computational security in the random oracle model. To the best of our knowledge, this is the first formal analysis on the computational security of a MSSS. We show the utility of the new MSSS by using it as a key ingredient in the design of two schemes for two new functionalities: multi-policy signatures and multi-policy decryption. We prove the security of these two new multi-policy cryptosystems in a formal security model. The two new primitives provide similar functionalities as attribute-based cryptosystems, with some advantages and some drawbacks that we discuss at the end of this work.


Multi-secret sharing schemes Multi-policy cryptosystems Entropy  Provable security 

Mathematics Subject Classification

94A62 94A60 94A17 



Javier Herranz enjoys a Ramón y Cajal Grant, partially funded by the European Social Fund (ESF), from Spanish MICINN Ministry. The research of Javier Herranz and Germán Sáez is also supported by Projects MTM2009-07694 and ARES—CONSOLIDER INGENIO 2010 CSD2007-00004, of the same MICINN Ministry.


  1. 1.
    Attrapadung N., Herranz J., Laguillaumie F., Libert B., De Panafieu E., Ràfols C.: Attribute-based encryption schemes with constant-size ciphertexts. Theor. Comput. Sci. 422, 15–38 (2012).Google Scholar
  2. 2.
    Bellare M., Rogaway P.: Random Oracles are Practical: A Paradigm for Designing Efficient Protocols. In: Proceedings of CCS’93, pp. 62–73. ACM Press, New York (1993).Google Scholar
  3. 3.
    Blakley G.R.: Safeguarding cryptographic keys. In: Proc Natl Comput Conf Am Fed Inf Process Soc Proc 48, 313–317 (1979).Google Scholar
  4. 4.
    Blundo C., De Santis A., Di Crescenzo G., Gaggia A.G., Vaccaro U.: Multi-secret Sharing Schemes. In: CRYPTO ’94, LNCS 839, pp. 150–163. Springer, Heidelberg (1994).Google Scholar
  5. 5.
    Boldyreva A.: Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie–Hellman-Group Signature Scheme. In: Proceedings of PKC’03, LNCS 2567, pp. 31–46. Springer, Berlin (2003).Google Scholar
  6. 6.
    Boneh D., Franklin M.: Identity-based encryption from the Weil pairing. SIAM J. Comput. 32(3), 586–615 (2003).Google Scholar
  7. 7.
    BBoneh D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptol. 17(4), 297–319 (2004).Google Scholar
  8. 8.
    Brickell E.F.: Some ideal secret sharing schemes. J. Comb. Math. Comb. Comput. 9, 105–113 (1989).Google Scholar
  9. 9.
    Cachin C.: On-line Secret Sharing. In: Proceedings of IMA conference’95, LNCS 1025, pp. 190–198. Springer, New York (1995).Google Scholar
  10. 10.
    Coron J.S.: On the Exact Security of Full Domain Hash. In: Proceedings of crypto’00, LNCS 1880, pp. 229–235. Springer, Berlin (2000).Google Scholar
  11. 11.
    Cover T.M., Thomas J.A.: Elements of Information Theory. Wiley, New York (1991).Google Scholar
  12. 12.
    Csirmaz L.: How to share secrets simultaneously. Cryptol. ePrint Arch. (2011).
  13. 13.
    Feldman P.: A Practical Scheme for Non-interactive Verifiable Secret Sharing. In: Proceedings of FOCS’87, vol. 28, pp. 427–437 (1987).Google Scholar
  14. 14.
    Gennaro R., Jarecki S., Krawczyk H., Rabin T.: Robust Threshold DSS Signatures. In: Proceedings of Eurocrypt’96, LNCS 1070, pp. 354–371. Springer, Berlin (1996).Google Scholar
  15. 15.
    Gennaro R., Jarecki S., Krawczyk H., Rabin T.: Secure distributed key generation for Discrete-Log based cryptosystems. J. Cryptol. 20(1), 51–83 (2007).Google Scholar
  16. 16.
    Goyal V., Pandey O., Sahai A., Waters B.: Attribute-Based Encryption for Fine-Grained Access Control of Encrypted Data. In: Proceedings of ACM CCS’06, pp. 89–98. ACM Press, New York (2006).Google Scholar
  17. 17.
    He J., Dawson E.: Multisecret-sharing scheme based on one-way function. Electron. Lett. 31(2), 93–95 (1995).Google Scholar
  18. 18.
    Herranz J., Sáez G.: Verifiable Secret Sharing for General Access Structures, with Application to Fully Distributed Proxy Signatures. In: Proceedings of financial cryptography’03, LNCS 2742, pp. 286–302. Springer, Berlin (2003).Google Scholar
  19. 19.
    Herranz J., Laguillaumie F., Libert B., Ràfols C.: Short Attribute-Based Signatures for Threshold Predicates. In: Proceedings of CT-RSA’12, LNCS 7178, pp. 51–67. Springer, Berlin (2012).Google Scholar
  20. 20.
    Jackson W.A., Martin K.M., OKeefe C.M.: A construction for multisecret threshold schemes. Des. Codes Cryptogr. 9(3), 287–303 (1996).Google Scholar
  21. 21.
    Joux A., Nguyen K.: Separating decision Diffie-Hellman from computational Diffie-Hellman in cryptographic groups. J. Cryptol. 16(4), 239–247 (2003).Google Scholar
  22. 22.
    Lewko A., Okamoto T., Sahai A., Takashima K., Waters B.: Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption. In: Proceedings of Eurocrypt’10, pp. 62–91 (2010).Google Scholar
  23. 23.
    Lin H.Y., Yeh Y.S.: Dynamic multi-secret sharing scheme. Int. J. Contemp. Math. Sciences 3(1), 37–42 (2008).Google Scholar
  24. 24.
    Maji H.K., Prabhakaran M., RosulekM.: Attribute-Based Signatures. In: Proceedings of CT-RSA’11, LNCS 6558, pp. 376–392. Springer, Berlin (2011).Google Scholar
  25. 25.
    Masucci B.: Sharing multiple secrets: models, schemes and analysis. Des. Codes Cryptogr. 39, 89–111 (2006).Google Scholar
  26. 26.
    Okamoto T., Pointcheval D.: The Gap-Problems: A New Class of Problems for the Security of Cryptographic Schemes. In: Proceedings of PKC’01, LNCS 1992, pp. 104–118. Springer, Berlin (2001).Google Scholar
  27. 27.
    Pedersen T.: Non-interactive and Information-Theoretic Secure Verifiable Secret Sharing. In: Proceedings of crypto’91, LNCS 576, pp. 129–140. Springer, Berlin (1991).Google Scholar
  28. 28.
    Shamir A.: How to share a secret. Commun. ACM 22, 612–613 (1979).Google Scholar
  29. 29.
    Shoup V.: Lower Bounds for Discrete Alogarithms and Related Problems. In: Proceedings of eurocrypt’97, LNCS 1233, pp. 256–266. Springer, Berlin (1997).Google Scholar
  30. 30.
    Shoup V.: Practical Threshold Signatures. In: Proceedings of Eurocrypt’00, LNCS 1807, pp. 207–220. Springer, Berlin (2000).Google Scholar
  31. 31.
    Shoup V., Gennaro R.: Securing threshold cryptosystems against chosen ciphertext attack. J. Cryptol. 15(2), 75–96 (2002).Google Scholar

Copyright information

© Springer Science+Business Media New York 2013

Authors and Affiliations

  1. 1.Department of Matemàtica Aplicada IVUniversitat Politècnica de Catalunya – BarcelonaTechBarcelonaSpain

Personalised recommendations