Nearly optimal robust secret sharing
Abstract
We prove that a known general approach to improve Shamir’s celebrated secret sharing scheme; i.e., adding an information-theoretic authentication tag to the secret, can make it robust for n parties against any collusion of size \(\delta n\), for any constant \(\delta \in (0, 1/2)\). Shamir’s original scheme is robust for all \(\delta \in (0,1/3)\). Beyond that, we employ the best known list decoding algorithms for Reed–Solomon codes and show that, with high probability, only the correct secret maintains the correct information-theoretic tag if an algebraic manipulation detection (AMD) code is used to tag secrets. This result holds in the so-called “non-rushing” model in which the n shares are submitted simultaneously for reconstruction. We thus obtain a fully explicit and robust secret sharing scheme in this model that is essentially optimal in all parameters including the share size which is \(k(1+o(1)) + O(\kappa )\), where k is the secret length and \(\kappa \) is the security parameter. Like Shamir’s scheme, in this modified scheme any set of more than \(\delta n\) honest parties can efficiently recover the secret. Using algebraic geometry codes instead of Reed–Solomon codes, the share length can be decreased to a constant (only depending on \(\delta \)) while the number of shares n can grow independently. In this case, when n is large enough, the scheme satisfies the “threshold” requirement in an approximate sense; i.e., any set of \(\delta n(1+\rho )\) honest parties, for arbitrarily small \(\rho > 0\), can efficiently reconstruct the secret. From a practical perspective, the main importance of our result is in showing that existing systems employing Shamir-type secret sharing schemes can be made much more robust than previously thought with minimal change, essentially only involving the addition of a short and simple checksum to the original data.
Keywords
Coding and information theory; Cryptography; Algebraic coding theory
Mathematics Subject Classification
68P30; 94A60; 11T71
1 Introduction
Secret sharing, introduced by the seminal works of Shamir [23] and Blakley [1], is the following problem (in its most basic formulation): suppose we wish to encode and distribute a secret \(s \in \mathbb {F}_2^k\) among n parties in such a way that (i) the n parties can reconstruct the original secret s by revealing their respective shares; and, (ii) for some integer parameter \(t > 0\) (called the privacy parameter), any group of t parties cannot infer any information about the secret from their collection of shares. In coding-theoretic terms, the goal is to encode s (using randomness) into a sequence \(Y_1, \ldots , Y_n\) over some alphabet of size Q, in a way that s can be reconstructed from the encoding and moreover, for any \(i_1, \ldots , i_t \in [n]\), the sequence \(Y_{i_1}, \ldots , Y_{i_t}\) has the same distribution regardless of the message s.
Shamir proposed a beautiful scheme that provides an optimal solution to the problem. The scheme regards the secret as an element of the finite field \(\mathbb {F}_Q\), for some prime power \(Q \ge n\), and then samples a uniformly random univariate polynomial of degree at most t over \(\mathbb {F}_Q\) with the constant term set to be s. The coding-theoretic interpretation of this solution is that s is amended with t uniformly random and independent elements of \(\mathbb {F}_Q\) and the result is encoded using a Reed–Solomon code of length n and dimension \(t+1\). Shamir’s solution works even if the adversary uses an adaptive strategy; i.e., when each of the query positions \(i_1, \ldots , i_t\) depends on the observation outcomes at the previous locations. Adaptive security is a property that is generally sought after for secret sharing schemes.
Due to its coding-theoretic nature, Shamir’s scheme provides at least two additional benefits. First, any group of parties is able to recover s as long as the size of the group is larger than t. This so-called “threshold property” is due to the fact that the Reed–Solomon code is an MDS code. Second, any Reed–Solomon code of rate R is able to tolerate any fraction of errors up to \((1-R)/2\) and this can be achieved by an efficient decoder (such as the Berlekamp–Massey decoding algorithm, cf. [22, Chap. 6]). As a result, a straightforward calculation shows that Shamir’s secret sharing scheme is robust, in the sense that it can tolerate malicious parties that submit incorrect shares. In particular, the correct secret s can be always reconstructed even if up to a third of the parties reveal their shares incorrectly. In fact, this holds true even if the malicious parties are able to arbitrarily communicate with each other and choose the incorrect shares adversarially.
Table 1 Summary of results in robust secret sharing schemes, and their key features and limitations

Ref.      | Share length                                            | Efficient? | Remarks
[23]      | k                                                       | Yes        | Only robust against collusions of size \(t < n/3\)
[8]       | \(k+O(\log (1/\eta ))\)                                 | Yes        | Only robust in the sense of error detection
[2]       | \(k+O(\log (1/\eta ))\)                                 | Yes        | Only secure against local adversaries
[12]      | \(k+O(n + \log (1/\eta ))\)                             | No         |
[10]      | \(k+\tilde{O}(n + \log (1/\eta ))\)                     | Yes        | Secure against rushing adversaries
[21]      | \(k+O(n \log (1/\eta ))\)                               | Yes        | Secure against rushing adversaries
[24]      | \(k+\tilde{O}(n^2 + n\log (1/\eta ))\)                  | Yes        | For \(n = 2t+1\)
[6]       | O(1)                                                    | Yes        | Monte-Carlo; reconstruction from \(t+\Omega (n)\) of the shares, for large n, and \(\eta = \exp (-\Omega (n))\)
[3]       | \(k+O(\log (1/\eta ) (\log ^4 n+(\log ^3 n) \log k))\)  | Yes        | For \(n = 2t+1\)
This work | \(k(1+o(1)) + O(\log (1/\eta ))\)                       | Yes        | Corollary 14
This work | O(1)                                                    | Yes        | Corollary 18; reconstruction from any \(t+\rho n\) shares, for any constant \(\rho > 0\), assuming \(\frac{t}{n} \le \frac{1}{2} - \rho \), large n and \(\eta = \exp (-\Omega (n))\)
1.1 Previous work
The robust notion of secret sharing has been studied in the literature, and some of the key results in the area are summarized in Table 1. It is known that robust secret sharing is impossible when the fraction of dishonest parties is at least 1/2; i.e., when \(n \le 2t\) [19]. It is also impossible to always reconstruct the secret correctly (i.e., with probability 1) when the fraction of dishonest parties may be 1/3 or larger, in which case a small probability of error \(\eta \) is unavoidable. Therefore, Shamir’s scheme provides optimal robustness for a scheme with zero probability of error.
When an honest majority exists, Rabin and Ben-Or [21] provide a secret sharing scheme based on Shamir’s scheme combined with message authentication codes. The share length \(q := \log Q\) in this scheme is, ignoring small terms, \(k + \Omega (n \log (1/\eta ))\), where \(\eta > 0\) is the probability of incorrect reconstruction. In contrast, an appealing feature of Shamir’s scheme is that the shares are compact; namely, the bit length of each share is equal to the bit length of the secret (under the natural assumption that \(n \le 2^k\)). This turns out to be optimal for schemes with perfect privacy satisfying the threshold property [25].
Another scheme, due to Cramer et al. [7] (and based on [12] and also using Shamir’s scheme) improves the share length to \(\max \{k, O(n + \log (1/\eta ))\}\). However, the reconstruction time for this scheme is in general exponential in n (more precisely, at least \(\binom{n}{t}\)), and the scheme is insecure against rushing adversaries (cf. [10]).
Cevallos et al. [10] propose a scheme similar to [21] that achieves more compact shares, namely of length \(k + O(\log (1/\eta ) + n(\log n + \log k))\). This scheme provides efficient share and reconstruction procedures and is also secure against rushing adversaries.
Cramer et al. [8] introduce the notion of algebraic manipulation detection (AMD) codes, which is a natural variant of error-detection codes in situations where the adversary’s perturbations on a codeword are chosen independently of the codeword. By using this primitive as a precode in Shamir’s secret sharing scheme (or any secret sharing scheme with linear decoder), they are able to make the scheme robust against adversarial manipulations. The key difference in their model is the notion of robustness; i.e., the requirement is that if the adversary corrupts any of the shares, the reconstruction should detect the adversary and fail (rather than output the correct share) with high probability.
More recently, Lewko and Pastro [2] defined a variation of robust secret sharing in which the robustness requirement is against local adversaries. That is, the error in each share corrupted by the adversary can only depend on the particular share being corrupted. Intuitively, this corresponds to the case where a number of adversaries take control of different shares and have to decide on submitting an incorrect share only based on the local information that they possess (the adversaries may agree on a strategy beforehand but cannot communicate after observing their respective shares). They show that even in this restricted model, the minimum required share length is \(k+\log (1/\eta )-O(1)\) (under the standard threshold assumption that any set of \(t+1\) parties must reconstruct the secret with probability at least \(1-\eta \)). Furthermore, they construct efficient schemes in the local model that attain a nearly optimal share length of \(k+O(\log (1/\eta ))\).
In another recent work, Cramer et al. [6] combine AMD codes with universal hash functions and (folded) list decodable codes to construct a secret sharing scheme with potentially constant share length (more precisely, share length \(\Theta (1+\log (1/\eta )/n)\)). Their construction is with respect to a randomly chosen hash function from a universal family and is thus a Monte-Carlo construction. That is, the code construction relies on the probabilistic method (and thus may not result in the desired secret sharing scheme with unfortunate choices of the randomness); however, the encoder and decoders are efficient once the randomness of the code construction is set to an appropriate choice. Moreover, this construction considers the “ramp model” in which it is not necessary to be able to reconstruct the secret from any \(t+1\) of the shares. This relaxation is in fact necessary for any secret sharing scheme with share length smaller than the secret length k.
Finally, Safavi-Naini and Wang [24] construct secret sharing schemes based on codes for the wiretap channel problem for the case \(n = 2t+1\). This construction is based on wiretap codes that are in turn based on list decodable Reed–Solomon codes, subspace-evasive sets and AMD codes, and attains a share length of \(k+O(n^2 (\log n) (\log \log n)+ n\log (1/\eta ))\).
Subsequent to a preliminary draft of the present work, Bishop et al. [3] construct an efficient and nearly optimal robust secret sharing scheme for \(n = 2t+1\) that achieves share length \(k+O(\log (1/\eta ) (\log ^4 n+(\log ^3 n) \log k))\). In general, this is incomparable with the bound we achieve (while both are very close to the optimal \(k+O(\log (1/\eta ))\)). This work follows the authentication graph idea of Rabin and Ben-Or [21] (in which a MAC signature is used for every party in each share to authenticate the shares for every other party) and its improvement by Cevallos et al. [10]. In particular, [3] considers a subsampled authentication graph, leading to nearly optimal share lengths, which is then shown to provide robustness via a delicate analysis based on the approximation algorithms for the minimum graph bisection problem. It is, however, not shown whether this improvement maintains robustness against rushing adversaries.
1.2 Our contributions
In this work, we construct an essentially optimal robust secret sharing scheme against possibly adaptive, but non-rushing, adversaries. Somewhat surprisingly, our construction turns out to be strikingly similar to some of the known constructions mentioned in Sect. 1.1 and involves a simple modification of Shamir’s original secret sharing scheme.
More precisely, the construction first amends the secret with a tag using an AMD code (such as the one in [8]). Then, it uses Shamir’s scheme to encode the result into mn shares, for a carefully chosen integer parameter \(m > 1\). Finally, the resulting shares are bundled into n groups of size m each which are distributed among the n parties. In other words, we use a variant of Shamir’s scheme based on folded Reed–Solomon codes (instead of plain Reed–Solomon codes) combined with an AMD precode. This is very similar to what is used in [8] to provide robustness in the sense of error-detection, as well as the coding-theoretic construction of Safavi-Naini and Wang [24] (the latter additionally uses subspace-evasive sets that we do not need). Combining Shamir’s scheme with some type of information-theoretic precode (such as a message authentication code) can also be seen as the underlying idea of other existing constructions such as [7].
The techniques that we use are remarkably simple to describe as well. To prove robustness, we first use an efficient list decoding algorithm of folded Reed–Solomon codes [15] to show that the reconstruction procedure always outputs a short list containing an AMD encoding of the correct secret. Second, we use an elegant observation by Guruswami and Smith [16] that was used by them to construct “stochastic” error-correcting codes. The observation is that, for any list decodable code that is linear over some base field, the list of potential messages corresponding to any given received word is the translation of the original message by elements of a set that only depends on the noise vector. In particular, the list of potential messages, shifted by the correct message, is only determined by the code and the error vector chosen by the adversary. For our application in secret sharing, privacy of Shamir’s scheme implies that the perturbations of the adversary, and thus the set of error vectors in the message domain, must be independent of the original message and the internal randomness of the AMD code. As a result, the error detection guarantee of the AMD code ensures that, with high probability, all the incorrect potential messages are correctly identified by the reconstruction procedure so that only the correct secret remains at the end.
Our construction and underlying ideas share an overlap with the above-mentioned recent result of Cramer et al. [6] in which the authors construct a Monte-Carlo secret sharing scheme with small share length in the ramp model (where obtaining a sharp threshold; i.e., reconstructability from any \(t+1\) shares, is not a requirement). The construction in that work can be described as follows: First, the secret s is encoded with an AMD code, and then the result x is mapped to a random element in \(h^{-1}(x)\), where h is a fixed and appropriately chosen linear hash function. The resulting sequence is finally encoded using a list decodable code. Unfortunately, this result does not determine an explicit suitable choice for h. However it shows, using the probabilistic method, that most functions in a universal family of hash functions are suitable choices for the hash function h. In other words, if h is randomly picked from a universal family of hash functions, with high probability over the choice of h the resulting scheme is robust with the desired parameters. Therefore, the hash function h is determined by the code construction once and for all, and the probabilistic method shows that most choices of h would result in equally good secret sharing schemes. It is not clear, however, whether one can efficiently and deterministically find a suitable choice for the hash function h without running an exponential-time computation (as is usual in random coding arguments). Compared with this result, our work completely eliminates the need for the hash function, and thus we finally obtain a fully explicit construction of efficient secret sharing schemes with nearly optimal parameters in all aspects. Namely, our main result in this work can be stated as follows.
Theorem 1
(Corollary 14, rephrased) Let \(\delta <1/2\) be any fixed constant. For any \(\eta >0\), there is an efficient, robust and perfectly private secret sharing scheme with n shares, secret length k, and share length \(q \le k(1+o(1)) + O(\log (1/\eta ))\) that is secure with privacy parameter \(t = \delta n\), attaining a reconstruction error of at most \(\eta \). \(\square \)
Another feature of our work is its complete modularity and simplicity which can help retain the practicality of Shamir’s scheme. Our main result (Theorem 8) can be applied to any linear secret sharing scheme based on linear error-correcting codes that provides privacy via a dual distance argument (Shamir’s original scheme being a special case). As a result, we are able to instantiate the result with virtually any algebraic family of linear list decodable codes, and particularly do so for the cases of (folded) Reed–Solomon and algebraic geometry codes. In contrast, the result of Cramer et al. [6] is only presented and proven when the underlying code is an algebraic geometry code, as the main goal of [6] is to obtain constant share lengths. Furthermore, as discussed above, [6] only provides a Monte-Carlo construction, since the choice of the hash function that preprocesses the secret is random which, in addition to adding to the description complexity of the final scheme, may cause the entire scheme to fail with an unfortunate choice of the (unverifiable) random hash function.
As with Shamir’s scheme and [24], our result does not necessarily require the observations of the adversary to coincide or overlap with the set of manipulated shares. In fact, the number of adaptive observations by the adversary may in general be different from the number of incorrect shares, and this is allowed as long as the total fraction of observations and incorrect shares adds up to a quantity sufficiently smaller than 1.
Although a share length of at least k bits is necessary for any robust secret sharing scheme [25] (even against local, or oblivious, adversaries [2]), it is possible to obtain smaller shares at cost of slightly relaxing the threshold property. That is, instead of requiring the secret to be reconstructible (either with probability 1 or close to 1) from any set of more than t shares, we may require reconstructability from any set of more than \(t+g\) shares, for a small “gap” parameter g. A desirable level for the gap parameter is when g is a small fraction of the number of shares, and it is reasonable to argue that a secret sharing scheme that attains such a relaxed threshold property may be of interest to most applications.
We adapt our secret sharing scheme to nonzero gap parameters and, moreover, show that when g is a small fraction of n, the alphabet size may be reduced to an absolute constant (depending on the fraction g / n and assuming that t / n is smaller than 1/2 by some constant). This is achieved by using folded algebraic geometry codes instead of folded Reed–Solomon codes and their corresponding list decoding algorithms (namely, the state-of-the-art algorithm due to Guruswami and Xing [18]). Using algebraic geometry codes, we can prove the following.
Theorem 2
(Corollary 18, rephrased) For any constant \(\rho > 0\), and any \(\delta \le 1/2-\rho \), there is a constant \(q=O_\rho (1)\) such that the following holds. There is a robust and perfectly private secret sharing scheme with n shares, secret length k, and share length O(q), attaining a reconstruction error of \(\eta = \exp (-\Omega (\rho nq))\), provided that \(n \ge k/(\rho q)\). The scheme satisfies the threshold property in an approximate sense; namely, the secret can be reconstructed (with probability 1) given any set of \(t+\rho n\) shares. The scheme is efficient given a polynomial (in n) amount of preprocessed information about the scheme. \(\square \)
Previously, the best known construction achieving small share length was due to Cramer et al. [6] in which the share length is \(\Theta (1+\log (1/\eta )/n)\) and thus grows with the security parameter (see Table 1). Moreover, as mentioned above, this construction is not fully explicit and requires a randomly chosen hash function that is fixed once and for all and there is no clear efficient way of explicitly finding an appropriate hash function.
The efficiency of the scheme in Theorem 2 is dictated by the efficiency of the underlying list decoding algorithm for algebraic geometry codes. The encoding and list decoding algorithms in [18] that we use run in polynomial time provided that a polynomial amount of preprocessed information about the code is available to the algorithms. Naturally, any subsequent improvements in list decoding algorithms of folded algebraic geometry (and for that matter, folded Reed–Solomon) codes would automatically improve the performance of the above secret sharing schemes.
We remark that the natural idea of reducing share length by using algebraic geometry codes rather than Reed–Solomon codes in secret sharing schemes dates back to a result of Chen and Cramer [5] and has been extensively studied since (cf. [9]), especially in the context of arithmetic secure multiparty computation.
It should be pointed out that, as discussed before, the focus of the present work is in showing that a simple modification of the existing Shamir’s secret sharing scheme (i.e., the idea of amending the secret with an AMD tag that was actually proposed in [8] and shown to provide robustness in the sense of error-detection) essentially makes it optimally robust. This means that existing systems employing Shamir’s scheme can be easily modified to provide stronger robustness against tampering adversaries, and this can be a very appealing improvement for practitioners that use Shamir’s or related coding-theoretic schemes. In contrast, graph-based constructions such as [3, 10, 21] pursue a very different approach. Another appealing feature of coding-theoretic constructions such as our construction and Shamir’s original scheme is that they allow an imbalance between the adversarial leakages and corruptions. In particular, for our constructions the adversary can read any \(\tau \) fraction of the shares and use this information to corrupt any \(\delta \) (whether including the shares previously read or not) fraction of the shares, and both privacy and robustness can be guaranteed as long as \(\tau +\delta \) is nontrivially bounded away from 1.
Organization. The rest of the article is organized as follows. We explain the notation in Sect. 1.3. Preliminaries, including the exact notion of secret sharing schemes that we use in this work, are discussed in Sect. 2. Our general construction is presented and analyzed in Sect. 3. We then instantiate the construction using folded Reed–Solomon codes in Sect. 4.1 and folded algebraic geometry codes in Sect. 4.2. Finally, Sect. 4.3 proves optimality of the obtained bounds using a reduction from the wiretap channel problem.
1.3 Notation
We use \(d_H(x, y)\) to denote the Hamming distance between two vectors x and y. For a vector \(Y=(Y_1, \ldots , Y_n)\), and \(i \in [n]\), we use the notation Y(i) to denote \(Y_i\). Moreover, for a sequence \(W = (W_1, \ldots , W_t) \in [n]^t\), we use the notation \(Y_W := (Y(W_1), \ldots , Y(W_t))\). All logarithms are to base two. For a function f and a subset S of the domain of f, we use the notation f(S) to denote the set \(\{f(s):s \in S\}\). Moreover for two sets A, B over a group \(({\mathcal {G}}, +)\), we use \(A+B\) to denote \(\{a+b:a \in A, b \in B\}\), and \(A+b\) (for \(b \in {\mathcal {G}}\)) to denote \(A+\{b\}\).
2 Preliminaries
In this section, we describe the basic notions that are used throughout the paper, including the exact definition of robust secret sharing schemes that we use. The general notion of coding schemes is defined as follows.
Definition 3
(coding scheme). A pair of functions \(({\mathsf {Enc}}, {\mathsf {Dec}})\) where \({\mathsf {Enc}}:\mathbb {F}_2^k \times \mathbb {F}_2^\ell \rightarrow \mathbb {F}_{2^q}^n\), and \({\mathsf {Dec}}:(\mathbb {F}_{2^q} \cup \{\perp \})^n \rightarrow \mathbb {F}_2^k \cup \{ \perp \}\) is called a coding scheme if for all \(s \in \mathbb {F}_2^k\) and all \(z \in \mathbb {F}_2^\ell \), we have \({\mathsf {Dec}}({\mathsf {Enc}}(s, z)) = s\). The functions \({\mathsf {Enc}}\) and \({\mathsf {Dec}}\) are respectively called the encoder and the decoder, and parameters k and q are respectively called the message length and the symbol length. We use the notation \({\mathsf {Enc}}(s)\) to denote the random variable \({\mathsf {Enc}}(s, Z)\) when Z is sampled uniformly at random from \(\mathbb {F}_2^\ell \). The coding scheme is called efficient if \({\mathsf {Enc}}, {\mathsf {Dec}}\) can be computed in polynomial time in nq. The rate of the coding scheme is the quantity k / (nq). The coding scheme is binary if \(q=1\).
Using the above definition, we may now define robust secret sharing schemes as a coding scheme satisfying the privacy and robustness requirements.
Definition 4
1. Adaptive privacy: For a parameter t (known as the privacy parameter), and for any “secret” \(s \in \mathbb {F}_2^k\), an adversary who (possibly adaptively) observes any up to t of the shares gains (almost or absolutely) no information about the secret s. More formally, for a \(Y \in \mathbb {F}_{2^q}^n\), and a parameter t, we define an observation strategy as follows. The strategy is specified by an observation sequence \(W = (W_1, \ldots , W_t)\), where each \(W_i \in [n]\) is distinct and determined as a function of \(Y(W_1), \ldots , Y(W_{i-1})\). The observation outcome with respect to Y is then the string \(Y_W\). The privacy requirement is that for every observation strategy as above, there is a distribution \({\mathcal {D}}\) over \(\mathbb {F}_{2^q}^t\) such that, for every \(s \in \mathbb {F}_2^k\), letting \(Y := \mathsf {Share}(s)\), the distribution of the observation outcome \(Y_W\) is \(\epsilon \)-close in statistical distance to \({\mathcal {D}}\). The scheme satisfies perfect privacy if \(\epsilon = 0\).
2. Robustness: For a parameter d (known as the robustness parameter), an adversary who arbitrarily corrupts up to any d of the shares (possibly after adaptively observing any t of the shares) cannot make \(\mathsf {Rec}\) output an incorrect secret with probability more than \(\eta \). More formally, consider any observation strategy resulting in an observation sequence W. Then, for any \(s \in \mathbb {F}_2^k\) the following must hold. Let \(Y := \mathsf {Share}(s)\), and suppose an adversary is given \((W, Y_W)\) and accordingly chooses an error vector \(\Delta \in \mathbb {F}_{2^q}^n\) of Hamming weight at most d. Then it must be that, for some robustness error parameter \(\eta \ge 0\),
$$\begin{aligned} \Pr (\mathsf {Rec}(Y+\Delta ) \ne s) \le \eta , \end{aligned}$$
where the probability is taken over the internal randomness of \(\mathsf {Share}\). The scheme satisfies perfect robustness if \(\eta = 0\).
Secret sharing schemes that do not have a sharp threshold are known in the literature as ramp schemes, and the parameter \(t+g+1\) is sometimes called reconstructability parameter (cf. [6]).
An important notion that we use in our constructions is the notion of algebraic manipulation detection (AMD) codes, defined as follows.
Definition 5
The following result is shown in [8], which we shall use in our constructions. Although, as stated in [8], the coding scheme is only defined for infinitely many values of the message length k, it can be extended to all integers \(k>0\) by trivial padding techniques without any loss in the asymptotic guarantees.
Theorem 6
We note that explicit constructions of AMD codes are known that are better than the above for certain ranges of the parameters (e.g., [13]). However, the tag length of the construction in Theorem 6 is optimal within a constant factor of two, which suffices for our purposes. Furthermore, this construction is essentially based on Reed–Solomon codes (namely, the tag simply consists of a random point and evaluation of a polynomial defined by the message at that point), which fits nicely for use alongside a Shamir-type secret sharing scheme.
The notion of folded codes, following a line of work in algebraic list decoding (originally defined in [15]) is the following. Intuitively, a folded code is obtained from an error-correcting code by bundling groups of codeword symbols into “packets” of a certain size, thereby increasing the effective alphabet size in favor of better error resilience guarantees.
Definition 7
3 The construction
The following is the main technical tool used by our constructions, in which we prove that a combination of AMD codes with (folded) linear list decodable codes can be used to construct robust secret sharing schemes.
Theorem 8
Proof
We can write the code \(\mathcal {C}\) as a direct sum \(\mathcal {C}= \mathcal {C}' + \mathcal {C}''\) of complementary codes, where \(\mathcal {C}'' \subseteq \mathbb {F}_Q^n\) is an \(\mathbb {F}_{Q^{1/m}}\)-linear subcode of \(\mathcal {C}\) of rate \(R-R' > 0\). For the sake of clarity in the sequel we use \(\mathcal {C}_0, \mathcal {C}'_0 \subseteq (\mathbb {F}_{Q^{1/m}})^{nm}\) to be the codes \(\mathcal {C}, \mathcal {C}'\), respectively, when regarded as subspaces of \((\mathbb {F}_{Q^{1/m}})^{nm}\) (in other words, \(\mathcal {C}_0, \mathcal {C}'_0\) are the unfolded representations of \(\mathcal {C}, \mathcal {C}'\)). Recall that \(\mathcal {C}_0, \mathcal {C}'_0\) are linear codes over \(\mathbb {F}_{Q^{1/m}}\).
Let \(f:\mathbb {F}_2^{n_0} \rightarrow \mathcal {C}''\) be any efficient and \(\mathbb {F}_2\)-linear invertible function. Such a function exists since \(\log _2 \mathcal {C}'' = (R-R')nq \ge n_0\) by (1). Note that there is also an efficiently computable \(\mathbb {F}_2\)-linear projection \(f':\mathbb {F}_Q^n \rightarrow \mathbb {F}_2^{n_0}\) such that for any \(w \in \mathcal {C}'\), and any \(x \in \mathbb {F}_2^{n_0}\), we have \(f'(w+f(x))=x\).

\(\mathsf {Share}\): Given \(s \in \mathbb {F}_2^k\), \(\mathsf {Share}(s)\) first computes \(S' := {\mathsf {Enc}}_0(s)\). Then, it samples a \(Z \in \mathbb {F}_Q^n\) according to the uniform distribution on \(\mathcal {C}'\) and outputs \(Y := f(S') + Z\).

\(\mathsf {Rec}\): Given \(Y' \in \mathbb {F}_Q^n\), the procedure \(\mathsf {Rec}(Y')\) first uses the list decoding algorithm of \(\mathcal {C}\) to compute a list \(M \subseteq \mathbb {F}_Q^{n}\) of size at most L consisting of all codewords of \(\mathcal {C}\) that agree with \(Y'\) in at least a \(1-\delta \) fraction of the positions. Let \(M' \subseteq \mathbb {F}_2^{n_0}\) be the set \(M' := f'(M)\). If the set \({\mathsf {Dec}}_0(M') \setminus \{\perp \}\) contains only one element, the algorithm outputs the unique element. Otherwise, the algorithm returns \(\perp \).
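The \(\mathsf {Share}\)/\(\mathsf {Rec}\) pair above, together with the Reed–Solomon view of Shamir’s scheme from Sect. 1 and the AMD code of [8] sketched after Theorem 6 (a random point and a polynomial evaluation as the tag), as an added, self-contained Python example that is not part of the paper or its authors’ code. It instantiates \(\mathcal {C}\) as an unfolded (\(m=1\)) Reed–Solomon code over a prime field: \(\mathcal {C}'\) is the set of polynomials whose low-order coefficients vanish (so a uniform \(Z \in \mathcal {C}'\) is t-wise independent), and f places the AMD-tagged secret in exactly those coefficients. The list decoder is replaced by brute-force interpolation over every k-subset of shares, which is exponential in n and only serves to make the candidate list M visible; the field size, the parameters n = 9, t = 3, the secret and the adversary’s offsets are all constructed for the demonstration.

```python
# Added example (not from the paper): Shamir sharing with an AMD tag, reconstructed
# through a brute-force stand-in for list decoding.
import itertools
import secrets

P = 2**61 - 1   # prime field for shares and tags (constructed choice, not a parameter from the paper)


def poly_mul(a, b):
    """Product of two polynomials over F_P, coefficients listed lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % P
    return out


def poly_eval(coeffs, x):
    """Horner evaluation of coeffs (lowest degree first) at x over F_P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def interpolate(points):
    """Lagrange interpolation: coefficients of the unique polynomial of degree
    < len(points) through the given (x, y) pairs (x values must be distinct)."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])     # multiply by (X - xj)
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, P - 2, P) % P            # yi / denom
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + scale * c) % P
    return coeffs


def amd_encode(msg, x=None):
    """AMD code of Cramer et al. [8]: (msg, x, x^(d+2) + sum_i msg_i x^i) with d = len(msg)
    and x uniform in F_P; a fixed additive offset to (msg, x, tag) survives the check
    with probability at most (d+1)/P."""
    d = len(msg)
    if x is None:
        x = secrets.randbelow(P)
    tag = (pow(x, d + 2, P) + sum(m * pow(x, i + 1, P) for i, m in enumerate(msg))) % P
    return list(msg) + [x, tag]


def amd_decode(word):
    """Return the message if the tag verifies, otherwise None (the decoder's bottom symbol)."""
    *msg, x, tag = word
    return tuple(msg) if amd_encode(msg, x)[-1] == tag else None


def share(secret, n, t):
    """Share(s): AMD-tag s, put the tagged vector in the low-order coefficients and append
    t uniformly random coefficients (the codeword Z of C'). The polynomial has degree
    < k := t + len(secret) + 2, and any t evaluations are uniform, giving privacy t."""
    coeffs = amd_encode(secret) + [secrets.randbelow(P) for _ in range(t)]
    return [(i, poly_eval(coeffs, i)) for i in range(1, n + 1)]


def reconstruct(shares, t, d, max_errors):
    """Rec(Y'): brute-force stand-in for the list decoder. Every k-subset of shares is
    interpolated; polynomials agreeing with Y' in >= n - max_errors positions form the
    list M, the AMD decoder is run on their low-order coefficients (the set M'), and the
    result is accepted only if exactly one message survives.
    Returns (secret or None, number of distinct list candidates)."""
    n, k = len(shares), t + d + 2
    candidates, accepted = set(), set()
    for subset in itertools.combinations(shares, k):
        coeffs = tuple(interpolate(list(subset)))
        if coeffs in candidates:
            continue
        agree = sum(1 for x, y in shares if poly_eval(coeffs, x) == y)
        if agree >= n - max_errors:
            candidates.add(coeffs)
            msg = amd_decode(list(coeffs[:d + 2]))
            if msg is not None:
                accepted.add(msg)
    unique = next(iter(accepted)) if len(accepted) == 1 else None
    return unique, len(candidates)


def demo(n=9, t=3, errors=3):
    """Constructed scenario: the adversary holds (and so observes) shares 1..errors, which is
    within its t observations, and adds offsets Delta of its choosing. Delta is independent
    of the tagged secret, exactly the situation the robustness proof relies on."""
    secret = (12345,)                                    # one field element, d = 1
    shares = share(secret, n, t)
    delta = [7 * (i + 1) for i in range(errors)]         # constructed error vector
    tampered = [(x, (y + delta[i]) % P) if i < errors else (x, y)
                for i, (x, y) in enumerate(shares)]
    recovered, list_size = reconstruct(tampered, t, len(secret), errors)
    return recovered, list_size, secret


if __name__ == "__main__":
    recovered, list_size, secret = demo()
    print(f"list size {list_size}, recovered {recovered}, correct {recovered == secret}")
```

With three corrupted shares out of nine, the underlying code (length 9, dimension 6) has unique-decoding radius 1, so the candidate list holds many polynomials besides the correct one. Since interpolation is linear, every candidate obtained from a subset S equals the correct polynomial plus the interpolation of \(\Delta \) restricted to S, an offset that depends on \(\Delta \) and S alone; the AMD check therefore rejects each wrong candidate except with probability about 2/P, and `reconstruct` returns the single surviving secret.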
In order to see the privacy requirement, we observe that since \(\mathcal {C}'_0\) has dual distance greater than tm and \(Z \in \mathbb {F}_Q^n\) is a uniformly random codeword of \(\mathcal {C}'\) (and thus, of \(\mathcal {C}'_0\) when unfolded), the vector Z is (tm)-wise independent over \((\mathbb {F}_{Q^{1/m}})^{nm}\) (and t-wise independent over \(\mathbb {F}_Q^n\)). That is, the restriction of \(Z \in \mathbb {F}_Q^n\) to any t coordinate positions (that may be chosen adaptively) is uniformly distributed on \(\mathbb {F}_Q^t\). Therefore, since Z is independent of the randomness of the AMD code, we see that regardless of the message s (and even more generally, conditioned on any particular outcome of \(S'\)), the encoding \(Y=f(S')+Z\) is t-wise independent. This guarantees that the adversary gains no information about s (and in fact \(S'\)) by observing any up to t of the shares (note that this is true even if the adversary’s strategy may depend on s, see Remark 10 below).
In order to verify the threshold property, we first verify that \(ntd \ge 0\). In order to see this, note that by the Singleton bound [22, Sect. 4.1], and since \(\dim \mathcal {C}'_0 < \dim \mathcal {C}_0\), we have \(tm+1 \le nm\dim {\mathcal {C}'}_0^{\perp }+1 = \dim \mathcal {C}'_0 +1 = R'nm+1 \le Rnmm+1\). Again by the Singleton bound, we have \(Rn \le nd+1\), which combined with the previous bound gives \(t \le nd\). Now, since the minimum distance of \(\mathcal {C}\) is d, the vector Y can be uniquely recovered (in fact, with probability 1) from any set of \(nd+1\) shares. Therefore, since the privacy parameter is t, we obtain a gap of \(g=(nd+1)t1=ndt\).
Finally, we verify the robustness property. Let the random variable V denote the view of the adversary after (possibly adaptively) observing up to t shares. That is, V specifies the sequence of coordinate positions observed by the adversary (possibly adaptively and even given the knowledge of s) and the value of shares at each one of those positions. In the sequel, we consider the conditional probability space in which V attains a specific value v; i.e., we condition all random variables on \(V=v\). Our goal is to show that under any such conditioning, the robustness guarantee is satisfied. Observe that because of the privacy argument, the two random variables V and \(S'\) (where we recall that \(S' = {\mathsf {Enc}}_0(s)\) via the AMD code) are independent. Therefore, the distribution of \(S'\) remains unchanged under the conditioning \(V=v\).
Now suppose given the observation \(V=v\) (and possibly the secret s), the adversary picks a fixed error vector \(\Delta \in \mathbb {F}_Q^n\) of Hamming weight at most \(\delta n\) and perturbs Y to \(Y' = Y+\Delta \) (if the adversary picks \(\Delta \) according to a randomized function of v, we may use the following argument for any fixing of the internal randomness of the adversary; i.e., we may add the adversary’s randomness to the conditioning).
Recall that the reconstruction function \(\mathsf {Rec}\) applies \({\mathsf {Dec}}_0\) on all elements of \(M'\) and outputs a unique valid decoding if it exists (and otherwise, outputs \(\perp \)). In other words, reconstruction is successful if and only if \({\mathsf {Dec}}_0(M') \setminus \{\perp \} = 1\) (observe that it is already guaranteed that \(S' \in M'\) according to list deocdability of \(\mathcal {C}\) which ensures that the correct codeword is always on the list).
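As an added worked example (this is not code from the paper or its authors), the following Python simulates the \(\mathsf {Share}\)/\(\mathsf {Rec}\) procedures above and the robustness argument in their simplest Shamir-style instantiation over a prime field rather than \(\mathbb {F}_Q\) with \(Q=2^q\). The secret is tagged with the AMD code of [8] in the form \(s \mapsto (s, r, r^3 + sr)\); the three tagged symbols become the low-order coefficients of the message polynomial and the remaining t coefficients are uniformly random (playing the role of Z); reconstruction list decodes, then keeps only the candidates whose tag verifies. The brute-force list decoder over all \(k'\)-subsets of positions stands in for the efficient list decoding algorithm and is only practical for the tiny parameters chosen here. The parameters (n = 10, \(k' = 5\), t = 2, up to 3 corruptions, the prime \(p = 2^{61}-1\)) and all function names are choices made for this example. The `corrupt` helper models the adversary of the robustness argument: it adds to three shares a perturbation polynomial \(\Delta \) that vanishes on four other positions, so the list decoder finds a second codeword \(Y+\Delta \) with as many agreements as the genuine one; because \(\Delta \) is chosen without reference to the shares, it is independent of the tag randomness r, and the AMD check rejects it except with probability at most 2/p.

```python
"""Toy robust secret sharing: Shamir over a prime field with an AMD tag on the
secret and brute-force list decoding at reconstruction (added example, not the
paper's code).  All parameter values below are choices made for this example."""
import itertools
import secrets

P = (1 << 61) - 1            # prime field size; characteristic != 3 as the AMD code needs
N = 10                       # number of shares
T = 2                        # privacy: any T shares are uniformly distributed
KP = 3 + T                   # message length k' = 3 AMD symbols + T random symbols
MAX_ERR = 3                  # robustness: up to delta*n = 3 corrupted shares
EVAL_POINTS = list(range(1, N + 1))   # distinct nonzero evaluation points x_1..x_n


def amd_encode(s):
    """AMD code of Cramer et al. [8] with d = 1: (s, r, r^3 + s*r) for random r."""
    r = secrets.randbelow(P)
    return (s, r, (pow(r, 3, P) + s * r) % P)


def amd_decode(word):
    """Return the secret if the tag verifies, else None (the paper's 'bottom')."""
    s, r, tag = word
    return s if (pow(r, 3, P) + s * r) % P == tag else None


def poly_eval(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out


def interpolate(points):
    """Lagrange interpolation of (x, y) pairs into a coefficient list."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])   # multiply by (x - x_j)
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P            # y_i / den via Fermat inverse
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + scale * c) % P
    return coeffs


def share(s):
    """Share: tagged secret in the low coefficients, fresh random high coefficients."""
    coeffs = list(amd_encode(s % P)) + [secrets.randbelow(P) for _ in range(T)]
    return [poly_eval(coeffs, x) for x in EVAL_POINTS]


def list_decode(y):
    """Every degree < KP polynomial agreeing with y on at least N - MAX_ERR positions
    (brute force over KP-subsets; stands in for an efficient list decoder)."""
    found = set()
    for idx in itertools.combinations(range(N), KP):
        coeffs = interpolate([(EVAL_POINTS[i], y[i]) for i in idx])
        agree = sum(poly_eval(coeffs, EVAL_POINTS[i]) == y[i] for i in range(N))
        if agree >= N - MAX_ERR:
            found.add(tuple(coeffs))
    return found


def reconstruct(y):
    """Rec: AMD-decode every list entry; output the unique surviving secret or None."""
    cands = {amd_decode(c[:3]) for c in list_decode(y)}
    cands.discard(None)
    return cands.pop() if len(cands) == 1 else None


def corrupt(y, keep, flip, c):
    """Model adversary from the robustness argument: add Delta(x) = c * prod_{i in
    keep}(x - x_i), a polynomial of degree len(keep) < KP, at the positions in
    `flip`.  Y + Delta is then a second codeword agreeing with the corrupted vector
    on keep + flip, as often as the genuine codeword does, yet Delta was picked
    independently of the shares and hence of the tag randomness r."""
    delta = [c % P]
    for i in keep:
        delta = poly_mul(delta, [(-EVAL_POINTS[i]) % P, 1])
    out = list(y)
    for j in flip:
        out[j] = (out[j] + poly_eval(delta, EVAL_POINTS[j])) % P
    return out


if __name__ == "__main__":
    secret = 123456789
    shares = share(secret)
    bad = corrupt(shares, keep=(0, 1, 2, 3), flip=(4, 5, 6), c=7)
    print("list size:", len(list_decode(bad)), "recovered:", reconstruct(bad) == secret)
```

With these parameters the unique decoding radius of the underlying code is \(\lfloor (n-k')/2 \rfloor = 2\), so three corrupted shares defeat a reconstruction that relies on unique decoding alone, while the list decoder returns both the genuine polynomial and the adversary's \(Y+\Delta \); the tag is what singles out the genuine one.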
Remark 9
The minimum distance bound \(d > \delta n\) in Theorem 8 is only used to make sure that the scheme \((\mathsf {Share}, \mathsf {Rec})\) is a valid coding scheme; i.e., that \(\Pr (\mathsf {Rec}(\mathsf {Share}(s)) = s) = 1\). If instead one is content with \(\Pr (\mathsf {Rec}(\mathsf {Share}(s)) = s) \ge 1-\eta \) (or if \(\mathcal {C}\) has a decoder that produces a list of size 1 given a correct codeword), this requirement can be eliminated.
Remark 10
As mentioned in the proof of Theorem 8, the theorem holds even if the adversary’s observation and perturbation strategies depend on the secret s. This property also holds for Shamir’s original scheme.
4 Instantiations
4.1 Construction based on Reed-Solomon codes
In this section, we instantiate Theorem 8 using folded Reed-Solomon codes. When folding (Definition 7) is applied to the special case of Reed-Solomon codes, we obtain the following definition of folded Reed-Solomon codes.
Definition 11
Let q be a prime power. A folded Reed-Solomon code with block length n, alphabet size \(Q^m\) and message length k can be specified as the image of an encoder \({\mathsf {Enc}}:(\mathbb {F}_Q^{m})^k \rightarrow (\mathbb {F}_Q^{m})^n\) where \({\mathsf {Enc}}(f)\) interprets the input f as a polynomial of degree \(mk-1\) over \(\mathbb {F}_Q\) and outputs a vector \((F_1, \ldots , F_n)\) (where \(F_i \in \mathbb {F}_Q^m\)) such that \(F_i = (f(\alpha _{i, 1}), \ldots , f(\alpha _{i, m}))\) and the sequence \((\alpha _{i, j}:i \in [n], j \in [m])\) is a sequence of distinct evaluation points over \(\mathbb {F}_Q\) explicitly specified by the code design. The rate of the folded Reed-Solomon code is k / n, and the code is linear over \(\mathbb {F}_Q\).
As shown in [15], folded Reed-Solomon codes attain an optimal trade-off between rate and list decoding radius. Specifically, the following is the main result proven^{4} in [15].
Theorem 12
[15, follows from^{5} Theorem 4.4] For any constant parameter \(\rho \in (0,1)\), \(c \ge 1\), and integers \(n> k > 0\), there is a \(p_0 = O(n c/\rho ^2)\) such that for any prime power \(p \ge p_0\), there is an \(\mathbb {F}_p\)-linear folded Reed-Solomon code with message length k and block length n such that for some \(\delta \ge 1-k/n-\rho \), the following hold: (1) The code is list decodable from any \(\delta \) fraction of errors with list size at most L, for some \(L=p^{\Theta (\log (1/\rho ) / \rho )}\); (2) The alphabet size of the code is \(L^{c/\rho }\); (3) The code is linear over \(\mathbb {F}_p\).
We now apply the above result in Theorem 8 to obtain the main result of this section, as follows.
Theorem 13
Proof
Let \(c_0\) be the constant from Theorem 8 and define \(c := \lceil 2 c_0 \rho /\nu \rceil \). Let \(\mathcal {C}\subseteq \mathbb {F}_Q^n\) be an \(\mathbb {F}_p\)-linear folded Reed-Solomon code, where \(p=\Omega (nc/\rho ^2)\) is a power of two to be determined later, as obtained by Theorem 12, of length n, message length \(k' := t+g+1\), and rate \(R := k'/n\), that is list decodable from any \(1-R-\rho =\delta \) fraction of errors with list size bounded by \(L=p^{\Theta (\log (1/\rho ) / \rho )}\). Moreover, we set the alphabet size of the code to be \(Q=L^{c/\rho }\).
We instantiate Theorem 8 with the code \(\mathcal {C}\) to obtain a secret sharing scheme \((\mathsf {Share}, \mathsf {Rec})\) with share length \(q=\log Q= c \log L/\rho \). We now verify that the requirements of Theorem 8 are satisfied for any suitable choice of the secret length k.
First, note that since any folded Reed-Solomon code attains the Singleton bound, the distance d of \(\mathcal {C}\) satisfies \(d = n-k'+1 = (1-R)n+1> (\delta +\rho )n > \delta n\).
We remark that for any (not necessarily robust) secret sharing scheme with the threshold property and gap g, it is known that the share length q must satisfy \(q \ge k/(1+g)\) (cf. [6]). Therefore, the share length achieved by Theorem 13 is essentially optimal.
For the important special case of \(\delta = t/n\) and \(g=0\) we derive the following immediate corollary from Theorem 13.
Corollary 14
Let \(\delta <1/2\) be any fixed constant. For every integer \(n>1/(1-2\delta )\) and parameters \(\eta >0\) and \(\nu > 0\), there is a \(k_0 = O_\nu (\log n)\) such that for any integer \(k \ge k_0\), there is an efficient and perfectly private secret sharing scheme with n shares, secret length k and share length q, where \(q(1-\nu ) \le k + O(\log (k/\eta ))\). The scheme attains a sharp threshold, privacy and robustness parameters equal to \(\delta n\), and robustness error \(\eta \). \(\square \)
4.2 Reducing the share length using algebraic geometry codes
A slight drawback of the result in Corollary 14 is that the share length grows with the number of shares (i.e., \(q \rightarrow \infty \) as \(n \rightarrow \infty \)). This is a direct consequence of the fact that the alphabet size of a Reed-Solomon code must grow with its block length. In order to resolve this issue, we instantiate Theorem 8 with a family of folded algebraic geometry (AG) codes as described in [18]. As we see in this section, for any fixed \(\delta < 1/2\), this results in a secret sharing scheme with privacy and robustness parameters \(\delta n\) and constant alphabet size (depending on \(1-2\delta \)).
Theorem 15
[18, Theorem 4.3] For any \(\rho > 0\) and any real \(R \in (0,1)\), one can construct a folded algebraic geometry code over an alphabet of size \(Q=(1/\rho )^{O(1/\rho ^2)}\) with rate at least R and decoding radius \(\delta = 1 - R - \rho \) such that the length n of the code tends to infinity and is independent of \(\rho \). Moreover, the code is deterministically list decodable with a list size \(O(n^{1/\rho ^2})\). Given a polynomial (in n) amount of preprocessed information about the code, the algorithm runs in deterministic polynomial time.
We now instantiate the general construction of Theorem 8 using the above result.
Theorem 16
Proof
The proof is similar to that of Theorem 13, but uses the folded algebraic geometry codes of Theorem 15 instead of folded Reed-Solomon codes.
Let \(\rho ' = \Theta (\rho )\) be a parameter to be determined later. Let \(\mathcal {C}\) be a folded algebraic geometry code of length^{6} n and rate \(R = 1-\delta -\rho '\) over an alphabet of size \(Q=(1/\rho )^{\Theta (1/\rho ^2)}\) that is list decodable from any \(\delta \) fraction of errors with list size \(L = O(n^{1/{\rho '}^2})\). Let \(k' := Rn\) be the message length of \(\mathcal {C}\). We apply Theorem 8 to this code to obtain a secret sharing scheme \((\mathsf {Share}, \mathsf {Rec})\) with n shares of length \(q =\log Q = \Theta (\log (1/\rho )/\rho ^2)\). Now we set up the parameters so as to satisfy the requirements of Theorem 8.
We observe that the construction of Theorem 15 uses function fields over Garcia-Stichtenoth towers, and the parameters are set up so that the genus G of the function field can be made at most \(\rho ' nm\), where m is the depth of folding; in other words, nm is the block length of the code before folding. Therefore, by the Riemann-Roch Theorem ([26, Theorem 1.5.15 combined with Corollary 2.2.3]), the minimum distance of \(\mathcal {C}\) is greater than \(n-k'-G/m \ge n-k'-\rho ' n = n(1-R-\rho ') = \delta n\).
Finally, by Theorem 8, the scheme satisfies the threshold property with gap \(g = n-t-d \le n(1-\frac{t}{n}-\delta )\), as desired. \(\square \)
From this result, we obtain the following corollary.
Corollary 17
Proof
We simply apply Theorem 16 with constant \(\rho ' := \rho /2\) (for the parameter \(\rho \) required by Theorem 16) to obtain a secret sharing scheme \((\mathsf {Share}, \mathsf {Rec})\) with cn shares, secret length k, share length \(q_0 = O(\log (1/\rho )/\rho ^2)\), robustness \(\delta cn\), and privacy parameter \(t := \lceil \gamma cn \rceil \).
Corollary 17, in turn, immediately implies the following result on robust secret sharing with privacy and robustness parameters \(\delta n\) for any \(\delta < 1/2\).
Corollary 18
For any constant \(\rho > 0\) and any \(\delta \le 1/2-\rho \), there is a \(q_0=O(\log (1/\rho )/\rho ^2)\) such that for any \(q \ge q_0\) and integers \(k > 0\) and \(n \ge k/(\rho q)\), the following holds. There is a perfectly private secret sharing scheme with n shares, secret length k, and share length at most 2q. The scheme attains privacy and robustness parameters equal to \(\delta n\) and error \(\eta = \exp (-\Omega (\rho nq))\), and satisfies the threshold property with gap at most \(2\rho n\). The scheme is efficient given a polynomial (in n) amount of preprocessed information about the scheme. \(\square \)
Compared with the result of Corollary 14 obtained from Reed-Solomon codes, we see that the share length q can be chosen to be a constant (depending on the difference \(1/2-\delta \)), and at the same time the number of shares can be made arbitrarily large. However, for this to be possible when the designed share length is small, the number of shares n needs to be large enough^{7} so that \(n \ge k/(\rho q)\). In Sect. 4.3 we show that this is necessary for any robust secret sharing scheme with share length q that attains privacy and robustness parameters close to n / 2.
Limitations of the method. As we have shown in this section, our framework can lead to robust secret sharing schemes against any fixed \(\tau \) fraction of leaked shares (privacy) and any fixed \(\delta \) fraction of corruptions (robustness) as long as \(\tau +\delta < 1\), and we obtain a nearly optimal guarantee in terms of the share length in all cases. It is natural to ask whether \(\rho := 1-\delta -\tau \) can be made sub-constant. For example, in the maximum corruption scenario, where t shares are observed and corrupted for \(n=2t+1\), we have \(\rho = 1/n\), and more generally for \(n=2t+c\) we have \(\rho = c/n\). To provide such guarantees, MDS-type list decodable codes of rate R that are robust against any \(1-R-\rho \) fraction of errors with small list sizes would be required. Currently, the state of the art in explicit constructions of linear list decodable codes does not obtain sharp guarantees in the sub-constant \(\rho \) regime. Furthermore, general combinatorial negative bounds are known for any (even non-linear) list decodable code. A simple probabilistic argument shows that, for any \(\rho \), there are list decodable codes that achieve a list size of at most \(1/\rho \) and alphabet size \(\exp (O(1/\rho ))\) [14]. Furthermore, an alphabet size of \(\exp (\Omega (1/\rho ))\) is necessary even for non-linear codes [17, Chap. 3].
Currently, it is not known whether there are linear MDS-type codes matching the list decoding guarantees of fully random codes for the range of parameters discussed above. However, even if this turns out to be the case, the above-mentioned combinatorial lower bound on the alphabet size limits the allowed share lengths for the resulting secret sharing scheme. For Shamir’s original scheme (as well as our scheme based on Reed-Solomon codes), the number of shares n for share length k can be at most \(\exp (O(k))\), which is a reasonable restriction for cryptographic purposes (in other words, the minimum allowed share length for a given number of shares n while preserving the zero overhead in the share length is \(\Omega (\log n)\)). If we instantiate our result with an optimal list decodable code achieving \(\rho = c/n\), the share length becomes \(\Theta (1/\rho )=\Theta (n/c)\), which means that the minimum allowed secret length k becomes \(\Omega (n/c)\). In other words, for constant c (i.e., the maximum robustness regime of \(n=2t+c\)) our share length must be \(\Omega (n)\), whereas for the non-robust Shamir scheme, the share length (which is equal to the secret length) can be as small as \(\log n\). Note that, for this regime, the linear dependence of the share length on n is not due to the overhead being suboptimal (the overhead always remains nearly optimal since it depends on the list size and not the alphabet size of the code). The dependence is simply due to the restriction on the allowed secret length k (which must be at least \(k_0\) for some \(k_0=\Omega (n/c)\)).
4.3 Optimality
In this section we briefly demonstrate that, for a general share length q, a robust secret sharing scheme satisfying (7) for arbitrarily small \(\rho > 0\) is essentially optimal (even if the threshold property is not a concern). This can be shown by a straightforward reduction from the wiretap channel problem.
1. Whether the reconstruction and secrecy requirements are defined with respect to a uniformly random secret S or, more stringently, the worst case secret,
2. The choice of the main and wiretap channels, and
3. The notion of secrecy. In weak secrecy, the requirement is the mutual information security (cf. [4]) of the form
$$\begin{aligned} I(S;Y') \le \epsilon k, \end{aligned}$$
where \(Y'\) is the wiretap channel’s output, for arbitrarily small \(\epsilon > 0\). A much stronger notion is semantic security (formalized in [4]) which requires that there must be a distribution \({\mathcal {D}}\), determined by the coding scheme, such that for every fixed secret \(s \in \mathbb {F}_2^k\), the wiretap channel’s output is statistically \(\epsilon \)-close to \({\mathcal {D}}\).
It is immediate that a robust secret sharing scheme (as formulated in Definition 4) satisfies the requirements of the wiretap channel problem formulated above, provided that the robustness parameter is set to \(\delta n := (p'+\rho ')n\), for an arbitrarily small \(\rho ' > 0\), and the privacy parameter is set to \(t :=\lceil (1-p+\rho ')n \rceil \).
In fact, a secret sharing scheme is a stronger object than needed, since it allows the erasure positions and also the perturbations to be adaptively chosen by the adversary. Moreover, it provides secrecy for worst-case secrets as well as semantic security (in fact, recall that our constructions achieve perfect secrecy; i.e., semantic security with \(\epsilon =0\)).
By Chernoff bounds, the probability \(\eta '\) that the fraction of erasures for the adversary is less than \(p-\rho '\) or the fraction of perturbations in the direct channel is more than \(p'+\rho '\) is exponentially small (i.e., at most \(\eta ' = \exp (-\Omega (n))\) for any constant \(\rho ' > 0\)). It follows that the correctness requirement of the wiretap channel problem can be satisfied with error at most \(\eta +\eta '=o(1)\) (provided that \(\eta =o(1)\)) and, moreover, semantic secrecy is also satisfied with a statistical error of \(\epsilon \le \eta '\) (where the choice of \({\mathcal {D}}\) would be the uniform distribution over \(\mathbb {F}_Q^t\)).
Footnotes
 1.
It should however be noted that any (robust) ramp secret sharing scheme can be modified to also satisfy a sharp threshold by simply adding Shamir shares to each existing share, at the cost of increasing the share lengths by the length of the secret.
 2.
It is important to not confuse the randomness of the choice of h with the internal randomness of the encoder; the randomness of h comes from the code construction, and once a good choice of h is fixed once and for all, the encoder and decoder are properly defined and provide the expected guarantees.
 3.
The statistical distance between two distributions \({\mathcal {D}}\) and \({\mathcal {D}}'\) over a finite support \(\Omega \) is defined as \( \mathsf {dist}({\mathcal {D}}, {\mathcal {D}}') := \frac{1}{2} \sum _{x \in \Omega } |{\mathcal {D}}(x) - {\mathcal {D}}'(x)| \) and the two distributions are said to be \(\epsilon \)-close (denoted by \({\mathcal {D}}\approx _\epsilon {\mathcal {D}}'\)) if \(\mathsf {dist}({\mathcal {D}}, {\mathcal {D}}') \le \epsilon \). In this work, we focus on perfect privacy; i.e., \(\epsilon = 0\).
 4.
As stated in [15], the result is not shown for all choices of the block length n. However, trivially one can obtain a family of codes for all block lengths by adding additional evaluation points that are not used by the decoder, without incurring an adverse effect in the asymptotic bounds.
 5.
The construction and analysis for this result are precisely as in [15] with the following additional considerations: The construction of [15] considers an m-level folding of the Reed-Solomon code with the smallest possible unfolded alphabet size (which is nm) and \(m = O(1/\rho ^2)\). Here, we consider an additional parameter \(c \ge 1\) and allow a larger folding of \(m = O(c/\rho ^2)\), to have additional control over the alphabet size of the folded code compared with its list size. We furthermore allow the unfolded alphabet size p to be possibly larger than the minimum required size of nm. Finally, we upper bound the term 1/R in [15] by \(O(1/\rho )\), noticing that when R is small, it is always possible to design a code at a slightly higher rate first and then truncate the message space to the desired length k.
 6.
Even though Theorem 15 constructs codes for infinitely many choices of n, without loss of generality one can assume that there is a code for every n. Since the set of block lengths for which the family contains a code is sufficiently dense, this can be ensured by trivial padding without any loss in the asymptotic parameters.
 7.
Note that such a requirement is not a barrier for Reed-Solomon-based constructions such as Shamir’s scheme and the result of Theorem 13, since we have \(q \ge k\) in those schemes.
Acknowledgements
The author thanks Ronald Cramer, Venkatesan Guruswami, Rei Safavi-Naini, and Daniel Wichs for illuminating discussions on their related work.
References
1. Blakley G.R.: Safeguarding cryptographic keys. In: National Computer Conference, vol. 48, pp. 313–317. Springer (1979).
2. Bishop A., Pastro V.: Robust secret sharing schemes against local adversaries. In: Proceedings of Public-Key Cryptography (PKC), pp. 327–356 (2016).
3. Bishop A., Pastro V., Rajaraman R., Wichs D.: Essentially optimal robust secret sharing with maximal corruptions. In: Proceedings of the 35th Annual International Conference on the Theory and Applications of Cryptographic Techniques (EUROCRYPT 2016), pp. 58–86 (2016).
4. Bellare M., Tessaro S., Vardy A.: Semantic security for the wiretap channel. In: Proceedings of Advances in Cryptology, CRYPTO 2012, Lecture Notes in Computer Science, vol. 7417, pp. 294–311. Springer (2012).
5. Chen H., Cramer R.: Algebraic geometric secret sharing schemes and secure multiparty computations over small fields. In: Advances in Cryptology—CRYPTO 2006, Lecture Notes in Computer Science, vol. 4117, pp. 521–536. Springer (2006).
6. Cramer R., Damgård I., Döttling N., Fehr S., Spini G.: Linear secret sharing schemes from error correcting codes and universal hash functions. In: Advances in Cryptology—EUROCRYPT 2015, Lecture Notes in Computer Science, vol. 9057, pp. 313–336. Springer (2015).
7. Cramer R., Damgård I., Fehr S.: On the cost of reconstructing a secret, or VSS with optimal reconstruction phase. In: Proceedings of Advances in Cryptology, CRYPTO 2001, Lecture Notes in Computer Science, vol. 2139, pp. 503–523. Springer (2001).
8. Cramer R., Dodis Y., Fehr S., Padró C., Wichs D.: Detection of algebraic manipulation with applications to robust secret sharing and fuzzy extractors. In: Advances in Cryptology, EUROCRYPT 2008, Lecture Notes in Computer Science, vol. 4965, pp. 471–488. Springer (2008).
9. Cramer R., Damgård I., Nielsen J.B.: Secure Multiparty Computation and Secret Sharing. Cambridge University Press, Cambridge (2015).
10. Cevallos A., Fehr S., Ostrovsky R., Rabani Y.: Unconditionally-secure robust secret sharing with compact shares. In: Proceedings of Advances in Cryptology, EUROCRYPT 2012, Lecture Notes in Computer Science, vol. 7237, pp. 195–208. Springer (2012).
11. Csiszár I., Körner J.: Broadcast channels with confidential messages. IEEE Trans. Inf. Theory 24(3), 339–348 (1978).
12. Cabello S., Padró C., Sáez G.: Secret sharing schemes with detection of cheaters for a general access structure. In: Proceedings of Fundamentals of Computation Theory, Lecture Notes in Computer Science, vol. 1684, pp. 185–194. Springer (1999).
13. Cramer R., Padró C., Xing C.: Optimal Algebraic Manipulation Detection Codes in the Constant-Error Model, pp. 481–501. Springer, Berlin (2015).
14. Elias P.: Error-correcting codes for list decoding. IEEE Trans. Inf. Theory 37(1), 5–12 (1991).
15. Guruswami V., Rudra A.: Explicit codes achieving list decoding capacity: error-correction with optimal redundancy. IEEE Trans. Inf. Theory 54(1), 135–150 (2008).
16. Guruswami V., Smith A.: Codes for computationally simple channels: explicit constructions with optimal rate. In: Proceedings of the 51st Annual IEEE Symposium on Foundations of Computer Science (FOCS 2010), pp. 723–732 (2010).
17. Guruswami V.: Algorithmic results in list decoding. Found. Trends Theor. Comput. Sci. 2(2), 107–195 (2007).
18. Guruswami V., Xing C.: Optimal rate list decoding of folded algebraic-geometric codes over constant-sized alphabets. In: SODA, pp. 1858–1866 (2014).
19. Ishai Y., Ostrovsky R., Seyalioglu H.: Identifying cheaters without an honest majority. In: Proceedings of Theory of Cryptography (TCC 2012), Lecture Notes in Computer Science, vol. 7194, pp. 21–38. Springer (2012).
20. Leung-Yan-Cheong S.: On a special class of wiretap channels (corresp.). IEEE Trans. Inf. Theory 23(5), 625–627 (1977).
21. Rabin T., Ben-Or M.: Verifiable secret sharing and multiparty protocols with honest majority. In: Proceedings of the Twenty-first Annual ACM Symposium on Theory of Computing (STOC ’89), pp. 73–85 (1989).
22. Roth R.M.: Introduction to Coding Theory. Cambridge University Press, Cambridge (2006).
23. Shamir A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979).
24. Safavi-Naini R., Wang P.: A model for adversarial wiretap channels and its applications. J. Inf. Process. 23(5), 554–561 (2015).
25. Stinson D.R.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2(4), 357–390 (1992).
26. Stichtenoth H.: Algebraic Function Fields and Codes, 2nd edn. Springer, Berlin (2009).
27. Wyner A.D.: The wiretap channel. Bell Syst. Tech. J. 54, 1355–1387 (1975).
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.