Abstract
Threshold changeable secret sharing studies the problem of changing the thresholds of a secret sharing scheme after the shares of the initial scheme have been distributed to players. We focus on the most studied scenario of dealer-free threshold increase in the absence of secure channels with an outsider adversary. Previous theoretical works in this scenario only consider an unchanged privacy threshold and define optimal threshold changeable secret sharing schemes as ones meeting the bounds in this case. We highlight increasing the privacy threshold as an independent design goal on top of increasing the reconstruction threshold. We prove new bounds for the above threshold increase scenario with respect to a new privacy threshold that is possibly bigger than the initial privacy threshold. We similarly define an optimal threshold changeable secret sharing scheme as one that achieves equality in all these bounds. A trade-off between the new privacy threshold and the required combiner communication complexity is discovered, and new optimal schemes for the case when the privacy threshold also increases are identified. These theoretical results put our new construction of threshold changeable secret sharing on firm ground. Our threshold changeable ramp scheme does not need a priori knowledge of the targeted thresholds to design the protocol and allows conversion into a ramp scheme with arbitrary new reconstruction thresholds, while the privacy threshold grows proportionally as the reconstruction threshold grows. Previous such schemes were only known from lattice-based constructions that use a non-standard privacy definition. Our new schemes are statistical secret sharing schemes that guarantee indistinguishability of shares up to the new privacy threshold.
Notes
1. It should be understood that the bounds in Theorem 1 are derived assuming \(\varepsilon =\delta =0\) and hence are only used here as an indication of being almost optimal.
References
Blakley, G.R., et al.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, vol. 48 (1979)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Desmedt, Y., Jajodia, S.: Redistributing secret shares to new access structures and its applications (1997)
Martin, K.M., Pieprzyk, J., Safavi-Naini, R., Wang, H.: Changing thresholds in the absence of secure channels. In: Pieprzyk, J., Safavi-Naini, R., Seberry, J. (eds.) ACISP 1999. LNCS, vol. 1587, pp. 177–191. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48970-3_15
Blundo, C., Cresti, A., De Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_10
Barwick, S.G., Jackson, W.-A., Martin, K.M.: Updating the parameters of a threshold scheme by minimal broadcast. IEEE Trans. Inf. Theory 51(2), 620–633 (2005)
Martin, K.M., Safavi-Naini, R., Wang, H.: Bounds and techniques for efficient redistribution of secret shares to new access structures. Comput. J. 42(8), 638–649 (1999)
Maeda, A., Miyaji, A., Tada, M.: Efficient and unconditionally secure verifiable threshold changeable scheme. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 403–416. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-47719-5_32
Wang, H., Wong, D.S.: On secret reconstruction in secret sharing schemes. IEEE Trans. Inf. Theory 54(1), 473–480 (2008)
Zhang, Z., Chee, Y.M., Ling, S., Liu, M., Wang, H.: Threshold changeable secret sharing schemes revisited. Theoret. Comput. Sci. 418, 106–115 (2012)
Jia, X., Wang, D., Nie, D., Luo, X., Sun, J.Z.: A new threshold changeable secret sharing scheme based on the Chinese Remainder Theorem. Inf. Sci. 473, 13–30 (2019)
Steinfeld, R., Pieprzyk, J., Wang, H.: Lattice-based threshold changeability for standard Shamir secret-sharing schemes. IEEE Trans. Inf. Theory 53(7), 2542–2559 (2007)
Steinfeld, R., Pieprzyk, J., Wang, H.: Lattice-based threshold-changeability for standard CRT secret-sharing schemes. Finite Fields Appl. 12(4), 653–680 (2006)
Lin, F., Cheraghchi, M., Guruswami, V., Safavi-Naini, R., Wang, H.: Secret sharing with binary shares. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)
Huang, W., Langberg, M., Kliewer, J., Bruck, J.: Communication efficient secret sharing. IEEE Trans. Inf. Theory 62(12), 7195–7206 (2016)
Bitar, R., El Rouayheb, S.: Staircase codes for secret sharing with optimal communication and read overheads. IEEE Trans. Inf. Theory 64(2), 933–943 (2017)
Martínez-Peñas, U.: Communication efficient and strongly secure secret sharing schemes based on algebraic geometry codes. IEEE Trans. Inf. Theory 64(6), 4191–4206 (2018)
Blundo, C., De Santis, A., Vaccaro, U.: Efficient sharing of many secrets. In: Enjalbert, P., Finkel, A., Wagner, K.W. (eds.) STACS 1993. LNCS, vol. 665, pp. 692–703. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-56503-5_68
Acknowledgements
We thank the anonymous reviewers for their comments that improve the presentation of this work. The research is supported by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S) and RG133/17 (S).
Appendices
A Proof of Lemma 2
Proof
For each participant \(P_i\), \(i\in [n]\), let the original share of \(P_i\) be \(\mathbf {S}_i\) and the new share of \(P_i\) be \(\mathbf {S}'_i\). Here \(\mathbf {S}_i\) and \(\mathbf {S}'_i\) are random variables, \(i\in [n]\). Then the quantity \(\mathsf {H}(\mathbf {S}_i)\) is referred to as the size of \(P_i\)’s initial share and \(\mathsf {H}(\mathbf {S}'_i)\) as the size of \(P_i\)’s new share.
We first prove \(t'\ge t\). Since the new shares are generated from the initial shares by applying deterministic functions, they carry no information beyond what is already contained in the initial shares. It follows that any set of t new shares contains no information about the secret, hence \(t'\ge t\).
We next prove \(r'-t'>r-t\). Assume by contradiction that we have \(r'-t'\le r-t\). Since \(\mathsf {\Pi }\) and \(\mathsf {\Pi }^{\prime }\) both have minimum share size, we have \(\mathsf {H}(\mathbf {S}_i)= \mathsf {H}(\mathbf {S})/(r-t)\) and \(\mathsf {H}(\mathbf {S'}_i)= \mathsf {H}(\mathbf {S})/(r'-t')\) from [18]. We then have \(\mathsf {H}(\mathbf {S}_i)\le \mathsf {H}(\mathbf {S'}_i)\). Since the conversion function \(h_i\) is deterministic, we know that \(\mathsf {H}(\mathbf {S}'_i\mid \mathbf {S}_i)=0\). On the other hand, by the chain rule of mutual information, we have
Substituting \(\mathsf {H}(\mathbf {S}'_i\mid \mathbf {S}_i)=0\), we deduce that
where the inequality follows from the fact that \(\mathsf {H}(\mathbf {S}_i)\le \mathsf {H}(\mathbf {S'}_i)\). Clearly \(\mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)\) cannot be negative. We are left with \(\mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)=0\), which means there is a one-to-one correspondence between shares from \(\mathsf {\Pi }\) and \(\mathsf {\Pi }^{\prime }\). That is, the smallest number of new shares that can reconstruct the full secret in \(\mathsf {\Pi }^{\prime }\) must be r, which contradicts the fact that \(r'>r\).
B Semi-insider Secure \((t,r,n)\rightarrow (t',r',n)\) Ramp Scheme
The following construction is a simple adaptation of a construction of optimal communication efficient secret sharing [9].
Let \(g=r-t\) and \(g'=r'-t\). We first parse the secret into v parts: \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(v)}\), where each \(\mathbf {s}^{(j)}\in \mathbb {F}_q^g\). Now we share \(\mathbf {s}^{(1)}\) using a (t, r, n)-ramp scheme \(\mathsf {\Pi }^{(1)}\) with minimum share size, such as the polynomial based construction. We denote the share vector thus obtained by \((s_1^{(1)},\ldots ,s_n^{(1)})\). Then we share \(\mathbf {s}^{(1)}||\mathbf {s}^{(2)}\) using the \((t,r+g,n)\)-ramp scheme \(\mathsf {\Pi }^{(2)}\) with randomness independent from the randomness in the previous step. We denote the share vector thus obtained by \((s_1^{(2)},\ldots ,s_n^{(2)})\). We iterate this process for positive integer \(j\le v\) and share \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(j)}\) using the \((t,r+(j-1)g,n)\)-ramp scheme \(\mathsf {\Pi }^{(j)}\) with randomness independent from the randomness in all previous steps. We denote the share vector thus obtained by \((s_1^{(j)},\ldots ,s_n^{(j)})\). Finally, for \(i\in [n]\), we let
be the share of the ith player and obtain a ramp scheme \(\mathsf {\Pi }\) with share vector \((S_1,\ldots ,S_n)\).
We now show that \(\mathsf {\Pi }\) is a (t, r, n)-ramp scheme with minimum share size. Firstly, the t-privacy follows from the fact that all \(\mathsf {\Pi }^{(j)}\)’s have privacy threshold t and they use independent randomness. Secondly, from any r shares \(S_{i_1},\ldots ,S_{i_r}\) of \(\mathsf {\Pi }\), we can extract r shares \(s_{i_1}^{(j)},\ldots ,s_{i_r}^{(j)}\) of \(\mathsf {\Pi }^{(j)}\) for each \(j\in [v]\). Now given r shares \(s_{i_1}^{(1)},\ldots ,s_{i_r}^{(1)}\) of \(\mathsf {\Pi }^{(1)}\), its secret \(\mathbf {s}^{(1)}\) can be fully recovered. The knowledge of \(\mathbf {s}^{(1)}\) together with r shares \(s_{i_1}^{(2)},\ldots ,s_{i_r}^{(2)}\) of \(\mathsf {\Pi }^{(2)}\) uniquely determines its secret \(\mathbf {s}^{(1)}||\mathbf {s}^{(2)}\). By iterating this process, the full secret \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(v)}\) can be reconstructed. A dealer algorithm \(\mathsf {D}\) and a combiner algorithm \(\mathsf {C}\) for \(\mathsf {\Pi }\) can be built from the dealer algorithms \(\{\mathsf {D}^{(j)}\}_{j\in [v]}\) and combiner algorithms \(\{\mathsf {C}^{(j)}\}_{j\in [v]}\) of \(\{\mathsf {\Pi }^{(j)}\}_{j\in [v]}\), respectively. Finally, the secret consists of \(g'=vg\) finite field elements while each share of \(\mathsf {\Pi }\) consists of v finite field elements. The scheme \(\mathsf {\Pi }\) obviously has the minimum share size.
We next define a share conversion algorithm \(\{h_i\}_{i\in [n]}\) to transform the scheme \(\mathsf {\Pi }\) into \(\mathsf {\Pi }'\) that is a \((t,r',n)\)-ramp scheme. Let
The new combiner algorithm is \(\mathsf {C}'=\mathsf {C}^{(v)}\).
We show that \(\mathsf {\Pi }'\) with share vector \((S'_1,\ldots ,S'_n)\), where \(S'_i=h_i(S_i)\), is a \((t,r',n)\)-ramp scheme with minimum share size. This is trivial, since \((S'_1,\ldots ,S'_n)\) is just the share vector of \(\mathsf {\Pi }^{(v)}\), which is a \((t,r',n)\)-ramp scheme with minimum share size by construction.
Let us re-examine the construction above and show security against a semi-insider adversary. A share of the packed scheme \(\mathsf {\Pi }\) consists of shares from distinct schemes \(\mathsf {\Pi }^{(1)},\ldots ,\mathsf {\Pi }^{(v)}\) sharing related secrets using independent randomness. One special advantage of this structure is that a subset \(\mathcal {A}^{(j_1)}\) of the shares of \(\mathsf {\Pi }^{(j_1)}\) and a subset \(\mathcal {A}^{(j_2)}\) of the shares of \(\mathsf {\Pi }^{(j_2)}\) for \(j_1\ne j_2\) are independent if one subset is of size at most t. This means that even if at most t shareholders do not erase their original shares of \(\mathsf {\Pi }\) after the transformation from \(\mathsf {\Pi }\) into \(\mathsf {\Pi }'\) through applying the transformation algorithm \(\{h_i\}_{i\in [n]}\), the at most t dishonestly kept shares of \(\mathsf {\Pi }\) contribute the same amount of information to the transformed scheme \(\mathsf {\Pi }'\) as the transformed partial shares, since the dishonestly kept extra partial content of the original shares is independent of the share vectors of \(\mathsf {\Pi }'\).
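The layered construction of Appendix B can be exercised end to end with the following added example, which is not code from the paper. It assumes a prime field in place of \(\mathbb {F}_q\), a polynomial-based ramp scheme whose low-order coefficients carry the secret, player i evaluating at point i, a packed share \(S_i=(s_i^{(1)},\ldots ,s_i^{(v)})\), and \(h_i\) keeping only the \(\mathsf {\Pi }^{(v)}\) component (the last two are read off the surrounding text, since the displayed definitions are missing here); all function names are hypothetical.

```python
import secrets

P = 2**61 - 1  # prime modulus standing in for F_q (assumption)

def evalpoly(c, x):
    y = 0
    for a in reversed(c):
        y = (y * x + a) % P
    return y

def interpolate(pts):
    """Coefficients, low degree first, of the polynomial of degree < len(pts)."""
    out = [0] * len(pts)
    for i, (xi, yi) in enumerate(pts):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(pts):
            if j != i:  # basis *= (x - xj)
                basis = [(a - xj * b) % P for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % P
        scale = yi * pow(denom, -1, P) % P
        out = [(o + scale * b) % P for o, b in zip(out, basis)]
    return out

def deal(secret, t, r, n):
    """D: S_i = (s_i^(1), ..., s_i^(v)); player i is evaluation point i."""
    g = r - t
    shares = {i: [] for i in range(1, n + 1)}
    for j in range(1, len(secret) // g + 1):
        # Pi^(j): j*g secret coefficients, then t fresh random ones
        poly = list(secret[:j * g]) + [secrets.randbelow(P) for _ in range(t)]
        for i in shares:
            shares[i].append(evalpoly(poly, i))
    return shares

def combine(subset, t, r):
    """C: from r packed shares, recover s^(1), then s^(2) given s^(1), ..."""
    known = []
    for j in range(len(next(iter(subset.values())))):
        shift = len(known)  # number of coefficients already recovered
        pts = [(x, (S[j] - evalpoly(known, x)) * pow(x, -shift, P) % P)
               for x, S in subset.items()]
        known += interpolate(pts)[:r - t]
    return known

def convert(S):
    """h_i: keep only the Pi^(v) component of the packed share."""
    return S[-1]

def combine_new(subset, t, r_new):
    """C' = C^(v): plain interpolation from r' converted shares."""
    return interpolate(list(subset.items()))[:r_new - t]
```
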
© 2019 Springer Nature Switzerland AG
Cite this paper
Lin, F., Ling, S., Wang, H., Zeng, N. (2019). Threshold Changeable Ramp Secret Sharing. In: Mu, Y., Deng, R., Huang, X. (eds) Cryptology and Network Security. CANS 2019. Lecture Notes in Computer Science, vol 11829. Springer, Cham. https://doi.org/10.1007/978-3-030-31578-8_17
DOI: https://doi.org/10.1007/978-3-030-31578-8_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-31577-1
Online ISBN: 978-3-030-31578-8
eBook Packages: Computer Science (R0)