Secret Sharing Lower Bound: Either Reconstruction is Hard or Shares are Long

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 12238)


A secret sharing scheme allows a dealer to distribute shares of a secret among a set of n parties \(P=\{p_1,\dots ,p_n\}\) such that any authorized subset of parties can reconstruct the secret, yet any unauthorized subset learns nothing about it. The family \(\mathcal {A} \subseteq 2^P\) of all authorized subsets is called the access structure. Classic results show that if \(\mathcal {A}\) contains precisely all subsets of cardinality at least t, then there exists a secret sharing scheme where the length of the shares is proportional to \(\lg n\) bits plus the length of the secret. However, for general access structures, the best known upper bounds have shares of length exponential in n, whereas the strongest lower bound shows that the shares must have length at least \(n/\lg n\). Beimel conjectured that the exponential upper bound is tight, but proving it has so far resisted all attempts. In this paper we make progress towards proving the conjecture by showing that there exists an access structure \(\mathcal {A}\), such that any secret sharing scheme for \(\mathcal {A}\) must have either exponential share length, or the function used for reconstructing the secret by authorized parties must have an exponentially long description. As an example corollary, we conclude that if one insists that authorized parties can reconstruct the secret via a constant fan-in boolean circuit of size polynomial in the share length, then there exists an access structure that requires a share length that is exponential in n.


  1. 1.
    Applebaum, B., Arkis, B.: On the power of amortization in secret sharing: d-uniform secret sharing and CDS with constant information rate. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11239, pp. 317–344. Springer, Cham (2018). Scholar
  2. 2.
    Applebaum, B., Arkis, B., Raykov, P., Vasudevan, P.N.: Conditional disclosure of secrets: amplification, closure, amortization, lower-bounds, and separations. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 727–757. Springer, Cham (2017). Scholar
  3. 3.
    Applebaum, B., Beimel, A., Farràs, O., Nir, O., Peter, N.: Secret-sharing schemes for general and uniform access structures. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 441–471. Springer, Cham (2019). Scholar
  4. 4.
    Babai, L., Gál, A., Wigderson, A.: Superpolynomial lower bounds for monotone span programs. Combinatorica 19(3), 301–319 (1999)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Beimel, A.: Secure schemes for secret sharing and key distribution. Technion-Israel Institute of technology, Faculty of computer science (1996)Google Scholar
  6. 6.
    Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., et al. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011). Scholar
  7. 7.
    Beimel, A., Franklin, M.: Weakly-private secret sharing schemes. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 253–272. Springer, Heidelberg (2007). Scholar
  8. 8.
    Beimel, A., Ishai, Y., Kumaresan, R., Kushilevitz, E.: On the cryptographic complexity of the worst functions. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 317–342. Springer, Heidelberg (2014). Scholar
  9. 9.
    Beimel, A., Orlov, I.: Secret sharing and non-Shannon information inequalities. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 539–557. Springer, Heidelberg (2009). Scholar
  10. 10.
    Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: 20th Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 2–4 May 1988, pp. 1–10. ACM Press (1988)Google Scholar
  11. 11.
    Blakley, G.R.: Safeguarding cryptographic keys, pp. 313–317. AFIPS Press (1979)Google Scholar
  12. 12.
    Blundo, C., De Santis, A., Gargano, L., Vaccaro, U.: On the information rate of secret sharing schemes. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 148–167. Springer, Heidelberg (1993). Scholar
  13. 13.
    Bogdanov, A., Guo, S., Komargodski, I.: Threshold secret sharing requires a linear size alphabet. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 471–484. Springer, Heidelberg (2016). Scholar
  14. 14.
    Capocelli, R.M., De Santis, A., Gargano, L., Vaccaro, U.: On the size of shares for secret sharing schemes. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 101–113. Springer, Heidelberg (1992). Scholar
  15. 15.
    Chakraborty, D., Kamma, L., Larsen, K.G.: Tight cell probe bounds for succinct Boolean matrix-vector multiplication. In: Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing, STOC 2018, Los Angeles, CA, USA, 25–29 June 2018, pp. 1297–1306 (2018)Google Scholar
  16. 16.
    Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols (extended abstract). In: 20th Annual ACM Symposium on Theory of Computing, Chicago, IL, USA, 2–4 May 1988, pp. 11–19. ACM Press (1988)Google Scholar
  17. 17.
    Csirmaz, L.: The size of a share must be large. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 13–22. Springer, Heidelberg (1995). Scholar
  18. 18.
    Csirmaz, L.: The dealer’s random bits in perfect secret sharing schemes. Studia Scientiarum Mathematicarum Hungarica 32(3), 429–438 (1996)MathSciNetzbMATHGoogle Scholar
  19. 19.
    Gay, R., Kerenidis, I., Wee, H.: Communication complexity of conditional disclosure of secrets and attribute-based encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 485–502. Springer, Heidelberg (2015). Scholar
  20. 20.
    Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in private information retrieval schemes. In: 30th Annual ACM Symposium on Theory of Computing, Dallas, TX, USA, 23–26 May 1998, pp. 151–160. ACM Press (1988)Google Scholar
  21. 21.
    Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. Electron. Commun. Jpn. (Part III Fundam. Electron. Sci.) 72(9), 56–64 (1989)MathSciNetCrossRefGoogle Scholar
  22. 22.
    Karchmer, M., Wigderson, A.: On span programs. In: Proceedings of the Eighth Annual Structure in Complexity Theory Conference 1993, pp. 102–111. IEEE (1993)Google Scholar
  23. 23.
    Karnin, E., Greene, J., Hellman, M.: On secret sharing systems. IEEE Trans. Inf. Theory 29(1), 35–41 (1983)MathSciNetCrossRefGoogle Scholar
  24. 24.
    Larsen, K.G.: The cell probe complexity of dynamic range counting. In: Proceedings of the 44th Symposium on Theory of Computing Conference, STOC 2012, New York, NY, USA, 19–22 May 2012, pp. 85–94 (2012)Google Scholar
  25. 25.
    Larsen, K.G.: Higher cell probe lower bounds for evaluating polynomials. In: 53rd Annual IEEE Symposium on Foundations of Computer Science, FOCS 2012, New Brunswick, NJ, USA, 20–23 October 2012, pp. 293–301 (2012)Google Scholar
  26. 26.
    Larsen, K.G., Nelson, J.: Optimality of the Johnson-Lindenstrauss lemma. In: 58th IEEE Annual Symposium on Foundations of Computer Science, FOCS 2017, Berkeley, CA, USA, 15–17 October 2017, pp. 633–638 (2017)Google Scholar
  27. 27.
    Larsen, K.G., Nielsen, J.B.: Yes, there is an oblivious RAM lower bound!. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10992, pp. 523–542. Springer, Cham (2018). Scholar
  28. 28.
    Liu, T., Vaikuntanathan, V.: Breaking the circuit-size barrier in secret sharing. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th Annual ACM Symposium on Theory of Computing, Los Angeles, CA, USA, 25–29 June 2018, pp. 699–708. ACM Press (2018)Google Scholar
  29. 29.
    Liu, T., Vaikuntanathan, V., Wee, H.: Conditional disclosure of secrets via non-linear reconstruction. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 758–790. Springer, Cham (2017). Scholar
  30. 30.
    Martín, S., Padró, C., Yang, A.: Secret sharing, rank inequalities and information inequalities. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 277–288. Springer, Heidelberg (2013). Scholar
  31. 31.
    Pǎtraşcu, M., Demaine, E.D.: Logarithmic lower bounds in the cell-probe model. SIAM J. Comput. 35(4), 932–963 (2006)MathSciNetCrossRefGoogle Scholar
  32. 32.
    Pǎtraşcu, M., Viola, E.: Cell-probe lower bounds for succinct partial sums. In: Proceedings of the 21st ACM/SIAM Symposium on Discrete Algorithms (SODA), pp. 117–122 (2010)Google Scholar
  33. 33.
    Pitassi, T., Robere, R.: Lifting Nullstellensatz to monotone span programs over any field. In: Diakonikolas, I., Kempe, D., Henzinger, M. (eds.) 50th Annual ACM Symposium on Theory of Computing, Los Angeles, CA, USA, 25–29 June 2018, pp. 1207–1219. ACM Press (2018)Google Scholar
  34. 34.
    Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: 21st Annual ACM Symposium on Theory of Computing, Seattle, WA, USA, 15–17 May 1989, pp. 73–85. ACM Press (1989)Google Scholar
  35. 35.
    Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefGoogle Scholar
  36. 36.
    Verbin, E., Zhang, Q.: The limits of buffering: a tight lower bound for dynamic membership in the external memory model. SIAM J. Comput. 42(1), 212–229 (2013)MathSciNetCrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Aarhus UniversityAarhusDenmark

Personalised recommendations