Threshold Secret Sharing Requires a Linear Size Alphabet
- Cite this paper as:
- Bogdanov A., Guo S., Komargodski I. (2016) Threshold Secret Sharing Requires a Linear Size Alphabet. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg
We prove that for every n and \(1< t < n\) any t-out-of-n threshold secret sharing scheme for one-bit secrets requires share size \(\log (t + 1)\). Our bound is tight when \(t = n - 1\) and n is a prime power. In 1990 Kilian and Nisan proved the incomparable bound \(\log (n - t + 2)\). Taken together, the two bounds imply that the share size of Shamir’s secret sharing scheme (Comm. ACM ’79) is optimal up to an additive constant even for one-bit secrets for the whole range of parameters \(1< t < n\).
More generally, we show that for all \(1< s< r < n\), any ramp secret sharing scheme with secrecy threshold s and reconstruction threshold r requires share size \(\log ((r + 1)/(r - s))\).
As part of our analysis we formulate a simple game-theoretic relaxation of secret sharing for arbitrary access structures. We prove the optimality of our analysis for threshold secret sharing with respect to this method and point out a general limitation.