Threshold Secret Sharing Requires a Linear Size Alphabet

Conference paper

DOI: 10.1007/978-3-662-53644-5_18

Part of the Lecture Notes in Computer Science book series (LNCS, volume 9986)
Cite this paper as:
Bogdanov A., Guo S., Komargodski I. (2016) Threshold Secret Sharing Requires a Linear Size Alphabet. In: Hirt M., Smith A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science, vol 9986. Springer, Berlin, Heidelberg


We prove that for every n and \(1< t < n\) any t-out-of-n threshold secret sharing scheme for one-bit secrets requires share size \(\log (t + 1)\). Our bound is tight when \(t = n - 1\) and n is a prime power. In 1990 Kilian and Nisan proved the incomparable bound \(\log (n - t + 2)\). Taken together, the two bounds imply that the share size of Shamir’s secret sharing scheme (Comm. ACM ’79) is optimal up to an additive constant even for one-bit secrets for the whole range of parameters \(1< t < n\).

More generally, we show that for all \(1< s< r < n\), any ramp secret sharing scheme with secrecy threshold s and reconstruction threshold r requires share size \(\log ((r + 1)/(r - s))\).

As part of our analysis we formulate a simple game-theoretic relaxation of secret sharing for arbitrary access structures. We prove the optimality of our analysis for threshold secret sharing with respect to this method and point out a general limitation.

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

  1. 1.Chinese University of Hong KongHong KongChina
  2. 2.New York UniversityNew YorkUSA
  3. 3.Weizmann Institute of ScienceRehovotIsrael

Personalised recommendations