Traceable Secret Sharing: Strong Security and Efficient Constructions

  • Conference paper
Advances in Cryptology – CRYPTO 2024 (CRYPTO 2024)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14924))


Suppose Alice uses a t-out-of-n secret sharing to store her secret key on n servers. Her secret key is protected as long as t of them do not collude. However, what if a less-than-t subset of the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold them accountable, or else nothing prevents them from selling her shares. With this motivation in mind, Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of traceable secret sharing. In such schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them. Goyal et al. presented the first construction of a traceable secret sharing scheme. However, secret shares in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it relies on Goldreich-Levin decoding.

In this work, we put forth new definitions and practical constructions for traceable secret sharing. In our model, some \(f < t\) servers output a reconstruction box R that may arbitrarily depend on their shares. Given additional \(t-f\) shares, R reconstructs and outputs the secret. The task is to trace R back to the corrupted servers given black-box access to R. Unlike Goyal et al., we do not assume that the tracing algorithm has any information on how the corrupted servers constructed R from the shares in their possession.

We then present two very efficient constructions of traceable secret sharing based on two classic secret sharing schemes. In both of our schemes, shares are only twice as large as the secret, improving over the quadratic overhead of Goyal et al. Our first scheme is obtained by presenting a new practical tracing algorithm for the widely-used Shamir secret sharing scheme. Our second construction is based on an extension of Blakley’s secret sharing scheme. Tracing in this scheme is optimally efficient, and requires just one successful query to R. We believe that our constructions are an important step towards bringing traceable secret-sharing schemes to practice. This work also raises several interesting open problems that we describe in the paper.
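An added example (not code from the paper) of the objects the abstract describes: Shamir sharing with random evaluation points, so each share is a pair of field elements, and a reconstruction box R that outputs the secret once it is given t - f further shares. The field modulus, the function names and the box that simply hard-codes f shares are assumptions made here; the paper lets R depend arbitrarily on the shares, and its tracing algorithms are not reproduced.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed for this sketch)

def share(secret, t, n):
    """Shamir t-out-of-n sharing with random evaluation points.

    Server i receives (x_i, p(x_i)): two field elements, so a share is
    twice the size of the secret.
    """
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    xs = []
    while len(xs) < n:
        x = 1 + secrets.randbelow(P - 1)   # nonzero, so p(0) is never handed out
        if x not in xs:
            xs.append(x)
    shares = []
    for x in xs:
        y = 0
        for c in reversed(coeffs):         # Horner evaluation of p(x)
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def reconstruct(points):
    """Lagrange interpolation at 0 over exactly the points given."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def make_box(leaked, t):
    """Simplest reconstruction box R for f = len(leaked) < t corrupted
    servers: it hard-codes their shares. A tracer only gets to call the
    returned function; it never sees `leaked`."""
    if not 0 < len(leaked) < t:
        raise ValueError("need 0 < f < t leaked shares")
    def R(extra):
        points = list(leaked) + list(extra)
        if len(points) != t or len({x for x, _ in points}) != t:
            return None                    # stands in for the "bottom" output
        return reconstruct(points)
    return R

def demo(t=3, n=5, f=2):
    """Constructed run: servers 0..f-1 collude, the rest stay honest."""
    secret = secrets.randbelow(P)
    shares = share(secret, t, n)
    R = make_box(shares[:f], t)
    ok = R(shares[f:t])                    # t - f honest shares complete the set
    other = R(shares[n - (t - f):])        # any other t - f honest shares work too
    short = R([])                          # too few shares: no output
    return secret, ok, other, short

if __name__ == "__main__":
    print(demo())
```
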

Notes

  1. In the model of Goyal et al. this restriction is captured by requiring that all colluding subsets \(\mathcal{I}_1, \ldots, \mathcal{I}_k\) are of size less than t.

  2. If R may sometimes err, then our tracing algorithm requires just one successful query to R, which is again optimal.

  3. In the original definition of [42], the sharing process is done by running a generic two-party computation protocol between the dealer and each of the shareholders. We chose to abstract this process away. We elaborate on the differences between the definitions below.

  4. We allow \(\kappa\) to depend on n for generality, but in our constructions, \(\kappa\) will only be a function of \(\lambda\) and t. This allows for sampling of shares “on the fly”, without knowing n in advance. Throughout the paper, \(\kappa\) will always refer to the bit-length of the correlation string, and when clear from context, we will not mention this explicitly.

  5. In the syntax of Goyal et al., each party i may submit a different, party-specific, function \(f_i\) of its share. In our setting, however, any information that pertains to the identity of the party who owns the share is considered part of the share. Hence, using just one function f for all shares is without loss of generality.

  6. If \(x_i\) is a deterministic function of some identity information associated with the party, then \(x_i\) need not be explicitly included as part of the share. Looking ahead, we will choose the \(x_i\)s randomly, and hence they will need to be included in the share.

  7. To solve the list decoding problem with probability 1, the Guruswami-Sudan algorithm runs in expected polynomial time. If we insist that it runs in strict polynomial time, this incurs a negligible error probability. To avoid over-cluttering notation, we will ignore this negligible error in our analysis.

  8. Brickell [16] made this observation with respect to Blakley’s original scheme, but it equally applies to our scheme.

  9. In our full-fledged scheme with non-imputability, it is not possible to publish all \(\boldsymbol{a_{i,j}}\)s in the clear to obtain an ideal secret sharing scheme. However, for secrets in \(\{0,1\}^\lambda\), our derandomization approach gives shares of size \(2\lambda\), coming close to it.

  10. Tracing may be quadratic, since the bilinear map can be used to compute quadratic functions in the exponent. Reconstruction, however, cannot be quadratic, since the output of the VUF needs to be an element of the source group to allow for efficient verification.

  11. If the code supports decoding from any n coordinates, indices can be assigned deterministically.

  12. If \(m \ll n^2\), it becomes hard to even make the reconstruction box R output anything other than \(\bot\), since it requires an exponential number of queries in expectation to query R on a subset of positions such that none of them is corrupted. If \(m = \varOmega(n^2)\), though, a random subset will not intersect the corrupted subset with high probability.

References

  1. Alon, N., Goldreich, O., Håstad, J., Peralta, R.: Simple constructions of almost k-wise independent random variables. In: 31st FOCS, pp. 544–553. IEEE Computer Society Press. St. Louis, MO, USA (1990)

  2. Applebaum, B., Nir, O., Pinkas, B.: How to recover a secret with \(o(n)\) additions. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023 Part I. LNCS, vol. 14081, pp. 236–262. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38557-5_8

  3. Asmuth, C., Bloom, J.: A modular approach to key safeguarding. IEEE Trans. Inf. Theory 29(2), 208–210 (1983)

  4. Berlekamp, E.R.: Factoring polynomials over large finite fields. Math. Comput. 24(111), 713–735 (1970)

  5. Blakley, G.R.: Safeguarding cryptographic keys. In: 1979 International Workshop on Managing Requirements Knowledge (MARK), pp. 313–318 (1979)

  6. Boneh, D., Franklin, M.: An efficient public key traitor tracing scheme. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 338–353. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_22

  7. Boneh, D., Kiayias, A., Montgomery, H.W.: Robust fingerprinting codes: a near optimal construction. In: Proceedings of the Tenth Annual ACM Workshop on Digital Rights Management, DRM 2010, pp. 3–12. Association for Computing Machinery, New York (2010)

  8. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30

  9. Boneh, D., Naor, M.: Traitor tracing with constant size ciphertext. In: Ning, P., Syverson, P.F., Jha, S., (eds.) ACM CCS 2008, pp. 501–510. ACM Press, Alexandria, Virginia (2008)

  10. Boneh, D., Partap, A., Rotem, L.: Accountability for misbehavior in threshold decryption via threshold traitor tracing. Cryptology ePrint Archive, Paper 2023/1724 (2023). https://eprint.iacr.org/2023/1724. To be published in CRYPTO 2024

  11. Boneh, D., Partap, A., Rotem, L.: Traceable secret sharing: Strong security and efficient constructions. Cryptology ePrint Archive, Paper 2024/405 (2024). https://eprint.iacr.org/2024/405

  12. Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006). https://doi.org/10.1007/11761679_34

  13. Boneh, D., Shaw, J.: Collusion-secure fingerprinting for digital data. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 452–465. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-44750-4_36

  14. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014 Part I. LNCS, vol. 8616, pp. 480–499. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44371-2_27

  15. Bootle, J., Cerulli, A., Chaidos, P., Groth, J., Petit, C.: Efficient zero-knowledge arguments for arithmetic circuits in the discrete log setting. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016 Part II. LNCS, vol. 9666, pp. 327–357. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49896-5_12

  16. Brickell, E.F.: Some ideal secret sharing schemes. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 468–475. Springer, Heidelberg (1990). https://doi.org/10.1007/3-540-46885-4_45

  17. Chabanne, H., Phan, D.H., Pointcheval, D.: Public traceability in traitor tracing schemes. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 542–558. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_32

  18. Chainlink vrf: On-chain verifiable randomness. link

  19. Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_17

  20. Chen, Y., Vaikuntanathan, V., Waters, B., Wee, H., Wichs, D.: Traitor-tracing from LWE made simple and attribute-based. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018. LNCS, vol. 11240, pp. 341–369. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_13

  21. Choi, K., Manoj, A., Bonneau, J.: SoK: distributed randomness beacons. In: 2023 IEEE Symposium on Security and Privacy, pp. 75–92 IEEE Computer Society Press, San Francisco (2023)

  22. Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48658-5_25

  23. Cramer, R., Damgård, I.B., Döttling, N., Fehr, S., Spini, G.: Linear secret sharing schemes from error correcting codes and universal hash functions. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015 Part II. LNCS, vol. 9057, pp. 313–336. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_11

  24. Cramer, R., Xing, C.: Blackbox secret sharing revisited: a coding-theoretic approach with application to expansionless near-threshold schemes. In: Canteaut, A., Ishai, Y. (eds.) EUROCRYPT 2020 Part I. LNCS, vol. 12105, pp. 499–528. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-45721-1_18

  25. Das, P., Faust, S., Loss, J.: A formal treatment of deterministic wallets. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J., (eds) ACM CCS 2019, pp. 651–668 ACM Press London (2019)

  26. Das, S., Pinkas, B., Tomescu, A., Xiang, Z.: Distributed randomness using weighted vrfs. Cryptology ePrint Archive, Paper 2024/198 (2024). https://eprint.iacr.org/2024/198

  27. Dodis, Y.: Efficient construction of (distributed) verifiable random functions. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 1–17. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_1

  28. Dodis, Y., Fazio, N.: Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 100–115. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36288-6_8

  29. Dodis, Y., Yampolskiy, A.: A verifiable random function with short proofs and keys. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 416–431. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30580-4_28

  30. Fiat, A., Tassa, T.: Dynamic traitor tracing. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 354–371. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_23

  31. Galindo, D., Liu, J., Ordean, M., Wong, J.M.: Fully distributed verifiable random functions and their application to decentralised random beacons. In: 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 88–102 (2021)

  32. Garg, S., Jain, A., Mukherjee, P., Sinha, R., Wang, M., Zhang, Y.: Cryptography with weights: MPC, encryption and signatures. In: Handschuh, H., Lysyanskaya, A. (eds.) CRYPTO 2023, Part I. LNCS, vol. 14081, pp. 295–327. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-38557-5_10

  33. Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: Al-Shaer, E., Keromytis, A.D., Shmatikov, V., (eds.) ACM CCS 2010, pp. 121–130. ACM Press, Chicago (2010)

  34. Goldreich, O.: Foundations of Cryptography. Cambridge University Press, Cambridge (2001)

  35. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, pp. 25–32. ACM Press, Seattle (1989)

  36. Goldreich, O., Ron, D., Sudan, M.: Chinese remaindering with errors. In: 31st ACM STOC, pp. 225–234. ACM Press, Atlanta (1999)

  37. Goldreich, O., Rubinfeld, R., Sudan, M.: Learning polynomials with queries: the highly noisy case. In: 36th FOCS, pp. 294–303. IEEE Computer Society Press, Milwaukee (1995)

  38. Gong, J., Luo, J., Wee, H.: Traitor tracing with \({N}^{1/3}\)-size ciphertexts and \({O}(1)\)-size keys from \(k\)-Lin. In: Hazay, C., Stam, M. (eds.) EUROCRYPT 2023, Part III. LNCS, vol. 14006, pp. 637–668. Springer, Cham (2023). https://doi.org/10.1007/978-3-031-30620-4_21

  39. Goyal, R., Koppula, V., Waters, B.: Collusion resistant traitor tracing from learning with errors. In: Diakonikolas, I., Kempe, D., Henzinger, M., (eds.) 50th ACM STOC, pp. 660–670. ACM Press, Los Angeles (2018)

  40. Goyal, V.: Reducing trust in the PKG in identity based cryptosystems. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 430–447. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74143-5_24

  41. Goyal, V., Lu, S., Sahai, A., Waters, B.: Black-box accountable authority identity-based encryption. In: Ning, P., Syverson, P.F., Jha, S., (eds.) ACM CCS 2008, pp. 427–436. ACM Press, Alexandria (2008)

  42. Goyal, V., Song, Y., Srinivasan, A.: Traceable secret sharing and applications. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021 Part III. LNCS, vol. 12827, pp. 718–747. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_24

  43. Guruswami, V., Sudan, M.: Improved decoding of Reed-Solomon and algebraic-geometric codes. In: 39th FOCS, pp. 28–39. IEEE Computer Society Press, Palo Alto (1998)

  44. Kiayias, A., Yung, M.: Self protecting pirates and black-box traitor tracing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 63–79. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_4

  45. Kiayias, A., Yung, M.: On crafty pirates and foxy tracers. In: Sander, T. (ed.) DRM 2001. LNCS, vol. 2320, pp. 22–39. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-47870-1_3

  46. Knuth, D.E.: Art of Computer Programming, Volume 2: Seminumerical Algorithms. Addison-Wesley Professional (2014)

  47. Kurosawa, K., Desmedt, Y.: Optimum traitor tracing and asymmetric schemes. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 145–157. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0054123

  48. Lysyanskaya, A.: Unique signatures and verifiable random functions from the DH-DDH separation. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 597–612. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_38

  49. Massey, J.L.: Some applications of coding theory in cryptography. Codes Ciphers: Crypt. Coding IV, 33–47 (1995)

  50. Mignotte, M.: How to share a secret. In: Beth, T. (ed.) EUROCRYPT 1982. LNCS, vol. 149, pp. 371–375. Springer, Heidelberg (1983). https://doi.org/10.1007/3-540-39466-4_27

  51. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_3

  52. Naor, J., Naor, M.: Small-bias probability spaces: efficient constructions and applications. In: 22nd ACM STOC, pp. 213–223. ACM Press, Baltimore (1990)

  53. Naor, M., Pinkas, B.: Threshold traitor tracing. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 502–517. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0055750

  54. Nick, J., Ruffing, T., Seurin, Y., Wuille, P.: MuSig-DN: schnorr multi-signatures with verifiably deterministic nonces. In: Ligatti, J., Ou, X., Katz, J., Vigna, G., (eds.) ACM CCS 2020, pp. 1717–1731. ACM Press, Virtual Event, USA (2020)

  55. Nuida, K.: A general conversion method of fingerprint codes to (more) robust fingerprint codes against bit erasure. In: Kurosawa, K. (ed.) ICITS 2009. LNCS, vol. 5973, pp. 194–212. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14496-7_16

  56. Pfitzmann, B.: Trials of traced traitors. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 49–64. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61996-8_31

  57. Pfitzmann, B., Schunter, M.: Asymmetric fingerprinting. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 84–95. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9_8

  58. Pfitzmann, B., Waidner, M.: Asymmetric fingerprinting for larger collusions. In: Graveman, R., Janson, P.A., Neuman, C., Gong, L., (eds.) ACM CCS 97, pp. 151–160. ACM Press, Zurich (1997)

  59. Phan, D.H.: Traitor tracing for stateful pirate decoders with constant ciphertext rate. In: Nguyen, P.Q. (ed.) VIETCRYPT 2006. LNCS, vol. 4341, pp. 354–365. Springer, Heidelberg (2006). https://doi.org/10.1007/11958239_24

  60. Rabin, M.O.: Probabilistic algorithms in finite fields. SIAM J. Comput. 9(2), 273–280 (1980)

  61. Reed, I.S., Solomon, G.: Polynomial codes over certain finite fields. J. Soc. Ind. Appl. Math. 8(2), 300–304 (1960)

  62. Safavi-Naini, R., Wang, Y.: Sequential traitor tracing. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 316–332. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-44598-6_20

  63. Shamir, A.: How to share a secret. Commun. Assoc. Comput. Mach. 22(11), 612–613 (1979)

  64. Sirvent, T.: Traitor tracing scheme with constant ciphertext rate against powerful pirates. Cryptology ePrint Archive, Paper 2006/383 (2006). https://eprint.iacr.org/2006/383

  65. Sudan, M.: Maximum likelihood decoding of reed solomon codes. In: 37th FOCS, pp. 164–172. IEEE Computer Society Press, Burlington, Vermont (1996)

  66. Ta-Shma, A.: Explicit, almost optimal, epsilon-balanced codes. In: Hatami, H., McKenzie, P., King, V., (eds.) 49th ACM STOC, pp. 238–251. ACM Press, Montreal, QC, Canada (2017)

  67. Tardos, G.: Optimal probabilistic fingerprint codes. J. ACM, 55(2) (2008)

  68. Wee, H.: Functional encryption for quadratic functions from k-lin, revisited. In: Pass, R., Pietrzak, K. (eds.) TCC 2020 Part I. LNCS, vol. 12550, pp. 210–228. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-64375-1_8

  69. Zhandry, M.: New techniques for traitor tracing: size \(N^{1/3}\) and more from pairings. In: Micciancio, D., Ristenpart, T. (eds.) CRYPTO 2020 Part I. LNCS, vol. 12170, pp. 652–682. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-56784-2_22

  70. Zou, X., Maino, F., Bertino, E., Sui, Y., Wang, K., Li, F.: A new approach to weighted multi-secret sharing. In: 2011 Proceedings of 20th International Conference on Computer Communications and Networks (ICCCN), pp. 1–6. IEEE (2011)


This work was funded by NSF, DARPA, the Simons Foundation, UBRI, and NTT Research. Opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA.

Author information

Corresponding authors

Correspondence to Dan Boneh, Aditi Partap or Lior Rotem.

Copyright information

© 2024 International Association for Cryptologic Research

About this paper

Cite this paper

Boneh, D., Partap, A., Rotem, L. (2024). Traceable Secret Sharing: Strong Security and Efficient Constructions. In: Reyzin, L., Stebila, D. (eds) Advances in Cryptology – CRYPTO 2024. CRYPTO 2024. Lecture Notes in Computer Science, vol 14924. Springer, Cham. https://doi.org/10.1007/978-3-031-68388-6_9

  • DOI: https://doi.org/10.1007/978-3-031-68388-6_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-68387-9

  • Online ISBN: 978-3-031-68388-6

  • eBook Packages: Computer Science, Computer Science (R0)
