Abstract
Evolving secret-sharing schemes, introduced by Komargodski, Naor, and Yogev (TCC 2016b), are secret-sharing schemes in which the dealer does not know the number of parties that will participate. The parties arrive one by one and when a party arrives the dealer gives it a share; the dealer cannot update this share when other parties arrive. Komargodski and Paskin-Cherniavsky (TCC 2017) constructed evolving \(a\cdot i\)-threshold secret-sharing schemes (for every \(0< a <1\)), where any set of parties whose maximum party is the \(i\)-th party and contains at least \(a\cdot i\) parties can reconstruct the secret; any set such that all its prefixes are not an \(a\)-fraction of the parties should not get any information on the secret. The length of the share of the \(i\)-th party in their scheme is \(O(i^4 \log i)\). As the number of parties is unbounded, this share size can be quite large.
In this work we suggest studying a relaxation of evolving threshold secret-sharing schemes; we consider evolving \((a, b)\)-ramp secret-sharing schemes for \(0< b< a <1\). Again, we require that any set of parties whose maximum party is the \(i\)-th party and contains at least \(a\cdot i\) parties can reconstruct the secret; however, we only require that any set such that all its prefixes are not a \(b\)-fraction of the parties should not get any information on the secret. For all constants \(0< b< a <1\), we construct an evolving \((a, b)\)-ramp secret-sharing scheme where the length of the share of the \(i\)-th party is \(O(1)\). Thus, we show that evolving ramp secret-sharing schemes offer a big improvement compared to the known constructions of evolving \(a\cdot i\)-threshold secret-sharing schemes.
Research supported by ISF grant 152/17, the BGU Cyber Security Research Center, and by the Frankel center for computer science.
References
1. Blakley, G.R.: Safeguarding cryptographic keys. In: AFIPS, p. 313 (1979)
2. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 242–268. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_20
3. Bogdanov, A., Guo, S., Komargodski, I.: Threshold secret sharing requires a linear size alphabet. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 471–484. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_18
4. Cachin, C.: On-line secret sharing. In: Boyd, C. (ed.) Cryptography and Coding 1995. LNCS, vol. 1025, pp. 190–198. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60693-9_22
5. Cascudo Pueyo, I., Cramer, R., Xing, C.: Bounds on the threshold gap in secret sharing and its applications. IEEE Trans. Inf. Theory 5600–5612 (2013)
6. Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_17
7. Csirmaz, L., Tardos, G.: On-line secret sharing. Des. Codes Crypt. 63(1), 127–147 (2012)
8. Franklin, M.K., Yung, M.: Communication complexity of secure computation. In: STOC 1992, pp. 699–710 (1992)
9. Ito, M., Saito, A., Nishizeki, T.: Secret sharing schemes realizing general access structure. In: Proceedings of Globecom 1987, pp. 56–64 (1987)
10. Kilian, J., Nisan, N.: Private communication (1990)
11. Komargodski, I., Naor, M., Yogev, E.: How to share a secret, infinitely. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 485–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_19
12. Komargodski, I., Paskin-Cherniavsky, A.: Evolving secret sharing: dynamic thresholds and robustness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 379–393. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_12
13. Martin, K.M., Paterson, M.B., Stinson, D.R.: Error decodable secret sharing and one-round perfectly secure message transmission for general adversary structures. Cryptography Commun. 65–86 (2011)
14. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
15. Stinson, D.R., Wei, R.: An application of ramp schemes to broadcast encryption. Inform. Process. Lett. 131–135 (1999)
A Proof of Claim 4.8
We next prove Claim 4.8, i.e., we prove that for all constants \(b <a\) there exists a ramp secret-sharing scheme with share size \(O(1)\).
Proof
Chen et al. [6] proved the claim for the case when \(a = 1/2+\epsilon \) and \(b=1/2-\epsilon \) for every \(\epsilon >0\), see Claim 2.7. We use two standard transformations to prove it for every \(b<a\). Let \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), for some \( \epsilon < 1/2\), be a ramp secret-sharing scheme with share size \(\ell \) with \(N\) parties. If \(a>1/2\) and \(b <1/2\), the scheme \(\varPi ^n_{1/2+\epsilon , 1/2-\epsilon }\), where \(\epsilon =\min \{a-1/2,1/2-b\}\), is an \((a, b)\)-ramp secret-sharing scheme with share size \(O(1)\). Otherwise, there are two cases; in each case we show the existence of an \((a, b)\)-ramp secret-sharing scheme with \(n\) parties, denoted \(\varPi ^n_{a, b}\), with share size \(\ell \).
The case \(b \ge 1/2\). We use the scheme \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), where \(N =\alpha n\) for some constants \(\alpha > 1\) and \(\epsilon <1/2\) to be fixed later. We only use the shares of the first \(n\) parties of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\). In \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), a set of size \(N(1/2+\epsilon ) = \alpha n (1/2+\epsilon )\) can reconstruct the secret. In \(\varPi ^n_{a, b}\), we require that \(an\) parties can reconstruct the secret, thus, we take \(\alpha \) such that \(\alpha n(1/2+\epsilon ) = an\), i.e., \(\alpha = \frac{2a}{1+2\epsilon }\). By the security of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), any set of parties of size less than \(N(1/2 - \epsilon ) =\alpha n(1/2 - \epsilon ) =\frac{2a}{1+2\epsilon }n(1/2 - \epsilon )\) cannot learn any information on the secret. In \(\varPi ^n_{a, b}\), we require that \(bn\) parties cannot learn any information on the secret, thus, we require that \(\frac{2a}{1+2\epsilon }(1/2 - \epsilon )=b\), i.e., \(\epsilon =\frac{a-b}{2(a+b)}\). Notice that \(\alpha = \frac{2a}{1+2\epsilon }=\frac{2a}{1+\frac{a-b}{a+b}}=a+b>1\) (since \(a >b \ge 1/2\)), thus, we have enough shares in \(\varPi ^{\alpha n}_{1/2+\epsilon , 1/2-\epsilon }\) to give to the \(n\) parties. Furthermore, \(\epsilon < 1/2\) as required by Claim 2.7.
The case \(a \le 1/2\). Again, we use the scheme \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), where \(N =\alpha n\) for some constants \(\alpha > 1\) and \(\epsilon <1/2\) to be fixed later. We use the shares of the first \(n\) parties of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) as the shares in \(\varPi ^n_{a, b}\). However, in this case we publish \(N-n = (\alpha -1)n\) shares on a public blackboard (we later explain how to get rid of this public blackboard). In \(\varPi ^n_{a, b}\), we require that \(an\) parties can reconstruct the secret. As the number of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) that \(an\) parties in \(\varPi ^n_{a, b}\) have is \(an + (\alpha -1)n\), we require that \(an + (\alpha -1)n=N(1/2+\epsilon )=\alpha n (1/2+\epsilon )\), i.e., \(\alpha = (2-2a)/(1-2\epsilon )\). In \(\varPi ^n_{a, b}\), we require that \(bn\) parties cannot learn any information on the secret. As the number of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) that \(bn\) parties in \(\varPi ^n_{a, b}\) have is \(bn + (\alpha -1)n\), we require that \(bn + (\alpha -1)n=\alpha n(1/2 - \epsilon )\), i.e., \(\alpha (1+2\epsilon )=2-2b\). Solving the requirements on \(\alpha \), we get that \(\epsilon =\frac{a-b}{2(2-a-b)}\) and \(\alpha =2-a-b\). Note that \(\alpha > 1\) since \(b <a \le 1/2\) and \(\epsilon < 1/2\).
To get rid of the shares published on the blackboard, we fix possible shares \(s_{n+1},\dots ,s_{\alpha n}\) of the last \((\alpha -1)n\) parties in \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) (e.g., in the scheme of Chen et al. [6], we can fix \(s_{n+1}=\cdots =s_{\alpha n}=0\)). To share the secret, the dealer chooses only vectors of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) such that the shares of the last \((\alpha -1)n\) parties are the fixed shares \(s_{n+1},\dots ,s_{\alpha n}\). \(\square \)
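The parameter choices in the proof can be checked mechanically. The following Python sketch is an added example, not code from the paper: it selects \(\epsilon \) and \(\alpha \) for each of the three cases and verifies, in exact rational arithmetic, that the thresholds of the base scheme \(\varPi ^{\alpha n}_{1/2+\epsilon , 1/2-\epsilon }\) land on \(a\) and \(b\). The function names and case labels are hypothetical.

```python
from fractions import Fraction as F

def ramp_parameters(a, b):
    """Return (case, epsilon, alpha) for building an (a, b)-ramp scheme from a
    (1/2+eps, 1/2-eps)-ramp scheme on N = alpha*n parties, as in the proof."""
    a, b = F(a), F(b)
    if not 0 < b < a < 1:
        raise ValueError("need 0 < b < a < 1")
    half = F(1, 2)
    if a > half and b < half:
        # Base scheme used directly on n parties.
        return "direct", min(a - half, half - b), F(1)
    if b >= half:
        # Only the first n of the N = alpha*n shares are handed out.
        return "truncate", (a - b) / (2 * (a + b)), a + b
    # a <= 1/2: the last (alpha-1)*n shares are fixed in advance (e.g. to 0).
    return "fixed-shares", (a - b) / (2 * (2 - a - b)), 2 - a - b

def check(a, b):
    """Verify the proof's constraints; all counts are fractions of n."""
    a, b = F(a), F(b)
    case, eps, alpha = ramp_parameters(a, b)
    assert 0 < eps < F(1, 2) and alpha >= 1
    # Base-scheme shares every coalition knows for free (the fixed shares).
    free = alpha - 1 if case == "fixed-shares" else F(0)
    rec = alpha * (F(1, 2) + eps)    # base reconstruction threshold
    priv = alpha * (F(1, 2) - eps)   # base privacy threshold
    if case == "direct":
        # Thresholds need not be tight: 1/2+eps <= a and 1/2-eps >= b.
        assert rec <= a and priv >= b
    else:
        # a*n (resp. b*n) parties hold exactly rec*n (resp. priv*n) shares.
        assert a + free == rec and b + free == priv
    return case, eps, alpha

if __name__ == "__main__":
    # Constructed sample inputs, one per case of the proof.
    for a, b in [("2/3", "1/3"), ("3/4", "1/2"), ("1/2", "1/4")]:
        print(a, b, check(a, b))
```

Pass the fractions as strings or `Fraction` objects; floats would make the equality checks inexact.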
© 2018 Springer Nature Switzerland AG
Cite this paper
Beimel, A., Othman, H. (2018). Evolving Ramp Secret-Sharing Schemes. In: Catalano, D., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_17
DOI: https://doi.org/10.1007/978-3-319-98113-0_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-98112-3
Online ISBN: 978-3-319-98113-0
eBook Packages: Computer Science, Computer Science (R0)