Nearly optimal robust secret sharing

Bibliographic Details

Published in: Designs, Codes and Cryptography, Vol. 87, No. 8, pp. 1777-1796
Main Author: Cheraghchi, Mahdi
Format: Journal Article
Language: English
Published: New York: Springer US (Springer Nature B.V.), 15.08.2019
ISSN: 0925-1022 (print), 1573-7586 (electronic)
DOI: 10.1007/s10623-018-0578-y

Summary: We prove that a known general approach to improve Shamir's celebrated secret sharing scheme, i.e., adding an information-theoretic authentication tag to the secret, can make it robust for n parties against any collusion of size δn, for any constant δ ∈ (0, 1/2). Shamir's original scheme is robust for all δ ∈ (0, 1/3). Beyond that, we employ the best known list decoding algorithms for Reed-Solomon codes and show that, with high probability, only the correct secret maintains the correct information-theoretic tag if an algebraic manipulation detection (AMD) code is used to tag secrets. This result holds in the so-called "non-rushing" model in which the n shares are submitted simultaneously for reconstruction. We thus obtain a fully explicit and robust secret sharing scheme in this model that is essentially optimal in all parameters including the share size, which is k(1 + o(1)) + O(κ), where k is the secret length and κ is the security parameter. Like Shamir's scheme, in this modified scheme any set of more than δn honest parties can efficiently recover the secret. Using algebraic geometry codes instead of Reed-Solomon codes, the share length can be decreased to a constant (only depending on δ) while the number of shares n can grow independently. In this case, when n is large enough, the scheme satisfies the "threshold" requirement in an approximate sense; i.e., any set of δn(1 + ρ) honest parties, for arbitrarily small ρ > 0, can efficiently reconstruct the secret. From a practical perspective, the main importance of our result is in showing that existing systems employing Shamir-type secret sharing schemes can be made much more robust than previously thought with minimal change, essentially only involving the addition of a short and simple checksum to the original data.
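The following is an added illustration of the idea in the abstract, not code from the paper: the secret is first encoded with an AMD code and the encoded word is Shamir-shared, so that after a non-rushing adversary has tampered with its shares, only the correctly reconstructed word carries a valid tag. Everything below is a constructed toy: a 61-bit Mersenne prime field, n = 7 parties of which t = 3 are corrupt (δ = 3/7, beyond the 1/3 bound of plain Shamir), the single-symbol AMD code (s, r, r^3 + s·r), and brute-force enumeration of all (t+1)-subsets in place of the Reed-Solomon list decoding the paper relies on for efficiency at large n. Function names, parameters and the seeded RNG are assumptions of this example.

```python
import itertools
import random
import secrets

P = 2**61 - 1  # Mersenne prime; all arithmetic is in the field F_P


def amd_encode(s, rng):
    """Encode one field element as (s, r, r^3 + s*r).

    Single-symbol instance of the standard AMD code: for any fixed additive
    offset (a, b, c) != (0, 0, 0), the offset word (s+a, r+b, tag+c) verifies
    only if r is a root of a nonzero polynomial of degree <= 2 in r, i.e.
    with probability at most 2/P over the choice of r.
    """
    r = rng.randrange(P)
    return (s, r, (pow(r, 3, P) + s * r) % P)


def amd_verify(word):
    s, r, tag = word
    return (pow(r, 3, P) + s * r) % P == tag


def _poly_eval(coeffs, x):
    # coeffs[0] is the constant term, i.e. the value being shared
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def share(word, n, t, rng):
    """Shamir-share each of the three coordinates of `word` with its own random
    degree-t polynomial. Party x (1..n) receives (x, (y_s, y_r, y_tag))."""
    polys = [[coord] + [rng.randrange(P) for _ in range(t)] for coord in word]
    return [(x, tuple(_poly_eval(p, x) for p in polys)) for x in range(1, n + 1)]


def interpolate_at_zero(points):
    """Lagrange interpolation of the constant term from (x, y) pairs over F_P."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def plain_reconstruct(subset):
    """Original Shamir reconstruction: interpolate the secret coordinate only,
    trusting every submitted share."""
    return interpolate_at_zero([(x, ys[0]) for x, ys in subset])


def robust_reconstruct(shares, t):
    """Interpolate every (t+1)-subset, keep candidates whose AMD tag verifies, and
    return the secret if exactly one distinct value survives, else None.
    Brute force over subsets stands in for the paper's list decoding step."""
    survivors = set()
    for subset in itertools.combinations(shares, t + 1):
        word = tuple(interpolate_at_zero([(x, ys[k]) for x, ys in subset]) for k in range(3))
        if amd_verify(word):
            survivors.add(word[0])
    return survivors.pop() if len(survivors) == 1 else None


def corrupt(shares, bad_indices, rng):
    """Non-rushing adversary: overwrites the shares it controls with arbitrary field
    elements before all n shares are submitted together for reconstruction."""
    out = list(shares)
    for i in bad_indices:
        x, _ = out[i]
        out[i] = (x, tuple(rng.randrange(P) for _ in range(3)))
    return out


def demo(seed=None):
    """n = 7 parties, t = 3 corrupt. Returns (true secret, plain Shamir result
    from a subset containing corrupt shares, robust result from all 7 shares).
    Constructed scenario; pass seed=None (default) to use the OS CSPRNG."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    n, t = 7, 3
    secret = rng.randrange(P)
    shares = share(amd_encode(secret, rng), n, t, rng)
    tampered = corrupt(shares, [0, 1, 2], rng)
    mixed = tampered[:t + 1]  # three corrupt shares plus one honest share
    return secret, plain_reconstruct(mixed), robust_reconstruct(tampered, t)


if __name__ == "__main__":
    s, plain, robust = demo()
    print("plain Shamir on a mixed subset recovers the secret:", plain == s)
    print("AMD-tagged robust reconstruction recovers the secret:", robust == s)
```

The tag adds two field elements to the shared word, matching the abstract's description of a short checksum appended to the data; the reconstruction cost is where the toy departs from the paper, since trying all C(n, t+1) subsets is only feasible for a handful of parties and list decoding is what makes the approach scale.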