3.3 The Second Application: Robust Secret Sharing via List-Decodable
3.3.1 Robust Secret Sharing
We recall here the concept of Robust Secret Sharing; we review the different variations of the topic that have been studied, and we express the goals of our contribution.
In a nutshell, standard Secret Sharing combines two properties, namely privacy and reconstruction, where reconstruction can be seen as recovery from erasures. Robust Secret Sharing combines two properties, namely privacy and recovery from errors: a secret-sharing scheme is robust if its reconstruction algorithm can recover the secret even if some of the shares are incorrect. This intuition is formalized in the following definition; notice that we speak of a tampering function $\mathrm{Tamper} : x \mapsto y$ over $A \subseteq [n]$: by this we mean that $\mathrm{Tamper}(x)$ only depends on $(x_i : i \in A)$ and that it acts as the identity on the coordinates outside $A$.
Definition 3.3.1. Let SSS be a secret-sharing scheme with sharing algorithm $\mathrm{Share} : S_0 \xrightarrow{\$} S_1 \times \cdots \times S_n$ and reconstruction algorithm $\mathrm{RobustRec} : (S_1 \sqcup \{\bot\}) \times \cdots \times (S_n \sqcup \{\bot\}) \to S_0 \sqcup \{\bot\}$. Given a positive integer $t$ and a real number $\varepsilon > 0$, we say that SSS is $(t, \varepsilon)$-robust if the following property holds for any secret $s \in S_0$, any subset $A \subseteq [n]$ with $|A| \le t$ and any tampering function $\mathrm{Tamper} : S_1 \times \cdots \times S_n \to S_1 \times \cdots \times S_n$ over $A$. If $x = \mathrm{Share}(s)$, then $\mathrm{RobustRec}(\mathrm{Tamper}(x)) = s$ except with probability at most $\varepsilon$.
A $(t, \varepsilon)$-robust scheme is typically required to have $t$-privacy as well. We further define the overhead² of the scheme to be $\max_{i \ge 1} \log|S_i| - \log|S_0|$.
Whether Robust Secret Sharing is possible or not depends on the ratio between the number t of incorrect shares and the total number n of shares: if t < n/3, then standard error correction applied to Shamir's scheme (cf. Section 2.5.1) provides robustness for free; on the other hand, if t ≥ n/2 then it is easily seen that Robust Secret Sharing cannot be achieved.
The interesting range is thus n/3 ≤ t < n/2; here, robust secret sharing is possible, but we have to allow for a small error probability and additional “checking data” needs to be appended to the actual shares. A typical goal is to optimize the tradeoff between the error probability and the increase in the share size.
Cramer, Damgård and Fehr [17] gave a construction of a robust secret-sharing scheme based on so-called Algebraic Manipulation Detection (AMD) codes (even though the terms robust secret-sharing and AMD codes were not used there). Roughly speaking, an AMD code makes it possible to detect certain manipulations, namely algebraic manipulations, of encoded messages. The robust secret-sharing scheme then simply works by sharing an AMD encoding of the secret (using a linear secret-sharing scheme), and the robust reconstruction is done by going through all sets of possibly honest players, reconstructing from their shares, and verifying correctness of the reconstructed AMD encoding. By making the AMD codeword large enough, resulting in an overhead in the share size of $O(\kappa + n)$, this procedure finds the correct secret except with probability $2^{-\kappa}$. An obvious downside of this scheme is that the robust reconstruction procedure is not efficient, as there is an exponential number of sets of possibly honest players to be considered.
² We remark that the notion of overhead is meaningful, a priori, only for threshold schemes, since for ramp schemes it is actually possible to have a share size smaller than the secret size.
In [12], based on very different techniques, Cevallos, Fehr, Ostrovsky and Rabani proposed a robust secret-sharing scheme with similar parameters: overhead $O(\kappa + n \log n)$ for an error probability of $2^{-\kappa}$, but which offers an efficient robust reconstruction. Both these schemes work for any fraction t/n < 1/2, and neither becomes significantly better in terms of this error probability versus the size of the checking data if we bound t/n away from 1/2 by a small constant.
Based on the paradigm of Definition 3.1.1 for building secret-sharing schemes, we construct a new robust secret-sharing scheme. Our construction works when t/n is bounded away from 1/2 by an arbitrarily small positive constant.
Our construction can be seen as an efficient variant of the approach from [17]: we secret-share an AMD codeword, but this time choosing the underlying code C to be one that allows efficient list decoding. This means that we can consider the contributed shares as a codeword with errors and apply the list decoding algorithm. This will return a small (i.e., polynomial-sized) list of possible codewords from C; each of these will suggest a possible AMD codeword. Thus, we only have a small number of candidates to check for correctness of the AMD encoding. This not only provides efficiency of the reconstruction (in contrast to the scheme of [17]), but also allows for better parameters, as we will see in Sections 3.3.5 and 3.3.6.
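The two-stage "candidate list, then AMD check" pipeline behind both the scheme of [17] and the list-decoding variant, as an added worked example in Python (not code from the thesis). Assumptions, none of which come from the page: the field is F_p with p = 2^61 - 1; n = 7 and t = 3 (so n/3 ≤ t < n/2); the AMD code is the polynomial code f(s, r) = r^3 + s·r of Cramer, Dodis, Fehr, Padró and Wichs, not the code of [17]; each coordinate of the AMD codeword is Shamir-shared separately; and the candidate list is produced by the exhaustive enumeration of (n - t)-subsets from [17], standing in for a list-decoding algorithm. The names `robust_share`, `candidate_list` and `robust_reconstruct` are this example's own.

```python
import secrets
from itertools import combinations

# Parameters, constructed for this example: 7 players, at most t = 3 corrupted
# shares, so n/3 <= t < n/2 (the range where plain error correction no longer works).
P = (1 << 61) - 1   # the field F_p, p a Mersenne prime
N, T = 7, 3


def amd_encode(s):
    """AMD-encode a field element s as (s, r, f(s, r)) with f(s, r) = r^3 + s*r.
    Assumed here: the polynomial AMD code of Cramer, Dodis, Fehr, Padro and Wichs
    (not the code of [17]). An additive shift (ds, dr, df) != (0, 0, 0) chosen
    independently of r passes amd_verify with probability at most 2/p."""
    r = secrets.randbelow(P)
    return (s, r, (pow(r, 3, P) + s * r) % P)


def amd_verify(cw):
    s, r, tag = cw
    return (pow(r, 3, P) + s * r) % P == tag


def shamir_share(v, n=N, t=T):
    """t-private Shamir sharing of v: share i is (i, g(i)) for a random degree-t g, g(0) = v."""
    coeffs = [v] + [secrets.randbelow(P) for _ in range(t)]
    return [(i, sum(c * pow(i, j, P) for j, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def robust_share(s):
    """Share the AMD codeword of s; player i's share is the triple of its Shamir shares."""
    per_coord = [shamir_share(c) for c in amd_encode(s)]
    return [(i, tuple(per_coord[k][i - 1][1] for k in range(3))) for i in range(1, N + 1)]


def tamper(shares, corrupt):
    """A tampering function over A = corrupt: arbitrary values on A, identity elsewhere.
    Constructed adversary; it only sees the shares in A, as in Definition 3.3.1."""
    return [(i, tuple(secrets.randbelow(P) for _ in range(3))) if i in corrupt else (i, y)
            for i, y in shares]


def candidate_list(shares, t=T):
    """Candidate step of [17]: every set of n-t 'possibly honest' players whose shares
    lie on one degree-t polynomial per coordinate yields a candidate codeword.
    A list-decoding algorithm would return a shorter list than this exhaustive one."""
    n = len(shares)
    candidates = set()
    for subset in combinations(shares, n - t):
        cw = []
        for k in range(3):
            pts = [(i, y[k]) for i, y in subset]
            base = pts[:t + 1]                      # t+1 points fix the polynomial ...
            if any(lagrange_eval(base, x) != y for x, y in pts[t + 1:]):
                break                               # ... the rest must agree with it
            cw.append(lagrange_eval(base, 0))
        else:
            candidates.add(tuple(cw))
    return candidates


def robust_reconstruct(shares, t=T):
    """RobustRec: keep the candidates whose AMD check passes; None plays the role of the bottom symbol."""
    good = {cw[0] for cw in candidate_list(shares, t) if amd_verify(cw)}
    return good.pop() if len(good) == 1 else None


if __name__ == "__main__":
    shares = robust_share(42)
    print(robust_reconstruct(shares))                     # 42
    print(robust_reconstruct(tamper(shares, {2, 5, 7})))  # still 42 with 3 bad shares
```

With n = 7 and t = 3 every set of n - t = 4 players is exactly a reconstruction set, so the consistency test in `candidate_list` is vacuous and all C(7, 4) = 35 subsets reach the AMD check; a corrupted subset yields the true codeword plus a shift that does not depend on r, which the AMD check rejects except with probability 2/p, so the whole reconstruction fails with probability at most 35 · 2/p. Replacing the enumeration by list decoding shrinks the number of candidates from exponential in n to polynomial, which is what makes the reconstruction in the text efficient; the AMD check stays the same.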
As a final remark, we stress the fact that there are several variants of and concepts related to Robust Secret Sharing. For instance, we assume that a tampering function Tamper over A acts as the identity on the coordinates outside A, and only depends on the coordinates in A; if only the first condition is assumed, then a secret-sharing scheme satisfying Definition 3.3.1 is said to be robust against a rushing adversary.
Furthermore, a related concept of special relevance is Verifiable Secret Sharing [15], which is a fundamental building block for Multi-Party Computation; loosely speaking, VSS can be seen as an enhanced version of Robust Secret Sharing, where security is guaranteed even if the sharing procedure is not correctly executed.
Moreover, a scenario somewhat in between robust and verifiable secret sharing has been studied by Cramer et al. in [17]; this variant is called “single-round honest-dealer VSS”, and differs from Definition 3.3.1 in that the reconstruction algorithm is not allowed to output an incorrect value, although it can output an error message.
Finally, Ishai et al. explore in [40] the notion of identifiable secret sharing, which aims at providing some security even when half or more of the shares are incorrect.