ECCC-Report TR16-023https://eccc.weizmann.ac.il/report/2016/023Comments and Revisions published for TR16-023en-usTue, 08 May 2018 17:51:18 +0300
Revision 4
| How to Share a Secret, Infinitely |
Ilan Komargodski,
Moni Naor,
Eylon Yogev
https://eccc.weizmann.ac.il/report/2016/023#revision4Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties such that only qualified subsets of parties can reconstruct the secret. The collection of qualified subsets is called an access structure. The best known example is the $k$-threshold access structure, where the qualified subsets are those of size at least $k$. When $k=2$ and there are $n$ parties, there are schemes for sharing an $\ell$-bit secret in which the share size of each party is roughly $\max\{\ell,\log n\}$ bits, and this is tight even for secrets of 1 bit. In these schemes, the number of parties $n$ must be given in advance to the dealer.
In this work we consider the case where the set of parties is not known in advance and could potentially be infinite. Our goal is to give the $t$-th party arriving the smallest possible share as a function of $t$. Our main result is such a scheme for the $k$-threshold access structure and 1-bit secrets where the share size of party $t$ is $(k-1)\cdot \log t + \mathsf{poly}(k)\cdot o(\log t)$. For $k=2$ we observe an equivalence to prefix codes and present matching upper and lower bounds of the form $\log t + \log\log t + \log\log\log t + O(1)$. Finally, we show that for any access structure there exists such a secret sharing scheme with shares of size $2^{t-1}$.Tue, 08 May 2018 17:51:18 +0300https://eccc.weizmann.ac.il/report/2016/023#revision4
Revision 3
| How to Share a Secret, Infinitely |
Ilan Komargodski,
Moni Naor,
Eylon Yogev
https://eccc.weizmann.ac.il/report/2016/023#revision3Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties such that only qualified subsets of parties can reconstruct the secret. The collection of qualified subsets is called an access structure. The best known example is the $k$-threshold access structure, where the qualified subsets are those of size at least $k$. When $k=2$ and there are $n$ parties, there are schemes where the size of the share each party gets is roughly $\log n$ bits, and this is tight even for secrets of 1 bit. In these schemes, the number of parties $n$ must be given in advance to the dealer.
In this work we consider the case where the set of parties is not known in advance and could potentially be infinite. Our goal is to give the $t$-th party arriving the smallest possible share as a function of $t$. Our main result is such a scheme for the $k$-threshold access structure where the share size of party $t$ is $(k-1)\cdot \log t + poly(k)\cdot o(\log t)$. For $k=2$ we observe an equivalence to prefix codes and present matching upper and lower bounds of the form $\log t + \log\log t + \log\log\log t + O(1)$. Finally, we show that for any access structure there exists such a secret sharing scheme with shares of size $2^{t-1}$.Thu, 25 Aug 2016 09:34:38 +0300https://eccc.weizmann.ac.il/report/2016/023#revision3
Revision 2
| How to Share a Secret, Infinitely |
Ilan Komargodski,
Moni Naor,
Eylon Yogev
https://eccc.weizmann.ac.il/report/2016/023#revision2Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties such that only qualified subsets of parties can reconstruct the secret. The collection of qualified subsets is called an access structure. The best known example is the $k$-threshold access structure, where the qualified subsets are those of size at least $k$. When $k=2$ and there are $n$ parties, there are schemes where the size of the share each party gets is roughly $\log n$ bits, and this is tight even for secrets of 1 bit. In these schemes, the number of parties $n$ must be given in advance to the dealer.
In this work we consider the case where the set of parties is not known in advanced and could potentially be infinite. Our goal is to give the $t$-th party arriving a small share as possible as a function of $t$. Our main result is such a scheme for the $k$-threshold access structure where the share size of party $t$ is $(k-1)\cdot \log t + poly(k)\cdot o(\log t)$. For $k=2$ we observe an equivalence to prefix codes and present matching upper and lower bounds of the form $\log t + \log\log t + \log\log\log t + O(1)$. Finally, we show that for any access structure there exists such a secret sharing scheme with shares of size $2^{t-1}$.Tue, 22 Mar 2016 15:33:53 +0200https://eccc.weizmann.ac.il/report/2016/023#revision2
Revision 1
| How to Share a Secret, Infinitely |
Ilan Komargodski,
Moni Naor,
Eylon Yogev
https://eccc.weizmann.ac.il/report/2016/023#revision1Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties so that any qualified subset of parties can reconstruct the secret, while every unqualified subset of parties learns nothing about the secret. The collection of qualified subsets is called an access structure. The best known access structure is the $k$-threshold one, where any subset of size $k$ or more is qualified and all smaller subsets are not qualified. A major issue is the size of the shares needed to assure this property. For the threshold access structure, when $k=2$ and there are $n$ parties it is known that the share size must be $\log n$ even for secrets of 1 bit.
In this work we consider the case where the set of parties is not known in advanced and could potentially be infinite. We would still like to give the $t$-th party arriving a small share as possible as a function of $t$. We show that for any access structure it is possible to do so by giving shares of size $2^{t-1}$. Our main result is a scheme for $k$-threshold access structure with shares of size $(k-1)\cdot \log t + {poly}(k)\cdot o(\log t)$ bits. Finally, we prove that no secret sharing scheme for the 2-threshold access structure with share size at most $\log{t} + \log\log t + O(1)$ exists.Wed, 24 Feb 2016 09:03:54 +0200https://eccc.weizmann.ac.il/report/2016/023#revision1
Paper TR16-023
| How to Share a Secret, Infinitely |
Ilan Komargodski,
Moni Naor,
Eylon Yogev
https://eccc.weizmann.ac.il/report/2016/023Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties so that any qualified subset of parties can reconstruct the secret, while every unqualified subset of parties learns nothing about the secret. The collection of qualified subsets is called an access structure. The best known access structure is the $k$-threshold one, where any subset of size $k$ or more is qualified and all smaller subsets are not qualified. A major issue is the size of the shares needed to assure this property. For the threshold access structure, when $k=2$ and there are $n$ parties it is known that the share size must be $\log n$ even for secrets of 1 bit.
In this work we consider the case where the set of parties is not known in advanced and could potentially be infinite. We would still like to give the $t$-th party arriving a small share as possible as a function of $t$. We show that for any access structure it is possible to do so by giving shares of size $2^{t-1}$. Our main result is a scheme for $k$-threshold access structure with shares of size $(k-1)\cdot \log t + {poly}(k)\cdot o(\log t)$ bits. Finally, we prove that no secret sharing scheme for the 2-threshold access structure with share size at most $\log{t} + \log\log t + O(1)$ exists.Tue, 23 Feb 2016 22:16:34 +0200https://eccc.weizmann.ac.il/report/2016/023