
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 44, NO. 5, SEPTEMBER 1998 1887

Secret Sharing with Public Reconstruction

Amos Beimel and Benny Chor

Abstract—All known constructions of information theoretic t-out-of-n secret-sharing schemes require secure, private communication channels among the parties for the reconstruction of the secret. In this work we investigate the cost of performing the reconstruction over public communication channels. A naive implementation of this task distributes 2n − 2 one-time pads to each party. This results in shares whose size is 2n − 1 times the secret size. We present three implementations of such schemes that are substantially more efficient.

• A scheme enabling multiple reconstructions of the secret by different subsets of parties, with factor O(n/t) increase in the shares’ size.

• A one-time scheme, enabling a single reconstruction of the secret, with O(log(n/t)) increase in the shares’ size.

• A one-time scheme, enabling a single reconstruction by a set of size exactly t, with factor O(1) increase in the shares’ size.

We prove that the first implementation is optimal (up to constant factors) by showing a tight Ω(n/t) lower bound for the increase in the shares’ size.

Index Terms—Cryptography, public and private channels, secret sharing, space efficiency, unrestricted and one-time schemes.

I. INTRODUCTION

SECRET sharing schemes were introduced by Blakley [1] and Shamir [2], and were the subject of a considerable amount of work, e.g., [3]–[7]. In these schemes, a dealer holds a secret piece of information. Upon system initialization, the dealer gives one “share” of the secret to each of n parties. These shares are distributed privately, and are kept by each party in a secure way. Later on, any authorized subset of the parties (a subset containing at least t parties) collects their shares, and uses them to reconstruct the secret. All known schemes that guarantee information-theoretic secrecy require the use of secure, private communication channels between the parties that participate in the reconstruction.

The question we raise in this work is whether reconstruction can be done without assuming that the channels are secure, while maintaining the security of the schemes. We require that after a reconstruction, only the parties who took part will know the secret. We consider the worst case scenario: the “bad” parties can overhear any communication, so from their point of view the channels are public. On the other hand, “good” parties hear only messages sent to them. (In particular, from the point of view of the “good guys,” the channels do not carry any of the potential advantages of a broadcast channel.)

Manuscript received February 6, 1996; revised March 23, 1998. This work was supported by Technion VPR funds. The work of A. Beimel was performed while a Ph.D. student at the Department of Computer Science, Technion–Israel Institute of Technology, Haifa, Israel. The material in this paper was presented in part at CRYPTO’95, Santa Barbara, CA, and appears in Advances in Cryptography—CRYPTO’95, D. Coppersmith, Ed. (Springer, Lecture Notes in Computer Science, vol. 963), pp. 353–366.

A. Beimel is with the Division of Engineering and Applied Sciences, Harvard University, Cambridge, MA 02138 USA (e-mail: [email protected]).

B. Chor is with the Department of Computer Science, Technion–Israel Institute of Technology, Haifa 32000, Israel (e-mail: [email protected]).

Publisher Item Identifier S 0018-9448(98)05279-1.

The simplest way to implement such public reconstruction securely is to hand to each party upon system initialization, in addition to his original share, 2n − 2 one-time pads. These pads are used in order to simulate a private channel on a public one. In the private channel scenario, reconstruction is typically done by exchanging shares among parties. To enable such exchange with every other participant, each party will need two pads per participant: one for receiving a share, and one for sending the share. Thus the simple implementation results in a (2n − 1) multiplicative factor increase in the size of each share.

We design substantially more efficient schemes of three types. The first type is unrestricted schemes. In these schemes, any number of authorized sets (each containing at least t parties) may reconstruct the secret, after communicating on the public channel. Any disjoint coalition of at most t − 1 parties does not gain any partial information on the secret, given the coalition’s shares and the communication of the sets that reconstructed the secret. We describe unrestricted schemes in which the size of the shares is O(n/t) times the size of the original secret. We complement this result by proving a tight Ω(n/t) lower bound on the increase in the shares’ size for any unrestricted scheme. In order to participate in more than one reconstruction, every party that has already reconstructed the secret must store it. This is problematic in applications where an adversary might break into the computer of the secret holder. (One of the advantages of traditional secret sharing is that breaking into the computer of a “share holder” does not compromise the secret.) The unrestricted nonreactive schemes of Section V solve this problem, but the share size is times the secret size.

The second type is one-time schemes, in which only a single authorized set (containing at least t parties) will reconstruct the secret securely. It is not known during system initialization which set will reconstruct the secret, and the dealer has to accommodate any possible set. For example, these schemes can be used to enable one-time activities like the firing of a ballistic missile or the opening of a sealed safe. We describe one-time schemes in which the size of the shares is O(log(n/t)) times the original secret size. Next, we consider one-time schemes where one authorized set of size exactly t will reconstruct the secret. Additional parties in supersets with more than t parties jointly have enough information to reconstruct the secret. However, they cannot reconstruct the secret over the public channel, because communicating it from members of the authorized set is not possible in a secure way. This means that the authorized sets that can securely reconstruct the secret do not form a monotone access structure. We design such schemes with just O(1) multiplicative increase in the share size (for any threshold).

0018–9448/98$10.00 1998 IEEE

In light of our results, one may wonder if the initial distribution of shares can also be done over public channels. By the properties of “regular” schemes, each participant requires a share whose conditional mutual information with the secret (given the information of t − 1 parties) is at least the entropy of the secrets [4]. If the parties start with shares of smaller conditional entropy, then the parties and the dealer cannot increase it by communicating over public channels, even if interaction is allowed [8], [9]. Thus in our model, it is necessary to have secure initial distribution of shares from the dealer to the participants. However, from a practical point of view, the distribution stage is an off-line process which is typically done upon system initialization (unlike the reconstruction stage). Thus assuming private initial distribution is reasonable.

Some bibliographical remarks: a similar setting of public interaction was considered for interactive key distribution schemes (e.g., [10]–[12]). Our schemes employ key distribution schemes, though not interactive ones. Another solution for eliminating the use of secure private channels assumes that the parties have limited computing power. A common assumption is that the parties are probabilistic polynomial-time Turing machines, and the security of the channels is achieved by means of public key cryptography [13], [14]. Public channels have been used in secret sharing (in addition to private channels) in dynamic sharing of secrets. These are schemes where the dealer enables parties to reconstruct different secrets in different time instants (e.g., [7], [15], [16]). A different scenario in which a public broadcast channel is used (in addition to private channels) is to protect against Byzantine parties [17], [18]. Unlike our scenario, in those works the broadcast channel is heard by all parties.

The rest of this paper is organized as follows: in Section II, we define the model, secret-sharing schemes, and key distribution schemes. In Section III, we describe the unrestricted schemes, and in Section IV, the one-time schemes. In Section V, we introduce nonreactive, unrestricted schemes. In Section VI, we provide the lower bound for unrestricted schemes. Finally, in Section VII, we summarize our results and give two numerical examples of the sizes of shares in our various schemes.

II. DEFINITIONS

In this section we define our model, secret-sharing schemes (traditional and public channels), and key distribution schemes.

A. The Model

We consider a system with n parties, denoted by . In addition to the parties, there is a dealer in the system, who has a secret input taken from some finite domain . A distribution scheme is a probabilistic mapping (namely, a mapping which depends on the secret and on an independent random input), which the dealer applies to the input, and generates n pieces of information. These pieces of information are called shares, and the ith piece is called the share of . For every , the dealer gives the ith share to . The dealer is only active in this initial stage. After the initial stage, subsets of the parties can communicate, according to some pre-defined, possibly randomized, protocol. The parties are honest, that is, they follow their protocols. However, a subset, disjoint of the communicating subsets, is curious and after the protocol has ended the members of the subset collude and try to gain some partial information about the secret.

Definition 1: Let be a disjoint coalition (set of parties), and the input of the dealer. The view of , after a distribution of the input and an execution of a protocol, denoted by , is all the information the coalition gets. This information includes the shares of the parties in the coalition and the messages exchanged by parties over the communication channels to which the coalition has access. (This definition can accommodate different levels of security of the communication medium.) The view of is a probabilistic function of the input (since the ensemble of shares of the parties is a function of the input).

The coalition has no information on the inputs if for every two values and every value of the view:

The probability is taken over the random input of the dealer, and the random inputs of the members outside the coalition.

Notice that we do not make any assumptions on the probability distribution of the inputs . This is desirable since the designer of a scheme does not necessarily know the probability distribution of the inputs that will be used (e.g., there might be only two possible inputs). This idea is inspired by the definition of probabilistic encryption [14]. An alternative definition assumes that there is some probability distribution on the inputs, and requires that for every probability distribution the probability of the input, given the view of the coalition, is the a priori probability of the input. It can be proved that these two definitions are equivalent [19]. The alternative definition can be rephrased to state that the conditional entropy of the inputs given the view of the coalition is equal to the original entropy of the inputs. This is a common definition of secret-sharing schemes [4], [20]. We use this latter definition in Section VI. Another comment is that in general the view of the parties in a coalition includes their local random inputs. However, since we consider only disjoint coalitions which only listen and do not participate in any computation, we can ignore their local random inputs.

B. Secret Sharing Schemes

We define both traditional secret-sharing schemes, i.e., with private channels, and secret-sharing schemes with public reconstruction.

Definition 2: Let be a finite set of secrets. A t-out-of-n secret-sharing scheme is a distribution scheme, in which the dealer’s input is a secret taken from , and which satisfies the following two conditions:

Reconstructability: Any set of parties whose size is at least t can reconstruct the value of the secret after communicating among themselves. Every party in the reconstructing set gets the value of the secret with certainty.

Security: Every disjoint coalition of size at most t − 1 has no information on the secret as defined in Definition 1. There are three variants we consider:

1) Traditional secret-sharing schemes in which the reconstruction takes place via secure, private channels. In this case, the view of a disjoint coalition is only its shares.

2) Unrestricted secret-sharing schemes with public reconstruction in which a coalition can overhear all communications taking place. The security is guaranteed even if several sets (maybe even all) reconstruct the secret using the public channel. In this case, the view of a disjoint coalition is its shares and all the communications that took place.

3) One-time secret-sharing schemes in which the security is guaranteed only if one set will reconstruct the secret. It is not known during system initialization which set will reconstruct the secret, and the dealer has to accommodate any possible set. In this case, the view of a disjoint coalition is its shares and the communication of one reconstructing set.

The security should hold for any coalition of at most t − 1 parties. A special case is the empty coalition, namely, a listener who overhears all communications but has no shares should gain no partial information about the secret.

Shamir [2] presented a traditional secret-sharing scheme in which the size of the shares is the same as the size of the secrets (for domains of secrets which contain at least secrets). The size of shares in Shamir’s scheme is the smallest possible, since the size of the share has to be at least as large as the size of the secrets [4]. In traditional secret-sharing schemes, while one set reconstructs the secret, no information is leaked to disjoint coalitions (due to the security of the channels). Hence, secure traditional schemes are always unrestricted. Furthermore, in traditional schemes, if a set can reconstruct the secret, then every superset of the set can reconstruct the secret. However, one-time secret-sharing schemes with public reconstruction do not necessarily have this monotone property. To satisfy monotonicity, it is required that every party of the superset should know the reconstructed secret. However, it is not necessarily possible to “distribute” the secret to members of a superset without leaking information to other parties.

C. Key Distribution Schemes

We now define unrestricted, noncommunicating key distribution schemes. (Other variations of key distribution schemes can be found in [10] and [11].) These key distribution schemes are used in the constructions of our secret-sharing schemes.

Definition 3: Let be a positive integer such that , and let be a set of keys. A key distribution scheme with n users and domain of keys is a distribution scheme in which a dealer (who has only a random input) generates n shares such that the following two requirements hold.

Reconstructability: The shares of every pair of parties determine a key, which is distributed uniformly over the domain of keys, . (The key depends on the random input of the dealer.) Each member of the pair can deterministically reconstruct ’s key from his share without any communication.

Security: Let be any (“bad”) coalition of cardinality at most , and be a disjoint pair of parties. The coalition has no information on the key of , as defined in Definition 1. In this case, their view is the collection of their shares.

The security requirement is with respect to the key of a single pair. It does not guarantee that a coalition cannot gain information on relations between different keys (e.g., the coalition might know that the keys of two pairs are equal). However, the security does guarantee some independence between keys. Consider a key distribution scheme, a coalition of parties, and a disjoint set of parties. From the point of view of the coalition, the keys of pairs of parties in are distributed uniformly and independently (for a proof see [11]). Blom [21] constructed efficient -key distribution schemes. For every prime-power (where ) he presented a scheme in which the keys are taken from GF and the shares are taken from GF . Blundo et al. [10] proved that this is optimal, namely, the shares cannot be taken from smaller domains.

III. UNRESTRICTED SCHEMES

In this section we construct unrestricted secret-sharing schemes with public reconstruction, in which the size of the share of every party is O(n/t) times the size of the secret. We first describe a simple scheme in which the size of the shares is 2n − 1 times the size of the secret. Our construction can be viewed as an optimization of this simple scheme. In this scheme, the dealer shares the secret using Shamir’s secret-sharing scheme [2]. The dealer also deals to every pair of parties two random strings whose size is the same as the size of the secret. These two random strings, which we call keys, are given to the two parties of the pair, and will be used as one-time pads. Overall, every party receives 2n − 2 keys, each one with the same size as the secret. When the parties in a set of size at least t wish to reconstruct the secret, all the parties “send” their shares to the “leader” of the set, say the party with minimal index in the set. The leader gets at least t shares (including his own), which enable him to reconstruct the secret. Then, the leader “sends” the secret to the other parties. The parties use their keys as one-time pads to simulate private channels. Specifically, let be the party with smallest identity in the set. Every party , holding the share from Shamir’s scheme, adds and the first key of the pair and sends this sum over the public channel (this is an addition in the appropriate finite field). The party can reconstruct all the shares from these messages, and therefore reconstruct the secret. Now, sends messages, one message to every party in the reconstruction set. For every party , he adds the secret and the second key of the pair and sends this sum over the public channel. Since the one-time pads are independent, coalitions of parties disjoint to the reconstructing set do not gain any information on the shares or the secret. Furthermore, even if many reconstructions take place, this does not leak any information to a disjoint set.

Fig. 1. Unrestricted t-out-of-n secret-sharing scheme.

Suppose is the leader in a set of size at least t. In the previous scheme, during the reconstruction for this set, only the keys that were given to were used. To improve the space efficiency we will use all the keys of the parties in the reconstructing set. Following [11], we partition the secret into t subsecrets, and share each subsecret using Shamir’s scheme. Now we choose t parties of the reconstructing set, and each one will be responsible for reconstructing one subsecret. Each party will act as the leader in the previous scheme. That is, every leader receives shares from the other leaders (this is enough), but sends his subsecret (after reconstruction) to every member of the reconstructing set. This way we can handle t subsecrets “at the price of one.” The domain of the secrets in the scheme is GF , where is a prime-power such that . (We require that since this is the requirement in Shamir’s scheme.) In the scheme we view the secret as t subsecrets from GF . The scheme is presented in Fig. 1.

As described, the scheme has two technical points which should be clarified. The first is the fact that in one reconstruction two parties and might need to exchange four different messages: Assume that is responsible for reconstructing the subsecret , and is responsible for reconstructing the subsecret . The party has to receive from the share corresponding to the subsecret , and then will send the subsecret . Similarly, has to receive from the share corresponding to the subsecret , and then will send the subsecret . This is the reason for giving them four common keys. The second difficulty is that in different reconstructions the same party can be responsible for different subsecrets. This means that will have to send to two different messages, using the same key as a one-time pad. This might leak information to disjoint coalitions. To overcome the problem, every party that participates in one reconstruction will remember the secret, and in later reconstructions will inform other parties (in the clear) that he knows the secret. In such case, other parties will not send him any messages. He will continue to send the messages that he has to send according to the scheme (to “new” parties). Thus every key is used as a one-time pad at most once (in the first reconstruction that the pair participates together). Therefore, the scheme satisfies the unrestricted security requirement.

Let us calculate the size of the share of every party in this unrestricted scheme. Each party is given t shares generated by Shamir’s scheme for secrets taken from GF . The dealer also distributes to each party keys taken from GF . Hence, each share contains elements from GF , compared to t elements from GF for the secret. We summarize these results in the next theorem.

Theorem 4: Let be a prime-power such that . The above mentioned scheme is an unrestricted t-out-of-n secret-sharing scheme with public reconstruction for secrets taken from GF . The share of each party is an element of GF . So the size of each share is times the size of the secrets.
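The two-round exchange of Section III (padded shares to the t leaders, then padded subsecrets from each leader to every member), as an added Python simulation that is not code from the paper: it shares t subsecrets with Shamir's scheme over an assumed prime field GF(P), gives every pair four one-time-pad keys, runs one reconstruction by a set of at least t parties, and returns what each member learned together with the transcript an eavesdropper on the public channel sees. The prime P, the sample parameters and all function names are assumptions of this example.

```python
import secrets

# Added example, not the paper's own code. Simulates the unrestricted scheme of
# Section III: the secret is t field elements, each shared with Shamir's scheme,
# and every pair of parties holds four one-time-pad keys (two directions x two
# message kinds), so no key is used twice within one reconstruction.
# The prime field GF(P) with P > n is an assumed concrete choice.

P = 2**31 - 1


def shamir_share(subsecret: int, t: int, n: int) -> list:
    """Shamir t-out-of-n shares of one field element; party i's share is f(i)."""
    coeffs = [subsecret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
            for x in range(1, n + 1)]


def shamir_reconstruct(points: dict) -> int:
    """Lagrange interpolation at x = 0 from at least t (x, f(x)) points."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def deal(secret: list, t: int, n: int):
    """Dealer: t Shamir shares per party plus four keys for each of its n-1 pairs."""
    assert len(secret) == t and 1 <= t <= n < P
    per_sub = [shamir_share(s, t, n) for s in secret]
    shares = {i: [per_sub[j][i - 1] for j in range(t)] for i in range(1, n + 1)}
    keys = {}  # keys[(sender, receiver, kind)]; held by both sender and receiver
    for a in range(1, n + 1):
        for b in range(a + 1, n + 1):
            for kind in ("share", "subsecret"):
                keys[(a, b, kind)] = secrets.randbelow(P)
                keys[(b, a, kind)] = secrets.randbelow(P)
    return shares, keys


def share_size(t: int, n: int) -> int:
    """Field elements held per party in this scheme: t shares + 4(n-1) keys."""
    return t + 4 * (n - 1)


def naive_share_size(n: int) -> int:
    """Field elements per party in the simple scheme: 1 share + 2(n-1) keys."""
    return 2 * n - 1


def reconstruct_publicly(members, shares, keys, t: int):
    """Run one reconstruction over a public channel.

    Returns (learned, transcript): learned[m] is the list of t subsecrets party
    m ends up with; transcript is every (sender, receiver, masked value) an
    eavesdropper sees. Leaders are the t smallest indices in the set; leader
    number j is responsible for subsecret j.
    """
    members = sorted(members)
    assert len(members) >= t
    leaders = members[:t]
    transcript = []
    learned = {m: [None] * t for m in members}
    for j, leader in enumerate(leaders):
        # Round 1: the other leaders send their share of subsecret j, padded.
        points = {leader: shares[leader][j]}
        for other in leaders:
            if other == leader:
                continue
            pad = keys[(other, leader, "share")]
            masked = (shares[other][j] + pad) % P
            transcript.append((other, leader, masked))
            points[other] = (masked - pad) % P       # leader strips the pad
        # The leader now holds t shares of subsecret j and reconstructs it ...
        sub = shamir_reconstruct(points)
        learned[leader][j] = sub
        # Round 2: ... and sends it, under a fresh pad, to every other member.
        for m in members:
            if m == leader:
                continue
            pad = keys[(leader, m, "subsecret")]
            masked = (sub + pad) % P
            transcript.append((leader, m, masked))
            learned[m][j] = (masked - pad) % P
    return learned, transcript


def demo():
    """Constructed sample run: t = 3, n = 5, reconstructing set {1, 3, 4, 5}."""
    secret = [11, 22, 33]
    shares, keys = deal(secret, 3, 5)
    learned, transcript = reconstruct_publicly({1, 3, 4, 5}, shares, keys, 3)
    return all(learned[m] == secret for m in learned), len(transcript)


if __name__ == "__main__":
    print(demo(), share_size(3, 5), naive_share_size(5))
```

The transcript contains only pad-masked field elements, and share_size counts the t shares plus four keys per pair that give the O(n/t) ratio of Theorem 4, next to the 2n − 1 elements of the simple scheme.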

IV. ONE-TIME SCHEMES

In the unrestricted scheme, we need totally independent keys in order to guarantee the security of the scheme during repeated reconstructions. In this section we deal with the scenario where the secret is going to be reconstructed only once. For example, to enable the firing of a ballistic missile or opening of a sealed safe. In this case, total independence among the keys is not needed, and weaker independence requirements suffice. Shares can therefore be taken from a smaller sample space, which translates into smaller size shares. Specifically, we use Blom’s key distribution scheme [21] for this purpose.

The first scheme we present enables one-time reconstruction of the secret by sets of size exactly t. The size of the shares is a constant (less than ) times the size of the secret, namely, only O(1) increase in shares’ size. We employ this “exactly” scheme as a building block for “at least” schemes. We use independent instances of “exact schemes” for thresholds up to , and an additional instance of size . Now, given any set with parties , we represent it as a union of subsets (not necessarily disjoint) with cardinalities —at most two subsets of cardinality and at most one subset of cardinality for each . The secret is now separately reconstructed by each subset. Any member of takes part in at least one of these reconstructions, and thus learns the secret. On the other hand, any disjoint coalition containing at most t − 1 parties gets no partial information on the secret from any single instance. Due to the independence of the instances, this remains valid with respect to the joint reconstructions. We get a one-time scheme for sets of size at least t, with just O(log(n/t)) increase in share size. We now describe in detail the “exactly” scheme. The distribution phase is depicted in Fig. 2.

Fig. 2. One-time for exactly t-out-of-n secret-sharing scheme with public reconstruction.

The reconstruction is done exactly as in the unrestricted scheme. The security of one reconstruction of a set of exactly t parties follows from the property of key distribution schemes discussed in Section II-C: given the shares of any disjoint coalition of at most t − 1 parties, the keys held by any set of size t are distributed uniformly and independently. Thus when used as one-time pads, the reconstruction is secure (using the same arguments as in the unrestricted case). This scheme uses shares of Shamir’s t-out-of-n secret-sharing scheme with secrets taken from GF . In addition, each party gets a share of Blom’s key distribution scheme with keys taken from GF —these shares are taken from GF . Overall, the total share contains elements from GF (if , then the shares are even shorter). Recall that the secret is taken from GF , and therefore the size of the share is less than nine times the size of the secrets.

In this scheme, the domain of secrets has to be GF (for some prime-power ). Restricting the domain of secrets to such cardinality can cause problems when we employ simultaneously many schemes with the same secret but with different thresholds. To overcome this, given any domain of secrets, we consider a slightly bigger domain whose size (which can depend on the threshold) is of the desired form. That is, given a secret of size which is at least , we choose a prime power such that , and use the previous scheme with secrets of size . Choosing , we have . If we assume that then the size of the share is .

Theorem 5: Let be a natural number such that . There exists a one-time secret-sharing scheme with public reconstruction for exactly t-out-of-n, in which the size of the secret equals , and the size of the share of each party is less than ten times the size of the secrets.

Fig. 3. One-time t-out-of-n secret-sharing scheme with public reconstruction.

One-time schemes are a special case of traditional secret-sharing schemes even if only sets of size exactly t can securely reconstruct the secret, since every set of at least t parties has enough information to reconstruct the secret on secure private channels. Thus the size of each share has to be at least the size of the secret [4]. Therefore, our scheme is tight up to a constant factor. We can slightly improve this lower bound, by observing that every one-time exactly t-out-of-n secret-sharing scheme with public reconstruction can be used as a one-time communicating key distribution scheme (for ) (for definition of communicating key distribution scheme see [11]). The size of the share in every key distribution scheme is at least twice the size of the key [11]. Therefore, the size of the share in every one-time secret-sharing scheme with public reconstruction is at least twice the size of the secret.

In Fig. 3, we describe the one-time scheme in which every set of at least parties can securely reconstruct the secret.

Theorem 6: The scheme of Fig. 3 is a one-time -out-of- secret-sharing scheme with public reconstruction in which every set of parties of size at least can securely reconstruct the secret. If the size of the secrets is larger than , then the size of the shares of every party is less than times the size of the secrets.

Remark 7: If we require that the size of the secret is greater than , then we can construct a scheme in which the size of the shares is only times the size of the secret, i.e., a smaller leading constant. To achieve this goal we use a slightly weaker building block (instead of the exactly -out-of- scheme). This building block is a scheme in which exactly parties can reconstruct the secret, while any coalition of size does not gain any information on the reconstructed secret. Schemes which satisfy this requirement on secure, private channels were presented by Blakley and Meadows [22] (see also [3], [4], and [23]), and are called ramp schemes. We use ramp schemes instead of regular secret-sharing schemes to design our building blocks. Assume that sets of parties should be able to reconstruct the secret, while sets of fewer than parties should get no information about the secret. The size of the share in such a ramp scheme is times the size of the secret, i.e., substantially smaller than in traditional secret-sharing schemes. For the scheme with public reconstruction, assume that the domain of secrets is GF . That is, the dealer has secrets, each one taken from GF . The share of each party is one share of the ramp scheme for subsecrets, each share taken from GF . In the reconstruction of the secret by a subset containing exactly parties, each party will be responsible for one subsecret. Each pair of parties in this set first exchanges two shares of the ramp scheme. Now each party reconstructs his subsecret, and every pair of parties exchanges two subsecrets. Therefore, every pair of parties needs two keys of a -key distribution scheme with keys from GF (the domain of shares of the ramp scheme), as well as two keys from a -key distribution scheme with keys from GF (the domain of subsecrets). Overall, the share of each party is an element taken from GF . That is, the size of the share is times the size of the secrets. In the -out-of- scheme for every set, we use these schemes with —therefore, the size of the share is only times the size of the secret. In this construction we require that the size of the secret is greater than ; this requirement can be weakened to .

V. UNRESTRICTED NONREACTIVE SCHEMES

A secret-sharing scheme with public reconstruction is called nonreactive if the messages sent by each party depend only on his share (and not on messages received during the reconstruction). Nonreactive schemes are simpler to implement, as they require less synchronization. Therefore, they are desirable from a practical point of view. In this section we present nonreactive, unrestricted -out-of- schemes. The size of the shares in these schemes is times the size of the secret. This represents a slight improvement (by a factor of ) over the reactive scheme of Section III for , but is strictly less efficient (in terms of share size) for . We extend these schemes to general access structures. The size of the share in our public reconstruction schemes is times the size of the share in the original scheme. For general access structures it is typically not a significant increase, as the best schemes for most access structures to date require shares whose size is exponential in .

We first present a simple, nonreactive, two-out-of- secret-sharing scheme. Let be the secret which the dealer wants to share. The dealer chooses independent random elements from , denoted . The share of is . Each share is uniformly distributed in , regardless of the secret. Hence, prior to any reconstruction every party has no information on the secret (as defined in Definition 1). To reconstruct the secret, sends the message , and sends the message . Now, , who holds , hears the message , so he can reconstruct the secret. Every third party hears messages that he already knows, and gains no information on the secret. That is, the reconstruction is secure. The size of the shares in this scheme is times the size of the secret. During the reconstruction in this scheme every party is deterministic and sends only one message that depends only on its share.

In a general secret-sharing scheme, first suggested in [24], we are given a collection of sets of parties called an access structure. We require that every set in can reconstruct the secret, while every set not in does not jointly know anything about the secret. Secret-sharing schemes satisfying these requirements can exist only for monotone collections. Indeed, it is known that for every monotone collection there exists a traditional secret-sharing scheme [24]–[26]. However, the size of the shares in these schemes is typically exponential in the number of parties (i.e., of size where is the number of parties in the system and is the size of the secret).

Let be any monotone access structure. The unrestricted, nonreactive, two-out-of- scheme can be generalized to an unrestricted, nonreactive scheme realizing the access structure . Assume there is a traditional secret-sharing scheme realizing with domain of secrets and domain of shares . In our scheme we use the following observation: denote by the access structure . There exists a traditional secret-sharing scheme realizing in which the domain of shares is (fix some possible share for , and share the secret using the scheme for conditioned on the fact that the share of is ).

We now describe an unrestricted, nonreactive scheme realizing with domain of shares . To share a secret , the dealer chooses random independent elements from , the domain of secrets, denoted . For every , the dealer distributes the share to , and shares among using the scheme realizing with domain of shares . That is, the share of is together with the shares of the schemes realizing with secrets respectively. The total share is an element taken from . Now, when a subset wishes to reconstruct the secret, every sends (in the open) the share of the secret to every . Thus holds and hears the shares of from the scheme realizing with the secret . Since , the party can reconstruct , and with reconstructs the secret.

We next claim that the reconstructions are secure. That is, every coalition hearing communications during the reconstruction of the secret by all sets in that are disjoint from does not gain information on the secret. The coalition is not in for any , thus the shares of give no information on for . Hence, prior to any reconstruction the coalition has no information on the secret even if it knows for every . But the information that the coalition gains from the communication is at most the ’s for , and it does not gain any information on the secret. That is, the reconstruction is secure. Thus

Theorem 8: Assume there exists a (traditional) secret-sharing scheme realizing with domain of secrets and domain of shares . Then there exists an unrestricted, nonreactive secret-sharing scheme realizing with public reconstruction for secrets taken from . The share of each party is an element of . So the size of each share is at most times the size of the shares in the original scheme.

We can apply the previous construction to threshold schemes using Shamir’s scheme.

Corollary 9: Let be a prime-power such that . There exists an unrestricted, nonreactive -out-of- secret-sharing scheme with public reconstruction for secrets taken from GF . The share of each party is an element of GF . So the size of each share is times the size of the secret.
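The nonreactive two-out-of-n scheme of this section and its Theorem 8 / Corollary 9 generalization to threshold access structures, as an added Python example that is not the paper's own code. It assumes a prime field GF(p) with a constructed Mersenne prime modulus and party identifiers 1..n; the names s (secret) and r_i (per-party mask) are this example's. For t = 2 each mask r_i is handed directly to every other party, exactly as in the text; for larger t, r_i is shared among the other n-1 parties with a (t-1)-out-of-(n-1) Shamir scheme, which is the restricted access structure the construction calls for.

```python
import secrets

# Constructed modulus for the prime field GF(P) (a Mersenne prime); parties are 1..n.
P = (1 << 61) - 1


def lagrange_at(points, x):
    """Evaluate at x the polynomial of degree < len(points) through the points {x_i: y_i}."""
    total = 0
    for xi, yi in points.items():
        num, den = 1, 1
        for xj in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def shamir_share(value, k, ids):
    """k-out-of-len(ids) Shamir sharing of value; k == 1 hands value itself to everyone."""
    coeffs = [value] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {x: sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P for x in ids}


def deal(secret, t, n):
    """Dealer: share_i = (secret + r_i, {j: P_i's piece of r_j}) for i = 1..n.
    The mask r_i is shared among the other n-1 parties with threshold t-1, so for
    t = 2 every other party simply holds r_i (the two-out-of-n scheme of the text).
    The masked value secret + r_i stays with P_i and is never transmitted."""
    ids = list(range(1, n + 1))
    masks = {i: secrets.randbelow(P) for i in ids}
    pieces = {i: shamir_share(masks[i], t - 1, [j for j in ids if j != i]) for i in ids}
    return {i: ((secret + masks[i]) % P, {j: pieces[j][i] for j in ids if j != i})
            for i in ids}


def messages(i, share_i, subset):
    """Nonreactive: P_i's outgoing messages depend only on its share and the set B."""
    return {j: share_i[1][j] for j in subset if j != i}


def reconstruct(share_i, received):
    """P_i interpolates r_i from the pieces it received and unmasks the secret."""
    return (share_i[0] - lagrange_at(received, 0)) % P


def run_reconstruction(shares, subset):
    """Reconstruction by subset B over a public channel: every message goes into a
    public transcript of (sender, receiver, value) triples. Returns (results, transcript)."""
    transcript = []
    inbox = {i: {} for i in subset}
    for i in subset:
        for j, v in messages(i, shares[i], subset).items():
            transcript.append((i, j, v))
            inbox[j][i] = v
    return {i: reconstruct(shares[i], inbox[i]) for i in subset}, transcript


def transcript_already_known(shares, coalition, transcript):
    """Security check for a coalition of t-1 (or more) parties disjoint from B: each public
    value is a piece of some r_j with j outside the coalition, and the coalition can
    recompute it from the t-1 pieces of r_j it already holds, so the transcript adds
    nothing to what the coalition knew (and its own shares reveal nothing about the secret)."""
    for sender, receiver, v in transcript:
        if receiver in coalition:
            return False
        own = {c: shares[c][1][receiver] for c in coalition}
        if lagrange_at(own, sender) != v:
            return False
    return True


if __name__ == "__main__":
    shares = deal(2024, 3, 6)  # 3-out-of-6 with a constructed secret
    results, transcript = run_reconstruction(shares, [1, 2, 4])
    print(results)  # every member of B recovers 2024
    print(transcript_already_known(shares, [3, 5], transcript))  # True
```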

VI. LOWER BOUNDS FOR UNRESTRICTED SCHEMES

In this section we prove an lower bound on the increase in the shares’ size for unrestricted -out-of- schemes. The specific lower bound that we prove is tight for (by the nonreactive scheme of Section V). For our lower bound is tight up to a constant factor (by the reactive scheme of Section III). We first prove an lower bound on the increase in size of shares for two-out-of- schemes. Then, we show that this lower bound translates into increase for -out-of- schemes.

We start with the lower bound for . The proof uses entropy and mutual information. For definitions of these information-theoretic terms, the reader can refer to [27]. We assume an arbitrary probability distribution on the secrets, and we denote the secret by the random variable .

The intuition behind the proof is that has to expose “new” bits of his share in each reconstruction, and can participate in reconstructions. After all reconstructions, the uncertainty of the share of has to remain at least , as an outsider who listened to all reconstructions still has uncertainty on the secret. Thus the original entropy of the share has to be at least .

Without loss of generality, we prove the claim for . To prove the lower bound on ’s share, we only use the requirement that can reconstruct the secret together with every other (we do not care if other pairs can or cannot reconstruct the secret). We start with some notation. Denote by the share given to in the initial distribution phase, and by the messages exchanged when and reconstruct the secret (all these are random variables). We denote by the concatenation of all messages exchanged between and the parties . Recall that the communication , together with ’s share , enables to reconstruct the secret . On the other hand, the communication and give no information (to ) about the secret. These facts will imply the next claim.

Claim 10: .

Proof: Since can reconstruct the secret, given his share and the messages exchanged between and , the conditional entropy equals . On the other hand, gets no information about the secret from his own share and all messages exchanged between and the other parties. Therefore, the conditional entropy equals . Now, consider the conditional mutual information of the message and the secret , given the share and . We have

Since the entropy is nonnegative, .

The next claim is the heart of the proof of the lower bound. It states that the mutual information between and given the “other” communication is at least . Intuitively, since does not know the secret prior to the reconstruction, and knows it after the reconstruction, has to receive bits of information which could only originate in and passed through the communication . Hence, must contain bits of information originating from the share . Claim 11 is stated for deterministic parties—the outgoing messages are determined by the given share and previous incoming messages. An analogous statement is proved in Section VI-A for randomized parties, whose outgoing messages could in addition depend on random local inputs.

Claim 11: For deterministic reconstruction protocols we have

Proof: Since and are deterministic, and their domain of shares is finite, there is a bound on the maximum number of communication rounds which can take place during the reconstruction of the secret. Denote by the th message sent by to , and similarly, let be the th message sent by to . Then, without loss of generality, . The message is determined by the share and previous messages, that is, . The following inequality holds for any deterministic communication protocol:

Similarly,

Combining the two inequalities

This inequality, together with Claim 10, implies

We are now ready to prove our lower bound for .

Claim 12: In any unrestricted two-out-of- secret-sharing scheme with public reconstruction, the share of each participant, , satisfies

Proof: We first note that by Definition 2 a listener, who overhears all communication involving , gets no information on the secret. Therefore,

On the other hand, given ’s share, this communication determines the secret, so

Therefore,

and in particular

Claim 11 (or Claim 17 for the case of randomized protocols) states that

Similarly it holds that

...

Summing these inequalities, we conclude that
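The chain of inequalities in this proof, written out as an added worked derivation (the paper's own displayed equations are not reproduced here). The notation is this example's: $X_1$ is $P_1$'s share, $S$ the secret, $M_{1j}$ the transcript of the reconstruction by $P_1$ and $P_j$, $M = (M_{12},\dots,M_{1n})$ all of $P_1$'s reconstructions, and $M_{<j} = (M_{12},\dots,M_{1,j-1})$ the earlier ones, which is the conditioning assumed when Claim 11 is applied to the $j$th reconstruction:

$$
\begin{aligned}
H(S \mid M) &= H(S) && \text{(Definition 2: a listener to all of } P_1\text{'s reconstructions learns nothing)}\\
H(S \mid X_1, M) &= 0 && (X_1 \text{ together with } M \text{ determines } S)\\
I(X_1; S \mid M) &= H(S \mid M) - H(S \mid X_1, M) = H(S) \\
H(X_1 \mid M) &\ge I(X_1; S \mid M) = H(S).
\end{aligned}
$$

By the chain rule for mutual information and Claim 11 (or Claim 17), $I(X_1; M_{1j} \mid M_{<j}) \ge H(S)$ for each $j = 2,\dots,n$, so

$$
H(X_1) \;=\; H(X_1 \mid M) + I(X_1; M)
\;=\; H(X_1 \mid M) + \sum_{j=2}^{n} I(X_1; M_{1j} \mid M_{<j})
\;\ge\; H(S) + (n-1)\,H(S) \;=\; n\,H(S).
$$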

We next show that this lower bound on the increase in the size of shares for two-out-of- schemes translates into increase for -out-of- schemes.

Theorem 13: In every unrestricted -out-of- secret-sharing scheme with public reconstruction the size of the shares of every party is at least times the size of the secrets.

Proof: Consider any -out-of- scheme. Denote the party whose share is shortest by . We construct an unrestricted two-out-of- scheme in which the entropy of —the share of —is the same. Hence, by Claim 12 its entropy is at least . Since the scheme is secure whatever the distribution on the secrets is, we can assume uniform distribution on the secrets. In this case , which is the size of the secret. Since , the size of the share of is at least times the size of the secrets.

The construction is simple: the dealer gives the share of in the original scheme, and every other party gets shares of disjoint parties. Since every party has at most shares, he does not gain any information on the secret even after hearing communications. On the other hand, every two parties have at least shares, therefore, they can communicate on a public channel, and securely reconstruct the secret.

A. Lower Bound for Probabilistic Parties

In the proof of Claim 11 we assumed that the parties are deterministic during the reconstruction of the secret. In this section we prove the same claim without this assumption. Recall that is the share of , is the communication generated in the reconstruction of the secret by and , and is the communication in previous reconstructions. We prove that the mutual information between and given is at least the entropy of the secret, even if the parties may toss coins during the reconstruction. That is, party has an independent local random string, denoted , and the messages he generates are a deterministic function of his share, his random input, and previous messages. As the claim concerns the share of , we can assume that other parties in the system are deterministic (the dealer can supply a random string to the other parties as part of their shares). Since is independent of the shares and the secret, the mutual information between and the shares and the secret is zero, i.e., . We first quote a general claim from [8] and [9, Lemma 2.2] which states that the mutual information between the inputs of the parties can only decrease by communicating over public channels.

Claim 14 [8], [9]: Let be random variables, held by parties respectively. The parties and communicate on a channel according to some protocol. Denote the communication by the random variable . Then, .

We next prove that the mutual information between and the shares of other parties, given and a communication is zero (where is any prefix of ). The claim can be proven directly by induction on the number of messages sent in (this is the way that Claim 14 is proven). We avoid this induction as we show that our claim can be formulated as a special case of Claim 14.

Claim 15: Let be a prefix of the communication exchanged between the parties in the system. Then,

Proof: Consider a scenario in which one party holds , and a second party holds the secret and all the shares— . They communicate via a public channel and the first message is sent by the second party and equals . From now on, the first player can generate the messages of and the second player can generate all other messages. Thus the two parties can continue to communicate and generate . By Claim 14, communicating and can only decrease the mutual information, that is,

Recall that

Since the mutual information is nonnegative

We restrict our discussion to protocols with an absolute bound on the number of rounds in each communication . (The case where the protocol terminates after a finite number of rounds with probability can be handled similarly.) Denote by the th message sent by to , and similarly, let be the th message sent by to . That is, . We next prove that the dependence of on and the previous messages is greater than the dependence of on , the secret , and the previous messages. Formally

Claim 16: .

Proof: On one hand, since the entropy is nonnegative

On the other hand, using Claim 15 we can write

Thus

(1)

Since the message is completely determined by the random input , the share , and the previous messages , it holds that

Combining this equality and Inequality (1), we get

We now prove the analogue of Claim 11, without the restriction to deterministic reconstruction.

Claim 17: .

Proof: Expressing as a sum and using the fact that mutual information is nonnegative, we get

This inequality together with Claim 16 implies

Since the message is determined by and previous messages,

Therefore the “internal” summands in the last sum cancel eachother out, and we are left with

(2)

Fig. 4. Summary of the complexity of our algorithms for t-out-of-n schemes.

Fig. 5. Numerical examples.

Recall that the communication and the share give no information (to ) about the secret, i.e., . On the other hand, holding and knowing , can reconstruct the secret, i.e., . Therefore,

Together with Inequality (2), we get , as claimed.

Claim 17 implies that Theorem 13 holds also in the scenario in which the parties can toss coins during the reconstructions.

VII. CONCLUSIONS

In this work we investigated the cost of performing the reconstruction over public communication channels. In Fig. 4 we summarize our results for the various schemes. We denote by the size of the secret, and the sizes of the shares are multiples of (e.g., ). We also give the minimum size of secrets for which this share size applies. In Fig. 5 we give two examples of the sizes of shares in the various schemes. In both examples we consider a system with 1024 parties.

ACKNOWLEDGMENT

The authors wish to thank Carlo Blundo, Ehud Hausman, and Hugo Krawczyk for helpful discussions, and Arie Freund for comments on earlier versions of this paper.

REFERENCES

[1] G. R. Blakley, “Safeguarding cryptographic keys,” in Proc. AFIPS 1979 NCC, June 1979, vol. 48, pp. 313–317.

[2] A. Shamir, “How to share a secret,” Commun. Assoc. Comput. Mach., vol. 22, pp. 612–613, 1979.

[3] R. J. McEliece and D. V. Sarwate, “On sharing secrets and Reed–Solomon codes,” Commun. Assoc. Comput. Mach., vol. 24, pp. 583–584, Sept. 1981.

[4] E. D. Karnin, J. W. Greene, and M. E. Hellman, “On secret sharing systems,” IEEE Trans. Inform. Theory, vol. IT-29, pp. 35–41, Jan. 1983.

[5] S. C. Kothari, “Generalized linear threshold scheme,” in Advances in Cryptology—CRYPTO’84, G. R. Blakley and D. Chaum, Eds. (Lecture Notes in Computer Science, vol. 196). Berlin, Germany: Springer-Verlag, 1985, pp. 231–241.

[6] J. Benaloh, “Secret sharing homomorphisms: Keeping shares of a secret secret,” in Advances in Cryptology—CRYPTO’86, A. M. Odlyzko, Ed. (Lecture Notes in Computer Science, vol. 263). Berlin, Germany: Springer-Verlag, 1987, pp. 251–260.

[7] G. J. Simmons, “An introduction to shared secret and/or shared control and their application,” in Contemporary Cryptology, The Science of Information Integrity, G. J. Simmons, Ed. New York: IEEE Press, 1992, pp. 441–497.

[8] U. M. Maurer, “Secret key agreement by public discussion from common information,” IEEE Trans. Inform. Theory, vol. 39, pp. 733–742, May 1993.

[9] R. Ahlswede and I. Csiszar, “Common randomness in information theory and cryptography—Part I: Secret sharing,” IEEE Trans. Inform. Theory, vol. 39, pp. 1121–1132, July 1993.

[10] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, and M. Yung, “Perfectly-secure key distribution for dynamic conferences,” in Advances in Cryptology—CRYPTO’92, E. F. Brickell, Ed. (Lecture Notes in Computer Science, vol. 740). Berlin, Germany: Springer-Verlag, 1993, pp. 471–486.

[11] A. Beimel and B. Chor, “Communication in key distribution schemes,” IEEE Trans. Inform. Theory, vol. 42, pp. 19–28, Jan. 1996.

[12] C. Blundo and A. Cresti, “Space requirement for broadcast encryption,” in Advances in Cryptology—EuroCRYPT’94, A. De Santis, Ed. (Lecture Notes in Computer Science, vol. 950). Berlin, Germany: Springer-Verlag, 1995, pp. 287–298.

[13] W. Diffie and M. E. Hellman, “New directions in cryptography,” IEEE Trans. Inform. Theory, vol. IT-22, pp. 644–654, Nov. 1976.

[14] S. Goldwasser and S. Micali, “Probabilistic encryption,” J. Comp. Syst. Sci., vol. 28, no. 21, pp. 270–299, 1984.

[15] B. Blakley, G. R. Blakley, A. H. Chan, and J. Massey, “Threshold schemes with disenrollment,” in Advances in Cryptology—CRYPTO’92, E. F. Brickell, Ed. (Lecture Notes in Computer Science, vol. 740). Berlin, Germany: Springer-Verlag, 1993, pp. 540–548.

[16] C. Blundo, A. Cresti, A. De Santis, and U. Vaccaro, “Fully dynamic secret-sharing schemes,” Theor. Comp. Sci., vol. 165, no. 2, pp. 407–440, 1996.

[17] T. Rabin and M. Ben-Or, “Verifiable secret sharing and multiparty protocols with honest majority,” in Proc. 21st Annu. ACM Symp. Theory of Computing, 1989, pp. 73–85.

[18] T. Rabin, “Robust sharing of secrets when the dealer is honest or faulty,” J. Assoc. Comput. Mach., vol. 41, no. 6, pp. 1089–1109, 1994.

[19] E. F. Brickell and D. R. Stinson, “Some improved bounds on the information rate of perfect secret-sharing schemes,” J. Cryptol., vol. 5, no. 3, pp. 153–166, 1992.

[20] R. M. Capocelli, A. De Santis, L. Gargano, and U. Vaccaro, “On the size of shares for secret-sharing schemes,” J. Cryptol., vol. 6, no. 3, pp. 157–168, 1993.

[21] R. Blom, “An optimal class of symmetric key generation systems,” in Advances in Cryptology—EuroCRYPT’84, T. Beth, N. Cot, and I. Ingemarsson, Eds. (Lecture Notes in Computer Science, vol. 209). Berlin, Germany: Springer-Verlag, 1985, pp. 335–338.

[22] G. R. Blakley and C. Meadows, “The security of ramp schemes,” in Advances in Cryptology—CRYPTO’84, G. R. Blakley and D. Chaum, Eds. (Lecture Notes in Computer Science, vol. 196). Berlin, Germany: Springer-Verlag, 1985, pp. 242–268.

[23] M. K. Franklin and M. Yung, “Communication complexity of secure computation,” in Proc. 24th Annu. ACM Symp. Theory of Computing, 1992, pp. 699–710.

[24] M. Ito, A. Saito, and T. Nishizeki, “Secret-sharing schemes realizing general access structure,” in Proc. IEEE Global Telecommunication Conf., Globecom’87, 1987, pp. 99–102. Also published as “Multiple assignment scheme for sharing secret,” J. Cryptol., vol. 6, no. 1, pp. 15–20, 1993.

[25] J. Benaloh and J. Leichter, “Generalized secret sharing and monotone functions,” in Advances in Cryptology—CRYPTO’88, S. Goldwasser, Ed. (Lecture Notes in Computer Science, vol. 403). Berlin, Germany: Springer-Verlag, 1990, pp. 27–35.

[26] G. J. Simmons, W. Jackson, and K. M. Martin, “The geometry of shared secret schemes,” Bull. ICA, vol. 1, pp. 71–88, 1991.

[27] T. M. Cover and J. A. Thomas, Elements of Information Theory. New York: Wiley, 1991.