
Threshold Changeable Ramp Secret Sharing

  • Conference paper
Cryptology and Network Security (CANS 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11829)

Abstract

Threshold changeable secret sharing studies the problem of changing the thresholds of a secret sharing scheme after the shares of the initial scheme have been distributed to players. We focus on the most studied scenario of dealer-free threshold increase in the absence of secure channels with an outsider adversary. Previous theoretical works in this scenario only consider an unchanged privacy threshold and define optimal threshold changeable secret sharing schemes as ones meeting the bounds in this case. We highlight increasing the privacy threshold as an independent design goal on top of increasing the reconstruction threshold. We prove new bounds for the above threshold increase scenario with respect to a new privacy threshold that is possibly bigger than the initial privacy threshold. We similarly define an optimal threshold changeable secret sharing scheme as one that achieves equality in all these bounds. A trade-off between the new privacy threshold and the required combiner communication complexity is discovered and new optimal schemes for the case when the privacy threshold also increases are identified. These theoretical results put our new construction of threshold changeable secret sharing on firm ground. Our threshold changeable ramp scheme does not need a priori knowledge of the targeted thresholds to design the protocol and allows the conversion into a ramp scheme with arbitrary new reconstruction thresholds while the privacy threshold grows proportionally as the reconstruction threshold grows. Previous such schemes were only known from lattice-based constructions that use a non-standard privacy definition. Our new schemes are statistical secret sharing schemes that guarantee indistinguishability of shares up to the new privacy threshold.


Notes

  1. It should be understood that the bounds in Theorem 1 are derived assuming \(\varepsilon =\delta =0\) and hence is only used here as an indication of being almost optimal.

References

  1. Blakley, G.R., et al.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, vol. 48 (1979)

  2. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  3. Desmedt, Y., Jajodia, S.: Redistributing secret shares to new access structures and its applications (1997)

  4. Martin, K.M., Pieprzyk, J., Safavi-Naini, R., Wang, H.: Changing thresholds in the absence of secure channels. In: Pieprzyk, J., Safavi-Naini, R., Seberry, J. (eds.) ACISP 1999. LNCS, vol. 1587, pp. 177–191. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48970-3_15

  5. Blundo, C., Cresti, A., De Santis, A., Vaccaro, U.: Fully dynamic secret sharing schemes. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 110–125. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2_10

  6. Barwick, S.G., Jackson, W.-A., Martin, K.M.: Updating the parameters of a threshold scheme by minimal broadcast. IEEE Trans. Inf. Theory 51(2), 620–633 (2005)

  7. Martin, K.M., Safavi-Naini, R., Wang, H.: Bounds and techniques for efficient redistribution of secret shares to new access structures. Comput. J. 42(8), 638–649 (1999)

  8. Maeda, A., Miyaji, A., Tada, M.: Efficient and unconditionally secure verifiable threshold changeable scheme. In: Varadharajan, V., Mu, Y. (eds.) ACISP 2001. LNCS, vol. 2119, pp. 403–416. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-47719-5_32

  9. Wang, H., Wong, D.S.: On secret reconstruction in secret sharing schemes. IEEE Trans. Inf. Theory 54(1), 473–480 (2008)

  10. Zhang, Z., Chee, Y.M., Ling, S., Liu, M., Wang, H.: Threshold changeable secret sharing schemes revisited. Theoret. Comput. Sci. 418, 106–115 (2012)

  11. Jia, X., Wang, D., Nie, D., Luo, X., Sun, J.Z.: A new threshold changeable secret sharing scheme based on the Chinese Remainder Theorem. Inf. Sci. 473, 13–30 (2019)

  12. Steinfeld, R., Pieprzyk, J., Wang, H.: Lattice-based threshold changeability for standard Shamir secret-sharing schemes. IEEE Trans. Inf. Theory 53(7), 2542–2559 (2007)

  13. Steinfeld, R., Pieprzyk, J., Wang, H.: Lattice-based threshold-changeability for standard CRT secret-sharing schemes. Finite Fields Appl. 12(4), 653–680 (2006)

  14. Lin, F., Cheraghchi, M., Guruswami, V., Safavi-Naini, R., Wang, H.: Secret sharing with binary shares. In: 10th Innovations in Theoretical Computer Science Conference (ITCS 2019). Schloss Dagstuhl-Leibniz-Zentrum fuer Informatik (2018)

  15. Huang, W., Langberg, M., Kliewer, J., Bruck, J.: Communication efficient secret sharing. IEEE Trans. Inf. Theory 62(12), 7195–7206 (2016)

  16. Bitar, R., El Rouayheb, S.: Staircase codes for secret sharing with optimal communication and read overheads. IEEE Trans. Inf. Theory 64(2), 933–943 (2017)

  17. Martínez-Peñas, U.: Communication efficient and strongly secure secret sharing schemes based on algebraic geometry codes. IEEE Trans. Inf. Theory 64(6), 4191–4206 (2018)

  18. Blundo, C., De Santis, A., Vaccaro, U.: Efficient sharing of many secrets. In: Enjalbert, P., Finkel, A., Wagner, K.W. (eds.) STACS 1993. LNCS, vol. 665, pp. 692–703. Springer, Heidelberg (1993). https://doi.org/10.1007/3-540-56503-5_68

Acknowledgements

We thank the anonymous reviewers for their comments that improve the presentation of this work. The research is supported by Singapore Ministry of Education under Research Grant MOE2016-T2-2-014(S) and RG133/17 (S).

Corresponding author

Correspondence to Fuchun Lin.

Appendices

A Proof of Lemma 2

Proof

For each participant \(P_i\), \(i\in [n]\), let the original share of \(P_i\) be \(\mathbf {S}_i\) and the new share of \(P_i\) be \(\mathbf {S}'_i\). Here \(\mathbf {S}_i\) and \(\mathbf {S}'_i\) are random variables, \(i\in [n]\). Then the quantity \(\mathsf {H}(\mathbf {S}_i)\) is referred to as the size of \(P_i\)’s initial share and \(\mathsf {H}(\mathbf {S}'_i)\) as the size of \(P_i\)’s new share.

We first prove \(t'\ge t\). Since the new shares are generated from the initial shares by applying deterministic functions, no information can be generated other than that already contained in the initial shares. We then have that any set of t new shares does not contain information about the secret, hence \(t'\ge t\).

We next prove \(r'-t'>r-t\). Assume by contradiction that we have \(r'-t'\le r-t\). Since \(\mathsf {\Pi }\) and \(\mathsf {\Pi }^{\prime }\) both have minimum share size, we have \(\mathsf {H}(\mathbf {S}_i)= \mathsf {H}(\mathbf {S})/(r-t)\) and \(\mathsf {H}(\mathbf {S'}_i)= \mathsf {H}(\mathbf {S})/(r'-t')\) from [18]. We then have \(\mathsf {H}(\mathbf {S}_i)\le \mathsf {H}(\mathbf {S'}_i)\). Since the conversion function \(h_i\) is deterministic, we know that \(\mathsf {H}(\mathbf {S}'_i\mid \mathbf {S}_i)=0\). On the other hand, by the chain rule of mutual information, we have

$$\begin{aligned} \mathsf {I}(\mathbf {S}_i;\mathbf {S}'_{i})&= \mathsf {H}(\mathbf {S}_i)-\mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)\\&= \mathsf {H}(\mathbf {S}'_i)-\mathsf {H}(\mathbf {S}'_i\mid \mathbf {S}_i). \end{aligned}$$

Substituting \(\mathsf {H}(\mathbf {S}'_i\mid \mathbf {S}_i)=0\), we deduce that

$$ \mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)=\mathsf {H}(\mathbf {S}_i)-\mathsf {H}(\mathbf {S'}_i)\le 0, $$

where the inequality follows from the fact that \(\mathsf {H}(\mathbf {S}_i)\le \mathsf {H}(\mathbf {S'}_i)\). It is obvious that \(\mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)\) cannot be negative. We are left with \(\mathsf {H}(\mathbf {S}_i\mid \mathbf {S}'_i)=0\), which means there is a one-to-one correspondence between shares from \(\mathsf {\Pi }\) and \(\mathsf {\Pi }^{\prime }\). That is, the smallest number of new shares that can reconstruct the full secret in \(\mathsf {\Pi }^{\prime }\) must be r, which contradicts the fact that \(r'>r\).

B Semi-insider Secure \((t,r,n)\rightarrow (t',r',n)\) Ramp Scheme

The following construction is a simple adaptation of a construction of optimal communication efficient secret sharing [9].

Let \(g=r-t\) and \(g'=r'-t\). We first parse the secret into v parts: \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(v)}\), where each \(\mathbf {s}^{(j)}\in \mathbb {F}_q^g\). Now we share \(\mathbf {s}^{(1)}\) using a \((t,r,n)\)-ramp scheme \(\mathsf {\Pi }^{(1)}\) with minimum share size, such as the polynomial based construction. We denote the share vector thus obtained by \((s_1^{(1)},\ldots ,s_n^{(1)})\). Then we share \(\mathbf {s}^{(1)}||\mathbf {s}^{(2)}\) using the \((t,r+g,n)\)-ramp scheme \(\mathsf {\Pi }^{(2)}\) with randomness independent from the randomness in the previous step. We denote the share vector thus obtained by \((s_1^{(2)},\ldots ,s_n^{(2)})\). We iterate this process for positive integer \(j\le v\) and share \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(j)}\) using the \((t,r+(j-1)g,n)\)-ramp scheme \(\mathsf {\Pi }^{(j)}\) with randomness independent from the randomness in all previous steps. We denote the share vector thus obtained by \((s_1^{(j)},\ldots ,s_n^{(j)})\). Finally, for \(i\in [n]\), we let

$$ S_i=(s_i^{(1)},\ldots ,s_i^{(v)}) $$

be the share of the ith player and obtain a ramp scheme \(\mathsf {\Pi }\) with share vector \((S_1,\ldots ,S_n)\).

We now show that \(\mathsf {\Pi }\) is a \((t,r,n)\)-ramp scheme with minimum share size. Firstly, the t-privacy follows from the fact that all \(\mathsf {\Pi }^{(j)}\)’s have privacy threshold t and they use independent randomness. Secondly, from any r shares \(S_{i_1},\ldots ,S_{i_r}\) of \(\mathsf {\Pi }\), we can extract r shares \(s_{i_1}^{(j)},\ldots ,s_{i_r}^{(j)}\) of \(\mathsf {\Pi }^{(j)}\) for each \(j\in [v]\). Now given r shares \(s_{i_1}^{(1)},\ldots ,s_{i_r}^{(1)}\) of \(\mathsf {\Pi }^{(1)}\), its secret \(\mathbf {s}^{(1)}\) can be fully recovered. The knowledge of \(\mathbf {s}^{(1)}\) together with r shares \(s_{i_1}^{(2)},\ldots ,s_{i_r}^{(2)}\) of \(\mathsf {\Pi }^{(2)}\) uniquely determines its secret \(\mathbf {s}^{(1)}||\mathbf {s}^{(2)}\). By iterating this process, the full secret \(\mathbf {s}^{(1)}||\ldots ||\mathbf {s}^{(v)}\) can be reconstructed. A dealer algorithm \(\mathsf {D}\) and a combiner algorithm \(\mathsf {C}\) for \(\mathsf {\Pi }\) can be built from the dealer algorithms \(\{\mathsf {D}^{(j)}\}_{j\in [v]}\) and combiner algorithms \(\{\mathsf {C}^{(j)}\}_{j\in [v]}\) of \(\{\mathsf {\Pi }^{(j)}\}_{j\in [v]}\), respectively. Finally, the secret consists of \(g'=vg\) finite field elements while each share of \(\mathsf {\Pi }\) consists of v finite field elements. The scheme \(\mathsf {\Pi }\) obviously has the minimum share size.

We next define a share conversion algorithm \(\{h_i\}_{i\in [n]}\) to transform the scheme \(\mathsf {\Pi }\) into \(\mathsf {\Pi }'\) that is a \((t,r',n)\)-ramp scheme. Let

$$ h_i(S_i)=s_i^{(v)}. $$

The new combiner algorithm is \(\mathsf {C}'=\mathsf {C}^{(v)}\).

We show that \(\mathsf {\Pi }'\) with share vector \((S'_1,\ldots ,S'_n)\), where \(S'_i=h_i(S_i)\), is a \((t,r',n)\)-ramp scheme with minimum share size. This is trivial, since \((S'_1,\ldots ,S'_n)\) is just the share vector of \(\mathsf {\Pi }^{(v)}\), which is a \((t,r',n)\)-ramp scheme with minimum share size by construction.
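The construction and share conversion above can be run end to end; the following Python sketch is an added example, not code from the paper. It assumes the prime field \(q=2^{31}-1\), evaluation point \(x_i=i\) for player \(P_i\), and a polynomial ramp scheme that places the secret in the low-order coefficients; all function names are hypothetical.

```python
import secrets
Q = 2**31 - 1  # prime modulus for F_q (assumed; the page fixes no field)

def ev(coeffs, x):
    """Evaluate a polynomial (low-order coefficient first) at x over F_Q."""
    return sum(c * pow(x, k, Q) for k, c in enumerate(coeffs)) % Q

def interpolate(points):
    """Coefficients of the polynomial of degree < len(points) through points."""
    m = len(points)
    rows = [[pow(x, k, Q) for k in range(m)] + [y] for x, y in points]
    for c in range(m):  # Gauss-Jordan elimination on the Vandermonde system
        p = next(i for i in range(c, m) if rows[i][c])
        rows[c], rows[p] = rows[p], rows[c]
        inv = pow(rows[c][c], -1, Q)
        rows[c] = [a * inv % Q for a in rows[c]]
        for i in range(m):
            if i != c:
                rows[i] = [(a - rows[i][c] * b) % Q for a, b in zip(rows[i], rows[c])]
    return [row[m] for row in rows]

def deal(secret, t, r, n):
    """Dealer D: layer j shares s^(1)||...||s^(j) with t fresh random coefficients."""
    shares = {i: [] for i in range(1, n + 1)}  # player i evaluates at x = i
    for j in range(1, len(secret) // (r - t) + 1):
        poly = secret[:j * (r - t)] + [secrets.randbelow(Q) for _ in range(t)]
        for i in shares:
            shares[i].append(ev(poly, i))
    return shares

def peel(points, known, g):
    """Given the low-order coefficients `known`, recover the next g of them."""
    k = len(known)
    reduced = [(x, (y - ev(known, x)) * pow(x, -k, Q) % Q) for x, y in points]
    return interpolate(reduced)[:g]

def combine(shares, t, r):
    """Combiner C: from r full shares S_i, peel layers 1..v in order."""
    secret = []
    for j in range(len(next(iter(shares.values())))):
        secret += peel([(i, S[j]) for i, S in shares.items()], secret, r - t)
    return secret

def convert(share):
    return share[-1]  # share conversion h_i(S_i) = s_i^(v)

def combine_new(new_shares, t):
    """Combiner C' = C^(v): takes exactly r' converted shares."""
    return peel(list(new_shares.items()), [], len(new_shares) - t)
```

With \(t=2\), \(r=4\), \(v=3\) this gives \(g=2\) and \(r'=r+(v-1)g=8\): any 4 original shares, or any 8 converted single-element shares, return the 6-element secret.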

Let us re-examine the construction above and show security against a semi-insider adversary. A share of the packed scheme \(\mathsf {\Pi }\) consists of shares from distinct schemes \(\mathsf {\Pi }^{(1)},\ldots ,\mathsf {\Pi }^{(v)}\) sharing related secrets using independent randomness. One special advantage of this structure is that a subset \(\mathcal {A}^{(j_1)}\) of the shares of \(\mathsf {\Pi }^{(j_1)}\) and a subset \(\mathcal {A}^{(j_2)}\) of the shares of \(\mathsf {\Pi }^{(j_2)}\) for \(j_1\ne j_2\) are independent if one subset is of size at most t. This means that even if at most t shareholders do not erase their original shares of \(\mathsf {\Pi }\) after the transformation from \(\mathsf {\Pi }\) into \(\mathsf {\Pi }'\) through applying the transformation algorithm \(\{h_i\}_{i\in [n]}\), the dishonestly kept at most t shares of \(\mathsf {\Pi }\) contribute the same amount of information as the transformed partial shares to the transformed scheme \(\mathsf {\Pi }'\), since the dishonestly kept extra partial content of the original shares is independent of the share vectors of \(\mathsf {\Pi }'\).

Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Lin, F., Ling, S., Wang, H., Zeng, N. (2019). Threshold Changeable Ramp Secret Sharing. In: Mu, Y., Deng, R., Huang, X. (eds) Cryptology and Network Security. CANS 2019. Lecture Notes in Computer Science, vol 11829. Springer, Cham. https://doi.org/10.1007/978-3-030-31578-8_17

  • DOI: https://doi.org/10.1007/978-3-030-31578-8_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-31577-1

  • Online ISBN: 978-3-030-31578-8

  • eBook Packages: Computer Science (R0)
