Abstract
The possibility of implementing secret sharing in the complexity class \(AC^0\) was shown in a recent work by Bogdanov et al. (Crypto’16), who provided constructions of ramp schemes. Cheng-Ishai-Li (TCC’17) extended that work by achieving robustness for such schemes. In this paper we construct secret sharing schemes that can include new parties over time while keeping the entire construction implementable by \(AC^0\) circuits. We provide \(AC^0\) constructions of a dynamic secret sharing scheme and an evolving secret sharing scheme. The constructions are more flexible than similar existing schemes, use fewer resources and have several notable advantages.
S. S. Chaudhury is financially supported by Indian Statistical Institute, Kolkata, India under a research fellowship program. The work presented in this paper was carried out while the first author visited Kyushu University, Japan.
S. Dutta is grateful to the National Institute of Information and Communications Technology (NICT), Japan for financial support under the NICT International Exchange Program during 2018–19 when the preliminary draft was prepared.
References
Akavia, A., Bogdanov, A., Guo, S., Kamath, A., Rosen, A.: Candidate weak pseudorandom functions in \(AC^0 \circ MOD_2\). In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science. pp. 251–260 (2014)
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in \(NC^0\). SIAM J. Comput. 36(4), 845–888 (2006). https://doi.org/10.1137/S0097539705446950
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography with constant input locality. J. Cryptology 22(4), 429–469 (2009). https://doi.org/10.1007/s00145-009-9039-0
Ball, M., Rosen, A., Sabin, M., Vasudevan, P.N.: Average-case fine-grained hardness. Electronic Colloquium on Computational Complexity (ECCC) 24, 39 (2017), https://eccc.weizmann.ac.il/report/2017/039
Beimel, A.: Secret-sharing schemes: A survey. In: Coding and Cryptology - Third International Workshop, IWCC 2011, Qingdao, China, May 30-June 3, 2011. pp. 11–46 (2011). https://doi.org/10.1007/978-3-642-20901-7_2
Beimel, A., Othman, H.: Evolving ramp secret-sharing schemes. In: Catalano, D., De Prisco, R. (eds.) SCN 2018. LNCS, vol. 11035, pp. 313–332. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98113-0_17
Blakley, G.R.: Safeguarding cryptographic keys. In: IEEE Computer Society Managing Requirements Knowledge, International Workshop on. p. 313. Los Alamitos, CA, USA (1979). https://doi.org/10.1109/AFIPS.1979.98
Bogdanov, A., Ishai, Y., Viola, E., Williamson, C.: Bounded indistinguishability and the complexity of recovering secrets. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9816, pp. 593–618. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53015-3_21
Chen, L., Gollmann, D., Mitchell, C.J.: Key escrow in mutually mistrusting domains. In: Lomas, M. (ed.) Security Protocols 1996. LNCS, vol. 1189, pp. 139–153. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-62494-5_14
Cheng, K., Ishai, Y., Li, X.: Near-optimal secret sharing and error correcting codes in \(AC^0\). In: Kalai, Y., Reyzin, L. (eds.) Theory of Cryptography, pp. 424–458. Springer International Publishing, Cham (2017)
Cheraghchi, M.: Nearly optimal robust secret sharing. Designs, Codes and Cryptography 87(8), 1777–1796 (Aug 2019). https://doi.org/10.1007/s10623-018-0578-y
Desmedt, Y., Jajodia, S.: Redistributing secret shares to new access structures and its applications. In: George Mason University, Technical Report ISSE-TR-97-01, July (1997)
Desmedt, Y., Morozov, K.: Parity check based redistribution of secret shares. In: 2015 IEEE International Symposium on Information Theory (ISIT). pp. 959–963 (2015). https://doi.org/10.1109/ISIT.2015.7282597
Frankel, Y., Gemmell, P., MacKenzie, P.D., Yung, M.: Optimal-resilience proactive public-key cryptosystems. In: Proceedings 38th Annual Symposium on Foundations of Computer Science. pp. 384–393 (1997). https://doi.org/10.1109/SFCS.1997.646127
Guruswami, V., Smith, A.D.: Optimal rate code constructions for computationally simple channels. J. ACM 63(4), 35:1–35:37 (2016). https://doi.org/10.1145/2936015
Ito, M., Saito, A., Nishizeki, T.: Multiple assignment scheme for sharing secret. J. Cryptology 6(1), 15–20 (1993). https://doi.org/10.1007/BF02620229
Komargodski, I., Naor, M., Yogev, E.: How to share a secret, infinitely. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 485–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_19
Komargodski, I., Paskin-Cherniavsky, A.: Evolving secret sharing: dynamic thresholds and robustness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 379–393. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_12
Minsky, M., Papert, S.: Perceptrons. MIT Press (1969)
Naor, M., Shamir, A.: Visual cryptography. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 1–12. Springer, Heidelberg (1995). https://doi.org/10.1007/BFb0053419
Nojoumian, M., Stinson, D.R.: On dealer-free dynamic threshold schemes. Adv. in Math. of Comm. 7(1), 39–56 (2013). https://doi.org/10.3934/amc.2013.7.39
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). https://doi.org/10.1145/359168.359176
Stinson, D.R., Wei, R.: Unconditionally secure proactive secret sharing scheme with combinatorial structures. In: Heys, H., Adams, C. (eds.) SAC 1999. LNCS, vol. 1758, pp. 200–214. Springer, Heidelberg (2000). https://doi.org/10.1007/3-540-46513-8_15
Appendix A: Security Proof Outlines of Theorem 1
Theorem 3
\(Share_1\) and \(Rec_1\) can be computed by \(AC^0\) circuits.
Proof
We know that Construction 1 can be done in \(AC^0\). The extra functions that we compute when adding a new participant are:
1. Generating the share S(T) of the new participant. This can be done in \(AC^0\) since copying and concatenating strings are \(AC^0\)-implementable operations.
2. Concatenating the share S(T) to y1. This operation can be done in \(AC^0\).
3. Applying a random permutation, which is in \(AC^0\).
For the reconstruction procedure, in our construction, the functions which we compute other than those of [10] are:
1. Inverse permutation \(\sigma _{T}^{-1}\).
2. Restoring the original shares of the old participants.
3. Deleting the shares of some of the old participants.
Now the inverse permutation can be computed in \(AC^0\). Restoring the share involves dividing a share into two halves and concatenating to the half of another share. Clearly this whole operation can be done in \(AC^0\). The remaining deletion operation can be done in \(AC^0\) too. Hence the \(Share_1\) and \(Rec_1\) functions can be computed in \(AC^0\).
Theorem 4
Let the error during reconstruction of \((Share, Rec)\) be \(\eta \), then the error during reconstruction of \((Share_1, Rec_1)\) is \(n' = \bar{n}\eta \).
Proof
The reconstruction is done in two phases. First, the shares of the new participants are used to restore the shares of the old participants. Next, the old participants are used to reconstruct the secret. Although we need all the participants to reconstruct the secret, in the second phase it is the old participants who actually recover the secret. Hence our reconstruction error is essentially the same as that of [10]. The proof is a simple application of the union bound in probability.
Note: We stipulated that the adversary does not have any information regarding the order of the participants. So, from the adversary’s point of view, the choice of old participants whose shares are modified when a new participant arrives is completely random, and the share of the new participant is independent of the previous shares. Hence concatenating the share of the new participant does not affect the privacy of our scheme. Coupling this with the random permutation effectively results only in an increase in the length of the string. Hence our construction does not affect the privacy of the original scheme of Fig. 1.
The overall effect is that the adversary only sees an increase in the number of repeated alphabets. Since the adversary sees only a constant fraction of shares, due to the repetitions and random permutations, it cannot infer any information about the secret. The details are given next.
In order to show privacy, the following Chernoff Bound is needed.
Negative Correlation. Binary random variables \(X_1, X_2,\ldots , X_n\) are said to be negatively correlated if for any subset I of [n],
and
.
Theorem 5
(Negative Correlation Chernoff Bound). Let \(X_1, X_2, \ldots , X_n\) be random variables which are negatively correlated with \(X =\sum _{i=1}^{n}X_i\), \(\mu = \mathbb {E}(X)\). Then
1. for any \(\delta \in (0,1)\), \(Pr[X \le (1-\delta )\mu ] \le e^{-\delta ^{2} \mu /2}\) and \(Pr[X \ge (1+\delta )\mu ] \le e^{-\delta ^{2} \mu /3}\).
2. for any \(d \ge 6\mu \), \(Pr[X \ge d] \le 2^{-d}\).
Here we mention two lemmas regarding random permutations using which we can show the privacy of our scheme. For exact statements and proofs of these lemmas we refer the reader to Lemmas 3.7 and 3.8 of [10].
Lemma 1
[10]. Let \(\pi \) be a random permutation of [n]. For any pair of sets \(S,W \subseteq [n]\), let \(\mu = \frac{|W|}{n}|S|\). The following items hold.
1. for any \(\delta \in (0,1)\), \(Pr[|\pi (S)\cap W| \le (1-\delta )\mu ] \le e^{-\delta ^{2} \mu /2}\) and \(Pr[|\pi (S)\cap W| \ge (1+\delta )\mu ] \le e^{-\delta ^{2} \mu /3}\).
2. for any \(d \ge 6\mu \), \(Pr[|\pi (S)\cap W| \ge d] \le 2^{-d}\).
Lemma 2
[10]. Let \(\pi \) be a random permutation of [n]. Let \(W \subseteq [n]\) with \(|W| = \gamma n\). Let \(\delta \in (0, 1)\) be a constant. Let \(t, l \in \mathbb {N}^{+}\) such that \(tl \le \frac{0.96}{1+0.96}\gamma n\). Let S be a collection of subsets \(\{S_1,\ldots ,S_l\}\) such that for each \(i \in [l]\), the sets \(S_i \subseteq [n]\) are disjoint and \(|S_i| = t\). Finally, let \(X_i\) be the indicator random variable such that \(X_i = 1\) is the event \(|\pi (S_i) \cap W| \ge (1 + \delta )\gamma t\). Taking \(X = \sum _{i \in [l]} X_i\), we have for any \(d \ge 0\), \(Pr[X \ge d] \le e^{-2d + (e^{2} - 1)e^{- \omega (\gamma t)l}}\).
Using the above lemmas one can show privacy of the secret sharing scheme as follows.
Lemma 3
[10]. Let \(\varSigma \) be a set of alphabets and let \(n, k \in \mathbb {N}\) with \(k \le n\). Given a distribution \(X = (X_1, \ldots , X_n)\) over \(\varSigma ^n\), let Y be the distribution obtained by the action of \(\pi ^{-1}\) on X where \(\pi : [n] \rightarrow [n]\) is a random permutation. If an adaptive adversary observes a set of coordinates W with \(|W| = k\), then \(Y_W\) has the same distribution as \(Y_{[k]}\).
Note: This lemma essentially says that due to the random permutation the adversary observing a constant fraction of the secret cannot learn anything about the secret.
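The following Python check is an added example, not code from the paper. It verifies Lemma 3 exactly on a small constructed string by enumerating every permutation, and compares the exact tails of \(|\pi (S)\cap W|\) with the bounds of Lemma 1; the function names, the sample string and the adversary strategy are assumptions made for illustration.

```python
from collections import Counter
from itertools import permutations
from math import comb, exp

def view_distribution(x, k, strategy):
    """Exact distribution, over all permutations, of the k symbols an
    adversary reads from the permuted string when `strategy` picks each
    next coordinate from what it has seen so far."""
    n, dist = len(x), Counter()
    for pi in permutations(range(n)):
        # Uniform pi and uniform pi^{-1} are the same distribution, so
        # indexing with pi directly is enough here.
        y = [x[pi[i]] for i in range(n)]
        idx, vals = [], []
        for _ in range(k):
            i = strategy(idx, vals, n)
            idx.append(i)
            vals.append(y[i])
        dist[tuple(vals)] += 1
    return dist

def prefix(idx, vals, n):
    """Non-adaptive reader: coordinates 0, 1, ..., k-1 (i.e. Y_[k])."""
    return len(idx)

def adaptive(idx, vals, n):
    """Adaptive reader: after an 'a' jump to the highest unread
    coordinate, otherwise take the lowest unread one."""
    free = [i for i in range(n) if i not in idx]
    return free[-1] if vals and vals[-1] == "a" else free[0]

def intersection_tails(n, s, w, delta):
    """The size of pi(S) intersected with W, for |S|=s and |W|=w, is
    hypergeometric with mean mu = w*s/n. Returns (exact lower tail,
    Lemma 1 bound, exact upper tail, Lemma 1 bound)."""
    mu = w * s / n
    pmf = [comb(w, j) * comb(n - w, s - j) / comb(n, s) for j in range(s + 1)]
    lower = sum(p for j, p in enumerate(pmf) if j <= (1 - delta) * mu)
    upper = sum(p for j, p in enumerate(pmf) if j >= (1 + delta) * mu)
    return lower, exp(-delta**2 * mu / 2), upper, exp(-delta**2 * mu / 3)

if __name__ == "__main__":
    x = "aabbcd"  # constructed sample string over a 4-symbol alphabet
    same = view_distribution(x, 3, adaptive) == view_distribution(x, 3, prefix)
    print("adaptive view equals prefix view:", same)
    print(intersection_tails(200, 50, 80, 0.5))
```

The enumeration is feasible only for very small n; it demonstrates the statement of the lemma and is not a substitute for the proofs in [10].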
Utilizing the above-mentioned lemmas we have the following theorem estimating the parameters in our case.
Theorem 6
Let \(n, m \in \mathbb {N}\), with \(m \le n\), \(\epsilon , \eta \in [0, 1]\) and constants \(a \ge 1\), \(\alpha \in (0, 1]\). Suppose we have an explicit \((n' = O(n^{a} \log n), (1 - \alpha )n')\) secret sharing scheme computable in \(AC^0\) with share alphabet \(\varSigma \times [n']\), message alphabet \(\varSigma _0\), message length \(\varOmega (mn^{a-1})\), adaptive privacy error \(O(n^{a-1})(\epsilon + 2^{-\varOmega (k)})\) and reconstruction error \(O(n^{a-1}\eta )\). Then, assuming a predefined order on the participants and a small storage to keep the information of the order of the participants, an explicit \((n' + O(\log ^{3} n), (1 - \alpha )n')\) dynamic secret sharing scheme with privacy error \(O(n^{a-1})(\epsilon + 2^{-\varOmega (k)})\) (adaptive) and error of reconstruction \(O(n^{a-1}\eta )\) can be constructed.
Copyright information
© 2020 Springer Nature Switzerland AG
Cite this paper
Chaudhury, S.S., Dutta, S., Sakurai, K. (2020). \(AC^0\) Constructions of Secret Sharing Schemes – Accommodating New Parties. In: Kutyłowski, M., Zhang, J., Chen, C. (eds) Network and System Security. NSS 2020. Lecture Notes in Computer Science, vol 12570. Springer, Cham. https://doi.org/10.1007/978-3-030-65745-1_17
DOI: https://doi.org/10.1007/978-3-030-65745-1_17
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-65744-4
Online ISBN: 978-3-030-65745-1
eBook Packages: Computer Science, Computer Science (R0)