On Secret Sharing, Randomness, and Random-less Reductions for Secret Sharing

Abstract

Secret-sharing is one of the most fundamental primitives in cryptography, and has found several applications. All known constructions of secret sharing (with the exception of those with a pathological choice of parameters) require access to uniform randomness. However, in practice it is extremely challenging to generate a source of uniform randomness. This has led to a large body of research devoted to designing randomized algorithms and cryptographic primitives from imperfect sources of randomness. Motivated by this, Bosley and Dodis (TCC 2007) asked whether it is even possible to construct a 2-out-of-2 secret sharing scheme without access to uniform randomness.

In this work, we make significant progress towards answering this question. Namely, we resolve this question for secret sharing schemes with important additional properties: 1-bit leakage-resilience and non-malleability. We prove that, for not too small secrets, it is impossible to construct any 2-out-of-2 leakage-resilient or non-malleable secret sharing scheme without access to uniform randomness.

Given that the problem of whether 2-out-of-2 secret sharing requires uniform randomness has been open for more than a decade, it is reasonable to consider intermediate problems towards resolving the open question. In a spirit similar to NP-completeness, we also study how the existence of a t-out-of-n secret sharing without access to uniform randomness is related to the existence of a \(t'\)-out-of-\(n'\) secret sharing without access to uniform randomness for a different choice of the parameters \(t,n,t',n'\).

A Proof of Lemma 3

Fix an (n, k)-source X and pick a function \(F:\{0, 1\}^n\rightarrow \{0, 1\}^m\) with \(m\le k-2\log (1/\varepsilon )\) uniformly at random. It suffices to bound the probability that

$$\begin{aligned} |\Pr [F(X)\in \mathcal {T}]-\mu (\mathcal {T})|\le \varepsilon \end{aligned}$$

holds for every set \(\mathcal {T}\subseteq \{0, 1\}^m\), where \(\mu (\mathcal {T})=|\mathcal {T}|/2^m\) denotes the density of \(\mathcal {T}\). Fix such a set \(\mathcal {T}\), and let \(Z_x=\Pr [X=x]\cdot \textbf{1}_{F(x)\in \mathcal {T}}\). Then, we have \(\Pr [F(X)\in \mathcal {T}]=\sum _{x\in \{0, 1\}^n}Z_x\) and \(\mathbb {E}\left[ \sum _{x\in \{0, 1\}^n}Z_x\right] =\mu (\mathcal {T})\). As a result, since \(Z_x\in [0,\Pr [X=x]]\) for all \(x\in \{0, 1\}^n\), Hoeffding’s inequality⁴ implies that

$$\begin{aligned} \Pr \left[ \left| \sum _{x\in \{0, 1\}^n}Z_x-\mu (\mathcal {T})\right| >\varepsilon \right]&\le 2\cdot \exp \left( -\frac{2\varepsilon ^2}{\sum _{x\in \{0, 1\}^n}\Pr [X=x]^2}\right) \\&\le 2\cdot e^{-2\varepsilon ^2 2^k}. \end{aligned}$$

The last inequality follows from the fact that

$$\begin{aligned} \sum _{x\in \{0, 1\}^n}\Pr [X=x]^2 \le \max _{x\in \{0, 1\}^n}\Pr [X=x]\le 2^{-k}, \end{aligned}$$

since X is an (n, k)-source. Finally, a union bound over all \(2^{2^m}\) sets \(\mathcal {T}\subseteq \{0, 1\}^m\) shows that the event in question holds with probability at least

$$\begin{aligned} 1-2\cdot 2^{2^m}\cdot e^{-2\varepsilon ^2 2^k}\ge 1-2 e^{-\varepsilon ^2 2^k} \end{aligned}$$

over the choice of F, given the upper bound on m.