Evolving Ramp Secret-Sharing Schemes

  • Conference paper
Security and Cryptography for Networks (SCN 2018)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11035)

Abstract

Evolving secret-sharing schemes, introduced by Komargodski, Naor, and Yogev (TCC 2016b), are secret-sharing schemes in which the dealer does not know the number of parties that will participate. The parties arrive one by one and when a party arrives the dealer gives it a share; the dealer cannot update this share when other parties arrive. Komargodski and Paskin-Cherniavsky (TCC 2017) constructed evolving \(a\cdot i\)-threshold secret-sharing schemes (for every \(0< a <1\)), where any set of parties whose maximum party is the i-th party and contains at least ai parties can reconstruct the secret; any set such that all its prefixes are not an a-fraction of the parties should not get any information on the secret. The length of the share of the i-th party in their scheme is \(O(i^4 \log i)\). As the number of parties is unbounded, this share size can be quite large.

In this work we suggest studying a relaxation of evolving threshold secret-sharing schemes; we consider evolving \((a,b)\)-ramp secret-sharing schemes for \(0< b< a <1\). Again, we require that any set of parties whose maximum party is the i-th party and contains at least ai parties can reconstruct the secret; however, we only require that any set such that all its prefixes are not a b-fraction of the parties should not get any information on the secret. For all constants \(0< b< a <1\), we construct an evolving \((a,b)\)-ramp secret-sharing scheme where the length of the share of the i-th party is O(1). Thus, we show that evolving ramp secret-sharing schemes offer a big improvement compared to the known constructions of evolving \(a\cdot i\)-threshold secret-sharing schemes.

Research supported by ISF grant 152/17, the BGU Cyber Security Research Center, and by the Frankel center for computer science.

References

  1. Blakley, G.R.: Safeguarding cryptographic keys. In: AFIPS, p. 313 (1979)
  2. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 242–268. Springer, Heidelberg (1985). https://doi.org/10.1007/3-540-39568-7_20
  3. Bogdanov, A., Guo, S., Komargodski, I.: Threshold secret sharing requires a linear size alphabet. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 471–484. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_18
  4. Cachin, C.: On-line secret sharing. In: Boyd, C. (ed.) Cryptography and Coding 1995. LNCS, vol. 1025, pp. 190–198. Springer, Heidelberg (1995). https://doi.org/10.1007/3-540-60693-9_22
  5. Cascudo Pueyo, I., Cramer, R., Xing, C.: Bounds on the threshold gap in secret sharing and its applications. IEEE Trans. Inf. Theory 5600–5612 (2013)
  6. Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 291–310. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_17
  7. Csirmaz, L., Tardos, G.: On-line secret sharing. Des. Codes Crypt. 63(1), 127–147 (2012)
  8. Franklin, M.K., Yung, M.: Communication complexity of secure computation. In: STOC 1992, pp. 699–710 (1992)
  9. Ito, M., Saito, A., Nishizeki, T.: Secret sharing schemes realizing general access structure. In: Proceedings of Globecom 1987, pp. 56–64 (1987)
  10. Kilian, J., Nisan, N.: Private communication (1990)
  11. Komargodski, I., Naor, M., Yogev, E.: How to share a secret, infinitely. In: Hirt, M., Smith, A. (eds.) TCC 2016. LNCS, vol. 9986, pp. 485–514. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-53644-5_19
  12. Komargodski, I., Paskin-Cherniavsky, A.: Evolving secret sharing: dynamic thresholds and robustness. In: Kalai, Y., Reyzin, L. (eds.) TCC 2017. LNCS, vol. 10678, pp. 379–393. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70503-3_12
  13. Martin, K.M., Paterson, M.B., Stinson, D.R.: Error decodable secret sharing and one-round perfectly secure message transmission for general adversary structures. Cryptography Commun. 65–86 (2011)
  14. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
  15. Stinson, D.R., Wei, R.: An application of ramp schemes to broadcast encryption. Inform. Process. Lett. 131–135 (1999)

Correspondence to Hussien Othman.

A Proof of Claim 4.8

We next prove Claim 4.8, i.e., we prove that for all constants \(b <a\) there exists a ramp secret-sharing scheme with share size O(1).

Proof

Chen et al. [6] proved the claim for the case when \(a = 1/2+\epsilon \) and \(b=1/2-\epsilon \) for every \(\epsilon >0\); see Claim 2.7. We use two standard transformations to prove it for every \(b<a\). Let \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), for some \( \epsilon < 1/2\), be a ramp secret-sharing scheme with share size \(\ell \) with N parties. If \(a>1/2\) and \(b <1/2\), the scheme \(\varPi ^n_{1/2+\epsilon , 1/2-\epsilon }\), where \(\epsilon =\min \{a-1/2,1/2-b\}\), is an \((a,b)\)-ramp secret-sharing scheme with share size O(1). Otherwise, there are two cases; in each case we show the existence of an \((a,b)\)-ramp secret-sharing scheme with n parties, denoted \(\varPi ^n_{a, b}\), with share size \(\ell \).

The case \(b \ge 1/2\). We use the scheme \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), where \(N =\alpha n\) for some constants \(\alpha > 1\) and \(\epsilon <1/2\) to be fixed later. We only use the shares of the first n parties of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\). In \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), a set of size \(N(1/2+\epsilon ) = \alpha n (1/2+\epsilon )\) can reconstruct the secret. In \(\varPi ^n_{a, b}\), we require that \(an\) parties can reconstruct the secret; thus, we take \(\alpha \) such that \(\alpha n(1/2+\epsilon ) = an\), i.e., \(\alpha = \frac{2a}{1+2\epsilon }\). By the security of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), any set of parties of size less than \(N(1/2 - \epsilon ) =\alpha n(1/2 - \epsilon ) =\frac{2a}{1+2\epsilon }n(1/2 - \epsilon )\) cannot learn any information on the secret. In \(\varPi ^n_{a, b}\), we require that \(bn\) parties cannot learn any information on the secret; thus, we require that \(\frac{2a}{1+2\epsilon }(1/2 - \epsilon )=b\), i.e., \(\epsilon =\frac{a-b}{2(a+b)}\). Notice that \(\alpha = \frac{2a}{1+2\epsilon }=\frac{2a}{1+\frac{a-b}{a+b}}=a+b>1\) (since \(a >b \ge 1/2\)); thus, we have enough shares in \(\varPi ^{\alpha n}_{1/2+\epsilon , 1/2-\epsilon }\) to give to the n parties. Furthermore, \(\epsilon < 1/2\) as required by Claim 2.7.

The case \(a \le 1/2\). Again, we use the scheme \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\), where \(N =\alpha n\) for some constants \(\alpha > 1\) and \(\epsilon <1/2\) to be fixed later. We use the shares of the first n parties of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) as the shares in \(\varPi ^n_{a, b}\). However, in this case we publish \(N-n = (\alpha -1)n\) shares on a public blackboard (we later explain how to get rid of this public blackboard). In \(\varPi ^n_{a, b}\), we require that \(an\) parties can reconstruct the secret. As the number of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) that \(an\) parties in \(\varPi ^n_{a, b}\) have is \(an + (\alpha -1)n\), we require that \(an + (\alpha -1)n=N(1/2+\epsilon )=\alpha n (1/2+\epsilon )\), i.e., \(\alpha = (2-2a)/(1-2\epsilon )\). In \(\varPi ^n_{a, b}\), we require that \(bn\) parties cannot learn any information on the secret. As the number of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) that \(bn\) parties in \(\varPi ^n_{a, b}\) have is \(bn + (\alpha -1)n\), we require that \(bn + (\alpha -1)n=\alpha n(1/2 - \epsilon )\), i.e., \(\alpha (1+2\epsilon )=2-b\). Solving the requirements on \(\alpha \), we get that \(\epsilon =\frac{a-b}{2(2-a-b)}\) and \(\alpha =2-a-b\). Note that \(\alpha > 1\) since \(b <a \le 1/2\) and \(\epsilon < 1/2\).

To get rid of the shares published on the blackboard, we fix possible shares \(s_{n+1},\dots ,s_{\alpha n}\) of the last \((\alpha -1)n\) parties in \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) (e.g., in the scheme of Chen et al. [6], we can fix \(s_{n+1}=\cdots =s_{\alpha n}=0\)). To share the secret, the dealer chooses only vectors of shares of \(\varPi ^N_{1/2+\epsilon , 1/2-\epsilon }\) such that the shares of the last \((\alpha -1)n\) parties are the fixed shares \(s_{n+1},\dots ,s_{\alpha n}\). \(\square \)
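The parameter choices in the three cases of the proof can be checked mechanically. The following Python sketch is an added example, not part of the paper: it computes \(\alpha \) and \(\epsilon \) for given \(a, b\) with exact rational arithmetic and derives, from the thresholds \(N(1/2\pm \epsilon )\) of the base scheme, the fractions of the n real parties that reconstruct or learn nothing. The function names and case labels are assumptions introduced here.

```python
from fractions import Fraction as F

HALF = F(1, 2)

def base_params(a, b):
    """Return (case, alpha, eps): the (1/2+eps, 1/2-eps)-ramp scheme on
    N = alpha*n parties that yields an (a, b)-ramp scheme on n parties."""
    a, b = F(a), F(b)
    if not 0 < b < a < 1:
        raise ValueError("need 0 < b < a < 1")
    if a > HALF and b < HALF:
        # Base scheme used directly on n parties (alpha = 1).
        return "direct", F(1), min(a - HALF, HALF - b)
    if b >= HALF:
        # Only the first n of the N = alpha*n shares are handed out.
        return "truncate", a + b, (a - b) / (2 * (a + b))
    # a <= 1/2: the last (alpha-1)n shares are fixed, publicly known values.
    return "fix-shares", 2 - a - b, (a - b) / (2 * (2 - a - b))

def thresholds(a, b):
    """Return (case, alpha, eps, rec, priv), where rec*n real parties hold
    N(1/2+eps) base shares and priv*n real parties hold N(1/2-eps)."""
    case, alpha, eps = base_params(a, b)
    # Fixed shares count towards every set of real parties.
    extra = alpha - 1 if case == "fix-shares" else F(0)
    rec = alpha * (HALF + eps) - extra
    priv = alpha * (HALF - eps) - extra
    return case, alpha, eps, rec, priv

def is_valid(a, b):
    """Check alpha >= 1, 0 < eps < 1/2, rec <= a and priv >= b."""
    _, alpha, eps, rec, priv = thresholds(a, b)
    return alpha >= 1 and 0 < eps < HALF and rec <= F(a) and priv >= F(b)

if __name__ == "__main__":
    # Constructed sample inputs, one per case; pass Fractions or "p/q" strings.
    for a, b in [("7/10", "2/5"), ("3/4", "3/5"), ("2/5", "1/5")]:
        print(a, b, *map(str, thresholds(a, b)), is_valid(a, b))
```

In the two transformed cases the derived thresholds equal \(a\) and \(b\) exactly; in the direct case they are \(1/2+\epsilon \le a\) and \(1/2-\epsilon \ge b\).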

© 2018 Springer Nature Switzerland AG

Cite this paper

Beimel, A., Othman, H. (2018). Evolving Ramp Secret-Sharing Schemes. In: Catalano, D., De Prisco, R. (eds) Security and Cryptography for Networks. SCN 2018. Lecture Notes in Computer Science, vol 11035. Springer, Cham. https://doi.org/10.1007/978-3-319-98113-0_17

  • DOI: https://doi.org/10.1007/978-3-319-98113-0_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-98112-3

  • Online ISBN: 978-3-319-98113-0

  • eBook Packages: Computer Science, Computer Science (R0)
