How to Share a Secret, Infinitely

Komargodski, Ilan; Naor, Moni; Yogev, Eylon

doi:10.1007/978-3-662-53644-5_19

Ilan Komargodski¹⁵,
Moni Naor¹⁵ &
Eylon Yogev¹⁵

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9986))

Included in the following conference series:

Theory of Cryptography Conference

2422 Accesses
18 Citations

Abstract

Secret sharing schemes allow a dealer to distribute a secret piece of information among several parties such that only qualified subsets of parties can reconstruct the secret. The collection of qualified subsets is called an access structure. The best known example is the k-threshold access structure, where the qualified subsets are those of size at least k. When $k=2$ and there are n parties, there are schemes where the size of the share each party gets is roughly $\log n$ bits, and this is tight even for secrets of 1 bit. In these schemes, the number of parties n must be given in advance to the dealer.

In this work we consider the case where the set of parties is not known in advance and could potentially be infinite. Our goal is to give the ${t}^{th}$ party arriving the smallest possible share as a function of t. Our main result is such a scheme for the k-threshold access structure where the share size of party t is $(k-1)\cdot \log t + \mathsf {poly}(k)\cdot o(\log t)$. For $k=2$ we observe an equivalence to prefix codes and present matching upper and lower bounds of the form $\log t + \log \log t + \log \log \log t + O(1)$. Finally, we show that for any access structure there exists such a secret sharing scheme with shares of size $2^{t-1}$.

I. Komargodski, et al.—Research supported in part by grants from the Israel Science Foundation grant no. 1255/12, BSF and from the I-CORE Program of the Planning and Budgeting Committee and the Israel Science Foundation (grant no. 4/11). Moni Naor is the incumbent of the Judith Kleeman Professorial Chair. Ilan Komargodski is supported in part by a Levzion fellowship.

You have full access to this open access chapter, Download conference paper PDF

Secret Sharing Lower Bound: Either Reconstruction is Hard or Shares are Long

Quadratic Secret Sharing and Conditional Disclosure of Secrets

Improved Polynomial Secret-Sharing Schemes

1 Introduction

Engineering scalable systems is a delicate business: important decisions have to be made regarding balancing scalability and efficiency when fixing system parameters (such as the representation size of a date, the number of clients the system can serve simultaneously, security parameters and more). This inherent tradeoff between scalability and efficiency has had devastating consequences. There are many Y2K [34] style horror stories such as losing contact with the NASA spacecraft “Deep Impact” when its internal clock overflowed, triggering an endless series of computer reboots [20], and the IPv4 address exhaustion problems caused by the limited allocation size for numeric Internet addresses [33]. Can we design scalable systems without suffering a great deal of efficiency costs? In this work we investigate methods that do not assume a fixed upper bound on the number of participants in the area of secret sharing.

Secret sharing is a method by which a secret piece of information can be distributed among n parties so that any qualified subset of parties can reconstruct the secret, while every unqualified subset of parties learns nothing about the secret. The collection of qualified subsets is called an access structure. Secret sharing schemes are a basic primitive and have found applications in cryptography and distributed computing; see the extensive survey of Beimel [2]. A significant goal in secret sharing is to minimize the share size, namely, the amount of information distributed to the parties.

Secret sharing schemes were introduced in the late 1970s by Shamir [31] and Blakley [8] for the k-out-of-n threshold access structures that includes all subsets of cardinality at least k for $1\le k \le n$. Their constructions are fairly efficient both in the size of the shares and in the computation required for sharing and reconstruction. Ito et al. [22] showed the existence of a secret sharing scheme for every (monotone) access structure. In their scheme the size of the shares is proportional to the depth 2 complexity of the access structure when viewed as a Boolean function (and hence shares are exponential for most structures). Benaloh and Leichter [5] gave a scheme with share size polynomial in the monotone formula complexity of the access structure. Karchmer and Wigderson [24] generalized this construction so that the size is polynomial in the monotone span program complexity.

All of these schemes require that an upper bound on the number of participants is known in advance. However, in many scenarios this is either unrealistic or prone to disaster. Moreover, even if a crude upper bound n is known in advance, it is preferable to have shares as small as possible if the eventual number of participants is much smaller than this bound on n.

In this work we consider the well motivated, yet almost unexplored^{Footnote 1}, case where the set of parties is not known in advanced and could potentially be infinite. Our goal is to give the ${t}^{th}$ party arriving the smallest possible share as a function of t. We require that in each round, as a new party arrives, there is no communication to the parties that have already received shares, i.e. the dealer distributes a share only to the new party. We call such access structures evolving: the parties arrive one by one and, in the most general case, a qualified subset is revealed to the dealer only when all parties in that subset are present (in special cases the dealer knows the access structure to begin with, just does not have an upper bound on the number of parties). For this to make sense, we assume that the changes to the access structure are monotone, namely, parties are only added and qualified sets remain qualified.

Our first result is a construction of a secret sharing scheme for any evolving access structure.

Theorem 1

For every evolving access structure there is a secret sharing scheme for a 1-bit secret where the share size of the ${t}^{th}$ party is $2^{t-1}$.

Then, we construct more efficient schemes for specific access structures. We focus on the evolving k-threshold access structure for $k\in \mathbb N$, where at any point in time any k parties can reconstruct the secret but no $k-1$ parties can learn anything about the secret.

Theorem 2

(Informal). There is a secret sharing scheme for the evolving k-threshold access structure and a 1-bit secret in which the share size of the ${t}^{th}$ party is $(k-1)\cdot \log t + \mathsf {poly}(k)\cdot o(\log t)$.

For $k=2$, we present a construction for the evolving 2-threshold access structure with slightly better low order terms. In this scheme the share size of the ${t}^{th}$ party is $\log t + \log \log t + 2\log \log \log t+ O(1)$.^{Footnote 2} To complement this construction, we prove a matching lower bound showing that our scheme is tight.

Theorem 3

For any constant $c\in \mathbb N$, there is no secret sharing scheme for the evolving 2-threshold access structure and a 1-bit secret in which the share size of the ${t}^{th}$ party is at most $\log {t} + \log \log t + c$.

Finally, we present a tight connection to prefix codes for the integers. A prefix code is a code in which no codeword is a prefix of any other codeword. These codes are widely used, for example in country calling codes, the UTF-8 system for encoding Unicode characters, and more.

Theorem 4

Let $\sigma :\mathbb N\rightarrow \mathbb N$. A prefix code for the integers in which the length of the ${t}^{th}$ codeword is $\sigma (t)$ exists if and only if a secret sharing scheme for the evolving 2-threshold access structure and 1-bit secret in which the share size of the ${t}^{th}$ party is $\sigma (t)$.

1.1 Discussion

Schemes for General Access Structures. In the classical setting of secret sharing many schemes are known for general access structures, depending on their representation [5, 22, 24]. All of these schemes result with shares of exponential size for general access structures. One of the most important open problems in the area of secret sharing is to prove the necessity of long shares, namely, find an access structure (even a non-explicit one) that requires exponential size shares.

Our scheme for general evolving access structures also results with exponential size shares. Since any access structure can be made evolving, we cannot hope to obtain anything better than exponential in general (unless we have a major breakthrough in the classical setting).

Threshold Schemes. In the classical setting there are several different schemes for the threshold access structure. One of the best such schemes (in terms of the computation needed for sharing and reconstruction and in terms of the share size) is due to Shamir [31]. In this scheme, to share a 1-bit secret among n parties, roughly $\log n$ bits have to be distributed to each party. It is known that $\log n$ bits are essentially required, so Shamir’s scheme is optimal (see [12] for the original proof of Kilian and Nisan [25], an improvement, and a discussion of the history; see also [9]).

Let us review Shamir’s scheme for the k-out-of-n threshold access structure. The dealer holding a secret bit s, samples a random polynomial $p(\cdot )$ of degree $k-1$ with coefficients over $\mathsf {GF}(q)$, where the free coefficient is fixed to be s, and gives party $i\in [n]$ the field element p(i). q is chosen to be the smallest prime (or a power of a prime) larger than n. Correctness of the scheme follows by the fact that k points on a polynomial of degree $k-1$ completely define the polynomial and allow for computing $p(0)=s$. Security follows by a counting argument showing that given less than k points, both possibilities for the free coefficient are equally likely. The share of each party is an element in the field $\mathsf {GF}(q)$ that can be represented using $\log q\approx \log n$ bits. Notice that the share size is independent of k.

As a first attempt one might try to adapt this procedure to the evolving setting. But since n is not fixed, what q should we choose? A natural idea is to use an extension field. Roughly, we would simulate the dealer for Shamir’s scheme, sample a random polynomial of degree $k-1$ and increase the field size from which we compute shares as more parties arrive. Ideally, for the share of the ${t}^{th}$ party we will use a field of size O(t). This implies that the share size of party t would be $\log (O(t)) \ll \log t + \log \log t$ for large enough t. The lower bound in Theorem 3 means that no such solution can work!

We take a different path for obtaining efficient schemes. For example, for $k=2$, our scheme results with essentially optimal share size for the ${t}^{th}$ party: the first two high order terms are $\log t + \log \log t$ (without hidden constant factors) and there is an additional lower order term of $2\log \log \log t + 6$. See the simplified scheme in Sect. 4.

Linearity of Our Schemes. In a linear scheme the secret is viewed as an element of a finite field, and the shares are obtained by applying a linear mapping to the secret and several independent random field elements. Equivalently, a linear scheme is defined by requiring that each qualified set reconstructs the secret by applying a linear function to its shares [1, Sect. 4.1]. Most of the known schemes are linear (see [3] for an exception). Linear schemes are very useful for updating and manipulating secret shares (cf. proactive secret sharing [21]) and have many applications, most notably for secure multi-party computation [4, 14]. Our schemes from Theorems 1 and 2 are linear (see Sect. 5.5 for details), whereas the scheme based on prefix codes from Theorem 4 is non-linear.

1.2 Related Work

Most similar to our setting is the notion of on-line secret sharing of Csirmaz and Tardos [15]. Csirmaz and Tardos present a scheme for any access structure in which every party participates in at most d qualified sets, where d is an upper bound known in advance. The share size of every party in this scheme is linear in d. In addition, Csirmaz and Tardos presented a scheme for the evolving 2-threshold access structure in which the share size of party t is linear in t. Our Theorem 2 is an exponential improvement on the latter.

There are numerous areas where systems are designed to work without any fixed upper bound on the size or the duration they will be used. A few examples include prefix codes of the integers (a.k.a. prefix-free encodings), such as the Elias code [17] or the online encoding of Dodis et al. [16], labeling nodes for testing adjacency in possibly infinite graphs [23], forward-secure signatures with an unbounded number of time periods [29], and data structures for approximate set membership (Bloom filters) for sets of unknown size [30].

1.3 Overview of Our Constructions and Techniques

First, we overview our construction for general evolving access structures. Then, we describe our construction for the evolving 2-threshold access structure. This serves as a warm-up for our more general construction for k-threshold access structures. Lastly, we discuss the connection with prefix codes.

General Evolving Access Structures. Let $\mathcal A= \mathcal A_1,\mathcal A_2,\ldots $ be any evolving access structure with corresponding monotone characteristic functions $f_1, f_2, \ldots $, where $f_t:\{ 0,1 \}^t\rightarrow \{ 0,1 \}$. Note that the dealer does not know $\mathcal A$ in advance but is only given $\mathcal A_t$ when the ${t}^{th}$ party arrives. Let $s\in \{ 0,1 \}$ be the secret to be shared. The share of party $t\in \mathbb N$ consists of $2^{t-1}$ bits, each denoted by $w_{(b_1,\dots , b_{t-1},1)}$, where $b_1,\dots ,b_{t-1}\in \{ 0,1 \}$. The $w_{(b_1,\dots , b_{t-1},1)}$’s are generated as follows: if party t “completes” a minimal qualified set whose indicator vector is $(b_1,\dots , b_{t-1}, 1)$, then the dealer gives party t the bit $w_{(b_1,\dots , b_{t-1},1)} = w_{(b_1,\dots , b_{t-1})} \oplus \ldots \oplus w_{(b_1)} \oplus s$ (where $w_{(b_1,\dots , b_{i},0)} = 0$), so XORing the appropriate shares will recover s. Otherwise, if $(b_1,\dots , b_{t-1}, 1)$ is unqualified, then the dealer sets $w_{(b_1,\dots , b_{t-1},1)}\leftarrow \{ 0,1 \}$ to be a uniformly random bit. See Sect. 3 for the exact details.

Evolving $\varvec{2}$ -Threshold Access Structure. The approach of [15] for the evolving 2-threshold access structure is to give party t a random bit $b_t$ and all bits $s\oplus b_1,\ldots , s\oplus b_{t-1}$. This clearly allows for each pair of parties to reconstruct the secret and ensures that for every single party the secret remains hidden. The share size of the ${t}^{th}$ party in this scheme is t. (Essentially the same scheme also follows from our general construction in Sect. 3 with a simple efficiency improvement described towards the end of that section.) Generalizing this idea to larger values of k results with shares of size roughly $t^{k-1}$.

Whereas the above approach is somewhat naive (and very inefficient in terms of share size), our construction is more subtle and results with exponentially shorter shares. Our main building block is a domain reduction technique which allows us to start with a naive solution and apply it only on a small number of parties to get an overall improved construction. Details follow.

We assign each party a generation, where the ${g}^{th}$ generation consists of $2^g$ parties (i.e. the generations are of geometrically increasing size). Within each generation we execute a standard secret sharing scheme for 2-threshold. Notice that here we know exactly how many parties are in the same generation: party t is part of generation $g=\lfloor \log t \rfloor $ and the size of that generation is $\textsc {size}({g}) \le t$. A standard secret sharing scheme for 2-out-of-t costs roughly $\log t$ bits (using Shamir’s scheme; see Claim 5). This solves the case in which both parties come from the same generation.

To handle the case where the two parties come from different generations we use a (possibly naive) scheme for the evolving 2-threshold access structure. For each generation we generate one share for the evolving scheme and give it to each party in that generation. Thus, if two parties from different generations come together they hold two different shares for the evolving scheme that allow them to reconstruct the secret. Since we generate one share of the evolving scheme per generation, party t holds the share of the ${(g=\log t)}^{th}$ party of the evolving scheme!

Summing up, if we start with a scheme in which the share size of the ${t}^{th}$ party is $\sigma (t)$, then we end up with a scheme with share size roughly $\sigma '(t) = \log t + \sigma (\log t)$. To get our result we start with a scheme in which $\sigma (t)=t$ (described above) and iteratively apply this argument to get better and better schemes.

Evolving $\varvec{k}$ -Threshold Access Structure. There are several ideas underlying the generalization of the 2-threshold scheme to work for any k. As before, we assign each party a generation, but now the ${g}^{th}$ generation is roughly of size $2^{(k-1)\cdot g}$. This means that party t is in generation $g=\lfloor (\log t) / (k-1)\rfloor $ that includes $\textsc {size}({g}) = t\cdot 2^{k-1}$ parties. Again, within a generation we apply a standard k-out-of-$\textsc {size}({g})$ secret sharing scheme. This costs us $\log (\textsc {size}({g})) \le \log t + k$ bits using Shamir’s scheme. This solves the problem if k parties come from the same generation.

We are left with the case where the k parties come from at least two different generations. For this we use a (possibly naive) scheme for the evolving k-threshold access structure. For each generation we generate $k-1$ shares $s_1,\dots ,s_{k-1}$ for the evolving scheme and share each $s_i$ using a standard i-out-of-$\textsc {size}({g})$ secret sharing scheme. Thus, if $\ell \le k-1$ parties from some generation come together, they can reconstruct $s_1,\dots ,s_{\ell }$ which are $\ell $ shares for the evolving scheme. Therefore, any k parties (that come from at least two generations) can reconstruct k shares for the evolving k-threshold scheme that enable them to reconstruct the secret. Since we generate $k-1$ shares of the evolving scheme per generation, party t holds (roughly) the share of the ${(\log t + k)}^{th}$ party of the evolving scheme.

The share size needed to share each $s_i$ is $\max \{\log (\textsc {size}({g})), |s_i|\} \le \max \{\log t + k , \sigma (\log t + k)\}$ (using Shamir’s scheme; see Claim 5). Summing up, if we start with a scheme in which the share size of the ${t}^{th}$ party is $\sigma (t)$, then we end up with a scheme with share size roughly $\sigma '(t) = \log t + (k-1)\cdot \max \{\log t + k , \sigma (\log t+k)\}$. A small optimization is that sharing $s_1$ costs just $|s_1|$, as we can give $s_1$ to each party (similarly to what we did in the $k=2$ case).

We want to iteratively apply this domain reduction procedure. For this we have to specify the initial scheme. If we start with the scheme that results from the construction in Theorem 1 which has share size roughly $2^t$ (or roughly $t^k$ with the optimization described above), then the resulting scheme will have a factor that depends exponentially on k. This makes the scheme impractical even for small values of k.

A Formula for the Future. To get around this we present a tailor-made construction for the evolving k-threshold in which the share size of party t has almost linear dependence on t and k. Specifically, the share size in this scheme is $kt\cdot \log (kt)$. For this, we construct, at least intuitively, a Boolean monotone formula for k-threshold that counts to k.^{Footnote 3} For this counting to make sense in the evolving setting we notice that counting to k can be done by summing up the number of 1’s so far with the number of 1’s that will come in the future. Since we are counting to k, both of these numbers can be bounded by k, so we have to prepare only k possibilities for the unknown future. To make this construction efficient, we combine it with a generation-like mechanism. See Sect. 5 for the full details.

Prefix Codes and Evolving 2-Threshold. There are several clues that point to a connection with prefix codes: the construction with the repeated domain reduction is reminiscent of the Elias code construction; the lower bound on schemes for the evolving 2-threshold access structure in Theorem 3 uses what is identical to a Kraft inequality, which is a characterization of prefix codes. We are able to formalize this tight relationship:

Given any prefix code in which the length of the ${t}^{th}$ codeword is $\sigma (t)$, we construct a secret sharing scheme for the evolving 2-threshold access structure in which the share size of the ${t}^{th}$ party is $\sigma (t)$. Using the best prefix code constructions we get a scheme in which the share size is the same as in our direct construction described above (but it is less efficient for sharing secrets longer than 1 bit). See Sect. 7 for the transformation.
On the other hand, any secret sharing scheme for the evolving 2-threshold access structure in which the share size of the ${t}^{th}$ party is $\sigma (t)$, implies the existence of a prefix code in which the length of the ${t}^{th}$ codeword is $\sigma (t)$. This comes from the fact that the sufficient condition of Kraft’s inequality yields prefix codes.

2 Model and Definitions

For an integer $n \in \mathbb {N}$ we denote by [n] the set $\{1,\ldots , n\}$. We denote by $\log $ the base 2 logarithm and assume that $\log 0=0$. For a set $\mathcal {X}$ we denote by $x \leftarrow \mathcal {X}$ the process of sampling a value x from the uniform distribution over $\mathcal {X}$

We start by briefly recalling the standard setting of (perfect) secret sharing. Let $\mathcal {P}_n = \{1,\dots ,n\}$ be a set of n parties. A collection of subsets $\mathcal A\subseteq 2^{\mathcal {P}_n}$ is monotone if for every $B\in \mathcal A$, and $B\subseteq C$ it holds that $C\in \mathcal A$.

Definition 1

(Access structure). An access structure $\mathcal A\subseteq 2^{\mathcal {P}_n}$ is a monotone collection of subsets. Subsets in $\mathcal A$ are called qualified and subsets not in $\mathcal A$ are called unqualified.

Definition 2

(Threshold access structure). For every $n\in \mathbb N$ and $1\le k \le n$, let $(k,n)\text {-}\textsc {thr}$ be the threshold access structure over n parties which contains all subsets of size at least k.

A (standard) secret sharing scheme involves a dealer who has a secret, a set of n parties, and an access structure $\mathcal A$. A secret sharing scheme for $\mathcal A$ is a method by which the dealer distributes shares to the parties such that any subset in $\mathcal A$ can reconstruct the secret from its shares, while any subset not in $\mathcal A$ cannot reveal any information on the secret.

More precisely, a secret sharing scheme for an access structure $\mathcal A$ consists of a pair of probabilistic algorithms $(\mathsf {SHARE}, \mathsf {RECON})$. $\mathsf {SHARE}$ gets as input a secret s (from a domain of secrets S) and a number n, and generates n shares $\varPi ^{(s)}_1,\dots ,\varPi ^{(s)}_n$. $\mathsf {RECON}$ gets as input the shares of a subset B and outputs a string. The requirements are:

1.
For every secret $s\in S$ and every qualified set $B\in \mathcal A$, it holds that $\Pr [\mathsf {RECON}(\{ \varPi ^{(s)}_i \}_{i\in B}, B) = s] = 1$.
2.
For every unqualified set $B\notin \mathcal A$ and every two different secrets $s_1, s_2\in S$, it holds that the distributions $(\{\varPi ^{(s_1)}_i\}_{i\in B})$ and $(\{\varPi ^{(s_2)}_i\}_{i\in B})$ are identical.

The share size of a scheme is the maximum number of bits each party holds in the worst case over all parties and all secrets.

The well known scheme of Shamir [31] for the $(k,n)\text {-}\textsc {thr}$ access structure (based on polynomial interpolation) satisfies the following.

Claim 5

([31]). For every $n\in \mathbb N$ and $1\le k\le n$, there is a secret sharing scheme for secrets of length m and the $(k,n)\text {-}\textsc {thr}$ access structure in which the share size is $\ell $, where $\ell \ge \max \{m, \log q\}$ and $q>n$ is a prime number (or a power of a prime). Moreover, if $k=1$ or $k=n$, then $\ell = m$.^{Footnote 4}

2.1 Secret Sharing for Evolving Access Structures

We proceed with the definition of an evolving access structure. Roughly speaking, the parties arrive one by one and, in the most general case, a qualified subset is revealed only when all parties in that subset are present (in special cases the access structure is known to begin with, but there is no upper bound on the number of parties). To make sense of sharing a secret with respect to such a sequence of access structures, we require that the changes to the access structure are monotone, namely, parties are only added and qualified sets remain qualified.

To define evolving access structures we need to define a restriction.

Definition 3

(Restriction). Let $\mathcal A$ be an access structure on n parties and let $0<m<n$. We denote by $\mathcal A|_m$ the restriction of $\mathcal A$ to the first m parties. That is,

$$\begin{aligned} \mathcal A|_m = \{ X \in \mathcal A\mid \{m+1,\dots ,n\} \cap X = \emptyset \}. \end{aligned}$$

Due to monotonicity of the access structure, we have the following claim.

Claim 6

If $\mathcal A$ is an access structure on n parties, then $\mathcal A|_m$ is an access structure over m parties.

Proof

By definition of $\mathcal A|_m$, it contains only parties from the set $\{1,\dots ,m\}$. Thus, to prove the claim it is enough to show that $\mathcal A|_m$ is a monotone set, namely, that if $B\in \mathcal A|_m$ then for any $B\subseteq C\subseteq \mathcal {P}_m$. Indeed, since $\mathcal A$ is an access structure, for $B\in \mathcal A|_m$ and $B\subseteq C\subseteq \mathcal {P}_m\subseteq \mathcal {P}_n$, we have that $B,C\in \mathcal A$. By definition of $\mathcal A|_m$, it holds that $C\in \mathcal A|_m$.

Definition 4

(Evolving access structure). A (possibly infinite) sequence of access structures $\{\mathcal A_t\}_{t\in \mathbb N}$ is called evolving if the following conditions hold:

1.
For every $t\in \mathbb N$, it holds that $\mathcal A_t$ is an access structure over t parties.
2.
For every $t\in \mathbb N$, it holds that $\mathcal A_t|_{{t-1}}$ is equal to $\mathcal A_{t-1}$.^{Footnote 5}

This definition naturally gives rise to an evolving variant of threshold access structures (see Definition 2). Here, we think of k as fixed, namely, independent of the number of parties.

Definition 5

(Evolving threshold access structure). For every $k\in \mathbb N$, let $\text {evolving}\text { }k\text {-}\textsc {thr}$ be the evolving threshold access structure which contains for any access structure in the sequence all subsets of size at least k.

We generalize the definition of a standard secret sharing scheme to apply for evolving access structures. Intuitively, in this setting, at any point $t\in \mathbb N$ in time, there is an access structure $\mathcal A_t$ which defines the qualifies and unqualified subsets of parties.

Definition 6

(Secret sharing for evolving access structures). Let $\mathcal A= \{\mathcal A_t\}_{t\in \mathbb N}$ be an evolving access structure. Let S be a domain of secrets, where $|S| \ge 2$. A secret sharing scheme for $\mathcal A$ and S consists of a pair of algorithms $(\mathsf {SHARE},\mathsf {RECON})$. The sharing procedure $\mathsf {SHARE}$ and the reconstruction procedure $\mathsf {RECON}$ satisfy the following requirements:

1.
$\mathsf {SHARE}(s, \{\varPi ^{(s)}_1,\dots ,\varPi ^{(s)}_{t-1}\})$ gets as input a secret $s\in S$ and the secret shares of parties $1,\dots ,t-1$. It outputs a share for the ${t}^{th}$ party. For $t\in \mathbb N$ and secret shares $\varPi ^{(s)}_{1},\dots ,\varPi ^{(s)}_{{t-1}}$ generated for parties $\{1,\dots ,{t-1}\}$, respectively, we let
$$\begin{aligned} \varPi ^{(s)}_{t} \leftarrow \mathsf {SHARE}(s, \{\varPi ^{(s)}_1,\dots ,\varPi ^{(s)}_{{t-1}}\}) \end{aligned}$$
be the secret share of party t. We abuse notation and sometimes denote by $\varPi ^{(s)}_t$ the random variable that corresponds to the secret share of party t generated as above.
2.
Correctness: For every secret $s\in S$ and every $t\in \mathbb N$, every qualified subset in $\mathcal A_t$ can reconstruct the secret. That is, for $s\in S$, $t\in \mathbb N$, and $B\in \mathcal A_t$, it holds that
$$\begin{aligned} \Pr \left[ \mathsf {RECON}(\{\varPi ^{(s)}_i\}_{i\in B}, B) = s\right] = 1, \end{aligned}$$
where the probability is over the randomness of the sharing and reconstruction procedures.
3.
Secrecy: For every $t\in \mathbb N$, every unqualified subset $B\notin \mathcal A_t$, and every two secret $s_1,s_2\in S$, the distribution of the secret shares of parties in B generated with secret $s_1$ and the distribution of the shares of parties in B generated with secret $s_2$ are identical. Namely, the distributions $(\{\varPi ^{(s_1)}_i\}_{i\in B})$ and $(\{\varPi ^{(s_2)}_i\}_{i\in B})$ are identical.

The share size of the ${t}^{th}$ party in a scheme for an evolving access structure is $\max {|\varPi _t|}$, namely the number of bits party t holds in the worst case over all secrets and previous assignments.^{Footnote 6}

On Choosing the Access Structure Adaptively. One can also consider a stronger definition in which $\mathcal A_t$ is chosen at time t (rather than ahead of time) as long as the sequence of access structures $\mathcal A= \{\mathcal A_1,\dots ,\mathcal A_t\}$ is evolving. In this variant, the $\mathsf {RECON}$ procedure gets the access structure $\mathcal A_t$ as an additional parameter. Our construction of a secret sharing scheme for general evolving access structures in Sect. 3 works for this notion as well.

On the Domain of Secrets. Unless otherwise stated, we usually assume that the secret is a single bit (either 0 or 1). One can generalize any such scheme to support longer secrets by secret sharing every bit of the secret independently, suffering a multiplicative factor in share size that depends on the length of the secret. When we generalize our schemes to support long secrets, this naive generalization will be our benchmark.

2.2 Warm-Up: Undirected s-t-Connectivity

We start with a simple warm-up scheme. We show that the standard scheme for the st-connectivity access structure can be easily adapted to the evolving setting. In this access structure parties correspond to edges of an undirected graph $G=(V,E)$. There are two fixed vertices in the graph called ${\mathsf {s}}$ and ${\mathsf {t}}$ (where ${\mathsf {s}},{\mathsf {t}}\in V$). A set of parties (i.e. edges) is qualified if and only if they include a path from ${\mathsf {s}}$ to ${\mathsf {t}}$. Around 1989 Benaloh and Rudich [6] (see also [2, Sect. 3.2]) constructed a (standard) secret sharing for this access structure. The dealer, given a secret ${s}\in \{ 0,1 \}$, assigns with each vertex $v\in V$ a label. For $v={\mathsf {s}}$ the label is $w_{\mathsf {s}}= {s}$, for $v={\mathsf {t}}$ the label is $w_{\mathsf {t}}=0$ and for the rest of the vertices the label is chosen independently uniformly at random $w_v \leftarrow \{ 0,1 \}$. The share of a party $e=(u,v)\in E$ is $w_{u}\oplus w_v$.

Consider a set of parties that include a path ${\mathsf {s}}=v_{1}v_2\dots v_k={\mathsf {t}}$ from ${\mathsf {s}}$ to ${\mathsf {t}}$. To reconstruct the secret, the parties XOR their shares to get

$$\begin{aligned} (w_{v_1}\oplus w_{v_2}) \oplus (w_{v_2} \oplus w_{v_3}) \oplus \dots \oplus (w_{v_{k-1}} \oplus w_{v_k}) = w_{v_1}\oplus w_{v_k} = {s}. \end{aligned}$$

One can observe that this access structure and scheme naturally generalize to the evolving setting. In this setting, we consider an evolving (possibly infinite) graph, where the set of nodes and edges are unbounded. At any point in time an arbitrary set of vertices and edges can be added to the graph. An addition of an edge corresponds to a new party added to the scheme. The special vertices ${\mathsf {s}}$ and ${\mathsf {t}}$ are fixed ahead of time and cannot change (this is to ensure the access structure is evolving).

Initially, the dealer assigns labels for the special vertices ${\mathsf {s}}$ and ${\mathsf {t}}$, as before (i.e. it sets $w_{\mathsf {s}}= {s}$ and $w_{\mathsf {t}}= 0$). For the rest of the vertices the dealer assigns (uniformly random) labels only on demand: When a new edge $e=(u,v)$ is added to the graph (which corresponds to a new party), the dealer gives the party corresponding to the edge e the XOR of the labels of the vertices u and v. Correctness and security of this scheme follow similarly to the correctness and security of the standard scheme. One can see that the share size of each party is exactly the size of the secret.

3 A Scheme for General Evolving Access Structures

We give a construction of a secret sharing scheme for every evolving access structure. We emphasize that our construction also works in the scenario in which the access structure is chosen adaptively; see remark after Definition 6. We focus on the case where the secret is a single bit.

Theorem 7

(Theorem 1 restated). For every evolving access structure there is a secret sharing scheme where the share size of the ${t}^{th}$ party is at most $2^{t-1}$.

The fact that our construction results with shares of exponential size should come as no surprise, as the best constructions known for standard secret sharing schemes for general access structures have shares of exponential size (in the number of parties). Proving that shares of exponential size are necessary to realize some evolving access structure is a very interesting open problem.

Proof of Theorem

7 . Let $\mathcal A=\{\mathcal A_t\}_{t\in \mathbb N}$ be an evolving access structure.^{Footnote 7} Let $\{f_t\}_{t\in \mathbb N}$ be the sequence of functions, where $f_i:\{ 0,1 \}^i\rightarrow \{ 0,1 \}$ is the (monotone) characteristic function of $\mathcal A_i$.

Let $s\in \{ 0,1 \}$ be the secret to be shared. We describe what the dealer stores and how it prepares a share for an arriving party. At time t (before party t arrives) the dealer maintains a set of bits we denote by $w_{(b_1,\dots ,b_{i})}$ for all $i \in [t-1]$ and $b_1,\dots ,b_{i}\in \{ 0,1 \}$. These bits are defined iteratively. First, the dealer sets $w_{(1)} =s$ if $f_1(1)=1$ and it is a uniformly random bit otherwise. Moreover, for every $i\ge 1$, the dealer sets $w_{(b_1,\dots , b_{i-1},0)} = 0$. The rest of the bits are defined as follows.

1.
If $f_t(b_1,\dots ,b_{t-1},1) = 1$ and $f_{t-1}(b_1,\dots ,b_{t-1}) = 0$, then the dealer sets
$$\begin{aligned} w_{(b_1,\dots , b_{t-1}, 1)} = w_{(b_1,\dots , b_{t-1})} \oplus \ldots \oplus w_{(b_1)} \oplus s. \end{aligned}$$
2.
If $f_t(b_1,\dots ,b_{t-1},1) = 1$ and $f_{t-1}(b_1,\dots ,b_{t-1}) = 1$, then the dealer sets
$$\begin{aligned} w_{(b_1,\dots , b_{t-1},1)} = 0. \end{aligned}$$
3.
If $f_t(b_1,\dots ,b_{t-1},1) = 0$, then the dealer sets
$$\begin{aligned} w_{(b_1,\dots , b_{t-1},1)}\leftarrow \{ 0,1 \}\end{aligned}$$
to be a uniformly random bit.

The share of party $t\in \mathbb N$ consists of $2^{t-1}$ bits $w_{(b_1,\dots , b_{t-1},1)}$ for all $b_1,\dots ,b_{t-1}\in \{ 0,1 \}$.

Correctness and Security. We argue correctness and security at time $t\in \mathbb N$. Let $\varvec{b} = (b_1,\dots ,b_{t})\in \{ 0,1 \}^t$ be an indicator vector of a minimal qualified set of parties at time t. For every $i\in [t-1]$ such that $b_i = 1$, party i holds the bit $w_{(b_1,\dots ,b_i)}$. Party t, by construction, holds the bit $w_{(b_1,\dots ,b_{t-1})} \oplus \dots \oplus w_{(b_1)} \oplus s$, where $w_{(b_1,\dots ,b_i,0)} = 0$ for $0\le i\le t-2$. Therefore, by XOR-ing all the shares, namely, computing

$$\begin{aligned} \bigoplus _{i=1}^t w_{(b_1, \ldots , b_i)}, \end{aligned}$$

the parties present can compute s.

For security it is instructive to give a simple example that illustrates how the scheme works and why it is secure. Consider the access structure at time $t=4$ that consists of the following qualified sets $\{ \{1,2 \}, \{1,3\}, \{1,4\}, \{2,4 \}\}$ and we will argue security for the set $\{3,4\}$. Party 1 is unqualified so its share is $w_{(1)}$ is a uniformly random bit. Party 2 completes a qualified set with party 1 and so it’s share consists of two bits $w_{(0,1)}, w_{(1,1)}$, where $w_{(0,1)}$ is a uniformly random bit and $w_{(1,1)} = w_{(1)} \oplus s$. Similarly, the share of party 3 consists of four bits $w_{(0,0,1)}, w_{(0,1,1)}, w_{(1,0,1)}, w_{(1,1,1)}$, where $w_{(0,0,1)}$ and $w_{(0,1,1)}$, uniformly random, $w_{(1,1,1)} = 0$ since $\{1,2\}$ is qualified as well, and $w_{(1,0,1)} = w_{(1)} \oplus s$. Finally, the share of party 4 consists of 8 bits most of which are either 0 or uniformly random, and the interesting ones are $w_{(1,0,0,1)} = w_{(1)} \oplus s$ and $w_{(0,1,0,1)} = w_{(0,1)} \oplus s$. Let us assume that the shares given to parties $\{1,2,3\}$ do not reveal s and show that the shares of party 4 do not reveal it as well. Indeed, all its uniformly random bits and the zero bits do not help, so we focus on $w_{(1,0,0,1)}$ and $w_{(0,1,0,1)}$. We observe that since parties 4 and 3 both complete party 1 to be a qualified set, they both have the same share $w_{(1,0,0,1)} = w_{(1,0,1)} = w_{(1)} \oplus s$, so we can ignore $w_{(1,0,0,1)}$ as well and be left with $w_{(0,1,0,1)} = w_{(0,1)} \oplus s$. Now, the point is that since party 3 does not complete party 2 to get a qualified set, the element $w_{(0,1)}$ completely masks the secret. More generally, the formal vector space generated by the share $w_{(0,1,0,1)}$ is linearly independent of all other shares.

We sketch security in the general case by induction. For $t=1$ it is immediate and assume that the scheme is secure for $t-1$. For every $(b_1,\dots ,b_{t})\in \{ 0,1 \}^t$, party t receives a bit $w_{(b_1,\dots ,b_{t-1},1)}$ which is either a uniformly random bit or the bit $w_{(b_1,\dots ,b_{t-1})} \oplus \dots \oplus w_{(b_1)} \oplus s$, depending on the value of $f_t(b_1,\dots ,b_{t-1},1)$. Let $\varvec{b} = (b_1,\dots ,b_{t})\in \{ 0,1 \}^t$ be an indicator vector of an unqualified set of parties at time t. Assume that $b_t = 1$, as the other case follows immediately from the induction hypothesis. For every $w_{(b_1,\dots ,b_{t-1},1)}$, the uniformly random bits given to party t do not give an unqualified set any additional information about the secret as they are independent of everything else this set posses, so we can ignore them. Let us consider all the bit of the form $w_{(b'_1,\dots ,b'_{i})} \oplus \dots \oplus w_{(b'_1)} \oplus s$ held by parties in $\varvec{b}$. If there are two parties i, j such that $b_i=b_j=1$ that complete the same set, then they posses the same bit so we can ignore one of them. We are left with the case in which all parties complete different subsets. In this case, one can see that all the shares are linearly independent and thus the secret remains hidden. Security follows by the hypothesis.

Share Size. The share size of party t is $2^{t-1}$ bits. $\blacksquare $

3.1 Efficiency Improvements

In some cases, depending on the access structure, it is possible to reduce the share size by slightly optimizing the above scheme. The 0 bits that occur due to Theorem 3, do not have to be remembered as they can be inferred from the access structure.

At time t, the shares of party t will consists of:

1.
A bit for each unqualified subset of [t] that party t participates in. For the case when the access structure is known ahead of time, the only unqualified sets to consider our those that can be expanded to a qualified subset using future parties.
2.
A bit for each qualified subset of [t] that party t completes (i.e. is the last one).

This optimization is useful for access structures in which the number of unqualified sets is small. For example, for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure, the fact that there are only t unqualified sets, implies a scheme in which the share size of the ${t}^{th}$ party is exactly t (we use this fact in Sect. 4). More generally, for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure, there are $\sum _{i=0}^{k-2} {t-1 \atopwithdelims ()i}$ unqualified sets and ${t-1 \atopwithdelims (){k-1}}$ qualified sets which t completes, implying a scheme with share size roughly $t^{k-1}$.

4 An Efficient Scheme for Evolving 2-Threshold

We now describe the efficient construction for a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure. Recall that $\text {evolving}\text { }2\text {-}\textsc {thr}$ is the sequence of access structures $(2,1)\text {-}\textsc {thr}, (2,2)\text {-}\textsc {thr},(2,3)\text {-}\textsc {thr}, \dots $ which allow, at any point in time, for every pair of parties to learn the secret while disallowing singletons to learn anything about it. We first focus on the case where the secret is a single bit and discuss the more general case in Sect. 4.1.

Theorem 8

There is a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is bounded by

$$\begin{aligned} \log t + \log \log t + 2\log \log \log t + 6. \end{aligned}$$

Recall that in the classical setting of secret sharing, where an upper bound on the number of parties is known, there is a very efficient scheme for $(2,n)\text {-}\textsc {thr}$ in which the share size of each party is roughly $\log n$ (see Claim 5). In Sect. 6 we show that in the evolving setting, for any $c\in \mathbb N$, a scheme in which the share size of the ${t}^{th}$ party is $\log t + \log \log t + c$ cannot exist. Thus, up to an additive $\log \log \log t$ term, our scheme is optimal.

Our main technical claim used to prove Theorem 8 is given in the following lemma.

Lemma 1

Assume that there exists a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is $\sigma (t)$. Then, there exists a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \log t + \sigma (\log t + 1). \end{aligned}$$

Proof of Theorem

8 Assuming Lemma 1 . Recall that in Sect. 3 we constructed a secret sharing scheme for any evolving access structure that results with shares of size $2^{t-1}$. However, using the efficiency improvements described in Sect. 3.1,^{Footnote 8} we get a scheme in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \sigma ^{(0)}(t) = t. \end{aligned}$$

Using Lemma 1 this gives rise to a scheme $\varPi ^{(1)}$ in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \sigma ^{(1)}(t)&= \log t + \sigma ^{(0)}(\log t + 1) \\&= 2\log t + 1. \end{aligned}$$

Applying Lemma 1 again we get a scheme $\varPi ^{(2)}$ in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \sigma ^{(2)}(t)&= \log t + \sigma ^{(1)}(\log t + 1) \\&\le \log t + 2\log \left( \log t + 1\right) + 1 \\&\le \log t + 2\log \log t + 3. \end{aligned}$$

Applying Lemma 1 one last time we get a scheme $\varPi ^{(3)}$ in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \sigma ^{(3)}(t)&= \log t + \sigma ^{(2)}(\log t + 1) \\&\le \log t + \log (\log t+1) + 2\log \log (\log t+1) +3 \\&\le \log t + \log \log t + 2\log \log \log t+ 6. \end{aligned}$$

This proves the theorem.

We note that this bound is tight according to the lower bound in Theorem 3 up to the low-order term $\log \log \log t$.

We note that by applying Lemma 1 i times we can improve the share size for large enough t. This will match the lower bound up to a low order term of $\log ^{(i)}(t)$ (See Remark 1). We choose to stop after three applications of Lemma 1 due to aesthetic reasons (but see Sect. 7). $\blacksquare $

We are left to prove Lemma 1.

Proof of Lemma

1 . Let $\varPi $ be a construction of a secret sharing scheme for $\text {evolving}\text { }2\text {-}\textsc {thr}$ in which the share size of the ${t}^{th}$ party is $\sigma (t)$. We construct a scheme $\varPi '$ for the same access structure in which the share size is $\log t + \sigma (\log t + 1)$. We proceed with the description of the scheme.

Let $s\in \{ 0,1 \}$ be the secret to be shared. Each party, when it arrives, is assigned to a generation. The generations are growing in size: For $g=0,1,2\dots $ the ${g}^{th}$ generation begins when the $2^{g}$-th party arrives. Therefore, the size of the ${g}^{th}$ generation, namely, the number of parties that are part of this generation, is $\textsc {size}({g}) = 2^{g}$ and party $t\in \mathbb N$ is part of generation $g=\lfloor \log t\rfloor $.

When a generation begins the dealer prepares shares for all parties that are part of that generation. Let us focus on the beginning of the ${g}^{th}$ generation and describe the dealer’s procedure:

1.
Split s using a secret sharing scheme for $(2,\textsc {size}({g}))\text {-}\textsc {thr}$. Denote the resulting shares by $u^{(g)}_1,\dots ,u^{(g)}_{\textsc {size}({g})}$.
2.
Generate one share using the secret sharing scheme $\varPi $ given the secret s and previous shares $\{v^{(i)}\}_{i\in \{0,\dots ,g-1\}}$. Denote the resulting share by $v^{(g)}$.
3.
Set the secret share of the ${j}^{th}$ party in the ${g}^{th}$ generation (i.e. $j\in [\textsc {size}({g})]$) to be
$$\begin{aligned} \left( {u_{j}^{{(g)}} ,v^{{(g)}} } \right) . \end{aligned}$$

The output of the scheme is depicted in Fig. 1.

Correctness and Security. Let $t_1,t_2\in \mathbb N$ be any two different parties. We show that the secret s can be computed from their shares. If $t_1$ and $t_2$ are from the same generation g (i.e. if $g=\lfloor \log t_1 \rfloor = \lfloor \log t_2 \rfloor $), then they can reconstruct the secret s using the reconstruction procedure of the $(2,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme using the corresponding $u^{(g)}$ shares. If they are from different generations $g_1\ne g_2$, then the parties can compute s using the reconstruction procedure of the $\text {evolving}\text { }2\text {-}\textsc {thr}$ scheme and the two shares $v^{(g_1)}$ and $v^{(g_2)}.$

For security consider any single party $t\in \mathbb N$ from generation g. By the security of the $(2,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme, the security of the $\text {evolving}\text { }2\text {-}\textsc {thr}$ scheme, and the fact that both parts of the share are generated independently, the shares cannot be used to learn anything about the secret.

Share Size Analysis. We analyze the share size of parties in the scheme ${\varPi '}$. Denote by $\sigma (t)$ the share size of party t in the scheme ${\varPi }$. We bound the size of each component in the share of party t. The share of party t that is the ${j}^{th}$ party of generation $g= \lfloor \log t\rfloor $ is $(u^{(g)}_{j},v^{(g)})$.

1.
$u^{(g)}_{j}$ – generated by secret sharing s using a scheme for $(2,\textsc {size}({g}))\text {-}\textsc {thr}$. Since $\textsc {size}({g}) = 2^g$ and using Claim 5 we get that
$$\begin{aligned} |u_{j}^{{(g)}} | \le \log (\textsc {size}({g})) \le \lfloor \log t \rfloor . \end{aligned}$$
2.
$v^{(g)}$ – generated by generating one share of a secret sharing scheme $\varPi $ for $\text {evolving}\text { }2\text {-}\textsc {thr}$. Recall that g shares were generated for previous generations. Therefore,
$$\begin{aligned} |v^{(g)}| = \sigma (g+1) = \sigma (\lfloor \log t \rfloor + 1). \end{aligned}$$

Thus, the total share size in the scheme $\varPi '$ is bounded by

$$\begin{aligned} \log t + \sigma (\log t + 1). \end{aligned}$$

$\blacksquare $

4.1 Generalization to Larger Domains of Secrets

This scheme can be generalized to larger domains of secrets in an efficient way (in particular, better than sharing each bit independently). Roughly speaking, this follows since Shamir’s threshold scheme can be used to share a secret longer than 1 bit without increasing the share size; see Claim 5. More generally, sharing a secret of $\ell $-bits long, requires shares of size roughly $\max \{\log n, \ell \}$, where n is the number of parties in the scheme.

Let the secret be a string of length $\ell $. Using the above feature of Shamir’s scheme, a slight variant of Lemma 1 still holds (following the same proof). Namely, given any secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure and $\ell $-bit secrets in which the share size of the ${t}^{th}$ party is $\sigma (t)$. Then, there exists a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure and $\ell $-bit secrets in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \max \{\log t, \ell \} + \sigma (\log t + 1). \end{aligned}$$

We have to specify the initial scheme that supports $\ell $-bit secrets to start the recursive composition with. We use our scheme for Theorem 8 by secret sharing every bit independently. The share size will be $\sigma ^{(0)}(t) \le \ell \cdot (\log t + \log \log t + 2\log \log \log t + 6)$. For large enough t it holds that $\sigma ^{(0)}(t) \le t$ and $\max \{\log t, \ell \} = \log t$. Thus, one can follow the same outline of the proof of Theorem 8 and obtain the same share size as in Theorem 8 for large enough t. (For smaller values of t one can follow the analysis and obtain a bound as a function of t and $\ell $).

5 A Scheme for Evolving $\varvec{k}$-Threshold

In this section we give a construction for a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure for general k. As in Sect. 4, we first focus on the case where the secret is a single bit and discuss the more general case in Sect. 5.4.

Theorem 9

(Theorem 2 restated). There is a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is at most

$$\begin{aligned} (k-1)\cdot \log t + 6k^3\cdot \log \log t \cdot \log \log \log t + 7k^4\cdot \log {k}. \end{aligned}$$

As in the case of $k=2$ (see the discussion after Theorem 8), the best one could hope to obtain is a scheme in which the share of the ${t}^{th}$ party is close to $\log t$.^{Footnote 9} Our construction has a linear dependence on k and we leave open the question whether this can be improved.

We note that the bound in Theorem 9 applies for any $t\in \mathbb N$ and $k\ge 2$. For specific values of t and k it is possible to follow the analysis and obtain a better bound.

Our approach is to start with some basic scheme that has good dependency on k but high dependency on t and use a domain reduction technique in order to obtain better dependency on t.

Our main technical lemma used to prove Theorem 9 is a general transformation where we take any scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure (possibly with large share size), and convert it into a different scheme with smaller share size. Formally we prove following lemma.

Lemma 2

Let $k\in \mathbb N$. Assume that there exists a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is $\sigma (t)$. Then, there exists a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is at most

$$\begin{aligned} (k-1)\cdot \log t + k \cdot \sigma (\log t + k) + k^2. \end{aligned}$$

The proof of Theorem 9 is done via repeated applications of Lemma 2, somewhat similarly to the proof of Theorem 8. However, naively the resulting parameters are not very good. Specifically, if we start with the scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size is exponential in t or k (which is what we get using the scheme from Theorem 7; see Sect. 3.1), then by applying Lemma 2, the share size will eventually depend exponentially on k.

To overcome this, we first present a tailor-made construction for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size of party t has almost linear dependence on t and k. Using this scheme as a basic building block, we repeatedly apply Lemma 2 to obtain Theorem 9. The proof of the latter can be found in Sect. 5.3. The tailor-made construction for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure appears next in Sect. 5.1. Finally, the proof of Lemma 2 appears in Sect. 5.2.

5.1 The Basic Scheme for Evolving $\varvec{k}$-Threshold

The main result of this subsection is a construction of a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure and 1-bit secrets in which the share size of party t is almost linear in t and k. This scheme will be used later as the basic building block in our final scheme for $\text {evolving}\text { }k\text {-}\textsc {thr}$ satisfying Theorem 9.

Lemma 3

There is a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is bounded by $kt\cdot \log (kt)$.

In the construction used to prove Lemma 3 we will employ two secret sharing schemes: (1) Shamir’s threshold scheme and (2) a secret sharing scheme for a new access structure. The latter access structure $\mathsf {C}_{\ell }$ over 2k parties, where $\ell \le k$, is defined via its characteristic monotone function that we denote by $\mathsf {C}_{\ell }$ as well. Let $(x,y)\in \{ 0,1 \}^k\times \{ 0,1 \}^k$ be an inputs to $\mathsf {C}_{\ell }:\{ 0,1 \}^k\times \{ 0,1 \}^k\rightarrow \{ 0,1 \}$, where we think of $x$ and $y$ as unary encoding of two numbers in $\{0,\dots ,k\}$. Jumping ahead, the variable $x$ will represent the number of parties present so far and $y$ will represent the number of parties to come. The access structure contains all pairs whose sum is at least $\ell $. Formally, we define $\mathsf {C}_{\ell }(x,y) = 1$ if and only if at least one of the following conditions hold:

1.
$\exists i,j\in [\ell -1]$ such that $x_i = 1$, $y_j = 1$, and $i + j = \ell $.
2.
$y_\ell = 1$ or $x_\ell = 1$.

Claim 10

Let $\ell ,k\in \mathbb N$ such that $\ell \le k$. There exists a secret sharing scheme for the access structure $\mathsf {C}_{\ell }$ in which the share size of each party is exactly the size of the shared secret.

Proof

The following monotone formula computes $\mathsf {C}_{\ell }$:

$$\begin{aligned} \mathsf {C}_{\ell } (x,y) = \mathop \bigvee \limits _{{i = 1}}^{{\ell - 1}} (x_i \wedge y_{\ell -1}) \vee (x_\ell \vee y_\ell ). \end{aligned}$$

Notice that this formula is a DNF and every input variable appears exactly once. This formula gives rise to a simple secret sharing scheme for the access structure $\mathsf {C}_{\ell }$ using the method of [5]. Since each variable appears at most once in the formula ($x_1,\dots ,x_\ell $ and $y_1,\dots ,y_\ell $ appear once, but $x_{\ell +1}\dots ,x_{k}$ and $y_{\ell +1},\dots ,y_{k}$ do not appear), the share of each party is bounded by the length of the secret. The theorem follows by padding all shares to be of the same length.

Intuition for the Construction. Our goal is to allow any combination of k parties to learn s. The main idea is not to consider all possible combinations of k parties, but to group parties into generations, ignore the identities of the parties within a generation, and only focus on their quantity. For simplicity, let us focus on the first and second generation. How many quantities should we consider? Exactly k, since the presence of $i\le k$ parties from the first generation requires the presence of $k-i$ parties from the second generation. Therefore, the idea is to generate 2k strings $x_1,\dots ,x_k$ and $y_1,\dots ,y_k$, such that only a proper combination of $x_i$ and $y_{k-i}$ will recover the secret s (for this we use the scheme for the access structure $\mathsf {C}_k$). These 2k strings are generated when the first generation begins and the $x$’s (the values corresponding to the “present”) are shared among the parties of that generation in a way that allows any i parties to learn $x_i$. The $y$’s (the values corresponding to the “future”) will be shared among the parties of the second generation in a similar way allowing any $k-i$ parties to learn $y_{k-i}$. Together, they will be able to recover s.

To formalize the above intuition and extend it to more generation we need some notation. For a generation $g\ge 0$, we denote by $[k]^g=\{1,\ldots ,k\}^g$ the set $\underbrace{\{1,\ldots ,k\}\times \ldots \times \{1,\ldots ,k\}}_{g \text { times}}$. We will be using vectors of the form $\varvec{z} = (i_1,\dots ,i_g) \in [k]^g$ in our notation. For such a vector $\varvec{z}$ and $i_{g+1}\in [k]$, we denote by $(\varvec{z}, i_{g+1})$ the vector $(i_1,\dots ,i_g,i_{g+1})\in [k]^{g+1}$.

Proof of Lemma

3 . Let $s\in \{ 0,1 \}$ be the secret to be shared. Each party, when it arrives, is assigned to a generation. Party $t\in \mathbb N$ is assigned to generation $g=\lfloor \log _k t\rfloor $. The generations are growing in size: For $g=0,1,2\dots $ the ${g}^{th}$ generation begins when the $k^{g}$-th party arrives. Therefore, the size of the ${g}^{th}$ generation (i.e. the number of parties that are members of this generation), is

$$\begin{aligned} \textsc {size}({g}) = k^{g+1}-k^g=(k-1)\cdot k^{g}. \end{aligned}$$

When a generation g begins the dealer prepares shares for all parties that are members of that generation, and in addition, it generates $k^{g+1}$ strings $\{y_{\varvec{z}}^{(g+1)}\}_{\varvec{z}\in [k]^{g+1}}$ which it remembers for the next generation. Initially, the dealer sets $y_{\emptyset }^{(0)} = s$. Let us focus on the beginning of the ${g}^{th}$ generation and describe the dealer’s procedure (for consistency of notation we define $[k]^0=\emptyset $):

1.
1. (a)
  If $g=0$: Split the string $y_{\emptyset }^{(0)} = s$ using the secret sharing scheme for $\mathsf {C}_{k}$ of Claim 10. Denote the resulting 2k shares by $x^{(0)}_{(1)},\dots ,x^{(0)}_{(k)}, y^{(1)}_{(1)},\dots ,y^{(1)}_{(k)}$.
2. (b)
  If $g\ge 1$: For all $\varvec{z} = (i_1,\dots ,i_g)\in [k]^g$ split the string ${y_{\varvec{z}}^{(g)}}$ using the secret sharing scheme for $\mathsf {C}_{i_g}$ of Claim 10. Denote the resulting 2k shares by $x^{(g)}_{(\varvec{z},1)},\dots ,x^{(g)}_{(\varvec{z},k)}, y^{(g+1)}_{(\varvec{z},1)},\dots ,y^{(g+1)}_{(\varvec{z},k)}$.
The $x$’s will be shared amongst the parties in the current (${g}^{th}$) generation, whereas the $y$’s will be used to generate shares for parties in the next (${(g+1)}^{th}$) generation.
2.
For all $\varvec{z} = (i_1,\dots ,i_{g+1})\in [k]^{g+1}$ secret share $x^{(g)}_{\varvec{z}}$ using a scheme for $(i_{g+1},\textsc {size}({g}))\text {-}\textsc {thr}$. Denote the resulting $\textsc {size}({g})$ shares by $u^{(g)}_{\varvec{z},1},\dots ,u^{(g)}_{\varvec{z},\textsc {size}({g})}$.
3.
The secret share of the ${j}^{th}$ party in the ${g}^{th}$ generation (that is, the ${t}^{th}$ party where $t = k^g + j -1$) is composed of all the strings $u^{(g)}_{\varvec{z},j}$ for any possible $\varvec{z}$. Namely, it is the sequence of strings
$$\begin{aligned} \{u^{(g)}_{\varvec{z},j}\}_{\varvec{z}\in [k]^{g+1}}. \end{aligned}$$

Correctness and Security

Claim 11

Any $c \le k$ parties from generation g can compute $\{x^{(g)}_{(\varvec{z},i)}\}_{\varvec{z}\in [k]^g,i\in [c]}$.

Proof

Let $j_1,\dots ,j_c\in [\textsc {size}({g})]$ be the indices of parties present from that generation. Thus, the parties can compute

$$\begin{aligned} \{u^{(g)}_{\varvec{z}, j_1}, \dots , u^{(g)}_{\varvec{z}, j_{c}}\}_{\varvec{z}\in [k]^{g+1}}. \end{aligned}$$

Therefore, all the $x$ values that were shared via a threshold scheme in which the threshold was at most c can be reconstructed. Namely, the values $\{x^{(g)}_{(\varvec{z},i)}\}_{\varvec{z}\in [k]^g,i\in [c]}$.

Claim 12

Fix a generation $g\ge 0$, two numbers $c_1,c_2\in [k]$ and $\varvec{z}=(i_1,\dots ,i_g)\in [k]^g$. Then, given $x^{(g)}_{(\varvec{z},c_1)}$ and $y^{(g+1)}_{(\varvec{z},c_2)}$ such that $c_1+c_2\ge i_g$, one can compute $y^{(g)}_{\varvec{z}}$. Moreover, given $x^{(g)}_{(\varvec{z},c_1)}$ such that $c_1 \ge i_g$, one can compute $y^{(g)}_{\varvec{z}}$.

Proof

Follows from the correctness of the secret sharing scheme for $\mathsf {C}_{\ell }$.

Now, let us assume that k parties come together and try to reconstruct s. Assume that $c_0$ parties come from generation 0, $c_1$ come from generation 1 and so on. That is, for some generation g it holds that $\sum _{i=0}^gc_i=k$ and without loss of generality $c_g>0$. We show that these parties can learn $y^{(0)}_{(k)}=s$, as required. This is done by applying Claims 11 and 12 iteratively. Details follow.

By Claim 11, using the shares of the $c_i$ parties in generation $i\in \{0,\dots ,g\}$ we can compute

$$\begin{aligned} x^{(0)}_{(c_0)}, \quad \{x^{(1)}_{(\varvec{z},c_1)}\}_{\varvec{z}\in [k]^1}, \quad \ldots , \quad \{x^{(g)}_{(\varvec{z},c_g)}\}_{\varvec{z}\in [k]^g}. \end{aligned}$$

By the second part of Claim 12, using $\{x^{(g)}_{(\varvec{z},c_g)}\}_{\varvec{z}\in [k]^g}$ we can reconstruct

$$\begin{aligned} \{y^{(g)}_{\varvec{z}} \}_{\varvec{z} \in [k]^{g-1}\times \{c_g\}}. \end{aligned}$$

By the first part of Claim 12, using $\{x^{(g-1)}_{(\varvec{z},c_{g-1})}\}_{\varvec{z}\in [k]^{g-1}}$ with $\{y^{(g)}_{\varvec{z}} \}_{\varvec{z}\in [k]^{g-1}\times \{c_g\}}$ we can reconstruct

$$\begin{aligned} \{y^{(g-1)}_{\varvec{z}} \}_{\varvec{z}\in [k]^{g-2}\times \{c_g+c_{g-1}\}}. \end{aligned}$$

Using the first part of Claim 12 iteratively as above, one can eventually compute $y^{(1)}_{(\sum _{i=1}^g c_i)}$. Combining with $x^{(0)}_{(c_0)}$, one can compute $y^{(0)}_{\emptyset } = s$, as required.

To argue security, fix any set of parties as above where $\sum _{i=0}^gc_i<k$. We claim that these parties cannot learn the value $y^{(0)}_\emptyset =s$. From the security of the scheme for $\mathsf {C}_{\ell }$, it is enough to show that they cannot learn any value in $y^{(1)}_{(k-c_0)}$. Applying this logic once again, it is enough to show that they cannot learn any value in $\{y^{(2)}_{(\varvec{z},k-c_0-c_1)}\}_{\varvec{z}\in [k]}$. Applying this argument g times, we get that s cannot be learned if and only if $\{y^{(g+1)}_{(\varvec{z},k-\sum _{i=0}^g c_i)}\}_{\varvec{z}\in [k]^{g}}$ cannot be learned. Indeed, these values are independent of the shares of parties up to generation g.

Share Size Analysis. We analyze the share size of parties in the scheme $\varPi _k$ described above. The share of party t from generation g is composed of $k^{g+1}$ shares generated via standard threshold schemes over $\textsc {size}({g})$ parties. Thus, in total, the share size of party t is bounded by $k^{g+1}\cdot \log ( \textsc {size}({g}))$. Recall that $g = \lfloor \log _k t\rfloor $ and $\textsc {size}({g}) = (k-1)\cdot k^g$. Therefore, the share size is bounded by

$$\begin{aligned} k\cdot t \cdot \log ((k-1)\cdot t) \le k t \cdot \log (kt). \end{aligned}$$

$\blacksquare $

5.2 Recursive Composition: Proof of Lemma 2

Let $\varPi _k$ be a construction of a secret sharing scheme for $\text {evolving}\text { }k\text {-}\textsc {thr}$ in which the share size of the ${t}^{th}$ party is $\sigma _k(t)$. We construct a scheme $\varPi _k'$ for the same access structure in which the share size is $\sigma '_k(t) = \log t + (k-1) + \sigma (\log t + (k-1)) + (k-2)\cdot \max \{\log t + (k-1), \sigma (\log t + (k-1))\}$.

Let $s\in \{ 0,1 \}$ be the secret to be shared. Each party is assigned to a generation. The generations are growing in size: For $g=0,1,2\dots $ the ${g}^{th}$ generation begins when the $2^{(k-1)\cdot g}$-th party arrives. Thus, party $t\in \mathbb N$ is part of generation $g=\lfloor (\log t) / (k-1) \rfloor $, and the number of parties that are part of generation g, is

$$\begin{aligned} \textsc {size}({g}) = 2^{(k-1)\cdot (g+1)} - 2^{(k-1)\cdot g} = 2^{(k-1)\cdot g}\cdot (2^{k-1} - 1) \le t\cdot 2^{k-1}. \end{aligned}$$

As in Sect. 5.1, when a generation begins the dealer prepares shares for all parties that are members of that generation. We focus on the beginning of generation g and describe the dealer’s procedure:

1.
Split s using a secret sharing scheme for $(k,\textsc {size}({g}))\text {-}\textsc {thr}$. Denote the resulting shares by $u^{(g)}_1,\dots ,u^{(g)}_{\textsc {size}({g})}$.
2.
Generate $k-1$ shares using the secret sharing scheme $\varPi _{k}$ given the secret s and previous shares $\{v^{(i)}_j\}_{i\in [g-1],j\in [k-1]}$. Denote the resulting shares by $v^{(g)}_{1},\dots ,v^{(g)}_{k-1}$.
3.
For $i\in [k-1]$, split $v^{(g)}_{i}$ using a secret sharing scheme for $(i,\textsc {size}({g}))\text {-}\textsc {thr}$. Denote the resulting shares by $\{w^{(g)}_{i,1},\dots ,w^{(g)}_{i,\textsc {size}({g})}\}_{i\in [k-1]}$.
4.
Set the secret share of the ${j}^{th}$ party in the ${g}^{th}$ generation (i.e. $j\in [\textsc {size}({g})]$) to be
$$\begin{aligned} \left( u^{(g)}_{j},w^{(g)}_{1,j},\dots ,w^{(g)}_{k-1,j}\right) . \end{aligned}$$

Correctness and Security. We show that any k parties can learn the secret. If all the parties come from the same generation g, then they can use their $u^{(g)}$ in order to run the reconstruction procedure of the $(k,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme and learn s. For k parties that come from at least two generations we show that they can jointly learn k shares for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ scheme $\varPi _k$. By correctness of $\varPi _k$, using these shares they can reconstruct s. Indeed, assume that $c_0$ parties come from generation 0, $c_1$ come from generation 1 and so on, where there is some generation g where $\sum _{i=0}^g c_i = k$ and for all i it holds that $c_i\le k-1$.

Claim 13

Any $c\in [\textsc {size}({g})]$ parties from generation g can compute $v_c^{(g)}$.

Proof

The c parties hold c shares for $(1,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme that give $v_1^{(g)}$, c shares for the $(2,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme that give $v_2^{(g)}$ and so on.

Using this claim we get that the k parties can learn $\sum _{i=0}^g c_i = k$ shares of the $\text {evolving}\text { }k\text {-}\textsc {thr}$ scheme, as required.

For security consider any set of $k-1$ parties. First, the u shares of the $(k,\textsc {size}({g}))\text {-}\textsc {thr}$ scheme are independent of the secret. Thus, to complete the proof we need to show that the parties cannot learn any k shares of the $\text {evolving}\text { }k\text {-}\textsc {thr}$ scheme $\varPi _k$. Indeed, any c parties from generation g cannot learn more than c shares $v^{(g)}_1,\dots ,v^{(g)}_c$; this follows from the security of the schemes $(c+1,\textsc {size}({g}))\text {-}\textsc {thr},\dots ,(k-1,\textsc {size}({g}))\text {-}\textsc {thr}$. Therefore, in total, the parties can learn at most $\sum _{i=0}^g c_i <k$ shares.

Share Size Analysis. We bound the size of each component in the share of party t in the scheme $\varPi '_k$. The share of party t that is the ${j}^{th}$ party of generation $g= \lfloor (\log t)/(k-1)\rfloor $ is composed of $u^{(g)}_{j}$ and $w^{(g)}_{1,j},\dots ,w^{(g)}_{k-1,j}$:

1.
$u^{(g)}_{j}$ – generated by secret sharing s using a scheme for $(k,\textsc {size}({g}))\text {-}\textsc {thr}$. By Claim 5 it holds that
$$\begin{aligned} |u^{(g)}_{j}| \le \log (\textsc {size}({g})) \le \log t + (k-1) \end{aligned}$$
2.
$w^{(g)}_{i,j}$ – generated by secret sharing $v_i^{(g)}$ using a scheme for $(i,\textsc {size}({g}))\text {-}\textsc {thr}$. By Claim 5 for $1<i\le k-1$ it holds that
$$\begin{aligned} |w^{(g)}_{i,j}| \le \max \{\log (\textsc {size}({g})), |v_i^{(g)}| \} \le \max \{\log t + (k-1), |v_i^{(g)}|\} \end{aligned}$$
and for $i=1$ it holds that
$$\begin{aligned} |w^{(g)}_{1,j}| = |v_i^{(g)}|. \end{aligned}$$
- $v_i^{(g)}$ – generated by generating a share of a sharing scheme $\varPi _{k}$ for $\text {evolving}\text { }k\text {-}\textsc {thr}$. Recall that $g\cdot (k-1) \le \log t + (k - 1)$ shares were generated for previous g generations. Therefore, for all $i\in [k-1]$
  $$\begin{aligned} |v_i^{(g)}| \le \sigma (\log t + (k-1)). \end{aligned}$$
Therefore, for $1 < i \le k-1$
$$\begin{aligned} |w^{(g)}_{i,j}| \le \max \left\{ \log t + (k-1), \sigma ( \log t +(k-1))\right\} \end{aligned}$$
and for $i=1$
$$\begin{aligned} |w^{(g)}_{1,j}| \le \sigma (\log t +(k-1)). \end{aligned}$$

Thus, the total share size in the scheme $\varPi '_k$ is bounded by:

$$\begin{aligned}&\log t + (k-1) + \sigma (\log t + (k-1)) + (k-2)\cdot \max \{\log t + (k-1), \sigma (\log t + (k-1))\} \\&\le \log t + (k-1) + \sigma (\log t + (k-1)) + (k-2)(\log t + (k-1) + \sigma (\log t + (k-1)))\nonumber \\&\le (k-1)\log t + k\cdot \sigma (\log t + k) + k^2.\nonumber \end{aligned}$$

(1)

5.3 Proof of Theorem 9 Assuming Lemma 2

Let $k\in \mathbb N$ be such that $k\ge 2$. We use the scheme for $\text {evolving}\text { }k\text {-}\textsc {thr}$ constructed in Sect. 5.1 in which the share size of the ${t}^{th}$ party is $\sigma _k^{(0)}(t) = kt\cdot \log (kt)$. Using Lemma 2 this gives rise to a scheme $\varPi _k^{(1)}$ for $\text {evolving}\text { }k\text {-}\textsc {thr}$ in which the share size of the ${t}^{th}$ party is:

$$\begin{aligned} \sigma _k^{(1)}(t) = (k-1)\cdot \log t + k \cdot \sigma _k^{(0)}(\log t + k) + k^2. \end{aligned}$$

(2)

We bound $\sigma _k^{(0)}(\log t + k)$. If $k > \log t$, then

$$\begin{aligned} \sigma _k^{(0)}(\log t + k) \le \sigma _k^{(0)}(2k) \le 2k^2\cdot \log \left( 2k^2\right) \le 4k^2\cdot \log {(2k)} \end{aligned}$$

If $k \le \log t$ then

$$\begin{aligned} \sigma _k^{(0)}(\log t + k)&\le \sigma _k^{(0)}(2\log t) \\&\le k\cdot 2\log t \cdot \log \left( k\cdot 2\log t\right) \\&\le 2k\cdot \log t\cdot \log \log t + 2k\cdot \log t\cdot \log \left( 2k\right) \\&\le 4k\cdot \log t \cdot \log \log t + 4k^2\cdot \log \left( 2k\right) , \end{aligned}$$

where the last inequality follows since $2k\cdot \log t\cdot \log \left( 2k\right) \le 2k\cdot \log t\cdot \log \log t + 4k^2\cdot \log (2k)$. Together we get that

$$\begin{aligned} \sigma _k^{(0)}(\log t + k) \le \max \{\sigma _k^{(0)}(2\log t),\sigma _k^{(0)}(2k)\} \le 4k\cdot \log t \cdot \log \log t + 4k^2\cdot \log \left( 2k\right) . \end{aligned}$$

Plugging this in Eq. (2), we get that

$$\begin{aligned} \sigma _k^{(1)}(t)&= (k-1)\cdot \log t + k\cdot \sigma _k^{(0)}(\log t + k) + k^2 \\&\le (k-1)\cdot \log t + 4k^2\cdot \log t\cdot \log \log t + 4k^3\cdot \log \left( 2k\right) + k^2 \\&\le 5k^2\cdot \log t\cdot \log \log t + 5k^3\cdot \log {k}. \end{aligned}$$

Using Lemma 2 again, we get a scheme $\varPi _k^{(2)}$ in which the share size of the ${t}^{th}$ party is

$$\begin{aligned} \sigma _k^{(2)}(t) = (k-1)\cdot \log t + k\cdot \sigma _k^{(1)}(\log t + k) + k^2. \end{aligned}$$

(3)

We bound $\sigma _k^{(1)}(\log t + k)$ as follows.

$$\begin{aligned} \sigma _k^{(1)}(\log t + k)&\le \max \{\sigma _k^{(1)}(2\log t), \sigma _k^{(1)}(2k)\} \\&\le 5k^2\cdot \log \left( 2\log t\right) \cdot \log \log \left( 2\log t\right) + 5k^2\cdot \log \left( 2k\right) \cdot \log \log \left( 2k\right) \\&\quad + 5k^3\cdot \log {k} \\&\le 6k^2\cdot \log \log t \cdot \log \log \log t + 6k^3\cdot \log {k}. \end{aligned}$$

Plugging this back in Eq. (3), we get that

$$\begin{aligned} \sigma _k^{(2)}(t)&= (k-1)\cdot \log t + k \cdot \sigma _k^{(1)}(\log t + k) + k^2 \\&\le (k-1)\cdot \log t + 6k^3\cdot \log \log t \cdot \log \log \log t + 6k^4\cdot \log {k} + k^2 \\&\le (k-1)\cdot \log t + 6k^3\cdot \log \log t \cdot \log \log \log t + 7k^4\cdot \log {k}. \end{aligned}$$

Remark. As in the proof of Theorem 8, one can iteratively apply Lemma 2 again and again to decrease the dependence on $\log \log t\cdot \log \log \log t$. However, the dependence on $\log t$ cannot be improved using this method.

5.4 Generalization to Larger Domains of Secrets

Similarly to the generalization of the scheme from Sect. 4 to support larger domains of secrets (see Sect. 5.4), we generalize the above scheme. Let the secret be of length $\ell $. Following the proof of Lemma 2, we obtain that given a scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure that supports secrets of length $\ell $ in which the share size of the ${t}^{th}$ party is $\sigma (t)$, there exists a scheme for the same access structure and same length of secrets in which the share size of the ${t}^{th}$ party is bounded by (cf. Eq. (1))

$$\begin{aligned} \max \{\log t + (k-1), \ell \} + \sigma (\log t + (k-1)) + (k-2)\cdot \\ \max \{\log t + (k-1), \sigma (\log t + (k-1))\} \end{aligned}$$

Notice that for large enough $t\in \mathbb N$ the above bound is the same as the bound we had in Eq. (1). For the recursive composition step (cf. Sect. 5.2) we start with the naive generalization of the scheme from Theorem 9 to support several input bits (i.e. bit by bit). This gives a scheme in which the share size is $\sigma ^{(0)}(t) \le \ell \cdot ((k-1)\cdot \log t + k \cdot \sigma (\log t + k) + k^2)$. For large enough t it holds that $\sigma ^{(0)}(t) \le kt\cdot \log (kt)$. Thus, one can follow the same outline of the proof of Theorem 9 (see Sect. 5.3) and obtain the same share size as in Theorem 9 for large enough t. (For smaller values of t one can follow the analysis and obtain a bound as a function of t and $\ell $).

5.5 Linearity of the Scheme

The scheme from Theorem 7 is linear over $\mathsf {GF}(2)$. In the scheme from this section the shares are composed of several different parts each being an element coming from a different scheme. Consider the scheme from Sect. 5.1 (denoted by $\varPi ^{(0)}_k$ in Sect. 5.3). Each share there is a composition of several linear schemes (the threshold scheme of Shamir and the scheme of Benaloh and Leichter). Since composition of linear schemes results with a linear scheme, the scheme is linear. Next, for the basic construction $\varPi ^{(1)}_k$ in Sect. 5.3, each share is composed of several parts each being either a share of a linear scheme (Shamir’s scheme) or a composition of linear schemes (Shamir’s scheme and the scheme $\varPi ^{(0)}_k$), resulting with a linear scheme. The same argument applies for the recursive composition which eventually gives that the final construction is linear.

6 A Lower Bound

For general access structures the best standard secret sharing schemes require exponential-size shares. Instantiating our scheme for n parties, results with the ${n}^{th}$ party holding a share of size $2^{n-1}$. Thus, any improvement in the share size on our scheme for general access structures, will imply a non-trivial improvement for general access structures in the standard setting.

In the case of k-threshold access structures, we do not know if our scheme is tight. Specifically, for $k>2$, using our scheme to implement a standard secret sharing scheme for k-out-of-n is not tight. Indeed, the most significant term in the share size in our scheme depends linearly on $k-1$, while the best schemes in the standard setting are independent of k (see Claim 5).

Thus, one may ask whether there exists a secret sharing scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ in which the share size of the ${t}^{th}$ party is roughly $\log t$. We show that such a scheme cannot exist.

Theorem 14

(Theorem 3 restated). For any constant $c\in \mathbb N$, there is no secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is at most

$$\begin{aligned} \log {t} + \log \log t + c. \end{aligned}$$

Proof

Assume (towards contradiction) that there is a secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is at most $\log {t} + \log \log t + c$ for a constant $c\in \mathbb N$. We can use this scheme to implement a standard secret sharing scheme for $(2,n)\text {-}\textsc {thr}$ in which the share size of party $t\in [n]$ is $m_t \le \log {t} + \log \log t + c$.

We use the following claim that underlies the lower bound of Kilian and Nisan. This inequality is the same as Kraft’s (see [13, Chapter 5.2]), a fact that we use in Sect. 7.

Claim 15

([25] and [12, Appendix A]). For any $n\in \mathbb N$, in any secret sharing scheme for $(2,n)\text {-}\textsc {thr}$, it holds that

$$\begin{aligned} \sum _{t=1}^n \frac{1}{2^{m_t}} \le 1, \end{aligned}$$

where $m_t$ is the share size of the ${t}^{th}$ party.

Using this claim we get that

$$\begin{aligned} 1 \ge \sum _{t=1}^n \frac{1}{2^{m_t}} \ge \sum _{t=2}^n \frac{1}{2^{\log {t} + \log \log t + c}} = \frac{1}{2^c}\cdot \sum _{t=2}^n \frac{1}{t \cdot \log t}. \end{aligned}$$

To get a contradiction we need to show that $\sum _{t=2}^n \frac{1}{t\cdot \log t} > 2^c$ for large enough n. Indeed, letting $n\rightarrow \infty $, we have that

$$\begin{aligned} \sum _{t=2}^\infty \frac{1}{t\cdot \log t}\ge \int _{2}^{\infty } \frac{1}{t\cdot \log t}dt = \log \log t \Big |_{2}^{\infty } \rightarrow \infty . \end{aligned}$$

This completes the proof.

Remark 1

(A stronger lower bound). We note that the lower bound can be strengthened to show that even schemes in which the share size is $\sum _{t=1}^{\ell } \log ^{(i)} (t) + c$ cannot exist for any $\ell \in \mathbb N$ and where $\log ^{(i)} (t)$ is the i-times repeated $\log $ of t (letting $\log ^{(0)} (t) = t$). This follows similarly to the above argument noting that for every $\ell \in \mathbb N_0$ it holds that $\int _1 ^{\infty } \frac{1}{\prod _{i=0}^{\ell } \log ^{(i)} (t)}dt = \log ^{(\ell +1)} t$ and using that $\log ^{(\ell +1)} t \ge 2^c$ for any constant $c\in \mathbb N$ and large enough t.

This is reminiscent of bounds in the literature on prefix codes [7, 18]. This is not surprising given the equivalence (in terms of complexity) between prefix codes and secret sharing for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structures developed in Sect. 7.

7 The Equivalence Between Evolving 2-Threshold and Prefix Codes

We now show the very tight connection between schemes for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure and prefix codes.

Theorem 16

(Theorem 4 restated). Let $\sigma :\mathbb N\rightarrow \mathbb N$. A prefix code for the integers in which the length of the ${t}^{th}$ codeword is $\sigma (t)$ exists if and only if a secret sharing scheme for the evolving 2-threshold access structure and 1-bit secret in which the share size of the ${t}^{th}$ party is $\sigma (t)$.

Proof of the “if” Part of Theorem 16 . Kraft’s inequality (see [13, Theorem 5.2.2]) gives a necessary and sufficient condition for the existence of a prefix code for a given set of codeword lengths. The proof of the sufficient direction is constructive: given the collection of lengths of codewords it is possible to construct the code. Furthermore, we do not need to know the collection of lengths in advance, i.e. we can create the code on the fly, as long as the demand ($\sum _{t} \frac{1}{2^{m_t}}$) does not exceed 1. This inequality is the same as the one given in Claim 15 that must be satisfied by any secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure. Thus, any secret sharing scheme for the $\text {evolving}\text { }2\text {-}\textsc {thr}$ access structure in which the share size of the ${t}^{th}$ party is $\sigma (t)$, implies the existence of a prefix code in which the length of the ${t}^{th}$ codeword is $\sigma (t)$. $\blacksquare $

Proof of the “only if” Part of Theorem 16 . Let $\varSigma :\mathbb N\rightarrow \{ 0,1 \}^*$ be a prefix code for the integers. That is, for any $t_1,t_2 \in \mathbb N$ such that $t_1 \ne t_2$, it holds that $\varSigma (t_1)$ is not a prefix of $\varSigma (t_2)$. For $t\in \mathbb N$ denote by $\sigma (t)$ the length of the codeword $\varSigma (t)$.

The Scheme. Let $s\in \{ 0,1 \}$ be the secret to be shared. Let w be an infinite random binary string. The dealer generates the string as needed: at time $t\in \mathbb N$ the dealer holds the prefix of length $\sigma (t)$ of the string w, denoted by $w_{[\sigma (t)]}$ (for simplicity we assume that $\sigma (t)$ is monotonically increasing, but this is not necessary). The share of party t is a string $u_t$ such that:

1.
If $s = 0$, then $u_t=w_{[\sigma (t)]}$.
2.
If $s = 1$, then $u_t=\varSigma (t) \oplus w_{[\sigma (t)]}$ (bit-wise XOR).

Reconstruction. Any two different parties $t_1$ and $t_2$, holding shares $u_1$ and $u_2$, respectively, where $|u_1| \le |u_2|$, should check if $u_1$ is a prefix of $u_2$. If it is a prefix, then they output $s=0$ and otherwise, they output $s=1$.

Correctness and Security. If $s=0$, then since $u_1$ and $u_2$ are both prefixes of the same string w it holds that $u_1$ is a prefix of $u_2$. On the other hand, if $s=1$ then $u_1=\varSigma (t_1) \oplus w_{[\sigma (t_1)]}$ and $u_2=\varSigma (t_2) \oplus w_{[\sigma (t_2)]}$, where $w_{[\sigma (t_1)]}$ is a prefix of $w_{[\sigma (t_2)]}$. Since $\varSigma $ is a prefix code, $\varSigma (t_1)$ is not a prefix of $\varSigma (t_2)$, and thus $u_1$ is not a prefix of $u_2$.

Security follows since for both $s=0$ and for $s=1$ each single party t holds a single string $u_t$ which is uniformly distributed over $\{ 0,1 \}^{\sigma (t)}$. In case $s=0$ this is true by construction, and in case $s=1$ this is true since all the party sees is the codeword $\varSigma (t)$ XORed with $w_{[\sigma (t)]}$ which is uniform.

Share Size. The share size of the ${t}^{th}$ player in this scheme is $\sigma (t)$. Using the best constructions of prefix codes [7, 18], we get the share size of Theorem 8.

Generalization to Larger Domains of Secrets. One can support sharing of longer secrets by sharing every bit independently. Our direct construction presented in Sect. 4 is more efficient for sharing longer secrets (see Sect. 4.1 for more details). $\blacksquare $

Efficiency Preservation. Note that the transformation from the prefix code to secret sharing preserves the efficiency of the code, i.e. dealing a share to party t is as easy as computing $\varSigma (t)$. However, the other direction, with the construction based on Kraft’s inequality, does not preserve the efficiency. That is, we cannot say that encoding the number t, i.e. computing $\varSigma (t)$, is as easy as dealing a secret to party t.

8 Further Work and Open Problems

This work suggests several research directions. The most evident one is to investigate the necessity of the linear dependence on k in the most significant term in our scheme for the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure. In particular, are more algebraic-oriented constructions possible?

There are several interesting access structures for which we do not have efficient constructions. For example, a very natural evolving access structure is the one in which qualified subsets are the ones which form a majority of the present parties at some point in time. The only scheme that realized this access structure we are aware of stems from our construction for general access structures from Sect. 3 which results with very long shares.

When $k=2$, we show a tight connection between evolving secret sharing and prefix codes (see Sect. 7). Is there a generalization of prefix codes that is related to the $\text {evolving}\text { }k\text {-}\textsc {thr}$ access structure for $k > 2$?

Secret sharing has had many applications in cryptography and distributed computing. One of the most notable examples is multi-party computation (MPC). Can secret sharing for evolving access structures be useful for MPC?

We focused on schemes in which correctness and security are perfect. One can relax correctness to work with high probability and to allow small statistical error in security. Can these relaxations be used to obtain more interesting and efficient schemes? Another variant of secret sharing schemes is the computational one. In these schemes security is required only against computationally bounded adversaries. Efficient computational schemes for much richer classes of access structures are known [27, 28, 32, 35]. Is there a meaningful way to define computationally secure secret sharing schemes for evolving access structures? Can this be used to obtain efficient schemes for more classes of evolving access structures? Cachin [11] studied a similar question in a model in which there is a large public bulletin board.

Other natural variants of secret sharing can be adapted to the evolving setting. For example, verifiable, robust and visual secret sharing. We leave these as interesting directions for future exploration.

Notes

1.
But see the work of Csirmaz and Tardos [15] discussed below.
2.
See Sects. 4 and 5 for efficient generalizations that support larger domains of secrets.
3.
Even though we can make our construction a monotone formula, our final construction is not phrased as a formula since we want to optimize share size. To exemplify this gap notice that the secret sharing scheme that results from the best formula for k-threshold on n parties has share size $\mathsf {poly(k)}\cdot \log n$ [10, 19], while the scheme of Shamir has size roughly $\log n$, independently of k.
4.
Schemes in which the share size is equal to the secret size are known as ideal secret sharing schemes.
5.
Recall the definition of a restriction from Definition 3.
6.
This means that the share size is bounded, which is almost always the case. An exception is the scheme (for rational secret sharing) of Kol and Naor [26] in which the share size does not have a fixed upper bound.
7.
As mentioned, our construction actually works in the setting where $\mathcal A_t$ itself is chosen at time t (and it is not known at any time $t'<t$).
8.
Alternatively, we can use the construction of [15] (see Sect. 1.3) which gives the ${t}^{th}$ party a share of size t.
9.
Shamir’s scheme for $(k,n)\text {-}\textsc {thr}$ results with shares of size roughly $\log n$. In particular, independent of k.

References

Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution. Ph.D. thesis, Technion - Israel Institute of Technology (1996). http://www.cs.bgu.ac.il/beimel/Papers/thesis.ps
Beimel, A.: Secret-sharing schemes: a survey. In: Chee, Y.M., Guo, Z., Ling, S., Shao, F., Tang, Y., Wang, H., Xing, C. (eds.) IWCC 2011. LNCS, vol. 6639, pp. 11–46. Springer, Heidelberg (2011)
Chapter Google Scholar
Beimel, A., Ishai, Y.: On the power of nonlinear secrect-sharing. In: 16th Annual IEEE Conference on Computational Complexity, CCC, pp. 188–202 (2001)
Google Scholar
Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computation (extended abstract). In: STOC, pp. 1–10 (1988)
Google Scholar
Benaloh, J.C., Leichter, J.: Generalized secret sharing and monotone functions. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 27–35. Springer, Heidelberg (1990)
Google Scholar
Benaloh, J.C., Rudich, S.: Unpublished, private Communication with Steven Rudich. (1989)
Google Scholar
Bentley, J.L., Yao, A.C.: An almost optimal algorithm for unbounded searching. Inf. Process. Lett. 5(3), 82–87 (1976)
Article MathSciNet MATH Google Scholar
Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the AFIPS National Computer Conference, vol. 22, pp. 313–317 (1979)
Google Scholar
Bogdanov, A., Guo, S., Komargodski, I.: Threshold secret sharing requires a linear size alphabet. Electronic Colloquium on Computational Complexity (ECCC) 23, 131 (2016). http://eccc.hpi-web.de/report/2016/131, to appear in TCC 2016B
Boppana, R.B.: Threshold functions and bounded depth monotone circuits. J. Comput. Syst. Sci. 32(2), 222–229 (1986)
Article MathSciNet MATH Google Scholar
Cachin, C.: On-line secret sharing. In: Boyd, C. (ed.) Cryptography and Coding 1995. LNCS, vol. 1025, pp. 190–198. Springer, Heidelberg (1995)
Chapter Google Scholar
Pueyo, C.I., Cramer, R., Xing, C.: Bounds on the threshold gap in secret sharing and its applications. IEEE Trans. Inf. Theory 59(9), 5600–5612 (2013)
Article MathSciNet Google Scholar
Cover, T.M., Thomas, J.A.: Elements of Information Theory, 2nd edn. Wiley, New York (2006)
MATH Google Scholar
Cramer, R., Damgård, I.B., Maurer, U.M.: General secure multi-party computation from any linear secret-sharing scheme. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 316–334. Springer, Heidelberg (2000)
Chapter Google Scholar
Csirmaz, L., Tardos, G.: On-line secret sharing. Des. Codes Crypt. 63(1), 127–147 (2012)
Article MathSciNet MATH Google Scholar
Dodis, Y., Patrascu, M., Thorup, M.: Changing base without losing space. In: STOC, pp. 593–602 (2010)
Google Scholar
Elias, P.: Universal codeword sets and representations of the integers. IEEE Trans. Inf. Theory 21(2), 194–203 (1975)
Article MathSciNet MATH Google Scholar
Even, S., Rodeh, M.: Economical encoding of commas between strings. Commun. ACM 21(4), 315–317 (1978)
Article MathSciNet MATH Google Scholar
Friedman, J.: Constructing ${O}(n \log n)$ size monotone formulae for the $k$-th threshold function of $n$ boolean variables. SIAM J. Comput. 15(3), 641–654 (1986)
Article MathSciNet MATH Google Scholar
Geographic, N.: NASA declares end to deep impact comet mission. http://news.nationalgeographic.com/news/2013/09/130920-deep-impact-ends-comet-mission-nasa-jpl/. Acccessed 07 Feb 2016
Herzberg, A., Jarecki, S., Krawczyk, H., Yung, M.: Proactive secret sharing or: how to cope with perpetual leakage. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 339–352. Springer, Heidelberg (1995)
Google Scholar
Ito, M., Saito, A., Nishizeki, T.: Multiple assignment scheme for sharing secret. J. Cryptol. 6(1), 15–20 (1993)
Article MathSciNet MATH Google Scholar
Kannan, S., Naor, M., Rudich, S.: Implicit representation of graphs. SIAM J. Discrete Math. 5(4), 596–603 (1992)
Article MathSciNet MATH Google Scholar
Karchmer, M., Wigderson, A.: On span programs. In: 8th Annual Structure in Complexity Theory Conference, pp. 102–111 (1993)
Google Scholar
Kilian, J., Nisan, N.: Unpublished (1990). see [12]
Google Scholar
Kol, G., Naor, M.: Games for exchanging information. In: STOC, pp. 423–432 (2008)
Google Scholar
Komargodski, I., Naor, M., Yogev, E.: Secret-sharing for NP. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 254–273. Springer, Heidelberg (2014)
Google Scholar
Krawczyk, H.: Secret sharing made short. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 136–146. Springer, Heidelberg (1994)
Google Scholar
Malkin, T., Micciancio, D., Miner, S.K.: Efficient generic forward-secure signatures with an unbounded number of time periods. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 400–417. Springer, Heidelberg (2002)
Chapter Google Scholar
Pagh, R., Segev, G., Wieder, U.: How to approximate a set without knowing its size in advance. In: 54th Annual IEEE Symposium on Foundations of Computer Science, FOCS, pp. 80–89 (2013)
Google Scholar
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Article MathSciNet MATH Google Scholar
Vinod, V., Narayanan, A., Srinathan, K., Pandu Rangan, C., Kim, K.: On the power of computational secret sharing. In: Johansson, T., Maitra, S. (eds.) INDOCRYPT 2003. LNCS, vol. 2904, pp. 162–176. Springer, Heidelberg (2003)
Chapter Google Scholar
Wikipedia: IPv4 address exhaustion. https://en.wikipedia.org/wiki/IPv4_address_exhaustion. Acccessed 07 Feb 2016
Wikipedia: Year 2000 problem. https://en.wikipedia.org/wiki/Year_2000_problem. Acccessed 07 Feb 2016
Yao, A.C.: Unpublished, mentioned in [2]. See also [32]
Google Scholar

Download references

Author information

Authors and Affiliations

Weizmann Institute of Science, Rehovot, Israel
Ilan Komargodski, Moni Naor & Eylon Yogev

Authors

Ilan Komargodski
View author publications
You can also search for this author in PubMed Google Scholar
Moni Naor
View author publications
You can also search for this author in PubMed Google Scholar
Eylon Yogev
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ilan Komargodski .

Editor information

Editors and Affiliations

Department of Computer Science, ETH Zurich, Zurich, Switzerland
Martin Hirt
Pennsylvania State University , University Park, Pennsylvania, USA
Adam Smith

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Komargodski, I., Naor, M., Yogev, E. (2016). How to Share a Secret, Infinitely. In: Hirt, M., Smith, A. (eds) Theory of Cryptography. TCC 2016. Lecture Notes in Computer Science(), vol 9986. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53644-5_19

Download citation

DOI: https://doi.org/10.1007/978-3-662-53644-5_19
Published: 21 October 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53643-8
Online ISBN: 978-3-662-53644-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

How to Share a Secret, Infinitely

Abstract

Similar content being viewed by others

Secret Sharing Lower Bound: Either Reconstruction is Hard or Shares are Long

Quadratic Secret Sharing and Conditional Disclosure of Secrets

Improved Polynomial Secret-Sharing Schemes

1 Introduction

Theorem 1

Theorem 2

Theorem 3

Theorem 4

1.1 Discussion

1.2 Related Work

1.3 Overview of Our Constructions and Techniques

2 Model and Definitions

Definition 1

Definition 2

Claim 5

2.1 Secret Sharing for Evolving Access Structures

Definition 3

Claim 6

Proof

Definition 4

Definition 5

Definition 6

2.2 Warm-Up: Undirected s-t-Connectivity

3 A Scheme for General Evolving Access Structures

Theorem 7

Proof of Theorem

3.1 Efficiency Improvements

4 An Efficient Scheme for Evolving 2-Threshold

Theorem 8

Lemma 1

Proof of Theorem

Proof of Lemma

4.1 Generalization to Larger Domains of Secrets

5 A Scheme for Evolving \(\varvec{k}\)-Threshold

Theorem 9

Lemma 2

5.1 The Basic Scheme for Evolving \(\varvec{k}\)-Threshold

Lemma 3

Claim 10

Proof

Proof of Lemma

Claim 11

Proof

Claim 12

Proof

5.2 Recursive Composition: Proof of Lemma 2

Claim 13

Proof

5.3 Proof of Theorem 9 Assuming Lemma 2

5.4 Generalization to Larger Domains of Secrets

5.5 Linearity of the Scheme

6 A Lower Bound

Theorem 14

Proof

Claim 15

Remark 1

7 The Equivalence Between Evolving 2-Threshold and Prefix Codes

Theorem 16

8 Further Work and Open Problems

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation