Improved Universal Thresholdizer from Iterative Shamir Secret Sharing

Abstract

The universal thresholdizer, introduced at CRYPTO’18, is a cryptographic scheme that transforms any cryptosystem into a threshold variant, thereby enhancing its applicability in threshold cryptography. It enables black-box construction of one-round threshold signature schemes based on the Learning with Errors problem, and similarly, facilitates one-round threshold ciphertext-attack secure public-key encryption when integrated with non-threshold schemes. Current constructions of universal thresholdizer are fundamentally built upon linear secret sharing schemes. One approach employs Shamir secret sharing, which lacks compactness and results in ciphertext sizes of \(O(N \log N)\), where N is the number of parties involved in the threshold system, and another approach uses the \(\{0,1\}\)-linear secret sharing scheme (\(\{0,1\}\)-LSSS), which is compact but induces high communication costs due to requiring \(O(N^{5.3})\) secret shares. In this work, we introduce a communication-efficient universal thresholdizer by revising the linear secret sharing scheme. We propose a specialized linear secret sharing scheme, called TreeSSS, which reduces the number of required secret shares to \(O(N^{3+o(1)})\) while maintaining the compactness of the universal thresholdizer. TreeSSS can also serve as a subroutine for constructing lattice-based t-out-of-N threshold cryptographic primitives such as threshold fully homomorphic encryptions and threshold signatures. In this context, TreeSSS offers the advantage of lower communication overhead due to the reduced number of secret shares involved.

Appendices

About Approximation

We first introduce a useful inequalities to provide an approximation that we used. According to [22], \(c_s\) is bounded by

$$\begin{aligned} \frac{1}{\sqrt{\pi }}\cdot \frac{2s-1}{\sqrt{s-1/2}}< \frac{2s-1}{4^{s-1}}\cdot \left( {\begin{array}{c}2s-2\\ s-1\end{array}}\right) < \frac{1}{\sqrt{\pi }}\cdot \frac{2s-1}{\sqrt{s-1}} \end{aligned}$$

Then, we have the following series of inequalities. From an upper bound of \(c_s\), we get

$$\begin{aligned} \log _{c_s} (2s-1) + \log _s (2s-1)&\le \log _{2\sqrt{\frac{{s-1/2}}{\pi }}}(2s-1)+\log _s (2s) \end{aligned}$$

Since \(2s - 1\) is represented by \(\sqrt{\frac{s-1/2}{\pi }}^2 \cdot \frac{\pi }{2}\) and \(\log _s (2s) = 1 + \log _s 2\), the right-hand side is represented by

$$\begin{aligned} 2 + \log _{2\sqrt{\frac{{s-1/2}}{\pi }}}(\pi /2) + (1+\log _s 2). \end{aligned}$$

Since we only consider \(s \ge 2\), it holds that \(\frac{(s-1/2)}{\pi } \ge s/4\), which implies

$$\begin{aligned} 2\sqrt{\frac{{s-1/2}}{\pi }} \ge \sqrt{s}. \end{aligned}$$

Thus, we have

$$\begin{aligned} 2 + \log _{2\sqrt{\frac{{s-1/2}}{\pi }}}(\pi /2) + (1+\log _s 2) \le \log _{\sqrt{s}}(\pi /2) + 3 + \frac{1}{\log s}. \end{aligned}$$

Last, using \(\log \frac{\pi }{2} = 0.65149612947\), we have

$$\begin{aligned} \log _{\sqrt{s}}(\pi /2) + 3 + \frac{1}{\log s}&\le \frac{1.30299}{\log s} + 3 + \frac{1}{\log s} \\&\le 3 + \frac{2.30299}{\log s}. \end{aligned}$$

Consequently, we have

$$\begin{aligned} \frac{1}{\sqrt{\pi }}\cdot \frac{2s-1}{\sqrt{s-1/2}} \le 3 + \frac{2.30299}{\log s} \end{aligned}$$

Observation of \(\{0,1\}\)-LSSS with [53] construction

\(\{ {0,1} \}\)-LSSS is a family of linear secret sharing schemes that utilizes binary coefficients to recover the shared secret from secret shares, as defined in [14]. The use of monotone Boolean formulas [43] was proposed as an instantiation of \(\{ {0,1} \}\)-LSSS. However, the polynomial-sized expression of threshold functions was proven by Valiant and Goldreich [35, 53]. Recently, [40] proposed using a folklore algorithm to demonstrate that monotone Boolean formulas are a part of \(\{ {0,1} \}\)-LSSS. We briefly summarize the construction of threshold functions.

We focus on a threshold function with N/2-out-of-N parties, where N is even, for simplicity. Let \(\varphi \) be a level-0 formula which takes N bit-strings as input and returns one of the i-th input bits with some probability, where i is randomly chosen, or returns 0. For each \(i \ge 1\), the level-\((i+1)\) formula is defined as \(\varphi = (\varphi _1 \wedge \varphi _2)\vee (\varphi _3 \wedge \varphi _4)\), with \(\varphi _1,\varphi _2,\varphi _3,\varphi _4\) randomly selected from a family of level-i formulas. Note that to maintain independence, the level-i formulas will not be duplicated.

In classic works [35, 53], it was proved that with \(O(N^{5.3})\) level-0 formulas, a N/2-out-of-N threshold function can be expressed with a level-t formula with non-negligible probability, where \(t = O(\log N)\). Building upon this result, [40] showed that this level-t formula can be converted into a \(\{ {0,1} \}\)-LSSS for threshold functions.

To share a secret key \({\textsf {sk}} \in {{\mathbb {Z}}}_q\), \(\{ {0,1} \}\)-LSSS constructs a matrix \(\textbf{M}\in {{\mathbb {Z}}}_q^{\ell \times m}\), called the share matrix, with \(m,\ell \gg N\), and distributes a subset of \(\{ {w_i} \}_{i \in [\ell ]}\) to each party. The vector \(\textbf{w}= (w_i) = \textbf{M}\cdot (\textsf {sk}, r_2,\ldots , r_m)^T\) is computed using randomly sampled \(r_i \leftarrow {{\mathbb {Z}}}_q\). The size of \(\ell \) is equal to the size of level-t formula, \(O(N^{5.3})\), and m is one more than the number of AND gates in level-t formula. This results in a total of \(O(N^{5.3})\) secret shares. \(\{ {0,1} \}\)-LSSS for threshold functions in [40] is constructed as follows:

1. 1.

   Consider level-0 formulas \(\varphi _i\), where \(i \in [O(N^{5.3})]\).

2. 2.

   Create a level-\((i+1)\) formula \(\varphi \) by combining \(\varphi _1 \wedge \varphi _2\) and \(\varphi _3 \wedge \varphi _4\) through an OR operation, where \(\varphi _1,\varphi _2,\varphi _3,\varphi _4\) are randomly selected level-i formulas.

3. 3.

   Repeat the process until i reaches t, which results in a level-t formula that is equivalent to the N/2-out-of-N threshold function with non-negligible probability.

4. 4.

   Use the folklore algorithm to convert the level-t formula into a share matrix \(\textbf{M}\).

Note that throughout this paper, the folklore algorithm is considered a black-box method that converts circuits consisting of only AND and OR gates into matrices, except for this section. For more insightful discussion on the algorithm, please refer to [14, 40] (Fig. 4).

Fig. 4

Folklore Algorithm in [40]

1.1 Regarding \(\{ {0,1} \}\)-LSSS as Iterations of Matrices

supp]subsec: revisit

We reinterpret a secret sharing algorithm for threshold functions by utilizing the iterative steps of Boolean formula construction described in [53]. This allows us to construct a share matrix \(\textbf{M}\) through iterative matrix multiplications.

[53] proves that the threshold circuit is an iterative construction of the Boolean monotone formulas: For i, the level-\((i+1)\) formula \(\varphi ^{(i+1)}\) is generated from four level-i formulas, \(\varphi _1^{(i)},\varphi _2^{(i)},\varphi _3^{(i)}\) and \(\varphi _4^{(i)}\). Specifically, \(\varphi ^{(i+1)} = (\varphi ^{(i)}_1 \wedge \varphi ^{(i)}_2)\vee (\varphi ^{(i)}_3 \wedge \varphi ^{(i)}_4)\).

We first claim that the relation between \(\varphi ^{(i+1)}\) and \(\{ {\varphi _j^{(i)}} \}_{j\in \{ {1,2,3,4} \}}\) can be represented as a binary tree of depth 2, as in the structure shown in Fig. 5. Since this binary tree is composed of AND and OR gates, we can directly apply the folklore algorithm to the tree. As a result, there exists a small matrix \(\textbf{D}\) that corresponds to this binary tree, with the leaf nodes being \(\{ {\varphi _j^{(i)}} \}_{j\in \{ {1,2,3,4} \}}\). Here, \(\textbf{D}\) is defined by

$$\begin{aligned} \textbf{D}= \begin{bmatrix} 1 & \quad 1 \\ 1 & \quad 1 \\ 0 & \quad -1 \\ 0 & \quad -1 \end{bmatrix} \in {{\mathbb {Z}}}_q^{4 \times 2}. \end{aligned}$$

Fig. 5

Boolean formula corresponds to secret share

Furthermore, the correspondence between the binary tree and the matrix is established through the relationship

$$\begin{aligned} \begin{bmatrix} \textsf {sk}_{\varphi ^{(i)}_1} \\ \textsf {sk}_{\varphi ^{(i)}_2} \\ \textsf {sk}_{\varphi ^{(i)}_3} \\ \textsf {sk}_{\varphi ^{(i)}_4} \end{bmatrix} = \textbf{D}\cdot \begin{bmatrix} \textsf {sk}_{\varphi ^{(i+1)}} \\ r \end{bmatrix} \end{aligned}$$

where \(r \in {{\mathbb {Z}}}_q\) is a random integer. Thus, the operation \(\varphi ^{(i+1)} = (\varphi ^{(i)}_1 \wedge \varphi ^{(i)}_2)\vee (\varphi ^{(i)}_3 \wedge \varphi ^{(i)}_4)\) can be viewed as a matrix multiplication with \(\textbf{D}\). Similarly, the representation of the formula \(\varphi ^{(i+1)}\) from 16 \(\varphi ^{(i-1)}\) formulas can be represented as a matrix \(\textbf{I}_4 \otimes \textbf{D}\in {{\mathbb {Z}}}^{16 \times 8}\), where \(\textbf{I}_4\) is the 4-dimensional identity matrix. Consequently, there is a matrix \(\textbf{M}\) which corresponds to circuit representations of level-t formula \(\varphi ^{(t)}\) from level-0 \(\varphi ^{(0)}\) formulas.

By the mathematical induction, we obtain a share matrix \(\textbf{M}\) of \(\{ {0,1} \}\)-LSSS.⁸ Furthermore, \(\textsf {Share}\) algorithm of \(\{ {0,1} \}\)-LSSS is regarded by computing \(\textbf{M}\cdot \textbf{v}\) for some \(\textbf{v}\).