Abstract
Robust secret sharing enables the reconstruction of a secret-shared message in the presence of up to t (out of n) incorrect shares. The most challenging case is when \(n = 2t+1\), which is the largest t for which the task is still possible, up to a small error probability \(2^{-\kappa }\) and with some overhead in the share size.
Recently, Bishop, Pastro, Rajaraman and Wichs [3] proposed a scheme with an (almost) optimal overhead of \(\widetilde{O}(\kappa )\). This seems to answer the open question posed by Cevallos et al. [6], who proposed a scheme with overhead \(\widetilde{O}(n+\kappa )\) and asked whether the linear dependency on n was necessary or not. However, a subtle issue with Bishop et al.’s solution is that it (implicitly) assumes a non-rushing adversary, and thus it satisfies a weaker notion of security compared to the scheme by Cevallos et al. [6], or to the classical scheme by Rabin and Ben-Or [13].
In this work, we almost close this gap. We propose a new robust secret sharing scheme that offers full security against a rushing adversary, and that has an overhead of \(O(\kappa n^\varepsilon )\), where \(\varepsilon > 0\) is arbitrary but fixed. This \(n^\varepsilon \)-factor is obviously worse than the \(\mathrm {polylog}(n)\)-factor hidden in the \(\widetilde{O}\) notation of the scheme of Bishop et al. [3], but it greatly improves on the linear dependency on n of the best known scheme that features security against a rushing adversary (when \(\kappa \) is substantially smaller than n).
A small variation of our scheme has the same \(\widetilde{O}(\kappa )\) overhead as the scheme of Bishop et al. and achieves security against a rushing adversary, but suffers from a (slightly) superpolynomial reconstruction complexity.
Notes
1.
2. One might feel uncomfortable about the apparent circularity here; but it turns out that this is no issue.
3. The actual scheme is significantly more involved than the simplified exposition given here: e.g., the identities of the parties that \(P_j\) can verify are authenticated as well, and the authentication tags are not stored “locally” but in a “robust and distributed” manner; but the issue pointed out here remains.
4. This may look artificial at first glance, but one motivation comes from the fact that in some applications one might want to do the reconstruction among the parties, where each party individually plays the role of R (and performs the local computation that the reconstruction protocol prescribes). In this case, every party sends his share to every other party, and thus the corrupt parties unavoidably get to see the shares of the honest parties and can choose the incorrect shares depending on those.
5. On the other hand, this is why the additional privacy property of the MAC is necessary: the robust distributed storage does not offer privacy, and thus the tags are (potentially) known.
6. This is for the privacy purpose.
7. The crucial point here is that \(H_i\) is determined by the \(E_j\)’s with \(j \in H_{i-1}\) only.
8. The size of \(H_{i-1}\) is negligible compared to that of \(H_i\); indeed, \(|H_i| = \varOmega (d|H_{i-1}|)\) and thus \(|H_i \setminus H_{i-1}| = (1-o(1))|H_i|\). So, we may ignore the difference between \(H_i\) and \(H'_i\).
9. Here, we hide the \(\mathrm{poly}(\log \log n)\) factor in \(\widetilde{O}(\cdot )\).
References
Auger, A., Doerr, B.: Theory of Randomized Search Heuristics. World Scientific, Singapore (2011)
Bishop, A., Pastro, V.: Robust secret sharing schemes against local adversaries. In: Cheng, C.-M., Chung, K.-M., Persiano, G., Yang, B.-Y. (eds.) PKC 2016. LNCS, vol. 9615, pp. 327–356. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49387-8_13
Bishop, A., Pastro, V., Rajaraman, R., Wichs, D.: Essentially optimal robust secret sharing with maximal corruptions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 58–86. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_3
Blakley, G.R.: Safeguarding cryptographic keys. In: International Workshop on Managing Requirements Knowledge, AFIPS, pp. 313–317, November 1979
Carpentieri, M., De Santis, A., Vaccaro, U.: Size of shares and probability of cheating in threshold schemes. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 118–125. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48285-7_10
Cevallos, A., Fehr, S., Ostrovsky, R., Rabani, Y.: Unconditionally-secure robust secret sharing with compact shares. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 195–208. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_13
Cheraghchi, M.: Nearly optimal robust secret sharing. In: 2016 IEEE International Symposium on Information Theory, ISIT, pp. 2509–2513, July 2016
Cramer, R., Damgård, I., Fehr, S.: On the cost of reconstructing a secret, or VSS with optimal reconstruction phase. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 503–523. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_30
Cramer, R., Damgård, I.B., Döttling, N., Fehr, S., Spini, G.: Linear secret sharing schemes from error correcting codes and universal hash functions. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 313–336. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_11
Guruswami, V., Rudra, A.: Explicit codes achieving list decoding capacity: error-correction with optimal redundancy. IEEE Trans. Inf. Theory 54(1), 135–150 (2008)
Hemenway, B., Ostrovsky, R.: Efficient robust secret sharing from expander graphs. Cryptogr. Commun. 10(1), 79–99 (2018)
Kopparty, S., Ron-Zewi, N., Saraf, S., Wootters, M.: Improved decoding of folded Reed-Solomon and multiplicity codes. Electron. Colloq. Comput. Complex. (ECCC) 25, 91 (2018)
Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority (extended abstract). In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, Washington, USA, 14–17 May 1989, pp. 73–85 (1989)
Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)
Acknowledgements
CY was partially supported by the European Union Horizon 2020 research and innovation programme under grant agreement No. 74079 (ALGSTRONGCRYPTO) and the National Research Foundation, Prime Minister’s Office, Singapore, under its Strategic Capability Research Centres Funding Initiative.
A Appendix
A.1 Folded Reed-Solomon Codes
Instead of using Reed-Solomon codes to share our secret, our robust secret sharing scheme encodes the secret with a folded Reed-Solomon code. Since folded Reed-Solomon codes are MDS codes, they are eligible candidates for a threshold secret sharing scheme. Moreover, the folded Reed-Solomon codes, first introduced by Guruswami and Rudra [10], can be list decoded up to a \(1-R-\gamma \) fraction of errors for any constant \(\gamma \). This additional property allows us to divide our reconstruction scheme into two scenarios, one with a small number of passive parties and one with a large number. Let us first recall the formal definition of folded Reed-Solomon codes.
Let q be a prime power, \(n+1\le \frac{q-1}{s}\) and \(\beta \) be a primitive element of \(\mathbb {F}_q\). The folded Reed-Solomon code \(\mathsf {FRS}_{q,s}(n+1,d)\) is a code over \(\mathbb {F}_q^s\). To every polynomial \(P(X)\in \mathbb {F}_q[X]\) of degree at most d, the encoding algorithm goes as follows:
It is easy to verify that \(\mathsf {FRS}_{q,s}(n+1,d)\) is an \(\mathbb {F}_q\)-linear code with code length \(n+1\), rate \(\frac{d+1}{(n+1)s}\) and distance at least \((n+1)-\lfloor \frac{d}{s}\rfloor \). The folded Reed-Solomon code is an MDS code when \(d+1\) is divisible by s. In our robust secret sharing scheme, we set \(n=2t+1\) and \(d+1=(t+1)s\). For every secret \(\mathbf{s}\in \mathbb {F}_q^s\), we choose a polynomial P(X) of degree at most d uniformly at random such that \(\mathbf{s}=(P(\beta ), P(\beta ^2),\ldots , P(\beta ^{s-1}))\). Party i receives the \((i+1)\)-th component of \(\mathbf{c}_P\). It is easy to verify that this scheme is a threshold secret sharing scheme with t-privacy and \((t+1)\)-reconstruction. Moreover, if we write the n shares as
Then it becomes a classical Reed-Solomon code with length ns, dimension \((t+1)s\) and distance \((n-(t+1))s+1\). We will use this fact in our robust secret sharing scheme.
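The following worked example, added here and not code from the paper, carries out the folded Reed-Solomon sharing of A.1 over a small prime field: it embeds the secret in a random polynomial of degree at most \(d\) with \(d+1=(t+1)s\), hands party \(i\) the \((i+1)\)-th folded component, reconstructs from any \(t+1\) shares, and checks that the unfolded shares lie on one Reed-Solomon codeword of length \(ns\) and dimension \((t+1)s\). Two points are assumptions because the page does not display them: the folding itself follows the Guruswami–Rudra convention, component \(j\) of \(\mathbf{c}_P\) being \((P(\beta ^{js}),\ldots ,P(\beta ^{js+s-1}))\) for \(j=0,\ldots ,n\), and the secret is taken to occupy component 0, i.e. the evaluations at \(\beta ^0,\ldots ,\beta ^{s-1}\). The field size, \(s\), \(t\) and the sample secret are constructed values.

```python
"""Folded Reed-Solomon secret sharing over GF(p), as a worked example of Appendix A.1.
Added example; not the paper's own code. Folding order and the placement of the secret
in component 0 are assumptions (see lead-in); p, beta, s, t are constructed sample values."""
import random

p = 31               # constructed sample prime field GF(31)
beta = 3             # 3 is a primitive element of GF(31): its multiplicative order is 30
s = 2                # folding parameter
t = 2                # corruption threshold
n = 2 * t + 1        # n = 2t + 1 parties
d = (t + 1) * s - 1  # degree bound, d + 1 = (t+1)s
# Condition n+1 <= (q-1)/s from the definition: the (n+1)s points beta^0..beta^{(n+1)s-1} are distinct.
assert n + 1 <= (p - 1) // s


def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the given
    (x_i, y_i) pairs, over GF(p); the x_i must be pairwise distinct."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def frs_share(secret, seed=None):
    """Return {party: share} for parties 1..n; each share is a tuple in GF(p)^s."""
    assert len(secret) == s
    rng = random.Random(seed)
    # Pin P at beta^0..beta^{s-1} to the secret (assumed component 0) and choose the other
    # d+1-s = t*s values uniformly; this yields a uniformly random P of degree <= d with the
    # prescribed secret, because d+1 evaluations determine P.
    pts = [(pow(beta, k, p), secret[k]) for k in range(s)]
    pts += [(pow(beta, k, p), rng.randrange(p)) for k in range(s, d + 1)]
    # Component j of the folded codeword is (P(beta^{js}), ..., P(beta^{js+s-1})); party j gets it.
    return {j: tuple(lagrange_eval(pts, pow(beta, j * s + k, p)) for k in range(s))
            for j in range(1, n + 1)}


def unfold(shares):
    """Write the given shares out element by element: a vector of evaluations of P at
    consecutive powers of beta, i.e. a classical Reed-Solomon codeword fragment."""
    return [(pow(beta, j * s + k, p), share[k])
            for j, share in sorted(shares.items()) for k in range(s)]


def frs_reconstruct(shares):
    """Recover the secret from any t+1 shares ({party: share}); (t+1)s = d+1 points fix P."""
    assert len(shares) >= t + 1
    pts = unfold(dict(list(shares.items())[:t + 1]))
    return tuple(lagrange_eval(pts, pow(beta, k, p)) for k in range(s))


def consistent_rs_codeword(shares):
    """True iff all unfolded share elements lie on one polynomial of degree <= d,
    i.e. they form a codeword of the length-ns, dimension-(t+1)s Reed-Solomon code."""
    pts = unfold(shares)
    base = pts[:d + 1]
    return len(pts) >= d + 1 and all(lagrange_eval(base, x) == y for x, y in pts)


if __name__ == "__main__":
    secret = (7, 19)  # constructed sample secret in GF(31)^2
    shares = frs_share(secret, seed=1)
    print("shares:", shares)
    print("from parties 1,3,5:", frs_reconstruct({i: shares[i] for i in (1, 3, 5)}))
    print("unfolded length:", len(unfold(shares)), "consistent:", consistent_rs_codeword(shares))
```

Any \(t+1\) parties supply \((t+1)s=d+1\) distinct evaluation points, which is exactly enough to interpolate \(P\) and read off the secret; \(t\) parties supply only \(ts=d+1-s\) points, so every candidate secret remains consistent with their shares, which is the \(t\)-privacy claimed above.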
Besides the MDS property, the folded Reed-Solomon codes enjoy a large list decoding radius, up to the Singleton bound, while the list size is bounded by a polynomial in q. Many works aim at reducing the list size of the folded Reed-Solomon codes. Recently, Kopparty et al. [12] proved that the list size of the folded Reed-Solomon codes is at most a constant depending only on \(\gamma \).
Theorem 12
(Theorem 3.1 of [12]). Let \(\gamma >0\) be such that \(\frac{16}{\gamma ^2}\le s\). The folded Reed-Solomon code \(\mathsf {FRS}_{q,s}(n,d)\) can be list decoded up to a fraction \(1-\frac{d}{sn}-\gamma \) of errors with list size at most \((\frac{1}{\gamma })^{\frac{1}{\gamma }\log \frac{1}{\gamma }}\). Moreover, there exists a randomized algorithm that list decodes this code with the above parameters in time poly\((\log q, s,d,n,(\frac{1}{\gamma })^{\frac{1}{\gamma }\log \frac{1}{\gamma }})\).
Remark 6
By running this polynomial-time list decoding algorithm n times and taking the union of all its outputs, with probability at least \(1-2^{-\varOmega (n)}\) we find all the codewords within relative distance \(1-\frac{d}{sn}-\gamma \) of the corrupted vector. This error probability is good enough for our robust secret sharing scheme. Compared with the approach in [10], the new algorithm runs faster and guarantees a significantly smaller list of candidates.
A.2 Proof of Theorem 2
Proof
We need to verify three conditions in Definition 3.
Privacy over Randomness: It suffices to consider the case that all \(\ell \) keys are distinct. Otherwise, we keep one key for each value and apply the argument to these distinct keys. Let \((x_1,y_1),\ldots ,(x_\ell ,y_\ell )\in \mathbb {F}^2\) be the \(\ell \) distinct keys, and let \(\sigma _i=MAC_{(x_i,y_i)}(\mathbf{m},\mathbf{r})\). For any \(\mathbf{m}\in \mathbb {F}^a\), we will show that \((\sigma _1,\ldots ,\sigma _\ell )\in \mathbb {F}^\ell \) is distributed uniformly at random. To see this, we write
where \(f_\mathbf{m}(x)= \sum _{i=1}^{a}m_ix^{i+\ell }\) and \(g_\mathbf{r}(x)=\sum _{i=1}^{\ell }r_ix^i\). For any \(\ell \)-tuple \((\sigma _1,\ldots ,\sigma _\ell )\in \mathbb {F}^\ell \), we obtain the evaluation of \(g_\mathbf{r}(x)\) at \(\ell \) points, i.e., \(g_\mathbf{r}(x_i)=\sigma _i-f_\mathbf{m}(x_i)-y_i\). Since \(g_\mathbf{r}\) is a polynomial of degree \(\ell -1\), polynomial interpolation yields a unique \(g_\mathbf{r}(x)\). This implies that for any \(\mathbf{m}\in \mathbb {F}^a\), the distribution of \((\sigma _1,\ldots ,\sigma _\ell )\) over \(\mathbf{r}\in \mathbb {F}^\ell \) is uniform.
Authentication: For \((\mathbf{m},\mathbf{r})\ne (\mathbf{m}',\mathbf{r}')\in \mathbb {F}^a\times \mathbb {F}^\ell \), \(MAC_{(x,y)}(\mathbf{m}, \mathbf{r})-MAC_{(x,y)}(\mathbf{m}', \mathbf{r}')\) is a nonzero polynomial in x of degree at most \(a+\ell \) over \(\mathbb {F}\). Thus, for any \(b\in \mathbb {F}\), the equation
has at most \((a+\ell )|\mathbb {F}|\) pairs (x, y) as its solutions. The desired result follows as \(\frac{(a+\ell )|\mathbb {F}|}{|\mathbb {F}|^2}\le \epsilon \).
Uniformity: We need to show that for any given \((\mathbf{m},\mathbf{r})\in \mathbb {F}^a\times \mathbb {F}^\ell \), the tag \(\sigma =MAC_{(x,y)}(\mathbf{m},\mathbf{r})\) is uniform over the random key \((x,y)\in \mathbb {F}^2\). Let us fix \((\mathbf{m},\mathbf{r})\). By the definition of the MAC, we have
For each \(\sigma \in \mathbb {F}\), there exist exactly q distinct keys (x, y) satisfying this equation. Thus, the tag \(\sigma \) is uniform over the random key. The desired result follows.
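To make the three properties of this proof concrete, here is an added worked example (not code from the paper) that instantiates the MAC over a small prime field and checks each property exhaustively. The page does not display the MAC's definition itself, but the identity \(g_\mathbf{r}(x_i)=\sigma _i-f_\mathbf{m}(x_i)-y_i\) above fixes it as \(MAC_{(x,y)}(\mathbf{m},\mathbf{r})=f_\mathbf{m}(x)+g_\mathbf{r}(x)+y\) with \(f_\mathbf{m}\) and \(g_\mathbf{r}\) as defined in the proof; that reading, together with the field size \(|\mathbb {F}|=101\), \(a=\ell =2\) and the sample messages and keys, is an assumption of this example. The privacy check is run with keys whose \(x\)-coordinates are pairwise distinct and nonzero, which is the condition under which the interpolation step of the proof solves for \(g_\mathbf{r}\) uniquely.

```python
"""Exhaustive check of the three MAC properties from the proof of Theorem 2 over GF(101).
Added example, not the paper's own code. Assumed MAC form (see lead-in):
    MAC_{(x,y)}(m, r) = f_m(x) + g_r(x) + y,
    f_m(x) = sum_{i=1..a} m_i x^{i+l},   g_r(x) = sum_{i=1..l} r_i x^i.
P, a, l and all sample messages/keys are constructed values."""
from collections import Counter
from itertools import product

P = 101  # constructed sample prime field GF(101); the proof writes |F| = q


def mac(key, m, r):
    """Tag of message m in F^a with randomness r in F^l under key (x, y) in F^2."""
    x, y = key
    l = len(r)
    f_m = sum(mi * pow(x, i + l, P) for i, mi in enumerate(m, start=1))  # f_m(x) = sum m_i x^{i+l}
    g_r = sum(ri * pow(x, i, P) for i, ri in enumerate(r, start=1))      # g_r(x) = sum r_i x^i
    return (f_m + g_r + y) % P


def privacy_over_randomness(m, keys):
    """Property 1: for fixed m and l distinct keys, the tag vector (sigma_1..sigma_l)
    is uniform over r in F^l, i.e. r -> (sigma_i)_i is a bijection of F^l."""
    l = len(keys)
    xs = [x for x, _ in keys]
    # The l-by-l system g_r(x_i) = sigma_i - f_m(x_i) - y_i solved in the proof is
    # invertible when the x_i are pairwise distinct and nonzero (g_r has no constant term).
    assert len(set(xs)) == l and 0 not in xs
    tags = Counter(tuple(mac(k, m, r) for k in keys) for r in product(range(P), repeat=l))
    return len(tags) == P ** l and set(tags.values()) == {1}


def forgery_key_count(m, r, m2, r2):
    """Property 2: number of keys (x, y) in F^2 on which (m2, r2) != (m, r) carries the same
    tag as (m, r). The proof bounds this by (a + l)|F|, i.e. probability (a + l)/|F|."""
    assert (tuple(m), tuple(r)) != (tuple(m2), tuple(r2))
    return sum(1 for key in product(range(P), repeat=2) if mac(key, m, r) == mac(key, m2, r2))


def forgery_bound(a, l):
    """The (a + l)|F| bound from the proof, for comparison with forgery_key_count."""
    return (a + l) * P


def uniformity(m, r):
    """Property 3: for fixed (m, r), the tag is uniform over a random key (x, y) in F^2;
    every sigma in F is hit by exactly |F| keys (one y for each x)."""
    counts = Counter(mac(key, m, r) for key in product(range(P), repeat=2))
    return len(counts) == P and set(counts.values()) == {P}


if __name__ == "__main__":
    m, r = (4, 9), (1, 2)                       # constructed sample message and randomness
    keys = [(2, 5), (3, 7)]                     # constructed sample keys, distinct nonzero x
    print("privacy over randomness:", privacy_over_randomness(m, keys))
    print("uniformity:", uniformity(m, r))
    hits = forgery_key_count(m, r, (5, 9), r)   # change one message coordinate
    print("forging keys:", hits, "of", P ** 2, "bound", forgery_bound(2, 2))
```

The forgery count is exact, not just bounded: for \(\mathbf{m}=(4,9)\) against \(\mathbf{m}'=(5,9)\) with the same \(\mathbf{r}\), the difference polynomial is \(-x^{3}\), whose only root is \(x=0\), so exactly \(|\mathbb {F}|\) keys (those with \(x=0\), any \(y\)) make the two tags collide, well inside the \((a+\ell )|\mathbb {F}|\) bound.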
Copyright information
© 2019 International Association for Cryptologic Research
Cite this paper
Fehr, S., Yuan, C. (2019). Towards Optimal Robust Secret Sharing with Security Against a Rushing Adversary. In: Ishai, Y., Rijmen, V. (eds) Advances in Cryptology – EUROCRYPT 2019. EUROCRYPT 2019. Lecture Notes in Computer Science(), vol 11478. Springer, Cham. https://doi.org/10.1007/978-3-030-17659-4_16
DOI: https://doi.org/10.1007/978-3-030-17659-4_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-17658-7
Online ISBN: 978-3-030-17659-4