### Robust Secret Sharing Schemes Against Local Adversaries

We study robust secret sharing schemes in which between one third and one half of the players are corrupted. In this scenario, robust secret sharing is possible only with a share size larger than the secrets, and allowing a positive probability of reconstructing the wrong secret. We focus on the most challenging case where the number corruptions is just one less than the number of honest players. In the standard model, it is known that at least $$m+k$$ bits per share are needed to robustly share a secret of bit-length m with an error probability of $$2^{-k}$$; however, to the best of our knowledge, no efficient scheme matches this lower bound: the one that gets closest has share size $$m+\widetilde{O}n+k$$, where n is the number of players in the scheme. We show that it is possible to obtain schemes with close to minimal share size in a model of local adversaries, i.e. in which corrupt players cannot communicate between receiving their respective honest shares and submitting corrupted shares to the reconstruction procedure, but may coordinate before the execution of the protocol and can also gather information afterwards. In this limited adversarial model, we prove a lower bound of roughly $$m+k$$ bits on the minimal share size, which is somewhat surprisingly similar to the lower bound in the standard model, where much stronger adversaries are allowed. We then present efficient scheme that essentially meets our lower bound, and has shorter share size than any known efficient construction in the standard model for the same set of parameters. For our construction, we introduce a novel procedure that compiles an error correcting code into a new randomized one, with the following two properties: a single local portion of a codeword leaks no information on the encoded message itself, and any set of portions of a codeword reconstructs the message with error probability exponentially low in the set size.

[1]  Ronald Fagin,et al.  Proceedings of the 37th Annual ACM Symposium on Theory of Computing, Baltimore, MD, USA, May 22-24, 2005 , 2005, STOC.

[2]  Alfredo De Santis,et al.  Size of Shares and Probability of Cheating in Threshold Schemes , 1993, EUROCRYPT.

[3]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.

[4]  Abhi Shelat,et al.  Collusion-Free Multiparty Computation in the Mediated Model , 2009, CRYPTO.

[5]  Tal Rabin,et al.  Verifiable secret sharing and multiparty protocols with honest majority , 1989, STOC '89.

[6]  Ivan Damgård,et al.  On the Cost of Reconstructing a Secret, or VSS with Optimal Reconstruction Phase , 2001, CRYPTO.

[8]  Rafail Ostrovsky,et al.  Unconditionally-Secure Robust Secret Sharing with Compact Shares , 2012, EUROCRYPT.

[9]  Harald Niederreiter,et al.  Probability and computing: randomized algorithms and probabilistic analysis , 2006, Math. Comput..

[10]  Alfredo De Santis,et al.  Lower Bounds for Robust Secret Sharing Schemes , 1997, Inf. Process. Lett..

[11]  Stefan Dziembowski,et al.  Leakage-Resilient Cryptography , 2008, 2008 49th Annual IEEE Symposium on Foundations of Computer Science.

[12]  Ueli Maurer,et al.  Collusion-Preserving Computation , 2012, IACR Cryptol. ePrint Arch..

[13]  Jørn Justesen,et al.  Class of constructive asymptotically good algebraic codes , 1972, IEEE Trans. Inf. Theory.

[14]  Thomas Johansson,et al.  On the Relation between A-Codes and Codes Correcting Independent Errors , 1993, EUROCRYPT.

[15]  Bert den Boer A Simple and Key-Economical Unconditional Authentication Scheme , 1993, J. Comput. Secur..

[16]  G. R. BLAKLEY Safeguarding cryptographic keys , 1979, 1979 International Workshop on Managing Requirements Knowledge (MARK).

[18]  Adi Shamir,et al.  How to share a secret , 1979, CACM.

[19]  Ivan Damgård,et al.  Linear Secret Sharing Schemes from Error Correcting Codes and Universal Hash Functions , 2015, EUROCRYPT.

[20]  Allison Bishop,et al.  Storing Secrets on Continually Leaky Devices , 2011, 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science.

[22]  Ran Canetti,et al.  Universally Composable Security with Local Adversaries , 2012, SCN.

[23]  Adi Shamir IP = PSPACE , 1992, JACM.

[24]  Alfonso Cevallos,et al.  Reducing the Share Size in Robust Secret Sharing , 2011 .

[25]  Abhi Shelat,et al.  Collusion-free protocols , 2005, STOC '05.

[26]  Richard Taylor An Integrity Check Value Algorithm for Stream Ciphers , 1993, CRYPTO.

[27]  Carsten Lund,et al.  Non-deterministic exponential time has two-prover interactive protocols , 2005, computational complexity.