How to Recover a Secret with O(n) Additions

Benny Applebaum, Oded Nir, Benny Pinkas

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

1 Scopus citations

Abstract

Threshold cryptography is typically based on the idea of secret-sharing a private-key s∈ F “in the exponent” of some cryptographic group G, or more generally, encoding s in some linearly homomorphic domain. In each invocation of the threshold system (e.g., for signing or decrypting) an “encoding” of the secret is being recovered and so the complexity, measured as the number of group multiplications over G, is equal to the number of F-additions that are needed to reconstruct the secret. Motivated by this scenario, we initiate the study of n-party secret-sharing schemes whose reconstruction algorithm makes a minimal number of additions. The complexity of existing schemes either scales linearly with nlog | F| (e.g., Shamir, CACM’79) or, at least, quadratically with n independently of the size of the domain F (e.g., Cramer-Xing, EUROCRYPT ’20). This leaves open the existence of a secret sharing whose recovery algorithm can be computed by performing only O(n) additions. We resolve the question in the affirmative and present such a near-threshold secret sharing scheme that provides privacy against unauthorized sets of density at most τp, and correctness for authorized sets of density at least τc, for any given arbitrarily close constants τp< τc. Reconstruction can be computed by making at most O(n) additions and, in addition, (1) the share size is constant, (2) the sharing procedure also makes only O(n) additions, and (3) the scheme is a blackbox secret-sharing scheme, i.e., the sharing and reconstruction algorithms work universally for all finite abelian groups F. Prior to our work, no such scheme was known even without features (1)–(3) and even for the ramp setting where τp and τc are far apart. As a by-product, we derive the first blackbox near-threshold secret-sharing scheme with linear-time sharing. We also present several concrete instantiations of our approach that seem practically efficient (e.g., for threshold discrete-log-based signatures). Our constructions are combinatorial in nature. We combine graph-based erasure codes that support “peeling-based” decoding with a new randomness extraction method that is based on inner-product with a small-integer vector. We also introduce a general concatenation-like transform for secret-sharing schemes that allows us to arbitrarily shrink the privacy-correctness gap with a minor overhead. Our techniques enrich the secret-sharing toolbox and, in the context of blackbox secret sharing, provide a new alternative to existing number-theoretic approaches.

Original languageEnglish
Title of host publicationAdvances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
EditorsHelena Handschuh, Anna Lysyanskaya
PublisherSpringer Science and Business Media Deutschland GmbH
Pages236-262
Number of pages27
ISBN (Print)9783031385568
DOIs
StatePublished - 2023
EventAdvances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings - Santa Barbara, United States
Duration: 20 Aug 202324 Aug 2023

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume14081 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

ConferenceAdvances in Cryptology – CRYPTO 2023 - 43rd Annual International Cryptology Conference, CRYPTO 2023, Proceedings
Country/TerritoryUnited States
CitySanta Barbara
Period20/08/2324/08/23

Bibliographical note

Publisher Copyright:
© 2023, International Association for Cryptologic Research.

Funding

Acknowledgements. Research supported in part by an Alon Young Faculty Fellowship, by a grant from the Israel Science Foundation (ISF Grant No. 1774/20), and by a grant from the US-Israel Binational Science Foundation and the US National Science Foundation (BSF-NSF Grant No. 2020643). Acknowledgments. Anasuya Acharya and Carmit Hazay are supported by ISF grant No. 1316/18. Carmit Hazay is also supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation. The fourth author was supported by a JPMorgan Chase Faculty Research Award, Technology, and Humanity Fund from the McCourt School of Public Policy at Georgetown University, and a Google Research Award. 2055694. Vassilis Zikas’s research is supported in part by NSF grant no. 2055599 and by Sunday Group. The authors are also supported by the Algorand Centres of Excellence programme managed by Algorand Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Algorand Foundation. Grant. This material is based upon work supported by the Defense Advanced Research Projects Agency through Award HR00112020024. A. Srinivasan was supported in part by a SERB startup grant and Google India Research Award. Acknowledgment. Y. Ishai was supported in part by ERC Project NTSC (742754), BSF grant 2018393, ISF grant 2774/20, and a Google Faculty Research Award. D. Khu-rana was supported in part by NSF CAREER CNS-2238718 and DARPA SIEVE. A. Sahai was supported in part from a Simons Investigator Award, DARPA SIEVE award, NTT Research, NSF Frontier Award 1413955, BSF grant 2012378, a Xerox Faculty Research Award, a Google Faculty Research Award, and an Okawa Foundation Research tial privacy in the shuffle model and the anonymous reviewers for their comments. Y. Ishai and E. Kushilevitz were supported by ISF grant 2774/20 and BSF grant 2018393. Y. Ishai was additionally supported by ERC Project NTSC (742754). Acknowledgments. Ran Cohen’s research is supported in part by NSF grant no. 2055568. Juan Garay’s research is supported in part by NSF grants no. 2001082 and G. Garimella, M. Rosulek and J. Singh—Authors partially supported by NSF award S2356A. Acknowledgements. D. Boneh is supported by NSF, the DARPA SIEVE program, the Simons Foundation, UBRI, and NTT Research. E. Boyle is supported by AFOSR Award FA9550-21-1-0046, ERC Project HSS (852952), and a Google Research Award. H. Corrigan-Gibbs is supported by Capital One, Facebook, Google, Mozilla, Seagate, MIT’s FinTech@CSAIL Initiative, and NSF Award CNS-2054869. N. Gilboa is supported by ISF grant 2951/20, ERC grant 876110, and a grant by the BGU Cyber Center. Y. Ishai is supported by ERC Project NTSC (742754), BSF grant 2018393, and ISF grant 2774/20. Opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of DARPA. Acknowledgments. The research described in this paper received funding from: the Concordium Blockhain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 803096 (SPEC); the Danish Independent Research Council under Grant-ID DFF-0165-00107B (C3PO). ritos and quesadillas. He also thanks the Aarhus Crypto Group and the people at NTT Research for being amazing humans (independently of their success in research). The work of Damiano Abram was carried out during an internship funded by NTT Research. Acknowledgements. We would like to thank Alin Tomescu, Kobi Gurkan, Julian Loss, and Renas Bacho for many insightful discussions. Gilad Stern was supported by the HUJI Federmann Cyber Security Research Center in conjunction with the Israel National Cyber Directorate (INCD) in the Prime Minister’s Office. Acknowledgements. Pedro Branco was partially funded by the German Federal Ministry of Education and Research (BMBF) in the course of the 6GEM research hub under grant number 16KISK038. Nico Döttling: Funded by the European Union (ERC, LACONIC, 101041207). Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union or the European Research Council. Neither the European Union nor the granting authority can be held responsible for them. Akshayaram Srinivasan was supported in part by a SERB startup grant and Google India Research Award. Acknowledgements. This work is funded in part by National Science Foundation award 2143058.

FundersFunder number
Algorand Foundation
BSF-NSF2020643
European Unions’s Horizon 2020 research and innovation programme803096
Google India Research Award
JPMorgan
McCourt School of Public Policy
NTSC742754
Sunday Group
UBRI
US-Israel BSF2015782
National Science Foundation2001082, CNS-2001096, CNS-2154174, 2055599, CCF-2220450, CNS-2238718, S2356A, CNS-2026774, 2055568, 2143058, CNS-2246355
Air Force Office of Scientific ResearchFA9550-21-1-0046
Defense Advanced Research Projects AgencyHR0011-20-2-0025, HR00112020024
Simons Foundation
Microsoft
Cisco Systems
GoogleCNS-2054869
Aarhus Universitet
Georgetown University
NTT Research1413955, 2012378
European Commission852952
United States-Israel Binational Science Foundation2018393
Science and Engineering Research Board
Bundesministerium für Bildung und Forschung16KISK038
CarlsbergfondetCF18-112
Israel Science Foundation1774/20, 876110, 2951/20, 2774/20, 1316/18
Okawa Foundation for Information and Telecommunications
Danmarks Frie ForskningsfondDFF-0165-00107B
Ben-Gurion University of the Negev

    Keywords

    • Blackbox secret sharing
    • Secret Sharing
    • Threshold Cryptography

    Fingerprint

    Dive into the research topics of 'How to Recover a Secret with O(n) Additions'. Together they form a unique fingerprint.

    Cite this