[Resource Topic] 2024/405: Traceable Secret Sharing: Strong Security and Efficient Constructions

Welcome to the resource topic for 2024/405

Title:
Traceable Secret Sharing: Strong Security and Efficient Constructions

Authors: Dan Boneh, Aditi Partap, Lior Rotem

Abstract:

Suppose Alice uses a t-out-of-n secret sharing to store her secret key on n servers. Her secret key is protected as long as t of them do not collude. However, what if a less-than-t subset of the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold them accountable, or else nothing prevents them from selling her shares. With this motivation in mind, Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of {\em traceable secret sharing}. In such schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them. Goyal et al.~presented the first construction of a traceable secret sharing scheme. However, secret shares in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it relies on Goldreich-Levin decoding.

In this work, we put forth new definitions and practical constructions for traceable secret sharing. In our model, some f < t servers output a reconstruction box~R that may arbitrarily depend on their shares. Given additional t-f shares, R reconstructs and outputs the secret. The task is to trace R back to the corrupted servers given
black-box access to R. Unlike Goyal et al., we do not assume that the tracing algorithm has any information on how the corrupted servers constructed~R from the shares in their possession.

We then present two very efficient constructions of traceable secret sharing based on two classic secret sharing schemes. In both of our schemes, shares are only twice as large as the secret, improving over the quadratic overhead of Goyal et al. Our first scheme is obtained by presenting a new practical tracing algorithm for the widely-used Shamir secret sharing scheme. Our second construction is based on an extension of Blakley’s secret sharing scheme. Tracing in this scheme is optimally efficient, and requires just one successful query to R. We believe that our constructions are an important step towards bringing traceable secret-sharing schemes to practice. This work also raises several interesting open problems that we describe
in the paper.

ePrint: https://eprint.iacr.org/2024/405

See all topics related to this paper.

Feel free to post resources that are related to this paper below.

Example resources include: implementations, explanation materials, talks, slides, links to previous discussions on other websites.

For more information, see the rules for Resource Topics .