On the complexity of arithmetic secret sharing

Since the mid 2000s, asymptotically-good strongly-multiplicative linear (ramp) secret sharing schemes over a fixed finite field have turned out as a central theoretical primitive in numerous constant-communication-rate results in multi-party cryptographic scenarios, and, surprisingly, in two-party cryptography as well. Known constructions of this most powerful class of arithmetic secret sharing schemes all rely heavily on algebraic geometry (AG), i.e., on dedicated AG codes based on asymptotically good towers of algebraic function fields defined over finite fields. It is a well-known open question since the first (explicit) constructions of such schemes appeared in CRYPTO 2006 whether the use of “heavy machinery” can be avoided here. i.e., the question is whether the mere existence of such schemes can also be proved by “elementary” techniques only (say, from classical algebraic coding theory), even disregarding effective construction. So far, there is no progress. In this paper we show the theoretical result that, (1) no matter whether this open question has an affirmative answer or not, these schemes can be constructed explicitly by elementary algorithms defined in terms of basic algebraic coding theory. This pertains to all relevant operations associated to such schemes, including, notably, the generation of an instance for a given number of players n, as well as error correction in the presence of corrupt shares. We further show that (2) the algorithms are quasi-linear time (in n); this is (asymptotically) significantly more efficient than the known constructions. That said, the analysis of the mere termination of these algorithms does still rely on algebraic geometry, in the sense that it requires “blackbox application” of suitable existence results for these schemes. Our method employs a nontrivial, novel adaptation of a classical (and ubiquitous) paradigm from coding theory that enables transformation of existence results on asymptotically good codes into explicit construction of such codes via concatenation, at some constant loss in parameters achieved. In a nutshell, our generating idea is to combine a cascade of explicit but “asymptotically-bad-yet-good-enough schemes” with an asymptotically good one in such a judicious way that the latter can be selected with exponentially small number of players in that of the compound scheme. This opens the door t

Subquadratic time encodable codes beating the Gilbert-Varshamov bound

We construct explicit algebraic geometry codes built from the Garcia-Stichtenoth function field tower beating the Gilbert-Varshamov bound for alphabet sizes at least 192. Messages are identied with functions in certain Riemann-Roch spaces associated with divisors supported on multiple places. Encoding amounts to evaluating these functions at degree one places. By exploiting algebraic structures particular to the Garcia-Stichtenoth tower, we devise an intricate deterministic \omega/2 < 1.19 runtime exponent encoding and 1+\omega/2 < 2.19 expected runtime exponent randomized (unique and list) decoding algorithms. Here \omega < 2.373 is the matrix multiplication exponent. If \omega = 2, as widely believed, the encoding and decoding runtimes are respectively nearly linear and nearly quadratic. Prior to this work, encoding (resp. decoding) time of code families beating the Gilbert-Varshamov bound were quadratic (resp. cubic) or worse

Linear Secret Sharing Schemes from Error Correcting Codes and Universal Hash Functions

We present a novel method for constructing linear secret sharing schemes (LSSS) from linear error correcting codes and linear universal hash functions in a blackbox way. The main advantage of this new construction is that the privacy property of the resulting secret sharing scheme essentially becomes independent of the code we use, only depending on its rate. This allows us to fully harness the algorithmic properties of recent code constructions such as efficient encoding and decoding or efficient list-decoding. Choosing the error correcting codes and universal hash functions involved carefully, we obtain solutions to the following open problems: - A linear near-threshold secret sharing scheme with both linear time sharing and reconstruction algorithms and large secrets (i.e. secrets of size $\Omega(n)$). Thus, the computational overhead per shared bit in this scheme is *constant*. - An efficiently reconstructible robust secret sharing scheme for $n/3 \leq t 0$) with shares of optimal size $O(1 + \lambda / n)$ and secrets of size $\Omega(n + \lambda)$, where $\lambda$ is the security parameter

Algebraic Techniques for Low Communication Secure Protocols

Internet communication is often encrypted with the aid of mathematical problems that are hard to solve. Another method to secure electronic communication is the use of a digital lock of which the digital key must be exchanged first. PhD student Robbert de Haan (CWI) researched models for a guaranteed safe communication between two people without the exchange of a digital key and without assumptions concerning the practical difficulty of solving certain mathematical problems. In ancient times Julius Caesar used secret codes to make his messages illegible for spies. He upped every letter of the alphabet with three positions: A became D, Z became C, and so on. Usually, cryptographers research secure communication between two people through one channel that can be monitored by malevolent people. De Haan studied the use of multiple channels. A minority of these channels may be in the hands of adversaries that can intercept, replace or block the message. He proved the most efficient way to securely communicate along these channels and thus solved a fundamental cryptography problem that was introduced almost 20 years ago by Dole, Dwork, Naor and Yung

Improved Bounds on the Threshold Gap in Ramp Secret Sharing

Producción CientíficaAbstract: In this paper we consider linear secret sharing schemes over a finite field Fq, where the secret is a vector in Fℓq and each of the n shares is a single element of Fq. We obtain lower bounds on the so-called threshold gap g of such schemes, defined as the quantity r−t where r is the smallest number such that any subset of r shares uniquely determines the secret and t is the largest number such that any subset of t shares provides no information about the secret. Our main result establishes a family of bounds which are tighter than previously known bounds for ℓ≥2. Furthermore, we also provide bounds, in terms of n and q, on the partial reconstruction and privacy thresholds, a more fine-grained notion that considers the amount of information about the secret that can be contained in a set of shares of a given size. Finally, we compare our lower bounds with known upper bounds in the asymptotic setting.Danish Council for Independent Research (grant DFF-4002- 00367)Ministerio de Economía, Industria y Competitividad (grants MTM2015-65764-C3-2-P / MTM2015-69138- REDT)RYC-2016-20208 (AEI/FSE/UE)Junta de Castilla y León (grant VA166G18

Generic Secure Repair for Distributed Storage

This paper studies the problem of repairing secret sharing schemes, i.e., schemes that encode a message into $n$ shares, assigned to $n$ nodes, so that any $n-r$ nodes can decode the message but any colluding $z$ nodes cannot infer any information about the message. In the event of node failures so that shares held by the failed nodes are lost, the system needs to be repaired by reconstructing and reassigning the lost shares to the failed (or replacement) nodes. This can be achieved trivially by a trustworthy third-party that receives the shares of the available nodes, recompute and reassign the lost shares. The interesting question, studied in the paper, is how to repair without a trustworthy third-party. The main issue that arises is repair security: how to maintain the requirement that any colluding $z$ nodes, including the failed nodes, cannot learn any information about the message, during and after the repair process? We solve this secure repair problem from the perspective of secure multi-party computation. Specifically, we design generic repair schemes that can securely repair any (scalar or vector) linear secret sharing schemes. We prove a lower bound on the repair bandwidth of secure repair schemes and show that the proposed secure repair schemes achieve the optimal repair bandwidth up to a small constant factor when $n$ dominates $z$, or when the secret sharing scheme being repaired has optimal rate. We adopt a formal information-theoretic approach in our analysis and bounds. A main idea in our schemes is to allow a more flexible repair model than the straightforward one-round repair model implicitly assumed by existing secure regenerating codes. Particularly, the proposed secure repair schemes are simple and efficient two-round protocols