Algebraic geometric secret sharing schemes and secure multi-party computations over small fields

Abstract

We introduce algebraic geometric techniques in secret sharing and in secure multi-party computation (MPC) in particular. The main result is a linear secret sharing scheme (LSSS) defined over a finite field double-struck F sign q, with the following properties. 1. It is ideal. The number of players n can be as large as #C(double-struck F signq), where C is an algebraic curve C of genus g defined over double-struck F signq. 2. It is quasi-threshold: it is t-rejecting and t +1 + 2g-accepting, but not necessarily t + 1-accepting. It is thus in particular a ramp scheme. High information rate can be achieved. 3. It has strong multiplication-with respect to the t-threshold adversary structure, if t < 1/3n - 4/3g. This is a multi-linear algebraic property on an LSSS facilitating zero-error multi-party multiplication, unconditionally secure against corruption by an active t-adversary. 4. The finite field over double-struck F signq can be dramatically smaller than n. This is by using algebraic curves with many over double-struck F signq-rational points. For example, for each small enough ε, there is a finite field over double-struck F signq such that for infinitely many n there is an LSSS over over double-struck F signq with strong multiplication satisfying (1/3 - ε)n ≤ t < 1/3n. 5. Shamir's scheme, which requires n > q and which has strong multiplication for t < 1/3n, is a special case by taking g = 0. Now consider the classical ("BGW") scenario of MPC unconditionally secure (with zero error probability) against an active t-adversary with t < 1/3n, in a synchronous n-player network with secure channels. By known results it now follows that there exist MPC protocols in this scenario, achieving the same communication complexities in terms of the number of field elements exchanged in the network compared with known Shamir-based solutions. However, in return for decreasing corruption tolerance by a small ε-fraction, q may be dramatically smaller than n. This tolerance decrease is unavoidable due to properties of MDS codes. The techniques extend to other models of MPC. Results on less specialized LSSS can be obtained from more general coding theory arguments. © International Association for Cryptologic Research 2006.