Weakly-private secret sharing schemes

Abstract

Secret-sharing schemes are an important tool in cryptography that is used in the construction of many secure protocols. However, the shares' size in the best known secret-sharing schemes realizing general access structures is exponential in the number of parties in the access structure, making them impractical. On the other hand, the best lower bound known for sharing of an ℓ-bit secret with respect to an access structure with n parties is Ω(ℓn/log n) (Csirmaz, EUROCRYPT 94). No major progress on closing this gap has been obtained in the last decade. Faced by our lack of understanding of the share complexity of secret sharing schemes, we investigate a weaker notion of privacy in secrets sharing schemes where each unauthorized set can never rule out any secret (rather than not learn any "probabilistic" information on the secret). Such schemes were used previously to prove lower bounds on the shares' size of perfect secret-sharing schemes. Our main results is somewhat surprising upper-bounds on the shares' size in weakly-private schemes. - For every access structure, we construct a scheme for sharing an ℓ-bit secret with (ℓ + c)-bit shares, where c is a constant depending on the access structure (alas, c can be exponential in n). Thus, our schemes become more efficient as ℓ - the secret size - grows. For example, for the above mentioned access structure of Csirmaz, we construct a scheme with shares' size ℓ + n log n. - We construct efficient weakly-private schemes for threshold access structures for sharing a one bit secret. Most impressively, for the 2-out-of-n threshold access structure, we construct a scheme with 2-bit shares (compared to Ω(log n) in any perfect secret sharing scheme). © International Association for Cryptologic Research 2007.