Reimagining Secret Sharing: Creating a Safer and More Versatile Primitive by Adding Authenticity, Correcting Errors, and Reducing Randomness Requirements

Mihir Bellare (1), Wei Dai (2), and Phillip Rogaway (3)
  • (1) University of California, San Diego, USA
  • (2) University of California, San Diego, USA
  • (3) University of California, Davis, USA


Aiming to strengthen classical secret sharing so that it becomes a more directly useful primitive for human end users, we develop definitions, theorems, and efficient constructions for what we call adept secret sharing. Our primary concerns are the properties we call privacy, authenticity, and error correction. Privacy strengthens the classical requirement by ensuring maximal confidentiality even if the dealer does not employ fresh, uniformly random coins with each sharing. That might happen either intentionally, to enable reproducible secret sharing, or unintentionally, when an entropy source fails. Authenticity is a shareholder's guarantee that a secret recovered using his or her share will coincide with the value the dealer committed to at the time the secret was shared. Error correction is the guarantee that recovery of a secret succeeds, and identifies the valid shares, exactly when there is a unique explanation as to which shares implicate what secret. These concerns arise organically from a desire to create general-purpose libraries and apps for secret sharing that can withstand both strong adversaries and routine operational errors.
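The three goals named above can be seen concretely in the following toy scheme. It is an added illustration written for this page, not the paper's construction or any of its proofs: Shamir sharing over GF(2^8) in which the polynomial coefficients are derived by HMAC from the secret and the dealer's coins (so the same inputs reproduce the same shares, and weak coins do not by themselves expose the secret), a truncated SHA-256 commitment to the whole polynomial carried in every share (the shareholder's authenticity check), and a brute-force search over t-subsets that returns a secret and the set of valid shares only when exactly one committed polynomial explains at least t of the submitted shares. The field, the HMAC derivation, the 16-byte tag and the subset search are all choices made here for illustration.

```python
"""Toy 'adept' secret sharing: hedged privacy, authenticity, error correction.
Added example for illustration; not the paper's construction."""
import hashlib
import hmac
from itertools import combinations

# GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11B).
def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    r = 1                      # a^254 = a^-1 in GF(2^8)*; 0 maps to 0
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def poly_eval(coeffs, x):
    acc = 0                    # Horner; coeffs[0] is the constant term
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def interpolate(points, t):
    """All t coefficients of the degree<t polynomial through t points
    (Lagrange basis expanded to coefficient form; x - xj == x ^ xj here)."""
    coeffs = [0] * t
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(basis) + 1)
            for k, b in enumerate(basis):
                new[k + 1] ^= b
                new[k] ^= gf_mul(b, xj)
            basis, denom = new, gf_mul(denom, xi ^ xj)
        scale = gf_mul(yi, gf_inv(denom))
        for k, b in enumerate(basis):
            coeffs[k] ^= gf_mul(b, scale)
    return coeffs

def derive_coeffs(secret: bytes, rand: bytes, t: int):
    """Per secret byte p: [s_p, c_1..c_{t-1}], c_d = HMAC(rand, secret||p||d)[0].
    Same (secret, rand) gives the same shares (reproducible sharing); if rand
    is weak or repeated, the coefficients still depend on the secret itself."""
    polys = []
    for p, s in enumerate(secret):
        cs = [s]
        for d in range(1, t):
            msg = secret + p.to_bytes(2, "big") + bytes([d])
            cs.append(hmac.new(rand, msg, hashlib.sha256).digest()[0])
        polys.append(cs)
    return polys

def commit(polys):
    """Commitment to the entire polynomial set, carried inside every share."""
    return hashlib.sha256(bytes(c for cs in polys for c in cs)).digest()[:16]

def share(secret: bytes, n: int, t: int, rand: bytes):
    polys = derive_coeffs(secret, rand, t)
    tag = commit(polys)
    return [(x, bytes(poly_eval(cs, x) for cs in polys), tag) for x in range(1, n + 1)]

def recover(shares, t):
    """Error-correcting recovery: (secret, indices of valid shares) exactly when
    one committed polynomial set is consistent with >= t shares, else None.
    A share is consistent if its tag equals the commitment and its point lies
    on every per-byte polynomial. Cost is C(len(shares), t) interpolations."""
    candidates = {}
    for subset in combinations(range(len(shares)), t):
        pts = [shares[i] for i in subset]
        if len({len(y) for _, y, _ in pts}) != 1:
            continue
        polys = [interpolate([(x, y[p]) for x, y, _ in pts], t)
                 for p in range(len(pts[0][1]))]
        tag = commit(polys)
        if tag in candidates:
            continue
        ok = [i for i, (x, y, tg) in enumerate(shares)
              if tg == tag and len(y) == len(polys)
              and all(poly_eval(cs, x) == y[p] for p, cs in enumerate(polys))]
        if len(ok) >= t:
            candidates[tag] = (bytes(cs[0] for cs in polys), ok)
    return next(iter(candidates.values())) if len(candidates) == 1 else None

if __name__ == "__main__":
    s = share(b"launch code", 5, 3, b"dealer coins")   # constructed sample input
    print(recover(s, 3))
```

Two behaviours worth noting: with exactly t shares, one of which is tampered, `recover` returns `None` rather than a wrong secret (the authenticity check fails because the interpolated polynomial no longer matches the committed tag); and with t = 2 and three forged shares that are mutually consistent under the forger's own commitment, `recover` also returns `None`, since two explanations exist and neither is unique.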
