## CryptoDB

### Aditi Partap

#### Publications

**Year**

**Venue**

**Title**

2024

CRYPTO

Traceable Secret Sharing: Strong Security and Efficient Constructions
Abstract

Suppose Alice uses a $t$-out-of-$n$ secret sharing to store her secret key on $n$ servers. Her secret key is protected as long as $t$ of them do not collude. However, what if a less-than-$t$ subset of the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold them accountable, or else nothing prevents them from selling her shares. With this motivation in mind, Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of {\em traceable secret sharing}. In such schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them. Goyal et al.~presented the first construction of a traceable secret sharing scheme. However, secret shares in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it relies on Goldreich-Levin decoding.
In this work, we put forth new definitions and practical constructions for traceable secret sharing. In our model, some $f < t$ servers output a reconstruction box~$R$ that may arbitrarily depend on their shares. Given additional $t-f$ shares, $R$ reconstructs and outputs the secret.
The task is to trace $R$ back to the corrupted servers given
black-box access to $R$.
Unlike Goyal et al., we do not assume that the tracing algorithm has any information on how the corrupted servers constructed~$R$ from the shares in their possession.
We then present two very efficient constructions of traceable secret sharing based on two classic secret sharing schemes.
In both of our schemes, shares are only twice as large as the secret, improving over the quadratic overhead of Goyal et al.
Our first scheme is obtained by presenting a new practical tracing algorithm for the widely-used Shamir secret sharing scheme.
Our second construction is based on an extension of Blakley's secret sharing scheme. Tracing in this scheme is optimally efficient, and requires just one successful query to $R$.
We believe that our constructions are an important step towards bringing traceable secret-sharing schemes to practice.
This work also raises several interesting open problems that we describe
in the paper.

2024

CRYPTO

Accountability in Threshold Decryption via Threshold Traitor Tracing
Abstract

A $t$-out-of-$n$ threshold decryption system assigns key shares to $n$ parties so that any $t$ of them can decrypt a well-formed ciphertext.
Existing threshold decryption systems are not secure when these parties are rational actors:
an adversary can offer to pay the parties for their key shares.
The problem is that a quorum of $t$~parties, working together, can sell the adversary a decryption key that reveals nothing about the identity of the traitor parties.
This provides a risk-free profit for the parties since there is no accountability for their misbehavior --- the information they sell to the adversary reveals nothing about their identity.
This behavior can result in a complete break in many applications of threshold decryption,
such as encrypted mempools, private voting, and sealed-bid auctions.
In this work we propose a solution to this problem.
Suppose a quorum of~$t$ or more parties construct a decoder algorithm~$D(\cdot)$ that takes as input a ciphertext and outputs the corresponding plaintext or $\bot$. They sell~$D$ to the adversary.
Our threshold decryption systems are equipped with a tracing algorithm that can trace~$D$ to members of the quorum that created it.
The tracing algorithm is only given blackbox access to~$D$ and will identify some members of the misbehaving quorum.
The parties can then be held accountable, which may discourage them from selling the decoder~$D$ in the first place.
Our starting point is standard (non-threshold) traitor tracing, where $n$ parties each holds a secret key.
Every party can decrypt a well-formed ciphertext on its own.
However, if a subset of parties ${\cal J} \subseteq [n]$ collude to create a pirate decoder $D(\cdot)$ that can decrypt well-formed ciphertexts, then it is possible to trace $D$ to at least one member of ${\cal J}$ using only blackbox access to the decoder~$D$.
In this work we develop the theory of traitor tracing for threshold decryption, where now only a subset ${\cal J} \subseteq [n]$ of~$t$ or more parties can collude to create a pirate decoder $D(\cdot)$.
This problem has recently become quite important due to the real-world deployment of threshold decryption in encrypted mempools, as we explain in the paper.
While there are several non-threshold traitor tracing schemes that we can leverage, adapting these constructions to the threshold decryption settings requires new cryptographic techniques.
A $t$-out-of-$n$ threshold decryption system assigns key shares to $n$ parties
so that any $t$ of them can decrypt a well-formed ciphertext.
Existing threshold decryption systems are {\em not secure}
when these parties are rational actors:
an adversary can offer to pay the parties for their key shares.
The problem is that a quorum of $t$~parties, working together,
can sell the adversary a decryption key
that reveals nothing about the identity of the traitor parties.
This provides a risk-free profit for the parties
since there is no accountability for their misbehavior ---
the information they sell to the adversary
reveals nothing about their identity.
This behavior can result in a complete break
in many applications of threshold decryption,
such as encrypted mempools, private voting, and sealed-bid auctions.
In this work we propose a solution to this problem.
Suppose a quorum of~$t$ or more parties construct a
decoder algorithm~$D(\cdot)$ that takes as input a ciphertext
and outputs the corresponding plaintext or $\bot$.
They sell~$D$ to the adversary.
Our threshold decryption systems are equipped with a tracing algorithm
that can trace~$D$ to members of the quorum that created it.
The tracing algorithm is only given blackbox access to~$D$ and will
identify some members of the misbehaving quorum.
The parties can then be held accountable,
which may discourage them from selling the decoder~$D$ in the first place.
Our starting point is standard (non-threshold) traitor tracing,
where $n$ parties each holds a secret key.
Every party can decrypt a well-formed ciphertext on its own.
However, if a subset of parties ${\cal J} \subseteq [n]$ collude to create a
pirate decoder $D(\cdot)$ that can decrypt well-formed ciphertexts,
then it is possible to trace $D$ to at least one member of ${\cal J}$
using only blackbox access to the decoder~$D$.
In this work we develop the theory of traitor tracing
for threshold decryption,
where now only a subset ${\cal J} \subseteq [n]$ of~$t$ or more parties
can collude to create a pirate decoder $D(\cdot)$.
This problem has recently become quite important
due to the real-world deployment of threshold decryption in encrypted mempools,
as we explain in the paper.
While there are several non-threshold traitor tracing schemes
that we can leverage,
adapting these constructions to the threshold decryption settings requires new cryptographic techniques.
We present a number of constructions for traitor tracing for threshold decryption,
and note that much work remains to explore the large design space.

#### Coauthors

- Dan Boneh (2)
- Aditi Partap (2)
- Lior Rotem (2)