International Association for Cryptologic Research

International Association
for Cryptologic Research

CryptoDB

Nearly Optimal Robust Secret Sharing against Rushing Adversaries

Authors:
Pasin Manurangsi , Google Research
Akshayaram Srinivasan , UC Berkeley
Prashant Nalini Vasudevan , UC Berkeley
Download:
DOI: 10.1007/978-3-030-56877-1_6 (login may be required)
Search ePrint
Search Google
Conference: CRYPTO 2020
Abstract: Robust secret sharing is a strengthening of standard secret sharing that allows the shared secret to be recovered even if some of the shares being used in the reconstruction have been adversarially modified. In this work, we study the setting where out of all the $n$ shares, the adversary is allowed to adaptively corrupt and modify up to $t$ shares, where $n = 2t+1$.\footnote{Note that if the adversary is allowed to modify any more shares, then correct reconstruction would be impossible.} Further, we deal with \emph{rushing} adversaries, meaning that the adversary is allowed to see the honest parties' shares before modifying its own shares. It is known that when $n = 2t+1$, to share a secret of length $m$ bits and recover it with error less than $2^{-\sec}$, shares of size at least $m+\sec$ bits are needed. Recently, Bishop, Pastro, Rajaraman, and Wichs (EUROCRYPT 2016) constructed a robust secret sharing scheme with shares of size $m + O(\sec\cdot\polylog(n,m,\sec))$ bits that is secure in this setting against non-rushing adversaries. Later, Fehr and Yuan (EUROCRYPT 2019) constructed a scheme that is secure against rushing adversaries, but has shares of size $m + O(\sec\cdot n^{\eps}\cdot \polylog(n,m,\sec))$ bits for an arbitrary constant $\eps > 0$. They also showed a variant of their construction with share size $m + O(\sec\cdot\polylog(n,m,\sec))$ bits, but with super-polynomial reconstruction time. We present a robust secret sharing scheme that is simultaneously close-to-optimal in all of these respects -- it is secure against rushing adversaries, has shares of size $m+O(\sec \log{n} (\log{n}+\log{m}))$ bits, and has polynomial-time sharing and reconstruction. Central to our construction is a polynomial-time algorithm for a problem on semi-random graphs that arises naturally in the paradigm of local authentication of shares used by us and in the aforementioned work.
Video from CRYPTO 2020
BibTeX
@inproceedings{crypto-2020-30427,
  title={Nearly Optimal Robust Secret Sharing against Rushing Adversaries},
  publisher={Springer-Verlag},
  doi={10.1007/978-3-030-56877-1_6},
  author={Pasin Manurangsi and Akshayaram Srinivasan and Prashant Nalini Vasudevan},
  year=2020
}