How to Share a Secret, Infinitely

Transcription

1 How to Share a Secret, Infntely Ilan Komargodsk Mon Naor Eylon Yogev Abstract Secret sharng schemes allow a dealer to dstrbute a secret pece of nformaton among several partes such that only qualfed subsets of partes can reconstruct the secret. The collecton of qualfed subsets s called an access structure. The best known example s the k-threshold access structure, where the qualfed subsets are those of sze at least k. When k = 2 and there are n partes, there are schemes for sharng an l-bt secret n whch the share sze of each party s roughly max{l, log n} bts, and ths s tght even for secrets of 1 bt. In these schemes, the number of partes n must be gven n advance to the dealer. In ths work we consder the case where the set of partes s not known n advance and could potentally be nfnte. Our goal s to gve the t th party arrvng the smallest possble share as a functon of t. Our man result s such a scheme for the k-threshold access structure and 1-bt secrets where the share sze of party t s (k 1) log t + poly(k) o(log t). For k = 2 we observe an equvalence to prefx codes and present matchng upper and lower bounds of the form log t + log log t + log log log t + O(1). Fnally, we show that for any access structure there exsts such a secret sharng scheme wth shares of sze 2 t 1. A prelmnary verson of ths paper appeared n the 14th Internatonal Conference on Theory of Cryptography (TCC 2016-B) [KNY16]. Department of Computer Scence and Appled Mathematcs, Wezmann Insttute of Scence Israel, Rehovot 76100, Israel. Emal: {lan.komargodsk,mon.naor,eylon.yogev}@wezmann.ac.l. Research supported n part by grants from the Israel Scence Foundaton (grants no. 1255/12 and 950/16), BSF and from the I-CORE Program of the Plannng and Budgetng Commttee and the Israel Scence Foundaton (grant no. 4/11). Mon Naor s the ncumbent of the Judth Kleeman Professoral Char. Ilan Komargodsk s supported n part by a Levzon fellowshp.

2 1 Introducton 640K ought to be enough for anybody Msattrbuted to Bll Gates, 1981 Secret sharng s a method by whch a secret pece of nformaton can be dstrbuted among n partes so that any qualfed subset of partes can reconstruct the secret, whle every unqualfed subset of partes learns nothng about the secret. The collecton of qualfed subsets s called an access structure. Secret sharng schemes are a basc prmtve and have found applcatons n cryptography and dstrbuted computng; see the extensve survey of Bemel [Be11]. A sgnfcant goal n secret sharng s to mnmze the share sze, namely, the amount of nformaton dstrbuted to the partes. Secret sharng schemes were ntroduced n the late 1970s by Shamr [Sha79] and Blakley [Bla79] for the k-out-of-n threshold access structures that ncludes all subsets of cardnalty at least k for 1 k n. Ther constructons are farly effcent both n the sze of the shares and n the computaton requred for sharng and reconstructon. Ito, Sato, and Nshzek [ISN93] showed the exstence of a secret sharng scheme for every (monotone) access structure. In ther scheme the sze of the shares s proportonal to the depth 2 complexty of the access structure when vewed as a Boolean functon (and hence shares are exponental for most structures). Benaloh and Lechter [BL88] gave a scheme wth share sze polynomal n the monotone formula complexty of the access structure. Karchmer and Wgderson [KW93] generalzed ths constructon so that the sze s polynomal n the monotone span program complexty. All of these schemes requre that an upper bound on the number of partcpants s known n advance. However, n many scenaros ths s ether unrealstc or prone to dsaster. Moreover, even f a crude upper bound n s known n advance, t s preferable to have shares as small as possble f the eventual number of partcpants s much smaller than ths bound on n. In ths work we consder the well motvated, yet almost unexplored 1, case where the set of partes s not known n advanced and could potentally be nfnte. Our goal s to gve the t th party arrvng the smallest possble share as a functon of t. We requre that n each round, as a new party arrves, there s no communcaton to the partes that have already receved shares,.e. the dealer dstrbutes a share only to the new party. We call such access structures evolvng: the partes arrve one by one and, n the most general case, a qualfed subset s revealed to the dealer only when all partes n that subset are present (n specal cases the dealer knows the access structure to begn wth, just does not have an upper bound on the number of partes). For ths to make sense, we assume that the changes to the access structure are monotone, namely, partes are only added and qualfed sets reman qualfed. Our frst result s a constructon of a secret sharng scheme for any evolvng access structure. 2 Theorem 1.1. For every evolvng access structure there s a secret sharng scheme for a 1-bt secret where the share sze of the t th party s 2 t 1. Then, we construct more effcent schemes for specfc access structures. We focus on the evolvng k-threshold access structure for k N, where at any pont n tme any k partes can reconstruct the secret but no k 1 partes can learn anythng about the secret. 1 But see the work of Csrmaz and Tardos [CT12] dscussed below. 2 A comparson wth the work of Csrmaz and Tardos [CT12] s gven below n Secton

3 Theorem 1.2. For every k, l N, there s a secret sharng scheme for the evolvng k-threshold access structure and an l-bt secret n whch for every t N the share sze of the t th party s (k 1) log t + poly(k, l) o(log t). For k = 2, we present a tght connecton to prefx codes for the ntegers. A prefx code s a code n whch no codeword s a prefx of any other codeword. These codes are wdely used, for example n country callng codes, the UTF-8 system for encodng Uncode characters, and more. Theorem 1.3. Let σ : N N. A prefx code for the ntegers n whch the length of the t th codeword s σ(t) exsts f and only f a secret sharng scheme for the evolvng 2-threshold access structure and 1-bt secret n whch the share sze of the t th party s σ(t). As a corollary, we get that there s a secret sharng scheme for the evolvng 2-threshold access structure and a 1-bt secret n whch the share sze of the t th party s log t+2 log log t+2. Moreover, ths s optmal: there s no secret sharng scheme for ths access structure n whch the share sze of the t th party s bounded by log t + log log t + O(1) bts. See Corollares 4.2 and 4.3 for the precse statements. 1.1 Dscusson Schemes for general access structures. In the classcal settng of secret sharng many schemes are known for general access structures, dependng on ther representaton [ISN93, BL88, KW93]. All of these schemes result wth shares of exponental sze for general access structures. One of the most mportant open problems n the area of secret sharng s to prove the necessty of long shares, namely, fnd an access structure (even a non-explct one) that requres exponental sze shares. Our scheme for general evolvng access structures also results wth exponental sze shares. Snce any access structure can be made evolvng, we cannot hope to obtan anythng better than exponental n general (unless we have a major breakthrough n the classcal settng). Threshold schemes. In the classcal settng there are several dfferent schemes for the threshold access structure. One of the best such schemes (n terms of the computaton needed for sharng and reconstructon and n terms of the share sze) s due to Shamr [Sha79]. In ths scheme, to share a 1-bt secret among n partes, roughly log n bts have to be dstrbuted to each party. It s known that log n bts are essentally requred, so Shamr s scheme s optmal (see [CCX13] for the orgnal proof of Klan and Nsan [KN90], an mprovement, and a dscusson of the hstory; see also [BGK16]). Let us revew Shamr s scheme for the k-out-of-n threshold access structure. The dealer holdng a secret bt s, samples a random polynomal p( ) of degree k 1 wth coeffcents over GF(q), where the free coeffcent s fxed to be s, and gves party [n] the feld element p(). The feld sze, q, s chosen to be the smallest prme (or a power of a prme) larger than n. Correctness of the scheme follows by the fact that k ponts on a polynomal of degree k 1 completely defne the polynomal and allow for computng p(0) = s. Securty follows by a countng argument showng that gven less than k ponts, both possbltes for the free coeffcent are equally lkely. The share of each party s an element n the feld GF(q) that can be represented usng log q log n bts. Notce that the share sze s ndependent of k. As a frst attempt one mght try to adapt ths procedure to the evolvng settng. But snce n s not fxed, what q should we choose? A natural dea s to use an extenson feld. Roughly, we 2

4 would smulate the dealer for Shamr s scheme, sample a random polynomal of degree k 1 and ncrease the feld sze from whch we compute shares as more partes arrve. Ideally, for the share of the t th party we wll use a feld of sze O(t). Ths mples that the share sze of party t would be log(o(t)) log t + log log t for large enough t. The lower bound n Corollary 4.3 means that no such soluton can work! We take a dfferent path for obtanng effcent schemes. For example, for k = 2, our scheme results wth optmal share sze (up to addtve lower order terms) for the t th party: the frst term s log t (wthout hdden constant factors) and there s an addtonal lower order term that depends on log log t. See Secton 4 for detals. Lnearty of our schemes. In a lnear scheme the secret s vewed as an element of a fnte feld, and the shares are obtaned by applyng a lnear mappng to the secret and several ndependent random feld elements. Equvalently, a lnear scheme s defned by requrng that each qualfed set reconstructs the secret by applyng a lnear functon to ts shares [Be96, Secton 4.1]. Most of the known schemes are lnear (see [BI01] for an excepton). Lnear schemes are very useful for updatng and manpulatng secret shares (cf. proactve secret sharng [HJKY95]) and have many applcatons, most notably for secure mult-party computaton [BGW88, CDM00]. Our schemes from Theorems 1.1 and 1.2 are lnear, whereas the scheme based on prefx codes from Theorem 1.3 s non-lnear. 1.2 Related Work The work of Csrmaz and Tardos. Most smlar to our settng s the noton of on-lne secret sharng of Csrmaz and Tardos [CT12]. Csrmaz and Tardos present a scheme for any evolvng access structure wth the restrcton that every party partcpates n at most d qualfed sets, where d s an upper bound known n advance. The share sze of every party n ther scheme s lnear n d. In comparson, Theorem 1.1 works wthout any such restrcton but the share sze s larger. In addton, Csrmaz and Tardos presented a scheme for the evolvng 2-threshold access structure n whch the share sze of party t s lnear n t. We use ths scheme as a base for our 2-threshold scheme (Theorem 1.2) whch gves an exponental mprovement on ther scheme. Other evolvng settngs. There are numerous areas where systems are desgned to work wthout any fxed upper bound on the sze or the duraton they wll be used. A few examples nclude prefx codes of the ntegers (a.k.a. prefx-free encodngs), such as the Elas code [El75] or the onlne encodng of Dods et al. [DPT10], labelng nodes for testng adjacency n possbly nfnte graphs [KNR92], forward-secure sgnatures wth an unbounded number of tme perods [MMM02], and data structures for approxmate set membershp (Bloom flters) for sets of unknown sze [PSW13]. Other connectons to prefx codes. There are other settng n whch problems were shown to be tghtly related to prefx codes. For example, Bentley and Yao [BY76] studed the unbounded search problem (.e. the problem of comparson-based search n an array of unbounded sze) and showed an effcent determnstc algorthm for the problem. Moreover, they observed that every such algorthm mples a prefx-free encodng of the ntegers. Another work wth related deas was of Even and Rodeh [ER78] who showed a method for nsertng delmters n a contguous sequence of strngs wthout addng new symbols and wth mnmal overhead. 3

5 1.3 Overvew of Our Constructons and Technques Frst, we overvew our constructon for general evolvng access structures. Then, we descrbe our constructon for the evolvng 2-threshold access structure. Ths serves as a warm-up for our more general constructon for k-threshold access structures. Lastly, we dscuss the connecton wth prefx codes. General evolvng access structures. Let A be any evolvng access structure and let A t = A [t] be the qualfed sets at tme t. Note that the dealer does not know A n advance but s only gven A t when the t th party arrves. Let s {0, 1} be the secret to be shared. The share of party t N conssts of 2 t 1 bts, each denoted by r A for A [t 1]. The r A s are generated as follows: f party t completes a mnmal qualfed set wth A = { 1,..., k }, namely A {t} A t, then the dealer gves party t the bt r A {t} = r {1 }... r {1,..., k } s. Otherwse, f A {t} s unqualfed, then the dealer sets r A {t} {0, 1} to be a unformly random bt. Thus, by XORng the approprate shares a qualfed set can recover s. Detals can be found n Secton 3. Prefx codes and evolvng 2-threshold. Gven any prefx code n whch the length of the t th codeword s σ(t), we construct a secret sharng scheme for the evolvng 2-threshold access structure n whch the share sze of the t th party s σ(t). The dealer mantans an nfntely (random) growng strng w and gves the t th party arrvng ether the strng w[1 : σ(t)] (f the secret to share s 0), or w[1 : σ(t)] Σ(t), where w[1 : σ(t)] s the σ(t)-bt length prefx of w and Σ(t) s the encodng of the number t usng the prefx code. One can verfy that each sngle share does not leak any nformaton about the secret whle any two partes can together decde f one s share s a prefx of the other s and thus recover the secret. Usng Elas s prefx code constructons [El75] we get a scheme n whch the share sze s roughly log t + 2 log log t bts. On the other hand, any secret sharng scheme for the evolvng 2-threshold access structure n whch the share sze of the t th party s σ(t), mples the exstence of a prefx code n whch the length of the t th codeword s σ(t). Ths comes from the fact that the share lengths n a 2-threshold scheme must satsfy Kraft s nequalty whch s a suffcent condton to yeld prefx codes. Evolvng 2-threshold, drectly. The scheme that results from the connecton to prefx codes s optmal when sharng a 1-bt secret. Our next step s to consder a drect constructon of a scheme for ths access structure whch has several advantages: (1) t supports sharng long secrets much more effcently, (2) t serves as a warm-up to our constructon for the evolvng k-threshold access structure, and (3) t s lnear (a property that may be mportant n applcatons). We focus on sharng a sngle bt n ths overvew and refer to Secton 4.2 for the general case. The approach of [CT12] for the evolvng 2-threshold access structure s to gve party t a random bt b t and all bts s b 1,..., s b t 1. Ths clearly allows for each par of partes to reconstruct the secret and ensures that for every sngle party the secret remans hdden. The share sze of the t th party n ths scheme s t. (Essentally the same scheme also follows from our general constructon n Secton 3 wth a smple effcency mprovement descrbed towards the end of that secton.) Generalzng ths dea to larger values of k results wth shares of sze roughly t k 1. Whereas the above approach s somewhat nave (and very neffcent n terms of share sze), our constructon s more subtle and results wth exponentally shorter shares. Our man buldng block s a doman reducton technque whch allows us to start wth a nave soluton and apply t only on a small number of partes to get an overall mproved constructon. Detals follow. We assgn each party a generaton, where the g th generaton conssts of 2 g partes (.e. the generatons are of geometrcally ncreasng sze). Wthn each generaton we execute a standard 4

6 secret sharng scheme for 2-threshold. Notce that here we know exactly how many partes are n the same generaton: party t s part of generaton g = log t and the sze of that generaton s sze(g) t. A standard secret sharng scheme for 2-out-of-t costs roughly log t bts (usng Shamr s scheme; see Clam 2.4). Ths solves the case n whch both partes come from the same generaton. To handle the case where the two partes come from dfferent generatons we use a (possbly nave) scheme for the evolvng 2-threshold access structure. For each generaton we generate one share for the evolvng scheme and gve t to each party n that generaton. Thus, f two partes from dfferent generatons come together they hold two dfferent shares for the evolvng scheme that allow them to reconstruct the secret. Snce we generate one share of the evolvng scheme per generaton, party t holds the share of the (g = log t) th party of the evolvng scheme! Summng up, f we start wth a scheme n whch the share sze of the t th party s σ(t), then we end up wth a scheme wth share sze roughly σ (t) = log t + σ(log t). To get our result we start wth a scheme n whch σ(t) = t (descrbed above) and teratvely apply ths argument to get better and better schemes. Evolvng k-threshold. There are several deas underlyng the generalzaton of the 2-threshold scheme to work for any threshold k. As before, we assgn each party to a generaton, but now the g th generaton s roughly of sze 2 (k 1) g. Ths means that party t s n generaton g = (log t)/(k 1) that ncludes sze(g) = t 2 k 1 partes. Agan, wthn a generaton we apply a standard k-out-ofsze(g) secret sharng scheme. Ths costs us log(sze(g)) log t + k bts usng Shamr s scheme. Ths solves the problem f k partes come from the same generaton. We are left wth the case where the k partes come from at least two dfferent generatons. For ths we use a (possbly nave) scheme for the evolvng k-threshold access structure. For each generaton we generate k 1 shares s 1,..., s k 1 for the evolvng scheme and share each s usng a standard -out-of-sze(g) secret sharng scheme. Thus, f w k 1 partes from some generaton come together, they can reconstruct s 1,..., s w whch are w shares for the evolvng scheme. Therefore, any k partes (that come from at least two generatons) can reconstruct k shares for the evolvng k-threshold scheme that enable them to reconstruct the secret. Snce we generate k 1 shares of the evolvng scheme per generaton, party t holds (roughly) the share of the (log t + k) th party of the evolvng scheme. The share sze needed to share each s s max{log(sze(g)), s } max{log t + k, σ(log t + k)} (usng Shamr s scheme; see Clam 2.4). Summng up, f we start wth a scheme n whch the share sze of the t th party s σ(t), then we end up wth a scheme wth share sze roughly σ (t) = log t + (k 1) max{log t + k, σ(log t + k)}. A small optmzaton s that sharng s 1 costs just s 1, as we can gve s 1 to each party (smlarly to what we dd n the k = 2 case). We want to teratvely apply ths doman reducton procedure. For ths we have to specfy the ntal scheme. If we start wth the scheme that results from the constructon n Theorem 1.1 whch has share sze roughly 2 t (or roughly t k wth a mnor optmzaton), then the resultng scheme wll have a factor that depends exponentally on k. Ths makes the scheme mpractcal even for small values of k. To get around ths we present a talor-made constructon for the evolvng k-threshold n whch the share sze of party t has almost lnear dependence on t and k. Specfcally, the share sze n ths scheme s kt log(kt). For ths, we use a varant of the scheme for general access structures such that we group partes nto generatons and use the fact that we only care about the number of partes n each generaton and not ther denttes. We assocate wth each generaton g bts r A for A = (c 0,..., c g ) {0,..., k} g, where each c ndcates how many partes arrve from generaton. For 5

7 each such A the dealer chooses the element r A such that f c g = 0, then r A = 0, f g =0 c < k, the bt r A s chosen unformly at random, and f g =0 c = k, t s set to be r A = r (c0 )... r (c0,...,c g 1 ) s. If c g > 0, the dealer shares r A among the partes n generaton g usng a Shamr c g -out-of-sze(g) scheme, where sze(g) s the number of partes n a generaton. Lettng the number of partes n generaton g be roughly k g+1, we get that the share sze of a party n generaton g s k g+1 log(k g+1 ) (snce we apply Shamr s scheme on each r A ). Party t s part of generaton g = log k t whch mples that ts share sze s kt log(kt), as requred. 2 Model and Defntons For an nteger n N we denote by [n] the set {1,..., n}. We denote by log the base 2 logarthm and assume that log 0 = 0. For a set X we denote by x X the process of samplng a value x from the unform dstrbuton over X We start by brefly recallng the standard settng of (perfect) secret sharng. Let P n = {1,..., n} be a set of n partes. A collecton of subsets A 2 Pn s monotone f for every B A, and B C t holds that C A. Defnton 2.1 (Access structure). An access structure A 2 Pn s a monotone collecton of nonempty subsets. Subsets n A are called qualfed and subsets not n A are called unqualfed. Defnton 2.2 (Threshold access structure). For every n N and 1 k n, let (k, n)-thr be the threshold access structure over n partes whch contans all subsets of sze at least k. A (standard) secret sharng scheme nvolves a dealer who has a secret, a set of n partes, and an access structure A. A secret sharng scheme for A s a method by whch the dealer dstrbutes shares to the partes such that any subset n A can reconstruct the secret from ts shares, whle any subset not n A cannot reveal any nformaton on the secret. More precsely, a secret sharng scheme for an access structure A conssts of a par of probablstc algorthms (SHARE, RECON). SHARE gets as nput a secret s (from a doman of secrets S) and a number n, and generates n shares Π (s) 1,..., Π(s) n. RECON gets as nput the shares of a subset B and outputs a strng. The requrements are: 1. For every secret s S and every qualfed set B A, t holds that Pr[RECON({Π (s) } B, B) = s] = For every unqualfed set B / A and every two dfferent secrets s 1, s 2 S, t holds that the dstrbutons ({Π (s 1) } B ) and ({Π (s 2) } B ) are dentcal. The share sze of a scheme s the maxmum number of bts each party holds n the worst case over all partes and all secrets. A useful fact that we use n some of our proofs s that concatenaton of ndependently generated shares does not harm securty. That s, for any two secrets s 0, s 1 and any two access structures A 0, A 1, f a set of partes s unqualfed n both structures, then t cannot gan any nformaton regardng the secrets. We state ths fact for two access structures and two secrets next, but t naturally generalzes to more. Fact 2.3. Fx two access structures A 0, A 1 wth correspondng secret sharng schemes, four secrets s (0) 0, s(0) 1, s(1) 0, s(1) 1, and a set of partes B / A 1, A 2 that s unqualfed both n A 0 and n A 1. 6

8 Then, the dstrbutons ({Π (s(0) 0 ) 0,, Π (s(0) 1 ) 1, } B ) and ({Π (s(1) 0 ) 0,, Π (s(1) 1 ) 1, } B ) are dentcal, where Π (s(a) c, for a, b {0, 1} and [n] s a random varable for the share of the th party when sharng the secret s (a) b accordng to A b. The well known scheme of Shamr [Sha79] for the (k, n)-thr access structure (based on polynomal nterpolaton) satsfes the followng. Clam 2.4 ([Sha79]). For every n N and 1 k n, there s a secret sharng scheme for secrets of length m and the (k, n)-thr access structure n whch the share sze s l, where l max{m, log q} and q > n s a prme number (or a power of a prme). Moreover, f k = 1 or k = n, then l = m Secret Sharng for Evolvng Access Structures We proceed wth the defnton of an evolvng access structure. Roughly speakng, the partes arrve one by one and, n the most general case, a qualfed subset s revealed only when all partes n that subset are present (n specal cases the access structure s known to begn wth, but there s no upper bound on the number of partes). To make sense of sharng a secret wth respect to such a sequence of access structures, we requre that the changes to the access structure are monotone, namely, partes are only added and qualfed sets reman qualfed. Defnton 2.5 (Evolvng access structure). An evolvng access structures A 2 N s a (possbly nfnte) monotone collecton of subsets of the natural numbers such that for any t N, the collecton of subsets A t A [t] s an access structure. Ths defnton naturally gves rse to an evolvng varant of threshold access structures (see Defnton 2.2). Here, we thnk of k as fxed, namely, ndependent of the number of partes. Defnton 2.6 (Evolvng threshold access structure). For every k N, let evolvng k-thr be the evolvng threshold access structure whch contans all subsets of 2 N of sze at least k. We generalze the defnton of a standard secret sharng scheme to apply for evolvng access structures. Intutvely, n ths settng, at any pont t N n tme, there s an access structure A t whch defnes the qualfes and unqualfed subsets of partes. Defnton 2.7 (Secret sharng for evolvng access structures). Let A be an evolvng access structure. Let S be a doman of secrets, where S 2. A secret sharng scheme for A and S conssts of a par of algorthms (SHARE, RECON). The sharng procedure SHARE and the reconstructon procedure RECON satsfy the followng requrements: 1. SHARE(s, {Π (s) 1,..., Π(s) t 1 }) gets as nput a secret s S and the secret shares of partes 1,..., t 1. It outputs a share for the t th party. For t N and secret shares Π (s) 1,..., Π(s) t 1 generated for partes {1,..., t 1}, respectvely, we let be the secret share of party t. Π (s) t SHARE(s, {Π (s) 1,..., Π(s) t 1 }) We abuse notaton and sometmes denote by Π (s) t the secret share of party t generated as above. b ) the random varable that corresponds to 3 Schemes n whch the share sze s equal to the secret sze are known as deal secret sharng schemes. 7

9 2. Correctness: For every secret s S and every t N, every qualfed subset n A t can reconstruct the secret. That s, for s S, t N, and B A t, t holds that [ ] Pr RECON({Π (s) } B, B) = s = 1, where the probablty s over the randomness of the sharng and reconstructon procedures. 3. Secrecy: For every t N, every unqualfed subset B / A t, and every two secret s 1, s 2 S, the dstrbuton of the secret shares of partes n B generated wth secret s 1 and the dstrbuton of the shares of partes n B generated wth secret s 2 are dentcal. Namely, the dstrbutons ({Π (s 1) } B ) and ({Π (s 2) } B ) are dentcal. The share sze of the t th party n a scheme for an evolvng access structure s max Π t, namely the number of bts party t holds n the worst case over all secrets and prevous assgnments. 4 On choosng the access structure adaptvely. One can also consder a stronger defnton n whch A t s chosen at tme t (rather than ahead of tme) as long as qualfed sets reman qualfed. In ths varant, the RECON procedure gets the addtonal new qualfed sets as an addtonal parameter. Our constructon of a secret sharng scheme for general evolvng access structures n Secton 3 works for ths noton as well. On the doman of secrets. Unless otherwse stated, we usually assume that the secret s a sngle bt (ether 0 or 1). One can generalze any such scheme to support longer secrets by secret sharng every bt of the secret ndependently, sufferng a multplcatve factor n share sze that depends on the length of the secret. When we generalze our schemes to support long secrets, ths nave generalzaton wll be our benchmark. 2.2 Warm-Up: Undrected st-connectvty We start wth a smple warm-up scheme. We show that the standard scheme for the st-connectvty access structure can be easly adapted to the evolvng settng. In ths access structure partes correspond to edges of an undrected graph G = (V, E). There are two fxed vertces n the graph called s and t (where s, t V ). A set of partes (.e. edges) s qualfed f and only f they nclude a path from s to t. Around 1989 Benaloh and Rudch [BR88] constructed a (standard) secret sharng for ths access structure. The dealer, gven a secret s {0, 1}, assgns wth each vertex v V a label. For v = s the label s w s = s, for v = t the label s w t = 0 and for the rest of the vertces the label s chosen ndependently unformly at random w v {0, 1}. The share of a party e = (u, v) E s w u w v. For correctness consder a set of partes that nclude a path s = v 1 v 2... v k = t from s to t. To reconstruct the secret, the partes XOR ther shares to get (w v1 w v2 ) (w v2 w v3 ) (w vk 1 w vk ) = w v1 w vk = s. For securty, one can show that any subset of partes that do not form a path from s to t, hold shares whch are ndependent of the secret. One way to prove ths s to show that the number of 4 Ths means that the share sze s bounded, whch s almost always the case. An excepton s the scheme (for ratonal secret sharng) of Kol and Naor [KN08] n whch the share sze does not have a fxed upper bound. 8

10 ways to get to the shares of the partes gven the secret 0 s equal to the number of ways to get to these shares gven the secret 1 (see [Be11, 3.2]). One can observe that ths access structure and scheme naturally generalze to the evolvng settng. In ths settng, we consder an evolvng (possbly nfnte) graph, where the set of nodes and edges are unbounded. At any pont n tme an arbtrary set of vertces and edges can be added to the graph. An addton of an edge corresponds to a new party added to the scheme. The specal vertces s and t are fxed ahead of tme and cannot change (ths s to ensure the access structure s evolvng). Intally, the dealer assgns labels for the specal vertces s and t, as before (.e. t sets w s = s and w t = 0). For the rest of the vertces the dealer assgns (unformly random) labels only on demand: When a new edge e = (u, v) s added to the graph (whch corresponds to a new party), the dealer gves the party correspondng to the edge e the XOR of the labels of the vertces u and v. Correctness and securty of ths scheme follow smlarly to the correctness and securty of the standard scheme. One can see that the share sze of each party s exactly the sze of the secret. 3 A Scheme for General Evolvng Access Structures We gve a constructon of a secret sharng scheme for every evolvng access structure. Theorem 3.1 (Theorem 1.1 restated). For every evolvng access structure there s a secret sharng scheme for a 1-bt secret, where for any t N, the share sze of the t th party s at most 2 t 1. Proof of Theorem 3.1. Let A be an evolvng access structure. Let s {0, 1} be the secret to be shared. We descrbe what the dealer stores and how t prepares a share for an arrvng party. At tme t the dealer mantans 2 t bts denoted by s A for all A [t]. Intally, we set s = s. The value of each s A for A = { 1,..., k, t} [t] s defned as follows: 1. If A / A t, the dealer samples r A {0, 1} unformly at random and sets s A = s A\{t} r A. The dealer gves party t the bt r A. 2. If A A t and A \ {t} / A t 1, the dealer gves party t the bt s A\{t}. Party t holds at most a sngle bt for every A [t] such that t A. Ths mples that the share sze of party t s at most 2 t 1 bts. Correctness and securty. We argue correctness at tme t N, where the access structure s A t. Let A = { 1,..., k, t} be a mnmal qualfed set of partes present at tme t. Snce A A t, for every j [k], party j holds the bt r {1,..., j }. Party t, by constructon, holds the bt s A = r {1 }... r {1,..., k } s. Therefore, by XOR-ng all the shares the partes n A can recover s. We prove that our scheme s secure by nducton on t. For t = 1, the scheme s secure snce ether the set consstng of frst party s qualfed, n whch case the scheme s secure (snce no nformaton s publc); f the frst party s unqualfed by tself, then the ths party smply gets a random bt r {1} whch s ndependent of the secret. Suppose that the scheme s secure for access structures over t 1 partes. Consder a set A = { 1,..., k, t} of partes that form an unqualfed set relatve to A t. Consder the dealer rght after t performs the sharng to the frst party. At ths pont the dealer mantans two bts: s and s {1}. Now, we observe that the remanng procedure of the dealer conssts of two nstances of the scheme for two access structures over t 1 partes and two secrets. 9

11 The key pont s that these secret-sharngs are done ndependently (and hence ther concatenaton s secure). Frst, the dealer shares the secret s among partes 2,..., t w.r.t the access structure A 0 t = {A {2,..., t} A A t } that contans all qualfed sets n whch the frst party does not partcpate n. Second, the dealer shares the secret s {1} among partes 2,..., t w.r.t the access structure A 1 t = {A {2,..., t} {1} A A t } that contans all qualfed sets n whch the frst party s a member. Snce the orgnal set of partes s unqualfed, t must be that (1) the remanng set of partes (.e. A \ {1}) s unqualfed n A 0 t and (2) ether 1 / A or the remanng set of partes s unqualfed n A 1 t. We can apply the nducton hypothess on the sharng accordng to A 0 t and get that the secret s ndependent of the correspondng shares. For the second part, there are two cases: (1) If 1 / A, then the shared secret (s {1} ) s ndependent of s and therefore the whole vew of the shares of A s ndependent of s. (2) If 1 A but A / A t, then the set A knows the maskng of s whch s a random bt r {1}, however, the nducton hypothess ensures that the shares of the remanng partes are ndependent of s {1} = s r {1}, whch mples that they are ndependent of the secret. Each case s ndependent of one another and n each case the resultng shares are ndependent of the secret. Usng Fact 2.3, we conclude that the secret remans perfectly hdden. The share sze n some specal cases. In some cases, dependng on the access structure, t s possble to analyze the worst case share sze more carefully. Recall that n our scheme each party gets two types of bts: 1. A bt for each unqualfed subset of [t] that party t partcpates n. For the case when the access structure s known ahead of tme, the only unqualfed sets to consder are those that can be expanded to a qualfed subset usng future partes. 2. A bt for each qualfed subset of [t] that party t completes (.e. t s the last one). Thus, when the number of unqualfed sets s small, we can get a better bound. Consder, for example, the evolvng 2-thr access structure. At tme t, there are only t unqualfed sets (the sngletons). Thus, the share sze of the t th party s exactly t (we use ths fact n Secton 4). More generally, for the evolvng k-thr access structure, there are k 2 ( t 1 ) ( =0 unqualfed sets and t 1 ) k 1 qualfed sets whch t completes, mplyng a scheme wth share sze roughly t k 1. 4 Evolvng 2-Threshold In ths secton we present an equvalence between prefx codes for the ntegers and secret sharng schemes for 1-bt secrets and the evolvng 2-threshold access structure. Ths constructon gves an effcent scheme (based on Elas s prefx code [El75]) whch we show to be optmal n terms of share sze. Theorem 4.1 (Theorem 1.3 restated). Let σ : N N. A prefx code for the ntegers n whch the length of the t th codeword s σ(t) exsts f and only f a secret sharng scheme for the evolvng 2-threshold access structure and a 1-bt secret n whch the share sze of the t th party s σ(t). Corollary 4.2. There s a secret sharng scheme for the evolvng 2-thr access structure and a 1-bt secret n whch the share sze of the t th party s log t + 2 log log t

12 Corollary 4.3. For any constants c, l N, there s no secret sharng scheme for the evolvng 2- thr access structure n whch for every t N the share sze of the t th party s at most log t + log log t log (l) t + c, where log () (t) s the -tmes repeated log of t. Furthermore, we gve a drect constructon of a secret sharng scheme the evolvng 2-threshold access structure that s more effcent when sharng longer secrets. Ths scheme has the addtonal advantages that t serves as a warm-up for our scheme for the evolvng k-thr access structure gven n Secton 5 and t s lnear (whereas the scheme from Corollary 4.2 s non-lnear). Theorem 4.4. There s a secret sharng scheme for the evolvng 2-thr access structure and an l-bt secret n whch the share sze of the t th party s log t + (l + 1) log log t + 4l The Connecton to Prefx Codes Here we prove Theorem 4.1, the tght connecton between schemes for the evolvng 2-threshold access structure and prefx codes. We also deduce Corollares 4.2 and 4.3, upper and lower bounds (respectvely) on share sze n schemes for the evolvng 2-threshold access structure. Proof of the only f part of Theorem 4.1. Let Σ: N {0, 1} be a prefx code for the ntegers. That s, for any t 1, t 2 N such that t 1 t 2, t holds that Σ(t 1 ) s not a prefx of Σ(t 2 ). For t N denote by σ(t) the length of the codeword Σ(t). The scheme. Let s {0, 1} be the secret to be shared. Let w be an nfnte random bnary strng. The dealer generates the strng as needed: at tme t N the dealer holds the prefx of length σ(t) of the strng w, denoted by w [σ(t)] (for smplcty we assume that σ(t) s monotoncally ncreasng, but ths s not necessary). The share of party t s a strng u t such that: 1. If s = 0, then u t = w [σ(t)]. 2. If s = 1, then u t = Σ(t) w [σ(t)] (bt-wse XOR). The share sze of the t th player n ths scheme s σ(t). To reconstruct the secret, any two dfferent partes t 1 and t 2, holdng shares u 1 and u 2, respectvely, where u 1 u 2, should check f u 1 s a prefx of u 2. If t s a prefx, then they output s = 0 and otherwse, they output s = 1. Correctness and securty. If s = 0, then snce u 1 and u 2 are both prefxes of the same strng w t holds that u 1 s a prefx of u 2. On the other hand, f s = 1 then u 1 = Σ(t 1 ) w [σ(t1 )] and u 2 = Σ(t 2 ) w [σ(t2 )], where w [σ(t1 )] s a prefx of w [σ(t2 )]. Snce Σ s a prefx code, Σ(t 1 ) s not a prefx of Σ(t 2 ), and thus u 1 s not a prefx of u 2. Securty follows snce for both s = 0 and for s = 1 each sngle party t holds a sngle strng u t whch s unformly dstrbuted over {0, 1} σ(t). In case s = 0 ths s true by constructon, and n case s = 1 ths s true snce all the party sees s the codeword Σ(t) XORed wth w [σ(t)] whch s unform. Proof of Corollary 4.2 (an nstantaton va Elas s code). We descrbe the prefx code of Elas [El75] as a two step soluton (for smplcty, n the descrpton we gnore roundng ssues). The frst step wll be a basc scheme and the second step wll recursvely use the basc scheme to mprove the sze of the encodng (ths s very smlar to the strategy we use n the proof of 11

13 Corollary 4.2). In the basc scheme, a number t N s encoded n two parts: the frst part s log t zeros (ths s just a unary representaton of the length of t) and the second part s the bnary representaton of t. In total, the sze of the encodng s 2 log t + 1. In the second step, we encode the frst part of the basc scheme recursvely usng the basc scheme tself. Specfcally, we encode the unary representaton of the length of t usng 2 log log t + 1 bts va the basc scheme. Ths results wth an encodng of sze log t + 2 log log t + 2 (one can recursvely apply ths transformaton and get an even shorter encodng). Proof of the f part of Theorem 4.1. Assume that we are gven a secret sharng scheme for the evolvng 2-threshold access structure and a 1-bt secret n whch the share sze of the t th party s σ(t). A property that the functon σ( ) must satsfy s mplct n the lower bound of Klan and Nsan [KN90] (that appears n [CCX13, Appendx A]) on the share sze n 2-out-of-n secret sharng schemes. It says that the share szes n such a scheme must satsfy Kraft s nequalty (see below). Clam 4.5 (Implct n [KN90] and [CCX13, Appendx A]). For any n N, n any secret sharng scheme for (2, n)-thr, t holds that n 1 t=1 1, where σ(t) s the share sze of the t th party. 2 σ(t) It s known that Kraft s nequalty gves a necessary and suffcent condton for the exstence of a prefx code for a gven set of codeword lengths. Clam 4.6 ([CT06, Theorem 5.2.1]). For any prefx code over the alphabet {0, 1}, the codeword lengths σ(1),..., σ(n) must satsfy n 1 t=1 1. Conversely, gven a set of codeword lengths that 2 σ(t) satsfy ths nequalty, there exsts a prefx code wth these word lengths. The proof of the suffcent drecton s constructve: gven the collecton of lengths of codewords t s possble to construct the code. Furthermore, we do not need to know the collecton of lengths n advance,.e. we can create the code on the fly, as long as the demand ( 1 t, where σ(t) s 2 σ(t) the sze of the encodng of the number t) does not exceed 1 [CT06, Theorem 5.2.2]. Thus, any secret sharng scheme for the evolvng 2-thr access structure n whch the share sze of the t th party s σ(t), mples the exstence of a prefx code n whch the length of the t th codeword s σ(t) (however, effcency mght not be preserved). Proof of Corollary 4.3 (the lower bound). Assume (towards contradcton) that there s a secret sharng scheme for the evolvng 2-thr access structure n whch the share sze of the t th party s at most σ(t) = log t + log log t log (l) t + c for constants c, l N. We can use ths scheme to mplement a standard secret sharng scheme for (2, n)-thr n whch the share sze of party t [n] s σ(t). By Clam 4.5, we get that 1 n t=1 1 2 σ(t) 1 2 c n t=1 1 t log t... log (l 1) t. But, as n the rght hand sde s at least 1 2 c 1 1 dt = l 1 =0 log() (t) log(l) t, whch s strctly larger than 1 for large enough t. Ths s a contradcton whch proves our clam. 4.2 A Drect Constructon Here we prove Theorem 4.4, a drect constructon of a secret sharng scheme for the evolvng 2-thr access structure. The constructon s based on the followng recursve composton lemma. 12

14 Lemma 4.7. Assume that there exsts a secret sharng scheme for the evolvng 2-thr access structure and an l-bt secret n whch the share sze of the t th party s σ(t). Then, there exsts a secret sharng scheme for the evolvng 2-thr access structure n whch the share sze of the t th party s max{l, log t} + σ(log t + 1). Proof. Let Π be a constructon of a secret sharng scheme for evolvng 2-thr n whch the share sze of the t th party when sharng an l-bt secret s σ(t). Let s {0, 1} l be the secret to be shared. Each party, when t arrves, s assgned to a generaton. The generatons are growng n sze: For g = 0, 1, 2... the g th generaton begns when the (2 g )-th party arrves. Therefore, the sze of the g th generaton, namely, the number of partes that are part of ths generaton, s sze(g) = 2 g and party t N s part of generaton g = log t. When a generaton begns the dealer prepares shares for all partes that are part of that generaton. Let us focus on the begnnng of the g th generaton and descrbe the dealer s procedure: 1. Splt s usng a secret sharng scheme for (2, sze(g))-thr. Denote the resultng shares by u (g) 1,..., u(g) sze(g). 2. Generate one share usng the secret sharng scheme Π gven the secret s and prevous shares {v () } {0,...,g 1}. Denote the resultng share by v (g). 3. Set the secret share of the j th party n the g th generaton (.e. j [sze(g)]) to be ( u (g) j, v (g)). The output of the scheme s depcted n Fgure 1. 1 v (0) Generaton 0 u 1 (0) 2 v (1) 3 v (1) Generaton 1 u 1 (1) u 2 (1) 4 v (2) 5 v (2) 6 v (2) 7 v (2) Generaton 2 u 1 (2) u 2 (2) u 3 (2) u 4 (2) 8 v (3) 9 v (3) 10 v (3) 11 v (3) 12 v (3) 13 v (3) 14 v (3) 15 v (3) Generaton 3 u 1 (3) u 2 (3) u 3 (3) u 4 (3) u 5 (3) u 6 (3) u 7 (3) u 8 (3) Fgure 1: The shares of partes 1,..., 15 from generatons 0,..., 3. 13

15 Correctness and securty. Let t 1, t 2 N be any two dfferent partes. If t 1 and t 2 are from the same generaton g (.e. f g = log t 1 = log t 2 ), then they can reconstruct the secret s usng the reconstructon procedure of the (2, sze(g))-thr scheme usng the correspondng u (g) shares. If they are from dfferent generatons g 1 g 2, then the partes can compute s usng the reconstructon procedure of the evolvng 2-thr scheme and the two shares v (g1) and v (g2). For securty consder any sngle party t N from generaton g. We use Fact 2.3 and the assumptons that the schemes (2, sze(g))-thr and evolvng 2-thr are secure, together wth the fact that the sharng accordng to both of them s done ndependently, to get that the secret s perfectly hdden and conclude the proof. Share sze analyss. Fx party t N and assume that t s the j th party of generaton g = log t. Its share s composed of two parts: 1. u (g) j generated by secret sharng s usng a scheme for (2, sze(g))-thr. Snce sze(g) = 2 g and usng Clam 2.4 we get that u (g) j max{l, log (sze(g))} max{l, log t}. 2. v (g) generated by generatng one share of a secret sharng scheme Π for evolvng 2-thr. Recall that g shares were generated for prevous generatons. Therefore, v (g) = σ(g + 1) = σ( log t + 1). Thus, the total share sze n the scheme Π s bounded by max{l, log t} + σ(log t + 1). Proof of Theorem 4.4. We start wth the scheme descrbed n the end of Secton 3 for sharng a 1-bt secret for the evolvng 2-threshold access structure. We denote by Π (0) ths scheme when used to share an l-bt secret (by sharng each bt ndependently). The share sze n ths scheme s 5 σ (0) (t) = lt. Usng Lemma 4.7 we get a scheme Π (1) n whch the share sze of the t th party s σ (1) (t) = max{l, log t} + σ (0) (log t + 1) = max{l, log t} + l log t + l (l + 1) log t + 2l. Applyng Lemma 4.7 agan we get a scheme Π (2) wth shares of sze σ (2) (t) = max{l, log t} + σ (1) (log t + 1) max{l, log t} + (l + 1) log(log t + 1) + 2l log t + (l + 1) log log t + 4l + 1. We note that by applyng Lemma 4.7 more tmes one can push the multplcatve dependence on l to even lower-order terms. 5 Alternatvely, we can use the constructon of [CT12] (see Secton 1.3) whch gves the same share sze. 14

16 5 Evolvng k-threshold In ths secton we gve a constructon of a secret sharng scheme for the evolvng k-threshold access structure for general k N. The scheme that we gve s lnear. Theorem 5.1 (Theorem 1.2 restated). For every k, l N, there s a secret sharng scheme for the evolvng k-thr access structure and an l-bt secret n whch for every t N the share sze of the t th party s (k 1) log t + 6k 4 l log log t log log log t + 7k 4 l log k. Our approach follows the general blueprnt of the one from Theorem 4.4. We start wth a basc scheme that has good dependency on k but poor dependency on t, and use a doman reducton technque n order to obtan better dependency on t. The queston s whch basc scheme should we use. If we start wth the scheme for the evolvng k-threshold access structure n whch the share sze s exponental n t or k (whch s what we get usng the scheme from Theorem 3.1), then (after the recursve composton) the share sze wll depend exponentally on k. To overcome ths, n Secton 5.1, we present a talor-made constructon for the evolvng k- threshold access structure n whch the share sze of party t has almost lnear dependence on k t. The recursve composton lemma appears n Secton 5.2 and the proof of Theorem 5.1 appears n Secton The Basc Scheme The man result of ths subsecton s a constructon of a secret sharng scheme for the evolvng k- thr access structure n whch the share sze of party t s roughly lnear n k t. Lemma 5.2. For every k, l N, there s a secret sharng scheme for the evolvng k-thr access structure and an l-bt secret n whch for every t N the share sze of the t th party s bounded by kt max{l, log(kt)}. Proof. Our scheme can be vewed as a varant of the scheme for general access structures from Secton 3 wth an addtonal mechansm of generatons. Our man dea s not to consder all possble combnatons of k partes (as n Secton 3), but to group partes nto generatons, gnore the denttes of the partes wthn a generaton, and only focus on ther quantty. Each party, when t arrves, s assgned to a generaton. Party t N s assgned to generaton g = log k t. The generatons are growng n sze: For g = 0, 1, 2... the g th generaton begns when the k g -th party arrves. Therefore, the sze of the g th generaton (.e. the number of partes that are members of ths generaton), s sze(g) = k g+1 k g = (k 1) k g. Let s {0, 1} l be the secret. When a generaton g begns the dealer remembers k g l-bt strngs s A for all A = (c 0,..., c g 1 ) {0,..., k} g (where f g = 0 t remembers only the secret). Intutvely, each such s A s an l-bt strng that we share to the partes n generaton g assumng that n generaton {0,..., g 1} c partes arrved. We explan how the dealer sets the value of s A for A = (c 0,..., c g ). Notaton: let s prev(a) = s f g = 0 and s prev(a) = s (c0,...,c g 1 ) otherwse. 1. If c g = 0, set s A = s prev(a) and HALT. 2. If c c g < k, then the dealer: 15

17 (a) samples r A {0, 1} l unformly at random. (b) sets s A = s prev(a) r A. (c) shares the l-bts r A among the partes n the g th generaton usng Shamr s (c g, sze(g))-thr secret sharng scheme. 3. If c c g = k, then the dealer shares the l-bt strng s prev(a) among the partes n the g th generaton usng Shamr s (c g, sze(g))-thr secret sharng scheme. For correctness, consder any mnmal qualfed set of partes, namely a set of k partes. Let g be the generaton of the latest party and let A = (c 0,..., c g ) be a tuple of numbers that ndcates how many partes arrve from each generaton. It holds that g =0 c = k and wthout loss of generalty c g > 0. We show that these partes can recover s, as requred. Indeed, the c g partes from generaton g can recover s prev(a) whch s equal to s r (c0 ) r (c0,c 1 )... r (c0,...,c g 1 ) (or t s exactly s f g = 0 n whch case we are done). Now, the c 0 partes from generaton 0 can recover r (c0 ), the c 1 partes from generaton 1 can recover r (c0,c 1 ), and so on. Thus, all present partes together can recover s, as requred. The proof of securty s by nducton, n the sprt of the proof of securty of the scheme for general access structures gven n Secton 3. We assume (by nducton) that the scheme s secure for g generatons and all thresholds up to k and prove that the scheme s secure for g + 1 generatons and all thresholds up to k. The base case follows mmedately from the securty of Shamr s scheme. After the dealer generates shares for generaton 0, t holds k l-bt strng: s (0), s (1),..., s (k 1), where s (0) = s s the orgnal secret and where for [k 1] s () = s r () for a random r (). Namely, each such s () s an ndependent one-tme pad of the secret, where each pad s shared among the partes n the 0 th generaton such that any of them can recover t (usng Shamr s scheme). The remanng procedure of the dealer conssts of ndependently sharng each such s () va the evolvng (k )-thr access structure among g generatons. Snce the set controlled by the adversary s unqualfed, for each such secret s (), ether the padded secret or the pad cannot be recovered, ether by the securty of Shamr s scheme or by the securty of the scheme guaranteed by the nducton hypothess, respectvely. Thus, snce the sharng among dfferent secrets s done ndependently, we conclude by Fact 2.3 that the secret s perfectly hdden gven the whole set of shares seen by the adversary. Share sze analyss. The share of party t from generaton g s composed of k g+1 shares generated va standard threshold schemes over sze(g) partes. Thus, n total, the share sze of party t s bounded by k g+1 max{l, log(sze(g))}. Recall that g = log k t and sze(g) = (k 1) k g. Therefore, the share sze s bounded by k t max{l, log((k 1) t)} kt max{l, log(kt)}. 5.2 Recursve Composton Lemma 5.3. Fx k, l N. Assume that there exsts a secret sharng scheme for the evolvng k- thr access structure and an l-bt secret n whch the share sze of the t th party s σ(t). Then, there exsts a secret sharng scheme for the evolvng k-thr access structure and an l-bt secret n whch the share sze of the t th party s at most (k 1) log t + k σ(log t + k) + k 2 + l. 16