Fact-checked by Grok 2 weeks ago

Secret sharing

Secret sharing is a cryptographic method for distributing a secret among a group of participants, each of whom receives a share, such that the secret can be reconstructed only by combining a predefined minimum number of shares—known as the threshold—while any smaller number of shares provides no information about the secret. The concept was independently introduced in 1979 by Adi Shamir and George Blakley as a solution to the problem of secure key distribution without relying on a single trusted party. Shamir's scheme, often called Shamir's Secret Sharing, employs polynomial interpolation over a finite field: a random polynomial of degree k-1 is constructed with the secret as the constant term, and shares are points on this polynomial evaluated at distinct integers, allowing reconstruction via Lagrange interpolation when k points are available. In contrast, Blakley's geometric approach represents the secret as a point in a k-dimensional vector space, with each share being a hyperplane passing through that point; the secret is recovered at the unique intersection of any k such hyperplanes. In a general (k, n)-threshold secret sharing scheme, the secret is divided into n shares distributed to n participants, and any subset of at least k shares suffices to reconstruct it, while subsets of size less than k yield no information due to the scheme's perfect secrecy properties. These schemes can be extended beyond thresholds to arbitrary access structures, where specific authorized coalitions can reconstruct the secret, often using monotone span programs or linear algebra over fields. Secret sharing forms a foundational primitive in modern cryptography, enabling applications such as secure multi-party computation, threshold signatures and decryption, distributed storage systems, and blockchain consensus mechanisms by mitigating single points of failure and enhancing resilience against adversarial compromise. Variants include verifiable secret sharing to detect malicious dealers or participants, proactive schemes for share refreshment over time, and quantum-resistant constructions based on lattice problems.

Fundamentals

Definition and Basic Concepts

Secret sharing is a cryptographic method for distributing a secret among a group of participants such that the secret can only be reconstructed by authorized subsets of those participants, while unauthorized subsets gain no information about it. Formally, in a secret sharing scheme, a dealer distributes shares of a secret S to n participants, ensuring that only qualified subsets can recover S, and any unqualified subset learns nothing about S. This concept was independently introduced in 1979 by Adi Shamir and George Blakley as a solution to securely safeguarding sensitive information like cryptographic keys. A prominent form is threshold secret sharing, parameterized by integers (t, n) with $1 \leq t \leq n, where any group of at least t participants can reconstruct the secret S, but any group of fewer than t participants obtains no information about it. The dealer generates the shares during a share distribution phase, assigning one unique share to each of the n participants, who are assumed to hold their shares privately. This setup ensures perfect secrecy for unauthorized coalitions in information-theoretic schemes, meaning security holds unconditionally against unbounded adversaries. More generally, secret sharing can be defined over arbitrary access structures, which specify the qualified subsets authorized to reconstruct the secret. An access structure is typically monotone, meaning that if a subset is qualified, then any superset of it is also qualified; the minimal qualified subsets, known as minimal authorized sets, fully characterize the structure. In such schemes, shares are distributed so that participants in any qualified set can pool their shares to recover S, while those in unauthorized sets cannot. Basic notation in secret sharing often assumes the secret S is an element from a finite field \mathbb{F}, with shares represented as points on a polynomial or vectors in a vector space over \mathbb{F}. Schemes are classified by security type: information-theoretic (or perfect) security, where unauthorized sets have zero information about S regardless of computational power, versus computational security, where security relies on the hardness of computational problems and unauthorized sets have negligible information under polynomial-time attacks.

Importance and Motivations

Secret sharing schemes address critical needs in distributed systems where a single point of failure or compromise could lead to catastrophic loss of confidentiality, by distributing a secret among multiple parties such that reconstruction requires collaboration from a predefined threshold of participants. This motivation stems from the desire to mitigate risks associated with collusion or unauthorized access in multi-party environments, such as key escrow systems where no single entity holds full control over sensitive cryptographic keys. Originally proposed in 1979 by Adi Shamir and George Blakley independently, these schemes were designed to protect high-stakes secrets from partial disclosures, ensuring that even if some shares are compromised, the secret remains secure. In practice, secret sharing underpins threshold cryptography, enabling operations like multi-signature schemes where a group must collectively authorize actions, such as in secure multiparty computation protocols that tolerate faulty or malicious participants up to a certain threshold. It enhances data protection in cloud environments by fragmenting sensitive information across distributed storage, preventing any single provider from accessing the full secret and thus improving resilience against breaches. Unlike simple replication, which duplicates the secret and exposes it fully upon any compromise, secret sharing maintains confidentiality by rendering individual shares meaningless without the required quorum, thereby balancing availability with security in fault-tolerant systems. Real-world applications illustrate its versatility, for instance in conceptual designs for the safeguarding of nuclear launch codes, where shares are distributed among authorized personnel to prevent unilateral action. In corporate settings, it supports quorum-based decision-making for confidential board actions, ensuring that collective agreement is needed without risking exposure from isolated leaks. Blockchain consensus mechanisms leverage secret sharing for threshold signatures in decentralized networks, enhancing privacy and resistance to node failures in protocols like those used for cryptocurrency wallets. The evolution of secret sharing reflects its integration into modern standards, from early cryptographic primitives to its formal inclusion in ISO/IEC 11889 for Trusted Platform Modules (TPMs), which use it for secure key management and attestation in hardware-based security. This standardization underscores its role in building reliable systems for Byzantine fault tolerance, where it helps maintain agreement among distributed parties despite potential adversities.

Security Classifications

Secure Versus Insecure Schemes

Secret sharing schemes are classified as secure or insecure based on the strength of their security guarantees against adversaries. Secure schemes, often termed perfect or information-theoretic, ensure that any unauthorized set of at most t-1 participants reveals no information about the secret S, even if the adversary possesses unlimited computational power. This absolute privacy is formalized using entropy measures, where the conditional entropy H(S | shares of unauthorized set) equals the entropy H(S), meaning the shares provide zero mutual information about S. Such schemes satisfy two core criteria: the reconstruction property, where any qualified set of at least t participants can exactly recover S, and the privacy property, where the distribution of shares for unauthorized sets is independent of S. In contrast, insecure schemes offer weaker protections, typically relying on computational or statistical assumptions rather than unconditional security. Computational secret sharing provides security only against polynomial-time adversaries, where distinguishing the secret from random is computationally infeasible, often based on hardness assumptions like pseudorandom functions or encryption schemes. Statistical security allows negligible leakage, measured by small statistical distance or epsilon-approximate privacy, where unauthorized sets gain only a tiny amount of information about S with overwhelming probability. These models are considered insecure in the information-theoretic sense because a sufficiently powerful adversary could potentially extract the secret. Adversary models further delineate security levels in secret sharing. Passive adversaries, also known as honest-but-curious, eavesdrop on or collude with up to t-1 participants but follow the protocol without tampering, aiming solely to infer information from observed shares. Active adversaries, conversely, may maliciously alter shares or deviate from the protocol to disrupt reconstruction or inject faulty information, requiring additional mechanisms like verification for robustness. Many secure schemes assume an honest majority, where more than t participants remain uncorrupted, ensuring that qualified sets can still reconstruct S despite adversarial interference. Trivial examples illustrate insecure schemes lacking proper obfuscation. In direct distribution, the secret S is simply replicated and given to all n participants without encoding, violating the privacy property as any single participant (an unauthorized set for t > 1) immediately knows S. Alternatively, distributing S only to one participant fails the reconstruction property, as groups of t > 1 cannot recover it, rendering the scheme insecure for threshold access. These cases highlight how basic schemes without mathematical randomization expose S to unauthorized access or prevent legitimate recovery.

Inherent Limitations

In information-theoretically secure secret sharing schemes, a fundamental constraint is that the size of each share must be at least as large as the size of the secret itself. This lower bound arises from the perfect privacy requirement, where any unauthorized set of shares reveals no information about the secret, implying that the entropy of an individual share cannot be smaller than that of the secret. Consequently, schemes achieving this bound, such as those based on polynomials over finite fields, are considered ideal in terms of share efficiency. Reconstruction in threshold secret sharing requires collaboration among at least t participants out of n, which introduces significant communication overhead. In typical models where shares are elements of a finite field of size greater than n to ensure distinct evaluation points, each share has size O(log n) bits. Thus, when t parties transmit their shares to a reconstructor, the total communication cost is O(t log n) bits. This cost scales linearly with the threshold t, making high-threshold schemes particularly burdensome in distributed settings with limited bandwidth. A core limitation of perfect threshold secret sharing is its binary nature: authorized sets recover the full secret, while unauthorized sets obtain no information whatsoever, precluding partial or graded reconstruction without additional mechanisms. This all-or-nothing property ensures strong privacy but limits flexibility in applications requiring incremental access or hierarchical information release. Secret sharing schemes are inherently vulnerable to share loss or unavailability, as the secret becomes irrecoverable if more than n - t shares are lost. In a (t, n)-threshold scheme, this tolerance threshold means that even a small number of failures or compromises beyond n - t can render the system useless, highlighting the need for redundancy in deployment. For general access structures beyond simple thresholds, realizing arbitrary monotone collections of authorized sets often leads to exponential growth in share sizes. The seminal construction decomposes the access structure into its minimal authorized subsets and applies threshold sharing to each, resulting in shares whose size is proportional to the number of such subsets containing a given participant, which can be up to 2^{n-1} in the worst case. Moreover, optimizing share sizes or finding minimal representations for these structures, such as through linear span programs, is NP-hard in general. This scalability issue restricts the practical use of general schemes to access structures with limited complexity.

Trivial Schemes

Extreme Threshold Cases (t=1 and t=n)

In the extreme threshold case where t = 1 in a (t, n)-threshold secret sharing scheme, the secret S is simply replicated and distributed identically to all n participants, such that any single participant possesses the full secret and can reconstruct it unilaterally. This approach requires no encoding or computational overhead, as each share is exactly S, making it mathematically trivial with a constant "polynomial" of degree 0 in generalized schemes like Shamir's. However, it offers no privacy protection, as even one compromised participant reveals the entire secret, rendering it insecure against individual breaches but useful in scenarios demanding immediate solo access or broadcast distribution in fully trusted groups. At the opposite extreme, where t = n, the scheme ensures that only the complete set of all n participants can reconstruct the secret, while any subset of n-1 or fewer reveals no information about S. A trivial realization uses additive (or XOR) sharing: the dealer selects n-1 random values s_1, s_2, \dots, s_{n-1} from the appropriate domain (e.g., a finite field or bit strings for XOR), computes s_n = S \oplus (s_1 \oplus \dots \oplus s_{n-1}) (or equivalently for addition), and distributes s_i to participant i. Reconstruction involves combining all shares via XOR (or summation modulo the field size), yielding S. This provides perfect privacy for subsets, as each individual share is uniformly random and independent of S, but it lacks collusion resistance beyond n-1 and offers redundancy only through full participation. Both cases achieve threshold reconstruction by design but highlight fundamental trade-offs in secret sharing: the t=1 variant prioritizes accessibility at the cost of all privacy, suitable for non-adversarial distribution like key broadcasts in small trusted teams, while t=n emphasizes maximal security against defection, ideal for consensus-driven applications such as unanimous board approvals where no partial group should access sensitive data. Their simplicity—no advanced cryptography or polynomial interpolation needed—makes them baseline implementations, though they fail to balance privacy and efficiency for intermediate thresholds.

Intermediate Threshold Schemes (1 < t < n)

In intermediate threshold schemes, where 1 < t < n, the goal is to distribute a secret S among n parties such that any group of t parties can reconstruct S, while any group of t-1 parties obtains no information about S. A trivial method to achieve this uses a combinatorial construction based on the minimal authorized sets, which are all possible t-subsets of the n parties. For each such t-subset, the dealer creates an independent (t, t)-threshold sharing of S and distributes the shares only to the parties in that subset. This ensures that only complete t-subsets can reconstruct S from their dedicated sharing, while smaller groups lack sufficient pieces from every instance, and the independence of the sharings provides perfect information-theoretic security. A simple way to implement the (t, t)-sharing for each subset is additive sharing modulo a prime p (with p > n \cdot |S| to avoid wrap-around issues in practice). The dealer selects t-1 random values r_1, \dots, r_{t-1} \in {0, \dots, p-1}, computes r_t = S - (r_1 + \dots + r_{t-1}) \mod p, and assigns r_i to the i-th party in the subset. The t parties in the subset can then sum their r_i values modulo p to recover S. However, this additive approach in isolation is insecure for the full (t, n)-threshold if applied naively to all n parties (e.g., splitting S into n random addends summing to S mod p), as it only enforces reconstruction with all n shares; partial sums from fewer than n reveal no information but fail to allow reconstruction with just t shares, violating the threshold requirement. The combinatorial repetition amplifies this to support any t-subset, but at a severe cost: each party belongs to exactly \binom{n-1}{t-1} t-subsets and thus receives \binom{n-1}{t-1} additive shares (one per relevant instance), making the total share size per party \binom{n-1}{t-1} times the size of S. For intermediate t (e.g., t \approx n/2), this binomial coefficient grows exponentially as \Theta(2^n / \sqrt{\pi n / 2}) by Stirling's approximation, rendering the scheme computationally and storage-intensive for even moderate n (e.g., for n=20, t=10, \binom{19}{9} \approx 92{,}000). Unauthorized sets of t-1 parties cannot reconstruct any instance fully, preserving security, but the exponential overhead makes the approach suitable only for tiny n or theoretical analysis. These trivial methods are occasionally useful in low-security, small-scale contexts, such as simple data backups where n is small and exponential growth is tolerable, but they offer no protection against collusion beyond the threshold and lack randomization against adaptive adversaries without additional layers. The inherent inefficiencies—large share sizes, high distribution complexity, and vulnerability to partial information leakage in non-modular variants—highlight the necessity for non-trivial encodings to enable practical deployment in cryptographic applications.

General Access Structures

In secret sharing, general access structures provide a framework beyond threshold schemes, enabling arbitrary collections of participant subsets to qualify for secret reconstruction while maintaining monotonicity. Formally, an access structure \Gamma \subseteq 2^P over a participant set P = \{P_1, \dots, P_n\} is a monotone collection of non-empty subsets, where a subset B \subseteq P is qualified if B \in \Gamma and unauthorized otherwise; monotonicity requires that if B \in \Gamma and B \subseteq C \subseteq P, then C \in \Gamma. The minimal qualified sets, denoted \min \Gamma, are the members of \Gamma with no proper subsets in \Gamma, serving as the foundational building blocks for the structure. A trivial realization of a general access structure can be attempted by identifying the minimal qualified sets and distributing the secret directly (i.e., fully) to all participants within each such set. This ensures that any qualified subset, which contains at least one minimal qualified set, can access the secret. However, this approach is insecure across the overall structure, as individual participants or unauthorized subsets intersecting multiple minimal sets receive the complete secret, enabling reconstruction by sets smaller than required by \Gamma. Key challenges include the combinatorial explosion in the number of minimal qualified sets, which can reach up to \binom{n}{\lfloor n/2 \rfloor} \approx 2^n / \sqrt{\pi n/2} for certain structures, necessitating shares that simultaneously enforce privacy and correctness for exponentially many subset conditions. For instance, consider a key predistribution scenario where the qualified sets are those including a designated leader (e.g., the president) and at least two out of three supporting roles (advisors); here, the minimal qualified sets are the three-element combinations \{\text{president}, \text{advisor}_i, \text{advisor}_j\} for $1 \leq i < j \leq 3. This structure cannot be captured by a single threshold scheme but highlights the need for tailored distribution. Limitations of such trivial extensions include severe inefficiency in share size and computation without more sophisticated methods, often leading practical implementations to approximate the structure as a union of multiple threshold schemes, though this increases overhead proportionally to the number of minimal sets.

Core Efficient Schemes

Shamir's Polynomial-Based Scheme

Shamir's polynomial-based scheme, introduced in 1979, is a foundational threshold secret sharing method that enables the distribution of a secret S among n participants such that any t or more shares can reconstruct S, while any fewer than t shares reveal no information about S. The scheme leverages polynomial interpolation over a finite field, ensuring perfect security where unauthorized sets gain zero knowledge of the secret. In the share generation phase, the dealer selects a random polynomial f(x) of degree at most t-1 over a finite field \mathbb{F}_q (where q > n), with the constant term f(0) = S. The coefficients a_1, a_2, \dots, a_{t-1} are chosen uniformly at random from \mathbb{F}_q, excluding a_0 = S. For each participant i = 1 to n, a share (i, f(i)) is computed and distributed privately. This process ensures that the shares are points on the polynomial, and the secret is embedded as the y-intercept. To reconstruct the secret from any t shares (x_1, y_1), \dots, (x_t, y_t) where x_j \neq 0, the scheme employs Lagrange interpolation. The formula yields S = f(0) = \sum_{j=1}^t y_j \cdot \ell_j(0), where the Lagrange basis polynomial is \ell_j(x) = \prod_{k=1, k \neq j}^t \frac{x - x_k}{x_j - x_k}. This interpolation uniquely determines the polynomial of degree at most t-1 passing through the t points, thereby recovering S. The security of the scheme relies on the properties of polynomials over finite fields. Any set of t-1 shares determines at most a polynomial of degree at most t-2, which provides no information about the constant term f(0) = S, as the constant term can vary freely while fitting those points. Thus, the scheme achieves information-theoretic security, independent of computational assumptions. Operations must be performed in a finite field \mathbb{F}_q with q > n to ensure distinct evaluation points (typically x_i = i) and avoid singularities in interpolation. Prime fields \mathbb{F}_p with p > n are commonly used for simplicity. Regarding efficiency, share generation requires evaluating the polynomial at n points, costing O(t n) field operations, while reconstruction via Lagrange interpolation over t points costs O(t^2) operations. The scheme provides perfect security with these quadratic complexities, making it practical for moderate t and n.

Blakley's Geometric Scheme

Blakley's geometric scheme, introduced in 1979, provides a threshold-based approach to secret sharing using linear algebra over a finite field, where the secret is encoded as a point in a t-dimensional space and shares are defined as hyperplanes passing through that point. This method contrasts with algebraic techniques like polynomial interpolation by relying on the geometric property that the intersection of exactly t hyperplanes uniquely determines the point, while fewer hyperplanes yield only a higher-dimensional subspace containing infinitely many possible points when the field is sufficiently large. The scheme achieves information-theoretic security for (t, n)-threshold access structures, ensuring that unauthorized sets of t-1 or fewer participants gain no information about the secret. In the algorithm, the dealer represents the secret as the first coordinate of a point \mathbf{x} = (s, x_2, \dots, x_t) \in \mathbb{F}^t in a t-dimensional vector space over a finite field \mathbb{F} of large characteristic, with the remaining coordinates x_2, \dots, x_t chosen randomly from \mathbb{F}. For each of the n participants, the dealer generates a random coefficient vector \mathbf{a}_i = (a_{i1}, a_{i2}, \dots, a_{it}) \in \mathbb{F}^t, and computes the constant b_i = \mathbf{a}_i \cdot \mathbf{x}. The i-th share is then the pair (\mathbf{a}_i, b_i), representing the hyperplane equation \mathbf{a}_i \cdot \mathbf{x} = b_i, which contains the secret point \mathbf{x}. These shares are distributed privately, and the coefficients \mathbf{a}_i may be made public if desired, as they do not reveal information about \mathbf{x} in the presence of perfect secrecy. Reconstruction occurs when any t participants pool their shares (\mathbf{a}_i, b_i) for i \in S where |S| = t, forming the system of linear equations: \begin{pmatrix} \mathbf{a}_{i_1} \\ \vdots \\ \mathbf{a}_{i_t} \end{pmatrix} \mathbf{x} = \begin{pmatrix} b_{i_1} \\ \vdots \\ b_{i_t} \end{pmatrix}. If the t × t coefficient matrix is invertible (ensured with high probability by random choice of \mathbf{a}_i), solving this system via Gaussian elimination recovers \mathbf{x}, from which the secret s is extracted as the first coordinate. For security, any t-1 shares intersect in an affine subspace of dimension at least 1, containing |\mathbb{F}| or more points, uniformly distributed over possible secrets, thus providing no advantage to an adversary beyond random guessing when |\mathbb{F}| is large enough to embed the secret space. Despite its conceptual elegance in leveraging geometric intersections, Blakley's scheme is less efficient than polynomial-based methods like Shamir's, primarily due to share size: each share requires t+1 field elements (the vector \mathbf{a}_i and scalar b_i), compared to a single field element per share in Shamir's approach. Reconstruction also incurs higher computational cost for large t, as it involves solving a full t × t linear system rather than evaluating a degree-t-1 polynomial at t points, making it impractical for high-dimensional thresholds.

Chinese Remainder Theorem-Based Schemes

Chinese Remainder Theorem (CRT)-based secret sharing schemes utilize modular arithmetic to distribute a secret among participants, enabling reconstruction only when all shares are combined, or in threshold variants, when a sufficient number are pooled. These schemes are particularly suited for integer secrets and leverage the uniqueness property of solutions to systems of congruences under coprime moduli. The core idea involves selecting a set of pairwise coprime positive integers m_1, m_2, \dots, m_n, where the product M = \prod_{i=1}^n m_i exceeds the secret S in magnitude, ensuring a unique representation. Shares are then computed as s_i = S \mod m_i for each participant i, providing partial information about S confined to the respective modulus. Reconstruction proceeds by solving the system of congruences x \equiv s_i \pmod{m_i} for i = 1 to n using the CRT, which guarantees a unique solution x \equiv S \pmod{M}. Since $0 \leq S < M, this yields the exact secret S. The explicit formula for the solution is S = \sum_{i=1}^n s_i \cdot M_i \cdot y_i \pmod{M}, where M_i = M / m_i and y_i is the modular inverse of M_i modulo m_i, satisfying M_i y_i \equiv 1 \pmod{m_i}. This process relies on efficient integer arithmetic and is computationally straightforward for moderate-sized moduli. From a security perspective, any single share s_i reveals S only modulo m_i, disclosing no information about S if m_i is sufficiently small relative to the possible range of S, as the entropy reduction is negligible. For fewer than all shares, the possible values for S remain broadly distributed across the interval [0, M), preserving perfect secrecy in the information-theoretic sense. This property holds because the coprimality ensures independent residue classes, preventing partial combinations from narrowing the secret's possibilities beyond the product of involved moduli. Threshold variants extend this framework to (t, n)-schemes, where reconstruction requires at least t shares. In Mignotte's approach, moduli are chosen in increasing order p_1 < p_2 < \dots < p_n as a "Mignotte sequence," with the secret S selected such that \prod_{i=n-t+2}^n p_i < S < \prod_{i=1}^t p_i. Shares are s_i = S \mod p_i, and any t shares reconstruct S via CRT modulo their product, which exceeds S, while t-1 shares constrain S only modulo a smaller product insufficient to identify it uniquely. Similarly, the Asmuth-Bloom scheme selects coprime moduli p_0 < p_1 < \dots < p_n with p_0 bounding the secret s \in [0, p_0), constructs an offset S = s + \alpha p_0 where \alpha is random to place S in a range allowing t shares to reconstruct via CRT, but fewer to yield ambiguous results. These variants enable flexible access control while maintaining CRT's modular efficiency. CRT-based schemes excel in efficiency due to fast modular exponentiation and inversion operations, which are hardware-optimized in modern processors and cryptographic libraries. They are especially advantageous in resource-constrained environments, such as embedded systems or distributed ledgers, where polynomial interpolation (as in other schemes) may incur higher overhead. For instance, reconstruction scales linearly with the number of shares and bit-length of moduli, often outperforming field-based methods for large secrets.

Advanced Security Enhancements

Proactive Secret Sharing

Proactive secret sharing addresses the vulnerability of standard threshold secret sharing schemes, such as Shamir's polynomial-based method, to long-term adversaries that gradually accumulate corrupted shares over time without ever reaching the threshold in a single instance. In conventional schemes, an adversary could compromise up to t-1 shares across extended periods, eventually reconstructing the secret after prolonged exposure, which poses risks for long-lived secrets like cryptographic keys. Proactive schemes mitigate this by periodically refreshing the shares in a distributed manner, without reconstructing or revealing the underlying secret S, thereby rendering previously leaked information obsolete and forcing the adversary to start anew after each refresh phase. The core protocol involves periodic re-sharing through additive or multiplicative updates to the existing shares. In an extension of Shamir's scheme, each participant generates a random polynomial of degree at most t-1 with constant term zero and adds it to their current share, effectively updating the share polynomial while preserving the secret. For instance, if the original shares are derived from polynomial f(x) with f(0) = S, the refresh adds a random δ(x) where δ(0) = 0, resulting in new shares from f(x) + δ(x). This process is performed collaboratively across all n participants in discrete time periods (e.g., weekly), using secure channels or encryption to distribute the updates, ensuring no single party learns others' shares. The security model assumes a mobile adversary that can corrupt different subsets of up to t-1 participants across multiple phases but never more than t-1 in total at any single time, maintaining information-theoretic security as long as corruptions per phase remain below the threshold. Herzberg et al. (1995) introduced a seminal proactive extension of Shamir's scheme that achieves semantic security and robustness under this model, with communication complexity of O(n²) per refresh round due to pairwise share updates. This ensures the scheme remains secure indefinitely, provided refresh intervals are shorter than the adversary's corruption window. Proactive secret sharing finds applications in long-lived distributed systems requiring sustained confidentiality, such as proactive digital signatures and certification authorities. It is particularly suited for environments like wireless sensor networks, where nodes face ongoing risks of partial compromises over time, enabling secure key management without centralized reconstruction. Recent advances include asynchronous dynamic-committee proactive secret sharing for scalable systems.

Verifiable Secret Sharing

Verifiable secret sharing (VSS) addresses the vulnerability in standard secret sharing schemes where a dishonest dealer might distribute inconsistent or invalid shares to participants, potentially preventing correct reconstruction of the secret or allowing malicious manipulation during the process. In such scenarios, honest participants cannot detect the dealer's cheating without additional mechanisms, which could compromise the scheme's reliability. VSS augments the sharing protocol with cryptographic proofs that enable each participant to independently verify the correctness of their received share against publicly broadcast information, ensuring that only valid shares are used in reconstruction. This verification occurs during share distribution, and if cheating is detected, the protocol aborts, maintaining security even against a dishonest dealer or colluding participants. The seminal construction for VSS, introduced by Paul Feldman in 1987, relies on computational commitments in a cyclic group of prime order q generated by g, assuming the hardness of the discrete logarithm problem. The dealer selects a secret s and constructs a degree-t polynomial f(x) = s + a_1 x + \cdots + a_t x^t over \mathbb{Z}_q, then broadcasts commitments to the coefficients as c_0 = g^s, c_1 = g^{a_1}, ..., c_t = g^{a_t}. For each participant P_i (with distinct nonzero i \in \{1, \dots, n\}), the dealer privately sends the share f(i) and the participant verifies it by checking whether g^{f(i)} = \prod_{j=0}^t c_j^{i^j} \mod p, where p is a prime such that q divides p-1. This non-interactive verification confirms that the share lies on the committed polynomial without revealing the secret. During reconstruction, any t+1 verified shares allow interpolation of f(0) = s. The protocol is efficient, requiring only broadcast of t+1 commitments and private share distribution, with verification computable in polynomial time. Feldman's scheme provides computational security, where cheating by the dealer is detectable with overwhelming probability (negligible failure chance under the discrete log assumption), but it does not offer information-theoretic security against unbounded adversaries. For information-theoretic VSS, subsequent work by Torben Pedersen in 1991 extended the approach using non-interactive proofs based on multivariate polynomials and authentication tags, ensuring that even computationally unbounded cheaters can be detected with probability 1 after a constant number of rounds, while preserving perfect secrecy for the secret. In this variant, the dealer commits to shares using information-theoretically secure commitments, allowing participants to verify consistency without relying on computational hardness. Both paradigms detect malicious behavior during sharing or reconstruction, with the information-theoretic version suitable for settings requiring unconditional security. Extensions of VSS to general access structures, beyond simple threshold schemes, incorporate commitments that respect the specified access structure, such as monotone predicates defining authorized subsets. For instance, in 2003, Javier Herranz and Germán Sáez proposed a distributed VSS protocol where multiple dealers collaboratively generate shares verifiable against the general structure, using homomorphic commitments to prove consistency for any qualified set without interaction among participants. This allows detection of cheating dealers or shareholders in scenarios like distributed proxy signatures, maintaining security for arbitrary access policies while inheriting the efficiency of threshold VSS. Such extensions ensure that only authorized coalitions can reconstruct the secret after verifying share validity. Recent post-quantum VSS schemes based on lattice problems have been proposed to resist quantum attacks.

Computationally Bounded Secure Sharing

Computationally bounded secure sharing, also known as computational secret sharing, relaxes the unconditional security of information-theoretic schemes to achieve greater efficiency, particularly in share size and computational cost. In information-theoretic secret sharing, such as Shamir's scheme, each share must be at least as long as the secret itself to ensure perfect security against unbounded adversaries. However, computational schemes assume adversaries are limited to polynomial-time computations, allowing the use of cryptographic primitives like pseudorandom functions (PRFs) and one-way functions to generate shares whose size is approximately logarithmic in the secret's domain size, often achieving shares of length O(log |S| + λ), where λ is the security parameter. This reduction in share size is crucial for practical applications involving large secrets or many parties, as it minimizes storage and communication overhead compared to the linear size required in perfect schemes. Constructions for computationally bounded secure sharing typically rely on the existence of one-way functions or stronger assumptions like the Decisional Diffie-Hellman (DDH) assumption in cyclic groups. A common approach involves splitting the secret into smaller pieces and protecting them with computationally secure encryption, while distributing decryption keys via an information-theoretic scheme. For instance, one can divide the secret S into t short pieces using an information dispersal algorithm, generate a symmetric key K, share K among the n parties using a perfect t-out-of-n threshold scheme (e.g., Shamir's), and then provide each party i with an encrypted version of the i-th piece using a PRF seeded by K. During reconstruction, t parties recover K information-theoretically and decrypt their pieces to reassemble S. This hybrid method ensures that individual shares remain compact, as the encrypted pieces are short and the key share adds only O(λ) bits. Schemes based on DDH, often used in more advanced variants like homomorphic secret sharing, generate shares as group elements where unauthorized sets cannot distinguish the shared secret from random values due to the hardness of deciding Diffie-Hellman tuples. Variants include homomorphic secret sharing allowing computations on encrypted shares under computational assumptions. The security of these schemes is defined by computational indistinguishability: for any two secrets S and S' of equal length, and any set of at most t-1 shares, no probabilistic polynomial-time adversary can distinguish the distribution of those shares under S from under S' with non-negligible advantage. This implies that t-1 shares reveal computationally negligible information about the secret, as extracting it would require inverting one-way functions or solving hard problems like DDH. The security holds as long as the underlying primitives (e.g., PRFs or encryption schemes) are secure against chosen-plaintext attacks in the appropriate model. A seminal example is Hugo Krawczyk's "Secret Sharing Made Short" scheme from 1993, which achieves t-out-of-n threshold sharing with share size roughly |S|/t + λ, assuming a secure symmetric encryption scheme derived from one-way functions. For simpler cases, early constructions leveraged the hardness of integer factorization, such as encrypting shares modulo an RSA modulus where recovering the secret from fewer than t shares equates to solving the RSA problem. These provide efficient alternatives for low-threshold settings but require careful parameter selection to match the security level. While computationally bounded schemes offer significant efficiency gains—such as reduced share sizes and faster distribution/reconstruction compared to information-theoretic methods—their security depends on unproven computational assumptions, making them susceptible to advances in algorithms or computing power, including quantum attacks like Shor's algorithm that can break factoring-based or discrete logarithm-based primitives. This trade-off prioritizes practicality over unconditional security, suitable for scenarios where adversaries are resource-limited but breakthrough attacks remain a risk.

Specialized and Efficient Variants

Multi-Secret Sharing

Multi-secret sharing schemes enable the distribution of multiple independent secrets S_1, \dots, S_k among n participants such that any qualified subset of at least t participants can reconstruct all secrets, while any subset of t-1 or fewer reveals no information about any secret, leveraging shared randomness to correlate the shares across secrets. These schemes generalize single-secret threshold sharing by allowing joint reconstruction of all secrets from the same set of shares, ensuring that the privacy of each secret is preserved individually and collectively. Constructions for multi-secret sharing extend foundational polynomial-based methods, such as Shamir's scheme, to multivariate polynomials; for instance, a bivariate polynomial F(x, y) of degree t-1 in each variable encodes the secrets as coefficients, with shares computed as F(x_i, y) for participant i at public point x_i, allowing reconstruction via interpolation over both variables. Alternatively, schemes based on the Chinese Remainder Theorem (CRT) use pairwise coprime moduli corresponding to multiple secrets, combining them into a single composite value x such that each secret a_i satisfies x \equiv a_i \pmod{m_i}, with shares distributed as modular components that enable group-specific reconstruction. These approaches achieve efficiency gains over running independent single-secret sharings, which would require share sizes linear in k; instead, multi-secret constructions yield shares of constant or O(\log k) size per participant, with reconstruction complexity dominated by O(t^2) operations for polynomial interpolation or modular solving, reducing overall storage and communication overhead for correlated data batches. For example, in the bivariate polynomial method, shares remain fixed size regardless of k \leq t, avoiding redundant randomness generation. Lower bounds establish that unconditionally secure schemes require share lengths at least proportional to the entropy of all secrets combined, but computational variants circumvent this with sublinear overhead. Applications include secure distribution of related encryption keys in multi-policy cryptographic systems, where multiple keys must be jointly managed without independent overhead, and batched database secrets in distributed storage, enabling efficient access control for interrelated data. CRT-based variants are particularly suited for scenarios with group-specific thresholds, such as hierarchical key management in networks. Security in multi-secret sharing ensures joint privacy, where any t-1 shares leak negligible information about all secrets under computational assumptions like the Computational Diffie-Hellman problem, with verifiable extensions allowing detection of malicious dealers or participants during reconstruction. Strong unconditional security, as defined in early models, protects against information-theoretic adversaries but mandates linear share sizes, while weaker notions permit more efficient designs. Recent advances include enhanced schemes using low-density parity-check (LCD) codes for improved efficiency as of 2025.

Space-Efficient and Batched Sharing

Ramp schemes represent a class of space-efficient secret sharing protocols that relax the perfect privacy condition of traditional threshold schemes to allow partial information leakage from intermediate-sized coalitions, thereby enabling smaller share sizes relative to the secret. Introduced independently by Blakley and Meadows in 1984 and by Hideki Yamamoto in 1985, these schemes balance security and efficiency by permitting no information disclosure from fewer than h shares while ensuring full reconstruction from at least t shares, where h < t ≤ n and n is the total number of participants. In a (h, t, n)-ramp scheme, the maximum secret size |S| is (t - h) times the share size, achieving an information rate of (t - h)/t under optimal conditions over large finite fields. This trade-off arises because coalitions of size between h and t - 1 may obtain partial knowledge of the secret, reducing the entropy gradually rather than abruptly. Such schemes are particularly useful in distributed storage systems, where storage efficiency is prioritized over absolute privacy, as the relaxed security model allows for compact shares without compromising reconstruction. Constructions achieving this optimal rate often rely on Reed-Solomon codes, which are maximum distance separable (MDS) codes suitable for linear secret sharing. In one such approach, the secret—a vector of length k = t - h over a finite field F_q—is treated as the message for an RS code of dimension k and length n with minimum distance n - t + 1. The shares are the n codeword symbols (evaluations at distinct points in F_q). The MDS property guarantees that any t shares suffice to decode the full message and recover the secret, while any h shares reveal no information about the secret due to the code's ability to mask the message components with random parity symbols. Batched sharing extends these ideas to efficiently distribute multiple m secrets, achieving a total share size of O(n + m \log |S|) bits by amortizing the fixed overhead across the batch, often through recursive or coding-based packing that leverages ramp properties for sublinear growth in m. A notable post-2000 construction by Parakh and Kak employs a recursive partitioning method to map m secrets into n shares, each of size comparable to a single secret element, ensuring ramp-style partial leakage while maintaining reconstruction; this yields space savings proportional to 1/(t - h) per secret in the batch. Recent advances, such as refined bounds on the threshold gap for small fields, have further optimized these rates for practical parameters, confirming asymptotic optimality for large n and q. Additional developments include efficient verifiable ramp schemes for large-scale applications as of 2024.

Broader Applications

Cryptographic Protocols Integration

Secret sharing serves as a foundational primitive in secure multiparty computation (SMPC), enabling parties to jointly evaluate functions on private inputs without revealing them. In the GMW protocol, secret sharing distributes inputs across participants using additive or Shamir shares to perform secure arithmetic operations on secret-shared values, ensuring privacy against semi-honest adversaries. Yao's garbled circuits approach complements this by handling boolean circuits, but secret sharing integrates with it for input preprocessing and output reconstruction in hybrid protocols. A key technique is the use of Beaver triples, which are precomputed multiplicative triples (a, b, c) where c = a * b, shared securely to enable multiplication of two secret-shared values x and y by computing linear combinations without interaction, reducing communication overhead in SMPC. In threshold signatures, secret sharing distributes the private signing key among n parties such that any t out of n can collaboratively generate a valid signature without reconstructing the full key, preventing single-point failures and enhancing security. Feldman's verifiable secret sharing (VSS) is commonly employed here, as it allows participants to verify share correctness via public commitments based on discrete logarithms, ensuring robustness against malicious dealers. This approach underpins threshold variants of schemes like ECDSA and Schnorr, where partial signatures from t parties are combined using Lagrange interpolation on shares. For key aggregation in BLS signatures, the private key is secret-shared using Shamir's scheme, enabling t parties to produce an aggregated multisignature that verifies under a single public key, optimizing blockchain scalability by reducing signature sizes. This distributed key generation avoids a trusted dealer through protocols like Pedersen's DKG, which builds on verifiable sharing to generate consistent shares. Ongoing developments include Zcash's work on threshold signatures via the FROST protocol, which uses Shamir secret sharing and Feldman's VSS to enable distributed signing for transactions, including shielded ones, supporting privacy-preserving proofs without key exposure. In Ethereum ecosystems, secret sharing facilitates wallet recovery mechanisms, such as splitting seed phrases into shares distributed to guardians, allowing reconstruction with a threshold (e.g., 2-of-3) for social recovery without centralized custody. The integration of secret sharing in cryptographic protocols has evolved from foundational SMPC works like Yao's 1986 garbled circuits to modern implementations in libraries such as MP-SPDZ, which supports over 30 protocols including secret-sharing-based variants for efficient, actively secure computation.

Distributed Systems and Key Management

Secret sharing schemes, particularly Shamir's, are widely employed in key management for distributed systems to enhance security in hardware security modules (HSMs) and cloud environments. In HSMs, such as those integrated with Azure Key Vault Managed HSM, the security domain is encrypted using Shamir's Secret Sharing Algorithm, allowing initialization with multiple public keys to distribute trust and prevent single-point failures during key recovery. Similarly, systems like HashiCorp Vault utilize Shamir's scheme to split the master root key into shares for unsealing, ensuring that no single administrator can unilaterally access or modify the vault without a threshold of shares. In cloud key escrow scenarios, verifiable secret sharing enables secure storage and recovery of encryption keys across distributed providers, as demonstrated in protocols that allow third-party verification without revealing the secret prematurely. Distributed storage systems leverage secret sharing to combine secrecy with redundancy, akin to erasure coding but prioritizing confidentiality over mere data recovery. Shares of sensitive data are dispersed across multiple nodes, ensuring that the original secret remains inaccessible unless a sufficient threshold is collected, while also providing resilience against node failures. For instance, the SAFE protocol employs secret sharing for long-term distributed storage, protecting data against quantum threats by encoding shares with information-theoretic security and enabling reconstruction from any qualified subset of nodes. In blockchain-integrated storage, secret sharing enhances efficiency by splitting transaction data into encrypted shares stored across a network, reducing overhead while maintaining fault tolerance up to the scheme's threshold parameter. Fault tolerance in secret sharing for distributed systems mirrors RAID-like redundancy but incorporates secrecy guarantees, allowing operations to continue despite node crashes or corruptions as long as the threshold of valid shares is available. This approach handles failures without exposing the secret, as individual shares reveal no information, and reconstruction protocols can exclude faulty nodes during recovery. Adaptive bandwidth schemes further optimize this by dynamically adjusting share sizes based on network conditions, ensuring efficient storage and retrieval in heterogeneous environments while tolerating up to t failures in an (n, t+1) threshold setup. Proactive variants briefly refresh shares periodically to extend system longevity against evolving threats, without altering the core fault-tolerant design. Practical deployments include military command systems, where secret sharing supports secure distribution of operational keys among hierarchical ranks, requiring a threshold of approvals (e.g., multiple officers) to activate commands or access intelligence. Challenges in dynamic groups, such as share migration during node additions or removals and efficient revocation of compromised participants, demand communication-efficient protocols to avoid high overhead; traditional resharing can incur O(n^3) costs, prompting optimized methods that batch updates and minimize broadcast rounds. Revocation typically involves re-encrypting shares with new polynomials, but in volatile environments, this risks temporary exposure if not paired with verifiable mechanisms.

References

  1. [1]
    [PDF] How to Share a Secret - MIT
    How to Share a Secret. Adi Shamir. Massachusetts Institute of Technology. In this paper we show how to divide data D into n pieces in such a way that D is ...
  2. [2]
    Secret sharing: A comprehensive survey, taxonomy and applications
    Secret sharing is a method that allows a trusted authority (the dealer) to distribute a secret or a number of secrets among some target participants.
  3. [3]
    (PDF) OVERVIEW OF BLAKLEYS SECRET SHARING SCHEME
    Jan 8, 2019 · A secret image sharing method based on Blakley's geometric approach is proposed in this article. The method can reconstruct secret images by ...<|control11|><|separator|>
  4. [4]
    How to share a secret | Communications of the ACM
    Nov 1, 1979 · How to share a secret. Author: Adi Shamir. Adi Shamir. Massachusetts ... PDFeReader. Contents. Communications of the ACM. Volume 22, Issue 11 ...
  5. [5]
    [PDF] Safeguarding cryptographic keys - Semantic Scholar
    Safeguarding cryptographic keys · G. Blakley · Published in International Workshop on… 30 December 1899 · Computer Science · 1979 International Workshop on Managing ...
  6. [6]
    [PDF] Summary of Lecture on Secret Sharing 1 Motivation and Definition
    Additionally, secret sharing is a useful tool in many larger cryptographic systems (notably, secure computation).
  7. [7]
    [PDF] On the Size of Shares for Secret Sharing Schemes
    Secret Sharing is an important tool in Security and Cryptography. In many cases there is a single master key that provides the access to important secret ...Missing: motivations | Show results with:motivations
  8. [8]
    [PDF] A Review of Secret Sharing Schemes - SciSpace
    Secret Sharing was proposed with the motivation of protecting and securing secret key in cryptography. Shamir (1979) formed the foundation for secret ...
  9. [9]
    Multi-Party Threshold Cryptography | CSRC
    Using a “secret sharing” mechanism, the secret key is split across multiple "parties". Then, if some (up to a threshold f out of n) of these parties are ...
  10. [10]
    (PDF) Secret-Sharing Schemes: A Survey - ResearchGate
    Aug 7, 2025 · A secret-sharing scheme is a method by which a dealer distributes shares to parties such that only authorized subsets of parties can reconstruct the secret.
  11. [11]
    [PDF] Secret sharing made short - Cornell: Computer Science
    It just combines in a natural way traditional secret sharing schemes, with encryption and information dispersal techniques. Our scheme is simple, practical and ...
  12. [12]
    CS 513 System Security -- Secret Sharing
    Imagine that you are asked to design a control mechanism for a nuclear missile launch. There is a control panel with a key board. You can enter a secret code ...
  13. [13]
    Dead Man's Switch vs. Secret Sharing Systems
    Aug 24, 2025 · What are common use cases for Secret Sharing? Cryptocurrency wallets, corporate decision-making, and digital inheritance. 10. Which system is ...
  14. [14]
    Threshold Cryptography: An Overview - Panther Protocol
    Oct 6, 2022 · Threshold cryptosystems protect information by encrypting and distributing secrets amongst a cluster of independent computers that qualify as fault-tolerant.What is threshold cryptography? · Applications of threshold... · Mitigating MEV
  15. [15]
    [PDF] INTERNATIONAL STANDARD ISO/IEC 11889-1
    Dec 15, 2015 · 9.3 Trusted Platform Module ... A.9 Secret Sharing ...
  16. [16]
    Lattice-Based Threshold Secret Sharing Scheme and Its Applications
    Jan 8, 2024 · The threshold secret sharing (TSS) scheme is an important field of cryptography and has important application value and development prospects in ...2. Lattice-Based... · 4.2. Lattice-Based Vss · 5.3. Lattice-Based...
  17. [17]
    Comparing Security Notions of Secret Sharing Schemes - MDPI
    Entropies, such as Shannon entropy and min entropy, are frequently used in the setting security notions for secret sharing schemes.
  18. [18]
    None
    ### Summary of arXiv:2502.02774 on Secret Sharing
  19. [19]
    Adversary Models for Secret Sharing Schemes
    Passive vs active. This is the most basic categorization of adversaries on a protocol level. A passive adversary is only allowed to corrupt a party in the sense ...
  20. [20]
    https://ieeexplore.ieee.org/document/705567
  21. [21]
    Secret sharing scheme realizing general access structure - Ito - 1989
    This paper shows that by providing the trustees with several information data concerning the distributed information of the (k, n) threshold method, any access ...
  22. [22]
    https://doi.org/10.1007/BF00125203
  23. [23]
    [PDF] Secret-Sharing Schemes for General and Uniform Access Structures
    For over 30 years, it was known that any (monotone) collection of authorized sets can be realized by a secret-sharing scheme whose shares are of size 2n−o(n) ...
  24. [24]
    [PDF] Lecture Notes on Secret Sharing 1 Definition
    We note that additive secret sharing can easily be extended to any t-out-of-t threshold secret sharing. The sharing algorithm chooses t strings uniformly at.
  25. [25]
    Safeguarding cryptographic keys | IEEE Conference Publication
    The paper on safeguarding cryptographic keys covers operating systems, data security, multiprocessing, software engineering, and computer networks.
  26. [26]
    [PDF] Vector space multisecret-sharing scheme based on Blakley's method
    Feb 10, 2023 · Section IV collects concluding remarks. Blakley's secret sharing scheme uses hyperplane geometry to solve the secret sharing problem. The ...Missing: explanation | Show results with:explanation
  27. [27]
    Proactive Secret Sharing Or:
    Abstract. Secret sharing schemes protect secrets by distributing them over different locations (share holders). In particular, in k out of R threshold.
  28. [28]
    [PDF] Strategies of Proactive (k, n) Threshold Secret Sharing and ...
    Abstract. A secret sharing scheme protects the secret by distributing it to a group of participants (nodes), and it allows for some groups of participants ...
  29. [29]
    A practical scheme for non-interactive verifiable secret sharing
    Published: 12 October 1987 Publication History. 222 ... This paper presents an extremely efficient, non-interactive protocol for verifiable secret sharing.
  30. [30]
    Non-Interactive and Information-Theoretic Secure Verifiable Secret ...
    May 18, 2001 · It is shown how to distribute a secret to n persons such that each person can verify that he has received correct information about the secret without talking ...
  31. [31]
    Verifiable Secret Sharing for General Access Structures, with ...
    In this work, we generalize some protocols dealing with verifiable secret sharing, in such a way that they run in a general distributed scenario for both the ...
  32. [32]
    Secret Sharing Made Short | SpringerLink
    Krawczyk, H., “Distributed Fingerprints and Secure Information ... About this paper. Cite this paper. Krawczyk, H. (1994). Secret Sharing Made Short.Missing: summary | Show results with:summary
  33. [33]
    How to sign digital streams
    No readable text found in the HTML.<|separator|>
  34. [34]
    [PDF] Space Efficient Computational Multi-Secret Sharing and Its ...
    Shamir. How to share a secret. Communications of the ACM, 22(22):612–613,. 1979. 26. C. Tartary, J. Pieprzyk, and H. Wang. Verifiable multi-secret sharing ...
  35. [35]
    [PDF] (t, n) Multi-Secret Sharing Scheme Based on Bivariate Polynomial
    Shares generated using a bivariate polynomial can not only be used to reconstruct multiple secrets but also be used to establish pairwise keys between any pair ...Missing: multivariate | Show results with:multivariate
  36. [36]
    [PDF] CRT Based Threshold Multi Secret Sharing Scheme
    This paper presents a novel secret sharing system that is based on Chinese remainder theorem. This scheme deals with a concept of multiple secrets to be ...
  37. [37]
    [PDF] New Results and Applications for Multi-Secret Sharing Schemes
    A trivial way of implementing multi-policy distributed cryptosystems is by running ` independent instances of a standard distributed cryptosystem, one for each ...<|control11|><|separator|>
  38. [38]
    Security of Ramp Schemes - SpringerLink
    Nov 24, 2000 · Blakley, G.R., Meadows, C. (1985). Security of Ramp Schemes. In: Blakley, G.R., Chaum, D. (eds) Advances in Cryptology. CRYPTO 1984. Lecture ...
  39. [39]
    [PDF] Improved Bounds on the Threshold Gap in Ramp Secret Sharing
    In this paper we consider linear secret sharing schemes over a finite field Fq, where the secret is a vector in F` q and each of the n shares is a single ...Missing: seminal | Show results with:seminal
  40. [40]
    [PDF] Secure Computation from Random Error Correcting Codes
    Trading corruption tolerance for small fields was first used in [6] where a class of algebraic geometric secret sharing schemes was introduced that are ideal, ...Missing: explanation | Show results with:explanation
  41. [41]
    [0901.4798] Space Efficient Secret Sharing - arXiv
    Jan 29, 2009 · Abstract: This note proposes a method of space efficient secret sharing in which k secrets are mapped into n shares (n>=k) of the same size.
  42. [42]
    [PDF] GMW87.pdf
    We present a polynomial-time algorithm that, given as a input the description of a game with incomplete information and any number of players, produces a ...
  43. [43]
    [PDF] Foundations of secure interactive computing - AMiner
    [9] R. Blakley. "Security Proofs for Information Protection Systems." Proceedings of the. 1980 Symposium on Security and Privacy, IEEE Computer Society Press, ...
  44. [44]
    [PDF] A Practical Scheme for Non-interactive Verifiable Secret Sharing
    AbJtract: This paper presents an extremely efficient, non-interactive protocol for verifiable secret sharing. Verifiable secret sharing (VSS) is a way of ...
  45. [45]
    [PDF] Threshold Signatures, Multisignatures and Blind Signatures Based ...
    In threshold signature schemes the secret key is distributed among n parties with the help of a trusted dealer or without it by running an interactive protocol ...
  46. [46]
    Frost - Zcash Foundation
    FROST is built upon the threshold Shamir secret sharing and Feldman verifiable secret sharing schemes and it relies only on the discrete logarithm assumption.
  47. [47]
    [PDF] MP-SPDZ: A Versatile Framework for Multi-Party Computation
    MP-. SPDZ aims to lower the entry barrier to secure computation by providing standalone Linux binaries for every release and extensive documentation for the ...
  48. [48]
    About the security domain in Azure Key Vault Managed HSM
    Apr 14, 2025 · The managed HSM initializes the security domain and encrypts it with the public keys that you provide by using Shamir's Secret Sharing Algorithm ...Security Domain Protection... · Storing The Security Domain... · Establishing A Security...
  49. [49]
    How HSM support changes Vault behavioral - HashiCorp Developer
    Vault usually generates a root key and splits it using Shamir's Secret Sharing to prevent a single operator from being able to modify and unseal Vault (see more ...Missing: hardware | Show results with:hardware<|separator|>
  50. [50]
    [PDF] Publicly Verifiable Secret Sharing for Cloud-based Key Management
    Oct 12, 2011 · Our work relies heavily on the techniques of secret-sharing schemes, in particular the standard exten- sion of Blakley-Shamir secret-sharing ...
  51. [51]
    [PDF] SAFE: A Secure and Efficient Long-Term Distributed Storage System
    Secret sharing-based distributed storage systems are one approach to provide long-term protection of data even against quantum com- puting. Confidentiality ...
  52. [52]
    Distributed Storage Meets Secret Sharing on the Blockchain
    We use a novel combination of distributed storage, private key encryption, and Shamirs secret sharing scheme to distribute transaction data, without significant ...
  53. [53]
    Secure Secret Sharing With Adaptive Bandwidth in Distributed ...
    Jun 9, 2020 · To solve related problems, the distributed storage schemes have been proposed. Considering security and fault tolerance, many of those schemes ...
  54. [54]
    Secret sharing scheme in defense and big data analytics - IEEE Xplore
    Secret information sharing plays one of the major factors to win wars, military operations, etc. But, it is hard to find methods of general topology or ...
  55. [55]
    [PDF] Communication-Optimal Proactive Secret Sharing for Dynamic Groups
    Such a restraint is particularly challenging in the case of long-term storage or computation, which was one of the reasons that the proactive security model was ...
  56. [56]
    [PDF] Proactive Secret Sharing in Dynamic Environments
    May 17, 2019 · It was adapted for secret sharing by Herzberg et al, whose techniques continue to be used in subsequent works,. e.g. [16, 21, 9, 25, 34, 4, 28], ...