@MISC{Krawczyk88secretsharing, author = {Hugo Krawczyk}, title = {Secret sharing made short}, year = {1988} }

Share

OpenURL

Abstract

Abstract. A well-known fact in the theory of secret sharing schemes is that shares must be of length at least as the secret itself. However, the proof of this lower bound uses the notion of information theoretic secrecy. A natural (and very practical) question is whether one can do better for secret sharing if the notion of secrecy is computational, namely, against resource bounded adversaries. In this note we observe that, indeed, one can do much better in the computational model (which is the one used in most applications). We present an m-threshold scheme, where m shares recover the secret but m- 1 shares give no (computational) information on the secret, in which shares corresponding to a secret S are of size $ plus a short piece of information whose length does not depend on the secret size but just in the security parameter. (The bound of 5 is clearly optimal if the secret is to be recovered from m shares). Therefore, for moderately large secrets (a confidential file, a long message, a large data base) the savings in space and communication over traditional schemes is remarkable. The scheme is very simple and combines in a natural way traditiond (perfect) secret sharing schemes, encryption, and information dispersal. It is provable secure given a secure (e.g., private key) encryption function. 1