Paper 2022/1578

Weighted Secret Sharing from Wiretap Channels

Fabrice Benhamouda, Algorand Foundation
Shai Halevi, Algorand Foundation
Lev Stambler

Secret-sharing allows splitting a piece of secret information among a group of shareholders, so that it takes a large enough subset of them to recover it. In \emph{weighted} secret-sharing, each shareholder has an integer weight, and it takes a subset of large-enough weight to recover the secret. Schemes in the literature for weighted threshold secret sharing either have share sizes that grow linearly with the total weight, or ones that depend on huge public information (essentially a garbled circuit) of size (quasi)polynomial in the number of parties. To do better, we investigate a relaxation, $(\alpha, \beta)$-ramp weighted secret sharing, where subsets of weight $\beta W$ can recover the secret (with $W$ the total weight), but subsets of weight $\alpha W$ or less cannot learn anything about it. These can be constructed from standard secret-sharing schemes, but known constructions require long shares even for short secrets, achieving share sizes of $\max\big(W,\frac{|\mathrm{secret}|}{\epsilon}\big)$, where $\epsilon=\beta-\alpha$. In this note we first observe that simple rounding let us replace the total weight $W$ by $N/\epsilon$, where $N$ is the number of parties. Combined with known constructions, this yields share sizes of $O\big(\max(N,|\mathrm{secret}|)/{\epsilon}\big)$. Our main contribution is a novel connection between weighted secret sharing and wiretap channels, that improves or even eliminates the dependence on~$N$, at a price of increased dependence on $1/\epsilon$. We observe that for certain additive-noise $(R,A)$ wiretap channels, any semantically secure scheme can be naturally transformed into an $(\alpha,\beta)$-ramp weighted secret-sharing, where $\alpha,\beta$ are essentially the respective capacities of the channels $A,R$. We present two instantiations of this type of construction, one using Binary Symmetric wiretap Channels, and the other using additive Gaussian Wiretap Channels. Depending on the parameters of the underlying wiretap channels, this gives rise to $(\alpha, \beta)$-ramp schemes with share sizes $|\mathrm{secret}|/\mathrm{poly}(\epsilon\log N)$ or even just $|\mathrm{secret}|/\mathrm{poly}(\epsilon)$.

Available format(s)
Publication info
Weighted Secret SharingWiretap Channels
Contact author(s)
fbenhamo102 @ gmail com
shai halevi @ gmail com
lstamble @ andrew cmu edu
2023-02-10: revised
2022-11-14: received
See all versions
Short URL
Creative Commons Attribution


      author = {Fabrice Benhamouda and Shai Halevi and Lev Stambler},
      title = {Weighted Secret Sharing from Wiretap Channels},
      howpublished = {Cryptology ePrint Archive, Paper 2022/1578},
      year = {2022},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.