Secret Sharing on Superconcentrator

TL;DR

It is proved that any unrestricted arithmetic circuit computing the shares of a threshold secret sharing scheme must satisfy superconcentrator-like connectivity properties, and that any graph satisfying these properties can be transformed into a linear arithmetic circuit computing the shares of a threshold secret sharing scheme, assuming a sufficiently large field.

Abstract

We study the arithmetic circuit complexity of threshold secret sharing schemes by characterizing the graph-theoretic properties of arithmetic circuits that compute the shares. Using information inequalities, we prove that any unrestricted arithmetic circuit (with arbitrary gates and unbounded fan-in) computing the shares must satisfy superconcentrator-like connectivity properties. Specifically, when the inputs consist of the secret and $t-1$ random elements, and the outputs are the $n$ shares of a $(t, n)$-threshold secret sharing scheme, the circuit graph must be a $(t, n)$-concentrator; moreover, after removing the secret input, the remaining graph is a $(t-1, n)$-concentrator. Conversely, we show that any graph satisfying these properties can be transformed into a linear arithmetic circuit computing the shares of a threshold secret sharing scheme, assuming a sufficiently large field. As a consequence, we derive upper and lower bounds on the arithmetic circuit complexity of computing the shares in threshold secret sharing schemes.

Figures (5)

• Figure 1: unrestricted arithmetic circuit computing $n$ shares
• Figure 2: linear arithmetic circuit realizing SS distribution
• Figure 3: Construction of depth-2 superconcentrator
• Figure 4: Construction of linear-size depth-2 superconcentrator
• Figure 5: Construction of linear-size depth-3 superconcentrator

Theorems & Definitions (54)

• Theorem 1
• Theorem 2
• Theorem 3
• Theorem 4
• Definition 1
• Proposition 1
• proof
• Definition 2
• Definition 3
• Proposition 2