Deniable Secret Sharing

Authors
  • Ran Canetti
  • Ivan Damgård
  • Sebastian Kolby
  • Divya Ravi
  • Sophia Yakoubov
Publication date 2026
Host editors
  • B. Applebaum
  • H. (R.) Lin
Book title Theory of Cryptography 
Book subtitle 23rd International Conference, TCC 2025, Aarhus, Denmark, December 1–5, 2025, Proceedings
ISBN
  • 9783032122926
ISBN (electronic)
  • 9783032122933
Series Lecture Notes in Computer Science
Event 23rd International Conference on Theory of Cryptography, TCC 2025
Volume | Issue number II
Pages (from-to) 399-427
Publisher Cham: Springer
Organisations
  • Faculty of Science (FNWI) - Informatics Institute (IVI)
Abstract
We introduce deniable secret sharing (DSS), which, analogously to deniable encryption, enables shareholders to produce fake shares that are consistent with a target “fake message”, regardless of the original secret. In contrast to deniable encryption, in a DSS scheme an adversary sees multiple shares, some of which might be real, and some fake. This makes DSS a more difficult task, especially in situations where the fake shares need to be generated by individual shareholders, with limited or no coordination with other shareholders. We define several desirable properties for DSS, and show both positive and negative results for each. The strongest property is fake hiding, which is a natural analogy of deniability for encryption: given a complete set of shares, an adversary cannot determine whether any shares are fake. We show a construction based on Shamir secret sharing that achieves fake hiding as long as (1) the fakers are qualified (number t or more), and (2) the set of real shares which the adversary sees is unqualified. Next we show a construction based on indistinguishability obfuscation that relaxes condition (1) and achieves fake hiding even when the fakers are unqualified (as long as they comprise more than half of the shareholders). We also extend the first construction to provide the weaker property of faker anonymity for all thresholds. (Faker anonymity requires that given some real shares and some fake shares, an adversary should not be able to tell which are fake, even if it can tell that some fake shares are present.) All of these constructions require the fakers to coordinate in order to produce fake shares. On the negative side, we first show that fake hiding is unachievable when the fakers are a minority, even if they coordinate. Further, if the fakers do not coordinate, then even faker anonymity is unachievable as soon as t < n (namely the reconstruction threshold is smaller than the number of parties), if faking is not unanimous. (If faking is unanimous, we show a construction based on indistinguishability obfuscation.)
Document type Conference contribution
Language English
Published at https://doi.org/10.1007/978-3-032-12293-3_13
Other links https://www.scopus.com/pages/publications/105024699618