Scientific knowledge map · Paper #52
Communication-Efficient Proactive Secret Sharing for Dynamic Groups with Dishonest Majorities
2020 · 18th International Conference on Applied Cryptography and Network Security (ACNS)
- Theory
- protocol
- scheme
Research question
What does the paper try to establish?
Can proactive secret sharing simultaneously tolerate a mobile dishonest majority, batch many secrets without a linear threshold loss, reduce communication, and redistribute shares as the participant set changes?
Central answer
What is the proposed answer?
The paper builds a computationally secure dynamic proactive secret-sharing scheme from bivariate-polynomial batching, gradual reconstruction, and dedicated increase/decrease protocols. For batches of up to n minus 2 secrets it reports O(n squared) amortized communication per secret, while preserving mixed-adversary secrecy and fairness under explicitly stated thresholds.
Full paper abstract
Abstract
In standard Secret Sharing (SS), a dealer shares a secret s among n parties such that an adversary corrupting no more than t parties does not learn s, while any t + 1 parties can efficiently recover s. Proactive Secret Sharing (PSS) retains confidentiality of s even when a mobile adversary corrupts all parties over the lifetime of the secret, but no more than a threshold t in each epoch (called a refresh period). Withstanding such adversaries has become of increasing importance with the emergence of settings where private (cryptographic) keys are secret shared and used to sign cryptocurrency transactions, among other applications. Feasibility of single-secret PSS for static groups with dishonest majorities was demonstrated but with a protocol that requires inefficient communication of O(n⁴). In this work, we improve over prior work in three directions: batching without incurring a linear loss in corruption threshold, communication efficiency, and handling dynamic groups. While each of properties we improve upon appeared independently in the context of PSS and in other previous work, handling them simultaneously (and efficiently) in a single scheme faces non-trivial challenges. Some PSS protocols can handle batching of ℓ ∼ n secrets, but all of them are for the honest majority setting. Techniques typically used to accomplish such batching decrease the tolerated corruption threshold bound by a linear factor in ℓ, effectively limiting the number of elements that can be batched with dishonest majority. We solve this problem by reducing the threshold decrease to √ℓ instead, allowing us to deal with the dishonest majority setting when ℓ ∼ n. This is accomplished based on new bivariate-polynomials-based techniques for sharing, and refreshing and recovering of shares, that allow batching of up to n − 2 secrets in our PSS. To tackle the efficiency bottleneck the constructed PSS protocol requires only O(n³/ℓ) communication for ℓ secrets, i.e., an amortized communication complexity of O(n²) when the maximum batch size is used. To handle dynamic groups we develop three new sub-protocols to deal with parties joining and leaving the group.
Provenance: Transcribed from the checked-in full-text PDF; mathematical symbols were normalized to plain Unicode, and only typography, discretionary hyphenation, and line-break artifacts were otherwise normalized.
Evidence profile
Six dimensions, kept separate
The chart summarizes documented evidence and process. It is not a correctness probability, confidence score, or ranking, and no composite score is calculated.
LowMediumHighN/A = not assessed
A smaller value means less documented support for that dimension, not that the paper is false or unimportant.
- Epistemic evidence High
-
The complete source gives formal definitions, protocol specifications, threshold statements, ideal functionalities, and full proofs. The rating reflects documented theoretical support, not an independent proof verification or empirical deployment test.
Static batched-PSS correctness, secrecy, and communication Ideal functionalities, simulators, and full proofs - Auditability High
-
A complete checked-in author copy with recorded page count and SHA-256, plus archive and DOI identities, makes assumptions and proof claims directly inspectable from this map.
Problem, contributions, and asymptotic comparison Official ACNS publication identity - Production provenance Medium
-
Authorship, venue, date, official identity, archive version, and author copy are documented; contributor roles, revision history, and tool use are not.
Official ACNS publication identity Problem, contributions, and asymptotic comparison - External scrutiny Medium
-
ACNS publication establishes venue review, while review reports, independent proof checking, and reproduction evidence are unavailable here.
Official ACNS publication identity - Reception Low
-
The dated OpenAlex record located 0 citations for the DOI-identified work. Under the author-defined corpus rule, 0 through 8 located citations is Low; counts are index- and date-dependent.
Dated citation-count snapshot - Contribution significance Medium
-
The source reports a quadratic amortized improvement and a new combination of dishonest-majority batching and dynamic groups, but priority and downstream impact have not been independently established by this map.
Problem, contributions, and asymptotic comparison Increase, Decrease, DecreaseCorrupt, and Redistribute
Assessment: Ai draft author review pending · 2026-07-11 · rubric 0.2. These dimensions describe documented support and process, not truth, correctness, or a universal ranking. No composite score is calculated.
Top-down and bottom-up view
Hierarchical knowledge map
Collapse a branch for a top-level reading, or follow its source links and child nodes to audit the evidence and boundaries underneath it.
Communication-Efficient Proactive Secret Sharing for Dynamic Groups with Dishonest Majorities
A formally analyzed dynamic PSS construction that batches secrets with bivariate polynomials, supports a mobile mixed adversary and changing membership, and reduces amortized communication relative to earlier dishonest-majority schemes.
Problem, contributions, and asymptotic comparison-
question Research question
research questionCan one combine dishonest-majority proactive security, large batches, fair reconstruction, efficient communication, and dynamic group membership in one secret-sharing scheme?
Problem, contributions, and asymptotic comparison -
contribution Central construction
source assertedEncode a batch on the diagonal of a bivariate polynomial, use specialized masking and gradual-reconstruction procedures for proactive maintenance, and change the sharing degree through redistribution protocols when parties join or leave.
Problem, contributions, and asymptotic comparison Bivariate Share, Recover, Reconstruct, and Refresh Increase, Decrease, DecreaseCorrupt, and Redistribute -
scope System and adversary model defined
The parties operate synchronously over pairwise secure channels and authenticated broadcast. A polynomial-time mixed adversary may passively observe and actively control parties within each phase, and its corrupted set may move between refresh periods.
Network, mixed adversary, and security properties-
threat model Separate secrecy, correctness, fairness, and robustness thresholds
definedThe paper assigns distinct multi-thresholds to secrecy, correctness, fairness, and robustness; a claim at one threshold must not be read as establishing the others. Robustness is generally limited to one or two active faults.
Network, mixed adversary, and security properties Robustness, threshold, batching, and synchrony boundaries -
assumption Commitment and erasure assumptions
computational assumptionActive-fault checking uses Pedersen-style homomorphic commitments and computational security under discrete-log hardness; proactive security also relies on phase separation, reset or recovery, and disposal of obsolete state.
Commitments and bivariate-polynomial assumptions Network, mixed adversary, and security properties
-
-
method Batched bivariate proactive sharing specified
A degree-d bivariate polynomial stores secrets at public diagonal points. A party holds a univariate slice, enabling the batch to be refreshed, recovered, reconstructed, and redistributed without exposing the embedded secrets.
Batched and dynamic proactive secret-sharing definitions Bivariate Share, Recover, Reconstruct, and Refresh-
scheme Sublinear threshold loss under batching
specifiedThe bivariate encoding replaces the usual linear loss in corruption tolerance with a square-root dependence on batch size and supports up to n minus 2 embedded secrets in the maximum batch.
Problem, contributions, and asymptotic comparison Static batched-PSS correctness, secrecy, and communication -
protocol Share, Recover, Reconstruct, and Refresh
specifiedShare distributes polynomial slices; Recover replaces a missing slice with blinded assistance; Reconstruct builds a gradual ladder for fair release; and Refresh adds a zero-encoding random bivariate sharing to rerandomize state.
Bivariate Share, Recover, Reconstruct, and Refresh -
protocol Dynamic membership protocols
specifiedIncrease and Decrease adjust the sharing degree as parties join or cooperate in leaving, while DecreaseCorrupt handles one non-participating failed or corrupted departure; Redistribute composes these operations for group changes.
Increase, Decrease, DecreaseCorrupt, and Redistribute
-
-
claim group Main stated guarantees formally analyzed
Theorems establish static and dynamic PSS correctness and secrecy under stated mixed-adversary thresholds, together with fairness and amortized communication results.
Static batched-PSS correctness, secrecy, and communication Increase, Decrease, DecreaseCorrupt, and Redistribute-
claim O(n squared) amortized communication
asymptotic theoremWith a maximum-size batch, the paper reports O(n squared) communication per secret overall, versus O(n cubed) for its single-secret specialization and O(n to the fourth) for the compared prior dishonest-majority construction.
Problem, contributions, and asymptotic comparison Static batched-PSS correctness, secrecy, and communication Increase, Decrease, DecreaseCorrupt, and Redistribute -
claim Mixed-adversary security and fairness
proved under modelThe theorem statements give secrecy and correctness thresholds with a square-root batch-size loss and a separate gradual-reconstruction fairness region; they do not claim robustness at the full dishonest-majority threshold.
Static batched-PSS correctness, secrecy, and communication Ideal functionalities, simulators, and full proofs Robustness, threshold, batching, and synchrony boundaries -
claim Dynamic redistribution preserves the shared secret
proved under modelTheorem 3 composes the five principal protocols into a dynamic PSS scheme whose new group receives a fresh sharing of the same batch, subject to the old and new phases satisfying the stated thresholds.
Increase, Decrease, DecreaseCorrupt, and Redistribute Ideal functionalities, simulators, and full proofs
-
-
evidence group Formal evidence
proof documentedThe source supplies protocol pseudocode, definitions, ideal functionalities, simulators, intermediate lemmas, and proofs for the static and dynamic constructions. This map audits their presence and logical role but does not independently machine-check them.
Bivariate Share, Recover, Reconstruct, and Refresh Ideal functionalities, simulators, and full proofs -
limitation group Boundaries and costs material
The construction is synchronous and computational, assumes secure channels and authenticated broadcast, loses threshold as the batch grows, is not robust against a general active dishonest majority, and offers asymptotic analysis rather than an implementation or deployment evaluation.
Network, mixed adversary, and security properties Commitments and bivariate-polynomial assumptions Robustness, threshold, batching, and synchrony boundaries-
limitation Departure constraints
explicitly scopedCooperative Decrease requires leaving parties to participate, while DecreaseCorrupt handles only one non-participating departure at a time; broader churn behavior is not established by that subprotocol.
Increase, Decrease, DecreaseCorrupt, and Redistribute
-
-
artifact group Auditable resources
source availableThe complete manuscript is checked into the site with page count and SHA-256, the IACR ePrint supplies an archive identity, and the DOI identifies the ACNS publication. No implementation artifact is claimed.
Problem, contributions, and asymptotic comparison Official ACNS publication identity -
scrutiny External scrutiny
venue reviewedThe work appeared at ACNS 2020. Review reports, rebuttal material, independent proof audits, and implementations are not represented in the available record.
Official ACNS publication identity -
lineage Research lineage
documentedThe work improves the earlier dishonest-majority PSS line with batching and dynamic groups, and its bivariate sharing becomes the PSS substrate for the later proactive-MPC construction mapped as paper #61.
Problem, contributions, and asymptotic comparison Increase, Decrease, DecreaseCorrupt, and Redistribute
Audit trail
Source index
Locators state the depth of the current audit. PDF page numbers, where present, are one-based file pages; metadata-, summary-, and abstract-bounded records explicitly identify their limitations.
- Problem, contributions, and asymptotic comparison Abstract and Sections 1.2-1.4, PDF pages 1-7
- Network, mixed adversary, and security properties Sections 2.1-2.3, PDF pages 7-10
- Commitments and bivariate-polynomial assumptions Sections 2.4-2.5, PDF pages 10-11
- Batched and dynamic proactive secret-sharing definitions Section 3, PDF pages 11-14
- Bivariate Share, Recover, Reconstruct, and Refresh Sections 4.1-4.4, PDF pages 14-20
- Static batched-PSS correctness, secrecy, and communication Theorems 1-2 and Remarks 2 and 6, PDF pages 15-20
- Increase, Decrease, DecreaseCorrupt, and Redistribute Section 5 and Theorem 3, PDF pages 20-26
- Ideal functionalities, simulators, and full proofs Supplementary Material, Appendices A-D, PDF pages 29-52
- Robustness, threshold, batching, and synchrony boundaries Sections 1.3, 2.2, 4.4, 5.4, and related-work comparison, PDF pages 5-10, 19-26, and 52-53
- Official ACNS publication identity DOI 10.1007/978-3-030-57808-4_1
- Dated citation-count snapshot OpenAlex reported 0 citations when accessed 2026-07-11