Score:2

Crypto

No-dealer secret sharing scheme that prevents anonymous collaboration to reconstruct the secret

Alan Reed

4/20/23, 6:07 PM

Is there a no-dealer secret sharing scheme that allows a threshold $k$ of $n$ parties (where $k<n$) to collaborate to reconstruct a secret, but in such a way that none of those $k$ parties are able to collaborate anonymously to reconstruct it?

Imagine a scenario where a group of people agree to keep a secret encrypted until a specific time in the future. They can't be prevented from reconstructing the secret early, but can a scheme be devised to prevent them from doing it anonymously? Thus, they will at least fear the consequences of their cheating being exposed by a fellow colluder.

For example, consider a 2 of 3 scheme with Alice, Bob and Charlie. Alice anonymously contacts Bob, in order to cheat and reconstruct the secret early. We need to ensure Alice can't do that without Bob becoming aware that he's communicating with Alice, no matter what scheme Alice proposes.

Even if Alice and Bob both find a way to mutually anonymously get in contact with one another, we need to be sure that both of them will learn the other's identity no matter what scheme is proposed for reconstructing the secret together.

More information about the motivation behind this can be found here: https://www.gwern.net/Self-decrypting-files#distributed-secret-sharing-with-smart-contracts

0 + 0

multiparty-computation

secret-sharing

knaccc

4/20/23, 6:50 PM

Can your question be stated as: Is there a no-dealer secret sharing scheme that allows a threshold of parties (where <) to collaborate to reconstruct a secret, but in such a way that none of those parties are able to collaborate anonymously?

Alan Reed

4/20/23, 8:11 PM

Yes, I think that is correct. There needs to be a way to "prove" which Key Holders collaborated.

Daniel

4/20/23, 8:37 PM

Not sure this question makes sense... in a more general context: how can you know that I "used" certain secret? For example, if I get to see an encrypted messages and it turns out I could decrypt it, how can anybody learn this? Only way is by some "outside" information that shows that I somehow used the underlying data, or if I somehow go around showing what I found. With signatures, you could prove I learned a key if you ever see me signing something, but if I don't use the key, I might still know it without anybody being aware of it.

Alan Reed

4/20/23, 9:06 PM

If _k_ of _n_ parties are needed to reconstruct the secret, then _k_ parties must communicate some information with someone else in order to reconstruct the secret. Can a secret sharing scheme be created that prevents that communication from being anonymous?

Daniel

4/20/23, 9:46 PM

@AlanReed Again, still unclear. Maybe you can clarify why the following trivial solution does not satisfy what you want? Say I get a signed message from a party and I would like to claim this is their share. I can show it to the other parties and they can run a protocol that checks whether this share is indeed consistent with the underlying secret. If so, the party will be penalized. (PS use @ Daniel---and in general @ username---to get me notified).

Alan Reed

4/21/23, 1:38 AM

@Daniel, the question has been edited the clarify the intent. Please let me know if that helps.

knaccc

4/21/23, 3:03 AM

Although it's not technically an answer to your question, in practice Alice and Bob could anonymously encrypt and send their private keys to a secure enclave which would then reveal the secret to them. This, however, requires confidence in the secure enclave, and we know that secure enclaves have had flaws in the past.

Alan Reed

4/22/23, 2:46 AM

One possible solution would be to sort and concatenate all key shards then hash the result. The resulting hash could be xor'ed with the cipher text to reveal the secret. I think that would prevent anonymous collaboration but it is neither k-of-n nor no-dealer.

JAAAY

7/25/23, 7:53 PM

What prevents from building authenticated channels of communication?

Alan Reed

7/26/23, 8:18 PM

Not sure I understand your question. Authenticated channels between who specifically? What is the intent of that?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: No-dealer secret sharing scheme that prevents anonymous collaboration to reconstruct the secret

TH: รูปแบบการแบ่งปันความลับโดยไม่มีตัวแทนจำหน่ายที่ป้องกันการทำงานร่วมกันโดยไม่ระบุตัวตนเพื่อสร้างความลับใหม่

RO: Schemă de partajare a secretelor fără distribuitor care împiedică colaborarea anonimă pentru a reconstrui secretul

RU: Схема обмена секретом без дилера, которая предотвращает анонимное сотрудничество для восстановления секрета

VI: Sơ đồ chia sẻ bí mật không có đại lý ngăn cản sự hợp tác ẩn danh để tái tạo lại bí mật

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.