Threshold secret sharing requires a linear size alphabet

Andrej Bogdanov*, Siyao Guo, Ilan Komargodski

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

17 Scopus citations


We prove that for every n and 1 < t < n any t-out-of-n threshold secret sharing scheme for one-bit secrets requires share size log(t + 1). Our bound is tight when t = n − 1 and n is a prime power. In 1990 Kilian and Nisan proved the incomparable bound log(n−t+2). Taken together, the two bounds imply that the share size of Shamir’s secret sharing scheme (Comm. ACM ’79) is optimal up to an additive constant even for one-bit secrets for the whole range of parameters 1 < t < n. More generally, we show that for all 1 < s < r < n, any ramp secret sharing scheme with secrecy threshold s and reconstruction threshold r requires share size log((r + 1)/(r − s)). As part of our analysis we formulate a simple game-theoretic relaxation of secret sharing for arbitrary access structures. We prove the optimality of our analysis for threshold secret sharing with respect to this method and point out a general limitation.

Original languageAmerican English
Title of host publicationTheory of Cryptography - 14th International Conference, TCC 2016-B, Proceedings
EditorsAdam Smith, Martin Hirt
PublisherSpringer Verlag
Number of pages14
ISBN (Print)9783662536438
StatePublished - 2016
Externally publishedYes
Event14th International Conference on Theory of Cryptography, TCC 2016-B - Beijing, China
Duration: 31 Oct 20163 Nov 2016

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume9986 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349


Conference14th International Conference on Theory of Cryptography, TCC 2016-B

Bibliographical note

Publisher Copyright:
© International Association for Cryptologic Research 2016.


Dive into the research topics of 'Threshold secret sharing requires a linear size alphabet'. Together they form a unique fingerprint.

Cite this