Verifiably Multiplicative Secret Sharing

A $d$ -multiplicative secret sharing ( $d$ -MSS) scheme allows the players to multiply $d$ shared secrets without recovering the secrets by converting their shares locally into an additive sharing of the product. It has been proved that the $d$ -MSS among $n$ players is possible if and only if no $d$ unauthorized sets of players cover the whole set of players (type $Q_{d}$ ). Although this result implies some limitations on SS in the context of MPC, the $d$ -multiplicative property is still useful for simplifying complex tasks of MPC by computing the product of $d$ field elements directly and non-interactively without any setup. This paper aims to improve the usefulness of the $d$ -MSS by enhancing the security against malicious adversaries. First, we introduce the notion of verifiably multiplicative SS, verifiably MSS for short, which is mainly formalized for detecting malicious behaviors. Informally, an SS scheme is verifiably $d$ -multiplicative if the scheme is $d$ -multiplicative and further enables the players to locally generate a share of a proof that the summed value is correct (i.e., the product of $d$ shared secrets). Secondly, we prove that there is no error-free verifiably MSS scheme whose decoder of the proof is additive, and that by accepting an error probability that can be chosen arbitrarily, there exists a verifiably $d$ -MSS scheme realizing a given access structure if and only if the access structure is of type $Q_{d}$ . In the proposed construction, each share of a proof consists of only two field elements . This result means that we can efficiently achieve the optimal resiliency of the standard $d$ -MSS even against malicious adversaries. We note that by allowing a general class of decoders that includes a linear one, there is an error-free verifiably $d$ -MSS scheme if the access structure is of type $Q_{d+1}$ . Finally, we generalize the $d$ -multiplicative property to a $d$ -or-less version where the number $d'$ of multiplied secrets with $d'\leq d$ is not known in advance. We show that a $d$ -or-less MSS scheme can be constructed from any $d$ -MSS scheme of the same access structure with a constant overhead, and the feasibility of (verifiably) $d$ -MSS implies that of (verifiably) $d$ -or-less MSS.