Unconditionally Secure Social Secret Sharing Scheme

Mehrdad Nojoumian, Douglas R. Stinson, and Morgan Grainger

David R. Cheriton School of Computer Science
University of Waterloo, Waterloo, ON, N2L 3G1, Canada
{mnojoumi, dstinson, mjgraing}@uwaterloo.ca

Abstract. We introduce the notion of a Social Secret Sharing Scheme, in which shares are allocated based on a player’s reputation and the way he interacts with other participants. During the social tuning phase, weights of players are adjusted such that participants who cooperate will end up with more shares than those who defect. Alternatively, newcomers are able to be enrolled in the scheme while corrupted players are disenrolled immediately. In other words, this scheme proactively renews shares at each cycle without changing the secret, and allows trusted participants to gain more authority. Our motivation is that, in real-world applications, components of a secure scheme may have different levels of importance (i.e., the number of shares a player has) as well as reputation (i.e., cooperation with other players for the share renewal or secret recovery). Therefore, a good construction should balance these two factors respectively. In the proposed schemes, both the passive and active mobile adversaries are considered in an unconditionally secure setting.¹

1 Introduction

The growth of the Internet has created amazing opportunities for secure multiparty computations where various users, intelligent agents, or computer servers cooperate in order to conduct computation tasks based on the private data they each provide [8]. Since these computations could be among untrusted participants or competitors, the privacy of each participant’s input is an important factor.
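The abstract's two ideas, weight as the number of shares a player holds and renewal of shares without changing the secret, shown as an added example (not code from the paper) on top of Shamir's (t,n)-threshold scheme. Assumptions: the field prime `P`, all function names, and a single routine standing in for the renewal step, which here adds a random polynomial with zero constant term (the standard proactive technique, not the paper's own protocol).

```python
import secrets

# Added example, not the paper's protocol. P and all names are assumptions.
P = 2**127 - 1  # prime modulus of the field; must exceed the secret and every x

def _eval(coeffs, x):
    """Horner evaluation of the polynomial with these coefficients at x, mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y

def deal(secret, t, weights):
    """Share `secret` with threshold t; each player gets weights[player] shares."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares, x = {}, 1
    for player, w in weights.items():
        shares[player] = [(x + k, _eval(coeffs, x + k)) for k in range(w)]
        x += w
    return shares

def renew(shares, t):
    """Proactive renewal: add a random degree t-1 polynomial whose constant
    term is zero, so every share changes while the shared secret stays fixed."""
    delta = [0] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {p: [(x, (y + _eval(delta, x)) % P) for x, y in pts]
            for p, pts in shares.items()}

def pool(shares, players):
    """All (x, y) shares held by a coalition of players."""
    return [pt for p in players for pt in shares[p]]

def recover(points):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

if __name__ == "__main__":
    w = {"A": 3, "B": 2, "C": 1, "D": 1}  # constructed weights
    old = deal(42, 4, w)
    new = renew(old, 4)
    print(recover(pool(old, ["A", "C"])), recover(pool(new, ["B", "C", "D"])))
```

Shares captured before a renewal cannot be combined with shares captured after it, which is what limits a mobile adversary to the shares it can collect within one cycle.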
As stated in the literature, a fundamental method used in secure multiparty computations is the secret sharing scheme [19, 3], where a secret is divided into different shares for distribution among participants (private data), and a subset of participants then cooperate in order to reveal the secret (computation result). In particular, Shamir proposed the (t,n)-threshold secret sharing scheme, in which the secret is divided into n shares for distribution among players. The shares are constructed such that any t participants can combine their shares to reveal the secret, but any set of t − 1 participants cannot learn anything about the secret. Sample applications of such schemes are: joint signature or decryption, where a group of players sign documents or decrypt messages such that a signature or a message can be generated only if all of them, or a subset of participants, cooperate [9]; shared RSA keys, in which a number of players collaborate to jointly construct an RSA key [5]; and electronic auctions with private bids, where a group of agents perform sealed-bid electronic auctions while preserving the privacy of the submitted bids [10].

To construct a secure scheme, first the security model needs to be defined. We consider various types of adversaries. In the passive adversary model, participants follow protocols correctly but are

¹ This paper is a postprint of a paper submitted to and accepted for publication in IET Information Security, Special Issue on Multi-Agent and Distributed Information Security (2010), and is subject to Institution of Engineering and Technology Copyright. The copy of record is available at IET Digital Library.