Abstract. Suppose Alice uses a t-out-of-n secret sharing to store her secret key on n servers. Her

secret key is protected as long as t of them do not collude. However, what if a less-than-t subset of

the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold

them accountable, or else nothing prevents them from selling her shares. With this motivation in mind,

Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of traceable secret sharing. In such

schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them.

Goyal et al. presented the first construction of a traceable secret sharing scheme. However, secret shares

in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it

relies on Goldreich-Levin decoding.

In this work, we put forth new definitions and practical constructions for traceable secret sharing. In

our model, some f < t servers output a reconstruction box R that may arbitrarily depend on their

shares. Given additional t − f shares, R reconstructs and outputs the secret. The task is to trace R

back to the corrupted servers given black-box access to R. Unlike Goyal et al., we do not assume that

the tracing algorithm has any information on how the corrupted servers constructed R from the shares

in their possession.

We then present two very efficient constructions of traceable secret sharing based on two classic secret

sharing schemes. In both of our schemes, shares are only twice as large as the secret, improving over the

quadratic overhead of Goyal et al. Our first scheme is obtained by presenting a new practical tracing

algorithm for the widely-used Shamir secret sharing scheme. Our second construction is based on an

extension of Blakley’s secret sharing scheme. Tracing in this scheme is optimally efficient, and requires

just one successful query to R. We believe that our constructions are an important step towards bringing

traceable secret-sharing schemes to practice. This work also raises several interesting open problems

that we describe in the paper.