Abstract. Suppose Alice uses a t-out-of-n secret sharing to store her secret key on n servers. Her
secret key is protected as long as t of them do not collude. However, what if a less-than-t subset of
the servers decides to offer the shares they have for sale? In this case, Alice should be able to hold
them accountable, or else nothing prevents them from selling her shares. With this motivation in mind,
Goyal, Song, and Srinivasan (CRYPTO 21) introduced the concept of traceable secret sharing. In such
schemes, it is possible to provably trace the leaked secret shares back to the servers who leaked them.
Goyal et al. presented the first construction of a traceable secret sharing scheme. However, secret shares
in their construction are quadratic in the secret size, and their tracing algorithm is quite involved as it
relies on Goldreich-Levin decoding.
In this work, we put forth new definitions and practical constructions for traceable secret sharing. In
our model, some f < t servers output a reconstruction box R that may arbitrarily depend on their
shares. Given additional t − f shares, R reconstructs and outputs the secret. The task is to trace R
back to the corrupted servers given black-box access to R. Unlike Goyal et al., we do not assume that
the tracing algorithm has any information on how the corrupted servers constructed R from the shares
in their possession.
We then present two very efficient constructions of traceable secret sharing based on two classic secret
sharing schemes. In both of our schemes, shares are only twice as large as the secret, improving over the
quadratic overhead of Goyal et al. Our first scheme is obtained by presenting a new practical tracing
algorithm for the widely-used Shamir secret sharing scheme. Our second construction is based on an
extension of Blakley’s secret sharing scheme. Tracing in this scheme is optimally efficient, and requires
just one successful query to R. We believe that our constructions are an important step towards bringing
traceable secret-sharing schemes to practice. This work also raises several interesting open problems
that we describe in the paper.