SplittingSecrets: Secure Secret Sharing

• SplittingSecrets is a collection of schemes that split a secret into shares allowing only authorized subsets to recover the original, while unauthorized parties gain negligible information.
• It integrates information-theoretic cryptography, secure multiparty computation, coding theory, and quantum protocols to provide robust and efficient secret sharing solutions.
• Practical implementations include optimized polynomial constructions, collaborative and compartmented schemes, and device-independent as well as semi-quantum protocols.

SplittingSecrets encompasses a range of methods, protocols, and theoretical frameworks for dividing a secret into multiple pieces ("shares" or "modules") such that only authorized subsets of parties can recover the original secret, while unauthorized subsets acquire no or negligible information. The study and practice of SplittingSecrets traverses information-theoretic cryptography, secure multiparty computation, coding theory, and software/hardware security, and extends naturally into quantum and post-quantum domains.

1. Information-Theoretic Foundations of Secret Splitting

The canonical model for SplittingSecrets is the secret-sharing scheme, which defines an access structure $\mathcal A$ (a monotone family of authorized subsets of participants) and its complement $\mathcal B$ (forbidden sets). For each secret $W$, the dealer broadcasts shares through a (possibly noisy) channel so that: (a) every $A\in\mathcal A$ can reconstruct $W$ with negligible error, (b) every $B\in\mathcal B$ gains negligible information about $W$ even if all their shares are pooled.

The work "An Information Theoretic Approach to Secret Sharing" (Zou et al., 2014) recasts secret sharing as a compound wiretap channel problem. The broadcasting dealer is analogous to a sender transmitting over a discrete memoryless channel to $K$ receivers; each authorized set is treated as a legitimate receiver $V_A$ (with access to a subset of outputs), and each forbidden set as an eavesdropper $E_B$. The secret sharing capacity, i.e., the optimal rate at which secrets can be shared per channel use, is then given by:

$$C_s = \sup_{P_{U,X}}\bigl[\min_{A\in\mathcal A} I(U;Y_{V_A}) - \max_{B\in\mathcal B} I(U;Y_{E_B})\bigr]$$

with $U\to X\to(Y_k)$, where $U$ is an auxiliary variable and $Y_{V_A}$ denotes the joint observations of receivers in $A$. These capacity expressions yield explicit operational performance bounds for classical sharing, layered multi-secret sharing (modeled as a degraded MIMO broadcast channel), and compound general-access structures.

The associated constructive codes are superpositions of nested codebooks, each layer responsible for a particular secret and providing layered secrecy and decodability guarantees. For the single-secret case, this maps to random binning and joint typicality decoders; for the multi-secret layered case (corresponding to so-called "splitting with levels"), the capacity region is characterized by mutual information differences, achieved using Gaussian auxiliary variables in the degraded MIMO scenario (Zou et al., 2014).

2. Algorithmic and Structural Variants

Several algorithmic innovations enrich the basic model, each tailored for application-specific or access-structure-specific efficiency:

• Collaborative Schemes: When splitting multiple secrets among overlapping sets of participants, the goal can be to minimize share storage for common participants. In "How to Collaborate between Threshold Schemes" (Wang et al., 2013), two threshold schemes with $u$ shared participants are reconciled such that each such participant needs only one share—the "crossover point"—rather than duplicating shares for each secret. This is accomplished by careful Lagrange interpolation of polynomials with prescribed common points.
• Gruppen Secret Sharing: The "gruppen" scheme (Csirmaz, 2013) is tailored for the scenario where each of $n$ participants holds a secret, and any group of $k$ can recover the secrets of the other $n-k$ precisely and only those, with perfect security against subsets of up to $k-1$. The entropy lower bound for each share is precisely $(n-k)s$ (with $s$ the secret size), and an explicit polynomial construction achieves this minimum by embedding all secrets evaluations in a single high-degree random polynomial.
• Space-Efficient Schemes: Sharing $k$ secrets among $n$ participants (with $n\ge k$) at minimum storage is achieved in (0901.4798) by encoding all $k$ secrets as evaluations of a single degree-$(k-1)$ polynomial, and distributing $n$ shares as evaluations at new points, requiring only $n$ elements of storage, optimal when $n=k$.
• Crucial and Redundant Shares; Compartmented Extensions: Shares can be distinguished by their necessity ("crucial"—must appear in every reconstructing set) or by redundancy amongst a group (only one of a block matters), enabling efficient realization of complex access structures, including nested AND/OR conditions in CNF forms. Compartmented schemes (Schillinger et al., 2019) allow hierarchical or organizationally structured access, wherein outer and inner secret-splitting layers obey distinct thresholds and share-roles, mapped to Shamir-style polynomials of varying degrees.
• Computation-Free Schemes: For practical distributed storage, computation-free splitting is achieved by tiling a file into overlapping modules according to a table, guaranteeing an $m$-of-$n$ threshold property without arithmetic, at the expense of partial leakage below threshold (Titov, 2010).

3. Extensions to Quantum, Device-Independent, and Semi-Quantum Secret Splitting

Quantum secret sharing (QSS) extends SplittingSecrets schemes to quantum states, leveraging entanglement and quantum correlations:

• Quantum Secret Reconstruction with Cluster States: Classical shares split via additive sharing are reused repeatedly as correction parameters in a cluster-state quantum protocol, allowing efficient (information-theoretic) reconstruction of quantum secrets, with direct implementation on superconducting hardware (Ma et al., 2023).
• Dual Quantum Information Splitting (DQIS): DQIS (H. et al., 2013) inverts the standard paradigm: the dealer distributes a fixed fiducial quantum state and encodes the secret in the entangled channel. Bell-inequality violations on the distributed (graph-state) code serve as a security certificate, with any eavesdropper reducing the observed nonlocality and thus limiting their knowledge. Degenerate code spaces guarantee maximal, exclusive nonlocality, supporting device-independent security models.
• Multiparty Hierarchical QIS: Hierarchical secret-sharing protocols (Wang et al., 2011) can assign different levels of reconstructive authority (e.g., Bobs with higher access, Charlies with restricted access) using only single-qubit local measurements and a carefully engineered graph state. Threshold requirements are made explicit in the tensor-product structure of the shared state and the recovery unitaries depend on classically broadcast measurement results.
• Device-Independent Secret Sharing: In protocols based on Svetlichny-type Bell violations (Moreno et al., 2019), security and access structure are enforced even when all devices are uncharacterized black-boxes. Only full collaboration of all shares guarantees secret recovery and security thresholds are quantified in terms of the observed multipartite nonlocality ($S_n$). Importantly, up to $n-2$ parties may collude with an external adversary without compromising security, provided the observed nonlocal correlations cross designated bounds.
• Semi-Quantum Secret Sharing and One-Way Protocols: Semi-quantum protocols (Younes et al., 2024) achieve efficient one-way sharing (from a quantum dealer to "classical" participants), robust against sophisticated attacks (DCNA, intercept-resend, collective, and Trojan-horse attacks), by embedding secrets into GHZ-like states and using Bell decoys with Hadamard tests for eavesdropper detection. Qubit efficiency is improved with analytical expressions, and the ability to share specific bits is preserved in the protocol structure.

4. Function Secret Sharing, Conditional Disclosure, and Secure Computation

The function secret sharing (FSS) paradigm generalizes secret splitting to functions: parties receive shares of a function such that only a threshold can jointly evaluate $f(x)$, with correctness and secrecy constraints (Miranda et al., 2021). "Function-private" constructions ensure the predicate (conditional disclosure) governing reconstruction is itself hidden.

• Threshold DPF and Polynomial FSS: The multi-evaluation distributed point function (t-DPF) construction enables $t$-out-of-$n$ secret sharing not only of data but of function values, e.g., allowing groups to compute $f(x)$ at multiple $x$ without leaking $f$'s structure beyond the threshold. Polynomial evaluation FSS protocols using Shamir sharing for coefficients achieve optimal information-theoretic bounds for degree-$n$ polynomials over $\mathbb F_q$.
• Split Learning + FSS: In privacy-preserving machine learning—especially split learning—recent works (Khan et al., 2024, Khan et al., 14 Jul 2025) combine FSS and additive masking strategies to split activation maps and model parameters across multiple servers. No unmasked data or intermediate feature space is ever visible to any single server, thwarting advanced attacks such as feature-space hijacking, model inversion, and label inference attacks. These hybrid schemes are both practically effective (with 2–3× communication and 7× computational savings over pure FSS alone) and provably secure in the honest-but-curious model.

5. Almost-perfect and Imperfect Splitting: Shannon, Kolmogorov, and Beyond

The perfect secret splitting model (where forbidden groups learn zero) is often overly restrictive. "Almost-perfect" secret sharing (Kaced, 2011) relaxes exact secrecy to allow vanishing or small mutual information leak to adversarial groups, captured in parameters $(\epsilon_1,\epsilon_2)$ specifying residual uncertainty and leak.

• Entropy and Complexity Connections: The equivalence between asymptotic Shannon-entropy and Kolmogorov complexity models implies that for every access structure $\Gamma$ and triple $(\rho,\epsilon_1,\epsilon_2)$, the realization of almost-perfect sharing is unaffected by moving between the two models.
• Resource Scaling: Perfect schemes scale up/down linearly in secret size, while the leakage and missing-information parameters can be managed via block-wise random partitioning. There is, however, no known access structure that admits strictly better rate in almost-perfect than in perfect secret sharing.

6. Non-standard Objects, Domains, and Efficient Representations

• Non-numeric, Heterogeneous, and Structural Secrets: Schemes based on intersection—e.g., sharing graphs or sets as secrets (Sahasranand et al., 2010)—allow perfectly secret $(2,n)$ sharing of combinatorial objects without recourse to modular arithmetic. Each share is a graph or superset with random labelings, and reconstruction is via graph intersection. This approach generalizes to sets, matrices, or hybrid objects and achieves substantial computational efficiency and accessibility.
• Practical Byte-level Splitting: For scenarios involving distributed file storage, computation-free (table-based) splitting schemes (Titov, 2010) provide $m$-of-$n$ recovery with explicit redundancy and threshold guarantees, though with partial leakage below threshold.
• Compartmented and Role-Based Structures: Enhanced schemes (Schillinger et al., 2019) map complex organizational or compartmented access requirements to polynomial construction using crucial and redundant shares at both inter- and intra-compartment levels, achieving efficiency and compactness in share distribution.

7. Open Problems, Limitations, and Outlook

• Theoretical boundaries for almost-perfect schemes remain: it is unknown whether there exist access structures with strictly better rates than perfect sharing by allowing minimal leak.
• Quantifying and interpreting higher-order redundancy in information decompositions, especially in complex structures and adversarial models, is an ongoing challenge (Rauh, 2017).
• Quantum implementations generally assume lossless, trusted entanglement delivery; extending device-independence to practical noisy scenarios remains active.
• Function secret sharing over broader function classes (beyond polynomials and point functions), adaptive or dynamic resharing, and post-quantum instantiations are active research areas (Miranda et al., 2021).
• Practical deployment of robust, compiler-automated defenses against hardware-based and data-at-rest side channels, as in the SplittingSecrets software hardening tool (Sharma et al., 18 Jan 2026), requires careful hardware-specific modeling and incurs moderate (2–3×) overhead.

---

SplittingSecrets serves as a unifying theme in modern cryptography, encompassing deep theoretical underpinnings, efficient constructions for a diverse range of access structures, and practical deployments spanning hardware, software, and quantum regimes. The landscape of SplittingSecrets continues to evolve, integrating advances in communication theory, hardware-aware cryptography, quantum information, and privacy-preserving computing.