Recursive Secret Sharing for Distributed Storage and Information Hiding

This paper presents a recursive computational multi-secret sharing technique that hides k-2 secrets of size b each into n shares of a single secret S of size b, such that any k of the n shares suffice to recreate the secret S as well as all the hidden secrets. This may act as a steganographic channel to transmit hidden information or used for authentication and verification of shares and the secret itself. Further, such a recursive technique may be used as a computational secret sharing technique that has potential applications in secure and reliable storage of information on the Web, in sensor networks and information dispersal schemes. The presented technique, unlike previous computational techniques, does not require the use of any encryption key or storage of public information.

💡 Research Summary

The paper introduces a novel computational multi‑secret sharing scheme called Recursive Secret Sharing (RSS). Unlike traditional secret‑sharing methods that protect a single secret, RSS embeds k‑2 additional secrets of the same size as the primary secret S into the same set of n shares. Any subset of k shares is sufficient to reconstruct not only S but also all hidden secrets, thereby providing a built‑in steganographic channel and a means of authenticating the shares themselves.

The construction proceeds in a series of recursive steps. First, a random polynomial f₁(x) of degree k‑1 is generated with f₁(0)=S; evaluating f₁ at points i=1…n yields the initial shares C_i. In the second step a new polynomial f₂(x) of the same degree is built such that f₂(0)=s₁ (the first hidden secret) and f₂(i)=C_i for i=1…n. This process is repeated k‑2 times, each time using the shares from the previous level as the interpolation points for the next polynomial. The final shares are the evaluations of the last polynomial f_{k‑1}(x).

Reconstruction works in reverse. Given any k of the final shares, the dealer (or any authorized party) interpolates f_{k‑1}(x) using Lagrange interpolation, extracts s_{k‑2}=f_{k‑1}(0), then reconstructs f_{k‑2}(x) from the known points, obtains s_{k‑3}, and so on until f₁(0)=S is recovered. Because each reconstruction step requires at least k points, an adversary possessing fewer than k shares cannot recover any of the secrets; the problem reduces to solving a polynomial interpolation with insufficient data, which is computationally hard when the field size and degree are large.

Key security properties stem from the computational hardness of polynomial interpolation rather than information‑theoretic guarantees. No external encryption key or public parameters are needed; all necessary information is implicitly stored in the shares. Consequently, key‑management overhead is eliminated, and the scheme is resistant to key‑exposure attacks.

Performance analysis shows that share generation and reconstruction each require O(k·n) field operations, and the storage overhead grows linearly with the number of hidden secrets. Specifically, if each secret has size b bits, the total storage is roughly (k‑1)·b·n/k, which is modest for typical values of k and n. The authors argue that this overhead is acceptable given the added functionality of hidden‑secret transmission and built‑in authentication.

Potential applications highlighted include:

1. Steganographic channels – hidden secrets can be transmitted covertly within ordinary secret‑sharing traffic, making detection by an eavesdropper difficult.
2. Authentication and verification – the hidden data can embed hash values or MACs, allowing recipients to verify the integrity of shares without separate metadata.
3. Distributed storage – files can be split across web servers or cloud nodes, each fragment containing multiple secrets; an attacker must compromise a threshold of nodes to obtain any useful information.
4. Sensor networks – limited‑resource nodes can embed sensor readings and authentication codes together, reducing communication overhead.

The scheme assumes a trusted dealer who creates the initial shares. If the dealer is malicious, the entire system’s integrity can be compromised; thus, future work should explore dealer‑less or verifiable‑dealer extensions. Moreover, because security is computational, advances in algorithms or quantum computing could affect the hardness assumptions, suggesting a need for quantum‑resistant variants.

In summary, Recursive Secret Sharing offers a practical way to hide multiple secrets without extra keys, providing both confidentiality and authenticity in a single set of shares. While it introduces additional storage and computational costs compared with single‑secret schemes, its unique capabilities make it attractive for scenarios where covert communication, built‑in verification, or multi‑secret dispersal are required. Further research is needed to address dealer trust, optimize performance for large‑scale deployments, and strengthen the scheme against emerging cryptographic threats.