(Scalable) Multiterminal Key Agreement

In cryptography, secret key agreement is usually framed as a two-party story: Alice and Bob want to agree on a shared secret while Eve listens. But many real systems are not two-party systems. They involve teams of devices, servers, users, or sensors that need to establish the same secret key, often in the presence of public discussion and potentially powerful adversaries. A recent paper of mine, with Benjamin Kim (lead student author) and Lav Varshney, asks a simple question:

Can ideas from coding theory and secret sharing give us a clean, scalable way to do multiterminal secret key agreement?

Our answer is yes! The paper develops a simple multiterminal key agreement scheme built from maximum distance separable (MDS) codes (specifically Reed-Solomon codes) and then analyzes its secrecy and rate through the lens of secret key capacity and multivariate mutual information (MMI). The key point is that the same threshold structure that makes Reed-Solomon codes powerful for secret sharing also makes them surprisingly natural for multiterminal key agreement.

The Big Picture

The paper sits at the intersection of three ideas.

First, there is secret sharing. In a threshold secret sharing scheme, a secret is split into $n$ shares so that any $k$ shares can reconstruct the secret, but any fewer than $k$ reveal nothing about it. Shamir Secret Sharing schemes (via use of Reed-Solomon codes) are a well-studied class of techniques to realize this threshold property.

Second, there is secret key agreement (SKA). In the multiterminal SKA setting, multiple parties start with correlated private observations, publicly discuss information over an authenticated public channel, and aim to end with the same shared key while leaking essentially nothing useful to an eavesdropper. The information-theoretic performance limit is measured by the secret key capacity.

Third, there is coding theory. Error-correcting codes already encode redundancy in a structured way. MDS codes are optimal in a precise sense: they achieve the maximum possible distance for their block length and dimension. That is, they give the strongest threshold-reconstruction behavior for a given amount of redundancy.

What our paper does is connect these three threads in a particularly direct way: use an MDS codeword as the object being partially distributed across terminals, then exploit the threshold property to guarantee recoverability for the legitimate users and secrecy against the wiretapper.

Why this Connection is Interesting

At a high level, secret sharing and multiterminal key agreement share many goals/targets/techniques.

In secret sharing, you start with a secret and want to distribute it safely across many users.

In multiterminal key agreement, you start with distributed private information and want users to end up with a shared secret key.

These are not identical tasks, but they share the same core geometry: some subsets of information should be enough to reconstruct, and smaller subsets should reveal nothing. The paper’s main conceptual contribution is to push this analogy far enough to get an explicit multiterminal SKA protocol out of it. (The abstract states this clearly: the work explores the connection between secret sharing and secret key agreement, yielding “a simple and scalable multiterminal key agreement protocol” based on Reed-Solomon codes with threshold reconstruction.)

The threshold semantics of MDS codes are exactly the right structure for a scalable multiterminal key agreement design.

The Model

The paper works in the standard multiterminal communication setup. There is a set of terminals $V$ , a subset $A\subseteq V$ active users who must recover the final key, and possibly helpers in $V\setminus A$ . Each user has access to a private correlated source $Z_i$ , and everyone can participate in public discussion, which an eavesdropper also sees. The key must satisfy two conditions:

Secrecy: the public discussion should reveal essentially no information about the key.
Recoverability: every active user should be able to reconstruct the key from their private source and the public discussion.

The paper also recalls the standard definition of secret key capacity, the maximum achievable key rate over all allowed protocols in this model.

The Coding Idea

Now for the protocol idea.

Suppose we take a secret and pad it with additional uniform randomness, forming a vector $K=(s, u_1, \ldots, u_{k-1})$ ,

where $s$ is the actual secret and the $u_i$ ‘s are random pads. Then we encode $K$ using an $(n, k)$ Reed-Solomon code with generator matrix $G$ , obtaining a codeword $Z=KG$ . Each terminal receives one symbol $z_i$ of this codeword, and then the protocol publicly reveals exactly $k-1$ additional symbols. Since any $k$ symbols of an $(n,k)$ MDS code suffice to reconstruct the message, each legitimate terminal can combine its private symbol with the $k-1$ public symbols and recover the full encoded message $K$ .

This is the reconstruction side.

On the secrecy side, the protocol masks the privately delivered shares using independent random values $r_i$ . In the “secret-sharing-inspired” version of the scheme, terminal $Z_1$ has a distinct random shared value $r_i$ with each terminal $Z_i$ , and broadcasts $e_i = z_i + r_i$ .. Each intended recipient can subtract its own mask $r_i$ and recover the corresponding code symbol, but the eavesdropper only sees the masked version.

So the core protocol can be summarized as follows:

Encode the secret-plus-padding with an MDS code,
Privately give each user one share (masked),
Publicly reveal exactly $k$ additional shares,
Let each legitimate user reconstruct,
Rely on the threshold property to ensure that the eavesdropper still stays below the reconstruction threshold.

The Main Security Statements

In the paper, we show that the eavesdropper learns nothing about the secret from the entire visible transcript.

The first main theorem captures the information-theoretic secrecy of this setup. There is also a computational variant. If one uses an IND-CPA-secure public-key encryption scheme to distribute the shares to terminals, then the protocol becomes computationally secure against PPT adversaries rather than information-theoretically secure against unbounded ones. That computational extension is practically important because it shows the scheme is not tied to idealized pre-shared masks. If you are willing to step down from unconditional secrecy to computational secrecy, you can distribute shares using standard encrypted channels.

If I had to summarize the paper in one sentence, I would say this:

It shows that MDS codes are not just a convenient implementation tool for multiterminal key agreement; they are a structural bridge between secret sharing, error correction, and SKA capacity.

For further details, take a look at the paper. Feedback/comments are welcome!

Fall 2025: Topics in Information-Theoretic Cryptography

Since the beginning of this year, I have been developing a course on “Topics in Information-Theoretic Cryptography”. Recently, the course was approved for Fall 2025. I’m very excited to share some research with undergraduate/graduate students! Below, I list some relevant information for the proposed course.

Course Number and Title

ECE598DA: Topics in Information-Theoretic Cryptography

Description

In this course, we will study foundational and recent work on the use of information theory to design and analyze cryptographic protocols. We will begin by studying privacy attacks which motivate strong privacy and security definitions. Then, we will explore the basics of differential privacy and study some core works on zero-knowledge proofs. Finally, we will explore various applications, including watermarking of generative models.

Syllabus

Week 1: Introduction: motivations, one-time pad review, review of probability theory

Week 2: Attacks and Composition Theorems for Differential Privacy

Week 3: Standard Mechanisms for Differential Privacy

Week 4: Information-Theoretic Lower Bounds for Differential Privacy

Week 5: Differentially Private Statistical Estimation and Testing

Week 6: Zero-Knowledge Proofs

Week 7: Statistical Zero-Knowledge Proofs: Part I

Week 8: Statistical Zero-Knowledge Proofs: Part II

Week 9: Multi-Party Computation

Week 10: Multi-Party and Computational Differential Privacy

Week 11: Code-Based Cryptography: Part I

Week 12: Code-Based Cryptography: Part II

Week 13: More Applications

Watermarking of Generative Models
Proof Systems for Machine Learning
Bounded-Storage Cryptography
Quantum Cryptography

Week 14: Project Presentations

Commitment Schemes

Scenario: Coin Tossing Over the Phone

Imagine two people, Àdébísí and Bọ́lá, want to flip a coin to decide who should pay for drinks, but they are communicating over the phone and, thus, cannot physically toss a coin in the view of both of them. More concretely:

Àdébísí and Bọ́lá want to flip a coin.
Àdébísí secretly decides her guess for “heads” or “tails”.
Bọ́lá flips the coin and announces the result.
Àdébísí reveals her guess, proving she didn’t cheat by changing her guess after hearing the result.
Àdébísí wins the game if her guess matches the announced result.

In this scenario, Àdébísí and Bọ́lá can use a commitment scheme that allows one party to “commit” to a chosen value while keeping it hidden to the other party until an appropriate time. [1]

This ensures neither party can cheat:

Àdébísí cannot change her guess after Bọ́lá announces the result (binding).
Bọ́lá cannot deduce Àdébísí’s guess before she reveals it (hiding).

A commitment scheme is a cryptographic primitive that allows one party (the sender) to commit to a chosen value while keeping it hidden from another party (the receiver), with the ability to reveal the committed value later. Commitment schemes are essential building blocks in various cryptographic protocols, such as zero-knowledge proofs and secure multi-party computations.

Properties of Commitment Schemes

A commitment scheme must satisfy two fundamental properties:

Binding Property
- Once the sender has committed to a value, they cannot change it.
- This ensures that the commitment is “binding,” preventing the sender from lying about the value during the reveal phase.
Hiding Property
- The commitment does not reveal any information about the value to the receiver until the sender decides to reveal it.
- This ensures that the value is “hidden” until the sender discloses it.

Phases of a Commitment Scheme

A commitment scheme typically involves two phases:

Commit Phase
- The sender chooses a value $m$ and generates a commitment $C$ using a commitment function, often involving random coins $r$ .
- $C = \text{Commit}(m, r)$
- The commitment $C$ is sent to the receiver.
Reveal Phase
- The sender reveals $m$ and $r$ to the receiver.
- The receiver verifies the commitment $C$ by checking if $C = \text{Commit}(m, r)$ .

Hiding

The hiding property of a commitment scheme ensures that the commitment does not reveal any information about the committed value $m$ to the receiver until the sender decides to reveal it. In other words, the commitment conceals the value $m$ while still binding the sender to that value.

Types of Hiding

Perfect/Statistical Hiding: The commitment $C$ provides no information about $m$ at all, even with infinite computational power. This is achieved if the distribution of $C$ is independent of $m$ .
Computational Hiding: It is computationally infeasible for the receiver to deduce $m$ from $C$ (in polynomial time in relevant parameters).

Binding

The binding property in a commitment scheme ensures that once a sender commits to a value, they cannot change it later. This property prevents the sender from “cheating” by revealing a different value during the reveal phase.

Types of Binding

Perfect/Statistical Binding: It is mathematically impossible to find two different values $m_1$ and $m_2$ that produce the same commitment $C$ .
Computational Binding: Finding such a pair $(m_1, r_1)$ and $(m_2, r_2)$ , that produces the same commitment $C$ , is computationally infeasible for any adversary with limited computational resources.

Exercise

Prove that a commitment scheme cannot be both perfectly hiding and perfectly binding at the same time.

References

[1] Gilles Brassard, David Chaum, and Claude Crépeau, Minimum Disclosure Proofs of Knowledge, Journal of Computer and System Sciences, vol. 37, pp. 156–189, 1988.

[2] Manuel Blum, Coin Flipping by Telephone, Proceedings of CRYPTO 1981.

[3] Oded Goldreich, Silvio Micali, and Avi Wigderson, Proofs that yield nothing but their validity, or all languages in NP have zero-knowledge proof systems, Journal of the ACM, 38: 3, pp. 690–728, 1991

🎉 Happy New Year! 🎉

Here’s to a year filled with joy, success, and unforgettable memories. 🥂🎆

With love,
Daniel Alabi

Why (and How) Things Work

In Honor of David Blackwell

Tag Archives for cryptography