Ideal secret sharing schemes with multiple secrets

We consider secret sharing schemes which, through an initial issuing of shares to a group of participants, permit a number of different secrets to be protected. Each secret is associated with a (potentially different) access structure and a particular secret can be reconstructed by any group of participants from its associated access structure without the need for further broadcast information. We consider ideal secret sharing schemes in this more general environment. In particular, we classify the collections of access structures that can be combined in such an ideal secret sharing scheme and we provide a general method of construction for such schemes. We also explore the extent to which the results that connect ideal secret sharing schemes to matroids can be appropriately generalized.The work of the second and third authors was supported by the Australian Research Council.     

Ideal Multipartite Secret Sharing Schemes

Multipartite secret sharing schemes are those having a multipartite access structure, in which the set of participants is divided into several parts and all participants in the same part play an equivalent role. In this work, the characterization of ideal multipartite access structures is studied with all generality. Our results are based on the well-known connections between ideal secret sharing schemes and matroids and on the introduction of a new combinatorial tool in secret sharing, integer polymatroids .     

On Codes, Matroids, and Secure Multiparty Computation From Linear Secret-Sharing Schemes

Error-correcting codes and matroids have been widely used in the study of ordinary secret sharing schemes. In this paper, the connections between codes, matroids, and a special class of secret sharing schemes, namely, multiplicative linear secret sharing schemes (LSSSs), are studied. Such schemes are known to enable multiparty computation protocols secure against general (nonthreshold) adversaries. Two open problems related to the complexity of multiplicative LSSSs are considered in this paper. The first one deals with strongly multiplicative LSSSs. As opposed to the case of multiplicative LSSSs, it is not known whether there is an efficient method to transform an LSSS into a strongly multiplicative LSSS for the same access structure with a polynomial increase of the complexity. A property of strongly multiplicative LSSSs that could be useful in solving this problem is proved. Namely, using a suitable generalization of the well-known Berlekamp-Welch decoder, it is shown that all strongly multiplicative LSSSs enable efficient reconstruction of a shared secret in the presence of malicious faults. The second one is to characterize the access structures of ideal multiplicative LSSSs. Specifically, the considered open problem is to determine whether all self-dual vector space access structures are in this situation. By the aforementioned connection, this in fact constitutes an open problem about matroid theory, since it can be restated in terms of representability of identically self-dual matroids by self-dual codes. A new concept is introduced, the flat-partition, that provides a useful classification of identically self-dual matroids. Uniform identically self-dual matroids, which are known to be representable by self-dual codes, form one of the classes. It is proved that this property also holds for the family of matroids that, in a natural way, is the next class in the above classification: the identically self-dual bipartite matroids.     

Secret sharing schemes with bipartite access structure

We study the information rate of secret sharing schemes whose access structure is bipartite. In a bipartite access structure there are two classes of participants and all participants in the same class play an equivalent role in the structure. We characterize completely the bipartite access structures that can be realized by an ideal secret sharing scheme. Both upper and lower bounds on the optimal information rate of bipartite access structures are given. These results are applied to the particular case of weighted threshold access structure with two weights     

理想的多密门限体制的拟阵结构

门限体制是秘密共享体制中最基本的一类,其特点是简洁而实用．本文讨论了门限体制的拟阵结构,得到理想的多密门限体制存在的条件．     

On Matroid Characterization of Ideal Secret Sharing Schemes

A characterization of ideal secret sharing schemes with an arbitrary number of keys is derived in terms of balanced maximum-order correlation immune functions. In particular, it is proved that a matroid is an associated matroid for a binary ideal secret sharing scheme if and only if it is representable over the binary field. Access structure characterization of connected binary ideal schemes is established and a general method for their construction is pointed out. Received 16 April 1993 and revised 10 October 1996     

一类不可表示的多部秘密共享拟阵

 一直以来,理想的存取结构具有的特性是秘密共享领域中主要的开放性问题之一,并且该问题与拟阵论有着密切的联系.多部存取结构是指将参与者集合划分为多个部分,使得同一部分中的参与者在存取结构中扮演等价的角色,由于每个存取结构都可以看作是多部的,于是多部存取结构的特性被广泛地研究.在EUROCRYPT’07上,Farras等人研究了秘密共享方案中理想多部存取结构的特性.他们的工作具有令人振奋的结果：通过研究多部拟阵和离散多拟阵之间的关系,他们得到了多部存取结构为理想存取结构的一个必要条件和一个充分条件,并且证明了一个多部拟阵是可表示的当且仅当其对应的离散多拟阵是可表示的.在文中,他们给出了一个开放性问题：可表示的离散多拟阵具有的特性,即哪些离散多拟阵是可表示的,哪些是不可表示的.本文给出并证明了一类不可表示的离散多拟阵,即给出了一个离散多拟阵为不可表示的离散多拟阵的一个充分条件.我们将这一结论应用于Vamos拟阵,于是得到了一族不可表示的多部拟阵,同时我们利用向量的线性相关和线性无关性对Vamos拟阵的不可表示性给出了新的证明.     

异或视觉密码的理想存取结构研究

该文给出异或视觉密码的理想存取结构的定义,分析了其特征,研究了理想存取结构的共享份构造方法。在此基础上,提出将通用存取结构划分为若干个理想存取结构的算法,设计了通用存取结构的秘密分享与恢复流程。与现有的方案相比,该方案实现了秘密图像的完全恢复,且明显地减小了共享份的规模。     

具有传递性质的接入结构上的秘密分享方案的构造

引入了具有传递性质的接入结构的概念,并给出一种构造具有这类接入结构的秘密分享方案的通用方法,该方法简捷易行.对要分享的一个秘密,不管一个参与者属于多少个最小合格子集,他只需保存一个秘密份额.而且用于分享多个秘密时,不需要增加分享者额外的信息保存量.因而优于已有的其他许多方法.文中还给出了实例以说明如何具体地构造具有这类接入结构的秘密分享方案.     

Some improved bounds on the information rate of perfect secret sharing schemes

In this paper we study secret sharing schemes for access structures based on graphs. A secret sharing scheme enables a secret key to be shared among a set of participants by distributing partial information called shares. Suppose we desire that some specified pairs of participants be able to compute the key. This gives rise in a natural way to a graphG which contains these specified pairs as its edges. The secret sharing scheme is calledperfect if a pair of participants corresponding to a nonedge ofG can obtain no information regarding the key. Such a perfect secret sharing scheme can be constructed for any graph. In this paper we study the information rate of these schemes, which measures how much information is being distributed as shares compared with the size of the secret key. We give several constructions for secret sharing schemes that have a higher information rate than previously known schemes. We prove the general result that, for any graphG having maximum degreed, there is a perfect secret sharing scheme realizingG in which the information rate is at least 2/(d+3). This improves the best previous general bound by a factor of almost two. The work of E. F. Brickell was performed at the Sandia National Laboratories and was supported by the U.S. Department of Energy under Contract Number DE-AC04-76DP00789. The research of D. R. Stinson was supported by NSERC Operating Grant A9287 and by the Center for Communication and Information Science, University of Nebraska.     

Multipartite Secret Sharing by Bivariate Interpolation

Given a set of participants that is partitioned into distinct compartments, a multipartite access structure is an access structure that does not distinguish between participants belonging to the same compartment. We examine here three types of such access structures: two that were studied before, compartmented access structures and hierarchical threshold access structures, and a new type of compartmented access structures that we present herein. We design ideal perfect secret sharing schemes for these types of access structures that are based on bivariate interpolation. The secret sharing schemes for the two types of compartmented access structures are based on bivariate Lagrange interpolation with data on parallel lines. The secret sharing scheme for the hierarchical threshold access structures is based on bivariate Lagrange interpolation with data on lines in general position. The main novelty of this paper is the introduction of bivariate Lagrange interpolation and its potential power in designing schemes for multipartite settings, as different compartments may be associated with different lines or curves in the plane. In particular, we show that the introduction of a second dimension may create the same hierarchical effect as polynomial derivatives and Birkhoff interpolation were shown to do in Tassa (J. Cryptol. 20:237–264, 2007). A preliminary version of this paper appeared in The Proceedings of ICALP 2006.     

Hierarchical Threshold Secret Sharing

We consider the problem of threshold secret sharing in groups with hierarchical structure. In such settings, the secret is shared among a group of participants that is partitioned into levels. The access structure is then determined by a sequence of threshold requirements: a subset of participants is authorized if it has at least k₀ 0 members from the highest level, as well as at least k₁ > k₀ members from the two highest levels and so forth. Such problems may occur in settings where the participants differ in their authority or level of confidence and the presence of higher level participants is imperative to allow the recovery of the common secret. Even though secret sharing in hierarchical groups has been studied extensively in the past, none of the existing solutions addresses the simple setting where, say, a bank transfer should be signed by three employees, at least one of whom must be a department manager. We present a perfect secret sharing scheme for this problem that, unlike most secret sharing schemes that are suitable for hierarchical structures, is ideal. As in Shamir's scheme, the secret is represented as the free coefficient of some polynomial. The novelty of our scheme is the usage of polynomial derivatives in order to generate lesser shares for participants of lower levels. Consequently, our scheme uses Birkhoff interpolation, i.e., the construction of a polynomial according to an unstructured set of point and derivative values. A substantial part of our discussion is dedicated to the question of how to assign identities to the participants from the underlying finite field so that the resulting Birkhoff interpolation problem will be well posed. In addition, we devise an ideal and efficient secret sharing scheme for the closely related hierarchical threshold access structures that were studied by Simmons and Brickell.     

Secret sharing schemes from three classes of linear codes

Secret sharing has been a subject of study for over 20 years, and has had a number of real-world applications. There are several approaches to the construction of secret sharing schemes. One of them is based on coding theory. In principle, every linear code can be used to construct secret sharing schemes. But determining the access structure is very hard as this requires the complete characterization of the minimal codewords of the underlying linear code, which is a difficult problem in general. In this paper, a sufficient condition for all nonzero codewords of a linear code to be minimal is derived from exponential sums. Some linear codes whose covering structure can be determined are constructed, and then used to construct secret sharing schemes with nice access structures.     

基于多线性Diffie-Hellman问题的秘密共享方案

秘密共享方案的信息率是衡量秘密共享通信效率的重要指标,鉴于已有的秘密共享方案效率不高的问题,本文基于多线性对提出了信息率为m/（m+1）的可验证秘密共享方案.方案中,共享秘密为m维向量,其可验证性可利用多线性映射的多线性性质来实现;同时,在多线性Diffie-Hellman问题下,方案是可证明安全的.性能分析结果表明,与已有的相同安全级别下的秘密共享方案相比,该方案具有较高的通信效率,更适用于通信受限的数据容错的应用场景.     

Generalized Access Structure Congestion System

The k-out-of-n secret sharing schemes are effective, reliable, and secure methods to prevent a secret or secrets from being lost, stolen, or corrupted. The circular sequential k-out-of-n congestion (CSknC) system , based upon this type of secret sharing scheme, is presented for reconstructing secret(s) from any k servers among n servers in circular, sequential order. When a server is connected successfully, it will not be reconnected in later rounds until the CSknC system has k distinct, successfully connected servers. An optimal server arrangement in a CSknC system is determined in where n servers have known network connection probabilities for two states, i.e., congested, and successful. In this paper, we present: i) a generalized access structure congestion (GGammaC) system that is based upon the generalized secret sharing scheme, and ii) an efficient connection procedure for the GGammaC system in terms of the minimal number of server connection attempts. The k-out-of-n secret sharing schemes are considered as simple cases of the generalized secret sharing schemes. It implies that the GGammaC system is a more general system than the CSknC system. We established an iterative connection procedure for the new system. Simulation results are used to demonstrate that the iterative connection procedure is more efficient in terms of minimizing the number of connection attempts     

适用于任意接入结构的可验证多秘密分享方案

对一般接入结构上的可验证多秘密分享进行了研究，给出了可适用于任意接入结构的一类可验证多秘密分享方案的构造方法。用这种方法构造的可验证多秘密分享方案具有以下性质：可在一组分享者中同时分享多个秘密；分发者发送给每一分享者的秘密份额都是可公开验证的；关于每一秘密的公开信息也是可公开验证的；恢复秘密时可防止分享者提供假的份额。分析表明，用此方法构造的可验证多秘密分享方案不仅是安全的，而且是高效的。     

基于双线性的无可信中心可验证秘密共享方案

针对一般秘密共享方案或可验证秘密共享方案存在的缺点,结合椭圆曲线上双线性对性质扣运用双线性Diffie-Hellman问题,构造了一个基于双线性对的无可信中心可验证秘密共享方案。在该方案中,共享秘密S是素数阶加法群G。上的一个点,在秘密分发过程中所广播的承诺C,是与双线性有关的值。利用双线性对的双线性就可以实现共享秘密的可验证性,有效地防止参与者之间的欺诈行为,而不需要参与者之间执行复杂的交互式证明,因而该方案避免了为实现可验证性而需交互大量信息的通信量和计算量,通信效率高,同时该方案的安全性等价于双线性Diffie-Hellman假设的困难性。     

利用反转实现理想对比度的密图分存

可视秘密共享的一个主要不足是重构后图像的对比度损失严重.提出了利用反转实现理想对比度的密图分存方案.编码轮数为m/h(上取整) (m和h分别是白像素加密所用基阵全部列和全白列的数量),采取像素块编码方式,每步都将m个连续相同的像素进行一次性加密编码,不产生像素扩展.对方案的正确性和安全性进行了证明,并与类似方案进行了对比分析和实验.该方案编码效率较高,系统容量较小.     

基于四粒子纠缠态的量子秘密共享方案

基于2个不同的四粒子纠缠态分别提出了三方、四方量子秘密共享方案,其中采用的秘密信息是一个相同的未知两粒子纠缠态。在量子秘密共享方案中发送者对所拥有的粒子实施适当的Bell态（或GHZ态）测量,发送者和合作者通过经典通讯把测量结果告知信息接收者,接收者在其他合作者的协助下通过实施相应的量子操作完成对初始量子态信息的重构。对所提出的2个方案进行了讨论和比较,发现四方量子秘密共享方案的安全性更加可靠。     

基于极小线性码上的秘密共享方案

从理论上说,每个线性码都可用于构造秘密共享方案,但是在一般情况下,所构造的秘密共享方案的存取结构是难以确定的.本文提出了极小线性码的概念,指出基于这种码的对偶码所构造的秘密共享方案的存取结构是容易确定的.本文首先证明了极小线性码的缩短码一定是极小线性码.然后对几类不可约循环码给出它们为极小线性码的判定条件,并在理论上研究了基于几类不可约循环码的对偶码上的秘密共享方案的存取结构.最后用编程具体求出了一些实例中方案的存取结构.