Secret Sharing Schemes with General Access Structures

Abstract

Secret sharing schemes with general monotone access structures have been widely discussed in the literature. But in some scenarios, non-monotone access structures may have more practical significance. In this paper, we shed a new light on secret sharing schemes realizing general (not necessarily monotone) access structures. Based on an attack model for secret sharing schemes with general access structures, we redefine perfect secret sharing schemes, which is a generalization of the known concept of perfect secret sharing schemes with monotone access structures. Then, we provide for the first time two constructions of perfect secret sharing schemes with general access structures. The first construction can be seen as a democratic scheme in the sense that the shares are generated by the players themselves. Our second construction significantly enhances the efficiency of the system, where the shares are distributed by the trusted center (TC).

This work is supported by the National Key Basic Research Program of China under Grant 2013CB834204. Due to the limited pages, a full version of this paper is available in [24].

Appendix: An Example of Secret Sharing Scheme II

We illustrate Secret Sharing Scheme II by the following example, where the q-ary function F is constructed by Construction III in Table 5.

Example 1

Let \(\mathcal {P}=\{\mathrm {P}_1,\mathrm {P}_2,\mathrm {P}_3,\mathrm {P}_4\}\) and \(\varGamma =\{A_1=\{\mathrm {P}_1,\mathrm {P}_2,\mathrm {P}_3\},A_2=\{\mathrm {P}_1,\mathrm {P}_2,\) \(\mathrm {P}_4\},A_3=\{\mathrm {P}_3,\mathrm {P}_4\}, A_4=\{\mathrm {P}_1,\mathrm {P}_2,\mathrm {P}_3,\mathrm {P}_4\}\}\). The set of secret keys is \(\mathcal {\mathbf {K}}=\mathbb {F}_8^*=\{1,\alpha ,\alpha ^2,\ldots ,\alpha ^6\}\), where \(\alpha \) is a primitive element of \(\mathbb {F}_8\). Suppose that TC wants to share \(k=\alpha ^5\) as the secret key. Following Construction III, TC defines \(\phi : \mathbb {F}_8^*\rightarrow \mathbb {F}_{7}\) as \(\phi (\gamma )=\log _{\alpha }\gamma \), which means that if \(\gamma =\alpha ^a\in \mathbb {F}_8^*\) for some integer a, then \(\log _{\alpha }\gamma =a\). For the access structure \(\varGamma \), TC chooses

$$\begin{aligned} \left\{ \begin{array}{rcl} G_{A_1}(z_1, z_2, z_3)&{}=&{}2z_1+3z_2+z_3,\\ G_{A_2}(z_1,z_2,z_4)&{}=&{}z_1+2z_2+3z_4,\\ G_{A_3}(z_3,z_4)&{}=&{}2z_3+4z_4, \\ G_{A_4}(z_1,z_2,z_3,z_4)&{}=&{}z_1+z_2+z_3+z_4+1 \end{array}\right. \end{aligned}$$

(23)

as the 7-ary linear resilient functions (see [9] for more details). After that, TC computes and secretly transmits the shares

$$\begin{aligned} s(\mathrm {P}_1)&=\{s_1^{(A_1)}=\alpha ,s_1^{(A_2)}=\alpha ^2,s_1^{(A_4)}=\alpha \},\\ s(\mathrm {P}_2)&=\{s_2^{(A_1)}=\alpha ^2,s_2^{(A_2)}=\alpha ^3,s_2^{(A_4)}=\alpha \},\\ s(\mathrm {P}_3)&=\{s_3^{(A_1)}=\alpha ^4,s_3^{(A_3)}=\alpha ,s_3^{(A_4)}=\alpha \},\\ s(\mathrm {P}_4)&=\{s_4^{(A_2)}=\alpha ^6,s_4^{(A_3)}=\alpha ^6,s_1^{(A_4)}=\alpha \}, \end{aligned}$$

to \(\mathrm {P}_1\), \(\mathrm {P}_2\), \(\mathrm {P}_3\), \(\mathrm {P}_4\) respectively. From (23), the 8-ary function F is defined as

$$\begin{aligned} F|_{A_1}(x)&=\phi ^{-1}\circ G_{A_1}\circ \phi (\tilde{x})=x_1^2x_2^3x_3,\\ F|_{A_2}(x)&=\phi ^{-1}\circ G_{A_2}\circ \phi (\tilde{x})=x_1x_2^2x_4^3,\\ F|_{A_3}(x)&=\phi ^{-1}\circ G_{A_3}\circ \phi (\tilde{x})=x_3^2x_4^4,\\ F|_{A_4}(x)&=\phi ^{-1}\circ G_{A_4}\circ \phi (\tilde{x})=\alpha x_1x_2x_3x_4, \end{aligned}$$

where \(x\in \mathbb {F}_8^4\), \(\tilde{x}\) denotes the vector obtained by deleting all the zero coordinates of x, and for every forbidden group \(A\in \varDelta = 2^{\mathcal {P}}\setminus \varGamma \), \(F|_A=0\). Finally, TC publishes \(F(x)=(1-x_4^7)x_1^2x_2^3x_3+(1-x_3^7)x_1x_2^2x_4^3+(1-x_1^7)(1-x_2^7)x_3^2x_4^4+\alpha x_1x_2x_3x_4=x_3^2x_4^4\,+\,x_1^2x_2^3x_3\,+\,x_1x_2^2x_4^3\,-\,x_1^7x_3^2x_4^4\,-\,x_2^7x_3^2x_4^4\,+\,\alpha x_1x_2x_3x_4\,-\,x_1^2x_2^3x_3x_4^7\,-\,x_1x_2^2x_3^7x_4^3\,+\,x_1^7x_2^7x_3^2x_4^4.\)

Due to Theorem 4, this secret sharing scheme is perfect. In fact, assume that the players in the forbidden group \(B=\{\mathrm {P}_1,\mathrm {P}_3,\mathrm {P}_4\}\in \varDelta \) are collaborating to reconstruct the secret key. Their recovery algorithm defined in (15) is \(f_B(x_1,x_3,x_4)=(1-x_1^7)x_3^2x_4^4\), which equals 0 for any \((x_1,x_3,x_4)\in (\mathbb {F}_8^*)^3\). Suppose that they try to use the recovery algorithms

$$\begin{aligned} f_{A_1}(x_1,x_2,x_3)=&\,F(x_1,x_2,x_3,0)=x_1^2x_2^3x_3,\\ f_{A_2}(x_1,x_2,x_4)=&\,F(x_1,x_2,0,x_4)=x_1x_2^2x_4^3,\\ f_{A_4}(x_1,x_2,x_3,x_4)=&\,F(x_1,x_2,x_3,x_4)=x_3^2x_4^4+x_1^2x_2^3x_3+x_1x_2^2x_4^3-x_1^7x_3^2x_4^4\\ {}&-x_2^7x_3^2x_4^4+\alpha x_1x_2x_3x_4-x_1^2x_2^3x_3x_4^7 -x_1x_2^2x_3^7x_4^3+ x_1^7x_2^7x_3^2x_4^4, \end{aligned}$$

which are functions defined on \((\mathbb {F}_8^*)^3\), \((\mathbb {F}_8^*)^3\), and \((\mathbb {F}_8^*)^4\) respectively. For the players \(\mathrm {P}_1\), \(\mathrm {P}_3\), and \(\mathrm {P}_4\), the values of \(s_2^{(A_1)}\), \(s_2^{(A_2)}\), and \(s_2^{(A_4)}\) are unknown random values, thus according to (21), the secret key can be guessed correctly with probability \(1/|\mathcal {\mathbf {K}}|\), i.e., the players in B can learn nothing about the secret key. Similar discussion holds for other forbidden groups.

Moreover, it is clear that the information rate of this scheme is

$$\begin{aligned} \rho =\min \bigg \{\frac{\log _2 |\mathcal {\mathbf {K}}|}{\log _2 |\mathcal {\mathbf {S}}(\mathrm {P}_i)|}~\bigg |~1\leqslant i\leqslant 4\bigg \}=\frac{1}{3}. \end{aligned}$$