
Secret sharing schemes based on graphical codes

Cryptography and Communications

Abstract

We study the access structure and multiplicativity of linear secret sharing schemes based on codes from complete graphs. First, we describe the access structure of the schemes based on cut-set and cycle codes. Second, we show that the class of access structures based on odd cycles cannot be realized by ideal multiplicative linear secret sharing schemes over any finite field. This can be seen as a contribution to the characterization of access structures of ideal multiplicative schemes. The access structure based on odd cycles corresponds to the scheme based on the dual of the extended cycle code. Finally, we show that an ideal multiplicative linear secret sharing scheme can be obtained from the dual of an augmented extended cycle code.




References

  1. Ashikhmin, A., Barg, A.: Minimal vectors in linear codes. IEEE Trans. Inform. Theory IT-44, 2010–2017 (1998)

  2. Beimel, A.: Secret sharing schemes: a survey. In: Coding and Cryptology, Third International Workshop, IWCC 2011. Lecture Notes in Computer Science, vol. 6639, pp. 11–46. Springer, New York (2011)

  3. Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution. Ph.D. dissertation, Technion-Israel Inst. Technol., Haifa, Israel (1996)

  4. Beimel, A., Chor, B.: Universally ideal secret-sharing schemes. IEEE Trans. Inform. Theory IT-40, 786–794 (1994)

  5. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Montvale, NJ (1979)

  6. Brickell, E., Davenport, D.: On the classification of ideal secret sharing schemes. J. Cryptol. 4, 123–134 (1991)

  7. Chen, H., Cramer, R.: Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. In: Proceedings of 26th Annual IACR CRYPTO. Lecture Notes in Computer Science, vol. 4117, pp. 521–536. Springer, New York (2006)

  8. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing scheme. In: Proceedings of 19th Annual IACR EUROCRYPT. Lecture Notes in Computer Science, vol. 1807, pp. 316–334. Springer, New York (2000)

  9. Cramer, R., Daza, V., Gracia, I., Urroz, J., Leander, G., Martí-Farré, J., Padró, C.: On codes, matroids, and secure multi-party computation from linear secret-sharing schemes. IEEE Trans. Inform. Theory IT-54, 2644–2657 (2008)

  10. Ding, C., Yuan, J.: Covering and secret sharing with linear codes. In: Discrete Mathematics and Theoretical Computer Science. Lecture Notes in Computer Science, vol. 2731, pp. 11–25. Springer, New York (2003)

  11. Gerards, A., Schrijver, A.: Signed graphs – regular matroids – grafts. Research Memorandum, Faculteit der Economische Wetenschappen, Tilburg University (1986)

  12. Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proc. 19th Annual ACM Symposium on Theory of Computing, STOC '87, pp. 218–229. ACM, New York (1987)

  13. Hakimi, S., Bredeson, J.: Graph-theoretic error-correcting codes. IEEE Trans. Inform. Theory IT-14, 584–591 (1968)

  14. Jungnickel, D., Vanstone, S.: Graphical codes revisited. IEEE Trans. Inform. Theory IT-43, 136–146 (1997)

  15. Karchmer, M., Wigderson, A.: On span programs. In: Proc. 8th IEEE Structure in Complexity Theory, pp. 102–111. IEEE Computer Society Press, Los Alamitos, CA (1993)

  16. Kasper, E., Nikova, S., Nikov, V.: Strongly multiplicative hierarchical threshold secret sharing. In: Proc. 2nd Int. Conf. on Information Theoretic Security. Lecture Notes in Computer Science, vol. 4883, pp. 148–168. Springer, New York (2007)

  17. Liu, M., Xiao, L., Zhang, Z.: Multiplicative linear secret sharing schemes based on connectivity of graphs. IEEE Trans. Inform. Theory IT-53, 3973–3978 (2007)

  18. Massey, J.L.: Minimal codewords and secret sharing. In: Proc. 6th Joint Swedish-Russian Workshop Inf. Theory, pp. 276–279. Mölle, Sweden (1993)

  19. Nikova, S., Nikov, V.: On multiplicative secret sharing schemes realizing graph access structures. In: International Workshop on Optimal Codes and Related Topics, pp. 194–199. Balchik, Bulgaria (2007)

  20. Oxley, J.: Matroid Theory. Oxford Science Publications, Oxford University Press, New York (1992)

  21. Padró, C., Gracia, I.: Representing small identically self-dual matroids by self-dual codes. SIAM J. Discrete Math. 20, 1046–1055 (2006)

  22. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

  23. Stinson, D.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2, 357–390 (1992)

  24. Stinson, D.: Cryptography: Theory and Practice, 3rd edn. CRC Press, Boca Raton, FL (2005)

  25. West, D.: Introduction to Graph Theory, 2nd edn. Prentice Hall, New York (2001)

  26. Yao, A.: Protocols for secure computation. In: Proc. 23rd IEEE Symp. Foundations of Computer Science, FOCS '82, pp. 160–164. Chicago, IL (1982)


Acknowledgements

The work of Y. Gao is supported in part by the National Natural Science Foundation of China by Grant 11101019 and the Fundamental Research Funds for the Central Universities in China (No. YWF-10-02-072). Part of the work was done while she was visiting Nanyang Technological University. The work of R. dela Cruz is supported in part by the NTU PhD Research Scholarship and the Merlion PhD Grant of the French Embassy in Singapore. He would like to thank Telecom-ParisTech for its hospitality. The authors would like to thank Carles Padró and Huaxiong Wang for some helpful discussions, and the anonymous reviewers for their valuable comments and suggestions.

Author information

Correspondence to Ying Gao.

Appendix A: Some definitions and basic results on SSS

We present in this appendix the relation between secret sharing schemes, monotone span programs, matroids and linear codes.

A.1 Linear secret sharing schemes and monotone span programs

We describe the relation between LSSS and monotone span programs (MSP).

Definition 7

[15] A Monotone Span Program (MSP) \(\mathcal{M}\) is a quadruple \((\mathbb{F}_q, M, \boldsymbol{\varepsilon}, \psi)\), where M is a matrix over \(\mathbb{F}_q\) with l rows and e ≤ l columns, ψ: {1, ..., l} → {1, ..., n} is a surjective (labelling) function onto the set of players \(\mathcal{P} = \{P_1, \ldots, P_n\}\), and \(\boldsymbol{\varepsilon} = (1, 0, \ldots, 0)\in \mathbb{F}_q^e\) is called the target vector. The size of \(\mathcal{M}\) is defined as size\((\mathcal{M})=l\).

We can think of ψ as a function assigning one or more rows of M to each player in \(\mathcal{P}\). Given the matrix M of an MSP and a subset A of players, we denote by \(M_A\) the matrix M restricted to those rows i such that ψ(i) ∈ A. Similarly, if w is an l-vector (indexed by the rows of M) then we write \(w_A\) for the restriction of w to the coordinates i such that ψ(i) ∈ A. In general, any nonzero vector can serve as the target vector of an MSP.

LSSS and MSP are equivalent [3, 15]. From an MSP \(\mathcal{M}(\mathbb{F}_q, M, \boldsymbol{\varepsilon}, \psi)\), we can obtain a linear secret sharing scheme. To share a secret \(s\in \mathbb{F}_q\), the dealer first chooses at random a vector \(\boldsymbol{\rho}\in \mathbb{F}_q^{e-1}\) and then computes \(M(s, \boldsymbol{\rho})^T\). The ith coordinate of \(M(s, \boldsymbol{\rho})^T\) is given to player \(P_{\psi(i)}\). A group of players can reconstruct the secret if and only if the target vector \(\boldsymbol{\varepsilon}\) is in the linear span of the rows assigned to the members of the group. An MSP is said to compute an access structure Γ when \(\boldsymbol{\varepsilon} \in \mbox{span}(M_A)\) if and only if A is a member of Γ. We say that A is accepted by \(\mathcal{M}\) if and only if A ∈ Γ; otherwise we say that A is rejected by \(\mathcal{M}\). Hence, when a set A is accepted by \(\mathcal{M}\), there exists a so-called recombination vector \(\boldsymbol{\lambda}\) such that \(\boldsymbol{\lambda} M_A=\boldsymbol{\varepsilon}\). Using the recombination vector \(\boldsymbol{\lambda}\), the following relation holds: \(\langle\boldsymbol{\lambda}, (s, \boldsymbol{\rho})M_A^T\rangle = \langle\boldsymbol{\lambda} M_A, (s, \boldsymbol{\rho})\rangle = \langle\boldsymbol{\varepsilon}, (s, \boldsymbol{\rho})\rangle = s\) for any secret s and vector \(\boldsymbol{\rho}\). In other words, the players in A recover s as the \(\boldsymbol{\lambda}\)-weighted sum of their shares, and no knowledge of \(\boldsymbol{\rho}\) is needed.

A.2 Secret sharing schemes and matroids

We discuss here the connection between access structures and matroids. The material here on matroid theory is taken from [20]. There are many different but equivalent definitions for the concept of a matroid. Here we use the definition in terms of rank functions.

Let Q = {0, 1, ⋯, n} be a finite set and let \(2^Q\) denote the power set of Q. A matroid \(\mathcal{F}\) is a pair (Q, r) where \(r: 2^Q\rightarrow \mathbb{Z}\) is a rank function satisfying the following three properties:

  1. 0 ≤ r(X) ≤ |X| for every \(X\subseteq Q\);

  2. r is monotone increasing: if \(X\subseteq Y\subseteq Q\), then r(X) ≤ r(Y), and

  3. r is submodular: r(X ∪ Y) + r(X ∩ Y) ≤ r(X) + r(Y) for every pair of subsets X, Y of Q.

The subsets \(X\subseteq Q\) with r(X) = |X| are said to be independent. The bases of the matroid are the maximal independent sets. All bases have the same number of elements, which is defined to be the rank of \(\mathcal{F}\). The dependent sets are those that are not independent, and a circuit is a minimal dependent set. A matroid \(\mathcal{F}\) is said to be connected if, for every two points in Q (which is called the ground set), there exists a circuit containing them.

The next definition relates access structures and matroids (cf. [4]).

Definition 8

Let Γ be an access structure on n players {1, ⋯, n}, let \(\Gamma^-\) denote its family of minimal qualified sets, and let \(\mathcal{F}=(Q, r)\) be a connected matroid. We say that the matroid \(\mathcal{F}\) is appropriate for the access structure Γ if Q = {0, 1, ⋯, n} and

$$ \Gamma^-=\{C\setminus \{0\}\;|\; 0\in C\mbox{ and }C\mbox{ is a circuit of }\mathcal{F}\}. $$

An access structure is said to be connected if every player belongs to at least one minimal qualified set. We can assume that the access structures considered in this paper are connected. For a connected access structure, if there is a matroid appropriate for it, then the matroid is connected. Moreover, if a connected matroid is appropriate for an access structure, then that matroid is unique [4]. For an ideal access structure, we have the following lemma from [6].

Lemma 2

If an access structure is ideal, then it has an appropriate matroid.

A matroid \(\mathcal{F}=(Q, r)\) is said to be \(\mathbb{F}_q\)-representable if there exists a matrix G over \(\mathbb{F}_q\) with n + 1 columns (labelled 0, 1, ..., n) such that for every \(X\subseteq Q\), r(X) equals the rank of the submatrix formed by the columns of G indexed by X. A binary matroid is one that is representable over \(\mathbb{F}_2\). A rank-k matroid \(\mathcal{F}\) on an (n + 1)-element set is called uniquely \(\mathbb{F}_q\)-representable if all of the k × (n + 1) matrices representing \(\mathcal{F}\) over \(\mathbb{F}_q\) are equivalent. We will need the following well-known results on binary matroids (cf. [20]).

Lemma 3

A binary matroid is uniquely \(\mathbb{F}_2\) -representable.

Lemma 4

If a binary matroid is representable over a field \(\mathbb{F}_q\) , then it is uniquely \(\mathbb{F}_q\) -representable.

Suppose we have an ideal access structure whose appropriate matroid is representable. The next two lemmas describe the relation between a matrix representation of the matroid and an MSP computing the access structure.

Lemma 5

Assume Γ is an ideal access structure for n players and \(\mathcal{F}\) is the \(\mathbb{F}_q\)-representable matroid appropriate for Γ. Let \(G=({\boldsymbol g}_0\;{\boldsymbol g}_1\;\cdots\;{\boldsymbol g}_n)\) be a representation of \(\mathcal{F}\) over \(\mathbb{F}_q\), where \({\boldsymbol g}_i\) is the ith column of G. Let \(M=({\boldsymbol g}_1\;\cdots\;{\boldsymbol g}_n)^T\), \(\boldsymbol{\varepsilon}={\boldsymbol g}_0^T\), and let ψ be the one-to-one map ψ(i) = i. Then the MSP \(\mathcal{M}(\mathbb{F}_q, M, \boldsymbol{\varepsilon}, \psi)\) computes Γ.

Lemma 6

Assume Γ is an ideal access structure for n players and \(\mathcal{F}\) is the \(\mathbb{F}_q\) -representable matroid appropriate for Γ. Let \(\mathcal{M}(\mathbb{F}_q, M, \boldsymbol{\varepsilon}, \psi)\) be an ideal MSP computing Γ . Then the matrix \(G=(\boldsymbol{\varepsilon}^T\;M^T)\) is a representation of \(\mathcal{F}\) over \(\mathbb{F}_q\).
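The sharing and reconstruction steps of A.1 (shares as coordinates of \(M(s,\boldsymbol{\rho})^T\), reconstruction by a recombination vector \(\boldsymbol{\lambda}\) with \(\boldsymbol{\lambda}M_A = \boldsymbol{\varepsilon}\)) and the circuit description of \(\Gamma^-\) in Definition 8 and Lemma 6, worked through in code. This is an added example and not code from the paper. The prime field \(\mathbb{F}_7\), the two MSPs (a non-ideal one for the path access structure \(\Gamma^- = \{\{1,2\},\{2,3\},\{3,4\}\}\) in which players 2 and 3 own two rows each, and an ideal 2-out-of-3 one with Shamir-style rows), and the convention that share i is held by player ψ(i) are our own choices; the recombination vector is found by Gaussian elimination over \(\mathbb{F}_p\), and the matroid circuits by brute force over column subsets, which is fine at this size.

```python
"""LSSS from a monotone span program (A.1) and the appropriate matroid read
off G = (eps^T M^T) (A.2, Definition 8 and Lemma 6).  Added example, not code
from the paper: the field F_7, the two MSPs and the share layout are ours.
"""
from itertools import combinations
import random

P = 7  # prime, so pow(x, -1, P) is the inverse in F_P (Python >= 3.8)


def row_reduce(mat, p=P):
    """Reduced row echelon form over F_p; returns (rref, pivot columns)."""
    a = [[x % p for x in row] for row in mat]
    pivots, r = [], 0
    for col in range(len(a[0]) if a else 0):
        piv = next((i for i in range(r, len(a)) if a[i][col]), None)
        if piv is None:
            continue
        a[r], a[piv] = a[piv], a[r]
        inv = pow(a[r][col], -1, p)
        a[r] = [x * inv % p for x in a[r]]
        for i in range(len(a)):
            if i != r and a[i][col]:
                f = a[i][col]
                a[i] = [(x - f * y) % p for x, y in zip(a[i], a[r])]
        pivots.append(col)
        r += 1
    return a, pivots


def rank(vectors, p=P):
    return len(row_reduce(vectors, p)[1]) if vectors else 0


def recombination(rows, target, p=P):
    """lam with lam * rows == target over F_p, or None when target is not in
    the row span; solved as the transposed system rows^T lam = target."""
    m = len(rows)
    aug = [[rows[i][j] for i in range(m)] + [target[j]] for j in range(len(target))]
    red, pivots = row_reduce(aug, p)
    if m in pivots:          # pivot in the augmented column: inconsistent
        return None
    lam = [0] * m            # free unknowns set to 0
    for i, col in enumerate(pivots):
        lam[col] = red[i][m]
    return lam


class MSP:
    """M has l rows and e columns; psi[i] is the player who owns row i."""

    def __init__(self, M, psi, p=P):
        self.M, self.psi, self.p = M, psi, p
        self.eps = [1] + [0] * (len(M[0]) - 1)   # target vector (1, 0, ..., 0)

    def rows_of(self, A):
        return [i for i in range(len(self.M)) if self.psi[i] in A]

    def share(self, s, rng):
        """Dealer: v = (s, rho), rho random; share i = <M_i, v> goes to psi[i]."""
        v = [s % self.p] + [rng.randrange(self.p) for _ in self.eps[1:]]
        return [sum(a * b for a, b in zip(row, v)) % self.p for row in self.M]

    def recombination(self, A):
        """Vector lam with lam M_A = eps, or None if A is rejected."""
        return recombination([self.M[i] for i in self.rows_of(A)], self.eps, self.p)

    def reconstruct(self, shares, A):
        lam = self.recombination(A)
        if lam is None:
            raise ValueError("set %s is rejected by the MSP" % sorted(A))
        return sum(l * shares[i] for l, i in zip(lam, self.rows_of(A))) % self.p

    def minimal_qualified(self):
        """Gamma^-: the minimal sets A with eps in span(M_A)."""
        players = sorted(set(self.psi))
        acc = [A for r in range(1, len(players) + 1) for A in combinations(players, r)
               if self.recombination(A) is not None]
        return {A for A in acc if not any(set(B) < set(A) for B in acc)}


def representation(msp):
    """Lemma 6 (ideal MSP, psi(i) = i): columns g_0 = eps, g_i = row i of M."""
    assert len(msp.M) == len(set(msp.psi)), "one row per player required"
    return [msp.eps] + list(msp.M)


def circuits_through_0(cols, p=P):
    """Circuits (minimal dependent column sets) of the matroid represented by
    cols that contain 0, with 0 removed: this is Gamma^- by Definition 8."""
    dep = [X for r in range(1, len(cols) + 1) for X in combinations(range(len(cols)), r)
           if rank([cols[i] for i in X], p) < len(X)]
    circuits = [X for X in dep if not any(set(Y) < set(X) for Y in dep)]
    return {tuple(i for i in C if i) for C in circuits if 0 in C}


def roundtrip(msp, s, seed, A):
    return msp.reconstruct(msp.share(s, random.Random(seed)), A)


# Path access structure 1-2-3-4 over v = (s, r1, r2, r3): players 2 and 3 own
# two rows each, so the scheme is not ideal and psi is not injective.
PATH_MSP = MSP([[1, 1, 0, 0], [0, 1, 0, 0], [1, 0, 1, 0],
                [0, 0, 1, 0], [1, 0, 0, 1], [0, 0, 0, 1]], psi=[1, 2, 2, 3, 3, 4])
# Ideal 2-out-of-3 MSP with Shamir rows (1, i); its appropriate matroid is U_{2,4}.
SHAMIR_MSP = MSP([[1, 1], [1, 2], [1, 3]], psi=[1, 2, 3])
```

`PATH_MSP.minimal_qualified()` returns {(1, 2), (2, 3), (3, 4)} and `PATH_MSP.recombination((1, 3))` is None, so players 1 and 3 together hold \(s+r_1\), \(r_2\), \(s+r_3\) and learn nothing about s. For the ideal MSP, `circuits_through_0(representation(SHAMIR_MSP))` and `SHAMIR_MSP.minimal_qualified()` both give {(1, 2), (1, 3), (2, 3)}, which is Definition 8 checked against the MSP directly.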

A.3 Linear secret sharing schemes and linear codes

Given a vector \({\boldsymbol c}=(c_1,\ldots,c_n)\) in \(\mathbb{F}_q^n\), its Hamming weight, \(wt({\boldsymbol c})\), is the number of its non-zero coordinates. The support of a vector \({\boldsymbol c}\in\mathbb{F}^n_q\) is \(\operatorname{supp}({\boldsymbol c})=\{i : c_i\neq 0, 1\leq i\leq n\}\). An [n,k,d] linear code \(\mathcal{C}\) over \(\mathbb{F}_q\) is a linear subspace of \(\mathbb{F}_q^n\) of dimension k whose nonzero vectors have minimum Hamming weight d. A generator matrix G for a code \(\mathcal{C}\) is a matrix whose rows form a basis for \(\mathcal{C}\). For any linear code \(\mathcal{C}\), we denote by \(\mathcal{C}^{\perp}\) its dual under the usual inner product.

Definition 9

[1, 10, 18] For any two vectors \({\boldsymbol c}_1, {\boldsymbol c}_2\in\mathbb{F}^n_q\), we say that \({\boldsymbol c}_2\) covers \({\boldsymbol c}_1\) if \(\operatorname{supp}({\boldsymbol c}_1)\subseteq \operatorname{supp}({\boldsymbol c}_2)\). A nonzero codeword of a linear code \(\mathcal{C}\) is called a minimal codeword if it covers only its scalar multiples and no other nonzero codewords.

Let \(\mathcal{C}\) be an [n + 1,k] linear code over \(\mathbb{F}_q\). Massey [18] presented the following construction of an ideal LSSS over \(\mathbb{F}_q\):

  1. Let \(s\in\mathbb{F}_q\) be a secret and let G be a generator matrix of \(\mathcal{C}\). Denote the ith column of G by \(\boldsymbol{g}_i\), i = 0, ..., n.

  2. The dealer D randomly selects a vector \(\boldsymbol{u}\in\mathbb{F}_q^k\) such that \(\boldsymbol{u}\cdot\boldsymbol{g}_0=s\).

  3. The dealer computes the corresponding codeword \(\boldsymbol{c}=(c_0, c_1, \ldots, c_n)=\boldsymbol{u}G\) (note that \(c_0 = s\)). The share of \(P_i\) is \(c_i\), for i = 1, ..., n.

The secret s can be determined from the shares \(\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}\), where \(1 \leq i_1 < \cdots < i_r \leq n\), if and only if \({\boldsymbol g}_0\) is a linear combination of \({\boldsymbol g}_{i_1}, \ldots, {\boldsymbol g}_{i_r}\).

In [18], it was shown that there is a relationship between the minimal authorized sets of the secret sharing scheme based on \(\mathcal{C}\) and the minimal codewords of the dual code \(\mathcal{C}^{\perp}\).

Lemma 7

[18] Let \(\mathcal{C}\) be an [n + 1,k] linear code over \(\mathbb{F}_q\). In the secret sharing scheme based on \(\mathcal{C}\), the set \(\{P_{i_1}, \ldots, P_{i_r}\}\subseteq \mathcal{P}\) with \(i_1 < \cdots < i_r\) is a minimal authorized set if and only if there exists a minimal codeword \({\boldsymbol w}=(w_0,w_1,\ldots,w_n)\in\mathcal{C}^{\perp}\) such that \(\operatorname{supp}({\boldsymbol w})=\{0, i_1, \ldots, i_r\}\) and \(w_0 = 1\).

Given an [n + 1,k] linear code \(\mathcal{C}\) over \(\mathbb{F}_q\), there is a unique matroid \(\mathcal{F}\) on the set Q = {0,1,...,n} associated with it. Any generator matrix of \(\mathcal{C}\) is a representation over \(\mathbb{F}_q\) of the matroid \(\mathcal{F}\). If Γ is the access structure realized by the secret sharing scheme based on \(\mathcal{C}\) then \(\mathcal{F}\) is the appropriate matroid for Γ. We note that a representable matroid can be associated with different codes.
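Massey's construction and Lemma 7 applied to a graphical code, as an added example that is not code from the paper. It takes the cut-set code of \(K_4\) as \(\mathcal{C}\), under the usual convention of [13] that the cut-set code of a graph is the \(\mathbb{F}_2\) row space of its vertex–edge incidence matrix, so that \(\mathcal{C}^\perp\) is the cycle code and its minimal codewords are the incidence vectors of the cycles. The graph, the choice of edge ab as the dealer's coordinate 0 (the other five edges are the players), and the brute-force enumeration of codewords (64 candidate words for a [6,3] code) are our assumptions. Reconstruction uses a dual codeword instead of a recombination vector: if \({\boldsymbol w}\in\mathcal{C}^\perp\) has \(w_0 = 1\) and \(\operatorname{supp}({\boldsymbol w})\subseteq\{0\}\cup A\), then \(\langle{\boldsymbol w},{\boldsymbol c}\rangle = 0\) gives \(s = c_0 = -\sum_{i\in A} w_i c_i\), and such a \({\boldsymbol w}\) exists exactly when \({\boldsymbol g}_0 + \sum_{i\in A} w_i{\boldsymbol g}_i = 0\), i.e. when A is qualified.

```python
"""Massey's construction (A.3) on the cut-set code of K_4, with
reconstruction read off a minimal codeword of the dual (Lemma 7).

Added example, not code from the paper.  It assumes the graphical-code
conventions of Hakimi-Bredeson [13]: the cut-set code of a graph is the F_2
row space of its vertex-edge incidence matrix and the cycle code is its dual.
Coordinate 0 (edge ab) is the dealer's; edges 1..5 are the players P_1..P_5.
"""
from itertools import product
import random

Q = 2
# Constructed input: K_4 on vertices a, b, c, d; column j of G is EDGES[j].
EDGES = [("a", "b"), ("a", "c"), ("a", "d"), ("b", "c"), ("b", "d"), ("c", "d")]


def incidence_matrix(edges):
    """Generator matrix G of the cut-set code: one row per vertex."""
    verts = sorted({v for e in edges for v in e})
    return [[1 if v in e else 0 for e in edges] for v in verts]


def encode(u, gen, q=Q):
    """The codeword uG."""
    return [sum(ui * row[j] for ui, row in zip(u, gen)) % q for j in range(len(gen[0]))]


def codewords(gen, q=Q):
    return {tuple(encode(u, gen, q)) for u in product(range(q), repeat=len(gen))}


def share(s, gen, rng, q=Q):
    """Dealer: pick u with u.g_0 = s by rejection sampling; c = uG has c_0 = s."""
    while True:
        c = encode([rng.randrange(q) for _ in gen], gen, q)
        if c[0] == s:
            return c


def supp(w):
    return {i for i, x in enumerate(w) if x}


def dual_code(gen, q=Q):
    """C^perp by brute force: every word orthogonal to all rows of G."""
    return [w for w in product(range(q), repeat=len(gen[0]))
            if all(sum(a * b for a, b in zip(w, row)) % q == 0 for row in gen)]


def minimal_codewords(words, q=Q):
    """Definition 9: nonzero words that cover only their own scalar multiples."""
    nonzero = [w for w in words if any(w)]
    out = []
    for w in nonzero:
        multiples = {tuple(a * x % q for x in w) for a in range(1, q)}
        if all(v in multiples or not supp(v) <= supp(w) for v in nonzero):
            out.append(w)
    return out


def minimal_qualified(gen, q=Q):
    """Lemma 7: Gamma^- = { supp(w) minus {0} : w minimal in C^perp, w_0 = 1 }."""
    return {tuple(sorted(supp(w) - {0}))
            for w in minimal_codewords(dual_code(gen, q), q) if w[0] == 1}


def is_qualified(gen, A, q=Q):
    """g_0 in span(g_A) iff no codeword vanishes on A without vanishing at 0
    (the orthogonal-complement form of the reconstruction condition)."""
    return not any(c[0] and all(c[i] == 0 for i in A) for c in codewords(gen, q))


def reconstruct(c, gen, A, q=Q):
    """Any w in C^perp with w_0 = 1 and supp(w) within {0} u A gives
    s = c_0 = -sum_{i in A} w_i c_i, because <w, c> = 0."""
    for w in dual_code(gen, q):
        if w[0] == 1 and supp(w) <= {0} | set(A):
            return (-sum(w[i] * c[i] for i in A)) % q
    raise ValueError("unqualified set %r" % (sorted(A),))


def roundtrip(s, seed, A=(1, 3)):
    gen = incidence_matrix(EDGES)
    return reconstruct(share(s, gen, random.Random(seed)), gen, A)
```

`minimal_qualified(incidence_matrix(EDGES))` returns {(1, 3), (2, 4), (1, 4, 5), (2, 3, 5)}: each set is a cycle of \(K_4\) through ab with ab removed, that is, an a–b path in \(K_4\) minus ab. The set (1, 4) (edges ac and bd) is not on an a–b path, `is_qualified` rejects it, and `reconstruct` finds no dual word for it.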


About this article

Cite this article

Gao, Y., dela Cruz, R. Secret sharing schemes based on graphical codes. Cryptogr. Commun. 6, 137–155 (2014). https://doi.org/10.1007/s12095-013-0092-z

