Secret Sharing Using Near-MDS Codes

  • Conference paper
Codes, Cryptology and Information Security (C2SI 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11445)

Abstract

We propose a generalized secret sharing scheme based on NMDS codes. The proposed scheme is efficient and the computational complexity for the setup and reconstruction phases is only \(O(n^3)\), where n is the number of participants. The scheme admits an access structure based on two mutually exclusive sets of participant combinations of sizes t and \(t-1\) respectively. The parameter t for the access structure is independent of the field size. The proposed scheme is ideal and perfect and has desirable security features of cheating detection and cheater identification. We also provide a cryptanalysis of the \((t+1, n)\) threshold secret sharing scheme based on NMDS codes proposed in [12]. We show that their scheme is insecure and that there always exists a set of m participants, where \(m <t+1\), which can reconstruct the secret.

References

  1. Benaloh, J., Leichter, J.: Generalized secret sharing and monotone functions. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 27–35. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_3

  2. Blakley, G.R.: Safeguarding cryptographic keys. In: AFIPS, pp. 313–317 (1979)

  3. Dodunekov, S., Landgev, I.: On Near-MDS codes. J. Geom. 54(1), 30–43 (1995)

  4. Dodunekov, S.M., Landjev, I.N.: Near-MDS codes over some small fields. Discrete Math. 213(1–3), 55–65 (2000)

  5. Harn, L., Lin, C.: Detection and identification of cheaters in \((t, n)\) secret sharing scheme. Des. Codes Crypt. 52(1), 15–24 (2009)

  6. Huffman, W.C., Pless, V.: Fundamentals of Error-Correcting Codes. Cambridge University Press, New York (2010)

  7. Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. Electron. Commun. Jpn. (Part III: Fundam. Electron. Sci.) 72(9), 56–64 (1989)

  8. Karchmer, M., Wigderson, A.: On span programs. In: Structure in Complexity Theory Conference, pp. 102–111. IEEE Computer Society (1993)

  9. Li, C., Wang, Q.: Design of lightweight linear diffusion layers from Near-MDS matrices. IACR Trans. Symmetric Cryptol. 2017(1), 129–155 (2017)

  10. Pieprzyk, J., Zhang, X.-M.: Ideal threshold schemes from MDS codes. In: Lee, P.J., Lim, C.H. (eds.) ICISC 2002. LNCS, vol. 2587, pp. 253–263. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36552-4_18

  11. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  12. Zhou, Y., Wang, F., Xin, Y., Luo, S., Qing, S., Yang, Y.: A secret sharing scheme based on Near-MDS codes. In: NIDC, pp. 833–836. IEEE (2009)

Acknowledgements

This work has been partially supported by DST-FIST Level-1 Program, Grant No. SR/FST/MSI-092/2013. The authors would like to thank Department of Mathematics, BITS Goa, R. C. Bose Centre for Cryptology and Security, ISI Kolkata, and Indian Institute of Technology, Jammu, for their support.

Corresponding author

Correspondence to Vishal Saraswat.

A An Instantiation of the Proposed Scheme

Consider the following NMDS matrix \(G\) having elements over \(\mathbb {F}_5\), as mentioned in [4].

$$ G=\left[ \begin{array}{@{}*{12}{@{~}c@{~}}@{}} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 4 &{} 2 &{} 0 &{} 3 &{} 1 &{} 2\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 3 &{} 1 &{} 0 &{} 2 &{} 2\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 2 &{} 4 &{} 4 &{} 3 &{} 3 &{} 2\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 4 &{} 1 &{} 2 &{} 1 &{} 3 &{} 2\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 4 &{} 2 &{} 4 &{} 2 \end{array} \right] \,.$$

If we denote the i-th row by \(\mathbf {r}_{i-1}\), and the chosen vector by \((\alpha _0, \alpha _1, \dots , \alpha _{k-1})\), then the codeword formed is of the form \(\alpha _0\mathbf {r}_0 + \alpha _1\mathbf {r}_1 + \dots + \alpha _{k-1}\mathbf {r}_{k-1}\). Therefore, the codeword c formed from the matrix \(G\) is

$$\begin{aligned} c = (&\alpha _0,\alpha _1,\alpha _2,\alpha _3,\alpha _4,\alpha _5,\\ {}&(\alpha _0+4\alpha _1+\alpha _2+2\alpha _3+4\alpha _4),\\&(\alpha _0+2\alpha _1+3\alpha _2+4\alpha _3+\alpha _4+\alpha _5),\\&(\alpha _0+\alpha _2+4\alpha _3+2\alpha _4+4\alpha _5),\\&(\alpha _0+3\alpha _1+3\alpha _3+\alpha _4+2\alpha _5),\\&(\alpha _0+\alpha _1+2\alpha _2+3\alpha _3+3\alpha _4+4\alpha _5),\\&(\alpha _0+2\alpha _1+2\alpha _2+2\alpha _3+2\alpha _4+2\alpha _5))\,. \end{aligned}$$

Hence, the first element of the codeword, that is, \(\alpha _0\) forms the secret while the rest of the elements become the shares for the participants.

A.1 Secret Reconstruction

Now any 5 participants from Group I or any 6 participants from Group II or more can find the secret.

  1. 5 participants: \({P}_1, {P}_2, {P}_3, {P}_4\) and \({P}_6\). The pooled codeword \(\mathsf {pcw}\) is \((\alpha _1, \alpha _2, \alpha _3, \alpha _4, \alpha _0+4\alpha _1+\alpha _2+2\alpha _3+4\alpha _4)\) and the corresponding submatrix \(G^\prime \) is:

    $$ G^\prime = \left[ \begin{array}{@{}*{6}{@{~}c@{~}}@{}} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1\\ 1 &{} 0 &{} 0 &{} 0 &{} 4 &{} 0\\ 0 &{} 1 &{} 0 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 0 &{} 2 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 &{} 4 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 \end{array} \right] \,.$$

    After elementary row operations,

    $$ (G^\prime )^\prime = \left[ \begin{array}{@{}*{6}{@{~}c@{~}}@{}} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 4\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 3\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 \end{array} \right] \implies \mathbf {g}_{0G}^\prime = \left[ \begin{array}{@{}*{1}{@{~}c@{~}}@{}} 1\\ 4\\ 3\\ 1\\ 1\\ 0\end{array} \right] \,.$$

    Then

    $$\begin{aligned} \mathsf {pcw}\cdot \mathbf {g}_{0G}&= \alpha _1 + 4\alpha _2 + 3\alpha _3 + \alpha _4 + (\alpha _0+4\alpha _1+\alpha _2+2\alpha _3+4\alpha _4)\\&= \alpha _0 + 5\alpha _1 + 5\alpha _2 + 5\alpha _3 + 5\alpha _4\\&= \alpha _0 \mod 5\,. \end{aligned}$$

    Hence the secret \(s_0 = \alpha _0\) is recovered correctly.

  2. 6 participants: \({P}_1, {P}_2, {P}_3, {P}_4, {P}_5\) and \({P}_7\). The pooled codeword \(\mathsf {pcw}\) is \((\alpha _1, \alpha _2, \alpha _3, \alpha _4, \alpha _5, \alpha _0+2\alpha _1+3\alpha _2+4\alpha _3+\alpha _4+\alpha _5)\) and the corresponding submatrix \(G^\prime \) is:

    $$ G^\prime = \left[ \begin{array}{@{}*{7}{@{~}c@{~}}@{}} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1\\ 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 &{} 0\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 3 &{} 0\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 4 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 0\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 &{} 0 \end{array} \right] \,.$$

    After elementary row operations:

    $$ (G^\prime )^\prime = \left[ \begin{array}{@{}*{7}{@{~}c@{~}}@{}} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 3\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 4\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 4\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 1 \end{array} \right] \implies \mathbf {g}_{0G}^\prime = \left[ \begin{array}{@{}*{1}{@{~}c@{~}}@{}} 3\\ 2\\ 1\\ 4\\ 4\\ 1\end{array} \right] \,.$$

    Then

    $$\begin{aligned} \mathsf {pcw}\cdot \mathbf {g}_{0G}&= 3\alpha _1 + 2\alpha _2 + \alpha _3 + 4\alpha _4 + 4\alpha _5 + \alpha _0 + (2\alpha _1+3\alpha _2+4\alpha _3+\alpha _4+\alpha _5)\\&= \alpha _0 + 5\alpha _1 + 5\alpha _2 + 5\alpha _3 + 5\alpha _4 + 5\alpha _5\\&= \alpha _0 \mod 5\,. \end{aligned}$$

    Hence the secret \(s_0 = \alpha _0\) is recovered correctly.

  3. 7 or more participants: \({P}_4, {P}_5, {P}_6, {P}_7, {P}_8, {P}_9, {P}_{10}\) and \({P}_{11}\). The pooled codeword is

    $$\begin{aligned} \mathsf {pcw}= (&\alpha _4, \alpha _5,\\ {}&\alpha _0+4\alpha _1+\alpha _2+2\alpha _3+4\alpha _4,\\ {}&\alpha _0+2\alpha _1+3\alpha _2+4\alpha _3+\alpha _4+\alpha _5,\\ {}&\alpha _0+\alpha _2+4\alpha _3+2\alpha _4+4\alpha _5,\\ {}&\alpha _0+3\alpha _1+3\alpha _3+\alpha _4+2\alpha _5,\\ {}&\alpha _0+\alpha _1+2\alpha _2+3\alpha _3+3\alpha _4+4\alpha _5,\\ {}&\alpha _0+2\alpha _1+2\alpha _2+2\alpha _3+2\alpha _4+2\alpha _5) \end{aligned}$$

    and the corresponding submatrix \(G^\prime \) is:

    $$ \left[ \begin{array}{@{}*{9}{@{~}c@{~}}@{}} 0 &{} 0 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1 &{} 1\\ 0 &{} 0 &{} 4 &{} 2 &{} 0 &{} 3 &{} 1 &{} 2 &{} 0\\ 0 &{} 0 &{} 1 &{} 3 &{} 1 &{} 0 &{} 2 &{} 2 &{} 0\\ 0 &{} 0 &{} 2 &{} 4 &{} 4 &{} 3 &{} 3 &{} 2 &{} 0\\ 1 &{} 0 &{} 4 &{} 1 &{} 2 &{} 1 &{} 3 &{} 2 &{} 0\\ 0 &{} 1 &{} 0 &{} 1 &{} 4 &{} 2 &{} 4 &{} 2 &{} 0 \end{array} \right] \,.$$

    After elementary row operations:

    $$ (G^\prime )^\prime = \left[ \begin{array}{@{}*{9}{@{~}c@{~}}@{}} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 3 &{} 1 &{} 1\\ 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 0 &{} 2 &{} 0 &{} 1\\ 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 3 &{} 0\\ 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 0 &{} 0 &{} 1 &{} 4\\ 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 0 &{} 1 &{} 1 &{} 3\\ 0 &{} 0 &{} 0 &{} 0 &{} 0 &{} 1 &{} 4 &{} 1 &{} 4 \end{array} \right] \implies \mathbf {g}_{0G}^\prime = \left[ \begin{array}{@{}*{1}{@{~}c@{~}}@{}} 1\\ 1\\ 0\\ 4\\ 3\\ 4\end{array} \right] \,.$$

    Then

    $$\begin{aligned} \mathsf {pcw}\cdot \mathbf {g}_{0G}&= (\alpha _4) + (\alpha _5) + (4\alpha _0+3\alpha _1+2\alpha _2 +\alpha _3+4\alpha _4+4\alpha _5)\\&\quad + (3\alpha _0+3\alpha _2 +2\alpha _3+\alpha _4+2\alpha _5) + (4\alpha _0+2\alpha _1 +2\alpha _3+4\alpha _4+3\alpha _5) \\&= 11\alpha _0 + 5\alpha _1 + 5\alpha _2 + 5\alpha _3 + 10\alpha _4 + 10\alpha _5\\&= \alpha _0 \mod 5\,. \end{aligned}$$

    Hence the secret \(s_0 = \alpha _0\) is recovered correctly.

Hence in every case, the secret \(s_0\) is recovered correctly.
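
The three reconstructions above, as an added Python example (not code from the paper): it rebuilds \(G\) over \(\mathbb {F}_5\), solves \(G^\prime \mathbf {x} = \mathbf {e}_0\) by Gauss-Jordan elimination on the augmented matrix, and combines the pooled shares with \(\mathbf {x}\). The function names and the sample vector `alpha` are assumptions made for this example; a pooled set whose columns do not span \(\mathbf {e}_0\) yields `None`.

```python
P = 5  # field size: all arithmetic is in F_5
G = [  # generator matrix from the appendix, columns 0..11
    [1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1],
    [0, 1, 0, 0, 0, 0, 4, 2, 0, 3, 1, 2],
    [0, 0, 1, 0, 0, 0, 1, 3, 1, 0, 2, 2],
    [0, 0, 0, 1, 0, 0, 2, 4, 4, 3, 3, 2],
    [0, 0, 0, 0, 1, 0, 4, 1, 2, 1, 3, 2],
    [0, 0, 0, 0, 0, 1, 0, 1, 4, 2, 4, 2],
]

def encode(alpha):
    """Codeword alpha*G over F_5; c[0] is the secret, c[i] is P_i's share."""
    return [sum(a * row[j] for a, row in zip(alpha, G)) % P for j in range(12)]

def recombination_vector(cols):
    """Solve sum_j x_j * G[:, j] = e_0 (mod 5) by Gauss-Jordan on [G' | e_0].
    Returns x, or None when e_0 is not in the span of the pooled columns."""
    m = [[row[j] for j in cols] + [1 if i == 0 else 0] for i, row in enumerate(G)]
    n, pivots, r = len(cols), [], 0
    for c in range(n):
        pr = next((i for i in range(r, len(m)) if m[i][c]), None)
        if pr is None:
            continue  # no pivot available: free column
        m[r], m[pr] = m[pr], m[r]
        inv = pow(m[r][c], -1, P)  # modular inverse (Python 3.8+)
        m[r] = [v * inv % P for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(row[n] for row in m[r:]):
        return None  # zero row with non-zero right-hand side: no solution
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = m[i][n]
    return x

def reconstruct(participants, shares):
    """participants: indices i of P_i; shares: their codeword entries, same order."""
    x = recombination_vector(participants)
    return None if x is None else sum(a * s for a, s in zip(x, shares)) % P

alpha = [3, 1, 4, 0, 2, 2]  # constructed sample vector; the secret is alpha[0] = 3
c = encode(alpha)
pooled = [1, 2, 3, 4, 6]    # case 1 of the appendix
print(reconstruct(pooled, [c[i] for i in pooled]))
```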

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Mehta, S., Saraswat, V., Sen, S. (2019). Secret Sharing Using Near-MDS Codes. In: Carlet, C., Guilley, S., Nitaj, A., Souidi, E. (eds) Codes, Cryptology and Information Security. C2SI 2019. Lecture Notes in Computer Science, vol 11445. Springer, Cham. https://doi.org/10.1007/978-3-030-16458-4_12

  • DOI: https://doi.org/10.1007/978-3-030-16458-4_12

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-16457-7

  • Online ISBN: 978-3-030-16458-4

  • eBook Packages: Computer Science, Computer Science (R0)
