Abstract
A localised multisecret sharing scheme is a multisecret sharing scheme for an ordered set of players in which players in the smallest sets who are authorised to access secrets are close together in the underlying ordering. We define threshold versions of localised multisecret sharing schemes, we provide lower bounds on the share size of perfect localised multisecret sharing schemes in an information theoretic setting, and we give explicit constructions of schemes to show that these bounds are tight. We then analyse a range of approaches to relaxing the model that provide tradeoffs between the share size and the level of security guarantees provided by the scheme, in order to permit the construction of schemes with smaller shares. We show how these techniques can be used in the context of an application to key distribution for RFIDbased supplychain management motivated by the proposal of Juels, Pappu and Parno from USENIX 2008.
Keywords
Multisecret sharing Informationtheoretic security Ramp schemes RFIDMathematics Subject Classification (2010)
94A60 94A621 Introduction
A secret sharing scheme is a means of distributing some information (shares) to a set of players so that authorised subsets of players can recover a unique secret, whereas the shares belonging to unauthorised subsets do not reveal any information about the secret. For example, a (t;n)threshold scheme involves a set of n players, with the authorised subsets being all sets of t or more players and the unauthorised subsets being all sets of t − 1 or fewer players. Such schemes were proposed independently by Blakley and Shamir in 1979 [2, 18]. More generally, given a set \(\mathcal {U}\) of players we can define an access structure Γ to be the collection of all authorised subsets of \(\mathcal {U}\), with all other subsets of \(\mathcal {U}\) being unauthorised. We require Γ to be monotone, in the sense that for \(A,B\subseteq {\mathcal {U}}\) with A ⊆ B then if A ∈ Γ we have B ∈ Γ also. A multisecret sharing scheme is a generalisation of secret sharing in which several secrets are shared according to different access structures on the same set of participants [3, 4, 7, 9, 14]. In this paper we consider a specific class of multisecret sharing schemes that are suited to an application in RFID security proposed by Juels, Pappu and Parno in USENIX 2008 [10]. We motivate the definition of these schemes initially through the following toy example:
Scenario 1 (Distributed signing key for a committee with changing membership)
A learned society is lead by a committee with seven members. The members each serve a seven year term on the committee; each year one member leaves the committee and a new member is elected to replace them. Every year the society holds a conference in a different city and committee meetings occur at these conferences. A meeting is deemed quorate as long as at least three committee members are present.
The society wishes to distribute a signing key among the committee members that allows them to sign the reports of their meetings at which at least three members are present. The key will need to change each year to reflect the changed membership of the committee. However they wish to avoid the need to change the members’ shares, since the shares are handed out at the committee meetings, but not every member attends each meeting. Furthermore, the shares belonging to any members who have left the committee should not reveal any information about the current value of the committee’s signing key.
The requirements of Scenario 1 lead us to the following definition:
Definition 1 (Localised threshold multisecret sharing scheme)

for any i = 0, 1, 2, … the set of shares associated with the players in a set \(U\subseteq {\mathcal {U}}\) allow the secret k _{ i } to be recovered uniquely whenever U ∩ W _{ i }≥t;

for any i = 0, 1, 2,… if \(U\subseteq {\mathcal {U}}\) is a set of players with the property that U ∩ W _{ i }<t then the shares associated with the players in U reveal no information about k _{ i }.
Example 1
The use of a (3; 7) LMSS to distribute their signing keys would allow the committee in Scenario 1 to satisfy their requirements: the first seven committee members are the players u _{0}, u _{1},…,u _{6}, and the remaining committee members are ordered by the year in which they join the committee. Each player u _{ i } is given a share s _{ i }.
The key feature of an LMSS is the fact that the set of players is ordered and every minimal authorised set of players is contained within a window of n consecutive players for some n. The aim of this paper is to analyse the security of such schemes and provide efficient techniques for their construction. In Section 2 of this paper we provide some necessary background details on secret sharing and multisecret sharing. In Section 3 we provide theoretical results on the security properties of LMSS including bounds on the share sizes, and give constructions of schemes that meet these bounds. In Section 4 we explore how the definition of a LMSS can be relaxed in order to permit schemes with smaller share sizes, and in Section 5 we show how these ideas can be applied in a natural way in designing a scheme suitable for an application in RFIDbased supply chain management motivated by a proposal of Juels, Pappu and Parno [10].
2 Background
Here we summarise some results and techniques from the literature that we use later in this paper.
2.1 Secret sharing
The earliest proposed examples of secret sharing schemes were for (t;n)threshold schemes. The following construction is due to Shamir and yields a (t;n)threshold scheme for any positive integers t,n with t≤n:
Construction 1 (Shamir’s Secret Sharing Scheme [18])
Let \(\mathcal {U}\) be a set of n players, and let p>n be a prime. For a given secret \(k \in \mathbb {Z}_{p}\) , select t−1 further values r _{1} ,r _{2} ,…,r _{ t−1 } uniformly at random from \(\mathbb {Z}_{p}\) , and let \(f\in \mathbb {Z}_{p}[x]\) be the polynomial defined by
Any set of t or more players can perform polynomial interpolation on their shares in order to recover the polynomial f and hence determine the secret k. However, for any set of t − 1 or fewer players, and for any element \(k^{\prime }\in \mathbb {Z}_{p}\), there exists a polynomial of degree at most t − 1 consistent with their shares and having constant term k ^{′}. Thus the shares of an unauthorised set of players yield no information about the true value of k. Note that it is possible to replace \(\mathbb {Z}_{p}\) by the finite field GF(q) for any prime power q > n, and that a slight adjustment can make the scheme work for q ≥ n.
The properties of secret sharing schemes are often described using information theoretic notation. Let K denote the discrete random variable corresponding to the choice of secret, and let A denote the discrete random variable corresponding to the set of shares given to the players in the set \(A\subseteq {\mathcal {U}}\). For a secret sharing scheme with access structure Γ we require H(K∣A) = 0 for any authorised set A ∈ Γ, and H(K∣B) = H(K) for any unauthorised set B ∉ Γ. A secret sharing scheme satisfying the second of these properties is said to be perfect; Shamir’s secret sharing scheme is an example of a perfect scheme. It is well known that for any perfect secret sharing scheme H(S _{ i }) ≥ H(K), where S _{ i } is the discrete random variable corresponding to the share belonging to player u _{ i }. Informally speaking, the size of each share is at least the size of the secret for any perfect scheme.
One way to allow the construction of schemes with smaller shares is to relax the requirement for the scheme to be perfect. For example, a (t _{1}, t _{2}; n)ramp scheme is a secret sharing scheme in which any t _{2} players can use their shares to uniquely recover the secret, whereas the set of shares belonging to any set of t _{1} or fewer players reveals no information about the secret. Sets of players of sizes greater than t _{1} but smaller than t _{2} may learn partial information about the secret, hence ramp schemes are not perfect. The average entropy of a player’s share in a (t _{1}, t _{2}; n)ramp scheme is known to be at least \(\frac {\log _{2}K}{t_{2}t_{1}}\) [12]. The following construction is based on Construction 1, and achieves \(\operatorname {H}(\mathbf {S_{i}})=\frac {\operatorname {H}(\mathbf {K})}{t_{2}t_{1}}\) for each player u _{ i }; it is due to McEliece and Sarwate [15].
Construction 2 ((t _{1}, t _{2}; n)ramp scheme [15])
Set s=t _{2} −t _{1} . Let \(\mathcal {U}\) be a set of n−s+1 players, and let p>n be a prime. The secret for this scheme is an element \(\mathbf {k}=(k_{1},k_{2},\dotsc ,k_{s}) \in \mathbb {Z}_{p}^{s}\) . It is shared by selecting a polynomial f uniformly from the set of all polynomials in \(\mathbb {Z}_{p}[s]\) that satisfy f(0)=k _{1} ,f(1)=k _{2} ,…,f(s−1)=k _{ s } . We identify each player with a unique nonzero element of \(\mathbb {Z}_{p}\setminus \{0,1,\dotsc ,s1\}\) , and to player i we assign the share f(i).
As before, any set of t _{2} players can perform interpolation to recover f, which enables them to recover the entire secret. In addition, it can be shown that any set of t _{1} or fewer players learns no information about the secret.
2.2 Multisecret sharing
Many authors have studied a generalisation of secret sharing in which several secrets are shared according to different access structures on the same set of participants [3, 4, 7, 9, 14]. There are various equivalent ways of defining security in such a setting; the following is due to Herranz, Ruiz and Sáez [7]:
Definition 2

(correctness) for i = 1,2,…,m and for any set \(A\subset {\mathcal {U}}\) of players we have that if A ∈ Γ_{ j } then the shares of the players in A can be used to uniquely recover secret k _{ j }. In terms of entropy, H(K _{ j }∣A) = 0 whenever A ∈ Γ_{ j }.

(weak informationtheoretic security) if A ∉ Γ_{ j } then the shares of the players in A reveal no information about k _{ j }. That is, H(K _{ j } ∣ A) = H(K _{ j }).
A (k; n) LMSS is a special case of a multisecret sharing scheme; the version presented in Definition 1 corresponds to the case of a weakly information theoretically secure scheme. Our analysis of these schemes in Section 3 will require the following theorem of Herranz, Ruiz and Sáez:
Theorem 1 ([7])
 1.
B _{ j } ∈ Γ_{ j−1} whenever j > 1;
 2.
B _{ j } ∉ Γ _{ j };
 3.
B _{ j } ∪ {u _{ i }} ∈ Γ_{ j }.
Then, for any weaklyinformation theoretic secure multisecret sharing scheme for Γ _{1} ,Γ _{2} ,…,Γ _{ ℓ } , it holds that \(\operatorname {H}(\boldsymbol {S_{i}})\geq {\sum }_{i=1}^{\ell } \operatorname {H}(\boldsymbol {K_{i}})\).
3 Bounds and constructions for LMSSs
A (t; n)LMSS can be regarded as a weakly informationtheoretic secure multisecret sharing scheme with access structures Γ_{0}, Γ_{1}, Γ_{2},…, where Γ_{ i } is a (t; n)threshold access structure for the set of players within window W _{ i }. We note that it is possible to construct such a scheme by deploying a (t; n)threshold scheme in each window, as observed in [10] (the same approach has been mentioned previously in the literature as a way to construct multisecret sharing schemes for various other combinations of threshold access structures, e.g. [3]).
Construction 3 (Trivial (t; n) LMSS [10])
Let \({\mathcal {U}}=u_{0},u_{1},u_{2},\dotsc \) be an ordered set of players, and denote by W _{ i } the window {u _{ i } ,u _{ i+1 } ,…,u _{ i+n−1 } }. Let p be a prime with p>n. For each window W _{ i } we share a secret \(k_{i}\in \mathbb {Z}_{p}\) among the n players in W _{ i } using a (t;n)threshold scheme (Construction 1). This is done independently for each window; a player u _{ j } is thus assigned shares corresponding to each window that contains it, i.e. windows W _{ j−n+1 } ,W _{ j−n+2 } ,…,W _{ j } . (The secrets may or may not be independent, but the randomness used in each of the threshold schemes is chosen independently.))
It is straightforward to see that Construction 3 gives rise to a (t; n)LMSS in which the total share size for each player is nlogp. In the case where k < n this turns out to be optimal, as shown by the following theorem:
Theorem 2
Proof
For ease of notation we prove the result for j = n − 1, but the proof applies analogously to any j ≥ n − 1. Consider the sequence of players \({\mathcal {U}}=[u_{0},u_{1},\dotsc ,u_{2n2}]\). Restricting Σ to these players yields a weak informationtheoretic secure multisecret sharing scheme on \(\mathcal {P}\), where for i = 0,…n − 1 the secret k _{ i } is shared according to the access structure Γ_{ i }={S⊂W _{ i }∣S≥t}.
For r = 1,2,…,n, let B _{ r } consist of the first t − 2 + r elements of \({\mathcal {P}}\setminus \{u_{n1}\}\). Then the sets B _{ i } satisfy the conditions for Theorem 1, and so we have that \(\operatorname {H}(\boldsymbol {S_{n1}})\geq {\sum }_{i=0}^{n1} \operatorname {H}(\boldsymbol {K_{i}}) \) as required. □
If the secrets and shares are all uniformly distributed, we obtain the result that the size of the secret given to player P _{ j } with j ≥ n − 1 in a (t; n)LMSS with t < n is at least nlogK, which implies that Construction 3 is optimal. (We address the case t = n in Section 3.1.) The fact that there do not exist constructions for a (t; n)LMSS with share sizes shorter than those of Construction 3 means that these schemes are not suitable for applications that require small shares. In Section 4 we consider various approaches to relaxing the security definitions for these schemes in a controlled manner so as to allow more efficient constructions. On the positive side, we observe that if the secrets are generated independently of each other, then the optimal schemes of Construction 3 are in fact strongly informationtheoretic secure.
3.1 The case t = n
Interestingly, the restrictions of Theorem 2 do not apply in the case where t = n, as the following construction demonstrates.
Construction 4
Let \({\mathcal {U}}=u_{0},u_{1},u_{2},\dotsc \) be an ordered set of players, and denote by W _{ i } the window {u _{ i } ,u _{ i+1 } ,…,u _{ i+n−1 } }. Suppose that for i≥0 a secret k _{ i } is generated uniformly at random from the set \(\mathbb {Z}_{2}^{\lambda }\) , and that this is done independently for each i. For i = 0, 1,…,n − 2 we assign a share s _{ i } to player u _{ i } by generating s _{ i } uniformly at random from \(\mathbb {Z}_{2}^{\lambda }\). For i ≥ n − 1 we set s _{ i } = k _{ i−n+1} ⊕s _{ i−n+1} ⊕s _{ i−n+2} ⊕⋯⊕s _{ i−1 }.
Theorem 3
Construction 4 results in an (n; n)LMSS that has weak informationtheoretic security and optimal share size, but which does not possess strong informationtheoretic security.
Proof
Suppose an attacker who wishes to determine k _{ j } possesses all the shares in \(B_{\hat {i}}\).
 Strong security:

We show the construction does not have strong informationtheoretic security. In the strong security setting, in addition to the shares possessed by the players in \(B_{\hat {i}}\), we assume the adversary also knows all secrets other than k _{ j }. In the case where i ≠ j + n − 1, this includes the secret k _{ i − n+1}, and so the adversary is able to determine s _{ i } using (2), and hence recover k _{ j } using (1).
When i = j + n − 1 (that is, when the missing share is the last one in the window) the adversary does not possess k _{ i − n+1}. However, we observe that:The adversary possesses all terms in this expression other than s _{ j + n − 1} = s _{ i }, hence they can use it to recover s _{ i } and thence k _{ j } as before.$$s_{j+n} =k_{j+1} \oplus s_{j+1} \oplus s_{j+1} \oplus ... \oplus s_{j+n2} \oplus s_{j+n1}. $$  Weak security:
 In the weak information theoretic setting, the adversary does not know any secrets other than those it is able to compute using the shares in its possession. Consider the following system of equations:This is a system of n linear equations. The adversary knows all the values except for the n+1 values in the set S = {s _{ i }, k _{ i − n+1}, k _{ i − n+2},…,k _{ i }}. For every possible choice of \(k_{j}\in \mathbb {Z}_{2}^{\lambda }\) there is a choice of the values in S∖{k _{ j }} consistent with the set of shares corresponding to players in B. Hence these shares reveal no new information about the secret k _{ j }, meaning this construction has weak information theoretic security.$$\begin{array}{@{}rcl@{}} k_{in+1} &=& s_{in+1} \oplus s_{in+2} \oplus \dotsb \oplus s_{i1} \oplus s_{i},\\ k_{in+2} &=& s_{in+2} \oplus s_{in+3} \oplus \dotsb \oplus s_{i} \oplus s_{i+1},\\ &&\vdots\\ k_{i} &=& s_{i} \oplus s_{i+1} \oplus ... \oplus s_{i+n2} \oplus s_{i+n1}. \end{array} $$
 Optimality:

To see that this scheme is optimal with respect to share size, we note that restricting this construction to any window gives an (n;n)threshold scheme for that window in which the size of each share is the same as the size of the corresponding secret. Since for a perfect (n;n)threshold scheme the size of the shares must be at least as large as the size of the secrets, this is optimal.
□
The scheme of Construction 4 thus gives an example of a (k;n)−LMSS that is weakly secure, but not strongly secure. We note that it has independently generated secrets, thus demonstrating that having independently generated secrets is a necessary but not sufficient condition to guarantee that a weakly secure scheme will also be strongly secure.
3.2 Time dependent schemes
In many applications such as that of Scenario 1, the secrets k _{0}, k _{1},… of an LMSS have a natural interpretation as a sequence of secrets that change over time. In such a setting it makes sense to consider a security model that is intermediate between the strong and weak models:
Definition 3
A (weakly information theoretically secure) (k;n)−LMSS is said to have perfect backward secrecy if the shares possessed by any set A ∉ Γ_{ j } together with the set of the first j secrets T _{ j }={k _{0}, k _{1},…,k _{ j − 1}} reveals no information about the secret k _{ j } other than that already revealed by T _{ j }. In entropy terms, H(K _{ j } ∣ A,T _{ j })= H(K _{ j } ∣ T _{ j }).
Perfect backward secrecy ensures that the exposure of past secrets does not affect the security of future secrets. Note that, by definition, a (t; n)LMSS with perfect backward secrecy is also a weakly informationtheoretic (t; n)LMSS. Furthermore, a strongly informationtheoretic (t; n)LMSS necessarily has perfect backward secrecy. Thus perfect backward secrecy can be seen as an intermediate requirement between weak and strong informationtheoretic security. A strongly informationtheoretic scheme in fact possesses both perfect backward secrecy and perfect forward secrecy, where compromise of future secrets does not affect the security of past secrets. This is interesting from the point of view of motivating the strong security model, given that Scenario 1 seemed a priori only to require weak security.
It is interesting to consider whether the scheme of Construction 4 has this property. The following result shows that in fact it only has quite limited backward secrecy:
Theorem 4
Construction 4 does not have perfect backward secrecy: an adversary possessing the secrets k _{0} ,k _{1} …k _{ j−1 } and who also has shares of a maximal set of players \(B_{\hat {i}} \notin {\Gamma }_{j}\) can determine k _{ j } except in the case where i=j+n−1, where no information about k _{ j } is revealed.
Proof
4 Relaxing security requirements in order to construct more efficient schemes
The bounds on share sizes implied by Theorem 2 mean that, in order to construct a more efficient (k; n) LMSS, it is necessary to relax the security definition. There are various ways in which this could be done. The SWISS schemes proposed by Juels et al. [10] are one example; we discuss some limitations of these schemes in Section 5. In this Section we consider systematically a range of techniques that can be applied while still working in the setting of informationtheoretic security. Recall that the essential aims of a (k; n) LMSS are to ensure that any k suitably close users are able to recover a secret, and that each secret should only be accessible to players within a bounded window. The techniques we consider here allow us to maintain these goals, while relaxing the strict requirements of Definition 1 in ways that give us a well understood tradeoff between the security compromises and the resulting efficiency gains.
4.1 Shifting to a nonperfect model of secret sharing
Section 2.1 indicated that the shares of a perfect (t;n)threshold scheme have to be at least as large as the secret, but that share sizes could be reduced by the use of a (t _{1}, t _{2}; n)ramp scheme, with the increased efficiency being traded against the relaxation of the security in that sets of players of sizes between t _{1} and t _{2} can now gain partial information about the secret. The exact same technique can be applied in the context of a (t; n)LMSS, by replacing the use of Shamir’s secret sharing scheme in Construction 3 with the (t _{1}, t _{2}; n)ramp scheme of Construction 2. Reducing the sizes of sets of players that are excluded from learning any information about the secret from t _{2}−1 to t _{1} in this manner allows us to decrease the size of the shares by a factor of t _{2}−t _{1}.
4.2 Changing the access structures
 The access structure in isolation:

As previously, we consider an ordered set of players denoted by \({\mathcal {U}}=u_{0},u_{1},u_{2},\dotsc \). We define an access structure Γ on \(\mathcal {U}\) by specifying that the authorised sets in Γ are all those subsets of \(\mathcal {U}\) that contain a subset of the form \(S=\{u_{i_{1}},u_{i_{2}},\dotsc ,u_{i_{t}}\}\) where i _{1}<i _{2}<⋯<i _{ t } and i _{ t }−i _{1}≤n − 1. That is, any subset of \(\mathcal {U}\) that contains t or more players from within a window of n consecutive players is authorised. We think of the authorised sets in Γ as being those that have the right to reconstruct at least one key.
 Key windows:

The defining property of a localised secret sharing scheme is that we want any given key to be accessible by sufficiently large sets of players that are suitably close. For a given key k we suppose there is a specific key window W ^{ k } consisting of the players u _{ i }, u _{ i+1},…u _{ i + ℓ − 1} that we think of as having the potential to be involved in recovering k. Note that unlike in Section 3, we no longer require ℓ = n but we can also allow ℓ ≥ n.
 The effect of Γ within a key window:
 We now consider the restriction of the access structure Γ to the window W ^{ k }. This gives us an access structure Γ^{ k } on the players in W ^{ k } whose authorised sets are all those of the form A ∈ Γ with A ⊆ W ^{ k }. This is illustrated in Fig. 2 for the case ℓ = 4 and n = k = 2.
For ℓ > n the access structure Γ^{ k } is no longer a threshold access structure. It is possible to construct a secret sharing scheme assigning shares to the players in W ^{ k } that enable authorised sets in Γ^{ k } to recover k while preventing the shares belonging to any set S ∉ Γ^{ k } from gaining any information about k [8]. However, in general this may require the share sizes to be larger than the size of k. For example, in the case where ℓ = 4 and n = t = 2 (as depicted in Fig. 2), Capocelli et al. show that it is necessary for the largest share to be at least 50% larger than the size of the secret [5].
One approach to avoiding this issue (as suggested in [10]) is simply to use a (t;ℓ)threshold scheme to share k among the players in W ^{ k }, since this allows shares that are no larger than the size of the secret (and permits a straightforward tradeoff between security and share size through the use of a suitable ramp scheme if desired). However, in the case where ℓ is significantly larger than n (the schemes proposed in [10] have ℓ≥2n) this results in many subsets of W ^{ k } that are not authorised having shares that allow them to recover the secret, namely any set of t shares \(\{s_{i_{1}},s_{i2},\dotsc ,s_{i_{t}}\}\) with i _{1}<i _{2}<⋯<i _{ t } and i _{ t } − i _{1} > n. This can be substantially mitigated at no extra cost by the use of the following construction:
Construction 5

We share k using a (t; n)threshold scheme and assign the resulting shares s _{1} ,s _{2},…,s _{ n } to the first n players in the window.

We then assign s _{1}, s _{2},…, s _{ n } in turn to the next n players in turn and so on, cycling through the shares as necessary throughout the rest of the window.
This construction ensures that the shares possessed by any n consecutive players are precisely those of a (t;n)threshold scheme, and so the shares of any subset of t or more of those n consecutive players can recover the secret, as required by Γ^{ k }. There is potential for a small saving in the size of the shares relative to using a (t;ℓ)threshold scheme since it is possible to use a field of size n rather than ℓ. However the main advantage of this construction is in reducing the number of sets S ∉ Γ^{ k } that can recover k. For a (t;ℓ)threshold scheme, there are \(\binom {\ell }{t}\) subsets of size t that can recover the secret, whereas Γ^{ k } contains only \((\ell n)\binom {n1}{t1}+\binom {n}{t}\) authorised subsets of size t (there are \(\binom {n}{t}\) ways of choosing such a subset from among the last n players in the window; for subsets not wholly contained within the last n players there are ℓ − n possible choices for the first player in the subset and \(\binom {n1}{t1}\) ways to choose the rest of the subset from the n − 1 subsequent players.). For example, if ℓ = 4 and n = t = 2 then the threshold scheme has \(\binom {4}{2}=6\) pairs of shares that can recover the secret, whereas Γ^{ k } only has \(2\binom {1}{1}+\binom {2}{2}=3\) authorised pairs. This implies that half of the pairs of players enabled by the threshold scheme to access the secret are not in Γ^{ k }. For the scheme given in Construction 5, on the other hand, in the case where ℓ = λ n there are \(\lambda ^{t}\binom {n}{t}\) subsets of size t that can recover the secret. For ℓ = 4 and n = t = 2 this gives \(2^{2}\binom {2}{2}=4\) pairs that can recover the secret, so only a quarter of these are not in Γ^{ k }.
We note that Construction 5 can also be instantiated with a ramp scheme in place of the threshold scheme if desired.
4.3 Staggering key windows
If we were to fix ℓ = n and require a new key window of length n starting with player u _{ i } for every i = 1,2,… then we would recover Definition 1. However, by allowing distinct values of ℓ and n, and allowing more flexibility in the distribution of the key windows we can obtain a family of schemes that have the potential for much greater flexibility in tailoring their properties to suit our application requirements. One way to do this is to introduce a parameter d that describes the offset between consecutive key windows, so that key k _{0} is associated with the window \(W^{k_{0}}=\{u_{0},u_{1},u_{2},\dotsc ,u_{\ell 1}\}\), key k _{1} is associated with the window \(W^{k_{1}}=\{u_{d},u_{d+1},\dotsc ,u_{d+\ell 1}\}\), and so on. In general, key k _{ i } is associated with the window \(W^{k_{i}}=\{u_{id},u_{id+1},\dotsc ,u_{id+\ell 1}\}\).
The following lemmas describe basic properties of the scheme that arises from staggering the key windows in this fashion.
Lemma 1
An authorised set \(A=\{u_{i_{1}},u_{i_{2}},\dotsc ,u_{i_{t}}\}\) with i _{ t } −i _{1} =c for some c≤n−1 can reconstruct \(\lfloor \frac {\ell c}{d}\rfloor \) or \(\lceil \frac {\ell c}{d}\rceil \) secrets.
Proof
The shares corresponding to the players in set A allow them to recover the secret for any window W with A ⊆ W. A window of length ℓ contains A if it starts with a player between \(u_{i_{t\ell }}\) and \(u_{i_{1}}\). This is a range of \(u_{i1}u_{i_{t}\ell }=\ell (u_{i_{t}}u_{i_{1}})=\ell c\) possible starting points. If the windows have offset d then for any value of i _{ t } at least \(\lfloor \frac {\ell c}{d}\rfloor \) windows, and up to \(\lceil \frac {\ell c}{d}\rceil \) windows will start in this range. □
The share storage requirements for any individual player are given by the following lemma:
Lemma 2
Any single player is associated with either \(\lfloor \frac {\ell }{d}\rfloor \) or \(\lceil \frac {\ell }{d}\rceil \) shares.
The proof is a direct analogue of that of Lemma 1.
Example 2
Suppose we take ℓ = 2n and d = n. Then every player is associated with shares from two distinct key windows, and any authorised set is able to recover either one or two distinct window keys.
4.4 Combining techniques
Combining all the techniques discussed in this section gives us the following construction:
Construction 6 (Flexible Localised Multisecret Sharing Scheme, (t _{1}, t _{2}; n, ℓ, d)fLMSS)
Let \({\mathcal {U}}=u_{0},u_{1},u_{2},\dotsc \) be an ordered set of players, and denote by W _{ i } the window {u _{ i } ,u _{ i+1 } ,…,u _{ i+ℓ−1 } }. Let p be a prime with p>n. For each window W _{ i } for i=0,d,2d,3d,… we share a secret \(\sigma _{i}\in \mathbb {Z}_{p}\) among the ℓ players in W _{ i } using Construction 5 implemented with a (t,k,n)ramp scheme.
The following properties of this construction follow directly from the earlier results in this section.
Theorem 5

(storage) If the secrets are all independent and identically distributed according to the uniform random variable K then the size of the shares of each tag are \(\lceil \frac {\ell }{d}\rceil \frac {\log _{2}K}{t_{2}t_{1}}\) bits.

(key recovery) Any set of players \(\{u_{i_{1}},u_{i_{2}}\dotsc ,u_{i_{m}}\}\subseteq W_{i}\) for i = 0, d, 2d,… with m ≥ t _{2} and i _{ m }−i _{1} ≤ n is able to recover the secret k _{ i }.
Example 3
so each individual player is associated with either 3 or 4 shares. For example, consider the player u _{210}. This player must hold shares for the windows W _{80}, W _{120}, W _{160} and W _{200} and hence is an example of a player who holds four shares. On the other hand, player u _{235} must hold a secret for W _{120}.W _{160} and W _{200} and thus holds three shares. Both players are illustrated in Fig. 3.
5 Application to key distribution for RFIDenabled supply chains
In this section we consider the application of fLMSS to the distribution of keys for RFID tags used in supplychain management. Radio Frequency Identification (RFID) is a technology that uses radio signals to identify objects [1]. An RFID system consists of a tag, a reader and a backend server [1]. The devices are used in transportation, logistics, manufacturing and processing. Typical applications include inventory control, animal tagging, postal tracking, airline baggage management, access control, and manufacturing processes [17].
RFID tags enable the identification, tracking and verification of products in a supply chain both automatically and in real time [1], hence their use is becoming more prevalent in manufacturing. They have the potential to store information such as batch numbers, date of manufacture, and so on. In supply chains, the predominant RFID standard is known as the Electronic Product Code (EPC) [6]. EPC tags can be regarded as new generation barcodes that emit a code containing four elements [10]: a header, which denotes the EPC version number; a domain manager that details the manufacturer; an object class that specifies the item type; and a serial number, which is a universal identifier for the item. The unique serial number enables the tag to be linked to a database containing other vital information related to the product. Storing the EPC rather than all the information relevant to the product requires less memory on the tag, which is ideal as tags have a limited memory of up to 2KB of data [10].
However, the use of these tags creates new security and privacy challenges: for instance, a consumer who is in possession of a tagged product runs the risk that a passerby could scan the tag and thereby determine that they are carrying the product. There are many items such as medications for which this is potentially undesirable. One further complication is that there may not exist any prior secure channels (in the form of shared secret keys or similar) between the manufacturer and agents, such as merchants, who legitimately require access to the tags’ contents. One way to address this is to exploit differences in the way in which a legitimate user is able to access the data on a tag or tags, as opposed to the potentially more restricted access available to a casual adversary. Juels, Pappu and Parno consider the following scenario [10]:
Scenario 2 (Distributing a key over the RFID tags on all the items in a case)
Suppose a manufacturer places tags on items that are shipped in bulk to a merchant who then sells them individually to customers. The merchant (who has a legitimate need to read the tag identities) has access to many tags. On the other hand, after the items are sold, an adversary (who should be prevented from recovering the tag identities) is expected to only have access to a small number of tags.
In this scenario, the items are assumed to be shipped by the caseload to the merchant, and Juels et al. [10] suggest the use of a secret sharing scheme to distribute a key across all the tags in a case of items, with each tag receiving a single share. This ensures that the merchant who possesses the entire case can gather enough shares to recover the identity, but once the items have been sold they are sufficiently dispersed that the identity can no longer be recovered. This is an example of a situation where a threshold (or ramp) secret sharing scheme gives a natural solution to the problem of securing identities of RFID tags from adversaries with access to a small number of tags, while allowing merchants who possess entire cases of tags to access the relevant information.
Juels et al. [10] propose keeping the share sizes small by using a variation of a scheme due to Krawczyk that provides computational (rather than informationtheoretic) security [11]. In Krawczyk’s original scheme a large secret is encrypted with a (relatively) short key and the resulting ciphertext is shared using a (0,k;n)ramp scheme, while the key is shared using a (k;n)threshold scheme. Juels et al. [10] suggest sharing both the key and the ciphertext with a secret sharing scheme based on an errorcorrecting code, and claim that this enables them to ‘make the size of our shares independent of the secret’. In fact this is not correct, nor is their assertion that Krawczyk’s scheme has ‘shares with lengths independent of the secret’s size’. Rather, as Krawczyk states in his abstract [11], his scheme is ‘an mthreshold scheme... in which shares corresponding to a secret S are of size \(\frac {S}{m}\) plus a short piece of information whose length does not depend on the secret size but just in the security parameter. (The bound of \(\frac {S}{m}\) is clearly optimal if the secret is to be recovered from m shares.)’.
The use of errorcorrecting codes for secret sharing has been long studied [13, 15]; in particular it is known that a length n code with distance d and dual distance d ^{∗} gives a (t _{1}, t _{2}; n − 1)ramp scheme with t _{1} = d ^{∗}−2 and t _{2} = n − d+1 (see, for example, [16] for details). Thus if the dual distance of the code is small, then t _{1} is also small and the resulting scheme only guarantees protection of the secret against small coalitions of players. In Krawczyk’s scheme the computational security is ensured by the fact that a threshold scheme is used to share the key. Replacing the threshold scheme in this construction by one based on an errorcorrecting code leads to a similar reduction in security as would be caused by simply using a ramp scheme to share the message directly; it does not reduce the storage relative to this more straightforward approach, and it offers only computational rather than informationtheoretic security guarantees. As such, this errorcorrecting code approach does not appear to offer any clear advantages in this context.
5.1 Instantiating a solution for Scenario 2
In order to use a secretsharing based scheme for Scenario 2, it is necessary to preload the appropriate data on all the tags. Once a case has been ordered, the supplier can set up the appropriate tags and attach them to all the items in the case. However, this may be time consuming and inconvenient. Instead, it would be more convenient to be able to attach the tags to the products as they come off the production line prior to packing. This leads to the following scenario, which is essentially that considered by Juels et al. in their Example 2 [10].
Scenario 3 (Setting up a sequence of RFID tags for items coming off a production line)
Suppose a manufacturer attaches RFID tags to items as they come off the production line. The items are then packed and shipped to meet orders coming in from wholesale customers. The manufacturer wishes to distribute keys across items in an order using a (t;n)threshold secret sharing scheme, as in Scenario 2. However, the customers may order differing numbers of items, and at the time when the data is being placed on the tags the manufacturer does not yet know what these orders are going to be (either in terms of their sizes or to which customer they will be shipped). The shares on the tags in a single order must enable the wholesaler to recover a suitable key, yet adversaries who obtain fewer than t shares from a given order should learn no information about the key. (In particular, this means that the tags from a certain wholesaler’s orders should not allow that wholesaler to learn the key corresponding to another wholesale customer’s order.)
Juels et al. propose the use of a SlidingWindowInformationSecretSharing (SWISS) scheme for this purpose. Their basic SWISS scheme uses a (k;n)threshold scheme with key window length ℓ = 2n and offset d = n. They observe that this can be generalised to \(\ell =\frac {({\Psi }+1)n}{\Psi }\) with \(d=\frac {n}{\Psi }\) for Ψ<n. They further note that in place of a threshold scheme they could use the secret sharing scheme they developed for Scenario 2.
The fact that the choice of Ψ completely determines ℓ and d once n is known is unnecessarily restrictive here. We observe that the requirements of Scenario 3 are in fact essentially the same as those of Scenario 1; hence, a (t _{1}, t _{2}; n,ℓ,d) fLMSS is an appropriate solution for the manufacturer’s needs in this situation.
Example 4
In Example 3, we saw that the use of a (30, 50; 100, 150, 40) −fLMSS allowed a 64 bit secret to be distributed while only requiring each player to store a 13 bit share. This is well within the capacity of an EPC Gen2 RFID tag, and would be suitable, for example, in a situation where merchants order shipments of at least 100 items at a time.

The direct use of a ramp scheme rather than an arbitrary errorcorrecting code explicitly gives the values of the important parameters, so that the resulting tradeoff between security and efficiency is entirely clear. Furthermore, the use of Construction 2 in the fLMSS gives the essential property that both the sharing and the secret recovery can be efficiently performed.

The fLMSS provides informationtheoretic security rather than relying on computational assumptions.

The use of Construction 5 reduces the number of unauthorised sets who can access a given secret relative to a SWISS scheme of analogous parameters.

By separating the window length ℓ from the offset d, we have enabled a more flexible choice of parameters that allows for the appropriate security/efficiency tradeoff to be chosen to directly suit application requirements.
6 Conclusion
Localised multisecret sharing is a natural concept with a range of potential applications. We have showed that a fLMSS scheme provides a flexible and lightweight tool for approximating the ideal behaviour of a (t;n)LMSS in a restricted environment such as that provided by the use of RFID tags. Interesting open problems would be to find further applications for these schemes, and to determine whether their security can be further enhanced through improvements to Construction 5.
References
 1.Abughazalah, S., Markantonakis, K., Mayes, K.: Enhancing the key distribution model in the RFIDenabled supply chains. In: 28th International Conference on Advanced Information Networking and Applications Workshops (WAINA 2014), pp. 871–878 (2014)Google Scholar
 2.Blakley, G.R.: Safeguarding cryptographic keys. Federal Inf. Process. Standard Conference Proceedings 48, 313–317 (1979)Google Scholar
 3.Blundo, C., Santis, A.D., Crescenzo, G.D., Gaggia, A.G., Vaccaro, U.: Multisecret sharing schemes. In: Desmedt, Y. (ed.) CRYPTO ’94, volume 839 of LNCS, pp. 150–163. Springer (1994)Google Scholar
 4.Blundo, C., Santis, A.D., Vaccaro, U.: Efficient sharing of many secrets. In: Enjalbert, P., Finkel, A., Wagner, K.W. (eds.) STACS ’93, volume 665 of LNCS, pp. 692–703. Springer (1993)Google Scholar
 5.Capocelli, R.M., Santis, A.D., Gargano, L., Vaccaro, U.: On the size of shares for secret sharing schemes. In: Feigenbaum, J. (ed.) CRYPTO ’91, volume 576 of LNCS, pp. 101–113. Springer (1991)Google Scholar
 6.EPCglobal: Radiofrequency identity protocols class1 generation2 UHF RFID protocol for communications at 860 mhz–960 mhz version 1.0. 9. http://www.epcglobalinc.org (2004)
 7.Herranz, J., Ruiz, A., Sáez, G.: New results and applications for multisecret sharing schemes. Des. Codes Crypt. 73(3), 841–864 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 8.Ito, M., Saito, A., Nishizeki, T.: Secret sharing scheme realizing general access structure. In: IEEE Globecom, pp. 99–102 (1987)Google Scholar
 9.Jackson, W.A., Martin, K.M., O’Keefe, C.M.: Multisecret threshold schemes. In: Stinson, D.R. (ed.) CRYPTO ’93, volume 773 of LNCS, pp. 126–135. Springer (1993)Google Scholar
 10.Juels, A., Pappu, R., Parno, B.: Unidirectional key distribution across time and space with applications to RFID security. In: van Oorschot, P.C. (ed.) USENIX Security Symposium, pp. 75–90. USENIX Association (2008)Google Scholar
 11.Krawczyk, H.: Secret sharing made short. In: Stinson, D.R. (ed.) CRYPTO ’93, volume 773 of LNCS, pp. 136–146. Springer (1993)Google Scholar
 12.Martin, K., Jackson, W.A.: A combinatorial interpretation of ramp schemes. Aust. J. Commun. 14, 51–60 (1996)MathSciNetzbMATHGoogle Scholar
 13.Massey, J.: Minimal codewords and secret sharing. In: Proceedings 6th Joint SwedishRussian International Workshop on InformationTheory, pp. 276–279 (1993)Google Scholar
 14.Masucci, B.: Sharing multiple secrets: models, schemes and analysis. Des. Codes Crypt. 39(1), 89–111 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 15.McEliece, R.J., Sarwate, D.V.: On sharing secrets and R,eedSolomon codes. Commun. ACM 24(9), 583–584 (1981)CrossRefGoogle Scholar
 16.Paterson, M.B., Stinson, D.R.: A simple combinatorial treatment of constructions and threshold gaps of ramp schemes. Cryptogr. Commun. 5(4), 229–240 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 17.Roberts, C.M.: Radio frequency identification (RFID). Comput. Secur. 25(1), 18–26 (2006)CrossRefGoogle Scholar
 18.Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)MathSciNetCrossRefzbMATHGoogle Scholar