ACA 2015: Applications of Computer Algebra pp 267-272

# Geometric and Computational Approach to Classical and Quantum Secret Sharing

Conference paper
Part of the Springer Proceedings in Mathematics & Statistics book series (PROMS, volume 198)

## Abstract

Secret sharing is a cryptographic scheme to encode a secret into multiple shares distributed to participants, so that only qualified (or authorized) sets of participants can reconstruct the original secret from their shares. It is also known that every linear ramp secret sharing can be expressed by a nested pair of linear codes $$C_2 \subset C_1 \subset \mathbf {F}_q^n$$. On the other hand, a nested code pair $$C_2 \subset C_1 \subset \mathbf {F}_q^n$$ can also give a quantum secret sharing. Since $$C_1$$ and $$C_2$$ are linear codes, it is natural to use algebraic geometry codes to construct $$C_1$$ and $$C_2$$. The purpose of this work is to find sufficient conditions for qualified or forbidden sets by using geometric properties of the set of points.

### Keywords

Algebraic geometry codes · Quantum secret sharing · Access structure

## 1 Introduction

Secret sharing (SS) [15] is a cryptographic scheme to encode a secret into multiple shares distributed to participants, so that only qualified (or authorized) sets of participants can reconstruct the original secret from their shares. Traditionally both the secret and the shares were classical information (bits). Several authors [5, 7, 16] extended the traditional SS to a quantum one, so that a quantum secret can be encoded into quantum shares.

When we require unqualified sets of participants to have zero information about the secret, the size of each share must be larger than or equal to that of the secret. By tolerating partial information leakage to unqualified sets, the size of the shares can be made smaller than that of the secret. Such an SS is called a ramp (or non-perfect) SS [2, 13, 17]. The quantum ramp SS was proposed by Ogawa et al. [14]. In their construction [14], as well as in its improvement [18], the shares can be L times smaller relative to the quantum secret than in the earlier constructions [5, 7, 16], where L is the number of qudits in the quantum secret.

Classical secret sharing is said to be linear if a linear combination of shares corresponds to the linear combination of the original secrets [3]. It is also known that every linear ramp secret sharing can be expressed by a nested pair of linear codes $$C_2 \subset C_1 \subset \mathbf {F}_q^n$$. On the other hand, a nested code pair $$C_2 \subset C_1 \subset \mathbf {F}_q^n$$ can also give a quantum secret sharing, as described in [10]. A share set is said to be forbidden if it has no information about the secret. It is natural to express conditions for qualified and forbidden sets in terms of $$C_2 \subset C_1$$, and the following is known:

### Theorem 1

([1, 9, 10]) Let $$J \subseteq \{1, \dots, n\}$$, and define $$P_J : \mathbf {F}_q^n \rightarrow \mathbf {F}_q^{|J|}$$, $$(x_1, \dots, x_n) \mapsto (x_j : j \in J)$$. We consider classical and quantum secret sharing constructed from $$C_2 \subset C_1$$. J can be regarded as a share set, and J is qualified in the classical secret sharing if and only if
$$\begin{aligned} \dim P_J(C_1)/P_J(C_2) = \dim C_1 / C_2, \end{aligned}$$
(1)
and J is forbidden in the classical secret sharing if and only if
$$\begin{aligned} P_J(C_1) = P_J(C_2). \end{aligned}$$
(2)
Let $$\overline{J} = \{1, \dots, n\} \setminus J$$. In the quantum secret sharing, J is qualified if and only if
$$\begin{aligned} \text{both } \left\{ \begin{array}{l} \text{(1) is true},\\ P_{\overline{J}}(C_1) = P_{\overline{J}}(C_2) \end{array}\right. \text{ i.e., } \left\{ \begin{array}{l} J \text{ is classically qualified},\\ \overline{J} \text{ is classically forbidden} \end{array}\right. \end{aligned}$$
(3)
hold, and J is forbidden if and only if $$\overline{J}$$ is qualified.

Since $$C_1$$ and $$C_2$$ are linear codes, it is natural to use algebraic geometry codes to construct $$C_1$$ and $$C_2$$ [4]. Let F be an algebraic function field of one variable with genus g(F), $$P_1, \dots, P_n$$ its rational places, and $$G_1 \ge G_2$$ divisors whose supports contain none of $$P_1, \dots, P_n$$. Define $$C(P_1+ \cdots + P_n, G_1) = \{(f(P_1), \dots, f(P_n)) \mid f \in \mathscr {L}(G_1)\}$$. By the Riemann–Roch theorem, for $$C_1 = C(P_1+ \cdots + P_n, G_1)$$ and $$C_2 = C(P_1+ \cdots + P_n, G_2)$$, it is straightforward to see

### Theorem 2

Equation (1) holds if
$$\begin{aligned} |J| \ge 1 + \deg G_1. \end{aligned}$$
(4)
Equation (2) holds if
$$\begin{aligned} |J| \le \deg G_2 - 2g(F)+1. \end{aligned}$$
(5)
Equation (3) holds if
$$\begin{aligned} |J| \ge \max \{1 + \deg G_1,\; n-(\deg G_2 - 2g(F)+1)\}. \end{aligned}$$
(6)

The purpose of this work is to find sufficient conditions less demanding than (4)–(6) by using geometric properties of the set of points $$\{ P_j \mid j \in J\}$$.
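Theorem 1 made concrete in the genus-0 case, as an added example that is not from the paper: taking Q as the place at infinity of the rational function field, $$C(P_1+\cdots+P_n, mQ)$$ is the Reed–Solomon code of polynomials of degree at most m evaluated at $$P_1, \dots, P_n$$, so conditions (1)–(3) reduce to ranks of punctured generator matrices over $$\mathbf{F}_p$$. The field GF(7), the six evaluation points and the degrees $$m_1 = 3$$, $$m_2 = 1$$ are a constructed toy instance, and all function names are my own.

```python
# Added example (not from the paper): Theorem 1 checked numerically for the
# genus-0 case, where C(P_1+...+P_n, mQ) with Q the place at infinity is the
# Reed-Solomon code of polynomials of degree <= m evaluated at P_1..P_n.
# Field size, evaluation points and degrees are a constructed toy instance
# chosen so that every answer can be verified by hand.

def rank_mod_p(rows, p):
    """Rank of a matrix (list of row lists) over the prime field GF(p)."""
    m = [r[:] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((i for i in range(rank, len(m)) if m[i][col] % p), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col] % p:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def rs_generator(points, deg, p):
    """Generator matrix of C(P_1+...+P_n, deg*Q): row k is x^k evaluated at the points."""
    return [[pow(x, k, p) for x in points] for k in range(deg + 1)]

def access_structure(points, m1, m2, p, J):
    """Classify share set J (0-based indices) per Theorem 1 for C2 = RS(m2) inside C1 = RS(m1)."""
    n = len(points)
    G1, G2 = rs_generator(points, m1, p), rs_generator(points, m2, p)
    def proj_dim(G, idx):                       # dim P_idx(C) = rank of the punctured generator
        return rank_mod_p([[r[i] for i in idx] for r in G], p) if idx else 0
    def quotient_dim(idx):                      # dim P_idx(C1)/P_idx(C2), since P_idx(C2) is a subspace
        return proj_dim(G1, idx) - proj_dim(G2, idx)
    Jl, Jbar = sorted(J), sorted(set(range(n)) - set(J))
    qualified = quotient_dim(Jl) == m1 - m2             # condition (1): dim C1/C2 = m1 - m2 for m1 < n
    forbidden = quotient_dim(Jl) == 0                   # condition (2): P_J(C1) = P_J(C2)
    q_qualified = qualified and quotient_dim(Jbar) == 0  # condition (3): J qualified and J-bar forbidden
    q_forbidden = forbidden and quotient_dim(Jbar) == m1 - m2  # quantum forbidden iff J-bar is quantum qualified
    return {"qualified": qualified, "forbidden": forbidden,
            "quantum_qualified": q_qualified, "quantum_forbidden": q_forbidden}

if __name__ == "__main__":
    # constructed instance: GF(7), six points, m1 = 3, m2 = 1, so dim C1/C2 = 2
    for J in ({0, 1, 2, 3}, {0, 1, 2}, {4, 5}):
        print(sorted(J), access_structure([1, 2, 3, 4, 5, 6], 3, 1, 7, J))
```

With g(F) = 0 the bounds (4) and (5) read |J| ≥ m_1 + 1 and |J| ≤ m_2 + 1, and because Reed–Solomon codes are MDS these bounds are exact here: share sets of size 4 are qualified (and quantum qualified, their complements having size 2), size 2 sets are forbidden, and size 3 sets are neither.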

## 2 Geometric and Computational Analysis of Qualified and Forbidden Sets

### 2.1 Computational Approach

Fix a rational place Q arbitrarily. When $$C_1 = C(P_1+ \cdots + P_n, G_1)$$ and $$C_2 = C(P_1+ \cdots + P_n, G_2)$$, (1) holds
$$\begin{aligned}
\Leftrightarrow & \; C\Biggl(\sum_{j\in J} P_j, G_1\Biggr)\Big/C\Biggl(\sum_{j\in J} P_j, G_2\Biggr) \simeq C(P_1+\cdots+P_n, G_1)\big/C(P_1+\cdots+P_n, G_2) \\
\Leftrightarrow & \; \ker(P_J) \cap C(P_1+\cdots+P_n, G_1) = \ker(P_J) \cap C(P_1+\cdots+P_n, G_2) \\
\Leftrightarrow & \; C\Biggl(\sum_{j\notin J} P_j, G_1-\sum_{j\in J} P_j\Biggr) = C\Biggl(\sum_{j\notin J} P_j, G_2-\sum_{j\in J} P_j\Biggr) \\
\Leftrightarrow & \; f_1 \in \mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr) \Rightarrow \exists f_2 \in \mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr) \text{ s.t. } f_1(P_j) = f_2(P_j)\ \forall j \notin J \\
\Leftrightarrow & \; f_1 \in \mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr) \Rightarrow \exists f_2 \in \mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr) \text{ s.t. } f_1 - f_2 \in \mathscr{L}\Biggl(G_1-\sum_{j\notin J}P_j\Biggr) \\
\Leftrightarrow & \; \forall f_1 \in \mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr),\ \exists f_2 \in \mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr),\ \exists f_3 \in \mathscr{L}\Biggl(G_1-\sum_{j=1}^n P_j\Biggr) \text{ s.t. } f_1 = f_2 + f_3 \\
\Leftrightarrow & \; \mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr) \subseteq \mathscr{L}\Biggl(G_1-\sum_{j=1}^n P_j\Biggr)+\mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr) \\
\Leftrightarrow & \; v_Q\Biggl(\mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr)\Biggr) \subseteq v_Q\Biggl(\mathscr{L}\Biggl(G_1-\sum_{j=1}^n P_j\Biggr)+\mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr)\Biggr) \\
\Leftarrow & \; v_Q\Biggl(\mathscr{L}\Biggl(G_1-\sum_{j\in J}P_j\Biggr)\Biggr) \subseteq v_Q\Biggl(\mathscr{L}\Biggl(G_1-\sum_{j=1}^n P_j\Biggr)\Biggr) \cup v_Q\Biggl(\mathscr{L}\Biggl(G_2-\sum_{j\in J}P_j\Biggr)\Biggr).
\end{aligned}$$
(7)
For any rational place Q and any divisor G of F, $$v_Q(\mathscr {L}(G))$$ can be computed by Gröbner bases and the algorithm in [11], provided that the defining equation of F is in special position with respect to Q [6, 8, 12].
We turn our attention to (2). Equation (2) holds
$$\begin{aligned}
\Leftrightarrow & \; C\Biggl(\sum_{j\in J} P_j, G_1\Biggr) = C\Biggl(\sum_{j\in J} P_j, G_2\Biggr) \\
\Leftrightarrow & \; \forall f_1\in \mathscr{L}(G_1),\ \exists f_2\in \mathscr{L}(G_2) \text{ s.t. } f_1-f_2 \in \mathscr{L}\Biggl(G_1-\sum_{j\in J} P_j\Biggr) \\
\Leftrightarrow & \; \forall f_1\in \mathscr{L}(G_1),\ \exists f_2\in \mathscr{L}(G_2),\ \exists f_3 \in \mathscr{L}\Biggl(G_1-\sum_{j\in J} P_j\Biggr) \text{ s.t. } f_1 = f_2 + f_3 \\
\Leftrightarrow & \; \mathscr{L}(G_1) = \mathscr{L}(G_2) + \mathscr{L}\Biggl(G_1-\sum_{j\in J} P_j\Biggr) \\
\Leftrightarrow & \; v_Q(\mathscr{L}(G_1)) = v_Q\Biggl(\mathscr{L}(G_2) + \mathscr{L}\Biggl(G_1-\sum_{j\in J} P_j\Biggr)\Biggr) \\
\Leftarrow & \; v_Q(\mathscr{L}(G_1)) = v_Q(\mathscr{L}(G_2)) \cup v_Q\Biggl(\mathscr{L}\Biggl(G_1-\sum_{j\in J} P_j\Biggr)\Biggr).
\end{aligned}$$
(8)
A similar sufficient condition for (3) can be deduced from (4) and (5).

### 2.2 Explicit Sufficient Conditions

We explicitly write sufficient conditions for (7) and (8), and examine whether they are easier to satisfy than (4) and (5) for one-point AG codes with $$G_1 = m_1 Q$$ and $$G_2 = m_2 Q$$. For any divisor G, let $$H_Q(G) = -v_Q(\mathscr {L}(G + \infty Q) \setminus \{0\})$$. Observe that $$H_Q(0)$$ is the Weierstrass semigroup at Q. The conductor of $$H_Q(G)$$ is defined as $$\min \{ i \in H_Q(G) \mid i \le j \in \mathbf {N} \Rightarrow j \in H_Q(G) \}$$, which generalizes the conductor of the Weierstrass semigroup $$H_Q(0)$$.

Equation (7) holds if
$$\begin{aligned} & v_Q\Biggl(\mathscr{L}\Biggl(m_1Q-\sum_{j\in J}P_j\Biggr)\setminus \{0\}\Biggr)=\emptyset \\
\Leftrightarrow & \; m_1 \le \min H_Q\Biggl(-\sum_{j\in J}P_j\Biggr) - 1. \end{aligned}$$
(9)
We see that condition (9) is less demanding than (4), because $$\min H_Q(-\sum _{j\in J}P_j) \ge |J|$$.
Similarly, (8) holds if
$$\begin{aligned} m_2 \ge \text{the conductor of } H_Q\Biggl(-\sum_{j\in J}P_j\Biggr)-1. \end{aligned}$$
(10)
We also see that condition (10) is less demanding than (5), because the conductor of $$H_Q(-\sum _{j\in J}P_j)$$ is $$\le 2g(F)$$. We can also make a similar improvement over (6): condition (6) holds if
$$m_1 \le \min H_Q\Biggl(-\sum_{j\in J}P_j\Biggr) - 1 \quad \text{and} \quad m_2 \ge \text{the conductor of } H_Q\Biggl(-\sum_{j\notin J}P_j\Biggr)-1.$$
In particular, for elliptic function fields ($$g(F)=1$$),
$$\begin{aligned} \text{(9)} \Leftrightarrow & \; \left\{ \begin{array}{ll} m_1+1 \le |J| & \text{if } \exists f \in \mathscr{L}(\infty Q),\ (f)_0 = \sum_{j \in J} P_j,\\ m_1 \le |J| & \text{otherwise} \end{array}\right. \end{aligned}$$
(11)
$$\begin{aligned} \text{(10)} \Leftrightarrow & \; \left\{ \begin{array}{ll} |J| \le m_2-1 & \text{if } \exists f \in \mathscr{L}(\infty Q),\ (f)_0 = \sum_{j \in J} P_j,\\ |J| \le m_2 & \text{otherwise} \end{array}\right. \end{aligned}$$
(12)

## Notes

### Acknowledgements

The authors gratefully acknowledge the support from Japan Society for the Promotion of Science (Grant Nos. 23246071 and 26289116), from the Spanish MINECO/FEDER (Grant No. MTM2012-36917-C03-03 and No. MTM2015-65764-C3-2-P), the Danish Council for Independent Research (Grant No. DFF-4002-00367) and from the “Program for Promoting the Enhancement of Research Universities” at Tokyo Institute of Technology.

### References

1. Bains, T.: Generalized Hamming weights and their applications to secret sharing schemes. Master's Thesis, University of Amsterdam (2008). Supervised by R. Cramer, G. van der Geer, and R. de Haan
2. Blakley, G.R., Meadows, C.: Security of ramp schemes. In: Advances in Cryptology—CRYPTO'84. Lecture Notes in Computer Science, vol. 196, pp. 242–269. Springer (1985). doi:10.1007/3-540-39568-7_20
3. Chen, H., Cramer, R., Goldwasser, S., de Haan, R., Vaikuntanathan, V.: Secure computation from random error correcting codes. In: Advances in Cryptology—EUROCRYPT 2007. Lecture Notes in Computer Science, vol. 4515, pp. 291–310. Springer (2007). doi:10.1007/978-3-540-72540-4_17
4. Chen, H., Cramer, R., de Haan, R., Cascudo Pueyo, I.: Strongly multiplicative ramp schemes from high degree rational points on curves. In: Smart, N. (ed.) Advances in Cryptology—EUROCRYPT 2008. Lecture Notes in Computer Science, vol. 4965, pp. 451–470. Springer (2008). doi:10.1007/978-3-540-78967-3_26
5. Cleve, R., Gottesman, D., Lo, H.K.: How to share a quantum secret. Phys. Rev. Lett. 83(3), 648–651 (1999). doi:10.1103/PhysRevLett.83.648
6. Geil, O., Pellikaan, R.: On the structure of order domains. Finite Fields Appl. 8, 369–396 (2002)
7. Gottesman, D.: Theory of quantum secret sharing. Phys. Rev. A 61(4), 042311 (2000). doi:10.1103/PhysRevA.61.042311
8. Heegard, C., Little, J., Saints, K.: Systematic encoding via Gröbner bases for a class of algebraic-geometric Goppa codes. IEEE Trans. Inf. Theory 41(6), 1752–1761 (1995). doi:10.1109/18.476247
9. Kurihara, J., Uyematsu, T., Matsumoto, R.: Secret sharing schemes based on linear codes can be precisely characterized by the relative generalized Hamming weight. IEICE Trans. Fundam. E95-A(11), 2067–2075 (2012). doi:10.1587/transfun.E95.A.2067
10. Matsumoto, R.: Coding theoretic construction of quantum ramp secret sharing, Version 4 or later (2014)
11. Matsumoto, R., Miura, S.: Finding a basis of a linear system with pairwise distinct discrete valuations on an algebraic curve. J. Symb. Comput. 30(3), 309–323 (2000). doi:10.1006/jsco.2000.0372
12. Matsumoto, R., Miura, S.: On construction and generalization of algebraic geometry codes. In: Katsura, T. et al. (eds.) Proceedings of Algebraic Geometry, Number Theory, Coding Theory, and Cryptography, pp. 3–15. University of Tokyo, Japan (2000). http://www.rmatsumoto.org/repository/weight-construct.pdf
13. Ogata, W., Kurosawa, K., Tsujii, S.: Nonperfect secret sharing schemes. In: Advances in Cryptology—AUSCRYPT '92. Lecture Notes in Computer Science, vol. 718, pp. 56–66. Springer (1993). doi:10.1007/3-540-57220-1_52
14. Ogawa, T., Sasaki, A., Iwamoto, M., Yamamoto, H.: Quantum secret sharing schemes and reversibility of quantum operations. Phys. Rev. A 72(3), 032318 (2005). doi:10.1103/PhysRevA.72.032318
15. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979). doi:10.1145/359168.359176
16. Smith, A.D.: Quantum secret sharing for general access structures. arXiv:quant-ph/0001087 (2000)
17. Yamamoto, H.: Secret sharing system using $$(k, l, n)$$ threshold scheme. Electron. Commun. Jpn. (Part I: Communications) 69(9), 46–54 (1986). doi:10.1002/ecja.4410690906 (The original Japanese version was published in 1985)
18. Zhang, P., Matsumoto, R.: Quantum strongly secure ramp secret sharing. Quantum Inf. Process. 14(2), 715–729 (2015). doi:10.1007/s11128-014-0863-2