A Latin square autotopism secret sharing scheme

We present a novel secret sharing scheme where the secret is an autotopism (a symmetry) of a Latin square. Previously proposed secret sharing schemes involving Latin squares have many drawbacks: (a) Latin squares contain n2\documentclass[12pt]{minimal} \usepackage{amsmath} \usepackage{wasysym} \usepackage{amsfonts} \usepackage{amssymb} \usepackage{amsbsy} \usepackage{mathrsfs} \usepackage{upgreek} \setlength{\oddsidemargin}{-69pt} \begin{document}$$n^2$$\end{document} entries, which may be too large, (b) partial information about the secret may be directly revealed, (c) a subsequently discovered subtle “flaw”, (d) difficulty in initialization and reconstruction, (e) difficulty in verification, and (f) difficulty in generalizing to a multi-level scheme. We carefully analyze the security of the proposed scheme, and identify how it overcomes all of these problems.

The concept of secret sharing schemes goes back to Shamir [20] and Blakey [1] (see also [21]). In this work, we present and analyze a secret sharing scheme based on symmetries of Latin squares.
We will consider the case of when the secret message θ can be reconstructed from knowledge of l shares, which are distributed to the l participants, that is, every participant must cooperate to recover the secret L. The primary obstacle in attacking this scheme is the huge number of Latin squares and the huge number of symmetries they might have.

Introduction
A Latin square of order n is an n × n array L = (l i, j ) of n symbols such that the symbols in every row and in every column are distinct. We will index the rows and columns of L by the elements of Z n and take the symbol set to be Z n . The orthogonal array of L is the set of ordered triples O(L) = (i, j, l i, j ) : i, j ∈ Z n .

Symmetries
Let S n be the symmetric group acting on Z n . We can act on the set of Latin squares L = (l i, j ) of order n with θ := (α, β, γ ) ∈ S n × S n × S n such that the rows of L are permuted according to α, the columns of L are permuted according to β, and the symbols of L are permuted according to γ . In terms of entries, we have θ (i, j, l i, j ) = α(i), β( j), γ (l i, j ) for all i, j ∈ Z n .
The mapping θ is called an isotopism, we call L and θ(L) isotopic, and the set of Latin squares isotopic to L is its isotopism class.
If θ(L) = L, then θ is said to be an autotopism of L. Autotopism are the symmetries we will consider in this paper.
If (i, j, l i, j ) is an entry in a Latin square that admits an autotopism (α, β, γ ), then its orbit is the set α k (i), β k ( j), γ k (l i, j ) : k ≥ 0 of entries of L. An orbit will have size dividing the order of (α, β, γ ). Importantly, we can reconstruct the whole orbit from knowledge of a single entry in the orbit and (α, β, γ ).
We will primarily focus on isotopisms in which each component decomposes into two disjoint (n/2)-cycles, which we will call suitable. The purpose of this restriction is to permit a simpler security analysis.

Partial Latin squares and contours
A partial Latin square of order n is an n × n array P = ( p i, j ) of n + 1 symbols Z n ∪ {·} such that each symbol in Z n occurs at most once in each row and at most once in each column. We say an entry (i, j, p i, j ) is defined if p i, j ∈ Z n and undefined otherwise. The definitions of "entry", "orthogonal array", and "isotopism" extend naturally to partial Latin squares by restricting to the defined entries. Algorithm 1 Generate L from contour C and suitable autotopism θ .
Require: contour C, suitable autotopism θ set L to be the empty n × n matrix for each entry e in C do for t ∈ {0, 1, . . . , n/2 − 1} do add entry θ t (e) to L end for end for return L We can reconstruct a Latin square L from knowledge of an autotopism θ and a partial Latin square with exactly one entry in each orbit in O(L) under θ (the group generated by θ ); we call this partial Latin square a contour C. In this case, we say (C, θ) generates L.
Generating the Latin square from (C, θ) Algorithm 1 describes how to generate the Latin square from (C, θ) for an arbitrary suitable autotopism θ . An example is illustrated in Fig. 1.
Algorithm 1 fills in n 2 cells, so takes time O(n 2 ), but it assumes that (C, θ) generates a Latin square L. Naively, it would take O(n 3 log n) time to verify that L is indeed a Latin square: for each of the O(n) rows and columns, there are O(n 2 ) pairs of entries, and we compare their symbols for equality, requiring time O(log n).
Verifying (C, θ) generates a Latin square While it takes time O(n 3 log n) to verify a matrix is a Latin square, we can verify that (C, θ), for suitable θ , generates a Latin square (without constructing it) in time O(n 2 log n), as we will now explain.
There is flexibility in the choice of leading entry (based on how we write the cycles), but to be concrete, we assume row 1 = col 1 = 0 and that row 2 and col 2 are the minimum elements in their respective cycles. The rows indexed by row 1 and row 2 are the leading rows and the columns indexed by col 1 and col 2 are the leading columns. To verify that (C, θ) generates a Latin square, it is sufficient to check that there would be no clashes in the leading rows and columns; if there were a clash in a non-leading row or column, the action of θ would imply one of the leading rows or columns also contains a clash.
Algorithm 2 describes how we can check the leading rows and columns for clashes without generating the whole Latin square. We can perform this in (worst case) time O(n 2 log n): for each entry we compute the entry in its orbit in row row 1 or row 2 and column col 1 or col 2 , and check that no clash arises with earlier inspected entries. Thus we check equality (requiring time O(log n)) of 4 n 2 = O(n 2 ) pairs of entries. Algorithm 2 Verify that a contour C and suitable autotopism θ generate a Latin square.

Critical set scheme
Cooper et al. [10] proposed a secret sharing scheme based on critical sets of Latin squares. Related secret sharing schemes were proposed in [5,6,13,19] which use other combinatorial objects.
A Latin square L = (l i, j ) is described as a completion of the partial Latin square P = ( p i, j ) if, for all i, j ∈ Z n , either p i, j = l i, j or p i, j is undefined. A critical set of a Latin square L is a partial Latin square P that has a unique completion L, and any partial Latin square P with O(P ) O(P) admits more than one completion. Figure 3 gives an example of a critical set (sourced from [10]).
In [10], the secret is a Latin square L of order n. A critical set S is found, and split into l shares (each of cardinality less than |S|) and one share is given to each of the l participants.
The key idea is that without full knowledge of S, that is, without the cooperation of every participant, we cannot uniquely recover the Latin square L (since any proper subset of S admits multiple completions). There have been several issues raised with this secret sharing scheme, which we list and expand upon below: Why a Latin square? There have been many proposed secret sharing schemes using a variety of combinatorial objects as secrets [22]; why would we want a secret Latin square? The number of Latin squares grows rapidly [17,23] and they have some useful redundancy, but so do many other combinatorial objects.
Verification If the participants cooperate and recover a Latin square X , how can they be sure that X = L, the secret Latin square? It may be that one or more of the returned shares is erroneous due to e.g. transmission error or deceit.

Initialization and reconstruction complexity
Typically, it is difficult to find a critical set C, and given a critical set C, it is difficult to find the completion of C [8] (determining if a partial Latin square admits a completion is NP-complete [9]). A possible workaround for this issue is restricting to certain classes of Latin squares where working with their critical sets is significantly easier [11]. However, this also makes attacking the scheme easier.

Partial information
The shares reveal partial information about the secret Latin square to the participants.
A subtle "flaw" It was shown in [11] that it is possible that the critical set C could be discovered if a large proportion of the participants collude (see also [16]). Worse still, it is conceivable that if enough participants collude, then they could deceive the remaining participant(s) into believing a false message (such a tactic was raised in [27] regarding Shamir's secret sharing scheme).
Additionally, a proper subset of a critical set is assumed only to admit ≥ 2 completions. It may be possible to find a short list of completions that are consistent with a given collection of shares.
Multi-level scheme A multi-level version of the critical set scheme was also considered in [10]. In it, several critical sets are instead distributed to the participants in such a way that some prescribed subsets of the l participants could jointly access some critical set of L without the cooperation of the remaining participants. However, implementing this generalized scheme would require careful selection of the Latin square L, its critical sets, and how the critical sets are partitioned.

Variations on the critical set scheme
Attempts have been made at modifying the critical set scheme to overcome (some of) these problems.
Chum and Zhang [8] (see also [7]) presented a scheme where cryptographic hash values can be pooled to recover a secret via a so-called Nostradamus attack; they describe the application of this method to a secret 10 × 10 partial Latin square with a unique completion.
Fitina and Lal [12] instead attempt to overcome some of these problems by using "transformed" critical sets. A related idea of transforming critical sets was mentioned in [8] involving a modification of a technique of Chaudhry et al. [6] to Latin squares: simply make the sum of the shares be equal to the critical set.

An earlier autotopism scheme
A secret sharing scheme involving Latin square autotopisms was briefly mentioned by Ganfornina [15] (see also [14]). However, implementation, complexity, and security of this scheme were not analyzed. Moreover, the method we propose differs in two key aspects: (a) Instead of having a secret Latin square that admits an autotopism, we have a secret autotopism (and we use the Latin square for verification). (b) We enforce particular cycle structures for the autotopism; this allows a concrete theoretical analysis.

The proposed secret sharing scheme 2.1 Initialization
We begin in the initialization phase, illustrated in Fig. 4. A dealer (who will be a certified authority) constructs a random contour C for a random suitable isotopism θ for which (C, θ) generate a Latin square L. The dealer then generates l isotopisms σ 1 , σ 2 , . . . , σ l uniformly at random such that their product is θ ; these isotopisms are the shares. The dealer also computes ξ := σ l σ l−1 · · · σ 1 and makes public C public = ξ(C). Afterwards, the dealer retains no knowledge.
We propose performing this using a four-step protocol. We will consider Latin squares that admit suitable autotopisms which requires n to be even. However, we will further require n ≡ 2 (mod 4) for the proposed construction to work. 1 Note that at no point do we actually need to construct a whole Latin square, as they will be determined by a contour and an autotopism. However, for the readers' sake, we include the Latin squares in our description.
This process is illustrated in an example below.
In many cases, finding a Latin square that admits a given autotopism is difficult, particularly when n is large. Moreover, often an arbitrary isotopism is not an autotopism of any Latin square of order n [26]. This motivates our choice to use the specific cycle structure.
Step 2: Randomly generate contour and autotopism We randomly generate an isotopism ϕ. If L prior is a Latin square that admits the autotopism ζ , then L := ϕ(L prior ) admits the autotopism θ := ϕζ ϕ −1 . We compute the contour C := ϕ(C prior ) of L by applying the isotopism ϕ to C prior . Moreover, θ is conjugate to ζ , so each component has the same cycle structure (that is, two (n/2)-cycles) [3, p. 25].
For security, we check if θ = ξ . If this occurs, we restart the initialization from scratch.
Share distribution After the completion of all Steps 1-4, the i-th isotopism σ i is given to the i-th participant, and we make public C public = ξ(C).
We're not obligated to make C public public; for increased security, we could instead e.g. split it into l parts and add these parts to the shares.

Recovery
When all l participants decide to cooperate, we enter the reconstruction phase. The l participants securely send the sharesσ 1 ,σ 2 , . . . ,σ l to a combiner. The shares may or may not be returned correctly: if share i is correctly sent, we haveσ i = σ i .
-If L cand is not a Latin square, then we return fail. Otherwise θ cand is revealed to the participants.
Afterwards, the dealer retains no knowledge. It will be assumed that θ cand = θ if (C, θ cand ) generates a Latin square. In Sect. 3.2, we will analyze the chance of this happening without θ cand = θ , along with other security matters.

Overhead
There are some potential bottlenecks with this scheme: (a) number of memory accesses, (b) number of transfers and transfer size, and (c) random number generation.
Our unit of time complexity will be a memory read/write; we separate random number generation from this calculation. We note that both isotopism multiplication and inversion can be performed in time 3n. Acting on a contour with an isotopism can be performed by acting entry-by-entry, requiring time 6n in total.

Initialization
We describe the computational complexity of the initialization phase in Table 1. Here RN 1 refers to the number of binary random numbers required and RN 2 refers to the number of random numbers in {0, 1, . . . , n/2 − 1} required. 2 We detail how Table 1 comes about below.
To generate C prior , we need to generate n/2 random binary numbers to determine d (n/2−1−i)i for i ∈ {0, 1, . . . , n/2 − 1}, and 2n random numbers in {0, 1, . . . , n/2 − 1} to determine which entry in each orbit is retained. To calculate the entries in C prior , we will need to add 6n pairs of numbers modulo n/2. However, addition of these numbers will always result in a number in {0, 1, . . . , n/2 − 1}, so we need only subtract n/2 in some cases, individually requiring time O(log n). This requires O(n log n) time in total.
Thus, we require O(ln) random numbers and O(ln + n log n) time in the initialization phase. There are 3n numbers from Z n transferred to each participant (the shares), and 6n numbers from Z n are made public (C public ).
In comparison with [10], in the proposed scheme, the length of each share σ i is linear in n, whereas the size of the smallest critical sets in Latin squares of order n is conjectured to be n 2 /4 = (n 2 ) (see e.g. [4]). The computational complexity of generating critical sets that could be used in a secret sharing scheme is unclear.

Recovery
In the reconstruction phase, the participants transfer σ 1 , σ 2 , . . . , σ l to a certified authority: so 3n numbers from Z n are transferred. The contour C public is retrieved, comprising 6n numbers from Z n .
The shares are then multiplied together to find θ and ξ , requiring time 6n(l − 1). We compute ξ −1 in time 3n. We compute C = ξ −1 (C public ) in time 6n. We verify that L cand is a Latin square using Algorithm 2, which requires time O(n 2 log n).
Thus we take time O(ln + n 2 log n) in the recovery phase.

Remark about practical computation
We remark that the operations required to implement this scheme are simple (mostly random number generation, modular arithmetic, and table lookups). Moreover, the modular additions can be performed as a conditioned regular addition; e.g. typically we want to compute a (mod n/2) where a ∈ {0, 1, . . . , n − 1}, so, if a ≥ n/2, then we replace a with a − n/2, and no change is required otherwise.

Security
Collusion Each σ i is a random isotopism (distributed uniformly at random from S n ×S n ×S n ); knowledge of fewer than all l isotopisms σ i is of no more use in recovering θ or C than is a random suitable isotopism. No partial information about the secret θ is revealed.
Brute-force attack An attacker could attempt to crack the scheme by brute force, e.g., by computing all Latin squares that admit the autotopism ζ , and testing all isotopic Latin squares for correctness. The number of Latin squares that admit the autotopism ζ was computed in [25] in small cases, given in Table 2. The number of suitable isotopisms is (2(n − 1)!/n) 3 (see "Number of suitable isotopisms" in Appendix), which we also include in Table 2. These numbers grow very rapidly, so a brute force attack, even for n = 10, seems prohibitively expensive. Attack by finding a completion of C public If an attacker managed to find L, they could compute its autotopism group using the method in [18], and find the secret θ . So we need to ensure C public cannot be used to find L.
Assuming an attacker managed to find a completion of C public , this would at most give the attacker knowledge of the isotopism class containing L. If the attacker attempted to randomly guess L from knowledge of M, their probability of being correct is 1/is(L); a lower bound on is(L) is listed in Table 2 (see "Autotopism group and isotopism class sizes" in Appendix). This probability is prohibitively small, even for n = 10.
Partial information about L Since the isotopisms σ i are random, they provide no information about L. The public contour C public might give some information about the isotopism class that L belongs to (such as the existence of subsquares), but as we just noted, even full knowledge of the isotopism class is of limited use. This is a benefit to the schemes proposed in [10,15] (if left unmodified) which give away partial information about the secret.
Attack by replacing shares One or several participants might return incorrect shares. Typically this would result in the scheme returning fail during the reconstruction phase. If it didn't, it would require that θ cand be a suitable isotopism, and that the generated matrix L cand is a Latin square. If this happens to occur, then the isotopism θ cand = θ is returned.
If used as a method of attack, it would be particularly dangerous e.g. in the case of a malicious first or last participant, since, if it succeeds, they could use θ cand to recover θ . For example, ifσ 1 was the only erroneous share returned, then θ = σ 1σ1 −1 θ cand , so participant 1 could recover the real secret, while the remaining participants believe a false secret. We argue that this attack is unlikely to succeed. Specifically, the ability of the combiner to check whether or not θ cand is correct (by checking that L cand is a Latin square) effectively prevents this kind of attack, and is a key reason for the proposed Latin square autotopism scheme (instead of, say, a simpler scheme were participants are assigned random permutations whose product is the secret). Obstacle 1 If participant i returns the shareσ i chosen uniformly at random from those whose components are even permutations, we have Pr[θ cand suitable |σ i returned] = 64 n 6 (see "Probability of suitability" in Appendix for the details). Obstacle 2 Let p denote the probability of a successful attack assuming Obstacle 1 is overcome, where C is distributed according to the scheme and θ cand is distributed uniformly at random from the set of all suitable isotopisms. We have the lower bound p ≥ n 6 ϕ(n/2) 8n! 3 (1) where ϕ is the Euler phi function, since the right-hand side is the probability of θ cand = θ t for t coprime to n/2. We expect (1) to be not too far away from the correct p-value. 3 Such small probabilities are difficult to estimate empirically, so we give estimates for p only for n ∈ {6, 10}, as given in Table 3. The experimental details are given in "Probability (C, θ cand ) generates a Latin square, when θ cand is random" in Appendix.
For sensibly chosen n, this attack will likely require millions of repeated attempts, each of which requiring all participants to return their shares for reconstruction.
Initialization with θ = ξ There is a chance that θ = ξ , i.e., σ 1 σ 2 · · · σ l = σ l σ l−1 · · · σ 1 , which could conceivably be of use to an attacker. To avoid this, if θ = ξ occurs we restart from scratch. The probability of this occurring for l = 2 is small: e.g. 3×10 −5 for n = 6, and 2 × 10 −14 for n = 10 (see "Random isotopisms commuting" in Appendix for the details). Experiments suggest this is close to the probability of θ = ξ for larger l, as we would expect. This ensures that we won't need a large number of restarts in the initialization phase.

Multi-level scheme
In a multi-level secret sharing scheme, we have a family of subsets of the participants {P j } k j=1 , say, where if the participants in any P j pool their shares, they can recover the secret. A common example is a threshold scheme, where the family would consist of all t-subsets of the participants.
Generalizing the proposed secret sharing scheme to a multi-level scheme is straightforward and can be performed "on the fly", i.e., without changing the secret and restarting the entire scheme. If the participants belonging to P j for some j ∈ {1, 2, . . . , k − 1} decide to extend the scheme to include P k , then they securely transmit the shares to a certified authority, who reconstructs θ and performs Step 3 again: generating the shares σ (k) |P j | , and distributes them to the participants in P k accordingly. Afterwards, the certified authority retains no knowledge. This is a significant advantage over the Latin square schemes of [10,15], which (a) are not naturally extensible to multi-level schemes, (b) give partial information about the secret, and hence more shares imply a larger proportion of the secret is revealed, and (c) would not be able to be performed on the fly (the participants would need to restart from scratch).
One benefit of a multi-level scheme is as a safeguard against lost shares. In a single-level scheme, a lost share would mean the secret is irretrievable, whereas in a multi-level scheme, if a share is lost, some other group of participants can still recover the secret (or a certified authority could regenerate new shares for the group that has lost a share).

Concluding remarks
We present a Latin square autotopism-based secret sharing scheme which resolves a multitude of issues arising in previous proposed Latin square secret sharing schemes. These problems are overcome primarily by having a secret autotopism (symmetry), rather than a secret Latin square. Motivated by the significant criticism Latin square secret sharing schemes have received in the past, we perform a careful analysis of the proposed scheme, in terms of both complexity and security.
This work further demonstrates that Latin squares can be useful for designing practical secret sharing schemes, and could provide a practical alternative to established schemes. The proposed scheme also has a substantial benefit over traditional schemes: verification, i.e., the participants can be sure the returned secret is indeed the correct secret.
One future direction this research could take is to look for ways of identifying which shares are incorrect, in the situation that incorrect shares are returned. One method would be to make public cryptographic hash function value of the shares, although this (a) seems to be "overkill" for the problem at hand, and (b) could be used for any secret sharing scheme. Another possibility is encoding random entries of the Latin square L into the shares, however this opens up new possible security vulnerabilities.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Autotopism group and isotopism class sizes
By the Orbit-Stabilizer Theorem, we know the size of the isotopism class of the Latin square L is given by is(L) = n! 3 /aut(L), where aut(L) is the size of the autotopism group of L. The maximum size of aut(L) in any order-n Latin square is n 2+ log 2 n [2], which enables us to give a lower bound on is(L).

Probability of suitability
We know that permutations with the cycle structure (n/2) + (n/2) are even permutations. Of the n!/2 even permutations, precisely 2(n − 1)!/n have the cycle structure (n/2) + (n/2). Thus, if we pick an isotopism uniformly at random from A n × A n × A n (where A n is the alternating group), it has probability 2(n − 1)!/n n!/2 3 = 64/n 6 of being suitable. since θ cand and ϕ −1 θ cand ϕ are equal in distribution. This was used to simplify method used in the simulations. For n = 6, we generate 10 9 pairs (C prior , β), for random suitable autotopism β, and find 43409 generate a Latin square. The upper bound on the Wald confidence interval is 4.5×10 −5 with 99.995 % confidence. For n = 10, we made N := 3.6 × 10 11 samples, and no Latin square was generated this way. Using a modified "rule of three" [28], we can be 99.995 % confident that p ≤ 7.6/N ≈ 2 × 10 −11 .

Random isotopisms commuting
The probability that two random isotopisms with components that are even permutations commute is (2 p n /n!) 3 , where p n is the number of partitions of n. This is a special case of a general result in group theory: the probability of two random finite group elements commuting is the number of conjugacy classes divided by the size of the group).

One contour generating two Latin squares
It is possible that a contour C generates a Latin square under the action of two isotopisms: Fig. 5 gives an example. This example swaps a pair of columns which don't intersect the contour; in this way we can generate larger examples.