Generalized threshold secret sharing and finite geometry

In the history of secret sharing schemes many constructions are based on geometric objects. In this paper we investigate generalizations of threshold schemes and related finite geometric structures. In particular, we analyse compartmented and hierarchical schemes, and deduce some more general results, especially bounds for special arcs and novel constructions for conjunctive 2-level and 3-level hierarchical schemes.

users can use infinite computational power. As a consequence of this, the efficiency of a scheme can be measured by the amount of information the participants have to maintain per secret bit, i.e. the size of the shares relative to the size of the secret. It is easy to see that, in the optimal setting, every share has the same size as the secret itself. These are the so-called ideal secret sharing schemes.
Secret sharing was first introduced independently by Blakley [3] and Shamir [14] in 1979. Both papers presented perfect t-threshold schemes, in which every t-element subset of the n participants is qualified, but none of the (t − 1)-element subsets is. Let us recall the main ideas of the constructions:

Example 1 (Blakley [3]) Let V be a t-dimensional vector space over a finite field. Choose a point R ∈ V uniformly at random and let the secret be the first coordinate of R. The shares are the hyperplanes of V containing R, defined by their normal vectors. The normal vectors chosen for the participants must satisfy certain properties to make this a perfect secret sharing scheme.

Example 2 (Shamir [14]) Let the participants be indexed by the non-zero elements of a finite field F and let p be a polynomial of degree at most t − 1 over F chosen uniformly at random. The share of participant i is p(i) and the secret is the constant term of p(x), i.e. p(0).

Note that the second example is a special case of the first, as the polynomials of degree at most t − 1 form a vector space of dimension t and the polynomials p for which $p(i) = s_i$ for some fixed i and $s_i$ form a hyperplane. On the other hand, all shares and the secret are vectors from the same vector space, hence the above constructions are ideal schemes as well.
In this work we are dealing with some generalizations of the t-threshold schemes called multilevel schemes, where the users are partitioned into subsets (i.e. the levels) such that within every level the users are equal from the scheme point of view. Simple examples are department members in a committee or different levels of hierarchy in a company. These generalizations have several applications, like sharing a key to a central vault in a bank, triggering mechanisms of nuclear weapons, key escrow or building blocks in sophisticated crypto-systems, e.g. advanced access control mechanisms, like attribute-based encryption or secure multiparty computation.

Preliminaries
Let P be a finite set of participants and let a special participant D ∉ P be called the dealer. The access structure is a monotone subset of sets, more precisely: The set of minimal elements of the access structure is denoted by $A^*$. Note that every access structure can be defined by its minimal elements only, as a consequence of the monotonic property. If only $A^*$ is specified, then the access structure is the set of all sets containing a minimal element. The precise definition of secret sharing schemes uses random variables and independence:

Definition 2 A perfect secret sharing scheme realizing A is a set of random variables $\xi_i$ for every i ∈ P and furthermore $\xi_D$, with

In this paper we use the constructive model of secret sharing introduced by Brickell and Stinson [6]. Let S be the set of possible secrets and let $S_i$ be the set of possible shares of participant i for all i ∈ P. We assume that the secret s and the shares $s_i$ are chosen from finite sets S and $S_i$, respectively, hence they can be represented as bit-strings of length $\log_2 |S|$ and $\log_2 |S_i|$. A perfect secret sharing scheme is ideal if all the shares and the secret are chosen from domains of the same size, i.e. $\log_2 |S| = \log_2 |S_i|$ for every i ∈ P.
Perfect secret sharing schemes can be described by a collection of distribution methods describing the generation of the secrets and the respective shares.
Let F denote the set of all possible distribution methods from {D} ∪ P to $S \cup \bigcup_{i \in P} S_i$ and $F_s = \{ f \in F : f(D) = s \}$ for every s ∈ S. As a first step of the generation process, the dealer chooses a secret s ∈ S uniformly at random. Next, the dealer chooses a distribution method $f \in F_s$ uniformly at random as well and uses this method for generating the shares. Apart from that, the dealer does not participate in any communication or computation.
Finally, let us recall the simplest case of the linear algebraic construction by Blakley and Kabatianskii [4]. Let us assume that the dealer and the participants are assigned vectors $d, v_i \in \mathbb{F}_q^k$ for i ∈ P. In a (one-dimensional) linear secret sharing generated by $G = (d, v_1, \ldots, v_{|P|})$ the dealer chooses $e \in \mathbb{F}_q^k$ uniformly at random; the secret is the inner product of the vectors e and d, and the share of participant i is the inner product of the vectors e and $v_i$. Note that although more general linear constructions are proposed in [4] and [20], we will use only the following rather simple and useful result:

1. ∀X ∈ A the vector d is a linear combination of the vectors $v_x$, x ∈ X;
2. ∀Y ∉ A the vector d is disjoint from the subspace generated by the vectors $v_y$, y ∈ Y.

Related work
Multilevel secret sharing is one straightforward generalization of t-threshold schemes, where, apart from some threshold value(s), the set of participants is partitioned into smaller disjoint subsets (called groups or levels) such that the users within any given level are equivalent from the secret sharing point of view. We are focusing on two special cases, namely on compartmented access structures with upper bounds and on hierarchical threshold access structures.
In the original presentation of compartmented access structures the goal is to guarantee some proportion of members from every department. More precisely, let $P = \bigcup_{i=1}^{m} G_i$, let t be the threshold and let $l_1, \ldots, l_m \in \mathbb{N}$ be the lower bounds with $t \ge \sum_{i=1}^{m} l_i$, and the minimal elements of the access structure are the following

This version, called compartmented access structures with lower bounds, was introduced by Brickell [5]; see [9,18,21] for interpolation constructions.
In compartmented access structures with upper bounds the goal is to avoid a given percentage of members from all (disjoint) groups in qualified subsets. More precisely, let $P = \bigcup_{i=1}^{m} G_i$ and let $t \in \mathbb{N}$, $t_i \in \mathbb{N}$, $i = 1, \ldots, m$ be thresholds with $t \le \sum_{i=1}^{m} t_i$. Then the minimal elements in the access structure are the following:

This problem seems a bit counter-intuitive at first sight; such a situation can occur if the size of a qualified subset has to exceed some threshold, but we would like to limit the number of participants representing each compartment. This problem was introduced by Tassa and Dyn [18], and the authors proposed a general solution based on bivariate interpolation techniques. Fuji-Hara and Miao [8] considered the special case $t_1 = \cdots = t_m = t - 1$ (i.e. when there are no qualified subsets from one single group) in a slightly different interpretation (the authors refer to this case as the parallel model) for a fixed small threshold (i.e. t = 3) only. We extend their result in Sect. 2 and show the limits of this method as well.
In hierarchical threshold access structures with m disjoint levels, let $P = \bigcup_{i=1}^{m} L_i$ and let $t_1 < t_2 < \cdots < t_m$ be a sequence of thresholds. There are two main variants of generalized threshold schemes based on the logical relation between the conditions.
In conjunctive $(t_1, \ldots, t_m)$-hierarchical schemes the access structure is the following:

In disjunctive $(t_1, \ldots, t_m)$-hierarchical schemes the access structure is the following:

In the conjunctive case there are only a few general solutions, based on interpolation by Tassa [17], Tassa and Dyn [18], Shima and Doi [15] and on MDS codes by Tentu et al. [19]. Furthermore, there are some constructions for special cases of two levels, like a (1, 3)-scheme by Fuji-Hara and Miao [8].
In the disjunctive case there are significantly more constructions, some of them based on finite geometry arguments, see [2,11-13]. Farràs and Padró [7] give a characterization of ideal hierarchical schemes using matroid theory.
Within this paper we give some constructions for special cases of compartmented access structures in Sect. 2. Note that the resulting geometric constructions are interesting on their own. Next, we suggest an ideal construction for a 2-level conjunctive (1, n + 1)-hierarchical scheme in Sect. 3.2. Furthermore, we present a novel 3-level conjunctive (1, 2, n + 1) scheme using finite geometry constructions in Sect. 3.3. Apart from the general constructions [15,17-19] on arbitrary levels, this is the first ideal conjunctive scheme on 3 levels. Note that none of the above general methods yields our geometric construction.
The proposed construction has no restrictions on the related finite field in contrast with the scheme of Tassa [17] working over fields of characteristic larger than 2, and the scheme of Shima and Doi [15] working only over fields of characteristic 2. Furthermore, the proposed constructions are unconditionally perfect in contrast with the solution of Tentu et al. [19] which is probabilistic in the sense that a non-qualified subset can compute the secret with negligible probability. The proposed scheme also improves the lower bound on the size of the underlying field in the case of 2 or 3 levels. Last, but not least, the constructions in Sects. 3.2 and 3.3 are the first for conjunctive hierarchical schemes based on finite geometry arguments.

Compartmented access structures
In this section we use the notion of arc in a projective space PG(n, q): it is a set of points with no subset of (n + 1) points lying in a hyperplane. We will denote the maximum cardinality of an arc in PG(n, q) by M(n, q). It is known that q + 9 4 and q odd; (iv) it is generally conjectured that M(n, q) = q + 1 for 2 < n < q − 2.
Note that (ii) and (iii) can be found in Ball and De Beule [1], while (iv) is the famous MDS-conjecture by B. Segre.

Bounds for pencil arcs-bounds for |P|
Let PG(n, q) denote the projective space of dimension n over the finite field $\mathbb{F}_q$. $\Pi_r$ will be the shorthand for a projective subspace of dimension r. A pencil in $\Pi_r$ is the set of the ) is a k-arc if any subset of size n + 1 is independent. Note that if n = 1 it means that in PG(1, q) any set of points is an arc. The following configuration, defined in [8], is the key to our constructions:

Definition 4 Let $\Psi_0, \ldots, \Psi_q$ be a pencil through some $\Pi_{n-2}$ in PG(n, q). A pencil arc (k-parc) K is a set of k points in PG(n, q) satisfying the following conditions:

We note that Fuji-Hara and Miao showed that if there is a k-parc in PG(t − 1, q) as above, with $k = k_0 + k_1 + \cdots + k_m$ points, $k_i \ge 1$ for $0 \le i \le m$ and $k_0 = \min\{k_i\}$, then there exists an ideal secret sharing scheme realizing the compartmented access structure with upper bounds $t_1 = \cdots = t_m = t - 1$ on $|P| = k - k_0$ participants, where m is the number of groups and $k_{m+1} = \cdots = k_q = 0$.
In [8] it was proved that in PG(2, q), a k-parc is of size at most k ≤ 2q. We extend this result to higher dimensions.

Proof (i) We recall that within a line PG(1, q), any point set is an arc (so a pencil line is allowed to contain any number of points). Let be any line of the pencil with Then on any further line through a fixed P ∈ ∩ K, there is at most one point of K, hence k ≤ h + q ≤ 2q. In case of k = 2q, | ∩ K| = q for any pencil line containing at least one point of K. (ii) If n ≥ 3 then choose a point P ∈ K from a pencil-hyperplane $H_0$ and project K\{P} onto another pencil-hyperplane $H_1$. Note that the projection is one-to-one and so the image K is a (k − 1)-arc in $H_1$.
Note Though the above constructions are rather interesting from a geometric point of view, there is a technical consequence for the resulting secret sharing scheme, namely a necessary condition on the number of participants: for every ideal compartmented scheme with upper bounds $t_1 = \cdots = t_m = t - 1$ arising from a parc, $|P| \le 2q - k_0$ if t = 3 and $|P| \le M(n - 1, q) + 1 - k_0$ if t = n + 1 ≥ 4.

Generalization of the Baer construction
In their paper [8], Fuji-Hara and Miao gave a construction based on Baer subplanes for 2-dimensional pencil arcs. We extend their constructions in two ways.

Parcs from planar arcs
Consider a projective plane PG(2, $q^h$) = AG(2, $q^h$)∪( ∞ ). Let us identify AG(2, $q^h$) ∼ X × Y, where X ∼ $\mathbb{F}_q^h$ and Y ∼ $\mathbb{F}_q^h$ are the horizontal and the vertical axes. We call the translates of the first factor (horizontal axis) "the horizontal lines" 0 , . . . , q h −1 , which, together with ∞ , form "the" pencil with center P.
Let $L_1$ be an (h − 1)-dimensional q-subspace of the horizontal axis, i.e. $X = L_0 \times L_1$ for some 1-dimensional q-vector space $L_0 \subset X$, without loss of generality $L_0 = \mathbb{F}_q$. Let $L_2$ be a 1-dimensional q-subspace of the vertical axis Y, again without loss of generality $L_2 = \mathbb{F}_q$. Finally, suppose without loss of generality that 0 , . . . , q−1 happen to be those pencil lines that intersect $L_2$.
We remark that in the original construction, based on Baer subplanes, we have h = 2, so $L_0$, $L_1$ and $L_2$ are all isomorphic to $\mathbb{F}_q$.
We remark that in the Baer subplane construction, i.e. when h = 2, we have $A_0 = \mathbb{F}_q \times \mathbb{F}_q$, an affine Baer subplane.
Observe that K consists of |S| 'line segments', each contained in one of the pencil lines i and of size $|L_1| = q^{h-1}$. We claim that K is a pencil arc (of size $|S| q^{h-1}$). To verify this we have to prove that no three distinct points $(a_j + \lambda_j, y_j)$, j = 1, 2, 3 can be collinear if they are not contained in the same pencil line, i.e. their second coordinates are not all equal. If already two of them have equal values $y_i$ then we are done (either the third $y_j$ is different and hence it is not on the same horizontal line $Y = y_i$, so not all three are collinear, or the third $y_i$ is the same and then they are on a pencil line). Finally, if their corresponding arc points are pairwise different:

Consider the last two terms: the first one takes its value from $L_1$ while the second one from $L_0 = \mathbb{F}_q$. As $L_0 \cap L_1 = \{0\}$ and the last one is nonzero because of the arc property, this sum cannot be zero.
It is well known that there exist (many) arcs of size q + 1 in AG(2, q) for q odd and arcs of size q + 2 in AG(2, q) for q even. Hence we gain (many) k-parcs with $k = q^h + q^{h-1}$ in planes of odd order $q^h$, and k-parcs with $k = q^h + 2q^{h-1}$ in planes of even order $q^h$.

Parcs from caps
Let $L_1$ be an (h − s)-dimensional $\mathbb{F}_q$-subspace of the horizontal axis, i.e. $X = L_0 \times L_1$ for some s-dimensional $\mathbb{F}_q$-vector space $L_0 \subset X$. Let $L_2$ be a 1-dimensional $\mathbb{F}_q$-subspace of the vertical axis Y; without loss of generality we may assume $L_2 = \mathbb{F}_q$. Suppose without loss of generality that 0 , . . . , q−1 happen to be the pencil lines that intersect $L_2$.
Consider the affine space AG(s + 1, q) ∼ $L_0 \times L_2$ and a cap S in it. (We recall that a cap is a pointset with no collinear triple of points.) Now define

Observe that K consists of |S| 'line segments', each contained in one of the pencil lines i and of size $|L_1| = q^{h-s}$. We claim that K is a pencil arc (of size $|S| q^{h-s}$). To verify this we have to prove that no three distinct points $(a_j + v_j, y_j)$, j = 1, 2, 3 can be collinear if they are not contained in the same pencil line, i.e. their second coordinates are not all equal. We can repeat the earlier argument that if already two of them have equal values $y_i$ then we are done (either the third $y_j$ is different and hence it is not on the same horizontal line $Y = y_i$, so not all three are collinear, or the third $y_i$ is the same and then they are on a pencil line). Finally, if their corresponding cap points are pairwise different:

Consider the last two terms: the first one takes its value from $L_1$ while the second one from $L_0$. As $L_0 \cap L_1 = \{0\}$ and the last one is nonzero because of the cap property, this sum cannot be zero and hence the three points cannot be collinear. There exist large caps in affine spaces but the constructions are not easy. Here, as an example, we remark that e.g. when h = 2 then we may choose a cap (in different ways) in AG(3, q) of size $q^2$, resulting in k-parcs with $k = q^3$.

Definition 5
Let Ψ be a hyperplane of PG(n, q), $K_1$ be a set of $k_1$ points in PG(n, q)\Ψ, and $K_2$ be a set of $k_2$ points in Ψ. A hierarchical arc in PG(n, q) is a set $K = K_1 \cup K_2$ of $k_1 + k_2$ points in PG(n, q), also called a $(k_1, k_2)$-harc, satisfying the following conditions: (3) Any n + 1 points of K not contained in the hyperplane Ψ are independent.
Fuji-Hara and Miao [8] showed that if there is a $(k_1, k_2)$-harc in PG(t − 1, q) with $k_1 \ge 2$ and $k_2 \ge 0$ then there exists an ideal conjunctive (1, t)-hierarchical scheme with $|P| = k_1 + k_2 - 1$. The authors also proved that in PG(2, q) the size of a $(k_1, k_2)$-harc is at most $k_1 + k_2 \le q + 2$. The following theorem extends this result to higher dimensions.

We need the notion of hyperfocused arcs: an affine pointset S ⊂ AG(2, q) is called a hyperfocused arc if it is an arc and its secants determine |S| − 1 directions (which is the least possible value). Note that (i) if a hyperoval has 2 points at infinity then its q affine points (determining q − 1 directions) form a hyperfocused arc; (ii) a single affine point (determining zero directions) forms a hyperfocused arc.
The term sharply focused set was introduced by Simmons for a k-set such that its secants determine k directions [16]. He investigated only finite projective planes of odd order, where the secants of a k-arc cannot determine fewer directions. Holder studied planes of even order, where there exist k-arcs such that the secants determine (k − 1) directions. Holder called them super sharply focused sets, and the term very sharply focused sets was also used in the literature. Later, Cherowitzo and Holder introduced the term hyperfocused arc for such arcs. There is a natural extension of the definition of hyperfocused arcs: a k-arc is called a generalized hyperfocused arc if there exist (k − 1) points (external to the arc) blocking each secant of the arc. For more details see [10].

Proof (i) If n = 2 then choose a point P ∈ $K_1$. Then on any line through P, there is at most one further point of K, hence k ≤ 1 + (q + 1). In case of equality, let us call the points of $K_2$ (and the line containing them) the points at infinity. Now the pointset $K_1$ does not determine the points ("directions") in $K_2$ and so the number of directions determined by $K_1$ is at most $q + 1 - k_2$ and at least $k_1 - 1$. As these two bounds are equal, $K_1$ determines exactly $k_1 - 1$ directions. This is the definition of hyperfocused arcs. (ii) If n ≥ 3 then choose a point P ∈ $K_1$ and project K\{P} onto another hyperplane $H_0$.
Note that the projection is one-to-one and so the image $K_0$ is a (k − 1)-arc in $H_0$.

A conjunctive (1, n + 1)-scheme (n ≥ 3)
Within this section we propose a new construction for a $(k_1, k_2)$-harc in PG(n, q). Though such a construction yields an ideal conjunctive (1, n + 1)-hierarchical scheme based on [8], we prove it directly as well. More precisely, the set P consists of 2 levels $L_1$, $L_2$. A valid subset should contain at least n + 1 elements from $L_1 \cup L_2$ and at least 1 element from $L_1$.
In PG(n, q) = AG(n, q) ∪ $H_\infty$ we will choose our sets as follows. Let
- $|L_1| = k_1 = c_1 q^{1/n}$ be a subset of an arc (e.g. a so-called normal rational curve) in AG(n, q) and
- $|L_2| = k_2 = c_2 q^{1/n}$ be a subset of an arc (e.g. a normal rational curve) in $H_\infty$;
- furthermore, a set $\mathcal{D}$ ⊂ AG(n, q) of size cq will be determined below, such that the dealer, i.e. a point D, will be chosen from $\mathcal{D}$.
We will calculate up to order of magnitude only. First we choose $L_1$. Then let L be the set of (at most $\binom{k_1}{n} = \frac{1}{n!} c_1^n q$) (n − 2)-dimensional subspaces in $H_\infty$ which are the intersection of $H_\infty$ and the hyperplanes determined by the n-tuples of $L_1$.
Now choose an arc C in $H_\infty$ in such a way that |C ∩ ( L)| is at most $\frac{1}{n!} c_1^n q$ and let

We would like to choose the points of $L_2$ one-by-one from $C_0$. We start with an arbitrary subset $\{P_1\} \subset C_0$. Then, if we already have $\{P_1, \ldots, P_v\}$, for any n-tuple of $L_1 \cup L_2$ containing at least 1 point from $L_1$ and at least 1 from $\{P_1, \ldots, P_v\}$, we remove the intersection points of the span of these n points with $C_0 \setminus \{P_1, \ldots, P_v\}$, so at most (n − 2) points. Let $d_2 = v/q^{1/n}$. This way we remove at most k 1 +v n! q points, so if it is less than $|C_0| - v$ then we can choose the next point $P_{v+1}$. So we can go on until i.e. we may choose roughly

Finally we can choose a set $\mathcal{D}$ ⊂ AG(n, q) in such a way that it contains no point from the union of hyperplanes spanned by n points of $L_1 \cup L_2$ but not all n from $L_2$.
For this we have to remove from AG(n, q) at most $\frac{(c_1 + c_2)^n - c_2^n}{n!} q^n$ points, so if it is significantly less than $q^n$ then there remain enough points from which we can choose our set $\mathcal{D}$. It is more convenient to find an affine line intersecting this pointset in at least $\left(1 - \frac{(c_1 + c_2)^n - c_2^n}{n!}\right) q$ points and choose from it our $\mathcal{D}$ of size cq. Now one can check easily that
- any n + 1 points of $L_1 \cup L_2$, at least 1 from $L_1$, generate the space;
- any n + 1 points from $L_2$ do not generate the space.
We constructed $\mathcal{D}$ in such a way that (1) the minimal eligible sets generate the whole space, hence adding a point D ∈ $\mathcal{D}$ to any eligible set does not increase its rank; while (2) the non-eligible sets from $L_1 \cup L_2$ span subspaces disjoint from $\mathcal{D}$.
These properties, together with Theorem 1 yield that the construction realizes a conjunctive (1, n + 1)-scheme.
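
The linear scheme recalled in the Preliminaries (secret ⟨e, d⟩, shares ⟨e, v_i⟩, a set being qualified exactly when d lies in the span of its vectors) and the one-by-one selection of this section can be checked on a small instance. The following Python code is an added example, not code from the paper: it assumes the prime field with q = 101, n = 3, curve points (1, t, t², t³) and (0, 1, s, s²), and hypothetical function names, and it replaces the order-of-magnitude counting by an exhaustive test over all subsets of participants.

```python
import itertools
import secrets

Q = 101   # field size: a prime (assumption), so F_q is the integers mod Q
N = 3     # dimension n of PG(n, q); all vectors live in F_q^(n+1)

def rref(rows):
    """Reduced row echelon form over F_Q; returns (matrix, pivot columns)."""
    m, piv = [list(r) for r in rows], []
    for c in range(len(m[0]) if m else 0):
        r = len(piv)
        p = next((i for i in range(r, len(m)) if m[i][c] % Q), None)
        if p is None:
            continue
        m[r], m[p] = m[p], m[r]
        inv = pow(m[r][c], -1, Q)
        m[r] = [x * inv % Q for x in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                m[i] = [(x - m[i][c] * y) % Q for x, y in zip(m[i], m[r])]
        piv.append(c)
    return m, piv

def combination(d, vecs):
    """Coefficients {x: lam} with sum lam * vecs[x] = d, or None if d is outside the span."""
    cols = list(vecs) + [d]
    m, piv = rref([[v[j] for v in cols] for j in range(N + 1)])
    if len(vecs) in piv:              # pivot in the augmented column: no solution
        return None
    return {c: m[r][-1] for r, c in enumerate(piv)}

def admissible(p, l1, l2):
    """True if p is on no hyperplane spanned by n chosen points that include a level-1 point."""
    pts = l1 + l2
    return all(len(rref([pts[i] for i in T] + [p])[1]) == N + 1
               for T in itertools.combinations(range(len(pts)), N)
               if min(T) < len(l1))

def build(k1, k2):
    """Greedy choice of L1 (affine curve points), L2 (points of H_inf) and a dealer point d."""
    l1, l2 = [tuple(pow(t, j, Q) for j in range(N + 1)) for t in range(k1)], []
    for s in range(Q):                # candidates (0, 1, s, ..., s^(n-1)) on a curve in H_inf
        cand = (0,) + tuple(pow(s, j, Q) for j in range(N))
        if len(l2) < k2 and admissible(cand, l1, l2):
            l2.append(cand)
    for a in itertools.product(range(Q), repeat=N):   # dealer candidates: affine points
        if admissible((1,) + a, l1, l2):
            return l1, l2, (1,) + a

def realized(l1, l2, d):
    """All subsets X of participants (index tuples) with d in the span of their vectors."""
    pts = l1 + l2
    return {X for r in range(len(pts) + 1)
            for X in itertools.combinations(range(len(pts)), r)
            if combination(d, [pts[i] for i in X]) is not None}

def conjunctive(k1, k2):
    """Conjunctive (1, n+1) structure: at least n+1 users, at least one of them from level 1."""
    return {X for r in range(N + 1, k1 + k2 + 1)
            for X in itertools.combinations(range(k1 + k2), r) if min(X) < k1}

def deal(l1, l2, d):
    """Dealer picks e uniformly; secret = <e, d>, share of user i = <e, v_i>."""
    e = [secrets.randbelow(Q) for _ in range(N + 1)]
    dot = lambda v: sum(x * y for x, y in zip(e, v)) % Q
    return dot(d), [dot(v) for v in l1 + l2]

def recover(X, shares, l1, l2, d):
    """Secret from the shares of subset X, or None if X is not qualified."""
    lam = combination(d, [(l1 + l2)[i] for i in X])
    return None if lam is None else sum(c * shares[X[i]] for i, c in lam.items()) % Q

if __name__ == "__main__":
    l1, l2, d = build(3, 4)           # users 0-2 are level 1, users 3-6 are level 2
    print(realized(l1, l2, d) == conjunctive(3, 4))
    secret, shares = deal(l1, l2, d)
    print(recover((0, 3, 4, 5), shares, l1, l2, d) == secret, recover((3, 4, 5, 6), shares, l1, l2, d))
```

With three level-1 and four level-2 users, the four level-2 users together hold n + 1 shares yet recover nothing, because all their vectors lie in the hyperplane at infinity while the dealer's vector does not.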

A conjunctive (1, 2, n + 1)-scheme (n ≥ 3)
As a generalization of the above ideas, we construct a geometric scheme composed of 3 levels $L_1$, $L_2$, $L_3$. A valid subset should contain at least n + 1 elements from $L_1 \cup L_2 \cup L_3$, such that at least 2 elements are from $L_1 \cup L_2$ and at least 1 element from $L_1$.
In PG(n, q) = AG(n, q) ∪ $H_\infty$ we will choose our sets as follows. Let
- $|L_1| = k_1 = c_1 q^{1/n}$ be a subset of an arc (e.g. a so-called normal rational curve) in AG(n, q);
- $|L_2| = k_2 = c_2 q^{1/n}$ be a subset of an arc (e.g. a normal rational curve) in $H_\infty$ and
- $|L_3| = k_3 = c_3 q^{1/n}$ be a subset of an arc, e.g. a normal rational curve in H, which is an (n − 2)-dimensional subspace of $H_\infty$;
- furthermore, a set $\mathcal{D}$ ⊂ AG(n, q) of size $c_4 q$ will be determined below, such that the dealer, i.e. a point D, will be chosen from $\mathcal{D}$.
Similarly as above, we will calculate up to order of magnitude only. First we choose $L_1$. Then let B be the set of the at most $\binom{k_1}{2} = \frac{1}{2} c_1^2 q^{2/n}$ directions determined by the pairs from $L_1$ and L be the set of (at most $\binom{k_1}{n} = \frac{1}{n!} c_1^n q$) (n − 2)-dimensional subspaces in $H_\infty$ which are the intersection of $H_\infty$ and the hyperplanes determined by the n-tuples of $L_1$.
Now choose an arc C in $H_\infty$ in such a way that |C ∩ (B ∪ L)| is at most $\frac{1}{n!} c_1^n q$ and let

We would like to choose the points of $L_2$ one-by-one from $C_0$. We start with an arbitrary subset $\{P_1\} \subset C_0$. Then, if we already have $\{P_1, \ldots, P_v\}$, for any n-tuple of $L_1 \cup L_2$ containing at least 2 points from $L_1$ and at least 1 from $\{P_1, \ldots, P_v\}$, we remove the intersection points of the span of these n points with $C_0$. Let $d_2 = v/q^{1/n}$. This way we remove at most i.e. we may choose

Next, take an (n − 2)-dimensional subspace H ⊂ $H_\infty$ which is disjoint from B ∪ $L_2$, and remove from H the points in the intersection with the hyperplanes spanned by n points of $L_1 \cup L_2$ but not all n from $L_2$.
This way we remove at most $\frac{(c_1 + c_2)^n - c_2^n}{n!} q^{n-2}$ points, so if it is significantly less than $q^{n-2}$ then there exists a normal rational curve in H with at least $\frac{(c_1 + c_2)^n - c_2^n}{n!} q$ non-deleted points and $L_3$ can be chosen from it with cardinality $c_3 q^{1/n}$. (When n = 3, so H is a line, then by the "normal rational curve" we mean just the complete line H.) At this point we can choose a set $\mathcal{D}$ ⊂ AG(n, q) in such a way that it contains no point from the union of hyperplanes spanned by k points of $L_1 \cup L_2 \cup L_3$ but not all n from $L_2 \cup L_3$.
This way we remove at most $\frac{(c_1 + c_2 + c_3)^n - (c_2 + c_3)^n}{n!} q^n$ points, so if it is significantly less than $q^n$ then there remain enough points from which we can choose our set $\mathcal{D}$. It is more convenient to find an affine line intersecting this point set in at least $\left(1 - \frac{(c_1 + c_2 + c_3)^n - (c_2 + c_3)^n}{n!}\right) q$ points and choose from it our $\mathcal{D}$ of size $c_4 q$.
Note that with the suitable choice of the constants we have e.g. for $c_1 = c_2 = c_3 = c_4$:
n = 3: $c_1 = c_2 = c_3 = c_4 = 0.529$
n = 4: $c_1 = c_2 = c_3 = c_4 = 0.614$
etc.
Now one can check easily that
- any n points of $L_1 \cup L_2 \cup L_3$, at least 1 from $L_1$ and at least 2 from $L_1 \cup L_2$, generate the space;
- any 1 point from $L_1$ and n − 1 points from $L_3$ do not generate the space;
- any n points from $L_2 \cup L_3$ do not generate the space.
We constructed $\mathcal{D}$ in such a way that (1) the minimal eligible sets generate the whole space, hence adding a point D ∈ $\mathcal{D}$ to any eligible set does not increase its rank; while (2) the non-eligible sets span subspaces disjoint from $\mathcal{D}$.
These properties, together with Theorem 1 yield that the construction realizes a conjunctive (1, 2, n + 1)-scheme.
Note that this construction works if $q > cn^n$, yielding an $O(n^3)$ improvement in the size of the underlying field in contrast with the best known general result of Tassa and Dyn [18].

Summary
In this paper we have investigated various generalizations of threshold secret sharing schemes and related finite geometry constructions. In particular, we analysed compartmented and hierarchical models, and deduced some more general results. The proposed results are of two-fold interest. On one hand, we achieved geometric results by proving bounds for pencil and hierarchical arcs in higher dimensions and suggesting novel constructions for pencil arcs. On the other hand, we proposed novel secret sharing schemes by giving new constructions for ideal conjunctive (1, n + 1)- and (1, 2, n + 1)-hierarchical schemes using finite geometric arguments over finite Galois fields.