1 Introduction

In 1979, Shamir [30] and Blakley [11] presented a method for sharing a piece of secret information among n parties such that, for a threshold \(1<t<n\), any t parties can recover the secret while any \(t-1\) parties learn nothing about it. These methods are called (t, n)-threshold secret sharing schemes. This sharp threshold between secrecy and reconstruction is fundamental in applications where a group of mutually suspicious individuals with conflicting interests must cooperate. Indeed, threshold secret sharing schemes have found many applications in cryptography and distributed computing; see the extensive survey of Beimel [3] and the recent book of Cramer et al. [17].

Threshold secret sharing was generalized by Ito et al. [23] to allow more general structures of subsets to learn the secret, while keeping the secret perfectly hidden from all other subsets. The collection of qualified subsets is called an access structure.

A significant goal in secret sharing is to minimize the share size, namely, the amount of information distributed to the parties. Despite the long history of the subject, there are significant gaps between lower and upper bounds both for general access structures and for the special case of threshold structures.

Threshold Access Structures. For (t, n)-threshold access structures (denoted by \(\mathsf {THR}_{t}^{n}\)) and a 1-bit secret, Shamir [30] gave a very elegant and efficient scheme: the dealer picks a random polynomial of degree \(t-1\) conditioned on setting the free coefficient to be the secret, and gives the i-th party the evaluation of the polynomial at the point i. The computation is done over a field \(\mathbb F\) of size \(q>n\).

The correctness follows because one can recover the unique polynomial from any t points (and thus recover the secret). Security follows by a counting argument showing that given less than t points, all possibilities for the free coefficient are equally likely. The share of each party is an element in the field \(\mathbb F\) that can be represented using \(\log q\approx \log n\) bits (all our logarithms are base 2). The efficiency of this scheme makes it very attractive for applications.

A natural question to ask is whether \(\log {n}\)-bit shares are necessary for sharing a 1-bit secret for threshold access structures. Kilian and Nisan [25] showed that \(\log n\) bits are necessary when t is not too large. Specifically, they showed a \(\log (n-t+2)\) lower bound on share size for (t, n)-threshold schemes. For large values of t, especially those close to n, their bound does not rule out schemes with shares much shorter than \(\log n\) bits. In particular, their bound leaves open the possibility that \((n-1,n)\)-threshold schemes with two-bit shares exist.

Ramp schemes are a generalization of threshold schemes that allow for a gap between the secrecy and reconstruction parameters. In an (s, r, n)-ramp scheme, we require that any subset of at least r parties can recover the secret, while any subset of size at most s cannot learn anything about the secret. When \(r=s+1\), an (s, r, n)-ramp scheme is exactly an (r, n)-threshold scheme. Ramp schemes, defined by Blakley and Meadows [10], are useful for various applications (see e.g. [15, 27, 31]) since if \(r-s\) is large, they can sometimes be realized with shorter shares than standard threshold schemes (especially for long secrets).

Generalizing the lower bound of Kilian and Nisan, Cascudo et al. [14] showed that \(\log ((n-s+1)/(r-s))\)-bit shares are necessary to realize an (s, r, n)-ramp scheme. When \(s = n - O(1)\), however, their share size bound is a constant independent of n. Paterson and Stinson [29] showed that this bound is tight for specific small values of s.

General Access Structures. For most access structures, the best known secret sharing schemes require shares of size \(2^{O(n)}\) for sharing a 1-bit secret. Specifically, viewing the access structure as a Boolean indicator function for qualified subsets, the schemes of [9, 23, 24] result in shares of size proportional to the DNF/CNF size, monotone formula size, or monotone span program size of the function, respectively. Thus, even for many access structures that can be described by a small monotone uniform circuit, the best schemes have exponential size shares. On the other hand, the best known lower bound on share size for sharing an \(\ell \)-bit secret is \(\ell \cdot n/\log {n}\) bits, by Csirmaz [19] (improving on [13]).

Bridging the exponential gap between upper and lower bounds is the major open problem in the study of secret sharing schemes. While it is widely believed that the lower bound should be exponential (see e.g. [2, 3]), no major progress has been obtained in the last two decades. Moreover, even a non-explicit linear lower bound is not known, that is, it is not known whether there exists an access structure that requires linear-size shares.

1.1 Our Results

Share Size Lower Bound. We close the gap in share size for threshold secret sharing up to a small additive constant. We assume for simplicity that all parties are given equally long shares.

Theorem 1

For every \(n\in \mathbb {N}\) and \(1< t < n\), any (t, n)-threshold secret sharing scheme for a 1-bit secret requires shares of at least \(\log (t+1)\) bits.

The assumption \(1< t < n\) is necessary, as (1, n)-threshold and (n, n)-threshold secret sharing schemes with share size 1 do exist.

Our bound is tight when \(t = n - 1\) and n is a prime power; see Appendix A. By combining Theorem 1 with the lower bound of Kilian and Nisan, we determine the share size of threshold schemes up to a small additive constant. That is, we get that any such scheme requires shares of size

$$\begin{aligned} \max \{\log (n-t+2), \log (t+1)\} \ge \log \frac{n+3}{2}. \end{aligned}$$
(1)

Theorem 1 is a special case of the following theorem, which applies more generally to ramp schemes.

Theorem 2

For every \(n\in \mathbb {N}\) and \(1 \le s< r < n\), any (s, r, n)-ramp secret sharing scheme for a 1-bit secret requires shares of at least \(\log ((r + 1)/(r-s))\) bits.

By combining Theorem 2 with the lower bound of [14], we get that any (s, r, n)-ramp secret sharing scheme must have share size at least

$$\begin{aligned} \max \left\{ \log \frac{n-s+1}{r-s}, \log \frac{r + 1}{r - s}\right\} \ge \log \frac{n+r-s+2}{2\cdot (r-s)}. \end{aligned}$$
(2)

Proof Technique and Limitations. We prove our lower bounds by analyzing a new game-theoretic relaxation of secret sharing. Here, we focus on threshold schemes, although our argument also applies to ramp schemes.

Given an access structure \(\mathcal {A}\) and a real-valued parameter \(\theta > 0\) we consider the following zero-sum game \(G(\mathcal {A}, \theta )\): Alice and Bob pick sets A and B in the access structure \(\mathcal {A}\), respectively, and the payoff is \((-\theta )^{|A \setminus B|}\), where \(A \setminus B\) denotes set difference. We say Alice wins if she has a strategy with non-negative expected payoff, and Bob wins otherwise.

We show (in Lemma 2) that if Bob wins in the game \(G(\mathcal {A}, 1/(q-1))\), then no secret sharing scheme with share size \(\log q\) exists. We prove Theorem 2 by constructing such a strategy for Bob.

On the negative side, we show that our analysis is optimal for threshold access structures, so the lower bound in Theorem 1 is tight with respect to this method:

Theorem 3

For all \(1< t < n\) and \(0 < \theta \le 1/t\), Alice wins in the game \(G(\mathsf {THR}_{t}^{n}, \theta )\).

We also show that, for any total access structure \(\mathcal {A}\), this method cannot prove a lower bound exceeding \(\log |\min \mathcal {A}|\le \log \left( {\begin{array}{c}n\\ \lfloor n/2\rfloor \end{array}}\right) = n-\varOmega (\log {n})\), where \(\min \mathcal {A}=\{A\in \mathcal {A}:\forall B\in \mathcal {A}, B\not \subset A\}\) is the set of min-terms in \(\mathcal {A}\).

Theorem 4

For every access structure \(\mathcal {A}\) and every \(0 < \theta \le 1/(|\min \mathcal {A}| - 1)\) Alice wins in the game \(G(\mathcal {A}, \theta )\).

1.2 Related Work

Known Frameworks for Proving Lower Bounds. The method of Csirmaz [19] is one of the few previously known general frameworks for proving lower bounds on share size in various access structures. Csirmaz’s framework is a linear programming relaxation whose variables are the entropies of the joint distributions of the shares, one for each subset of the parties. Using several Shannon information inequalities, Csirmaz was able to prove an \(n/\log n\) lower bound on the entropy of shares (in a specific access structure) which, in turn, implies the same lower bound on share size (for a 1-bit secret).

We note that Csirmaz’s framework does not give any non-trivial lower bounds on share size for sharing a 1-bit secret for the threshold access structure. Indeed, Csirmaz’s method gives a lower bound on the information ratio of an access structure, namely on the ratio between the size of the shares and the size of the secret, and for threshold schemes this ratio is 1 (using Shamir’s scheme for a long enough secret; see Claim 5). Kilian and Nisan’s [25] proof is the only known argument for threshold schemes, and it does not seem to be useful for any other access structure, including the (t, n)-threshold access structures with t close to n.

Csirmaz [19] showed that his framework cannot be used to show a super-linear lower bound on share size for any access structure. This claim was strengthened by Beimel and Orlov [8] who showed that certain additional “non-Shannon type” information inequalities cannot bypass the linear share size barrier (see [28] for a follow-up).

Linear Schemes. A secret sharing scheme is linear if the reconstruction procedure is a linear function of the shares (over some abelian group). Most previously known schemes are linear (see [7, 12, 26] for exceptions), and super-polynomial lower bounds for linear schemes were given in [1, 6, 22] via their equivalence to monotone span programs [24]. In a very recent work, Cook et al. [16] gave the first exponential lower bound for linear secret sharing schemes by giving an exponential lower bound for monotone span programs.

For linear (2, n)-threshold secret sharing schemes for a 1-bit secret, a \(\log n\) lower bound on share size was proven by Karchmer and Wigderson [24]. This was generalized by Cramer et al. [18] (via a duality argument) to get a lower bound as in Eq. (1). For linear (s, r, n)-ramp secret sharing schemes, Cramer et al. obtained a lower bound as in Eq. (2). We emphasize that our lower bounds match the lower bounds of [18] but are not restricted to linear (ramp) secret sharing schemes.

2 Access Structures and Secret Sharing

Let \(\mathcal P\triangleq \{1,\dots ,n\}\) be a set of n parties. A collection of subsets \(\mathcal {A}\subseteq 2^\mathcal P\) is monotone (upward-closed) if for every \(B\in \mathcal {A}\) and \(B\subseteq C\) it holds that \(C\in \mathcal {A}\). The collection is anti-monotone if for every \(B\in \mathcal {A}\) and \(C \subseteq B\) it holds that \(C\in \mathcal {A}\).

Definition 1

A (partial) access structure \(\mathcal {A}= (\mathcal {S}, \mathcal {R})\) is a pair of non-empty disjoint collections of subsets \(\mathcal {R}\) and \(\mathcal {S}\) of \(2^\mathcal P\) such that \(\mathcal {R}\) is monotone and \(\mathcal {S}\) is anti-monotone. Subsets in \(\mathcal {R}\) are called qualified and subsets in \(\mathcal {S}\) are called unqualified.

The access structure is total if \(\mathcal {R}\) and \(\mathcal {S}\) form a partition of \(2^{\mathcal P}\). If \(\mathcal {A}= (\mathcal {S}, \mathcal {R})\) is total we write \(R \in \mathcal {A}\) for \(R \in \mathcal {R}\) and \(S \not \in \mathcal {A}\) for \(S \in \mathcal {S}\). Our work mostly concerns the following two types of access structures:

  • The threshold access structure \(\mathsf {THR}_{t}^{n}\) is a total access structure over n parties in which any t parties can reconstruct and secrecy is guaranteed against any subset of \(t - 1\) parties:

    $$\begin{aligned} \mathcal {S}= \{S:|S| \le t - 1\} \qquad \mathcal {R}= \{R:|R| \ge t\}. \end{aligned}$$
  • More generally, in the ramp access structure \(\mathsf {RAMP}_{s,r}^{n}\), any r parties can reconstruct and secrecy is guaranteed against any s parties:

    $$\begin{aligned} \mathcal {S}= \{S:|S| \le s\} \qquad \mathcal {R}= \{R:|R| \ge r\}. \end{aligned}$$

A secret sharing scheme involves a dealer who has a secret, a set of n parties, and a partial access structure \(\mathcal {A}= (\mathcal {S},\mathcal {R})\). A secret sharing scheme for \(\mathcal {A}=(\mathcal {S},\mathcal {R})\) is a method by which the dealer distributes shares to the parties such that any subset in \(\mathcal {R}\) can reconstruct the secret from its shares, while any subset in \(\mathcal {S}\) cannot reveal any information on the secret. We restrict our definition to 1-bit secrets.

Definition 2

(Secret sharing). A secret sharing scheme of a 1-bit secret for a partial access structure \(\mathcal {A}=(\mathcal {S},\mathcal {R})\) over n parties with share alphabet \(\Sigma \) is a pair of probability distributions \(p_0\) and \(p_1\) over \(\Sigma ^n\) with the following properties:

  • Reconstruction: For every \(R \in \mathcal {R}\) the marginal distributions of \(p_0\) and \(p_1\) on the set R are disjoint.

  • Secrecy: For every \(S \in \mathcal {S}\) the marginal distributions of \(p_0\) and \(p_1\) on the set S are identical.

An implementation of a secret sharing scheme consists of a sharing algorithm that samples the shares from the probability distribution \(p_0\) or \(p_1\) depending on the value of the secret and of a reconstruction algorithm that recovers the secret from the joint values of the shares of any qualified subsets of parties. The disjointness requirement ensures that recovery by qualified subsets of parties is possible with probability 1. The secrecy requirement ensures that unqualified subsets of parties can extract no information about the secret. Thus, our definition is equivalent to the ones given, for example, in [2, Definition 3.6] and in [3, Definitions 2 and 3].

An Alternative Formulation of Secret Sharing. Here is an equivalent formulation of secret sharing. For \(x \in \mathbb Z_q^n\), we use [x] to denote the set of non-zero entries of x, namely \([x] = \{i:x_i \ne 0\}\), and \([x]^{\complement }\) for the complementary set of zero entries. In this notation, \([x - y]\) is the set of coordinates that x and y differ on and \([x - y]^{\complement }\) is the set of coordinates that they agree on. A function \(\phi _S :\mathbb Z_q^n \rightarrow \mathbb {C}\) is an S-junta if the value \(\phi _S(x_1, \dots , x_n)\) is determined by the inputs \(x_i:i \in S\).

Lemma 1

A secret sharing scheme of a 1-bit secret for a partial access structure \(\mathcal {A}=(\mathcal {S},\mathcal {R})\) over share alphabet \(\mathbb Z_q\) exists if and only if there exists a function \(f:\mathbb Z_q^n \rightarrow \mathbb R\) that is not identically zero satisfying the following properties:

  • Reconstruction: For all \(x, y \in \mathbb {Z}_q^n\) such that \([x - y]^{\complement } \in \mathcal {R}\), \(f(x)\cdot f(y) \ge 0\).

  • Secrecy: For every \(S \in \mathcal {S}\) and every S-junta \(\phi _S:\mathbb Z_q^n \rightarrow \mathbb {C}\), \(\mathbf {E}[f(x) \phi _S(x)] = 0\), where the expectation is over the uniform probability distribution of \(x\in \mathbb Z_q^n\).

Proof

For a secret sharing scheme \(p_0, p_1\), we set \(f(x) = p_0(x) - p_1(x)\). The functions \(p_0\) and \(p_1\) have disjoint support (otherwise even reconstruction by all parties is impossible) so f cannot be identically zero. The reconstruction implies that if \([x - y]^{\complement } \in \mathcal {R}\), then at least one of \(p_0\) and \(p_1\) must assign zero probability to both x and y, so \(f(x) \cdot f(y)\) equals either \(p_0(x) \cdot p_0(y)\) or \((-p_1(x)) \cdot (-p_1(y))\). In either case \(f(x) \cdot f(y) \ge 0\). For secrecy, since \(p_0\) and \(p_1\) have the same marginals on \(S \in \mathcal {S}\), \(\mathbf {E}[p_0(x) \phi _S(x)] = \mathbf {E}[p_1(x) \phi _S(x)]\) so \(\mathbf {E}[f(x) \phi _S(x)] = 0\).

In the other direction, let \(p_0(x) = C\cdot \max \{f(x), 0\}\) and let \(p_1(x) = C\cdot \max \{-f(x),0\}\) for a suitable scaling constant \(C > 0\) that makes \(p_0\) and \(p_1\) valid probability distributions (it exists since f is nonzero). We show reconstruction by contrapositive: If \(p_0\) and \(p_1\) did not have disjoint support on some set \(R \in \mathcal {R}\), there would exist \(x, y \in \mathbb Z_q^n\) such that \(p_0(x) > 0\), \(p_1(y) > 0\), and \([x - y]^{\complement } = R\), implying \(f(x) > 0\), \(f(y) < 0\), and therefore \(f(x) \cdot f(y) < 0\). For secrecy, by construction we have \(f = (p_0 - p_1)/C\), so \(\mathbf {E}[p_0(x) \phi _S(x)] = \mathbf {E}[p_1(x) \phi _S(x)]\) for every test function \(\phi _S\) that only depends on coordinates in \(S \in \mathcal {S}\). Since no \(\phi _S\) can distinguish between \(p_0\) and \(p_1\) on S, the statistical distance between the marginal distributions of \(p_0\) and \(p_1\) on S is zero, so the two are identical.

3 A Zero-Sum Game and Proof of Theorem 2

Given a partial access structure \(\mathcal {A}= (\mathcal {S}, \mathcal {R})\) and a real parameter \(\theta > 0\) we define the following zero-sum game \(G(\mathcal {A}, \theta )\) between Alice and Bob. The actions are a set \(A \not \in \mathcal {S}\) for Alice and a set \(B \in \mathcal {R}\) for Bob. The payoff of the game is \((-\theta )^{|A \setminus B|}\). We say Alice wins if she has a strategy with non-negative expected payoff and we say Bob wins if he has a strategy with negative expected payoff (the expectations are over the randomness of Alice and Bob, respectively). By von Neumann’s minimax theorem the game has a unique winner.

Lemma 2

If there exists a secret sharing scheme for \(\mathcal {A}\) with alphabet size \(q\in \mathbb {N}\), then Alice wins in the game \(G(\mathcal {A}, 1/(q-1))\).

Our proof of Lemma 2 uses Fourier analysis, which we briefly recall here. The characters of the group \(\mathbb Z_q^n\) are the complex-valued functions \(\chi _a:\mathbb Z_q^n \rightarrow \mathbb {C}\), where a ranges over \(\mathbb Z_q^n\), defined as \(\chi _a(x) = \omega ^{\langle a, x\rangle }\), \(\omega = e^{2\pi i/q}\). The characters are an orthonormal basis with respect to the inner product \(\langle f, g \rangle = \mathbf {E}_{x}[f(x) \cdot \overline{g(x)}]\) with x chosen uniformly from \(\mathbb Z_q^n\). The characters inherit the group structure: \(\chi _a \cdot \chi _b = \chi _{a+b}\) and \(\chi _a^{-1} = \overline{\chi _a} = \chi _{-a}\). Every function \(f:\mathbb Z_q^n \rightarrow \mathbb {C}\) can then be uniquely written as a linear combination \(f = \sum _{a \in \mathbb Z_q^n} \hat{f}(a) \cdot \chi _a\) with the Fourier coefficients \(\hat{f}(a)\) given by \(\hat{f}(a) = \langle f,\chi _a \rangle = \mathbf {E}_{x}[f(x)\cdot \overline{\chi _a(x)}]\).

Proof of Lemma 2

We show that Alice has a winning strategy. That is, we show that Alice has a strategy such that for every possible action of Bob, the expected payoff of the game is non-negative.

We identify the alphabet with the elements of the group \(\mathbb Z_q\). Let \(f:\mathbb Z_q^n \rightarrow \mathbb R\) be the function \(f(x) = p_0(x) - p_1(x)\). Alice plays set A with probability proportional to \(\sum _{a:[a] = A} |\hat{f}(a)|^2\). By the secrecy part of Lemma 1, \(\mathbf {E}[f(x) \cdot \overline{\chi _a(x)}] = 0\) whenever \([a] \in \mathcal {S}\), so Alice’s strategy is indeed supported on sets outside \(\mathcal {S}\).

Now let B be an arbitrary set in \(\mathcal {R}\). By the reconstruction part of Lemma 1 and the fact that f is real-valued, for every \(x\in \mathbb Z_q^n\) and every \(z\in \mathbb Z_q^n\) such that \([z]^{\complement } = B\), we have that

$$\begin{aligned} f(x) \cdot \overline{f(x - z)} = f(x) \cdot f(x - z) \ge 0. \end{aligned}$$
(3)

Let x be uniform in \(\mathbb Z_q^n\) and z be uniform in \(\mathbb Z_q^n\) conditioned on \([z]^{\complement } = B\). Averaging over this distribution, we have

$$\begin{aligned} \mathbf {E}_{x,z}[f(x) \cdot \overline{f(x - z)}]&= \sum _{a, b\in \mathbb Z_q^n} \hat{f}(a) \cdot \overline{\hat{f}(b)} \cdot \mathbf {E}_{x, z}[\chi _a(x) \cdot \overline{\chi _b(x - z)}] \\&= \sum _a |\hat{f}(a)|^2 \cdot \mathbf {E}_z[\chi _a(z)] \\&= \sum _a |\hat{f}(a)|^2 \cdot \prod _{i \in [a]} \mathbf {E}_z[\omega ^{a_iz_i}], \end{aligned}$$

where the first equality follows by writing f(x) and \(\overline{f(x-z)}\) using their Fourier representation and using linearity of expectation, the second equality follows since x and z are independent and since \(\mathbf {E}_{x}[\chi _a(x) \cdot \overline{\chi _b(x)}] = 0\) for \(a\ne b\), and the last equality follows since z is chosen from a product distribution.

The expression \(\mathbf {E}[\omega ^{a_iz_i}]\) evaluates to one when i is in B (since \(z_i\) is fixed to zero). Otherwise, \(z_i\) is uniformly distributed over the set \(\mathbb Z_q \setminus \{0\}\) and

$$ \mathbf {E}_z[\omega ^{a_iz_i}] = \frac{1}{q - 1} \sum _{z_i \in \mathbb Z_q \setminus \{0\}} \omega ^{a_iz_i} = \frac{1}{q - 1}\left( \sum \nolimits _{z_i \in \mathbb Z_q} \omega ^{a_iz_i} - 1\right) = -\frac{1}{q-1}. $$

Therefore, \(\prod _{i \in [a]} \mathbf {E}_z[\omega ^{a_iz_i}] = (-1/(q-1))^{|[a] \setminus B|}\), and by Eq. (3)

$$\begin{aligned} \sum _a |\hat{f}(a)|^2 \cdot \left( \frac{-1}{q-1}\right) ^{|[a] \setminus B|} \ge 0. \end{aligned}$$

Grouping all a’s for which \([a] = A\), we get that

$$\begin{aligned} \sum _A \left( \sum \nolimits _{a:[a] = A} |\hat{f}(a)|^2\right) \cdot \left( -\frac{1}{q-1} \right) ^{|A \setminus B|} \ge 0 \qquad \text {for all}\, B \in \mathcal {R}. \end{aligned}$$

Therefore, Alice’s strategy has non-negative expected payoff with respect to every possible action of Bob.   \(\blacksquare \)
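As an added, self-contained illustration (not code from the paper), the following Python snippet ties Shamir’s scheme from Section 1, Definition 2 and the construction in the proof of Lemma 2 together on a constructed instance: a (2, 3)-threshold scheme over \(\mathbb Z_5\), so q = 5 and \(\theta = 1/(q-1) = 1/4\). It enumerates every polynomial to obtain the exact share distributions \(p_0, p_1\), checks the reconstruction and secrecy conditions of Definition 2 by brute force over all subsets, computes \(f = p_0 - p_1\) and its Fourier coefficients, derives Alice’s mixed strategy (weight \(\sum _{a:[a]=A}|\hat{f}(a)|^2\) on each set A), and evaluates her expected payoff against every qualified B. The parameters N, T, Q and all function names are this example’s own assumptions.

```python
import cmath
import itertools
from fractions import Fraction

# Constructed toy instance (an assumption of this example, not a choice made in the paper):
# Shamir's (2,3)-threshold scheme over Z_5. The evaluation points 1,2,3 are non-zero mod 5.
N, T, Q = 3, 2, 5


def shamir_distributions(n, t, q):
    """Exact share distributions p0, p1 over Z_q^n of Shamir's scheme for a 1-bit secret.

    The dealer picks a random degree-(t-1) polynomial whose free coefficient is the
    secret and hands party i (i = 1..n) its evaluation at i. Enumerating every
    polynomial yields Definition 2's p0, p1 exactly instead of sampling them.
    Requires q prime and q > n so that all evaluation points are distinct and non-zero."""
    dists = []
    for secret in (0, 1):
        p = {}
        for higher in itertools.product(range(q), repeat=t - 1):
            poly = (secret,) + higher
            shares = tuple(sum(c * pow(i, k, q) for k, c in enumerate(poly)) % q
                           for i in range(1, n + 1))
            p[shares] = p.get(shares, Fraction(0)) + Fraction(1, q ** (t - 1))
        dists.append(p)
    return dists[0], dists[1]


def marginal(p, subset):
    """Marginal distribution of p on the coordinates in `subset`."""
    m = {}
    for x, pr in p.items():
        key = tuple(x[i] for i in subset)
        m[key] = m.get(key, Fraction(0)) + pr
    return m


def satisfies_definition2(p0, p1, n, t):
    """Reconstruction: disjoint marginal supports on every set of >= t parties.
    Secrecy: identical marginals on every set of <= t-1 parties."""
    for k in range(n + 1):
        for subset in itertools.combinations(range(n), k):
            m0, m1 = marginal(p0, subset), marginal(p1, subset)
            if k >= t and set(m0) & set(m1):
                return False
            if k < t and m0 != m1:
                return False
    return True


def alice_weights(p0, p1, n, q):
    """Alice's mixed strategy from the proof of Lemma 2: set A gets weight
    sum_{a : [a] = A} |fhat(a)|^2, where f = p0 - p1 and fhat(a) = E_x[f(x) conj(chi_a(x))]."""
    omega = cmath.exp(2j * cmath.pi / q)
    points = list(itertools.product(range(q), repeat=n))
    f = {x: float(p0.get(x, 0) - p1.get(x, 0)) for x in points}
    weights = {}
    for a in points:
        fhat = sum(f[x] * omega ** ((-sum(ai * xi for ai, xi in zip(a, x))) % q)
                   for x in points) / q ** n
        support = frozenset(i for i, ai in enumerate(a) if ai != 0)
        weights[support] = weights.get(support, 0.0) + abs(fhat) ** 2
    return weights


def alice_payoffs(weights, n, t, q):
    """Expected payoff of Alice's strategy against every B in R at theta = 1/(q-1).
    Lemma 2 says each of these payoffs is non-negative."""
    theta = 1 / (q - 1)
    total = sum(weights.values())
    payoffs = {}
    for k in range(t, n + 1):
        for B in itertools.combinations(range(n), k):
            Bset = frozenset(B)
            payoffs[Bset] = sum(w * (-theta) ** len(A - Bset)
                                for A, w in weights.items()) / total
    return payoffs


def run_example():
    p0, p1 = shamir_distributions(N, T, Q)
    weights = alice_weights(p0, p1, N, Q)
    # Weight on unqualified sets (|A| <= t-1) must vanish: the secrecy part of Lemma 1.
    leak = max((w for A, w in weights.items() if len(A) < T), default=0.0)
    payoffs = alice_payoffs(weights, N, T, Q)
    return {
        "definition2_ok": satisfies_definition2(p0, p1, N, T),
        "unqualified_weight": leak,
        "min_payoff": min(payoffs.values()),
        "payoff_full_set": payoffs[frozenset(range(N))],
    }


if __name__ == "__main__":
    print(run_example())
```

On this instance Alice’s weight lands only on the three 2-sets and the full set, her payoff against each 2-set B is exactly 0 and against the full set it is 1, so the non-negativity guaranteed by Lemma 2 is attained with equality on every proper qualified set.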

Proof of Theorem 2

It is sufficient to prove Theorem 2 in the case \(n = r + 1\): If a secret sharing scheme for \(\mathsf {RAMP}_{s, r}^{n}\) existed, then a secret sharing scheme for \(\mathsf {RAMP}_{s, r}^{r + 1} \) over the same alphabet could be obtained by discarding the remaining \(n - r - 1\) parties and their shares.

We now give a winning strategy for Bob in the game \(G(\mathsf {RAMP}_{s, r}^{r + 1}, \theta )\) for any \(\theta > (r - s)/(s + 1)\). By Lemma 2 it then follows that no secret sharing scheme over an alphabet of size smaller than \((r + 1)/(r - s)\) exists.

Bob’s strategy is to uniformly choose a set B of size r (which is in \(\mathcal {R}\)). Then for every set \(A \not \in \mathcal {S}\), either \(A \subseteq B\) and then \(|A\setminus B| = 0\), or \(A\not \subseteq B\) and then \(|A\setminus B| = 1\) (since B includes all parties except one). Thus, for every \(A\not \in \mathcal {S}\), the expected payoff is

$$\begin{aligned} \mathbf {E}_B\left[ (-\theta )^{|A \setminus B|}\right]&= 1 \cdot \mathbf Pr _B[A \subseteq B] - \theta \cdot \mathbf Pr _B[A \not \subseteq B] \nonumber \\&= 1 \cdot \frac{r + 1 - |A|}{r + 1} - \theta \cdot \frac{|A|}{r + 1} \nonumber \\&\le \frac{r - s}{r + 1} - \theta \cdot \frac{s + 1}{r + 1}, \end{aligned}$$
(4)

where the inequality follows since \(|A| \ge s+1\). If \(\theta > (r - s)/(s + 1)\) this expression is less than zero, i.e., Bob wins.   \(\blacksquare \)

It is also possible to deduce Theorem 2 directly from Lemma 2 by showing the existence of a winning strategy for Bob in the game \(G(\mathsf {RAMP}_{s, r}^{n}, \theta )\) whenever \(\theta > (r - s)/(s + 1)\) (rather than for \(G(\mathsf {RAMP}_{s, r}^{r+1}, \theta )\), as we did above). Let R be a random subset of \(r + 1\) parties. Bob’s strategy has the form \(B = B_0 \cup B_1\), where \(B_0\) is a uniformly random subset of R of size r and \(B_1\) is a random subset of \(R^{\complement }\) obtained by including each element independently with probability \(p = \theta /(1 + \theta )\). The value of p is chosen so that a random variable that equals 1 with probability p and \(-\theta \) with probability \(1 - p\) is unbiased.

Let A, where \(|A| \ge s + 1\), be any action of Alice. For a fixed choice of R, if \(A \setminus R\) is nonempty, by our choice of probability p the expected payoff is zero. Otherwise, A is a subset of R, and by Eq. (4) the expected payoff is at most \(-(s + 1) \cdot \theta + (r - s) < 0\). Since the event \(A \subseteq R\) has positive probability the expected payoff is negative and Bob wins.

4 Limitations of the Game Relaxation

In the case of threshold access structures Theorem 2 shows that Bob has a winning strategy in the game \(G(\mathsf {THR}_{t}^{n}, \theta )\) whenever \(\theta > 1/t\). We now prove Theorem 3, which states that our analysis is optimal: There exists a winning strategy for Alice when \(\theta \le 1/t\).

We also prove Theorem 4: For every total access structure \(\mathcal {A}\) over n parties, Alice has a winning strategy in \(G(\mathcal {A}, \theta )\) for every \(\theta \le 1/(|\min \mathcal {A}|-1)\). As the proof of Theorem 4 is simpler we present that one first. We remark that Theorem 4 can be generalized to any partial access structure \((\mathcal {S},\mathcal {R})\) by replacing \(\mathcal {A}\) by \(\mathcal {R}\) in the proof.

Proof of Theorem 4

Alice’s strategy is uniformly random over all minterms \(A \in \min \mathcal {A}\). Then, for every \(B \in \mathcal {A}\) and \(\theta <1\), it holds that

$$\begin{aligned} {\mathbf {E}}_A[(-\theta )^{|A \setminus B|}] =&{\mathbf {E}}_A[(-\theta )^{|A \setminus B|} \mid A\subseteq B]\cdot \mathbf{Pr }_A[A\subseteq B] + \\&{\mathbf {E}}_A[(-\theta )^{|A \setminus B|} \mid A\not \subseteq B]\cdot \mathbf{Pr }_A[A\not \subseteq B] \\ \ge&1 \cdot \mathbf{Pr }_A[A \subseteq B] - \theta \cdot \mathbf{Pr }_A[A \not \subseteq B]\\ =&(1+\theta )\cdot \mathbf{Pr }_A[A \subseteq B] - \theta \\ \ge&(1+\theta )\cdot \frac{1}{|\min \mathcal {A}|} - \theta . \end{aligned}$$

This is non-negative when \(\theta \le 1/(|\min \mathcal {A}| - 1)\).   \(\blacksquare \)

Proof of Theorem 3

Let \(a_0, \dots , a_n\) be the following sequence of integers:

$$\begin{aligned} a_0=\dots =a_{t-1}=0, \quad a_t=1, \quad a_s = k_t \cdot a_{s-1} + \dots + k_0 \cdot a_{s-t-1} \end{aligned}$$

for \(t+1\le s\le n\), where \(k_j\) is the coefficient of \(x^j\) in the formal expansion of \((x+1)^t\cdot (1/\theta - x)\). By expanding this expression according to the binomial formula, we see that the numbers \(k_0, \dots , k_t\) are non-negative when \(\theta \le 1/t\) because

$$\begin{aligned} k_j = \left( {\begin{array}{c}t\\ j\end{array}}\right) \left( \frac{1}{\theta } - \frac{j}{t-j+1}\right) \ge 0 \end{aligned}$$

for all \(0\le j\le t\). Therefore \(a_s\) is also non-negative for all s.

Alice plays set A with probability proportional to the number \(a_{|A|}\). We will prove that this is a winning strategy for Alice. When \(B = \{1, \dots , n\}\), then \(\mathbf {E}_A[(-\theta )^{|A \setminus B|}] = 1\) and Alice wins. Now let \(B\subseteq \{1, \dots , n\}\) be any set such that \(t \le |B| < n\). Let

$$\begin{aligned} \theta _j = {\left\{ \begin{array}{ll}1, &{}\text {if }\, j \in B, \\ -\theta , &{}\text {if }\, j \not \in B.\end{array}\right. } \end{aligned}$$

Then,

$$\begin{aligned} \mathbf {E}_A[(-\theta )^{|A \setminus B|}] \propto \sum _A a_{|A|} \prod _{j \in A} \theta _j = \sum _{s = 0}^n a_s w_s \quad \text {where}\quad w_s = \sum _{A:|A| = s} \prod \nolimits _{j \in A} \theta _j. \end{aligned}$$

The number \(w_s\) can be represented as the coefficient of \(z^s\) in the formal expansion of \(g_0(z) = \prod _{j=1}^n (1 + \theta _j z)\). Since exactly \(|B|\) of the \(\theta _j\)’s equal 1 and the other \(n - |B|\) equal \(-\theta \), it follows that

$$\begin{aligned} g_0(z)=(1+z)^{|B|} \cdot (1 - \theta z)^{n-|B|}. \end{aligned}$$
(5)

The numbers \(a_0,\dots ,a_n\) (as defined in the beginning of the proof) are defined by an order t homogeneous linear recurrence relation with constant coefficients whose characteristic equation is \((x + 1)^t \cdot (1/\theta - x) = 0\). This equation has roots \(-1\) (with multiplicity t) and \(1/\theta \) (with multiplicity 1). Therefore,

$$\begin{aligned} a_s = C \cdot \theta ^{-s} + \sum _{i=0}^{t-1} c_i \cdot s^i \cdot (-1)^s \end{aligned}$$

where \(c_0, \dots , c_{t-1}\) and C are constants determined by the initial conditions on \(a_0, \dots , a_t\). We can now write

$$ \sum _{s=0}^n a_s \cdot w_s = C \cdot \sum _{s=0}^n w_s \cdot \theta ^{-s} + \sum _{i=0}^{t-1} c_i \cdot \sum _{s=0}^n w_s \cdot s^i \cdot (-1)^s. $$

Recall that \(g_0\) is the generating function of \(w_s\) which means that \(g_0(z) = \sum ^n_{s=0} w_s \cdot z^s\). So, the term \(\sum _{s=0}^n w_s \cdot \theta ^{-s}\) equals \(g_0(1/\theta ) = 0\). To finish the proof, we show that \(\sum _{s=0}^n w_s \cdot s^i \cdot (-1)^s = 0\) for all \(i \le t - 1\) (this implies that Alice’s strategy has a 0 payoff, which means that she wins the game). Let \(g_i(z) = z\cdot g'_{i-1}(z)\) for \(1 \le i \le t - 1\) where \(g'_{i-1}\) is the derivative of \(g_{i-1}\). On the one hand, since \(-1\) is a root of \(g_0\) of multiplicity t, \(g_i(-1) = 0\) for all \(i \le t - 1\). On the other hand, \(g_i(z)\) has the formal expansion \(\sum _{s=0}^n w_s \cdot s^i \cdot z^s\). Therefore, \(\sum _{s=0}^n w_s \cdot s^i \cdot (-1)^s\) must equal zero.    \(\blacksquare \)
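The two explicit strategies of this section can be checked numerically. The following Python snippet is an added example (not code from the paper) that evaluates the game \(G(\mathcal {A}, \theta )\) in exact rational arithmetic: Bob’s strategy from the proof of Theorem 2 (a uniformly random B of size r in \(\mathsf {RAMP}_{s, r}^{r + 1}\)) is tested against every Alice action with \(|A| \ge s+1\), and Alice’s strategy from the proof of Theorem 3 (play A with probability proportional to \(a_{|A|}\), with \(a_s\) built from the coefficients \(k_j\) of \((x+1)^t (1/\theta - x)\)) is tested against every qualified B in \(\mathsf {THR}_{t}^{n}\). Parties are numbered from 0 here; \(\theta \) may be passed as a Fraction or as a string such as "1/3". All function names are this example’s own.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def payoff(A, B, theta):
    """Payoff of the zero-sum game G(A, theta): (-theta)^{|A \\ B|}."""
    return (-theta) ** len(A - B)


def expected_payoff(mixed, other, theta, mixed_is_alice):
    """Expected payoff when one player mixes over `mixed` (dict set -> weight)
    and the other player plays the fixed set `other`."""
    total = sum(mixed.values())
    if mixed_is_alice:
        return sum(w * payoff(X, other, theta) for X, w in mixed.items()) / total
    return sum(w * payoff(other, X, theta) for X, w in mixed.items()) / total


def bob_wins_ramp(s, r, theta):
    """Bob's strategy from the proof of Theorem 2 in G(RAMP_{s,r}^{r+1}, theta):
    a uniformly random B of size r. Returns True iff his expected payoff is
    negative against every Alice action A with |A| >= s+1 (i.e. A not in S)."""
    theta = Fraction(theta)
    n = r + 1
    strat = {frozenset(B): Fraction(1) for B in combinations(range(n), r)}
    for k in range(s + 1, n + 1):
        for A in combinations(range(n), k):
            if expected_payoff(strat, frozenset(A), theta, mixed_is_alice=False) >= 0:
                return False
    return True


def alice_sequence(n, t, theta):
    """a_0..a_n from the proof of Theorem 3: a_0 = ... = a_{t-1} = 0, a_t = 1 and
    a_s = k_t a_{s-1} + ... + k_0 a_{s-t-1}, where k_j is the coefficient of x^j in
    (x+1)^t (1/theta - x) = sum_j C(t,j) x^j / theta - sum_j C(t,j) x^{j+1}."""
    theta = Fraction(theta)
    k = [comb(t, j) / theta - (comb(t, j - 1) if j >= 1 else 0) for j in range(t + 1)]
    a = [Fraction(0)] * t + [Fraction(1)]
    for s in range(t + 1, n + 1):
        a.append(sum(k[t - m] * a[s - 1 - m] for m in range(t + 1)))
    return a


def alice_min_payoff_thr(n, t, theta):
    """Alice plays A with probability proportional to a_{|A|}; returns her worst
    expected payoff over all B in THR_t^n (|B| >= t). Theorem 3 says this is >= 0
    whenever theta <= 1/t (the proof shows it is exactly 0 for every B != [n])."""
    theta = Fraction(theta)
    a = alice_sequence(n, t, theta)
    strat = {frozenset(A): a[k] for k in range(n + 1)
             for A in combinations(range(n), k) if a[k] != 0}
    worst = None
    for k in range(t, n + 1):
        for B in combinations(range(n), k):
            v = expected_payoff(strat, frozenset(B), theta, mixed_is_alice=True)
            worst = v if worst is None else min(worst, v)
    return worst


if __name__ == "__main__":
    # THR_2^3 = RAMP_{1,2}^3: Bob wins strictly above theta = (r-s)/(s+1) = 1/2 ...
    print(bob_wins_ramp(1, 2, Fraction(3, 5)), bob_wins_ramp(1, 2, Fraction(1, 2)))
    # ... while at theta = 1/t Alice's recurrence strategy has worst-case payoff 0.
    print(alice_sequence(5, 3, Fraction(1, 3)), alice_min_payoff_thr(5, 3, Fraction(1, 3)))
```

The boundary \(\theta = 1/t\) is where the two results meet: for \(\mathsf {THR}_{2}^{3}\) Bob’s strategy has negative payoff at \(\theta = 3/5\) but not at \(\theta = 1/2\), and at \(\theta = 1/2\) Alice’s strategy already achieves payoff 0 against every proper qualified set, as Theorem 3 states.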

5 Concluding Remarks

Theorem 1 requires that the shares given to all parties have the same length. Its proof extends easily to yield the following generalization: For every n, every \(1< t < n\), and every (t, n)-threshold secret sharing scheme in which party i receives a \(\log q_i\)-bit share and \(q_1 \le q_2 \le \dots \le q_n\) it must hold that

$$\begin{aligned} \frac{1}{q_1} + \dots + \frac{1}{q_{t+1}} \le 1. \end{aligned}$$
(6)

In particular, inequality (6) implies that the average share size must be at least \(\log {(t+1)}\). We sketch the proof in Appendix B. Kilian and Nisan [25] prove the same for \((n - t + 1, n)\)-threshold access structures.

By Theorem 3 our analysis of threshold secret sharing is tight within the game-theoretic relaxation that we introduce here. As the lower bound of Kilian and Nisan [25] is incomparable with ours, their analysis cannot be cast in terms of a winning strategy in our game. It is, however, possible to capture both our analysis and that of Kilian and Nisan by a single linear program. We performed computer experiments to investigate the feasibility of one such family of linear programs, but were unable to obtain better lower bounds on share size.

We do not know what is the best possible lower bound on share size that our method can give among all access structures on n parties. Theorem 1 shows a lower bound of \(\log (n - 1)\) is attainable, while Theorem 4 shows that a lower bound of \(\log \left( {\begin{array}{c}n\\ \lfloor n/2\rfloor \end{array}}\right) \) cannot be proved. The best possible bound is the logarithm of

$$\begin{aligned} b_n = \min _{\mathcal {A}} \max \left\{ q:\text {Bob wins in}\, G(\mathcal {A}, 1/(q-1))\right\} , \end{aligned}$$

where the minimum is taken over all access structures \(\mathcal {A}\) on n parties. We can prove that if the payoff function is replaced by \((-\theta )^{|A \triangle B|}\), where \(\triangle \) is symmetric set difference, then the quantity analogous to \(b_n\) is upper bounded by \(O(n^2)\).