Keywords

1 Introduction

A secret sharing scheme (SSS) is a technique of allocating access to a secret among a set of participants in such a way that only certain subsets are allowed to determine the secret. It was introduced independently by Shamir [30] and Blakley [1] for the protection of cryptographic keys. It is now a fundamental primitive as it is used to construct cryptographic protocols such as for secure multiparty computation [12] and oblivious transfer [32].

In general, an SSS starts with the share distribution phase followed by the secret reconstruction phase. In the share distribution phase, there is a dealer who produces the shares to be given to the participants. In the secret reconstruction phase, a subset of participants attempt to determine the secret using their shares. We consider the setting wherein the participants submit their shares to a trusted combiner who reconstructs the secret. We assume that the dealer and combiner are honest but the participants can cheat during secret reconstruction.

Tompa and Woll [33] showed that if a secret sharing scheme is linear, then it can be subjected to an attack from dishonest participants. During the secret reconstruction phase, the cheaters can submit invalid shares to the combiner. As a result, the combiner returns an invalid secret and the cheaters are able to compute the valid secret using their valid shares and the invalid secret. This attack also prevents the honest participants from knowing the valid secret. Several approaches to counter this attack can be found in the literature (for instance see [2, 6, 11, 19, 21, 25, 29]). The survey article by Martin [24] is a comprehensive analysis of the different types of SSS that handle dishonest participants, dealers and combiners.

This work deals with cheating-immune secret sharing schemes proposed by Pieprzyk and Zhang [28]. This type of SSS is capable of preventing the dishonest participants of gaining an advantage over the honest ones in the attack described above. In a cheating-immune scheme, the cheaters will not be able to determine the secret even if they submit invalid shares during reconstruction. If we compare with the other SSS that deal with cheating, there is no detection or identification of cheaters in a cheating-immune scheme. There is also no correction of the submitted invalid shares which means that the honest participants also do not recover the secret. A nice property of cheating-immune schemes is that the share size is the same as the secret size (in other schemes, either we have large shares or the recovery of the secret requires more than the minimum number of shares). The main problem in the theory of cheating-immune schemes is the construction of such schemes for any access structure. Properties and constructions of such schemes are studied in [4, 13, 14, 22, 23, 26, 27].

In this paper, we show that the class of Maiorana-McFarland Boolean functions can be used to construct cheating-immune schemes and we present new schemes. We used the techniques in the work of Carlet [9]. Our method of construction can be seen as a generalization of the method in [14]. This paper is organized as follows. Section 2 contains the definition and model of binary cheating-immune schemes. In Sect. 3, we present the relation between cheating-immune schemes and Boolean functions. Sections 4, 5 and 6 contain the main results of the paper. We summarize the work in the last section.

2 Cheating-Immune Secret Sharing Schemes

Let \(\mathcal {P}=\{P_1,P_2,\dots ,P_{n}\}\) be the set of n participants. The set of all authorized or qualified subsets \(\varGamma \subseteq 2^{\mathcal {P}}\) is called the access structure.

Definition 1

A secret sharing scheme realizing an access structure \( \varGamma \) is a method to distribute shares of a secret K such that

  1. i.

    if a subset of participants \( A\in \varGamma \) then A can reconstruct the secret K

  2. ii.

    if a subset of participants \( B\notin \varGamma \) then B cannot reconstruct the secret K.

We say that a secret sharing scheme is perfect if unauthorized subsets obtain no information about the secret. Otherwise, the scheme is non-perfect, that is, it is possible for an unauthorized subset to obtain partial information about the secret. A measure of efficiency of a secret sharing scheme is the so-called information rate which is the ratio of the size of the secret and the size of the shares. We assume that the dealer selects the secrets uniformly at random.

We use the model of a cheating-immune (nn)-SSS over \(\mathbb {F}_2\) introduced in [26]. The scheme is represented by a defining function \(f:\mathbb {F}_2^n \rightarrow \mathbb {F}_2\) that maps each possible vector of shares \(\alpha =(\alpha _1,\alpha _2,\dots ,\alpha _{n})\) to a secret K. All participants must submit their shares to the combiner in order to reconstruct the secret. Let \(\alpha , \beta \in \mathbb {F}_2^n\). We say that \(\beta \) covers \(\alpha \), denoted by \(\alpha \preceq \beta \), if whenever \(\alpha _i\ne 0\) then \(\beta _i\ne 0\), \(1\le i\le n\). The Hamming weight of a vector \(\alpha \) will be denoted by \(wt(\alpha )\).

We represent the cheaters by a cheating vector \(\delta \) with \(\delta _i=1\) if \(P_i\) is a cheater and 0 otherwise. Hence, \(wt(\delta )\) gives the number of cheaters. Given two vectors x and \(\delta \), we distinguish the shares of the cheaters from the honest participants using the following vectors:

  1. i.

    \(x_\delta ^+=(x_1^+,\ldots ,x_n^+)\) with \(x_i^+=x_i \) if \(\delta _i=1\) and \(x_i^+=0 \) if \(\delta _i=0\)

  2. ii.

    \(x_\delta ^-=(x_1^-,\ldots ,x_n^-)\) with \(x_i^-=x_i\) if \(\delta _i=0\) and \(x_i^-=0\) if \(\delta _i=1\)

The vector \(x_\delta ^+\) represents the cheaters’ valid shares while \(x_\delta ^-\) represents the honest participants’ shares.

Recall that when cheaters submit invalid shares during reconstruction, they will use the secret (sent by the combiner) to determine the true secret. Consider now the following sets of shares:

$$\begin{aligned} R(\delta ,\alpha _\delta ^+,K)&=\{ x_\delta ^-\,|\,f(x_\delta ^-\oplus \alpha _\delta ^+)=K \}\\ R(\delta ,\alpha _\delta ^+\oplus \delta ,K^*)&=\{ x_\delta ^-\,|\,f(x_\delta ^-\oplus \alpha _\delta ^+\oplus \delta )=K^* \} \end{aligned}$$

The set \(R(\delta ,\alpha _\delta ^+,K)\) consists of all possible shares of honest participants such that combined with the cheaters’ valid shares, will produce the original secret K. On the other hand, the set \(R(\delta ,\alpha _\delta ^+\oplus \delta ,K^*)\) contains all the possible shares of honest participants such that combined with the cheaters’ incorrect shares, will produce the secret \(K^*\). The probability of successful cheating with respect to \( \delta ,\alpha \) is given by

$$\rho _{\delta ,\alpha }=|R(\delta ,\alpha _\delta ^+\oplus \delta ,K^*)\cap R(\delta ,\alpha _\delta ^+,K)|/|R(\delta ,\alpha _\delta ^+\oplus \delta ,K^*)|.$$

We now define a k-cheating-immune (nn)-SSS or k-CI (nn)-SSS. Note that we assume that all cheaters submit invalid shares during reconstruction.

Definition 2

An (nn)-SSS over \(\mathbb {F}_2 \) is k-cheating-immune if for every \(\alpha , \delta \in \mathbb {F}_2^n\) with \(1\le wt(\delta )\le k\), we have \(\rho _{\delta ,\alpha }=1/2\).

The general case where not all cheaters submit invalid shares is handled by the so-called strictly cheating-immune secret sharing schemes. In this type of scheme, we use two vectors \(\delta ,\tau \in \mathbb {F}_2^n\) such that \(\delta \) represents the cheaters while \(\tau \) represents the cheaters who submitted fake shares. Note that \(\tau \preceq \delta \). The value

$$\rho _{\delta ,\tau ,\alpha }=|R(\delta ,\alpha _\delta ^+\oplus \tau ,K^*)\cap R(\delta ,\alpha _\delta ^+,K)|/|R(\delta ,\alpha _\delta ^+\oplus \tau ,K^*)|$$

is the probability of successful cheating with respect to \(\delta ,\tau ,\alpha \).

Definition 3

An (nn)-SSS over \(\mathbb {F}_2\) is strictly k-cheating-immune if, for every \(\alpha ,\delta ,\tau \in \mathbb {F}_2^n\) such that \(1\le wt(\delta )\le k\) and \(\tau \preceq \delta \), we have that \(\rho _{\delta ,\tau ,\alpha }=1/2\).

3 Cheating-Immune Schemes and Boolean Functions

We now describe the connection between Boolean functions and cheating-immune secret sharing schemes. The defining function of an (nn)-SSS over \(\mathbb {F}_2\) is a Boolean function on \(\mathbb {F}_2^n\). We recall some basic concepts in the theory of Boolean functions (for reference, see [8, 10]).

A Boolean function f is affine if \(f(x_1,x_2,\dots ,x_{n})=a_1x_1\oplus a_1x_2\oplus \dots \oplus a_nx_n\oplus c\). The affine function f is linear if \(c=0\). We say that f is balanced on \( \mathbb {F}_2^n \) if \(|f^{-1}(0)|=|f^{-1}(1)|=2^{n-1}\). A nonconstant affine function is balanced.

A Boolean function f is said to be k-resilient if for every subset \(\{ j_1,j_2,\dots ,j_{k} \}\) of \(\{ 1,2,\dots ,n\}\) and every \((a_1,a_2,\dots ,a_{k})\in \mathbb {F}_2^k\), the restricted function

$$f(x_1,x_2,\dots ,x_{n})|_{x_{j_1}=a_1,x_{j_2}=a_2,\dots ,x_{j_k}=a_k}$$

is balanced on \( \mathbb {F}_2^{n-k} \). We note that if f is k-resilient then it is also l-resilient for \( 0\le l\le k\).

We say that a Boolean function f satisfies the strengthened propagation of degree k or SP(k) if for any \(\delta \in \mathbb {F}_2^n\) such that \( 1\le wt(\delta )\le k\), and for any \(\tau \preceq \delta \), the function \(f(x_\delta ^-\oplus \tau )\oplus f(x_\delta ^-\oplus \tau \oplus \delta ) \) is balanced. A function f satisfying SP(k) also satisfies SP(l) for \( 1\le l\le k \).

The following theorems characterize cheating-immune (nn)-SSS:

Theorem 1

([27]). An (nn)-SSS over \(\mathbb {F}_2\) with defining function f is k-CI if and only if f is k-resilient and satisfies SP(k).

Theorem 2

([27]). An (nn)-SSS over \(\mathbb {F}_2\) with defining function f is strictly k-CI if and only if the following conditions are satisfied:

  1. 1.

    f is k-resilient.

  2. 2.

    For any integer l with \(0\le l\le k-1\), every function obtained from f by fixing any l input variables satisfies \(SP(k-l)\).

A bound on the number of cheaters is given by the following result:

Theorem 3

([4]). An (nn)-SSS over \(\mathbb {F}_2\) with defining function f can be k-cheating-immune only if \( 2k \le n-2\).

4 Cheating-Immune SSS from Maiorana-McFarland Boolean Functions

Theorem 1 states that constructing a k-CI (nn)-SSS over \(\mathbb {F}_2\) is equivalent to constructing a Boolean function satisfying resiliency and strengthened propagation. In this section, we will show that a class of Maiorana-McFarland Boolean functions can be used to construct cheating-immune SSS. The Maiorana-McFarland Boolean functions are well-studied and these functions are used to build Boolean functions with cryptographic properties.

Let st be positive integers and \(\phi \) be a vectorial Boolean function from \(\mathbb {F}_2^t \) to \( \mathbb {F}_2^s \), or a (ts)-vectorial function given by

$$\phi (x_1,x_2,\dots ,x_{t})=(\phi _1(x_1,x_2,\dots ,x_{t}),\phi _2(x_1,x_2,\dots ,x_{t}),\dots ,\phi _s(x_1,x_2,\dots ,x_{t}))$$

where its coordinate functions \(\phi _1,\phi _2,\dots ,\phi _{s}\) are t-variable Boolean functions. Let g be a t-variable Boolean function. An \((s+t)\)-variable Boolean function f defined by

$$f(x,y)=x\cdot \phi (y)\oplus g(y),$$

where \(x\in \mathbb {F}_2^s, y\in \mathbb {F}_2^t \) is said to be of Maiorana-McFarland form. We call f an MM function for short.

The next theorem gives a condition under which a Maiorana-McFarland function satisfies resiliency.

Theorem 4

([7]). An MM function \(f(x,y)=x\cdot \phi (y)\oplus g(y)\) is k-resilient if for every \(y\in \mathbb {F}_2^t\), we have \(wt(\phi (y))\ge k+1\).

We now show that this class of functions also satisfies strengthened propagation criterion. We will use the following lemma.

Lemma 1

A Boolean function f is balanced on \( \mathbb {F}_2^n \) if there exists a subset \(\{ i_1,i_2,\dots ,i_{k} \}\subseteq \{ 1,2,\dots ,n \}\) such that for every \(a=(a_1,a_2,\dots ,a_{k})\in \mathbb {F}_2^k \), the restricted function \(f_a\) obtained from f by substituting \(x_{i_1}=a_1,x_{i_2}=a_2,\dots ,x_{i_k}=a_k\) is balanced.

Proof

For every \(a\in \mathbb {F}_2^k\), by assumption, \(f_a\) is balanced on \(\mathbb {F}_2^{n-k}\). Hence, we have \(|f_a^{-1}(0)|=|f_a^{-1}(1)|=2^{n-k-1}\). Since there are \(2^k\) possibilities for a, then \(|f^{-1}(0)|=|f^{-1}(1)|=2^k\times 2^{n-k-1}=2^{n-1}\). Thus, f is balanced on \(\mathbb {F}_2^n\).

A modification of the construction of Boolean functions satisfying propagation criterion using Maiorana-McFarland Boolean functions considered by [9] gives us a construction of Boolean functions satisfying strengthened propagation.

Theorem 5

An MM function \(f(x,y)=x\cdot \phi (y)\oplus g(y)\) satisfies SP(k) if the following conditions are satisfied:

  1. 1.

    For any \(a\in \mathbb {F}_2^s\) such that \(1\le wt(a)\le k\), the function \(a\cdot \phi (y)\) is balanced on \(\mathbb {F}_2^t\).

  2. 2.

    For any \(y,z\in \mathbb {F}_2^t\) such that \(wt(y\oplus z)\ge 1\), we have \(wt(\phi (y)\oplus \phi (z))\ge k\).

Proof

Let \(z=(x,y)=(x_1,x_2,\dots ,x_{s},y_1,y_2,\dots ,y_{t})\). For any \(\delta ,\tau \in \mathbb {F}_2^{s+t}\) such that \(1\le wt(\delta )\le k\) and \(\tau \preceq \delta \), we denote by \(\delta =(\delta ^x,\delta ^y)\) and \(\tau =(\tau ^x,\tau ^y)\) where \( \delta ^x=(\delta _1,\delta _2,\dots ,\delta _{s}),\tau ^x=(\tau _1,\tau _2,\dots ,\tau _{s}),\delta ^y=(\delta _{s+1},\delta _{s+2},\dots ,\delta _{s+t}) \) and \( \tau ^y=(\tau _{s+1},\tau _{s+2},\dots ,\tau _{s+t}) \).

Define \( h(z_\delta ^-) = f(z_\delta ^-\oplus \tau )\oplus f(z_\delta ^-\oplus \tau \oplus \delta ) \). Then,

$$\begin{aligned} h(z_\delta ^-)&= f(x_{\delta ^x}^-\oplus \tau ^x,y_{\delta ^y}^-\oplus \tau ^y)\oplus f(x_{\delta ^x}^-\oplus \tau ^x\oplus \delta ^x,y_{\delta ^y}^-\oplus \tau ^y\oplus \delta ^y)\\&= a(y_{\delta ^y}^-)\cdot x_{\delta ^x}^-\oplus b(y_{\delta ^y}^-) \end{aligned}$$

where

$$\begin{aligned} a(y_{\delta ^y}^-)&= \phi (y_{\delta ^y}^-\oplus \tau ^y)\oplus \phi (y_{\delta ^y}^-\oplus \tau ^y\oplus \delta ^y)\\ b(y_{\delta ^y}^-)&= \tau ^x\cdot \phi (y_{\delta ^y}^-\oplus \tau ^y)\oplus (\tau ^x\oplus \delta ^x)\cdot \phi (y_{\delta ^y}^-\oplus \tau ^y\oplus \delta ^y)\oplus \\ {}&g(y_{\delta ^y}^-\oplus \tau ^y)\oplus g(y_{\delta ^y}^-\oplus \tau ^y\oplus \delta ^y) \end{aligned}$$

  • Case 1. If \(\delta ^y=0\) then \(\tau ^y=0, y_{\delta ^y}^-=y\) and \(wt(\delta ^x)=wt(\delta )\). Hence, \(h(z_\delta ^-)=\delta ^x\cdot \phi (y)\) is balanced by the first condition.

  • Case 2. If \(\delta ^y\ne 0\) then \(0\le wt(\delta ^x)\le k-1\). In other words, the number of constant coordinates of \(x_{\delta ^x}^-\) is less than or equal to \(k-1\). For every substitution of \(t-wt(\delta ^y)\) variables in \(y_{\delta ^y}^-\), by the second condition, \(wt(a(y_{\delta ^y}^-))\ge k\). Hence, the function obtained from \(h(z_\delta ^-)\) by the substitution is a non-constant affine function which is balanced. Therefore, \(h(z_\delta ^-)\) is balanced by Lemma 1.

In conclusion, the function f satisfies SP(k) .

5 Construction of CI-SSS Using Binary Systematic Codes

Similar to what was done on [9], we use binary systematic codes to come up with concrete examples of functions satisfying the conditions in Theorems 4 and 5. This method of construction is a generalization of [14] which uses linear codes. The technique used here allows us to use nonlinear codes. We start with a discussion of some basic concepts on binary codes (the reader is referred to [18, 20] for a complete treatment of codes).

A nonempty subset \(C\subseteq \mathbb {F}_2^n\) is called a binary code of length n. The Hamming distance between two vectors \(x,y\in \mathbb {F}^n\), denoted by \(d(x,y)\), is the number of positions where x and y differ. The minimum distance of C is defined as

$$d(C)=\min \{d(x,y)\;|\;x,y\in C, x\ne y\}.$$

A binary code of length n having M codewords and minimum distance d is called an (nMd)-code. The distance from a vector \(\alpha \in \mathbb {F}_2^n\) to a code C is given by \(d(\alpha ,C)=\min \{ d(\alpha ,c)\,|\,c\in C\}\). The covering radius of C is defined to be \(\rho =\max \{d(x,C)\,|\,x\in \mathbb {F}_2^n\}\).

Definition 4

A binary code C is said to be k-systematic if there exists k positions \(i_1,\ldots ,i_k\) such that every element of \(\mathbb {F}_2^k\) appears in exactly one codeword of C in the specified positions. The set \( \{ i_1,i_2,\dots ,i_{k} \} \) is called an information set of C.

Let C be a binary k-systematic code. It follows from the definition that C has \(2^k\) codewords. Let \(c=(c_1,c_2,\dots ,c_{n})\in C\). The coordinates \( c_{i_1},c_{i_2},\dots ,c_{i_{k}} \) are called information bits and the remaining coordinates are called parity-check bits. Hence, if all of the parity-check bits of a binary k-systematic code are deleted, we obtain the code \(\mathbb {F}_2^k\).

A binary linear code C is a k-dimensional subspace of \(\mathbb {F}_2^n\). A binary linear code of length n, dimension k and minimum distance d is called an [nkd]-code. A \( k\times n \) matrix whose rows form a basis of C is called a generator matrix. The dual code of C is its \( (n-k) \)-dimensional dual space \( C^\perp =\{ x\in \mathbb {F}_2^n\,|\,c\cdot x=0, \forall c\in C \} \). Note that a binary linear code is k-systematic.

Let C be an (nMd) binary code and let

$$B_i=\frac{1}{|C|}\sum _{c\in C}|\{ x\in C\,|\,d(c,x)=i \}|.$$

The list \(B_1,B_2,\dots ,B_{n}\) is called the distance distribution of C. The homogeneous polynomial \(D_C(x,y)=\sum _{i=0}^{n}B_ix^{n-i}y^i \) is called the distance enumerator of C. The dual distance of an (nMd) binary code C is the smallest positive integer \(d'\) such that the coefficient of \( x^{n-d'}y^{d'} \) of \( D_C(x+y,x-y) \) is nonzero. In the case that C is linear, the dual distance is the same as the minimum distance of \(C^{\perp }\).

Due to the notion of equivalence of codes, we can assume that the information set of a given systematic code is the set \(\{1,\ldots ,k\}\). We also assume that the generator matrix of a given linear code is in standard form, i.e. \( [I_k\;|\;A] \) where \(I_k\) is the identity matrix of order k and A is a \(k\times (n-k)\) binary matrix.

We now proceed with the construction of cheating-immune schemes using binary systematic codes.

Lemma 2

([9]). Let C be a binary code of length s with dual distance \( d' \). Then, for every \( a\in \mathbb {F}_2^s \) such that \( 1\le wt(a)\le d'-1 \), the s-variable Boolean function \( \psi (x)=a\cdot x \) is still balanced when its domain is restricted to C.

Theorem 6

An MM function \( f(x,y)=x\cdot \phi (y)\oplus g(y) \) satisfies SP(k) if the (ts) -vectorial function \( \phi \) is injective and the code \( \phi (\mathbb {F}_2^t) \) has minimum distance \( d\ge k \) and dual distance \( d'\ge k+1 \).

Proof

We will show that the conditions of Theorem 5 are satisfied. For any \( a\in \mathbb {F}_2^s \) such that \( 1\le wt(a)\le k \), the s-variable Boolean function \( \psi (x)=a\cdot x \) is balanced on \( \phi (\mathbb {F}_2^t) \) (because \( k\le d'-1 \)) thanks to Lemma 2. Since \( \phi \) is injective, for any \( z\in \phi (\mathbb {F}_2^t) \), there is a unique \( y\in \mathbb {F}_2^t \) such that \( z=\phi (y) \). Thus, the composition \( (\psi \circ \phi )(y)=a\cdot \phi (y) \) is balanced on \( \mathbb {F}_2^t \). For any \( y,z\in \mathbb {F}_2^t \) with \( wt(y\oplus z)\ge 1 \), \( wt(\phi (y)\oplus \phi (z))\ge k \) because \( \phi \) is injective and \( \phi (\mathbb {F}_2^t) \) has minimum distance \( d\ge k \).

Theorem 7

Let C be an \( (s,2^t,d) \) binary t-systematic code with dual distance \(d'\) and covering radius \( \rho \). Let \( k=\min \{ d,d'-1,\rho -1 \} \) and \( \alpha \in \mathbb {F}_2^s \) such that \( d(\alpha ,C)\ge k+1 \). Define the (ts)-vectorial function \(\phi (x)=\alpha \oplus (x,u(x))\) where u(x) is vector of \((s-t)\) parity-check bits of a codeword of C whose t information bits are represented by the vector x. Let g be an arbitrary t-variable Boolean function. Then the MM function \(f(x,y)=x\cdot \phi (y)\oplus g(y)\) defines a k-CI \((s+t,s+t)\)-SSS.

Proof

For every \( y\in \mathbb {F}_2^t \), \( wt(\phi (y))\ge d(\alpha ,C)=k+1 \). By Theorem 4, f is k-resilient. The code \( \phi (\mathbb {F}_2^t)=\alpha \oplus C \) has the same minimum distance \( d\ge k \) and the same dual distance \( d'\ge k+1 \) as C. By Theorem 5, f satisfies SP(k) . Due to Theorem 1, the \( (s+t,s+t) \)-SSS defined by f is k-CI.

We present examples of schemes obtained using the preceding theorem. The computations were performed using Magma [5]. In case that C is linear with generator matrix G, the function \(\phi \) can be written as \(\phi (y)=\alpha \oplus yG\). Then the defining function f will be \( f(x,y)=x\cdot (\alpha \oplus yG)\oplus g(y)\).

Example 1

(a new scheme). Let C be the [12, 5, 4] binary linear code with dual distance \(d'=4\), covering radius \(\rho =4\) and generator matrix

Using \(\alpha =(0,0,0,0,0,0,1,1,1,0,1,0)\) with \(d(\alpha ,C)=4\), we obtain a 3-CI (17, 17)-SSS.

Example 2

(using some classes of linear codes)

  1. a.

    1-CI \( (m+1,m+1) \)-SSS: For \( m\ge 4 \), let \( C=\mathcal {R}_m \), the [m, 1, m] binary repetition code with dual distance \( d^\perp =2 \) and covering radius \( \rho =\lfloor \frac{n}{2}\rfloor \). Choose \( \alpha \) such that \( d(\alpha ,C)=2 \).

  2. b.

    2-CI \( (2^m+m-1,2^m+m-1) \)-SSS: For \( m\ge 3 \), let \( C=\mathcal {S}_m \), the \( [2^m-1,m,2^{m-1}] \) binary Simplex code with dual distance \( d^\perp =3 \) and covering radius \( \rho =2^{m-1}-1 \). Choose \( \alpha \) such that \( d(\alpha ,C)=3 \).

  3. c.

    3-CI \( (2^m+m+1,2^m+m+1) \)-SSS: For \( m\ge 4 \), let \( C=\mathcal {R}(1,m) \), the \( [2^m,m+1,2^{m-1}] \) first-order Reed-Muller code with dual distance \( d^\perp =4 \) and covering radius \( 2^{m-1}-2^{\lceil m/2\rceil -1}\le \rho \le 2^{m-1}-2^{m/2-1} \) [17]. Choose \( \alpha \) such that \( d(\alpha ,C)\ge 4 \).

Example 3

(using nonlinear codes). For even integer \(m\ge 4\), there exists two well-known classes of binary nonlinear systematic codes [20]:

  1. i.

    \((2^m,2^{2m},2^{m-1}-2^{\frac{m}{2}-1}) \) Kerdock code \( \mathcal {K}(m) \) with dual distance 6 and covering radius \( 2^{m-1}-2^{\frac{m}{2}-1}\)

  2. ii.

    \( (2^m,2^{2^m-2m},6) \) Preparata code \( \mathcal {P}(m) \) with dual distance \( 2^{m-1}-2^{\frac{m}{2}-1} \) and covering radius 3.

We use these codes to obtain the following schemes:

  1. a.

    2-CI \( (2^{m+1}-2m,2^{m+1}-2m) \)-SSS: For even integer \( m\ge 4 \), let \( C=\mathcal {P}(m) \) and choose \(\alpha \in \mathbb {F}_2^m\) such that \(d(\alpha ,\mathcal {P}(m))=3\).

  2. b.

    5-CI \( (2^m+2m,2^m+2m) \)-SSS: For even integer \( m\ge 6 \), let \( C=\mathcal {K}(m) \) and choose \( \alpha \in \mathbb {F}_2^m \) such that \( d(\alpha ,\mathcal {K}(m))=6 \).

6 Strictly Cheating-Immune SSS

Here we consider the construction of strictly cheating-immune SSS from the class of Maiorana-McFarland Boolean functions. The goal is to construct functions satisfying the conditions given by Theorem 2. The next theorem talks about the strengthened propagation property.

Theorem 8

Let \( f(x,y)=x\cdot \phi (y)\oplus g(y) \) be an MM function satisfying the following conditions:

  1. 1.

    for any \( a\in \mathbb {F}_2^s \) with \( 1\le wt(a)\le k \), the function \(a\cdot \phi (y) \) on \( \mathbb {F}_2^t \) is \( (k-1) \)-resilient;

  2. 2.

    for any \( y,z\in \mathbb {F}_2^t \) if \( 1\le wt(y\oplus z)\le k \), we have \( wt(\phi (y)\oplus \phi (z))\ge k \).

Then, for any integer l with \( 0\le l\le k-1 \), every function obtained from f by keeping any l input variables constant satisfies \( SP(k-l) \).

Proof

Let \( z=(x,y) \). For any integer l with \( 0\le l\le k-1 \), we denote by \( \underline{x}\) and \( \underline{y}\) the vectors obtained from x and y by fixing u and v coordinates constant such that \( u+v=l \). If we let \( \underline{z}=(\underline{x},\underline{y}) \) then \( f(\underline{z}) \) is the \( (s+t-l) \)-variable Boolean function obtained from f by fixing l input variables.

Now we show that \( f(\underline{z}) \) satisfies \( SP(k-l) \). Let \( \delta ,\tau \in \mathbb {F}_2^n \), \(n=s+t\), such that \( \tau \preceq \delta , 1\le wt(\delta )\le k-l \) and the set of nonzero coordinates of \( \delta \) is a subset of the nonconstant coordinates of \( \underline{z}\). We write \( \delta =(\delta ^{\underline{x}},\delta ^{\underline{y}}) \) and \( \tau =(\tau ^{\underline{x}},\tau ^{\underline{y}}) \) where \( \delta ^{\underline{x}} \) and \( \tau ^{\underline{x}} \) are the first s coordinates of \( \delta \) and \( \tau \), and \( \delta ^{\underline{y}} \) and \( \tau ^{\underline{y}} \) are the remaining t coordinates of \( \delta \) and \( \tau \), respectively.

Define \(h(\underline{z}_\delta ^-) = f(\underline{z}_\delta ^-\oplus \tau )\oplus f(\underline{z}_\delta ^-\oplus \tau \oplus \delta ) \). Then \(h(\underline{z}_\delta ^-)= \underline{x}_{\delta ^{\underline{x}}}^-\cdot a(\underline{y}_{\delta ^{\underline{y}}}^-)\oplus b(\underline{y}_{\delta ^{\underline{y}}}^-)\) where

$$\begin{aligned} a(\underline{y}_{\delta ^{\underline{y}}}^-)= & {} \phi (\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}})\oplus \phi (\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}}\oplus \delta ^{\underline{y}})\\ b(\underline{y}_{\delta ^{\underline{y}}}^-)= & {} \tau ^{\underline{x}}\cdot \phi (\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}})\oplus (\tau ^{\underline{x}}\oplus \delta ^{\underline{x}})\cdot \phi (\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}}\oplus \delta ^{\underline{y}})\oplus \\&g(\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}})\oplus g(\underline{y}_{\delta ^{\underline{y}}}^-\oplus \tau ^{\underline{y}}\oplus \delta ^{\underline{y}}) \end{aligned}$$

  • Case 1. If \( \delta ^{\underline{y}}=0 \) then \( \underline{y}_{\delta ^{\underline{y}}}^-=\underline{y}, \tau ^{\underline{y}}=0 \) and \( 1\le wt(\delta ^{\underline{x}})=wt(\delta )\le k-l\le k \). By the first condition, \( \delta ^{\underline{x}}\cdot \phi (y) \) is \( (k-1) \)-resilient. In addition, \( v=l-u\le l\le k-1 \). Hence, \( h(\underline{z}_\delta ^-)=\delta ^{\underline{x}}\cdot \phi (\underline{y}) \) is balanced because it is obtained from the function \( \delta ^{\underline{x}}\cdot \phi (y) \) by fixing v input variables constant.

  • Case 2. If \( \delta ^{\underline{y}}\ne 0 \) then \( 0\le wt(\delta ^{\underline{x}})<wt(\delta )\le k-l\). Hence, the number of constant coordinates of \( \underline{x}_{\delta ^{\underline{x}}}^-\) is \( u+wt(\delta ^{\underline{x}})\le l+(k-l-1)=k-1 \). For every substitution of the \( t-v-wt(\delta ^{\underline{y}}) \) variables in \( \underline{y}_{\delta ^{\underline{y}}}^-\), by the second condition, \( wt(a(\underline{y}_{\delta ^{\underline{y}}}^-))\ge k \). Hence, the function obtained from \( h(\underline{z}_\delta ^-) \) by the substitution is a non-constant affine function which is balanced. Therefore, \( h(\underline{z}_\delta ^-) \) is balanced by Lemma 1.

In conclusion, the function \( f(\underline{z}) \) satisfies \( SP(k-l) \).

An (st) -vectorial function \( \phi \) is balanced if for every \( y\in \mathbb {F}_2^t \), \( |\phi ^{-1}(y)|=2^{s-t} \). The function \(\phi \) is said to be k-resilient if it is balanced and every function obtained from \( \phi \) by keeping k input variables constant is balanced.

Lemma 3

([3]). Let \( \phi \) be a (tr) -vectorial k-resilient function and \( \psi \) be an (rs) -vectorial balanced function. Then the (ts) -vectorial function \( \psi \circ \phi \) is k-resilient.

We now look at the construction of a function \(\phi \) satisfying the conditions of Theorem 8. Similar to [9], we split \( \phi \) into a composition of two simpler vectorial functions.

Theorem 9

Suppose that \( \phi =\phi _2\circ \phi _1 \) where \( \phi _1 \) is a (tr) -vectorial function and \( \phi _2 \) is an (rs) -vectorial function with the following properties:

  1. 1.
    1. (a)

      \( \phi _1 \) is \( (k-1) \)-resilient;

    2. (b)

      for any \( y,z\in \mathbb {F}_2^t \) with \( 1\le wt(y\oplus z)\le k \), we have \( wt(\phi _1(y)\oplus \phi _1(z))\ge 1 \);

  2. 2.
    1. (a)

      for any \( a\in \mathbb {F}_2^s \) with \( 1\le wt(a)\le k \), the function \( a\cdot \phi _2(y) \) is balanced;

    2. (a)

      for any \( y,z\in \mathbb {F}_2^r \) with \( wt(y\oplus z)\ge 1 \), we have \( wt(\phi _2(y)\oplus \phi _2(z))\ge k \).

Then \( \phi \) satisfies the condition of Theorem 8.

Proof

From 1(a) and 2(a) , for any \( a\in \mathbb {F}_2^s \) with \( 1\le wt(a)\le k \), \( a\cdot \phi (y)=a\cdot (\phi _2\circ \phi _1)(y)=(a\cdot \phi _2)\circ \phi _1(y) \) is \( (k-1) \)-resilient thanks to Lemma 3. Hence, the first condition of Theorem 8 is satisfied. The 1(b) and 2(b) trivially imply the second condition of Theorem 8.

Next, we use binary systematic codes to construct \( \phi _1 \) and \( \phi _2 \). First we recall a connection between codes and orthogonal arrays. A binary \( (n,k,\lambda ) \)-orthogonal array is a \( \lambda 2^k\times n \) array such that for any k columns, every element of \( \mathbb {F}_2^k \) appears in exactly \( \lambda \) rows. A binary orthogonal array is said to be simple if no two rows are identical. A large set of binary \( (n,k,\lambda ) \)-orthogonal arrays is a set of \( 2^{n-k}/\lambda \) simple \( (n,k,\lambda ) \)-orthogonal arrays such that every element of \( \mathbb {F}_2^n \) appears in exactly one of the \( (n,k,\lambda ) \)-orthogonal arrays in the set.

Lemma 4

[15]. An \( (n,2^k,d) \)-binary k-systematic code C with dual distance \( d' \) is also a binary \( (n,d'-1,2^{k-d'+1}) \)-orthogonal array.

A relation between resilient functions and orthogonal arrays is given by the following lemma:

Lemma 5

[31]. A k-resilient (tr) -vectorial function is equivalent to a large set of binary \( (t,k,2^{t-r-k}) \)-orthogonal arrays.

The next two results concern the functions \(\phi _1\) and \(\phi _2\).

Theorem 10

Let \( C_1 \) be a \( (t,2^{t-r},d_1) \)-binary \( (t-r) \)-systematic code with \( d_1\ge k+1 \) and dual distance \( d_1'\ge k \). Let \( \phi _1(x,y)=u(x)\oplus y \) be a (tr) -vectorial function where \( x\in \mathbb {F}_2^{t-r},y\in \mathbb {F}_2^r \) and u(x) is vector of parity-check bits of a codeword of \(C_1\) whose information bits are represented by the vector x. Then \( \phi _1 \) has the following properties:

  1. 1.

    \( \phi _1 \) is \( (k-1) \)-resilient; and

  2. 2.

    for any \( y,z\in \mathbb {F}_2^t \) with \( 1\le wt(y\oplus z)\le k \), we have \( wt(\phi _1(y)\oplus \phi _1(z))\ge 1 \).

Proof

For any \( z\in \mathbb {F}_2^r \), consider \( \phi _1^{-1}(z)=\{ (x,y)\,|\,\phi _1(x,y)=z,x\in \mathbb {F}^{t-r}\text { and }y\in \mathbb {F}^r \} \). Since \( \phi _1(x,y)=z \Leftrightarrow y=u(x)\oplus z \), we get \( \phi _1^{-1}(z)=\{ (x,u(x)\oplus z)\,|\,x\in \mathbb {F}_2^{t-r} \} \). Let \( \mathbf 0 \in \mathbb {F}_2^{t-r} \) be the zero vector of length \( t-r \). Then \( \phi _1^{-1}(z)=(\mathbf 0 ,z)\oplus C_1 \) is a \( (t,2^{t-r},d_1) \)-binary \( (t-r) \)-systematic code with dual distance \( d_1' \). By Lemma 4, \( \phi _1^{-1}(z) \) is a binary \( (t,d_1'-1,2^{t-r-d_1'+1}) \)-orthogonal array. It is also a binary \( (t,k-1,2^{t-r-k+1}) \)-orthogonal array since \( k\le d_1' \). By Lemma 5, \( \phi _1 \) is \( (k-1) \)-resilient.

For any \( y,z\in \mathbb {F}_2^t \) with \( 1\le wt(y\oplus z)\le k \), suppose that \( wt(\phi _1(y)\oplus \phi _1(z))=0 \). It follows that \( y,z\in \phi _1^{-1}(w) \) for some \( w\in \mathbb {F}_2^r \). Since \(\phi _1^{-1}(w)=(\mathbf 0 ,w)\oplus C_1 \) has minimum distance \( d_1\ge k+1 \), we obtain \( wt(y\oplus z)\ge k+1 \), a contradiction. Consequently, \( wt(\phi _1(y)\oplus \phi _1(z))\ge 1 \).

Theorem 11

Let \( C_2 \) be an \( (s,2^r,d_2) \)-binary r-systematic code with \( d_2\ge k \) and dual distance \( d_2'\ge k+1 \). Let \( \phi _2(y)=\alpha \oplus (y,v(y)) \) where \( y\in \mathbb {F}_2^r,\alpha \in \mathbb {F}_2^s \) and v(y) is a vector of parity-check bits of a codeword of \(C_2\) whose information bits are represented by the vector y. Then \( \phi _2 \) has the following properties:

  1. 1.

    for any \( a\in \mathbb {F}_2^s \) with \( 1\le wt(a)\le k \), the function \( a\cdot \phi _2(y) \) is balanced; and

  2. 2.

    for any \( y,z\in \mathbb {F}_2^r \) with \( wt(y\oplus z)\ge 1 \), we have \( wt(\phi _2(y)\oplus \phi _2(z))\ge k \).

Proof

For an arbitrary \( \alpha \in \mathbb {F}_2^s \), \( \phi _2 \) is injective (see the proof of Theorem 6).

We now present a construction of strictly cheating-immune schemes from Maiorana-McFarland functions.

Theorem 12

Let \( C_1=\{(x,u(x))\,|\,x\in \mathbb {F}_2^{t-r}\} \) be a \( (t,2^{t-r},d_1) \)-binary \( (t-r) \)-systematic code with dual distance \( d_1' \) and let \( \phi _1(x,y)=u(x)\oplus y \) be a (tr) -vectorial function where \( x\in \mathbb {F}_2^{t-r},y\in \mathbb {F}_2^r \). Suppose that \( C_2=\{(x,v(x))\,|\,x\in \mathbb {F}_2^r\} \) is an \( (s,2^r,d_2) \)-binary r-systematic code with dual distance \( d_2' \) and covering radius \( \rho \). Let \( k=\min \{ d_1-1,d_1'd_2,d_2'-1,\rho -1 \} \) and let \( \phi _2(y)=\alpha \oplus (y,v(y)) \) be a (rs) -vectorial function where \( y\in \mathbb {F}_2^r,\alpha \in \mathbb {F}_2^s \) such that \( d(\alpha ,C_2)\ge k+1 \). Define \( \phi =\phi _2\circ \phi _1 \) and \( f(x,y,z)=x\cdot \phi (y,z)\oplus g(y,z) \) where \( x\in \mathbb {F}_2^s \) and g is an arbitrary t-variable Boolean function. Then the MM function f defines a k-CI \((s+t,s+t)\)-SSS.

Proof

Since \( \phi (\mathbb {F}_2^t)=\alpha \oplus C_2 \) then for any \((y,z)\in \mathbb {F}_2^t \) we must have \( wt(\phi (y,z))\ge k+1\). By Theorem 4, f is k-resilient. The functions \( \phi _1 \) and \( \phi _2 \) satisfy the conditions of Theorems 10 and 11 respectively. Hence, they also satisfy the conditions of Theorem 9. Thus, \( \phi \) satisfies the conditions of Theorem 8. Due to Theorem 2, the \( (s+t,s+t) \)-SSS defined by f is k-CI.

If \( C_1 \) and \( C_2 \) are linear codes with generator matrices \(G_1=[I_{t-r}\;|\;A]\) and G, respectively, then \( \phi _1(y,z)=yA\oplus z \) and \( \phi _2(y)=yG \). Thus, the defining function f can be written as \( f(x,y,z)=x\cdot (\alpha \oplus (yA\oplus z)G)\oplus g(y,z) \).

Example 4

(new schemes)

  1. a.

    Strictly 2-CI (13, 13) -SSS: Let \( C_1 \) be a [6, 3, 3] binary self-dual code and \( C_2 \) be the [7, 3, 4] binary Simplex code with \( d_2^\perp =3 \) and covering radius \( \rho =3 \). Consider a generator matrix \( G_1=[I_3\;|\;A] \) of \(C_1\) and a generator matrix G of \(C_2\) where

    Choose \( \alpha =(0,0,1,0,1,1,0) \), then \( d(\alpha ,C_2)=3 \).

  2. b.

    Strictly 3-CI (21, 21) -SSS: Let \( C_1 \) be a [9, 4, 4] binary linear code with \( d_1^\perp =3\) and \( C_2 \) be a [12, 5, 4] binary linear code with \( d_2^\perp =4 \) and covering radius \( \rho =4 \). We use generator matrices \(G_1=[I_4\;|\;A]\) and G where

    Choose \( \alpha =(0,0,0,0,0,0,1,1,1,0,1,0) \), then \( d(\alpha ,C_2)=4 \).

  3. c.

    Strictly 3-CI (22, 22) -SSS: Let \( C_1 \) be a [10, 5, 4] binary self-dual code and \( C_2 \) be a [12, 5, 4] binary linear code with \( d_2^\perp =4 \) and covering radius \( \rho =4\). We use generator matrices \(G_1=[I_5\;|\;A]\) and G where

    Choose \( \alpha =(0,0,0,0,0,0,1,1,1,0,1,0) \), then \( d(\alpha ,C_2)=4 \).

  4. d.

    Strictly 3-CI (23, 23) -SSS: Let \( C_1 \) be an [11, 6, 4] binary linear code with \( d_1^\perp =3 \) and generator matrix \( G_1=[I_6\;|\;A] \) and \( C_2 \) be a [12, 5, 4] binary linear code with \(d_2^\perp =4 \), covering radius \( \rho =4 \) and generator matrix G where

    Choose \( \alpha =(0,0,0,0,0,0,1,1,1,0,1,0) \), then \( d(\alpha ,C_2)=4 \).

Example 5

(using nonlinear codes)

  1. a.

    \(\underline{{\text {Strictly }} 2{\text {-CI }} (2^{m+1},2^{m+1}){\text {-SSS}}}\): For even integer \( m\ge 4 \), let \( C_1=\mathcal {K}(m) \) and \( C_2=\mathcal {P}(m) \). Choose \( \alpha \in \mathbb {F}_2^{m} \) such that \( d(\alpha ,C_2)=3 \).

  2. b.

    \(\underline{{\text {Strictly }} 5 \text {-CI } (2^{m+1},2^{m+1}) \text {-SSS}}\): For even integer \( m\ge 6 \), let \( C_1=\mathcal {P}(m) \) and \( C_2=\mathcal {K}(m) \). Choose \( \alpha \in \mathbb {F}_2^{m} \) such that \( d(\alpha ,C_2)\ge 6 \).

7 Concluding Remarks

We showed that cheating-immune secret sharing schemes can be obtained from the class of Maiorana-MacFarland Boolean functions. We presented one new cheating-immune scheme, \( k=3 \) for \( n=17 \) and four new strictly cheating-immune schemes, \( k=2 \) for \( n=13 \) and \( k=3 \) for \( n=21,22,23 \). We also gave constructions of (strictly) cheating-immune secret sharing schemes from some well-known classes of binary nonlinear codes. There are still open cases in the construction of (nn) cheating-immune secret sharing schemes. Another open problem is the construction of cheating-immune schemes for other access structures.