1 Introduction

Secret sharing schemes allow a dealer, \({D}\), to split a secret s into n shares \(s_1, \dots , s_n\) and distribute these shares to a set \(\mathcal {P}\) of n users, \({P}_1, \dots , {P}_n\), according to an access structure \(\varGamma \subset 2^{\mathcal {P}}\) such that a subset \(\mathcal {A}\subseteq \mathcal {P}\) of users can form the secret using their shares if and only if \(\mathcal {A}\in \varGamma \). Moreover the secret sharing scheme is called a (t, n) threshold secret sharing scheme if the access structure \(\varGamma \) is defined by

$$ \mathcal {A}\in \varGamma ~\Longleftrightarrow ~ |\mathcal {A}| \ge t \,, $$

for some \(t \in \{1, 2, \dots , n\}\). Otherwise it is called a generalized secret sharing scheme.

Blakley [2] and Shamir [13] independently proposed secret sharing schemes in 1979. Shamir’s scheme uses standard Lagrange interpolation and linear algebra, whereas Blakley’s scheme uses the intersection of hyperplanes in finite geometries. Both are threshold secret sharing schemes: a group of users can recover the secret if and only if its size reaches the threshold. Ito et al. [8] introduced the notion of a secret sharing scheme with a generalized access structure, in which arbitrary subsets of users (irrespective of each subset’s size) can find the secret. They proposed a scheme in which the dealer assigns several copies of a (t, n)-threshold secret sharing scheme to every user. The dealer chooses two positive integers m and t and a prime power q satisfying \(t \le m < q\) and

  • chooses \(\alpha _{t-1} \in {{\,\mathrm{GF}\,}}(q) - \{0\}\) and \(\alpha _1, \dots , \alpha _{t-2}\) from \({{\,\mathrm{GF}\,}}(q)\) and computes \(f(x) = s + \alpha _1x + \alpha _2x^{2} + \dots + \alpha _{t-1}x^{t-1}\), where \({{\,\mathrm{GF}\,}}(q)\) is the Galois Field of order q and \(f(0) = s \in {{\,\mathrm{GF}\,}}(q)\) is the secret;

  • chooses \(x_1, \dots , x_m \in {{\,\mathrm{GF}\,}}(q) - \{0\}\) and computes \(s_j = f(x_j)\) (\(1 \le j \le m\));

  • and finally, assigns a subset \(S_i \subset \{ (x_1,s_1), \dots , (x_m, s_m) \}\) to the user \({P}_i\), \(1 \le i \le n\).

The access structure of this scheme contains all those sets for which the size of the union of the users’ shares is \({\ge }t\). In the worst case, the share size is exponential in the size of the set of users. Benaloh and Leichter [1] proposed a secret sharing scheme with a generalized access structure which is simpler than Ito et al.’s scheme [8]. Their construction uses the monotonicity property inherent in secret sharing schemes: they compose multiple schemes with simple access structures and thereby realize every access structure that can be defined by a small monotone formula. Although this scheme is simpler and more efficient than Ito et al.’s scheme [8], the share length is still exponential in the number of users.

Returning to the secret sharing scheme proposed by Shamir, note that although a cheating user cannot recover the secret by providing an incorrect share, he can mislead the honest users into recovering a wrong key. Various ways of detecting and correcting the secret have been suggested. Some assume that there are only t shareholders for secret recovery and, to check that the shares are not fake, have the dealer give additional information, such as check vectors that act as a kind of certificate for each user. Others have suggested using error correcting codes, where fake shares are treated as errors and corrected as in the error correction of codes. Most of the initial schemes had concerns over cheater detection and identification and relied on trusted third parties (combiners and dealers). Lein et al. [6] proposed a modification of Shamir’s scheme [13] which allows cheater detection and identification. If \(m > t\) users come together, where t is the threshold, then there are \(\left( {\begin{array}{c}m\\ t\end{array}}\right) \) ways for the users to pool their shares, and for each such way a degree \(t-1\) recovery polynomial can be constructed through interpolation. The original polynomial can then be compared with the interpolated polynomials. Users who belong to a majority of the groups that could not recover the original polynomial are marked as possible cheaters, and the shares are corrected recursively until no cheater is left. This cheater detection and identification algorithm trades space and time complexity for secret recovery.

Researchers also observed that, instead of using arbitrary matrices, using linear codes provides the following advantages:

  • A single generator matrix is sufficient to represent them.

  • They enable easy transmission and easier error detection.

  • Even though features for cheater detection, identification, and verification were added, schemes were still efficient.

McEliece and Sarwate [10] constructed a secret sharing scheme from Reed-Solomon codes and showed it to be essentially the same as the Shamir threshold scheme [13]. Later, Massey [9] gave a general construction of linear secret sharing schemes from linear codes (or linear matroids). Blakley and Kabatiansky [3] and Dijk [4] generalized Massey’s scheme to multidimensional subspaces instead of vectors. Pieprzyk and Zhang [12] used Maximum Distance Separable (\({{\,\mathrm{MDS}\,}}\)) codes to construct a secret sharing scheme in which the dealer chooses an \({{\,\mathrm{MDS}\,}}\) matrix \(G\) of dimension \((t \times n)\) along with a message vector \(\mathbf {v}\) of dimension \(1 \times t\). The dealer then finds the desired codeword by computing \(\mathbf {v}\times G\). The secret is the first element of the codeword.

It was shown in [9] that the access structure of the resulting secret sharing schemes is determined by the minimal codewords in the dual code. However, determining the minimal codewords in a linear code and hence, the access structure, is hard. Dodunekov [5] proposed using \({{\,\mathrm{NMDS}\,}}\) codes instead of \({{\,\mathrm{MDS}\,}}\) codes to construct a secret sharing scheme while observing the following advantages:

  • They are less space consuming and easier to implement.

  • Their access structure is richer than \({{\,\mathrm{MDS}\,}}\) secret sharing.

  • The generator matrix of the code is hard to identify by an adversary.

  • They share the same cheating detection and cheater identification properties as \({{\,\mathrm{MDS}\,}}\) code based schemes.

Mehta et al. [11] proposed an \({{\,\mathrm{NMDS}\,}}\) code-based secret sharing scheme having a richer access structure than the traditional (t, n) threshold secret sharing schemes, with an access structure constructed using two mutually nonmonotonic sets of user groups of sizes t and \(t-1\) respectively, where n is the total number of users.

1.1 Our Contribution

We propose an efficient generalized secret sharing scheme based on \({{\,\mathrm{N^{\mu }MDS}\,}}\) codes. The use of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices allows authorized sets of varying sizes, giving the scheme a generalized and richer access structure. The proposed secret sharing scheme is perfect and ideal and has robust cheating detection and cheater identification features. The time complexity of the share distribution and secret recovery phases is just \(O(n^3)\), where n is the number of users. The proposed scheme has a finer access structure and provides a direction towards a fully generalized secret sharing scheme. The scheme constructs the access structure using \(\mu +1\) mutually nonmonotonic sets of user groups of sizes \(t, t-1, \dots , t-\mu \), respectively, where \(1 \le \mu < t\), and the parameter t defines the threshold such that all user groups of size greater than t can recover the secret.

2 Preliminaries

We denote the Galois Field, \({{\,\mathrm{GF}\,}}(q)\), of order q, where \(q = p^{m}\) is a prime power, by \(\mathbb {F}_q\). For \(a_i \in \mathbb {F}_q\), \(1 \le i \le n\), \((a_1,\dots ,a_n)\) denotes a vector in \(\mathbb {F}_q^n\). We will also use the same notation, \((a_1,\dots ,a_n)\), to denote an \(n \times 1\) matrix (column) over \(\mathbb {F}_q\). On the other hand, \([\, a_1 \;\; a_2 \;\; \dots \;\; a_{n-1} \;\; a_{n} \,]\) denotes a \(1 \times n\) matrix (row) over \(\mathbb {F}_q\). For vectors \(\mathbf {v}_i=(v_{i1},\dots ,v_{it}) \in \mathbb {F}_q^t\), \(1 \le i \le n\), \([\, \mathbf {v}_1 \;\; \mathbf {v}_2 \;\; \dots \;\; \mathbf {v}_{n-1} \;\; \mathbf {v}_{n} \,]\) denotes the \(t \times n\) matrix over \(\mathbb {F}_q\) formed by taking the \(\mathbf {v}_i\) as columns. For a \(t \times n\) matrix \(G\) over \(\mathbb {F}_q\), the ith column of \(G\) is denoted \(G[i] \in \mathbb {F}_q^{t}\), \(0 \le i \le n\).

2.1 Coding Theory

Definition 1

A non-empty subset \(\mathbf {C}\) of \(\mathcal {A}^n\), where \(\mathcal {A}= \{a_0, \dots , a_{q-1}\}\), is called a q-ary block code of length n over \(\mathcal {A}\), and a string in \(\mathbf {C}\) is called a codeword.

Definition 2

The number of positions in which two strings x and y differ is known as the Hamming distance d(x, y) between x and y. The minimum distance of a code \(\mathbf {C}\) is defined as

$$ d(\mathbf {C}) = \min _{x \ne y \in \mathbf {C}} d(x,y) \,.$$

Definition 3

A linear code, \(\mathbf {L}\), of length n is a linear subspace of \(\mathbb {F}_q^{n}\). If the dimension of \(\mathbf {L}\) is t then we call it an [n, t]-code (over \(\mathbb {F}_q\)). Further, if the minimum distance of \(\mathbf {L}\) is d then we call it an [n, t, d]-code (over \(\mathbb {F}_q\)).

Definition 4

The set of non-zero coordinate positions of a codeword \(c \in \mathbf {C}\) is called its support, \({{\,\mathrm{Supp}\,}}(c)\). The support of a code \(\mathbf {C}\), \({{\,\mathrm{Supp}\,}}(\mathbf {C})\), is defined as

$$ {{\,\mathrm{Supp}\,}}(\mathbf {C}) = \cup _{c \in \mathbf {C}} {{\,\mathrm{Supp}\,}}(c) \,. $$

Definition 5

The \(r^{th}\) generalized Hamming distance, \(d_{r}(\mathbf {C})\), of an [n, t]-code \(\mathbf {C}\) is the minimum cardinality of the support of an [n, r]-subcode of \(\mathbf {C}\), where \(1 \le r \le t\):

$$ d_{r}(\mathbf {C}) = \min \lbrace \vert {{\,\mathrm{Supp}\,}}\mathbf {D}\vert :\mathbf {D}\text { is } [n, r]_{q} \text { subcode of } \mathbf {C}\rbrace \,. $$

Remark 1

The Hamming distance of \(\mathbf {C}\) is its first generalized Hamming distance, \(d(\mathbf {C}) = d_{1}(\mathbf {C})\).

Definition 6

For an [n, t, d]-code \(\mathbf {C}\), the Singleton bound states that the parameters of \(\mathbf {C}\) must satisfy

$$ q^{t} \le q^{n-d+1} \,. $$

In other words, \(d \le n-t+1\).

Definition 7

The \(r^{th}\) generalized Singleton bound on \(d_r (\mathbf {C})\) states that

$$ d_{r} (\mathbf {C}) \le n-t+r \text { where } r = 1, 2, \dots , t \,. $$

Definition 8

A maximum distance separable (\({{\,\mathrm{MDS}\,}}\)) code is an [n, t]-linear code which achieves the Singleton bound, that is, it is an \([n, t,n-t+1]\)-code.

Proposition 1

For an [n, t, d] \({{\,\mathrm{MDS}\,}}\) code \(\mathbf {L}\) over \(\mathbb {F}_q\), let \(H\) be any parity check matrix of \(\mathbf {L}\) and let \(G= (I_t\mid A)\) be any generator matrix of \(\mathbf {L}\) in standard form (see Remark 2). Then

  1. Any \(n-t\) columns of \(H\) are linearly independent.

  2. Any t columns of \(G\) are linearly independent.

  3. Any square submatrix of \(A\) is nonsingular.

Definition 9

The class of [n, t]-codes with

$$ d_1(\mathbf {C}) = n-t $$

are called almost-MDS (\({{\,\mathrm{AMDS}\,}}\)) codes.

Definition 10

The class of [n, t]-codes with

$$\begin{aligned} d_{1} (\mathbf {C})&= n-t,&\\ \text {and } d_{i} (\mathbf {C})&= n-t+i,&\text {for } i=2,3,\dots ,t, \end{aligned}$$

are called near-MDS (\({{\,\mathrm{NMDS}\,}}\)) codes.

Definition 11

The class of [n, t]-codes with

$$\begin{aligned} d_{i} (\mathbf {C})&= n-t+2i - \mu - 1,&\text {for } i=1, 2, \dots , \mu \\ \text {and } d_{i} (\mathbf {C})&=n-t+i,&\text {for } i=\mu + 1,\dots , t, \end{aligned}$$

are called \({{\,\mathrm{N^{\mu }MDS}\,}}\) codes.
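Definitions 5 to 11 worked through on a constructed toy binary [6, 3] code, as an added example that is not from the paper: it computes the weight hierarchy \(d_1, \dots , d_t\) by brute force over the subcodes and reads off the \(\mu \) of Definition 11 (the formula with \(\mu = 0\) reproduces the MDS hierarchy of Definition 8 and with \(\mu = 1\) the NMDS hierarchy of Definition 10). The code and all function names are assumptions of this example.

```python
from itertools import combinations, product

# Constructed toy binary [6, 3] code (not from the paper): generator rows as 6-bit
# masks, leftmost coordinate = most significant bit, i.e. rows 100110, 010101, 001011.
N_BIN = 6
G_BIN = [0b100110, 0b010101, 0b001011]


def codewords(G):
    """All 2^t codewords of the binary code spanned by the t rows of G."""
    words = set()
    for coeffs in product((0, 1), repeat=len(G)):
        w = 0
        for c, row in zip(coeffs, G):
            if c:
                w ^= row
        words.add(w)
    return words


def independent(vectors):
    """Linear independence over GF(2): reduce each vector against a basis whose
    elements have distinct leading bits (XOR elimination); reducing to 0 means
    the vector already lies in the span of the previous ones."""
    basis = []
    for v in vectors:
        for b in basis:
            v = min(v, v ^ b)  # clears b's leading bit from v when it is set
        if v == 0:
            return False
        basis.append(v)
    return True


def generalized_weights(G, n):
    """d_r for r = 1..t (Def. 5): the minimum |Supp(D)| over all [n, r] subcodes D.
    An [n, r] subcode is spanned by r independent codewords, and Supp(D) is the
    union (bitwise OR) of the supports of any basis, so scanning the independent
    r-subsets of the nonzero codewords is enough."""
    words = sorted(codewords(G) - {0})
    d = []
    for r in range(1, len(G) + 1):
        best = n
        for subset in combinations(words, r):
            if independent(subset):
                supp = 0
                for w in subset:
                    supp |= w
                best = min(best, bin(supp).count("1"))
        d.append(best)
    return d


def singleton_ok(n, t, d):
    """Generalized Singleton bound (Def. 7): d_r <= n - t + r for every r."""
    return all(d[r - 1] <= n - t + r for r in range(1, t + 1))


def classify(n, t, d):
    """Smallest mu whose weight hierarchy matches Def. 11 (mu = 0 reproduces the
    MDS hierarchy of Def. 8, mu = 1 the NMDS one of Def. 10); None if no mu fits."""
    for mu in range(t):
        head = all(d[i - 1] == n - t + 2 * i - mu - 1 for i in range(1, mu + 1))
        tail = all(d[i - 1] == n - t + i for i in range(mu + 1, t + 1))
        if head and tail:
            return mu
    return None


if __name__ == "__main__":
    d = generalized_weights(G_BIN, N_BIN)
    print("weight hierarchy d_1..d_3:", d)  # [3, 5, 6]
    print("Singleton bound holds:", singleton_ok(N_BIN, len(G_BIN), d))
    print("mu =", classify(N_BIN, len(G_BIN), d))  # 1, i.e. an NMDS code
```

The toy code has \(d_1 = n-t = 3\) and \(d_2, d_3\) on the Singleton bound, so it is NMDS (\(\mu = 1\)); replacing the generator rows lets one test any small binary code the same way.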

Remark 2

For the purposes of this work, we will assume that the generator matrices \(G\) are in their standard form, that is, \(G= (I_t\mid A)\), where \(I_t\) is the identity matrix of size \(t \times t\). Moreover, the \({{\,\mathrm{MDS}\,}}\) (or the \({{\,\mathrm{N^{\mu }MDS}\,}}\)) matrices correspond to the matrix \(A\).

A detailed characterization of \({{\,\mathrm{N^{\mu }MDS}\,}}\) codes was provided in [14]. The relevant properties of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices required for this paper are as follows.

Proposition 2

(Properties of \({{\,\mathrm{N^{\mu }MDS}\,}}\) Codes). The matrix characterization of an \({{\,\mathrm{N^{\mu }MDS}\,}}\) code with a generator matrix \(G\) is as follows:

  1. For all \(i=1, 2, \dots , \mu \),

     (i) for \(i<l\le \min \{d_i-1,t\}\), every \((l-2i+2+\mu ,l)\) submatrix has rank \(\ge (l-i+1)\);

     (ii) there exists an l, \(i<l \le \min \{d_i,t\}\), and an \((l-2i+1+\mu , l)\) submatrix with rank equal to \((l-i)\).

  2. For all \(i=\mu + 1, \dots , t\),

     (i) for \(1 < l \le \min \{(n-t),(t - \mu )\}\), every \((l, l + \mu )\) submatrix has rank l.

Corollary 1

(Properties of \({{\,\mathrm{N^{\mu }MDS}\,}}\) Matrices.) The standard generator matrix for an [n, t] \({{\,\mathrm{N^{\mu }MDS}\,}}\) code has the following properties:

  1. Any \(t-\mu +2i\) columns of the generator matrix have rank \(\ge t-\mu +i\), where \(i=0, 1, \dots , \mu -1\).

  2. There exists a set of \(t-\mu +2i+1\) columns with rank \(t-\mu +i\), for \(i=0, 1, \dots , \mu -1\).

  3. Any \(t+\mu \) columns of the generator matrix have rank t and are linearly independent.

2.2 Secret Sharing

Let \(\mathcal {P}= \{{P}_1, \dots , {P}_n\}\) be a set of n users. We call a subset \(\mathcal {A}\) of \(\mathcal {P}\) a group of users.

Definition 12

A collection \(\varGamma \subseteq 2^{\mathcal {P}}\) is called monotone if \(\mathcal {A}\in \varGamma \) and \(\mathcal {A}\subseteq \mathcal {B}\) together imply \(\mathcal {B}\in \varGamma \).

Definition 13

We call two collections (sets) \(\mathcal {G}^i, \mathcal {G}^j\subseteq 2^{\mathcal {P}}\) mutually nonmonotonic sets if for all \(\mathcal {A}\in \mathcal {G}^i\), there is no \(\mathcal {B}\in \mathcal {G}^j\), such that \(\mathcal {B}\subset \mathcal {A}\) and vice versa.

Definition 14

\(\varGamma \subseteq 2^{\mathcal {P}}\) is called an access structure if it is a monotone collection such that only the subsets of users in \(\varGamma \) are authorized to recover the secret. Subsets not in \(\varGamma \) are termed unauthorized sets.

Definition 15

A distribution scheme is denoted by \(\varPi \), with \(\mathcal {S}\) the domain of secrets and \(\mathcal {R}\) a set of strings. For a secret \(t \in \mathcal {S}\) and a string \(r \in \mathcal {R}\) sampled according to \(\Delta \), where \(\Delta \) is the probability distribution on \(\mathcal {R}\), a share vector \(\varPi (t, r) = (s_1, s_2, \dots , s_j)\) is computed and each share \(s_j\) is communicated to \({P}_j\) via a secure channel.

Definition 16

A distribution scheme along with domain of secrets \(\mathcal {S}\) realizing access structure \(\varGamma \) is called a secret sharing scheme \(\varSigma = \langle \varPi , \Delta \rangle \).

Definition 17

A secret sharing scheme is correct if an authorized subset of users can always recover the secret. In other words, for any set \(\mathcal {A}\in \varGamma \), there exists a recovery function or algorithm \(\textsf {SRA}\) such that for a key \(k \in \mathcal {S}\),

$$ {{\,\mathrm{Pr}\,}}[\textsf {SRA}(\mathcal {A})\text { is }k] = 1 \,.$$

Definition 18

If \(\mathcal {T}\) is the set of all possible shares and \(\mathcal {S}\) is the set of all possible secrets, then the information rate \(\rho \) of the secret sharing scheme is defined to be

$$ \rho = \dfrac{\log (|\mathcal {S}|)}{\log (|\mathcal {T}|)} \,. $$

Definition 19

A secret sharing scheme is ideal if the set of all secrets, \(\mathcal {S}\), and the set of all shares, \(\mathcal {T}\), have the same cardinality. That is, a secret sharing scheme is ideal if its information rate is one.

Definition 20

A secret sharing scheme is perfect if an unauthorized group of users, \(\mathcal {C}\), cannot obtain any information about the secret from their pool of shares. That is, the probability of \(\mathcal {C}\) recovering the secret using their pool of shares is equal to the probability of recovering the secret without using their pool of shares. In other words, for any subset \(\mathcal {B}\not \in \varGamma \), any two secrets \(b, c \in \mathcal {S}\) and every possible share vector \(\langle s_j \rangle _{{P}_j \in \mathcal {B}}\),

$$ {{\,\mathrm{Pr}\,}}[\varPi (b, r)_{\mathcal {B}} = \langle s_j \rangle _{{P}_j \in \mathcal {B}}] = {{\,\mathrm{Pr}\,}}[\varPi (c, r)_{\mathcal {B}} = \langle s_j \rangle _{{P}_j \in \mathcal {B}}] $$

Definition 21

A secret sharing scheme \(\varSigma \) is said to be linear over \(\mathbb {F}_q\) if there exists a vector \(\mathbf {v}=(v_0, v_1, \dots , v_{t-1}) \in \mathbb {F}_q^t\) and a matrix \(A\in \mathbb {F}_q^{t \times n}\), such that \(\mathbf {v}\times A= (s_0, s_1, \dots , s_{n-1})\) where \(s_0\) is the secret and \((s_1, \dots , s_{n-1})\) is the share vector.

Definition 22

During the secret recovery phase of a secret sharing scheme by an authorized subset of users \(\mathcal {A}_c\), if a user \({P}_i\) provides a wrong share \(\hat{s}_i\) instead of the correct share \(s_i\) assigned to him by the dealer during the share distribution phase, then the subset may fail to recover the secret or, worse, recover a wrong secret. Such a user is called a cheater, and detecting the occurrence of such an attack is called cheating detection.

Definition 23

Identification, with negligible error probability \(\epsilon \), of the user(s) providing wrong inputs while recovering the secret is called cheater identification.

3 Proposed Secret Sharing Scheme

Though the scheme proposed in [11] has a richer access structure than the traditional (t, n) threshold secret sharing schemes, it only allows an access structure consisting of two mutually nonmonotonic sets of user groups of sizes t and \(t-1\), respectively. We propose a secret sharing scheme which admits a finer access structure based on \(\mu +1\), \(1 \le \mu \le n-t\), mutually nonmonotonic sets of user groups of sizes \(t-\mu +1+i\), \(1 \le i \le \mu +1\), respectively. The proposed scheme is based on the properties of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices, which allow us to have an access structure that is richer and independent of the field size.

3.1 Access Structure

The access structure of the proposed secret sharing scheme is defined using the properties of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices [14] and is a generalization of the one proposed in [11]. Let

$$ G= \left[ \, G[0] \;\; G[1] \;\; \dots \;\; G[{t-1}] \;\; G[{t}] \;\; \dots \;\; G[{n}] \, \right] $$

be a standard generator matrix of an \([n+1,t,n-t-\mu +2]\) \({{\,\mathrm{N^{\mu }MDS}\,}}\) code over \(\mathbb {F}_q\) where \(G[i] \in \mathbb {F}_q^{t}\), \(0 \le i \le n\).

Given a set \(\mathcal {P}\) of n users, \({P}_1, \dots , {P}_n\), we say that the column \(G[i]\) corresponds to the user \({P}_i\), and we define an access structure \(\varGamma _\mu \subset 2^{\mathcal {P}}\) consisting of \(\mu +1\) mutually nonmonotonic sets, namely \(\mathcal {G}^0\), \(\mathcal {G}^1\), ..., \(\mathcal {G}^\mu \), defined as follows:

  1. \(\mathcal {G}^i\), \(i < \mu \), consists of all groups of \((t\!-\!\mu \!+\!i)\) users whose corresponding columns in \(G\), together with the first column \(G[0]\), form \(t-\mu +i+1\) linearly dependent columns, such that for all \(\mathcal {A}\in \mathcal {G}^i\) there is no \(\mathcal {B}\in \mathcal {G}^j\), \(j < i\), with \(\mathcal {B}\subset \mathcal {A}\).

  2. \(\mathcal {G}^\mu \) consists of all groups of t users whose corresponding columns in \(G\) are linearly independent, such that for all \(\mathcal {A}\in \mathcal {G}^\mu \) there is no \(\mathcal {B}\in \mathcal {G}^j\), \(j < \mu \), with \(\mathcal {B}\subset \mathcal {A}\).

Note that the access structure \(\varGamma _\mu \) as defined above is a generalized access structure and satisfies the monotonicity property. Thus, the secret sharing scheme based on \(\varGamma _\mu \) is a generalized secret sharing scheme.

3.2 Share Construction

To compute the n shares of a given secret \(s_0 \in \mathbb {F}_q\), the dealer chooses \(t-1\) random elements \(\alpha _1, \dots , \alpha _{t-1}\) from \(\mathbb {F}_q\) and computes the codeword \((s_0, s_1, \dots , s_{n})\) by multiplying the t-length vector \((s_0,\alpha _1, \dots , \alpha _{t-1})\) by the generator matrix \(G\). That is,

$$ (s_0, s_1, \dots , s_{n}) = (s_0, \alpha _1, \dots , \alpha _{t-1}) \cdot G\,.$$

The elements \(s_i \in \mathbb {F}_q\), \(1 \le i \le n\), are the shares of the users \({P}_1, \dots , {P}_n\) respectively. We say that the first column of \(G\), \(G[0]\), corresponds to the secret \(s_0\) and the remaining columns \(G[i]\), \(1 \le i \le n\), correspond to the shares \(s_i\) of the users \({P}_i\).

3.3 Secret Recovery

The secret recovery algorithm \(\textsf {SRA}_\mu \) is similar to the method proposed in [11] with modifications in the algorithm to allow for recovery of secret by user subsets of various sizes. Given a set of m users \(\mathcal {B}= \{ {P}_{j_1}, \dots , {P}_{j_{m}} \} \in \varGamma _\mu \) and their respective shares \(\{s_{j_1}, \dots , s_{j_{m}}\}\), \(\textsf {SRA}_\mu \) computes the secret as follows:

  1. Construct the matrix

     $$ G^\prime = \left[ \, G[j_1] \;\; \dots \;\; G[j_m] \;\; G[0] \, \right] $$

     formed by the columns which correspond to the shares of the users and the column which corresponds to the secret.

  2. Row-reduce the matrix \(G^\prime \) so that its first \(\min (m, t)\) rows and columns form an identity matrix, and denote the last column of this row-reduced matrix by \(G[0]^\prime \).

  3. If \(m<t\), append \(t-m\) zeros to construct the pooled codeword

     $$\begin{aligned} \mathsf {pool}=(s_{t_0}, s_{t_1}, \dots , s_{t_{m-1}},0, \dots ,0) \end{aligned}$$

     and multiply \(\mathsf {pool}\) by \(G[0]^\prime \) to obtain the secret.

  4. Otherwise, multiply the sub-codeword \( (s_{t_0}, s_{t_1}, \dots , s_{t_{t-1}})\) by \(G[0]^\prime \) to obtain the secret.

Here, the \(t_i\)’s correspond to the \(\min (m, t)\) columns forming the identity matrix.
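The share construction of Sect. 3.2 and the recovery algorithm of Sect. 3.3 as an added worked example over \(\mathbb {F}_7\) that is not part of the paper: the generator matrix, secret and coefficients are constructed toy values, the matrix is not claimed to satisfy the \({{\,\mathrm{N^{\mu }MDS}\,}}\) characterization, and recovery is implemented as solving the linear system that the row reduction of \(G^\prime \) in Step 2 performs. The consistency check anticipates Sect. 4.1 by testing whether pooled shares agree with any codeword; all function names are assumptions of this example.

```python
from itertools import combinations

P = 7  # constructed toy prime field GF(7); the paper works over any GF(q)

# Constructed toy standard-form generator matrix G = (I_3 | A), t = 3, columns
# G[0..5]: G[0] corresponds to the secret, G[1..5] to users P_1..P_5 (n = 5).
# Not claimed to be N^mu MDS; it just yields authorized groups of two sizes.
G_TOY = [
    [1, 0, 0, 1, 1, 1],
    [0, 1, 0, 1, 2, 3],
    [0, 0, 1, 0, 4, 2],
]


def solve(A, b, p):
    """Solve A x = b over GF(p) by Gauss-Jordan elimination; return one solution
    (free variables set to 0) or None if the system is inconsistent."""
    rows, cols = len(A), len(A[0])
    M = [[x % p for x in row] + [b[i] % p] for i, row in enumerate(A)]
    pivots, r = [], 0
    for c in range(cols):
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        f = pow(M[r][c], p - 2, p)  # inverse of the pivot, p prime
        M[r] = [x * f % p for x in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                g = M[i][c]
                M[i] = [(x - g * y) % p for x, y in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
        if r == rows:
            break
    if any(M[i][cols] for i in range(r, rows)):  # a row 0 = nonzero: no solution
        return None
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = M[i][cols]
    return x


def column(G, j):
    return [row[j] for row in G]


def make_shares(G, p, secret, alphas):
    """Sect. 3.2: codeword (s_0, s_1, ..., s_n) = (s_0, alpha_1, ..., alpha_{t-1}) . G.
    Entry 0 is the secret, entries 1..n are the users' shares."""
    v = [secret] + list(alphas)
    assert len(v) == len(G), "message vector must have t entries"
    return [sum(v[r] * G[r][c] for r in range(len(G))) % p for c in range(len(G[0]))]


def recover(G, p, users, pooled):
    """Sect. 3.3 (SRA_mu): write G[0] as a combination of the users' columns
    G[j_1], ..., G[j_m] (what the row reduction of G' in Step 2 computes) and apply
    the same coefficients to the pooled shares. None means G[0] is outside their
    span, i.e. the group is unauthorized (Props. 3 and 4)."""
    C = [[G[r][j] for j in users] for r in range(len(G))]  # t x m
    a = solve(C, column(G, 0), p)
    if a is None:
        return None
    return sum(ak * sk for ak, sk in zip(a, pooled)) % p


def shares_consistent(G, p, users, pooled):
    """Cheating detection (Sect. 4.1): the pooled shares must be the restriction of
    some codeword, i.e. alpha . C = pooled must be solvable for a message vector
    alpha. A forged share can only be caught when the group's columns are dependent."""
    Ct = [[G[r][j] for r in range(len(G))] for j in users]  # m x t
    return solve(Ct, pooled, p) is not None


def minimal_authorized_groups(G, p):
    """The access structure of Sect. 3.1 by its minimal sets: groups whose columns
    span G[0] and contain no smaller such group (the mutually nonmonotonic G^i)."""
    n = len(G[0]) - 1
    minimal = []
    for size in range(1, n + 1):
        for grp in combinations(range(1, n + 1), size):
            if any(set(m) <= set(grp) for m in minimal):
                continue
            cols = [[G[r][j] for j in grp] for r in range(len(G))]
            if solve(cols, column(G, 0), p) is not None:
                minimal.append(grp)
    return minimal


if __name__ == "__main__":
    cw = make_shares(G_TOY, P, 5, (2, 3))  # constructed secret 5, alphas (2, 3)
    print("codeword", cw)  # [5, 2, 3, 0, 0, 3]
    print("minimal authorized groups", minimal_authorized_groups(G_TOY, P))
    print("users 1,3 recover", recover(G_TOY, P, (1, 3), (cw[1], cw[3])))  # 5
    forged = (cw[1], cw[2], (cw[3] + 1) % P, cw[4])  # P_3 hands in a forged share
    print("forged pool consistent?", shares_consistent(G_TOY, P, (1, 2, 3, 4), forged))
```

On this toy matrix the minimal authorized groups are one 2-user group and seven 3-user groups, the shape of two mutually nonmonotonic sets of sizes \(t-1\) and t, while \(\{P_1, P_2\}\) is unauthorized although it has the same size as the authorized pair.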

4 Analysis of the Proposed Scheme

Lemma 1

For any \((t-\mu +2i+1)\) linearly dependent columns of an \([n,t,n-t-\mu +1]\) \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrix, \(G\), with rank \((t-\mu +i)\) where \(0 \le i \le \mu -1\), each of the remaining \(n-(t-\mu +2i+1)\) columns is linearly independent of them.

Proof

Without loss of generality, suppose the given \((t-\mu +2i+1)\) linearly dependent columns with rank \((t-\mu +i)\) are \(G[0], G[1], \dots , G[{t-\mu +2i}]\) and let \(0 \le j \le (t -\mu +2i)\) be such that

$$ G[j] = \sum _{k=0, k\ne j}^{t-\mu +2i}a_kG[k], \text { not all } a_k=0 \,.$$

Now, suppose \(G[\ell ]\) is a column from the remaining \(n-(t -\mu +2i+1)\) columns of the matrix which is linearly dependent on the given \((t-\mu +2i+1)\) columns. That is,

$$ G[\ell ] = \sum _{k=0}^{t-\mu +2i}b_kG[k], \text { not all } b_k=0 \,.$$

Substituting the value of \(G[j]\), we get

$$ G[\ell ] = \sum _{k=0, k \ne j}^{t-\mu +2i}(a_kb_j+b_k)G[k], $$

where \(0 \le j \le t-\mu +2i\), not all \(a_k=0\) and not all \(b_k=0\). Hence \(G[\ell ]\) is a linear combination of the remaining \((t -\mu +2i)\) columns \(G[k]\) \((0\le k \le t-\mu +2i\), \(k\ne j)\).

Since both columns \(G[j]\) and \(G[\ell ]\) are linear combinations of the remaining \((t -\mu +2i)\) columns, the rank of these \((t -\mu +2i+2)\) columns is at most \((t -\mu +i)\). But, by Property 1 of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices (Corollary 1), any \((t -\mu +2i+2)\) columns have rank \(\ge (t -\mu +i+1)\). Thus our hypothesis is wrong and \(G[\ell ]\) must be linearly independent of the given \((t -\mu +2i+1)\) columns.

Proposition 3

There exists a group of \((t -\mu +2i+1)\) users, \(0 \le i \le \mu -1\) which is unauthorized.

Proof

By Lemma 1, for any \((t -\mu +2i+1)\) linearly dependent columns

$$ \{G[{j_1}], G[{j_2}], \dots , G[{j_{t-\mu +2i+1}}]\} $$

with rank \((t -\mu +i)\), the column \(G[0]\) is linearly independent of them. Thus the secret \(s_0\) cannot be recovered using just the shares

$$ \{s_{j_1}, s_{j_2}, \dots , s_{j_{t-\mu +2i+1}}\} \,.$$

Hence the users

$$ \{ {P}_{j_1}, \dots , {P}_{j_{t-\mu +2i+1}}\} $$

form an unauthorized set.

Proposition 4

There exists a group of \((t -\mu +2i)\) users, \(0 \le i \le \mu -1\) which is unauthorized.

Proof

If we take all columns except \(G[{j_\ell }]\), \(( 0 \le \ell \le (t -\mu +2i+1) )\), from the previous construction, we will get \((t -\mu +2i)\) linearly dependent columns

$$ \{G[{j_1}], \dots , G[{j_{\ell -1}}], G[{j_{\ell +1}}], \dots , G[{j_{(t -\mu +2i+1)}}]\} $$

with rank \((t -\mu +i)\), with the secret’s column \(G[0]\) being linearly independent from these \((t -\mu +2i)\) columns. Thus, the \((t -\mu +2i)\) users

$$ \{{P}_{j_1}, \dots , {P}_{j_{\ell -1}}, {P}_{j_{\ell +1}}, \dots , {P}_{j_{(t -\mu +2i+1)}}\} $$

form an unauthorized set.

Theorem 1

The proposed secret sharing scheme \(\varSigma _\mu \) is correct.

Proof

Let \(\mathcal {B}\in \varGamma _\mu \). Then \(\mathcal {B}\) is an authorized set and we show that \(\mathcal {B}\) can correctly recover the secret. Let \(s_{j_1}, \dots , s_{j_m}\) be the shares of the users in \(\mathcal {B}\), and \(s_0\) be the secret.


Case 1:

\(\mathcal {B}\) is from \(\mathcal {G}^i,i<\mu \): Note that, the column \(G[0]\) which corresponds to the secret \(s_0\) is linearly dependent on the columns which correspond to the users in \(\mathcal {B}\). Therefore, the algorithm \(\textsf {SRA}_\mu \) can find the coefficients \(a_i\)’s (by row-reducing the matrix formed by these columns and the column \(G[0]\)) such that

$$ s_0 = a_1s_{j_1} + a_2s_{j_2} + \dots + a_{t-\mu +i}s_{j_{t-\mu +i}} $$

and find the secret \(s_0\).

Case 2:

\(\mathcal {B}\) is from \(\mathcal {G}^\mu \): Since columns which correspond to the users in \(\mathcal {B}\) are t linearly independent columns of \(G\), any other column of \(G\), including the column \(G[0]\), must be linearly dependent on them. Thus, the algorithm \(\textsf {SRA}_\mu \) can find the coefficients \(a_i\)’s (by row-reducing the matrix formed by these columns and the column \(G[0]\)) such that

$$ s_0 = a_1s_{j_1} + a_2s_{j_2} + \dots + a_{t}s_{j_{t}} $$

and find the secret \(s_0\).

Case 3:

\(\mathcal {B}\) is a superset of a group in \(\mathcal {G}^i\) or \(\mathcal {G}^\mu \): If \(\mathcal {B}\) is a superset of a group in \(\mathcal {G}^i\), the users in \(\mathcal {B}\) have at least \(t-\mu +i\) linearly independent columns in \(G\) with the column \(G[0]\) being linearly dependent on them by definition of \(\mathcal {G}^i\). Therefore the algorithm \(\textsf {SRA}_\mu \), as in Case 1, can find the secret \(s_0\). Otherwise, if \(\mathcal {B}\) is a superset of a group in \(\mathcal {G}^\mu \), then we already have t linearly independent columns in \(G\) which correspond to the group in \(\mathcal {G}^\mu \) and the algorithm \(\textsf {SRA}_\mu \), as in Case 2, can find the secret \(s_0\).

Hence, if \(\mathcal {B}\) is an authorized set, then \({{\,\mathrm{Pr}\,}}[\textsf {SRA}_\mu (\mathcal {B})=s_0] = 1\) and hence the secret sharing scheme \(\varSigma _\mu \) is correct.

Theorem 2

The proposed secret sharing scheme \(\varSigma _\mu \) has perfect privacy.

Proof

Let \(\mathcal {B}\) be an unauthorized set of m users who try to recover the secret. Since the secret \(s_0\overset{{~}_{\$}}{\leftarrow }\mathbb {F}_q\) is chosen uniformly at random, the probability of randomly guessing the secret is 1/q. Also, since \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices have a high diffusion property, whenever a vector \(\mathbf {v}\in \mathbb {F}_q^t\) is multiplied by the submatrix formed by any m of its columns, the output is uniformly distributed in \(\mathbb {F}_q^m\). Hence, for any share \(s_i\), \(1 \le i \le n\), the probability of randomly guessing \(s_i\) is 1/q.


Case 1:

\(m\le t-\mu -1\): Note that, by Property 1 of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices, the \(m+1 \le t-\mu \) columns in \(G\) which correspond to these m users along with the column \(G[0]\) are linearly independent. Therefore the column \(G[0]\) cannot be obtained as a linear combination of m columns which correspond to these users, that is, \(\textsf {SRA}_\mu (\mathcal {B}) \ne s_0\). Thus \(\mathcal {B}\) will require at least one more correct share to compute the secret. But the probability of \(\mathcal {B}\) guessing the correct secret (or another correct share) is 1/q. Thus the probability of \(\mathcal {B}\) obtaining the secret is less than or equal to 1/q.

Case 2:

\(m=t-\mu +i, 0\le i<\mu \): Since \(\mathcal {B}\) is unauthorized, it neither belongs in \(\mathcal {G}^i\) nor is a superset of a group in \(\mathcal {G}^j,j<i\). This implies that the column \(G[0]\) is linearly independent of the columns which correspond to the users in \(\mathcal {B}\). Therefore the column \(G[0]\) cannot be obtained as a linear combination of m columns which correspond to these users, that is, \(\textsf {SRA}_\mu (\mathcal {B}) \ne s_0\). Thus \(\mathcal {B}\) will require at least one more correct share, or replace one of the pooled shares with a forged share, to compute the secret. But the probability of \(\mathcal {B}\) guessing the correct secret (or another correct share) is 1/q. Thus the probability of \(\mathcal {B}\) obtaining the secret is less than or equal to 1/q.

Case 3:

\(m=t+i, 0 \le i < \mu \): Since \(\mathcal {B}\) is unauthorized, it neither belongs in \(\mathcal {G}^\mu \) nor is a superset of a group in \(\mathcal {G}^j,j\le \mu \). This implies that the columns which correspond to \(\mathcal {B}\) are linearly dependent and the column \(G[0]\) is independent of them (rendering any subset of \(\mathcal {B}\) not a part of \(\mathcal {G}^j\)). Therefore the column \(G[0]\) cannot be obtained as a linear combination of m columns which correspond to these users, that is, \(\textsf {SRA}_\mu (\mathcal {B}) \ne s_0\). Thus \(\mathcal {B}\) will require at least one more correct share, or replace one of the pooled shares with a forged share, to compute the secret. But the probability of \(\mathcal {B}\) guessing the correct secret (or another correct share) is 1/q. Thus the probability of \(\mathcal {B}\) obtaining the secret is less than or equal to 1/q.


Note that, on an input of a random set of shares to \(\textsf {SRA}_\mu \), the probability of \(\textsf {SRA}_\mu \) generating the correct secret \(s_0\) is 1/q. Therefore,

$$ {{\,\mathrm{Pr}\,}}[\textsf {SRA}_\mu (\mathcal {B}) =s_0] = {{\,\mathrm{Pr}\,}}[\textsf {SRA}_\mu (\mathcal {B}) =\overline{s_0}] $$

and hence \(\varSigma _\mu \) has perfect privacy.

Theorem 3

The proposed secret sharing scheme \(\varSigma _\mu \) is ideal.

Proof

Since both the secret and the shares are elements of \(\mathbb {F}_q\), the information rate \(\rho \) is

$$ \rho = \dfrac{\log \mid \mathbb {F}_q \mid }{\log \mid \mathbb {F}_q \mid } = 1 $$

and hence \(\varSigma _\mu \) is ideal.

Theorem 4

The proposed secret sharing scheme \(\varSigma _\mu \) is a linear secret sharing scheme.

Proof

By Definition 21 of a linear secret sharing scheme, and by the construction of the shares as in Subsect. 3.2, it is clear that the proposed secret sharing scheme is linear.

Proposition 5

The time-complexity for the share construction and the secret recovery phase of the proposed scheme is \(\mathcal {O}(n^3)\).

Proof

That the complexity of the setup phase is \(\mathcal {O} (n^3)\) is straightforward. We show that the complexity of the secret reconstruction phase is also \(\mathcal {O} (n^3)\).

Step 2 of Algorithm \(\textsf {SRA}_\mu \) computes the reduced row echelon form of the matrix \(G^\prime \) constructed in Step 1. Since \(m \le n\), \(G^\prime \) is at most a \((t\times n)\) matrix. Since row reduction of a \((t\times n)\) matrix can be done in \(\mathcal {O} (t^2n)\) operations and since \(t \le n\), the complexity of this step is \(\mathcal {O} (n^3)\). This is the dominant step of the algorithm, because the remaining steps are linear in the size of the matrix. Hence, the complexity of the reconstruction phase is \(\mathcal {O} (n^3)\).

4.1 Cheating Detection and Cheating Identification

The proofs in this section for \(\varSigma _\mu \) have been adapted from [11]. The following two lemmas, Lemmas 2 and 3, state standard properties of linear codes which we will use in this section. We refer the reader to [7] for the proof of Lemma 3.

Lemma 2

Given an \([n, t, n-t-\mu +1]\) \({{\,\mathrm{N^{\mu }MDS}\,}}\) code and its generator matrix \(G\), if

$$ (s_0, s_1,\dots , s_{n-1}) = (\alpha _0, \alpha _1,\dots , \alpha _{t-1}) \cdot G$$

and

$$ (\hat{s}_0, \hat{s}_1,\dots , \hat{s}_{n-1}) = (\hat{\alpha }_0, \hat{\alpha }_1,\dots , \hat{\alpha }_{t-1}) \cdot G$$

such that

$$ (\alpha _0, \alpha _1,\dots , \alpha _{t-1}) \ne (\hat{\alpha }_0, \hat{\alpha }_1,\dots , \hat{\alpha }_{t-1}) \,,$$

then

$$ d ((s_0, s_1,\dots , s_{n-1}), (\hat{s}_0, \hat{s}_1,\dots , \hat{s}_{n-1})) \ge n-t-\mu +1 \,.$$

Proof

Since \((\alpha _0, \alpha _1, \dots , \alpha _{t-1})\) and \((\hat{\alpha }_0, \hat{\alpha }_1, \dots , \hat{\alpha }_{t-1})\) are distinct, they generate different codewords of the \({{\,\mathrm{N^{\mu }MDS}\,}}\) code. Hence, the codewords \((s_0, s_1, \dots , s_{n-1})\) and \((\hat{s}_0, \hat{s}_1, \dots , \hat{s}_{n-1})\) are distinct. Thus, the Hamming distance between them must be greater than or equal to \(n-t-\mu +1\), the minimum distance of the code.

Lemma 3

Let \(\mathbf {C}\) be an \([n, t, d]\) linear code over \({{\,\mathrm{GF}\,}}(q)\). Let \(\mathbf {C}^{i}\) be the punctured code defined by dropping the \(i^{th}\) coordinate, \(1 \le i \le n\), from the codewords of \(\mathbf {C}\). Then, \(\mathbf {C}^{i}\) is an \([n-1, \tilde{t}, \tilde{d}]\) code where

  • \(\tilde{t} = t\) and \(\tilde{d} = d\) if \(\mathbf {C}\) does not have any codeword of weight d with a nonzero \(i^{th}\) coordinate;

  • \(\tilde{t} = t\) and \(\tilde{d} = d-1\) if \(d > 1\) and \(\mathbf {C}\) has a codeword of weight d with a nonzero \(i^{th}\) coordinate;

  • \(\tilde{t} = t-1\) and \(\tilde{d} \ge d\) if \(d = 1\), \(t > 1\) and \(\mathbf {C}\) has a codeword of weight d with a nonzero \(i^{th}\) coordinate.

Theorem 5

The proposed scheme allows cheating detection if the number of cheaters in a group of m users is less than \(m-t-1\).

Proof

Suppose \({P}_{j_1}, \dots , {P}_{j_m}\) submit the shares \(\hat{s}_{j_1} = s_{j_1} + \delta _1, \dots , \hat{s}_{j_m} = s_{j_m} + \delta _m\), \(\delta _j \in GF(q)\), to the reconstruction algorithm. Then if \(\delta _i = 0\), \({P}_{j_i}\) is honest, and if \(\delta _i \ne 0\), \({P}_{j_i}\) is a cheater. Let \(G^\prime \) be the \(t\times m\) submatrix formed by the m columns of \(G\) indexed by \(j_1, j_2, \dots , j_m\). Let

$$ H_0 = \{ (s_1, \dots , s_{m}) \mid (s_1, \dots , s_{m}) = (\alpha _0, \alpha _1, \dots , \alpha _{t-1}) \cdot G^\prime , \ \alpha _i \in GF(q) \} \,. $$

Let \(\mathbf {s}= (s_{j_1}, \dots , s_{j_m})\), \(\delta = (\delta _1, \dots , \delta _m)\) and \(\hat{\mathbf {s}} = \mathbf {s}+ \delta = (\hat{s}_{j_1}, \dots , \hat{s}_{j_m})\).

By Lemma 3, any two distinct codewords in \(H_0\) have a Hamming distance of at least \(m-t-1\). Now, if the Hamming weight of \(\delta \) is less than \(m-t-1\), then the Hamming distance between \(\hat{\mathbf {s}}\) and \(\mathbf {s}\) is less than \(m-t-1\). Thus by Lemma 2, \(\hat{\mathbf {s}} \in H_0\) if and only if \(\hat{\mathbf {s}} = \mathbf {s}\), that is, when \(\delta =0\). Hence, if the number of cheating users is less than \(m-t-1\), cheating by them can be detected.

Theorem 6

The proposed scheme allows cheater identification if the number of cheaters in a group of m users is less than \(\lfloor \frac{m-t-1}{2}\rfloor \).

Proof

Let \({P}_{j_i}\), \(1 \le i \le m\), \(G^\prime \), \(H_0\), \(\mathbf {s}\), \(\delta \) and \(\hat{\mathbf {s}}\) be as in Theorem 5. Suppose the Hamming weight of \(\delta \) is less than \(\lfloor \frac{m-t-1}{2}\rfloor \). Then the Hamming distance \(d(\hat{\mathbf {s}},\mathbf {s})\) is less than \(\lfloor \frac{m-t-1}{2}\rfloor \). For any \(\tilde{\mathbf {s}} \ne \mathbf {s}\in H_0\), by Lemma 3, \(d(\mathbf {s},\tilde{\mathbf {s}}) \ge m-t-1\). Hence, using the triangle inequality, we get

$$\begin{aligned} d (\hat{\mathbf {s}}, \tilde{\mathbf {s}})&\ge d (\mathbf {s}, \tilde{\mathbf {s}}) - d (\hat{\mathbf {s}}, \mathbf {s}) \\&\ge (m-t-1)-\left\lfloor \frac{m-t-1}{2}\right\rfloor = \left\lceil \frac{m-t-1}{2}\right\rceil \ge \left\lfloor \frac{m-t-1}{2}\right\rfloor = d (\hat{\mathbf {s}}, \mathbf {s}) \,. \end{aligned}$$

Hence, \(d (\hat{\mathbf {s}}, \mathbf {s}) = \min \{d (\hat{\mathbf {s}}, \tilde{\mathbf {s}}) \mid \tilde{\mathbf {s}} \in H_0\}\). Thus standard error decoding techniques for linear codes can be used to decode \(\hat{\mathbf {s}}\) to recover the secret \(\mathbf {s}\). Then by computing \(\delta = \hat{\mathbf {s}}-\mathbf {s}\), the user \({P}_{j_i}\) is determined to be a cheater if \(\delta _i \ne 0\).

Hence, if the number of cheating users is less than \(\lfloor \frac{m-t-1}{2}\rfloor \), the secret can be reconstructed correctly and all the cheating users can be identified.
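As an added illustration (written for this page, not code from the paper) of the linear-algebra recovery step in Proposition 5 and of the checks behind Theorems 5 and 6, the following Python recovers \(s_0\) by expressing \(G[0]\) as a combination of the pooled columns, rejects an inconsistent share vector, and identifies cheaters by nearest-codeword decoding. It assumes a small constructed instance over GF(7) in which a Vandermonde matrix stands in for the paper's \({{\,\mathrm{N^{\mu }MDS}\,}}\) generator; the function names and toy parameters are assumptions.

```python
from itertools import product

def solve_mod_p(A, b, p):
    """One solution x of A x = b over GF(p), or None if b lies outside the column span of A."""
    rows, cols = len(A), len(A[0])
    M = [[v % p for v in list(row) + [rhs]] for row, rhs in zip(A, b)]
    pivots, r = [], 0
    for c in range(cols):                 # Gauss-Jordan elimination: the O(n^3) step of Proposition 5
        piv = next((i for i in range(r, rows) if M[i][c]), None)
        if piv is None:
            continue
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(rows):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * u) % p for a, u in zip(M[i], M[r])]
        pivots.append(c)
        r += 1
    if any(M[i][-1] for i in range(r, rows)):
        return None                       # a zero row with nonzero right-hand side: inconsistent
    return [M[pivots.index(c)][-1] if c in pivots else 0 for c in range(cols)]

def recover_secret(G, shares, p):
    """SRA-style recovery: solve G' c = G[0]; then s_0 = sum c_j s_j. None = unauthorized set."""
    users = sorted(shares)
    c = solve_mod_p([[G[r][j] for j in users] for r in range(len(G))], [row[0] for row in G], p)
    return None if c is None else sum(cj * shares[j] for cj, j in zip(c, users)) % p

def cheating_detected(G, shares, p):
    """Theorem 5: accept the submitted vector only if some alpha satisfies alpha . G' = s_hat."""
    users = sorted(shares)
    GpT = [[G[r][j] for r in range(len(G))] for j in users]   # transpose of G'
    return solve_mod_p(GpT, [shares[j] for j in users], p) is None

def identify_cheaters(G, shares, p):
    """Theorem 6: nearest-codeword decoding in H_0 (brute force over alpha, fine for small q, t)."""
    users, best = sorted(shares), None
    for alpha in product(range(p), repeat=len(G)):
        cw = {j: sum(a * G[r][j] for r, a in enumerate(alpha)) % p for j in users}
        dist = sum(cw[j] != shares[j] for j in users)
        if best is None or dist < best[0]:
            best = (dist, alpha, cw)
    _, alpha, cw = best
    return sum(a * row[0] for a, row in zip(alpha, G)) % p, [j for j in users if cw[j] != shares[j]]

# Constructed toy instance over GF(7): t = 3, n = 6, G[0] = (1,0,0)^T so the secret is alpha_0 = 4.
# The paper derives G from an N^mu-MDS code; a Vandermonde matrix stands in for it here.
G = [[pow(x, r, 7) for x in range(6)] for r in range(3)]
SHARES = {j: sum(a * G[r][j] for r, a in enumerate((4, 2, 5))) % 7 for j in range(1, 6)}
```

With all five honest shares the consistency check passes; forging one share makes it fail and the decoder names the forged coordinate.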

5 Conclusion and Future Work

We have proposed an efficient ideal and perfect generalized secret sharing scheme based on \({{\,\mathrm{N^{\mu }MDS}\,}}\) codes with the desirable security features of cheating detection and cheater identification. The use of \({{\,\mathrm{N^{\mu }MDS}\,}}\) matrices allows us to have authorized sets of varying sizes, giving the scheme a generalized and richer access structure. The proposed scheme allows an access structure consisting of \(\mu +1\) mutually nonmonotonic sets of user groups of sizes \(t, t-1, \dots , t-\mu \), respectively, where \(1 \le \mu < t\), n is the number of users, and the parameter t of the access structure is independent of the field size. The proposed scheme admits a finer access structure and provides a direction towards a fully generalized secret sharing scheme. We believe a fully generalized secret sharing scheme realizing arbitrary access structures should be possible with almost MDS codes. We are studying the properties of these codes and working on generating an almost MDS code for any given access structure.