Cryptography: Theory and Practice by Douglas Stinson CRC Press, CRC Press LLC ISBN: 0849385210 Pub Date: 03/17/95 |
Previous | Table of Contents | Next |
THEOREM 11.2
Let C be any monotone boolean circuit. Then there is a perfect secret sharing scheme realizing the access structure Γ(C) having information rate
where ri denotes the number of input wires to C carrying the input xi.
With respect to threshold access structures, we observe that the Shamir scheme will have information rate 1, which we show below is the optimal value. In contrast, an implementation of a (t, w)-threshold scheme using a disjunctive normal form boolean circuit will have information rate , which is much lower (and therefore inferior) if 1 < t < w.
Obviously, a high information rate is desirable. The first general result we prove is that ρ ≤ 1 in any scheme.
THEOREM 11.3
In any perfect secret sharing scheme realizing an access structure Γ, ρ ≤ 1.
PROOF Suppose we have a a perfect secret sharing scheme that realizes the access structure Γ. Let B ∈ Γ0 and choose any participant Pj ∈ B. Define B′ = B\{Pj}. Let . Now, B′ ∉ Γ, so the distribution of shares g|B′ provides no information about the key. Hence, for each , there is a distribution rule such that gK|B′ = g|B′. Since B ∈ Γ, it must be the case that gK (Pj) ≠ gK′ (Pj) if K ≠ K′. Hence, and thus ρ ≤ 1.
Since ρ = 1 is the optimal situation, we refer to such a scheme an ideal scheme. The Shamir schemes are ideal schemes. In the next section, we present a construction for ideal schemes that generalizes the Shamir schemes.
In this section, we present a construction for certain ideal schemes known as the Brickell vector space construction.
Suppose Γ is an access structure, and let denote the vector space of all d-tuples over , where p is prime and d ≥ 2. Suppose there exists a function
which satisfies the property
Figure 11.6 The Brickell scheme
In other words, the vector (1, 0, . . . , 0) can be expressed as a linear combination of the vectors in the set {φ(Pi) : Pi ∈ B} if and only if B is an authorized subset.
Now, suppose there is a function φ that satisfies Property (11.3). (In general, finding such a function is often a matter of trial and error, though we will see some explicit constructions of suitable functions φ for certain access structures a bit later.) We are going to construct an ideal secret sharing scheme with . The distribution rules of the scheme are as follows: for every vector , define a distribution rule , where
for every , and the operation · is the inner product modulo p.
Note that each contains pd-1 distribution rules. We will suppose that each probability distribution is equiprobable: for every . The Brickell scheme is presented in Figure 11.6
We have the following result.
THEOREM 11.4
Suppose φ satisfies Property (11.3). Then the sets of distribution rules , comprise an ideal scheme that realizes Γ.
PROOF First, we will show that if B is an authorized subset, then the participants in B can compute K. Since
we can write
where each . Denote by si the share given to Pi. Then
where is an unknown vector chosen by D and
By the linearity of the inner product operation,
Thus, it is a simple matter for the participants in B to compute
What happens if B is not an authorized subset? Denote by e the dimension of the subspace 〈φ(Pi) : Pi ∈ B〉 (note that e ≤ |B|). Choose any , and consider the system of equations:
This is a system of linear equations in the d unknowns a1, . . . , ad. The coefficient matrix has rank e + 1, since
Provided the system of equations is consistent, the solution space has dimension d - e - 1 (independent of the value of K). It will then follow that there are precisely pd-e-1 distribution rules in each that are consistent with any possible distribution of shares to B. By a similar computation as was performed in Example 11.5, we see that for every , where fB(Pi) = si for all Pi ∈ B.
Why is the system consistent? The first |B| equations are consistent, since the vector chosen by D is a solution. Since
(as mentioned above) the last equation is consistent with the first |B| equations. This completes the proof.
It is interesting to observe that the Shamir (t, w)-threshold scheme is a special case of the vector space construction. To see this, define d = t and let
for 1 ≤ i ≤ w, where xi is the x-coordinate given to Pi. The resulting scheme is equivalent to the Shamir scheme; we leave the details to the reader to check.
Here is another general result that is easy to prove. It concerns access structures that have as a basis a collection of pairs of participants that forms a complete multipartite graph. A graph G = (V, E) with vertex set V and edge set E is defined to be a complete multipartite graph if the vertex set V can be partitioned into subsets such that {x, y} ∈ E if and only if x ∈ Vi, y ∈ Vj, where i ≠ j. The sets Vi are called parts. The complete multipartite graph is denoted by if . A complete multipartite graph K1, . . . , 1 (with parts) is in fact a complete graph and is denoted .
Previous | Table of Contents | Next |
Copyright © CRC Press LLC