Almost-perfect secret sharing

Tarik Kaced (LIF, Univ. Aix–Marseille; email: tarik.kaced@lif.univ-mrs.fr)
Abstract

Splitting a secret between several participants, we generate (for each value of ) shares for all participants. The goal: authorized groups of participants should be able to reconstruct the secret but forbidden ones get no information about it. In this paper we introduce several notions of non-perfect secret sharing, where some small information leak is permitted. We study its relation to the Kolmogorov complexity version of secret sharing (establishing some connection in both directions) and the effects of changing the secret size (showing that we can decrease the size of the secret and the information leak at the same time).

1 Secret sharing: a reminder

Assume that we want to share a secret – say, a bit string of length – between two people in such a way that they can reconstruct it together but none of them can do this in isolation. This is simple: choose a random string of length and give and to the participants ( is the bitwise xor of and ). Both and in isolation are uniformly distributed among all -bit strings, so they have no information about .

The general setting for secret sharing can be described as follows. We consider some finite set whose elements are called secrets. We also have a finite set of participants. An access structure is a non-empty set whose elements are groups of participants, i.e., a non-empty subset of . Elements of are called authorized groups of participants (that should be able to reconstruct the secret). Other subsets of are called forbidden groups (that should get no information about the secret). We always assume that is upward-closed (this is natural, since a bigger group knows more). One can also consider a more general setting where some groups are neither allowed nor forbidden (so there is no restriction on the information they may get about the secret); we do not consider this more general setting here.

In our initial example (the set of -bit strings), (we have two participants labeled and ), and consists of the set only.

In general, perfect secret sharing can be defined as follows. For every participant a set is fixed; its elements are ’s shares. For every we have a tuple of dependent random variables . There are two conditions:

  • for every authorized set it is possible to reconstruct uniquely the secret from the shares given to participants in (i.e., for different secrets and the projections of the corresponding random tuples onto the -coordinates have disjoint ranges);

  • for every forbidden set the participants in get no information about the secret (i.e., for different secrets and the projections of the corresponding random tuples onto -coordinates are identically distributed).

Various versions of combinatorial schemes were introduced in [6] and [7]. Note that in this definition we have no probability distribution on the set of secrets. It is natural for the setting when somebody gives us the secret (i.e., the user chooses her password) and we have to share whatever is given to us.

We consider another setting (introduced first in [12] and further developed in [8]) where the secret is also a random variable. Consider a family of random variables: one () for the secret and one () for each participant . This family is a perfect secret sharing scheme if

  • for every authorized set the projection determines ;

  • for every forbidden set the projection is independent of .

These conditions can be rewritten using Shannon information theory: the first condition says that , and the second says that . Here stands for conditional Shannon entropy and stands for mutual information. (To be exact, we should ignore events of probability zero when saying that determines . To avoid these technicalities, let us agree that our probability space is finite and all non-empty events have positive probabilities.)

These definitions are closely related. Namely, it is easy to see that:

  • Assume that a perfect secret sharing scheme in the sense of the first definition is given. Then for every distribution on secrets (random variable ) we get a scheme in the sense of the second definition as follows. For each secret we have a family of dependent random variables , and we use them as conditional distribution of participants’ shares if .

  • Assume that a perfect secret sharing scheme in the sense of the second definition is given, and all secrets have positive probability according to . Then the conditional distributions of with the condition form a scheme in the sense of the first definition.

This equivalence shows that in the second version of the definition the distribution on secrets is irrelevant (as long as all elements in have positive probability): we can change while keeping the conditional distributions, and still have a perfect secret sharing scheme. The advantage of the second definition is that we can use standard techniques from Shannon information theory (e.g., information inequalities).

The general task of secret sharing can now be described as follows: given a set of secrets and an access structure construct a secret sharing scheme. This is always possible (see [5, 11]). However, the problem becomes much more difficult if we limit the size of shares. It is known (see [8]) that in the non-degenerate case shares should be at least of the same size as the secret: for every essential participant . (A participant is essential if we remove it from some authorized group and get a forbidden group. Evidently, non-essential participants can be just ignored.) This motivates the notion of ideal secret sharing scheme where for every essential participant .

Historically, the motivating example for secret sharing was Shamir’s scheme (see [19]). It has participants, authorized groups are groups of or more participants (where is an arbitrary threshold). Secrets are elements of a finite field of size greater than . To share a secret , we construct a polynomial

where the are chosen independently and uniformly. The shares are the values for distinct nonzero field elements (for each participant a non-zero element of the field is fixed). Any participants together can reconstruct the polynomial while for any participants all combinations of shares are equally probable (for every ). This scheme is ideal.
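The following Python is an added example, not code from the paper: Shamir's scheme over the prime field GF(7) (the field size and the participant points 1..n are assumptions of the example), with Lagrange reconstruction at x = 0. Besides sharing and reconstructing, it verifies the two properties stated above for small parameters by exhaustive enumeration: every group of at least t participants recovers the secret, and every group of t-1 participants sees each of the P**(t-1) possible share combinations exactly once, so its view is uniform and carries no information about the secret.

```python
import random
from itertools import combinations, product

P = 7  # prime field size; must exceed the number of participants


def eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x**(t-1) over GF(P)."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P


def share(secret, t, n, rng=random):
    """Shamir's (t, n) scheme: participant i (1 <= i <= n) receives f(i), where
    f is a random polynomial of degree < t with f(0) = secret."""
    coeffs = [secret % P] + [rng.randrange(P) for _ in range(t - 1)]
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}


def reconstruct(shares):
    """Lagrange interpolation at x = 0 from {x_i: f(x_i)} holding at least t points."""
    secret = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return secret


def all_authorized_reconstruct(secret, t, n, seed=1):
    """Every group of at least t participants recovers the secret."""
    shares = share(secret, t, n, random.Random(seed))
    for k in range(t, n + 1):
        for group in combinations(shares, k):
            if reconstruct({i: shares[i] for i in group}) != secret % P:
                return False
    return True


def forbidden_views_uniform(secret, t, n):
    """Enumerate all P**(t-1) polynomials with f(0) = secret and check that every
    group of t-1 participants sees each of the P**(t-1) share combinations exactly
    once, i.e. its joint view is uniform whatever the secret is."""
    views = {g: set() for g in combinations(range(1, n + 1), t - 1)}
    for tail in product(range(P), repeat=t - 1):
        coeffs = [secret % P] + list(tail)
        for g in views:
            views[g].add(tuple(eval_poly(coeffs, i) for i in g))
    return all(len(v) == P ** (t - 1) for v in views.values())


if __name__ == "__main__":
    print(share(5, 3, 5))
    print(all_authorized_reconstruct(5, 3, 5), forbidden_views_uniform(5, 3, 5))
```

The uniformity check is the concrete form of "all combinations of shares are equally probable": since the coefficients are uniform and the map from coefficients to the views of t-1 participants is a bijection, each view occurs with probability exactly P**-(t-1), independently of the secret. With P = 7 the enumeration is tiny; it grows as P**(t-1), so it is a sanity check for toy parameters, not a production test.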

Not every access structure allows an ideal secret sharing scheme. For example, no ideal scheme exists for four participants where the authorized groups are , and and all their supersets (see [5, 13]; it is shown there that every secret sharing scheme for this access structure satisfies ).

It is therefore natural to weaken the requirements a bit and to allow non-ideal secret sharing schemes still having shares of reasonable size. For example, we may fix some and ask whether for a given access structure there exists a perfect secret sharing scheme where . (The answer may depend on the size of .)

Unfortunately, not much is known about this. There are quite intricate lower bounds for different specific access structures (some proofs are based on non-Shannon inequalities for entropies of tuples of random variables, see [4, 17]). The best known lower bounds for sharing -bit secrets (for some fixed access scheme) are still rather weak, like (see [9]). On the other hand, the known upper bounds for general access structures are exponential in the number of participants (and rather simple, see [5, 11]).

2 Nonperfect secret sharing

The relaxation of the perfectness property is natural when efficiency is involved (see [2, 14, 20]). Our attempt here is to encapsulate existing definitions of non-perfect schemes in the Shannon framework. We consider possible relaxations of the requirements and introduce several versions of almost-perfect secret sharing. By this we mean that we allow limited “leaks” of information to forbidden groups of participants. We also consider schemes where authorized groups need some (small) additional information to reconstruct the secret. Such approximately-perfect schemes are quite natural from the practical point of view. Also, the gain in flexibility may help overcome the difficulty of constructing efficient perfect schemes which seems related to difficult problems of combinatorial or algebraic nature.

Let us discuss possible definitions for almost-perfect schemes. Now we want to measure the leak of information (or the amount of missing information), and the most natural way is to replace the equations and by inequalities and , for some bounds and (normally, a small fraction of the amount of information in the secret itself).

The problem here is that measuring the information leak and missing information in this way, we need to fix some distribution on secrets, and this looks unavoidable even from the intuitive point of view. Imagine that we have -bit secrets, and the sharing scheme works badly for secrets with trailing zeros (e.g., discloses them to all participants). The information leak might not be huge for the uniform distribution, since the leaked bits are weighted by the probability of having trailing zeros; it can however become significant if the secret is not chosen uniformly, e.g. when the user chooses a short password padded with trailing zeros.

An interesting question (that we postpone for now) is how significant this dependence could be. One may expect that a good secret sharing scheme remains almost as good if we change the distribution slightly, but we cannot prove any natural statement of this kind. So we have to include the distribution on secrets in all the definitions.

Let be an access structure. Let and (for all participants ) be some random variables (on the same probability space, so we may consider their joint distribution). Such a family is called a (not necessarily perfect) secret sharing scheme, and its parameters are:

  • distribution on secrets (in particular, the entropy of is important);

  • information rate, , the entropy of the secret divided by the maximal entropy of a single share;

  • missing information ratio, the maximal value of for all authorized , divided by ;

  • information leak ratio, the maximal value of for all forbidden , divided by .

To simplify our statements, we consider asymptotic behaviors and give the following template definition of almost-perfect secret sharing:

Definition 2.1.

An access structure on the set of participants can be almost-perfectly implemented with parameters if there exists a sequence of secret sharing schemes for the secret variable , such that

  • ;

  • the of the information rates does not exceed ;

  • the missing information ratio converges to as ;

  • the information leak ratio converges to as .

In this article we introduce several definitions of almost-perfect secret sharing schemes. Two of them are in the framework of Shannon entropy, and we show that the stronger one, where no missing information is allowed, gives the same notion; the third is in the framework of Kolmogorov complexity. We prove that all these approaches are asymptotically equivalent (they have equivalent asymptotic rates of schemes for each access structure). Hence, we can combine tools of Shannon’s information theory and Kolmogorov complexity to investigate the properties of nonperfect secret sharing schemes.

Rather than providing constructions or stating trivial counterparts of known theorems, we focus our study on the behaviour of such schemes. Simple properties of perfect schemes provide new natural questions for nonperfect schemes, which are in general not trivial. The main contribution of the paper is the proof of a few such natural properties, namely Proposition 2.6 and Theorem 4.3 for scaling down a nonperfect scheme while keeping roughly the same information leak ratio.

We believe our modest contribution is a small step towards a promising path to discover new constructions and theorems in nonperfect secret sharing.

2.1 Definitions

We consider two different versions of the definition of approximately-perfect secret sharing schemes. In the first one, non-perfect secret sharing schemes are allowed to give some information to forbidden groups and/or not give authorized groups the entire secret:

Definition 2.2.

Let be a finite set of secrets. A -nonperfect secret sharing scheme for secrets in implementing an access structure is a tuple of jointly distributed discrete random variables such that

  • if then

  • if then

In this definition, authorized groups may fail to recover at most bits of the secret, while forbidden groups cannot learn more than bits. A probably more natural version of a non-perfect scheme is asymmetric: authorized groups know everything about the secret, while forbidden groups can hold no more than bits of information about the secret:

Definition 2.3.

Let be a finite set of secrets. A -nonperfect secret sharing scheme for secrets in implementing an access structure is a tuple of jointly distributed discrete random variables such that

  • if then

  • if then

By , resp. , we refer to a -nonperfect, resp. -nonperfect, secret sharing scheme implementing access structure for -bit secrets with single shares of entropy at most . We use for perfect schemes, i.e., when both and are zero.
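As an added example (not from the paper), the parameters listed in Section 2 and the two bounds of Definitions 2.2 and 2.3 can be computed directly from the joint distribution of the secret and the shares. The Python below does so for three constructed two-party XOR schemes on a uniform 2-bit secret: the perfect one, one whose randomness is biased (r never takes the value 3, so the share r xor s leaks 2 - log2(3) bits), and one that drops a bit of the second share (no leak, but the authorized pair misses one bit). The scheme encodings and the name `scheme_parameters` are assumptions of this example.

```python
from collections import defaultdict
from itertools import combinations
from math import log2


def entropy(dist):
    """Shannon entropy in bits of {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def marginal(joint, idx):
    """Marginal of the coordinates in `idx` of a joint distribution {tuple: prob}.
    Coordinate 0 is the secret, coordinates 1..n are the participants' shares."""
    m = defaultdict(float)
    for outcome, p in joint.items():
        m[tuple(outcome[i] for i in idx)] += p
    return m


def cond_entropy(joint, target, given):
    """H(target | given) = H(target, given) - H(given)."""
    return entropy(marginal(joint, target + given)) - entropy(marginal(joint, given))


def mutual_info(joint, a, b):
    """I(a; b) = H(a) - H(a | b)."""
    return entropy(marginal(joint, a)) - cond_entropy(joint, a, b)


def build_joint(share_fn, secrets, randomness):
    """Joint distribution of (secret, shares) when the secret and the scheme's
    internal randomness are uniform and independent; share_fn(s, r) -> shares."""
    joint = defaultdict(float)
    for s in secrets:
        for r in randomness:
            joint[(s,) + tuple(share_fn(s, r))] += 1.0 / (len(secrets) * len(randomness))
    return joint


def scheme_parameters(joint, n, minimal_authorized):
    """H(secret), information rate, missing-information ratio (largest H(S | X_A)
    over authorized A, divided by H(S)) and information-leak ratio (largest
    I(S; X_B) over forbidden B, divided by H(S))."""
    def authorized(group):
        return any(set(a) <= set(group) for a in minimal_authorized)

    h_s = entropy(marginal(joint, (0,)))
    max_share = max(entropy(marginal(joint, (i,))) for i in range(1, n + 1))
    groups = [g for k in range(1, n + 1) for g in combinations(range(1, n + 1), k)]
    missing = max(cond_entropy(joint, (0,), g) for g in groups if authorized(g))
    leak = max(mutual_info(joint, (0,), g) for g in groups if not authorized(g))
    return {"H(S)": h_s, "rate": h_s / max_share,
            "missing_ratio": missing / h_s, "leak_ratio": leak / h_s}


# Constructed examples: two-party XOR sharing of a uniform 2-bit secret.
SECRETS = range(4)
XOR_PERFECT = build_joint(lambda s, r: (r, r ^ s), SECRETS, range(4))           # r uniform on 4 values
XOR_BIASED = build_joint(lambda s, r: (r, r ^ s), SECRETS, range(3))            # r never equals 3: leaks
XOR_TRUNCATED = build_joint(lambda s, r: (r, (r ^ s) >> 1), SECRETS, range(4))  # drops a bit: missing info
AUTHORIZED = [(1, 2)]

if __name__ == "__main__":
    for name, joint in [("perfect", XOR_PERFECT), ("biased", XOR_BIASED), ("truncated", XOR_TRUNCATED)]:
        print(name, scheme_parameters(joint, 2, AUTHORIZED))
```

The biased scheme is the practical failure mode behind the discussion above: the sharing algorithm is unchanged, only its randomness source is defective, and the leak appears in the mutual information between the secret and a single forbidden share. The ratios are relative to H(S), which is why the leak of the biased scheme reads as (2 - log2 3)/2 ≈ 0.21 of the secret.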

We now introduce the almost-perfect versions of secret sharing, which denote asymptotic sequences of nonperfect schemes for a fixed access structure in which the leak can be made negligible as the size of the secret grows.

Definition 2.4.

We say that an access structure can be almost-perfectly implemented, with parameters , if there exists a sequence of nonperfect schemes in the sense of Definition 2.2 whose parameters converge to , i.e., if

Moreover, we say that can be almost-perfectly implemented without missing information when the nonperfect schemes are in the sense of Definition 2.3.

Proposition 2.5.

Let be an access structure and be a positive real. The following are equivalent:

  • can be almost-perfectly implemented

  • can be almost-perfectly implemented without missing information.

This proposition is a corollary of the following result: one can transform a scheme with some missing information into a scheme without missing information by increasing the size of shares.

The natural idea to prove this is to add the missing information to authorized groups. However, even this is not trivial to implement: we want to keep the leak small, hence we cannot use a perfect scheme to share the missing information. The plan is to “materialize” the missing information and add it to each participant. This small amount of extra information will therefore also increase the information leak, but only by a small amount. The proposition tells us that we can indeed achieve a new leak comparable to the previous one.

Proposition 2.6.

If is an access structure on participants, then

Proof.

Assume there is a , let us transform it as follows. Take a minimal authorized set , by definition it holds that . Informally, it means that lacks bits of information about the secret. We materialize this information and add it to . More precisely, we use the following lemma about conditional descriptions:

Lemma 2.7.

Let and be two random variables defined on the same space. Then there exists a variable (defined on the same space) such that and .

Proof.

Let be distributed on a set . For each fixed value , we have a conditional distribution on values of given the condition . We can construct for this conditional distribution on values of a prefix-free binary code such that the average length of codewords is at most (e.g., we can take Huffman’s code).

Let be the corresponding codeword: if and then (the -th codeword from the code constructed for the distribution of under condition ).

Given a value of and a codeword from the corresponding code, we can uniquely determine the corresponding value of . Hence, we get . It remains to estimate entropy of .

The defined above ranges over the union of all codewords (from all codes constructed for all possible values of ). The average length of bit strings

This observation is enough to estimate the entropy of .

The union of all codewords is not necessarily prefix-free even if the codes were prefix-free for each value of . However, we can convert any set of bit strings into a prefix-free code by a simple transformation: we double each bit in each string, and add at the end of each string the pair of bits . E.g., a string is converted into . This simple trick converts the set of into a prefix-free set such that

Thus, random variable can be considered as a distribution on this prefix-free set . It is well known that for any distribution on a prefix-free set, the entropy is not greater than the average length of codewords (it follows from Kraft’s inequality). Hence, entropy of is not greater than the average length of , i.e., not greater than . ∎
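The proof of Lemma 2.7 is constructive, and the Python below (an added example, not the paper's code) carries it out on a small constructed joint distribution of (X, Y): build a Huffman code for each conditional distribution of X given Y = y, make the union of all codewords prefix-free with the bit-doubling trick, and then check the three facts used in the proof: (Y, Z) determines X, the average codeword length is at most H(X|Y) + 1, and H(Z) is at most twice that plus 2. The distribution, the function names and the choice of Huffman's code are assumptions of the example.

```python
import heapq
from collections import defaultdict
from math import log2


def entropy(dist):
    """Shannon entropy in bits of {outcome: probability}."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def huffman_code(probs):
    """Prefix-free binary code {symbol: codeword} with average length < H + 1.
    A single-symbol distribution gets the empty codeword (length 0)."""
    code = {sym: "" for sym in probs}
    heap = [(p, k, [sym]) for k, (sym, p) in enumerate(probs.items())]
    heapq.heapify(heap)
    k = len(heap)
    while len(heap) > 1:
        p1, _, syms1 = heapq.heappop(heap)
        p2, _, syms2 = heapq.heappop(heap)
        for s in syms1:
            code[s] = "0" + code[s]
        for s in syms2:
            code[s] = "1" + code[s]
        heapq.heappush(heap, (p1 + p2, k, syms1 + syms2))
        k += 1
    return code


def double_and_terminate(word):
    """The lemma's trick: double every bit and append '01'. The images of any
    set of strings form a prefix-free set, since '01' can only occur at the end."""
    return "".join(b + b for b in word) + "01"


def is_prefix_free(words):
    return not any(u != v and v.startswith(u) for u in words for v in words)


def conditional_description(joint):
    """joint = {(x, y): prob}. Build Z = doubled Huffman codeword of x in the code
    for the conditional distribution of X given Y = y, and report the quantities
    bounded in the lemma."""
    p_y, p_x_given_y = defaultdict(float), defaultdict(dict)
    for (x, y), p in joint.items():
        p_y[y] += p
    for (x, y), p in joint.items():
        p_x_given_y[y][x] = p / p_y[y]
    codes = {y: huffman_code(d) for y, d in p_x_given_y.items()}

    z_of, p_z, decode, avg_len = {}, defaultdict(float), {}, 0.0
    for (x, y), p in joint.items():
        z = double_and_terminate(codes[y][x])
        z_of[(x, y)] = z
        p_z[z] += p
        avg_len += p * len(codes[y][x])        # length before doubling
        decode.setdefault((y, z), x)
    return {
        "H(X|Y)": entropy(joint) - entropy(p_y),
        "avg_len": avg_len,                     # lemma: <= H(X|Y) + 1
        "H(Z)": entropy(p_z),                   # lemma: <= 2 * avg_len + 2
        "prefix_free": is_prefix_free(set(z_of.values())),
        "determines_x": all(decode[(y, z)] == x for (x, y), z in z_of.items()),
    }


# Constructed joint distribution: Y is a uniform bit; given Y = 0, X is 0, 1 or 2
# with probabilities 1/2, 1/4, 1/4; given Y = 1, X is always 3.
JOINT = {(0, 0): 0.25, (1, 0): 0.125, (2, 0): 0.125, (3, 1): 0.5}

if __name__ == "__main__":
    print(conditional_description(JOINT))
```

On this input H(X|Y) = 0.75 and Huffman's code is exact (average length 0.75), while the doubled codewords {"0001", "110001", "111101", "01"} are prefix-free even though the per-y codes ("0", "10", "11" and the empty word) are not prefix-free as a union; H(Z) = 1.75 is well within the bound 2·0.75 + 2.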

We apply Lemma 2.7 to encode the secret conditionally on the shares of . Since this random variable has entropy at most , the encoding can be done by strings of size at most . We add this “conditional description” to any participant of . Now the participants of can together determine the secret uniquely. We do the same for all minimal authorized groups in . So, now all authorized groups have all information about the secret.

We added some additional data to several participants (some participants can obtain several different “conditional descriptions”, since one participant can belong to several minimal authorized groups). However, all additional information given to participants is of size only , hence the extra information given to forbidden groups is at most . The size of the shares in the new scheme is at most , and we are done. ∎

An interesting open question about almost-perfect secret sharing is to settle whether it is equivalent to perfect secret sharing or not:

Question 2.8.

Can we achieve essentially better information rates with almost-perfect schemes than with perfect schemes?

A weaker form of this question, where leaks are exactly zero, has been answered by Beimel et al. in [3] (using a result of Matúš [16]): they construct a nearly-ideal access structure, i.e. an access structure that can be implemented perfectly with an information rate as close to as we want but not equal. In fact, with the same kind of arguments we can construct an almost-perfect scheme for the same access structure with small leaks but information rate exactly one.

Proposition 2.9.

There is an access structure which can be implemented by an almost-perfect scheme with parameters and rate exactly one but has no ideal perfect scheme.

Proof.

An access structure is induced by a matroid through if is defined on the set of participants by the upper closure of the collection of subsets such that (here is the set of circuits of the matroid .) Let and be respectively the access structures induced by the Fano and by the non-Fano matroids (through any point). In [16], Matúš proved that there exist perfect ideal schemes for , resp. if and only if is even, resp. odd.

Consider an access structure consisting of disjoint copies of and . From Matúš’ argument, cannot be implemented ideally by a perfect scheme. Construct a scheme consisting of the concatenation of two independent schemes:

  • a , and

  • a , constructed from a for (i.e., ) where we removed one possible value of the secret.

is a perfect scheme for with rate . Now instead of using a as second scheme, we modify it into a nonperfect scheme by substituting the value of the share "" by any other possible value. Now there are exactly shares. It is not difficult to show that is, at most, a i.e., with information rate exactly one. ∎

3 Kolmogorov secret sharing

We denote “the” Kolmogorov complexity function by the letter ; the particular variant does not matter, since most variants are equal up to a logarithmic term and our results are asymptotic. For a complete introduction to Kolmogorov complexity and to some techniques used here, we refer the reader to the book [15] and to [21].

The problem of secret sharing can also be studied in the framework of algorithmic information theory. The idea is that now a secret sharing scheme is not a distribution on binary strings but an individual tuple of binary strings with corresponding properties of “secrecy”. To define these “secrecy” properties for individual strings, we substitute Kolmogorov complexity for Shannon’s entropy and get algorithmic counterparts of the definition of secret sharing schemes. A similar idea was realized in Definition 21 (part 1) in [1] for a special case (for threshold access structures).

For Kolmogorov complexity there is no natural way to define an "absolutely" perfect version of secret sharing scheme. Thus, in the framework of Kolmogorov complexity we can deal only with “approximately-perfect” versions of the definition. We define approximately-perfect secret sharing schemes for Kolmogorov complexity just in the same way as we defined -nonperfect schemes for Shannon’s entropy (similarly to Definition 2.2):

Definition 3.1.

For an access structure we say that a tuple of binary strings is a Kolmogorov -perfect secret sharing scheme for secrets of size if

  • for

  • for

We reuse the template of almost-perfect secret sharing, this time in the Kolmogorov setting using the above version of secret sharing scheme. Thus, it should make sense to talk about almost-perfect secret sharing in the sense of Kolmogorov.

It turns out that problems of constructing approximately perfect secret sharing schemes in Shannon’s and Kolmogorov’s frameworks are closely related. For every access structure, in both frameworks the asymptotically optimal rates are equal to each other. More precisely, we have the following equivalence:

Theorem 3.2.

Let be an access structure over participants and be a positive real, then the following are equivalent:

  • can be almost-perfectly implemented with parameters in the sense of Shannon.

  • can be almost-perfectly implemented with parameters in the sense of Kolmogorov.

This theorem follows from a more general parallelism between Shannon entropy and Kolmogorov complexity. Below we explain this parallelism in terms of realizable complexity and entropy profiles.

The Kolmogorov complexity profile of a tuple of binary strings is defined by the vector of Kolmogorov complexities of all pairs, triples, … of strings . So, it consists of (integer) complexity values, one for each non-empty subset of strings . In the same way we define the entropy profile of a tuple of random variables by replacing by .

The next theorem explains that the class of realizable complexity profiles and the class of entropy profiles are in some sense very similar:

Theorem 3.3.

For every the following conditions are equivalent:

  • there is a sequence of -tuple of random variables s.t.

  • there is a sequence of -tuple of binary strings s.t.

Note that Theorem 3.2 follows immediately from Theorem 3.3.

Proof.

To prove this result, we convert a sequence of -tuples of random variables into a sequence of -tuples of binary strings and vice versa; these conversions preserve complexity/entropy profiles: corresponding tuples of random variables and strings have similar values in their profiles.

The main technical tools are the Kolmogorov–Levin theorem

and the “typization” trick for entropy and Kolmogorov complexity (the same technique as in [10, 18]).

[Kolmogorov Shannon] Let be an -tuple of binary strings. For a non-negative integer (to be fixed below) we consider the following set:

which is the set of -tuples of binary strings whose complexity profile is close to the one of up to a logarithmic term. Further we formulate several properties of .

Claim 3.7.

for all large enough .

Proof.

See Lemma 2 in [10] and Proposition 1 in [18]. We fix value so that Claim 3.7 holds ( depends on the size of the tuple but not on ). ∎

Claim 3.8.

Proof.

Follows from the definition of and the Kolmogorov–Levin theorem. ∎

Now, define as an -tuple of random variables uniformly distributed on . From the definition of and Claim 3.7 it follows that the entropy of all is close to . We claim that in fact all components of the entropy profile of are close to the corresponding components in the complexity profile of . We prove this property in two steps. First, we obtain an upper bound:

Claim 3.9.

Proof.

The number of possible values for is the number of possible substrings for . Since , there are at most such values for . Shannon’s entropy of a random variable cannot be greater than the logarithm of the number of its values, and we are done. ∎

Further, we prove the lower bound:

Claim 3.10.

Proof.

First, consider for some fixed . From Claim 3.8, , thus can take at most values. This is true for all such , therefore .

Then,

Therefore, the random variable has an entropy profile close to the complexity profile of up to a logarithmic factor. The first part of the theorem is proven.

[Shannon Kolmogorov] Let be a -tuple of random variables. We fix an integer (to be specified below) and construct some table

satisfying the following properties:

  (a) The columns of the table (each column is an -vector) consist of possible values for the random variable .

  (b) Different -tuples are used as columns in the matrix with different frequencies; we require that each frequency is close to the corresponding probability in the distribution of . More precisely, for every -tuple of letters

  (c) The table has the maximal Kolmogorov complexity among all tables satisfying (a) and (b). It implies, by a rather simple counting argument, that

Denote for all (i.e., we set to be the row of the table.) Let us verify that the -tuple of binary strings has a complexity profile close to the entropy profile of multiplied by .

Claim 3.11.

Proof.

We extract from the entire table the rows corresponding to ; count frequencies of different columns (of size ) that occur in this restricted table (of size ). Denote these frequencies by (of course, the sum of all frequencies equals ). Let be the entropy of the distribution with probabilities . By Theorem 5.1 in [21],

Further, we use the fact that frequencies are close to the corresponding probabilities of :

We get the claim by combining the two inequalities. ∎

Claim 3.12.

Proof.

Denote . We split all positions into classes corresponding to different values of . Denote the sizes of these classes by . By property (c) of the table, each must be proportional to the corresponding probability: the number of positions such that is equal to

Given , we describe by an encoding separately for different classes of positions corresponding to different values of . Similarly to the previous Claim, we get

where is the number of columns of the table where . It follows that

Claim 3.13.

Proof.

Thus, we have constructed a -tuple of binary strings whose complexity profile is close to times the entropy profile of , up to some logarithmic term. ∎

4 Scaling of secret sharing schemes

Here, we attempt to show how to scale up and down any secret sharing scheme. The problem consists of, given a secret sharing scheme for -bit secrets, constructing new secret sharing schemes for -bit secrets where can be arbitrarily large or small. While this task is easy in the perfect case, it becomes much more difficult in the non-perfect case when we are concerned with efficiency and information leak.

4.1 Scaling for perfect schemes

We present some easy constructions for scaling up and down in the perfect case and state what they achieve in terms of efficiency (size of the shares).

Proposition 4.1.

Let be an access structure and be a then

(a) [scaling down] For every positive integer there exists a

(b) [scaling up] For every positive integer there exists a

Proof.

(a) To scale down, we can reuse the same scheme. Simply restrict the support of the random variable to values and equip this support with the uniform distribution. Authorized groups can determine the secret uniquely since this was the case in the initial scheme. Forbidden groups have no information about the secret, since otherwise they would have had some information in the initial perfect scheme.

(b) For scaling up, the new scheme consists of the concatenation of independent versions of the initial scheme. Since the new scheme consists of independent copies (a serialization) of the initial scheme, every new entropy value is times the old entropy value. ∎

4.2 Scaling for non-perfect schemes

Scaling up for nonperfect schemes is similar to the case of perfect schemes.

Proposition 4.2.

Let be an access structure and be a then for every non-negative integer there exists a

Proof.

Simply reuse the construction of (b) of Proposition 4.1. Then a forbidden group can have at most bits of information about the secret. ∎

Scaling down the size of the secret becomes non-trivial for non-perfect secret sharing schemes if we want to keep the same information leak and missing information. If we can -nonperfectly share an -bit secret, then intuitively it seems that we should be able to share one single bit with an information leak ratio of about . However, this statement is far from obvious. We now formulate and prove a slightly weaker statement (it is the most technical result of this paper):

Theorem 4.3.

For all there exists an integer such that for every access structure on participants. If for some there exists a where the secret is uniformly distributed, such that

there exists a with , where the secret is uniformly distributed

Sketch of the proof: We construct a new scheme for a -bit secret from the initial scheme in the following way. Given a for a uniformly distributed secret in , take a splitting of into two equal parts, say and . Then define a new scheme as follows: to share the bit , take a random element of and share it with the initial scheme. It is easy to see that this new scheme is indeed a for a uniformly distributed secret bit with some leak . This leak depends on the initial choice of the splitting ; we will show that there exists a splitting for which the leak is small.
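The two scaling constructions above (concatenating independent copies, as in Proposition 4.2, and sharing one bit through a fair splitting of the secret set, as in the proof sketch of Theorem 4.3) can be checked numerically on a small scheme. The following is an added worked example written by the editor; it is not code from the paper. The 2-party scheme it uses is a constructed toy: a one-time pad whose pad has its top bit forced to zero, so party 2's share leaks exactly the top bit of the secret while party 1 learns nothing. All distributions are enumerated exactly, so the reported leaks are exact mutual informations rather than estimates.

```python
"""Added worked example (editor's code, not the paper's): exact information-
theoretic checks on a constructed toy 2-party scheme, illustrating
 - scaling up by concatenating independent copies (Proposition 4.2), and
 - scaling down to one secret bit via a fair splitting of the secret set
   (the construction in the proof sketch of Theorem 4.3)."""
from collections import defaultdict
from itertools import product
import math
import random

def entropy(dist):
    """Shannon entropy in bits of a dict value -> probability."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def marginal(joint, idx):
    """Marginal of a joint dict (keys are tuples) onto the coordinates idx."""
    out = defaultdict(float)
    for key, p in joint.items():
        out[tuple(key[i] for i in idx)] += p
    return out

def mutual_information(joint):
    """I(X;Y) in bits for a joint dict (x, y) -> probability."""
    return (entropy(marginal(joint, (0,))) + entropy(marginal(joint, (1,)))
            - entropy(joint))

def toy_shares(n, s, r):
    """Constructed leaky scheme for an n-bit secret s: a one-time pad whose
    pad r has its top bit forced to 0, so party 2's share s ^ r reveals the
    top bit of s (exactly 1 bit of leak) while party 1 sees only r."""
    assert 0 <= s < 2 ** n and 0 <= r < 2 ** (n - 1)
    return {1: r, 2: s ^ r}

def reconstruct(shares):
    """The authorized group {1, 2} recovers the secret."""
    return shares[1] ^ shares[2]

def joint_secret_view(n, secret_dist, group):
    """Exact joint distribution of (secret, view of group), pad uniform."""
    joint = defaultdict(float)
    n_pads = 2 ** (n - 1)
    for s, ps in secret_dist.items():
        for r in range(n_pads):
            sh = toy_shares(n, s, r)
            joint[(s, tuple(sh[i] for i in sorted(group)))] += ps / n_pads
    return joint

def leak(n, group):
    """Bits of information that group gets about a uniform n-bit secret."""
    unif = {s: 1.0 / 2 ** n for s in range(2 ** n)}
    return mutual_information(joint_secret_view(n, unif, group))

def leak_scaled_up(n, m, group):
    """Proposition 4.2: m independent copies share an (m*n)-bit secret; the
    joint is the product distribution and the leak scales by m."""
    unif = {s: 1.0 / 2 ** n for s in range(2 ** n)}
    base = joint_secret_view(n, unif, group)
    joint = defaultdict(float)
    for combo in product(base.items(), repeat=m):
        key = (tuple(k[0] for k, _ in combo), tuple(k[1] for k, _ in combo))
        joint[key] += math.prod(p for _, p in combo)
    return mutual_information(joint)

def leak_one_bit(n, group, half):
    """Theorem 4.3 construction: to share bit b, pick a uniform element of
    half (b = 1) or of its complement (b = 0) and share it with the initial
    scheme. Returns I(b; view of group) for this particular splitting."""
    half = set(half)
    assert len(half) == 2 ** (n - 1)
    n_pads = 2 ** (n - 1)
    joint = defaultdict(float)
    for b in (0, 1):
        pool = half if b == 1 else set(range(2 ** n)) - half
        for s in pool:
            for r in range(n_pads):
                view = tuple(toy_shares(n, s, r)[i] for i in sorted(group))
                joint[(b, view)] += 0.5 / len(pool) / n_pads
    return mutual_information(joint)

def binary_entropy(p):
    return 0.0 if p in (0.0, 1.0) else -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def predicted_one_bit_leak(n, half):
    """Closed form for group {2}: its view reveals exactly the top bit of the
    secret, so the leak is 1 - h(k/|half|), k = #elements of half with top bit
    set. A balanced half leaks 0 bits; the split by top bit leaks the whole bit."""
    half = list(half)
    k = sum(1 for s in half if (s >> (n - 1)) & 1)
    return 1.0 - binary_entropy(k / len(half))

def random_fair_splitting(n, seed):
    """A uniformly random half of the secret set, as in the proof of Thm 4.3."""
    return frozenset(random.Random(seed).sample(range(2 ** n), 2 ** (n - 1)))

if __name__ == "__main__":
    n = 6
    print("leak to {2}:", leak(n, {2}), " to {1}:", leak(n, {1}))
    print("2 copies, n=3, leak to {2}:", leak_scaled_up(3, 2, {2}))
    worst = frozenset(s for s in range(2 ** n) if s >> (n - 1))
    rnd = random_fair_splitting(n, seed=1)
    print("1-bit leak, worst split:", leak_one_bit(n, {2}, worst))
    print("1-bit leak, random split:", leak_one_bit(n, {2}, rnd),
          "closed form:", predicted_one_bit_leak(n, rnd))
```

The worst splitting (by the very bit the scheme leaks) hands the whole secret bit to party 2, while a random fair splitting typically leaks only a small fraction of a bit; this is exactly the dependence on the choice of splitting that the proof sketch exploits.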

We first prove a general lemma about discrete random variables.

Lemma 4.4.

Let be a finite discrete random variable over a -element set (with even) such that for some positive . Let be a random subset of of size ( is chosen uniformly, i.e., each -element subset of is chosen with probability ). Then for every , with probability at least

(probability for a random choice of ) we have

(probability for the initial distribution ), where .

(In applications of this lemma we will choose the most reasonable values of parameter .)

Proof.

For each element , denote by the non-negative weight (probability) that assigns to . Using this notation we have

A randomly chosen contains exactly one half of the points from . We need to estimate the sum of for all . We do it separately for “rather large” and for “rather small” . To make this idea more precise, fix a threshold that separates “rather large” and “rather small” values of . Denote by the total measure of all that are greater than this threshold. More formally,

We claim that is rather small. Indeed, to identify some , it suffices to specify the following information, which consists of two parts:

  • We say whether or not (one bit of information).

  • If , we specify the ordinal number of this “large” point; there are at most points such that , so we need at most bits of information;

  • otherwise, , and we simply specify the ordinal number of in ; here we need at most bits of information.

From the standard coding argument we get

Since , it follows that

Thus, we may assume that the total measure of “rather large” values is quite small even in the entire set ; hence, “large” points do not seriously affect the measure of a randomly chosen . It remains to estimate the typical contribution of the “small” points to the weight of .

Technically, it is useful to forget about “large” points (substitute weights by ) and denote

Now we choose exactly different elements from and estimate the sum of the corresponding . Note that the expectation of this sum is one half of the sum of over all , i.e., . It remains to estimate the deviation of this sum from its expectation. We use the version of Hoeffding’s bound for sampling without replacement, which bounds the deviation of the sum of a sample of points drawn from a -element set (Hoeffding 1963, Section 6). The probability that the sum exceeds its expected value by some can be bounded as follows:

Together with “large” values we have

Now we fix the parameter to be equal to one half of the upper bound for , i.e., . It follows that,

From this bound, we can deduce the symmetric bound for the sum of in :

Since and share the same distribution (the uniform one), this bound also holds for . Summing the two bounds, we are done. ∎
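For reference, the sampling-without-replacement form of Hoeffding's inequality invoked in this proof is stated here as an added note in the editor's own notation (the paper's symbols are not reproduced on this page, so $c_1,\dots,c_N$, $\tau$, $n$ and $t$ below are the editor's names, not the paper's). If $0 \le c_j \le \tau$ for all $j$ and $X_1,\dots,X_n$ are drawn uniformly without replacement from $c_1,\dots,c_N$, then (Hoeffding 1963, Theorem 4)
$$\Pr\Big[\sum_{i=1}^{n} X_i \;-\; \frac{n}{N}\sum_{j=1}^{N} c_j \;\ge\; t\Big] \;\le\; \exp\!\Big(-\frac{2t^2}{n\,\tau^2}\Big).$$
In the lemma the population is the set of weights with the “large” ones replaced by $0$ (so every value lies in $[0,\tau]$, $\tau$ being the threshold), $N$ is the size of the ground set and $n = N/2$ because a fair half is drawn; the bound then reads $\exp(-4t^2/(N\tau^2))$, which is how a small threshold translates into a strong concentration of the weight of a random half.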

We are now ready to prove Theorem 4.3.

Proof.

(of Theorem 4.3). Let be a random subset of the set of all secrets such that ; is chosen uniformly over all such fair splittings of . Let be the random variable for the -bit secret in the initial scheme, and define the new secret bit as the bit given by "" ( is indeed a uniformly distributed bit since ). Our goal is to estimate , for any forbidden group , and show that it is large. Formally, we want to show that , where .

First, we notice that for any bit constructed as above, holds for all , so we can assume that , i.e.,

(1)

We know that is rather large. More precisely,

We introduce some positive parameter (to be fixed later) to separate all values of into two classes:

and

Since the entropy is large, the total measure of all “less typical” values is rather small (more precisely, it is at most ). We do not care about the conditional entropy of when is non-typical (the total weight of these is so small that they contribute little to ). We focus on the contribution of for a typical value . To estimate this quantity we apply Lemma 4.4 to the distribution of conditioned on ; it follows that

for some new parameter and .

This inequality holds for every forbidden group and every typical share . Thus, taking a union bound over all the bad events, we obtain that the following estimate for :

holds with probability at least

(2)

where is the set of all possible shares given to the group of all participants.

Now, we choose our parameters and to deduce our result and show that our choice is valid. We take

(3)

Under these conditions

(4)

and

We want to find a simple sufficient condition guaranteeing that the probability (2) is positive, so that at least one good splitting exists. To this end we do some routine calculations: we take the required inequality and reduce it step by step to a weaker but more convenient form:

The last inequality (which is a sufficient condition for (2) to be positive) holds when and for some large enough depending on . ∎

Note that here we consider only schemes where the secret is uniformly distributed, since in the non-perfect case the dependence on the probability distribution of the secret is non-trivial. Sharing exactly one bit instead of seems harder. We do not know whether this bound can be improved; in particular, can we achieve a leak of ? The assumption shows that the result holds for various kinds of access structures, defined by a trade-off between the number of participants and the size of the shares of a scheme for -bit secrets.

5 Conclusion

In this article we introduced several definitions of almost-perfect secret sharing schemes (two versions in the framework of Shannon entropy and another in the framework of Kolmogorov complexity). We proved that all these approaches are asymptotically equivalent (they give equivalent asymptotic rates of schemes for each access structure). This means that we can combine the tools of Shannon information theory and Kolmogorov complexity to investigate the properties of approximately-perfect secret sharing.

The major questions remain open. The most important one is whether almost-perfect secret sharing schemes can achieve substantially better information rates than perfect (in the classical sense) secret sharing schemes. The known proofs of lower bounds for the rate of perfect secret sharing schemes are based on combinations of information inequalities, so it is not hard to check that the same type of argument implies the same kind of bounds for almost-perfect schemes. Thus, the problem of separating the information rates of almost-perfect and exactly perfect schemes looks rather hard.

Acknowledgment

The author would like to thank Andrei Romashchenko and Sasha Shen for stimulating discussions, and anonymous reviewers who helped substantially improve the manuscript. This work is partially supported by EMC ANR-09-BLAN-0164-01 and NAFIT ANR-08-EMER-008-01 grants.
