On asymptotically good ramp secret sharing schemes ∗
arXiv:1502.05507v5 [cs.IT] 2 Nov 2015
Olav Geil†1, Stefano Martin‡1, Umberto Martínez-Peñas§1, Ryutaroh Matsumoto2 and Diego Ruano¶1
1 Department of Mathematical Sciences, Aalborg University, Denmark
2 Department of Communications and Computer Engineering, Tokyo Institute of Technology, Japan
November 3, 2015
Abstract

Asymptotically good sequences of ramp secret sharing schemes have been intensively studied by Cramer et al. in [6, 7, 8, 9, 10, 11, 12, 13]. In those works the focus is on full privacy and full reconstruction. We propose an alternative definition of asymptotically good sequences of ramp secret sharing schemes where a small amount of information leakage is allowed (and possibly also non-full recovery). By a non-constructive proof we demonstrate the existence of sequences that – following our definition of goodness – have parameters arbitrarily close to the optimal ones. Moreover – still using our definition – we demonstrate how to concretely construct asymptotically good sequences of schemes from sequences of algebraic geometric codes related to a tower of function fields. Our study involves a detailed treatment of the (relative) generalized Hamming weights of the involved codes.

Keywords: Algebraic geometric codes, asymptotically good ramp secret sharing schemes, generalized Hamming weights, relative generalized Hamming weights, secret sharing.

MSC: 94A62, 94B27, 94B65.

∗ Part of this work was presented at WCC-2015.
† [email protected]
‡ [email protected]
§ [email protected]
¶ [email protected]
1 Introduction
A secret sharing scheme [11, 19, 24] is a cryptographic method to encode a secret $s$ into multiple shares $c_1, c_2, \ldots, c_n$ so that only from specified subsets of the shares one can recover $s$. Often it is assumed that $n$ participants each receive a share, no two different participants receiving the same. The secret and the share vector $c = (c_1, c_2, \ldots, c_n)$ corresponding to it are assumed to be taken at random with some given distributions (usually uniform), and the recovery capability of a set of shares is measured from an information-theoretical point of view (see, for instance, [6, 8, 18, 19]). The term ramp secret sharing scheme [11, Section 2.2] is used for those schemes where some sets of shares partially determine the secret, but not completely. This allows the shares to be of smaller size than the secret.

It is usual in the literature to consider the following two threshold values of secret sharing schemes [11, 19]:

• The privacy threshold of the scheme is the maximum integer $t$ such that from no set of shares of size $t$ one can deduce any information about the secret.

• The reconstruction threshold of the scheme is the minimum integer $r$ such that from any set of shares of size $r$ one can uniquely determine $s$.

In this paper we will only treat linear secret sharing schemes with uniform distribution on the secret and uniform distribution on the share vector conditioned on the secret, which is the setting widely considered in the literature (see, for instance, [6, 8, 10, 11, 12, 13, 16, 19]). In this case, the secret is a vector $s \in \mathbb{F}_q^\ell$ (for some finite field $\mathbb{F}_q$, where $q$ is a prime power), and we assume that the shares are elements $c_1, c_2, \ldots, c_n \in \mathbb{F}_q$. Define a $q$-bit of information to be $\log_2(q)$ bits of information. Then, for the schemes that we consider, the mutual information between the secret and a set of shares is an integer between $0$ and $\ell$ if measured in $q$-bits (see [19, Proof of Theorem 4] or [16, Equation (2)]). Therefore, for each $m = 1, 2, \ldots, \ell$, we may define the following threshold values [16, Definition 2]:

• The $m$-th privacy threshold of the scheme is the maximum integer $t_m$ such that from no set of shares of size $t_m$ one can recover $m$ $q$-bits of information about the secret.

• The $m$-th reconstruction threshold of the scheme is the minimum integer $r_m$ such that from any set of shares of size $r_m$ one can obtain $m$ $q$-bits of information about $s$.

Note that $t = t_1$ and $r = r_\ell$.

The asymptotic properties of secret sharing schemes have been intensively studied in the literature [6, 7, 8, 9, 10, 11, 12, 13]. More concretely, bounding the sequences of privacy and reconstruction rates, $t/n_i$ and $r/n_i$, respectively, for sequences of linear schemes over a fixed finite field $\mathbb{F}_q$ has been considered, together with the existence of sequences of schemes with good rates, where $n_i$ is the number of participants of the $i$-th scheme and goes to infinity. However, such studies only focus on full privacy and full reconstruction, since only the threshold values $t$ and $r$ are considered.

The purposes and main contributions of this paper are to give a new definition of asymptotically good sequences of linear ramp secret sharing schemes which does not require full privacy (nor necessarily full reconstruction), to study the sequences of privacy and reconstruction rates, $t_{m_i}/n_i$ and $r_{m'_i}/n_i$, respectively, of these sequences, and to give existential and constructive results on sequences with good rates. This problem has not been considered in the literature before. We should mention that in [6, 7, 8, 9, 10, 11, 12, 13] the schemes are required to have certain multiplicative properties. We do not require our schemes to have such properties.

Allowing some information to be leaked (and possibly not being able to recover the whole secret) allows more participants to be corrupted. Seen the other way around, when a scheme is constructed and run, possibly more participants than expected are corrupted; therefore, we study how much information is leaked in such a case. Privacy and reconstruction sequences of the form $t_{m_i}/n_i$ and $r_{m'_i}/n_i$, respectively, measure how resistant the scheme is to information leakage and non-full recovery.

As is well-known, all linear ramp secret sharing schemes can be constructed from a pair of linear codes $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ [11, Section 4.2]. This allows us, by means of the material in [16, 19], to translate the information-theoretical properties of a linear scheme to coding-theoretical properties of the pair $C_2 \subsetneq C_1$. In particular, bounding generalized Hamming weights (introduced in [29]) of $C_1$ and $C_2^\perp$ and relative generalized Hamming weights (introduced in [20]) of the pair $C_2 \subsetneq C_1$ implies bounds on the privacy and reconstruction rates mentioned before.

The paper is organized as follows. We start in Section 2 by giving the new definition. In Section 3, we provide a non-constructive proof of the existence of asymptotically good sequences of schemes with parameters arbitrarily close to the optimal ones (extending the results in [22]). The remaining part of the paper concentrates on explicit constructions of asymptotically good schemes from algebraic geometric codes. As a starting point, in Section 4 we investigate what can be said about their relative generalized Hamming weights, as well as their generalized Hamming weights, using material from the appendix. In Section 5, we derive asymptotic consequences of the results in the previous section. Next, in Section 6, the parameters obtained so far are compared. Finally, in Section 7 we translate the findings from Section 5 into results on asymptotically good sequences of secret sharing schemes. We give a conclusion in Section 8.
2 A new definition of asymptotically good sequences of schemes
In this paper, we consider the following general definition of a secret sharing scheme. All schemes in this paper will be "ramp" schemes, therefore we will omit this term for brevity.

Definition 1. A secret sharing scheme with secret set $S$ is a family of disjoint nonempty subsets of $\mathbb{F}_q^n$, $\mathcal{S} = \{C_s\}_{s \in S}$, together with a probability distribution over $S$ and one over each of the sets $C_s$. A secret $s \in S$ is taken and then encoded into a vector of shares $c \in C_s$ (the shares are the components of $c$), both chosen at random with the given distributions. We will assume that these distributions are uniform. Moreover, the scheme is said to be linear if $S = \mathbb{F}_q^\ell$, for some $0 < \ell \le n$, and
\[ a_1 c_1 + a_2 c_2 \in C_{a_1 s_1 + a_2 s_2}, \qquad (1) \]
for all $a_1, a_2 \in \mathbb{F}_q$, all $s_1, s_2 \in \mathbb{F}_q^\ell$, and all $c_1 \in C_{s_1}$, $c_2 \in C_{s_2}$.

In [11, Section 4.2], the following construction of linear secret sharing schemes is given: choose linear codes (i.e. linear subspaces) $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ and $W \subset \mathbb{F}_q^n$, with $\ell = \dim(C_1) - \dim(C_2)$ and $C_1 = C_2 \oplus W$, and fix a linear vector space isomorphism $\psi : \mathbb{F}_q^\ell \longrightarrow W$. Then the secret sharing scheme is defined by $C_s = \psi(s) + C_2$. In other words, given $s \in \mathbb{F}_q^\ell$, we choose uniformly at random a vector $c_2 \in C_2$ and define as vector of shares the vector $c = \psi(s) + c_2$. Observe that $\dim(C_2)$ measures the uncertainty introduced by the scheme. It is stated in [11, Section 4.2] that this description includes all linear secret sharing schemes. We formally establish this in the next proposition, whose proof is straightforward and which also implies that linear secret sharing schemes and linear code pairs correspond bijectively:

Proposition 2. Given a linear secret sharing scheme $\mathcal{S} = \{C_s\}_{s \in S}$, define $C_1 = \bigcup_{s \in S} C_s$ and $C_2 = C_0$ (recall that $S = \mathbb{F}_q^\ell$). Then $C_1$ and $C_2$ are linear codes in $\mathbb{F}_q^n$ satisfying $C_2 \subsetneq C_1$, and:

1. Define the equivalence relation $\sim$ in $C_1$ by $c \sim d$ if, and only if, there exists $s \in \mathbb{F}_q^\ell$ such that $c, d \in C_s$. Then it holds that $c \sim d$ if, and only if, $c - d \in C_2$. In particular, $\mathcal{S} = C_1/C_2$.

2. The map $\mathbb{F}_q^\ell \longrightarrow \mathcal{S} = C_1/C_2 : s \longmapsto C_s$ is a vector space isomorphism.

Moreover, if we take a subspace $W \subset C_1$ such that $C_1 = C_2 \oplus W$, then we can canonically define an isomorphism $\psi : \mathbb{F}_q^\ell \longrightarrow W$ by $C_s \cap W = \{\psi(s)\}$, which satisfies $C_s = \psi(s) + C_2$.
Fix a linear code pair $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$, for which $k_1 = \dim(C_1)$, $k_2 = \dim(C_2)$ and $\ell = k_1 - k_2$, and denote by $\mathcal{S}$ the secret sharing scheme constructed from it (for some vector space $W$ and isomorphism $\psi$ as before). On the other hand, for $m = 1, 2, \ldots, \ell$, recall the definition of the $m$-th relative generalized Hamming weight (RGHW) [20] of $C_2 \subsetneq C_1$:
\[ M_m(C_1, C_2) = \min\{\#\mathrm{Supp}(D) \mid D \subset C_1 \text{ is a linear space with } \dim(D) = m \text{ and } D \cap C_2 = \{0\}\}, \qquad (2) \]
where $\mathrm{Supp}(D) = \{i \in \{1, 2, \ldots, n\} \mid \exists d \in D,\ d_i \neq 0\}$. Recall that, for $m = 1, 2, \ldots, k_1$, the $m$-th generalized Hamming weight (GHW) [29] of $C_1$ is defined as $d_m(C_1) = M_m(C_1, \{0\})$.

The following theorem, which is [16, Theorem 3], gives a characterization of the threshold numbers $t_m$ and $r_m$ in terms of the RGHWs of the pair $C_2 \subsetneq C_1$, where $C^\perp$ denotes the dual of the linear code $C$.

Theorem 3. The threshold numbers of the scheme $\mathcal{S}$ are characterized by the RGHWs of $C_2 \subsetneq C_1$ (Proposition 2) in the following way. For each $m = 1, 2, \ldots, \ell$,
\[ t_m = M_m(C_2^\perp, C_1^\perp) - 1, \qquad r_m = n - M_{\ell - m + 1}(C_1, C_2) + 1. \]

From this discussion it follows that a study of the threshold values of any linear secret sharing scheme is equivalent to the study of the RGHWs of the corresponding linear code pair.

Now we turn to asymptotic properties. Consider a sequence of linear secret sharing schemes $(\mathcal{S}_i)_{i=1}^\infty = (\mathcal{S}_1, \mathcal{S}_2, \ldots)$, all of them defined over the same fixed finite field $\mathbb{F}_q$. By Proposition 2, the $i$-th scheme is built from a linear code pair $C_2(i) \subsetneq C_1(i) \subset \mathbb{F}_q^{n_i}$, where we define $k_1(i) = \dim(C_1(i))$, $k_2(i) = \dim(C_2(i))$ and $\ell_i = k_1(i) - k_2(i)$. We will only consider sequences that satisfy

(S.1) $n_i \to \infty$,

(S.2) $\ell_i / n_i \to L$, and

(S.3) $k_1(i) / n_i \to \Omega$,

as $i \to \infty$, for some numbers $0 \le L \le \Omega \le 1$. The number $L$ represents the asymptotic information rate, whereas the number $\Omega - L = \lim_{i \to \infty}(k_2(i)/n_i)$ represents the asymptotic introduced uncertainty of the schemes. We may now define asymptotically good sequences of linear (ramp) secret sharing schemes:
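Before the asymptotic definition, here is an added worked example (my code, not from the paper) that checks the construction of this section and Theorem 3 by brute force on a small, constructed code pair: nested Reed-Solomon codes over $\mathbb{F}_7$ of length $n = 6$ with $k_1 = 4$ and $k_2 = 1$, so $\ell = 3$. The thresholds $t_m$ and $r_m$ are computed directly from the mutual-information definition of the introduction (in $q$-bits, by counting the distinct projections of $C_1$ and $C_2$ onto a share set) and, independently, from the RGHWs obtained through the RDLP characterization (6) of Section 3; Theorem 3 says the two routes must agree. The field, the code parameters and all helper names are my choices.

```python
import functools, itertools, math, random

# Constructed toy instance (not from the paper): q = 7, n = 6, and nested
# Reed-Solomon codes C_2 (constants, k_2 = 1) inside C_1 (polynomials of
# degree <= 3, k_1 = 4), so the secret has l = k_1 - k_2 = 3 coordinates.
Q = 7
POINTS = [1, 2, 3, 4, 5, 6]
N = len(POINTS)
K1, K2 = 4, 1
L = K1 - K2
SUBSETS = range(1 << N)                     # share sets A encoded as bitmasks

def span(rows):
    """All q^k codewords generated by `rows` (exhaustive; fine at this size)."""
    k = len(rows)
    return [tuple(sum(u[j] * rows[j][i] for j in range(k)) % Q for i in range(N))
            for u in itertools.product(range(Q), repeat=k)]

def rref(rows):
    """Reduced row echelon form over F_q; returns (nonzero rows, pivot columns)."""
    M, piv = [row[:] for row in rows], []
    for c in range(N):
        r = len(piv)
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], Q - 2, Q)                  # Fermat inverse, Q prime
        M[r] = [(v * inv) % Q for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                M[i] = [(a - M[i][c] * b) % Q for a, b in zip(M[i], M[r])]
        piv.append(c)
    return M[:len(piv)], piv

def dual_generator(rows):
    """Generator matrix of C^perp: a basis of the kernel of the generator matrix of C."""
    R, piv = rref(rows)
    basis = []
    for free in [c for c in range(N) if c not in piv]:
        x = [0] * N
        x[free] = 1
        for i, p in enumerate(piv):
            x[p] = (-R[i][free]) % Q
        basis.append(x)
    return basis

G1 = [[pow(x, j, Q) for x in POINTS] for j in range(K1)]   # row j evaluates x^j: C_1
G2 = G1[:K2]                                # C_2, a subcode of C_1
GW = G1[K2:]                                # W with C_1 = C_2 (+) W
CODES = {"C1": span(G1), "C2": span(G2),
         "C1perp": span(dual_generator(G1)), "C2perp": span(dual_generator(G2))}

def logq(size):
    """log_q of a set size that is an exact power of q."""
    return round(math.log(size, Q))

def psi(s):
    """The isomorphism psi: F_q^l -> W of Section 2, here s -> s * GW."""
    return tuple(sum(s[j] * GW[j][i] for j in range(L)) % Q for i in range(N))

def share(secret):
    """Share vector c = psi(s) + c_2 with c_2 uniform in C_2 (the construction of Section 2)."""
    c2 = random.choice(CODES["C2"])
    return tuple((a + b) % Q for a, b in zip(psi(secret), c2))

@functools.lru_cache(maxsize=None)
def info_qbits(mask):
    """I(S; C_A) in q-bits for the share set A = mask: log_q of the number of
    distinct projections of C_1 onto A, minus the same number for C_2."""
    proj = lambda name: {tuple(c[i] for i in range(N) if mask >> i & 1) for c in CODES[name]}
    return logq(len(proj("C1"))) - logq(len(proj("C2")))

def thresholds(m):
    """(t_m, r_m) straight from the definitions in the introduction, by exhaustive search."""
    sizes = {d: [A for A in SUBSETS if bin(A).count("1") == d] for d in range(N + 1)}
    t_m = max(d for d in sizes if all(info_qbits(A) < m for A in sizes[d]))
    r_m = min(d for d in sizes if all(info_qbits(A) >= m for A in sizes[d]))
    return t_m, r_m

# dim(C cap V_I) for every I, by counting codewords whose support lies inside I
DIM_CAP = {}
for name, code in CODES.items():
    sup = [sum(1 << i for i in range(N) if c[i]) for c in code]
    DIM_CAP[name] = {I: logq(sum(1 for s in sup if s & ~I == 0)) for I in SUBSETS}

def rdlp(a, b, d):
    """K_d(C_a, C_b): max over |I| = d of dim(C_a cap V_I) - dim(C_b cap V_I)."""
    return max(DIM_CAP[a][I] - DIM_CAP[b][I] for I in SUBSETS if bin(I).count("1") == d)

def rghw(a, b, m):
    """M_m(C_a, C_b) via (6): the least d with K_d(C_a, C_b) >= m."""
    return min(d for d in range(1, N + 1) if rdlp(a, b, d) >= m)

def thresholds_via_rghw(m):
    """Theorem 3: t_m = M_m(C_2^perp, C_1^perp) - 1 and r_m = n - M_{l-m+1}(C_1, C_2) + 1."""
    return rghw("C2perp", "C1perp", m) - 1, N - rghw("C1", "C2", L - m + 1) + 1
```

For this pair both routes give $t_m = m$ and $r_m = m + 1$ for $m = 1, 2, 3$, i.e. equality in the bounds (4) below, as expected since Reed-Solomon codes and their duals are MDS. Two shares already reveal one $q$-bit of the three-symbol secret, which is precisely the partial leakage a ramp scheme permits and the quantity the defects $\varepsilon_j$ of Definition 4 measure asymptotically.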
Definition 4. Let $0 \le L \le \Omega \le 1$, $0 \le \varepsilon_1, \varepsilon_2 \le 1$, $-\varepsilon_1 L \le \Lambda_1$ and $-\varepsilon_2 L \le \Lambda_2$. We say that a sequence of secret sharing schemes $(\mathcal{S}_i)_{i=1}^\infty$ is asymptotically good with deficiencies $\Lambda_1, \Lambda_2$ and defects $\varepsilon_1, \varepsilon_2$ if there exist sequences of positive integers $(m_1(i))_{i=1}^\infty$ and $(m_2(i))_{i=1}^\infty$ such that $1 \le m_1(i), m_2(i) \le \ell_i$, $m_1(i)/n_i \to \varepsilon_1 L$, $m_2(i)/n_i \to \varepsilon_2 L$ and:
\[ \liminf_{i \to \infty} \frac{t_{m_1(i)}}{n_i} \ge \Omega - L - \Lambda_1, \qquad \text{and} \qquad \limsup_{i \to \infty} \frac{r_{\ell_i - m_2(i) + 1}}{n_i} \le \Omega + \Lambda_2. \]
The numbers $\varepsilon_1, \varepsilon_2$ represent an asymptotic fraction of $q$-bits of the secret. Full privacy and reconstruction mean $\varepsilon_1 = 0$ and $\varepsilon_2 = 0$, respectively. On the other hand, recall the Singleton bound [20, Section IV] for a linear code pair $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$: for each $m = 1, 2, \ldots, \ell$,
\[ M_m(C_1, C_2) \le n - k_1 + m. \qquad (3) \]
From this bound and Theorem 3, it follows that
\[ r_m \ge k_2 + m, \qquad \text{and} \qquad t_m \le k_2 + m - 1, \qquad (4) \]
for the corresponding linear secret sharing scheme $\mathcal{S}$ (Proposition 2). Therefore, from the inequalities (4), we have that
\[ \Omega - L - \Lambda_1 \le \liminf_{i \to \infty} \frac{t_{m_1(i)}}{n_i} \le \Omega - L + \varepsilon_1 L. \]
Similarly for reconstruction. Hence, the deficiency numbers need to satisfy
\[ \Lambda_1 \ge -\varepsilon_1 L \qquad \text{and} \qquad \Lambda_2 \ge -\varepsilon_2 L, \qquad (5) \]
where $\Lambda_j = -\varepsilon_j L$, for $j = 1, 2$, is the optimal case; the deficiencies asymptotically measure how far the privacy and reconstruction numbers are from the bounds (4).

We will usually consider a symmetric definition. That is, we will consider sequences where $\varepsilon_1 = \varepsilon_2$, $\Lambda_1 = \Lambda_2$ and $m_1(i) = m_2(i)$, for all $i$. In that case, we will simply write $\varepsilon$, $\Lambda$ and $m_i$ for $\varepsilon_1$, $\Lambda_1$ and $m_1(i)$, respectively. The motivation behind this is the fact that if a number of participants are corrupted, then typically they can use their shares to obtain some information about the secret and also make it impossible to use their shares to recover the whole secret.

Remark 5. Observe that, from the monotonicity of the RGHWs, if a sequence $(\mathcal{S}_i)_{i=1}^\infty$ is asymptotically good with deficiencies $\Lambda_1, \Lambda_2$ and defects $\varepsilon_1, \varepsilon_2$, then it is also asymptotically good with deficiencies $\Lambda_j - \eta_j L$ and defects $\varepsilon_j + \eta_j$, if $0 \le \eta_j \le 1 - \varepsilon_j$, $j = 1, 2$.
3 The existence of sequences with arbitrarily low Λ and ε
To demonstrate the existence of asymptotically good sequences of ramp secret sharing schemes with arbitrarily low deficiency $\Lambda$ and defect $\varepsilon$, we will give an extended version of [22, Theorem 9], since this theorem only deals with either primary or dual code pairs, but not both simultaneously. We use the notation and results in [20], [21], and [22]. In particular, we use the concept of relative dimension length profile (RDLP) as it appears in [20, Section III]. For $1 \le d \le n$, and linear codes $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$, define
\[ K_d(C_1, C_2) = \max_{I \subset \{1, 2, \ldots, n\}} \{\dim(C_1 \cap V_I) - \dim(C_2 \cap V_I) \mid \dim(V_I) = d\}, \]
where $V_I = \{x \in \mathbb{F}_q^n \mid x_i = 0 \text{ if } i \notin I\}$. The sequence $(K_d(C_1, C_2))_{d=1}^n$ is then the RDLP and it is known to be non-decreasing [20, Proposition 1]. Our interest in the RDLP comes from the following result corresponding to the first part of [20, Theorem 3]:
\[ M_m(C_1, C_2) = \min\{d \mid K_d(C_1, C_2) \ge m\}. \qquad (6) \]
Following [21] we next define the numbers $N_1$, $N_2$ and $N_3$, for integers $a, u, v, w$:
\[ N_1(w, u) = \frac{\prod_{i=0}^{u-1}(q^w - q^i)}{\prod_{i=0}^{u-1}(q^u - q^i)}, \qquad N_2(w, u, v) = \frac{\prod_{i=0}^{v-1}(q^w - q^{u+i})}{\prod_{i=0}^{v-1}(q^v - q^i)}, \qquad \text{and} \qquad N_3(w, u, v, a) = N_1(u, a)\, N_2(w - a, u - a, v - a). \]
From [21, Lemma 9] we have:

Lemma 6. For fixed $1 \le k_2 < k_1 < n$ and $I \subset \{1, 2, \ldots, n\}$, the number of linear code pairs $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = k_1$, $\dim(C_2) = k_2$, and $\dim(C_1 \cap V_I) - \dim(C_2 \cap V_I) = s$, is
\[ \sum_{a=0}^{m} N_1(d, a)\, N_2(n - a, d - a, k_2 - a)\, N_3(n - k_2, d - a, k_1 - k_2, s), \]
where $d = \#I$, $s \le \min\{d, k_1 - k_2\}$ and $m = \min\{d - s, k_1 - s, k_2\}$.

Theorem 7 below is an extended and modified version of [21, Corollary 3]. Unfortunately, the proof in [21] of the latter corollary is slightly wrong, as it relies on [21, Proposition 2], which is false. As will be clear from Theorem 7 and its proof, this problem is easily overcome by applying (6) instead of [21, Proposition 2], and by replacing in [21, Corollary 3] the condition [21, Equation (4)] with a slightly stronger condition (one more term in the summation).
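To make the counting quantities concrete, the following added check (my code, not from [21] or the paper) implements $N_1$, $N_2$, $N_3$ and compares them with an exhaustive enumeration of the subspaces of $\mathbb{F}_2^4$. It reads $N_3(w, u, v, a)$ as the number of $v$-dimensional subspaces of $\mathbb{F}_q^w$ meeting a fixed $u$-dimensional subspace in dimension exactly $a$ (which is how the product $N_1(u, a)\,N_2(w - a, u - a, v - a)$ factors: choose the intersection inside $U$, then a complement-like piece in the quotient); that reading, and the choices $q = 2$, $w = 4$, are mine.

```python
import itertools

# Constructed check (not from the paper) of the counting numbers N_1, N_2, N_3 of
# Section 3 over F_2^w, an ambient space small enough to list every subspace.

def prod(xs):
    out = 1
    for x in xs:
        out *= x
    return out

def N1(q, w, u):
    """Number of u-dimensional subspaces of F_q^w (a Gaussian binomial coefficient)."""
    return prod(q**w - q**i for i in range(u)) // prod(q**u - q**i for i in range(u))

def N2(q, w, u, v):
    """Number of v-dimensional subspaces of F_q^w meeting a fixed u-dimensional subspace in {0}."""
    return prod(q**w - q**(u + i) for i in range(v)) // prod(q**v - q**i for i in range(v))

def N3(q, w, u, v, a):
    """Number of v-dimensional subspaces V of F_q^w with dim(V cap U) = a for a fixed
    u-dimensional U: pick A = V cap U inside U, then V/A disjoint from U/A in F_q^w / A."""
    return N1(q, u, a) * N2(q, w - a, u - a, v - a)

# Brute force over F_2^w: vectors are w-bit integers, subspaces are frozensets of them.
def span2(gens):
    """F_2-span of bitmask vectors: close {0} under XOR with each generator."""
    s = {0}
    for g in gens:
        s |= {x ^ g for x in s}
    return frozenset(s)

def all_subspaces(w):
    """Every subspace of F_2^w, as the spans of all generating sets of size <= w."""
    vecs = range(1, 1 << w)
    return {span2(gens) for k in range(w + 1) for gens in itertools.combinations(vecs, k)}

def dim2(sub):
    """Dimension of a subspace of F_2^w given as a set: |sub| = 2^dim."""
    return len(sub).bit_length() - 1

def count_by_intersection(w, u, v, a):
    """Brute-force N_3: U = span of the first u unit vectors; count v-dim V with dim(V cap U) = a."""
    U = span2([1 << i for i in range(u)])
    return sum(1 for V in all_subspaces(w) if dim2(V) == v and dim2(V & U) == a)

def check(w, u, v):
    """The formulas versus brute force for every a, plus the sum rule sum_a N_3 = N_1(w, v)."""
    formula = [N3(2, w, u, v, a) for a in range(min(u, v) + 1)]
    brute = [count_by_intersection(w, u, v, a) for a in range(min(u, v) + 1)]
    return formula, brute, sum(formula) == N1(2, w, v)
```

`check(4, 1, 2)` returns `([28, 7], [28, 7], True)`: of the 35 planes in $\mathbb{F}_2^4$, 28 avoid a fixed nonzero vector and 7 contain it. The same machinery is what Lemma 6 sums over $a$, with the roles of $w, u, v$ played by $d$, $n - a$ and the code dimensions.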
Theorem 7. For fixed $1 \le k_2 < k_1 < n$, $1 \le d \le n$, $1 \le d^\perp \le n$, $1 \le s \le \min\{d, k_1 - k_2 - 1\}$, $1 \le s^\perp \le \min\{d^\perp, k_1 - k_2 - 1\}$, there exists a linear code pair $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = k_1$, $\dim(C_2) = k_2$, $M_s(C_1, C_2) \ge d$ and $M_{s^\perp}(C_2^\perp, C_1^\perp) \ge d^\perp$, if
\[ N_1(n, k_2)\, N_1(n - k_2, k_1 - k_2) \qquad (7) \]
\[ > \binom{n}{d} \sum_{\sigma = s}^{k_1 - k_2} \sum_{a=0}^{m_\sigma} N_1(d, a)\, N_2(n - a, d - a, k_2 - a)\, N_3(n - k_2, d - a, k_1 - k_2, \sigma) \qquad (8) \]
\[ + \binom{n}{d^\perp} \sum_{\sigma^\perp = s^\perp}^{k_1 - k_2} \sum_{a=0}^{m^\perp_{\sigma^\perp}} N_1(d^\perp, a)\, N_2(n - a, d^\perp - a, n - k_1 - a)\, N_3(k_1, d^\perp - a, k_1 - k_2, \sigma^\perp), \qquad (9) \]
where $m_\sigma = \min\{d - \sigma, k_1 - s, k_2\}$ and $m^\perp_{\sigma^\perp} = \min\{d^\perp - \sigma^\perp, (n - k_2) - \sigma^\perp, n - k_1\}$.
Proof. The term (7) is the total number of pairs $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = k_1$ and $\dim(C_2) = k_2$ [21, Equation (A.3)]. On the other hand, by Lemma 6, the number of pairs $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = k_1$, $\dim(C_2) = k_2$ and $K_d(C_1, C_2) \ge s$ is at most the term (8). Similarly, the number of pairs $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = k_1$, $\dim(C_2) = k_2$ and $K_{d^\perp}(C_2^\perp, C_1^\perp) \ge s^\perp$ is at most the term (9). As the RDLP is non-decreasing, this implies the existence of a code pair $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ with $K_{d-1}(C_1, C_2) < s$ and $K_{d^\perp - 1}(C_2^\perp, C_1^\perp) < s^\perp$. The theorem now follows from (6).

The following theorem is an improvement of [22, Theorem 9], which states that the RGHWs of both primary and dual nested code pairs can simultaneously get asymptotically as close to the Singleton bound as wanted.

Theorem 8. For $0 \le R_2 < R_1 \le 1$, $0 \le \delta \le 1$, $0 \le \delta^\perp \le 1$, $0 < \tau \le \min\{\delta, R_1 - R_2\}$ and $0 < \tau^\perp \le \min\{\delta^\perp, R_1 - R_2\}$, if
\[ R_1 + \delta < 1 + \tau, \qquad (10) \]
\[ (1 - R_2) + \delta^\perp < 1 + \tau^\perp, \qquad (11) \]
then for any prime power $q$ and sufficiently large $n$, there exists a linear code pair $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ such that $\dim(C_1) = \lfloor nR_1 \rfloor$, $\dim(C_2) = \lceil nR_2 \rceil$, $M_{\lceil n\tau \rceil}(C_1, C_2) \ge \lfloor n\delta \rfloor$, and $M_{\lceil n\tau^\perp \rceil}(C_2^\perp, C_1^\perp) \ge \lfloor n\delta^\perp \rfloor$.

Proof. We will look for sufficient conditions for Theorem 7 to hold when $n$ is large, using (10) and (11). In the same way as in the proof of [22, Theorem 9], we can ignore polynomial factors in Theorem 7, take $\log_q$, and divide by $n^2$ (not $n$). Then by using [22, Equations (6)–(8)] and notation as in
Theorem 7, we see that
\[ \frac{k_2}{n}\left(1 - \frac{k_2}{n}\right) + \left(\frac{k_1}{n} - \frac{k_2}{n}\right)\left(1 - \frac{k_1}{n}\right) > \frac{1}{n^2} \max\Big\{ \]
\[ \max\{a(d - a) + (k_2 - a)(n - k_2) + \sigma(d - a - \sigma) + (k_1 - k_2 - \sigma)(n - k_1) \mid s + 1 \le \sigma \le k_1 - k_2,\ 0 \le a \le \min\{d - \sigma, k_1 - \sigma, k_2\}\}, \qquad (12) \]
\[ \max\{a(d^\perp - a) + (n - k_1 - a)k_1 + \sigma^\perp(d^\perp - a - \sigma^\perp) + (k_1 - k_2 - \sigma^\perp)k_2 \mid s^\perp + 1 \le \sigma^\perp \le k_1 - k_2,\ 0 \le a \le \min\{d^\perp - \sigma^\perp, n - k_2 - \sigma^\perp, n - k_1\}\} \Big\} \qquad (13) \]
is a sufficient condition for the assumption of Theorem 7 when $n$ is large. Observe that the maximums in (12) and (13) are always achieved at $\sigma = s + 1$ and $\sigma^\perp = s^\perp + 1$, respectively. By identifying $R_1, R_2, \alpha, \delta, \delta^\perp, \tau$ and $\tau^\perp$ with $k_1/n, k_2/n, a/n, d/n, d^\perp/n, \sigma/n$ and $\sigma^\perp/n$, respectively, we see that
\[ R_2(1 - R_2) + (R_1 - R_2)(1 - R_1) > \max\Big\{ \]
\[ \max_{0 \le \alpha \le \min\{\delta - \tau,\, R_1 - \tau,\, R_2\}} \big(\alpha(\delta - \alpha) + (R_2 - \alpha)(1 - R_2) + \tau(\delta - \alpha - \tau) + (R_1 - R_2 - \tau)(1 - R_1)\big), \qquad (14) \]
\[ \max_{0 \le \alpha \le \min\{\delta^\perp - \tau^\perp,\, 1 - R_2 - \tau^\perp,\, 1 - R_1\}} \big(\alpha(\delta^\perp - \alpha) + (1 - R_1 - \alpha)R_1 + \tau^\perp(\delta^\perp - \alpha - \tau^\perp) + (R_1 - R_2 - \tau^\perp)R_2\big) \Big\} \qquad (15) \]
is a sufficient condition for the assumption of Theorem 7 when $n$ is sufficiently large. Since $\delta \ge \tau$ and $\delta^\perp \ge \tau^\perp$, we see that the maximums in (14) and (15) are achieved at $\alpha = 0$, simultaneously. Substituting $\alpha = 0$ yields
\[ R_2(1 - R_2) + (R_1 - R_2)(1 - R_1) > \max\{ R_2(1 - R_2) + \tau(\delta - \tau) + (R_1 - R_2 - \tau)(1 - R_1), \qquad (16) \]
\[ (1 - R_1)R_1 + \tau^\perp(\delta^\perp - \tau^\perp) + (R_1 - R_2 - \tau^\perp)R_2 \}. \qquad (17) \]
When (16) $\ge$ (17), we may ignore (17). Ignoring (17) and subtracting $R_2(1 - R_2) + (R_1 - R_2)(1 - R_1)$ from both sides yields
\[ 0 > \tau(R_1 + \delta - 1 - \tau). \qquad (18) \]
Since we have assumed $\tau > 0$, we can divide (18) by $\tau$ and obtain (10). When (16) $<$ (17), we may ignore (16). Ignoring (16) and subtracting $R_2(1 - R_2) + (R_1 - R_2)(1 - R_1)$ from both sides yields
\[ 0 > \tau^\perp(\delta^\perp - \tau^\perp - R_2). \qquad (19) \]
Since we have assumed $\tau^\perp > 0$, we can divide (19) by $\tau^\perp$ and obtain (11).

Using the above theorem we now establish the following existence result for asymptotically good sequences of secret sharing schemes:

Theorem 9. For any $0 \le L < \Omega \le 1$, any $0 < \varepsilon_1, \varepsilon_2 < 1$ and any $\Lambda_1, \Lambda_2$ with $-\varepsilon_j L < \Lambda_j \le \Omega - (1 + \varepsilon_j)L$, $j = 1, 2$, there exists an asymptotically good sequence of secret sharing schemes $(\mathcal{S}_i)_{i=1}^\infty$ with deficiencies $\Lambda_1, \Lambda_2$ and defects $\varepsilon_1, \varepsilon_2$.

Proof. Let $R_1 = \Omega$ and $R_2 = \Omega - L$. Define $\tau = \varepsilon_2 L$, $\tau^\perp = \varepsilon_1 L$, $\delta = 1 - R_1 - \Lambda_2$ and $\delta^\perp = R_2 - \Lambda_1$. Take sequences $(m_1(i))_{i=1}^\infty$ and $(m_2(i))_{i=1}^\infty$ such that $m_j(i)/n_i \to \varepsilon_j L$, $j = 1, 2$, and $m_2(i) \ge \lceil n_i \tau \rceil$ and $m_1(i) \ge \lceil n_i \tau^\perp \rceil$. By the previous theorem, there exists a sequence of pairs of codes $C_2(i) \subsetneq C_1(i)$ with the previous parameters, and thus the corresponding sequence of secret sharing schemes satisfies
\[ \liminf_{i \to \infty} \frac{t_{m_1(i)}}{n_i} = \liminf_{i \to \infty} \frac{M_{m_1(i)}(C_2^\perp(i), C_1^\perp(i))}{n_i} \ge \delta^\perp = \Omega - L - \Lambda_1, \]
and similarly for reconstruction. Note that the hypotheses of the previous theorem are satisfied, since $\delta^\perp < R_2 + \varepsilon_1 L = R_2 + \tau^\perp$ and $\tau^\perp = \varepsilon_1 L \le R_2 - \Lambda_1 = \delta^\perp$, and similarly for reconstruction.
4 RGHWs and GHWs of algebraic geometric codes
The proof of Theorem 8 being non-constructive, we cannot specify the sequence of schemes treated in Theorem 9. Also, the deficiency numbers of these schemes can get as close as we want to the bound (5), but they do not reach it. In the remaining part of the paper we shall therefore concentrate on algebraic geometric codes, for which these problems can be overcome.

Recall that, given a linear code pair $C_2 \subsetneq C_1$, lower bounding privacy numbers and upper bounding reconstruction numbers of the corresponding scheme are equivalent to lower bounding the RGHWs of $C_2 \subsetneq C_1$ and of $C_1^\perp \subsetneq C_2^\perp$ (the latter for privacy and the former for reconstruction, by Theorem 3). Since the GHWs of $C_1$ and $C_2^\perp$ lower bound the RGHWs of $C_2 \subsetneq C_1$ and $C_1^\perp \subsetneq C_2^\perp$, respectively, in many cases it will be sufficient to lower bound the corresponding GHWs. Therefore, in this section we derive general non-asymptotic results on RGHWs and GHWs of algebraic geometric codes, whose asymptotic consequences are given in the next section.

Let $F$ be an algebraic function field over $\mathbb{F}_q$ of transcendence degree one. Throughout the rest of the paper we consider divisors $D = P_1 + P_2 + \cdots + P_n$ and $G$ with disjoint supports, where the places $P_i$ are rational and pairwise distinct. For any divisor $E$, we define the Riemann-Roch space $\mathcal{L}(E)$ of functions $f \in F$ such that the divisor $(f) + E$ is effective (see also [17, Definition 2.36]). We denote by $C_L(D, G)$ the evaluation code of length $n$ obtained by evaluating functions $f \in \mathcal{L}(G)$ in the places $P_i$. An algebraic geometric code is a code of the form $C_L(D, G)$ or $C_L(D, G)^\perp$ (the latter being sometimes written $C_\Omega(D, G)$). Next we recall the Goppa bound ([17, Theorem 2.65] and [27, Theorem 4.3]) on their minimum distance, together with [27, Corollary 4.2], on the GHWs that reach the Singleton bound (3):

Theorem 10. Let $C$ be an algebraic geometric code of dimension $k$ defined from a function field of genus $g$. Then, $d_1(C) \ge n - k + 1 - g$ and, for all $g + 1 \le m \le k$, it holds that $d_m(C) = n - k + m$.

For algebraic geometric codes $C_2 \subsetneq C_1$, the above theorem exactly gives $d_m(C_1)$ and $M_m(C_1, C_2)$ when $g < m$. In Proposition 14 and Proposition 15 below we will improve it in the case $m \le g$ for one-point codes. Before that, we mention an easy corollary to Theorem 10 regarding the so-called threshold gaps $r_m - t_{m'}$. We shall not use this corollary later in the paper, but since the threshold gap $r - t = r_\ell - t_1$ ($\ell = \dim(C_1/C_2)$) has already been studied intensively in [8], we believe that the corollary has some interest in itself.

Corollary 11. Let $C_2 \subsetneq C_1 \subset \mathbb{F}_q^n$ be algebraic geometric codes defined from a function field of genus $g$. Write $k_1 = \dim(C_1)$, $k_2 = \dim(C_2)$ and $\ell = k_1 - k_2$. The corresponding secret sharing scheme (Proposition 2) satisfies

1. $k_2 + m \le r_m \le k_2 + g + m$,

2. $k_2 - g + m - 1 \le t_m \le k_2 + m - 1$,

for all $1 \le m \le \ell$. In particular, for all $1 \le m, m' \le \ell$, we have that $(m - m') + 1 \le r_m - t_{m'} \le (m - m') + 2g + 1$. Moreover, if $\ell \ge 2g$, then for $1 \le m \le \ell$, we have that $1 \le r_m - t_m \le g + 1$, and, if $g + 1 \le m \le \ell - g$, then $r_m - t_m = 1$.
Proof. Only the last part needs a proof. Since $\ell \ge 2g$, we have that $m \le g$ implies that $\ell - m + 1 \ge g + 1$, and $\ell - m + 1 \le g$ implies that $m \ge g + 1$. In both cases, either $r_m = k_2 + m$ or $t_m = k_2 + m - 1$, since at least one reaches the bound (4). Thus, one term $g$ is subtracted and we obtain the first bound. On the other hand, if $g + 1 \le m \le \ell - g$, then both $r_m$ and $t_m$ reach the Singleton bound and the last equality is obtained.

From now on we will concentrate on one-point algebraic geometric codes. These are codes $C_L(D, G)$ or $C_L(D, G)^\perp$, where $G = \mu Q$, $Q$ is a rational place and $\mu \ge -1$. Writing $\nu_Q$ for the valuation at $Q$, the Weierstrass semigroup corresponding to $Q$ is
\[ H(Q) = \bigcup_{\mu = 0}^{\infty} -\nu_Q(\mathcal{L}(\mu Q)) = \{\mu \in \mathbb{N}_0 \mid \mathcal{L}(\mu Q) \neq \mathcal{L}((\mu - 1)Q)\}. \]
As is well-known, the number of missing positive numbers in $H(Q)$ equals the genus $g$ of the function field. The conductor $c$ is by definition the smallest element in $H(Q)$ such that all integers greater than or equal to that number belong to the set. Consider the related subset
\[ H^*(Q) = \{\mu \in \mathbb{N}_0 \mid C_L(D, \mu Q) \neq C_L(D, (\mu - 1)Q)\}. \]
The following lemma is well-known (see [17, Theorem 2.65] and [12, Theorem 3]):

Lemma 12. For $\mu \ge -1$, the dimension $k = \dim(C_L(D, \mu Q))$ satisfies:

• $k \ge \mu + 1 - g$ if $\mu \le 2g - 2$,

• $k = \mu + 1 - g$ if $2g - 2 < \mu < n$, and

• $k \le \mu + 1 - g$ if $n \le \mu$.

If $\mu = n + 2g - 1$, then $C_L(D, \mu Q) = \mathbb{F}_q^n$, which implies that $\#H^*(Q) = n$. Moreover, we have that $H^*(Q) \cap [0, n) = H(Q) \cap [0, n)$.

From [16, Theorems 19, 20] we have the following method for estimating RGHWs of one-point algebraic geometric codes.

Theorem 13. Let $C_1 = C_L(D, \mu_1 Q)$ and $C_2 = C_L(D, \mu_2 Q)$, with $-1 \le \mu_2 < \mu_1$. Write $k_1 = \dim(C_1)$, $k_2 = \dim(C_2)$ and $\ell = k_1 - k_2$. If $1 \le m \le \ell$, then

1. $M_m(C_1, C_2) \ge n - \mu_1 + \min\big\{\#\{\alpha \in \bigcup_{s=1}^{m-1}(i_s + H(Q)) \mid \alpha \notin H(Q)\} \;\big|\; -(\mu_1 - \mu_2) + 1 \le i_1 < i_2 < \cdots < i_{m-1} \le -1\big\}$.

2. $M_m(C_2^\perp, C_1^\perp) \ge \min\big\{\#\{\alpha \in \bigcup_{s=1}^{m}(i_s + (\mu_1 - H(Q))) \mid \alpha \in H(Q)\} \;\big|\; -(\mu_1 - \mu_2) + 1 \le i_1 < i_2 < \cdots < i_m \le 0\big\}$.

Choosing $C_2 = \{0\}$ in item 1, we obtain a bound on the GHWs of $C_1$. Similarly, choosing $C_1 = \mathbb{F}_q^n$ in item 2, we get a bound on the GHWs of $C_2^\perp$.

Proposition 14. For $0 \le \gamma \le c$, let $h_\gamma = \#(H(Q) \cap (0, \gamma])$ and let $\mu \ge -1$ and $k = \dim(C_L(D, \mu Q))$. If $\mu < n$ and $1 \le m \le \min\{k, g\}$, then
\[ d_m(C_L(D, \mu Q)) \ge n - k + 2m - c + h_{c-m} \ge n - k + 2m - c. \]

Proof. We will apply item 1 in Theorem 13 for $\mu_1 = \mu$ and $\mu_2 = -1$. Consider numbers $-\mu \le i_1 < i_2 < \cdots < i_{m-1} \le -1$. We have
\[ [c - m + 1, c] \setminus H(Q) \subset [\max\{0, c + i_1\}, c] \setminus H(Q) \subset \Big\{\alpha \in \bigcup_{s=1}^{m-1}(i_s + H(Q)) \;\Big|\; \alpha \notin H(Q)\Big\} \cap [0, \infty), \]
where the first inclusion comes from $i_1 \le -m + 1$. Now the number of elements in $[c - m + 1, c] \cap H(Q)$ is at most $(c - g) - h_{c-m}$, and we have that
\[ \#\Big(\Big\{\alpha \in \bigcup_{s=1}^{m-1}(i_s + H(Q)) \;\Big|\; \alpha \notin H(Q)\Big\} \cap [0, \infty)\Big) \ge m - (c - g) + h_{c-m}. \]
On the other hand, we have that
\[ \{i_1, i_2, \ldots, i_{m-1}\} \subset \Big\{\alpha \in \bigcup_{s=1}^{m-1}(i_s + H(Q)) \;\Big|\; \alpha \notin H(Q)\Big\} \cap (-\infty, 0). \]
Thus, from the previous theorem, we obtain
\[ d_m(C_L(D, \mu Q)) \ge (n - \mu) + (m - 1) + (m - c + g + h_{c-m}). \]
Since $k \ge \mu - g + 1$ by Lemma 12, the result follows.

Proposition 15. For $\gamma \ge 1$, let $h'_\gamma = \#([\gamma, \infty) \setminus H(Q))$ and let $\mu > 2g - 2$ and $k = \dim(C_L(D, \mu Q)^\perp)$. If $1 \le m \le \min\{k, g\}$, then
\[ d_m(C_L(D, \mu Q)^\perp) \ge n - k + 2m - c + h'_{\mu - c + m} \ge n - k + 2m - c. \]

Proof. We will apply item 2 in Theorem 13 for $\mu_1 = n + 2g - 1$ and $\mu_2 = \mu$ to prove that $M_m(C_2^\perp, C_1^\perp) \ge k_2 + 2m - c + h'_{\mu_2 - c + m}$, where $k_2 = \dim(C_2)$. Consider numbers $-(\mu_1 - \mu_2) + 1 \le i_1 < i_2 < \cdots < i_m \le 0$. First, $(i_m + \mu_1 - H(Q)) \cap [0, \mu_2]$ contains the set $[0, \mu_1 - c - (\mu_1 - \mu_2) + m] = [0, \mu_2 - c + m]$, since $i_m \ge -(\mu_1 - \mu_2) + m$ and $\mu_1 - c - (\mu_1 - \mu_2) + m \le \mu_2$. Here, we used the assumption $m \le g$ and the fact that $g \le c$. Thus,
\[ \#\big((i_m + \mu_1 - H(Q)) \cap H(Q) \cap [0, \mu_2]\big) \ge (\mu_2 - c + m + 1) - (g - h'_{\mu_2 - c + m}). \]
On the other hand,
\[ \{\mu_1 + i_1, \mu_1 + i_2, \ldots, \mu_1 + i_m\} \subset \Big\{\alpha \in \bigcup_{s=1}^{m}(i_s + (\mu_1 - H(Q))) \;\Big|\; \alpha \in H(Q)\Big\}, \]
which are $m$ elements in the range $(\mu_2, \mu_1]$. Thus, from the previous theorem we obtain
\[ M_m(C_2^\perp, C_1^\perp) \ge (\mu_2 - c + m + 1 - g + h'_{\mu_2 - c + m}) + m. \]
Since $k_2 \le \mu_2 - g + 1$ and $C_1 = \mathbb{F}_q^n$ by Lemma 12, the result follows.
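As an added illustration (my code, not from the paper), the following evaluates the bound of Theorem 13 (item 1, with $C_2 = \{0\}$, so that it bounds $d_m(C_L(D, \mu Q))$) and the bound of Proposition 14 on an assumed Weierstrass semigroup $H = \langle 4, 5 \rangle$, with assumed length $n = 64$ and $\mu = 20$. The semigroup, $n$ and $\mu$ are constructed inputs chosen only so that $2g - 2 < \mu < n$ holds; they do not describe any function field treated in the paper. On this instance one sees that for $m = 1$ Proposition 14 reduces to the Goppa bound of Theorem 10, and that for $m \ge 2$ the Theorem 13 bound is at least the Proposition 14 bound, as the proof above shows.

```python
import itertools

# Constructed example (not from the paper): the bound of Theorem 13, item 1, with
# C_2 = {0}, and the bound of Proposition 14, evaluated on an assumed Weierstrass
# semigroup. H = <4, 5> (genus 6, conductor 12), n = 64 and mu = 20 are toy choices
# satisfying 2g - 2 < mu < n; nothing here is a parameter from the paper.

def semigroup(gens, limit):
    """Elements of the numerical semigroup generated by `gens`, up to `limit`."""
    H = {0}
    for h in range(1, limit + 1):
        if any(h - g in H for g in gens):
            H.add(h)
    return H

def genus_and_conductor(H, limit):
    """g = number of gaps, c = smallest element from which on every integer lies in H."""
    gaps = [x for x in range(limit + 1) if x not in H]
    return len(gaps), (max(gaps) + 1 if gaps else 0)

def h_gamma(H, gamma):
    """h_gamma = #(H cap (0, gamma]) as in Proposition 14."""
    return sum(1 for x in H if 0 < x <= gamma)

def goppa_bound(n, k, g):
    """Theorem 10: d_1 >= n - k + 1 - g."""
    return n - k + 1 - g

def prop14_bound(H, n, k, m, c):
    """Proposition 14: d_m(C_L(D, mu Q)) >= n - k + 2m - c + h_{c-m}."""
    return n - k + 2 * m - c + h_gamma(H, c - m)

def theorem13_bound(H, n, mu, m, c):
    """Theorem 13, item 1, with mu_1 = mu and mu_2 = -1 (so C_2 = {0}):
    d_m >= n - mu + min over -mu <= i_1 < ... < i_{m-1} <= -1 of
    #{alpha in union_s (i_s + H) : alpha not in H}."""
    hs = [h for h in H if h <= c + mu]      # larger shifts land at or above c, hence inside H
    best = None
    for shifts in itertools.combinations(range(-mu, 0), m - 1):
        union = {i + h for i in shifts for h in hs}
        count = sum(1 for alpha in union if alpha not in H)   # negatives are never in H
        best = count if best is None else min(best, count)
    return n - mu + best

# assumed toy parameters
LIMIT = 200
H = semigroup([4, 5], LIMIT)
G, C = genus_and_conductor(H, LIMIT)
N_ASSUMED, MU = 64, 20
K = MU + 1 - G                        # dim C_L(D, mu Q) by Lemma 12, since 2g-2 < mu < n

def compare(m):
    """(Theorem 13 bound, Proposition 14 bound) for d_m of C_L(D, mu Q)."""
    return theorem13_bound(H, N_ASSUMED, MU, m, C), prop14_bound(H, N_ASSUMED, K, m, C)
```

Here $g = 6$, $c = 12$ and $k = 15$; `compare(1)` gives `(44, 44)`, equal to `goppa_bound(64, 15, 6)`, and `compare(2)` gives `(48, 46)`. The Theorem 13 minimum is exhaustive over the shift tuples $(i_1, \ldots, i_{m-1})$, so its cost grows like $\binom{\mu}{m-1}$; for the asymptotic use in Section 5 one relies on the closed-form Proposition 14 instead.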
As mentioned at the beginning of this section, in the following sections we will construct asymptotically good sequences of secret sharing schemes from sequences of codes whose GHWs, relative to the code length, behave well. The proposition below suggests that we do not lose too much by treating GHWs rather than RGHWs.

Proposition 16. Let the notation be as in Theorem 13 and let $1 \le m \le \ell$. If $\ell < c$, then $M_m(C_1, C_2) - d_m(C_1) \le c - \ell$ and $M_m(C_2^\perp, C_1^\perp) - d_m(C_2^\perp) \le c - \ell$. If $\ell \ge c$ or if $m > g$, then $M_m(C_1, C_2) = d_m(C_1)$ and $M_m(C_2^\perp, C_1^\perp) = d_m(C_2^\perp)$.

Proof. The proof is given in the appendix.
5 Asymptotic analysis for one-point algebraic geometric codes
In this section we establish asymptotic results regarding GHWs of one-point algebraic geometric codes. Given a function field $F$, we shall write $N(F)$ for its number of rational places and $g(F)$ for its genus. For asymptotic purposes, we will need the well-known parameter
\[ A(q) = \limsup_{g(F) \to \infty} \frac{N(F)}{g(F)}, \qquad (20) \]
where the limit is taken over all function fields over $\mathbb{F}_q$ of genus $g(F) > 0$. The Drinfeld-Vlăduţ bound [28] states that
\[ A(q) \le \sqrt{q} - 1, \qquad (21) \]
where equality holds if $q$ is a perfect square. See [4] for the status on what is known about $A(q)$ for $q$ being a non-square. For convenience, we give the following definition:

Definition 17. A tower of function fields $(F_i)_{i=1}^\infty$ over $\mathbb{F}_q$ is optimal if $N(F_i) \to \infty$ and $N(F_i)/g(F_i) \to A(q)$ for $i \to \infty$. On the other hand, $(C_i)_{i=1}^\infty$ is an optimal sequence of one-point algebraic geometric codes defined from $F_i$ if $n_i/N(F_i) \to 1$ for $i \to \infty$, where $n_i$ is the length of $C_i$.

We start our investigations by commenting on [27, Theorem 5.9], which if true would imply that from optimal towers of function fields one could construct sequences of secret sharing schemes having any parameters $L, \Omega, \Lambda_1, \Lambda_2, \varepsilon_1$, and $\varepsilon_2$ – in particular one could always obtain equality in (5). Below we reformulate [27, Theorem 5.9] with the needed modification that ensures that the Singleton bound is reached when $1/A(q) < \rho$, in contrast to $0 \le \rho$, as it appears in [27]. We also adapt the formulation to better fit our purposes of constructing asymptotically good sequences of secret sharing schemes. We include the proof from [27] to explain why this modification is needed.

Theorem 18. Let $(F_i)_{i=1}^\infty$ be an optimal tower of function fields over $\mathbb{F}_q$. Consider $R, \rho$ with $0 \le \rho \le R \le 1$. Let $(C_i)_{i=1}^\infty$ be an optimal sequence of one-point algebraic geometric codes defined from $(F_i)_{i=1}^\infty$ such that $\dim(C_i)/n_i \to R$. For all sequences of positive integers $(m_i)_{i=1}^\infty$ with $m_i/n_i \to \rho$, it holds that $\delta = \liminf_{i \to \infty} d_{m_i}(C_i)/n_i \ge 1 - R + \rho - \frac{1}{A(q)}$ and, if $1/A(q) < \rho$, then $\delta = 1 - R + \rho$.

Proof. The first bound on $\delta$ is an easy consequence of the Goppa bound (the first part of Theorem 10). Now assume $1/A(q) < \rho$. By assumption, for $i$ large enough we have $m_i > g(F_i)$, which by the last part of Theorem 10 implies that $d_{m_i}(C_i) = n_i - \dim(C_i) + m_i$. Dividing by $n_i$ and taking the limit, we obtain the result.

The theorem states that the Singleton bound (3) can be asymptotically reached when $1/A(q) < \rho$, which implies $1/(\sqrt{q} - 1) < \rho$ by (21). However, this leaves the cases $1/A(q) \ge \rho$ undecided. In the following we shall concentrate on finding asymptotic results for the cases $1/A(q) \ge \rho$. We will need [27, Corollary 3.6] and Wei's duality theorem [29, Theorem 3], which we now recall in this order:

Lemma 19. For every linear code $C \subset \mathbb{F}_q^n$ and every $1 \le m \le \dim(C)$, we have that
\[ d_m(C) \ge d_1(C)\, \frac{q^m - 1}{q^m - q^{m-1}}. \]

Lemma 20. Let $C \subset \mathbb{F}_q^n$ be a linear code of dimension $k$. Write $d_r = d_r(C)$ and $d_s^\perp = d_s(C^\perp)$, for all $1 \le r \le k$ and all $1 \le s \le n - k$. Then,
\[ \{1, 2, \ldots, n\} = \{d_1, d_2, \ldots, d_k\} \cup \{n + 1 - d^\perp_{n-k}, \ldots, n + 1 - d^\perp_1\}. \]
Our first result is a strict improvement to Theorem 18.

Theorem 21. Let $(F_i)_{i=1}^\infty$ be an optimal tower of function fields over $\mathbb{F}_q$. Consider $R, \rho$ with $1/A(q) \le R \le 1$ and
$$\frac{q}{q-1}\,\frac{1}{A(q)} - \frac{1}{q-1}\,R \le \rho \le R.$$
Let $(C_i)_{i=1}^\infty$ be an optimal sequence of one-point algebraic geometric codes defined from $(F_i)_{i=1}^\infty$ such that $\dim(C_i)/n_i \to R$. There exists a sequence of positive integers $(m_i)_{i=1}^\infty$ such that $m_i/n_i \to \rho$ and $d_{m_i}(C_i)/n_i \to \delta = 1 - R + \rho$.

Proof. In this proof we use the notation $k_i = \dim(C_i)$. Let $f : \mathbb{N} \to \mathbb{N}$ be a function such that $f(i) \to \infty$ and $f(i)/n_i \to 0$, as $i \to \infty$. Now fix $i$. The Goppa bound (Theorem 10) together with Lemma 19 tell us that
$$d_{f(i)}(C_i^\perp) \ge \frac{q^{f(i)} - 1}{q^{f(i)} - q^{f(i)-1}}\,\bigl(k_i - g(F_i)\bigr).$$
Write $h(i)$ for the right-hand side, that is, $d_{f(i)}(C_i^\perp) \ge \lceil h(i) \rceil$. Observe that $h(i) > 0$, since $k_i > g(F_i)$. If we write $d_s^\perp = d_s(C_i^\perp)$ for $1 \le s \le n_i - k_i$, we have that $n_i + 1 - \lceil h(i)\rceil \ge n_i + 1 - d^\perp_{f(i)}$. From this inequality and the monotonicity of GHWs, it follows that the sets
$$\{n_i + 1 - \lceil h(i)\rceil,\ n_i + 2 - \lceil h(i)\rceil,\ n_i + 3 - \lceil h(i)\rceil,\ \dots,\ n_i\}$$
and
$$\{n_i + 1 - d^\perp_{n_i - k_i},\ n_i + 1 - d^\perp_{n_i - k_i - 1},\ \dots,\ n_i + 1 - d^\perp_{f(i)+1}\}$$
are disjoint. Therefore, from Lemma 20 it follows that
$$d_{k_i - \lceil h(i)\rceil + f(i)}(C_i) \ge n_i + 1 - \lceil h(i)\rceil. \tag{22}$$
Now take a sequence of positive integers $(m_i)_{i=1}^\infty$ such that
$$k_i - \lceil h(i)\rceil + f(i) \le m_i \le k_i \tag{23}$$
(observe that the left-hand side is smaller than $k_i$ for large $i$). It follows from (22), (23) and the monotonicity of GHWs that
$$d_{m_i}(C_i) \ge d_{k_i - \lceil h(i)\rceil + f(i)}(C_i) + m_i - k_i + \lceil h(i)\rceil - f(i) \ge n_i - k_i + m_i - f(i) + 1. \tag{24}$$
Dividing by $n_i$ and letting $i \to \infty$, (23) becomes
$$\frac{q}{q-1}\,\frac{1}{A(q)} - \frac{1}{q-1}\,R \le \rho \le R,$$
and (24) becomes
$$\delta = \lim_{i\to\infty} \frac{d_{m_i}(C_i)}{n_i} = 1 - R + \rho,$$
and the result follows.

Using Lemma 19, we give the following result for lower values of $\rho$.

Theorem 22. Let $(F_i)_{i=1}^\infty$ be an optimal tower of function fields over $\mathbb{F}_q$. Consider $R, \rho$ with $0 \le \rho \le R \le 1$. Let $(C_i)_{i=1}^\infty$ be an optimal sequence of one-point algebraic geometric codes defined from $(F_i)_{i=1}^\infty$ such that $\dim(C_i)/n_i \to R$. For all sequences of positive integers $(m_i)_{i=1}^\infty$ with $m_i/n_i \to \rho$, the number $\delta = \liminf_{i\to\infty} d_{m_i}(C_i)/n_i$ satisfies
$$\delta \ge \frac{q}{q-1}\left(1 - R - \frac{1}{A(q)}\right) + \rho.$$

Proof. Let $0 < \varepsilon < 1$ be an arbitrary fixed number. From the Goppa bound (Theorem 10) and Lemma 19 we obtain that
$$\frac{d_{\lceil \varepsilon m_i\rceil}(C_i)}{n_i} \ge \frac{q^{\varepsilon m_i} - 1}{q^{\varepsilon m_i} - q^{\varepsilon m_i - 1}}\left(1 - \frac{g_i}{n_i} - \frac{\dim(C_i)}{n_i}\right).$$
Using again the monotonicity of GHWs we obtain that
$$\frac{d_{m_i}(C_i)}{n_i} \ge \frac{q^{\varepsilon m_i} - 1}{q^{\varepsilon m_i} - q^{\varepsilon m_i - 1}}\left(1 - \frac{g_i}{n_i} - \frac{\dim(C_i)}{n_i}\right) + \frac{m_i(1 - \varepsilon)}{n_i}. \tag{25}$$
Now, letting $i \to \infty$ in (25) first and then letting $\varepsilon \to 0$, we conclude that
$$\delta = \liminf_{i\to\infty} \frac{d_{m_i}(C_i)}{n_i} \ge \frac{q}{q-1}\left(1 - R - \frac{1}{A(q)}\right) + \rho.$$

In the following we concentrate on Garcia and Stichtenoth's second tower [15] of function fields $(F_i)_{i=1}^\infty$ over $\mathbb{F}_q$, where $q$ is an arbitrary perfect square. This tower has the advantage that for a known corresponding sequence of rational places there is a simple formula for the conductors of the corresponding Weierstrass semigroups. Actually, a complete and simple description of the mentioned Weierstrass semigroups was given in [23]. Furthermore, it was shown in [26, 25] how to efficiently construct the corresponding asymptotically good one-point algebraic geometric codes. As our aim is to present concrete constructions of asymptotically good sequences of secret sharing schemes, as opposed to the non-constructive existence results of Section 3, this tower suits our purpose well. We will apply the two new bounds on GHWs given in Proposition 14 and Proposition 15 to this tower.

In the rest of this section, $q$ is always a perfect square and by $(F_i)_{i=1}^\infty$ we mean Garcia and Stichtenoth's second tower [15]. We will need the following properties of each $F_i$ (see [15] and [23] for more details): its number of rational places satisfies $N(F_i) > q^{(i-1)/2}(q - \sqrt{q})$, its genus is given by
$$g(F_i) = \begin{cases} (q^{i/4} - 1)^2 & \text{if } i \text{ is even},\\ (q^{(i-1)/4} - 1)(q^{(i+1)/4} - 1) & \text{if } i \text{ is odd}, \end{cases}$$
and it has a rational place $Q_i$ such that the conductor of $H(Q_i)$ is given by
$$c_i = \begin{cases} q^{i/2} - q^{i/4} & \text{if } i \text{ is even},\\ q^{i/2} - q^{(i+1)/4} & \text{if } i \text{ is odd}. \end{cases}$$
In the rest of the section, $(C_i)_{i=1}^\infty$ is an optimal sequence of one-point algebraic geometric codes defined from $(F_i)_{i=1}^\infty$, $C_i$ being of the form $C_L(D_i, \mu_i Q_i)$ or $C_L(D_i, \mu_i Q_i)^\perp$. Recall from [26, 25] that we may assume without loss of generality that $D_i$ is chosen in such a way that $C_i$ can be constructed using $O(n_i^3 \log_q^3(n_i))$ operations in $\mathbb{F}_q$.

Theorem 23. Let $(F_i)_{i=1}^\infty$ be Garcia-Stichtenoth's second tower of function fields over $\mathbb{F}_q$, where $q$ is a perfect square. Let $(C_i)_{i=1}^\infty$ be a corresponding optimal sequence of one-point algebraic geometric codes as described above. Consider $R, \rho$ with $0 \le R \le 1 - \frac{1}{\sqrt{q}-1}$ and $0 \le \rho \le \min\{R, \frac{1}{\sqrt{q}-1}\}$, and assume that $\dim(C_i)/n_i \to R$. For all sequences of positive integers $(m_i)_{i=1}^\infty$ with $m_i/n_i \to \rho$, it holds that $\delta = \liminf_{i\to\infty} d_{m_i}(C_i)/n_i$ satisfies
$$\delta \ge 1 - R + 2\rho - \frac{1}{\sqrt{q}-1}. \tag{26}$$
Proof. We may assume that $C_i$ is of the form $C_L(D_i, \mu_i Q_i)$ or $C_L(D_i, \mu_i Q_i)^\perp$, with $2g(F_i) - 2 < \mu_i < n_i$ and $(\mu_i - g(F_i))/n_i \to R$. As
$$\lim_{i\to\infty} c_i/n_i = \lim_{i\to\infty} g(F_i)/n_i = \frac{1}{\sqrt{q}-1},$$
the result follows from Proposition 14 or Proposition 15.

We next use Wei's duality theorem (Lemma 20) to improve the previous result.

Theorem 24. Let $(F_i)_{i=1}^\infty$ be Garcia-Stichtenoth's second tower of function fields over $\mathbb{F}_q$, where $q$ is a perfect square. Let $(C_i)_{i=1}^\infty$ be a corresponding optimal sequence of one-point algebraic geometric codes as described prior to Theorem 23. Consider $R, \rho, V$ with $0 \le R \le 1 - \frac{1}{\sqrt{q}-1}$, $0 \le V \le \frac{1}{\sqrt{q}-1}$ and $\max\{0, \frac{1}{\sqrt{q}-1} - 2V\} \le \rho \le R$, and assume that $\dim(C_i)/n_i \to R$. There exists a sequence of positive integers $(m_i)_{i=1}^\infty$ such that $m_i/n_i \to \rho$ and $\delta = \liminf_{i\to\infty} d_{m_i}(C_i)/n_i$ satisfies
$$\delta \ge 1 - R + \rho - V.$$

Proof. Let $f : \mathbb{N} \to \mathbb{N}$ be a function such that $f(i) \le k_i = \dim(C_i)$, for all $i$, and $f(i)/n_i \to V$. Now fix $i$. From Proposition 14 or Proposition 15, we have that
$$d_{f(i)}(C_i^\perp) \ge k_i + 2f(i) - c_i.$$
Write $r(i)$ for the right-hand side, which may be assumed to be non-negative for large enough $i$ (since $R \ge \frac{1}{\sqrt{q}-1} - 2V$), and write $d_s^\perp = d_s(C_i^\perp)$ for $1 \le s \le n_i - k_i$. Therefore, the set
$$\{n_i - r(i) + 1,\ n_i - r(i) + 2,\ \dots,\ n_i\} \cap \{n_i + 1 - d^\perp_{n_i-k_i},\ n_i + 1 - d^\perp_{n_i-k_i-1},\ \dots,\ n_i + 1 - d^\perp_{f(i)+1}\}$$
contains at most $f(i)$ elements. From Lemma 20, we conclude that $d_{m_i}(C_i) \ge n_i - k_i + m_i - f(i)$, if $m_i \ge k_i - r(i) = c_i - 2f(i)$. Take such a sequence $(m_i)_{i=1}^\infty$. Dividing by $n_i$ and letting $i \to \infty$, we obtain the result.
We observe that Theorem 24 simplifies to the last bound in Theorem 18 when $V = 0$, and improves the first bound in the same theorem when $2V = 1/(\sqrt{q} - 1)$.

We conclude the section by discussing a recent bound that was derived in [5] for generalized Hamming weights of arbitrary one-point algebraic geometric codes $C_L(D, \mu Q)^\perp$. Combining [5, Corollary 2 and (12)] we obtain, for any $u > 1$ and the codes we are considering,
$$d_{m_i}(C_i^\perp) \ge \dim(C_i) + 2 - g_i + \min\left\{ m_i - 2 + \left\lceil \frac{(u-1)\,n_u^{(i)}}{u} \right\rceil,\ m_i - 1 + \left\lceil \frac{m_i}{u-1} \right\rceil \right\},$$
where $n_u^{(i)} = q^{\frac{1}{2}\left\lfloor \frac{1}{2}\left(i + 1 - \log_q(u+1)\right)\right\rfloor} - 1$ and where $n_i = q^{\frac{i+1}{2}} - q^{\frac{i}{2}}$ is the code length. We see that the method of [5] asymptotically produces nothing more than the first bound in Theorem 18 when applied to the codes of Garcia and Stichtenoth's second tower.
6 Comparison of the obtained parameters
The goal of this section is to compare the parameters obtained in the theorems in the previous section. In all of them, we have the following parameters: the asymptotic rate $R$, the value $\rho = \lim_{i\to\infty} m_i/n_i$, and the corresponding limit of generalized Hamming weights $\delta$. Since the overlap between Theorem 21 and Theorem 22 is clear, we will assume that $q$ is a perfect square in this section.

We first briefly comment on the bound in Theorem 23. Its main feature is that it is of the form $\delta \ge U + 2\rho$, where $U = 1 - R - \frac{1}{\sqrt{q}-1}$ and $U + \rho$ is the asymptotic Goppa bound together with monotonicity, and $U$ does not depend on $\rho$. On the other hand, when $\rho = \frac{1}{\sqrt{q}-1}$, then $U + 2\rho = 1 - R + \rho$ and the Singleton bound is reached. Thus, this bound increases additively with $\rho$ from the Goppa bound to the Singleton bound. This means that, for every bound of the form $\delta \ge A + \rho$, where $A$ does not depend on $\rho$, we have that $A < 1 - R$ and there will always be a nonempty interval $\rho \in (a, b) \subset [0, \frac{1}{\sqrt{q}-1}]$ such that $A + \rho < U + 2\rho$. The optimal choices of $a$ and $b$ in such case would be $a = \max\{0, A - U\}$ and $b = \frac{1}{\sqrt{q}-1}$.
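As an added worked example (not part of the paper), the following Python code evaluates the asymptotic bounds of Theorems 18, 22, 23 and 24 for a chosen $(q, R, \rho)$, together with the tower data $g(F_i)$, $c_i$, $n_i$ of Garcia-Stichtenoth's second tower, so that the comparison above can be checked numerically; it assumes $A(q) = \sqrt{q} - 1$ for a perfect square $q$ and, in Theorem 24, takes the smallest admissible $V$.

```python
# Added example, not from the paper: asymptotic lower bounds on
# delta = liminf d_{m_i}(C_i)/n_i from Theorems 18, 22, 23 (every sequence with
# m_i/n_i -> rho) and 24 (existence of one sequence), plus g(F_i), c_i, n_i of
# Garcia-Stichtenoth's second tower. Assumes A(q) = sqrt(q) - 1 for square q.
from fractions import Fraction
from math import isqrt

def inv_A(q):
    s = isqrt(q)
    assert s * s == q, "q must be a perfect square"
    return Fraction(1, s - 1)

def thm18(q, R, rho):
    # delta >= 1 - R + rho - 1/A(q); delta = 1 - R + rho once rho > 1/A(q)
    a = inv_A(q)
    return 1 - R + rho if rho > a else 1 - R + rho - a

def thm22(q, R, rho):
    # delta >= q/(q-1) (1 - R - 1/A(q)) + rho
    return Fraction(q, q - 1) * (1 - R - inv_A(q)) + rho

def thm23(q, R, rho):
    # needs R <= 1 - 1/A(q), rho <= min(R, 1/A(q)): delta >= 1 - R + 2rho - 1/A(q)
    a = inv_A(q)
    if not (0 <= rho <= min(R, a) and R <= 1 - a):
        return None
    return 1 - R + 2 * rho - a

def thm24(q, R, rho):
    # existence bound 1 - R + rho - V with smallest admissible V = max(0, (1/A(q) - rho)/2)
    a = inv_A(q)
    if not (0 <= rho <= R <= 1 - a):
        return None
    return 1 - R + rho - max(Fraction(0), (a - rho) / 2)

def best_for_all_sequences(q, R, rho):
    # strongest bound holding for every sequence (m_i): max of Theorems 18, 22, 23
    return max(b for b in (thm18(q, R, rho), thm22(q, R, rho), thm23(q, R, rho)) if b is not None)

def gs_tower(q, i):
    # (g(F_i), c_i, n_i) at level i, with s = sqrt(q) so that all are integers
    s = isqrt(q)
    if i % 2 == 0:
        return (s ** (i // 2) - 1) ** 2, s ** i - s ** (i // 2), s ** (i + 1) - s ** i
    lo, hi = s ** ((i - 1) // 2), s ** ((i + 1) // 2)
    return (lo - 1) * (hi - 1), s ** i - hi, s ** (i + 1) - s ** i

if __name__ == "__main__":
    q, R, rho = 16, Fraction(1, 2), Fraction(1, 5)       # 1/A(16) = 1/3
    print(thm18(q, R, rho), thm22(q, R, rho), thm23(q, R, rho), thm24(q, R, rho))
    print([gs_tower(q, i) for i in (2, 3, 10)])          # g(F_i)/n_i -> 1/3
```

For $q = 16$, $R = 1/2$, $\rho = 1/5$ the bounds valid for every sequence are $11/30$, $17/45$ and $17/30$, so Theorem 23 is the strongest there, while Theorem 24 guarantees a sequence reaching $19/30$.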
Next, in the following two propositions, we state when the bounds in Theorem 23 and Theorem 24 are not implied by the previous ones. We omit the proofs, which are straightforward computations.

Proposition 25. Assume that $q$ is a perfect square and the parameters $R$ and $\rho$ satisfy the conditions in Theorems 21, 22 and 23. Then, the bound on $\delta$ in Theorem 23 is not implied by the bounds in Theorems 21 and 22 if, and only if,
1 1 1 1 q − R. 1−R− √