Multiple Ramp Schemes

Alfredo De Santis and Barbara Masucci

Abstract

A $(t, k, n, S)$ ramp scheme is a protocol to distribute a secret $s$ chosen in $S$ among a set $\mathcal{P}$ of $n$ participants in such a way that: 1) sets of participants of cardinality greater than or equal to $k$ can reconstruct the secret $s$; 2) sets of participants of cardinality less than or equal to $t$ have no information on $s$, whereas 3) sets of participants of cardinality greater than $t$ and less than $k$ might have "some" information on $s$. In this correspondence we analyze multiple ramp schemes, which are protocols to share many secrets among a set $\mathcal{P}$ of participants, using different ramp schemes. In particular we prove a tight lower bound on the size of the shares held by each participant and on the dealer's randomness in multiple ramp schemes.

Index terms: Cryptography, Data Security, Secret Sharing Schemes, Ramp Schemes, Randomness.

1 Introduction

Secret Sharing Schemes

Authors' address: Dipartimento di Informatica ed Applicazioni, Universita di Salerno, 84081 Baronissi (SA), Italy. E-mail: {ads, masucci}@dia.unisa.it

A secret sharing scheme is a technique to share a secret among a set $\mathcal{P}$ of participants in such a way that only qualified subsets of participants, pooling together their information, can reconstruct the secret, whereas subsets of participants that are not enabled to recover the secret have no information on it. Secret sharing schemes were introduced by Shamir [21] and Blakley [1]. They analyzed the case when only subsets of $\mathcal{P}$ of cardinality at least $k$, for a fixed integer $k \le |\mathcal{P}|$, can reconstruct the secret. These schemes are called $(k, n)$ threshold schemes, where $n = |\mathcal{P}|$. Subsequently, Ito, Saito, and Nishizeki [13] and Benaloh and Leichter [2] described a more general method of secret sharing. They showed how to realize a secret sharing scheme for any access structure, where the access structure is the family of all subsets of participants that are able to reconstruct the secret. The survey by Stinson [23] contains a unified description of results in the area of secret sharing

schemes. The reader can also profitably see the book [25]; for an updated bibliography on secret sharing schemes we refer the reader to [24]. The problem of establishing bounds on the size of the shares to be given to participants in secret sharing schemes is one of the basic problems in the area and has received considerable attention from several researchers. The practical relevance of this issue is based on the following observations. Firstly, the security of any system tends to degrade as the amount of information that must be kept secret, i.e., the shares of the participants, increases. Secondly, if the shares given to participants are too long, the memory requirements for the participants will be too severe and, at the same time, the share distribution algorithms will become inefficient. Therefore, it is important to derive significant upper and lower bounds on the information distributed to participants. The problem of estimating the amount of random bits necessary to set up the schemes has also received considerable attention. This is due to the fact that the amount of randomness needed by an algorithm is to be considered a computational resource, analogously to the amount of time and space needed. The quantitative study of the number of random bits needed by secret sharing schemes was initiated in [8], where the optimality of several secret sharing schemes according to this measure was proved. Some other results on this topic can be found in [6, 9].

There are several situations in which more than one secret is to be shared among participants. As an example, consider the following situation, described by Simmons [22]: there is a missile battery and not all of the missiles have the same launch enable code. The problem is to devise a scheme which will allow any one, or any selected subset, of the launch enable codes to be activated in this scheme. What is needed is an algorithm such that the same pieces of private information can be used to recover different secrets. This problem could be trivially solved by realizing different secret sharing schemes, one for each of the launch enable codes, but in this case each participant would have to remember too much information. Another scenario in which the sharing of many secrets is important was considered by Franklin and Yung [12]. They investigated the communication complexity of unconditionally secure multi-party computation and its relations with various fault-tolerant models. They presented a general technique for parallelizing non-cryptographic computation protocols, at a small cost in fault-tolerance. Their technique replaces polynomial-based (single) secret sharing with a technique allowing multiple secrets to be hidden in a single polynomial. The technique applies to all of the protocols for secure computation which use polynomial-based threshold schemes and applies to all fault-tolerant models. The problem of sharing more than one secret was also considered in [4, 5, 7, 14, 16, 17, 18].

Ramp Schemes

There are several practical situations in which it is not possible to give participants all the secret information required to preserve perfect security; in such situations one can trade some degradation in the security for a certain amount of data compression (see [20]). Blakley and Meadows [3] were the first authors to define schemes useful in such situations, called ramp schemes. Ramp schemes are useful in protocols for secure computation in fault-tolerant models. In fact the protocol proposed by Franklin and Yung [12] can be viewed as a ramp scheme. Another example of ramp schemes can be found in [19, 20]. More precisely, the authors of [20] considered the problem of sharing a secret by giving participants shares of size strictly smaller than the size of the secret. This requirement directly implies that absolute security is not possible, that is, sets of participants not enabled to reconstruct the secret could still gain some information on it. Blundo, De Santis and Vaccaro [7, 8] proved a tight lower bound on the size of the shares and on the dealer's randomness in ramp schemes. In this paper we formally define multiple ramp schemes, to share many secrets among a set of participants, by using the entropy approach, as done in [4] to analyze usual multi-secret sharing schemes. We prove a tight lower bound on the size of the shares held by each participant and on the dealer's randomness in multiple ramp schemes. A simple method to realize a multiple ramp scheme is the following, which we call basic multiple ramp scheme. We use many different and independent single ramp schemes, one for each of the secrets, and we distribute to each participant a share from each scheme. We show that, if each scheme in a basic multiple ramp scheme is optimal both with respect to the information given to each participant and with respect to the number of random bits used, then the basic multiple ramp scheme is optimal with respect to both measures, too.

Organization

The paper is organized as follows. In Section 2 we formally define multiple ramp schemes. In Section 3 we present some results that will be useful to prove our bounds. In Section 4 we prove a tight lower bound on the size of the shares distributed to each participant in multiple ramp schemes. In Section 5 we prove a tight lower bound on the dealer's randomness in multiple ramp schemes.

2 The Model

A $(t, k, n, S)$ ramp scheme is a protocol to distribute a secret $s$ chosen in $S$ among a set $\mathcal{P}$ of $n$ participants in such a way that: 1) sets of participants of cardinality greater than or equal to $k$ can reconstruct the secret $s$; 2) sets of participants of cardinality less than or equal to $t$ have no information on $s$, whereas 3) sets of participants of cardinality greater than $t$ and less than $k$ might have "some" information on $s$. In this section we consider the case in which we want to share many secrets among a set $\mathcal{P}$ of $n$ participants, using different ramp schemes.

Let $\mathcal{P} = \{P_1, \ldots, P_n\}$ be the set of participants. Let $\mathcal{S}_C = S_1 \times \cdots \times S_\ell$ be the set where the secrets are chosen from and let $\{Pr_{\mathcal{S}_C}(s_1, \ldots, s_\ell)\}_{(s_1, \ldots, s_\ell) \in \mathcal{S}_C}$ be a probability distribution on $\mathcal{S}_C$. Let a multiple ramp scheme for secrets in $\mathcal{S}_C$ be fixed. For any participant $P \in \mathcal{P}$, let us denote by $C(P)$ the set of all possible shares given to participant $P$. Suppose a dealer $D$ wants to share the secrets $(s_1, \ldots, s_\ell) \in \mathcal{S}_C$ among the participants in $\mathcal{P}$ (we will assume that $D \notin \mathcal{P}$). He does this by giving each participant $P \in \mathcal{P}$ a share from $C(P)$ chosen according to some, not necessarily uniform, probability distribution. Given a set of participants $A = \{P_{i_1}, \ldots, P_{i_r}\} \subseteq \mathcal{P}$, where $i_1 < i_2 < \cdots < i_r$, let $C(A) = C(P_{i_1}) \times \cdots \times C(P_{i_r})$. Given a set of indices $R = \{i_1, \ldots, i_r\} \subseteq \{1, \ldots, \ell\}$, where $i_1 < i_2 < \cdots < i_r$, let $S_R = S_{i_1} \times \cdots \times S_{i_r}$. Any multiple ramp scheme for secrets in $\mathcal{S}_C$ and a probability distribution $\{Pr_{\mathcal{S}_C}(s_1, \ldots, s_\ell)\}_{(s_1, \ldots, s_\ell) \in \mathcal{S}_C}$ naturally induce probability distributions on $C(A)$ and on $S_R$, for any $A \subseteq \mathcal{P}$ and for any $R \subseteq \{1, \ldots, \ell\}$. Denote such probability distributions by $\{Pr_{C(A)}(a)\}_{a \in C(A)}$ and by $\{Pr_{S_R}(r)\}_{r \in S_R}$, respectively.

To avoid overburdening the notation, with the same symbol $A$ we will denote both a subset of participants and the random variable taking values on $C(A)$ according to the probability distribution $\{Pr_{C(A)}(a)\}_{a \in C(A)}$; likewise, with $S_R$ we will denote both the subset of secrets and the random variable taking values on $S_R$ according to the probability distribution $\{Pr_{S_R}(r)\}_{r \in S_R}$. For $j = 1, \ldots, \ell$, denote by $H(S_j)$ the entropy (for some basic properties of the entropy consult the Appendix) of $\{Pr_{S_j}(s_j)\}_{s_j \in S_j}$; for any $A \subseteq \mathcal{P}$, denote by $H(A)$ the entropy of $\{Pr_{C(A)}(a)\}_{a \in C(A)}$; and for any $R \subseteq \{1, \ldots, \ell\}$, denote by $H(S_R)$ the entropy of $\{Pr_{S_R}(r)\}_{r \in S_R}$. We formally define multiple ramp schemes by using the entropy function, as done in [4] to analyze usual multi-secret sharing schemes, mainly because this leads to a compact and simple description of the schemes and because the entropy approach takes into account all probability distributions on the secrets. A multiple ramp scheme is defined as follows.

Definition 2.1 (Multiple Ramp Scheme) A multiple ramp scheme $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$, where $t_j$ and $k_j$ are positive integers such that $1 \le t_j < k_j \le n$, is a sharing of the secrets $(s_1, \ldots, s_\ell) \in S_1 \times \cdots \times S_\ell$ among participants in $\mathcal{P}$ in such a way that, for $j = 1, \ldots, \ell$,

1. Any set of at least $k_j$ participants can recover $s_j$. Formally, for all $A \subseteq \mathcal{P}$ with $|A| \ge k_j$, it holds that $H(S_j | A) = 0$.

2. Any set of at most $t_j$ participants, even knowing an arbitrary set of secrets, has no more information on $s_j$ than that already conveyed by the known secrets. Formally, for all $A \subseteq \mathcal{P}$ with $|A| \le t_j$ and $R \subseteq \{S_1, \ldots, S_\ell\}$, it holds that $H(S_j | A R) = H(S_j | S_{I(A)} R)$, where $I(A) = \{i : |A| \ge k_i\}$.

Throughout this paper we assume, without loss of generality, that $t_1 \le t_2 \le \cdots \le t_\ell$. Notice that in this case, for any $A \subseteq \mathcal{P}$ such that $|A| \le t_j$, the set $I(A)$ will be equal to $I(A) = \{i < j : |A| \ge k_i\} \subseteq \{1, \ldots, j-1\}$. Notice that Property 1 means that each set of values of the shares in $C(A)$ corresponds to a unique value of the secret $s_j \in S_j$. In fact $H(S_j | A) = 0$ is equivalent to the fact that for all $a \in C(A)$ with $Pr(A = a) > 0$ a unique $s_j \in S_j$ exists such that $Pr(S_j = s_j | A = a) = 1$. Moreover, Property 2 is equivalent to stating that for all $a \in C(A)$ and for all $r \in S_R$, it holds that $Pr(S_j = s_j | A = a, R = r) = Pr(S_j = s_j | S_{I(A)} = s, R = r)$. Therefore, the probability that a secret is equal to $s_j$, given that the shares held by $A$, enabling it to recover the set of secrets $s$, are equal to $a$ and the subset of secrets $A$ knows is equal to $r$, is the same as the probability of the secret $s_j$, given the sets of secrets $s$ and $r$.

The scheme introduced by Franklin and Yung in [12] can be viewed as a multiple ramp scheme $(\{t, k, n, S_j\}_{j=1,\ldots,\ell})$, to distribute $\ell$ secrets among $n$ participants in such a way that: 1) any subset of at least $k$ participants can recover all the secrets; 2) any subset of at most $t$ participants cannot deduce anything about the secrets. Franklin and Yung gave a construction of such a scheme with $t = k - \ell$, by generalizing Shamir's scheme [21]. Their construction is the following. Let $s_1, \ldots, s_\ell$ be $\ell$ secrets each belonging to $GF(2^q)$, where $n + \ell < 2^q$. To set up the scheme the dealer independently and uniformly chooses $t = k - \ell$ elements $a_1, \ldots, a_t$ in $GF(2^q)$ and constructs the polynomial
$$f(y) = s_1 + s_2 y + s_3 y^2 + \cdots + s_\ell y^{\ell-1} + a_1 y^{\ell} + \cdots + a_t y^{k-1}.$$
The share distributed to the $i$-th participant is equal to $f(i)$. It is easy to see that any $k$ participants can interpolate their shares to recover $f(y)$, and hence recover all the $\ell$ secrets, whereas any $t = k - \ell$ participants have no information on the $\ell$ secrets. Notice that such a multiple ramp scheme can be viewed as a $(t, k, n, S)$ ramp scheme, by considering all the $\ell$ secrets as a unique "super-secret". In this scheme the total information given to participants is equal to $nq = \frac{n}{k-t} q\ell$ bits, and the total number of random bits used is equal to $kq$. The choice of the secrets $s_1, \ldots, s_\ell$ requires $q\ell$ bits, while the remaining $tq = \frac{t}{k-t} q\ell$ bits are used by the dealer to set up the scheme, that is, to choose the coefficients $a_1, \ldots, a_t \in GF(2^q)$. Thus, given the secrets, the dealer uses $tq$ bits of randomness.

A simple method to realize a multiple ramp scheme using Franklin and Yung's construction is the following, which we call basic multiple ramp scheme. We use $\ell$ different and independent single ramp schemes, one for each secret, and we distribute to each participant a share from each scheme. In this scheme the total information given to participants is equal to
$$n \sum_{j=1}^{\ell} \frac{H(S_j)}{k_j - t_j}.$$
The number of random bits needed by the dealer to set up the scheme, that is, the number of random bits he uses to generate the shares, is equal to
$$\sum_{j=1}^{\ell} \frac{t_j}{k_j - t_j} H(S_j).$$
We prove that, if the secrets are statistically independent, these quantities are the best possible: that is, the protocol consisting of realizing different ramp schemes, one for each secret, is optimal both with respect to the size of the shares given to participants and with respect to the number of random bits used.
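The Franklin and Yung construction above, as an added worked example in Python (my code, not the paper's or Franklin and Yung's): $\ell = 3$ secrets are shared with $k = 5$, so $t = k - \ell = 2$, any $k$ shares recover every secret by solving the Vandermonde system, and a set of exactly $t$ shares is shown to be consistent with every candidate secret vector, which is what "no information" means for those $t$ participants. The field $GF(2^8)$ with reduction polynomial 0x11B, the evaluation points $1, \ldots, n$ and all function names are my choices.

```python
# Added example (not the paper's code): Franklin-Yung multiple ramp scheme over GF(2^8).
import secrets as _rng  # CSPRNG for the dealer's random coefficients a_1..a_t

Q = 8           # constructed choice: q = 8, so every share and secret is one byte
POLY = 0x11B    # x^8 + x^4 + x^3 + x + 1, irreducible over GF(2): defines GF(2^8)

def gf_mul(a, b):
    """Multiply in GF(2^8): carry-less multiply, reducing by POLY on each shift."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r

def gf_inv(a):
    """Inverse by Fermat: a^(2^8 - 2) = a^254. Zero has no inverse."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def poly_eval(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1] x + ... + coeffs[-1] x^(len-1)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def gf_solve(rows):
    """Gauss-Jordan over GF(2^8) on an m x (m+1) augmented matrix (XOR is + and -)."""
    m = len(rows)
    rows = [list(r) for r in rows]
    for col in range(m):
        pivot = next((r for r in range(col, m) if rows[r][col]), None)
        if pivot is None:
            raise ValueError("singular system")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = gf_inv(rows[col][col])
        rows[col] = [gf_mul(inv, v) for v in rows[col]]
        for r in range(m):
            if r != col and rows[r][col]:
                f = rows[r][col]
                rows[r] = [u ^ gf_mul(f, v) for u, v in zip(rows[r], rows[col])]
    return [rows[i][m] for i in range(m)]

def vandermonde_row(x, k):
    row = [1]                      # [1, x, x^2, ..., x^(k-1)]
    for _ in range(k - 1):
        row.append(gf_mul(row[-1], x))
    return row

def share(secret_list, k, n):
    """Dealer: f(y) = s_1 + s_2 y + ... + s_l y^(l-1) + a_1 y^l + ... + a_t y^(k-1),
    t = k - l uniformly random coefficients; participant i (i = 1..n) receives f(i)."""
    l = len(secret_list)
    t = k - l
    if t < 1 or k > n or n + l >= 2 ** Q:
        raise ValueError("need 1 <= t = k - l, k <= n and n + l < 2^q")
    coeffs = list(secret_list) + [_rng.randbelow(2 ** Q) for _ in range(t)]
    # y = 0 is never an evaluation point: f(0) = s_1 would hand out the first secret.
    return {i: poly_eval(coeffs, i) for i in range(1, n + 1)}

def reconstruct(shares, k, l):
    """Any k participants solve the k x k Vandermonde system and read off all l secrets."""
    if len(shares) < k:
        raise ValueError(f"need {k} shares, got {len(shares)}")
    rows = [vandermonde_row(x, k) + [y] for x, y in list(shares.items())[:k]]
    return gf_solve(rows)[:l]

def consistent_with(shares, candidate, k):
    """With exactly t = k - l shares: is there SOME a_1..a_t under which the candidate
    secrets agree with them? True for every candidate is what 'no information' means."""
    l = len(candidate)
    if len(shares) != k - l:
        raise ValueError("pass exactly t = k - l shares")
    rows = []
    for x, y in shares.items():
        # unknowns are a_1..a_t (coefficients of y^l..y^(k-1)); known part goes right
        rows.append(vandermonde_row(x, k)[l:] + [y ^ poly_eval(candidate, x)])
    try:
        a = gf_solve(rows)
    except ValueError:
        return False
    return all(poly_eval(list(candidate) + a, x) == y for x, y in shares.items())
```

With $q = 8$ each participant holds one byte for $\ell = 3$ bytes of secrets, which is exactly the $nq = \frac{n}{k-t} q\ell$ total of the text since $k - t = \ell$.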

Lemma 2.2 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme, and let $W \subseteq \mathcal{P}$ be such that $|W| \le t_j$. Then, it holds that
$$H(S_j \ldots S_\ell | W S_1 \ldots S_{j-1}) = H(S_j \ldots S_\ell | S_1 \ldots S_{j-1}).$$

Proof. We have that
$$\begin{aligned}
H(S_j \ldots S_\ell | W S_1 \ldots S_{j-1}) &= \sum_{i=j}^{\ell} H(S_i | S_1 \ldots S_{j-1} S_j \ldots S_{i-1} W) && \text{(from (11) of Appendix)}\\
&= \sum_{i=j}^{\ell} H(S_i | S_1 \ldots S_{j-1} S_j \ldots S_{i-1} S_{I(W)}) && \text{(from 2. of Definition 2.1)}\\
&= \sum_{i=j}^{\ell} H(S_i | S_1 \ldots S_{j-1} S_j \ldots S_{i-1}) && \text{(since } I(W) \subseteq \{1, \ldots, j-1\})\\
&= H(S_j \ldots S_\ell | S_1 \ldots S_{j-1}) && \text{(from (10) of Appendix)}.
\end{aligned}$$
Thus, the lemma holds.

3 Useful Lemmas

In this section we present some results that will be useful to prove our bounds.

Definition 3.1 ($\Gamma$ notation) Let $\mathcal{P}$ be a family of $n$ random variables and let $k \le n$ be a positive integer. We denote with $\Gamma(k, \mathcal{P})$ the set of all $k$-element families of $\mathcal{P}$. Let $K = P_{i_1} \ldots P_{i_k} \in \Gamma(k, \mathcal{P})$, where $1 \le i_1 < \cdots < i_k \le n$. We denote with $H(K)$ the entropy of the $k$ distinct variables of $\mathcal{P}$, that is $H(K) = H(P_{i_1} \ldots P_{i_k})$.

Lemma 3.2 Let $a, b, c$ be positive integers with $a \le b \le c$ and let $\mathcal{C}$ be a family of $c$ random variables. Then, it holds that
$$\sum_{B \in \Gamma(b, \mathcal{C})} \sum_{A \in \Gamma(a, B)} H(A) = \binom{c-a}{b-a} \sum_{A \in \Gamma(a, \mathcal{C})} H(A).$$

Proof. It is easy to see that a fixed set $A \in \Gamma(a, \mathcal{C})$ appears exactly $\binom{c-a}{b-a}$ times in the double sum on the left hand side. Thus, the lemma holds.

Lemma 3.3 Let $a, b, c$ be positive integers such that $c > b$ and let $\mathcal{P}$ be a family of $n$ random variables such that $n \ge \max\{a, b, c\}$. Then, it holds that
$$\binom{n-a-b}{c-b} \sum_{B \in \Gamma(b, \mathcal{P})} \sum_{A \in \Gamma(a, \mathcal{P} - B)} H(A | B) \ge \binom{c}{b} \sum_{C \in \Gamma(c, \mathcal{P})} \sum_{A \in \Gamma(a, \mathcal{P} - C)} H(A | C).$$

Proof. Fix a set $C$ of $c$ random variables in $\mathcal{P}$ and a set $A$ of $a$ variables in $\mathcal{P} - C$. From (15) of Appendix we have that $H(A | B) \ge H(A | C)$ for any $B \subseteq C$. Summing up over $B \in \Gamma(b, C)$ we get
$$\sum_{B \in \Gamma(b, C)} H(A | B) \ge \binom{c}{b} H(A | C).$$
Summing up over $C \in \Gamma(c, \mathcal{P})$ and over $A \in \Gamma(a, \mathcal{P} - C)$ we obtain
$$\sum_{C \in \Gamma(c, \mathcal{P})} \sum_{A \in \Gamma(a, \mathcal{P} - C)} \sum_{B \in \Gamma(b, C)} H(A | B) \ge \binom{c}{b} \sum_{C \in \Gamma(c, \mathcal{P})} \sum_{A \in \Gamma(a, \mathcal{P} - C)} H(A | C). \qquad (1)$$
Notice that a fixed pair of sets $A, B$ appears exactly $\binom{n-a-b}{c-b}$ times in the triple sum on the left hand side, hence the left hand side triple sum of (1) is equal to
$$\binom{n-a-b}{c-b} \sum_{B \in \Gamma(b, \mathcal{P})} \sum_{A \in \Gamma(a, \mathcal{P} - B)} H(A | B).$$
Thus, the lemma holds.

Lemma 3.4 Let $A, B$ be two families of random variables and let $n, \ell$ be integers such that $|A| = n$ and $0 \le \ell \le n-1$. Then, it holds that
$$\binom{n-1}{\ell} H(A | B) \le \sum_{C \in \Gamma(n-\ell, A)} H(C | B).$$

Proof. For simplicity we prove the lemma without the variable $B$. The proof is trivial for $\ell = 0$, since both terms are equal to $H(A | B)$. The proof is by induction on $\ell \ge 1$. Assume $\ell = 1$ and let $\bar{X} \in A$ be a fixed variable in $A$. We have that
$$\begin{aligned}
\sum_{C \in \Gamma(n-1, A)} H(C) &= \sum_{X \in A} H(A - \{X\})\\
&= H(A - \{\bar{X}\}) + \sum_{X \in A - \{\bar{X}\}} H(A - \{X\})\\
&\ge \sum_{X \in A - \{\bar{X}\}} H(X | A - \{X\}) + \sum_{X \in A - \{\bar{X}\}} H(A - \{X\}) && \text{(from (11) and (15) of Appendix)}\\
&= \sum_{X \in A - \{\bar{X}\}} H(A) && \text{(from (10) of Appendix)}\\
&= (n-1) H(A).
\end{aligned}$$
Therefore the lemma is true for $\ell = 1$. Suppose the lemma true for $\ell - 1$, that is
$$\binom{n-1}{\ell-1} H(A) \le \sum_{D \in \Gamma(n-(\ell-1), A)} H(D). \qquad (2)$$
Applying the lemma to a family $D$ with $\ell = 1$ we get
$$H(D) \le \frac{1}{|D| - 1} \sum_{C \in \Gamma(|D|-1, D)} H(C).$$
Therefore, by the inductive hypothesis and from (2), we obtain
$$\begin{aligned}
\binom{n-1}{\ell-1} H(A) &\le \frac{1}{n-\ell} \sum_{D \in \Gamma(n-(\ell-1), A)} \sum_{C \in \Gamma(n-\ell, D)} H(C)\\
&= \frac{\ell}{n-\ell} \sum_{C \in \Gamma(n-\ell, A)} H(C) && \text{(from Lemma 3.2)}.
\end{aligned}$$
Since $\binom{n-1}{\ell-1} \frac{n-\ell}{\ell} = \binom{n-1}{\ell}$, we have that
$$\binom{n-1}{\ell} H(A) \le \sum_{C \in \Gamma(n-\ell, A)} H(C).$$
Thus, the lemma holds.

Lemma 3.5 Let $A, B$ be families of random variables and let $n, \ell$ be integers such that $|A| = n$ and $0 \le \ell \le n-1$. Then, it holds that
$$\binom{n-1}{\ell} H(A | B) \ge \sum_{C \in \Gamma(n-\ell, A)} H(C | A - C, B).$$

Proof. For simplicity we prove the lemma without the variable $B$. The proof is trivial for $\ell = 0$, since both terms are equal to $H(A | B)$. The proof is by induction on $\ell \ge 1$. Assume $\ell = 1$ and let $\bar{X}$ be a fixed variable of $A$. We have that
$$\begin{aligned}
(n-1) H(A) &= \sum_{X \in A - \{\bar{X}\}} H(A)\\
&= \sum_{X \in A - \{\bar{X}\}} H(X) + \sum_{X \in A - \{\bar{X}\}} H(A - \{X\} | X)\\
&\ge H(A - \{\bar{X}\}) + \sum_{X \in A - \{\bar{X}\}} H(A - \{X\} | X) && \text{(from (16) of Appendix)}\\
&\ge H(A - \{\bar{X}\} | \bar{X}) + \sum_{X \in A - \{\bar{X}\}} H(A - \{X\} | X) && \text{(from (13) of Appendix)}\\
&= \sum_{X \in A} H(A - \{X\} | X)\\
&= \sum_{C \in \Gamma(n-1, A)} H(C | A - C).
\end{aligned}$$
Therefore the lemma is true for $\ell = 1$. Suppose the lemma true for $\ell - 1$, that is
$$\binom{n-1}{\ell-1} H(A) \ge \sum_{D \in \Gamma(n-(\ell-1), A)} H(D | A - D). \qquad (3)$$
Applying the lemma to a set $D$ with $\ell = 1$ we get
$$H(D | A - D) \ge \frac{1}{|D| - 1} \sum_{C \in \Gamma(|D|-1, D)} H(C | A - C).$$
Therefore, by the inductive hypothesis and from (3) we obtain
$$\begin{aligned}
\binom{n-1}{\ell-1} H(A) &\ge \frac{1}{n-\ell} \sum_{D \in \Gamma(n-(\ell-1), A)} \sum_{C \in \Gamma(n-\ell, D)} H(C | A - C)\\
&= \frac{\ell}{n-\ell} \sum_{C \in \Gamma(n-\ell, A)} H(C | A - C) && \text{(from Lemma 3.2)}.
\end{aligned}$$
Since $\binom{n-1}{\ell-1} \frac{n-\ell}{\ell} = \binom{n-1}{\ell}$, we have that
$$\binom{n-1}{\ell} H(A) \ge \sum_{C \in \Gamma(n-\ell, A)} H(C | A - C).$$
Thus, the lemma holds.

4 A Lower Bound on the Size of the Shares

A share is the information distributed to each participant in the scheme, used to reconstruct the secret values. An important problem in the area of secret sharing schemes is to establish bounds on the size of the shares. In fact the security of a system degrades as the amount of information that must be kept secret grows. We measure the size of the shares by the logarithm of the size of the sets from which they are taken, that is, by the number of bits necessary for their representation. In this section we prove a tight lower bound on the size of the shares for multiple ramp schemes. This bound shows that the basic multiple ramp scheme, described in Section 2, is optimal with respect to the information given to each participant.

Lemma 4.1 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme, let $T_j \in \Gamma(t_j, \mathcal{P})$ and let $D_j \in \Gamma(k_j - t_j, \mathcal{P} - T_j)$, for $j = 1, \ldots, \ell$. Then, it holds that
$$H(D_j | T_j S_1 \ldots S_{j-1}) = H(S_j | S_1 \ldots S_{j-1}) + H(D_j | T_j S_1 \ldots S_j).$$

Proof. From (14) of Appendix we have that
$$\begin{aligned}
I(D_j; S_j | T_j S_1 \ldots S_{j-1}) &= H(D_j | T_j S_1 \ldots S_{j-1}) - H(D_j | T_j S_1 \ldots S_j)\\
&= H(S_j | T_j S_1 \ldots S_{j-1}) - H(S_j | T_j D_j S_1 \ldots S_{j-1}).
\end{aligned}$$
Since $|T_j \cup D_j| = k_j$, from 1. of Definition 2.1 we have that $H(S_j | T_j D_j S_1 \ldots S_{j-1}) = 0$. Moreover, from 2. of Definition 2.1 we get $H(S_j | T_j S_1 \ldots S_{j-1}) = H(S_j | S_{I(T_j)} S_1 \ldots S_{j-1})$. Since $I(T_j) \subseteq \{1, \ldots, j-1\}$, it holds that $H(S_j | S_{I(T_j)} S_1 \ldots S_{j-1}) = H(S_j | S_1 \ldots S_{j-1})$. Therefore,
$$H(D_j | T_j S_1 \ldots S_{j-1}) = H(S_j | S_1 \ldots S_{j-1}) + H(D_j | T_j S_1 \ldots S_j).$$
Thus, the lemma holds.

Lemma 4.2 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,2})$ be a multiple ramp scheme and let $d_j = k_j - t_j$, for $j = 1, 2$. Then, it holds that
$$\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1 S_1) \ge \frac{\binom{n-d_1}{t_1} \binom{n-1}{d_1-1}}{\binom{n-d_2}{t_2} \binom{n-1}{d_2-1}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2 S_1).$$

Proof. For simplicity we prove the lemma without the variable $S_1$. We distinguish two cases: $d_1 \le d_2$ and $d_1 > d_2$.

Assume $d_1 \le d_2$. From Lemma 3.4 with $\ell = d_2 - d_1$, $A = D_2$, and $B = T_1$ we have that
$$\sum_{D_1 \in \Gamma(d_1, D_2)} H(D_1 | T_1) \ge \binom{d_2-1}{d_2-d_1} H(D_2 | T_1).$$
Let $T_2 \in \Gamma(t_2, \mathcal{P})$. Summing up over $D_2 \in \Gamma(d_2, \mathcal{P} - T_2)$ we get
$$\sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} \sum_{D_1 \in \Gamma(d_1, D_2)} H(D_1 | T_1) \ge \binom{d_2-1}{d_2-d_1} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_1).$$
From Lemma 3.2 with $a = d_1$, $b = d_2$, and $\mathcal{C} = \mathcal{P} - T_2$, we have that
$$\sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} \sum_{D_1 \in \Gamma(d_1, D_2)} H(D_1 | T_1) = \binom{n-t_2-d_1}{d_2-d_1} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_2)} H(D_1 | T_1).$$
Hence,
$$\sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_2)} H(D_1 | T_1) \ge \frac{\binom{d_2-1}{d_2-d_1}}{\binom{n-t_2-d_1}{d_2-d_1}} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_1).$$
Summing up over $T_1 \in \Gamma(t_1, T_2)$ we obtain
$$\begin{aligned}
\sum_{T_1 \in \Gamma(t_1, T_2)} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_2)} H(D_1 | T_1) &\ge \frac{\binom{d_2-1}{d_2-d_1}}{\binom{n-t_2-d_1}{d_2-d_1}} \sum_{T_1 \in \Gamma(t_1, T_2)} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_1)\\
&\ge \frac{\binom{d_2-1}{d_2-d_1} \binom{t_2}{t_1}}{\binom{n-t_2-d_1}{d_2-d_1}} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2) \quad \text{(from (15) of Appendix, since } T_1 \subseteq T_2).
\end{aligned}$$
Summing up over $T_2 \in \Gamma(t_2, \mathcal{P})$ we obtain
$$\sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{T_1 \in \Gamma(t_1, T_2)} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_2)} H(D_1 | T_1) \ge \frac{\binom{d_2-1}{d_2-d_1} \binom{t_2}{t_1}}{\binom{n-t_2-d_1}{d_2-d_1}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2). \qquad (4)$$
Notice that a fixed pair of sets $D_1, T_1$ appears exactly $\binom{n-t_1-d_1}{t_2-t_1}$ times in the triple sum on the left hand side, hence the left hand side triple sum of (4) is equal to
$$\binom{n-t_1-d_1}{t_2-t_1} \sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1).$$
Therefore, we have that
$$\begin{aligned}
\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1) &\ge \frac{\binom{d_2-1}{d_2-d_1} \binom{t_2}{t_1}}{\binom{n-t_1-d_1}{t_2-t_1} \binom{n-t_2-d_1}{d_2-d_1}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2)\\
&= \frac{\binom{n-d_1}{t_1} \binom{n-1}{d_1-1}}{\binom{n-d_2}{t_2} \binom{n-1}{d_2-1}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2).
\end{aligned}$$

Assume now $d_1 > d_2$. From Lemma 3.5 with $\ell = d_1 - d_2$, $A = D_1$, and $B = T_1$, we have that
$$H(D_1 | T_1) \ge \frac{1}{\binom{d_1-1}{d_1-d_2}} \sum_{D_2 \in \Gamma(d_2, D_1)} H(D_2 | D_1 - D_2, T_1).$$
Summing up over $T_1 \in \Gamma(t_1, \mathcal{P})$ and over $D_1 \in \Gamma(d_1, \mathcal{P} - T_1)$ we get
$$\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1) \ge \frac{1}{\binom{d_1-1}{d_1-d_2}} \sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} \sum_{D_2 \in \Gamma(d_2, D_1)} H(D_2 | D_1 - D_2, T_1). \qquad (5)$$
Each term in the triple sum on the right hand side is of the form $H(D_2 | Y)$, where $D_2$ and $Y$ are disjoint sets and $Y \in \Gamma(t_1 + d_1 - d_2, \mathcal{P})$. Each disjoint pair of sets $D_2, Y$ appears exactly $\binom{t_1+d_1-d_2}{t_1}$ times in the triple sum, that is the number of ways to choose a set $T_1$ in $Y$. Hence the right hand side triple sum of (5) is equal to
$$\binom{t_1+d_1-d_2}{t_1} \sum_{Y \in \Gamma(t_1+d_1-d_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - Y)} H(D_2 | Y).$$
From Lemma 3.3 with $a = d_2$, $b = t_1 + d_1 - d_2$, and $c = t_2$, we have that
$$\sum_{Y \in \Gamma(t_1+d_1-d_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - Y)} H(D_2 | Y) \ge \frac{\binom{t_2}{t_1+d_1-d_2}}{\binom{n-t_1-d_1}{t_2-t_1-d_1+d_2}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2).$$
Then we have that
$$\begin{aligned}
\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1) &\ge \frac{\binom{t_1+d_1-d_2}{t_1} \binom{t_2}{t_1+d_1-d_2}}{\binom{d_1-1}{d_1-d_2} \binom{n-t_1-d_1}{t_2-t_1-d_1+d_2}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2)\\
&= \frac{\binom{n-d_1}{t_1} \binom{n-1}{d_1-1}}{\binom{n-d_2}{t_2} \binom{n-1}{d_2-1}} \sum_{T_2 \in \Gamma(t_2, \mathcal{P})} \sum_{D_2 \in \Gamma(d_2, \mathcal{P} - T_2)} H(D_2 | T_2).
\end{aligned}$$
Thus, the lemma holds.

Lemma 4.3 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme and let $d_j = k_j - t_j$, for $j = 1, \ldots, \ell$. Then, it holds that
$$\sum_{P \in \mathcal{P}} H(P) \ge n \sum_{j=1}^{\ell} \frac{H(S_j | S_1 \ldots S_{j-1})}{d_j} + \frac{n}{d_\ell \binom{n}{t_\ell} \binom{n-t_\ell}{d_\ell}} \sum_{T_\ell \in \Gamma(t_\ell, \mathcal{P})} \sum_{D_\ell \in \Gamma(d_\ell, \mathcal{P} - T_\ell)} H(D_\ell | T_\ell S_1 \ldots S_\ell).$$

Proof. The proof is by induction on $\ell$. Assume $\ell = 1$. Let $T_1 \in \Gamma(t_1, \mathcal{P})$ and $D_1 \in \Gamma(d_1, \mathcal{P} - T_1)$. From Lemma 4.1 we have that $H(D_1 | T_1) = H(S_1) + H(D_1 | T_1 S_1)$. From (11) and (13) of Appendix we have that
$$\sum_{P \in D_1} H(P) \ge H(S_1) + H(D_1 | T_1 S_1).$$
Summing up over $T_1 \in \Gamma(t_1, \mathcal{P})$ and over $D_1 \in \Gamma(d_1, \mathcal{P} - T_1)$ we get
$$\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} \sum_{P \in D_1} H(P) \ge \binom{n}{t_1} \binom{n-t_1}{d_1} H(S_1) + \sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1 S_1). \qquad (6)$$
From Lemma 3.2 we have that
$$\sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} \sum_{P \in D_1} H(P) = \binom{n-t_1-1}{d_1-1} \sum_{P \in \mathcal{P} - T_1} H(P).$$
Moreover, from Lemma 3.2 we have that
$$\sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{P \in \mathcal{P} - T_1} H(P) = \sum_{T_1 \in \Gamma(n-t_1, \mathcal{P})} \sum_{P \in T_1} H(P) = \binom{n-1}{t_1} \sum_{P \in \mathcal{P}} H(P).$$
Therefore the left hand side triple sum of (6) is equal to $\binom{n-t_1-1}{d_1-1} \binom{n-1}{t_1} \sum_{P \in \mathcal{P}} H(P)$. From (6), since
$$\frac{\binom{n}{t_1} \binom{n-t_1}{d_1}}{\binom{n-t_1-1}{d_1-1} \binom{n-1}{t_1}} = \frac{n}{d_1},$$
it follows that
$$\sum_{P \in \mathcal{P}} H(P) \ge \frac{n}{d_1} H(S_1) + \frac{n}{d_1 \binom{n}{t_1} \binom{n-t_1}{d_1}} \sum_{T_1 \in \Gamma(t_1, \mathcal{P})} \sum_{D_1 \in \Gamma(d_1, \mathcal{P} - T_1)} H(D_1 | T_1 S_1).$$
Therefore, the lemma is true for $\ell = 1$. Now, suppose the lemma true for $\ell - 1$, that is
$$\sum_{P \in \mathcal{P}} H(P) \ge n \sum_{j=1}^{\ell-1} \frac{H(S_j | S_1 \ldots S_{j-1})}{d_j} + \frac{n}{d_{\ell-1} \binom{n}{t_{\ell-1}} \binom{n-t_{\ell-1}}{d_{\ell-1}}} \sum_{T_{\ell-1} \in \Gamma(t_{\ell-1}, \mathcal{P})} \sum_{D_{\ell-1} \in \Gamma(d_{\ell-1}, \mathcal{P} - T_{\ell-1})} H(D_{\ell-1} | T_{\ell-1} S_1 \ldots S_{\ell-1}).$$
From Lemma 4.2 we have that
$$\sum_{T_{\ell-1} \in \Gamma(t_{\ell-1}, \mathcal{P})} \sum_{D_{\ell-1} \in \Gamma(d_{\ell-1}, \mathcal{P} - T_{\ell-1})} H(D_{\ell-1} | T_{\ell-1} S_1 \ldots S_{\ell-1}) \ge \frac{\binom{n-d_{\ell-1}}{t_{\ell-1}} \binom{n-1}{d_{\ell-1}-1}}{\binom{n-d_\ell}{t_\ell} \binom{n-1}{d_\ell-1}} \sum_{T_\ell \in \Gamma(t_\ell, \mathcal{P})} \sum_{D_\ell \in \Gamma(d_\ell, \mathcal{P} - T_\ell)} H(D_\ell | T_\ell S_1 \ldots S_{\ell-1}).$$
From Lemma 4.1 we get
$$H(D_\ell | T_\ell S_1 \ldots S_{\ell-1}) = H(S_\ell | S_1 \ldots S_{\ell-1}) + H(D_\ell | T_\ell S_1 \ldots S_\ell).$$
Since
$$\frac{1}{d_{\ell-1}} \cdot \frac{\binom{n-d_{\ell-1}}{t_{\ell-1}} \binom{n-1}{d_{\ell-1}-1} \binom{n}{t_\ell} \binom{n-t_\ell}{d_\ell}}{\binom{n}{t_{\ell-1}} \binom{n-t_{\ell-1}}{d_{\ell-1}} \binom{n-d_\ell}{t_\ell} \binom{n-1}{d_\ell-1}} = \frac{1}{d_\ell},$$
by the inductive hypothesis we obtain
$$\sum_{P \in \mathcal{P}} H(P) \ge n \sum_{j=1}^{\ell} \frac{H(S_j | S_1 \ldots S_{j-1})}{d_j} + \frac{n}{d_\ell \binom{n}{t_\ell} \binom{n-t_\ell}{d_\ell}} \sum_{T_\ell \in \Gamma(t_\ell, \mathcal{P})} \sum_{D_\ell \in \Gamma(d_\ell, \mathcal{P} - T_\ell)} H(D_\ell | T_\ell S_1 \ldots S_\ell).$$
Thus, the lemma holds. The next theorem is an immediate consequence of the previous lemma.

Theorem 4.4 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme. Then, it holds that
$$\sum_{P \in \mathcal{P}} H(P) \ge n \sum_{j=1}^{\ell} \frac{H(S_j | S_1 \ldots S_{j-1})}{k_j - t_j}.$$

For $\ell = 1$ Theorem 4.4 implies $\sum_{P \in \mathcal{P}} H(P) \ge \frac{n}{k-t} H(S)$, that is the lower bound on the size of the shares in single ramp schemes proved in [7]. If the secrets are uniformly and independently chosen, that is, $H(S_j | S_1 \ldots S_{j-1}) = H(S_j) = \log |S_j|$, for $j = 1, \ldots, \ell$, then we can bound the size of the shares distributed to participants, as stated by the next theorem.

Theorem 4.5 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme. If the secrets are independent and each secret $s_j$ is uniformly chosen in $S_j$, for $j = 1, \ldots, \ell$, then it holds that
$$\sum_{P \in \mathcal{P}} \log |C(P)| \ge n \sum_{j=1}^{\ell} \frac{\log |S_j|}{k_j - t_j}.$$

5 Dealer's Randomness in Multiple Ramp Schemes

Randomness is a fundamental resource, and plays an important role in several areas of theoretical computer science, such as algorithm design, complexity and cryptography. Since truly random bits are hard to obtain, the amount of randomness used in computation is an important issue in many applications. The Shannon entropy of the random source generating the random bits represents the most general and natural measure of randomness. Indeed, Knuth and Yao [15] have shown that the entropy of a random variable $X$ is approximately equal to the average number of tosses of an unbiased coin necessary to simulate the outcomes of $X$. The quantitative study of the number of random bits needed by secret sharing schemes was initiated in [8], where the optimality of several secret sharing schemes according to this measure was proved. Some other results on this topic can be found in [9]. In this section we define and analyze the measure for the amount of randomness in a multiple ramp scheme.

The total randomness present in a multiple ramp scheme $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ on a set $\mathcal{P}$ of $n$ participants is equal to the entropy $H(\mathcal{P})$. This takes into account also the randomness $H(S_1 \ldots S_\ell)$ of the secrets. The dealer's randomness is the randomness needed by the dealer to set up a multiple ramp scheme for secrets in $\mathcal{S}_C = S_1 \times \cdots \times S_\ell$, that is, the randomness he uses to generate the shares, given that the set $\mathcal{S}_C$ and the probability distribution $\{Pr_{\mathcal{S}_C}(s_1, \ldots, s_\ell)\}_{(s_1, \ldots, s_\ell) \in \mathcal{S}_C}$ are known. Therefore, for the multiple ramp scheme $\mathcal{R}$, the amount of randomness used by the dealer is equal to the entropy $H(\mathcal{P} | S_1 \ldots S_\ell)$. This randomness is needed only to generate the shares distributed to participants. Extending Lemma 2.7 in [8] we obtain the following result, which relates the total randomness and the dealer's randomness.

Lemma 5.1 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme. Then, it holds that
$$H(\mathcal{P}) = H(\mathcal{P} | S_1 \ldots S_\ell) + H(S_1 \ldots S_\ell).$$

Proof. The mutual information $I(\mathcal{P}; S_1 \ldots S_\ell)$ can be written either as $H(\mathcal{P}) - H(\mathcal{P} | S_1 \ldots S_\ell)$ or as $H(S_1 \ldots S_\ell) - H(S_1 \ldots S_\ell | \mathcal{P})$ (see formula (12) of Appendix). Hence, $H(\mathcal{P}) = H(\mathcal{P} | S_1 \ldots S_\ell) + H(S_1 \ldots S_\ell) - H(S_1 \ldots S_\ell | \mathcal{P})$. Since $n \ge k_j$, for $j = 1, \ldots, \ell$, it follows that $H(S_1 \ldots S_\ell | \mathcal{P}) = 0$. Hence, $H(\mathcal{P}) = H(\mathcal{P} | S_1 \ldots S_\ell) + H(S_1 \ldots S_\ell)$, and the lemma holds.

5.1 A Lower Bound on the Dealer's Randomness

In this section we prove a tight lower bound on the dealer's randomness in multiple ramp schemes. This bound shows that the basic multiple ramp scheme, described in Section 2, is optimal with respect to the number of random bits used by the dealer to set up the scheme.

Lemma 5.2 Let $\mathcal{R} = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme and let $1 \le m \le \ell$. Then, for any $W \subseteq \mathcal{P}$ such that $|W| \le t_m - 1$, there exists $P \in \mathcal{P} - W$ such that
$$H(\mathcal{P} | S_1 \ldots S_\ell W) \ge \sum_{j=m}^{\ell} \frac{H(S_j | S_1 \ldots S_{j-1})}{k_j - t_j} + H(\mathcal{P} | S_1 \ldots S_\ell W P).$$

Proof. Given the secrets $s_1, \ldots, s_{m-1}$ and the set $W \subseteq \mathcal{P}$, the ramp scheme $\mathcal{R}$ naturally induces a ramp scheme $\mathcal{R}' = (\{t_j - |W|, k_j - |W|, n - |W|, S_j\}_{j=m,\ldots,\ell})$ on $\mathcal{P} - W$. In fact, from Definition 2.1 it follows that, for any $A \in \Gamma(t_j - |W|, \mathcal{P} - W)$ and for $j = m, \ldots, \ell$, it holds that $H(S_j | A S_1 \ldots S_{m-1} W) = H(S_j | S_1 \ldots S_{m-1})$, that is, if $t_j - |W|$ participants in $\mathcal{P} - W$ pool together their shares, knowing the shares in $W$ and the secrets $s_1, \ldots, s_{m-1}$, they have no more information on $s_j$ than that already conveyed by the known secrets. Similarly, for any $A \in \Gamma(k_j - |W|, \mathcal{P} - W)$ and for $j = m, \ldots, \ell$, it holds that $H(S_j | A S_1 \ldots S_{m-1} W) = 0$, that is, if $k_j - |W|$ participants in $\mathcal{P} - W$ pool together their shares, knowing the shares in $W$ and the secrets $s_1, \ldots, s_{m-1}$, they can reconstruct the secret $s_j$. Analogously to Theorem 4.4 one can easily prove that there exists $P \in \mathcal{P} - W$ such that
$$H(P | S_1 \ldots S_{m-1} W) \ge \sum_{j=m}^{\ell} \frac{H(S_j | S_1 \ldots S_{m-1} S_m \ldots S_{j-1} W)}{k_j - t_j}.$$
From Definition 2.1, since $|W| \le t_m - 1 < t_m \le \cdots \le t_\ell$, it follows that
$$H(S_j | S_1 \ldots S_{m-1} S_m \ldots S_{j-1} W) = H(S_j | S_1 \ldots S_{m-1} S_m \ldots S_{j-1} S_{I(W)}) = H(S_j | S_1 \ldots S_{m-1} S_m \ldots S_{j-1}) \quad \text{(since } I(W) \subseteq \{1, \ldots, m-1\}).$$
Therefore,
$$H(P | S_1 \ldots S_{m-1} W) \ge \sum_{j=m}^{\ell} \frac{H(S_j | S_1 \ldots S_{j-1})}{k_j - t_j}. \qquad (7)$$
From (14) of Appendix we have that
$$\begin{aligned}
I(P; S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W) &= H(P | S_1 \ldots S_{m-1} W) - H(P | S_1 \ldots S_\ell W)\\
&= H(S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W) - H(S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W P). \qquad (8)
\end{aligned}$$
From (11) of Appendix we have that
$$\begin{aligned}
H(S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W) &= H(S_1 \ldots S_{m-1} | S_1 \ldots S_{m-1} W) + H(S_m \ldots S_\ell | S_1 \ldots S_{m-1} W)\\
&= H(S_m \ldots S_\ell | S_1 \ldots S_{m-1}) \quad \text{(from Lemma 2.2)}.
\end{aligned}$$
Similarly, it holds that $H(S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W P) = H(S_m \ldots S_\ell | S_1 \ldots S_{m-1})$. From (8) it follows that $I(P; S_1 \ldots S_\ell | S_1 \ldots S_{m-1} W) = 0$ and thus
$$H(P | S_1 \ldots S_\ell W) = H(P | S_1 \ldots S_{m-1} W). \qquad (9)$$
Let $\mathcal{P}' = \mathcal{P} - \{P\}$. From (11) of Appendix and (9) we have that
$$\begin{aligned}
H(\mathcal{P} | S_1 \ldots S_\ell W) &= H(P | S_1 \ldots S_\ell W) + H(\mathcal{P}' | S_1 \ldots S_\ell P W)\\
&= H(P | S_1 \ldots S_{m-1} W) + H(\mathcal{P} | S_1 \ldots S_\ell P W) - H(P | \mathcal{P}' S_1 \ldots S_\ell P W).
\end{aligned}$$
Making use of (7) and since $H(P | \mathcal{P}' S_1 \ldots S_\ell P W) = 0$, the lemma follows.

Theorem 5.3 Let $R = (\{t_j, k_j, n, S_j\}_{j=1,\ldots,\ell})$ be a multiple ramp scheme. Then, it holds that

$$H(\mathcal{P} \mid S_1 \ldots S_\ell) \ge \sum_{j=1}^{\ell} \frac{t_j}{k_j - t_j} H(S_j \mid S_1 \ldots S_{j-1}).$$

Proof. Let $W_r \in \varphi(r, \mathcal{P})$ be a set of $r$ participants, where $1 \le r \le t_\ell$. Let $t_0 = 0$ and $W_{t_0} = \emptyset$. Let $P_i \in \mathcal{P} - W$ be a participant satisfying Lemma 5.2. Let $1 \le i \le \ell$. Applying $t_i - t_{i-1}$ times Lemma 5.2 we obtain

$$H(\mathcal{P} \mid S_1 \ldots S_\ell W_{t_{i-1}}) - H(\mathcal{P} \mid S_1 \ldots S_\ell W_{t_i}) \ge \sum_{h=t_{i-1}}^{t_i - 1} \sum_{j=i}^{\ell} \frac{H(S_j \mid S_1 \ldots S_{j-1})}{k_j - t_j} = (t_i - t_{i-1}) \sum_{j=i}^{\ell} \frac{H(S_j \mid S_1 \ldots S_{j-1})}{k_j - t_j}.$$

Summing up over $i = 1, \ldots, \ell$ we obtain

$$H(\mathcal{P} \mid S_1 \ldots S_\ell W_{t_0}) - H(\mathcal{P} \mid S_1 \ldots S_\ell W_{t_\ell}) \ge \sum_{i=1}^{\ell} (t_i - t_{i-1}) \sum_{j=i}^{\ell} \frac{H(S_j \mid S_1 \ldots S_{j-1})}{k_j - t_j} = \sum_{j=1}^{\ell} \frac{t_j}{k_j - t_j} H(S_j \mid S_1 \ldots S_{j-1}).$$

Since $H(\mathcal{P} \mid S_1 \ldots S_\ell W_{t_\ell}) \ge 0$ and $W_{t_0} = \emptyset$, the theorem follows.

For $\ell = 1$, Theorem 5.3 implies $H(\mathcal{P} \mid S) \ge \frac{t}{k-t} H(S)$, that is, the lower bound on the dealer's randomness in single ramp schemes proved in [8].

Acknowledgements

We would like to thank the anonymous referees for their careful reading and useful comments.


Appendix: Information Theory Background

In this Appendix we review the basic concepts of Information Theory used in our definitions and proofs. For a complete treatment of the subject the reader is advised to consult [11]. Given a probability distribution $\{\Pr_X(x)\}_{x \in X}$ on a set $X$, we define the entropy of $X$, $H(X)$, as

$$H(X) = -\sum_{x \in X} \Pr_X(x) \log \Pr_X(x)$$

(all logarithms in this paper are to the base 2). The entropy satisfies the following property: $0 \le H(X) \le \log |X|$, where $H(X) = 0$ if and only if there exists $x_0 \in X$ such that $\Pr_X(x_0) = 1$; $H(X) = \log |X|$ if and only if $\Pr_X(x) = 1/|X|$, for all $x \in X$. Given two sets $X$ and $Y$ and a joint probability distribution on their cartesian product, the conditional entropy $H(X \mid Y)$ is defined as

$$H(X \mid Y) = -\sum_{y \in Y} \sum_{x \in X} \Pr_Y(y) \Pr(x \mid y) \log \Pr(x \mid y).$$

From the definition of conditional entropy it is easy to see that $H(X \mid Y) \ge 0$. Given $n$ sets $X_1, \ldots, X_n$ and a joint probability distribution on their cartesian product, the entropy of $X_1 \ldots X_n$ satisfies

$$H(X_1 \ldots X_n) = H(X_1) + H(X_2 \mid X_1) + \cdots + H(X_n \mid X_1 \ldots X_{n-1}). \qquad (10)$$

Given $n+1$ sets $X_1, \ldots, X_n, Y$ and a joint probability distribution on their cartesian product, the entropy of $X_1 \ldots X_n$ given $Y$ can be expressed as

$$H(X_1 \ldots X_n \mid Y) = H(X_1 \mid Y) + \sum_{i=2}^{n} H(X_i \mid X_1 \ldots X_{i-1} Y). \qquad (11)$$

The mutual information $I(X; Y)$ between $X$ and $Y$ is defined by

$$I(X; Y) = H(X) - H(X \mid Y) = H(Y) - H(Y \mid X) \qquad (12)$$

and enjoys the following property: $I(X; Y) \ge 0$, from which one gets

$$H(X) \ge H(X \mid Y). \qquad (13)$$

Given $n+2$ sets $X, Y, Z_1, \ldots, Z_n$ and a joint probability distribution on their cartesian product, the conditional mutual information $I(X; Y \mid Z_1 \ldots Z_n)$ between $X$ and $Y$ given $Z_1, \ldots, Z_n$ can be written as

$$I(X; Y \mid Z_1 \ldots Z_n) = H(X \mid Z_1 \ldots Z_n) - H(X \mid Z_1 \ldots Z_n Y) = H(Y \mid Z_1 \ldots Z_n) - H(Y \mid Z_1 \ldots Z_n X). \qquad (14)$$

Since the conditional mutual information is always non-negative we get

$$H(X \mid Z_1 \ldots Z_n) \ge H(X \mid Z_1 \ldots Z_n Y). \qquad (15)$$

From (11) and (15) one easily gets that for any sets $Y, X_1, \ldots, X_n$ and a joint probability distribution on their cartesian product it holds that

$$\sum_{i=1}^{n} H(X_i \mid Y) \ge H(X_1 X_2 \ldots X_n \mid Y). \qquad (16)$$
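As an added example (not part of the paper), the following Python script builds a small polynomial ramp scheme over GF(5) with $(t, k, n) = (1, 3, 3)$, enumerates every (secret, share vector) outcome under the dealer's uniform coin tosses, and computes the entropies of the Appendix by brute force from that joint distribution. It checks the ramp property, $H(S \mid A) = H(S)$ for $|A| \le t$, $0 < H(S \mid A) < H(S)$ for $t < |A| < k$, and $H(S \mid A) = 0$ for $|A| \ge k$, and then compares the dealer's randomness $H(\mathcal{P} \mid S)$ with the $\ell = 1$ bound $\frac{t}{k-t} H(S)$ of Theorem 5.3, which this scheme meets with equality. The scheme itself (secret in the $k-t$ low coefficients of a degree-$(k-1)$ polynomial, $t$ uniformly random high coefficients, one nonzero evaluation point per participant), the field size and the parameters are choices made for this demonstration and are not the paper's own construction.

```python
# Added example (not from the De Santis-Masucci paper): brute-force check of the
# ell = 1 case of Theorem 5.3, H(P|S) >= t/(k-t) * H(S), on a small polynomial
# ramp scheme over GF(5). The construction (secret in the low coefficients,
# randomness in the high ones), the field size and (t, k, n) = (1, 3, 3) are
# choices made for this demonstration, not parameters taken from the paper.
from collections import Counter
from itertools import product
from math import log2

P_MOD = 5            # prime field GF(5)
T, K, N = 1, 3, 3    # (t, k, n) ramp parameters: 1 share leaks nothing, 3 reconstruct
XS = (1, 2, 3)       # distinct nonzero evaluation points, one per participant


def shares_for(secret, rnd):
    """Evaluate f(x) = s_0 + ... + s_{k-t-1} x^{k-t-1} + r_1 x^{k-t} + ... + r_t x^{k-1}
    at every participant's point; the secret is the (k-t)-tuple of low coefficients."""
    coeffs = list(secret) + list(rnd)
    return tuple(sum(c * pow(x, i, P_MOD) for i, c in enumerate(coeffs)) % P_MOD
                 for x in XS)


def all_outcomes():
    """Every (secret, share vector) pair under the dealer's uniform choice of the
    secret and of the t random coefficients; each pair is equiprobable."""
    return [(s, shares_for(s, r))
            for s in product(range(P_MOD), repeat=K - T)
            for r in product(range(P_MOD), repeat=T)]


def entropy(samples):
    """H(X) = -sum_x Pr(x) log Pr(x), computed from an equiprobable list of outcomes."""
    n = len(samples)
    return -sum((c / n) * log2(c / n) for c in Counter(samples).values())


def cond_entropy(pairs):
    """H(X|Y) = H(XY) - H(Y), i.e. the chain rule (10) of the Appendix, on (x, y) pairs."""
    return entropy(pairs) - entropy([y for _, y in pairs])


def secret_entropy_given(participants):
    """H(S|A): residual uncertainty on the secret given the shares of the set A
    (participants are given as indices into the share vector)."""
    return cond_entropy([(s, tuple(sh[i] for i in participants))
                         for s, sh in all_outcomes()])


def dealer_randomness():
    """H(P|S): entropy of the whole share vector once the secret is known."""
    return cond_entropy([(sh, s) for s, sh in all_outcomes()])


def randomness_lower_bound():
    """t/(k-t) * H(S), the ell = 1 instance of Theorem 5.3."""
    return T / (K - T) * entropy([s for s, _ in all_outcomes()])


if __name__ == "__main__":
    for size in range(N + 1):
        print(f"|A| = {size}: H(S|A) = {secret_entropy_given(range(size)):.4f} bits")
    print(f"H(P|S) = {dealer_randomness():.4f} bits, "
          f"bound t/(k-t) H(S) = {randomness_lower_bound():.4f} bits")
```

Running the script shows $H(S \mid A)$ dropping from $\log_2 25 \approx 4.64$ bits for $|A| \le 1$ to $\log_2 5 \approx 2.32$ bits for $|A| = 2$ and to $0$ for $|A| = 3$, and $H(\mathcal{P} \mid S) = \log_2 5 \approx 2.32$ bits, exactly the bound $\frac{1}{2} \log_2 25$. The `entropy` and `cond_entropy` helpers are generic, so the same enumeration can be rerun for other small $(t, k, n)$ and field sizes to see how much randomness a dealer must spend per bit of secret.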

References

[1] G. R. Blakley, "Safeguarding Cryptographic Keys", in Proceedings AFIPS 1979 National Computer Conference, pp. 313-317, June 1979.
[2] J. C. Benaloh and J. Leichter, "Generalized Secret Sharing and Monotone Functions", in Advances in Cryptology - CRYPTO '88, S. Goldwasser Ed., Lecture Notes in Computer Science, Vol. 403, Springer-Verlag, Berlin, pp. 27-35, 1990.
[3] G. R. Blakley and C. Meadows, "Security of Ramp Schemes", in Advances in Cryptology - CRYPTO '84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, Berlin, pp. 242-268, 1985.
[4] C. Blundo, A. De Santis, G. Di Crescenzo, A. Giorgio Gaggia, B. Masucci, and U. Vaccaro, "Secret Sharing of Many Secrets", Technical Report, University of Salerno, 1998.
[5] C. Blundo, A. De Santis, G. Di Crescenzo, A. Giorgio Gaggia, and U. Vaccaro, "Multi-Secret Sharing Schemes", in Advances in Cryptology - CRYPTO '94, Y. Desmedt Ed., Lecture Notes in Computer Science, Vol. 839, Springer-Verlag, Berlin, pp. 150-163, 1994.
[6] C. Blundo, A. De Santis, and B. Masucci, "Randomness in Multi-Secret Sharing Schemes", Technical Report, University of Salerno, 1998.
[7] C. Blundo, A. De Santis, and U. Vaccaro, "Efficient Sharing of Many Secrets", in Proceedings of STACS '93 (10th Symp. on Theoretical Aspects of Computer Science), P. Enjalbert, A. Finkel, and K. W. Wagner Eds., Lecture Notes in Computer Science, Vol. 665, Springer-Verlag, Berlin, pp. 692-703, 1993.
[8] C. Blundo, A. De Santis, and U. Vaccaro, "Randomness in Distribution Protocols", Information and Computation, Vol. 131, pp. 111-139, 1996.
[9] C. Blundo, A. Giorgio Gaggia, and D. R. Stinson, "On the Dealer's Randomness Required in Secret Sharing Schemes", Designs, Codes and Cryptography, Vol. 11, No. 2, pp. 107-122, 1997.
[10] R. M. Capocelli, A. De Santis, L. Gargano, and U. Vaccaro, "On the Size of Shares for Secret Sharing Schemes", Journal of Cryptology, Vol. 6, pp. 157-169, 1993.
[11] T. M. Cover and J. A. Thomas, Elements of Information Theory, John Wiley & Sons, 1991.
[12] M. Franklin and M. Yung, "Communication Complexity of Secure Computation", in Proceedings of the 24th Annual ACM Symposium on Theory of Computing, pp. 699-710, 1992.
[13] M. Ito, A. Saito, and T. Nishizeki, "Multiple Assignment Scheme for Sharing Secret", Journal of Cryptology, Vol. 6, pp. 15-20, 1993.
[14] E. D. Karnin, J. W. Greene, and M. E. Hellman, "On Secret Sharing Systems", IEEE Trans. Inform. Theory, Vol. 29, pp. 35-41, 1983.
[15] D. E. Knuth and A. C. Yao, "The Complexity of Nonuniform Random Number Generation", in Algorithms and Complexity, Academic Press, pp. 357-428, 1976.
[16] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, "Multisecret Threshold Schemes", in Advances in Cryptology - CRYPTO '93, D. R. Stinson Ed., Lecture Notes in Computer Science, Vol. 773, Springer-Verlag, Berlin, pp. 126-135, 1994.
[17] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, "On Sharing Many Secrets", in Advances in Cryptology - ASIACRYPT '94, J. Pieprzyk and R. Safavi-Naini Eds., Lecture Notes in Computer Science, Vol. 917, pp. 42-54, 1995.
[18] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, "Ideal Secret Sharing Schemes with Multiple Secrets", Journal of Cryptology, Vol. 9, pp. 233-250, 1996.
[19] W.-A. Jackson and K. M. Martin, "A Combinatorial Interpretation of Ramp Schemes", Australasian Journal of Combinatorics, Vol. 14, pp. 51-60, 1996.
[20] R. J. McEliece and D. Sarwate, "On Sharing Secrets and Reed-Solomon Codes", Communications of the ACM, Vol. 24, No. 9, pp. 583-584, September 1981.
[21] A. Shamir, "How to Share a Secret", Communications of the ACM, Vol. 22, No. 11, pp. 612-613, November 1979.
[22] G. J. Simmons, "An Introduction to Shared Secret and/or Shared Control Schemes and Their Applications", in Contemporary Cryptology, IEEE Press, pp. 441-497, 1991.
[23] D. R. Stinson, "An Explication of Secret Sharing Schemes", Designs, Codes and Cryptography, Vol. 2, pp. 357-390, 1992.
[24] D. R. Stinson, Bibliography on Secret Sharing, available on-line at http://cacr.math.uwaterloo.ca/dstinson/ssbib.html
[25] D. R. Stinson, Cryptography: Theory and Practice, CRC Press, Inc., Boca Raton, 1995.
