
Designs, Codes and Cryptography, 15, 111?? (1998) © 1998 Kluwer Academic Publishers, Boston. Manufactured in The Netherlands.

How to Build Robust Shared Control Systems

ROSS ANDERSON [email protected]
Computer Laboratory, Cambridge University, Pembroke Street, Cambridge, CB2 3QG, U.K.

CUNSHENG DING [email protected]
Department of Information Systems and Computer Science, National University of Singapore, Lower Kent Ridge Road, Singapore 119260

TOR HELLESETH [email protected]

TORLEIV KLØVE [email protected]
Department of Informatics, University of Bergen, HIB, N-5020 Bergen, Norway

Communicated by: D. Jungnickel

Received February 14, 1997; Revised February 14, 1997; Accepted January 27, 1998

Abstract. Previous researchers have designed shared control schemes with a view to minimising the likelihood that participants will conspire to perform an unauthorised act. But, human nature being what it is, systems inevitably fail; so shared control schemes should also be designed so that the police can identify conspirators after the fact. This requirement leads us to search for schemes with sparse access structures. We show how this can be done using ideas from coding theory. In particular, secret sharing schemes based on geometric codes whose dual [n, k, d] codes have d and n as their only nonzero weights are suitable. We determine their access structures and analyse their properties. We have found almost all of them, and established some relations among codes, designs and secret-sharing schemes.

Keywords: designs, geometric codes, secret sharing, cryptography

1. The problems with existing shared control schemes

The origins of shared control schemes are lost in the mists of time. For generations, banks have had dual keys for strongrooms, and rules that instruments over a certain threshold of value needed to be signed by two or more managers. Such schemes do not just protect the bank; they also protect managers from having their families taken hostage.

With the advent of electronic banking, similar functionality has often been implemented using obvious mechanisms. For example, the cryptographic keys used to initialise automatic teller machines are typically constructed by exclusive-or’ing two 56 bit components together. The components are kept on paper under the physical control of two different people — typically the branch manager and the branch accountant. More sensitive keys, such as interbank master keys, are similarly broken into three components [?].

Some problems with such schemes are described in [?]. It is inconvenient to have a really strict separation between (say) “orange” and “blue” tellers, so someone who has had access to one half of a key or password one month may get access to the other half the next month. This problem has led to real losses.

A more sophisticated approach, secret sharing, was introduced in 1979 by Blakley [?] and Shamir [?] simultaneously. Their idea was to construct schemes in which a dealer can split up a secret into a number of shares and distribute them to a group of participants. Certain authorised subsets of this group — access sets — can then combine their shares to recover the secret (the set of access sets is called the access structure). Such schemes allow each participant to have his own unique secret information; the custody of passwords and keys never has to pass from one individual to another, and thus hopefully we can avoid the risks mentioned above.

The simplest kind of secret sharing system is the threshold scheme in which any m out of n participants can recover the secret. A practical construction for sharing digital signature keys in this way is given by Desmedt and Frankel [?]; this is used, for example, in the Omega key management service [?].

However, threshold schemes are not ideal in the banking world, and a simple example will make this clear. Suppose we have a vault with an access structure of “any three out of six tellers”. One day, the vault is empty. The police investigate and find that precisely one of the tellers has a watertight alibi. This leaves $\binom{5}{3} = 10$ possible ‘minimal conspiracies’, and in the absence of further information, the conspirators may well get away with it. But suppose the vault’s access structure had been {1, 2, 4}, {3, 4, 5}, {2, 5, 6}, {1, 3, 6}. Then if, for example, it was teller 1 who had a solid alibi, we know that the conspiracy must include either tellers 3, 4 and 5, or tellers 2, 5 and 6. So we know that teller 5 is guilty for sure; hopefully he can be persuaded to name his accomplices by the carrot of a more lenient jail sentence.

Note also that the above access structure is still fairly resilient in that it always allows access to the vault if one teller is off sick, while if two are off simultaneously, it can still be opened 80% of the time (the blocking combinations are {1, 5}, {2, 3}, and {4, 6} — and this is clearly optimal, if an alibi for one teller is to mean a conviction for another). So it is indeed a practical approach to shared control. But how did we find this particular access structure, and how can we construct shared control schemes with any desired (and practical) combination of resilience and cheater detection?

2. Sparse access structures based on linear codes

In the above section, we motivated the need for secret sharing schemes with sparse access structures. We could always construct them by choosing k access sets of m participants at random from a total of n participants, but such schemes would be inefficient (the details are left as an exercise for the reader). In what follows, we will develop techniques for the systematic construction of secret sharing schemes with sparse access structures.

The inspiration comes from the following observation. In the m out of n threshold scheme, there are $\binom{n}{m}$ minimal access sets (access sets of which no proper subset is also an access set). It is this large number of minimal access sets that makes it hard for the police to identify conspirators. Now recall that an [m, m, 1] linear code over GF(q) has the maximum possible number of codewords, and because of this the code has no capacity to detect (let alone correct) errors. In some sense m out of n threshold schemes are like [m, m, 1] linear codes.

This suggests that we should turn to the theory of linear codes to look for systematic constructions.


2.1. Notation and previous work

Now let the set of participants be P and the access structure be Γ ⊆ 2^P. Recall that an [n, k; q] code is a k-dimensional subspace of GF(q)^n whose elements are called codewords. The (Hamming) weight of a codeword c is the number of nonzero positions in c. The minimum distance d of the code is the smallest (Hamming) distance between any two distinct codewords. Because of linearity, this is also the smallest weight of a nonzero codeword. Sometimes we include d in the notation and describe the code as an [n, k, d; q] code. A generator matrix G of an [n, k; q] code C is a k × n matrix over GF(q) whose rows form a basis for C.

One approach to the construction of secret-sharing schemes based on linear codes is as follows. Choose an [n + 1, k; q] code C. Let G be a generator matrix of C. Let $s \in GF(q)$ denote the secret, and $\mathbf{g}_0 = (g_{00}, g_{10}, \cdots, g_{k-1,0})^T$ be the first column of the generator matrix G. Then the information vector $\mathbf{s} = (s_0, \cdots, s_{k-1})$ is chosen to be any vector of $GF(q)^k$ such that

$$s = \mathbf{s}\mathbf{g}_0 = \sum_{i=0}^{k-1} s_i g_{i0}.$$

The codeword corresponding to this information vector $\mathbf{s}$ is $t = (t_0, t_1, \cdots, t_n) = \mathbf{s}G$. We give $t_i$ to the party $p_i$ as their share, and the first component $t_0 = s$ of the codeword $t$ is the secret.

It is not hard to prove that in the secret sharing scheme based on a generator matrix $G = [\mathbf{g}_0\ \mathbf{g}_1 \cdots \mathbf{g}_n]$ of an [n + 1, k; q] linear code such that $\mathbf{g}_0$ is a linear combination of the other n columns $\mathbf{g}_1, \cdots, \mathbf{g}_n$, the secret $t_0$ is determined by the set of shares $\{t_{i_1}, \cdots, t_{i_m}\}$ if and only if $\mathbf{g}_0$ is a linear combination of the vectors $\mathbf{g}_{i_1}, \cdots, \mathbf{g}_{i_m}$, where $1 \le i_1 < \cdots < i_m \le n$ and $m \le n$.

Computing the secret is straightforward: solve the linear equation

$$\mathbf{g}_0 = \sum_{j=1}^{m} x_j \mathbf{g}_{i_j}$$

to find $x_j$, and the secret is then given by

$$t_0 = \mathbf{s}\mathbf{g}_0 = \sum_{j=1}^{m} x_j \mathbf{s}\mathbf{g}_{i_j} = \sum_{j=1}^{m} x_j t_{i_j}.$$

Secret sharing schemes based on this general approach were considered by Karnin, Green and Hellman [?], and by Massey [?, ?]. The approach of McEliece and Sarwate is different but closely related [?].

2.2. Massey’s lemma

For secret sharing schemes based on the Karnin-Green-Hellman approach, Massey introduced the concept of minimal codewords and characterised the resulting access structures [?, ?]. We state his characterization in the following lemma, which will be needed in later sections.

Lemma 1 Let G be a generator matrix of an [n + 1, k; q] code C, and let C⊥ be the dual code of C. In the secret-sharing scheme based on G, a set of shares $\{t_{i_1}, t_{i_2}, \cdots, t_{i_m}\}$ determines the secret if and only if there is a codeword

$$(1, 0, \cdots, 0, c_{i_1}, 0, \cdots, 0, c_{i_m}, 0, \cdots, 0)$$

in the dual code C⊥, where all $c_{i_j} \ne 0$ for $j = 1, 2, \cdots, m$, $1 \le i_1 < \cdots < i_m \le n$ and $1 \le m \le n$.

We also mention the fact that for secret sharing schemes based on the above approach, a set of shares either determines the secret or gives no information about it, i.e., such schemes are perfect. This fact and Massey’s lemma will be used to determine the access structure of some schemes based on Reed-Muller, Hamming and other codes.

2.3. Democratic secret sharing schemes

For a perfect secret sharing scheme, a group of participants can determine the secret if and only if it contains one minimal access set. Thus, the determination of the access structure is simply that of the minimal access sets. We call a secret-sharing scheme democratic if each party serves on the same number of minimal access sets; so it is democratic if these sets form a 1-design.

In this paper we describe some perfect and democratic secret-sharing schemes based on Reed-Muller and Hamming codes and analyse their properties. Our schemes are based on [n, k, d; q] codes such that all the nonzero codewords have weight d or n. We have found almost all secret sharing schemes based on such codes whose minimal access sets form a 1-design. We have also established some connections between linear codes, designs and secret sharing schemes.

3. Designs, codes and secret sharing

Let X be a v-set (i.e., a set with v elements) whose elements are called points. A t-(v, k, λ) design is a collection of distinct k-subsets (called blocks) of X with the property that any t-subset of X is contained in exactly λ blocks. A Steiner system is a t-design with λ = 1 and t ≥ 2.

To prove the main theorem of this section, we need a number of known results in design theory, which are summarized in the following two lemmas.

Lemma 2 [?, p.59] In a t-(v, k, λ) design, let $p_1, p_2, \cdots, p_t$ be any t distinct points. Let $\lambda_i$ be the number of blocks containing $p_1, \cdots, p_i$ for $1 \le i \le t$, and let $\lambda_0$ be the total number of blocks. Then $\lambda_i$ is independent of the choice of $p_1, \cdots, p_i$ and

$$\lambda_i = \frac{\lambda \binom{v-i}{t-i}}{\binom{k-i}{t-i}}, \quad \text{for } 0 \le i \le t.$$

By this lemma a t-(v, k, λ) design is also an i-(v, k, $\lambda_i$) design for 1 ≤ i ≤ t. One way to get a (t − 1)-(v − 1, k − 1, λ) design from a t-(v, k, λ) design is the following. Let D = (P, B) be a t-(v, k, λ) design, where P and B are the set of points and the set of blocks respectively. Take all the blocks of B that contain a point p ∈ P, and omit the point in those blocks. Denote the new blocks by $B_2$. Then we have the following result.

Lemma 3 [?, p.62] $D_2 = (P - \{p\}, B_2)$ forms a (t − 1)-(v − 1, k − 1, λ) design.

Let C be an [n + 1, k; q] code, and let $A_i$ be the number of codewords of C with Hamming weight i. The sequence $\{A_i\}$ is called the weight distribution of C. Obviously, $A_0 = 1$. The weights $0, \sigma_1, \cdots, \sigma_s$ are the subscripts of those $A_i \ne 0$. Let $c = (c_0, c_1, \cdots, c_n)$ be a codeword over GF(q) with Hamming weight w. The set of w subscripts i with $c_i \ne 0$ is called the support of c. Clearly, all q − 1 multiples of a codeword have the same support. It is also possible that two linearly independent codewords have the same support. In the sequel a support is counted only once.

Our main result on secret sharing in this section is the following.

Theorem 1 Let C⊥ be an [n + 1, n − k + 1, d; q] code with d and n + 1 as its only nonzero weights, where n + 1 > d ≥ 3, and C⊥ is the dual code of C. Suppose there is an integer t with 2 ≤ t < d such that there are at most d − t $\sigma_i$’s in the range $1 \le \sigma_i \le n + 1 - t$, where these $\sigma_i$ are the weights of C. Let t be the largest such t. Then the secret-sharing scheme based on C has the following properties:

1. There are $dA_d/(n+1)(q-1)$ minimal access sets consisting of d − 1 participants that can determine the secret, and any group of participants can determine the secret if and only if it contains one of them (thus, no group of less than d − 1 parties can determine the secret).

2. Every set of t − 1 parties serves on exactly

$$\frac{\binom{d}{t} A_d}{\binom{n+1}{t}(q-1)}$$

minimal access sets.

Proof: By the Assmus-Mattson Theorem [?, p.177], the supports of the codewords of weight d in C⊥ form a t-(n + 1, d, λ) design. By Lemma 2

$$\frac{A_d}{q-1} = \frac{\lambda \binom{n+1}{t}}{\binom{d}{t}}.$$

Hence

$$\lambda = \frac{A_d \binom{d}{t}}{\binom{n+1}{t}(q-1)}.$$

Let 0, 1, ..., n be the subscripts of the coordinates of the codewords of C⊥ and let

$$E = \{E_1, E_2, \cdots, E_{A_d/(q-1)}\}$$

be the set of all supports of codewords of weight d in C⊥. By Lemma 2 the number of supports in E containing the point 0 is

$$\frac{\lambda \binom{n}{t-1}}{\binom{d-1}{t-1}} = \frac{\binom{n}{t-1}\binom{d}{t} A_d}{\binom{d-1}{t-1}\binom{n+1}{t}(q-1)} = \frac{dA_d}{(n+1)(q-1)}.$$

Without loss of generality, assume that $E_1, E_2, \cdots, E_{dA_d/(n+1)(q-1)}$ are the supports in E containing 0. Then the $dA_d/(n+1)(q-1)$ minimal access sets are

$$E_1 \setminus \{0\}, \cdots, E_{dA_d/(n+1)(q-1)} \setminus \{0\}.$$

By Lemma 1 and the assumptions of the theorem, each of these minimal access sets can determine the secret, and every group of parties determining the secret must contain one of them.

By Lemma 3 these minimal access sets form a (t − 1)-(n, d − 1, λ) design. Hence, every set of t − 1 parties serves on exactly $\binom{d}{t} A_d / \binom{n+1}{t}(q-1)$ minimal access sets. □

Thus our secret sharing schemes are ‘almost democratic’, in the sense that all groups of t − 1 parties serve on the same number of minimal access sets. The larger the parameter t, the more democratic the scheme; but there is a tradeoff between the size of t and the number of minimal access sets. For instance, when t = n, the code C⊥ has dimension one and the access structure is only

{1, 2, ..., n}.

Generally, the larger the size of t, the fewer the minimal access sets, and vice versa. The conditions in Theorem 1 are sufficient for the supports of the codewords of minimum weight to form a t-design, but they are not easy to check. Since we are mostly interested in 2-designs for our secret sharing purpose, we prove the following result.

Lemma 4 Let C be an [n, k, d; q] code with d and n as its only nonzero weights, where k ≥ 2. Let G be a generator matrix of C such that no column of G is a zero vector. Then the supports of the codewords with weight d in C form a 2-design if and only if every two columns of G are linearly independent, or equivalently the minimum distance $d^\perp$ of the dual code C⊥ is at least 3.

Proof: Let $\mathbf{g}_1, \mathbf{g}_2, \cdots, \mathbf{g}_n$ be the columns of G. Since k ≥ 2, at least two columns of G are linearly independent. Without loss of generality, assume that $\mathbf{g}_1$ and $\mathbf{g}_2$ are linearly independent. Let

$$A(1, 2) = [\mathbf{g}_1\ \mathbf{g}_2] = \begin{pmatrix} a_1 \\ a_2 \\ \vdots \\ a_k \end{pmatrix},$$

where $a_i = (g_{i,1}\ g_{i,2})$ for 1 ≤ i ≤ k. Since A(1, 2) has rank 2, without loss of generality we can assume that $a_1$ and $a_2$ are linearly independent. Clearly, the sum $\sum_{i=1}^{k} y_i a_i$ takes on each element of $GF(q)^2$ equally often, i.e., $q^{k-2}$ times, when $(y_1, y_2, \cdots, y_k)$ runs through $GF(q)^k$. Let $A_n$ be the number of codewords with weight n in C. Then the number of supports of codewords with weight d in C containing the positions {1, 2} is

$$(q-1)^2 q^{k-2} - A_n.$$

Suppose that two columns $\mathbf{g}_1$ and $\mathbf{g}_2$ are linearly dependent, so the rank of the matrix A(1, 2) is one. Then it is easily seen that the number of supports containing the positions {1, 2} of codewords with weight d in C is

$$(q-1) q^{k-1} - A_n.$$

Thus, the supports of codewords of weight d in C form a 2-design if and only if every two columns of G are linearly independent. This proves the lemma. □

Now let C be any [n, k, d; q] code. Define for s ≥ 2

$$C^s = \{(\underbrace{c\,|\,c\,|\cdots|\,c}_{s}) : c \in C\}.$$

This is an [sn, k, sd; q] code consisting of s copies of C.

Corollary 1 If s ≥ 2 and k ≥ 2 the supports of the codewords of weight sd of $C^s$ are not a 2-design.

In this paper we have only considered secret sharing schemes based on [n, k, d] codes with nonzero weights d and n. For secret sharing schemes based on codes with three or more weights this lemma could show the extent of democracy.

4. On [n, k, d] codes with weights 0, d, and n

We now search for all secret-sharing schemes based on the dual codes of [n, k, d] codes with d and n as their only nonzero weights and whose minimal access sets form a 1-design. We first need to search for all [n, k, d] codes with only weights 0, d, n.

Two [n, k; q] codes C and C′ are equivalent if there exist a permutation π of {1, 2, ..., n} and nonzero elements $\alpha_1, \alpha_2, \ldots, \alpha_n$ in GF(q) such that

$$C' = \{(\alpha_1 c_{\pi(1)}, \alpha_2 c_{\pi(2)}, \ldots, \alpha_n c_{\pi(n)}) \mid (c_1, c_2, \ldots, c_n) \in C\}.$$

We note that equivalent codes give rise to equivalent access structures.

In the classification, we will need the Griesmer bound. Let

$$g_q(k, d) = \sum_{i=0}^{k-1} \left\lceil \frac{d}{q^i} \right\rceil.$$

For any [n, k, d; q] code we have

$$n \ge g_q(k, d).$$

First we describe the equidistant codes, that is, the [n, k, d; q] codes where all nonzero codewords have weight d.

Equidistant codes

The simplex codes $S_q(k)$ are the $[\frac{q^k-1}{q-1}, k, q^{k-1}; q]$ codes generated by the $k \times \frac{q^k-1}{q-1}$ matrices G whose columns are nonzero and non-proportional. Without loss of generality we can assume that the first nonzero component in each column vector is 1, in which case G contains all such vectors. A zero-position for a code is a position where all codewords are zero. If we repeat the simplex code s ≥ 1 times and add some zero-positions, we still get an equidistant code. It is known that all equidistant codes are obtained in this way. For completeness, we include the short proof.

Equidistant codes are also studied in [?].

Lemma 5 Let C be an [n, k, d; q] code without zero-positions. Then C is equidistant if and only if C is an $[s\frac{q^k-1}{q-1}, k, sq^{k-1}]$ code for some s ≥ 1.

Proof: Let A be the $q^k \times n$ matrix containing all codewords as rows. Counting the number of nonzero elements in A row-wise and column-wise we get

$$(q^k - 1)d \le \sum_{c \in C} w(c) = (q-1) q^{k-1} n. \qquad (1)$$

Suppose C is equidistant. Then we have equality in (1). Since

$$\gcd\left(\frac{q^k-1}{q-1}, q^{k-1}\right) = 1,$$

we have

$$n = s\frac{q^k-1}{q-1} \quad \text{and} \quad d = sq^{k-1}$$

for some integer s.

Conversely, suppose $n = s\frac{q^k-1}{q-1}$ and $d = sq^{k-1}$ for some s. Then $(q^k - 1)d = (q-1)q^{k-1}n$, and so we must have equality in (1), that is, w(c) = d for all nonzero c. In other words, the code is equidistant. □


Lemma 6 Any $[s\frac{q^k-1}{q-1}, k, sq^{k-1}; q]$ code C without zero-positions is equivalent to the code obtained by s repetitions of $S_q(k)$.

Proof: It is sufficient to show that no column occurs more than s times. Suppose one column occurs u ≥ s + 1 times. Then without loss of generality we may assume that the code has a generator matrix of the form

$$G = \begin{pmatrix} \overbrace{1\ 1\ \cdots\ 1}^{u} & x \\ 0^T\ 0^T\ \cdots\ 0^T & G_0 \end{pmatrix},$$

where x is some vector of length $s\frac{q^k-1}{q-1} - u$, 0 is the all-zero vector, and $G_0$ generates an $[s\frac{q^k-1}{q-1} - u, k-1, sq^{k-1}; q]$ code. This contradicts the Griesmer bound, since

$$g_q(k-1, sq^{k-1}) = s\left(\frac{q^k-1}{q-1} - 1\right) > s\frac{q^k-1}{q-1} - u. \qquad \square$$

By Lemmas 4 and 6, the only equidistant codes of interest for our secret sharing problem are the simplex codes.

Two-weight [n, k, d; q] codes containing codewords of weight n

We now go on to study two-weight codes which have codewords of weight n. Since secret-sharing schemes based on equivalent codes have the same access structure, we may assume without loss of generality that $\mathbf{1}$, the all-one vector, is a codeword. We call such codes self-complementary codes. We note that any code obtained by s ≥ 2 repetitions of a self-complementary two-weight code is again a self-complementary two-weight code. A self-complementary two-weight code which cannot be obtained by repetitions of a shorter such code will be called primitive. We remark that if C is self-complementary, then clearly C cannot have any zero positions.

An important class of primitive, self-complementary, two-weight codes are the first order Reed-Muller codes, $R_q(1, m)$. The code $R_q(1, m)$ is the $[q^m, m+1, (q-1)q^{m-1}; q]$ code with generator matrix

$$\begin{pmatrix} \mathbf{1} \\ U_m \end{pmatrix},$$

where the columns of $U_m$ are exactly all the vectors in $GF(q)^m$. We will show that most primitive, two-weight, self-complementary codes are of this form. In particular this is the case if k ≥ 4. However, for k = 2 and k = 3 there are also other such codes.

Any self-complementary two-weight [n, k, d; q] code C has a generator matrix of the form

$$\begin{pmatrix} \mathbf{1} \\ V \end{pmatrix},$$

where the first column of V is all-zero. The code generated by V will be denoted by $C_V$. The code $C_V$ is a subcode of C and all its codewords have weight less than n. Therefore $C_V$ is an [n, k − 1, d; q] equidistant code.

Lemma 7 Let C be a self-complementary two-weight [n, k, d; q] code. Then n − d divides n. Let $a_1 = a_1(C) = n - d$ and $r_1 = r_1(C) = n/(n-d)$. Each nonzero codeword in $C_V$ contains exactly $r_1$ distinct elements from GF(q), and each of these elements occurs exactly $a_1$ times in the codeword.

Proof: Let c be a nonzero codeword in $C_V$, and let α ∈ GF(q) be an element that appears in c. Suppose that it appears exactly y > 0 times. Then $c - \alpha\mathbf{1} \in C$ and $w(c - \alpha\mathbf{1}) = n - y < n$, where $\mathbf{1}$ is the all-one codeword. Hence n − y = d, and so $y = n - d = a_1$. Since this is independent of α and c, c must contain exactly $n/(n-d) = r_1$ elements. In particular, n − d divides n. □

We next prove that if $r_1(C) = q$, then C is equivalent to some copies of the Reed-Muller code.

Lemma 8 Let C be a self-complementary two-weight [n, k, d; q] code. If $r_1(C) = q$, then C is equivalent to some copies of the Reed-Muller code.

Proof: The code $C_V$ is an equidistant code. Let t be the number of zero-positions in $C_V$. By Lemmas 5 and 6 $C_V$ is an $[s\frac{q^{k-1}-1}{q-1} + t, k-1, sq^{k-2}]$ code for some s. Hence Lemma 7 gives n/(n − d) = q, which implies that n(q − 1) = dq. Therefore, s = t(q − 1) and it follows that t copies of each vector in $GF(q)^{k-1}$ appear as columns in V. Hence C is equivalent to t copies of $R_q(1, k-1)$. □

Example 1: Consider the case k = 2. We note that if $\alpha_1, \alpha_2, \cdots, \alpha_r$ are distinct elements of GF(q), then the code generated by $\mathbf{1}$ and $(\alpha_1, \alpha_2, \ldots, \alpha_r)$ is a primitive, self-complementary, two-weight [r, 2, r − 1; q] code. By Lemma 7, up to equivalence, these are the only primitive self-complementary, two-weight codes of dimension 2.

Lemma 9 Let C be a self-complementary two-weight [n, k, d; q] code where k ≥ 3. Then q divides d. Let $a_2 = a_2(C) = a_1 - d/q$ and $r_2 = r_2(C) = a_1/a_2$. For a pair of nonzero linearly independent codewords c, c′ in $C_V$, consider the $a_1$ positions $\{i \mid c_i = 0\}$. There are exactly $r_2$ distinct elements from GF(q) in those positions and each of these elements occurs exactly $a_2$ times.

Proof: Let z be the number of positions i such that $c_i = c'_i = 0$. Obviously z > 0 since the first coordinate of any codeword in $C_V$ is zero.

Let α ∈ GF(q) and consider $c + \alpha c'$. Since $b_\alpha \stackrel{\text{def}}{=} |\{i : c_i + \alpha c'_i = 0\}| \ge z > 0$, by Lemma 7 we have $b_\alpha = a_1$. Let $S = \sum_{\alpha \in GF(q)} b_\alpha = qa_1$. We can determine S in another way as follows.

• If $c_i \ne 0$ and $c'_i = 0$, i does not contribute to any $b_\alpha$; there are $a_1 - z$ such i.

• If $c_i = 0$ and $c'_i = 0$, i contributes to all $b_\alpha$, and there are z such i.

• If $c'_i \ne 0$ then i contributes to exactly one $b_\alpha$; there are d such i.

Hence $zq + d = qa_1$; in particular, q divides d and $z = a_1 - d/q = a_2$. Let α ∈ GF(q) be such that $c_i = 0$ and $c'_i = \alpha$ for some i. Applying the above argument to the pair $c, c' - \alpha\mathbf{1}$ we get $|\{i : c_i = 0, c'_i = \alpha\}| = a_2$. Hence, there are exactly $a_1/a_2 = r_2$ distinct elements α ∈ GF(q) such that $c_i = 0$ and $c'_i = \alpha$ for some i. □

Corollary 2 Let C be a self-complementary two-weight [n, k, d; q] code where k ≥ 3. Then

$$q = r_2(q - r_1 + 1). \qquad (2)$$

Proof: We have

$$r_2(q - r_1 + 1) = \frac{a_1}{a_1 - \frac{d}{q}}\left(q - \frac{n}{n-d} + 1\right) = \frac{q}{qa_1 - d}\left(qa_1 - a_1\frac{d}{n-d}\right) = q. \qquad \square$$

Corollary 3 Let C be a self-complementary two-weight [n, k, d; q] code where k ≥ 3 and q is a prime. Then C is equivalent to some copies of the Reed-Muller code $R_q(1, k-1)$.

Proof: We have $r_1 > 1$. Hence the only solution of (??) when q is a prime is $r_1 = r_2 = q$. The result now follows from Lemma 8. □

The idea of Lemma 9 can be repeated to show the following result.

Theorem 2 Let C be a self-complementary two-weight [n, k, d; q] code where k ≥ 4. Then C is equivalent to some copies of the Reed-Muller code $R_q(1, k-1)$.

Proof: Let c, c′ and c′′ be three linearly independent vectors in $C_V$.

Let $u = |\{i : c_i = c'_i = c''_i = 0\}|$. For each α ∈ GF(q), let

$$b_\alpha = |\{i : c''_i = 0,\ c_i + \alpha c'_i = 0\}|.$$

By Lemma 9, $b_\alpha = a_2$, and so

$$\sum_{\alpha \in GF(q)} b_\alpha = qa_2.$$

Counting the terms in an alternative way, as we did in the proof of Lemma 9, we get

$$qa_2 = qu + a_1 - a_2, \quad \text{and so } q \text{ divides } a_1 - a_2, \text{ and } u = a_3 \stackrel{\text{def}}{=} a_2 - \frac{1}{q}(a_1 - a_2).$$

Similarly, $|\{i : c'_i = c''_i = 0, c_i = \alpha\}|$ is $a_3$ or 0 for all α ∈ GF(q). Hence $a_3 r_3 = a_2$ for some integer $r_3$, and this can be rewritten as $q = r_3(q - r_2 + 1)$. Let $q = p^a$ where p is some prime. Since $r_1 > 1$, (??) implies that $r_2 = p^b$ for some integer b > 1. Hence $\gcd(p^a, p^a - p^b + 1) = 1$. Therefore $r_3 = q$. In turn this implies that $r_2 = q$, and by (??), $r_1 = q$. The theorem now follows from Lemma 8. □

We have already completely characterized the self-complementary two-weight [n, k, d; q] codes, except when k = 3 and q is a prime power. We consider this situation next. Calderbank and Kantor [?] in their analysis of two-weight codes gave self-complementary two-weight $[(2^a+1)(2^b-1)+1, 3, 2^a(2^b-1); 2^a]$ codes for all a, b such that 1 ≤ b < a. For b = 1 these codes are MDS codes.

As an example, we consider the case k = 3 and q = 4. Let GF(4) = {0, 1, α, β}, where $\beta = \alpha^2 = \alpha + 1$. For b = 1 we get a [6, 3, 4; 4] code. We have $r_1 = 3$, $a_1 = 2$, $r_2 = 2$, $a_2 = 1$. The code generated by the matrix

$$G = \begin{pmatrix} 1 & 1 & 1 & 1 & 1 & 1 \\ 0 & 0 & 1 & 1 & \alpha & \alpha \\ 0 & 1 & 1 & \beta & \beta & 0 \end{pmatrix}$$

is such a [6, 3, 4] MDS code.
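An added check of the [6, 3, 4; 4] code above (this is our own code, not the paper's): it enumerates the code over GF(4), confirms that 4 and 6 are the only nonzero weights, verifies the Lemma 7 and Lemma 9 parameters and identity (2), and tests the 2-design condition of Lemma 4. The representation of GF(4) (0, 1, α, β as 0, 1, 2, 3) is our choice.

```python
"""Added check (not from the paper) of the [6,3,4;4] self-complementary two-weight
code of Section 4: weight distribution, Lemma 7 / Lemma 9 parameters, 2-design test."""
from itertools import combinations, product

# GF(4) = {0, 1, alpha, beta}, beta = alpha^2 = alpha + 1, represented as 0, 1, 2, 3.
# Addition is XOR of the representations; multiplication uses alpha^3 = 1.
ALPHA, BETA = 2, 3
_LOG = {1: 0, ALPHA: 1, BETA: 2}          # discrete logs to base alpha
_EXP = {0: 1, 1: ALPHA, 2: BETA}


def gf4_mul(x, y):
    return 0 if x == 0 or y == 0 else _EXP[(_LOG[x] + _LOG[y]) % 3]


# The paper's generator matrix (first row is the all-one word, so C is self-complementary).
G = [[1, 1, 1, 1, 1, 1],
     [0, 0, 1, 1, ALPHA, ALPHA],
     [0, 1, 1, BETA, BETA, 0]]


def codewords(gen):
    """All q^k codewords s*G over GF(4), as tuples."""
    k, n = len(gen), len(gen[0])
    words = []
    for s in product(range(4), repeat=k):
        c = [0] * n
        for si, row in zip(s, gen):
            for j in range(n):
                c[j] ^= gf4_mul(si, row[j])
        words.append(tuple(c))
    return words


def weight(c):
    return sum(1 for x in c if x)


def weight_distribution(gen):
    """{weight: number of codewords}; a two-weight code shows only 0, d and n."""
    dist = {}
    for c in codewords(gen):
        dist[weight(c)] = dist.get(weight(c), 0) + 1
    return dist


def two_weight_parameters(gen):
    """a1 = n - d, r1 = n/(n-d) (Lemma 7) and a2 = a1 - d/q, r2 = a1/a2 (Lemma 9),
    after checking that every nonzero word of C_V (coordinate 0 equal to 0) really
    contains exactly r1 distinct symbols, each a1 times.  Returns None on failure."""
    words = codewords(gen)
    n = len(gen[0])
    d = min(weight(c) for c in words if weight(c))
    a1, r1 = n - d, n // (n - d)
    for c in words:
        if c[0] == 0 and weight(c):
            counts = [c.count(x) for x in set(c)]
            if len(counts) != r1 or any(v != a1 for v in counts):
                return None
    a2 = a1 - d // 4          # q = 4; Lemma 9 says q divides d
    return a1, r1, a2, a1 // a2


def is_2_design(gen):
    """Lemma 4: the distinct supports of the minimum-weight codewords form a 2-design
    iff every pair of positions lies in the same number of them.
    Returns (True/False, that number or None)."""
    words = codewords(gen)
    n = len(gen[0])
    d = min(weight(c) for c in words if weight(c))
    supports = {frozenset(i for i, x in enumerate(c) if x) for c in words if weight(c) == d}
    counts = {sum(1 for s in supports if set(p) <= s) for p in combinations(range(n), 2)}
    return (len(counts) == 1, counts.pop() if len(counts) == 1 else None)


if __name__ == "__main__":
    print(weight_distribution(G))       # {0: 1, 4: 45, 6: 18}
    print(two_weight_parameters(G))     # (2, 3, 1, 2): a1, r1, a2, r2 as in the text
    print(is_2_design(G))               # (True, 6)
```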

Any self-complementary two-weight [n, k, d; q] code C with k ≥ 4 is an $[sq^m, 1+m, s(q-1)q^{m-1}; q]$ code consisting of s copies of the first-order Reed-Muller code. Thus, if s ≥ 2, the minimum distance of C⊥ is 2. By Lemma 4 the supports of all minimum weight codewords of C cannot form a 2-design. Thus, the only self-complementary two-weight codes which are interesting for our secret sharing are the [r, 2, r − 1; q] codes described in Example 1 and some $[p^m, 3, d; p^l]$ codes.

In the following two sections we describe the access structure of the secret-sharing schemes based on the dual code of the first-order Reed-Muller codes $R_q(1, m)$ and the Hamming codes $H_q(m)$.

5. With Reed-Muller codes

The access structure of the secret-sharing scheme based on $R_q(1, m)^\perp$ is described by the following theorem.

Theorem 3 The secret-sharing scheme based on $R_q(1, m)^\perp$ for sharing secrets among $q^m - 1$ parties has the following properties:

1. there are $q^m - 1$ minimum access sets consisting of $(q-1)q^{m-1} - 1$ participants;

2. each participant is a member of exactly $(q-1)q^{m-1} - 1$ minimum access sets.

Proof: By definition any two columns of a generator matrix of $R_q(1, m)$ are linearly independent. It follows from Lemma 4 that the supports of the minimum weight codewords of $R_q(1, m)$ form a 2-$(q^m, (q-1)q^{m-1}, \lambda)$ design. By Lemma 2 we obtain

$$\lambda = (q-1)q^{m-1} - 1.$$

By Lemma 3 the minimal access sets form a 1-$(q^m - 1, (q-1)q^{m-1} - 1, \lambda)$ design. Again by Lemma 2 we see that the number of minimum access sets is $q^m - 1$. Since the code $R_q(1, m)$ has minimum distance $(q-1)q^{m-1}$, each minimum access set consists of $(q-1)q^{m-1} - 1$ parties. □

Example 2: Consider the binary case. It is not hard to see that the minimal access sets of the secret-sharing scheme based on the code $R_2(1, 4)^\perp$ are

{1, 2, 3, 4, 5, 6, 7}, {1, 2, 3, 8, 9, 10, 11}, {1, 4, 5, 8, 9, 12, 13},
{2, 4, 6, 8, 10, 12, 14}, {1, 2, 3, 12, 13, 14, 15}, {1, 4, 5, 10, 11, 14, 15},
{2, 4, 6, 9, 11, 13, 15}, {1, 6, 7, 8, 9, 14, 15}, {2, 5, 7, 8, 10, 13, 15},
{3, 4, 7, 8, 11, 12, 15}, {3, 5, 6, 8, 11, 13, 14}, {3, 4, 7, 9, 10, 13, 14},
{2, 5, 7, 9, 11, 12, 14}, {1, 6, 7, 10, 11, 12, 13}, {3, 5, 6, 9, 10, 12, 15}.

In this example the minimal access sets form a 2-design, but this seems not to be true in general.

6. With Hamming codes

Since the only equidistant codes such that the supports of all minimum weight codewords form a 2-design are the simplex codes, we describe the access structure and properties of the secret-sharing scheme based on Hamming codes.

Theorem 4 The scheme based on the Hamming code $H_q(m)$ for sharing secrets among $q(q^{m-1} - 1)/(q-1)$ parties has the following properties:

1. there are $q^{m-1}$ minimum access sets consisting of $q^{m-1} - 1$ participants;

2. each participant is a member of exactly $(q-1)q^{m-2}$ minimum access sets.

Proof: Note that any two columns of a generator matrix of $S_q(m)$ are linearly independent. The proof is similar to that of Theorem ??. □

Example 3: The minimal access sets of the secret-sharing scheme based on the binary [7, 3, 4] Hamming code are

{1, 2, 4}, {3, 4, 5}, {2, 5, 6}, {1, 3, 6}

which form a 1-(6, 3, 2) design. This is the access structure discussed in the first section.

By now the reader should be able to design schemes to suit his application in a systematic way. We leave as an exercise the development of shared signature schemes similar to Desmedt-Frankel but which express access structures of the type described here.
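The construction of Section 2.1, Massey's lemma (Lemma 1), the perfectness remark of Section 2.2, and Examples 2 and 3 worked through in code. This is an added example, not code from the paper: it takes a generator matrix of C⊥ column by column over GF(2), reads the minimal access sets off the dual codewords, deals and recombines shares, and checks that a non-access set learns nothing. The column orderings HAMMING and RM14 are our own labelling of participants, chosen so that the paper's lists are reproduced.

```python
"""Added example (not code from the paper): the Karnin-Green-Hellman/Massey scheme of
Section 2.1 over GF(2).  Coordinate 0 carries the secret, coordinates 1..n are the
participants' shares, and the access structure is read off C^perp via Lemma 1."""
from itertools import combinations, product
import secrets

# A generator matrix of C^perp, stored column-wise: each column is a vector of GF(2)^k
# packed into an int (bit j = row j); the dual codeword for y in GF(2)^k is (y . col_i)_i.
# The orderings are our choice, picked so the access sets come out as the paper lists them.
HAMMING = dict(k=3, cols=[0b001, 0b010, 0b100, 0b101, 0b111, 0b011, 0b110])  # C^perp = [7,3,4] simplex (Example 3)
RM14 = dict(k=5, cols=[0b10000 | v for v in range(16)])  # C^perp = R_2(1,4) = [16,5,8], columns (1, v) (Example 2)


def dual_codewords(code):
    """All nonzero codewords of C^perp, as 0/1 tuples."""
    k, cols = code["k"], code["cols"]
    return [tuple(bin(y & c).count("1") & 1 for c in cols) for y in range(1, 1 << k)]


def minimal_access_sets(code):
    """Lemma 1: shares {t_i : i in S} determine t_0 iff C^perp has a codeword with
    coordinate 0 equal to 1 whose support lies in {0} U S.  The minimal access sets
    are the supports (minus 0) of the inclusion-minimal such codewords."""
    n = len(code["cols"])
    cands = {frozenset(i for i in range(1, n) if w[i]) for w in dual_codewords(code) if w[0]}
    return sorted((s for s in cands if not any(t < s for t in cands)), key=sorted)


def code_C(code):
    """The code C itself (small n only): every vector orthogonal to all of C^perp."""
    n = len(code["cols"])
    duals = dual_codewords(code)
    return [c for c in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(c, w)) % 2 == 0 for w in duals)]


def deal(code, secret):
    """Dealer: choose uniformly a codeword t of C with t_0 = secret (the same as
    choosing the information vector s with s.g_0 = secret) and give t_i to party i."""
    t = secrets.choice([c for c in code_C(code) if c[0] == secret])
    return {i: t[i] for i in range(1, len(t))}


def recover(code, shares):
    """Combine shares {party: bit}: find a dual codeword w with w_0 = 1 supported on
    the available parties; w.t = 0 then gives t_0 = sum_{i>0} w_i t_i over GF(2).
    Returns None if the shares are not an access set."""
    n = len(code["cols"])
    for w in dual_codewords(code):
        support = {i for i in range(1, n) if w[i]}
        if w[0] and support <= set(shares):
            return sum(shares[i] for i in support) % 2
    return None


def leaks_nothing(code, positions):
    """Perfectness (Section 2.2): the shares at `positions` are distributed identically
    for secret 0 and secret 1, so a non-access set learns nothing about t_0."""
    views = {0: [], 1: []}
    for c in code_C(code):
        views[c[0]].append(tuple(c[i] for i in positions))
    return sorted(views[0]) == sorted(views[1])


def certain_conspirators(code, alibis):
    """Section 1: parties present in every minimal access set that could still have
    been used once the parties with alibis are ruled out."""
    live = [s for s in minimal_access_sets(code) if s.isdisjoint(alibis)]
    return frozenset.intersection(*live) if live else frozenset()


def blocking_pairs(code):
    """Pairs of absent parties that leave no minimal access set usable (resilience)."""
    n, sets = len(code["cols"]), minimal_access_sets(code)
    return [p for p in combinations(range(1, n), 2) if all(s & set(p) for s in sets)]


if __name__ == "__main__":
    print(minimal_access_sets(HAMMING))            # the four sets of Example 3
    print(blocking_pairs(HAMMING))                 # (1, 5), (2, 3), (4, 6)
    print(certain_conspirators(HAMMING, {1}))      # teller 5
    shares = deal(HAMMING, 1)
    print(recover(HAMMING, {i: shares[i] for i in (3, 4, 5)}))   # 1
    print(len(minimal_access_sets(RM14)))          # 15 sets of 7 parties (Theorem 3)
```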


Acknowledgments

This research was carried out when the authors were visiting the Isaac Newton Institute for Mathematical Sciences, Cambridge, UK.

References

1. R.J. Anderson, Why Cryptosystems Fail, Communications of the ACM, Vol 37, No. 11 (1994) pp. 32–40.
2. E.F. Assmus, Jr. and J.D. Key, Designs and Their Codes, Cambridge University Press, Cambridge (1992).
3. G.R. Blakley, Safeguarding cryptographic keys, Proceedings of NCC AFIPS (1979) pp. 313–317.
4. A. Bonisoli, Every equidistant linear code is a sequence of dual Hamming codes, Ars Combinatoria, Vol. 18 (1983) pp. 181–186.
5. R. Calderbank, W.M. Kantor, The geometry of two-weight codes, Bulletin of the London Mathematical Society, Vol. 18 (1986) pp. 97–122.
6. Y. Desmedt, Y. Frankel, Threshold cryptosystems, Advances in Cryptology: Proceedings of Crypto 89, Lecture Notes in Computer Science, Springer-Verlag, New York, 435 (1990) pp. 307–315.
7. E.D. Karnin, J.W. Green, M. Hellman, On secret sharing systems, IEEE Transactions on Information Theory, Vol. IT-29 (1983) pp. 644–654.
8. F.J. MacWilliams, N.J.A. Sloane, The Theory of Error-Correcting Codes, North-Holland, Amsterdam (1978).
9. J.L. Massey, Minimal codewords and secret sharing, Proceedings of the 6th Joint Swedish-Russian Workshop on Information Theory, Mölle, Sweden, August 22-27, 1993 pp. 276–279.
10. J.L. Massey, Some applications of coding theory in cryptography, Codes and Ciphers: Cryptography and Coding IV (Ed. P.G. Farrell), IMA, England (1995) pp. 33–47.
11. R.J. McEliece, D.V. Sarwate, On sharing secrets and Reed-Solomon codes, Communications of the ACM, Vol. 24 (1981) pp. 583–584.
12. M.K. Reiter, M.K. Franklin, J.B. Lacy, R.A. Wright, The Omega Key Management Service, Proceedings of 3rd ACM Conference on Computer and Communications Security, ACM Press (1997) pp. 38–47.
13. A. Shamir, How to share a secret, Communications of the ACM, Vol. 22 (1979) pp. 612–613.
14. VISA Security Module Operations Manual, VISA, 1986.