Multipartite Secret Sharing by Bivariate Interpolationestudy.openu.ac.il/opus/static/binaries/upload/bank8/multipartite_0.pdfCompartmented access structures with lower bounds, (4),

Multipartite Secret Sharing by Bivariate Interpolation∗

Tamir Tassa† Nira Dyn‡

July 3, 2006

Abstract

Given a set of participants that is partitioned into distinct compartments, a mul-tipartite access structure is an access structure that does not distinguish between par-ticipants that belong to the same compartment. We examine here three types of suchaccess structures: two that were studied before – compartmented access structures andhierarchical threshold access structures, and a new type of compartmented access struc-tures that we present herein. We design ideal perfect secret sharing schemes for thesetypes of access structures that are based on bivariate interpolation. The secret sharingschemes for the two types of compartmented access structures are based on bivariateLagrange interpolation with data on parallel lines. The secret sharing scheme for thehierarchical threshold access structures are based on bivariate Lagrange interpolationwith data on lines in general position. The main novelty of this paper is the introduc-tion of bivariate Lagrange interpolation and its potential power in designing schemes formultipartite settings, as different compartments may be associated with different linesin the plane. In particular, we show that the introduction of a second dimension maycreate the same hierarchical effect as polynomial derivatives and Birkhoff interpolationwere shown to do in [13].

Keywords. Secret sharing, multipartite access structures, compartmented access struc-tures, hierarchical threshold access structures, bivariate interpolation, monotone span pro-grams.

AMS (2000) Subject Classification: Primary: 94A60 Secondary: 65D05

Abbreviated title: Secret Sharing by Bivariate Interpolation

∗A preliminary version of this paper appears in The Proceedings of ICALP 2006†Division of Computer Science, The Open University, Ra’anana, Israel.‡Department of Applied Mathematics, Tel Aviv University, Tel Aviv, Israel.

1

1 Introduction

Let U be a set of participants and assume that it is partitioned into m disjoint subsets, towhich we refer hereinafter as compartments. An m-partite access structure on U is any accessstructure that does not distinguish between members of the same compartment. Weightedthreshold access structures [11, 1], multilevel access structures [12, 3], hierarchical thresholdaccess structures [13], compartmented access structures [3, 8], bipartite access structure [10],and tripartite access structures [1, 5, 8] are typical examples of such multipartite accessstructures. 1

Definition 1.1 Let U be a set of participants and assume that it is partitioned into mdisjoint compartments,

U =m⋃

i=1

Ci . (1)

Let Γ ∈ 2U be a monotone access structure (namely, if A ∈ Γ then also B ∈ Γ for allB ⊃ A) and assume that for all permutations π : U → U such that π(Ci) = Ci, 1 ≤ i ≤ m,A ∈ Γ if and only if π(A) ∈ Γ. Then Γ is called m-partite or multipartite with respect topartition (1). A corresponding m-partite secret sharing scheme is a scheme that realizesthis access structure; namely, a method of assigning each participant u ∈ U a share σ(u) ofa given secret S such that authorized subsets V ∈ Γ may recover the secret from the sharespossessed by their participants, σ(V) = {σ(u) : u ∈ V}, while the shares of unauthorizedsubsets V /∈ Γ do not reveal any information about the value of the secret. Viewing the secretS as a random variable that takes values in a finite domain S, these two requirements maybe stated as follows:

H(S|σ(V)) = 0 ∀V ∈ Γ (accessibility) (2)

andH(S|σ(V)) = H(S) ∀V /∈ Γ (perfect security) . (3)

Letting Σu denote the set of possible shares for participant u ∈ U , the information rate ofthe scheme is

ρ = minu∈U

log2 |S|log2 |Σu| .

If ρ = 1, the scheme is called ideal.In this paper we show how to utilize bivariate interpolation in order to realize some

multipartite access structures. What makes bivariate interpolation suitable for multipartitesettings is the ability to associate each compartment with a different line in the plane.Namely, participants from a given compartment are associated with points that lie on thesame line, where each compartment is associated with a different line.

1Of-course, every access structure may be viewed as a multipartite access structure with singleton com-partments; however, that term is reserved to non-degenerate cases where the number of compartments issmaller than the number of participants.

2

In Section 2 we deal with compartmented access structures. We distinguish betweentwo types of such structures: one that agrees with the type that was presented and studiedby Brickell in [3], and another that we present here for the first time. We design forthose access structures ideal secret sharing schemes that are based on bivariate Lagrangeinterpolation with data on parallel lines. In Section 3 we deal with hierarchical thresholdaccess structures and we realize them by bivariate Lagrange interpolation with data on linesin general position. In [13], those access structures were realized by introducing polynomialderivatives and Birkhoff interpolation in order to create the desired hierarchy between thedifferent compartments (that are called levels in that context). Here, we show that we mayachieve the same hierarchical effect by introducing a second dimension, in lieu of polynomialderivatives. All necessary background from bivariate interpolation theory is provided herein.Section 4 holds the proofs of all our claims. Finally, in Section 5, we contemplate on thepossible advantages of using more involved interpolation settings.

Hereinafter, F is a finite field of size q = |F|. The field size is large enough so that thedomain of all possible secrets may be embedded in F. The secret S ∈ F will be encoded bythe coefficients of an unknown polynomial P (x, y) ∈ F[x, y]. We also adopt the followingnotation convention: vectors are denoted by bold-face letters while their components aredenoted with the corresponding italic-type indexed letter. In addition, N stands for thenonnegative integers.

Throughout this study we use the following basic lemma that provides an upper boundfor the number of zeros of a multivariate polynomial over a finite field.Lemma 1.1 Let G(z1, . . . , zk) be a nonzero polynomial of k variables over a finite field Fof size q. Assume that the highest degree of each of the variables zj in G is no larger thand. Then the number of zeros of G in Fk is bounded from above by kdqk−1.

2 Compartmented Access Structures

The original compartmented access structure that was presented in [3] is defined as follows.Let ti ∈ N, 1 ≤ i ≤ m, and t ∈ N be thresholds such that t ≥ ∑m

i=1 ti. Then

Γ = {V ⊆ U : ∃W ⊆ V such that |W ∩ Ci| ≥ ti, 1 ≤ i ≤ m, and |W| = t} . (4)

Such access structures are suitable for situations in which the size of an authorized subsetmust be at least some threshold t, but, in addition to that, we wish to guarantee that everycompartment is represented by at least some number of participants in the authorizedsubset. In other situations, however, an opposite demand may occur: while the size of anauthorized subset must be at least t, we would like to limit the number of participants thatrepresent each of the compartments; namely,

∆ = {V ⊆ U : ∃W ⊆ V such that |W ∩ Ci| ≤ si, 1 ≤ i ≤ m, and |W| = s} , (5)

where si, s ∈ N and s ≤ ∑mi=1 si. We refer to Γ as a compartmented access structure with

lower bounds, while ∆ is referred to hereinafter as a compartmented access structure withupper bounds.

3

When m = 1 both types of compartmented access structures coincide with the standardthreshold access structures of Shamir [11]. When m = 2 the two types of access structuresagree: a compartmented access structure with lower bounds t1, t2 and t is a compartmentedaccess structure with upper bounds s1 = t− t2, s2 = t− t1 and s = t; conversely, an accessstructure of type (5) with bounds s1, s2 and s may be viewed as an access structure of type(4) with bounds t1 = s− s2, t2 = s− s1 and t = s. However, when m ≥ 3, these two typesof compartmented access structures differ. As an example, consider an access structure oftype (4) where m = 3, t1 = 1, t2 = 1, t3 = 2, and t = 5. Then the minimal subsets V are oftypes (1, 1, 3) (namely, |V ∩C1| = 1, |V ∩C2| = 1, and |V ∩C3| = 3), (1, 2, 2), or (2, 1, 2). Thiscollection of minimal subsets does not fall within the framework (5) for any choice of si ands. Indeed, if that collection of subsets was to fall under framework (5) then we should haves1 = s2 = 2, s3 = 3, and s = 5; but then that collection should have included also subsets oftype (0,2,3), which it doesn’t. Hence, there is no way of fitting that compartmented accessstructure with lower bounds within the framework with upper bounds.

Compartmented access structures with lower bounds, (4), are already known to be ideal.We design here ideal linear schemes for these access structures, as well as for the correspond-ing access structures with upper bounds, (5), that are based on bivariate interpolation.

2.1 Ideal Secret Sharing for Compartmented Access Structures with Up-per Bounds

In this section we describe a linear secret sharing scheme for compartmented access struc-tures with upper bounds, (5). Let xi, 1 ≤ i ≤ m, be m distinct points in F and let Pi(y) bea polynomial of degree si − 1 over F. Define

P (x, y) =m∑

i=1

Pi(y)Li(x) =m∑

i=1

si−1∑

j=0

ai,j · yjLi(x) , (6)

where Li(x) is the Lagrange polynomial of degree m− 1 over {xi : 1 ≤ i ≤ m}, namely,

Li(x) =∏

1≤j≤m

j 6=i

x− xj

xi − xj. (7)

These polynomials are orthogonal in the sense that Li(xj) = δi,j for all 1 ≤ i, j ≤ m. Thenthe secret sharing scheme is as follows:

Secret Sharing Scheme 1:

1. The secret is S =∑m

i=1

∑si−1j=0 ai,j .

2. Each participant ui,j from compartment Ci will be identified by a unique public point(xi, yi,j), where yi,j 6= 1, and his private share will be the value of P at that point.

3. In addition, we publish the value of P at k :=∑m

i=1 si − s points (x′i, zi), wherex′i /∈ {x1, . . . , xm}, 1 ≤ i ≤ k.

4

F

F

x = x1 x = x2 x = x3

(x1’,z1)

(x2’,z2)

(x3’,z3)

Figure 1: Secret Sharing Scheme 1

Figure 1 illustrates that scheme for the case of m = 3 compartments and k = s1 + s2 +s3− s = 3. The k = 3 public point values are denoted by full bullets. The point values thatcorrespond to the participants are marked by empty circles along the three random parallellines, x = xi, 1 ≤ i ≤ 3.

Clearly, this is an ideal scheme since the private shares of all users are taken fromthe domain of secrets F. The number of unknowns in the polynomial P is

∑mi=1 si (the

coefficients of each of the univariate polynomials Pi(y), 1 ≤ i ≤ m). Since we are given forfree k :=

∑mi=1 si−s point values, we need additional s points for full recovery. Moreover, we

cannot use more than si points from the line x = xi, 1 ≤ i ≤ m, because any si points fromalong that line already fully recover Pi(y), but they do not contribute anything towards therecovery of Pj(y) for j 6= i. In view of the above, this scheme agrees with the constraints in(5). We proceed to show that, with high probability, the resulting scheme is perfect.Theorem 2.1 With probability 1−O(q−1), the ideal Secret Sharing Scheme 1 is a perfectscheme that realizes the compartmented access structure with upper bounds (5).

We would like to stress that the probability here is with respect to the choices of thepoints in the plane. Once such a choice was made, the dealer may check that all authorizedsubsets may recover the secret while all non-authorized subsets may not learn a thing aboutthe secret. If all subsets pass that test then the resulting scheme is perfectly secure. In therare event (of probability O(q−1)) that one of the subsets did not pass the test, the dealerhas only to try another selection.

2.2 Ideal Secret Sharing for Compartmented Access Structures with LowerBounds

In this section we describe a linear secret sharing scheme for compartmented access struc-tures with lower bounds, (4). To that end, we construct a scheme for the dual access

5

structure Γ∗. Let us begin with a brief overview of what are dual access structures andrecall the main result concerning duality that we need for the design of our scheme.

Karchmer and Wigderson [9] introduced monotone span programs as a linear algebraicmodel of computation for computing monotone functions. A monotone span program (MSPhereinafter) is a quintupleM = (F,M,U , φ, e) where F is a field, M is a matrix of dimensionsa × b over F, U = {u1, . . . , un} is a finite set, φ is a surjective function from {1, . . . , a} toU , and e is some target row vector from Fb. The MSP M realizes the monotone accessstructure Γ ⊂ 2U when V ∈ Γ if and only if e is spanned by the rows of the matrix Mwhose labels belong to V. The size of M is a, the number of rows in M . Namely, in theterminology of secret sharing, the size of the MSP is the total number of shares that weredistributed to all participants in U . An MSP is ideal if a = n.

If Γ is a monotone access structure over U , its dual is defined by Γ∗ = {V : Vc /∈ Γ}.It is easy to see that Γ∗ is also monotone. In [7] it was shown that if M = (F,M,U , φ, e)is an MSP that realizes a monotone access structure Γ, then there exists an MSP M∗ =(F,M∗,U , φ, e∗) of the same size like M that realizes the dual access structure Γ∗. Hence,an access structure is ideal if and only if its dual is. An efficient construction of the MSPfor the dual access structure was proposed in [6].

2.2.1 Realizing the dual access structure

The dual access structure of (4) is given by Γ∗ = {V : Vc /∈ Γ}. Hence, V ∈ Γ∗ if and onlyif |Vc| < t or |Vc ∩ Ci| < ti for some 1 ≤ i ≤ m. Introducing the notations n = |U| andni = |Ci|, 1 ≤ i ≤ m, we infer that V ∈ Γ∗ if and only if |V| ≥ n−t+1 or |V ∩Ci| ≥ ni−ti+1for some 1 ≤ i ≤ m. Namely,

Γ∗ = {V ⊆ U : |V| ≥ r or |V ∩ Ci| ≥ ri for some 1 ≤ i ≤ m} , (8)

wherer = n− t + 1 and ri = ni − ti + 1 , 1 ≤ i ≤ m . (9)

Since t ≥ ∑mi=1 ti and n =

∑mi=1 ni, we see that

m∑

i=1

ri =m∑

i=1

ni −m∑

i=1

ti + m ≥ n− t + m = r + m− 1 .

Therefore, the thresholds in the dual access structure (8) satisfym∑

i=1

ri ≥ r + m− 1 . (10)

We proceed to describe a linear ideal secret sharing scheme for realizing such access struc-tures and then prove that, with high probability, it is perfect.

Let xi, 1 ≤ i ≤ m, be m distinct points in F and let Pi(y) be a polynomial of degreeri − 1 over F, such that

P1(0) = · · · = Pm(0) . (11)

6

Define

P (x, y) =m∑

i=1

Pi(y)Li(x) =m∑

i=1

ri−1∑

j=0

ai,j · yjLi(x) , (12)

where Li(x), 1 ≤ i ≤ m, are, as before, the Lagrange polynomials of degree m − 1 over{xi : 1 ≤ i ≤ m}, (7). Note that condition (11) implies that a1,0 = · · · = am,0 and,consequently, that the number of unknown coefficients in the representation of P (x, y) withrespect to the basis Li(x)yj , 1 ≤ i ≤ m, 0 ≤ j ≤ ri− 1, is g =

∑mi=1 ri− (m− 1). Note that

by (10), g ≥ r.Our secret sharing scheme for the realization of the dual access structure Γ∗, (8), is as

follows:


1. The secret is S = a1,0 = · · · = am,0.

2. Each participant ui,j from compartment Ci will be identified by a unique public point(xi, yi,j), where yi,j 6= 0, and his private share will be the value of P at that point.

3. In addition, we publish the value of P at k = g − r points (x′i, zi), where x′i /∈{x1, . . . , xm}, 1 ≤ i ≤ k.

Theorem 2.2 With probability 1−O(q−1), the ideal Secret Sharing Scheme 2 is a perfectscheme that realizes the access structure (8).

2.2.2 A scheme for compartmented access structures with lower bounds

Using the results of Section 2.2.1 we may now easily construct an ideal secret sharing schemefor compartmented access structures with lower bounds, (4). Given such an access structure,Γ, we construct the ideal linear secret sharing scheme for its dual, (8)-(9). Then we translatethat ideal scheme (equivalently, MSP) into an ideal scheme (MSP) for Γ = (Γ∗)∗, using theexplicit construction that is described in [6]. We omit further details.

3 Hierarchical Threshold Access Structures

3.1 Lagrange Interpolation with Data on Lines in General Positions

Let{Li}1≤i≤n , Li = {(x, y) ∈ F2 : Li(x, y) := aix + biy + ci = 0} ,

be a collection of n lines in F2 in general position. Namely, for every pair 1 ≤ i < j ≤ n,Li and Lj intersect in a point Ai,j = (xi,j , yi,j) and Ai,j 6= Ak,` whenever {i, j} 6= {k, `}(Figure 2 illustrates the case n = 4). Let f(x, y) be a function on F2. Then there exists aunique polynomial of degree n− 2,

P (x, y) =∑

0≤i+j≤n−2

ai,jxiyj ∈ F[x, y] , (13)

7

that satisfiesP (xi,j , yi,j) = f(xi,j , yi,j) 1 ≤ i < j ≤ n . (14)

That polynomial is given by

P (x, y) =∑

1≤i<j≤n

f(xi,j , yi,j)Li,j(x, y) (15)

whereLi,j(x, y) =

∏

1≤k≤n

k 6=i,j

Lk(x, y)Lk(xi,j , yi,j)

. (16)

The bivariate Lagrange polynomials Li,j(x, y) are of degree n−2, and they form an orthog-onal set in the sense that Li,j(xi,j , yi,j) = 1 while Li,j(xk,`, yk,`) = 0 for all {k, `} 6= {i, j}(because the point (xk,`, yk,`) lies on a line other than Li or Lj , whence the numerator in(16) becomes zero). Note that the number of independent terms (monoms) in (13) agreeswith the number of constraints in (14), i.e.,

(n2

).

This type of bivariate interpolation was studied first in [4]. We shall be using thisbivariate interpolation in a slightly different manner hereinafter. As described above, inorder to recover a polynomial P (x, y) of degree k, we need its values at the intersectionpoints of k + 2 lines in general position. Assume, however, that we have only k + 1 linesin general position, but we were able to fully recover the restriction of P (x, y) to each ofthese lines (the restriction of a bivariate polynomial of degree k to a line is the univariatepolynomial of degree k that is obtained by replacing x and y in P (x, y) with their linearparameterization along that line). Then that information is also sufficient for the fullrecovery of P (x, y) since we may add a (k +2)th line that intersects all of the original k +1lines and then, as we know the value of P along each of those k+1 lines, we know its value inall of the

(k+22

)intersection points of the k +2 lines; this enables the full recovery of P (x, y)

through (15)-(16). For example, in order to recover a quadratic polynomial P (x, y) (k = 2),we need its values in the 6 intersection points of k + 2 = 4 lines in general position (L1,L2, L3 and L4 in Figure 2); alternatively, we may compute its restriction to only k + 1 = 3of those lines, say L1, L2, and L3, and that is sufficient for finding the value of P in all 6intersection points of L1, L2, L3 and L4. Hence, while in this section our setting includedn lines and a polynomial P (x, y) of degree n− 2, in the following sections our settings willinclude n lines and a polynomial P (x, y) of degree n− 1.

3.2 Constructibility and Non-constructibility Results

Let:

• F be a finite field;

• {Li}1≤i≤n, Li = {(x, y) ∈ F2 : Li(x, y) := aix+ biy + ci = 0}, be a collection of n linesin F2 in general position;

8

L4 L3

L1

L2

A2, 4

A2, 3

A3, 4

A1, 4 A1, 2 A1, 3

Figure 2: Four lines in general position and the corresponding interpolation points

• P (x, y) =∑

0≤i+j≤n−1 ai,jxiyj be a polynomial of degree (at most) n − 1 in F[x, y];

and

• V ⊂ ⋃ni=1 Li be a set of points on the given lines, none of which is an intersection

point of two of those lines.

The question that we address here is the amount of information that D := P |V reveals onS := P (0, 0). Since the underlying model is that of a monotone span program, it is clearthat either the given data, D, uniquely determines the unknown, S, or the former does notreveal any information about the latter.

In order to answer that question, we define the type of a set V (Definition 3.1) and anorder on such types (Definition 3.2).

Definition 3.1 Let {Li}1≤i≤n be n lines in general position in F2. A subset

V ⊂(

n⋃

i=1

Li

)\

⋃

1≤i<j≤n

Li ∩ Lj

(17)

is said to be of type v ∈ Nn, where v is a monotone vector in the sense that 0 ≤ v1 ≤ v2 ≤· · · ≤ vn, if there exists a permutation π ∈ Sn such that |V ∩ Lπ(i)| = vi for all 1 ≤ i ≤ n.

For example, the two subsets depicted in Figure 3 are of type v = (2, 2, 3).

Definition 3.2 A vector u ∈ Nn dominates the vector v ∈ Nn, denoted u º v, if for all1 ≤ i ≤ n,

∑ij=1 uj ≥

∑ij=1 vj.

For example, (1, 3, 3, 3) º (1, 2, 3, 4) while (1, 1, 4, 5) � (1, 2, 3, 4).

9

L3

L1

L2 L2L3

L1

Figure 3: Two point sets of the same type

Definition 3.3 Let {Li}1≤i≤n be n lines in general position in F2, and let V be a set ofpoints on those lines, (17). The vector set that corresponds to V is the set of vectors

RV = {r(x,y),n : (x, y) ∈ V} (18)

where

r(x,y),n := (1, x, y, x2, xy, y2, . . . , xn−1, xn−2y, . . . , xyn−2, yn−1) ∈ Fn(n+1)/2 (19)

Theorem 3.1 Let {Li}1≤i≤n be n lines in general position in F2, none of which goesthrough the origin (0, 0). Let V be a randomly selected set of points on those lines, (17),and let v be the type of that set. Then the following claim holds in probability 1−O(q−1):

1. If v º (1, 2, . . . , n) then e1 ∈ Span{RV}.2. If v � (1, 2, . . . , n) then e1 /∈ Span{RV}.This theorem actually characterizes the sets of data points that allow the construction

of a polynomial P (x, y) ∈ Fn−1[x, y]. Given the values of the polynomial in the points ofV, P |V , it is possible (with almost certainty) to reconstruct the entire polynomial (and notjust the free coefficient P (0, 0) that corresponds to the vector e1) if the type of the dataset, v, dominates the vector (1, 2, . . . , n). If, on the other hand, v � (1, 2, . . . , n), then thereis not enough data to reconstruct the polynomial, and this implies (with almost certainty)that we cannot learn any information about P (0, 0).

3.3 Hierarchical Threshold Access Structures

Let U be a set of participants that is partitioned into m disjoint levels, (1), and let k1 <k2 < · · · < km be a sequence of thresholds. The corresponding hierarchical threshold accessstructure is defined by

Γ ={V ⊂ U :

∣∣V ∩ (∪ij=1Cj

)∣∣ ≥ ki for all 1 ≤ i ≤ m}

. (20)

10

Those access structures were presented and studied in [13]. They are realized there by anideal secret sharing scheme that is based on Birkhoff interpolation, namely, interpolationin which the given values of the unknown polynomial, P (x), include also derivative values.Specifically, participants from level Ci, 1 ≤ i ≤ m, receive the value of the (ki−1)th derivativeof P at the point x that identifies them (where hereinafter k0 := 0). As participants fromhigher levels (namely, Ci for lower values of i) have shares that equal derivatives of P oflower orders, those shares carry more information on the coefficients of P than shares ofparticipants from lower levels.

Here we show how to realize such hierarchical access structures using bivariate Lagrangeinterpolation on lines in general position. The scheme that we present here does not usederivatives, as the Birkhoff interpolation-based scheme of [13] did, but instead it adds onemore dimension in order to achieve the same hierarchical effect.

Let {Lj}1≤j≤n be n := km lines in general position in F2, none of which goes throughthe origin (0, 0). Let

P (x, y) =∑

0≤i+j≤n−1

ai,jxiyj

be a random polynomial in Fn−1[x, y].


1. The secret is S = P (0, 0).

2. Each participant from level Ci will be identified by a unique public point on Lki\(⋃

1≤j≤n

j 6=ki

Lj

)and his private share will be the value of P at that point.

3. In addition, we publish the value of P at:

• ki−1 additional points on Lki , 2 ≤ i ≤ m; and

• j points on Lj for all j ∈ {1, 2, . . . , n} \ {ki : 1 ≤ i ≤ m}.

Example. Assume that there are m = 3 levels with thresholds k1 = 2, k2 = 4 and k3 = 5(namely, V ∈ Γ if and only if it has at least 2 participants from the highest level C1, at least4 participants from the two highest levels C1 ∪ C2, and at least 5 participants altogether).Then we select 5 random lines in general position: Li, 1 ≤ i ≤ 5. The allocation of privateshares will be as follows:

1. Participants from C1 will be given polynomial shares on L2 (since k1 = 2).



The corresponding points are marked in Figure 4 by empty circles. The public values willbe:

11

L4

L3

L1

L2

L5

Figure 4: Secret Sharing Scheme 3

1. 2 point values on L4, and 4 point values on L5 (those points are marked by full bulletsin Figure 4).

2. 1 point value on L1 and 3 point values on L3 (those points are marked by full squaresin Figure 4).

Theorem 3.2 With probability 1−O(q−1), the ideal Secret Sharing Scheme 3 is a perfectscheme that realizes the hierarchical threshold access structure (20).

4 Proofs

4.1 Proof of Lemma 1.1

The claim is obviously true for k = 1. Proceeding by induction, we assume that it holdsfor k − 1 variables and prove the claim for k variables. The polynomial G may be writtenas follows:

G(z1, . . . , zk) =d∑

j=0

Gj(z1, . . . , zk−1)zjk .

For every selection of (z1, . . . , zk−1) ∈ Fk−1 there are two possibilities: Either Gj(z1, . . . , zk−1) 6=0 for at least one 0 ≤ j ≤ d, or Gj(z1, . . . , zk−1) = 0 for all 0 ≤ j ≤ d. In the first case, thereare at most d values of zk for which G(z1, . . . , zk−1, zk) = 0; in the second case, on the other

12

hand, G(z1, . . . , zk−1, zk) = 0 for all zk ∈ F. By the induction assumption, the number ofpoints (z1, . . . , zk−1) ∈ Fk−1 of the second kind, denoted herein `, satisfies ` ≤ (k−1)dqk−2.Hence, the number of points (z1, . . . , zk) ∈ Fk in which G(z1, . . . , zk) = 0 is bounded by

(qk−1 − `) · d + ` · q = dqk−1 + ` · (q − d) < dqk−1 + (k − 1)dqk−1 = kdqk−1 .

¤

4.2 Proof of Theorem 2.1

Theorem 2.1 is proved by the following two lemmas.

Lemma 4.1 If A ∈ ∆ it may recover the secret S with probability 1−O(q−1).

Proof. Let A be a minimal set in ∆. Let us assume that |A ∩ Ci| = ki ≤ si, 1 ≤ i ≤ m.Then the system of equations in the unknown coefficients of P (x, y), (6), namely {ai,j : 1 ≤i ≤ m, 0 ≤ j ≤ si − 1} that A may construct has a matrix of coefficients of the followingform:

M =

M1 0 0 · · · 00 M2 0 · · · 00 0 M3 · · · 0...

......

......

0 0 0 · · · Mm

H1 H2 H3 · · · Hm

(21)

Here, Mi is a block of size ki× si that represents the equations that are contributed by theki participants from compartment Ci. If A ∩ Ci = {ui,1, . . . , ui,ki} and ui,j is characterizedby the point (xi, yi,j) then

Mi =

1 yi,1 y2i,1 · · · ysi−1

i,1

1 yi,2 y2i,2 · · · ysi−1

i,2...

......

......

1 yi,kiy2

i,ki· · · ysi−1

i,ki

(22)

Clearly, the first s =∑m

i=1 ki rows in M are independent. As for the last k =∑m

i=1 si − srows in the matrix, denoted in (21) by the row of H-blocks, they represent the additionalk equations that result from the k public values of P that were published by the dealer.These k values are of the form P (x′j , zj), 1 ≤ j ≤ k. Then the jth row within the last rowof blocks in M has the following form:(

L1(x′j) L1(x′j)zj · · · L1(x′j)zs1−1j · · · · · · Lm(x′j) Lm(x′j)zj · · · Lm(x′j)z

sm−1j

)

We may view the determinant of M as a k-variate polynomial G(z1, . . . , zk) whose coeffi-cients depend on Li(x′j), 1 ≤ i ≤ m, 1 ≤ j ≤ k, and on all s × s minors of M that are

13

contained within its first s rows. All those values are nonzero. Nevertheless, it is possiblethat the polynomial G(z1, . . . , zk) is identically zero, since the coefficient of each monom∏k

j=1 zrj

j is a linear combination of nonzero s× s minors of M .Let us assume first that G(z1, . . . , zk) is not identically zero. Assuming, without loss

of generality, that s1 ≤ · · · ≤ sm, we conclude, in view of Lemma 1.1, that the number ofzeros of G in Fk is bounded by k(sm − 1)qk−1. Since zj , 1 ≤ j ≤ k, were randomly selectedfrom F, we infer that the probability of (z1, . . . , zk) being one of the zeros of G is boundedfrom above by k(sm − 1)q−1 = O(q−1).

Regarding the case where G(z1, . . . , zk) ≡ 0, we claim that the probability for such anevent is O(q−1). Let us exemplify how such an event may occur. Assume, for example, thatm = 2, s1 = s2 = 3 and s = 5, whence, k = 1. Then, if A is a minimal authorized set with|A ∩ C1| = 3 and |A ∩ C2| = 2, the corresponding matrix has the following form:

M =

1 y1 y21 0 0 0

1 y2 y22 0 0 0

1 y3 y23 0 0 0

0 0 0 1 y4 y24

0 0 0 1 y5 y25

L1(x′1) L1(x′1)z1 L1(x′1)z21 L2(x′1) L2(x′1)z1 L2(x′1)z

21

.

Then G(z1) = a0 + a1z1 + a2z21 where the coefficients a0, a1, a2 depend on L1(x′1), L2(x′1),

and yi, 1 ≤ i ≤ 5. For example,

a2 = L2(x′1) ·

∣∣∣∣∣∣∣∣∣∣

1 y1 y21 0 0

1 y2 y22 0 0

1 y3 y23 0 0

0 0 0 1 y4

0 0 0 1 y5

∣∣∣∣∣∣∣∣∣∣

− L1(x′1) ·

∣∣∣∣∣∣∣∣∣∣

1 y1 0 0 01 y2 0 0 01 y3 0 0 00 0 1 y4 y2

4

0 0 1 y5 y25

∣∣∣∣∣∣∣∣∣∣

.

Then G ≡ 0 if and only if a0 = a1 = a2 = 0. In general, G is identically zero if and only ifall of its coefficients are zero, where each of the coefficients is a polynomial in ` :=

∑mi=1 si

variables (the s values of yi,j and x′1, . . . , x′k) whose degree with respect to each of its

variables is bounded by d = max{sm − 1,m− 1}. Hence, the number of selections of those` variables that would make a single coefficient of G zero is bounded by ` · d · q`−1. Thenumber of choices of the yi,j ’s and x′j ’s, on the other hand, is O(q`). Hence, we get that theprobability of each of the coefficients to be zero is O(q−1). This implies that the probabilitythat G ≡ 0 is also O(q−1). ¤

Lemma 4.2 If A /∈ ∆ then with probability 1 − O(q−1) it may not learn any informationabout the secret S.

Proof. Assume that A /∈ ∆. Without loss of generality we may assume that |A ∩ Ci| =ki ≤ si, 1 ≤ i ≤ m, since if |A∩ Ci| > si for some 1 ≤ i ≤ m, we may discard the redundant

14

participants from that compartment without reducing the row space of the correspondingmatrix. Furthermore, we may assume that |A| = s − 1, since if |A| < s − 1 we may finda superset A′ ⊃ A such that |A′ ∩ Ci| ≤ si, 1 ≤ i ≤ m, and |A′| = s − 1 and prove thatA′ cannot learn a thing about the secret with probability 1 − O(q−1); since A′ has moreinformation than A does, that will settle our claim.

The matrix that corresponds to the information that A has regarding the coefficients ofthe polynomial is given by (21). As in the proof of Lemma 4.1, Mi is a Vandermonde block(22) of size ki× si that represents the equations that are contributed by the ki participantsfrom compartment Ci. The last k =

∑mi=1 si − s rows correspond to the public values of

the polynomial. However, here M has only∑m

i=1 si − 1 rows. We need to show that thevector (1, . . . , 1) is, most probably, not spanned by the rows of M . In order to show that weaugment M by adding to it that vector as a first row, and then show that the augmentedM has, most probably, full rank.

First, we note that also in this case the first s rows in the augmented M are independent,because of the Vandermonde block diagonal form, the fact that each block has a full rank,and the fact that none of the y values equals 1, so that the first row (1, . . . , 1) is independentof the others. The remainder of the proof that the augmented M has, with probability1−O(q−1), a full rank of

∑mi=1 si is the same as in the proof of Lemma 4.1. ¤


Theorem 2.2 is proved by the following two lemmas.

Lemma 4.3 If A ∈ Γ∗ it may recover the secret S with probability 1−O(q−1).

Proof. Let A be an authorized set in Γ∗. Then either |A ∩ Ci| ≥ ri for some 1 ≤ i ≤ m,or |A| ≥ r. In the first case the claim is straightforward. Indeed, if |A ∩ Ci| ≥ ri for some1 ≤ i ≤ m then it may fully recover Pi(y), and, consequently, it may learn the value ofS = Pi(0).

Hence, we assume hereinafter that |A ∩ Ci| = ki < ri, 1 ≤ i ≤ m, and that A is aminimal authorized subset, namely, |A| = r. Then the system of equations in the

∑mi=1 ri

unknown coefficients of P (x, y) that A may construct has a matrix of coefficients of thefollowing form:

M =

M1 G1,2 0 0 · · · 00 M2 G2,3 0 · · · 00 0 M3 G3,4 · · · 0...

......

......

...0 0 0 · · · Mm−1 Gm−1,m

0 0 0 · · · 0 Mm

H1 H2 H3 · · · Hm−1 Hm

(23)

The pair of blocks Mi and Gi,i+1, 1 ≤ i ≤ m − 1, represents the equations that arecontributed by the ki participants from compartment Ci, plus the additional equation

15

ai,0 = ai+1,0. If A ∩ Ci = {ui,1, . . . , ui,ki} and ui,j is characterized by the point (xi, yi,j)

then this pair of blocks has the following form:

(Mi Gi,i+1

)=

1 yi,1 y2i,1 · · · yri−1

i,1 0 0 · · · 01 yi,2 y2

i,2 · · · yri−1i,2 0 0 · · · 0

......

......

......

... · · · ...1 yi,ki y2

i,ki· · · yri−1

i,ki0 0 · · · 0

1 0 0 · · · 0 −1 0 · · · 0

(24)

Here, Mi is a block of size (ki + 1)× ri and Gi,i+1 is a block of size (ki + 1)× ri+1.Mm represents the equations that are contributed by the km participants from compart-

ment Cm. Assuming that they are identified by the points (xm, ym,j), 1 ≤ j ≤ km,

Mm =

1 ym,1 y2m,1 · · · yrm−1

m,1

1 ym,2 y2m,2 · · · yrm−1

m,2...

......

......

1 ym,km y2m,km

· · · yrm−1m,km

. (25)

As for the last k = g− r =∑m

i=1 ri− (m− 1)− r rows in the matrix, denoted in (23) bythe row of H-blocks, they represent the additional k equations that result from the k publicvalues of P that were published by the dealer. These k values are of the form P (x′j , zj),1 ≤ j ≤ k. Then, as in the previous section, the jth row within the last row of blocks in Mhas the following form:(

L1(x′j) L1(x′j)zj · · · L1(x′j)zr1−1j · · · · · · Lm(x′j) Lm(x′j)zj · · · Lm(x′j)z

rm−1j

)

We claim that the first∑m

i=1 ki + (m− 1) rows in M are independent. This stems fromthe Vandermonde structure of the blocks and from the fact that yi,j 6= 0 for all 1 ≤ i ≤ mand 1 ≤ j ≤ ki. Indeed, by applying Gaussian elimination within each of the first m block-rows in M , (23), we may arrive at a row-reduced echelon form for the first

∑mi=1 ki +(m−1)

rows in M thanks to our assumptions on the choices of yi,j .Next, we aim at showing that all of the rows in M are linearly independent, with

probability 1 − O(q−1). To that end, we may view the determinant of M as a k-variatepolynomial G(z1, . . . , zk) whose coefficients depend on Li(x′j), 1 ≤ i ≤ m, 1 ≤ j ≤ k, and onall (

∑mi=1 ri− k)× (

∑mi=1 ri− k) minors of M that are contained within its first

∑mi=1 ri− k

rows. Arguing along the same lines as in the proof of Lemma 4.1, we claim, omitting furtherdetails, that G(z1, . . . , zk) vanishes in probability O(q−1). This completes the proof. ¤

Lemma 4.4 If A /∈ Γ∗ then with probability 1− O(q−1) it may not learn any informationabout the secret S.

16

Proof. Assume that A /∈ Γ∗. Then |A ∩ Ci| = ki < ri, 1 ≤ i ≤ m, and in addition|A| = r − 1 − ` for some ` ≥ 0. Condition (10) on the thresholds imply that we mayaugment A with ` additional participants so that its size becomes exactly r − 1 while itsnumber of participants in each compartment Ci, 1 ≤ i ≤ m, still does not reach the necessarythreshold ri. Indeed, the maximal number that the augmented A may have in compartmentCi so that it remains unauthorized is ri − 1. As, by (10),

∑mi=1(ri − 1) ≥ r − 1, the above

described procedure is possible.We proceed to show that the augmented A cannot learn a thing about the secret S

with probability 1 − O(q−1). The matrix that corresponds to A is given by (23), and itssize is (d− 1)× d where d =

∑mi=1 ri. Let ei denote the standard basis vector in Fd whose

ith component equals 1 while all the rest are zero. In addition, we introduce the notationhj = 1 +

∑j−1i=1 ri, 1 ≤ j ≤ m; hj denotes the index of the free coefficient of Pj(y) within

the vector of unknown coefficients of P (x, y) (hence, h1, . . . , hm correspond to the indicesof the m unknown coefficients that equal the secret S). We need to show that none of thevectors ehj is in the row space of the matrix M . It is easy to see that it suffices to showthat ehm is not in that row space.

To show that, we add ehm as a last row vector in the block-row ( 0 · · · 0 Mm ).Since yi,j 6= 0 for all 1 ≤ i ≤ m and 1 ≤ j ≤ ki, we may argue along the same lines as in theproof of Lemma 4.3 to conclude that the first

∑mi=1 ki + m rows in the augmented matrix

M are linearly independent. Then, the remainder of the proof that the augmented M has,with probability 1 − O(q−1), a full rank of

∑mi=1 ri is the same as in the proof of Lemma

4.3. ¤


Lemma 4.5 Let v be a monotone vector such that v º (1, 2, . . . , n). Then there exists amonotone vector u such that u ≤ v (namely, ui ≤ vi for all 1 ≤ i ≤ n), u º (1, 2, . . . , n),∑n

i=1 ui = n(n + 1)/2, and un ≤ n.

Proof. We prove the claim by induction. The claim clearly holds for n = 1. Assume it holdsfor vectors of length n−1 and let v be a monotone vector in Nn such that v º (1, 2, . . . , n).

If vn ≥ n, we define u = (u1, . . . , un) as follows: un = n while (u1, . . . , un−1) is amonotone vector such that ui ≤ vi for all 1 ≤ i ≤ n− 1, (u1, . . . , un−1) º (1, 2, . . . , n− 1),∑n−1

i=1 ui = (n− 1)n/2, and un−1 ≤ n− 1. The vector (u1, . . . , un−1) exists by the inductionhypothesis since if v º (1, 2, . . . , n) then (v1, . . . , vn−1) º (1, 2, . . . , n − 1). The vectoru = (u1, . . . , un−1, un) thus defined satisfies all of the required conditions.

Assume next that vn < n. If∑n

i=1 vi = n(n + 1)/2, we are done, since we can takeu = v. If, on the other hand,

∑ni=1 vi > n(n + 1)/2, we proceed to find a vector u =

(w1, . . . , wn−1, vn) such that wi ≤ vi, 1 ≤ i ≤ n − 1, (w1, . . . , wn−1) is a monotone vectorthat dominates (1, 2, . . . , n− 1),

∑n−1i=1 wi = (n− 1)n/2 + (n− vn) and wn−1 ≤ vn. Such a

vector would satisfy all of the required conditions. By the induction hypothesis there exists

17

a monotone vector (u1, . . . , un−1) such that ui ≤ vi for all 1 ≤ i ≤ n − 1, (u1, . . . , un−1) º(1, 2, . . . , n− 1), and

∑n−1i=1 ui = (n− 1)n/2. Hence, since

n−1∑

i=1

vi −n−1∑

i=1

ui =

(n∑

i=1

vi −n−1∑

i=1

ui

)− vn >

(n(n + 1)

2− (n− 1)n

2

)− vn = n− vn ,

there exists a monotone vector (w1, . . . , wn−1), such that ui ≤ wi ≤ vi, 1 ≤ i ≤ n− 1, and∑n−1i=1 wi = (n − 1)n/2 + (n − vn). As (w1, . . . , wn−1) º (u1, . . . , un−1) º (1, 2, . . . , n − 1)

and wn−1 ≤ vn−1 ≤ vn, we are done. ¤Lemma 4.6 Let {Li}1≤i≤n be n lines in general position in F2, let V be a set of points onthose lines, (17), and let v be the type of that set. Assume that v � (1, 2, . . . , n). Thenthere exists a subset W ⊆ V with type w ≤ v such that |W| < n(n + 1)/2, all the vectors inRW are linearly independent and

Span{RW} = Span{RV} . (26)

Proof. Since the vectors in RV are n(n + 1)/2-dimensional, there exists a subset W ⊆ V ofsize |W| ≤ n(n + 1)/2 such that the vectors in RW are linearly independent and they spanthe same subspace as the vectors in RV , (26). We proceed to show that our assumptionsimply that W must be of size strictly less than n(n + 1)/2. To that end, we assume that|W| = ∑n

i=1 wi = n(n + 1)/2 and derive a contradiction.Let k be the highest index for which wk > k. Such an index must exist, as the following

arguments shows. Assume by contradiction that there is no such index, i.e., that wk ≤ kfor all 1 ≤ k ≤ n. Then, as

∑ni=1 wi = n(n + 1)/2, we would infer that w = (1, 2, . . . , n).

But then w º (1, 2, . . . , n). This is impossible since w ≤ v and v � (1, 2, . . . , n).Next, we claim that we may reduce the number of points in W ∩ Lk from wk to only

k points without reducing Span{RW}, thereby establishing the required contradiction. In-deed, by the maximality of k,

|W ∩ Li| = i for all k + 1 ≤ i ≤ n . (27)

Let P (x, y) be a polynomial of degree n − 1 at the most. Assume that we are given thevalues of P at the points of W. We shall show that (27) implies that the value of P at anyk points along Lk is sufficient to recover the value of P along that entire line.

Along Ln we have n point values of P (x, y). Therefore, we may fully recover P |Ln bystandard univariate interpolation. Once we have done that, we gain one more point value ofP on Ln−1 (the value of P in Ln∩Ln−1). Therefore, we may now recover P |Ln−1 . Proceedingin the same manner, we may recover P |Li for all i = n down to i = k + 1. Hence, we mayconclude the value of P (x, y) on Lk in n− k points (the intersection points of Lk with eachof the lines Li, k + 1 ≤ i ≤ n), in addition to the wk point values that we were originallygiven along that line. Therefore, any k of these wk point values of P |Lk

would suffice forthe full recovery of P |Lk

. This implies that we may shrink W to have only k points alongLk without reducing Span{RW}. ¤

18

L4 L3

L1

L2

A2, 4

A2, 3

A3, 4

A1, 4 A1, 2 A1, 3

Figure 5: A point set with redundancy

Example. Let Li, 1 ≤ i ≤ 4, be four lines in general position and let W be a set ofpoints on those lines of type w = (0, 3, 3, 4) (see Figure 5, where the points of W are markedby empty circles). As w � (1, 2, 3, 4) and |W| = 4 · (4 + 1)/2 = 10, one of the points in Wis redundant. Namely, the corresponding set of vectors

RW = {(1, x, y, x2, xy, y2, x3, x2y, xy2, y3) : (x, y) ∈ W}is linearly dependent. To prove that, we show that if P (x, y) is a polynomial of degree3, then one of the values of P |W may be inferred from the others. Indeed, along L4 wemay fully recover P (x, y) since we have 4 data points for a univariate polynomial of degree3. Consequently, we may deduce the value of P at the three intersection points that aremarked by bullets (A1,4, A2,4 and A3,4). As a result, we now know the value of P in 4 pointsalong L3 (A3,4 and the three points of W∩L3). Therefore, we may fully recover P along L3

and then deduce its value in the 2 intersection points that are marked by squares (A1,3 andA2,3). Now, we have the value of P along L1 in 5 different points. Any 4 of these pointswould suffice for the full recovery of P along L1. Hence, we can eliminate one of the threepoints in W∩L1 without reducing Span{RW}. Note that the given data is not sufficient tofully recover P along L2. As shown in Theorem 3.1, that deficiency allows P (0, 0) (almostalways) to be any value.

Proof of Theorem 3.1. Assume first that v º (1, 2, . . . , n). By Lemma 4.5, we mayassume that

∑ni=1 vi = n(n + 1)/2 and that vn ≤ n. Hence, it suffices to show that all the

n(n + 1)/2 vectors in RV are linearly independent, whence they span all of Fn(n+1)/2.The claim is obviously true for n = 1 (where P (x, y) is constant and there is only

one line). For the sake of clarity, we examine also the case n = 2: namely, the unknownpolynomial is P (x, y) = a + bx + cy, there are two intersecting lines, L1 and L2, and we are

19

given the value of P in three points: (x1, y1) ∈ L1 and (x2, y2), (x3, y3) ∈ L2 (none of whichis A1,2 := L1 ∩ L2), see Figure 6. First, we compute the restriction of P to L2 (which is alinear univariate polynomial) by standard univariate interpolation through the two points(x2, y2) and (x3, y3). As a result, we have the value of P in A1,2. This, in turn, enables usto compute the restriction of P to L1, again, by univariate interpolation, this time throughA1,2 and (x1, y1). Now, if L3 is any line that lies in a general position with respect to L1 andL2, we have the value of P in the corresponding three intersection points, Ai,j = Li ∩ Lj ,1 ≤ i < j ≤ 3. Using the techniques presented in Section 3.1, we may fully recover P (x, y).Hence, RV = {(1, xi, yi) : 1 ≤ i ≤ 3} is a basis of F3. (In the cases n = 1 and n = 2 ourstatement holds with certainty, as opposed to the cases n ≥ 3 where there is a probabilityof O(q−1) for a failure.)

We proceed by induction. Assume that U is a set with n compartments and let Vbe a subset of U of type v = (v1, . . . , vn). Without loss of generality we may assumethat |V ∩ Ci| = vi, 1 ≤ i ≤ n (namely, that the permutation π ∈ Sn in Definition 3.1is the identity). Let us assume that the participants in V are identified by the points{(xi, yi) : 1 ≤ i ≤ n(n + 1)/2}, where the last vn participants are those from Cn. Hence, weaim at showing that the matrix of size n(n + 1)/2 × n(n + 1)/2, whose rows are r(xi,yi),n,1 ≤ i ≤ n(n+1)/2, has a nonzero determinant in probability 1−O(q−1). For the simplicityof notations, we denote k =

∑n−1i=1 vi and ` = vn. We view the determinant as a polynomial

in the 2` variables, G(xk+1, yk+1, . . . , xk+`, yk+`). This polynomial is nonzero, in probability1−O(q−1), because of two reasons:

1. The first k×k minor of the matrix is nonzero in probability 1−O(q−1), as implied bythe induction hypothesis. Hence, G has at least one nonzero coefficient in probability1−O(q−1).

2. The last ` rows are linearly independent, since the data provided in those ` = vn ≤ npoints is consistent with any polynomial P (x, y) of degree ≤ n− 1.

Hence, the determinant may vanish in one of two cases: either G is identically zero, anevent that has probability O(q−1), or the point (xk+1, yk+1, . . . , xk+`, yk+`) ∈ F2` is a zeroof G, an event that, by Lemma 1.1, has probability that is bounded by 2`(n−1)q−1. Hence,the vectors in RV form a basis of Fn(n+1)/2 in probability 1−O(q−1).

Assume next that v � (1, 2, . . . , n). Then, by Lemma 4.6, we may assume that |V| <n(n + 1)/2. We need to show that e1 ∈ Span{RV} in probability of O(q−1). Intuitively,this is indeed the case since the probability that a given vector in a n(n + 1)/2-dimensionalspace is spanned by a set of less than n(n + 1)/2 vectors is O(q−1). This may be shownmore rigorously, arguing along the same lines as in the proofs of Lemmas 4.2 and 4.4. Weomit further details. ¤

20

L3

L1

L2

A2, 3

A1, 3A1, 2

(x3, y3)

(x2, y2)

(x1, y1)

Figure 6: Interpolating a linear polynomial on two intersecting lines


Given V ⊂ U , let xi = |V ∩ Ci|, 1 ≤ i ≤ m, denote the number of participants that V hasfrom the ith level. Then V knows the value of P at vj points along Lj , 1 ≤ j ≤ n, where

vj ={

ki−1 + xi j = ki for some 1 ≤ i ≤ mj otherwise

. (28)

Let us denote v := (v1, . . . , vn), and let v′ denote the monotone non-decreasing ordering ofv; namely, v′ is the type of the set of points in which V knows the value of P . In view ofTheorem 3.1 we need only to show that v′ º (1, 2, . . . , n) if and only if V ∈ Γ.

Assume that V ∈ Γ. Then, by (20),

i∑

j=1

xj ≥ ki , 1 ≤ i ≤ m . (29)

The vectors v and v′ include components of two kinds, as seen in (28): level components, thatcorrespond to positions {k1, . . . , km} in v, and separator components, that are the remainingn − m components. This induces a similar separation on the components of the vector(1, 2, . . . , n): we refer to the components in positions {k1, . . . , km} as level components, andto the remaining ones as separator components. Let w = (vk1 , vk2 , . . . , vkm) be the sub-vector of all level components within v, let w′ be its monotone non-decreasing ordering,and let (k1, k2, . . . , km) be the sub-vector of all level components within (1, 2, . . . , n). Webegin by proving that

w′ º (k1, k2, . . . , km) . (30)

21

We will then use (30) in order to establish the full domination relation, i.e.,

v′ º (1, 2, . . . , n) . (31)

In order to prove (30) we need to show that

∑

j=1

w′j ≥∑

j=1

kj , 1 ≤ ` ≤ m . (32)

Fix ` in the range 1 ≤ ` ≤ m. There are two cases to consider: If {w′1, . . . , w′`} ={vk1 , . . . , vk`

} then

∑

j=1

w′j =∑

j=1

vkj =∑

j=1

(kj−1 + xj) =`−1∑

j=1

kj +∑

j=1

xj ≥∑

j=1

kj , (33)

where the last inequality stems from (29). If, on the other hand, {w′1, . . . , w′`} 6= {vk1 , . . . , vk`}

(this may happen only when ` < m) then there exists a minimal index i, 1 ≤ i ≤ `, suchthat vki

/∈ {w′1, . . . , w′`}. Hence,

∑

j=1

w′j =i−1∑

j=1

vkj +∑

j=i

vkrj, (34)

wherei < ri < ri+1 < · · · < r` . (35)

As argued in (33),i−1∑

j=1

vkj ≥i−1∑

j=1

kj . (36)

On the other hand, (35) implies that rj ≥ j + 1 for all i ≤ j ≤ `. Hence, as k1 ≤ k2 ≤ · · · ≤km, we conclude that krj ≥ kj+1. Therefore, by the definition of vkj , (28), we conclude that

vkrj≥ kj , i ≤ j ≤ ` . (37)

Finally, (32) follows from (34), (36) and (37).

Having shown (30) we proceed to prove (31). To that end we need to show that if weadd to the two vectors on both sides of the domination relation (30) the n −m separatorcomponents {1, 2, . . . , n} \ {k1, . . . , km}, the domination relation (31) still holds, i.e.,

i∑

j=1

v′j ≥i∑

j=1

j , 1 ≤ i ≤ n . (38)

Fix an i, let 1 ≤ ` ≤ m be the maximal index such that k` ≤ i, and let t be the number oflevel components in (v′1, . . . , v

′i). There are three cases to consider:

22

1. If t = `, then (38)i follows from (32)`. Indeed, in that case the t = ` level componentsin (v′1, . . . , v

′i) are exactly (w′1, . . . , w

′`) and the additional separator components on

the left hand side of (38)i are {1, 2, . . . , i} \ {k1, . . . , k`}. Hence, by adding the sum of{1, 2, . . . , i} \ {k1, . . . , k`} to both sides of the inequality (32)`, we arrive at (38)i.

2. If t > ` theni∑

j=1

v′j =t∑

j=1

w′j + gi−t (39)

where gr stands for the sum of the smallest r separator values, namely, the r minimalnumbers in {1, 2, . . . , n} \ {k1, . . . , km}. In view of (32), equality (39) implies that

i∑

j=1

v′j ≥t∑

j=1

kj + gi−` − (gi−` − gi−t) .

By the definition of the partial sums gr,∑`

j=1 kj + gi−` =∑i

j=1 j. Hence, it remainsto prove that

t∑

j=`+1

kj ≥ (gi−` − gi−t) (40)

in order to establish our claim (38) in this case. Indeed, as, by our assumption, theprefix {1, 2, . . . , i} includes exactly ` level components, {k1, . . . , k`}, the differencegi−` − gi−t is composed of the t − ` largest numbers in {1, 2, . . . , i} \ {k1, . . . , k`}, allof which are less than or equal to i. On the other hand,

t∑

j=`+1

kj ≥ (t− `) · k`+1 > (t− `) · i .

Hence, (40) follows and our claim in this case is settled.

3. If t < ` then equality (39) still holds. In view of (32), equality (39) implies that

i∑

j=1

v′j ≥t∑

j=1

kj + gkt−t + (gi−t − gkt−t)

(note that in this case kt < k` ≤ i). Since, by the definition of the partial sums gr,∑tj=1 kj + gkt−t =

∑ktj=1 j we need only to prove that

gi−t − gkt−t ≥i∑

j=kt+1

j (41)

in order to establish our claim (38) in this case. Indeed, as the minimal separatorvalue in gi−t − gkt−t is at least kt + 1 and each separator value is strictly larger thanits predecessor, inequality (41) holds. This settles our claim in this case as well, andthus the proof of (38) is complete.

23

Assume next that V /∈ Γ. Then there exists a minimal i ≥ 1 such that

∑

j=1

xj ≥ k` for all 1 ≤ ` < i (42)

andi∑

j=1

xj < ki . (43)

In that case, we claim thatki∑

j=1

vj <

ki∑

j=1

j . (44)

Indeed, by the definition of v, (28),

ki∑

j=1

vj =∑

1≤j≤kij /∈{k1,...,ki}

vj +i∑

j=1

vkj =∑

1≤j≤kij /∈{k1,...,ki}

j +i∑

j=1

(kj−1 + xj) =ki−1∑

j=1

j +i∑

j=1

xj <

ki∑

j=1

j ,

where the last inequality is implied by (43). Since v′ is the monotone non-decreasingordering of v, inequality (44) implies that

∑kij=1 v′j <

∑kij=1 j, whence v′ � (1, 2, . . . , n).

The proof is thus complete. ¤

5 Epilogue

The advantage of bivariate interpolation over the standard univariate one in designing lin-ear secret sharing schemes for multipartite settings is in the ability to associate differentcompartments with different lines in the plane. Bivariate interpolation on lines was ex-tended to multivariate interpolation on flats in several dimensions in [2]. By going to higherdimensions and by adequately choosing the flats that represent the compartments, it mightbe possible to design secret sharing schemes for a wide array of interesting access structures.(In several dimensions we have more flexibility in choosing the dimensions of the flats andtheir interrelation.) It would be also interesting to explore the possible advantages of usingnon-linear manifolds instead of flats.

References

[1] A. Beimel, T. Tassa and E. Weinreb, Characterizing ideal weighted threshold secretsharing, The Proceedings of the Second Theory of Cryptography Conference, TCC 2005,February 2005, MIT, pp. 600-619.

[2] C. de Boor, N. Dyn and A. Ron, Polynomial interpolation to data on flats in Rd,Journal of Approximation Theory, 105 (2000), pp. 313-343.

24

[3] E.F. Brickell, Some ideal secret sharing schemes, Journal of Combinatorial Mathematicsand Combinatorial Computing, 9 (1989), pp. 105-113.

[4] K.C. Chung and T.H. Yao, On lattices admitting unique Lagrange interpolation, SIAMJournal on Numerical Analysis, 14 (1977), pp. 735-743.

[5] M.J. Collins, A note on ideal tripartite access structures, available athttp://eprint.iacr.org/2002/193/ (2002).

[6] S. Fehr Efficient construction of the dual span program, Manuscript, May 1999.

[7] A. Gal, Combinatorial methods in Boolean function complexity, Ph.D. thesis, Universityof Chicago, 1995.

[8] J. Herranz and G. Saez, New results on multipartite access structures, available athttp://eprint.iacr.org/2006/048 (2006).

[9] M. Karchmer and A. Wigderson, On span programs, in The Proceedings of the 8thStructures in Complexity conference, (1993), pp. 102-111.

[10] C. Padro and G. Saez, Secret sharing schemes with bipartite access structure, IEEETransactions on Information Theory, 46 (2000), pp. 2596-2604.

[11] A. Shamir, How to share a secret, Communications of the ACM, 22 (1979), pp.612-613.

[12] G.J. Simmons, How to (really) share a secret, Advances in Cryptology - CRYPTO 88,LNCS 403 (1990), pp. 390-448.

[13] T. Tassa, Hierarchical threshold secret sharing, in The Proceedings of the First Theoryof Cryptography Conference, TCC 2004, February 2004, MIT, Cambridge, pp. 473-490.(To appear in Journal of Cryptology).

25

Documents

Multipartite Secret Sharing by Bivariate Interpolationestudy.openu.ac.il/opus/static/binaries/upload/bank8/multipartite_0.pdfCompartmented access structures with lower bounds, (4),