On ideal homomorphic secret sharing schemes and their decomposition

Abstract

In 1992, Frankel and Desmedt introduced a technique that enables one to reduce the secret space of an ideal homomorphic secret sharing scheme (IHSSS) into any of its characteristic subgroups. In this paper, we propose a similar technique to reduce the secret space of IHSSSs called the quotient technique. By using the quotient technique, we show that it is possible to yield an ideal linear scheme from an IHSSS for the same access structure, providing an alternative proof of a recent result by Jafari and Khazaei. Moreover, we introduce the concept of decomposition of secret sharing schemes. We give a decomposition for IHSSSs, and as an application, we present a necessary and sufficient condition for an IHSSS to be mixed-linear. Continuing this line of research, we explore the decomposability of some other scheme classes.

Appendices

Appendix A: Proof of Proposition 2.2

Let \({\mathbf {S}}= ({\mathbf {S}}_i)_{i \in Q}\) be an ideal SSS with uniform distribution on its support. Since all marginal distributions are uniform on their supports too, it holds that \(\mathrm {H}({\mathbf {S}}_A)/\mathrm {H}({\mathbf {S}}_0) = \log |{\mathcal {S}}_A|/\log |{\mathcal {S}}_0| = \log _{|{\mathcal {S}}_0|} |{\mathcal {S}}_A|\) for any \(A \subseteq Q\). Therefore, Brickell and Davenport’s result implies that \(r: 2^Q \rightarrow {\mathbb {R}}\) defined by \(r(A) = \log _{|{\mathcal {S}}_0|} |{\mathcal {S}}_A|\) is the rank function of a matroid on the ground set Q.

Now, let \({\mathbf {S}}= ({\mathbf {S}}_i)_{i \in Q}\) be a SSS such that the function \(r: 2^Q \rightarrow {\mathbb {R}}\) defined by \(r(A) = \log _{|{\mathcal {S}}_0|} |{\mathcal {S}}_A|\) is the rank function of a matroid on the ground set Q. We claim that \({\mathbf {S}}\) is a perfect ideal scheme. Clearly, we have \(|{\mathcal {S}}_A| = |{\mathcal {S}}_0|^{r(A)}\) for \(A \subseteq Q\). Since r is the rank function of a matroid then it holds that \(r(\{i\}) \in \{0,1\}\) for any \(i \in P\). Since there is no redundant participant we have \(\mathrm {H}({\mathbf {S}}_i) > 0\) and hence \(|{\mathcal {S}}_i| > 1\). Therefore, \(r(\{i\}) \not = 0\) and we have \(r(\{i\}) = 1\) for any \(i \in P\). That means \(|{\mathcal {S}}_i| = |{\mathcal {S}}_0|\) for any \(i \in P\). Since the distribution of \({\mathbf {S}}\) is uniform on its support, it is straightforward to check that all marginal distributions are also uniform. Hence, for \(A \subseteq P\) we have

$$\begin{aligned} \mathrm {H}({\mathbf {S}}_0|{\mathbf {S}}_A)/\mathrm {H}({\mathbf {S}}_0)&= \mathrm {H}({\mathbf {S}}_{A\cup 0})/\mathrm {H}({\mathbf {S}}_0)-\mathrm {H}({\mathbf {S}}_A)/\mathrm {H}({\mathbf {S}}_0) \\&= \log |{\mathcal {S}}_{A\cup 0}|/\log |{\mathcal {S}}_{0}| - \log |{\mathcal {S}}_A|/\log |{\mathcal {S}}_{0}|\\&= \log _{|{\mathcal {S}}_{0}|} |{\mathcal {S}}_{A\cup 0}| - \log _{|{\mathcal {S}}_{0}|} |{\mathcal {S}}_A|\\&= r(A \cup 0) - r(A) \in \{0,1\} \end{aligned}$$

Therefore, \(\mathrm {H}({\mathbf {S}}_0|{\mathbf {S}}_A) \in \{0 , \mathrm {H}({\mathbf {S}}_0)\}\) and \({\mathbf {S}}\) is perfect.

Appendix B: Proof of Proposition 2.5

The direction that a scheme realizing \(\varGamma \) satisfies (\(\mathbf{a }\)) and (\(\mathbf{b }\)) is immediate. To see the reverse, let \({\mathbf {S}}= ({\mathbf {S}}_i)_{i \in Q}\) be a HSSS which satisfies the conditions in the proposition for the access structure \(\varGamma \). Clearly, the condition (\(\mathbf{a }\)) in the proposition implies that \(\mathrm {H}({\mathbf {S}}_0|{\mathbf {S}}_A) = 0\), for \(A \in \varGamma \). Now, let \(B \not \in \varGamma \). We show that \(\mathrm {H}({\mathbf {S}}_0|{\mathbf {S}}_B) = \mathrm {H}({\mathbf {S}}_0)\). Let \((s,b) \in {\mathcal {S}}_{0 \cup B}\) and k be the number of all distinct x’s that satisfy \((s,b,x) \in {\mathcal {S}}\). Let \(e_A = (e_i)_{i \in B}\) where \(e_i\) is the identity element of \({\mathcal {S}}_i\). Since \(B \not \in \varGamma \), for any \(s' \in {\mathcal {S}}_0\) we have \((s's^{-1},e_B) \in {\mathcal {S}}_{0 \cup B}\), according to the condition (\(\mathbf{b }\)) in the proposition. There exists \(y \in {\mathcal {S}}_{Q \setminus (0 \cup B)}\) such that \((s's^{-1},e_B,y) \in {\mathcal {S}}\). Since we have

$$\begin{aligned} (s',b,yx) = (s's^{-1},e_B,y)(s,b,x) \in {\mathcal {S}}, \end{aligned}$$

there exist at least k distinct elements z such that \((s',b,z) \in {\mathcal {S}}\). Since the distribution on \({\mathcal {S}}\) is uniform, we conclude that

$$\begin{aligned} \text {Pr}\left( {\mathbf {S}}_0=s,{\mathbf {S}}_B = b \right) \le \text {Pr}\left( {\mathbf {S}}_0=s',{\mathbf {S}}_B = b\right) . \end{aligned}$$

Similarly, we obtain \(\text {Pr}\left( {\mathbf {S}}_0=s',{\mathbf {S}}_B = b\right) \le \text {Pr}\left( {\mathbf {S}}_0=s,{\mathbf {S}}_B = b\right) \). Hence,

$$\begin{aligned} \text {Pr}\left( {\mathbf {S}}_0=s|{\mathbf {S}}_B = b \right) = \text {Pr}\left( {\mathbf {S}}_0=s'|{\mathbf {S}}_B = b \right) \end{aligned}$$

for all \(s \in {\mathcal {S}}_0\) and \(b \in {\mathcal {S}}_B\). Therefore, it holds that \(\mathrm {H}({\mathbf {S}}_0|{\mathbf {S}}_B) = \mathrm {H}({\mathbf {S}}_0)\).

Appendix C: Proof of Proposition 2.6

Let us first introduce some notation. Let \({\mathbf {S}}= ({\mathbf {S}}_i)_{i \in Q}\) be an IHSSS and \(B \cup \{i,k\}\) be a circuit for it. Let \(e_i\) be the identity element of \({\mathcal {S}}_i\) and for a subset \(A \subseteq Q\) let \(e_A = (e_i)_{i \in A}\). If for some \(x \in {\mathcal {S}}_k\) and \(y \in {\mathcal {S}}_i\) we have \((e_B,x,y) \in {\mathcal {S}}_{B \cup k \cup i}\), then we define \(f_{B,k,i}(x) = y\). If there is no confusion we drop B and i and simply write \(f_k (x) = y\).

We now return to the proof. It is easy to verify that \(f_k\) is an isomorphism between \({\mathcal {S}}_k\) and \({\mathcal {S}}_i\). Since we assumed that \({\mathcal {S}}_i = {\mathcal {S}}_0\) for every \(i \in P\) in IHSSSs, this mapping is an automorphism for \({\mathcal {S}}_0\). Since A is an independent set, for every \(k \in A\) we have \(\left( e_{A\setminus k} , a_k \right) \in {\mathcal {S}}_{(A \setminus k) \cup k} = {\mathcal {S}}_A\). By definition of \(f_k\), for \(k \in A\), we have \(\left( e_{A\setminus k} , a_{k}, f_{k} \left( a_k\right) \right) \in {\mathcal {S}}_{(A \setminus k) \cup k \cup i} = {\mathcal {S}}_{A \cup i}\). Therefore, (by an appropriate reordering of the coordinates) their product also belongs to \({\mathcal {S}}_{A \cup i}\); that is

$$\begin{aligned} \left( a, \prod _{k \in A}f_k\left( a_k\right) \right) = \left( (a_k)_{k \in A}, \prod _{k \in A}f_k\left( a_k\right) \right) \in {\mathcal {S}}_{A \cup i}. \end{aligned}$$

Since \(H\) is a characteristic subgroup of \({\mathcal {S}}_0\) and \(a_k \in H\), for every \(k \in A\), we have \(f_k\left( a_k\right) \in H\). Hence, \(\prod _{k \in A} f_k\left( a_k\right) \) belongs to \(H\) as well. Since the set \(A \cup i\) is a circuit, \(|{\mathcal {S}}_{A \cup i}| = |{\mathcal {S}}_A|\) and, hence, \(b = \prod _{k \in A} f_k\left( a_k\right) \). We conclude that \(b \in H\).