A Note on the Randomness in Dynamic Threshold ... - Semantic Scholar

A Note on the Randomness in Dynamic Threshold Schemes Carlo Blundo and Barbara Masucci Dipartimento di Informatica ed Applicazioni Universita di Salerno, 84081 Baronissi (SA), Italy E-mail: fcarblu, [email protected] URL: http://www.unisa.it/fcarblu,masuccig

Abstract

In dynamic threshold schemes the dealer is able (after a preprocessing stage) to allow sets of participants of a given cardinality to reconstruct dierent secrets (in dierent time instants) by sending them the same broadcast message. In this paper we provide a tight lower bound on the number of random bits needed by the dealer to set up a dynamic threshold scheme.

Keywords: Data Security, Cryptography, Randomness, Secret Sharing Schemes, and Entropy.

1 Introduction There are many situations in cryptography in which it is important to be able to generate random numbers, random bit strings, etc. For example, cryptographic keys are to be generated at random from a speci ed keyspace, and the use of a natural source of random bits, such as an unbiased coin, a radioactive source or a noise diode, is absolutely essential. Since random bits are a natural computational resource, the amount of randomness used in a computation is an important issue in many applications. Therefore, considerable eort has been devoted to reduce the number of random bits used by probabilistic algorithms [9, 15], to study weak random sources [28, 29], to construct dierent kind of small probability spaces (which sometimes even allow to eliminate the use of randomness) [17, 21], and 1

2 to analyze the amount of randomness required in order to achieve a given performance [18, 19]. Generating random bits by means of coin tosses or other physical processes is time-consuming and expensive, so in practice it is common to use a pseudo-random bit generator that expands a short random bit-string into a much longer \random-looking" bit string. Thus, a pseudo-random bit generator reduces the amount of random bits required in an application. The Shannon entropy of the random source generating the random bits represents the most general and natural measure of randomness. Indeed, Knuth and Yao [16] have shown that the entropy of a random variable X (i.e., of a memoryless random source) is approximatively equal to the average number of tosses of an unbiased coin necessary to simulate the outcomes of X. For this and other interesting relations of the Shannon entropy with other measures of complexity, like Kolmogorov complexity, we advice the reader to consult the very readable account given in [10]. A secret sharing scheme is a technique to share a secret s among a set P of participants in such a way that only quali ed subsets, pooling together their information, referred to as shares, can reconstruct the secret s; but, subsets of participants that are not enabled to recover the secret have no information on it. Secret sharing schemes are useful in any important action that requires the concurrence of several designated people to be initiated, such as launching a missile, opening a bank vault or even opening a safety deposit box. Secret sharing schemes are also used in the management of cryptographic keys and multi-party security protocols (see [1] and [13]). Secret sharing schemes were introduced by Blakley [2] and Shamir [22]. They analyzed (k; n) threshold schemes. In such schemes any set X  P , where jPj = n, of k or more participants can recover the secret, but, sets of cardinality less than k have no information on it. The survey by Stinson [24] contains an uni ed description of results in the area of secret sharing schemes. The reader can also pro tably see the book [26]; while, for an updated bibliography on secret sharing schemes we refer the reader to [25]. Simmons [23] rst pointed out the practical relevance of secret sharing schemes having the feature of being able, after some preprocessing stage, to allow the participants to reconstruct dierent secrets (in dierent time instants) by sending

3 to all participants the same broadcast message. Blundo, Cresti, De Santis, and Vaccaro [5] established a formal setting to study such schemes, referred to as dynamic threshold schemes. Blakley, Blakley, Chan, and Massey [3] and Martin [20] considered the problem of constructing secret sharing schemes with disenrollment capability in which, by sending a broadcast message to all participants, a new secret is activated and a participant is disenrolled from the scheme. Harn, Hwang, Laih, and Lee [14] gave an algorithm to construct dynamic threshold schemes, in which, for a xed k, all sets of size at least k are allowed by the dealer to recover dierent secrets in dierent time instants. The recovering is permitted by sending the same broadcast message to all of them. Sun and Shieh [27] also analyzed dynamic threshold schemes. Blundo [4] generalized the model proposed in [27] and provided a simpler scheme, which is more ecient from a computational point of view and uses smaller broadcast messages than that in [27]. The quantitative study of the number of random bits needed by secret sharing schemes has been initiated in [6], where the optimality of several secret sharing schemes according to this measure has been proved. Some other result on this topic can be found in [7, 8, 11, 12]. In this paper we analyze the amount of randomness needed to set up a dynamic threshold scheme, measured by the entropy of the probability space from which the shares to be given to participants and the broadcast messages to be issued are taken. In particular, we prove a lower bound on the number of random bits needed to set up a dynamic threshold scheme. This bound is tight as in [4] it has been provided a protocol for dynamic threshold schemes using exactly this number of random bits.

2 Information Theory Background In this section we review the basic concepts of Information Theory used in our de nitions and proofs. For a complete treatment of the subject the reader is advised to consult [10]. In this paper with a boldface capital letter, say X, we denote a random variable taking value on a set denoted by the corresponding capital letter X according to some probability distribution fPrX (x)gx2X . The values such a random variable

4 can take are denoted by the corresponding lower letter. Given a probability distribution fPrX (x)gx2X on a set X , the Shannon entropy of X, denoted by H (X), is de ned as

H (X) = ?

X Pr (x) log Pr (x) X

x2X

X

(all logarithms in this paper are to the base 2). The entropy H (X) is a measure of the average uncertainty one has about which element of the set X has been chosen when the choices of the elements from X are made according to the probability distribution fPrX (x)gx2X . It is well known that H (X) is a good approximation to the average number of bits needed to faithfully represent the elements of X . The entropy satis es the following property 0  H (X)  jX j; where H (X) = 0 if and only if there exists x 2 X such that PrX (x ) = 1; whereas, H (X) = log jX j if and only if PrX (x) = 1=jX j for all x 2 X . Given two sets X and Y and a joint probability distribution on their cartesian product, the conditional entropy H (XjY), is de ned as 0

H (XjY) = ?

0

X X Pr (y)Pr(xjy) log Pr(xjy):

y2Y x2X

Y

From the de nition of conditional entropy it is easy to see that

H (XjY)  0:

(1)

We have that H (XjY) = 0 when the value taken from Y completely determines the value chosen from X ; whereas, H (XjY) = H (X) means that choices from X and Y are independent, that is, the probability that the value x has been chosen from X given that from Y we have chosen y is the same as the a priori probability of choosing x from X . Therefore, knowing the values chosen from Y does not enable a Bayesian opponent to modify an a priori guess regarding which element has been chosen from X . Given n + 1 sets X ; : : :; Xn ; Y and a joint probability distribution on their cartesian product, the entropy of X : : : Xn given Y can be expressed as 1

1

H (X : : : Xn jY) = H (X jY) + 1

1

Xn H (X jX : : : X Y): i i? i=2

1

1

(2)

5 The mutual information I (X; Y) between X and Y is de ned by

I (X; Y) = H (X) ? H (XjY) = H (Y) ? H (YjX)

(3)

and satis es I (X; Y)  0; from which one gets

H (X)  H (XjY):

(4)

Given n + 2 sets X; Y; Z ; : : : ; Zn and a joint probability distribution on their cartesian product, the conditional mutual information I (X; YjZ : : : Zn ) between X and Y given Z ; : : :; Zn is de ned by 1

1

1

I (X; YjZ : : : Zn ) = H (XjZ : : : Zn ) ? H (XjZ : : : Zn Y) = H (YjZ : : : Zn) ? H (YjZ : : : Zn X): 1

1

1

1

1

(5)

Since the conditional mutual information is always non negative we get

H (XjZ : : : Zn )  H (XjZ : : : Zn Y): 1

(6)

1

From (2) and (5) one easily gets that for any sets X ; : : :; Xn ; Y; Z and a joint probability distribution on their cartesian product it holds that 1

I (X : : : Xn ; YjZ) = I (X ; YjZ) + 1

1

Xn I (X ; YjX : : : X Z); i i? i=2

1

1

(7)

and, for i = 1; : : : ; n,

I (X; Y : : : Yn jZ)  I (X; YijZ):

(8)

1

3 Dynamic Threshold Schemes In this section we recall the de nition of dynamic threshold scheme given in [4]. In dynamic threshold schemes the dealer is able (after a preprocessing stage) to allow sets of participants of a given cardinality, say k, to reconstruct m dierent secrets (each secret in a dierent time instant), by sending to the participants the same broadcast message. The security of dynamic threshold schemes we consider is unconditional since they are not based on any computational assumption. Let P = fP ; : : : ; Pn g be the set of participants and let SC = S 


 Sm be the set where the secrets are chosen from (the i-th secret to be shared is chosen 1

1

6 in Si). Let SC =4 fPrSC (s ; : : :; sm)g s1;:::;sm 2SC be a probability distribution on SC . The dealer in the preprocessing stage, knowing the probability distribution on SC , generates and distributes the shares to participants in P . Afterwards, in the broadcasting stage, the dealer having as input the i-th secret si 2 Si , randomly chosen accordingly to fPrSi (si)gsi 2Si which is induced by SC , and the shares of participants, computes a message bi and broadcasts it to all participants. At the end of the broadcasting stage, only the subsets of participants of cardinality at least k are able to recover si, whereas any subset of participants of size less than k has absolutely no information on any secret, even after seeing all previous broadcast messages. Let a dynamic threshold scheme for secrets in SC be xed. For any participant P 2 P , let us denote by K (P ) the set of all possible shares given to participant P . Suppose a dealer D wants to share the secrets (s ; : : :; sm) 2 SC among the participants in P (we will assume that D 62 P ). He does this by giving each participant P 2 P a share from K (P ) chosen according to some, non necessarily uniform, probability distribution. Given a set of participants X = fPi1 ; : : : ; Pir g  P , where i < i <


< ir , let K (X ) = K (Pi1 ) 


 K (Pir ). For any i = 1; : : : ; m, denote by E (Bi ) the set of all possible broadcast messages enabling a set of participants of cardinality at least k to recover the i-th secret. Any dynamic threshold scheme for secrets in SC and a probability distribution on SC naturally induce probability distributions on K (A) and on E (Bi ), for any A  P and for any i = 1; : : : ; m, respectively. Denote such probability distributions by fPrA (a)ga2K A and by fPrBi (bi)gbi2E Bi , respectively. Finally, for i = 1; : : : ; m, denote by H (Si) and by H (Bi) the entropy of fPrSi (si)gsi2Si and fPrBi (bi)gbi2E Bi , respectively, and denote by H (A) the entropy of fPrA (a)ga2K A , for any A  P . As done in [4], we de ne (k; n; m) dynamic threshold schemes as follows. 1

(

)

1

1

2

( )

(

)

(

)

( )

De nition 3.1 Let P be a set of n participants and let m and k  n be positive integers. A (k; n; m) dynamic threshold scheme is a sharing of secrets in S 


 Sm among participants in P in such a way that, for i = 1; : : :; m, the following 1

properties are satis ed.

1. Before knowing the i-th broadcast message all the participants, even knowing all the previous broadcast messages, have no information about the i-th secret:

7 Formally, it holds that H (SijP : : : Pn B : : : Bi? ) = H (Si). 1

1

1

2. After seeing the i-th broadcast message, any subset of participants of cardinality greater than or equal to k can recover the i-th secret: Formally, for all X  P such that jX j  k, it holds that H (SijXBi) = 0. 3. After seeing the i-th broadcast message, any subset of participants of cardinality less than k, even knowing all the previous broadcast messages and all the previous secrets, has no information on the i-th secret: Formally, for all X  P such that jX j < k, it holds that H (SijXB : : : BiS : : : Si? ) = H (Si ). 1

1

1

Dynamic threshold schemes are de ned by using the entropy function mainly because this leads to a compact and simple description of the schemes and because the entropy approach takes into account all probability distributions on the secrets. An immediate consequence of De nition 3.1 is that the secrets must be independent, as stated by the next lemma.

Lemma 3.2 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme, for i = 2; : : : ; m, it holds that H (SijS : : : Si? ) = H (Si ): 1

1

Proof. We have that H (Si)  H (SijS : : : Si? ) (from (6))  H (SijS : : : Si? XB : : : Bi) (from (6)) = H (Si) (from 3 of De nition 3.1). 1

1

1

1

1

Thus, the lemma holds. From Properties 1 and 2 of De nition 3.1 we get the following lemma, which states that the conditional mutual information between Si and Bi, given the shares held by all participants and the previous broadcast messages, is equal to the entropy H (Si).

8

Lemma 3.3 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme, it holds that I (S ; B jP : : : Pn) = H (S ); 1

1

1

1

and, for i = 2; : : :; m, it holds that

I (Si; BijP : : : PnB : : : Bi? ) = H (Si ): 1

1

1

Proof. From (5) we have that I (S ; B jP : : : Pn )= H (S jP : : : Pn) ? H (S jP : : : Pn B ): 1

1

1

1

1

1

1

1

From De nition 3.1 we have that H (S jP : : : Pn )= H (S ) and H (S jP : : : Pn Bi) = 0. Hence, it holds that I (S ; B jP : : : Pn ) = H (S ): From (5), for i = 2; : : : ; m, we have that I (Si; BijP : : : Pn B : : : Bi? ) 1

1

1

1

1

1

1

1

1

1

1

1

= H (Si jP : : : Pn B : : : Bi? ) ? H (Si jP : : : PnB : : : Bi) = H (Si ) ? H (Si jP : : : PnB : : : Bi) (from De nition 3.1)  H (Si ) ? H (Si jP : : : PnBi) (from (6)) = H (Si ) (from De nition 3.1). 1

1

1

1

1

1

1

1

Thus, the lemma holds. The following theorem, proved in [4], states a lower bound on the size of the information that any participant holds in any (k; n; m) dynamic threshold scheme.

Theorem 3.4 ([4]) Let P be a set of n participants and let k and m be integers such that k  n. Let X  P be such that jX j = k ? 1. In any (k; n; m) dynamic threshold scheme for any participant P 2 P , it holds that m X H (PjX)  H (Si) + H (PjXB : : : BmS : : : Sm ): i=1

1

1

An immediate consequence of Theorem 3.4 is that in any (k; n; m) dynamic threshold scheme the entropy of any participant P 2 P satis es H (P)  Pmi H (Si ). This observation will be useful in determining a lower bound on the randomness in any (k; n; m) dynamic threshold scheme. =1

4 Randomness in Dynamic Threshold Schemes

9

In this section we de ne and analyze the measure for the amount of randomness needed to realize a (k; n; m) dynamic threshold scheme. The measure for the amount of randomness is formally de ned using the Shannon entropy of the random variables generating the shares and the broadcast messages. The entropy is strictly related to the measure of randomness introduced by Knuth and Yao [16]. Let A be an algorithm that generates the probability distribution fPrX (x)gx2X using only independent and unbiased random bits in input. Denote by T (A) the average number of random bits used by the algorithm A and let T (X) = minA T (A). Knuth and Yao [16] proved the following inequalities:

H (X)  T (X) < H (X) + 2: Thus, the entropy of a random source is very close to the average number of independent unbiased random bits necessary to simulate the source. The total randomness present in a (k; n; m) dynamic threshold scheme  on a set P = fP ; : : :; Pn g of participants is equal to the entropy H (P : : : Pn B : : : Bm). This takes into account also the randomness H (S : : : Sm) of the secrets the dealer wants to update, as we will see later. The dealer's randomness is the randomness needed by the dealer to set up a (k; n; m) dynamic threshold scheme for secrets in SC = S 


 Sm, that is, the randomness he uses to generate the shares and the broadcast messages, given that the probability distribution SC =4 fPrSC (s ; : : : ; sm)g s1;:::;sm 2SC on the secrets is known. The amount of randomness required by the dealer to set up a (k; n; m) dynamic threshold scheme , when the secrets to be shared are chosen in SC according to the probability distribution SC , is de ned as R[(k; n; m); SC ; ] = H (P : : : PnB : : : BmjS : : : Sm ): Notice that R[(k; n; m); SC ; ] depends also on , since the probability that users receive given shares and that the broadcast messages assume given values depends both on  and H (S : : : Sm). Since we are interested in the minimum amount possible of randomness, we give the following de nition. De nition 4.1 Let P be a set of n participants and let k and m be integers such that k  n. Let SC = S 


 Sm and let qi = jSi j, for i = 1; : : : ; m. The dealer's 1

1

1

1

1

(

)

1

1

1

1

1

1

10 randomness R[(k; n; m); (q ; : : :; qm)] of a (k; n; m) dynamic threshold scheme with secrets chosen in SC , is de ned as 1

R[(k; n; m); (q ; : : :; qm)] = Dinf;T R[(k; n; m); SC ; ]; 1

where T is the space of all probability distributions SC on the sets of secrets SC and D is the space of all (k; n; m) dynamic threshold schemes  for secrets in SC .

The total randomness and the dealer's randomness are related by the following lemma.

Lemma 4.2 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme, it holds that H (P : : : Pn B : : : Bm) = H (P : : : Pn B : : : BmjS : : : Sm) + H (S : : : Sm ): 1

1

1

1

1

1

Proof. The mutual information I (S : : : Sm; P : : : PnB : : : Bm) can be written 1

either as

1

H (S : : : Sm ) ? H (S : : : Sm jP : : : Pn B : : : Bm) 1

or as

1

1

1

1

H (P : : : Pn B : : : Bm) ? H (P : : : Pn B : : : BmjS : : : Sm) 1

1

1

1

1

(see equation (3)). From (2) it holds that

H (S : : : SmjP : : : PnB : : : Bm) = H (S jP : : : Pn B : : : Bm) + m X H (SijP : : : Pn B : : : BmS : : : Si? ) 1

1

1

1

m X

1

1

1

i=2

1

1

1

 H (SijP : : : Pn Bi) (from (6)) i  0 (from 2 of De nition 3.1). 1

=2

Thus, the lemma holds.

4.1 A Tight Lower Bound on the Dealer's Randomness In this section we prove a tight lower bound on the randomness needed by the dealer to realize a (k; n; m) dynamic threshold scheme. We will show that the number of random bits needed by the dealer to set up a (k; n; m) dynamic threshold scheme

11

is greater than or equal to k Pmi log qi. This bound is tight, as in [4] it has been presented a protocol for dynamic threshold schemes using exactly this number of random bits. We need the following technical lemma. =1

Lemma 4.3 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme, it holds that H (B : : : BmjP : : : Pn)  1

1

m X H (S ): i

i=1

Proof. We have that H (B : : : BmjP : : : Pn ) 1

1

 I (B : : : Bm ; S : : : SmjP : : : Pn ) (from (1) and (5)) m X = I (B ; S : : : SmjP : : : Pn ) + I (Bi; S : : : Sm jP : : : Pn B : : : Bi? ) 1

1

1

1

1

1

1

i=2

1

1

1

(from (7))

m X  I (B ; S jP : : : Pn ) + I (Bi; SijP : : : Pn B : : : Bi? ) (from (8)) i m X = H (S ) + H (S ) (from Lemma 3.3) 1

1

1

1

1

1

=2

1

=

i

i=2

m X H (S ): i

i=1

Thus, the lemma holds. The following theorem states a tight lower bound on the randomness required to realize any (k; n; m) dynamic threshold scheme.

Theorem 4.4 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme for secrets chosen in S 


 Sm, where jSij = qi, for i = 1; : : : ; m, the dealer's randomness satis es 1

R[(k; n; m); (q ; : : : ; qm)]  k 1

m X H (S ): i=1

i

Proof. For j = 1; : : : ; k, denote with Xj the set fP ; : : : ; Pk gnfPj g. We have that H (P : : : Pn B : : : BmjS : : : Sm) 1

1

1

1

= H (P : : : Pn B : : : Bm) ? H (S : : : Sm) (from Lemma 4.2) 1

1

1

= H (P : : : Pn B : : : Bm) ? 1

1

m X H (S ) (from Lemma 3.2) i

i=1

= H (P : : : Pn ) + H (B : : : BmjP : : : Pn ) ? 1

1

1

12

m X H (S ) i=1

i

m m X X  H (P : : : Pn ) + H (Si) ? H (Si ) (from Lemma 4.3) i i k X  H (P jX ) (from (2) and (6)) 1

=1

=1

j =1 m

 k

j

j

X H (S ) (from Theorem 3.4). i=1

i

Thus, the theorem holds. If the secrets are uniformly chosen, that is H (Si) = log jSij = log qi, for i = 1; 2; : : : ; m, then we can relate the dealer's randomness of a (k; n; m) dynamic threshold scheme to the size of the sets where the secrets are chosen from, as stated by the next theorem.

Theorem 4.5 Let P be a set of n participants and let k and m be integers such that k  n. In any (k; n; m) dynamic threshold scheme, for secrets uniformly chosen in S 


 Sm, where jSij = qi, for i = 1; : : : ; m, the dealer's randomness 1

satis es

R[(k; n; m); (q ; : : :; qm)]  k 1

m X log q : i=1

i

From Theorem 4.5 it follows that the dynamic threshold scheme proposed in [4] is optimal with respect to the number of random bits used. The scheme, based on the Shamir's threshold scheme [22], is the following:

13

Preprocessing Stage

P = fP1; P2; : : :; Png, q1; : : :; qm , and k. For 1  i  m Let Fik?1[x] be the set of all k ? 1 degree polynomials with coecients in GF(qi): Randomly choose a polynomial fi (x) 2 Fik?1k[x]. For 1  j  n

Input:

Let yi;j = fi (j) be the i-th part of the share of Pj For 1  j  n Let wj = (y1;j ; y2;j ;


; ym;j ) be the share of participant Pj . Output: The shares w1 ; w2 ; : : :; wn of participants P1 ; P2; : : :; Pn , respectively.

i

Broadcasting Stage for the -th secret Input:

si 2 GF(qi), the polynomial fi (x), and w1 ; w2; : : :; wn .

Compute

bi = si + fi (0) mod qi: Output: The broadcast message bi updating the i-th secret to si .

It is easy to see that the previous protocols realize a (k; n; m) dynamic threshold scheme. Indeed, notice that the m polynomials fi(x)'s are independently constructed. Hence, at time i, all the participants can compute, by using Lagrange's interpolation, the value fi(0), but, even knowing all the previous broadcast messages, since they do not know the broadcast message bi they cannot recover the secret si. Any set X of at least k participants can compute fi(0). Hence, from bi = si +fi(0) mod qi the participants in X can compute si. On the other hand, any set X of less than k participants, even knowing all the previous broadcast messages and all the previous secrets, cannot interpolate the polynomial fi(x), thus fi(0) is equally likely to be any value in GF (qi). Hence, the participants in X do not have any information on the secret si. It easy to check that this scheme meets the bound of Theorem 4.5. Indeed, the dealer's randomness present in the scheme is

14

k Pmi log qi, which is the randomness used by the dealer to choose the coecients of the m polynomials. Since the choice of the secrets s ; :::; sm requires Pmi log qi random bits, then the total randomness present in the scheme is (k +1) Pmi log qi. =1

1

=1

=1

References [1] M. Ben-Or, S. Goldwasser, and A. Wigderson, Completeness Theorems for NonCryptographic Fault Tolerant Distributed Computation, in: Proceedings of 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 1{10. [2] G. R. Blakley, Safeguarding Cryptographic Keys, in: Proceedings AFIPS 1979 National Computer Conference, 1979, pp. 313{317. [3] B. Blakley, G. R. Blakley, A. H. Chan, and J. Massey, Threshold Schemes with Disenrollment, in: Advances in Cryptology - CRYPTO '92, LNCS 740, Springer{Verlag, Berlin, 1993, pp. 546{554. [4] C. Blundo, A Note on Dynamic Threshold Schemes, Information Processing Letters 55 (1995), pp. 189{193. [5] C. Blundo, A. Cresti, A. De Santis, and U. Vaccaro, Fully Dynamic Secret Sharing Schemes, Theoretical Computer Science 155 (1996), pp. 407{410. [6] C. Blundo, A. De Santis, and U. Vaccaro, Randomness in Distribution Protocols, Information and Computation 131 (1996), pp. 111-139. [7] C. Blundo, A. Giorgio Gaggia, and D. R. Stinson, On the Dealer's Randomness Required in Secret Sharing Schemes, Design, Codes, and Cryptography 11 (1997), pp. 107{122. [8] C. Blundo and B. Masucci, Randomness in Multi{Secret Sharing Schemes, submitted, 1999. [9] A. Cohen and A. Wigderson, Dispersers, Deterministic Ampli cation and Weak Random Sources, in: Proceedings of 30th IEEE Symposium on Foundations of Computer Science, 1989, pp. 14{19. [10] T. M. Cover and J. A. Thomas, Elements of Information Theory, John Wiley & Sons, New York, 1991. [11] L. Czirimaz, The Dealer's Random Bits in Secret Sharing Schemes, Studia Sci. Math. Hungar. 32 (1996), pp. 429{437. [12] A. De Santis and B. Masucci, Multiple Ramp Schemes, IEEE Transactions on Information Theory, to appear. [13] O. Goldreich, S. Micali, and A. Wigderson, How to Play any Mental Game, in: Proceedings of 19th Annual ACM Symposium on Theory of Computing, 1987, pp. 218{229. [14] L. Harn, T. Hwang, C. Laih, and J. Lee, Dynamic Threshold Scheme Based on the Definition of Cross-Product in a N-dimensional Linear Space, in Advances in Cryptology EUROCRYPT '89 LNCS 435, Springer{Verlag, Berlin, 1990, pp. 286-298. [15] R. Impagliazzo and D. Zuckerman, How to Recycle Random Bits, in Proceedings of 30th IEEE Symposium on Foundations of Computer Science, 1989, pp. 248{255.

15 [16] D. E. Knuth and A. C. Yao, The Complexity of Nonuniform Random Number Generation, Algorithms and Complexity, Academic Press, 1976, pp. 357{428. [17] D. Koller and N. Megiddo, Constructing Small Sample Spaces Satisfying Given Constraints, in \Proceedings of 25th Annual ACM Symposium on Theory of Computing", pp. 268{277, 1993. [18] D. Krizanc, D. Peleg, and E. Upfal, A Time{Randomness Tradeo for Oblivious Routing, in Proceedings of 20th Annual ACM Symposium on Theory of Computing, 1988, pp. 93{102. [19] E. Kushilevitz and A. Rosen, A Randomness-Rounds Tradeo in Private Computation, in Advances in Cryptology - CRYPTO '94, LNCS 839, Springer{Verlag, Berlin, 1994, pp. 397{410. [20] K. M. Martin, Untrustworthy Participants in Perfect Secret Sharing Schemes, Cryptography and Coding III, Oxford University Press, 1993, pp. 255{264. [21] J. Naor and M. Naor, Small-Bias Probability Spaces: Ecient Constructions and Applications, SIAM Journal of Computing 22 (1993), pp. 838{856. [22] A. Shamir, How to Share a Secret, Communications of the ACM 22 (1979), pp. 612{613. [23] G. J. Simmons, An Introduction to Shared Secret and/or Shared Control Schemes and Their Applications, Contemporary Cryptology, IEEE Press, 1991, pp. 441{497. [24] D. R. Stinson, An Explication of Secret Sharing Schemes, Design, Codes, and Cryptography 2 (1992), pp. 357{390. [25] D. R. Stinson, Bibliography on Secret Sharing, Available on-line as http://cacr.math.uwaterloo.ca/dstinson/ssbib.html [26] D. R. Stinson, Cryptography Theory and Practice, CRC Press Inc., Boca Raton, 1995. [27] H.-U. Sun and S.-P. Shieh, On Dynamic Threshold Schemes, Information Processing Letters 52 (1994), pp. 201{206. [28] U. Vazirani and V. Vazirani, Random Polynomial Time is Equal to Slightly-Random Polynomial Time, in: Proceedings of 26th IEEE Symposium on Foundations of Computer Science, 1985, pp. 417{418. [29] D. Zuckerman, Simulating BPP Using a General Weak Random Source, in: Proceedings of 32nd IEEE Symposium on Foundations of Computer Science, 1991, pp. 79{89.