A Secret Sharing Scheme from a Chain Ring Linear Code
H. Tapia-Recillas
Departamento de Matemáticas, Universidad Autónoma Metropolitana-I, 09340 México, D.F., MEXICO ([email protected])

Abstract. After the seminal papers [3] and [11] the secret sharing problem has received the attention of numerous researchers, for reasons ranging from real-world applications to theoretical relations with several areas, including coding theory. In this note an access structure of a secret sharing scheme associated with a linear code which is the Gray image of a two-weight linear code over a finite chain ring is presented.
1 Introduction
After the seminal papers [3] and [11] the secret sharing problem has received the attention of numerous researchers and many constructions have been proposed. The relation between linear error detecting-correcting codes over finite fields, particularly Reed-Solomon codes, and secret sharing schemes was pointed out in [8]. After this result several authors have considered the use of linear codes (over finite fields) to provide secret sharing schemes ([9], [10], [4]). An important concept in secret sharing schemes is the access structure. In [9], [10] the relation between linear codes and these access structures was pointed out, which led to the problem of determining the minimal codewords of a linear code. This is a difficult problem in coding theory and its complete solution is known only for a few special classes of codes ([1]). The study of minimal vectors of a linear code has been undertaken by various authors and has several applications, including minimum-distance algorithms for linear codes ([1]). In recent years, after the results on linear (cyclic) codes over the ring of integers $\mathbb{Z}_4$ and the relation of the Gray image of these codes with the non-linear binary Kerdock and Preparata codes ([6]), the study of codes over finite chain rings has been an important issue in coding theory. It is an important question to provide examples of access structures of secret sharing schemes, particularly those associated with linear codes. In this note, using a two-weight linear code defined over the chain ring $\mathbb{F}_q[x]/\langle x^s \rangle$ introduced in [7], it is shown that the image of this code under the Gray map is also a two-weight linear code over a finite field all of whose nonzero codewords are minimal, which provides an access structure of a secret sharing scheme determined by this code.
2 Secret sharing schemes and linear codes
Basic concepts about secret sharing schemes determined by linear codes and their access structures are recalled. For details we refer the interested reader to [11], [9], [8], [4], [1]. Let $\mathbb{F}_q$ be a finite field with $q = p^t$ elements and let $C$ be an $[n, k, d]$ linear code over $\mathbb{F}_q$. Let $G = (g_0, g_1, \ldots, g_{n-1})$ be a $k \times n$ generator matrix of $C$ whose columns satisfy $g_i \neq 0$ for $i = 0, 1, \ldots, n-1$. In [9] the following secret sharing scheme based on linear codes was introduced. The secret $s$ to be shared is an element of the field $\mathbb{F}_q$; there are $n-1$ participants $P_1, \ldots, P_{n-1}$ and a dealer $P_0$, who is assumed to be a trusted party. To obtain the $n-1$ shares of the secret $s$, the dealer randomly chooses an element $u = (u_0, u_1, \ldots, u_{k-1}) \in \mathbb{F}_q^k$ such that $s = u g_0$. The element $u$ is treated as an information vector and the corresponding codeword is computed as $v = uG = (v_0, v_1, \ldots, v_{n-1})$, $v_i = u g_i$; the dealer gives the share $v_i$ to participant $P_i$ (the coordinate $v_0 = s$ is not distributed). Since $s = v_0 = u g_0$, a subset $\{v_{i_1}, \ldots, v_{i_m}\}$ of the shares $\{v_1, \ldots, v_{n-1}\}$ determines the secret $s$ if and only if the column $g_0$ of $G$ is a linear combination of the columns $g_{i_1}, \ldots, g_{i_m}$ of $G$. Hence we have the following result ([9]):

Proposition 1 Let $C$ be an $[n, k, d]$ linear code over the finite field $\mathbb{F}_q$ and let $C^\perp$ be its dual code. In the secret sharing scheme determined by $C$, a subset of shares $\{v_{i_1}, \ldots, v_{i_m}\}$, $1 \le i_1 < \cdots < i_m \le n-1$, $1 \le m \le n-1$, determines the secret if and only if there is a codeword $(1, 0, \ldots, 0, c_{i_1}, 0, \ldots, 0, c_{i_m}, 0, \ldots, 0)$ in $C^\perp$, that is, a codeword with first coordinate $1$ whose support is contained in $\{0, i_1, \ldots, i_m\}$, with $c_{i_j} \neq 0$ for at least one $j$.

If there is a codeword as in the proposition, then $g_0 = a_{i_1} g_{i_1} + \cdots + a_{i_m} g_{i_m}$ with $a_{i_j} = -c_{i_j}$ (because $v_0 + c_{i_1} v_{i_1} + \cdots + c_{i_m} v_{i_m} = 0$), and the secret is recovered as $s = a_{i_1} v_{i_1} + \cdots + a_{i_m} v_{i_m}$.

A group of participants is called a minimal access set if they can recover the secret with their shares but no proper subgroup can. In the secret sharing scheme one is therefore interested in the minimal access sets. In order to determine them, the concept of a minimal codeword of a linear code is introduced. Recall that the support of a codeword $c = (c_0, \ldots, c_{n-1}) \in C$ is $\operatorname{supp}(c) = \{0 \le i \le n-1 : c_i \neq 0\}$. Let $c_1$ and $c_2$ be two codewords of $C$. We say that $c_1$ covers $c_2$ if $\operatorname{supp}(c_1) \supseteq \operatorname{supp}(c_2)$.

Definition 2 A non-zero codeword $c \in C$ is said to be minimal if the only codewords it covers are its scalar multiples.
From the above proposition and definition it follows that there is a one-to-one correspondence between the minimal access sets of the secret sharing scheme based on the code $C$ and the minimal codewords of the dual code $C^\perp$ whose first coordinate is equal to $1$: a minimal codeword $c \in C^\perp$ with $c_0 = 1$ corresponds to the minimal access set $\operatorname{supp}(c) \setminus \{0\}$. The covering problem of a linear code is to determine the set of its minimal codewords.
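The scheme of this section, worked through as an added example that is not part of the paper: the Python code below uses the prime field $\mathbb{F}_5$ and a constructed $[5,2]$ generator matrix $G$ (both the modulus $Q$ and $G$ are assumptions of the example). It enumerates the minimal access sets as the minimal codewords of $C^\perp$ with first coordinate $1$, deals a secret and recovers it from each minimal access set, and shows that the set $\{2, 4\}$ of participants is not an access set.

```python
"""Massey's secret sharing scheme from a linear code over a prime field F_q.

Added example, not code from the paper: the scheme of Section 2 for a small
constructed [5, 2] code over F_5 (the modulus Q and the matrix G below are
assumptions of this example).  Minimal access sets are enumerated as the
minimal codewords of the dual code with first coordinate 1, then a secret is
dealt and recovered."""
from itertools import product
import random

Q = 5  # prime modulus: all arithmetic is in F_5

# Constructed generator matrix G = (g0 | g1 g2 g3 g4): column g0 carries the
# secret, columns g1..g4 belong to the four participants.  No column is zero,
# as the scheme requires.  Columns g1 and g0 coincide, so participant 1 alone
# recovers the secret; columns g2 and g4 coincide, so {2, 4} cannot.
G = [
    [1, 1, 0, 1, 0],
    [0, 0, 1, 1, 1],
]


def encode(u, gen):
    """Codeword v = u * gen over F_Q."""
    return tuple(sum(ui * row[j] for ui, row in zip(u, gen)) % Q
                 for j in range(len(gen[0])))


def dual_code(gen):
    """Brute-force C^perp: every vector of F_Q^n orthogonal to all rows of gen."""
    return [c for c in product(range(Q), repeat=len(gen[0]))
            if all(sum(a * b for a, b in zip(row, c)) % Q == 0 for row in gen)]


def support(c):
    return frozenset(i for i, ci in enumerate(c) if ci)


def is_minimal(c, code):
    """Definition 2: every nonzero codeword covered by c is a scalar multiple of c."""
    multiples = {tuple(a * ci % Q for ci in c) for a in range(1, Q)}
    return any(c) and all(not support(d) <= support(c) or d in multiples
                          for d in code if any(d))


def minimal_access_sets(gen):
    """Minimal access sets <-> minimal codewords of C^perp with first coordinate 1;
    the access set is the support of the codeword without coordinate 0."""
    dual = dual_code(gen)
    return sorted({tuple(sorted(support(c) - {0}))
                   for c in dual if c[0] == 1 and is_minimal(c, dual)})


def can_recover(gen, participants):
    """Proposition 1: the shares of `participants` determine the secret iff some
    dual codeword has first coordinate 1 and support inside {0} u participants."""
    allowed = frozenset(participants) | {0}
    return any(c[0] == 1 and support(c) <= allowed for c in dual_code(gen))


def deal(secret, gen, rng):
    """Dealer: choose u uniformly among the vectors with u * g0 == secret and hand
    out shares v_1, ..., v_{n-1}; the coordinate v_0 = secret is not distributed."""
    k = len(gen)
    g0 = [row[0] for row in gen]
    i = next(i for i in range(k) if g0[i] != 0)       # exists because g0 != 0
    u = [rng.randrange(Q) for _ in range(k)]
    rest = sum(u[j] * g0[j] for j in range(k) if j != i)
    u[i] = (secret - rest) * pow(g0[i], -1, Q) % Q      # solve u * g0 = secret for u_i
    return encode(u, gen)[1:]


def recover(shares, gen, participants):
    """Recover the secret from the shares of `participants` (1-based indices) with a
    dual codeword c, c_0 = 1, supported on {0} u participants: sum_j c_j v_j = 0
    gives v_0 = -sum_{j >= 1} c_j v_j.  Returns None if the set is not an access set."""
    allowed = frozenset(participants) | {0}
    for c in dual_code(gen):
        if c[0] == 1 and support(c) <= allowed:
            return -sum(c[j] * shares[j - 1] for j in participants) % Q
    return None


def demo(secret, seed=1):
    """Deal `secret`, then recover it from every minimal access set and from the
    non-access set {2, 4}, which yields None."""
    shares = deal(secret, G, random.Random(seed))
    sets = minimal_access_sets(G) + [(2, 4)]
    return {s: recover(shares, G, s) for s in sets}
```

The matrix $G$ was chosen so that the access structure is not a threshold one: the minimal access sets come out as $\{1\}$, $\{2,3\}$ and $\{3,4\}$. The dual code is enumerated by brute force over $q^n$ vectors, which is fine for this toy code but not for codes of realistic length; the point of Section 5 is that for the Gray image code the minimal codewords are known without any enumeration.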
3 Finite chain rings and the Gray map
A finite chain ring is a finite local ring (commutative, with $1$) whose ideals are linearly ordered by inclusion. If $R$ is such a ring with maximal ideal $M = \langle \pi \rangle$, then every ideal of $R$ is of the form $M^j = \langle \pi^j \rangle$ and there is a chain of ideals
$$R = \langle \pi^0 \rangle \supset \langle \pi \rangle \supset \langle \pi^2 \rangle \supset \cdots \supset \langle \pi^{s-1} \rangle \supset \langle \pi^s \rangle = (0)$$
for some integer $s$, called the depth of $R$. The residue field $R/M$ is isomorphic to a finite field $\mathbb{F}_q$ with $q$ elements, the ideal $\langle \pi^j \rangle$ has $q^{s-j}$ elements and, in particular, $R$ has cardinality $q^s$. For a finite chain ring as above, a homogeneous weight is given as follows ([5]):

Definition 3 The homogeneous weight is the arithmetic function $\mathrm{wt}_h : R \to \mathbb{Z}$ given by
$$\mathrm{wt}_h(x) = \begin{cases} q^{s-1} & \text{if } x \in \langle \pi^{s-1} \rangle \setminus \{0\}, \\ (q-1)\,q^{s-2} & \text{if } x \notin \langle \pi^{s-1} \rangle, \\ 0 & \text{if } x = 0. \end{cases}$$

(For $R = \mathbb{Z}_4$, where $q = 2$ and $s = 2$, this is the Lee weight: $\mathrm{wt}_h(2) = 2$ and $\mathrm{wt}_h(1) = \mathrm{wt}_h(3) = 1$.) If $c = (c_0, \ldots, c_{n-1}) \in R^n$, then $\mathrm{wt}_h(c) = \sum_{i=0}^{n-1} \mathrm{wt}_h(c_i)$, and the homogeneous distance between $c$ and $d$ is defined as $d_h(c, d) = \mathrm{wt}_h(c - d)$.

Let $\mathbb{F}_q$ be a finite field with $q = p^t$ elements ($p$ a prime). Let $u$ be the $q$-tuple that lists all the elements of $\mathbb{F}_q$ and let $\mathbf{1}$ be the all-ones $q$-tuple. For a fixed positive integer $m$ let
$$c_i = \bigl(\mathbf{1} + \delta_{i,0}(u - \mathbf{1})\bigr) \otimes \cdots \otimes \bigl(\mathbf{1} + \delta_{i,m-1}(u - \mathbf{1})\bigr), \qquad i = 0, 1, \ldots, m,$$
where $\delta_{i,j}$ is the Kronecker delta and $\otimes$ is the tensor product (of matrices over $\mathbb{F}_q$) taken from right to left; thus $c_i$ is the tensor product of $m$ factors, the $i$-th of which is $u$ and the others $\mathbf{1}$, and $c_m$ is the all-ones vector of length $q^m$. Let $C$ be the subspace of $\mathbb{F}_q^{q^m}$ generated by the set of vectors $\{c_0, c_1, \ldots, c_m\}$; it is a $[q^m, m+1, (q-1)q^{m-1}]$ code. Let $R$ be a finite chain ring with residue field $\mathbb{F}_q$ and depth $s$. Let $\nu : R \to \mathbb{F}_q$ be the canonical map and let $T \subset R$ be a Teichmüller set of representatives of the residue field. Then any element $\alpha \in R$ has a unique $\pi$-adic representation $\alpha = a_0 + a_1 \pi + \cdots + a_{s-1} \pi^{s-1}$ with $a_i \in T$. Writing $a^{(i)} = \nu(a_i) \in \mathbb{F}_q$ and taking $m = s-1$, the Gray map on the ring $R$ is defined as
$$\phi : R \to C, \qquad \phi(\alpha) = a^{(0)} c_0 + a^{(1)} c_1 + \cdots + a^{(s-1)} c_{s-1},$$
and it is extended coordinatewise to a map $R^n \to \mathbb{F}_q^{n q^{s-1}}$. Let $d_H$ be the Hamming distance on $\mathbb{F}_q^{q^{s-1}}$ and let $d_h$ be the homogeneous distance on $R$. The main property of the Gray map is given in the following (cf. [5]):

Theorem 4 With the notation as above, the Gray map is an isometry between $(R, d_h)$ and $(\mathbb{F}_q^{q^{s-1}}, d_H)$.
4 A two-weight linear code over a finite chain ring and its Gray image
For the rest of this note we consider the finite chain ring $R = \mathbb{F}_q[x]/\langle x^s \rangle$, which has depth $s$, maximal ideal $\langle x \rangle$ and residue field $\mathbb{F}_q$; for this ring the Teichmüller set is $T = \mathbb{F}_q$ itself and the $\pi$-adic coefficients of $\alpha = a_0 + a_1 x + \cdots + a_{s-1} x^{s-1}$ are simply its polynomial coefficients. We recall the definition and the weight distribution of the linear code over $R$ introduced in [7]. Let $R = \{r_1, r_2, \ldots, r_N\}$ where $N = q^s$. Let $G_1 = (1)$ and, for $r \ge 2$, let
$$G_r = \begin{pmatrix} G_{r-1} & G_{r-1} & \cdots & G_{r-1} & G'_{r-1} \\ r_1 \cdots r_1 & r_2 \cdots r_2 & \cdots & r_N \cdots r_N & 1 \cdots 1 \end{pmatrix},$$
where $r_i$ is repeated once under each column of the $i$-th copy of $G_{r-1}$ and $G'_{r-1}$ is the $(r-1) \times q^{(s-1)(r-1)}$ matrix whose columns are all the elements of $(xR)^{r-1}$. Thus $G_r$ is an $r \times n_r$ matrix with $n_r = q^s n_{r-1} + q^{(s-1)(r-1)}$. In [7] the following result is proved.

Theorem 5 Let $R$ be the finite chain ring introduced above. Then the $R$-linear code $C_r$ with generator matrix $G_r$ has length $q^{(s-1)(r-1)}(q^r - 1)/(q-1)$, and it consists of $q^{rs} - q^r$ codewords of homogeneous weight $q^{(s-1)r-1}(q^r - 1)$, $q^r - 1$ codewords of homogeneous weight $q^{sr-1}$ and the zero codeword.

Since $R$ is an $\mathbb{F}_q$-vector space with basis $1, x, \ldots, x^{s-1}$ and $T = \mathbb{F}_q$, the coefficients $a^{(i)}$ depend $\mathbb{F}_q$-linearly on $\alpha$; hence for this ring the Gray map $\phi$ is $\mathbb{F}_q$-linear and the Gray image of an $R$-linear code is an $\mathbb{F}_q$-linear code (this is not the case for the Gray map of $\mathbb{Z}_4$, whose images are in general non-linear). Since the Gray map is also an isometry by Theorem 4, we have the following.

Proposition 6 Let $R = \mathbb{F}_q[x]/\langle x^s \rangle$ and let $C_r$ be the $R$-linear code introduced above. Then the Gray image $\phi(C_r)$ is an $\mathbb{F}_q$-linear code of length $q^{(s-1)r}(q^r - 1)/(q-1)$ with $q^{sr} - q^r$ codewords of Hamming weight $q^{(s-1)r-1}(q^r - 1)$, $q^r - 1$ codewords of Hamming weight $q^{sr-1}$ and the zero codeword.
5 The access structure
As mentioned in the introduction, the covering problem of a linear code, i.e. determining its set of minimal codewords, is a difficult task and has been solved only for a few special classes of linear codes. By invoking the following result of Ashikhmin and Barg ([1], see also [4]), it is shown that all nonzero codewords of the linear code $\phi(C_r)$ are minimal.

Lemma 7 Let $C$ be an $[n, k, d]$ linear code over the finite field $\mathbb{F}_q$. Let $w_{\min}$ and $w_{\max}$ be the minimum and maximum nonzero weights of $C$, respectively. If
$$\frac{w_{\min}}{w_{\max}} > \frac{q-1}{q}$$
then all nonzero codewords of $C$ are minimal.

For the code $\phi(C_r)$ of Proposition 6 one has $w_{\min} = q^{(s-1)r-1}(q^r - 1)$ and $w_{\max} = q^{sr-1}$, so
$$\frac{w_{\min}}{w_{\max}} = \frac{q^r - 1}{q^r} = 1 - \frac{1}{q^r},$$
which exceeds $(q-1)/q = 1 - 1/q$ exactly when $r \ge 2$. For $r = 1$ the two sides are equal and the lemma does not apply; indeed $\phi(C_1) = C$ contains the all-ones codeword $c_{s-1}$, which covers every codeword and is therefore not minimal. Hence the linear code $\phi(C_r)$ with $r \ge 2$, the Gray image of the linear code over a finite chain ring introduced in Section 4, provides a secret sharing scheme.

Proposition 8 Let $\mathbb{F}_q$ be a finite field with $q$ elements, let $R = \mathbb{F}_q[x]/\langle x^s \rangle$ with $s$ a positive integer, let $C_r$, $r \ge 2$, be the $R$-linear code of Section 4 and let $\phi$ be the Gray map of Section 3. Then the Gray image $\phi(C_r)$ of $C_r$ is a linear code over $\mathbb{F}_q$ all of whose nonzero codewords are minimal; hence, by the correspondence of Section 2, the minimal access sets of the secret sharing scheme based on the dual code $\phi(C_r)^\perp$ are exactly the sets $\operatorname{supp}(c) \setminus \{0\}$ for the codewords $c \in \phi(C_r)$ with $c_0 = 1$.
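To check Sections 3 to 5 on small instances, the following Python code is an added example (not code from the paper, nor from [5] or [7]): it implements the ring $\mathbb{F}_q[x]/\langle x^s \rangle$ for a prime $q$, the homogeneous weight of Definition 3, the Gray map of Section 3, the generator matrices $G_r$ of Section 4 and a brute-force version of the minimality test of Definition 2. Two assumptions are made: $q$ is prime, so that $\mathbb{F}_q = \mathbb{Z}/q\mathbb{Z}$ and the Teichmüller set is $\mathbb{F}_q$ itself, and the tensor factors of the Gray map are multiplied left to right rather than right to left, which only permutes the coordinates of the Gray image. For $q = 3$, $s = 2$, $r = 2$ it reproduces the weight distribution of Theorem 5 and Proposition 6 (72 codewords of weight 24, 8 of weight 27, length 36), confirms that the Gray image is $\mathbb{F}_3$-linear and that all its 80 nonzero codewords are minimal, while for $r = 1$ the hypothesis of Lemma 7 fails and the all-ones codeword is not minimal.

```python
"""Chain ring R = F_q[x]/<x^s>, q prime: homogeneous weight and Gray map
(Section 3), the code C_r (Section 4), the minimality check (Section 5).
Added example, not code from the paper or from [5]/[7].  Assumed: q is prime,
so F_q = Z/qZ and the Teichmueller set is F_q; a ring element is the tuple
(a_0, ..., a_{s-1}) of coefficients of a_0 + a_1 x + ... + a_{s-1} x^{s-1};
tensor factors in the Gray map are multiplied left to right, a coordinate
permutation of the paper's Gray image that changes no weight."""
from collections import Counter
from itertools import product

def ring_add(a, b, q):
    return tuple((x + y) % q for x, y in zip(a, b))

def ring_mul(a, b, q):
    """Polynomial product truncated at x^s (x^s = 0 in R)."""
    c = [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b[:len(a) - i]):
            c[i + j] = (c[i + j] + ai * bj) % q
    return tuple(c)

def hom_weight(a, q):
    """0 at 0, q^(s-1) on the socle <x^(s-1)> minus 0, (q-1) q^(s-2) elsewhere."""
    s = len(a)
    if not any(a):
        return 0
    return q ** (s - 1) if not any(a[:-1]) else (q - 1) * q ** (s - 2)

def gray_basis(q, s):
    """c_0..c_m (m = s-1) of length q^m: tensor product of m all-ones q-tuples
    with the i-th factor replaced by u = (0, ..., q-1); c_m is all ones."""
    m, u, ones = s - 1, tuple(range(q)), (1,) * q
    basis = []
    for i in range(m + 1):
        v = (1,)
        for j in range(m):
            v = tuple(x * y % q for x in v for y in (u if j == i else ones))
        basis.append(v)
    return basis

def gray(word, basis, q):
    """phi coordinatewise: a = (a_0, ..., a_{s-1}) maps to sum_i a_i c_i."""
    cols = list(zip(*basis))
    return tuple(sum(ai * ci for ai, ci in zip(a, col)) % q
                 for a in word for col in cols)

def code_words(q, s, r):
    """All q^(rs) codewords u * G_r, G_r built as in Section 4: G_1 = (1),
    G_r = [N copies of G_{r-1} over r_1..r_N | columns of (xR)^(r-1) over 1]."""
    one, ring = (1,) + (0,) * (s - 1), list(product(range(q), repeat=s))
    x_ring = [a for a in ring if a[0] == 0]          # the maximal ideal <x>
    cols = [(one,)]                                   # columns of G_1
    for k in range(1, r):                             # extend G_k to G_{k+1}
        cols = ([c + (ri,) for ri in ring for c in cols] +
                [c + (one,) for c in product(x_ring, repeat=k)])
    words = []
    for u in product(ring, repeat=r):
        w = []
        for col in cols:
            acc = (0,) * s
            for ui, gi in zip(u, col):
                acc = ring_add(acc, ring_mul(ui, gi, q), q)
            w.append(acc)
        words.append(tuple(w))
    return words

def weight_distributions(q, s, r):
    """(homogeneous weights of C_r, Hamming weights of phi(C_r)); Theorem 4 makes
    them equal and Theorem 5 / Proposition 6 predict expected_distribution."""
    basis, words = gray_basis(q, s), code_words(q, s, r)
    hom = Counter(sum(hom_weight(a, q) for a in w) for w in words)
    ham = Counter(sum(1 for t in gray(w, basis, q) if t) for w in words)
    return dict(hom), dict(ham)

def expected_distribution(q, s, r):
    return {0: 1, q ** ((s - 1) * r - 1) * (q ** r - 1): q ** (r * s) - q ** r,
            q ** (s * r - 1): q ** r - 1}

def gray_image(q, s, r):
    basis = gray_basis(q, s)
    return sorted({gray(w, basis, q) for w in code_words(q, s, r)})

def is_linear(code, q):
    """Closed under addition mod q, which for prime q is F_q-linearity."""
    table = set(code)
    return all(tuple((x + y) % q for x, y in zip(c, d)) in table
               for c in code for d in code)

def ashikhmin_barg(code, q):
    """Hypothesis of Lemma 7 on the nonzero weights: q * w_min > (q-1) * w_max."""
    wts = {sum(1 for t in c if t) for c in code if any(c)}
    return q * min(wts) > (q - 1) * max(wts)

def all_minimal(code, q):
    """Definition 2 by brute force: each nonzero codeword covers only its multiples."""
    nonzero = [c for c in code if any(c)]
    supp = {c: frozenset(i for i, t in enumerate(c) if t) for c in nonzero}
    for c in nonzero:
        multiples = {tuple(a * t % q for t in c) for a in range(1, q)}
        if any(supp[d] <= supp[c] and d not in multiples for d in nonzero):
            return False
    return True
```

The brute-force minimality test is quadratic in the number of codewords and is only meant to confirm Lemma 7 on instances with a few hundred codewords; for larger parameters one relies on the ratio $w_{\min}/w_{\max} = 1 - q^{-r}$ computed above rather than on enumeration.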
References
[1] A. Ashikhmin and A. Barg, "Minimal vectors in linear codes", IEEE Trans. Inform. Theory, vol. 44, no. 5, pp. 2010-2017, Sep. 1998.
[2] A. Ashikhmin and A. Barg, "Minimal vectors in linear codes and sharing of secrets", Univ. Bielefeld, SFB 343 Diskrete Strukturen in der Mathematik, preprint 94-113, 1994 (www.mathematik.unibielefeld.de/sfb343/preprints).
[3] G. R. Blakley, "Safeguarding cryptographic keys", in Proc. 1979 National Computer Conf., New York, pp. 313-317, 1979.
[4] J. Yuan and C. Ding, "Secret sharing schemes from three classes of linear codes", IEEE Trans. Inform. Theory, vol. 52, no. 1, pp. 206-212, Jan. 2006.
[5] M. Greferath and S. E. Schmidt, "Gray isometries for finite chain rings and a nonlinear ternary (36, 3^12, 15) code", IEEE Trans. Inform. Theory, vol. 45, pp. 2522-2524, Nov. 1999.
[6] A. R. Hammons, Jr., P. V. Kumar, A. R. Calderbank, N. J. A. Sloane, and P. Solé, "The Z4-linearity of Kerdock, Preparata, Goethals, and related codes", IEEE Trans. Inform. Theory, vol. 40, pp. 301-319, 1994.
[7] S. Ling and P. Solé, "Two-weight codes over chain rings and partial difference sets", Rapport de recherche I3S/RR-2002-40-FR, http://www.i3s.unice.fr/I3S/FR
[8] J. L. Massey and D. V. Sarwate, "On sharing secrets and Reed-Solomon codes", Commun. Assoc. Comput. Mach. (ACM), vol. 24, pp. 583-584, 1981.
[9] J. L. Massey, "Minimal codewords and secret sharing", in Proc. 6th Joint Swedish-Russian Workshop on Information Theory, Mölle, Sweden, Aug. 1993, pp. 276-279.
[10] J. L. Massey, "Some applications of coding theory in cryptography", in Codes and Ciphers: Cryptography and Coding IV, Formara Ltd, Essex, England, pp. 33-47, 1995.
[11] A. Shamir, "How to share a secret", Commun. Assoc. Comput. Mach. (ACM), vol. 22, pp. 612-613, 1979.