Threshold Blockwise Secret Sharing Schemes

A Coding Theorem for Cheating-Detectable (2, 2)-Threshold Blockwise Secret Sharing Schemes Mitsugu Iwamoto

Hirosuke Yamamoto

Hiroki Koga

Graduate School of Information Systems University of Electro-Communications 1-5-1, Chofu-gaoka, Chofu-shi, Tokyo 182-8585, Japan Email: [email protected]

Graduate School of Frontier Sciences, University of Tokyo 5-1-5 Kashiwanoha, Kashiwa-shi, Chiba 277-8561, Japan Email: [email protected]

Graduate School of Systems and Information Engineering, University of Tsukuba 1-1-1 Tennoudai, Tsukuba-shi, Ibaraki 305-8573, Japan Email: [email protected]

Abstract—It is known that a secret sharing scheme (SSS) with perfect cheating detection cannot be realized because such a SSS requires infinite share rates. However, this impossibility comes from the fact that block coding is not used and any decoding error is not allowed in the SSS. Hence, in this paper, we consider a SSS constructed by block coding with an arbitrarily small decoding error probability. It is shown that the perfect cheating detection with finite rates is possible for the 2-out-of-2 SSS in a certain asymptotic sense. Furthermore, the supremum of the achievable exponent in the maximum success probability of impersonation attack turns out to be the mutual information between the two shares.

I. I NTRODUCTION A secret sharing scheme (SSS, [1], [2]) is a well-known cryptographic technique that enables us to share a secret data among some users. In (t, m)-threshold SSSs, for example, a secret S is encoded into m shares, and S is recovered by collecting arbitrary t out of m shares although any information of S cannot be obtained from arbitrary t − 1 or less shares in the sense of unconditional security. In this paper, we focus on the SSS with cheating detection, SSSCD for short1 , which is firstly discussed by McElieceSarwate [3] and Karnin-Greene-Hellman [4] from the viewpoint of error-correcting codes. Then, Tompa-Woll [5] clarified that it is impossible for Shamir’s SSS [1] to detect cheating. In addition, they proposed a construction of SSSCD as an extension of Shamir’s SSS in [5] although it is much inefficient. Ogata-Kurosawa-Stinson [6] derived the tight lower bound of the share size for given maximum success probability of substitution attack denoted by PS . According to [6], it is shown that |Wi | ≥

|S| − 1 + 1, PS

(1)

holds where | · | denotes the cardinality, and W1 , W2 , . . . , Wm and S are the sets of m shares and a secret, respectively. In addition, the construction that achieves this bound is given in 1 In SSSCDs, it is sufficient to detect the existence of cheating. On the other hand, note that the so-called verifiable SSS aims to identify the cheater among participants and a dealer.

[6]. It is easy to see from this inequality that lim

PS →0

|Wi | 1 − 1/|S| > lim = ∞, PS →0 |S| PS

(2)

which implies that SSSCD cannot be realized since share rates diverge if the success probability of the substitution attack approaches to 0. Intuitively, it is natural that share size must be large in order to achieve small success probability of substitution attack since the substitution attack happens to succeed if the shares take values in finite sets. But, we note that this impossibility comes from the fact that the SSSCDs in [3]–[6] are studied in a non-asymptotic setting, i.e., block coding is not used and any decoding error is not allowed in the SSSCDs. Hence, in this paper, an asymptotic setting is introduced in SSSCDs. That is, we consider a (2, 2)-threshold SSSCD constructed by block coding with an arbitrary small decoding error probability. We treat the so-called impersonation attack according to [7]–[10] which is weaker than the substitution attack. Then, it is shown that the maximum success probability of impersonation attacks converges to 0 even if share rate is finite, and the supremum of achievable exponent in the success probabilities of impersonation attack is determined by the mutual information of two shares. Furthermore, the construction of encoders and decoders can be simplified compared to [6] in the asymptotic setting. This paper is organized as follows: In Section II, a (2, 2)SSSCD is formulated with introducing notation. A coding theorem of the (2, 2)-SSSCD, which is the main result of this paper, is also presented. The direct part and the converse part of the coding theorem are proved in Sections III and IV, respectively. II. P RELIMINARIES Let W1 , W2 and S be random variables taking values in finite sets W1 , W2 , and S, respectively. Define W1 = {0, 1, . . . , M − 1}, W2 = {0, 1, . . . , M − 1}, S = {0, 1, . . . , MS − 1},

(3) (4) (5)

where M and MS are positive integers satisfying M ≥ MS .

Opponent

W1′ n

Participant 1

S

˜ 1n W

W1n

Encoder

Decoder

ψ (n)

ϕ(n)

n

U

˜ 2n W

W2n

n

Sˆn or Λ

Participant 2

W2′ n

Random Number Generator

Opponent

Fig. 1 (2, 2)-SSSCD

As is shown in Fig.1, an encoder of a (2, 2)-SSSCD is assumed to be a deterministic map ϕ(n) : S n ×U n → W1n ×W2n where U is a finite set. Let U be a random variable which is uniformly distributed in the set U and is independent of S. We def def assume that S n = S1 S2 . . . Sn and U n = U1 U2 · · · Un are i.i.d. copies of S and U , respectively, and the encoder ϕ(n) is realized by the repeated application of F : S × U → W1 × W2 to (Si , Ui ), i = 1, 2, . . . , n. That is, ϕ(n) can be written as def

ϕ(n) (sn , un ) = F (s1 , u1 )F (s2 , u2 ) · · · F (sn , un ),

(6)

def

def

where sn = s1 s2 · · · sn ∈ S n and un = u1 u2 · · · un ∈ U n are a secret and random numbers, respectively. Hence, shares denoted by W1n and W2n are i.i.d. copies of W1 and W2 , respectively, where (W1 , W2 ) = F (S, U ). For the security of (2, 2)-threshold SSSs, it is sufficient to require that any information of S must not leak out from Wi . Hence, we impose H(S|Wi ) = H(S), i = 1, 2, on F , which leads to H(S addition, we impose

n

|Win )

= H(S ) for i = 1, 2. In

G(n) (w1n , w2n ) = G(w1,1 , w2,1 )G(w1,2 , w2,2 ) · · · G(w1,n , w2,n ).

(9)

(10)

where R[ψ (n) ] ⊂ W1n × W2n is an acceptance region of ˜2n ) specified by the decoder ψ (n) , and Λ means that (w ˜1n , w ˜2n ̸= w2n , is detected. In this the cheating, i.e., w ˜1n ̸= w1n or w setting, the decoding error of ψ (n) for the legitimate shares happens only when ψ (n) outputs Λ, which can be represented as def

ε(n) = Pr{ψ (n) (ϕ(n) (S n , U n )) = Λ},

(11)

and it must satisfy lim ε(n) = 0.

(8)

on F so that (W1 , W2 ) can be correctly decoded to S. We assume that an opponent impersonates one of the participants 1 and 2 by injecting wi′n instead of win . Such attack is called an impersonation attack according to [7]–[10]. A decoder denoted by ψ (n) judges whether the shares are legitimate or not and decodes the shares if they are judged as legitimate. Now, let G : W1 ×W2 → S ∪{λ} be a decoder corresponding to F and satisfying G(w1 , w2 ) = λ for every (w1 , w2 ) that does not belong to the range of F . Furthermore, from the requirement given by (8), G can reproduce S without error from legitimate shares. Then, we can define the decryption for the legitimate shares (w1n , w2n ) by def

˜n ) ψ (n) (w ˜n, w { 1(n) 2 n n ˜2n ) ∈ R[ψ (n) ], ˜1n , w ˜2 ) if (w G (w ˜1 , w = Λ otherwise,

(7)

n

H(S|W1 W2 ) = 0.

Due to the definitions of F and ϕ(n) , the secret S n can be reproduced without error from the legitimate shares, i.e., H(S n |W1n W2n ) = 0. Let (w ˜1n , w ˜2n ) be the shares received by the decoder ψ (n) where we assume that ψ (n) does not know whether w ˜in is equal n ′n n n to wi or wi . Then, it is clear that (w ˜1 , w ˜2 ) is judged to be ˜2n ) ̸∈ S n . Therefore, the decoder impersonated if G(n) (w ˜1n , w ψ (n) : W1n × W2n → S n ∪ {Λ} is required to satisfy

n→∞

(12)

We call (ϕ(n) , ψ (n) ) a code, and assume that the code construction of (ϕ(n) , ψ (n) ) is known to the opponent. Note that an impersonation attack succeeds when the decoder does not output Λ from invalid shares (w1′n , w2n ) or (w1n , w2′n ) since the opponent attacks without knowing the shares. Then, the maximum success probabilities of impersonation attack can be defined as ∑ (n) def PI1 = ′n max n PW2n (w2n )χR[ψ(n) ] (w1′n , w2n ), (13) w1 ∈W1

(n) def

w2n ∈W2n

PI2 = ′n max n w2 ∈W2

∑

PW1n (w1n )χR[ψ(n) ] (w1n , w2′n ),

(14)

w1n ∈W1n

where χR[ψ(n) ] (w1n , w2n ) is the indicator function for the region R[ψ (n) ] ⊂ W1n × W2n defined as follows: { 1 if (w1n , w2n ) ∈ R[ψ (n) ], n n def χR[ψ(n) ] (w1 , w2 ) = (15) 0 otherwise.

(n)

We are now interested in the smaller exponent of PIi , i = 1, 2 because we assume that the opponent is wise enough to choose a participant 1 or 2 so that he can succeed in impersonation with the maximum probability. Hence, we define an achievable exponent of the success probability of impersonation attack as follows: Definition 1. In the (2, 2)-SSSCD, r is said to be achievable if there exists a sequence of codes {(ϕ(n) , ψ (n) )}∞ n=1 which satisfies2 } { 1 1 (n) (n) ≥ r, (16) lim inf min − log PI1 , − log PI2 n→∞ n n

TABLE I Example of (w1 , w2 , s) when MS = 2 and M = 3 w2 \w1 0 1 2

0 0 1 λ

1 1 λ 0

2 λ 0 1

¤

M − 1. Note that the encoder ϕ(n)∗ of (2, 2)-SSSCD can be constructed by (6) and F ∗ defined in (19). Then, the decoder G∗ can be written as { 〈w1 + w2 〉M if 〈w1 + w2 〉M ∈ S, ∗ (20) G (w1 , w2 ) = λ otherwise.

Theorem 2. Let r∗ be the supremum of achievable r in the (2, 2)-SSSCD. Then, it holds that

Note that the secret s can be decoded by G∗ without errors. Furthermore, we note that the shares (W1 , W2 ) are generated according to the conditional probability distribution

in addition to (7), (8) and (12). The following theorem is the main result of this paper:

r∗ = log M − H(S).

(17) ¤

Remark 3. In the SSSCDs in the non-asymptotic setting (e.g., [3]–[6]), it is shown that any ideal SSS cannot detect cheating with probability 1. Furthermore, as is shown in [11], we note that the ideal SSSs can be realized if and only if M = MS and S is uniformly distributed. Similarly, in the asymptotic setting discussed in this paper, it is impossible for any ideal (2, 2)-SSS to achieve exponentially fast cheating detection because Theorem 2 implies that r∗ = 0 holds if and only if M = MS and S is uniformly distributed. On the other hand, we note that r∗ is positive for arbitrary distribution of S if M > MS . ¤ III. P ROOF OF THE D IRECT PART In this section, we show the direct part of Theorem 2 which immediately follows from the lemma below. Lemma 4. In the (2, 2)-SSSCDs, there exists a sequence of codes {(ϕ(n)∗ , ψ (n)∗ )}∞ n=1 that satisfies (7), (8), (12) and { } 1 1 (n) (n) lim inf min − log PI1 , − log PI2 ≥ log M − H(S). n→∞ n n (18) As a consequence, r∗ ≥ log M − H(S) is obtained.

¤

A. Constructions of the Encoder and the Decoder In order to construct the code (ϕ(n)∗ , ψ (n)∗ ), we use an encoder and a decoder of an ordinary (2, 2)-SSS such that F ∗ : S × U → W1 × W2 and G∗ : W1 × W2 → S ∪ {λ}, respectively, where U = {0, 1, . . . , M −1}. Define the encoder F ∗ for a secret s ∈ S and a random number u ∈ U as F ∗ (s, u) = (〈s − u〉M , u), def

(19)

where 〈u〉v for u ∈ Z and v ∈ N is defined to be the nonnegative integer ℓ satisfying ℓ ≡ u mod v and 0 ≤ ℓ ≤ 2 Throughout

the paper, the base of logarithm is 2.

PW1 W2 |S (w1 , w2 |s) { 1/M if s = 〈w1 + w2 〉M ∈ S, = 0 otherwise,

(21)

if we apply the encoder F ∗ defined in (19) to the secret S with an arbitrary probability distribution PS (·). Hence, the following discussion holds for an arbitrary distribution on S. This idea is based on the SSS for non-uniform secret distribution studied in [11]. Furthermore, SSSCDs for non-uniform secret distribution in non-asymptotic setting are discussed in [12]. Next, we define the support of the probability distribution PW1 W2 by def

Supp(PW1 W2 ) = {(w1 , w2 ) : PW1 W2 (w1 , w2 ) > 0}. (22) Then, it is easy to check that (w1 , w2 ) ∈ Supp(PW1 W2 ) and G∗ (w1 , w2 ) ∈ S are equivalent, i.e., it holds that Supp(PW1 W2 ) = {(w1 , w2 ) : G∗ (w1 , w2 ) ∈ S}.

(23)

Example 5. Let us consider the case of MS = 2 and M = 3. Table I shows the secret s obtained from shares (w1 , w2 ) by (19). We can check that (21) is satisfied, i.e., the shares (W1 , W2 ) are generated from F ∗ according to PW1 W2 |S (w1 , w2 |s) { 1/3 for 〈w1 + w2 〉M = 0 or 1, = 0 for 〈w1 + w2 〉M = 2, for an arbitrary secret distribution on S = {0, 1}.

(24) ¤

In what follows, we calculate information-theoretic quantities related to W1 and W2 generated by F ∗ . First, for every fixed wi ∈ Wi and s ∈ S, we can check that there exists a unique wj ∈ Wj , j ̸= i, satisfying s = G∗ (w1 , w2 ). Hence, it holds from (21) that PWi |S (wi |s) =

∑ wj ∈Wj

PW1 W2 |S (w1 , w2 |s) =

1 , (25) M

for every (wi , s) ∈ Wi × S. Then, we have ∑ PWi (wi ) = PWi |S (wi |s)PS (s)

B. Evaluations of Error and Success Probabilities The decoding error probability of ψ (n)∗ defined in (33) for the legitimate shares (W1n , W2n ) can be evaluated as

s∈S

=

∑ 1 1 · PS (s) = . M M

(n)

s∈S

From (25) and (26), it is shown that S and Wi are statistically independent, i.e., (7) is satisfied. Furthermore, it is shown that (a)

(27)

where the marked equalities (a) and (b) hold from the following reasons: (a) There exists a bijection between U × S and W1 × W2 . (b) U and S are statistically independent. Therefore, we obtain from (26) and (27) that I(W1 ; W2 ) = H(W1 ) + H(W2 ) − H(W1 W2 ) = 2 log M − {log M + H(S)} = log M − H(S).

Next, we show how to construct the decoder ψ (n)∗ . For an arbitrary small θ > 0, define a region for the authentication by { (n) def Aθ = (w1n , w2n ) ∈ W1n × W2n : } PW1n W2n (w1n , w2n ) 1 > I(W1 ; W2 ) − θ . log n PW1n (w1n )PW2n (w2n ) (29) (n)

which satisfies limn→∞ ε = 0 from the weak law of large numbers, and hence, (12) holds. Next, we evaluate the success probability of impersonation attack by ∑ (n) max n PW2n (w2n )χR[ψ(n) ] (w1′n , w2n ) PI1 = ′n

that

PW2n (w2n ) PW1n W2n (w1n , w2n ) < exp2 [−n{I(W1 ; W2 ) − θ}]. (30) PW1n (w1n )

w2n ∈W2n

{ } (n) ′n n max Pr (w , W ) ∈ A 1 2 θ w1′n ∈W1n ∑ = ′n max n PW2n (w2n ) =

w1 ∈W1

(n)

w2n :(w1n ,w2n )∈Aθ

∑

(⋆)

≤

≤ (28)

max n ′n

w1 ∈W1

max

w1′n ∈W1n

w2n :(w1′n ,w2n )∈Aθ

(n)

PW1n W2n (w1′n , w2n ) PW1n (w1′n )

· exp2 [−n{log M − H(S) − θ}] ∑ PW n W n (w1′n , w2n ) 1

w2n ∈W2n

2

PW1n (w1′n )

· exp2 [−n{log M − H(S) − θ}] = exp2 [−n{log M − H(S) − θ}], (35) where (⋆) follows from (28) and (30). Similarly, we have (n)

PI2 ≤ exp2 [−n{log M − H(S) − θ}].

IV. P ROOF OF THE C ONVERSE PART In this section, we begin with the following lemma to prove the converse part of Theorem 2. Lemma 6. For any sequence of codes {(ϕ(n) , ψ (n) )}∞ n=1 for the (2, 2)-SSSCD satisfying (7), (8), and (12), it holds that } { 1 1 (n) (n) ≤ I(W1 ; W2 ). lim sup max − log PI1 , − log PI2 n n n→∞ (37) ¤

(n)∗

G (w1n , w2n ) def = G∗ (w1,1 , w2,1 )G∗ (w1,2 , w2,2 ) · · · G∗ (w1,n , w2,n ).

(31)

In the same way as (23), we can check that

Proof of Lemma 6: To prove Lemma 6, we describe the relation between the (2, 2)-SSSCD and hypothesis testing according to [8]–[10]. We consider the following two hypotheses ˜ 1n , W ˜ 2n ) ∼ PW n W n , H0 : ( W (38) 1

def

(n)∗

:G

(w1n , w2n )

2

˜ 1n , W ˜ 2n ) ∼ PW n PW n . H1 : ( W 1 2

Supp(PW1n W2n ) = {(w1n , w2n ) : PW1n W2n (w1n , w2n ) > 0} =

(36)

Hence, we obtain (18) since θ > 0 is arbitrary.

Furthermore, define from (9) that

{(w1n , w2n )

(34)

(n)

w1 ∈W1

(b)

H(W1 W2 ) = H(U S) = H(U ) + H(S) = log M + H(S),

Then, it holds for any (w1n , w2n ) ∈ Aθ

ε(n) = Pr{(W1n , W2n ) ̸∈ Aθ },

(26)

∈ S }. (32) n

(n)

In addition, it is easy to see from (30) that (w1n , w2n ) ∈ Aθ implies (w1n , w2n ) ∈ Supp(PW1n W2n ). Hence, from (32), every (w1n , w2n ) ∈ A(n) satisfies G(n)∗ (w1n , w2n ) ∈ S n . Therefore, def (n)∗ we can define the decoder ψ (n)∗ = ψθ for θ > 0 as follows: { (n) (n)∗ (n)∗ (w ˜1n , w ˜2n ) if (w ˜1n , w ˜2n ) ∈ Aθ , n n def G ψθ (w ˜1 , w ˜2 ) = (33) Λ otherwise.

(39)

Define an acceptance region for the hypothesis H0 as R[ψ (n) ] ⊂ W1n × W2n . Then, the error probability of the first kind and the error probability of the second kind are represented by ∑ def α(n) = PW1n W2n (w ˜1n , w ˜2n ), (40) (w ˜1n ,w ˜2n )∈(R[ψ (n) ])c def

β (n) =

∑

(w ˜1n ,w ˜2n )∈R[ψ (n) ]

PW1n PW2n (w ˜1n , w ˜2n ).

(41)

It is easy to see that the error of the first kind is equivalent to decoding error of ψ (n) defined in (11). Hence, for arbitrary integer n ≥ 1, it holds that α(n) = ε(n) .

(42)

Furthermore, we have the following relation: ∑ (n) PI1 = ′n max n PW2n (w2n )χR[ψ(n) ] (w1′n , w2n ) w1 ∈W1

≥

w2n ∈W2n

∑

∑

w1′n ∈W1n

w2n ∈W2n

PW1n (w1′n )PW2n (w2n )χR[ψ(n) ] (w1′n , w2n )

= β (n) .

(43)

Similarly, we also have (n)

β (n) ≤ PI2 .

(44)

def

min

β (n) .

n ×W n R[ψ (n) ]⊂W1 2 α(n) ≤ε

(45)

Then, we note from (12) that α(n) ≤ ε is satisfied for an arbitrary ε > 0 if n is sufficiently large. Hence, from (43) and (44), it holds for any acceptance region R[ψ (n) ] that 1 1 (n) (46) − log β (n) (ε) ≥ − log PIi , n n if n is sufficiently large. Therefore, we obtain { } 1 1 1 (n) (n) − log β (n) (ε) ≥ max − log PI1 , − log PI2 . (47) n n n Recall that Stein’s lemma (e.g., [13]) guarantees 1 lim − log β (n) (ε) = D(PW1 W2 ||PW1 PW2 ) n→∞ n = I(W1 ; W2 ),

(48)

for an arbitrary ε > 0. Hence, by taking the limit superior of both sides of (47), (37) is established. ¤ From the conditions of (2, 2)-threshold SSSs, the following inequality holds: I(W1 ; W2 ) = ≤ = =

H(Wi ) − H(Wj |Wi ) H(Wi ) − H(Wj |Wi ) + H(Wj |SWi ) H(Wi ) − I(Wj ; S|Wi ) H(Wi ) − H(S|Wi ) + H(S|W1 W2 )

(†)

≤ H(Wi ) − H(S),

(49)

where (†) follows from (7) and (8). Hence, we have I(W1 ; W2 ) ≤ min{H(W1 ), H(W2 )} − H(S), ≤ log M − H(S).

(50)

From (37), (50), and

} { 1 1 (n) (n) r ≤ lim inf min − log PI1 , − log PI2 n→∞ n n } { 1 1 (n) (n) ≤ lim sup max − log PI1 , − log PI2 , n n n→∞

Lemma 7. In the (2, 2)-SSSCDs, any achievable exponent r of the impersonation attack satisfies r ≤ log M − H(S). Hence, it holds that r∗ ≤ log M − H(S). ¤ Remark 8. From (18), (37), (50), and (51), it is shown that the limits 1 (n) def lim − log PIi = ri∗ , i = 1, 2, (52) n→∞ n exist for the sequence of codes which attains the supremum of the achievable exponent on the success probability of the impersonation attack. Furthermore, we note that they satisfy r1∗ = r2∗ = log M − H(S),

(53)

which is achieved by the sequence of codes {(ϕ(n) , ψ (n) )}∞ n=1 given in the proof of Lemma 4. ¤

Now, we define for ε > 0 that β (n) (ε) =

we obtain the following lemma. Theorem 2 is proved by combining Lemmas 4 and 7.

(51)

ACKNOWLEDGMENT The authors would like to thank Prof. Hiroshi Nagaoka in the University of Electro-Communications, for pointing out the relation between Lemma 6 and Stein’s lemma. R EFERENCES [1] A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979. [2] G. R. Blakley, “Safeguarding cryptographic keys,” AFIPS 1979 National Computer Conference, vol. 48, pp. 313–317, 1979. [3] R. J. McEliece and D. V. Sarwate, “On sharing secrets and Reed Solomon codes,” Communications of the ACM, vol. 24, no. 9, pp. 583– 584, 1981. [4] E. D. Karnin, J. W. Greene, and M. E. Hellman, “On secret sharing systems,” IEEE Trans. Inform. Theory, vol. 29, no. 1, pp. 35–41, 1983. [5] M. Tompa and H. Woll, “How to share a secret with cheaters,” Journal of Cryptology, vol. 1, no. 3, pp. 133–138, 1988. Preliminary version: CRYPTO’86, LNCS 263, pp.262–265. [6] W. Ogata, K. Kurosawa, and D. R. Stinson, “Optimum secret sharing scheme secure against cheating,” SIAM Journal of Discrete Mathematics, vol. 20, no. 1, pp. 79–95, 2006. Preliminary version: EUROCRYPT’96, LNCS 1070, pp.200–211. [7] G. J. Simmons, “Authentication theory/coding theory,” Advances in Cryptology-CRYPTO’84, LNCS 196, Springer-Verlag, pp. 411–431, 1985. [8] H. Koga and H. Yamamoto, “Coding theorems for secret-key authentication systems,” IEICE Trans. Fundamentals, vol. E83–A, no. 8, pp. 1691– 1703, 2000. [9] H. Koga, “A generalization of the Simmons’ bounds on secret-key authentication systems,” IEICE Trans. Fundamentals, vol. E83–A, no. 10, pp. 1983–1985, 2000. [10] U. Maurer, “Authentication theory and hypothesis testing,” IEEE Trans. on Information Theory, vol. 46, no. 4, pp. 1350–1356, 2000. Preliminary version: STACS’96, LNCS 1046, pp.387–398, 1996. [11] C. Blundo, A. D. Santis, and U. Vaccaro, “On secret sharing schemes,” Information Processing Letters, no. 65, pp. 25–32, 1998. [12] S. Obana and T. Araki, “Secret sharing schemes secure against cheating for arbitrary secret distribution,” Advances in Cryptology-ASIACRYPT, LNCS 4284, Springer-Verlag, pp. 364–379, 2006. [13] R. E. Blahut, Principles and Practice of Information Theory. Addison Wesley, 1991.