proof cover sheet

PROOF COVER SHEET Author(s):

Selda Çalkavur

Article title: Multisecret sharing schemes and bounded distance decoding of linear codes Article no:

GCOM1091071

Enclosures:

1) Query sheet 2) Article proofs

Dear Author, 1. Please check these proofs carefully. It is the responsibility of the corresponding author to check these and approve or amend them. A second proof is not normally provided. Taylor & Francis cannot be held responsible for uncorrected errors, even if introduced during the production process. Once your corrections have been added to the article, it will be considered ready for publication. Please limit changes at this stage to the correction of errors. You should not make trivial changes, improve prose style, add new material, or delete existing material at this stage. You may be charged if your corrections are excessive (we would not expect corrections to exceed 30 changes). For detailed guidance on how to check your proofs, please paste this address into a new browser window: http://journalauthors.tandf.co.uk/production/checkingproofs.asp Your PDF proof file has been enabled so that you can comment on the proof directly using Adobe Acrobat. If you wish to do this, please save the file to your hard disk first. For further information on marking corrections using Acrobat, please paste this address into a new browser window: http://journalauthors.tandf.co.uk/production/acrobat.asp

2. Please review the table of contributors below and confirm that the first and last names are structured correctly and that the authors are listed in the correct order of contribution. This check is to ensure that your name will appear correctly online and when the article is indexed. Sequence 1. 2.

Prefix Given name(s) Surname Suffix Selda Çalkavur Patrick Solé

Queries are marked in the margins of the proofs, and you can also click the hyperlinks below.

AUTHOR QUERIES General points: (1) Permissions: You have warranted that you have secured the necessary written permission from the appropriate copyright owner for the reproduction of any text, illustration, or other material in your article. Please see http://journalauthors.tandf.co.uk/permissions/usingThird PartyMaterial.asp. (2) Third-party content: If there is third-party content in your article, please check that the rightsholder details for re-use are shown correctly. (3) Affiliation: The corresponding author is responsible for ensuring that address and email details are correct for all the co-authors. Affiliations given in the article should be the affiliation at the time the research was conducted. Please see http://journalauthors.tandf.co.uk/preparation/ writing.asp. (4) Funding: Was your research for this article funded by a funding agency? If so, please insert ‘This work was supported by ’, followed by the grant number in square brackets ‘[grant number xxxx]’. (5) Supplemental data and underlying research materials: Do you wish to include the location of the underlying research materials (e.g. data, samples or models) for your article? If so, please insert this sentence before the reference section: ‘The underlying research materials for this article can be accessed at / description of location [author to complete]’. If your article includes supplemental data, the link will also be provided in this paragraph. See for further explanation of supplemental data and underlying research materials. (6) The CrossRef database (www.crossref.org/) has been used to validate the references. Mismatches will have resulted in a query.

QUERY NO. AQ1 AQ2 AQ3 AQ4 AQ5 AQ6 AQ7

QUERY DETAILS The AMS codes, year and keywords have been included from the pdf file. Please check and provide revisions if it is not correct. Please spell out “SSS” in full at the first mention. Please provide missing citation for Refs [1,9,12,14]. Please provide missing editor, publisher and city names for Ref. [3]. Please provide missing city name for Ref. [13]. Please provide missing city name for Ref. [15]. Please provide missing editor, publisher and city names for Ref. [17].

How to make corrections to your proofs using Adobe Acrobat/Reader Taylor & Francis offers you a choice of options to help you make corrections to your proofs. Your PDF proof file has been enabled so that you can edit the proof directly using Adobe Acrobat/Reader. This is the simplest and best way for you to ensure that your corrections will be incorporated. If you wish to do this, please follow these instructions: 1. Save the file to your hard disk. 2. Check which version of Adobe Acrobat/Reader you have on your computer. You can do this by clicking on the “Help” tab, and then “About”. If Adobe Reader is not installed, you can get the latest version free from http://get.adobe.com/reader/. 3. If you have Adobe Acrobat/Reader 10 or a later version, click on the “Comment” link at the right-hand side to view the Comments pane. 4. You can then select any text and mark it up for deletion or replacement, or insert new text as needed. Please note that these will clearly be displayed in the Comments pane and secondary annotation is not needed to draw attention to your corrections. If you need to include new sections of text, it is also possible to add a comment to the proofs. To do this, use the Sticky Note tool in the task bar. Please also see our FAQs here: http://journalauthors.tandf.co.uk/production/index.asp. 5. Make sure that you save the file when you close the document before uploading it to CATS using the “Upload File” button on the online correction form. If you have more than one file, please zip them together and then upload the zip file. If you prefer, you can make your corrections using the CATS online correction form. Troubleshooting Acrobat help: http://helpx.adobe.com/acrobat.html Reader help: http://helpx.adobe.com/reader.html Please note that full user guides for earlier versions of these programs are available from the Adobe Help pages by clicking on the link “Previous versions” under the “Help and tutorials” heading from the relevant link above. Commenting functionality is available from Adobe Reader 8.0 onwards and from Adobe Acrobat 7.0 onwards. Firefox users: Firefox’s inbuilt PDF Viewer is set to the default; please see the following for instructions on how to use this and download the PDF to your hard drive: http://support.mozilla. org/en-US/kb/view-pdf-files-firefox-without-downloading-them#w_using-a-pdf-reader-plugin

Coll: QA: CE: SV

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

INTERNATIONAL JOURNAL OF COMPUTER MATHEMATICS, 2015 http://dx.doi.org/10.1080/00207160.2015.1091071

Multisecret-sharing schemes and bounded distance decoding of linear codes Selda Çalkavura and Patrick Soléb a Department of Mathematics, Kocaeli University, Kocaeli, Turkey; b CNRS/LTCI, Telecom ParisTech, Paris, France

ABSTRACT

ARTICLE HISTORY

Error-correcting codes are used to correct errors when messages are transmitted through a noisy communication channel. Bounded distance decoding (i.e. decoding up to the error-correcting capacity) is a method of correcting errors that guarantees unique decoding. Secret sharing is a cryptographic protocol that allows a secret known from a person called the dealer to be distributed to n participants. No single participant knows the secret but some special subsets of participants called coalitions can. In this paper, we present a multisecret-sharing scheme based on an errorcorrecting code where secret reconstruction is made by using bounded distance decoding of the code. This scheme is ideal in the sense that the size of each secret equals the size of any share. Its security improves on that of multisecret-sharing schemes.

Received 8 May 2015 Revised 31 August 2015 Accepted 1 September 2015 KEYWORDS

Secret sharing; multisecret-sharing; ideal secret sharing; bounded distance decoding; linear code 2010 AMS SUBJECT CLASSIFICATIONS

14G15; 94A60

1. Introduction Secret sharing has been a subject of study for over 30 years. It is important that a secret key, passwords, informations of the map of a secret place, or an important chemical formula etc., must be kept secret. One of the ways of solving this problem is to employ secret sharing schemes. In fact, for a secret sharing, the main problem is to divide the secret into pieces instead of storing the whole. A secret sharing scheme is a way of distributing a secret among a finite set of people such that only some distinguished subsets of these subsets can recover the secret. The collection of these special subsets is called the access structure of the scheme. Secret sharing schemes were introduced by Blakley [2] and Shamir [16] in 1979. Then, many constructions were developed. One of them is based on linear codes. The relation between secret sharing schemes and linear codes was presented in [11]. Several authors have considered the construction of secret sharing schemes using error-correcting codes [4,8,10,17]. Another secret sharing system is the (m, n)-threshold systems. A (m, n)-threshold scheme is a method of distribution of information among n participants such that m > 1 participants can reconstruct the secret but m − 1 cannot. Karnin et al. [8] examined the following situation: There are k secrets s1 , s2 , . . . , sk to be shared. Such systems are called [k, m, n](multisecret-sharing) threshold schemes. Each [k, m, n] threshold scheme for multisecret-sharing gives k single-secret (m, n)-threshold schemes [5]. In this work, we first consider a multisecret-sharing scheme based on error-correcting codes with a known bounded distance decoding algorithm. We give a secret reconstruction algorithm based

CONTACT Selda Çalkavur © 2015 Taylor & Francis

[email protected]

Q1

2

52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102

S. ÇALKAVUR AND P. SOLÉ

on that algorithm. We analyse the security and performance of the scheme by means of combinatorial coding theory: weight enumerators and Pless power moments identities are the main tools. The question of democracy in the sense of [18] is analysed in the light of the properties of designs held by codewords of given weight. We conclude by a comparison between our scheme and the two main other code-based schemes in the literature: Massey’s scheme [10] and Ding et al. [5] multisecret scheme. The material is organized as follows. Section 2 recalls the necessary background in coding theory. Section 3 describes the scheme and analyses its security. Section 4 contains the said comparison. Section 5 collects concluding remarks.

2. Definitions We shall begin with the necessary definitions to explain our scheme. 2.1. Codes and coset decoding Let q be a prime power and denote the finite field of order q by Fq . An [n, k]-linear code C over Fq is a subspace in (Fq )n , where n is the length of the code C and k is the dimension of C. The dual code of C is defined to be the set of those vectors (Fq )n which are orthogonal to every codeword of C. It is denoted by C⊥ . The code C⊥ is an [n, n − k]-linear code. A generator matrix G for a linear code C is a k × n matrix for which the rows are a basis of C. A parity-check matrix for a linear code C is a generator matrix for its dual code C⊥ . It is denoted by H. Let C be an [n, k]-linear code over Fq with generator matrix G. The code C contains qk codewords and can be used to communicate any one of qk distinct messages. We encode the message vector x = x1 x2 · · · xk as (x1 x2 · · · xk )G; hence, C = {uG|u∈ (Fq )k }. The map u → uG sends the vector space qk onto a k- dimensional subspace of (Fq )n . 2.2. Coset decoding Suppose that C is an [n, k]-linear code over Fq and a is any vector in (Fq )n . Then, the set a + C defined by a + C = {a + x|x ∈ C} is called a coset of C [4]. Suppose that a codeword x is sent, and that a vector y is received, then e = y − x (x, y ∈ (Fq )n ), e = e1 e2 · · · en , is an error vector. Theorem 1 ((Lagrange)): Suppose C is an [n, k]-code over Fq , then, (i) (ii) (iii) (iv)

every vector of (Fq )n is in some coset of C, every coset contains exactly qk vectors, two cosets either are disjoint or coincide, C contains exactly qn−k cosets [6].

2.3. Coset leader The vector having minimum weight in a coset is called the coset leader. If there is more than one vector with the minimum weight, we choose one at random and call it the coset leader.

3. Multisecret-sharing schemes and error-correcting codes 3.1. Scheme description In this section, we examine a multisecret-sharing scheme based on error-correcting codes with a known efficient bounded distance decoder.

INTERNATIONAL JOURNAL OF COMPUTER MATHEMATICS

103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153

3

Consider an [n, k]- code C over Fq which is a t-error-correcting code. We construct now a multisecret-sharing scheme based on C. Let (Fq )k be the secret space and (Fq )n be the share space. In the multisecret-sharing scheme, the dealer uses a share function f : (Fq )k → (Fq )n to compute the shares among the n participants. The sharing function is chosen as f (s) = sG + h, where s = (s1 , . . . , sk ) ∈ (Fq )k is the secret and G is a k × n matrix over (Fq )n with rank k. Assume for convenience s = 0. Thus, c = sG is a nonzero codeword of the code C. The translation vector h is chosen by the leader to satisfy the following requirements: (1) the weight of h is t, (2) the support of h is included in the support of c. Then, the n participants recover the secret by combining their shares as follows: • get c + h by collecting its n coordinates (shares), • get c from c + h by decoding, • get s from c by solving the linear system sG = c of rank k. The motivation for Condition 2 is the following Proposition. Note first that we cannot allow any subset of participants indexed by the support of c + h to recover the secret by shares pooling and decoding. Proposition 1: With the above notation, there is no h of weight < t such that the support of c + h contains the support of c + h iff the support of h is included in the support of c. Proof: The condition is necessary for if there is any element x in the support of h outside the support of c then h defined as hx = 0 and hi = hi for i = x provides a contradiction. The condition is sufficient for, if true, in order to have an h such that the support of c + h contains the support of c + h , the support of h would need to contain the codesupport of h implying that h would have larger weight than h. An immediate Corollary is the following. Corollary 1: The multisecret-sharing scheme satisfied the hypothesis of the above theorems is also a (d − t, n)- threshold secret sharing scheme, where d is the minimum distance and t the error-correcting capacity of C. Proof: In this scheme, the secret is recovered thanks to the minimal access sets. The minimal access sets consist of the vectors as c + h with the support of h contained in the support of c and h of weight t. There are n participants in every set, as many as coordinates of C. The set of participants that is recovering the secret is also the support of these minimal access sets. The number of these participants in each of minimal access set is equal to the weight of c + h. So, the result follows. Example: Let C be the binary [5, 2]-linear code with generator matrix G=

1 0 1 0 1 . 0 1 0 1 1

Since the minimum distance is 3, the code C corrects a single error. Now we construct a multisecret-sharing scheme based on C by using bounded distance decoding and examine some properties of this scheme.

4

154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204


First we write the codewords of C: C = {00000, 10101, 01011, 11110} and the cosets of C are 00000 + C = {00000, 10101, 01011, 11110}, 10000 + C = {10000, 00101, 11011, 01110}, 01000 + C = {01000, 11101, 00011, 10110}, 00100 + C = {00100, 10001, 01111, 11010}, 00010 + C = {00010, 10111, 01001, 11100}, 00001 + C = {00001, 10100, 01010, 11111}, 11000 + C = {11000, 01101, 10011, 00110}, 10010 + C = {10010, 00111, 11001, 01100}. Let the message vector 10 be the secret s. So, the sharing function will be as 1 0 1 0 1 f (s) = sG + h = (10). + (10000) 0 1 0 1 1 = (10101) + (10000) = (00101). We get c = sG = (10101) from (00101) by decoding. Then, we get the secret s from c by solving the linear system sG = c of rank k = 2: 1 0 1 0 1 = (10101). (s1 , s2 ). 0 1 0 1 1 Therefore, we recover the secret as s = (10). 3.2. Statistics on coalitions Denote the number of minimal coalitions of i participants by Mi , and let M(z) = generating function of these numbers.

i Mi z

i

be the

Theorem 2: Let C be a q-ary t-error correct code with weight enumerator A(z). If A(i) (z) denotes the derivative of order i of A(z), then M(z) =

(q − 1)t A(t) (z) . t!

Proof: Recall that A(z) = w Aw zw , where Aw denotes the number of codewords of C of weight w. Given a codeword c of weight w, the number of eligible h’s is wt (q − 1)t . The weight of c + h is w − t. Differentiating t times A(z) with respect to z the result follows. Example 1: We continue with the above [5, 2] binary code. Now we calculate the number of minimal access sets in the associated scheme. First, we need the weight enumerator of C: A(z) =

5 i=1

Ai zi = 1 + 2z3 + z4 .


205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255

5

Since t = 1, we calculate the derivative of order 1 of A(z). A (z) = 6z2 + 4z3 and A (1) = 10. So, by Theorem 2, there are 10 minimal access sets, 6 of size 2 and 4 of size 3. For instance, c = 10101 yields half of those of size 2 c + h = 00101, 10001, 10100, c = 01011 yields the other half of those of size 2 c + h = 00011, 01001, 01010 and c = 11110 yields all the size 3 access sets c + h = 01110, 10110, 11010, 11100. Example 2: Let C = H8 be the extended binary Hamming code of parameters [8, 4, 4]. It is known that A(z) = 1 + 14z4 + z8 . A direct calculation shows that A (z) = 56z3 + 8z7 . So this secret sharing scheme admits 56 coalitions of size 3 and 8 coalitions of size 7. In fact, quantity M(1), the total number of coalitions, is a binomial moment of the weight distribution, a quantity known to enjoy a duality relationship. Theorem 3: Let C be a q-ary t-error-correcting code, with dual weight distribution Ai and with minimal coalition generator M(z). We have M(1) = qk−t

t n−i (−1)i (q − 1)t−i Ai . n−t i=0

In particular if the dual distance of C is > t, we have M(1) = qk−t (q − 1)t

n . t

Proof: The first relation is an immediate consequence of the MacWilliams identities. See [15, (5.2.7), p. 226]. The second relation follows by letting A0 = 1, and Ai = 0 for i = 1, . . . , t. Example 3 (continued): Let again C = H8 . The above calculations show that A (1) = 64. It is well known that H8 is self-dual, hence of dual distance 4. The preceding theorem with t = 1 shows then that M(1) = 24−1 11 81 = 64, as it should. 3.3. Democracy in secret sharing The following concept was introduced in [18]. Definition: A secret sharing scheme is democratic of degree s if every group of s participants lies in the same number of minimal access sets, where s ≥ 1.

6

Q2 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306


If the code used in the SSS is very regular, then so are the minimal coalitions. Recall that a code is s-homogeneous if the codewords of given weight hold a s-design. We shall prove a property very close to democracy. Theorem 4: If C is s-homogeneous, then the coalitions of given size are the blocks of an s-design. We shall require the following counting lemma of independent interest. Recall that λi is the number of blocks incidents with i given points. Thus, for example, λ2 = 1. Lemma 1: Let B be a t − (v, k, λ) design and consider the set family Sr obtained from its blocks by removing r points in all possible ways, assuming t + r < k, and λk−r = 1. In this situation, Sr is a t − k blocks. (v, k − r, λ k−t ) design with b r r Proof: Every of points is contained in exactly λ blocks. Every such block contains outside t-uple the t-uple k−t r-uples that can be removed to form an element of Sr . The elements so formed are r pairwise distinct, since if not, the relevant blocks of B would be distinct and intersecting in at least k − r points, which is ruled out by the condition λk−r = 1. We are now ready for the proof of the theorem. Proof: Follows by letting t = s and r = t in the notation of the Lemma.

Example: Let C be the binary [23, 12, 7]-linear code. Its packing radius is 3. Applying the above to the codewords of weight 3 which are known to hold a 4 − (23, 7, 1) Steiner system with 253 blocks we obtain a 4 − (23, 4, 1) design fortheminimal coalitions; note that λ = 1 enforces λ4 = 1. This is a complete design since 253 73 = 23 4 . A less trivial design is obtained from codewords ofweight 11 yielding a 4 − (23, 8, 73 ) design with 45, 080 blocks when the total number of 8-tuples is 23 8 = 490314.

4. Comparison with other schemes The basic secret sharing scheme is Massey’s secret sharing scheme. Massey constructed a scheme based on an [n, k]-linear code using the generator matrix of this code. Let s ∈ Fq be the secret. Let G be the generator matrix for a code C of length n. In a secret sharing scheme, a dealer has a secret. The secret is created as follows. Let u be any vector such that ug0 = s, where g0 is the first column vector of G. The vector u is the information vector. The dealer gives a share of the secret to each participant. There is a set P of subsets of the participants with the property that any subset of participants that is in P can determine the secret. This set is called minimal access set [3]. The access structure of a secret sharing scheme is the set of all minimal access sets [13]. The secret s is shared to participants. The participants recovered the secret by combining their shares. One of the secret sharing schemes is a (m, n)- threshold secret sharing schemes. In such a scheme, the secret can be constructed from any m shares, but no subset of m − 1 shares reveals any information about the secret. A special class of a (m, n)- threshold secret sharing scheme is a multisecret-sharing scheme. We remind some information about this scheme. Let the secret spaces Si (1 ≤ i ≤ k) and the share spaces Ti (1 ≤ i ≤ n) be vector spaces over a field F. Then, the product spaces S = S1 × · · · × Sk and T = T1 × · · · × Tn are also vector spaces over F. In a multisecret-sharing scheme, a dealer uses a share function f : S → T to compute the shares among the n participants. Let s = (s1 , . . . , sk ) be the secret and t = (t1 , . . . , tn ) = f (s) be the share. If for all a, a ∈ F and all s, s ∈ S, f (as + a s ) = af (s) + a f (s ), then a multisecret-sharing scheme is said to be linear.


307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357

7

Theorem 5: A multisecret-sharing scheme defined over the above secret and share spaces is linear if and only if its share function is of the form f (s) = sG, where s = (s1 , . . . , sk ) ∈ S and G is a k × n matrix over F with rank k [5]. We summarize the comparison with other code-based secret sharing schemes in the following table, where we denote by P, S, C the number of participants, the size of a secret, the number of coalitions for an [n, k] code over Fq . System

Massey

Ding et al.

P

n−1

n

S

q

qk n

C

n k

k

This paper n ≥

qk n d−t

Thus, Massey scheme is a single-secret system in contrast with the other two schemes which are k-secret sharing schemes. Both Ding scheme and our scheme are ideal in the sense that each secret is of the same size of a share [7], in these examples q. However, the reconstruction algorithm in Ding scheme is based on linear algebra, while the one in our scheme is based on decoding, a much harder problem, more resilient to algebraic attacks. Another advantage is the fact that the encoding is non deterministic because of the choice of h left to the dealer.

5. Conclusion In the present article, we have introduced a new multisecret-sharing scheme based on error-correcting codes. The reconstruction algorithm is based on bounded distance decoding. The statistics of minimal coalitions are made by using weight enumerators and Pless power moment formula. The problem of democracy is tackled via block designs. In the comparison with known systems, the new system stands well, in particular in terms of security.

Disclosure statement No potential conflict of interest was reported by the authors.

References [1] E.R. Berlekamp, R.J. McEliece, and H. van Tilborg, On the inherent intractability of some coding problems, IEEE Trans. Inform. Theory (1978), pp. 384–386 . [2] G.R. Blakley, Safeguarding cryptographic keys, in Proceedings of the 1979 National Computer Conference, New York, June, 1979, pp. 313–317. [3] E.F. Brickell, Some ideal secret sharing schemes, in Advances in Cryptology-EUROCRYPT 89, Lecture Notes in Computer Science, vol. 434, 1990, pp. 468– 475. [4] C. Ding, D. Kohel, and S. Ling, Secret-sharing with a class of ternary codes, Theor. Comp. Sci. 246 (2000), pp. 285–298. [5] C. Ding, T. Laihonen, and A. Renvall, Linear multisecret-sharing schemes and error correcting codes, J. Comput. Sci. 3(9) (1997), pp. 1023–1036. [6] R. Hill, A First Course in Coding Theory, Oxford University, Oxford, 1986. [7] W.-A. Jackson, K.M. Martin, and C. O’Keefe, Ideal secret sharing schemes with multiple secrets, J. Cryptol. 9 (1996), pp. 223–250. [8] E.D. Karnin, J.W. Greene, and M.E. Hellman, On secret sharing systems, IEEE Trans. Inf. Theory IT-29(1) (1983), pp. 35–41. [9] F.J. MacWilliams and N.J.A. Sloane, The Theory of Error Correcting Codes, North Holland, 1977. [10] J.L. Massey, Minimal codewords and secret sharing, Proceedings of the 6th Joint Swedish-Russian Workshop on Information Theory, Mölle, Sweden, 1993, pp. 276–279.

Q3

Q4

8

358 359 360 361 Q5 362 363 364 Q6 365 366 Q7 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408


[11] R.J. McEliece and D.V. Sarwate, On sharing secrets and Reed-Solomon codes, Commun. Assoc. Comp. Mach. 24 (1981), pp. 583–584. [12] K. Okada and K. Kurosawa, MDS secret sharing scheme secure against cheaters, IEEE Trans. Inf. Theory 46(3) (1997), pp. 1078–1081. [13] H. Ozadam, F. Ozbudak, and Z. Saygı, Secret sharing schemes and linear codes, in Proceedings of Information Security Cryptology Conference with International Participation, December 2007, pp. 101–106 . [14] J. Piepryzk and X.M. Zhang, Ideal threshold schemes from MDS codes, Proceedings of Information Security and Cryptology ICISC 2002, Lecture Notes in Computer Science, Vol. 2587, Springer-Verlag, Berlin, 2003, pp. 269–279. [15] S. Roman, Coding and Information Theory, Springer, 1992. [16] A. Shamir, How to share a secret, Comm. ACM 52 (1979), pp. 612–613. [17] A. Shamir, Some applications of coding theory, in Cryptography, Codes and Ciphers: Cryptography and Coding IV, 1995, pp. 33 –47. [18] J. Yuan and C. Ding, Secret sharing schemes from three classes of linear codes, IEEE Trans. Inform. Theory 52(1) (2006), pp. 206–212.

proof cover sheet

proof cover sheet

Suggest Documents