Remarks on the Multiple Assignment Secret Sharing Scheme

Hossein Ghodosi, Josef Pieprzyk, Rei Safavi-Naini
Department of Computer Science, Centre for Computer Security Research, University of Wollongong, Wollongong, NSW 2500, AUSTRALIA
e-mail: hossein/josef/[email protected]

Abstract

The paper analyses the multiple assignment secret sharing scheme, presented at the GLOBECOM'87 Conference. It contains three technical comments and a contribution to extend the capabilities of the Shamir scheme. First it is proved that the proposed multiple assignment secret sharing scheme is not perfect. In fact, the non-perfectness of the scheme is due to the non-perfectness of a certain type of Shamir secret sharing scheme defined in the paper. Next it is shown that both the extended multiple assignment secret sharing scheme and the extended Shamir secret sharing scheme are not secure, i.e., unauthorised sets of participants can recover the secret. Finally, we will show how to (safely) extend a Shamir scheme.

Support for this project was provided in part by the Australian Research Council under the reference number A49530480 and the ATERB grant 


1 Introduction

Secret sharing schemes allow a group of participants to share a piece of secret information in such a way that only authorised subsets of the participants can recover the secret. An unauthorised subset is not able to determine the secret. The collection of all authorised subsets is called the access structure. Secret sharing schemes have many practical applications. For instance, they can be used to control access to a safe so that only an authorised subset of bank employees can open it by pooling their shares together and reconstructing the secret combination which unlocks the safe.

Secret sharing schemes were independently introduced by Shamir [1], Blakley [2] and Chaum [3]. A particularly interesting class of secret sharing schemes includes threshold schemes with a group of $n$ participants. Their access structure includes all subsets of $t$ or more participants. Such schemes are called $t$-out-of-$n$ threshold schemes or simply $(t, n)$ schemes.

The important question of how to realize a secret sharing scheme for an arbitrary access structure was studied by numerous authors. Ito, Saito and Nishizeki [4], Benaloh and Leichter [5], and Simmons [6, 7, 8] suggested different solutions for constructing such schemes.

In this paper¹ we consider a generalised secret sharing scheme for an arbitrary access structure, proposed by Ito, Saito and Nishizeki [4]. Their scheme, also called the multiple assignment scheme, applies the Shamir threshold scheme to realize secret sharing for an arbitrary access structure. They proposed a method to extend a scheme realizing an access structure $\Gamma_1$ such that a new scheme realizes an access structure $\Gamma_2$, where $\Gamma_1 \subseteq \Gamma_2$. In order to achieve this goal, they have also proposed a method to extend a Shamir threshold scheme. We are going to demonstrate:

1. that the proposed multiple assignment secret sharing scheme is not perfect,
2. that the extended multiple assignment secret sharing scheme is not secure,
3. that the extended Shamir threshold secret sharing scheme is not secure,
4. how a Shamir threshold scheme can (safely) be extended.

¹ The earlier version of this paper was presented at the International Conference on Information and Communications Security [9].

2 Background

Let $\mathcal{P} = \{P_i : 1 \le i \le n\}$ be a set of $n$ participants, and let $\mathcal{K}$, $\mathcal{S}$ denote a key set and a share set, respectively. Let $\Gamma \subseteq 2^{\mathcal{P}}$ be a collection of authorised subsets, called the access structure, where each $A \in \Gamma$ is called an access set. A secret sharing scheme for an access structure $\Gamma$ is a general method of sharing a secret $K \in \mathcal{K}$ among participants from $\mathcal{P}$ such that a subset $A \subseteq \mathcal{P}$ can reconstruct the secret only if $A \in \Gamma$. The access structure of a $(t, n)$ threshold scheme consists of all subsets whose cardinality is equal to or larger than $t$.

A secret sharing scheme is set up by a trusted authority, called a dealer. The dealer chooses a secret $K \in \mathcal{K}$ and constructs shares $s_i \in \mathcal{S}$, for each participant $P_i \in \mathcal{P}$. Shares are securely delivered to the participants. The reconstruction of the secret is done by a combiner who collects shares, recomputes the secret and distributes the result to all collaborating participants via a secure channel. The system is called perfect if

$$H(K \mid A) = \begin{cases} 0 & \text{if } A \in \Gamma \\ H(K) & \text{if } A \notin \Gamma \end{cases}$$

that is, in a perfect secret sharing scheme an unauthorised subset cannot get any information about the secret.

2.1 The Shamir Scheme

The Shamir threshold scheme is based on polynomial interpolation over a finite field. Let $\mathcal{K} = GF(q)$ be a finite field with $q$ elements. To construct a $(t, n)$ threshold scheme a dealer $D$ chooses $n$ distinct nonzero elements of $GF(q)$, denoted by $x_1, \ldots, x_n$, and sends $x_i$ to $P_i$ over a public channel ($i = 1, \ldots, n$). For a secret $K \in GF(q)$, $D$ randomly chooses $t - 1$ elements $a_1, \ldots, a_{t-1}$ from $GF(q)$ and constructs a polynomial

$$f(x) = K + \sum_{i=1}^{t-1} a_i x^i.$$

The share for participant $P_i$ is $s_i = f(x_i)$. The degree of $f(x)$ is at most $t - 1$. It is known (see [10]) that Shamir's scheme is perfect. That is, if a group of fewer than $t$ participants collaborate, their original uncertainty about $K$ is not reduced.

2.2 The Multiple Assignment Scheme

The multiple assignment scheme [4] is a generalised secret sharing scheme that utilises the Shamir threshold scheme to realize an arbitrary access structure. The following notation is used in [4]:

- For any access set $A \in \Gamma$ ($A \subseteq \mathcal{P}$), any superset $A'$ of $A$ ($A \subseteq A'$) must be an access set as well. This is the well-known monotone property [5]. Thus we have: $A \in \Gamma$ and $A \subseteq A' \subseteq \mathcal{P}$ imply that $A' \in \Gamma$.
- For any access structure $\Gamma$ there is a family of sets $\bar{\Gamma} = 2^{\mathcal{P}} \setminus \Gamma$. Any set from $\bar{\Gamma}$ represents a collection of participants who are unauthorised to recover the secret. Given an unauthorised set $B \in \bar{\Gamma}$, any subset $B' \subseteq B$ must be an unauthorised set as well.
- The family of maximal sets in $\bar{\Gamma} \subseteq 2^{\mathcal{P}}$ is denoted by ${}^{+}\bar{\Gamma}$. That is,

$${}^{+}\bar{\Gamma} = \{A \in \bar{\Gamma} : A \not\subset A' \text{ for all } A' \in \bar{\Gamma} \setminus A\}$$

The multiple assignment scheme works as follows. Let $\Gamma \subseteq 2^{\mathcal{P}}$ be an access structure. The dealer, $D$, gets $t = |{}^{+}\bar{\Gamma}|$ and utilises a Shamir $(t, t)$ threshold scheme to generate $t$ shares. Then, for any unauthorised set $B$, $B \in {}^{+}\bar{\Gamma}$, it assigns a distinct share to all participants in $\bar{B}$ ($\bar{B} = \mathcal{P} \setminus B$). For every access set, $A \in \Gamma$, it is shown that the number of distinct shares given to the participants is equal to $t$, while for every unauthorised set, $B \notin \Gamma$, the number of different shares given to its members is less than $t$. That is, the scheme satisfies the requirement of a secret sharing scheme, since the knowledge of at least $t$ shares makes it possible to recover the secret. The knowledge of fewer than $t$ shares, however, does not allow an unauthorised set to recover the secret (for more detail see [4]).

Example: Let $\mathcal{P} = \{P_1, P_2, P_3, P_4\}$ be the set of participants and let $\Gamma = P_1P_2 + P_2P_3 + P_3P_4$ be the access structure. In order to share the secret $K \in GF(q)$, the dealer gets ${}^{+}\bar{\Gamma} = \{\{P_1, P_3\}, \{P_1, P_4\}, \{P_2, P_4\}\}$. Since $|{}^{+}\bar{\Gamma}| = 3$, it designs a Shamir $(3, 3)$ threshold scheme and generates three shares, $s_1$, $s_2$, $s_3$. Then it assigns share $s_1$ to $P_2$ and $P_4$ (that do not belong to unauthorised set $\{P_1, P_3\}$). It also assigns share $s_2$ to $P_2$ and $P_3$ (that do not belong to unauthorised set $\{P_1, P_4\}$). Similarly, it assigns share $s_3$ to participants $P_1$ and $P_3$. In the secret reconstruction phase, every authorised set can reconstruct the secret (knowing three shares, cooperatively), while unauthorised sets cannot do so. $\Diamond$

3 Multiple Assignment Scheme Made Perfect

In this section we show that the proposed multiple assignment scheme [4] is not perfect. We show that the non-perfectness of the scheme is inherited from the non-perfectness of the underlying threshold secret sharing scheme. That is, the Shamir secret sharing scheme which is used in the multiple assignment scheme is not perfect.

3.1 A Non-Perfect Shamir Scheme

A Shamir $(t, n)$ threshold scheme, which is used in the multiple assignment secret sharing scheme, is defined as follows [4].

1. Take a prime power $q$ such that $q > n$ and let $\mathcal{K} = GF(q)$. Select distinct elements $x_1, \ldots, x_n \in \mathcal{K} - \{0\}$ at random.
2. Choose $a_1, \ldots, a_{t-2} \in \mathcal{K}$ and $a_{t-1} \in \mathcal{K} - \{0\}$ randomly, where $t \le n$.
3. Let $f(x) = K + a_1 x + a_2 x^2 + \cdots + a_{t-1} x^{t-1}$.
4. Let $s_i = f(x_i)$ and assign $(x_i, s_i)$ to $P_i$ for each $i$, $1 \le i \le n$.

Theorem 3.1 Given a Shamir $(t, n)$ threshold scheme, if the degree of the associated polynomial $f(x)$ is known to be $t - 1$ then the scheme is not perfect.

Proof: Let $P_1, \ldots, P_{t-1}$ be the set of $(t - 1)$ collaborating participants pooling their shares $s_1, \ldots, s_{t-1}$ in order to apply the Lagrange interpolation formula. Certainly, they can construct a unique polynomial $g(x) = K' + b_1 x + \cdots + b_{t-2} x^{t-2}$ of degree at most $t - 2$ such that $s_i = g(x_i)$ for all $i = 1, \ldots, t - 1$. On the other hand, they know $s_i = f(x_i)$ for $i = 1, \ldots, t - 1$, where $f(x) = K + a_1 x + \cdots + a_{t-1} x^{t-1}$ is the polynomial associated with the system. So, they have the following system of equations:

$$\begin{aligned} s_1 &= g(x_1) = f(x_1), \\ &\;\;\vdots \\ s_{t-1} &= g(x_{t-1}) = f(x_{t-1}). \end{aligned}$$

The system can be transformed to:

$$\begin{aligned} (K - K') + (a_1 - b_1)x_1 + \cdots + (a_{t-2} - b_{t-2})x_1^{t-2} + a_{t-1}x_1^{t-1} &= 0, \\ &\;\;\vdots \\ (K - K') + (a_1 - b_1)x_{t-1} + \cdots + (a_{t-2} - b_{t-2})x_{t-1}^{t-2} + a_{t-1}x_{t-1}^{t-1} &= 0. \end{aligned}$$

Now, we show by contradiction that $K \ne K'$. Suppose that $K = K'$. This implies that the system becomes

$$\begin{aligned} (a_1 - b_1)x_1 + \cdots + (a_{t-2} - b_{t-2})x_1^{t-2} + a_{t-1}x_1^{t-1} &= 0, \\ &\;\;\vdots \\ (a_1 - b_1)x_{t-1} + \cdots + (a_{t-2} - b_{t-2})x_{t-1}^{t-2} + a_{t-1}x_{t-1}^{t-1} &= 0. \end{aligned}$$

As the Vandermonde determinant of the system is different from zero, there is only one solution, in which $a_{t-1} = 0$. This contradicts that $f(x)$ is of degree $t - 1$ and proves that $K \ne K'$. Since the $(t - 1)$ participants have been successful in finding an integer $K'$ which is not the secret, their uncertainty about the secret is not equal to the uncertainty of an outsider, that is, the scheme is not perfect. $\Box$

Corollary 3.1 The multiple assignment scheme [4] is not perfect.

Proof: Let $\Gamma \subseteq 2^{\mathcal{P}}$ be an arbitrary access structure, such that $|{}^{+}\bar{\Gamma}| = t$. The multiple assignment secret sharing scheme generates a Shamir $(t, t)$ threshold scheme and distributes the shares amongst participants in such a way that for every authorised set $A \in \Gamma$ the number of different shares assigned to participants in the set $A$ is equal to $t$. Now consider an unauthorised set $B$, which possesses only $t - 1$ shares. Although it cannot recover the secret, it can reduce its uncertainty about the secret (by getting a non-secret element from the set of possible shares). That is, the multiple assignment scheme is not perfect. $\Box$

In order to fix the problem, the underlying Shamir scheme has to be perfect, i.e., the selection of coefficients $a_i$ ($1 \le i \le t - 1$) has to be random and from all elements of $GF(q)$.
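The effect described by Theorem 3.1 and the fix above can be checked by exhaustive enumeration over a small field. The following Python code is an added example, not part of the original paper; the field size 11, the sample polynomial and the function names are constructed for the illustration.

```python
from itertools import product

Q = 11  # small prime so that all of GF(Q)^t can be enumerated (constructed value)

def evaluate(coeffs, x):
    """Evaluate K + a_1 x + ... + a_{t-1} x^{t-1} over GF(Q); coeffs[0] is K."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def interpolate_at_zero(points):
    """g(0) for the unique g of degree <= len(points) - 1 through the points."""
    total = 0
    for i, (xi, si) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % Q
                den = (den * (xi - xj)) % Q
        total = (total + si * num * pow(den, -1, Q)) % Q
    return total

def feasible_secrets(points, t, leading_nonzero):
    """Secrets K for which some admissible polynomial matches the pooled shares."""
    feasible = set()
    for coeffs in product(range(Q), repeat=t):
        if leading_nonzero and coeffs[-1] == 0:
            continue  # rule of Section 3.1: a_{t-1} is drawn from GF(Q) - {0}
        if all(evaluate(coeffs, x) == s for x, s in points):
            feasible.add(coeffs[0])
    return feasible

def excluded_secrets(points, t, leading_nonzero):
    """Values of K that the pooled shares allow the coalition to rule out."""
    return set(range(Q)) - feasible_secrets(points, t, leading_nonzero)

# Constructed (3, n) instance: K = 7, a_1 = 4, a_2 = 9, public x_1 = 1, x_2 = 2.
T_THRESHOLD = 3
F = [7, 4, 9]
POOLED = [(x, evaluate(F, x)) for x in (1, 2)]  # shares of t - 1 = 2 participants

if __name__ == "__main__":
    print("K' =", interpolate_at_zero(POOLED))
    print("ruled out, a_{t-1} != 0:", excluded_secrets(POOLED, T_THRESHOLD, True))
    print("ruled out, a_{t-1} free:", excluded_secrets(POOLED, T_THRESHOLD, False))
```

With the nonzero leading coefficient the coalition rules out exactly $K' = g(0)$; with all coefficients drawn from the whole field nothing is ruled out.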

4 Extension of a Secret Sharing Scheme

Definition 4.1 Let a secret sharing scheme realize $\Gamma_1 \subseteq 2^{\mathcal{P}_1}$ on a set $\mathcal{P}_1$. Further assume that $\mathcal{P}_1 \subseteq \mathcal{P}_2$ and a scheme realizes an access structure $\Gamma_2 \subseteq 2^{\mathcal{P}_2}$. The scheme which realizes $\Gamma_2$ is an extension of the scheme that realizes $\Gamma_1$ if:

(a) both schemes allow recovery of the same secret,
(b) the collection of shares defined in $\Gamma_1$ is a subset of shares generated in $\Gamma_2$,
(c) any access set in $\Gamma_1$ is an access set in $\Gamma_2$.

4.1 Extension of a Multiple Assignment Scheme

Let a multiple assignment scheme realize an access structure $\Gamma_1 \subseteq 2^{\mathcal{P}_1}$ on a set $\mathcal{P}_1$. Further assume that $\mathcal{P}_1 \subseteq \mathcal{P}_2$ and a multiple assignment scheme realizes an access structure $\Gamma_2 \subseteq 2^{\mathcal{P}_2}$. In [4], the authors claimed that their scheme is flexible for the case in which a new member joins the group of shareholders. They considered the following problem [4, Problem 3]: "Can a scheme realizing an access structure $\Gamma_1$ be extended so that a new scheme realizes an access structure $\Gamma_2$?" The question was answered affirmatively provided the new access structure $\Gamma_2$ is a natural extension of $\Gamma_1$, that is, $\Gamma_1 \subseteq \Gamma_2$ and $\bar{\Gamma}_1 \subseteq \bar{\Gamma}_2$. Here we show this is not the case.

Theorem 4.1 The extension of a multiple assignment scheme, proposed in [4], is not secure. That is, in the extended scheme, the secret can be reconstructed by an unauthorised set of participants.

Proof: Let $\mathcal{P}_1 = \{P_1, \ldots, P_n\}$ and let $\Gamma_1 \subseteq 2^{\mathcal{P}_1}$ be an access structure. Let $\Gamma_1 = \{A_1, \ldots, A_\ell\}$ and ${}^{+}\bar{\Gamma}_1 = \{B_1, \ldots, B_t\}$. Assume a multiple assignment scheme realizes $\Gamma_1$ and we want to extend the set of shareholders to a set $\mathcal{P}_2$, where $\mathcal{P}_2 = \{P_1, \ldots, P_n, P_{n+1}, \ldots, P_m\}$, that is, $\mathcal{P}_1 \subseteq \mathcal{P}_2$. Let the access structure $\Gamma_2 \subseteq 2^{\mathcal{P}_2}$ be as follows:

$$\Gamma_2 = \{A_1, \ldots, A_\ell, \{P_i, P_j\}, \text{ for } i < j;\ i = 1, \ldots, m - 1;\ j = n + 1, \ldots, m\}. \qquad (1)$$

Clearly, $\Gamma_1 \subseteq \Gamma_2$. On the other hand, since all subsets consisting of two participants, in which at least one of them belongs to the set of new shareholders, are authorised sets, we have

$${}^{+}\bar{\Gamma}_2 = \{B_1, \ldots, B_t, \{P_{n+1}\}, \ldots, \{P_m\}\}.$$

That is, ${}^{+}\bar{\Gamma}_1 \subseteq {}^{+}\bar{\Gamma}_2$ and therefore $\Gamma_2$ is an extension of $\Gamma_1$. Assume that the multiple assignment scheme, which realizes the access structure $\Gamma_1$ on a set $\mathcal{P}_1$, applies the set $S_1 = \{s_1, \ldots, s_t\}$ of shares. That is, $s_1$ is assigned to participants in the set $\mathcal{P}_1 \setminus B_1$, and in general $s_i$ is assigned to participants in the set $\mathcal{P}_1 \setminus B_i$. In the new scheme, however, the share $s_1$ will be assigned to participants in the set $\mathcal{P}_2 \setminus B_1$, and in general $s_i$ will be assigned to shareholders in the set $\mathcal{P}_2 \setminus B_i$. So the set $\mathcal{P}_2 \setminus \mathcal{P}_1 = \{P_{n+1}, \ldots, P_m\}$ will get the set of all shares $s_i$ ($i = 1, \ldots, t$) from the basic scheme. Since knowing all shares of a secret sharing scheme is sufficient to recreate the secret, every new shareholder alone can recreate the secret, whereas none of them individually is supposed to be able to recover the secret. $\Box$

Example: Let $\mathcal{P}_1 = \{P_1, P_2, P_3\}$ and let $\Gamma_1 = \{\{P_1, P_2\}, \{P_2, P_3\}\}$. Since ${}^{+}\bar{\Gamma}_1 = \{\{P_2\}, \{P_1, P_3\}\}$, the dealer generates a Shamir $(2, 2)$ threshold scheme and assigns $s_1$ to the set $\mathcal{P}_1 \setminus \{P_2\}$, that is, to participants $P_1$ and $P_3$. Similarly, it assigns the share $s_2$ to the set $\mathcal{P}_1 \setminus \{P_1, P_3\}$, that is, to participant $P_2$.

Let $\mathcal{P}_2 = \{P_1, P_2, P_3, P_4, P_5\}$ and also let $\Gamma_2 = \{\{P_1, P_2\}, \{P_2, P_3\}, \{P_1, P_4\}, \{P_1, P_5\}, \{P_2, P_4\}, \{P_2, P_5\}, \{P_3, P_4\}, \{P_3, P_5\}, \{P_4, P_5\}\}$. Hence, ${}^{+}\bar{\Gamma}_2 = \{\{P_2\}, \{P_1, P_3\}, \{P_4\}, \{P_5\}\}$ and the dealer generates a Shamir $(4, 4)$ threshold scheme to generate four shares $s_1$, $s_2$, $s_3$ and $s_4$. However, this set of shares contains the set of shares $\{s_1, s_2\}$, which have been generated in the basic scheme. In this extended scheme, however, share $s_1$ will be assigned to the set $\mathcal{P}_2 \setminus \{P_2\} = \{P_1, P_3, P_4, P_5\}$, share $s_2$ will be assigned to the set $\mathcal{P}_2 \setminus \{P_1, P_3\} = \{P_2, P_4, P_5\}$, share $s_3$ will be assigned to the set $\mathcal{P}_2 \setminus \{P_4\} = \{P_1, P_2, P_3, P_5\}$, and finally share $s_4$ will be assigned to the set $\mathcal{P}_2 \setminus \{P_5\} = \{P_1, P_2, P_3, P_4\}$.

Note that $P_1$ knows the set of shares $\{s_1, s_3, s_4\}$ and $P_2$ possesses the set of shares $\{s_2, s_3, s_4\}$. As $\{P_1, P_2\} \in \Gamma_1$, shares $s_1$ and $s_2$ are sufficient to recover the secret. On the other hand, $P_4$ holds the set of shares $\{s_1, s_2, s_4\}$ and $P_5$ possesses the set of shares $\{s_1, s_2, s_3\}$. Clearly, both $P_4$ and $P_5$ can individually recover the secret as both know $s_1$ and $s_2$. $\Diamond$
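The share assignment in this example can be reproduced mechanically, which also gives a check that can be run against any proposed extension of a multiple assignment scheme. The following Python code is an added example, not part of the original paper; participants are written as the integers 1 to 5, share $s_i$ as the integer $i$, and all function names are hypothetical.

```python
from itertools import combinations

def maximal_unauthorised(participants, access_sets):
    """Maximal subsets of `participants` that contain no access set (brute force)."""
    people = sorted(participants)
    unauth = [frozenset(c)
              for r in range(len(people) + 1)
              for c in combinations(people, r)
              if not any(a <= frozenset(c) for a in access_sets)]
    return [b for b in unauth if not any(b < other for other in unauth)]

def assign_shares(participants, maximal_sets):
    """Share s_i goes to everyone outside the i-th maximal unauthorised set B_i."""
    return {p: {i for i, b in enumerate(maximal_sets, start=1) if p not in b}
            for p in sorted(participants)}

def extend(base_people, base_access, new_people, new_access):
    """Extension as described in Section 4.1: s_1..s_t stay bound to B_1..B_t."""
    base_max = maximal_unauthorised(base_people, base_access)
    new_max = maximal_unauthorised(new_people, new_access)
    if not set(base_max) <= set(new_max):
        raise ValueError("an old maximal unauthorised set is missing in the new scheme")
    ordered = base_max + [b for b in new_max if b not in base_max]
    return ordered, assign_shares(new_people, ordered), len(base_max)

def leaking_sets(holdings, n_base_shares, new_access, max_size=1):
    """Unauthorised groups (up to max_size) that hold every share of the basic scheme."""
    base = set(range(1, n_base_shares + 1))
    found = []
    for r in range(1, max_size + 1):
        for group in combinations(sorted(holdings), r):
            pooled = set().union(*(holdings[p] for p in group))
            authorised = any(a <= frozenset(group) for a in new_access)
            if base <= pooled and not authorised:
                found.append(group)
    return found

# The example above, with P_i written as the integer i.
P1_SET = {1, 2, 3}
GAMMA1 = [frozenset(s) for s in ({1, 2}, {2, 3})]
P2_SET = {1, 2, 3, 4, 5}
GAMMA2 = GAMMA1 + [frozenset(s) for s in
                   ({1, 4}, {1, 5}, {2, 4}, {2, 5}, {3, 4}, {3, 5}, {4, 5})]

ORDERED, HOLDINGS, N_BASE = extend(P1_SET, GAMMA1, P2_SET, GAMMA2)
LEAKS = leaking_sets(HOLDINGS, N_BASE, GAMMA2)

if __name__ == "__main__":
    print("maximal unauthorised sets:", [sorted(b) for b in ORDERED])
    print("holdings:", HOLDINGS)
    print("unauthorised holders of all basic shares:", LEAKS)
```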

4.2 Extension of a Shamir Scheme

Since the scheme of Ito et al. [4] utilises the Shamir threshold scheme, they have claimed that, corresponding to their extended multiple assignment scheme, it is possible to construct a Shamir scheme which is the extension of the Shamir scheme associated with the basic multiple assignment scheme. Their extension method works as follows.

Let $\mathcal{P}_1 = \{P_1, \ldots, P_n\}$ be a set of participants and let a Shamir $(t, n)$ threshold scheme be designed on the set $\mathcal{P}_1$. Assume we want to design a Shamir $(\ell, m)$ threshold scheme on a set $\mathcal{P}_2 = \{P_1, \ldots, P_n, P_{n+1}, \ldots, P_m\}$, such that the set of old shares is still acceptable in the new scheme, that is, the new scheme is an extension of the old scheme. In [4] the authors proposed a method to achieve this goal. They have shown that if the polynomials $f_1(x)$ and $f_2(x)$ which are associated with the Shamir $(t, n)$ and $(\ell, m)$ threshold schemes satisfy the condition $\ell \ge t + 2$, then the extension is possible by generating a polynomial $f_2(x)$ (of degree at most $\ell - 1$) such that the $t$ shares generated by polynomial $f_1(x)$ can still be generated by polynomial $f_2(x)$. In this section, we show how $(\ell - 1)$ participants can collaborate to recover the secret in their extended Shamir $(\ell, m)$ threshold scheme.

Theorem 4.2 The extension of a Shamir threshold scheme, proposed in [4], is not secure. That is, any subset of $(\ell - 1)$ participants can also recover the secret.

Proof: Let a Shamir $(t, n)$ threshold scheme be constructed on a set $\mathcal{P}_1 = \{P_1, \ldots, P_n\}$ of $n$ participants and let the associated polynomial be $f_1(x) = K + a_1 x + \cdots + a_{t-1} x^{t-1}$, that is, $f_1(x)$ is a polynomial of degree at most $t - 1$. Also, let a Shamir $(\ell, m)$ threshold scheme, which is constructed on a set $\mathcal{P}_2 = \{P_1, \ldots, P_n, P_{n+1}, \ldots, P_m\}$, be an extension of the $(t, n)$ scheme. That is, all shares of the old scheme are also acceptable shares in the new scheme. In the extended scheme, however, the associated polynomial is of degree at most $\ell - 1$. We assume $\ell \ge t + 2$, which satisfies the condition given in [4]. Thus, we have

$$f_2(x) = K + b_1 x + \cdots + b_{\ell-1} x^{\ell-1}.$$

Although, without knowing that the Shamir $(\ell, m)$ threshold scheme is an extension of a Shamir $(t, n)$ scheme, fewer than $\ell$ participants obtain absolutely nothing about the secret, here we show that the knowledge of this fact enables $\ell - 1$ collaborating participants of the extended scheme to determine the exact value of the secret.

Let $B \subseteq \mathcal{P}_2$ ($|B| = \ell - 1$) be an unauthorised set of collaborating participants. Since $f_2(x_i) = f_1(x_i)$ ($1 \le i \le n$), the collaborating participants of the set $B$ know the following set of equations (corresponding to polynomial $f_1(x)$):

$$\begin{aligned} K + a_1 x_1 + \cdots + a_{t-1} x_1^{t-1} &= s_1 \\ &\;\;\vdots \\ K + a_1 x_t + \cdots + a_{t-1} x_t^{t-1} &= s_t \end{aligned}$$

They also know the following set of equations regarding the set $\mathcal{P}_1$ on polynomial $f_2(x)$:

$$\begin{aligned} K + b_1 x_1 + \cdots + b_{\ell-1} x_1^{\ell-1} &= s_1 \\ &\;\;\vdots \\ K + b_1 x_t + \cdots + b_{\ell-1} x_t^{\ell-1} &= s_t \end{aligned}$$

Assume the collaborating $\ell - 1$ participants are $\{P_{n+i_1}, \ldots, P_{n+i_{\ell-1}}\}$. So, they can provide the following set of $\ell - 1$ equations:

$$\begin{aligned} K + b_1 x_{n+i_1} + \cdots + b_{\ell-1} x_{n+i_1}^{\ell-1} &= s_{n+i_1} \\ &\;\;\vdots \\ K + b_1 x_{n+i_{\ell-1}} + \cdots + b_{\ell-1} x_{n+i_{\ell-1}}^{\ell-1} &= s_{n+i_{\ell-1}} \end{aligned}$$

It is not difficult to see that the above three sets of $t + t + \ell - 1$ linearly independent equations have $1 + (t - 1) + (\ell - 1) + t$ unknowns (corresponding to $K$, the $a_i$'s, the $b_j$'s and the shares, respectively). Since the number of equations is equal to the number of unknowns, the system of equations has a unique solution for $K$, that is, $\ell - 1$ participants can exactly recreate the secret. $\Box$

4.3 How to Extend a Shamir Scheme

So far we have shown that the extension of Shamir schemes given in [4] is not secure. In this section, we show how to perform this task securely.

Let a Shamir $(t, n)$ threshold scheme be constructed on a set $\mathcal{P}_1 = \{P_1, \ldots, P_n\}$ and let $f_1(x) = K + a_{1,1} x + \cdots + a_{1,t-1} x^{t-1}$ of degree at most $t - 1$ be the polynomial associated with this scheme. Suppose we want to extend this scheme to an $(\ell, m)$ threshold scheme over the set $\mathcal{P}_2 = \{P_1, \ldots, P_n, P_{n+1}, \ldots, P_m\}$. In the following we show how to select a polynomial $f_2(x)$ of degree $T$ such that every subset of $\ell$ or more participants from the set $\mathcal{P}_2$ can recover the secret, but for every subset of fewer than $\ell$ participants the secret remains absolutely undetermined.

Let $f_2(x) = K + a_{2,1} x + \cdots + a_{2,T} x^T$. Since $f_2(x_i) = f_1(x_i)$ for all $x_i$ ($1 \le i \le n$), the following set of $2 \cdot n$ equations is known.

From $f_1(x)$:

$$\begin{cases} K + a_{1,1} x_1 + \cdots + a_{1,t-1} x_1^{t-1} = s_1 \\ \quad\vdots \\ K + a_{1,1} x_n + \cdots + a_{1,t-1} x_n^{t-1} = s_n \end{cases}$$

From $f_2(x)$:

$$\begin{cases} K + a_{2,1} x_1 + \cdots + a_{2,T} x_1^{T} = s_1 \\ \quad\vdots \\ K + a_{2,1} x_n + \cdots + a_{2,T} x_n^{T} = s_n \end{cases}$$

The number of unknowns in this system of equations is $1 + (t - 1) + T + n$. The system has a unique solution if the number of equations is at least equal to the number of unknowns. In the extended scheme, however, the requirement is that at least $\ell$ participants from the set $\mathcal{P}_2$ must collaborate in order to recover the secret. Let a set $A \subseteq \mathcal{P}_2 \setminus \mathcal{P}_1$ ($|A| = \ell$) of participants contribute the following set of $\ell$ equations to the system (each participant contributes one equation).

From $f_2(x)$:

$$\begin{cases} K + a_{2,1} x_{j_1} + \cdots + a_{2,T} x_{j_1}^{T} = s_{j_1} \\ \quad\vdots \\ K + a_{2,1} x_{j_\ell} + \cdots + a_{2,T} x_{j_\ell}^{T} = s_{j_\ell} \end{cases}$$

where $n + 1 \le j_i \le m$, $1 \le i \le \ell$. Now, we want the above set of $2 \cdot n + \ell$ equations to have a unique solution for $K$. This requires that $2 \cdot n + \ell = 1 + (t - 1) + T + n$ (note that the latter set of $\ell$ equations does not increase the number of unknowns). So, the dealer can select a suitable value for $T$ (knowing $t$, $\ell$ and $n$).

Although we have shown that if $\ell$ participants from the set $\mathcal{P}_2 \setminus \mathcal{P}_1$ collaborate, then they can determine the secret, we must show that every subset of $\ell$ participants from the set $\mathcal{P}_2$ can also do so. Let only $j$, $0 < j < \ell$, participants from the set $\mathcal{P}_2 \setminus \mathcal{P}_1$ collaborate in the secret reconstruction process. Thus, $\ell - j$ participants from the set $\mathcal{P}_1$ must collaborate in the secret reconstruction. Although this decreases the number of unknown shares $s_1, \ldots, s_n$ by $\ell - j$, the number of unknown shares in the system is still $n$ (since $\ell - j$ shares regarding the absent participants are now unknown). That is, for every subset of $\ell$ participants from the set $\mathcal{P}_2$ the above set of equations has $n$ unknown shares. So, the extended scheme can be constructed if $T$ is chosen such that $\ell + 2n = 1 + (t - 1) + T + n$, or simply,

$$T = n + (\ell - t) \qquad (2)$$

To construct the polynomial $f_2(x)$, the dealer first selects $T$ random coefficients $a_{2,1}, \ldots, a_{2,T}$ such that $f_2(x) = K + a_{2,1} x + \cdots + a_{2,T} x^T$ satisfies $f_2(x_i) = f_1(x_i)$, $1 \le i \le n$. Next, it selects $m$ distinct and nonzero elements $x_i$ ($n + 1 \le i \le m$), such that $x_i \ne x_j$ ($i \ne j$, $1 \le i, j \le m$), and computes shares $s_i = f_2(x_i)$ ($n + 1 \le i \le m$). Then the dealer privately sends the shares to the corresponding participants (only to the new $m - n$ participants of the extended scheme).

The polynomial $f_2(x)$ can be constructed if $T \ge t + 1$, because the condition $f_2(x_i) = f_1(x_i)$, $1 \le i \le n$, is equivalent to:

$$\begin{pmatrix} 1 & x_1 & \cdots & x_1^{T-1} \\ 1 & x_2 & \cdots & x_2^{T-1} \\ \vdots & \vdots & & \vdots \\ 1 & x_{t-1} & \cdots & x_{t-1}^{T-1} \end{pmatrix} \begin{pmatrix} a_{2,1} - a_{1,1} \\ a_{2,2} - a_{1,2} \\ \vdots \\ a_{2,t-1} - a_{1,t-1} \\ a_{2,t} \\ \vdots \\ a_{2,T} \end{pmatrix} = \begin{pmatrix} 0 \\ 0 \\ \vdots \\ 0 \end{pmatrix}$$

If $T \ge t + 1$, then the $(t - 1) \times T$ matrix above has rank $t - 1 < T - 1$, and hence the dealer can select $a_{2,1}, \ldots, a_{2,T}$ as desired. However, considering equation (2) and the fact that $n \ge t$ (this is a basic condition in the Shamir scheme) we have $T \ge \ell$. Since $\ell > t$ (otherwise, the dealer just generates $m - n$ shares in the constructed $(t, n)$ scheme and sends them to the corresponding participants), we have $T > t$, that is, $\deg(f_2(x)) \ge \deg(f_1(x)) + 2$ and the construction of $f_2(x)$ is possible every time. Thus, we obtain the following theorem.

Theorem 4.3 For every Shamir $(t, n)$ threshold scheme over a set $\mathcal{P}_1$, there exists a Shamir $(\ell, m)$ threshold scheme over a set $\mathcal{P}_2$ ($\mathcal{P}_1 \subseteq \mathcal{P}_2$) which is an extension of the $(t, n)$ scheme.

As an example, let a Shamir $(2, 2)$ scheme be constructed over a set $\mathcal{P}_1 = \{P_1, P_2\}$. Let $\mathcal{P}_2 = \{P_1, P_2, P_3, P_4, P_5\}$ and suppose we want to extend the $(2, 2)$ scheme to a $(3, 5)$ scheme (3 members joining the group). Further, let $f_1(x) = K + a_{1,1} x$ of degree at most 1 be the polynomial associated with the $(2, 2)$ scheme. In order to compute $T$, the degree of the polynomial $f_2(x) = K + a_{2,1} x + \cdots + a_{2,T} x^T$ corresponding to the extended scheme, we obtain (using equation (2))

$$T = 2 + 3 - 2 = 3.$$

Note that, in the original Shamir schemes a polynomial of degree 3 is associated with a $(4, n)$ scheme. However, as we have shown earlier, knowing the fact that a scheme is an extended scheme enables every set of 3 participants to recover the secret. For example, participants $P_1$, $P_3$ and $P_4$ know that

$$\begin{aligned} K + a_{1,1} x_1 &= s_1 \\ K + a_{1,1} x_2 &= s_2 \\ K + a_{2,1} x_1 + a_{2,2} x_1^2 + a_{2,3} x_1^3 &= s_1 \\ K + a_{2,1} x_2 + a_{2,2} x_2^2 + a_{2,3} x_2^3 &= s_2 \\ K + a_{2,1} x_3 + a_{2,2} x_3^2 + a_{2,3} x_3^3 &= s_3 \\ K + a_{2,1} x_4 + a_{2,2} x_4^2 + a_{2,3} x_4^3 &= s_4. \end{aligned}$$

Since the above set of 6 equations has 6 unknowns ($K$, $a_{1,1}$, $a_{2,1}$, $a_{2,2}$, $a_{2,3}$ and $s_2$), the secret $K$ can be easily computed. Note that in the method of Ito et al. [4] the above scenario indicates an extension of a Shamir $(2, 2)$ scheme to a Shamir $(4, 5)$ scheme, which is not the case.
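The $(2, 2)$ to $(3, 5)$ example can be carried through numerically: the dealer builds $f_2$ of degree $T = 3$, and a coalition solves exactly the equation system written above. The following Python code is an added example, not part of the original paper; the prime 101, the points $x_i = i$, the values $K = 42$, $a_{1,1} = 17$, $c = 5$, the parametrisation $f_2 = f_1 + c\,x(x - x_1)(x - x_2)$ and all function names are assumptions made for the illustration.

```python
Q = 101  # small prime field, constructed for the demonstration

def poly_eval(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... over GF(Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def deal_extended(secret, a11, c, xs):
    """Shares of a (2,2) scheme on xs[0:2] extended to (3,5) with T = 3.

    Assumed parametrisation: f2 = f1 + c*x*(x - x1)*(x - x2), which covers every
    cubic with f2(0) = K and f2(x_i) = f1(x_i) for i = 1, 2.
    """
    x1, x2 = xs[0], xs[1]
    f1 = [secret, a11]
    f2 = [secret, (a11 + c * x1 * x2) % Q, (-c * (x1 + x2)) % Q, c % Q]
    return {i: poly_eval(f1 if i <= 2 else f2, x) for i, x in enumerate(xs, 1)}

def solve_for_first(rows, ncols):
    """Gauss-Jordan over GF(Q); value of unknown 0 if uniquely determined, else None."""
    rows = [row[:] for row in rows]
    pivots, r = {}, 0
    for col in range(ncols):
        pr = next((i for i in range(r, len(rows)) if rows[i][col]), None)
        if pr is None:
            continue
        rows[r], rows[pr] = rows[pr], rows[r]
        inv = pow(rows[r][col], -1, Q)
        rows[r] = [v * inv % Q for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % Q for a, b in zip(rows[i], rows[r])]
        pivots[col] = r
        r += 1
    if 0 not in pivots:
        return None
    k_row = rows[pivots[0]]
    free = [c for c in range(ncols) if c not in pivots]
    return k_row[-1] if all(k_row[c] == 0 for c in free) else None

def recover_secret(coalition, shares, xs, n_old=2, deg1=1, deg2=3):
    """Build the equation system of the example from the coalition's shares only."""
    absent = [i for i in range(1, n_old + 1) if i not in coalition]
    ncols = 1 + deg1 + deg2 + len(absent)  # K, a_{1,*}, a_{2,*}, unknown old shares

    def equation(i, offset, degree):
        row = [0] * (ncols + 1)
        row[0] = 1                                    # coefficient of K
        for k in range(1, degree + 1):
            row[offset + k - 1] = pow(xs[i - 1], k, Q)
        if i in absent:
            row[1 + deg1 + deg2 + absent.index(i)] = Q - 1  # ... - s_i = 0
        else:
            row[-1] = shares[i]                       # ... = s_i (known share)
        return row

    rows = []
    for i in range(1, n_old + 1):
        rows.append(equation(i, 1, deg1))             # f1(x_i) = s_i
        rows.append(equation(i, 1 + deg1, deg2))      # f2(x_i) = s_i
    for i in sorted(coalition):
        if i > n_old:
            rows.append(equation(i, 1 + deg1, deg2))  # f2(x_i) = s_i
    return solve_for_first(rows, ncols)

XS = [1, 2, 3, 4, 5]                                  # public x_1..x_5 (constructed)
SHARES = deal_extended(secret=42, a11=17, c=5, xs=XS)

if __name__ == "__main__":
    for group in ({1, 3, 4}, {3, 4, 5}, {3, 4}):
        print(sorted(group), recover_secret(group, SHARES, XS))
```

For this instance the coalitions $\{P_1, P_3, P_4\}$ and $\{P_3, P_4, P_5\}$ both obtain $K = 42$, while for $\{P_3, P_4\}$ the system leaves $K$ undetermined and the function returns `None`.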

References

[1] A. Shamir, "How to Share a Secret," Communications of the ACM, vol. 22, pp. 612–613, Nov. 1979.
[2] G. Blakley, "Safeguarding cryptographic keys," in Proceedings of AFIPS 1979 National Computer Conference, vol. 48, pp. 313–317, 1979.
[3] D. Chaum, "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups," tech. rep., Memorandum No. UCB/ERL M/79/10, University of California, Berkeley, CA, Feb. 1979.
[4] M. Ito, A. Saito, and T. Nishizeki, "Secret Sharing Scheme Realizing General Access Structure," in Proceedings IEEE Global Telecommun. Conf., Globecom '87, Washington, pp. 99–102, IEEE Communications Soc. Press, 1987.
[5] J. Benaloh and J. Leichter, "Generalized Secret Sharing and Monotone Functions," in Advances in Cryptology - Proceedings of CRYPTO '88 (S. Goldwasser, ed.), vol. 403 of Lecture Notes in Computer Science, pp. 27–35, Springer-Verlag, 1990.
[6] G. Simmons, "How to (Really) Share a Secret," in Advances in Cryptology - Proceedings of CRYPTO '88 (S. Goldwasser, ed.), vol. 403 of Lecture Notes in Computer Science, pp. 390–448, Springer-Verlag, 1990.
[7] G. Simmons, "Robust Shared Secret Schemes or 'How to be Sure You Have the Right Answer Even Though You Don't Know the Question'," in 18th Annual Conference on Numerical Mathematics and Computing, vol. 68 of Congressus Numerantium, (Manitoba, Canada), pp. 215–248, Winnipeg, May 1989.
[8] G. Simmons, "Prepositioned Shared Secret and/or Shared Control Schemes," in Advances in Cryptology - Proceedings of EUROCRYPT '89 (J.-J. Quisquater and J. Vandewalle, eds.), vol. 434 of Lecture Notes in Computer Science, pp. 436–467, Springer-Verlag, 1990.
[9] H. Ghodosi, J. Pieprzyk, and R. Safavi-Naini, "Remarks on the Multiple Assignment Secret Sharing Scheme," in Proceedings of ICICS '97 - International Conference on Information and Communications Security, Beijing, P. R. China (Y. Han, T. Okamoto, and S. Qing, eds.), vol. 1334 of Lecture Notes in Computer Science, pp. 72–80, Springer-Verlag (Berlin), 1997.
[10] D. Stinson, "An Explication of Secret Sharing Schemes," Designs, Codes and Cryptography, vol. 2, pp. 357–390, 1992.