Secret sharing schemes based on graphical codes
Ying Gao & Romar dela Cruz
Cryptography and Communications Discrete Structures, Boolean Functions and Sequences ISSN 1936-2447 Volume 6 Number 2 Cryptogr. Commun. (2014) 6:137-155 DOI 10.1007/s12095-013-0092-z
Received: 24 March 2013 / Accepted: 25 September 2013 / Published online: 19 October 2013 © Springer Science+Business Media New York 2013
Abstract We study the access structure and multiplicativity of linear secret sharing schemes based on codes from complete graphs. First, we describe the access structure of the schemes based on cut-set and cycle codes. Second, we show that the class of access structures based on odd cycles cannot be realized by ideal multiplicative linear secret sharing schemes over any finite field. This can be seen as a contribution to the characterization of access structures of ideal multiplicative schemes. The access structure based on odd cycles corresponds to the scheme based on the dual of the extended cycle code. Finally, we show that we can obtain an ideal multiplicative linear secret sharing scheme based on the dual of an augmented extended cycle code.

Keywords Secret sharing · Linear code · Matroid · Graph

Mathematics Subject Classifications (2010) 94A62 · 94B05 · 05C50

Y. Gao, School of Mathematics and Systems Science, Beihang University, LMIB of the Ministry of Education, Beijing 100191, People's Republic of China

R. dela Cruz, Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, 21 Nanyang Link, Singapore 637371, Singapore

R. dela Cruz, Institute of Mathematics, College of Science, University of the Philippines Diliman, C.P. Garcia St., Quezon City, Philippines 1101

1 Introduction

A secret sharing scheme is a protocol which involves a dealer (one who knows the secret) distributing shares (pieces of information related to the secret) to a group of
players. The distribution method is designed in such a way that only those player subsets in the access structure can recover the secret. The first constructions of such schemes were the threshold schemes of Blakley [5] and Shamir [22]. In a (t, n)-threshold scheme, any t out of n players can determine the secret. Massey presented in [18] a construction of secret sharing schemes using linear codes. He also proved that there is a correspondence between the minimal access structure and the set of minimal codewords of the dual code.

One important application of secret sharing schemes is in the construction of secure protocols for multi-party computation (MPC). In a secure MPC protocol [12, 26], there are n players who jointly compute a function of their secret inputs. The protocol must guarantee the correctness of the output and the privacy of the inputs even when some of the players are corrupted. In [8], Cramer et al. showed how to construct secure MPC protocols using linear secret sharing schemes (LSSS). The general idea is that first, secure computation of a function can be reduced to secure addition and secure multiplication. Now, secure addition can be performed using LSSS. To do secure multiplication, the authors in [8] introduced the concept of multiplicative LSSS. A multiplicative LSSS can be constructed from any LSSS for the same access structure, though in general, the process involves doubling the share size [8].

It is an open problem to determine the cases in which the increase in the share size is necessary and the cases in which it is not. A special case of this problem is the characterization of access structures that admit ideal multiplicative LSSS. This problem was considered in [9, 21] for some self-dual access structures. Many authors also considered the construction of ideal multiplicative LSSS [7, 9, 16, 17, 19]. Some examples are the Shamir threshold scheme, algebraic geometric secret sharing schemes and LSSS based on self-dual codes.
The authors in [17] constructed ideal multiplicative LSSS based on graph connectivity. Most of these schemes belong to the class of LSSS based on linear codes.

In this work, we continue the study of the multiplicativity of LSSS based on linear codes. In particular, we consider the schemes based on some graphical codes. In Section 2, we give some background on secret sharing schemes and graphical codes. Some fundamental results on the connection of secret sharing schemes with matroids, monotone span programs, and linear codes are presented in the Appendix. In Section 3, we describe the access structure of LSSS based on cut-set and cycle codes. In Section 4, we study the access structure based on odd cycles and prove that it does not admit any ideal multiplicative LSSS. This is the access structure of the scheme based on the dual of the extended cycle code. This access structure has been considered before in [3] in connection with computational complexity. In Section 5, we expand the access structure based on odd cycles and show that it can be realized by ideal multiplicative LSSS. The access structure in Section 5 corresponds to the scheme based on the dual of an augmented extended cycle code.
2 Preliminaries

We let P = {P1, ..., Pn} denote the set of n players and let D be the dealer. The family of authorized or qualified subsets ⊆ 2^P is called the access structure of the scheme. The access structure satisfies the monotone increasing property, that is, if
A ∈ and A ⊆ B, then B ∈ . It follows that is determined by the minimum access structure − = {A ∈ | ∀B ⊂ A ⇒ B ∉ }. The collection of unqualified subsets of players is called the adversary structure A = P \ . The adversary structure is monotone decreasing, that is, for any B ∈ A, A ⊆ B implies A ∈ A. Hence, A can be described by the maximum adversary structure A+ = {A ∈ A | ∀B ⊃ A ⇒ B ∉ A}. We now present the definition of perfect secret sharing scheme.

Definition 1 [24] A perfect secret sharing scheme realizing the access structure is a method of sharing a secret among a set of players P, in such a way that the following two properties are satisfied:
i. If an authorized subset of players B ⊆ P pool their shares, then they can determine the secret.
ii. If an unauthorized subset of players B ⊆ P pool their shares, then they can determine nothing about the secret.

The information rate of a scheme is the ratio of the size of the secret and the maximum size of the shares. It is well-known that for perfect schemes, the information rate is at most 1. A secret sharing scheme is called ideal if the information rate is equal to 1. An access structure is said to be ideal if it can be realized by an ideal secret sharing scheme.

Given an access structure , we define the dual access structure as ⊥ = {A ⊆ P | A = P \ A ∉ }. An access structure is said to be self-dual if it is equal to its dual.

2.1 Multiplicative linear secret sharing schemes

Let Fq be the finite field of order q, a prime power. We use the notation X^T for the transpose of a matrix X. In this paper, we only consider linear secret sharing schemes (LSSS for short) where the set of possible secrets is Fq and the set of possible shares of every player Pi ∈ P is a vector space over Fq. We can describe LSSS using monotone span programs (see Appendix).
Informally speaking, an LSSS is multiplicative if each player Pi can, from his shares of secrets a and b , compute a value ci, such that the product ab can be computed as a linear combination of all the ci's. It is strongly multiplicative if ab can be obtained using only values from honest players.

Definition 2 [8] An ideal MSP M is said to be multiplicative if there exists a vector r, called a recombination vector, such that for any two secrets s, s and respective share vectors (x1, ..., xn) = M(s, ρ)^T, (x 1, ..., x n) = M(s , ρ )^T where ρ, ρ are random vectors, it holds that ss = r, (x1 x 1, ..., yn y n). We say that M is strongly multiplicative if for any player subset A that is rejected by M, M A is multiplicative.

Definition 3 Let d ≥ 2 be an integer. An adversary structure A is called Qd if every d sets in A cannot cover the whole player set P. For simplicity, when an adversary structure A is Qd we also say that the corresponding access structure = A is Qd.
For example, the (t, n)-threshold access structure is Q2 if n ≥ 2t − 1 and is Q3 if n ≥ 3t − 2. Multiplicative MSP is possible if and only if the access structure is of type Q2, and strongly multiplicative MSP is possible if and only if the access structure is of type Q3 [8].

In this work, we consider ideal multiplicative LSSS. The Shamir (t, n)-threshold scheme with n ≥ 2t − 1 is an example of such a scheme. Ideal multiplicative schemes can also be obtained from algebraic geometric LSSS [7] and LSSS based on self-dual codes [9]. A construction for hierarchical access structures can be found in [16]. The authors in [17] and in [19] presented constructions of ideal multiplicative schemes of some access structures based on graphs. We show in Section 5 ideal multiplicative schemes for a different graph-based access structure.

We will use the following alternative way to decide whether or not an ideal MSP is multiplicative [17]. First, we define an operation ∗ on any matrix.

Definition 4 Let P be an n × l matrix over Fq and suppose that pi = (p1i, ..., pni)^T is the i-th column of P. Let P∗ be the matrix constituted by all the column vectors pi ∗ pj, 1 ≤ i ≤ j ≤ l, where pi ∗ pj = (p1i p1j, ..., pni pnj)^T. Thus P∗ is an n × l(l+1)/2 matrix given by
P∗ = (p1 ∗ p1, p1 ∗ p2, ..., p1 ∗ pl, p2 ∗ p2, p2 ∗ p3, ..., p2 ∗ pl, ..., pl ∗ pl).
In particular, suppose v = (v1, ..., vl) ∈ Fq^l; then v∗ is defined as
v∗ = (v1v1, v1v2, ..., v2v2, ..., v2vl, ..., vlvl).

Proposition 1 [17] An ideal MSP (Fq, M, ε, ψ) is multiplicative if and only if the system of linear equations zM∗ = ε∗ is solvable. Moreover, the solution z is a recombination vector.

Given an LSSS realizing a Q2 access structure, it can be transformed into a multiplicative scheme for the same access structure [8]. In general, the transformation involves doubling the size of the shares in the original scheme.
It is an open problem to determine the LSSS which do not require share expansion to obtain the multiplicative property. A particular case of this problem is the characterization of access structures of ideal multiplicative LSSS. The (t, n)-threshold access structures with n ≥ 2t − 1 can be realized by an ideal multiplicative LSSS (e.g. Shamir scheme). Given a self-dual access structure which can be realized by an ideal LSSS, the question of whether it admits an ideal multiplicative scheme was studied in [9, 21]. It was shown in [9], using the relation between matroids and codes, that the answer is affirmative for such access structures which are bipartite. It was proven in [21] that such access structures with at most seven players admit an ideal multiplicative LSSS. We present in Section 4 a family of access structures defined on odd cycles that cannot be realized by an ideal multiplicative LSSS.

2.2 Graphs

Let G(V, E) be a connected undirected graph with vertex set V = {v1, ..., vm} and edge set E = {e1, ..., en}. Every subgraph G of G can be described by a binary characteristic vector g = (g1, ..., gn), where gi = 1 if ei is an edge of G and gi = 0
otherwise, 1 ≤ i ≤ n. In this paper, we will not distinguish between a subgraph and its characteristic vector. The symmetric difference of subgraphs then amounts to the addition of the corresponding characteristic vectors. The set of all subgraphs, including the empty graph ∅, forms an n-dimensional vector space W(G) over F2.

There are two well-known subspaces of W(G). The first one is the cut-set space or bond space of G which we denote by C(G). By a cut-set (or a bond), we mean a minimal edge cut of G. The elements of C(G) are the cut-sets and the unions of edge-disjoint cut-sets. The second subspace is the cycle space C∗(G) of G. The cycle space is generated by all the cycles of the graph. Its elements are the cycles and the unions of edge-disjoint cycles.

Consider a spanning tree T of G. Each edge of G not in T will form a cycle with T and the characteristic vectors of these n − m + 1 cycles are linearly independent. On the other hand, each edge of T is associated with a cut-set of G and these m − 1 cut-sets are also linearly independent. Hence, the dimensions of C(G) and C∗(G) are at least m − 1 and n − m + 1, respectively. It can be shown that a cycle and a cut-set have an even number of common edges. Thus, C(G) and C∗(G) are orthogonal to each other with respect to the inner product in the binary field. Since these are subspaces of an n-dimensional vector space, the dimension of C(G) is equal to m − 1 and the dimension of C∗(G) is equal to n − m + 1.

The incidence matrix H = (hij)m×n of G is defined over F2 by hij = 1 if vi ∈ ej, and hij = 0 otherwise. The incidence set of a vertex vi in G is the cut-set consisting of the set of edges that are incident with v. This set can be represented by the row in the incidence matrix H which corresponds to the vertex vi (called the incidence vector of vi). The incidence vectors of any m − 1 vertices of a connected m-vertex graph G form a basis of the cut-set space C(G). For i = 1, ..., n, let Hi be the submatrix of H formed by removing the incidence vector of vi. We call Hi a reduced incidence matrix. Without loss of generality, we fix removing the vertex vm and then always use the notation Hm since any transformation of the vertex set yields an isomorphic graph.

Many researchers focused on studying the secret sharing schemes for graph-based access structures with the minimal access structure being the collection of the pairs of players corresponding to edges, i.e., associate each player with a vertex of the underlying graph, and any two players can recover the secret if there is an edge connecting them. See [23] and its references.

Another way to construct an access structure based on a graph G is first to associate each player with an edge and then consider certain subsets of the edge set E. For example, Karchmer and Wigderson [15] considered access structures based on the connectivity of two designated vertices. For complete graphs, Liu et al. [17] considered the set of all spanning trees while Beimel [3] considered the set of all odd cycles.
3 Secret sharing schemes based on cut-set and cycle codes

Let G(V, E) be a connected undirected graph with vertex set V = {v1, ..., vm} and edge set E = {e1, ..., en}. The cut-set space C(G) can be viewed as an [n, m − 1]
binary linear code (called the cut-set code). In addition, the reduced incidence matrix Hm is a generator matrix for C(G). We can assume that Hm is a generator matrix in standard form, i.e. the first m − 1 columns form the identity matrix. Similarly, the cycle space C∗(G) is an [n, n − m + 1] binary linear code (called the cycle code) and we have C∗(G) = C⊥(G).

Now, let G = Km, the complete graph on m vertices. We consider the secret sharing schemes based on cut-set codes and cycle codes associated with Km. Note that the coordinate positions are indexed by the edges of the graph. The dealer D is associated with the edge corresponding to the first coordinate position and each of the n − 1 players is associated with one of the remaining edges/coordinate positions. First, we describe the access structure of the secret sharing scheme based on the cut-set code C(Km).

Proposition 2 Let vs and vt be the vertices of the edge corresponding to the first coordinate position. In the secret sharing scheme based on C(Km), a set of shares {ci1, ci2, ..., cir} can determine the secret if and only if the corresponding set of edges contains a path from vs to vt.

Proof It follows from Lemma 7 that a set of shares {ci1, ci2, ..., cir} can determine the secret if and only if there exists a codeword z = (z0, ..., zn−1) ∈ C⊥(Km) such that z0 = 1 and supp(z) ⊆ {0, i1, ..., ir}. Since the dual code of C(Km) is the cycle code C∗(Km), the support of z corresponds to a cycle or a union of edge-disjoint cycles. Therefore, a set of shares {ci1, ci2, ..., cir} can determine the secret if and only if the corresponding set of edges contains a path from vs to vt.

The access structure realized by the secret sharing scheme based on C(Km) is the undirected s-t connectivity access structure ustcon on Km. In [2], an MSP computing ustcon was presented. By using Lemma 6, we can get a generator matrix of C(Km) from the MSP.
We give an example to illustrate the method of obtaining the access structures.

Example 1 Let m = 4, n = 6, V = {v1, v2, v3, v4}, P = {P1, P2, P3, P4, P5, P6}. Consider the complete graph K4 (see Fig. 1). Since each player is associated with an edge, without loss of generality, assume that the dealer D is associated with the edge v1v4, i.e., P1 is the dealer. Then according to Proposition 2, to get the access structure we need to find all the paths from v1 to v4: v1 − v2 − v4, v1 − v3 − v4, v1 − v3 − v2 − v4, v1 − v2 − v3 − v4.
Fig. 1 Complete graph K4
Then the minimal access structure of the secret sharing scheme based on C(K4) is {{P2, P4}, {P3, P5}, {P2, P5, P6}, {P3, P4, P6}}.

Now, we consider the access structure of the secret sharing scheme based on the cycle code C∗(Km).

Proposition 3 Every nonzero codeword of the cut-set code C(Km) is minimal.

Proof By looking at the generator matrix Hm, we can see that for any two nonzero codewords c1, c2 ∈ C(Km), supp(c1) ∩ supp(c2) is non-empty. The proposition now follows from Lemma 2.1 (5) in [1]. Actually, this means that C(Km) is a binary intersecting code.

Corollary 1 In the secret sharing scheme based on C∗(Km), there are 2^(m−2) minimal authorized sets and each player Pi belongs to 2^(m−3) out of 2^(m−2) minimal authorized sets.

Proof The result follows from the preceding proposition and Proposition 2 in [10].

If we want to know whether we can get multiplicative linear secret sharing schemes based on the linear codes above, then the following propositions say that it is not the case.

Proposition 4 Consider the access structure ustcon based on the complete graph Km. Then ustcon is not Q2.

Proof First, let the edge v1vm correspond to the dealer. Hence, to prove the proposition, we need to find two unauthorized sets of edges whose union covers the set E \ {v1vm}. Let A1 be the subset of E \ {v1vm} containing the edges incident with v1 but not with vm. Then A1 ∉ ustcon since it does not contain a path from v1 to vm. Let A2 = E \ ({v1vm} ∪ A1). Then A2 is also not an authorized set. Now, A1 ∪ A2 is the whole player set E \ {v1vm}. Therefore, ustcon is not Q2.

Proposition 5 The access structure realized by the secret sharing scheme based on the cycle code C∗(Km) is not Q2 for m ≥ 4.

Proof Let be the access structure realized by the secret sharing scheme based on C∗(Km) and let v1vm be the edge associated with the dealer.
First, we note that A ⊆ P is in the minimal access structure − if and only if A ∪ {v1vm} is a bond (minimal cut-set) [4]. The secret sharing scheme based on C∗(K3) is a (1, 2)-threshold scheme. Hence, the corresponding access structure is Q2 and we know that the corresponding Shamir scheme is ideal and multiplicative. Now let m ≥ 4. Suppose, for a contradiction, that is Q2. Then it follows that the dual access structure ⊥ ⊆ (see [9]). Now, ⊥ is the access structure realized by the secret sharing scheme based on C(Km). Let A ∈ ⊥ such that A ∪ {v1vm} is a 3-cycle. Then A ∉ , contradicting the assumption that is Q2.
4 Access structure based on odd cycles

We revisit a class of access structures which appears in [3] and where the minimal authorized sets correspond to odd cycles. These access structures are related to the dual of the extended cycle code and can be realized by multiplicative linear secret sharing schemes (unlike in the case of the access structures in the previous section). One drawback, as we will prove, is that there is no ideal multiplicative linear secret sharing scheme over Fq that realizes them. The negative result, though, is a contribution to the characterization of access structures which admit ideal multiplicative LSSS.

4.1 Definition and some properties

An edge-induced subgraph is a subset of the edges of a graph together with any vertices that are their endpoints. We use G[S] to denote the edge-induced subgraph of G(V, E) whose edge set is S and whose vertex set is the subset of V consisting of those vertices incident with any edge in S. A bipartite graph is a graph whose vertices can be divided into two disjoint sets U and V such that every edge connects a vertex in U to one in V. The next lemma is a characterization of bipartite graphs using odd cycles (cycles consisting of an odd number of vertices).

Lemma 1 [25] A graph is bipartite if and only if it contains no odd cycle.

Definition 5 Let Km be the complete graph with m vertices and let n be the number of edges. For i = 1, ..., n, every player Pi is assigned to an edge. Define
oc = {A ⊆ P | Km[A] contains an odd cycle}.
Then oc is an access structure.

It follows from the definition that the adversary structure is given by
Aoc = {B ⊆ P | Km[B] does not contain an odd cycle}.
We can see that oc is monotone increasing while Aoc is monotone decreasing. Using Lemma 1, we can also define oc and Aoc in terms of bipartite graphs.

Proposition 6 The adversary structure Aoc is Qd if and only if m ≥ 2d + 1.

Proof The complete graph Km can be expressed as the union of k bipartite graphs if and only if m ≤ 2k (cf. [25]). The proposition now follows.

It follows from the proposition that for m ≥ 5, the access structure oc on Km can be realized by a multiplicative LSSS.
4.2 Appropriate matroid

Let G(V, E) be a connected undirected graph. By attaching a sign to each edge of G, we obtain a signed graph Gs. The sign of a cycle is the product of the signs of its edges. The graphic matroid associated with G is the matroid M(G) on the edge set E(G) whose circuits are the cycles of G. As a binary matroid, M(G) can be represented by the vertex-edge incidence matrix H of G.

We consider two matroids defined on the edge set of a signed graph Gs. The lift matroid L(Gs) is the matroid wherein a circuit is a positive cycle of Gs or the disjoint union of two negative cycles of Gs that meet in at most one vertex. The complete lift matroid L0(Gs) is an extension of L(Gs) obtained by adding an extra point e0 (which acts like a negative loop) to E(Gs) (the point set of L(Gs)). A circuit of L0(Gs) is a circuit of L(Gs) or the union of e0 and a negative cycle.

Given M(G) and the incidence matrix H of G, we can obtain the binary representation of the complete lift matroid L0(Gs) [11]. First, we define the row incidence vector d of the signs of the edges. For i = 1, ..., n, let di = 1 if the corresponding edge is negative, and 0 otherwise. The binary representation of L0(Gs) is given by
\[ H = \begin{bmatrix} 1 & d \\ 0 & \\ \vdots & H \\ 0 & \end{bmatrix}. \]
Note that we can replace H by the reduced incidence matrix Hm.

Example 2 Let Gs be the complete graph Km with all edges negative, denoted by −Km. Suppose we add a negative loop e0 at the vertex vm. A circuit of L0(−Km) is the disjoint union of two odd cycles that meet in at most one vertex or the union of e0 and an odd cycle. The binary representation of L0(−Km) is given by H above, with the vector d equal to the all-one vector.

Based on the preceding example, we can see that L0(−Km) is the appropriate matroid for the access structure oc on Km. Consider the extended cycle code C∗(Km). The binary representation H with the matrix H replaced by Hm is a parity check matrix of C∗(Km).
Hence, oc is the access structure realized by the secret sharing scheme based on the dual of C∗(Km).

Next, we want to show that for m ≥ 4, L0(−Km) is only representable over a field with characteristic 2. We will use the following proposition taken from [11] (Note: For the meaning of the concept of minor and F7∗, the reader may refer to [20].):

Proposition 7 Let Gs be a signed graph. Then L0(Gs) has an F7∗ minor using e0 if and only if Gs contains −K4.

Corollary 2 For m ≥ 4, L0(−Km) is only representable over a field with characteristic 2.

Proof From the preceding proposition, L0(−Km) has an F7∗ minor using e0. If a matroid is representable over a field Fq then its minor is also representable over
the same field. It is well-known that F7∗ can only be represented over a field with characteristic 2.

Corollary 3 The access structure oc defined on Km, m ≥ 4, can only be realized by an ideal LSSS over a field of characteristic 2.

4.3 LSSS realizing the access structure based on odd cycles

By Lemma 5 and using the binary representation of the complete lift matroid L0(−Km), we get an ideal MSP realizing oc over F2. We show that the same MSP computes oc over any field of characteristic 2.

Proposition 8 Let Km be the complete graph on m vertices and Fq be a field of characteristic 2. Suppose M is an (n × m) matrix over Fq defined as M = (1^T Hm^T), where 1 is the all-one row vector and Hm is a reduced incidence matrix of Km. Then M(Fq, M, ε = (1, 0, ..., 0)) is an ideal MSP computing the access structure oc.

Proof Assume Hm^T = (h1^T ··· hm−1^T) where hi is the incidence vector of the vertex vi. Given a secret s, the shares are generated by choosing m − 1 random values r1, ..., rm−1 and then computing M(s, r1, ..., rm−1)^T. If a participant corresponds to an edge (vk, vl) where k, l are both not equal to m then its share is given by xkl = s + rk + rl. If a participant corresponds to an edge (vk, vm) then its share is given by xkm = s + rk.

Let A ⊆ P. Suppose A corresponds to an odd cycle. Then the first column of M_A has an odd number of 1's while the other columns have an even number of 0's. Hence, taking the sum of the rows of M_A gives us the target vector (1, 0, ..., 0). Therefore, A ∈ oc.

Suppose A does not contain an odd cycle, or equivalently, A is bipartite. For a secret s, let {xkl : (vk, vl) ∈ A} be the set of shares of participants in A. We want to show that the number of random values to generate the shares {xkl : (vk, vl) ∈ A} given the secret s is equal to the number of random values that generate the same set of shares given the secret s where s = s .
Since A is bipartite then we can partition the set of vertices corresponding to A into two sets V1 , V2 such that for any edge in A, one of its endpoints is in V1 while the other is in V2 . Choose one Vi which does not contain vm . Note that it is possible that vm is not contained in both V1 and V2 . In this case, simply choose any set. Let V be the selected set. For i = 1, . . . , m − 1, define ri = ri + (s − s ) if vi ∈ V and ri = ri otherwise. We will show that r1 , . . . , rm−1 generate the shares {xkl : (vk , vl ) ∈ A}. Let (vk , vl ) be an edge in A where k, l are both not equal to m. Then only one of the endpoints, say vk , is in V . It follows that
x kl = s + rk + rl = s + rk + (s − s ) + rl = s + rk + rl = xkl . Suppose now that (vk , vm ) is an edge in A. Then we have x km = s + rk = s + rk + (s − s ) = s + rk = xkm . By construction, we can see that the MSP is ideal.
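The share equations and both directions of the proof of Proposition 8, as an added example that is not part of the paper: shares are dealt over GF(2^8), where field addition is XOR, an odd closed walk recovers the secret, and for a bipartite set the proof's shifted randomness is built explicitly. Function names and sample values are constructed for illustration.

```python
import secrets
from itertools import combinations

def edge(u, v):
    return (min(u, v), max(u, v))

def deal(m, secret, r=None):
    """Shares for the edges of K_m: x_kl = s + r_k + r_l and x_km = s + r_k.

    Elements are bytes of GF(2^8); M has 0/1 entries, so only addition
    (XOR) is needed. r_m is fixed to 0, which models dropping the row of
    v_m from the incidence matrix.
    """
    if r is None:
        r = [secrets.randbelow(256) for _ in range(m - 1)]
    r = list(r) + [0]
    return {(k, l): secret ^ r[k - 1] ^ r[l - 1]
            for k, l in combinations(range(1, m + 1), 2)}

def odd_walk_or_colouring(edge_set):
    """BFS 2-colouring of the edge-induced subgraph.

    Returns (walk, None) with the edges of an odd closed walk (taken as a
    symmetric difference, so repeated edges cancel), or (None, colouring)
    when the subgraph is bipartite.
    """
    adj = {}
    for u, v in edge_set:
        adj.setdefault(u, []).append(v)
        adj.setdefault(v, []).append(u)
    colour, parent = {}, {}
    for root in adj:
        if root in colour:
            continue
        colour[root], parent[root] = 0, None
        queue = [root]
        for u in queue:                      # queue grows while iterating
            for v in adj[u]:
                if v not in colour:
                    colour[v], parent[v] = colour[u] ^ 1, u
                    queue.append(v)
                elif colour[v] == colour[u]:
                    walk = {edge(u, v)}
                    for x in (u, v):         # climb both tree paths to the root
                        while parent[x] is not None:
                            walk ^= {edge(x, parent[x])}
                            x = parent[x]
                    return walk, None
    return None, colour

def reconstruct(shares):
    """XOR the shares along an odd closed walk; None if the set is bipartite.

    s appears an odd number of times; every r_i appears an even number of
    times because each vertex meets the walk in an even number of edges.
    """
    walk, _ = odd_walk_or_colouring(shares)
    if walk is None:
        return None
    out = 0
    for e in walk:
        out ^= shares[e]
    return out

def equivalent_randomness(m, held, r, s, s_other):
    """For a bipartite edge set, return randomness that explains the same
    shares under the secret s_other (the shift used in the proof)."""
    walk, colour = odd_walk_or_colouring(held)
    if walk is not None:
        raise ValueError("edge set contains an odd cycle, so it is qualified")
    side = 1 - colour[m] if m in colour else 0   # the class that avoids v_m
    return [ri ^ s ^ s_other if colour.get(i) == side else ri
            for i, ri in enumerate(r, start=1)]

if __name__ == "__main__":
    r = [0x11, 0x22, 0x33, 0x44]                 # constructed sample values
    shares = deal(5, 0xA7, r)
    triangle = {e: shares[e] for e in [(1, 2), (2, 3), (1, 3)]}
    print(hex(reconstruct(triangle)))
```
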
4.4 Multiplicativity

We now consider the question: Can the access structure oc be realized by an ideal multiplicative LSSS? If m < 5 then we know from Proposition 6 that the adversary structure Aoc is not Q2. Hence, we assume that m ≥ 5.

Proposition 9 Let Fq be a field of characteristic 2. Then the ideal MSP M(Fq, M, ε) defined in Proposition 8 is not multiplicative.

Proof By Proposition 1, the ideal MSP M(Fq, M, ε) is multiplicative if and only if the system of linear equations zM∗ = ε∗ is solvable. This means that r((M∗)^T) = r((M∗)^T, (ε∗)^T) where r(.) denotes the rank of a matrix. Since M = (1^T Hm^T), then M∗ = (1^T Hm^T (Hm^T)∗). It is not difficult to see that r((Hm^T)∗) = n over Fq, so r((M∗)^T) = r(M∗) = n. We can check that r((M∗)^T, (ε∗)^T) = n + 1. Therefore the MSP M(Fq, M, ε) is not multiplicative.

Proposition 10 The access structure oc does not admit an ideal MLSSS over any field.

Proof First, we consider the case over a field Fq of characteristic not equal to 2. By Corollary 3, there is no ideal MLSSS realizing oc over Fq. Next, we consider the case over F2. We can deduce from Lemmas 3 and 6 that if an access structure can be realized by an ideal LSSS over F2 then this scheme is unique over F2. Hence, by Propositions 8 and 9, oc does not admit an ideal MLSSS over F2. Lastly, we look at the case over a nonbinary field Fq of characteristic 2. By Proposition 8, we have an ideal LSSS realizing oc over Fq. Now Lemmas 4 and 6 tell us that the ideal LSSS is unique. Thus, by Proposition 9, oc does not admit an ideal MLSSS over Fq.
5 Ideal multiplicative LSSS based on graphical codes

In this section, we present the ideal multiplicative LSSS that we were able to find by using the incidence matrix and Lemma 1. We describe the corresponding access structure in terms of graphs and we show the connection to some graphical codes.

5.1 Access structure

Let G(V, E) be a connected undirected graph with V = {v1, ..., vm} and E = {e1, ..., en}. Given F ⊆ E, we define dF(v) to be the number of edges in F incident with the vertex v. Let Y be the collection of all F ⊆ E such that |F| is even and dF(vi) is odd for 1 ≤ i ≤ m − 1.

Definition 6 Let Km be the complete graph with m vertices and let n be the number of edges. For i = 1, ..., n, every player Pi is assigned to an edge. Define
ocy = {A ⊆ P | Km[A] contains an odd cycle or Km[A] contains a set in Y}.
Then ocy is an access structure.
Based on the definition, ocy satisfies the monotone increasing property.

Example 3 Consider the complete graph K4 (see Fig. 1). The minimal access structure based on odd cycles is
− oc = {{P1, P3, P5}, {P1, P2, P4}, {P2, P3, P6}, {P4, P5, P6}}
while the minimal access structure based on odd cycles and Y-sets is
− ocy = {{P1, P3, P5}, {P1, P2, P4}, {P2, P3, P6}, {P4, P5, P6}, {P1, P6}, {P3, P4}, {P2, P5}}.
We can check that the first one is not Q2 while the second one is Q2.

Proposition 11 The access structure ocy satisfies the following properties:
i. Let d ≥ 2 be an integer. If m ≥ 2d + 1 then the access structure ocy is Qd.
ii. If m ≥ 4 then the access structure ocy is Q2 but is not self-dual.

Proof Since oc ⊆ ocy then the first part of the proposition follows from Proposition 6. For the second part, first we recall that self-dual access structures coincide with the minimally Q2 access structures [8]. We claim that Km contains a subset of edges belonging to the set Y. Indeed, if m is odd then {v1vm, v2vm, ..., vm−1vm} ∈ Y while if m is even then {v1v4, v1v5, ..., v1vm, v2v3} ∈ Y. When m ≥ 5, we have oc is Q2 and oc ⊂ ocy, which means that ocy is not minimal. When m = 4, we can directly check that ocy is not self-dual.

5.2 Linear secret sharing scheme realizing ocy

Proposition 12 Suppose M is an n × (m − 1) matrix over F2 given by
\[ M = \begin{pmatrix} 1 + h_1 \\ 1 + h_2 \\ \vdots \\ 1 + h_{m-1} \end{pmatrix}^{T}, \]
where 1 is the all-one vector, hi is the incidence vector of vertex vi, 1 ≤ i ≤ m − 1, and + is the usual binary vector addition. Then M(F2, M, ε = (1, ..., 1)) is an ideal MSP computing the access structure ocy.

Proof Let A ⊆ P and for simplicity, we denote by Km[A] the subgraph induced by the edges corresponding to A. We shall prove that A ∈ ocy if and only if ε ∈ span(M_A). Note that ε ∈ span(M_A) if and only if there exists a recombination vector w such that ε = w M_A. Equivalently, there exists an n-dimensional vector w
Author's personal copy Cryptogr. Commun. (2014) 6:137–155
149
such that wM = ε and with w A = w , w A = 0. This means that w(1 + hi )T = 1 for i = 1, . . . , m − 1. Now w(1 + hi )T = 1 if and only if: (1) w · 1T = 1 and w · hi T = 0, or (2) w · 1T = 0 and w · hi T = 1. The first case means that Km [A] contains an odd cycle while the second case means that Km [A] contains a set in Y. Consider again the extended cycle code C ∗ (Km ). Let F ⊆ E be an element in the set Y and let f be the characteristic vector of the subgraph induced by F. We will augment C ∗ (Km ) by adjoining the vector (1, f ). We denote the resulting space by D(Km ). The technique of augmenting graphical codes have been considered before in [13, 14] to increase the number of codewords and to improve the decoding of graphical codes. The following proposition implies that the secret sharing scheme based on the dual of D(Km ) realizes the access structure ocy . Proposition 13 A parity check matrix of D(Km ) is given by ⎛
⎞ 1 1 + h1 ⎜ 1 1 + h2 ⎟ ⎜ ⎟ P=⎜. ⎟, .. ⎝ .. ⎠ . 1 1 + hm−1 where hi is the incidence vector of vertex vi , 1 ≤ i ≤ m − 1, and + is the usual binary vector addition. Proof First, note that it is not difficult to show that P(1, f )T = 0T . Let G be a generator matrix of C ∗ (Km ). We know that Hm GT = 0 where Hm is the reduced incidence matrix and 0 is the zero matrix. Then a generator matrix of C ∗ (Km ) is given = (bT G) where the entries in the first column bT are the parity check bits by G T = 0. Therefore, P is a parity check of the rows of G. We can then verify that PG matrix of D(Km ). 5.3 Multiplicativity Let M(F2 , M, ε) be the ideal MSP constructed in Proposition 12. Since the graph is complete then the number of rows of M is n = m(m − 1)/2. Thus, M∗ is an n × n matrix. Using Lemma 1, to prove that M is multiplicative, we need to show that zM∗ = ε∗ is solvable. In particular, we are going to look at the rank of the matrix M∗ . Proposition 14 Let M(F2 , M, ε) be the ideal MSP that computes the access structure ocy . Then the system of linear equations zM∗ = ε∗ is solvable if and only if m ≡ 0, 1 mod 4.
Proof The matrix $M^*$ is column equivalent to the matrix $J + (H_m^T)^*$, where $J$ is the $n \times n$ all-one matrix and $H_m$ is the reduced incidence matrix. Let $V = \{v_1, \ldots, v_m\}$. Without loss of generality, we label the edges as follows.

$$
\begin{aligned}
e_i &= v_i v_m, && 1 \le i \le m - 1 \\
e_{(m-1)+i-1} &= v_1 v_i, && 2 \le i \le m - 1 \\
e_{(m-1)+(m-2)+i-2} &= v_2 v_i, && 3 \le i \le m - 1 \\
&\;\;\vdots \\
e_{(m-1)+(m-2)+\cdots+(m-k)+i-k} &= v_k v_i, && k + 1 \le i \le m - 1 \\
&\;\;\vdots \\
e_{(m-1)+\cdots+2+1} &= v_{m-2} v_{m-1}.
\end{aligned}
$$

Then $[(H_m^T)^*]^T$ can be expressed in the form

$$
\begin{pmatrix} I_{m-1} & P \\ 0 & I_{n-m+1} \end{pmatrix}
$$

where $I$ is the identity matrix, $0$ is the zero matrix and $P$ is an $(m - 1) \times (n - m + 1)$ matrix, in which each row has $m - 2$ nonzero entries and each column has 2 nonzero entries. Let $D$ be the row transformation matrix such that $D[(H_m^T)^*]^T = I_n$, then $(M^*)^T$ is row equivalent to $DJ + I_n$. Note that the system of linear equations $zM^* = \varepsilon^*$ is equivalent to the system of linear equations $D(M^*)^T z^T = D(\varepsilon^*)^T$ where $D$ is a nonsingular matrix. We consider two cases.

(1) When $m$ is even, i.e., $m - 2$ is even, then $D(\varepsilon^*)^T = (\varepsilon^*)^T$, $DJ = J$, and

$$
DJ + I_n = \begin{pmatrix}
0 & 1 & 1 & \cdots & 1 \\
1 & 0 & 1 & \cdots & 1 \\
1 & 1 & 0 & \cdots & 1 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & 1 & 1 & \cdots & 0
\end{pmatrix}.
$$

Since

$$
r(DJ + I_n) = \begin{cases} n & \text{when } n \text{ is even} \\ n - 1 & \text{when } n \text{ is odd} \end{cases}
$$

and $r(DJ + I_n, (\varepsilon^*)^T) = n$, then the system of linear equations $zM^* = \varepsilon^*$ is solvable if and only if $n$ is even. Now, $n$ is even if and only if $m \equiv 0 \bmod 4$.

(2) When $m$ is odd, i.e., $m - 2$ is odd,

$$
DJ = \begin{pmatrix}
0 & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 0 \\
1 & 1 & \cdots & 1 \\
\vdots & \vdots & \ddots & \vdots \\
1 & 1 & \cdots & 1
\end{pmatrix},
$$
where there are $m - 1$ all-zero rows and there are $n - m + 1$ all-one rows. Similarly, $D(\varepsilon^*)^T = (0\ 0\ \ldots\ 0\ 1\ 1\ \ldots\ 1)^T$ where the vector at the right hand of the equation contains $m - 1$ zeros. Thus the system of linear equations $zM^* = \varepsilon^*$ is equivalent to the system of linear equations

$$
\begin{pmatrix} I_{m-1} & 0 \\ J_{(n-m+1) \times (m-1)} & E \end{pmatrix} z^T = D(\varepsilon^*)^T,
$$

where

$$
E = \begin{pmatrix}
0 & 1 & 1 & \cdots & 1 \\
1 & 0 & 1 & \cdots & 1 \\
1 & 1 & 0 & \cdots & 1 \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
1 & 1 & 1 & \cdots & 0
\end{pmatrix}
$$

is an $(n - m + 1) \times (n - m + 1)$ square matrix.
Using a similar argument as in the previous case, we can see that when $m$ is odd, the system of linear equations $zM^* = \varepsilon^*$ is solvable if and only if $n$ is even. This means that $m \equiv 1 \bmod 4$.

Corollary 4 Let $\mathcal{M}(\mathbb{F}_2, M, \varepsilon)$ be the ideal MSP that computes the access structure ocy. Then $\mathcal{M}$ is multiplicative if and only if $m \equiv 0, 1 \bmod 4$.
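As an added illustration that is not part of the paper, the Python code below builds the matrix M of Proposition 12 for K_m, recovers the minimal access structure of Example 3 by a span test over F_2, and checks Proposition 11(ii) and Corollary 4 numerically for small m. It assumes the edge labelling from the proof of Proposition 14 and takes multiplicativity to mean that ε ⊗ ε lies in the span of the rows M_i ⊗ M_i (an assumption about the form of Lemma 1, which is stated earlier in the paper); all function names are chosen here.

```python
from itertools import combinations

def edges(m):
    # Edge labelling from the proof of Proposition 14 (vertices 1..m):
    # e_i = v_i v_m for i < m, then v_1 v_i, v_2 v_i, ... among v_1..v_{m-1}.
    return ([(i, m) for i in range(1, m)]
            + [(a, b) for a in range(1, m) for b in range(a + 1, m)])

def msp_rows(m):
    # Row of M for edge e as a bitmask: bit i-1 is 1 + h_i(e) over F_2,
    # i.e. set exactly when v_i (i <= m-1) is not an endpoint of e.
    return [sum(1 << (i - 1) for i in range(1, m) if i not in e)
            for e in edges(m)]

def _reduce(v, basis):
    # Eliminate leading bits of v against an echelon basis {leading bit: vector}.
    while v and (v.bit_length() - 1) in basis:
        v ^= basis[v.bit_length() - 1]
    return v

def in_span(rows, target):
    # Gaussian elimination over F_2: is target a sum of some of the rows?
    basis = {}
    for r in rows:
        r = _reduce(r, basis)
        if r:
            basis[r.bit_length() - 1] = r
    return _reduce(target, basis) == 0

def qualified(m, A):
    # A holds 0-based edge indices; qualified iff eps = (1,...,1) is in span(M_A).
    rows = msp_rows(m)
    return in_span([rows[i] for i in A], (1 << (m - 1)) - 1)

def minimal_qualified(m):
    # Enumerate subsets by increasing size, skipping supersets of earlier hits.
    n, found = len(edges(m)), []
    for size in range(1, n + 1):
        for A in map(set, combinations(range(n), size)):
            if not any(B <= A for B in found) and qualified(m, A):
                found.append(A)
    return sorted(sorted(i + 1 for i in A) for A in found)  # players P_1..P_n

def is_q2(m):
    # Q2: no two unqualified sets cover all players, i.e. for every A either
    # A or its complement is qualified.
    n = len(edges(m))
    everyone = set(range(n))
    return all(qualified(m, set(A)) or qualified(m, everyone - set(A))
               for k in range(n + 1) for A in combinations(range(n), k))

def is_multiplicative(m):
    # Assumed criterion: eps (x) eps lies in the span of the rows M_i (x) M_i.
    d = m - 1
    def tensor(r):  # flattened outer product r (x) r, bit j*d+k = r_j * r_k
        return sum(1 << (j * d + k) for j in range(d) for k in range(d)
                   if (r >> j) & 1 and (r >> k) & 1)
    return in_span([tensor(r) for r in msp_rows(m)], tensor((1 << d) - 1))

if __name__ == "__main__":
    print(minimal_qualified(4))
    print({m: (is_q2(m), is_multiplicative(m)) for m in range(3, 7)})
```

For m = 6 the access structure is Q_2 yet the tensor test fails, which shows that Q_2 alone does not make this ideal scheme multiplicative.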
6 Conclusion

This paper dealt with linear secret sharing schemes based on the following codes from complete graphs: cut-set code, cycle code, dual of extended cycle code and dual of augmented extended cycle code. We described the access structures and determined whether the access structures admit ideal multiplicative linear secret sharing schemes. We showed that the access structure based on odd cycles, which corresponds to the scheme based on the dual of extended cycle code, does not admit any ideal multiplicative LSSS. We also showed that the ideal LSSS based on the dual of an augmented extended cycle code is multiplicative in some cases.

Acknowledgements The work of Y. Gao is supported in part by the National Natural Science Foundation of China by Grant 11101019 and the Fundamental Research Funds for the Central Universities in China (No. YWF-10-02-072). Part of the work was done while she was visiting Nanyang Technological University. The work of R. dela Cruz is supported in part by the NTU PhD Research Scholarship and the Merlion PhD Grant of the French Embassy in Singapore. He would like to thank Telecom-ParisTech for its hospitality. The authors would like to thank Carles Padró and Huaxiong Wang for some helpful discussions, and the anonymous reviewers for their valuable comments and suggestions.
Appendix A: Some definitions and basic results on SSS

We present in this appendix the relation between secret sharing schemes, monotone span programs, matroids and linear codes.

A.1 Linear secret sharing schemes and monotone span programs

We describe the relation between LSSS and monotone span programs (MSP).

Definition 7 [15] A Monotone Span Program (MSP) $\mathcal{M}$ is a quadruple $(\mathbb{F}_q, M, \varepsilon, \psi)$, where $M$ is a matrix over $\mathbb{F}_q$ with $l$ rows and $e \le l$ columns, $\psi : \{1, \ldots, l\} \to \{1, \ldots, e\}$ is a surjective (labelling) function and $\varepsilon = (1, 0, \ldots, 0) \in \mathbb{F}_q^e$ is called a target vector. The size of $\mathcal{M}$ is defined as $\mathrm{size}(\mathcal{M}) = l$.

We can think of $\psi$ as a function assigning one or more rows to a player in $P$. Given the matrix $M$ of an MSP and a subset $A$ of players, we denote by $M_A$ the matrix $M$ restricted to those rows $i$ such that $\psi(i) \in A$. Similarly, if $w$ is an $e$-vector then we use the notation $w_A$ for the restriction of $w$ to the coordinates $i$ such that $\psi(i) \in A$. In general, any nonzero vector can serve as a target vector for an MSP.

LSSS and MSP are equivalent [3, 15]. From an MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$, we can obtain a linear secret sharing scheme. To share a secret $s \in \mathbb{F}$, the dealer first chooses at random a vector $\rho \in \mathbb{F}_q^{e-1}$ then computes $M(s, \rho)^T$. The $i$th coordinate of $M(s, \rho)^T$ is given to player $P_{\psi(i)}$. A group of players can reconstruct the secret if and only if the target vector $\varepsilon$ is in the linear span of the rows assigned to the members of the group. An MSP is said to compute an access structure when $\varepsilon \in \mathrm{span}(M_A)$ if and only if $A$ is a member of . We say that $A$ is accepted by $\mathcal{M}$ if and only if A ∈ , otherwise we say that $A$ is rejected by $\mathcal{M}$. Hence, when a set $A$ is accepted by $\mathcal{M}$, there exists a so-called recombination vector $\lambda$ such that $\lambda M_A = \varepsilon$. Using the recombination vector $\lambda$, the following relation holds:

$$
\langle \lambda, (s, \rho) M_A^T \rangle = \langle \lambda M_A, (s, \rho) \rangle = \langle \varepsilon, (s, \rho) \rangle = s
$$

for any secret $s$ and vector $\rho$.
A.2 Secret sharing schemes and matroids

We discuss here the connection between access structures and matroids. The material here on matroid theory is taken from [20]. There are many different but equivalent definitions for the concept of a matroid. Here we use the definition in terms of rank functions.

Let $Q = \{0, 1, \cdots, n\}$ be a finite set and let $2^Q$ denote the power set of $Q$. A matroid $F$ is a pair $(Q, r)$ where $r : \mathcal{P}(Q) \to \mathbb{Z}$ is a rank function satisfying the following three properties:
1. $0 \le r(X) \le |X|$ for every $X \subseteq Q$;
2. $r$ is monotone increasing: if $X \subseteq Y \subseteq Q$, then $r(X) \le r(Y)$, and
3. $r$ is submodular: $r(X \cup Y) + r(X \cap Y) \le r(X) + r(Y)$ for every pair of subsets $X, Y$ of $Q$.

The subsets $X \subseteq Q$ with $r(X) = |X|$ are said to be independent. The bases of the matroid are the maximal independent sets. All bases have the same number of elements, which is defined to be the rank of $F$. The dependent sets are those that are
not independent, and a circuit is a minimal dependent set. A matroid $F$ is said to be connected if, for every two points in $Q$ (which is called the ground set), there exists a circuit containing them. The next definition relates access structures and matroids (cf. [4]).

Definition 8 Let be an access structure on $n$ players $\{1, \cdots, n\}$ and let $F = (Q, r)$ be a connected matroid. We say that the matroid $F$ is appropriate for the access structure if $Q = \{0, 1, \cdots, n\}$ and − = $\{C \setminus \{0\} \mid 0 \in C \text{ and } C \text{ is a circuit of } F\}$.

An access structure is said to be connected if every player belongs to at least one minimal qualified set. We can assume that the access structures considered in this paper are connected. For a connected access structure, if there is a matroid appropriate for it, then the matroid is connected. Moreover, if a connected matroid is appropriate for an access structure, then that matroid is unique [4]. For an ideal access structure, we have the following lemma from [6].

Lemma 2 If an access structure is ideal, then it has an appropriate matroid.

A matroid $F = (Q, r)$ is said to be $\mathbb{F}_q$-representable if there exists a matrix $G$ over $\mathbb{F}_q$ with $n + 1$ columns (labelled $0, 1, \ldots, n$) such that for every $X \subseteq Q$, $r(X)$ is defined to be the rank of the submatrix formed by the columns of $G$ corresponding to $X$. A binary matroid is one that is representable over $\mathbb{F}_2$. A rank-$k$ matroid $F$ on an $(n + 1)$-element set is called uniquely $\mathbb{F}_q$-representable if all of the $k \times (n + 1)$ matrices representing $F$ over $\mathbb{F}_q$ are equivalent. We will need the following well-known results on binary matroids (cf. [20]).

Lemma 3 A binary matroid is uniquely $\mathbb{F}_2$-representable.

Lemma 4 If a binary matroid is representable over a field $\mathbb{F}_q$, then it is uniquely $\mathbb{F}_q$-representable.

Suppose we have an ideal access structure which has a representable appropriate matroid. The next two lemmas describe a relation between a matrix representation of the matroid and an MSP computing the access structure.
Lemma 5 Assume is an ideal access structure for $n$ players and $F$ is the $\mathbb{F}_q$-representable matroid appropriate for . Let $G = (g_0\ g_1 \cdots g_n)$ be a representation of $F$ over $\mathbb{F}_q$, where $g_i$ is the $i$th column of $G$. Let $M = (g_1 \cdots g_n)^T$, $\varepsilon = g_0^T$, and $\psi$ the one-to-one map. Then the MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$ computes .

Lemma 6 Assume is an ideal access structure for $n$ players and $F$ is the $\mathbb{F}_q$-representable matroid appropriate for . Let $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$ be an ideal MSP computing . Then the matrix $G = (\varepsilon^T\ M^T)$ is a representation of $F$ over $\mathbb{F}_q$.
A.3 Linear secret sharing schemes and linear codes

Given a vector $c = (c_1, \ldots, c_n)$ in $\mathbb{F}_q^n$, its Hamming weight, $\mathrm{wt}(c)$, is the number of its non-zero coordinates. The support of a vector $c \in \mathbb{F}_q^n$ is given by $\mathrm{supp}(c) = \{i : c_i \ne 0, 1 \le i \le n\}$. An $[n, k, d]$ linear code $C$ over $\mathbb{F}_q$ is a linear subspace of $\mathbb{F}_q^n$ where $k$ is the dimension and $d$ is the minimum Hamming weight. A generator matrix $G$ for a code $C$ is a matrix whose rows form a basis for $C$. For any linear code $C$, we denote by $C^\perp$ its dual under the usual inner product.

Definition 9 [1, 10, 18] For any two vectors $c_1, c_2 \in \mathbb{F}_q^n$, we say that $c_2$ covers $c_1$ if $\mathrm{supp}(c_1) \subseteq \mathrm{supp}(c_2)$. A nonzero codeword of a linear code $C$ is called a minimal codeword if it covers only its scalar multiples but no other nonzero codewords.

Let $C$ be an $[n + 1, k]$ linear code over $\mathbb{F}_q$. Massey [18] presented the following construction of an ideal LSSS over $\mathbb{F}_q$:
1. Let $s \in \mathbb{F}_q$ be a secret and let $G$ be a generator matrix of $C$. Denote the $i$th column of $G$ by $g_i$, $i = 0, \ldots, n$.
2. The dealer $D$ randomly selects a vector $u \in \mathbb{F}_q^k$ such that $u \cdot g_0 = s$.
3. The dealer computes the corresponding codeword $c = (c_0, c_1, \ldots, c_n) = uG$ (note that $c_0 = s$). The share of $P_i$ is $c_i$, for $i = 1, \ldots, n$.

The secret $s$ can be determined by the set of shares $\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}$ if and only if $g_0$ is a linear combination of $\{g_{i_1}, \ldots, g_{i_r}\}$ where $1 \le i_1 < \cdots < i_r \le n$. In [18], it was shown that there is a relationship between the minimal authorized sets of the secret sharing scheme based on $C$ and the minimal codewords of the dual code $C^\perp$.

Lemma 7 [18] Let $C$ be an $[n + 1, k]$ linear code over $\mathbb{F}_q$. In the secret sharing scheme based on $C$, the set $\{P_{i_1}, \ldots, P_{i_r}\} \subseteq P$ such that $i_1 < \cdots < i_r$ is a minimal authorized set if and only if there exists a minimal codeword $w = (w_0, w_1, \ldots, w_n) \in C^\perp$ such that $\mathrm{supp}(w) = \{0, i_1, \ldots, i_r\}$ and $w_0 = 1$.
Given an $[n + 1, k]$ linear code $C$ over $\mathbb{F}_q$, there is a unique matroid $F$ on the set $Q = \{0, 1, \ldots, n\}$ associated with it. Any generator matrix of $C$ is a representation over $\mathbb{F}_q$ of the matroid $F$. If is the access structure realized by the secret sharing scheme based on $C$ then $F$ is the appropriate matroid for . We note that a representable matroid can be associated with different codes.
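Massey's construction and Lemma 7, run on the K_4 scheme of Example 3, as an added Python example that is not part of the paper. It assumes the code C generated by G = (ε^T M^T) as in Lemma 6, with M from Proposition 12; the function names and the privacy check `views` are introduced here.

```python
import random
from itertools import product

# Code C for K_4: G = (eps^T | M^T), with M from Proposition 12 and the edge
# labelling of Example 3 (e1=v1v4, e2=v2v4, e3=v3v4, e4=v1v2, e5=v1v3, e6=v2v3).
EDGES = [(1, 4), (2, 4), (3, 4), (1, 2), (1, 3), (2, 3)]
G = [[1] + [0 if i in e else 1 for e in EDGES] for i in (1, 2, 3)]
N = len(G[0])                     # n + 1 = 7 coordinates; coordinate 0 is the secret

def dot(a, b):
    return sum(x * y for x, y in zip(a, b)) % 2

def codeword(u):
    # c = uG over F_2
    return [dot(u, [row[i] for row in G]) for i in range(N)]

def deal(s, rng=random):
    # Massey steps 2-3: random u with u . g_0 = s. Here g_0 = (1,1,1)^T,
    # so the last entry of u is fixed by the first two.
    u = [rng.randrange(2), rng.randrange(2)]
    u.append((s + sum(u)) % 2)
    return codeword(u)            # c[0] == s, player P_i holds c[i]

def dual_code():
    # Nonzero w in C-perp, found by brute force over F_2^7.
    return [w for w in product((0, 1), repeat=N)
            if any(w) and all(dot(g, w) == 0 for g in G)]

def support(w):
    return {i for i, x in enumerate(w) if x}

def minimal_authorized_sets():
    # Lemma 7: supports of minimal codewords of C-perp with w_0 = 1, minus {0}.
    dual = dual_code()
    return sorted(sorted(support(w) - {0}) for w in dual if w[0] == 1
                  and not any(v != w and support(v) <= support(w) for v in dual))

def reconstruct(shares):
    # shares: {i: c_i}. A dual codeword w with w_0 = 1 supported on {0} and the
    # players present gives w . c = 0, hence s = c_0 = sum of the c_i on supp(w).
    for A in minimal_authorized_sets():
        if set(A) <= set(shares):
            return sum(shares[i] for i in A) % 2
    return None                   # no such w: the set is unauthorized

def views(s, B):
    # Everything the players in B can see, over all dealer choices for secret s.
    return sorted(tuple(codeword(u)[i] for i in sorted(B))
                  for u in product((0, 1), repeat=3) if sum(u) % 2 == s)

if __name__ == "__main__":
    c = deal(1)
    print(minimal_authorized_sets(), reconstruct({1: c[1], 6: c[6]}))
```

For the unauthorized set {P_1, P_2, P_3}, `views(0, ...)` and `views(1, ...)` coincide, so those three shares carry no information about the secret.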
References

1. Ashikhmin, A., Barg, A.: Minimal vectors in linear codes. IEEE Trans. Inform. Theory IT-44, 2010–2017 (1998)
2. Beimel, A.: Secret sharing schemes: a survey. In: Coding and Cryptology, Third International Workshop, IWCC 2011. Lecture Notes in Computer Science, vol. 6639, pp. 11–46. Springer, New York (2011)
3. Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution. Ph.D. dissertation, Technion-Israel Inst. Technol., Haifa, Israel (1996)
4. Beimel, A., Chor, B.: Universally ideal secret-sharing schemes. IEEE Trans. Inform. Theory IT-40, 786–794 (1994)
5. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Montvale, NJ (1979)
6. Brickell, E., Davenport, D.: On the classification of ideal secret sharing schemes. J. Cryptol. 4, 123–134 (1991)
7. Chen, H., Cramer, R.: Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. In: Proceedings of 26th Annual IACR CRYPTO. Lecture Notes in Computer Science, vol. 4117, pp. 521–536. Springer, New York (2006)
8. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing schemes. In: Proceedings of 19th Annual IACR EUROCRYPT. Lecture Notes in Computer Science, vol. 1807, pp. 316–334. Springer, New York (2000)
9. Cramer, R., Daza, V., Gracia, I., Urroz, J., Leander, G., Martí-Farré, J., Padró, C.: On codes, matroids, and secure multi-party computation from linear secret-sharing schemes. IEEE Trans. Inform. Theory IT-54, 2644–2657 (2008)
10. Ding, C., Yuan, J.: Covering and Secret Sharing with Linear Codes. In: Discrete Mathematics and Theoretical Computer Science. Lecture Notes in Computer Science, vol. 2731, pp. 11–25. Springer, New York (2003)
11. Gerards, A., Schrijver, A.: Signed Graph – Regular Matroids – Grafts. Research Memorandum, Faculteit der Economische Wetenschappen, Tilburg University (1986)
12. Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proc. 19th annual ACM Symposium on Theory of Computing, STOC'87, pp. 218–229. New York (1987)
13. Hakimi, S., Bredeson, J.: Graph-theoretic error-correcting codes. IEEE Trans. Inform. Theory IT-14, 584–591 (1968)
14. Jungnickel, D., Vanstone, S.: Graphical codes revisited. IEEE Trans. Inform. Theory IT-43, 136–146 (1997)
15. Karchmer, M., Wigderson, A.: On span programs. In: Proc. 8th IEEE Structure in Complexity Theory, pp. 102–111. IEEE Computer Society Press, Los Alamitos, CA (1993)
16. Kasper, E., Nikova, S., Nikov, V.: Strongly multiplicative hierarchical threshold secret sharing. In: Proc. 2nd Int. Conf. on Information Theoretic Security. Lecture Notes in Computer Science, vol. 4883, pp. 148–168. Springer, New York (2007)
17. Liu, M., Xiao, L., Zhang, Z.: Multiplicative linear secret sharing schemes based on connectivity of graphs. IEEE Trans. Inform. Theory IT-53, 3973–3978 (2007)
18. Massey, J.L.: Minimal codewords and secret sharing. In: Proc. 6th Joint Swedish-Russian Workshop Inf. Theory, pp. 276–279. Mölle, Sweden (1993)
19. Nikova, S., Nikov, V.: On multiplicative secret sharing schemes realizing graph access structures. In: International Workshop on Optimal Codes and Related Topics, pp. 194–199. Balchik, Bulgaria (2007)
20. Oxley, J.: Matroid Theory. Oxford Science Publications, Oxford University Press, New York (1992)
21. Padró, C., Gracia, I.: Representing small identically self-dual matroids by self-dual codes. SIAM J. Discrete Math. 20, 1046–1055 (2006)
22. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)
23. Stinson, D.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2, 357–390 (1992)
24. Stinson, D.: Cryptography Theory and Practice, 3rd edn. CRC Press, Boca Raton, FL (2005)
25. West, D.: Introduction to Graph Theory, 2nd edn. Prentice Hall, New York (2001)
26. Yao, A.: Protocols for secure computation. In: Proc. 23rd IEEE Symp. Foundation of Computer Science, FOCS '82, IL, pp. 160–164. Chicago (1982)