A new multi-use multi-secret sharing scheme based on the duals of minimal linear codes


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2015; 8
Published online 19 March 2014 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.972

RESEARCH ARTICLE

Yun Song 1, Zhihui Li 1*, Yongming Li 1 and Jing Li 2
1 College of Mathematics and Information Science, Shaanxi Normal University, Xi'an, 710062, China
2 State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing, 100876, China

ABSTRACT

There are several methods to construct multi-secret sharing schemes, one of which is based on coding theory. Generally, however, it is very hard to determine the minimal access structures of the schemes based on linear codes. In this paper, we first propose the concept of minimal linear codes so as to make it easier to determine the access structures of the schemes based on the duals of minimal linear codes. It is proved that the shortening codes of minimal linear codes are also minimal. Then we present an algorithm to determine whether a class of linear codes is minimal. On the basis of these results, we further devise a new multi-use multi-secret sharing scheme based on the dual code of a minimal linear code, in which each participant has to carry only one share. Furthermore, we study the minimal access structures of the multi-secret sharing scheme and present specific examples obtained through programming. Copyright 2014 John Wiley & Sons, Ltd.

KEYWORDS

multi-secret sharing; minimal linear codes; minimal access structures; j-minimal codewords; irreducible cyclic codes

*Correspondence

Zhihui Li, College of Mathematics and Information Science, Shaanxi Normal University, Xi'an, 710062, China.
E-mail: lizhihui@snnu.edu.cn

1. INTRODUCTION

1.1. Single-secret sharing schemes

In 1979, Shamir [1] and Blakley [2] independently introduced secret sharing schemes with the original motivation of safeguarding cryptographic keys from loss. Because of their important
roles in protecting secret information, single-secret sharing schemes (SSSS) have been studied by several authors [3-6]. A secret sharing scheme allows one to split a secret $s$ into different pieces, called shares, which are distributed to the set of participants $P$ such that only certain authorized subsets of participants are able to reconstruct the secret by using their respective shares. The collection of these authorized sets of participants is called the access structure $\Gamma$. A group of participants is called a minimal authorized subset if they can recover the secret with their shares and none of its proper subgroups can do so. The access structure is then determined by the family of minimal authorized subsets $(\Gamma)_{\min}$.

1.2. Multi-secret sharing schemes

However, the schemes [1-6] dealt with a single secret, and once the secret was updated to a new one, the system had to reissue a new share to each participant. To eliminate this weakness, several schemes have been proposed for multiple secret sharing [7-14]. Multi-secret sharing can be seen as a natural generalization of single-secret sharing. In 1994, Blundo et al. [15] studied the more general case in which the set of participants share more than one secret and different secrets are associated with different access structures. Let $\Gamma = (\Gamma_1, \ldots, \Gamma_n)$ be an $n$-tuple of access structures on $P$, and let $S_1 \times S_2 \times \cdots \times S_n$ be the set from which the secrets are chosen, where for any $1 \le j \le n$ the secret $s_j$ to be shared is chosen in $S_j$. In the definition of a multi-secret sharing scheme (MSSS), an $n$-tuple of secrets $(s_1, \ldots, s_n) \in S_1 \times \cdots \times S_n$ is shared in an $n$-tuple $\Gamma = (\Gamma_1, \ldots, \Gamma_n)$ of access structures on $P$ in such a way that, for each $1 \le j \le n$, every subset of $P$ in the access structure $\Gamma_j$ can recover the secret $s_j$. In a multi-use MSSS, each participant only needs to keep one share, and many secrets can be shared independently without refreshing the share. In order to recover a secret, every involved participant only needs to
submit a pseudo-secret share computed from the real share instead of the real share itself. Several $(t, n)$ multi-use MSSS based on Shamir's secret sharing have been presented [8-12]. In 2000, Chien et al. [16] proposed a new type of $(t, n)$ multi-use MSSS based on systematic block codes. However, little work has been carried out on the construction of multi-use MSSS based on coding theory. In 1993, Massey utilized linear codes to construct SSSS and pointed out the relationship between the access structure and the minimal codewords of the dual code of the underlying code [17,18]. Since then, many SSSS based on coding theory have been studied by several authors [19-22]. Unfortunately, determining the minimal codewords is extremely hard for general linear codes, which means that it is hard to obtain the minimal access structure of an SSSS based on a general linear code [19,20]. Because of this, there are few studies on MSSS based on linear codes. This paper puts forward the concept of the minimal linear code, whose minimal codewords are easier to obtain than those of other codes. Thus, finding and constructing minimal linear codes becomes the key point of this problem.

1.3. Our results

In this paper, we present the construction of minimal linear codes and study an algorithm to determine the minimality of a class of linear codes. Then we propose a new multi-use MSSS based on the dual code of a minimal linear code, in which each secret can be reconstructed independently and different secrets corresponding to different access structures may be shared. We establish a one-to-one correspondence between the family of minimal access structures and the sets of $j$-minimal codewords in the minimal linear code for $1 \le j \le n$, which not only leads to a higher utilization rate of codewords than Massey's scheme but also makes it easier to determine the minimal access structures, because the $j$-minimal codewords ($1 \le j \le n$) can be found exactly in the minimal linear code. Furthermore, we discuss the minimal access structures of the MSSS based on the duals of a class of minimal linear codes. Finally, the algorithm applied to obtain the minimal access structures is presented.

2. MINIMAL LINEAR CODES AND THEIR CONSTRUCTION

Throughout this paper, let $q = p^s$, where $p$ is a prime and $s$ a positive integer. A linear $[n, k, d; q]$ code is a $k$-dimensional subspace of $\mathbb{F}_q^n$ with minimum (Hamming) distance $d$. Let $G = (g_1, g_2, \ldots, g_n)$ be a generator matrix of an $[n, k, d; q]$ code, that is, the row vectors of $G$ generate the linear subspace.

Definition 2.1 ([20]). The support of a vector $c \in \mathbb{F}_q^n$ is defined to be $\{0 \le i \le n-1 : c_i \ne 0\}$. A codeword $c_2$ covers a codeword $c_1$ if the support of $c_2$ contains that of $c_1$.

Definition 2.2. Let $1 \le j \le n$. A codeword $c$ is called a $j$-minimal codeword if its $j$-th coordinate is 1 and it covers no other codeword whose $j$-th coordinate is 1.

Definition 2.3 ([19]). If a nonzero codeword $c$ covers only its multiples, but no other nonzero codewords, then it is called a minimal vector.

From the preceding definitions, it is clear that a $j$-minimal codeword must be a minimal vector, but a minimal vector need not be a $j$-minimal codeword.

Definition 2.4. A linear code is called minimal if every column vector of any generator matrix is nonzero and each nonzero codeword of the code is a minimal vector.

Theorem 2.5. Let $C$ be an $[n, k; q]$ linear code. If $C$ is minimal, then there are altogether $q^{k-1}$ $j$-minimal codewords for every $1 \le j \le n$.

Proof. By Definition 2.4, every column vector of any generator matrix is nonzero; hence $g_j \ne 0$. Thus the inner product $u g_j$ takes on each element of $\mathbb{F}_q$ exactly $q^{k-1}$ times when $u$ ranges over all elements of $\mathbb{F}_q^k$. Therefore, there are altogether $q^k - q^{k-1}$ codewords in $C$ whose $j$-th coordinate is nonzero. Because each nonzero codeword is a minimal vector, a codeword covers another one if and only if they are multiples of each other. So the total number of $j$-minimal codewords is $(q^k - q^{k-1})/(q-1) = q^{k-1}$ for every $1 \le j \le n$.

Next, we show how to construct new minimal linear codes by shortening the codewords of a given minimal linear code. Let $C$ be an $[n, k; q]$ linear code with generator matrix
$$G = \begin{pmatrix} g_{11} & g_{12} & \cdots & g_{1,n-1} & g_{1,n} \\ g_{21} & g_{22} & \cdots & g_{2,n-1} & g_{2,n} \\ \vdots & \vdots & & \vdots & \vdots \\ g_{k1} & g_{k2} & \cdots & g_{k,n-1} & g_{k,n} \end{pmatrix}.$$

Lemma 2.6. Let $C$ be an $[n, k; q]$ code such that any two columns of its generator matrix $G$ are linearly independent. Let $C(n) = \{c = (c_1, c_2, \ldots, c_{n-1}, 0) : c \in C\}$. Then (a) $C(n)$ is an $[n, k-1; q]$ code; (b) the first $n-1$ columns of the generator matrix $G(n)$ of $C(n)$ are nonzero.

Proof. (a) Note that every column vector of $G$ is nonzero. We may assume $g_{1,n} \ne 0$. Multiply the first row of $G$ by $-g_{1,n}^{-1} g_{l,n}$ and add the result to the $l$-th row, for all $2 \le l \le k$. We obtain
$$G_1 = \begin{pmatrix} g_{11} & g_{12} & \cdots & g_{1,n-1} & g_{1,n} \\ g'_{21} & g'_{22} & \cdots & g'_{2,n-1} & 0 \\ \vdots & \vdots & & \vdots & \vdots \\ g'_{k1} & g'_{k2} & \cdots & g'_{k,n-1} & 0 \end{pmatrix}, \qquad g'_{l,i} = g_{l,i} - g_{1,n}^{-1} g_{l,n} g_{1,i}.$$

Then
$$G(n) = \begin{pmatrix} g'_{21} & g'_{22} & \cdots & g'_{2,n-1} & 0 \\ \vdots & \vdots & & \vdots & \vdots \\ g'_{k1} & g'_{k2} & \cdots & g'_{k,n-1} & 0 \end{pmatrix},$$
where $g'_{l,i} = g_{l,i} - g_{1,n}^{-1} g_{l,n} g_{1,i}$ for $2 \le l \le k$. It is clear that $G(n)$ is a generator matrix of an $[n, k-1; q]$ linear code contained in $C(n)$, so $\dim(C(n)) \ge k-1$. On the other hand, $(g_{11}, g_{12}, \ldots, g_{1,n}) \notin C(n)$, so $\dim(C(n)) \le k-1$. The conclusion then follows.

(b) Suppose the $i$-th column of $G(n)$ is zero for some $1 \le i \le n-1$. Then
$$\begin{pmatrix} g'_{2,i} \\ \vdots \\ g'_{k,i} \end{pmatrix} = \begin{pmatrix} g_{2,i} - g_{1,n}^{-1} g_{2,n} g_{1,i} \\ \vdots \\ g_{k,i} - g_{1,n}^{-1} g_{k,n} g_{1,i} \end{pmatrix} = \begin{pmatrix} 0 \\ \vdots \\ 0 \end{pmatrix}$$
if and only if
$$\begin{pmatrix} g_{2,i} \\ \vdots \\ g_{k,i} \end{pmatrix} = g_{1,n}^{-1} g_{1,i} \begin{pmatrix} g_{2,n} \\ \vdots \\ g_{k,n} \end{pmatrix}$$
if and only if
$$\begin{pmatrix} g_{1,i} \\ g_{2,i} \\ \vdots \\ g_{k,i} \end{pmatrix} = g_{1,n}^{-1} g_{1,i} \begin{pmatrix} g_{1,n} \\ g_{2,n} \\ \vdots \\ g_{k,n} \end{pmatrix}.$$
Hence the $i$-th and $n$-th columns of $G$ are multiples of each other, which is a contradiction.

Lemma 2.7. Let $C(n)[n-1] = \{c = (c_1, c_2, \ldots, c_{n-1}) : (c_1, c_2, \ldots, c_{n-1}, 0) \in C(n)\}$. If $C$ is an $[n, k; q]$ code, then (a) $G(n)[n-1]$ is a generator matrix of $C(n)[n-1]$, where
$$G(n)[n-1] = \begin{pmatrix} g'_{2,1} & g'_{2,2} & \cdots & g'_{2,n-1} \\ \vdots & \vdots & & \vdots \\ g'_{k,1} & g'_{k,2} & \cdots & g'_{k,n-1} \end{pmatrix}$$
is the matrix formed by the first $n-1$ columns of $G(n)$; and (b) $C(n)[n-1]$ is an $[n-1, k-1; q]$ code.

Proof. According to the proof of Lemma 2.6, $G(n)[n-1]$ is a generator matrix of $C(n)[n-1]$. Hence $C(n)[n-1]$ is an $[n-1, k-1; q]$ code.

Theorem 2.8. If $C$ is an $[n, k; q]$ minimal linear code, then $C(n)[n-1]$ is an $[n-1, k-1; q]$ minimal linear code.

Proof. By Lemma 2.7, $C(n)[n-1]$ is an $[n-1, k-1; q]$ code. Suppose $C(n)[n-1]$ is not a minimal linear code; then there exists a nonzero codeword $c = (c_1, c_2, \ldots, c_{n-1}) \in C(n)[n-1]$ that is not minimal. Namely, there exists a nonzero $c' = (c'_1, c'_2, \ldots, c'_{n-1}) \in C(n)[n-1]$ such that $c$ covers $c'$ and they are not multiples of each other. Consequently, because $(c_1, c_2, \ldots, c_{n-1}, 0)$ covers $(c'_1, c'_2, \ldots, c'_{n-1}, 0)$ in the linear code $C$, it is not a minimal vector, and $C$ is not minimal. This is contrary to the assumption that $C$ is a minimal linear code.

We introduce the following notation:
$$C(n, n-1, \ldots, n-i) = \{c = (c_1, c_2, \ldots, c_{n-i-1}, 0, \ldots, 0) : c \in C\} \quad (0 \le i \le n-k-2).$$
Then
$$C(n, n-1, \ldots, n-i)[n-i-1] = \{c = (c_1, \ldots, c_{n-i-1}) : (c_1, \ldots, c_{n-i-1}, 0, \ldots, 0) \in C\}.$$
It is easy to show that $C(n, n-1, \ldots, n-i)$ and $C(n, n-1, \ldots, n-i)[n-i-1]$ are $[n, k-i-1; q]$ and $[n-i-1, k-i-1; q]$ linear codes, respectively. Then we have
$$C(n, n-1, \ldots, k+2) \subseteq \cdots \subseteq C(n, n-1, \ldots, n-i) \subseteq \cdots \subseteq C(n) \subseteq C,$$
where $C(n) \subseteq C$ denotes that $C(n)$ is a subcode of $C$.

Theorem 2.9. If $C$ is an $[n, k; q]$ minimal linear code whose dual code $C^\perp$ has minimum (Hamming) distance $> 2$, and $0 \le i \le n-k-2$, then (a) no column vector of the generator matrix of $C(n, n-1, \ldots, n-i)[n-i-1]$ is the zero vector; and (b) $C(n, n-1, \ldots, n-i)[n-i-1]$ is an $[n-i-1, k-i-1; q]$ minimal linear code.

Proof. (a) We first consider the relationship between $C(n, n-1, \ldots, n-i)[n-i-1]^\perp$ and $C(n, n-1, \ldots, n-i-1)[n-i-2]^\perp$. Let $(x_1, x_2, \ldots, x_{n-i-2}) \in C(n, n-1, \ldots, n-i-1)[n-i-2]^\perp$; then $x_1 c_1 + x_2 c_2 + \cdots + x_{n-i-2} c_{n-i-2} = 0$ for any $(c_1, c_2, \ldots, c_{n-i-2}) \in C(n, n-1, \ldots, n-i-1)[n-i-2]$. Hence $x_1 c_1 + x_2 c_2 + \cdots + x_{n-i-2} c_{n-i-2} + 0 \cdot c_{n-i-1} = 0$ for any $(c_1, c_2, \ldots, c_{n-i-2}, c_{n-i-1}) \in C(n, n-1, \ldots, n-i)[n-i-1]$, that is, $(x_1, x_2, \ldots, x_{n-i-2}, 0) \in C(n, n-1, \ldots, n-i)[n-i-1]^\perp$ ($0 \le i \le n-k-2$). Note that the minimum (Hamming) distance of $C^\perp$ is $> 2$. By the above, the minimum (Hamming) distance of $C(n, n-1, \ldots, n-i)[n-i-1]^\perp$ is also $> 2$. Hence any two columns of the generator matrix of $C(n, n-1, \ldots, n-i)[n-i-1]$ are linearly independent.

(b) If $C$ is an $[n, k; q]$ minimal linear code, then $C(n, n-1, \ldots, n-i)[n-i-1]$ is an $[n-i-1, k-i-1; q]$ linear code whose codewords are all minimal vectors. The conclusion then follows.

By Theorems 2.8 and 2.9, a new class of minimal linear codes can be constructed by shortening all codewords of

the original minimal linear codes, which will be illustrated and used in the last two sections.

3. AN ALGORITHM TO DETERMINE A CLASS OF MINIMAL LINEAR CODES

First, by means of the concept of the minimal linear code, we restate Proposition 3 in [20] as the following theorem.

Theorem 3.1. In an $[n, k; q]$ code $C$, let $W_{\min}$ and $W_{\max}$ be the minimum and maximum nonzero weights, respectively. If $W_{\min}/W_{\max} > (q-1)/q$ and every column vector of the generator matrix of $C$ is nonzero, then $C$ is a minimal linear code.

It is obvious that any one-weight linear code is minimal by Theorem 3.1. Next, we present an algorithm to determine whether a class of linear codes is minimal. Recall that $q = p^s$, where $p$ is a prime and $s$ a positive integer. Let $r = q^m$, where $m$ is a positive integer.

Definition 3.2 ([20]). Let $N > 1$ be an integer dividing $r-1$, and put $n = (r-1)/N$. Let $\alpha$ be a primitive element of $\mathbb{F}_{q^m}$ and $\theta = \alpha^N$. The set
$$C(q, m, N) = \{(\mathrm{Tr}_{r/q}(\beta), \mathrm{Tr}_{r/q}(\beta\theta), \ldots, \mathrm{Tr}_{r/q}(\beta\theta^{n-1})) : \beta \in \mathbb{F}_r\} \qquad (1)$$
is called an irreducible cyclic code over $\mathbb{F}_q$, where $\mathrm{Tr}$ is the trace function from $\mathbb{F}_r$ onto $\mathbb{F}_q$.

We study an algorithm that determines, by Theorem 3.1, whether a given irreducible cyclic code $C(q, m, N)$ is minimal for different $N$.

Remark 1. We implemented Algorithm 1 in Mathematica 7 on a laptop with a 3.2 GHz processor and 2 GB of memory. The time complexity of Algorithm 1 is $O(n^2)$, where $n$ denotes the length of each minimal codeword in $C(q, m, N)$.

Example 3.3. The set $C(2, 6, 3)$ is a $[21, 6; 2]$ linear code over $\mathbb{F}_2$. After running Algorithm 1, the results are as follows: $W_{\min} = 7$, $W_{\max} = 11$. This linear code is minimal.

It turns out that Algorithm 1 is feasible and effective in determining the minimality of irreducible cyclic codes.

4. MULTI-SECRET SHARING SCHEMES FROM MINIMAL LINEAR CODES

In this section, we devise a multi-use MSSS based on the dual code of a minimal linear code, in which each participant also acts as a dealer. We first
define an $n$-tuple $\Gamma = (\Gamma_1, \ldots, \Gamma_n)$ of access structures for a set of participants $P = \{P_1, P_2, \ldots, P_n\}$.

4.1. Definition of the minimal access structures

Let $C$ be an $[n, k; q]$ linear code and let $C^\perp$ be minimal. Seeing that the minimal authorized subsets in different minimal access structures $(\Gamma_j)_{\min}$ carry different target secrets, there are in all $n$ secrets $s_1, \ldots, s_n$ such that for any $1 \le j \le n$ the secret $s_j$ distributed by $P_j$ is associated with an access structure $(\Gamma_j)_{\min}$ on $P$. We define such an $n$-tuple $\Gamma = (\Gamma_1, \ldots, \Gamma_n)$ as follows:
$$(\Gamma_j)_{\min} = \{A \subseteq P : P_i \in A \Leftrightarrow \text{the } i\text{-th coordinate of a } j\text{-minimal codeword in } C^\perp \text{ is nonzero, for all } 1 \le i \le n,\ i \ne j\}, \qquad 1 \le j \le n.$$

Note that the proposed scheme presents a one-to-one correspondence between the family of minimal access structures and the sets of $j$-minimal codewords ($1 \le j \le n$). By Definitions 2.2 and 2.4, a codeword in a minimal linear code is $j$-minimal if and only if its $j$-th component is 1, so the $j$-minimal codewords can be obtained easily. Hence, for a fixed $j$, in order to determine the minimal access structure $(\Gamma_j)_{\min}$ of our MSSS based on $C$, we only need to determine the set of $j$-minimal codewords of the dual code $C^\perp$, which is difficult for general linear codes but easy for minimal linear codes. For any $1 \le j \le n$, we now describe Algorithm 2, which is applied to obtain all the minimal authorized subsets in $(\Gamma_j)_{\min}$ of the MSSS based on the dual of the minimal irreducible cyclic code $C(q, m, N)$ validated by Algorithm 1.
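As an added illustration of Sections 3 and 4.1 (not the authors' Mathematica code, whose listings are not reproduced above), the following Python builds the binary irreducible cyclic code $C(2, 6, 3)$ of Definition 3.2, checks the sufficient condition of Theorem 3.1 as Algorithm 1 does, derives $(\Gamma_3)_{\min}$ from the 3-minimal codewords as in Algorithm 2, and shortens the code as in Theorems 2.8 and 2.9. The primitive polynomial $x^6 + x + 1$ used to represent $\mathbb{F}_{64}$ is an assumption of the example; another primitive element gives the same code with the participants relabelled. Because a minimal authorized subset leaves out $P_j$ itself, its size is one less than the weight of the codeword it comes from, which is how the 7- and 11-member subsets of Example 5.3 arise.

```python
"""Construct C(2, 6, 3), test its minimality (Theorem 3.1) and read off (Gamma_j)_min.

Added example; it does not reproduce the authors' Algorithm 1/2 listings.
Assumption: F_64 is represented modulo the primitive polynomial x^6 + x + 1.
"""

Q, M, N = 2, 6, 3               # field size q, extension degree m, divisor N of r - 1
R = Q ** M                      # r = q^m = 64
LENGTH = (R - 1) // N           # code length n = 21
PRIM_POLY = 0b1000011           # x^6 + x + 1 (assumed modulus for F_64)


def gf_mul(a, b):
    """Multiply two elements of F_64, each stored as a 6-bit integer."""
    res = 0
    while b:
        if b & 1:
            res ^= a
        b >>= 1
        a <<= 1
        if a & (1 << M):        # reduce as soon as the degree reaches 6
            a ^= PRIM_POLY
    return res


def trace(x):
    """Absolute trace Tr_{64/2}(x) = x + x^2 + x^4 + ... + x^32, which lies in {0, 1}."""
    total, power = 0, x
    for _ in range(M):
        total ^= power
        power = gf_mul(power, power)
    return total


def irreducible_cyclic_code():
    """C(q, m, N) of Definition 3.2: {(Tr(b), Tr(b*theta), ..., Tr(b*theta^(n-1))) : b in F_r}."""
    alpha = 0b10                                    # the class of x is primitive for this modulus
    theta = gf_mul(gf_mul(alpha, alpha), alpha)     # theta = alpha^N has order n = 21
    powers = [1]
    for _ in range(LENGTH - 1):
        powers.append(gf_mul(powers[-1], theta))
    return [tuple(trace(gf_mul(b, p)) for p in powers) for b in range(R)]


def weight_range(code):
    """(W_min, W_max) over the nonzero codewords."""
    weights = [sum(c) for c in code if any(c)]
    return min(weights), max(weights)


def is_minimal_by_theorem_3_1(code, q=Q):
    """Sufficient condition of Theorem 3.1: W_min / W_max > (q-1)/q and no coordinate is
    identically zero (i.e. no zero column in a generator matrix)."""
    wmin, wmax = weight_range(code)
    no_zero_column = all(any(c[i] for c in code) for i in range(len(code[0])))
    return wmin / wmax > (q - 1) / q and no_zero_column


def minimal_access_structure(code, j):
    """(Gamma_j)_min of Section 4.1 for a minimal code: every codeword with j-th coordinate 1 is
    j-minimal, and its support minus {j} is one minimal authorized subset (1-based labels)."""
    return {frozenset(i + 1 for i, ci in enumerate(c) if ci and i + 1 != j)
            for c in code if c[j - 1] == 1}


def participation_counts(structure, n):
    """Number of minimal authorized subsets each participant P_1..P_n belongs to (Theorem 5.2)."""
    return {i: sum(1 for subset in structure if i in subset) for i in range(1, n + 1)}


def shorten(code, positions):
    """Shortening of Theorems 2.8/2.9: keep the codewords that vanish on `positions` (1-based)
    and delete those coordinates; positions (21, 20, 19) give C(21, 20, 19)[18]."""
    drop = {p - 1 for p in positions}
    return [tuple(ci for i, ci in enumerate(c) if i not in drop)
            for c in code if all(c[p] == 0 for p in drop)]


if __name__ == "__main__":
    code = irreducible_cyclic_code()
    print("weights", weight_range(code), "minimal:", is_minimal_by_theorem_3_1(code))
    gamma3 = minimal_access_structure(code, 3)
    print(len(gamma3), "minimal authorized subsets for s_3; sizes", sorted({len(a) for a in gamma3}))
    print("participation", participation_counts(gamma3, LENGTH))
    short = shorten(code, (21, 20, 19))
    print(len(short), "codewords in C(21,20,19)[18];",
          len(minimal_access_structure(short, 3)), "subsets for s_3")
```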

Remark 2. We implemented Algorithm 2 in Mathematica 7 on a laptop with a 3.2 GHz processor and 2 GB of memory. The time complexity of Algorithm 2 is $O(n^2)$, where $n$ denotes the length of each minimal codeword in $C(q, m, N)$. A specific application of Algorithm 2 that derives minimal access structures is presented in Section 5.

4.2. Construction of our scheme

4.2.1. Initialization phase

In the secret sharing scheme constructed from an $[n, k; q]$ code $C$ with generator matrix $G = (g_1, g_2, \ldots, g_n)_{k \times n}$, $s_1, \ldots, s_n$ denote the $n$ secrets to be shared among the $n$ participants, where $(s_1, \ldots, s_n) \in S_1 \times \cdots \times S_n$. Let $1 \le j \le n$. Firstly, each participant $P_j$ chooses two large primes $p_{j1}$ and $p_{j2}$, computes $n_j = p_{j1} p_{j2}$, and ensures $\min_j \varphi(n_j) > q$. It is necessary that $n_j$ be large enough that factoring it is computationally infeasible. Then $P_j$ chooses a small integer $e_j$ coprime to $\varphi(n_j)$ and computes the integer $d_j$ such that $e_j d_j \equiv 1 \pmod{\varphi(n_j)}$. $d_j$ is $P_j$'s share, and each participant $P_j$ publishes $\{n_j, e_j\}$.

4.2.2. Distribution phase

Each participant $P_j$ performs the following steps:
(1) Randomly choose a vector $u_j = (u_{j1}, \ldots, u_{jk}) \in \mathbb{F}_q^k$ such that $s_j = u_j g_j$.
(2) Treat $u_j$ as an information vector and compute the corresponding codeword $t_j = (t_{j1}, t_{j2}, \ldots, t_{jn}) = u_j G$.
(3) Send each $(t_{ji})^{e_i} \bmod n_i$ publicly to the other participants $P_i$, for $i = 1, 2, \ldots, n$, $i \ne j$, and note that $t_{jj} = u_j g_j = s_j$ (Table I).

In Table I, the blank in each column is $P_j$'s secret, which is shared among the other participants $P_i$, and the other public information in each column is what $P_j$ gives $P_i$ for secret sharing, where $i = 1, 2, \ldots, n$, $i \ne j$. Note that the real share of each participant $P_j$ is $d_j$.

4.2.3. Reconstruction phase

In Section 4.1, we showed that there is a one-to-one correspondence between the minimal authorized subsets in $(\Gamma_j)_{\min}$ and the set of $j$-minimal codewords of the dual code $C^\perp$,
for each $1 \le j \le n$. Note that the dual code $C^\perp$ is minimal. According to the definition of the minimal access structures, $\{P_{i_1}, \ldots, P_{i_m}\}$ is a minimal authorized subset in $(\Gamma_j)_{\min}$ of the MSSS based on $C$ if there exists a $j$-minimal codeword
$$(0, \ldots, 0, c_{i_1}, 0, \ldots, 0, \underbrace{1}_{j\text{-th}}, 0, \ldots, 0, c_{i_m}, 0, \ldots, 0) \in C^\perp,$$
where $c_{i_\ell} \ne 0$ for at least one $\ell$, $1 \le i_1 < \cdots < i_m \le n-1$ and $1 \le m \le n-1$. Then the vector $g_j$ is a linear combination of $g_{i_1}, \ldots, g_{i_m}$, namely $g_j = \sum_{\ell=1}^{m} c_{i_\ell} g_{i_\ell}$. Fix $1 \le j \le n$. If $P_j$ acts as a dealer, then her or his secret $s_j$ can be recovered by participants $P_{i_1}, \ldots, P_{i_m}$ as follows:
(1) Participants $P_{i_1}, \ldots, P_{i_m}$ pool their pseudo-secret shares $[(t_{ji_\ell})^{e_{i_\ell}}]^{d_{i_\ell}} \bmod n_{i_\ell}$ from Table I, for $1 \le \ell \le m$.
(2) They compute
$$\sum_{\ell=1}^{m} c_{i_\ell} \left[(t_{ji_\ell})^{e_{i_\ell}}\right]^{d_{i_\ell}} \bmod n_{i_\ell} = \sum_{\ell=1}^{m} c_{i_\ell} \left[(u_j g_{i_\ell})^{e_{i_\ell}}\right]^{d_{i_\ell}} \bmod n_{i_\ell} = \sum_{\ell=1}^{m} c_{i_\ell} (u_j g_{i_\ell}) \bmod n_{i_\ell} = u_j \sum_{\ell=1}^{m} c_{i_\ell} g_{i_\ell} = s_j.$$

Table I. The public information that $P_j$ sends to the other participants, for each $1 \le j \le n$. Column $P_j$ is what dealer $P_j$ publishes; the blank entry in column $P_j$ stands for $P_j$'s own secret.

        P_1                    P_2                    P_3                    ...   P_n
P_1     (blank)                (t_21)^{e_1} mod n_1   (t_31)^{e_1} mod n_1   ...   (t_n1)^{e_1} mod n_1
P_2     (t_12)^{e_2} mod n_2   (blank)                (t_32)^{e_2} mod n_2   ...   (t_n2)^{e_2} mod n_2
P_3     (t_13)^{e_3} mod n_3   (t_23)^{e_3} mod n_3   (blank)                ...   (t_n3)^{e_3} mod n_3
...     ...                    ...                    ...                    ...   ...
P_n     (t_1n)^{e_n} mod n_n   (t_2n)^{e_n} mod n_n   (t_3n)^{e_n} mod n_n   ...   (blank)
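As an added end-to-end run of the initialization, distribution and reconstruction phases above (not the authors' implementation), the following Python takes as the minimal code the $[18, 3; 2]$ code $C(21, 20, 19)[18]$ whose seven nonzero codewords are listed in Section 5, computes the dual code the scheme is based on, and lets $P_3$ share a one-bit secret three times with the same RSA shares. The RSA moduli are toy-sized products of three-digit primes and the random seed is fixed, both assumptions made only so the arithmetic is visible; the recovery relies on $c \in C$ and $t_j \in C^\perp$ being orthogonal.

```python
"""Toy run of the Section 4.2 scheme over F_2 with the [18, 3; 2] minimal code of Section 5.

Added example, not the authors' code. Assumptions: toy RSA moduli (three-digit primes),
dealer P_3 sharing one-bit secrets, fixed random seed.
"""
import random

# Constructed input: the seven nonzero codewords of C(21, 20, 19)[18] listed in Section 5,
# plus the zero word. This is the minimal code C; the scheme itself runs on C^perp.
MINIMAL_CODE = [
    (0,) * 18,
    (1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1),
    (1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0),
    (0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1),
    (1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0),
    (1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1),
    (0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1),
    (0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0),
]
N_PART = 18                     # participants P_1 .. P_18
TOY_PRIMES = [101, 103, 107, 109, 113, 127, 131, 137, 139, 149, 151, 157]   # assumed, toy-sized
RSA_E = 65537                   # prime larger than every phi(n_i) here, so always coprime


def dual_basis(code):
    """Basis of C^perp over F_2 as the nullspace of the codewords, by bitmask row reduction
    (bit i of a mask is coordinate i, 0-based)."""
    n = len(code[0])
    pivots, rows = [], []                      # reduced rows, one pivot column each
    for c in code:
        r = sum(bit << i for i, bit in enumerate(c))
        for p, pr in zip(pivots, rows):
            if r >> p & 1:
                r ^= pr
        if r == 0:
            continue
        p = (r & -r).bit_length() - 1          # lowest set bit becomes the pivot
        rows = [pr ^ r if pr >> p & 1 else pr for pr in rows]
        pivots.append(p)
        rows.append(r)
    basis = []
    for f in (i for i in range(n) if i not in pivots):   # one basis vector per free column
        v = 1 << f
        for p, pr in zip(pivots, rows):
            if pr >> f & 1:
                v |= 1 << p                    # setting x_p = x_f makes row pr vanish
        basis.append(tuple(v >> i & 1 for i in range(n)))
    return basis


def dot2(a, b):
    return sum(x & y for x, y in zip(a, b)) & 1


def keygen(rng):
    """Initialization (4.2.1): P_i publishes (n_i, e_i) and keeps d_i as its real share."""
    p, q = rng.sample(TOY_PRIMES, 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return n, RSA_E, pow(RSA_E, -1, phi)


def distribute(j, secret, gen_matrix, pubkeys, rng):
    """Distribution (4.2.2): pick u_j with t_jj = s_j, set t_j = u_j G and publish
    (t_ji)^e_i mod n_i for every i != j (P_j's column of Table I)."""
    n = len(gen_matrix[0])
    while True:
        u = [rng.randrange(2) for _ in gen_matrix]
        t = tuple(sum(ul * row[i] for ul, row in zip(u, gen_matrix)) & 1 for i in range(n))
        if t[j - 1] == secret:
            break
    # Textbook RSA is deterministic and t_ji is a field element, so for small q the published
    # value identifies t_ji; this toy shows the share-reuse mechanics, not a hardened instance.
    return {i: pow(t[i - 1], pubkeys[i][1], pubkeys[i][0]) for i in range(1, n + 1) if i != j}


def reconstruct(j, codeword, published, keys):
    """Reconstruction (4.2.3) by the minimal authorized subset of one j-minimal codeword: each
    P_i on its support recovers the pseudo-share t_ji with d_i; as c in C is orthogonal to
    t_j in C^perp, s_j = t_jj = sum_{i != j} c_i t_ji over F_2."""
    subset = [i for i in range(1, len(codeword) + 1) if codeword[i - 1] and i != j]
    pseudo = {i: pow(published[i], keys[i][2], keys[i][0]) for i in subset}
    return sum(codeword[i - 1] * pseudo[i] for i in subset) & 1


def run_scheme(secrets=(1, 0, 1), seed=2015):
    """P_3 shares each secret in turn with the same RSA shares (multi-use). Returns, per round,
    the value recovered by each of the minimal authorized subsets in (Gamma_3)_min."""
    rng = random.Random(seed)
    gen_matrix = dual_basis(MINIMAL_CODE)                 # 15 x 18 generator matrix of C^perp
    assert all(dot2(c, g) == 0 for c in MINIMAL_CODE for g in gen_matrix)
    keys = {i: keygen(rng) for i in range(1, N_PART + 1)}
    j = 3
    j_minimal = [c for c in MINIMAL_CODE if c[j - 1] == 1]  # the four 3-minimal codewords
    rounds = []
    for s in secrets:
        published = distribute(j, s, gen_matrix, keys, rng)
        rounds.append([reconstruct(j, c, published, keys) for c in j_minimal])
    return rounds


if __name__ == "__main__":
    print(run_scheme())    # each round lists s_3 as recovered by every authorized subset
```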

Because each shareholder can act as a dealer sharing her or his secret among the other participants, this scheme can be applied to the multi-proxy signature scheme based on general access structures, which plays an important role in electronic commerce. A concrete application is as follows. In a company's board of directors, each board member $P_j$ ($1 \le j \le n$) has a proxy agent defined by the access structures of the proposed scheme, and only the cooperation of the members in the proxy agent can sign a file on behalf of $P_j$ (who is unable to sign it for some reason). Therefore, our scheme is of theoretical significance and practical value.

5. THE ACCESS STRUCTURES OF THE MSSS BASED ON THE DUALS OF MINIMAL LINEAR CODES

Now we discuss the access structures of our scheme specifically.

Theorem 5.1. Let $C$ be an $[n, k; q]$ minimal linear code, and let $G = (g_1, g_2, \ldots, g_n)$ be its generator matrix. Then, in the MSSS based on $C^\perp$, there are altogether $q^{k-1}$ minimal authorized subsets in $(\Gamma_j)_{\min}$ for each $1 \le j \le n$. In addition, for a fixed $1 \le j \le n$, we have the following:
(a) If $g_i$ is a multiple of $g_j$, $1 \le i \le n$, $i \ne j$, then participant $P_i$ must be in every minimal authorized subset in $(\Gamma_j)_{\min}$. Such a participant is called an $s_j$-dictatorial participant.
(b) If $g_i$ is not a multiple of $g_j$, $1 \le i \le n$, $i \ne j$, then participant $P_i$ is in $(q-1)q^{k-2}$ out of the $q^{k-1}$ minimal authorized subsets in $(\Gamma_j)_{\min}$.

Proof. By Theorem 2.5, the total number of minimal authorized subsets in $(\Gamma_j)_{\min}$ is $q^{k-1}$ for each $1 \le j \le n$. Fix $1 \le j \le n$. For any $1 \le i \le n$ with $i \ne j$, if $g_i = b g_j$ for some $b \in \mathbb{F}_q^*$, then $u g_j = 1$ implies $u g_i = b \ne 0$. Hence participant $P_i$ is in every minimal authorized subset. For any $1 \le i \le n$, $i \ne j$, if $g_i$ and $g_j$ are linearly independent, then $(u g_i, u g_j)$ takes on each element of $\mathbb{F}_q^2$ exactly $q^{k-2}$ times when the vector $u$ ranges over $\mathbb{F}_q^k$. Thus $|\{u : u g_j = 1 \text{ and } u g_i \ne 0\}| = (q-1) q^{k-2}$, which is the number of
minimal authorized subsets in $(\Gamma_j)_{\min}$ in which $P_i$ is involved.

The following theorems, which follow from Theorem 5.1, not only present the interesting access structures of the proposed scheme based on the duals of minimal irreducible cyclic codes but also show that the resulting MSSS are democratic, in the sense that every participant is involved in the same number of minimal authorized subsets.

Theorem 5.2. Let $1 \le j \le n$ and let $C$ be an $[n, k; 2]$ irreducible cyclic code. If $C$ is a minimal linear code, then in the MSSS based on $C^\perp$ there are altogether $2^{k-1}$ minimal authorized subsets in $(\Gamma_j)_{\min}$, and each of the $n-1$ participants other than $P_j$ serves in $2^{k-2}$ out of the $2^{k-1}$ minimal authorized subsets in $(\Gamma_j)_{\min}$. Namely, there is no $s_j$-dictator for any $j$.

Proof. By Theorem 5.1(b), we only need to prove that the dual code $C^\perp$ has minimum distance at least 3. Suppose, on the contrary, that $C^\perp$ has a codeword of Hamming weight 2. Then there would exist two distinct integers $0 \le i \le n-1$ and $0 \le l \le n-1$ such that $\mathrm{Tr}_{L/K}(\beta\theta^i) = \mathrm{Tr}_{L/K}(\beta\theta^l)$ for all $\beta \in \mathbb{F}_r$. This implies $\theta^i = \theta^l$ and then $i = l$, contrary to the assumption that $i$ and $l$ are distinct. The conclusion then follows from Theorem 5.1.

Example 5.3. Let $N = 3$ and $1 \le j \le 21$. $C(2, 6, 3)$ is a $[21, 6; 2]$ minimal linear code by Algorithm 1. In the MSSS based on $C^\perp(2, 6, 3)$, all the 32 minimal authorized subsets in $(\Gamma_j)_{\min}$ can be obtained according to Algorithm 2. As an illustration, we investigate the authorized subsets in $(\Gamma_3)_{\min}$ in which the participants can recover $P_3$'s secret $s_3$; they are as follows:

{1, 2, 6, 7, 8, 9, 10, 11, 13, 14, 18}, {1, 4, 5, 6, 11, 13, 14, 15, 17, 19, 21}, {4, 7, 10, 12, 18, 19, 21}, {1, 6, 7, 10, 13, 15, 21}, {1, 2, 4, 9, 11, 12, 13, 15, 17, 19, 20}, {4, 5, 6, 7, 8, 10, 11, 15, 19, 20, 21}, {1, 2, 8, 10, 11, 12, 14, 16, 18, 19, 21}, {2, 4, 5, 6, 7, 9, 10, 14, 18, 19, 20}, {5, 11, 12, 14, 17, 18, 21}, {1, 2, 4, 5, 6, 8, 9, 13, 17, 18, 19}, {2, 6, 9, 11, 17, 18, 20}, {1, 2, 4, 5, 7, 8, 12, 16, 17, 18, 21}, {1, 2, 4, 6, 7, 11, 15, 16, 17, 20, 21}, {1, 2, 5, 6, 10, 14, 15, 16, 19, 20, 21}, {5, 6, 7, 11, 13, 14, 16, 17, 18, 29}, {6, 8, 14, 15, 17, 20, 21}, {1, 4, 8, 12, 13, 14, 17, 18, 19, 20, 21}, {1, 4, 5, 7, 9, 11, 12, 14, 15, 16, 17}, {2, 7, 11, 12, 13, 16, 17, 18, 19, 20, 21}, {2, 4, 5, 10, 12, 13, 14, 16, 18, 20, 21}, {2, 4, 6, 8, 10, 11, 13, 14, 15, 16, 21}, {1, 2, 5, 7, 9, 10, 12, 13, 14, 15, 20}, {1, 9, 10, 12, 15, 16, 19}, {1, 5, 7, 8, 10, 11, 12, 13, 18, 20, 21}, {7, 8, 9, 12, 13, 14, 15, 16, 17, 19, 20}, {1, 5, 6, 8, 9, 10, 11, 16, 18, 19, 20}, {1, 4, 6, 7, 8, 9, 14, 16, 17, 18, 20}, {4, 5, 8, 9, 10, 11, 12, 13, 15, 16, 20}, {4, 6, 9, 10, 13, 16, 18}, {2, 5, 6, 7, 8, 13, 15, 16, 17, 19, 21}, {2, 4, 7, 8, 9, 10, 11, 12, 14, 15, 19}, {2, 5, 8, 9, 12, 15, 17},

where {2, 5, 8, 9, 12, 15, 17} denotes the authorized subset $\{P_2, P_5, P_8, P_9, P_{12}, P_{15}, P_{17}\}$. Each of the 20 participants other than $P_3$ serves in 16 out of the 32 minimal authorized subsets in $(\Gamma_3)_{\min}$, and there are no $s_3$-dictators.

By Theorems 2.8 and 2.9, the shortening code of the $[21, 6; 2]$ minimal linear code of Example 5.3 is a $[21-i-1, k-i-1; 2]$ minimal linear code $C(21, \ldots, 21-i)[21-i-1]$ ($0 \le i \le 4$). We take $i = 2$ as an example and obtain all the minimal codewords of $C(21, 20, 19)[18]$ through programming, as follows:

(1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1, 0, 0, 0, 1),
(1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0),
(0, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1),
(1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0),
(1, 0, 0, 0, 1, 1, 1, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 1),
(0, 0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1),
(0, 1, 1, 0, 1, 0, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0).

In the MSSS based on $C(21, 20, 19)[18]^\perp$, there are four minimal authorized subsets in $(\Gamma_3)_{\min}$ and no $s_3$-dictators.

Theorem 5.4. Let $1 \le j \le n$, and let $C(3, m, 2)$ be an irreducible cyclic code with length $n$ and dimension $k$. If $C(3, m, 2)$ is a minimal linear code, then in the MSSS based on $C^\perp(3, m, 2)$ there are altogether $3^{k-1}$ minimal authorized subsets in $(\Gamma_j)_{\min}$. If $2 \nmid n$, then each of the $n-1$ participants other than $P_j$ serves in $2 \cdot 3^{k-2}$ minimal authorized subsets in $(\Gamma_j)_{\min}$. If $2 \mid n$, then $n-2$ participants other than $P_j$ serve in $2 \cdot 3^{k-2}$ minimal authorized subsets in $(\Gamma_j)_{\min}$, and there exists one dictator $P_{(n/2)+j}$ in $(\Gamma_j)_{\min}$.

Proof. Fix $1 \le j \le n$. For $1 \le i \le n$ and $i \ne j$, $g_i$ is a multiple of $g_j$ if and only if $\theta^{i-j} \in \mathbb{F}_3$, where $\theta = \alpha^2$ and $\alpha$ is a primitive element of $\mathbb{F}_{3^m}$, namely $\mathrm{ord}(\alpha^{2(i-j)}) \le 2$. Note that $\mathrm{ord}(\alpha^{2(i-j)}) = (3^m - 1)/\gcd(3^m - 1, 2(i-j))$. If $3^m - 1 = \gcd(3^m - 1, 2(i-j))$, then $3^m - 1$ divides $2(i-j)$ although $0 < |2(i-j)| < 3^m - 1$, which is a contradiction. If $3^m - 1 = 2\gcd(3^m - 1, 2(i-j))$, then $i - j = n/2$, and there exists one dictator $P_{(n/2)+j}$. The conclusion then follows from Theorem 5.1.

Example 5.5. Let $N = 2$ and $1 \le j \le 40$. $C(3, 4, 2)$ is a $[40, 4; 3]$ minimal linear code by Algorithm 1. In the MSSS based on $C^\perp(3, 4, 2)$, all the 27 minimal authorized subsets in $(\Gamma_j)_{\min}$ can be obtained according to Algorithm 2. As an illustration, we investigate the authorized subsets in $(\Gamma_3)_{\min}$ in which the participants can recover $P_3$'s secret $s_3$; they are as follows:

{1, 2, 4, 5, 6, 7, 8, 9, 12, 14, 15, 16, 18, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 32, 34, 35, 36, 38, 40}, {1, 4, 6, 10, 11, 13, 14, 15, 18, 19, 20, 21, 23, 24, 26, 30, 31, 33, 34, 35, 38, 39, 40}, {1, 2, 4, 5, 6, 7, 8, 11, 13, 14, 15, 17, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 31, 33, 34, 35, 37, 39, 40}, {2, 5, 9, 10, 12, 13, 14, 17, 18, 19, 20, 22, 23, 25, 29, 30, 32, 33, 34, 37, 38, 39, 40}, {1, 2, 4, 5, 6, 7, 10, 12, 13, 14, 16, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 30, 32, 33, 34, 36, 38, 39, 40}, {1, 2, 4, 5, 6, 9, 11, 12, 13, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 29, 31, 32, 33, 35, 37, 38, 39, 40}, {1, 7, 8, 10, 11, 12, 15, 16, 17, 18, 20, 21, 23, 27, 28, 30, 31, 32, 35, 36, 37, 38, 40}, {1, 2, 4, 5, 8, 10, 11, 12, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 28, 30, 31, 32, 34, 36, 37, 38, 39, 40}, {1, 2, 4, 7, 9, 10, 11, 13, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 27, 29, 30, 31, 33, 35, 36, 37, 38, 39, 40}, {1, 2, 6, 8, 9, 10, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 26, 28, 29, 30, 32, 34, 35, 36, 37, 38, 39, 40}, {4, 6, 7, 8, 11, 12, 13, 14, 16, 17, 19, 23, 24, 26, 27, 28, 31, 32, 33, 34, 36, 37, 39}, {2, 5, 6, 7, 10, 11, 12, 13, 15, 16, 18, 22, 23, 25, 26, 27, 30, 31, 32, 33, 35, 36, 38}, {5, 6, 7, 9, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 23, 25, 26, 27, 29, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40}, {1, 4, 5, 8, 9, 10, 11, 13, 14, 16, 20, 21, 23, 24, 25, 28, 29, 30, 31, 33, 34, 36, 40}, {1, 4, 5, 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 21, 23, 24, 25, 27, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38}, {2, 4, 7, 8, 9, 10, 12, 13, 15, 19, 20, 22, 23, 24, 27, 28, 29, 30, 32, 33, 35, 39, 40}, {2, 4, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 20, 22, 23, 24, 26, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 40}, {1, 2, 6, 7, 8, 9, 11, 12, 14, 18, 19, 21, 22, 23, 26, 27, 28, 29, 31, 32, 34, 38, 39}, {1, 2, 5, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 19, 21, 22, 23, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 39}, {1, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 17, 19, 20, 21, 23, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 37, 39, 40},

{4, 5, 6, 8, 9, 11, 15, 16, 18, 19, 20, 23, 24, 25, 26, 28, 29, 31, 35, 36, 38, 39, 40}, {2, 4, 5, 7, 8, 10, 14, 15, 17, 18, 19, 22, 23, 24, 25, 27, 28, 30, 34, 35, 37, 38, 39}, {1, 4, 5, 6, 7, 8, 9, 10, 11, 12, 15, 17, 18, 19, 21, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 35, 37, 38, 39}, {1, 2, 4, 6, 7, 9, 13, 14, 16, 17, 18, 21, 22, 23, 24, 26, 27, 29, 33, 34, 36, 37, 38}, {2, 4, 5, 6, 7, 8, 9, 10, 11, 14, 16, 17, 18, 20, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 34, 36, 37, 38, 40}, {1, 2, 5, 6, 8, 12, 13, 15, 16, 17, 20, 21, 22, 23, 25, 26, 28, 32, 33, 35, 36, 37, 40}, {1, 2, 4, 5, 6, 7, 8, 9, 10, 13, 15, 16, 17, 19, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 33, 35, 36, 37, 39}.

Each of the 38 participants other than $P_3$ and $P_{23}$ serves in 18 out of the 27 minimal authorized subsets in $(\Gamma_3)_{\min}$, with one dictator $P_{23}$.

From Examples 5.3 and 5.5, we conclude that the minimal authorized subsets of the MSSS based on the duals of minimal linear codes are more vivid than those of a $(t, n)$ threshold scheme. For instance, the number of participants involved in a minimal authorized subset in Example 5.3 is 11 or 7.

6. PERFORMANCE AND SECURITY ANALYSIS

6.1. Security analysis

In this section, we examine the security of our scheme. It can be analyzed from the following different viewpoints.
(1) Our scheme does not disclose participants' real secret shares even after multiple secret reconstructions. For $1 \le i \le n$, $1 \le j \le n$, and $i \ne j$, even though all pseudo-secret shares $[(t_{ji})^{e_i}]^{d_i} \bmod n_i$ have been exposed among many cooperating participants, each participant's real secret share $d_i$ is protected by the RSA cryptosystem. In order to share the next $n$ secrets, each participant, who also acts as a dealer, recalculates the data in each column of Table I without renewing any participant's secret share $d_i$.
(2) Our scheme employs a public key cryptographic process, namely the RSA cryptosystem, so that a secret channel is not
necessary at all in this scheme, and our scheme is computationally secure and efficient.
(3) Each participant selects her or his secret share by herself or himself; thus, it is impossible for the dealer to cheat.

6.2. Dynamic multi-secret sharing

In our proposed scheme, participants and secrets can be operated on dynamically without updating any participant's share. This is a very important issue with many practical applications. In this section, we discuss the scheme under dynamic refresh, deletion, and addition in accordance with practical settings. Let $C$ be an $[n, k; q]$ code. If the number of participants is less than $n$, then we can construct the MSSS from the $[n-i, k-i; q]$ code $C(n, n-1, \ldots, n-i+1)[n-i]$ for $1 \le i \le n-k-2$.
(1) Fix $1 \le i \le n-k-2$. When a new participant $P_{n-i+1}$ joins the network, she or he selects her or his own share $d_{n-i+1}$ and publishes $\{n_{n-i+1}, e_{n-i+1}\}$. The dealer $P_j$ computes and publishes $(u_j g_{n-i+1})^{e_{n-i+1}}$ for $1 \le j \le n-i$. The new participant $P_{n-i+1}$ publishes $(u_{n-i+1} g_j)^{e_j}$ to the other $n-i$ participants $P_j$ for sharing her or his secret $s_{n-i+1}$. In this case, the MSSS is based on the code $C(n, n-1, \ldots, n-i+2)[n-i+1]$.
(2) Fix $1 \le i \le n-k-2$. When we need to delete a participant $P_{n-i}$, each dealer $P_j$ only needs to erase $(u_j g_{n-i})^{e_{n-i}}$ for $1 \le j \le n-i-1$. In this case, the MSSS is based on the code $C(n, n-1, \ldots, n-i)[n-i-1]$.

6.3. Performance analysis

In this section, we discuss some important properties of the proposed scheme.
(1) Each participant can share any secrets with the other participants while holding only one shadow; that is, our scheme is an MSSS. Besides, because each shareholder can act as a dealer sharing her or his secret among the other participants, this scheme can be applied to multi-proxy signatures among all the members.
(2) The shadow of each participant is never disclosed in the recovery and verification phases, and its reuse is secure. Each participant $P_j$ ($1 \le j \le n$), who also acts as a dealer, only has to choose a
new vector u j such that s j = u j g j in order to perform recovery phase to publish some information of the renewed secrets In other words, the real secret shares do not need to change, and reuse of them is secure for the next construction phases Therefore, the proposed scheme is multi-use (3) ompared with Massey s scheme [17,18], our scheme presents a one-to-one correspondence between the family of minimal access structures and Security omm Networks 215; 8: John Wiley & Sons, Ltd 29
the sets of $j$-minimal codewords $(1 \le j \le n)$ instead of only the 1-minimal codewords. For this reason, the utilization rate of codewords in our scheme is much higher than that of Massey's scheme.

(4) The schemes in [9] and [16] have almost the same features as the proposed scheme. We give a comparison of these three schemes with the proposed one in Table II.

Table II. The comparisons among the schemes in [9,16] and our scheme

| Features | Type1 [9] | Type2 [9] | Scheme in [16] | Our scheme |
|---|---|---|---|---|
| Each participant holds only one share to share multi-secrets | Yes | Yes | Yes | Yes |
| The share is reusable when participants are joining/quitting the group | Yes | Yes | Yes | Yes |
| The share is reusable when shared secrets are reconstructed | Yes | Yes | Yes | Yes |
| Recover multi-secrets by Lagrange interpolating polynomials | Yes | Yes | No | No |
| The distribution phase is relevant to the coding theory | No | No | Yes | Yes |
| Different secrets are associated with different access structures | No | No | No | Yes |
| Access structures possess more vivid authorized sets | No | No | No | Yes |
| No security channel | Yes | Yes | No | Yes |
| Each participant selects her or his secret share by herself or himself | Yes | Yes | No | Yes |
| The dealer does not know the share of each participant | No | Yes | No | Yes |

Remark 3. The validity of the shares can be verified in a verifiable secret sharing scheme; thus, participants are not able to cheat. Based on our scheme, we can further construct a verifiable MSSS by adding the existing verifiability methods, where the intractability of the discrete logarithm problem is frequently employed [9-11].

7. CONCLUSION

We proposed the concept of minimal linear codes and studied the algorithm to determine whether irreducible cyclic codes are minimal. Furthermore, we devised an MSSS based on the theory of minimal linear codes and characterized the access structures of the scheme. The major characteristics of its construction are the multi-use of the shares and that each participant acts as a dealer whose secret can be shared among the other participants, which provides more flexibility. Besides, our MSSS based on minimal linear codes possesses more vivid access structures depending on the diversity of the weight distribution, which may be desirable in certain applications because participants in such schemes become more democratic and powerful. Because the number of participants in the minimal authorized subsets of the schemes based on minimal linear codes is determined by the weights of the minimal codewords, we shall work on the study of minimal linear codes with three or more weights in future work.

ACKNOWLEDGEMENTS

This work was supported by the National Natural Science Foundation of China (grant no. ) and the Key Technologies R & D Program of Shaanxi Province (grant no. 213k611).

REFERENCES

1. Shamir A. How to share a secret. Communications of the ACM 1979; 22(11).
2. Blakley GR. Safeguarding cryptographic keys. In Proceedings of AFIPS National Computer Conference, Vol. 48. AFIPS Press: New York, USA, 1979.
3. Jin Y, Ding S. Secret sharing schemes from three classes of linear codes. IEEE Transactions on Information Theory 2006; 52(1).
4. Giulietti M, Vincenti R. Three-level secret sharing schemes from the twisted cubic. Discrete Mathematics 2010; 310(22).
5. Parakh A, Kak S. Space efficient secret sharing for implicit data security. Information Science 2011; 181(2).
6. Csirmaz L, Tardos G. On-line secret sharing. Designs, Codes and Cryptography 2012; 63(1).
7. Harn L. Secure secret reconstruction and multisecret sharing schemes with unconditional security. Security and Communication Networks 2013, doi: 12/sec758.
8. Yang CC, Chang TY, Hwang MS. A (t, n) multi-secret sharing scheme. Applied Mathematics and Computation 2004; 151(2).
9. Dehkordi MH, Mashhadi S. New efficient and practical verifiable multi-secret sharing schemes. Information Sciences 2008; 178(9).
10. Zhao JJ, Zhang JJ, Zhao R. A practical verifiable multi-secret sharing scheme. Computer Standards and Interfaces 2007; 29(1).
11. Dehkordi MH, Mashhadi S. An efficient threshold verifiable multi-secret sharing. Computer Standards and Interfaces 2008; 30(3).
12. Pang LJ, Wang YM. A new (t, n) multi-secret sharing scheme based on Shamir's secret sharing. Applied Mathematics and Computation 2005; 167(2).
13. Hu Q, Liao XF, Cheng XZ. Verifiable multi-secret sharing based on LFSR sequences. Theoretical Computer Science 2012; 445(3).
14. Herranz J, Ruiz A, Sáez G. New results and applications for multi-secret sharing schemes. Designs, Codes and Cryptography 2013.
15. Blundo C, Santis AD, Crescenzo GD, Gaggia AG, Vaccaro U. Multi-secret sharing schemes. Advances in Cryptology - Crypto 94, USA, 1993.
16. Chien HY, Jan JK, Tseng YM. A practical (t, n) multisecret sharing schemes. IEICE Transactions 2000; E83-A(12).
17. Massey JL. Minimal codewords and secret sharing. The 6th Joint Swedish-Russian Workshop on Information Theory, Sweden, 1993.
18. Massey JL. Some applications of coding theory in cryptography. In Cryptography and Coding IV. Formara Ltd: England, 1995.
19. Li ZH, Xue T, Lai H. Secret sharing schemes from binary linear codes. Information Science 2010; 180(22).
20. Ding S, Jin Y. Covering and secret sharing with linear codes. In Discrete Mathematics and Theoretical Computer Science: Lecture Notes in Computer Science, Vol. 2731. Springer Verlag: Berlin Heidelberg, 2003.
21. Chen Q, Pei DY, Tang M, et al. A note on ramp secret sharing schemes from error-correcting codes. Mathematical and Computer Modelling 2013; 57(11-12).
22. Cruz RD, Wang HX. Cheating-immune secret sharing schemes from codes and cumulative arrays. Cryptography and Communications 2013; 5(1).
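The add/delete procedure of Section 6.2 and the access-structure claim of Section 6.3 rest on two facts: shortening a minimal linear code keeps it minimal, and Massey's criterion [17,18] reads the minimal authorized sets off the codewords of the code whose dual is used for sharing. The following Python block is an added worked example, not code from the paper: it checks both facts over F_2 for a constructed [7,3] simplex code and for the code shortened when one participant leaves; the sample code, the coordinate numbering and all helper names are assumptions of the example.

```python
"""Minimal linear codes, shortening and access structures over F_2.  Added worked
example, not code from the paper: the [7,3] simplex code and all helper names are
this example's own constructed inputs and assumptions."""
from itertools import combinations, product


def span(rows):
    """Every F_2 linear combination of `rows`, i.e. the code they generate."""
    words = set()
    for coeffs in product((0, 1), repeat=len(rows)):
        w = [0] * len(rows[0])
        for a, r in zip(coeffs, rows):
            if a:
                w = [x ^ y for x, y in zip(w, r)]
        words.add(tuple(w))
    return words

def dual(code):
    """Brute-force dual code: every length-n vector orthogonal to all codewords."""
    n = len(next(iter(code)))
    return {v for v in product((0, 1), repeat=n)
            if all(sum(a & b for a, b in zip(v, c)) % 2 == 0 for c in code)}

def basis(vectors):
    """Gaussian elimination over F_2: an independent generating set of `vectors`."""
    rows = []
    for v in vectors:
        v = list(v)
        for r in rows:                 # clear v at every earlier row's leading 1
            if v[r.index(1)]:
                v = [a ^ b for a, b in zip(v, r)]
        if any(v):
            rows.append(v)
    return rows

def support(c):
    return frozenset(i for i, x in enumerate(c) if x)

def is_minimal_codeword(c, code):
    """c is minimal iff no other nonzero codeword has support strictly inside supp(c)."""
    s = support(c)
    return any(c) and not any(any(d) and d != c and support(d) < s for d in code)

def is_minimal_code(code):
    """The paper's notion: every nonzero codeword is a minimal codeword."""
    return all(is_minimal_codeword(c, code) for c in code if any(c))

def shorten(code, positions):
    """Shorten at `positions` (the departing participants' coordinates): keep the
    codewords that vanish there and delete those coordinates."""
    keep = [i for i in range(len(next(iter(code)))) if i not in positions]
    return {tuple(c[i] for i in keep) for c in code if not any(c[p] for p in positions)}

def minimal_access_structure(code, j):
    """Minimal authorized sets for dealer P_j (coordinate j) when the sharing code is the
    dual of `code`.  Massey's criterion [17,18]: they are supp(c) \\ {j} for the minimal
    codewords c of the sharing code's dual, i.e. of `code`, with c_j != 0; in a minimal
    linear code every nonzero codeword with c_j != 0 qualifies."""
    return {support(c) - {j} for c in code if c[j] and is_minimal_codeword(c, code)}

def can_recover(gen_rows, j, group):
    """The sharing itself: the dealer picks u with s_j = u·g_j and gives P_i the value u·g_i
    (g_i = column i of the sharing code's generator matrix); `group` recovers s_j exactly
    when g_j lies in the F_2-span of their columns."""
    if not group:
        return False
    cols = [tuple(r[i] for r in gen_rows) for i in range(len(gen_rows[0]))]
    return cols[j] in span([cols[i] for i in group])

def verify_access_structure(code, j):
    """Cross-check the codeword criterion against the generator matrix of the dual:
    each derived set is minimal, and a group recovers s_j iff it contains one of them."""
    gen = basis(dual(code))
    others = [i for i in range(len(gen[0])) if i != j]
    minimal_sets = minimal_access_structure(code, j)
    if any(can_recover(gen, j, a - {i}) for a in minimal_sets for i in a):
        return False
    return all(can_recover(gen, j, frozenset(g)) == any(a <= set(g) for a in minimal_sets)
               for size in range(1, len(others) + 1)
               for g in combinations(others, size))

# Constructed sample: generator matrix of the binary [7,3] simplex code.  Its columns are
# the seven nonzero vectors of F_2^3, so every nonzero codeword has weight 4.
SIMPLEX_7_3 = [(1, 0, 0, 1, 1, 0, 1),
               (0, 1, 0, 1, 0, 1, 1),
               (0, 0, 1, 0, 1, 1, 1)]

def demo():
    """Seven participants, then the code shortened at coordinate 6 after P_7 leaves."""
    code = span(SIMPLEX_7_3)
    shortened = shorten(code, {6})
    return {
        "minimal": is_minimal_code(code),
        "shortened_minimal": is_minimal_code(shortened),  # shortening keeps minimality
        "access_P1": minimal_access_structure(code, 0),
        "access_P1_after_delete": minimal_access_structure(shortened, 0),
        "verified": verify_access_structure(code, 0) and verify_access_structure(shortened, 0),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, sorted(map(sorted, value)) if isinstance(value, set) else value)
```

With all weights equal to 4, dealer P_1 obtains four minimal authorized sets of three participants, and after P_7 leaves only the two that never involved coordinate 6 survive, which is the deletion case of Section 6.2 seen at the level of the code.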

Ideal Hierarchical Secret Sharing Schemes Ideal Hierarchical Secret Sharing Schemes Oriol Farràs and Carles Padró Universitat Politècnica de Catalunya, Barcelona, Spain. Abstract. Hierarchical secret sharing is among the most natural generalizations

More information

arxiv: v1 [cs.cr] 1 May 2012

arxiv: v1 [cs.cr] 1 May 2012 A SECRET SHARING SCHEME BASED ON GROUP PRESENTATIONS AND THE WORD PROBLEM arxiv:1205.0157v1 [cs.cr] 1 May 2012 MAGGIE HABEEB, DELARAM KAHROBAEI, AND VLADIMIR SHPILRAIN Abstract. A (t, n)-threshold secret

More information

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018 Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval

More information

Gurgen Khachatrian Martun Karapetyan

Gurgen Khachatrian Martun Karapetyan 34 International Journal Information Theories and Applications, Vol. 23, Number 1, (c) 2016 On a public key encryption algorithm based on Permutation Polynomials and performance analyses Gurgen Khachatrian

More information

Secret Sharing CPT, Version 3

Secret Sharing CPT, Version 3 Secret Sharing CPT, 2006 Version 3 1 Introduction In all secure systems that use cryptography in practice, keys have to be protected by encryption under other keys when they are stored in a physically

More information

Chapter 4 Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman [NetSec/SysSec], WS 2008/2009 4.1 Asymmetric Cryptography General idea: Use two different keys -K and +K for

More information

Asymmetric Cryptography

Asymmetric Cryptography Asymmetric Cryptography Chapter 4 Asymmetric Cryptography Introduction Encryption: RSA Key Exchange: Diffie-Hellman General idea: Use two different keys -K and +K for encryption and decryption Given a

More information

Quasi-cyclic codes. Jay A. Wood. Algebra for Secure and Reliable Communications Modeling Morelia, Michoacán, Mexico October 12, 2012

Quasi-cyclic codes. Jay A. Wood. Algebra for Secure and Reliable Communications Modeling Morelia, Michoacán, Mexico October 12, 2012 Quasi-cyclic codes Jay A. Wood Department of Mathematics Western Michigan University http://homepages.wmich.edu/ jwood/ Algebra for Secure and Reliable Communications Modeling Morelia, Michoacán, Mexico

More information

Construction of Multiplicative Monotone Span Program

Construction of Multiplicative Monotone Span Program Construction of Multiplicative Monotone Span Program Yuenai Chen, Chunming Tang,2 School of Mathematics and Information Sciences, Guangzhou University, Guangzhou 50006, China 2 Key Laboratory of Mathematics

More information

Secret Sharing Schemes

Secret Sharing Schemes Secret Sharing Schemes 1.1 Introduction 1 1 Handling secret has been an issue of prominence from the time human beings started to live together. Important things and messages have been always there to

More information

Ideals over a Non-Commutative Ring and their Application in Cryptology

Ideals over a Non-Commutative Ring and their Application in Cryptology Ideals over a Non-Commutative Ring and their Application in Cryptology E. M. Gabidulin, A. V. Paramonov and 0. V. Tretjakov Moscow Institute of Physics and Technology 141700 Dolgoprudnii Moscow Region,

More information

PAPER Secret Sharing Schemes Based on Linear Codes Can Be Precisely Characterized by the Relative Generalized Hamming Weight

PAPER Secret Sharing Schemes Based on Linear Codes Can Be Precisely Characterized by the Relative Generalized Hamming Weight 2067 PAPER Secret Sharing Schemes Based on Linear Codes Can Be Precisely Characterized by the Relative Generalized Hamming Weight Jun KURIHARA, a), Member, Tomohiko UYEMATSU b), Senior Member, and Ryutaroh

More information

A Note on the Density of the Multiple Subset Sum Problems

A Note on the Density of the Multiple Subset Sum Problems A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,

More information

Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials

Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Low complexity bit-parallel GF (2 m ) multiplier for all-one polynomials Yin Li 1, Gong-liang Chen 2, and Xiao-ning Xie 1 Xinyang local taxation bureau, Henan, China. Email:yunfeiyangli@gmail.com, 2 School

More information

Applications of Galois Geometries to Coding Theory and Cryptography

Applications of Galois Geometries to Coding Theory and Cryptography Applications of Galois Geometries to Coding Theory and Cryptography Ghent University Dept. of Mathematics Krijgslaan 281 - Building S22 9000 Ghent Belgium Albena, July 1, 2013 1. Affine spaces 2. Projective

More information

Elementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q),

Elementary 2-Group Character Codes. Abstract. In this correspondence we describe a class of codes over GF (q), Elementary 2-Group Character Codes Cunsheng Ding 1, David Kohel 2, and San Ling Abstract In this correspondence we describe a class of codes over GF (q), where q is a power of an odd prime. These codes

More information

Notes 10: Public-key cryptography

Notes 10: Public-key cryptography MTH6115 Cryptography Notes 10: Public-key cryptography In this section we look at two other schemes that have been proposed for publickey ciphers. The first is interesting because it was the earliest such

More information

CRYPTOGRAPHY AND LARGE PRIMES *

CRYPTOGRAPHY AND LARGE PRIMES * CRYPTOGRAPHY AND LARGE PRIMES * B. Hartley University of Manchester, England, and National University of Singapore The word "cryptography" derives from Greek and means "secret writing". Since ancient times,

More information

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128

Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-128 Impossible Differential-Linear Cryptanalysis of Reduced-Round CLEFIA-8 Zheng Yuan,,, ian Li, Beijing Electronic Science & Technology Institute, Beijing 7, P.R. China zyuan@tsinghua.edu.cn, sharonlee95@6.com

More information

Mathematics of Cryptography

Mathematics of Cryptography UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms

More information