Optimal Ramp Schemes and Related Combinatorial Objects

Similar documents
Latin Squares and Orthogonal Arrays

arxiv: v1 [math.co] 13 Apr 2018

Additional Constructions to Solve the Generalized Russian Cards Problem using Combinatorial Designs

Some results on the existence of t-all-or-nothing transforms over arbitrary alphabets

Some recent results on all-or-nothing transforms, or All or nothing at all

A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks

A Unified Approach to Combinatorial Key Predistribution Schemes for Sensor Networks

Perfect Secret Sharing Schemes from Room Squares

Perfect Secret Sharing Schemes from Room. Squares. Ghulam-Rasool Chaudhry. Centre for Computer Security Research. University of Wollongong

arxiv: v1 [cs.cr] 1 May 2012

Secret sharing schemes

Secret Sharing CPT, Version 3

Geometrical Constructions for Ordered Orthogonal Arrays and (T, M, S)-Nets

Orthogonal arrays of strength three from regular 3-wise balanced designs

Efficient Secret Sharing Schemes Achieving Optimal Information Rate

Mathematics for Cryptography

A Short Overview of Orthogonal Arrays

Secret Sharing for General Access Structures

Notes 10: Public-key cryptography

Optimal Linear Secret Sharing Schemes for Graph Access Structures on Six Participants

Lecture 04: Secret Sharing Schemes (2) Secret Sharing

Construction of latin squares of prime order

Perfect Secret Sharing Schemes Based on Generalized Kirkman Squares

New quasi-symmetric designs constructed using mutually orthogonal Latin squares and Hadamard matrices

A Tutorial on Orthogonal Arrays: Constructions, Bounds and Links to Error-correcting Codes

Solutions of Exam Coding Theory (2MMC30), 23 June (1.a) Consider the 4 4 matrices as words in F 16

Communication Efficient Secret Sharing

Secret Sharing. Qi Chen. December 14, 2015

Mutually Orthogonal Latin Squares: Covering and Packing Analogues

Communication Efficient Secret Sharing

Applications of Galois Geometries to Coding Theory and Cryptography

Interpolating Accuracy without underlying f (x)

On Encoding Symbol Degrees of Array BP-XOR Codes

The decomposability of simple orthogonal arrays on 3 symbols having t + 1 rows and strength t

Optimal algebraic manipulation detection codes and difference families

Mutually orthogonal latin squares (MOLS) and Orthogonal arrays (OA)

Computational results on invertible matrices with the maximum number of invertible 2 2 submatrices

Affine designs and linear orthogonal arrays

Class-r hypercubes and related arrays

Roux-type Constructions for Covering Arrays of Strengths Three

Detection of Cheaters in Non-interactive Polynomial Evaluation

Math 1314 Week #14 Notes

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

4F5: Advanced Communications and Coding

A Combinatorial Approach to Key Predistribution. for Distributed Sensor Networks

Multipartite entangled states, orthogonal arrays & Hadamard matrices. Karol Życzkowski in collaboration with Dardo Goyeneche (Concepcion - Chile)

Arrangements, matroids and codes

Covering Arrays. Lucia Moura School of Electrical Engineering and Computer Science University of Ottawa

The distribution of run lengths in integer compositions

Nonexistence of (9, 112, 4) and (10, 224, 5) binary orthogonal arrays

ORTHOGONAL SETS OF LATIN SQUARES AND. CLASS-r HYPERCUBES GENERATED BY FINITE ALGEBRAIC SYSTEMS. A Dissertation in. Mathematics. Daniel R.

Secure RAID Schemes from EVENODD and STAR Codes

A TWOOA Construction for Multi-Receiver Multi-Message Authentication Codes

Characterisations of optimal algebraic manipulation detection codes

Reducing the Share Size in Robust Secret Sharing

Orthogonal Arrays & Codes

Efficient Conversion of Secret-shared Values Between Different Fields

Universal hash families and the leftover hash lemma, and applications to cryptography and computing

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

COMBINATORIAL COUNTING

Minimal and Maximal Critical Sets in Room Squares

Honeycomb Arrays. Anastasia Panoui Maura B. Paterson Douglas R. Stinson

Construction of some new families of nested orthogonal arrays

CSL361 Problem set 4: Basic linear algebra

A Brief Retrospective Look at the Cayley-Purser Public-key Cryptosystem, 19 Years Later

ORBIT-HOMOGENEITY. Abstract

On the decomposition of orthogonal arrays

Lecture Introduction. 2 Linear codes. CS CTT Current Topics in Theoretical CS Oct 4, 2012

Visual Cryptography Schemes with Optimal Pixel Expansion

The lattice of N-run orthogonal arrays

Characterizing Ideal Weighted Threshold Secret Sharing

Lecture 14. Outline. 1. Finish Polynomials and Secrets. 2. Finite Fields: Abstract Algebra 3. Erasure Coding

Part 23. Latin Squares. Contents. 1 Latin Squares. Printed version of the lecture Discrete Mathematics on 4. December 2012

Coding Theory and Applications. Solved Exercises and Problems of Cyclic Codes. Enes Pasalic University of Primorska Koper, 2013

On the construction of asymmetric orthogonal arrays

CPSC 467: Cryptography and Computer Security

An Analytic Approach to the Problem of Matroid Representibility: Summer REU 2015

Inverses. Stephen Boyd. EE103 Stanford University. October 28, 2017

Simple and Asymptotically Optimal t-cheater Identifiable Secret Sharing Scheme

Anewconstructionofstrength-3coveringarraysusinglinearfeedbackshiftregister(LFSR)sequences

Characterizing Ideal Weighted Threshold Secret Sharing

Hash Families and Cover-Free Families with Cryptographic Applications

Lecture 3,4: Multiparty Computation

Lecture 12: November 6, 2017

On Secret Sharing Schemes, Matroids and Polymatroids

Section 1.1: Systems of Linear Equations

Sector-Disk Codes and Partial MDS Codes with up to Three Global Parities

Jackson and Keith M. Martin* Department of Pure Mathematics, The University of.n.ull,j.<:uu.''-', Adelaide SA 5005, Australia.

ORBIT-HOMOGENEITY IN PERMUTATION GROUPS

DM559 Linear and Integer Programming. Lecture 2 Systems of Linear Equations. Marco Chiarandini

On the representability of the bi-uniform matroid

Secure Computation. Unconditionally Secure Multi- Party Computation

Hey! You Can t Do That With My Code!

Multiplicity Free Expansions of Schur P-Functions

Hadamard matrices and strongly regular graphs with the 3-e.c. adjacency property

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

STEP Support Programme. Hints and Partial Solutions for Assignment 17

Bounding the number of affine roots

Staircase Codes for Secret Sharing with Optimal Communication and Read Overheads

3x + 1 (mod 5) x + 2 (mod 5)

Transcription:

Optimal Ramp Schemes and Related Combinatorial Objects Douglas R. Stinson David R. Cheriton School of Computer Science University of Waterloo BCC 2017, Glasgow, July 3 7, 2017 1 / 18

(t, n)-threshold Schemes We informally define a (t, n)-threshold scheme Let t and n be positive integers, t n. A secret value K is split into n shares, denoted s 1,..., s n. The following two properties should hold: 1. The secret can be reconstructed, given any t of the n shares. 2. No t 1 shares reveal any information as to the value of the secret. Threshold schemes were invented independently by Blakley and Shamir in 1979. Shamir s threshold scheme is based on polynomial interpolation over Z p, where p n + 1 is prime. 2 / 18

Shamir Threshold Scheme The set of possible secrets (and shares) is Z p. x 1, x 2,..., x n are defined to be n public, distinct, non-zero elements of Z p. For a given secret K Z p, shares are created as follows: 1. Let a(x) Z p [x] be a random polynomial of degree at most t 1, such that the constant term is the secret, K. 2. For 1 i n, the share s i = a(x i ) (so the shares are evaluations of the polynomial a(x) at n non-zero points). Suppose we have t shares s ij = a(x ij ), 1 j t. Since a(x) is a polynomial of degree at most t 1, we can determine a(x) by Lagrange interpolation; then K = a(0). 3 / 18

Ideal Threshold Schemes Suppose K is the set of possible secrets and X is the set of possible shares for any (t, n) threshold scheme Then K X. If equality holds, then the threshold scheme is ideal. Clearly the Shamir scheme is ideal. We observe that the Shamir scheme is basically a Reed-Solomon code in disguise. Reed-Solomon codes are examples of maximum distance separable codes, which are equivalent to orthogonal arrays with index 1. 4 / 18

Ideal Threshold Schemes and Orthogonal Arrays An orthogonal array with index 1, denoted OA(t, k, v), is a v t by k array A defined on an alphabet X of cardinality v, such that any t of the k columns of A contain all possible k-tuples from X t exactly once. Theorem 1 (Keith Martin, 1991) There exists an ideal (t, k)-threshold scheme with v possible shares (and v possible secrets) if and only if there exists an OA(t, k + 1, v). 5 / 18

Proof Ideas Suppose A is an OA(t, k + 1, v). The first k columns are associated with the k players and the last column corresponds to the secret. Each row of A gives rise to a distribution rule which assigns shares corresponding to a particular value of the secret to the k players. The result is easily seen to be an ideal threshold scheme. 6 / 18

Proof Ideas Suppose A is an OA(t, k + 1, v). The first k columns are associated with the k players and the last column corresponds to the secret. Each row of A gives rise to a distribution rule which assigns shares corresponding to a particular value of the secret to the k players. The result is easily seen to be an ideal threshold scheme. Conversely, suppose we start with a (t, k)-threshold scheme with shares from an alphabet of size v. WLOG, suppose K = X. Write out all the possible distribution rules (which can be regarded as (k + 1)-tuples) as rows of an array. With a bit of work, the resulting array can be shown to be an OA(t, k + 1, v). 6 / 18

Example We present an OA(2, 4, 3), which gives rise to a (2, 3)-threshold scheme with shares and secrets in Z 3. There are nine distribution rules, three for each possible value of the secret. s 1 s 2 s 3 K 0 0 0 0 1 1 1 0 2 2 2 0 0 1 2 1 1 2 0 1 2 0 1 1 0 2 1 2 1 0 2 2 2 1 0 2 7 / 18

(Ideal) Ramp Schemes An (s, t, n)-ramp scheme is a generalization of a threshold scheme in which there are two thresholds s and t, where s < t. 1. The secret can be reconstructed given any t of the n shares. 2. No s shares reveal any information as to the value of the secret. If s = t 1, then we have a threshold scheme. Ramp schemes weaken the security requirement, but permit larger secrets to be shared for a given share size. If K is the set of possible secrets and X is the set of possible shares for any (s, t, n)-ramp scheme, then K X t s. If equality holds, then the ramp scheme is ideal. 8 / 18

Orthogonal Arrays and Ideal Ramp Schemes It is easy to construct an ideal ramp scheme from an orthogonal array. Suppose A is an OA(t, k + t s, v). The first k columns are associated with the k players and the last t s columns correspond to the secret. Main question: Is the converse true? Jackson and Martin (1996) showed that a strong ideal ramp scheme implies the existence of an OA(t, k + t s, v). However, the additional properties that define a strong ideal ramp scheme are rather technical, and not particularly natural. We give a new, tight characterization of general ideal ramp schemes, and we construct examples of ideal ramp schemes that are not strong, answering a question from Jackson and Martin (1996). 9 / 18

Augmented Orthogonal Arrays Definition 2 An augmented orthogonal array, denoted AOA(s, t, k, v), is a v t by k + t s array A that satisfies the following properties: 1. the first k columns of A form an orthogonal array OA(t, k, v) on a symbol set X of size v 2. the last column of A contains symbols from a set Y of size v t s 3. any s of the first k columns of A, together with the last column of A, contain all possible (s + 1)-tuples from X s Y exactly once. 10 / 18

Example We give an example of an AOA(1, 3, 3, 3). Take X = Z 3 and Y = Z 3 Z 3. The AOA is generated by the following matrix: 1 0 0 (1, 1) M = 0 1 0 (1, 0). 0 0 1 (0, 1) The first three columns generate all 27 triples over Z 3. Any one of the first three columns, together with the last column, generate all 27 ordered pairs from Z 3 (Z 3 Z 3 ). 11 / 18

Main Equivalence Theorem Theorem 3 There exists an ideal (s, t, n)-ramp scheme defined over a set of v shares if and only if there exists an AOA(s, t, n, v). Theorem 4 If there exists an OA(t, k + t s, v), then there exists an AOA(s, t, k, v). Proof. Merge the last t s columns of an OA(t, k + t s, v) to form a single column whose entries are (t s)-tuples of symbols. 12 / 18

Ramp Schemes and (Augmented) Orthogonal Arrays Summarizing, we have the following equivalences/implications: strong ideal (s, t, n)-ramp scheme defined over a set of v shares ideal (s, t, n)-ramp scheme defined over a set of v shares OA(t, n + t s, v) AOA(s, t, n, v) 13 / 18

OAs vs AOAs The converse of Theorem 4 is not always true. Consider the AOA(1, 3, 3, 3) presented earlier. Suppose we split the last column into two columns of elements from Z 3. We would get an array generated by the following matrix: M = 1 0 0 1 1 0 1 0 1 0 0 0 1 0 1 The fourth column of M is the sum of the first two columns of M, so these three corresponding columns generated by M will not contain all possible 3-tuples. In fact, there does not exist any OA(3, 5, 3), because the parameters violate the classical Bush bound. So we get an example of parameters for which an ideal ramp scheme exists but a strong ideal ramp scheme does not exist.. 14 / 18

OAs vs AOAs: Two General Results Theorem 5 Suppose q is an odd prime power and 3 t q. Then there exists an AOA(1, t, q, q) but there does not exist an OA(t, q + t 1, q). Theorem 6 Suppose q is a prime power and s q 1. Then there exists an AOA(s, q + 1, q + 1, q) but there does not exist an OA(q + 1, 2(q + 1) s, q). 15 / 18

Example We take q = 3, s = 2 in Theorem 6. Let ( 1 1 1 0 N = 0 1 2 1 This array generates a (linear) OA(2, 4, 3). ). Then the following array generates a (linear) AOA(2, 4, 4, 3): M = 1 0 0 0 (1, 0) 0 1 0 0 (1, 1) 0 0 1 0 (1, 2) 0 0 0 1 (0, 1). However, by the Bush bound, there is no OA(4, 6, 3). 16 / 18

References [1] W.A. Jackson and K.M. Martin. A combinatorial interpretation of ramp schemes. Australasian Journal of Combinatorics 14 (1996), 51 60. [2] K.M. Martin. Discrete Structures in the Theory of Secret Sharing. PhD Thesis, University of London, 1991. [3] A. Shamir. How to share a secret. Communications of the ACM 22 (1979), 612 613. [4] D.R. Stinson. Optimal ramp schemes and related combinatorial objects. ArXiv report 1705.06247, May 17, 2017. 17 / 18

Thank You For Your Attention! 18 / 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback