
Information Processing Letters 112 (2012) 667–673


Linear threshold multisecret sharing schemes ✩

Oriol Farràs a, Ignacio Gracia b, Sebastià Martín b,∗, Carles Padró c

a Dept. d’Eng. Informàtica i Matemàtiques, Universitat Rovira i Virgili, Tarragona, Spain
b Dept. de Matemàtica Aplicada IV, Universitat Politècnica de Catalunya, Barcelona, Spain
c School of Mathematical Sciences, Nanyang Technological University, Singapore

Article history: Received 24 February 2012; Received in revised form 24 May 2012; Accepted 25 May 2012; Available online 9 June 2012. Communicated by M. Yamashita.

Keywords: Cryptography; Information-theoretic security; Multisecret sharing schemes; Threshold access structures

Abstract

In a multisecret sharing scheme, several secret values are distributed among a set of n users, and each secret may have a different associated access structure. We consider here information-theoretic secure schemes with multithreshold access structures. Namely, for every subset P of k users there is a secret key that can only be computed when at least t of them put together their secret information. Coalitions with at most w users with less than t of them in P cannot obtain any information about the secret associated to P. The main parameters to optimize are the length of the shares and the amount of random bits that are needed to set up the distribution of shares, both in relation to the length of the secret. In this paper, we provide lower bounds on these parameters. Moreover, we present an optimal construction for t = 2 and k = 3.

© 2012 Elsevier B.V. All rights reserved.

1. Introduction

There are several different kinds of cryptographic protocols with information-theoretic security that have some common features. Namely, they can be described as collections of random variables satisfying certain properties, which in general can be stated in terms of their joint Shannon entropies. Secret sharing schemes form the best known class of such protocols, and also the one that has been most extensively studied. Other examples are key predistribution schemes, broadcast encryption schemes, and multisecret sharing schemes.

✩ A preliminary version of this paper appeared in the Proceedings of the Fourth International Conference on Information Theoretic Security, ICITS 2009, and it was published in its proceedings, Lecture Notes in Comput. Sci., vol. 5973, 2010, pp. 110–126. The authors’ work was partially supported by the Spanish Ministry of Education and Science under projects TSI2006-02731 and MTM2009-07694. The first author’s work was partially supported by the Spanish Government through projects TIN2011-27076-C03-01 and Consolider Ingenio 2010 CSD2007-00004, and by the Government of Catalonia under Grant 2009 SGR 1135. The fourth author’s work was partially supported by the Singapore National Research Foundation under Research Grant NRF-CRP2-2007-03.

* Corresponding author.

0020-0190/$ – see front matter © 2012 Elsevier B.V. All rights reserved. http://dx.doi.org/10.1016/j.ipl.2012.05.008

In a secret sharing scheme some secret value is distributed into shares among a set of users in such a way that only the authorized sets of users can reconstruct the secret from their shares, while the participants in a forbidden set cannot obtain any information at all about the secret value. The family of the authorized sets together with the family of the forbidden sets form the access structure of the secret sharing scheme. In a multisecret sharing scheme several secret values are distributed, every one of them with a different access structure. In this paper, only threshold multisecret sharing schemes, that is, those having a multithreshold access structure, are considered. In such a scheme, the distributed secrets are in one-to-one correspondence with the sets of k-out-of-n users. The qualified sets for the secret corresponding to a set P are those with at least t users in P, while every set with at most w users with less than t of them in P is forbidden. Observe that the particular case k = n corresponds to the threshold secret sharing schemes introduced by Shamir [17] and Blakley [2], while the case t = 1 corresponds to the key predistribution schemes considered in [3,4].

The length of the shares and the amount of required randomness, in relation to the length of the secret values, are usually considered as a measure for the efficiency of multisecret sharing schemes. These parameters are called, respectively, information ratio and randomness. Their optimization for threshold multisecret sharing schemes is the problem considered in this paper.

General lower bounds for the information ratio of threshold multisecret sharing schemes were given in [10,14]. The threshold secret sharing schemes from [2,17] attain the lower bound for the particular case k = n and w = t − 1. The same applies to the key predistribution schemes from [4] for the case t = 1. Optimal constructions have been presented as well for the cases t = 2 and w = n − k + 1 [11], and t = 2, k = 3 and 1 ≤ w ≤ n − 2 [1]. The existence of optimal threshold multisecret sharing schemes for other values of the parameters (w, t, k, n) is unknown.

In this paper we apply to multisecret sharing schemes two techniques that have been developed for secret sharing and, to a lesser degree, also for key predistribution schemes and broadcast encryption schemes. First, the use of polymatroids, which is derived from the fact that the joint Shannon entropies of a collection of random variables define a polymatroid [8,9]. The reader is referred to [13] and its references for more information about the use of polymatroids in secret sharing. And second, the use of constructions based on linear algebra, in which the involved random variables are defined by linear maps. Linear secret sharing schemes have been extensively studied since their introduction by Karnin, Greene and Hellman [12] and Brickell [5]. In a development similar to that in secret sharing, linear and multilinear algebra have been used to construct key predistribution schemes [15] and broadcast encryption schemes [16].

By using polymatroids, we present a new general lower bound for the randomness of threshold multisecret sharing schemes, and also a new proof for the lower bound on the information ratio that was given in [10]. By using linear algebra techniques similar to those in [15], we present a linear construction of optimal threshold multisecret sharing schemes for the case t = 2, k = 3 and 1 ≤ w ≤ n − 2. An optimal construction for this case was previously presented in [1]. Nevertheless, our construction is much simpler, and the proof is shorter. Finally, in Section 6, we present a general construction of multithreshold schemes for all possible values of the parameters (w, t, k, n). In general, these are not optimal schemes, but they are the best known general construction.

2. The tools

2.1. Shannon entropies and polymatroids

Given a finite collection of random variables $(S_i)_{i \in Q}$ and a subset $A = \{i_1, \dots, i_r\} \subseteq Q$, we use $S_A$ to denote the random variable $S_{i_1} \times \cdots \times S_{i_r}$, and $H(S_A)$ will denote its Shannon entropy. The reader is referred to [6] for more information about Shannon entropy, but all properties that are used in the paper are presented in the following.

For every positive real number $c > 0$, the mapping $h : 2^Q \to \mathbb{R}$ defined by $h(A) = c\,H(S_A)$ satisfies the following properties.

• $h(\emptyset) = 0$.
• $h$ is monotone increasing: if $A \subseteq B \subseteq Q$, then $h(A) \le h(B)$.
• $h$ is submodular: $h(A \cup B) + h(A \cap B) \le h(A) + h(B)$ for every $A, B \subseteq Q$.

That is, $h$ is the rank function of a polymatroid with ground set $Q$. This connection between Shannon entropy and polymatroids was found by Fujishige [8,9]. By analogy with the conditional entropy, we use the notation $h(A|B) = h(A \cup B) - h(B)$. Clearly,

$$h(A_1 \cup \cdots \cup A_r) = \sum_{i=1}^{r} h(A_i \mid A_1 \cup \cdots \cup A_{i-1}). \tag{1}$$

In particular, submodularity implies that $h(X|Y) \ge h(X|Y \cup Z)$ for all $X, Y, Z \subseteq Q$.

Lemma 2.1. The following properties are satisfied for every $X, Y, Z \subseteq Q$.

1. If $h(Y|Z) = 0$, then $h(X|Z) = h(X|Y \cup Z)$.
2. If $h(X|Y) = h(X)$ and $h(X|Y \cup Z) = 0$, then $h(Z) \ge h(X)$.

Proof. The first property is a consequence of the equality $h(Y|Z) + h(X|Y \cup Z) = h(X|Z) + h(Y|X \cup Z)$, which is itself derived from (1). For the second property we use that $h(Z) + h(Y|Z) + h(X|Y \cup Z) = h(Y) + h(X|Y) + h(Z|X \cup Y)$, and hence $h(Z) = h(X) + h(Z|X \cup Y) + h(Y) - h(Y|Z) \ge h(X)$. □

2.2. Linear random variables

Consider a finite field $\mathbb{K}$, a $\mathbb{K}$-vector space $E$ with finite dimension and a finite family of $\mathbb{K}$-linear maps $(\varphi_i)_{i \in Q}$, where $\varphi_i : E \to E_i$. These linear maps define a family of random variables $(S_i)_{i \in Q}$ by taking the uniform probability distribution on $E$. A family of random variables that can be defined in this way is said to be $\mathbb{K}$-linear. For every $A \subseteq Q$, consider the linear map $\varphi_A : E \to \prod_{i \in A} E_i$ defined by $\varphi_A(x) = (\varphi_i(x))_{i \in A}$. Then it is clear that $H(S_A) = \log|\mathbb{K}| \cdot \operatorname{rank}\varphi_A$. Take $h(A) = H(S_A)/\log|\mathbb{K}| = \operatorname{rank}\varphi_A = \dim E - \dim\ker\varphi_A$.

Lemma 2.2. For every $A, B \subseteq Q$,

1. $h(A|B) = 0$ if and only if $\ker\varphi_B \subseteq \ker\varphi_A$,
2. $h(A|B) = h(A)$ if and only if $\ker\varphi_A + \ker\varphi_B = E$.

Proof. Observe that $\ker\varphi_{A \cup B} = \ker\varphi_A \cap \ker\varphi_B$, and hence $h(A|B) = h(A \cup B) - h(B) = \dim\ker\varphi_B - \dim(\ker\varphi_A \cap \ker\varphi_B)$. Therefore, $h(A|B) = 0$ if and only if $\ker\varphi_B \subseteq \ker\varphi_A$, and $h(A|B) = h(A)$ if and only if

$$\dim E = \dim\ker\varphi_A + \dim\ker\varphi_B - \dim(\ker\varphi_A \cap \ker\varphi_B) = \dim(\ker\varphi_A + \ker\varphi_B). \qquad \square$$


2.3. Multilinear algebra

Given a vector space $E$ with finite dimension over a field $\mathbb{K}$, the dual space $E^*$ is the set of the linear forms on $E$, that is, the linear maps from $E$ to $\mathbb{K}$. Clearly, $E^*$ is a vector space over $\mathbb{K}$. Moreover, $\dim E = \dim E^*$ if $E$ has finite dimension. For a vector subspace $F \subseteq E$, the orthogonal subspace $F^\perp \subseteq E^*$ is given by $F^\perp = \{\alpha \in E^* : \alpha(v) = 0 \text{ for every } v \in F\}$.

An $r$-linear form on $E$ is a map from $E^r$ to $\mathbb{K}$ that is separately linear in each variable. A multilinear form $T : E^r \to \mathbb{K}$ is said to be symmetric if it is invariant under permutation of its variables, that is, $T(v_1, \dots, v_r) = T(v_{\sigma(1)}, \dots, v_{\sigma(r)})$ for every permutation $\sigma$ on $\{1, \dots, r\}$ and for every $(v_1, \dots, v_r) \in E^r$. The set $S_r(E)$ of the symmetric $r$-linear forms on $E$ is a $\mathbb{K}$-vector space with dimension $\binom{m+r-1}{r}$, where $\dim E = m$.

Finally, we need the following technical result, which can be seen as a variant of the Schwartz–Zippel Lemma. A proof for it can be found in [7, Lemma 6.2].

Lemma 2.3. Let $p \in \mathbb{K}[X_1, \dots, X_N]$ be a nonzero polynomial in $N$ variables of degree at most $d < |\mathbb{K}|$ in each variable. Then there exists $(x_1, \dots, x_N) \in \mathbb{K}^N$ such that $p(x_1, \dots, x_N) \ne 0$.

3. Multisecret sharing schemes

Before formally defining multisecret sharing schemes, we introduce, following [10], some nomenclature and notation for their access structures. In a multisecret sharing scheme a number of secret values, which are indexed by a finite set $J$, are distributed into shares among a set $U$ of users. For every $j \in J$, consider the families $\Gamma_j$ and $\Delta_j$ of, respectively, the authorized and forbidden sets of users for the corresponding secret value. Naturally, $\Gamma_j$ is monotone increasing, $\Delta_j$ is monotone decreasing and $\Gamma_j \cap \Delta_j = \emptyset$ for every $j \in J$. The tuple $(\Gamma_j, \Delta_j)_{j \in J}$ is called the access structure of the multisecret sharing scheme. Such an access structure is said to be complete if $\Gamma_j \cup \Delta_j = 2^U$ for every $j \in J$.

A multisecret sharing scheme $\Sigma = ((K_j)_{j \in J}, (S_i)_{i \in U})$ consists of two collections of random variables. The random variables $(K_j)_{j \in J}$ correspond to the secret values. The elements in $U$ are the users of the scheme and the random variables $(S_i)_{i \in U}$ correspond to the shares. Given a positive constant $c > 0$, consider the polymatroid with ground set $Q = J \cup U$ and rank function $h$ defined by $h(X) = c\,H((K_j)_{j \in X \cap J}, (S_i)_{i \in X \cap U}) = c\,H(K_{X \cap J}, S_{X \cap U})$ for every $X \subseteq Q$. We say that the multisecret sharing scheme $\Sigma$ has access structure $(\Gamma_j, \Delta_j)_{j \in J}$ if the following conditions are satisfied.

1. If $A \subseteq U$ is in $\Gamma_j$, then $h(\{j\}|A) = 0$.
2. If $B \subseteq U$ is in $\Delta_j$, then $h(\{j\}|B) = h(\{j\})$.

By the first condition, the secret value $K_j$ can be recovered from the shares of the users in a qualified set $A \in \Gamma_j$. By the second condition, the users in a forbidden set $B \in \Delta_j$ cannot obtain any information about the value of $K_j$. Observe that, with this definition, we require the schemes to have information-theoretic security.

The efficiency of a multisecret sharing scheme is usually measured by the length of the shares and the total number of random bits required to distribute the shares, both in relation to the length of the secret values. Specifically, the information ratio $\sigma$ and the randomness $\sigma_T$ of a multisecret sharing scheme are defined by

$$\sigma = \frac{\max_{i \in U} h(\{i\})}{\min_{j \in J} h(\{j\})}, \qquad \sigma_T = \frac{h(J \cup U)}{\min_{j \in J} h(\{j\})}.$$

For a finite field $\mathbb{K}$, a multisecret sharing scheme $\Sigma$ is said to be $\mathbb{K}$-linear if the family of random variables $((K_j)_{j \in J}, (S_i)_{i \in U})$ is $\mathbb{K}$-linear, that is, these random variables are defined by $\mathbb{K}$-linear maps $(\pi_j)_{j \in J}$ and $(\varphi_i)_{i \in U}$, respectively, defined on a $\mathbb{K}$-vector space $E$. Because of Lemma 2.2, such a collection of linear random variables defines a linear multisecret sharing scheme if and only if the following conditions are satisfied.

1. If $A \in \Gamma_j$, then $\ker\varphi_A \subseteq \ker\pi_j$.
2. If $B \in \Delta_j$, then $\ker\varphi_B + \ker\pi_j = E$.

Moreover, the information ratio and the randomness are in this case

$$\sigma = \frac{\max_{i \in U} \operatorname{rank}\varphi_i}{\min_{j \in J} \operatorname{rank}\pi_j}, \qquad \sigma_T = \frac{\dim E}{\min_{j \in J} \operatorname{rank}\pi_j}.$$

In this paper, we focus on threshold multisecret sharing schemes, or multithreshold schemes for short, which are the ones having a threshold access structure. Such an access structure is determined by four positive integers $w$, $t$, $k$ and $n$ such that

• $1 \le t \le k \le n$ and
• $t - 1 \le w \le n - k + t - 1$.

Secret values are in one-to-one correspondence with the $k$-subsets of a set $U$ of $n$ users, that is,

$$J = \{P \subseteq U : |P| = k\}.$$

The qualified and forbidden sets corresponding to $P \in J$ are determined in terms of the total number of elements and the number of elements in $P$. Specifically,

$$\Gamma_P = \{A \subseteq U : |A \cap P| \ge t\} \quad\text{and}\quad \Delta_P = \{B \subseteq U : |B| \le w,\ |B \cap P| \le t - 1\}.$$

A scheme with this access structure is called a $w$-secure $(t,k,n)$-multithreshold sharing scheme. Observe that a threshold access structure is complete if and only if $w = n - k + t - 1$. In this situation we have a complete $(t,k,n)$-multithreshold sharing scheme. If a multithreshold scheme is complete, for every $P \in J$ and $B \subseteq U$ with $|B \cap P| < t$, the subset $B$ is in $\Delta_P$. The particular cases $k = n$ and $t = 1$ correspond, respectively, to secret sharing schemes and key predistribution schemes.

The problem that we consider in this work is to optimize the information ratio and the randomness of multithreshold sharing schemes. Given integers $w, t, k, n$ satisfying the above conditions, we define $\sigma(w,t,k,n)$ as the infimum of the information ratios of all $w$-secure $(t,k,n)$-multithreshold schemes, and $\sigma_T(w,t,k,n)$ is defined analogously. Then the problem we consider here is to determine the values of $\sigma(w,t,k,n)$ and $\sigma_T(w,t,k,n)$ for all possible values of the parameters $w, t, k, n$. Due to the symmetry of the access structure, it is easy to see that the search for optimal schemes can be restricted to the ones with $h(\{j_1\}) = h(\{j_2\})$ for all $j_1, j_2 \in J$ and $h(\{i_1\}) = h(\{i_2\})$ for all $i_1, i_2 \in U$.

4. Lower bounds on the information ratio and randomness

This section is devoted to proving Theorem 4.1, which provides lower bounds on the information ratio and randomness of multithreshold schemes. The proof uses the technical results presented in Section 2.1. The lower bound on $\sigma(w,t,k,n)$ was given in [10, Theorem 5] with another proof. No lower bound on $\sigma_T(w,t,k,n)$ was previously known.

Theorem 4.1. The following lower bounds for the optimal information ratio and the optimal randomness of multithreshold sharing schemes apply for all positive integers $w, t, k, n$ with $1 \le t \le k \le n$ and $t - 1 \le w \le n - k + t - 1$.

• $\sigma(w,t,k,n) \ge \binom{w+k-2t+1}{k-t}$.
• $\sigma_T(w,t,k,n) \ge \binom{w+k-2t+2}{k-t+1} + (t-1)\binom{w+k-2t+1}{k-t}$.

Proof. Consider subsets $A \subseteq U' \subseteq U$ such that $|A| = t - 1$ and $|U'| = w + k - (t - 1)$, and consider the family $\mathcal{A} = \{P \in J : A \subseteq P \subseteq U'\}$. Take $P \in \mathcal{A}$ and $C = (U' \setminus P) \cup A$. Then $C \in \Delta_P$ because $|C| = w$ and $|C \cap P| = t - 1$. On the other hand, $|C \cap P'| \ge t$ if $P' \in \mathcal{A} \setminus \{P\}$, and hence $C \in \Gamma_{P'}$. Then $h(\mathcal{A} \setminus \{P\} \mid C) = 0$, and this implies that $h(\{P\} \mid \mathcal{A} \setminus \{P\}) \ge h(\{P\} \mid C) = 1$. Therefore, $h(\{P\} \mid \mathcal{A} \setminus \{P\}) = 1$ for every $P \in \mathcal{A}$. As a consequence,

$$|\mathcal{A}| = \sum_{P \in \mathcal{A}} h(\{P\}) \ge h(\mathcal{A}) \ge \sum_{P \in \mathcal{A}} h(\{P\} \mid \mathcal{A} \setminus \{P\}) = |\mathcal{A}|$$

and $h(\mathcal{A}) = |\mathcal{A}|$. Consider now a participant $i \in U' \setminus A$ and the set $B = A \cup \{i\}$. Consider as well the family $\mathcal{B} = \{P \in \mathcal{A} : B \subseteq P\}$. Since $\mathcal{B} \subseteq \mathcal{A}$, it follows that $h(\mathcal{B}) = |\mathcal{B}|$. We affirm that $h(\mathcal{B}|A) = h(\mathcal{B})$. For every $P \in \mathcal{A}$, we take $C_P = (U' \setminus P) \cup A$. As before, $C_P \in \Delta_P$ and $C_P \in \Gamma_{P'}$ for every $P' \in \mathcal{A} \setminus \{P\}$. Now,

$$h(\mathcal{B} \mid A) \ge \sum_{P \in \mathcal{B}} h\bigl(\{P\} \mid A \cup (\mathcal{B} \setminus \{P\})\bigr) \ge \sum_{P \in \mathcal{B}} h\bigl(\{P\} \mid C_P \cup (\mathcal{B} \setminus \{P\})\bigr) = \sum_{P \in \mathcal{B}} h(\{P\} \mid C_P) = |\mathcal{B}|,$$

which proves our affirmation. We have used that $h(\mathcal{B} \setminus \{P\} \mid C_P) = 0$. Since $h(\mathcal{B} \mid A \cup \{i\}) = h(\mathcal{B} \mid B) = 0$ and $h(\mathcal{B}|A) = h(\mathcal{B})$, we obtain that $h(\{i\}) \ge h(\mathcal{B}) = |\mathcal{B}|$. This proves the lower bound on the optimal information ratio $\sigma(w,t,k,n)$.

Our next step is to prove that $h(\mathcal{A} \mid B) \ge |\mathcal{A} \setminus \mathcal{B}|$. Indeed,

$$h(\mathcal{A} \mid B) \ge \sum_{P \in \mathcal{A}} h\bigl(\{P\} \mid B \cup (\mathcal{A} \setminus \{P\})\bigr) = \sum_{P \in \mathcal{A} \setminus \mathcal{B}} h\bigl(\{P\} \mid B \cup (\mathcal{A} \setminus \{P\})\bigr) = \sum_{P \in \mathcal{A} \setminus \mathcal{B}} h(\{P\} \mid B) = |\mathcal{A} \setminus \mathcal{B}|.$$

Clearly, $h(\{P\} \mid B) = 0$ if $P \in \mathcal{B}$. We have used as well that $h(\mathcal{A} \setminus \{P\} \mid B) = 0$ if $P \in \mathcal{A} \setminus \mathcal{B}$. Observe that $h(U \cup J) = h(U)$. Moreover, $h(U) = h(B) + h(U|B)$. First, we are going to find a bound on $h(B)$. Since $h(\mathcal{B}|A) = h(\mathcal{B})$ and $h(\mathcal{B}|B) = h(\mathcal{B} \mid A \cup \{i\}) = 0$, we have that $h(\{i\}|A) \ge h(\mathcal{B})$. Therefore, $h(B) \ge t \cdot h(\mathcal{B}) = t \cdot |\mathcal{B}|$. And second, we find a bound on $h(U|B)$. Since $h(\mathcal{A}|U) = 0$, we have $h(U|B) \ge h(\mathcal{A}|B) \ge |\mathcal{A} \setminus \mathcal{B}|$, and the desired lower bound on $\sigma_T(w,t,k,n)$ is obtained. □

If $w = t - 1$, the lower bounds in Theorem 4.1 are $\sigma(t-1,t,k,n) \ge 1$ and $\sigma_T(t-1,t,k,n) \ge t$. It is not difficult to check that an ideal $(t,n)$-threshold secret sharing scheme as, for instance, the one proposed by Shamir [17], is a $(t-1)$-secure $(t,k,n)$-multithreshold scheme attaining these bounds. Observe that $w = t - 1$ if $k = n$. If $t = 1$, then we have the lower bounds

• $\sigma(w,1,k,n) \ge \binom{w+k-1}{k-1}$ and
• $\sigma_T(w,1,k,n) \ge \binom{w+k}{k}$.

In this case, the key predistribution schemes presented in [4] are optimal $w$-secure $(1,k,n)$-multithreshold schemes.

5. Optimal w-secure (2,3,n)-multithreshold schemes

In this section we present a construction of linear $w$-secure $(2,3,n)$ multithreshold schemes, where $1 \le w \le n - 2$, whose information ratio and randomness attain the lower bounds in Theorem 4.1. We define next a linear family of random variables and then we prove in Theorem 5.3 that, under certain conditions, they define a multithreshold scheme with the required properties.

Definition 5.1. Consider integers $w$, $n$ with $n \ge 3$ and $1 \le w \le n - 2$, a finite field $\mathbb{K}$ with $|\mathbb{K}| \ge n + 1$, the sets $U = \{1, \dots, n\}$ and $J = \{P \subseteq U : |P| = 3\}$, and two $n$-tuples $\mathbf{x} = (x_1, \dots, x_n)$ and $\mathbf{y} = (y_1, \dots, y_n)$ of distinct values in, respectively, $\mathbb{K} \setminus \{0\}$ and $\mathbb{K}$. Observe that there may be $i, j \in U$ with $x_i = y_j$. For every $i \in U$, take $\lambda_i = -x_i^w$ and the vector $v_i = (1, x_i, x_i^2, \dots, x_i^{w-1}) \in \mathbb{K}^w$. Consider as well the vector spaces $E = S_2(\mathbb{K}^w) \times (\mathbb{K}^w)^*$ and $F = (\mathbb{K}^w)^*$. Finally, consider the linear maps $(\varphi_i)_{i \in U}$ and $(\pi_P)_{P \in J}$ defined as follows.

• For every $i \in U$, take $\varphi_i : E \to F$ with $\varphi_i(T,S) = T(v_i, \cdot) + \lambda_i S$.

• If $P = \{i,j,k\} \in J$ with $i < j < k$, then $\pi_P : E \to \mathbb{K}$ with

$$\pi_P(T,S) = y_i \cdot \varphi_i(T,S)(\lambda_k v_j - \lambda_j v_k) + y_j \cdot \varphi_j(T,S)(\lambda_i v_k - \lambda_k v_i) + y_k \cdot \varphi_k(T,S)(\lambda_j v_i - \lambda_i v_j).$$

We define $\Sigma(n,w,\mathbb{K},\mathbf{x},\mathbf{y})$ as the family of linear random variables defined by the linear maps $((\varphi_i)_{i \in U}, (\pi_P)_{P \in J})$.
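As an added worked example (not code from the paper), the following Python script instantiates Definition 5.1 over a prime field GF(p) with constructed parameters p = 11, n = 5, w = n − 2 = 3, x = (1, …, 5) and y = (0, …, 4), the case in which Theorem 5.3 below needs only |K| ≥ n + 1; users are indexed 0, …, n − 1 rather than 1, …, n, and the dealer state (T, S) is a fixed constructed value instead of a uniform sample. It checks that any two users of P recover π_P from their own shares through the identity used in the proof of Theorem 5.3 (the three terms of π_P sum to zero), that no forbidden set determines π_P, tested via the rank condition of Lemma 2.2, and that σ = w and σ_T = dim E meet the bounds of Theorem 4.1.

```python
"""Worked instance of the linear w-secure (2,3,n) multithreshold scheme of Definition 5.1 over
GF(p).  Added example: the prime p and the tuples x, y are constructed here, not taken from the paper."""
from itertools import combinations
from math import comb

def lower_bounds(w, t, k, n):
    """Theorem 4.1: lower bounds on the information ratio sigma and the randomness sigma_T."""
    a = comb(w + k - 2 * t + 1, k - t)
    return a, comb(w + k - 2 * t + 2, k - t + 1) + (t - 1) * a

class Scheme23:
    """E = S_2(K^w) x (K^w)^*: (T, S) is a symmetric w x w matrix and a vector; users are 0..n-1."""

    def __init__(self, p, w, x, y):
        assert len(set(x)) == len(x) == len(y) == len(set(y)) and 1 <= w <= len(x) - 2
        self.p, self.w, self.n = p, w, len(x)
        self.x, self.y = [xi % p for xi in x], [yi % p for yi in y]
        assert 0 not in self.x                                       # x_i in K \ {0}
        self.lam = [(-pow(xi, w, p)) % p for xi in self.x]           # lambda_i = -x_i^w
        self.v = [[pow(xi, e, p) for e in range(w)] for xi in self.x]  # v_i = (1, x_i, ..., x_i^(w-1))

    def dot(self, a, b):
        return sum(ai * bi for ai, bi in zip(a, b)) % self.p

    def share(self, i, T, S):
        """phi_i(T, S) = T(v_i, .) + lambda_i S, a linear form on K^w stored as a vector."""
        return [(self.dot(self.v[i], [row[b] for row in T]) + self.lam[i] * S[b]) % self.p
                for b in range(self.w)]

    def coeff(self, i, j, k):
        """lambda_k v_j - lambda_j v_k: the vector at which user i's share is evaluated in pi_P."""
        return [(self.lam[k] * self.v[j][b] - self.lam[j] * self.v[k][b]) % self.p
                for b in range(self.w)]

    def terms(self, P, shares):
        """a_u for the known users u of P; by symmetry of T the three a_u sum to zero (proof of Thm 5.3)."""
        i, j, k = sorted(P)
        cyc = {i: (i, j, k), j: (j, k, i), k: (k, i, j)}
        return {u: self.dot(shares[u], self.coeff(*cyc[u])) for u in P if u in shares}

    def secret(self, P, T, S):
        """pi_P(T, S) = sum_u y_u a_u, computed by the dealer from the full state."""
        a = self.terms(P, {u: self.share(u, T, S) for u in P})
        return sum(self.y[u] * a[u] for u in P) % self.p

    def reconstruct(self, P, shares):
        """Two users of P recover pi_P: the missing third term is minus the sum of their two."""
        a = self.terms(P, shares)
        if len(a) < 2:
            raise ValueError("at least t = 2 users of P are needed")
        for u in P:
            if u not in a:
                a[u] = (-sum(a.values())) % self.p
        return sum(self.y[u] * a[u] for u in P) % self.p

    def basis(self):
        """Basis of E: symmetric matrices E_ab + E_ba (a <= b), then the unit vectors for S."""
        w = self.w
        for a in range(w):
            for b in range(a, w):
                T = [[0] * w for _ in range(w)]
                T[a][b] = T[b][a] = 1
                yield T, [0] * w
        for b in range(w):
            yield [[0] * w for _ in range(w)], [int(c == b) for c in range(w)]

    def rank_mod_p(self, rows):
        """Rank over GF(p) by Gaussian elimination."""
        p, rows, r = self.p, [row[:] for row in rows], 0
        for c in range(len(rows[0])):
            piv = next((k for k in range(r, len(rows)) if rows[k][c]), None)
            if piv is None:
                continue
            rows[r], rows[piv] = rows[piv], rows[r]
            inv = pow(rows[r][c], -1, p)
            rows[r] = [(e * inv) % p for e in rows[r]]
            for k in range(len(rows)):
                if k != r and rows[k][c]:
                    rows[k] = [(ek - rows[k][c] * er) % p for ek, er in zip(rows[k], rows[r])]
            r += 1
        return r

    def determined(self, P, B):
        """Lemma 2.2: B determines pi_P (h(P|B) = 0) iff pi_P lies in the row space of the functionals phi_B."""
        rows = [[self.share(i, T, S)[b] for T, S in self.basis()] for i in B for b in range(self.w)]
        pi_row = [self.secret(P, T, S) for T, S in self.basis()]
        return self.rank_mod_p(rows + [pi_row]) == self.rank_mod_p(rows)

def demo():
    """n = 5, w = n - 2 = 3 over GF(11): Theorem 5.3 needs only |K| >= n + 1 and distinct x_i, y_i."""
    p, n, w = 11, 5, 3
    sch = Scheme23(p, w, x=[1, 2, 3, 4, 5], y=[0, 1, 2, 3, 4])
    T, S = [[2, 5, 7], [5, 1, 3], [7, 3, 9]], [4, 6, 8]   # constructed dealer state (T symmetric)
    shares = {i: sch.share(i, T, S) for i in range(n)}
    P, k_P = (0, 1, 2), sch.secret((0, 1, 2), T, S)
    pairs_recover = all(sch.reconstruct(P, {a: shares[a], b: shares[b]}) == k_P
                        for a, b in combinations(P, 2))
    forbidden = [B for B in combinations(range(n), w) if len(set(B) & set(P)) <= 1]
    forbidden_learn_nothing = not any(sch.determined(P, B) for B in forbidden)
    qualified_ok = sch.determined(P, (0, 1))
    optimal = (w, w * (w + 1) // 2 + w) == lower_bounds(w, 2, 3, n)   # sigma = dim F, sigma_T = dim E
    return pairs_recover, forbidden_learn_nothing, qualified_ok, optimal
```

Since rank π_P = 1, a set that does not determine π_P learns nothing about it, so `determined` returning False is exactly the second condition of Lemma 2.2.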

Some technicalities are needed in order to prove in Theorem 5.3 that, if the finite field $\mathbb{K}$ is large enough, there exist $n$-tuples $\mathbf{x}, \mathbf{y} \in \mathbb{K}^n$ such that $\Sigma(n,w,\mathbb{K},\mathbf{x},\mathbf{y})$ is a $w$-secure $(2,3,n)$ multithreshold scheme. Consider the rational function $L \in \mathbb{K}(Z_0, Z_1, \dots, Z_w)$ given by

$$L = \sum_{i=1}^{w} \Bigl( Z_i^w \cdot \prod_{1 \le j \le w,\ j \ne i} \frac{Z_0 - Z_j}{Z_i - Z_j} \Bigr).$$

Observe that $L(z_i, z_1, \dots, z_w) = z_i^w$ for every $w$-tuple $(z_1, \dots, z_w)$ of distinct values in $\mathbb{K}$ and for every $i = 1, \dots, w$. Given $B = \{i_1, \dots, i_w\} \subseteq U$ with $i_1 < i_2 < \cdots < i_w$ and an $n$-tuple $X = (X_1, \dots, X_n)$, we write $X_B = (X_{i_1}, \dots, X_{i_w})$.

Lemma 5.2. If $|\mathbb{K}| \ge \binom{n}{2}\binom{n-2}{w}(2w-1) + 2$, there exists an $n$-tuple $\mathbf{x}$ of distinct values in $\mathbb{K} \setminus \{0\}$ such that $x_j^w L(x_i, \mathbf{x}_B) - x_i^w L(x_j, \mathbf{x}_B) \ne 0$ for every $B \subseteq U$ with $|B| = w$ and for every $i, j \in U \setminus B$ with $i \ne j$.

Proof. For $B \subseteq U$ and $i, j \in U \setminus B$ with $|B| = w$ and $i < j$, consider

$$G_{B,i,j} = \Bigl(\prod_{r,s \in B,\ r < s} (X_s - X_r)\Bigr) \cdot \bigl(X_j^w L(X_i, X_B) - X_i^w L(X_j, X_B)\bigr).$$

Observe that the denominator of the rational function $X_j^w L(X_i, X_B) - X_i^w L(X_j, X_B)$ is canceled by the product of the terms $X_s - X_r$, and hence $G_{B,i,j}$ is a polynomial in $\mathbb{K}[X_1, \dots, X_n]$. Moreover, $G_{B,i,j}$ is a nonzero polynomial because monomials of the form $X_j^w X_i^{\ell} M(X_B)$, where $0 \le \ell \le w - 1$, appear only from $X_j^w L(X_i, X_B)$, and at least one of them is nonzero. Finally, observe that $G_{B,i,j}$ has degree at most $2w - 1$ in each variable. Consider the polynomial $G \in \mathbb{K}[X_1, \dots, X_n]$ defined by

$$G = X_1 \cdots X_n \cdot \Bigl(\prod G_{B,i,j}\Bigr),$$

where the last product runs over all $B \subseteq U$ and $i, j \in U \setminus B$ with $|B| = w$ and $i < j$. Clearly, $G$ is a nonzero polynomial with degree at most $d = \binom{n}{2}\binom{n-2}{w}(2w-1) + 1$ in each variable. Since $|\mathbb{K}| \ge d + 1$, there exists $\mathbf{x} \in \mathbb{K}^n$ with $G(\mathbf{x}) \ne 0$ by Lemma 2.3. Clearly, the $n$-tuple $\mathbf{x}$ satisfies the required conditions. □

Theorem 5.3. If $w < n - 2$ and $|\mathbb{K}| \ge \max\bigl\{\binom{n}{2}\binom{n-2}{w}(2w-1) + 2,\ \binom{n-1}{w}\binom{n-w-1}{2} + n\bigr\}$, or $w = n - 2$ and $|\mathbb{K}| \ge n + 1$, then there exist $n$-tuples $\mathbf{x}, \mathbf{y}$ such that $\Sigma(n,w,\mathbb{K},\mathbf{x},\mathbf{y})$ is an optimal $w$-secure $(2,3,n)$ multithreshold scheme.

Proof. We have to prove first that $\ker\varphi_A \subseteq \ker\pi_P$ for every $A \subseteq P \subseteq U$ with $|A| = 2$ and $|P| = 3$. We can suppose without loss of generality that $A = \{1,2\}$ and $P = \{1,2,3\}$. It is not difficult to check that, for every $(T,S) \in E$,

$$\varphi_1(T,S)(\lambda_3 v_2 - \lambda_2 v_3) + \varphi_2(T,S)(\lambda_1 v_3 - \lambda_3 v_1) + \varphi_3(T,S)(\lambda_2 v_1 - \lambda_1 v_2) = 0.$$

Therefore, $\pi_P(T,S) = 0$ if $\varphi_1(T,S) = \varphi_2(T,S) = 0$.

Now we have to prove that $\ker\varphi_B + \ker\pi_P = E$ if $B \subseteq U$ is such that $|B| = w$ and $|B \cap P| \le 1$. Since $\dim\ker\pi_P = \dim E - 1$, it is enough to prove that $\ker\varphi_B \not\subseteq \ker\pi_P$.

For a set $B \subseteq U$ with $|B| = w$, consider the only linear form $S_B \in (\mathbb{K}^w)^*$ such that $S_B(v_i) = -\lambda_i = x_i^w$ for every $i \in B$. Consider as well the symmetric bilinear form $T_B \in S_2(\mathbb{K}^w)$ defined by $T_B(u,v) = S_B(u)S_B(v)$ for every $(u,v) \in \mathbb{K}^w \times \mathbb{K}^w$. Clearly, $(T_B, S_B) \in \ker\varphi_B$.

Let $f_B \in \mathbb{K}[X]$ be the polynomial of degree $w - 1$ defined by $f_B = \alpha_1 + \alpha_2 X + \cdots + \alpha_w X^{w-1}$, where $S_B = \sum_{i=1}^{w} \alpha_i e_i$, that is, $(\alpha_1, \dots, \alpha_w)$ are the components of the linear form $S_B \in (\mathbb{K}^w)^*$ in the canonical basis of $(\mathbb{K}^w)^*$. Observe that $f_B(x_i) = S_B(v_i)$ for every $i \in U$.

Suppose that $|B \cap P| = 1$. We can assume that $P = \{1,2,3\}$ and $P \cap B = \{3\}$. It is straightforward to check that $\pi_P(T_B, S_B) = (y_1 - y_2)\lambda_3 (S_B(v_1) + \lambda_1)(S_B(v_2) + \lambda_2)$. Observe that $f_B(x_i) = x_i^w$ for all $i \in B$. If $S_B(v_1) + \lambda_1 = 0$, then $f_B(x_1) = x_1^w$, and hence $X^w - f_B$ would be a polynomial of degree $w$ with $w + 1$ zeroes, a contradiction. Similarly, $S_B(v_2) + \lambda_2 \ne 0$, and hence $(T_B, S_B) \notin \ker\pi_P$.

At this point we have proved that $\Sigma(n,w,\mathbb{K},\mathbf{x},\mathbf{y})$ is a $w$-secure $(2,3,n)$ multithreshold scheme if $w = n - 2$. Observe that we only required that $\mathbf{x}, \mathbf{y}$ are $n$-tuples of distinct values in, respectively, $\mathbb{K} \setminus \{0\}$ and $\mathbb{K}$, and hence it is enough that $|\mathbb{K}| \ge n + 1$.

Things are more complicated if $w < n - 2$. In this situation we have to prove as well that $(T_B, S_B) \notin \ker\pi_P$ when $B \cap P = \emptyset$. Specifically, we prove that, given any $n$-tuple $\mathbf{x}$ whose existence is given by Lemma 5.2, there exists an $n$-tuple $\mathbf{y}$ of distinct values in $\mathbb{K}$ for which that condition is satisfied. If $P = \{i,j,k\}$ and $B \subseteq U$ is such that $|B| = w$ and $B \cap P = \emptyset$, then

$$\pi_P(T_B, S_B) = y_i\,(f_B(x_i) + \lambda_i)(\lambda_k f_B(x_j) - \lambda_j f_B(x_k)) + y_j\,(f_B(x_j) + \lambda_j)(\lambda_i f_B(x_k) - \lambda_k f_B(x_i)) + y_k\,(f_B(x_k) + \lambda_k)(\lambda_i f_B(x_j) - \lambda_j f_B(x_i)).$$

Therefore, there is a polynomial $g_{P,B} \in \mathbb{K}[Y_1, \dots, Y_n]$ such that $\pi_P(T_B, S_B) = g_{P,B}(\mathbf{y})$. We prove next that $g_{P,B}$ is nonzero by checking the coefficient of $Y_k$ in this polynomial, which is equal to

$$(f_B(x_k) + \lambda_k)(\lambda_i f_B(x_j) - \lambda_j f_B(x_i)) = (f_B(x_k) + \lambda_k)\bigl(x_j^w L(x_i, \mathbf{x}_B) - x_i^w L(x_j, \mathbf{x}_B)\bigr) \ne 0.$$

We have applied here Lemma 5.2 and the fact that $f_B = L(X, \mathbf{x}_B)$. At this point, it is enough to prove that there exists an $n$-tuple $\mathbf{y}$ of distinct values in $\mathbb{K}$ such that $g_{P,B}(\mathbf{y}) \ne 0$ for every $P \in J$ and $B \subseteq U$ with $|B| = w$ and $B \cap P = \emptyset$. Consider the nonzero polynomial $g \in \mathbb{K}[Y_1, \dots, Y_n]$ defined by

$$g = \Bigl(\prod_{1 \le i < j \le n} (Y_j - Y_i)\Bigr) \cdot \Bigl(\prod g_{P,B}\Bigr),$$

where the second product runs over all pairs $(P, B)$ of sets in the conditions above. Observe that the polynomial $g$ has degree $d = \binom{n-1}{w}\binom{n-w-1}{2} + n - 1$ in each variable. Since $|\mathbb{K}| \ge d + 1$, there exists $\mathbf{y} \in \mathbb{K}^n$ with $g(\mathbf{y}) \ne 0$ by Lemma 2.3. Clearly, the $n$-tuple $\mathbf{y}$ satisfies the required conditions.

Observe that the information ratio of the scheme $\Sigma(n,w,\mathbb{K},\mathbf{x},\mathbf{y})$ is $\sigma = \operatorname{rank}\varphi_i = \dim F = w$ and its randomness is $\sigma_T = \dim E = \binom{w+1}{2} + w$. Therefore, the lower bounds in Theorem 4.1 are attained. □

6. A general construction

We present in this section a construction of $w$-secure $(t,k,n)$-multithreshold schemes for all possible values of the parameters $(w,t,k,n)$. The information ratio and the randomness of these schemes do not attain the lower bounds in Theorem 4.1, but no general construction with better values for these parameters has been presented before. As we did in the previous section, we define next a family of linear maps that will be proved to determine a multithreshold scheme.

Definition 6.1. Consider integers $w, t, k, n$ with $1 \le t \le k \le n$ and $t - 1 \le w \le n - k + t - 1$, a finite field $\mathbb{K}$ with $|\mathbb{K}| \ge n + 1$, the sets $U = \{1, \dots, n\}$ and $J = \{P \subseteq U : |P| = k\}$, and $n$ distinct values $x_1, \dots, x_n \in \mathbb{K} \setminus \{0\}$. Take $m = w - t + 2$ and, for every $i \in U$, the vector $v_i = (1, x_i, x_i^2, \dots, x_i^{m-1}) \in \mathbb{K}^m$. Consider as well the vector spaces $E = (S_k(\mathbb{K}^m))^t$ and $F = S_{k-1}(\mathbb{K}^m)$, and the linear maps $(\varphi_i)_{i \in U}$ and $(\pi_P)_{P \in J}$ defined as follows.

• For every $i \in U$, the linear map $\varphi_i : E \to F$ is given by

$$\varphi_i(T_1, \dots, T_t) = T_1(v_i, \dots) + x_i \cdot T_2(v_i, \dots) + \cdots + x_i^{t-1} \cdot T_t(v_i, \dots).$$

• If $P = \{i_1, \dots, i_k\} \in J$, consider $\pi_P : E \to \mathbb{K}$ with $\pi_P(T_1, \dots, T_t) = T_1(v_{i_1}, \dots, v_{i_k})$.

Theorem 6.2. The linear family of random variables determined by the linear maps introduced in Definition 6.1 forms a $w$-secure $(t,k,n)$-multithreshold scheme with information ratio and randomness

$$\sigma = \binom{w+k-t}{k-1} \quad\text{and}\quad \sigma_T = t \cdot \binom{w+k-t+1}{k},$$

respectively.

Proof. Let $P$ be a set in $J$. Without loss of generality, we can suppose that $P = \{1, \dots, k\}$. Every user $i \in P$ can compute
$$s_{i,P} = [\phi_i(T_1, \dots, T_t)](v_1, \dots, v_{i-1}, v_{i+1}, \dots, v_k) = T_1(v_1, \dots, v_k) + x_i \cdot T_2(v_1, \dots, v_k) + \dots + x_i^{t-1} \cdot T_t(v_1, \dots, v_k),$$
where the symmetry of the forms $T_j$ allows their arguments to be reordered. Clearly, the values $s_{i,P}$ are shares for the secret value $k_P = T_1(v_1, \dots, v_k)$ in a $(t,k)$-threshold secret sharing scheme: they are the evaluations at the distinct points $x_i$ of a polynomial of degree at most $t - 1$ whose constant term is $k_P$. Because of that, the participants in every $t$-subset $A$ of $P$ can recover the secret value $k_P$. In particular, this implies that $\bigcap_{i \in A} \ker \phi_i \subseteq \ker \pi_P$ for every $A \in \Gamma_P$.

We prove next that $\bigcap_{i \in B} \ker \phi_i + \ker \pi_P = E$ for every $B \in \Delta_P$. Since $\dim \ker \pi_P = \dim E - 1$, it is enough to find a vector in $\bigcap_{i \in B} \ker \phi_i$ that is not in $\ker \pi_P$. Take $B \in \Delta_P$ with $|B| = w$ and a subset $C \subseteq B \setminus P$ with $|C| = w - t + 1 = m - 1$; such a $C$ exists because $|B \cap P| \le t - 1$. Let $F$ be the vector subspace of $K^m$ spanned by the vectors $(v_i)_{i \in C}$. Clearly, the dimension of $F$ is equal to $m - 1$. Moreover, $v_i \notin F$ if $i \in U \setminus C$, since any $m$ of the vectors $v_1, \dots, v_n$ are linearly independent (they form a Vandermonde matrix on distinct points). Take a nonzero linear form $\alpha \in F^{\perp} \subseteq (K^m)^*$. Observe that $\alpha(v_i) = 0$ if and only if $i \in C$. Consider as well the symmetric $k$-linear form $T \in S^k(K^m)$ defined by $T(u_1, \dots, u_k) = \alpha(u_1) \cdots \alpha(u_k)$. Since $C \cap P = \emptyset$, we have $T(v_1, \dots, v_k) \ne 0$, and the proof is completed by finding values $\mu_1, \dots, \mu_t \in K$ such that $\mu_1 \ne 0$ and $\hat T = (\mu_1 T, \dots, \mu_t T) \in \bigcap_{i \in B} \ker \phi_i$; indeed, $\pi_P(\hat T) = \mu_1 T(v_1, \dots, v_k) \ne 0$ then places $\hat T$ outside $\ker \pi_P$. Obviously, $\phi_i(\hat T) = 0$ for every $i \in C$, because $T(v_i, \cdot)$ vanishes there. On the other hand, $\phi_i(\hat T) = (\mu_1 + \mu_2 x_i + \dots + \mu_t x_i^{t-1}) \cdot T(v_i, \cdot)$ for every $i \in B \setminus C$. The required values $\mu_j \in K$ are obtained from
$$\prod_{i \in B \setminus C} (X - x_i) = \mu_1 + \mu_2 X + \dots + \mu_t X^{t-1},$$
a polynomial of degree $|B \setminus C| = t - 1$ whose constant term $\mu_1 = \prod_{i \in B \setminus C} (-x_i)$ is nonzero because every $x_i$ is nonzero. $\square$

7. Conclusions

Summarizing, the results presented in this paper are the following.

• We obtain a new general lower bound for the randomness of threshold multisecret sharing schemes.

• We provide a new proof for the lower bound on the information ratio that was given in [10].

• We present a linear construction of optimal threshold multisecret sharing schemes for the case $t = 2$, $k = 3$ and $1 \le w \le n - 2$. Although an optimal construction for this case was previously presented in [1], ours is much simpler, and the proof is shorter.

• We present a general construction of multithreshold schemes for all possible values of the parameters $(w, t, k, n)$. In general, these schemes are not optimal, but they form the best known general construction.

References

[1] S.G. Barwick, W.-A. Jackson, An optimal multisecret threshold scheme construction, Des. Codes Cryptogr. 37 (2005) 367–389.

[2] G.R. Blakley, Safeguarding cryptographic keys, AFIPS Conference Proceedings 48 (1979) 313–317.

[3] R. Blom, An optimal class of symmetric key generation systems, in: Advances in Cryptology, Eurocrypt ’84, in: Lecture Notes in Comput. Sci., vol. 209, 1984, pp. 335–338.

[4] C. Blundo, A. De Santis, A. Herzberg, S. Kutten, U. Vaccaro, M. Yung, Perfectly secure key distribution for dynamic conferences, in: Advances in Cryptology, Crypto ’92, in: Lecture Notes in Comput. Sci., vol. 740, 1993, pp. 471–486.

[5] E.F. Brickell, Some ideal secret sharing schemes, J. Combin. Math. and Combin. Comput. 9 (1989) 105–113.

[6] T.M. Cover, J.A. Thomas, Elements of Information Theory, John Wiley & Sons, 1991.

[7] O. Farràs, J. Martí-Farré, C. Padró, Ideal multipartite secret sharing schemes, J. Cryptology 25 (2012) 434–463.

[8] S. Fujishige, Polymatroidal dependence structure of a set of random variables, Information and Control 39 (1978) 55–72.


[9] S. Fujishige, Entropy functions and polymatroids—combinatorial structures in information theory, Electron. Comm. Japan 61 (1978) 14–18.

[10] W.-A. Jackson, K.M. Martin, C.M. O’Keefe, Multisecret threshold schemes, in: Advances in Cryptology, Crypto ’93, in: Lecture Notes in Comput. Sci., vol. 773, 1994, pp. 126–135.

[11] W.-A. Jackson, K.M. Martin, C.M. O’Keefe, A construction for multisecret threshold schemes, Des. Codes Cryptogr. 9 (1996) 287–303.

[12] E.D. Karnin, J.W. Greene, M.E. Hellman, On secret sharing systems, IEEE Trans. Inform. Theory 29 (1983) 35–41.

[13] J. Martí-Farré, C. Padró, On secret sharing schemes, matroids and polymatroids, J. Math. Cryptol. 4 (2010) 95–120.

[14] B. Masucci, Sharing multiple secrets: Models, schemes and analysis, Des. Codes Cryptogr. 39 (2006) 89–111.

[15] C. Padró, I. Gracia, S. Martín Molleví, P. Morillo, Linear key predistribution schemes, Des. Codes Cryptogr. 25 (2002) 281–298.

[16] C. Padró, I. Gracia, S. Martín, P. Morillo, Linear broadcast encryption schemes, Discrete Appl. Math. 128 (2003) 223–238.

[17] A. Shamir, How to share a secret, Commun. of the ACM 22 (1979) 612–613.