206
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006
Secret Sharing Schemes From Three Classes of
Linear Codes
Jin Yuan and Cunsheng Ding, Senior Member, IEEE
Abstract—Secret sharing has been a subject of study for over
20 years, and has had a number of real-world applications. There
are several approaches to the construction of secret sharing
schemes. One of them is based on coding theory. In principle,
every linear code can be used to construct secret sharing schemes.
But determining the access structure is very hard as this requires
the complete characterization of the minimal codewords of the
underlying linear code, which is a difficult problem in general.
In this paper, a sufficient condition for all nonzero codewords of
a linear code to be minimal is derived from exponential sums.
Some linear codes whose covering structure can be determined
are constructed, and then used to construct secret sharing schemes
with nice access structures.
Index Terms—Cryptography, linear codes, secret sharing, covering problem, exponential sums.
I. INTRODUCTION
S
ECRET sharing schemes were introduced by Blakley [5]
and Shamir [17] in 1979. Since then, many constructions
have been proposed. The relationship between Shamir’s secret
sharing scheme and the Reed–Solomon codes was pointed
out by McEliece and Sarwate in 1981 [12]. Later, several
authors have considered the construction of secret sharing
schemes using linear error correcting codes [6], [8], [10], [11],
[14], [15]. Massey utilized linear codes for secret sharing and
pointed out the relationship between the access structure and
the minimal codewords of the dual code of the underlying code
[10], [11]. Unfortunately, determining the minimal codewords
is extremely hard for general linear codes. This was done only
for a few classes of special linear codes. In special cases, the
Ashikhmin–Barg lemma [2] (see Lemma 3 in this paper) is
very useful in determining the minimal codewords.
Several authors have investigated the minimal codewords for
certain codes and characterized the access structures of the secret sharing schemes based on their dual codes [16], [1], [2],
[18]. In this paper, we first characterize the minimal codewords
of certain linear codes using exponential sums, and then construct some linear codes suitable for secret sharing. Finally, we
determine the access structure of the secret sharing schemes
based on the duals of those linear codes.
Manuscript received May 14, 2004; revised July 7, 2005. This work of the
authors is supported by the Research Grants Council of the Hong Kong Special
Administrative Region, Project HKUST6183/04E, China.
The authors are with the Department of Computer Science, The Hong Kong
University of Science and Technology, Clear Water Bay, Kowloon, Hong Kong,
China (e-mail:[email protected]; [email protected]).
Communicated by A. E. Ashikhmin, Associate Editor for Coding Theory.
Digital Object Identifier 10.1109/TIT.2005.860412
II. A LINK BETWEEN SECRET SHARING SCHEMES AND
LINEAR CODES
is the total number
The Hamming weight of a vector in
of nonzero coordinates. An
code is a linear subwith dimension and minimum nonzero Hamming
space of
be a generator matrix of
weight . Let
code, i.e., the row vectors of generate the linear
an
subspace . For all the linear codes mentioned in this paper, we
always assume that no column vector of any generator matrix
is the zero vector. There are several ways to use linear codes to
construct secret sharing schemes. One of them is the following
described by Massey [10].
In the secret sharing scheme based on , the secret is an eleparticiment of , which is called the secret space, and
and a dealer are involved. The dealer is
pants
a trusted person.
In order to compute the shares with respect to a secret , the
dealer chooses randomly a vector
such that
. There are altogether
such vectors
. The dealer then treats as an information vector and
computes the corresponding codeword
and gives
Since
to participant
as share for each
.
, a set of shares
and
, determines the
.
secret if and only if is a linear combination of
Hence we have the following lemma [10].
be a generator matrix of an
Proposition 1: Let
code . In the secret sharing scheme based on , a set of shares
and
, determines the secret if and only if there is a codeword
(1)
in the dual code
, where
for at least one .
If there is a codeword of (1) in
, then the vector
is
a linear combination of
, say,
.
.
Then the secret is recovered by computing
If a group of participants can recover the secret by combining
their shares, then any group of participants containing this group
can also recover the secret. A group of participants is referred to
as a minimal access set if they can recover the secret with their
shares, while any of its proper subgroups cannot do so. Here,
a proper subgroup has fewer members than this group. In view
of these facts, we are only interested in the set of all minimal
0018-9448/$20.00 © 2006 IEEE
YUAN AND DING: SECRET SHARING SCHEMES FROM THREE CLASSES OF LINEAR CODES
access sets. To determine this set, we need the notion of minimal
codewords.
Definition 1: The support of a vector
is defined to be
. A codeword covers a codeword
if the support of contains that of .
If a nonzero codeword covers only its scalar multiples, but
no other nonzero codewords, then it is called a minimal codeword.
From Proposition 1 and the preceding discussions, it is clear
that there is a one-to-one correspondence between the set of
minimal access sets and the set of minimal codewords of the
whose first coordinate is . To determine the acdual code
cess structure of the secret sharing scheme, we need to determine only the set of minimal codewords whose first coordinate
is , i.e., a subset of the set of all minimal codewords. However,
in almost every case we should be able to determine the set of
all minimal codewords as long as we can determine the set of
minimal codewords whose first coordinate is . The covering
problem of a linear code is to determine the set of all its minimal codewords.
It is clear that the shares for the participants depend on the
of the code . However,
selection of the generator matrix
by Proposition 1, the selection of does not affect the access
structure of the secret sharing scheme. Therefore, in the sequel
we will call it the secret sharing scheme based on , without
mentioning the generator matrix used to compute the shares.
We say that a secret sharing scheme is democratic of degree
if every group of participants is in the same number of minimal
.
access sets, where
III. THE ACCESS STRUCTURE OF THE SECRET SHARING
SCHEMES BASED ON THE DUALS OF THE CODES
In Section II, we described the secret sharing scheme based
on a linear code . Naturally, we have also the secret sharing
scheme based on the dual code
. In this and later sections,
we consider only the secret sharing scheme based on the dual
code of a given linear code.
The following proposition describes properties of the min[7].
imal access sets of the secret sharing scheme based on
Note that the vectors ’s in this and later sections are not the
same as those in Section II.
Proposition 2: [7] Let
be an
code, and let
be its generator matrix, where all are
nonzero. If each nonzero codeword of is minimal, then in the
, there are altogether
secret sharing scheme based on
minimal access sets. In addition, we have the following.
is a scalar multiple of
, then
1 If
must be in every minimal access set. Such
participant
a participant is called a dictatorial participant.
, then
2 If is not a scalar multiple of
participant must be in
out of
minimal
access sets.
In view of Proposition 2, it is an interesting problem to construct codes whose nonzero codewords are all minimal. Such a
linear code gives a secret sharing scheme with the interesting
access structure described in Proposition 2.
207
IV. CHARACTERIZATIONS OF MINIMAL CODEWORDS
A. Sufficient Condition From Weights
If the weights of a linear code are close enough to each other,
then all nonzero codewords of the code are minimal, as described as follows.
code
Lemma 3: (Ashikhmin–Barg lemma [2]) In an
, let
and
be the minimum and maximum nonzero
weights, respectively. If
then all nonzero codewords of
are minimal.
The Ashikhmin–Barg lemma is quite useful in determining
the minimal codewords for special linear codes.
B. Sufficient and Necessary Condition Using Exponential
Sums
Let
, where is a prime and is a positive integer.
Throughout this paper, let denote the canonical additive character of , i.e.,
It is well known that each linear function from
to
can be written as
for some
. Hence, for any
linear code
with generator matrix , there exist
such that every codeword can be expressed
as
(2)
. On the other hand, for every
, the vector
for some
in (2) is in the code. Hence, any linear code has a trace form
of (2).
and
of ,
We now consider two nonzero codewords
. If
, then the two codewords would
where
be the number of cobe scalar multiples of each other. Let
be the number
ordinates in which takes on zero, and let
of coordinates in which both
and
take on zero.
. Clearly,
covers
if and only
By definition,
. Hence we obtain the following proposition.
if
Proposition 4: For all
for all
with
is minimal if and only if
.
We would use this proposition to characterize the minimal
codewords of the code . To this end, we would compute the
values of both
and
. But this is extremely hard in general. Thus, we would give tight bounds on them using known
bounds on exponential sums.
By definition
(3)
208
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006
Similarly
be of degree
Proposition 8: [9, Ch. 5] Let
with
and let be a nontrivial additive character
of . Then
(8)
(4)
Later we shall need the following bounds on incomplete exponential sums of rational functions [13].
In the expressions of
and
, when or
is fixed,
for some fixed , and
the inner sum for both is
is called an incomplete exponential sum in general. Note that
most known bounds on exponential sums are summed over the
and
.
whole , and may not be used to give bounds on
constitutes the range of
However, if the set
some function defined over , and each element in this range
is taken on the same number of times by this function, we will
and
using known bounds
be able to derive bounds on
on exponential sums. This will become clear in later sections.
Lemma 9: [13] Let be the finite field of elements and
characteristic , and let
be the quotient of
two polynomials with coefficients in that satisfies
(9)
, where
for any
is the algebraic closure of . Define
Let be the number of distinct roots of
in . If
notes a nontrivial additive character of , then we have
V. SOME BOUNDS ON EXPONENTIAL SUMS
(10)
The objective of this section is to introduce the following
bounds on exponential sums which will be needed later.
Definition 2: [9, Ch. 5] Let be a multiplicative and
additive character of . Then the Gaussian sum
defined by
It is well known that if both
and
an
is
Proposition 5: [9, Ch. 5] Let be a finite field with
,
where is an odd prime and is a positive integer. Let be the
and let
be the canonical additive
quadratic character of
character of . Then
(5)
Proposition 6: [9, Ch. 5] Let be a nontrivial additive chara positive integer, and
. Then
acter of
(6)
for any
with
.
Proposition 7: [9, Ch. 5] Let
acter of with odd, and let
with
. Then
be a nontrivial additive char-
is the quadratic character of
and
, otherwise.
when
, and
In fact, we need a special case of the above result, and state
it as follows.
(11)
where the sum
.
runs over all
excluding the zeros of
VI. SECRET SHARING SCHEMES FROM A CLASS OF
LINEAR CODES
In this section, we first describe a class of linear codes which
are a generalization of the irreducible cyclic codes [4], and then
describe the access structure of the secret sharing scheme based
on the duals of these codes. This section is a generalization of
some results in [7].
. Suppose
Definition 3: Let be a prime, and let
and
. Let be a primitive th root of
unity in
, and
with
. Define as
(12)
(7)
where
where
and
Lemma 10: Let be the finite field of elements and characteristic ; and let
be the quotient of two
that satisfies
polynomials with coefficients in
, and
has distinct roots in . If
denotes a nontrivial additive character of , then we have
are nontrivial,
if
if
de-
.
The following is called the Weil bound.
where
and
to .
is the trace function from
YUAN AND DING: SECRET SHARING SCHEMES FROM THREE CLASSES OF LINEAR CODES
The code of (12) has dimension , where
. It is not
, and it is a generalization of the irreducible cyclic
cyclic if
, the code is called nondegenerate. In
codes [4]. When
this section, we consider only the nondegenerate case.
We are interested in the secret sharing scheme based on the
. To analyze the access structure of the secret
dual code
sharing scheme, we would solve the covering problem of the
code under certain conditions.
Now we derive bounds on the
of (3) for the code . By
(3), we have
where
if
wise.
Applying the bound of (6), we have
and
209
scheme can be determined under conditions that are weaker than
that of (15). The reader is referred to [7] for details.
Open Problem 1: Solve the covering problem for the code
of (12) and determine the access structure of the secret sharing
when the condition of (15) is not met.
scheme based on
Before ending this section, we present a specific example of
the secret sharing scheme described above. We set
and
. Let be a primitive element of
and define
. We choose
and
. Then the code of (12)
nondegenerate code. Although the condition of
is a
(15) is not met, all nonzero codewords of are minimal. This
is because this condition is sufficient, but not necessary.
has parameters
and generator
The dual code
matrix
other-
(13)
and
denote the minimum and maxAs before, let
imum nonzero weights of . It follows from (13) that
In the secret sharing scheme based on
, 12 participants
and a dealer are involved. There are altogether
minimal access sets
(14)
By (14), we have that
if
(15)
It then follows from the Ashikhmin–Barg lemma (Lemma 3)
that every nonzero codeword of is minimal under the condition of (15). We remark that the condition of (15) is sufficient,
but not necessary.
By Proposition 2, the set of dictatorial participants in the seis
cret sharing scheme based on
and
(16)
Participant 7 is a dictatorial participant because it is involved
in every minimal access set. Hence, any group of participants
who can determine the secret must include participant 7. Each
is in
participant in the set
minimal access sets. If a group of participants can recover the secret, it must have at least six members
(50% of the total number of participants). Such a secret sharing
scheme could be useful in applications where the boss must be
involved in every decision making.
VII. SECRET SHARING SCHEMES FROM
QUADRATIC FORM CODES
.
whose cardinality is between and
Combining the discussions above and Proposition 2, we have
proved the following.
Let
Proposition 11: When the condition of (15) is met, all
nonzero codewords of are minimal. Furthermore, in the se, the set of possible dictatorial
cret sharing scheme based on
participants is given in (16), and each of the other participants
minimal access sets.
is involved in
1
2
3
Let
For two subclasses of the codes of (12), the covering problem
can be solved and the access structure of the secret sharing
be an odd prime,
. Let
. Consider
defined over . It is easily seen that
for any ;
;
and
when
.
Range
210
Let
, then
define a linear code
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006
. Write
. We
If
, let
, then by (21)
as
(17)
where
is the trace function from
to .
code, and analyzed
In [7], we proved that is an
even. In this section,
the weights of this code for the case
we determine its weights for the case odd, and describe the
access structure of the secret sharing scheme based on its dual
code.
,
Now we investigate the weights of . Note for any
by Proposition 7
(22)
Let
, and denote the canonical additive character and
and , respectively. Note that
quadratic character over by
for any
since is odd, one can easily prove that
. It follows from (22) and (5) that
(18)
. Then by (3)
Define
Then by (19) the code has three possible nonzero weights
(19)
To determine the weight of
By definition,
that
if
otherwise. We have
, we need to compute
.
is a th root of unity. Note
and
if
if
When
is even, because
(20)
It follows from (18) that
all nonzero codewords of are minimal.
is odd, because
When
all nonzero codewords of
(21)
In the case that is even, it is proved in [7] that the code has
the following four possible nonzero weights:
are minimal.
Proposition 12: If
and
, all nonzero codewords
of the quadratic form code are minimal. Furthermore, in the
secret sharing scheme based on
, the set of dictatorial participants is given by
which has cardinality at most
, and each of the other parminimal access sets.
ticipants is involved in
Proof: The first part follows from the earlier discussions.
because
The number of dictatorial participants is at most
the elements
are all distinct, and
. The remaining part of the conclusion follows
from Proposition 2.
We now consider the case that
then by (21)
is odd. If
,
Open Problem 2: Solve the covering problem for the code
of (17) and determine the access structure of the secret sharing
for the case
.
scheme based on
We now present an example of the secret sharing scheme described above. We choose
and
. Let be a
. Then
primitive element of
YUAN AND DING: SECRET SHARING SCHEMES FROM THREE CLASSES OF LINEAR CODES
Then the
of (17) is a
three-weight code with
.
nonzero weights
has parameters
and generator
The dual code
matrix
211
The code is different from the Goppa codes. Obviously, the
and the codeword length is
.
dimension of is at most
.
Now we give a condition on under which
Lemma 13:
when
(24)
Proof: It suffices to prove that if at least one of
is nonzero, cannot be the zero codeword. Suppose
are nonzero, where
The augmented code of
is a
code which is optimal.
, 11 participants
In the secret sharing scheme based on
and a dealer are involved. There are altogether
minimal access sets
Participant 1 is a dictatorial participant because it is involved
in every minimal access set. Hence, any group of participants
who can determine the secret must include participant 1.
is in
Each participant in the set
minimal access sets. If a group of participants can recover the secret, it must have at least six members
(54% of the total number of participants). Such a secret sharing
scheme could be useful in applications where the boss must be
involved in every decision making.
VIII. SECRET SHARING SCHEMES FROM THE
THIRD CLASS OF CODES
be
Let
Define
Write
pairwise distinct elements of
and
for other ’s. Then for any
where
For all
is a polynomial in
, we have
with degree at most
because all
are pairwise distinct. Thus, the condition of
Lemma 10 is satisfied.
be the canonical additive character of
. Then by
Let
Lemma 10
On the other hand, if is the zero codeword, the sum above
. Hence, the conclusion follows.
would be
Now we estimate the weights of . Let
zeros in the codeword , then
.
as
Using Lemma 10 we obtain that
Given
, for any
, let
Hence, we have proved the following.
We define a linear code as
Lemma 14: We have that
(23)
where
.
be the number of
212
IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 1, JANUARY 2006
Now we investigate the minimum distance
.
code
of the dual
Proposition 15: If
, then
.
. If
, from the construcProof: Obviously,
and
tion of , there must exist distinct elements
, such that for any
.
. Since
,
Then
.
this cannot hold for all . Therefore,
Proposition 16: If
recting codes. Our purpose is to use some existing classes of
error-correcting codes and those constructed in this paper to
construct secret sharing schemes with nice access structures.
The linear codes described in this paper may not be optimal, but
give secret sharing schemes with interesting access structures.
In this paper, we presented several open problems regarding
the covering problem of linear codes and the access structures of
secret sharing schemes based on linear codes. It would be nice
if these open problems could be settled in the near future.
and
(25)
then is a
code and all nonzero codewords of
are minimal. Furthermore, in the secret sharing scheme based on
every participant is in
out of
minimal
access sets. Hence, the secret sharing scheme is democratic of
degree at least .
Proof: Clearly, the condition of (25) implies that of (24).
Hence, under the condition of (25), has dimension . Under
this condition it is easily verified that
It then follows from the Ashikhmin–Barg lemma (Lemma 3)
that all nonzero codewords of are minimal. On the other hand,
by Proposition 15. The conclusion of this proposition
then follows from Proposition 2.
Open Problem 3: Solve the covering problem for the code
of (23) and determine the access structure of the secret sharing
when the condition of (25) is not met.
scheme based on
IX. CONCLUDING REMARKS
In this paper, under certain conditions, we solved the covering problem for three classes of linear codes and determined
the access structure of the secret sharing schemes based on their
dual codes. The access structures are of two types. In the first
type, there are a number of dictatorial participants who must
be involved in recovering the secret, and each of the remaining
participants is involved in the same number of minimal access
sets. These secret sharing schemes are not democratic, and could
be used in applications where a few dictatorial participants are
necessary. In the second type, every participant appears in the
same number of minimal access sets. The degree of democracy
is usually one or two. Secret sharing schemes with access structures of this type could be useful in applications where a small
threshold
degree of democracy is necessary. Note that a
secret sharing scheme is democratic of degree , which is useful
in applications where a high degree of democracy is required.
The information rate of the secret sharing schemes described in
this paper is one, the best possible.
The goal of this paper is not to construct error-correcting
codes, although we constructed several classes of error-cor-
ACKNOWLEDGMENT
The authors wish to thank the referees and the Associate Editor Alexei E. Ashikhmin for their constructive comments and
suggestions that much improved the paper.
REFERENCES
[1] A. Ashikhmin, A. Barg, G. Cohen, and L. Huguet, “Variations on minimal codewords in linear codes,” in Proc. Applied Algebra, Algebraic
Algorithms and Error-Correcting Codes (AAECC 1995) (Lecture Notes
in Computer Science). Berlin, Germany: Springer-Verlag, 1995, vol.
948, pp. 96–105.
[2] A. Ashikhmin and A. Barg, “Minimal vectors in linear codes,” IEEE
Trans. Inf. Theory, vol. 44, no. 5, pp. 2010–2017, Sep. 1998.
[3] L. D. Baumert and W. H. Mills, “Uniform cyclotomy,” J. Number
Theory, vol. 14, pp. 67–82, 1982.
[4] L. D. Baumert and R. J. McEliece, “Weights of irreducible cyclic codes,”
Inf. Control, vol. 20, no. 2, pp. 158–175, 1972.
[5] G. R. Blakley, “Safeguarding cryptographic keys,” in Proc. 1979 National Computer Conf., New York, Jun. 1979, pp. 313–317.
[6] C. Ding, D. Kohel, and S. Ling, “Secret sharing with a class of ternary
codes,” Theor. Comp. Sci., vol. 246, pp. 285–298, 2000.
[7] C. Ding and J. Yuan, “Covering and secret sharing with linear codes,” in
Discrete Mathematics and Theoretical Computer Science (Lecture Notes
in Computer Science). Berlin, Germany: Springer-Verlag, 2003, vol.
2731, pp. 11–25.
[8] E. D. Karnin, J. W. Greene, and M. E. Hellman, “On secret sharing systems,” IEEE Trans. Inf. Theory, vol. IT-29, no. 1, pp. 35–41, Jan. 1983.
[9] R. Lidl and H. Niederreiter, Finite Fields. Cambridge, U.K.: Cambridge Univ. Press, 1997.
[10] J. L. Massey, “Minimal codewords and secret sharing,” in Proc. 6th Joint
Swedish-Russian Workshop on Information Theory, Mölle, Sweden,
Aug. 1993, pp. 276–279.
[11]
, “Some applications of coding theory,” Cryptography, Codes and
Ciphers: Cryptography and Coding IV, pp. 33–47, 1995.
[12] R. J. McEliece and D. V. Sarwate, “On sharing secrets and reed-solomon
codes,” Commun. Assoc. Comp. Mach., vol. 24, pp. 583–584, 1981.
[13] C. Moreno and O. Moreno, “Exponential sums and Goppa codes,” in
Proc. Amer. Math. Soc., vol. 111, 1991, pp. 523–531.
[14] K. Okada and K. Kurosawa, “MDS secret sharing scheme secure against
cheaters,” IEEE Trans. Inf. Theory, vol. 46, no. 3, pp. 1078–1081, May
2000.
[15] J. Pieprzyk and X. M. Zhang, “Ideal threshold schemes from MDS
codes,” in Information Security and Cryptology—Proc. of ICISC
2002 (Lecture Notes in Computer Sceince). Berlin, Germany:
Springer-Verlag, 2003, vol. 2587, pp. 269–279.
[16] A. Renvall and C. Ding, “The access structure of some secret-sharing
schemes,” in Information Security and Privacy (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 1996, vol. 1172,
pp. 67–78.
[17] A. Shamir, “How to share a secret,” Commun. Assoc. Comp. Mach., vol.
22, pp. 612–613, 1979.
[18] J. Yuan and C. Ding, “Secret sharing schemes from two-weight codes,”
in Proc. R. C. Bose Centenary Symp. Discrete Mathematics and Applications, Kolkata, India, Dec. 2002.