On Abelian and Homomorphic Secret Sharing Schemes

Abstract

Homomorphic (resp. abelian) secret sharing is a generalization of ubiquitous linear secret sharing in which the secret value and the shares are taken from finite (resp. abelian) groups instead of vector spaces over a finite field. Homomorphic secret sharing was first defined by Benaloh and, later in the early nineties, Frankel and Desmedt presented some relevant results. Except for a few other related topics such as black-box secret sharing and secret sharing over rings, the subject has remained dormant for about three decades. The study of homomorphic secret sharing is resumed in this paper and three main results are presented: (1) mixed-linear schemes, a subclass of abelian schemes to be introduced in this paper, are more powerful than linear schemes in terms of the best achievable information ratio (the claim is proved for the port of a well-known almost entropic matroid), (2) the information ratios of dual access structures are equal for the class of abelian schemes and (3) every ideal homomorphic scheme can be transformed into an ideal linear scheme with the same access structure.

Appendices

A. Pontryagin Dual

For a vector space V over a field \(\mathbb {F}\), a basis \(\{v_1,\dots ,v_n\}\) gives a way to uniquely write any element \(v\in V\) as a linear combination \(v=c_1v_1+\dots +c_nv_n\), with \(c_i\)’s all in \(\mathbb {F}\). The map that sends v to \(c_i\) defines a linear map from V to \(\mathbb {F}\), called a functional on V. The space of all functionals on V is the dual vector space for V and has a basis given by the above functionals constructed from the given basis.

To extend these notions from vector spaces to finite (and more generally locally compact) abelian groups, Pontryagin devised the notion of a dual group, commonly known as the Pontryagin dual. For a finite abelian group G, the Pontryagin dual of G, denoted by \(\widehat{G}\), is the group of all homomorphisms from the group G to the multiplicative group of nonzero complex numbers. That is,

$$\begin{aligned} \widehat{G} = \{ \alpha : G\rightarrow \mathbb {C}^* | \alpha (0)=1, \alpha (a+b)= \alpha (a) \alpha (b) \}. \end{aligned}$$

Note that in fact the image of this homomorphism is inside the subgroup of the complex numbers of absolute value 1 (circle). If the group G is cyclic of order n, then \(\widehat{G}\) can be identified with the group of nth roots of unity. The reason is that any homomorphism is determined by its value on a generator of the group, which must be an nth root of unity. This way, one sees that the dual group in this case is isomorphic to itself (in a non-canonical way). This can be generalized to be valid for all finite abelian groups, because any such group is a direct sum of finite cyclic groups. Pontryagin showed that if for a locally compact abelian group G we take the dual once more, then the double dual \(\widehat{\widehat{G}}\) is canonically isomorphic to the original group G. And this was the beginning of the Fourier theory on locally compact abelian groups.

B. On Equivalent Definitions for Abelian RVs

In the following, we will show the four implications (i)\(\Rightarrow \)(ii)\(\Rightarrow \)(iii)\(\Rightarrow \)(iv)\(\Rightarrow \)(i) for abelian RVs given in Definition 2.6.

i\(\Rightarrow \)ii:

Let \(\mu _i:S\rightarrow S_i\) be a collection of homomorphisms as in (i), inducing a linear RV \(\varvec{X}=\mu (\varvec{S})\) where \(\mu : S\rightarrow \bigoplus _{i=1}^n S_i\) is the direct sum homomorphism defined by \(\mu (s)=\big (\mu _1(s),\ldots ,\mu _n(s)\big )\) and \(\varvec{S}\) is uniformly distributed on S. Let \(\varOmega _i=S_i\) and \(\varOmega \) be the image of this homomorphism. Clearly, \(\varvec{X}\) is uniformly distributed on \(\varOmega \) and hence we are in the setting of (ii).

ii\(\Rightarrow \)iii:

Let \(\varOmega \) be a subgroup of \(\bigoplus _{i=1}^n \varOmega _i\) as in (ii). Let \(U=\varOmega \) and \(U_i\) be the subgroup of \(\varOmega \) of those elements with i’th coordinate equal to zero. Then, by the first isomorphism theorem of groups, the image of the projection \(\pi _i: \varOmega \rightarrow \varOmega _i\) is isomorphic to the quotient group \(U/U_i\). More generally, for a subset \({A}\subseteq [n]\), the image of the projection \(\pi _{{A}}: \varOmega \rightarrow \bigoplus _{i\in {A}}\varOmega _i\) is isomorphic to the quotient group \(U/U_{A}\), where \(U_{{A}}=\bigcap _{i\in {A}}U_i\). Also, \(U/U_{A}\) is isomorphic to the group of all elements of the form \((u+U_1,\ldots ,u+U_n)\), for all \(u\in U\). Therefore, a uniform RV on \(\varOmega \) as in (ii) is equivalent to a uniform RV as in (iii).

iii\(\Rightarrow \)iv:

Let U and its subgroups \(U_1,\dots , U_n\) be given as in the case (iii). Let \(T=\widehat{U}\) and define \(T_i\) to be the subgroup of T of those homomorphisms that vanishes on \(U_i\); that is, \(T_{i}=\{\alpha \in \widehat{U}: \alpha (x)=0 \text { for every } x\in U_{i}\}\). Then, by Pontryagin duality, \(\widehat{T}\) is isomorphic to U and the map \(\widehat{T}\rightarrow \widehat{T}_i\) that sends \(\alpha \in \widehat{T}\) to \(\alpha |_{T_i}\) is equivalent to the projection \(U\rightarrow U/U_i\). More generally, for a subset \({A}\subseteq [n]\), the map \(\widehat{T}\rightarrow \bigoplus _{i\in {A}}\widehat{T}_i\) that sends \(\alpha \in \widehat{T}\) to \((\alpha |_{T_i})_{i\in {A}}\) is equivalent to the projection \(U\rightarrow U/U_{A}\), where \(U_{{A}}=\bigcap _{i\in {A}}U_i\). Also, as we mentioned earlier \(U/U_{A}\) is isomorphic to the group of all elements of the form \((u+U_1,\ldots ,u+U_n)\), for all \(u\in U\). Therefore, a uniform RV as in (iii) is equivalent to a uniform RV as in (iv).

iv\(\Rightarrow \)i:

Let T be a finite abelian group with its subgroups \(T_1,\dots , T_n\) as in (iv). Let \(S=\widehat{T}\) and \(S_i=\widehat{T}_i\) and let \(\mu _i:S\rightarrow S_i\) be the map that sends a homomorphism \(\alpha \in S\) to \(\alpha |_{T_i}\) (clearly, \(\alpha |_{T_i}\in S_i\)). Obviously the distribution induced by T and \(T_i\)’s as in (iv) is also definable by \(\big (\mu _1(\varvec{S}),\ldots ,\mu _n(\varvec{S})\big )\), where \(\varvec{S}\) is uniformly distributed on S. Therefore, we are in the setting of (i).

C. Proof of Theorem 3.25

The theorem follows by the following lemma. Part (i) has been proved by Frankel, Desmedt and Burmester in [40]. Part (ii) was proved in a subsequent work by Frankel and Desmedt in [39].

Lemma C.1

(Homomorphic SSS) Let \({\mathcal {A}}\) be an access structure with at least one minimal qualified subset of size at least two. Let \(\varOmega \subseteq \prod _{i\in Q}\varOmega _i\) be a homomorphic SSS for \({\mathcal {A}}\). Then,

1. (i)

   the secret space, \(\varOmega _0\), is an abelian group.

2. (ii)

   if \(\varOmega \) is ideal, then \(\varOmega _0\cong \varOmega _i\).

Proof

For a subset \(A\subseteq Q\), we have a projection map \(\pi _A\) from \(\prod _{i\in Q}\varOmega _i\) onto \(\prod _{i\in A} \varOmega _i\) and we use the notation \(\varOmega _A\) to denote the projection of the group \(\varOmega \) onto the components in A, i.e., \(\varOmega _A=\pi _A(\varOmega )\). Also, for \(x\in \varOmega \), we denote the projection on entries with indices in a subset \({A}\subseteq Q\) by \(x_A\); we use \(x_i\) for \(i\in Q\).

1. (i)

   We need to show that for all \(s_1,s_2\in \varOmega _0\), \(s_1\cdot s_2=s_2\cdot s_1\). Let \(e\in \varOmega \) be the identity element, that is, an element whose i component is the identity elements of the corresponding groups \(\varOmega _i\). Let \(A=\{j_1,j_2,\dots , j_k\}\) be a minimal set in \({\mathcal {A}}\) of size at least 2 and, for \(i=1,2\), let \(A_i=A\backslash \{j_i\}\). Since \(A_i\not \in {\mathcal {A}}\) and \(e\in \varOmega \), there are \(x(i)\in \varOmega \) such that \(x(i)_{A_i}=e_{A_i}\) and \(x(i)_0=s_i\). Then, since any element in a group commutes with the identity element, we have \((x(1)\cdot x(2))_A=(x(2)\cdot x(1))_A\), and since \(A\in {\mathcal {A}}\), we must have \((x(1)\cdot x(2))_0=(x(2)\cdot x(1))_0\), that is \(s_1\cdot s_2=s_2\cdot s_1\).

2. (ii)

   We first show that for a general homomorphic scheme \(\varOmega \) and for every \(i\in Q\), the secret group \(\varOmega _0\) is a sub-quotient of \(\varOmega _i\); that is, there is an into group homomorphism from a subgroup of \(\varOmega _i\) to \(\varOmega _0\). Let \(A\in {\mathcal {A}}\) be a minimal set of size at least two that contains i and \(A_i=A\backslash \{i\}\). Let \(\varOmega '_i\) be the kernel of the projection \(\pi '_{i}:\varOmega _A\rightarrow \varOmega _{A_i}\). Then, \(\varOmega '_i\) can be identified with a subgroup of \(\varOmega _i\). We show that the restriction of the reconstruction homomorphism \(R_A\) to \(\varOmega '_i\) is an onto homomorphism to \(\varOmega _0\). For any \(s\in \varOmega _0\) we need to find an element \(y\in \varOmega \) such that \(y_{A_i}=e_{A_i}\) and \(y_0=s\), since then \(y_A\in \varOmega _i'\) and \(R_A(y_A)=s\). This follows from the fact that \(A_i\not \in {\mathcal {A}}\).

   Therefore, there is an onto homomorphism from a subgroup \(\varOmega _i'\) of \(\varOmega _i\) onto \(\varOmega _0\). But for an ideal \(\varOmega \), since \(|\varOmega _i|=|\varOmega _0|\), we must have \(\varOmega _i'=\varOmega _i\) and the homomorphism must be an isomorphism, because an onto map between sets of the same size is also one to one. So all \(\varOmega _i\)’s are isomorphic to \(\varOmega _0\).

\(\square \)