
Cryptogr. Commun. (2014) 6:137–155
DOI 10.1007/s12095-013-0092-z

Secret sharing schemes based on graphical codes

Ying Gao · Romar dela Cruz

Y. Gao (✉): School of Mathematics and Systems Science, Beihang University, LMIB of the Ministry of Education, Beijing 100191, People’s Republic of China

R. dela Cruz: Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, 21 Nanyang Link, Singapore 637371, Singapore

R. dela Cruz: Institute of Mathematics, College of Science, University of the Philippines Diliman, C.P. Garcia St., Quezon City, Philippines 1101

Received: 24 March 2013 / Accepted: 25 September 2013 / Published online: 19 October 2013
© Springer Science+Business Media New York 2013

Abstract We study the access structure and multiplicativity of linear secret sharing schemes based on codes from complete graphs. First, we describe the access structure of the schemes based on cut-set and cycle codes. Second, we show that the class of access structures based on odd cycles cannot be realized by ideal multiplicative linear secret sharing schemes over any finite field. This can be seen as a contribution to the characterization of access structures of ideal multiplicative schemes. The access structure based on odd cycles corresponds to the scheme based on the dual of the extended cycle code. Finally, we show that we can obtain an ideal multiplicative linear secret sharing scheme based on the dual of an augmented extended cycle code.

Keywords Secret sharing · Linear code · Matroid · Graph

Mathematics Subject Classifications (2010) 94A62 · 94B05 · 05C50

1 Introduction

A secret sharing scheme is a protocol which involves a dealer (one who knows the secret) distributing shares (pieces of information related to the secret) to a group of players. The distribution method is designed in such a way that only those player subsets in the access structure can recover the secret. The first constructions of such schemes were the threshold schemes of Blakley [5] and Shamir [22]. In a $(t,n)$-threshold scheme, any $t$ out of $n$ players can determine the secret. Massey presented in [18] a construction of secret sharing schemes using linear codes. He also proved that there is a correspondence between the minimal access structure and the set of minimal codewords of the dual code.

One important application of secret sharing schemes is in the construction of secure protocols for multi-party computation (MPC). In a secure MPC protocol [12, 26], there are $n$ players who jointly compute a function of their secret inputs. The protocol must guarantee the correctness of the output and the privacy of the inputs even when some of the players are corrupted. In [8], Cramer et al. showed how to construct secure MPC protocols using linear secret sharing schemes (LSSS). The general idea is that first, secure computation of a function can be reduced to secure addition and secure multiplication. Now, secure addition can be performed using LSSS. To do secure multiplication, the authors in [8] introduced the concept of multiplicative LSSS.

A multiplicative LSSS can be constructed from any LSSS for the same access structure, though in general, the process involves doubling the share size [8]. It is an open problem to determine the cases in which the increase in the share size is necessary and the cases in which it is not. A special case of this problem is the characterization of access structures that admit ideal multiplicative LSSS. This problem was considered in [9, 21] for some self-dual access structures. Many authors also considered the construction of ideal multiplicative LSSS [7, 9, 16, 17, 19]. Some examples are the Shamir threshold scheme, algebraic geometric secret sharing schemes and LSSS based on self-dual codes. The authors in [17] constructed ideal multiplicative LSSS based on graph connectivity. Most of these schemes belong to the class of LSSS based on linear codes.

In this work, we continue the study of the multiplicativity of LSSS based on linear codes. In particular, we consider the schemes based on some graphical codes. In Section 2, we give some background on secret sharing schemes and graphical codes. Some fundamental results on the connection of secret sharing schemes with matroids, monotone span programs, and linear codes are presented in the Appendix. In Section 3, we describe the access structure of LSSS based on cut-set and cycle codes. In Section 4, we study the access structure based on odd cycles and prove that it does not admit any ideal multiplicative LSSS. This is the access structure of the scheme based on the dual of the extended cycle code. This access structure has been considered before in [3] in connection with computational complexity. In Section 5, we expand the access structure based on odd cycles and show that it can be realized by ideal multiplicative LSSS. The access structure in Section 5 corresponds to the scheme based on the dual of an augmented extended cycle code.

2 Preliminaries

We let $\mathcal{P} = \{P_1, \ldots, P_n\}$ denote the set of $n$ players and let $D$ be the dealer. The family of authorized or qualified subsets $\Gamma \subseteq 2^{\mathcal{P}}$ is called the access structure of the scheme. The access structure satisfies the monotone increasing property, that is, if $A \in \Gamma$ and $A \subseteq B$, then $B \in \Gamma$. It follows that $\Gamma$ is determined by the minimum access structure $\Gamma^- = \{A \in \Gamma \mid \forall B \subset A \Rightarrow B \notin \Gamma\}$. The collection of unqualified subsets of players is called the adversary structure $\mathcal{A} = \mathcal{P} \setminus \Gamma$. The adversary structure is monotone decreasing, that is, for any $B \in \mathcal{A}$, $A \subseteq B$ implies $A \in \mathcal{A}$. Hence, $\mathcal{A}$ can be described by the maximum adversary structure $\mathcal{A}^+ = \{A \in \mathcal{A} \mid \forall B \supset A \Rightarrow B \notin \mathcal{A}\}$. We now present the definition of perfect secret sharing scheme.

Definition 1 [24] A perfect secret sharing scheme realizing the access structure $\Gamma$ is a method of sharing a secret among a set of players $\mathcal{P}$, in such a way that the following two properties are satisfied:

i. If an authorized subset of players $B \subseteq \mathcal{P}$ pool their shares, then they can determine the secret.

ii. If an unauthorized subset of players $B \subseteq \mathcal{P}$ pool their shares, then they can determine nothing about the secret.

The information rate of a scheme is the ratio of the size of the secret and the maximum size of the shares. It is well-known that for perfect schemes, the information rate is at most 1. A secret sharing scheme is called ideal if the information rate is equal to 1. An access structure $\Gamma$ is said to be ideal if it can be realized by an ideal secret sharing scheme. Given an access structure $\Gamma$, we define the dual access structure as $\Gamma^{\perp} = \{A \subseteq \mathcal{P} \mid A^c = \mathcal{P} \setminus A \notin \Gamma\}$. An access structure $\Gamma$ is said to be self-dual if it is equal to its dual.

2.1 Multiplicative linear secret sharing schemes

Let $\mathbb{F}_q$ be the finite field of order $q$, a prime power. We use the notation $X^T$ for the transpose of a matrix $X$. In this paper, we only consider linear secret sharing schemes (LSSS for short) where the set of possible secrets is $\mathbb{F}_q$ and the set of possible shares of every player $P_i \in \mathcal{P}$ is a vector space over $\mathbb{F}_q$. We can describe LSSS using monotone span programs (see Appendix).

Informally speaking, an LSSS is multiplicative if each player $P_i$ can, from his shares of secrets $a$ and $b$, compute a value $c_i$, such that the product $ab$ can be computed as a linear combination of all the $c_i$’s. It is strongly multiplicative if $ab$ can be obtained using only values from honest players.

Definition 2 [8] An ideal MSP $\mathcal{M}$ is said to be multiplicative if there exists a vector $r$, called a recombination vector, such that for any two secrets $s, s'$ and respective share vectors $(x_1, \ldots, x_n) = M(s, \rho)^T$, $(x'_1, \ldots, x'_n) = M(s', \rho')^T$ where $\rho, \rho'$ are random vectors, it holds that

$$ss' = \langle r, (x_1 x'_1, \ldots, x_n x'_n) \rangle.$$

We say that $\mathcal{M}$ is strongly multiplicative if for any player subset $A$ that is rejected by $\mathcal{M}$, $\mathcal{M}_{A^c}$ is multiplicative.

Definition 3 Let $d \ge 2$ be an integer. An adversary structure $\mathcal{A}$ is called Qd if every $d$ sets in $\mathcal{A}$ cannot cover the whole player set $\mathcal{P}$. For simplicity, when an adversary structure $\mathcal{A}$ is Qd we also say that the corresponding access structure $\Gamma = \mathcal{A}^c$ is Qd.

For example, the $(t,n)$-threshold access structure is Q2 if $n \ge 2t - 1$ and is Q3 if $n \ge 3t - 2$. Multiplicative MSP is possible if and only if the access structure is of type Q2, and strongly multiplicative MSP is possible if and only if the access structure is of type Q3 [8].

In this work, we consider ideal multiplicative LSSS. The Shamir $(t,n)$-threshold scheme with $n \ge 2t - 1$ is an example of such a scheme. Ideal multiplicative schemes can also be obtained from algebraic geometric LSSS [7] and LSSS based on self-dual codes [9]. A construction for hierarchical access structures can be found in [16]. The authors in [17] and in [19] presented constructions of ideal multiplicative schemes of some access structures based on graphs. We show in Section 5 ideal multiplicative schemes for a different graph-based access structure.

We will use the following alternative way to decide whether or not an ideal MSPis multiplicative [17]. First, we define an operation ∗ on any matrix.

Definition 4 Let $P$ be an $n \times l$ matrix over $\mathbb{F}_q$ and suppose that $p_i = (p_{1i}, \ldots, p_{ni})^T$ is the $i$-th column of $P$. Let $P^*$ be the matrix constituted by all the column vectors $p_i * p_j$, $1 \le i \le j \le l$, where $p_i * p_j = (p_{1i} p_{1j}, \ldots, p_{ni} p_{nj})^T$. Thus $P^*$ is an $n \times \frac{l(l+1)}{2}$ matrix given by

$$P^* = (p_1 * p_1,\; p_1 * p_2,\; \ldots,\; p_1 * p_l,\; p_2 * p_2,\; p_2 * p_3,\; \ldots,\; p_2 * p_l,\; \ldots,\; p_l * p_l).$$

In particular, suppose $v = (v_1, \ldots, v_l) \in \mathbb{F}_q^l$; then $v^*$ is defined as

$$v^* = (v_1 v_1,\; v_1 v_2,\; \ldots,\; v_2 v_2,\; \ldots,\; v_2 v_l,\; \ldots,\; v_l v_l).$$

Proposition 1 [17] An ideal MSP $(\mathbb{F}_q, M, \varepsilon, \psi)$ is multiplicative if and only if the system of linear equations $zM^* = \varepsilon^*$ is solvable. Moreover, the solution $z$ is a recombination vector.

Given a LSSS realizing a Q2 access structure, it can be transformed into a multiplicative scheme for the same access structure [8]. In general, the transformation involves doubling the size of the shares in the original scheme. It is an open problem to determine the LSSS which do not require share expansion to obtain the multiplicative property.

A particular case of this problem is the characterization of access structures of ideal multiplicative LSSS. The $(t,n)$-threshold access structures with $n \ge 2t - 1$ can be realized by an ideal multiplicative LSSS (e.g. Shamir scheme). Given a self-dual access structure which can be realized by an ideal LSSS, the question of whether it admits an ideal multiplicative scheme was studied in [9, 21]. It was shown in [9], using the relation between matroids and codes, that the answer is affirmative for such access structures which are bipartite. It was proven in [21] that such access structures with at most seven players admit an ideal multiplicative LSSS. We present in Section 4 a family of access structures defined on odd cycles that cannot be realized by an ideal multiplicative LSSS.

2.2 Graphs

Let $G(V, E)$ be a connected undirected graph with vertex set $V = \{v_1, \ldots, v_m\}$ and edge set $E = \{e_1, \ldots, e_n\}$. Every subgraph $G'$ of $G$ can be described by a binary characteristic vector $g = (g_1, \cdots, g_n)$, where $g_i = 1$ if $e_i$ is an edge of $G'$ and $g_i = 0$ otherwise, $1 \le i \le n$. In this paper, we will not distinguish between a subgraph and its characteristic vector. Then symmetric difference of subgraphs amounts to the addition of the corresponding characteristic vectors. The set of all subgraphs, including the empty graph $\emptyset$, forms an $n$-dimensional vector space $W(G)$ over $\mathbb{F}_2$.

There are two well-known subspaces of $W(G)$. The first one is the cut-set space or bond space of $G$ which we denote by $C(G)$. By a cut-set (or a bond), we mean a minimal edge cut of $G$. The elements of $C(G)$ are the cut-sets and the union of edge-disjoint cut-sets. The second subspace is the cycle space $C^*(G)$ of $G$. The cycle space is generated by all the cycles of the graph. Its elements are the cycles and the union of edge-disjoint cycles.

Consider a spanning tree $T$ of $G$. Each edge of $G$ not in $T$ will form a cycle with $T$ and the characteristic vectors of these $n - m + 1$ cycles are linearly independent. On the other hand, each edge of $T$ is associated with a cut-set of $G$ and these $m - 1$ cut-sets are also linearly independent. Hence, the dimensions of $C(G)$ and $C^*(G)$ are at least $m - 1$ and $n - m + 1$, respectively. It can be shown that a cycle and a cut-set have an even number of common edges. Thus, $C(G)$ and $C^*(G)$ are orthogonal to each other with respect to the inner product in the binary field. Since these are subspaces of an $n$-dimensional vector space, the dimension of $C(G)$ is equal to $m - 1$ and the dimension of $C^*(G)$ is equal to $n - m + 1$.

The incidence matrix $H = (h_{ij})_{m \times n}$ of $G$ is defined over $\mathbb{F}_2$ by

$$h_{ij} = \begin{cases} 1 & \text{if } v_i \in e_j \\ 0 & \text{otherwise.} \end{cases}$$

The incidence set of a vertex $v_i$ in $G$ is the cut-set consisting of the set of edges that are incident with $v_i$. This set can be represented by the row in the incidence matrix $H$ which corresponds to the vertex $v_i$ (called the incidence vector of $v_i$). The incidence vectors of any $m - 1$ vertices of a connected $m$-vertex graph $G$ form a basis of the cut-set space $C(G)$.

For $i = 1, \ldots, n$, let $H_i$ be the submatrix of $H$ formed by removing the incidence vector of $v_i$. We call $H_i$ a reduced incidence matrix. Without loss of generality, we fix removing the vertex $v_m$ and then always use the notation $H_m$ since any transformation of the vertex set yields an isomorphic graph.

Many researchers focused on studying the secret sharing schemes for graph-based access structure with the minimal access structure being the collection of the pairs of players corresponding to edges, i.e., associate each player with a vertex of the underlying graph, and any two players can recover the secret if there is an edge connecting them. See [23] and its references.

Another way to construct an access structure based on a graph $G$ is first to associate each player with an edge and then consider certain subsets of the edge set $E$. For example, Karchmer and Wigderson [15] considered access structures based on the connectivity of two designated vertices. For complete graphs, Liu et al. [17] considered the set of all spanning trees while Beimel [3] considered the set of all odd cycles.

3 Secret sharing schemes based on cut-set and cycle codes

Let $G(V, E)$ be a connected undirected graph with vertex set $V = \{v_1, \ldots, v_m\}$ and edge set $E = \{e_1, \ldots, e_n\}$. The cut-set space $C(G)$ can be viewed as an $[n, m - 1]$ binary linear code (called the cut-set code). In addition, the reduced incidence matrix $H_m$ is a generator matrix for $C(G)$. We can assume that $H_m$ is a generator matrix in standard form, i.e. the first $m - 1$ columns form the identity matrix. Similarly, the cycle space $C^*(G)$ is an $[n, n - m + 1]$ binary linear code (called the cycle code) and we have $C^*(G) = C^{\perp}(G)$.

Now, let $G = K_m$, the complete graph on $m$ vertices. We consider the secret sharing schemes based on cut-set codes and cycle codes associated with $K_m$. Note that the coordinate positions are indexed by the edges of the graph. The dealer $D$ is associated with the edge corresponding to the first coordinate position and each of the $n - 1$ players is associated with the rest of the edges/coordinate positions. First, we describe the access structure of the secret sharing scheme based on the cut-set code $C(K_m)$.

Proposition 2 Let $v_s$ and $v_t$ be the vertices of the edge corresponding to the first coordinate position. In the secret sharing scheme based on $C(K_m)$, a set of shares $\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}$ can determine the secret if and only if the corresponding set of edges contains a path from $v_s$ to $v_t$.

Proof It follows from Lemma 7 that a set of shares $\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}$ can determine the secret if and only if there exists a codeword $z = (z_0, \ldots, z_{n-1}) \in C^{\perp}(K_m)$ such that $z_0 = 1$ and $\mathrm{supp}(z) \subseteq \{0, i_1, \ldots, i_r\}$. Since the dual code of $C(K_m)$ is the cycle code $C^*(K_m)$, the support of $z$ corresponds to a cycle or a union of edge-disjoint cycles. Therefore, a set of shares $\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}$ can determine the secret if and only if the corresponding set of edges contains a path from $v_s$ to $v_t$. □

The access structure realized by the secret sharing scheme based on $C(K_m)$ is the undirected s-t connectivity access structure $\Gamma_{ustcon}$ on $K_m$. In [2], an MSP computing $\Gamma_{ustcon}$ was presented. By using Lemma 6, we can get a generator matrix of $C(K_m)$ from the MSP.

We give an example to illustrate the method of obtaining the access structures.

Example 1 Let $m = 4$, $n = 6$, $V = \{v_1, v_2, v_3, v_4\}$, $\mathcal{P} = \{P_1, P_2, P_3, P_4, P_5, P_6\}$. Consider the complete graph $K_4$ (see Fig. 1).

Since each player is associated with an edge, without loss of generality, assume that the dealer $D$ is associated with the edge $v_1 v_4$, i.e., $P_1$ is the dealer. Then according to Proposition 2, to get the access structure we need to find all the paths from $v_1$ to $v_4$: $v_1 - v_2 - v_4$, $v_1 - v_3 - v_4$, $v_1 - v_3 - v_2 - v_4$, $v_1 - v_2 - v_3 - v_4$. Then the minimal access structure of the secret sharing scheme based on $C(K_4)$ is $\{\{P_2, P_4\}, \{P_3, P_5\}, \{P_2, P_5, P_6\}, \{P_3, P_4, P_6\}\}$.

Fig. 1 Complete graph $K_4$

Now, we consider the access structure of the secret sharing scheme based on the cycle code $C^*(K_m)$.

Proposition 3 Every nonzero codeword of the cut-set code $C(K_m)$ is minimal.

Proof By looking at the generator matrix $H_m$, we can see that for any two nonzero codewords $c_1, c_2 \in C(K_m)$, $\mathrm{supp}(c_1) \cap \mathrm{supp}(c_2)$ is non-empty. The proposition now follows from Lemma 2.1 (5) in [1]. Actually, this means that $C(K_m)$ is a binary intersecting code. □

Corollary 1 In the secret sharing scheme based on $C^*(K_m)$, there are $2^{m-2}$ minimal authorized sets and each player $P_i$ belongs to $2^{m-3}$ out of $2^{m-2}$ minimal authorized sets.

Proof The result follows from the preceding proposition and Proposition 2 in [10]. □

If we want to know whether we can get multiplicative linear secret sharing schemes based on the linear codes above, then the following propositions say that it is not the case.

Proposition 4 Consider the access structure $\Gamma_{ustcon}$ based on the complete graph $K_m$. Then $\Gamma_{ustcon}$ is not Q2.

Proof First, let the edge $v_1 v_m$ correspond to the dealer. Hence, to prove the proposition, we need to find two unauthorized sets of edges whose union covers the set $E \setminus \{v_1 v_m\}$. Let $A_1$ be the subset of $E \setminus \{v_1 v_m\}$ containing the edges incident with $v_1$ but not with $v_m$. Then $A_1 \notin \Gamma_{ustcon}$ since it does not contain a path from $v_1$ to $v_m$. Let $A_2 = E \setminus (\{v_1 v_m\} \cup A_1)$. Then $A_2$ is also not an authorized set. Now, $A_1 \cup A_2$ is the whole player set $E \setminus \{v_1 v_m\}$. Therefore, $\Gamma_{ustcon}$ is not Q2. □

Proposition 5 The access structure realized by the secret sharing scheme based on the cycle code $C^*(K_m)$ is not Q2 for $m \ge 4$.

Proof Let $\Gamma$ be the access structure realized by the secret sharing scheme based on $C^*(K_m)$ and let $v_1 v_m$ be the edge associated with the dealer. First, we note that $A \subseteq \mathcal{P}$ is in the minimal access structure $\Gamma^-$ if and only if $A \cup \{v_1 v_m\}$ is a bond (minimal cut-set) [4].

The secret sharing scheme based on $C^*(K_3)$ is a $(1,2)$-threshold scheme. Hence, the corresponding access structure is Q2 and we know that the corresponding Shamir scheme is ideal and multiplicative.

Now let $m \ge 4$. Suppose, for a contradiction, that $\Gamma$ is Q2. Then it follows that the dual access structure $\Gamma^{\perp} \subseteq \Gamma$ (see [9]). Now, $\Gamma^{\perp}$ is the access structure realized by the secret sharing scheme based on $C(K_m)$. Let $A \in \Gamma^{\perp}$ such that $A \cup \{v_1 v_m\}$ is a 3-cycle. Then $A \notin \Gamma$, contradicting the assumption that $\Gamma$ is Q2. □


4 Access structure based on odd cycles

We revisit a class of access structures which appears in [3] and where the minimal authorized sets correspond to odd cycles. These access structures are related to the dual of the extended cycle code and can be realized by multiplicative linear secret sharing schemes (unlike in the case of the access structures in the previous section). One drawback is that we will prove that there is no ideal multiplicative linear secret sharing scheme over $\mathbb{F}_q$ that realizes them. The negative result, though, is a contribution to the characterization of access structures which admit ideal multiplicative LSSS.

4.1 Definition and some properties

An edge-induced subgraph is a subset of the edges of a graph together with any vertices that are their endpoints. We use $G[S]$ to denote the edge-induced subgraph of $G(V, E)$ whose edge set is $S$ and whose vertex set is the subset of $V$ consisting of those vertices incident with any edge in $S$.

A bipartite graph is a graph whose vertices can be divided into two disjoint sets $U$ and $V$ such that every edge connects a vertex in $U$ to one in $V$. The next lemma is a characterization of bipartite graphs using odd cycles (cycles consisting of an odd number of vertices).

Lemma 1 [25] A graph is bipartite if and only if it contains no odd cycle.

Definition 5 Let $K_m$ be the complete graph with $m$ vertices and let $n$ be the number of edges. For $i = 1, \ldots, n$, every player $P_i$ is assigned to an edge. Define

$$\Gamma_{oc} = \{A \subseteq \mathcal{P} \mid K_m[A] \text{ contains an odd cycle}\}.$$

Then $\Gamma_{oc}$ is an access structure.

It follows from the definition that the adversary structure is given by

$$\mathcal{A}_{oc} = \{B \subseteq \mathcal{P} \mid K_m[B] \text{ does not contain an odd cycle}\}.$$

We can see that $\Gamma_{oc}$ is monotone increasing while $\mathcal{A}_{oc}$ is monotone decreasing. Using Lemma 1, we can also define $\Gamma_{oc}$ and $\mathcal{A}_{oc}$ in terms of bipartite graphs.

Proposition 6 The adversary structure $\mathcal{A}_{oc}$ is Qd if and only if $m \ge 2d + 1$.

Proof The complete graph $K_m$ can be expressed as the union of $k$ bipartite graphs if and only if $m \le 2k$ (cf. [25]). The proposition now follows. □

It follows from the proposition that for $m \ge 5$, the access structure $\Gamma_{oc}$ on $K_m$ can be realized by a multiplicative LSSS.


4.2 Appropriate matroid

Let $G(V, E)$ be a connected undirected graph. By attaching a sign to each edge of $G$, we obtain a signed graph $G_s$. The sign of a cycle is the product of the signs of its edges.

The graphic matroid associated with $G$ is the matroid $M(G)$ on the edge set $E(G)$ whose circuits are the cycles of $G$. As a binary matroid, $M(G)$ can be represented by the vertex-edge incidence matrix $H$ of $G$.

We consider two matroids defined on the edge set of a signed graph $G_s$. The lift matroid $L(G_s)$ is the matroid wherein a circuit is a positive cycle of $G_s$ or the disjoint union of two negative cycles of $G_s$ that meet in at most one vertex. The complete lift matroid $L_0(G_s)$ is an extension of $L(G_s)$ obtained by adding an extra point $e_0$ (which acts like a negative loop) to $E(G_s)$ (the point set of $L(G_s)$). A circuit of $L_0(G_s)$ is a circuit of $L(G_s)$ or the union of $e_0$ and a negative cycle.

Given $M(G)$ and the incidence matrix $H$ of $G$, we can obtain the binary representation of the complete lift matroid $L_0(G_s)$ [11]. First, we define the row incidence vector $d$ of the signs of the edges. For $i = 1, \ldots, n$, let $d_i = 1$ if the corresponding edge is negative, and 0 otherwise. The binary representation of $L_0(G_s)$ is given by

$$H' = \begin{bmatrix} 1 & d \\ 0 & \\ \vdots & H \\ 0 & \end{bmatrix}.$$

Note that we can replace $H$ by the reduced incidence matrix $H_m$.

Example 2 Let $G_s$ be the complete graph $K_m$ with all edges negative, denoted by $-K_m$. Suppose we add a negative loop $e_0$ at the vertex $v_m$. A circuit of $L_0(-K_m)$ is the disjoint union of two odd cycles that meet in at most one vertex or the union of $e_0$ and an odd cycle. The binary representation of $L_0(-K_m)$ is given by $H'$ above, with the vector $d$ equal to the all-one vector.

Based on the preceding example, we can see that $L_0(-K_m)$ is the appropriate matroid for the access structure $\Gamma_{oc}$ on $K_m$. Consider the extended cycle code $C^*(K_m)$. The binary representation $H'$ with the matrix $H$ replaced by $H_m$ is a parity check matrix of $C^*(K_m)$. Hence, $\Gamma_{oc}$ is the access structure realized by the secret sharing scheme based on the dual of $C^*(K_m)$.

Next, we want to show that for $m \ge 4$, $L_0(-K_m)$ is only representable over a field with characteristic 2. We will use the following proposition taken from [11] (Note: For the meaning of the concept of minor and $F_7^*$, the reader may refer to [20].):

Proposition 7 Let $G_s$ be a signed graph. Then $L_0(G_s)$ has an $F_7^*$ minor using $e_0$ if and only if $G_s$ contains $-K_4$.

Corollary 2 For $m \ge 4$, $L_0(-K_m)$ is only representable over a field with characteristic 2.

Proof From the preceding proposition, $L_0(-K_m)$ has an $F_7^*$ minor using $e_0$. If a matroid is representable over a field $\mathbb{F}_q$ then its minor is also representable over the same field. It is well-known that $F_7^*$ can only be represented over a field with characteristic 2. □

Corollary 3 The access structure $\Gamma_{oc}$ defined on $K_m$, $m \ge 4$, can only be realized by an ideal LSSS over a field of characteristic 2.

4.3 LSSS realizing the access structure based on odd cycles

By Lemma 5 and using the binary representation of the complete lift matroid $L_0(-K_m)$, we get an ideal MSP realizing $\Gamma_{oc}$ over $\mathbb{F}_2$. We show that the same MSP computes $\Gamma_{oc}$ over any field of characteristic 2.

Proposition 8 Let $K_m$ be the complete graph on $m$ vertices and $\mathbb{F}_q$ be a field of characteristic 2. Suppose $M$ is an $(n \times m)$ matrix over $\mathbb{F}_q$ defined as $M = (\mathbf{1}^T \; H_m^T)$, where $\mathbf{1}$ is the all-one row vector and $H_m$ is a reduced incidence matrix of $K_m$. Then $\mathcal{M}(\mathbb{F}_q, M, \varepsilon = (1, 0, \ldots, 0))$ is an ideal MSP computing the access structure $\Gamma_{oc}$.

Proof Assume $H_m^T = (h_1^T \cdots h_{m-1}^T)$ where $h_i$ is the incidence vector of the vertex $v_i$. Given a secret $s$, the shares are generated by choosing $m - 1$ random values $r_1, \ldots, r_{m-1}$ and then computing $M(s, r_1, \ldots, r_{m-1})^T$. If a participant corresponds to an edge $(v_k, v_l)$ where $k, l$ are both not equal to $m$ then its share is given by $x_{kl} = s + r_k + r_l$. If a participant corresponds to an edge $(v_k, v_m)$ then its share is given by $x_{km} = s + r_k$.

Let $A \subseteq \mathcal{P}$. Suppose $A$ corresponds to an odd cycle. Then the first column of $M_A$ has an odd number of 1’s while the other columns have an even number of 1’s. Hence, taking the sum of the rows of $M_A$ gives us the target vector $(1, 0, \ldots, 0)$. Therefore, $A \in \Gamma_{oc}$.

Suppose $A$ does not contain an odd cycle, or equivalently, $A$ is bipartite. For a secret $s$, let $\{x_{kl} : (v_k, v_l) \in A\}$ be the set of shares of participants in $A$. We want to show that the number of random values to generate the shares $\{x_{kl} : (v_k, v_l) \in A\}$ given the secret $s$ is equal to the number of random values that generate the same set of shares given the secret $s'$ where $s \ne s'$.

Since $A$ is bipartite, we can partition the set of vertices corresponding to $A$ into two sets $V_1, V_2$ such that for any edge in $A$, one of its endpoints is in $V_1$ while the other is in $V_2$. Choose one $V_i$ which does not contain $v_m$. Note that it is possible that $v_m$ is contained in neither $V_1$ nor $V_2$. In this case, simply choose any set. Let $V'$ be the selected set. For $i = 1, \ldots, m - 1$, define $r'_i = r_i + (s - s')$ if $v_i \in V'$ and $r'_i = r_i$ otherwise. We will show that $r'_1, \ldots, r'_{m-1}$ generate the shares $\{x_{kl} : (v_k, v_l) \in A\}$.

Let $(v_k, v_l)$ be an edge in $A$ where $k, l$ are both not equal to $m$. Then only one of the endpoints, say $v_k$, is in $V'$. It follows that

$$x'_{kl} = s' + r'_k + r'_l = s' + r_k + (s - s') + r_l = s + r_k + r_l = x_{kl}.$$

Suppose now that $(v_k, v_m)$ is an edge in $A$. Then we have

$$x'_{km} = s' + r'_k = s' + r_k + (s - s') = s + r_k = x_{km}.$$

By construction, we can see that the MSP is ideal. □
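The sharing and reconstruction steps from the proof of Proposition 8, as an added Python example that is not part of the paper. Field elements are k-bit integers with XOR as addition (a field of characteristic 2), and the function names `deal`, `odd_cycle`, `reconstruct` and `view_distribution` are this example's own. It recovers the secret from any player set containing an odd cycle and checks exhaustively that a bipartite set sees the same share distribution for every secret.

```python
# Added example (not the paper's code): the ideal LSSS of Proposition 8 on K_m.
# Assumption: F_{2^k} elements are k-bit integers and field addition is XOR.
from collections import Counter, deque
from itertools import combinations, product
import secrets


def edges(m):
    """Edges of K_m as pairs (k, l) with k < l; one player per edge."""
    return list(combinations(range(1, m + 1), 2))


def deal(s, m, r=None, bits=8):
    """Shares x_kl = s + r_k + r_l; v_m has no random value (reduced matrix H_m)."""
    if r is None:
        r = [secrets.randbits(bits) for _ in range(m - 1)]
    r = list(r) + [0]
    return {(k, l): s ^ r[k - 1] ^ r[l - 1] for k, l in edges(m)}


def root_path(v, parent):
    """Edges on the search-tree path from v up to the root of its component."""
    path = set()
    while parent[v] is not None:
        path.add((min(v, parent[v]), max(v, parent[v])))
        v = parent[v]
    return path


def odd_cycle(edge_set):
    """Edge set of an odd cycle in the edge-induced subgraph, or None if it is bipartite."""
    adj = {}
    for k, l in edge_set:
        adj.setdefault(k, []).append(l)
        adj.setdefault(l, []).append(k)
    colour, parent = {}, {}
    for root in adj:
        if root in colour:
            continue
        colour[root], parent[root] = 0, None
        queue = deque([root])
        while queue:
            u = queue.popleft()
            for w in adj[u]:
                if w not in colour:
                    colour[w], parent[w] = colour[u] ^ 1, u
                    queue.append(w)
                elif colour[w] == colour[u]:
                    # Edge inside one colour class: the tree path u..w has even
                    # length, so closing it with (u, w) gives an odd cycle.
                    tree_path = root_path(u, parent) ^ root_path(w, parent)
                    return tree_path | {(min(u, w), max(u, w))}
    return None


def reconstruct(shares):
    """Sum the shares along an odd cycle; None when the set is unauthorized."""
    cycle = odd_cycle(shares.keys())
    if cycle is None:
        return None
    s = 0
    for e in cycle:
        s ^= shares[e]   # odd number of copies of s; every r_k appears twice
    return s


def view_distribution(A, s, m, bits=1):
    """Exact distribution of the shares seen by player set A over all r in F_{2^bits}^{m-1}."""
    dist = Counter()
    for r in product(range(1 << bits), repeat=m - 1):
        shares = deal(s, m, r)
        dist[tuple(shares[e] for e in A)] += 1
    return dist


if __name__ == "__main__":
    m = 5
    pentagon = [(1, 2), (2, 3), (3, 4), (4, 5), (1, 5)]              # odd cycle
    k23 = [(1, 3), (1, 4), (1, 5), (2, 3), (2, 4), (2, 5)]           # bipartite
    sh = deal(0xA7, m)
    print(hex(reconstruct({e: sh[e] for e in pentagon})))
    print(reconstruct({e: sh[e] for e in k23}))
    print(view_distribution(k23, 0, m, 2) == view_distribution(k23, 3, m, 2))
```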


4.4 Multiplicativity

We now consider the question: Can the access structure $\Gamma_{oc}$ be realized by an ideal multiplicative LSSS? If $m < 5$ then we know from Proposition 6 that the adversary structure $\mathcal{A}_{oc}$ is not Q2. Hence, we assume that $m \ge 5$.

Proposition 9 Let $\mathbb{F}_q$ be a field of characteristic 2. Then the ideal MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon)$ defined in Proposition 8 is not multiplicative.

Proof By Proposition 1, the ideal MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon)$ is multiplicative if and only if the system of linear equations $zM^* = \varepsilon^*$ is solvable. This means that $r((M^*)^T) = r((M^*)^T, (\varepsilon^*)^T)$ where $r(\cdot)$ denotes the rank of a matrix. Since $M = (\mathbf{1}^T \; H_m^T)$, then $M^* = (\mathbf{1}^T \; H_m^T \; (H_m^T)^*)$. It is not difficult to see that $r((H_m^T)^*) = n$ over $\mathbb{F}_q$, so $r((M^*)^T) = r(M^*) = n$. We can check that $r((M^*)^T, (\varepsilon^*)^T) = n + 1$. Therefore the MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon)$ is not multiplicative. □
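The solvability test of Proposition 1 applied to the MSP of Proposition 8 over $\mathbb{F}_2$, as an added Python example that is not from the paper. It goes slightly beyond Proposition 9 by running the same test on the matrix of Proposition 12 for $K_4$; the function names and the dealer convention $\langle \varepsilon, u \rangle = s$ are assumptions of this example.

```python
# Added example (not the paper's code): multiplicativity test z M* = eps* over F_2.
from itertools import combinations, product


def edges(m):
    """Edges of K_m as pairs (k, l) with k < l; row e of each matrix belongs to edge e."""
    return list(combinations(range(1, m + 1), 2))


def msp_oc(m):
    """M = (1^T | H_m^T) of Proposition 8; target vector eps = (1, 0, ..., 0)."""
    return [[1] + [int(i in e) for i in range(1, m)] for e in edges(m)]


def msp_ocy(m):
    """Matrix of Proposition 12 with columns 1 + h_i; target vector eps = (1, ..., 1)."""
    return [[1 ^ int(i in e) for i in range(1, m)] for e in edges(m)]


def star(M):
    """M* of Definition 4: entrywise column products p_i * p_j, ordered with i <= j."""
    l = len(M[0])
    return [[row[i] & row[j] for i in range(l) for j in range(i, l)] for row in M]


def solve_gf2(A, b):
    """Gauss-Jordan over F_2 for A z = b. Returns (z or None, rank of A)."""
    n = len(A[0])
    # One integer per equation: bits 0..n-1 are coefficients, bit n is the right-hand side.
    rows = [sum(a << j for j, a in enumerate(row)) | (rhs << n) for row, rhs in zip(A, b)]
    pivots, rank = [], 0
    for col in range(n):
        piv = next((i for i in range(rank, len(rows)) if (rows[i] >> col) & 1), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        for i in range(len(rows)):
            if i != rank and (rows[i] >> col) & 1:
                rows[i] ^= rows[rank]
        pivots.append(col)
        rank += 1
    if any(r == (1 << n) for r in rows[rank:]):
        return None, rank          # an equation 0 = 1 remains: augmented rank is rank + 1
    z = [0] * n
    for i, col in enumerate(pivots):
        z[col] = (rows[i] >> n) & 1
    return z, rank


def recombination_vector(M, eps):
    """Proposition 1: solve z M* = eps*. Returns (z or None, rank of M*)."""
    A = [list(col) for col in zip(*star(M))]   # (M*)^T: one equation per column of M*
    return solve_gf2(A, star([eps])[0])


def product_holds(M, eps, z):
    """Check s*s' = <z, (x_1 x'_1, ..., x_n x'_n)> for every pair of dealer vectors.

    Assumption: the dealer picks u with <eps, u> = s and player e gets <M_e, u>.
    """
    def dot(u, v):
        return sum(a & b for a, b in zip(u, v)) & 1
    vecs = list(product((0, 1), repeat=len(eps)))
    return all(
        (dot(eps, u) & dot(eps, v)) == dot(z, [dot(row, u) & dot(row, v) for row in M])
        for u in vecs for v in vecs)


if __name__ == "__main__":
    z, rank = recombination_vector(msp_oc(5), [1, 0, 0, 0, 0])
    print("Gamma_oc on K_5:", z, "rank of M* =", rank)    # None, 10
    z, rank = recombination_vector(msp_ocy(4), [1, 1, 1])
    print("Gamma_ocy on K_4:", z, "rank of M* =", rank)   # all-one vector, 6
```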

Proposition 10 The access structure $\Gamma_{oc}$ does not admit an ideal MLSSS over any field.

Proof First, we consider the case over a field $\mathbb{F}_q$ of characteristic not equal to 2. By Corollary 3, there is no ideal MLSSS realizing $\Gamma_{oc}$ over $\mathbb{F}_q$.

Next, we consider the case over $\mathbb{F}_2$. We can deduce from Lemmas 3 and 6 that if an access structure can be realized by an ideal LSSS over $\mathbb{F}_2$ then this scheme is unique over $\mathbb{F}_2$. Hence, by Propositions 8 and 9, $\Gamma_{oc}$ does not admit an ideal MLSSS over $\mathbb{F}_2$.

Lastly, we look at the case over a nonbinary field $\mathbb{F}_q$ of characteristic 2. By Proposition 8, we have an ideal LSSS realizing $\Gamma_{oc}$ over $\mathbb{F}_q$. Now Lemmas 4 and 6 tell us that the ideal LSSS is unique. Thus, by Proposition 9, $\Gamma_{oc}$ does not admit an ideal MLSSS over $\mathbb{F}_q$. □

5 Ideal multiplicative LSSS based on graphical codes

In this section, we present the ideal multiplicative LSSS that we were able to find by using the incidence matrix and Lemma 1. We describe the corresponding access structure in terms of graphs and we show the connection to some graphical codes.

5.1 Access structure

Let $G(V, E)$ be a connected undirected graph with $V = \{v_1, \ldots, v_m\}$ and $E = \{e_1, \ldots, e_n\}$. Given $F \subseteq E$, we define $d_F(v)$ to be the number of edges in $F$ incident with the vertex $v$. Let $Y$ be the collection of all $F \subseteq E$ such that $|F|$ is even and $d_F(v_i)$ is odd for $1 \le i \le m - 1$.

Definition 6 Let $K_m$ be the complete graph with $m$ vertices and let $n$ be the number of edges. For $i = 1, \ldots, n$, every player $P_i$ is assigned to an edge. Define

$$\Gamma_{ocy} = \{A \subseteq \mathcal{P} \mid K_m[A] \text{ contains an odd cycle or } K_m[A] \text{ contains a set in } Y\}.$$

Then $\Gamma_{ocy}$ is an access structure.


Based on the definition, �ocy satisfies the monotone increasing property.

Example 3 Consider the complete graph $K_4$ (see Fig. 1). The minimal access structure based on odd cycles is

$$\Gamma_{oc}^- = \{\{P_1, P_3, P_5\}, \{P_1, P_2, P_4\}, \{P_2, P_3, P_6\}, \{P_4, P_5, P_6\}\}$$

while the minimal access structure based on odd cycles and $Y$-sets is

$$\Gamma_{ocy}^- = \{\{P_1, P_3, P_5\}, \{P_1, P_2, P_4\}, \{P_2, P_3, P_6\}, \{P_4, P_5, P_6\}, \{P_1, P_6\}, \{P_3, P_4\}, \{P_2, P_5\}\}.$$

We can check that the first one is not $Q_2$ while the second one is $Q_2$.

Proposition 11 The access structure $\Gamma_{ocy}$ satisfies the following properties:

i. Let $d \ge 2$ be an integer. If $m \ge 2d + 1$ then the access structure $\Gamma_{ocy}$ is $Q_d$.
ii. If $m \ge 4$ then the access structure $\Gamma_{ocy}$ is $Q_2$ but is not self-dual.

Proof Since $\Gamma_{oc} \subseteq \Gamma_{ocy}$ then the first part of the proposition follows from Proposition 6. For the second part, first we recall that self-dual access structures coincide with the minimally $Q_2$ access structures [8]. We claim that $K_m$ contains a subset of edges belonging to the set $Y$. Indeed, if $m$ is odd then

$$\{v_1 v_m, v_2 v_m, \cdots, v_{m-1} v_m\} \in Y$$

while if $m$ is even then

$$\{v_1 v_4, v_1 v_5, \cdots, v_1 v_m, v_2 v_3\} \in Y.$$

When $m \ge 5$, we have $\Gamma_{oc}$ is $Q_2$ and $\Gamma_{oc} \subset \Gamma_{ocy}$, which means that $\Gamma_{ocy}$ is not minimal. When $m = 4$, we can directly check that $\Gamma_{ocy}$ is not self-dual. □

5.2 Linear secret sharing scheme realizing $\Gamma_{ocy}$

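Proposition 12 Suppose $M$ is an $n \times (m-1)$ matrix over $\mathbb{F}_2$ given by

$$M = \begin{pmatrix} \mathbf{1} + h_1 \\ \mathbf{1} + h_2 \\ \vdots \\ \mathbf{1} + h_{m-1} \end{pmatrix}^T,$$

where $\mathbf{1}$ is the all-one vector, $h_i$ is the incidence vector of vertex $v_i$, $1 \le i \le m-1$, and $+$ is the usual binary vector addition. Then $\mathcal{M}(\mathbb{F}_2, M, \varepsilon = (1, \ldots, 1))$ is an ideal MSP computing the access structure $\Gamma_{ocy}$.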

Proof Let $A \subseteq \mathcal{P}$ and for simplicity, we denote by $K_m[A]$ the subgraph induced by the edges corresponding to $A$. We shall prove that $A \in \Gamma_{ocy}$ if and only if $\varepsilon \in \mathrm{span}(M_A)$. Note that $\varepsilon \in \mathrm{span}(M_A)$ if and only if there exists a recombination vector $w'$ such that $\varepsilon = w' M_A$. Equivalently, there exists an $n$-dimensional vector $w$ such that $wM = \varepsilon$ and with $w_A = w'$, $w_{\bar{A}} = 0$. This means that $w(\mathbf{1} + h_i)^T = 1$ for $i = 1, \ldots, m-1$. Now $w(\mathbf{1} + h_i)^T = 1$ if and only if:

(1) $w \cdot \mathbf{1}^T = 1$ and $w \cdot h_i^T = 0$, or

(2) $w \cdot \mathbf{1}^T = 0$ and $w \cdot h_i^T = 1$.

The first case means that $K_m[A]$ contains an odd cycle while the second case means that $K_m[A]$ contains a set in $Y$. □

Consider again the extended cycle code $C^*(K_m)$. Let $F \subseteq E$ be an element in the set $Y$ and let $f$ be the characteristic vector of the subgraph induced by $F$. We will augment $C^*(K_m)$ by adjoining the vector $(1, f)$. We denote the resulting space by $D(K_m)$. The technique of augmenting graphical codes has been considered before in [13, 14] to increase the number of codewords and to improve the decoding of graphical codes. The following proposition implies that the secret sharing scheme based on the dual of $D(K_m)$ realizes the access structure $\Gamma_{ocy}$.

Proposition 13 A parity check matrix of $D(K_m)$ is given by

$$P = \begin{pmatrix} 1 & \mathbf{1} + h_1 \\ 1 & \mathbf{1} + h_2 \\ \vdots & \vdots \\ 1 & \mathbf{1} + h_{m-1} \end{pmatrix},$$

where $h_i$ is the incidence vector of vertex $v_i$, $1 \le i \le m-1$, and $+$ is the usual binary vector addition.

Proof First, note that it is not difficult to show that $P(1, f)^T = 0^T$. Let $G$ be a generator matrix of $C^*(K_m)$. We know that $H_m G^T = 0$ where $H_m$ is the reduced incidence matrix and $0$ is the zero matrix. Then a generator matrix of $C^*(K_m)$ is given by $G = (b^T \;\; G)$ where the entries in the first column $b^T$ are the parity check bits of the rows of $G$. We can then verify that $PG^T = 0$. Therefore, $P$ is a parity check matrix of $D(K_m)$. □

5.3 Multiplicativity

Let $\mathcal{M}(\mathbb{F}_2, M, \varepsilon)$ be the ideal MSP constructed in Proposition 12. Since the graph is complete then the number of rows of $M$ is $n = m(m-1)/2$. Thus, $M^*$ is an $n \times n$ matrix. Using Lemma 1, to prove that $\mathcal{M}$ is multiplicative, we need to show that $zM^* = \varepsilon^*$ is solvable. In particular, we are going to look at the rank of the matrix $M^*$.

Proposition 14 Let $\mathcal{M}(\mathbb{F}_2, M, \varepsilon)$ be the ideal MSP that computes the access structure $\Gamma_{ocy}$. Then the system of linear equations $zM^* = \varepsilon^*$ is solvable if and only if $m \equiv 0, 1 \bmod 4$.

Proof The matrix $M^*$ is column equivalent to the matrix $J + (H_m^T)^*$, where $J$ is the $n \times n$ all-one matrix and $H_m$ is the reduced incidence matrix. Let $V = \{v_1, \ldots, v_m\}$. Without loss of generality, we label the edges as follows.

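$$\begin{aligned}
e_i &= v_i v_m, && 1 \le i \le m-1 \\
e_{(m-1)+i-1} &= v_1 v_i, && 2 \le i \le m-1 \\
e_{(m-1)+(m-2)+i-2} &= v_2 v_i, && 3 \le i \le m-1 \\
&\;\;\vdots \\
e_{(m-1)+(m-2)+\cdots+(m-k)+i-k} &= v_k v_i, && k+1 \le i \le m-1 \\
&\;\;\vdots \\
e_{(m-1)+\cdots+2+1} &= v_{m-2} v_{m-1}.
\end{aligned}$$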

Then $[(H_m^T)^*]^T$ can be expressed in the form

$$\begin{pmatrix} I_{m-1} & P \\ 0 & I_{n-m+1} \end{pmatrix}$$

where $I$ is the identity matrix, $0$ is the zero matrix and $P$ is an $(m-1) \times (n-m+1)$ matrix, in which each row has $m-2$ nonzero entries and each column has 2 nonzero entries.

Let $D$ be the row transformation matrix such that $D[(H_m^T)^*]^T = I_n$, then $(M^*)^T$ is row equivalent to $DJ + I_n$. Note that the system of linear equations $zM^* = \varepsilon^*$ is equivalent to the system of linear equations $D(M^*)^T z^T = D(\varepsilon^*)^T$ where $D$ is a nonsingular matrix. We consider two cases.

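(1) When $m$ is even, i.e., $m-2$ is even, then $D(\varepsilon^*)^T = (\varepsilon^*)^T$, $DJ = J$, and

$$DJ + I_n = \begin{pmatrix} 0 & 1 & 1 & \cdots & 1 \\ 1 & 0 & 1 & \cdots & 1 \\ 1 & 1 & 0 & \cdots & 1 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & 1 & 1 & \cdots & 0 \end{pmatrix}.$$

Since

$$r(DJ + I_n) = \begin{cases} n & \text{when } n \text{ is even} \\ n-1 & \text{when } n \text{ is odd} \end{cases}$$

and $r(DJ + I_n, (\varepsilon^*)^T) = n$, then the system of linear equations $zM^* = \varepsilon^*$ is solvable if and only if $n$ is even. Now, $n$ is even if and only if $m \equiv 0 \bmod 4$.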

(2) When $m$ is odd, i.e., $m-2$ is odd,

$$DJ = \begin{pmatrix} 0 & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 0 \\ 1 & 1 & \cdots & 1 \\ \vdots & \vdots & \ddots & \vdots \\ 1 & 1 & \cdots & 1 \end{pmatrix},$$

where there are $m-1$ all-zero rows and there are $n-m+1$ all-one rows. Similarly,

$$D(\varepsilon^*)^T = (0 \; 0 \; \ldots \; 0 \; 1 \; 1 \; \ldots \; 1)^T$$

where the vector at the right hand of the equation contains $m-1$ zeros. Thus the system of linear equations $zM^* = \varepsilon^*$ is equivalent to the system of linear equations

$$\begin{pmatrix} I_{m-1} & 0 \\ J_{(n-m+1)\times(m-1)} & E \end{pmatrix} z^T = D(\varepsilon^*)^T,$$

where

$$E = \begin{pmatrix} 0 & 1 & 1 & \cdots & 1 \\ 1 & 0 & 1 & \cdots & 1 \\ 1 & 1 & 0 & \cdots & 1 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & 1 & 1 & \cdots & 0 \end{pmatrix}$$

is an $(n-m+1) \times (n-m+1)$ square matrix.

Using a similar argument as in the previous case, we can see that when $m$ is odd, the system of linear equations $zM^* = \varepsilon^*$ is solvable if and only if $n$ is even. This means that $m \equiv 1 \bmod 4$. □

Corollary 4 Let $\mathcal{M}(\mathbb{F}_2, M, \varepsilon)$ be the ideal MSP that computes the access structure $\Gamma_{ocy}$. Then $\mathcal{M}$ is multiplicative if and only if $m \equiv 0, 1 \bmod 4$.
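As an added check (not code from the paper), the following Python code builds the matrix $M$ of Proposition 12 over $\mathbb{F}_2$, recovers the minimal access structures of Example 3 by brute force, tests the $Q_2$ property, and verifies Corollary 4 for small $m$. Assumptions: the edge labelling of $P_1, \ldots, P_6$ (Fig. 1 is not reproduced on this page), all function names, and that row $i$ of $M^*$ is $M_i \otimes M_i$ with $\varepsilon^* = \varepsilon \otimes \varepsilon$, the usual product construction for an ideal MSP.

```python
from itertools import combinations

# Assumed labelling of players P1..P6 to edges of K4 (Fig. 1 is not reproduced here).
K4_EDGES = [(1, 2), (1, 4), (1, 3), (2, 4), (2, 3), (3, 4)]

def complete_graph_edges(m):
    """Edges of K_m as vertex pairs (a, b) with 1 <= a < b <= m."""
    return list(combinations(range(1, m + 1), 2))

def msp_rows(edges, m):
    """Rows of M packed into ints: bit i-1 of the row for edge e is
    1 + h_i[e] over F_2, i.e. 0 if v_i lies on e and 1 otherwise."""
    return [sum(1 << (i - 1) for i in range(1, m) if i not in e) for e in edges]

def in_span(vectors, target):
    """True if target is an F_2-linear combination of vectors (XOR basis)."""
    basis = {}  # leading bit position -> basis vector

    def reduce(v):
        while v and (v.bit_length() - 1) in basis:
            v ^= basis[v.bit_length() - 1]
        return v

    for v in vectors:
        v = reduce(v)
        if v:
            basis[v.bit_length() - 1] = v
    return reduce(target) == 0

def minimal_qualified_sets(edges, m):
    """Minimal player sets A (1-based edge indices) with eps in span(M_A)."""
    rows, eps = msp_rows(edges, m), (1 << (m - 1)) - 1
    minimal = []
    for k in range(1, len(edges) + 1):  # increasing size gives minimality
        for A in combinations(range(len(edges)), k):
            if any(B <= set(A) for B in minimal):
                continue
            if in_span([rows[i] for i in A], eps):
                minimal.append(set(A))
    return {frozenset(i + 1 for i in A) for A in minimal}

def is_q2(minimal, n):
    """Q2 check: for every player set A, A or its complement is qualified."""
    players = set(range(1, n + 1))
    qualified = lambda A: any(B <= A for B in minimal)
    return all(qualified(set(A)) or qualified(players - set(A))
               for k in range(n + 1) for A in combinations(sorted(players), k))

def is_multiplicative(m):
    """Solvability of z M* = eps*, with row i of M* taken as M_i (x) M_i and
    eps* = eps (x) eps (assumed definition, not restated on this page)."""
    e = m - 1
    def square(v):
        bits = [(v >> i) & 1 for i in range(e)]
        return sum((bits[i] & bits[j]) << (i * e + j)
                   for i in range(e) for j in range(e))
    rows = msp_rows(complete_graph_edges(m), m)
    return in_span([square(r) for r in rows], square((1 << e) - 1))

if __name__ == "__main__":
    gamma_ocy = minimal_qualified_sets(K4_EDGES, 4)
    print(sorted(sorted(A) for A in gamma_ocy))
    print("Q2:", is_q2(gamma_ocy, 6))
    print({m: is_multiplicative(m) for m in range(4, 10)})
```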

6 Conclusion

This paper dealt with linear secret sharing schemes based on the following codes from complete graphs: cut-set code, cycle code, dual of extended cycle code and dual of augmented extended cycle code. We described the access structures and determined whether the access structures admit ideal multiplicative linear secret sharing schemes. We showed that the access structure based on odd cycles, which corresponds to the scheme based on the dual of extended cycle code, does not admit any ideal multiplicative LSSS. We also showed that the ideal LSSS based on the dual of an augmented extended cycle code is multiplicative in some cases.

Acknowledgements The work of Y. Gao is supported in part by the National Natural Science Foundation of China by Grant 11101019 and the Fundamental Research Funds for the Central Universities in China (No. YWF-10-02-072). Part of the work was done while she was visiting Nanyang Technological University. The work of R. dela Cruz is supported in part by the NTU PhD Research Scholarship and the Merlion PhD Grant of the French Embassy in Singapore. He would like to thank Telecom-ParisTech for its hospitality. The authors would like to thank Carles Padró and Huaxiong Wang for some helpful discussions, and the anonymous reviewers for their valuable comments and suggestions.

Appendix A: Some definitions and basic results on SSS

We present in this appendix the relation between secret sharing schemes, monotone span programs, matroids and linear codes.

A.1 Linear secret sharing schemes and monotone span programs

We describe the relation between LSSS and monotone span programs (MSP).

Definition 7 [15] A Monotone Span Program (MSP) $\mathcal{M}$ is a quadruple $(\mathbb{F}_q, M, \varepsilon, \psi)$, where $M$ is a matrix over $\mathbb{F}_q$ with $l$ rows and $e \le l$ columns, $\psi : \{1, \ldots, l\} \to \{1, \ldots, e\}$ is a surjective (labelling) function and $\varepsilon = (1, 0, \ldots, 0) \in \mathbb{F}_q^e$ is called a target vector. The size of $\mathcal{M}$ is defined as $\mathrm{size}(\mathcal{M}) = l$.

We can think of $\psi$ as a function assigning one or more rows to a player in $\mathcal{P}$. Given the matrix $M$ of an MSP and a subset $A$ of players, we denote by $M_A$ the matrix $M$ restricted to those rows $i$ such that $\psi(i) \in A$. Similarly, if $w$ is an $e$-vector then we use the notation $w_A$ for the restriction of $w$ to the coordinates $i$ such that $\psi(i) \in A$. In general, any nonzero vector can serve as a target vector for an MSP.

LSSS and MSP are equivalent [3, 15]. From an MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$, we can obtain a linear secret sharing scheme. To share a secret $s \in \mathbb{F}$, the dealer first chooses at random a vector $\rho \in \mathbb{F}_q^{e-1}$ then computes $M(s, \rho)^T$. The $i$th coordinate of $M(s, \rho)^T$ is given to player $P_{\psi(i)}$. A group of players can reconstruct the secret if and only if the target vector $\varepsilon$ is in the linear span of the rows assigned to the members of the group. An MSP is said to compute an access structure $\Gamma$ when $\varepsilon \in \mathrm{span}(M_A)$ if and only if $A$ is a member of $\Gamma$. We say that $A$ is accepted by $\mathcal{M}$ if and only if $A \in \Gamma$, otherwise we say that $A$ is rejected by $\mathcal{M}$. Hence, when a set $A$ is accepted by $\mathcal{M}$, there exists a so-called recombination vector $\lambda$ such that $\lambda M_A = \varepsilon$. Using the recombination vector $\lambda$, the following relations hold: $\langle \lambda, (s, \rho) M_A^T \rangle = \langle \lambda M_A, (s, \rho) \rangle = \langle \varepsilon, (s, \rho) \rangle = s$ for any secret $s$ and vector $\rho$.

A.2 Secret sharing schemes and matroids

We discuss here the connection between access structures and matroids. The material here on matroid theory is taken from [20]. There are many different but equivalent definitions for the concept of a matroid. Here we use the definition in terms of rank functions.

Let $Q = \{0, 1, \cdots, n\}$ be a finite set and let $2^Q$ denote the power set of $Q$. A matroid $\mathcal{F}$ is a pair $(Q, r)$ where $r : \mathcal{P}(Q) \to \mathbb{Z}$ is a rank function satisfying the following three properties:

1. $0 \le r(X) \le |X|$ for every $X \subseteq Q$;
2. $r$ is monotone increasing: if $X \subseteq Y \subseteq Q$, then $r(X) \le r(Y)$, and
3. $r$ is submodular: $r(X \cup Y) + r(X \cap Y) \le r(X) + r(Y)$ for every pair of subsets $X, Y$ of $Q$.

The subsets $X \subseteq Q$ with $r(X) = |X|$ are said to be independent. The bases of the matroid are the maximal independent sets. All bases have the same number of elements, which is defined to be the rank of $\mathcal{F}$. The dependent sets are those that are not independent, and a circuit is a minimal dependent set. A matroid $\mathcal{F}$ is said to be connected if, for every two points in $Q$ (which is called the ground set), there exists a circuit containing them.

The next definition relates access structures and matroids (cf. [4]).

Definition 8 Let $\Gamma$ be an access structure on $n$ players $\{1, \cdots, n\}$ and let $\mathcal{F} = (Q, r)$ be a connected matroid. We say that the matroid $\mathcal{F}$ is appropriate for the access structure $\Gamma$ if $Q = \{0, 1, \cdots, n\}$ and

$$\Gamma^- = \{C \setminus \{0\} \mid 0 \in C \text{ and } C \text{ is a circuit of } \mathcal{F}\}.$$

An access structure is said to be connected if every player belongs to at least one minimal qualified set. We can assume that the access structures considered in this paper are connected. For a connected access structure, if there is a matroid appropriate for it, then the matroid is connected. Moreover, if a connected matroid is appropriate for an access structure, then that matroid is unique [4]. For an ideal access structure, we have the following lemma from [6].

Lemma 2 If an access structure is ideal, then it has an appropriate matroid.

A matroid $\mathcal{F} = (Q, r)$ is said to be $\mathbb{F}_q$-representable if there exists a matrix $G$ over $\mathbb{F}_q$ with $n+1$ columns (labelled $0, 1, \ldots, n$) such that for every $X \subseteq Q$, $r(X)$ is defined to be the rank of the submatrix formed by the columns of $G$ corresponding to $X$. A binary matroid is one that is representable over $\mathbb{F}_2$. A rank-$k$ matroid $\mathcal{F}$ on an $(n+1)$-element set is called uniquely $\mathbb{F}_q$-representable if all of the $k \times (n+1)$ matrices representing $\mathcal{F}$ over $\mathbb{F}_q$ are equivalent. We will need the following well-known results on binary matroids (cf. [20]).

Lemma 3 A binary matroid is uniquely F2-representable.

Lemma 4 If a binary matroid is representable over a field $\mathbb{F}_q$, then it is uniquely $\mathbb{F}_q$-representable.

Suppose we have an ideal access structure which has a representable appropriate matroid. The next two lemmas describe a relation between a matrix representation of the matroid and an MSP computing the access structure.

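Lemma 5 Assume $\Gamma$ is an ideal access structure for $n$ players and $\mathcal{F}$ is the $\mathbb{F}_q$-representable matroid appropriate for $\Gamma$. Let $G = (g_0 \; g_1 \; \cdots \; g_n)$ be a representation of $\mathcal{F}$ over $\mathbb{F}_q$, where $g_i$ is the $i$th column of $G$. Let $M = (g_1 \; \cdots \; g_n)^T$, $\varepsilon = g_0^T$, and $\psi$ the one-to-one map. Then the MSP $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$ computes $\Gamma$.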

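Lemma 6 Assume $\Gamma$ is an ideal access structure for $n$ players and $\mathcal{F}$ is the $\mathbb{F}_q$-representable matroid appropriate for $\Gamma$. Let $\mathcal{M}(\mathbb{F}_q, M, \varepsilon, \psi)$ be an ideal MSP computing $\Gamma$. Then the matrix $G = (\varepsilon^T \; M^T)$ is a representation of $\mathcal{F}$ over $\mathbb{F}_q$.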

A.3 Linear secret sharing schemes and linear codes

Given a vector $c = (c_1, \ldots, c_n)$ in $\mathbb{F}_q^n$, its Hamming weight, $\mathrm{wt}(c)$, is the number of its non-zero coordinates. The support of a vector $c \in \mathbb{F}_q^n$ is given by $\mathrm{supp}(c) = \{i : c_i \ne 0, 1 \le i \le n\}$. An $[n, k, d]$ linear code $C$ over $\mathbb{F}_q$ is a linear subspace of $\mathbb{F}_q^n$ where $k$ is the dimension and $d$ is the minimum Hamming weight. A generator matrix $G$ for a code $C$ is a matrix whose rows form a basis for $C$. For any linear code $C$, we denote by $C^\perp$ its dual under the usual inner product.

Definition 9 [1, 10, 18] For any two vectors $c_1, c_2 \in \mathbb{F}_q^n$, we say that $c_2$ covers $c_1$ if $\mathrm{supp}(c_1) \subseteq \mathrm{supp}(c_2)$. A nonzero codeword of a linear code $C$ is called a minimal codeword if it covers only its scalar multiples but no other nonzero codewords.

Let $C$ be an $[n+1, k]$ linear code over $\mathbb{F}_q$. Massey [18] presented the following construction of an ideal LSSS over $\mathbb{F}_q$:

1. Let $s \in \mathbb{F}_q$ be a secret and let $G$ be a generator matrix of $C$. Denote the $i$th column of $G$ by $g_i$, $i = 0, \ldots, n$.

2. The dealer $D$ randomly selects a vector $u \in \mathbb{F}_q^k$ such that $u \cdot g_0 = s$.

3. The dealer computes the corresponding codeword $c = (c_0, c_1, \ldots, c_n) = uG$ (note that $c_0 = s$). The share of $P_i$ is $c_i$, for $i = 1, \ldots, n$.

The secret $s$ can be determined by the set of shares $\{c_{i_1}, c_{i_2}, \ldots, c_{i_r}\}$ if and only if $g_0$ is a linear combination of $\{g_{i_1}, \ldots, g_{i_r}\}$ where $1 \le i_1 < \cdots < i_r \le n$.
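Massey's construction above, and equivalently the MSP-based sharing of Appendix A.1, run on the $K_4$ scheme of Proposition 12 with $G = (\varepsilon^T \; M^T)$ over $\mathbb{F}_2$: an added Python example, not code from the paper, that deals shares, reconstructs with a recombination vector, and checks by exhaustive enumeration that a rejected set learns nothing. The edge labelling of the players (indices 0..5 for $P_1, \ldots, P_6$) and all function names are assumptions.

```python
from itertools import combinations, product
from collections import Counter

# Assumed labelling of players P1..P6 (indices 0..5) to edges of K4.
K4_EDGES = [(1, 2), (1, 4), (1, 3), (2, 4), (2, 3), (3, 4)]
# Row of M for edge e: coordinate i is 0 if v_i lies on e, 1 otherwise (i = 1, 2, 3).
M_ROWS = [tuple(0 if i in e else 1 for i in (1, 2, 3)) for e in K4_EDGES]
EPS = (1, 1, 1)  # target vector of Proposition 12, i.e. column g_0 of G

def dot(u, v):
    """Inner product over F_2."""
    return sum(a * b for a, b in zip(u, v)) % 2

def deal(u):
    """Dealer's codeword without c_0: player i receives c_i = <M_i, u>.
    The secret is c_0 = <EPS, u>."""
    return [dot(row, u) for row in M_ROWS]

def recombination_vector(players):
    """Subset of `players` whose rows XOR to EPS (a 0/1 recombination vector),
    or None if EPS is not in span(M_A). Brute force is enough at this size."""
    for k in range(1, len(players) + 1):
        for sub in combinations(players, k):
            if all(sum(M_ROWS[p][c] for p in sub) % 2 == EPS[c] for c in range(3)):
                return sub
    return None

def reconstruct(shares, players):
    """s = <lambda, shares_A>; returns None when A is rejected."""
    lam = recombination_vector(players)
    return None if lam is None else sum(shares[p] for p in lam) % 2

def view_distribution(players, secret):
    """Multiset of share tuples seen by `players` over every dealer choice u
    with <EPS, u> = secret."""
    return Counter(tuple(deal(u)[p] for p in players)
                   for u in product((0, 1), repeat=3) if dot(EPS, u) == secret)

if __name__ == "__main__":
    u = (1, 0, 0)                      # encodes the secret bit 1
    shares = deal(u)
    print(reconstruct(shares, [0, 5]))      # {P1, P6}: perfect matching, accepted
    print(reconstruct(shares, [1, 3, 5]))   # {P2, P4, P6}: star at v4, rejected
    print(view_distribution([1, 3, 5], 0) == view_distribution([1, 3, 5], 1))
```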

In [18], it was shown that there is a relationship between the minimal authorized sets of the secret sharing scheme based on $C$ and the minimal codewords of the dual code $C^\perp$.

Lemma 7 [18] Let $C$ be an $[n+1, k]$ linear code over $\mathbb{F}_q$. In the secret sharing scheme based on $C$, the set $\{P_{i_1}, \ldots, P_{i_r}\} \subseteq \mathcal{P}$ such that $i_1 < \cdots < i_r$ is a minimal authorized set if and only if there exists a minimal codeword $w = (w_0, w_1, \ldots, w_n) \in C^\perp$ such that $\mathrm{supp}(w) = \{0, i_1, \ldots, i_r\}$ and $w_0 = 1$.

Given an $[n+1, k]$ linear code $C$ over $\mathbb{F}_q$, there is a unique matroid $\mathcal{F}$ on the set $Q = \{0, 1, \ldots, n\}$ associated with it. Any generator matrix of $C$ is a representation over $\mathbb{F}_q$ of the matroid $\mathcal{F}$. If $\Gamma$ is the access structure realized by the secret sharing scheme based on $C$ then $\mathcal{F}$ is the appropriate matroid for $\Gamma$. We note that a representable matroid can be associated with different codes.

References

1. Ashikhmin, A., Barg, A.: Minimal vectors in linear codes. IEEE Trans. Inform. Theory IT-44, 2010–2017 (1998)

2. Beimel, A.: Secret sharing schemes: a survey. In: Coding and Cryptology, Third International Workshop, IWCC 2011. Lecture Notes in Computer Science, vol. 6639, pp. 11–46. Springer, New York (2011)

3. Beimel, A.: Secure Schemes for Secret Sharing and Key Distribution. Ph.D. dissertation, Technion-Israel Inst. Technol., Haifa, Israel (1996)

4. Beimel, A., Chor, B.: Universally ideal secret-sharing schemes. IEEE Trans. Inform. Theory IT-40, 786–794 (1994)

5. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press, Montvale, NJ (1979)

6. Brickell, E., Davenport, D.: On the classification of ideal secret sharing schemes. J. Cryptol. 4, 123–134 (1991)

7. Chen, H., Cramer, R.: Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. In: Proceedings of 26th Annual IACR CRYPTO. Lecture Notes in Computer Science, vol. 4117, pp. 521–536. Springer, New York (2006)

8. Cramer, R., Damgård, I., Maurer, U.: General secure multi-party computation from any linear secret-sharing schemes. In: Proceedings of 19th Annual IACR EUROCRYPT. Lecture Notes in Computer Science, vol. 1807, pp. 316–334. Springer, New York (2000)

9. Cramer, R., Daza, V., Gracia, I., Urroz, J., Leander, G., Martí-Farré, J., Padró, C.: On codes, matroids, and secure multi-party computation from linear secret-sharing schemes. IEEE Trans. Inform. Theory IT-54, 2644–2657 (2008)

10. Ding, C., Yuan, J.: Covering and Secret Sharing with Linear Codes. In: Discrete Mathematics and Theoretical Computer Science. Lecture Notes in Computer Science, vol. 2731, pp. 11–25. Springer, New York (2003)

11. Gerards, A., Schrijver, A.: Signed Graph – Regular Matroids – Grafts. Research Memorandum, Faculteit der Economische Wetenschappen, Tilburg University (1986)

12. Goldreich, O., Micali, S., Wigderson, A.: How to play ANY mental game. In: Proc. 19th annual ACM Symposium on Theory of Computing, STOC'87, pp. 218–229. New York (1987)

13. Hakimi, S., Bredeson, J.: Graph-theoretic error-correcting codes. IEEE Trans. Inform. Theory IT-14, 584–591 (1968)

14. Jungnickel, D., Vanstone, S.: Graphical codes revisited. IEEE Trans. Inform. Theory IT-43, 136–146 (1997)

15. Karchmer, M., Wigderson, A.: On span programs. In: Proc. 8th IEEE Structure in Complexity Theory, pp. 102–111. IEEE Computer Society Press, Los Alamitos, CA (1993)

16. Kasper, E., Nikova, S., Nikov, V.: Strongly multiplicative hierarchical threshold secret sharing. In: Proc. 2nd Int. Conf. on Information Theoretic Security. Lecture Notes in Computer Science, vol. 4883, pp. 148–168. Springer, New York (2007)

17. Liu, M., Xiao, L., Zhang, Z.: Multiplicative linear secret sharing schemes based on connectivity of graphs. IEEE Trans. Inform. Theory IT-53, 3973–3978 (2007)

18. Massey, J.L.: Minimal codewords and secret sharing. In: Proc. 6th Joint Swedish-Russian Workshop Inf. Theory, pp. 276–279. Molle, Sweden (1993)

19. Nikova, S., Nikov, V.: On multiplicative secret sharing schemes realizing graph access structures. In: International Workshop on Optimal Codes and Related Topics, pp. 194–199. Balchik, Bulgaria (2007)

20. Oxley, J.: Matroid Theory. Oxford Science Publications, Oxford University Press, New York (1992)

21. Padró, C., Gracia, I.: Representing small identically self-dual matroids by self-dual codes. SIAM J. Discrete Math. 20, 1046–1055 (2006)

22. Shamir, A.: How to share a secret. Commun. ACM 22, 612–613 (1979)

23. Stinson, D.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2, 357–390 (1992)

24. Stinson, D.: Cryptography Theory and Practice, 3rd edn. CRC Press, Boca Raton, FL (2005)

25. West, D.: Introduction to Graph Theory, 2nd edn. Prentice Hall, New York (2001)

26. Yao, A.: Protocols for secure computation. In: Proc. 23rd IEEE Symp. Foundation of Computer Science, FOCS '82, IL, pp. 160–164. Chicago (1982)