Methods of encrypting monotonic access structures

We will present some ideas about sharing a secret in a monotonic access structure. We show the relations which occur between the method of encrypting a monotonic access structure with the use of basis sets or maximal unprivileged sets, and that based on a logical formula (used by Benaloh and Leichter in [ 1 ]). We will also give some facts connected with the problem of security, including the aspects of a hierarchy security in the structure. The method of encrypting a monotonic access structure using a family of basis sets or a family of maximal sets that cannot reconstruct the secret will be described in a general way. Some aspects of using the latter based on a logical formula will be also given. Any (general) access structure can be encrypted by each of them but the way of sharing a secret is quite diﬀerent and usually a speciﬁed method has to be chosen to achieve a desirable level of security and time complexity.


Introduction
The question of how to distribute a secret among a group of participants such that only certain subgroups, called privileged, could reconstruct it was answered in 1979 by Blakley [2] and Shamir [3]. The Shamir scheme with the threshold k frequently used allows to distribute a secret number s to n participants, such that any k or more entities can reconstruct it, but not fewer. This threshold scheme is denoted by (k,n). Typically it is realized by a polynomial f of the degree k − 1, in which the free term represents the secret value s, and the shares of n participants are nodes of the form (x, f (x)). With k of these nodes we can reconstruct the polynomial (corresponding system of equations would have a unique solution), so in particular we can read a free term. As we can see, in the threshold systems we do not choose which groups of participants are privileged and we have only some freedom in choosing k, that is the minimal size of a group that can reconstruct the secret. Ito, Seito, Nishizeki in their work [4] from 1987 described a general method of distributing a secret such that only previously chosen, privileged subsets can reconstruct it. Then in [1] Benaloh and Leichter proposed a simpler and more efficient way of sharing a secret for a monotonic access structure. They have also given an example of a family of base sets which was of type {{A, B}, {C, D}} that generates a monotonic access structure that cannot be realized by a generalized threshold scheme (in which each participant could receive several shares). This shows in particular, that if we want to have a freedom in choosing privileged sets for a monotonic access structure, we have to introduce some new ideas. One of the ideas, proposed in [1] which fulfills our requirements is based on a logical formula, the other one on a method using a family of maximal unprivileged sets, see also [5]. We will show some properties of the method in [1] and its relations to that based on the families of sets. We would also discuss efficiency and security issues.

Preliminaries
At the beginning we introduce some definitions and terminology. Let X = {P 1 , ..., P n } be a set of all entities and P (X) a set of all subsets of X. A family Γ of subsets, that can reconstruct the secret is an access structure, and the elements of that family are called privileged sets. We say that an access structure is monotonic if every superset of a privileged set is also in the access structure. A minimal element of an access structure Γ is a set in Γ such that its every proper subset is not in Γ. We call a family of minimal sets a basis of an access structure, which we will denote by B. On the other hand, every subset of P (X), which is not in Γ can be extended to the maximal set not in Γ. That kind of subset is called maximal and adequate family a family of maximal unprivileged sets, denoted by N. Theorem 1. One can determine a unique access structure by providing a family of basis sets B or by saying what family of maximal unprivileged sets N is.
Proof. It is clear that a family of basis sets uniquely determines an access structure. We will show that having a family of maximal unprivileged sets N Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 21:00:19 U M C S Methods of encrypting monotonic ...

51
we can uniquely reconstruct the basis. Assume otherwise, let B 1 and B 2 be two different bases determined by N. Without loss of generality we may assume that there exists B ∈ B 2 such that B/ ∈ B 1 . We have two possible cases: 1) B is a superset of certain B ∈ B 1 , i.e. B ⊆ B (but we do not have equality), then B is not in the access structure Γ 2 so we may extend B to the maximal unprivileged set, but sets from N obviously do not include basis sets so that cannot be true. 2) B is not a superset of any B ∈ B 1 , i.e. B is not in the access structure Γ 1 .
Similarly to that before, extension of B leads to the contradiction.
Instead of determining an access structure by giving a base one can also, as in [1], use a method with a logical formula consisting of a conjunction and disjunction but without negation (these are called monotonic logical formulas). Taking such a formula F on the variables indexed by a set P ,theaccess structure defined by F is the family of these subsets A of a set P for which F is true precisely when the variables indexed by A have a logical value 1.

Characterization of schemes
We will briefly show the way of distributing a secret proposed by Benaloh and Leichter [1] and the other method based on a family of basis sets or a family of maximal unprivileged sets, see also [5], then we will draw some attention to practical aspects of those methods.
A general method of sharing a secret described in [1] uses a monotonic logical formula. If s is a secret value that is going to be shared, we distribute it by going to more and more detailed parts of the formula (as we will see it in the example below) until we get to each participant. In particular, where we have disjunction, all of its components receive the same part of actually distributed part of a secret. Where we have conjunction, we divide randomly actually distributed part of a secret to a sum of s i that sums up to this part and each of the components of the conjunction receives s i . In this method of distributing a secret we may allow a threshold distribution, which means that when there is disjunction we use a threshold scheme with threshold 1 (which is equivalent to the method described earlier) and when there is conjunction of k components we use a threshold scheme with the threshold k. When using a threshold distribution for reconstruction, we have to remember identities of parts.
Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 21:00:19 U M C S As for example, we will distribute in a ring modulo m a secret value s ∈ {0, 1, ..., m − 1} to entities {1, 2, 3} with a structure defined by the formula (a 1 ∧a 3 )∨(a 2 ∧a 3 ). First we look at the disjunction so s is distributed to a 1 ∧a 3 and to a 2 ∧a 3 . Now looking at a 1 ∧a 3 we randomly divide s into two parts s 1 , s 2 such that s 1 +s 2 = s and give s 1 to entity 1 and s 2 to entity 3. Similarly, getting s 3 and s 4 such that s 3 +s 4 = s we distribute them to entities 2 and 3 respectively. It is also worth considering the formula ((a 1 ∨ a 2 ) ∧ a 3 ) ∨ (a 1 ∧ (a 2 ∨ a 3 ) ∧ a 4 ) defining an access structure, where firstly s is distributed to both components of disjunction, then in the left component it is divided into appropriate s 1 and s 2 where s 1 is given to entities 1 and 2, s 2 to entity 3 (here instead of dividing s into two parts we could use the Shamir scheme with threshold 2). In the right component of the formula s is divided randomly into s 3 , s 4 and s 5 which are distributed: s 3 to entity 1, s 4 to entities 2 and 3 and s 5 to entity 4 (here we could also use the Shamir scheme with threshold 3). We also notice that for a formula (a 1 ∨ a 2 ) ∧ (a 3 ∨ a 4 ) ∧ ... ∧ (a 2n−1 ∨ a 2n ) each entity would get only one number.
Let us now describe the generalized method of creating a monotonic access structure from a family of basis sets or a family of maximal unprivileged sets, see also [5]. Let us consider a set of all entities X = {P 1 ,...,P n } and an access structure Γ. Let us assume we have a family of k maximal unprivileged sets N = {N 1 ,...,N k }. We can think of it as it is given and it determines the family of basis sets B or firstly we had a basis and it determined N. We will distribute with the use of special function f subsets S i of S = {a 1 ,...,a k } to the participants. It means that entity P i will receive the value f (S i ). Function f is a function for which the following condition holds: where A, B are certain sets. Notice that the examples of functions for which this condition holds are identity on the subsets of S or f being the least common multiple, when S is a set of pairwise coprime numbers least common multiple is understood here as a function that takes on the input a set and returns a singleton consisting of an element being the least common multiple. This kind of function 'forgets' the repeated terms of inputs and we can use it in sharing a secret by giving to participants for shares the values of f in certain sets. Value of f in the sum of all sets used for the construction of shares would be a secret that is going to be distributed among participants. Our function f is publicly known and safety issues are connected with choosing the function. Reconstructing the secret will be performed by taking values as in the left hand side of the equation

53
for the process of reconstruction. Going back to distributing the shares to the participants, for each N i ∈ N, we connect a i with every entity of X except those which are in N i . So we have connected a subset S i ⊆ S with every participant P i . After computing the value f (S i ) that value is given to the participant P i as his share. Notice that participants from a selected basis set can reconstruct the secret, because taking B ∈ B and selecting any value a i , there would be participant B who received a i (if not then B ⊆ N for certain N ∈ N and it cannot happen). Because neither participants from the set N i ∈ N has received a i we may use it to set up safety conditions for our sharing scheme (depending on the chosen f ). For example for f being the least common multiple we may require elements of S to be appropriately large pairwise coprime numbers, larger than a certain threshold (safety) value, [5].

Dependencies
The methods of determining an access structure from a family of base sets and determining it with a monotonic logical formula are related and any access structure can be defined using each of them.
Theorem 2. Let F be any monotonic logical formula that defines an access structure Γ. Converting F to the disjunctive normal form (i.e. equivalent formula which is a disjunction of conjunction of the literals) and making reductions of a type (a ∨ b) ∧ a ⇔ a such that there are no clauses contained (as sets of literals) in other clauses, sets made of indices of clauses define a basis of Γ.
As a remark, the formula (a 1 ∨ a 2 ) ∧ a 3 is equivalent to (a 1 ∧ a 3 ) ∨ (a 2 ∧ a 3 )and so we can read the basis.
Proof. Let B' be a family of sets that were formed from the reduced disjunctive normal form, as described in the theorem. We will show that B' = B,w h e r eB is the family of basis sets of Γ.
For any B ∈ B setting variables indexed by the elements of B to 1 gives a value of F equal to 1 no matter what the values of other variables are. In particular, setting all other variables to 0 we conclude that there exists B ∈ B' such that B ⊆ B and because the sets from B' are also in the access structure Γw eh a v eB = B, which shows that B ⊆ B' Now, let us take any B ∈ B'. As we know, it is in the access structure and we will show that it does not contain properly any basis set (which is enough). There is a dual theorem for maximal, unprivileged sets.
Theorem 3. Let F be any monotonic logical formula that defines an access structure Γ. Writing F in a conjunctive normal form (i.e. logical formula which is a conjunction of disjunction of the literals) which is reduced such that there are no clauses contained (as sets of literals) in other clauses (using (a∧b)∨a ⇔ a), sets forming a family of maximal, unprivileged sets N are constructed by operation of choosing one clause of the formula and writing all indices except those that are indexing the chosen clause.
Proof. Let N' be a family of sets constructed as stated in the theorem. Any set N ∈ N' is not in the access structure because setting variables indexed by elements which are not in N to 0, i.e. all variables in a certain clause, we have the value of that clause equal to 0 so F is false. Let us call the clause selected for the construction of N by C. We will show that N is maximal. In each clause different from C we can find a variable indexed by an element of N , if not then there would exist a clause different from C which is contained (as a set) in the selected clause C and this cannot occur as the formula F is reduced. For that reason when we add any other element to N it would be from a selected clause and setting appropriate variables to 1 the formula F would be true.
Let us take any maximal unprivileged set N ∈ N. It is not in the access structure so the formula F is false when setting all variables indexed by N to 1 and others to 0. That means a certain clause has to have value 0 so there are not any variables indexed by N in that clause. Because of N being maximal all indices indexes apart from those indexing the mentioned clause are in N so N is in N'.
We also observe that having a basis B it is easy to construct a logical formula that defines the same access structure, similarly to a family of maximal, unprivileged subsets. These results indicate, for example, that after encoding the access structure using one of the described methods it may be possible to encode it using the other one.
Sometimes it is much easier to construct a monotonic access structure using a logical formula. For example if we have a group of n pairs of entities of the form (2i − 1, 2i)f o ri =1, 2,...,n and want to construct such a structure that for reconstruction of the distributed value s we need at least one entity from Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 21:00:19 U M C S each pair, then we can describe it shortly by a formula: The family of basis sets would consist of 2 n elements, in each there would be exactly one element of each pair. On the other hand, the family of maximal unprivileged sets would have n elements. Depending on a method of distributing a secret for a monotonic access structure the number of basis sets, maximal unprivileged sets or the number of parts from which the logical formula consists is important for the time complexity of the scheme.
Some aspects of hierarchical structure of the access structure including those connected with hiding places that entities take in the hierarchy may sometimes also be important. Looking from this perspective at the sharing schemes that were described, more suitable is the scheme which uses a family of maximal unprivileged sets and a function f being the least common multiple. For our set S of distributed values connected with entities we take a set of certain prime numbers or pairwise coprime numbers. An aspect of security in this case is based on the problem that it is hard to compute how many distinct prime divisors or distinct coprime parts (that come from the process of distributing the shares) does a composite number (here, the share) have. That is because each entity P i , intuitively speaking, is the more important (higher in the hierarchy) the larger is its set S i of distributed numbers connected to it (recall that the share of P i is the least common multiple of elements of S i , not the set S i itself). When distributing the prime numbers we have the problem of telling how many distinct prime divisors a composite number have, which is considered to be comparatively difficult for the problem of factorization of a composite number which, as we know, is considered to be hard. Distributing coprime parts instead of prime numbers is in that case even better. For security reasons one has to guarantee the proper size of shares and that shares are not divisible by one another. It can be achieved by modifying the family of basis sets as presented below.
We will consider the case when there is no entity that is able to reconstruct the secret by himself (which is a natural assumption while sharing a secret).
Theorem 4. Having a family of basis sets B such that no entity can reconstruct the secret by himself, it can be guaranteed that subsets S i connected with the entities in a process of distributing the shares are not contained in one another.
Proof. Let Γ be the access structure determined by the family of basis sets B. Looking at the elements of sets from the family B, if two entities P j Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 21:00:19 U M C S and P k are both the elements of a certain basis set, then their corresponding subsets S j and S k would not be contained in one another (in the family of maximal, unprivileged sets N there would be a set that contains entity P j and does not contain the entity P k , and the other set for which the opposite is true). On the other hand, if for entities P j and P k there is no basis set that these entities are the elements of, we add a new auxiliary entity P l to the set of entities and create a new basis set from the entities P j , P k , P l . The family of sets with the additional set is again a basis (the sets that previously were in B still do not contain proper subsets of the access structure because the only new sets in Γ are those that contain the new basis set). Due to this, all previous connections between entities have been preserved, and the additional entity is only auxiliary. We perform the described procedure for all such pairs of entities and create a new basis B'. After obtaining from B' the family of maximal unprivileged sets N' and distributing the shares as it was described, the condition from the theorem is fulfilled.

Example
Let us consider a set of entities {P 1 ,P 2 ,P 3 ,P 4 } and the family of basis sets B = {{P 1 ,P 2 }, {P 1 ,P 3 }, {P 2 ,P 3 }, {P 1 ,P 4 }}. One may easily see that the family of maximal unprivileged sets N = {{P 1 }, {P 2 ,P 4 }, {P 3 ,P 4 }}. The most privileged entity (highest in the hierarchy) is P 1 b e c a u s eh ec a n reconstruct the secret cooperating with any other entity. The least privileged entity is P 4 because he can reconstruct the secret only with P 1 .O n em a ya l s o see that after performing the steps described in the proof of the theorem above because the pairs of entities P 2 and P 4 , similarly P 3 and P 4 are not the elements of any basis sets, we obtain B' = {{P 1 ,P 2 }, {P 1 ,P 3 }, {P 1 ,P 4 }, {P 2 ,P 3 }, {P 2 ,P 4 ,P 5 }, {P 3 ,P 4 ,P 5 }} and N' = {{P 1 ,P 5 }, {P 2 ,P 4 }, {P 2 ,P 5 }, {P 3 ,P 4 }, {P 3 ,P 5 }, {P 4 ,P 5 }} where P 5 is the auxiliary entity.
While using logical formulas, the elements distributed (as shares) to a certain entity have a strictly specified meaning and so, in the process of reconstructing the secret value s we need to use the information about the access structure (for example which of the distributed elements one should use in the specified groups of entities to finally reconstruct s). This information may be used by a third party to gain knowledge about the access structure.

The ways of secret sharing in the monotonic access structures and possibilities of corruption
We will give and describe the ways the entity that constructs the monotonic access structure can share the information about it with the participants.

57
-The information about the possible groups of entities that can reconstruct the secret is publicly available for every entity in the structure.
-Every entity has the information only about the groups of participants with whom he can reconstruct the secret.
-The information about the possible privileged groups is given to a certain (trusted) external entity and the participants obtain incomplete information about privileged groups that they construct.
-The information about the privileged groups is given to a certain trusted external entity and every participant receives incomplete information about the privileged groups he is an element of.
First, the simplest method, in which information about the basis sets is publicly known is at the same time the least secure. Adversary, after corrupting any entity, gains the whole information about the hierarchical structure in the access structure. This information helps him choose the strategically best for him 'path of corruption', which after being performed, allows him to reconstruct the secret.
In the second method, entity has only partial information about the hierarchy in the structure and so strategies of an adversary after corrupting an entity are limited.
The third method uses an entity, who knows the whole family of basis sets. Entities even during the meetings would not be able to tell which privileged groups they are constructing (unless it is a meeting of such a group) because they do not know if the value they are reconstructing is the actual secret. The outer subject on the other hand, in some situations can disclose to entities information about the privileged groups. That is also helpful with protection against the corruption of entities, i.e. corrupted entities do not have the whole information about what other entities should be corrupted to reconstruct the secret.
In the fourth method each entity has even less knowledge about the family of basis sets. Planning the strategy of corrupting the entities of the structure is therefore even more difficult.
The third and fourth methods made use of an additional, external entity, after corruption of whom, we have the same situation as in the first method. His introduction, however, leads to new possibilities in using such a system, which may be interesting from the practical point of view. At some point though, the additional entity may adjudge that it is necessary to reveal to the certain group of entities the information that they can reconstruct the secret.
Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 21:00:19 U M C S 6. Security issues in sharing a secret So far we have shown some safety aspects connected with monotonic access structures. We will now present the others, that are known in the literature, however, it is important here to realize the fact of what should be taken into consideration while constructing an access structure. In particular, we will see what assumptions could be made about possible attacks on the structure.
Generally, examining a sharing system one introduces some models that allow him to prove within them certain issues connected with security of a system [6], [7]. Here, we will present some of those models and possible attacks and types of an adversary related to them. One usually considers two basic models of exchanging information. First, called cryptographic [7], assumes that everyone has access to the information that is being exchanged between the participants of the scheme. Security of the scheme in such a model has to be guaranteed by a computationally hard problem, which adversary would not be able to solve in a reasonable time. Then there is the information-theoretic model [8], [9], which assumes that entities communicate with the use of pairwise secure channels. In this case safety is guaranteed even if an adversary has unlimited computing power. Let us now look at the sharing scheme from the aspect of possible corruption that could be performed by the adversary. The important concept here is the idea of adversary structure, which is a family of sets of entities, that may be corrupted by an adversary (for example it may consist of all subsets of cardinality less than a threshold value t). Passive corruption means that the adversary only acquires information about shares of corrupted participants, who (if they want) can perform reconstruction of the secret correctly. The corruption is called active, when the adversary takes full control of corrupted participants and the rest (not corrupted participants) cannot say which of the others were corrupted. We may also distinguish types of adversaries as being static or adaptive. Static adversary corrupts a set of participants only once and during the time the set does not change. Adaptive adversary can corrupt new participants at any time during the protocol, based on the information he gathers during the time, as long as the total set of corrupted participants is in the adversary structure.
The most appropriate model of computation is selected and depends on the type of practical purpose of sharing scheme as well as the issues connected with its implementation, safety and computational efficiency, and after setting a type of adversary, the features of the system are examined.

Conclusions
We have presented some ideas which could be also taken into consideration when constructing another than the presented methods of sharing a secret in the access structure. As we have shown, at the more general level, a method of constructing the access structure from a family of basis sets or a family of maximal unprivileged sets, and a method using a logical formula are similar. They both allow to construct any general access structures and after coding the structure using one of them there is a possibility to code it using the other one (at least theoretical, because sometimes coding using the other structure would be computationally too complex). Going into details about the schemes, we saw that in certain situations often connected with security or time complexity it is better to use the specified one. This depends on what we are expecting from our sharing system. Some other aspects of constructing a sharing scheme may sometimes be important as well. One can see that in the Shamir scheme it is easy to dynamically add a new entity because we give him an argument (his identity) and the value in this argument of the polynomial that we use in the scheme. Looking at the method with a logical formula or with families of sets we should verify and make new connections of the new entity and the existing ones (that is because it is a general access structure). Therefore, analyzing a sharing system that one wants to create, one has to prepare earlier estimates of a number of entities, dynamics in the system i.e. the number of possible addition and removal of entities and methods of implementation related to them operations. One should also set the matters connected with security which are going to be the most important for the scheme. We have presented how different levels of security are acquired depending on how the entity that is constructing the access structure reveals the information about it to the participants. As we point out, gathering information about hierarchical structure may help the adversary in setting the most suitable path of corruption for him, after performing of which he reconstructs the secret. Hiding information about a hierarchical structure can be performed by choosing an appropriate method of sharing a secret (for example a method with the families of basis sets) and a proper way of distributing the information about the structure by the constructor of the access structure. Realizing and setting models of information exchange (cryptographic/information-theoretical) and possible types of corruption (active/passive) and types of an adversary (adaptive/static), as well as setting the adversary structure for our system are crucial (although usually clear from the purpose we want to use our structure for).