A Remark on Hierarchical Threshold Secret Sharing

The main results of this paper are theorems which provide a solution to the open problem posed by Tassa [1]. He considers a specific family Γ_v of hierarchical threshold access structures and shows that two extreme members Γ_∧ and Γ_∨ of Γ_v are realized by secret sharing schemes which are ideal and perfect. The question posed by Tassa is whether the other members of Γ_v can be realized by ideal and perfect schemes as well. We show that the answer in general is negative. A precise definition of a secret sharing scheme introduced by Brickell and Davenport in [2], combined with a connection between schemes and matroids, are crucial tools used in this paper. Brickell and Davenport describe a secret sharing scheme as a matrix M with n + 1 columns, where n denotes the number of participants, and define ideality and perfectness as properties of the matrix M. The auxiliary theorems presented in this paper are interesting not only because they provide the solution of the problem. For example, they provide an upper bound on the number of rows of M if the scheme is perfect and ideal.


Introduction
The idea of secret sharing was introduced independently by Blackley [3] and Shamir [4] in 1979. The basic idea is to distribute pieces of information (shares) about the secret among a finite set of participants, so that only some sets of them can recover the secret by pooling together their shares. Such a set of participants is said to be authorized. The family Γ of all authorized sets of participants is referred to as the access structure of the scheme.
Before we present a formal definition, we introduce some notions that will be used throughout this paper. Let P be a finite set of participants and for p ∈ P let S(p) denote the set of all possible shares which can be given to the participant p. It is sometimes convenient to consider a special participant p_0 (called a dealer) who shares a secret. We will use P_o to denote P ∪ {p_0}. Obviously S = S(p_0) is the set of all possible secrets.
It is a trivial observation that an access structure Γ of a secret sharing scheme has the monotonicity property, i.e.
    A ⊆ B, A ∈ Γ ⟹ B ∈ Γ.    (1)
We define Γ_min as the family of all minimal sets of Γ.
A secret sharing scheme is said to be connected if every participant is a member of a certain minimal authorized set. It is easy to see that if a secret sharing scheme is not connected, then the shares of a certain participant are useless. All secret sharing schemes considered in this paper are connected.
In practical implementations, secret sharing schemes are expected to be secure and easy to use. These requirements are satisfied if no information on secrets leaks to unauthorized sets and shares are as small as possible. Let us introduce the following definitions.
We say that a secret sharing scheme is perfect if each unauthorized set of participants cannot reveal any information about the secret. It is not hard to show that for every perfect secret sharing scheme |S(p)| ≥ |S| for all p ∈ P. A secret sharing scheme is said to be ideal if |S(p)| = |S| for all p ∈ P. Without loss of generality we can assume that in ideal secret sharing schemes we have S = S(p) for every p ∈ P.
Obviously, when we have a fixed secret sharing scheme, we are able to describe its access structure. However, investigations concerning secret sharing scheme problems refer also to the situations where a family Γ ⊆ 2^P with the monotonicity property is defined and the goal is to find a secret sharing scheme such that Γ is its access structure. In such a situation we say that Γ is realized by a secret sharing scheme. It is not easy to find a suitable scheme that realizes a given monotone family of sets of participants if we require ideality and perfectness. A partial solution to this problem can be found in the following theorem.
Theorem 1 ([5]). For any monotone family Γ ⊆ 2^P there exists a perfect secret sharing scheme with Γ as its access structure.
Unfortunately, a perfect secret sharing scheme constructed by the authors of Theorem 1 for any Γ ⊆ 2^P is not ideal: each share is a vector with many entries. It is known that there exist monotone families of sets of participants which are not realized by a secret sharing scheme both ideal and perfect (see [6], p. 33, Theorem 3).
The idea of hierarchical secret sharing, in which P is composed of levels: was introduced by Shamir in [4]. He considered a scheme for a weighted threshold access structure. That is, every participant has a weight (a positive integer) and a set is qualified if and only if its weight sum is at least a given threshold. Simmons in [7] studied the compartmented access structure: where {k_i}_{i=0}^{l} is a sequence of integers such that k_0 ≥ ∑_{i=1}^{l} k_i, and the multilevel access structure: where {k_i}_{i=1}^{l} is a monotonically increasing sequence of integers. An access structure Γ_∨ was also considered by Tassa in [1], who called it a disjunctive access structure and in the same paper he studied a conjunctive access structure: Moreover, Tassa notices that the above access structures are two extreme members of a family {Γ_v : v = 1, ..., l} of the hierarchical threshold access structures: ..,l}}. (6)
The question posed by Tassa is whether the other members of Γ_v can be realized by ideal and perfect schemes as well. We show that the answer in general is negative. It is worth pointing out that Farràs and Padró (see [8]) managed to characterize the ideal hierarchical access structures, that is, those admitting an ideal secret sharing scheme. Among other things, their work also contains an answer to the question of Tassa; however, our solution is different and simpler.
Downloaded from the journal Annales AI-Informatica http://ai.annales.umcs.pl Date: 06/04/2022 11:34:14 UMCS

Secret sharing scheme as a matrix
Brickell and Davenport introduced in [2] the following general and precise definition of a secret sharing scheme.
Definition 1. A secret sharing scheme with n participants is a matrix M with n + 1 columns and entries from a finite set, such that no two rows of M are identical.
The first column of the matrix is assigned to p_0; this is the column of secrets. The other columns are assigned to participants; they are columns of shares. The matrix M is publicly known and each participant knows which column belongs to him or her. Before we describe procedures of sharing a secret and pooling shares, we introduce a few useful notations. Let:
• M(r, p) be the entry in row r and column p.
• M(r, A) be the row r restricted to the columns indexed by A, A ⊆ P_o.
• S(p) be the set of elements occurring in column p (it does not contradict the previous definition).
If the dealer wants to share out a secret s ∈ S(p_0) among the participants in P, he/she:
(1) picks randomly a row r in which M(r, p_0) = s using the uniform distribution over all such rows;
(2) gives the share α_p := M(r, p) to the participant p for every p ∈ P using a safe channel.
If participants in A ⊆ P want to recover the secret s ∈ S(p_0):
(1) they pool their shares together;
(2) they take one of the rows r such that α_p = M(r, p) for all p ∈ A;
(3) they assume that s = M(r, p_0) is the secret.
There is a question whether the value obtained by the participants is always the secret chosen by the dealer, i.e., when A is an authorized set of participants. In the matrix setting we are able to give precise definitions of notions mentioned in Section 1.
To do that, we need some additional notions.
We say that the participants in A ⊆ P have no information about the share given to or equivalently Otherwise, we say that A has some information about the share given to p. In these situations we write A p and A → p respectively. In other words, A → p if for at least one vector v ∈ S(A) some values in S(p) cannot be taken as M(r, p) when M(r, A) = v.
We say that participants in A ⊆ P know the share given to a participant p ∈ P_o \ A, Using the above notation a subset A ⊆ P is authorized if A ⇒ p_0 and the access structure can be described as Γ = {A ⊆ P : Let us recall that a secret sharing scheme is said to be ideal if |S(p)| = |S(p_0)| for all p ∈ P. The next theorem says that in ideal and perfect secret sharing schemes the partial information about someone's share never occurs.
denote the family of all dependent sets of M. It is obvious that if A ⊆ P is an authorized set, then A ∪ {p_0} is dependent. It can be seen easily that every minimal authorized set is independent.

Auxiliary results
In this section we shall prove some relations between the cardinalities of maximal unauthorized sets and independent ones. Let us denote throughout this paper q = |S|.
Theorem 3. If M is an ideal and perfect secret sharing scheme, then the number of rows in M is not greater than q^{|B|+1} for every maximal unauthorized set B ⊆ P.
Proof. Let M be an ideal and perfect secret sharing scheme and let B ⊆ P be a maximal unauthorized set. Suppose, contrary to our claim, that M has more than q^{|B|+1} rows. Then there exist two different rows r, r′ in M such that Denote v = M(r, B) = M(r′, B) ∈ S^{|B|}. From the fact that no two rows of M are identical we obtain for a certain participant p ∈ P \ B. Obviously B ∪ {p} is an authorized set, as B is a maximal unauthorized set. Thus for every vector (v, α) ∈ S(B ∪ {p}) the secret is determined uniquely. Let us assume that the participants in B try to guess the secret testing all α ∈ S(p). Since M is an ideal scheme and for two different shares M(r, p) and M(r′, p) the participants in B get the same secret M(r, p_0) = M(r′, p_0), there is at least one value of the secret which cannot be obtained in this way. This shows that B has some information on the secret, which implies that B is an authorized set, as M is a perfect scheme. This contradiction completes the proof.
Let us recall the following lemma which can be used for a lower bound on the number of rows of a secret sharing matrix.
Proof. Let M be an ideal and perfect secret sharing scheme and let A and B be sets of participants described in the assumptions of the theorem. Since A is a minimal authorized set, from Lemma 1 we deduce that M has at least q^{|A|} rows. On the other hand, according to Theorem 3 the number of rows in M does not exceed q^{|B|+1}. Hence q^{|A|} ≤ q^{|B|+1}, which implies the claim.
Lemma 2. Let M be an ideal and perfect secret sharing scheme. If A ⊆ P_o is an independent set, then for every v ∈ S^{|A|} there is a row r such that M(r, A) = v.
Proof. Let M be an ideal and perfect secret sharing scheme. We proceed by induction on k = |A|. For k = 1 the statement is true as the scheme is perfect. Let A = {p_1, ..., p_k} be an independent set with k ≥ 2. Let us note that Ā = A \ {p_k} is also independent. Consider (α_1, ..., α_{k−1}, α_k) ∈ S^k. By the induction hypothesis there is a row r′ such that M(r′, Ā) = (α_1, ..., α_{k−1}). Since A is independent, the participants in Ā have no information about the share given to p_k, i.e., there is a row r such that M(r, Ā) = M(r′, Ā) and M(r, p_k) = α_k. This completes the proof.
Let us recall that every minimal authorized set is independent, so the above lemma is a generalization of Lemma 1. The next theorem is a strengthening of Corollary 1.
Theorem 4. Let M be an ideal and perfect secret sharing scheme. If A ⊆ P is an independent set, then |A| ≤ |B| + 1 for every maximal unauthorized set B ⊆ P. Moreover, if A ⊆ P is unauthorized and independent, then |A| ≤ |B| for every maximal unauthorized set B ⊆ P.
Proof. The proof of the first statement is similar to the proof of Corollary 1; instead of Lemma 1 we use Lemma 2.
To prove the second statement, we deduce from Lemma 2 that |S(A)| = q^{|A|}. Since A is unauthorized, for every v ∈ S(A) and for every α ∈ S(p_0) there exists a row r such that M(r, A) = v and M(r, p_0) = α. Hence M has at least q^{|A|+1} rows. We now apply Theorem 3 to obtain q^{|A|+1} ≤ q^{|B|+1}, which implies the claim.

Secret sharing schemes and matroids
Before we present a connection between the secret sharing schemes and the matroids, we should recall one of many equivalent ways of defining matroids (see [9]).
A matroid ℳ is an ordered pair (E, I) consisting of a finite set E and I ⊆ 2^E satisfying the following conditions: (1) ∅ ∈ I.
The number of elements of an arbitrary base of a matroid ℳ is called the rank of ℳ. A relation between the secret sharing scheme and the matroids is described in the following theorem. Let us recall that a connected matroid is a matroid (E, I) in which for any two different elements x, y ∈ E there exists a circuit C such that x, y ∈ C. The matroid determined by dependent sets of a secret sharing scheme M will be called the matroid associated with the scheme M and denoted by ℳ. Obviously, ℳ is uniquely determined by M.

Hierarchical Threshold Secret Sharing Schemes
For given positive integers k < n, a (k, n)-threshold secret sharing scheme is a scheme such that the set of participants P has n elements and the family Γ = {A ⊆ P : |A| ≥ k} is its access structure. There are many constructions of threshold secret sharing schemes. The most prominent one is the Shamir scheme [4], which is ideal and perfect. A finite field F_q (q is a power of a prime) is both the set of secrets and the sets of shares of the scheme.
The entries of the matrix M of a (k, n)-threshold Shamir scheme are elements of a finite field F_q. The participants p_0, p_1, ..., p_n are identified by different elements x_0 = 0, x_1, ..., x_n ∈ F_q. The rows of the matrix are labelled by polynomials over F_q of degree less than k. For such a polynomial f the corresponding row of M equals (f(0), f(x_1), ..., f(x_n)). Obviously, f(0) is a secret. Every set of at least k participants can pool their shares together and, using Lagrange interpolation, find a unique polynomial of degree less than k which identifies a suitable row of the matrix; consequently, they determine the secret.
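The matrix view of a Shamir scheme described above, together with the sharing and pooling procedures and the row bound of Theorem 3, can be checked by brute force on a small instance. This is an added example, not code from the paper; the prime q = 5, the identification x_i = i and all function names are assumptions chosen for illustration.

```python
from itertools import combinations, product
import secrets

def shamir_matrix(q, k, n):
    """Brickell-Davenport matrix of a (k, n) Shamir scheme over F_q (q prime, n < q).
    Column 0 belongs to the dealer p_0 (x_0 = 0); column i to participant p_i (x_i = i)."""
    return [tuple(sum(c * pow(x, j, q) for j, c in enumerate(f)) % q for x in range(n + 1))
            for f in product(range(q), repeat=k)]   # one row per polynomial f, deg f < k

def deal(M, s):
    """Dealer: pick a uniformly random row r with M(r, p_0) = s, hand M(r, p) to each p."""
    row = secrets.choice([r for r in M if r[0] == s])
    return dict(enumerate(row[1:], start=1))

def recover(M, pooled):
    """Participants: take any row agreeing with the pooled shares {p: share}, read column p_0."""
    for row in M:
        if all(row[p] == a for p, a in pooled.items()):
            return row[0]
    raise ValueError("pooled shares match no row of M")

def classify(M, A, q):
    """'authorized' if M(r, A) fixes the secret, 'no-info' if every one of the q secrets
    stays possible for every share vector, otherwise 'partial' (the scheme is not perfect)."""
    seen = {}
    for row in M:
        seen.setdefault(tuple(row[p] for p in A), set()).add(row[0])
    sizes = {len(s) for s in seen.values()}
    return "authorized" if sizes == {1} else "no-info" if sizes == {q} else "partial"

def analyse(M, n, q):
    """Read the access structure off M and check perfectness, ideality and the row bound
    rows(M) <= q^(|B|+1) for every maximal unauthorized set B."""
    P = range(1, n + 1)
    kind = {A: classify(M, A, q) for size in range(n + 1) for A in combinations(P, size)}
    auth = {A for A, c in kind.items() if c == "authorized"}
    max_unauth = [A for A in kind if A not in auth and
                  all(tuple(sorted(A + (p,))) in auth for p in P if p not in A)]
    return {
        "rows": len(M),
        "min_authorized": sorted(A for A in auth if not any(set(B) < set(A) for B in auth)),
        "perfect": all(c != "partial" for c in kind.values()),
        "ideal": all(len({row[p] for row in M}) == q for p in P),
        "row_bound_holds": all(len(M) <= q ** (len(B) + 1) for B in max_unauth),
        "max_unauthorized_sizes": sorted({len(B) for B in max_unauth}),
    }

if __name__ == "__main__":
    M = shamir_matrix(5, 2, 3)         # constructed parameters: q = 5, k = 2, n = 3
    print(analyse(M, 3, 5))            # ideal, perfect, 25 rows = q^(|B|+1) with |B| = 1
    shares = deal(M, 3)
    print(recover(M, {1: shares[1], 3: shares[3]}))   # an authorized pair recovers the secret
    print(analyse(M[1:], 3, 5)["perfect"])  # dropping one row leaks partial information
```

For the Shamir matrix the bound of Theorem 3 is met with equality, and deleting a single row is enough to make single participants learn partial information about the secret.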
Tassa [1] considers the problem of secret sharing among a group of participants with a hierarchical structure. In such a setting P is composed of levels: The access structure is constructed in such a way that if A is an authorized set, then any participant in A ∩ P_i can be replaced by a participant from P_j with j ≤ i and the resulting set remains authorized. For every level i ∈ {1, ..., l} of the hierarchy a threshold k_i is defined. It is assumed that 0 < k_1 < ... < k_l. A set A ⊆ P is said to satisfy the threshold property of level i (which we abbreviate to TP_i) if |A ∩ ⋃_{s=1}^{i} P_s| ≥ k_i. The notation TP_i(A) denotes that A satisfies TP_i. The access structures considered by Tassa are the following: The main results described in [1] are the constructions of ideal and perfect secret sharing schemes that realize Γ_∧ and Γ_∨. Moreover, Tassa notices that the above access structures are two extreme members of a family {Γ_v : v = 1, ..., l} of the hierarchical threshold access structures: Indeed, Γ_1 = Γ_∨ and Γ_l = Γ_∧. The open problem posed by Tassa is whether there exists an ideal and perfect secret sharing scheme realizing Γ_v for v ∈ {2, ..., l − 1}. We shall show in Theorem 6 that in general the answer is negative.
Proof. Let us fix v ∈ {2, ..., l − 1} and suppose that there exists an ideal and perfect secret sharing scheme M that realizes Γ_v.
We begin by proving that the rank of the associated matroid ℳ is at most k_l. Let us consider a set of participants A ⊆ P such that σ(A) = (t_1, t_2, ..., t_l), where We will show that A is a maximal unauthorized set of participants. If 1 < j ≤ v − 1 then If v ≤ j < l then This shows that A does not satisfy TP_j for j ≥ v, so A is unauthorized. However, adding an arbitrary participant p ∈ P \ A to A makes it authorized as A ∪ {p} fulfils TP_j for all j ≤ v − 1 and j ≥ i if p ∈ P_i. From the fact that |A| = k_l − 1 and Theorem 4 we deduce that the rank of the associated matroid ℳ is at most k_l.
Our next goal is to show that the rank of the associated matroid ℳ is exactly k_l. We achieve this by indicating a minimal authorized set of participants with k_l elements. Let us consider a set B_1 ⊆ P such that It is easily seen that B_1 fulfils TP_i for i = l − v + 1, l − v + 2, ..., l. Moreover, any proper subset of B_1 does not fulfil TP_l. This shows that B_1 is a minimal authorized set, so it is an independent set in the associated matroid ℳ. Thus we get that the rank of ℳ is exactly k_l and B_1 is a base.
Next we consider a set B_2 such that and show that B_2 is also a base in the associated matroid ℳ. It is easy to check that it fulfils TP_i for i = 1, l − v + 2, ..., l, i.e., exactly for v values of i. Additionally, the set B_2 \ {p} does not fulfil TP_1 or TP_l according to whether p ∈ P_1 ∩ B_2 or p ∈ P_{l−v+2} ∩ B_2. Now we are in a position to apply Lemma 3. For p ∈ B_2 ∩ P_1 there exists p′ ∈ B_1 such that B_3 = (B_2 \ {p}) ∪ {p′} is a base and consequently B_3 is independent. It is easy to see that σ(B_3) = (k_1 − 1, 0, ..., 0 as B_1 ⊆ P_{l−v+1}. It is obvious that B_3 fulfils TP_i only for i = l − v + 2, ..., l, which shows that B_3 is unauthorized. According to the second part of Theorem 4, we have k_l = |B_3| ≤ |A| = k_l − 1. This contradiction finishes the proof.

Conclusions
In Theorem 6 we have proved that in general the problem of Tassa has a negative solution, but still in some cases not covered by Theorem 6, the problem whether Γ_v, v ∈ {2, ..., l − 1}, is realized as the access structure of an ideal and perfect secret sharing scheme remains open.
The information rate of a secret sharing scheme is defined by ρ := min_{i∈{1,...,n}} where U_i is a set of all possible shares of participant p_i. If there does not exist an associated matroid of a secret sharing scheme, then the information rate of such a scheme is at most 2/3 (see [10]). The information rate of an access structure Γ is the supremum of the information rates of all secret sharing schemes realizing the access structure with a finite domain of shares. We do not know if Γ_v, 2 ≤ v ≤ l − 1, can be realized by a secret sharing scheme for which an associated matroid exists. Summarising, the question is what is the actual information rate of Γ_v for 2 ≤ v ≤ l − 1.