Information Sciences 508 (2020) 329–342
Finding the maximal adversary structure from any given access structure

Chunming Tang a,b, Qiuxia Xu a,∗, Gengran Hu c

a School of Mathematics and Information Science, Guangzhou University, Guangzhou 510006, China
b Key Laboratory of Mathematics and Interdisciplinary Sciences of Guangdong Higher Education Institutes, Guangzhou University, Guangzhou 510006, China
c School of Cyberspace, Hangzhou Dianzi University, Hangzhou 310018, China

Article history: Received 21 July 2018; Revised 17 August 2019; Accepted 24 August 2019; Available online 29 August 2019
Keywords: Secret sharing; Access structure; Maximal adversary structure; Binary tree

Abstract
Secure multi-party computation is an important research area in cryptography, and the secret sharing scheme (SSS) is one of the main tools for constructing multi-party computation protocols. The access structure and the adversary structure are two important collections of subsets of participants in an SSS. The collection of all qualified subsets, i.e., those that can reconstruct the secret s, is the access structure; an unqualified subset obtains no information about s, and the collection of unqualified subsets is the adversary structure. A maximal adversary set is an unqualified subset that becomes qualified as soon as any one participant not in it is added, and the collection of these sets is the maximal adversary structure. At present, there is no effective algorithm to determine the maximal adversary structure of an arbitrary access structure. In this paper, we propose two algorithms to determine the maximal adversary structure from any given access structure; a binary tree is introduced to construct the second of them. Moreover, a special type of access structure is established from which the maximal adversary structure can be characterised directly, and the maximal adversary structure in this case is shown to be largest when each qualified polynomial in the access structure has three participants. © 2019 Elsevier Inc. All rights reserved.
∗ Corresponding author. E-mail addresses: [email protected] (C. Tang), [email protected] (Q. Xu), [email protected] (G. Hu).
https://doi.org/10.1016/j.ins.2019.08.057 0020-0255/© 2019 Elsevier Inc. All rights reserved.

1. Introduction
The secret sharing scheme (SSS), introduced independently by Shamir [1] and Blakley [2] in 1979, is an important research area in modern cryptography. An SSS divides a secret into several pieces and distributes these pieces to different participants. Only qualified subsets can recover the secret, while an unqualified subset obtains no information about it. The collection of all qualified subsets is known as the access structure. Without loss of generality, the access structure is assumed to be monotone: if a subset A of participants is in the access structure, every set containing A is also in the access structure. Similarly, the collection of unqualified subsets is called the adversary structure. The SSS is a basic tool for constructing security protocols and cryptographic algorithms, including secure multi-party computation [3], key agreement [4,5], digital signatures [6,7] and key authentication [8,9]. It has linear, additively homomorphic and multiplicative properties. However, a threshold scheme can only realise the equal-privilege threshold access structure, so its use in practical applications is limited. Ito [10] introduced the concept of general secret sharing (GSS) and established a perfect SSS with a general access structure in 1987. An SSS with a general access structure is more flexible and easier to implement than a threshold scheme, so it has greater scope for practical applications. Benaloh and Leichter [11] further developed GSS and demonstrated that their scheme is perfect. Asmuth and Bloom [12] proposed a scheme based on the Chinese remainder theorem. In 1990, Simmons [13] constructed an SSS for a multilevel access structure. Brickell [14] established ideal secret sharing with a general access structure in a vector space. In 2007, Xu and Zha [15] studied how to construct large monotone span programs from small ones and proposed a new GSS design. Li et al. [16] recently improved a type of SSS known as a ramp assignment scheme to realise general access structures.

1.1. Motivation for our idea
In fact, there is a one-to-one correspondence between linear codes and monotone span programs [17], the most basic tool for realising a linear SSS. Every linear code can be used to construct an SSS, but determining the access structure of the scheme is a challenging problem. In 1981, McEliece and Sarwate [18] conducted a pioneering study of SSSs based on linear codes: they constructed a threshold scheme from a Reed–Solomon code and highlighted the equivalence between Shamir's SSS and the Reed–Solomon code. Massey [19,20] used linear codes to construct SSSs and identified the main problem as characterising the access structures that can be realised by linear codes. In 2013, Tang et al. [21] demonstrated that obtaining the optimal linear code for a given access structure is equivalent to solving a system of quadratic equations constructed from the given access structure and the corresponding adversary structure.
Moreover, they established an algorithm to determine the optimal linear code. In recent years, Harn et al. [22] implemented a GSS based on classical secret sharing. They described how to obtain the minimal access structure and the corresponding maximal adversary structure of any access structure by means of a Karnaugh map. In a Karnaugh map [23], the cells are ordered in Gray code; each cell position represents one combination of input conditions and each cell value represents the corresponding output value. To derive the corresponding negative access structure (the maximal adversary structure), all negative access instances have to be determined, and the eligible groups are then covered by a secret sharing policy. However, the number of cells of the Karnaugh map grows exponentially with the number of participants: it is $2^n$ for $n$ participants, so elimination becomes increasingly difficult.

The access structure and the adversary structure are two important collections of subsets of participants in an SSS. At present, there is no effective algorithm to determine the maximal adversary structure corresponding to an arbitrary access structure. This study was inspired by the algorithm "Finding R from Γ" of Tang et al. [21], who noted that its complexity is still exponential, and by the method of Harn et al. [22], which uses a Karnaugh map to derive the minimal positive access subsets (qualified subsets) and the maximal negative access subsets (unqualified subsets).

1.2. Set cover problem
The set cover problem (SCP) [24] is a classical problem in combinatorics, computer science, operations research and complexity theory. It is one of Karp's 21 problems shown to be NP-complete in 1972. The SCP is defined as follows. Given a set of elements $\{1, 2, \ldots, n\}$ (the universe) and a collection $S$ of $m$ sets whose union equals the universe, find the smallest sub-collection of $S$ whose union equals the universe. For example, consider the universe $U = \{1, 2, 3, 4, 5\}$ and the collection $S = \{\{1, 2, 3\}, \{2, 4\}, \{3, 4\}, \{4, 5\}\}$. Clearly, the union of $S$ is $U$, and all elements can be covered with the following smallest number of sets: $\{\{1, 2, 3\}, \{4, 5\}\}$. More formally, given a universe $U$ and a family $S$ of subsets of $U$, a cover is a subfamily $C \subseteq S$ whose union is $U$. In the decision version of the SCP, the input is a pair $(U, S)$ and an integer $k$, and the question is whether there is a set cover of size $k$ or less. In the optimisation version, the input is a pair $(U, S)$ and the task is to find a set cover that uses the fewest sets. The decision version of the SCP is NP-complete [25]. In 1994, Lund and Yannakakis [26] identified problems equivalent to the SCP, such as the hitting set problem, hypergraph transversal, the dominating set problem and minimum exact cover. Further, determining the maximal adversary structure of a given access structure can be regarded as a hitting set problem with no k-bound.

1.2.1. Hitting set
Given a collection $S$ of subsets of a universe $U$, the hitting set (HS) problem is to find the smallest subset $S' \subseteq U$ that intersects (hits) every set in $S$. Formally, let
• $S = \{S_1, S_2, \ldots, S_m\}$ be a collection of subsets of $U$, i.e. $S_i \subseteq U$ for every $i$;
• $k \in \mathbb{N}$.
The hitting set problem asks for a subset $S' \subseteq U$ with $|S'| \le k$ such that $S' \cap S_i \ne \emptyset$ for $i = 1, 2, \ldots, m$. The hitting set problem can be solved by a polynomial-time algorithm if and only if P = NP [27].

In fact, the algorithm we propose, using a binary tree as a medium, is an instance of this idea: every path value $T_i$ (defined below) and every qualified polynomial have at least one participant in common, but there is no k-bound. Initially, we consider whether there is a polynomial-time algorithm that determines the maximal adversary structure $R$ corresponding to any given access structure $\Gamma$. In other words, the question is how to obtain an algorithm whose output $R$ is as small as possible, without redundancy. Considering $R$ or $\Gamma$ alone, as with the hitting set problem, there is no polynomial-time algorithm for determining the smallest $R$ unless P = NP. Further, a greedy algorithm is used to ensure that each path value $T_i$ and each qualified polynomial are not coprime and that $T_i$ has the fewest participants.

Our Contributions. The main contributions of this paper are as follows:
1. We propose two optimised algorithms to obtain the maximal adversary structure of any given access structure in polynomial form.
2. A binary tree is introduced to construct the second algorithm and is combined with a greedy algorithm, which makes the algorithm more efficient.
3. We also present a special type of access structure whose maximal adversary structure can be characterised, and we show that the maximal adversary structure in this case is largest when each qualified polynomial in the access structure has three participants.

Outline of Paper. The remainder of this paper is organised as follows. Section 2 introduces the basic preliminaries. Section 3 presents two algorithms to determine the maximal adversary structure of any given minimal access structure and draws some conclusions. Section 4 discusses a special minimal access structure and determines the size of the corresponding maximal adversary structure. Section 5 adopts the method of Tang et al. to realise the optimal linear code. Finally, Section 6 concludes the paper.

2. Preliminaries
In the following subsections, we give two definitions of secret sharing.

2.1. Classical definition
Definition 1. Secret sharing is a cryptosystem consisting of a distribution algorithm and a reconstruction algorithm.
The secret $s$ is divided into $n$ pieces $s_1, s_2, \ldots, s_n$ to be shared among the participants $P = \{p_1, p_2, \ldots, p_n\}$, with $s_i$ secretly distributed to $p_i$, such that
(1) $S \subseteq P$ is a qualified subset of participants if the secret $s$ can be reconstructed from the shares $\{s_i \mid p_i \in S\}$;
(2) $S' \subseteq P$ is an unqualified subset of participants if the secret $s$ cannot be reconstructed from the shares $\{s_i \mid p_i \in S'\}$.

2.2. Revised definition
For a more convenient description, the set of participants $P = \{p_1, p_2, \ldots, p_n\}$ is denoted by $X = \{x_1, x_2, \ldots, x_n\}$, and we associate each subset of participants with a monomial in the $n$ variables, $x_1^{b_1} x_2^{b_2} \cdots x_n^{b_n}$, where $b_i \in \{0, 1\}$ for $i \in [1, n]$ ($b_i = 1$ exactly when $x_i$ belongs to the subset). Suppose that $Q = \{x_1^{b_1} x_2^{b_2} \cdots x_n^{b_n} \mid b_i \in \{0, 1\}\}$ is the collection of all such monomials of $X$, and $\Gamma = \{f_1, f_2, \ldots, f_m\}$ is a subset of $Q$. More generally, we regard these monomials as special polynomials. Without loss of generality, assume that there are no two polynomials $f_i, f_j$ in $\Gamma$ such that $f_i \mid f_j$. Then $\Gamma$ defines a unique access structure $AS$ as follows: $AS = \{g \mid g \in Q,\ \exists f \in \Gamma \text{ s.t. } f \mid g\}$. A polynomial $g \in AS$ is called a qualified polynomial. Similarly, a polynomial $g \in Q$ is called an unqualified polynomial if $f \nmid g$ for every $f \in \Gamma$. The collection $NAS$ of all unqualified polynomials is the adversary structure of $\Gamma$. $R \subseteq NAS$ is the maximal adversary structure if, for every polynomial $g$ that is in $NAS$ but not in $R$, there exists $f \in R$ such that $g \mid f$. Formal definitions of the minimal access structure and the maximal adversary structure are given below.

Definition 2 (Minimal access structure and maximal adversary structure). Suppose that $AS$ is the access structure of an SSS and $NAS$ is the corresponding adversary structure:
(1) $\Gamma \subseteq AS$ is the minimal access structure of $AS$ if, for all $f \in AS$ such that $f / x_i \in NAS$ for every $x_i \mid f$, $f \in \Gamma$.
(2) $R \subseteq NAS$ is the maximal adversary structure of $NAS$ if, for all $f \in NAS$ such that $f \cdot x_i \in AS$ for every $x_i \nmid f$, $f \in R$.

Remark 1. All access structures mentioned below are minimal access structures. The qualified polynomials in $\Gamma$ are always arranged in ascending order of the number of participants in each qualified polynomial.

Greedy algorithm (Slavík [28]). A greedy algorithm always makes the choice that appears optimal at the moment and then solves the subproblems that arise afterwards. That is, a locally optimal choice is made at each stage in the expectation that it leads to a globally optimal solution. The choice made by a greedy algorithm may depend on the choices made so far, but not on future choices or on the solutions of all subproblems. The algorithm makes one greedy choice after another, reducing each given problem to a smaller one.
3. Main algorithms for determining the maximal adversary structure
In this section, we present two algorithms, from different perspectives, to determine the maximal adversary structure corresponding to any given access structure. The idea of Algorithm 1 is to identify the maximal unqualified polynomials after adding the qualified polynomials of the given access structure one by one, while that of Algorithm 2 is to decrease the number of participants one by one as the depth of a binary tree increases.

Algorithm 1 Determining $R$ from $\Gamma$.
Input: $\Gamma = \{f_1, f_2, \ldots, f_m\}$ with participants $\{x_1, x_2, \ldots, x_n\}$
Output: $R$
 1: Initially $R := \{F(x)\}$;
 2: for $i$ from 1 to $m$ do
 3:   $R_{temp} := \emptyset$;
 4:   for $l$ from 1 to $|R|$ do
 5:     if $f_i \mid R[l]$ then
 6:       $R_{temp} := R_{temp} \cup \{\, R[l] / x_j \mid x_j \text{ divides } f_i \,\}$;
 7:     else
 8:       $R_{temp} := R_{temp} \cup \{R[l]\}$;
 9:     end if
10:   end for
11:   $R := Max(R_{temp})$;
12: end for

Algorithm 2 Determining $R$ from $\Gamma$.
Input: $\Gamma = \{f_1, f_2, \ldots, f_m\}$ with participants $\{x_1, x_2, \ldots, x_n\}$
Output: $R$
 1: Initially $R_{temp} := \emptyset$, $F(x) := x_1 x_2 \cdots x_n$, $i := 1$, $j := 1$;
 2: Set $\Gamma^1_1 := \Gamma$; determine the first path $L^1: [x^1_1, l^1_1] \to \cdots \to [x^1_k, l^1_k]$ and its nodes $\Gamma^1_1, \Gamma^1_2, \ldots, \Gamma^1_k, \Gamma^1_{k+1}$, where $\Gamma^1_{k+1} = \emptyset$; compute $T^1$ and add $F(x)/T^1$ to $R_{temp}$; $\tilde k := k$;
 3: while $\tilde k > 0$ do
 4:   if $l^i_{\tilde k} = 1$ and $1 \notin lchild(\Gamma^i_{\tilde k})$ then
 5:     set $l^{i+1}_{\tilde k} := 0$, $\Gamma^{i+1}_{\tilde k} := \Gamma^i_{\tilde k}$, $x^{i+1}_{\tilde k} := x^i_{\tilde k}$;
 6:     for $1 \le j \le \tilde k - 1$ do
 7:       set $\Gamma^{i+1}_j := \Gamma^i_j$, $x^{i+1}_j := x^i_j$, $l^{i+1}_j := l^i_j$;
 8:     end for
 9:     determine $L^{i+1}: [x^{i+1}_1, l^{i+1}_1] \to \cdots \to [x^{i+1}_{\tilde k}, 0] \to \cdots \to [x^{i+1}_k, l^{i+1}_k]$
10:       and the corresponding nodes $\Gamma^{i+1}_1, \ldots, \Gamma^{i+1}_{\tilde k}$, $\Gamma^{i+1}_{\tilde k+1} := Min(lchild(\Gamma^i_{\tilde k}))$, $j := \tilde k + 2$;
11:     for $\tilde k + 1 < j \le k$ do
12:       compute $\Gamma^{i+1}_j := rchild(\Gamma^{i+1}_{j-1})$;
13:     end for
14:     compute $T^{i+1}$ and add $F(x)/T^{i+1}$ to $R_{temp}$;
15:     $\tilde k := k$, $i := i + 1$;
16:   else
17:     $\tilde k := \tilde k - 1$;
18:   end if
19: end while
20: Return $R = Max(R_{temp})$

In step 11, $k$ is the length of the new path $L^{i+1}$: the right-child chain from $\Gamma^{i+1}_{\tilde k+1}$ is followed until the empty node $\Gamma^{i+1}_{k+1} = \emptyset$ is reached.

Let $S$ be a subset of $Q$ and $g, f \in S$. Minimising $S$ means removing every $g$ for which $f \mid g$ for some other $f \in S$; the result is denoted by $Min(S)$. Similarly, maximising $S$ means removing every $f$ for which $f \mid g$ for some other $g \in S$; the result is denoted by $Max(S)$.

3.1. Algorithm 1
We propose an algorithm to determine the corresponding adversary structure, and we show that the set obtained by Algorithm 1 equals the maximal adversary structure of the given access structure.
3.1.1. Formal description
Remark 2. $F(x) = \prod_{j=1}^{n} x_j$, and $R[l]$ is the $l$th polynomial of $R$. To reduce storage requirements, the temporary set $R_{temp}$ is maximised after every pass of the inner loop of the algorithm. In the following lemma, we show that the maximal adversary structure is obtained by maximising the temporary set $R_{temp}$.

Lemma 1. Suppose that $NAS$ is the adversary structure of the access structure $\Gamma$ and $R$ is the maximal adversary structure. If $U$ satisfies $R \subseteq U \subseteq NAS$, then $U_M = R$, where $U_M = Max(U)$.

Proof. Let $g \in R$; then $g \in U$, so there exists $g' \in U_M$ such that $g \mid g'$. As $g, g' \in NAS$, $g \mid g'$ and $g \in R$ is maximal, $g' = g$, and hence $R \subseteq U_M$. Conversely, let $h \in U_M$; then $h \in U \subseteq NAS$, so there exists $h' \in R$ such that $h \mid h'$. By $R \subseteq U_M$, $h' \in U_M$, and $h \mid h'$ with $h, h' \in U_M = Max(U)$ implies $h = h'$, so $h \in R$; hence $U_M \subseteq R$.

Theorem 1. Suppose that $NAS^{(i)}$ is the adversary structure of the access structure $\Gamma^{(i)} = \{f_1, f_2, \ldots, f_i\}$ with participants $\{x_1, x_2, \ldots, x_n\}$, and $R^{(i)}$ is the corresponding maximal adversary structure of $\Gamma^{(i)}$. Then
$$R^{(i)} \subseteq U^{(i)} \subseteq NAS^{(i)},$$
where $U^{(i)}$ is the temporary set $R_{temp}$ obtained at the end of the $i$th iteration of the outer loop of Algorithm 1.

Proof. Obviously, no polynomial in $U^{(i)}$ is divisible by any of $f_1, f_2, \ldots, f_i$, and hence $U^{(i)} \subseteq NAS^{(i)}$. Next, we prove $R^{(i)} \subseteq U^{(i)}$ by induction. Assume that for $i = m - 1$, $R^{(m-1)} \subseteq U^{(m-1)} \subseteq NAS^{(m-1)}$ holds; by Lemma 1, $R^{(m-1)} = Max(U^{(m-1)})$. For $i = m$, $U^{(m)} = U_1^{(m)} \cup U_2^{(m)}$, where $R[l]$ is the $l$th polynomial in $R^{(m-1)}$ and
$$U_1^{(m)} = \{\, R[l] \mid R[l] \in R^{(m-1)} \text{ s.t. } f_m \nmid R[l] \,\},$$
$$U_2^{(m)} = \{\, R[l]/x_j \mid R[l] \in R^{(m-1)} \text{ s.t. } f_m \mid R[l],\ x_j \mid f_m \,\},$$
with $l \in [1, |R^{(m-1)}|]$ and $j \in [1, n]$. By the definition of the maximal adversary structure, for every $g \in R^{(m)}$ and every $x_r \nmid g$ there exists $i \in [1, m]$ such that $f_i \mid g \cdot x_r$.
(1) If $f_m \nmid g \cdot x_r$ for every $x_r \nmid g$, then for every such $x_r$ there exists $i \in [1, m-1]$ with $f_i \mid g \cdot x_r$. By the definition, $g \in R^{(m-1)}$, and since $f_m \nmid g$ it is retained when $i = m$, i.e., $g \in U_1^{(m)}$.
(2) If there exists $x_r \nmid g$ such that $f_m \mid g \cdot x_r$, then there exists $x_s \nmid g$ ($s \ne r$) such that $f_i \mid g \cdot x_s$ for some $i \in [1, m-1]$, which implies $f_i \mid g \cdot x_r \cdot x_s$. Hence $g \cdot x_r \in R^{(m-1)}$, i.e., there exists $R[l] \in R^{(m-1)}$ with $g = R[l]/x_r$; hence $g \in U_2^{(m)}$.
Therefore every $g \in R^{(m)}$ lies in $U^{(m)}$, and so $R^{(i)} \subseteq U^{(i)} \subseteq NAS^{(i)}$.
Correctness of Algorithm 1. Let $U^{(i)} = R_{temp}$ and $R^{(i)} = Max(R_{temp})$, where $R_{temp}$ is the set obtained in the $i$th iteration of Algorithm 1 for $i \in [2, m]$. In fact, there always exists $R[l] \in R^{(i-1)}$ such that $f_i \mid R[l]$, where $R[l]$ is the $l$th polynomial in $R^{(i-1)}$. After the split, no polynomial in $R_{temp}$ is divisible by any qualified polynomial in $\Gamma^{(i)}$. By Theorem 1, $R^{(m)} \subseteq R_{temp} \subseteq NAS^{(m)}$, and $R^{(m)} = Max(R_{temp})$ by Lemma 1, i.e., $Max(R_{temp})$ is the maximal adversary structure corresponding to $\Gamma^{(m)} = \{f_1, f_2, \ldots, f_m\}$.

3.1.2. Example
Example 1. Let $\Gamma = \{x_1 x_2,\ x_2 x_3 x_4,\ x_3 x_4 x_5 x_6\}$ be an access structure of an SSS with participants $X = \{x_1, x_2, x_3, x_4, x_5, x_6\}$. The corresponding maximal adversary structure $R$ is obtained as follows:
(1) $f_1 = x_1 x_2$, $f_2 = x_2 x_3 x_4$, $f_3 = x_3 x_4 x_5 x_6$, $R = \{x_1 x_2 x_3 x_4 x_5 x_6\}$;
(2) $f_1 \mid R[1]$, so $R[1]$ is replaced by $x_2 x_3 x_4 x_5 x_6$ and $x_1 x_3 x_4 x_5 x_6$, and $R = R_{temp} = \{x_2 x_3 x_4 x_5 x_6,\ x_1 x_3 x_4 x_5 x_6\}$;
(3) $f_2 \mid R[1]$ and $f_2 \nmid R[2]$, so $R[1]$ is replaced by $x_3 x_4 x_5 x_6$, $x_2 x_4 x_5 x_6$, $x_2 x_3 x_5 x_6$, and $R_{temp} = \{x_3 x_4 x_5 x_6,\ x_2 x_4 x_5 x_6,\ x_2 x_3 x_5 x_6,\ x_1 x_3 x_4 x_5 x_6\}$. Since $x_3 x_4 x_5 x_6 \mid x_1 x_3 x_4 x_5 x_6$, $R = Max(R_{temp}) = \{x_2 x_4 x_5 x_6,\ x_2 x_3 x_5 x_6,\ x_1 x_3 x_4 x_5 x_6\}$;
(4) $f_3 \nmid R[1]$, $f_3 \nmid R[2]$ and $f_3 \mid R[3]$, so $R[3]$ is replaced by $x_1 x_4 x_5 x_6$, $x_1 x_3 x_5 x_6$, $x_1 x_3 x_4 x_6$, $x_1 x_3 x_4 x_5$, and $R_{temp} = \{x_2 x_4 x_5 x_6,\ x_2 x_3 x_5 x_6,\ x_1 x_4 x_5 x_6,\ x_1 x_3 x_5 x_6,\ x_1 x_3 x_4 x_6,\ x_1 x_3 x_4 x_5\}$, with $R = Max(R_{temp}) = R_{temp}$.
Therefore, the corresponding maximal adversary structure is
$$R = \{x_2 x_4 x_5 x_6,\ x_2 x_3 x_5 x_6,\ x_1 x_4 x_5 x_6,\ x_1 x_3 x_5 x_6,\ x_1 x_3 x_4 x_6,\ x_1 x_3 x_4 x_5\}.$$
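As an added worked example (this is not code from the paper), the following Python implements Algorithm 1 on monomials represented as frozensets of participant indices, so that $f \mid g$ is simply $f \subseteq g$, and checks the result against the hitting-set view of Section 1.2.1: a subset is maximal unqualified exactly when its complement is a minimal hitting set (transversal) of $\Gamma$, so $R$ is the set of complements of the minimal transversals, enumerated here by brute force over all $2^n$ subsets. The input is the access structure of Example 1 and is constructed inline; the names algorithm1, adversary_structure_by_hitting_sets, maximise and minimise are this example's own.

```python
"""Algorithm 1 (Determining R from Gamma) plus a hitting-set cross-check.

Added example, not the authors' code.  A monomial x_{i1} ... x_{ik} is the
frozenset {i1, ..., ik} of participant indices, the constant 1 is the empty
frozenset, and f | g holds exactly when f <= g (subset).
"""
from itertools import combinations


def maximise(polys):
    """Max(S): drop every f that properly divides another g in S."""
    polys = set(polys)
    return {f for f in polys if not any(f < g for g in polys)}


def minimise(polys):
    """Min(S): drop every g that is properly divisible by another f in S."""
    polys = set(polys)
    return {g for g in polys if not any(f < g for f in polys)}


def algorithm1(gamma, participants):
    """Algorithm 1: start from F(x), the product of all participants, and for
    each qualified polynomial f_i replace every R[l] with f_i | R[l] by the
    polynomials R[l]/x_j for x_j | f_i, then maximise.  Returns R."""
    R = {frozenset(participants)}
    for f in gamma:                               # f_1, ..., f_m in the given order
        r_temp = set()
        for r in R:
            if f <= r:                            # f_i | R[l]
                r_temp |= {r - {x} for x in f}    # R[l] / x_j for every x_j | f_i
            else:
                r_temp.add(r)                     # R[l] is kept unchanged
        R = maximise(r_temp)                      # R := Max(R_temp)
    return R


def minimal_hitting_sets(gamma, participants):
    """All minimal subsets of the participants that intersect every f in Gamma
    (the minimal transversals), found by brute force over the 2^n subsets."""
    universe = sorted(participants)
    hitting = []
    for size in range(len(universe) + 1):
        for combo in combinations(universe, size):
            s = frozenset(combo)
            if all(s & f for f in gamma):         # s hits every qualified polynomial
                hitting.append(s)
    return minimise(hitting)


def adversary_structure_by_hitting_sets(gamma, participants):
    """Independent check of Algorithm 1: a set is maximal unqualified exactly
    when its complement is a minimal hitting set of Gamma."""
    universe = frozenset(participants)
    return {universe - h for h in minimal_hitting_sets(gamma, participants)}


def fmt(poly):
    """Render a frozenset as the paper's monomial, e.g. {2, 4} -> 'x2x4'."""
    return "".join(f"x{j}" for j in sorted(poly)) or "1"


def fmt_set(polys):
    return sorted(fmt(p) for p in polys)


# Constructed input: the access structure of Example 1 over six participants.
PARTICIPANTS = frozenset(range(1, 7))
GAMMA_EXAMPLE_1 = [frozenset({1, 2}), frozenset({2, 3, 4}), frozenset({3, 4, 5, 6})]

if __name__ == "__main__":
    R = algorithm1(GAMMA_EXAMPLE_1, PARTICIPANTS)
    print("R =", fmt_set(R))
    print("hitting-set check:",
          R == adversary_structure_by_hitting_sets(GAMMA_EXAMPLE_1, PARTICIPANTS))
```

Running the script prints the six polynomials of Example 1. The final $R$ does not depend on the order in which the $f_i$ are processed, since by Theorem 1 each $Max(R_{temp})$ is the maximal adversary structure of the prefix processed so far; the brute-force transversal enumeration is exponential in $n$ and is only meant as a validation oracle on small instances.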
3.2. Algorithm 2
In this section, we use a binary tree to obtain an algorithm for determining the maximal adversary structure, and we show that the paths of each node of the binary tree correspond to the adversary structure of that node.

3.2.1. Motivation
First, we introduce the theorem that motivated us to construct this algorithm with a binary tree; it is also used to prove the correctness of the algorithm.

Theorem 2. Suppose that $\Gamma$ is any given access structure with participants $\{x_1, x_2, \ldots, x_n\}$, and write $\Gamma = \Gamma_1 \cup \Gamma_2 * x_i$, where $\Gamma_1 = \{f_j \mid f_j \in \Gamma,\ x_i \nmid f_j\}$ and $\Gamma_2 = \{f_j / x_i \mid f_j \in \Gamma,\ x_i \mid f_j\}$, and let $\Gamma_0 = Min(\Gamma_1 \cup \Gamma_2)$. Let $R_1$ and $R_0$ be the maximal adversary structures of $\Gamma_1$ and $\Gamma_0$ with participants $\{x_1, x_2, \ldots, x_n\} \setminus \{x_i\}$, respectively. Then the maximal adversary structure of $\Gamma$ is
$$R = Max(R_1 \cup R_0 * x_i),$$
where $R_0 * x_i$ denotes the set obtained by multiplying each element of $R_0$ by $x_i$ (footnote 1).

Proof. Let $NAS$ be the adversary structure of $\Gamma$ and $R$ its maximal adversary structure. By Lemma 1, it suffices to show that $R \subseteq R_1 \cup R_0 * x_i \subseteq NAS$.
1. First, $R \subseteq R_1 \cup R_0 * x_i$:
(a) Let $g \in R$ with $x_i \mid g$. By Definition 2, for every $x_{i'} \nmid g$ there exists $f_j \in \Gamma$ such that $f_j \mid g \cdot x_{i'}$. If $x_i \mid f_j$, then $f_j / x_i \mid (g / x_i) \cdot x_{i'}$ and $f_j / x_i \in \Gamma_2$; if $x_i \nmid f_j$, then $f_j \mid (g / x_i) \cdot x_{i'}$ and $f_j \in \Gamma_1$. Hence there exists $f_j \in \Gamma_1 \cup \Gamma_2$ such that $f_j \mid (g / x_i) \cdot x_{i'}$, and there exists $f'_j \in Min(\Gamma_1 \cup \Gamma_2) = \Gamma_0$ such that $f'_j \mid f_j$; then $f'_j \mid (g / x_i) \cdot x_{i'}$. Moreover, $g / x_i$ is unqualified for $\Gamma_0$, since otherwise $g$ would be qualified for $\Gamma$. This implies that $g / x_i \in R_0$, i.e., $g \in R_0 * x_i$.
(b) Let $g \in R$ with $x_i \nmid g$. For every $x_{i'} \nmid g$ ($i' \ne i$) there exists $f_j \in \Gamma$ such that $f_j \mid g \cdot x_{i'}$; as $x_i \nmid g \cdot x_{i'}$, $x_i \nmid f_j$, which implies $f_j \in \Gamma_1$. By Definition 2, $g \in R_1$.
2. Second, $R_1 \cup R_0 * x_i \subseteq NAS$:
(a) Assume that $g \in R_0 * x_i$ (i.e., $g / x_i \in R_0$) and $g \notin NAS$, so there exists $f_j \in \Gamma$ such that $f_j \mid g$. If $x_i \mid f_j$, then $f_j / x_i \mid g / x_i$ and $f_j / x_i \in \Gamma_2$; there exists $f'_j \in Min(\Gamma_1 \cup \Gamma_2)$ such that $f'_j \mid f_j / x_i$, which implies $f'_j \mid g / x_i$, and hence $g / x_i \notin R_0$, a contradiction. If $x_i \nmid f_j$, then $f_j \in \Gamma_1$; as $f_j \mid g$ and $x_i \nmid f_j$, $f_j \mid g / x_i$, and there exists $f'_j \in Min(\Gamma_1 \cup \Gamma_2)$ such that $f'_j \mid f_j$, which implies $f'_j \mid g / x_i$, and hence $g / x_i \notin R_0$, a contradiction.
(b) Assume that $g \in R_1$ (so $x_i \nmid g$) and $g \notin NAS$, so there exists $f_j \in \Gamma$ such that $f_j \mid g$; then $x_i \nmid f_j$, hence $f_j \in \Gamma_1$, which contradicts $g \in R_1$.
Therefore $R \subseteq R_1 \cup R_0 * x_i \subseteq NAS$, and by Lemma 1 the maximal adversary structure of $\Gamma$ is $R = Max(R_1 \cup R_0 * x_i)$.
Theorem 2 motivated us to construct a binary tree with $\Gamma$ as the root node, where $\Gamma_0$ is the left child of $\Gamma$ and $\Gamma_1$ is the right child. Similarly, the left and right subtrees of each node are found in turn until the leaf nodes are reached: a left leaf node is a node in which 1 appears (1 is divisible by no $x_i$, so every polynomial is qualified), and a right leaf node is the empty set. The key objective of Algorithm 2 is to obtain the path values starting from the root node. The following is the method for obtaining the paths and the corresponding path values.

3.2.2. Obtaining the path
In fact, the algorithm obtained using the binary tree as a medium is an instance of the HS problem in which every polynomial $T_i$ and every qualified polynomial have at least one participant in common, but without a bound. Given the set of $n$ participants $\{x_1, x_2, \ldots, x_n\}$, the access structure $\Gamma = \{f_1, f_2, \ldots, f_m\}$ and $Q = \{x_1^{b_1} x_2^{b_2} \cdots x_n^{b_n} \mid b_i \in \{0, 1\}\}$, HS aims to determine the smallest subset; here we would like to find the polynomials $g \in Q$ such that $\gcd(f_i, g) \ne 1$ for every $f_i \in \Gamma$ and the number of participants in $g$ is smallest. For example, if the set of participants is $X = \{x_1, x_2, x_3, x_4, x_5, x_6\}$ and the access structure is $\Gamma = \{x_1 x_2,\ x_2 x_3 x_4,\ x_3 x_4 x_5 x_6\}$, every polynomial $g \in \{x_1 x_3 x_4,\ x_1 x_3 x_5,\ x_1 x_3\}$ satisfies $\gcd(f_i, g) \ne 1$ for all $f_i$, and among them $g = x_1 x_3$ has the fewest participants. Our aim is to identify all such $g$ from which no participant can be removed without violating $\gcd(f_i, g) \ne 1$ for some $f_i \in \Gamma$; the maximal adversary structure of the given access structure is then obtained through $F(x)/g$. We use a binary tree with the access structure as its root node and decrease the participants level by level. The idea of the algorithm is to determine all paths of the access structure and obtain their path values; finally, a full binary tree is constructed. The hitting set problem inspires us to make the algorithm more efficient by combining it with a greedy algorithm, which selects the most frequently appearing participant in the node and keeps the number of path values to a minimum.

1 '∗' denotes multiplying each polynomial in a set by a participant.
The path of a node is a route from this node through its successive children until the right child of the final node is the empty set. The parent node is denoted by parent, while lchild and rchild denote the left and right children of parent, respectively.

Candidate seed: Let $\Gamma = \{f_1, f_2, \ldots, f_m\}$ be a node with participants $\{x_1, x_2, \ldots, x_n\}$. $x_i$ is called a candidate seed of $\Gamma$ if it has the highest frequency of appearance in $f_1, f_2, \ldots, f_m$ among all $i \in [1, n]$.

Path: Let $\Gamma^i_1, \Gamma^i_2, \ldots, \Gamma^i_{k-1}, \Gamma^i_k, \Gamma^i_{k+1}$ be $k + 1$ nodes with $\Gamma^i_{k+1} = \emptyset$, where $\Gamma^i_{j+1}$ is a child of $\Gamma^i_j$ for $j \in [1, k]$. For convenience, $x^i_j$ denotes a participant in $\{x_1, \ldots, x_n\}$, and $x^i_1, x^i_2, \ldots, x^i_k$ are candidate seeds of the nodes $\Gamma^i_1, \Gamma^i_2, \ldots, \Gamma^i_k$, respectively. Let $l^i_1, l^i_2, \ldots, l^i_k \in \{0, 1\}$. Then
$$L^i: [x^i_1, l^i_1] \to [x^i_2, l^i_2] \to \cdots \to [x^i_k, l^i_k]$$
is called the $i$th path of $\Gamma^i_1$; it starts from the node $\Gamma^i_1$ and runs through its successive children until the right child of the final node is the empty set, and $k$ is the path length. In a full binary tree, every parent has a left child and a right child, and each child is determined by the candidate seed of the parent:
If $l^i_j = 1$, $x^i_j$ is the candidate seed of $\Gamma^i_j$ used to compute $rchild(\Gamma^i_j) = \{f_s \mid f_s \in \Gamma^i_j,\ x^i_j \nmid f_s\}$.
If $l^i_j = 0$, $x^i_j$ is the candidate seed of $\Gamma^i_j$ used to compute $lchild(\Gamma^i_j) = \{f_s / x^i_j \mid f_s \in \Gamma^i_j\}$,
where $x^i_j$ is the candidate seed of $\Gamma^i_j$ for $j \in [1, k]$, and a polynomial in the parent that is not divisible by $x^i_j$ is left unchanged. In a full binary tree, all nodes except the leaf nodes have children; therefore, every node except a leaf node has at least one path.

Path value: Let $L^i: [x^i_1, l^i_1] \to [x^i_2, l^i_2] \to \cdots \to [x^i_k, l^i_k]$ be a path of $\Gamma^i_1$ with corresponding nodes $\Gamma^i_1, \Gamma^i_2, \ldots, \Gamma^i_k, \Gamma^i_{k+1}$. Then
$$T^i = \prod_{j = 1,\ l^i_j = 1}^{k} x^i_j$$
is called a path value of $\Gamma^i_1$.

Complement of path value: The product of all participants of the current node divided by a path value of the node is called the complement of the path value. Let $L^i: [x^i_1, l^i_1] \to \cdots \to [x^i_k, l^i_k]$ be a path of $\Gamma^i_1$ with participants $\{x_1, x_2, \ldots, x_n\}$, where $\Gamma^i_j$ is the $j$th node for $j \in [1, k+1]$. Assume that $T^i = x^i_j \cdot x^i_{j+1} \cdots x^i_k$ (taken over the factors with $l = 1$) is a path value of $\Gamma^i_j$; then the complement of the path value of $\Gamma^i_j$ is denoted by $F(x)/T^i$, where $F(x)$ is the product of all participants in $\{x_1, x_2, \ldots, x_n\} \setminus \{x^i_1, x^i_2, \ldots, x^i_{j-1}\}$.

Note: In this paper, the complement of the path value is always computed with the participants of the current node. In the following algorithm, if several participants have the same highest frequency in a node, choose any one of them.

First path: There is a path from the root node to the right leaf node along which each node is the right child of its parent. This path is used as the first path of the algorithm below. Let $x^1_1, x^1_2, \ldots, x^1_k$ be candidate seeds of the $k$ nodes $\Gamma^1_1, \Gamma^1_2, \ldots, \Gamma^1_k$, with $l^1_j = 1$ for each $j \in [1, k]$. Then $[x^1_1, 1] \to [x^1_2, 1] \to \cdots \to [x^1_k, 1]$ is the first path of $\Gamma^1_1$, and the corresponding nodes are $\Gamma^1_1, \Gamma^1_2, \ldots, \Gamma^1_{k+1}$, where $\Gamma^1_{j+1} = rchild(\Gamma^1_j) = \{f_i \mid f_i \in \Gamma^1_j,\ x^1_j \nmid f_i\}$.

Example 2. Let $\Gamma = \{x_1 x_2,\ x_2 x_3 x_4,\ x_3 x_4 x_5 x_6\}$ be an access structure of an SSS with participants $\{x_1, x_2, x_3, x_4, x_5, x_6\}$. $x_3$ is a candidate seed of $\Gamma = \Gamma^1_1$, $\Gamma^1_2 = rchild(\Gamma^1_1) = \{x_1 x_2\}$, $x_1$ is the candidate seed of $\Gamma^1_2$, and $\Gamma^1_3 = rchild(\Gamma^1_2) = \emptyset$. Therefore, the first path is $[x_3, 1] \to [x_1, 1]$ with $T^1 = x_1 \cdot x_3$. The first path is shown in Fig. 1.
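As an added example (not the authors' code), the following Python builds the binary tree of Theorem 2 and Algorithm 2 for the access structure of Example 2: the candidate seed is the most frequent participant, rchild drops the polynomials the seed divides ($\Gamma_1$), lchild divides by the seed and minimises ($\Gamma_0$), and every root-to-leaf path is enumerated right child first, which reproduces the order in which Algorithm 2 visits paths (first path, then flip the deepest $l = 1$ whose left child does not contain 1). The complement $F(x)/T^i$ of each path value is collected and maximised, and the result is compared with a direct bottom-up evaluation of $R = Max(R_1 \cup R_0 * x_j)$. Ties are broken by the smallest index, so the root seed is $x_2$ rather than the $x_3$ chosen in Example 2; the function names (tree_paths, algorithm2, maximal_adversary) and the inline input are this example's own.

```python
"""The binary tree behind Theorem 2 and Algorithm 2.

Added example, not the authors' code.  Monomials are frozensets of participant
indices (the constant 1 is frozenset()), a node is a set of such monomials and
f | g holds exactly when f <= g.  Constructed input: the Example 2 structure.
"""
from collections import Counter


def minimise(polys):
    """Min(S): drop every g properly divisible by another f in S."""
    polys = set(polys)
    return {g for g in polys if not any(f < g for f in polys)}


def maximise(polys):
    """Max(S): drop every f that properly divides another g in S."""
    polys = set(polys)
    return {f for f in polys if not any(f < g for g in polys)}


def candidate_seed(node):
    """The participant appearing most often in the node's polynomials.
    The paper allows any tied participant; this example takes the smallest."""
    counts = Counter(x for f in node for x in f)
    best = max(counts.values())
    return min(x for x, c in counts.items() if c == best)


def rchild(node, seed):
    """Gamma_1: the polynomials not divisible by the seed (the l = 1 step)."""
    return {f for f in node if seed not in f}


def lchild(node, seed):
    """Gamma_0 = Min(Gamma_1 u Gamma_2): divide by the seed where it divides,
    keep the other polynomials, then minimise (the l = 0 step)."""
    return minimise({f - {seed} for f in node})


def is_left_leaf(node):
    """A node containing 1: every polynomial is qualified, so its R is empty."""
    return frozenset() in node


def tree_paths(node, prefix=()):
    """Yield every path of the full binary tree rooted at `node` as a tuple of
    (x_j, l_j) steps ending at a right leaf (empty node).  Right children are
    explored first, matching Algorithm 2's visiting order; paths that reach a
    left leaf are dropped since that node contributes no unqualified polynomial."""
    if not node:                      # right leaf: no qualified polynomial left
        yield prefix
        return
    if is_left_leaf(node):
        return
    seed = candidate_seed(node)
    yield from tree_paths(rchild(node, seed), prefix + ((seed, 1),))
    yield from tree_paths(lchild(node, seed), prefix + ((seed, 0),))


def path_value(path):
    """T^i: the product of the seeds taken on the right (l = 1)."""
    return frozenset(x for x, l in path if l == 1)


def complement(path, participants):
    """F(x)/T^i over the root's participants; seeds taken on the left (l = 0)
    stay in the complement, as in Lemma 2 (Tbar = Tbar(0) * x_j u Tbar(1))."""
    return frozenset(participants) - path_value(path)


def algorithm2(gamma, participants):
    """Algorithm 2: collect F(x)/T^i for every path of the tree and maximise."""
    return maximise({complement(p, participants) for p in tree_paths(set(gamma))})


def maximal_adversary(node, participants):
    """Theorem 2 evaluated bottom-up: R = Max(R_1 u R_0 * x_j) with x_j the
    candidate seed, R_1 from rchild and R_0 from lchild over the remaining
    participants; an empty node gives {F(x)} and a node containing 1 gives {}."""
    participants = frozenset(participants)
    if not node:
        return {participants}
    if is_left_leaf(node):
        return set()
    seed = candidate_seed(node)
    rest = participants - {seed}
    r1 = maximal_adversary(rchild(node, seed), rest)
    r0 = maximal_adversary(lchild(node, seed), rest)
    return maximise(r1 | {g | {seed} for g in r0})


def fmt(poly):
    return "".join(f"x{j}" for j in sorted(poly)) or "1"


PARTICIPANTS = frozenset(range(1, 7))
GAMMA_EXAMPLE_2 = {frozenset({1, 2}), frozenset({2, 3, 4}), frozenset({3, 4, 5, 6})}

if __name__ == "__main__":
    for path in tree_paths(GAMMA_EXAMPLE_2):
        steps = " -> ".join(f"[x{x}, {l}]" for x, l in path)
        print(f"{steps:44s} T = {fmt(path_value(path)):6s} F(x)/T = {fmt(complement(path, PARTICIPANTS))}")
    R = algorithm2(GAMMA_EXAMPLE_2, PARTICIPANTS)
    print("R =", sorted(fmt(g) for g in R))
    print("Theorem 2 agrees:", R == maximal_adversary(GAMMA_EXAMPLE_2, PARTICIPANTS))
```

With the smallest-index tie-break the first path is $[x_2, 1] \to [x_1, 1]$... more precisely $[x_2, 1] \to [x_3, 1]$ with $T^1 = x_2 x_3$ and complement $x_1 x_4 x_5 x_6$; six paths are visited in total, and both evaluations return the same six-element $R$ as Example 1, which is what Theorem 2 guarantees for any choice of seed.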
3.2.3. Formal description This section provides a detailed description of the manner in which the maximal adversary structure is determined from the given access structure.
Fig. 1. Example 2.
Algorithm 2 finally obtains a full binary tree. The left leaf nodes are $\{1\}$, the right leaf nodes are empty, and there is no path below any leaf node. We present three cases for the path values of a node that has at least one leaf node as a child. Let $T$ be the set of path values of a node, $T(0)$ that of its left child and $T(1)$ that of its right child. If the candidate seed $x_j$ of the node is used to compute its right child, then $l_j = 1$; else $l_j = 0$. Each path value is the product of the candidate seeds of the nodes on the path with $l_j = 1$.
Case 1. If the left child of the node is a leaf node, the path values of the node are the path values of its right child multiplied by $x_j$, i.e., $T = T(1) * x_j$.
Case 2. If the right child of the node is a leaf node, the path values of the node are the path values of its left child together with the candidate seed of the node, i.e., $T = T(0) \cup \{x_j\}$.
Case 3. If both children of the node are leaf nodes, the path value of the node is the candidate seed of the node, i.e., $T = \{x_j\}$.
In general, each path value has a corresponding complement. In a full binary tree, a leaf node has no path; however, to make the recursion work, the complement of the path value of a leaf node is defined as follows:
1. the complement of the path value of a left leaf node is the empty set, and
2. the complement of the path value of a right leaf node is the product of all participants of the current node.

Lemma 2. Suppose that $T$ is the set of path values of a parent, $T(0)$ that of its left child and $T(1)$ that of its right child, and let $\overline{T}$, $\overline{T}(0)$ and $\overline{T}(1)$ denote the corresponding sets of complements. Then $T = T(0) \cup T(1) * x_j$ and the complements satisfy
$$\overline{T} = \overline{T}(0) * x_j \cup \overline{T}(1),$$
where $x_j$ is the candidate seed of the parent.

Proof. Let the participants of the parent be $\{x_1, x_2, \ldots, x_n\}$ and $x_j$ its candidate seed. Then the participants of lchild(parent) and rchild(parent) are $\{x_1, x_2, \ldots, x_n\} \setminus \{x_j\}$; let $F(x)$ be the product of the participants in $\{x_1, x_2, \ldots, x_n\} \setminus \{x_j\}$.
1. For any $T_i \in T$ with $x_j \mid T_i$, $T_i \in T(1) * x_j$, i.e., $T_i / x_j \in T(1)$. The complement of $T_i / x_j$ with respect to rchild(parent) is $F(x) / (T_i / x_j) = F(x) \cdot x_j / T_i \in \overline{T}(1)$, and $F(x) \cdot x_j / T_i$ is also the complement of $T_i$ with respect to the parent; hence $\overline{T}(1) \subseteq \overline{T}$.
2. For any $T_i \in T$ with $x_j \nmid T_i$, $T_i \in T(0)$. The complement of $T_i$ with respect to lchild(parent) is $F(x) / T_i \in \overline{T}(0)$, and the complement of $T_i$ with respect to the parent is $F(x) \cdot x_j / T_i \in \overline{T}$; hence $\overline{T}(0) * x_j \subseteq \overline{T}$.
Therefore $\overline{T} = \overline{T}(0) * x_j \cup \overline{T}(1)$.
Lemma 3. Suppose that NAS is the adversary structure of the parent and R is the corresponding maximal adversary structure. NAS0 and NAS1 are the adversary structures of the lchild(parent) and rchild(parent), while R0 and R1 are the corresponding maximal adversary structures, respectively. Moreover, T , T (0 ) , and T (1 ) are the sets of the complement of the path value of the parent, lchild(parent), and rchild(parent), respectively. If R(0 ) ⊆ T (0 ) ⊆ NAS(0 ) and R(1 ) ⊆ T (1 ) ⊆ NAS(1 ) , R ⊆ T ⊆ NAS, where T = T (0 ) ∗ x j ∪ T (1 ) , and xj is the candidate seed of the parent. Proof. This proof is similar to that of Theorem 2. Refer to Theorem 2 for further details.
Lemma 4. For any leaf node in the full binary tree obtained by Algorithm 2, we have $R = \overline{T}$, where R is the maximal adversary structure of the node and $\overline{T}$ is the complement of its path value.

Proof. According to Algorithm 2, when '1' is in a node, it is minimized as the left node; however, every participant is divisible by '1'. Therefore, the maximal adversary structure of each left leaf node is the empty set.
All the right leaf nodes are empty sets, meaning that no qualified polynomial exists in these nodes. Then, the maximal adversary structure corresponding to the access structure of such a node is the product of all the participants of the current node. Therefore, according to the definition of the complement of the path value of a leaf node, $R = \overline{T}$.

Correctness of Algorithm 2. Let T be the path value of the root node, T(0) be the path value of its left child, and T(1) be the path value of its right child. Furthermore, NAS is the adversary structure and R is the corresponding maximal adversary structure. Assume that xj is the candidate seed of the node. According to Lemma 4, the maximal adversary structure of any leaf node is equal to the complement of its path value. According to Lemma 3, by recursion from the leaf nodes to the root node, we have $R \subseteq \overline{T} \subseteq NAS$. By Lemma 2, the complement of the path value of the root node satisfies $\overline{T} = \overline{T}(0) * x_j \cup \overline{T}(1)$. Therefore, according to Lemma 1, the maximal adversary structure of the root node is $R = \mathrm{Max}(\overline{T})$. In fact, from Lemma 4, the complement of any leaf node is equal to the maximal adversary structure of the node with the current participants. Then, the maximal adversary structure of the root node obtained by Algorithm 2 corresponds to that in Theorem 2 by recursion.

3.2.4. Example

Example 3. Let the access structure be {x1 x2, x2 x3 x4, x3 x4 x5 x6} in an SSS with participants {x1, x2, x3, x4, x5, x6}. Its maximal adversary structure is obtained as follows (each node of a path is written as the set of qualified polynomials it contains; the root is the whole access structure).

i = 1. The first path is L1: [x3, 1] → [x1, 1], and the corresponding nodes are the root, {x1 x2}, and ∅. The length of the path is k = 2, $T^1 = x_1 x_3$, and Rtemp = {x2 x4 x5 x6}. k > 0, $l_2^1 = 1$, and 1 ∉ lchild(second node of L1) = {x2}; hence, set $l_2^2 = 0$, keep the first two nodes (the root and {x1 x2}), and determine L2: [x3, 1] → [x1, 0] → [x2, 1].

i = 2. The corresponding nodes of L2 are the root, {x1 x2}, {x2}, and ∅. $T^2 = x_2 x_3$, Rtemp = {x2 x4 x5 x6, x1 x4 x5 x6}, and $\tilde{k} = 3$. $\tilde{k} > 0$, $l_3^2 = 1$, and 1 ∈ lchild(third node of L2); $\tilde{k} = 2$, $l_2^2 = 0$; $\tilde{k} = 1$, $l_1^2 = 1$ and 1 ∉ lchild(root) = {x1 x2, x2 x4, x4 x5 x6}. Hence, set $l_1^3 = 0$, keep the root, and determine L3: [x3, 0] → [x4, 1] → [x1, 1].

i = 3. The corresponding nodes of L3 are the root, {x1 x2, x2 x4, x4 x5 x6}, {x1 x2}, and ∅. $T^3 = x_4 x_1$, Rtemp = {x2 x3 x5 x6, x2 x4 x5 x6, x1 x4 x5 x6}, and $\tilde{k} = 3$. $\tilde{k} > 0$, $l_3^3 = 1$ and 1 ∉ lchild(third node of L3). Hence, set $l_3^4 = 0$, keep the first three nodes (the root, {x1 x2, x2 x4, x4 x5 x6}, and {x1 x2}), and determine L4: [x3, 0] → [x4, 1] → [x1, 0] → [x2, 1].

i = 4. The corresponding nodes of L4 are the root, {x1 x2, x2 x4, x4 x5 x6}, {x1 x2}, {x2}, and ∅. $T^4 = x_4 x_2$, Rtemp = {x1 x3 x5 x6, x2 x3 x5 x6, x2 x4 x5 x6, x1 x4 x5 x6}, and $\tilde{k} = 4$. $\tilde{k} > 0$, $l_4^4 = 1$ and 1 ∈ lchild(fourth node of L4); $\tilde{k} = 3$, $l_3^4 = 0$; $\tilde{k} = 2$, $l_2^4 = 1$ and 1 ∉ lchild(second node of L4). Hence, set $l_2^5 = 0$, keep the first two nodes (the root and {x1 x2, x2 x4, x4 x5 x6}), and determine L5: [x3, 0] → [x4, 0] → [x2, 1] → [x5, 1].

i = 5. The corresponding nodes of L5 are the root, {x1 x2, x2 x4, x4 x5 x6}, {x2, x5 x6}, {x5 x6}, and ∅. $T^5 = x_5 x_2$, Rtemp = {x1 x3 x4 x6, x1 x3 x5 x6, x2 x3 x5 x6, x2 x4 x5 x6, x1 x4 x5 x6}, and $\tilde{k} = 4$. $\tilde{k} = 4$, $l_4^5 = 1$, and 1 ∉ lchild(fourth node of L5). Hence, set $l_4^6 = 0$, keep the first four nodes (the root, {x1 x2, x2 x4, x4 x5 x6}, {x2, x5 x6}, and {x5 x6}), and determine L6: [x3, 0] → [x4, 0] → [x2, 1] → [x5, 0] → [x6, 1].

i = 6. The corresponding nodes of L6 are the root, {x1 x2, x2 x4, x4 x5 x6}, {x2, x5 x6}, {x5 x6}, {x6}, and ∅. $T^6 = x_6 x_2$, Rtemp = {x1 x3 x4 x5, x1 x3 x4 x6, x1 x3 x5 x6, x2 x3 x5 x6, x2 x4 x5 x6, x1 x4 x5 x6}, and $\tilde{k} = 5$. $\tilde{k} = 5$, $l_5^6 = 1$ and 1 ∈ lchild(fifth node of L6); $l_4^6 = 0$; $l_3^6 = 1$ and 1 ∈ lchild(third node of L6); $l_2^6 = 0$; $l_1^6 = 0$.

Therefore, R = Max(Rtemp) = {x1 x3 x4 x5, x1 x3 x4 x6, x1 x3 x5 x6, x2 x3 x5 x6, x2 x4 x5 x6, x1 x4 x5 x6} (Fig. 2).
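The R obtained above can be checked directly from the definitions. The following Python is an added example, not code from the paper: it writes each polynomial as the set of its participants, computes the maximal adversary structure of Example 3 by exhaustive search over all 2^n subsets, and shows the hitting-set view that the text relies on (the complement of every maximal unqualified polynomial is a minimal hitting set of the access structure). The sample access structure is the one of Example 3.

```python
from itertools import combinations

# Constructed from Example 3 of the paper: the qualified polynomial x1x2 is
# written as the participant set {1, 2}, and so on.
PARTICIPANTS = frozenset(range(1, 7))
GAMMA_EX3 = [frozenset({1, 2}), frozenset({2, 3, 4}), frozenset({3, 4, 5, 6})]


def monomial(s):
    """Render a participant set as the paper's monomial, e.g. {1, 3} -> 'x1x3'."""
    return "".join(f"x{j}" for j in sorted(s))


def is_qualified(subset, gamma):
    """A subset is qualified iff some qualified polynomial f divides it,
    i.e. every participant of f belongs to the subset."""
    return any(f <= subset for f in gamma)


def max_of(polys):
    """The operator Max(.): keep only the polynomials that do not strictly
    divide another polynomial of the collection."""
    polys = set(polys)
    return {p for p in polys if not any(p < other for other in polys)}


def adversary_structure(participants, gamma):
    """NAS: every unqualified subset (exhaustive over 2^n subsets, small n)."""
    members = sorted(participants)
    return {frozenset(s) for r in range(len(members) + 1)
            for s in combinations(members, r)
            if not is_qualified(frozenset(s), gamma)}


def maximal_adversary_structure(participants, gamma):
    """R: the unqualified subsets that become qualified as soon as any one
    missing participant is added."""
    participants = frozenset(participants)
    return {g for g in adversary_structure(participants, gamma)
            if all(is_qualified(g | {x}, gamma) for x in participants - g)}


def minimal_hitting_sets(participants, gamma):
    """Subsets meeting every qualified polynomial, minimal for that property.
    Their complements are exactly the members of R, which is why computing
    the path values is a hitting-set problem."""
    members = sorted(participants)
    hitting = {frozenset(s) for r in range(1, len(members) + 1)
               for s in combinations(members, r)
               if all(f & frozenset(s) for f in gamma)}
    return {h for h in hitting if not any(other < h for other in hitting)}


def routes_agree(participants, gamma):
    """Three routes to R give the same collection: the definition above,
    Max(NAS), and the complements of the minimal hitting sets."""
    participants = frozenset(participants)
    r = maximal_adversary_structure(participants, gamma)
    return (r == max_of(adversary_structure(participants, gamma))
            and r == {participants - h
                      for h in minimal_hitting_sets(participants, gamma)})


def example3():
    """R of Example 3 as a sorted list of monomials."""
    r = maximal_adversary_structure(PARTICIPANTS, GAMMA_EX3)
    return sorted(monomial(g) for g in r)


if __name__ == "__main__":
    print(example3(), routes_agree(PARTICIPANTS, GAMMA_EX3))
```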
First, we consider whether there is a polynomial-time algorithm that determines the maximal adversary structure for any given access structure. Determining the path values of a given access structure is the key step of Algorithm 2, and there is no polynomial-time algorithm to determine the maximal adversary structure together with the given access structure: the path values could be determined in polynomial time only if the hitting set problem underlying the maximal adversary structure could be solved in polynomial time, i.e., only if P = NP. Algorithm 1 starts from all participants, examines each qualified polynomial of the access structure one by one, and disables the current qualified polynomial by removing the necessary participants step by step. From Lemma 1 and Theorem 1, Rtemp is an intermediate set of the maximal adversary structure with certain redundancy. We would like to design the algorithm such that the output R has as little redundancy as possible. In Algorithm 2, the left child of each node can be regarded as a minimal access structure with an SSS for the current participants. Further, the greedy algorithm is used to ensure that each path value Ti and each qualified polynomial are not mutually prime polynomials and that the participants of Ti are as few as possible, so that the redundant polynomials are minimized.
Fig. 2. Example 3.
Harn et al. used the Karnaugh map to derive a minimal positive access subset and a maximal negative access subset. As the number of cells of the Karnaugh map increases exponentially with the number of participants, it is not suitable for constructing algorithms. Only the method to derive a minimal positive access subset and a maximal negative access subset is introduced; no specific algorithm is given in [22]. In fact, the complexity of our main algorithms is exponential, as is that of the method of Tang et al. We construct two general algorithms. Because the form of a given access structure varies and the authority of each participant in the access structure differs, it is difficult to determine all the minimum path values without redundancy. This is the motivation of the next section.
4. Disjoint access structure

In this section, we discuss a special type of access structure with n participants, from which the corresponding maximal adversary structure can be obtained directly without redundancy, and we demonstrate that in this case the size of the maximal adversary structure is largest when the number of participants in each qualified polynomial is three.

Definition 3. An access structure is called disjoint if, for any fi, fj in it, gcd(fi, fj) = 1 for i ≠ j.

Theorem 3. Suppose that the access structure {f1, f2, ..., fm} with participants {x1, x2, ..., xn} is disjoint. Let Ti be the product of m participants, where each participant is taken from a different qualified polynomial fj, and let tj be the number of participants of fj. The maximal adversary structure of the access structure is
$$I = \left\{ \frac{F(x)}{T_i} \;\middle|\; T_i = x_{s_1} \cdot x_{s_2} \cdots x_{s_m},\ x_{s_j} \mid f_j \right\}, \qquad |I| = \prod_{j=1}^{m} t_j ,$$
where $F(x) = \prod_{k=1}^{n} x_k$, $x_{s_j} \in \{x_1, x_2, \ldots, x_n\}$, and |I| denotes the number of elements in I.
Proof. Let the access structure be {f1, f2, ..., fm} with n participants and $I = \{ F(x)/T_i \mid T_i = x_{s_1} \cdot x_{s_2} \cdots x_{s_m},\ x_{s_j} \mid f_j \}$, and let NAS be the adversary structure of the access structure. Moreover, R is the maximal adversary structure thereof, where j ∈ [1, m] and sj ∈ [1, tj]. Let $T_i = x_{s_1} \cdot x_{s_2} \cdots x_{s_m}$.

1. For any fj in the access structure, $\gcd(T_i, f_j) = x_{s_j}$. This implies that $\gcd(F(x)/T_i, f_j) = f_j / x_{s_j}$; hence, $f_j \nmid F(x)/T_i$, and $F(x)/T_i \in NAS$. As any $x_{s_j} \nmid F(x)/T_i$ and $f_j \mid F(x) \cdot x_{s_j} / T_i$, according to the definition, I ⊆ R.
2. Suppose that there are t participants not in the unqualified polynomial g for g ∈ R, and t < m. As the access structure is disjoint and has m qualified polynomials, there must exist an fj in it such that all participants thereof are in g, i.e., fj | g. However, g is an unqualified polynomial, which is a contradiction. Hence, t ≥ m. If t > m, there exists an fj such that at least two participants xt and xs thereof, xt | fj and xs | fj, satisfy xt ∤ g and xs ∤ g; then, fj ∤ g · xt. As the access structure is disjoint, xt ∤ fl for every other qualified polynomial fl (fl ≠ fj). However, fl ∤ g and xt ∤ fl; then, fl ∤ g · xt, which contradicts g ∈ R according to Definition 2. Therefore, t = m, which means that there are only m participants not in g and exactly one participant of each fj is not in g; hence, R ⊆ I.

Example 4. Assume that a disjoint access structure is {x1 x2, x3 x4, x5 x6} in an SSS with participants {x1, x2, ..., x6}. Its maximal adversary structure is R = {x2 x4 x6, x2 x4 x5, x2 x3 x5, x2 x3 x6, x1 x4 x6, x1 x4 x5, x1 x3 x6, x1 x3 x5}.

Theorem 4. Suppose that S(n) is the set of all disjoint access structures with n participants, say k of them, and H = {R1, R2, ..., Rk} is the set of the corresponding maximal adversary structures of S(n). If #{tj | tj = 3} of the i-th access structure in S(n) reaches the maximum, the size of Ri in H is the largest:
1. if n ≡ 0 (mod 3), $|R_i| = 3^{n/3}$,
2. if n ≡ 1 (mod 3), $|R_i| = 3^{(n-4)/3} \cdot 2^2$, and
3. if n ≡ 2 (mod 3), $|R_i| = 3^{(n-2)/3} \cdot 2$,
where tj is the number of participants of fj for every fj in the i-th access structure.

Proof. Let the i-th access structure {f1, f2, ..., fm} with n participants be disjoint. According to Theorem 3, $|R_i| = \prod_{j=1}^{m} t_j$, where tj is the number of participants of fj for j ∈ [1, m], and t1 + t2 + ··· + tm = n. Then
$$|R_i| = t_1 \cdot t_2 \cdots t_m \le \left( \frac{t_1 + t_2 + \cdots + t_m}{m} \right)^{m} = \left( \frac{n}{m} \right)^{m} .$$
Let $h(m) = \ln (n/m)^m$. We have $h'(m) = \ln n - \ln m - 1 = 0$. Hence, when $m = n/e$ and $t_1 = t_2 = \cdots = t_m$, $t_1 \cdot t_2 \cdots t_m$ is maximal. As e ≈ 2.71828 is not an integer but every tj must be an integer, we assume that some tj = 2 and the other tj = 3 (the number of participants of some polynomials is two, and that of the others is three). If #{tj | tj = 3} is b and #{tj | tj = 2} is a, because the access structure is disjoint, we have 2a + 3b = n and $|R_i| = 2^{\frac{n-3b}{2}} \cdot 3^{b}$. Let
$$g(b) = \log_2 \left( 2^{\frac{n-3b}{2}} \cdot 3^{b} \right) = \frac{n-3b}{2} + b \log_2 3 = \frac{n}{2} + \left( \log_2 3 - \frac{3}{2} \right) b ,$$
and as $\log_2 3 - \frac{3}{2} > 0$, g(b) grows with b, i.e., |Ri| is the largest when #{tj | tj = 3} reaches its maximum. If n ≡ 0 (mod 3), all tj are equal to 3 and the size of Ri reaches the maximum $|R_i| = 3^{n/3}$, where m = b = n/3. If n ≡ 1 (mod 3), the number of tj = 3 is at most (n − 4)/3; thus, $|R_i| = 3^{\frac{n-4}{3}} \cdot 2^2$. If n ≡ 2 (mod 3), the largest number of tj = 3 is (n − 2)/3; thus, $|R_i| = 3^{\frac{n-2}{3}} \cdot 2$.
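As an added illustration (not the paper's code), the following Python builds the set I of Theorem 3 for the disjoint access structure of Example 4, checks |I| = ∏ tj, and confirms the closed form of Theorem 4 by trying every profile (t1, ..., tm) with t1 + ··· + tm = n; as in the proof, it assumes that the qualified polynomials together cover all n participants.

```python
from itertools import combinations, product
from math import prod

# Constructed from Example 4 of the paper: {x1x2, x3x4, x5x6} on six participants.
PARTICIPANTS_EX4 = frozenset(range(1, 7))
GAMMA_EX4 = [frozenset({1, 2}), frozenset({3, 4}), frozenset({5, 6})]


def monomial(s):
    """Render a participant set as the paper's monomial, e.g. {2, 4, 6} -> 'x2x4x6'."""
    return "".join(f"x{j}" for j in sorted(s))


def is_disjoint(gamma):
    """Definition 3: gcd(f_i, f_j) = 1 for i != j, i.e. no shared participant."""
    return all(not (f & g) for f, g in combinations(gamma, 2))


def disjoint_maximal_adversary(participants, gamma):
    """Theorem 3: for a disjoint access structure the maximal adversary
    structure is I = { F(x)/T_i }, where T_i takes exactly one participant
    from every qualified polynomial f_j and F(x) is the product of all
    participants, so F(x)/T_i is the complement of T_i."""
    if not is_disjoint(gamma):
        raise ValueError("Theorem 3 needs a disjoint access structure")
    participants = frozenset(participants)
    return {participants - frozenset(t_i)
            for t_i in product(*(sorted(f) for f in gamma))}


def theorem3_size(gamma):
    """|I| = prod_j t_j, with t_j the number of participants of f_j."""
    return prod(len(f) for f in gamma)


def partitions(n, smallest=1):
    """Every way to write n as a sum of positive integers t_1 <= ... <= t_m.
    Each one is the profile of a disjoint access structure whose qualified
    polynomials cover all n participants (t_1 + ... + t_m = n), the setting
    of Theorem 4; profiles containing a 1 never win, so they do no harm."""
    if n == 0:
        yield ()
        return
    for k in range(smallest, n + 1):
        for rest in partitions(n - k, k):
            yield (k,) + rest


def largest_size(n):
    """max |R_i| over S(n), found by trying every profile."""
    return max(prod(p) for p in partitions(n))


def best_profile(n):
    """A profile attaining the maximum: as many 3s as possible, 2s otherwise."""
    return max(partitions(n), key=prod)


def theorem4_formula(n):
    """Closed form of Theorem 4 (n >= 2)."""
    if n % 3 == 0:
        return 3 ** (n // 3)
    if n % 3 == 1:
        return 3 ** ((n - 4) // 3) * 2 ** 2
    return 3 ** ((n - 2) // 3) * 2


if __name__ == "__main__":
    print(sorted(monomial(g) for g in disjoint_maximal_adversary(PARTICIPANTS_EX4, GAMMA_EX4)))
    print([(n, best_profile(n), largest_size(n)) for n in range(2, 11)])
```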
5. Optimal linear codes

In fact, every linear code can be used to construct an SSS, but determining the access structure of the scheme is a challenging problem. Tang et al. [21] demonstrated that achieving the optimal linear code for any given access structure is equivalent to solving a system of quadratic equations constructed from the given access structure and the corresponding adversary structure. In this section, we introduce their method to determine whether an ideal linear code exists for the given access structure. If such a code does not exist, we determine the corresponding adversary structure from the given access structure and obtain the optimal linear code from the two. Let the given access structure be {f1, f2, ..., fm} with participants {x1, x2, ..., xn}. For convenience, the participants {x1, x2, ..., xn} are denoted by {1, 2, ..., n}, and xj | fi is denoted by j ∈ fi. The access structure can be denoted by a matrix:
$$\begin{pmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{m1} & a_{m2} & \cdots & a_{mn} \end{pmatrix}$$
where $a_{ij} \neq 0$ if j ∈ fi; otherwise, $a_{ij} = 0$, for 1 ≤ i ≤ m, 1 ≤ j ≤ n. Similarly, an m × (n + 1) matrix H is defined as follows:
$$H = \begin{pmatrix} 1 & a_{11} & a_{12} & \cdots & a_{1n} \\ 1 & a_{21} & a_{22} & \cdots & a_{2n} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & a_{m1} & a_{m2} & \cdots & a_{mn} \end{pmatrix}$$
where an all-one column is prepended to the matrix of the access structure. Let R = {g1, g2, ..., gt} be the corresponding maximal adversary structure of the access structure, determined using the above algorithms. Define
$$G = \begin{pmatrix} 1 & b_{11} & b_{12} & \cdots & b_{1n} \\ 1 & b_{21} & b_{22} & \cdots & b_{2n} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 1 & b_{t1} & b_{t2} & \cdots & b_{tn} \end{pmatrix}$$
where $b_{ij} = 0$ if j ∈ gi; otherwise, $b_{ij} \neq 0$ and bij is an unknown for all j ∉ gi.

Theorem 5. There is a linear code for a given access structure {f1, f2, ..., fm} if and only if the following system of quadratic equations, $G H^{T} = 0$, has a solution for the aij with j ∈ fi and the bij with j ∉ gi over $\mathbb{F}_q$, with aij ≠ 0 for j ∈ fi.

Proof. Refer to Tang et al. [21] for further details.
According to the algorithm of Tang et al., if there exists an ideal linear code realizing a given access structure, the length of the code is equal to n + 1; if not, we add one column at a time to H and G to obtain two new matrices, where the two added columns have the same forms as existing columns of H and G, respectively. Refer to Tang et al. [21] for further details.

Example 5. Determine the linear code in $\mathbb{F}_q^5$ for the access structure {(1, 2), (1, 3), (2, 4)}, where the corresponding maximal adversary structure is R = {(1, 4), (2, 3), (3, 4)}. Let
$$H = \begin{pmatrix} 1 & a_{11} & a_{12} & 0 & 0 \\ 1 & a_{21} & 0 & a_{23} & 0 \\ 1 & 0 & a_{32} & 0 & a_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & b_{12} & b_{13} & 0 \\ 1 & b_{21} & 0 & 0 & b_{24} \\ 1 & b_{31} & b_{32} & 0 & 0 \end{pmatrix}.$$
From Theorem 5,
$$\begin{cases} 1 + b_{12} a_{12} = 0 \\ 1 + b_{13} a_{23} = 0 \\ 1 + b_{12} a_{32} = 0 \\ 1 + b_{21} a_{11} = 0 \\ 1 + b_{21} a_{21} = 0 \\ 1 + b_{24} a_{34} = 0 \\ 1 + b_{31} a_{11} + b_{32} a_{12} = 0 \\ 1 + b_{31} a_{21} = 0 \\ 1 + b_{32} a_{32} = 0 \end{cases}$$
There is no solution over $\mathbb{F}_q$; hence, an ideal linear code realizing the access structure does not exist. However, we can determine the optimal linear code by adding a column. The four ways of adding a column (repeating the form of the column of participant 1, 2, 3 or 4, respectively) are:

(1)
$$H = \begin{pmatrix} 1 & a_{11} & a'_{11} & a_{12} & 0 & 0 \\ 1 & a_{21} & a'_{21} & 0 & a_{23} & 0 \\ 1 & 0 & 0 & a_{32} & 0 & a_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & 0 & b_{12} & b_{13} & 0 \\ 1 & b_{21} & b'_{21} & 0 & 0 & b_{24} \\ 1 & b_{31} & b'_{31} & b_{32} & 0 & 0 \end{pmatrix}$$

(2)
$$H = \begin{pmatrix} 1 & a_{11} & a_{12} & a'_{12} & 0 & 0 \\ 1 & a_{21} & 0 & 0 & a_{23} & 0 \\ 1 & 0 & a_{32} & a'_{32} & 0 & a_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & b_{12} & b'_{12} & b_{13} & 0 \\ 1 & b_{21} & 0 & 0 & 0 & b_{24} \\ 1 & b_{31} & b_{32} & b'_{32} & 0 & 0 \end{pmatrix}$$

(3)
$$H = \begin{pmatrix} 1 & a_{11} & a_{12} & 0 & 0 & 0 \\ 1 & a_{21} & 0 & a_{23} & a'_{23} & 0 \\ 1 & 0 & a_{32} & 0 & 0 & a_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & b_{12} & b_{13} & b'_{13} & 0 \\ 1 & b_{21} & 0 & 0 & 0 & b_{24} \\ 1 & b_{31} & b_{32} & 0 & 0 & 0 \end{pmatrix}$$

(4)
$$H = \begin{pmatrix} 1 & a_{11} & a_{12} & 0 & 0 & 0 \\ 1 & a_{21} & 0 & a_{23} & 0 & 0 \\ 1 & 0 & a_{32} & 0 & a_{34} & a'_{34} \end{pmatrix}, \qquad G = \begin{pmatrix} 1 & 0 & b_{12} & b_{13} & 0 & 0 \\ 1 & b_{21} & 0 & 0 & b_{24} & b'_{24} \\ 1 & b_{31} & b_{32} & 0 & 0 & 0 \end{pmatrix}$$

where $a_{ij}, a'_{ij} \in \mathbb{F}_q$, 1 ≤ i ≤ 3, 1 ≤ j ≤ 4, and $b_{ij}, b'_{ij} \in \mathbb{F}_q$, 1 ≤ i ≤ 3, 1 ≤ j ≤ 4. The corresponding systems of quadratic equations are

(1)
$$\begin{cases} 1 + b_{12} a_{12} = 0 \\ 1 + b_{13} a_{23} = 0 \\ 1 + b_{12} a_{32} = 0 \\ 1 + b_{21} a_{11} + b'_{21} a'_{11} = 0 \\ 1 + b_{21} a_{21} + b'_{21} a'_{21} = 0 \\ 1 + b_{24} a_{34} = 0 \\ 1 + b_{31} a_{11} + b'_{31} a'_{11} + b_{32} a_{12} = 0 \\ 1 + b_{31} a_{21} + b'_{31} a'_{21} = 0 \\ 1 + b_{32} a_{32} = 0 \end{cases}$$

(2)
$$\begin{cases} 1 + b_{12} a_{12} + b'_{12} a'_{12} = 0 \\ 1 + b_{13} a_{23} = 0 \\ 1 + b_{12} a_{32} + b'_{12} a'_{32} = 0 \\ 1 + b_{21} a_{11} = 0 \\ 1 + b_{21} a_{21} = 0 \\ 1 + b_{24} a_{34} = 0 \\ 1 + b_{31} a_{11} + b_{32} a_{12} + b'_{32} a'_{12} = 0 \\ 1 + b_{31} a_{21} = 0 \\ 1 + b_{32} a_{32} + b'_{32} a'_{32} = 0 \end{cases}$$

(3)
$$\begin{cases} 1 + b_{12} a_{12} = 0 \\ 1 + b_{13} a_{23} + b'_{13} a'_{23} = 0 \\ 1 + b_{12} a_{32} = 0 \\ 1 + b_{21} a_{11} = 0 \\ 1 + b_{21} a_{21} = 0 \\ 1 + b_{24} a_{34} = 0 \\ 1 + b_{31} a_{11} + b_{32} a_{12} = 0 \\ 1 + b_{31} a_{21} = 0 \\ 1 + b_{32} a_{32} = 0 \end{cases}$$

(4)
$$\begin{cases} 1 + b_{12} a_{12} = 0 \\ 1 + b_{13} a_{23} = 0 \\ 1 + b_{12} a_{32} = 0 \\ 1 + b_{21} a_{11} = 0 \\ 1 + b_{21} a_{21} = 0 \\ 1 + b_{24} a_{34} + b'_{24} a'_{34} = 0 \\ 1 + b_{31} a_{11} + b_{32} a_{12} = 0 \\ 1 + b_{31} a_{21} = 0 \\ 1 + b_{32} a_{32} = 0 \end{cases}$$
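To make the solvability test of Theorem 5 concrete, here is an added Python search (not code from the paper or from [21]) that builds the zero patterns of H and G from the access structure and R of Example 5 and looks exhaustively for a solution of G H^T = 0 over F_q with every unknown nonzero, first for the length-5 system and then for each of the four length-6 extensions above. It assumes q is prime, so that arithmetic modulo q is the field, and uses q = 5 as a sample value.

```python
from itertools import product

# Constructed from Example 5 of the paper: participants are written 1..4, the
# qualified polynomial (1, 2) as {1, 2}; R is the maximal adversary structure
# given there.
GAMMA_EX5 = [frozenset({1, 2}), frozenset({1, 3}), frozenset({2, 4})]
R_EX5 = [frozenset({1, 4}), frozenset({2, 3}), frozenset({3, 4})]


def unknown_positions(gamma, adversary, columns):
    """Where the unknowns sit, after the leading all-one column.
    `columns` names the participant each column stands for; naming a
    participant twice reproduces the added column of the length-6 step.
    H: a_ij != 0 exactly where participant j is in f_i.
    G: b_ij != 0 exactly where participant j is NOT in g_i."""
    h_pat = [[j in f for j in columns] for f in gamma]
    g_pat = [[j not in g for j in columns] for g in adversary]
    return h_pat, g_pat


def code_exists(gamma, adversary, columns, q):
    """Theorem 5: True iff G H^T = 0 has a solution over F_q (q prime) with
    every unknown nonzero. Exhaustive over the a_ij; for a fixed H the rows
    of G are independent, and a row of G only sees the H entries in its own
    unknown columns, so that inner search is memoised on those entries."""
    h_pat, g_pat = unknown_positions(gamma, adversary, columns)
    nonzero = range(1, q)
    h_slots = [(i, j) for i, row in enumerate(h_pat)
               for j, on in enumerate(row) if on]
    g_cols = [[j for j, on in enumerate(row) if on] for row in g_pat]
    cache = {}

    def g_row_solvable(r, h):
        cols = g_cols[r]
        key = (r, tuple(h[i][j] for i in range(len(h)) for j in cols))
        if key not in cache:
            # 1*1 + sum_j b_rj * a_ij = 0 must hold for every row i of H
            cache[key] = any(
                all((1 + sum(b * h[i][j] for b, j in zip(bs, cols))) % q == 0
                    for i in range(len(h)))
                for bs in product(nonzero, repeat=len(cols)))
        return cache[key]

    for values in product(nonzero, repeat=len(h_slots)):
        h = [[0] * len(columns) for _ in gamma]
        for (i, j), v in zip(h_slots, values):
            h[i][j] = v
        if all(g_row_solvable(r, h) for r in range(len(g_pat))):
            return True
    return False


def example5(q=5):
    """Length n + 1 = 5 first, then the four length-6 extensions (1)-(4),
    which repeat the column of participant 1, 2, 3 or 4 respectively."""
    base = [1, 2, 3, 4]
    results = {"length 5": code_exists(GAMMA_EX5, R_EX5, base, q)}
    for k, dup in enumerate(base, start=1):
        results[f"({k})"] = code_exists(GAMMA_EX5, R_EX5, sorted(base + [dup]), q)
    return results


if __name__ == "__main__":
    for name, ok in example5().items():
        print(name, "solvable" if ok else "no solution")
```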
There exist solutions for systems (1) and (2) over $\mathbb{F}_q$, but there is no solution for systems (3) and (4) over $\mathbb{F}_q$; hence, there is an optimal linear code of length 6 in $\mathbb{F}_q^6$ for the access structure.

6. Conclusion

The access structure and the adversary structure are two important subsets of participants in an SSS, and they are the upper bound and the lower bound, respectively, for satisfying the security requirements of an SSS. At present, there is no effective algorithm to determine the corresponding maximal adversary structure for any given access structure. This paper proposed two general algorithms to determine the corresponding maximal adversary structure from any given access structure in polynomial form. A binary tree combined with the greedy algorithm was introduced to construct these algorithms; however, they are still exponential when R or the access structure is considered alone. This motivated us to characterize R and the access structure together. The access structures were characterized by specific features, and we demonstrated that the corresponding maximal adversary structure can be obtained directly from a disjoint access structure, and that the size of the maximal adversary structure in this case is the largest. In the future, we will investigate the consistent characteristics of an access structure and the corresponding adversary structure, and we plan to develop an improved polynomial-time algorithm accordingly.

Declaration of Competing Interest

None.
Acknowledgements

This research was supported in part by the Foundation of National Natural Science of China (grant numbers 61772147 and 61602143), Guangdong Province Natural Science Foundation of major basic research and Cultivation project (grant number 2015A030308016), Project of Ordinary University Innovation Team Construction of Guangdong Province (grant number 2015KCXTD014), Basic Research Major Projects of Department of Education of Guangdong Province (grant number 2014KZDXM044), Collaborative Innovation Major Projects of Bureau of Education of Guangzhou City (grant number 1201610005) and the Innovation Research for the Postgraduates of Guangzhou University (grant number 2017GDJC-D02). The authors declare that they have no conflict of interest. We also thank Professor Shuhong Gao very much for his valuable suggestions on how to improve this paper.
References

[1] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612–613.
[2] G.R. Blakley, et al., Safeguarding cryptographic keys, in: Proceedings of the National Computer Conference, vol. 48, 1979.
[3] I. Damgård, V. Pastro, N. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in: Annual Cryptology Conference, Springer, 2012, pp. 643–662.
[4] S.L. Chi, J.Y. Lee, L. Harn, A new threshold scheme and its application in designing the conference key distribution cryptosystem, Inf. Process. Lett. 32 (3) (1989) 95–99.
[5] G. Sáez, Generation of key predistribution schemes using secret sharing schemes, Discrete Appl. Math. 128 (1) (2003) 239–249.
[6] C.-T. Wang, C.-C. Chang, C.-H. Lin, Generalization of threshold signature and authenticated encryption for group communications, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 83 (6) (2000) 1228–1237.
[7] Y.-M. Tseng, J.-K. Jan, H.-Y. Chien, On the security of generalization of threshold signature and authenticated encryption, IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 84 (10) (2001) 2606–2609.
[8] X. Wang, F.-W. Fu, Multi-receiver authentication scheme with hierarchical structure, IET Inf. Secur. 11 (5) (2017) 223–229.
[9] J. Zhang, X. Li, F.-W. Fu, Multi-receiver authentication scheme for multiple messages based on linear codes, in: International Conference on Information Security Practice and Experience, Springer, 2014, pp. 287–301.
[10] M. Ito, Secret sharing scheme realizing general access structure, in: IEEE Globecom, 1987, pp. 99–102.
[11] J. Benaloh, J. Leichter, Generalized secret sharing and monotone functions, in: Proceedings on Advances in Cryptology, Springer-Verlag, 1990, pp. 27–35.
[12] C. Asmuth, J. Bloom, A modular approach to key safeguarding, IEEE Trans. Inf. Theory 29 (2) (1983) 208–210.
[13] G.J. Simmons, How to (really) share a secret, in: Conference on the Theory and Application of Cryptography, Springer, 1988, pp. 390–448.
[14] E.F. Brickell, Some ideal secret sharing schemes, in: Workshop on the Theory and Application of Cryptographic Techniques, Springer, 1989, pp. 468–475.
[15] J. Xu, X. Zha, Secret sharing schemes with general access structure based on MSPs, J. Commun. 2 (1) (2007) 52–55.
[16] Q. Li, X.X. Li, X.J. Lai, K.F. Chen, Optimal assignment schemes for general access structures based on linear programming, Des. Codes Cryptogr. 74 (3) (2015) 623–644.
[17] A. Beimel, Secret-sharing schemes: a survey, in: International Conference on Coding and Cryptology, Springer, 2011, pp. 11–46.
[18] R.J. McEliece, D.V. Sarwate, On sharing secrets and Reed-Solomon codes, Commun. ACM 24 (9) (1981) 583–584.
[19] J.L. Massey, Three Coding Problems, 2009 Report in Trondhjemsgade, 3.
[20] J.L. Massey, Some applications of coding theory in cryptography, in: Codes and Ciphers: Cryptography and Coding IV, 1995, pp. 33–47.
[21] C. Tang, S. Gao, C. Zhang, The optimal linear secret sharing scheme for any given access structure, J. Syst. Sci. Complexity 26 (4) (2013) 634–649.
[22] L. Harn, C. Hsu, M. Zhang, T. He, M. Zhang, Realizing secret sharing with general access structure, Inf. Sci. 367 (2016) 209–220.
[23] R.M. Karp, Reducibility among combinatorial problems, in: Complexity of Computer Computations, Springer, 1972, pp. 85–103.
[24] U. Feige, A threshold of ln n for approximating set cover (preliminary version), in: Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, ACM, 1996, pp. 314–318.
[25] K. Bernhard, J. Vygen, Combinatorial Optimization: Theory and Algorithms, third ed., Springer, 2008.
[26] C. Lund, M. Yannakakis, On the hardness of approximating minimization problems, J. ACM 41 (5) (1994) 960–981.
[27] L. Trevisan, CS254: Computational Complexity, Lecture 2, Stanford University, 2010.
[28] P. Slavík, A tight analysis of the greedy algorithm for set cover, J. Algorithms 25 (2) (1997) 237–254.