Optimal Improvement Ratios of Multi-Secret Sharing Schemes Can Be Achieved

Secret sharing schemes (SSS) concern the secure distribution of a secret among a group of participants, who later reconstruct the secret by collecting the shares held by the individuals in a qualified set. A multi-secret sharing scheme (MSSS) extends this to the case where multiple secrets are shared simultaneously; its performance is estimated using both the maximum improvement ratio and the average improvement ratio. In 2003, Crescenzo calculated a lower bound of the maximum and average improvement ratios for a MSSS and proposed some special MSSS which achieve the lower bound of the maximum improvement ratio. Wang and Juan deployed a more flexible MSSS to achieve the optimal maximum improvement ratio in 2006. This paper shows that the optimal maximum improvement ratio and the optimal average improvement ratio can both be achieved through even simpler and more flexible multi-secret sharing schemes for any arbitrary n and m.


Introduction
Secret sharing was invented by Shamir [7] and Blakley [1] independently. A secret sharing scheme (SSS, for short) includes two algorithms (D, R); D refers to the distribution algorithm and R refers to the reconstruction algorithm. Formally, given a group of participants $P = \{P_1, P_2, \ldots, P_n\}$, the distribution algorithm is executed by a dealer who has been given a secret. The dealer then calculates the shares $S_i$ and distributes them to each participant $P_i$. The reconstruction algorithm is executed by authorized subsets of participants who combine their shares to reconstruct the secret. A subset $A$ of $P$ is called a qualified subset if the secret can be reconstructed when every participant in $A$ uses their shares and executes the reconstruction algorithm R. $\Gamma \subseteq 2^P$ is an access structure, which is the set of all qualified subsets.
Let a secret $K$ be chosen from $K$ with the uniform distribution. $p_K$ denotes a probability distribution on $K$ and $p_{S(A)}$ denotes a probability distribution on the shares $S(A)$ given to a subset $A \subseteq P$. A SSS is perfect if where $H(K)$ and $H(K|A)$ denote the entropy of $p_K$ and the conditional entropy of the joint probability distribution $p_{K \times S(A)}$, respectively. In other words, when a dealer distributes a share $S_i$ to every participant $P_i$, only qualified participants can reconstruct the secret $K$ by using their shares. If we collect all the shares owned by a nonqualified subset, $K$ cannot be reconstructed. We then call the scheme perfect, which means that the nonqualified participants receive no information about the original secret.
Let $S(P_i)$ denote the set of possible shares that $P_i$ might receive. $\rho_i = \log|K| / \log|S(P_i)|$ denotes the information rate for $P_i$. In general, the efficiency of a SSS (D, R) is measured by the information rate $\rho$ defined as $\rho = \min\{\rho_i :$ A multi-secret sharing scheme (MSSS, for short) deals with m secrets $s_0, s_1, \ldots, s_{m-1}$ at the same time. The most efficient algorithm of each single SSS can be used for distributing shares and reconstructing the secret. In this case, it is called a basic MSSS (b-D, b-R), in which the size of the given shares increases with the number of secrets. Reducing the size of the shares given to every participant therefore becomes an important issue. Generally, an Improvement Ratio (IR) is used to estimate the performance of a MSSS. Crescenzo [3] announced a MSSS and studied this issue in 2003. After that, in 2006, Wang and Juan [10] gave instances of MSSS to show that the optimal maximum improvement ratio can be achieved for any n > m.
This paper focuses on showing that the optimal maximum improvement ratio and the optimal average improvement ratio of MSSSs can both be achieved in more flexible cases, most notably for any arbitrary n and m. The next section lays out Crescenzo's definitions and Wang and Juan's results. Section 3 proposes a MSSS which extends the results of Crescenzo and of Wang and Juan. The proposed scheme is proved to be secure and perfect in Section 4, and conclusions are then given.
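The perfectness condition and the information rate defined in this introduction can be checked by brute force on a small scheme. The following is an added example, not code from the paper: the four participants, the two minimal qualified sets and the XOR share layout are constructed for illustration and are not the access structures proposed in Section 3.

```python
from collections import Counter
from itertools import combinations, product
from math import log2

K = range(4)  # constructed secret space: 2-bit values
PARTICIPANTS = ("X0", "X1", "X2", "Y")
MINIMAL_QUALIFIED = [{"X0", "Y"}, {"X1", "X2"}]  # assumed access structure

def distribute(s, r0, r1):
    """Dealer: every minimal qualified set holds an XOR split of s."""
    return {"X0": r0, "Y": s ^ r0, "X1": r1, "X2": s ^ r1}

def conditional_entropy(subset):
    """H(K | shares held by subset) for uniform secret and randomness."""
    joint, marginal = Counter(), Counter()
    for s, r0, r1 in product(K, repeat=3):
        shares = distribute(s, r0, r1)
        view = tuple(shares[p] for p in subset)
        joint[(s, view)] += 1
        marginal[view] += 1
    total = sum(joint.values())
    return -sum(c / total * log2(c / marginal[v]) for (_, v), c in joint.items())

def is_qualified(subset):
    return any(q <= set(subset) for q in MINIMAL_QUALIFIED)

def check_perfect():
    """Map each subset to H(K|subset); raise if perfectness is violated."""
    h_k = log2(len(K))
    result = {}
    for size in range(1, len(PARTICIPANTS) + 1):
        for subset in combinations(PARTICIPANTS, size):
            h = conditional_entropy(subset)
            expected = 0.0 if is_qualified(subset) else h_k
            if abs(h - expected) > 1e-9:
                raise ValueError(f"not perfect for {subset}: H = {h}")
            result[subset] = h
    return result

def information_rate():
    """min over participants of log|K| / log|S(P_i)|; 1.0 is ideal."""
    triples = list(product(K, repeat=3))
    sizes = [len({distribute(*t)[p] for t in triples}) for p in PARTICIPANTS]
    return min(log2(len(K)) / log2(n) for n in sizes)

if __name__ == "__main__":
    for subset, h in check_perfect().items():
        print(subset, abs(round(h, 6)))
    print("information rate:", information_rate())
```

Every nonqualified subset keeps the full 2 bits of uncertainty about the secret, every qualified subset has none, and each participant holds exactly one element of the secret space.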

Preliminaries
The maximum improvement ratio and the average improvement ratio are two criteria which are used to estimate the performance of a MSSS. In a MSSS (D, R), the dealer distributes m secrets $s_0, s_1, \ldots, s_{m-1}$ with associated access structures $A_0, A_1, \ldots, A_{m-1}$. The maximum improvement ratio (denoted by MaxIR) and the average improvement ratio (denoted by AvIR) are defined as follows by Crescenzo [3]: .
where MaxShSize($A_0, A_1, \ldots, A_{m-1}$, (D, R)) and AvShSize($A_0, A_1, \ldots, A_{m-1}$, (D, R)) denote, respectively, the maximum size of shares and the total size of shares obtained by the qualified participants when executing the (D, R) algorithm.
Next, the optimal maximum improvement ratio (denoted by OpMaxIR) and the optimal average improvement ratio (denoted by OpAvIR) are defined for the access structures $A_0, A_1, \ldots, A_{m-1}$ as follows: The following theorems show the lower bounds and upper bounds of OpMaxIR and OpAvIR which are given by Crescenzo [3].

Theorem 1 [3] Let m, n be positive integers and let $A_0, A_1, \ldots, A_{m-1}$ be access structures over a set of size n. It holds that OpMaxIR

Theorem 2 [3] Let m be an integer. For any $\varepsilon > 0$, there

Theorem 3 [3] Let m be an integer. There exists an integer n and access structures $A_0, A_1, \ldots, A_{m-1}$ over a set of size n such that OpMaxIR($A_0, A_1, \ldots, A_{m-1}$) = 1/m.

In order to prove Theorem 3, Crescenzo provides an instance of MSSS in which the maximum improvement ratio is equal to 1/m. He uses one particular access structure and an associated algorithm, which are overly complicated, and relies on some previous results in the literature. In this instance, for any positive integer m, the number of participants is $n = m + 6^{d-1}$, where $d = 2(1 + \lceil \log m \rceil) - 1$. For example, if m = 5, n will be 46661. Also, to understand this scheme, one must be familiar with the results of Blundo et al. [2], Dijk [4], and Stinson [8]. Furthermore, the other access structures in [2,5,6,8] are not intuitive enough either. Wang and Juan [10] solved this problem and proposed two simple schemes which can directly achieve the lower bound of the OpMaxIR. Additionally, their result shows that the OpMaxIR can be achieved for all cases such that m only needs to be greater than n.

Theorem 4 [10] For any two positive integers n > m, there exist access structures $A_0, A_1, \ldots, A_{m-1}$ over a set of size n such that OpAvIR($A_0, A_1, \ldots, A_{m-1}$) = 1/m.

The OpMaxIR is shown to be achievable in Theorem 3 and Theorem 4. Additionally, the OpAvIR is shown to be nearly achievable in Theorem 2. However, those existing schemes were obtained only in some special cases. That is, for any two arbitrary positive integers n (the number of secrets) and m (the number of participants), it is still unknown whether the OpMaxIR and OpAvIR are achievable. This paper resolves the question: for any two arbitrary positive integers n and m, it builds a set of access structures with a pair of associated algorithms which attains the lower bounds of both OpMaxIR and OpAvIR at the same time.

The Proposed Scheme
Let m denote the number of secrets and n denote the number of participants. For convenience, the operations at the footnote are calculated in $Z_{n-1}$ space (in modulo $n-1$) for the whole of this work. The m secrets $s_0, s_1, \ldots, s_{m-1}$ are selected from $K$. Note that is the "exclusive-or" operation and this paper defines the "general exclusive-or" operation as follows:

Definition 1 Let $I$ be a nonempty set and $U$ be a universe. For each $i \in I$ let $A_i \subseteq U$. Then $I$ is called an index set (or set of indices), and each $i \in I$ is called an index. Under these conditions, say

A particular access structure is defined as follows. Let the participants $P = \{X_0, X_1, \ldots, X_{n-2}, Y\}$. For $i = 0, 1, \ldots, m-1$, there are two cases: 1) when $n > m$, access structure $A_i$ of secret $s_i$ is defined as: 2) when $m \geq n$, access structure $A_i$ of secret $s_i$ is defined as: ( )

(5) For $0 \leq j \leq n-2$, send $S_j = \{S_{0,j}, S_{1,j}, \ldots, S_{m-1,j}\}$ to $X_j$ and send $S_y = \{S_{0,y}, S_{1,y}, \ldots, S_{m-1,y}\}$ to $Y$.

When $n \leq m$: For $0 \leq i \leq n-2$, the share $S_i$ of $A_i$ is given in the same way as in the case of $n > m$; and for $n-1 \leq i \leq m-1$, the share $S_i$ is given as follows:
(1) Select random numbers $a_{i,1}, a_{i,2}, \ldots, a_{i,n-1}$ from $K$. Let $S_{i,i+j} = a_{i,j}$ for $1 \leq j \leq n-1$.
(2) Let $S_{i,0}$ = ( ) $s_i$ and $S_{i,y} = s_i$.

Reconstruction algorithm (b-R):
(1) If the shares in $A_{i1}$ are collected, for $0 \leq i \leq m-1$, $s_i$ can be reconstructed by using $S_{i,i}$ $S_y$.
(2) If the shares in $A_{i2}$ are collected, for $0 \leq i \leq m-1$, $s_i$ can be reconstructed by using operations to $S_{i,k}$ for all $X_k$ in $A_{i2}$.
According to the above algorithms, the results are as follows: Actually, for the same access structures $A_0, \ldots, A_{m-1}$ of multi-secret $s_0, \ldots, s_{m-1}$, there exists an efficient MSSS (G-D, G-R) which is given:

An efficient MSSS (G-D, G-R) for $A_0, A_1, \ldots, A_{m-1}$: Distribution algorithm (b-D):
When $n > m$: When $n \leq m$: In algorithm G-R (2), note that in the equation when reconstructing $s_i$, if $n > m$, then let $n'$ equal $n$ if $n$ is odd; $n'$ will be equal to $n + 1$ otherwise. The secret $s_i$ appears exactly $n' - 2$ times and for any $j \neq i$, $s_j$ appears exactly $n' - 3$ times. Since $n'$ is always an odd number, after exclusive-or calculations, it results in $s_i$.
According to the above algorithms, the results are as follows: AvShSize The published shares are over $K^{\alpha}$, where $\alpha$ is shown in Table 1. Table 2 shows two examples. In (a), m = 4 and n = 5; in (b), m = 3 and n = 4.
Table 1. The number of published shares $\alpha$

Security Analysis
Whether the efficient MSSS is secure and perfect must be proven. This study proves that, unless the collecting subset belongs to the specific access structure, there is no way to reconstruct the original secret from the collected shares or even to glean any information about the secret.

Theorem 5 After executing the algorithm G-D, if all the shares belonging to the participants in any subset $A$ of $P$ that does not include $A_{i1}$ and $A_{i2}$ are collected, there is no way to reconstruct the secret $s_i$, and $H(s_i|A) = H(s_i)$.
Proof. According to the properties of , it is not satisfied with a combination rule. Consequently, there is no way in which four fundamental operations of arithmetic can cancel the information excluding $s_i$ but also the calculation is made more complicated. Notably, the inverse operation of is itself. Therefore, by using , whether one can obtain any information about $s_i$ when one collects all the shares in any subset $A$ of $P$ that does not include any qualified subset of $A_i$. In this proof, we take into account the added unreal persons $U_1, U_2, \ldots, U_k$ and random numbers $Q_1, Q_2, \ldots, Q_k$ as real persons $X_{n-2+l} = P_l$ and real secrets $s_{m+l} = Q_l$ for $1 \leq l \leq k$. Note that $P = \{X_0, X_1, \ldots, X_{n-1}, Y\}$, and let $n'$ and $m'$ be the new number of participants and secrets, respectively. Now, $n' = m' + 1$ if $m'$ is even and $n' = m' + 2$ otherwise. For any subset $A \subseteq P$, $A$ does not include all sets in $A_{i1}$ or $A_{i2}$. According to the associative and commutative properties of , a series of exclusive-or operations can be taken when executing multiple exclusive-or operations. Therefore, we only have to prove that there is no way to reconstruct $s_i$ when executing exclusive-or operations for any subset of $A$. In other words, for any subset $A$ of $P$, let , implies $Y$ can reconstruct the secret alone, in another subset $A$ which does not include $A_{i1}$ or $A_{i2}$; because there is only one participant in $A$, it is easy to verify that $T \neq s_i$. Therefore, only $2 \leq |A| \leq n' - 2$ needs to be considered. Note that $A_{i1} = \{X_i, Y\}$ $A$, so we have the following three cases.

Case 1. When $|A|$ is even and $X_i$ $A$ or when $|A|$ is odd and $X_i$ $A$: Since each share of $A$ contains $s_i$ except $S_i$, there are even numbers of $s_i$ in $A$ in this situation. Therefore, the $s_i$ will be cancelled after executing exclusive-or operations. Hence, it results $T \neq s_i$.

Case 2. When $|A|$ is even and $X_i$ $A$ (hence $Y$ $A$): For any $X_j$ $A$, each $S_k$ contains $s_j$ for any $X_k$ $A$ except $S_j$. Thus, there is an odd number of $s_j$. Since $|A| \geq 2$, then T there exists a number $k \in \{0, 1, \ldots, n' - 1\}$ such that $k \neq i$ and $X_k \neq A$. For any $X_j$ $A$, each $S_j$ contains $s_k$ and there is an odd number of $s_k$ when calculating $T$. Therefore, it results $T \neq s_i$.
According to these cases, if we take unreal persons and secrets to be real ones, we still have proven that under , excluding the specific access structures $A_{i1}$ and $A_{i2}$, there is no possibility of reconstructing $s_i$ and no information has been revealed regarding the secret $s_i$. Hence, it results $H(s_i|A) = H(s_i)$ for any secret $s_i$. Therefore, we have proven that the proposed MSSS is perfect and secure.
The values of MaxIR and AvIR of (G-D, G-R) for the specific access structures $A_0, A_1, \ldots, A_{m-1}$ are given, and according to Theorem 1, Theorem 6 is concluded.

Theorem 6 For any two positive integers m and n, there exist access structures $A_0, A_1, \ldots, A_{m-1}$ over a set of size n such that OpMaxIR($A_0, A_1, \ldots, A_{m-1}$) = 1/m, OpAvIR($A_0, A_1, \ldots, A_{m-1}$) = 1/m.

Conclusions
This paper has proven that there exists a set of access structures and an associated MSSS which can achieve: OpAvIR($A_0, \ldots, A_{m-1}$) = 1/m, OpMaxIR($A_0, \ldots, A_{m-1}$) = 1/m.
Although this result may be largely of theoretical interest and the access structure will likely seldom be used in practice, it encourages further inquiry by anyone who may attempt to design a MSSS. Specifically, when designing an efficient MSSS, the maximum and average improvement ratios should approach 1/m. Since the results in [3] are a special case (m is decided according to n), this work has extended (for both cases) and improved (for the case of OpAvIR) the results of [3] and [10]. Therefore, this scheme is considered flexible, and thereby generally applicable, because the numbers of participants and secrets are independent. In conclusion, given a set of access structures for any number of participants and secrets, finding an associated MSSS which can achieve two optimal improvement ratios at the same time is possible.

1 .
When sharing secret $s_i$ for any $0 \leq i \leq m-1$, two ideal schemes are proposed. At first, a basic MSSS is given. An ideal SSS (b-D, b-R) for $A_0, A_1, \ldots, A_{m-1}$: Distribution algorithm (b-D): When $n > m$: (1) Select random numbers $a_{i,1}, a_{i,2}, \ldots, a_{i,n-3}$ from $K$. Let $S_{i,i+j} = a_{i,j}$ for $1 \leq j \leq n-3$ and $0 \leq i \leq m-1$. (2) Select random number $a_{i,n-2}$ and let $S_{i,i} = a_{i,n-2}$ for $0 \leq i \leq m-1$.

( 2 )
$1 \leq l \leq k$ and $m' = m + k$. For $0 \leq j \leq n-2$, calculate $S_j$ = send $S_y$ to $Y$. (4) If n is even, add one unreal person $U_1$ and publish the value of

( 2 )
send $S_y$ to $Y$. Note that the shares sent to unreal persons are actually published. Reconstruction algorithm (G-R): (1) If the shares in $A_{i1}$ are collected, for $0 \leq i \leq m-1$, $s_i$ can be reconstructed by $S_i$ $S_y$ published shares if necessary. If the shares in $A_{i2}$ are collected, for $0 \leq i \leq m-1$,

Table 2. Shares in two examples.
(a) for m = 4 and n