Comparing Security Notions of Secret Sharing Schemes

Abstract

Different security notions of secret sharing schemes have been proposed by different information measures. Entropies, such as Shannon entropy and min entropy, are frequently used in the setting security notions for secret sharing schemes. Different to the entropies, Kolmogorov complexity was also defined and used in study the security of individual instances for secret sharing schemes. This paper is concerned with these security notions for secret sharing schemes defined by the variational measures, including Shannon entropy, guessing probability, min entropy and Kolmogorov complexity.

1. Introduction

A secret sharing scheme [1,2] is a protocol to share a secret among participants such that only specified subsets of participants can recover the secret. In considering the security notions of secret sharing schemes, some authors have introduced concepts of security for secret sharing schemes based on different information measures [3–7]. These information measures include four very important information measures: Shannon entropy, min entropy, Rényi entropy and Kolmogorov complexity. Shannon entropy is the most widely used information measure, which is used to prove bounds on the share size and on the information rate in secret sharing schemes [3–5]. Recently, min and Rényi entropies are also used in study of the security of secret sharing schemes [6,7].

Kolmogorov complexity K(x) [8–10], known as algorithmic information theory [11,12], measures the quantity of information in a single string x, by the size of the smallest program that generates it. It is well known that Kolmogorov complexity and entropy measure are different but related measures [13–15]. Measuring the security by Kolmogorov complexity offers us some new security criteria. Antunes et al. [16] gave a notion of individual security for cryptographic systems by using Kolmogorov complexity. Kaced [17] defined a normalized version of individual security for secret sharing schemes.

However these information measures are different. This means a scheme is secure based on one information measure but not secure based on another information measure [18]. Recently, several relations of security notions of cryptography have been studied. Iwamoto et al. [6] and Jiang [18] studied relations between security notions for the symmetric-key cryptography. In this paper, we are interested in relationships of security notions for secret sharing schemes. Antunes et al. [16] and Kaced [17] also studied relations between security notions for secret sharing schemes. However, their studies are between security notions based on Shannon entropy and Kolmogorov complexity. We study relationships of different security notions for secret sharing schemes under various information measures including Shannon entropy, guessing probability, min entropy and Kolmogorov complexity.

This paper is organized as follows: In Section 2, we review some definitions of entropy measures, Kolmogorov complexity and secret sharing schemes. In Section 3, we propose several security notions in entropies, and their relations. In Section 4, by using Kolmogorov complexity, security notions of secret sharing schemes are given, then are compared to entropy-based security in Section 5. Conclusions are presented in Section 6.

2. Preliminaries

In this paper, string means a finite binary string Σ^* := {0, 1}^*. |x| represents the length of a string x. For the cardinality of a set A we write |A|. Function log means the function log₂. ln(·) denotes the logarithm function with natural base e = 2.71828….

Let [n] := {1, 2, …, n} be a finite set of IDs of n users. For every i ∈ [n], let V_i be a finite set of shares of the user i. Similarly, let S be a finite set of secret information. In the following, for any subset U := {i₁, i₂, …, i_u} ⊂ [n], we use the notation $v_U:=\{v_{i_1},v_{i_2},\dots ,v_{i_u}\}$ and $V_U:\{V_{i_1},V_{i_2},\dots ,V_{i_u}\}$.

2.1. Entropy

Let $\mathrm{X}$ and $\mathrm{Y}$ be two finite sets. Let X and Y be two random variables over $\mathrm{X}$ and $\mathrm{Y}$, respectively. The probability that X takes on the value x from a finite or countably infinite set X is denoted by p_X(x); the mutual probability, the probability that both x and y occur, by p_XY (x, y) and the conditional probability, the probability that x occurs knowing that y has occurred by p_XY (x|y). For convenience, p_X(x), p_XY (x, y) and p_XY (x|y) are denoted by p(x), p(x, y) and p(x|y), respectively. Two random variables X and Y are independent if and only if p(x, y) = p(x) × p(y) for all x ∈ X and y ∈ Y.

The Shannon entropy [19] of a random variable X, defined by H(X) = −∑_x∊X p(x) log p(x), is a measure of its average uncertainty. The conditional Shannon entropy with respect to X given Y is defined as

$$H(X)=-{\displaystyle \sum _{y\in Y}p(y)H(X|Y=y).}$$

The Mutual information between X and Y is

$$I(X;Y)=H(X)-H(X|Y).$$

Guessing probability [20] of X, occurred by G(X) = max_x∈X p(x), is the success probability of correctly guessing the value of a realization of variable when using the best guessing strategy (guessing the most probable value of the range as the guess). Conditional guessing probability with respect to X given Y is defined as

$$G(X|Y)={\displaystyle \sum _{y\in Y}p(y)\underset{x\in X}{\max }p(x|y).}$$

Min-entropy [6,18,20] is a measure of success chance of guessing X, i.e.,

$$H_{\infty }(X)=-\log G(X)=-\log \underset{x\in X}{\max }p(x).$$

It can also be viewed as the worst case entropy compared to Shannon entropy which is an average entropy. The conditional min entropy with respect to X given Y is defined as

$$H_{\infty }(X|Y)=-\log G(X|Y)=-\log ({\displaystyle \sum _{y\in Y}p(y)\underset{x\in X}{\max }p(x|y)}).$$

2.2. Kolmogorov Complexity

In this subsection, some definitions and basic properties of Kolmogorov complexity are recalled below. We will use the prefix-free definition of Kolmogorov complexity. A set of strings A is prefix-free if there are not two strings x and y in A such that x is a proper prefix of y. For more details and attributions we refer to [11,12].

The conditional Kolmogorov complexity K(y|x) of y with condition x, with respect to a universal prefix-free Turing machine U, is defined by

$$K_U(y|x)=\min \{|p|:U(p,x)=y\}.$$

Let U be a universal prefix-free computer, then for any other computer F:

$$K_U(y|x)\le K_F(y|x)+c_F.$$

for all x, y, where c_F depends on F but not on x, y. The (unconditional) Kolmogorov complexity K_U(y) of y is defined as K_U(y|Λ) where Λ is the empty string. For convenience, K_U(y|x) and K_U(y) are denoted, respectively by K(y|x) and K(y).

The mutual algorithmic information between x and y is the quantity

$$I(x:y)=K(x)-K(x|y).$$

We consider x and y to be algorithmic independent whenever I(x : y) is zero.

2.3. Secret Sharing Schemes

Then, secret sharing schemes for general access structures are recalled below. For more details refer to [1,3,7,21,22].

Each set of shares is classified into either a qualified set or a forbidden set. A qualified set is the set of shares that can recover the secret. Let $\mathrm{Q}\subset 2^{[n]}$ and $ℱ\subset 2^{[n]}$ be families of qualified and forbidden sets, respectively. Then $\mathrm{\Gamma }:=(\mathrm{Q},ℱ)$ an access structure. An access structure is monotone if for all $Q\in \mathrm{Q}$, every $Q\subset Q^{\prime }$ satisfies $Q^{\prime }\in \mathrm{Q}$ and; for all $F\in ℱ$, every F ⊂ F′ satisfies $F^{\prime }\in ℱ$.

In particular, the access structure is called (t, n)-threshold access structure if it satisfies that $\mathrm{Q}:=\{Q:|Q|\ge t\}$ and $ℱ:=\{F:|F|\le t-1\}$. In this paper, the access structure is a partition of 2^[n], namely, $Q\cup F=2^{[n]}$ and $\mathrm{Q}\cap ℱ=\varnothing$.

Let ∏ = (S, V_[n], ∏_share, ∏_comb) be a secret sharing scheme for an access structure Γ, as defined below:

• S is set of secret information;
• V_[n] is set of shares for all users;
• ∏_share is an algorithm for generating shares for all users. It takes a secret s ∈ S on input and outputs (v₁, v₂, …, v_n) ∈ V_[n];
• ∏_comb is an algorithm for recovering a secret. It takes a set of shares v_Q, $Q\in \mathrm{Q}$, on input and outputs a secret s ∈ S.

In this paper, we assume that ∏ meets perfect correctness: for any secret s ∈ S, and for all shares ∏_share(s) = (v₁, v₂, …, v_n), it holds that ∏_comb(v_Q) = s for any subset $Q\in \mathrm{Q}$.

3. Information Theoretic Security of Secret Sharing Schemes

In this section, we first give the security notions of information theoretic security for secret sharing schemes based on Shannon entropy, guessing probability and min entropy, respectively, and then we discuss the relations between these security notions.

Definition 1. Let ∏ be a secret sharing scheme for an access structure Γ. We say ∏ is

• ε-Shannon security, if I(S; V_F) ≤ ε;
• ε-guess security, if G(S|V_F) − G(S) ≤ ε;
• ε-min security, if H_∞(S) − H_∞(S|V_F) ≤ ε

for any forbidden set$F\in ℱ$.

Now, we discuss the relations between above three security notions for secret sharing schemes. The following relations are important for the present paper.

Lemma 1. [11,18,20] Let X and Y be two random variables over$\mathrm{X}$ and$\mathrm{Y}$, respectively. Then

• G(X|Y) ≥ G(X).
• H(X|Y) ≤ H(X).
• H_∞(X|Y) ≤ H_∞(X).
• I(X; Y) ≥ (2/ ln 2)[G(X|Y) − G(X)]².
• |H_∞ (X) − H_∞ (X|Y)| ≥ (1/ ln 2)|G(X) − G(X|Y)|.
• H_∞ (X) − H_∞ (X|Y) ≥ I(X; Y), where X is uniformly random over$\mathrm{X}$.

From above lemma, several relations of security notions for the symmetric-key cryptography in [18]. Similarly, from above lemma, we obtain the following.

Theorem 1. Let ∏ be a secret sharing scheme for an access structure Γ.

• If ∏ is ε-Shannon security, then it is$\sqrt{\frac{1}{2}\epsilon \ln 2}$-guess security.
• If ∏ is ε-min security, then it is ε ln 2-guess security
• If ∏ is ε-min security and S is uniformly random over S, then ∏ is ε-Shannon security.

From this result, we can see that, for a secret sharing scheme, ε-Shannon and ε-min security both are stronger than ε-guess security. If we assume S is uniformly random, then, for a secret sharing scheme, ε-min security is stronger than ε-Shannon security.

In the following, using a modified example of threshold secret sharing scheme, we showed that a secret sharing scheme is ε-guess security does not imply it is ε-Shannon security.

Example 1. Let s, and v₁, v₂, …, v_n be binary strings with same length k. Assume that s and v₁, v₂, …, v_n−1 are independent. We generate v_n by v_n = s ⊕ v₁ ⊕ v₂ ⊕ … ⊕ v_n−1 where ⊕ denotes the exclusive OR operation. This scheme is (n, n)−threshold secret sharing scheme, called Karnin–Greene–Hellman scheme [5].

Let$\mathrm{S}={\{0,1\}}^k$, ${\mathrm{V}}_1={\{0,1\}}^{k-1}$, ${\mathrm{V}}_2={\{0,1\}}^k$ and${\mathrm{V}}_3={\{0,1\}}^{k-1}$. S is uniformly random over$\mathrm{S}$ and V₁ × V₂ is uniformly random over {0, 1}^k−1 × {0, 1}^k. To share s = s′|s″ for s′ ∈ {0, 1}^k−1 and s″ ∈ {0, 1}. Let$v_2=v_2^{\prime }|v_2^{″}$ where v′ ∈ {0, 1}^k−1 and v″ ∈ {0, 1}. And s′ and v₁, $v_2^{\prime }$ are independent. Let$v_2^{″}=s^{″}$ and$v_3=s^{\prime }\oplus v_1\oplus v_2^{\prime }$. Algorithm for recovering the secret is s = s′|s″ where$s^{\prime }=v_3\oplus v_1^{\prime }\oplus v_2$ and s′ = v₂″. This scheme is (3, 3)−threshold secret sharing scheme. It is easy to see that G(S|V₂, V₃) = G(S|V₁, V₃) = G(S|V₁, V₂) = 2^−(k−1) and hence |G(S|V_i, V_j) − G(S)| = 2^−k for 1 ≤ i < j ≤ 3. However, I(S; (V₂, V₃)) = H(S) − H(S|V₂, V₃) = k − (k − 1) = 1.

Next, we discuss the relationship between these security notions when ε = 0.

Theorem 2. If a secret sharing scheme is 0-Shannon security, then it is 0-min security. Moreover, if S is uniformly random over$\mathrm{S}$, then, for a secret sharing scheme, 0-min security, 0-guess security and 0-Shannon security are all equivalent.

However, a secret sharing scheme is 0-min security does not imply it is 0-Shannon security.

Example 2. [18]. Let$\mathrm{S}={\mathrm{V}}_1={\mathrm{V}}_2=\{0,\dots ,k-1\}$ for k ≥ 4. $p_{V_1}(1)=\dots =p_{V_1}(k-1)=1/(k+1)$ and$p_{V_1}(0)=2/(k+1)$. Let p_S(1) = … = p_S(k − 1) = 1/(2k − 2) and p_S(0) = 1/2. s and v₁ are independent. We generate v₂ by v₂ = v₁ + s(mod k). This scheme is (2, 2)−threshold secret sharing scheme. By max_s∈S P_S(s) = 1/2 and hence H_∞(S) = 1. By$p_{S|V_2}(s|v_2)=p_S(s)p_{V_2|S}(v_2|s)/p_{V_2}(v_2)$ then$p_{0|V_2}\ge 1/(2k+2)p_{V_2}$ while$p_{S|V_2}(s|v_2)\le 1/(k^2-1)p_{V_2}(v_2)$ for s ≠ 0. As k ≥ 4, for any v₂, we have that$p_{S|V_2}(0|v_2)>p_{S|V_2}(s|v_2)$ for s ≠ 0. So H_∞(S|V₂) = 1. H_∞(S|V₁) = H_∞(S) = 1 by s and v₁ are independent. So this scheme is 0-min security. But this scheme is not 0-Shannon security.

Some implications do not hold in general, but holds when S is uniformly random distribution. From above results, if S is uniformly random over $\mathrm{S}$, then for a secret sharing scheme, ε-min security is stronger than ε-Shannon security, ε-Shannon security is stronger than ε-guess security, and these three security notions are the same when ε = 0.

4. Individual Security of Secret Sharing Schemes

In this section, we first give the security notions of individual security for secret sharing schemes based on Kolmogorov complexity, and then we consider the size of the shares based on the new concept of security in secret sharing schemes.

Definition 2. Let ∏ be a secret sharing scheme for an access structure Γ. An instance (s, v₁, v₂, …; v_n) is

• Kolmogorov ε-security, if for any forbidden set$F\in ℱ$ it satisfies

  $$I(s;v_F)\le \epsilon ,i.e.,K(s)-K(s|v_F)\le \epsilon$$

  (1)
• normalized Kolmogorov ε-security, if for any forbidden set$F\in ℱ$ it satisfies

  $$I(s;v_F)\le \epsilon K(s),i.e.,K(s)-K(s|v_F)\le \epsilon K(s).$$

  (2)

We know that, in the notion of Kolmogorov ε-security, the security parameter ε of an instance is amount of information leakage, the maximal value of I(s; v_F) for any forbidden set F. However, for example, 50 leaked bits is big for a 100-bit secret, but is small for a 1000-bit secret. So, we give the notion of normalized Kolmogorov ε-security. The parameter ε in latter notion is information leak ratio, the maximal value of I(s; v_F) for any forbidden set F, divided by K(s).

The notion of normalized Kolmogorov ε-security can simply be understood as a normalized version of individual security.

In fact, for the same instance (s, v₁, v₂, …, v_n), the security parameter ε is small in a forbidden set F but I(s; v_F′ is a big variance in another forbidden set F′. It is worth noting that in Definition 2, for Kolmogorov ε-security, ε is a maximum value of $\{I(s;v_F);F\in ℱ\}$, more precisely, $\epsilon ={\sup }_{F\in ℱ}I(s;v_F)$. And for normalized Kolmogorov ε-security, ε is a maximum value of $\{I(s;v_F)/K(s);F\in ℱ\}$.

Now we discuss some results for Kolmogorov ε-security,

By I(s; v_F) ≤ I(s; v_F′) + O(1), if F ⊆ F′ (by K(x|y) ≤ K(x|y, z) + O(1)). We know that, up to a constant, the mutual algorithmic information between s and v_i is smaller than ε, because, for any i ∈ F, we have

$$I(s;v_i)=K(s)-K(s|v_i)\le K(s)-K(s|v_F)+O(1)\le \epsilon (k)+O(1).$$

Moreover, if access structure Γ is a (t; n)-threshold access structure, then in Definition 2(i), up to a constant, ε is a maximum value of {I(s; v_F); |F| = t − 1}, or equivalently, ε = sup_|F|=t−1 I(s; v_F).

We show some lower bounds of share sizes of secret sharing schemes.

Theorem 3. Let ∏ be a secret sharing scheme for an access structure Γ.

• If an instance (s, v₁, v₂, …, v_n) is Kolmogorov ε-security, then

  $$|v_i|\ge K(s)-\epsilon -O(1)$$

  for every i ∈ [n].
• If an instance (s, v₁, v₂, …, v_n) is normalized Kolmogorov ε-security, then

  $$|v_i|\ge (1-\epsilon )K(s)-O(1)$$

  for every i ∈ [n].

Proof. For any i ∈ [n], there exists a forbidden set $F\in ℱ$ such that i ∉ F and $F\cup \left\{i\right\}\in \mathrm{Q}$. Let p a shortest binary program that computes s from v_F. By ∏_comb(v_F, v_i) = s, we have p ≤ | ∏_comb| + |v_i|.

• If ∏ is Kolmogorov ε-security, K(s) − K(s|v_F) ≤ ε, then we have

  $$K(s)-\epsilon \le K(s|v_F)\le |{\displaystyle {\prod }_{comb}|+|v_i}|.$$

  Thus |v_i| ≥ K(s) − ε − O(1).
• If ∏ is normalized Kolmogorov ε-security, K(s) − K(s|v_F) ≤ εK(s), then

  $$K(s)-\epsilon K(s)\le K(s|v_F)\le |{\displaystyle {\prod }_{comb}|+|v_i}|.$$

  Thus |v_i| ≥ (1 − ε)K(s) − O(1).

From above theorem, we know that a string with high Kolmogorov complexity, or a nearly Kolmogorov random string, cannot be split among participants with small share sizes and high security parameter.

5. Information Theoretic Security Versus Individual Security

In this section, we establish some relations between information theoretic security and individual security for secret sharing schemes.

First, we know that, in a secret sharing scheme, the security parameter ε is small for some instances but is a big value for other instances. This means in a secret sharing scheme, it is difficult for every instance is (normalized) Kolmogorov ε-security and ε is a small value. So we consider the case of a secret sharing scheme that the probability of an instance with low security parameter is high, i.e., most of instances are (normalized) Kolmogorov ε-security and ε is a small value.

Definition 3. Let ∏ be a secret sharing scheme for an access structure Γ. ∏ is

• Kolmogorov (ε, δ)-security, if for any forbidden set F, it satisfies

  $$\underset{s\in \mathrm{S},v_F\in \times {\mathrm{V}}_F}{\mathrm{Pr}}[I(s;v_F|u)\le \epsilon ]\ge \delta .$$
• normalized Kolmogorov (ε, δ)-security, if for any forbidden set F, it satisfies

  $$\underset{s\in \mathrm{S},v_F\in \times {\mathrm{V}}_F}{\mathrm{Pr}}[I(s;v_F|u)\le \epsilon K(s)]\ge \delta .$$

  where u a distribution over$\mathrm{S}\times {\mathrm{V}}_F$.

The following relations between Kolmogorov complexity, entropy and mutual information are important for the present paper.

Lemma 2. [11,16] Let X, Y be random variables over$\mathrm{X}$, $\mathrm{Y}$. For any computable probability distribution u(x, y) over X × Y,

• 0 ≤ (∑_x,y u(x, y)K(x|y) − H(X|Y)) ≤ K(u) + O(1).
• I(X; Y) − K(u) ≤ ∑_x,y u(x, y)I(x : y) ≤ I(X;Y) + 2K(u). When u is given, then I(X; Y) =∑_x,y u(x, y)I(x : y|u) + O(1).

Here we give following relations between information theoretic security and individual security of Definition 3(i).

Theorem 4. For any (t, n)-threshold scheme ∏ where S is the set of secrets and V_[n] the set of all shares for all users, for any independent variables S, V_[n] over$\mathrm{S}$, ${\mathrm{V}}_{[n]}$ with distribution u. If ∏ is Kolmogorov (ε, δ)-security, then, up to a constant, it is ε + (1 − δ) log(|S|)-Shannon security and$\sqrt{\frac{1}{2}[\epsilon +(1-\delta )\log (|S|)]\ln 2}$-guess security.

Proof. For any forbidden set F, let Q be the set of Kolmogorov ε-security instances, i.e., $Q=\{(s,v_{[n]});I(s;v_F|u)\le \epsilon ,\forall F\in ℱ\}$. Then by Lemma 2, up to a constant,

$$\begin{array}{l}I(S;V_F)\le {\displaystyle \sum _{(s,v_{[n]})\in Q}u(s,v)}I(s:v_F|u)+{\displaystyle \sum _{(s,v_{[n]})\notin Q}u(s,v_F)I(x:y|u)}\\ \le \epsilon {\displaystyle \sum _{(s,v_{[n]})\in Q}u(s,v)}+{\displaystyle \sum _{(s,v_{[n]})\notin Q}u(s,v_F)}[K(s|u)-K(s|u_F,u)]\\ \le \epsilon +(1-\delta )\log (|S|).\end{array}$$

Then by Theorem 1, up to a constant, we have $|G(S)-G(S|V_F)|\le \sqrt{\frac{1}{2}[\epsilon +(1-\delta )\log (|S|)]\ln 2}$. □

Then we establish some relations between information theoretic security and normalized individual security of Definition 3(ii).

Theorem 5. For any (t, n)-threshold scheme ∏ where S is the set of secrets and V_[n] the set of all shares for all users, for any independent variables S, V_[n] over$\mathrm{S}$, ${\mathrm{V}}_{[n]}$ with distribution u. If ∏ is normalized Kolmogorov (ε, δ)-security, then, up to a constant, it is (1 +ε − δ) log(|S|)-Shannon security and$\sqrt{\frac{1}{2}(1+\epsilon -\delta )\log (|S|)\ln 2}$-guess security.

Proof. ∏ is normalized Kolmogorov (ε, δ)-security, then the probability that an instance is normalized Kolmogorov ε-security is at least δ, i.e., for any forbidden set F,

$$\underset{s\in \mathrm{S},v_F\in \times {\mathrm{V}}_F}{\mathrm{Pr}}[I(s;v_F|u)\le \epsilon K(s)]\ge \delta .$$

For any forbidden set F, let Q be the set of normalized Kolmogorov ε-security instances, i.e., $Q=\{(s,v_{[n]});I(s;v_F|u)\le \epsilon K(s),\forall F\in ℱ\}$. Then by Lemma 2, up to a constant,

$$\begin{array}{l}I(S;V_F)\le {\displaystyle \sum _{(s,v_{[n]})\in Q}u(s,v)}I(s:v_F|u)+{\displaystyle \sum _{(s,v_{[n]})\notin Q}u(s,v_F)I(x:y|u)}\\ \le \epsilon {\displaystyle \sum _{(s,v_{[n]})\in Q}u(s,v)}K(s|u)+{\displaystyle \sum _{(s,v_{[n]})\notin Q}u(s,v_F)}[K(s|u)-K(s|u_F,u)]\\ \le \epsilon \log (|S|)+(1-\delta )\log (|S|)\\ \le (1+\epsilon -\delta )\log (|S|).\end{array}$$

Then by Theorem 1, up to a constant, we have $|G(S)-G(S|V_F)|\le \sqrt{\frac{1}{2}(1+\epsilon -\delta )\log (|S|)]\ln 2}$. □

Comparing the Theorem 4 with Theorem 5, we have different relations between entropy-based security notions and two versions of individual security for secret sharing schemes.

6. Conclusions

Kolmogorov complexity and entropy measures are fundamentally different measures. They both are used in measuring the security for secret sharing schemes. In this paper, we study relations of several security notions for secret sharing schemes. First we consider three security notions of information theoretic security of secret sharing schemes, ε-Shannon and ε-min security both are stronger than ε-guess security, and ε-min security is stronger than ε-Shannon security when S is uniformly random. However, for a secret sharing scheme, 0-min security, 0-guess security and 0-Shannon security are the same when S is uniformly random. Then after giving the security notions of individual security for secret sharing schemes in the frame work of Kolmogorov complexity, we establish some relations between information theoretic security and two versions of individual security for secret sharing schemes, respectively.

In this paper, we only considered relations of several security notions for secret sharing schemes. Naturally, a more detailed discussion of connections with other security notions in other fields of cryptography, such as the security notions based on conditional Rényi entropies in [6,7], will be both necessary and interesting.