Comparing Security Notions of Secret Sharing Schemes

Different security notions of secret sharing schemes have been proposed using different information measures. Entropies, such as Shannon entropy and min entropy, are frequently used in setting security notions for secret sharing schemes. In contrast to the entropies, Kolmogorov complexity has also been defined and used to study the security of individual instances of secret sharing schemes. This paper is concerned with these security notions for secret sharing schemes defined by the various measures, including Shannon entropy, guessing probability, min entropy and Kolmogorov complexity.


Introduction
A secret sharing scheme [1,2] is a protocol to share a secret among participants such that only specified subsets of participants can recover the secret. In considering the security notions of secret sharing schemes, some authors have introduced concepts of security for secret sharing schemes based on different information measures [3][4][5][6][7]. These information measures include four very important ones: Shannon entropy, min entropy, Rényi entropy and Kolmogorov complexity. Shannon entropy is the most widely used information measure; it is used to prove bounds on the share size and on the information rate in secret sharing schemes [3][4][5]. Recently, min and Rényi entropies have also been used in the study of the security of secret sharing schemes [6,7]. Kolmogorov complexity K(x) [8][9][10], the central quantity of algorithmic information theory [11,12], measures the quantity of information in a single string x by the size of the smallest program that generates it. It is well known that Kolmogorov complexity and entropy are different but related measures [13][14][15]. Measuring security by Kolmogorov complexity offers some new security criteria. Antunes et al. [16] gave a notion of individual security for cryptographic systems by using Kolmogorov complexity. Kaced [17] defined a normalized version of individual security for secret sharing schemes.
However, these information measures are different. This means a scheme can be secure under one information measure but not secure under another [18]. Recently, several relations between security notions in cryptography have been studied. Iwamoto et al. [6] and Jiang [18] studied relations between security notions for symmetric-key cryptography. In this paper, we are interested in relationships between security notions for secret sharing schemes. Antunes et al. [16] and Kaced [17] also studied relations between security notions for secret sharing schemes. However, their studies cover only security notions based on Shannon entropy and Kolmogorov complexity. We study relationships between different security notions for secret sharing schemes under various information measures, including Shannon entropy, guessing probability, min entropy and Kolmogorov complexity.
This paper is organized as follows. In Section 2, we review some definitions of entropy measures, Kolmogorov complexity and secret sharing schemes. In Section 3, we propose several security notions based on entropies and give their relations. In Section 4, security notions of secret sharing schemes are given using Kolmogorov complexity; they are then compared to entropy-based security in Section 5. Conclusions are presented in Section 6.

Preliminaries
In this paper, a string means a finite binary string in $\Sigma^* := \{0, 1\}^*$. |x| represents the length of a string x. For the cardinality of a set A we write |A|. The function log means $\log_2$, and ln(·) denotes the logarithm with natural base e = 2.71828.... Let [n] := {1, 2, ..., n} be a finite set of IDs of n users. For every i ∈ [n], let $V_i$ be a finite set of shares of the user i. Similarly, let $\mathcal{S}$ be a finite set of secret information. In the following, for any subset

Entropy
Let $\mathcal{X}$ and $\mathcal{Y}$ be two finite sets. Let X and Y be two random variables over $\mathcal{X}$ and $\mathcal{Y}$, respectively. The probability that X takes on the value x from a finite or countably infinite set $\mathcal{X}$ is denoted by $p_X(x)$; the joint probability, the probability that both x and y occur, by $p_{XY}(x, y)$; and the conditional probability, the probability that x occurs knowing that y has occurred, by $p_{XY}(x|y)$. For convenience, $p_X(x)$, $p_{XY}(x, y)$ and $p_{XY}(x|y)$ are denoted by p(x), p(x, y) and p(x|y), respectively. Two random variables X and Y are independent if and only if $p(x, y) = p(x) \times p(y)$ for all $x \in \mathcal{X}$ and $y \in \mathcal{Y}$. The Shannon entropy [19] of a random variable X, defined by $H(X) = -\sum_{x \in \mathcal{X}} p(x) \log p(x)$, is a measure of its average uncertainty. The conditional Shannon entropy with respect to X given Y is defined as $H(X|Y) = \sum_{y \in \mathcal{Y}} p(y) H(X|Y = y)$.
The mutual information between X and Y is Guessing probability [20] of X, defined by $G(X) = \max_{x \in \mathcal{X}} p(x)$, is the success probability of correctly guessing the value of a realization of the variable when using the best guessing strategy (guessing the most probable value of the range). Conditional guessing probability with respect to X given Y is defined as Min-entropy [6,18,20] is a measure of the success chance of guessing X, i.e., It can also be viewed as the worst-case entropy, compared to Shannon entropy, which is an average entropy. The conditional min entropy with respect to X given Y is defined as

Kolmogorov Complexity
In this subsection, some definitions and basic properties of Kolmogorov complexity are recalled. We will use the prefix-free definition of Kolmogorov complexity. A set of strings A is prefix-free if there are no two strings x and y in A such that x is a proper prefix of y. For more details and attributions we refer to [11,12].
The conditional Kolmogorov complexity K(y|x) of y with condition x, with respect to a universal prefix-free Turing machine U, is defined by Let U be a universal prefix-free computer, then for any other computer F: for all x, y, where $c_F$ depends on F but not on x, y. The (unconditional) Kolmogorov complexity $K_U(y)$ of y is defined as $K_U(y|\Lambda)$, where Λ is the empty string. For convenience, $K_U(y|x)$ and $K_U(y)$ are denoted, respectively, by K(y|x) and K(y).
The mutual algorithmic information between x and y is the quantity We consider x and y to be algorithmically independent whenever I(x : y) is zero.

Secret Sharing Schemes
Next, secret sharing schemes for general access structures are recalled. For more details refer to [1,3,7,21,22].
Each set of shares is classified into either a qualified set or a forbidden set. A qualified set is a set of shares that can recover the secret. Let $\mathcal{Q} \subset 2^{[n]}$ and $\mathcal{F} \subset 2^{[n]}$ be families of qualified and forbidden sets, respectively. Then $\Gamma := (\mathcal{Q}, \mathcal{F})$ is an access structure. An access structure is monotone if for all In particular, the access structure is called a (t, n)-threshold access structure if it satisfies $\mathcal{Q} := \{Q : |Q| \ge t\}$ and $\mathcal{F} := \{F : |F| \le t - 1\}$. In this paper, the access structure is a partition of $2^{[n]}$, namely, $\mathcal{Q} \cup \mathcal{F} = 2^{[n]}$ and , share, comb) be a secret sharing scheme for an access structure Γ, as defined below: (i) $\mathcal{S}$ is the set of secret information; (ii) $V_{[n]}$ is the set of shares for all users; (iii) share is an algorithm for generating shares for all users. It takes a secret $s \in \mathcal{S}$ on input and outputs (iv) comb is an algorithm for recovering a secret. It takes a set of shares $v_Q$, $Q \in \mathcal{Q}$, on input and outputs a secret $s \in \mathcal{S}$.
In this paper, we assume that meets perfect correctness: for any secret s ∈ S, and for all shares

Information Theoretic Security of Secret Sharing Schemes
In this section, we first give the security notions of information theoretic security for secret sharing schemes based on Shannon entropy, guessing probability and min entropy, respectively, and then we discuss the relations between these security notions.
Definition 1. Let be a secret sharing scheme for an access structure Γ. We say is
Now, we discuss the relations between the above three security notions for secret sharing schemes. The following relations are important for the present paper.
Lemma 1. [11,18,20] Let X and Y be two random variables over $\mathcal{X}$ and $\mathcal{Y}$, respectively. Then , where X is uniformly random over $\mathcal{X}$.
From the above lemma, several relations of security notions for symmetric-key cryptography were obtained in [18]. Similarly, from the above lemma, we obtain the following.
Theorem 1. Let be a secret sharing scheme for an access structure Γ.
(i) If is ε-Shannon security, then it is 1  2 ε ln 2 -guess security. (ii) If is ε-min security, then it is ε ln 2 -guess security. (iii) If is ε-min security and S is uniformly random over $\mathcal{S}$, then is ε-Shannon security.
From this result, we can see that, for a secret sharing scheme, ε-Shannon and ε-min security are both stronger than ε-guess security. If we assume S is uniformly random, then, for a secret sharing scheme, ε-min security is stronger than ε-Shannon security.
In the following, using a modified example of a threshold secret sharing scheme, we show that ε-guess security of a secret sharing scheme does not imply ε-Shannon security.
Example 1. Let s and $v_1, v_2, \ldots, v_n$ be binary strings with the same length k. Assume that s and where ⊕ denotes the exclusive OR operation. This scheme is an (n, n)-threshold secret sharing scheme, called the Karnin-Greene-Hellman scheme [5].
S is uniformly random over $\mathcal{S}$ and $V_1 \times V_2$ is uniformly random over $\{0, 1\}^{k-1} \times \{0, 1\}^{k}$. To share s, write $s = s'|s''$ for $s' \in \{0, 1\}^{k-1}$ and $s'' \in \{0, 1\}$. Let $v_2 = v_2'|v_2''$ where $v_2' \in \{0, 1\}^{k-1}$ and $v_2'' \in \{0, 1\}$. And s and $v_1$, $v_2$ are independent. Let $v_2'' = s''$ and $v_3 = s' \oplus v_1 \oplus v_2'$. The algorithm for recovering the secret is $s = s'|s''$ where $s' = v_3 \oplus v_1 \oplus v_2'$ and $s'' = v_2''$. This scheme is a (3, 3)-threshold secret sharing scheme. It is easy to see that G(S|V
Next, we discuss the relationship between these security notions when ε = 0. Theorem 2. If a secret sharing scheme is 0-Shannon security, then it is 0-min security. Moreover, if S is uniformly random over $\mathcal{S}$, then, for a secret sharing scheme, 0-min security, 0-guess security and 0-Shannon security are all equivalent.
However, 0-min security of a secret sharing scheme does not imply 0-Shannon security.
and $p_S(0) = 1/2$. s and $v_1$ are independent. We generate $v_2$ by $v_2 = v_1 + s \pmod{k}$. This scheme is a (2, 2)-threshold secret sharing scheme. By $\max_{s \in \mathcal{S}} P_S(s) = 1/2$ and hence = 1 by s and $v_1$ are independent. So this scheme is 0-min security. But this scheme is not 0-Shannon security. Some implications do not hold in general, but hold when S is uniformly distributed. From the above results, if S is uniformly random over $\mathcal{S}$, then for a secret sharing scheme, ε-min security is stronger than ε-Shannon security, ε-Shannon security is stronger than ε-guess security, and these three security notions are the same when ε = 0.
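Returning to the (3, 3) scheme of Example 1, the following added Python example (not code from the paper) enumerates the scheme exactly and computes, for a coalition F, the guessing probability of the secret before and after seeing the shares and the Shannon mutual information. It assumes the reading $s = s'|s''$, $v_2 = v_2'|v_2''$, $v_2'' = s''$, $v_3 = s' \oplus v_1 \oplus v_2'$ with uniform independent $s$, $v_1$, $v_2'$, and the standard formulas $G(S|V_F) = \sum_v \max_s p(s, v)$ and $I(S; V_F) = \sum_{s,v} p(s,v) \log \frac{p(s,v)}{p(s)p(v)}$; the function names are hypothetical.

```python
from collections import defaultdict
from itertools import product
from math import log2

def share(s, v1, v2p):
    """Assumed reading of the (3,3) scheme: s = s'|s'', v2 = v2'|v2'',
    v2'' = s'' and v3 = s' XOR v1 XOR v2'. Bit strings are ints."""
    s_hi, s_lo = s >> 1, s & 1            # s' (k-1 bits), s'' (1 bit)
    return (v1, (v2p << 1) | s_lo, s_hi ^ v1 ^ v2p)

def comb(v1, v2, v3):
    """Recover s = s'|s'' with s' = v3 XOR v1 XOR v2' and s'' = v2''."""
    return ((v3 ^ v1 ^ (v2 >> 1)) << 1) | (v2 & 1)

def joint(k, F):
    """Exact p(s, v_F) for uniform, independent s, v1, v2'.
    F is a tuple of 0-based share indices held by the coalition."""
    n = 1 << (k - 1)
    p = defaultdict(float)
    for s, v1, v2p in product(range(2 * n), range(n), range(n)):
        shares = share(s, v1, v2p)
        p[(s, tuple(shares[i] for i in F))] += 1 / (2 * n ** 3)
    return p

def leakage(k, F):
    """Return (G(S), G(S|V_F), I(S;V_F) in bits) for coalition F."""
    p = joint(k, F)
    ps, pv, best = defaultdict(float), defaultdict(float), defaultdict(float)
    for (s, v), q in p.items():
        ps[s] += q
        pv[v] += q
        best[v] = max(best[v], q)         # max_s p(s, v)
    g = max(ps.values())                  # G(S) = max_s p(s)
    g_cond = sum(best.values())           # G(S|V_F) = sum_v max_s p(s, v)
    mi = sum(q * log2(q / (ps[s] * pv[v])) for (s, v), q in p.items())
    return g, g_cond, mi

if __name__ == "__main__":
    for k in (2, 4, 6):
        g, g_cond, mi = leakage(k, (0, 1))    # coalition holding v1, v2
        print(f"k={k}: guess gain {g_cond - g:.6f}, Shannon leak {mi:.3f} bits")
```

For any forbidden coalition that contains $v_2$, the gain in guessing probability shrinks as $2^{-k}$ while the mutual information stays at one bit, which is the gap between guessing-based and Shannon-based leakage that the example is built to show.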

Individual Security of Secret Sharing Schemes
In this section, we first give the security notions of individual security for secret sharing schemes based on Kolmogorov complexity, and then we consider the size of the shares based on the new concept of security in secret sharing schemes.
Definition 2. Let be a secret sharing scheme for an access structure Γ. An instance (ii) normalized Kolmogorov ε-security, if for any forbidden set $F \in \mathcal{F}$ it satisfies
We know that, in the notion of Kolmogorov ε-security, the security parameter ε of an instance is the amount of information leakage, the maximal value of $I(s; v_F)$ for any forbidden set F. However, for example, 50 leaked bits is big for a 100-bit secret, but is small for a 1000-bit secret. So, we give the notion of normalized Kolmogorov ε-security. The parameter ε in the latter notion is the information leak ratio, the maximal value of $I(s; v_F)$ for any forbidden set F, divided by K(s).
The notion of normalized Kolmogorov ε-security can simply be understood as a normalized version of individual security.
In fact, for the same instance $(s, v_1, v_2, \ldots, v_n)$, the security parameter ε may be small for one forbidden set F, but $I(s; v_F)$ may differ greatly for another forbidden set F. It is worth noting that in Definition 2, for Kolmogorov ε-security, ε is the maximum value of $\{I(s; v_F) : F \in \mathcal{F}\}$, more precisely, $\varepsilon = \sup_{F \in \mathcal{F}} I(s; v_F)$. And for normalized Kolmogorov ε-security, ε is the maximum value of $\{I(s; v_F)/K(s) : F \in \mathcal{F}\}$. Now we discuss some results for Kolmogorov ε-security, ). We know that, up to a constant, the mutual algorithmic information between s and $v_i$ is smaller than ε, because, for any $i \in F$, we have Moreover, if the access structure Γ is a (t, n)-threshold access structure, then in Definition 2(i), up to a constant, ε is the maximum value of $\{I(s; v_F) : |F| = t - 1\}$, or equivalently, $\varepsilon = \sup_{|F| = t-1} I(s; v_F)$.
We show some lower bounds of share sizes of secret sharing schemes.
Theorem 3. Let be a secret sharing scheme for an access structure Γ.
for every i ∈ [n].
Proof. For any $i \in [n]$, there exists a forbidden set $F \in \mathcal{F}$ such that $i \notin F$ and
From the above theorem, we know that a string with high Kolmogorov complexity, or a nearly Kolmogorov random string, cannot be split among participants with small share sizes and high security parameter.

Information Theoretic Security Versus Individual Security
In this section, we establish some relations between information theoretic security and individual security for secret sharing schemes.
First, we know that, in a secret sharing scheme, the security parameter ε is small for some instances but large for other instances. This means that, in a secret sharing scheme, it is difficult for every instance to satisfy (normalized) Kolmogorov ε-security with a small value of ε. So we consider the case of a secret sharing scheme in which the probability of an instance with a low security parameter is high, i.e., most instances satisfy (normalized) Kolmogorov ε-security with a small value of ε.
Definition 3. Let be a secret sharing scheme for an access structure Γ. is (i) Kolmogorov (ε, δ)-security, if for any forbidden set F, it satisfies where u is a distribution over $\mathcal{S} \times V_F$.
Comparing Theorem 4 with Theorem 5, we have different relations between entropy-based security notions and two versions of individual security for secret sharing schemes.

Conclusions
Kolmogorov complexity and entropy measures are fundamentally different measures. They are both used in measuring the security of secret sharing schemes. In this paper, we study relations of several security notions for secret sharing schemes. First we consider three security notions of information theoretic security of secret sharing schemes: ε-Shannon and ε-min security are both stronger than ε-guess security, and ε-min security is stronger than ε-Shannon security when S is uniformly random. However, for a secret sharing scheme, 0-min security, 0-guess security and 0-Shannon security are the same when S is uniformly random. Then, after giving the security notions of individual security for secret sharing schemes in the framework of Kolmogorov complexity, we establish some relations between information theoretic security and two versions of individual security for secret sharing schemes, respectively.
In this paper, we only considered relations of several security notions for secret sharing schemes. Naturally, a more detailed discussion of connections with other security notions in other fields of cryptography, such as the security notions based on conditional Rényi entropies in [6,7], will be both necessary and interesting.