Some Secret Sharing Based on Hyperplanes

Abstract

The secret sharing schemes (SSS) are widely used in secure multi-party computing and distributed computing, and the access structure is the key to constructing secret sharing schemes. In this paper, we propose a method for constructing access structures based on hyperplane combinatorial structures over finite fields. According to the given access structure, the corresponding secret sharing scheme that can identify cheaters is given. This scheme enables the secret to be correctly restored if the cheater does not exceed the threshold, and the cheating behavior can be detected and located.

1. Introduction

The concept of secret sharing schemes (SSS) was introduced in 1979 by Shamir [1] and Blakley [2]. These schemes allow a secret to be divided into several parts, which are then distributed among participants. Only specific subsets of participants, known as qualified subsets, can reconstruct the original secret, while no information about the secret is accessible to unqualified subsets. The collection of all qualified subsets forms what is referred to as the access structure.

An SSS is considered perfect if no information about the secret is leaked to unqualified subsets. If any unqualified subset is able to obtain partial or full information about the secret, the scheme is deemed non-perfect. An SSS is classified as linear if the shares are generated through a linear transformation, and it is ideal if the size of each share is exactly equal to that of the secret.

The study of secret sharing schemes remains a vital area of modern cryptography, serving as a foundational element in the development of security protocols and encryption algorithms. The ideal linear SSS has promising applications in various cryptographic protocols, including secure multi-party computation [3,4,5,6,7], attribute-based encryption [8], digital signatures [9], and threshold cryptography [10]. Consequently, efficient methods for constructing an ideal linear SSS are a crucial area of research.

It has been established that there is a one-to-one correspondence between linear codes and SSS [11], with linear codes being a crucial tool for realizing linear secret sharing schemes. In theory, every linear code can be utilized to create an SSS, but identifying the corresponding access structure for a given scheme remains a challenging task. Conversely, it is equally difficult to find an ideal secret sharing scheme for any arbitrary access structure. Researchers have explored various access structures and derived conclusions about the ideal secret sharing schemes that correspond to them.

In 1981, McEliece and Sarwate [12] made significant contributions to the study of SSSs based on linear codes, constructing a threshold scheme using Reed-Solomon codes and highlighting the equivalence between Shamir’s SSS and Reed-Solomon codes. Massey [13] noted that the primary challenge in using linear codes to construct SSSs is characterizing the types of access structures that can be achieved. Ito et al. [14] demonstrated that it is possible to construct linear secret sharing schemes for arbitrary access structures, although these schemes are inefficient, as the length of the key increases exponentially with the number of participants. In 2013, Tang et al. [15] showed that achieving an optimal linear code for a given access structure is equivalent to solving a quadratic system of equations formed by the access structure and its corresponding adversary structure. They also developed an algorithm to determine the optimal linear code. More recently, Harn et al. [16] introduced a general secret sharing scheme based on classical schemes and presented methods for using Karnaugh maps to identify minimal access structures and maximal adversary structures for a given access structure.

Despite these advancements, numerous challenges remain in relation to secret sharing schemes for given access structures. In this paper, we build on existing research and propose a method for constructing the corresponding access structure using difference sets and relative difference sets generated by hyperplanes. For these access structures, we employ polynomial codes to create ideal linear secret sharing schemes that can detect participants exhibiting deceptive behavior.

The structure of this paper is as follows. Section 2 presents a review of the notations and fundamental results related to difference sets. In Section 3, we introduce various families of access structures derived from the combinatorial properties of hyperplanes. Section 4 utilizes these access structures to design several secret sharing schemes. Finally, Section 5 provides a conclusion to the paper.

2. Preliminaries

2.1. Difference Sets

A k-element subset D of a group G is called a $(v,k,\lambda )$-difference set if the multiset

$$\Delta \left(D\right)=\{g_1{g}_2^{-1}\mid g_1,g_2\in D,g_1\ne g_2\}$$

contains every nonidentity element of G exactly $\lambda$ times, where G be a finite multiplicative group of order v. From a counting perspective, the parameters $(v,k,\lambda )$ of a difference set satisfy the relation $k(k-1)=\lambda (v-1)$. We assume $k\le v/2$ because if D is a $(v,k,\lambda )$-difference set, then its complement $G\setminus D$ forms a $(v,v-k,v-2k+\lambda )$-difference set in G. Typically, the trivial cases $k=0$ and $k=1$ are excluded.

Difference sets are significant in both theoretical and practical applications. In design theory, the concept of a $(v,k,\lambda )$-difference set in G is equivalent to the symmetric $(v,k,\lambda )$-design in G [17].

2.2. Relative Difference Sets

A k-element subset R of a group G that includes a normal subgroup U of order u is called a $(m,u,k,\lambda )$ relative difference set (RDS) in G relative to U if the multiset

$$\Delta \left(R\right)=\{g_1{g}_2^{-1}\mid g_1,g_2\in R,g_1\ne g_2\}$$

contains every element of $G\setminus U$ exactly $\lambda$ times, and does not include any element from U, where G be a finite multiplicative group of order $mu$. The subgroup U is referred to as the forbidden subgroup.

An $(m,u,k,\lambda )$ RDS in G relative to a normal subgroup U is equivalent to a square-divisible $(m,u,k,\lambda )$-design, where the group G acts regularly on both points and blocks [18].

From a counting perspective, the parameters $(m,u,k,\lambda )$ of an RDS satisfy the relation $k(k-1)=u\lambda (m-1)$. If $k=u\lambda$, the RDS is termed semi-regular, and its parameters are $(u\lambda ,u,u\lambda ,\lambda )$. Unlike difference sets, the complement $G\setminus R$ of an RDS is generally not an RDS. The trivial cases where $k=0$ and $k=1$ are typically excluded. A difference set can be seen as an RDS where $u=1$.

2.3. Group Ring

Difference sets are often analyzed within the framework of the group ring $\mathbb{Z}\left[G\right]$, which is the group ring of G over the integers $\mathbb{Z}$. The definition of a $(v,k,\lambda )$-difference set D in G can be expressed by the following equation in $\mathbb{Z}\left[G\right]$:

$$D{D}^{(-1)}=(k-\lambda )·1_G+\lambda G$$

Here, for convenience, we identify the sets D, $D^{(-1)}$, and G with the corresponding group ring elements:

$$D=\sum _{g\in D}g,D^{(-1)}=\sum _{g\in D}{g}^{-1},G=\sum _{g\in G}g,$$

and $1_G$ denotes the identity element of G.

Similarly, the definition of a $(m,u,k,\lambda )$ relative difference set (RDS) R in G relative to a normal subgroup U is equivalent to the equation:

$$R{R}^{(-1)}=k·1_G+\lambda (G-U)$$

in the group ring $\mathbb{Z}\left[G\right]$.

2.4. Characters

In the case of an abelian group, a character of G is a homomorphism from G to the multiplicative group of complex roots of unity. The set of all such characters, denoted by $\widehat{G}$, forms a group under pointwise multiplication, and this group is isomorphic to G. The identity element in this group is the trivial character, which maps every element of G to 1. The character sum of a character $\chi$ over a group ring element D corresponding to a subset of G is given by:

$$\chi \left(D\right)=\sum _{g\in D}\chi \left(g\right).$$

It is a well-established result that the character sum $\chi \left(D\right)$ equals 0 for all nontrivial characters $\chi$ of G if and only if D is a multiple of G, when considered as a group ring element. Additionally, the sum

$$\sum _{\chi \in \widehat{G}}\chi \left(g\right)$$

is nonzero if and only if $g=1_G$.

If a character $\chi$ is nontrivial on G but trivial on a subgroup U, it induces a nontrivial character $\psi$ on the quotient group $G/U$, defined by $\psi \left(gU\right)=\chi \left(g\right)$. This definition is well-defined because if $g_{1}U=g_{2}U$, then there exists an element $u\in U$ such that $g_1=u{g}_2$, and since $\chi \left(u\right)=1$ for all $u\in U$, the value of $\psi$ does not depend on the choice of representative.

The application of character sums to investigate difference sets in abelian groups was first introduced by Turyn in his groundbreaking work [19], and later this approach was expanded to generalized difference sets (RDSs).

Lemma 1

([19]). (i) A subset D of size k in an abelian group G of order v is a $(v,k,\lambda )$-difference set in G if and only if for every nontrivial character χ of G, we have $\left|\chi \left(D\right)\right|=\sqrt{k-\lambda }$.

(ii) A subset R of size k in an abelian group G of order $mu$, which contains a subgroup U of order u, is a $(m,u,k,\lambda )$-RDS in G relative to U if and only if for every nontrivial character χ of G, the following conditions hold:

$$\left|\chi \left(R\right)\right|=\left\{\begin{array}{cc}\sqrt{k}\hfill & \mathit{if}\chi \mathit{is}\mathit{nontrivial}\mathit{on}U,\hfill \\ \sqrt{k-u\lambda }\hfill & \mathit{if}\chi \mathit{is}\mathit{trivial}\mathit{on}U.\hfill \end{array}\right.$$

The character properties specified in Lemma 1 for a subset D or R necessitate that the parameters $k-\lambda$ and $\lambda$ (which are implicitly defined) must be integers.

3. Access Structures

3.1. Access Structures from Difference Sets

Let ${\mathbb{F}}_q$ be a finite field of order q, where q is a prime power.

Lemma 2.

Let ${\mathbb{F}}_q^{s+1}$ be a vector space of dimension $s+1$ over ${\mathbb{F}}_q$, where s be a positive integer. There are

$$\begin{array}{c}\hfill h={\left[\begin{array}{c}s+1\\ s\end{array}\right]}_q={\left[\begin{array}{c}s+1\\ 1\end{array}\right]}_q={\displaystyle \frac{q^{s+1}-1}{q-1}}\end{array}$$

subspaces

$$\begin{array}{c}\hfill H_0,H_1,\cdots ,H_{h-1}\end{array}$$

of ${\mathbb{F}}_q^{s+1}$ of dimension s, called hyperplanes. Let ${\mathbb{F}}_{q^{s+1}}$ be the additive group of ${\mathbb{F}}_q^{s+1}$ and consider $H_0,H_1,\cdots ,H_{h-1}$ as subgroups of ${\mathbb{F}}_{q^{s+1}}$. Let G be an arbitrary abelian group containing ${\mathbb{F}}_{q^{s+1}}$ as a central subgroup of index $h+1$, and let

$$\begin{array}{c}\hfill \{g_0,g_1,\cdots ,g_{h-1}\}\end{array}$$

be coset representatives of ${\mathbb{F}}_{q^{s+1}}$ in G. Then

$$\begin{array}{c}\hfill D=\sum _{i=0}^{h-1}{g}_i{H}_i\end{array}$$

is a McFarland difference set [20] in G, i.e,

$$\begin{array}{cc}\hfill & (v,k,\lambda )\hfill \\ \hfill & =(q^{s+1}({\displaystyle \frac{q^{s+1}-1}{q-1}}+1),q^s({\displaystyle \frac{q^{s+1}-1}{q-1}}),q^s({\displaystyle \frac{q^s-1}{q-1}})).\hfill \end{array}$$

Proof. 

The difference set is comprised of $h+1$ subsets of ${\mathbb{F}}_{q^{s+1}}$, namely the hyperplanes together with the empty set.

$$\begin{array}{cc}\hfill D{D}^{(-1)}& =\sum _{i,j=0}^{h-1}{g}_i{H}_i{H}_j{g}_j^{-1},\hfill \\ \hfill & =q^s\sum _{i=0}^{h-1}{g}_i{H}_i{g}_i^{-1}+q^{s-1}\sum _{i,j=0}^{h-1}{g}_i{g}_j^{-1}·{\mathbb{F}}_{q^{s+1}}.\hfill \\ \hfill & =q^s\sum _{i=0}^{h-1}{g}_i{H}_i{g}_i^{-1}+(h-1)(G-{\mathbb{F}}_{q^{s+1}})\hfill \\ \hfill & =q^s(h·1_{{\mathbb{F}}_{q^{s+1}}}+{\displaystyle \frac{q^s-1}{q-1}}·{\mathbb{F}}_{q^{s+1}}^{*})+(h-1)(G-{\mathbb{F}}_{q^{s+1}})\hfill \end{array}$$

Let $\chi$ be a nontrivial character of G and consider the character sum

$$\begin{array}{cc}\hfill & \chi \left(D\right)=\sum _{i=0}^{h-1}\chi \left(g_i\right)\chi \left(H_i\right),\hfill \\ \hfill & \chi \left(D{D}^{(-1)}\right)={\left|\chi \left(D\right)\right|}^2.\hfill \end{array}$$

(1) $\chi$ is nontrivial on ${\mathbb{F}}_{q^{s+1}}$ and nontrivial on G;

$$\begin{array}{c}\hfill \left|\chi \left(D\right)\right|=\sqrt{\chi \left(D{D}^{(-1)}\right)}=\sqrt{k-\lambda }=q^s.\end{array}$$

(2) $\chi$ is trivial on ${\mathbb{F}}_{q^{s+1}}$ and nontrivial on G;

$$\begin{array}{c}\hfill \left|\chi \left(D\right)\right|=q^s.\end{array}$$

From the above description, it is easy to judge from lemma 1(i) that such a construction produces a difference set.

Let

$$\begin{array}{c}\hfill \mathcal{B}=\{B_a=D+a\mid a\in G\},\end{array}$$

it is easy to know that the number of blocks in $\mathcal{B}$ is $\left|G\right|=v$, and $\left|B_a\right|=\left|D\right|=k$. In fact,

$$\begin{array}{cc}\hfill & ♯\{a\in G:g_1^{\prime }\in D+a,g_2^{\prime }\in D+a\}\hfill \\ \hfill & =♯\{a\in G:g_1^{\prime }-a\in D,g_2^{\prime }-a\in D\}\hfill \\ \hfill & =♯\{(x,y):x,y\in D,x-y=g_1^{\prime }-g_2^{\prime }(\ne 0)\}(\mathrm{take}x=g_1^{\prime }-a,y=g_2^{\prime }-a)\hfill \\ \hfill & =\lambda .\hfill \end{array}$$

It follows that $\mathcal{B}$ is a symmetric 2-$(v,k,\lambda )$ design on G. □

3.2. Access Structures from Semi-Regular Relative Difference Sets

Based on the properties of the above difference set, there is the following construction of semi-regular RDSs.

Lemma 3.

Let ${\mathbb{F}}_q^{s+1}$ be a vector space of dimension $s+1$ over ${\mathbb{F}}_q$, where s be a positive integer. There are

$$\begin{array}{c}\hfill h={\displaystyle \frac{q^{s+1}-1}{q-1}}\end{array}$$

subspaces

$$\begin{array}{c}\hfill H_0,H_1,\cdots ,H_{h-1}\end{array}$$

of ${\mathbb{F}}_q^{s+1}$ of dimension s, called hyperplanes. Let G be an arbitrary abelian group containing ${\mathbb{F}}_{q^{s+1}}$ as a central subgroup of index $h-1$, and let

$$\begin{array}{c}\hfill \{g_1,g_2,\cdots ,g_{h-1}\}\end{array}$$

be coset representatives of ${\mathbb{F}}_{q^{s+1}}$ in G. Then

$$\begin{array}{c}\hfill R=\sum _{i=1}^{h-1}{g}_i{H}_i\end{array}$$

is a semi-regular RDS in G relative to $H_0$, i.e.,

$$\begin{array}{cc}\hfill & (u\lambda ,u,u\lambda ,\lambda )\hfill \\ \hfill & =({({\displaystyle \frac{q^{s+1}-1}{q-1}}-1)}^2,{\displaystyle \frac{q^{s+1}-1}{q-1}}-1,{({\displaystyle \frac{q^{s+1}-1}{q-1}}-1)}^2,{\displaystyle \frac{q^{s+1}-1}{q-1}}-1).\hfill \end{array}$$

Proof. 

The RDS is comprised of $h-1$ subsets of ${\mathbb{F}}_{q^{s+1}}$, namely $h-1$ of the h hyperplanes.

(1) If a nontrivial character $\chi$ of ${\mathbb{F}}_{q^{s+1}}$ is trivial on $H_0$ then each subset provides a contribution to the character sum modulus of 0,

(2) If a nontrivial character $\chi$ of ${\mathbb{F}}_{q^{s+1}}$ is nontrivial on $H_0$ then one subset contributes $\sqrt{k}$ and the rest contribute 0.

This gives the required character sum modulus for characters of G which are nontrivial on ${\mathbb{F}}_{q^{s+1}}$. For nontrivial characters of G which are trivial on ${\mathbb{F}}_{q^{s+1}}$, the required character sum modulus of 0 is again a consequence of the subset sizes.

From the above description, it is easy to judge from lemma 1(ii) that such a construction produces a RDS.

Let

$$\begin{array}{c}\hfill \mathcal{B}=\{B_a=R+a\mid a\in G\}.\end{array}$$

it is easy to know that the number of blocks in $\mathcal{B}$ is $\left|G\right|=u^2\lambda$, and $\left|B_a\right|=\left|R\right|=k=u\lambda$.

It follows that $\mathcal{B}$ is a symmetric 2-$(u^2\lambda ,k,\lambda )$ design on G. □

4. Secret Sharing Scheme

4.1. Shamir Threshold Secret Sharing Scheme

Shamir threshold secret sharing scheme is mainly constructed by interpolation polynomial, and has one-to-one correspondence with RS code. $(k,n)$ threshold scheme is simple and satisfies linearity, so it is widely used.

Next, let’s briefly review the Shamir threshold secret sharing scheme

Shamir $(k,n)$-threshold scheme

Let $s\in {\mathbb{F}}_q$ be the main key, and there is a set $\{p_1,p_2,\cdots ,p_n\}$ of n participants, where $n\le q$.

(1) Key distribution:

i. The key management center D secretly selects (uniformly and randomly) $k-1$ elements $\{a_1,a_2,\cdots ,a_{k-1}\}$ in ${\mathbb{F}}_q$ and takes a polynomial in x as a variable

$$\begin{array}{c}\hfill f\left(x\right)=s+a_{1}x+\cdots +a_{k-1}{x}^{k-1}.\end{array}$$

ii. D selects n different non-zero elements $x_1,x_2,\cdots ,x_n$ in ${\mathbb{F}}_q$ and calculates the following

$$\begin{array}{c}\hfill y_i=f\left(x_i\right).\end{array}$$

iii. D secretly distributes $(x_i,y_i)$ to participant $p_i$.

(2) main key reconstruction:

Without losing generality, suppose that the participant set $\{p_1,p_2,\cdots ,p_k\}$ wants to reconstruct the main key s. Thus, they have a total of k point pairs:

$$\begin{array}{c}\hfill (x_1,y_1),(x_2,y_2),\cdots ,(x_k,y_k).\end{array}$$

Then, using the Lagreanger interpolation formula,

$$\begin{array}{c}\hfill f\left(x\right)=\sum _{j=1}^k{y}_j\prod _{1\le l\le k,l\ne j}{\displaystyle \frac{x-x_l}{x_j-x_l}}.\end{array}$$

This allows them to calculate the main key:

$$\begin{array}{c}\hfill s=f\left(0\right)=\sum _{j=1}^k{y}_j\prod _{1\le l\le k,l\ne j}{\displaystyle \frac{x_l}{x_j-x_l}}.\end{array}$$

Therefore, any k or more participants together can reconstruct the main key s, while less than k participants can get no information about s.

This is a method to recover the main key based on linear equations. For any k subkey, without loss of generality, denoted $(x_i,y_i)$, where $y_i=f\left(x_i\right)$, $i=1,\cdots ,k$. These k participants are able to obtain the following equations based on their mastery of the subkey set $\{(x_1,y_1),\cdots ,(x_k,y_k)\}$:

$$\begin{array}{cc}\hfill & y_1=f\left(x_1\right)=s+a_1{x}_1+\cdots +a_{k-1}{x}_1^{k-1},\hfill \\ \hfill & y_2=f\left(x_2\right)=s+a_1{x}_2+\cdots +a_{k-1}{x}_2^{k-1},\hfill \\ \hfill & y_3=f\left(x_3\right)=s+a_1{x}_3+\cdots +a_{k-1}{x}_3^{k-1},\hfill \\ \hfill & \cdots \hfill \\ \hfill & y_k=f\left(x_k\right)=s+a_1{x}_k+\cdots +a_{k-1}{x}_k^{k-1},\hfill \end{array}$$

which is equivalent to

$$\begin{array}{c}\hfill \left(\begin{array}{ccccc}1& x_1& x_1^2& \dots & x_1^{k-1}\\ 1& x_2& x_2^2& \dots & x_2^{k-1}\\ ⋮& ⋮& ⋮& \dots & ⋮\\ 1& x_{k-1}& x_{k-1}^2& \dots & x_{k-1}^{k-1}\\ 1& x_k& x_k^2& \dots & x_k^{k-1}\end{array}\right)·\left(\begin{array}{c}s\\ a_1\\ ⋮\\ a_{k-2}\\ a_{k-1}\end{array}\right)=\left(\begin{array}{c}{y}_1\\ y_2\\ ⋮\\ y_{k-1}\\ y_k\end{array}\right).\end{array}$$

The above coefficient matrix has rank k, and its corresponding transpose matrix is a Vandermonde matrix,

$$\begin{array}{c}\hfill \left(\begin{array}{cccc}1& 1& \dots & 1\\ x_1& x_2& \dots & x_k\\ ⋮& ⋮& \dots & ⋮\\ x_1^{k-2}& x_2^{k-2}& \dots & x_k^{k-2}\\ x_1^{k-1}& x_2^{k-1}& \dots & x_k^{k-1}\end{array}\right).\end{array}$$

Therefore, the unique solution $s, a_1,\cdots ,a_{k-1}$ of the equations containing k unknowns and k equations can be solved, so that the main key s can be recovered.

4.2. Construction of Secret Sharing Scheme Based on Given Access Structure

Let ${\alpha }_1,\cdots ,{\alpha }_n$ be n distinct elements of ${\mathbb{F}}_q$, where $1<n\le q$. For $1\le k\le n$, the RS codes for vector $\mathit{\alpha }=\left({\alpha }_1,\cdots ,{\alpha }_n\right)\in {\left({\mathbb{F}}_q\right)}^n$ is

$$\begin{array}{c}\hfill {RS}_k\left(\mathit{\alpha }\right):=\left\{\left(f\left({\alpha }_1\right),\cdots ,f\left({\alpha }_n\right)\right)\mid f\left(x\right)\in {\mathbb{F}}_q\left[x\right],degf\left(x\right)\le k-1\right\}.\end{array}$$

It is easy to know that ${RS}_k\left(\mathit{\alpha }\right)$ is a ${\left[n,k,n-k+1\right]}_q$-linear MDS code, and its corresponding dual code is also an MDS code.

In fact, the generator matrix for ${RS}_k\left(\mathit{\alpha }\right)$ is

$$\begin{array}{c}\hfill G_k\left(\mathit{\alpha }\right)=\left(\begin{array}{cccc}1& 1& \dots & 1\\ {\alpha }_1& {\alpha }_2& \dots & {\alpha }_n\\ ⋮& ⋮& \dots & ⋮\\ {\alpha }_1^{k-2}& {\alpha }_2^{k-2}& \dots & {\alpha }_n^{k-2}\\ {\alpha }_1^{k-1}& {\alpha }_2^{k-1}& \dots & {\alpha }_n^{k-1}\end{array}\right).\end{array}$$

In fact, the coefficient matrix of the threshold secret sharing scheme (after transposing) and the generator matrix of RS codes (the matrix composed of any k columns) are one-to-one corresponding.

Now, based on RS codes, we consider how to prevent some participants from cheating in the Shamir secret sharing scheme given the access structure.

Imagine l participants join forces, and m of them come up with forged subkeys. Can l participants find that any participant is cheating after joining forces? Furthermore, can they find out all m cheaters, point out the true subkeys of these cheaters, and work out the main keys?

Based on the access structure given in Section 3, the following results solve the above problems.

Theorem 1.

Consider a Shamir secret sharing scheme with a threshold of $k=q^s\left({\displaystyle \frac{q^{s+1}-1}{q-1}}\right)$ on G, where there are n participants, $2<k<n<\left|G\right|=q^{s+1}({\displaystyle \frac{q^{s+1}-1}{q-1}}+1)$.

When $l>k$, any l participants join forces, and if there are no more than $l-k$ cheaters, the l participants can detect someone cheating. If there are no more than ${\displaystyle \frac{l-k}{2}}$ cheaters, the l participants can identify all the cheaters, indicate the true subkeys of these cheaters, and calculate the main key.

Proof. 

Let the l participants joining forces be $A_{i_1},A_{i_2},\cdots ,A_{i_l}$, where $1\le i_1<i_2<\cdots <i_l\le n$. Consider the RS codes

$$\begin{array}{c}\hfill \mathcal{C}=\left\{{\mathit{c}}_f=(f\left(x_{i_1}\right),\cdots ,f\left(x_{i_l}\right))\mid f\left(x\right)\in {\mathbb{F}}_{q^{s+1}}\left[x\right],degf\left(x\right)\le k-1\right\}.\end{array}$$

Since linear code $\mathcal{C}$ is an MDS code with code length l and dimension k, the minimum distance of $\mathcal{C}$ is $d=l-k+1$.

The key control center makes G and $x_i$$(1\le i\le n)$ public, so after players $A_{i_1},A_{i_2},\cdots ,A_{i_l}$ joins forces, their $x_{i_1},x_{i_2},\cdots ,x_{i_l}$ is known. In addition, the code $\mathcal{C}$ is known to l participants after l participants join forces.

Now let the control center adopt polynomial $h\left(x\right)\in {\mathbb{F}}_{q^{s+1}}\left[x\right]$($degh\left(x\right)\le k-1$), then the main key is $h\left(0\right)$, and $\mathit{c}=(h\left(x_{i_1}\right),\cdots ,h\left(x_{i_l}\right)$ is the codeword in $\mathcal{C}$, where $h\left(x_{i_j}\right)$ is the subkey of players $h\left(x_{i_j}\right)$ ($1\le j\le l$).

If the l players join forces, $A_{i_1},A_{i_2},\cdots ,A_{i_l}$ each shows that their subkey is $b_1,b_2,\cdots ,b_l$, but m or less of them are forged. In other words, the Hamming distance between code word $\mathit{c}$ and vector $\mathit{b}=(b_1,b_2,\cdots ,b_l)$ is less than or equal to m. According to error-correcting code theory, when $m\le d-1=l-k$, it can be determined by the vector $\mathit{b}$ whether there is a participant cheating. When vector $\mathit{b}$ is a codeword in $\mathcal{C}$, there is no cheating, otherwise someone will be found cheating. Furthermore, if $m\le {\displaystyle \frac{d-1}{2}}={\displaystyle \frac{l-k}{2}}$, code $\mathcal{C}$ can correct the error of $\le {\displaystyle \frac{l-k}{2}}$, so the codeword $\mathit{c}$ can be recovered from vector $\mathit{b}$, all participants $A_{i_j}$ of $b_j\ne h\left(x_{i_j}\right)$ are cheaters, and the true subkey of $A_{i_j}$ should be $h\left(x_{i_j}\right)$. Since $l>t$, the main key $h\left(0\right)$ can be calculated by randomly taking t of these l players together with their real subkeys. □

Example 1.

Let $q=3$, $s=1$, then we can know that $\left|G\right|=q^{s+1}({\displaystyle \frac{q^{s+1}-1}{q-1}}+1)=45$, $k=q^s\left({\displaystyle \frac{q^{s+1}-1}{q-1}}\right)=12$. Let $n=18$, take $\{x_1,x_2,\cdots ,x_{18}\}=\{1,2,\cdots ,18\}$.

The key control center exposes $q=3$ and $\{x_1,x_2,\cdots ,x_{18}\}$ of 18 participants $A_1,A_2,\cdots ,A_{18}$, and takes $h\left(x\right)\in {\mathbb{F}}_9\left[x\right]$ ($degh\left(x\right)\le 11$) to calculate

$$\begin{array}{c}\hfill \left(h\right(1),\cdots ,h(18\left)\right)\end{array}$$

The control center sends the subkey $\left(h\right(1),\cdots ,h(18\left)\right)$ to participants $A_1,A_2,\cdots ,A_{18}$ respectively, and the main key is $h\left(0\right)$. But the polynomial $h\left(x\right)$ is kept secret from any participants.

Now let $l=15$ players

$$\begin{array}{c}\hfill A_1,A_2,A_3,A_4,A_5,A_6,A_7,A_8,A_9,A_{10},A_{11},A_{12},A_{13},A_{14},A_{15}\end{array}$$

join forces, they each show their own key, $A_2$ forged the fake sub-key. Since $m=1\le {\displaystyle \frac{l-k}{2}}$, the deceiver can be identified based on the 15 players. The method is to consider RS code

$$\begin{array}{cc}\hfill \mathcal{C}=& \{{\mathit{c}}_f=(f\left(1\right),f\left(2\right),f\left(3\right),f\left(4\right),f\left(5\right),f\left(6\right),f\left(7\right),f\left(8\right),f\left(9\right),\hfill \\ \hfill & f\left(10\right),f\left(11\right),f\left(12\right),f\left(13\right),f\left(14\right),f\left(15\right))\mid f\left(x\right)\in {\mathbb{F}}_9\left[x\right],degf\left(x\right)\le 11\}.\hfill \end{array}$$

The code length of the RS is $l=15$, the dimension is $k=12$, and the minimum distance is $d=l-k+1=4$, which can correct 1 error. The subkey presented by 15 players together gives vector $\mathit{b}$, which is 1 position different from the codeword $\mathit{c}$ in the code $\mathcal{C}$, so the codeword $\mathit{c}$ can be recovered from $\mathit{b}$ by the RS code $\mathcal{C}$. After the subkey of the deceiver is recovered, the main key can be calculated according to the formula.

Based on the access structure given by semi-regular RDSs in Section 3, the following secret sharing scheme is given.

Theorem 2.

Consider a Shamir secret sharing scheme with a threshold of $k={({\displaystyle \frac{q^{s+1}-1}{q-1}}-1)}^2$ on G, where there are n participants, $2<k<n<\left|G\right|={({\displaystyle \frac{q^{s+1}-1}{q-1}}-1)}^3$.

When $l>k$, any l participants join forces, and if there are no more than $l-k$ cheaters, the l participants can detect someone cheating. If there are no more than ${\displaystyle \frac{l-k}{2}}$ cheaters, the l participants can identify all the cheaters, indicate the true subkeys of these cheaters, and calculate the main key.

Proof. 

The proof is similar to the proof of Theorem 1, which is omitted here. □

Remark 1.

For reference, we list some known constructions of perfect ideal linear schemes and our new constructions in

Table 1. Some known classes of perfect ideal linear secret sharing schemes with field size.

Field Size	Explicit Constructions	References
${\eta }_1\left({\displaystyle \genfrac{}{}{0pt}{}{n+1}{k}}\right)$	No	[21]
$\left({\displaystyle \genfrac{}{}{0pt}{}{n+1}{k}}\right)$	No	[22]
$n_0^{\mid r\mid +1}$	Yes	[23]
${\left(max\left\{n_0,\mid r\mid +1\right\}\right)}^{T_1+1}$	Yes	[24]
$\left({\displaystyle \genfrac{}{}{0pt}{}{n}{k}}\right)$	No	[25]
${\left(1+n_0\right)}^{\mid r\mid -\mid t\mid +1}$	Yes	[23]
${\left(1+max\left\{n_0,\mid r\mid -\mid t\mid \right\}\right)}^{T_2}$	Yes	[24]
$q^{s+1}({\displaystyle \frac{q^{s+1}-1}{q-1}}+1)$.	Yes	[Theorem 1]
${({\displaystyle \frac{q^{s+1}-1}{q-1}}-1)}^3$.	Yes	[Theorem 2]

. It should be emphasized that we mainly use difference sets to construct the corresponding access structures, which is different from other literature in Table 1 using codes to construct the access structures. In addition, it is easy to see from Table 1 that for a given access structure with field size, we give two effective explicit constructs of perfect ideal linear secret sharing schemes. Under some conditions, the scope of our field size is larger, which can make the secret sharing schemes with more participants exist, therefore, our schemes have greater potential practical value. In addition, the scheme we constructed involves fewer application levels, which is also our next research task.

5. Conclusions

In this paper, we introduce a method for constructing access structures derived from hyperplane combinatorial structures over finite fields. For a given access structure, we present a corresponding secret sharing scheme designed to detect and identify cheaters. This scheme ensures that the secret can be accurately reconstructed as long as the number of cheaters does not surpass a predefined threshold, while also allowing for the detection and localization of any cheating activity.