IoT-Applicable Generalized Frameproof Combinatorial Designs

Abstract

Secret sharing schemes are widely used to protect data by breaking the secret into pieces and sharing them amongst various members of a party. In this paper, our objective is to produce a repairable ramp scheme that allows for the retrieval of a share through a collection of members in the event of its loss. Repairable Threshold Schemes (RTSs) can be used in cloud storage and General Data Protection Regulation (GDPR) protocols. Secure and energy-efficient data transfer in sensor-based IoTs is built using ramp-type schemes. Protecting personal privacy and reinforcing the security of electronic identification (eID) cards can be achieved using similar schemes. Desmedt et al. introduced the concept of frameproofness in 2021, which motivated us to further improve our construction with respect to this framework. We introduce a graph theoretic approach to the design for a well-rounded and easy presentation of the idea and clarity of our results. We also highlight the importance of secret sharing schemes for IoT applications, as they distribute the secret amongst several devices. Secret sharing schemes offer superior security in lightweight IoT compared to symmetric key encryption or AE schemes because they do not disclose the entire secret to a single device, but rather distribute it among several devices.

1. Introduction

The Internet of Things (IoT) is a rapidly growing network of interconnected devices that communicate with each other to perform various tasks. As the number of IoT devices increases, so does the need for secure communication between them. Cryptography is an essential tool for securing IoT devices, and secret sharing schemes are one of the most promising cryptographic elements for IoT. For example, the Datachest application encrypts and stores sensitive data in commercial cloud storage systems using secret sharing [1]. The application uploads the data in encrypted form, and cryptographic keys are divided into shares. Each cloud receives one share, and this solution improves the security of users’ sensitive data in the cloud. In this paper, we identify the importance of applicability of secret sharing schemes to IoT, and pay particular attention to the value our proposed distribution design may introduce through frameproofness of the underlying scheme in such applications as well as possibilities for integrating multiple or multi-level systems without complete loss of distinction of the underlying individual systems.

A secret sharing scheme is a useful tool in modern cryptography. They are distinctive in distributing a secret amongst multiple devices, ensuring that no single device has access to the entire secret. This makes secret sharing schemes ideal for IoT applications where multiple devices need to work together to perform a task. For example, in a smart home system, multiple devices such as sensors, cameras, and smart locks need to communicate with each other to provide security and convenience to the homeowner. In secret sharing-based IoT (SBIoT), each cloud server is given a share constructed using a secret sharing scheme. A collection of servers can reconstruct the secret provided that they satisfy the reconstruction criteria of the underlying scheme (instead of privately owned keys in encryption-based schemes). Such a scheme enables processing without the need of decryption. Energy efficiency refers to the total energy consumption of an IoT network, which affects the lifetime of a network [2]. It is well-known that use of a ramp-type scheme improves the security and energy efficiency in SBIoT networks [3]. It provides better security against various types of attacks, including replay attack, modification attack, selective forwarding attack, and data leakages when a passive attacker is encountered. These benefits contribute to enhancing the overall security and performance of data transfer in SBIoT networks. Using a threshold scheme enhances personal information protection for eID cards by not storing any personal information per se in the card [4]. Instead, sensitive personal information is divided into two parts for distributed storage in the client and the eID card. This ensures safety even when eID cards are lost because none of the original information can be figured out from a single secret share. With this structure, no information whatsoever on the original can be known from only the secret share in the card.

Consider b players and a positive integer $\tau \le b$. Suppose a dealer distributes a secret to these b players such that any collection of $\tau$ players can reconstruct the secret with their shares, but no smaller collection of players can do so. This is called a $(\tau ,b)$-threshold secret sharing scheme with threshold $\tau$. If the dealer distributes shares to b players such that any collection of ${\tau }_1$ players can reconstruct the secret but no collection of ${\tau }_2$ or less players can do so (for ${\tau }_2<{\tau }_1\le b$), then it is called a $({\tau }_1,{\tau }_2,b)$-ramp scheme. Thus, if ${\tau }_1-{\tau }_2=1$, then it is a $({\tau }_1,b)$-threshold scheme. In this paper, we shall present a repairable ramp scheme, which we call a tensor design.

Secret sharing schemes also play a crucial role in ensuring secure data storage within cloud environments. These schemes involve the division of data into multiple shares, which are then stored on different servers. This approach provides a safeguard against any potential compromise of a single server, thereby maintaining the security of the data. In [5], the authors present an exploration of the comparative performance of Shamir’s secret sharing algorithm [6] and Rabin’s IDA [7] within a private cloud framework utilizing the OpenStack cloud infrastructure. The experimental results indicated that Shamir’s secret sharing algorithm outperformed Rabin’s IDA in terms of generating the shares and reconstructing the data. However, Rabin’s IDA exhibited a lower storage overhead when compared to Shamir’s secret sharing algorithm. These findings underscore the importance of considering various factors, such as generation time, reconstruction time, and storage requirements, when selecting an appropriate secret sharing scheme for secure data storage in cloud environments.

In their 2019 work, Stinson and Kacsmar [8] demonstrated non-ideal secret sharing schemes stemming from an ideal scheme (viz. Shamir scheme) as the base scheme. They presented a distribution design which was a threshold scheme with the ability to repair lost shares with a certain probability, and secure against any adversary with lesser players than the threshold. Our work further generalizes the domain over which our distribution designs are defined, in addition to providing it with easier secret reconstruction and share repairability, and securing it in more than one context. In short, we revisit the combinatorial design and some of its key properties first.

1.1. Combinatorial RTS

Consider the problem of securely reconstructing the lost share of a player by that player and a subset of the other players. A combinatorial solution to this problem was proposed by Stinson and Wei [9]. These schemes are termed combinatorial RTS. A repairable threshold scheme (RTS) is a $(\tau ,b)$-threshold scheme in which a subset of players can repair another player’s share in the event that their share is lost or corrupted, without the participation of the dealer who set up the scheme. The repairing protocol should not compromise the (unconditional) security of the threshold scheme.

1.2. A Drawback and an Idea of Extension

The combinatorial model proposed so far produces shares that are in a finite field ${\mathbb{F}}_q^k$. Whether we can extend this notion to an integer ring is the first question. In this work, we propose a method to construct a distribution design with entries from an integer ring, thus generalizing the domain. We further show that this is a ramp scheme and consequently give a method of secret reconstruction for it, which is significantly easier in comparison to [8]. The size of the authorized coalition that can recover the secret is significantly reduced in our framework. Example 3 will demonstrate the fact.

Repairability Problem

Techniques from network reliability theory are heavily used in reliability studies of these combinatorial repairable threshold schemes in a setting where players may not be available to take part in the repair of a given player’s share. Reference [8] deals with the problem of reliability of such schemes and reconstruction of secrets and repairing shares without participation of the dealer.

The scheme proposed in this paper produces a far more efficient share repairability, which is possible due to the generalized domain, and based heavily on the easier secret reconstruction mentioned beforehand.

1.3. Frameproofness

Moving forward with the concept of repairing shares, another similar possibility was recently explored, called framing. Instead of simply specifying the minimum size of a set of players that can access the secret, suppose the dealer defines the share distribution through some other process. Say $f:\mathbf{P}\to \{0,1\}$ (where $\mathbf{P}$ denotes the power set of the set of all players $\mathcal{P}$) such that any coalition of players $\mathcal{A}\subseteq \mathcal{P}$ can access the secret if and only if $f\left(\mathcal{A}\right)=1$ (thus, in a Shamir scheme, $f\left(\mathcal{A}\right)=1$ if and only if $\left|\mathcal{A}\right|\ge \tau$). If $\mathcal{A}\subseteq \mathcal{P}$ maps to 1 through f, then $\mathcal{A}$ is called an authorized coalition; if it maps to 0, then $\mathcal{A}$ is an unauthorized coalition.

Given such an access structure over a secret sharing scheme, suppose a coalition $\mathcal{A}$ of players can gain information about the share of a player $P\in \mathcal{P}\setminus \mathcal{A}$ dishonestly. Then $\mathcal{A}$ can wrongly accuse P of releasing information about the secret that only $\mathcal{A}$ is not authorized to access, i.e., $\mathcal{A}$ can frame P. Framing a player (or players) evidently undermines the security of any secret sharing scheme, as it allows a group of players to access extra information about the secret illegally. Thus, it is imperative to limit such capabilities and/or size of any such coalition when constructing a combinatorial RTS. The concept of frameproofness was examined by Desmedt et al. in their recent paper [10]. In this paper, we improve the extension scheme so that no framing is possible for any coalition of smaller size than the threshold. The question of what can be the minimum size of a coalition that can frame a player under this modification currently remains open.

2. Results

In this paper, we first introduce an operation, the Krönecker product of two matrices, extendable to a Krönecker product of two BIBDs. Following up with some properties of this operation, we present methods to solve two inherent problems with Krönecker products; firstly, the operation does not produce a BIBD from two BIBDs, and secondly, we resolve the issue of uniqueness that arises with the introduction of this operation. Our next theorem deals with the existence of secret reconstruction, which we prove by producing an algorithm. A probabilistic proof is given next.

An immediate consequence of our results on the new scheme is its extendability to multiple BIBDs. We discuss it briefly though a dealer’s algorithm. We proceed with an example to illustrate our algorithms further. We make considerable improvements on the method of share repair described in [8] for our proposed Krönecker product-induced BIBDs.

Next, we explore the concept of frameproofness for our proposed model and improve it significantly through certain changes in the model. We also prove existence of frameproofness of the modified scheme through results based on matchings of bipartite graphs.

Finally, we note the importance of secret sharing schemes in varied IoT applications, especially for their lightweight functionality, uniquely encapsulated through the non-accessibility of the full secret to any single entity, which we strengthen by frameproofness and can expand by incorporating multiple systems by our Krönecker product.

Organization of the Paper

Our paper starts with a brief review of the work performed by Stinson and Wei [9] in Section 3. We then move on to describe our construction, beginning with an introduction of the Krönecker product of two BIBDs in Section 4. We describe the secret reconstruction procedure for such an object illustrated through an example in Section 5. Next, we briefly describe the method of share repair and compute the corresponding repair probabilities, much like in [8], in Section 6. We then proceed to modify this scheme to give a frameproof construction in Section 7. Furthermore, we answer the question of existence of such a modified construction in Section 8. Finally, we draw the reader’s attention to the applicability of our results to secret sharing applications on the Internet of Things, especially in a secure, lightweight context, in Section 9.

3. Stinson and Wei’s Model [9]

The classical Shamir scheme is defined over a finite field ${\mathbb{F}}_q$$(q\ge b+1)$. It involves the following:

• an initialization phase, in which the dealer chooses distinct, non-zero public elements $x_1,x_2,\dots ,x_b$ from ${\mathbb{F}}_q$, and gives value $x_i$ to player $P_i$;
• a share distribution phase in which the dealer chooses a secret $K=a_0\in {\mathbb{F}}_q$, then secretly chooses $a_1,\dots ,a_{\tau -1}\in {\mathbb{F}}_q$ independently and uniformly at random, and finally computes the share $y_i=a\left(x_i\right)$ $\left(\mathrm{where} a\left(x\right):={\displaystyle \sum _{j=0}^{\tau -1}}{a}_j{x}^j\right)$ and gives it to player $P_i$.

The combinatorial solution proposed by Stinson and Wei [9] to the share repairability problem is based on an old technique by Benaloh and Leichter, namely, giving each player a subset of shares from an underlying threshold scheme called a base scheme (which is, say, a $(\sigma ,m)$-Shamir scheme over the base field ${\mathbb{F}}_q$). Each player is then given a certain subset of d of the m shares, by use of a set system (or design) consisting of b blocks of size d, defined on a set of m points. This design is termed the distribution design:

$$\left(\begin{array}{cccc}{y}_{11}& y_{12}& \cdots & y_{1d}\\ y_{21}& y_{22}& \cdots & y_{2d}\\ ⋮\\ y_{b1}& y_{b2}& \cdots & y_{bd}\end{array}\right),\left|{\left\{y_{ij}\right\}}_{\begin{array}{c}i\in \{1,2,\dots ,b\}\\ j\in \{1,2,\dots ,d\}\end{array}}\right|\le m.$$

(1)

The resulting expanded $(\tau ,b)$-threshold scheme consists of each player $P_i$ corresponding to a block $B_i\in \mathcal{B}$ of the distribution design. For each point $x\in B_i$, the player $P_i$ is given the subshare $s_x$. If X denotes the set of m points on which the design is defined and $\mathcal{B}=\{B_1,\dots ,B_b\}$ is the set of all blocks, then this forms an $(X,\mathcal{B})$-distribution design.

Definition 1. 

Suppose $2\le k<v$. A $(b,v,k,r,\lambda )$-balanced incomplete block design or a $(b,v,k,r,\lambda )$-BIBD is a design $(X,\mathcal{B})$ such that:

1. 

$\left|X\right|=v$;

2. 

each block $B\in \mathcal{B}$ contains exactly k points;

3. 

every pair of distinct points from X is contained in exactly λ blocks.

Observe that if each point occurs in exactly r blocks, then the parameters $b,v,k,r,\lambda$ of a BIBD satisfy the following relations [11]:

(i) 

$bk=vr$;

(ii) 

$\lambda (v-1)=r(k-1)$;

(iii) 

$b\ge v$ (and hence $r>k$).

Definition 2. 

We shall call a distribution design a tensor design if it simply satisfies property (i) above.

Design Properties

Next, we consider an example to demonstrate the fact that the object constructed in Section 4 is in fact a ramp scheme. For the purpose of computations, we recall some results from [8] on block designs.

Theorem 1 

(Replication Number). Every point in a $(v,k,\lambda )$-BIBD occurs in exactly $r=\frac{\lambda (v-1)}{k-1}$ blocks. The value r is termed the replication number of the scheme.

Theorem 2 

(Blocks and Block Size). A $(v,k,\lambda )$-BIBD has exactly

$b=\frac{vr}{k}=\frac{\lambda (v^2-v)}{k^2-k}$ blocks of size k.

4. Tensor Design Generated by Two BIBDs

Given two matrices $\mathcal{A}$ and $\mathcal{B}$, the usual matrix product operation can be carried out only when the column size of the left matrix $\mathcal{A}$ is equal to the row size of the right matrix $\mathcal{B}$. The Krönecker product can be applied on any two matrices, irrespective of their dimension. This operation has several applications in Linear Algebra, of which, we consider some properties that shall be useful for working with BIBDs.

4.1. Definition of the Krönecker Product

The Krönecker product of two matrices ${\mathcal{A}}_{b_1\times k_1}$ and ${\mathcal{B}}_{b_2\times k_2}$ is the block matrix

$$\mathcal{A}\otimes \mathcal{B}=\left(\begin{array}{cccc}{\mathfrak{a}}_{11}\mathcal{B}& {\mathfrak{a}}_{12}\mathcal{B}& \cdots & {\mathfrak{a}}_{1k_1}\mathcal{B}\\ {\mathfrak{a}}_{21}\mathcal{B}& {\mathfrak{a}}_{22}\mathcal{B}& \cdots & {\mathfrak{a}}_{2k_1}\mathcal{B}\\ ⋮\\ {\mathfrak{a}}_{b_{1}1}\mathcal{B}& {\mathfrak{a}}_{b_{1}2}\mathcal{B}& \cdots & {\mathfrak{a}}_{b_1{k}_1}\mathcal{B}\end{array}\right),$$

(2)

where ${\mathfrak{a}}_{ij}$ denotes the entry in the $i\mathrm{th}$ row and $j\mathrm{th}$ column of $\mathcal{A}$.

Observe that Krönecker products follow the associative property. Thus, for matrices $\mathcal{A}$, $\mathcal{B}$, and $\mathcal{C}$,

$$\left(\mathcal{A}\otimes \mathcal{B}\right)\otimes \mathcal{C}=\mathcal{A}\otimes \left(\mathcal{B}\otimes \mathcal{C}\right).$$

Another interesting property of Krönecker products is that they maintain structure over block matrices. Thus, if $\mathcal{A}$ is written as a block matrix

$$\left(\begin{array}{cccc}{\mathcal{A}}_{11}& {\mathcal{A}}_{12}& \cdots & {\mathcal{A}}_{1k}\\ {\mathcal{A}}_{21}& {\mathcal{A}}_{22}& \cdots & {\mathcal{A}}_{2k}\\ ⋮\\ {\mathcal{A}}_{b1}& {\mathcal{A}}_{b2}& \cdots & {\mathcal{A}}_{bk}\end{array}\right) \mathrm{for} \mathrm{some} b\le b_1 \mathrm{and} k\le k_1,$$

$$\mathrm{then} \mathcal{A}\otimes \mathcal{B}=\left(\begin{array}{ccccccc}{\mathcal{A}}_{11}\otimes \mathcal{B}& & {\mathcal{A}}_{12}\otimes \mathcal{B}& & \cdots & & {\mathcal{A}}_{1k}\otimes \mathcal{B}\\ {\mathcal{A}}_{21}\otimes \mathcal{B}& & {\mathcal{A}}_{22}\otimes \mathcal{B}& & \cdots & & {\mathcal{A}}_{2k}\otimes \mathcal{B}\\ ⋮\\ {\mathcal{A}}_{b1}\otimes \mathcal{B}& & {\mathcal{A}}_{b2}\otimes \mathcal{B}& & \cdots & & {\mathcal{A}}_{bk}\otimes \mathcal{B}\end{array}\right).$$

(3)

4.2. Krönecker Product of Two BIBDs

Let $\mathcal{A}$ and $\mathcal{B}$ be the share matrices generated by ramp schemes with, respectively, $b_1$ and $b_2$ blocks having shares of sizes $k_1$ and $k_2$. Suppose $\mathcal{A}$ and $\mathcal{B}$ also denote the $b_1\times k_1$ and $b_2\times k_2$ matrices corresponding to the two schemes. The Krönecker product of $\mathcal{A}\otimes \mathcal{B}$ is therefore

$$M=\left(\begin{array}{cccc}{\mathfrak{a}}_{11}\mathcal{B}& {\mathfrak{a}}_{12}\mathcal{B}& \cdots & {\mathfrak{a}}_{1k_1}\mathcal{B}\\ {\mathfrak{a}}_{21}\mathcal{B}& {\mathfrak{a}}_{22}\mathcal{B}& \cdots & {\mathfrak{a}}_{2k_1}\mathcal{B}\\ ⋮\\ {\mathfrak{a}}_{b_{1}1}\mathcal{B}& {\mathfrak{a}}_{b_{1}2}\mathcal{B}& \cdots & {\mathfrak{a}}_{b_1{k}_1}\mathcal{B}\end{array}\right)=\left(\begin{array}{c}{T}_1\\ T_2\\ ⋮\\ T_{b_1}\end{array}\right),$$

(4)

where $T_i$ ($i\in \{1,2,\dots ,b_1\}$) is the $i\mathrm{th}$ row-block submatrix of M containing rows $(i-1)b_2+1,(i-1)b_2+2,\dots ,i{b}_2$. If the share matrix $\mathcal{A}$ is defined over the field ${\mathbb{F}}_{p_1}$ and $\mathcal{B}$ over the field ${\mathbb{F}}_{p_2}$ for some primes $p_1$ and $p_2$, then we define the scalar multiplication by simple integer multiplication:

$$\begin{array}{ccc}\hfill {\mathbb{F}}_{p_1}\times {\mathbb{F}}_{p_2}& \to & \mathbb{Z}\hfill \\ \hfill \mathrm{such} \mathrm{that} (x_1,x_2)& \mapsto & x_1·x_2.\hfill \end{array}$$

The reason behind taking such a multiplication is that the product elements are not distinguishable from integers. Therefore, M is a matrix over the integer ring $\mathbb{Z}$.

At this point, the first observation that we make is that the Krönecker product $\mathcal{A}\otimes \mathcal{B}$ of two BIBDs $\mathcal{A}$ and $\mathcal{B}$ does not always produce a BIBD. To illustrate the fact, we start with a small example, and then we describe a method for resolving this issue. Also, the Krönecker product in general does not produce an injective mapping from ${\mathcal{M}}_{b_1\times k_1}\times {\mathcal{M}}_{b_2\times k_2}$ to the matrix space ${\mathcal{M}}_{b_1{b}_2\times k_1{k}_2}$. So it is hopeless to search for a secret reconstruction procedure from a given Krönecker product matrix. We shall thus impose a condition producing an injective map and in turn, ensuring the existence of secret reconstruction.

Consider an example of two $2-(4,3,2)$ Shamir schemes in ${\mathbb{F}}_5$ and ${\mathbb{F}}_7$ over the points $\{1,2,3,4\}$ and $\{1,2,3,5\}$ constructed using two polynomials modulo ${\mathbb{F}}_5$ and ${\mathbb{F}}_7$, respectively. These can be represented by share matrices $\mathcal{A}$ and $\mathcal{B}$, respectively, with $r_1=r_2=3$:

$$\mathcal{A}=\left(\begin{array}{ccc}1& 2& 3\\ 2& 1& 4\\ 3& 4& 2\\ 4& 3& 1\end{array}\right)\mathrm{and}\mathcal{B}=\left(\begin{array}{ccc}1& 2& 3\\ 2& 3& 5\\ 3& 5& 1\\ 5& 1& 2\end{array}\right).$$

(5)

The Krönecker product of the BIBDs $\mathcal{A}$ and $\mathcal{B}$ is as follows:

1	2	3	2	4	6	3	6	9
2	3	5	4	6	10	6	9	15
3	5	1	6	10	2	9	15	3
5	1	2	10	2	4	15	3	6
2	4	6	1	2	3	4	8	12
4	6	10	2	3	5	8	12	20
6	10	2	3	5	1	12	20	4
10	2	4	5	1	2	20	4	8
3	6	9	4	8	12	2	4	6
6	9	15	8	12	20	4	6	10
9	15	3	12	20	4	6	10	2
15	3	6	20	4	8	10	2	4
4	8	12	3	6	9	1	2	3
8	12	20	6	9	15	2	3	5
12	20	4	9	15	3	3	5	1
20	4	8	15	3	6	5	1	2

Hence, $\mathcal{A}\otimes \mathcal{B}$ has the parameters $b=16, v=12$, and $k=9$; the parameters r and $\lambda$ are not well-defined. Obviously, neither does this satisfy property 3 of a BIBD (Definition 1), nor the relation (i) of a tensor design (Definition 2). Lemmas 1–3 and Theorem 3 ensure that we always obtain a tensor design from a Krönecker product, and furthermore that we always obtain a secret reconstruction for such a share distribution scheme.

4.3. Some Results on the Krönecker Product of BIBDs

We now resolve these issues by defining some properties of a tensor design. Let $\mathcal{A}$ and $\mathcal{B}$ be share matrices defined on points $\{x_1,x_2,\dots ,x_n\}$ and $\{y_1,y_2,\dots ,y_m\}$, respectively. Let ${\mathcal{B}}_d$ be the same distribution scheme as $\mathcal{B}$, but on the points $\{y_1+d,y_2+d,\dots ,y_m+d\}$. The position of an element in the Krönecker product of these two matrices can be found by simple counting, and is stated in the following lemma:

Lemma 1. 

The product of $a_{ij}\in \mathcal{A}$ and $b_{kl}\in \mathcal{B}$ can be found in the row $(i-1)b_2+k$ (which is also the player number in the repair scheme represented by M), and the column $(j-1)k_2+l$ of M.

The next result helps ensure that $\mathcal{A}\otimes \mathcal{B}$ is indeed a BIBD:

Lemma 2. 

Let $\{x_1,x_2,\dots ,x_n\}$ and $\{y_1,y_2,\dots ,y_m\}$ be two collections of integers. Then there exists an integer d such that $\{x_1,x_2,\dots ,x_n\}$ and $\{y_1+d,y_2+d,\dots ,y_m+d\}$ have no multiplicative collisions of the type $x_i{y}_j=x_k{y}_l$ for $(i,j)\ne (k,l)$.

Proof. 

Set $d\ge \underset{\begin{array}{c}i,k\in \{1,2,\dots ,n\}\\ j,l\in \{1,2,\dots ,m\}\end{array}}{max}\{x_i{y}_j-x_k{y}_l\}+1$. Suppose $x_i(y_j+d)=x_k(y_l+d)$.

$$\begin{array}{ccc}\hfill \Rightarrow x_i{y}_j+x_{i}d& =& x_k{y}_l+x_{k}d\hfill \\ \hfill \Rightarrow (x_k-x_i)d& =& x_i{y}_j-x_k{y}_l\hfill \\ \hfill \Rightarrow d& =& \frac{x_i{y}_j-x_k{y}_l}{x_k-x_i};\hfill \end{array}$$

(6)

however, since $d\ge \underset{\begin{array}{c}i,k\in \{1,2,\dots ,n\}\\ j,l\in \{1,2,\dots ,m\}\end{array}}{max}\{x_i{y}_j-x_k{y}_l\}+1$, this is a contradiction. Therefore, $\{x_1,x_2,\dots ,x_n\}$ and $\{y_1+d,y_2+d,\dots ,y_m+d\}$ produce no multiplicative collisions. □

Lemma 3. 

Given a list of distinct elements $\{y_1,y_2,\dots ,y_m\}$, we can choose an integer $\widehat{d}$ such that $gcd(y_1+\widehat{d},y_2+\widehat{d},\dots ,y_m+\widehat{d})=1$.

Proof. 

Without loss of generality, we may assume $y_1<y_2<\cdots <y_m$. Let $l=gcd(y_1,y_2,\dots ,y_m)$ and fix $i<j$ in $\{1,2,\dots ,m\}$. Thus, $y_i=l{k}_i$ and $y_j=l{k}_j$ such that $k_i<k_j$. Choose $\widehat{d}$ such that $gcd(\widehat{d},l)=1$ and $gcd(\widehat{d}+y_i,k_j-k_i)=1$ for some j in $\{1,2,\dots ,m\}$. Now, $gcd(y_i+\widehat{d},y_j+\widehat{d})$=$gcd(l{k}_i+\widehat{d},l{k}_j+\widehat{d})$=$gcd(l{k}_i+\widehat{d},l(k_j-k_i))=1$. □

Theorem 3 

(Reconstruction from Tensor Designs). Consider a $(v_1,k_1,{\lambda }_1,b_1,r_1)$-BIBD $\mathcal{A}$ and a $(v_2,k_2,{\lambda }_2,b_2,r_2)$-BIBD $\mathcal{B}$.

1. 

The matrix $\mathcal{A}\otimes {\mathcal{B}}_d$ produces a tensor design (over the integer ring $\mathbb{Z}$) for a (public) integer d such that there are no multiplicative collisions of the type $x_i(y_j+d)=x_k(y_l+d)$ for $(i,j)\ne (k,l)$.

2. 

• If $gcd(x_1,x_2,\dots ,x_{v_1})=1$;
• if $gcd(y_1,y_2,\dots ,y_{v_2})=1$;

then $\mathcal{A}$ and $\mathcal{B}$ can be reproduced from a collection of players in the new scheme $\mathcal{A}\otimes {\mathcal{B}}_d$, hence enabling share repair and secret reconstruction.

This theorem can be generalized for finitely many such Krönecker products, and motivates us to present the following algorithm for a share distribution scheme.

Proof. 

The parameters of the Krönecker product $\mathcal{A}\otimes \mathcal{B}$ are $b=b_1{b}_2,v=v_1{v}_2,k=k_1{k}_2,r=r+1r+2,\lambda ={\lambda }_1{\lambda }_2$. Part 1 of the theorem therefore follows from Lemma 2, which ensures a well-defined value for r, and Lemma 3, which ensures a well-defined value for $\lambda$.

In order to prove part 2, we describe two ways to reproduce $\mathcal{A}$ and $\mathcal{B}$. Recall first that any ${\tau }_1$ rows of $\mathcal{A}$ produce all points of $\mathcal{A}$, and similarly ${\tau }_2$ rows for ${\mathcal{B}}_d$. Furthermore, we claim the following:

[I] 

A collection of players that has

(i)

${\tau }_2$ players from one row-block $T_i$ of M;

(ii)

at least one player from distinct ${\tau }_1-1$ row-blocks $T_j\ne T_i$ of the remaining $b_1-1$ row-blocks

can reconstruct the secret.

[II] 

Let $S_j$ ($j\in \{1,2,\dots ,b_2\}$) be the collection of players $\{P_{b_{2}k+j}:k\in \{0,1,\dots$$\dots ,b_1-1\left\}\right\}$. A collection of players that contains

(i)

${\tau }_1$ players from one $S_j$;

(ii)

at least one player from ${\tau }_2-1$$S_i$, $i\ne j$

can also reconstruct the secret.

We now present an algorithm to prove claim [I]; claim [II] follows similarly.

• The share of the $j\mathrm{th}$ player $P_{i·b_2-1+j}$ of the $i\mathrm{th}$ row-block $T_i$ is of the form

  $${\mathfrak{a}}_{i1}·\{{\mathfrak{b}}_{j1},{\mathfrak{b}}_{j2},\dots ,{\mathfrak{b}}_{j{k}_2}\},{\mathfrak{a}}_{i2}·\{{\mathfrak{b}}_{j1},{\mathfrak{b}}_{j2},\dots ,{\mathfrak{b}}_{j{k}_2}\},\dots ,{\mathfrak{a}}_{i{k}_1}·\{{\mathfrak{b}}_{j1},{\mathfrak{b}}_{j2},\dots ,{\mathfrak{b}}_{j{k}_2}\}.$$
  Fix any $i\in \{1,2,\dots ,b_1\}$ and choose $j_1,j_2,\dots ,j_{{\tau }_2}$ to ensure that
  $gcd({\mathfrak{b}}_{j_{1}1},{\mathfrak{b}}_{j_{1}2},\dots ,{\mathfrak{b}}_{j_1{k}_2},{\mathfrak{b}}_{j_{2}1},{\mathfrak{b}}_{j_{2}2},\dots ,{\mathfrak{b}}_{j_2{k}_2},\dots ,{\mathfrak{b}}_{j_{{\tau }_2}1},{\mathfrak{b}}_{j_{{\tau }_2}2},\dots ,{\mathfrak{b}}_{j_{{\tau }_2}{k}_2})=1$.
• Therefore, the values of ${\mathfrak{a}}_{i1},{\mathfrak{a}}_{i2},\dots ,{\mathfrak{a}}_{i{k}_1}$ become known. Divide ${\mathfrak{a}}_{i\alpha }{\mathfrak{b}}_{j_k\beta }$ by ${\mathfrak{a}}_{i\alpha }$ (for $\alpha \in \{1,2,\dots ,k_1\},\beta \in \{1,2,\dots ,k_2\}$ and $k\in \{1,2,\dots ,{\tau }_2\}$) to obtain ${\mathfrak{b}}_{j_{k}1},{\mathfrak{b}}_{j_{k}2},\dots ,{\mathfrak{b}}_{j_k{k}_2}$.
• Construct the complete matrix ${\mathcal{B}}_d$ using the shares of ${\tau }_2$ players of ${\mathcal{B}}_d$ that are now known. Hence construct $\mathcal{B}$.
• Using the values of the elements in ${\mathcal{B}}_d$, compute the values ${\mathfrak{a}}_{i^{\prime }1},{\mathfrak{a}}_{i^{\prime }2},\dots ,{\mathfrak{a}}_{i^{\prime }{k}_1}$ for ${\tau }_1-1$ indices $i^{\prime }$ that are distinct from each other as well as from i.
• Hence, construct $\mathcal{A}$ from the shares of ${\tau }_1$ players of $\mathcal{A}$ thus obtained.
• Finally compute the secret from $\mathcal{A}$ and $\mathcal{B}$.

□

This reconstruction algorithm is clearly better than the one in [8] in the sense that the size of the authorized coalition is smaller. In fact, the size of the authorized coalition, while not unique, has a lower bound in the number of players. The following section provides a proof that there is always a secret reconstruction for this scheme.

4.4. Proof of Existence of Secret Reconstruction

Let us redefine the problem in terms of random variables. Let $X_1,X_2,\dots ,X_n$ be sampled without replacement from the collection of all players. We assume a uniform probability distribution over the set of all players.

$$\begin{array}{ccc}\hfill \mathrm{Let}{I}_{i,j}& =& \left\{\begin{array}{cc}1\hfill & \mathrm{if} X_i\in S_j,i\in \left[n\right],j\in \left[b_2\right],\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \\ \hfill \mathrm{Also}\mathrm{let}{J}_{i,k}& =& \left\{\begin{array}{cc}1\hfill & \mathrm{if} X_i\in T_k,i\in \left[n\right],k\in \left[b_1\right],\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.\hfill \end{array}$$

We further define $n_k={\displaystyle \sum _{i=1}^n}{J}_{i,k}$ and $r_j={\displaystyle \sum _{i=1}^n}{I}_{i,j}$. Then the condition for reconstruction becomes

[I] 

 

(i)

$\underset{k\in \left[b_1\right]}{max}{n}_k\ge {\tau }_2$,

(ii)

$n_k\ge 1$ for at least ${\tau }_1$ indices k.

[II] 

 

(i)

$\underset{j\in \left[b_2\right]}{max}{r}_j\ge {\tau }_1$,

(ii)

$r_j\ge 1$ for at least ${\tau }_2$ indices j.

Let $E_1$ be the event that condition [I] is satisfied and $E_2$ be the event that condition [II] is satisfied. Also, let $D\left(n_0\right)$ be the event that $n\ge n_0$. We find an $n_0$ such that $Pr\left[E_1\cup E_2|n\ge n_0\right]\approx 1$. This is equivalent to $Pr\left[E_1^c\cap E_2^c|n\ge n_0\right]\approx 0$. In fact, it is sufficient to show $Pr\left[E_1^c|n\ge n_0\right]\approx 0$ and $Pr\left[E_2^c|n\ge n_0\right]\approx 0$.

As $E_1=E_1\left(i\right)\cap E_1\left(ii\right)$, $E_1^c=E_1{\left(i\right)}^c\cup E_1{\left(ii\right)}^c$,

$$\begin{array}{c}Pr\left[E_1^c|n\ge n_0\right]=Pr\left[E_1{\left(i\right)}^c\cup E_1{\left(ii\right)}^c|n\ge n_0\right]\hfill \\ =Pr\left[E_1^{(}i\left)c\right|n\ge n_0\right]+Pr\left[E_1{\left(ii\right)}^c|n\ge n_0\right]-Pr\left[E_1{\left(i\right)}^c\cap E_1{\left(ii\right)}^c|n\ge n_0\right]\end{array}$$

Lemma 4. 

$Pr\left[E_1{\left(i\right)}^c\cap E_1{\left(ii\right)}^c|n\ge ({\tau }_1-1)({\tau }_2-1)+1\right]=0$.

Proof. 

We observe that $E_1{\left(i\right)}^c$ is the event $\underset{k\in \left[b_1\right]}{max}{n}_k<{\tau }_2$ and $E_1{\left(ii\right)}^c$ is the event that $n_k\ge 1$ for at most ${\tau }_1-1$ indices k. Thus, if there are $({\tau }_1-1)({\tau }_2-1)+1$ players in a collection, then by the pigeonhole principle, either $E_1{\left(i\right)}^c$ or $E_1{\left(ii\right)}^c$ is violated. □

Lemma 5. 

$Pr\left[E_1{\left(i\right)}^c|n\ge \left({\tau }_2-1\right)b_1+1\right]=0$.

Proof. 

We observe that $E_1{\left(i\right)}^c$ is the event $\underset{k\in \left[b_1\right]}{max}{n}_k<{\tau }_2$ and there are $b_1$$n_k$s. Thus, if there are $({\tau }_2-1)b_1+1$ players in a collection, then by the pigeonhole principle, $E_1{\left(i\right)}^c$ is violated, since there is at least one $n_k$ with ${\tau }_2$ or more players. □

Lemma 6. 

$Pr\left[E_1{\left(ii\right)}^c|n\ge \left({\tau }_1-1\right)b_2+1\right]=0$.

Proof. 

We observe that $E_1{\left(ii\right)}^c$ is the event that $n_k\ge 1$ for at most ${\tau }_1-1$ indices k. By definition, each $n_k$ can have at most $b_2$ elements. Thus, any collection of $({\tau }_1-1)b_2+1$ players violates $E_1{\left(ii\right)}^c$. □

Lemma 7. 

$Pr\left[E_2{\left(i\right)}^c\cap E_2{\left(ii\right)}^c|n\ge ({\tau }_1-1)({\tau }_2-1)+1\right]=0$.

Proof. 

We observe that $E_2{\left(i\right)}^c$ is the event $\underset{j\in \left[b_2\right]}{max}{r}_j<{\tau }_1$ and $E_2{\left(ii\right)}^c$ is the event that $r_j\ge 1$ for at most ${\tau }_2-1$ indices j. Thus, if there are $({\tau }_1-1)({\tau }_2-1)+1$ players in a collection, then by the pigeonhole principle, either $E_2{\left(i\right)}^c$ or $E_2{\left(ii\right)}^c$ is violated. □

Lemma 8. 

$Pr\left[E_2{\left(i\right)}^c|n\ge \left({\tau }_1-1\right)b_2+1\right]=0$.

Proof. 

We observe that $E_2{\left(i\right)}^c$ is the event $\underset{j\in \left[b_2\right]}{max}{r}_j<{\tau }_1$ and there are $b_2$$r_j$s. Thus, if there are $({\tau }_1-1)b_2+1$ players in a collection, then by the pigeonhole principle, $E_2{\left(i\right)}^c$ is violated, since there is at least one $r_j$ with ${\tau }_1$ or more players. □

Lemma 9. 

$Pr\left[E_2{\left(ii\right)}^c|n\ge \left({\tau }_2-1\right)b_1+1\right]=0$.

Proof. 

We observe that $E_2{\left(ii\right)}^c$ is the event that $r_j\ge 1$ for at most ${\tau }_2-1$ indices j. By definition, each $r_j$ can have at most $b_1$ elements. Thus, any collection of $({\tau }_2-1)b_1+1$ players violates $E_2{\left(ii\right)}^c$. □

For $n_0=max\{\left({\tau }_2-1\right)b_1+1,\left({\tau }_1-1\right)b_2+1\}$, Lemmas 4–6 imply $Pr\left[E_1^c|n\ge n_0\right]=0$ and $n_0=max\{\left({\tau }_2-1\right)b_1+1,\left({\tau }_1-1\right)b_2+1\}$, and Lemmas 7–9 imply $Pr\left[E_2^c|n\ge n_0\right]=0$.

Note that the bound given here for the reconstruction number is tight, as we might expect. In the example presented in Section 5, the bound turns out to be 5, which matches all the bounds above. Corresponding counterexamples can be constructed to show that no smaller-sized general collection can complete the reconstruction. This result can be generalized for three or more designs. These results provide us with the tools to present a generalized scheme, which we do now.

4.5. A Generalized Share Distribution Scheme

• Dealer selects n (not necessarily distinct) BIBDs ${\mathcal{A}}_1,{\mathcal{A}}_2,\dots ,{\mathcal{A}}_n$, where for $i\in \{1,2,\dots ,n\}$, ${\mathcal{A}}_i$ is defined over points $\{x_1^i,x_2^i,\dots ,x_{v_i}^i\}$.
• Dealer finds an integer $d_1$ such that $gcd(x_1^1+d_1,x_2^1+d_1,\dots ,x_{v_1}^1+d_1)=1$.
• For $i\in \{2,\dots ,n\}$:
  • Dealer finds an integer $d_i$ (using Lemmas 2 and 3) such that $d_i$ breaks all pairwise multiplicative collisions and makes the gcd of all elements $x_l^j+d_j$ ($j\in \{1,\dots ,i-1\},l\in \{1,\dots ,v_j\}$) and $x_1^i+d_i,x_2^i+d_i,\dots ,x_{v_i}^i+d_i$ is 1.
• M←${\mathcal{A}}_1\otimes {\mathcal{A}}_2\otimes \cdots \otimes {\mathcal{A}}_n$.
• Dealer distributes each row i of M as share to player $P_i$ and outputs $(d_1,d_2,\dots ,d_n)$ publicly.

Note that by Theorem 3, M is a tensor design, and the algorithm in the proof of the theorem can be generalized for secret reconstruction of this scheme.

5. Example

Recall the previous example (5). Using the algorithm in Section 4.5, we produce a tensor design $\mathcal{A}\otimes {\mathcal{B}}_{21}$ using an integer $d=21$ satisfying Lemma 3. Representing the share matrix modified from $\mathcal{B}$ by ${\mathcal{B}}_{21}$ (and noting that both share matrices are undeclared), with $r_1=r_2=3$:

$${\mathcal{B}}_{21}=\left(\begin{array}{ccc}22& 23& 24\\ 23& 24& 26\\ 24& 26& 22\\ 26& 22& 23\end{array}\right),$$

(7)

we still have $b_1=4$, $b_2=4$, $k_1=3$, and $k_2=3$. Observe that ${\tau }_1=2$ and ${\tau }_2=2$ are the reconstruction numbers of $\mathcal{A}$ and $\mathcal{B}$, respectively. The Krönecker product of the two matrices $\mathcal{A}$ and ${\mathcal{B}}_{21}$, represented by the matrix M, is shown in Figure 1.

5.1. Secret Reconstruction

The matrix $\mathcal{A}\otimes {\mathcal{B}}_{21}$ in the above example produces interesting results.

• A collection of three players—exactly two from one of the sets $T_1,T_2.T_3,T_4$ and one from another—allows reconstruction of the secret. For example, consider the set of three players $\{P_1,P_2,P_5\}$. This set can reconstruct the secret:

  (i)

  $gcd(22,23,24,23,24,26)=1$; hence, the first row of $M_{\mathcal{A}}$ is $\left(123\right)$ and the first two rows of $M_{\mathcal{B}}$ are $\left(222324\right)$ and $\left(232426\right)$. As ${\tau }_2=2$, $M_{\mathcal{B}}$ can be obtained from its two rows.

  (ii)

  Now, observing $5=4·1+1$, we readily know $P_5$ uses the first row of $M_{\mathcal{B}}$ and the second row of $M_{\mathcal{A}}$; this yields the second row of $M_{\mathcal{A}}$, $\left(214\right)$. Since ${\tau }_1=2$ and we have two rows of $M_{\mathcal{A}}$, the whole matrix $M_{\mathcal{A}}$ is known.

• Any collection of three players—two from one of the sets $S_1,S_2,S_3,S_4$ and one from another—also allows reconstruction of the secret.
• Reconstruction of the secret is ensured for a collection of five or more players.

This idea can be generalized to a secret reconstruction algorithm in the general case.

6. Share Repair for a Krönecker Product-Induced Distribution Design

Let $\mathcal{A}$ and $\mathcal{B}$ be $(v_1,k_1,1)$- and $(v_2,k_2,1)$-BIBDs with $b_1$ and $b_2$ blocks, and replication numbers $r_1$ and $r_2$, respectively. Consider player $P_1$, whose share is the first block (i.e., row) of $\mathcal{A}\otimes \mathcal{B}$. Thus,

$$\begin{array}{c}\mathrm{share} \mathrm{of} P_1={\mathfrak{a}}_{11}{\mathfrak{b}}_{11}{\mathfrak{a}}_{11}{\mathfrak{b}}_{12}\cdots {\mathfrak{a}}_{11}{\mathfrak{b}}_{1k_2}|{\mathfrak{a}}_{12}{\mathfrak{b}}_{11}{\mathfrak{a}}_{12}{\mathfrak{b}}_{12}\cdots {\mathfrak{a}}_{12}{\mathfrak{b}}_{1k_2}|\cdots \hfill \\ \cdots |{\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{11}{\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{12}\cdots {\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{1k_2}=L_1|L_2|\cdots |L_{k_1}.\end{array}$$

Using the notations and method described in [8] (and making the same assumption that any player is available with a fixed probability p), the probability of availability of at least one repair set is

$$R\left(p\right)={\left(1-{\left(1-p\right)}^{r_1{r}_2}\right)}^{k_1{k}_2}.$$

(8)

$$\begin{array}{c}\mathrm{We} \mathrm{improve} \mathrm{this} \mathrm{method} \mathrm{significantly}. \mathrm{For} \mathrm{this}, \mathrm{observe} \mathrm{that} \mathrm{each} \mathrm{block} L_k\hfill \\ (k\in \{1,2,\dots , k_1\})(\mathrm{possibly} \mathrm{with} \mathrm{a} \mathrm{different} \mathrm{factor} {\mathfrak{a}}_{mi} \mathrm{for}\mathrm{some} m\in \{1,2,\dots \\ \hfill \dots , b_1\},i\in \{1,2,\dots , k_1\}, \mathrm{from} \mathcal{A}) \mathrm{occurs} \mathrm{in} \mathrm{the} \mathrm{shares} \mathrm{of} r_1-1 \mathrm{players} \mathrm{other} \mathrm{than} P_1.\end{array}$$

(9)

Furthermore, the share of $P_1$ can also be characterized as

$${\mathfrak{a}}_{11}{\mathfrak{b}}_{11}{\mathfrak{a}}_{11}{\mathfrak{b}}_{12}\cdots {\mathfrak{a}}_{11}{\mathfrak{b}}_{1k_2}|{\mathfrak{a}}_{12}{\mathfrak{b}}_{11}\cdots {\mathfrak{a}}_{12}{\mathfrak{b}}_{1k_2}|\cdots \cdots |{\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{11}\cdots {\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{1k_2};$$

$$\begin{array}{ccc}\hfill K_1& \hspace{1em}:=\hspace{1em}& {\mathfrak{a}}_{11}{\mathfrak{b}}_{11}{\mathfrak{a}}_{12}{\mathfrak{b}}_{11}\cdots {\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{11},\hfill \\ \hfill K_2& \hspace{1em}:=\hspace{1em}& {\mathfrak{a}}_{11}{\mathfrak{b}}_{12}{\mathfrak{a}}_{12}{\mathfrak{b}}_{12}\cdots {\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{12},\hfill \\ & ⋮& \\ \hfill K_{k_2}& \hspace{1em}:=\hspace{1em}& {\mathfrak{a}}_{11}{\mathfrak{b}}_{1k_2}{\mathfrak{a}}_{12}{\mathfrak{b}}_{1k_2}\cdots {\mathfrak{a}}_{1k_1}{\mathfrak{b}}_{1k_2}.\hfill \end{array}$$

$$\begin{array}{c}\mathrm{It} \mathrm{is} \mathrm{thus} \mathrm{clear} \mathrm{that} \mathrm{each} K_j(j\in \{1,2,\dots ,k_2\}) (\mathrm{possibly} \mathrm{with} \mathrm{a} \mathrm{different}\hfill \\ \hspace{1em}\mathrm{factor} {\mathfrak{b}}_{lj} \mathrm{for} \mathrm{some} l\in \{1,2,\dots ,b_2\}, \mathrm{from} \mathcal{B}) \mathrm{occurs} \mathrm{in} \mathrm{the} \mathrm{shares} \mathrm{of} r_2-1\\ \hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em} \mathrm{players} \mathrm{other} \mathrm{than} P_1.\end{array}$$

(10)

Let us assume that we have $t_1$ players of type (9) and $t_2$ players of type (10). Then

$$R_{(t_1,t_2)}^{*}\left(p\right)=R_{t_1}^{*}\left(p\right)R_{t_2}^{*}\left(p\right)R_{\delta }^{*}\left(p\right),$$

(11)

where

(i)

$t_1$ are selected from type (9);

(ii)

$t_2$ are selected from type (10);

(iii)

$\delta k_1{k}_2-t_1{k}_1-t_2(k_2-t_1)$ are selected independently, and

$$\begin{array}{ccc}\hfill R_{t_1}^{*}\left(p\right)& =& {\left(1-{(1-p)}^{r_1-1}\right)}^{t_1}\hfill \\ \hfill R_{t_2}^{*}\left(p\right)& =& {\left(1-{(1-p)}^{r_2-1}\right)}^{t_2}\hfill \\ \hfill R_{\delta }^{*}\left(p\right)& =& {\left(1-{(1-p)}^{(r_1-1)(r_2-1)}\right)}^{\delta }.\hfill \end{array}$$

Observe that $\delta =(k_1-t_2)(k_2-t_1)$. Therefore, the probability of at least one repair set being available in this case is

$$R^{*}\left(p\right)=\sum _{t_1,t_2}{R}_{t_1}^{*}\left(p\right)R_{t_2}^{*}\left(p\right)R_{\delta }^{*}\left(p\right).$$

Let $E^{*}\left(p\right)$ be the expected number of minimal repair sets. In general, this expected number is the product of the total number of possible repair sets and the probability of availability of each repair set. Ref. [8] sets $E\left(p\right)={\left(r_1{r}_2\right)}^{k_1{k}_2}$. We denote by $C(t_1,t_2)$, the number of partitions of a set of size $k_1{k}_2$ into three sets of sizes $t_1$, $t_2$ and $k_1{k}_2-t_1-t_2$. By an argument similar to the previous,

$$\begin{array}{ccc}\hfill E_{t_1}^{*}\left(p\right)& =& {(r_1-1)}^{t_1}{p}^{t_1},\hfill \\ \hfill E_{t_2}^{*}\left(p\right)& =& {(r_2-1)}^{t_2}{p}^{t_2}, \mathrm{and}\hfill \\ \hfill E_{\delta }^{*}\left(p\right)& =& {\left[(r_1-1)(r_2-1)\right]}^{\delta }{p}^{\delta }, \mathrm{so} \mathrm{that}\hfill \\ \hfill E_{(t_1,t_2)}^{*}\left(p\right)& =& C(t_1,t_2)E_{t_1}^{*}\left(p\right)E_{t_2}^{*}\left(p\right)E_{\delta }^{*}\left(p\right).\hfill \\ \hfill \mathrm{Hence}, E^{*}\left(p\right)& =& \sum _{t_1,t_2}C(t_1,t_2)E_{t_1}^{*}\left(p\right)E_{t_2}^{*}\left(p\right)E_{\delta }^{*}\left(p\right).\hfill \end{array}$$

Table 1. A comparison table showing probability of share repairability on three projective planes.

$\mathcal{A}$	$\mathcal{B}$	$\mathit{R}\mathbf{\left(}\mathit{p}\mathbf{\right)}$	${\mathit{R}}^{\mathbf{*}}\mathbf{\left(}\mathit{p}\mathbf{\right)}$
$(3,2,1)$	$(3,2,1)$	${(1-q^3)}^4$	$>{(1-q)}^4+\dots$
$(3,2,1)$	$(7,3,1)$	${(1-q^5)}^6$	$>{(1-q^2)}^6+\dots$
$(7,3,1)$	$(7,3,1)$	${(1-q^8)}^9$	$>{(1-q^4)}^9+\dots$

shows a comparison of share repair probability on three projective plains for two different methods.

7. Frameproofness

Consider matrix representations of two BIBDs $\mathcal{A}={\left({\mathfrak{a}}_{ij}\right)}_{\begin{array}{c}i\in \{1,\dots ,b_1\}\\ j\in \{1,\dots ,k_1\}\end{array}}$ and $\mathcal{B}={\left({\mathfrak{b}}_{ij}\right)}_{\begin{array}{c}i\in \{1,\dots ,b_2\}\\ j\in \{1,\dots ,k_2\}\end{array}}$, and their Krönecker product as depicted in Equation (4). We show here how the share of a player, say $P_1$, can be retrieved (i.e., player $P_1$ can be framed; see [10] for more details) by only two other players. For clarity, we mention here that the share of $P_1$ is

${\mathfrak{a}}_{11}{\mathfrak{b}}_{11},{\mathfrak{a}}_{11}{\mathfrak{b}}_{12},\dots ,{\mathfrak{a}}_{12}{\mathfrak{b}}_{11},{\mathfrak{a}}_{12}{\mathfrak{b}}_{12},\dots ,{\mathfrak{a}}_{13}{\mathfrak{b}}_{11},\dots$.

• There exist $(b_2-1)+(r_1-1)·b_2$ players that possess the element ${\mathfrak{a}}_{11}{\mathfrak{b}}_{ij}$ for some $i\in \{1,2,\dots ,b_2\}$ and $j\in \{1,2,\dots ,k_2\}$, since $r_1$ is the replication number of $\mathcal{A}$. Of these, $(r_1-1)·1$ players possess the first $k_2$ elements of the share, i.e., ${\mathfrak{a}}_{11}{\mathfrak{b}}_{11}{\mathfrak{a}}_{11}{\mathfrak{b}}_{12}\dots {\mathfrak{a}}_{11}{\mathfrak{b}}_{1k_2}$. If any of these players know the ratios $\frac{{\mathfrak{a}}_{12}}{{\mathfrak{a}}_{11}},\frac{{\mathfrak{a}}_{13}}{{\mathfrak{a}}_{11}},\dots$, then they could construct the entire share of $P_1$.
• Note that for $j\ne 1$, any of the $b_2-1$ players with shares

  $$\begin{array}{ccc}\hfill {\mathfrak{a}}_{11}{\mathcal{B}}_2\left|{\mathfrak{a}}_{12}{\mathcal{B}}_2\right|& \dots & |{\mathfrak{a}}_{1k_1}{\mathcal{B}}_2,\hfill \\ \hfill {\mathfrak{a}}_{11}{\mathcal{B}}_3\left|{\mathfrak{a}}_{12}{\mathcal{B}}_3\right|& \dots & |{\mathfrak{a}}_{1k_1}{\mathcal{B}}_3,\hfill \\ & ⋮& \\ \hfill {\mathfrak{a}}_{11}{\mathcal{B}}_{b_2}\left|{\mathfrak{a}}_{12}{\mathcal{B}}_{b_2}\right|& \dots & |{\mathfrak{a}}_{1k_1}{\mathcal{B}}_{b_2}\hfill \end{array}$$

  know these ratios.

Therefore, only two players—one from the $r_1-1$ players possessing ${\mathfrak{a}}_{11}{\mathfrak{b}}_{11}$ and one from the $b_2-1$ players possessing $\frac{{\mathfrak{a}}_{12}}{{\mathfrak{a}}_{11}},\frac{{\mathfrak{a}}_{13}}{{\mathfrak{a}}_{11}},\dots$—can reconstruct the entire share of player $P_1$, and hence, frame this player.

We try to address this problem by reducing the repetitive nature of shares of the participants. We shall do this by decreasing the size of each share, while retaining all the information that a player had in the previous construction (i.e., Equation (4)).

7.1. A Modified Scheme

Given two matrices $\mathcal{A}$ and $\mathcal{B}$ of the same dimension $r\times c$, we define the operation $\mathcal{A}\odot \mathcal{B}$ as the $r\times c$ matrix generated by position-wise products of elements of $\mathcal{A}$ and $\mathcal{B}$, i.e., if $\mathcal{A}=\left(\begin{array}{cccc}{\mathfrak{a}}_{11}& {\mathfrak{a}}_{12}& \cdots & {\mathfrak{a}}_{1c}\\ ⋮\\ {\mathfrak{a}}_{r1}& {\mathfrak{a}}_{r2}& \cdots & {\mathfrak{a}}_{rc}\end{array}\right)$ and $\mathcal{B}=\left(\begin{array}{cccc}{\mathfrak{b}}_{11}& {\mathfrak{b}}_{12}& \cdots & {\mathfrak{b}}_{1c}\\ ⋮\\ {\mathfrak{b}}_{r1}& {\mathfrak{b}}_{r2}& \cdots & {\mathfrak{b}}_{rc}\end{array}\right)$, then

$$\mathcal{A}\odot \mathcal{B}=\left(\begin{array}{cccc}{\mathfrak{a}}_{11}{\mathfrak{b}}_{11}& {\mathfrak{a}}_{12}{\mathfrak{b}}_{12}& \cdots & {\mathfrak{a}}_{1c}{\mathfrak{b}}_{1c}\\ ⋮\\ {\mathfrak{a}}_{r1}{\mathfrak{b}}_{r1}& {\mathfrak{a}}_{r2}{\mathfrak{b}}_{r2}& \cdots & {\mathfrak{a}}_{rc}{\mathfrak{b}}_{rc}\end{array}\right).$$

The operator ⊙ is well-behaved in the sense that it is commutative and respects scalar multiplication on integer-valued matrices.

Let $\pi :\{1,2,\dots ,b\}\to \{1,2,\dots ,b\}$ be a permutation. Given $i\in \{1,2,\dots ,b\}$ and $\pi \left(i\right)=j$, we define $\tilde{\pi }:\{1,2,\dots ,b\}\to \{1,2,\dots ,k\}$ as $\tilde{\pi }\left(i\right)=j(modk)$, for any integer $k\le b$. Now given BIBDs ${\mathcal{A}}_{b_1\times k_1}$ and ${\mathcal{B}}_{b_2\times k_2}$, we modify their Krönecker product by first choosing a permutation ${\pi }_1$ randomly from the set of all permutations over $\{1,2,\dots ,b_2\}$ and producing ${\tilde{\pi }}_1$. Then we produce ${\tilde{\pi }}_2$, ${\tilde{\pi }}_3$, …, ${\tilde{\pi }}_{k_1}$ by simple translations.

Next, we represent application of the function ${\tilde{\pi }}_l$ to the $m\mathrm{th}$ block matrix (of size $b_2\times k_2$) of block-row t in $\mathcal{A}\otimes \mathcal{B}$ by ${\theta }_{mt}=l$, and define matrix $N_{b_1{b}_2\times k_1{k}_2}=\left(n_{ij}\right)$ divided into blocks of size $b_2\times k_2$ similarly as $\mathcal{A}\otimes \mathcal{B}$ such that

$$\left\{\begin{array}{cc}{n}_{ij}=1\hfill & \mathrm{if} {\tilde{\pi }}_l\left(i\right)=j\hfill \\ n_{ij}=0\hfill & \mathrm{if} \mathrm{otherwise}\hfill \end{array}\right.,$$

where $n_{ij}$ is the element in the $i\mathrm{th}$ row and $j\mathrm{th}$ column of the $(m,t)\mathrm{th}$ block matrix of M. Finally, the $i\mathrm{th}$ row of matrix $\left(\mathcal{A}\otimes \mathcal{B}\right)\odot N$ produces the share of player $P_i$ ($i\in \{1,2,\dots ,b_1{b}_2\}$) by omitting the zeroes.

7.2. Example

Consider another example, where a $2-(4,3,2)$-BIBD and a $2-(5,4,3)$-BIBD over the points $\{1,2,3,4\}$ and $\{22,23,24,25,26\}$ are represented by matrices $\mathcal{A}$ and $\mathcal{B}$, respectively (note that $r_1=3,r_2=4$):

$$\mathcal{A}=\left(\begin{array}{ccc}1& 2& 3\\ 2& 3& 4\\ 3& 4& 1\\ 4& 1& 2\end{array}\right),\mathrm{and}{M}_{\mathcal{B}}=\left(\begin{array}{cccc}22& 23& 24& 25\\ 23& 24& 25& 26\\ 24& 25& 26& 22\\ 25& 26& 22& 23\\ 26& 22& 23& 24\end{array}\right).$$

(12)

Then $b_1=4$, $b_2=5$, $k_1=3$ and $k_2=4$; ${\tau }_1=2$ and ${\tau }_2=2$ are the reconstruction numbers of $\mathcal{A}$ and $\mathcal{B}$, respectively.

Modifying the matrix in Figure 2, as shown in Figure 3 and Figure 4, we obtain a scheme for which it is no longer possible to reconstruct the secret of the scheme in Figure 4 from just two players (as was possible in the example in Section 5). In fact, the proceeding section provides an algorithm for secret reconstruction from this scheme using ${\tau }_1+{\tau }_2$ players.

7.3. Secret Reconstruction for the Modified Scheme

• Choose a player $P_i^m$ (which is the $i\mathrm{th}$ player in the $m\mathrm{th}$ row-block of $\mathcal{A}\otimes \mathcal{B}$, or the $\left((m-1)b_2+i\right)\mathrm{th}$ player from the top), for any $m\in \{1,2,\dots ,b_1\}$ and $i\in \{1,2,\dots ,b_2\}$.
• Consider elements $a_{mt}{b}_{ij}$ in the share of player $P_i^m$, i.e., ${\theta }_{mt}=l$ and ${\tilde{\pi }}^l\left(i\right)=j$. For such an element $a_{mt}{b}_{ij}$, set $y=b_{ij}$ (note that the value $y\in \{y_1,y_2,\dots ,y_{v_2}\}$ is not known, but the positions at which the matrix $\mathcal{B}$ contains elements $b_{\widehat{i}\widehat{j}}=y$ is known).
• Construct set ${\mathcal{S}}_y\left\{\widehat{l}:\left({\tilde{\pi }}^{\widehat{l}}\left(\widehat{i}\right)=\widehat{j}\right)\wedge \left(b_{\widehat{i}\widehat{j}}=y\right)\right\}$. By Theorem 6, for a maximal set ${\mathcal{S}}_y$ (if not, then another value y may be chosen by selecting a different element $a_{m^{\prime }{t}^{\prime }}{b}_{i^{\prime }{j}^{\prime }}$) the set

  $$\begin{array}{ccc}\hfill \{a_{\widehat{m}\widehat{t}}& :& a_{\widehat{m}\widehat{t}}{b}_{\widehat{i}\widehat{j}}\in \mathrm{the} \mathrm{share} \mathrm{of} \mathrm{player}{P}_{\widehat{i}}^{\widehat{m}}\mathrm{such} \mathrm{that} b_{\widehat{i}\widehat{j}}=y\}\hfill \\ & =& \{x_1,x_2,\dots ,x_{v_1}\}\hfill \end{array}$$

  is the set of all values in $\mathcal{A}$.
• Construct matrix $\mathcal{A}$, since the positions of all values $x_1,x_2,\dots ,x_{v_1}$ in this matrix are now known.
• Compute $b_{i^{\prime }{j}^{\prime }}$ for $a_{m^{\prime }{t}^{\prime }}{b}_{i^{\prime }{j}^{\prime }}$∈ share of player $P_{i^{\prime }}^{m^{\prime }}$ using the known values $a_{m^{\prime }{t}^{\prime }}$ until all values $y_1,y_2,\dots ,y_{v_2}$ are known.
• Construct matrix $\mathcal{B}$, since the positions of all values $y_1,y_2,\dots ,y_{v_2}$ in this matrix are now known.
• Compute $\mathcal{A}\otimes \mathcal{B}$ from the two known matrices.

Thus, framing any player is not possible for just two other participants, and requires a much larger coalition.

8. Graphical Representation and Proof of Existence of Permutations

Matching in Bipartite Graphs

Given an undirected graph $\mathcal{G}$, a matching of $\mathcal{G}$ is a subgraph $\mathcal{M}$ containing all vertices of $\mathcal{G}$ such that each vertex in $\mathcal{M}$ has either 0 or 1 edge incident to it. $\mathcal{M}$ is a maximal matching of $\mathcal{G}$ if it is not a subgraph of any other matching of $\mathcal{G}$. Thus, adding even one more edge to a maximal matching $\mathcal{M}$ ensures that it is no longer a matching. The number of edges in a maximal matching of $\mathcal{G}$ is called the matching number of $\mathcal{G}$.

A perfect matching $\mathcal{M}$ of $\mathcal{G}$ is such that each vertex of $\mathcal{M}$ has an edge incident to it. Furthermore, a vertex cover of a graph $\mathcal{G}$ is a subgraph containing all edges of $\mathcal{G}$ such that every edge is incident to at least one vertex in the subgraph, and an edge cover of a graph $\mathcal{G}$ is a subgraph containing all vertices of $\mathcal{G}$ such that every vertex has at least one edge incident to it. Thus, if $\mathcal{G}$ has no isolated vertices, then the sum of the number of vertices in its minimal vertex cover and the number of edges in its minimal edge cover equals the total number of its vertices.

If the vertex set $\mathcal{V}$ of a graph $\mathcal{G}$ can be partitioned into two disjoint subsets as $\mathcal{V}=\mathcal{A}\bigsqcup \mathcal{B}$ such that any edge from a vertex in $\mathcal{A}$ can only be incident to a vertex in $\mathcal{B}$ and vice versa, then $\mathcal{G}$ is called a bipartite graph. Let us recall some interesting results on matching in bipartite graphs.

Theorem 4 

(König, [12]). In any bipartite graph, the number of edges in a maximum matching equals the number of vertices in a minimum vertex cover.

Theorem 5 

(Hall, [13]). Given a bipartite graph $\mathcal{G}=\left(\mathcal{V},\mathcal{E}\right)$ with $\mathcal{V}=\mathbf{A}\bigsqcup \mathbf{B}$, $\mathcal{G}$ has a matching of size $\left|\mathbf{A}\right|$ if and only if for every $S\subseteq \mathbf{A}$ we have $\left|N\right(S\left)\right|\ge \left|S\right|$, where $N\left(S\right)=\{b\in \mathbf{B}:\exists a\in Swith(a,b)\in \mathcal{E}\}$.

Figure 5 shows a bipartite graph for the tensor design.

Definition 3. 

A bipartite graph $\mathcal{G}=\left(\mathcal{V},\mathcal{E}\right)$ is said to induce a tensor design $\mathcal{B}$ if

• the vertex set $\mathcal{V}=\mathbf{P}\bigsqcup \mathbf{V}$ the disjoint union of the set of players $\mathbf{P}=\{P_1,\dots ,P_b\}$ and the set of points $\mathbf{V}=\{x_1,\dots ,x_v\}$ of $\mathcal{B}$;
• the edge set is the collection ${\bigcup }_{\begin{array}{c}i\in \left[b\right]\\ j\in \left[v\right]\end{array}}\{(P_i,x_j):x_j\in share of P_i\}$.

Theorem 6. 

Given a bipartite graph $\mathcal{G}$ inducing a tensor design $\mathcal{B}$, and given subsets $\delta \left(P_i\right)\subseteq N\left(P_i\right)$ of size s,

(i) 

If ${\bigcup }_{i\in \left[b\right]}\delta \left(P_i\right)=\mathbf{V}$, then reconstruction of the modified scheme ${(\mathcal{A}\otimes \mathcal{B})}_{\mathrm{modified}}$ is possible.

(ii) 

If $s\ge 1$, then (i) holds.

Proof. 

Assuming the usual notations for a tensor design, it is clear that in $\mathcal{G}$,

$$\begin{array}{c}\hfill |N\left(x_j\right)|=r\forall x_j\in \mathbf{V}\\ \hfill \left|N\right(P_{i_1}\cap P_{i_2}\left)\right|=\lambda \end{array}$$

(13)

From Equation (13) and the inclusion-exclusion principle,

$$|N\left(\{x_{i_1},\dots ,x_{i_m}\}\right)|\ge m(r-\lambda )$$

Since $r\ge \lambda$, Hall’s theorem (Theorem 5) implies $\mathcal{G}$ has a matching of size v, i.e., ${\bigcup }_{i\in \left[b\right]}\delta \left(P_i\right)=\mathbf{V}$. Thus, (i) holds by the reconstruction algorithm in Section 7.3. Now choose $\delta \left(P_i\right)$ such that each subset contains at least one point matched with $P_i$ in this matching, so that (ii) holds. This proves the theorem. □

9. Secret Sharing Schemes and the Internet of Things

Secret sharing schemes can be used to distribute the security key amongst numerous devices in an IoT system, ensuring that no single device has access to the entire key. They are also lightweight and require less computational power compared to other cryptographic elements. Additionally, their ability to detect and prevent attacks that attempt to modify or delete parts of the secret is particularly important in IoT applications where security is critical.

For example, in a healthcare IoT system, the security of patient data is of utmost importance. Secret sharing schemes can be used to distribute the patient data amongst multiple devices, ensuring that no single device has access to the entire data. Ref. [14] proposes an AI heuristic decision algorithm, utilizing a best-first search (BFS) approach. It effectively balances energy load and reduces communication overhead in smart healthcare technologies. The utilization of homomorphic secret sharing in IoT-based e-health applications provides various advantages in terms of privacy and security. It securely distributes secret pairs among medical nodes, ensuring the confidentiality of sensitive health data during transmission and storage within the network. This is achieved by encrypting data through homomorphic secret sharing, thereby preventing unauthorized access to medical data. Access to medical records is limited to authorized entities possessing the necessary secret keys to decrypt and utilize the shared data. Thus, the incorporation of homomorphic secret sharing adds an extra layer of protection against unauthorized modifications or alterations to medical records. A generalization of this scheme to multiple levels—possibly to combine data between different hospitals or chains of healthcare providers, different states within a country, or even different countries—can be easily achieved through the Krönecker product of the individual schemes used by each hospital system. The fields on which these schemes are based provide a perfect foundation for the homomorphism, which can be easily maintained by the integer ring over which the Krönecker product is then defined.

A frameproof tensor product of multiple distribution designs can be distinctly useful for lightweight IoT applications, as it allows for a multi-level or multi-system secret sharing scheme IoT implementation in a secure and efficient manner, while detecting and preventing any attempt to modify or delete parts of the secret data. This approach ensures that even if some levels are compromised, the overall security of the system(s) remains intact.

The wide range of applicability of our generalizations can be further seen in, say, the management of massive data, such as [15], which proposes a non-interactive approach for IoT data aggregation that utilizes additive secret sharing, addressing numerous challenges including privacy concerns, security risks, high communication overhead, and user interaction. The additive secret sharing effectively masks the original data, preventing malicious analysis by the servers. The scheme also supports offline mobile users, maintains privacy, and provides efficient algorithms for result verification. However, ref. [15] only splits the secret between two servers at a time. A frameproof tensor product can be smoothly applied in this context for connecting a large number of such systems, due to the underlying fields over which the secrets are split between servers in individual systems, as well as the generalized integer ring over which the tensor product is then defined.

Figure 6 shows an application of tensor design in multi-system IoT.

10. Conclusions and Future Work

In this paper, we have first generalized the concept of combinatorial RTS and then improved our secret sharing scheme by producing a frameproof one. We believe our results can be extended further to an arbitrary number of distribution designs. We also believe that the Krönecker product of BIBDs can be generalized to t-designs, and all corresponding results will hold for these. Furthermore, a frameproof modification for the generalized scheme also remains an open problem.

Furthermore, we have discussed the extensive scope of applicability for our proposed scheme in a diverse array of IoT contexts. A fascinating avenue for further investigation entails the examination of specific instances of these applications.