On Cheating Immune Secret Sharing

The paper addresses the cheating prevention in secret sharing. We consider secret sharing with binary shares. The secret also is binary. This model allows us to use results and constructions from the well developed theory of cryptographically strong boolean functions. In particular, we prove that for given secret sharing, the average cheating probability over all cheating vectors and all original vectors, i.e., $\frac{1}{n} \cdot 2^{-n} \sum_{c=1}^{n} \sum_{\alpha \in V_n} \rho_{c,\alpha}$, denoted by $\rho$, satisfies $\rho \ge \frac{1}{2}$, and the equality holds if and only if $\rho_{c,\alpha}$ satisfies $\rho_{c,\alpha} = \frac{1}{2}$ for every cheating vector $\delta_c$ and every original vector $\alpha$. In this case the secret sharing is said to be cheating immune. We further establish a relationship between cheating-immune secret sharing and cryptographic criteria of boolean functions. This enables us to construct cheating-immune secret sharing.


Introduction
Since its invention in 1978 by Blakley (Bla79) and Shamir (Sha79), secret sharing has evolved dramatically. Initially, it was designed to facilitate a distributed storage for a secret in an unreliable or insecure environment. Later, however, secret sharing has been incorporated into public key cryptography giving rise to the well-known concept of group or society oriented cryptography (see (Des88)). Now secret sharing is one of the basic cryptographic tools with variety of very interesting schemes based on algebraic or geometric structures.
Tompa and Woll (TW88) observed that Shamir secret sharing can be subject to cheating by dishonest participants who, at the recovery stage, may submit invalid shares to the combiner. Clearly, the combiner reconstructs an invalid secret and passes it to currently active participants. The honest participants are left with the invalid secret while the cheaters are able to recover the valid secret from the invalid one. This observation is true for all linear secret sharing. The cheating attack can also be extended for geometrical secret sharing.
Cheating prevention can be considered in the context of conditionally and unconditionally secure secret sharing. We focus our attention on unconditionally secure secret sharing. In this setting, cheating can be thwarted by
• share verification by the combiner - all invalid shares are identified and discarded. The key recovery goes ahead only if there are enough valid shares to recover the valid secret (see (Car95; CSV93; RBO89)),
• discouraging cheaters from sending invalid shares to the combiner - this argument works if the cheater gains no advantage over honest participants. In other words, sending an invalid share will result in recovery of an invalid secret which gives no clues to the cheater as to the value of the valid secret. This paper investigates this case of cheater prevention.

1365-8050 © 2004 Discrete Mathematics and Theoretical Computer Science (DMTCS), Nancy, France
We intend to consider a class of secret sharing for which a cheating participant is no better off than a participant who tries simply to guess a secret. Ideally, the probability of successful cheating should be equal to the probability of guessing the secret by a participant. To make our considerations explicit, we assume that secret and shares are binary. For this case we prove that there is a secret sharing, further in the work called cheating immune, that gives no advantage to a cheater making it, in a sense, immune against cheating. The cheating immunity was considered in (PZ01) and this paper continues this line of the study by investigating the connection between secret sharing and cryptographically strong boolean functions.
The work is structured as follows. Section 2 introduces secret sharing in terms of its notions and notations. Section 3 gives necessary background for boolean functions. In Section 4, we describe a model which is further used to characterise cheating in secret sharing. The main results are given in Section 5. Section 6 explores the problem of constructing cheating-immune secret sharing. Section 7 concludes the work.

Background
Secret sharing allows a group of participants $P = \{P_1, \ldots, P_n\}$ to collectively hold a secret $K \in \mathcal{K}$, where $\mathcal{K}$ is a set of elements from which the secret is drawn. Secret sharing is created by a trusted algorithm called a dealer who for a given secret, generates a collection of shares $s_i \in S$, where $S$ is a set of shares.
Note that $s_i$ is given to $P_i$, $i = 1, \ldots, n$. The collective ownership of the secret is defined by the access structure of secret sharing. The access structure $\Gamma$ is a collection of subgroups of $P$ that are authorised to recover the secret.
An authorised group of participants $A \in \Gamma$ is able to reconstruct the secret by invoking a trusted algorithm called combiner. The combiner always returns the valid secret if the group $A$ submits their valid shares. If the group, however, is too small, i.e. $A \notin \Gamma$, then the algorithm returns a value which is not the valid secret (with an overwhelming probability).
In this work, we describe a secret sharing by a set of distribution rules (Sti95), where a distribution rule is a function $f : P \to S$ that represents possible distribution of shares to the participants. In other words, secret sharing is a set where $F_K$ is a distribution rule corresponding to the secret $K$. Equivalently, $F$ can be presented in the form of distribution table $T$. The table has $(n + 1)$ columns - the first one includes secrets and the other $n$ ones list shares assigned to participants $(P_1, \ldots, P_n)$, respectively. Each row of the distribution table specifies the secret for a collection of shares held by $P$. Note that $F_K$ can be seen as a part of the distribution table with rows whose first entry is $K$. This table is denoted by $T_K$.
Most practical secret sharing schemes are linear and therefore subject to an attack observed by Tompa and Woll (TW88). The attack permits a dishonest participant, who at the pooling stage submits an invalid share, to recover the valid secret from an invalid one returned by the combiner.
An affine function $f$ on $V_n$ is a function that takes the form of $f(x_1, \ldots,$ , where $\oplus$ denotes the addition in $GF(2)$, $a_j, c \in GF(2)$, $j = 1, 2, \ldots, n$. The function $f$ is called a linear function if $c = 0$. It is easy to verify that any nonzero affine function is balanced. Let $\langle \cdot , \cdot \rangle$ denote the scalar product of two vectors. There precisely exist $2^n$ linear functions on $V_n$. We can denote all the $2^n$ linear functions by $\varphi_0, \varphi_1, \ldots, \varphi_{2^n - 1}$, where $\varphi_j(x) = \langle \alpha_j, x \rangle$.
The Hamming weight of a vector $\alpha \in V_n$, denoted by $HW(\alpha)$, is the number of nonzero coordinates of $\alpha$. The Hamming weight of a function $f$, denoted by $HW(f)$, is the number of nonzero terms in the truth table of $f$.
The nonlinearity of a function $f$ on $V_n$, denoted by $N_f$, is the minimal Hamming distance between $f$ and all affine functions on $V_n$, i.e., where $\psi_1, \psi_2, \ldots, \psi_{2^{n+1}}$ are all the affine functions on $V_n$. High nonlinearity can be used to resist a linear attack. We know that $N_f \le 2^{n-1} - 2^{\frac{1}{2}n - 1}$ (MS78).
Let $f$ be a function on $V_n$. We say that $f$ satisfies the propagation criterion with respect to $\alpha$ if $f(x) \oplus f(x \oplus \alpha)$ is a balanced function, where $x = (x_1, \ldots, x_n) \in V_n$ and $\alpha = (a_1, \ldots, a_n) \in V_n$. Furthermore $f$ is said to satisfy the propagation criterion of degree $k$ if it satisfies the propagation criterion with respect to every nonzero vector $\alpha$ whose Hamming weight is not larger than $k$ (PLL+91). The propagation properties were employed in selecting the S-boxes used in the cipher, which contributed to the strength of the cipher against various attacks including differential (BS91) and linear (Mat94) attacks. Note that the strict avalanche criterion (SAC) (WT86) is the same as the propagation criterion of degree one.
The concept of correlation immune functions was introduced by Siegenthaler (Sie84). Xiao and Massey gave an equivalent definition (CCCS91; XM88). A function where $f(x)$ and $\langle \beta, x \rangle$ are regarded as real-valued functions. Correlation immune functions are used in the design of running-key generators in stream ciphers to resist a correlation attack. A balanced $k$th-order correlation immune function is also called a $k$-resilient function. Due to Lemma 3 of (ZZ97), we can give a $k$-resilient function an equivalent definition: a function $f$ is said to be $k$-resilient if $f$ satisfies the property: for every subset $\{j_1, \ldots, j_k\}$ of $\{1, \ldots, n\}$ and every $(a_1, \ldots,$
A special class of functions is called bent. There exist equivalent definitions of bent functions (Rot76). For example, a function $f$ on $V_n$ is said to be bent if and only if $f$ satisfies the propagation criterion with respect to every nonzero vector in $V_n$. The sum of any bent function on $V_n$ and any affine function on $V_n$ is bent. Bent functions are not balanced and bent functions on $V_n$ exist only when $n$ is even. Furthermore, it is well known that any bent function $f$ on $V_n$ achieves the maximum nonlinearity, i.e., $N_f = 2^{n-1} - 2^{\frac{1}{2}n - 1}$.

Model of Cheating
Given $(n, n)$ threshold secret sharing defined by its distribution table $T$. We define a function $f : V_n \to \{0, 1\}$ and fix an integer $c$, $1 \le c \le n$, which points to the position (column) of the cheater $P_c$ in $T$. The vector $\delta_c = (0, \ldots, 0, 1, 0, \ldots, 0) \in V_n$ represents the cheating vector introduced by the cheater. Note that the cheater $P_c$ can only change his share on the $c$-th position (other positions are not changed assuming that other participants are honest). Let $\rho_{c,\alpha}$ be the probability of successful cheating by $P_c$, where $\alpha$ is a row of $T$ indicating the secret and shares currently in use. A precise expression of $\rho_{c,\alpha}$ will be given in next two paragraphs. In the work (PZ01), it was shown that for an arbitrary $\alpha$, there is a vector $\alpha' \in V_n$ such that either $\rho_{c,\alpha} + \rho_{c,\alpha'} = 1$ or $\rho_{c,\alpha} = 1$. This implies that the maximum cheating probability is always larger than or equal to $\frac{1}{2}$. Naturally one would expect that (a) $\max\{\rho_{c,\alpha} \mid \alpha \in V_n, 1 \le c \le n\}$ is as small as possible, and (b) is as small as possible (ideally, the both probabilities are equal to $\frac{1}{2}$). In this paper we identify conditions for which (a) and (b) hold and as the result we introduce the concept of cheating-immune secret sharing. Furthermore we characterise cheating-immune secret sharing using cryptographic properties of boolean functions. Thus we are able to construct cheating-immune secret sharing that gives no advantage to a cheater over honest participants.
We introduce the following notations:
• $\alpha = (s_1, \ldots, s_n)$ is the sequence of shares held by $P$ and the secret $K = f(\alpha)$,
• $\alpha^* = (s_1, \ldots, s_{c-1}, 1 \oplus s_c, s_{c+1}, \ldots, s_n)$ is the sequence of shares submitted to the combiner where $P_c$ modified her share. The sequence $\delta_c = (0, \ldots, 0, 1, 0, \ldots, 0)$ contains all zero except the $c$-th position and represents modification done by the cheater,
• $K^* = f(\alpha^*)$ is the invalid secret returned by combiner,
• taken from rows of $T$ containing $\alpha$ and $K$ which are consistent with the invalid secret returned by the combiner. The set determines the view of the cheater after getting back $K^*$ from the combiner,
• $K\}$ is the set of rows which contain the current share of $P_c$ and the valid secret $K$.
The function $f$ is called defining function. To prevent cheaters from finding the correct secret (and effectively discourage them from cheating), one would wish to obtain $\Omega^*_\alpha$ as big as possible for any $\alpha$, while $\Omega^*_\alpha \cap \Omega_\alpha$ as small as possible. The nonzero vector $\delta_c = (0, \ldots, 0, 1, 0, \ldots, 0)$, where only the $c$-th coordinate is nonzero, is called the cheating vector. $\alpha = (s_1, \ldots, s_n)$ is called the original vector. The value of $\rho_{c,\alpha} = \#(\Omega^*_\alpha \cap \Omega_\alpha)/\#\Omega^*_\alpha$, where $\#X$ denotes the number of elements in the set $X$, expresses the probability of cheater success with respect to $\alpha = (s_1, \ldots, s_n)$. As the original vector $\alpha = (s_1, \ldots, s_n)$ is always in $\Omega^*_\alpha \cap \Omega_\alpha$, the probability of successful cheating is always nonzero or $\rho_{c,\alpha} > 0$. The following result can be found in (PZ01):
Theorem 1 Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. Let $c$ be any integer with $1 \le c \le n$ and $\alpha = (s_1, \ldots, s_n)$ be any vector in $V_n$. Then there exists a vector $\alpha' \in V_n$ such that $\rho_{c,\alpha} + \rho_{c,\alpha'} = 1$ otherwise $\rho_{c,\alpha} = 1$.
Theorem 1 implies that the maximum probability of successful cheating is always higher than or equal to $\frac{1}{2}$.
Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. The value of is the average cheating probability over all original vectors in $V_n$ for a fixed cheating vector. The value of is the average cheating probability over all cheating vectors (with Hamming weight one) and all original vectors in $V_n$.
It should be noticed that the definition of ρ depends on a particular defining function f .
Theorem 2 Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. Then for each fixed integer $c$ with $1 \le c \le n$, we have $\rho_c \ge \frac{1}{2}$ where the equality holds if and only if $\rho_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$.
Thus $r_3 = 0$. Since $r_1 = r_2 = r_3 = 0$, we know that $r_4 = 2^{n-1}$. We compute $\rho_c$: Summarising Cases 1 and 2, we have proved that $\rho_c \ge \frac{1}{2}$ where the equality holds if and only if $\rho_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. ✷
Theorem 3 Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. Then $\rho \ge \frac{1}{2}$ where the equality holds if and only if $\rho_{c,\alpha} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $\alpha \in V_n$.

Cheating-Immune Secret Sharing Scheme
Secret sharing resists cheating if either $\max\{\rho_{c,\alpha} \mid \alpha \in V_n, 1 \le c \le n\}$ is as small as possible, or $\rho$ is as small as possible. As mentioned in Section 4, the maximum cheating probability is always larger than or equal to $\frac{1}{2}$. Due to Theorem 1, if $\rho = \frac{1}{2}$ then the maximum cheating probability is equal to $\frac{1}{2}$. We now prove the converse. Assume that the maximum cheating probability is equal to $\frac{1}{2}$. We next prove that $\rho_{c,\alpha} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $\alpha \in V_n$. Assume for contradiction that $\rho_{c,\alpha} < \frac{1}{2}$ for some integer $c$ with $1 \le c \le n$ and some $\alpha \in V_n$. According to Theorem 1, there exists another vector 2 . This contradicts the assumption that the maximum cheating probability is equal to $\frac{1}{2}$. The contradiction proves $\rho_{c,\alpha} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $\alpha \in V_n$. In this case, clearly, $\rho = \frac{1}{2}$. Due to Theorems 2 and 3, we conclude
Corollary 1 Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. Then the following statements are equivalent: (iii) $\rho_{c,\alpha} = \frac{1}{2}$ for each integer $c$ with $1 \le c \le n$ and each $\alpha \in V_n$.
A secret sharing is said to be cheating immune if it satisfies (i) or (ii) or (iii) of Corollary 1.
Cheating immunity of secret sharing can be investigated in the context of well-known characteristics of the defining function f such as correlation immunity and SAC.
Theorem 4 Given secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$. Then the secret sharing is cheating immune if and only if $f$ is 1-resilient and satisfies the SAC.
Proof 3 We keep using the notations as in the proof of Theorem 2. Assume that the secret sharing is cheating immune. Let $c$ be an integer with $1 \le c \le n$. Using Corollary 1, $\rho_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. Therefore, from the proof of Theorem 2, we have $r_1 = r_2 = r_3 = r_4$. From $r_1 + r_2 = r_3 + r_4$, we conclude that $f(x_1, \ldots, x_n)|_{x_c = 1}$ is balanced. Similarly from the fact $r_1 + r_3 = r_2 + r_4$, we conclude that $f(x_1, \ldots, x_n)|_{x_c = 0}$ is balanced. Since $c$ is arbitrary in $\{1, \ldots, n\}$, we have proved that $f$ is 1-resilient.
On the other hand, since $f$ satisfies the SAC, $f(x) \oplus f(x \oplus \delta_c)$ is balanced. From (6), we have $r_1 + r_4 = r_2 + r_3$. Combining $r_1 + r_2 = r_3 + r_4$, $r_1 + r_3 = r_2 + r_4$ and $r_1 + r_4 = r_2 + r_3$, we conclude that $r_1 = r_2 = r_3 = r_4$. From the proof of Theorem 2, we have proved that $\rho_{c,\alpha} = \frac{1}{2}$ for each $\alpha \in V_n$. Since $c$ is an arbitrary integer with $1 \le c \le n$, we have proved that the secret sharing is cheating immune. ✷
Since resilient functions are balanced, the defining function of any cheating immune secret sharing must be balanced.
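Theorem 4 can be checked by brute force for small $n$. The following is an added example, not code from the paper: it assumes the reading $\Omega^*_\alpha = \{x : x_c = s_c,\ f(x \oplus \delta_c) = K^*\}$ and $\Omega_\alpha = \{x : x_c = s_c,\ f(x) = K\}$ of the view sets (their definitions are incomplete in this text), and the three defining functions on $V_4$ are constructed for illustration, not taken from Lemma 1.

```python
from fractions import Fraction
from itertools import product

def vectors(n):
    return list(product((0, 1), repeat=n))

def flip(x, c):
    """x XOR delta_c: toggle the share at 0-based position c."""
    return x[:c] + (1 ^ x[c],) + x[c + 1:]

def rho(f, n, c, alpha):
    """Cheating probability rho_{c,alpha} = #(Omega* & Omega) / #Omega*."""
    K, K_star = f(alpha), f(flip(alpha, c))
    # Assumed view set Omega*: rows that carry the cheater's real share and
    # would make the combiner return K* once that share is flipped.
    view = [x for x in vectors(n)
            if x[c] == alpha[c] and f(flip(x, c)) == K_star]
    # Omega* & Omega: rows of the view whose secret is the valid one, K.
    return Fraction(sum(f(x) == K for x in view), len(view))

def all_rho(f, n):
    return [rho(f, n, c, a) for c in range(n) for a in vectors(n)]

def balanced(values):
    values = list(values)
    return 2 * sum(values) == len(values)

def is_1_resilient(f, n):
    """f stays balanced when any single input is fixed to 0 or to 1."""
    return all(balanced(f(x) for x in vectors(n) if x[c] == b)
               for c in range(n) for b in (0, 1))

def satisfies_sac(f, n):
    """f(x) XOR f(x XOR delta_c) is balanced for every position c."""
    return all(balanced(f(x) ^ f(flip(x, c)) for x in vectors(n))
               for c in range(n))

def report(f, n):
    r = all_rho(f, n)
    return {"avg": sum(r) / len(r), "max": max(r),
            "1-resilient": is_1_resilient(f, n), "SAC": satisfies_sac(f, n)}

# Constructed defining functions on V_4 (illustrative, not from the paper).
def linear(x): return x[0] ^ x[1] ^ x[2] ^ x[3]          # 1-resilient, no SAC
def bent(x): return (x[0] & x[1]) ^ (x[2] & x[3])        # SAC, not balanced
def immune(x): return ((x[0] ^ x[1]) & (x[2] ^ x[3])) ^ x[0] ^ x[2]

if __name__ == "__main__":
    for f in (linear, bent, immune):
        print(f.__name__, report(f, 4))
```

For `linear` every $\rho_{c,\alpha}$ equals 1, the situation observed by Tompa and Woll; for `bent` the average is 9/16 and the maximum 3/4, so the SAC alone does not give immunity, while `immune` reaches $\frac{1}{2}$ for every $c$ and $\alpha$.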

Construction of Cheating-Immune Secret Sharing Scheme
Based on Theorem 4, to construct a cheating-immune secret sharing scheme, we need a 1-resilient function on $V_n$ satisfying the SAC.
The following result can be found from the proof of Theorem 17 of the reference (SM00), that is an article on boolean functions with cryptographic properties.

Lemma 1 Let $h$ be a bent function on $V_{n-2}$ ($n$ is even
where $HW(a_1, \ldots,$
If we apply the function mentioned in Lemma 1 to Theorem 4, then we obtain a cheating-immune secret sharing with defining function whose nonlinearity is $2^{n-1} - 2^{\frac{1}{2}n}$. Therefore we have the following conclusion:
Theorem 5 Let $n > 0$ be an even integer. Then there exists a secret sharing with its distribution table $T$ and the defining function $f$ on $V_n$ such that (i) this secret sharing is cheating immune, (ii) the nonlinearity $N_f$ of $f$ satisfies $2^{n-1} - 2^{\frac{1}{2}n}$.
For each secret sharing constructed in (PZ01), there always exists some integer $c$ and some vector $\alpha \in V_n$ such that $\rho_{c,\alpha} > \frac{1}{2}$. Therefore each secret sharing in (PZ01) is not cheating immune.

Conclusions
We have proved an interesting property of secret sharing. For given secret sharing, the average cheating probability over all cheating vectors and all original vectors, denoted by $\rho$, satisfies $\rho \ge \frac{1}{2}$, and the equality holds if and only if the cheating probability $\rho_{c,\alpha}$ satisfies $\rho_{c,\alpha} = \frac{1}{2}$ for every cheating vector $\delta_c$ and every original vector $\alpha$. In this case the secret sharing is said to be cheating immune. We have found a relationship between cheating immune secret sharing and cryptographic criteria of boolean functions, and then we have successfully constructed cheating immune secret sharing using a highly nonlinear defining function. For simplicity, in this work we have considered cheating immune secret sharing where there is a single dishonest participant (or cheater). However this concept can be generalised for the case where there are many colluding cheaters. Future works include also the design of cheating immune secret sharing for a given access structure.