Characterisations of Ideal Threshold Schemes

We characterise ideal threshold schemes from different approaches. Since the characteristic properties are independent of particular descriptions of threshold schemes, all ideal threshold schemes can be examined from new points of view and new results on ideal threshold schemes can be discovered.


Introduction
Since 1979 when threshold schemes were introduced by Blakley (Bla79) and Shamir (Sha79), many papers in this area have been published. These papers are mostly about particular designs and applications of threshold schemes.
In this work, we are interested in characterisations of ideal threshold schemes rather than particular constructions. Of course, these characteristic properties do not depend on any form of any ideal threshold scheme. This enables us to look at any ideal threshold scheme from new points of view, and further find new results on ideal threshold schemes.
This work is structured as follows. The basic concepts of threshold schemes, and more generally, secret sharing schemes are introduced in Section 2.
In Section 3, we describe (weakly and strongly) perfect secret sharing schemes using defining matrices. By the original definition (BS92), an ideal threshold scheme is a strongly perfect threshold scheme for which the set of secrets and the set of shares have the same cardinality.
In Sections 4 and 5, we derive a series of properties of weakly perfect threshold schemes that are helpful for us to characterise ideal threshold schemes in Section 6 from different points of view. Consequently "strongly perfect" in the original definition of ideal threshold schemes can be replaced by "weakly perfect".
We further obtain more results on ideal threshold schemes in Section 7 including an application in cheating prevention.
In Section 8, we work on the threshold schemes whose set of secrets and set of shares are identical, and derive more characteristic properties of ideal threshold schemes. In Section 9, we find some bounds on the parameters of ideal threshold schemes.
In Section 10, we compare this work with other results. Conclusions close the work.

Access Structures
Secret sharing is a method to share a secret among a set of participants $P = \{P_1, \ldots, P_n\}$. Let $K$ denote the set of secrets and $S$ denote the set of shares. The secret sharing includes two algorithms: the distribution algorithm (dealer) and the recovery algorithm (combiner).
The dealer assigns shares $s_1, \ldots, s_n$, where the vector $(s_1, \ldots, s_n)$ is called a share vector, to all the participants $P_1, \ldots, P_n$, respectively.
Assume that the currently active participants are P j 1 , . . ., P j and that they submit their shares to the combiner in order to recover the secret. Their shares s j 1 , . . ., s j can determine a secret K ∈ K if and only if {P j 1 , . . ., P j } is a qualified subset of P, i.e., the set of currently active participants belongs to the access structure Γ.
Any access structure should be monotone, or more precisely, if A ∈ Γ and A ⊆ B ⊆ P then B ∈ Γ.
As shown in (BD91) and (BS92), we can describe secret sharing with the access structure Γ by an $m \times (n+1)$ matrix $M^*$ in which no two rows are identical. The matrix $M^*$ has $n+1$ columns indexed by $0, 1, \ldots, n$. The number $m$ of rows of $M^*$ depends on the particular scheme. We index the $m$ rows by $1, \ldots, m$. For a row of $M^*$, the entry in the 0th position holds a secret and the entry in the $i$th position ($i = 1, \ldots, n$) contains the corresponding share of $P_i$. Denote the entry on the $i$th row and the $j$th column of $M^*$ by $M^*(i, j)$.
The matrix $M^*$ is called a defining matrix of secret sharing with the access structure Γ. The matrix $M$ obtained from $M^*$ by removing the 0th column is called the associated matrix of the scheme.
The dealer works in two stages. In the first stage, it creates the defining matrix $M^*$ for secret sharing with the access structure Γ. The matrix is made public. In the second stage, the dealer randomly chooses a row of the matrix $M^*$. Let the row chosen be indexed by the integer $i$ ($1 \le i \le m$). The secret is $K = M^*(i, 0)$ and the shares are $s_j = M^*(i, j)$, $j = 1, \ldots, n$. The shares are distributed to the corresponding participants via secure channels.
Note that a defining matrix uniquely determines a secret sharing scheme, but a secret sharing scheme can have several defining matrices.
Permuting the rows of a defining matrix of secret sharing does not give a new scheme.
Permuting the columns of defining matrices of secret sharing is equivalent to changing the indices of participants.
It should be pointed out once again that a defining matrix of a secret sharing scheme is public.
The dealer chooses at random a single row of the matrix. The shares are communicated to the corresponding participants via secure channels so the share $s_i$ is known to the participant $P_i$ only ($i = 1, \ldots, n$).
An access structure Γ = {A | #A ≥ t} is called a (t, n)-threshold access structure, where #X denotes the cardinality of the set X (i.e. the number of elements in the set X) and the integer t is called the threshold of secret sharing, where t ≤ n.
Secret sharing schemes with the (t, n)-threshold access structure are called (t, n)-threshold schemes.
Threshold schemes were first introduced by Blakley (Bla79) and Shamir (Sha79). Ito et al. (ISN87) generalised threshold schemes for arbitrary access structure.

Perfect Secret Sharing And Ideal Secret Sharing
We say that secret sharing with the access structure Γ is perfect if the following two conditions are satisfied:
(1) If A ∈ Γ then the participants in A can uniquely determine the secret by pooling their shares together.
(2) If A ∉ Γ then the participants from A can determine nothing about the secret (in an information theoretic sense).
As mentioned in (BS92), Conditions (1) and (2) can be translated into conditions that need to be satisfied in the context of the defining matrix. We list the translations as follows.
For any s j 1 , . . ., s j ∈ S and any K ∈ K, For the case of a (t, n)-threshold scheme, Conditions (a), (b), and (b') can be rewritten as follows: For any 1 ≤ i 0 ≤ m and any K ∈ K, there exists some i with 1 ≤ i ≤ m such that M * (i, j) = M * (i 0 , j) for all P j ∈ A and M * (i, 0) = K.
Definition 1 A secret sharing scheme satisfying (a) and (b) is called weakly perfect. Alternatively, a (t, n)-threshold scheme satisfying (c) and (d) is called weakly perfect.
In (BS92) the following definition is given.
Definition 2 A secret sharing scheme satisfying (a) and (b') is called strongly perfect, or more briefly perfect if no confusion occurs. Alternatively, a (t, n)-threshold scheme satisfying (c) and (d') is called strongly perfect, or more briefly perfect if no confusion occurs.
As mentioned in (BS92), for any strongly perfect secret sharing scheme, we have #K ≤ #S. In particular, if #K = #S holds for a strongly perfect secret sharing scheme, from (BS92), we have the following definition.
Definition 3 An ideal secret sharing scheme is a strongly perfect secret sharing scheme satisfying #K = #S. Alternatively, an ideal threshold scheme is a strongly perfect threshold scheme satisfying #K = #S.
In this work we focus on ideal threshold schemes. New results on weakly perfect threshold schemes in this work are helpful for characterising ideal threshold schemes.

Properties of Weakly Perfect Threshold Schemes (I)
It should be noted that the inequality #K ≤ #S also holds for any weakly perfect secret sharing scheme. The proof can be found in (PZ02). We state the result as follows.
Lemma 1 #K ≤ #S holds for any weakly perfect secret sharing scheme.
Lemma 2 Let a $(t, n)$-threshold scheme be weakly perfect. If $\#K = \#S$ then its defining matrix $M^*$ has the following property. For any given $t - 1$ integers,
Let $M^*$ contain precisely $m$ rows. Thus $M^*$ is an $m \times (n+1)$ matrix. We index the rows of $M^*$ by $1, \ldots, m$, and index the columns by $0, 1, \ldots, n$. Consider the $m \times t$ matrix $M_0$, consisting of the $t$ columns of $M^*$ indexed by $0, j_1, \ldots, j_{t-1}$.
Let $j_t$ be an integer satisfying $1 \le j_t \le n$ and $j_t \notin \{j_1, \ldots, j_{t-1}\}$. Without loss of generality, we assume that $j_t > j_{t-1}$. Let $M_1$ denote an $m \times (t+1)$ matrix consisting of the $t + 1$ columns of $M^*$ indexed by $0, j_1, \ldots, j_{t-1}, j_t$.
Corollary 1 Let a $(t, n)$-threshold scheme be weakly perfect. If $\#K = \#S$ then its defining matrix $M^*$ has the following property. For any $t$ given integers, $0 \le j_1 < \cdots < j_t \le n$, the submatrix $M$ of $M^*$, consisting of $t$ columns indexed by $j_1, \ldots, j_t$, does not contain two identical rows.
Proof We prove the corollary by contradiction. Assume that $M$ contains two identical rows. Then there exist integers $i_0$ and $i$ such that $i_0 \ne i$ and $M^*(i_0, j_1) = M^*(i, j_1), \ldots, M^*(i_0, j_t) = M^*(i, j_t)$. According to Lemmas 2 and 3, $M^*(i_0, j) = M^*(i, j)$, $j = 0, 1, \ldots, n$. On the other hand, $M^*$, as a defining matrix of a secret sharing, does not contain two identical rows. The contradiction proves that all the rows of $M$ are mutually distinct. □

Properties of Weakly Perfect Threshold Schemes (II)
Weakly perfect threshold schemes have further properties.
Lemma 4 Let a $(t, n)$-threshold scheme be weakly perfect. If $\#K = \#S$ then its defining matrix $M^*$ has the following property. For any $t$ given integers, $1 \le j_1 < \cdots < j_t \le n$, the submatrix $M$ of $M^*$, consisting of $t$ columns indexed by $j_1, \ldots, j_t$, contains any given row vector $(s_{j_1}, \ldots, s_{j_t})$ where each $s_j \in S$.
Thus $M^*$ is an $m \times (n+1)$ matrix. We index the rows of $M^*$ by $1, \ldots, m$, and index the columns by $0, 1, \ldots, n$.
From the proof of Lemma 2, we know that $\#\Re_i = 1$, $i = 1, \ldots, b$, and then it is easy to find that $\Re_1 \cup \cdots \cup \Re_b = S$. Thus there exists some $i_t$ with $1 \le i_t \le b$ such that $\Re_{i_t} = \{s_{j_t}\}$. By the definition of $\Re_{i_t}$, we know that $(K_{i_t}, a_{j_1}, \ldots, a_{j_{t-1}}, s_{j_t})$ is a row of $M$.
Using the same arguments as above, we can prove that there exists some $i_{t-1}$ with 1 Repeatedly, we can prove that there exists some $i_1$ with $1 \le i_1 \le b$ such that $(K_{i_1}, s_{j_1}, \ldots, s_{j_{t-2}}, s_{j_{t-1}}, s_{j_t})$ is a row of $M$. Therefore we have proved that $(s_{j_1}, \ldots, s_{j_t})$ is a row of $M$. □
Lemma 5 Let a $(t, n)$-threshold scheme be weakly perfect. If $\#K = \#S$ then its defining matrix $M^*$ has the following property. For any given $t - 1$ integers, $1 \le j_2 < \cdots < j_t \le n$, the submatrix $M$ of $M^*$, consisting of $t$ columns indexed by $0, j_2, \ldots, j_t$, contains any given row vector $(K, s_{j_2}, \ldots, s_{j_t})$ where $K \in K$ and each $s_j \in S$.
According to the property of M * , M 1 contains the row (K, s j 1 , . . ., s j ), where = t − 1, precisely once. Thus condition (d') is satisfied in Case i2.
Summarising cases i1 and i2, we conclude that the scheme is strongly perfect. (i) has been proved.
(ii) Let M be the submatrix of M * , consisting of t columns indexed by 1, . . ., t, M 0 be the submatrix of M * , consisting of t columns indexed by 0, 1, . . ., t − 1, and M 0 be the submatrix of M * , consisting of t − 1 columns indexed by 1, . . ., t − 1. We fix a 1 , . . ., a t−1 ∈ S. Due to the property of M * , for each s ∈ S, M contains the row (a 1 , . . ., a t−1 , s) precisely once. Thus M 0 contains the row (a 1 , . . ., a t−1 ) precisely #S times. On the other hand, due to the property of M * , for each K ∈ K, M 0 contains the row (K, a 1 , . . ., a t−1 ) precisely once. Thus M 0 contains the row (a 1 , . . ., a t−1 ) precisely #K times. It follows that #K = #S. We have proved (ii).
By definition, (i) and (ii) together imply that the scheme is ideal. □
Theorem 3 For a $(t, n)$-threshold scheme, the following statements are equivalent:
(i) the scheme is ideal,
(ii) the scheme is weakly perfect and $\#K = \#S$,
(iii) the scheme is strongly perfect and $\#K = \#S$,
(iv) its defining matrix $M^*$ has the following property. For any given $t$ integers, $0 \le j_1 < \cdots < j_t \le n$, the submatrix of $M^*$, consisting of $t$ columns indexed by $j_1, \ldots, j_t$, contains any given row vector $(s_{j_1}, \ldots, s_{j_t})$ (when $j_1 > 0$) and any given row vector $(K, s_{j_2}, \ldots, s_{j_t})$ (when $j_1 = 0$), where each $s_j \in S$ and $K \in K$, precisely once.
Proof According to Theorem 1, (ii) implies (iv). Due to Theorem 2, (iv) implies (i). By definition, (i) implies (iii). It is obvious that (iii) implies (ii). The proof is completed. □
From Lemma 1, $\#K \le \#S$ holds for any weakly perfect threshold scheme. Thus due to Theorem 3, ideal threshold schemes are a critical case of weakly perfect threshold schemes when $\#K = \#S$. Therefore it is interesting that "strongly perfect" in Definition 3 can be replaced by "weakly perfect".
From (iv) of Theorem 3, we formulate the following conclusion:
Corollary 3 A defining matrix of any ideal $(t, n)$-threshold scheme has the size $b^t \times (n+1)$ where $b = \#K = \#S$. In other words, any ideal $(t, n)$-threshold scheme has precisely $b^t$ possible share vectors.
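The dealer's row choice and the combiner's view can be traced on a concrete defining matrix. The following is an added example, not code from the paper: it assumes Shamir's polynomial construction over GF(5) as the ideal scheme (the paper cites (Sha79) but gives no construction), with constructed parameters t = 2, n = 3 and hypothetical function names.

```python
import secrets
from itertools import product

# Constructed parameters (assumption): b = #K = #S = 5, (t, n) = (2, 3).
P, T, N = 5, 2, 3

def shamir_defining_matrix(p=P, t=T, n=N):
    """Rows (f(0), f(1), ..., f(n)) for every polynomial f of degree < t over GF(p).
    Column 0 holds the secret, column j the share of participant P_j."""
    assert n < p, "evaluation points 0..n must be distinct mod p"
    rows = []
    for coeffs in product(range(p), repeat=t):
        rows.append(tuple(
            sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p
            for x in range(n + 1)))
    return rows

def deal(matrix):
    """Dealer, second stage: choose one row of the public matrix at random."""
    row = secrets.choice(matrix)
    return row[0], {j: row[j] for j in range(1, len(row))}

def consistent_secrets(matrix, known):
    """Combiner's view: the secrets of all rows that agree with the pooled
    shares `known` = {participant index: share}."""
    return sorted(r[0] for r in matrix
                  if all(r[j] == s for j, s in known.items()))

def demo():
    m = shamir_defining_matrix()
    secret, shares = deal(m)
    qualified = {j: shares[j] for j in (1, 3)}   # t = 2 participants
    unqualified = {2: shares[2]}                 # t - 1 = 1 participant
    return (secret,
            consistent_secrets(m, qualified),    # exactly one candidate
            consistent_secrets(m, unqualified))  # every secret, once each

if __name__ == "__main__":
    print(len(shamir_defining_matrix()), demo())
```

The matrix has 5^2 = 25 rows, as Corollary 3 requires, and one share leaves each of the five secrets matching exactly one row.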

Other Properties with Applications
From the proof of Theorem 2, we know the following.
Corollary 4 If a $(t, n)$-threshold scheme is ideal then its defining matrix $M^*$ has the following property. For any (0 < ≤ t) integers, 0 ≤ j 1 < • • • < j ≤ n, the submatrix of M * , consisting of columns indexed by j 1 , . . ., j , contains all b possible rows each precisely b t− times, where #K = #S = b. In particular, the $j$th ($j = 1, \ldots, n$) column of $M^*$ contains all elements in $S$ each precisely $b^{t-1}$ times, and the 0th column of $M^*$ contains all elements in $K$ each precisely $b^{t-1}$ times.

More Characteristic Properties
If we simplify the condition #S = #K to S = K, the properties of ideal threshold schemes become more interesting.
Orthogonal arrays were introduced more than fifty years ago as a combinatorial problem (Bus52).
Definition 4 An $m \times n$ matrix $O$ with entries from a $b$-set $B$ is called an orthogonal array, denoted by $(m, n, b, t)$, if any $m \times t$ submatrix of $O$ contains all $b^t$ possible row vectors each precisely $\lambda$ times.
Clearly $m = \lambda b^t$. The parameters $m$, $t$ and $\lambda$ are called the size, the strength and the index of the orthogonal array, respectively, while $n$ is called the number of constraints and $b$ is called the number of levels.
Lemma 6 An orthogonal array (m, n, b,t) with an index λ is an orthogonal array (m, n, b, ) with an index λb t− where is any integer with 1 ≤ ≤ t.
In particular, we can formulate the following corollary.
Corollary 7 Each column of an orthogonal array $(m, n, b, t)$ with entries from a $b$-set $B$ contains each element of $B$ precisely $\lambda b^{t-1}$ times, where $\lambda$ is the index of the orthogonal array.

Lemma 7 Let $O_1$ be an $m \times n_1$ submatrix of an orthogonal array $(m, n, b, t)$ with an index $\lambda$. If $n_1 \ge t$ then $O_1$ is an orthogonal array $(m, n_1, b, t)$ with an index $\lambda$.
In particular, orthogonal arrays with index λ = 1 are used in this work.
Definition 5 An orthogonal array with index $\lambda = 1$, i.e., an orthogonal array $(b^t, n, b, t)$, is called an orthogonal array $(b^t, n, b, t)$ of index unity.
Orthogonal arrays $(b^t, n, b, t)$ of index unity have many interesting properties. The following bounds on the number of constraints for orthogonal arrays $(b^t, n, b, t)$ were proved by Bush (Bus52):
Lemma 8 For an orthogonal array $(b^t, n, b, t)$ of index unity, we have
According to (iv) of Theorem 3, a defining matrix of an ideal $(t, n)$-threshold scheme with $K = S$ is an orthogonal array $(b^t, n + 1, b, t)$ of index unity.
Theorem 12 in Chapter 11 of (MS78) is a special case of Lemma 9 when both orthogonal array and code are linear. This implies that the entries in both array and code should be certain algebraic elements. Also the proof is based on coding theory. In contrast, Lemma 9 is more general and its proof does not require the set B to have any algebraic properties.
There exist many known optimal codes, for instance, cyclic codes of prime length, (some) global quadratic residue codes, Reed-Solomon codes, and more generally, MDS codes. The detailed description of such codes can be found in (MS78), (PH98), (Rom92). It should be noted that an optimal code is not necessarily an MDS code, as an MDS code is a special optimal code when all its codewords form a linear space. This requires the elements in the set B to have certain algebraic properties.
Lemma 10 There exists an ideal $(t, n)$-threshold scheme if and only if there exists an orthogonal array $(b^t, n + 1, b, t)$ of index unity where $b = \#K = \#S$.
Proof Due to (iv) of Theorem 3, the sufficiency is obvious. We only need to prove the necessity. Assume that there exists an ideal $(t, n)$-threshold scheme. Since #S = #K, there exists a mapping χ from K to S such that χ(K) = S, and χ(k ) = χ(k ) if k = k . Thus we obtain a new ideal threshold scheme from the given one by changing each k to χ(k). We note that in the new ideal threshold scheme the set of secrets is identical with the set of shares. According to (iv) of Theorem 3, any defining matrix $M^*$ of the new scheme is an orthogonal array $(b^t, n + 1, b, t)$. □
According to Theorem 3, Lemma 9 and Lemma 10, we can state the following.
Theorem 4 The following statements are equivalent: (i) there exists an ideal (t, n)-threshold scheme,

Condition (1) corresponds to Condition (a). Condition (2) has two translations: Condition (b) and Condition (b'). It is easy to verify that (b') implies (b).
We next briefly recall the concept of codes. Let $B = \{\varepsilon_1, \ldots, \varepsilon_b\}$ be a finite set and $B^n$ be the set of all strings of length $n$ over $B$. Any nonempty subset $\Im$ of $B^n$ is called a $b$-ary block code. Each string in $\Im$ is called a codeword. The parameter $n$ is called the length. If $\min\{\mathrm{dist}(\xi, \eta) \mid \xi, \eta \in \Im, \xi \ne \eta\} = d$, where $\mathrm{dist}(\xi, \eta)$ denotes the Hamming distance between $\xi$ and $\eta$, and $\#\Im = R$, then the code $\Im$ is called an $(n, R, d)_b$ code.
Definition 6 Let $N_b(n, d)$ be the largest number $R$ such that there exists an $(n, R, d)_b$ code. An $(n, R, d)_b$ code satisfying $R = N_b(n, d)$ is called optimal (Rom92).
For any $(n, R, d)_b$ code, the following inequality holds and it is known as the Singleton bound (MS78), (PH98), (Rom92),
$$N_b(n, d) \le b^{n-d+1} \qquad (3)$$
Lemma 9 A $b^t \times n$ matrix $O$ with entries from a $b$-set $B$ is an orthogonal array $(b^t, n, b, t)$ of index unity if and only if all the $b^t$ row vectors of $O$ form an $(n, b^t, n - t + 1)_b$ (optimal) code.
Proof We first indicate that an $(n, b^t, n - t + 1)_b$ code $\Im$ must be optimal. In fact, $\#\Im = b^t$ and $d = n - t + 1$. Thus $\#\Im = b^{n-d+1}$. According to (3), we have $b^{n-d+1} = \#\Im \le N_b(n, d) \le b^{n-d+1}$. Thus $\#\Im = N_b(n, d)$ and thus we have proved that an $(n, b^t, n - t + 1)_b$ code is optimal.
We now prove the necessity of the lemma. Assume that $O$ is an orthogonal array $(b^t, n, b, t)$ of index unity. It is easy to verify that any two rows of $O$ are the same in at most $t - 1$ corresponding coordinates. In other words, any two rows of $O$ differ in at least $n - t + 1$ corresponding coordinates. Thus all the $b^t$ row vectors of $O$ form an $(n, b^t, d)_b$ code where $d \ge n - t + 1$. On the other hand, from (3), we have $b^t = \#\ \le N_b(n, d) \le b^{n-d+1}$ and then $t \le n - d + 1$. From $t \le n - d + 1$ and $d \ge n - t + 1$, we conclude that $d = n - t + 1$. This proves that is an $(n, b^t, n - t + 1)_b$ code.
We next prove the sufficiency of the lemma. Assume that all the $b^t$ rows of matrix $O$ form an $(n, b^t, n - t + 1)_b$ code. Then the Hamming distance between any two distinct row vectors is at least $n - t + 1$, in other words, any two distinct row vectors are the same in at most $t - 1$ coordinates. Therefore, all the $b^t$ row vectors of any $b^t \times t$ submatrix $O_1$ of $O$ are mutually distinct, in other words, $O_1$ contains all $b^t$ possible row vectors each precisely once. This proves that $O$ is an orthogonal array $(b^t, n, b, t)$ of index unity. □
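Both sides of Lemma 9 can be evaluated mechanically on small arrays. The following is an added example, not code from the paper: the function names are hypothetical, and the two 25 × 4 arrays over {0, ..., 4} are constructed samples (polynomial evaluations over GF(5), and an array with a repeated column).

```python
from itertools import combinations, product

def is_oa_index_unity(rows, b, t):
    """Definition 4 with lambda = 1: every choice of t columns shows each of
    the b**t possible row vectors exactly once."""
    if len(rows) != b ** t:
        return False
    n = len(rows[0])
    return all(
        len({tuple(r[c] for c in cols) for r in rows}) == b ** t
        for cols in combinations(range(n), t))

def min_distance(rows):
    """Minimum Hamming distance over all pairs of rows (codewords)."""
    return min(sum(x != y for x, y in zip(u, v))
               for u, v in combinations(rows, 2))

def lemma9_sides(rows, b, t):
    """Return (rows form an OA of index unity,
               rows form an (n, b^t, n - t + 1)_b code)."""
    n = len(rows[0])
    is_code = (len(set(rows)) == b ** t
               and min_distance(rows) == n - t + 1)
    return is_oa_index_unity(rows, b, t), is_code

def poly_code(p, t, n):
    """Constructed sample: evaluations at 0..n-1 of every polynomial of
    degree < t over GF(p), p prime and n <= p."""
    return [tuple(sum(c * pow(x, k, p) for k, c in enumerate(cs)) % p
                  for x in range(n))
            for cs in product(range(p), repeat=t)]

# Constructed arrays with b = 5, t = 2, n = 4.
GOOD = poly_code(5, 2, 4)
# Columns 0 and 3 are identical, so that column pair cannot show all 25 pairs.
BAD = [(a, s, (a + s) % 5, a) for a in range(5) for s in range(5)]

if __name__ == "__main__":
    print(lemma9_sides(GOOD, 5, 2), min_distance(GOOD))
    print(lemma9_sides(BAD, 5, 2), min_distance(BAD))
```

The two sides agree on each array: the polynomial array satisfies both, and the array with the repeated column fails both because its minimum distance drops to 2, below n − t + 1 = 3.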