Threshold Secret Sharing Requires a Linear Size Alphabet

Abstract. We prove that for every n and 1 < t < n any t-out-of-n threshold secret sharing scheme for one-bit secrets requires share size log(t + 1). Our bound is tight when t = n − 1 and n is a prime power. In 1990 Kilian and Nisan proved the incomparable bound log(n − t + 2). Taken together, the two bounds imply that the share size of Shamir's secret sharing scheme (Comm. ACM '79) is optimal up to an additive constant even for one-bit secrets for the whole range of parameters 1 < t < n. More generally, we show that for all 1 < s < r < n, any ramp secret sharing scheme with secrecy threshold s and reconstruction threshold r requires share size log((r + 1)/(r − s)). As part of our analysis we formulate a simple game-theoretic relaxation of secret sharing for arbitrary access structures. We prove the optimality of our analysis for threshold secret sharing with respect to this method and point out a general limitation.


Introduction
In 1979, Shamir [30] and Blakley [11] presented a method for sharing a piece of secret information among n parties such that any 1 < t < n parties can recover the secret while any t − 1 parties learn nothing about the secret. These methods are called (t, n)-threshold secret sharing schemes. This sharp threshold between secrecy and reconstruction is fundamental in applications where a group of mutually suspicious individuals with conflicting interests must cooperate. Indeed, threshold secret sharing schemes have found many applications in cryptography and distributed computing; see the extensive survey of Beimel [3] and the recent book of Cramer et al. [17].
Threshold secret sharing was generalized by Ito et al. [23] to allow more general structures of subsets to learn the secret, while keeping the secret perfectly hidden from all other subsets. The collection of qualified subsets is called an access structure.
A significant goal in secret sharing is to minimize the share size, namely, the amount of information distributed to the parties. Despite the long history of the subject, there are significant gaps between lower and upper bounds both for general access structures and for the special case of threshold structures.
Threshold access structures. For (t, n)-threshold access structures (denoted by $\mathrm{THR}^n_t$) and a 1-bit secret, Shamir [30] gave a very elegant and efficient scheme: the dealer picks a random polynomial of degree t − 1 conditioned on setting the free coefficient to be the secret, and gives the i-th party the evaluation of the polynomial at the point i. The computation is done over a field F of size q > n.
The correctness follows because one can recover the unique polynomial from any t points (and thus recover the secret). Security follows by a counting argument showing that given fewer than t points, all possibilities for the free coefficient are equally likely. The share of each party is an element in the field F that can be represented using log q ≈ log n bits (all our logarithms are base 2). The efficiency of this scheme makes it very attractive for applications.
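As an added example (not code from the paper), here is Shamir's scheme over a prime field in Python, together with an exhaustive check, for tiny parameters of our choosing, that the resulting pair of share distributions satisfies the reconstruction and secrecy conditions of Definition 2 below: every set of at least t parties sees disjoint share distributions for the two secrets, and every set of at most t − 1 parties sees identical ones. The reconstruction uses the Lagrange interpolant evaluated at 0; each share is one field element, i.e. log q bits.

```python
# Added example: Shamir (t, n)-threshold sharing over GF(q), q prime, q > n,
# plus an exhaustive check of Definition 2 for small parameters.
from itertools import product, combinations
from collections import defaultdict
from fractions import Fraction
import secrets


def shamir_share(secret, t, n, q, rng=secrets.randbelow):
    """Dealer: random degree-(t-1) polynomial with free coefficient = secret;
    party i (1..n) receives the pair (i, poly(i) mod q)."""
    assert 0 <= secret < q and 1 <= t <= n < q
    coeffs = [secret] + [rng(q) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, j, q) for j, c in enumerate(coeffs)) % q)
            for i in range(1, n + 1)]


def shamir_reconstruct(points, q):
    """Any t points determine the polynomial; evaluate the Lagrange
    interpolant at 0 to recover the free coefficient (the secret)."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % q
                den = den * (xi - xj) % q
        secret = (secret + yi * num * pow(den, q - 2, q)) % q  # Fermat inverse
    return secret


def share_distribution(secret, t, n, q):
    """Exact distribution p_secret over Sigma^n (Definition 2), obtained by
    enumerating every choice of the t-1 random coefficients."""
    dist = defaultdict(Fraction)
    rand_choices = list(product(range(q), repeat=t - 1))
    for rc in rand_choices:
        it = iter(rc)  # feed the enumerated coefficients in as the "randomness"
        shares = tuple(y for _, y in shamir_share(secret, t, n, q, rng=lambda _q: next(it)))
        dist[shares] += Fraction(1, len(rand_choices))
    return dict(dist)


def marginal(dist, subset):
    """Marginal of a distribution over Sigma^n on the given (1-indexed) parties."""
    m = defaultdict(Fraction)
    for shares, pr in dist.items():
        m[tuple(shares[i - 1] for i in subset)] += pr
    return dict(m)


def check_threshold_scheme(t, n, q):
    """Definition 2 for THR^n_t: disjoint marginals on every set of size >= t,
    identical marginals on every set of size <= t-1 (the counting argument)."""
    p0, p1 = share_distribution(0, t, n, q), share_distribution(1, t, n, q)
    parties = range(1, n + 1)
    for k in range(0, n + 1):
        for subset in combinations(parties, k):
            m0, m1 = marginal(p0, subset), marginal(p1, subset)
            if k >= t:
                if set(m0) & set(m1):   # a qualified set could not tell 0 from 1
                    return False
            elif m0 != m1:              # an unqualified set learns something
                return False
    return True


if __name__ == "__main__":
    shares = shamir_share(1, 3, 5, 7)
    print(shares, "->", shamir_reconstruct(shares[:3], 7))
    print("Definition 2 holds for (2,3) over GF(5):", check_threshold_scheme(2, 3, 5))
```

The assertion q > n in shamir_share matters: with q = n the point n ≡ 0 would hand the last party the secret itself.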
A natural question to ask is whether log n-bit shares are necessary for sharing a 1-bit secret for threshold access structures. Kilian and Nisan [25]^4 showed that log n bits are necessary when t is not too large. Specifically, they showed a log(n − t + 2) lower bound on share size for (t, n)-threshold schemes. For large values of t, especially those close to n, their bound does not rule out schemes with shares much shorter than log n bits. Their bound leaves open the possibility that, in particular, (n − 1, n)-threshold schemes with two-bit shares exist.
Ramp schemes are a generalization of threshold schemes that allow for a gap between the secrecy and reconstruction parameters. In an (s, r, n)-ramp scheme, we require that any subset of at least r parties can recover the secret, while any subset of size at most s cannot learn anything about the secret.^5 When r = s + 1, an (s, r, n)-ramp scheme is exactly an (r, n)-threshold scheme. Ramp schemes, defined by Blakley and Meadows [10], are useful for various applications (see e.g. [31,15,27]) since if r − s is large, they can sometimes be realized with shorter shares than standard threshold schemes (especially in the case of long secrets).

^4 Their result is unpublished and was independently obtained (and generalized in various ways) by [14]. The original argument of Kilian and Nisan appears in [14, Appendix A] and was referenced earlier in [4,2,5].
^5 Another common definition (see [20, Definition 2.7] and [21, Example 2.11] for examples) for a ramp scheme is one where the information about the secret increases with the size of the set. We focus only on the definition in which sets of size below a certain threshold have no information about the secret, while sets of size above some threshold can recover it.
Generalizing the lower bound of Kilian and Nisan, Cascudo et al. [14] showed that log((n − s + 1)/(r − s))-bit shares are necessary to realize an (s, r, n)-ramp scheme. When s = n − O(1), however, their share size bound is a constant independent of n. Paterson and Stinson [29] showed that this bound is tight for specific small values of s.
General access structures. For most access structures, the best known secret sharing schemes require shares of size $2^{O(n)}$ for sharing a 1-bit secret. Specifically, viewing the access structure as a Boolean indicator function for qualified subsets, the schemes of [23,9,24] result in shares of size proportional to the DNF/CNF size, monotone formula size, or monotone span program size of the function, respectively. Thus, even for many access structures that can be described by a small monotone uniform circuit, the best schemes have exponential size shares.^6 On the other hand, the best known lower bound on share size for sharing an -bit secret is · n/log n bits, by Csirmaz [19] (improving on [13]).
Bridging the exponential gap between upper and lower bounds is the major open problem in the study of secret sharing schemes. While it is widely believed that the lower bound should be exponential (see e.g. [2,3]), no major progress has been obtained in the last two decades. Moreover, even a non-explicit linear lower bound is not known, that is, whether there exists an access structure that requires linear size shares.^7

Our results
Share size lower bound. We close the gap in share size for threshold secret sharing up to a small additive constant. We assume for simplicity that all parties are given equally long shares.

Theorem 1. For every n ∈ ℕ and 1 < t < n, any (t, n)-threshold secret sharing scheme for a 1-bit secret requires shares of at least log(t + 1) bits.

The assumption 1 < t < n is necessary, as (1, n)-threshold and (n, n)-threshold secret sharing schemes with share size 1 do exist.
Our bound is tight when t = n − 1 and n is the power of a prime; see Appendix A. By combining Theorem 1 with the lower bound of Kilian and Nisan, we determine the share size of threshold schemes up to a small additive constant. That is, we get that any such scheme requires shares of size
Theorem 1 is a special case of the following theorem, which applies more generally to ramp schemes.

Theorem 2. For every n ∈ ℕ and 1 ≤ s < r < n, any (s, r, n)-ramp secret sharing scheme for a 1-bit secret requires shares of at least log((r + 1)/(r − s)) bits.
By combining Theorem 2 with the lower bound of [14], we get that any (s, r, n)-ramp secret sharing scheme must have share size at least
Proof technique and limitations. We prove our lower bounds by analyzing a new game-theoretic relaxation of secret sharing. Here, we focus on threshold schemes, although our argument also applies to ramp schemes. Given an access structure $\mathcal{A}$ and a real-valued parameter θ > 0 we consider the following zero-sum game $G(\mathcal{A}, \theta)$: Alice and Bob pick sets A and B in the access structure $\mathcal{A}$, respectively, and the payoff is $(-\theta)^{|A \setminus B|}$, where $A \setminus B$ denotes set difference. We say Alice wins if she has a strategy with non-negative expected payoff, and Bob wins otherwise.
We show (in Lemma 2) that if Bob wins in the game $G(\mathcal{A}, 1/(q - 1))$, then no secret sharing scheme with share size log q exists. We prove Theorem 2 by constructing such a strategy for Bob.
On the negative side, we show that our analysis is optimal for threshold access structures, so the lower bound in Theorem 1 is tight with respect to this method:

Theorem 3. For all 1 < t < n and 0 < θ ≤ 1/t, Alice wins in the game $G(\mathrm{THR}^n_t, \theta)$.

We also show that, for any total access structure $\mathcal{A}$, this method cannot prove a lower bound exceeding $\log|\min \mathcal{A}| \le \log \binom{n}{n/2} = n - \Omega(\log n)$, where $\min \mathcal{A} = \{A \in \mathcal{A} : \forall B \in \mathcal{A},\ B \not\subset A\}$ is the set of min-terms in $\mathcal{A}$.

Related work
Known frameworks for proving lower bounds. The method of Csirmaz [19] is one of the only previously known general frameworks for proving lower bounds on share size in various access structures.^8 Csirmaz's framework is a linear programming relaxation whose variables are the entropies of the joint distributions of the shares, one for each subset of the parties. Using several Shannon information inequalities, Csirmaz was able to prove an n/log n lower bound on the entropy of shares (in a specific access structure) which, in turn, implies the same lower bound on share size (for a 1-bit secret).
We note that Csirmaz's framework does not give any non-trivial lower bounds on share size for sharing a 1-bit secret for the threshold access structure. Indeed, Csirmaz's method gives a lower bound on the information ratio of an access structure,^9 namely on the ratio between the size of the shares and the size of the secret, and for threshold schemes this ratio is 1 (using Shamir's scheme for a long enough secret; see Claim 5). Kilian and Nisan's [25] proof is the only known argument for threshold schemes and it does not seem to be useful for any other access structure, including the (t, n)-threshold access structures with t close to n.
Csirmaz [19] showed that his framework cannot be used to show a super-linear lower bound on share size for any access structure. This claim was strengthened by Beimel and Orlov [8] who showed that certain additional "non-Shannon type" information inequalities cannot bypass the linear share size barrier (see [28] for a follow-up).
Linear schemes. A secret sharing scheme is linear if the reconstruction procedure is a linear function of the shares (over some abelian group). Most previously known schemes are linear (see [7,12,26] for exceptions) and super-polynomial lower bounds for linear schemes were given in [1,6,22] via their equivalence to monotone span programs [24]. In a very recent work, Cook et al. [16] gave the first exponential lower bound for linear secret sharing schemes by giving an exponential lower bound for monotone span programs.
For linear (2, n)-threshold secret sharing schemes for a 1-bit secret, a log n lower bound on share size was proven by Karchmer and Wigderson [24]. This was generalized by Cramer et al. [18] (via a duality argument) to get a lower bound as in Equation (1). For linear (s, r, n)-ramp secret sharing schemes, Cramer et al. obtained a lower bound as in Equation (2). We emphasize that our lower bounds match the lower bounds of [18] but are not restricted to linear (ramp) secret sharing schemes.

Access Structures and Secret Sharing
Let P = {1, . . ., n} be a set of n parties. A collection of subsets $\mathcal{A} \subseteq 2^P$ is monotone (upward-closed) if for every $B \in \mathcal{A}$ and B ⊆ C it holds that $C \in \mathcal{A}$. The collection is anti-monotone if for every $B \in \mathcal{A}$ and C ⊆ B it holds that $C \in \mathcal{A}$.

Definition 1. A (partial) access structure $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ is a pair of non-empty disjoint collections of subsets $\mathcal{R}$ and $\mathcal{S}$ of $2^P$ such that $\mathcal{R}$ is monotone and $\mathcal{S}$ is anti-monotone. Subsets in $\mathcal{R}$ are called qualified and subsets in $\mathcal{S}$ are called unqualified.

The access structure is total if $\mathcal{R}$ and $\mathcal{S}$ form a partition of $2^P$. If $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ is total we write $R \in \mathcal{A}$ for $R \in \mathcal{R}$ and $S \notin \mathcal{A}$ for $S \in \mathcal{S}$. Our work is mostly about the following two types of access structures:
- The threshold access structure $\mathrm{THR}^n_t$ is a total access structure over n parties in which any t parties can reconstruct and secrecy is guaranteed against any subset of t − 1 parties:
- More generally, in the ramp access structure $\mathrm{RAMP}^n_{s,r}$, any r parties can reconstruct and secrecy is guaranteed against any s parties:
A secret sharing scheme involves a dealer who has a secret, a set of n parties, and a partial access structure $\mathcal{A} = (\mathcal{S}, \mathcal{R})$. A secret sharing scheme for $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ is a method by which the dealer distributes shares to the parties such that any subset in $\mathcal{R}$ can reconstruct the secret from its shares, while any subset in $\mathcal{S}$ cannot reveal any information on the secret. We restrict our definition to 1-bit secrets.

Definition 2 (Secret sharing). A secret sharing scheme of a 1-bit secret for a partial access structure $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ over n parties over share alphabet Σ is a pair of probability distributions $p_0$ and $p_1$ over $\Sigma^n$ with the following properties:
Reconstruction: For every $R \in \mathcal{R}$ the marginal distributions^10 of $p_0$ and $p_1$ on the set R are disjoint.
Secrecy: For every $S \in \mathcal{S}$ the marginal distributions of $p_0$ and $p_1$ on the set S are identical.

An implementation of a secret sharing scheme consists of a sharing algorithm that samples the shares from the probability distribution $p_0$ or $p_1$ depending on the value of the secret and of a reconstruction algorithm that recovers the secret from the joint values of the shares of any qualified subset of parties. The disjointness requirement ensures that recovery by qualified subsets of parties is possible with probability 1. The secrecy requirement ensures that unqualified subsets of parties can extract no information about the secret. Thus, our definition is equivalent to the ones given, for example, in [2, Definition 3.6] and in [3, Definitions 2 and 3].

An alternative formulation of secret sharing.
Here is an equivalent formulation of secret sharing. For $x \in \mathbb{Z}_q^n$, we use $[x]$ to denote the set of non-zero entries of x, namely $[x] = \{i : x_i \ne 0\}$, and $\overline{[x]}$ for the complementary set of zero entries. In this notation, $[x - y]$ is the set of coordinates on which x and y differ and $\overline{[x - y]}$ is the set of coordinates on which they agree. A function $\phi_S : \mathbb{Z}_q^n \to \mathbb{C}$ is an S-junta if the value $\phi_S(x_1, \ldots, x_n)$ is determined by the inputs $x_i : i \in S$.

Lemma 1. A secret sharing scheme of a 1-bit secret for a partial access structure $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ over share alphabet $\mathbb{Z}_q$ exists if and only if there exists a function $f : \mathbb{Z}_q^n \to \mathbb{R}$ that is not identically zero satisfying the following properties:
Reconstruction: For all $x, y \in \mathbb{Z}_q^n$ such that $\overline{[x - y]} \in \mathcal{R}$, $f(x) \cdot f(y) \ge 0$.
Secrecy: For every $S \in \mathcal{S}$ and every S-junta $\phi_S : \mathbb{Z}_q^n \to \mathbb{C}$, $E[f(x)\phi_S(x)] = 0$, where the expectation is over the uniform probability distribution of $x \in \mathbb{Z}_q^n$.

Proof. For a secret sharing scheme $p_0, p_1$, we set $f(x) = p_0(x) - p_1(x)$. The functions $p_0$ and $p_1$ have disjoint support (otherwise even reconstruction by all parties is impossible) so f cannot be identically zero. The reconstruction property implies that if $\overline{[x - y]} \in \mathcal{R}$, then at least one of $p_0$ and $p_1$ must assign zero probability to both x and y, so $f(x) \cdot f(y)$ equals either $p_0(x) \cdot p_0(y)$ or $(-p_1(x)) \cdot (-p_1(y))$. In either case $f(x) \cdot f(y) \ge 0$. For secrecy, since $p_0$ and $p_1$ have the same marginals on $S \in \mathcal{S}$,
In the other direction, let $p_0(x) = C \cdot \max\{f(x), 0\}$ and let $p_1(x) = C \cdot \max\{-f(x), 0\}$ for a suitable scaling constant C > 0 that makes $p_0$ and $p_1$ valid probability distributions (it exists since f is nonzero). We show reconstruction by contrapositive: If $p_0$ and $p_1$ did not have disjoint support on some set $R \in \mathcal{R}$, there would exist $x, y \in \mathbb{Z}_q^n$ such that $p_0(x) > 0$, $p_1(y) > 0$, and $\overline{[x - y]} \supseteq R$ (so $\overline{[x - y]} \in \mathcal{R}$ by monotonicity), implying $f(x) > 0$, $f(y) < 0$, and therefore $f(x) \cdot f(y) < 0$.
For secrecy, by construction we have $f = (p_0 - p_1)/C$, so $E[p_0(x)\phi_S(x)] = E[p_1(x)\phi_S(x)]$ for every test function $\phi_S$ that only depends on coordinates in $S \in \mathcal{S}$. Since no $\phi_S$ can distinguish between $p_0$ and $p_1$ on S, the statistical distance between the marginal distributions of $p_0$ and $p_1$ on S is zero, so the two are identical.

A Zero-Sum Game and Proof of Theorem 2
Given a partial access structure $\mathcal{A} = (\mathcal{S}, \mathcal{R})$ and a real parameter θ > 0 we define the following zero-sum game $G(\mathcal{A}, \theta)$ between Alice and Bob. The actions are a set $A \notin \mathcal{S}$ for Alice and a set $B \in \mathcal{R}$ for Bob. The payoff of the game is $(-\theta)^{|A \setminus B|}$. We say Alice wins if she has a strategy with non-negative expected payoff and we say Bob wins if he has a strategy with negative expected payoff (the expectations are over the randomness of Alice and Bob, respectively). By von Neumann's minimax theorem the game has a unique winner.

Lemma 2. If there exists a secret sharing scheme for $\mathcal{A}$ with alphabet size q ∈ ℕ, then Alice wins in the game $G(\mathcal{A}, 1/(q - 1))$.

Our proof of Lemma 2 uses Fourier analysis, which we briefly recall here. The characters of the group $\mathbb{Z}_q^n$ are the complex-valued functions $\chi_a : \mathbb{Z}_q^n \to \mathbb{C}$, where a ranges over $\mathbb{Z}_q^n$, defined as $\chi_a(x) = \omega^{\langle a, x \rangle}$, $\omega = e^{2\pi i/q}$. The characters are an orthonormal basis with respect to the inner product $\langle f, g \rangle = E_x[f(x) \cdot \overline{g(x)}]$ with x chosen uniformly from $\mathbb{Z}_q^n$. The characters inherit the group structure: $\chi_a \cdot \chi_b = \chi_{a+b}$ and $\chi_a^{-1} = \overline{\chi_a} = \chi_{-a}$. Every function $f : \mathbb{Z}_q^n \to \mathbb{C}$ can then be uniquely written as a linear combination $f = \sum_{a \in \mathbb{Z}_q^n} \hat f(a) \cdot \chi_a$ with the Fourier coefficients $\hat f(a)$ given by

Proof of Lemma 2. We show that Alice has a winning strategy. That is, we show that Alice has a strategy such that for every possible action of Bob, the expected payoff of the game is non-negative.
We identify the alphabet with the elements of the group $\mathbb{Z}_q$. Let $f : \mathbb{Z}_q^n \to \mathbb{R}$ be the function $f(x) = p_0(x) - p_1(x)$. Alice plays set A with probability proportional to $\sum_{a : [a] = A} |\hat f(a)|^2$. By the secrecy part of Lemma 1, $E[f(x) \cdot \chi_a(x)] = 0$ whenever $[a] \in \mathcal{S}$, so Alice's strategy is indeed supported on sets outside $\mathcal{S}$. Now let B be an arbitrary set in $\mathcal{R}$. By the reconstruction part of Lemma 1 and the fact that f is real-valued, for every $x \in \mathbb{Z}_q^n$ and every $z \in \mathbb{Z}_q^n$ such that $\overline{[z]} = B$, we have that
Let x be uniform in $\mathbb{Z}_q^n$ and z be uniform in $\mathbb{Z}_q^n$ conditioned on $\overline{[z]} = B$. Averaging over this distribution, we have
where the first equality follows by writing $f(x)$ and $f(x - z)$ using their Fourier representation and using linearity of expectation, the second equality follows since x and z are independent and since $E_x[\chi_a(x) \cdot \overline{\chi_b(x)}] = 0$ for $a \ne b$, and the last equality follows since z is chosen from a product distribution.
The expression $E[\omega^{a_i z_i}]$ evaluates to one when i is in B (since $z_i$ is fixed to zero). Otherwise, $z_i$ is uniformly distributed over the set $\mathbb{Z}_q \setminus \{0\}$ and
By Equation (3),
Grouping all a's for which $[a] = A$, we get that
Therefore, Alice's strategy has non-negative expected payoff with respect to every possible action of Bob.
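As an added illustration (not code from the paper), the following Python carries Lemma 1 and the proof of Lemma 2 through for one concrete scheme of our choosing: Shamir's (2, 3)-threshold scheme over $\mathbb{Z}_5$ with shares $s + r \cdot i$. It forms $f = p_0 - p_1$, checks the reconstruction and secrecy conditions of Lemma 1 (secrecy through the characters $\chi_a$ whose support $[a]$ is unqualified, since those span the S-juntas), builds Alice's strategy from the squared Fourier coefficients $|\hat f(a)|^2$, and evaluates her expected payoff against every $B \in \mathcal{R}$ at $\theta = 1/(q - 1) = 1/4$.

```python
# Added example: Lemma 1's f = p0 - p1, its Fourier coefficients over Z_q^n, and
# Alice's strategy from the proof of Lemma 2, for Shamir (2,3) over Z_5.
import cmath
from fractions import Fraction
from itertools import product, combinations

Q, N, T = 5, 3, 2                       # our choice: alphabet Z_5, 3 parties, threshold 2
POINTS = list(product(range(Q), repeat=N))


def shamir_dist(secret):
    """p_secret over Z_q^n: the line y = secret + r*i evaluated at i = 1..n, r uniform."""
    dist = {}
    for r in range(Q):
        x = tuple((secret + r * i) % Q for i in range(1, N + 1))
        dist[x] = dist.get(x, Fraction(0)) + Fraction(1, Q)
    return dist


P0, P1 = shamir_dist(0), shamir_dist(1)
F = {x: P0.get(x, Fraction(0)) - P1.get(x, Fraction(0)) for x in POINTS}


def agree(x, y):
    """The set overline{[x - y]} of (1-indexed) coordinates on which x and y agree."""
    return frozenset(i + 1 for i in range(N) if x[i] == y[i])


def qualified(s):
    """Membership in R for THR^n_t."""
    return len(s) >= T


def lemma1_reconstruction():
    """f(x) f(y) >= 0 whenever the agreement set of x and y is qualified."""
    return all(F[x] * F[y] >= 0 for x in POINTS for y in POINTS if qualified(agree(x, y)))


def chi(a, x):
    """Character chi_a(x) = omega^<a,x> with omega = exp(2 pi i / q)."""
    return cmath.exp(2j * cmath.pi * sum(ai * xi for ai, xi in zip(a, x)) / Q)


def fourier_coeff(a):
    """hat f(a) = <f, chi_a> = E_x[f(x) conj(chi_a(x))] over uniform x."""
    return sum(float(F[x]) * chi(a, x).conjugate() for x in POINTS) / len(POINTS)


def support(a):
    """[a]: the non-zero coordinates of a."""
    return frozenset(i + 1 for i in range(N) if a[i] != 0)


def lemma1_secrecy(tol=1e-9):
    """E[f chi_a] = 0 for every a with [a] in S; these characters span the S-juntas."""
    return all(abs(fourier_coeff(a)) < tol for a in POINTS if not qualified(support(a)))


def alice_strategy():
    """Alice plays A with probability proportional to sum_{a : [a] = A} |hat f(a)|^2."""
    w = {}
    for a in POINTS:
        w[support(a)] = w.get(support(a), 0.0) + abs(fourier_coeff(a)) ** 2
    total = sum(w.values())
    return {A: v / total for A, v in w.items() if v > 1e-12}


def alice_payoff(B, theta):
    """E_A[(-theta)^{|A \\ B|}] against Bob's fixed qualified set B."""
    return sum(pr * (-theta) ** len(A - B) for A, pr in alice_strategy().items())


def lemma2_alice_wins(theta=1.0 / (Q - 1)):
    """Lemma 2: at theta = 1/(q-1) Alice's payoff is non-negative against every B in R."""
    parties = range(1, N + 1)
    Bs = [frozenset(c) for k in range(T, N + 1) for c in combinations(parties, k)]
    return all(alice_payoff(B, theta) >= -1e-9 for B in Bs)


if __name__ == "__main__":
    print("Lemma 1 reconstruction:", lemma1_reconstruction())
    print("Lemma 1 secrecy:", lemma1_secrecy())
    print("Alice's strategy:", {tuple(sorted(A)): round(p, 3) for A, p in alice_strategy().items()})
    print("Alice wins at theta = 1/4:", lemma2_alice_wins())
```

For this scheme Alice's strategy puts weight 1/5 on each 2-set and 2/5 on the full set, and her payoff against any 2-set B at θ = 1/4 is exactly zero, which is the boundary behaviour one expects since the scheme's alphabet size q = 5 is where the bound of Lemma 2 is applied.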
Proof of Theorem 2. It is sufficient to prove Theorem 2 in the case n = r + 1: If a secret sharing scheme for $\mathrm{RAMP}^n_{s,r}$ existed, then a secret sharing scheme for $\mathrm{RAMP}^{r+1}_{s,r}$ over the same alphabet can be obtained by discarding the remaining n − r − 1 parties and their shares.
We now give a winning strategy for Bob in the game $G(\mathrm{RAMP}^{r+1}_{s,r}, \theta)$ for any θ > (r − s)/(s + 1). By Lemma 2 it then follows that no secret sharing scheme over an alphabet of size smaller than (r + 1)/(r − s) exists.
Bob's strategy is to uniformly choose a set B of size r (which is in $\mathcal{R}$). Then for every set $A \notin \mathcal{S}$, either A ⊆ B and then |A \ B| = 0, or A ⊄ B and then |A \ B| = 1 (since B includes all parties except one). Thus, for every $A \notin \mathcal{S}$, the expected payoff is
where the inequality follows since |A| ≥ s + 1. If θ > (r − s)/(s + 1) this expression is less than zero, i.e., Bob wins.
It is also possible to deduce Theorem 2 directly from Lemma 2 by showing the existence of a winning strategy for Bob in the game $G(\mathrm{RAMP}^n_{s,r}, \theta)$ whenever θ > (r − s)/(s + 1) (rather than for $G(\mathrm{RAMP}^{r+1}_{s,r}, \theta)$, as we did above). Let R be a random subset of r + 1 parties. Bob's strategy has the form $B = B_0 \cup B_1$, where $B_0$ is a uniformly random subset of R of size r and $B_1$ is a random subset of $\overline{R}$ obtained by including each element independently with probability p = θ/(1 + θ). The value of p is chosen so that a random variable that equals 1 with probability p and −θ with probability 1 − p is unbiased.
Let A, where |A| ≥ s + 1, be any action of Alice. For a fixed choice of R, if A \ R is nonempty, by our choice of the probability p the expected payoff is zero. Otherwise, A is a subset of R, and by Equation (4) the expected payoff is at most −(s + 1) · θ + (r − s) < 0. Since the event A ⊆ R has positive probability the expected payoff is negative and Bob wins.

Limitations of the Game Relaxation
In the case of threshold access structures Theorem 2 shows that Bob has a winning strategy in the game $G(\mathrm{THR}^n_t, \theta)$ whenever θ > 1/t. We now prove Theorem 3, which states that our analysis is optimal: There exists a winning strategy for Alice when θ ≤ 1/t.
We also prove Theorem 4: For every total access structure $\mathcal{A}$ over n parties, Alice has a winning strategy in $G(\mathcal{A}, \theta)$ for every θ ≤ 1/(|min $\mathcal{A}$| − 1). As the proof of Theorem 4 is simpler we present that one first. We remark that Theorem 4 can be generalized to any partial access structure $(\mathcal{S}, \mathcal{R})$ by replacing $\mathcal{A}$ by $\mathcal{R}$ in the proof.
Proof of Theorem 4. Alice's strategy is uniformly random over all min-terms $A \in \min \mathcal{A}$. Then, for every $B \in \mathcal{A}$ and θ < 1, it holds that
This is non-negative when θ ≤ 1/(|min $\mathcal{A}$| − 1).
Proof of Theorem 3. Let $a_0, \ldots, a_n$ be the following sequence of integers:
where $k_j$ is the coefficient of $x^j$ in the formal expansion of $(x + 1)^t \cdot (1/\theta - x)$. By expanding this expression according to the Binomial formula, we see that the numbers $k_0, \ldots, k_t$ are non-negative when θ ≤ 1/t because
≥ 0 for all 0 ≤ j ≤ t. Therefore $a_s$ is also non-negative for all s.
Alice plays set A with probability proportional to the number $a_{|A|}$. We will prove that this is a winning strategy for Alice. When B = {1, . . ., n}, then $E_A[(-\theta)^{|A \setminus B|}] = 1$ and Alice wins. Now let B ⊆ {1, . . ., n} be any set such that t ≤ |B| < n. Let
$a_s w_s$, where $w_s = \sum_{A : |A| = s} \prod_{j \in A} \theta_j$. The number $w_s$ can be represented as the coefficient of $z^s$ in the formal expansion of $g_0(z) = \prod_{j=1}^{n} (1 + \theta_j z)$. Since exactly |B| of the $\theta_j$'s equal 1 and the other n − |B| equal −θ, it follows that
The numbers $a_0, \ldots, a_n$ (as defined in the beginning of the proof) are defined by an order t homogeneous linear recurrence relation with constant coefficients whose characteristic equation is $(x + 1)^t \cdot (1/\theta - x) = 0$. This equation has roots −1 (with multiplicity t) and 1/θ (with multiplicity 1). Therefore,
where $c_0, \ldots, c_{t-1}$ and C are constants determined by the initial conditions on $a_0, \ldots, a_t$. We can now write
Recall that $g_0$ is the generating function of $w_s$, which means that $g_0(z) = \sum_{s=0}^{n} w_s \cdot z^s$. So, the term $\sum_{s=0}^{n} w_s \cdot \theta^{-s}$ equals $g_0(1/\theta) = 0$. To finish the proof, we show that $\sum_{s=0}^{n} w_s \cdot s^i \cdot (-1)^s = 0$ for all i ≤ t − 1 (this implies that Alice's strategy has a 0 payoff, which means that she wins the game). Let $g_i(z) = z \cdot g_{i-1}'(z)$ for 1 ≤ i ≤ t − 1, where $g_{i-1}'$ is the derivative of $g_{i-1}$. On the one hand, since −1 is a root of $g_0$ of multiplicity t, $g_i(-1) = 0$ for all i ≤ t − 1. On the other hand, $g_i(z)$ has the formal expansion $\sum_{s=0}^{n} w_s \cdot s^i \cdot z^s$. Therefore, $\sum_{s=0}^{n} w_s \cdot s^i \cdot (-1)^s$ must equal zero.

Concluding Remarks
Theorem 1 requires that the shares given to all parties have the same length. Its proof extends easily to yield the following generalization: For every n, every 1 < t < n, and every (t, n)-threshold secret sharing scheme in which party i receives a $\log q_i$-bit share and $q_1 \le q_2 \le \cdots \le q_n$, it must hold that
In particular, inequality (6) implies that the average share size must be at least log(t + 1). We sketch the proof in Appendix B. Kilian and Nisan [25] prove the same for (n − t + 1, n)-threshold access structures. By Theorem 3 our analysis of threshold secret sharing is tight within the game-theoretic relaxation that we introduce here. As the lower bound of Kilian and Nisan [25] is incomparable with ours, their analysis cannot be cast in terms of a winning strategy in our game. It is, however, possible to capture both our analysis and that of Kilian and Nisan by a single linear program. We performed computer experiments to investigate the feasibility of one such family of linear programs, but were unable to obtain better lower bounds on share size.
We do not know what is the best possible lower bound on share size that our method can give among all access structures on n parties. Theorem 1 shows that a lower bound of log(n − 1) is attainable, while Theorem 4 shows that a lower bound of $\log \binom{n}{n/2}$ cannot be proved. The best possible bound is the logarithm of $b_n = \min_{\mathcal{A}} \max\{q : \text{Bob wins in } G(\mathcal{A}, 1/(q - 1))\}$, where the minimum is taken over all access structures $\mathcal{A}$ on n parties. We can prove that if the payoff function is replaced by $(-\theta)^{|A \triangle B|}$, where △ is symmetric set difference, then the quantity analogous to $b_n$ is upper bounded by $O(n^2)$.