Strongly Multiplicative and 3-Multiplicative Linear Secret Sharing Schemes
Authors: Zhifang Zhang, Mulan Liu, Yeow Meng Chee
Zhifang Zhang^1, Mulan Liu^1, Yeow Meng Chee^2, San Ling^2, and Huaxiong Wang^{2,3}

1 Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences, Beijing, China, {zfz, mlliu}@amss.ac.cn
2 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, {ymchee, lingsan, hxwang}@ntu.edu.sg
3 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, Australia

Abstract. Strongly multiplicative linear secret sharing schemes (LSSS) have been a powerful tool for constructing secure multi-party computation protocols. However, it remains open whether or not there exist efficient constructions of strongly multiplicative LSSS from general LSSS. In this paper, we propose the new concept of a 3-multiplicative LSSS, and establish its relationship with strongly multiplicative LSSS. More precisely, we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS, but the converse is not true; and that any strongly multiplicative LSSS can be efficiently converted into a 3-multiplicative LSSS. Furthermore, we apply 3-multiplicative LSSS to the computation of unbounded fan-in multiplication, which reduces its round complexity to four (from five of the previous protocol based on strongly multiplicative LSSS). We also give two constructions of 3-multiplicative LSSS from Reed-Muller codes and algebraic geometric codes. We believe that the construction and verification of 3-multiplicative LSSS are easier than those of strongly multiplicative LSSS. This presents a step forward in settling the open problem of efficient constructions of strongly multiplicative LSSS from general LSSS.
Keywords: monotone span program, secure multi-party computation, strongly multiplicative linear secret sharing scheme

1 Introduction

Secure multi-party computation (MPC) [16, 9] is a cryptographic primitive that enables $n$ players to jointly compute an agreed function of their private inputs in a secure way, guaranteeing the correctness of the outputs as well as the privacy of the players' inputs, even when some players are malicious. It has become a fundamental tool in cryptography and distributed computation. Linear secret sharing schemes (LSSS) play an important role in building MPC protocols. Cramer et al. [6] developed a generic method of constructing MPC protocols from LSSS. Assuming that the function to be computed is represented as an arithmetic circuit over a finite field, their protocol ensures that each player shares his private input through an LSSS, and then evaluates the circuit gate by gate. The main idea of their protocol is to keep the intermediate results secretly shared among the players with the underlying LSSS. Due to the nature of linearity, secure additions (and linear operations) can be easily achieved. For instance, if player $P_i$ holds the share $x_{1i}$ for input $x_1$ and $x_{2i}$ for input $x_2$, he can locally compute $x_{1i} + x_{2i}$, which is actually $P_i$'s share for $x_1 + x_2$. Unfortunately, the above homomorphic property does not hold for multiplication. In order to securely compute multiplications, Cramer et al. [6] introduced the concept of multiplicative LSSS, where the product $x_1 x_2$ can be computed as a linear combination of the local products of shares, that is, $x_1 x_2 = \sum_{i=1}^n a_i x_{1i} x_{2i}$ for some constants $a_i$, $1 \le i \le n$. Since $x_{1i} x_{2i}$ can be locally computed by $P_i$, the product can then be securely computed through a linear combination.
Furthermore, in order to resist an active adversary, they defined strongly multiplicative LSSS, where $x_1 x_2$ can be computed as a linear combination of the local products of shares by all players excluding any corrupted subset. Therefore, multiplicativity becomes an important property in constructing secure MPC protocols. For example, using strongly multiplicative LSSS, we can construct an error-free MPC protocol secure against an active adversary in the information-theoretic model [6]. Cramer et al. [7] also gave an efficient reconstruction algorithm for strongly multiplicative LSSS that recovers the secret even when the shares submitted by the corrupted players contain errors. This implicit "built-in" verifiability makes strongly multiplicative LSSS an attractive building block for MPC protocols.

Due to their important role as building blocks in MPC protocols, efficient constructions of multiplicative LSSS and strongly multiplicative LSSS have been studied by several authors in recent years. Cramer et al. [6] developed a generic method of constructing a multiplicative LSSS from any given LSSS with a double expansion of the shares. Nikov et al. [14] studied how to securely compute multiplications in a dual LSSS, without blowing up the shares. For some specific access structures there exist very efficient multiplicative LSSS. Shamir's threshold secret sharing scheme is a well-known example of an ideal (strongly) multiplicative LSSS. Besides, self-dual codes give rise to ideal multiplicative LSSS [7], and Liu et al. [12] provided a further class of ideal multiplicative LSSS for graph access structures. We note that for strongly multiplicative LSSS, the known general construction is of exponential complexity. Käsper et al. [11] gave some efficient constructions for specific access structures (hierarchical threshold structures).
It remains open whether there exists an efficient transformation from a general LSSS to a strongly multiplicative one.

On the other hand, although in a multiplicative LSSS multiplication can be converted into a linear combination of inputs from the players, each player has to reshare the product of his shares; that is, for $1 \le i \le n$, $P_i$ needs to reshare the product $x_{1i} x_{2i}$ to securely compute the linear combination $\sum_{i=1}^n a_i x_{1i} x_{2i}$. This resharing process involves costly interactions among the players. For example, if the players are to securely compute multiple multiplications, $\prod_{i=1}^l x_i$, the simple sequential multiplication requires interaction of round complexity proportional to $l$. Using the technique developed by Bar-Ilan and Beaver [1], Cramer et al. [4] recently showed that the round complexity can be significantly reduced to a constant of five for unbounded fan-in multiplications. However, the method does not seem efficient when $l$ is small. For example, considering $x_1 x_2$ and $x_1 x_2 x_3$, extra rounds of interaction seem unavoidable for computing $x_1 x_2 x_3$ if we apply the method of Cramer et al. [4].

1.1 Our Contribution

In this paper, we propose the concept of 3-multiplicative LSSS. Roughly speaking, a 3-multiplicative LSSS is a generalization of multiplicative LSSS, where the product $x_1 x_2 x_3$ is a linear combination of the local products of shares. As one would expect, a 3-multiplicative LSSS achieves better round complexity for the computation of $\prod_{i=1}^l x_i$ compared to a multiplicative LSSS, if $l \ge 3$. Indeed, it is easy to see that computing the product $\prod_{i=1}^9 x_i$ requires two rounds of interaction for a 3-multiplicative LSSS but four rounds for a multiplicative LSSS.
We also extend the concept of a 3-multiplicative LSSS to the more general $\lambda$-multiplicative LSSS, for all integers $\lambda \ge 3$, and show that $\lambda$-multiplicative LSSS reduce the round complexity by a factor of $\frac{1}{\log \lambda}$ from multiplicative LSSS. In particular, 3-multiplicative LSSS reduce the constant round complexity of computing the unbounded fan-in multiplication from five to four, thus improving a result of Cramer et al. [4].

More importantly, we show that 3-multiplicative LSSS are closely related to strongly multiplicative LSSS. The latter is known to be a powerful tool for constructing secure MPC protocols against active adversaries. More precisely, we show the following: (i) 3-multiplicative LSSS are also strongly multiplicative; (ii) there exists an efficient algorithm that transforms a strongly multiplicative LSSS into a 3-multiplicative LSSS; (iii) an example of a strongly multiplicative LSSS that is not 3-multiplicative.

Our results contribute to the study of MPC in the following three aspects:

– The 3-multiplicative LSSS outperform strongly multiplicative LSSS with respect to round complexity in the construction of secure MPC protocols.

– The 3-multiplicative LSSS are easier to construct than strongly multiplicative LSSS. First, the existence of an efficient transformation from a strongly multiplicative LSSS to a 3-multiplicative LSSS implies that efficiently constructing 3-multiplicative LSSS is not a harder problem. Second, verification of a strongly multiplicative LSSS requires checking the linear combinations for all possibilities of adversary sets, while the verification of a 3-multiplicative LSSS requires only one check.
We give two constructions of LSSS based on Reed-Muller codes and algebraic geometric codes that can be easily verified for 3-multiplicativity, but it does not seem easy to give direct proofs of their strong multiplicativity.

– This work provides two possible directions toward solving the open problem of determining the existence of efficient constructions for strongly multiplicative LSSS. On the negative side, if we can prove that in the information-theoretic model and with polynomial size messages exchanged, computing $x_1 x_2 x_3$ inevitably needs more rounds of interaction than computing $x_1 x_2$, then we can give a negative answer to this open problem. On the positive side, if we can find an efficient construction for 3-multiplicative LSSS, which also results in strongly multiplicative LSSS, then we will have an affirmative answer to this open problem.

1.2 Organization

Section 2 gives notations, the definition of multiplicative LSSS, and general constructions for strongly multiplicative LSSS. Section 3 defines 3-multiplicative LSSS. Section 4 shows the relationship between 3-multiplicative LSSS and strongly multiplicative LSSS. Section 5 gives two constructions of 3-multiplicative LSSS from error-correcting codes, and Section 6 discusses the implications of 3-multiplicative LSSS in MPC. Section 7 concludes the paper.

2 Preliminaries

Throughout this paper, let $P = \{P_1, \ldots, P_n\}$ denote the set of $n$ players and let $K$ be a finite field. In a secret sharing scheme, the collection of all subsets of players that are authorized to recover the secret is called its access structure, and is denoted $\mathcal{AS}$. An access structure possesses the monotone ascending property: if $A' \in \mathcal{AS}$, then for all $A \subseteq P$ with $A \supseteq A'$, we also have $A \in \mathcal{AS}$.
Similarly, the collection of subsets of players that are possibly corrupted is called the adversary structure, and is denoted $\mathcal{A}$. An adversary structure possesses the monotone descending property: if $A' \in \mathcal{A}$, then for all $A \subseteq P$ with $A \subseteq A'$, we also have $A \in \mathcal{A}$. Owing to these monotone properties, it is often sufficient to consider the minimum access structure $\mathcal{AS}_{\min}$ and the maximum adversary structure $\mathcal{A}_{\max}$ defined as follows:
$$\mathcal{AS}_{\min} = \{A \in \mathcal{AS} \mid \forall B \subseteq P,\ B \subsetneq A \Rightarrow B \notin \mathcal{AS}\},$$
$$\mathcal{A}_{\max} = \{A \in \mathcal{A} \mid \forall B \subseteq P,\ B \supsetneq A \Rightarrow B \notin \mathcal{A}\}.$$
In this paper, we consider the complete situation, that is, $\mathcal{A} = 2^P - \mathcal{AS}$. Moreover, an adversary structure $\mathcal{A}$ is called $Q_2$ (respectively, $Q_3$) if any two (respectively, three) sets in $\mathcal{A}$ cannot cover the entire player set $P$. For simplicity, when an adversary structure $\mathcal{A}$ is $Q_2$ (respectively, $Q_3$) we also say the corresponding access structure $\mathcal{AS} = 2^P - \mathcal{A}$ is $Q_2$ (respectively, $Q_3$).

2.1 Linear Secret Sharing Schemes and Monotone Span Programs

Suppose $\mathcal{S}$ is the secret domain, $\mathcal{R}$ is the set of random inputs, and $\mathcal{S}_i$ is the share domain of $P_i$, where $1 \le i \le n$. Let $S$ and $R$ denote random variables taking values in $\mathcal{S}$ and $\mathcal{R}$, respectively. Then $\Pi : \mathcal{S} \times \mathcal{R} \to \mathcal{S}_1 \times \cdots \times \mathcal{S}_n$ is called a secret sharing scheme (SSS) with respect to the access structure $\mathcal{AS}$ if the following two conditions are satisfied:
1. for all $A \in \mathcal{AS}$, $H(S \mid \Pi(S, R)|_A) = 0$;
2. for all $B \notin \mathcal{AS}$, $H(S \mid \Pi(S, R)|_B) = H(S)$,
where $H(\cdot)$ is the entropy function. Furthermore, the secret sharing scheme $\Pi$ is called linear if we have $\mathcal{S} = K$, $\mathcal{R} = K^{l-1}$, and $\mathcal{S}_i = K^{d_i}$ for some positive integers $l$ and $d_i$, $1 \le i \le n$, and the reconstruction of the secret can be performed by taking a linear combination of shares from the authorized players. The quantity $d = \sum_{i=1}^n d_i$ is called the size of the LSSS.
Karchmer and Wigderson [10] introduced monotone span programs (MSP) as a linear model for computing monotone Boolean functions. We denote an MSP by $\mathcal{M}(K, M, \psi, v)$, where $M$ is a $d \times l$ matrix over $K$, $\psi : \{1, \ldots, d\} \to \{P_1, \ldots, P_n\}$ is a surjective labeling map, and $v \in K^l$ is a nonzero vector. We call $d$ the size of the MSP and $v$ the target vector. A monotone Boolean function $f : \{0,1\}^n \to \{0,1\}$ satisfies $f(\delta') \ge f(\delta)$ for any $\delta' \ge \delta$, where $\delta = (\delta_1, \ldots, \delta_n)$, $\delta' = (\delta'_1, \ldots, \delta'_n) \in \{0,1\}^n$, and $\delta' \ge \delta$ means $\delta'_i \ge \delta_i$ for $1 \le i \le n$. We say that an MSP $\mathcal{M}(K, M, \psi, v)$ computes the monotone Boolean function $f$ if $v \in \mathrm{span}\{M_A\}$ if and only if $f(\delta_A) = 1$, where $A$ is a set of players, $M_A$ denotes the matrix $M$ constricted to the rows labeled by players in $A$, $\mathrm{span}\{M_A\}$ denotes the linear space spanned by the row vectors of $M_A$, and $\delta_A$ is the characteristic vector of $A$.

Theorem 1 (Beimel [2]). Suppose $\mathcal{AS}$ is an access structure over $P$ and $f_{\mathcal{AS}}$ is the characteristic function of $\mathcal{AS}$, that is, $f_{\mathcal{AS}}(\delta) = 1$ if and only if $\delta = \delta_A$ for some $A \in \mathcal{AS}$. Then there exists an LSSS of size $d$ that realizes $\mathcal{AS}$ if and only if there exists an MSP of size $d$ that computes $f_{\mathcal{AS}}$.

Since an MSP computes the same Boolean function under linear transformations, we can always assume that the target vector is $e_1 = (1, 0, \ldots, 0)$. From an MSP $\mathcal{M}(K, M, \psi, e_1)$ that computes $f_{\mathcal{AS}}$, we can derive an LSSS realizing $\mathcal{AS}$ as follows: to share a secret $s \in K$, the dealer randomly selects $\rho \in K^{l-1}$, computes $M(s, \rho)^\tau$ and sends $M_{P_i}(s, \rho)^\tau$ to $P_i$ as his share, where $1 \le i \le n$ and $\tau$ denotes the transpose. The following property of MSP is useful in the proofs of our results.

Proposition 1 (Karchmer and Wigderson [10]). Let $\mathcal{M}(K, M, \psi, e_1)$ be an MSP that computes a monotone Boolean function $f$.
Then for all $A \subseteq P$, $e_1 \notin \mathrm{span}\{M_A\}$ if and only if there exists $\rho \in K^{l-1}$ such that $M_A(1, \rho)^\tau = 0^\tau$.

2.2 Multiplicative Linear Secret Sharing Schemes

From Theorem 1, an LSSS can be identified with its corresponding MSP in the following way. Let $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing the access structure $\mathcal{AS}$. Given two vectors $x = (x_1, \ldots, x_d)$, $y = (y_1, \ldots, y_d) \in K^d$, we define $x \diamond y$ to be the vector containing all entries of the form $x_i \cdot y_j$ with $\psi(i) = \psi(j)$. More precisely, let
$$x = (x_{11}, \ldots, x_{1d_1}, \ldots, x_{n1}, \ldots, x_{nd_n}), \qquad y = (y_{11}, \ldots, y_{1d_1}, \ldots, y_{n1}, \ldots, y_{nd_n}),$$
where $\sum_{i=1}^n d_i = d$, and $(x_{i1}, \ldots, x_{id_i})$, $(y_{i1}, \ldots, y_{id_i})$ are the entries distributed to $P_i$ according to $\psi$. Then $x \diamond y$ is the vector composed of the $\sum_{i=1}^n d_i^2$ entries $x_{ij} y_{ik}$, where $1 \le j, k \le d_i$, $1 \le i \le n$. For consistency, we write the entries of $x \diamond y$ in some fixed order. We also define $(x \diamond y)^\tau = x^\tau \diamond y^\tau$.

Definition 1 (Multiplicativity). Let $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing the access structure $\mathcal{AS}$ over $P$. Then $\mathcal{M}$ is called multiplicative if there exists a recombination vector $z \in K^{\sum_{i=1}^n d_i^2}$ such that for all $s, s' \in K$ and $\rho, \rho' \in K^{l-1}$, we have
$$ss' = z\,\big(M(s, \rho)^\tau \diamond M(s', \rho')^\tau\big).$$
Moreover, $\mathcal{M}$ is strongly multiplicative if for all $A \in \mathcal{A} = 2^P - \mathcal{AS}$, $\mathcal{M}_{\bar{A}}$ is multiplicative, where $\mathcal{M}_{\bar{A}}$ denotes the MSP $\mathcal{M}$ constricted to the subset $\bar{A} = P - A$.

Proposition 2 (Cramer et al. [6]). Let $\mathcal{AS}$ be an access structure over $P$. Then there exists a multiplicative (respectively, strongly multiplicative) LSSS realizing $\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_2$ (respectively, $Q_3$).

2.3 General Constructions of Strongly Multiplicative LSSS

For all $Q_2$ access structures $\mathcal{AS}$, Cramer et al.
[6] gave an efficient construction to build a multiplicative LSSS from a general LSSS realizing the same $\mathcal{AS}$. It remains open whether we can efficiently construct a strongly multiplicative LSSS from an LSSS. However, there are general constructions with exponential complexity, as described below.

Since Shamir's threshold secret sharing scheme is strongly multiplicative for all $Q_3$ threshold access structures, a proper composition of Shamir's threshold secret sharing schemes results in a general construction for strongly multiplicative LSSS [6]. Here, we give another general construction based on multiplicative LSSS. Let $\mathcal{AS}$ be any $Q_3$ access structure and $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing $\mathcal{AS}$. For all $A \in \mathcal{A} = 2^P - \mathcal{AS}$, it is easy to see that $\mathcal{M}_{\bar{A}}$ realizes the restricted access structure $\mathcal{AS}_{\bar{A}} = \{B \subseteq \bar{A} \mid B \in \mathcal{AS}\}$. The access structure $\mathcal{AS}_{\bar{A}}$ is $Q_2$ over $\bar{A}$ because $\mathcal{AS}$ is $Q_3$ over $A \cup \bar{A}$. Thus, we can transform $\mathcal{M}_{\bar{A}}$ into a multiplicative LSSS following the general construction of Cramer et al. [6] to obtain a strongly multiplicative LSSS realizing $\mathcal{AS}$. The example in Section 4.3 gives an illustration of this method. We note that both constructions above give LSSS of exponential sizes, and hence are not efficient in general.

3 3-Multiplicative and $\lambda$-Multiplicative LSSS

In this section, we give an equivalent definition for (strongly) multiplicative LSSS. We then define 3-multiplicative LSSS and give a necessary and sufficient condition for its existence. The notion of 3-multiplicativity is also extended to $\lambda$-multiplicativity for all integers $\lambda > 1$. Finally, we present a generic (but inefficient) construction of $\lambda$-multiplicative LSSS.

Under the same notations used in Section 2.2, it is straightforward to see that we have an induced labeling map $\psi' : \{1, \ldots, \sum_{i=1}^n d_i^2\} \to \{P_1, \ldots, P_n\}$
on the entries of $x \diamond y$, distributing the entry $x_{ij} y_{ik}$ to $P_i$, since both $x_{ij}$ and $y_{ik}$ are labeled by $P_i$ under $\psi$. For an MSP $\mathcal{M}(K, M, \psi, e_1)$, denote $M = (M_1, \ldots, M_l)$, where $M_i \in K^d$ is the $i$-th column vector of $M$, $1 \le i \le l$. We construct a new matrix $M^\diamond$ as follows:
$$M^\diamond = (M_1 \diamond M_1, \ldots, M_1 \diamond M_l,\ M_2 \diamond M_1, \ldots, M_2 \diamond M_l,\ \ldots,\ M_l \diamond M_1, \ldots, M_l \diamond M_l).$$
For consistency, we also denote $M^\diamond$ as $M \diamond M$. Obviously, $M^\diamond$ is a matrix over $K$ with $\sum_{i=1}^n d_i^2$ rows and $l^2$ columns. For any two vectors $u, v \in K^l$, it is easy to verify that
$$(M u^\tau) \diamond (M v^\tau) = M^\diamond (u \otimes v)^\tau,$$
where $u \otimes v$ denotes the tensor product with its entries written in a proper order. Define the induced labeling map $\psi'$ on the rows of $M^\diamond$. We have the following proposition.

Proposition 3. Let $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing the access structure $\mathcal{AS}$, and let $M^\diamond$ be with the labeling map $\psi'$. Then $\mathcal{M}$ is multiplicative if and only if $e_1 \in \mathrm{span}\{M^\diamond\}$, where $e_1 = (1, 0, \ldots, 0)$. Moreover, $\mathcal{M}$ is strongly multiplicative if and only if $e_1 \in \mathrm{span}\{(M^\diamond)_{\bar{A}}\}$ for all $A \in \mathcal{A} = 2^P - \mathcal{AS}$.

Proof. By Definition 1, $\mathcal{M}$ is multiplicative if and only if $ss' = z(M(s, \rho)^\tau \diamond M(s', \rho')^\tau)$ for all $s, s' \in K$ and $\rho, \rho' \in K^{l-1}$. Obviously,
$$M(s, \rho)^\tau \diamond M(s', \rho')^\tau = M^\diamond \big((s, \rho) \otimes (s', \rho')\big)^\tau = M^\diamond (ss', \rho'')^\tau, \qquad (1)$$
where $(ss', \rho'') = (s, \rho) \otimes (s', \rho')$. On the other hand, $ss' = e_1 (ss', \rho'')^\tau$. Thus $\mathcal{M}$ is multiplicative if and only if
$$(e_1 - z M^\diamond)(ss', \rho'')^\tau = 0. \qquad (2)$$
Because of the arbitrariness of $s, s', \rho$ and $\rho'$, equality (2) holds if and only if $e_1 - z M^\diamond = 0$. Thus $e_1 \in \mathrm{span}\{M^\diamond\}$. The latter part of the proposition can be proved similarly.

Now we are ready to give the definition of 3-multiplicative LSSS.
We extend the diamond product "$\diamond$" and define $x \diamond y \diamond z$ to be the vector containing all entries of the form $x_i y_j z_k$ with $\psi(i) = \psi(j) = \psi(k)$, where the entries of $x \diamond y \diamond z$ are written in some fixed order.

Definition 2 (3-Multiplicativity). Let $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing the access structure $\mathcal{AS}$. Then $\mathcal{M}$ is called 3-multiplicative if there exists a recombination vector $z \in K^{\sum_{i=1}^n d_i^3}$ such that for all $s_1, s_2, s_3 \in K$ and $\rho_1, \rho_2, \rho_3 \in K^{l-1}$, we have
$$s_1 s_2 s_3 = z\,\big(M(s_1, \rho_1)^\tau \diamond M(s_2, \rho_2)^\tau \diamond M(s_3, \rho_3)^\tau\big).$$

We can derive an equivalent definition for 3-multiplicative LSSS, similar to Proposition 3: $\mathcal{M}$ is 3-multiplicative if and only if $e_1 \in \mathrm{span}\{(M \diamond M \diamond M)\}$. The following proposition gives a necessary and sufficient condition for the existence of 3-multiplicative LSSS.

Proposition 4. For all access structures $\mathcal{AS}$, there exists a 3-multiplicative LSSS realizing $\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_3$.

Proof. Suppose $\mathcal{M}(K, M, \psi, e_1)$ is a 3-multiplicative LSSS realizing $\mathcal{AS}$, and suppose to the contrary that $\mathcal{AS}$ is not $Q_3$, so there exist $A_1, A_2, A_3 \in \mathcal{A} = 2^P - \mathcal{AS}$ such that $A_1 \cup A_2 \cup A_3 = P$. By Proposition 1, there exists $\rho_i \in K^{l-1}$ such that $M_{A_i}(1, \rho_i)^\tau = 0^\tau$ for $1 \le i \le 3$. Since $A_1 \cup A_2 \cup A_3 = P$, we have
$$M(1, \rho_1)^\tau \diamond M(1, \rho_2)^\tau \diamond M(1, \rho_3)^\tau = 0^\tau,$$
which contradicts Definition 2. On the other hand, a general construction for building a 3-multiplicative LSSS from a strongly multiplicative LSSS is given in the next section, thus sufficiency is guaranteed by Proposition 2.

A trivial example of a 3-multiplicative LSSS is Shamir's threshold secret sharing scheme that realizes any $Q_3$ threshold access structure.
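The following is an added, runnable illustration written for this page (it is not code from the paper) of Shamir's scheme in the MSP language of Sections 2.1 and 2.2: sharing as $M(s,\rho)^\tau$, the span condition of Theorem 1 with an explicit recombination vector, the privacy witness of Proposition 1, and the multiplicative, strongly multiplicative and 3-multiplicative recombinations of Definitions 1 and 2 (with the general $\lambda$ of Definition 3). The prime modulus, the degree bound $T$ and the evaluation points are constructed for the example; any prime larger than $n$ would do.

```python
import math

# Added example for this page (not the paper's code): Shamir's threshold scheme in the MSP
# language of Sections 2.1-2.2.  Player P_i is labelled with the single row
# (1, a_i, a_i^2, ..., a_i^T) of a Vandermonde matrix and the target vector is e_1, so
# M (s, rho)^T hands P_i the value f(a_i) of f(x) = s + rho_1 x + ... + rho_T x^T.
# Assumptions (constructed): the prime modulus, the degree bound T and the points a_i.
PRIME = 7919
T = 2                           # any T+1 players reconstruct; any T players learn nothing
POINTS = [1, 2, 3, 4, 5, 6, 7]  # a_1..a_n, n = 7: A_max is the 2-sets, so AS is Q_3 but not Q_4
N = len(POINTS)


def msp_row(a):
    """Row of M labelled to the player whose evaluation point is a."""
    return [pow(a, j, PRIME) for j in range(T + 1)]


def share(s, rho):
    """M (s, rho)^T: entry i is P_i's share f(a_i); rho holds the T random coefficients."""
    coeffs = [s % PRIME] + [r % PRIME for r in rho]
    return [sum(m * c for m, c in zip(msp_row(a), coeffs)) % PRIME for a in POINTS]


def recombination_vector(idxs):
    """Lagrange coefficients c_i at 0: sum_i c_i g(a_i) = g(0) whenever deg g < len(idxs)."""
    coeffs = []
    for i in idxs:
        num, den = 1, 1
        for j in idxs:
            if j != i:
                num = num * (-POINTS[j]) % PRIME
                den = den * (POINTS[i] - POINTS[j]) % PRIME
        coeffs.append(num * pow(den, PRIME - 2, PRIME) % PRIME)
    return coeffs


def recombine(idxs, values):
    """Linear reconstruction from the entries held by the players in idxs."""
    return sum(c * values[i] for c, i in zip(recombination_vector(idxs), idxs)) % PRIME


def spans_e1(idxs):
    """Theorem 1's condition e_1 in span{M_A}, checked with the explicit coefficients above."""
    c = recombination_vector(idxs)
    comb = [sum(ci * msp_row(POINTS[i])[j] for ci, i in zip(c, idxs)) % PRIME
            for j in range(T + 1)]
    return comb == [1] + [0] * T


def privacy_witness(idxs):
    """Proposition 1 witness for an unauthorized set A (|A| <= T): rho with M_A (1, rho)^T = 0.
    f(x) = prod_{i in A} (1 - x / a_i) has f(0) = 1, f(a_i) = 0 and degree |A| <= T."""
    poly = [1]
    for i in idxs:
        inv = pow(POINTS[i], PRIME - 2, PRIME)
        nxt = [0] * (len(poly) + 1)
        for k, c in enumerate(poly):              # multiply poly by (1 - inv * x)
            nxt[k] = (nxt[k] + c) % PRIME
            nxt[k + 1] = (nxt[k + 1] - c * inv) % PRIME
        poly = nxt
    poly += [0] * (T + 1 - len(poly))
    return poly[1:]


def product_of_secrets(secrets, rhos, players=None):
    """Definition 3 for Shamir: the product of lambda secrets is a linear combination of the
    local products x_{1i} x_{2i} ... x_{lambda i}, which are evaluations of a polynomial of
    degree lambda*T, so any lambda*T + 1 players' entries recombine to it.  Passing the
    complement of a corrupted T-set as `players` (with lambda = 2) is the strongly
    multiplicative case of Definition 1."""
    lam = len(secrets)
    if lam * T + 1 > N:
        raise ValueError("Shamir is lambda-multiplicative only when lambda*T < n")
    if players is None:
        players = list(range(lam * T + 1))
    if len(players) < lam * T + 1:
        raise ValueError("too few honest players for the degree lambda*T product")
    shares = [share(s, r) for s, r in zip(secrets, rhos)]
    local = [math.prod(col) % PRIME for col in zip(*shares)]   # computed by each P_i alone
    return recombine(players, local)


if __name__ == "__main__":
    print(recombine([0, 1, 2], share(3, (11, 13))))                       # 3
    print(spans_e1([0, 3, 5]), spans_e1([0, 3]))                            # True False
    print(share(1, privacy_witness([1, 4])))                                # zeros at 1 and 4
    print(product_of_secrets([3, 5, 7], [(11, 13), (17, 19), (23, 29)]))  # 105
```

With $T = 2$ and $n = 7$ the products of two and of three secrets recombine from $5$ and $7$ players respectively, and excluding a corrupted 2-set still leaves the $5$ players needed for a product of two, which is exactly the strong multiplicativity used in Section 1; four secrets would need $9$ points, matching Corollary 1's $Q_\lambda$ condition, so the function refuses that case.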
Using an identical argument to the case of strongly multiplicative LSSS, we have a general construction for 3-multiplicative LSSS based on Shamir's threshold secret sharing schemes, with exponential complexity.

For any $\lambda$ vectors $x_i = (x_{i1}, \ldots, x_{id}) \in K^d$, $1 \le i \le \lambda$, we define $\diamond_{i=1}^\lambda x_i$ to be the $\sum_{i=1}^n d_i^\lambda$-dimensional vector which contains entries of the form $\prod_{i=1}^\lambda x_{i j_i}$ with $\psi(j_1) = \cdots = \psi(j_\lambda)$.

Definition 3 ($\lambda$-Multiplicativity). Let $\mathcal{M}(K, M, \psi, e_1)$ be an LSSS realizing the access structure $\mathcal{AS}$, and let $\lambda > 1$ be an integer. Then $\mathcal{M}$ is $\lambda$-multiplicative if there exists a recombination vector $z$ such that for all $s_1, \ldots, s_\lambda \in K$ and $\rho_1, \ldots, \rho_\lambda \in K^{l-1}$, we have
$$\prod_{i=1}^\lambda s_i = z\,\Big(\diamond_{i=1}^\lambda M(s_i, \rho_i)^\tau\Big).$$
Moreover, $\mathcal{M}$ is strongly $\lambda$-multiplicative if for all $A \notin \mathcal{AS}$, the constricted LSSS $\mathcal{M}_{\bar{A}}$ is $\lambda$-multiplicative.

Again, we can define a new matrix by taking the diamond product of $\lambda$ copies of $M$. This gives an equivalence to (strongly) $\lambda$-multiplicative LSSS. Also, since Shamir's threshold secret sharing scheme is trivially $\lambda$-multiplicative and strongly $\lambda$-multiplicative, a proper composition of Shamir's threshold secret sharing schemes results in a general construction for both $\lambda$-multiplicative LSSS and strongly $\lambda$-multiplicative LSSS. Let $Q_\lambda$ be a straightforward extension of $Q_2$ and $Q_3$, that is, an access structure $\mathcal{AS}$ is $Q_\lambda$ if the player set $P$ cannot be covered by $\lambda$ sets in $\mathcal{A} = 2^P - \mathcal{AS}$. The following corollary is easy to prove.

Corollary 1. Let $\mathcal{AS}$ be an access structure over $P$. Then there exists a $\lambda$-multiplicative (respectively, strongly $\lambda$-multiplicative) LSSS realizing $\mathcal{AS}$ if and only if $\mathcal{AS}$ is $Q_\lambda$ (respectively, $Q_{\lambda+1}$).
Since a $\lambda$-multiplicative LSSS transforms the product of $\lambda$ entries into a linear combination of the local products of shares, it can be used to simplify the secure computation of sequential multiplications. In particular, when compared to using only the multiplicative property (which corresponds to the case $\lambda = 2$), a $\lambda$-multiplicative LSSS can lead to reduced round complexity by a factor of $\frac{1}{\log \lambda}$ in certain cases.

We also point out that $Q_\lambda$ is not a necessary condition for secure computation. Instead, the necessary condition is $Q_2$ for the passive adversary model, or $Q_3$ for the active adversary model [6]. The condition $Q_\lambda$ is just a necessary condition for the existence of $\lambda$-multiplicative LSSS, which can be used to simplify computation. In practice, many threshold adversary structures satisfy the $Q_\lambda$ condition for some appropriate integer $\lambda$, and the widely used Shamir's threshold secret sharing scheme is already $\lambda$-multiplicative. By using this $\lambda$-multiplicativity, we can get more efficient MPC protocols. However, since the special case $\lambda = 3$ shows a close relationship with strongly multiplicative LSSS, a fundamental tool in MPC, this paper focuses on 3-multiplicative LSSS.

4 Strong Multiplicativity and 3-Multiplicativity

In this section, we show that strong multiplicativity and 3-multiplicativity are closely related. On the one hand, given a strongly multiplicative LSSS, there is an efficient transformation that converts it to a 3-multiplicative LSSS. On the other hand, we show that any 3-multiplicative LSSS is a strongly multiplicative LSSS, but the converse is not true. It should be noted that strong multiplicativity, as defined, has a combinatorial nature. The definition of 3-multiplicativity is essentially algebraic, which is typically easier to verify.
4.1 From Strong Multiplicativity to 3-Multiplicativity

We show a general method to efficiently build a 3-multiplicative LSSS from a strongly multiplicative LSSS, for all $Q_3$ access structures. As an extension, the proposed method can also be used to efficiently build a $(\lambda+1)$-multiplicative LSSS from a strongly $\lambda$-multiplicative LSSS.

Theorem 2. Let $\mathcal{AS}$ be a $Q_3$ access structure and $\mathcal{M}(K, M, \psi, e_1)$ be a strongly multiplicative LSSS realizing $\mathcal{AS}$. Suppose that $\mathcal{M}$ has size $d$ and $|\psi^{-1}(P_i)| = d_i$, for $1 \le i \le n$. Then there exists a 3-multiplicative LSSS for $\mathcal{AS}$ of size $O(d^2)$.

Proof. We give a constructive proof. Let $M^\diamond$ be the matrix defined in Section 3, and $\psi'$ be the induced labeling map on the rows of $M^\diamond$. Then we have an LSSS $\mathcal{M}^\diamond(K, M^\diamond, \psi', e_1)$ that realizes an access structure $\mathcal{AS}^\diamond$. Because $\mathcal{M}$ is strongly multiplicative, by Proposition 3 we have $e_1 \in \mathrm{span}\{(M^\diamond)_{\bar{A}}\}$ for all $A \notin \mathcal{AS}$. Therefore $\bar{A} \in \mathcal{AS}^\diamond$, and it follows that $\mathcal{AS}^* \subseteq \mathcal{AS}^\diamond$, where $\mathcal{AS}^*$ denotes the dual access structure of $\mathcal{AS}$, defined by $\mathcal{AS}^* = \{A \subseteq P \mid P - A \notin \mathcal{AS}\}$.

The equality (1) in the proof of Proposition 3 shows that the diamond product of two share vectors equals sharing the product of the two secrets by the MSP $\mathcal{M}^\diamond(K, M^\diamond, \psi', e_1)$, that is,
$$(M(s_1, \rho'_1)^\tau) \diamond (M(s_2, \rho'_2)^\tau) = M^\diamond (s_1 s_2, \rho)^\tau,$$
for some $\rho'_1, \rho'_2, \rho \in K^{l-1}$. Thus, using a method similar to Nikov et al. [14], we can get the product $(s_1 s_2) \cdot s_3$ by sharing $s_3$ through the dual MSP of $\mathcal{M}^\diamond$, denoted by $(\mathcal{M}^\diamond)^*$. Furthermore, since $(\mathcal{M}^\diamond)^*$ realizes the dual access structure $(\mathcal{AS}^\diamond)^*$ and $(\mathcal{AS}^\diamond)^* \subseteq (\mathcal{AS}^*)^* = \mathcal{AS}$, we can build a 3-multiplicative LSSS by the union of $\mathcal{M}$ and $(\mathcal{M}^\diamond)^*$, which realizes the access structure $\mathcal{AS} \cup (\mathcal{AS}^\diamond)^* = \mathcal{AS}$. Now following the same method of Cramer et al.
and Fehr [6, 8], we prove the required result via the construction below. Compute the column vector $v_0$ as a solution to the equation $(M^\diamond)^\tau v = e_1^\tau$ for $v$, and compute $v_1, \ldots, v_k$ as a basis of the solution space to $(M^\diamond)^\tau v = 0^\tau$. Note that $(M^\diamond)^\tau v = e_1^\tau$ is solvable because $e_1 \in \mathrm{span}\{(M^\diamond)_{\bar{A}}\}$ for all $A \notin \mathcal{AS}$, while $(M^\diamond)^\tau v = 0^\tau$ may only have the trivial solution $v = 0$ and $k = 0$. Let
$$M' = \begin{pmatrix} m_{11} & \cdots & m_{1l} & & & \\ \vdots & \ddots & \vdots & & & \\ m_{d1} & \cdots & m_{dl} & & & \\ v_0 & & & v_1 & \cdots & v_k \end{pmatrix},$$
where $\begin{pmatrix} m_{11} & \cdots & m_{1l} \\ \vdots & \ddots & \vdots \\ m_{d1} & \cdots & m_{dl} \end{pmatrix} = M$ and the blanks in $M'$ denote zeros. Define a labeling map $\psi''$ on the rows of $M'$ which labels the first $d$ rows of $M'$ according to $\psi$ and the other $\sum_{i=1}^n d_i^2$ rows according to $\psi'$. As mentioned above, $\mathcal{M}'(K, M', \psi'', e_1)$ obviously realizes the access structure $\mathcal{AS}$. We now verify its 3-multiplicativity.

Let $N = (v_0, v_1, \ldots, v_k)$, a matrix over $K$ with $\sum_{i=1}^n d_i^2$ rows and $k+1$ columns. For $s_i \in K$ and $\rho_i = (\rho'_i, \rho''_i) \in K^{l-1} \times K^k$, $1 \le i \le 3$, denote $M'(s_i, \rho_i)^\tau = (u_i, w_i)^\tau$, where $u_i^\tau = M(s_i, \rho'_i)^\tau$ and $w_i^\tau = N(s_i, \rho''_i)^\tau$. We have
$$u_1^\tau \diamond u_2^\tau = (M(s_1, \rho'_1)^\tau) \diamond (M(s_2, \rho'_2)^\tau) = M^\diamond (s_1 s_2, \rho)^\tau,$$
where $(s_1 s_2, \rho) = (s_1, \rho'_1) \otimes (s_2, \rho'_2)$. Then,
$$(u_1 \diamond u_2) \cdot w_3^\tau = (s_1 s_2, \rho)\,(M^\diamond)^\tau \cdot N \begin{pmatrix} s_3 \\ \rho''_3 \end{pmatrix} = (s_1 s_2, \rho) \begin{pmatrix} 1 & 0 & \cdots & 0 \\ 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 0 \end{pmatrix} \begin{pmatrix} s_3 \\ \rho''_3 \end{pmatrix} = s_1 s_2 s_3.$$
It is easy to see that $(u_1 \diamond u_2) \cdot w_3^\tau$ is a linear combination of the entries from $(u_1 \diamond u_2) \diamond w_3$, and so is a linear combination of the entries from $M'(s_1, \rho_1)^\tau \diamond M'(s_2, \rho_2)^\tau \diamond M'(s_3, \rho_3)^\tau$. Hence $\mathcal{M}'$ is a 3-multiplicative LSSS for $\mathcal{AS}$. Obviously, the size of $\mathcal{M}'$ is $O(d^2)$, since $d + \sum_{i=1}^n d_i^2 < d^2 + d$.
If we replace the matrix $M^\diamond$ above by the diamond product of $\lambda$ copies of $M$, using an identical argument, the construction from Theorem 2 gives rise to a $(\lambda+1)$-multiplicative LSSS from a strongly $\lambda$-multiplicative LSSS.

Corollary 2. Let $\mathcal{AS}$ be a $Q_{\lambda+1}$ access structure and $\mathcal{M}(K, M, \psi, e_1)$ be a strongly $\lambda$-multiplicative LSSS realizing $\mathcal{AS}$. Suppose the size of $\mathcal{M}$ is $d$ and $|\psi^{-1}(P_i)| = d_i$, for $1 \le i \le n$. Then there exists a $(\lambda+1)$-multiplicative LSSS for $\mathcal{AS}$ of size $O(d^\lambda)$.

4.2 From 3-Multiplicativity to Strong Multiplicativity

Theorem 3. Any 3-multiplicative LSSS is strongly multiplicative.

Proof. Let $\mathcal{M}(K, M, \psi, e_1)$ be a 3-multiplicative LSSS realizing the access structure $\mathcal{AS}$ over $P$. For all $A \in \mathcal{A} = 2^P - \mathcal{AS}$, by Proposition 1, we can choose a fixed vector $\rho'' \in K^{l-1}$ such that $M_A(1, \rho'')^\tau = 0^\tau$. There exists a recombination vector $z \in K^{\sum_{i=1}^n d_i^3}$ such that for all $s, s' \in K$ and $\rho, \rho' \in K^{l-1}$, we have
$$ss' = z\,\big(M(s, \rho)^\tau \diamond M(s', \rho')^\tau \diamond M(1, \rho'')^\tau\big).$$
Since $M_A(1, \rho'')^\tau = 0^\tau$, and $M_{\bar{A}}(1, \rho'')^\tau$ is a constant vector for fixed $\rho''$, the vector $z' \in K^{\sum_{P_i \notin A} d_i^2}$ that satisfies
$$z\,\big(M(s, \rho)^\tau \diamond M(s', \rho')^\tau \diamond M(1, \rho'')^\tau\big) = z'\,\big(M_{\bar{A}}(s, \rho)^\tau \diamond M_{\bar{A}}(s', \rho')^\tau\big)$$
can be easily determined. Thus $ss' = z'(M_{\bar{A}}(s, \rho)^\tau \diamond M_{\bar{A}}(s', \rho')^\tau)$. Hence, $\mathcal{M}$ is strongly multiplicative.

Although 3-multiplicative LSSS are a subclass of strongly multiplicative LSSS, one of the advantages of 3-multiplicativity is that its verification admits a simpler process. For 3-multiplicativity, we need only check that $e_1 \in \mathrm{span}\{(M \diamond M \diamond M)\}$, while strong multiplicativity requires the verification of $e_1 \in \mathrm{span}\{(M \diamond M)_{\bar{A}}\}$ for all $A \notin \mathcal{AS}$.
Using a similar argument, the following results for $(\lambda+1)$-multiplicativity can be proved:

(i) A $(\lambda+1)$-multiplicative LSSS is a strongly $\lambda$-multiplicative LSSS.

(ii) A $\lambda$-multiplicative LSSS is a $\lambda'$-multiplicative LSSS, where $1 < \lambda' < \lambda$.

4.3 An Example of a Strongly Multiplicative LSSS that is Not 3-Multiplicative

We give an example of a strongly multiplicative LSSS that is not 3-multiplicative. It follows that the 3-multiplicative LSSS are strictly contained in the class of strongly multiplicative LSSS. The construction process is as follows. Start with an LSSS that realizes a $Q_3$ access structure but is not strongly multiplicative. We then apply the general construction given in Section 2.3 to convert it into a strongly multiplicative LSSS. The resulting LSSS is, however, not 3-multiplicative.

Let $P = \{P_1, P_2, P_3, P_4, P_5, P_6\}$ be the set of players. Consider the access structure $AS$ over $P$ defined by

$$AS_{\min} = \{(1,2), (3,4), (5,6), (1,5), (1,6), (2,6), (2,5), (3,6), (4,5)\},$$

where we use subscripts to denote the corresponding players. For example, $(1,2)$ denotes the subset $\{P_1, P_2\}$. It is easy to verify that the corresponding adversary structure is

$$\mathcal{A}_{\max} = \{(1,3), (1,4), (2,3), (2,4), (3,5), (4,6)\},$$

and that $AS$ is a $Q_3$ access structure. Let $K = F_2$. Define the matrix $M$ over $F_2$ with the labeling map $\psi$ such that

$$M_{P_1} = \begin{pmatrix} 1 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix}, \quad M_{P_2} = \begin{pmatrix} 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix}, \quad M_{P_3} = \begin{pmatrix} 1 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 \end{pmatrix},$$

$$M_{P_4} = \begin{pmatrix} 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 & 0 \end{pmatrix}, \quad M_{P_5} = \begin{pmatrix} 1 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 1 & 0 \end{pmatrix}, \quad M_{P_6} = \begin{pmatrix} 0 & 1 & 1 & 0 & 0 \\ 1 & 0 & 0 & 0 & 1 \end{pmatrix}.$$

It can be verified that the LSSS $\mathcal{M}(F_2, M, \psi, e_1)$ realizes the access structure $AS$. Moreover, for all $A \in \mathcal{A} - \{(1,3), (1,4)\}$, the constricted LSSS $M_A$ is multiplicative.
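The claims about this six-player scheme can be checked mechanically. The following Python code is an added verification, not part of the paper: it transcribes $M$ row by row, confirms that $e_1$ lies in the span of the rows of every minimal qualified set and of no maximal adversary set, checks the $Q_3$ property, and finds the adversary sets $A$ for which $M$ constricted to $P - A$ fails to be multiplicative (i.e. $e_1 \otimes e_1$ is not in the span of the per-player pairwise row products).

```python
from itertools import combinations_with_replacement

L = 5  # number of columns of M; the target vector is e_1 = (1,0,0,0,0)

# Rows of M grouped by player, transcribed from the paper row by row.
# A row "10100" is (1,0,1,0,0); bit j of its integer form is coordinate j+1.
M = {
    1: ["10100", "00010", "00001"],
    2: ["00100", "00010", "00001"],
    3: ["11000", "00001"],
    4: ["01000", "00010"],
    5: ["11100", "10010"],
    6: ["01100", "10001"],
}
AS_MIN = [(1, 2), (3, 4), (5, 6), (1, 5), (1, 6), (2, 6), (2, 5), (3, 6), (4, 5)]
A_MAX = [(1, 3), (1, 4), (2, 3), (2, 4), (3, 5), (4, 6)]
PLAYERS = set(M)

def vec(bits):
    """Encode an F_2 row vector as an integer (bit j <-> coordinate j+1)."""
    return sum(1 << j for j, b in enumerate(bits) if b == "1")

def reduce_vec(v, pivots):
    """Reduce v against an echelon basis indexed by highest set bit."""
    while v and (v.bit_length() - 1) in pivots:
        v ^= pivots[v.bit_length() - 1]
    return v

def in_span_gf2(rows, target):
    """Is target in the F_2-span of rows? (Gaussian elimination on bit vectors.)"""
    pivots = {}
    for r in rows:
        r = reduce_vec(r, pivots)
        if r:
            pivots[r.bit_length() - 1] = r
    return reduce_vec(target, pivots) == 0

def kron(u, v):
    """u ⋄ v for two length-L vectors: their Kronecker product, a length-L*L vector."""
    return sum(v << (L * i) for i in range(L) if u >> i & 1)

def qualified(players):
    """A set of players is qualified iff e_1 lies in the span of their rows of M."""
    return in_span_gf2([vec(r) for p in players for r in M[p]], vec("10000"))

def realizes_AS():
    """Every minimal qualified set reconstructs; no maximal adversary set does."""
    return all(qualified(b) for b in AS_MIN) and not any(qualified(a) for a in A_MAX)

def is_Q3():
    """Q_3: no three adversary sets cover the whole player set."""
    return all(set(a) | set(b) | set(c) != PLAYERS
               for a, b, c in combinations_with_replacement(A_MAX, 3))

def constricted_multiplicative(players):
    """Multiplicativity of M constricted to `players`: e_1 ⊗ e_1 must lie in the
    span of the rows of (M ⋄ M) restricted to those players, i.e. of all
    pairwise Kronecker products of rows belonging to the same player."""
    prod_rows = [kron(vec(u), vec(v)) for p in players for u in M[p] for v in M[p]]
    return in_span_gf2(prod_rows, 1)  # e_1 ⊗ e_1 has its single 1 at position (1,1)

def non_multiplicative_adversary_sets():
    """Adversary sets A for which M constricted to P - A is not multiplicative."""
    return {a for a in A_MAX if not constricted_multiplicative(PLAYERS - set(a))}
```

Running `non_multiplicative_adversary_sets()` returns exactly the two sets $(1,3)$ and $(1,4)$ named in the text, which is why those are the two constrictions expanded in the next step.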
Thus, in order to get a strongly multiplicative LSSS, we just need to expand $M$ with multiplicativity when constricted to both $\{P_2, P_4, P_5, P_6\}$ and $\{P_2, P_3, P_5, P_6\}$. Firstly, consider the LSSS $\mathcal{M}$ constricted to $P' = \{P_2, P_4, P_5, P_6\}$. Obviously, $M_{P'}$ realizes the access structure $AS'_{\min} = \{(5,6), (2,6), (2,5), (4,5)\}$, which is $Q_2$ over $P'$. By the method of Cramer et al. [6], we can transform $M_{P'}$ into the multiplicative LSSS $\mathcal{M}'_{P'}(F_2, M', \psi', e_1)$ whose player matrices have the following entries, where the blanks in the matrices denote zeros:

$M'_{P_2}$: 0 0 1 0 0 0 0 0 1 0 0 0 0 0 1 0 1 1 1 1 1 0 0 0 0 0 1;

$M'_{P_4}$: 0 1 0 0 0 0 0 0 1 0 0 1 1 1 1 0 0 0;

$M'_{P_5}$: 1 1 1 0 0 1 0 0 1 0 1 0 1 0 1 0 0 1 0 0;

$M'_{P_6}$: 0 1 1 0 0 1 0 0 0 1 1 0 0 1 0 0 0 0 0 1.

For consistency, we define $M'_{P_1} = (M_{P_1} \; O_{3 \times 4})$ and $M'_{P_3} = (M_{P_3} \; O_{2 \times 4})$, where $O_{m \times n}$ denotes the $m \times n$ matrix of all zeros. It can be verified that for the subset $P'' = \{P_2, P_3, P_5, P_6\}$, the constricted LSSS $M'_{P''}$ is indeed multiplicative. Therefore, $\mathcal{M}'(F_2, M', \psi', e_1)$ is a strongly multiplicative LSSS realizing the access structure $AS$. Furthermore, it can be verified that $M'$ is not 3-multiplicative (the verification involves checking a $443 \times 729$ matrix using Matlab). The scheme $\mathcal{M}(F_2, M, \psi, e_1)$ given above is the first example of an LSSS which realizes a $Q_3$ access structure but is not strongly multiplicative.

5 Constructions for 3-Multiplicative LSSS

It is tempting to find efficient constructions for 3-multiplicative LSSS. In general, it is a hard problem to construct LSSS of polynomial size for an arbitrary specified access structure, and it seems to be an even harder problem to construct polynomial-size 3-multiplicative LSSS for general $Q_3$ access structures. We mention two constructions for 3-multiplicative LSSS.
These constructions are generally inefficient, and can result in schemes of exponential size. The two constructions are:

1. The Cramer-Damgård-Maurer construction based on Shamir's threshold secret sharing scheme [6].

2. The construction given in Subsection 4.1 based on strongly multiplicative LSSS.

There exist, however, some efficient LSSS with specific access structures that are multiplicative or 3-multiplicative. For instance, Shamir's $t$ out of $n$ threshold secret sharing schemes are multiplicative if $n \ge 2t + 1$, and 3-multiplicative if $n \ge 3t + 1$. On the other hand, secret sharing schemes from error-correcting codes give good multiplicative properties. It is well known that a secret sharing scheme from a linear error-correcting code is an LSSS. We know that such an LSSS is multiplicative provided the underlying code is a self-dual code [7]. The LSSS from a Reed-Solomon code is $\lambda$-multiplicative if the corresponding access structure is $Q_{\lambda}$. In this section, we show the multiplicativity of two other classes of secret sharing schemes from error-correcting codes: (i) schemes from Reed-Muller codes are $\lambda$-multiplicative LSSS; and (ii) schemes from algebraic geometric codes are $\lambda$-multiplicative ramp LSSS.

5.1 A Construction from Reed-Muller Codes

Let $v_0, v_1, \ldots, v_{2^m - 1}$ be all the points of the space $F_2^m$. The binary Reed-Muller code $R(r, m)$ is defined as follows:

$$R(r, m) = \{(f(v_0), f(v_1), \ldots, f(v_{2^m - 1})) \mid f \in F_2[x_1, \ldots, x_m],\ \deg f \le r\}.$$

Take $f(v_0)$ as the secret, and $f(v_i)$ as the share distributed to player $P_i$, $1 \le i \le 2^m - 1$. Then $R(r, m)$ gives rise to an LSSS for the set of players $\{P_1, \ldots, P_n\}$, with secret domain $F_2$, where $n = 2^m - 1$. For any three codewords

$$c_i = (s_i, s_{i1}, \ldots, s_{in}) = (f_i(v_0), f_i(v_1), \ldots, f_i(v_n)) \in R(r, m), \quad 1 \le i \le 3,$$

it is easy to see that

$$c_1 \diamond c_2 \diamond c_3 = (s_1 s_2 s_3, s_{11} s_{21} s_{31}, \ldots, s_{1n} s_{2n} s_{3n}) = (g(v_0), g(v_1), \ldots, g(v_n)) \in R(3r, m),$$

where $g = f_1 f_2 f_3 \in F_2[x_1, \ldots, x_m]$ and $\deg g \le 3r$. From basic results on Reed-Muller codes [15], we know that $R(3r, m)$ has dual code $R(m - 3r - 1, m)$ when $m > 3r$, and the dual code $R(m - 3r - 1, m)$ trivially contains the codeword $(1, 1, \ldots, 1)$. It follows that $s_1 s_2 s_3 = \sum_{j=1}^n s_{1j} s_{2j} s_{3j}$, which shows that the LSSS from $R(r, m)$ is 3-multiplicative when $m > 3r$. Certainly, this LSSS is strongly multiplicative. In general, we have the following result:

Theorem 4. The LSSS constructed above from $R(r, m)$ is $\lambda$-multiplicative, provided $m > \lambda r$.

5.2 A Construction from Algebraic Geometric Codes

Chen and Cramer [3] constructed secret sharing schemes from algebraic geometric (AG) codes. These schemes are quasi-threshold (or ramp) schemes, which means that any $t$ out of $n$ players can recover the secret, and any fewer than $t'$ players have no information about the secret, where $t' \le t \le n$. In this section, we show that ramp schemes from some algebraic geometric codes [3] are $\lambda$-multiplicative.

Let $\chi$ be an absolutely irreducible, projective, and nonsingular curve defined over $F_q$ with genus $g$, and let $D = \{v_0, v_1, \ldots, v_n\}$ be the set of $F_q$-rational points on $\chi$. Let $G$ be an $F_q$-rational divisor of degree $m$ satisfying $\operatorname{supp}(G) \cap D = \emptyset$ and $2g - 2 < m < n + 1$. Let $\overline{F_q}$ denote the algebraic closure of $F_q$, let $\overline{F_q}(\chi)$ denote the function field of the curve $\chi$, and let $\Omega(\chi)$ denote all the differentials on $\chi$. Define the linear spaces:

$$L(G) = \{f \in \overline{F_q}(\chi) \mid (f) + G \ge 0\}, \qquad \Omega(G) = \{\omega \in \Omega(\chi) \mid (\omega) \ge G\}.$$
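Returning to the Reed-Muller construction of Section 5.1: the recombination vector in the argument above is $(1, \ldots, 1)$, and the bound $m > \lambda r$ of Theorem 4 is exactly the condition under which every monomial of $g = f_1 \cdots f_\lambda$ sums to zero over $F_2^m$. The following Python code is an added illustration, not part of the paper; it builds $R(r, m)$ by evaluating every polynomial of degree at most $r$ and exhaustively checks whether the product of the $\lambda$ secrets equals the sum of the coordinate-wise products of the shares, for parameters on both sides of the bound.

```python
from itertools import combinations, product

def points(m):
    """All points of F_2^m; the first one is v_0 = (0,...,0), the secret position."""
    return list(product((0, 1), repeat=m))

def monomials(r, m):
    """Monomials of degree <= r in F_2[x_1..x_m]. Since x_i^2 = x_i on F_2^m,
    a monomial is a set of distinct variable indices (the empty set is 1)."""
    return [c for d in range(r + 1) for c in combinations(range(m), d)]

def evaluate(poly, v):
    """poly is a set of monomials (their sum is the polynomial); value at v in F_2."""
    return sum(all(v[i] for i in mono) for mono in poly) % 2

def codeword(poly, m):
    """(f(v_0), f(v_1), ..., f(v_{2^m-1})): the secret first, then the n = 2^m - 1 shares."""
    return [evaluate(poly, v) for v in points(m)]

def all_codewords(r, m):
    """Every codeword of R(r, m), one per polynomial of degree <= r."""
    mons = monomials(r, m)
    return [codeword({mons[i] for i in range(len(mons)) if mask >> i & 1}, m)
            for mask in range(1 << len(mons))]

def product_recovers_secret(r, m, lam):
    """Exhaustive check of lambda-multiplicativity of the LSSS from R(r, m) with the
    recombination vector (1, ..., 1): for every choice of lam codewords, does
    s_1 * ... * s_lam equal the sum over j >= 1 of s_{1j} * ... * s_{lam j} in F_2?"""
    words = all_codewords(r, m)
    n = (1 << m) - 1
    for choice in product(words, repeat=lam):
        secret_prod = int(all(w[0] for w in choice))
        share_sum = sum(all(w[j] for w in choice) for j in range(1, n + 1)) % 2
        if secret_prod != share_sum:
            return False  # a counterexample: the product of secrets is not recoverable
    return True

def max_lambda(r, m):
    """Largest lambda with m > lambda * r, i.e. the bound of Theorem 4 (0 if none)."""
    return (m - 1) // r
```

With $r = 1$, $m = 3$ the check already fails for $\lambda = 3$ ($f_1 f_2 f_3 = x_1 x_2 x_3$ sums to 1 over $F_2^3$ while all three secrets are 0), so the bound $m > \lambda r$ is tight for this recombination vector.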
Then the functional AG code $C_L(D, G)$ and the residual AG code $C_{\Omega}(D, G)$ are respectively defined as follows:

$$C_L(D, G) = \{(f(v_0), f(v_1), \ldots, f(v_n)) \mid f \in L(G)\} \subseteq F_q^{n+1},$$

$$C_{\Omega}(D, G) = \{(\operatorname{Res}_{v_0}(\eta), \operatorname{Res}_{v_1}(\eta), \ldots, \operatorname{Res}_{v_n}(\eta)) \mid \eta \in \Omega(G - D)\} \subseteq F_q^{n+1},$$

where $\operatorname{Res}_{v_i}(\eta)$ denotes the residue of $\eta$ at $v_i$. As above, $C_{\Omega}(D, G)$ induces an LSSS for the set of players $\{P_1, \ldots, P_n\}$, where for every codeword $(f(v_0), f(v_1), \ldots, f(v_n)) \in C_{\Omega}(D, G) = C_L(D, D - G + (\eta))$, $f(v_0)$ is the secret and $f(v_i)$ is $P_i$'s share, $1 \le i \le n$. For any $\lambda$ codewords

$$c_i = (s_i, s_{i1}, \ldots, s_{in}) = (f_i(v_0), f_i(v_1), \ldots, f_i(v_n)) \in C_L(D, D - G + (\eta)), \quad 1 \le i \le \lambda,$$

it is easy to see that

$$\diamond_{i=1}^{\lambda} c_i = \Big(\prod_{i=1}^{\lambda} s_i, \prod_{i=1}^{\lambda} s_{i1}, \ldots, \prod_{i=1}^{\lambda} s_{in}\Big) \in C_L(D, \lambda(D - G + (\eta))).$$

If $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$, then $C_L(D, \lambda(D - G + (\eta)))$ has the dual code $C_{\Omega}(D, \lambda(D - G + (\eta))) = C_L(D, \lambda G - (\lambda - 1)(D + (\eta)))$. When $\deg(\lambda G - (\lambda - 1)(D + (\eta))) \ge 2g$, $C_{\Omega}(D, \lambda(D - G + (\eta)))$ has a codeword with a nonzero first coordinate, implying $\prod_{i=1}^{\lambda} s_i = \sum_{j=1}^{n} a_j \prod_{i=1}^{\lambda} s_{ij}$ for some constants $a_j \in F_q$. Thus, the LSSS induced by the AG code $C_{\Omega}(D, G)$ is $\lambda$-multiplicative. It is easy to see that if $\deg G = m \ge \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g$, then we have $2g - 2 < \deg(\lambda(D - G + (\eta))) < n$ and $\deg(\lambda G - (\lambda - 1)(D + (\eta))) \ge 2g$. Therefore, we have the following theorem.

Theorem 5. Let $\chi$ be an absolutely irreducible, projective, and nonsingular curve defined over $F_q$ with genus $g$, and let $D = \{v_0, v_1, \ldots, v_n\}$ be the set of $F_q$-rational points on $\chi$. Let $G$ be an $F_q$-rational divisor of degree $m$ satisfying $\operatorname{supp}(G) \cap D = \emptyset$ and $2g - 2 < m < n + 1$.
Then the LSSS induced by the AG code $C_{\Omega}(D, G)$ is $\lambda$-multiplicative, provided $m \ge \frac{(\lambda - 1)(n - 1)}{\lambda} + 2g$.

6 Implications of the Multiplicativity of LSSS

The property of 3-multiplicativity implies strong multiplicativity, and so is sufficient for building MPC protocols against active adversaries. The conditions for 3-multiplicativity are easy to verify, while verification of strong multiplicativity involves checking an exponential number of equations (each subset in the adversary structure corresponds to an equation). With 3-multiplicative LSSS, or more generally $\lambda$-multiplicative LSSS, we can simplify the local computation of each player and reduce the round complexity of MPC protocols. For example, using the technique of Bar-Ilan and Beaver [1], we can compute $\prod_{i=1}^{l} x_i$, $x_i \in F_q$, in a constant number of rounds, independent of $l$. For simplicity, we consider passive adversaries in the information-theoretic model. Suppose that for $1 \le i \le l$, the shares of $x_i$, denoted by $[x_i]$, have already been distributed among the players. To compute $\prod_{i=1}^{l} x_i$, $x_i \in F_q$, we follow the process of Cramer et al. [4]:

(1) Generate $[b_0 \in_R F_q^{*}], [b_1 \in_R F_q^{*}], \ldots, [b_l \in_R F_q^{*}]$ and $[b_0^{-1}], [b_1^{-1}], \ldots, [b_l^{-1}]$, where $b_i \in_R F_q^{*}$ means that $b_i$ is a random element of $F_q^{*}$.

(2) For $1 \le i \le l$, each player computes $[b_{i-1} x_i b_i^{-1}]$ from $[b_{i-1}]$, $[b_i^{-1}]$ and $[x_i]$.

(3) Recover $d_i = b_{i-1} x_i b_i^{-1}$ from $[b_{i-1} x_i b_i^{-1}]$ for $1 \le i \le l$, and compute $d = \prod_{i=1}^{l} d_i$.

(4) Compute $[d b_0^{-1} b_l]$ from $[b_0^{-1}]$, $[b_l]$ and $d$.

It is easy to see that $d b_0^{-1} b_l = \prod_{i=1}^{l} x_i$. Using a strongly multiplicative LSSS, the above process takes five rounds of interaction, as two rounds are required in Step (2). However, if we use a 3-multiplicative LSSS instead, then only one round is needed for Step (2).
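The four steps above, simulated with Shamir's $t$ out of $n$ scheme for $n = 3t + 1$ (which the text notes is 3-multiplicative), as an added Python example that is not part of the paper. The prime field $F_p$, a trusted dealer standing in for the generation of the shared random $b_i$ in Step (1), and the choice of sharing by evaluation at $x = 1, \ldots, n$ are assumptions of the example. The point it shows is Step (2): with a 3-multiplicative scheme the triple product $b_{i-1} x_i b_i^{-1}$ is obtained by each player multiplying its own three shares, with no interaction, and the degree-$3t$ result is still openable by the $3t + 1$ players.

```python
import random

P = 2**31 - 1  # prime modulus for the field F_p (an assumption of this example)

def share(secret, t, n):
    """Shamir t-out-of-n: shares f(1), ..., f(n) of a random degree-t polynomial with f(0) = secret."""
    coeffs = [secret] + [random.randrange(P) for _ in range(t)]
    return [sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P for x in range(1, n + 1)]

def reconstruct(shares, degree):
    """Lagrange interpolation of f(0) from the first degree+1 shares (at x = 1, 2, ...)."""
    pts = list(enumerate(shares[:degree + 1], start=1))
    assert len(pts) == degree + 1, "not enough shares for a polynomial of this degree"
    total = 0
    for xi, yi in pts:
        num = den = 1
        for xj, _ in pts:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def local_mul(*sharings):
    """Each player multiplies its own shares of the given sharings: no interaction,
    the degree of the underlying polynomial is the sum of the degrees."""
    out = []
    for shares in zip(*sharings):
        v = 1
        for s in shares:
            v = v * s % P
        out.append(v)
    return out

def unbounded_fanin_product(xs, t):
    """Compute prod(xs) following Steps (1)-(4) with n = 3t + 1 players."""
    n = 3 * t + 1          # Shamir is 3-multiplicative when n >= 3t + 1
    l = len(xs)
    x_sh = [share(x, t, n) for x in xs]                       # the given inputs [x_i]
    # Step (1): random nonzero b_0, ..., b_l and their inverses, shared by the dealer
    b = [random.randrange(1, P) for _ in range(l + 1)]
    b_sh = [share(v, t, n) for v in b]
    binv_sh = [share(pow(v, P - 2, P), t, n) for v in b]
    # Step (2): one round, purely local: [b_{i-1} x_i b_i^{-1}] as a degree-3t sharing
    d_sh = [local_mul(b_sh[i - 1], x_sh[i - 1], binv_sh[i]) for i in range(1, l + 1)]
    # Step (3): open each d_i (needs all 3t + 1 shares) and multiply the public values
    d = 1
    for sh in d_sh:
        d = d * reconstruct(sh, 3 * t) % P
    # Step (4): [d b_0^{-1} b_l] from the public d and two sharings (degree 2t)
    result_sh = [d * v % P for v in local_mul(binv_sh[0], b_sh[l])]
    return reconstruct(result_sh, 2 * t)   # equals prod(xs) since the b_i telescope
```

With a merely strongly multiplicative scheme, Step (2) would need two sequential share multiplications, each with its own opening or degree reduction, which is where the fifth round of the text comes from.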
Thus, 3-multiplicative LSSS reduce the round complexity of computing unbounded fan-in multiplication from five to four. This in turn simplifies the computation of many problems, such as polynomial evaluation and solving linear systems of equations.

In general, the relationship between $\lambda$-multiplicative LSSS and strongly $\lambda$-multiplicative LSSS can be described as follows:

$$\cdots \subseteq \mathrm{SMLSSS}_{\lambda+1} \subsetneq \mathrm{MLSSS}_{\lambda+1} \subseteq \mathrm{SMLSSS}_{\lambda} \subsetneq \mathrm{MLSSS}_{\lambda} \subseteq \cdots,$$

where $\mathrm{MLSSS}_{\lambda}$ (respectively, $\mathrm{SMLSSS}_{\lambda}$) denotes the class of $\lambda$-multiplicative (respectively, strongly $\lambda$-multiplicative) LSSS. It is easy to see that $\mathrm{SMLSSS}_{\lambda} \subsetneq \mathrm{MLSSS}_{\lambda}$, because they exist under the conditions $Q_{\lambda+1}$ and $Q_{\lambda}$, respectively. Since $\mathrm{SMLSSS}_{\lambda}$ and $\mathrm{MLSSS}_{\lambda+1}$ both exist under the same necessary and sufficient condition $Q_{\lambda+1}$, it is not straightforward to see whether $\mathrm{MLSSS}_{\lambda+1}$ is strictly contained in $\mathrm{SMLSSS}_{\lambda}$. For $\lambda = 2$, we already know that $\mathrm{MLSSS}_3 \subsetneq \mathrm{SMLSSS}_2$ (Section 4.3). It would be interesting to find out whether this is also true for $\lambda > 2$. We have also given an efficient transformation from $\mathrm{SMLSSS}_{\lambda}$ to $\mathrm{MLSSS}_{\lambda+1}$. It remains open whether an efficient transformation from $\mathrm{MLSSS}_{\lambda}$ to $\mathrm{SMLSSS}_{\lambda}$ exists when the access structure is $Q_{\lambda+1}$. When $\lambda = 2$, this is a well-known open problem [6].

7 Conclusions

In this paper, we propose the new concept of 3-multiplicative LSSS, which form a subclass of the strongly multiplicative LSSS. The 3-multiplicative LSSS are easier to construct compared to strongly multiplicative LSSS. They can also simplify the computation and reduce the round complexity of secure multiparty computation protocols. We believe that 3-multiplicative LSSS are a more appropriate primitive as building blocks for secure multiparty computation, and deserve further investigation.
We stress that finding efficient constructions of 3-multiplicative LSSS for general access structures remains an important open problem.

Acknowledgement

The work of M. Liu and Z. Zhang is supported in part by the 973 project of China (No. 2004CB318000). Part of the work was done while Z. Zhang was visiting Nanyang Technological University, supported by the Singapore Ministry of Education under Research Grant T206B2204. The work of Y. M. Chee, S. Ling, and H. Wang is supported in part by the Singapore National Research Foundation under Research Grant NRF-CRP2-2007-03. In addition, the work of Y. M. Chee is also supported in part by the Nanyang Technological University under Research Grant M58110040, and the work of H. Wang is also supported in part by the Australian Research Council under ARC Discovery Project DP0665035.

References

1. J. Bar-Ilan, D. Beaver, Non-cryptographic fault-tolerant computing in constant number of rounds of interaction. PODC'89, pp. 201-209, 1989.

2. A. Beimel, Secure schemes for secret sharing and key distribution. PhD thesis, Technion - Israel Institute of Technology, 1996.

3. H. Chen, R. Cramer, Algebraic geometric secret sharing schemes and secure multi-party computations over small fields. CRYPTO'06, LNCS, vol. 4117, pp. 521-536, 2006.

4. R. Cramer, E. Kiltz, C. Padró, A note on secure computation of the Moore-Penrose pseudoinverse and its application to secure linear algebra. CRYPTO'07, LNCS, vol. 4622, pp. 613-630, 2007.

5. H. Chen, R. Cramer, R. de Haan, I. Cascudo Pueyo, Strongly multiplicative ramp schemes from high degree rational points on curves. EUROCRYPT'08, LNCS, vol. 4965, pp. 451-470, 2008.

6. R. Cramer, I. Damgård, U. Maurer, General secure multi-party computation from any linear secret-sharing scheme. EUROCRYPT'00, LNCS, vol. 1807, pp. 316-334, 2000.

7. R. Cramer, V. Daza, I. Gracia, J. Urroz, G. Leander, J. Martí-Farré, C. Padró, On codes, matroids and secure multi-party computation from linear secret sharing schemes. CRYPTO'05, LNCS, vol. 3621, pp. 327-343, 2005.

8. S. Fehr, Efficient construction of the dual span program. Master Thesis, the Swiss Federal Institute of Technology (ETH) Zürich, 1999. http://homepages.cwi.nl/~fehr/publications.html

9. O. Goldreich, S. Micali, A. Wigderson, How to play ANY mental game. STOC'87, pp. 218-219, 1987.

10. M. Karchmer, A. Wigderson, On span programs. Proc. 8th Ann. Symp. Structure in Complexity Theory, pp. 102-111, 1993.

11. E. Käsper, V. Nikov, S. Nikova, Strongly multiplicative hierarchical threshold secret sharing. 2nd International Conference on Information Theoretic Security - ICITS 2007, LNCS, to appear.

12. M. Liu, L. Xiao, Z. Zhang, Multiplicative linear secret sharing schemes based on connectivity of graphs. IEEE Transactions on Information Theory 53(11), pp. 3973-3978, 2007.

13. J. L. Massey, Minimal codewords and secret sharing. Proc. 6th Joint Swedish-Russian Workshop on Information Theory, pp. 276-279, 1993.

14. V. Nikov, S. Nikova, B. Preneel, On multiplicative linear secret sharing schemes. Indocrypt'03, LNCS, vol. 2904, pp. 135-147, 2003.

15. J. H. van Lint, Introduction to coding theory. 3rd edition, Graduate Texts in Mathematics 86, Springer, 1999.

16. A. Yao, Protocols for secure computation. FOCS'82, pp. 160-164, 1982.