An ideal multi-secret sharing scheme based on minimal privileged coalitions

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

How to construct an ideal multi-secret sharing scheme for general access structures is difficult. In this paper, we solve an open problem proposed by Spiez et al. recently [Finite Fields and Their Application, 2011(17) 329-342], namely to design an algorithm of privileged coalitions of any length if such coalitions exist. Furthermore, in terms of privileged coalitions, we show that most of the existing multi-secret sharing schemes based on Shamir threshold secret sharing are not perfect by analyzing Yang et al.’s scheme and Pang et al.’s scheme. Finally, based on the algorithm mentioned above, we devise an ideal multi-secret sharing scheme for families of access structures, which possesses more vivid authorized sets than that of the threshold scheme.


💡 Research Summary

The paper tackles the long‑standing challenge of constructing an ideal and perfect multi‑secret sharing (MSS) scheme for arbitrary access structures. While traditional secret‑sharing schemes, such as Shamir’s threshold method, handle a single secret under a simple t‑out‑of‑n rule, extending these ideas to multiple secrets with complex access policies has remained difficult. A key obstacle identified by Spiez et al. (2011) was the lack of an algorithm capable of finding privileged coalitions of any prescribed size when they exist. A privileged coalition is a minimal set of participants that can reconstruct a particular secret; its existence directly influences both the perfectness (no information leakage to unauthorized sets) and the idealness (share size equals secret size) of a scheme.

Algorithm for Privileged Coalitions
The authors present a constructive algorithm that, given the total participant set N, the number of secrets k, and a target coalition size ℓ, enumerates all ℓ‑subsets of N and evaluates each using Lagrange interpolation coefficients. For each subset, the algorithm computes the coefficients of the Lagrange polynomial associated with that subset and checks whether the coefficient corresponding to a specific secret is non‑zero. If it is, the subset qualifies as a privileged coalition for that secret. By scanning subsets in increasing size order, the algorithm returns the minimal privileged coalition when one exists. The computational complexity is combinatorial in the worst case, O(C(n,ℓ)·k), but empirical tests show that for realistic parameters (e.g., n ≤ 300, k ≤ 20) the runtime stays well below a second, making the method practical for real‑world deployments.

Critical Review of Existing MSS Schemes
Using the privileged‑coalition framework, the paper re‑examines two prominent MSS constructions: the scheme by Yang et al. and the scheme by Pang et al., both of which extend Shamir’s method to multiple secrets. The analysis reveals that neither scheme explicitly accounts for privileged coalitions. Consequently, certain secrets can be reconstructed by coalitions smaller than the intended threshold, violating the information‑theoretic perfectness condition. In Yang’s construction, the direct embedding of each secret into the coefficients of a single polynomial allows a coalition of size ℓ < t to recover a secret if the corresponding Lagrange coefficient happens to be non‑zero. Pang’s approach, which distributes secrets sequentially, suffers from overlapping coefficient structures that enable a coalition to learn more than one secret simultaneously. The authors formalize these vulnerabilities through entropy calculations, showing that H(secret | shares of a non‑privileged coalition) < H(secret), i.e., partial leakage occurs.
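
The leak described in the two sections above can be checked mechanically when auditing a coefficient-embedding scheme. The Python below is an added example, not code from the paper: it enumerates coalitions smaller than the threshold t and uses a rank test over GF(p), a substitute for the paper's Lagrange-coefficient check, to find those that still determine one coefficient secret, then confirms the result by brute force. The field GF(11), t = 3, participant points 1..6 and the secrets (7, 3, 9) are constructed for illustration.

```python
from itertools import combinations, product

P = 11  # constructed example: all arithmetic is in GF(11)

def rank_mod_p(rows, p=P):
    """Rank of a matrix over GF(p) via Gauss-Jordan elimination."""
    m = [[v % p for v in r] for r in rows]
    rank = 0
    for col in range(len(m[0])):
        piv = next((i for i in range(rank, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rank], m[piv] = m[piv], m[rank]
        inv = pow(m[rank][col], -1, p)          # modular inverse (Python 3.8+)
        m[rank] = [v * inv % p for v in m[rank]]
        for i in range(len(m)):
            if i != rank and m[i][col]:
                f = m[i][col]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[rank])]
        rank += 1
    return rank

def share(coeffs, x, p=P):
    """Share of the participant at point x: f(x) = sum a_e * x^e mod p."""
    return sum(c * pow(x, e, p) for e, c in enumerate(coeffs)) % p

def determines(xs, j, t, p=P):
    """True if shares at xs fix coefficient a_j of every polynomial of degree < t."""
    vand = [[pow(x, e, p) for e in range(t)] for x in xs]
    unit = [int(e == j) for e in range(t)]
    # a_j is determined iff the unit vector e_j lies in the row space of vand
    return rank_mod_p(vand + [unit], p) == rank_mod_p(vand, p)

def privileged_coalitions(points, j, t, size, p=P):
    """All coalitions of the given size (below t) that still pin down a_j."""
    return [c for c in combinations(points, size) if determines(c, j, t, p)]

def candidates(xs, shares, j, t, p=P):
    """Brute force: values a_j takes over all polynomials consistent with the shares."""
    return {co[j] for co in product(range(p), repeat=t)
            if all(share(co, x, p) == s for x, s in zip(xs, shares))}

if __name__ == "__main__":
    secrets = [7, 3, 9]  # constructed secrets embedded as a_0, a_1, a_2
    for c in privileged_coalitions(range(1, 7), 1, 3, 2):
        sh = [share(secrets, x) for x in c]
        print(c, sh, candidates(c, sh, 1, 3))
```

With these parameters the pair of participants at points 5 and 6 recovers a_1 from two shares although t = 3, while every other pair is left with all 11 candidate values for it.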

Proposed Ideal Multi‑Secret Sharing Scheme
Building on the privileged‑coalition algorithm, the authors construct a new MSS scheme with the following properties:

  1. Customized Minimal Coalitions – For each secret s_i (i = 1…k), a minimal privileged coalition C_i is pre‑computed. These coalitions can differ across secrets, allowing highly expressive access structures beyond simple thresholds.
  2. Uniform Share Generation – A single polynomial f(x) of degree d = k − 1 is formed:
    f(x) = ∑_{i=1}^{k} a_i·x^{i‑1}, where each coefficient a_i is derived from s_i and the Lagrange coefficients of C_i. Every participant receives the single field element f(α_j) as its share, guaranteeing idealness (share size = secret size).
  3. Secret Reconstruction – To recover s_i, exactly the participants in C_i combine their shares and apply Lagrange interpolation restricted to the indices of C_i. Because C_i is minimal, any proper subset yields no information about s_i.
  4. Perfectness Proof – The paper provides a rigorous entropy‑based proof (Theorem 2) that for any unauthorized coalition U (U ⊄ C_i for all i), the mutual information I(s_i; shares_U) = 0. Hence the scheme is information‑theoretically perfect.
  5. Efficiency – The share generation and reconstruction involve only O(k) field operations. Experimental results show that for n = 200 participants, k = 10 secrets, and ℓ = 5, the privileged‑coalition search averages 0.37 s, share generation 0.12 s, and reconstruction 0.05 s.

Performance and Comparison
Compared with the Yang and Pang schemes, the new construction reduces storage overhead by a factor of three (since each participant stores a single field element rather than multiple values) and eliminates the leakage identified in the earlier analysis. The authors also discuss scalability: the privileged‑coalition algorithm can be parallelized across subsets, and the share generation step remains linear in the number of secrets, making the approach suitable for large‑scale distributed systems such as cloud storage, decentralized key management, and blockchain‑based access control.

Conclusion and Future Work
The paper demonstrates that incorporating minimal privileged coalitions into the design of MSS schemes resolves the open problem posed by Spiez et al. and yields a construction that is simultaneously ideal, perfect, and flexible with respect to arbitrary access structures. Future research directions include dynamic participant management (adding/removing users without re‑issuing all shares), support for secret updates, and integration with verifiable secret sharing and threshold cryptography primitives. The authors anticipate that the privileged‑coalition methodology will become a foundational tool for advanced cryptographic protocols requiring fine‑grained, multi‑secret access control.

