
IDEMPOTENTS AND SECRET-SHARING SCHEMES

Garcı́a-Rubira J. M., (E), López-Ramos J. A., (E), Peralta J., (E)

Abstract. We propose a secret-sharing scheme in compartmented groups, i.e., the secret is
partitioned into shares in such a way that recovering the original information requires the
concurrence of a number of parties from each group. To do that we use the decomposition
given by orthogonal idempotents existing in some (not necessarily commutative) rings and
modules. The scheme introduced in this paper is perfect. We provide examples featuring
classical constructions such as cyclic codes as well as other non-commutative and even
infinite settings.
Key words and phrases. Secret-sharing, compartmented groups, idempotent.
Mathematics Subject Classification. Primary 94A62.

1 Introduction

In a secret-sharing scheme, a dealer has a secret which it distributes among the n parties
(trustees) in the scheme, in such a way that k of them can recover the secret. If P denotes the
set of parties involved in the secret sharing, any $\Gamma \subset 2^P$ such that any subset of parties that
is in $\Gamma$ can determine the secret and no subset in $2^P - \Gamma$ can determine the secret is called
the access structure of the secret-sharing scheme. Since Blakley, [2], and Shamir, [9], gave the
first constructions of secret-sharing schemes, many authors have taken an interest in these
schemes. One of the designs proposed by Simmons in [10] is secret-sharing in compartmented
groups.
A compartmented $t_i$-out-of-$l_i$ secret-sharing scheme is a design where the secret is partitioned
in such a way that reconstruction of the secret requires a specified level of concurrence by the
participants in some specified number, perhaps all, of the compartments. Here $t_i$ denotes the
required concurrence of the i-th group of $l_i$ trustees. In [3, Theorem 3] Brickell proposes a
secret-sharing scheme for compartmented groups based on vector spaces over a finite field GF(q). In
[5] the authors use Shamir's secret-sharing scheme over GF(q), [9], to give another solution to
the situation of compartmented groups, and extend it to a more general compartmented
access structure not considered by Brickell in [3].
Here we introduce a secret-sharing scheme for compartmented groups based on idempotents
of a ring R (not necessarily commutative) to decompose a secret a in an R-module into partial
secrets $a_i$; each of these partial secrets is then distributed using a secret-sharing scheme
based on a generator matrix similar to that in [6].

2 Some mathematical background

Throughout this paper A will be a division ring and R will denote an associative A-algebra
with unit 1.

Definition 2.1 An element $e \in R$ is said to be idempotent if $e^2 = e$.

Definition 2.2 Two idempotents $e_1, e_2$ are called orthogonal if $e_1 e_2 = e_2 e_1 = 0$.

The following properties of idempotents are easily shown.

Lemma 2.1 i) If e is idempotent, then $(1 - e)$ is an idempotent orthogonal to e.
ii) If e is an idempotent different from 1, then there is no $f \in R$ such that $ef = fe = 1$.
iii) If $e_1, e_2$ are orthogonal idempotents, then $e_1 + e_2$ is idempotent.

Definition 2.3 A finite set of orthogonal idempotents $\{e_1, \cdots, e_n\}$ in a ring R is said to be
complete if $1_R = \sum_{i=1}^{n} e_i$.

Definition 2.4 A left R-module M is an additive abelian group together with a map
$\rho : R \times M \to M$ (the product of elements of M by scalars) such that:
i) $\rho(1, m) = m$, $\forall m \in M$.
ii) $\rho(r_1, \rho(r_2, m)) = \rho(r_1 r_2, m)$, $\forall r_1, r_2 \in R$, $\forall m \in M$.
iii) $\rho(r_1, m) + \rho(r_2, m) = \rho(r_1 + r_2, m)$, $\forall r_1, r_2 \in R$, $\forall m \in M$.
iv) $\rho(r, m_1) + \rho(r, m_2) = \rho(r, m_1 + m_2)$, $\forall r \in R$, $\forall m_1, m_2 \in M$.
An additive subgroup $N \subseteq M$ is an R-submodule of M if $\rho(R \times N) \subseteq N$.
Let M and L be left R-modules. A map $\varphi : M \to L$ is called an R-morphism if it is
linear with respect to the sum of elements of M and to the product by scalars.

The above definition is basically the definition of an R-vector space and of a linear map
when R is a field. As in that case, $\rho(r, m)$ is usually denoted rm. Right R-modules are defined
similarly.
Now, for a left R-module M, consider $S = \mathrm{End}_R(M)$, the ring of R-morphisms of M (with
the sum and composition of morphisms). Then it is easy to see that M is a right S-module.
We note that if $M_i$, i = 1, 2 are R-submodules of M which are direct summands of M, then
the projections $e_i : M \to M_i$, i = 1, 2 are orthogonal idempotents in $\mathrm{End}_R(M)$. Then we have:

38 volume 1 (2008), number 1


Aplimat - Journal of Applied Mathematics

Proposition 2.2 Let $M_1, \cdots, M_n$ be R-submodules of an R-module M. Then $M = M_1 \oplus \cdots \oplus M_n$
(direct sum of R-modules) if and only if there exists a complete set $e_1, \cdots, e_n$ of orthogonal
idempotents in $\mathrm{End}_R(M)$ such that $M_i = M e_i$, $i = 1, \cdots, n$.

Definition 2.5 A left R-module M is called free of rank n if M is a direct sum of n copies of
R.

Definition 2.6 A left R-module M is called finitely generated if it is the image of a morphism
of modules Rn → M for some n ≥ 1.

For more details about idempotents, rings and modules in general, we refer to [1].

3 The secret-sharing scheme

Let R be a finitely generated A-algebra and N a finitely generated left R-module. Then N
is also finitely generated as an A-module, so let $\{b_1, \cdots, b_n\}$ be a generating set for N as an
A-module. Let us also assume that N has a decomposition $N = N_1 \oplus \cdots \oplus N_l$. Then, there exists
a complete set of orthogonal idempotents $\{e_1, \cdots, e_l\}$ in $\mathrm{End}_R(N)$ such that $I_N = e_1 + \cdots + e_l$
and $N_i = N e_i$ for $i = 1, \cdots, l$. Therefore $a = a_1 + \cdots + a_l$ with $a_i \in N_i$, $i = 1, \cdots, l$, for every
$a \in N$. Since N is finitely generated as an A-module, so are the $N_i$ for $i = 1, \cdots, l$. So
let $\{g_{i1}, \cdots, g_{ik_i}\}$ be a generating set for $N_i$, $i = 1, \cdots, l$.
Now let the set of participants P be partitioned into l disjoint sets $P_1, \cdots, P_l$.

Algorithm 1 - A compartmented secret-sharing scheme for $P_i$, $i = 1, \cdots, l$.

1. Given a secret $s \in N$, let $s = s_1 + \cdots + s_l$ with $s_i \in N_i$, $i = 1, \cdots, l$. The $s_i$, $i = 1, \cdots, l$,
are then the partial secrets.

2. For every $i = 1, \cdots, l$ let $\{g_{i1}, \cdots, g_{ik_i}\}$ be a generating set for $N_i$. Now, $g_{ih} = \sum_{j=1}^{n} r^i_{h,j} b_j$,
with $r^i_{h,j} \in A$, $h = 1, \cdots, k_i$. Then, $s_i = \sum_{j=1}^{n} s_{i,j} b_j$, $s_{i,j} \in A$, and let $(w^i_{j,1}, \cdots, w^i_{j,k_i})$
be a solution to the equations $s_{i,j} = \sum_{h=1}^{k_i} x_h r^i_{h,1}$ for $j = 1, \cdots, n$. Then we get that

$$(w^i_{j,1}, \cdots, w^i_{j,k_i}) \begin{pmatrix} r^i_{1,1} & \cdots & r^i_{1,n} \\ \vdots & \ddots & \vdots \\ r^i_{k_i,1} & \cdots & r^i_{k_i,n} \end{pmatrix} = (s_{i,j}, *, \ldots, *)$$

3. For every $i = 1, \cdots, l$ and $j = 1, \cdots, n$ we get $u^i_{j,h} = \sum_{s=1}^{k_i} w^i_{j,s} r^i_{s,h}$, where $u^i_{j,1} = s_{i,j}$.
Then give the column vector
$$\begin{pmatrix} u^i_{1,j} \\ \vdots \\ u^i_{n,j} \end{pmatrix}$$
to party j, $j = 2, \cdots, n$ of group i, $i = 1, \cdots, l$, namely $P^i_j$.

If we denote by $G_i$ the generator matrix
$$G_i = \begin{pmatrix} r^i_{1,1} & \cdots & r^i_{1,n} \\ \vdots & \ddots & \vdots \\ r^i_{k_i,1} & \cdots & r^i_{k_i,n} \end{pmatrix},$$
we get a matrix summary of our discussion thus far as follows (the j-th column of the right-hand
side is the share of $P^i_j$):

$$\begin{pmatrix} w^i_{1,1} & \cdots & w^i_{1,k_i} \\ w^i_{2,1} & \cdots & w^i_{2,k_i} \\ \vdots & & \vdots \\ w^i_{n,1} & \cdots & w^i_{n,k_i} \end{pmatrix} G_i = \begin{pmatrix} s_{i,1} & u^i_{1,2} & \cdots & u^i_{1,j} & \cdots & u^i_{1,n} \\ s_{i,2} & u^i_{2,2} & \cdots & u^i_{2,j} & \cdots & u^i_{2,n} \\ \vdots & \vdots & & \vdots & & \vdots \\ s_{i,n} & u^i_{n,2} & \cdots & u^i_{n,j} & \cdots & u^i_{n,n} \end{pmatrix}$$

Remark 1 The scheme presented here may be used within a non-commutative or infinite setting.
For instance, an example of a non-commutative division ring is the so-called quaternion
algebra: given a field F of characteristic $\neq 2$ and $0 \neq \alpha, \beta \in F$, the quaternion algebra $(\alpha, \beta)$ is
a four-dimensional algebra over F with elements x, y such that $x^2 = \alpha$, $y^2 = \beta$ and $xy = -yx$;
then $\{1, x, y, xy\}$ is a basis.
Remark 2 We note that the original secret s has an expression $s = \sum_{h=1}^{n} y_h b_h$, i.e., $s =
(y_1, \cdots, y_n)$, and each party $P^i_j$ in $P_i$ receives $(u^i_{1,j}, \cdots, u^i_{n,j})$, and therefore the length of the
received information equals that of the original.

Theorem 3.1 The secret-sharing scheme obtained from Algorithm 1 has a compartmented access
structure given by $\Gamma = \{A \subseteq P : A \cap P_i \in \Gamma_i, i = 1, \cdots, l\}$, where
$$\Gamma_i = \Big\{ \{j_1, \cdots, j_k\} \subseteq P_i : \begin{pmatrix} r^i_{1,1} \\ \vdots \\ r^i_{k_i,1} \end{pmatrix} \in \Big\langle \begin{pmatrix} r^i_{1,j_1} \\ \vdots \\ r^i_{k_i,j_1} \end{pmatrix}, \cdots, \begin{pmatrix} r^i_{1,j_k} \\ \vdots \\ r^i_{k_i,j_k} \end{pmatrix} \Big\rangle \Big\},$$
and is perfect, i.e., it allows the secret to be recovered only if the set of cooperating parties A is in $\Gamma$.
Proof. Since $N_i$ is finitely generated we get that the matrix
$$\begin{pmatrix} r^i_{1,1} & \cdots & r^i_{1,n} \\ \vdots & \ddots & \vdots \\ r^i_{k_i,1} & \cdots & r^i_{k_i,n} \end{pmatrix}$$
has rank $t_i$ with $1 \le t_i \le k_i$. Therefore, the first column of the above matrix, $r^i_1$, is a linear combination
of some other $t_i$ columns, $r^i_{h_j}$, $j = 1, \cdots, t_i$. Then we get that $r^i_1 = \sum_{j=1}^{t_i} r^i_{h_j} x^i_j$ for some
$x^i_j \in A$, $j = 1, \cdots, t_i$.
Now,
$$s_{i,j} = u^i_{j,1} = \sum_{s=1}^{k_i} w^i_{j,s} r^i_{s,1} = \sum_{s=1}^{k_i} w^i_{j,s} \sum_{k=1}^{t_i} r^i_{s,h_k} x^i_k = \sum_{k=1}^{t_i} \Big( \sum_{s=1}^{k_i} w^i_{j,s} r^i_{s,h_k} \Big) x^i_k = \sum_{k=1}^{t_i} u^i_{j,h_k} x^i_k .$$
Therefore, if $A \in \Gamma$ we get that $A \cap P_i \in \Gamma_i$ and so $s_{i,j}$ may be recovered as above and
$s_i = \sum_{j=1}^{n} s_{i,j} b_j$. If this is done for every $i = 1, \cdots, l$ then $s = s_1 + \cdots + s_l$.
Consider now that $A \notin \Gamma$. Then $A \cap P_i \notin \Gamma_i$ for some i and so $s_i$ cannot be recovered, since
some (perhaps all) $s_{i,j}$ cannot be recovered.
In this case we cannot get s. To show this it is enough to observe that if i is fixed and
we have $s' = \sum_{j=1, j \neq i}^{l} s_j$ then $s' = s \sum_{j=1, j \neq i}^{l} e_j$. But $\sum_{j=1, j \neq i}^{l} e_j$ is an idempotent and so it
has no inverse. In that case we can try a brute force attack finding an element $r \in N$ such
that $r e_j = s_j$, $j \neq i$ (we are assuming that all $e_j$, $j \neq i$ are known). But then the sequence
$a_0 = r$, $a_{n+1} = a_n + x \big( \sum_{j=1, j \neq i}^{l} e_j - I_N \big)$ for any $x \in N$ verifies that $a_{n+1} e_j = a_n e_j + x e_j - x e_j = s_j$
for $j \neq i$. Therefore, from an element $r \in N$ verifying that $r e_j = s_j$ ($j \neq i$) we get as many
elements as there are in $N_i$ with the same property. So every $s_j$ is needed to recover s. □

Remark 3 In this type of secret-sharing scheme, the setting, i.e., the ring or module where
the secret s lives, is public, and only the dealer knows exactly the access structure, including the
set of idempotents used to decompose the corresponding ring or module. We also point out that
even in the case that all $s_j$ except one, namely $s_i$, are known, from the proof of the Theorem we
get that no information about the secret is available. Although $s' = \sum_{j=1, j \neq i}^{l} s_j$ is part of the
secret, there is an unknown part of the secret given by $s_i$, and that can be any element in our
setting. From this point of view, the secret-sharing scheme is perfect. We have to take into
account that the only way to get some information about the secret is to know the idempotents
used to decompose the ring or module used as a setting, and these are not used in the process of
recovering the secret.
In [4] the authors introduce the concept of linear code over a finite module. The above
secret-sharing for every $s_j$ can then be viewed as a classical secret-sharing scheme using linear
codes in that sense.
Once the shares $s_i$, $i = 1, \cdots, l$, have been distributed, the dealer can be eliminated and
replaced by a set of dealers, one per group, each of whom knows the corresponding idempotent
$e_i$, $i = 1, \cdots, l$. In this way the scheme becomes an extrinsic system ([10]), i.e., the recovery
of s does not depend exclusively on the values $s_i$, but also on the relation among all of them,
that is, that they add up to s.
Finally, if the dealer keeps one of the shares secret then we get a prepositioned system ([10]),
i.e., the secret cannot be recovered while this share is not available.

4 Examples

Example 1: A classical example. Let $N = \mathbb{Z}_2[x]/(x^{15} - 1)$. Then N is finitely generated with
$\{1, x, x^2, \ldots, x^{14}\}$ as a generating set, and let $\{e_1 = x^{14} + x^{13} + x^{11} + x^{10} + x^7 + x^5 + 1$, $e_2 =
x^{14} + x^{13} + x^{12} + x^{11} + x^9 + x^7 + x^6 + x^3$, $e_3 = x^{14} + x^{13} + x^{12} + x^{11} + x^9 + x^8 + x^7 + x^6 +
x^4 + x^3 + x^2 + x$, $e_4 = x^{14} + x^{13} + x^{11} + x^{10} + x^8 + x^7 + x^5 + x^4 + x^2 + x\}$ be a complete set
of orthogonal idempotents. Now, if $s = p(x) \in N$ is any secret to be shared, then the partial
secrets are $s_1 = s e_1$, $s_2 = s e_2$, $s_3 = s e_3$ and $s_4 = s e_4$, which are distributed using the classical
cyclic codes generated by $e_i$, $i = 1, \cdots, 4$.
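The idempotent conditions of Definitions 2.1-2.3 and step 1 of Algorithm 1, worked through on the ring of Example 1 as an added example (not code from the paper): it checks that $e_1, \ldots, e_4$ form a complete set of orthogonal idempotents in $\mathbb{Z}_2[x]/(x^{15}-1)$, splits a secret polynomial into the partial secrets $s e_i$, and computes the dimension of each cyclic code $N e_i$. The bit-vector encoding of polynomials and the helper names are the example's own assumptions.

```python
# Added example (not from the paper): Example 1's ring Z_2[x]/(x^15 - 1), with a
# polynomial stored as a 15-bit int (bit i = coefficient of x^i).
N_DEG = 15
MASK = (1 << N_DEG) - 1

def poly(*exponents):
    """poly(14, 13, 0) is x^14 + x^13 + 1."""
    p = 0
    for k in exponents:
        p ^= 1 << k
    return p

def mul(a, b):
    """Carry-less product reduced modulo x^15 - 1: a * x^i is a cyclic shift of a."""
    r = 0
    for i in range(N_DEG):
        if b >> i & 1:
            r ^= ((a << i) | (a >> (N_DEG - i))) & MASK
    return r

def rank_gf2(rows):
    """Rank over GF(2) of a list of bit-vectors (XOR elimination)."""
    rows, rank = list(rows), 0
    for bit in reversed(range(N_DEG)):
        for i in range(rank, len(rows)):
            if rows[i] >> bit & 1:
                rows[rank], rows[i] = rows[i], rows[rank]
                for j in range(len(rows)):
                    if j != rank and rows[j] >> bit & 1:
                        rows[j] ^= rows[rank]
                rank += 1
                break
    return rank

# The complete set of orthogonal idempotents e1..e4 given in Example 1 of the paper.
E = [poly(14, 13, 11, 10, 7, 5, 0),
     poly(14, 13, 12, 11, 9, 7, 6, 3),
     poly(14, 13, 12, 11, 9, 8, 7, 6, 4, 3, 2, 1),
     poly(14, 13, 11, 10, 8, 7, 5, 4, 2, 1)]

def is_complete_orthogonal(idems):
    """Definitions 2.1-2.3: e_i^2 = e_i, e_i e_j = 0 for i != j, and sum e_i = 1."""
    total = 0
    for i, e in enumerate(idems):
        if mul(e, e) != e or any(mul(e, f) for f in idems[i + 1:]):
            return False          # the ring is commutative, so one order suffices
        total ^= e
    return total == 1

def split_secret(s, idems):
    """Step 1 of Algorithm 1: the partial secrets s_i = s e_i, which add up to s."""
    return [mul(s, e) for e in idems]

def code_dimension(e):
    """Dimension of the cyclic code N e_i (the span of the cyclic shifts of e_i)."""
    return rank_gf2(mul(e, 1 << i) for i in range(N_DEG))
```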

Example 2: Non-commutative examples. Let $N = \mathbb{Z}_5[S_3]$ be the group ring over the symmetric
group $S_3$. Then N is a finitely generated left $\mathbb{Z}_5$-module with the elements of $S_3$ as a generating
set. By means of the theory of Young diagrams (cf. [7, Ch. IV]) and using GAP [11] we get a
complete set of orthogonal idempotent elements of N given by

e1 = () + (2, 3) + (1, 2) + (1, 2, 3) + (1, 3, 2) + (1, 3)
e2 = () + 4(2, 3) + 4(1, 2) + (1, 2, 3) + (1, 3, 2) + 4(1, 3)
e3 = 2() + 2(2, 3) + 3(1, 2) + 3(1, 2, 3)
e4 = 2() + 3(2, 3) + 2(1, 2) + 3(1, 3, 2)

First we choose as our set of orthogonal idempotents $\{e_1 + e_2, e_3, e_4\}$, which gives
the generator matrices $G_1$, $G_2$ and $G_3$ respectively:

$$G_1 = \begin{pmatrix} 1 & 0 & 0 & 1 & 1 & 0 \\ 0 & 1 & 1 & 0 & 0 & 1 \end{pmatrix}, \quad G_2 = \begin{pmatrix} 1 & 1 & 4 & 4 & 0 & 0 \\ 0 & 1 & 0 & 4 & 1 & 4 \end{pmatrix}, \quad G_3 = \begin{pmatrix} 1 & 4 & 1 & 4 & 0 & 0 \\ 0 & 0 & 1 & 1 & 4 & 4 \end{pmatrix}$$

As can be observed, $G_1$ is not adequate for a secret-sharing scheme, and therefore its corresponding
partial secret should be kept secret by the dealer. Then, taking into account that we
cannot give out the third and the second columns of $G_2$ and $G_3$ respectively, the access structure
would be given by:
$\Gamma_2 = \{(x_2, x_5), (x_2, x_6), (x_4, x_5), (x_4, x_6), (x_2, x_4, x_5), (x_2, x_5, x_6), (x_2, x_4, x_6),
(x_4, x_5, x_6), (x_2, x_4, x_5, x_6)\}$ and $\Gamma_3 = \{(y_3, y_4), (y_3, y_5), (y_3, y_6), (y_4, y_5), (y_4, y_6),
(y_3, y_4, y_5), (y_3, y_4, y_6), (y_3, y_5, y_6), (y_4, y_5, y_6), (y_3, y_4, y_5, y_6)\}$
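Steps 2-3 of Algorithm 1 and the access structure $\Gamma_i$ of Theorem 3.1 for one compartment, worked through as an added example (not code from the paper) on the matrices $G_1$, $G_2$ and $G_3$ of this first option over $\mathbb{Z}_5$. It assumes that the column numbering of the matrices is the numbering of the parties $x_j$, $y_j$ used above; the function names, the random choice of w and the sample secret are the example's own.

```python
# Added example (not from the paper): Algorithm 1 steps 2-3 and Gamma_i of Theorem 3.1 over Z_p.
import itertools
import random
def solve_mod_p(cols, target, p):
    """x with sum(x[k]*cols[k]) == target (mod p), or None if target is not in the
    span of cols (Gaussian elimination on the augmented matrix)."""
    n, rows = len(cols), len(target)
    m = [[c[r] % p for c in cols] + [target[r] % p] for r in range(rows)]
    pivots, r = [], 0
    for c in range(n):
        piv = next((i for i in range(r, rows) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], -1, p)
        m[r] = [v * inv % p for v in m[r]]
        for i in range(rows):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % p for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    if any(row[n] for row in m[r:]):      # a row 0 ... 0 | nonzero: inconsistent
        return None
    x = [0] * n
    for i, c in enumerate(pivots):
        x[c] = m[i][n]
    return x
def col(G, j):
    return [row[j - 1] for row in G]      # 1-based column index, as in the paper
def access_structure(G, p, allowed):
    """Gamma_i: subsets of the distributed columns whose columns span column 1."""
    return [S for k in range(1, len(allowed) + 1)
            for S in itertools.combinations(allowed, k)
            if solve_mod_p([col(G, j) for j in S], col(G, 1), p) is not None]
def share(G, p, secret, seed=None):
    """Steps 2-3: pick w with w * col 1 = secret; entry h of w * G is the share for
    column h (entry 1 is the secret itself and stays with the dealer)."""
    rng, c1 = random.Random(seed), col(G, 1)
    t = next(i for i, v in enumerate(c1) if v % p)     # assumes column 1 is nonzero
    w = [rng.randrange(p) for _ in G]
    rest = sum(w[i] * c1[i] for i in range(len(G)) if i != t)
    w[t] = (secret - rest) * pow(c1[t], -1, p) % p
    return [sum(wi * row[h] for wi, row in zip(w, G)) % p for h in range(len(G[0]))]
def recover(G, p, subset, shares):
    """Proof of Theorem 3.1: col 1 = sum x_k col h_k, so the secret is sum u_{h_k} x_k."""
    x = solve_mod_p([col(G, j) for j in subset], col(G, 1), p)
    return None if x is None else sum(shares[j - 1] * xk for j, xk in zip(subset, x)) % p

# G1, G2, G3 of Example 2 (first option) over Z_5, rows as printed in the paper.
G1 = [[1, 0, 0, 1, 1, 0], [0, 1, 1, 0, 0, 1]]
G2 = [[1, 1, 4, 4, 0, 0], [0, 1, 0, 4, 1, 4]]
G3 = [[1, 4, 1, 4, 0, 0], [0, 0, 1, 1, 4, 4]]
```

Running `access_structure` on `G1` with every column allowed returns one-element sets, which is why the paper keeps that partial secret with the dealer; on `G2` and `G3` with the withheld column excluded it returns exactly the $\Gamma_2$ and $\Gamma_3$ listed above.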
Another option, so that the dealer keeps nothing secret, is to consider the complete
orthogonal set of idempotents $\{e_1 + e_3, e_2 + e_4\}$, which gives the generator matrices $G_1$ and $G_2$
given by
$$G_1 = \begin{pmatrix} 1 & 1 & 3 & 3 & 2 & 2 \\ 0 & 1 & 1 & 0 & 4 & 2 \\ 0 & 0 & 1 & 1 & 3 & 3 \end{pmatrix}, \quad G_2 = \begin{pmatrix} 1 & 4 & 2 & 2 & 3 & 3 \\ 0 & 0 & 1 & 0 & 4 & 0 \\ 0 & 0 & 0 & 1 & 0 & 4 \end{pmatrix}$$
In this case we cannot give out the second column of $G_2$. Now the access structure is given by $\Gamma_1$,
which is formed by any group with three or more shares, and
$\Gamma_2 = \{(y_3, y_5), (y_4, y_6), (y_3, y_4, y_5), (y_3, y_5, y_6), (y_3, y_4, y_6), (y_4, y_5, y_6), (y_3, y_4, y_5, y_6)\}$.
We can apply the same to any finite non-commutative group ring
$\mathbb{Z}_p[G(k, q, r)]$, where $G(k, q, r) = \langle x, y \mid x^k = y^q = 1, yx = x^r y \rangle$, obtaining, with the idempotents,
generator matrices of metacyclic codes (cf. [8]).

Example 3: A non-commutative infinite example. Let $N = \mathbb{Q}[S_3]$. Using the same technique as
in Example 2 we get a complete set of orthogonal idempotents
$$e_1 = \tfrac{1}{2}() - \tfrac{1}{2}(2, 3) + \tfrac{1}{6}(1, 2) + \tfrac{1}{6}(1, 2, 3) - \tfrac{1}{6}(1, 3, 2) - \tfrac{1}{6}(1, 3)$$
$$e_2 = \tfrac{1}{2}() + \tfrac{1}{2}(2, 3) - \tfrac{1}{6}(1, 2) - \tfrac{1}{6}(1, 2, 3) + \tfrac{1}{6}(1, 3, 2) + \tfrac{1}{6}(1, 3)$$
which give the generator matrices $G_1$ and $G_2$
$$G_1 = \begin{pmatrix} 1 & -1 & \frac{1}{3} & \frac{1}{3} & -\frac{1}{3} & -\frac{1}{3} \\ 0 & 0 & 1 & -5 & -1 & 5 \\ 0 & 0 & 0 & 1 & 0 & -1 \end{pmatrix}, \quad G_2 = \begin{pmatrix} 1 & 1 & -\frac{1}{3} & -\frac{1}{3} & \frac{1}{3} & \frac{1}{3} \\ 0 & 1 & -\frac{2}{3} & -\frac{5}{3} & \frac{2}{3} & -\frac{4}{3} \\ 0 & 0 & 1 & 1 & \frac{1}{2} & \frac{1}{2} \end{pmatrix}$$
Now, with the 2nd column of $G_1$ also kept secret, we get the access structure $\Gamma$.

Acknowledgement
The authors are supported by Junta de Andalucía FQM 0211. The first author is also supported
by MTM2005-03227, and the second and third authors are also supported by TEC2006-12211-C02-02.


References

[1] F.W. ANDERSON and K.R. FULLER, Rings and Categories of Modules (second edition),
Springer, 1992.
[2] G.R. BLAKLEY, Safeguarding cryptographic keys, in Proc. Amer. Fed. Inform. Proc. Soc.
1979 NCC, vol. 48, pp. 313-317, June 1979.
[3] E. BRICKELL, Some Ideal Secret Sharing Schemes, in Advances in Cryptology-Proceedings
of CRYPTO’89 (J.-J. Quisquater and J. Vandewalle, eds.), vol. 434 of Lecture Notes in
Computer Science, pp. 468-475, Springer-Verlag, 1990.
[4] M. GREFERATH, A. NECHAEV, and R. WISBAUER, Finite Quasi-Frobenius Modules
and Linear Codes, Journal of Algebra and its Applications, vol. 3(3), pp. 247-272, 2004.
[5] H. GHODOSI, J. PIEPRZYK, and R. SAFAVI-NAINI, Secret Sharing in Multilevel and
Compartmented Groups, in ACISP’98 (C. Boyd and E. Dawson, eds.), vol. 1438 of Lecture
Notes in Computer Science, pp. 367-378, Springer-Verlag, 1998.
[6] E.D. KARNIN, J.W. GREENE, and M.E. HELLMAN, On Secret Sharing Systems, IEEE
Transactions on Information Theory, vol. 29(1), pp. 35-41, Jan. 1983.
[7] C.W. CURTIS and I. REINER, Representation Theory of Finite Groups and Associative Algebras,
Wiley-Interscience, New York, 1962.
[8] R.E. SABIN, Metacyclic Error-Correcting Codes, AAECC, vol. 6, pp. 191-210, 1995.
[9] A. SHAMIR, How to Share a Secret, Communications of the ACM, vol. 22, pp. 612-613,
Nov. 1979.
[10] G. SIMMONS, How to (Really) Share a Secret, in Advances in Cryptology-Proceedings
of CRYPTO’88 (S. Goldwasser, ed.), vol. 403 of Lecture Notes in Computer Science, pp.
390-448, Springer-Verlag, 1990.
[11] The GAP Group, GAP - Groups, Algorithms, and Programming, Version 4.4; 2005,
(http://www.gap-system.org).

Current address

J.M. Garcı́a-Rubira
Departamento de Algebra y Análisis Matemático
Universidad de Almerı́a
04120 Almerı́a, Spain, e-mail: jgr836@ual.es
J.A. López-Ramos
Departamento de Algebra y Análisis Matemático
Universidad de Almerı́a
04120 Almerı́a, Spain, e-mail: jlopez@ual.es
J. Peralta
Departamento de Algebra y Análisis Matemático
Universidad de Almerı́a
04120 Almerı́a, Spain, e-mail: jperalta@ual.es
