Asymptotically ideal Chinese remainder theorem-based secret sharing schemes for multilevel and compartmented access structures

Ferucio Laurenţiu Ţiplea, Department of Computer Science, Alexandru Ioan Cuza University of Iasi, Iasi 700506, Romania. Email: ferucio.tiplea@uaic.ro

Abstract
Multilevel and compartmented access structures are two important classes of access structures where participants are grouped into levels/compartments with different degrees of trust and privileges. The construction of secret sharing schemes for such access structures has attracted the attention of researchers for a long time. Two main approaches have been taken so far: one is based on polynomial interpolation and the other on the Chinese Remainder Theorem (CRT). In this article the first asymptotically ideal CRT-based secret sharing schemes for (disjunctive, conjunctive) multilevel and compartmented access structures are proposed. Our approach is compositional and it is based on a variant of the Asmuth-Bloom secret sharing scheme where some participants may have public shares. Based on this, the proposed secret sharing schemes for multilevel and compartmented access structures are asymptotically ideal if and only if they are based on 1-compact sequences of co-primes. Possible applications for secret image and multi-secret sharing are pointed out.


| INTRODUCTION AND PRELIMINARIES
Secret sharing schemes (SSS) are a fundamental tool in cryptography and information security. Their systematic study was initiated with the introduction of secret sharing for threshold access structures [1,2]. Threshold access structures are suitable when participants have the same degree of trust. However, many real-world applications need more complex access structures based on different degrees of trust and privileges associated to participants. Multilevel (also called hierarchical) [3,4] and compartmented [3] access structures are two important classes of access structures proposed to cope with this problem. In both of them, the set of participants is partitioned into groups called levels (in the case of multilevel access structures) or compartments (in the case of compartmented access structures). Thresholds are assigned to these groups, and authorised sets are defined on that basis.
Designing secret sharing schemes for multilevel and compartmented access structures is of crucial importance. Two main approaches along this direction have been taken so far: one of them is based on polynomial interpolation and the other one is based on CRT. In this paper we will focus on the second approach.
CRT was intensively used in the design of secret sharing schemes [5-18]. As a standard procedure, a sequence of pairwise co-prime positive integers with special properties is first computed. Then, the private shares are obtained by dividing the secret or a secret-dependent quantity by the numbers in the sequence and collecting the remainders. To recover the secret, the CRT is applied on a number of congruences defined by some private shares.
The security of the CRT-based secret sharing schemes has been poorly understood for quite a long time. In 2002, Quisquater et al. [8] have introduced the concepts of asymptotic perfectness and asymptotic idealness, and initiated the study of

| Contribution
In this article, we continue the study of CRT-based secret sharing schemes by considering multilevel and compartmented access structures. Thus, we propose the first asymptotically ideal CRT-based secret sharing schemes for such access structures. To do that, a variant of the Asmuth-Bloom threshold secret sharing scheme is first introduced that allows participants to publish some information about their private shares. We prove that this scheme is asymptotically ideal and then we use it to reason about the security of all the other schemes proposed in our paper. More precisely, we show that our schemes are asymptotically ideal if and only if they are based on 1-compact sequences of co-primes. Taking into account that sequences of this kind can be very efficiently generated (see our Section 5), we conclude that our schemes are not only the most secure but also among the most efficient CRT-based secret sharing schemes.

| Paper structure
Our paper is organised into seven sections. The rest of this section fixes the basic concepts and notation used throughout our paper. The second section is dedicated to the Asmuth-Bloom secret sharing scheme with public shares. Then, in the third section, we propose CRT-based secret sharing schemes for disjunctive and conjunctive multilevel, and compartmented, access structures. We also study their security. The fourth section discusses the possibility of replacing the Asmuth-Bloom threshold secret sharing scheme with other threshold secret sharing schemes. The efficiency of implementing our schemes is the topic of the fifth section. An extensive discussion of the related work is given in Section 6. We conclude the article in the last section.

| Preliminaries
The set of integers (positive integers) is denoted by $\mathbb{Z}$ ($\mathbb{N}$). A positive integer $a > 1$ is a prime number if the only positive divisors of it are one and $a$. Given two integers $a$ and $b$, the notation $(a, b)$ stands for the greatest common divisor of $a$ and $b$. The integers $a$ and $b$ are called co-prime if $(a, b) = 1$, and they are called congruent modulo $n$, denoted $a \equiv b \bmod n$ or $a \equiv_n b$, if $n$ divides $a - b$ ($n$ is an integer too). The notation $a = b \bmod n$ means that $a$ is the remainder of the integer division of $b$ by $n$. The set of all congruence classes modulo $n$ is denoted $\mathbb{Z}_n$.
The Chinese Remainder Theorem (CRT) [21] states that, given a finite non-empty set $I$ of positive integers and the integers $b_i$ and $m_i$ for all $i \in I$, the system of congruences has a unique solution modulo $\prod_{i \in I} m_i$, provided that $m_i$ and $m_j$ are co-prime for any $i, j \in I$ with $i \neq j$.
Recall a few notations regarding the Shannon entropy (for details, the reader is referred to [22]). Given a random variable X with outcomes in a set V, the (Shannon) entropy of X, denoted H(X), is defined by with the mathematical convention 0 log 0 = 0 (P(X = v) is the probability mass function of the outcome v).
Given two random variables $X$ and $Y$, $H(X \mid Y)$ stands for the entropy of $X$ conditioned by $Y$.

| ASMUTH-BLOOM SECRET SHARING WITH PUBLIC SHARES
We propose in this section a new variant of the Asmuth-Bloom secret sharing scheme [5]. The main idea is to partition the set $U$ of participants into two disjoint subsets $U_1$ and $U_2$ (not necessarily both of them non-empty). The participants in $U_1$ receive private shares computed as in the Asmuth-Bloom secret sharing scheme. The participants in $U_2$ choose private shares by themselves and then make public some information about these shares.
We will prove that this new variant of the Asmuth-Bloom secret sharing scheme is asymptotically ideal if and only if it is based on 1-compact sequences of co-primes [10] (this is similar to the result established in [20] on the original Asmuth-Bloom secret sharing scheme).
Adding public shares to threshold secret sharing schemes might not appear relevant at first sight. However, as we will see in Section 3, we are sometimes in the position of combining several Asmuth-Bloom secret sharing schemes with common participants. Each common participant will be assigned exactly one private share for one of the schemes. The private share will then be used to derive public shares for the other schemes, allowing the participant to take part in those schemes.

| Description of the scheme
We begin by fixing the terminology and notation on threshold access structures and sequences of co-primes.
A threshold access structure (TAS) is a triple $(U, t + 1, \Gamma)$ consisting of a finite set $U$ of participants, an integer $t + 1$ satisfying $0 < t + 1 \leq |U|$, and a set $\Gamma$ defined by The integer $t + 1$ is called the threshold of the access structure, and each set $A \in \Gamma$ is called an authorised set. Sometimes, $\Gamma$ is called the $(t + 1)$-threshold access structure over $U$.
It is customary in secret sharing to consider the set U of participants of the form U = {1, …, n}. In such a case, Γ is also referred to as the (t + 1, n)-threshold access structure.
A sequence of co-primes is a sequence $m_0, m_1, \ldots, m_n$ (sometimes written as a vector $L = (m_0, m_1, \ldots, m_n)$ or even $L : m_0, m_1, \ldots, m_n$) of pairwise co-prime strictly positive integers, where $n \geq 1$. The length of this sequence is $n + 1$. An element of this sequence is referred to as a co-prime.
An Asmuth-Bloom $(t + 1, n)$-threshold sequence of co-primes, where $t$ and $n$ are two integers with $0 < t + 1 \leq n$, is a sequence of co-primes $m_0, m_1, \ldots, m_n$ that satisfies the following properties: One has to remark that the Asmuth-Bloom constraint also implies $m_0 < m_1$.
Now, we are in a position to introduce Scheme 1. Within it, $(t + 1, \Gamma)$ is a threshold access structure over $U = \{1, \ldots, n\}$
We would like to emphasize that the private shares for participants in $U_1$ are computed by a modular reduction of the secret $s'$, while the private shares for participants in $U_2$ are randomly generated from the share space. One may also think of it as follows. For a participant $i \in U_2$ a secret value $s$ is first computed as for participants in $U_1$, namely $s = s' \bmod m_i$. Then, $s$ is randomly split into two parts, $s_i$ and $w_i$; $s_i$ is kept as a private share, while $w_i$ is made public.
It is straightforward to prove the soundness of the secret reconstruction in Scheme 1. Assume $A \in \Gamma$. Then,
• The congruence $w_i \equiv (s' - s_i) \bmod m_i$ is equivalent to the congruence $s' \equiv (s_i + w_i) \bmod m_i$, for all $i \in U_2$. As a conclusion, the system (2) of congruences has the unique solution $s'$ modulo $\prod_{i \in I} m_i$
• As $s' = s + r m_0 < \prod_{i=1}^{t+1} m_i$ for some $r \geq 0$, it follows $s = s' \bmod m_0$.
When $U_2$ is the empty set in Scheme 1, the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U, \emptyset)$ is in fact the original Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $U$ [5].
An Asmuth-Bloom secret sharing scheme with public shares is an Asmuth-Bloom secret sharing scheme for some threshold access structure $(t + 1, \Gamma)$ over a partition $(U_1, U_2)$ of a set $U = \{1, \ldots, n\}$ of participants. Scheme 1 is a generic secret sharing scheme in the sense that it consists of formal parameters. When these parameters are assigned specific values we obtain what is called a realization of Scheme 1. We will frequently make use of this terminology in the rest of the paper.
Example 1. We present here a realization of Scheme 1 with artificially small actual parameters. Let $U = \{1, 2, 3, 4, 5\}$ be the set of participants, $U_1 = \{1, 2, 3\}$, $U_2 = \{4, 5\}$, and let $t + 1 = 3$ be the threshold. Consider the following Asmuth-Bloom (3, 5)-threshold sequence of co-primes 7, 17, 19, 23, 29, 31 (one may easily check that it fulfils the Asmuth-Bloom constraint).
To share the secret $s = 4 \in \mathbb{Z}_7$, we first generate a random $r$, say $r = 999$, and compute $s' = 4 + 7 \cdot 999 = 6997$. Then,
• The participants in $U_1$ receive the private shares 10, 5, 5 (in this order)
• The participants in $U_2$ may receive the private shares 11 and 19, while their public shares are 26 and 3 (in this order).
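The sharing and reconstruction steps of Example 1, as an added Python example (not code from the paper). The formal statements of Scheme 1 and of the Asmuth-Bloom constraint did not survive on this page, so the standard constraint is assumed, and all function names are hypothetical.

```python
from math import gcd, prod

# Parameters of Example 1 on this page: m_0, m_1, ..., m_5; threshold t + 1 = 3.
MODULI = [7, 17, 19, 23, 29, 31]
T = 2


def is_asmuth_bloom_sequence(moduli, t):
    """Pairwise co-prime, m_1 < ... < m_n, and the standard Asmuth-Bloom
    constraint (assumed here): m_0 times the t largest moduli is smaller
    than the product of the t + 1 smallest ones."""
    rest = moduli[1:]
    coprime = all(gcd(a, b) == 1
                  for k, a in enumerate(moduli) for b in moduli[k + 1:])
    increasing = all(a < b for a, b in zip(rest, rest[1:]))
    bound_ok = moduli[0] * prod(rest[len(rest) - t:]) < prod(rest[:t + 1])
    return coprime and increasing and bound_ok


def deal(secret, r, moduli, t, u1, chosen):
    """Return (private, public) share dicts keyed by participant index.

    u1     -- participants in U_1; their private share is s' mod m_i
    chosen -- {i: s_i}, private shares picked by the participants in U_2
    r is a parameter only to reproduce the example; a dealer would draw it
    from a CSPRNG such as secrets.randbelow().
    """
    if not is_asmuth_bloom_sequence(moduli, t):
        raise ValueError("not an Asmuth-Bloom sequence for this threshold")
    if not 0 <= secret < moduli[0]:
        raise ValueError("secret must lie in Z_{m_0}")
    s_prime = secret + r * moduli[0]
    if r < 0 or s_prime >= prod(moduli[1:t + 2]):
        raise ValueError("s' must stay below the product of the t + 1 smallest moduli")
    private = {i: s_prime % moduli[i] for i in u1}
    public = {}
    for i, s_i in chosen.items():
        private[i] = s_i % moduli[i]
        public[i] = (s_prime - s_i) % moduli[i]   # w_i = (s' - s_i) mod m_i
    return private, public


def crt(residues, moduli):
    """Solve x = residues[k] (mod moduli[k]); return (x, product of moduli)."""
    x, m = 0, 1
    for r_i, m_i in zip(residues, moduli):
        # Lift the solution modulo m to the solution modulo m * m_i.
        x += m * (((r_i - x) * pow(m, -1, m_i)) % m_i)
        m *= m_i
    return x, m


def solve_congruences(group, private, public, moduli):
    # Participants in U_2 contribute s_i + w_i; those in U_1 contribute s_i.
    residues = [(private[i] + public.get(i, 0)) % moduli[i] for i in group]
    return crt(residues, [moduli[i] for i in group])


def reconstruct(group, private, public, moduli, t):
    """Recover the secret from an authorised group (at least t + 1 members)."""
    if len(set(group)) < t + 1:
        raise ValueError("fewer than t + 1 participants")
    s_prime, _ = solve_congruences(group, private, public, moduli)
    return s_prime % moduli[0]


def consistent_secrets(group, private, public, moduli, t):
    """Secrets that remain possible given the shares of an undersized group."""
    x0, m = solve_congruences(group, private, public, moduli)
    bound = prod(moduli[1:t + 2])
    return {x % moduli[0] for x in range(x0, bound, m)}
```

With only participants 4 and 5, eight candidate values of s' remain below the bound and they cover all seven secrets, so no secret is ruled out, although the cover is uneven at this parameter size.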

| Security concepts and results
We will focus now on the security of the Asmuth-Bloom secret sharing scheme with public shares. The concepts and results we prove are natural extensions of the ones in [8,10,20].
Given $m_0, m_1, \ldots, m_n$ a sequence of co-primes, $(U_1, U_2)$ a partition of $U = \{1, \ldots, n\}$, $I \subseteq U$, and $J \subseteq U_2$, consider three random variables $X$, $Y_I$, and $W_J$ which take values as follows: The meaning of these variables is as follows: the variable $X$ returns secret values $s \in \mathbb{Z}_{m_0}$. An output of $Y_I$ gives information about the private shares of the participants in $I \cap U_1$ and of the pairs (private share, public share) of the participants in $I \cap U_2$. Finally, an output $w_J$ of $W_J$ gives information on the public shares of the participants in $J$.
Given these random variables, define the loss of entropy $\Delta(y_I)$ with respect to $y_I \in \Pi_I$ by $\Delta(y_I) = H(X) - H(X \mid Y_I = y_I)$, and the loss of entropy $\Delta(y_I, w_J)$ with respect to $y_I \in \Pi_I$ and $w_J \in \Pi_J$ by Of course, $\Delta(y_I, w_J)$ makes sense only for non-empty subsets $J$ of $U_2 \setminus I$.
Now we are ready to introduce the security concepts for the Asmuth-Bloom secret sharing scheme with public shares. We follow a similar line to the one in [8,10,20] and introduce the concepts of asymptotic perfectness, asymptotic information rate, and asymptotic idealness.
The asymptotic perfectness of a secret sharing scheme means that unauthorized sets of participants can obtain no information, in the asymptotic sense, about the secret.
Definition 1. Let $(U_1, U_2)$ be a partition of $U = \{1, \ldots, n\}$, $t$ be an integer such that $0 < t + 1 \leq n$, and $\Gamma$ be the $(t + 1)$-threshold access structure over $U$. The Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$ is called asymptotically perfect if, for any non-empty subset $I \subseteq U$ with $|I| \leq t$ and any $\epsilon \in (0, 1)$, there exists $m \geq 0$ such that for any Asmuth-Bloom $(t + 1, n)$-threshold sequence of co-primes $m_0, m_1, \ldots, m_n$ with $m_0 \geq m$, the following properties hold:
• $H(X) \neq 0$;
• $|\Delta(y_I, w_{U_2 - I})| < \epsilon$, for any $y_I \in \Pi_I$ and $w_{U_2 - I} \in \Pi_{U_2 - I}$.
If the information rate of the participants in a secret sharing scheme goes to $r$, we say that the information rate of the scheme goes to $r$.
Definition 2. Let $(U_1, U_2)$ be a partition of $U = \{1, \ldots, n\}$, $t$ be an integer such that $0 < t + 1 \leq n$, and $\Gamma$ be the $(t + 1)$-threshold access structure over $U$. We say that the information rate of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$ goes asymptotically to $r$, where $r > 0$ is a real number, if for any $\epsilon \in (0, 1)$ there exists $m \geq 0$ such that for any Asmuth-Bloom $(t + 1, n)$-threshold sequence of co-primes $m_0, m_1, \ldots, m_n$ with $m_0 \geq m$ and any $1 \leq i \leq n$ the following holds:
Combining Definitions 1 and 2, we obtain:
Definition 3. Let $(U_1, U_2)$ be a partition of $U = \{1, \ldots, n\}$, $t$ be an integer such that $0 < t + 1 \leq n$, and $\Gamma$ be the $(t + 1)$-threshold access structure over $U$. The Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$ is asymptotically ideal if it is asymptotically perfect and its information rate goes asymptotically to 1.
We prove next that the security of the Asmuth-Bloom secret sharing scheme with public shares is equivalent to the security of the original Asmuth-Bloom secret sharing scheme. We begin with a few results that establish a connection between the loss of entropy in the original Asmuth-Bloom secret sharing scheme and the Asmuth-Bloom secret sharing scheme with public shares.
Lemma 1. Let $(U_1, U_2)$ be a partition of $U = \{1, \ldots, n\}$, $t$ be an integer such that $0 < t + 1 \leq n$, and $\Gamma$ be the $(t + 1)$-threshold access structure over $U$. The loss of entropy of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$, under the uniform distribution on the secret space, satisfies for any non-empty subset $I \subseteq U$, any $J \subseteq U_2 \setminus I$, any Asmuth-Bloom $(t + 1, n)$-threshold sequence of co-primes $m_0, m_1, \ldots, m_n$, any $y_I \in \Pi_I$, and any $w_J \in \Pi_J$.
Proof: According to the definition of loss of entropy, it is sufficient to show that $H(X \mid Y_I = y_I) = H(X \mid Y_I = y_I, W_J = w_J)$. This comes down to proving that, for any $s \in \mathbb{Z}_{m_0}$, the following holds: When $|I| \geq t + 1$, both probabilities in Equation (4) are one because the secret is uniquely recovered by at least $t + 1$ participants.
Assume $|I| \leq t$ and $J \neq \emptyset$. Let $y_I(i) = y_i \in \mathbb{Z}_{m_i}$ for $i \in I \cap U_1$, and $y_I(i) = (y_i, w_i) \in \mathbb{Z}_{m_i} \times \mathbb{Z}_{m_i}$ for $i \in I \cap U_2$. Consider now the following systems of equations: and where $z_j$ is a variable for the private share of the participant $j \in J$ (the participants in $I$ do not know the private shares of the participants in $J$).
The only variable (non-determinate) of (5) is $x$, while the variables of (6) are $x$ and $z_j$ for all $j \in J$. According to the way private shares were computed for participants in $U_2$, $z_j$ may take any value in $\mathbb{Z}_{m_j}$ with equal probability, for all $j \in J$.
Any solution $\alpha$ to the system (5) leads to a unique solution $(\alpha, \beta_J)$ to the system (6). Conversely, if $(\alpha, \beta_J)$ is a solution to the system (6), then $\alpha$ is a solution to the system (5). Moreover, for a given vector $\beta_J$ of solutions to the vector $z_J$ of variables, there exists exactly one solution $\alpha$ to $x$.
As a consequence, the number of solutions to (5) equals the number of solutions to (6), and the number of solutions to (5) with $x = s$ equals the number of solutions to (6) with $x = s$. As the probabilities in (4) are computed as a fraction of the number of solutions with $x = s$ by the total number of solutions, we deduce that (4) must hold. □
Lemma 2. For any realization of the Asmuth-Bloom secret sharing scheme with public shares there exists a realization with the same loss of entropy of the Asmuth-Bloom secret sharing scheme (without public shares) and vice-versa.
Proof: Let $(U_1, U_2)$ be a partition of $U = \{1, \ldots, n\}$, $t$ be an integer such that $0 < t + 1 \leq n$, and $\Gamma$ be the $(t + 1)$-threshold access structure over $U$. If a sequence $m_0, m_1, \ldots, m_n$ of co-primes defines a realization of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$, then the same sequence of co-primes defines a realization of the Asmuth-Bloom secret sharing scheme over $U = U_1 \cup U_2$. Given $I \subseteq U$, $J \subseteq U_2 \setminus I$, $y_I \in \Pi_I$, and $w_J \in \Pi_J$, consider $y'_I \in \prod_{i \in I} \mathbb{Z}_{m_i}$ defined as follows: It is clear that $\Delta(y_I) = \Delta(y'_I)$ (the same system (6) of congruences is used to compute the loss of entropy both in the case when $m_0, m_1, \ldots, m_n$ defines a realization of the Asmuth-Bloom secret sharing scheme with public shares for $(t + 1, \Gamma)$ over $(U_1, U_2)$ and in the case when $m_0, m_1, \ldots, m_n$ defines a realization of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $U$). Lemma 1 leads to $\Delta(y_I, w_J) = \Delta(y_I)$ and, therefore, $\Delta(y_I, w_J) = \Delta(y'_I)$.
Vice-versa, if $m_0, m_1, \ldots, m_n$ defines a realization of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $U$, then the same sequence of co-primes defines a realization of the Asmuth-Bloom secret sharing scheme for $(t + 1, \Gamma)$ over $(U_1, U_2)$. Given $I \subseteq U$, $J \subseteq U_2 \setminus I$, consider $y'_I \in \Pi_I$ defined as follows: To prove soundness of $y'_I$ we need to show $w_i \equiv (s' - y_i) \bmod m_i$, where $s'$ is the secret used to define $y_I$ (i.e., $y_I(i) = s' \bmod m_i$), for all $i \in I \cap U_2$. This is simply obtained as follows: Now, exactly as in the first part of the proof, using Lemma 1, we obtain for any $w_J \in \Pi_J$. □
In [20], it was shown that the Asmuth-Bloom secret sharing scheme is asymptotically ideal if and only if it is based on 1-compact sequences of co-primes. We intend to prove the same result for the Asmuth-Bloom secret sharing scheme with private shares. Recall first a few concepts and results from [20].
Definition 4. Let $L = (m_0, m_1, \ldots, m_n)$ be a sequence of co-primes.
For the sake of terminology, 1-compact sequences of co-primes will also be called compact sequences of co-primes.
Remark 1: For sufficiently large $m_0$, $k$-compact sequences $m_0, m_1, \ldots, m_n$ of co-primes with $k > 1$ satisfy the Asmuth- which shows that $m_0, m_1, \ldots, m_n$ is an Asmuth-Bloom sequence of co-primes for sufficiently large $m_0$. The Asmuth-Bloom secret sharing scheme (with or without public shares) can be changed by replacing the Asmuth-Bloom sequences of co-primes in the parameter setup phase by $k$-compact sequences of co-primes. We will refer to the scheme thus obtained as the Asmuth-Bloom secret sharing scheme (with or without public shares) based on $k$-compact sequences of co-primes.
The previous results and remarks do not depend on the type of sequence of co-primes on which the Asmuth-Bloom secret sharing scheme (with or without public shares) is based. That is, they all hold as well if the Asmuth-Bloom secret sharing scheme (with or without public shares) is based on $k$-compact sequences of co-primes.
The following important result was established in [20].
Theorem 1 [20]. Let $k \geq 1$ be an integer.
1. The Asmuth-Bloom secret sharing scheme, under the uniform distribution on the secret space, is asymptotically perfect and its information rate goes asymptotically to $k$ if and only if it is based on $k$-compact sequences of co-primes.
2. The Asmuth-Bloom secret sharing scheme is asymptotically ideal with respect to the uniform distribution on the secret space if and only if it is based on 1-compact sequences of co-primes.
As a conclusion, we obtain the following important results.
Corollary 1: The Asmuth-Bloom secret sharing scheme with public shares is asymptotically ideal with respect to the uniform distribution on the secret space if and only if it is based on 1-compact sequences of co-primes.
Proof: Directly from Theorem 1 and Lemma 2.
Remark 2: It was shown in [23] (Proposition 4.6.7 on page 118) that the Asmuth-Bloom secret sharing scheme is not asymptotically perfect if it is based on $k$-compact sequences of co-primes where $k > 1$ is real but not an integer.
In the view of Lemma 2, this remark holds true for the Asmuth-Bloom secret sharing scheme with public shares as well.
Remark 3: The utilization of compact sequences to define realisations of the Asmuth-Bloom secret sharing scheme (with or without public shares) instead of Asmuth-Bloom sequences of co-primes has not only the advantage of providing good security. It also provides important advantages when one wants to add new participants to or change the threshold of some current realization. Assume that we want to add a new participant to an Asmuth-Bloom secret sharing realization given by a compact sequence $L$ of co-primes. We may assume that $m_0$ and $\theta$ are chosen so that the interval $(m_0 - m_0^{\theta}, m_0 + m_0^{\theta})$ accommodates much larger sequences of co-primes than $L$ (in practice, $L$ might consist of a few hundred co-primes, while $(m_0 - m_0^{\theta}, m_0 + m_0^{\theta})$ may easily accommodate sequences of tens of thousands of co-primes). Therefore, what we have to do in order to add a new participant is to extend $L$ by a new modulus. This can be simply done by repeatedly incrementing the last co-prime of $L$ until a new co-prime is reached (see Algorithm 1 in Section 5 for details on how this can be done). For Asmuth-Bloom sequences, this methodology of adding new participants might easily violate the Asmuth-Bloom constraint and so, it might require the generation of a new Asmuth-Bloom sequence.
Changing the threshold of the scheme does not require modification of the current sequence of co-primes if it is compact (but it does if it is an Asmuth-Bloom sequence).
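How quickly the increment-until-co-prime extension of Remark 3 breaks an Asmuth-Bloom sequence, shown on the sequence of Example 1 as an added Python example (not the paper's Algorithm 1, which is not on this page). The constraint is the standard Asmuth-Bloom one, assumed here, and the function names are hypothetical.

```python
from math import gcd, prod


def asmuth_bloom_holds(moduli, t):
    """Assumed standard constraint: m_0 times the t largest moduli must be
    smaller than the product of the t + 1 smallest ones."""
    rest = sorted(moduli[1:])
    return moduli[0] * prod(rest[len(rest) - t:]) < prod(rest[:t + 1])


def next_coprime(moduli):
    """Increment past the last modulus until the candidate is co-prime to
    every element already in the sequence."""
    candidate = moduli[-1] + 1
    while any(gcd(candidate, m) != 1 for m in moduli):
        candidate += 1
    return candidate


def add_participants(moduli, t, count):
    """Extend the sequence `count` times. Returns one (new modulus,
    constraint still holds) pair per added participant."""
    seq, report = list(moduli), []
    for _ in range(count):
        seq.append(next_coprime(seq))
        report.append((seq[-1], asmuth_bloom_holds(seq, t)))
    return report


if __name__ == "__main__":
    # Sequence of Example 1 with threshold t + 1 = 3.
    for modulus, ok in add_participants([7, 17, 19, 23, 29, 31], 2, 3):
        print(modulus, "constraint holds" if ok else "constraint violated")
```

On this sequence the moduli 32 and 33 can be appended, but the third new participant (modulus 37) already violates the constraint, so a fresh Asmuth-Bloom sequence would have to be generated.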

| APPLICATIONS
Threshold access structures are suitable when participants have the same degree of trust. However, many real-world applications need more complex access structures based on partitioning the participants into groups with different privileges. Multilevel (also called hierarchical) [3,4] and compartmented [3] access structures are two important classes of access structures proposed to cope with this problem. In both, the set of participants is partitioned into groups called levels (in the case of multilevel access structures) or compartments (in the case of compartmented access structures). Thresholds are assigned to these groups, and authorised sets are defined on that basis.
In this section we illustrate how the Asmuth-Bloom secret sharing scheme with public shares can be used to define efficient CRT-based secret sharing schemes for multilevel and compartmented access structures.

| Multilevel access structures: the disjunctive case
In a multilevel access structure [3,4] the users are distributed on levels. A threshold is assigned to each level and the increasing order of thresholds defines a total order on levels.
The level with the least threshold is the highest privileged level, while the level with the highest threshold is the least privileged level. A participant in some level can act in any level less privileged than his/her own level. The disjunctive and the conjunctive access structures are two main approaches to define authorised sets in multilevel access structures. The first one is the topic of this sub-section, while the second one will be considered in the next sub-section.
A disjunctive multilevel access structure (DMAS) over a finite set $U$ of participants [31] is a tuple $(\mathcal{U}, \mathbf{t}, \Gamma)$, where:
• $\mathcal{U} = (U_1, \ldots, U_q)$ is a partition of $U$ into $q \geq 1$ non-empty subsets called levels (the number of participants in $U_i$ is $n_i$, for all $1 \leq i \leq q$, and $n$ is the number of all participants in $U$);
• $\mathbf{t} = (t_1 + 1, \ldots, t_q + 1)$ is a vector of strictly positive integers called thresholds that satisfy $0 \leq t_1 < \cdots < t_q$ and $\sum_{i=1}^{\ell} n_i \geq t_\ell + 1$ for all $1 \leq \ell \leq q$;
ŢIPLEA AND DRĂGAN - 287
• $\Gamma$ is the set of all authorised sets defined by
As one can see, the participants on the levels $U_1, \ldots, U_{\ell-1}$ can act as participants on level $\ell$ in the authorised sets $A$ with $|A \cap (\cup_{i=1}^{\ell} U_i)| \geq t_\ell + 1$, in order to recover the secret.
In what follows in this section, the notation for any DMAS $(\mathcal{U}, \mathbf{t}, \Gamma)$ over $U$ is as above. Moreover, given $A \subseteq U$ we abuse notation and write $(i, j) \in A$ instead of $j \in A \cap U_i$ to denote the $j$th participant of $U_i$.
We will provide CRT-based realisations of DMASs $(\mathcal{U}, \mathbf{t}, \Gamma)$ by sequences of co-primes of length $n + 1$
$L : m_0, m_{1,1}, \ldots, m_{1,n_1}, \ldots, m_{q,1}, \ldots, m_{q,n_q}$ (7)
with the following two properties:
1. $m_0$ is the least element of the sequence $L$;
2. $m_{i,1} < \cdots < m_{i,n_i}$, for all $1 \leq i \leq q$.
The integer $m_{i,j}$ is the modulus associated to $(i, j)$. Two important notations with respect to the sequence $L$ of co-primes and a level $i$, $1 \leq i \leq q$, are in order:
1. $L_i$ denotes the sub-sequence of $L$ given by
2. $\min(t_i + 1, L_i)$ denotes the set of the least $t_i + 1$ integers in $L_i \setminus \{m_0\}$.
Now we are able to describe our CRT-based secret sharing scheme for a DMAS $(\mathcal{U}, \mathbf{t}, \Gamma)$ (please see Scheme 2). The main idea is to give a private share to each participant $(i, j)$, and to compute public shares for $(i, j)$ on each level $\ell > i$.
It is straightforward to prove the soundness of our CRT-DMAS secret sharing scheme ($s_\ell$ is recovered as in the Asmuth-Bloom secret sharing scheme with public shares; then, $s$ is obtained by modulo $m_0$ reduction).
Any DMAS $(\mathcal{U}, \mathbf{t}, \Gamma)$ gives rise to a level $(t_\ell + 1)$-threshold access structure $\Gamma_\ell$ over $(U_\ell, \cup_{i=1}^{\ell-1} U_i)$, for each $1 \leq \ell \leq q$. Any realization of the CRT-DMAS for $(\mathcal{U}, \mathbf{t}, \Gamma)$ gives rise to a realization for the Asmuth-Bloom secret sharing scheme for $(t_\ell + 1, \Gamma_\ell)$ over $(U_\ell, \cup_{i=1}^{\ell-1} U_i)$, for all $1 \leq \ell \leq q$. Namely, this realization uses the sequence $L_\ell$ of co-primes and takes into account the private shares of the participants on the levels $U_1, \ldots, U_\ell$, as well as the public shares on level $\ell$ of the participants in $U_1, \ldots, U_{\ell-1}$.
The security of the CRT-DMAS secret sharing scheme can be similarly introduced as for the Asmuth-Bloom secret sharing scheme with public shares. The only thing we have to do is to redefine the ranges for the random variables $Y_I$ and $W_J$. Thus, using the notation in Scheme 2, we assume that: An output of $Y_I$ gives information about the private shares and the public shares of the participants in $I$, while an output of $W_J$ gives information about the public shares of the participants in $J$. As an example, if $y_I$ is an output of $Y_I$ and $(i, j) \in I$, then $y_I(i, j)$ has the form $y_I(i, j) = (s_{i,j}, w_{i,j}^{i+1}, \ldots, w_{i,j}^{q})$ (see Scheme 2 for notation).
Then, the loss of entropy, asymptotic perfectness, and asymptotic idealness can be defined as in Section 2.2. The next theorem establishes the security of our CRT-DMAS scheme.

Theorem 2. The CRT-DMAS secret sharing scheme is asymptotically ideal with respect to the uniform distribution on the secret space if and only if it is based on 1-compact sequences of co-primes.
Proof: We will prove first that, given a level $1 \leq \ell \leq q$ and an unauthorized set $A$, the public information corresponding to the levels $r \neq \ell$ does not leak any supplementary information to $A$ in order to recover the secret $s_\ell$ (using the same notation as in the CRT-DMAS scheme description).
The system of equations corresponding to $A$ and to the level $\ell$ is While the system of equations corresponding to $A$ in the entire scheme is as given below: If $(x_\ell, (z_{i,j} \mid (i, j) \notin A, i \leq \ell))$ is a solution to (9), then one may simply obtain a solution to (10) as follows: assign values to all variables $z_{i,j}$ with $(i, j) \notin A$ and $i > \ell$, and then use CRT to get unique values for all $x_i$ with $i \neq \ell$. Moreover, distinct assignments to the variables $z_{i,j}$ as above give rise to distinct values for at least one variable $x_i$ with $i \neq \ell$ (this follows from the CRT).
There is one more important property that we need, namely: distinct solutions to (9) lead to the same number of solutions to (10). Let $\alpha$ be the number of solutions to (10) obtained from a solution to (9), $\mathrm{Sol}(n)$ be the number of solutions to the system ($n$) of equations, and $\mathrm{Sol}(n, x_\ell = s_\ell)$ be the number of solutions with $x_\ell = s_\ell$ to the system ($n$) of equations, where $n = 9, 10$. Then, This property shows that the probability of computing $s_\ell$ by means of (10) is exactly the probability of computing $s_\ell$ by means of (9). Plugging this into the definition of loss of entropy, we obtain that the loss of entropy associated to $A$ in the CRT-DMAS scheme when recovering $s_\ell$ is exactly the loss of entropy associated to $A$ in the Asmuth-Bloom scheme with public shares for the level $\ell$.
As a consequence of the above discussion, we obtain:
Fact 1: The CRT-DMAS secret sharing scheme for $(\mathcal{U}, \mathbf{t}, \Gamma)$ is asymptotically ideal if and only if the Asmuth-Bloom secret sharing schemes with public shares for its level threshold access structures are all asymptotically ideal.
We need one more remark before developing the proof of the theorem, namely:
Fact 2: A sequence $L$ of co-prime integers as in (7) is 1-compact if and only if the sub-sequences $L_i$ as in (8),
Now, the proof of the theorem works as follows. If the CRT-DMAS secret sharing scheme for $(\mathcal{U}, \mathbf{t}, \Gamma)$ is based on 1-compact sequences of co-primes, then the Asmuth-Bloom secret sharing schemes with public shares for its level threshold access structures are all based on 1-compact sequences of co-primes (Fact 2). Then, Corollary 1 shows that all these Asmuth-Bloom secret sharing schemes with public shares are asymptotically ideal, and Fact 1 leads to the asymptotic idealness of the CRT-DMAS secret sharing scheme for $(\mathcal{U}, \mathbf{t}, \Gamma)$.
Conversely, if the CRT-DMAS secret sharing scheme for $(\mathcal{U}, \mathbf{t}, \Gamma)$ is asymptotically ideal, then the Asmuth-Bloom secret sharing schemes with public shares for the level threshold access structures are asymptotically ideal (Fact 1). Corollary 1 shows then that these schemes are based on 1-compact sequences of co-primes. We apply now Fact 2 and deduce that the CRT-DMAS secret sharing scheme for $(\mathcal{U}, \mathbf{t}, \Gamma)$ is based on 1-compact sequences of co-primes. □

| Multilevel access structures: the conjunctive case
Conjunctive multilevel access structures have been proposed in [25] under the name of hierarchical threshold access structures. The terminology of conjunctive access structures was coined in [26] to make distinction between them and disjunctive access structures (both conjunctive and disjunctive access structures being sub-families of the family of hierarchical access structures).
Unlike disjunctive access structures, authorised sets in conjunctive access structures must exceed each threshold level. This means that authorised sets must be able to recover all level secrets. As a conclusion, conjunctive access structures are suitable when the master secret is firstly shared on levels and then, each level secret is shared to participants.
A conjunctive multilevel access structure (CMAS) over a finite set $U$ of participants is a tuple $(\mathcal{U}, \mathbf{t}, \Gamma)$, where:
• $\mathcal{U} = (U_1, \ldots, U_q)$ is a partition of $U$ into $q \geq 1$ non-empty subsets called levels (the number of participants in $U_i$ is $n_i$, for all $1 \leq i \leq q$, and $n$ is the number of all participants in $U$);
• $\mathbf{t} = (t_1 + 1, \ldots, t_q + 1)$ is a vector of strictly positive integers called thresholds that satisfy $0 \leq t_1 < \cdots < t_q$ and $n_i \geq t_i + 1$ for all $1 \leq i \leq q$;
• $\Gamma$ is the set of all authorised sets defined by
We further use the same terminology and notation as introduced in Section 3.1 to propose and analyse our CRT-based secret sharing scheme for conjunctive access structures (please see Scheme 3).
It is straightforward to prove that our CRT-CMAS secret sharing scheme is sound. With respect to its security, this can be defined as we did for the CRT-DMAS scheme. Then, we have the following result.

Theorem 3 The CRT-CMAS secret sharing scheme is asymptotically ideal with respect to the uniform distribution on the secret space if and only if it is based on 1-compact sequences of co-primes.
Proof: Recall first that the Karnin-Greene-Hellman secret sharing scheme is ideal (Theorem 41 in [27]). Therefore, when a secret s is shared into q pieces (see the CRT-CMAS scheme description), then:
1. Each share is uniformly distributed in the secret space (assuming that s is chosen uniformly at random from the secret space);
2. Fewer than q shares do not leak any information about s.
Now, the proof follows a similar line to the proof of Theorem 2. □

| Compartmented access structures
A compartmented access structure (CAS) [3] over a finite set U of participants is a tuple $(U, t, t + 1, \Gamma)$, where:
• $U = (U_1, \ldots, U_q)$ is a partition of U into q ≥ 1 non-empty subsets called compartments (the number of participants in $U_i$ is $n_i$, for all 1 ≤ i ≤ q, and n is the number of all participants in U);
• $t = (t_1 + 1, \ldots, t_q + 1)$ is a vector of strictly positive integers called thresholds that satisfy $0 < t_i + 1 \le n_i$ for all 1 ≤ i ≤ q;
• t is a global threshold satisfying $\sum_{i=1}^{q} (t_i + 1) \le t + 1 \le \sum_{i=1}^{q} n_i$;
• Γ is the set of all authorised sets defined by

The requirement '$(\forall 1 \le i \le q)\,(|A \cap U_i| \ge t_i + 1)$' says that A should include enough participants from each compartment $U_i$ in order to recover some 'compartment secret'; the requirement '$|A| \ge t + 1$' says that A should be large enough in order to recover some 'global secret'.
We will provide CRT-based realisations of CASs by sequences L of co-primes as in (7). Unlike the notation used in Section 3.1, the sub-sequence $L_i$ in this case is For any 1 ≤ i ≤ q. Moreover, define $L_{q+1} = L$. Now we are able to describe our proposal of a CRT-based secret sharing scheme for a CAS $(U, t, t + 1, \Gamma)$ (please see Scheme 4). The main idea is to split the secret into q + 1 pieces. The first q pieces must be reconstructed along the q levels, while the last piece must be reconstructed on the level q + 1 where the threshold is t + 1. Because a participant is allowed to recover the secret only on his level, each participant will have only two public shares, one to recover the secret on his level and the other one to recover the secret on the level q + 1.
It is straightforward to prove that our CRT-CAS secret sharing scheme is sound.
The security of the CRT-CAS secret sharing scheme is settled by the following theorem (the corresponding concepts are introduced as for the CRT-DMAS scheme). the Karnin-Greene-Hellman secret sharing scheme is ideal (Theorem 41 in [27]).

| EXTENSIONS
In Section 2, the Asmuth-Bloom secret sharing scheme has been extended so that some participants in the scheme can broadcast 'parts' of their shares as public information. We have proved that this scheme extension, called the Asmuth-Bloom secret sharing scheme with public information, is asymptotically ideal if and only if it is based on 1-compact sequences of co-primes. Although this extension might not be relevant for threshold access structures, it is, however, important because it allows a unitary and elegant development of asymptotically ideal CRT-based secret sharing schemes for multilevel and compartmented access structures (Section 3).
There is another well-known CRT-based secret sharing scheme for threshold access structures that is asymptotically ideal when it is based on 1-compact sequences of co-primes, namely the Goldreich-Ron-Sudan (GRS) secret sharing scheme [11]. In this context, the question is whether or not this scheme can be extended to accommodate public shares and then whether it can be used to develop asymptotically ideal CRT-based secret sharing schemes for multilevel and compartmented access structures. The answer to this question is positive and we will detail it here (please see Scheme 5). Let us recall first the GRS secret sharing scheme as it is described in [11]. Assume Γ is a (t + 1)-threshold access structure over a set U of n participants, where 0 < t + 1 ≤ n.
The correctness of the reconstruction step above is as follows: by solving the system (11) of congruences one obtains the unique solution $s_0$ modulo $\prod_{i \in A} m_i$. As $\prod_{i \in A} m_i > m_0 \prod_{i=1}^{t} m_i$ and $s_0$ is a solution to the system (11) of congruences, it follows that $s = s_0 \bmod m_0$.
It has been shown in [11] that the GRS secret sharing scheme is asymptotically ideal if and only if it is based on 1-compact sequences of co-primes.
The differences between the Asmuth-Bloom and GRS secret sharing schemes are:
1. The Asmuth-Bloom secret sharing scheme uses Asmuth-Bloom sequences of co-primes while the GRS secret sharing scheme uses strictly increasing sequences of co-primes;
2. The schemes make use of different probabilistic procedures in the secret sharing phase to map secrets from $\mathbb{Z}_{m_0}$ to integers in a larger space ($\prod_{i=1}^{t+1} m_i$ in the case of the Asmuth-Bloom scheme and $m_0 \prod_{i=1}^{t} m_i$ in the case of the GRS scheme).
Neither of these two differences prevents the extension of the GRS scheme to accommodate public shares or its use in developing secret sharing schemes for multilevel or compartmented access structures. Therefore, one may develop similar results to those in Sections 2 and 3 by simply replacing the Asmuth-Bloom secret sharing scheme by the GRS secret sharing scheme.
One may also consider using the Mignotte secret sharing scheme [6] instead of the Asmuth-Bloom secret sharing scheme in Section 2. Although this is possible, we do not recommend it because the Mignotte secret sharing scheme has poor security properties [10].
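The GRS threshold sharing and reconstruction discussed above can be exercised on small numbers. This is an added example, not code from the paper: the share phase (lifting s by a random multiple of m_0 below $m_0 \prod_{i=1}^{t} m_i$ and handing out residues), the function names and the sample moduli are assumptions.

```python
import secrets
from math import gcd, prod

def crt(residues, moduli):
    """Unique x mod prod(moduli) with x = r_i (mod m_i); moduli pairwise co-prime."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        x += M * (((r - x) * pow(M, -1, m)) % m)   # lift solution from mod M to mod M*m
        M *= m
    return x

def grs_share(s, m0, moduli, t):
    """Assumed share phase: lift s to s + gamma*m0 < m0*m_1*...*m_t, hand out residues."""
    seq = [m0] + list(moduli)
    assert 0 <= s < m0 and 0 < t + 1 <= len(moduli)
    assert all(a < b for a, b in zip(seq, seq[1:])), "sequence must be strictly increasing"
    assert all(gcd(a, b) == 1 for i, a in enumerate(seq) for b in seq[i + 1:])
    gamma = secrets.randbelow(prod(moduli[:t]))
    return {m: (s + gamma * m0) % m for m in moduli}

def grs_reconstruct(shares, m0, t):
    """shares maps modulus -> residue for the set A; requires |A| >= t + 1."""
    if len(shares) < t + 1:
        raise ValueError("unauthorised set: fewer than t + 1 shares")
    mods = list(shares)
    return crt([shares[m] for m in mods], mods) % m0

def candidate_secrets(shares, m0, moduli, t):
    """Secrets in Z_m0 that remain consistent with the shares of a set A."""
    mods = list(shares)
    x, M = crt([shares[m] for m in mods], mods), prod(mods)
    bound = m0 * prod(moduli[:t])   # every lifted value lies in [0, bound)
    return {v % m0 for v in range(x, bound, M)}

# Constructed sample: m0 and five moduli are consecutive primes, threshold t + 1 = 3.
M0, MODULI, T = 1009, [1013, 1019, 1021, 1031, 1033], 2

def demo(secret=777):
    shares = grs_share(secret, M0, MODULI, T)
    pick = lambda ms: {m: shares[m] for m in ms}
    recovered = grs_reconstruct(pick([1019, 1031, 1033]), M0, T)
    low = candidate_secrets(pick([1013, 1019]), M0, MODULI, T)
    high = candidate_secrets(pick([1031, 1033]), M0, MODULI, T)
    return recovered, len(low), len(high)

if __name__ == "__main__":
    print(demo())
```

The second count returned by `demo` equals m_0, while the third is slightly smaller: the pair holding the two largest moduli can exclude a few candidate secrets, which is why such schemes are asymptotically ideal rather than perfect.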

| IMPLEMENTATION ISSUES
The efficient implementation of the schemes proposed in this article depends on the efficiency of the following operations: 1. Generation of 1-compact sequences of co-primes; 2. Generation of random numbers; 3. Performing modular reduction; 4. Computing solutions to systems of congruences (by CRT).
Efficient algorithms are already known for the last three operations; as for the generation of compact sequences of co-primes, the following simple Algorithm 1 turns out to be quite efficient. We have coded this algorithm in C++ with the NTL library for large integers (http://www.shoup.net/ntl/) and we have performed a few tests on a laptop Intel Core I3 at 2.40 GHz with 4 GB RAM. We have measured the time needed to generate compact sequences of various lengths, the dispersion of the sequence (i.e., the maximum difference between two consecutive co-primes in the sequence), and the average dispersion. The results are reported in Table 1. On our laptop, the generation of a 512-bit prime took on average 0.4509 s. This is more than the time needed to generate a compact sequence of co-primes of length 100.

Algorithm 1 Generation of 1-compact sequences of co-primes
Because the realisations of our secret sharing schemes are based on compact sequences of co-primes, adding new participants to or changing the thresholds in a given realisation is very easy. The arguments are similar to the ones in Remark 3. Additionally, we remark that in a given realisation based on a compact sequence L of co-primes we have imposed total orders only on the moduli of the participants on the same level; otherwise, the moduli may be interleaved. Consequently, if we want to add a new participant to the level i, we simply extend L to the right by a new co-prime. Changing any thresholds does not require modification of L.
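One way to generate such a sequence, measure its dispersion and extend it to the right when a participant is added, given as an added example that is not the paper's Algorithm 1 or its C++/NTL code. The upward scan, the function names and the compactness test (m_0 < m_i < m_0 + m_0^θ with θ = p/q in (0, 1)) are assumptions made for this sketch.

```python
import secrets
from math import gcd, prod

def extend(seq, count):
    """Append `count` integers to the right of seq, each co-prime to all earlier terms."""
    seq = list(seq)
    product, cand = prod(seq), seq[-1] + 1
    while count > 0:
        if gcd(cand, product) == 1:   # one gcd against the running product
            seq.append(cand)
            product *= cand
            count -= 1
        cand += 1
    return seq

def generate(bits, n):
    """Random m0 with exactly `bits` bits, followed by n co-primes m_1 < ... < m_n."""
    m0 = secrets.randbits(bits - 1) | (1 << (bits - 1))
    return extend([m0], n)

def is_one_compact(seq, p, q):
    """Assumed definition: m0 < m_i < m0 + m0**theta, with theta = p/q in (0, 1).
    Checked exactly over the integers as (m_i - m0)**q < m0**p."""
    assert 0 < p < q
    m0 = seq[0]
    increasing = all(a < b for a, b in zip(seq, seq[1:]))
    return increasing and all((m - m0) ** q < m0 ** p for m in seq[1:])

def pairwise_coprime(seq):
    """True when every two terms of seq are co-prime."""
    return all(gcd(a, b) == 1 for i, a in enumerate(seq) for b in seq[i + 1:])

def dispersion(seq):
    """(maximum, average) difference between consecutive terms, as measured in the text."""
    gaps = [b - a for a, b in zip(seq, seq[1:])]
    return max(gaps), sum(gaps) / len(gaps)

if __name__ == "__main__":
    seq = generate(512, 100)
    print(pairwise_coprime(seq), is_one_compact(seq, 1, 2), dispersion(seq))
    # Adding one participant: the existing moduli stay unchanged.
    print(extend(seq, 1)[:-1] == seq)
```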

| RELATED WORK
In this section, we discuss previous work on the design of CRT-based secret sharing schemes for DMAS, CMAS, and CAS, and compare them with our proposed schemes. In a multi-secret sharing scheme, multiple secrets are shared and reconstructed in a pre-determined order. The authors of [16] apply the Harn-Fuyou scheme for multi-secret sharing. The secrets $S_1, \ldots, S_k$ to be shared are first processed, obtaining $S'_1, \ldots, S'_k$. Then, the latter are disjunctively multilevel shared through the Harn-Fuyou scheme. The issues encountered in the sharing phase are the same as sharing a single secret through the Harn-Fuyou scheme. Using our CRT-DMAS scheme instead of the Harn-Fuyou scheme eliminates the inconveniences.

| Conjunctive multilevel access structures
The only CRT-based secret sharing scheme for conjunctive multilevel access structures known so far was proposed in [13] by simply modifying their scheme for DMAS (see above). More precisely, for conjunctive multilevel access structures, the secret is first partitioned by the Karnin-Greene-Hellman scheme (which is perfect) and then each share is further shared in a similar way to the method presented above for disjunctive multilevel access structures. The scheme obtained in this way has the same disadvantages as those above. Our proposal in Section 3.2, which parallelises the CRT-DMAS scheme in Section 3.1, removes all these disadvantages as discussed above.

| Compartmented access structures
Compartmented access structures have been proposed in [3]. The first (and the only known so far) CRT-based secret sharing scheme for compartmented access structures was proposed in [24,29]. Its main idea is to associate two private shares to each participant. One of the shares is used to recover the participant's compartment secret while the other one is used to recover the global secret (please see Section 3.3 for more details). Moreover, the Mignotte secret sharing scheme [6] was employed in [24,29] in order to derive the compartmented scheme. Unfortunately, this scheme has the following disadvantages:
1. Being based on the Mignotte secret sharing scheme, its security is poor [10]. Even if we replace the Mignotte scheme by the Asmuth-Bloom scheme, the resulting scheme is not asymptotically perfect; moreover, its information rate is greater than two because each participant has two private shares.
2. The scheme uses sequences of co-primes for each compartment and another sequence of co-primes for all participants. That is, each participant is associated with two distinct moduli and not only one as in the other CRT-based secret sharing schemes.
3. Adding new participants to or changing the thresholds of a given realisation of the scheme is costly (as it was discussed in the previous paragraphs of this section).
Our scheme in Section 3.3 alleviates all these disadvantages. First, our scheme is based on compact sequences of co-primes and it is asymptotically ideal. The scheme uses just one sequence of co-primes of length n + 1, where n is the number of participants. Adding new participants to some realisation of the scheme is very efficient and consists of generating new co-primes at the end of the sequence; changing the thresholds does not require modification of the sequence.

| CONCLUSIONS
The design of secret sharing schemes for multilevel and compartmented access structures has attracted researchers' attention for several years [3,4,12,13,16,18,24-26,28-30]. The techniques used so far fall into one of two classes: polynomial interpolation techniques and CRT-based techniques. The first class of techniques usually leads to ideal schemes, while the second class may produce at most asymptotically ideal schemes. The CRT-based schemes (for multilevel and compartmented access structures) proposed so far lack a consistent security analysis or are simply neither efficient nor secure (see our Section 6 for a detailed discussion).
Our article is the first one that proposes asymptotically ideal secret sharing schemes for multilevel and compartmented access structures. Moreover, we have shown that this level of security can be achieved if and only if the schemes are based on 1-compact sequences of co-primes. As this kind of sequence can be generated very efficiently (see our Section 5), we strongly believe that our schemes are among the most efficient schemes based on CRT.
There is one more innovative aspect that our paper brings. Namely, it introduces a variant of the Asmuth-Bloom secret sharing scheme where the participants may have public shares. These schemes can then be 'composed' in order to define secret sharing schemes for access structures where the participants are divided into groups. Moreover, the security of the schemes obtained in this way follows easily from the security of the component schemes. This is a kind of compositional design and reasoning for secret sharing schemes.
As shown in Section 6, the Harn-Fuyou scheme was used for multilevel image sharing [12] and multi-secret sharing [16]. None of the schemes proposed in these papers can be asymptotically perfect, as the Harn-Fuyou scheme is imperfect. However, the Harn-Fuyou scheme can be replaced by any of our asymptotically perfect schemes. In this context, we wonder if compositional reasoning could be developed to deduce that asymptotically perfect schemes are obtained when we combine