A secret sharing scheme is a method of distributing finite pieces of information (called shares $\alpha_i$) among a set of players $P=\{1,\ldots, k\}$ in such a way that only certain subsets of players $S \subseteq P$ (the authorized coalitions) can use their shares to compute a certain piece of information $\sigma$ (called the secret). The subset $\mathcal{A} \subseteq 2^P$ consisting of all the authorized coalitions is called the access structure of the scheme.
A scheme is called $(t,k)$-threshold if its access structure consists of all the subsets of $P$ with $t$ or more elements. A well-known $(k,k)$-threshold scheme (where the only authorized coalition is the full set of players $P$) is described below.
$\oplus$-additive $(k,k)$-threshold scheme:
Let us fix the size ($N$ bits) of the space where the secret and the shares are located. Then:
- encode the secret as a binary string $\sigma \in \{0,1\}^N$;
- for $i= 1,\ldots, k-1$, (privately) give to the $i$-th player a random binary string $\alpha_i \in \{0,1\}^N$;
- (privately) give to the $k$-th player the string $\alpha_k = \sigma \oplus \alpha_1 \oplus \alpha_2 \oplus \cdots \oplus \alpha_{k-1}$, where $\oplus$ denotes the standard component-wise addition modulo $2$ (a.k.a. $\mathsf{XOR}$).
- Now, in order to recover the secret (for the authorized coalition $P$), it is enough to $\oplus$-add the full set of shares; whereas any non-full coalition will only obtain a random string (in $\{0,1\}^N$) after $\oplus$-adding the respective shares.
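The $(k,k)$ scheme above, written out as an added example (my code, not part of the original question; the function names are assumptions). `split_kk`/`recover_kk` implement the dealer and the full coalition on byte strings, and `coalition_view_independent_of_secret` checks the claim in the last bullet exhaustively for tiny parameters: it enumerates every choice of dealer randomness for every possible secret and compares the distribution of shares a given coalition sees.

```python
import secrets
from collections import Counter
from itertools import product


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Component-wise addition mod 2 of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def split_kk(secret: bytes, k: int) -> list[bytes]:
    """Dealer side: k-1 uniformly random shares, and alpha_k = secret XOR alpha_1 ... alpha_{k-1}."""
    if k < 2:
        raise ValueError("need at least two players")
    shares = [secrets.token_bytes(len(secret)) for _ in range(k - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    shares.append(last)
    return shares


def recover_kk(shares: list[bytes]) -> bytes:
    """Authorized coalition P: XOR every share together."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


def coalition_view_independent_of_secret(n_bits: int, k: int, coalition: set[int]) -> bool:
    """Exhaustive secrecy check for tiny parameters (shares are n_bits-bit integers).
    For each possible secret, enumerate every choice of dealer randomness and tabulate
    the tuple of shares the coalition (player numbers 1..k) would see. The scheme hides
    the secret from that coalition iff the table is identical for every secret."""
    space = range(2 ** n_bits)
    tables = []
    for sigma in space:
        seen = Counter()
        for rand in product(space, repeat=k - 1):
            alpha = list(rand)
            last = sigma
            for a in alpha:
                last ^= a
            alpha.append(last)  # alpha_k = sigma XOR alpha_1 XOR ... XOR alpha_{k-1}
            seen[tuple(alpha[i - 1] for i in sorted(coalition))] += 1
        tables.append(seen)
    return all(t == tables[0] for t in tables)
```

For $N=2$ and $k=3$ the check passes for every coalition that misses at least one player and fails for the full set $P$, which is exactly the access structure of the $(k,k)$ scheme.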
My question relates to the following naive attempt of generalization of the previous idea to a general access structure.
(Tentative) $\oplus$-additive general scheme:
Let $P = \{1, \ldots,k\}$, and let $\mathcal{A} \subseteq 2^{P}$ be an arbitrary access structure on $P$. Then,
- encode the secret as a binary string $\sigma \in \{0,1\}^N$;
- for $i= 1,\ldots, k$, (privately) give to the $i$-th player a random binary string $\alpha_i \in \{0,1\}^N$;
- for every subset $S_j \subseteq P$, let $\beta_j = \big(\bigoplus\nolimits_{i \in S_j} \alpha_i\big) \oplus \sigma_j$, where $\sigma_j$ is a random binary string in $\{0,1\}^N \setminus \{\sigma\}$ if $S_j \notin \mathcal{A}$, and $\sigma_j = \sigma$ if $S_j \in \mathcal{A}$; and make the correspondence $j \mapsto \beta_j$ publicly available.
Now, for any coalition $S_j \subseteq P$, the computation $\big(\bigoplus\nolimits_{i \in S_j} \alpha_i\big) \oplus \beta_j$ provides the secret if $S_j \in \mathcal{A}$, and a random string (different from the secret) otherwise.
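The tentative scheme, written out as an added example (my code, not part of the question; the player set, the $(2,3)$-threshold access structure used to exercise it and the function names are assumptions). `deal_general` builds the shares and the public table $j \mapsto \beta_j$ exactly as defined above, and `reconstruct` is the coalition-side computation. The last function is a check that follows directly from the definition of $\beta_j$: for two authorized subsets $S, S'$ both $\sigma$ terms cancel, so $\beta_S \oplus \beta_{S'}$ equals the XOR of the shares indexed by $S \triangle S'$, and whenever that symmetric difference is a single player its share is determined by the public table alone.

```python
import secrets
from itertools import combinations


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_all(strings, n: int) -> bytes:
    """XOR of an iterable of n-byte strings; the empty XOR is the all-zero string."""
    acc = bytes(n)
    for s in strings:
        acc = xor_bytes(acc, s)
    return acc


def threshold_access(players, t: int) -> set[frozenset]:
    """Access structure of a (t,k)-threshold scheme: every subset with at least t players."""
    return {frozenset(c) for r in range(t, len(players) + 1) for c in combinations(players, r)}


def deal_general(secret: bytes, players, access: set[frozenset]):
    """Dealer side of the tentative scheme: one independent random share per player, plus a
    public table S_j -> beta_j over every subset S_j of the player set."""
    n = len(secret)
    shares = {p: secrets.token_bytes(n) for p in players}
    table = {}
    for r in range(len(players) + 1):
        for combo in combinations(players, r):
            s_j = frozenset(combo)
            if s_j in access:
                sigma_j = secret  # authorized: beta_j masks the real secret
            else:
                sigma_j = secret  # unauthorized: a random string different from the secret
                while sigma_j == secret:
                    sigma_j = secrets.token_bytes(n)
            table[s_j] = xor_bytes(xor_all((shares[p] for p in s_j), n), sigma_j)
    return shares, table


def reconstruct(coalition: frozenset, shares: dict, table: dict) -> bytes:
    """Coalition side: XOR its own shares with the published beta for that coalition."""
    n = len(table[coalition])
    return xor_bytes(xor_all((shares[p] for p in coalition), n), table[coalition])


def shares_from_public_table(table: dict, access: set[frozenset]) -> dict:
    """Check derived from the definition: for authorized S and S', beta_S XOR beta_S' equals
    the XOR of the shares indexed by the symmetric difference S ^ S' (both sigma terms cancel).
    Whenever that difference is a single player p, alpha_p is fixed by the public table."""
    leaked = {}
    authorized = [s for s in table if s in access]
    for s, t in combinations(authorized, 2):
        diff = s ^ t
        if len(diff) == 1:
            (p,) = diff
            leaked[p] = xor_bytes(table[s], table[t])
    return leaked
```

With three players and the $(2,3)$-threshold access structure, `shares_from_public_table` returns all three shares without any player's cooperation, because $\{1,2\}$, $\{1,3\}$, $\{2,3\}$ and $\{1,2,3\}$ are all authorized and each pair with the full set differs in one player. The public $\beta_j$ values are therefore part of the adversary's view and have to be included when the secrecy of the scheme is assessed.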
My questions are:
- does this second scheme have any irreparable flaws?
- in the negative case, I suppose that this scheme is already known. Does it have a name? Do you know any reference to it?
- in the (very improbable) case that the scheme is reasonable and not already studied, I would be grateful if someone can provide some feedback about its potential, weaknesses, etc.
Thanks!