Secret sharing and duality

Secret sharing is an important building block in cryptography. All explicitly defined secret sharing schemes with known exact complexity bounds are multi-linear, thus are closely related to linear codes. The dual of such a linear scheme, in the sense of duality of linear codes, gives another scheme for the dual access structure. These schemes have the same complexity, namely the largest share size relative to the secret size is the same. It is a long-standing open problem whether this fact is true in general: the complexity of any access structure is the same as the complexity of its dual. We give an almost answer to this question. An almost perfect scheme allows negligible errors, both in the recovery and in the independence. There exists an almost perfect ideal scheme on 174 participants whose complexity is strictly smaller than that of its dual.


Introduction
The complexity of a secret sharing scheme is the largest share size relative to the secret size. An access structure is ideal if it can be realized by a scheme of complexity 1. The open question that has been posed in many papers is if there exists an ideal structure whose dual is not ideal. And, more generally, if the optimal complexity of an access structure is preserved by duality. This paper gives a partial answer to these questions by using a different secret sharing model. This model allows negligible errors, both in secret recovery and in the independence; "almost" refers to this relaxed model. The construction of a secret sharing scheme whose almost complexity differs from its dual's one is a tour de force connecting several different pieces of earlier results. Theorems 19 and 20 state the equivalence of secret sharing conjectures and matroid representation problems using the standard and the relaxed models, respectively. The final construction in Section 4 is based on the second theorem. Settling the duality conjecture in the standard model is an interesting research work, a possible direction is indicated in the last section.
We assume familiarity with secret sharing schemes, for an overview consult [1]. A significant portion of matroid and polymatroid theory is used. The standard textbook for matroids is [21], for polymatroids see [13] and works of F. Matúš [15,16]. Nevertheless, most of the theorems and claims are proved here -a notable exception is F. Matúš result from [17].
Following the usual practice, sets and their subsets are denoted by capital letters, their elements by lower case letters. The union sign ∪ is frequently omitted as well as the curly brackets around singletons. Thus asP denotes the set {a, s} ∪ P . The set difference operator has lower priority than the union, thus aA−bB is ({a} ∪ A)−({b} ∪ B).
The paper is organized as follows. Section 2 introduces polymatroids, secret sharing, complexity measures, duality, and concludes with conjectures on the complexity of dual structures. Section 3 presents two questions on matroid representability and proves that they are equivalent to the conjectures. Section 4 gives a detailed account of Tarik Kaced's result on almost entropic matroids [10], completing the tour. Some open problems are listed in Section 5. Two proofs are postponed to the Appendix: the first is on matroid circuits used in Claim 5, the second is the the MMRV entropy inequality used in the proof of Theorem 21.

Polymatroids
A polymatroid M = (f, M ) is a non-negative, monotone and submodular function f defined on the collection of non-empty subsets of the finite set M . Here M is the ground set, and f is the rank function. If f takes non-negative integer values only, then M is integer ; an integer polymatroid is a matroid if the rank of singletons are either zero or one. Polymatroids can be identified to vectors in the (2 |M| − 1)-dimensional Euclidean space where the coordinates are indexed by subsets of M . The collection of polymatroids with ground set M is a full-dimensional pointed polyhedral cone denoted by Γ M , see [23].
For a discrete random variable ξ its information content is measured by the Shannon entropy H(ξ), see [23]. Let ξ = ξ i : i ∈ M be a collection of discrete random variables with some joint distribution. For a subset A ⊆ M , the subcollection ξ i : i ∈ A is denoted by ξ A . The conditional entropy of random variables ξ A and ξ B is H(ξ A |ξ B ) = H(ξ A∪B )−H(ξ B ) with value between zero an H(ξ A ). The value is zero if and only if ξ A is determined completely by ξ B , and equals H(ξ A ) if and only if the random variables ξ A and ξ B are independent.
As observed by Fujishige [7], the function A → H(ξ A ) is a rank function of a polymatroid which we denote by M ξ . The polymatroid M is entropic if it can be got this way. The collection of entropic polymatroids on the ground set M is Γ * M ⊆ Γ M . For |M | ≥ 3 the set Γ * M is not closed (in the usual Euclidean topology). Polymatroids in the closure of Γ * M are called almost entropic, or just aent. Aent polymatroids form a full-dimensional convex cone, and every internal point of this cone is entropic [17]. For |M | ≥ 4 there is a polymatroid in Γ M with a positive distance from the aent cone [23]; and the aent cone is not polyhedral [18]. By an abuse of notation, we say that M is an entropic matroid if M is a matroid and for some positive real number λ the polymatroid λM is entropic.
The singleton e ∈ M in the polymatroid (f, M ) is a loop if it has rank zero. In terms of entropic polymatroid being a loop means that the variable ξ e is deterministic: takes a single value with probability 1. If not mentioned otherwise, polymatroids in this paper have no loops.
With an eye on entropic polymatroids, disjoint subsets A, B of the ground set M are called independent if f (AB) = f (A)+ f (B). If A and B are independent, A ′ ⊆ A, B ′ ⊆ B, then A ′ and B ′ are independent as well -this follows from the submodularity of the rank function. The single subset A is independent if any two disjoint subsets of A are independent. In other words, A is independent iff A base is a maximal independent subset which contains no loops; a circuit is a minimal dependent subset. In a loopless polymatroid every independent set can be extended to a base, and every dependent set contains a circuit. In the case when M is a matroid every base has the same number of elements, and this number equals the rank of the ground set M . Moreover every subset A ⊆ M contains an independent set of size f (A), and every subsets A ⊆ M with rank f (A) < |A| contains a circuit, see [21].
The For an element i ∈ M , the private info of i is f (M ) − f (M −i), as this is the amount of information which only i and nobody else in M has. If i has no private information, then we say that the polymatroid is tight at i. Tightening at i means that i is stripped off its private info resulting in the function f ↓i defined as Of course,

Secret sharing
In a perfect secret sharing scheme there is a secret, and each participant from the finite set P receives a share such that certain subsets of participants can recover the secret from their joint shares, while other subsets -based on the value of their shares -should have no information on the secret. Subsets who can recover the secret are qualified, the qualified subsets form the access structure A ⊆ 2 P . Sets not in A are called forbidden or unqualified. An access structure is clearly upward closed. To avoid exceptional cases, A is assumed to be non-empty (thus all participants together can recover the secret), and the empty set not to be in A (there must be a secret at all). The participant i ∈ P is important if there is an unqualified subset such that when i joins this subset, it becomes qualified. If i is not important, then it can join or leave any subset without affecting its status. Consequently the share of an unimportant participant does not play any role, unimportant participants can be discarded. The access structure A is connected if every participant is important. This terminology comes from the relationship between access structures and polymatroids realizing them, see Claims 4 and 5 below. In the rest of the paper, if not mentioned otherwise, access structures are assumed to be connected.
There are several definitions of what perfect secret sharing schemes are. The following definition is considered to be the most general one encompassing all other natural notions [1]. P is the set of participants and s / ∈ P denotes the secret. A distribution scheme is a collection of discrete random variables ξ = ξ i : i ∈ sP with some joint distribution. The value of ξ s is the secret, while the value of ξ i is the share of participant i ∈ P . The secret must be non-trivial, namely it must take at least two different values with positive probability.
The distribution scheme ξ realizes an access structure if a) the collection of shares of a qualified subset determine the secret, and b) the collection of shares of an unqualified subset is independent of the secret. Let M ξ = (f, sP ) be the entropic polymatroid associated with ξ. Shares of the subset A ⊆ P determine the secret iff H(ξ s |ξ A ) = 0, which translates to f (sA) = f (A). The same collection is independent of the secret if H(ξ s |ξ A ) = H(ξ s ), which translates to f (sA) = f (A) + f (s). This justifies the following definition. The proof of the following well-known fact illustrates the ease of reasoning when using polymatroids rather than using entropies directly.
Proof. As i ∈ P is important, there is an unqualified subset A ⊆ P (A can be empty) such that iA is qualified. Then f (sA) = f (A) + f (s), and f (siA) = f (iA). Using that f (i) + f (sA) ≥ f (siA) and f (iA) ≥ f (A) (submodularity and monotonicity) one gets which proves the claim.
All participants together can always determine the secret, thus f (sP ) = f (P ). This means that the secret has no private info. The private info of the participants does not help at all.

Claim 2. The polymatroid M realizes A if and only if M↓ realizes A.
Proof. As observed above, the secret is tight, so let i ∈ P and M↓i = (f * , sP ) be the polymatroid after taking away the private info of i. For every A ⊆ P , either i is in both A and sA, or i is in none of them, thus This means that if one of M or M↓i realizes A, then the other does the same. the claim follows after tightening at each participant.
Given an access structure it would be tempting to consider tight polymatroids only among those which realize it. But, as was mentioned at the end of Section 2.1, there is no guarantee that the tight part of an entropic polymatroid is also entropic.
Proof. By Claim 2 M↓i = (f * , sP ) also realizes A. As i ∈ P is important, According to Claim 4 below, a polymatroid realizing a connected access structure must be connected. The converse is not true in general. In the special case when the polymatroid is a matroid the converse follows from some standard properties of matroid circuits [21]. Proof. Assume, by contradiction, that M = (h, sP ) is not connected, which means sA ∪ B, B = ∅ is a partition of the ground set sP and h(sAB) = h(sA) + h(B). In other words, sA and B are independent, consequently subsets of sA and B are independent as well.
Let the ground set of the matroid be sP and pick some a ∈ P . To show that a is important it is enough to find a circuit C connecting a and s. Indeed, let A = C−s, then a ∈ A and h(sA) = h(C) = h(C−s) = h(A), thus A is qualified. C is minimal dependent, thus sA−a = C−a is independent, and then h(sA−a) = h(s) + h(A−a) which means A−a is not qualified.
To finish the proof it suffices to quote the following result from matroid theory [

Complexity
Distribution schemes realizing an access structure scale up: taking n independent copies of the scheme all entropies are multiplied by n and the composite scheme still realizes the same access structure. Similarly, whether a polymatroid realizes an access structure or not is invariant for multiplying the polymatroid by any positive constant. When defining the efficiency one has to take into account this scalability. The usual way is to measure everything in multiples of the secret size. For example, if M = (f, sP ) is a secret sharing polymatroid, then the relative share size of participant i ∈ P is f (i)/f (s), and the (worst case) complexity of M is Other complexity measures, not considered here, include average relative size, and the scaled total randomness. If M realizes the connected access structure A, then σ(M) ≥ 1 by Claim 1. Access structures where this lower bound is attained are called ideal.
Definition (ideal and almost ideal structures). The access structure A is ideal if it can be realized by an entropic polymatroid with complexity 1. The access structure A is almost ideal if it can be realized by an almost entropic polymatroid with complexity 1.
In general, the usual definition of the complexity of an access structure is the infimum of the complexity of all secret sharing schemes realizing it: Interestingly, there is a non-ideal (according to our definition) access structure with complexity 1, see [2, Section 6], thus the infimum here is not necessarily taken. The cone of almost entropic polymatroids is closed, see [17] or [23], thus an access structure with complexity 1 is almost ideal. It is an interesting open question whether the converse is true. When approximating an aent polymatroid by an entropic one, the only guarantee is that the rank functions differ by a small (negligible) amount. This means that qualified subsets can recover the secret with "overwhelming probability" only (as H(s|A) is not necessarily zero, only negligible), and unqualified subsets might get information on the secret (as H(s|A) can be strictly smaller than H(s)), but this information is negligible. This relaxation is investigated under the name probabilistic secret sharing see, e.g., [5] and [11]. The question is can we patch these imperfections by adding a small amount of entropy to the secret? For secret recovery the answer is yes, see [11]; for independence the author tends to believe that the answer is no.
Next to σ(A) other complexity measures can be defined by considering other polymatroid classes. Realizing A by an entropic polymatroid is the same as realizing it by a distribution scheme. Realizing by an almost entropic polymatroids instead means that one relaxes the strict requirements of recoverability and independence "up to a negligible amount". Linearly representable polymatroids are important from both practical and theoretical point of view. Such polymatroids arise from linear error correcting codes [9], they are studied extensively and typically provide concise, efficient and low complexity schemes. We consider the following polymatroid classes, listed in decreasing order: a) all polymatroids, b) almost entropic polymatroids, c) entropic polymatroids, d) (conic hull of) linearly representable polymatroids.
Every access structure can be realized by a linearly representable polymatroid, thus every class gives a complexity notion on access structures. For classes a), c) and d) they are denoted by κ, σ, and λ [22]. For class b) we useσ to indicate that we are considering the closure of entropic polymatroids. The earlier definition of σ(A) is the same as given here. For the same access structure these values increase (as less and less polymatroids are considered). Each pair of these measures is known to be separated except for σ andσ, see [1,22].

Duals
Let P be the set of participants, and A ⊆ 2 P be an access structure. The qualified subsets in the dual access structure A ⊥ are the complements of unqualified subsets of A: Clearly, the dual of A ⊥ is A; ∅ / ∈ A ⊥ and P ∈ A ⊥ as these are true for A.

Claim 6. A is connected if and only if
Let a ∈ P , and A ⊂ P unqualified in A such that aA ∈ A. Such an A exists as A is connected. Then a ∈ P −A, P −A is qualified in A ⊥ and (P −A)−a is not qualified in A ⊥ , as required.
Let M = (f, M ) be a polymatroid. Define the discrete measure µ on subsets of M by µ(i) = f (i). As the measure is additive, for every subset By submodularity, f ⊥ is non-negative; submodularity holds by an easy inspection, thus M ⊥ is a polymatroid. If M is integer-valued then so is M ⊥ ; moreover if M is a matroid (the rank of a singleton is zero or one), then so is the dual.
If one of them is positive, then the other is positive, as required.
The converse is similar.
The dual polymatroid M ⊥ is always tight as Proof. a) We start with the second claim. By the assumption, b) It is enough to show that the dual of M and the dual of M↓ are the same, from here the claim follows by a). In M↓i the rank of every set containing i ∈ M decreases by the same amount. In the expression this amount is added once in the first two terms, and subtracted once in the last term, thus it cancels. to new subsets. It is a routine to check that the principal extension is a polymatroid [13]. Principal extension of an almost entropic polymatroid is almost entropic. This is an immediate consequence of (and actually, is equivalent to) a result of F. Matúš [17,Theorem 2], see also [20,Lemma 3]. We state this result without proof. Matúš' proof guarantees the extension to be only almost entropic even if M is entropic. In fact, there is an entropic polymatroid where some principal extension is not entropic.

Factor and principal extension
Principal extensions can be used to "split atoms" of a polymatroid, which, in turn, will be used to prove that integer polymatroids are factors of matroids.
Factors of a matroid are integer polymatroids. Helgason's theorem [8] says that the converse is true: every integer polymatroid is a factor of some matroid. We need the following strengthening of this result.

The duality conjecture
Fix the connected access structure A ⊂ 2 P and consider all polymatroids on the ground set sP which realize A. We are interested in κ(A), the minimal complexity of these polymatroids. By Claim 2 the search can be restricted to tight polymatroids. Suppose the infimum is attained by a tight polymatroid M. Every access structure can be realized by some linearly representable polymatroid, the complexity measure λ(A) defines the infimum of the complexity of such representations. It is well-known that the conic hull of linearly representable polymatroids is a closed subset of the entropic polymatroids, and it is closed for taking duals. Therefore it is also closed for tightening by Claim 8 b). The corresponding complexity measure is λ(A), and the same reasoning as above gives The conjecture is probably not true, but even the particular case when A is an ideal access structure resisted all efforts. Recall, that A is ideal if it can be realized by an ideal entropic polymatroid, or, equivalently, by an ideal distribution scheme.

Conjecture 2 (dual of ideal structure). The dual of an ideal access structure is ideal.
Refuting the second conjecture does not necessarily refutes Conjecture 1 as the dual might be non-ideal while having complexity 1. In Section 3 we prove that Conjecture 2 is equivalent to a question about matroid representability. Using results of that section, and a construction by Tarik Kaced [10] the duality question for almost ideal schemes is settled.

Ideal structures and matroids
First we give a self-contained proof of a somewhat extended result of Blakley and Kabatianski [3,19], which, in turn, extends a result of Brickell and Davenport [4] connecting ideal access structures and matroids. Using this connection we present a statement about matroid representability which is equivalent to Conjecture 2.
Fix the connected access structure A ⊂ 2 P and suppose the polymatroid M = (f, sP ) realizes it. Assume furthermore that M has complexity 1, that is, the rank of all singletons equals f (s). The following lemmas establish some structural properties of M. In the lemmas A is a subset of P , a ∈ P , and s denotes the secret.

Lemma 15. Suppose A ∈ A and A−a / ∈ A. Then f (A) − f (A−a) = f (s).
Proof. By submodularity of the rank function f , we have As f (a) = f (s), the conclusion follows.
where the inequality follows from submodularity and the last equality from Lemma 15. Thus 0 ≤ f (A) − f (A−a) ≤ 0, proving the claim.
As both sides equal f (s), the claim follows. When A is qualified, then there are two cases. If A−a is not qualified for some a ∈ A, then Lemma 15 gives that this difference is f (s) = 1. If all A−a is qualified, then pick a minimal qualified A ′ ⊆ A and use Lemma 16 with any a ∈ A ′ .
Thus assume A is unqualified. As A is connected, there is an unqualified subset B such that AB is qualified (pick any element of A and let B show that this element is important). Choose such an unqualified B such that the set B−A has minimal cardinality, and within this constrain A∩B has maximal cardinality. Then AB−k is unqualified for any k ∈ B−A (as otherwise B−A is not minimal), and aB is qualified for any a ∈ A−B (as otherwise A ∩ B is not maximal). Fix a ∈ A−B. With any k ∈ B−A we have that AB is qualified, AB−k is not. a) The dual of every ideal access structure is ideal.
b) The dual of every entropic matroid is entropic.
Proof. Let us first make some simplifying assumptions. In a) the access structure can be assumed to be connected: simply forget about the unimportant participants, they will be unimportant in the dual structure. In b) the matroid can be assumed to be tight and connected. This is so as the matroids M and M↓ are entropic at the same time: if i has a non-zero private info, then i is completely independent of the rest of the matroid. Furthermore, if M is not connected, then it is an independent sum of the connected components, and then M ⊥ is the sum of the duals of the components. The reduction from entropic matroids to tight entropic matroids was discussed briefly at the end of Section 2.1. In the proof of Theorem 20 we need a similar reduction for almost entropic matroids which is provided by Matúš' theorem, see [20]. a) → b) As remarked above, we may assume that the entropic matroid M is tight and connected. Pick any element of its ground set and name it s, the remaining elements are in P . Since M is connected, it has no loops, thus f (s) = 1. Define the access structure A ⊂ 2 P by Clearly M realizes this access structure, consequently A is ideal, and by Claim 5 it is also connected. By Claim 7 b), the dual matroid M ⊥ realizes A ⊥ .
As A is a connected ideal structure, assumption a) says that A ⊥ is ideal. Let M ′ be the scaled entropic polymatroid which realizes A ⊥ with f ′ (s) = f ′ (a) = 1. As A ⊥ is connected by Claim 6, conditions of Theorem 18 hold. Consequently M ′ is the unique matroid realizing A ⊥ . As M ⊥ also realizes the same access structure, M ′ and M ⊥ are the same matroids. Now M ′ is a scaled version of an entropic polymatroid, thus M ′ = M ⊥ is an entropic matroid, as was required. b) → a) Let A be an ideal connected access structure realized by the entropic polymatroid M * . As A is connected and ideal, we have f * (i) = f * (s) > 0 for all participants i ∈ P . Let λ = 1/f * (s) and M = λM * . Then M also realizes A and f (i) = f (s) = 1 for all i ∈ P . By Corollary 3 M is tight, and by Theorem 18 M is a matroid. As A is connected, by Claim 4 M is connected. Consequently M is a tight, connected, entropic matroid which realizes the access structure A. By assumption b) M ⊥ is an entropic matroid, realizes A ⊥ by Claim 7 b); finally by Claim 8 a) M ⊥ and M have the same value on singletons. Thus λ ⊥ M ⊥ is an entropic polymatroid for some positive λ ⊥ , realizes A ⊥ , and has complexity σ(M ⊥ ) = σ(M) = 1. Therefore A ⊥ is ideal.
Almost entropic polymatroids form a closed cone, which means that positive multiples of an aent polymatroid are aent. Consequently the definition of almost entropic matroids does not require scaling as was the case for entropic matroids. The matroid M is almost entropic if it is almost entropic as a polymatroid. Repeating the proof above word by word while replacing "ideal" by "almost ideal" and "entropic" by "almost entropic" everywhere one gets the following theorem.
Theorem 20. The following statements are equivalent.
a) The dual of every almost ideal access structure is almost ideal.
b) The dual of every almost entropic matroid is almost entropic.

Duals of almost entropic matroids
We have almost all the pieces together to prove the main result: There is an almost ideal access structure whose dual is not almost ideal.
By Theorem 20 we need to exhibit an almost entropic matroid whose dual is not almost entropic. The existence of such a matroid was proved by Tarik Kaced [10,Theorem 2], this section is a detailed account of that result. The proof starts with the construction of an entropic polymatroid whose dual is not entropic. Using a continuity argument and linear scaling, one gets an integer polymatroid with the same properties. Theorem 12 established a connection between integer polymatroids and matroids which preserves duality and almost entropicity. To complete the tour apply this theorem to get the required matroid. Now let us see the details.
Finding an entropic polymatroid whose dual is not entropic was a longstanding open problem. The example below is due to Kaced [10]. The polymatroid is specified by a distribution on five binary random variables. To show that its dual is not entropic, Kaced used a 5-variable non-Shannon type information inequality, see [14,16]. Such an inequality is a closed halfspace in the (2 |M| − 1)dimensional space which a) contains all entropic points on its non-negative side (consequently all aent points as well), and b) cuts into the polymatroid cone Γ M . Entropy inequalities are typically written using abbreviations originating in information theory. For disjoint subsets A, B, C we write corresponding to conditional entropy, mutual information, and conditional mutual information, respectively. In any polymatroid these expressions are always non-negative. The MMRV inequality written for the singletons of the five-element set {abcde} is For a short proof that this inequality holds for aent polymatroids see the Appendix.

Claim 22.
There is a tight, integer and aent polymatroid whose dual is not aent.
Proof. The distribution on five random variables ξ a , . . . , ξ e is specified in Ta  The duality operation is continuous, thus duals of the polymatroids in a small neighborhood of M ξ are still violating the MMRV inequality. The entropic polymatroid M ξ is on the boundary of the aent cone (for example, d and e have no private info), but there is another polymatroid M ′ arbitrarily close to M ξ inside that cone. By [17] interior points of the aent cone are entropic. Take M ′′ very close to M ′ such that all coordinates rational. Let n be the smallest common denominator of the fractions in the coordinates. Coordinates in nM ′′ are integer. The dual of nM ′′ violates the MMRV as the dual of M ′′ violates it, and the left hand side of (1) also multiplies by n. Finally, nM ′′ is entropic: to realize it take n independent copies of the random variables realizing M ′′ . The tight part of nM ′′ is integer and almost entropic, its dual is the same as the dual of nM ′′ by Claim 8 b), proving the claim.
Using the distribution ξ above, such an integer polymatroid can be constructed directly. For a subset A ⊆ M define the the polymatroid r A as Clearly, λr A is entropic for every positive λ. As A runs over all non-empty subsets of M these polymatroids are linearly independent and span a fulldimensional subcone of Γ * M consisting of entropic polymatroids only [17]. The idea is that take a multiple of M ξ (which is almost entropic), and use some linear combination of r A 's to round up the coordinates to integer values. This idea works. The polymatroid M = 50.03M ξ + 0.3819594(r abd + r acd + r abe + r ace ) + 0.1741526(r b + r c ) + 0.0067674r bc + 0.5112645r abc + 0.6235703(r bd + r cd + r be + r ce ) + 0.0270848(r bcd + r bce ) + 0.1012390r a + 0.4887355(r ab + r ac ) + 0.3314441(r ad + r ae ) + 0.3356126(r abcd + r abce ) + 0.4877698r bcde + 0.5648560r abcde is clearly entropic, and it is integer. This is so as the coefficients in this formula are the solutions of a system of linear equations yielding exact values. Table 2 shows the coordinates of 51M ξ (left column), the integer entropic polymatroid M (middle column), and the tightening of M (right column). The value of the MMRV inequality for the dual of M is −1, thus M ⊥ is not almost entropic. As M ⊥ = (M↓) ⊥ , the tight part of M is a tight, integer, aent polymatroid whose dual is not aent.
Let the tight integer polymatroid provided by Claim 22 be N , and consider the matroid ϕ(N ) provided by Theorem 12. As N is aent, ϕ(N ) is almost entropic; N ⊥ is not aent, thus ϕ(N ⊥ ) is not aent. Consequently the matroid ϕ(N ) is aent and its dual, ϕ(N ⊥ ), is not aent either -completing the proof of Theorem 21.
Using the tight almost-entropic polymatroid of Table 2 the construction in the proof of Theorem 19 gives an almost-ideal access structure on 174 participants (as the corresponding aent matroid has f (a) + f (b) + f (c) + f (d) + f (e) = 175 atoms, one of them is the secret, others are the participants) whose dual is not almost-ideal. It is left to the interested reader to describe the qualified subsets for different choices of the secret.
According to Theorem 20, to construct a counterexample to Conjecture 2 we need an entropic matroid whose dual is not entropic. Entropic matroids (and their multiples) are always on the boundary of the aent cone; the boundary has  Table 2: An integer entropic polymatroid an intricate and complicated structure. There seems to be no other way to show that a matroid is entropic than giving the probability distribution explicitly. But it is not clear how to guarantee H(ξ A )/ H(ξ s ) to be an integer. No entropic matroid is known which is not a multiple of a linearly representable polymatroid. Finding such a matroid would be very interesting.

Conclusion and open problems
An almost ideal secret sharing scheme on 174 participants was constructed explicitly whose dual structure is not almost ideal. It was done by putting together several pieces of earlier works. The intricate connection between ideal secret sharing schemes and matroids was observed by Brickell and Davenport [4]. This connection is expressed in Theorem 18 extending a result of Blakley and Kabatiansky [3]; the presented proof is an adoption of the one from [19]. Entropic and almost entropic polymatroids have been studied intensively by Frantisek Matúš [15,16,17,18,20]; his insight of the structure of the entropic region was indispensable to this paper. And, of course, we were using the surprising result of Tarik Kaced [10] who settled an old conjecture by constructing an entropic polymatroid whose dual is not entropic. These results allowed us to solve the duality problem of ideal secret sharing schemes -is the dual of an ideal structure is ideal? -in a model slightly differing from the standard one, namely secret recovery and secret independence is required only "up to a negligible factor". This model has been studied earlier under the name of "probabilistic secret sharing", see [5,11,24]. The original problem remained unsolved.

Problem. Is the dual of an ideal structure is ideal?
A substantial obstacle attacking this problem was mentioned at the end of the previous section: every known entropic matroid is linearly representable.

Problem. Find an entropic matroid which is not linear.
A promising approach seems to be using subgroup representation for the matroid [6]. It requires substantial knowledge of the subgroup structure of noncommutative finite groups.
It is an interesting question how restrictive the probabilistic model is. If an access structure has complexity 1, then it is almost ideal (while not necessarily ideal [2]); this follows from the fact that the aent polymatroids form a closed cone [17]. The following problem asks about the converse of this implication.

Problem. Does every almost ideal access structure have complexity 1?
The question is equivalent to whetherσ(A) = 1 implies σ(A) = 1. As mentioned at the end of Section 2.3,σ and σ are not known to be separated.

Problem. Is there an access structure A withσ(A) strictly smaller than σ(A)?
This problem was raised in Section 2.3: can the imperfections allowed by the probabilistic model be patched by adding some small entropy to the secret and / or shares? This question has been considered by Kaced in [11], but remained unsolved. a) Suppose z ∈ C 1 ∩ C 2 . There is a circuit E ⊆ C 1 ∪ C 2 which avoids z (exchange property of circuits): Proof. As C 1 , C 2 are different circuits, h(C i ) = |C i |−1 and h(C 1 ∩C 2 ) = |C 1 ∩C 2 | as C 1 ∩ C 2 is a proper subset of a circuit. Using submodularity for C 1 and C 2 , Consequently h(C 1 C 2 −z) ≤ |C 1 C 2 −z| − 1, which means that C 1 C 2 −z is dependent, thus contains a circuit. b) Let x ∈ C 1 −C 2 , and z ∈ C 1 ∩ C 2 . There is a circuit in C 1 ∪ C 2 which contains x and avoids z. Proof. By induction on |C 1 ∪ C 2 |. By a) there is a circuit E ⊂ C 1 ∪ C 2 which avoids z. Then E ∩ (C 2 −C 1 ) is not empty, as E is dependent while E ∩ C 1 , as a proper subset of C 1 , is independent. If x ∈ E then we are done. If x / ∈ E, then pick z ′ ∈ E ∩ (C 2 −C 1 ). By a) there is circuit F ⊂ E ∪ C 2 which avoids z ′ . Use induction on C 1 and F . c) Let x ∈ C 1 −C 2 , y ∈ C 2 −C 1 , and C 1 ∩ C 2 = ∅. There is a circuit E ⊆ C 1 ∪ C 2 which contains x and y. Proof. By induction on |C 1 ∪ C 2 |. Let z ∈ C 1 ∩ C 2 . By b) there is a circuit E ⊂ C 1 ∪ C 2 which contains x and avoids z. If y ∈ E, then we are done. If y / ∈ E, then pick z ′ ∈ E ∩ (C 2 −C 1 ). By b) there is a circuit F ⊂ E ∪ C 2 such that y ∈ F and z ′ / ∈ F . Use induction on C 1 and F . This proves that ≈ is an equivalence relation. Any two points of the matroid are connected by a circuit if and only if there is only a single equivalence class for ≈. First assume that the matroid is connected, and by contradiction that The MMRV inequality (2) has been grouped into two parts. The first part depends only on ranks of subsets of abc, and the second part depends only on subsets of bcde. In other words, the value of the first (and second) part depends only on the marginal distribution ξ abc and ξ bcde , respectively. Σ denotes the collection of all distributions η = η a , . . . , η e where each of these five variables takes the same values as the corresponding variable does in ξ but with arbitrary joint probability. Consider the optimization problem of maximizing the entropy of η ∈ Σ under the constraints that certain marginal distributions are fixed: max η {H(η) : η ∈ Σ, η abc = ξ abc , η bcde = ξ bcde }.
As H(η) is a strictly convex function of the probabilities, this is a convex optimization problem with linear constraints, consequently it has a single unique optimal solution η * ∈ Σ. Considering the distribution with the maximal entropy is often referred to as the maximum entropy principle. As the marginals on abc and bcde of ξ and η * are the same, MMRV(M ξ ) = MMRV(M η * ). The extremal distribution η * has the additional property that η * a and η * de are independent given η * bc . This is so, as fixing the value of η * bc , one can redefine the distribution while keeping the probabilities on abc and on bcde fixed such that a and de becomes independent. This would increase the total entropy, thus a and de must be independent -giving the claimed conditional independence. Consequently the polymatroid M η * satisfies additionally h * (a, de|bc) = 0, and then MMRV(M η * ) ≥ 0, proving the theorem.