\section{Introduction}

Understanding the complexity of \emph{security sharing} (hereafter referred as ``SS'') is an important task in theoretical computer science.

For general access structure, the complexity measure is often taken to be the ratio between total share size and secret size. Csirmaz \cite{csirmaz1997size} proved the best lower bounds $\Omega(\frac{n^2}{\log n})$ using information inequalities; for any access structure, Liu and Vaikuntanathan \cite{liu2018breaking} constructed a SS scheme with share size $2^{0.994n}$; The best upper bound is  $2^{0.637n}$, due to Applebaum et al. \cite{applebaum2019secret, applebaum2020better}.

Through the equivalence between linear SS scheme and monotone span programs (as shown by Beimel \cite{beimel1996secure}), Babai, G{\'a}l and Wigderson  \cite{babai1999superpolynomial} proved the first super-polynomial lower bound; Robere, Pitassi, Rossman and Cook \cite{robere2016exponential} proved an exponential bound for an explicit monotone function on the monotone span program size, which implies a lower bound on the total share size of any linear SS scheme realizing that access structure.

Compared with generic access structure SS, threshold SS is relatively well understood. Shamir \cite{shamir1979share} proposed a threshold SS using polynomial evaluation and interpolation, which can be implemented in time $O(n \cdot \mathrm{polylog}(n))$ if the secret length is $O(\log n)$.

One variant is \emph{near-threshold} SS scheme, where a $(\sigma, \rho)$-threshold SS requires that any set of at most $\sigma n$ parities learns nothing, and any set of at least $\rho n$ parties can recover the secret. Druk and Ishai \cite{druk2014linear} proved that, for near-threshold SS scheme, the shares are computably by linear-size logarithmic-depth circuits; the construction is based on the hash function construction by Ishai et al.  \cite{ishai2008cryptography}. Later, Cramer et al. \cite{cramer2015linear} constructed a near-threshold SS scheme with both linear-time sharing and reconstruction algorithm. By studying bounded indistinguishability, Bogdanov, Ishai, Viola and Williamson \cite{bogdanov2016bounded} showed that, for any $0 < \sigma < \rho \le 1$, $(\sigma, \rho)$-threshold SS is in $\mathrm{AC^0}$. Allowing slight relaxations on error probability, Cheng, Ishai, and Li \cite{cheng2017near} constructed near threshold SS in $\mathrm{AC^0}$ with better parameters.

Besides secret sharing, researchers are interested in understanding the computational complexity of other cryptographic primitives, including pairwise-independent hashing, one-way function (OWF), pseudorandom generators (PRG), encryption, etc. In \cite{applebaum2006cryptography}, Applebaum, Ishai and Kushilevitz proved that every ``moderately easy'' OWF (resp. PRG), say computable in $\mathrm{NC}^1$, can be compiled into a OWF (resp., ``low-stretch'' PRG) in which each output bit depends on at most 4 input bits. In \cite{ishai2008cryptography}, Ishai, Kushilevitz, Ostrovsky and Sahai proved that that pairwise-independent hash functions can be computed by $O(n)$-size $O(\log n)$-depth circuits. In \cite{fan2022exact}, Fan, Li and Yang proved that pseudorandom functions can be constructed in size $2n+o(n)$ for general $B_2$ circuits, and proved an unconditional $2n-O(1)$ lower bound.

There are similarities between SS and network coding. For example, Shah, Rashmi and Ramchandran \cite{shah2013secure} studied a SS model, where the connection between the dealer and participants form a graph --- two nodes can communicate if there is an edge between them. The goal is to minimize the communication cost. Shah et al. showed a necessary condition for the graph $G$ to possess a $(t, n)$-threshold SS scheme; on the other hand, they proposed a sufficient condition, for which they designed a $(t, n)$-threshold SS algorithm with communication complexity $\Theta(n)$.




\subsection{Our results}

The computation model is \emph{unrestricted} arithmetic circuits over a finite field $\mathbb{F}$ as illustrated by Figure \ref{fig:model}. We assume the secret is represented by an element in $\mathbb{F}$, and each share is also represented by an element in $\mathbb{F}$. To realize the distribution of $n$ shares for a $(t, n)$-SS scheme, the circuit will have $\ell$ inputs and $n$ outputs, where one input is the secret, and the remaining inputs are random elements in $\mathbb{F}$. The circuit is the most unrestricted one, in the sense that each gate can compute \emph{any} function, and is of unbounded fan-in. Thus we measure the size by the number of wires instead of gates. 

Our first result says, for computing the shares of some threshold SS scheme, the circuit must satisfy some superconcentrator-like connection properties. In terms of techniques, we use linear algebra to deal with linear SS schemes, and use information inequalities to prove the conditions for general SS schemes, linear or nonlinear.

\begin{theorem}
\label{thm:main_condition}
Let $C$ be an unrestricted arithmetic circuit computing $n$ shares of a $(t, n)$-SS scheme, where $C$ has $\ell$ inputs, and one input is the secret, denoted by $s$. Then, the following conditions must be satisfied:
\begin{itemize}
	\item circuit $C$, viewed as a graph, is a reversed $(\ell, n, t)$-concentrator;
	\item after removing the input $s$ (corresponding to the secret), the circuit, viewed as a graph, is a reversed $(\ell-1, n, t-1)$-concentrator.
\end{itemize}
\end{theorem}

Note that the connection properties are weaker than that of superconcentrators.

Our second result is a theorem in the reverse direction. We prove that any superconcentrator (in fact, any graph satisfying the aforementioned connection properties) can be turned into an arithmetic circuit computing the shares of a threshold SS scheme. The proof is inspired by network coding \cite{li2003linear}. Drucker and the author have used similar ideas to construct circuits encoding error-correcting codes \cite{Drucker2022}.

\begin{theorem}
\label{thm:main_construction}
For any directed acyclic graph with $t$ inputs and $n$ outputs satisfying the conditions in Theorem \ref{thm:main_condition}, by replacing each non-input vertex with an addition gates, and choosing the coefficients uniformly at random, with high probability, the circuit computes $n$ shares of a $(t, n)$-SS scheme, assuming the field is large enough.
\end{theorem}


For proving superlinear circuit lower bound, Valiant \cite{Val77} proposed the definition of superconcentrators, which is a directed acyclic graph satisfying ``strongest'' connection properties. Surprisingly, Valiant showed the existence of linear-size superconcentrator, thus dashed the possibility to prove superlinear circuit lower bound using connectivity properties. On the other hand, superconcentrators are highly connected graphs with no bottleneck on the information flow. We believe, superconcentrator will find more applications in computation, communication, and cryptography.

Our last result is a (non-explicit) construction of \emph{unbalanced} superconcentrators. Compared with the balanced case (i.e., the number of inputs equals the number of outputs) whose size bounds are well understood, unbalanced superconcentrators are unexplored.

\begin{theorem}
\label{thm:main_sc}
For any $m \ge n$, there exists an $(m, n)$-superconcentrator with $O(m)$ edges and in depth $\alpha(m, n) + O(1)$, where $\alpha(m, n)$ is the two-parameter inverse Ackermann function. 
\end{theorem}

Combining Theorem \ref{thm:main_construction} and \ref{thm:main_sc}, we conclude that $(t, n)$-threshold SS can be computed by linear size circuit in depth $O(\alpha(t, n))$. For example, when $n > t^{2.5}$, depth 2 is enough; when $n > t \log^{1.5} t$, depth 3 is enough. In terms of the number of arithmetic operations, the complexity of realizing the distribution of threshold SS schemes is surprisingly small.




\section{Background}

\subsection{Secret sharing scheme}

A \emph{secret sharing (SS) scheme} allows a dealer to distribute a secret among a group of participants such that
\begin{itemize}
	\item (Correctness) any authorized subset of participants can fully recover the secret, and
	\item (Privacy) any unauthorized subset of participants learns nothing about the secret.
\end{itemize}

One type of SS scheme that has been widely studied is \emph{$(t, n)$-threshold SS scheme}, where any subset of $t$ participants (among $n$ participants) can recover the secret, while any subset of at most $t-1$ participants learns nothing.

Fix a finite field $\mathbb{F}$. Represent the secret $s$ by an element in $\mathbb{F}$. (If the secret size is larger than the field size, one can divide the secret into small pieces, and apply the SS scheme to individual pieces separately.) Let $r_1, r_2, \dots$ be random elements in $\mathbb{F}$ that are used by some SS scheme, and let $R=\{r_1, r_2, \ldots\}$. A scheme is called a \emph{linear SS scheme} if each share is a linear combination of secret $s$ and $r_1, r_2, \ldots$ over field $\mathbb{F}$.


\subsection{Entropy and information inequalities}

Let $X$ be a random variable valued in a finite set, where $p(x) = \Pr[X = x]$. The \emph{entropy} of random variable $X$ is defined by
\begin{equation}
H(X) = - \sum_x p(x) \log p(x), 
\end{equation}
where $p(x) = \Pr[X = x]$. For random variables $X$ and $Y$, the \emph{conditional entropy} of $Y$ given $X$ is defined by
\begin{equation}
H(Y | X) = - \sum_{x, y} p(x, y) p(y | x),
\end{equation}
where $p(y | x) = \Pr[Y = y | X = x]$. One can verify $H(Y | X) = H(X, Y) - H(X)$ and $
H(Y | X) = \sum_x p(x) H(Y | X = x). 
$
The \emph{mutual information} between $X$ and $Y$ is defined by
\[
I(X; Y) = \sum_{x, y} p(x, y) \log \frac{p(x, y)}{p(x)p(y)}.
\]
We have $I(X; Y) = I(Y;X)$ and $I(X; Y) = H(X) - H(X | Y)$. The mutual information between $X$ and $Y$ conditioning on $Z$ is defined by
\[
I(X;Y | Z) = p(x, y, z) \log \frac{p(x, y | z)}{p(x | z) p(y | z)}.
\]
We have
$I(X;Y | Z) = H(X | Z) - H(X | Y, Z)$. A useful property is that $I(X;Y | Z)$ is always nonnegative.
We refer interested readers to \cite{yeung2002first} for a treatment on entropy functions and information inequalities.


It is well-known that the requirements in a SS scheme can be reformulated using entropy functions \cite{beimel2011secret}. Denote the secret by a random variable $S$; denote $n$ shares by random variables $Y_1, Y_2, \ldots, Y_n$. The SS scheme is a $(t, n)$-threshold SS scheme if and only if
\begin{itemize}
	\item (Correctness) for every $T = \{i_1, \ldots, i_t\} \subseteq [n]$ of size $t$,
	\begin{equation}
	\label{equ:h_cor}
	H(S | Y_T) = 0,
	\end{equation}
	where $Y_T$ denotes the vector $(Y_{i_1}, \ldots, Y_{i_t})$.
	\item (Privacy) for every $T \subseteq [n]$ of size $t-1$,
	\begin{equation}
	\label{equ:h_pri}
	H(S | Y_T) = H(S).
	\end{equation}
\end{itemize}


\subsection{Circuit model}

In the arithmetic circuit model, we assume
\begin{itemize}
	\item A secret is an element in a finite field $\mathbb{F}$.
	\item The distribution phase uses at most $\ell-1$ random elements (from finite field $\mathbb{F}$), denoted by inputs $r_1, \ldots, r_{\ell-1}$. For convenience, let $R = \{r_1, \ldots, r_{\ell-1}\}$. (As we will see, for the $(t, n)$-threshold SS scheme, the circuit must use at least $t-1$ random elements.)
	\item $n$ shares are computed by an arithmetic circuit over $\mathbb{F}$, where the circuit has $n$ outputs, denoted by $y_1, y_2, \ldots, y_n$.
	\item The fan-in of each gate is unbounded. Define the \emph{size} of the circuit to be the number of \emph{wires} instead of gates.
	\item For the lower bound that we will prove, we assume the arithmetic circuit is \emph{unrestricted}, i.e., a gate with fan-in $d$ can compute \emph{any} function from $\mathbb{F}^d$ to $\mathbb{F}$, and $d$ is unbounded. 
	\item For linear SS scheme, the circuit computes a linear transformation $X \mapsto MX$, where $X \in \mathbb{F}^\ell$ and $M$ is a $n \times \ell$ matrix. (However, the internal gates are not necessarily linear.)
	\item An arithmetic circuit is called \emph{linear} if each gate computes a linear function over $\mathbb{F}$. Obviously, a linear arithmetic circuit computes a linear transformation.
\end{itemize}

\begin{figure}[h]
\includegraphics[scale=0.4]{model.png}
\caption{unrestricted arithmetic circuit computing $n$ shares}
\label{fig:model}
\end{figure}


\subsection{Inverse Ackermann-type function}

Following Raz and Shpilka \cite{raz2001lower}, we define slowly-growing functions $\lambda_d(n)$. These are inverse Ackermann-type functions that are tailored for superconcentrators.

\begin{definition} For a function $f$, define $f^{(i)}$ to be the composition of $f$ with itself $i$ times, i.e., $f(i) = \underbrace{f\circ f\circ \ldots \circ f}_{i \text{ times}}$. Thus, $f^{(1)} = f$.

For a function $f: \mathbb{N} \to \mathbb{N}$ such that $f(n) < n$ for all $n > 1$, define
\[
f^*(n) = \min\{ i : f^{(i)}(n) \le 1 \}.
\]
\end{definition}

\begin{proposition} Let $f : \mathbb{N} \to \mathbb{N}$ be any function such that $f(n) < n$ for all $n > 1$. Then we have
\[
f^*(n) < f(n).
\]
\end{proposition}
\begin{proof}
Consider
\[
f(n), f^{(1)}(n), \ldots, f^{(i)}(n) = 1,
\]
where $i = f^*(n)$.
Since $n > f(n) > f^{(1)}(n) > \ldots > f^{(i)}(n) = 1$, we have $i \le f(n) - 1$.
\end{proof}

\begin{definition} \cite{raz2001lower} Let
\begin{eqnarray*}
	\lambda_1(n) &=& \lfloor \sqrt{n} \rfloor, \\
	\lambda_2(n) &=& \lceil \log(n) \rceil, \\
	\lambda_d(n) & = & \lambda_{d-2}^*(n).
\end{eqnarray*}
\end{definition}

As $d$ gets larger, the function $\lambda_d(n)$ becomes extremely slow-growing. It would be an exercise to prove
\begin{itemize}
\item $\lambda_2(n) = \Theta(\log n)$,
\item $\lambda_3(n) = \Theta(\log\log n)$,
\item $\lambda_4(n), \lambda_5(n) = \Theta(\log^*(n))$.
\end{itemize}

For studying the size bounds of unbalanced superconcentrators, we would need to define the two-parameter version of the inverse Ackermann function. We have not attempted to optimize the constants in the following definition.

\begin{definition} [Inverse Ackermann function] For any $m \ge n$, let
\begin{equation}
    \alpha(m, n) =
    \begin{cases}
      \min\{ d : \frac{m}{n} \ge \lambda_d(n) \}, & \text{if}\ m \ge 128 n, \\
      \min\{ d : \lambda_d(n) \le 4 \}, & \text{otherwise.}
    \end{cases}
\end{equation}


Denote $\alpha(n, n)$ by $\alpha(n)$, which is the one-parameter version of the inverse Ackermann function.
\end{definition}

In the literature there are many versions of the Ackermann function. As far as we know, different versions of the inverse Ackermann functions vary by at most a multiplicative constant factor.

For showing $\alpha(m, n)$ is well-defined and using it for the construction of unbalanced superconcentrators, we would need the following properties, whose proofs are in Appendix \ref{app:inverse_ack_properties}.

\begin{proposition}
\label{prop:u34d_ub}
	1. For any $n \ge 1$,
\[
\lambda_3(n) \le \log\log n + 2.
\]

2. For any $n \ge 1$,
\[
\lambda_4(n) \le 2 \log^*n.
\]

3. For any $d \ge 1$, for all $n \ge 4$,
\[
\lambda_d(n) \le n-2.
\]
\end{proposition}


\begin{proposition}
\label{prop:alpha_well_defined}
1. For any $d \ge 1$,
\[
\lambda_d(d) \le 4.
\]

2. For any $d \ge 1$, if $\lambda_d(n) \le C$, where $C \ge 128$, then
\[
\lambda_{d+2}(n)^2 \le C.
\]
\end{proposition}




\subsection{Concentrators and superconcentrators}

An \emph{$(m, n)$-network} is a directed acyclic graph with $m$ inputs and $n$ outputs.


\begin{definition} [$(m, n)$-superconcentrator \cite{Val77}]
	An $(m, n)$-network an \emph{$(m, n)$-superconcentrator} if for any equal-size $X \subseteq I$ and $Y \subseteq O$, there exist $|X| = |Y|$ vertex-disjoint paths connecting $X$ and $Y$.
\end{definition}

When $m = n$, tight bounds on the size of bounded-depth superconcentrator are known, achieved in a series of papers. 

\begin{table}[h!]
\begin{center}
\begin{tabular}{ |c|c|c| } 
\hline
Depth & Size  \\
\hline
2 & $\Theta(n \log^2 n / \log\log n)$ \cite{AP94}, \cite{RT00}  \\ 
3 & $\Theta(n \log\log n)$ \cite{AP94} \\ 
$d \ge 4$ & $\Theta(n \lambda_d(n))$ \cite{DDPW83}, \cite{Pud94}  \\ 
$\Theta(\alpha(n))$ & $\Theta(n)$ \cite{DDPW83}  \\ 
\hline
\end{tabular}
\caption{Superconcentrator size bounds.}
\label{table:sc_bounds}
\end{center}
\end{table}

Another relevant concept is \emph{concentrators}, which are critical building blocks for constructing superconcentrators.

\begin{definition}
\label{def:concentrator}
An \emph{$(m, n, c)$-concentrator} is an $(m, n)$-network, such that for any subset of $c$ inputs, there are $c$ vertex-disjoint paths connecting these $c$ inputs to outputs.
	
An $(m, n, n)$-concentrator is referred to as a full capacity concentrator, denoted as $(m, n)$-concentrator.
\end{definition}

An $(m, n)$-superconcentrator is obviously an $(m, n)$-concentrator. Concentrators are used as building blocks for the construction of superconcentrators.

Using a standard probabilistic argument, one can prove 

\begin{lemma}
\label{lem:linear_concentrator} \cite{pinsker1973complexity, DDPW83} For any $n \ge m$, $n \ge 1.1k$, and $m \ge k+1$, there exists depth-1 $(m, n, k)$-concentrator of size
\[
O\left(n \cdot \frac{\log(n/k)}{\log(m/k)}\right).
\]
\end{lemma}




\section{Graph-theoretic properties}

\subsection{Linear SS scheme}

In this section, we prove any arithmetic circuit computing the distribution of a \emph{linear} secret sharing scheme must satisfy some graph-theoretic properties (similar to, but weaker than that of superconcentrators).


We will prove the arithmetic circuit must satisfy the following graph-theoretic properties:
\begin{itemize}
	\item For any subset of outputs $T \subseteq [n]$ of size $t-1$, there are $t-1$ vertex-disjoint paths connecting $T$ and $R$.
	\item For any subset of outputs $T \subseteq [n]$ of size $t$, there exist $t$ vertex-disjoint paths connecting $T$ and inputs.
\end{itemize}

\begin{lemma}
\label{lem:tm1_paths}
	In the above model, if the circuit computes $n$ shares of some $(t, n)$-threshold secret sharing scheme, then for any subset $T$ of outputs of size $t-1$, there are $t-1$ vertex-disjoint paths connecting $T$ with ($t-1$ inputs from) $R$. Moreover, the $(t-1) \times (\ell-1)$ submatrix $M_{T, R}$ has rank $t-1$.
\end{lemma}
\begin{proof}
It suffices to prove the ``moreover'' part. Because if there do not exist $t-1$ vertex-disjoint paths, by Menger's theorem, we know there exists a subset of vertices of size at most $t-2$ whose removal will disconnect $T$ and $R$. Thus, after fixing $s$, all outputs in $T$ can be written as a function (not necessarily linear) in $R$, which implies that the number of distinct outputs $y_T$ is at most $|\mathbb{F}|^{t-2}$ (after fixing $s$). This contradicts to 
$\mathrm{rank} M_{T, R} = t-1$.

Suppose for contradiction that there exists some $T \subseteq [n]$ of size $t-1$ such that $\mathrm{rank} M_{T, R} < t-1$.

\textbf{Case 1:} $M_{T, 1} = \vec{0}$. In other words, the first input $s$ has no impact on outputs $T$. Since $\mathrm{rank}{M_{T, R}} < t-1$ and adding one extra column with all zeros does not change its rank, we have $\mathrm{rank}{M_{T}} < t-1$, where $M_T$ denotes the submatrix of $M$ consisting of all rows in $T$. Let us add one output to $T$, denoted by $T'$, such that $|T'| = t$. By linear algebra,
\[
\mathrm{rank}{M_{T'}} \le \mathrm{rank}{M_{T}} + 1 < t,
\]
which is not of full rank. (Note that $M_{T'}$ is a $t \times \ell$ matrix.) Thus, there exists a subset of $T'$, denoted by $T''$, such that $|T''| < t$ and $\mathrm{rank}{M_{T''}} = \mathrm{rank}{M_{T'}}$, which implies that participants in $T''$ would be able to recover the secret, assuming participants in $T'$ can recover the secret. This contradicts the definition of $(t, n)$-threshold secret sharing scheme.

\textbf{Case 2:} $M_{T, 1} \not= \vec{0}$. Note that
\[
\begin{pmatrix}
y_1 \\
y_2 \\
\vdots \\
y_n
\end{pmatrix}
=
M
\begin{pmatrix}
s \\
r_1 \\
\vdots \\
r_{\ell-1}
\end{pmatrix},
\]
where $M$ is an $n \times \ell$ matrix computed by the arithmetic circuit. Denote by $Y_T$ the vector indexed by rows in $T$. So we have
\begin{eqnarray*}
y_T
& = &
M_{T}
\begin{pmatrix}
s \\
r_1 \\
\vdots \\
r_{\ell-1}
\end{pmatrix} 
 =  M_{T, R} \begin{pmatrix}
r_1 \\
\vdots \\
r_{\ell-1}
\end{pmatrix}
+
sM_{T, 1}
\end{eqnarray*}
We assume for contradiction that $\mathrm{rank} M_{T, R} < t-1$.

\textbf{Case 2.1:} there exists $X \in \mathbb{F}^{\ell-1}$ such that $M_{T, R}X = M_{T, 1}$. In other words, the first column of $M_{T}$ is a linear combination of the remaining $\ell-1$ columns. By linear algebra, we have
\[
\mathrm{rank} M_{T} = \mathrm{rank} M_{T, R}.
\] 
Consider any superset of $T$ of size $t$, denoted by $T'$. By linear algebra, we have
\[
\mathrm{rank} M_{T'} \le \mathrm{rank} M_{T} + 1 < t.
\]
Using the same argument as Case 1, we know there exists a proper subset of $T'$ of size $t-1$ whose collation can recover the secret.

\textbf{Case 2.2:} there does not exist $X \in \mathbb{F}^{\ell-1}$ such that $M_{T, R}X = M_{T, 1}$. Let $d = \mathrm{rank} M_{T, R}$, which is less than $t-1$ by assumption. Observe that
\begin{itemize}
	\item The image of $X \mapsto M_{T, \{2, 3, \ldots, t\}} X$, where $X \in \mathbb{F}^{\ell-1}$, is a linear subspace of $\mathbb{F}^{t-1}$ of dimension $d$, denoted by $L \subseteq \mathbb{F}^{t-1}$.
	\item For distinct $s \in \mathbb{F}$, $sM_{T, 1} + L$ are disjoint. (Otherwise, $M_{T, 1}$ would be written as a linear combination of the columns in $M_{T, R}$.)
\end{itemize}
So we conclude the collation of $T$ can always recover $s$. Contradiction!
\end{proof}

\begin{lemma} In the above model, if the circuit computes $n$ shares of some $(t, n)$-threshold linear secret sharing scheme, then for any subset of outputs $T \subseteq [n]$ of size $t$, the following conditions are satisfied:
\begin{itemize}
	\item There are $t-1$ vertex-disjoint paths connecting $R$ and $T$. Moreover, $\mathrm{rank} M_{T, R} = t-1$.
	\item There are $t$ vertex-disjoint paths connecting inputs and $T$. Moreover, $\mathrm{rank} M_{T} = t$.
\end{itemize}
\end{lemma}
\begin{proof}	
Similar to Lemma \ref{lem:tm1_paths}, it suffices to prove the ``moreover'' part. By Lemma \ref{lem:tm1_paths}, we know for any $T' \subseteq T$ of size $t-1$, $\mathrm{rank} M_{T', R} = t-1$. Thus, we have
\[
\mathrm{rank} M_{T, R} \ge \mathrm{rank} M_{T', R} = t-1.
\]
On the other hand, $\mathrm{rank} M_{T, R} \le |T| = t$. We will prove $\mathrm{rank} M_{T, R} < t$.

Denote $n$ outputs by $Y = \begin{pmatrix}
		y_1 \\
		y_2 \\
		\vdots \\
		y_n
	\end{pmatrix}$, $\ell$ inputs by $X = \begin{pmatrix}
		s \\
		r_1 \\
		\vdots \\
		r_{\ell-1}
	\end{pmatrix}$, and $Y = MX$, where $M$ is a $n \times \ell$ matrix. For outputs $T \subseteq [n]$, we have
$
Y_T = M_{T}X,
$
where $M_T$ denotes the submatrix of $M$ indexed by rows $T$. Write
\begin{eqnarray*}
	Y_T & = & 
\begin{pmatrix}
		M_{T, 1} & M_{T, R} 
	\end{pmatrix}
	\begin{pmatrix}
		s \\
		X_R
\end{pmatrix}\\
& = & M_{T, 1}s + M_{T, R}X_R.
\end{eqnarray*}
If $\mathrm{rank} M_{T, R} = |T| = t$, $M_{T, R} X_R$ will be uniformly random in $\mathbb{F}^{t}$ (for $X_R \in \mathbb{F}^{\ell-1}$ is uniformly random), regardless of $s$. So participants in $T$ could not recover the secret $s$. This contradicts the definition of $(t, n)$-threshold secret sharing scheme.

We have shown that $\mathrm{rank} M_{T, R} = t - 1$. Thus the image of $X_R \mapsto M_{T, R} X_R$ is a $t-1$ dimensional vector space of $\mathbb{F}^t$, denoted by $L \subseteq \mathbb{F}^{t}$. Assume for contradiction that $\mathrm{rank} M_T = \mathrm{rank} M_{T, R} = t-1$, which implies that $M_{T, 1}$ can be written as linear combinations of the columns in $M_{T, R}$. So $Y_T$ will be a uniformly random element in $L$, regardless of $s$. Thus the coalition of participants in $T$ cannot recover the secret. Contradiction.
\end{proof}


\begin{comment}
, that is, there exists $R' \subseteq R$ of size $t-1$ such that 
$\mathrm{rank} M_{T, \{1\} \cup R'} = t$.

	Denote $n$ outputs by $Y = \begin{pmatrix}
		y_1 \\
		y_2 \\
		\vdots \\
		y_n
	\end{pmatrix}$, $t$ inputs by $X = \begin{pmatrix}
		s \\
		r_1 \\
		\vdots \\
		r_{t-1}
	\end{pmatrix}$, and $Y = MX$, where $M$ is a $n \times t$ matrix. For outputs $T \subseteq [n]$, we have
$
Y_T = M_{T}X,
$
where $M_T$ denotes the submatrix of $M$ indexed by rows $T$.

Let $i \in T$ be the smallest element, and $T' = T \setminus \{i\}$, and thus $|T'| = t-1$. Rewrite $Y_T = M_T X$ as
\[
\begin{pmatrix}
		y_i \\
		Y_{T'}
\end{pmatrix}
=
\begin{pmatrix}
		m_{i1} & M_{i, [t]} \\
		M_{T', 1} & M_{T', \{2, 3, \ldots, t\}} 
	\end{pmatrix}
	\begin{pmatrix}
		s \\
		R
\end{pmatrix},
\]
which is
\begin{eqnarray*}
y_i & = & m_{i1}s + M_{i, [t]}R, \\
Y_{T'} & = & M_{T', 1}s + M_{T', \{2,3, \ldots, t\}}R. \\
\end{eqnarray*}
By Lemma \ref{lem:tm1_paths}, we know $M_{T', \{2,3, \ldots, t\}}$ is of full rank. So
$$
R = M_{T', \{2,3, \ldots, t\}}^{-1} (Y_{T'} - M_{T', 1}s),
$$
and thus 
\begin{eqnarray*}
y_i & = & m_{i1}s + M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} (Y_{T'} - M_{T', 1}s) \\
& = & (m_{i1} - M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} M_{T', 1})s + M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} Y_{T'}.
\end{eqnarray*}
So $s$ is solvable if and only if $m_{i1} - M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} M_{T', 1} \not= 0$.


By linear algebra, we know 
\begin{eqnarray*}
& & \det \begin{pmatrix}
		m_{i1} & M_{i, [t]} \\
		M_{T', 1} & M_{T', \{2, 3, \ldots, t\}} 
\end{pmatrix} \\
& = &
\det M_{T', \{2, 3, \ldots, t\}} \det(m_{i1} - M_{i, [t]} M_{T', \{2, 3, \ldots, t\}}^{-1} M_{T', 1}),
\end{eqnarray*}
which is nonzero, as desired.
\end{comment}

\begin{comment}
In the arithmetic circuit model, we assume
\begin{itemize}
	\item A secret an element in a finite field $\mathbb{F}$.
	\item The scheme uses at most $t-1$ random elements (from field $\mathbb{F}$), denoted by inputs $r_1, \ldots, r_{t-1}$.
	\item The distribution is computed by a linear arithmetic circuit over $\mathbb{F}$
\end{itemize}
We will prove the circuit must satisfy the following connection property:
\begin{itemize}
	\item For any subset of outputs $T \subseteq [n]$ of size $t-1$, there must be $t-1$ vertex-disjoint paths connecting $r_1, r_2, \ldots, r_{t-1}$.
	\item For any subset of outputs $T \subseteq [n]$ of size $t$, there must be $t$ vertex-disjoint paths connecting $T$ with all $t$ inputs.
\end{itemize}

In this linear arithmetic circuit model, combined with the results in the previous section, we know that the graph-theoretic property is both necessary and sufficient (for large field $\mathbb{F}$).

\begin{lemma}
\label{lem:tm1_paths}
	In the above model, if the circuit computes the distribution of $(t, n)$-threshold secret sharing scheme, then for any subset of outputs $T \subseteq [n]$ of size $t-1$, there are $t-1$ vertex-disjoint paths connecting $r_1, \ldots, r_{t-1}$ with $T$. Moreover, the $(t-1) \times (t-1)$ submatrix $M_{T, \{2, 3, \ldots, t\}}$ is of full rank.
\end{lemma}
\begin{proof} The circuit computes a linear transformation $x \mapsto Mx$, where $M$ is an $n \times t$ matrix. Let $T \subseteq [n]$ of size $t-1$. Suppose for contradiction that there do not exist $t-1$ vertex-disjoint paths connecting inputs $r_1, \ldots, r_{t-1}$ to $T$. Thus there exist less than $t-1$ vertices whose removal would disconnect $r_1, \ldots, r_{t-1}$ and $T$. So every output in $T$ can be written as a linear function in the ``cut'' vertices, which implies that $\mathrm{rank} M_{T, \{2, 3, \ldots, t-1\}} < t-1$.

\textbf{Case 1:} $M_{T, 1} = \vec{0}$. In other words, the first input $x_1$ has no impact on outputs $T$. Since $\mathrm{rank}{M_{T, \{2, 3, \ldots, t\}}} < t-1$ and adding one extra column with all zeros does not change its rank, we have $\mathrm{rank}{M_{T, [t]}} < t-1$. Let us add one output to $T$, denoted by $T'$, such that $|T'| = t$. By linear algebra, $\mathrm{rank}{M_{T', [t]}}$ is at most $\mathrm{rank}{M_{T, [t]}} + 1 < t$, which is not of full rank. Thus, there exists a subset of $T'$, denoted by $S$, such that $|S| < t$ and $\mathrm{rank}{M_{S, [t]}} = \mathrm{rank}{M_{T', [t]}}$, which implies that participants $S$, $|S| < t$, would be able to recover the secret, assuming $T'$, $|T'| = t$, can recover the secret. This contracts to the definition of $(t, n)$-threshold secret sharing scheme.

\textbf{Case 2:} $M_{T, 1} \not= \vec{0}$. Note that
\[
\begin{pmatrix}
y_1 \\
y_2 \\
\vdots \\
y_n
\end{pmatrix}
=
M
\begin{pmatrix}
s \\
r_1 \\
\vdots \\
r_{t-1}
\end{pmatrix},
\]
where $M$ is an $n \times t$ matrix computed by the arithmetic circuit. Denote by $Y_T$ the vector indexed by rows in $T$. So we have
\begin{eqnarray*}
y_T
& = &
M_{T, [t]}
\begin{pmatrix}
s \\
r_1 \\
\vdots \\
r_{t-1}
\end{pmatrix} 
 =  M_{T, \{2,3,\ldots, t\}} \begin{pmatrix}
r_1 \\
\vdots \\
r_{t-1}
\end{pmatrix}
+
sM_{T, 1}
\end{eqnarray*}
We assume for contradiction that $\mathrm{rank} M_{T, \{2,3,\ldots, t\}}$ is less than $t-1$.

\textbf{Case 2.1:} there exists $R \in \mathbb{F}^{t-1}$ such that $M_{T, \{2,3,\ldots,t\}}R = M_{T, 1}$. In other words, the first column of $M_{T, [t]}$ is a linear combination of the remaining $t-1$ columns. By linear algebra, we have
\[
\mathrm{rank} M_{T, [t]} = \mathrm{rank} M_{T, \{2, 3, \ldots, t\}}.
\] 
Consider any superset of $T$ with size $t$, denoted by $T'$. By linear algebra, we have
\[
\mathrm{rank} M_{T', [t]} \le \mathrm{rank} M_{T, [t]} + 1 < t.
\]
Using the same argument as case 1, we know there exists a proper subset of $T'$ of size $t-1$ whose collation can recover the secret.

\textbf{Case 2.2:} there does not exist $R \in \mathbb{F}^{t-1}$ such that $M_{T, \{2,3,\ldots,t\}}R = M_{T, 1}$. Let $d = \mathrm{rank} M_{T, \{2, 3, \ldots, t\}}$, which is less than $t-1$ by assumption. Observe that
\begin{itemize}
	\item The image of $R \mapsto M_{T, \{2, 3, \ldots, t\}} R$, where $R \in \mathbb{F}^{t-1}$, is a linear subspace of $\mathbb{F}^{t-1}$ of dimension $d$, denoted by $L \subseteq \mathbb{F}^{t-1}$.
	\item For different $s \in \mathbb{F}$, $sM_{T, 1} + L$ are disjoint. (Otherwise, $M_{T, 1}$ would be written as a linear combination of the columns in $M_{T, \{2,3,\ldots,t\}}$.)
\end{itemize}
So we conclude the collation of $T$ can always recover $s$. Contradiction!
\end{proof}

\begin{lemma} In the above model, if the circuit computes the distribution of a $(t, n)$-threshold secret sharing scheme, then for any subset of outputs $T \subseteq [n]$ of size $t$, there are $t$ vertex-disjoint paths connecting $t$ inputs with $T$. Moreoever, $t \times t$ matrix $M_{T, [t]}$ is of full rank.
\end{lemma}
\begin{proof}
	Denote $n$ outputs by $Y = \begin{pmatrix}
		y_1 \\
		y_2 \\
		\vdots \\
		y_n
	\end{pmatrix}$, $t$ inputs by $X = \begin{pmatrix}
		s \\
		r_1 \\
		\vdots \\
		r_{t-1}
	\end{pmatrix}$, and $Y = MX$, where $M$ is a $n \times t$ matrix. For outputs $T \subseteq [n]$, we have
$
Y_T = M_{T}X,
$
where $M_T$ denotes the submatrix of $M$ indexed by rows $T$.

Let $i \in T$ be the smallest element, and $T' = T \setminus \{i\}$, and thus $|T'| = t-1$. Rewrite $Y_T = M_T X$ as
\[
\begin{pmatrix}
		y_i \\
		Y_{T'}
\end{pmatrix}
=
\begin{pmatrix}
		m_{i1} & M_{i, [t]} \\
		M_{T', 1} & M_{T', \{2, 3, \ldots, t\}} 
	\end{pmatrix}
	\begin{pmatrix}
		s \\
		R
\end{pmatrix},
\]
which is
\begin{eqnarray*}
y_i & = & m_{i1}s + M_{i, [t]}R, \\
Y_{T'} & = & M_{T', 1}s + M_{T', \{2,3, \ldots, t\}}R. \\
\end{eqnarray*}
By Lemma \ref{lem:tm1_paths}, we know $M_{T', \{2,3, \ldots, t\}}$ is of full rank. So
$$
R = M_{T', \{2,3, \ldots, t\}}^{-1} (Y_{T'} - M_{T', 1}s),
$$
and thus 
\begin{eqnarray*}
y_i & = & m_{i1}s + M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} (Y_{T'} - M_{T', 1}s) \\
& = & (m_{i1} - M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} M_{T', 1})s + M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} Y_{T'}.
\end{eqnarray*}
So $s$ is solvable if and only if $m_{i1} - M_{i, [t]} M_{T', \{2,3, \ldots, t\}}^{-1} M_{T', 1} \not= 0$.


By linear algebra, we know 
\begin{eqnarray*}
& & \det \begin{pmatrix}
		m_{i1} & M_{i, [t]} \\
		M_{T', 1} & M_{T', \{2, 3, \ldots, t\}} 
\end{pmatrix} \\
& = &
\det M_{T', \{2, 3, \ldots, t\}} \det(m_{i1} - M_{i, [t]} M_{T', \{2, 3, \ldots, t\}}^{-1} M_{T', 1}),
\end{eqnarray*}
which is nonzero, as desired.
\end{comment}



\subsection{Nonlinear SS scheme}

For \emph{nonlinear} SS scheme, the linear algebra argument does not work. In this section, we apply Shannon's information measures to prove the connection properties must hold for any, possibly nonlinear, SS schemes.

The computation model is, again, an unrestricted arithmetic circuit as illustrated by Figure \ref{fig:model}, which computes the shares of some $(t, n)$-threshold SS scheme. The inputs are $s$ and $R = \{r_1, r_2, \ldots, r_{\ell-1}$, where $s \in \mathbb{F}$ is the share, and $r_1, \ldots, r_{\ell-1} \in \mathbb{F}$ are the independently uniformly distributed in $\mathbb{F}$; the outputs are $y_1, \ldots, y_n$, representing $n$ shares.


Our goal is to prove, any circuit computing the shares of some $(t, n)$-threshold SS scheme must satisfy
\begin{itemize}
	\item For any subset of outputs $T \subseteq [n]$ of size $t-1$, there are $t-1$ vertex-disjoint paths connecting $R$ and $T$.
	\item For any subset of outputs $T \subseteq [n]$ of size $t$, there are $t$ vertex-disjoint paths connecting inputs (i.e., $R \cup \{s\}$) and $T$.
\end{itemize}

Our strategy is to formulate the \emph{connectivity requirements} as \emph{information inequalities}. Two critical observations are: one gate carries at most $\log |\mathbb{F}|$ units of information; if random variables $Y$ can be written as a function in random variables $X$, then $H(Y) \le H(X)$.
So, it suffices to prove
\begin{itemize}
	\item For any subset of outputs $T \subseteq [n]$ of size $t-1$, 
	\begin{equation}
	\label{equ:goal_tm1}
		H(Y_T | S) \ge (t-1) H(S).
	\end{equation}
	\item For any subset of outputs $T \subseteq [n]$ of size $t$,
    \begin{equation}
    \label{equ:goal_t}
    	H(Y_T) \ge t H(S).
    \end{equation}
\end{itemize}
Given \eqref{equ:h_cor} and \eqref{equ:h_pri}, it turns out inequalities \eqref{equ:goal_tm1} and \eqref{equ:goal_t} can be proved using Shannon-type inequalities \footnote{The information inequalities that can be implied by $I(X;Y | Z) \ge 0$ are called \emph{Shannon-type inequalities} \cite{yeung2002first}.}.
 
Before proving the information inequalities \eqref{equ:goal_tm1} and \eqref{equ:goal_t}, we need the following lemma.
 
\begin{lemma}
\label{lem:sum_nm1_nonnegative}
Let $Y_1, Y_2, \ldots, Y_n$ be random variables. We have
\[
\sum_{j \in [n]} H(Y_{[n] \setminus \{j\}}) - (n-1) H(Y_1, \ldots, Y_n) \ge 0. 
\]
\end{lemma}
\begin{proof} Write
\begin{eqnarray}
& & \sum_{j \in [n]} H(Y_{[n] \setminus \{j\}}) - (n-1) H(Y_1, \ldots, Y_n) \nonumber\\
& = & \sum_{j \in [n]} \left(H(Y_{[n] \setminus \{j\}}) - H(Y_1, \ldots, Y_n) \right) + H(Y_1, \ldots, Y_n). \label{equ:sum_j}
\end{eqnarray}
Note that
\begin{eqnarray*}
& & H(Y_1, Y_2, \ldots, Y_n) \\
& = & H(Y_1) + H(Y_2 | Y_1) + H(Y_3 | Y_1, Y_2) + \ldots + H(Y_n | Y_1, Y_2, \ldots, Y_{n-1}) \\
& \ge & H(Y_1 | Y_{[n] \setminus \{1\}}) + H(Y_2 | Y_{[n] \setminus \{2\}}) + \ldots + H(Y_n | Y_{[n] \setminus \{n\}}).
\end{eqnarray*}
Plugging it into \eqref{equ:sum_j}, we have
\begin{eqnarray*}
& & \sum_{j \in [n]} H(Y_{[n] \setminus \{j\}}) - (n-1) H(Y_1, \ldots, Y_n)\\
& \ge & \sum_{j \in [n]} \left(H(Y_{[n] \setminus \{j\}}) - H(Y_1, \ldots, Y_n) \right) + \sum_{j \in [n]} H(Y_j | Y_{[n] \setminus \{j\}}) \\
& = & \sum_{j \in [n]} \left(H(Y_{[n] \setminus \{j\}}) - H(Y_1, \ldots, Y_n) + H(Y_j | Y_{[n] \setminus \{j\}})\right) \\
& = & 0,
\end{eqnarray*}
which completes the proof.
\end{proof}
 
 \begin{theorem}
 \label{thm:m}
 Let $S, Y_1, Y_2, \ldots, Y_n$ be random variables satisfying
 \begin{itemize}
 	\item $H(S | Y_T) = H(S)$ for any $T \subseteq [n]$ of size $t-1$, and
 	\item $H(S | Y_T) = 0$ for any $T \subseteq [n]$ of size $t$.
 \end{itemize}
 Then, we have
 \[
 H(Y_T) \ge t H(S)
 \]
 for any $T \subseteq [n]$ of size $t$.	
 \end{theorem}
 \begin{proof} By \emph{symmetry}, without loss of generality, it suffices to prove $H(Y_1, \ldots, Y_t) \ge t H(S)$. 
 
 Write $H(Y_1, \ldots, Y_t) - t H(S)$ as
 \begin{eqnarray}
 & & H(Y_1, \ldots, Y_t) - t H(S)  \nonumber\\
 & = & \sum_{j \in [t]} \left( H(S, Y_{[t] \setminus \{j\}}) - H(Y_{[t] \setminus \{j\}}) - H(S) \right) - t\left( H(S, Y_{[t]}) - H(Y_{[t]})\right) \nonumber \\
 & & + \sum_{j \in [t]} \left( H(S, Y_{[t]}) - H(S, Y_{[t] \setminus \{j\}}) \right) \nonumber\\
 & & + \sum_{j \in [t]} H(Y_{[t] \setminus \{j\}}) - (t-1)H(Y_{[t]}) \nonumber \\
 & = & \sum_{j \in [t]} \left( H(S | Y_{[t] \setminus \{j\}}) - H(S) \right) - t H(S | Y_{[t]}) \label{term:m_t1} \\
 & & + \sum_{j \in [t]} H(Y_j | S, Y_{[t] \setminus \{j\}}) \label{term:m_t2} \\
 & & + \sum_{j \in [t]} H(Y_{[t] \setminus \{j\}}) - (t-1) H(Y_{[t]}). \label{term:m_t3}
 \end{eqnarray}
 The first term \eqref{term:m_t1} is zero by our conditions; the second term \eqref{term:m_t2} is clearly nonnegative; the third term \eqref{term:m_t3} is nonnegative by Lemma \ref{lem:sum_nm1_nonnegative}.
 Thus, we have $H(Y_1, \ldots, Y_t) - t H(S) \ge 0$, as desired.
 \end{proof}
 

\begin{theorem}
\label{thm:master_m1}
Let $S, Y_1, Y_2, \ldots, Y_n$ be random variables satisfying
 \begin{itemize}
 	\item $H(S | Y_T) = H(S)$ for any $T \subseteq [n]$ of size $t-1$, and
 	\item $H(S | Y_T) = 0$ for any $T \subseteq [n]$ of size $t$.
 \end{itemize}
Then, we have
\[
H(Y_T | S) \ge (t-1)H(S)
\]
for any $T \subseteq [n]$ of size $t-1$.
\end{theorem}
\begin{proof}
By symmetry, we assume $T = \{1,2,\ldots,t-1\}$ without loss of generality. Write $H(Y_T | S) - (t-1) H(S)$ as
\begin{eqnarray}
& & H(Y_{[t-1]} | S) - (t-1) H(S) \nonumber \\
& = & H(S, Y_{[t-1]}) - t H(S) \nonumber \\
& = & \sum_{j \in [t-1]} \left( H(S, Y_{[t]}) - H(S, Y_{[t] \setminus \{j\}}) \right) \nonumber \\
& & + \sum_{j \in [t]} \left( H(S, Y_{[t]\setminus\{j\}}) - H(Y_{[t]\setminus\{j\}}) - H(S) \right) \nonumber \\
& & - (t-1) \left( H(S, Y_{[t]}) - H(Y_{[t]}) \right) \nonumber \\
& & + \sum_{j \in [t]} H(Y_{[t] \setminus \{j\}}) - (t-1) H(Y_{[t]}) \nonumber \\
& = & \sum_{j \in [t-1]} H(Y_j | S, Y_{[t] \setminus \{j\}}) \label{term:m1_t1} \\
& & + \sum_{j \in [t]} \left( H(S | Y_{[t]\setminus\{j\}}) - H(S) \right) \label{term:m1_t2} \\
& & - (t-1) H(S | Y_{[t]}) \label{term:m1_t3} \\
& & + \sum_{j \in [t]} H(Y_{[t] \setminus \{j\}}) - (t-1) H(Y_{[t]}) \label{term:m1_t4},
\end{eqnarray}
where the term \eqref{term:m1_t1} is clearly nonnegative; terms \eqref{term:m1_t2} and \eqref{term:m1_t3} are zero due to our conditions; term \eqref{term:m1_t4} is nonnegative by Lemma \ref{lem:sum_nm1_nonnegative}. Thus, we have  $H(Y_{[t-1]} | S) - (t-1) H(S) \ge 0$, as desired.
\end{proof}

Now we are ready to prove our main result, which says any unrestricted arithmetic circuits computing the shares of some threshold SS scheme must satisfy certain connectivity properties.

\begin{theorem}
\label{thm:graph_properities_main}
In the above model as illustrated by Figure \ref{fig:model}, if the circuit computes the shares of some $(t, n)$-threshold SS scheme, the following conditions are satisfied:
\begin{itemize}
	\item for any $T \subseteq [n]$ of size $t-1$, there are $t-1$ vertex-disjoint paths connecting $R$ and $T$;
	\item for any $T \subseteq [n]$ of size $t$, there are $t$ vertex-disjoint paths connecting inputs and $T$.
\end{itemize}
\end{theorem}
\begin{proof} Assume for contradiction that, for some $T \subseteq [n]$ of size $t-1$, there are at most $t-2$ vertex-disjoint paths connecting $R$ and $T$. By Menger's theorem, there exists a subset of vertices, denoted by $C$, of size at most $t-2$, whose removal will disconnect $R$ and $T$.

By the definition of the cut set $C$, we know that after setting $S$ to a constant, the outputs $Y_T$ can be written as functions in the gates in $C$. By the basic properties of entropy function, we have
\[
H(Y_T | S = s) \le |C| \log \mathbb{F} \le (t-2) \log \mathbb{F}.
\]
Thus, 
\begin{eqnarray*}
	H(Y_T | S) & = & \sum_s\Pr[S = s] H(Y_T | S = s) \\
	& \le & \sum_s\Pr[S = s] (t-2) \log \mathbb{F} \\
	& = & (t-2) \log \mathbb{F}.
\end{eqnarray*}
On the other hand, by Theorem \ref{thm:master_m1}, we have $H(Y_T | S) \ge (t-1) H(S) = (t-1) \log \mathbb{F}$, by letting $S$ be uniformly random in $\mathbb{F}$. Contradiction!

The remaining part is similar to prove using Theorem \ref{thm:m}.
\end{proof}

The circuit, viewed as a graph, is an $(|R|+1, n, t)$-concentrator;
after removing input $s$ (as well as the incident edges), the remaining graph is an $(|R|, n, t-1)$-concentrator. First, note that there exist $O(n)$-size concentrators (moreover, superconcentrators). On the other hand, it is unclear what is the smallest size concentrator for \emph{fixed} depth (except for depth 1 \cite{Naka1982}). By Theorem \ref{thm:graph_properities_main}, lower bounds for bounded-depth \emph{concentrators} would imply circuit lower bound for threshold SS.



\section{SS scheme based on superconcentrator}

Given any $(t, n)$-superconcentrator $G$, we shall construct a $(t, n)$-threshold secret sharing scheme. The scheme is a linear secret sharing scheme over a sufficiently large finite field. We require $|\mathbb{F}| \gg d {n \choose t}$, where $d$ is the \emph{depth} of the superconcentrator.

\begin{figure}[h]
\includegraphics[scale=0.4]{circuit2.png}
\caption{arithmetic circuit realizing SS distribution}
\end{figure}

The secret sharing scheme has the following 3 phases:

\vspace{0.2cm}
\textbf{Setup:} Convert $G$ into an arithmetic circuit $C$ over field $\mathbb{F}$ by
\begin{itemize}
\item replacing each vertex with an addition gate, and
\item for every edge $e$, choosing a coefficient $c_e \in \mathbb{F}$ \emph{uniformly at random}.
\end{itemize}
One can easily check this linear arithmetic circuit computes a linear transformation $x \mapsto Mx$, where
$M = (m_{ij})$ is a $n \times t$ matrix. Here
\[
m_{i, j} = \sum_{ {v_1 = x_i, v_2, \ldots, v_\ell = y_j}} \prod_{i=1}^{\ell-1} c_{(v_i, v_{i+1})},
\]
where the sum ranges over all paths from the $j$th input $x_j$ to the $i$th output $y_i$.

\textbf{Sharing:} Feed the secret $s$ to input $x_1$, and set $x_2, \ldots, x_{t}$ uniformly at random. For every $i \in [n]$, send the $i$th output of the circuit to participant $P_i$.

In other words,
\[
\begin{pmatrix}
y_1 \\
y_2 \\
\vdots \\
y_n
\end{pmatrix}
=M
\begin{pmatrix}
s \\
r_2 \\
\vdots \\
r_t
\end{pmatrix},
\]
where $s \in \mathbb{F}$ is the secret, and $r_2, \ldots, r_t$ are uniformly random elements over $\mathbb{F}$.

\textbf{Reconstruction} Consider the coalition of any $t$ participants $T \subseteq [n]$, who receive $t$ shares, denoted by
\[
Y_T = M_T X = M_T \begin{pmatrix}
s \\
r_2 \\
\vdots \\
r_t
\end{pmatrix},
\]
where $X = (s, r_2, \ldots, r_t)^T$, and $M_T$ is a $t \times t$ submatrix of $M$ indexed by rows $T$. Assuming $M_T$ is invertible (as we will see shortly), we have $X = M_T^{-1} Y_T$. So the secret is exactly the first coordinate of $M_T^{-1} Y_T$.

\vspace{0.2cm}

\begin{lemma}
\label{lem:recover}
With probability at least $1 - \frac{d{n \choose t}}{|\mathbb{F}|}$, any $t$ participants can recover the secret.
\end{lemma}
\begin{proof}
It suffices to prove, with probability at least $1 - \frac{{n \choose t}}{|\mathbb{F}|}$, for all $T \subseteq [n]$ of size $t$, $\det(M_T) \not= 0$, where $M_T$ denotes the $t \times t$ submatrix indexed by rows $T$. Because if $M_T$ is invertible, we can recover the secret by computing $X = M_T^{-1} Y_T$, where $Y_T$ denotes the shares received by the $t$ participants.

\begin{claim} For any $T \subseteq [n]$ of size $t$, we have
\[
\Pr[\det(M_T) = 0] \le \frac{d}{|\mathbb{F}|}.
\]
\end{claim}
\begin{proof} (of the Claim) Viewing the coefficients $c_e$ as the indeterminates, $\det(M_T)$ is a polynomial in $\mathbb{F}[\{c_e : e \in E(G)\}]$.

Note that there are $t$ vertex-disjoint paths from inputs to $T$. Setting the variables along these $t$ vertex-disjoint paths to $1$, and leaving all variables zero, $\det(M_T)$ would evaluate to $\pm 1$. Thus, we claim the polynomial $\det(M_T)$ is nonzero.

Observe that the polynomial $\det(M_T)$ has total degree $\le d$, where $d$ is the depth of the circuit. By Schwartz-Zippel Lemma, we have
$
\Pr[\det(M_T) = 0] \le \frac{d}{|\mathbb{F}|}.
$
\end{proof}

Taking a union bound over all $T \subseteq [n]$ of size $t$, we have the desired conclusion.
\end{proof}


\begin{lemma}
\label{lem:zero_info}
With probability at least $1 - \frac{d{n \choose t-1}}{|\mathbb{F}|}$, any $t-1$ participants get zero information about the secret.
\end{lemma}
\begin{proof} 
Let $M_{T, \{2,3,\ldots,t\}}$ denote the $|T| \times (t-1)$ matrix indexed by rows $T$ and columns $2, 3, \ldots, t$, where $T \subseteq [n]$. For any $T \subseteq [n]$ of size $t-1$, we claim
\[
\Pr[\det M_{T, \{2,3,\ldots,t\}} = 0] \le \frac{d}{|\mathbb{F}|}.
\]
Viewing the coefficients $c_e$ as indeterminates over $\mathbb{F}$, $\det M_{T, \{2,3,\ldots,t\}}$ is a polynomial in $\{c_e : e \in E(G)\}$ of degree at most $d$. Since $G$ is a superconcentrator, there exist $t-1$ vertex-disjoint path connecting $x_2, \ldots, x_t$ and $y_i$, $i \in T$. Setting the variables $c_e$ on these $t-1$ paths to 1, and leaving all other variables 0, $\det M_{T, \{2,3,\ldots,t\}}$ would evaluate $\pm 1$. Thus, we claim  polynomial $\det M_{T, \{2,3,\ldots,t\}}$ is nonzero. The claim follows from Schwartz-Zipple Lemma.

Taking a union bound over all $T \subseteq [n]$ of size $t-1$, we know with probability at least $1 - \frac{d{n \choose t-1}}{|\mathbb{F}|}$, $\det M_{T, \{2,3,\ldots,t\}} \not= 0$ for all $T$.

Consider any $t-1$ participants indexed by $T$, who receive the following vector in the reconstruction phrase
\begin{eqnarray*}
y_T & = & M_{T, [t]} \begin{pmatrix}
s \\
r_2 \\
\vdots \\
r_t
\end{pmatrix} \\
& = & 
\begin{pmatrix}
M_{T,1}, & M_{T, \{2, \ldots, t\}}
\end{pmatrix}
\begin{pmatrix}
s \\
R
\end{pmatrix} \\
& = &
M_{T, 1}s + M_{T, \{2, \ldots, t\}}R,
\end{eqnarray*}
where $R = \begin{pmatrix}
r_2 \\
\vdots \\
r_t
\end{pmatrix}$. Since $M_{T, \{2, \ldots, t\}}$ is of full rank, we know $M_{T, \{2, \ldots, t\}}R$ is uniformly distributed in $\mathbb{F}^{t-1}$ when $R \in \mathbb{F}^{t-1}$ is uniformly distributed. Thus $M_{T, 1}s + M_{T, \{2, \ldots, t\}}R$ is uniformly distributed. Therefore, $t-1$ participants get zero information about the secret.
\end{proof}

Note that in the proof the Lemma \ref{lem:recover} and Lemma \ref{lem:zero_info}, only a weaker condition is required (compared to that of superconcentrators):
\begin{itemize}
\item For any subset of outputs  $T \subseteq [n]$ of size $t$, there are $t$ vertex-disjoint paths connecting inputs and $T$.
\item For any subset of outputs  $T \subseteq [n]$ of size $t-1$, there are $t-1$ vertex-disjoint paths connecting inputs $\{x_2, x_3, \ldots, x_t\}$ and $T$.
\end{itemize}
These conditions coincide with the conditions in Theorem \ref{thm:graph_properities_main}.

What we need is actually weaker than superconcentrator. In fact, a \emph{concentrator} (Definition \ref{def:concentrator}) would suffice. For example, take a reversed $(n, t-1)$-concentrator; add an extra input node $s$, and connect $s$ directly to all the $n$ outputs. As such, the aforementioned two conditions will be satisfied. Therefore, upper bounds on the size of concentrator would imply circuit upper bound for threshold SS (over large finite field). 





\section{Unbalanced superconcentrators}

Let $\mathrm{SC}_d(m, n)$ denote the size of the smallest depth-$d$ superconcentrator with $m$ inputs and $n$ outputs.

For secret sharing, we need \emph{unbalanced} superconcentrators, where the number of inputs is the threshold value $t$, and the number of outputs is the number of participants $n$.

From Table \ref{table:sc_bounds}, we know there exists a linear-size $(n, n)$-superconcentrator of depth $O(\alpha(n))$. By removing some inputs (and the incident edges), we get $O(n)$-size $(m, n)$-superconcentroator of depth $O(\alpha(n))$, for any $m \le n$. Size $O(n)$ is clearly optimal (up to a multiplicative constant), for we need at least $n$ edges incident to $n$ outputs. The question is, given $m, n$, can we achieve better depth than $O(\alpha(n))$?


\begin{definition} [Partial superconcentrator \cite{DDPW83}] An $(m, n)$-network is a $(p, q)$-partial superconcentrator if for any inputs $S \subseteq [m]$ and outputs $T \subseteq [n]$ with $|S| = |T| \in [q, p]$, there exist $|S| - q$ vertex-disjoint paths connecting $S$ and $T$.
\end{definition}

Let $\mathrm{SC}_d(m, n, p, q)$ denote the minimal size of an $(m, n)$-network of depth at most $d$ which is a $(p, q)$-partial superconcentartor.

\subsection{Depth 2}

In this subsection, we construct unbalanced superconcentrators of depth 2, which are used as building blocks for higher depth.

\begin{lemma}
\label{lem:depth2_partial_sc}
For any $r$, we have
\[
\mathrm{SC}_2(n, m, \frac{n}{r}, \frac{2}{3} \cdot \frac{n}{r}) = O(m \log m).
\]	
\end{lemma}
\begin{proof} As illustrated by Figure \ref{figure:sc_depth2}, we have $n$ inputs, $m$ outputs, and a middle layer with $\frac{4}{3} \cdot \frac{n}{r}$ vertices. The construction consists of two layers:
\begin{itemize}
	\item (top layer) $(n, \frac{4}{3} \cdot \frac{n}{r}, \frac{n}{r})$-concentrator.
	\item (bottom layer) reversed $(m, \frac{4}{3} \cdot \frac{n}{r}, \frac{n}{r})$-concentrator.
\end{itemize}

\begin{figure}[h]
\centering
\includegraphics[scale=0.4]{sc_depth2.png}
\caption{construction of depth-2 superconcentrator}
\label{figure:sc_depth2}
\end{figure}

Consider $S \subseteq [n]$ and $T \subseteq [m]$ of size $\frac{2}{3} \cdot \frac{n}{r} + \Delta$, where $0 \le \Delta \le \frac{1}{3} \cdot \frac{n}{r}$. By the definition of $(n, \frac{4}{3} \cdot \frac{n}{r}, \frac{n}{r})$-concentrator, we know $S$ is connected to $|S|$ vertices in the middle layer, denoted by $S'$, and $T$ is connected to $|T|$ vertices in the middle layer, denoted by $T'$. We have
\[
|S' \cap T'| \ge |S'| + |T'| - \frac{4}{3} \cdot \frac{n}{r} = 2 \Delta.
\]
Thus, $S$ and $T$ are connected by $2 \Delta$ vertex-disjoint paths. (In fact, $\Delta$ vertex-disjoint paths suffice.) So, we conclude the $(n, m)$-network is a $(\frac{n}{r}, \frac{2}{3} \cdot \frac{n}{r})$-partial superconcentrator.
\end{proof}

By taking the union of $O(\log n)$ parital superconcentrators, we can prove the following upper bound on depth-2 superconcentrator.

\begin{lemma}
\label{lem:sc_depth2_size}
For any $n \le m$, we have
\[
\mathrm{SC}_2(n, m) = O(m \log m \log n).
\]
\end{lemma}
\begin{proof} Letting $r = 1, \frac{3}{2}, \left(\frac{3}{2}\right)^2, \ldots, \left(\frac{3}{2}\right)^\ell$, where $\ell = \log_{\frac{3}{2}}n - 1$, we get $(n, \frac{n}{1.5})$, $(\frac{n}{1.5}, \frac{n}{1.5^2})$, $\ldots$, $(\frac{n}{1.5^{\ell-1}}, \frac{n}{1.5^\ell})$-partial superconcentrators, where each is of size $O(m \log m)$ by Lemma \ref{lem:depth2_partial_sc}.
	
Putting $\ell$ partial superconcentrators together (and merging their inputs and outputs), where $\ell = O(\log n)$, we get an $(n, m)$-superconcentrator of size $O(m \log m \log n)$.
\end{proof}

When $m \ge n^{2+\Omega(1)}$, we prove there exists depth-2 $(m, n)$-superconcentrator of linear size.

\begin{lemma}
\label{lem:sc_depth2_linear_size}
For any $\epsilon > 0$, if $m \ge n^{2+\epsilon}$,
\[
\mathrm{SC}_2(m, n) = O\left(\frac{m}{\epsilon}\right).
\]
\end{lemma}
\begin{proof}
Construct an $(n, m)$-network of depth 2 as illustrated by Figure \ref{figure:sc_depth2_linear}. In the middle, put $\frac{m}{r}$ vertices; the top layer is a depth-1 $(n, \frac{m}{r})$-superconcentrator, i.e., a complete graph; the bottom layer is a reversed $(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon}})$-concentrator, where $\frac{m}{r^{1+\epsilon}} = n$, that is, $r = (\frac{m}{n})^{\frac{1}{1+\epsilon}}$.

\begin{figure}[h]
\centering
\includegraphics[scale=0.6]{d3_improved.png}
\caption{construction of linear-size depth-2 superconcentrator}
\label{figure:sc_depth2_linear}
\end{figure}

Let us verify the construction is indeed an $(m, n)$-superconcentrator. For any subset of outputs $Y$ of size $|Y| \le n$, $Y$ is connected to $|Y|$ vertices in the middle layer by the definition of $(m, \frac{m}{r}, n)$-concentrator. These $|Y|$ vertices in the middle layer are connected to any arbitrarily chosen $|Y|$ inputs, by the definition of complete graph. So the $(m, n)$-network is an $(m, n)$-superconcentrator.

Now we estimate the size of the network. The complete graph is of size
\begin{eqnarray*}
	n \cdot \frac{m}{r} & = & nm \left(\frac{n}{m}\right)^{\frac{1}{1+\epsilon}} \\

	& = & m \cdot \left(\frac{n^{2 + \epsilon}}{m}\right)^{\frac{1}{1+\epsilon}}\\
	& \le & m,
\end{eqnarray*}
when $m \ge n^{2 + \epsilon}$. By Lemma \ref{lem:linear_concentrator}, the $(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon}})$-concentrator is of size
\[
O\left(m \frac{\log(r^{1+\epsilon})}{\log(r^\epsilon)}\right) = O\left(\frac{m}{\epsilon}\right).
\]
In total, the size is at most $O\left(\frac{m}{\epsilon}\right) + m = O\left(\frac{m}{\epsilon}\right)$.
\end{proof}


\subsection{Depth 3}

When $m \ge n (\log n)^{2 + \Omega(1)}$, we prove there exists depth-3 $(m, n)$-superconcentrator of linear size.

\begin{lemma}
\label{lem:d3_linear_sc}
For any $\epsilon > 0$, if $m \ge n (\log n)^{2 + \epsilon}$,
\[
\mathrm{SC}_3(m, n) = O\left( \frac{m}{\epsilon} \right).
\]	
\end{lemma}
\begin{proof}
When $m \ge n^3$, by Lemma \ref{lem:sc_depth2_linear_size}, we have
\[
\mathrm{SC}_3(m, n) \le \mathrm{SC}_2(m, n) \le O(m).
\]
Assume $m < n^3$ from now on.

\begin{figure}[h]
\centering
\includegraphics[scale=0.5]{d3_linear_sc.png}
\caption{construction of linear-size depth-3 superconcentrator}
\label{figure:sc_depth3_linear}
\end{figure}

We construct an $(n, m)$-network consisting of two parts as illustrated by Figure \ref{figure:sc_depth3_linear}. The top  is a depth-2 $(n, \frac{m}{r})$-superconcentrator; the bottom  is a reversed $\left(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon/2}}\right)$-concentrator, where $\frac{m}{r^{1+\epsilon/2}} = n$, that is,
\[
r = \left( \frac{m}{n} \right)^{\frac{1}{1 + \epsilon/2}}.
\]

Let us verify the construction is an $(n, m)$-superconcentrator. Consider any subset of inputs $X \subseteq [n]$ and any subset of outputs $Y \subseteq [m]$, where $|X| = |Y|$. By the definition of $\left(m, \frac{m}{r}, n\right)$-concentrator, there is a matching between $Y$ and some $|Y|$ vertices in the second last layer, denoted by $Z$; by the definition of $(n, \frac{m}{r})$-superconcentrator, there are $|X|$ vertex-disjoint paths connecting $X$ and $Z$. Thus, there are $|X|$ vertex-disjoint paths connecting $X$ and $Y$.

We estimate the size of the $(n, m)$-network. By Lemma \ref{lem:sc_depth2_size}, the size of the depth-2 $(n, \frac{m}{r})$-superconcentrator is
\begin{eqnarray*}
O\left(\frac{m}{r} \cdot \log \frac{m}{r} \cdot \log n \right) & \le & O\left(\frac{m}{r} \cdot (\log n)^2\right) \\
& = & O\left(m \cdot \frac{(\log n)^2}{(\frac{m}{n})^{\frac{1}{1 + \epsilon/2}}}\right) \\
& \le & O(m),
\end{eqnarray*}
where the first step is because $\log \frac{m}{r} \le \log m \le 3 \log n$, and the last step holds because $\frac{m}{n} \ge  (\log n)^{2 + \epsilon}$, which implies that $(\frac{m}{n})^{\frac{1}{1 + \epsilon/2}} \ge (\log n)^2$. By Lemma \ref{lem:linear_concentrator}, the $(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon/2}})$-concentrator is of size
\[
O\left(m \frac{\log(r^{1+\epsilon/2})}{\log(r^{\epsilon/2})}\right) = O\left(\frac{m}{\epsilon}\right).
\]
In total, the size is at most $O\left(\frac{m}{\epsilon}\right) + m = O\left(\frac{m}{\epsilon}\right)$.
\end{proof}


\subsection{Higher depth}

As we have shown, when $m \ge n^{2 + \Omega(1)}$, depth 2 is enough to achieve linear size; when $m \ge n (\log n)^{2 + \Omega(1)}$, depth 3 is enough; when $m$ is ``slightly larger'' than $n$, we would need higher depth.

In this subsection, we will prove for any $m \ge n$, depth $\alpha(m, n)+O(1)$ is enough, where $\alpha(m, n)$ is the two-parameter version of the inverse Ackermann function.


\begin{lemma}
\label{lem:depth_d_sc_size}
For depth $d \ge 3$,
\[
\mathrm{SC}_d(m, n) = O(m \lambda_d(n)).
\]
\end{lemma}
\begin{proof}
If $m \ge n^{2.5}$, by Lemma \ref{lem:sc_depth2_linear_size}, we have
\[
\mathrm{SC}_d(m, n) \le \mathrm{SC}_2(m, n) = O(m).
\]

If $m \le n^{2.5}$, we have
$
\lambda_d(m) \le \lambda_d(n^{2.5}).
$
When $d = 3$, $\lambda_d(n^{2.5}) = O(\log\log n^{2.5}) = O (\log \log n) = O(\lambda_3(n))$. When $d \ge 4$, we have
\begin{eqnarray*}
\lambda_d(n^{2.5}) & = & \min \{i : \lambda_{d-2}^{(i)}(n^{2.5}) \le 1 \} \\
& = & \lambda_d(\lambda_{d-2}(n^{2.5})) + 1 \\
& \le & \lambda_d(\lceil 2.5 \log n \rceil) + 1 \\
& \le & \lambda_d(n) + 1 \\
& = & O(\lambda_d(n)).
\end{eqnarray*}
So, when $m \le n^{2.5}$, we always have $\lambda_d(m) \le O(\lambda_d(n))$.


From Table \ref{table:sc_bounds}, we know there exist depth-$d$ $(m, m)$-superconcentrator of size $O(m \lambda_d(m))$.
Note that, by removing $m-n$ outputs and their incident edges, we are left with an $(m, n)$-superconcentrator. So we have
$
\mathrm{SC}_d(m, n) \le \mathrm{SC}_d(m, m) \le O(m \lambda_d(m)) \le O(m \lambda_d(n)).
$
\end{proof}


\begin{theorem}
\label{thm:general_d_linear_sc}
For depth $d \ge 3$, if $m \ge n \lambda_d^{1 + \epsilon}(n)$ for some $\epsilon > 0$, then
\[
S_{d+1}(m, n) = O\left(\frac{m}{\epsilon}\right).
\]
\end{theorem}
\begin{proof} Construct a depth-$(d+1)$ $(n, m)$-network as follows: put $\frac{m}{r}$ vertices on the second last layer; the first $d$ layers is an $(n, \frac{m}{r})$-superconcentrator; the last layer is a reversed $\left(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon}}\right)$-concentrator, where $\frac{m}{r^{1+\epsilon}} = n$, i.e.,
\[
r = \left( \frac{m}{n} \right)^{\frac{1}{1 + \epsilon}}.
\]

We verify the $(n, m)$-network is an $(n, m)$-superconcentrator. Consider any subset of inputs $X \subseteq [n]$ and subset of outputs $Y \subseteq [m]$ of equal size. By the definition of $(m, \frac{m}{r}, n)$-concentrator, $Y$ is connected to $|Y|$ vertices on the second last layer (by disjoint edges), denoted by $Z$; by the definition of $(n, \frac{m}{r})$-superconcentrator, $X$ and $Z$ are connected by $|X|$ vertex-disjoint paths. Therefore, there are $|X| = |Y|$ vertex-disjoint paths connecting $X$ and $Y$.

We estimate the size of the $(n, m)$-network. By Lemma \ref{lem:depth_d_sc_size}, the size of the depth-$d$ $(n, \frac{m}{r})$-superconcentrator is of size
\begin{eqnarray*}
O\left(\frac{m}{r} \cdot \lambda_d(n)\right) & = & O\left( m \cdot \frac{\lambda_d(n)}{\left(\frac{m}{n}\right)^{\frac{1}{1 + \epsilon}}} \right) \\
& \le & O(m),
\end{eqnarray*}
where the last step is because $\frac{m}{n} \ge \lambda_d(n)^{1+\epsilon}$. By Lemma \ref{lem:linear_concentrator}, the $(m, \frac{m}{r}, \frac{m}{r^{1+\epsilon}})$-concentrator is of size
\[
O\left(m \frac{\log(r^{1+\epsilon})}{\log(r^\epsilon)}\right) = O\left(\frac{m}{\epsilon}\right).
\]
In total, the size is at most $O\left(\frac{m}{\epsilon}\right) + m = O\left(\frac{m}{\epsilon}\right)$.
\end{proof}


\begin{corollary} For any $m \ge n$, if $d \ge \alpha(m, n)+3$, we have
\[
\mathrm{SC}_d(m, n) = O(m).
\]
\end{corollary}
\begin{proof}
\textbf{Case 1:} $m \ge 128n$. By the definition of $\alpha(m, n)$, we have $\frac{m}{n} \ge \lambda_{\alpha(m, n)}(n)$. By Proposition \ref{prop:alpha_well_defined}, we have
$
	\frac{m}{n} \ge \lambda_{\alpha(m,n)+2}^2(n).
$
By Theorem \ref{thm:general_d_linear_sc}, we conclude
$
\mathrm{SC}_{\alpha(m,n)+3}(m, n) = O(m).
$

\textbf{Case 2:} $m < 128n$. If $\alpha(m, n) = 1$, we have $m \ge n \lfloor\sqrt{n} \rfloor$. By Lemma \ref{lem:d3_linear_sc}, we know $\mathrm{SC}_4(m, n) \le \mathrm{SC}_3(m, n) = O(m)$. If $\alpha(m, n) = 2$, we have $m \ge n \log n \ge n (2\log^* n)^2$. By Theorem \ref{thm:general_d_linear_sc}, $\mathrm{SC}_5(m, n) = O(m)$.

From now on, we assume $\alpha(m, n) \ge 3$. By the definition of $\alpha(m, n)$, we have $\lambda_{\alpha(m, n)}(n) \le 4$. By Lemma \ref{lem:depth_d_sc_size}, we have
\[
\mathrm{SC}_{\alpha(m,n)}(m, n) = O(m \lambda_{\alpha(m, n)}(n)) = O(m).
\]
\end{proof}

Combining the construction of linear-size superconcentrator and the random linear SS scheme, we conclude, if $n \ge t^{2 + \Omega(1)}$, depth 2 is enough for a linear-size arithmetic circuit to compute the shares of a $(n, t)$-threshold SS scheme; if $n \ge t (\log t)^{1 + \Omega(1)}$, depth 3 is enough; generally, depth $\alpha(m, n) + O(1)$ is enough.




\section{Conclusion}

In this paper, we study the circuit complexity of threshold SS. We prove any unrestricted arithmetic circuit computing the shares of a threshold SS scheme must satisfy some connection properties. On the other hand, any graph satisfying these connection properties (that are weaker than that of superconcentators) can be turned into an arithmetic circuit (which computes the shares of a threshold SS scheme), assuming the underlying field is large enough. Therefore, for large finite fields, we have characterized the circuit complexity of threshold SS in terms of graph-theoretic properties.

We (non-explicitly) construct unbalanced $(t, n)$-superconcentrators in linear size and depth $O(\alpha(t, n))$, where $\alpha(t, n)$ is the two-parameter version of the inverse Ackermann function. Combining with our previous results, it implies that threshold SS schemes can be realized by linear size arithmetic circuits in almost constant depth. 

It would be interesting to make the construction work for small fields, e.g., $\mathbb{F}_2$, and/or to make the construction explicit. Another open problem is to prove lower bounds for bounded-depth \emph{concentrators}, which would imply circuit lower bounds for threshold SS.




