Perfect Secret Sharing Schemes for Access Structures Based on Graphs

(1)

Perfect Secret Sharing Schemes for Access Structures Based on Graphs

Bo-Rong Lin

^∗

, Hui-Chuan Lu

^†

, Hung-Lin Fu

^∗

Abstract

A perfect secret sharing scheme based on a graph G is a randomized dis- tribution of a secret among the vertices of the graph so that the secret can be recovered from the information assigned to the endvertices of any edge, while the total information assigned to an independent set of vertices is independent (in statistical sense) of the secret itself.

The (worst case) information ratio of G is the infimum of the maximum amount of information some vertex must remember for each bit in the secret.

In this paper, using entropy method, we calculate a lower bound on the information ratio for an infinite class of graphs. We also construct perfect secret sharing schemes with information ratio 2 for these graphs. This upper bound is very close to our lower bound in some circumstances, which means the secret sharing schemes we construct are in fact very good.

∗Department of Applied Mathematics, National Chiao Tung University, Hsinchu, Taiwan 30010;

Email: [email protected]

†Center for Basic Required Courses, National United University, Miaoli, 36003, Taiwan; Email:

[email protected]. Research supported in part by MOST 104-2115-M-239-001.

(2)

1 Introduction and Preliminaries

Secret sharing scheme is a method for a dealer to distribute a secret data among a set of participants so that only qualified subsets are able to recover the data. If, in addition, unqualified subsets have no extra information, i.e. their joint shares are statistically independent of the secret, the scheme is called perfect. The access structure of the scheme is the collection of all qualified subsets. When the access structure is based on a graph, the vertices of the graph are the participants, and if a collection of vertices contains an edge, then it is qualified. The eﬃciency of a scheme is usually measured by how much information (in bits) a participant must remember in the scheme in the worst case, or on average. The (worst case) information ratio of a graph G is the infimum of the information (in bits) a participant has to remember for each bit of the secret over all possible schemes based on G.

Determining the information ratio for a simple graph could be very challenging.

Despite the diﬃculty, the ratios were exactly determined for several infinite families of graphs [2, 3, 4, 11, 12, 13]. Interestingly, almost all of these ratios are of the forms 2− ¹_k for some positive integer k. In this paper, we investigate the information ratio of another family of graphs. Our lower bound on the information ratio of this family of graphs is also of the form 2− ¹_k for some integer k.

This paper is organized as follows. In this section, we introduce some important known results and our approaches for deriving lower bounds and upper bounds on R(G). Our main results are presented in Section 2. First, we propose an infinite class of graphs G_k,n, and then use the idea introduced in Section 1.2 to derive a lower bound on the information ratio of them. Subsequently, the construction of the secret sharing scheme based on these graphs with information ratio 2 is proposed. The information ratio of our construction is very close to the lower bound we derive for

(3)

large n. A concluding remark will be given in Section 3.

1.1 Preliminaries

Let G be a graph. A secret sharing scheme for the access structure base on G is a collection of random variables ζs and ζv for all vertices v in G with a joint distribution, where ζ_s is the secret and ζ_v is the share of v such that if vu is an edge of G, then ζ_v and ζ_u together determine the value of the secret ζ_s uniquely. We call the secret sharing scheme perfect whenever one additional condition is satisfied, that is, if A is an independent set in G, then the collection {ζv : v ∈ A} and ζs are statistically independent.

Given a discrete random variable X with possible values {x1, x₂, . . . , x_n} and a probability distribution {p(xi)}ⁿ_i=1, the Shannon entropy [9] is defined as H(X) =

−∑_n

i=1p(x_i) log p(x_i) which is roughly the number of independent bits necessary to encode the value of X. We say that A determines B if and only if H(A) = H(A∪ B), A and B are statistically independent if and only if H(A∪ B) = H(A) + H(B). In the case of secret sharing, the size of the share assigned to the participant v ∈ V (G) is H(ζ_v), and the size of the secret is H(ζ_s). Thus the information ratio of the secret sharing scheme Σ ={ζs, ζv : v ∈ V (G)} on G is defined as

R_Σ = max_v_{∈V (G)}H(ζv) H(ζ_s) , and the information ratio of G is defined as

R(G) = inf{RΣ : Σ is a secret sharing scheme on G} .

(4)

1.2 A Lower Bound on R(G)

Let the distribution{ζv, ζ_s} be any perfect secret sharing scheme on G. Consider the real-valued function f which assigns the value

f (A) = H ({ζv : v ∈ A}) H(ζs)

to the subset A of vertices. Using standard properties of the entropy function [9, 10, 14], the function f has the following properties.

(a) f (A)> 0, f(ϕ) = 0,

(b) f (B)> f(A), when A ⊆ B ⊆ V (G),

(c) f (A) + f (B)> f(A ∪ B) + f(A ∩ B),

(d) f (B)> f(A) + 1, when A ⊆ B ⊆ V (G), A is an independent set and B is not,

(e) f (A) + f (B)> f(A ∪ B) + f(A ∩ B) + 1, when A ∩ B is an independent set but A and B are not.

Suppose there exists a real number r so that, for any real-valued function f sat- isfying properties (a) to (e), the inequality max_v_{∈V (G)}f ({v}) > r holds. Then, the information ratio R(G) of G is at least r.

1.3 An Upper Bound on R(G)

The information ratio of any perfect secret sharing scheme on G naturally makes an upper bound on R(G). We use some algebraic or geometric structures to build up the scheme. The following construction provides a general approach [6].

Let F be a finite-dimensional vector space over a finite field, and the secret and the participants are both (non-trivial) linear subspaces of F. Let Lv be the subspace

(5)

assigned to v ∈ V (G) and Ls be the subspace assigned to the secret. These subspaces should have the following properties:

(i) If vu is an edge in G, then the linear span of L_v and L_u must contain L_s.

(ii) If{v1, v₂, . . . , v_k} is an independent set of G, then the intersection of the linear span of {Lv1, Lv2, . . . , Lv_k} and Ls must be the trivial subspace {0}.

The dealer chooses an element fromF randomly. The secret, i.e. the value of ζs, is the orthogonal projection of this random element on L_s. The value of the share ζ_v of a participant v ∈ V (G) is the orthogonal projection of the dealer’s element on Lv. In this construction, if vu is an edge of G, the secret can be expressed as an appropriate linear combination of the shares of u and v. If{v1, v₂, . . . , v_k} is an independent set of G, then the projection of the dealer’s element on the linear span of{Lv1, Lv2, . . . , Lv_k} gives no information on the value of the projection on L_s.

The amount of information (i.e. entropy) in the secret is proportional to the dimension of L_s, and the information v gets is proportional to the dimension of L_v. Hence, the ratio of this construction Σ is

R_Σ = max_v_{∈V (G)}dim(L_v) dim(L_s) . Therefore, we have

R(G)6 max_v_{∈V (G)}dim(L_v) dim(L_s) .

1.4 Known Results

We present some of them which are related to our work.

Theorem 1.4.1. ([2]) Suppose that G is a connected graph, then R(G) = 1 if and only if G is a complete multipartite graph.

(6)

Theorem 1.4.2. ([1]) Suppose that G is a connected graph which is not complete

multipartite, then R(G)> ³₂.

Theorem 1.4.3. ([11]) Let C_n and P_n be the cycle and the path of length n, respec- tively. Then

R(C_n) = 3

2 for n> 5, and R(Pn) = 3

2 for n> 3.

Theorem 1.4.4. ([5]) Let G_i ⊆ G be arbitrary (finite or infinite) subgraphs of G, and assume that each edge of G is in at least k of the subgraphs. For a vertex v ∈ V (G), define r_i(v) = 0 if v /∈ V (Gi), and r_i(v) = R(G_i), otherwise. Then

R(G)6 sup

v∈V (G)

∑r_i(v)

k .

Corollary 1.4.5. ([5]) If the maximal degree of G is d, then R(G)6 (d + 1)/2.

The following lemma will be frequently used in Section 2.1.

Lemma 1.4.6. ([6]) Let X be a subset of an independent set W , w ∈ W − X. Let V be the vertex set of a complete graph with n vertices containing a and b so that a is not connected to any vertex in X∪ {w}, while b is connected to w. Then

[f ({a} ∪ X) − f(X)] + [f ({b} ∪ X) − f(X)] > f ({a, w} ∪ X) − f ({w} ∪ X) + 2.

A subset V₀ of V (G) is called connected if it induces a connected subgraph of G.

Csirmaz and Tardas [8] defined a core V₀ of a graph G as a connected subset V₀ of V (G) satisfying that each v ∈ V0 has a neighbor ¯v outside V₀ and is not adjacent to any other vertices in V₀, and {¯v|v ∈ V0} is an independent set of G. Applying this notion, the following breakthrough was obtained.

Theorem 1.4.7. ([8]) Let c(T ) be the maximum size of a core in the tree T , then

R(T ) = 2− 1 c(T ).

(7)

Later, Csirmaz and Ligeti [7] proved the following result which is so far the best on the information ratio of graphs.

Theorem 1.4.8. [7] Let d be the maximum degree of G and G satisfy the following

properties:

(i) every vertex has at most one neighbor of degree one,

(ii) vertices of degree at least three are not connected by an edge, and

(iii) the girth of G is at least six.

Then R(G) = 2− ¹_d.

2 Main Results

We start this section with the construction of a class of graphs whose information ratio can be well estimated.

Let G_k,nbe defined on{vij|i ∈ Zk and j ∈ Zn}∪{wj|j ∈ Zn} where Vi ={vix|x ∈ Zn} induces a complete graph of order n for each i∈ Zk and w_j is incident to v_ij for each i ∈ Zk and j ∈ Zn. For convenience, we take {1, 2, . . . , k} and {1, 2, . . . , n} for Zk

and Zn, respectively. Figure 2.1 is an example for k = 3 and n = 4.

Figure 2.1: G_3,4

(8)

Let f be a real-valued function which assigns non-negative values to subsets of vertices of G satisfying properties (a) - (e) listed in Section 1.2. By adapting the idea used in [6], we will derive a lower estimate for max_v_{∈V (G)}f (v), which makes a lower bound on the information ratio of the graph G_k,n. As it is customary, we leave out the {} and ∪ signs in the following discussion. For example, we write vX for the set {v} ∪ X.

Theorem 2.1. R(G_k,n)> 2 − 2⁻ⁿ⁺¹ for k ≥ 1 and n ≥ 1.

Proof. Since G_k,1 is a star and R(G_k,1) = 1, we may assume that n ≥ 2. For every i ∈ {1, 2, . . . , k} and j ∈ {1, 2, . . . , n}, using Lemma 1.4.6 with X = {ϕ}, a = vij, b = v_i1, w = w₁, we get

f (v_i2) + f (v_i1)> f(vi2w₁)− f(w1) + 2, and

f (v_ij) + f (v_i1)> f(vijw₁)− f(w1) + 2, where 36 j 6 n.

Adding up these inequalities, we have

f (v_ij) + f (v_i2) + 2f (v_i1)> f(vijw₁)− f(w1) + f (v_i2w₁)− f(w1) + 2 + 2, where 36 j 6 n.

Now, applying Lemma 1.4.6 to the right hand side of the inequality leads to

f (v_i3) + f (v_i2) + 2f (v_i1)> f(vi3w₂w₁)− f(w2w₁) + 2 + 2· 2, and

f (v_ij) + f (v_i2) + 2f (v_i1)> f(vijw₂w₁)− f(w2w₁) + 2 + 2· 2, where 4 6 j 6 n.

Adding up these inequalities and using Lemma 1.4.6 again, we get

f (v_i4) + f (v_i3) + 2f (v_i2) + 4f (v_i1)> f(vi4w₃w₂w₁)− f(w3w₂w₁) + 2 + 2· 2 + 2 · 2², and

f (v_ij) + f (v_i3) + 2f (v_i2) + 4f (v_i1)> f(vijw₃w₂w₁)− f(w3w₂w₁) + 2 + 2· 2 + 2 · 2²,

(9)

where 56 j 6 n.

By continuously doing this process, we will eventually arrive at the following inequality.

f (v_in) + f (v_i(n₋₁₎) + 2f (v_i(n₋₂₎) + 2²f (v_i(n₋₃₎) +· · · + 2ⁿ⁻³f (v_i2) + 2ⁿ⁻²f (v_i1)

> f(vinw_n₋₁· · · w2w₁)− f(wn−1· · · w2w₁) + 2 + 2· 2 + · · · + 2 · 2ⁿ⁻²

= f (v_inw_n₋₁· · · w2w₁)− f(wn−1· · · w2w₁) + 2(2ⁿ⁻¹− 1).

Now, from the properties (c) and (d) of f stated in Section 1.2, we have

f (v_inw_n₋₁· · · w2w₁)+f (w_nw_n₋₁· · · w2w₁)> f(vinw_nw_n₋₁· · · w2w₁)+f (w_n₋₁· · · w2w₁) and f (v_inw_nw_n−1· · · w2w₁)> f(wnw_n−1· · · w2w₁) + 1, which imply that

f (vinwn−1· · · w2w1)− f(wn−1· · · w2w1)> 1. Hence,

f (v_in) + f (v_i(n₋₁₎) + 2f (v_i(n₋₂₎) +· · · + 2ⁿ⁻²f (v_i1)> 2ⁿ− 1.

Observe that this inequality remains valid after shifting vertices in V_i ={vij|j ∈ {1, 2, . . . , n}}, that is,

f (v_in) + f (v_i(n₋₁₎) + 2f (v_i(n₋₂₎) +· · · + 2ⁿ⁻³f (v_i2) + 2ⁿ⁻²f (v_i1) > 2ⁿ− 1, f (v_i(n₋₁₎) + f (v_i(n₋₂₎) + 2f (v_i(n₋₃₎) +· · · + 2ⁿ⁻³f (v_i1) + 2ⁿ⁻²f (v_in) > 2ⁿ− 1,

...

f (v_i1) + f (v_in) + 2f (v_i(n₋₁₎) +· · · + 2ⁿ⁻³f (v_i3) + 2ⁿ⁻²f (v_i2) > 2ⁿ− 1.

Adding up these inequalities gives

2ⁿ⁻¹[f (v_i1) + f (v_i2) +· · · + f(vin)]> n(2ⁿ− 1), for all i = 1, 2, . . . , k,

and we have

2ⁿ⁻¹

∑k i=1

∑n j=1

f (v_ij)> nk(2ⁿ− 1).

(10)

Therefore, there must exist a vertex whose value is not less than (2ⁿ− 1)/2ⁿ⁻¹ = 2− 2⁻ⁿ⁺¹. The proof is completed.

In what follows, we provide a perfect secret sharing scheme on G_k,nwhose information ratio is 2. Our construction follows from the ideal outlined in Section 1.3. In order to construct a perfect secret sharing scheme with ratio max_v_{∈V (G)}dim(L_v)/ dim(L_s), we start with a high-dimensional vector space F, and assign linear subspaces to the vertices and the secret so that

• if vu is an edge of the graph, then the linear span of the subspaces Lv and L_u contains the subspace L_s, and

• if {v1, v₂, . . . , v_k} is an independent set, then Span ({Lv1, L_v₂, . . . , L_v_k}) ∩ Ls = {0}.

In our construction, F is a d(kn + 1)-dimensional vector space and subspaces will be given as the linear span of certain vectors. We shall split the coordinates of any vector into kn + 1 groups of d coordinates each. Now, we need some more definitions and notations to help us describe our construction. If x and y are two ℓ-dimensional vectors, then x^k is defined as the kℓ-dimensional vector obtained by repeating the coordinates of x for k times. The vector x⊕ y is 2ℓ-dimensional vector obtained by concatenating vector y after x. For example, if x = (010) and y = (101), then x³ = (010010010) and y⊕ x² = (101010010). Now, we are ready for the construction.

Construction 2.2. Let λ₁, λ₂, . . . , λ_kn be kn distinct integers. For convenience, let λ_x − λy be denoted by λ_x,y and, for i ∈ {1, 2, . . . , k}, j ∈ {1, 2, . . . , n} and m ∈ {1, 2, . . . , kn}, define

a_i,j,m =





λ_k(j_−1)+i, if m = k(t− 1) + i for t = 1, · · · , n; and λ_k(j_−1)+i,m, otherwise.

(11)

Assign to L_s the subspace spanned by the following d vectors:

e₁^kn+1, e₂^kn+1, e₃^kn+1, . . . , e_d^kn+1 where e₁ = (100· · · 0), . . . , etc.

Assign to L_w_j the subspace spanned by the following d vectors (

0 denotes (00 . . . 0) )

:

0^k(j⁻¹⁾⊕ e1k⊕ 0^k(n^−j)+1, 0^k(j⁻¹⁾⊕ e2k⊕ 0^k(n^−j)+1,· · · , 0^k(j⁻¹⁾⊕ edk⊕ 0^k(n^−j)+1.

In addition, L_v_ij is assigned the subspace spanned by the following 2d vectors:

e₁^k(j⁻¹⁾⊕ 0^k⊕ e1k(n−j)+1, e₂^k(j⁻¹⁾⊕ 0^k⊕ e2k(n−j)+1,· · · , edk(j−1)⊕ 0^k⊕ edk(n−j)+1, and

( _kn

⊕

m=1

a_i,j,me₁ )

⊕ λk(j−1)+ie₁, ( _kn

⊕

m=1

a_i,j,me₂ )

⊕ λk(j−1)+ie₂,· · · , ( _kn

⊕

m=1

a_i,j,me_d )

⊕ λk(j−1)+ie_d.

For clearness, we give an example with k = n = 2 and d = 3.

L_s = Span{(100100100100100), (010010010010010), (001001001001001)}

L_w₁ = Span{(100100000000000), (010010000000000), (001001000000000)}

L_w₂ = Span{(000000100100000), (000000010010000), (000000001001000)}

L_v_1,1 = Span{(000000100100100), (000000010010010), (000000001001001), (a_1,1,100a_1,1,200a_1,1,300a_1,1,400λ₁00),

(0a_1,1,100a_1,1,200a_1,1,300a_1,1,400λ₁0), (00a_1,1,100a_1,1,200a_1,1,300a_1,1,400λ₁)}

L_v_2,1 = Span{(000000100100100), (000000010010010), (000000001001001), (a_2,1,100a_2,1,200a_2,1,300a_2,1,400λ₂00),

(0a_2,1,100a_2,1,200a_2,1,300a_2,1,400λ₂0), (00a_2,1,100a_2,1,200a_2,1,300a_2,1,400λ₂)}

(12)

L_v_1,2 = Span{(100100000000100), (010010000000010), (001001000000001), (a1,2,100a1,2,200a1,2,300a1,2,400λ300),

(0a_1,2,100a_1,2,200a_1,2,300a_1,2,400λ₃0), (00a_1,2,100a_1,2,200a_1,2,300a_1,2,400λ₃)}

Lv2,2 = Span{(100100000000100), (010010000000010), (001001000000001), (a_2,2,100a_2,2,200a_2,2,300a_2,2,400λ₄00),

(0a_2,2,100a_2,2,200a_2,2,300a_2,2,400λ₄0), (00a2,2,100a2,2,200a2,2,300a2,2,400λ4)}

Theorem 2.3. Construction 2.2 defines a perfect secret sharing scheme on G_k,n with information ratio 2 for k ≥ 2 and n ≥ 1.

Proof. To show that Construction 2.2 defines a perfect secret sharing scheme on G_k,n, we need to check the following conditions:

1. the span of Lw1, Lw2, ..., and Lwn intersects Ls in {0}, 2. the span of L_v_ij and L_w_j must contain L_s,

3. the span of L_v_ij and {Lwm : m ̸= j} intersects Ls in{0},

4. the span of two diﬀerent L_v and L_u, where v, u ∈ Vi, should contain L_s, and

5. the span of two diﬀerent L_v and L_u, where v∈ Vi and u∈ Vj with i̸= j, should be the trivial space {0}.

First, since all coordinates in the (kn + 1)-th group of any vector in L_w_j are zero and any non-trivial vector in Ls has non-zero coordinates in that group, the first requirement for the independent set W is satisfied. Second, for each ℓ ∈ {1, 2, . . . , d}, the sum of the ℓ-th generating vectors of L_v_ij and L_w_j gives the ℓ-th generating vector

(13)

of L_s. The linear span of L_v_ij and L_w_j contains L_s as required. To verify that the third condition holds as well, we observe that the coordinates of the first d generating vectors of L_v_ij and any vector in L_w_m, m ̸= j, are all zero in the (k(j − 1) + 1)-th to the (kj)-th groups. For any distinct t₁, t₂ ∈ {k(j − 1) + ℓ : ℓ = 1, 2, . . . , k}, the coordinates in the t₁-th group and those in the t₂-th group are identical for any vector in Ls, while any linear combination of the latter d generating vectors of Lvij

can not produce a non-trivial vector with this property. Therefore, any vector in the intersection of Span{

L_v_ij, L_m : m̸= j}

and L_s must be the zero vector. Next, note that

( _kn

⊕

m=1

a_i,j,me_ℓ )

⊕ λk(j−1)+ie_ℓ− ( _kn

⊕

m=1

a_i,r,me_ℓ )

⊕ λk(r−1)+ie_ℓ = λ_k(j−1)+i,k(r−1)+ie_ℓ.

The ℓ-th generating vector of L_scan be obtained from the (d+ℓ)-th generating vectors of L_v_ij and L_v_ir with j ̸= r. The fourth condition is also satisfied. To check the fifth condition, one can easily verify that the generating vectors of L_v_ij and L_v_sr, s ̸= i, and those of L_s are linearly independent by some routine calculation.

In this construction, L_v_ij is generated by 2d linearly independent vectors, L_w_j and Ls are both generated by d linearly independent vectors, thus dim(Lvij) = 2d and dim(L_w_j) = dim(L_s) = d. This shows that the information ratio of the perfect secret sharing scheme defined in Construction 2.2 is 2.

Since R(G_1,n)≤ 2 has been shown in [6], we have the following corollary.

Corollary 2.4. 2− 2⁻ⁿ⁺¹ 6 R(Gk,n)6 2, for k ≥ 1 and n ≥ 1.

3 Concluding Remark

The lower bound of the information ratio in Corollary 2.4 is very close to the upper bound when n is suﬃciently large. Hence the perfect secret sharing scheme

(14)

defined in Construction 2.2 performs well for large n. However, we are not sure that if there exists a secret sharing scheme for a supergraph of G_k,n whose information ratio is strictly less than 2. We remark finally, if eG_k,n is obtained by joining all the edges between cliques, then similar argument also shows that there exists a construction of perfect sharing scheme based on eG_k,n such that its information ratio is 2.

References

[1] C. Blundo, A. De Santis, D. R. Stinson and U. Vaccaro, Graph decompositions and secrete sharing schemes, J. Cryptology, 8, 39-64 (1995).

[2] E. F. Brickell and D. M. Davenport, On the classification of ideal secret sharing schemes, J. Cryptology, 4, 123-134 (1991).

[3] E. F. Brickell and D. R. Stinson, Some improved bounds on the information rate of perfect secret sharing schemes, J. Cryptology, 5, 153-166 (1992).

[4] L. Csirmaz, Secret sharing on infinite graphs, Studia Mathematica Hungarica, vol 44, 297-306 (2007). - available as IACR preprint http://eprint.iacr.org/2005/059.

[5] L. Csirmaz, Secret sharing on infinite graphs, Tatra Mt. Math. Publ 41, 1-18 (2008).

[6] L. Csirmaz, An impossibility result on graph secret sharing, Designs, Codes and Cryptography, 53, 195-209 (2009).

[7] L. Csirmaz and P. Ligeti, On an infinite families of graphs with information ratio 2− ¹_k, Computing 85, 127-136 (2009).

[8] L. Csirmaz and G. Tardas, Optimal information rate of secret sharing schemes on trees, IEEE Transactions on Information Theory, 59(4), 2527-2530 (2013).

(15)

[9] I. Csisz´ar and J. K¨orner, Information Theory. Coding Theorems for Discrete Memoryless Systems, Academic Press, New York, 1981.

[10] F. Matus, Adhesivity of polymatroids, Discrete Mathematics, Vol 307, 21, 2464- 2477 (2007).

[11] D. R. Stinson, Decomposition constructions for secret sharing schemes, IEEE Transactions on Information Theory, 40, 118-125 (1994).

[12] M. van Dijk, On the information rate of perfect secret sharing schemes, Designs, Codes and Cryptography, 6, 143-169 (1995).

[13] M. van Dijk, T. Kevenaar, G. Schrijen and P. Tuyls, Improved constructions of secret sharing schemes by applying (λ, ω)-decompositions, Inf. Process. Lett. vol 99(4), 154-157 (2006).

[14] Z. Zhang and R. W. Yeung, On characterization of entropy function via information inequalities, IEEE Trans. Inform. Theory Vol 44, 1440-1452 (1998).