New bounds on the average information rate of secret-sharing schemes for graph-based weighted threshold access structures


Hui-Chuan Lu a,b,*,1, Hung-Lin Fu b,2

a Center for Basic Required Courses, National United University, Miaoli 36003, Taiwan

b Department of Applied Mathematics, National Chiao Tung University, Hsinchu 30010, Taiwan

Article info

Article history: Received 23 July 2011; Received in revised form 13 March 2013; Accepted 25 March 2013; Available online 2 April 2013

Keywords: Secret-sharing scheme; Access structure; Optimal information rate; Optimal average information rate; Weighted threshold access structure; Complete multipartite covering

Abstract

A secret-sharing scheme is a protocol by which a dealer distributes shares of a secret key among a set of n participants in such a way that only qualified subsets of participants can reconstruct the secret key from the shares they received, while unqualified subsets have no information about the secret key. The collection of all qualified subsets is called the access structure of this scheme. The information rate (resp. average information rate) of a secret-sharing scheme is the ratio between the size of the secret key and the maximum size (resp. average size) of the shares. In a weighted threshold scheme, each participant has his or her own weight. A subset is qualified if and only if the sum of the weights of participants in the subset is not less than the given threshold. Morillo et al. [19] considered the schemes for weighted threshold access structure that can be represented by graphs called k-weighted graphs. They characterized this kind of access structures and derived a result on the information rate. In this paper, we deal with the average information rate of the secret-sharing schemes for these structures. Two sophisticated constructions are presented, each of which has its own advantages and both of them perform very well when n/k is large.

© 2013 Elsevier Inc. All rights reserved.

1. Introduction

A secret-sharing scheme is a protocol by means of which a dealer distributes a secret key among a set of participants P so that only qualified subsets of P can reconstruct the secret key whereas unqualified subsets of P have no information about the secret key. The family of all qualified subsets is called the access structure of the scheme. In practice, an access structure has to be monotone, which means any subset of P containing a qualified subset must also be qualified. The basis $\Gamma_0$ of an access structure $\Gamma$ is the set of all minimal subsets in $\Gamma$. The access structure $\Gamma$ is called the closure of $\Gamma_0$, denoted as $\Gamma = Cl(\Gamma_0)$. In addition, $\Gamma$ is r-homogeneous if the cardinality of each subset in $\Gamma_0$ is r.

The first secret-sharing schemes were (t, n)-threshold schemes. These schemes were introduced by Shamir [22] and Blakley [2] independently in 1979. The basis of the access structure for such a scheme consists of all t-subsets of the set P of participants of size n. Related problems have received considerable attention since then. Secret-sharing schemes for various access structures have been widely studied [2–7,9,12,15,19,20,22,24–26]. Many modified versions of secret-sharing schemes with additional capacities were proposed [8,11,13,14,16,17,21,23,27]. The reader is referred to [1] for a comprehensive survey. Secret sharing has been an interesting branch of modern cryptography.

Information Sciences. http://dx.doi.org/10.1016/j.ins.2013.03.047

* Corresponding author at: Center for Basic Required Courses, National United University, Miaoli 36003, Taiwan. E-mail addresses: hjlu@nuu.edu.tw, hht0936@seed.net.tw (H.-C. Lu).

1 Research supported in part by NSC 100-2115-M-239-001.

2 Research supported in part by NSC 100-2115-M-009-005-MY3.

One of the most important research directions regarding secret-sharing schemes is to establish bounds on the size of the shares given to the participants and thereby obtain bounds on the storage and communication complexity. There are two major tools to measure the efficiency of a secret-sharing scheme, namely the information rate and the average information rate of a scheme. The information rate of a secret-sharing scheme is the ratio between the length (in bits) of the secret key and the maximum length of the shares given to the participants. The average information rate of a secret-sharing scheme is the ratio between the length of the secret key and the average length of all shares given to the participants. In a practical implementation of a secret-sharing scheme, these rates are expected to be as high as possible. Therefore, researchers are also concerned with the highest rates a secret-sharing scheme can have for a given access structure. The optimal (average) information rate of an access structure is the maximum (average) information rate over all secret-sharing schemes which realize that access structure.

Graph-based access structures have been widely studied during the past decades. In such an access structure, each vertex of a graph G represents a participant and each edge represents a minimal qualified subset, that is, $P = V(G)$ and $\Gamma = Cl(E(G))$. The optimal information rate (resp. optimal average information rate) of an access structure based on a graph G is denoted as $\rho(G)$ (resp. $\tilde{\rho}(G)$). It is easy to see that $\rho(G) \le \tilde{\rho}(G) \le 1$ and that $\rho(G) = 1$ if and only if $\tilde{\rho}(G) = 1$. A secret-sharing scheme with the information rate equal to one is then called an ideal secret-sharing scheme. An access structure is ideal if there exists an ideal secret-sharing scheme for it. Brickell and Davenport [6] have completely characterized ideal graph-based access structures. For general graphs, Stinson [26] showed that $\rho(G) \ge \frac{2}{d+1}$ where d is the maximum degree of G and $\tilde{\rho}(G) \ge \frac{2n}{2m+n}$ where $n = |V(G)|$ and $m = |E(G)|$. Due to the difficulty of the derivation of good results on general graphs, most efforts have been focused on small graphs [5,12,15] and graphs with better structures [3,5,9,10,18,26].

Morillo et al. [19] considered the weighted threshold secret-sharing schemes. This is the case when every participant is given a weight depending on his or her position in an organization. A set of participants is in the access structure if and only if the sum of the weights of all participants in the set is not less than the given threshold. Morillo et al. characterized weighted threshold access structures based on graphs and studied their optimal information rate. Since these access structures are more applicable in real-life situation, an in-depth investigation can have a significant contribution to the application of secret sharing. We are motivated to construct better secret-sharing schemes for them and have a more detailed analysis of the average information rate of our schemes.

This paper is organized as follows. Definitions, notations and basic known results are introduced in Section 2. Morillo's characterization and constructions of secret-sharing schemes of graph-based weighted threshold access structures are presented in Section 3. In Section 4, we start with an observation on the structure of the graphs that represent weighted threshold access structures, and then our first construction is introduced. Subsequently, one more sophisticated construction is presented in Section 5. Finally, we give a comparison of these constructions in Section 6.

2. Preliminaries

Let P be the set of all participants, K be the set of all secret keys, $\Gamma \subseteq 2^P$ be the access structure and S be the set of all possible shares. Given a secret key $d \in K$, a dealer D gives to participant p a share $s_{p,d} \in S_p$ where $S_p$ is the set of all shares participant p receives from the dealer corresponding to all keys in K. A distribution rule is a function $f : \{D\} \cup P \to K \cup S$ with $f(D) \in K$ and $f(p) \in S$ for all $p \in P$. f(D) is the secret key to be distributed and f(p) is the share participant p receives from the dealer for key f(D). Let $\mathcal{F}$ be a collection of distribution rules and $\mathcal{F}_d = \{f \in \mathcal{F} : f(D) = d\}$. We call $\mathcal{F}$ a perfect secret-sharing scheme if the following two conditions are satisfied:

(i) Given any $B \in \Gamma$ and $f, g \in \mathcal{F}$, if $f(p) = g(p)$ for all $p \in B$, then $f(D) = g(D)$.

(ii) Given any $B \notin \Gamma$ and any function $g : B \to S$, there exists a nonnegative integer $\lambda(g, B)$ such that, for each $d \in K$,

$$|\{f \in \mathcal{F}_d \mid f(p) = g(p),\ \forall p \in B\}| = \lambda(g, B).$$

The first condition guarantees that the shares given to a qualified subset uniquely determine the secret key, while the second ensures that the shares given to an unqualified subset reveal no information about the secret key. When these two conditions are met, we say that this secret-sharing scheme $\mathcal{F}$ realizes the access structure $\Gamma$. Since all schemes mentioned in this paper are perfect, we will simply use "secret-sharing scheme" for "perfect secret-sharing scheme" throughout this paper. In a secret-sharing scheme $\mathcal{F}$, the information rate, denoted $\rho(\mathcal{F})$, is defined as

$$\rho(\mathcal{F}) = \frac{\log_2 |K|}{\max\{\log_2 |S_p| : p \in P\}}$$

and the average information rate, denoted $\tilde{\rho}(\mathcal{F})$, is defined as

$$\tilde{\rho}(\mathcal{F}) = \frac{\log_2 |K|}{\frac{1}{|P|}\sum_{p \in P} \log_2 |S_p|} = \frac{|P| \log_2 |K|}{\sum_{p \in P} \log_2 |S_p|}.$$

Example 2.1. $P = \{a, b, c\}$, $\Gamma_0 = \{\{a, b\}, \{b, c\}\}$, $K = GF(3)$. Let $\mathcal{F} = \{f_{r,d} \mid r, d \in GF(3)\}$ where $f_{r,d}(D) = d$, $f_{r,d}(a) = f_{r,d}(c) = r$ and $f_{r,d}(b) = r + d$. This scheme can be represented by the following table:

Note that each row in the table represents a distribution rule. One can easily check that this scheme is a secret-sharing scheme and $\rho(\mathcal{F}) = \tilde{\rho}(\mathcal{F}) = 1$ since $K = S_a = S_b = S_c = GF(3)$. This scheme is in fact an ideal one.
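The check that Example 2.1 leaves to the reader can be done by enumeration. The following Python sketch is an added illustration, not code from the paper: it lists the nine distribution rules, tests conditions (i) and (ii) of Section 2 for every subset of participants, and computes both rates. The function names and the `leaky_rules` variant (b's share set equal to the key) are hypothetical and serve only to show the check failing.

```python
from itertools import combinations, product
from math import log2

Q = 3                                   # K = GF(3); arithmetic is mod 3
PARTICIPANTS = ("a", "b", "c")
BASIS = [{"a", "b"}, {"b", "c"}]        # Gamma_0 of Example 2.1

def distribution_rules(q=Q):
    """All rules f_{r,d}: f(D) = d, f(a) = f(c) = r, f(b) = r + d."""
    return [{"D": d, "a": r, "b": (r + d) % q, "c": r}
            for r in range(q) for d in range(q)]

def leaky_rules(q=Q):
    """Constructed counter-example (not in the paper): b's share is the key."""
    return [{"D": d, "a": r, "b": d, "c": r}
            for r in range(q) for d in range(q)]

def is_qualified(subset, basis=BASIS):
    """B is in Gamma = Cl(Gamma_0) iff it contains a minimal qualified set."""
    return any(m <= set(subset) for m in basis)

def check_perfect(rules, participants=PARTICIPANTS, q=Q):
    """Return {B: True/False} for conditions (i)/(ii) on every non-empty B."""
    report = {}
    for size in range(1, len(participants) + 1):
        for B in combinations(participants, size):
            views = {}                  # shares seen by B -> keys of matching rules
            for f in rules:
                views.setdefault(tuple(f[p] for p in B), []).append(f["D"])
            if is_qualified(B):
                # (i): the shares held by B determine the key uniquely
                ok = all(len(set(keys)) == 1 for keys in views.values())
            else:
                # (ii): for every assignment g on B, the number of rules in F_d
                # consistent with g is the same for each key d (possibly zero)
                ok = True
                for g in product(range(q), repeat=len(B)):
                    keys = views.get(g, [])
                    ok = ok and len({keys.count(d) for d in range(q)}) == 1
            report[B] = ok
    return report

def rates(rules, participants=PARTICIPANTS):
    """Information rate and average information rate as defined in Section 2."""
    key_bits = log2(len({f["D"] for f in rules}))
    share_bits = [log2(len({f[p] for f in rules})) for p in participants]
    return key_bits / max(share_bits), key_bits / (sum(share_bits) / len(share_bits))

if __name__ == "__main__":
    print(check_perfect(distribution_rules()))
    print(rates(distribution_rules()))
    print(check_perfect(leaky_rules())[("b",)])
```
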

In this paper, only graph-based access structures are considered. In this case, $\Gamma = Cl(E(G))$ is 2-homogeneous. The graphs with optimal rate $\rho(G) = 1$ or $\tilde{\rho}(G) = 1$ have been completely characterized by Brickell and Davenport.

Theorem 2.2 [6]. Suppose that G is a connected graph, then $\rho(G) = 1$ if and only if G is a complete multipartite graph.

Example 2.1 shows that $\rho(K_{1,2}) = 1$ since the access structure of the scheme is $Cl(K_{1,2})$. For graphs that are not complete multipartite graphs, Blundo et al. [5] have shown the following fact.

Theorem 2.3 [5]. Suppose that G is a connected graph that is not a complete multipartite graph, then $\rho(G) \le \frac{2}{3}$ and $\tilde{\rho}(G) \le \frac{n}{n+1}$ where $n = |V(G)|$.

When dealing with information rates, the following lemma is especially helpful.

Lemma 2.4 [5]. If $G'$ is an induced subgraph of graph G, then $\rho(G) \le \rho(G')$.

Stinson [26] proposed a very useful decomposition construction which enables us to build up secret-sharing schemes for larger graphs using smaller complete multipartite graphs through complete multipartite coverings. A complete multipartite covering of a graph G is a collection of complete multipartite subgraphs $\{G_1, G_2, \ldots, G_l\}$ of G such that each edge of G belongs to at least one subgraph $G_i$.

Theorem 2.5 [26]. Suppose that $\{G_1, G_2, \ldots, G_l\}$ is a complete multipartite covering of a graph G with $V(G) = \{1, 2, \ldots, n\}$. Let $R_i = |\{j \mid i \in V(G_j)\}|$ and $R = \max_{1 \le i \le n} R_i$. Then there exists a secret-sharing scheme for access structure $Cl(E(G))$ with information rate $\rho$ and average information rate $\tilde{\rho}$ where

$$\rho = \frac{1}{R} \quad\text{and}\quad \tilde{\rho} = \frac{n}{\sum_{i=1}^{n} R_i} = \frac{n}{\sum_{i=1}^{l} |V(G_i)|}.$$

According to the theorem, in order to construct a secret-sharing scheme with higher information rate (resp. average information rate), we need a complete multipartite covering with less maximum number of occurrence of a vertex (resp. less total number of occurrences of the vertices) in the covering.

3. Weighted threshold secret-sharing scheme

Given a set of n participants P, a threshold $t > 0$ and a weight function $w : P \to \mathbb{R}$ with $w(p) \ge 0$ for all $p \in P$, the (t, n, w)-weighted threshold access structure consists of all subsets $A \subseteq P$ such that $w(A) = \sum_{p \in A} w(p) \ge t$. Morillo et al. [19] showed that any weighted access structure determined by a non-integer-valued weight function and a non-integer threshold can also be determined by an integer-valued weight function and an integer threshold. So, considering integer-valued weight functions is sufficient in our problem. In the remainder of the paper, we assume that a weight function w is given.

An access structure $\Gamma = Cl(\Gamma_0)$ is said to be connected if for any participant $p \in P$, there exists $A \in \Gamma_0$ such that $p \in A$. Throughout this paper, we consider 2-homogeneous connected weighted threshold access structure and exclude the case where any participant has zero-weight. This kind of access structure can be represented by a graph G. In this graph, there is a set C of vertices, each of which is adjacent to all other vertices in G. The weight of each vertex in C is higher than the weight of any vertex not in C. If $C \ne V(G)$, removing C from the graph G produces a nonempty set A of isolated vertices, each of which has lower weight than any other vertex not in A. If $C \cup A \ne V(G)$, the subgraph $G'$ induced by $V(G) \setminus (C \cup A)$ represents a 2-homogeneous connected weighted threshold access structure $\Gamma' = \{B \subseteq P \setminus (C \cup A) \mid w(B) \ge t\}$. Repeating these processes, the structure of G can be clearly characterized in the following theorem.

Theorem 3.1 [19]. Let G be a graph that represents the 2-homogeneous connected weighted threshold access structure $\Gamma$. Then, there exists a unique partition of the vertices of G,

$$P = C_1 \cup A_1 \cup C_2 \cup A_2 \cup \cdots \cup C_k \cup A_k,$$

where $C_i \ne \emptyset$ for $i = 1, \ldots, k$, $A_i \ne \emptyset$ if $i = 1, \ldots, k-1$ and either $A_k = \emptyset$ and $|C_k| \ge 2$ or $|A_k| \ge 2$, such that the set of edges of G is

$$\Gamma_0 = \left\{\{u, v\} \mid u, v \in \bigcup_{i=1}^{k} C_i,\ u \ne v\right\} \cup \left\{\{v, p\} \mid v \in C_i,\ p \in A_j,\ 1 \le i \le j \le k\right\}.$$

They also showed that any graph with a partition described in Theorem 3.1 represents a 2-homogeneous connected weighted threshold access structure. Such a graph is then called k-weighted where k is the parameter used in Theorem 3.1. Since the structure of a k-weighted graph is completely determined by the values $|A_i|$'s and $|C_i|$'s, $i = 1, 2, \ldots, k$, we denote the k-weighted graph by $W(|A_1|, \ldots, |A_k|, |C_1|, \ldots, |C_k|)$. Observe that the subgraph induced by $\bigcup_{i=1}^{l} (A_{j_i} \cup C_{j_i})$ where $1 \le j_1 < j_2 < \cdots < j_l \le k$ is an l-weighted graph $W(|A_{j_1}|, \ldots, |A_{j_l}|, |C_{j_1}|, \ldots, |C_{j_l}|)$. Morillo et al. gave a complete multipartite decomposition for $(2^q - 1)$-weighted graph in which the maximum number of occurrence R of a vertex is not greater than q. Then, by Lemma 2.4, a lower bound on optimal information rate for k-weighted graph for all k follows.
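The peeling process described before Theorem 3.1 can be run directly on a weight assignment. The sketch below is an added example, not code from the paper or from Morillo et al.: it builds the graph of qualified pairs, rejects inputs that are not 2-homogeneous by brute force (suitable for small n only), extracts the partition $C_1, A_1, \ldots, C_k, A_k$, and rebuilds the edge set of Theorem 3.1 for comparison. The weights, threshold and all function names are constructed for illustration.

```python
from itertools import combinations

def threshold_graph(weights, t):
    """Edges {u, v} with w(u) + w(v) >= t, i.e. the qualified pairs."""
    return {frozenset((u, v)) for u, v in combinations(list(weights), 2)
            if weights[u] + weights[v] >= t}

def require_two_homogeneous(weights, t):
    """Every qualified subset must contain a qualified pair (brute force)."""
    names = list(weights)
    for r in range(1, len(names) + 1):
        for S in combinations(names, r):
            if sum(weights[p] for p in S) >= t and not any(
                    weights[u] + weights[v] >= t for u, v in combinations(S, 2)):
                raise ValueError(f"{S} is qualified but contains no qualified pair")

def k_weighted_partition(vertices, edges):
    """Peel off C_1, A_1, C_2, A_2, ... and return [(C_1, A_1), ..., (C_k, A_k)]."""
    adj = {v: set() for v in vertices}
    for e in edges:
        u, v = tuple(e)
        adj[u].add(v)
        adj[v].add(u)
    remaining, parts = set(vertices), []
    while remaining:
        # C: vertices adjacent to every other remaining vertex
        C = {v for v in remaining if remaining - {v} <= adj[v]}
        if not C:
            raise ValueError("no dominating vertex: not a k-weighted graph")
        remaining -= C
        # A: vertices left isolated once C is removed
        A = {v for v in remaining if not (adj[v] & remaining)}
        if remaining and not A:
            raise ValueError("no isolated vertex after removing C")
        remaining -= A
        parts.append((sorted(C), sorted(A)))
    return parts

def edges_from_partition(parts):
    """Edge set Gamma_0 as stated in Theorem 3.1."""
    clique = [v for C, _ in parts for v in C]
    E = {frozenset(e) for e in combinations(clique, 2)}
    for j, (_, A) in enumerate(parts):
        for i in range(j + 1):                     # C_i with i <= j
            E |= {frozenset((v, p)) for v in parts[i][0] for p in A}
    return E

# Constructed sample: six participants, threshold t = 10.
SAMPLE_WEIGHTS = {"p0": 9, "p1": 9, "p2": 6, "p3": 4, "p4": 4, "p5": 1}
SAMPLE_T = 10

def analyse(weights, t):
    require_two_homogeneous(weights, t)
    E = threshold_graph(weights, t)
    parts = k_weighted_partition(list(weights), E)
    return parts, E == edges_from_partition(parts)

if __name__ == "__main__":
    print(analyse(SAMPLE_WEIGHTS, SAMPLE_T))
```

For the sample input the result is the 2-weighted graph W(1, 2, 2, 1) in the notation above.
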

Theorem 3.2 [19]. Let $\Gamma = \{A \subseteq P \mid w(A) \ge t\}$ be an access structure that is represented by a k-weighted graph G. Then $\rho(G) \ge \frac{1}{\lceil \log_2 (k+1) \rceil}$.

For the average information rate, we need to find complete multipartite coverings for k-weighted graphs for each value of k. For convenience, we make a slight modification to the notation given in Theorem 3.1. In the case where $A_k = \emptyset$ and $|C_k| \ge 2$, we move one (arbitrarily chosen) vertex from $C_k$ to $A_k$. So, in our model, none of $A_i$'s and $C_i$'s are empty. Now, we are ready for our constructions.

4. Construction (I)

4.1. An observation

We observe that any k-weighted graph can be obtained by alternately applying two graph operations starting with a single vertex. Let us introduce these operations first. By "splitting vertex $v$ of a graph G into m vertices $v_1, \ldots, v_m$", denoted $S(v; \{v_1, \ldots, v_m\})$, we obtain a graph $G^{S(v;\{v_1,\ldots,v_m\})} = G^*$ where $V(G^*) = (V(G) - \{v\}) \cup \{v_1, v_2, \ldots, v_m\}$ and $E(G^*) = E(G - v) \cup \{v_i u \mid vu \in E(G) \text{ and } i = 1, 2, \ldots, m\}$. If we further add the set of edges $\{v_i v_j \mid 1 \le i < j \le m\}$ to $E(G^*)$, then we obtain a graph $G^{E(v;\{v_1,\ldots,v_m\})}$. This graph is said to be obtained by "expanding vertex $v$ into m vertices $v_1, \ldots, v_m$" from the original graph G and this operation is denoted by $E(v; \{v_1, \ldots, v_m\})$. For convenience, we use $\langle V_1, V_2 \rangle_G$ to denote the set of edges $\{uv \mid u \in V_1, v \in V_2 \text{ and } uv \in E(G)\}$ for any two disjoint subsets of vertices $V_1$ and $V_2$ in G.

Given a k-weighted graph $G = W(a_1, a_2, \ldots, a_k, c_1, c_2, \ldots, c_k)$, we let $A_i = \{u^i_1, u^i_2, \ldots, u^i_{a_i}\}$ and $C_i = \{v^i_1, v^i_2, \ldots, v^i_{c_i}\}$, $i = 1, 2, \ldots, k$. In what follows, we propose an algorithm showing how the given graph is constructed from a single vertex by splitting and expanding.

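Algorithm 1

$G_0 \leftarrow \{u_0\}$.
For $i \leftarrow 1$ to k do
    $G_i \leftarrow G_{i-1}^{E(u_0; C_i \cup \{u_0\})}$
    $G_i \leftarrow G_i^{S(u_0; A_i^*)}$
where $A_i^* = A_i \cup \{u_0\}$ if $1 \le i < k$, and $A_i^* = A_k$ if $i = k$.
Output the k-weighted graph $G_k$.

Theorem 4.1. The proposed algorithm produces the given k-weighted graph G from a single vertex.

Proof. The edges in $\langle A_i, C_j \rangle$, $j \le i$, are produced by the operation $S(u_0; A_i^*)$ and edges in $\langle C_i, C_j \rangle$, $j < i$, and within the part $C_i$ are all produced by $E(u_0; C_i \cup \{u_0\})$

$$\begin{aligned}
&\sum_{i=1}^{k-1}\left(\binom{c_i+1}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right) + \binom{c_k+1}{2} + c_k\sum_{j=1}^{k-1}c_j + (a_k-1)\sum_{j=1}^{k}c_j \\
&\quad= \sum_{i=1}^{k}\left(\binom{c_i+1}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right) - \sum_{j=1}^{k}c_j \\
&\quad= \sum_{i=1}^{k}\left(\binom{c_i}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right)
\end{aligned}$$

which is exactly the size of the given G. Hence, the proof is completed. □

4.2. Construction (I)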

Before we can describe our first construction, some more notation needs to be introduced. For any l disjoint sets of vertices $V_1, V_2, \ldots, V_l$, we use $K(V_1, V_2, \ldots, V_l)$ to denote the complete multipartite graph with partite sets $V_1, V_2, \ldots$ and $V_l$. Let $G_l$ be the l-weighted graph with vertex set $\left(\bigcup_{i=1}^{l} A_i\right) \cup \left(\bigcup_{i=1}^{l} C_i\right)$, $l \le k$. Define $B_l$, $l \le k$, to be the graph obtained from $G_l$ by removing all edges connecting vertices in $\bigcup_{i=1}^{l} C_i$. Then $B_l$ is a bipartite graph with partite sets $\bigcup_{i=1}^{l} A_i$ and $\bigcup_{i=1}^{l} C_i$. Next, we use $M_{l_1,l_2}$ to denote the complete multipartite graph

$$K\left(C_1, C_2, \ldots, C_{l_1-1}, \{v^{l_1}_1\}, \{v^{l_1}_2\}, \ldots, \{v^{l_1}_{c_{l_1}}\}, \left(\bigcup_{j=l_1+1}^{l_2} C_j\right) \cup \left(\bigcup_{j=l_1}^{l_2} A_j\right)\right),$$

$1 \le l_1 \le l_2 \le k$. In the following lemma, $H_j$ stands for the complete multipartite graph $K(C_1, C_2, \ldots, C_{j-1}, A_{j-1}, A_j)$, $2 \le j \le k$.

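Lemma 4.2. $\Pi_{B_l}$ is a complete multipartite covering of $B_l$ where

$$\Pi_{B_l} = \begin{cases} \{H_{2i}, K(A_{2i}, C_{2i}) \mid i = 1, 2, \ldots, \frac{l}{2}\}, & \text{if } l \text{ is even;} \\ \{K(A_1, C_1), H_{2i+1}, K(A_{2i+1}, C_{2i+1}) \mid i = 1, 2, \ldots, \frac{l-1}{2}\}, & \text{if } l \text{ is odd.} \end{cases}$$

Proof. When l is even, the edges in $\langle A_{2i}, C_j \rangle_{B_l}$ with $j < 2i$ and in $\langle A_{2i-1}, C_j \rangle_{B_l}$ with $j \le 2i-1$ appear in the subgraph $H_{2i}$, for $i = 1, 2, \ldots, \frac{l}{2}$, while the edges in $\langle A_{2i}, C_{2i} \rangle_{B_l}$ appear in the subgraph $K(A_{2i}, C_{2i})$. The edges of $B_l$ are then all used up. For odd l, the argument is similar. □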

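With these notations in mind, we are able to give our complete multipartite covering $\Pi_k$ of $G_k$. Let $\Pi_k$ be obtained recursively by letting $\Pi_1 = \{G_1\}$,

$$\Pi_2 = \left\{K\left(\{v^1_1\}, \{v^1_2\}, \ldots, \{v^1_{c_1}\}, A_1\right), M_{2,2}\right\},$$

$$\Pi_3 = \left\{K\left(\{v^1_1\}, \{v^1_2\}, \ldots, \{v^1_{c_1}\}, A_1\right), K\left(\{v^3_1\}, \ldots, \{v^3_{c_3}\}, A_3\right), M_{2,3}\right\}$$

and, for $k \ge 4$,

$$\Pi_k = \Pi_{B_{\lfloor\frac{k+1}{2}\rfloor}} \cup \left\{M_{\lfloor\frac{k+1}{2}\rfloor+1,\,k}\right\} \cup \Pi_{\lfloor\frac{k}{2}\rfloor-1}$$

where $\Pi_{\lfloor\frac{k}{2}\rfloor-1}$ is the complete multipartite covering of the $\left(\lfloor\frac{k}{2}\rfloor - 1\right)$-weighted subgraph $W\left(a_{\lfloor\frac{k+1}{2}\rfloor+2}, a_{\lfloor\frac{k+1}{2}\rfloor+3}, \ldots, a_k, c_{\lfloor\frac{k+1}{2}\rfloor+2}, c_{\lfloor\frac{k+1}{2}\rfloor+3}, \ldots, c_k\right)$. It is obvious that the edges of $G_k$ which are not in $B_{\lfloor\frac{k+1}{2}\rfloor}$ and $W\left(a_{\lfloor\frac{k+1}{2}\rfloor+2}, \ldots, a_k, c_{\lfloor\frac{k+1}{2}\rfloor+2}, \ldots, c_k\right)$ all lie in $M_{\lfloor\frac{k+1}{2}\rfloor+1,\,k}$. These three subgraphs literally make up the k-weighted graph $G_k$. We have the following lemma.

Lemma 4.3. The collection $\Pi_k$ stated above is a complete multipartite covering of $G_k$.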

Our next goal is to find the sum $m_k$ of the orders of all subgraphs in $\Pi_k$. Due to the complexity of the enumeration, we consider the reduced forms first. We call $G'_k = W(1, \ldots, 1, 1, \ldots, 1)$ the reduced form of a general k-weighted graph $W(a_1, \ldots, a_k, c_1, \ldots, c_k)$. We also let $B'_l$, $M'_{l_1,l_2}$ and $H'_j$ be the graphs defined in the same ways as $B_l$, $M_{l_1,l_2}$ and $H_j$ respectively, except that $a_i$'s and $c_j$'s involved are all set to be one. Then $G'_k$ and $B'_k$ have the complete multipartite coverings $\Pi'_k$ and $\Pi_{B'_k}$ reduced from $\Pi_k$ and $\Pi_{B_k}$ respectively. Note here that $G'_k$ has 2k vertices. By applying suitable splitting and expanding operations mentioned in Section 4.1 to the reduced form $G'_k$ accordingly, one can recover the general k-weighted graph $W(a_1, \ldots, a_k, c_1, \ldots, c_k)$.

For the evaluation of the sum $m'_k$ of the orders of all subgraphs in $\Pi'_k$, we introduce a specially designed binary tree. Note that we have decomposed $G'_k$ into $B'_{\lfloor\frac{k+1}{2}\rfloor}$, $M'_{\lfloor\frac{k+1}{2}\rfloor+1,\,k}$ and $G'_{\lfloor\frac{k}{2}\rfloor-1}$. Since $\lfloor\frac{k+1}{2}\rfloor$ equals $\left(\lfloor\frac{k}{2}\rfloor - 1\right) + 1$ or $\left(\lfloor\frac{k}{2}\rfloor - 1\right) + 2$, $G'_j$ can either go with $B'_{j+1}$ and $M'_{j+2,2j+2}$ to compose $G'_{2j+2}$ or go with $B'_{j+2}$ and $M'_{j+3,2j+3}$ to compose $G'_{2j+3}$. Recursively repeating this process, all $G'_k$'s can be composed from some $B'_l$'s, $M'_{l_1,k}$'s and just $G_1$, $G_2$ and $G_3$. We illustrate this relation by means of a binary tree in Fig. 4.1. In this tree, each path from the root represents the conformation of a k-weighted graph of reduced form in our covering. For example, the leftmost path from the root $G_j$ to $G_{4j+6}$ represents that $G'_{2j+2}$ is composed of $G'_j$, $B'_{j+1}$ and $M'_{j+2,2j+2}$ and then $G'_{4j+6}$ is composed of $G'_{2j+2}$, $B'_{2j+3}$ and $M'_{2j+4,4j+6}$. Hence the path shows how $G'_{4j+6}$ is built up. The $2^x$ paths of length x from the root give the conformations of the $2^x$ k-weighted graphs where k ranges from $(j+2)2^x - 2$ to $(j+3)2^x - 3$, $j = 1, 2, 3$.

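Theorem 4.4. Let $\Gamma = \{A \subseteq P \mid w(A) \ge t\}$ be an access structure represented by a k-weighted graph $G'_k$ of reduced form, $k_1 = (j+2)2^x - 2$ and $k_2 = (j+3)2^x - 3$, $x \ge 1$, $j = 1, 2, 3$. If $k_1 \le k \le k_2$, then there exists a secret-sharing scheme for the access structure $\Gamma$ with average information rate $\tilde{\rho}$ with

$$\frac{24k_2}{k_2^2 + 60k_2 - 84\log_2\left(\frac{k_2+3}{j+3}\right) - 37 - \delta^{(j)}_2} \le \tilde{\rho} \le \frac{24k_1}{k_1^2 + 58k_1 - 60\log_2\left(\frac{k_1+2}{j+2}\right) - 32 - \delta^{(j)}_1}$$

where

$$\left(\delta^{(j)}_1, \delta^{(j)}_2\right) = \begin{cases} (0, 0), & \text{if } j = 1; \\ (28, 24), & \text{if } j = 2; \\ (40, 44), & \text{if } j = 3. \end{cases}$$

Proof. Let $m'_k$ and $m_{B'_l}$ be the sum of orders of all subgraphs in $\Pi'_k$ and $\Pi_{B'_l}$ respectively and $m_{M'_{l_1,l_2}}$ be the order of $M'_{l_1,l_2}$, then $m_{M'_{l_1,l_2}} = 2l_2 - l_1 + 1$. In $\Pi_{B'_l}$, $|V(K(C_i, A_i))| = |V(K_2)| = 2$ and $|V(H'_i)| = i + 1$ for each i. So when l is even,

$$m_{B'_l} = \sum_{i=1}^{l/2}\left(|V(H'_{2i})| + |V(K(C_{2i}, A_{2i}))|\right) = \sum_{i=1}^{l/2}\left((2i+1) + 2\right) = \frac{1}{4}(l^2 + 8l).$$

When l is odd,

$$m_{B'_l} = \sum_{i=1}^{\frac{l-1}{2}}|V(H'_{2i+1})| + \sum_{i=0}^{\frac{l-1}{2}}|V(K(C_{2i+1}, A_{2i+1}))| = \sum_{i=1}^{\frac{l-1}{2}}(2i+2) + \sum_{i=0}^{\frac{l-1}{2}}2 = \frac{1}{4}(l^2 + 8l - 1).$$

(1) First, we consider $G'_{k_1}$ whose composition process is shown by the leftmost path of length x from the root. Adding up the orders of all subgraphs involved, we have

$$\begin{aligned}
m'_{k_1} &= m'_j + \sum_{i=1}^{x} m_{B'_{(j+2)2^{i-1}-1}} + \sum_{i=1}^{x} m_{M'_{(j+2)2^{i-1},\,(j+2)2^i-2}} \\
&= \begin{cases}
m'_j + \frac{1}{4}\left[(j+1)^2 + 8(j+1)\right] + \sum_{i=2}^{x}\frac{1}{4}\left[\left((j+2)2^{i-1}-1\right)^2 + 8\left((j+2)2^{i-1}-1\right) - 1\right] \\
\qquad + \sum_{i=1}^{x}\left[2\left((j+2)2^i-2\right) - (j+2)2^{i-1} + 1\right], & \text{if } j = 1, 3; \\
m'_j + \sum_{i=1}^{x}\frac{1}{4}\left[\left((j+2)2^{i-1}-1\right)^2 + 8\left((j+2)2^{i-1}-1\right) - 1\right] \\
\qquad + \sum_{i=1}^{x}\left[2\left((j+2)2^i-2\right) - (j+2)2^{i-1} + 1\right], & \text{if } j = 2
\end{cases} \\
&= m'_j + \frac{1}{12}\left((j+2)2^x\right)^2 + \frac{9}{2}(j+2)2^x - 5x - \varepsilon^{(j)}_1 \\
&= \frac{1}{12}(k_1+2)^2 + \frac{9}{2}(k_1+2) - 5\log_2\left(\frac{k_1+2}{j+2}\right) - \tilde{\varepsilon}^{(j)}_1 \\
&= \frac{1}{12}\left[k_1^2 + 58k_1 - 60\log_2\left(\frac{k_1+2}{j+2}\right) - 32 - \delta^{(j)}_1\right],
\end{aligned}$$

where

$$\varepsilon^{(j)}_1 = \begin{cases} \frac{j^2+58j+109}{12}, & \text{if } j = 1, 3; \\ \frac{j^2+58j+112}{12}, & \text{if } j = 2 \end{cases}$$

and $\left(\tilde{\varepsilon}^{(1)}_1, \tilde{\varepsilon}^{(2)}_1, \tilde{\varepsilon}^{(3)}_1\right) = \left(12, \frac{43}{3}, \frac{46}{3}\right)$.

In the second last step, we combine the value of $\varepsilon^{(j)}_1$ with $m'_1 = 2$, $m'_2 = 5$ and $m'_3 = 9$ to calculate the value of $\tilde{\varepsilon}^{(j)}_1$. With this covering of $G'_{k_1}$, we are able to construct a secret-sharing scheme with average information rate $\tilde{\rho} = \frac{2k_1}{m'_{k_1}}$.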

(2) We consider $G'_{k_2}$ whose composition process is shown by the rightmost path of length x from the root. Similar to (1), we have

$$\begin{aligned}
m'_{k_2} &= m'_j + \sum_{i=1}^{x} m_{B'_{(j+3)2^{i-1}-1}} + \sum_{i=1}^{x} m_{M'_{(j+3)2^{i-1},\,(j+3)2^i-3}} \\
&= \begin{cases}
m'_j + \sum_{i=1}^{x}\frac{1}{4}\left[\left((j+3)2^{i-1}-1\right)^2 + 8\left((j+3)2^{i-1}-1\right) - 1\right] \\
\qquad + \sum_{i=1}^{x}\left[2\left((j+3)2^i-3\right) - (j+3)2^{i-1} + 1\right], & \text{if } j = 1, 3; \\
m'_j + \frac{1}{4}\left[(j+2)^2 + 8(j+2)\right] + \sum_{i=2}^{x}\frac{1}{4}\left[\left((j+3)2^{i-1}-1\right)^2 + 8\left((j+3)2^{i-1}-1\right) - 1\right] \\
\qquad + \sum_{i=1}^{x}\left[2\left((j+3)2^i-3\right) - (j+3)2^{i-1} + 1\right], & \text{if } j = 2
\end{cases} \\
&= m'_j + \frac{1}{12}\left((j+3)2^x\right)^2 + \frac{9}{2}(j+3)2^x - 7x - \varepsilon^{(j)}_2 \\
&= \frac{1}{12}\left[k_2^2 + 60k_2 - 84\log_2\left(\frac{k_2+3}{j+3}\right) - 37 - \delta^{(j)}_2\right],
\end{aligned}$$

where

$$\varepsilon^{(j)}_2 = \begin{cases} \frac{j^2+60j+171}{12}, & j = 1, 3; \\ \frac{j^2+60j+168}{12}, & j = 2. \end{cases}$$

With this covering of $G'_{k_2}$, we have constructed a secret-sharing scheme with average information rate $\tilde{\rho} = \frac{2k_2}{m'_{k_2}}$. The result then follows.

As a matter of fact, each $m'_k$ can be evaluated in a similar way. The resulting expression only slightly differs from the ones for $m'_{k_1}$ and $m'_{k_2}$ at some nonleading coefficients.

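After dealing with the reduced forms we shall turn back to the model of general forms. We start with introducing notations. Let $Z_l = (1\ 1\ 2\ 1\ 2\ 1\ 2\ 1\ \cdots\ 2\ 1)$, $y_l = \left(\frac{l}{2}+1\ \ \frac{l}{2}\ \ \frac{l}{2}\ \ \frac{l}{2}-1\ \ \frac{l}{2}-1\ \cdots\ 2\ 2\ 1\right)$ and $\mathbf{1}_l = (1\ 1\ \cdots\ 1)$ be three l-dimensional vectors. For $l_1 \le l_2$, let $a(l_1, l_2) = (a_{l_1}\ a_{l_1+1}\ a_{l_1+2}\ \cdots\ a_{l_2})$ and $c(l_1, l_2) = (c_{l_1}\ c_{l_1+1}\ c_{l_1+2}\ \cdots\ c_{l_2})$ where $a_i = |A_i|$ and $c_i = |C_i|$, $i = l_1, l_1+1, \ldots, l_2$.

Lemma 4.5. For $k = 3 \cdot 2^x - 2$ and $x \ge 1$,

$$\begin{aligned}
m_k ={}& \sum_{i=1}^{x-1}\left(Z_{\frac{k+2}{2^i}} + (i-1)\mathbf{1}_{\frac{k+2}{2^i}}\right) \cdot a\left(\frac{(k+2)(2^{i-1}-1)}{2^{i-1}}+1,\ \frac{(k+2)(2^i-1)}{2^i}\right) \\
&+ x\,a_{k-3} + (x+1)a_{k-2} + x\,a_{k-1} + (x+1)a_k \\
&+ \sum_{i=1}^{x-1}\left(y_{\frac{k+2}{2^i}} + (i-1)\mathbf{1}_{\frac{k+2}{2^i}}\right) \cdot c\left(\frac{(k+2)(2^{i-1}-1)}{2^{i-1}}+1,\ \frac{(k+2)(2^i-1)}{2^i}\right) \\
&+ (x+1)c_{k-3} + (x+1)c_{k-2} + x\,c_{k-1} + (x+1)c_k.
\end{aligned}$$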

Proof. Recall that the expression for $m_k$ depends on all $a_i$'s and $c_i$'s, each of whose coefficients represents the occurrence of the vertices of that part in the covering $\Pi_k$.

(1) First, let us examine the occurrence of vertices of $B_l$, whose partite sets are $\bigcup_{i=1}^{l} A_i$ and $\bigcup_{i=1}^{l} C_i$, in its covering $\Pi_{B_l}$. For odd l, by Lemma 4.2, one can easily see that the vertices in $A_1$ have occurrence 1 (only in $K(A_1, C_1)$), the vertices in $A_{2j}$, $j = 1, \ldots, \frac{l-1}{2}$, also have occurrence 1 (only in $H_{2j+1}$) and the vertices in $A_{2j+1}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence 2 (in $H_{2j+1}$ and $K(A_{2j+1}, C_{2j+1})$). Hence, the occurrences of the vertices in $A_1, A_2, \ldots, A_l$ are exactly the first l coordinates in $Z_{l+1}$. Similarly, the vertices in $C_1$ have occurrence $\frac{l+1}{2}$ (in $K(A_1, C_1)$ and $H_{2i+1}$'s, $i = 1, \ldots, \frac{l-1}{2}$), the vertices in $C_{2j}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence $\frac{l-1}{2} - j + 1$ (in $H_{2i+1}$'s, $i \ge j$) and the vertices in $C_{2j+1}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence $\frac{l-1}{2} - j + 1$ (in $H_{2i+1}$'s, $i \ge j+1$ and $K(A_{2j+1}, C_{2j+1})$). Hence, the occurrences of the vertices in $C_1, C_2, \ldots, C_l$ are exactly the first l coordinates in $y_{l+1} - \mathbf{1}_{l+1}$.

(2) Let us consider the value of $m_k$ now. We prove the result by induction on x. When $x = 1$, $m_4 = a_1 + 2a_2 + a_3 + 2a_4 + 2c_1 + 2c_2 + c_3 + 2c_4$ by direct counting the occurrences of vertices in $\Pi_4$. So, the result holds when $x = 1$. Next, for $k = 3 \cdot 2^{x+1} - 2$, $G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ is composed of $B_{3 \cdot 2^x - 1}$, $M_{3 \cdot 2^x,\ 3 \cdot 2^{x+1} - 2}$ and $G_{3 \cdot 2^x - 2}$. For convenience, denote $M_{3 \cdot 2^x,\ 3 \cdot 2^{x+1} - 2}$ by M for now. Observe that the vertices in $A_i$, $1 \le i \le 3 \cdot 2^x - 1$, have the same occurrences in $\Pi_k$ as they do in the covering $\Pi_{B_{3 \cdot 2^x - 1}}$ because they do not lie in M and $G_{3 \cdot 2^x - 2}$, while the vertices

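Notice that the vertices in $A_{3 \cdot 2^x}$ and $C_{3 \cdot 2^x}$ only occur once in $\Pi_k$. Besides, the vertices in $A_i$'s and $C_i$'s, $i = 3 \cdot 2^x + 1, \ldots, k$, also gain one more occurrence in $\Pi_k$ than they do in the covering $\Pi_{3 \cdot 2^x - 2}$ of $G_{3 \cdot 2^x - 2}$. Therefore, by (1) and the induction hypothesis,

$$\begin{aligned}
m_{3 \cdot 2^{x+1}-2} ={}& Z_{3 \cdot 2^x} \cdot a(1, 3 \cdot 2^x) + \left(y_{3 \cdot 2^x} - \mathbf{1}_{3 \cdot 2^x}\right) \cdot c(1, 3 \cdot 2^x) + \mathbf{1}_{3 \cdot 2^x} \cdot c(1, 3 \cdot 2^x) \\
&+ \sum_{i=1}^{x-1}\left(Z_{\frac{3 \cdot 2^x}{2^i}} + (i-1)\mathbf{1}_{\frac{3 \cdot 2^x}{2^i}} + \mathbf{1}_{\frac{3 \cdot 2^x}{2^i}}\right) \cdot a\left(\frac{3 \cdot 2^x(2^{i-1}-1)}{2^{i-1}} + 1 + 3 \cdot 2^x,\ \frac{3 \cdot 2^x(2^i-1)}{2^i} + 3 \cdot 2^x\right) \\
&+ (x+1)a_{3 \cdot 2^x-5+3 \cdot 2^x} + (x+2)a_{3 \cdot 2^x-4+3 \cdot 2^x} + (x+1)a_{3 \cdot 2^x-3+3 \cdot 2^x} + (x+2)a_{3 \cdot 2^x-2+3 \cdot 2^x} \\
&+ \sum_{i=1}^{x-1}\left(y_{\frac{3 \cdot 2^x}{2^i}} + (i-1)\mathbf{1}_{\frac{3 \cdot 2^x}{2^i}} + \mathbf{1}_{\frac{3 \cdot 2^x}{2^i}}\right) \cdot c\left(\frac{3 \cdot 2^x(2^{i-1}-1)}{2^{i-1}} + 1 + 3 \cdot 2^x,\ \frac{3 \cdot 2^x(2^i-1)}{2^i} + 3 \cdot 2^x\right) \\
&+ (x+2)c_{3 \cdot 2^x-5+3 \cdot 2^x} + (x+2)c_{3 \cdot 2^x-4+3 \cdot 2^x} + (x+1)c_{3 \cdot 2^x-3+3 \cdot 2^x} + (x+2)c_{3 \cdot 2^x-2+3 \cdot 2^x} \\
={}& Z_{\frac{3 \cdot 2^{x+1}}{2}} \cdot a\left(1, \frac{3 \cdot 2^{x+1}}{2}\right) + y_{\frac{3 \cdot 2^{x+1}}{2}} \cdot c\left(1, \frac{3 \cdot 2^{x+1}}{2}\right) \\
&+ \sum_{i=1}^{x-1}\left(Z_{\frac{3 \cdot 2^{x+1}}{2^{i+1}}} + ((i+1)-1)\mathbf{1}_{\frac{3 \cdot 2^{x+1}}{2^{i+1}}}\right) \cdot a\left(\frac{3 \cdot 2^{x+1}(2^i-1)}{2^i} + 1,\ \frac{3 \cdot 2^{x+1}(2^{i+1}-1)}{2^{i+1}}\right) \\
&+ (x+1)a_{(3 \cdot 2^{x+1}-2)-3} + (x+2)a_{(3 \cdot 2^{x+1}-2)-2} + (x+1)a_{(3 \cdot 2^{x+1}-2)-1} + (x+2)a_{(3 \cdot 2^{x+1}-2)} \\
&+ \sum_{i=1}^{x-1}\left(y_{\frac{3 \cdot 2^{x+1}}{2^{i+1}}} + ((i+1)-1)\mathbf{1}_{\frac{3 \cdot 2^{x+1}}{2^{i+1}}}\right) \cdot c\left(\frac{3 \cdot 2^{x+1}(2^i-1)}{2^i} + 1,\ \frac{3 \cdot 2^{x+1}(2^{i+1}-1)}{2^{i+1}}\right) \\
&+ (x+2)c_{(3 \cdot 2^{x+1}-2)-3} + (x+2)c_{(3 \cdot 2^{x+1}-2)-2} + (x+1)c_{(3 \cdot 2^{x+1}-2)-1} + (x+2)c_{(3 \cdot 2^{x+1}-2)} \\
={}& \sum_{i=1}^{x}\left(Z_{\frac{k+2}{2^i}} + (i-1)\mathbf{1}_{\frac{k+2}{2^i}}\right) \cdot a\left(\frac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \frac{(k+2)(2^i-1)}{2^i}\right) \\
&+ (x+1)a_{k-3} + (x+2)a_{k-2} + (x+1)a_{k-1} + (x+2)a_k \\
&+ \sum_{i=1}^{x}\left(y_{\frac{k+2}{2^i}} + (i-1)\mathbf{1}_{\frac{k+2}{2^i}}\right) \cdot c\left(\frac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \frac{(k+2)(2^i-1)}{2^i}\right) \\
&+ (x+2)c_{k-3} + (x+2)c_{k-2} + (x+1)c_{k-1} + (x+2)c_k. \qquad\square
\end{aligned}$$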

This lemma presents a sophisticated expression for $m_k$ in terms of $a_i$'s and $c_i$'s. In what follows, we give the conditions on the values of $a_i$'s and $c_i$'s under which $m_k$ attains its minimum value when $n = \sum_{i=1}^{k}(a_i + c_i)$ is fixed. Thereby, the highest possible average information rate via this covering is obtained.

Theorem 4.6. Let $\Gamma$ be a weighted threshold access structure represented by a k-weighted graph $G = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ of order n and $k = 3 \cdot 2^x - 2$. If $c_i = 1$ for all $i \ne \frac{k}{2} + 1$ and $a_i = 1$ for all $i \notin T = \{1, 2, 4, 6, \ldots, \frac{k}{2} + 1\}$, then

$$\tilde{\rho}(G) \ge \frac{12n}{12n + k^2 + 34k - 60\log_2\left(\frac{k+2}{3}\right) - 32}.$$

Proof. Observe that only $c_{\frac{k}{2}+1}$ and $a_i$, $i \in T$, have coefficient equal to one in the expression for $m_k$ in Lemma 4.5. So $m_k$ is minimized if $c_i = 1$ for all $i \ne \frac{k}{2} + 1$ and $a_i = 1$ for all $i \notin T$ since this expression for $m_k$ is linear. This case is similar to the reduced form. So, we make an adjustment in the expression for $m'_{k_1}$ (with $j = 1$) in the proof of Theorem 4.4 to derive what we need here. The sum $m_k$ of orders of subgraphs in this covering is $m'_{k_1} + \sum_{i \in T} a_i + c_{\frac{k}{2}+1} - (|T| + 1)$. Note that

$$n = \sum_{i=1}^{k}(a_i + c_i) = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + \sum_{i \notin T} a_i + \sum_{i \ne \frac{k}{2}+1} c_i = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + (k - |T|) + (k - 1) = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + 2k - (|T| + 1).$$

Therefore, in this case

$$m_k = \frac{1}{12}\left[k^2 + 58k - 60\log_2\left(\frac{k+2}{3}\right) - 32\right] + n - 2k = \frac{1}{12}\left[12n + k^2 + 34k - 60\log_2\left(\frac{k+2}{3}\right) - 32\right].$$

The average information rate of the secret-sharing scheme constructed with this covering attains its maximum value $\frac{n}{m_k}$ and the proof is completed. □

Our result appears to be quite good if k is relatively small compared with n. In fact, for fixed k, the rate given in Theorem 4.6 asymptotically approaches "1" which is the optimal value for the rate.

5. Construction (II)

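Our second construction is similar to the first, while it performs better than Construction I when $k \ge 31$. The major

$G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ recursively as follows. $\tilde{\Pi}_i = \Pi_i$, $i = 1, 2, 3$. For $k \ge 4$,

$$\tilde{\Pi}_k = \tilde{\Pi}_{\lfloor\frac{k-1}{2}\rfloor} \cup \left\{M_{\lfloor\frac{k-1}{2}\rfloor+1,\,k}\right\} \cup \tilde{\Pi}_{\lfloor\frac{k}{2}\rfloor}$$

where the $\tilde{\Pi}_{\lfloor\frac{k}{2}\rfloor}$ is the complete multipartite covering of the $\lfloor\frac{k}{2}\rfloor$-weighted subgraph $W = W\left(a_{\lfloor\frac{k-1}{2}\rfloor+2}, a_{\lfloor\frac{k-1}{2}\rfloor+3}, \ldots, a_k, c_{\lfloor\frac{k-1}{2}\rfloor+2}, c_{\lfloor\frac{k-1}{2}\rfloor+3}, \ldots, c_k\right)$. It is obvious that the edges not in the subgraphs $W\left(a_1, \ldots, a_{\lfloor\frac{k-1}{2}\rfloor}, c_1, \ldots, c_{\lfloor\frac{k-1}{2}\rfloor}\right)$ and W all lie in $M_{\lfloor\frac{k-1}{2}\rfloor+1,\,k}$. So, $\tilde{\Pi}_k$ is a complete multipartite covering of $G_k$.

Lemma 5.1. The collection $\tilde{\Pi}_k$ is a complete multipartite covering of $G_k$.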
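The recursion for Construction (II) is short enough to execute. The Python sketch below is an added example, not the authors' code: it builds $W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ from the edge set of Theorem 3.1, generates the covering with the base cases $\Pi_1, \Pi_2, \Pi_3$ and $M_{l_1,l_2}$ as defined in Section 4.2, checks that every member is a subgraph and that every edge is covered, and evaluates the two rates of Theorem 2.5. Vertex labels and function names are assumptions made for the illustration.

```python
from collections import Counter
from fractions import Fraction
from itertools import combinations

def build_parts(a, c):
    """Label the vertices of W(a_1..a_k, c_1..c_k): A[i] = A_i, C[i] = C_i."""
    k = len(a)
    A = {i: [f"u{i}_{s}" for s in range(1, a[i - 1] + 1)] for i in range(1, k + 1)}
    C = {i: [f"v{i}_{s}" for s in range(1, c[i - 1] + 1)] for i in range(1, k + 1)}
    return A, C

def graph_edges(A, C):
    """Theorem 3.1: a clique on all C_i, plus every pair C_i x A_j with i <= j."""
    k = len(A)
    clique = [v for i in range(1, k + 1) for v in C[i]]
    E = {frozenset(e) for e in combinations(clique, 2)}
    for j in range(1, k + 1):
        for i in range(1, j + 1):
            E |= {frozenset((v, u)) for v in C[i] for u in A[j]}
    return E

def star(A, C, i):
    """K({v^i_1}, ..., {v^i_{c_i}}, A_i), returned as a list of partite sets."""
    return [[v] for v in C[i]] + [list(A[i])]

def M(A, C, idx, l1, l2):
    """M_{l1,l2} on the parts idx[0], idx[1], ... (l1, l2 are 1-based positions)."""
    part = lambda p: idx[p - 1]
    sets = [list(C[part(p)]) for p in range(1, l1)]
    sets += [[v] for v in C[part(l1)]]
    big = [v for p in range(l1 + 1, l2 + 1) for v in C[part(p)]]
    big += [u for p in range(l1, l2 + 1) for u in A[part(p)]]
    return sets + [big]

def covering(A, C, idx):
    """Construction (II) covering of the subgraph on the parts listed in idx."""
    k = len(idx)
    if k == 1:
        return [star(A, C, idx[0])]
    if k == 2:
        return [star(A, C, idx[0]), M(A, C, idx, 2, 2)]
    if k == 3:
        return [star(A, C, idx[0]), star(A, C, idx[2]), M(A, C, idx, 2, 3)]
    h = (k - 1) // 2
    return covering(A, C, idx[:h]) + [M(A, C, idx, h + 1, k)] + covering(A, C, idx[h + 1:])

def multipartite_edges(sets):
    """All pairs of vertices taken from two different partite sets."""
    return {frozenset((x, y)) for P, Q in combinations(sets, 2) for x in P for y in Q}

def analyse(a, c):
    """Verify the covering and return n, the sum of orders, and both rates."""
    A, C = build_parts(a, c)
    E = graph_edges(A, C)
    cov = covering(A, C, list(range(1, len(a) + 1)))
    covered = set()
    for sets in cov:
        sub = multipartite_edges(sets)
        if not sub <= E:
            raise ValueError("covering member is not a subgraph of G")
        covered |= sub
    if covered != E:
        raise ValueError("some edge of G is not covered")
    occurrences = Counter(v for sets in cov for P in sets for v in P)   # R_i
    n, order_sum = sum(a) + sum(c), sum(occurrences.values())
    return {"n": n, "order_sum": order_sum,
            "rho": Fraction(1, max(occurrences.values())),
            "avg_rho": Fraction(n, order_sum)}

def reduced_order_sum(k):
    """Sum of orders for the reduced form W(1, ..., 1, 1, ..., 1)."""
    return analyse([1] * k, [1] * k)["order_sum"]

if __name__ == "__main__":
    print([reduced_order_sum(k) for k in range(1, 12)])
    print(analyse([1, 2, 1, 3, 2], [2, 1, 2, 1, 1]))   # constructed sample sizes
```
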

In order to evaluate the sum $\tilde{m}_k$ of the orders of all subgraphs in $\tilde{\Pi}_k$, we consider the reduced form first. Let $\tilde{\Pi}'_k$ and $\tilde{m}'_k$ be the reduced version of $\tilde{\Pi}_k$ and $\tilde{m}_k$ respectively. In the covering $\tilde{\Pi}'_k$, we decompose $G'_k$ into $G'_{\lfloor\frac{k-1}{2}\rfloor}$, $M'_{\lfloor\frac{k-1}{2}\rfloor+1,\,k}$ and $G'_{\lfloor\frac{k}{2}\rfloor}$. Since $\lfloor\frac{k-1}{2}\rfloor$ equals $\lfloor\frac{k}{2}\rfloor - 1$ or $\lfloor\frac{k}{2}\rfloor$, $G'_j$ can either go with $G'_{j-1}$ and $M'_{j,2j}$ to compose $G'_{2j}$ or go with $G'_j$ and $M'_{j+1,2j+1}$ to compose $G'_{2j+1}$. Recursively, all $G'_k$'s can be obtained by using this process repeatedly from $G_1$, $G_2$, $G_3$ and some $M'_{i,k}$'s. As we have done in Section 4, this relation is depicted by a binary tree in Fig. 5.1. The $2^x$ paths of length x from the root give the conformations of $2^x$ k-weighted graphs where $2^{x+1} \le k \le 3 \cdot 2^x - 1$ or $3 \cdot 2^x \le k \le 2^{x+2} - 1$.

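Theorem 5.2. Let $\Gamma$ be a weighted threshold access structure represented by a k-weighted graph $G'_k$ of reduced form, $k_1 = j \cdot 2^x$ and $k_2 = (j+1) \cdot 2^x - 1$, $x \ge 0$, $j = 2, 3$. If $k_1 \le k \le k_2$, then there exists a secret-sharing scheme for the access structure $\Gamma$ with average information rate $\tilde{\rho}$ with

$$\frac{2k_2}{\frac{3}{2}(k_2+1)\log_2(k_2+1) + \delta^{(j)}(k_2+1) + 1} \le \tilde{\rho} \le \frac{2k_1}{\left(\frac{3}{2}k_1 + 2\right)\log_2 k_1 + \delta^{(j)}_1 k_1 + \delta^{(j)}_0}$$

where

$$\left(\delta^{(j)}, \delta^{(j)}_1, \delta^{(j)}_0\right) = \begin{cases} \left(\frac{4}{3} - \frac{3}{2}\log_2 3,\ -1,\ 2\right), & \text{if } j = 2; \\ \left(-1,\ \frac{4}{3} - \frac{3}{2}\log_2 3,\ 5 - 2\log_2 3\right), & \text{if } j = 3. \end{cases}$$

Proof. Recall that $M'_{l_1,l_2}$ has order $m_{M'_{l_1,l_2}} = 2l_2 - l_1 + 1$, $\tilde{m}'_i = m'_i$, $i = 1, 2, 3$. $m'_1 = 2$, $m'_2 = 5$, and $m'_3 = 9$.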

(1) First, we consider G0k2. For each l = 2

i(j + 1)  1, G

lis composed of two Gl1

2’s and one Mlþ12;l. So ~m

0

kcan be evaluated

recur-sively as follows. ~ m0 k2¼ 2 ~m 0 2x1ðjþ1Þ1þ 3  2 x1 ðj þ 1Þ  1 ¼ 2xm0 j þ Xx i¼1 ð2i1ð3  2xiðj þ 1Þ  1ÞÞ ¼ 2x m0j þ 3x  2 x1 ðj þ 1Þ  ð2x 1Þ ¼ 3 k2þ 1 2 log2 k2þ 1 j þ 1   þm 0 j  1 j þ 1  ðk2þ 1Þ þ 1 ¼ 3 2ðk2þ 1Þlog2ðk2þ 1Þ þ m0 j  1 j þ 1  3 2log2ðj þ 1Þ ! ðk2þ 1Þ þ 1 ¼3 2ðk2þ 1Þlog2ðk2þ 1Þ þ dðjÞðk2þ 1Þ þ 1:

Hence, the secret-sharing scheme constructed with eP0

k2has average information rate ~

q

2k2

~ m0

k2

. Fig. 5.1. The binary tree for Construction (II).


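(2) The composition process of $G'_{k_1}$ is shown on the leftmost path of length $x$ from the root. Adding up the orders of all subgraphs involved, we have $\tilde{m}'_{k_1} = \tilde{m}'_j + \tilde{m}'_{j-1} + \sum_{i=1}^{x-1}\tilde{m}'_{2^i j - 1} + \sum_{i=1}^{x} m_{M'_{2^{i-1}j,\,2^i j}}$. Making use of the equation $\tilde{m}'_{2^x(j+1)-1} = 2^x m'_j + 3x \cdot 2^{x-1}(j+1) - (2^x - 1)$ from the derivation in (1), we can continue to evaluate $\tilde{m}'_{k_1}$ according to the value of $j$ as follows.

(i) If $j = 3$,

$$\begin{aligned}
\tilde{m}'_{3 \cdot 2^x} &= m'_j + m'_{j-1} + \sum_{i=1}^{x-1}\left[2^i m'_{j-1} + 3 \cdot i \cdot 2^{i-1} j - (2^i - 1)\right] + \sum_{i=1}^{x}\left(3 \cdot 2^{i-1} j + 1\right) \\
&= m'_3 + m'_2 + m'_2(2^x - 2) + 9\left((x-2)2^{x-1} + 1\right) - (2^x - 1 - x) + 9(2^x - 1) + x \\
&= 9x2^{x-1} + 4 \cdot 2^x + 2x + 5 \\
&= \frac{3}{2}k_1\log_2 k_1 + \left(\frac{4}{3} - \frac{3}{2}\log_2 3\right)k_1 + 2\log_2 k_1 + (5 - 2\log_2 3).
\end{aligned}$$

(ii) If $j = 2$,

$$\begin{aligned}
\tilde{m}'_{2^{x+1}} &= m'_j + m'_{j-1} + \sum_{i=1}^{x-1}\left[2^{i-1} m'_3 + 3(i-1)2^{i-2} \cdot 4 - (2^{i-1} - 1)\right] + \sum_{i=1}^{x}\left(3 \cdot 2^{i-1} j + 1\right) \\
&= 3x \cdot 2^x + 2^x + 2x + 4 \\
&= \frac{3}{2}k_1\log_2 k_1 - k_1 + 2\log_2 k_1 + 2.
\end{aligned}$$

Hence $\tilde{m}'_{k_1} = \left(\frac{3}{2}k_1 + 2\right)\log_2 k_1 + \delta_1^{(j)} k_1 + \delta_0^{(j)}$ and we have a secret-sharing scheme with average information rate $\tilde{\rho}_1 = \frac{2k_1}{\tilde{m}'_{k_1}}$. The result follows immediately. □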
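The recursion behind Theorem 5.2 can be checked numerically. The following Python sketch is an added example, not part of the paper: it evaluates the reduced-form order sum by the decomposition of $G'_k$ into $G'_{\lfloor (k-1)/2 \rfloor}$, $M'_{\lfloor (k-1)/2 \rfloor+1,k}$ and $G'_{\lfloor k/2 \rfloor}$, and compares it with the closed forms at $k_1$ and $k_2$. The function names are chosen here for illustration.

```python
from functools import lru_cache
from math import log2

BASE = {1: 2, 2: 5, 3: 9}  # m'_1, m'_2, m'_3 as recalled in the proof
L3 = log2(3)
# (delta^(j), delta_1^(j), delta_0^(j)) as given in Theorem 5.2
DELTA = {2: (4/3 - 1.5*L3, -1.0, 2.0),
         3: (-1.0, 4/3 - 1.5*L3, 5 - 2*L3)}

def order_M(l1, l2):
    """Order of M'_{l1,l2} in the reduced form: 2*l2 - l1 + 1."""
    return 2*l2 - l1 + 1

@lru_cache(maxsize=None)
def m_reduced(k):
    """Sum of the orders of all subgraphs in the covering of G'_k."""
    if k in BASE:
        return BASE[k]
    lo, hi = (k - 1)//2, k//2
    return m_reduced(lo) + order_M(lo + 1, k) + m_reduced(hi)

def closed_k2(j, x):
    """Closed form of the order sum at k2 = (j+1)*2^x - 1."""
    k2 = (j + 1)*2**x - 1
    return 1.5*(k2 + 1)*log2(k2 + 1) + DELTA[j][0]*(k2 + 1) + 1

def closed_k1(j, x):
    """Closed form of the order sum at k1 = j*2^x."""
    k1 = j*2**x
    _, d1, d0 = DELTA[j]
    return (1.5*k1 + 2)*log2(k1) + d1*k1 + d0

def rate(k):
    """Average information rate 2k / m'_k of the reduced-form scheme."""
    return 2*k / m_reduced(k)

def max_closed_form_error(max_x=10):
    """Largest gap between the recursion and the closed forms at k1 and k2."""
    err = 0.0
    for j in (2, 3):
        for x in range(max_x + 1):
            err = max(err, abs(m_reduced(j*2**x) - closed_k1(j, x)),
                      abs(m_reduced((j + 1)*2**x - 1) - closed_k2(j, x)))
    return err

if __name__ == "__main__":
    for k in (4, 7, 12, 23, 48, 95):
        print(k, m_reduced(k), round(rate(k), 4))
    print("max closed-form error:", max_closed_form_error())
```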

Next, we give the expression for $\tilde{m}_k$ for a $k$-weighted graph of general form.

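Lemma 5.3. Let $k = 2^x(j+1) - 1$, $x \ge 0$, $j = 2, 3$. If $\tilde{m}_k = \sum_{i=1}^{k}\alpha^x_{j,i}a_i + \sum_{i=1}^{k}\beta^x_{j,i}c_i$ is the sum of the orders of all subgraphs in the covering $\widetilde{P}_k$ of a $k$-weighted graph $G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$, then the values of $\alpha^x_{j,i}$'s and $\beta^x_{j,i}$'s can be obtained by the recursive relations $\alpha^x_{j,i} = \alpha^x_{j,\frac{k+1}{2}+i} - 1 = \alpha^{x-1}_{j,i}$, $\beta^x_{j,i} = \beta^x_{j,\frac{k+1}{2}+i} = \beta^{x-1}_{j,i} + 1$ and $\alpha^x_{j,\frac{k+1}{2}} = \beta^x_{j,\frac{k+1}{2}} = 1$, $1 \le i \le \frac{k-1}{2}$, with initial values $\alpha^0_{j,1} = \alpha^0_{j,2} = \beta^0_{j,2} = 1$ and $\beta^0_{j,1} = \alpha^0_{3,3} = \beta^0_{3,3} = 2$.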

Proof. We prove this result by induction on $x$. When $x = 0$, $k = j$, the occurrences of the vertices in $A_i$'s and $C_i$'s in $\widetilde{P}_j$ are exactly the initial values $\alpha^0_{j,i}$'s and $\beta^0_{j,i}$'s respectively. For $x > 0$, recall that $G_k$ is composed of $W_1 = W(a_1, \ldots, a_{2^{x-1}(j+1)-1}, c_1, \ldots, c_{2^{x-1}(j+1)-1})$, $W_2 = W(a_{2^{x-1}(j+1)+1}, \ldots, a_k, c_{2^{x-1}(j+1)+1}, \ldots, c_k)$ and $M = M_{2^{x-1}(j+1),\,2^x(j+1)-1}$. Each vertex in $A_i$, $1 \le i \le \frac{k-1}{2} = 2^{x-1}(j+1) - 1$, has the same occurrence in $\widetilde{P}_k$ as it does in the covering of $W_1$ since it does not occur in either $W_2$ or $M$. So, $\alpha^x_{j,i} = \alpha^{x-1}_{j,i}$. However, each vertex in $C_i$, $1 \le i \le \frac{k-1}{2}$, gains one more occurrence in $\widetilde{P}_k$ than it does in the covering of $W_1$ because it also occurs in $M$. This is also true for vertices in $A_i$ and $C_i$, $\frac{k+1}{2} + 1 = 2^{x-1}(j+1) + 1 \le i \le k$, because all of them occur in graph $M$. Hence, we also have $\beta^x_{j,i} = \beta^{x-1}_{j,i} + 1$, $\alpha^x_{j,\frac{k+1}{2}+i} = \alpha^{x-1}_{j,i} + 1$ and $\beta^x_{j,\frac{k+1}{2}+i} = \beta^{x-1}_{j,i} + 1$ for $1 \le i \le \frac{k-1}{2}$. Besides, the vertices in $A_{\frac{k+1}{2}}$ and $C_{\frac{k+1}{2}}$ have occurrence one because they only appear in $M$. Hence, $\alpha^x_{j,\frac{k+1}{2}} = \beta^x_{j,\frac{k+1}{2}} = 1$. This proves that the coefficients $\alpha^x_{j,i}$'s and $\beta^x_{j,i}$'s satisfy the given recursive relations. □

Now, we consider the case when $n = \sum_{i=1}^{k}(a_i + c_i)$ is fixed. By evaluating the minimum value of $\tilde{m}_k$, we obtain the highest possible average information rate of a secret-sharing scheme constructed with this covering.

Theorem 5.4. Let $\Gamma$ be a weighted threshold access structure represented by a $k$-weighted graph $G = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ of order $n$ and $k = (j+1)2^x - 1$. If $c_i = 1$ for all $i \ne \frac{k+1}{2}$ and $a_i = 1$ for all $i \notin T = \{1, 2\} \cup \{(j+1)2^i \mid i = 0, 1, \ldots, x-1\}$, then

$$\tilde{\rho}(G) \ge \frac{n}{n + \frac{3}{2}(k+1)\log_2(k+1) + (\delta^{(j)} - 2)k + (\delta^{(j)} + 1)}$$

where $\delta^{(j)}$ is given in Theorem 5.2.

Proof. The argument is similar to the proof of Theorem 4.6. From the relations given in Lemma 5.3, among all the coefficients of $a_i$'s and $c_i$'s, only $\alpha^x_{j,i}$, $i \in T$, and $\beta^x_{j,\frac{k+1}{2}}$ are equal to one. So $\tilde{m}_k$ is minimized if $a_i = 1$ for all $i \notin T$ and $c_i = 1$ for all $i \ne \frac{k+1}{2}$. We modify the expression for $\tilde{m}'_{k_2}$ in the proof of Theorem 5.2 to meet what we need here. In this case, $\tilde{m}_k = \tilde{m}'_{k_2} + \sum_{i \in T} a_i + c_{\frac{k+1}{2}} - (|T| + 1) = \tilde{m}'_k + n - 2k = n + \frac{3}{2}(k+1)\log_2(k+1) + (\delta^{(j)} - 2)k + (\delta^{(j)} + 1)$. The secret-sharing scheme for this access structure has average information rate $\frac{n}{\tilde{m}_k}$.
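To see Lemma 5.3 and Theorem 5.4 at work, the following Python sketch (an added example, not the authors' code) builds the coefficient vectors $\alpha^x_{j,i}$, $\beta^x_{j,i}$ from the recursive relations, recovers the set $T$ of weight positions with coefficient one, and compares the order sum for a weight assignment that puts extra weight only on those positions with one that does not. The weights in `demo` are constructed for illustration and all function names are assumptions of this example.

```python
from math import log2

def coefficients(j, x):
    """alpha, beta lists (position i-1) for k = 2^x (j+1) - 1 via Lemma 5.3."""
    if x == 0:  # initial values stated in the lemma
        return ([1, 1], [2, 1]) if j == 2 else ([1, 1, 2], [2, 1, 2])
    a, b = coefficients(j, x - 1)
    alpha = a + [1] + [v + 1 for v in a]                  # W1 | middle | W2
    beta = [v + 1 for v in b] + [1] + [v + 1 for v in b]
    return alpha, beta

def order_sum(j, x, a, c):
    """Sum of the orders of all subgraphs in the covering for weights a_i, c_i."""
    alpha, beta = coefficients(j, x)
    assert len(a) == len(c) == len(alpha)
    return sum(p*w for p, w in zip(alpha, a)) + sum(q*w for q, w in zip(beta, c))

def cheap_positions(j, x):
    """1-based indices whose alpha (resp. beta) coefficient equals one."""
    alpha, beta = coefficients(j, x)
    T = {i + 1 for i, v in enumerate(alpha) if v == 1}
    mid = {i + 1 for i, v in enumerate(beta) if v == 1}
    return T, mid

def thm54_order_sum(j, k, n):
    """Closed form of the order sum used in Theorem 5.4."""
    d = 4/3 - 1.5*log2(3) if j == 2 else -1.0
    return n + 1.5*(k + 1)*log2(k + 1) + (d - 2)*k + (d + 1)

def demo():
    j, x = 2, 2                      # k = 11
    k = 2**x*(j + 1) - 1
    a, c = [1]*k, [1]*k
    a[0], a[5], c[5] = 5, 7, 4       # constructed weights: extra only on T and c_6
    n = sum(a) + sum(c)
    good = order_sum(j, x, a, c)
    a_bad = [1]*k
    a_bad[10], a_bad[9] = 5, 7       # same n, extra weight moved off T
    bad = order_sum(j, x, a_bad, c)
    return n, good, bad, thm54_order_sum(j, k, n)

if __name__ == "__main__":
    n, good, bad, closed = demo()
    print(n, good, bad, round(closed, 6), "rates:", n/good, n/bad)
```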


This result is also very good when $k$ is relatively small compared with $n$. The rate also approaches "1" asymptotically when $k$ is fixed. After analyzing the average information rates produced from each of our constructions separately, we shall give a comparison of them in Section 6. For a fair comparison, we consider the same class of $k$-weighted graphs where $k = 3 \cdot 2^x - 2$. We present the highest possible average information rate for this class as follows.

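Theorem 5.5. Let $\Gamma$ be a weighted threshold access structure represented by a $k$-weighted graph $G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ of order $n$ and $k = 3 \cdot 2^x - 2$. If $c_i = 1$ for all $i \ne \frac{k}{2}$ and $a_i = 1$ for all $i \notin T = \{1\} \cup \{3 \cdot 2^i - 1 \mid i = 0, 1, \ldots, x-1\}$, then

$$\tilde{\rho}(G_k) \ge \frac{n}{n + \left(\frac{3}{2}k + 2\right)\log_2(k+2) - \left(\frac{2}{3} + \frac{3}{2}\log_2 3\right)k + \frac{2}{3} - 2\log_2 3}.$$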

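Proof. Suppose $\left(\bigcup_{i=1}^{k} A_i\right) \cup \left(\bigcup_{i=1}^{k} C_i\right)$ is the vertex set of $G_k$ where $|A_i| = a_i$ and $|C_i| = c_i$, $i = 1, 2, \ldots, k$. Denote $\{u\}$ by $A_0$ and $\{v\}$ by $C_0$. Let $\left(\bigcup_{i=0}^{k} A_i\right) \cup \left(\bigcup_{i=0}^{k} C_i\right)$ be the vertex set of the $(k+1)$-weighted graph $G_{k+1} = W(|A_0|, a_1, \ldots, a_k, |C_0|, c_1, \ldots, c_k)$ of order $n + 2$ where $k + 1 = 3 \cdot 2^x - 1$. Then $G_{k+1}$ satisfies the criteria in Theorem 5.4, and the sum $\tilde{m}_{k+1}$ of the orders of all subgraphs in its covering $\widetilde{P}_{k+1}$ is $n + 2 + \frac{3}{2}(k+2)\log_2(k+2) + (\delta^{(2)} - 2)(k+1) + \delta^{(2)} + 1$. Now, observe that $G_k = G_{k+1} - (A_0 \cup C_0)$ and the collection of subgraphs obtained from $\widetilde{P}_{k+1}$ by deleting $u$ and $v$ from each subgraph in $\widetilde{P}_{k+1}$ is exactly the complete multipartite covering $\widetilde{P}_k$ of $G_k$, since $G_{k+1}$ is composed of $W(|A_0|, a_1, \ldots, a_{\frac{k}{2}-1}, |C_0|, c_1, \ldots, c_{\frac{k}{2}-1})$, $M_{\frac{k}{2}+1,\,k+1}$ (in $G_{k+1}$) and $W(a_{\frac{k}{2}+1}, \ldots, a_k, c_{\frac{k}{2}+1}, \ldots, c_k)$, and $G_k$ is composed of $W(a_1, \ldots, a_{\frac{k}{2}-1}, c_1, \ldots, c_{\frac{k}{2}-1})$, $M_{\frac{k}{2},\,k}$ (in $G_k$) and $W(a_{\frac{k}{2}+1}, \ldots, a_k, c_{\frac{k}{2}+1}, \ldots, c_k)$.

From the relations in Lemma 5.3, one can see that the occurrence of $u$ in $\widetilde{P}_{k+1}$ is one and the occurrence of $v$ in $\widetilde{P}_{k+1}$ is $\beta^x_{2,1} = x + 2 = \log_2\left(\frac{k+2}{3}\right) + 2$. Hence, the sum $\tilde{m}_k$ of the orders of all subgraphs in $\widetilde{P}_k$ is

$$\tilde{m}_{k+1} - 1 - \left(\log_2\left(\frac{k+2}{3}\right) + 2\right) = n + \left(\frac{3}{2}k + 2\right)\log_2(k+2) - \left(\frac{2}{3} + \frac{3}{2}\log_2 3\right)k + \frac{2}{3} - 2\log_2 3.$$

The result is then obtained. □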

6. Conclusion

The weighted threshold access structure is a more applicable structure of secret-sharing schemes in reality. In the implementation of such a scheme, the value of $k$ represents the number of departments or divisions in an organization. Let

$$\tilde{\rho}_1 = \frac{12n}{12n + k^2 + 34k - 60\log_2\left(\frac{k+2}{3}\right) - 32}$$

and

$$\tilde{\rho}_2 = \frac{n}{n + \left(\frac{3}{2}k + 2\right)\log_2(k+2) - \left(\frac{2}{3} + \frac{3}{2}\log_2 3\right)k + \frac{2}{3} - 2\log_2 3}$$

be the highest possible average information rate derived from our two constructions in Theorems 4.6 and 5.5, respectively. Both rates perform very well when $n/k$ is large. If $k$ is constant, both rates approach "1" asymptotically. Let $n = \mu k$ where $\mu$ represents the average size of departments in the organization. When $\mu$ is larger, both $\tilde{\rho}_1$ and $\tilde{\rho}_2$ become higher as well for each value of $k$. Fig. 6.1 shows the behavior of Morillo's rate [19], $\tilde{\rho}_1$ and $\tilde{\rho}_2$ in the case when $\mu = 20$. As indicated in the figure, $\tilde{\rho}_1$ performs better than $\tilde{\rho}_2$ when $k \le 30$, whereas $\tilde{\rho}_2$ becomes superior to $\tilde{\rho}_1$ for all $k \ge 31$. Actually, this fact remains true for all values of $\mu$. Therefore, Construction I is more suitable for organizations with fewer departments, whereas Construction II performs especially well for organizations with more departments.

Dealing with average information rate is in general very tedious. In this work, we have demonstrated an approach to the analysis of complicated results.

References

[1] A. Beimel, Secret-sharing schemes: a survey, in: Proceedings of the 3rd International Workshop on Coding and Cryptology, Lecture Notes in Computer Science, vol. 6639, 2011, pp. 11–46.

[2] G.R. Blakley, Safeguarding cryptographic keys, in: Proceedings of the National Computer Conference, 1979, American Federation of Information Processing Societies Proceedings, vol. 48, 1979, pp. 313–317.

[3] C. Blundo, A. De Santis, R. De Simone, U. Vaccaro, Tight bounds on the information rate of secret-sharing schemes, Designs, Codes and Cryptography 11 (1997) 107–122.

[4] C. Blundo, A. De Santis, A. Giorgio Gaggian, U. Vaccaro, New bounds on the information rate of secret-sharing schemes, IEEE Transactions on Information Theory 41 (1995) 549–554.

[5] C. Blundo, A. De Santis, D.R. Stinson, U. Vaccaro, Graph decompositions and secret-sharing schemes, Journal of Cryptology 8 (1995) 39–64.

[6] E.F. Brickell, D.M. Davenport, On the classification of ideal secret-sharing schemes, Journal of Cryptology 4 (1991) 123–134.

[7] E.F. Brickell, D.R. Stinson, Some improved bounds on the information rate of perfect secret-sharing schemes, Journal of Cryptology 5 (1992) 153–166.

[8] C.-C. Chang, Y.-H. Chen, H.-C. Wang, Meaningful secret sharing technique with authentication and remedy abilities, Information Sciences 181 (2011) 3073–3084.

[9] L. Csirmaz, An impossibility result on graph secret sharing, Designs, Codes and Cryptography 53 (2009) 195–209.

[10] L. Csirmaz, G. Tardos, Exact Bounds on Tree based Secret Sharing Schemes, Tatracrypt, Slovakia, 2007.

[11] M.H. Dehkordi, S. Mashhadi, New efficient and practical multi-secret sharing schemes, Information Sciences 178 (2008) 2262–2274.

[12] M. van Dijk, On the information rate of perfect secret-sharing schemes, Designs, Codes and Cryptography 6 (1995) 143–169.

[13] L. Harn, C. Lin, Strong (n, t, n) verifiable secret sharing scheme, Information Sciences 180 (2010) 3059–3064.

[14] C.-F. Hsu, Q. Cheng, X. Tang, B. Zeng, An ideal multi-secret sharing scheme based on MSP, Information Sciences 181 (2011) 1403–1409.

[15] W.-A. Jackson, K.M. Martin, Perfect secret-sharing schemes on five participants, Designs, Codes and Cryptography 9 (1996) 267–286.

[16] K. Kaya, A.A. Selcuk, Threshold cryptography based on Asmuth–Bloom secret sharing, Information Sciences 177 (2007) 4148–4160.

[17] C.Y. Lee, Y-S Yeh, D-J Chen, K-L Ku, A probability model for reconstructing secret sharing under the internet environment, Information Sciences 166 (1999) 109–127.

[18] H.-C. Lu, H.-L. Fu, The exact values of the optimal average information ratio of perfect secret-sharing schemes for tree-based access structure, Designs, Codes and Cryptography (2013), http://dx.doi.org/10.1007/s10623-012-9792-1.

[19] P. Morillo, C. Padro, G. Saez, J.L. Villar, Weighted threshold secret-sharing schemes, Information Processing Letters 704 (1999) 211–216.

[20] C. Padro, G. Saez, Secret sharing schemes with bipartite access structure, IEEE Transactions on Information Theory 46 (7) (2000) 2596–2604.

[21] A. Parakh, S. Kak, Space efficient secret sharing for implicit data security, Information Sciences 181 (2011) 335–341.

[22] A. Shamir, How to share a secret, Communications of the ACM 22 (1979) 612–613.

[23] S.J. Shyu, K. Chen, Visual multiple secret sharing based upon turning and flipping, Information Sciences 181 (2011) 3246–3266.

[24] D.R. Stinson, An explication of secret-sharing schemes, Designs, Codes and Cryptography 2 (1992) 357–390.

[25] D.R. Stinson, New general lower bounds on the information rate of perfect secret-sharing schemes, in: E.F. Brickell, (Ed.), Advances in Cryptology – CRYPTO ’92, Lecture Notes in Computer Science vol. 740, 1993, 168–182.

[26] D.R. Stinson, Decomposition constructions for secret-sharing schemes, IEEE Transactions on Information Theory 40 (1994) 118–125.

Figures

Fig. 4.1. The binary tree for Construction (I).
Fig. 6.1. A comparison of the results in the case when $\mu = 20$.