# New bounds on the average information rate of secret-sharing schemes for graph-based weighted threshold access structures

(1)

## schemes for graph-based weighted threshold access structures

a,b,⇑,1

### , Hung-Lin Fu

b,2

a

Center for Basic Required Courses, National United University, Miaoli 36003, Taiwan

b

Department of Applied Mathematics, National Chaio Tung University, Hsinchu 30010, Taiwan

### i n f o

Article history: Received 23 July 2011

Received in revised form 13 March 2013 Accepted 25 March 2013

Available online 2 April 2013 Keywords:

Secret-sharing scheme Access structure Optimal information rate Optimal average information rate Weighted threshold access structure Complete multipartite covering

### a b s t r a c t

A secret-sharing scheme is a protocol by which a dealer distributes shares of a secret key among a set of n participants in such a way that only qualiﬁed subsets of participants can reconstruct the secret key from the shares they received, while unqualiﬁed subsets have no information about the secret key. The collection of all qualiﬁed subsets is called the access structure of this scheme. The information rate (resp. average information rate) of a secret-sharing scheme is the ratio between the size of the secret key and the maximum size (resp. average size) of the shares. In a weighted threshold scheme, each participant has his or her own weight. A subset is qualiﬁed if and only if the sum of the weights of participants in the subset is not less than the given threshold. Morillo et al.[19]considered the schemes for weighted threshold access structure that can be represented by graphs called k-weighted graphs. They characterized this kind of access structures and derived a result on the infor-mation rate. In this paper, we deal with the average inforinfor-mation rate of the secret-sharing schemes for these structures. Two sophisticated constructions are presented, each of which has its own advantages and both of them perform very well when n/k is large.

1. Introduction

A secret-sharing scheme is a protocol by means of which a dealer distributes a secret key among a set of participants P so that only qualiﬁed subsets of P can reconstruct the secret key whereas unqualiﬁed subsets of P have no information about the secret key. The family of all qualiﬁed subsets is called the access structure of the scheme. In practice, an access structure

has to be monotone which means any subset of P containing a qualiﬁed subset must also be qualiﬁed. The basisC0of an

access structure Cis the set of all minimal subsets in C. The access structureCis called the closure of C0, denoted as

C= Cl(C0). In addition,Cis r-homogeneous if the cardinality of each subset inC0is r.

The ﬁrst secret-sharing schemes were (t, n)-threshold schemes. These schemes were introduced by Shamir[22]and Blakley

[2]independently in 1979. The basis of the access structure for such a scheme consists of all t-subsets of the set P of

par-ticipants of size n. Related problems have received considerable attention since then. Secret-sharing schemes for various

access structures have been widely studied[2–7,9,12,15,19,20,22,24–26]. Many modiﬁed versions of secret-sharing schemes

with additional capacities were proposed[8,11,13,14,16,17,21,23,27]. The reader is referred to[1]for a comprehensive

sur-vey. Secret sharing has been an interesting branch of modern cryptography.

http://dx.doi.org/10.1016/j.ins.2013.03.047

⇑Corresponding author at: Center for Basic Required Courses, National United University, Miaoli 36003, Taiwan. E-mail addresses:hjlu@nuu.edu.tw,hht0936@seed.net.tw(H.-C. Lu).

1

Research supported in part by NSC 100-2115-M-239-001.

2

Research supported in part by NSC 100-2115-M-009-005-MY3.

Contents lists available atSciVerse ScienceDirect

## Information Sciences

(2)

One of the most important research directions regarding secret-sharing schemes is to establish bounds on the size of the shares given to the participants and thereby obtain bounds on the storage and communication complexity. There are two major tools to measure the efﬁciency of a secret-sharing scheme, namely the information rate and the average information rate of a scheme. The information rate of a secret-sharing scheme is the ratio between the length (in bits) of the secret key and the maximum length of the shares given to the participants. The average information rate of a secret-sharing scheme is the ratio between the length of the secret key and the average length of all shares given to the participants. In a practical implementation of a secret-sharing scheme, these rates are expected to be as high as possible. Therefore, researchers also concern about the highest rates a secret-sharing scheme can have for a given access structure. The optimal (average) infor-mation rate of an access structure is the maximum (average) inforinfor-mation rate over all secret-sharing schemes which realize that access structure.

Graph-based access structures have been widely studied during the past decades. In such an access structure, each vertex

of a graph G represents a participant and each edge represents a minimal qualiﬁed subset, that is, P ¼ VðGÞ andC= Cl(E(G)).

The optimal information rate (resp. optimal average information rate) of an access structure based on a graph G is denoted as

(G) (resp. ~

### q

ðGÞ). It is easy to see that

ðGÞ 6 ~

### q

ðGÞ 6 1 and that

### q

(G) = 1 if and only if ~

### q

ðGÞ ¼ 1. A secret-sharing scheme

with the information rate equal to one is then called an ideal secret-sharing scheme. An access structure is ideal if there

ex-ists an ideal secret-sharing scheme for it. Brickell and Devenport[6]have completely characterized ideal graph-based access

structures. For general graphs, Stinson[26]showed that

### q

ðGÞ P 2

dþ1where d is the maximum degree of G and ~

### q

ðGÞ P2mþn2n

where n = jV(G)j and m = jE(G)j. Due to the difﬁculty of the derivation of good results on general graphs, most efforts have

been focused on small graphs[5,12,15]and graphs with better structures[3,5,9,10,18,26].

Morillo et al.[19]considered the weighted threshold secret-sharing schemes. This is the case when every participant is

given a weight depending on his or her position in an organization. A set of participants is in the access structure if and only if the sum of the weights of all participants in the set is not less than the given threshold. Morillo et al. characterized weighted threshold access structures based on graphs and studied their optimal information rate. Since these access struc-tures are more applicable in real-life situation, an in-depth investigation can have a signiﬁcant contribution to the applica-tion of secret sharing. We are motivated to construct better secret-sharing schemes for them and have a more detailed analysis of the average information rate of our schemes.

This paper is organized as follows. Deﬁnitions, notations and basic known results are introduced in Section2. Morillo’s

characterization and constructions of secret-sharing schemes of graph-based weighted threshold access structures are

pre-sented in Section3. In Section4, we start with an observation on the structure of the graphs that represent weighted

thresh-old access structures, and then our ﬁrst construction is introduced. Subsequently, one more sophisticated construction is

presented in Section5. Finally, we give a comparison of these constructions in Section6.

2. Preliminaries

Let P be the set of all participants, K be the set of all secret keys,C#2Pbe the access structure and S be the set of all

possible shares. Given a secret key d 2 K, a dealer D gives to participant p a share sp,d2 Spwhere Spis the set of all shares

participant p receives from the dealer corresponding to all keys in K. A distribution rule is a function f : fDg [ P ! K [ S with f ðDÞ 2 K and f(p) 2 S for all p 2 P. f(D) is the secret key to be distributed and f(p) is the share participant p receives from the

dealer for key f(D). Let F be a collection of distribution rules and Fd¼ ff 2 F : f ðDÞ ¼ dg. We call F a perfect secret-sharing

scheme if the following two conditions are satisﬁed:

(i) Given any B 2Cand f ; g 2 F , if f(p) = g(p) for all p 2 B, then f(D) = g(D).

(ii) Given any B RCand any function g: B ? S, there exists a nonnegative integer k(g, B) such that, for each d 2 K,

jff 2 Fdjf ðpÞ ¼ gðpÞ;

### 8

p 2 Bgj ¼ kðg; BÞ:

The ﬁrst condition guarantees that the shares given to a qualiﬁed subset uniquely determine the secret key, while the second ensures that the shares given to an unqualiﬁed subset reveal no information about the secret key. When these

two conditions are made, we say that this secret-sharing scheme F realizes the access structureC. Since all schemes

men-tioned in this paper are perfect, we will simply use ‘‘secret-sharing scheme’’ for ‘‘perfect secret-sharing scheme’’ throughout

this paper. In a secret-sharing scheme F , the information rate, denoted

### q

ðF Þ, is deﬁned as

### qðF Þ ¼

log2jKj maxflog2jSpj : p 2 Pg

and the average information rate, denoted ~

### q

ðF Þ, is deﬁned as

~

### qðF Þ ¼

log2jKj 1 jPj P p2Plog2jSpj ¼PjPjlog2jKj p2Plog2jSpj :

(3)

Example 2.1. P ¼ fa; b; cg, C0= {{a, b}, {b, c}}, K ¼ GFð3Þ. Let F ¼ ffr;djr; d 2 GFð3Þg where fr,d(D) = d, fr,d(a) = fr,d(c) = r and

fr,d(b) = r + d. This scheme can be represented by the following table:

Note that each row in the table represents a distribution rule. One can easily check that this scheme is a secret-sharing

scheme and

ðF Þ ¼ ~

### q

ðF Þ ¼ 1 since K ¼ Sa¼ Sb¼ Sc¼ GFð3Þ. This scheme is in fact an ideal one.

In this paper, only graph-based access structures are considered. In this case,C= Cl(E(G)) is 2-homogeneous. The graphs

with optimal rate

(G) = 1 or ~

### q

ðGÞ ¼ 1 have been completely characterized by Brickell and Devenport.

Theorem 2.2 [6]. Suppose that G is a connected graph, then

### q

(G) = 1 if and only if G is a complete multipartite graph.

Example 2.1shows that

### q

(K1,2) = 1 since the access structure of the scheme is Cl(K1,2). For graphs that are not complete

multipartite graphs, Blundo et al.[5]have shown the following fact.

Theorem 2.3 [5]. Suppose that G is a connected graph that is not a complete multipartite graph, then

ðGÞ 62

3and ~

### q

ðGÞ 6 n nþ1

where n = jV(G)j.

When dealing with information rates, the following lemma is especially helpful. Lemma 2.4 [5]. If G0is an induced subgraph of graph G, then

(G) 6

### q

(G0).

Stinson[26]proposed a very useful decomposition construction which enables us to build up secret-sharing schemes for

larger graphs using smaller complete multipartite graph through complete multipartite coverings. A complete multipartite covering of a graph G is a collection of complete multipartite subgraphs {G1, G2, . . . , Gl} of G such that each edge of G belongs

to at least one subgraph Gi.

Theorem 2.5 [26]. Suppose that {G1, G2, . . . , Gl} is a complete multipartite covering of a graph G with V(G) = {1, 2, . . . , n}. Let

Ri= j{jji 2 V(Gj)}j and R = max16i6nRi. Then there exists a secret-sharing scheme for access structure Cl(E(G)) with information rate

### q

and average information rate ~

where

¼1 R and

### q

~¼ n Pn i¼1Ri ¼Pl n i¼1jVðGiÞj :

According to the theorem, in order to construct a secret-sharing scheme with higher information rate (resp. average infor-mation rate), we need a complete multipartite covering with less maximum number of occurrence of a vertex (resp. less total number of occurrences of the vertices) in the covering.

3. Weighted threshold secret-sharing scheme

Given a set of n participants P, a threshold t > 0 and a weight function w : P ! R with w(p) P 0 for all p 2 P, the

(t, n, w)-weighted threshold access structure consists of all subset A # P such that wðAÞ ¼Pp2AwðpÞ P t. Morillo et al.[19]

showed that any weighted access structure determined by a non-integer-valued weight function and a non-integer thresh-old can also be determined by an integer-valued weight function and an integer threshthresh-old. So, considering integer-valued weight functions is sufﬁcient in our problem. In the remainder of the paper, we assume that a weight function w is given.

An access structureC= Cl(C0) is said to be connected if for any participant p 2 P, there exists A 2C0such that p 2 A.

Through-out this paper, we consider 2-homogeneous connected weighted threshold access structure and exclude the case where any participant has zero-weight. This kind of access structure can be represented by a graph G. In this graph, there is a set C of vertices, each of which is adjacent to all other vertices in G. The weight of each vertex in C is higher than the weight of any vertex not in C. If C – V(G), removing C from the graph G produces a nonempty set A of isolated vertices, each of which has

lower weight than any other vertex not in A. If C [ A – V(G), the subgraph G0induced by V(G)n(C [ A) represents a

2-homo-geneous connected weighted threshold access structure C0

¼ fB # P n ðC [ AÞjwðBÞ P tg. Repeating these processes, the structure of G can be clearly characterized in the following theorem.

(4)

Theorem 3.1 [19]. Let G be a graph that represents the 2-homogeneous connected weighted threshold access structureC. Then, there exists a unique partition of the vertices of G,

P ¼ C1[ A1[ C2[ A2[    [ Ck[ Ak;

where Ci–; for i = 1, . . . , k, Ai–; if i = 1, . . . , k  1 and either Ak= ; and jCkj P 2 or jAkj P 2, such that the set of edges of G is

0¼ fu;

gju;

2 [k i¼1 Ci;u –

( ) [ ff

;pgj

### v

2 Ci; p 2 Aj; 1 6 i 6 j 6 kg:

They also showed that any graph with a partition described in Theorem 3.1 represents a 2-homogeneous connected weighted threshold access structure. A such graph is then called k-weighted where k is the parameter used in Theorem 3.1. Since the structure of a k-weighted graph is completely determined by the values jAij’s and jCij’s, i = 1, 2, . . . , k, we denote

the k-weighted graph by W(jA1j, . . . , jAkj, jC1j, . . . , jCkj). Observe that the subgraph induced bySli¼1ðAji[ CjiÞ where 1 6 j1<

-j2<    < jl6k is an l-weighted graph WðjAj1j; . . . ; jAjlj; jCj1j; . . . ; jCjljÞ. Morillo et al. gave a complete multipartite decomposition

for (2q 1)-weighted graph in which the maximum number of occurrence R of a vertex is not greater than q. Then, by Lemma

2.4, a lower bound on optimal information rate for k-weighted graph for all k follows.

Theorem 3.2 [19]. Let C¼ fA # PjwðAÞ P tg be an access structure that is represented by a k-weighted graph G. Then

### q

ðGÞ P 1

dlog2ðkþ1Þe.

For the average information rate, we need to ﬁnd complete multipartite coverings for k-weighted graphs for each value of

k. For convenience, we make a slight modiﬁcation to the notation given in Theorem 3.1. In the case where Ak= ; and jCkj P 2,

we move one (arbitrarily chosen) vertex from Ckto Ak. So, in our model, none of Ai’s and Ci’s are empty. Now, we are ready for

our constructions. 4. Construction (I) 4.1. An observation

We observe that any k-weighted graph can be obtained by alternately applying two graph operations starting with a sin-gle vertex. Let us introduce these operations ﬁrst. By ‘‘splitting vertex

### v

of a graph G into m vertices

1, . . . ,

m’’, denoted S(

;

{

1, . . . ,

### v

m}), we obtain a graph GSðv;fv1;...;vmgÞ¼ G where V(G⁄) = (V(G)  {

}) [ {

1,

2, . . . ,

### v

m} and E(G⁄) = E(G 

) [

{

### v

iujvu 2 E(G) and i = 1, 2, . . . , m}. If we further add the set of edges {

i

### v

jj 1 6 i < j 6 m} to E(G⁄), then we obtain a graph

GEðv;fv1;...;vmgÞ. This graph is said to be obtained by ‘‘expanding vertex

into m vertices

1, . . . ,

### v

mfrom the original graph G

and this operation is denoted by E(

; {

1, . . . ,

### v

m}). For convenience, we use h V1, V2iGto denote the set of edges {u

ju 2 V1,

2 V2and u

### v

2 E(G)} for any two disjoint subsets of vertices V1and V2in G.

Given a k-weighted graph G = W(a1, a2, . . . , ak, c1, c2, . . . , ck), we let Ai¼ ui1;ui2; . . . ;uiai

n o

and Ci¼

i1;

i2; . . . ;

### v

ici

n o

, i = 1, 2, . . . , k. In what follows, we propose an algorithm showing how the given graph is constructed from a single vertex by splitting and expanding.

Algorithm 1 G0 {u0}. For i 1 to k do Gi GEðu0 ;Ci[fu0gÞ i1 Gi G Sðu0;AiÞ i where A  i ¼ Ai[ fu0g; if 1 6 i < k; Ak; if i ¼ k: 

Output the k-weighted graph Gk.

Theorem 4.1. The proposed algorithm produces the given k-weight graph G from a single vertex. Proof. The edges in hAi, Cji, j 6 i, are produced by the operation S u0;Ai

 

and edges in h Ci,Cji, j < i, and within the part Ciare all

produced by E u0;Ci

 

(5)

Xk1 i¼1 ciþ 1 2   þ ci Xi1 j¼1 cjþ ai Xi j¼1 cj ! þ ckþ 1 2   þ ck Xk1 j¼1 cjþ ðak 1Þ Xk j¼1 cj¼ Xk i¼1 ciþ 1 2   þ ci Xi1 j¼1 cjþ ai Xi j¼1 cj ! X k j¼1 cj¼ Xk j¼1 ci 2   þ ci Xi1 j¼1 cjþ ai Xi j¼1 cj !

which is exactly the size of the given G. Hence, the proof is completed. h 4.2. Construction (I)

Before we can literally describe our ﬁrst construction, there are some more notations needed to be introduced. For any l disjoint sets of vertices V1, V2, . . . , Vl, we use K(V1, V2, . . . , Vl) to denote the complete multipartite graph with partite sets V1, V2,

. . .and Vl. Let Glbe the l-weighted graph with vertex set Sli¼1Ai

 

[ Sli¼1Ci

 

, l 6 k. Deﬁne Bl, l 6 k, to be the graph obtained

from Glby removing all edges connecting vertices inSli¼1Ci. Then Blis a bipartite graph with partite setsSli¼1AiandSli¼1Ci.

Next, we use Ml1;l2 to denote the complete multipartite graph K C1;C2; . . . ;Cl11;

l1 1 n o ;

### v

l1 2 n o ; . . . ;

### v

l1 cl1 n o ;  Sl2 j¼l1þ1Cj   [ Sl2 j¼l1Aj  

Þ, 1 6 l16l26k. In the following lemma, Hj stands for the complete multipartite graph K(C1,

C2, . . . , Cj1, Aj1, Aj), 2 6 j 6 k.

Lemma 4.2. PB

l is a complete multipartite covering of Blwhere

### P

Bl ¼

H2i;KðA2i;C2iÞji ¼ 1; 2; . . . ;2l

; if l is even;

KðA1;C1Þ; H2iþ1;KðA2iþ1;C2iþ1Þji ¼ 1; 2; . . . ;l12

; if l is odd: (

Proof. When l is even, the edges in hA2i;CjiBl with j < 2i and in hA2i1;CjiBl with j 6 2i  1 appear in the subgraph H2i, for

i ¼ 1; 2; . . . ; l

2, while the edges in hA2i;C2iiBlappear in the subgraph K(A2i, C2i). The edges of Blare then all used up. For odd

l, the argument is similar. h

With these notations in mind, we are able to give our complete multipartite coveringPkof Gk. LetPkbe obtained

recur-sively by letting P1= {G1}, P2¼ K

11 ;

1 2 ; . . . ;

### v

1 c1 n o ;A1   ;M2;2 n o , P3¼ K

11 ;

1 2 ; . . . ;

### v

1 c1 n o ;A1   ; n K

3 1 ; . . . ;

### v

3 c3 n o ;A3   ;M2;3g and, for k P 4;Pk¼PBbkþ1 2c[ Mb kþ1 2cþ1;k n o [Pbk

2c1wherePbk2c1is the complete multipartite

cov-ering of the bk 2c  1   -weighted subgraph W abkþ1 2cþ2;abkþ12cþ3; . . . ;ak;cbkþ12cþ2;cbkþ12cþ3; . . . ;ck  

. It is obvious that the edges of Gk

which are not in Bbkþ1

2cand W abkþ12cþ2; . . . ;ak;cbkþ12cþ2; . . . ;ck

 

all lie in Mbkþ1

2cþ1;k. These three subgraphs literally make up the

k-weighted graph Gk. We have the following lemma.

Lemma 4.3. The collectionPkstated above is a complete multipartite covering of Gk.

(6)

Our next goal is to ﬁnd the sum mkof the orders of all subgraphs inPk. Due to the complexity of the enumeration, we

consider the reduced forms ﬁrst. We call G0k¼ Wð1; . . . ; 1; 1; . . . ; 1Þ the reduced form of a general k-weighted graph W(a1,

-. -. -., ak, c1, . . . , ck). We also let B0l;M 0 l1;l2and H

0

j be the graphs deﬁned in the same ways as Bl, Ml1;l2and Hjrespectively, except

that ai’s and cj’s involved are all set to be one. Then G0kand B 0

khave the complete multipartite coveringP

0 kandP

B0

k reduced

fromPkandPBkrespectively. Note here that G

0

khas 2k vertices. By applying suitable splitting and expanding operations

men-tioned in Section4.1to the reduced form G0

kaccordingly, one can recover the general k-weighted graph W(a1, . . . , ak, c1, . . . , ck).

For the evaluation of the sum m0

kof the orders of all subgraphs inP

0

k, we introduce a specially designed binary tree.

Note that we have decomposed G0k into B0

bkþ1 2c, M 0 bkþ1 2cþ1;kand G 0 bk 2c1. Since b kþ1 2c equals k2  1   þ 1 or k 2  1   þ 2; G0j can either go with B0 jþ1and M 0 jþ2;2jþ2to compose G 0 2jþ2or go with B 0 jþ2and M 0 jþ3;2jþ3to compose G 0

2jþ3. Recursively repeating this

process, all G0

k’s can be composed from some B

0 l’s, M

0

l1;k’s and just G1, G2and G3. We illustrate this relation by means of a

bin-ary tree inFig. 4.1. In this tree, each path from the root represents the conformation of a k-weighted graph of reduced form in

our covering. For example, the leftmost path from the root Gjto G4j+6represents that G02jþ2is composed of G

0 j;B 0 jþ1and M 0 jþ2;2jþ2

and then G04jþ6is composed of G

0 2jþ2;B

0

2jþ3and M

0

2jþ4;4jþ6. Hence the path shows how G 0

4jþ6is built up. The 2 x

paths of length x

from the root give the conformations of the 2xk-weighted graphs where k ranges from (j + 2)2x

 2 to (j + 3)2x 3,j = 1,2,3.

Theorem 4.4. LetC¼ fA # PjwðAÞ P tg be an access structure represented by a k-weighted graph G0k of reduced form, k1=

(j + 2)2x

 2 and k2= (j + 3)2x 3, x P 1, j = 1, 2, 3. If k16k 6 k2, then there exists a secret-sharing scheme for the access structure

Cwith average information rate ~

### q

with

24k2 k22þ 60k2 84log2 k2þ2 jþ3    37  dðjÞ2 6

### q

~6 24k1 k21þ 58k1 60log2 k1þ2 jþ2    32  dðjÞ1 where dðjÞ1;d ðjÞ 2   ¼ ð0; 0Þ; if j ¼ 1; ð28; 24Þ; if j ¼ 2; ð40; 44Þ; if j ¼ 3: 8 > < > : Proof. Let m0 kand mB 0

l be the sum of orders of all subgraphs inP

0 kandP B0 l respectively and mM 0 l1;l2be the order of M 0 l1;l2, then mM0 l1;l2¼ 2l2 l1þ 1. InP B0

l ;jVðKðCi;AiÞÞj ¼ jVðK2Þj ¼ 2 and jVðH0iÞj ¼ i þ 1 for each i. So when l is even, mB

0 l ¼ Pl 2 i¼1V H 0 2i   þ jVðKðC2i;A2iÞj ¼P l 2 i¼1ðð2i þ 1Þ þ 2Þ ¼14ðl 2 þ 8lÞ. When l is odd, mB0 l ¼ Pl1 2 i¼1jV H 0 2iþ1   j þPl12

i¼0jVðKðC2iþ1;A2iþ1ÞÞj ¼

Pl1 2 i¼1ð2i þ 2Þ þ Pl1 2 i¼02 ¼14ðl 2 þ 8l  1Þ. (1) First, we consider G0

k1whose composition process is shown by the leftmost path of length x from the root. Adding up

the orders of all subgraphs involved, we have

m0 k1¼ m 0 j þ Xx i¼1 mB0 ðjþ2Þ2i11þ Xx i¼1 mM0 ðjþ2Þ2i1;ðjþ2Þ2i2 ¼ m0 j þ14½ðj þ 1Þ 2 þ 8ðj þ 1Þ þX x i¼2 1 4½ððj þ 2Þ2 i1 1Þ2 þ 8ððj þ 2Þ2i1 1Þ  1 þX x i¼1 ½2ððj þ 2Þ2i 2Þ  ðj þ 2Þ2i1þ 1; if j ¼ 1; 3; m0 j þ Xx i¼1 1 4½ððj þ 2Þ2 i1  1Þ2þ 8ððj þ 2Þ2i1 1Þ  1 þX x i¼1 ½2ððj þ 2Þ2i 2Þ  ðj þ 2Þ2i1þ 1; if j ¼ 2: 8 > > > > > > > > > > > > > > > > > > < > > > > > > > > > > > > > > > > > > : ¼ m0 j þ 1 12ððj þ 2Þ2 x Þ2þ9 2ðj þ 2Þ2 x  5x 

### e

ðjÞ 1 ¼ 1 12ðk1þ 2Þ2þ92ðk1þ 2Þ  5log2 k1þ2 jþ2    ~

### e

ðjÞ 1 ¼1 12 k 2 1þ 58k1 60log2 kjþ21þ2    32  dðjÞ1 h i ; where

### e

ðjÞ 1 ¼ j2þ58jþ109 12 ; if j ¼ 1; 3; j2 þ58jþ112 12 ; if j ¼ 2: ( and ~

ð1Þ 1 ; ~

ð2Þ 1 ; ~

### e

ð3Þ 1   ¼ 12;43 3; 46 3   .

In the second last step, we combine the value of

### e

ðjÞ

1 with m01¼ 2, m02¼ 5 and m03¼ 9 to calculate the value of ~

### e

ðjÞ

1. With this

covering of G0k

1, we are able to construct a secret-sharing scheme with average information rate ~

### q

2k1

m0 k1

(7)

(2) We consider G0

k2whose composition process is shown by the rightmost path of length x from the root. Similar to (1),

we have m0 k2¼ m 0 j þ Xx i¼1 mB0 ðjþ3Þ2i11þ Xx i¼1 mM0 ðjþ3Þ2i1;ðjþ3Þ2i3 ¼ m0 j þ Xx i¼1 1 4½ððj þ 3Þ2 i1 1Þ2 þ 8ððj þ 3Þ2i1 1Þ  1 þX x i¼1 2ððj þ 3Þ2i 3Þ  ðj þ 3Þ2i1þ 1 h i ; if j ¼ 1; 3; m0 j þ 1 4½ðj þ 2Þ 2 þ 8ðj þ 2Þ þX x i¼2 1 4 ððj þ 3Þ2 i1 1Þ2 þ 8ððj þ 3Þ2i1 1Þ  1 h i þX x i¼1 2ððj þ 3Þ2i 3Þ  ðj þ 3Þ2i1þ 1 h i ; if j ¼ 2: 8 > > > > > > > > > > > > > > > > > > < > > > > > > > > > > > > > > > > > > : ¼ m0 j þ121ððj þ 3Þ2 x Þ2þ9 2ðj þ 3Þ2 x  7x 

### e

ðjÞ 2 ¼121 k 2 2þ 60k2 84log2 k2þ3 jþ3    37  dðjÞ2   ; where

### e

ðjÞ 2 ¼ j2 þ60jþ171 12 ; j ¼ 1; 3; j2þ60jþ168 12 ; j ¼ 2: ( .

With this covering of G0k2, we have constructed a secret-sharing scheme with average information rate ~

### q

2k0 m0

k2

. The result then follows.

As a matter of fact, each m0

kcan be evaluated in a similar way. The resulting expression only slightly differs from the ones

for m0

k1and m

0

After dealing with the reduced forms we shall turn back to the model of general forms. We start with introducing nota-tions. Let Zl¼ ð1 1 2 1 2 1 2 1    2 1Þ; yl¼ 2lþ 1  l 22l 2l 1   l 2 1      2 2 1  

and 1l¼ ð1 1    1Þ be three l-dimensional

vectors. For l16l2, let aðl1;l2Þ ¼ ðal1al1þ1al1þ2   al2Þ and cðl1;l2Þ ¼ ðcl1cl1þ1cl1þ2   cl2Þ where ai= jAij and ci= jCij, i = l1,

l1+ 1, . . . , l2.

Lemma 4.5. For k = 3  2x 2 and x P 1,

mk¼ Xx1 i¼1 Zkþ2 2i þ ði  1Þ1kþ2 2i    a ðk þ 2Þð2 i1 1Þ 2i1 þ 1; ðk þ 2Þð2i 1Þ 2i ! þ xak3þ ðx þ 1Þak2þ xak1 þ ðx þ 1Þakþ Xx1 i¼1 ykþ2 2i þ ði  1Þ1kþ2 2i    c ðk þ 2Þð2 i1 1Þ 2i1 þ 1; ðk þ 2Þð2i 1Þ 2i ! þ ðx þ 1Þck3þ ðx þ 1Þck2þ xck1þ ðx þ 1Þck:

Proof. Recall that the expression for mkdepends on all ai’s and ci’s, each of whose coefﬁcients represents the occurrence of

the vertices of that part in the coveringPk.

(1) First, let us examine the occurrence of vertices of Bl, whose partite sets areSli¼1AiandSli¼1Ci, in its coveringPBl. For odd

l, byLemma 4.2, one can easily see that the vertices in A1have occurrence 1 (only in K(A1, C1)), the vertices in A2j,

j ¼ 1; . . . ;l1

2, also have occurrence 1 (only in H2j+1) and the vertices in A2j+1, j ¼ 1; . . . ;l12, have occurrence 2 (in H2j+1

and K(A2j+1,C2j+1)). Hence, the occurrences of the vertices in A1, A2, . . . , Alare exactly the ﬁrst l coordinates in Zlþ1.

Sim-ilarly, the vertices in C1have occurrencelþ12 (in K(A1,C1) and H2i+1’s, i ¼ 1; . . . ;l12), the vertices in C2j, j ¼ 1; . . . ;l12, have

occurrencel1

2  j þ 1 (in H2i+1’s, i P j) and the vertices in C2j+1, j ¼ 1; . . . ;l12, have occurrencel12  j þ 1 (in H2i+1’s,

i P j + 1 and K(A2j+1, C2j+1)). Hence, the occurrences of the vertices in C1, C2, . . . , Clare exactly the ﬁrst l coordinates

in ylþ1 1lþ1.

(2) Let us consider the value of mknow. We prove the result by induction on x. When x = 1, m4= a1+ 2a2+ a3+

2-4= a1+ 2a2+ a3+ 2a4+ 2c1+ 2c2+ c3+ 2c4by direct counting the occurrences of vertices inP4. So, the result holds

when x = 1. Next, for k = 3  2x+1 2,G

k= W(a1, . . . , ak, c1, . . . , ck) is composed of B32x1, M

32x;32xþ12 and G32x2. For

convenience, denote M32x;32xþ12 by M for now. Observe that the vertices in Ai, 1 6 i 6 3  2x 1 have the same

occurrences inPk as they do in the coveringPB32x

1because they do not lie in M and G32x2, while the vertices

(8)

Notice that the vertices in A32x and C32x only occur once inPk. Besides, the vertices in Ai’s and Ci’s, i = 3  2x+ 1,

-. -. -.,k, also gain one more occurrence inPkthan they do in the covering P32x2 of G32x2. Therefore, by (1) and

the induction hypothesis,

m32xþ12 ¼ Z32x að1; 3  2xÞ þ ðy32x 132xÞ  cð1; 3  2xÞ þ 132x cð1; 3  2xÞ þX x1 i¼1 Z32x 2i þ ði  1Þ132x 2i þ 132x 2i    a 3  2 x ð2i1 1Þ 2i1 þ 1 þ 3  2 x ;3  2 x ð2i 1Þ 2i þ 3  2 x !

þ ðx þ 1Þa32x5þ32xþ ðx þ 2Þa32x4þ32xþ ðx þ 1Þa32x3þ32xþ ðx þ 2Þa32x2þ32x

þX x1 i¼1 y32x 2i þ ði  1Þ132x 2i þ 132x 2i    c 3  2 x ð2i1 1Þ 2i1 þ 1 þ 3  2 x ;3  2 x ð2i 1Þ 2i þ 3  2 x ! þ ðx þ 2Þc32x5þ32xþ ðx þ 2Þc32x4þ32xþ ðx þ 1Þc32x3þ32xþ ðx þ 2Þc32x2þ32x ¼ Z32xþ1 2  a 1; 3  2xþ1 2 ! þ y32xþ1 2  c 1; 3  2xþ1 2 ! þX x1 i¼1 Z32xþ1 2iþ1 þ ðði þ 1Þ  1Þ132xþ1 2iþ1    a 3  2 xþ1ð2i  1Þ 2i þ 1; 3  2xþ1ð2iþ1 1Þ 2iþ1 !

þ ðx þ 1Það32xþ12Þ3þ ðx þ 2Það32xþ12Þ2þ ðx þ 1Það32xþ12Þ1þ ðx þ 2Það32xþ12Þ

þX x1 i¼1 y32xþ1 2iþ1 þ ðði þ 1Þ  1Þ132xþ1 2iþ1    c 3  2 xþ1ð2i  1Þ 2i þ 1; 3  2xþ1ð2iþ1 1Þ 2iþ1 ! þ ðx þ 2Þcð32xþ12Þ3þ ðx þ 2Þcð32xþ12Þ2þ ðx þ 1Þcð32xþ12Þ1þ ðx þ 2Þcð32xþ12Þ ¼X x i¼1 Zkþ2 2i þ ði  1Þ1kþ2 2i    a ðk þ 2Þð2 i1 1Þ 2i1 þ 1; ðk þ 2Þð2i 1Þ 2i !

þ ðx þ 1Þak3þ ðx þ 2Þak2þ ðx þ 1Þak1þ ðx þ 2Þak

þX x i¼1 ykþ2 2i þ ði  1Þ1kþ2 2i    c ðk þ 2Þð2 i1 1Þ 2i1 þ 1; ðk þ 2Þð2i 1Þ 2i ! þ ðx þ 2Þck3þ ðx þ 2Þck2þ ðx þ 1Þck1þ ðx þ 2Þck: 

This lemma presents a sophisticated expression for mkin terms of ai’s and ci’s. In what follows, we give the conditions on

the values of ai’s and ci’s under which mkattains its minimum value when n ¼Pki¼1ðaiþ ciÞ is ﬁxed. Thereby, the highest

pos-sible average information rate via this covering is obtained.

Theorem 4.6. LetCbe a weighted threshold access structure represented by a k-weighted graph G = W(a1, . . . , ak, c1, . . . , ck) of

order n and k = 3  2x 2. If c

i= 1 for all i – k2þ 1 and ai= 1 for all i R T ¼ 1; 2; 4; 6; . . . ;k2þ 1

. Then ~

### q

ðGÞ P 12n 12n þ k2þ 34k  60log2ðkþ23Þ  32 :

Proof. Observe that only ck

2þ1and ai, i 2 T, have coefﬁcient equal to one in the expression for mkinLemma 4.5. So mkis

mini-mized if ci= 1 for all i –k2þ 1 and ai= 1 for all i R T since this expression for mkis linear. This case is similar to the reduced form.

So, we make an adjustment in the expression for m0

k1(with j = 1) in the proof ofTheorem 4.4to derive what we need here. The

sum mk of orders of subgraphs in this covering is m0k1þ

P i2Taiþ ck 2þ1 ðjTj þ 1Þ. Note that n ¼ Pk i¼1ðaiþ ciÞ ¼ P i2Taiþ ck 2þ1þ P iRTaiþPi–k 2þ1ci¼ P i2Taiþ ck 2þ1þ ðk  jTjÞ þ ðk  1Þ ¼ P i2Taiþ ck

2þ1þ 2k  ðjTj þ 1Þ. Therefore, in this case

mk¼121 k 2 þ 58k  60log2 kþ23    32 h i þ n  2k ¼ 1 12 12n þ k 2 þ 34k  60log2 kþ23    32 h i

. The average information rate of the

secret-sharing scheme constructed with this covering attains its maximum value n

mkand the proof is completed. h

Our result appears to be quite good if k is relatively small compared with n. In fact, as k ﬁxed, the rate given inTheorem

4.6asymptotically approaches ‘‘1’’ which is the optimal value for the rate.

5. Construction (II)

Our second construction is similar to the ﬁrst, while it performs better than Construction I when k P 31. The major

(9)

Gk= W(a1, . . . , ak, c1, . . . , ck) recursively as follows. ePi¼Pi;i ¼ 1; 2; 3. For k P 4, ePk¼ ePbk1 2c[ Mbk12cþ1;k n o [ ePbk 2cwhere the e Pbk

2c is the complete multipartite covering of the b

k

2c-weighted subgraph

W ¼ W abk1

2cþ2;abk12cþ3; . . . ;ak;cbk12cþ2;cbk12cþ3; . . . ;ck

 

. It is obvious that the edges not in the subgraphs

W a1; . . . ;abk1

2c;c1; . . . ;cbk12c

 

and W all lie in Mbk1

2cþ1;k. So, ePkis a complete multipartite covering of Gk.

Lemma 5.1. The collection ePkis a complete multipartite covering of Gk.

In order to evaluate the sum ~mkof the orders of all subgraphs in ePk, we consider the reduced form ﬁrst. Let eP0kand ~m0kbe

the reduced version of ePkand ~mkrespectively. In the covering eP0k, we decompose G 0 kinto G 0 bk1 2c, M 0 bk1 2cþ1;kand G 0 bk 2c. Since b k1 2c equals bk 2c  1 or b2kc; G 0

j can either go with G

0 j1and M 0 j;2jto compose G 0 2jor go with G 0 j and M 0 jþ1;2jþ1to compose G 0 2jþ1.

Recur-sively, all G0k’s can be obtained by using this process repeatly from G1, G2, G3and some M0i;k’s. As we have done in Section4,

this relation is depicted by a binary tree inFig. 5.1. The 2xpaths of length x from the root give the conformations of 2x

k-weight graphs where 2x+16k 6 3  2x

 1 or 3  2x6k 6 2x+2 1.

Theorem 5.2. LetCbe an weighted threshold access structure represented by a k-weighted graph G0

k of reduced form, k1= j  2x

and k2= (j + 1)  2x 1, x P 0, j = 2, 3. If k16k 6 k2, then there exists a secret-sharing scheme for the access structureCwith

average information rate ~

### q

with

2k2 3 2ðk2þ 1Þlog2ðk2þ 1Þ þ dðjÞðk2þ 1Þ þ 1 6

### q

~6 2k1 3 2k1þ 2   log2k1þ dðjÞ1k1þ dðjÞ0 where dðjÞ;dðjÞ1;d ðjÞ 0   ¼ 4 3 3 2log23; 1; 2   ; if j ¼ 2; 1;4 3 3 2log23; 5  2log23   ; if j ¼ 3: (

Proof. Recall that M0

l1;l2has order m

M0

l1;l2¼ 2l2 l1þ 1, ~m

0

i ¼ m0i, i ¼ 1; 2; 3. m01¼ 2, m02¼ 5, and m03¼ 9.

(1) First, we consider G0k2. For each l = 2

i(j + 1)  1, G

lis composed of two Gl1

2’s and one Mlþ12;l. So ~m

0

kcan be evaluated

recur-sively as follows. ~ m0 k2¼ 2 ~m 0 2x1ðjþ1Þ1þ 3  2 x1 ðj þ 1Þ  1 ¼ 2xm0 j þ Xx i¼1 ð2i1ð3  2xiðj þ 1Þ  1ÞÞ ¼ 2x m0j þ 3x  2 x1 ðj þ 1Þ  ð2x 1Þ ¼ 3 k2þ 1 2 log2 k2þ 1 j þ 1   þm 0 j  1 j þ 1  ðk2þ 1Þ þ 1 ¼ 3 2ðk2þ 1Þlog2ðk2þ 1Þ þ m0 j  1 j þ 1  3 2log2ðj þ 1Þ ! ðk2þ 1Þ þ 1 ¼3 2ðk2þ 1Þlog2ðk2þ 1Þ þ dðjÞðk2þ 1Þ þ 1:

Hence, the secret-sharing scheme constructed with eP0

k2has average information rate ~

### q

2k2

~ m0

k2

. Fig. 5.1. The binary tree for Construction (II).

(10)

(2) The composition process of G0

k1 is shown on the leftmost path of length x from the root. Adding up the orders of all

subgraphs involved, we have m~0

k1¼ ~m 0 j þ ~m0j1þ Px1 i¼1m~02ij1þ Px i¼1mM 0

2i1j;2ij. Making use of the equation

~ m0 2x ðjþ1Þ1¼ 2 x  m0 j þ 3x  2 x1

ðj þ 1Þ  ð2x 1Þ from the derivation in (1), we can continue to evaluate ~m0

k1 according

to the value of j as follows. (i) If j = 3, ~ m0 32x¼ m0j þ m0j1þ umi¼1x1½2i m0j1þ 3  i  2i1 j  ð2i 1Þ þ Xx i¼1 ð3  2i1 j þ 1Þ ¼ m0 3þ m 0 2þ m 0 2ð2 x  2Þ þ 9ððx  2Þ2x1þ 1Þ  ð2x 1  xÞ þ 9ð2x 1Þ þ x ¼ 9x2x1þ 4  2xþ 2x þ 5 ¼3k 2 log2k1þ 4 3 3 2log23   k1þ 2log2k1þ ð5  2log23Þ: (ii) If j = 2, ~ m0 2xþ1¼ m 0 j þ m 0 j1þ Xx1 i¼1 2i1m0

3þ 3ði  1Þ2i2 4  ð2i1 1Þ

h i þX x i¼1 ð3  2i1 j þ 1Þ ¼ 3x  2xþ 2xþ 2x þ 4 ¼3 2k1log2k1 k1þ 2log2k1þ 2: Hence ~m0 k1¼ 3 2k1þ 2  

log2k1þ dðjÞ1k1þ dðjÞ0 and we have a secret-sharing scheme with average information rate ~

### q

1¼m2k~01 k1

. The

result follows immediately. h

Next, we give the expression for ~mkfor a k-weighted graph of general form.

Lemma 5.3. Let k = 2x (j + 1)  1, x P 0, j = 2, 3. If ~m

k¼Pki¼1

### a

xj;iaiþPki¼1bxj;iciis the sum of the orders of all subgraphs in the

covering ePkof a k-weighted graph Gk= W(a1, . . . , ak, c1, . . . , ck). Then the values of

### a

xj;i’s and b x

j;i’s can be obtained by the recursive

relations

x j;i¼

xj;kþ1 2þi  1 ¼

### a

x1 j;i , b x j;i¼ b x j;kþ1 2þi¼ b x1 j;i þ 1 and

### a

xj;kþ1 2 ¼ bxj;kþ1 2 ¼ 1; 1 6 i 6 k1

2 , with initial values

0 j;1¼

### a

0 j;2¼ b 0 j;2¼ 1 and b0j;1¼

### a

03;3¼ b 0 3;3¼ 2.

Proof. We prove this result by induction on x. When x = 0, k = j, the occurrences of the vertices in Ai’s and Ci’s in ePjare

exactly the initial values

### a

0

j;i’s and b 0

j;i’s respectively. For x > 0, recall that Gkis composed of W1¼ Wða1; . . . ;a2x1

ðjþ1Þ1,

c1; . . . ;c2x1ðjþ1Þ1Þ, W2¼ Wða2x1ðjþ1Þþ1; . . . ;ak;c2x1ðjþ1Þþ1; . . . ;ckÞ and M ¼ M2x1ðjþ1Þ;2xðjþ1Þ1. Each vertex in

Ai;1 6 i 6k12 ¼ 2 x1

ðj þ 1Þ  1, has the same occurrence in ePkas it does in the covering of W1since it does not occur in either

W2or M. So,

xj;i¼

### a

x1j;i . However, each vertex in Ci;1 6 i 6k12, gains one more occurrence in ePkthan it does in the covering

of W1because it also occurs in M. This is also true for vertices in Aiand Ci;kþ12 ¼ 2 x1

ðj þ 1Þ þ 1 6 i 6 k, because all of them

occur in graph M. Hence, we also have bx

j;i¼ b x1 j;i þ 1;

xj;kþ1 2þi ¼

### a

x1 j;i þ 1 and b x j;kþ1 2þi¼ b x1

j;i þ 1 for 1 6 i 6k12. Besides, the

ver-tices in Akþ1

2 and Ckþ12 have occurrence one because they only appear in M. Hence,

### a

x j;kþ1

2

¼ bx j;kþ1

2 ¼ 1. This proves that the

coef-ﬁcients

### a

x j;i’s and b

x

j;i’s satisfy the given recursive relations. h

Now, we consider the case when n ¼Pk

i¼1ðaiþ ciÞ is ﬁxed. By evaluating the minimum value of ~mk, we obtain the highest

possible average information rate of a secret-sharing scheme constructed with this covering.

Theorem 5.4. LetCbe a weighted threshold access structure represented by a k-weighted graph G = W(a1, . . . , ak, c1, . . . , ck) of

order n and k = (j + 1)2x 1. If c

i= 1 for all i –kþ12 and ai= 1 for all i R T = {1, 2} [ {(j + 1)2i— i = 0, 1, . . . , x  1}. Then

~

### q

ðGÞ P n

n þ3

2ðk þ 1Þlog2ðk þ 1Þ þ ðdðjÞ 2Þk þ ðdðjÞþ 1Þ

where d(j)is given inTheorem 5.2.

Proof. The argument is similar to the proof ofTheorem 4.6. From the relations given inLemma 5.3, among all the coefﬁcients

of ai’s and ci’s, only

### a

xj;i; i 2 T, and b x j;kþ1

2 are equal to one. So ~mkis minimized if ai= 1 for all i R T and ci= 1 for all i –

kþ1 2. We

modify the expression for m~0

k2 in the proof of Theorem 5.2 to meet what we need here. In this case,

~ mk¼ ~m0k2þ P i2Taiþ ckþ1 2  ðjTj þ 1Þ ¼ ~m 0

kþ n  2k ¼ n þ32ðk þ 1Þlog2ðk þ 1Þ þ ðdðjÞ 2Þk þ ðdðjÞþ 1Þ. The secret-sharing

scheme for this access structure has average information rate n

~ mk.

(11)

This result is also very good when k is relatively small compared with n. The rate also approaches ‘‘1’’ asymptotically as k ﬁxed. After analyzing the average information rates produced from each of our constructions separately, we shall give a

com-parison of them in Section6. For a fair comparison, we consider the same class of k-weighted graphs where k = 3  2x 2. We

present the highest possible average information rate for this class as follows.

Theorem 5.5. LetCbe a weighted threshold access structure represented by a k-weighted graph Gk= W(a1, . . . , ak, c1, . . . , ck) of

order n and k = 3  2x 2. If ci= 1 for all i – k2and ai= 1 for all i R T = {1} [ {3  2i 1j i = 0, 1, . . . , x  1}. Then

~

### q

ðG kÞ P n n þ 3 2k þ 2   log2ðk þ 2Þ  23þ 3 2log23   k þ2 3 2log23 :

Proof. Suppose Ski¼1Ai

 

[ Ski¼1Ci

 

is the vertex set of Gkwhere jAij = aiand jCij = ci, i = 1, 2, . . . , k. Denote {u} by A0and {

### v

}

by C0. Let Ski¼0Ai

 

[ Ski¼0Ci

 

be the vertex set of the (k + 1)-weighted graph Gk+1= W(jA0j, a1, . . . , ak, jC0j, c1, . . . , ck) of order

n + 2 where k + 1 = 3  2x 1. Then G

k+1satisﬁes the criteria inTheorem 5.4, and the sum ~mkþ1of the orders of all subgraphs

in its covering ePkþ1is n þ 2 þ32ðk þ 2Þlog2ðk þ 2Þ þ ðdð2Þ 2Þðk þ 1Þ þ dð2Þþ 1. Now, observe that Gk= Gk+1 (A0[ C0) and the

collection of subgraphs obtained from ePkþ1by deleting u and

### v

from each subgraphs in ePkþ1is exactly the complete

mul-tipartite covering ePk of Gk since Gk+1 is composed of W jA0j; a1; . . . ;ak

21;jC0j; c1; . . . ;ck21   ;Mk 2þ1;kþ1 (in Gk+1) and W ak 2þ1; . . . ;ak;ck2þ1; . . . ;ck  

and Gkis composed ofW a1; . . . ;ak

21;c1; . . . ;ck21   ;Mk 2;k (in Gk) and W a2kþ1; . . . ;ak;ck2þ1; . . . ;ck   .

From the relations inLemma 5.3, one can see that the occurrence of u in ePkþ1is one and the occurrence of

### v

in ePkþ1is

bx2;1¼ x þ 2 ¼ log2 kþ23

 

þ 2. Hence, the sum m~k of the orders of all subgraphs in Pek is

~ mkþ1 1  log2 kþ23   þ 2   ¼ n þ 3 2k þ 2   log2ðk þ 2Þ  23þ32log23   k þ2

3 2log23. The result is then obtained. h

6. Conclusion

The weighted threshold access structure is a more applicable structure of secret-sharing schemes in reality. In the imple-mentation of such a scheme, the value of k represents the number of departments or divisions in an organization. Let ~

### q

12nþk2þ34k60log12n 2ð Þkþ23 32

and ~

### q

3 n

2kþ2

ð Þlog2ðkþ2Þð23þ32log23Þkþ232log23be the highest possible average information rate derived

from our two constructions inTheorems 4.6 and 5.5, respectively. Both rates perform very well when n/k is large. If k is

con-stant, both rates approaches ‘‘1’’ asymptotically. Let n =

k where

### l

represents the average size of departments in the

orga-nization. When

### l

is larger, both ~

1and ~

### q

2become higher as well for each value of k.Fig. 6.1shows the behavior of Morillo’s

rate[19], ~

1and ~

### q

2in the case when

### l

= 20. As indicated in the ﬁgure, ~

### q

1performs better than ~

### q

2when k 6 30, whereas ~

### q

2

becomes superior to ~

### q

1for all k P 31. Actually, this fact remains true for all values of

### l

. Therefore, Construction I is more

(12)

suitable for organizations with fewer departments, whereas Construction II performs especially well for organizations with more departments.

Dealing with average information rate is in general very tedious. In this work, we have demonstrated an approach to the analysis of complicated results.

References

[1] A. Beimel, Secret-sharing schemes: a survey, in: Proceedings of the 3rd International Workshop on Coding and Cryptology, Lecture Notes in Computer Science, vol. 6639, 2011, pp. 11–46.

[2] G.R. Blakley, Safeguarding cryptographic keys, in: Proceedings of the National Computer Conference, 1979, American Federation of Information Processing Societies Proceedings, vol. 48, 1979, pp. 313–317.

[3] C. Blundo, A. De Santis, R. De Simone, U. Vaccaro, Tight bounds on the information rate of secret-sharing schemes, Designs, Codes and Cryptography 11 (1997) 107–122.

[4] C. Blundo, A. De Santis, A. Giorgio Gaggian, U. Vaccaro, New bounds on the information rate of secret-sharing schemes, IEEE Transactions on Information Theory 41 (1995) 549–554.

[5] C. Blundo, A. De Santis, D.R. Stinson, U. Vaccaro, Graph decompositions and secret-sharing schemes, Journal of Cryptology 8 (1995) 39–64. [6] E.F. Brickell, D.M. Davenport, On the classiﬁcation of ideal secret-sharing schemes, Journal of Cryptology 4 (1991) 123–134.

[7] E.F. Brickell, D.R. Stinson, Some improved bounds on the information rate of perfect secret-sharing schemes, Journal of Cryptology 5 (1992) 153–166. [8] C.-C. Chang, Y.-H. Chen, H.-C. Wang, Meaningful secret sharing technique with authentication and remedy abilities, Information Sciences 181 (2011)

3073–3084.

[9] L. Csirmaz, An impossibiliuty result on graph secret sharing, Designs, Codes and Cryptography 53 (2009) 195–209. [10] L. Csirmaz, G. Tardos, Exact Bounds on Tree based Secret Sharing Schemes, Tatracrypt, Slovakia, 2007.

[11] M.H. Dehkordi, S. Mashhadi, New efﬁcient and practical multi-secret sharing shemes, Information Sciences 178 (2008) 2262–2274. [12] M. van Dijk, On the information rate of perfect secret-sharing schemes, Designs, Codes and Cryptography 6 (1995) 143–169. [13] L. Harn, C. Lin, Strong (n, t, n) veriﬁable secret sharing sheme, Information Sciences 180 (2010) 3059–3064.

[14] C.-F. Hsu, Q. Cheng, X. Tang, B. Zeng, An ideal multi-secret sharing scheme based on MSP, Information Sciences 181 (2011) 1403–1409. [15] W.-A. Jackson, K.M. Martin, Perfect secret-sharing schemes on ﬁve participants, Designs, Codes and Cryptography 9 (1996) 267–286. [16] K. Kaya, A.A. Selcuk, Threshold cryptography based on Asmuth–Bloom secret sharing, Information Sciences 177 (2007) 4148–4160.

[17] C.Y. Lee, Y-S Yeh, D-J Chen, K-L Ku, A probability model for reconstructing secret sharing under the internet environment, Information Sciences 166 (1999) 109–127.

[18] H.-C. Lu, H.-L. Fu, The exact values of the optimal average information ratio of perfect secret-sharing schemes for tree-based access structure, Designs, Codes and Cryptography (2013),http://dx.doi.org/10.1007/s10623-012-9792-1.

[19] P. Morillo, C. Padro, G. Saez, J.L. Villar, Weighted threshold secret-sharing schemes, Information Processing Letters 704 (1999) 211–216. [20] C. Padro, G. Saez, Secret sharing schemes with bipartite access structure, IEEE Transactions on Information Theory 46 (7) (2000) 2596–2604. [21] A. Parakh, S. Kak, Space efﬁcient secret sharing for implicit data security, Information Sciences 181 (2011) 335–341.

[22] A. Shamir, How to share a secret, Communications of the ACM 22 (1979) 612–613.

[23] S.J. Shyu, K. Chen, Visual multiple secret sharing based upon turning and ﬂipping, Information Sciences 181 (2011) 3246–3266. [24] D.R. Stinson, An explication of secret-sharing schemes, Designs, Codes and Cryptography 2 (1992) 357–390.

[25] D.R. Stinson, New general lower bounds on the information rate of perfect secret-sharing schemes, in: E.F. Brickell, (Ed.), Advances in Cryptology – CRYPTO ’92, Lecture Notes in Computer Science vol. 740, 1993, 168–182.

[26] D.R. Stinson, Decomposition constructions for secret-sharing schemes, IEEE Transactions on Information Theory 40 (1994) 118–125.