The exact values of the optimal average information ratio of perfect secret-sharing schemes for tree-based access structures

全文

(1)

DOI 10.1007/s10623-012-9792-1

The exact values of the optimal average information ratio

of perfect secret-sharing schemes for tree-based access

structures

Hui-Chuan Lu · Hung-Lin Fu

Received: 10 February 2012 / Revised: 15 December 2012 / Accepted: 18 December 2012 / Published online: 7 March 2013

© Springer Science+Business Media New York 2012

Abstract A perfect secret-sharing scheme is a method of distributing a secret among a set of participants such that only qualified subsets of participants can recover the secret and the joint shares of the participants in any unqualified subset is statistically independent of the secret. The set of all qualified subsets is called the access structure of the scheme. In a graph-based access structure, each vertex of a graph G represents a participant and each edge of G represents a minimal qualified subset. The information ratio of a perfect secret-sharing scheme is defined as the ratio between the maximum length of the share given to a participant and the length of the secret. The average information ratio is the ratio between the average length of the shares given to the participants and the length of the secret. The infimum of the (average) information ratios of all possible perfect secret-sharing schemes realizing a given access structure is called the (average) information ratio of the access structure. Very few exact values of the (average) information ratio of infinite families of access structures are known. Csirmaz and Tardos have found the information ratio of all trees. Based on their method, we develop our approach to determining the exact values of the average information ratio of access structures based on trees.

Keywords Secret-sharing scheme· Graph-based access structure · Average information ratio· Entropy · Star covering · Tree

Mathematics Subject Classification (2000) 05C70· 94A60 · 94A62 · 94A17

Communicated by C. Blundo. H.-C. Lu (

B

)

Center for Basic Required Courses, National United University, Miaoli36003, Taiwan e-mail: hjlu@nuu.edu.tw; hht0936@seed.net.tw

H.-C. Lu· H.-L. Fu

(2)

1 Introduction

A secret-sharing scheme is a method of distributing a secret among a set of participants in such a way that only qualified subsets of participants can recover the secret from the shares they receive. If, in addition, the joint shares of the participants in any unqualified subset is statistically independent of the secret, then the secret-sharing scheme is called perfect. Since all secret-sharing schemes considered in this paper are perfect, we will simply use “secret-sharing scheme” for “perfect secret-“secret-sharing scheme”. The access structure of a secret-“secret-sharing scheme is the collection of all qualified subsets in this scheme. It is required to be monotone which means any subset of participants containing a qualified subset must also be qualified. There are two major tools for measuring the efficiency of a secret-sharing scheme, namely, the information ratio and the average information ratio. The information ratio of a secret-sharing scheme is the ratio between the maximum length (in bits) of the share given to a participant and the length of the secret. The average information ratio of a secret-sharing scheme is the ratio between the average length of the shares given to the participants and the length of the secret. These ratios represent the maximum and average number of bits of information the participants must remember for each bit of the secret. The lower the ratios are, the lower storage and communication complexity the scheme has. Therefore, for a given access structure, constructing a secret-sharing scheme with the lowest above-mentioned ratios is one of the main goals of the research. The infimum of the (average) information ratios of all possible secret-sharing schemes realizing a access structure is referred to as the (average) information ratio of that access structure.

In 1979, Shamir [8] and Blakley [2] independently introduced the first kind of secret-sharing schemes called the(t, n)-threshold schemes in which the minimal qualified subsets are the t-subsets of the set of participants of size n. Related problems have then received considerable attention. Secret-sharing schemes for various access structures and many mod-ified versions of secret-sharing schemes with additional capacities were widely studied. The reader is referred to [1,7] and their references for recent developments on secret-sharing problems.

In the present paper, we only consider graph-based access structures. In such a structure, each vertex of a graph G represents a participant and each edge of G represents a minimal qualified subset. A secret-sharing scheme for the access structure based on G is a collection of random variablesξsandξvforv ∈ V (G) with a joint distribution such that

(i) ξsis the secret andξvis the share ofv;

(ii) if uv ∈ E(G), then ξuandξvtogether determine the value ofξs; and

(iii) if A⊆ V (G) is an independent set, then ξsand the collection{ξv|v ∈ A} are statistically

independent.

Given a discrete random variable X with possible values{x1, x2, . . . , xn} and a probability

distribution{p(xi)}ni=1, the Shannon entropy of X is defined as H(X) = −

n  i=1

p(xi) log p(xi),

which is a measure of the average uncertainty associated with the random variable X. It is well known that H(X) is a good approximation to the average number of bits needed to represent the elements in X faithfully. Using Shannon entropy, the information ratio of the secret-sharing scheme can be defined as R = maxv∈V (G){H(ξv)/H(ξs)} and

the average information ratio as A R = v∈V (G)H(ξv)/(|V (G)|H(ξs)). For

(3)

access structure based on G”. Also, “the information ratio (resp. the average infor-mation ratio) of the access structure based on G” is referred to as “the inforinfor-mation ratio (resp. the average information ratio) of G”, denoted as R(G) (resp. AR(G)). As mentioned above, R(G) = inf{R| is a secret-sharing scheme on G} and AR(G) =

inf{AR| is a secret-sharing scheme on G}. It is well known that R(G) ≥ AR(G) ≥ 1 and that R(G) = 1 iff AR(G) = 1. A secret-sharing scheme  with R = 1 or AR = 1 is

then called an ideal secret-sharing scheme. An access structure is ideal if there exists an ideal secret-sharing scheme on it. Determining the exact value of R(G) or AR(G) is extremely challenging. It is not easy even for small graphs sometimes. Due to the difficulty, most known results give bounds on R(G) and AR(G). Stinson [10] has shown the important bounds for general graphs: R(G) ≤ d+1

2 where d is the maximum degree of G and A R(G) ≤ 2m2n+n

where n = |V (G)| and m = |E(G)|. The exact values of R(G) and AR(G) are obtained only for very few specific graphs. Most graphs of order no more than five, and the cycles and paths have known exact values of the average information ratio [3,10]. Most graphs of order no more than six, and the cycles, paths and trees have known exact values of the information ratio [3,6,9–11]. The information ratio of a tree T was determined by Csirmaz and Tardos [6] as R(T ) = 2 −1k where k is the maximum size of a core in T. Based on their method, we develop our approach to the problem of determining the value of A R(T ) for any tree T. This paper is organized as follows. In Sect.2, some basic known results and definitions are introduced. Our results are presented in Sects.3,4and5. We derive a lower bound on A R(T ) and introduce our approach in Sect.3. Our main results are shown in Sect.4. Subsequently, in Sect.5, two examples are given to demonstrate our systematic way of evaluating A R(T ).

A concluding remark will be given in the final section.

2 Preliminaries

We introduce some basic known results on graph-based access structures first. The ideal graph-based access structures have been completely characterized by Brickell and Davenport. Theorem 1 ([4]) Suppose that G is a connected graph. Then R(G) = 1 if and only if G is

a complete multipartite graph.

We introduce the methods of deriving upper bounds and lower bounds on A R(G) for a non-ideal access structure G in what follows. By constructing a secret-sharing scheme on graph G, one can obtain an upper bound ARon the average information ratio A R(G). Stinson’s

decomposition construction [10] has been a major tool to do this job. This method enables us to build up secret-sharing schemes for graphs using complete multipartite coverings. A complete multipartite covering of a graph G is a collection of complete multipartite subgraphs Π = {G1, G2, . . . , Gl} of G such that each edge of G belongs to at least one subgraph in the

collection. The valueli=1|V (Gi)| is crucial for our discussion, we call it the vertex-number

sum of Π.

Theorem 2 ([10]) Suppose that{G1, G2, . . . , Gl} is a complete multipartite covering of a

graph G with V(G) = {1, 2, . . . , n}. Let Ri = |{ j|i ∈ V (Gj)}| and R = max1≤i≤nRi.

Then there exists a secret-sharing scheme on G with information ratio R and average information ratio A Rwhere

R= R and AR = 1 n n  i=1 Ri = 1 n l  i=1 |V (Gi)|.

(4)

The only main tool for establishing lower bounds on A R(G) is the information theoretic approach [5]. Let be a secret-sharing scheme in which ξs is the random variable of the

secret and eachξv is the one of the share ofv, v ∈ V (G). Define a real-valued function f as f(A) = H({ξv : v ∈ A})/H(ξs) for each subset A ⊆ V (G), where H is the Shannon

entropy. Then, A R = 1nv∈V (G) f(v), where n = |V (G)|. Using properties of the entropy function and the definition of a secret-sharing scheme, one can show that f satisfies the following inequalities [5]:

(a) f(∅) = 0, and f (A) ≥ 0;

(b) if A⊆ B ⊆ V (G), then f (A) ≤ f (B); (c) f(A) + f (B) ≥ f (A ∩ B) + f (A ∪ B);

(d) if A⊆ B ⊆ V (G), A is an unqualified set and B is not, then f (A) + 1 ≤ f (B); and (e) if neither A nor B is unqualified but A∩ B is, then f (A) + f (B) ≥ 1 + f (A ∩ B) +

f(A ∪ B).

Csirmaz and Tardos [6] defined a core V0 of a tree T as a subset V0of V(T ) such that

V0induces a connected subgraph of T and each vertex in V0has a neighbor outside it. They

also showed the following theorem.

Theorem 3 ([6]) Let V0be a core of a tree T. If f is defined as above, thenv∈V0 f(v) ≥

2|V0| − 1.

In the next section, we shall derive a lower bound on A R(T ) and rewrite Theorem2as an upper bound on A R(T ) of particular form. Our approach can then be introduced. 3 Lower bound and upper bound on AR(T)

Given a tree T, we let I N(T ) and L F(T ) be the sets of all internal vertices and leaves of T respectively. Denote|I N(T )| as in(T ) and |L F(T )| as l f (T ). In order to cope with the average information ratio, we extend the idea of a core of T. For T = K1,1, we define a

core cluster of T of size k as a partitionC = {V1, V2, . . . , Vk} of I N(T ) such that each

Vi, i ∈ {1, 2, . . . , k}, is a core of T. The size of a core clusterC is written as cC. We also

denote the minimum size of all core clusters of T as c(T ), called the core number of T. Note thatki=1Vimay not be a core of T, if so, then c(T ) = 1 for T = K1,1. In addition,

we naturally define that c(K1,1) = 0.

The idea of a core cluster helps us establish a lower bound on A R(T ). Theorem 4 If T = K1,1is a tree of order n, then AR(T ) ≥ n+in(T )−c

(T )

n .

Proof Suppose that is a secret-sharing scheme on T. Then the function f defined in Sect.2by the random variables from satisfies all the properties (a) to (e) and Theorem

3. LetC = {V1, V2, . . . , Vk} be a core cluster of T. By Theorem3and the definition of

a core cluster,v∈I N(T ) f(v) = ki=1v∈V

i f(v) ≥

k

i=1(2|Vi| − 1) = 2in(T ) − k.

Since T is connected, f(v) ≥ 1 for all v ∈ V (T ) [5].v∈V (T ) f(v) =v∈I N(T ) f(v) +



v∈L F(T ) f(v) ≥ 2in(T ) − k + l f (T ) = n + in(T ) − k. Thus we have AR ≥ 1n(n +

i n(T ) − k). Since the result holds for any secret-sharing scheme on T, we have AR(T ) ≥

1

n(n + in(T ) − c(T )).

On the other hand, as suggested in Theorem2, in order to construct a secret-sharing scheme with lower average information ratio, we need a complete multipartite covering with the least vertex-number sum. Since we are dealing with trees, and stars are the only complete

(5)

multipartite trees, star coverings with the least vertex-number sum are what we are aiming for. For a better description of our approach, given a star coveringΠ of T with vertex-number sum m, we define the deduction of Π, written dΠ, as dΠ = |V (T )| + in(T ) − m. A star covering with the largest deduction gives the least vertex-number sum. The largest value of the deductions over all star coverings of T is called the deduction of T and is denoted as d(T ). The following corollary is simply a rephrasement of Theorem2in terms of the deduction of T.

Corollary 5 ([10]) LetΠ be a star covering of a tree T of order n, then A R(T ) ≤n+ in(T ) − d

(T )

n .

Combining Theorem4and Corollary5, we have the following results.

Theorem 6 For any star coveringΠ of T and any core clusterCof T, cC ≥ dΠ. In particular, c(T ) ≥ d(T ).

Corollary 7 If there exists a star coveringΠ of T and a core cluster C of T such that dΠ = cC, then d(T ) = dΠ = cC = c(T ).

As indicated in these results, c(T ) = d(T ) makes a criterion for examining whether the upper bound and the lower bound on A R(T ) will match. In the next section, we will show that this equality holds for all trees.

4 The main results

Blundo et al. [3] gave an algorithm for producing a star covering of a tree T. We make a slight modification to it and restate it for completeness. Let NT(v) be the set of all neighbors

ofv in T and Svbe the star centered atv with NT(v) as its leaf set.

Algorithm;

Covering(T) Cover(v)

Letv ∈ I N(T ) A(v) ← NT(v) ∩ I N(T )

Π ← φ Π ← Π ∪ {Sv}

Cover(v) E(T ) ← E(T )\E(Sv)

Output the star coveringΠ V (T ) ← V (T )\((NT(v) ∩ L F(T )) ∪ {v})

for allv∈ A(v) do Cover(v)

Lemma 8 Let T be a tree. The star coveringΠ of T produced by Covering(T ) has deduction dΠ = 1 if T = K1,1and dΠ = 0 if T = K1,1.

Proof For T = K1,1, the initial vertex v and all leaves of T appear in exactly one star in Π.

All internal vertices but the initial one appear twice in the covering. So the vertex-number sum m= l f (T ) + 1 + 2(in(T ) − 1) = |V (T )| + in(T ) − 1, and we have dΠ = 1.

We shall refine this process and obtain star coverings with higher deductions next. A vertexv ∈ I N(T ) is called a critical vertex of T if NT(v)∩L F(T ) = ∅. In the structure

of a tree T, critical vertices play an important role in our discussion. We use XT to denote

the set of all critical vertices of T. Let KTbe the subgraph induced by XT andT(resp. YT)

be the set of all nontrivial (resp. trivial) components in KT. The set YT is in fact the set of all

(6)

and E⊆ E(T ), the graph T \Vis obtained by removing from T all vertices in Vas well as all edges incident to them. T\Eis resulted from removing all edges in Efrom T. Both T\Vand T\Emay contain isolated vertices.

Proposition 9 Let T = K1,1be a tree. IfT = ∅ and |YT| = y ≥ 0, then there exists a

star coveringΠ of T with deduction dΠ = y + 1.

Proof Let G be an arbitrary component in T\YT. If w1, . . . , wlare all of the vertices in YT

that are adjacent to some vertices in G, then we define ˜G as the subgraph of T induced by V(G) ∪ {w1, . . . , wl}. Let H = { ˜G|G is a component in T \YT} and Π˜Gbe the star covering

produced by algorithm Covering( ˜G). By the definition of YT, no ˜G is isomorphic to K1,1,

so dΠ˜G = 1 by Lemma8. Since˜G∈HE( ˜G) = E(T ), the covering Π =˜G∈HΠ˜G is a star covering of T with vertex-number sum

m =  ˜G∈H (|V ( ˜G)| + in( ˜G) − 1) = ⎛ ⎝V (T ) +  v∈YT (degT(v) − 1)⎠ + (in(T ) − y) − ⎛ ⎝ v∈YT degT(v) − (y − 1) ⎞ ⎠ = V (T ) + in(T ) − (y + 1).

Next, we consider the core number of T. For a tree T with XT = ∅, {I N(T )} is obviously

a core cluster of minimum size. The following lemma is straight forward. Lemma 10 Let T = K1,1be a tree. If XT = ∅, then c(T ) = 1.

Now, we introduce the way we decompose a tree in order to define a core cluster we need. Let V ⊆ V (T ). Given a vertex ¯v ∈ NT(v) ∩ I N(T ) for each v ∈ V, we set

E = {v ¯v|v ∈ V}. For each component G in T \E, let G+ be the subtree of T obtained by attaching to G all edges of the formv ¯v if ¯v ∈ V (G), then G+ = G if G does not contain any¯v. We also denote the collection of all G+’s, where G is a component in T\E, asH+(T, V, E). Observe that, if degT(v) = 2, then v ∈ L F(G+) for exactly two G+’s in the collectionH+(T, V, E).

Proposition 11 Let T = K1,1 be a tree. IfT = ∅ and |YT| = y ≥ 0, then c(T ) =

d(T ) = y + 1.

Proof It suffices to show that there is a core cluster of T of size y+ 1. For each v ∈ YT,

choose an arbitrary neighbor ofv as ¯v, then ¯v ∈ I N(T ). Let E= {v ¯v|v ∈ YT}. There are

y+ 1 subgraphs in H+(T, YT, E). Let H+(T, YT, E) = {G+0, G+1, . . . , G+y} where Gi’s,

i= 0, 1, . . . , y are the components in T \E. Note that any two vertices in YThave distance

at least two, so I N(G+i ) = ∅. Let Vi = I N(G+i ) ∪ {v|v ∈ V (Gi) ∩ YT and degT(v) = 2}.

We claim that{V0, V1, . . . , Vy} is a core cluster of T. First, each vertex u ∈ I N(T )\YT

belongs to exactly one I N(G+i ) and also exactly one Vi. Each v ∈ YT belongs to exactly

(7)

It belongs to exactly one I N(G+i ) and hence exactly one Vi. If degT(v) = 2, then v is a

leaf of exactly one component Giin T\Eand is a leaf of two subgraphs inH+(T, YT, E).

Hence it belongs to exactly one Vi and none of I N(G+j)’s, j = 0, 1, . . . , y. This shows

that{V0, V1, . . . , Vy} is a partition of I N(T ). Next, each Vi certainly induces a connected

subgraph of T. In addition, each v ∈ Vi∩ YT has a neighbor ¯v not in Vi. Each u ∈ Vi\YT

has a leaf neighbor in T which does not belongs to Vi. Hence, Vi is a core of T. Since we

have a core cluster of size y+ 1, the result then follows immediately by Proposition9and

Corollary7.

Before literally proving our main theorem, we examine the relation between the deductions of star coverings of subtrees inH+(T, V, E) and the deduction of a star covering of T more closely.

Lemma 12 Let V be an independent subset of I N(T ) and z = |{v ∈ V| degT(v) ≥ 3}|. For each v ∈ V, let ¯v be a nonleaf neighbor of v in T and E= {v ¯v|v ∈ V}. If there is a star coveringΠTof each T∈ H+(T, V, E) with deduction dΠT , then Π =



T∈H+(T,V,E)ΠTis a star covering of T with deduction dΠ = 

T∈H+(T,V,E)dΠT −z.

Proof DenoteH+(T, V, E) by H+for now. SinceT∈H+E(T) = E(T ), Π is a star covering of T. The vertex-number sum m of Π is

m =  T∈H+ (|V (T)| + in(T) − d ΠT ) = |V (T )| + |V| + in(T ) − (|V| − z) −  T∈H+ dΠT  = |V (T )| + in(T ) − ⎛ ⎝  T∈H+ dΠT  − z⎠ .

Now, we are in a position to present our main theorem. Theorem 13 Let T be a tree of order n, then c(T ) = d(T ) and

A R(T ) = n+ in(T ) − c(T )

n .

Proof We prove this result by induction on|XT|.

(1) If|XT| = 0 or 1, then T = ∅. The result holds by Proposition11.

(2) Suppose that|XT| ≥ 2. By Proposition11, we may assume thatT = ∅.

Choose a vertexv ∈ L F(T) for some T∈ T and let ¯v be the neighbor of v in T. There

are two subtrees G+0 and G+1 inH+(T, {v}, {v ¯v}), each of which is not a K1,1. Let G+0 be

the one not containing ¯v, then |XG+

0| < |XT| is obviously true. Since v ∈ L F(G +

1), it is

no longer a critical vertex of G+1, we also have |XG+

1| < |XT|. By induction hypothesis,

there exist a star covering Πi of G+i and a core cluster Ci = {Vi 1, Vi 2, . . . , Vi ki} with

dΠi = cCi = ki > 0, i = 0, 1. Then Π = Π0∪ Π1is a star covering of T. We construct a

core cluster of size dΠ next.

(i) If degT(v) ≥ 3, then dΠ= k0+ k1− 1 by Lemma12. Suppose thatv ∈ V01. Since V01

(8)

of G+0 becausev is critical both in T and in G+0. We may assume that v∈ V02. Now, let

C= {V01∪ V02, V03, . . . , V0k0, V11, . . . , V1k1}, then |C| = k0+ k1− 1. We claim thatC

is a core cluster of T. First note that I N(G+0) ∪ I N(G+1) = I N(T ) and any two sets in

Care disjoint. Each set inC\{V01∪ V02} is a core of G+0 or G+1, hence a core of T. For

V01∪ V02, ¯v is a neighbor of v in T not in V01∪ V02. Since v ∈ L F(T), vis not critical

and then has a leaf neighborv = v in G+0 (and in T ) not in V02, so v /∈ V01∪ V02and

V01∪ V02is qualified as a core of T. Therefore,Cis a core cluster of T of size dΠ.

(ii) If degT(v) = 2, then dΠ = k0+ k1by Lemma12. Sincev is a critical vertex of T, the

neighborv = ¯v in T is an internal vertex of G+0. We may assume that v ∈ V01. Let

C = {V01∪ {v}, V02, . . . , V0k0, V11, . . . , V1k1}, then |C| = k0+ k1. To show thatCis

a core cluster of T, it suffices to show that V01∪ {v} is a core of T. Note that vis not

critical in both G+0 and T. It has a leaf neighbor v = v not in V01∪ {v}. Besides, ¯v is a

neighbor ofv in T not in V01∪ {v}. V01∪ {v} is then a core of T. Therefore, T also has

a core cluster of size dΠin this case.

In both cases, we have c(T ) = d(T ), which implies that the lower bound and the upper bound of A R(T ) coincide. Hence, AR(T ) = n+in(T )−c(T )

n .

5 Some examples

In this section, we evaluate the average information ratio systematically for two infinite classes of trees using our approach.

The only infinite class of trees which has known average information ratio is the paths. By evaluating the core number, we can easily obtain the known result.

Proposition 14 ([10]) Let Pnbe a path of length n. Then

A R(Pn) = 3n 2(n+1), i f n is even; and 3n+1 2(n+1), i f n is odd.

Proof By Proposition11, we have c(P1) = 0, c(P2) = c(P3) = 1 and c(P4) = 2.

Observe thatPn = {Pn−4} for all n ≥ 5. Since any leaf of the Pn−4inPn has degree two

in Pn, from the proof of Theorem13, we have c(Pn) = c(Pn−4) + 2. Recursively, we have

c(Pn) = c(Pi) + 2k, if n= 4k + i, i = 1, 2, 3; and c(P4) + 2(k − 1), if n = 4k. = n 2, if n is even; and n−1 2 , if n is odd. Hence, A R(Pn) = (n + 1) + (n − 1) − c(P n) n+ 1 = 3n 2(n+1), if n is even; and 3n+1 2(n+1), if n is odd.

Next, we evaluate the average information ratio of complete q-ary trees. A complete q-ary tree with k levels is a rooted tree such that each nonleaf vertex has q children and the distance from the root to each leaf is k.

(9)

Proposition 15 Let Tkbe a complete q-ary tree with k levels, q≥ 2. Then A R(Tk) = ⎧ ⎨ ⎩ qk+2+2qk+1−q2−2q (q+1)(qk+1−1) , i f k i s even; and qk+2+2qk+1−q2−q−1 (q+1)(qk+1−1) , i f k is odd.

Proof By Proposition11, c(T1) = 1 and c(T2) = 2. Observe that Tk = {Tk−2} and

the Tk−2has qk−2 leaves, each of which has degree q+ 1 ≥ 3 in Tk. Since each leaf of

the Tk−2and its descendants in Tkcompose a T2, from the proof of Theorem13, we get

c(Tk) = c(Tk−2) + qk−2(c(T2) − 1) = c(Tk−2) + qk−2. Recursively, the core number

of Tkcan be evaluated as follows.

c(Tk) = qk−2+ qk−4+ · · · + q2+ c(T 2), if k is even; and qk−2+ qk−4+ · · · + q + c(T1), if k is odd. = ⎧ ⎨ ⎩ qk+q2−2 q2−1 , if k is even; and qk+q2−q−1 q2−1 , if k is odd. Therefore, A R(Tk) = qk+1−1 q−1 + qk−1 q−1 − c(Tk) qk+1−1 q−1 = ⎧ ⎨ ⎩ qk+2+2qk+1−q2−2q (q+1)(qk+1−1) , if k is even; and qk+2+2qk+1−q2−q−1 (q+1)(qk+1−1) , if k is odd. 6 Conclusion

We have proposed the idea of the deduction d(T ) and the core number c(T ) of a tree and showed that these values are the same, thereby proving the upper bound and the lower bound of the average information ratio of a tree coincide. By doing so, we also present a systematic way of evaluating the core number of a tree. Together with the result by Csirmaz and Tardos [6], we complete the work of evaluating the information ratio and the average information ratio of all trees.

In fact, the notions of the deduction and the core number can be extended to general graphs. The condition d(G) = c(G) makes a criterion for examining whether the upper bound and the lower bound on A R(G), for any G, will match. The idea formulates a complicated problem of secret-sharing schemes into a problem in graph theory with easy description. “For what kind of graphs will the identity be true?” is indeed an interesting question to investigate. One obvious restriction to set on G is that G must be of larger girth. A star covering generally does not serve as a complete multipartite covering with the least vertex-number sum for a graph of small girth. We have made some progress in the study of bipartite graphs of large girth. Finding a star covering whose deduction matches the size of a core cluster is in general very difficult. However, there have not been any bounds or asymptotic results on the complexity of the problem yet.

(10)

Acknowledgments The authors would like to express their deep gratefulness to the reviewers for their detail comments and valuable suggestions which lead to great improvement in the presentation of the paper. The work of Hui-Chuan Lu was supported in part by NSC 100-2115-M-239-001 and the work of Hung-Lin Fu was supported in part by NSC 97-2115-M-009-011-MY3.

References

1. Beimel A.: Secret-sharing schemes: a survey. In: Proceedings of 3rd International Workshop Coding and Cryptology, Lecture Notes in Computer Science, vol. 6639, pp. 11–46 (2011).

2. Blakley G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, 1979. American Federation of Information Processing Societies Proceedings, vol. 48, pp. 313–317 (1979). 3. Blundo C., De Santis A., Stinson D.R., Vaccaro U.: Graph decompositions and secret sharing schemes.

J. Cryptol. 8, 39–64 (1995).

4. Brickell E.F., Davenport D.M.: On the classification of ideal secret sharing schemes. J. Cryptol. 4, 123–134 (1991).

5. Csirmaz L.: The size of a share must be large. J. Cryptol. 10, 223–231 (1997).

6. Csirmaz L., Tardos G.: Exact bounds on tree based secret sharing schemes. Tatracrypt, Slovakia (2007). 7. Marti-Farré J., Padró C.: On secret sharing schemes, matroids and polymatroids. J. Math. Cryptol. 4,

95–120 (2010).

8. Shamir A.: How to share a secret. Commun. ACM 22, 612–613 (1979).

9. Stinson D.R.: An explication of secret sharing schemes. Des. Codes Cryptogr. 2, 357–390 (1992). 10. Stinson D.R.: Decomposition constructions for secret sharing schemes. IEEE Trans. Inform. Theory 40,

118–125 (1994).

11. van Dijk M.: On the information rate of perfect secret sharing schemes. Des. Codes Cryptogr. 6, 143–169 (1995).

數據

Updating...

參考文獻

Updating...