
The Average Information Ratio of Secret-Sharing Schemes for Graph-Based Access Structures


Academic year: 2021


National Chiao Tung University

Department of Applied Mathematics

Doctoral Dissertation

The Average Information Ratio of Secret-Sharing Schemes for Graph-Based Access Structures

Student: Hui-Chuan Lu

Advisor: Hung-Lin Fu

A Dissertation

Submitted to Department of Applied Mathematics

College of Science

National Chiao Tung University

in Partial Fulfillment of the Requirements

for the Degree of

Doctor of Philosophy

in

Applied Mathematics

June 2013

Hsinchu, Taiwan, Republic of China


Abstract

A perfect secret-sharing scheme is a method of distributing a secret among a set of n participants in such a way that only qualified subsets of participants can recover the secret and the joint share of the participants in any unqualified subset is statistically independent of the secret. The collection of all qualified subsets is called the access structure of the scheme. In a graph-based access structure, each vertex of a graph G represents a participant and each edge of G represents a minimal qualified subset. The information ratio of a perfect secret-sharing scheme realizing a given access structure is the ratio of the maximum length of the share given to a participant to the length of the secret, while the average information ratio is the ratio of the average length of the shares given to the participants to the length of the secret. The infimum of the (average) information ratio of all possible perfect secret-sharing schemes realizing an access structure is called the optimal (average) information ratio of that access structure. In this thesis, we focus on the average information ratio of graph-based access structures.

In a weighted threshold scheme, each participant has his or her own weight. A subset is qualified if and only if the sum of the weights of participants in the subset is not less than the given threshold. Morillo et al. considered the scheme for a weighted threshold access structure that can be represented by a graph, which is referred to as a k-weighted graph. They characterized this kind of access structure and derived a bound on the optimal information ratio. In Chapter 2, we deal with the average information ratio of the secret-sharing schemes for these access structures. Two sophisticated constructions are presented. Bounds on their average information ratio are derived. Each of our constructions has its own advantages and both of them perform very well when n/k is large.

Due to the difficulty of finding the exact values of the optimal information ratio and the optimal average information ratio, most results give bounds on them. Before 2007, apart from one specially defined class of graphs, the paths and cycles are the only infinite classes of graph-based access structures whose optimal information ratio and optimal average information ratio are known. Csirmaz and Tardos found the exact values of the optimal information ratio of all tree-based access structures in 2007. In 2009, Csirmaz and Ligeti determined the exact values of the optimal information ratio of broader classes of graph-based access structures.

Following in their footsteps, we devote our efforts to the discussion of the optimal average information ratio of tree-based access structures in Chapter 3. We successfully determine the exact values of the optimal average information ratio of all tree-based access structures. Our idea also formulates a complicated problem in secret sharing as a problem in graph theory with an easy description.

Extending our work in Chapter 3, we are dedicated to the study of the optimal average information ratio of the access structures based on bipartite graphs in Chapter 4. We determine the optimal average information ratio of some classes of bipartite graphs. In addition, we also give a bound on the optimal average information ratio of the remaining classes of bipartite graphs. This bound is the best for some classes of bipartite graphs using our approach.

In the final chapter, we summarize our work in this thesis and introduce possible directions of future research.

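Chinese Abstract

A secret-sharing scheme is a mechanism that divides a secret into shares distributed to all participants, so that only the participants in a qualified subset can reconstruct the secret by combining the shares they were given, while the participants in a nonqualified subset cannot obtain any information about the secret from their shares. The collection of all qualified subsets is called the access structure of the scheme. The collection of all minimal qualified subsets of an access structure is called the basis of that access structure.

An access structure based on a graph G is one in which every vertex of G is regarded as a participant and the edge set of G is the basis. The information ratio and the average information ratio, which are widely discussed in secret-sharing problems, are defined respectively as the ratio of the maximum length of the share given to a participant to the length of the secret, and the ratio of the average length of the shares given to all participants to the length of the secret. The infimum of the (average) information ratio over all secret-sharing schemes that can be constructed for an access structure is called the optimal (average) information ratio of that access structure. In this thesis we study the optimal average information ratio of graph-based access structures.

We first discuss weighted threshold secret-sharing schemes. Given a threshold t > 0 and a weight function defined on the set of participants, a subset is qualified if the sum of the weights of all participants in it is not less than the given threshold t. The access structure formed by such qualified subsets is called a weighted threshold access structure. Morillo et al. studied the weighted threshold access structures that can be represented by graphs and called such a graph a k-weighted graph. They clearly characterized the structure of these graphs and derived an upper bound on the optimal information ratio of these access structures. In Chapter 2 of this thesis, we investigate the optimal average information ratio of k-weighted graphs. We propose two constructions of secret-sharing schemes and derive bounds on their average information ratios. Both constructions have very low average information ratios, and each has its own advantages. As the number of participants tends to infinity, the average information ratio of the schemes we construct approaches the optimal value 1.

Since deriving the optimal information ratio and the optimal average information ratio is a rather difficult problem, most results provide upper and lower bounds. Before 2007, the only infinite classes of graphs whose optimal information ratio and optimal average information ratio had been determined were paths and cycles, together with one class of graphs defined by Blundo et al. In 2007, Csirmaz and Tardos determined the exact values of the optimal information ratio of all trees. In 2009, Csirmaz and Ligeti determined the exact values of the optimal information ratio of broader classes of graphs.

In Chapters 3 and 4 of this thesis, we devote ourselves to the study of the exact values of the optimal average information ratio. In Chapter 3 we present our approach to determining the exact value of the optimal average information ratio of graph-based access structures. Our method models this complicated problem in secret sharing mathematically as a max-min problem in graph theory that can be described in simple language. Using this method, we determine the exact values of the optimal average information ratio of all trees and provide a systematic way of finding this value.

In Chapter 4, we go further and discuss the optimal average information ratio of bipartite graphs. We determine the exact values of the optimal average information ratio of any even-subdivision of a simple graph and of some classes of bipartite graphs. In addition, for bipartite graphs whose exact optimal average information ratio has not yet been determined, we derive upper and lower bounds on the optimal average information ratio. For some classes of graphs, the bounds we give are the best that can be obtained by our approach.

Finally, in Chapter 5, we give a brief summary and introduce directions for future research.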

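Acknowledgements

Being at once a student, a teacher, a mother and a homemaker, I never had enough time during these four years of doctoral study, and the pressure followed me like a shadow without ever letting up. Without the great help of the many benefactors around me, I could not have completed the pursuit of a doctoral degree on my own. I would therefore like to use this acknowledgement to sincerely thank them for their help.

First I must thank my advisor, Professor Hung-Lin Fu. My connection with Professor Fu began before I entered the doctoral program. At that time I had merely visited him through the introduction of my colleague 吳順良, yet he gave me a great deal of guidance and assistance in many respects, which allowed me to be promoted to associate professor on the strength of my publications a few years later. Even after my mother was diagnosed with cancer, it was through Professor Fu's introduction that she was transferred to the clinic of Dr. 賴, an authority in chest medicine at Dalin Tzu Chi Hospital, so that my mother could enjoy a good quality of life in her last few years and complete the final stage of her life peacefully and with dignity. I can never repay this kindness. After I entered the doctoral program, he gave me even more guidance, assistance and care. As his student, I came to realize that he is not only a giant in academia but also the best mentor in life. He not only taught and advised us in professional knowledge; his teaching by example has deeply influenced every student in our academic family. What we learned is not only a vision for doing research, but also an attitude toward life and humility in facing things. My gratitude for his support and care all along is truly beyond words.

Next I would like to thank Professor 翁志文. As early as my oral examination for admission to the doctoral program, when I could not answer a question, Professor 翁 spoke up to rescue me. Over the past four years I took many of his courses and benefited greatly from every one. His pragmatic attitude of doing things himself and seeking truth from facts impresses me greatly and is the best example for us to learn from. I would also like to thank the department chair, Professor 陳秋媛. Although I never had the chance to take her courses, her care for students and her serious, careful and persistent attitude toward work earn my great admiration. I thank Chair 陳 for running the Department of Applied Mathematics so well and so attentively, giving me a pleasant doctoral experience. I also thank my colleague Professor 吳順良; had it not been for his urging and help, and for introducing me to Professor Fu, so that I, several years after finishing my master's degree, returned to the path of research, I could not have fulfilled my ideal of pursuing a doctorate now. And the graceful assistants in the department office, 盈吟, 麗君 and 慧珊, always helped me greatly when I faced tiresome administrative procedures and saved me a lot of trouble; thank you.

In addition, I thank the many junior members of our academic family, 惠蘭, 貓頭, 敏筠, 智懷, 軒軒 ... and others. Since I was not familiar with many matters at the university, they not only discussed research problems with me but were also my best advisers on university affairs; they always gave me the greatest assistance when I needed help most, saving me much time groping around. Besides them, I especially thank 光祥, whom I met at the oral examination for doctoral admission. When we took courses together in the first and second years, 光祥 gave me much timely help and advice, so that I, whose master's work was not in the discrete field, could keep up smoothly when first studying in this field and learn most effectively. Having gone through the admission oral examination, coursework and the preparation for two qualifying examinations together, I always feel a special "revolutionary comradeship" with 光祥; he helped me learn a great deal. Besides 光祥, I also thank 鈺傑, 忠逵 and 智懷, who prepared for the qualifying examinations with me; the discussions with you inspired me greatly and deepened my understanding of what I had learned, and I miss the time we spent in discussion.

Finally, of course, I thank my dear family. First my two lovely children 志群 and 季晴: your good behavior and thoughtfulness spared Mom from worrying about you, so that I could pursue my ideal with peace of mind. You are also the greatest source of motivation for my efforts. My considerate daughter 季晴 has always been my best little secretary; the slides for my dissertation defense were finished in time thanks to her help, and, just like her mom, she is always "fussy" and meticulous about doing the best. Most of all, I thank my husband 心漢; his unconditional tolerance and support are the strong backing behind my efforts. When I was burning the candle at both ends, he shared the housework and work with me; when I was under too much pressure and in low spirits, he gave me the best comfort and a shoulder to lean on, giving me the strength to pull myself together again. I do not know what good deeds I did in a previous life that heaven should grant me this impeccable life partner!

I dedicate this doctoral dissertation to my family, and to my parents in heaven. Thank you for giving me ample wisdom and a strong will. Your daughter has received her doctorate!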

Contents

English Abstract
Chinese Abstract
Acknowledgements
Contents
List of Figures

1 Introduction
1.1 Preliminaries
1.2 Graph-Based Access Structures
1.3 Approaches to the Derivation of Bounds on the Ratios
1.3.1 The Derivation of Upper Bounds
1.3.2 The Derivation of Lower Bounds
1.4 Known Results on R(G) and AR(G)
1.5 Overview of the Thesis

2 Average Information Ratio of Weighted Threshold Secret-Sharing Schemes
2.1 Weighted Threshold Access Structures
2.2 An Observation
2.3 Construction (I)
2.5 Concluding Remark

3 Optimal Average Information Ratio for Trees
3.1 Our Approach to the Determination of the Exact Values of AR(G)
3.2 The Exact Values of the Optimal Information Ratio of All Trees
3.3 The Evaluation of AR(T) for Some Classes of Trees Using Our Approach
3.4 Concluding Remark

4 The Average Information Ratio of Bipartite Graphs
4.1 Some Classes of Realizable Graphs
4.2 A Bound on the Optimal Average Information Ratio of Bipartite Graphs
4.3 Concluding Remark

5 Conclusion
5.1 Our Contribution
5.2 Future Work

List of Figures

2.1 The binary tree for Construction (I)
2.2 The binary tree for Construction (II)
2.3 A comparison of the results in the case when µ = 20.
2.4 A comparison of AR1 and AR2 in the case when µ = 20.


Chapter 1

Introduction

Originally motivated by the problem of secure information storage, secret-sharing schemes have found numerous applications in cryptography and distributed computing such as access control, attribute-based encryption and secure multiparty computations. A secret-sharing scheme involves a dealer who has a secret, a finite set P of participants and a collection Γ of subsets of P called the access structure. Each subset in Γ is a qualified subset. A secret-sharing scheme is a method by which the dealer distributes a secret among the participants in P such that only the participants in a qualified subset can recover the secret from the shares they received. If, in addition, the joint share of the participants in any unqualified subset is statistically independent of the secret, then the secret-sharing scheme is called perfect. We will use “secret-sharing scheme” for “perfect secret-sharing scheme” since only perfect ones are considered in the thesis. An access structure is naturally required to be monotone, that is, any subset of P containing a qualified subset must also be qualified. Therefore, an access structure is completely determined by the family of its minimal subsets. This family of the minimal subsets in Γ is called the basis of Γ.

Shamir [31] and Blakley [3] independently introduced the first kind of secret-sharing schemes called the (t, n)-threshold schemes in 1979. In such a scheme, the basis of the access structure consists of all t-subsets of the participant set of size n. Their work has raised a great deal of interest in the research of many aspects of secret-sharing problems. Related problems have received considerable attention since then. Secret-sharing schemes for various access structures as well as many modified versions with additional capacities were widely studied [11, 12, 19, 21, 22, 24, 29]. The information ratio and the average information ratio of secret-sharing schemes have long been the main subjects of discussion. The information ratio of a secret-sharing scheme is the ratio of the maximum length (in bits) of the share given to a participant to the length of the secret, while the average information ratio of a secret-sharing scheme specifies the ratio of the average length of the shares given to the participants to the length of the secret. These ratios respectively represent the maximum and the average number of bits a participant has to remember for each bit of the secret. As opposed to them, some literature uses information rate and average information rate which are exactly the reciprocal of the information ratio and the average information ratio respectively. For lower storage and communication complexity, these ratios are expected to be as low as possible. The question of constructing secret-sharing schemes with the lowest ratios arose naturally. Given an access structure Γ, the infimum of the (average) information ratio of all possible secret-sharing schemes realizing this access structure Γ is referred to as the optimal (average) information ratio of Γ. It has been shown that, for general access structures, the infimum is not always a minimum [2]. The reader is referred to [1] and its references for a comprehensive survey and recent developments in secret-sharing. Secret sharing has been an interesting branch of modern cryptography.

1.1 Preliminaries

Let $P$ be the set of all participants and $\Gamma \subseteq 2^P$ be the access structure. We use $\Gamma_0$ to denote the basis of $\Gamma$. Then $\Gamma$ is called the closure of $\Gamma_0$, written $\Gamma = \mathrm{Cl}(\Gamma_0)$. Let $K$ be the set of all secrets and $S$ be the set of all

share $s \in S_p$ where $S_p$ is the set of all shares participant $p$ receives from the dealer corresponding to all secrets in $K$. A distribution rule is a function $f : \{D\} \cup P \to K \cup S$ with $f(D) \in K$ and $f(p) \in S$ for all $p \in P$. $f(D)$ is the secret to be distributed and $f(p)$ is the share participant $p$ receives from the dealer for secret $f(D)$. Let $F$ be a collection of distribution rules and $F_d = \{f \in F : f(D) = d\}$. We call $F$ a perfect secret-sharing scheme if the following two conditions are satisfied:

i) Given any $B \in \Gamma$ and $f, g \in F$, if $f(p) = g(p)$ for all $p \in B$, then $f(D) = g(D)$.

ii) Given any $B \notin \Gamma$ and any function $g : B \to S$, there exists a nonnegative integer $\lambda(g, B)$ such that, for each $d \in K$,

$$|\{f \in F_d \mid f(p) = g(p),\ \forall p \in B\}| = \lambda(g, B).$$

The first condition guarantees that the shares given to a qualified subset uniquely determine the secret. The second ensures that the shares given to an unqualified subset reveal no information about the secret. When these two conditions are met, we say that this secret-sharing scheme $F$ realizes the access structure $\Gamma$. Since all schemes mentioned in this thesis are perfect, we will simply use “secret-sharing scheme” for “perfect secret-sharing scheme” throughout. The information ratio of the secret-sharing scheme $F$, denoted as $R_F$, is defined as

$$R_F = \frac{\max\{\log_2 |S_p| : p \in P\}}{\log_2 |K|}$$

and the average information ratio of $F$, written as $AR_F$, is

$$AR_F = \frac{\sum_{p \in P} \log_2 |S_p|}{|P| \log_2 |K|}.$$

The optimal information ratio and the optimal average information ratio of the access structure $\Gamma$ are denoted as $R(\Gamma)$ and $AR(\Gamma)$, respectively. It is well known that $R(\Gamma) \ge AR(\Gamma) \ge 1$ and that $R(\Gamma) = 1$ if and only if $AR(\Gamma) = 1$. A secret-sharing scheme with information ratio equal to one is then called an ideal secret-sharing scheme. An access structure is said to be ideal if there exists an ideal secret-sharing scheme for it.

Example 1.1.1. Consider the case where the set of participants $P = \{a, b, c\}$, the basis of the access structure $\Gamma_0 = \{\{a, b\}, \{b, c\}\}$ and the set of secrets $K = GF(3)$. Define the set of distribution rules as $F = \{f_{r,d} \mid r, d \in GF(3)\}$ where $f_{r,d}(D) = d$, $f_{r,d}(a) = f_{r,d}(c) = r$ and $f_{r,d}(b) = r + d$, then this scheme can be represented by the following table:

    D  a  b  c
    0  0  0  0
    0  1  1  1
    0  2  2  2
    1  0  1  0
    1  1  2  1
    1  2  0  2
    2  0  2  0
    2  1  0  1
    2  2  1  2

Note that each row in the table represents a distribution rule. One can easily check that this scheme is a secret-sharing scheme and $R_F = AR_F = 1$ since $K = S_a = S_b = S_c = GF(3)$. This scheme is in fact an ideal one. Therefore, $\mathrm{Cl}(\Gamma_0)$ is an ideal access structure.
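The check that Example 1.1.1 leaves to the reader can be done by brute force over the nine distribution rules. The following is an added example, not code from the thesis; the function names are chosen here, and `leaky_rules` is a constructed counterexample (b's share equals the secret) that still has both ratios equal to 1 but fails condition ii).

```python
from itertools import combinations, product
from math import log2

Q = 3                               # K = GF(3), arithmetic mod 3
PARTICIPANTS = ("a", "b", "c")
BASIS = [{"a", "b"}, {"b", "c"}]    # Gamma_0 of Example 1.1.1


def example_rules():
    """F = {f_{r,d}}: f(D) = d, f(a) = f(c) = r, f(b) = r + d."""
    return [{"D": d, "a": r, "b": (r + d) % Q, "c": r}
            for d, r in product(range(Q), repeat=2)]


def leaky_rules():
    """Constructed counterexample: b's share is the secret itself."""
    return [{"D": d, "a": r, "b": d, "c": r}
            for d, r in product(range(Q), repeat=2)]


def is_qualified(subset):
    """Membership in Cl(Gamma_0): the subset contains a basis element."""
    return any(edge <= set(subset) for edge in BASIS)


def subsets():
    for size in range(len(PARTICIPANTS) + 1):
        yield from combinations(PARTICIPANTS, size)


def condition_i(rules):
    """For every qualified B, equal shares on B force equal secrets."""
    for B in filter(is_qualified, subsets()):
        secret_for = {}
        for f in rules:
            view = tuple(f[p] for p in B)
            if secret_for.setdefault(view, f["D"]) != f["D"]:
                return False
    return True


def condition_ii(rules):
    """For every unqualified B and every g: B -> S, the number of rules
    in F_d that agree with g on B is the same lambda(g, B) for all d."""
    for B in subsets():
        if is_qualified(B):
            continue
        for g in product(range(Q), repeat=len(B)):
            counts = {
                sum(1 for f in rules
                    if f["D"] == d and all(f[p] == x for p, x in zip(B, g)))
                for d in range(Q)
            }
            if len(counts) != 1:      # lambda depends on d: information leaks
                return False
    return True


def ratios(rules):
    """(R_F, AR_F) computed from |S_p| and |K| as defined in Section 1.1."""
    secret_bits = log2(len({f["D"] for f in rules}))
    share_bits = [log2(len({f[p] for f in rules})) for p in PARTICIPANTS]
    return (max(share_bits) / secret_bits,
            sum(share_bits) / (len(PARTICIPANTS) * secret_bits))


if __name__ == "__main__":
    for name, rules in (("Example 1.1.1", example_rules()),
                        ("leaky variant", leaky_rules())):
        print(name, condition_i(rules), condition_ii(rules), ratios(rules))
```
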

Researchers have characterized many kinds of ideal access structures by taking advantage of matroid theory and linear algebra [8, 25, 26, 27]. In this thesis, we only consider graph-based access structures.

1.2 Graph-Based Access Structures

These structures have been widely studied during the past decades. In such an access structure, each vertex of a graph G represents a participant and each edge represents a minimal qualified subset, that is, P = V(G) and Γ = Cl(E(G)). We shall introduce another definition of a secret-sharing scheme next. The equivalence of this definition and the previous one has been shown in [1]. The information ratio and the average information ratio of a secret-sharing scheme can then be defined alternatively in a way that is especially convenient for deriving lower bounds on R(G) and AR(G).

A secret-sharing scheme $\Sigma$ for the access structure based on $G$ is a collection of random variables $\zeta_S$ and $\zeta_v$ for $v \in V(G)$ with a joint distribution such that

(i) $\zeta_S$ is the secret and $\zeta_v$ is the share of $v$;

(ii) if $uv \in E(G)$, then $\zeta_u$ and $\zeta_v$ together determine the value of $\zeta_S$;

(iii) if $A \subseteq V(G)$ is an independent set in $G$, then $\zeta_S$ and the collection $\{\zeta_v \mid v \in A\}$ are statistically independent.

Before introducing the alternative definition of the (average) information ratio, we recall some basic properties of the Shannon entropy function. Given a discrete random variable $X$ with possible values $\{x_1, x_2, \ldots, x_n\}$ and a probability distribution $\{p(x_i)\}_{i=1}^{n}$, the Shannon entropy of $X$ is defined as $H(X) = -\sum_{i=1}^{n} p(x_i) \log p(x_i)$, which is a measure of the average uncertainty associated with $X$. It holds that $0 \le H(X) \le \log |X|$. Note that $H(X)$ takes its minimum value 0 if there is a value $x_i$ of $X$ with $p(x_i) = 1$ and it attains its maximum value $\log |X|$ if $p$ is a uniform distribution [17]. Let us assume the probability distributions involved are uniform. Then the information ratio of the scheme $\Sigma$ can be defined as $R_\Sigma = \max_{v \in V(G)} \{H(\zeta_v)/H(\zeta_S)\}$ and the average information ratio of $\Sigma$ is $AR_\Sigma = \left(\sum_{v \in V(G)} H(\zeta_v)\right) / \left(|V(G)|\, H(\zeta_S)\right)$.

For simplicity, with the same symbol $G$, we will denote both the graph as well as the access structure based on it. For example, “a secret-sharing scheme on G” refers to “a secret-sharing scheme for the access structure based on G”. Furthermore, the optimal information ratio, $R(G)$, of $G$ and the optimal average information ratio, $AR(G)$, of $G$ are the infimum of the information ratio $R_\Sigma$ and the average information ratio $AR_\Sigma$ over all possible

[13] and that $R(G) = 1$ if and only if $AR(G) = 1$. A secret-sharing scheme $\Sigma$ on $G$ with the optimal ratio $R_\Sigma = 1$ or $AR_\Sigma = 1$ is then called ideal. An access structure $G$ is ideal if there exists an ideal secret-sharing scheme on it.

The ideal graph-based access structures have been completely characterized in terms of matroids by Brickell and Davenport.

Theorem 1.2.1 ([8]). Suppose that G is a connected graph, then R(G) = AR(G) = 1 if and only if G is a complete multipartite graph.

The basis of the access structure in Example 1.1.1 is in fact the complete multipartite graph $K_{1,2}$. This also shows that $R(K_{1,2}) = 1$.

1.3 Approaches to the Derivation of Bounds on the Ratios

In this section, we introduce the main tools for deriving upper bounds and lower bounds on R(G) and AR(G) for non-ideal graph-based access structures.

1.3.1 The Derivation of Upper Bounds

By constructing a secret-sharing scheme $\Sigma$ on a graph $G$, we naturally have an upper bound $R_\Sigma$ ($AR_\Sigma$) on the optimal (average) information ratio of $G$. Stinson [34] has proposed a very useful method for constructing secret-sharing schemes for a graph from its complete multipartite covering. A complete multipartite covering of a graph $G$ is a collection (multiset) $\Pi = \{G_1, G_2, \ldots, G_l\}$ of complete multipartite subgraphs of $G$ such that each edge of $G$ belongs to at least one subgraph in this collection. Since ideal secret-sharing schemes on all $G_i$'s are known, each vertex (participant) receives a share from the secret-sharing scheme constructed on each $G_i$ containing this vertex. Stinson's idea is to obtain the share of a vertex in the secret-sharing scheme for the whole graph by joining together the shares the vertex receives from all secret-sharing schemes on the complete multipartite subgraphs containing it in the covering. This method has been a major tool for the derivation of upper bounds on the optimal (average) information ratio of a graph. Let us introduce some important parameters of a complete multipartite covering of a graph before stating Stinson's method. The occurrence $t_e$ of an edge $e$ in the covering $\Pi$ is defined as $t_e = |\{j \mid e \in E(G_j)\}|$ and the occurrence $r_v$ of a vertex $v$ is $r_v = |\{j \mid v \in V(G_j)\}|$. The minimum edge occurrence of a covering $\Pi$ is the minimum occurrence of an edge in $\Pi$, denoted as $t_\Pi$, and the maximum vertex occurrence of a covering $\Pi$ is the maximum occurrence of a vertex in $\Pi$, denoted as $r_\Pi$. In dealing with the average information ratio, the most important concern is the total occurrences of all vertices in $\Pi$. This number also represents the total of the vertex numbers of all subgraphs in this covering. We call it the vertex-number sum of the covering $\Pi$, written as $m_\Pi = \sum_{i=1}^{l} |V(G_i)|$.

Theorem 1.3.1 ([34]). Suppose that $\Pi = \{G_1, G_2, \ldots, G_l\}$ is a complete multipartite covering of a graph $G$ with $|V(G)| = n$. Then there exists a secret-sharing scheme $\Sigma$ on $G$ with information ratio $R_\Sigma$ and average information ratio $AR_\Sigma$ where

$$R_\Sigma = r_\Pi / t_\Pi \quad\text{and}\quad AR_\Sigma = \frac{1}{t_\Pi n} \sum_{v \in V(G)} r_v = \frac{m_\Pi}{t_\Pi n}.$$

This theorem suggests that in order to construct a secret-sharing scheme with lower information ratio, we need a complete multipartite covering with smaller maximum vertex occurrence and larger minimum edge occurrence. However, the problem of how many copies of each complete multipartite subgraph of $G$ we should use to compose a covering (multiset) in order to reach the optimal value of the ratio $r_\Pi / t_\Pi$ is a crucial issue to handle. The linear programming technique plays an important role in solving this problem. We introduce the approach by Stinson [34] which is a modification of the version by Blundo et al. [7].

subgraphs of $G$. For $v \in V(G)$, $e \in E(G)$ and $i = 1, 2, \ldots, h$, define

$$c_{vi} = \begin{cases} 1, & \text{if } v \in V(G_i); \\ 0, & \text{if } v \notin V(G_i) \end{cases} \quad\text{and}\quad b_{ei} = \begin{cases} 1, & \text{if } e \in E(G_i); \\ 0, & \text{if } e \notin E(G_i). \end{cases}$$

Suppose we construct a covering using $\alpha_i$ copies of $G_i$, for $i = 1, 2, \ldots, h$. Then we have $t_\Pi = \min_{e \in E(G)} \{\sum_{i=1}^{h} \alpha_i b_{ei}\}$ and $r_\Pi = \max_{v \in V(G)} \{\sum_{i=1}^{h} \alpha_i c_{vi}\}$. The secret-sharing scheme $\Sigma$ constructed via the covering has information ratio $R_\Sigma = r_\Pi / t_\Pi$. Since taking a scalar multiple of all the $\alpha_i$'s does not affect the value of the ratio, we may allow the $\alpha_i$'s to be nonnegative rationals and "normalize" them by stipulating that

$$\max_{v \in V(G)} \Big\{\sum_{i=1}^{h} \alpha_i c_{vi}\Big\} = 1.$$

Then our objective is to maximize $t_\Pi$. The linear programming problem can be described as follows.

(*) Maximize $R$ subject to
    $\alpha_i \ge 0$, $1 \le i \le h$
    $\sum_{i=1}^{h} \alpha_i c_{vi} \le 1$, $v \in V(G)$
    $\sum_{i=1}^{h} \alpha_i b_{ei} \ge R$, $e \in E(G)$

By solving this linear programming problem, the optimal solution will involve rational values of the $\alpha_i$'s. We can make all the $\alpha_i$'s integral by multiplying by an appropriate integer. Then take the resulting integral combination of the $G_i$'s as the covering. We demonstrate this process in the following example.

Example 1.3.2. Consider the access structure based on the graph $G$ depicted below.

[Figure: the graph G on vertices 1, 2, 3, 4, 5 with edges e1, e2, e3, e4, e5, e6]

The list $L$ of complete multipartite subgraphs consists of the subgraphs

    $E(G_i) = \{e_i\}$, $i = 1, 2, \ldots, 6$
    $E(G_{6+i}) = \{e_i, e_{i+1}\}$, $i = 1, 2, \ldots, 5$
    $E(G_{12}) = \{e_1, e_5\}$
    $E(G_{13}) = \{e_1, e_6\}$
    $E(G_{14}) = \{e_2, e_6\}$
    $E(G_{15}) = \{e_4, e_6\}$
    $E(G_{16}) = \{e_1, e_2, e_6\}$
    $E(G_{17}) = \{e_1, e_5, e_6\}$
    $E(G_{18}) = \{e_4, e_5, e_6\}$
    $E(G_{19}) = \{e_2, e_3, e_4, e_6\}$

The optimal solution to the linear programming problem (*) is

$$\alpha_i = \begin{cases} 1/3, & \text{if } i \in \{3, 7, 10, 17, 19\}; \\ 0, & \text{otherwise} \end{cases}$$

and $R = 3/2$. In this case, we have the desired covering $\Pi$ consisting of one copy of $G_3$, $G_7$, $G_{10}$, $G_{17}$ and $G_{19}$. One can easily check the fact that $t_\Pi = 2$ and $r_\Pi = 3$.

Besides these major approaches, there are other results that may sometimes serve as good tools in deriving upper bounds on R(G).

Lemma 1.3.3 ([9]). Suppose that u and v are two vertices of a graph G who have the same neighbors, then R(G) = R(G − v).

Complete multipartite coverings with $t_\Pi > 1$ are especially helpful when

results for average information ratio. In our approach, we use coverings with $t_\Pi = 1$. In this case, complete multipartite coverings with smaller vertex-number sum are what we are aiming for in finding a good upper bound on AR(G). In the case when G is of girth not less than five, the stars are the only possible subgraphs to use in a complete multipartite covering. A complete multipartite covering in which each subgraph is a star is called a star covering. A star covering is indeed most useful for graphs of larger girth. It in general does not result in the least vertex-number sum for a graph of girth less than five. In Chapters 3 and 4, we are dealing with graphs with larger girth. A suitable star covering is our main tool to establish upper bounds on AR(G).

1.3.2 The Derivation of Lower Bounds

Finding lower bounds on the optimal (average) information ratio is generally much more challenging. The only known tool to do this job is the information theoretic approach [4, 13]. Lower bounds are obtained by manipulating information equalities and inequalities. Adopting the result in [10], Blundo et al. [7] showed the following result.

Theorem 1.3.4 ([7]). Let $G$ be a graph with $V(G) = \{v_i \mid i = 1, 2, \ldots, 4\}$. If $v_1v_2, v_2v_3, v_3v_4 \in E(G)$ and $v_1v_4, v_1v_3 \notin E(G)$, then $R(G) \ge 3/2$.

van Dijk also used this approach to characterize graphs of order six whose information ratio is not less than 5/3.

Theorem 1.3.5 ([35]). Let $G$ be a graph with $V(G) = \{v_i \mid i = 1, 2, \ldots, 6\}$. If $G$ satisfies both

(i) $v_1v_2, v_3v_4, v_5v_6 \in E(G)$ and

(ii) $v_1v_5, v_1v_6, v_2v_5, v_2v_6, v_3v_5, v_3v_6 \notin E(G)$

and at least one of the following conditions:

• $v_2v_3, v_3v_4 \in E(G)$,

• $v_2v_3, v_2v_4 \in E(G)$, or

• $v_3v_4, v_2v_4 \in E(G)$,

then $R(G) \ge 5/3$.

When dealing with information ratio, the following lemma is especially helpful.

Lemma 1.3.6 ([7]). If $G'$ is an induced subgraph of a graph $G$, then $R(G) \ge R(G')$.

Theorem 1.2.1 guarantees that the ideal graph-based access structures are exactly the complete multipartite graphs. By Theorem 1.3.4 and Lemma 1.3.6, the result for graphs which are not complete multipartite follows.

Theorem 1.3.7 ([7]). Suppose that $G$ is a connected graph which is not complete multipartite, then $R(G) \ge \frac{3}{2}$ and $AR(G) \ge \frac{n+1}{n}$ where $n = |V(G)|$.

It shows that there is a gap in the information ratio between the ideal and non-ideal graph-based access structures.

In addition to these results, Blundo et al. [7] defined a so-called "foundation" of a graph to cope with the optimal average information ratio of graphs. The foundation of a graph $G$ is a subgraph $G_0$ of $G$ which satisfies (i) $xy \in E(G_0)$ if and only if there exist vertices $w, z \in V(G)$ such that the subgraph induced by $\{w, x, y, z\}$ has edge set $\{wx, xy, yz\}$ or $\{wx, xy, yz, xz\}$ and (ii) the edge set of $G_0$ consists of all vertices in $V(G)$ which are incident with at least one edge in $E(G)$. Then, they considered the linear programming problem.

(**) Minimize $C = \sum_{v \in V(G)} a_v$ subject to
    $a_v \ge 0$, $v \in V(G)$

They obtain a lower bound with the optimal solution $C^*$ to this linear programming problem.

Theorem 1.3.8 ([7]). Let $G_0$ be the foundation of a graph $G$ and $C^*$ be the optimal solution to the linear programming problem (**). Then

$$AR(G) \ge \frac{C^* + |V(G)|}{|V(G)|}.$$

Csirmaz [13] put the information theoretic approach in a neater way, which is what we place much reliance on in Chapter 3.

Let $\Sigma$ be a secret-sharing scheme in which $\zeta_S$ is the random variable of the secret and each $\zeta_v$ is the random variable of the share of $v$, $v \in V(G)$. Define a real-valued function $f$ as $f(A) = H(\{\zeta_v : v \in A\})/H(\zeta_S)$ for each subset $A \subseteq V(G)$, where $H$ is the Shannon entropy. Then, $R_\Sigma = \max_{v \in V(G)} f(v)$ and $AR_\Sigma = \frac{1}{n} \sum_{v \in V(G)} f(v)$, where $n = |V(G)|$. Using properties of the entropy function and the definition of a secret-sharing scheme, one can show that $f$ satisfies the following inequalities [13]:

(a) $f(\emptyset) = 0$, and $f(A) \ge 0$;

(b) if $A \subseteq B \subseteq V(G)$, then $f(A) \le f(B)$;

(c) $f(A) + f(B) \ge f(A \cap B) + f(A \cup B)$;

(d) if $A \subseteq B \subseteq V(G)$, $A$ is an unqualified set and $B$ is not, then $f(A) + 1 \le f(B)$;

(e) if neither $A$ nor $B$ is unqualified but $A \cap B$ is, then $f(A) + f(B) \ge 1 + f(A \cap B) + f(A \cup B)$.
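To make the function f concrete, the following added example (not code from the thesis) computes f(A) for the scheme of Example 1.1.1 on K_{1,2}, taking the nine distribution rules as equally likely, and checks inequalities (a) to (e) over all pairs of subsets. The function names and the tolerance EPS are choices made here.

```python
from collections import Counter
from itertools import combinations, product
from math import log2

V = ("a", "b", "c")
EDGES = [frozenset("ab"), frozenset("bc")]      # G = K_{1,2}
# Rules of Example 1.1.1, each drawn with probability 1/9 (assumption).
RULES = [{"S": d, "a": r, "b": (r + d) % 3, "c": r}
         for d, r in product(range(3), repeat=2)]
EPS = 1e-9                                      # floating-point tolerance


def entropy(names):
    """Shannon entropy (bits) of the joint variable indexed by names."""
    counts = Counter(tuple(rule[x] for x in names) for rule in RULES)
    total = len(RULES)
    return -sum(c / total * log2(c / total) for c in counts.values())


def f(A):
    """f(A) = H({zeta_v : v in A}) / H(zeta_S)."""
    return entropy(sorted(A)) / entropy(["S"])


def unqualified(A):
    """A is unqualified iff it is an independent set of G."""
    return not any(e <= A for e in EDGES)


SUBSETS = [frozenset(c) for k in range(len(V) + 1)
           for c in combinations(V, k)]


def check_inequalities():
    """Return the list of violated instances of (a)-(e); empty if none."""
    bad = []
    if abs(f(frozenset())) > EPS:
        bad.append(("a", frozenset()))
    for A in SUBSETS:
        if f(A) < -EPS:
            bad.append(("a", A))
    for A, B in product(SUBSETS, repeat=2):
        if A <= B and f(A) > f(B) + EPS:
            bad.append(("b", A, B))
        if f(A) + f(B) < f(A & B) + f(A | B) - EPS:
            bad.append(("c", A, B))
        if (A <= B and unqualified(A) and not unqualified(B)
                and f(A) + 1 > f(B) + EPS):
            bad.append(("d", A, B))
        if (not unqualified(A) and not unqualified(B) and unqualified(A & B)
                and f(A) + f(B) < 1 + f(A & B) + f(A | B) - EPS):
            bad.append(("e", A, B))
    return bad


def average_ratio():
    """AR_Sigma = (1/n) * sum of f(v) over the vertices."""
    return sum(f({v}) for v in V) / len(V)


if __name__ == "__main__":
    for A in SUBSETS:
        print(sorted(A), round(f(A), 6))
    print("violations:", check_inequalities())
    print("AR =", round(average_ratio(), 6))
```

For A = {a, b} and B = {b, c}, inequality (e) holds with equality in this scheme: f(A) + f(B) = 4 = 1 + f({b}) + f({a, b, c}).
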

A subset $V_0$ of $V(G)$ is called connected if it induces a connected subgraph of $G$. Csirmaz and Tardos [16] defined a core $V_0$ of a graph $G$ as a connected subset $V_0$ of $V(G)$ satisfying that (i) each $v \in V_0$ has a neighbor $\bar{v}$ outside

an independent set in $G$. The neighbor $\bar{v}$ in the definition is referred to as the designated outside neighbor of $v$ throughout this thesis. By employing inequalities (a) to (e), they showed the following result.

Theorem 1.3.9 ([16]). Let $V_0$ be a core of a graph $G$. If $f$ is defined as above, then $\sum_{v \in V_0} f(v) \ge 2|V_0| - 1$.

Based on this fact, we will derive a lower bound on AR(G) and rewrite Theorem 1.3.1 as an upper bound on AR(G) of particular form in Chapter 3. Our approach to determining the exact value of AR(G) will then be introduced.

1.4 Known Results on R(G) and AR(G)

For non-ideal graphs, Stinson's [34] bound has been shown to be the best for general graphs among known upper bounds on $R(G)$. The complete multipartite covering he used was a star covering. For a general graph $G$, let $S_v$ be the star on vertex set $\{v\} \cup N_G(v)$ having center $v$. Then $\Pi = \{S_v \mid v \in V(G)\}$ forms a star covering with minimum edge occurrence 2 and maximum vertex occurrence $d + 1$. By Theorem 1.3.1, Stinson [34] improved previous results and showed that $R(G) \le \frac{d+1}{2}$ where $d$ is the maximum degree of $G$ and $AR(G) \le \frac{2m+n}{2n}$ where $n = |V(G)|$ and $m = |E(G)|$. Blundo et al. [4] defined an infinite class of graphs $H_n$ and used the information theoretic approach to show that $R(H_n) \ge \frac{d+1}{2}$. This result shows that Stinson's result on $R(G)$ is tight. In addition, Stinson's upper bound on $AR(G)$ is also the best for general graphs so far.
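Theorem 1.3.1 applied to this star covering can be evaluated mechanically. The following added example (not code from the thesis) computes $t_\Pi$, $r_\Pi$, $m_\Pi$ and the resulting ratios for a covering given as (vertex set, edge set) pairs; the graphs used (the 5-cycle and the path on four vertices) and all function names are constructed for illustration.

```python
from collections import Counter
from fractions import Fraction


def cycle(n):
    """Adjacency of the cycle on vertices 0..n-1 (n >= 3)."""
    return {v: {(v - 1) % n, (v + 1) % n} for v in range(n)}


def path(n_vertices):
    """Adjacency of the path on vertices 0..n_vertices-1."""
    return {v: {u for u in (v - 1, v + 1) if 0 <= u < n_vertices}
            for v in range(n_vertices)}


def edge_set(adj):
    return {frozenset((u, v)) for u in adj for v in adj[u]}


def star(adj, center, leaves=None):
    """Star with the given center; leaves default to all of N_G(center)."""
    leaves = set(adj[center]) if leaves is None else set(leaves)
    return ({center} | leaves, {frozenset((center, u)) for u in leaves})


def stinson_star_covering(adj):
    """Pi = {S_v | v in V(G)} as described in Section 1.4."""
    return [star(adj, v) for v in adj if adj[v]]


def is_complete_multipartite(verts, edges):
    """True iff non-adjacency on verts is an equivalence relation."""
    part = {v: frozenset(u for u in verts
                         if u == v or frozenset((u, v)) not in edges)
            for v in verts}
    return all(part[u] == part[v] for v in verts for u in part[v])


def covering_parameters(adj, cover):
    """t_Pi, r_Pi, m_Pi and the ratios of Theorem 1.3.1 for a covering."""
    edges = edge_set(adj)
    t, r = Counter(), Counter()
    for verts, sub_edges in cover:
        if not sub_edges <= edges or not is_complete_multipartite(verts, sub_edges):
            raise ValueError("not a complete multipartite subgraph of G")
        r.update(verts)          # vertex occurrences r_v
        t.update(sub_edges)      # edge occurrences t_e
    if any(t[e] == 0 for e in edges):
        raise ValueError("some edge of G is not covered")
    t_pi = min(t[e] for e in edges)
    r_pi = max(r[v] for v in adj)
    m_pi = sum(len(verts) for verts, _ in cover)
    assert m_pi == sum(r.values())      # m_Pi equals the sum of all r_v
    return {"t": t_pi, "r": r_pi, "m": m_pi,
            "R": Fraction(r_pi, t_pi),
            "AR": Fraction(m_pi, t_pi * len(adj))}


if __name__ == "__main__":
    c5 = cycle(5)
    print("C5, Stinson covering:", covering_parameters(c5, stinson_star_covering(c5)))
    p4 = path(4)
    print("path, Stinson covering:", covering_parameters(p4, stinson_star_covering(p4)))
    # A covering with t_Pi = 1: one star centered at vertex 1 plus the edge {2, 3}.
    light = [star(p4, 1), star(p4, 2, leaves={3})]
    print("path, t = 1 covering:", covering_parameters(p4, light))
```

On the path with four vertices, the covering with $t_\Pi = 1$ gives the same average ratio 5/4 as Stinson's covering while its maximum ratio is 2 instead of 3/2, which illustrates why the vertex-number sum, not $r_\Pi$, is the quantity to minimize for AR(G).
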

Due to the difficulty of the derivation of good results on general graphs, most efforts have been focused on small graphs [7, 23, 32, 33, 34, 35] and graphs with better structures [4, 7, 15, 17, 34]. Stinson [32, 33, 34], van Dijk[35] and Blundo et al. [7] used various combinations of the methods described in Section 1.3 to derive the exact velues or bounds on R(G) for all graphs of order not less than six. Stinson [32, 33, 34] and Blundo et al. [7]

(25)

have also found the exact velues or bounds on AR(G) for all graphs of order not less than five.

Let Cnand Pnbe the cycle and the path of length n, respectively. Stinson

[34] showed that R(Cn) = 3/2 for n ≥ 5 and R(Pn) = 3/2 for n ≥ 3, which

are direct results from the bound R(G) ≤ d+12 and Theorem 1.3.7. The values

of AR(Cn) = 3/2 for n ≥ 5 and AR(Pn) = 2(n+1)3n+δ for n ≥ 3 [7], where δ = 0

when n is even and δ = 1 when n is odd, come from constructing suitable star covering (Theorem 1.3.1) and the fundation of the graphs (Therem 1.3.8).

Morillo et al.[28] considered the weighted threshold secret-sharing schemes. This is the case when every participant is given a weight depending on his or her position in an organization. A set of participants is in the access structure if and only if the sum of the weights of all participants in the set is not less than the given threshold. They characterized the wieghted

thresh-old access structure that can be represented by a graph Gk which is called

k-weighted graphs, and constructed a complet multipartite covering ΠGk for

k = 2q− 1 with the maximum vertex occurrence r

ΠGk = q. By Lemma 1.3.6,

they obtained an upper bound ⌈log2(k + 1)⌉ on R(Gk) for each value of k.

Before 2007, apart from the aforementioned class of graphs $H_n$ defined by Blundo et al. [4], the paths and cycles are the only infinite classes of graphs which have known exact values of the optimal information ratio and the optimal average information ratio. Csirmaz and Tardos's [17] excellent work appeared in 2007. They determined the exact values of the optimal information ratio of all trees as $R(G) = 2 - \frac{1}{c(T)}$, where c(T) is the maximum size of a core in the tree T. They showed $R(G) \ge 2 - \frac{1}{c(T)}$ from Theorem 1.3.9 and obtained that $R(G) \le 2 - \frac{1}{c(T)}$ by constructing a star covering Π with minimum edge occurrence $t_\Pi = c(T)$ and maximum vertex occurrence $r_\Pi = 2c(T) - 1$.

By generalizing this approach, Csirmaz and Ligeti [16] made an even greater achievement in 2009. They showed that R(G) = 2 − 1/d, where d is the maximum degree of G, for any graph G satisfying the following properties: (i) every vertex has at most one neighbor of degree one, (ii) vertices of degree at least three are not connected by an edge, and (iii) the girth of G is at least six. This has been the greatest accomplishment regarding exact values of the information ratio of non-ideal graph-based access structures. During the past decades, the information ratio has apparently attracted a lot more attention than the average information ratio has. This is partly due to the complicated nature of treating the average information ratio. Despite the complexity, we devote our effort to the discussion of the average information ratio of graphs. We hope to make a contribution to the study of the efficiency of secret-sharing schemes.

1.5 Overview of the Thesis

As mentioned above, Morillo et al. [28] characterized weighted threshold access structures based on graphs and studied their optimal information ratio. Since these access structures are more applicable in real-life situations, we are motivated to construct better secret-sharing schemes for them and to give a more detailed analysis of the average information ratio of our schemes in Chapter 2. We start this chapter with Morillo's characterization of the graphs that represent weighted threshold access structures and the upper bound on R(G) they have derived. We then present an observation on the structure of this kind of graphs. Subsequently, two sophisticated constructions of secret-sharing schemes are proposed and bounds on the average information ratio of these schemes are calculated. A comparison of their efficiency will be given in the final section of this chapter.

Next, we engage in the pursuit of the exact values of the optimal average information ratio of graphs in Chapters 3 and 4. We begin by completing the work of Csirmaz and Tardos [17] on the study of tree-based access structures by determining the exact values of the optimal average information ratio of all trees in Chapter 3. Extending this result, we deal with bipartite graphs in Chapter 4. We obtain the exact values of the optimal average information ratio of some classes of bipartite graphs. For the remaining classes of bipartite graphs, a bound on the optimal average information ratio is provided subsequently. Our bound is the first one regarding the optimal average information ratio of bipartite graphs. This bound is the best possible for some classes of bipartite graphs using our approach. In the final chapter, we summarize our work in this thesis and introduce possible directions of future research.


Chapter 2

Average Information Ratio of Weighted Threshold Secret-Sharing Schemes

In this thesis, we only consider graph-based access structures. The graphs considered in Chapters 2 and 3 are connected. Chapter 4 deals with bipartite graphs which may not be connected. In all chapters, each graph considered contains no isolated vertices.

2.1 Weighted Threshold Access Structures

Given a set of n participants P, a threshold t > 0 and a weight function $w : P \to \mathbb{R}$ with $w(p) \ge 0$ for all $p \in P$, the (t, n, w)-weighted threshold access structure consists of all subsets $A \subseteq P$ such that $w(A) = \sum_{p \in A} w(p) \ge t$.

Morillo et al. [28] showed that any weighted access structure determined by a non-integer-valued weight function and a non-integer threshold can also be determined by an integer-valued weight function and an integer threshold. Therefore, considering integer-valued weight functions is sufficient in our problem. In the remainder of the chapter, we assume that a weight function w is given. An access structure $\Gamma = Cl(\Gamma_0)$ is called r-homogeneous if each


weighted threshold access structure and exclude the case where any participant has zero-weight. This kind of access structure can be represented by a graph G. In this graph, there is a set C of vertices, each of which is adjacent to all other vertices in G. The weight of each vertex in C is higher than the weight of any vertex not in C. If $C \ne V(G)$, removing C from the graph G produces a nonempty set A of isolated vertices, each of which has lower weight than any other vertex not in A. If $C \cup A \ne V(G)$, the subgraph G′ induced by $V(G) \setminus (C \cup A)$ represents a 2-homogeneous weighted threshold access structure $\Gamma' = \{B \subseteq P \setminus (C \cup A) \mid w(B) \ge t\}$. By repeating this process, Morillo et al. obtained a clear characterization of the structure of G in the following theorem.

Theorem 2.1.1 ([28]). Let G be a graph that represents the 2-homogeneous weighted threshold access structure Γ. Then, there exists a unique partition of the vertices of G,

$$P = C_1 \cup A_1 \cup C_2 \cup A_2 \cup \cdots \cup C_k \cup A_k,$$

where $C_i \ne \emptyset$ for i = 1, . . . , k, $A_i \ne \emptyset$ if i = 1, . . . , k − 1 and either $A_k = \emptyset$ and $|C_k| \ge 2$ or $|A_k| \ge 2$, such that the set of edges of G is

$$\Gamma_0 = \Big\{ \{u, v\} \;\Big|\; u, v \in \bigcup_{i=1}^{k} C_i,\ u \ne v \Big\} \cup \big\{ \{v, p\} \;\big|\; v \in C_i,\ p \in A_j,\ 1 \le i \le j \le k \big\}.$$

They also showed that any graph with a partition described in Theorem 2.1.1 represents a 2-homogeneous weighted threshold access structure. Such a graph is then called k-weighted where k is the parameter used in Theorem 2.1.1. Since the structure of a k-weighted graph is completely determined by the values $|A_i|$'s and $|C_i|$'s, i = 1, 2, . . . , k, we denote the k-weighted graph by $W(|A_1|, \ldots, |A_k|, |C_1|, \ldots, |C_k|)$. Observe that the subgraph induced by $\bigcup_{i=1}^{l} (A_{j_i} \cup C_{j_i})$ where $1 \le j_1 < j_2 < \cdots < j_l \le k$ is an l-weighted graph $W(|A_{j_1}|, \ldots, |A_{j_l}|, |C_{j_1}|, \ldots, |C_{j_l}|)$. Morillo et al. gave a complete multipartite decomposition for $(2^q - 1)$-weighted graph of which the minimum edge


Then, by Lemma 1.3.6, an upper bound on the optimal information ratio of k-weighted graphs, for all k, follows.

Theorem 2.1.2 ([28]). Let $\Gamma = \{A \subseteq P \mid w(A) \ge t\}$ be an access structure that is represented by a k-weighted graph G. Then $R(G) \le \lceil \log_2(k+1) \rceil$.

When dealing with the information ratio, one can obtain an upper bound for a graph from its subgraph using Lemma 1.3.6. However, for the average information ratio, we do not have this advantage. The complete multipartite covering must be constructed for each value of k. For convenience, we make a slight modification to the notation given in Theorem 2.1.1. In the case where $A_k = \emptyset$ and $|C_k| \ge 2$, we move one (arbitrarily chosen) vertex from $C_k$ to $A_k$. Thus, none of the $A_i$'s and $C_i$'s are empty in our model. Next, we will present an observation on the construction of k-weighted graphs before introducing our constructions in the following sections.

2.2 An Observation

We observe that any k-weighted graph can be obtained by alternately applying two graph operations starting with a single vertex. Let us introduce these operations first. By “splitting vertex v of a graph G into m vertices $v_1, \ldots, v_m$”, denoted $Spt(v; \{v_1, \ldots, v_m\})$, we obtain a graph $G^{Spt(v;\{v_1,\ldots,v_m\})}$ whose vertex set is $V(G^{Spt(v;\{v_1,\ldots,v_m\})}) = (V(G) - \{v\}) \cup \{v_1, v_2, \ldots, v_m\}$ and the edge set is $E(G^{Spt(v;\{v_1,\ldots,v_m\})}) = E(G - v) \cup \{v_i u \mid vu \in E(G) \text{ and } i = 1, 2, \ldots, m\}$. If we further add all edges in $\{v_i v_j \mid 1 \le i < j \le m\}$ to $E(G^{Spt(v;\{v_1,\ldots,v_m\})})$, then we obtain a graph $G^{Exp(v;\{v_1,\ldots,v_m\})}$. This resulting graph is said to be obtained by “expanding vertex v into m vertices $v_1, \ldots, v_m$” from the original graph G and this operation is denoted by $Exp(v; \{v_1, \ldots, v_m\})$. In what follows, we use $\langle V_1, V_2 \rangle_G$ to denote the set of edges $\{uv \mid u \in V_1, v \in V_2 \text{ and } uv \in E(G)\}$ for any two disjoint subsets of vertices $V_1$ and $V_2$ in G.

Given a k-weighted graph $G = W(a_1, a_2, \ldots, a_k, c_1, c_2, \ldots, c_k)$, where $a_i = |A_i|$ and $c_i = |C_i|$, we let $A_i = \{u^i_1, u^i_2, \ldots, u^i_{a_i}\}$ and $C_i = \{v^i$


i = 1, 2, . . . , k. We explain how the given graph can be constructed starting with a single vertex by splitting and expanding in the following algorithm.

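Algorithm:

$G_0 \leftarrow \{u_0\}$.

For $i \leftarrow 1$ to $k$ do

    $G_i \leftarrow G_{i-1}^{Exp(u_0;\, C_i \cup \{u_0\})}$

    $G_i \leftarrow G_i^{Spt(u_0;\, A_i^*)}$, where $A_i^* = A_i \cup \{u_0\}$ if $1 \le i < k$, and $A_i^* = A_k$ if $i = k$.

Output the k-weighted graph $G_k$.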

Theorem 2.2.1. The proposed algorithm produces the given k-weighted graph G from a single vertex.

Proof. Observe that the edges in $\langle A_i, C_j \rangle$, $j \le i$, are produced by the operation $Spt(u_0; A_i^*)$ and edges in $\langle C_i, C_j \rangle$, $j < i$, and within the part $C_i$ are all produced by $Exp(u_0, C_i^*)$. So, G is a subgraph of $G_k$. Next, the number of edges produced in this algorithm is

$$
\begin{aligned}
&\sum_{i=1}^{k-1}\left(\binom{c_i+1}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right) + \binom{c_k+1}{2} + c_k\sum_{j=1}^{k-1}c_j + (a_k-1)\sum_{j=1}^{k}c_j \\
&\quad= \sum_{i=1}^{k}\left(\binom{c_i+1}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right) - \sum_{j=1}^{k}c_j \\
&\quad= \sum_{i=1}^{k}\left(\binom{c_i}{2} + c_i\sum_{j=1}^{i-1}c_j + a_i\sum_{j=1}^{i}c_j\right)
\end{aligned}
$$

which is exactly the size of the given graph G. The proof is completed.
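The algorithm and the edge count in the proof of Theorem 2.2.1 can be checked mechanically. The Python below is an added example, not code from the thesis; the vertex labels and all function names are assumptions made here. It runs Exp and Spt as defined in this section and compares the result with the edge set of Theorem 2.1.1 and with the closed-form edge count.

```python
from itertools import combinations

def split(adj, v, new):
    """Spt(v; new): replace v by the vertices in `new`; each inherits v's neighbours."""
    nbrs = adj.pop(v)
    for u in nbrs:
        adj[u].discard(v)
    for w in new:
        adj[w] = set(nbrs)
        for u in nbrs:
            adj[u].add(w)

def expand(adj, v, new):
    """Exp(v; new): split v, then make the new vertices pairwise adjacent."""
    split(adj, v, new)
    for x, y in combinations(new, 2):
        adj[x].add(y)
        adj[y].add(x)

def part(kind, i, size):
    """Labels (kind, i, t) for the vertices of A_i or C_i (labelling assumed here)."""
    return [(kind, i, t) for t in range(1, size + 1)]

def build_by_algorithm(a, c):
    """Run the algorithm of Section 2.2 for W(a_1..a_k, c_1..c_k); return the edge set."""
    k, u0 = len(a), ("u", 0, 0)
    adj = {u0: set()}
    for i in range(1, k + 1):
        C_i, A_i = part("C", i, c[i - 1]), part("A", i, a[i - 1])
        expand(adj, u0, C_i + [u0])                    # Exp(u0; C_i ∪ {u0})
        split(adj, u0, A_i + [u0] if i < k else A_i)   # Spt(u0; A*_i)
    return {frozenset((x, y)) for x in adj for y in adj[x]}

def edges_by_definition(a, c):
    """Edge set Γ_0 of Theorem 2.1.1."""
    k = len(a)
    C = {i: part("C", i, c[i - 1]) for i in range(1, k + 1)}
    A = {j: part("A", j, a[j - 1]) for j in range(1, k + 1)}
    all_c = [v for i in C for v in C[i]]
    edges = {frozenset(p) for p in combinations(all_c, 2)}
    edges |= {frozenset((v, p)) for i in C for j in A if i <= j
              for v in C[i] for p in A[j]}
    return edges

def edge_count(a, c):
    """Last line of the proof: sum_i [C(c_i,2) + c_i*sum_{j<i} c_j + a_i*sum_{j<=i} c_j]."""
    total = 0
    for i in range(len(a)):
        before = sum(c[:i])
        total += c[i] * (c[i] - 1) // 2 + c[i] * before + a[i] * (before + c[i])
    return total

if __name__ == "__main__":
    a, c = [2, 1, 3], [1, 2, 2]        # constructed sample: W(2, 1, 3, 1, 2, 2)
    built = build_by_algorithm(a, c)
    print(built == edges_by_definition(a, c), len(built), edge_count(a, c))
```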

2.3 Construction (I)

Before we can literally describe our first construction, there are some more


we use $K(V_1, V_2, \ldots, V_l)$ to denote the complete multipartite graph with partite sets $V_1, V_2, \ldots$ and $V_l$. Let $G_l = W(|A_1|, \ldots, |A_l|, |C_1|, \ldots, |C_l|)$ be the l-weighted graph with vertex set $(\bigcup_{i=1}^{l} A_i) \cup (\bigcup_{i=1}^{l} C_i)$, $l \le k$. Define $B_l$, $l \le k$, to be the graph obtained from $G_l$ by removing all edges connecting vertices in $\bigcup_{i=1}^{l} C_i$. Then $B_l$ is a bipartite graph with partite sets $\bigcup_{i=1}^{l} A_i$ and $\bigcup_{i=1}^{l} C_i$. Next, we use $M_{l_1,l_2}$ to denote the complete multipartite graph $K\big(C_1, C_2, \ldots, C_{l_1-1}, \{v^{l_1}_1\}, \{v^{l_1}_2\}, \ldots, \{v^{l_1}_{c_{l_1}}\}, (\bigcup_{j=l_1+1}^{l_2} C_j) \cup (\bigcup_{j=l_1}^{l_2} A_j)\big)$, $1 \le l_1 \le l_2 \le k$. In what follows, the complete multipartite graph $K(C_1, C_2, \ldots, C_{j-1}, A_{j-1}, A_j)$ is written as $H_j$, $2 \le j \le k$.

Lemma 2.3.1. $\Pi_{B_l}$ is a complete multipartite covering of $B_l$ where

$$
\Pi_{B_l} =
\begin{cases}
\{H_{2i}, K(A_{2i}, C_{2i}) \mid i = 1, 2, \ldots, \frac{l}{2}\}, & \text{if } l \text{ is even;} \\
\{K(A_1, C_1), H_{2i+1}, K(A_{2i+1}, C_{2i+1}) \mid i = 1, 2, \ldots, \frac{l-1}{2}\}, & \text{if } l \text{ is odd.}
\end{cases}
$$

Proof. When l is even, the edges in $\langle A_{2i}, C_j \rangle_{B_l}$ with $j < 2i$ and the edges in $\langle A_{2i-1}, C_j \rangle_{B_l}$ with $j \le 2i - 1$ appear in the subgraph $H_{2i}$, for $i = 1, 2, \ldots, \frac{l}{2}$, while the edges in $\langle A_{2i}, C_{2i} \rangle_{B_l}$ appear in the subgraph $K(A_{2i}, C_{2i})$. The edges of $B_l$ are then all used up. For odd l, the argument is similar.

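With these notations in mind, we are able to give our complete multipartite covering $\Pi_k$ of $G_k$. Let $\Pi_k$ be obtained recursively by letting $\Pi_1 = \{G_1\}$, $\Pi_2 = \{K(\{v^1_1\}, \{v^1_2\}, \ldots, \{v^1_{c_1}\}, A_1), M_{2,2}\}$, $\Pi_3 = \{K(\{v^1_1\}, \{v^1_2\}, \ldots, \{v^1_{c_1}\}, A_1), K(\{v^3_1\}, \ldots, \{v^3_{c_3}\}, A_3), M_{2,3}\}$ and, for $k \ge 4$,

$$\Pi_k = \Pi_{B_{\lfloor \frac{k+1}{2} \rfloor}} \cup \left\{ M_{\lfloor \frac{k+1}{2} \rfloor + 1,\, k} \right\} \cup \Pi_{\lfloor \frac{k}{2} \rfloor - 1}$$

where $\Pi_{\lfloor \frac{k}{2} \rfloor - 1}$ is the complete multipartite covering of the $(\lfloor \frac{k}{2} \rfloor - 1)$-weighted subgraph $W\big(a_{\lfloor \frac{k+1}{2} \rfloor + 2}, a_{\lfloor \frac{k+1}{2} \rfloor + 3}, \ldots, a_k, c_{\lfloor \frac{k+1}{2} \rfloor + 2}, c_{\lfloor \frac{k+1}{2} \rfloor + 3}, \ldots, c_k\big)$.

It can be easily checked that the edges of $G_k$ which are not in $B_{\lfloor \frac{k+1}{2} \rfloor}$ and $W\big(a_{\lfloor \frac{k+1}{2} \rfloor + 2}, \ldots, a_k, c_{\lfloor \frac{k+1}{2} \rfloor + 2}, \ldots, c_k\big)$ all lie in $M_{\lfloor \frac{k+1}{2} \rfloor + 1,\, k}$. These three subgraphs virtually make up the k-weighted graph $G_k$. We have the following lemma.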

Lemma 2.3.2. The collection Πk stated above is a complete multipartite


Our next goal is to evaluate the vertex-number sum $m_k$ of $\Pi_k$. Due to the complexity of the enumeration, we consider the reduced forms first. We call $G^0_k = W(1, \ldots, 1, 1, \ldots, 1)$ the reduced form of a general k-weighted graph $W(a_1, \ldots, a_k, c_1, \ldots, c_k)$. We also let $B^0_l$, $M^0_{l_1,l_2}$ and $H^0_j$ be the graphs defined in the same ways as $B_l$, $M_{l_1,l_2}$ and $H_j$ respectively, except that the $a_i$'s and $c_j$'s involved are all set to be one. Then $G^0_k$ and $B^0_k$ have the complete multipartite coverings $\Pi^0_k$ and $\Pi_{B^0_k}$ reduced from $\Pi_k$ and $\Pi_{B_k}$ respectively. Note here that $G^0_k$ has 2k vertices. By applying suitable splitting and expanding operations mentioned in Section 2.2 accordingly to the reduced form $G^0_k$, one can recover the general k-weighted graph $W(a_1, \ldots, a_k, c_1, \ldots, c_k)$. For the description of the evaluation of the vertex-number sum $m^0_k$ of $\Pi^0_k$, we introduce a specially designed binary tree.

Figure 2.1: The binary tree for Construction (I)

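Note that we have decomposed $G^0_k$ into $B^0_{\lfloor \frac{k+1}{2} \rfloor}$, $M^0_{\lfloor \frac{k+1}{2} \rfloor + 1,\, k}$ and $G^0_{\lfloor \frac{k}{2} \rfloor - 1}$. Since $\lfloor \frac{k+1}{2} \rfloor$ equals $(\lfloor \frac{k}{2} \rfloor - 1) + 1$ or $(\lfloor \frac{k}{2} \rfloor - 1) + 2$, $G^0_j$ can either go with $B^0_{j+1}$ and $M^0$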


$G^0_{2j+3}$. By recursively repeating this process, we observe that all $G^0_k$'s can be built up from some $B^0_l$'s, $M^0_{l_1,k}$'s and just $G_1$, $G_2$ and $G_3$. We illustrate this relation by means of a binary tree in Figure 2.1. In this tree, each path from the root represents the conformation of a k-weighted graph of the reduced form in our covering. For example, the leftmost path from the root $G_j$ to $G_{4j+6}$ represents that $G^0_{2j+2}$ is composed of $G^0_j$, $B^0_{j+1}$ and $M^0_{j+2,2j+2}$ and then $G^0_{4j+6}$ is composed of $G^0_{2j+2}$, $B^0_{2j+3}$ and $M^0_{2j+4,4j+6}$. Hence the path shows how $G^0_{4j+6}$ is built up. The $2^x$ paths of length x from the root give the conformations of the $2^x$ k-weighted graphs where k ranges from $(j+2)2^x - 2$ to $(j+3)2^x - 3$, j = 1, 2, 3.

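Theorem 2.3.3. Let $\Gamma = \{A \subseteq P \mid w(A) \ge t\}$ be an access structure represented by a k-weighted graph $G^0_k$ of reduced form, $k_1 = (j+2)2^x - 2$ and $k_2 = (j+3)2^x - 3$, $x \ge 1$, j = 1, 2, 3. If $k_1 \le k \le k_2$, then there exists a secret-sharing scheme Σ for the access structure Γ whose average information ratio $AR_\Sigma$ satisfies

$$
\frac{k_1^2 + 58k_1 - 60\log_2\!\big(\frac{k_1+2}{j+2}\big) - 32 - \delta_1^{(j)}}{24k_1} \le AR_\Sigma \le \frac{k_2^2 + 60k_2 - 84\log_2\!\big(\frac{k_2+3}{j+3}\big) - 37 - \delta_2^{(j)}}{24k_2}
$$

where

$$
(\delta_1^{(j)}, \delta_2^{(j)}) =
\begin{cases}
(0, 0), & \text{if } j = 1; \\
(28, 24), & \text{if } j = 2; \\
(40, 44), & \text{if } j = 3.
\end{cases}
$$

Proof. Let $m^0_k$ and $m_{B^0_l}$ be the vertex-number sum of $\Pi^0_k$ and $\Pi_{B^0_l}$ respectively and $m_{M^0_{l_1,l_2}}$ be the order of $M^0_{l_1,l_2}$, then $m_{M^0_{l_1,l_2}} = 2l_2 - l_1 + 1$. In $\Pi_{B^0_l}$, $|V(K(C_i, A_i))| = |V(K_2)| = 2$ and $|V(H^0_i)| = i + 1$ for each i. So $m_{B^0_l}$ can be evaluated as follows.

$$
\begin{aligned}
m_{B^0_l} &=
\begin{cases}
\sum_{i=1}^{l/2} \big(|V(H^0_{2i})| + |V(K(C_{2i}, A_{2i}))|\big), & \text{if } l \text{ is even;} \\
\sum_{i=1}^{(l-1)/2} |V(H^0_{2i+1})| + \sum_{i=0}^{(l-1)/2} |V(K(C_{2i+1}, A_{2i+1}))|, & \text{if } l \text{ is odd;}
\end{cases} \\
&=
\begin{cases}
\sum_{i=1}^{l/2} \big((2i+1) + 2\big), & \text{if } l \text{ is even;} \\
\sum_{i=1}^{(l-1)/2} (2i+2) + \sum_{i=0}^{(l-1)/2} 2, & \text{if } l \text{ is odd;}
\end{cases} \\
&=
\begin{cases}
\frac{1}{4}(l^2 + 8l), & \text{if } l \text{ is even;} \\
\frac{1}{4}(l^2 + 8l - 1), & \text{if } l \text{ is odd.}
\end{cases}
\end{aligned}
$$

(1) First, we consider $G^0_{k_1}$ whose composition process is shown by the leftmost path of length x from the root. Adding up the orders of all subgraphs involved, we have

$$
\begin{aligned}
m^0_{k_1} &= m^0_j + \sum_{i=1}^{x} m_{B^0_{(j+2)2^{i-1}-1}} + \sum_{i=1}^{x} m_{M^0_{(j+2)2^{i-1},\,(j+2)2^i-2}} \\
&=
\begin{cases}
m^0_j + \frac{1}{4}\big[(j+1)^2 + 8(j+1)\big] + \sum_{i=2}^{x} \frac{1}{4}\big[((j+2)2^{i-1}-1)^2 + 8((j+2)2^{i-1}-1) - 1\big] \\
\quad + \sum_{i=1}^{x} \big[2((j+2)2^i - 2) - (j+2)2^{i-1} + 1\big], & \text{if } j = 1, 3; \\[4pt]
m^0_j + \sum_{i=1}^{x} \frac{1}{4}\big[((j+2)2^{i-1}-1)^2 + 8((j+2)2^{i-1}-1) - 1\big] \\
\quad + \sum_{i=1}^{x} \big[2((j+2)2^i - 2) - (j+2)2^{i-1} + 1\big], & \text{if } j = 2;
\end{cases} \\
&= m^0_j + \frac{1}{12}\big((j+2)2^x\big)^2 + \frac{9}{2}(j+2)2^x - 5x - \varepsilon_1^{(j)} \\
&= \frac{1}{12}(k_1+2)^2 + \frac{9}{2}(k_1+2) - 5\log_2\!\Big(\frac{k_1+2}{j+2}\Big) - \tilde\varepsilon_1^{(j)} \\
&= \frac{1}{12}\Big[k_1^2 + 58k_1 - 60\log_2\!\Big(\frac{k_1+2}{j+2}\Big) - 32 - \delta_1^{(j)}\Big],
\end{aligned}
$$

where

$$
\varepsilon_1^{(j)} =
\begin{cases}
\frac{j^2 + 58j + 109}{12}, & \text{if } j = 1, 3; \\
\frac{j^2 + 58j + 112}{12}, & \text{if } j = 2,
\end{cases}
\qquad \text{and} \qquad (\tilde\varepsilon_1^{(1)}, \tilde\varepsilon_1^{(2)}, \tilde\varepsilon_1^{(3)}) = \Big(12, \frac{43}{3}, \frac{46}{3}\Big).
$$

In the second last step, we combine the value of $\varepsilon_1^{(j)}$ with $m^0_1 = 2$, $m^0_2 = 5$ and $m^0_3 = 9$ to calculate the value of $\tilde\varepsilon_1^{(j)}$. With this covering of $G^0_{k_1}$, we are able to construct a secret-sharing scheme with average information ratio $AR_{\Sigma_1} = \frac{m^0_{k_1}}{2k_1}$.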

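(2) We consider $G^0_{k_2}$ whose composition process is shown by the rightmost

$$
\begin{aligned}
m^0_{k_2} &= m^0_j + \sum_{i=1}^{x} m_{B^0_{(j+3)2^{i-1}-1}} + \sum_{i=1}^{x} m_{M^0_{(j+3)2^{i-1},\,(j+3)2^i-3}} \\
&=
\begin{cases}
m^0_j + \sum_{i=1}^{x} \frac{1}{4}\big[((j+3)2^{i-1}-1)^2 + 8((j+3)2^{i-1}-1) - 1\big] \\
\quad + \sum_{i=1}^{x} \big[2((j+3)2^i - 3) - (j+3)2^{i-1} + 1\big], & \text{if } j = 1, 3; \\[4pt]
m^0_j + \frac{1}{4}\big[(j+2)^2 + 8(j+2)\big] + \sum_{i=2}^{x} \frac{1}{4}\big[((j+3)2^{i-1}-1)^2 + 8((j+3)2^{i-1}-1) - 1\big] \\
\quad + \sum_{i=1}^{x} \big[2((j+3)2^i - 3) - (j+3)2^{i-1} + 1\big], & \text{if } j = 2;
\end{cases} \\
&= m^0_j + \frac{1}{12}\big((j+3)2^x\big)^2 + \frac{9}{2}(j+3)2^x - 7x - \varepsilon_2^{(j)} \\
&= \frac{1}{12}\Big[k_2^2 + 60k_2 - 84\log_2\!\Big(\frac{k_2+3}{j+3}\Big) - 37 - \delta_2^{(j)}\Big],
\end{aligned}
$$

where

$$
\varepsilon_2^{(j)} =
\begin{cases}
\frac{j^2 + 60j + 171}{12}, & j = 1, 3; \\
\frac{j^2 + 60j + 168}{12}, & j = 2.
\end{cases}
$$

With this covering of $G^0_{k_2}$, we have constructed a secret-sharing scheme with average information ratio $AR_{\Sigma_2} = \frac{m^0_{k_2}}{2k_2}$. The result then follows.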

As a matter of fact, the vertex-number sum $m^0_k$ of each $G^0_k$ can be evaluated in a similar way. The resulting expression only slightly differs from the ones for $m^0_{k_1}$ and $m^0_{k_2}$ at some nonleading coefficients.

After dealing with the reduced forms we shall turn back to the general forms. Let us introduce some more notations to simplify our description. Let $\vec z_l = (1\ 1\ 2\ 1\ 2\ 1\ 2\ 1\ \cdots\ 2\ 1)$, $\vec y_l = \big((\tfrac{l}{2}+1)\ \ \tfrac{l}{2}\ \ \tfrac{l}{2}\ \ (\tfrac{l}{2}-1)\ \ (\tfrac{l}{2}-1)\ \cdots\ 2\ 2\ 1\big)$ and $\vec 1_l = (1\ 1\ \cdots\ 1)$ be three l-dimensional vectors. For $l_1 \le l_2$, let $\vec a(l_1, l_2) = (a_{l_1}\ a_{l_1+1}\ a_{l_1+2}\ \cdots\ a_{l_2})$ and $\vec c(l_1, l_2) = (c_{l_1}\ c_{l_1+1}\ c_{l_1+2}\ \cdots\ c_{l_2})$ where $a_i = |A_i|$ and $c_i = |C_i|$, $i = l_1, l_1+1, \ldots, l_2$.

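Lemma 2.3.4. For $k = 3 \cdot 2^x - 2$ and $x \ge 1$, the vertex-number sum $m_k$ of

$$
\begin{aligned}
m_k ={}& \sum_{i=1}^{x-1} \Big(\vec z_{\frac{k+2}{2^i}} + (i-1)\vec 1_{\frac{k+2}{2^i}}\Big) \cdot \vec a\Big(\tfrac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \tfrac{(k+2)(2^i-1)}{2^i}\Big) \\
&+ x\,a_{k-3} + (x+1)a_{k-2} + x\,a_{k-1} + (x+1)a_k \\
&+ \sum_{i=1}^{x-1} \Big(\vec y_{\frac{k+2}{2^i}} + (i-1)\vec 1_{\frac{k+2}{2^i}}\Big) \cdot \vec c\Big(\tfrac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \tfrac{(k+2)(2^i-1)}{2^i}\Big) \\
&+ (x+1)c_{k-3} + (x+1)c_{k-2} + x\,c_{k-1} + (x+1)c_k.
\end{aligned}
$$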

Proof. Note that the expression for $m_k$ depends on all $a_i$'s and $c_i$'s, each of whose coefficients represents the occurrence of the vertices of that part in the covering $\Pi_k$.

(1) First, let us examine the occurrence of vertices of $B_l$, whose partite sets are $\bigcup_{i=1}^{l} A_i$ and $\bigcup_{i=1}^{l} C_i$, in its covering $\Pi_{B_l}$. For odd l, by Lemma 2.3.1, one can easily see that the vertices in $A_1$ have occurrence 1 (only in $K(A_1, C_1)$), the vertices in $A_{2j}$, $j = 1, \ldots, \frac{l-1}{2}$, also have occurrence 1 (only in $H_{2j+1}$) and the vertices in $A_{2j+1}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence 2 (in $H_{2j+1}$ and $K(A_{2j+1}, C_{2j+1})$). Hence, the occurrences of the vertices in $A_1, A_2, \ldots, A_l$ are exactly the first l coordinates in $\vec z_{l+1}$. Similarly, the vertices in $C_1$ have occurrence $\frac{l+1}{2}$ (in $K(A_1, C_1)$ and $H_{2i+1}$'s, $i = 1, \ldots, \frac{l-1}{2}$), the vertices in $C_{2j}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence $\frac{l-1}{2} - j + 1$ (in $H_{2i+1}$'s, $i \ge j$) and the vertices in $C_{2j+1}$, $j = 1, \ldots, \frac{l-1}{2}$, have occurrence $\frac{l-1}{2} - j + 1$ (in $H_{2i+1}$'s, $i \ge j + 1$ and $K(A_{2j+1}, C_{2j+1})$). Hence, the occurrences of the vertices in $C_1, C_2, \ldots, C_l$ are exactly the first l coordinates in $\vec y_{l+1} - \vec 1_{l+1}$.

(2) Let us consider the value of $m_k$ now. We prove the result by induction on x. When x = 1, $m_4 = a_1 + 2a_2 + a_3 + 2a_4 + 2c_1 + 2c_2 + c_3 + 2c_4$ by direct counting the occurrences of vertices in $\Pi_4$. So, the result holds when x = 1. Next, for $k = 3 \cdot 2^{x+1} - 2$, $G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ is composed of $B_{3 \cdot 2^x - 1}$, $M_{3 \cdot 2^x,\, 3 \cdot 2^{x+1} - 2}$ and $G_{3 \cdot 2^x - 2}$. For convenience, denote $M_{3 \cdot 2^x,\, 3 \cdot 2^{x+1} - 2}$ by M for now. Observe that the vertices in $A_i$, $1 \le i \le 3 \cdot 2^x - 1$, have the same occurrences in $\Pi_k$ as they do in the covering $\Pi_{B_{3 \cdot 2^x - 1}}$ because they do


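one more occurrence in $\Pi_k$ than they do in $\Pi_{B_{3 \cdot 2^x - 1}}$ because they also occur in M. Notice that the vertices in $A_{3 \cdot 2^x}$ and $C_{3 \cdot 2^x}$ only occur once in $\Pi_k$. Besides, the vertices in $A_i$'s and $C_i$'s, $i = 3 \cdot 2^x + 1, \ldots, k$, also gain one more occurrence in $\Pi_k$ than they do in the covering $\Pi_{3 \cdot 2^x - 2}$ of $G_{3 \cdot 2^x - 2}$. Therefore, by (1) and the induction hypothesis, we have

$$
\begin{aligned}
m_{3\cdot 2^{x+1}-2}
={}& \vec z_{3\cdot 2^x} \cdot \vec a(1, 3\cdot 2^x) + (\vec y_{3\cdot 2^x} - \vec 1_{3\cdot 2^x}) \cdot \vec c(1, 3\cdot 2^x) + \vec 1_{3\cdot 2^x} \cdot \vec c(1, 3\cdot 2^x) \\
&+ \sum_{i=1}^{x-1} \Big(\vec z_{\frac{3\cdot 2^x}{2^i}} + (i-1)\vec 1_{\frac{3\cdot 2^x}{2^i}} + \vec 1_{\frac{3\cdot 2^x}{2^i}}\Big) \cdot \vec a\Big(\tfrac{3\cdot 2^x(2^{i-1}-1)}{2^{i-1}} + 1 + 3\cdot 2^x,\ \tfrac{3\cdot 2^x(2^i-1)}{2^i} + 3\cdot 2^x\Big) \\
&+ (x+1)a_{3\cdot 2^x-5+3\cdot 2^x} + (x+2)a_{3\cdot 2^x-4+3\cdot 2^x} + (x+1)a_{3\cdot 2^x-3+3\cdot 2^x} + (x+2)a_{3\cdot 2^x-2+3\cdot 2^x} \\
&+ \sum_{i=1}^{x-1} \Big(\vec y_{\frac{3\cdot 2^x}{2^i}} + (i-1)\vec 1_{\frac{3\cdot 2^x}{2^i}} + \vec 1_{\frac{3\cdot 2^x}{2^i}}\Big) \cdot \vec c\Big(\tfrac{3\cdot 2^x(2^{i-1}-1)}{2^{i-1}} + 1 + 3\cdot 2^x,\ \tfrac{3\cdot 2^x(2^i-1)}{2^i} + 3\cdot 2^x\Big) \\
&+ (x+2)c_{3\cdot 2^x-5+3\cdot 2^x} + (x+2)c_{3\cdot 2^x-4+3\cdot 2^x} + (x+1)c_{3\cdot 2^x-3+3\cdot 2^x} + (x+2)c_{3\cdot 2^x-2+3\cdot 2^x} \\
={}& \vec z_{\frac{3\cdot 2^{x+1}}{2}} \cdot \vec a\Big(1, \tfrac{3\cdot 2^{x+1}}{2}\Big) + \vec y_{\frac{3\cdot 2^{x+1}}{2}} \cdot \vec c\Big(1, \tfrac{3\cdot 2^{x+1}}{2}\Big) \\
&+ \sum_{i=1}^{x-1} \Big(\vec z_{\frac{3\cdot 2^{x+1}}{2^{i+1}}} + ((i+1)-1)\vec 1_{\frac{3\cdot 2^{x+1}}{2^{i+1}}}\Big) \cdot \vec a\Big(\tfrac{3\cdot 2^{x+1}(2^i-1)}{2^i} + 1,\ \tfrac{3\cdot 2^{x+1}(2^{i+1}-1)}{2^{i+1}}\Big) \\
&+ (x+1)a_{(3\cdot 2^{x+1}-2)-3} + (x+2)a_{(3\cdot 2^{x+1}-2)-2} + (x+1)a_{(3\cdot 2^{x+1}-2)-1} + (x+2)a_{(3\cdot 2^{x+1}-2)} \\
&+ \sum_{i=1}^{x-1} \Big(\vec y_{\frac{3\cdot 2^{x+1}}{2^{i+1}}} + ((i+1)-1)\vec 1_{\frac{3\cdot 2^{x+1}}{2^{i+1}}}\Big) \cdot \vec c\Big(\tfrac{3\cdot 2^{x+1}(2^i-1)}{2^i} + 1,\ \tfrac{3\cdot 2^{x+1}(2^{i+1}-1)}{2^{i+1}}\Big) \\
&+ (x+2)c_{(3\cdot 2^{x+1}-2)-3} + (x+2)c_{(3\cdot 2^{x+1}-2)-2} + (x+1)c_{(3\cdot 2^{x+1}-2)-1} + (x+2)c_{(3\cdot 2^{x+1}-2)} \\
={}& \sum_{i=1}^{x} \Big(\vec z_{\frac{k+2}{2^i}} + (i-1)\vec 1_{\frac{k+2}{2^i}}\Big) \cdot \vec a\Big(\tfrac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \tfrac{(k+2)(2^i-1)}{2^i}\Big) \\
&+ (x+1)a_{k-3} + (x+2)a_{k-2} + (x+1)a_{k-1} + (x+2)a_k \\
&+ \sum_{i=1}^{x} \Big(\vec y_{\frac{k+2}{2^i}} + (i-1)\vec 1_{\frac{k+2}{2^i}}\Big) \cdot \vec c\Big(\tfrac{(k+2)(2^{i-1}-1)}{2^{i-1}} + 1,\ \tfrac{(k+2)(2^i-1)}{2^i}\Big) \\
&+ (x+2)c_{k-3} + (x+2)c_{k-2} + (x+1)c_{k-1} + (x+2)c_k.
\end{aligned}
$$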


This lemma presents a sophisticated expression for $m_k$ in terms of $a_i$'s and $c_i$'s. In what follows, we give the conditions on the values of $a_i$'s and $c_i$'s under which $m_k$ attains its minimum value when $n = \sum_{i=1}^{k}(a_i + c_i)$ is fixed. Thereby, the lowest possible average information ratio of the secret-sharing scheme constructed via this covering is obtained.

Theorem 2.3.5. Let Γ be a weighted threshold access structure represented by a k-weighted graph $G = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ of order n and $k = 3 \cdot 2^x - 2$. If $c_i = 1$ for all $i \ne \frac{k}{2} + 1$ and $a_i = 1$ for all $i \notin T = \{1, 2, 4, 6, \ldots, \frac{k}{2} + 1\}$, then

$$AR(G) \le \frac{12n + k^2 + 34k - 60\log_2\!\big(\frac{k+2}{3}\big) - 32}{12n}.$$

Proof. Observe that only $c_{\frac{k}{2}+1}$ and $a_i$, $i \in T$, have coefficient equal to one in the expression for $m_k$ in Lemma 2.3.4. So $m_k$ is minimized if $c_i = 1$ for all $i \ne \frac{k}{2} + 1$ and $a_i = 1$ for all $i \notin T$ since this expression for $m_k$ is linear. This case is similar to the reduced form. So, we make an adjustment in the expression for $m^0_{k_1}$ (with j = 1) in the proof of Theorem 2.3.3 to derive what we need here. The vertex-number sum $m_k$ of this covering is $m^0_{k_1} + \sum_{i \in T} a_i + c_{\frac{k}{2}+1} - (|T| + 1)$. Note that

$$
n = \sum_{i=1}^{k}(a_i + c_i) = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + \sum_{i \notin T} a_i + \sum_{i \ne \frac{k}{2}+1} c_i = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + (k - |T|) + (k - 1) = \sum_{i \in T} a_i + c_{\frac{k}{2}+1} + 2k - (|T| + 1).
$$

Therefore, in this case $m_k = \frac{1}{12}\big[k^2 + 58k - 60\log_2\!\big(\frac{k+2}{3}\big) - 32\big] + n - 2k = \frac{1}{12}\big[12n + k^2 + 34k - 60\log_2\!\big(\frac{k+2}{3}\big) - 32\big]$. The average information ratio of the secret-sharing scheme constructed with this covering attains its minimum value $\frac{m_k}{n}$ and the proof is completed.

Our result appears to be quite good if k is relatively small compared with n. In fact, for fixed k, the ratio given in Theorem 2.3.5 asymptotically approaches 1, which is the optimal value for this ratio.

2.4 Construction (II)

Our second construction is similar to the first, while it performs better than


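with $G_l$ in the covering. With the notations used before, we define our second covering $\widetilde{\Pi}_k$ of $G_k = W(a_1, \ldots, a_k, c_1, \ldots, c_k)$ recursively as follows. $\widetilde{\Pi}_i = \Pi_i$, i = 1, 2, 3. For $k \ge 4$,

$$\widetilde{\Pi}_k = \widetilde{\Pi}_{\lfloor \frac{k-1}{2} \rfloor} \cup \left\{ M_{\lfloor \frac{k-1}{2} \rfloor + 1,\, k} \right\} \cup \widetilde{\Pi}_{\lfloor \frac{k}{2} \rfloor}$$

where the $\widetilde{\Pi}_{\lfloor \frac{k}{2} \rfloor}$ is the complete multipartite covering of the $\lfloor \frac{k}{2} \rfloor$-weighted subgraph $\overline{W} = W\big(a_{\lfloor \frac{k-1}{2} \rfloor + 2}, a_{\lfloor \frac{k-1}{2} \rfloor + 3}, \ldots, a_k, c_{\lfloor \frac{k-1}{2} \rfloor + 2}, c_{\lfloor \frac{k-1}{2} \rfloor + 3}, \ldots, c_k\big)$. It is obvious that the edges not in the subgraphs $W\big(a_1, \ldots, a_{\lfloor \frac{k-1}{2} \rfloor}, c_1, \ldots, c_{\lfloor \frac{k-1}{2} \rfloor}\big)$ and $\overline{W}$ all lie in $M_{\lfloor \frac{k-1}{2} \rfloor + 1,\, k}$. So, $\widetilde{\Pi}_k$ is a complete multipartite covering of $G_k$.

Lemma 2.4.1. The collection $\widetilde{\Pi}_k$ is a complete multipartite covering of $G_k$ with minimum edge occurrence one.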

Figure 2.2: The binary tree for Construction (II)

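In order to evaluate the vertex-number sum $\widetilde{m}_k$ of $\widetilde{\Pi}_k$, we consider the reduced form first. Let $\widetilde{\Pi}^0_k$ and $\widetilde{m}^0_k$ be the reduced version of $\widetilde{\Pi}_k$ and $\widetilde{m}_k$ respectively. In the covering $\widetilde{\Pi}^0_k$, we decompose $G^0_k$ into $G^0_{\lfloor \frac{k-1}{2} \rfloor}$, $M^0_{\lfloor \frac{k-1}{2} \rfloor + 1,\, k}$ and $G^0_{\lfloor \frac{k}{2} \rfloor}$. Since $\lfloor \frac{k-1}{2} \rfloor$ equals $\lfloor \frac{k}{2} \rfloor - 1$ or $\lfloor k$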


and $M^0_{j,2j}$ to compose $G^0_{2j}$ or go with $G^0_j$ and $M^0_{j+1,2j+1}$ to compose $G^0_{2j+1}$. Recursively, all $G^0_k$'s can be obtained by using this process repeatedly from $G_1$, $G_2$, $G_3$ and some $M^0_{i,k}$'s. As we have done in Section 2.3, this relation is depicted by a binary tree in Figure 2.2. The $2^x$ paths of length x from the root give the conformations of the $2^x$ k-weighted graphs where $2^{x+1} \le k \le 3 \cdot 2^x - 1$ or $3 \cdot 2^x \le k \le 2^{x+2} - 1$.

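Theorem 2.4.2. Let Γ be a weighted threshold access structure represented by a k-weighted graph $G^0_k$ of reduced form, $k_1 = j \cdot 2^x$ and $k_2 = (j+1) \cdot 2^x - 1$, $x \ge 0$, j = 2, 3. If $k_1 \le k \le k_2$, then there exists a secret-sharing scheme Σ for the access structure Γ whose average information ratio $AR_\Sigma$ satisfies

$$
\frac{(\frac{3}{2}k_1 + 2)\log_2 k_1 + \delta_1^{(j)}k_1 + \delta_0^{(j)}}{2k_1} \le AR_\Sigma \le \frac{\frac{3}{2}(k_2+1)\log_2(k_2+1) + \delta^{(j)}(k_2+1) + 1}{2k_2}
$$

where

$$
(\delta^{(j)}, \delta_1^{(j)}, \delta_0^{(j)}) =
\begin{cases}
\big(\frac{4}{3} - \frac{3}{2}\log_2 3,\ -1,\ 2\big), & \text{if } j = 2; \\
\big(-1,\ \frac{4}{3} - \frac{3}{2}\log_2 3,\ 5 - 2\log_2 3\big), & \text{if } j = 3.
\end{cases}
$$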

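Proof. Recall that $M^0_{l_1,l_2}$ has order $m_{M^0_{l_1,l_2}} = 2l_2 - l_1 + 1$, $\widetilde{m}^0_i = m^0_i$, i = 1, 2, 3. $m^0_1 = 2$, $m^0_2 = 5$, and $m^0_3 = 9$.

(1) First, we consider $G^0_{k_2}$. For each $l = 2^i(j+1) - 1$, $G_l$ is composed of two $G_{\frac{l-1}{2}}$'s and one $M_{\frac{l+1}{2},\, l}$. So $\widetilde{m}^0_k$ can be evaluated recursively as follows.

$$
\begin{aligned}
\widetilde{m}^0_{k_2} &= 2\,\widetilde{m}^0_{2^{x-1}(j+1)-1} + 3 \cdot 2^{x-1}(j+1) - 1 \\
&= 2^x m^0_j + \sum_{i=1}^{x} \big(2^{i-1}(3 \cdot 2^{x-i}(j+1) - 1)\big) \\
&= 2^x \cdot m^0_j + 3x \cdot 2^{x-1}(j+1) - (2^x - 1) \\
&= 3 \cdot \frac{k_2+1}{2}\log_2\!\Big(\frac{k_2+1}{j+1}\Big) + \frac{m^0_j - 1}{j+1} \cdot (k_2+1) + 1 \\
&= \frac{3}{2}(k_2+1)\log_2(k_2+1) + \Big(\frac{m^0_j - 1}{j+1} - \frac{3}{2}\log_2(j+1)\Big)(k_2+1) + 1 \\
&= \frac{3}{2}(k_2+1)\log_2(k_2+1) + \delta^{(j)}(k_2+1) + 1.
\end{aligned}
$$

Hence, the secret-sharing scheme constructed with $\widetilde{\Pi}^0_{k_2}$ has average information ratio $AR_{\Sigma_2} = \frac{\widetilde{m}^0_{k_2}}{2k_2}$.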

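(2) The composition process of $G^0_{k_1}$ is shown on the leftmost path of length x from the root. Adding up the orders of all subgraphs involved, we have $\widetilde{m}^0_{k_1} = \widetilde{m}^0_j + \widetilde{m}^0_{j-1} + \sum_{i=1}^{x-1} \widetilde{m}^0_{2^i \cdot j - 1} + \sum_{i=1}^{x} m_{M^0_{2^{i-1}j,\, 2^i j}}$. Making use of the equation $\widetilde{m}^0_{2^x(j+1)-1} = 2^x \cdot m^0_j + 3x \cdot 2^{x-1}(j+1) - (2^x - 1)$ from the derivation in (1), we can continue to evaluate $\widetilde{m}^0_{k_1}$ according to the value of j as follows.

(i) If j = 3,

$$
\begin{aligned}
\widetilde{m}^0_{3 \cdot 2^x} &= m^0_j + m^0_{j-1} + \sum_{i=1}^{x-1} \big[2^i \cdot m^0_{j-1} + 3 \cdot i \cdot 2^{i-1} \cdot j - (2^i - 1)\big] + \sum_{i=1}^{x} (3 \cdot 2^{i-1} \cdot j + 1) \\
&= m^0_3 + m^0_2 + m^0_2(2^x - 2) + 9\big((x-2)2^{x-1} + 1\big) - (2^x - 1 - x) + 9(2^x - 1) + x \\
&= 9x \cdot 2^{x-1} + 4 \cdot 2^x + 2x + 5 \\
&= \frac{3k_1}{2}\log_2 k_1 + \Big(\frac{4}{3} - \frac{3}{2}\log_2 3\Big)k_1 + 2\log_2 k_1 + (5 - 2\log_2 3).
\end{aligned}
$$

(ii) If j = 2,

$$
\begin{aligned}
\widetilde{m}^0_{2^{x+1}} &= m^0_j + m^0_{j-1} + \sum_{i=1}^{x-1} \big[2^{i-1} m^0_3 + 3(i-1)2^{i-2} \cdot 4 - (2^{i-1} - 1)\big] + \sum_{i=1}^{x} (3 \cdot 2^{i-1} \cdot j + 1) \\
&= 3x \cdot 2^x + 2^x + 2x + 4 \\
&= \frac{3}{2}k_1\log_2 k_1 - k_1 + 2\log_2 k_1 + 2.
\end{aligned}
$$

Hence $\widetilde{m}^0_{k_1} = (\frac{3}{2}k_1 + 2)\log_2 k_1 + \delta_1^{(j)}k_1 + \delta_0^{(j)}$ and we have a secret-sharing scheme with average information ratio $AR_{\Sigma_1} = \frac{\widetilde{m}^0_{k_1}}{2k_1}$. The result follows immediately.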
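Construction (II) and the end-point values used in Theorem 2.4.2 can be checked by building the covering explicitly. The Python below is an added example, not code from the thesis; the vertex labels and the helper M(lo, mid, hi, ...) (the graph $M_{l_1,l_2}$ of Section 2.3 restricted to the blocks lo..hi) are assumptions made here. It goes beyond the reduced form by also accepting general sizes $a_i$, $c_i$, and it uses the relation, applied in the proofs above, that the scheme's average information ratio is the vertex-number sum divided by the number of vertices.

```python
from itertools import combinations
from math import log2

def C(i, c):
    return [("C", i, t) for t in range(1, c[i - 1] + 1)]

def A(i, a):
    return [("A", i, t) for t in range(1, a[i - 1] + 1)]

def adjacent(u, v):
    """Edge rule of Theorem 2.1.1: two distinct C-vertices, or C_i with A_j when i <= j."""
    if u[0] == v[0]:
        return u[0] == "C" and u != v
    cv, av = (u, v) if u[0] == "C" else (v, u)
    return cv[1] <= av[1]

def M(lo, mid, hi, a, c):
    """Partite sets of M_{mid,hi} inside blocks lo..hi: C_lo, ..., C_{mid-1},
    the singletons of C_mid, and the union of C_{mid+1..hi} and A_{mid..hi}."""
    big = [v for j in range(mid + 1, hi + 1) for v in C(j, c)]
    big += [p for j in range(mid, hi + 1) for p in A(j, a)]
    return [C(i, c) for i in range(lo, mid)] + [[v] for v in C(mid, c)] + [big]

def covering(lo, hi, a, c):
    """Construction (II) on blocks lo..hi, which induce a (hi-lo+1)-weighted graph."""
    k = hi - lo + 1
    if k == 1:                                   # base case Π_1 = {G_1}
        return [M(lo, lo, lo, a, c)]
    if k == 2:                                   # base case Π_2
        return [M(lo, lo, lo, a, c), M(lo, hi, hi, a, c)]
    if k == 3:                                   # base case Π_3
        return [M(lo, lo, lo, a, c), M(hi, hi, hi, a, c), M(lo, lo + 1, hi, a, c)]
    h = (k - 1) // 2
    return (covering(lo, lo + h - 1, a, c) + [M(lo, lo + h, hi, a, c)]
            + covering(lo + h + 1, hi, a, c))

def verify(a, c):
    """Check the covering against G; return (vertex-number sum, n, min edge occurrence)."""
    k = len(a)
    V = [v for i in range(1, k + 1) for v in C(i, c) + A(i, a)]
    E = {frozenset(p) for p in combinations(V, 2) if adjacent(*p)}
    pieces, seen = covering(1, k, a, c), {}
    for piece in pieces:
        for P, Q in combinations(piece, 2):
            for u in P:
                for v in Q:
                    if not adjacent(u, v):
                        raise ValueError("piece is not a subgraph of G")
                    e = frozenset((u, v))
                    seen[e] = seen.get(e, 0) + 1
    if set(seen) != E:
        raise ValueError("some edge of G is not covered")
    m = sum(len(P) for piece in pieces for P in piece)
    return m, len(V), min(seen.values())

def closed_form(k):
    """Reduced vertex-number sum at the end points k1 = j*2^x and k2 = (j+1)*2^x - 1
    of Theorem 2.4.2 (None for any other k)."""
    L3 = log2(3)
    deltas = {2: (4 / 3 - 1.5 * L3, -1, 2), 3: (-1, 4 / 3 - 1.5 * L3, 5 - 2 * L3)}
    for j, (d, d1, d0) in deltas.items():
        x = 0
        while j * 2 ** x <= k:
            if k == j * 2 ** x:
                return (1.5 * k + 2) * log2(k) + d1 * k + d0
            if k == (j + 1) * 2 ** x - 1:
                return 1.5 * (k + 1) * log2(k + 1) + d * (k + 1) + 1
            x += 1
    return None

if __name__ == "__main__":
    for k in range(2, 13):
        m, n, _ = verify([1] * k, [1] * k)       # reduced form G_k^0
        print(k, m, closed_form(k), m / n)       # m / n: average information ratio
```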

Next, we give the expression for $\widetilde{m}_k$ for a k-weighted graph of general
