Secret sharing schemes for graph-based prohibited structures

P e r g a m o n

Computers Math. Applic. Vol. 36, No. 7, pp. 131-140, 1998 © 1998 Elsevier Science Ltd. All rights reserved Printed in Great Britain 0893-9659/98 $19.00 + 0.00 P I I : S0898-1221 (98)00177-1

Secret Sharing Schemes for

G r a p h - B a s e d Prohibited Structures

H U N G - M I N S U N *

D e p a r t m e n t of Information Management Chaoyang I n s t i t u t e of Technology 168, Gifeng E. Rd., Wufeng, Taichung County

Taiwan 413, R.O.C. hmsun@dscs2, csie. nctu. edu. tw

S H I U H - P Y N G S H I E H

D e p a r t m e n t of Computer Science and Information Engineering National Chiao Tung University

Hsinchu, Taiwan 30050, R.O.C. ssp@csie, nctu. edu. t w

(Received October 1996; accepted June 1997)

A b s t r a c t - - A secret sharing scheme for the prohibited structure is a method of sharing a master key among a finite set of participants in such a way that only certain prespecified subsets of participants cannot recover the master key. A secret sharing scheme is called perfect, if any subset of participants who cannot recover the master key obtains no information regarding the master key. In this paper, we propose an efficient construction of perfect secret sharing schemes for graph-based prohibited structures where a vertex denotes a participant and an edge does a pair of participants who cannot recover the master key. The information rate of our scheme is 2/n, where n is the number of participants. (~) 1998 Elsevier Science Ltd. All rights reserved.

K e y w o r d s - - C r y p t o g r a p h y , Data security, Information theory, Secret sharing scheme.

1 . I N T R O D U C T I O N

I n 1987, I t o et al. [1] d e s c r i b e d a g e n e r a l m e t h o d of s e c r e t s h a r i n g c a l l e d Secret Sharing Scheme (SSS) w h i c h allows a m a s t e r key t o b e s h a r e d a m o n g a finite set o f p a r t i c i p a n t s in s u c h a w a y t h a t o n l y c e r t a i n p r e s p e c i f i e d s u b s e t s of p a r t i c i p a n t s c a n recover t h e m a s t e r key. L e t P b e t h e set of p a r t i c i p a n t s . T h e set o f all s u b s e t s of P , d e n o t e d b y 2 P, is c a l l e d t h e p o w e r set o f P . W e use t h e n o t a t i o n X \ Y = {x I x E X a n d x ~ Y } t o d e n o t e t h e difference o f t w o sets X a n d Y. T h e c o l l e c t i o n of s u b s e t s of p a r t i c i p a n t s t h a t c a n r e c o n s t r u c t t h e m a s t e r k e y in t h i s w a y is c a l l e d access structure ( d e n o t e d b y F ) . T h e c o l l e c t i o n o f s u b s e t s o f p a r t i c i p a n t s t h a t c a n n o t r e c o n s t r u c t t h e m a s t e r k e y is c a l l e d prohibited structure ( d e n o t e d b y A ) [2]. T h e n a t u r a l r e s t r i c t i o n is t h a t r is m o n o t o n e i n c r e a s i n g a n d A is m o n o t o n e d e c r e a s i n g , t h a t is, if A E F a n d A C_ B C P , if A E A a n d B C_ A C_ P , then B ~ F, then B E A. a n d

*Author to w h o m all correspondence should be sent.

This work was supported in part by the National Science Council, Taiwan, under contract NSC-87-2213-E-324-003. Typeset by .A.A~-TEX 131

132 H.-M. SUN AND S.-P. SmEH

If A = 2 P \ F , then we say the structure (F, A) is complete [2]. In the special case where F = {A I A C P and IA] _> m} and A = {A ] A C P and ]A] _< m - 1}, the secret sharing scheme is called an (m, n)-threshold scheme [3,4], where IPI = n. Let K be the master key space and S be the share space. The information rate of the secret sharing scheme is defined to be the ratio between the master key size and the maximum size of the shares [5]. Here we use the notation p = log 2 ]Kl/log 21S] to denote the information rate. If a secret sharing scheme is to be practical, we do not want to have to distribute too much secret information as shares. Consequently, we want to make the information rate as high as possible. A secret sharing scheme is perfect if any set of participants in the prohibited structure A obtains no information regarding the master key [6-9]. Secret sharing schemes are classified into the following types.

TYPE I. A secret sharing scheme for the access structure r' is a method of sharing a master key among a finite set of participants in such a way t h a t only subsets of participants in F can recover the master key while other subsets cannot. T h a t is, A ( = 2 P \ F ) is implied.

TYPE II. A secret sharing scheme for the prohibited structure A is a method of sharing a master key among a finite set of participants in such a way t h a t only subsets of participants in A cannot recover the master key while other subsets can. T h a t is, F ( = 2 P \ A ) is implied.

TYPE III. A secret sharing scheme for the mixed structure (F, A) is a m e t h o d of sharing a master key among a finite set of participants in such a way that subsets of participants in F can recover the master key, but subsets of participants in A cannot recover the master key. T h a t is, the privileges of subsets in 2 P \ ( F U A) can be ignored. Any subset of participants in 2 P \ ( F U A) may either recover the master key or not. Note that, here F N A = O, and F U A C 2 P.

Given any access structure F, Ito et al. [1,8] showed t h a t there exists a perfect secret sharing scheme to realize the structure. Benaloh and Leichter [10] proposed a different algorithm to realize secret sharing schemes for any given monotone access structure. In both constructions, the information rate decreases exponentially as a function of n, the number of participants.

There are several performance and efficiency measures proposed for analyzing secret sharing schemes [5,11-14]. Their goal is to maximize the information rate of a secret sharing scheme. Brickell and Stinson [5] studied a perfect secret sharing scheme for graph-based access structure F where the monotone-increasing access structure F contains the pairs of participants corresponding to edges (the prohibited structure is implied to be the collection of subsets of participants corre- sponding to any independent set of the graph). T h e y proved that, for any graph G with n vertices having maximum degree d, there exists a perfect secret sharing scheme for the access structure based on G in which the information rate is at least 2/(d + 3). Stinson [14] improved the general result t h a t there exists a perfect secret sharing scheme realizing access structure based on G in which the information rate is at least 2/(d + 1). After that, van Dijk [12] showed t h a t Stinson's lower bound is tight because he proved that there exist graphs having maximum degree d such t h a t the optimal information rate is at most 2/(d + 1 - e), for all d _> 3 and E > 0. Secret shar- ing schemes for mixed structures (F, A) proposed by Shieh and Sun in 1994 [15] were based on the graph where F contains the pairs of participants corresponding to edges and A contains the pairs of participants corresponding to nonedges. T h e information rate of their scheme is 1/(2n), where n is the number of participants. In 1996, Sun and Shieh [16] improved the information rate of the secret sharing scheme to be 1/(n - 1).

In this paper, we study the perfect secret sharing scheme for a prohibited structure based on the graph where the monotone-decreasing prohibited structure A contains all participants and the pairs of participants corresponding to edges (the access structure is implied to be the union of {A [ A C P and IA[ _> 3} and the pairs of participants corresponding to nonedges of the graph). We propose an efficient perfect secret sharing scheme for the graph-based prohibited structure. The information rate of our scheme is 2/n, where n is the number of participants. Our scheme can be applied to the reduction of storage and computation loads on the key distribution server in a secure network.

Graph-Based Prohibited Structures 133 This paper is organized as follows. In Section 2, we give some preliminaries which will be used later on to construct the perfect secret sharing schemes of graph-based prohibited structures. In Section 3, we propose a construction of perfect secret sharing schemes for graph-based prohibited structures. An example of a perfect secret sharing scheme for the graph-based prohibited struc- ture is demonstrated in Section 4. In Section 5, we discuss the application of our construction. Finally, we conclude this paper in Section 6.

2. P R E L I M I N A R I E S

2.1. P e r f e c t (m, n) T h r e s h o l d S c h e m e s

The (m, n) threshold schemes were introduced by Blakley and Shamir in 1979 [3,4]. The main idea underlying an ( m , n ) threshold scheme is to divide the master key K into n shares Si's corresponding to n participants (1 < i < n) in such a way t h a t the master key K cannot be reclaimed unless m shares are collected. Apparently, the (m, n) threshold scheme is the special case of secret sharing schemes when the qualified subsets of participants are all subsets whose order are larger t h a n or equal to m and the nonqualified subsets of participants are all subsets whose order are less t h a n or equal to rn - 1.

A secret sharing scheme is perfect if any unqualified subset of participants provides no infor- mation about the shared secret K [6,8]. It means t h a t the prior probability p ( K = Ko) equals the conditional probability p ( K = Ko given any or less secret shares of an unqualified set). By using the entropy function H from [6,7,9], we can state the requirements for an (m, n) threshold scheme as follows:

(1) H ( K I S i , , . . . , S ~ , ~ ) = 0 ; (2) H ( K [ S ~ , , . . . , S i , , _ l ) = H ( K )

for an arbitrary set of m indices { i l , . . . ,ira} from { 1 , . . . ,n}.

As an example, we review the (m, n) threshold scheme proposed by Shimir [4] as follows. We assume t h a t the master key K is taken randomly from GF(q). Therefore, H ( K ) = log q. Let f ( x ) = am_iX m-1 + . . . + al x + K (rood q) be a polynomial of degree m - 1 over the finite field GF(q). The n share S~'s are computed from f ( x ) as follows:

Si = f ( i ) ( m o d q), i = 1 , . . . , n .

Obviously, given any m secret shares S ~ , . . . , S~,,, { i l , . . . , ira} C { 1 , . . . , n}, f ( x ) can be recon- structed from the Lagrange interpolating polynomial as follows [6]:

Thus, the master key K can be obtained by f(O). On the other hand, given any m - 1 secret shares Si~ , . . . , Si,~_ ~ , { i l , . . . , i r a - l } C { 1 , . . . , n } , f ( O ) can be written as follows:

f(0) = a + S~.,. b(mod q), where

a = E Si~" ~ - k - ~ ) and b = H (r,~--'ij'--)'

k=l j f l j # k j=l

Because S~,~ is uniformly distributed over G F ( q ) , H ( K [ S i l , . . . , S ~ _ I ) =

H(f(O) I &l,

. . . , S~,,,_ ~ ) = H ( a + S~,,, • b) = H ( S~,,, ) = logq = H ( K ) . Therefore, the (re, n) threshold scheme is perfect.

134 H.-M. SUN A N D S.-P. SHIEH

2.2. Perfect Secret Sharing Schemes for Mixed Structures (r, A)

In this section, we give a construction of perfect secret sharing schemes for mixed structures (F, A), where F = {P} and A = {A [ A C_ P and [A[ < [P[ - 2}. The secret sharing scheme will be used later on to construct the perfect secret sharing schemes for graph-based prohibited structures.

We assume t h a t the master key K = (K1,K2) is taken randomly from G F ( q ) x GF(q). It is clear t h a t H (K) = 2 log q. Let f (x) = an- 1 x n - 1 + . . . + a2x2 + K1 x + 1(2 (mod q) be a polynomial of degree n - 1 over the finite field GF(q). The n shares Sz's are computed from f ( x ) as follows:

Si = f ( i ) ( m o d q), i = 1 , . . . , n .

Obviously, given n secret shares S~, i = 1 , . . . , n, f ( x ) can be reconstructed from the Lagrange interpolating polynomial as follows [6]:

f ( x ) = S k . (mod q).

k--1 j = l , j ~ k

Thus, the master key K can be obtained from f ( x ) . On the other hand, given any n - 2 secret shares S~1,..., S~._2, { Q , . . . , in-2} c { 1 , . . . , n}, we can get the following relations:

• i~ -1 i n - I n - 4 i n - 1 n - 3 i n - 1 • n - 2 i l 1 i n - 4 1 i n - 3 1 in-2 1 a n - 1 a2 K1 K2 S ~ 4

S~,n- 3

(rood q).

Because there are n unknown variables, a n - l , . . . , a2, K1, K2, among these n - 2 equations, it is clear t h a t the total number of possible solutions for K = (K1,/(2) is q2. Hence, H ( K J S~1,..., Si,_2) = H ( K 1 , K 2 J S ~ I , . . . , S i , _ 2 ) = 21ogq = H ( K ) . Therefore, the secret sharing scheme for the mixed structure (F, A) is perfect.

3. C O N S T R U C T I O N O F P E R F E C T S S S F O R P R O H I B I T E D S T R U C T U R E S B A S E D O N G R A P H S

Let P be the set of participants, and G be a graph where a vertex denotes a participant in P and an edge denotes a pair of participants• In a perfect secret sharing scheme for the prohibited structure based of G, a pair of participants corresponding to an edge of G cannot obtain any information regarding the master key. In addition, we also assume t h a t each participant corresponding to a vertex of G cannot obtain any information regarding the master key. This is because t h a t if one participant is allowed to recover the master key by himself, we can assign the master key as his share and remove him from the graph G. The graph we consider here may include disconnected graphs and isolated vertices. A participant corresponding to an isolated vertex can be interpreted as t h a t he can recover the master key in cooperation with any participant in the graph except himself. We use E ( G ) to denote the set of edges of G; E(G) to denote the set of edges of G, where G is the complement of G; S to denote the set of pairs of participants corresponding to edges in E(G); R to denote the set of pairs of participants corresponding to edges in E(G). It is reasonable to restrict t h a t the prohibited structure and the access structure are monotone• Thus, given a graph G, the prohibited structure is denoted by A = {A I A C

Graph-Based Prohibited Structures 135 P and IA I = 1} U {A I A • S}, and then the access structure is decided by 2 P \ A = {A

IA

c_ P a n d l A I > 3 } U { A I A • R } .

In the following, we will use the conventional threshold schemes [3,4] to construct the perfect secret sharing schemes for graph-based prohibited structures. We assume t h a t all computations are over G F ( q ) where q is a prime.

Given a graph G for the prohibited structure, a perfect secret sharing scheme is constructed as follows. Assume t h a t P = { P l , p 2 , . . . ,P,,} is the set of participants corresponding to the vertices of the graph G. We first construct n + 1 conventional (2, n)-threshold schemes [3,4], named TS1, TS2 . . . . , and TSn+I. To avoid ambiguity, we call the master key and the shares of each T S i submaster key and subshares, respectively. For each (2, n) - T S i , let Ski be its submaster key and si,1, s i , 2 , . . . , si,n be its n subshares. Thus, given any two subshares, si,j and si,k(1 _< j < k < n), the submaster key Ski can be recovered, but less t h a n two subshares provide no information about Ski.

T h e master key of the secret sharing scheme for the prohibited structure based on the graph G is given by K = (K1, K2), which is protected by these submaster keys S k i , S k 2 , . . . , Skn, ,~kn+l in such a way t h a t all n + 1 submaster keys S k i , S k 2 , . . . , Skn, Skn+l collected together, the master key K can be recovered, but any n - 1 or less submaster keys provide no information regarding the master key. It is easy to construct such protection mechanism following the m e t h o d proposed in Section 2.2.

T h e share of participant pi is given by Si = ( a i , 1 , . . . , a i , t , . . . , ai,n, aim+i), where 1 < t < n + 1,

ai,t is e m p t y ai,t = St,i ai,t = Skt ai,t = St,i a~,t = S k t if t = i,

if t = n + 1 and Pt is an isolated vertex, if t = n + 1 and Pt is not an isolated vertex, i f t ~ i , t ~ n + l , and pipt is an edge of G, if t ~ i, t ~ n + 1, and pipt is not an edge of G. Thus, the constructed secret sharing scheme satisfies:

(1) if A E S, A obtains no information regarding the master key,

(2) if A C P and [A[ = 1, A obtains no information regarding the master key, (3) if A E R , A can recover the master key,

(4) if A C_ P and [A I > 3, A can recover the master key.

THEOREM 1. / f A E S, A obtains no information regarding the master key of the constructed secret sharing scheme for the prohibited structure based on the graph G.

PROOF. We assume t h a t A = {pi,pj}, where i ¢ j. T h e share o f p i is Si = (ai,l,ai,2,... ,ai,n+l) and the share o f p j is Sj = ( a j , l , a j , 2 , . . . , a j , n + l ) . Because A • S, Pipj is an edge of G. We conclude t h a t for any t, 1 < t < n + 1, one of the following four cases holds.

(1) ai,t = S k t and aj,t = S k t if t = n + 1, (2) ai,t = e m p t y and aj,t = s t j if t = i, (3) ai,t = st,i and aj,t = e m p t y if t = j ,

(4) ai,t = st# or Skt, and aj,t = std or Skt it t ¢ n + 1,t ~ i, and t ¢ j.

In Cases (1) and (4), the submaster key Skt can be recovered. In Case (2), ai,i and ai,i can obtain only one subshare si,j of the (2, n) - T S i . Therefore, Pi and pj get no information about the submaster key Ski. In Case (3), a~,j and aj,j can obtain only one subshare sj# of the (2, n) - T S i. Therefore, Pi and pj get no information about the submaster key S k i . Hence, Pi and pj can obtain only n - 1 submaster keys which provide no information regarding the master

136 H.-M. SUN AND S.-P. SHIEH

THEOREM 2. / f A C P and [A[ = 1, A obtains no information regarding the master key of the constructed secret sharing scheme for the prohibited structure based on the graph G.

PROOF. This means the case t h a t each participant obtains no information regarding the master key. We assume t h a t A -- {Pi} and the share o f p i is Si = ( a i , l , a i , 2 , . . . ,ai,n+l). I f p i is not an isolated vertex, then there exists a vertex pj such t h a t Pipj is an edge of G. From Theorem 1, we know t h a t {Pi, Pj } obtains no information regarding the m a s t e r key. Therefore, A = {Pi} obtains no information regarding the m a s t e r key.

If pi is not an isolated vertex, we conclude t h a t for any, t, 1 < t < n + 1, one of the following three cases holds.

(1) ai,t = st# if t = n + l; (2) ai,t = e m p t y if t = i; (3) ai,t = S k t if t ~ n + 1, t ~ i.

In Cases (1) and (2), Pi gets no information a b o u t the s u b m a s t e r key Skn+l and Ski. Hence, Pi can obtain only n - 1 s u b m a s t e r keys which provide no information regarding the master

key K . 1

THEOREM 3. If A 6 R , A can recover the master key of the constructed secret sharing scheme for the prohibited structure based on the graph G.

PROOF. We assume t h a t A = {pi,pj}, where i ¢ j . The share o f p i is Si = (ai,1, a i , 2 , . . . , ai,n+l) and the share of pj is Sj = (ai,1, a33.,..., aj,n+l). Because A E R , PiPj is an nonedge of G. We conclude t h a t for any t, 1 < t < n + 1, one of the following three cases holds.

(1) ai,t = e m p t y and aj,t = Skt if t = i; (2) ai,t : Skt and aj, t = e m p t y if t = j;

(3) ai,t = st# or Skt, and aj,t : 8t,j o r S k t if t ~ i, and t ~ j.

In Cases (1)-(3), the s u b m a s t e r key kt can be recovered. Thus, participant Pi and participant pj can recover all n + 1 s u b m a s t e r keys S k i , S k 2 , . . . , Skn+l, and hence, the m a s t e r key K . | THEOREM 4. iT/A C P and [A[ > 3, A can recover the m a s t e r key of the constructed secret sharing scheme for the prohibited structure based on the graph G.

PROOF. W i t h o u t loss of generality, we assume t h a t A = {Pi,Pi,Pk}, where i, j , and k are distinct. If there exists a pair of participants of A belongs to R , then t h e m a s t e r key can be recovered from T h e o r e m 3. All we need to consider is the case t h a t all PiPj, PiPk, and PiPk are edges of G. From T h e o r e m 1, we know t h a t Pi and pj can recover all s u b m a s t e r keys except Ski and Ski. Similarly, Pi and Pk can recover all submaster keys except Ski and Skk. Also, pj and Pk can recover all s u b m a s t e r keys except Ski and Skk. Therefore, Pi,Pj, and Pk can recover all s u b m a s t e r keys S k i , S k 2 , . . . , Skn+l, and hence, the master key K . l

T h e share of participant pi(= (ai,1,..., a i , t , . . . , ai,n, ai,,~+l)) is an (n + 1)-dimensional vector. Except t h a t ai,i is empty, every ai,j is over GF(q). Therefore, the size of the share is qn. Because the m a s t e r key K is equal to (K1, K2), the size of the m a s t e r key space is q2. It is clear t h a t the information rate of our secret sharing scheme for the graph-based prohibited structure is log q2/log q~ -- 2/n, where n is the number of participants.

4. A N E X A M P L E OF P E R F E C T SSS

F O R A P R O H I B I T E D S T R U C T U R E

We d e m o n s t r a t e the use of our method in the following example. In Figure 1, the graph G denotes the prohibited structure with six participants. Therefore, E(G) = {PiPs, PiPs, P2Ps, P2Ps, P3Ps, p3Ps } and E(-G) = {piP2, PIP4, PiPs, P2P3, P2P4, P3P4, P4Ps, P4P6, PsP6 }. T h e secret sharing scheme for the prohibited structure based on the graph G is constructed as follows. Let P =

Graph-Based Prohibited Structures PI P 6 o.. .,o --.. P 2 o- ... i . . . / ," . . . ill ; ? . / ) 5 i j . J " P3 /)4

Figure 1. Graph G with six participants.

137

{Pl, P2, P3, P4, Ps, P6 }. Thus,

S = { { P l , P 3 } , { P l , P 5 } , { P 2 , P 5 } , { P 2 , R 6 } , { R 3 , P 5 } , { R 3 , P 6 } } , and

R =

The prohibited structure

A = ~¢~p1}~p2}~p3}~p4}~{p5}~p6}~pbp3}~{p1~p5}~p2~p5}~{p2~p6~p3~p~}'~p3~p6}}.

The access structure

F : { { R I , p 2 } , { P l , P 4 } , { R I , P 6 } , { P 2 , p 3 } , { p 2 , p 4 } , { P 3 , R 4 } , { R 4 , P 5 } , { p 4 , P 6 } { R 5 , P 6 ) , {Pl,P2,P3},{Pl,P2,P4},{Pl,P2,PS},{BI,P2,P6},{Pl,P3,P4},{Pl,P3,Ps}, {P2,P3,P6},{P2,Pa,PS},{P2,P4,R6},{P2,P~,P6},{P3,P4,PS},{P3,P4,P6}, {Pl, P2, P4, P5 }, {Pl, P2, P4, P6 }, {Pl, P2, PS, P6 }1 {Pl, P3, P4, P5 }, {Pl, P3, P4, P6 }, {Pl , P3, P5, {P2,P4,Ps, {Pl,P2,P3, {Pl,P2,P3,

p6},{pl,v4,ps,p6},{ ,p3,v4,vs},{p2,p3,v4,v6},{v2,p3,vs,p },

P6}, {P3,P4,Ps,P6}, {Pl,P2,P3,P4,Ps}, {Pl,P2,P3,P4,P6}, Ps,P6},{Pl,P2,Pa,Ps,P6},{Pl,P3,P4,Ps,P6},{P2,P3,P4,Ps,P6},

Let TS1, T S 2 , . . . , and TS7 be seven (2,6)-threshold schemes. We assume that Ski is the

submaster key of T S i and s~,l, si,2,..., and si,6 are the subshares of TSi, for 1 < i < 7. Here we

use Shamir's method [4] to construct these threshold schemes. For each (2, 6) - TSi, let

f i ( x ) = ri . x + Ski(mod q)

be a secret polynomial of degree 1 over the finite field GF(q), where q is a prime. Let I D j denote

the identity of the participant pj. The six subshares si,1,...,si,6 are computed from f~(x) as

follows:

si,j = f i ( I D j ) ( m o d q), j = 1 . . . . ,6.

Obviously, given any two subshares, si,j and si,k, f i ( x ) can be reconstructed from the Lagrange

interpolating polynomial as follows [6]:

(x - IDk) (x - I D j ) (mod q).

138 H.-M. SUN AND S.-P. SHIEH

Thus, the submaster key

Ski(=

f~(0)) can be obtained, but less than two subshares provide no information about the submaster key.

The master key of the secret sharing scheme is given by K = (K1, K2) which is protected by these submaster keys

Ski, Sk2,... ,Sk7

in such a way that all seven submaster keys collected together, the master key K can be recovered, but any five or less submaster keys provide no information regarding the master key (see Section 2.2.). The shares of participants are given by:

S1 = (--, Sk2, s3,1, Sk4, s5,1, Sks, SkT)

$2 = (Ski,--, Sk~, Sk4, s5,2, s6,2, SkT)

$3 = <s1,3,

Sk2,--, Sk4,

s5,3,

s6,3, SkT>

$4 = (Ski, Sk2, Sk3,--, Sk5, Sks,

87,4)

$5 = (s,,s,

s2,5, s3,5, Sk4,--, Sks, Sk~>

$6 = (Ski, s2,6, s3,6, Sk4, Sks,--, SkT>

where ' - - ' , denotes e m p t y entry.

In the following, we demonstrate the constructed secret sharing scheme satisfies: (1) if A E S, A obtains no information regarding the master key;

(2) if A C_ P and [A[ = 1, A obtains no information regarding the master key; (3) if A E R , A can recover the master key;

(4) if A C_ P and [A[ > 3, A can recover the master key.

If A --- {Pl,P3} E A, A cannot recover

Ski

and

Sk3.

Therefore, A obtains no information about the master key K .

If A = {P4} E A, A cannot recover

Sk4

and

SkT.

Therefore, A obtains no information about the master key K .

If

A -- {Pl,p2} E

F, A can recover the master key K as follows.

(1) Participant PI can obtain

Sk2, Sk4, Sks,

and

Sk7

because he owns his share $1. (2) Participant P2 can obtain

Ski, Sk3, Sk4,

and

Sky

because he owns his share $2. (3) Participants Pl and P2 can recover

Sk5

from as,1 of S1 and s5,2 of $2.

Therefore, participants Pl and P2 can recover all seven submaster keys, and hence, the master key K.

If A = {Pl,P3,Ps} E F, A can recover the master key K as follows.

(1) Participant Pl can obtain

Sk2, Sk4, Sks,

and

Sk7

because he owns his share $1. (2) Participants P3 and Ps can recover

Ski

from Sl,3 of $3 and sl,s of Ss.

(3) Participants Pl and Ps can recover Sk3 from s3,1 of S1 and s3,s of $5. (4) Participants Pl and P3 can recover

Sks

from ss,1 of $1 and s5,3 of $3.

Therefore, participants Pl, P3, and Ps can recover all seven submaster keys, and hence, the master key K.

5. A P P L I C A T I O N

Our secret sharing scheme for graph-based prohibited structures can be employed in many applications in various areas, such as secure communication networks, and secure databases. It is particularly useful for access control (e.g., reading a file, or sending a message) in an environment where the number of participants is large, such as a large secure network. Consider a network system with n participants, where an access control policy is enforced by a Communication Granting Server (CGS) to restrict the communication between participants. A secure session key will be issued unless the sender requesting the key is allowed to communicate with the receiver. The access control matrix employed in conventional access control mechanisms can be used by the C G S to achieve the goal [17]. However, the C G S needs to store and search the large access control matrix of size O(n2). This size of information causes heavy storage and computation

Graph-Based Prohibited Structures 139 loads on t h e C G S w h e n n is large. I n t h e worst case, t h e storage a n d c o m p u t a t i o n loads m a y m a k e this design impractical.

I n c o n t r a s t , t h e secret sharing scheme for g r a p h - b a s e d p r o h i b i t e d s t r u c t u r e s is m o r e efficient. We can t r a n s f o r m t h e c o m m u n i c a t i o n relationships into a graph, where a v e r t e x denotes a par- t i c i p a n t a n d an edge does an illegal c o m m u n i c a t i o n . In t h e n e t w o r k system, each p a r t i c i p a n t holds a secret (e.g., his password). T h e secret can be t r a n s f o r m e d into t h e c o r r e s p o n d i n g share in t h e secret s h a r i n g scheme b y t h e c o m m u n i c a t i o n g r a n t i n g server. T h e t r a n s f o r m a t i o n needs to be o n e - w a y so t h a t it is c o m p u t a t i o n a l l y infeasible to c o m p u t e t h e secret f r o m t h e share. T w o p a r t i c i p a n t s present their secrets t o t h e C G S w h e n a t t e m p t i n g t o c o m m u n i c a t e . If t h e two corre- s p o n d i n g shares g e n e r a t e d b y t h e two secrets c a n successfully d e t e r m i n e t h e m a s t e r key, t h e C G S will r e t u r n a session key t o b o t h participants. This session key will be used as b o t h e n c r y p t i o n a n d d e c r y p t i o n keys for f u t u r e c o m m u n i c a t i o n between these two participants. I n t h e scheme, t h e C G S need n o t m a i n t a i n a large access control matrix, b u t only needs t o keep a single m a s t e r key.

6. C O N C L U S I O N S

I n this paper, we give a c o n s t r u c t i o n of perfect secret sharing schemes for mixed s t r u c t u r e s (F, A ) , where F = ( P } a n d A = ( A [ A C_ P a n d IAI <_ IPI - 2). Based on t h e p r o p o s e d perfect secret s h a r i n g schemes, we p r o p o s e an efficient c o n s t r u c t i o n of a perfect secret sharing scheme for g r a p h - b a s e d p r o h i b i t e d s t r u c t u r e s where a vertex denotes a p a r t i c i p a n t a n d an edge denotes a pair of p a r t i c i p a n t s w h o c a n n o t recover t h e m a s t e r key. T h e i n f o r m a t i o n r a t e of o u r scheme is 2 / n , where n is t h e n u m b e r of participants. We also present an application of o u r scheme to t h e reduction of storage a n d c o m p u t a t i o n loads o n the c o m m u n i c a t i o n granting server in a secure network.

R E F E R E N C E S

i. M. Ito, A. Saito and T. Nishizeki, Secret sharing scheme realizing general access structure, In Proceeding of I E E E Globecom '87, Tokyo, pp. 99-102, (1987).

2. W.A. Jackson, K.M. Martin and C.M. O'Keefe, Multisecret threshold schemes, In Advances in Cryptology- Crypto '93 Proceedings, Lecture Notes in Computer Science, Volume 773, pp. 126-135, Springer-Verlag, Berlin, (1994).

3. G.R. Blakley, Safeguarding cryptographic keys, In Proceeding of AFIPs 1979 National Computer Con]erence, New York, Volume 48, pp. 313-317, (1979).

4. A. Shamir, How to share a secret, Commun. of the ACM 22 (11), 612-613, (1979).

5. E.F. Brickell and D.R. Stinson, Some improved bounds on the information rate of perfect secret sharing schemes, Journal of Cryptology 5, 153-166, (1992).

6. D.E.R. Denning, Cryptography and Data Security, Addison-Wesley, Reading, MA, (1983). 7. R.W. Hamming, Coding and Information Theory, Prentice-Hall, Englewood Cliffs, N J, (1986).

8. M. Ito, A. Saito and T. Nishizeki, Multiple assignment scheme for sharing secret, Journal of Cryptolog~ 6, 15-20, (1993).

9. C.E. Shannon, Communication theory of secrecy systems, Computer Security Journal Vl (2), 7-66, (1990). 10. J. Benaloh and J. Leichter, Generalized secret sharing and monotone functions, In Advance8 in Cryptology- Crypto'88 Proceedings, Lecture Notes in Computer Science, Volume 403, pp. 27-35, Springer-Verlag, Berlin, (1990).

11. R.M. Capocelli, A. DeSantis, L. Gargano and U. Vaccaro, On the size of shares for secret sharing schemes, In Advances in Cryptology-Crypto'91 Proceeding, Lecture Notes in Computer Science, pp. 101-113, Springer- Verlag, Berlin, (1992).

12. M. van Dijk, On the information rate of perfect secret sharing schemes, Designs, Codes and Cryptography 6, 143-169, (1995).

13. D.R. Stinson, New general lower bounds on the information rate of secret sharing schemes, In Advance in Cryptology-CRYPTO'9~, Lecture Notes in Computer Science, Volume 740, pp. 168-182, (1993).

14. D.R. Stinson, Decomposition constructions for secret sharing schemes, IEEE Trans. Inform. Theory 40 (1), 118-125, (1994).

15. S.P. Shieh and H.M. Sun, On constructing secret sharing schemes, In Proceedings of the 1994 IEEE Interna- tional Conference of Computer Communications, Networking for Global Communications (INFOCOM'9~), pp. 1288-1292, (1994).

140 H.-M. SUN AND S.-P. SHIEH

16. H.M. Sun and S.P. Shieh, A n efficient construction of perfect secret sharing schemes for graph-based struc- tures, Computers Math. Applic. 31 (7), 129-135, (1996).

17. B.W. Lampson, Protection, In Proceeding of the 5 th Princeton STrop. of Info. Sci. and Syst., Princeton Univ., pp. 437-443, (March 1971); Reprinted in A C M Oper. Svst. Rev. 8 (1), 18-24, (January 1994).