
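National Chiao Tung University, College of Science, Department of Applied Mathematics

Master's Thesis

A Study of Secret Sharing Schemes on Graph-Based Access Structures

Perfect Secret Sharing Schemes

for Access Structures

Based on Graphs

Student: Bo-Rong Lin

Advisors: Professor Hung-Lin Fu and Associate Professor Hui-Chuan Lu

June 2014 (year 103 of the Republic of China)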


A Dissertation Submitted to Department of Applied Mathematics, College of Science, National Chiao Tung University, in Partial Fulfillment of the Requirements for the Degree of Master in Applied Mathematics

June 2014

Hsinchu, Taiwan, Republic of China


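Abstract (in Chinese)

A secret sharing scheme is a mechanism that divides a secret into many shares and distributes them to all participants, so that only the shares held by the members of certain qualified subsets can reconstruct the secret, while the members of any unqualified subset cannot obtain any information related to the secret from the shares they hold. The collection of all qualified subsets is called the access structure of the scheme.

In the access structure based on a graph G, each vertex of G is regarded as a participant, and any set of vertices that contains some edge is a qualified subset. The information ratio of a secret sharing scheme is the ratio of the maximum length of the shares held by the participants under the scheme to the length of the secret. The information ratio of the graph G discussed in this thesis is the infimum of the information ratios of all secret sharing schemes that can be constructed for the access structure based on G.

In this thesis, we obtain a lower bound on the information ratio of a particular infinite class of graphs and, using a vector space approach, we fully construct secret sharing schemes for two special subclasses of this infinite class and show that their information ratios are both 2. This gives an upper bound on the information ratio of these two subclasses. In some cases this upper bound is quite close to the lower bound we derive, that is, the secret sharing schemes we construct are quite good.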


Abstract

A perfect secret sharing scheme based on a graph G is a randomized distribution of a secret among the vertices of the graph so that the secret can be recovered from the information assigned to the endvertices of any edge, while the total information assigned to an independent set of vertices is independent (in statistical sense) of the secret itself.

The (worst case) information ratio of G is the largest lower bound on the amount of information some vertex must remember for each bit of the secret. Using the entropy method, we calculate a lower bound on the information ratio for an infinite class of graphs we consider in this thesis. We also use the generalized vector space construction to construct perfect secret sharing schemes with information ratio 2 for two subclasses of graphs. This upper bound is very close to our lower bound in some circumstances, which means the secret sharing schemes we construct are in fact very good.


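Acknowledgement

For the completion of this thesis, I first want to thank my advisors, Professor Hung-Lin Fu and Associate Professor Hui-Chuan Lu. I thank Professor Fu for providing me, from the very beginning, with reference books that I might need in my later research, for suggesting the general direction of my research, and for introducing Professor Lu to help me complete the thesis. I thank Professor Lu for driving all the way to NCTU every time we needed to discuss my research, for giving me much inspiration and many insights, and, in the final weeks, for offering professional advice and carefully revising every part of my thesis, which made it much more complete.

I would also like to thank my senior labmates 才維瀚, 施智懷, 林逸軒 and 連敏筠, who never hesitated to give suggestions and guidance every time I gave a presentation, and who made time before my oral defense to help me rehearse it so that I could adjust its content. I also thank my classmates 惠閔, 伊婕, 冠儒, 博喻, 凡軒 and 凱帆; I remember how we always discussed homework together until midnight and chatted happily at every get-together. In addition, I thank the badminton team of the NCTU mathematics department for accepting me, a senior from outside, so that I could relax by playing badminton outside my coursework.

Finally, I thank my family, who never forced me to do anything and have always cared for and looked after me, lending a helping hand whenever I needed it, so that I could concentrate on my coursework and research. I express my deepest gratitude here. Thank you all!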

Contents

Abstract (in Chinese)
Abstract (in English)
Acknowledgement
Contents
1 Introduction
  1.1 Basic Notations
  1.2 A Lower Bound on $R(G)$
  1.3 An Upper Bound on $R(G)$
2 Known Results
3 Main Results
  3.1 A Lower Bound on $R(G_{k,n})$
  3.2 A Construction of Perfect Secret Sharing Scheme on $G'_{k,n}$
  3.3 A Construction of Perfect Secret Sharing Scheme on $G''_{k,n}$

Chapter 1

Introduction

A secret sharing scheme is a method for a dealer to distribute secret data among a set of participants so that only qualified subsets are able to recover the data. If, in addition, unqualified subsets have no extra information, i.e. their joint shares are statistically independent of the secret, the scheme is called perfect. The access structure of the scheme is the collection of all qualified subsets. When the access structure is based on a graph, the vertices of the graph are the participants, and if a collection of vertices contains an edge, then it is qualified. The efficiency of a scheme is usually measured by how much information (in bits) a participant must remember in the scheme in the worst case, or on average. The (worst case) information ratio of a graph $G$ is the infimum of the information (in bits) a participant has to remember for each bit of the secret over all possible schemes based on $G$. In some of the literature, the inverse of this number, called the information rate of $G$, is used, by analogy with the coding efficiency on noisy channels.

Determining the information ratio for a simple graph could be very challenging. Despite the difficulty, the ratios were exactly determined for several infinite families of graphs [4, 11, 12, 13]. Interestingly, almost all of these ratios are of the forms $2 - 1/k$ or $3/2$ for some positive integer $k$. In this thesis we investigate the information ratio of another family of graphs. Our lower bound on the information ratio of this family of graphs is also of the form $2 - 1/k$ for some integer $k$.

This thesis is organized as follows. In the remaining sections of this chapter, we introduce our approaches for deriving lower bounds and upper bounds on $R(G)$. In Chapter 2, some important known results are introduced. Our main results are presented in Chapter 3. First, in Section 3.1, we propose an infinite class of graphs $G_{k,n}$, and then use the idea introduced in Section 1.2 to derive a lower bound on their information ratio. Subsequently, the constructions of the secret sharing schemes based on two subclasses of these graphs with information ratio 2 are introduced. The information ratio of our constructions is very close to the lower bound we derive in Section 3.1 for large $n$. A concluding remark will be given in Section 3.4.

1.1 Basic Notations

Let $G$ be a graph. A secret sharing scheme for the access structure based on $G$ is a collection of random variables $\zeta_s$ and $\zeta_v$ for all vertices $v$ in $G$ with a joint distribution, where $\zeta_s$ is the secret and $\zeta_v$ is the share of $v$. We call the secret sharing scheme perfect whenever the following condition is satisfied. If $vu$ is an edge of $G$, then $\zeta_v$ and $\zeta_u$ together determine the value of the secret $\zeta_s$ uniquely; while if $A$ is an independent set in $G$, then the collection $\{\zeta_v : v \in A\}$ and $\zeta_s$ are statistically independent, i.e. the collection $\{\zeta_v : v \in A\}$ provides no information about the secret.

Let $A$ and $B$ be two sets. We use $AB$ in place of $A \cup B$ in this thesis. Using the usual (Shannon) entropy [9], $A$ determines $B$ if and only if the entropy of $A$ and the entropy of $AB$ are the same, while $A$ and $B$ are statistically independent if and only if the entropy of $AB$ is the sum of the entropy of $A$ and the entropy of $B$. Given a discrete random variable $X$ with possible values $\{x_1, x_2, \cdots, x_n\}$ and

$-\sum_{i=1}^{n} p(x_i) \log p(x_i)$ which is roughly the number of independent bits necessary to encode the value of $X$. Applying this notation to secret sharing we see that the size of the share assigned to the participant $v \in G$ is $H(\zeta_v)$, and the size of the secret is $H(\zeta_s)$.

Thus the information ratio of the secret sharing scheme $P = \{\zeta_s, \zeta_v : v \in V(G)\}$ on $G$ is defined as

$$R_P = \frac{\max_{v \in G} H(\zeta_v)}{H(\zeta_s)},$$

and the information ratio of $G$ is defined as

$$R(G) = \inf \{ R_P : P \text{ is a secret sharing scheme on } G \}.$$

1.2 A Lower Bound on $R(G)$

Let the distribution $\{\zeta_v, \zeta_s\}$ be any perfect secret sharing scheme on $G$. Consider the real-valued function $f$ which assigns the value

$$f(A) = \frac{H(\{\zeta_v : v \in A\})}{H(\zeta_s)}$$

to the subset $A$ of vertices. Using standard properties of the entropy function [9, 10, 14], the function $f$ has the following properties.

(a) $f(A) \geq 0$, $f(\phi) = 0$

(b) $f(B) \geq f(A)$, when $A \subseteq B \subseteq V(G)$

(c) $f(A) + f(B) \geq f(A \cup B) + f(A \cap B)$

(d) $f(B) \geq f(A) + 1$, when $A \subseteq B \subseteq V(G)$, $A$ is an independent set and $B$ is not.

(e) $f(A) + f(B) \geq f(A \cup B) + f(A \cap B) + 1$, when $A \cap B$ is an independent set but $A$

Suppose there exists a real number $r$ so that, for any real-valued function $f$ satisfying properties (a) to (e), the inequality $\max_{v \in G} f(v) \geq r$ holds. Then, the information ratio $R(G)$ of $G$ is at least $r$.

1.3 An Upper Bound on $R(G)$

Upper bounds are in general easier to find. One has to construct an appropriate scheme which reaches the given bound. We use some algebraic or geometric structures to build up the desired scheme. The following construction is a general one given in [6].

Let $F$ be a finite-dimensional vector space over a finite field, and the secret and the participants are both (non-trivial) linear subspaces of $F$. Let $L_v$ be the subspace assigned to $v \in G$ and $L_s$ be the subspace assigned to the secret. These subspaces should have the following properties:

(i) If $vu$ is an edge in $G$, then the linear span of $L_v$ and $L_u$ must contain $L_s$.

(ii) If $\{v_1, v_2, ..., v_k\}$ is an independent set of $G$, then the intersection of the linear span of $\{L_{v_1}, L_{v_2}, ..., L_{v_k}\}$ and $L_s$ must be trivial (i.e. the single element subspace $\{0\}$).

The dealer chooses an element from $F$ randomly. The secret, i.e. the value of $\zeta_s$, is the orthogonal projection of this random element on $L_s$. The value of the share $\zeta_v$ of participant $v \in G$ is the orthogonal projection of the dealer's element on $L_v$.

Now, if $vu$ is an edge of $G$, by elementary linear algebra, we know that the secret can be expressed as an appropriate linear combination of the shares. On the other hand, if $\{v_1, v_2, ..., v_k\}$ is an independent set of $G$, then the intersection of the linear

gives no information at all on the value of projection on the other.

Looking at this construction more carefully, the function $f$ defined in Section 1.2 takes the same value as the ratio of the dimensions of the corresponding subspaces, that is,

$$f(A) = \frac{H(\{\zeta_v : v \in A\})}{H(\zeta_s)} = \frac{\dim(\langle L_v : v \in A \rangle)}{\dim(L_s)}.$$

The amount of information (i.e. entropy) in the secret is proportional to the dimension of $L_s$, and the information $v$ gets is proportional to the dimension of $L_v$.

Hence, the ratio of this construction $P$ is

$$R_P = \frac{\max_{v \in G} \dim(L_v)}{\dim(L_s)}.$$

Therefore, we have

$$R(G) \leq \frac{\max_{v \in G} \dim(L_v)}{\dim(L_s)}.$$

Chapter 2

Known Results

In this chapter, we introduce several lemmas and known results.

Theorem 2.1. ([2]) Suppose that $G$ is a connected graph, then $R(G) = 1$ if and only if $G$ is a complete multipartite graph.

Lemma 2.2. ([3]) Suppose that $u$ and $v$ are two vertices of a graph $G$ who have the same neighbors, then $R(G) = R(G - v)$.

Theorem 2.3. ([1]) Let $G$ be a graph with $V(G) = \{v_i \mid i = 1, 2, ..., 4\}$. If $v_1v_2, v_2v_3, v_3v_4 \in E(G)$ and $v_1v_4, v_1v_3 \notin E(G)$, then $R(G) \geq 3/2$.

van Dijk also used this approach to characterize graphs of order six whose information ratio is not less than $5/3$.

Theorem 2.4. ([12]) Let $G$ be a graph with $V(G) = \{v_i \mid i = 1, 2, ..., 6\}$. If $G$ satisfies both

(i) $v_1v_2, v_3v_4, v_5v_6 \in E(G)$ and

(ii) $v_1v_5, v_1v_6, v_2v_5, v_2v_6, v_3v_5, v_3v_6 \notin E(G)$

and at least one of the following conditions.

• $v_2v_4, v_4v_6 \in E(G)$

• $v_2v_3, v_3v_4 \in E(G)$

• $v_2v_3, v_2v_4 \in E(G)$ or

• $v_3v_4, v_2v_4 \in E(G)$

Then $R(G) \geq 5/3$.

Lemma 2.5. ([1]) If $G'$ is an induced subgraph of a graph $G$, then $R(G) \geq R(G')$.

Theorem 2.6. ([1]) Suppose that $G$ is a connected graph which is not complete multipartite, then $R(G) \geq 3/2$.

Theorem 2.7. ([11]) Let $C_n$ and $P_n$ be the cycle and the path of length $n$, respectively. Then $R(C_n) = 3/2$ for $n \geq 5$, and $R(P_n) = 3/2$ for $n \geq 3$.

Theorem 2.8. ([5]) Let $G_i \subseteq G$ be arbitrary (finite or infinite) subgraphs of $G$, and assume that each edge of $G$ is in at least $k$ of the subgraphs. For a vertex $v \in G$ define $r_i(v) = 0$ if $v \notin G$, and $r_i(v) = R(G_i)$, i.e. the information ratio of $G_i$ otherwise. Then

$$R(G) \leq \sup_{v \in G} \frac{\sum r_i(v)}{k}.$$

Corollary 2.9. ([5]) If the maximal degree of $G$ is $d$, then $R(G) \leq (d + 1)/2$.

The following lemma will be frequently used in Section 3.1.

Lemma 2.10. ([6]) Let $X$ be a subset of an independent set $W$, $w \in W - X$, $a, b \in V$, where $V$ is the vertex set of a complete graph with $n$ vertices, so that $a$ is not connected to any vertex in $X \cup \{w\}$, while $b$ is connected to $w$. Then

A subset $V_0$ of $V(G)$ is called connected if it induces a connected subgraph of $G$. Csirmaz and Tardos [8] defined a core $V_0$ of a graph $G$ as a connected subset $V_0$ of $G$ satisfying the following two conditions:

(i) each $v \in V_0$ has a neighbor $\bar{v}$ outside $V_0$ and is not adjacent to any other vertices in $V_0$, and

(ii) $\{\bar{v} \mid v \in V_0\}$ is an independent set in $G$.

They had an important breakthrough on the study of the information ratio of graphs in 2007.

Theorem 2.11. ([8]) Let $c(T)$ be the maximum size of a core in the tree $T$, then

$$R(T) = 2 - \frac{1}{c(T)}.$$

In 2009, Csirmaz and Ligeti [7] proved the following result which is so far the best on the information ratio of graphs.

Theorem 2.12. ([7]) Let $d$ be the maximum degree of $G$ and $G$ satisfy the following properties:

(i) every vertex has at most one neighbor of degree one;

(ii) vertices of degree at least three are not connected by an edge, and

(iii) the girth of $G$ is at least six.

Then we have

$$R(G) = 2 - \frac{1}{d}.$$

Chapter 3

Main Results

Throughout this chapter we let $G_{k,n}$ be the graph with vertex set $V(G_{k,n}) = \{v_{i,j} \mid i = 1, 2, ..., k,\ j = 1, 2, ..., n\} \cup \{w_1, w_2, ..., w_n\}$ and satisfying the following conditions.

(1) $v_{i,j}v_{i,m}$ is an edge of $G_{k,n}$ for each $i \in \{1, 2, ..., k\}$ and $j \in \{1, 2, ..., n\}$;

(2) $w_j$ is only connected to $v_{i,j}$ for each $i$ and $j$.

Let us denote the set of vertices $\{v_{i1}, v_{i2}, ..., v_{in}\}$ as $V_i$ for each $i \in \{1, 2, ..., k\}$ and $\{w_1, w_2, ..., w_n\}$ as $W$. Then the subgraph induced by $V_i$ is a complete graph and $W$ is an independent set in $G_{k,n}$. For clarity, we show the structure of $G_{3,4}$ in Figure 3.1.

Note that in such a graph $G_{k,n}$, there may be some edges between $V_i$'s. No matter whether $G_{k,n}$ contains such edges or not, the derivation of the lower bound in Section 3.1 works. In addition, we use $G'_{k,n}$ to denote the graph $G_{k,n}$ which contains all edges of the form $v_{i,j}v_{\ell,m}$ for all $i, \ell \in \{1, 2, ..., k\}$ and $j, m \in \{1, 2, ..., n\}$. The $G_{k,n}$ which contains no edges between different $V_i$'s is written as $G''_{k,n}$. We shall introduce the constructions of perfect secret sharing schemes for graphs $G'_{k,n}$ and $G''_{k,n}$ in Section 3.2 and Section 3.3 respectively.

Figure 3.1: $G_{3,4}$

3.1 A Lower Bound on $R(G_{k,n})$

Let $f$ be the real-valued function defined in Section 1.2 which assigns non-negative values to subsets of vertices so that $f$ satisfies properties (a)-(e) listed there. Our goal is to give the best possible lower estimate for $\max_{v \in V(G)} f(v)$. We will use Lemma 2.10 to prove that the information ratio of the graph $G_{k,n}$ is not less than $2 - 2^{-n+1}$.

As it is customary, we leave out the $\{\}$ and $\cup$ signs in the following discussion. For example, we write $vX$ for the set $\{v\} \cup X$.

Theorem 3.1. $R(G_{k,n}) \geq 2 - 2^{-n+1}$.

Proof. For every $i \in \{1, 2, ..., k\}$ and $j \in \{1, 2, ..., n\}$, using Lemma 2.10 with $X = \{\phi\}$, $a = v_{i,j}$, $b = v_{i1}$, $w = w_1$, we get

$$f(v_{i2}) + f(v_{i1}) \geq f(v_{i2}w_1) - f(w_1) + 2$$

and

Adding up these inequalities, we have

$$f(v_{i,j}) + f(v_{i2}) + 2f(v_{i1}) \geq f(v_{i,j}w_1) - f(w_1) + f(v_{i2}w_1) - f(w_1) + 2 + 2,$$

where $3 \leq j \leq n$.

Applying Lemma 2.7 to the right hand side of the inequality leads to

$$f(v_{i3}) + f(v_{i2}) + 2f(v_{i1}) \geq f(v_{i3}w_2w_1) - f(w_2w_1) + 2 + 2 \cdot 2$$

and

$$f(v_{i,j}) + f(v_{i2}) + 2f(v_{i1}) \geq f(v_{i,j}w_2w_1) - f(w_2w_1) + 2 + 2 \cdot 2,$$

where $4 \leq j \leq n$.

Adding up these inequalities and using Lemma 2.7 again, we get

$$f(v_{i4}) + f(v_{i3}) + 2f(v_{i2}) + 4f(v_{i1}) \geq f(v_{i4}w_3w_2w_1) - f(w_3w_2w_1) + 2 + 2 \cdot 2 + 2 \cdot 2^2$$

and

$$f(v_{i,j}) + f(v_{i3}) + 2f(v_{i2}) + 4f(v_{i1}) \geq f(v_{i,j}w_3w_2w_1) - f(w_3w_2w_1) + 2 + 2 \cdot 2 + 2 \cdot 2^2,$$

where $5 \leq j \leq n$.

Continuing this process, we eventually arrive at the following inequality.

$$f(v_{in}) + f(v_{i(n-1)}) + 2f(v_{i(n-2)}) + 2^2 f(v_{i(n-3)}) + \cdots + 2^{n-3} f(v_{i2}) + 2^{n-2} f(v_{i1})$$

$$\geq f(v_{in}w_{n-1} \cdots w_2w_1) - f(w_{n-1} \cdots w_2w_1) + 2 + 2 \cdot 2 + \cdots + 2 \cdot 2^{n-2}$$

$$\geq f(v_{in}w_{n-1} \cdots w_2w_1) - f(w_{n-1} \cdots w_2w_1) + 2(2^{n-1} - 1).$$

Let $S = \{w_{n-1} \cdots w_2w_1\}$. Conditions (c) and (d) imply that

$$f(v_{in}S) + f(w_nS) \geq f(v_{in}w_nS) + f(S)$$

and

Adding these up and transposing $f(S)$ we have $f(v_{in}S) - f(S) \geq 1$. Hence,

$$f(v_{in}w_{n-1} \cdots w_2w_1) - f(w_{n-1} \cdots w_2w_1) + 2(2^{n-1} - 1) \geq 1 + 2(2^{n-1} - 1) = 2^n - 1.$$

Consequently,

$$f(v_{in}) + f(v_{i(n-1)}) + 2f(v_{i(n-2)}) + \cdots + 2^{n-2} f(v_{i1}) \geq 2^n - 1.$$

Observe that the inequality remains true after shifting vertices in $V_i$, that is

$$f(v_{in}) + f(v_{i(n-1)}) + 2f(v_{i(n-2)}) + \cdots + 2^{n-3} f(v_{i2}) + 2^{n-2} f(v_{i1}) \geq 2^n - 1,$$

$$f(v_{i(n-1)}) + f(v_{i(n-2)}) + 2f(v_{i(n-3)}) + \cdots + 2^{n-3} f(v_{i1}) + 2^{n-2} f(v_{in}) \geq 2^n - 1,$$

$$\vdots$$

$$f(v_{i1}) + f(v_{in}) + 2f(v_{i(n-1)}) + \cdots + 2^{n-3} f(v_{i3}) + 2^{n-2} f(v_{i2}) \geq 2^n - 1.$$

Adding them up, each $f(v_{i,j})$ will have coefficient $1 + 1 + 2 + 4 + \cdots + 2^{n-2} = 2^{n-1}$, hence the sum is

$$2^{n-1}[f(v_{i1}) + f(v_{i2}) + \cdots + f(v_{in})] \geq n(2^n - 1),$$

for all $i = 1, 2, ..., k$. Therefore,

$$2^{n-1} \sum_{i=1}^{k} \sum_{j=1}^{n} f(v_{i,j}) \geq nk(2^n - 1).$$

There must exist a vertex whose value is not less than $(2^n - 1)/2^{n-1} = 2 - 2^{-n+1}$.

3.2 A Construction of Perfect Secret Sharing Scheme on $G'_{k,n}$

In this section we introduce our construction of perfect secret sharing scheme on $G'_{k,n}$ whose information ratio is equal to 2.

Our constructions follow the idea outlined in Section 1.3. In order to construct a perfect secret sharing scheme with ratio $\max_{v \in G} \dim(L_v)/\dim(L_s)$, we start with a high-dimensional vector space $F$, and assign linear subspaces to the vertices and the secret so that

• if $vu$ is an edge of the graph, then the linear span of the subspaces $L_v$ and $L_u$ contains the subspace $L_s$ which is assigned to the secret, and

• if $\{v_1, v_2, ..., v_k\}$ is an independent set, then $\mathrm{Span}(\{L_{v_1}, L_{v_2}, ..., L_{v_k}\}) \cap L_s = \{0\}$.

In our construction, $F$ is a $d(kn + 1)$-dimensional vector space and subspaces will be given as the linear span of certain vectors. We split these coordinates into $kn + 1$ groups of $d$ coordinates each. Now, we need some more definitions and notation to help us describe our construction. If $x$ and $y$ are two $\ell$-dimensional vectors, then $x^k$ is defined as the $k\ell$-dimensional vector obtained by repeating the coordinates of $x$ $k$ times. The vector $x \oplus y$ is the $2\ell$-dimensional vector obtained by concatenating vector $y$ after $x$. For example, if $x = (010)$ and $y = (101)$, then $x^3 = (010010010)$ and $y \oplus x^2 = (101010010)$.

Construction 3.2. Let $\lambda_1, \lambda_2, ..., \lambda_{km}$ be $km$ distinct integers, and let $\lambda_x - \lambda_y$ be denoted as $\lambda_{x,y}$.

The subspace $L_s$ assigned to the secret is spanned by the following $d$ vectors:

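The subspace $L_{w_j}$ assigned to $w_j$ is spanned by the following $d$ vectors:

$$(0 \cdots 0)^{k(j-1)} \oplus (100 \cdots 0)^{k} \oplus (0 \cdots 0)^{k(n-j)+1},$$

$$(0 \cdots 0)^{k(j-1)} \oplus (010 \cdots 0)^{k} \oplus (0 \cdots 0)^{k(n-j)+1},$$

$$\vdots$$

$$(0 \cdots 0)^{k(j-1)} \oplus (00 \cdots 01)^{k} \oplus (0 \cdots 0)^{k(n-j)+1}.$$

Furthermore, the subspace $L_{v_{i,j}}$ assigned to $v_{i,j}$ is spanned by the following $2d$ vectors:

$$(100 \cdots 0)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (100 \cdots 0)^{k(n-j)+1},$$

$$(010 \cdots 0)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (010 \cdots 0)^{k(n-j)+1},$$

$$\vdots$$

$$(00 \cdots 01)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (00 \cdots 01)^{k(n-j)+1},$$

$$\left[ \bigoplus_{m=1}^{kn} (\lambda_{k(j-1)+i,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0),$$

$$\left[ \bigoplus_{m=1}^{kn} (0\, \lambda_{k(j-1)+i,m}\, 0 \cdots 0) \right] \oplus (0\, \lambda_{k(j-1)+i}\, 0 \cdots 0),$$

$$\vdots$$

$$\left[ \bigoplus_{m=1}^{kn} (0\, 0 \cdots 0\, \lambda_{k(j-1)+i,m}) \right] \oplus (0\, 0 \cdots 0\, \lambda_{k(j-1)+i}).$$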

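Figure 3.2 shows the graph $G'_{2,2}$ and we give our construction of secret sharing scheme on it in Example 3.3.

Figure 3.2: $G'_{2,2}$

Example 3.3.

$L_s = \mathrm{Span}\{(100100100100100),\ (010010010010010),\ (001001001001001)\}$

$L_{w_2} = \mathrm{Span}\{(000000100100000),\ (000000010010000),\ (000000001001000)\}$

$L_{v_{1,1}} = \mathrm{Span}\{(000000100100100),\ (000000010010010),\ (000000001001001),$
$(\lambda_{1,1},0,0,\lambda_{1,2},0,0,\lambda_{1,3},0,0,\lambda_{1,4},0,0,\lambda_1,0,0),$
$(0,\lambda_{1,1},0,0,\lambda_{1,2},0,0,\lambda_{1,3},0,0,\lambda_{1,4},0,0,\lambda_1,0),$
$(0,0,\lambda_{1,1},0,0,\lambda_{1,2},0,0,\lambda_{1,3},0,0,\lambda_{1,4},0,0,\lambda_1)\}$

$L_{v_{2,1}} = \mathrm{Span}\{(000000100100100),\ (000000010010010),\ (000000001001001),$
$(\lambda_{2,1},0,0,\lambda_{2,2},0,0,\lambda_{2,3},0,0,\lambda_{2,4},0,0,\lambda_2,0,0),$
$(0,\lambda_{2,1},0,0,\lambda_{2,2},0,0,\lambda_{2,3},0,0,\lambda_{2,4},0,0,\lambda_2,0),$
$(0,0,\lambda_{2,1},0,0,\lambda_{2,2},0,0,\lambda_{2,3},0,0,\lambda_{2,4},0,0,\lambda_2)\}$

$L_{v_{1,2}} = \mathrm{Span}\{(100100000000100),\ (010010000000010),\ (001001000000001),$
$(\lambda_{3,1},0,0,\lambda_{3,2},0,0,\lambda_{3,3},0,0,\lambda_{3,4},0,0,\lambda_3,0,0),$
$(0,\lambda_{3,1},0,0,\lambda_{3,2},0,0,\lambda_{3,3},0,0,\lambda_{3,4},0,0,\lambda_3,0),$
$(0,0,\lambda_{3,1},0,0,\lambda_{3,2},0,0,\lambda_{3,3},0,0,\lambda_{3,4},0,0,\lambda_3)\}$

$L_{v_{2,2}} = \mathrm{Span}\{(100100000000100),\ (010010000000010),\ (001001000000001),$
$(\lambda_{4,1},0,0,\lambda_{4,2},0,0,\lambda_{4,3},0,0,\lambda_{4,4},0,0,\lambda_4,0,0),$
$(0,\lambda_{4,1},0,0,\lambda_{4,2},0,0,\lambda_{4,3},0,0,\lambda_{4,4},0,0,\lambda_4,0),$
$(0,0,\lambda_{4,1},0,0,\lambda_{4,2},0,0,\lambda_{4,3},0,0,\lambda_{4,4},0,0,\lambda_4)\}$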
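The subspaces of Example 3.3 can be checked mechanically against properties (i) and (ii) of Section 1.3. The Python code below is an added example, not part of the thesis: it builds Construction 3.2 for $G'_{k,n}$ and tests both properties with rank computations. The field GF(101), the sample values $\lambda = 1, 2, 3, 4$ and all function names are assumptions made for the illustration, and the code takes $kn$ values of $\lambda$, one per vertex $v_{i,j}$, as Example 3.3 does.

```python
from itertools import combinations

P = 101  # assumed prime field GF(101); the thesis only requires "a finite field"

def rank(rows, p=P):
    """Rank over GF(p) of a list of equal-length integer vectors."""
    m = [[x % p for x in r] for r in rows]
    rk = 0
    for col in range(len(m[0]) if m else 0):
        piv = next((i for i in range(rk, len(m)) if m[i][col]), None)
        if piv is None:
            continue
        m[rk], m[piv] = m[piv], m[rk]
        inv = pow(m[rk][col], -1, p)
        m[rk] = [x * inv % p for x in m[rk]]
        for i in range(len(m)):
            if i != rk and m[i][col]:
                f = m[i][col]
                m[i] = [(x - f * y) % p for x, y in zip(m[i], m[rk])]
        rk += 1
    return rk

def cat(blocks):
    """The direct sum of the thesis: concatenate d-coordinate groups."""
    return [x for b in blocks for x in b]

def construction_3_2(k, n, d, lam):
    """Spanning vectors of L_s and of every L_{w_j}, L_{v_{i,j}}."""
    def unit(l):
        return [int(t == l) for t in range(d)]
    zero = [0] * d
    Ls = [cat([unit(l)] * (k * n + 1)) for l in range(d)]
    L = {}
    for j in range(1, n + 1):
        before, after = k * (j - 1), k * (n - j) + 1
        L["w", j] = [cat([zero] * before + [unit(l)] * k + [zero] * after)
                     for l in range(d)]
        for i in range(1, k + 1):
            c = k * (j - 1) + i  # index of the lambda used by v_{i,j}
            plain = [cat([unit(l)] * before + [zero] * k + [unit(l)] * after)
                     for l in range(d)]
            # group m carries lambda_{c,m} = lambda_c - lambda_m, last group lambda_c
            scaled = [cat([[(lam[c - 1] - lam[m]) * x for x in unit(l)]
                           for m in range(k * n)]
                          + [[lam[c - 1] * x for x in unit(l)]])
                      for l in range(d)]
            L["v", i, j] = plain + scaled
    return Ls, L

def edges_g_prime(k, n):
    """Edge set of G'_{k,n}: every pair of v-vertices, plus v_{i,j} w_j."""
    vs = [("v", i, j) for j in range(1, n + 1) for i in range(1, k + 1)]
    edges = {frozenset(e) for e in combinations(vs, 2)}
    edges |= {frozenset([v, ("w", v[2])]) for v in vs}
    return edges

def verify(k, n, d, lam, p=P):
    """Return (edge_ok, indep_ok, ratio) for Construction 3.2 on G'_{k,n}."""
    Ls, L = construction_3_2(k, n, d, lam)
    edges = edges_g_prime(k, n)
    # (i) span(L_u, L_v) contains L_s: adding L_s must not raise the rank.
    edge_ok = all(rank(L[u] + L[v] + Ls, p) == rank(L[u] + L[v], p)
                  for u, v in map(tuple, edges))
    # (ii) the span of an independent set meets L_s only in {0}: ranks add up.
    indep_ok = True
    for size in range(1, len(L) + 1):
        for A in combinations(L, size):
            if any(frozenset(e) in edges for e in combinations(A, 2)):
                continue  # A contains an edge, so it is a qualified set
            span = [vec for v in A for vec in L[v]]
            if rank(span + Ls, p) != rank(span, p) + rank(Ls, p):
                indep_ok = False
    ratio = max(rank(vecs, p) for vecs in L.values()) / rank(Ls, p)
    return edge_ok, indep_ok, ratio

if __name__ == "__main__":
    # Parameters of Example 3.3 (k = n = 2, d = 3); lambda values are constructed.
    print(verify(2, 2, 3, [1, 2, 3, 4]))
    # A repeated lambda breaks property (i) for the edge v_{1,1} v_{2,1}.
    print(verify(2, 2, 3, [1, 1, 3, 4]))
```

The second call shows why the $\lambda$ values must be distinct: with $\lambda_1 = \lambda_2$ the subspaces of $v_{1,1}$ and $v_{2,1}$ coincide and their span no longer contains $L_s$.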

Theorem 3.4. Construction 3.2 defines a perfect secret sharing scheme on $G'_{k,n}$ with information ratio 2.

Proof. To show that Construction 3.2 is a perfect secret sharing scheme on $G'_{k,n}$, we need to check the following conditions.

1. the span of $L_{w_1}, L_{w_2}, ..., L_{w_n}$ must intersect $L_s$ trivially,

2. the span of $L_{v_{i,j}}$ and $L_{w_j}$ must contain $L_s$,

3. the span of $L_{v_{i,j}}$ and $\{L_{w_m} : m \neq j\}$ intersects $L_s$ in the trivial space $\{0\}$, and

4. the span of two different $L_{v_{i,j}}$ and $L_{v_{m,n}}$ should contain $L_s$.

Since the linear span of all subspaces $L_{w_j}$'s contains those vectors where all coordinates in the $(kn + 1)$-th group are zero and any non-trivial linear combination of $L_s$ has non-zero coordinates in each group, we have

$$\mathrm{Span}\{L_{w_1}, L_{w_2}, ..., L_{w_n}\} \cap L_s = \{0\}.$$

The first requirement for the independent set $W$ is satisfied.

To verify the second condition, for each $\ell \in \{1, 2, ..., d\}$, the sum of the $\ell$-th generating vector of $L_{v_{i,j}}$ and $L_{w_j}$ gives the $\ell$-th generating element of $L_s$. For example, when $\ell = 1$,

$$\left( (10 \cdots 0)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (10 \cdots 0)^{k(n-j)+1} \right) + \left( (00 \cdots 0)^{k(j-1)} \oplus (10 \cdots 0)^{k} \oplus (00 \cdots 0)^{k(n-j)+1} \right) = (1000 \cdots 0)^{kn+1}.$$

This implies that the linear span of $L_{v_{i,j}}$ and $L_{w_j}$ contains $L_s$ as required.

Observe that the first $d$ generating vectors in $L_{v_{i,j}}$ have all 0 in the $(k(j-1)+1)$-th to the $(kj)$-th groups, and the other $d$ generating vectors in $L_{v_{i,j}}$ have all 0 in the $(k(j-1)+i)$-th group. Hence the linear span of $L_{v_{i,j}}$ and all other $L_{w_m}$'s with $j \neq m$ has all zero coordinates in this group and therefore contains only the zero element from $L_s$.

In order to have the last condition satisfied, subtracting the $(d+1)$-th generating vector of $L_{v_{s,r}}$ from the $(d+1)$-th generating vector of $L_{v_{i,j}}$ with $(i, j) \neq (s, r)$ gives

$$\left[ \bigoplus_{m=1}^{kn} (\lambda_{k(j-1)+i,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0) - \left[ \bigoplus_{m=1}^{kn} (\lambda_{k(r-1)+s,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(r-1)+s}\, 0\, 0 \cdots 0)$$

$$= (\lambda_{k(j-1)+i,k(r-1)+s}\, 0\, 0 \cdots 0)^{kn+1} = \lambda_{k(j-1)+i,k(r-1)+s} (100 \cdots 0)^{kn+1}.$$

The linear span of this vector contains the first generating vector of $L_s$. Since each generating vector of $L_s$ can be obtained in the same way, the last condition holds as well.

With $\dim(L_s) = d$, $\dim(L_{w_j}) = d$ and $\dim(L_{v_{i,j}}) = 2d$, we also know that the perfect secret sharing scheme we have constructed has information ratio 2. □

By Theorem 3.1 and Theorem 3.4 we have the following corollary.

Corollary 3.5.


3.3 A Construction of Perfect Secret Sharing Scheme on $G''_{k,n}$

Recall that in the graph $G''_{k,n}$ defined at the beginning of this chapter, there is no edge between the vertices from different $V_i$'s.

Construction 3.6. Let $\lambda_1, \lambda_2, ..., \lambda_{km}$ be $km$ distinct integers. For convenience, let $\lambda_x - \lambda_y$ be denoted by $\lambda_{x,y}$ and

$$a_{i,j,m} = \begin{cases} \lambda_{k(j-1)+i}, & \text{where } m = k(t-1)+i \text{ for } t = 1 \cdots n \\ \lambda_{k(j-1)+i,m}, & \text{otherwise.} \end{cases}$$

Assign to $L_s$ the subspace spanned by the following $d$ vectors:

$$(1000 \cdots 0)^{kn+1},\ (0100 \cdots 0)^{kn+1},\ (0010 \cdots 0)^{kn+1},\ ...,\ (000 \cdots 01)^{kn+1}.$$

Assign to $L_{w_j}$ the subspace spanned by the following $d$ vectors:

$$(0 \cdots 0)^{k(j-1)} \oplus (100 \cdots 0)^{k} \oplus (0 \cdots 0)^{k(n-j)+1},$$

$$(0 \cdots 0)^{k(j-1)} \oplus (010 \cdots 0)^{k} \oplus (0 \cdots 0)^{k(n-j)+1},$$

$$\vdots$$

$$(0 \cdots 0)^{k(j-1)} \oplus (00 \cdots 01)^{k} \oplus (0 \cdots 0)^{k(n-j)+1}.$$

In addition, $L_{v_{i,j}}$ is assigned the subspace spanned by the following $2d$ vectors:

$$(100 \cdots 0)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (100 \cdots 0)^{k(n-j)+1},$$

$$(010 \cdots 0)^{k(j-1)} \oplus (00 \cdots 0)^{k} \oplus (010 \cdots 0)^{k(n-j)+1},$$

$$\vdots$$

$$\left[ \bigoplus_{m=1}^{kn} (a_{i,j,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0),$$

$$\left[ \bigoplus_{m=1}^{kn} (0\, a_{i,j,m}\, 0 \cdots 0) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0),$$

$$\vdots$$

$$\left[ \bigoplus_{m=1}^{kn} (0\, 0 \cdots 0\, a_{i,j,m}) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0).$$

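Figure 3.3 shows the graph $G''_{2,2}$ and we give our construction of secret sharing scheme on it in Example 3.7.

Figure 3.3: $G''_{2,2}$

Example 3.7.

$L_s = \mathrm{Span}\{(100100100100100),\ (010010010010010),\ (001001001001001)\}$

$L_{w_1} = \mathrm{Span}\{(100100000000000),\ (010010000000000),\ (000000000000000)\}$

$L_{w_2} = \mathrm{Span}\{(000000100100000),\ (000000010010000),\ (000000001001000)\}$

$L_{v_{1,1}} = \mathrm{Span}\{(000000100100100),\ (000000010010010),\ (000000001001001),$
$(a_{1,1,1},0,0,a_{1,1,2},0,0,a_{1,1,3},0,0,a_{1,1,4},0,0,\lambda_1,0,0),$
$(0,a_{1,1,1},0,0,a_{1,1,2},0,0,a_{1,1,3},0,0,a_{1,1,4},0,0,\lambda_1,0),$
$(0,0,a_{1,1,1},0,0,a_{1,1,2},0,0,a_{1,1,3},0,0,a_{1,1,4},0,0,\lambda_1)\}$

$L_{v_{2,1}} = \mathrm{Span}\{(000000100100100),\ (000000010010010),\ (000000001001001),$
$(a_{2,1,1},0,0,a_{2,1,2},0,0,a_{2,1,3},0,0,a_{2,1,4},0,0,\lambda_2,0,0),$
$(0,a_{2,1,1},0,0,a_{2,1,2},0,0,a_{2,1,3},0,0,a_{2,1,4},0,0,\lambda_2,0),$
$(0,0,a_{2,1,1},0,0,a_{2,1,2},0,0,a_{2,1,3},0,0,a_{2,1,4},0,0,\lambda_2)\}$

$L_{v_{1,2}} = \mathrm{Span}\{(100100000000100),\ (010010000000010),\ (001001000000001),$
$(a_{1,2,1},0,0,a_{1,2,2},0,0,a_{1,2,3},0,0,a_{1,2,4},0,0,\lambda_3,0,0),$
$(0,a_{1,2,1},0,0,a_{1,2,2},0,0,a_{1,2,3},0,0,a_{1,2,4},0,0,\lambda_3,0),$
$(0,0,a_{1,2,1},0,0,a_{1,2,2},0,0,a_{1,2,3},0,0,a_{1,2,4},0,0,\lambda_3)\}$

$L_{v_{2,2}} = \mathrm{Span}\{(100100000000100),\ (010010000000010),\ (001001000000001),$
$(a_{2,2,1},0,0,a_{2,2,2},0,0,a_{2,2,3},0,0,a_{2,2,4},0,0,\lambda_4,0,0),$
$(0,a_{2,2,1},0,0,a_{2,2,2},0,0,a_{2,2,3},0,0,a_{2,2,4},0,0,\lambda_4,0),$
$(0,0,a_{2,2,1},0,0,a_{2,2,2},0,0,a_{2,2,3},0,0,a_{2,2,4},0,0,\lambda_4)\}$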

Theorem 3.8. Construction 3.6 defines a perfect secret sharing scheme on $G''_{k,n}$ with information ratio 2.

Proof. To show that Construction 3.6 is a perfect secret sharing scheme on $G''_{k,n}$, we need to check the following conditions.

2. the span of $L_{v_{i,j}}$ and $L_{w_j}$ must contain $L_s$,

3. the span of $L_{v_{i,j}}$ and $\{L_{w_m} : m \neq j\}$ intersects $L_s$ in $\{0\}$,

4. the span of two different $L_v$ and $L_u$, where $v, u \in V_i$, should contain $L_s$, and

5. the span of two different $L_v$ and $L_u$, where $v \in V_i$ and $u \in V_j$ with $i \neq j$, should intersect $L_s$ only in the trivial space $\{0\}$.

Note that Construction 3.6 is very similar to Construction 3.2; the only difference lies in the last $d$ generating vectors of each $L_{v_{i,j}}$ for $1 \leq i \leq k$ and $1 \leq j \leq n$. Hence the first, second, and third conditions hold by the proof of Theorem 3.4. To verify that the fourth condition holds as well, we observe that

$$\left( \left[ \bigoplus_{m=1}^{kn} (a_{i,j,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(j-1)+i}\, 0\, 0 \cdots 0) \right) - \left( \left[ \bigoplus_{m=1}^{kn} (a_{i,r,m}\, 0\, 0 \cdots 0) \right] \oplus (\lambda_{k(r-1)+i}\, 0\, 0 \cdots 0) \right)$$

$$= (\lambda_{k(j-1)+i,k(r-1)+i}\, 0\, 0 \cdots 0)^{kn+1} = (\lambda_{k(j-1)+i,k(r-1)+i}) (100 \cdots 0)^{kn+1}.$$

The first generating vector of $L_s$ can be obtained from the $(d+1)$-th generating vectors of $L_{v_{i,j}}$ and $L_{v_{i,r}}$ with $j \neq r$. The linear span of $L_{v_{i,j}}$ and $L_{v_{i,r}}$ contains the generating vectors of $L_s$, hence the fourth condition is also satisfied. To check the fifth condition, one can easily verify that any generating vector of $L_s$ cannot be generated by the vectors in any two different vector subspaces $L_{v_{i,j}}$ and $L_{v_{s,r}}$ with $s \neq i$.

In this construction, $L_{v_{i,j}}$ is generated by $2d$ linearly independent vectors, $L_{w_j}$ and $L_s$ are both generated by $d$ linearly independent vectors, thus $\dim(L_{v_{i,j}}) = 2d$ and $\dim(L_{w_j}) = \dim(L_s) = d$. This shows that the information ratio of Construction 3.6 is also 2.

By Theorem 3.1 and Theorem 3.8 we have the following corollary.

Corollary 3.9. $2 - 2^{-n+1} \leq R(G''_{k,n}) \leq 2$.

3.4 Concluding Remark

The lower bounds on the information ratio in Corollary 3.5 and Corollary 3.9 are very close to the upper bound when $n$ is sufficiently large. Hence Construction 3.2 and Construction 3.6 perform well for large $n$. However, we are not sure whether there exists a secret sharing scheme for any member of the family $G_{k,n}$ whose information ratio is strictly less than 2. For those members of $G_{k,n}$ which contain some, but not all, edges between different $V_i$'s, finding a general construction of $L_{v_{i,j}}$ is very difficult. However, if this kind of member has a symmetric structure, this job can be done by making modifications to the constructions we have given in Section 3.2 and Section 3.3.

Bibliography

[1] C. Blundo, A. De Santis, D. R. Stinson and U. Vaccaro, Graph decompositions and secret sharing schemes, J. Cryptology, 8 (1995), pp. 39-64.

[2] E. F. Brickell and D. M. Davenport, On the classification of ideal secret sharing schemes, J. Cryptology, 4 (1991), pp. 123-134.

[3] E. F. Brickell and D. R. Stinson, Some improved bounds on the information rate of perfect secret sharing schemes, J. Cryptology, 5 (1992), pp. 153-166.

[4] L. Csirmaz, Secret sharing on infinite graphs, Studia Mathematica Hungarica, 44 (2007), pp. 297-306. Available as IACR preprint http://eprint.iacr.org/2005/059.

[5] L. Csirmaz, Secret sharing schemes on graphs, Tatra Mt. Math. Publ., 41 (2008), pp. 1-18.

[6] L. Csirmaz, An impossibility result on graph secret sharing, Designs, Codes and Cryptography, 53 (2009), pp. 195-209.

[7] L. Csirmaz and P. Ligeti, On an infinite families of graphs with information ratio 2 − 1/k, Computing, 85 (2009), pp. 127-136.

[8] L. Csirmaz and G. Tardos, Exact bounds on tree based secret sharing schemes, Tatracrypt 2007, Slovakia.

[9] I. Csiszár and J. Körner, Information Theory. Coding Theorems for Discrete Memoryless Systems, Academic Press, New York, 1981.

[10] F. Matus, Adhesivity of polymatroids, Discrete Mathematics, 307 (2007) 21, pp. 2464-2477.

[11] D. R. Stinson, Decomposition constructions for secret sharing schemes, IEEE Transactions on Information Theory, 40 (1994), pp. 118-125.

[12] M. van Dijk, On the information rate of perfect secret sharing schemes, Designs, Codes and Cryptography, 6 (1995), pp. 143-169.

[13] M. van Dijk, T. Kevenaar, G. Schrijen and P. Tuyls, Improved constructions of secret sharing schemes by applying (λ,ω)-decompositions, Inf. Process. Lett., 99(4) (2006), pp. 154-157.

[14] Z. Zhang and R. W. Yeung, On characterization of entropy function via information inequalities, IEEE Trans. Inform. Theory, 44 (1998), pp. 1440-1452.
