TY - GEN
T1 - Linear secret-sharing schemes for forbidden graph access structures
AU - Beimel, Amos
AU - Farràs, Oriol
AU - Mintz, Yuval
AU - Peter, Naty
N1 - Publisher Copyright:
© 2017, International Association for Cryptologic Research.
PY - 2017/1/1
Y1 - 2017/1/1
N2 - A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G = (V,E) if a pair of vertices can reconstruct the secret if and only if it is an edge in G. Secret-sharing schemes for forbidden graph access structures of bipartite graphs are equivalent to conditional disclosure of secrets protocols, a primitive that is used to construct attributed-based encryption schemes. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes. A secret-sharing scheme is linear if the reconstruction of the secret from the shares is a linear mapping. In many applications of secret-sharing, it is required that the scheme will be linear. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and dense graphs, closing the gap between upper and lower bounds: Given a sparse graph with n vertices and at most n1+β edges, for some 0 ≤ β < 1, we construct a linear secret-sharing scheme realizing its forbidden graph access structure in which the total size of the shares is (formula presented). We provide an additional construction showing that every dense graph with n vertices and at least (formula presented) edges can be realized by a linear secret-sharing scheme with the same total share size. We provide lower bounds on the share size of linear secret-sharing schemes realizing forbidden graph access structures. We prove that for most forbidden graph access structures, the total share size of every linear secret-sharing scheme realizing these access structures is Ω(n3/2), which shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0 ≤ β < 1 there exist a graph with at most n1+β edges and a graph with at least (formula presented) edges, such that the total share size of every linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n1+β/2). This shows that our constructions are optimal (up to poly-logarithmic factors).
AB - A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G = (V,E) if a pair of vertices can reconstruct the secret if and only if it is an edge in G. Secret-sharing schemes for forbidden graph access structures of bipartite graphs are equivalent to conditional disclosure of secrets protocols, a primitive that is used to construct attributed-based encryption schemes. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes. A secret-sharing scheme is linear if the reconstruction of the secret from the shares is a linear mapping. In many applications of secret-sharing, it is required that the scheme will be linear. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and dense graphs, closing the gap between upper and lower bounds: Given a sparse graph with n vertices and at most n1+β edges, for some 0 ≤ β < 1, we construct a linear secret-sharing scheme realizing its forbidden graph access structure in which the total size of the shares is (formula presented). We provide an additional construction showing that every dense graph with n vertices and at least (formula presented) edges can be realized by a linear secret-sharing scheme with the same total share size. We provide lower bounds on the share size of linear secret-sharing schemes realizing forbidden graph access structures. We prove that for most forbidden graph access structures, the total share size of every linear secret-sharing scheme realizing these access structures is Ω(n3/2), which shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0 ≤ β < 1 there exist a graph with at most n1+β edges and a graph with at least (formula presented) edges, such that the total share size of every linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n1+β/2). This shows that our constructions are optimal (up to poly-logarithmic factors).
KW - Conditional disclosure of secrets
KW - Monotone span program
KW - Secret-sharing
KW - Share size
UR - http://www.scopus.com/inward/record.url?scp=85033793491&partnerID=8YFLogxK
U2 - 10.1007/978-3-319-70503-3_13
DO - 10.1007/978-3-319-70503-3_13
M3 - Conference contribution
AN - SCOPUS:85033793491
SN - 9783319705026
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 394
EP - 423
BT - Theory of Cryptography - 15th International Conference, TCC 2017, Proceedings
A2 - Kalai, Yael
A2 - Reyzin, Leonid
PB - Springer Verlag
T2 - 15th International Conference on Theory of Cryptography, TCC 2017
Y2 - 12 November 2017 through 15 November 2017
ER -