Linear Secret-Sharing Schemes for Forbidden Graph Access Structures

A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G=(V,E) if the parties are the vertices of the graph and the subsets that can reconstruct the secret are the pairs of vertices in E (i.e., the edges) and the subsets of at least three vertices. Secret-sharing schemes for forbidden graph access structures defined by bipartite graphs are equivalent to conditional disclosure of secrets (CDS) protocols. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes, which are schemes in which the secret can be reconstructed from the shares by a linear mapping. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and very dense graphs, closing the gap between upper and lower bounds. Given a sparse (resp. very dense) graph with n vertices and at most n 1+\β edges (resp. at least n 2-n1+\β edges), for some 0 ≤\β < 1, we construct a linear secret-sharing scheme realizing its forbidden graph access structure with total share size O (n1+\β/2). Furthermore, we construct linear secret-sharing schemes realizing these access structures in which the size of each share is O (n1+\β). We also provide constructions achieving different trade-offs between the size of each share and the total share size. We prove that almost all forbidden graph access structures require linear secret-sharing schemes with total share size Ω (n 3/2); this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0 ≤\β < 1 there exist a graph with at most n 1+\β edges and a graph with at least n 2-n1+\β edges such that the total share size in any linear secret-sharing scheme realizing the associated forbidden graph access structures is Ω (n 1+\β). Finally, we show that for every 0 ≤\β < 1 there exist a graph with at most n1+\β edges and a graph with at least n 2-n1+\β edges such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω (n 1+\β). This shows that our constructions are optimal (up to poly-logarithmic factors).