TY - JOUR

T1 - Linear Secret-Sharing Schemes for Forbidden Graph Access Structures.

AU - Beimel, Amos

AU - Farràs, Oriol

AU - Mintz, Yuval

AU - Peter, Naty

N1 - DBLP License: DBLP's bibliographic metadata records provided through http://dblp.org/ are distributed under a Creative Commons CC0 1.0 Universal Public Domain Dedication. Although the bibliographic metadata records are provided consistent with CC0 1.0 Dedication, the content described by the metadata records is not. Content may be subject to copyright, rights of privacy, rights of publicity and other restrictions.

PY - 2022

Y1 - 2022

N2 - A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G=(V,E) if the parties are the vertices of the graph and the subsets that can reconstruct the secret are the pairs of vertices in E (i.e., the edges) and the subsets of at least three vertices. Secret-sharing schemes for forbidden graph access structures defined by bipartite graphs are equivalent to conditional disclosure of secrets (CDS) protocols. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes, which are schemes in which the secret can be reconstructed from the shares by a linear mapping. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and very dense graphs, closing the gap between upper and lower bounds. Given a sparse (resp. very dense) graph with n vertices and at most n1+β edges (resp. at least (n2)−n1+β edges), for some 0≤β<1 , we construct a linear secret-sharing scheme realizing its forbidden graph access structure with total share size O~(n1+β/2) . Furthermore, we construct linear secret-sharing schemes realizing these access structures in which the size of each share is O~(n1/4+β/4) . We also provide constructions achieving different trade-offs between the size of each share and the total share size. We prove that almost all forbidden graph access structures require linear secret-sharing schemes with total share size Ω(n3/2) ; this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the total share size in any linear secret-sharing scheme realizing the associated forbidden graph access structures is Ω(n1+β/2) . Finally, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n1/4+β/4) . This shows that our constructions are optimal (up to poly-logarithmic factors).

AB - A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G=(V,E) if the parties are the vertices of the graph and the subsets that can reconstruct the secret are the pairs of vertices in E (i.e., the edges) and the subsets of at least three vertices. Secret-sharing schemes for forbidden graph access structures defined by bipartite graphs are equivalent to conditional disclosure of secrets (CDS) protocols. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes, which are schemes in which the secret can be reconstructed from the shares by a linear mapping. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and very dense graphs, closing the gap between upper and lower bounds. Given a sparse (resp. very dense) graph with n vertices and at most n1+β edges (resp. at least (n2)−n1+β edges), for some 0≤β<1 , we construct a linear secret-sharing scheme realizing its forbidden graph access structure with total share size O~(n1+β/2) . Furthermore, we construct linear secret-sharing schemes realizing these access structures in which the size of each share is O~(n1/4+β/4) . We also provide constructions achieving different trade-offs between the size of each share and the total share size. We prove that almost all forbidden graph access structures require linear secret-sharing schemes with total share size Ω(n3/2) ; this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the total share size in any linear secret-sharing scheme realizing the associated forbidden graph access structures is Ω(n1+β/2) . Finally, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n1/4+β/4) . This shows that our constructions are optimal (up to poly-logarithmic factors).

U2 - 10.1109/TIT.2021.3132917

DO - 10.1109/TIT.2021.3132917

M3 - Article

VL - 68

SP - 2083

EP - 2100

JO - IEEE Transactions on Information Theory

JF - IEEE Transactions on Information Theory

SN - 0018-9448

IS - 3

M1 - 3

ER -