Linear Secret-Sharing Schemes for Forbidden Graph Access Structures.

Amos Beimel, Oriol Farràs, Yuval Mintz, Naty Peter

Research output: Contribution to journalArticlepeer-review

Abstract

A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G=(V,E) if the parties are the vertices of the graph and the subsets that can reconstruct the secret are the pairs of vertices in E (i.e., the edges) and the subsets of at least three vertices. Secret-sharing schemes for forbidden graph access structures defined by bipartite graphs are equivalent to conditional disclosure of secrets (CDS) protocols. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes, which are schemes in which the secret can be reconstructed from the shares by a linear mapping. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and very dense graphs, closing the gap between upper and lower bounds. Given a sparse (resp. very dense) graph with n vertices and at most n1+β edges (resp. at least (n2)−n1+β edges), for some 0≤β<1 , we construct a linear secret-sharing scheme realizing its forbidden graph access structure with total share size O~(n1+β/2) . Furthermore, we construct linear secret-sharing schemes realizing these access structures in which the size of each share is O~(n1/4+β/4) . We also provide constructions achieving different trade-offs between the size of each share and the total share size. We prove that almost all forbidden graph access structures require linear secret-sharing schemes with total share size Ω(n3/2) ; this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the total share size in any linear secret-sharing scheme realizing the associated forbidden graph access structures is Ω(n1+β/2) . Finally, we show that for every 0≤β<1 there exist a graph with at most n1+β edges and a graph with at least (n2)−n1+β edges such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n1/4+β/4) . This shows that our constructions are optimal (up to poly-logarithmic factors).
Original languageEnglish
Article number3
Pages (from-to)2083-2100
Number of pages18
JournalIEEE Transactions on Information Theory
Volume68
Issue number3
DOIs
StatePublished - 2022

Fingerprint

Dive into the research topics of 'Linear Secret-Sharing Schemes for Forbidden Graph Access Structures.'. Together they form a unique fingerprint.

Cite this