on the information rate of secret sharing schemes


Upload: salerno

Post on 25-Feb-2023


On the Information Rate of Secret Sharing Schemes*

Carlo Blundo, Alfredo De Santis, Luisa Gargano, Ugo Vaccaro
Dipartimento di Informatica ed Applicazioni, Università di Salerno, 84081 Baronissi (SA), Italy

* Partially supported by Italian Ministry of University and Research (M.U.R.S.T.) and by National Council for Research (C.N.R.).

Abstract

We derive new limitations on the information rate and the average information rate of secret sharing schemes for access structures represented by graphs. We give the first proof of the existence of access structures with optimal information rate and optimal average information rate less than $1/2 + \varepsilon$, where $\varepsilon$ is an arbitrary positive constant. We also consider the problem of testing if one of these access structures is a sub-structure of an arbitrary access structure and we show that this problem is NP-complete. We provide several general lower bounds on information rate and average information rate of graphs. In particular, we show that any graph with $n$ vertices admits a secret sharing scheme with information rate $((\log n)/n)$.

1 Introduction

A secret sharing scheme is a method to distribute a secret $s$ among a set of participants $\mathcal{P}$ in such a way that only qualified subsets of $\mathcal{P}$ can reconstruct the value of $s$ whereas any other subset of $\mathcal{P}$, non-qualified to know $s$, cannot determine anything about the value of the secret. We briefly recall the results on secret sharing schemes that are more closely related to the topics of this paper.

Shamir [38] and Blakley [3] were the first to consider the problem of secret sharing and gave secret sharing schemes where each subset $A$ of $\mathcal{P}$ of cardinality $|A| \ge k$ can reconstruct the secret, and any subset $A$ of participants of cardinality $|A| < k$ has absolutely no information on the secret. These schemes are known as $(n, k)$ threshold schemes; the value $k$ is the threshold of the scheme and $n$ is the cardinality of $\mathcal{P}$.

Ito, Saito and Nishizeki [27] considered a more general framework and showed how to realize a secret sharing scheme for any access structure. An access structure is a family of all subsets of $\mathcal{P}$ which are qualified to recover the secret. In case of $(n, k)$ threshold schemes the access structure consists of all subsets of $\mathcal{P}$ that have cardinality greater than or equal to $k$. Their technique requires that the cardinality of the set where the shares are taken be very large compared to the cardinality of the set where the secret is chosen. Benaloh and Leichter [2] proposed a technique to realize a secret sharing scheme for any access structure which is more efficient than Ito, Saito and Nishizeki's methodology. Benaloh and Leichter showed that there are access structures in which any secret sharing scheme must give to some participant a share which is taken from a domain strictly larger than that of the secret.

Brickell and Davenport [14] analyzed ideal secret sharing schemes in terms of matroids. An ideal secret sharing scheme is a scheme for which the shares are taken from a set that has the same cardinality of the set where the secret is chosen. In particular, in case the access structure consists of only those subsets of participants containing an edge of a given graph $G$, Brickell and Davenport [14] proved that an ideal secret sharing scheme exists if and only if $G$ is a complete multipartite graph. Equivalently, if we define the information rate of an access structure as the ratio between the size of the secret and that of the largest share given to any participant, Brickell and Davenport's result can be stated saying that a graph has information rate 1 if and only if it is a complete multipartite graph.

The problem of establishing bounds on the size of the shares to be given to participants in secret sharing schemes, or equivalently on the information rate, is one of the basic problems in the area and has received considerable attention by several researchers. The practical relevance of this issue is based on the following observations: Firstly, the security of any system tends to degrade as the amount of information that must be kept secret, i.e., the shares of the participants, increases. Secondly, if the shares given to participants are too long, the memory requirements for the participants will be too severe and, at the same time, the shares distribution algorithms will become inefficient. Therefore, it is important to derive significant upper and lower bounds on the information rate for classes of access structures. Moreover, we point out that the best known schemes to share secrets in general access structures require to generate shares of length exponential in the length of the secret and no access structure is known for which a matching lower bound can be proved. Hence, the problem of closing the gap between the lower bound and the upper bound on the information rate of general access structures is far from being settled.

Brickell and Stinson [16] gave several upper and lower bounds on the information rate of access structures based on graphs.
Stinson in [43] presented new lower bounds on general access structures. Capocelli, De Santis, Gargano, and Vaccaro [17] gave the first example of access structures with information rate bounded away from 1.

Blundo, De Santis, Stinson, and Vaccaro [9] analyzed the information rate and the average information rate of secret sharing schemes based on graphs. The average information rate is the ratio between the secret size and the arithmetic mean of the size of the shares for such schemes. They proved the existence of a gap in the values of information rates for graphs; more precisely, they strengthened the above quoted result of Brickell and Davenport [14], proving that if a graph $G$ with $n$ vertices is not a complete multipartite graph then any secret sharing scheme for it has information rate not greater than $2/3$ and average information rate not greater than $n/(n+1)$. These upper bounds arise by applying an entropy argument due to Capocelli, De Santis, Gargano, and Vaccaro [17].

A discussion of the best bounds known so far and of our improvements is presented in the technical sections of the paper.

The recent survey by Stinson [42] contains a unified description of recent results in the area of secret sharing schemes. For different approaches to the study of secret sharing schemes, for schemes with "extended capabilities" such as disenrollment, fault-tolerance, and pre-positioning, and for a complete bibliography we recommend the survey article by Simmons [41].

We also mention some "extended capabilities" of secret sharing schemes that have been studied. Papers [1] and [8] have addressed the problem of designing secret sharing schemes having the additional feature that qualified minorities can forbid any other set of participants from reconstructing the secret. These schemes are referred to as secret sharing schemes with "veto" capability. Ingemarsson and Simmons [26] solve the question of how to set up a secret sharing scheme in the absence of a trusted party.
Prepositioned schemes are studied in [40]. The idea of protecting against cheating by one or more participants is addressed in [32, 45, 37, 39, 15, 18]. In [4] the authors investigated threshold schemes that permit disenrollment of participants. Secret sharing schemes in which the dealer has the feature of being able (after a preprocessing stage) to activate a particular access structure out of a given set and/or to allow the participants to reconstruct different secrets (in different time instants) by sending to all participants the same broadcast message have been analyzed in [6]. Schemes for sharing several non-independent secrets simultaneously have been analyzed in [10]; whereas schemes where different secrets are associated with different subsets of participants are considered in [28] and [7]. Recently, Naor and Shamir [35] considered a type of cryptographic scheme that is able to decode concealed images without any cryptographic computation. They extended it into a visual variant of the $(n, k)$ secret sharing problem.

In this paper we derive new limitations on the information rate and the average information rate for access structures represented by graphs. The paper is organized as follows. In Section 2 we formally define secret sharing schemes using an information theoretical framework¹. We also define the optimal (average) information rate of an access structure $\mathcal{A}$ by using the entropy approach. In Section 3 we prove new upper bounds on the information rate and the average information rate. These bounds are obtained by using the entropy approach introduced in [17] and are the best possible for the considered structures since we exhibit secret sharing schemes that meet the bounds. In particular, we give the first proof of the existence of access structures with information rate and average information rate strictly less than $2/3$. This solves a problem of [9]. In Section 3.1 we also consider the problem of efficiently testing if one of these low-information-rate access structures is a sub-structure of an arbitrary access structure. This is important since it would immediately give an efficient way to get upper bounds on the information rate for classes of access structures. Unfortunately, we show that the above decision problem is NP-complete.
In Section 4 we consider the problem of finding good lower bounds on the information rate and the average information rate for access structures based on graphs and we give several general lower bounds that improve on previously known results. In particular, we show that any graph on $n$ vertices of maximum degree $d$ admits a secret sharing scheme with information rate $1/(\lceil d/2 \rceil + 1 - \lceil d/2 \rceil / n)$. We provide a scheme for any tree with $n$ internal vertices having information rate equal to $n/(2n-1)$. Finally, we show that any graph with $n$ vertices admits a secret sharing scheme with information rate $((\log n)/n)$ and any graph with $n$ vertices and $m$ edges admits a secret sharing scheme with average information rate � n lognm log n2m �.

2 Secret Sharing Schemes

A secret sharing scheme permits a secret to be shared among a set $\mathcal{P}$ of $n$ participants in such a way that only qualified subsets of $\mathcal{P}$ can recover the secret, but any non-qualified subset has absolutely no information on the secret. An access structure $\mathcal{A}$ is the set of all subsets of $\mathcal{P}$ that can recover the secret.

Definition 2.1 Let $\mathcal{P}$ be a set of participants; a monotone access structure $\mathcal{A}$ on $\mathcal{P}$ is a subset $\mathcal{A} \subseteq 2^{\mathcal{P}} \setminus \emptyset$, such that
$$A \in \mathcal{A},\ A \subseteq A' \subseteq \mathcal{P} \Rightarrow A' \in \mathcal{A}.$$

Definition 2.2 Let $\mathcal{P}$ be a set of participants and $\mathcal{A} \subseteq 2^{\mathcal{P}}$. The closure of $\mathcal{A}$, denoted by $cl(\mathcal{A})$, is the set
$$cl(\mathcal{A}) = \{C \mid B \in \mathcal{A} \text{ and } B \subseteq C \subseteq \mathcal{P}\}.$$

¹ All the necessary information theoretical definitions are listed in Appendix A, together with the basic terminology in graph theory.

For a monotone access structure $\mathcal{A}$ we have $\mathcal{A} = cl(\mathcal{A})$. All access structures considered in this paper are monotone.

Let $S$ be the set of secrets, $\{p_S(s)\}_{s \in S}$ be a probability distribution on $S$, and let a secret sharing scheme $\Sigma$ for secrets in $S$ be fixed. For any participant $P \in \mathcal{P}$, let us denote by $K(P)$ the set of all possible shares given to participant $P$. Suppose a dealer $D$ wants to share the secret $s \in S$ among the participants in $\mathcal{P}$ (we will assume that $D \notin \mathcal{P}$). He does this by giving each participant $P \in \mathcal{P}$ a share from $K(P)$ chosen according to some, not necessarily uniform, probability distribution. Given a set of participants $A = \{P_{i_1}, \ldots, P_{i_r}\} \subseteq \mathcal{P}$, denote by $K(A) = K(P_{i_1}) \times \cdots \times K(P_{i_r})$.

We represent, as in [44], a secret sharing scheme $\Sigma$ by a collection of distribution rules. A distribution rule is a function
$$f : \mathcal{P} \cup \{D\} \to K(\mathcal{P}) \cup S$$
which satisfies the conditions $f(D) \in S$ and $f(P_i) \in K(P_i)$, for $i = 1, 2, \ldots, n$. A distribution rule $f$ represents a possible distribution of shares to the participants, where $f(D)$ is the secret being shared, and $f(P_i)$ is the share given to $P_i$. If $F$ is a family of distribution rules and $s \in S$, then $F_s = \{f \in F : f(D) = s\}$ is the family of all distribution rules having $s$ as the secret. If $s \in S$ is the value of the secret that $D$ wants to share, then $D$ will randomly choose a distribution rule $f \in F_s$, according to some probability distribution, and use $f$ to distribute shares to the participants.

The family of distribution rules $F$ can also be depicted as a matrix $M$, each row of which corresponds to one distribution rule. One column of $M$ will be indexed by $D$, and the remaining columns are indexed by the members of $\mathcal{P}$.

Any secret sharing scheme for secrets in $S$ and a probability distribution $\{p_S(s)\}_{s \in S}$ naturally induce a probability distribution on $K(A)$, for any $A \subseteq \mathcal{P}$. Denote such probability distribution by $\{p_{K(A)}(a)\}_{a \in K(A)}$.
Finally, denote by $H(S)$ the entropy of $\{p_S(s)\}_{s \in S}$ and by $H(A)$ the entropy of $\{p_{K(A)}(a)\}_{a \in K(A)}$, for any $A \subseteq \mathcal{P}$.

In terms of the probability distribution on the secret and on the shares given to participants, we say that a secret sharing scheme is a perfect secret sharing scheme, or simply a secret sharing scheme, for the monotone access structure $\mathcal{A} \subseteq 2^{\mathcal{P}}$ if

1. Any subset $A \subseteq \mathcal{P}$ of participants enabled to recover the secret can compute the secret: If $A \in \mathcal{A}$, then for all $a \in K(A)$ with $p_{K(A)}(a) > 0$ there exists a unique secret $s \in S$ such that $p(s|a) = 1$.

2. Any subset $A \subseteq \mathcal{P}$ of participants not enabled to recover the secret has no information on the secret value: If $A \notin \mathcal{A}$, then for all $s \in S$ and for all $a \in A$, it holds that $p(s|a) = p_S(s)$.

Property 1 means that the value of the shares held by $A \in \mathcal{A}$ completely determines the secret $s \in S$. Notice that property 2 means that the probability that the secret is equal to $s$, given that the shares held by $A \notin \mathcal{A}$ are $a$, is the same as the a priori probability of the secret $s$. Therefore, no amount of knowledge of shares of participants not qualified to reconstruct the secret enables a Bayesian opponent to modify an a priori guess regarding which the secret is.

Following the approach of [29], [31], and [17] we can restate the above conditions 1 and 2 using the information measures listed in Appendix A. Therefore, we say that a secret sharing scheme is a sharing of the secrets in $S$ among participants in $\mathcal{P}$ such that

1'. Any subset $A \subseteq \mathcal{P}$ of participants enabled to recover the secret can compute the secret: Formally, for all $A \in \mathcal{A}$, it holds that $H(S|A) = 0$.

2'. Any subset $A \subseteq \mathcal{P}$ of participants not enabled to recover the secret has no information on the secret value: Formally, for all $A \notin \mathcal{A}$, it holds that $H(S|A) = H(S)$.

Notice that $H(S|A) = 0$ means that each set of values of the shares in $A$ corresponds to a unique value of the secret. In fact, by definition, $H(S|A) = 0$ is equivalent to the fact that for all $a \in K(A)$ with $p_{K(A)}(a) > 0$ a unique $s \in S$ exists such that $p(s|a) = 1$. Moreover, $H(S|A) = H(S)$ is equivalent to stating that $S$ and $K(A)$ are statistically independent, i.e., for all $a \in K(A)$ and for all $s \in S$, it holds that $p(s|a) = p_S(s)$ and therefore the knowledge of $a$ gives no information about the secret.

2.1 The Size of the Shares

One of the basic problems in the field of secret sharing schemes is to derive bounds on the amount of information that must be kept secret. This is important from the practical point of view since the security of any system degrades as the amount of secret information increases.

Let $\mathcal{P}$ be a set of $n$ participants and $\mathcal{A} \subseteq 2^{\mathcal{P}}$ be an access structure on $\mathcal{P}$. Different measures of the amount of secret information that must be distributed in a secret sharing scheme are possible. If we are interested in limiting the maximum size of shares for each participant (i.e., the maximum quantity of secret information that must be given to any participant), then a worst-case measure of the maximum of $H(P)$ over all $P \in \mathcal{P}$ naturally arises. To analyze such cases we use the information rate of $\mathcal{A}$ defined below. Given a set of secrets $S$, a non-trivial probability distribution $\Pi_S$ on $S$, and a fixed secret sharing scheme $\Sigma$ for $\mathcal{A}$, we define
$$\rho(\mathcal{A}, \Pi_S, \Sigma) = \frac{H(S)}{\max_{P \in \mathcal{P}} H(P)}.$$
This measure was introduced by Brickell and Stinson [16] when the probability distributions over the secret and the shares are uniform. In such a case the information rate reduces to $\log |S| / \max_{P \in \mathcal{P}} \log |K(P)|$, and corresponds to the ratio between the size of the secret (measured in bits) and that of the largest share given to any participant.
The optimal information rate of the access structure $\mathcal{A}$ is then defined as:
$$\rho^*(\mathcal{A}) = \sup_{\mathcal{Q}, \mathcal{T}} \rho(\mathcal{A}, \Pi_S, \Sigma),$$
where $\mathcal{Q}$ is the space of all non-trivial probability distributions $\Pi_S$ and $\mathcal{T}$ is the space of all secret sharing schemes for the access structure $\mathcal{A}$. In [29] and [17] it has been proved that in any secret sharing scheme the relation $H(P) \ge H(S)$ holds for any $P \in \mathcal{P}$. Since $H(P) = H(S)$, for any $P \in \mathcal{P}$, is the optimal situation we refer to such a scheme as an ideal scheme.

In many cases it is preferable to limit the sum of the size of shares given to all participants. In such a case the arithmetic mean of the $H(P)$, for $P \in \mathcal{P}$, is a more appropriate measure. We define the average information rate as follows. Given a set of secrets $S$, a non-trivial probability distribution $\Pi_S$ on $S$, and a fixed secret sharing scheme $\Sigma$ for $\mathcal{A}$, we define
$$\tilde{\rho}(\mathcal{A}, \Pi_S, \Sigma) = \frac{H(S)}{\sum_{P \in \mathcal{P}} H(P) / |\mathcal{P}|}.$$
This measure was introduced in [5], [33], and [34] when a uniform probability distribution on the set of secrets is assumed. In such a case the average information rate reduces to $|\mathcal{P}| \log |S| / \sum_{P \in \mathcal{P}} \log |K(P)|$.

Blundo, De Santis, Stinson, and Vaccaro [9] analyzed secret sharing schemes by means of this measure, when the probability distributions over the secret and the shares are uniform. If the secret and the shares are chosen under a uniform probability distribution, considering the previous measure is equivalent to considering the "average size" of the shares assigned to each participant to realize a secret sharing scheme. The optimal average information rate of the access structure $\mathcal{A}$ is then defined as:
$$\tilde{\rho}^*(\mathcal{A}) = \sup_{\mathcal{Q}, \mathcal{T}} \tilde{\rho}(\mathcal{A}, \Pi_S, \Sigma),$$
where $\mathcal{Q}$ is the space of all non-trivial probability distributions $\Pi_S$ and $\mathcal{T}$ is the space of all secret sharing schemes for the access structure $\mathcal{A}$.

It is clear that, for the same secret sharing scheme and non-trivial probability distribution $P_S$ on the secret, the information rate $\rho$ is no greater than the average information rate $\tilde{\rho}$, that is $\tilde{\rho} \ge \rho$, and $\tilde{\rho} = \rho$ if and only if all $H(P)$, for $P \in \mathcal{P}$, have the same value. In case the access structure $\mathcal{A}$ coincides with the closure of the edge-set of some graph $G(V(G), E(G))$, we will identify $\mathcal{A}$ with the graph $G$. As done in [9] we denote, for a graph $G$, the optimal information rate with $\rho^*(G)$ and the average information rate with $\tilde{\rho}^*(G)$.

Remark We will use the optimal information rate and optimal average information rate to prove strong non-existential results. In fact, any upper bound of the form $\rho^*(\mathcal{A}) \le r$ implies that for the access structure $\mathcal{A}$ there does not exist any secret sharing scheme that gives to participants shares of size $r$ times the size of the secret, and this holds whatever the domain of the secret is and whatever the probability distribution on the domain of the secret is. It is clear that the same measure does not give significant results when dealing with existential results.
In such cases, that is when we want to prove that secret sharing schemes with a given performance exist, we will explicitly mention for which domain of the secret and for which distribution on it the secret sharing scheme can be constructed.

2.2 Auxiliary Results

In this section we recall some auxiliary results. We will improve some of them in the next sections and we will use others in our constructions.

Brickell and Stinson [16] proved the following lower bound on the information rate for any graph of maximum degree $d$. We denote with $U_S$ the uniform probability distribution on the set of secrets $S$.

Theorem 2.1 Let $G$ be a graph with maximum degree $d$. Then for any set of secrets $S$ of cardinality $q \ge 2$, there exists a secret sharing scheme $\Sigma$ with information rate
$$\rho(G, U_S, \Sigma) = \frac{1}{\lceil d/2 \rceil + 1}.$$

In Section 3 we will show how to improve this bound for odd $d$. Blundo, De Santis, Stinson, and Vaccaro [9] proved the following result for trees.

Lemma 2.1 Let $G$ be a tree. Then for any set of secrets $S$ of cardinality $q \ge 2$, there exists a secret sharing scheme $\Sigma$ with information rate $\rho(G, U_S, \Sigma) = 1/2$.

In Section 3 we will show how to improve this bound for any tree.

The following results, proved in [9] and [44], will be used to obtain good secret sharing schemes for graphs with maximum degree 3:

Theorem 2.2 Let $C_n$ be a cycle of length $n$, $n \ge 5$. For any set of secrets $S$ of cardinality $q^2$, with $q \ge n$, a secret sharing scheme $\Sigma$ for $C_n$ exists with information rate $\rho(C_n, U_S, \Sigma) = 2/3$.

The following lemmas have been proved by Capocelli, De Santis, Gargano, and Vaccaro [17]; we will use them to find new upper bounds on the information rate of access structures. Since their proofs are simple, we report them for the reader's convenience.

Lemma 2.2 Let $\mathcal{A}$ be an access structure on a set $\mathcal{P}$ of participants and $X, Y \subseteq \mathcal{P}$. Let $Y \notin \mathcal{A}$ and $X \cup Y \in \mathcal{A}$. Then $H(X|Y) = H(S) + H(X|YS)$.

Proof. The conditional mutual information $I(X; S|Y)$ can be written either as $H(X|Y) - H(X|YS)$ or as $H(S|Y) - H(S|XY)$. Hence, $H(X|Y) = H(X|YS) + H(S|Y) - H(S|XY)$. Because $H(S|XY) = 0$ for $X \cup Y \in \mathcal{A}$ and $H(S|Y) = H(S)$ for $Y \notin \mathcal{A}$, we have $H(X|Y) = H(S) + H(X|YS)$.

Lemma 2.3 Let $\mathcal{A}$ be an access structure on a set $\mathcal{P}$ of participants and $X, Y \subseteq \mathcal{P}$. If $X \cup Y \notin \mathcal{A}$ then $H(Y|X) = H(Y|XS)$.

Proof. The conditional mutual information $I(Y; S|X)$ can be written either as $H(Y|X) - H(Y|XS)$ or as $H(S|X) - H(S|XY)$. Hence, $H(Y|X) = H(Y|XS) + H(S|X) - H(S|XY)$. Because $H(S|XY) = H(S|X) = H(S)$, for $X \cup Y \notin \mathcal{A}$, we have $H(Y|X) = H(Y|XS)$.

Finally, we briefly recall a technique introduced in [9] to obtain lower bounds on the information rate of a graph $G$.

Suppose $G$ is a graph; a complete multipartite covering (or CMC) of $G$ is a set $\Pi = \{G_1, \ldots, G_t\}$ where $G_1, \ldots, G_t$ are subgraphs of $G$, each edge of $G$ occurs in at least one of the $G_i$'s, and each $G_i$ is a complete multipartite graph. Suppose $\Pi_j = \{G_{j1}, \ldots, G_{jn_j}\}$, $j = 1, 2$, are two CMCs of $G$. For every vertex $v$ and for $j = 1, 2$, define $R_{jv} = |\{i : v \in G_{ji}\}|$. Then, we define $\Pi_1 \le \Pi_2$ if $R_{1v} \le R_{2v}$ for all $v \in V(G)$. Define a CMC $\Pi$ to be minimal if there is no $\Pi' \ne \Pi$ such that $\Pi' \le \Pi$. Let $\Pi_j = \{G_{j1}, \ldots, G_{jn_j}\}$, $j = 1, \ldots, L$, comprise a complete enumeration of the minimal CMCs of $G$.
For every vertex $v$ and for $j = 1, \ldots, L$ define $R_{jv} = |\{i : v \in G_{ji}\}|$ and consider the following optimization problem $O(G)$:

Minimize $T$ subject to:
$a_j \ge 0$, $1 \le j \le L$
$\sum_{j=1}^{L} a_j = 1$
$T \ge \sum_{j=1}^{L} a_j R_{jv}$, $v \in V(G)$

In [9] it is proved that if $T^*$ is the optimal solution to $O(G)$ then for any set of secrets $S$ of cardinality $|S| = q^L$, for $q \ge \max\{t_{ji} : 1 \le j \le L, 1 \le i \le n_j\}$, where $t_{ji}$ is the number of parts in $G_{ji}$, there exists a secret sharing scheme $\Sigma$ with information rate $\rho(G, U_S, \Sigma) = 1/T^*$.

3 Upper Bounds on the Information Rate and Average Information Rate

In this section we will exhibit an access structure having optimal information rate less than 2/3. This solves an open problem in [9]. The result is obtained using the entropy approach of [17].

Consider the graph $AS_k = (V(AS_k), E(AS_k))$, $k \ge 1$, where
$$V(AS_k) = \{Y_0, X_0, X_1, \ldots, X_k, X_{k+1}, \ldots, X_{2k}\}$$
and
$$E(AS_k) = \{(Y_0, X_0), (X_0, X_1), \ldots, (X_0, X_k), (X_1, X_{k+1}), \ldots, (X_k, X_{2k})\}.$$
As an example, the graph $AS_k$ for $k = 3$ is depicted in Figure 1.a.

[Figure 1: panels 1.a, 1.b, 1.c]

Theorem 3.1 The optimal information rate of the graph $AS_k$, $k \ge 1$, satisfies
$$\rho^*(AS_k) \le \frac{1}{2} + \frac{1}{4k+2}.$$
Moreover, for any set of secrets $S$ of cardinality $q^{k+1}$, with $q \ge 2$, there exists a secret sharing scheme $\Sigma_1$ such that $\rho(AS_k, U_S, \Sigma_1) = 1/2 + 1/(4k+2)$.
The optimal average information rate of $AS_k$, $k \ge 1$, satisfies
$$\tilde{\rho}^*(AS_k) \le \frac{2}{3} + \frac{2}{9k+6}.$$
Moreover, for any set of secrets $S$ of cardinality $|S| \ge 2$ there exists a secret sharing scheme $\Sigma_2$ such that $\tilde{\rho}(AS_k, U_S, \Sigma_2) = 2/3 + 2/(9k+6)$.

Proof: Consider the conditional entropy $H(X_1 \ldots X_k | Y_0)$. We have

$H(X_1 \ldots X_k | Y_0) = H(X_1|Y_0) + H(X_2|X_1 Y_0) + \cdots + H(X_k|X_1 \ldots X_{k-1} Y_0)$ (from (4) of Appendix A)
$\ge H(X_1|Y_0 X_{k+1}) + H(X_2|X_1 Y_0 X_{k+2}) + H(X_3|X_1 X_2 Y_0 X_{k+3}) + \cdots + H(X_k|X_1 \ldots X_{k-1} Y_0 X_{2k})$ (from (6) of Appendix A)
$\ge k H(S)$ (from Lemma 2.2 and (3) of Appendix A).

On the other hand, we have also

$H(X_1 \ldots X_k | Y_0) = H(X_1 \ldots X_k | Y_0 S)$ (from Lemma 2.3)
$\le H(X_0 X_1 \ldots X_k | Y_0 S)$ (from (4) and (3) of Appendix A)
$\le H(X_0|Y_0 S) + H(X_1|X_0 S) + \cdots + H(X_k|X_0 S)$ (from (4) and (6) of Appendix A)
$= H(X_0|Y_0) - H(S) + \cdots + H(X_k|X_0) - H(S)$ (from Lemma 2.2)
$\le H(X_0) + \cdots + H(X_k) - (k+1) H(S)$ (from (5) of Appendix A).

Therefore, we get
$$H(X_0) + H(X_1) + \cdots + H(X_k) \ge (2k+1) H(S). \qquad (1)$$
From (1) it follows that there exists $i \in \{0, 1, \ldots, k\}$ such that
$$H(X_i) \ge \frac{2k+1}{k+1} H(S).$$
Therefore, the optimal information rate $\rho^*(AS_k)$ is upper bounded by
$$\rho^*(AS_k) \le \frac{k+1}{2k+1} = \frac{1}{2} + \frac{1}{4k+2}.$$
From (1) and from Lemma 2.2 it follows that
$$H(Y_0) + \sum_{i=0}^{2k} H(X_i) \ge (3k+2) H(S).$$
Therefore, the optimal average information rate of $AS_k$ is upper bounded by
$$\frac{2k+2}{3k+2} = \frac{2}{3} + \frac{2}{9k+6}.$$

Actually, $1/2 + 1/(4k+2)$ is the true value of the optimal information rate. This value can be attained by using the CMC technique presented in [9]. Consider the following two minimal complete multipartite coverings of $AS_k$:
$$\Pi_1 = \{\{Y_0 X_0, X_0 X_1, \ldots, X_0 X_k\}, \{X_1 X_{k+1}, \ldots, X_k X_{2k}\}\}$$
$$\Pi_2 = \{\{Y_0 X_0\}, \{X_0 X_1, X_1 X_{k+1}\}, \ldots, \{X_0 X_k, X_k X_{2k}\}\}.$$
(An example of these two coverings of $AS_k$ is depicted in Figures 1.b and 1.c for $k = 3$.) Taking $k$ copies of $\Pi_1$ and one copy of $\Pi_2$ there exists a secret sharing scheme $\Sigma_1$ with information rate $\rho(AS_k, U_S, \Sigma_1) = (k+1)/(2k+1)$ for any set of secrets $S$ of cardinality $q^{k+1}$, for $q \ge 2$. Thus, the optimal information rate of $AS_k$ is $1/2 + 1/(4k+2)$. The optimal average information rate equal to $2/3 + 2/(9k+6)$ is attained by either $\Pi_1$ or $\Pi_2$ for any set of secrets $S$ of cardinality $q \ge 2$.

In case the probability distribution on the set of secrets is the uniform one, we obtain the following result, whose proof is immediate using Theorem 3.1 and inequality (2) of Appendix A. As customary, we measure both the size of the shares and the size of the secret with the logarithm of the cardinality of the sets from which they are taken, that is, by the number of bits necessary to their representation.

Corollary 3.1 Suppose $p_S(s) = 1/|S|$, for any $s \in S$. Then any secret sharing scheme for the access structure $AS_k$ must give to at least one participant a share whose size is at least $2 - 1/(k+1)$ times the size of the secret.

Theorem 3.1 is a generalization of Theorem 4.1 of [17]. In fact if we choose $k = 1$ the access structure $AS_k$ is the closure of the edge-set of $P_3$, the path on four vertices.

In Appendix B are depicted all graphs on six vertices that have $AS_2$ as induced subgraph and, therefore, have optimal information rate less than 3/5. It turns out that the optimal information rate for all those graphs is equal to 3/5, and all but one have also an optimal average information rate equal to 3/4.

Using Theorem 3.1 we can show the existence of access structures having average information rate less than 2/3, which represented the best upper bound known so far [17] on average information rate.

Consider the graph $M_k$, where $V(M_k) = \{X_1, X_2, \ldots, X_{2k+3}, X_{2k+4}\}$ and
$$E(M_k) = \{X_1 X_2\} \cup \{X_2 X_i, X_i X_{k+i}, X_{k+i} X_{2k+3} \mid 3 \le i \le k+2\} \cup \{X_{2k+3} X_{2k+4}\}.$$
The graph $M_3$ and a CMC that attains the optimal average information rate are depicted in Figure 2. The following theorem holds.

Theorem 3.2 The optimal average information rate for $M_k$, $k \ge 1$, satisfies
$$\tilde{\rho}^*(M_k) \le \frac{1}{2} + \frac{1}{2k+2}.$$
Moreover, for any set of secrets $S$ of cardinality $|S| \ge 2$ there exists a secret sharing scheme $\Sigma$ such that $\tilde{\rho}(M_k, U_S, \Sigma) = 1/2 + 1/(2k+2)$.

Proof: From Lemma 2.2 we get $H(X_1) \ge H(S)$ and $H(X_{2k+4}) \ge H(S)$, whereas from Theorem 3.1 we have
$$\sum_{i=2}^{k+2} H(X_i) \ge 2k+1$$
and
$$\sum_{i=k+3}^{2k+3} H(X_i) \ge 2k+1.$$
Thus,
$$\sum_{i=1}^{2k+4} H(X_i) \ge 4k+4.$$
Hence,
$$\tilde{\rho}^*(M_k) \le \frac{k+2}{2k+2} = \frac{1}{2} + \frac{1}{2k+2}.$$
It is easy to see that the following complete multipartite covering $\Pi$ of the graph $M_k$ meets the previous bound.
$$\Pi = \{\{X_1 X_2, X_2 X_3, \ldots, X_2 X_{k+2}\}, \{X_3 X_{k+3}\}, \{X_4 X_{k+4}\}, \ldots, \{X_{k+2} X_{2k+2}\}, \{X_{k+3} X_{2k+3}, \ldots, X_{2k+2} X_{2k+3}, X_{2k+3} X_{2k+4}\}\}.$$
More precisely, there exists a secret sharing scheme $\Sigma$ with average information rate $\rho(M_k, U_S, \Sigma) = (2k+4)/(4k+4)$ for any set of secrets $S$ of cardinality $|S| \ge 2$.
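The schemes claimed in Theorems 3.1 and 3.2 can be built and checked by exhaustive enumeration of distribution rules; the following is an added example, not code from the paper. It assumes each block of a covering is a complete bipartite graph shared over $Z_q$ by giving one side a random mask and the other side mask plus secret component (a standard ideal construction, assumed here rather than taken from the page), and all function names are hypothetical.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations, product

def X(i):
    return f"X{i}"

def as_k(k):
    """AS_k with the weighting of Theorem 3.1: k copies of Pi_1, one of Pi_2."""
    idx = range(1, k + 1)
    verts = ["Y0", "X0"] + [X(i) for i in range(1, 2 * k + 1)]
    edges = [("Y0", "X0")] + [("X0", X(i)) for i in idx]
    edges += [(X(i), X(k + i)) for i in idx]
    # Each block is a complete bipartite graph written as (side_a, side_b).
    pi1 = [(["X0"], ["Y0"] + [X(i) for i in idx])]
    pi1 += [([X(i)], [X(k + i)]) for i in idx]
    pi2 = [(["Y0"], ["X0"])] + [([X(i)], ["X0", X(k + i)]) for i in idx]
    return verts, edges, [pi1] * k + [pi2]

def m_k(k):
    """M_k with the single covering Pi from the proof of Theorem 3.2."""
    mid = range(3, k + 3)
    verts = [X(i) for i in range(1, 2 * k + 5)]
    edges = [(X(1), X(2)), (X(2 * k + 3), X(2 * k + 4))]
    for i in mid:
        edges += [(X(2), X(i)), (X(i), X(k + i)), (X(k + i), X(2 * k + 3))]
    pi = [([X(2)], [X(1)] + [X(i) for i in mid])]
    pi += [([X(i)], [X(k + i)]) for i in mid]
    pi += [([X(2 * k + 3)], [X(k + i) for i in mid] + [X(2 * k + 4)])]
    return verts, edges, [pi]

def deal(verts, plan, q, secret, rand):
    """One distribution rule: secret has one Z_q component per covering in
    plan, rand has one Z_q mask per block (assumed sharing rule)."""
    shares = {v: [] for v in verts}
    masks = iter(rand)
    for s_j, covering in zip(secret, plan):
        for side_a, side_b in covering:
            r = next(masks)
            for v in side_a:
                shares[v].append(r)
            for v in side_b:
                shares[v].append((r + s_j) % q)
    return {v: tuple(x) for v, x in shares.items()}

def rates(verts, plan):
    """(information rate, average information rate) for uniform secrets.
    Share components are independent and uniform, so sizes count Z_q elements."""
    blocks = sum(len(c) for c in plan)
    sample = deal(verts, plan, 2, (0,) * len(plan), (0,) * blocks)
    sizes = [len(sample[v]) for v in verts]
    return (Fraction(len(plan), max(sizes)),
            Fraction(len(plan) * len(verts), sum(sizes)))

def is_perfect(verts, edges, plan, q):
    """Check conditions 1 and 2 of Section 2 over every non-empty subset."""
    blocks = sum(len(c) for c in plan)
    rules = [(s, deal(verts, plan, q, s, r))
             for s in product(range(q), repeat=len(plan))
             for r in product(range(q), repeat=blocks)]
    edge_sets = [set(e) for e in edges]
    for size in range(1, len(verts) + 1):
        for subset in combinations(verts, size):
            qualified = any(e <= set(subset) for e in edge_sets)
            views = defaultdict(lambda: defaultdict(int))
            for s, shares in rules:
                views[tuple(shares[v] for v in subset)][s] += 1
            for counts in views.values():
                if qualified and len(counts) != 1:
                    return False  # shares do not determine the secret
                if not qualified and (len(counts) != q ** len(plan)
                                      or len(set(counts.values())) != 1):
                    return False  # shares leak information on the secret
    return True

if __name__ == "__main__":
    v, e, p = as_k(2)
    print(rates(v, p), is_perfect(v, e, p, 2))
```

Dropping a block from a covering leaves some edge uncovered for one secret component, and `is_perfect` then reports the failure of condition 1 for that edge.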


[Figure 2: panels 2.a, 2.b]

3.1 An NP-completeness Result

A close look at the proof of the upper bound in Theorem 3.1 shows that it can be applied also to any access structure $\mathcal{A}$ on $2k+2$ participants, $Y_0, X_0, X_1, \ldots, X_{2k}$, such that the set $\mathcal{A}$-allowed defined as
$$\mathcal{A}\text{-allowed} = \{Y_0 X_0\} \cup \{X_0 X_i, X_i X_{k+i} \mid 1 \le i \le k\}$$
is in the access structure, i.e., $\mathcal{A}$-allowed $\subseteq \mathcal{A}$, but the set $\mathcal{A}$-forbidden defined as
$$\mathcal{A}\text{-forbidden} = \{X_1 X_2 \ldots X_k Y_0\} \cup \{Y_0 X_{k+1}\} \cup \{X_1 \ldots X_i Y_0 X_{k+i+1} \mid 1 \le i \le k-1\}$$
has no intersection with the access structure, i.e., $\mathcal{A}$-forbidden $\cap\, \mathcal{A} = \emptyset$. Let $B_k$ be the set of all access structures which satisfy the above requirements. The sequence $(X_1, X_2, \ldots, X_k)$ is called the children list of access structure $\mathcal{A}$ (the name is inspired by the fact that the set $\mathcal{A}$-allowed has the form of a tree). To maintain simpler notation we denote a set $\{a_1, a_2, \ldots, a_n\}$ by the sequence $a_1 a_2 \ldots a_n$. In case the access structure is the closure of a graph, the set $\mathcal{A}$-forbidden can be written as
$$\mathcal{A}\text{-forbidden-edges} = \{Y_0 X_i \mid 1 \le i \le 2k\} \cup \{X_i X_j \mid 1 \le i < j \le k\} \cup \{X_i X_{k+j} \mid 1 \le i < j \le k\}.$$
Let $\mathcal{A}$ be an access structure on a set $\mathcal{P}$ of participants. Given a subset of participants $\mathcal{P}' \subseteq \mathcal{P}$, we define the access structure induced by $\mathcal{P}'$ as the family of sets $\mathcal{A}[\mathcal{P}'] = \{x \in \mathcal{A} \mid x \subseteq \mathcal{P}'\}$. Extending Theorem 3.3 of [16] to general access structures and using Theorem 3.1 we can prove the following theorem.

Theorem 3.3 Let $\mathcal{A}$ be an access structure on a set $\mathcal{P}$ of participants and $\mathcal{P}' \subseteq \mathcal{P}$. If $\mathcal{A}[\mathcal{P}'] \in B_k$, where $k \ge 1$, then the optimal information rates for $\mathcal{A}$ and $\mathcal{A}[\mathcal{P}']$ satisfy
$$\rho^*(\mathcal{A}) \le \rho^*(\mathcal{A}[\mathcal{P}']) \le \frac{1}{2} + \frac{1}{4k+2},$$
and the optimal average information rate for $\mathcal{A}[\mathcal{P}']$ satisfies
$$\tilde{\rho}^*(\mathcal{A}[\mathcal{P}']) \le \frac{2}{3} + \frac{2}{9k+6}.$$

The above theorem gives an upper bound on the information rate of access structures given that the access structure induced by a subset of participants is in $B_k$. We will use the above theorem to get upper bounds on the optimal information rate and on the optimal average information rate of several graphs with six vertices, extending the results of [9] that computed the information rate of all graphs with five vertices. Unfortunately, testing for the above property in general is a hard computational problem, as we show that this is NP-complete. Let $\mathcal{A}$ be an access structure; a set $C \in \mathcal{A}$ is a minimal set of $\mathcal{A}$ if $A \notin \mathcal{A}$ whenever $A \subset C$. Define the B-INDUCED-SUBSTRUCTURE problem as follows: Given a set of participants $\mathcal{P}$, an access structure $\mathcal{A}$ defined by the family of minimal sets which can recover the secret and a positive integer $k \ge 3$, determine if there is a subset $\mathcal{P}' \subseteq \mathcal{P}$ such that the induced access structure $\mathcal{A}[\mathcal{P}']$ is in $B_k$.

Theorem 3.4 B-INDUCED-SUBSTRUCTURE is NP-complete.

Proof. (For the definition of NP-complete problems and notation used in this proof, we refer the reader to [25].) It is easy to see that B-INDUCED-SUBSTRUCTURE $\in$ NP, since a nondeterministic algorithm needs only guess participants $Y_0, X_0, X_1, \ldots, X_{2k}$, and check in polynomial time whether the set $\mathcal{A}$-allowed is a subset of $\mathcal{A}$ and $\mathcal{A}$-forbidden $\cap\, \mathcal{A} = \emptyset$.

We transform 3SAT to B-INDUCED-SUBSTRUCTURE. Let $U = \{u_1, u_2, \ldots, u_{k-1}\}$, $k \ge 3$, be a set of variables and $C = \{c_1, c_2, \ldots, c_m\}$ be a set of clauses, each containing 3 literals. We will construct an access structure $\mathcal{A}$ on a set $\mathcal{P}$ of participants, such that there is a subset of participants $\mathcal{P}' \subseteq \mathcal{P}$ and the induced access structure $\mathcal{A}[\mathcal{P}']$ is in $B_k$ if and only if $C$ is satisfiable.

There are $4k$ participants in $\mathcal{P}$: four participants $y_0, x_0, v, v'$, and for each variable $u_i \in U$ there are four participants $u_i, \bar{u}_i, u'_i, \bar{u}'_i$ in $\mathcal{P}$.

The access structure $\mathcal{A}$ consists of three components, i.e., $\mathcal{A} = A_1 \cup A_2 \cup A_3$.
The family $A_1$ is defined as
$$A_1 = \{y_0 x_0, x_0 v, v v'\} \cup \{x_0 u_i, x_0 \bar{u}_i, u_i u'_i, \bar{u}_i \bar{u}'_i, u_i \bar{u}'_i, \bar{u}_i u'_i \mid 1 \le i \le k-1\}.$$
Note that the pairs of participants in $A_1$ have been chosen so that if there is a set $\mathcal{P}' \subseteq \mathcal{P}$ such that $\mathcal{A}[\mathcal{P}'] \in B_k$, then: 1) $y_0, x_0, v, v' \in \mathcal{P}'$; 2) for each pair $\{u_i, \bar{u}_i\}$, $i = 1, 2, \ldots, k-1$, exactly one element is in $\mathcal{P}'$; 3) for each pair $\{u'_i, \bar{u}'_i\}$, $i = 1, 2, \ldots, k-1$, exactly one element is in $\mathcal{P}'$.

The set $A_2$ is defined as
$$A_2 = \{v' u_i u'_{i-1}, v' \bar{u}_i u'_{i-1}, v' u_i \bar{u}'_{i-1}, v' \bar{u}_i \bar{u}'_{i-1} \mid 2 \le i \le k-1\}.$$
Note that the definition of the set $A_2$ implies that if there is a set $\mathcal{P}' \subseteq \mathcal{P}$ such that $\mathcal{A}[\mathcal{P}'] \in B_k$, then any children list $(w_0, w_1, w_2, \ldots, w_{k-1})$ of $\mathcal{A}[\mathcal{P}']$ satisfies $w_0 = v$ and $w_i \in \{u_i, \bar{u}_i\}$, for $i = 1, 2, \ldots, k-1$. Should it be otherwise, a set $A \in A_2$ would belong to $\mathcal{A}[\mathcal{P}'] \cap \mathcal{A}$-forbidden and we could not have $\mathcal{A}[\mathcal{P}'] \in B_k$, getting a contradiction.

The set $A_3$ is defined as
$$A_3 = \{l_{i,1} l_{i,2} l_{i,3} \mid l_{i,1}, l_{i,2}, l_{i,3} \text{ are the complements of the 3 literals in } c_i \in C\}.$$
The construction can be accomplished in polynomial time. We now show that $C$ is satisfiable if and only if there is a subset of participants $\mathcal{P}' \subseteq \mathcal{P}$ whose induced access structure $\mathcal{A}[\mathcal{P}']$ is in $B_k$.

Suppose $P'$ is a set of participants such that $\mathcal{A}[P'] \in \mathcal{B}_k$. Recalling the definition of $\mathcal{A}_1$, we have that $v \in P'$ and for each pair $\{u_i, \bar u_i\}$, $i = 1, 2, \ldots, k-1$, exactly one element is in $P'$. Consider the truth assignment $t : U \to \{T, F\}$ defined as follows: if $u_i \in P'$ then $t(u_i) = T$, else $t(u_i) = F$. Let $c_i \in C$ be a clause consisting of literals $w_{i,1}, w_{i,2}, w_{i,3}$. Since $\bar w_{i,1}\bar w_{i,2}\bar w_{i,3}$ is in $\mathcal{A}_3$, the three elements $\bar w_{i,1}, \bar w_{i,2}, \bar w_{i,3}$ cannot all be in $P'$, otherwise $\mathcal{A}[P'] \notin \mathcal{B}_k$ since $\{\bar w_{i,1}\bar w_{i,2}\bar w_{i,3}\} \in$ A-forbidden. If $\bar w_{i,j} \notin P'$, for $j \in \{1, 2, 3\}$, then $t(w_{i,j}) = T$ and clause $c_i$ is satisfied.

On the other hand, assume that $t : U \to \{T, F\}$ is a satisfying truth assignment for $C$. Define $w_i$ and $w'_i$ as follows: $w_i = u_i$ and $w'_i = u'_i$ if $t(u_i) = T$, and $w_i = \bar u_i$ and $w'_i = \bar u'_i$ otherwise. Let $P'$ be the set $\{y_0, x_0, v, w_1, w_2, \ldots, w_{k-1}, v', w'_1, w'_2, \ldots, w'_{k-1}\}$. Then, $\mathcal{A}[P'] \in \mathcal{B}_k$.

As an example, let $U = \{u_1, u_2, u_3\}$ and $C = \{\{u_1, u_2, u_3\}, \{u_1, u_2, \bar u_3\}, \{u_1, \bar u_2, \bar u_3\}, \{\bar u_1, u_2, u_3\}, \{\bar u_1, \bar u_2, \bar u_3\}\}$. The set of participants is $\{y_0, x_0, v, v', u_1, \bar u_1, u'_1, \bar u'_1, u_2, \bar u_2, u'_2, \bar u'_2, u_3, \bar u_3, u'_3, \bar u'_3\}$. The graph representing the set $\mathcal{A}_1$ is depicted in Figure 3. Sets $\mathcal{A}_2$ and $\mathcal{A}_3$ are equal to $\mathcal{A}_2 = \{v'u_2u'_1,\ v'\bar u_2u'_1,\ v'u_2\bar u'_1,\ v'\bar u_2\bar u'_1,\ v'u_3u'_2,\ v'\bar u_3u'_2,\ v'u_3\bar u'_2,\ v'\bar u_3\bar u'_2\}$ and $\mathcal{A}_3 = \{\bar u_1\bar u_2\bar u_3,\ \bar u_1\bar u_2u_3,\ \bar u_1u_2u_3,\ u_1\bar u_2\bar u_3,\ u_1u_2u_3\}$. There are three satisfying assignments for $C$: $u_1 = 0$, $u_2 = 1$, $u_3 = 0$; $u_1 = 1$, $u_2 = 0$, $u_3 = 1$; and $u_1 = 1$, $u_2 = 1$, $u_3 = 0$. The sets of participants $P'$ such that $\mathcal{A}[P'] \in \mathcal{B}_4$ are the following: $\{y_0, x_0, v, \bar u_1, u_2, \bar u_3, v', r_1, r_2, r_3\}$, $\{y_0, x_0, v, u_1, \bar u_2, u_3, v', r_1, r_2, r_3\}$, and $\{y_0, x_0, v, u_1, u_2, \bar u_3, v', r_1, r_2, r_3\}$, where each $r_i$ can be either equal to $u'_i$ or to $\bar u'_i$.

Figure 3

4 Lower Bounds on Information Rate and Average Information Rate

In this section we will give several general lower bounds on the information rate and on the average information rate of access structures represented by graphs. Our lower bounds are obtained, as customary, assuming a uniform probability distribution $U_S$ on the set of secrets. We first recall the following theorem by Brickell and Davenport [14], stating that a complete bipartite graph admits an ideal secret sharing scheme. Since we will use this result several times, we repeat the proof for the reader's convenience$^2$.

$^2$ Actually, Brickell and Davenport proved the theorem for the general case of complete multipartite graphs, but we use it only in the particular case of complete bipartite graphs.

Theorem 4.1 Let $G$ be a complete bipartite graph. Then, for any set of secrets $S$ of cardinality $q \ge 2$, there exists an ideal secret sharing scheme $\Sigma$ for $G$, i.e., $\rho(G, U_S, \Sigma) = 1$.

Proof. Let $V_1$ and $V_2$ be the parts of $G$. An ideal secret sharing scheme for $G$ can be constructed as follows. Let $q \ge 2$ be an integer. Consider $S = Z_q$. If the secret is $s \in S$, then the dealer randomly chooses an element $\alpha \in Z_q$ and computes an element $\beta \in Z_q$ such that $s = \alpha + \beta \bmod q$. The dealer gives the share $\alpha$ to all participants in $V_1$ and the share $\beta$ to all participants in $V_2$. It is obvious that this realizes a secret sharing scheme with information rate equal to 1.

We first improve on the bound of Theorem 2.1 for graphs with $n$ vertices and odd maximum degree $d$.

Theorem 4.2 Let $G = (V(G), E(G))$ be a graph of $n$ vertices and maximum degree $d$, $d$ odd. Then, for any set of secrets $S$ of cardinality $q^n$, with $q \ge 2$, there exists a secret sharing scheme $\Sigma$ with information rate

$$\rho(G, U_S, \Sigma) = \frac{1}{\lceil d/2\rceil + 1 - \lceil d/2\rceil/n}.$$

Proof. For $X \in V(G)$ let $Adj(X)$, $Inc(X)$, $degree\_one(X)$ be the following sets: $Adj(X) = \{Y : (X, Y) \in E(G)\}$ is the set of vertices adjacent to $X$; $Inc(X) = \{(X, Y) : (X, Y) \in E(G)\}$ is the set of edges incident to $X$; finally, $degree\_one(X) = \{Y \in Adj(X) : |Inc(Y)| = 1\}$ is the set of vertices adjacent to $X$ with degree 1. We will prove the theorem in the case $|S| = 2^n$; the construction can be easily extended to the general case $|S| = q^n$ and $q \ge 2$.

For a vertex $X \in V(G)$ define $G_X$ as the subgraph of $G$ such that $V(G_X) = \{X\} \cup Adj(X)$ and $E(G_X) = Inc(X)$. The graph $G_X$ is a complete multipartite graph and by Theorem 4.1 there is a secret sharing scheme for $G_X$ with information rate 1. Let $G'$ be the graph with vertices $V(G') = V(G) - (\{X\} \cup degree\_one(X))$ and edge-set $E(G') = E(G) - Inc(X)$. Assume that the secret consists of a single bit. If we use the secret sharing scheme described in Theorem 3.8 of [16] for $G'$, then each vertex in $Adj(X) \cap V(G')$ gets at most $\lceil (d-1)/2\rceil + 1$ bits while all other vertices get at most $\lceil d/2\rceil + 1$ bits. We realize a secret sharing scheme for $G$ by using both the scheme for $G_X$ and the scheme for $G'$.
In the resulting scheme the vertex $X$ receives only one bit, the vertices in $Adj(X) \cap V(G')$ receive at most $\lceil (d-1)/2\rceil + 2$ bits, while all remaining vertices get at most $\lceil d/2\rceil + 1$ bits. Since $d$ is odd, $\lceil (d-1)/2\rceil + 2 = \lceil d/2\rceil + 1$. Therefore, the secret sharing scheme for $G$ described above gives any predetermined vertex only one bit, while all other vertices in $G$ get at most $\lceil d/2\rceil + 1$ bits. Now, assume that the secret consists of $n$ bits. Consider the scheme that distributes each bit of the secret separately, choosing each vertex of $G$ in turn as the predetermined vertex $X$. The resulting secret sharing scheme, for a secret of $n$ bits, gives to each vertex at most $1 + (n-1)(\lceil d/2\rceil + 1)$ bits. The information rate of the scheme is equal to

$$\frac{1}{\lceil d/2\rceil + 1 - \lceil d/2\rceil/n},$$

and the theorem follows.

For a graph $G$ of maximum degree 3, the bound of Theorem 2.1 gives $\rho(G, U_S, \Sigma) = 1/3$ while the bound of Theorem 4.2 gives $\rho(G, U_S, \Sigma) = 1/(3 - 2/n)$. The following theorem gives an improved bound.

Theorem 4.3 Let $G = (V(G), E(G))$ be a graph of maximum degree 3 with $n$ vertices. Then, for any set of secrets $S$ of cardinality $q^2$, with $q \ge n$, there exists a secret sharing scheme $\Sigma$ with information rate $\rho(G, U_S, \Sigma) = 2/5$.

Proof. Consider a partition of the edge set $E(G)$ into cycles $C_1, \ldots, C_r$ and trees $T_1, \ldots, T_m$. Such a partition exists for any graph $G$. Indeed, removing all the cycles from the graph we are left with a forest of connected acyclic graphs. From Theorem 2.2 we know that, for any cycle of length $n \ge 5$ and for any set of secrets $S$ of cardinality $q^2$, with $q \ge n$, there exists a secret sharing scheme with information rate equal to $2/3$. For a secret of $2\log q$ bits, the scheme gives only $3\log q$ bits to all vertices of the cycle. If a cycle has length four then from Theorem 4.1 there exists an ideal secret sharing scheme for any set of secrets $S$ of cardinality $\ge 2$; whereas if a cycle has length three, then from the main theorem of [14] there exists an ideal secret sharing scheme for any set of secrets $S$ of cardinality $\ge 3$. From Theorem 2.1 we know that, for any set of secrets $S$ of cardinality $\ge 2$, there is a secret sharing scheme for any tree with information rate equal to $1/2$. For a secret of $2\log q$ bits, the scheme given in [9] distributes only $2\log q$ bits to the leaves of the tree while all other vertices get $4\log q$ bits. We now realize a secret sharing scheme for $G$ by sharing a secret consisting of $2\log q$ bits separately in each tree $T_1, \ldots, T_m$ and cycle $C_1, \ldots, C_r$. A vertex of $G$ of degree one can only be a leaf of a tree, so it receives $2\log q$ bits. If a vertex has degree two then either it belongs to a cycle, receiving $3\log q$ bits, or it is an internal node of a tree and it receives $4\log q$ bits. If a vertex has degree three then it belongs to a cycle and it is the leaf of a tree, receiving $5\log q$ bits in total. No vertex of the graph can be both an internal vertex of a tree and belong to a cycle; otherwise it would have degree four, contradicting the hypothesis. Thus, we can construct a secret sharing scheme for $G$, giving to each vertex a share of at most $5\log q$ bits for a secret of $2\log q$ bits.
This scheme has information rate $2/5$.

If the number of vertices in the graph $G$ is known, then we can improve on the bound provided by Theorem 4.3 by employing the same technique used in Theorem 4.2. This gives an information rate $\rho(G, U_S, \Sigma) = 2/(5 - c/n)$ for a constant $c > 0$.

Applying the same reasoning of Theorem 4.3 to graphs of odd degree $d$, $d \ge 5$, leads to an information rate $\rho(G, U_S, \Sigma) = 1/(1.5\lfloor d/2\rfloor + 1)$, which is worse than previous constructions.

Regardless of the degree, it is possible to obtain better bounds for trees. We recall that an internal node is a vertex of degree greater than one.

Theorem 4.4 Let $G$ be a tree with $n$ internal vertices. Then for any set of secrets $S$ of cardinality $q^n$, with $q \ge 2$, there exists a secret sharing scheme $\Sigma$ with information rate

$$\rho(G, U_S, \Sigma) = \frac{n}{2n-1}.$$

Proof. We will prove the theorem in the case $|S| = 2^n$; the construction can be easily extended to the general case $|S| = q^n$ and $q \ge 2$. In [9] it was shown how to obtain a secret sharing scheme for any tree with information rate equal to $1/2$. This scheme, for a secret consisting of a single bit, gives one bit to a predetermined vertex $X \in V(G)$ and to all non-internal vertices, whereas each other vertex gets two bits. Assume that the secret consists of $n$ bits. Consider the scheme that distributes each bit of the secret separately, choosing each vertex of $G$ in turn as the predetermined vertex $X$. This scheme, for a secret of $n$ bits, gives to each vertex at most $2(n-1) + 1 = 2n - 1$ bits. Thus

$$\rho(G, U_S, \Sigma) = \frac{n}{2n-1}.$$

If only the number of vertices is known, what can we say on the information rate of a graph $G$? The maximum degree of $G$ can be as bad as $n - 1$. Thus, the bound of [16] gives $\rho^*(G) \ge 1/(\lceil (n-1)/2\rceil + 1)$, while the bound of Theorem 4.2 gives $\rho^*(G) \ge 1/(\lceil (n-1)/2\rceil + 1 - \lceil (n-1)/2\rceil/n)$, if $n$ is even.

In this last part of the paper we present general lower bounds on the optimal information rate and optimal average information rate for any graph $G$ with $n$ vertices. The lower bounds are obtained by using known results on the covering of the edges of a graph by means of complete bipartite graphs.

Tuza [46] proved that the edge-set of an arbitrary graph $G$ can be covered by complete bipartite subgraphs $G_1(V(G_1), E(G_1)), \ldots, G_T(V(G_T), E(G_T))$ such that

$$\sum_{i=1}^{T} |V(G_i)| \le \frac{3n^2}{2\log n} + o\!\left(\frac{n^2}{\log n}\right).$$

We now use again Theorem 4.1, namely that there exists a secret sharing scheme for each $G_i$ with information rate equal to 1. We can construct a secret sharing scheme for $G$ by sharing the secret separately in each $G_i$. In this way we need to generate a total of $3n^2/(2\log n) + o(n^2/\log n)$ shares, each of them of the same size as the secret. Thus, we get that the average size of a share given to any participant is less than $3n/(2\log n) + o(n/\log n)$. Therefore, we get that the optimal average information rate for any graph $G$ with $n$ vertices is greater than $n$ times the inverse of $3n^2/(2\log n) + f(n)$, where $|f(n)| < \epsilon n^2/\log n$, for all $\epsilon > 0$ and sufficiently large $n$. Thus, the average information rate is greater than $2\log n/(3n) + g(n)$, where $|g(n)| \le \bigl(2\epsilon/(3(\epsilon + 3/2))\bigr)\log n/n$.

Feder and Motwani [23] proved that the problem of partitioning the edges of a graph $G$ into complete bipartite graphs such that the sum of the cardinalities of their vertex sets is minimized is NP-complete.
However, they proved that the edge set of a graph $G = (V, E)$, with $|V| = n$ and $|E| = m$, can be partitioned into complete bipartite graphs with sum of the cardinalities of their vertex sets $O\!\left(\frac{m\log(n^2/m)}{\log n}\right)$, and presented an efficient algorithm to compute such a partition. Using their result and again sharing the secret in each complete bipartite graph with Brickell and Davenport's algorithm, it follows that there is a secret sharing scheme with average information rate at least $\Omega\!\left(\frac{n\log n}{m\log(n^2/m)}\right)$.

Finally, we recall a result of Erdős and Pyber [22] (see also [36]) which states that the edges of a graph $G$ with $n$ vertices can be partitioned into complete bipartite graphs such that each vertex of $G$ is contained in at most $O(n/\log n)$ complete bipartite graphs. This result, together with Theorem 4.1, directly implies that the optimal information rate of $G$ is

$$\rho^*(G) = \Omega\!\left(\frac{\log n}{n}\right).$$

These results can be summarized in the following theorem.

Theorem 4.5 Let $G$ be a graph with $n$ vertices and $m$ edges. Then, for any set of secrets $S$ of cardinality $q \ge 2$ there exist secret sharing schemes $\Sigma_1$ and $\Sigma_2$ with average information rate

$$\tilde\rho(G, U_S, \Sigma_1) > \frac{2\log n}{3n} + o\!\left(\frac{\log n}{n}\right)$$

and

$$\tilde\rho(G, U_S, \Sigma_2) = \Omega\!\left(\frac{n\log n}{m\log(n^2/m)}\right),$$

respectively. Moreover, there exists a secret sharing scheme $\Sigma_3$ with information rate

$$\rho(G, U_S, \Sigma_3) = \Omega\!\left(\frac{\log n}{n}\right).$$
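The covering construction behind Theorem 4.5, as an added example that is not code from the paper: the secret is shared separately in each complete bipartite subgraph with the $Z_q$ scheme of Theorem 4.1, and the script computes the resulting information rate and average information rate and exhaustively checks reconstruction and perfect privacy. The 5-cycle, both covers and all function names are constructed for illustration.

```python
import secrets
from collections import Counter
from fractions import Fraction
from itertools import combinations, product

# Constructed example: the 5-cycle A-B-C-D-E-A and a cover of its edges by
# three complete bipartite subgraphs, each given as its two parts (V1, V2).
VERTICES = "ABCDE"
EDGES = {frozenset(e) for e in ("AB", "BC", "CD", "DE", "EA")}
COVER = [("B", "AC"), ("D", "CE"), ("A", "E")]
# Faulty cover: its third subgraph also joins A and C, which is not an edge.
BAD_COVER = [("B", "AC"), ("D", "CE"), ("A", "EC")]


def cover_edges(cover):
    """Edges realised by the complete bipartite subgraphs of the cover."""
    return {frozenset((x, y)) for v1, v2 in cover for x in v1 for y in v2}


def deal(cover, s, q, alphas=None):
    """Share s in Z_q separately in each subgraph with the Theorem 4.1 scheme.

    Returns {participant: {subgraph index: (part, value)}}.
    """
    if alphas is None:  # fresh, independent randomness per subgraph
        alphas = [secrets.randbelow(q) for _ in cover]
    shares = {}
    for i, ((v1, v2), alpha) in enumerate(zip(cover, alphas)):
        beta = (s - alpha) % q  # s = alpha + beta mod q
        for x in v1:
            shares.setdefault(x, {})[i] = (1, alpha)
        for y in v2:
            shares.setdefault(y, {})[i] = (2, beta)
    return shares


def reconstruct(share_x, share_y, q):
    """Return s if both hold sub-shares from opposite parts of one subgraph."""
    for i in share_x.keys() & share_y.keys():
        (part_x, a), (part_y, b) = share_x[i], share_y[i]
        if part_x != part_y:
            return (a + b) % q
    return None


def rates(cover, vertices):
    """(information rate, average information rate) of the composed scheme."""
    load = Counter(x for v1, v2 in cover for x in v1 + v2)
    return (Fraction(1, max(load.values())),
            Fraction(len(vertices), sum(load.values())))


def is_private(cover, group, q):
    """True if the group's joint view is identically distributed for all s."""
    dists = []
    for s in range(q):
        views = Counter()
        for alphas in product(range(q), repeat=len(cover)):
            sh = deal(cover, s, q, alphas)
            views[tuple(tuple(sorted(sh.get(p, {}).items())) for p in group)] += 1
        dists.append(views)
    return all(d == dists[0] for d in dists)


def check_scheme(cover, vertices, edges, q):
    """Edges must recover every secret; independent sets must learn nothing."""
    if cover_edges(cover) != edges:
        return False  # an edge is missing, or a non-edge became qualified
    for s in range(q):
        sh = deal(cover, s, q)
        if any(reconstruct(sh[x], sh[y], q) != s for x, y in map(tuple, edges)):
            return False
    for r in range(1, len(vertices) + 1):
        for group in combinations(vertices, r):
            independent = not any(e <= set(group) for e in edges)
            if independent and not is_private(cover, group, q):
                return False
    return True


if __name__ == "__main__":
    print(rates(COVER, VERTICES))                   # rate and average rate
    print(check_scheme(COVER, VERTICES, EDGES, 3))  # correctness and privacy
    print(is_private(BAD_COVER, ("A", "C"), 3))     # non-edge A, C leaks s
```

A vertex lying in several subgraphs holds one $\log q$-bit sub-share per subgraph, so the information rate is the inverse of the largest such count and the average information rate is $n$ divided by $\sum_i |V(G_i)|$, as in the argument above.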

5 Comments

Since this paper was submitted in November 1992, some of the results in it have been improved. We briefly summarize some of these improvements now. Recently, using the information theoretic methods developed by the authors, Csirmaz [19] proved that there exists an access structure on $n$ participants whose information rate is upper bounded by $\log n/n$; whereas van Dijk [21] proved the existence of a graph-based access structure on $n$ participants whose average information rate is upper bounded by $2/\log n$. It is proved in [44, Theorem 5.2] that the information rate for a graph on $n$ vertices and maximum degree $d$ is at least $2/(d+1)$. This improves Theorems 4.2 and 4.3 for connected graphs. In [13] a construction technique is proposed to produce classes of access structures with information rate bounded away from 1.

Finally, we mention that in the paper [11] it has been proved that if a secret sharing scheme $\Sigma$ for the access structure $\mathcal{A}$ is perfect when one assumes a given probability distribution on the set of secrets, then $\Sigma$ is perfect for any probability distribution on the set of secrets. It is also proved that for any access structure $\mathcal{A}$, if $X \cup Y \in \mathcal{A}$ but $Y \notin \mathcal{A}$ then $H(X) \ge \log|S| + H(X|YS)$. This last result allows one to directly derive lower bounds on the size of shares in secret sharing schemes without the necessity of resorting to the case in which the probability distribution on the set of secrets is uniform.

Acknowledgments

We are indebted to professor Capocelli for his constant encouragement and support. We would like to dedicate this paper to his memory as a sign of appreciation and love.

We would like to thank L. Pyber for providing us reference [36] and A. Marchetti-Spaccamela and E. Feuerstein for bringing to our attention reference [23]. Finally, we would like to thank the anonymous referees for their useful comments and suggestions that made the paper more readable.

References

[1] A. Beutelspacher, How to Say 'No', in "Advances in Cryptology - EUROCRYPT 89", Quisquater and Vandewalle Eds., "Lecture Notes in Computer Science", Vol. 434, Springer-Verlag, Berlin, pp. 491-496, 1990.
[2] J. C. Benaloh and J. Leichter, Generalized Secret Sharing and Monotone Functions, in "Advances in Cryptology - CRYPTO 88", S. Goldwasser Ed., "Lecture Notes in Computer Science", Vol. 403, Springer-Verlag, Berlin, pp. 27-35, 1985.
[3] G. R. Blakley, Safeguarding Cryptographic Keys, Proceedings AFIPS 1979 National Computer Conference, pp. 313-317, June 1979.
[4] B. Blakley, G. R. Blakley, A. H. Chan, and J. L. Massey, Threshold Schemes with Disenrollment, in "Advances in Cryptology - CRYPTO '92", "Lecture Notes in Computer Science", Vol. 740, E. Brickell Ed., Springer-Verlag, Berlin, pp. 546-554, 1993.
[5] C. Blundo, Secret Sharing Schemes for Access Structures based on Graphs, Tesi di Laurea, University of Salerno, Italy, 1991, (in Italian).
[6] C. Blundo, A. Cresti, A. De Santis, and U. Vaccaro, Fully Dynamic Secret Sharing Schemes, in "Advances in Cryptology - CRYPTO 93", D. R. Stinson Ed., "Lecture Notes in Computer Science", Vol. 773, Springer-Verlag, Berlin, pp. 126-135, 1994.

[7] C. Blundo, A. De Santis, G. Di Crescenzo, A. Giorgio Gaggia, and U. Vaccaro, Multi-Secret Sharing Schemes, in "Advances in Cryptology - CRYPTO 94", Y. Desmedt Ed., "Lecture Notes in Computer Science", Vol. 839, Springer-Verlag, Berlin, pp. 150-163, 1994.
[8] C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, Secret Sharing Schemes with Veto Capabilities, in "Proceedings of the French-Israeli Workshop in Algebraic Coding", C. Cohen, S. Litsyn, A. Lobstein, and G. Zémor Eds., "Lecture Notes in Computer Science", Vol. 781, Springer-Verlag, Berlin, pp. 82-89, 1994.
[9] C. Blundo, A. De Santis, D. R. Stinson, and U. Vaccaro, Graph Decomposition and Secret Sharing Schemes, in "Advances in Cryptology - EUROCRYPT '92", R. Rueppel Ed., "Lecture Notes in Computer Science", Vol. 658, Springer-Verlag, Berlin, pp. 1-24, 1993. To appear in Journal of Cryptology.
[10] C. Blundo, A. De Santis, and U. Vaccaro, Efficient Sharing of Many Secrets, "Proceedings of STACS '93 (10th Symp. on Theoretical Aspects of Computer Science)", P. Enjalbert, A. Finkel, K. W. Wagner Eds., "Lecture Notes in Computer Science", Vol. 665, Springer-Verlag, Berlin, pp. 692-703, 1993.
[11] C. Blundo, A. De Santis, and U. Vaccaro, manuscript in preparation.
[12] C. Blundo, A. De Santis, and U. Vaccaro, Randomness in Distribution Protocols, to appear in "21st International Colloquium on Automata, Languages and Programming" (ICALP '94), Serge Abiteboul and Eli Shamir Eds., "Lecture Notes in Computer Science".
[13] C. Blundo, A. De Santis, A. Giorgio Gaggia, and U. Vaccaro, New Bounds on the Information Rate of Secret Sharing Schemes, IEEE Transactions on Information Theory, Vol. 41, 1995.
[14] E. F. Brickell and D. M. Davenport, On the Classification of Ideal Secret Sharing Schemes, Journal of Cryptology, Vol. 4, pp. 123-134, 1991.
[15] E. F. Brickell and D. R. Stinson, The Detection of Cheaters in Threshold Schemes, SIAM J. on Discrete Math., Vol. 4, pp. 502-510, 1991.
[16] E. F. Brickell and D. R. Stinson, Some Improved Bounds on the Information Rate of Perfect Secret Sharing Schemes, Journal of Cryptology, Vol. 5, pp. 153-166, 1992.
[17] R. M. Capocelli, A. De Santis, L. Gargano, and U. Vaccaro, On the Size of Shares for Secret Sharing Schemes, Journal of Cryptology, Vol. 6, pp. 157-168, 1993.
[18] M. Carpentieri, A. De Santis, and U. Vaccaro, Size of Shares and Probability of Cheating in Threshold Schemes, in "Advances in Cryptology - EUROCRYPT '93", T. Helleseth Ed., "Lecture Notes in Computer Science", Vol. 765, Springer-Verlag, Berlin, pp. 118-125, 1994.
[19] L. Csirmaz, The Size of a Share Must be Large, to appear in "Advances in Cryptology - EUROCRYPT '94", A. De Santis Ed., "Lecture Notes in Computer Science", Springer-Verlag, Berlin.
[20] I. Csiszár and J. Körner, Information Theory. Coding Theorems for Discrete Memoryless Systems, Academic Press, 1981.
[21] M. van Dijk, On the Information Rate of Perfect Secret Sharing Schemes, Preprint, 1994.
[22] P. Erdős and L. Pyber, unpublished.
[23] T. Feder and R. Motwani, Clique Partition, Graph Compression and Speeding-up Algorithms, Proceedings of the 23rd Annual ACM Symposium on Theory of Computing, New Orleans, pp. 123-133, 1991.
[24] R. G. Gallager, Information Theory and Reliable Communications, John Wiley & Sons, New York, NY, 1968.

[25] M. Garey and D. Johnson, Computers and Intractability: a Guide to the Theory of NP-Completeness, W. H. Freeman & Co., New York, 1979.
[26] I. Ingemarsson and G. J. Simmons, A Protocol to Set up Shared Secret Schemes Without the Assistance of a Mutually Trusted Party, in "Advances in Cryptology - CRYPTO 90", Menezes and Vanstone Eds., "Lecture Notes in Computer Science", Vol. 473, Springer-Verlag, Berlin, pp. 266-282, 1991.
[27] M. Ito, A. Saito, and T. Nishizeki, Secret Sharing Scheme Realizing General Access Structure, Proc. IEEE Global Telecommunications Conf., Globecom 87, Tokyo, Japan, 1987.
[28] W.-A. Jackson, K. M. Martin, and C. M. O'Keefe, Multisecret Threshold Schemes, in "Advances in Cryptology - CRYPTO '93", D. R. Stinson Ed., "Lecture Notes in Computer Science", Vol. 773, Springer-Verlag, Berlin, pp. 126-135, 1994.
[29] E. D. Karnin, J. W. Greene, and M. E. Hellman, On Secret Sharing Systems, IEEE Trans. on Inform. Theory, vol. IT-29, no. 1, pp. 35-41, Jan. 1983.
[30] D. E. Knuth and A. C. Yao, The Complexity of Nonuniform Random Number Generation, in "Algorithms and Complexity", J. F. Traub Ed., Academic Press, pp. 357-428, 1976.
[31] S. C. Kothari, Generalized Linear Threshold Schemes, in "Advances in Cryptology - CRYPTO 84", G. R. Blakley and D. Chaum Eds., "Lecture Notes in Computer Science", Vol. 196, Springer-Verlag, Berlin, pp. 231-241, 1985.
[32] R. J. McEliece and D. V. Sarwate, On Sharing Secrets and Reed-Solomon Codes, Communications of the ACM, Vol. 24, 583-584, 1981.
[33] K. M. Martin, Discrete Structures in the Theory of Secret Sharing, PhD Thesis, University of London, 1991.
[34] K. M. Martin, New Secret Sharing Schemes from Old, Journal of Combin. Math. and Combin. Comput., Vol. 14, pp. 65-77, 1993.
[35] M. Naor and A. Shamir, Visual Cryptography, to appear in "Advances in Cryptology - Eurocrypt '94", A. De Santis Ed., Lecture Notes in Computer Science, Springer-Verlag, Berlin.
[36] L. Pyber, Covering the Edges of a Graph by ..., in Sets, Graphs and Numbers, Colloquia Mathematica Soc. János Bolyai, L. Lovász, D. Miklós, T. Szőnyi, Eds., North-Holland, pp. 583-610, 1992.
[37] T. Rabin and M. Ben-Or, Verifiable Secret Sharing and Multiparty Protocols with Honest Majority, Proc. 21st ACM Symp. on Theory of Computing, pp. 73-85, 1989.
[38] A. Shamir, How to Share a Secret, Communications of the ACM, vol. 22, n. 11, pp. 612-613, Nov. 1979.
[39] G. J. Simmons, Robust Shared Secret Schemes or 'How to be Sure you Have the Right Answer Even Though you don't Know the Question', Congressus Numer., Vol. 68, pp. 215-248, 1989.
[40] G. J. Simmons, Prepositioned Shared Secret and/or Shared Control Schemes, in "Advances in Cryptology - CRYPTO '89", "Lecture Notes in Computer Science", Vol. 434, Springer-Verlag, Berlin, pp. 436-467, 1990.
[41] G. J. Simmons, An Introduction to Shared Secret and/or Shared Control Schemes and Their Application, Contemporary Cryptology, IEEE Press, pp. 441-497, 1991.
[42] D. R. Stinson, An Explication of Secret Sharing Schemes, Designs, Codes and Cryptography, Vol. 2, pp. 357-390, 1992.

[43] D. R. Stinson, New General Lower Bounds on the Information Rate of Secret Sharing Schemes, in "Advances in Cryptology - CRYPTO '92", E. Brickell, Ed., "Lecture Notes in Computer Science", Vol. 740, Springer-Verlag, Berlin, pp. 170-184, 1993.
[44] D. R. Stinson, Decomposition Constructions for Secret Sharing Schemes, IEEE Trans. Inform. Theory, Vol. 40, pp. 118-125, 1994.
[45] M. Tompa and H. Woll, How to Share a Secret with Cheaters, Journal of Cryptology, Vol. 1, pp. 133-138, 1988.
[46] Z. Tuza, Covering of Graphs by Complete Bipartite Subgraphs; Complexity of 0-1 matrices, Combinatorica, vol. 4, n. 1, pp. 111-116, 1984.


Appendix A

In this appendix we review the basic concepts of Information Theory we will use. For a complete treatment of the subject the reader is advised to consult [20] and [24]. We will also recall some basic terminology from Graph Theory.

Given a probability distribution $\{p(x)\}_{x \in X}$ on a set $X$, we define the entropy of $X$, $H(X)$, as

$$H(X) = -\sum_{x \in X} p(x)\log p(x)$$

(all logarithms in this paper are of base 2). The entropy $H(X)$ is a measure of the average uncertainty one has about which element of the set $X$ has been chosen when the choices of the elements from $X$ are made according to the probability distribution $\{p(x)\}_{x \in X}$. The entropy satisfies the following property

$$0 \le H(X) \le \log|X|, \qquad (2)$$

where $H(X) = 0$ if and only if there exists $x_0 \in X$ such that $p(x_0) = 1$; $H(X) = \log|X|$ if and only if $p(x) = 1/|X|$, for all $x \in X$.

Given two sets $X$ and $Y$ and a joint probability distribution $\{p(x, y)\}_{x \in X, y \in Y}$ on their cartesian product, the conditional entropy $H(X|Y)$ is defined as

$$H(X|Y) = -\sum_{y \in Y}\sum_{x \in X} p(y)\,p(x|y)\log p(x|y).$$

From the definition of conditional entropy it is easy to see that

$$H(X|Y) \ge 0. \qquad (3)$$

If we have $n + 1$ sets $X_1, \ldots, X_n, Y$, the entropy of $X_1 \ldots X_n$ given $Y$ can be expressed as

$$H(X_1 \ldots X_n|Y) = H(X_1|Y) + H(X_2|X_1Y) + \cdots + H(X_n|X_1 \ldots X_{n-1}Y). \qquad (4)$$

The mutual information $I(X; Y)$ between $X$ and $Y$ is defined by $I(X; Y) = H(X) - H(X|Y) = H(Y) - H(Y|X)$; since it is always non negative one gets

$$H(X) \ge H(X|Y). \qquad (5)$$

Given $n + 2$ sets $X, Y, Z_1, \ldots, Z_n$ and a joint probability distribution on their cartesian product, the conditional mutual information $I(X; Y|Z_1, \ldots, Z_n)$ between $X$ and $Y$ given $Z_1, \ldots, Z_n$ can be written as

$$I(X; Y|Z_1, \ldots, Z_n) = H(X|Z_1, \ldots, Z_n) - H(X|Z_1, \ldots, Z_nY).$$

Since the conditional mutual information is always non negative we get

$$H(X|Z_1, \ldots, Z_n) \ge H(X|Z_1, \ldots, Z_nY). \qquad (6)$$

We now present some basic terminology from graph theory. A graph $G = (V(G), E(G))$ consists of a finite non empty set of vertices $V(G)$ and a set of edges $E(G) \subseteq V(G) \times V(G)$.
Graphs do not have loops or multiple edges. We consider only undirected graphs. In an undirected graph the pair of vertices representing any edge is unordered. Thus, the pairs $(X, Y)$ and $(Y, X)$ represent the same edge. To avoid overburdening the notation we often describe a graph $G$ by the list of all edges $E(G)$. We will use interchangeably $(X, Y)$ and $XY$ to denote the edge joining the vertices $X$ and $Y$. $G$ is connected if any two vertices are joined by a path. The complete graph $K_n$ is the graph on $n$ vertices in which any two vertices are joined by an edge. The complete multipartite graph $K_{n_1, n_2, \ldots, n_t}$ is a graph on $\sum_{i=1}^{t} n_i$ vertices, in which the vertex set is partitioned into subsets of cardinality $n_i$ ($1 \le i \le t$) called parts, such that $XY$ is an edge if and only if $X$ and $Y$ are in different parts. If $G$ is a graph, then the graph $G_1$ is said to be a subgraph of $G$ if $V(G_1) \subseteq V(G)$ and $E(G_1) \subseteq E(G)$.

Appendix B

In this appendix we analyze all graphs which have optimal information rate less than $2/3$ according to Theorem 3.3. The schemes for these graphs are obtained by using the Multiple Construction Technique [9] based on complete multipartite coverings of the graph. The optimal information rate is not greater than $3/5$ and the optimal average information rate is less than or equal to $3/4$ for all graphs from Theorem 3.3. All these results are summarized in Table 1, and the first CMC of each graph gives the scheme with the average information rate shown in Table 1. Below are depicted some of the minimal CMCs for 5 graphs on 6 vertices.

[Figures: the graphs $G_1$, $G_2$, $G_3$, $G_4$ and $G_5$ on the vertices $A, B, C, D, E, F$, each with some of its minimal CMCs.]

Table 1: Information Rate and Average Information Rate

| Graph | Information Rate | Average Information Rate |
|---|---|---|
| $G_1, G_2, G_3, G_4$ | $\rho^* = 3/5$ | $\tilde\rho^* = 3/4$ |
| $G_5$ | $\rho^* = 3/5$ | $2/3 \le \tilde\rho^* \le 3/4$ |