C. Blundo, A. De Santis, L. Gargano, U. Vaccaro. On the information rate of secret sharing schemes. Advances in Cryptology - CRYPTO'92, Lecture Notes in Comput. Sci. 740 148--167.  Home/Search   Document Details and Download   Summary   Related Articles   Check

....one cannot apply simple counting arguments to show that this must indeed be the case. In fact, given the current knowledge, one cannot even rule out the possibility that all access structures can be efficiently realized. Several lower bounds on the share size of secret sharing were obtained [23, 16, 31, 28, 27]. The strongest current bound log n) 27] This bound applies to an explicit access structure. However, as noted above, there is a huge gap between these lower bounds and the best known upper bounds. 1.1 Linear vs. Nonlinear Secret Sharing Most previously known secret sharing schemes were ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. Theoretical Computer Science, 154(2):283--306, 1996.

....j denotes the size of the share of participant P i [Karnin et al. 82] Capocelli at el. 93] Kurosawa, Okada 96] More tight lower bounds of jV i j such that jV i j jSj which depend on the access structure have also been presented [Capocelli at el. 93] Blundo at el. 92b] Brickell, Stinson 92] Blundo at el. 92a] Stinson 92] This result means that every participants must hold very large information keeping secret. It will cost them much. If share size can be reduced then each participant save costs or obtains higher security with same cost. So, it is desired jV i j is as small as possible. We emphasize ....

....93] Kurosawa et al. proved that [Kurosawa, Okada 96] jV i j jSj (3) for any PSS. This is a more tight bound than eq. 2) because log 2 jSj H(S) For PSSs with certain Gamma s, more tight lower bounds on jV i j than eq. 3) is known [Capocelli at el. 93] Blundo at el. 92b] Brickell, Stinson 92] Blundo at el. 92a] Stinson 92] McEliece and Sarwate [McEliece, Sarwate 81] showed that Shamir s (k; n) threshold secret sharing scheme [Shamir 79] is closely related to Reed Solomon codes. A (d; k; n) ramp scheme is an NSS such that Gamma 1 = fA V j jAj kg; Gamma 2 = fB V j k Gamma d jBj kg; ....

Blundo, C., De Santis, A., Gargano, L., Vaccaro, U.: "On the information rate of secret sharing schemes"; Proc. of Crypto'92, Lecture Notes on Comput. Sci., 740, Springer Verlag (1992) 148--167

....to an edge if jAj = 2. It corresponds to a point if jAj = 1. We say that Gamma is a graphical access structure if Gamma is represented as a graph in this way. Gamma = ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 3 ; P 4 gg is a graphical access structure. Blundo, De Santis, Gargano, and Vaccaro [10] showed another lower bound on jV i j for another graphical access structure on P = fP 1 ; P 2k 2 g (k 1) such as follows: if Gamma = f fP 1 ; P 2 g; fP 2 ; P 3 g; fP 2 ; P 4 g; fP 2 ; P k 2 g; fP 3 ; P k 3 g; fP 4 ; P k 4 g; fP k 2 ; P 2k 2 gg, then max i log jV i j ....

....fP 1 ; P 3 ; P 4 gg, ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 1 ; P 3 ; P 4 gfP 2 ; P 4 gg, then log jV 2 j log jV 3 j = 3 log jSj. Also, there exists a PSS for the above Gamma which holds that log jV 2 j = log jV 3 j = 1:5 log jSj, for the first and the second structures. Proposition 2. 8: [10] P = fP 1 ; P 2k 2 g (k = 1) If Gamma = ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 2 ; P 4 g; fP 2 ; P k 2 g; fP 3 ; P k 3 g; fP 4 ; P k 4 g; fP k 2 ; P 2k 2 gg, then max i log jV i j = 2k 1) k 1) log jSj for P i 2 P . 2.2 Entropy In this section, we review information ....

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro, "On the information rate of secret sharing schemes", Proc. of Crypto'92, Lecture Notes in Computer Science, 740, Springer Verlag, pp. 149--169, 1993.

....have been introduced in [4, 7, 18] in order to construct secret sharing schemes for some families of access structures, which provide lower bounds on the optimal information rate. Upper bounds have been found for several particular access structures by using some tools from Information Theory [2, 3, 8]. A general method to nd upper bounds was given in [2] and was generalized in [14] Nevertheless, both problems are far to be solved. There are some important open questions about the characterization of ideal access structures, and there exists a wide gap between the best known upper and lower ....

....on the optimal information rate for most access structures. Due to the diculty of nding a general solution, those problems have been studied in several particular classes of access structures: access structures on sets of four [17] and ve [12] participants, access structures de ned by graphs [2, 3, 4, 6, 7, 8, 18], bipartite access structures [14] and access structures with three or four minimal quali ed subsets [13] The ideal access structures in all these families have been completely characterized. The optimal information rate of almost all access structures on a set of at most ve participants has ....

[Article contains additional citation context not shown here]

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro. On the information rate of secret sharing schemes. Advances in Cryptology CRYPTO'92. Lecture Notes in Computer Science. 740, 148-167.

....and IV I denotes the size of the share of participant Pi [Karnin et al. 82] Capocelli at el. 93] Kurosawa, Okada 96] More tight lower bounds of IV I such that IV I which depend on the access structure have also been presented [Capocelli at el. 93] Blundo at el. 92b] Brickell, Stinson 92] Blundo at el. 92a] Stinson 92] This re suit means that every participants must hold very large information keeping secret. It will cost them much. If share size can be reduced then each participant save costs or obtains higher security with same cost. So, it is desired IV I is as small as possible. We emphasize ....

....PSS [Capocelli at el. 93] Kurosawa et al. proved that [Kurosawa, Okada 96] Il I l (3) for any PSS. This is a more tight bound than eq. 2) because log For PSSs with certain Fs, more tight lower bounds on Il than eq. 3) is known [Capocelli at el. 93] Blundo at el. 92b] Brickell, Stinson 92] Blundo at el. 92a] Stinson 92] McEliece and Sarwate [McEliece, Sarwate 81] showed that Shamir s (k, n) threshold secret sharing scheme [Shamir 79] is closely related to Reed Solomon codes. A (d, k, n) ramp scheme is an NSS such that rl: far V IIAI r2: B c V I d IBI F3: C c V I lCl d) ....

Blundo, C., De Santis, A., Gargano, L., Vaccaro, U.: "On the information rate of secret sharing schemes"; Proc. of Crypro'92, Lecture Notes on Cornput. Sci., 740, Springer Verlag (1992) 148-167

....have been introduced in [4, 7, 16] in order to construct secret sharing schemes for some families of access structures, which provide lower bounds on the optimal information rate. Upper bounds have been found for several particular access structures by using some tools from Information Theory [2, 3, 8]. 2 A general method to nd upper bounds was given in [2] and was generalized in [12] Nevertheless, both problems are far to be solved. There are some important open questions about the characterization of ideal access structures, and there exists a wide gap between the best known upper and ....

....access structures. Due to the diculty of nding a general solution, those problems have been studied in several particular classes of access structures: access structures on a set of four participants [15] access structures on a set of ve participants [11] access structures de ned by graphs [2, 3, 4, 6, 7, 8, 16]; and bipartite access structures [12] The ideal access structures in all these families have been completely characterized. The optimal information rate of almost all access structures on a set of at most ve participants has been determined. Bounds on the optimal information rate, which are ....

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro. On the information rate of secret sharing schemes. Advances in Cryptology CRYPTO'92. Lecture Notes in Computer Science. 740, 148-167.

....The question whether there exist more efficient schemes, or if there exists a Boolean function that does not have (space ) efficient schemes is open. This problem is one of the most important open problems concerning secret sharing. Some weak lower bounds on the length of the shares were proved in [15, 2, 7, 9, 6, 20, 10]. The best lower bound was proved by Csirmaz [11] His proof shows that for every m there exists a Boolean function with m variables for which, in every secret sharing scheme, the sum of the lengths of the shares is Omega Gamma m = log m) times the length of the secret (for every finite set of ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the Information Rate of Secret Sharing Schemes. In E. F. Brickell, editor, Advances in Cryptology - CRYPTO '92 Proceedings, Lecture Notes in Computer Science 740, ((Springer-Verlag 1993) 148-- 167.

....one cannot apply simple counting arguments to show that this must indeed be the case. In fact, given the current knowledge, one cannot even rule out the possibility that all access structures can be efficiently realized. Several lower bounds on the share size of secret sharing were obtained [22, 15, 30, 27, 26]. The strongest current bound is n 2 = log n) 26] This bound applies to an explicit access structure. However, as noted above, there is a huge gap between these lower bounds and the best known upper bounds. 1.1 Linear vs. Nonlinear Secret Sharing Most previously known secret sharing ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. Theoretical Computer Science, 154(2):283--306, 1996.

....size of fragments for each participant (i.e. the maximum quantity of information that must be given to any participant) then a worst case measure of the maximum of H(G i ) over all P i 2 P naturally arises. Analogously to definition of information rate for secret sharing schemes presented in [2], we give the following definition. Definition 4. We define the information rate of an information dispersal algorithm Sigma for the access structure A, when the probability distribution on the set of files F is Pi F , as (A; Pi F ; Sigma ) H(F ) maxfH(G i ) 1 i ng : The ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, in "Advances in Cryptology - CRYPTO 92", Ed. E. Brickell, "Lecture Notes in Computer Science", Vol. 740, E. Brickell Ed., SpringerVerlag, pp. 149--169, 1993.

....a scheme an ideal scheme. Ideal schemes have been studied extensively; see for example [4, 5, 11, 9, 12] In the cases where ideal schemes do not exist, the objective is to construct a scheme with (average) information rate as close to one as possible. Research in this direction can be found in [6, 7, 2, 16, 10, 3, 17]. 1.2 Graph Access Structures The situation that has been studied the most is when the basis consists of the edges of a graph (i.e. the access structure has rank two) see [6, 2, 7, 3, 17] for example. If G is a graph, then we will denote the vertex set of G by V (G) and the edge set by E(G) ....

....(average) information rate as close to one as possible. Research in this direction can be found in [6, 7, 2, 16, 10, 3, 17] 1. 2 Graph Access Structures The situation that has been studied the most is when the basis consists of the edges of a graph (i.e. the access structure has rank two) see [6, 2, 7, 3, 17], for example. If G is a graph, then we will denote the vertex set of G by V (G) and the edge set by E(G) For a vertex v 2 V (G) the neighbourhood of v, denoted by N(v) consists of all vertices w such tath vw 2 E(G) If V 1 V (G) then the induced subgraph G[V 1 ] is defined to have vertex ....

[Article contains additional citation context not shown here]

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. Presented at CRYPTO '92.

....bound of the size of V i . Let jXj denotes the bit length of X. For simplicity, assume that S is uniformly distributed. Then, 10] showed that jV i j jSj for any PSS by extending the technique of [13] More tight lower bounds of jV i j which depend on the access structure have also been shown [10, 6, 9, 5, 15]. 3) The third question is what happens if jV i j = jSj. A PSS is called ideal if jV i j = jSj for all i. 8] characterized ideal PSSs in terms of a matroid. It is important that jV i j is as small as possible because, otherwise, the security of the system degrades. However, as mentioned in (2) ....

C.Blundo, A.De Santis, L.Gargano, U.Vaccaro, On the information rate of secret sharing schemes, Proceedings of Crypto'92, Lecture Notes on Comput. Sci., 740 (1992) 148--167

....edge if jAj = 2. It corresponds to a point if jAj = 1. We say that Gamma is a graphical access structure if Gamma Gamma is represented as a graph in this way. Gamma Gamma = ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 3 ; P 4 gg is a graphical access structure. Blundo, De Santis, Gargano, and Vaccaro [10] showed another lower bound on jV i j for another graphical access structure on P = fP 1 ; P 2k 2 g (k = 1) such as follows: if Gamma Gamma = f fP 1 ; P 2 g; fP 2 ; P 3 g; fP 2 ; P 4 g; fP 2 ; P k 2 g; fP 3 ; P k 3 g; fP 4 ; P k 4 g; fP k 2 ; P 2k 2 gg, then max i ....

.... Gamma Gamma = ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 1 ; P 3 ; P 4 gfP 2 ; P 4 gg, then log jV 2 j log jV 3 j = 3 log jSj. Also, there exists a PSS for the above Gamma Gamma which holds that log jV 2 j = log jV 3 j = 1:5 log jSj, for the first and the second structures. Proposition 2. 8: [10] P = fP 1 ; P 2k 2 g (k = 1) If Gamma Gamma = ffP 1 ; P 2 g; fP 2 ; P 3 g; fP 2 ; P 4 g; fP 2 ; P k 2 g; fP 3 ; P k 3 g; fP 4 ; P k 4 g; fP k 2 ; P 2k 2 gg, then max i log jV i j = 2k 1) k 1) log jSj for P i 2 P . 2.2 Entropy In this section, we review ....

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro, "On the information rate of secret sharing schemes", Proc. of Crypto'92, Lecture Notes in Computer Science, 740, Springer Verlag, pp. 149--169, 1993.

....in the access structure and the domain of secrets is S, then the domain of shares is of cardinality jSj (2 n ) The question is if there are more efficient schemes, or are most access structures not efficient and require large shares. Attempts to prove such lower bounds can be found in [7, 4, 11]. The best lower bound that was proved is jSj 2 Gammaffl for any constant ffl 0 [4] Let us focus on one approach to prove such lower bounds, and show that it fails. The secret sharing scheme of [1] uses a monotone formula, that describes the access structure, to build a secret sharing scheme. ....

....jSj (2 n ) The question is if there are more efficient schemes, or are most access structures not efficient and require large shares. Attempts to prove such lower bounds can be found in [7, 4, 11] The best lower bound that was proved is jSj 2 Gammaffl for any constant ffl 0 [4]. Let us focus on one approach to prove such lower bounds, and show that it fails. The secret sharing scheme of [1] uses a monotone formula, that describes the access structure, to build a secret sharing scheme. If the formula is of length L and the domain of secrets is S, then the domain of ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the Information Rate of Secret Sharing Schemes. In Advances in Cryptology - CRYPTO '92 proceeding, 1992.

.... PW95] Secret sharing: Secret sharing was originally suggested for threshold access structures by Shamir and Blakely [Sha79, Bla79] It was extended to arbitrary access structures in [ISN87] The issue of efficiency (i.e. share sizes) of such schemes has been considered in several papers (cf. [BD90, BDGV92, BC92]) Schemes suggested in [BL88] for structures represented by monotone formulas turn out to be important for our quorum systems. The most general access structures for which efficient secret sharing schemes are known is that of span programs [KW93] All our schemes fall into this category. Krawczyk ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. In Advances in Cryptology - CRYPTO'92 , LNCS 740, pages 148--167. Springer-Verlag, 1992.

....storage) The question of whether there exist more efficient schemes or if there exists a Boolean function with no (space )efficient scheme is open. This problem is one of the most important open problems concerning secret sharing. Some lower bounds on the length of the shares were proved in [23, 7, 12, 14, 11, 24] and [17] The best lower bound was proved by [15, 16] His proof gives, for every m, a Boolean function with m variables for which the sum of the lengths of the shares in every secret sharing scheme is Omega Gamma m 2 = log m) times the length of the secret (for every finite set of possible ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. In E. F. Brickell, editor, Advances in Cryptology - CRYPTO '92, Lecture Notes in Computer Science 740, (Springer-Verlag 1993) 148--167.

....vault or even opening a safety deposit box. Secret sharing schemes are also used in management of cryptographic keys and multi party secure protocols. 7.2. 1 Size of Shares The question of how much information one has to distribute to participants is addressed in [137] 138] 102] 99] and [100]. New techniques of constructing schemes by suitable decomposition of the access structure are presented. Moreover, it is proved that there are access structures for which there is a participant whose share of information has to be at least twice the secret size. The security of all the schemes ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. In E. Brickell, editor, Advances in Cryptology -- CRYPTO '92, number 740 in Lecture Notes in Computer Science, pages 149--169. Springer-Verlag, 1993. Revised version to appear in Theoretical Computer Science.

.... 36, 39] Secret sharing: Secret sharing (cf. 44] was originally suggested for threshold access structures by Shamir and Blakley [43, 5] It was extended to arbitrary access structures in [24] The issue of efficiency (i.e. share sizes) of such schemes has been considered in several papers (cf. [7, 6, 3]) Schemes suggested in [4] for structures represented by monotone formulas turn out to be important for our quorum systems. The most general access structures for which efficient secret sharing schemes are known is that of span programs [26] All our schemes fall into this category. Krawczyk [27] ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro. On the information rate of secret sharing schemes. In Advances in Cryptology -- CRYPTO'92, LNCS 740, pages 148--167. SpringerVerlag, 1992.

No context found.

C. Blundo, A. De Santis, L. Gargano and U. Vaccaro. On the information rate of secret sharing schemes. Lecture Notes in Computer Science 740 (1993), 149--169.

....of the secret (see [12] for a simple information theoretic proof) Moreover, there are access structures for which any corresponding secret sharing scheme must give to some participant a share of size strictly bigger than the secret size. Lower bounds on the size of shares can be found in [12] [5], and [6] The best lower bound on the size of shares that has been proved is dlog jSj 2 Gammaffl e, where jSj is the number of possible secrets and ffl is any constant 0 [5] Upper bounds on the size of shares have been given in [10] and [27] We also briefly mention some extended ....

....a share of size strictly bigger than the secret size. Lower bounds on the size of shares can be found in [12] 5] and [6] The best lower bound on the size of shares that has been proved is dlog jSj 2 Gammaffl e, where jSj is the number of possible secrets and ffl is any constant 0 [5]. Upper bounds on the size of shares have been given in [10] and [27] We also briefly mention some extended capabilities of secret sharing schemes that have been studied. The issue of protecting against cheating by one or more participants is addressed in [17] 29] 19] 24] and [11] The ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, in: Advances in Cryptology -- CRYPTO '92, E. Brickell (Ed.), Lectures Notes in Computer Science, vol. 740, pp. 149--169, 1993, Springer-Verlag.

....of the basic issue in the area of secret sharing schemes is that of estimating the information rate of the scheme, that is, the ratio between the size of the secret and that of the largest share given to any participant. This problem has received considerable attention in the last few years (e.g. [1, 5, 4, 10, 11, 13, 14, 22]) The practical relevance of this issue is based on the following observations: Firstly, the security of any system tends to degrade as the amount of information that must be kept secret, i.e. the shares of the participants, increases. Secondly, if the shares given to participants are too long, ....

....Therefore, it is important to derive significative upper and lower bounds on the information rate of secret sharing schemes. The main tool to prove upper bounds on the information rate of secret sharing schemes is the information theoretic approach introduced in [11] and further developed in [4, 5, 13, 14] 1 . However, the different results obtained so far seems to have used rather ad hoc proof techniques, limiting themselves to exhibit a particular access structure with small information rate. Therefore, it lacks a clear understanding of what makes an access structure to have necessarily small ....

[Article contains additional citation context not shown here]

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, in: Advances in Cryptology - CRYPTO 92, E. Brickell Ed., "Lecture Notes in Computer Science", vol.740, Springer-Verlag, Berlin, pp.149-169, 1993. Also to appear in Theoretical Computer Science.

....of the shares distributed to participants holds. Consider the set of participants P = fX 0 ; X 1 ; X 2 ; X n g and the access structure M n which is the closure of ffX 1 ; X 2 ; X n g; fX 0 ; X 1 g; fX 0 ; X 2 g; fX 0 ; X n Gamma1 gg. In a similar way of Theorem 4. 1 in [4] one can easily prove that for any n Gamma 2 indices i 1 ; i 2 ; i n Gamma2 2 f1; 2; n Gamma 1g, it holds that H(X 0 ) H(X i 1 ) H(X i n Gamma2 ) 2n Gamma 3)H(S) 1) The following theorem holds. Theorem 6.3 Let A = fA (k 1 ;P 1 ) A (k 2 ;P 2 ) g, with k 1 k 2 ....

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, in "Advances in Cryptology - CRYPTO '92", "Lecture Notes in Computer Science", Vol. 740, E. Brickell Ed., Springer-Verlag, pp. 149--169, 1993. To appear in Theoretical Computer Science.

....can be identified with the vertex set V (G) of a graph G = V (G) E(G) and the subsets of participants qualified to reconstruct the secret are only those containing an edge of G. Secret sharing schemes based on graph access structures have been extensively studied in several papers, such as [11, 12, 14, 6, 5, 34, 36]. We give both lower and upper bounds for infinite classes of access structures. Lower bounds are obtained using entropy arguments. We prove a general lower bound on the dealer s randomness for access structures based on graphs. As a result we obtain a general bound when the graph is the cycle Cn ....

....; P 2k g and E(G (k) f(P 0 ; P 0 0 ) P 0 0 ; P 1 ) P 0 0 ; P k ) P 1 ; P k 1 ) P k ; P 2k )g: Let AS k = cl(E(G (k) For k = 3, an example of this graph and one of its decompositions is given in Figure 1. This access structure was first considered in [5] to give an upper bound on the information rate of AS k . The following theorem holds. Theorem 6 Supposing the secret is chosen in S and jSj = 2 r , for some positive integer r, then the dealer s randomness (AS k ; jSj) satisfies (AS k ; jSj) r(k 1) Proof: The participants P 0 ; P 1 ; ....

[Article contains additional citation context not shown here]

C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, Theoretical Computer Science, Vol. 154 (1996), 283--306.

No context found.

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro. On the information rate of secret sharing schemes. Advances in Cryptology - CRYPTO'92, Lecture Notes in Comput. Sci. 740 148--167.

No context found.

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro. On the information rate of secret sharing schemes. Advances in Cryptology - CRYPTO'92, Lecture Notes in Comput. Sci. 740 148--167.

No context found.

C. Blundo, A. De Santis, L. Gargano, U. Vaccaro, On the Information Rate of Secret Sharing Schemes, in Advances in Cryptology { CRYPTO '92, Lecture Notes in Computer Science, Vol 740, E. Brickell ed, SpringerVerlag, Berlin, 1993, pp. 149-169.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC