New Bounds on the Information Rate of Secret Sharing Schemes
Carlo Blundo, Alfredo De Santis, Antonio Giorgio Gaggia, Ugo Vaccaro

Abstract

A secret sharing scheme permits a secret to be shared among participants in such a way that only qualified subsets of participants can recover the secret, but any non-qualified subset has absolutely no information on the secret. In this paper we derive new limitations on the information rate of secret sharing schemes, that measures how much information is being distributed as shares as compared to the size of the secret key, and the average information rate, that is the ratio between the secret size and the arithmetic mean of the size of the shares. By applying the substitution technique, we are able to construct many new examples of access structures where the information rate is bounded away from 1. The substitution technique is a method to obtain a new access structure by replacing a participant in a previous structure with a new access structure.
Index terms : Data Security, Cryptography, Secret Sharing, Entropy.
1 Introduction

A secret sharing scheme is a method to distribute a secret s among a set of participants P in such a way that only qualified subsets of P can reconstruct the value of s whereas any other (non-qualified) subset of P cannot determine anything about the value of the secret. Blakley [2] and Shamir [15] initiated the study of secret sharing schemes, giving algorithms to realize (k, n) threshold schemes. A (k, n) threshold scheme allows a secret to be shared among n participants in such a way that any k of them can recover the secret, but any k − 1 have absolutely no information on the secret. Subsequently, Ito, Saito, and Nishizeki [10] described a more general method of secret sharing. They showed how to realize a secret sharing scheme for any access structure. An access structure is the family of all subsets of participants that are qualified to recover the secret. In the case of (k, n) threshold schemes the access structure consists of all subsets of P that have size greater than or equal to k. Benaloh and Leichter [1] proposed a technique to realize a secret sharing scheme for any access structure that is more efficient than Ito, Saito and Nishizeki's methodology. They showed that there is a natural relation between the set of access structures and the set of monotone functions.

Partially supported by Italian Ministry of University and Scientific Research in the framework of the project: "Algoritmi, Modelli di Calcolo e Strutture Informative" and by National Council of Research

An important issue in the implementation of secret sharing schemes is represented by the size of the shares to be given to participants. Indeed, the security of any system degrades as the amount of the information that must be kept secret increases; moreover, the distribution algorithm becomes inefficient if the shares to be given to participants are too large. Thus, one of the basic problems in the field of secret sharing schemes is to derive bounds on the size of the shares that must be distributed to the participants. Equivalently, if we define the information rate [7] of an access structure as the ratio between the size of the secret and that of the largest share given to any participant when using the best distribution algorithm, the problem is to derive upper and lower bounds on the information rate.

Unfortunately, there is a large gap between the known upper and lower bounds on the size of the shares. The best known upper bounds for general access structures are exponential in the number of participants (see [1] and [18]); this makes the above algorithms impractical even for schemes with a small number of participants. The best known lower bound says that there exists a class of access structures for which the size of at least one share must be nearly twice the size of the secret [4]. In terms of information rate, the best lower bound is 1/2, whereas the best upper bound is polynomial Reducing the gap between these lower and upper bounds is one of the most important problems in the area of secret sharing. The main purpose of this paper is to provide a general technique to construct classes of access structures In this paper we derive new limitations on the information rate and the average information rate of secret sharing schemes. These bounds are obtained by using the entropy approach of [8] and [4].
We analyze the substitution technique, which is a method to obtain a new access structure by replacing a participant in a previous structure with a new access structure. We show that a suitable application of the substitution technique makes it possible to derive better and better upper bounds on the information rate and the average information rate.
2 Secret Sharing Schemes

A secret sharing scheme permits a secret to be shared among a set $\mathcal{P}$ of $n$ participants in such a way that only qualified subsets of $\mathcal{P}$ can recover the secret, but any non-qualified subset has absolutely no information on the secret. An access structure $\mathcal{A}$ is the set of all subsets of $\mathcal{P}$ that can recover the secret.
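Definition 2.1 Let $\mathcal{P}$ be a set of participants. A monotone access structure $\mathcal{A}$ on $\mathcal{P}$ is a subset $\mathcal{A} \subseteq 2^{\mathcal{P}}$ such that

$A \in \mathcal{A},\ A \subseteq A' \subseteq \mathcal{P} \Rightarrow A' \in \mathcal{A}.$

In this paper, we assume that there is always at least a subset of participants who can reconstruct the secret, i.e., $\mathcal{A} \neq \emptyset$.

Definition 2.2 Let $\mathcal{P}$ be a set of participants and $\mathcal{A} \subseteq 2^{\mathcal{P}}$. The closure of $\mathcal{A}$, $\mathrm{cl}(\mathcal{A})$, is the set

$\mathrm{cl}(\mathcal{A}) = \{C \mid B \in \mathcal{A} \text{ and } B \subseteq C \subseteq \mathcal{P}\}.$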
For a monotone access structure $\mathcal{A}$ we have $\mathcal{A} = \mathrm{cl}(\mathcal{A})$.

Let $S$ be the set of secrets, $\{p_S(s)\}_{s \in S}$ be a probability distribution on $S$, and let a secret sharing scheme for secrets in $S$ be fixed. For any participant $P \in \mathcal{P}$, let us denote by $K(P)$ the set of all possible shares given to participant $P$. Given a set of participants $A = \{P_{i_1}, \ldots, P_{i_r}\} \subseteq \mathcal{P}$, where $i_1 < i_2 < \ldots < i_r$, denote by $K(A) = K(P_{i_1}) \times \cdots \times K(P_{i_r})$. Any secret sharing scheme for secrets in $S$ and a probability distribution $\{p_S(s)\}_{s \in S}$ naturally induce a probability distribution on $K(A)$, for any $A \subseteq \mathcal{P}$. Denote such probability distribution by $\{p_{K(A)}(a)\}_{a \in K(A)}$. Finally denote by $H(S)$ the entropy of $\{p_S(s)\}_{s \in S}$ and by $H(A)$ the entropy of $\{p_{K(A)}(a)\}_{a \in K(A)}$, for any $A \subseteq \mathcal{P}$. In terms of the probability distribution on the secret and on the shares given to participants, we say that a secret sharing scheme is a perfect secret sharing scheme, or simply a secret sharing scheme, for the monotone access structure $\mathcal{A} \subseteq 2^{\mathcal{P}}$ if

1. Any subset $A \subseteq \mathcal{P}$ of participants enabled to recover the secret can compute the secret: if $A \in \mathcal{A}$ then for all $a \in K(A)$ with $p_{K(A)}(a) > 0$ a unique secret $s \in S$ exists such that $p(s \mid a) = 1$.

2. Any subset $A \subseteq \mathcal{P}$ of participants not enabled to recover the secret has no information on the secret value: if $A \notin \mathcal{A}$ then for all $s \in S$ and for all $a \in K(A)$, it holds $p(s \mid a) = p_S(s)$.

Property 1 means that the value of the shares held by $A \in \mathcal{A}$ completely determines the secret $s \in S$. Property 2 means that the probability that the secret is equal to $s$, given that the shares held by $A \notin \mathcal{A}$ are $a$, is equal to the a priori probability that the secret is $s$. Therefore, no amount of knowledge of shares of participants not qualified to reconstruct the secret enables a Bayesian opponent to modify an a priori guess regarding which the secret is.

Following the approach of [8] and [11] we can restate the above conditions 1 and 2 using the entropy function. We say that a secret sharing scheme is a sharing of the secrets in $S$ among participants in $\mathcal{P}$ such that

1′. Any qualified subset can reconstruct the secret: formally, for all $A \in \mathcal{A}$, it holds $H(S \mid A) = 0$.

2′. Any non-qualified subset has absolutely no information on the secret: formally, for all $A \notin \mathcal{A}$, it holds $H(S \mid A) = H(S)$.

Notice that $H(S \mid A) = 0$ means that each set of values of the shares in $A$ corresponds to a unique value of the secret. In fact, by definition, $H(S \mid A) = 0$ is equivalent to the fact that for all $a \in K(A)$ with $p_{K(A)}(a) > 0$ a unique $s \in S$ exists such that $p(s \mid a) = 1$. Moreover, $H(S \mid A) = H(S)$ is equivalent to stating that $S$ and $K(A)$ are statistically independent, i.e., for all $a \in K(A)$ and for all $s \in S$, it holds $p(s \mid a) = p_S(s)$ and therefore the knowledge of $a$ gives no information about the secret.
An important issue in the implementation of secret sharing schemes is the size of the shares, since the security of a system degrades as the amount of secret information increases. Thus, one of the basic problems in the field of secret sharing schemes is to derive bounds on the amount of information that must be kept secret. When we are interested in limiting the maximum size of shares for each participant we use the information rate of $\mathcal{A}$ defined as

($\mathcal{A}$, $P_S$, ) = $\dfrac{H(S)}{\max_{X \in \mathcal{P}} H(X)}$

for a given secret sharing scheme and a non-trivial probability distribution $P_S$ on the set of secrets $S$. This measure was introduced by Brickell and Stinson [7] when the probability distributions over the secret and the shares are uniform. In such a case the information rate ($\mathcal{A}$) reduces to ($\mathcal{A}$) = $\log|S| / \max_{X \in \mathcal{P}} \log|X|$, and corresponds to the ratio between the size of the secret (measured in bits) and that of the largest share given to any participant. The optimal information rate of the access structure $\mathcal{A}$ is defined as

($\mathcal{A}$) = $\sup_{\mathcal{T}, \mathcal{Q}} \dfrac{H(S)}{\max_{X \in \mathcal{P}} H(X)}$

where $\mathcal{T}$ is the space of all secret sharing schemes for the access structure $\mathcal{A}$ and $\mathcal{Q}$ is the space of all non-trivial probability distributions $P_S$.

In many cases it is preferable to limit the sum of the size of shares given to all participants. In such cases the arithmetic mean of the $H(X)$, $X \in \mathcal{P}$, is a more appropriate measure. We define the average information rate as follows:

~($\mathcal{A}$, $P_S$, ) = $\dfrac{H(S)}{\sum_{X \in \mathcal{P}} H(X) / |\mathcal{P}|}$

for a given secret sharing scheme and non-trivial probability distribution $P_S$ on the set of secrets $S$. This measure was introduced in [3], [13], and [14] when a uniform probability distribution on the set of secrets and the set of shares is assumed. In such a case the average information rate ~($\mathcal{A}$) reduces to ~($\mathcal{A}$) = $|\mathcal{P}| \log|S| / \sum_{X \in \mathcal{P}} \log|X|$. The optimal average information rate of the access structure $\mathcal{A}$ is defined as

~($\mathcal{A}$) = $\sup_{\mathcal{T}, \mathcal{Q}} \dfrac{H(S)}{\sum_{X \in \mathcal{P}} H(X) / |\mathcal{P}|}$

where $\mathcal{T}$ is the space of all secret sharing schemes for the access structure $\mathcal{A}$ and $\mathcal{Q}$ is the space of all non-trivial probability distributions $P_S$.

The following two lemmas have been proved by Capocelli, De Santis, Gargano, and Vaccaro [8]. We repeat their proofs for the reader's convenience.
Lemma 2.1 Let $\mathcal{A}$ be an access structure. If $Y \notin \mathcal{A}$ and $X \cup Y \in \mathcal{A}$ then $H(X \mid Y) = H(S) + H(X \mid YS)$.

Proof: The conditional mutual information $I(X; S \mid Y)$ can be written either as $H(X \mid Y) - H(X \mid SY)$ or as $H(S \mid Y) - H(S \mid XY)$. Hence, $H(X \mid Y) = H(S \mid Y) + H(X \mid YS) - H(S \mid XY) = H(S) + H(X \mid YS)$.

An immediate consequence of Lemma 2.1 is that for any $P \in \mathcal{P}$, it holds $H(P) \ge H(S)$.

Lemma 2.2 Let $\mathcal{A}$ be an access structure. If either $X \cup Y \notin \mathcal{A}$ or $X \in \mathcal{A}$ then it holds $H(Y \mid X) = H(Y \mid XS)$.

Proof: The conditional mutual information $I(Y; S \mid X)$ between $Y$ and $S$ given $X$ can be written either as $H(Y \mid X) - H(Y \mid XS)$ or as $H(S \mid X) - H(S \mid XY)$. Hence, $H(Y \mid X) = H(Y \mid XS) + H(S \mid X) - H(S \mid XY)$. Since $H(S \mid XY) = H(S \mid X)$, for either $X \cup Y \notin \mathcal{A}$ or $X \in \mathcal{A}$, we have $H(Y \mid X) = H(Y \mid XS)$.
3 A General Upper Bound

Let $\mathcal{A}$ be an access structure on a set $\mathcal{P}$ of participants. Given a subset of participants $\mathcal{P}' \subseteq \mathcal{P}$, we define the access structure induced by $\mathcal{P}'$ as the family of sets $\mathcal{A}[\mathcal{P}'] = \{A \in \mathcal{A} \mid A \subseteq \mathcal{P}'\}$. A straightforward generalization of Theorem 3.3 of [7] is the following.

Theorem 3.1 Let A be an access structure on a set P 0 of participants. Then, (A) Pmin (A[P 0]): 0 P

Theorem 3.1 has been the main tool to prove upper bounds on the information rate of several classes of access structures. For instance, Theorem 4.2 of [5], which proves that the optimal information rate of any access structure corresponding to the closure of the edge-set of a noncomplete multipartite graph is upper bounded by 2/3, is obtained by applying Theorem 3.1 and by observing that any graph that is not complete multipartite contains, as an induced subgraph, at least one of the two access structures for which an upper bound of 2/3 on the optimal information rate has been provided in [8]. Other applications of Theorem 3.1 are contained in [4]. It is clear that to fruitfully apply Theorem 3.1 it is crucial to have a "collection" of access structures for which non-trivial upper bounds on their optimal information rates are known. The purpose of the following sections is to considerably enlarge the class of access structures for which non-trivial upper bounds on their optimal information rates can be provided.
4 Cross Structures

In this section we analyze a technique to construct new access structures by replacing a participant in a previous structure with a new access structure. Let $\mathcal{A}$ be an access structure on a set of participants $\mathcal{P}$. Let $P$ be a participant in $\mathcal{P}$. The substitution of $P$ with another access structure is defined as follows.

Definition 4.1 Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two access structures on the sets of participants $\mathcal{P}_1$ and $\mathcal{P}_2$, respectively. The substitution of $\mathcal{A}_1$ with $\mathcal{A}_2$ at $P \in \mathcal{P}_1$ is the access structure $\mathcal{A} = (\mathcal{A}_1 \setminus \mathcal{A}_{1P}) \cup \mathcal{C}$ where

$\mathcal{A}_{1P} = \{A \in \mathcal{A}_1 \mid P \in A\}$

and

$\mathcal{C} = \{(A \setminus \{P\}) \cup B \mid A \in \mathcal{A}_{1P},\ B \in \mathcal{A}_2\}.$

We denote the new access structure $\mathcal{A}$ with $\mathrm{subst}(\mathcal{A}_1, \mathcal{A}_2, P)$. Note that the sets of participants need not be disjoint.

Example 4.1 Let $\mathcal{A}_1 = \mathrm{cl}(\{AB, BC, CD\})$, $\mathcal{A}_2 = \mathrm{cl}(\{EF, FG, GH\})$. Then $\mathrm{subst}(\mathcal{A}_1, \mathcal{A}_2, B)$ is equal to $\mathrm{cl}(\{AEF, AFG, AGH, EFC, FGC, GHC, CD\})$.

Definition 4.2 Let $\mathcal{A}$ be an access structure on $\mathcal{P}$ and let $P_0 \in \mathcal{P}$ be a participant. We define the set of all the groups of participants $X \subseteq \mathcal{P} \setminus \{P_0\}$ such that $X \notin \mathcal{A}$ but $X \cup \{P_0\} \in \mathcal{A}$ as $P_0$-qualified-for-$\mathcal{A}$.

First, a technical lemma.
Lemma 4.1 Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two access structures on disjoint sets of participants $\mathcal{P}_1$ and $\mathcal{P}_2$, respectively. Let be a positive real number, let $P_0 \in \mathcal{P}_1$ and let $Z \in$ $P_0$-qualified-for-$\mathcal{A}_1$. If for a group of participants $X \subseteq \mathcal{P}_2$ and for any secret sharing scheme for $\mathcal{A}_2$, it holds H(X) H(S), then for any secret sharing scheme for $\mathcal{A} = \mathrm{subst}(\mathcal{A}_1, \mathcal{A}_2, P_0)$, it holds H(X|Z) H(S).

Proof: Suppose by contradiction that there exists a probability distribution $\{p_S(s)\}_{s \in S}$ on $S$ and a scheme for $\mathcal{A}$ such that H(X|Z) < H(S). Consider the following scheme 2 for $\mathcal{A}_2$ when the probability distribution on $S$ is $\{p_S(s)\}_{s \in S}$: the dealer hands out to the participants the same shares he would distribute in the scheme for $\mathcal{A}$ to the participants in $\mathcal{P}_2$, then he makes public the shares $z$ he would give to the participants in $Z$ and finally he ignores the other shares. The reconstructing algorithm for 2 is the restriction of the reconstructing algorithm for to the participants in $\mathcal{P}_2$ with the public information $z$. This is a secret sharing scheme for $\mathcal{A}_2$; in fact, since $Z \in$ $P_0$-qualified-for-$\mathcal{A}_1$, if $Y \notin \mathcal{A}_2$ then $H(S \mid YZ) = H(S)$ and if $Y \in \mathcal{A}_2$ then $H(S \mid YZ) = 0$. By construction, for the scheme 2 it holds H(X) < H(S). Therefore we would find a secret sharing scheme that contradicts the hypothesis.
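Definition 4.3 Let $\mathcal{A}$ be an access structure on the set of participants $\mathcal{P}$, let $P_1, P_2 \in \mathcal{P}$ such that $\{P_1, P_2\} \in \mathcal{A}$, and let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two access structures on $\mathcal{P}_1$ and $\mathcal{P}_2$, respectively. We define the substitution of $\mathcal{A}$ with $\mathcal{A}_1$ and $\mathcal{A}_2$ at $P_1$ and $P_2$, respectively, as

$\mathrm{doublesubst}(\mathcal{A}, \mathcal{A}_1, P_1, \mathcal{A}_2, P_2) = \mathrm{subst}(\mathrm{subst}(\mathcal{A}, \mathcal{A}_1, P_1), \mathcal{A}_2, P_2).$

Definition 4.4 We define a cross structure as an access structure $\mathcal{A}$ on $\mathcal{P}$ such that
1. there exist two participants $P_1, P_2 \in \mathcal{P}$ (cross participants) such that $\{P_1, P_2\} \in \mathcal{A}$;
2. there exist two sets $D, A \subseteq \mathcal{P} \setminus \{P_1, P_2\}$ such that $D \cup \{P_1\} \notin \mathcal{A}$, $D \cup \{P_2\} \in \mathcal{A}$, $A \cup D \notin \mathcal{A}$, and $A \cup \{P_1\} \in \mathcal{A}$.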
Now, we prove the following "amplification" result.

Theorem 4.1 Let $\mathcal{P}_1$ and $\mathcal{P}_2$ be two disjoint sets of participants and let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two access structures on $\mathcal{P}_1$ and $\mathcal{P}_2$, respectively. Let $\mathcal{A}$ be a cross structure on $\mathcal{P}$ such that $\mathcal{P} \cap (\mathcal{P}_1 \cup \mathcal{P}_2) = \emptyset$. If there exist two positive real numbers and and two subsets of participants $X \in \mathcal{A}_1$ and $Y \in \mathcal{A}_2$ such that for any secret sharing scheme for $\mathcal{A}_1$ and $\mathcal{A}_2$, it holds H(X) H(S) and H(Y) H(S), then for any secret sharing scheme for $\mathcal{A}' = \mathrm{doublesubst}(\mathcal{A}, \mathcal{A}_1, P_1, \mathcal{A}_2, P_2)$, it holds H(XY) ( + + 1)H(S), where $P_1, P_2$ are two cross participants in $\mathcal{A}$.

Proof: Let $A$ and $D$ be two sets of participants satisfying condition 2 in Definition 4.4. Consider the conditional mutual information $I(D; XY) = H(D) - H(D \mid XY) = H(XY) - H(XY \mid D)$. We get

$H(XY) = H(XY \mid D) + H(D) - H(D \mid XY)$    (1)

Setting $Z = A \cup D$, the hypotheses of Lemma 4.1 are satisfied, thus for any secret sharing scheme for $\mathcal{A}'$, it holds H(X|D) H(X|AD) H(S). Moreover, if we set $Z = D \cup X$, by Lemma 4.1, one has that for any secret sharing scheme for $\mathcal{A}'$, it holds H(Y|XD) H(S). Hence,

H(XY|D) = H(X|D) + H(Y|XD) ( + )H(S).    (2)

It follows that

H(XY) ( + )H(S) + H(D) − H(D|XY)    (from (1) and (2))
= ( + )H(S) + H(D) − H(D|XYS)    (from Lemma 2.2)
( + )H(S) + H(D) − H(D|YS)    (since H(D|XYS) H(D|YS))
= ( + )H(S) + H(D) + H(S) − H(D|Y)    (from Lemma 2.1)
( + + 1)H(S)    (since H(D) H(D|Y)).

Thus, the theorem holds.
5 Multi-level paths

In this section we describe a family of access structures and provide an upper bound on the optimal information rate and average information rate for each structure.

Definition 5.1 We define the 1-level path (denoted by $\Gamma_1$) as the structure on the set of participants $\mathcal{P}_1 = \{A, B, C, D\}$ such that $\Gamma_1 = \mathrm{cl}\{AB, BC, CD\}$. For $n \ge 2$, we define the $n$-level path (denoted by $\Gamma_n$) on a set of participants $\mathcal{P}_n$ as $\mathrm{doublesubst}(\Gamma_1, \mathcal{A}_1, B, \mathcal{A}_2, C)$, where $\Gamma_1$, $\mathcal{A}_1$ and $\mathcal{A}_2$ are defined on disjoint sets of participants and $\mathcal{A}_1$ and $\mathcal{A}_2$ are both isomorphic to $\Gamma_{n-1}$.

Note that by definition $\Gamma_1$ is a cross structure and $B$ and $C$ are cross participants. For $n \ge 2$ we define the $n$-level path as a multi-level path. The next lemma proves that there exists a group $X$ of $2^n$ participants in $\Gamma_n$ such that for any secret sharing scheme for $\Gamma_n$, it holds $H(X) \ge (2^{n+1} - 1)H(S)$.

Lemma 5.1 There exists a set $X \in \Gamma_n$ of $2^n$ participants such that for any secret sharing scheme for $\Gamma_n$, it holds $H(X) \ge (2^{n+1} - 1)H(S)$.

Proof: The proof is by induction on the number $n$ of levels. Let $n = 1$. Capocelli, De Santis, Gargano, and Vaccaro [8] proved that for $\Gamma_1$, it holds $H(BC) \ge 3H(S)$. Let $n > 1$ and suppose that the lemma is true for $k \le n$, then we prove it for $k = n + 1$. Let $\mathcal{A}_1, \mathcal{A}_2$ be two structures isomorphic to $\Gamma_n$, defined on $\mathcal{P}'$ and $\mathcal{P}''$, respectively. To obtain $\Gamma_{n+1}$ we substitute these structures for $B$ and $C$ in $\Gamma_1$. Denote with $X_1$ the set in $\mathcal{A}_1$ and $X_2$ the set in $\mathcal{A}_2$ satisfying the hypotheses of the lemma, that is

$X_1 \in \mathcal{A}_1$, with $|X_1| = 2^n$, such that for any secret sharing scheme for $\mathcal{A}_1$, it holds $H(X_1) \ge (2^{n+1} - 1)H(S)$;
$X_2 \in \mathcal{A}_2$, with $|X_2| = 2^n$, such that for any secret sharing scheme for $\mathcal{A}_2$, it holds $H(X_2) \ge (2^{n+1} - 1)H(S)$.

Since $X_1 \cup X_2 \in \mathcal{A}$, by Theorem 4.1 we have that for any secret sharing scheme for $\mathcal{A}$, it holds

$H(X_1 X_2) \ge (2^{n+1} - 1 + 2^{n+1} - 1 + 1)H(S) = (2^{n+2} - 1)H(S).$

Since $X_1$ and $X_2$ are disjoint, one gets $|X_1 \cup X_2| = |X_1| + |X_2| = 2^{n+1}$. Hence, the lemma holds.
Theorem 5.1 The optimal information rate ($\Gamma_n$) for $\Gamma_n$, $n \ge 1$, satisfies

($\Gamma_n$) $\le \dfrac{1}{2} + \dfrac{1}{2^{n+2} - 2}.$

Proof: From Lemma 5.1 we know that there exists a set of $2^n$ participants $X \in \Gamma_n$, $X = \{P_1, \ldots, P_{2^n}\}$, such that for any secret sharing scheme for $\Gamma_n$, it holds $H(X) \ge (2^{n+1} - 1)H(S)$. Since

$\sum_{i=1}^{2^n} H(P_i) \ge H(X),$

it follows that there is a participant $P$ in $X$ such that

$H(P) \ge \dfrac{2^{n+1} - 1}{2^n} H(S).$

Thus,

($\Gamma_n$) $\le \dfrac{2^n}{2^{n+1} - 1} = \dfrac{1}{2} + \dfrac{1}{2^{n+2} - 2}.$

Hence, the theorem holds.
The sequence of upper bounds provided by Theorem 5.1 is decreasing with $n$ and approaches 1/2 as $n$ increases.

Notice that a lower bound on the entropy of a group of participants provides an upper bound on the optimal average information rate. Indeed, let $\mathcal{A}$ be an access structure on $\mathcal{P} = \{P_1, \ldots, P_n\}$, let $X$ be a group of $m$ participants, say the first $m$ in $\mathcal{P}$, and let be a positive real number such that for any secret sharing scheme for $\mathcal{A}$, it holds H(X) H(S). Then, from Lemma 2.1, it follows that

$\sum_{i=1}^{n} H(P_i) = \sum_{i=1}^{m} H(P_i) + \sum_{i=m+1}^{n} H(P_i)$ ≥ (n − m + )H(S).

Hence, we have

~($\mathcal{A}$) ≤ n / (n − m + ).    (3)
The next theorem proves an upper bound on the average information rate for $\Gamma_n$.

Theorem 5.2 The optimal average information rate ~($\Gamma_n$) for $\Gamma_n$, $n \ge 1$, satisfies

~($\Gamma_n$) $\le \dfrac{3}{4} + \dfrac{1}{2^{n+4} - 12}.$

Proof: First we prove by induction on the number $n$ of levels that the number of participants in $\Gamma_n$ is $|\mathcal{P}_n| = 4(2^n - 1) - (2^n - 2)$. Let $n = 1$; it is easy to see that $|\mathcal{P}_1| = 4$. Assume that $|\mathcal{P}_k| = 4(2^k - 1) - (2^k - 2)$ for $k \le n$. We prove it for $|\mathcal{P}_{n+1}|$. To obtain $\Gamma_{n+1}$ we substitute for $B$ and $C$ in $\Gamma_1$ two structures isomorphic to $\Gamma_n$, so $|\mathcal{P}_{n+1}| = 2|\mathcal{P}_n| + 4 - 2 = 2|\mathcal{P}_n| + 2$. By the inductive hypothesis we get $|\mathcal{P}_{n+1}| = 2(4(2^n - 1) - (2^n - 2)) + 2 = 4(2^{n+1} - 1) - (2^{n+1} - 2)$.

Lemma 5.1 tells us that for each $\Gamma_n$ there is a group $X$ of $2^n$ participants, with $X \in \Gamma_n$, such that for any secret sharing scheme for $\Gamma_n$, it holds $H(X) \ge (2^{n+1} - 1)H(S)$. From (3) we obtain the following upper bound on the average information rate of $\Gamma_n$:

~($\Gamma_n$) $\le \dfrac{4(2^n - 1) - (2^n - 2)}{4(2^n - 1) - (2^n - 2) + 2^{n+1} - 1 - 2^n} = \dfrac{3}{4} + \dfrac{1}{2^{n+4} - 12}.$

The sequence of upper bounds provided by Theorem 5.2 is decreasing with $n$ and approaches 3/4 as $n$ increases.
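The substitution of Definition 4.1 and the multi-level paths of Definition 5.1 can be checked mechanically. The Python code below is an added example, not code from the paper: it represents each access structure by its minimal qualified sets (as Example 4.1 does), rebuilds the n-level paths, and evaluates the bounds of Theorems 5.1 and 5.2 as exact fractions. The function names, the constant `PATH_1` and the `l`/`r` prefixes used to obtain disjoint isomorphic copies are assumptions of this example.

```python
from fractions import Fraction
from itertools import product


def minimal(family):
    """Basis of cl(family): keep only the inclusion-minimal sets."""
    sets = {frozenset(s) for s in family}
    return frozenset(s for s in sets if not any(t < s for t in sets))


def qualified(basis, group):
    """True if `group` is in the closure of `basis`."""
    group = frozenset(group)
    return any(b <= group for b in basis)


def participants(basis):
    """All participants that occur in some minimal qualified set."""
    return frozenset().union(*basis)


def subst(a1, a2, p):
    """Definition 4.1 on bases: (A1 minus the sets containing p) union C."""
    with_p = [a for a in a1 if p in a]
    without_p = [a for a in a1 if p not in a]
    c = [(a - {p}) | b for a, b in product(with_p, a2)]
    return minimal(without_p + c)


def doublesubst(a, a1, p1, a2, p2):
    """Definition 4.3: two substitutions in sequence."""
    return subst(subst(a, a1, p1), a2, p2)


def is_cross(basis, p1, p2, d, a):
    """Definition 4.4 for given cross participants p1, p2 and witness sets D, A."""
    d, a = frozenset(d), frozenset(a)
    return (qualified(basis, {p1, p2})
            and not qualified(basis, d | {p1})
            and qualified(basis, d | {p2})
            and not qualified(basis, a | d)
            and qualified(basis, a | {p1}))


def relabel(basis, tag):
    """Isomorphic copy on fresh participant names (tag is prefixed to each name)."""
    return frozenset(frozenset(tag + x for x in s) for s in basis)


# 1-level path cl{AB, BC, CD}; each string is a set of one-letter names.
PATH_1 = minimal(["AB", "BC", "CD"])


def level_path(n):
    """Return (basis of the n-level path, the set X built in Lemma 5.1)."""
    if n == 1:
        return PATH_1, frozenset("BC")
    sub, x = level_path(n - 1)
    left, right = relabel(sub, "l"), relabel(sub, "r")
    x_new = frozenset("l" + p for p in x) | frozenset("r" + p for p in x)
    return doublesubst(PATH_1, left, "B", right, "C"), x_new


def rate_bound(n):
    """Theorem 5.1 before simplification: 2^n / (2^(n+1) - 1)."""
    return Fraction(2 ** n, 2 ** (n + 1) - 1)


def average_rate_bound(n, size):
    """Bound (3) with `size` participants, m = 2^n and coefficient 2^(n+1) - 1."""
    return Fraction(size, size - 2 ** n + 2 ** (n + 1) - 1)


if __name__ == "__main__":
    example = subst(PATH_1, minimal(["EF", "FG", "GH"]), "B")
    print(sorted("".join(sorted(s)) for s in example))
    for n in range(1, 4):
        basis, x = level_path(n)
        size = len(participants(basis))
        print(n, size, len(basis), qualified(basis, x),
              rate_bound(n), average_rate_bound(n, size))
```

The number of minimal qualified sets grows roughly as the square of the previous level, so the loop stops at three levels.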
6 Multi-level structures

In this section we prove limitations on the information rate and the average information rate for multi-level structures, which are access structures more general than n-level paths.

Definition 6.1 Let 1 be a cross structure on the set of participants $\mathcal{P}$ and $X_1, X_2$ be two cross participants in 1. For $k \ge 2$, we define the k-level structure based on 1 (denoted by k) recursively as follows. Let $\mathcal{A}_1$ and $\mathcal{A}_2$ be two access structures both isomorphic to k−1 defined on the sets of participants $\mathcal{P}_{A_1}$ and $\mathcal{P}_{A_2}$, where $\mathcal{P}_{A_1}$, $\mathcal{P}_{A_2}$, and $\mathcal{P}$ are pairwise disjoint sets. The k-level structure based on 1 is the structure on the set of participants $\mathcal{P}_k = (\mathcal{P} \setminus \{X_1, X_2\}) \cup \mathcal{P}_{A_1} \cup \mathcal{P}_{A_2}$, obtained by substituting for $X_1$ and $X_2$ the access structures $\mathcal{A}_1$ and $\mathcal{A}_2$.

For $k \ge 2$ we define the k-level structure based on 1 as a multi-level structure. The next theorem proves an upper bound on the information rate for k, $k \ge 1$.
Theorem 6.1 If there exists a set X ∈ 1 of n participants and a positive real number such that for any secret sharing scheme for 1, it holds H(X) H(S), then the optimal information rate (k) for k, $k \ge 1$, satisfies

k?1 (k ) 2k?1 2+ 2kn?1 ? 1 :

Proof: First we prove by induction on the number k of levels that for each k there exists a group A of $2^{k-1}n$ participants such that for any secret sharing scheme for k, it holds H (A) (2k?1 + 2k?1 ? 1)H (S ). The claim holds for k = 1 by hypothesis. Suppose the claim is true for $i \le k$; we prove it for i = k + 1. To obtain k+1 we take two structures $\mathcal{A}_1$ and $\mathcal{A}_2$ both isomorphic to k and substitute them for two cross participants $X_1, X_2$ in 1. By the inductive hypothesis there exist $Y \in \mathcal{A}_1$ and $Z \in \mathcal{A}_2$, with $|Y| = |Z| = 2^{k-1}n$, such that for any secret sharing scheme for $\mathcal{A}_1$ and $\mathcal{A}_2$, it holds H (Y ) (2k?1 + 2k?1 ? 1)H (S ) and H (Z ) (2k?1 + 2k?1 ? 1)H (S ). Thus by Theorem 4.1, for any secret sharing scheme for k+1, the set $A = Y \cup Z$ satisfies H (A) (2(2k?1 + 2k?1 ? 1) + 1)H (S ) = (2k + 2k ? 1)H (S ). Moreover, $A = \{P_1, \ldots, P_{2^k n}\}$. Since

$\sum_{i=1}^{2^k n} H(P_i) \ge H(A),$

there is a participant P in A such that k k H (P ) 2 +2k2n ? 1 H (S ): Thus, k (k+1 ) 2k +2 2nk ? 1 : Hence, the theorem holds.
The sequence of upper bounds provided by Theorem 6.1 is decreasing with k and approaches n/( + 1) as k increases. In fact it is easy to see that 2k?1 n lim = n : k!1 2k?1 + 2k?1 ? 1 + 1

In a way similar to Theorem 5.2, it is now possible to compute an upper bound on the average information rate of k, if we know a bound on the entropy of a group of participants. It is easy to prove by induction that if $\mathcal{P}$ is a set of $n$ participants then $|\mathcal{P}_k| = (2^k - 1)n - (2^k - 2)$. We have seen, from the proof of Theorem 6.1, that if there exists a group of m participants X ∈ 1 and a positive real number such that for any secret sharing scheme for 1, it holds H (X ) H (S ), then in each access structure k, $k \ge 2$, there is a subset A of $2^{k-1}m$ participants such that for any secret sharing scheme for k, it holds H (A) (2k?1 + 2k?1 ? 1)H (S ). From (3), we get

k ? 1)n ? (2k ? 2) ~(k ) (2k ? 1)n ? (2k(2? 2) + 2k?1 + 2k?1 ? 1 ? 2k?1 m :

Therefore, given a lower bound on the entropy of a group of participants we can compute a sequence of upper bounds on the average information rate of k, $k \ge 2$, which is decreasing with k and converges to

(2k ? 1)n ? (2k ? 2) 2(n ? 1) : lim = k k k ? 1 k ? 1 k ? 1 k!1 (2 ? 1)n ? (2 ? 2) + 2 + 2 ? 1 ? 2 m 2n + ? m ? 1
References

[1] J. C. Benaloh and J. Leichter, Generalized Secret Sharing and Monotone Functions, Proceedings of Crypto '88, Advances in Cryptology, Lecture Notes in Computer Science, Vol. 403, S. Goldwasser Ed., Springer-Verlag, Berlin, pp. 27–35, 1990.
[2] G. R. Blakley, Safeguarding Cryptographic Keys, Proceedings of AFIPS 1979 National Computer Conference, Vol. 48, New York, NY, pp. 313–317, June 1979.
[3] C. Blundo, Secret Sharing Schemes for Access Structures based on Graphs, Tesi di Laurea, University of Salerno, Italy, 1991, (in Italian).
[4] C. Blundo, A. De Santis, L. Gargano, and U. Vaccaro, On the Information Rate of Secret Sharing Schemes, Proceedings of Crypto '92, Advances in Cryptology, Lecture Notes in Computer Science, E. Brickell Ed., Springer-Verlag, (to appear).
[5] C. Blundo, A. De Santis, D. R. Stinson, and U. Vaccaro, Graph Decomposition and Secret Sharing Schemes, Proceedings of Eurocrypt '91, Advances in Cryptology, Lecture Notes in Computer Science, Vol. 658, R. Rueppel Ed., Springer-Verlag, pp. 1–24, 1993.
[6] E. F. Brickell and D. M. Davenport, On the Classification of Ideal Secret Sharing Schemes, J. Cryptology, Vol. 4, No. 2, pp. 123–124, 1991.
[7] E. F. Brickell and D. R. Stinson, Improved Bounds on the Information Rate of Perfect Secret Sharing Schemes, J. Cryptology, Vol. 5, No. 3, pp. 153–166, 1992.
[8] R. M. Capocelli, A. De Santis, L. Gargano, and U. Vaccaro, On the Size of Shares for Secret Sharing Schemes, Proceedings of Crypto '91, Advances in Cryptology, Lecture Notes in Computer Science, J. Feigenbaum Ed., Springer-Verlag. To appear in J. Cryptology.
[9] R. G. Gallager, Information Theory and Reliable Communications, John Wiley & Sons, New York, NY, 1968.
[10] M. Ito, A. Saito, and T. Nishizeki, Secret Sharing Scheme Realizing General Access Structure, Proceedings of IEEE Global Telecommunications Conference, Globecom 87, Tokyo, Japan, pp. 99–102, 1987.
[11] E. D. Karnin, J. W. Greene, and M. E. Hellman, On Secret Sharing Systems, IEEE Transactions on Information Theory, Vol. IT-29, no. 1, pp. 35–41, Jan. 1983.
[12] W. A. Jackson, K. Martin, and G. J. Simmons, The Geometry of Shared Secret Schemes, Bulletin of ICA, Vol. 1, pp. 71–88, 1991.
[13] K. M. Martin, Discrete Structures in the Theory of Secret Sharing, PhD Thesis, University of London, 1991.
[14] K. M. Martin, New Secret Sharing Schemes from Old, Submitted to Journal of Combin. Math. and Combin. Comp.
[15] A. Shamir, How to Share a Secret, Communications of the ACM, Vol. 22, n. 11, pp. 612–613, Nov. 1979.
[16] C. E. Shannon, The Mathematical Theory of Communication, Bell. Syst. J., Vol. 27, pp. 379–423, 623–656, July/Oct. 1948.
[17] G. J. Simmons, An Introduction to Shared Secret and/or Shared Control Schemes and Their Application, Contemporary Cryptology, IEEE Press, pp. 441–497, 1991.
[18] D. R. Stinson, New General Lower Bounds on the Information Rate of Secret Sharing Schemes, Proceedings of Crypto '92, Advances in Cryptology, Lecture Notes in Computer Science, E. Brickell Ed., Springer-Verlag, (to appear).
[19] D. R. Stinson, An Explication of Secret Sharing Schemes, Design, Codes and Cryptography, Vol. 2, pp. 357–390, 1992.