Linear Secret-Sharing Schemes for Forbidden Graph Access Structures

A secret-sharing scheme realizes the forbidden graph access structure determined by a graph G = (V,E) if a pair of vertices can reconstruct the secret if and only if it is an edge in G. Secret-sharing schemes for forbidden graph access structures of bipartite graphs are equivalent to conditional disclosure of secrets protocols, a primitive that is used to construct attributed-based encryption schemes. We study the complexity of realizing a forbidden graph access structure by linear secret-sharing schemes. A secret-sharing scheme is linear if the reconstruction of the secret from the shares is a linear mapping. In many applications of secret-sharing, it is required that the scheme will be linear. We provide efficient constructions and lower bounds on the share size of linear secret-sharing schemes for sparse and dense graphs, closing the gap between upper and lower bounds: Given a sparse graph with n vertices and at most n edges, for some 0 ≤ β < 1, we construct a linear secret-sharing scheme realizing its forbidden graph access structure in which the total size of the shares is Õ(n). We provide an additional construction showing that every dense graph with n vertices and at least ( n 2 ) − n edges can be realized by a linear secretsharing scheme with the same total share size. Furthermore, for the above graphs we construct a linear secret-sharing scheme realizing their forbidden graph access structure in which the size of the share of each party is Õ(n). We prove matching lower bounds on the share size of linear secret-sharing schemes realizing forbidden graph access structures. We prove that for most forbidden graph access structures, the total share size of every linear secret-sharing scheme realizing these access structures is Ω(n); this shows that the construction of Gay, Kerenidis, and Wee [CRYPTO 2015] is optimal. Furthermore, we show that for every 0 ≤ β < 1 there exist a graph with at most n edges and a graph with at least ( n 2 ) − n edges, such that the total share size in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n). Finally, we show that for every 0 ≤ β < 1 there exist a graph with at most n ? The first and the forth authors are supported by ISF grants 544/13 and 152/17 and by the Frankel center for computer science. The second author is supported by the European Union through H2020-ICT-2014-1-644024 and H2020-DS-2015-1-700540, and by the Spanish Government through TIN2014-57364-C2-1-R. 2 A. Beimel, O. Farràs, Y. Mintz and N. Peter edges and a graph with at least ( n 2 ) −n edges, such that the size of the share of at least one party in any linear secret-sharing scheme realizing these forbidden graph access structures is Ω(n). This shows that our constructions are optimal (up to poly-logarithmic factors).