1. Introduction

We consider a scenario where a set of secrets is shared among individuals connected by a communication network, in such a way that no individual holds all the secrets. In other words, several individuals have to cooperate in order to reconstruct the whole secret set.

Secret sharing schemes were first introduced and investigated in [1] and [2] . In an (m, k)-threshold scheme, a secret is divided into k shares in such a way that the secret can be reconstructed whenever at least m of the shares have been collected. Survey papers on secret sharing schemes and threshold schemes are [3] and [4] .

In this paper, we always assume m = k, i.e. it is necessary to collect all of the shares in order to reconstruct the secret. Subsets of the set of all secrets (called shares) are stored in the nodes of a communication network whose nodes and links are subject to failure with certain probability. One vertex is assumed to be the user node.

We consider two main problems:

- to calculate the reconstruction probability of the secrets, given an assignment of shares to vertices, and

- to assign shares to vertices such that the reconstruction probability of secrets gets as large as possible.

Papers closely related are [5] - [7] .

As the main contribution of this paper, we present an approximation algorithm for the determination of the reconstruction probability, as well as a heuristic for the near optimal placement of shares.

2. Shared Secret Schemes in Networks with Failures

2.1. The Model

In this paper, a communication network is modelled by a finite undirected graph G = (V,E), where V consists of n vertices, and E is the set of edges. Let a finite set of secrets be given, and let be a set of nonempty subsets (shares) of S. One node in V is supposed to be the user node. A shared secret scheme or secret sharing scheme on G is a 1-1 mapping

,

i.e. each of the selected shares is placed on some node of the graph other than the user node.

It is further assumed that the vertices as well as the edges of G may possibly fail, i.e. they work with a certain probability only, and that the states of all single vertices and edges are independent from each other. In this paper, this probability is assumed to equal a fixed p () for all vertices and all edges. The only exception is the user node; for technical reasons which will become clear later, it is assumed that always works.

The reconstruction probability of is the probability that the complete secret set S can be reconstructed by the user node, i.e. the probability that along paths using vertices and edges not having failed and starting from node, it is possible to collect all the secrets. It is obvious that as a function of p, the reconstruction probability is a polynomial. We denote this polynomial by r(p).

More formally, we call any subset a state. A state X is operational if the secrets can be reconstructed provided each element of X works. In these terms, the reconstruction probability is the probability that the vertices and edges not having failed constitute an operational state.

One problem is to determine the polynomial r(p). It can also be of interest to merely find the value for a given. Given the graph G, set of shares and probability value for all vertices and edges, another problem is to design a shared secret scheme (i.e. placement of shares on the vertices) such that becomes maximum.

2.2. Introductory Examples and Previous Results

The diagram in Figure 1 shows a graph consisting of eight vertices and twelve edges. As in all the examples of this paper, the node labelled “1” is the user node. Four secrets are given, and consists of the following six shares:

, , , , ,.

A shared secret scheme (i.e. placement of shares on vertices) is also shown in the diagram. The reconstruction probability polynomial turns out to be:

Hence, e.g., ¹.

Different variants of the model and related problems have been considered by many authors. Nearly all of the problems turn out to be NP-hard. In particular, it is easy to see that determining what we have called is a generalization of the graph reliability problem. For the basic results in this field, we refer to [8] and [9] ; a lattice-theo- retic approach described in [10] and [11] is the basis of [7] .

In [6] , is calculated by constructing minimal share spanning trees. Also, a simple share assignment algorithm is presented providing near-optimal share assignments efficiently. In this algorithm, the main strategy is to place large shares on vertices close to. As the following example shows, this does not always lead to optimal results:

For the same graph as in Figure 1, consider the share assignment shown in Figure 2. The two-element shares are placed on the neighbours of node 1. Surprisingly, this scheme is slightly less reliable than the one we considered in Figure 1. (An explanation for this will be given below.) In particular, it turns out that

with.

As usual, a subset C of is called a cut if is not operational, i.e. failure of all the elements of C makes it impossible for to reconstruct the complete secret set. A cut C is a mincut if it is inclusion minimal as a cut, i.e. no proper subset of C is a cut.

Mincuts play a central role in the rest of this paper. The dual approach based on inclusion-minimal operational sets (sometimes called minpaths) is used in [6] . For a survey on the roles of cuts and paths in network reliability, see [8] .

For s in S, call a subset C of an s-separator if failure of all the elements of C makes it impossible for to collect s. In this terminology, a cut is a subset which is an s-separator for at least one s in S. In [12] , an algorithm is described generating all minimal s-separators.

In the following, to make a clear distinction, and following the terminology of [13] , we call a subset of nodes a node separator if removing C disconnects G, i.e. the graph induced by is not connected; in this case, if s and t are nodes belonging to different components of, C can also be viewed as an s-t-separator.

To illustrate the notion of cuts for secret sharing schemes, we look at another example which was also considered in [6] . Figure 3 shows a graph consisting of eight vertices and eleven edges. As in the preceding examples, four secrets are given, and consists of the following six shares.

, , , , ,

A shared secret scheme is also shown in the diagram, with reconstruction polynomial

,

and.

In this example, there are no one-element mincuts. The mincuts consisting of two elements turn out to be the following:, , , , ,. Furthermore, there are 21 three-element mincuts, 33 four-element mincuts, 25 five- element mincuts, and only few mincuts containing six or more elements.

Figure 4 presents a slightly better placement of the shares on the nodes of (this example was also presented in [14] ). The reconstruction polynomial turns out to be

,

with. There are 5 two-element mincuts, 20 three-element mincuts, 32 four-element mincuts, 28 five-element mincuts, and only few larger ones.

3. Using Mincuts for Approximations

The following obvious fact is the basis of our approximation to.

Remark 1.

A state is not operational if and only if its complement contains at least one mincut, i.e. there is a mincut.

In other words, this means that equals the probability that all the elements of at least one mincut fail. Applying the inclusion-exclusion principle, this leads to a well-known formula which we rephrase as follows:

Theorem 1.

Let be the collection of all the mincuts of a shared secret scheme. Then

Proof:

Let represent the statement “fails” (i.e. each of its elements fails). Then by the above observation, we get:

By inclusion-exclusion, this leads to:

Using independence of the states of single elements, one finally gets the formula of the theorem.

If we now set

for, then obviously, is a sequence of approximations to, with To be more precise,

.

At this point, it is certainly plausible that if is close to 1.0, then tends to strongly depend on the number of mincuts of small cardinality.

As usual, we define.

For the above examples, let denote the set of mincuts with two or three elements. As approximation to we define

,

where the following notation is used: is the number of two-element mincuts in, is the number of three-element mincuts in, is the number of unions of two elements of that contain three elements, and is the number of unions of two elements of consisting of four elements.

Table 1 gives an overview on the secret sharing schemes considered in the examples. As can be seen, for these graphs of modest size, is quite a good approximation to the reconstruction probability,.

4. A Heuristic for Share Assignment Based on Node Separators

Once the relevance of mincuts for the reconstruction probability has become clear, we now turn to the question what makes a shared secret scheme have few mincuts. It turns out that, basically, there are two different effects that make a set X of vertices and edges a cut:

・ X is a node separator, and the complete secret set S cannot be reconstructed by only visiting vertices in its connected component

・ X contains all vertices that carry one specific secret

To illustrate this, let us look at the example of Figure 3 again. is a cut, since failure of the two vertices 3 and 4 disconnects the graph, and the complete secret set cannot be reconstructed by visiting only vertices in its connected component. Observe that is not a cut, although it disconnects the graph. On the other hand, does not disconnect the graph, but nevertheless is a cut, since none of the remaining vertices carries secret.

It is now possible to identify the reason why the shared secret scheme of Figure 4 has fewer two-element mincuts than the scheme shown in Figure 3: In the scheme shown in Figure 4, is a mincut “for two reasons”, namely it is a node separator, but it also constitutes a mincut since it contains all vertices carrying secret; opposed to this, the example of Figure 3 has the “additional” mincut.

From these observations, we conclude that when designing a shared secret scheme, it is advantageous to place “secret mincuts” on node separators of the graph.

The heuristic presented also tries to avoid assigning a share to a node lying “behind” another node which carries a larger share. This point is illustrated via the small example presented in Figure 5: the assignment in diagram (a) is obviously more reliable than the one in diagram (b), since placing share on node 5 in (b) “behind” on node 3 does not make any sense.

We are now ready to present our heuristic for share assignment. The main idea is to place large shares on nodes close to (as in [6] ), but to also take into account node separators close to. The restriction to node separators close to keeps the algorithm polynomial in the size of G, independent of the size and structure of.

We assume a graph with user node as well as a set of shares are given, with, , and. A secret sharing scheme (1-1 mapping)

,

is defined by iteration, according to the following algorithm.

We begin with precomputations consisting of three algorithms:

・ Algorithm BFS-tree

・ Algorithm separators

・ Algorithm list of shares

We next describe the algorithm for share assignment.

It is assumed that the algorithms BFS-tree, separators, and list of shares have been executed and have produced the numbering of nodes with, the set Minsep of separators close to, and the list Share list of all shares.

We next describe the algorithm for share assignment.

The algorithm share assignment assigns a share to the next node according to the following principles:

・ (1st priority) nodes inside node separators should carry common secrets

・ (2nd priority) nodes along paths in the BFS-tree should not carry common secrets

This algorithm (including the precomputations) is polynomial in n, the number of vertices of the graph.

It can be easily checked that for the examples considered above, the algorithm produces the share assignments with higher reconstruction probability.

5. Conclusion

The presented algorithm for share assignment in communication networks uses node separators of the underlying graphs. This algorithm produces better results than simply placing large shares close to the user node, as is suggested in previous publications. One interesting question for further research is that under which assumptions concerning the underlying graph and set of shares, the heuristic presented here results in an optimal placement of the shares on the nodes.

Acknowledgements

This research was supported by Fachhochschule Südwestfalen―University of Applied Sciences.

NOTES

¹In this paper, all calculations were done using Matlab.