Near-Optimal Placement of Secrets in Graphs

We consider the reconstruction of shared secrets in communication networks, which are modelled by graphs whose components are subject to possible failure. The reconstruction probability can be approximated using minimal cuts, if the failure probabilities of vertices and edges are close to zero. As the main contribution of this paper, node separators are used to design a heuristic for the near-optimal placement of secrets sets on the vertices of the graph.


Introduction
We consider a scenario where a set of secrets is shared among individuals connected by a communication network, in such a way that no individual holds all the secrets.In other words, several individuals have to cooperate in order to reconstruct the whole secret set.
Secret sharing schemes were first introduced and investigated in [1] and [2].In an (m, k)-threshold scheme, a secret is divided into k shares in such a way that the secret can be reconstructed whenever at least m of the shares have been collected.Survey papers on secret sharing schemes and threshold schemes are [3] and [4].
In this paper, we always assume m = k, i.e. it is necessary to collect all of the shares in order to reconstruct the secret.Subsets of the set of all secrets (called shares) are stored in the nodes of a communication network whose nodes and links are subject to failure with certain probability.One vertex is assumed to be the user node.
We consider two main problems: to calculate the reconstruction probability of the secrets, given an assignment of shares to vertices, and to assign shares to vertices such that the reconstruction probability of secrets gets as large as possible.
As the main contribution of this paper, we present an approximation algorithm for the determination of the reconstruction probability, as well as a heuristic for the near optimal placement of shares.

The Model
In this paper, a communication network is modelled by a finite undirected graph G = (V,E), where V consists of n vertices, and E is the set of edges.Let a finite set , , , k S s s s =  of secrets be given, and let Σ be a set of nonempty subsets (shares) of S. One node u v in V is supposed to be the user node.A shared secret scheme or secret sharing scheme on G is a 1-1 mapping e. each of the selected shares is placed on some node of the graph other than the user node.
It is further assumed that the vertices as well as the edges of G may possibly fail, i.e. they work with a certain probability only, and that the states of all single vertices and edges are independent from each other.In this paper, this probability is assumed to equal a fixed p ( 0 1 p ≤ ≤ ) for all vertices and all edges.The only exception is the user node u v ; for technical reasons which will become clear later, it is assumed that u v always works.
The reconstruction probability of ( ) , , G S σ is the probability that the complete se- cret set S can be reconstructed by the user node, i.e. the probability that along paths using vertices and edges not having failed and starting from node u v , it is possible to collect all the secrets 1 2 , , , k s s s  .It is obvious that as a function of p, the reconstruction probability is a polynomial.We denote this polynomial by r(p).
More formally, we call any subset X V E ⊆ ∪ a state.A state X is operational if the secrets can be reconstructed provided each element of X works.In these terms, the reconstruction probability is the probability that the vertices and edges not having failed constitute an operational state.
One problem is to determine the polynomial r(p).It can also be of interest to merely find the value ( ) 0 r p for a given 0 p .Given the graph G, set Σ of shares and probability value 0 p for all vertices and edges, another problem is to design a shared secret scheme (i.e.placement of shares on the vertices) such that ( ) 0 r p becomes maximum.

Introductory Examples and Previous Results
The diagram in Figure 1 shows a graph 1 G consisting of eight vertices and twelve edges.As in all the examples of this paper, the node labelled "1" is the user node u v .
Four secrets 1 2 3 4 , , , s s s s are given, and Σ consists of the following six shares: , S s s = .A shared secret scheme (i.e.placement of shares on vertices) is also shown in the diagram.The reconstruction probability polynomial turns out to be: Hence, e.g., ( ) Different variants of the model and related problems have been considered by many authors.Nearly all of the problems turn out to be NP-hard.In particular, it is easy to see that determining what we have called ( ) r p is a generalization of the graph reliability problem.For the basic results in this field, we refer to [8] and [9]; a lattice-theo- retic approach described in [10] and [11] is the basis of [7].
In [6], ( ) r p is calculated by constructing minimal share spanning trees.Also, a simple share assignment algorithm is presented providing near-optimal share assignments efficiently.In this algorithm, the main strategy is to place large shares on vertices close to u v .As the following example shows, this does not always lead to optimal results: For the same graph 1 G as in Figure 1, consider the share assignment shown in Figure 2. The two-element shares are placed on the neighbours of node 1. Surprisingly, this scheme is slightly less reliable than the one we considered in Figure 1.(An explanation for this will be given below.)In particular, it turns out that ( ) e. failure of all the elements of C makes it impossible for u v to reconstruct the complete secret set.A cut C is a mincut if it is inclusion minimal as a cut, i.e. no proper subset of C is a cut.
Mincuts play a central role in the rest of this paper.The dual approach based on inclusion-minimal operational sets (sometimes called minpaths) is used in [6].For a survey on the roles of cuts and paths in network reliability, see [8].
For s in S, call a subset C of V E ∪ an s-separator if failure of all the elements of C makes it impossible for u v to collect s.In this terminology, a cut is a subset which is an s-separator for at least one s in S. In [12], an algorithm is described generating all minimal s-separators.
In the following, to make a clear distinction, and following the terminology of [13], we call a subset C V ⊆ of nodes a node separator if removing C disconnects G, i.e. the graph C G induced by \ V C is not connected; in this case, if s and t are nodes belonging to different components of C G , C can also be viewed as an s-t-separator.
To illustrate the notion of cuts for secret sharing schemes, we look at another example which was also considered in [6]. Figure 3  { }

S s s =
A shared secret scheme is also shown in the diagram, with reconstruction polynomial ( ) Furthermore, there are 21 three-element mincuts, 33 four-element mincuts, 25 fiveelement mincuts, and only few mincuts containing six or more elements.Figure 4 presents a slightly better placement of the shares on the nodes of 2 G (this example was also presented in [14]).The reconstruction polynomial turns out to be ( )   with ( ) 0.9 0.9398 r ≈ . There are 5 two-element mincuts, 20 three-element mincuts, 32 four-element mincuts, 28 five-element mincuts, and only few larger ones.

Using Mincuts for Approximations
The following obvious fact is the basis of our approximation to ( ) is not operational if and only if its complement contains at least one mincut, i.e. there is a mincut . In other words, this means that ( ) equals the probability that all the elements of at least one mincut fail.Applying the inclusion-exclusion principle, this leads to a well-known formula which we rephrase as follows: Theorem 1.
, , , t C C C  be the collection of all the mincuts of a shared secret scheme.Then Proof: Let i f represent the statement " i C fails" (i.e. each of its elements fails).Then by the above observation, we get: ( ) ( ) Using independence of the states of single elements, one finally gets the formula of the theorem.
If we now set , , , t r p r p r p  is a sequence of approximations to ( ) r p , with ( ) ( ).

t r p r p =
To be more precise, At this point, it is certainly plausible that if 0 p is close to 1.0, then ( ) 0 r p tends to strongly depend on the number of mincuts of small cardinality.
As usual, we define : 1 q p = − .: 1 0.5 app r p m q m q u q u q =− ⋅ − ⋅ + ⋅ + ⋅ ⋅ , where the following notation is used: 2 m is the number of two-element mincuts in Μ , 3 m is the number of three-element mincuts in Μ , 3 u is number of unions of two elements of Μ that contain three elements, and 4 u is the number of unions of two elements of Μ consisting of four elements.Table 1 gives an overview on the secret sharing schemes considered in the examples.As can be seen, for these graphs of modest size, ( ) is quite a good approximation to the reconstruction probability, ( ) 0.9 r .

A Heuristic for Share Assignment Based on Node Separators
Once the relevance of mincuts for the reconstruction probability has become clear, we now turn to the question what makes a shared secret scheme have few mincuts.It turns out that, basically, there are two different effects that make a set X of vertices and edges a cut: • X is a node separator, and the complete secret set S cannot be reconstructed by u v only visiting vertices in its connected component • X contains all vertices that carry one specific secret To illustrate this, let us look at the example of Figure 3 again.

{ }
3, 4 X = is a cut, since failure of the two vertices 3 and 4 disconnects the graph, and the complete secret set cannot be reconstructed by u v visiting only vertices in its connected component.
Observe that is not a cut, although it disconnects the graph.On the other hand, { }

2, 4 Z =
does not disconnect the graph, but nevertheless is a cut, since none of the remaining vertices carries secret 1 s .
It is now possible to identify the reason why the shared secret scheme of Figure 4 has fewer two-element mincuts than the scheme shown in Figure 3: In the scheme shown in Figure 4, { } 3, 4 is a mincut "for two reasons", namely it is a node separator, but it also constitutes a mincut since it contains all vertices carrying secret 2 s ; opposed to this, the example of Figure 3 has the "additional" mincut { }  We next describe the algorithm for share assignment.
The algorithm share assignment assigns a share to the next node according to the It can be easily checked that for the examples considered above, the algorithm produces the share assignments with higher reconstruction probability.

Conclusion
The presented algorithm for share assignment in communication networks uses node separators of the underlying graphs.This algorithm produces better results than simply placing large shares close to the user node, as is suggested in previous publications.One interesting question for further research is that under which assumptions concerning the underlying graph and set of shares, the heuristic presented here results in an optimal placement of the shares on the nodes.

shows a graph 2 G
consisting of eight vertices and eleven edges.As in the preceding examples, four secrets 1 2 3 4 , , , s s s s are given, and Σ consists of the following six shares.

Figure 2 .
Figure 2. Another share assignment on graph 1 G .

For
the above examples, let Μ denote the set of mincuts with two or three elements.As approximation
following principles: • (1st priority) nodes inside node separators should carry common secrets • (2nd priority) nodes along paths in the BFS-tree should not carry common secrets This algorithm (including the precomputations) is polynomial in n, the number of vertices of the graph.