Article, Open Access

Secret sharing and duality

  • Laszlo Csirmaz
Published/Copyright: 25 November 2020

Abstract

Secret sharing is an important building block in cryptography. All explicit secret sharing schemes which are known to have optimal complexity are multi-linear, thus are closely related to linear codes. The dual of such a linear scheme, in the sense of duality of linear codes, gives another scheme for the dual access structure. These schemes have the same complexity, namely the largest share size relative to the secret size is the same. It is a long-standing open problem whether this fact is true in general: the complexity of any access structure is the same as the complexity of its dual. We give a partial answer to this question. An almost perfect scheme allows negligible errors, both in the recovery and in the independence. There exists an almost perfect ideal scheme on 174 participants whose complexity is strictly smaller than that of its dual.

MSC 2010: 05B35; 94A15; 06D50; 94A62

1 Introduction

The complexity of a secret sharing scheme is the largest share size relative to the secret size. An access structure is ideal if it can be realized by a scheme of complexity 1. The open question posed in many papers is whether there exists an ideal structure whose dual is not ideal, and, more generally, whether the optimal complexity of an access structure is preserved by duality. This paper gives a partial answer to these questions by using a different secret sharing model. This model allows negligible errors, both in secret recovery and in independence; “almost” refers to this relaxed model. The construction of a secret sharing scheme whose almost complexity differs from that of its dual is a tour de force connecting several different pieces of earlier results. Theorems 19 and 20 state the equivalence of secret sharing conjectures and matroid representation problems using the standard and the relaxed models, respectively. The final construction in Section 4 is based on the second theorem. Settling the duality conjecture in the standard model remains an interesting research problem; a possible direction is indicated in the last section.

We assume familiarity with secret sharing schemes; for an overview consult [1]. A significant portion of matroid and polymatroid theory is used. The standard textbook for matroids is [21]; for polymatroids see [13] and the works of F. Matúš [15, 16]. Nevertheless, most of the theorems and claims are proved here – a notable exception is F. Matúš’s result from [17].

Following the usual practice, sets and their subsets are denoted by capital letters, their elements by lower case letters. The union sign ∪ is frequently omitted, as are the curly brackets around singletons. Thus asP denotes the set {a, s} ∪ P. The set difference operator has lower priority than the union, thus aA−bB is ({a} ∪ A) − ({b} ∪ B).

The paper is organized as follows. Section 2 introduces polymatroids, secret sharing, complexity measures, duality, and concludes with conjectures on the complexity of dual structures. Section 3 presents two questions on matroid representability and proves that they are equivalent to the conjectures. Section 4 gives a detailed account of Tarik Kaced’s result on almost entropic matroids [10], completing the tour. Some open problems are listed in Section 5. Two proofs are postponed to the Appendix: the first is on matroid circuits used in Claim 5, the second is the MMRV entropy inequality used in the proof of Theorem 21.

2 Preliminaries

2.1 Polymatroids

A polymatroid 𝓜 = (f, M) is a non-negative, monotone and submodular function f defined on the collection of non-empty subsets of the finite set M. Here M is the ground set, and f is the rank function. If f takes non-negative integer values only, then 𝓜 is integer; an integer polymatroid is a matroid if the rank of every singleton is either zero or one. Polymatroids can be identified with vectors in the (2^|M| − 1)-dimensional Euclidean space whose coordinates are indexed by the non-empty subsets of M. The collection of polymatroids with ground set M is a full-dimensional pointed polyhedral cone denoted by Γ_M, see [23].

For a discrete random variable ξ its information content is measured by the Shannon entropy H(ξ), see [23]. Let ξ = ⟨ξ_i : i ∈ M⟩ be a collection of discrete random variables with some joint distribution. For a subset A ⊆ M, the subcollection ⟨ξ_i : i ∈ A⟩ is denoted by ξ_A. The conditional entropy of ξ_A given ξ_B is H(ξ_A | ξ_B) = H(ξ_{A∪B}) − H(ξ_B), with value between zero and H(ξ_A). The value is zero if and only if ξ_A is determined completely by ξ_B, and equals H(ξ_A) if and only if the random variables ξ_A and ξ_B are independent.

As observed by Fujishige [7], the function A ↦ H(ξ_A) is the rank function of a polymatroid, which we denote by 𝓜_ξ. The polymatroid 𝓜 is entropic if it can be obtained this way. The collection of entropic polymatroids on the ground set M is Γ*_M ⊆ Γ_M. For |M| ≥ 3 the set Γ*_M is not closed (in the usual Euclidean topology). Polymatroids in the closure of Γ*_M are called almost entropic, or just aent. Aent polymatroids form a full-dimensional convex cone, and every internal point of this cone is entropic [17]. For |M| ≥ 4 there is a polymatroid in Γ_M with a positive distance from the aent cone [23]; and the aent cone is not polyhedral [18].

By an abuse of notation, we say that 𝓜 is an entropic matroid if 𝓜 is a matroid and for some positive real number λ the polymatroid λ𝓜 is entropic.

The singleton e ∈ M in the polymatroid (f, M) is a loop if it has rank zero. In terms of entropic polymatroids, being a loop means that the variable ξ_e is deterministic: it takes a single value with probability 1. If not mentioned otherwise, polymatroids in this paper have no loops.

With an eye on entropic polymatroids, disjoint subsets A, B of the ground set M are called independent if f(AB) = f(A) + f(B). If A and B are independent, A′ ⊆ A and B′ ⊆ B, then A′ and B′ are independent as well – this follows from the submodularity of the rank function. The single subset A is independent if any two disjoint subsets of A are independent. In other words, A is independent iff

$$f(A) = \sum_{i \in A} f(i).$$

A base is a maximal independent subset which contains no loops; a circuit is a minimal dependent subset. In a loopless polymatroid every independent set can be extended to a base, and every dependent set contains a circuit. In the case when 𝓜 is a matroid every base has the same number of elements, and this number equals the rank of the ground set M. Moreover every subset A ⊆ M contains an independent set of size f(A), and every subset A ⊆ M with rank f(A) < |A| contains a circuit, see [21].

The polymatroid (f, M) is connected if for every partition of M into two non-empty sets A and B we have f(A) + f(B) > f(M), that is, A and B are not independent. Connected polymatroids have no loops. Indeed, if i ∈ M is a loop then f(M) = f(M−i), thus the partition M = {i} ∪ (M−i) contradicts connectedness.

For an element i ∈ M, the private info of i is f(M) − f(M−i), as this is the amount of information which only i and nobody else in M has. If i has no private information, then we say that the polymatroid is tight at i. Tightening at i means that i is stripped of its private info, resulting in the function f↓i defined as

$$f^{\downarrow i}(A) = \begin{cases} f(A) & \text{if } i \notin A, \\ f(A) - \bigl(f(M) - f(M-i)\bigr) & \text{if } i \in A. \end{cases}$$

Of course, (f↓i, M) is a polymatroid tight at i. If 𝓜 = (f, M) is tight at every i ∈ M then 𝓜 is tight. 𝓜↓ is the polymatroid obtained from 𝓜 after tightening at every element of its ground set (the result is independent of the order in which the elements are taken). Clearly, 𝓜 is tight if and only if 𝓜 = 𝓜↓. If 𝓜 is almost entropic then 𝓜↓ is almost entropic; this is a result of F. Matúš [20, Lemma 3]. In particular, the tight part of an entropic polymatroid is guaranteed to be almost entropic, but it is not necessarily entropic. A notable exception is the case of matroids: a matroid 𝓜 is entropic if and only if 𝓜↓ is entropic. This is so because if i is not tight, its private info is a positive integer, thus 1 = f(M) − f(M−i) ≤ f(i) ≤ 1, so i is independent of all subsets of M−i, and the random variable representing i can be discarded.

2.2 Secret sharing

In a perfect secret sharing scheme there is a secret, and each participant from the finite set P receives a share such that certain subsets of participants can recover the secret from their joint shares, while other subsets – based on the values of their shares – have no information on the secret. Subsets that can recover the secret are qualified; the qualified subsets form the access structure 𝒜 ⊆ 2^P. Sets not in 𝒜 are called forbidden or unqualified. An access structure is clearly upward closed. To avoid exceptional cases, 𝒜 is assumed to be non-empty (thus all participants together can recover the secret), and the empty set is assumed not to be in 𝒜 (there must be a secret at all).

The participant i ∈ P is important if there is an unqualified subset such that when i joins this subset, it becomes qualified. If i is not important, then it can join or leave any subset without affecting its status. Consequently the share of an unimportant participant does not play any role, and unimportant participants can be discarded. The access structure 𝒜 is connected if every participant is important. This terminology comes from the relationship between access structures and polymatroids realizing them, see Claims 4 and 5 below. In the rest of the paper, if not mentioned otherwise, access structures are assumed to be connected.

There are several definitions of what a perfect secret sharing scheme is. The following definition is considered to be the most general one, encompassing all other natural notions [1]. P is the set of participants and s ∉ P denotes the secret. A distribution scheme is a collection of discrete random variables ξ = ⟨ξ_i : i ∈ sP⟩ with some joint distribution. The value of ξ_s is the secret, while the value of ξ_i is the share of participant i ∈ P. The secret must be non-trivial, namely it must take at least two different values with positive probability.

The distribution scheme ξ realizes an access structure if a) the collection of shares of a qualified subset determines the secret, and b) the collection of shares of an unqualified subset is independent of the secret. Let 𝓜_ξ = (f, sP) be the entropic polymatroid associated with ξ. Shares of the subset A ⊆ P determine the secret iff H(ξ_s | ξ_A) = 0, which translates to f(sA) = f(A). The same collection is independent of the secret iff H(ξ_s | ξ_A) = H(ξ_s), which translates to f(sA) = f(A) + f(s). This justifies the following definition.

Definition (realizing an access structure). The polymatroid 𝓜 = (f , sP) realizes the access structure 𝒜 ⊆ 2P if a) A ∈ 𝒜 if and only if f(sA) = f(A), and b) A ∉ 𝒜 if and only if f(sA) = f(A) + f(s). Polymatroids realizing an access structure are called secret sharing polymatroids.

The entropic polymatroid 𝓜ξ realizes the access structure 𝒜 if and only if ξ is a distribution scheme realizing 𝒜. Indeed, if ξ is a distribution scheme then f(s) = H(ξs) is positive, thus one cannot have f(sA) = f(A) and f(sA) = f(A) + f(s) at the same time. Conversely, if 𝓜ξ realizes 𝒜, then f(s) > 0 (otherwise both f(As) = f(A) and f (As) = f(A) + f(s) hold simultaneously), thus the secret is not trivial. Other conditions follow easily.

The proof of the following well-known fact illustrates the ease of reasoning when using polymatroids rather than using entropies directly.

Claim 1

Suppose 𝓜 realizes 𝒜. Then f(i) ≥ f(s) for every important participant i ∈ P.

Proof

As i ∈ P is important, there is an unqualified subset A ⊆ P (A can be empty) such that iA is qualified. Then f(sA) = f(A) + f(s), and f(siA) = f(iA). Using that f(i) + f(A) ≥ f(iA) and f(siA) ≥ f(sA) (submodularity and monotonicity) one gets

$$f(i) \ge f(iA) - f(A) = f(siA) - f(A) \ge f(sA) - f(A) = f(s),$$

which proves the claim. □

All participants together can always determine the secret, thus f(sP) = f(P). This means that the secret has no private info. The private info of the participants does not help at all.

Claim 2

The polymatroid 𝓜 realizes 𝒜 if and only if 𝓜↓ realizes 𝒜.

Proof

As observed above, the secret is tight, so let i ∈ P and 𝓜↓i = (f*, sP) be the polymatroid after taking away the private info of i. For every A ⊆ P, either i is in both A and sA, or i is in neither of them, thus

$$f^*(sA) - f^*(A) = f(sA) - f(A).$$

This means that if one of 𝓜 or 𝓜↓i realizes 𝒜, then the other does the same. The claim follows after tightening at each participant. □

Given an access structure it would be tempting to consider tight polymatroids only among those which realize it. But, as was mentioned at the end of Section 2.1, there is no guarantee that the tight part of an entropic polymatroid is also entropic.

Corollary 3

Suppose 𝒜 is connected, and 𝓜 realizes 𝒜. If f(i) = f(s) then i ∈ P is tight.

Proof

By Claim 2, 𝓜↓i = (f*, sP) also realizes 𝒜. As i ∈ P is important, Claim 1 gives f*(i) ≥ f(s). Now f*(i) ≤ f(i) = f(s), thus f*(i) = f(i), showing that i is tight. □

According to Claim 4 below, a polymatroid realizing a connected access structure must be connected. The converse is not true in general. In the special case when the polymatroid is a matroid, the converse follows from some standard properties of matroid circuits [21].

Claim 4

Suppose the polymatroid 𝓜 realizes the access structure 𝒜. If the access structure is connected, then 𝓜 is connected.

Proof

Assume, by contradiction, that 𝓜 = (h, sP) is not connected, which means that the ground set sP has a partition into sA and B with B ≠ ∅ such that h(sAB) = h(sA) + h(B). In other words, sA and B are independent, consequently subsets of sA and B are independent as well. Pick b ∈ B. As 𝒜 is connected, b is important, so there is an unqualified set A′B′ with A′ ⊆ A and B′ ⊆ B−b such that A′bB′ is qualified. Then h(sA′B′) = h(A′B′) + h(s), from where

$$h(sA') + h(B') = h(sA'B') = h(A'B') + h(s) = h(A') + h(B') + h(s).$$

On the other hand, h(sA′bB′) = h(A′bB′), which gives

$$h(sA') + h(bB') = h(sA'bB') = h(A'bB') = h(A') + h(bB').$$

From the first line h(sA′) = h(A′) + h(s), while from the second h(sA′) = h(A′), a contradiction as h(s) > 0. □

Claim 5

Suppose 𝓜 is a matroid which realizes the access structure 𝒜. If 𝓜 is connected then so is the access structure 𝒜.

Proof

Using matroid terminology, A is dependent if h(A) < |A|, and A is a circuit if it is a minimal dependent set. If C is a circuit, then h(C) = |C| − 1 and for each i ∈ C, h(C−i) = |C| − 1. A circuit connects two points if it contains both of them.

Let the ground set of the matroid be sP and pick some a ∈ P. To show that a is important it is enough to find a circuit C connecting a and s. Indeed, let A = C−s; then a ∈ A and h(sA) = h(C) = h(C−s) = h(A), thus A is qualified. C is minimal dependent, thus sA−a = C−a is independent, and then h(sA−a) = h(s) + h(A−a), which means A−a is not qualified.

To finish the proof it suffices to quote the following result from matroid theory [21, Proposition 4.1.4]: a matroid is connected if and only if any two points can be connected by a circuit. For a quick proof see the Appendix. □

2.3 Complexity

Distribution schemes realizing an access structure scale up: taking n independent copies of the scheme, all entropies are multiplied by n and the composite scheme still realizes the same access structure. Similarly, whether a polymatroid realizes an access structure or not is invariant under multiplying the polymatroid by any positive constant. When defining efficiency one has to take this scalability into account. The usual way is to measure everything in multiples of the secret size. For example, if 𝓜 = (f, sP) is a secret sharing polymatroid, then the relative share size of participant i ∈ P is f(i)/f(s), and the (worst case) complexity of 𝓜 is

$$\sigma(\mathcal{M}) = \max\Bigl\{ \frac{f(i)}{f(s)} : i \in P \Bigr\}.$$

Other complexity measures, not considered here, include average relative size, and the scaled total randomness. If 𝓜 realizes the connected access structure 𝒜, then σ(𝓜) ≥ 1 by Claim 1. Access structures where this lower bound is attained are called ideal.

Definition (ideal and almost ideal structures). The access structure 𝒜 is ideal if it can be realized by an entropic polymatroid with complexity 1. The access structure 𝒜 is almost ideal if it can be realized by an almost entropic polymatroid with complexity 1.

In general, the usual definition of the complexity of an access structure is the infimum of the complexity of all secret sharing schemes realizing it:

$$\sigma(\mathcal{A}) = \inf\{\sigma(\mathcal{M}) : \mathcal{M} \text{ is entropic and realizes } \mathcal{A}\}.$$

Interestingly, there is a non-ideal (according to our definition) access structure with complexity 1, see [2, Section 6], thus the infimum here is not necessarily attained. The cone of almost entropic polymatroids is closed, see [17] or [23], thus an access structure with complexity 1 is almost ideal. It is an interesting open question whether the converse is true. When approximating an aent polymatroid by an entropic one, the only guarantee is that the rank functions differ by a small (negligible) amount. This means that qualified subsets can recover the secret with “overwhelming probability” only (as H(s|A) is not necessarily zero, only negligible), and unqualified subsets might get information on the secret (as H(s|A) can be strictly smaller than H(s)), but this information is negligible. This relaxation is investigated under the name probabilistic secret sharing, see, e.g., [5] and [11]. The question is whether we can patch these imperfections by adding a small amount of entropy to the secret. For secret recovery the answer is yes, see [11]; for independence the author tends to believe that the answer is no.

Next to σ(𝒜), other complexity measures can be defined by considering other polymatroid classes. Realizing 𝒜 by an entropic polymatroid is the same as realizing it by a distribution scheme. Realizing it by an almost entropic polymatroid instead means that one relaxes the strict requirements of recoverability and independence “up to a negligible amount”. Linearly representable polymatroids are important from both the practical and the theoretical point of view. Such polymatroids arise from linear error correcting codes [9]; they are studied extensively and typically provide concise, efficient and low complexity schemes. We consider the following polymatroid classes, listed in decreasing order:

  a) all polymatroids,

  b) almost entropic polymatroids,

  c) entropic polymatroids,

  d) (conic hull of) linearly representable polymatroids.

Every access structure can be realized by a linearly representable polymatroid, thus every class gives a complexity notion on access structures. For classes a), c) and d) they are denoted by κ, σ, and λ [22]. For class b) we use σ̄ to indicate that we are considering the closure of entropic polymatroids. The earlier definition of σ(𝒜) is the same as the one given here.

$$\begin{aligned}
\kappa(\mathcal{A}) &= \inf\{\sigma(\mathcal{M}) : \mathcal{M} \text{ realizes } \mathcal{A}\}, \\
\bar\sigma(\mathcal{A}) &= \inf\{\sigma(\mathcal{M}) : \mathcal{M} \text{ is aent and realizes } \mathcal{A}\}, \\
\sigma(\mathcal{A}) &= \inf\{\sigma(\mathcal{M}) : \mathcal{M} \text{ is entropic and realizes } \mathcal{A}\}, \\
\lambda(\mathcal{A}) &= \inf\{\sigma(\mathcal{M}) : \mathcal{M} \text{ is linear and realizes } \mathcal{A}\}.
\end{aligned}$$

For the same access structure these values increase (as fewer and fewer polymatroids are considered). Each pair of these measures is known to be separated except for σ and σ̄, see [1, 22].
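As an added worked example (not part of the original paper), the following Python script builds the entropic polymatroid 𝓜_ξ of a 2-out-of-3 Shamir scheme over GF(5) by enumerating all equiprobable outcomes and computing joint entropies, then checks the realization conditions of Section 2.2 and the complexity σ of Section 2.3. A second, constructed variant gives participant c an extra independent field element, so that c carries private info: the scheme still realizes the structure (Claim 2), but its complexity is 2. The field size, the evaluation points and the noise variable are choices made for this example.

```python
"""Entropic polymatroid of a 2-out-of-3 Shamir scheme over GF(5); constructed example."""
from collections import Counter
from itertools import combinations, product
from math import log2

Q = 5                                  # field size; the share of x is s + r*x (mod Q)
S, PARTS = "s", ("a", "b", "c")
X = {"a": 1, "b": 2, "c": 3}           # evaluation point of each participant (a choice)


def outcomes(noisy_c=False):
    """All equiprobable outcomes (secret s, coefficient r, and an independent uniform
    element t).  With noisy_c, participant c receives t on top of its Shamir share:
    t is the constructed 'private info' of c.  Without it, t is fixed to 0."""
    out = []
    for s, r, t in product(range(Q), repeat=3):
        if t and not noisy_c:
            continue
        o = {S: s, **{p: (s + r * X[p]) % Q for p in PARTS}}
        if noisy_c:
            o["c"] = (o["c"], t)
        out.append(o)
    return out


def entropy(A, samples):
    """Shannon entropy (bits) of the joint variable xi_A over equiprobable samples."""
    n = len(samples)
    counts = Counter(tuple(o[i] for i in sorted(A)) for o in samples)
    return -sum(c / n * log2(c / n) for c in counts.values())


def rank_function(samples):
    """A -> H(xi_A), the rank function of the entropic polymatroid M_xi (Fujishige)."""
    return lambda A: entropy(frozenset(A), samples)


def threshold(A):
    """The 2-out-of-3 access structure on PARTS."""
    return len(set(A)) >= 2


def realizes(f, qualified, parts=PARTS, tol=1e-9):
    """Section 2.2: A qualified iff f(sA) = f(A); A unqualified iff f(sA) = f(A) + f(s)."""
    for k in range(len(parts) + 1):
        for A in combinations(parts, k):
            gap = f(A + (S,)) - f(A)
            want = 0.0 if qualified(A) else f((S,))
            if abs(gap - want) > tol:
                return False
    return True


def complexity(f, parts=PARTS):
    """sigma(M) = max f(i)/f(s), the worst-case relative share size (Section 2.3)."""
    return max(f((p,)) for p in parts) / f((S,))


def private_info(f, i, parts=PARTS):
    """(f(M) - f(M-i)) / f(s) for the ground set M = sP (Section 2.1)."""
    ground = (S,) + parts
    return (f(ground) - f(tuple(j for j in ground if j != i))) / f((S,))


if __name__ == "__main__":
    f = rank_function(outcomes())
    print("f(ab)/f(s) =", round(f("ab") / f("s"), 6))      # 2: any two values fix s and r
    print("realizes 2-of-3:", realizes(f, threshold), " sigma =", complexity(f))
    g = rank_function(outcomes(noisy_c=True))
    print("noisy c: realizes", realizes(g, threshold), " sigma =", complexity(g),
          " private info of c =", private_info(g, "c"))
```

All ranks come out as multiples of log₂ 5, and f/f(s) is the rank function of the uniform matroid U_{2,4} on {s, a, b, c}; Claim 1 (f(i) ≥ f(s)) and the private-info computation of Section 2.1 can be read off the same table. In the noisy variant, tightening at c (subtracting one unit from every set containing c) gives back the first polymatroid.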

2.4 Duals

Let P be the set of participants, and 𝒜 ⊆ 2^P be an access structure. The qualified subsets in the dual access structure 𝒜⊥ are the complements of the unqualified subsets of 𝒜:

$$\mathcal{A}^\perp = \{ A \subseteq P : P - A \notin \mathcal{A} \}.$$

Clearly, the dual of 𝒜⊥ is 𝒜; ∅ ∉ 𝒜⊥ and P ∈ 𝒜⊥ as these are true for 𝒜. For example, the dual of the t-out-of-n threshold structure is the (n−t+1)-out-of-n threshold structure, since |P − A| ≤ t − 1 holds exactly when |A| ≥ n − t + 1.

Claim 6

𝒜 is connected if and only if 𝒜⊥ is connected.

Proof

Suppose 𝒜 is connected; we show that 𝒜⊥ is connected. The other direction follows from (𝒜⊥)⊥ = 𝒜. Let a ∈ P, and A ⊆ P unqualified in 𝒜 such that aA ∈ 𝒜. Such an A exists as 𝒜 is connected. Then a ∈ P−A, P−A is qualified in 𝒜⊥ (its complement A is not in 𝒜), and (P−A)−a is not qualified in 𝒜⊥ (its complement aA is in 𝒜), as required. □

Let 𝓜 = (f, M) be a polymatroid. Define the discrete measure μ on subsets of M by μ(i) = f(i). As the measure is additive, for every subset A ⊆ M we have

$$\mu(A) = \sum_{i \in A} f(i).$$

The dual of the polymatroid 𝓜 is 𝓜⊥ = (f⊥, M) where the function f⊥ is defined for subsets of M as

$$f^\perp : A \mapsto f(M - A) + \mu(A) - f(M).$$

By submodularity, f⊥ is non-negative; monotonicity (f⊥(iA) − f⊥(A) = f(i) − (f(M−A) − f(M−A−i)) ≥ 0 by submodularity) and submodularity hold by an easy inspection, thus 𝓜⊥ is a polymatroid. If 𝓜 is integer-valued then so is 𝓜⊥; moreover if 𝓜 is a matroid (the rank of a singleton is zero or one), then so is the dual.

Claim 7

  a) 𝓜 is connected if and only if 𝓜⊥ is connected. b) 𝓜 realizes the access structure 𝒜 if and only if 𝓜⊥ realizes 𝒜⊥.

Proof

  a) Suppose A ∪ B is a partition of M, then μ(A) + μ(B) = μ(M). By the definition of f⊥ we have

    $$f^\perp(A) + f^\perp(B) - f^\perp(M) = f(B) + f(A) - f(M).$$

    If one of them is positive, then the other is positive, as required.

  b) Let M = sP, A ⊆ P, then μ(sA) − μ(A) = μ(s) = f(s), thus

    $$\bigl(f^\perp(sA) - f^\perp(A)\bigr) + \bigl(f(sP-A) - f(P-A)\bigr) = f(s).$$

    Note also that f⊥(s) = f(P) + f(s) − f(sP) = f(s), as f(sP) = f(P). If 𝓜 realizes 𝒜, then f(sP−A) − f(P−A) is either zero or f(s) depending on whether P−A ∈ 𝒜 or not. Consequently f⊥(sA) − f⊥(A) is either zero or f(s) = f⊥(s) depending on whether P−A ∉ 𝒜 or not. Thus f⊥ realizes 𝒜⊥. The converse is similar. □

The dual polymatroid 𝓜⊥ is always tight as

$$f^\perp(M-i) = f(i) + \mu(M-i) - f(M) = \mu(M) - f(M) = f^\perp(M).$$

Consequently the dual of 𝓜⊥ is also tight, and if 𝓜 was not tight, the dual of 𝓜⊥ cannot be the same as 𝓜. However, if 𝓜 is tight, then it equals 𝓜⊥⊥; in particular 𝓜⊥⊥⊥ = 𝓜⊥ is always true.

Claim 8

  a) Suppose 𝓜 is tight. Then 𝓜⊥⊥ = 𝓜; moreover 𝓜 and 𝓜⊥ have the same value on singletons. b) For every polymatroid 𝓜, 𝓜⊥⊥ = 𝓜↓.

Proof

  a) We start with the second claim. By the assumption, f(M) = f(M−i), so

    $$f^\perp(i) = f(M-i) + \mu(i) - f(M) = \mu(i) = f(i),$$

    as claimed. It means that μ⊥(A) = μ(A), and then

    $$f^\perp(M-A) = f(A) + \mu(M-A) - f(M), \qquad f^\perp(M) = \mu(M) - f(M),$$

    thus

    $$f^{\perp\perp}(A) = f^\perp(M-A) + \mu^\perp(A) - f^\perp(M) = f(A) + \mu(M-A) + \mu(A) - \mu(M) = f(A),$$

    proving 𝓜⊥⊥ = 𝓜.

  b) It is enough to show that the dual of 𝓜 and the dual of 𝓜↓ are the same; from here the claim follows by a), as 𝓜↓ is tight. In 𝓜↓i the rank of every set containing i ∈ M decreases by the same amount. In the expression

    $$f(M-A) + \mu(A) - f(M)$$

    this amount is subtracted exactly once in the first two terms (from f(M−A) if i ∉ A, from μ(A) if i ∈ A) and once more in the last term, which enters with a negative sign, thus it cancels. □
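The following added Python example (not from the paper) implements the dual rank f⊥, the dual access structure 𝒜⊥, tightening 𝓜↓, and checks Claims 7 b) and 8 b) on a constructed non-tight matroid: the uniform matroid U_{2,5} on {s, a, b, c, d} together with a coloop e, that is, a participant holding one unit of private randomness. The ground set, the names and the example matroid are this example's own choices.

```python
"""Dual polymatroid, dual access structure and tightening (Section 2.4); constructed example."""
from itertools import combinations

S = "s"
P = ("a", "b", "c", "d", "e")          # participants; e is a coloop carrying private info only
M = (S,) + P
CORE = frozenset({S, "a", "b", "c", "d"})


def subsets(ground):
    ground = sorted(ground)
    for k in range(len(ground) + 1):
        for A in combinations(ground, k):
            yield frozenset(A)


def f(A):
    """Rank of U_{2,5} on CORE plus the coloop e: an integer polymatroid that is a matroid,
    but not tight (e has private info 1)."""
    A = frozenset(A)
    return min(len(A & CORE), 2) + (1 if "e" in A else 0)


def dual(rank, ground):
    """f^perp(A) = f(M-A) + mu(A) - f(M), where mu(A) is the sum of the singleton ranks."""
    ground = frozenset(ground)
    total = rank(ground)
    return lambda A: rank(ground - frozenset(A)) + sum(rank({i}) for i in A) - total


def private_info(rank, ground, i):
    ground = frozenset(ground)
    return rank(ground) - rank(ground - {i})


def tighten(rank, ground):
    """M-down: every element is stripped of its private info (the order does not matter)."""
    drop = {i: private_info(rank, ground, i) for i in ground}
    return lambda A: rank(A) - sum(drop[i] for i in A)


def is_tight(rank, ground):
    return all(private_info(rank, ground, i) == 0 for i in ground)


def access_of(rank, parts):
    """The access structure realized by (rank, sP): {A : f(sA) = f(A)}.
    Raises if some A is neither qualified nor independent of the secret."""
    qualified = set()
    for A in subsets(parts):
        gap = rank(A | {S}) - rank(A)
        if gap == 0:
            qualified.add(A)
        elif gap != rank({S}):
            raise ValueError(f"{sorted(A)} has partial information on the secret")
    return qualified


def dual_access(access, parts):
    """A^perp = {A subset of P : P-A not in A}."""
    parts = frozenset(parts)
    return {A for A in subsets(parts) if (parts - A) not in access}


def same(rank1, rank2, ground):
    return all(rank1(A) == rank2(A) for A in subsets(ground))


if __name__ == "__main__":
    fd = dual(f, M)
    print("f^perp tight:", is_tight(fd, M), " f tight:", is_tight(f, M))
    print("e is a loop of the dual:", fd({"e"}) == 0)
    print("Claim 8 b)  f^perp^perp == f-down:", same(dual(fd, M), tighten(f, M), M))
    acc = access_of(f, P)
    print("Claim 7 b)  access(f^perp) == access(f)^perp:", access_of(fd, P) == dual_access(acc, P))
    print("2-of-{a,b,c,d} dualizes to 3-of-{a,b,c,d}:",
          all((len(A & {"a", "b", "c", "d"}) >= 3) == (A in access_of(fd, P)) for A in subsets(P)))
```

In the output, e is a loop of f⊥ (the dual is tight, as shown after Claim 7), f⊥ restricted to {s, a, b, c, d} is U_{3,5}, and the 2-out-of-4 structure on {a, b, c, d} dualizes to 3-out-of-4, as the threshold remark of Section 2.4 predicts; e is unimportant on both sides.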

2.5 Factor and principal extension

Let 𝓜 = (h, M) be a polymatroid. Partitions of the ground set M can be considered as the sets of equivalence classes of an equivalence relation on M. Fix an equivalence relation on M, let N be the set of its equivalence classes, and let φ : M → N be the map which assigns to each element its equivalence class. The factor of 𝓜 by this relation is the pair (g, N) where g assigns the value g : A ↦ h(φ^{−1}(A)) to subsets A of N (that is, h is evaluated on the union of complete equivalence classes). It is clear that the factor is a polymatroid.

Let a ∈ M, and α ≥ 0 be a real number. The principal extension 𝓜_{a,α} is a one-point extension of 𝓜 defined on the set M ∪ {a′} assigning the value

$$h' : a'A \mapsto \min\{h(A) + \alpha,\ h(aA)\}, \qquad A \subseteq M,$$

to the new subsets. It is routine to check that the principal extension is a polymatroid [13]. A principal extension of an almost entropic polymatroid is almost entropic. This is an immediate consequence of (and actually, is equivalent to) a result of F. Matúš [17, Theorem 2], see also [20, Lemma 3]. We state this result without proof.

Theorem 9

(F. Matúš). If the polymatroid 𝓜 is almost entropic, then so is the principal extension 𝓜_{a,α}. □

Matúš’ proof guarantees the extension to be only almost entropic even if 𝓜 is entropic. In fact, there is an entropic polymatroid where some principal extension is not entropic.

Principal extensions can be used to “split atoms” of a polymatroid, which, in turn, will be used to prove that integer polymatroids are factors of matroids. Let us see the details. In what follows 𝓜 = (h, M) is a polymatroid.

Lemma 10

Let a ∈ M, and α_1, α_2 be non-negative numbers whose sum is h(a). There is a polymatroid 𝓜′ = (h′, a_1a_2M−a) such that h′(a_i) = α_i, and 𝓜 is a factor of 𝓜′ collapsing a_1 and a_2 to a. Moreover, 𝓜 is almost entropic if and only if so is 𝓜′.

Proof

Let 𝓜′ be the principal extension 𝓜_{a,α_1} adding the new point a_1, so that M′ = a_1M; then let 𝓜′′ be the principal extension 𝓜′_{a,α_2} adding the new point a_2. Then for each A ⊆ M−a we have

$$\begin{aligned}
h''(A) &= h(A), \\
h''(a_1A) &= \min\{h(A)+\alpha_1,\ h(aA)\}, \\
h''(a_2A) &= \min\{h(A)+\alpha_2,\ h(aA)\}, \\
h''(a_1a_2A) &= \min\{h(A)+\alpha_1+\alpha_2,\ h(aA)\}.
\end{aligned}$$

As h(A) + α_1 + α_2 = h(A) + h(a) ≥ h(aA), we have h′′(a_1a_2A) = h(aA). This shows that 𝓜′′ restricted to the ground set a_1a_2M−a is the required splitting. If 𝓜 is aent, then both 𝓜′ and 𝓜′′ are aent by Theorem 9. A restriction and a factor of an aent polymatroid are trivially aent, proving the last claim. □

Lemma 11

Let 𝓜 = (f, aN) be tight, and suppose 𝒩 = (g, a_1a_2N) splits a in 𝓜 as g(a_i) = α_i. Then 𝒩⊥ splits a in 𝓜⊥ in the same way.

Proof

Let A ⊆ N, then g(A) = f(A) and g(a_1a_2A) = f(aA). Calculating g⊥(A) one gets

$$g^\perp(A) = g(a_1a_2N - A) + \mu(A) - g(a_1a_2N) = f(aN - A) + \mu(A) - f(aN) = f^\perp(A),$$

and similarly g⊥(a_1a_2A) = f⊥(aA). Finally,

$$\begin{aligned}
g^\perp(a_1A) &= g(a_1a_2N - a_1A) + \mu(a_1A) - g(a_1a_2N) \\
&= g(a_2N - A) + \mu(a_1) + \mu(A) - f(aN) \\
&= \min\{f(N-A)+\alpha_2,\ f(aN-A)\} + \alpha_1 + \mu(A) - f(aN) \\
&= \min\{f(N-A) + \mu(aA) - f(aN),\ f(aN-A) + \mu(A) - f(aN) + \alpha_1\} \\
&= \min\{f^\perp(aA),\ f^\perp(A) + \alpha_1\},
\end{aligned}$$

thus 𝒩⊥ splits a as claimed, as f⊥(a) = f(a) = α_1 + α_2 using that 𝓜 is tight (Claim 8 a)). □

Factors of a matroid are integer polymatroids. Helgason’s theorem [8] says that the converse is true: every integer polymatroid is a factor of some matroid. We need the following strengthening of this result.

Theorem 12

For each integer polymatroid 𝓜 there is a matroid φ(𝓜) such that a) 𝓜 is a factor of φ(𝓜), b) 𝓜 is aent if and only if φ(𝓜) is aent, c) if 𝓜 is tight, then φ(𝓜⊥) is the dual of φ(𝓜).

Proof

Let 𝓜 be an integer polymatroid. The matroid φ(𝓜) is generated by a series of splittings. If all singletons have rank zero or one, then 𝓜 is a matroid, and we are done. Otherwise some a ∈ M has rank h(a) > 1. Using Lemma 10, split a into two elements with ranks 1 and h(a) − 1. All ranks in the split polymatroid 𝓜′ remain integer, and by Lemma 10 𝓜 is aent if and only if 𝓜′ is aent. Continue this way to get the matroid φ(𝓜). Clearly 𝓜 is a factor of φ(𝓜), and c) holds by Lemma 11. □
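Added example (not part of the paper): a Python implementation of the principal extension, of the splitting of Lemma 10 via two principal extensions and a restriction, and of the repeated splitting that produces the matroid φ(𝓜) of Theorem 12, checked on a constructed tight integer polymatroid on {x, y, z} (a line and two planes in 3-space). It verifies that φ(𝓜) is a matroid, that 𝓜 is its factor, and that φ(𝓜⊥) = φ(𝓜)⊥ (Theorem 12 c), Lemma 11 applied at each step). The element names and the example polymatroid are choices made here.

```python
"""Principal extension, splitting (Lemma 10) and the refinement of Theorem 12; constructed example."""
from itertools import combinations


def subsets(ground):
    ground = sorted(ground)
    for k in range(len(ground) + 1):
        for A in combinations(ground, k):
            yield frozenset(A)


def principal_extension(h, a, new, alpha):
    """M_{a,alpha}: the new point gets h'(new A) = min{h(A) + alpha, h(aA)}, A in the old ground set."""
    def h2(A):
        A = frozenset(A)
        if new not in A:
            return h(A)
        A = A - {new}
        return min(h(A) + alpha, h(A | {a}))
    return h2


def split(h, ground, a, alpha1, alpha2, names):
    """Lemma 10: two principal extensions from a, then a is dropped; a1, a2 get ranks alpha1, alpha2."""
    a1, a2 = names
    h2 = principal_extension(principal_extension(h, a, a1, alpha1), a, a2, alpha2)
    return h2, (frozenset(ground) - {a}) | {a1, a2}


def factor(h, ground, collapse):
    """Factor of (h, ground) by the partition given by collapse (piece -> original element)."""
    return lambda A: h({i for i in ground if collapse[i] in frozenset(A)})


def refine_to_matroid(h, ground):
    """Theorem 12: peel rank-1 points off every element of rank > 1.  Returns the matroid's
    rank, its ground set and the collapse map back to the original elements."""
    collapse = {i: i for i in ground}
    for a in sorted(ground):
        r, cur = h({a}), a
        for j in range(1, r):                       # r-1 splits with ranks (1, r-j)
            new = f"{a}{j}"
            rest = f"{a}{r}" if j == r - 1 else f"{a}~{j}"
            h, ground = split(h, ground, cur, 1, r - j, (new, rest))
            collapse.pop(cur, None)
            collapse[new] = collapse[rest] = a
            cur = rest
    return h, ground, collapse


def dual(rank, ground):
    """f^perp(A) = f(M-A) + mu(A) - f(M) as in Section 2.4."""
    ground = frozenset(ground)
    total = rank(ground)
    return lambda A: rank(ground - frozenset(A)) + sum(rank({i}) for i in A) - total


def is_matroid(h, ground):
    subs = list(subsets(ground))
    return (all(h({i}) in (0, 1) for i in ground)
            and all(h(A) <= h(B) for A in subs for B in subs if A <= B)
            and all(h(A) + h(B) >= h(A | B) + h(A & B) for A in subs for B in subs))


def same(h1, h2, ground):
    return all(h1(A) == h2(A) for A in subsets(ground))


# Constructed tight integer polymatroid on {x, y, z}: x is a line, y and z are planes of a
# 3-space meeting in a line that avoids x (a linear, hence entropic, polymatroid).
M = frozenset("xyz")
H = {frozenset(): 0, frozenset("x"): 1, frozenset("y"): 2, frozenset("z"): 2,
     frozenset("xy"): 3, frozenset("xz"): 3, frozenset("yz"): 3, frozenset("xyz"): 3}
h = lambda A: H[frozenset(A)]

if __name__ == "__main__":
    g, N, collapse = refine_to_matroid(h, M)
    print("ground set of phi(M):", sorted(N), " matroid:", is_matroid(g, N))
    print("M is a factor of phi(M):", same(factor(g, N, collapse), h, M))
    gd, Nd, _ = refine_to_matroid(dual(h, M), M)
    print("Theorem 12 c)  phi(M^perp) == phi(M)^perp:", same(dual(g, N), gd, N))
```

The refined matroid lives on {x, y1, y2, z1, z2} with rank 3; y1y2 and z1z2 are the two planes (rank 2), while y1z1 has rank 2 because the two points are distinct. Dualizing first and refining afterwards gives the same matroid as refining first and dualizing afterwards, which is exactly what Theorem 12 c) asserts for a tight 𝓜.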

2.6 The duality conjecture

Fix the connected access structure 𝒜 ⊂ 2^P and consider all polymatroids on the ground set sP which realize 𝒜. We are interested in κ(𝒜), the minimal complexity of these polymatroids. By Claim 2 the search can be restricted to tight polymatroids. Suppose the infimum is attained by a tight polymatroid 𝓜. (It is attained as polymatroids form a closed set.) Claim 8 a) implies that 𝓜 and 𝓜⊥ have the same complexity. According to Claim 7 b) 𝓜⊥ realizes 𝒜⊥, thus κ(𝒜⊥) ≤ κ(𝒜). Applying the same reasoning to the dual structure we get κ(𝒜⊥⊥) ≤ κ(𝒜⊥). As 𝒜⊥⊥ and 𝒜 are the same, we have

Claim 13

For every access structure we have κ(𝒜) = κ(𝒜⊥). □

Every access structure can be realized by some linearly representable polymatroid; the complexity measure λ(𝒜) is the infimum of the complexity of such representations. It is well-known that the conic hull of linearly representable polymatroids is a closed subset of the entropic polymatroids, and it is closed under taking duals. Therefore it is also closed under tightening by Claim 8 b), and the same reasoning as above gives

Claim 14

For every access structure we have λ(𝒜) = λ(𝒜⊥). □

Every explicitly defined access structure 𝒜 with known exact complexity value σ(𝒜) satisfies λ(𝒜) = σ(𝒜) = κ(𝒜) – consequently the same is true for the dual structure, and then σ(𝒜⊥) = σ(𝒜). It is a long-standing open problem whether a statement similar to Claims 13 and 14 holds for the entropic complexity σ.

Conjecture 1

(complexity of dual structure). For every access structure we have σ(𝒜) = σ(𝒜⊥).

The conjecture is probably not true, but even the particular case when 𝒜 is an ideal access structure resisted all efforts. Recall, that 𝒜 is ideal if it can be realized by an ideal entropic polymatroid, or, equivalently, by an ideal distribution scheme.

Conjecture 2

(dual of ideal structure). The dual of an ideal access structure is ideal.

Refuting the second conjecture does not necessarily refute Conjecture 1, as the dual might be non-ideal while having complexity 1. In Section 3 we prove that Conjecture 2 is equivalent to a question about matroid representability. Using results of that section, and a construction by Tarik Kaced [10], the duality question for almost ideal schemes is settled.

3 Ideal structures and matroids

First we give a self-contained proof of a somewhat extended result of Blakley and Kabatianski [3, 19], which, in turn, extends a result of Brickell and Davenport [4] connecting ideal access structures and matroids. Using this connection we present a statement about matroid representability which is equivalent to Conjecture 2.

Fix the connected access structure 𝒜 ⊂ 2^P and suppose the polymatroid 𝓜 = (f, sP) realizes it. Assume furthermore that 𝓜 has complexity 1, that is, the rank of every singleton equals f(s). The following lemmas establish some structural properties of 𝓜. In the lemmas A is a subset of P, a ∈ P, and s denotes the secret.

Lemma 15

Suppose A ∈ 𝒜 and A−a ∉ 𝒜. Then f(A) − f(A−a) = f(s).

Proof

By submodularity of the rank function f , we have

$$f(a) \ge f(A) - f(A-a) = f(sA) - \bigl(f(sA-a) - f(s)\bigr) = \bigl(f(sA) - f(sA-a)\bigr) + f(s) \ge f(s).$$

As f(a) = f(s), the conclusion follows. □

Lemma 16

Let a ∈ A′ ⊆ A. Suppose A−a and A′ are qualified and A′−a is not. Then f(A) = f(A−a).

Proof

For the qualified subsets f(sA) = f(A), f(sA−a) = f(A−a) and f(sA′) = f(A′); for the unqualified subset f(sA′−a) = f(A′−a) + f(s). Thus

$$f(A) - f(A-a) = f(sA) - f(sA-a) \le f(sA') - f(sA'-a) = \bigl(f(A') - f(A'-a)\bigr) - f(s) = 0,$$

where the inequality follows from submodularity and the last equality from Lemma 15. Thus 0 ≤ f(A) − f(Aa) ≤ 0, proving the claim. □

Lemma 17

Suppose f(A) − f(A−a) = f(s), and a ∈ A′ ⊆ A. Then f(A′) − f(A′−a) = f(s).

Proof

By submodularity, f(A) − f(A−a) ≤ f(A′) − f(A′−a) ≤ f(a). As both ends equal f(s), the claim follows. □

Theorem 18

(Blakley–Kabatianski). Let 𝒜 ⊂ 2^P be a connected access structure and 𝓜 = (f, sP) be a polymatroid realizing 𝒜 such that f(a) = f(s) = 1 for all a ∈ P. Then 𝓜 is a matroid which is uniquely determined by the access structure.

Proof

All singletons have rank 1, thus 𝓜 is a matroid if all ranks are integer. The basic idea is to show that for any subset A of the ground set sP one can find an element a of A such that f(A) − f(A−a) is either zero or one. The additional claim that 𝓜 is uniquely determined by 𝒜 follows from the fact that for the chosen element a ∈ A the value of f(A) − f(A−a) depends only on the access structure, and not on the particular realization.

If the subset contains the secret s, say it is sA with A ⊆ P, then f(sA) − f(A) is either zero or f(s) = 1 depending on whether A ∈ 𝒜 or A ∉ 𝒜, which settles this case with the element s. So assume A ⊆ P.

When A is qualified, there are two cases. If A−a is not qualified for some a ∈ A, then Lemma 15 gives that this difference is f(s) = 1. If all A−a are qualified, then pick a minimal qualified A′ ⊆ A and use Lemma 16 with any a ∈ A′: the difference f(A) − f(A−a) is zero.

Thus assume A is unqualified. As 𝒜 is connected, there is an unqualified subset B such that AB is qualified (pick any element of A; it is important, so some unqualified B becomes qualified when this element joins it, and then AB is qualified). Choose such an unqualified B such that the set B−A has minimal cardinality, and within this constraint A ∩ B has maximal cardinality. Then AB−k is unqualified for any k ∈ B−A (as otherwise B−k would be a better choice), and aB is qualified for any a ∈ A−B (as otherwise aB would be a better choice). Note that A−B is not empty, since otherwise AB = B would be unqualified. Fix a ∈ A−B. For any k ∈ B−A, AB is qualified and AB−k is not, so Lemma 15 gives f(AB) − f(AB−k) = 1, and by Lemma 17, f(A′) − f(A′−k) = 1 whenever k ∈ A′ ⊆ AB. Removing the elements of B−A one by one, by induction this gives both f(AB) − f(A) = |B−A| and f(AB−a) − f(A−a) = |B−A|. Therefore f(A) − f(A−a) = f(AB) − f(AB−a). Now AB is qualified. If AB−a is unqualified, then by Lemma 15 this difference is f(s) = 1. If AB−a is qualified, then f(AB) = f(AB−a) using Lemma 16 with A′ = aB, as aB is qualified and aB−a = B is not. □
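The proof above is constructive: each difference f(A) − f(A−a) is decided by membership tests in 𝒜 alone. The following added Python example (not from the paper) turns the case analysis into an algorithm that, given a connected access structure, outputs the only candidate for the matroid of Theorem 18, and then checks whether that candidate is a matroid realizing 𝒜. Passing the check is a necessary condition for ideality (a matroid need not be entropic). It recovers U_{2,4} from the 2-out-of-3 threshold structure, while for the path structure on four participants with minimal qualified sets ab, bc, cd (a constructed non-ideal example) the candidate violates submodularity. The tie-breaking rules among equally good choices are this example's own.

```python
"""Reconstructing the matroid of an ideal access structure from the structure alone,
following the case analysis in the proof of Theorem 18; constructed example."""
from functools import lru_cache
from itertools import combinations

S = "s"


def subsets(ground):
    ground = sorted(ground)
    for k in range(len(ground) + 1):
        for A in combinations(ground, k):
            yield frozenset(A)


def upward_closure(minimal_sets, parts):
    """Access structure generated by its minimal qualified sets."""
    minimal = [frozenset(m) for m in minimal_sets]
    return {A for A in subsets(parts) if any(m <= A for m in minimal)}


def reconstruct_rank(access, parts):
    """Rank on sP where every value f(X) - f(X-a) is read off the access structure only
    (Lemmas 15-17).  For an ideal connected structure this is the unique matroid of
    Theorem 18; for a non-ideal one the output is still a function, but no polymatroid."""
    parts = frozenset(parts)
    qual = lambda A: frozenset(A) in access

    @lru_cache(maxsize=None)
    def rank(X):
        if not X:
            return 0
        if S in X:                                # f(sA) - f(A) is 0 or 1 by realization
            A = X - {S}
            return rank(A) + (0 if qual(A) else 1)
        if qual(X):
            for a in sorted(X):                   # Lemma 15: X-a unqualified gives difference 1
                if not qual(X - {a}):
                    return rank(X - {a}) + 1
            A1 = min((A for A in subsets(X) if qual(A)), key=len)   # minimal qualified subset
            return rank(X - {sorted(A1)[0]})      # Lemma 16: difference 0
        # X unqualified: unqualified B with XB qualified, |B-X| minimal, then |X&B| maximal
        # (such a B exists because the access structure is connected)
        B = min((B for B in subsets(parts) if not qual(B) and qual(X | B)),
                key=lambda B: (len(B - X), -len(X & B)))
        a = sorted(X - B)[0]
        # f(X) - f(X-a) = f(XB) - f(XB-a), which is 1 iff XB-a is unqualified (Lemmas 15-17)
        return rank(X - {a}) + (0 if qual((X | B) - {a}) else 1)

    return lambda X: rank(frozenset(X))


def is_polymatroid(rank, ground):
    subs = list(subsets(ground))
    return (all(rank(A) >= 0 for A in subs)
            and all(rank(A) <= rank(B) for A in subs for B in subs if A <= B)
            and all(rank(A) + rank(B) >= rank(A | B) + rank(A & B) for A in subs for B in subs))


def is_matroid_realizing(rank, access, parts):
    """Necessary condition for ideality (Theorem 18): the reconstructed function must be a
    matroid with all singleton ranks 1 that realizes the access structure."""
    ground = frozenset(parts) | {S}
    ok_real = all(rank(A | {S}) - rank(A) == (0 if A in access else rank({S}))
                  for A in subsets(parts))
    return is_polymatroid(rank, ground) and all(rank({i}) == 1 for i in ground) and ok_real


def rank_table(rank, ground):
    return {tuple(sorted(A)): rank(A) for A in subsets(ground)}


if __name__ == "__main__":
    thr = upward_closure(["ab", "ac", "bc"], "abc")          # 2-out-of-3, ideal (Shamir)
    r = reconstruct_rank(thr, "abc")
    print("2-of-3 gives U_{2,4}:",
          all(v == min(len(k), 2) for k, v in rank_table(r, "sabc").items()))
    path = upward_closure(["ab", "bc", "cd"], "abcd")        # the path a-b-c-d, not ideal
    p = reconstruct_rank(path, "abcd")
    print("path passes the Theorem 18 test:", is_matroid_realizing(p, path, "abcd"))
    print("submodularity at sab, sbc:", p("sab") + p("sbc") >= p("sabc") + p("sb"))
```

With the tie-breaking used here, the path structure yields f(sab) = f(sbc) = f(sb) = 2 and f(sabc) = 3, so f(sab) + f(sbc) < f(sabc) + f(sb) and the candidate is not a polymatroid; this agrees with the known value κ = 3/2 for that structure, which rules out any realization of complexity 1, whatever choices the algorithm makes.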

The main result of this section is the equivalence of a statement about matroid representability and Conjecture 2. Recall that 𝓜 is an entropic matroid if for some positive λ the polymatroid λ𝓜 is entropic.

Theorem 19

The following statements are equivalent.

  a) The dual of every ideal access structure is ideal.

  b) The dual of every entropic matroid is entropic.

Proof

Let us first make some simplifying assumptions. In a) the access structure can be assumed to be connected: simply forget about the unimportant participants, they will be unimportant in the dual structure as well. In b) the matroid can be assumed to be tight and connected. This is so as the matroids 𝓜 and 𝓜↓ are entropic at the same time: if i has non-zero private info, then i is completely independent of the rest of the matroid. Furthermore, if 𝓜 is not connected, then it is an independent sum of its connected components, and then the dual 𝓜⊥ is the sum of the duals of the components.

The reduction from entropic matroids to tight entropic matroids was discussed briefly at the end of Section 2.1. In the proof of Theorem 20 we need a similar reduction for almost entropic matroids, which is provided by Matúš’ theorem, see [20].

a) → b) As remarked above, we may assume that the entropic matroid 𝓜 is tight and connected. Pick any element of its ground set and name it s; the remaining elements are in P. Since 𝓜 is connected, it has no loops, thus f(s) = 1. Define the access structure 𝒜 ⊂ 2^P by

𝒜 = {A ⊆ P : f(sA) = f(A)}.

Clearly 𝓜 realizes this access structure, consequently 𝒜 is ideal, and by Claim 5 it is also connected. By Claim 7 b), the dual matroid 𝓜⊥ realizes the dual structure 𝒜⊥.

As 𝒜 is a connected ideal structure, assumption a) says that 𝒜⊥ is ideal. Let 𝓜′ be the scaled entropic polymatroid which realizes 𝒜⊥ with f′(s) = f′(a) = 1. As 𝒜⊥ is connected by Claim 6, the conditions of Theorem 18 hold. Consequently 𝓜′ is the unique matroid realizing 𝒜⊥. As 𝓜⊥ also realizes the same access structure, 𝓜′ and 𝓜⊥ are the same matroid. Now 𝓜′ is a scaled version of an entropic polymatroid, thus 𝓜⊥ = 𝓜′ is an entropic matroid, as was required.

b) → a) Let 𝒜 be an ideal connected access structure realized by the entropic polymatroid 𝓜*. As 𝒜 is connected and ideal, we have f*(i) = f*(s) > 0 for all participants i ∈ P. Let λ = 1/f*(s) and 𝓜 = λ𝓜*. Then 𝓜 also realizes 𝒜 and f(i) = f(s) = 1 for all i ∈ P. By Corollary 3 𝓜 is tight, and by Theorem 18 𝓜 is a matroid. As 𝒜 is connected, by Claim 4 𝓜 is connected. Consequently 𝓜 is a tight, connected, entropic matroid which realizes the access structure 𝒜. By assumption b) the dual 𝓜⊥ is an entropic matroid, and it realizes 𝒜⊥ by Claim 7 b); finally by Claim 8 a) 𝓜 and 𝓜⊥ have the same value on singletons. Thus λ𝓜⊥ is an entropic polymatroid for some positive λ, realizes 𝒜⊥, and has complexity σ(𝓜⊥) = σ(𝓜) = 1. Therefore 𝒜⊥ is ideal. □

Almost entropic polymatroids form a closed cone, which means that positive multiples of an aent polymatroid are aent. Consequently the definition of almost entropic matroids does not require scaling, as was the case for entropic matroids: the matroid 𝓜 is almost entropic if it is almost entropic as a polymatroid. Repeating the proof above word for word while replacing “ideal” by “almost ideal” and “entropic” by “almost entropic” everywhere, one gets the following theorem.

Theorem 20

The following statements are equivalent.

  a) The dual of every almost ideal access structure is almost ideal.

  b) The dual of every almost entropic matroid is almost entropic. □

4 Duals of almost entropic matroids

We have almost all the pieces together to prove the main result:

Theorem 21

There is an almost ideal access structure whose dual is not almost ideal.

By Theorem 20 we need to exhibit an almost entropic matroid whose dual is not almost entropic. The existence of such a matroid was proved by Tarik Kaced [10, Theorem 2]; this section is a detailed account of that result. The proof starts with the construction of an entropic polymatroid whose dual is not entropic. Using a continuity argument and linear scaling, one gets an integer polymatroid with the same properties. Theorem 12 established a connection between integer polymatroids and matroids which preserves duality and almost entropicity. To complete the tour, apply this theorem to get the required matroid. Now let us see the details.

Finding an entropic polymatroid whose dual is not entropic was a long-standing open problem. The example below is due to Kaced [10]. The polymatroid is specified by a distribution on five binary random variables. To show that its dual is not entropic, Kaced used a 5-variable non-Shannon type information inequality, see [14, 16]. Such an inequality is a closed halfspace in the (2^|M| − 1)-dimensional space which a) contains all entropic points on its non-negative side (consequently all aent points as well), and b) cuts into the polymatroid cone ΓM. Entropy inequalities are typically written using abbreviations originating in information theory. For disjoint subsets A, B, C we write

h(A|B) = h(AB) − h(B),   h(A,B) = h(A) + h(B) − h(AB),   h(A,B|C) = h(AC) + h(BC) − h(ABC) − h(C),

corresponding to conditional entropy, mutual information, and conditional mutual information, respectively. In any polymatroid these expressions are always non-negative. The MMRV inequality written for the singletons of the five-element set {a, b, c, d, e} is

(1)   (h(a,b|c) + h(b,c|a) + h(c,a|b)) + (h(b,c|d) + h(b,c|e) + h(d,e) − h(b,c)) ≥ 0.

For a short proof that this inequality holds for aent polymatroids see the Appendix.

Claim 22

There is a tight, integer and aent polymatroid whose dual is not aent.

Proof

The distribution on the five random variables ξa, …, ξe is specified in Table 1. Each of the variables takes either zero or one; there are only eight combinations with positive probability. The associated polymatroid 𝓜ξ is entropic, and the left hand side of (1) evaluates to 0.108494. The dual 𝓜ξ⊥ is not aent as the left hand side of (1) is −0.0715364.

Table 1

Distribution on five variables

ξa ξb ξc ξd ξe Prob
0 0 0 0 0 0.077
0 0 1 1 0 0.182
0 1 0 0 1 0.182
0 1 1 0 0 0.077
1 0 0 0 0 0.105
1 0 1 0 0 0.136
1 1 0 0 0 0.136
1 1 1 0 0 0.105

The duality operation is continuous, thus the duals of the polymatroids in a small neighborhood of 𝓜ξ still violate the MMRV inequality. The entropic polymatroid 𝓜ξ is on the boundary of the aent cone (for example, d and e have no private info), but there is another polymatroid 𝓜′ arbitrarily close to 𝓜ξ inside that cone. By [17] interior points of the aent cone are entropic. Take 𝓜′′ very close to 𝓜′ such that all coordinates are rational. Let n be the smallest common denominator of the fractions in the coordinates. The coordinates of n𝓜′′ are integer. The dual of n𝓜′′ violates the MMRV inequality as the dual of 𝓜′′ violates it, and the left hand side of (1) is also multiplied by n. Finally, n𝓜′′ is entropic: to realize it take n independent copies of the random variables realizing 𝓜′′. The tight part of n𝓜′′ is integer and almost entropic, and its dual is the same as the dual of n𝓜′′ by Claim 8 b), proving the claim.

Using the distribution ξ above, such an integer polymatroid can be constructed directly. For a subset A ⊆ M define the polymatroid r_A as

r_A : I ↦ 1 if A ∩ I ≠ ∅, and 0 otherwise.

Clearly, λ r_A is entropic for every positive λ. As A runs over all non-empty subsets of M these polymatroids are linearly independent and span a full-dimensional subcone of ΓM consisting of entropic polymatroids only [17]. The idea is to take a multiple of 𝓜ξ (which is almost entropic), and use some linear combination of the r_A’s to round up the coordinates to integer values. This idea works. The polymatroid

𝓜 = 50.03 𝓜ξ + 0.3819594 (r_abd + r_acd + r_abe + r_ace) + 0.1741526 (r_b + r_c) + 0.0067674 r_bc + 0.5112645 r_abc + 0.6235703 (r_bd + r_cd + r_be + r_ce) + 0.0270848 (r_bcd + r_bce) + 0.1012390 r_a + 0.4887355 (r_ab + r_ac) + 0.3314441 (r_ad + r_ae) + 0.3356126 (r_abcd + r_abce) + 0.4877698 r_bcde + 0.5648560 r_abcde

is clearly entropic, and it is integer. This is so as the coefficients in this formula are the solutions of a system of linear equations yielding exact values. Table 2 shows the coordinates of 51𝓜ξ (left column), the integer entropic polymatroid 𝓜 (middle column), and the tightening 𝓜↓ of 𝓜 (right column). The value of the MMRV inequality for the dual of 𝓜 is −1, thus 𝓜⊥ is not almost entropic. As 𝓜⊥ = (𝓜↓)⊥, the tight part of 𝓜 is a tight, integer, aent polymatroid whose dual is not aent. □

Table 2

An integer entropic polymatroid

A scaled 𝓜ξ 𝓜 𝓜↓
a 49.983219 55 37
b 50.030000 55 31
c 50.030000 55 31
d 34.242173 38 38
e 34.242173 38 38
ab 100.013219 107 65
ac 100.013219 107 65
ad 74.221223 81 63
ae 74.221223 81 63
bc 97.356052 105 57
bd 73.693026 80 56
be 73.693026 80 56
cd 73.693026 80 56
ce 73.693026 80 56
de 65.536972 72 72
abc 146.591925 155 89
abd 111.389648 119 77
acd 111.389648 119 77
abe 111.389648 119 77
ace 111.389648 119 77
ade 90.946998 99 81
bde 97.356052 105 81
cde 97.356052 105 81
bcd 113.024608 121 73
bce 113.024608 121 73
abcd 146.591925 155 89
abce 146.591925 155 89
abde 122.766078 131 89
acde 122.766078 131 89
bcde 128.693164 137 89
abcde 146.591925 155 89
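The computation behind Claim 22 and Table 2, as an added example that is not part of the paper: it builds the entropic polymatroid of the Table 1 distribution, evaluates the left hand side of (1) on it and on its dual, then forms 50.03𝓜ξ plus the r_A combination of the displayed formula and checks that it rounds to the integer polymatroid 𝓜 of Table 2 whose tight part has singleton ranks 37, 31, 31, 38, 38. The example assumes the standard polymatroid duality f⊥(A) = Σ_{i∈A} f(i) − f(M) + f(M∖A) and the tightening f↓(A) = f(A) − Σ_{i∈A} (f(M) − f(M∖i)); only the numbers of Tables 1 and 2 and the coefficients of the formula come from the page.

```python
"""Kaced's distribution (Table 1), its entropic polymatroid, the MMRV inequality,
polymatroid duality and the integer rounding of Table 2.  Added example, not code
from the paper; only Tables 1-2 and the coefficients of the formula for M are from the page."""
from collections import Counter
from itertools import combinations
from math import log2

GROUND = "abcde"
SUBSETS = ["".join(s) for k in range(1, 6) for s in combinations(GROUND, k)]

# Table 1: (xi_a, xi_b, xi_c, xi_d, xi_e) -> probability; every other outcome has probability 0
TABLE_1 = {
    (0, 0, 0, 0, 0): 0.077, (0, 0, 1, 1, 0): 0.182, (0, 1, 0, 0, 1): 0.182, (0, 1, 1, 0, 0): 0.077,
    (1, 0, 0, 0, 0): 0.105, (1, 0, 1, 0, 0): 0.136, (1, 1, 0, 0, 0): 0.136, (1, 1, 1, 0, 0): 0.105,
}

def entropic_polymatroid(dist):
    """Rank function h(A) = H(xi_A) in bits for every non-empty subset A of the ground set."""
    h = {}
    for A in SUBSETS:
        marginal = Counter()
        for outcome, p in dist.items():
            marginal[tuple(outcome[GROUND.index(x)] for x in A)] += p
        h[A] = -sum(p * log2(p) for p in marginal.values() if p > 0)
    return h

def rank(h, A):
    """Rank of a subset given as a string or a set of letters; the empty set has rank 0."""
    key = "".join(sorted(A))
    return h[key] if key else 0

def cmi(h, A, B, C=""):
    """h(A,B|C) = h(AC) + h(BC) - h(ABC) - h(C), the paper's abbreviation."""
    return rank(h, A + C) + rank(h, B + C) - rank(h, A + B + C) - rank(h, C)

def mmrv(h):
    """Left hand side of the MMRV inequality (1)."""
    return (cmi(h, "a", "b", "c") + cmi(h, "b", "c", "a") + cmi(h, "c", "a", "b")
            + cmi(h, "b", "c", "d") + cmi(h, "b", "c", "e") + cmi(h, "d", "e")
            - cmi(h, "b", "c"))

def dual(h):
    """Polymatroid dual (assumed standard form): f*(A) = sum_{i in A} f(i) - f(M) + f(M \\ A)."""
    total = rank(h, GROUND)
    return {A: sum(h[i] for i in A) - total + rank(h, set(GROUND) - set(A)) for A in SUBSETS}

def tighten(h):
    """Tight part: subtract each element's private information f(M) - f(M \\ i)."""
    total = rank(h, GROUND)
    private = {i: total - rank(h, set(GROUND) - {i}) for i in GROUND}
    return {A: h[A] - sum(private[i] for i in A) for A in SUBSETS}

def r_poly(A):
    """The polymatroid r_A: I -> 1 if A meets I, 0 otherwise."""
    return {I: 1 if set(A) & set(I) else 0 for I in SUBSETS}

# Coefficients c_A of the page's formula M = 50.03 M_xi + sum c_A r_A, grouped as displayed
ROUNDING_TERMS = [
    (0.3819594, ["abd", "acd", "abe", "ace"]), (0.1741526, ["b", "c"]),
    (0.0067674, ["bc"]), (0.5112645, ["abc"]), (0.6235703, ["bd", "cd", "be", "ce"]),
    (0.0270848, ["bcd", "bce"]), (0.1012390, ["a"]), (0.4887355, ["ab", "ac"]),
    (0.3314441, ["ad", "ae"]), (0.3356126, ["abcd", "abce"]), (0.4877698, ["bcde"]),
    (0.5648560, ["abcde"]),
]

def integer_polymatroid(h_xi, tol=1e-3):
    """Build 50.03*M_xi + sum c_A r_A and round it; refuse if a coordinate is not near an integer."""
    m = {A: 50.03 * h_xi[A] for A in SUBSETS}
    for coeff, sets in ROUNDING_TERMS:
        for A in sets:
            for I, v in r_poly(A).items():
                m[I] += coeff * v
    out = {}
    for A, v in m.items():
        if abs(v - round(v)) > tol:
            raise ValueError(f"coordinate {A} = {v} is not integral")
        out[A] = int(round(v))
    return out

if __name__ == "__main__":
    h = entropic_polymatroid(TABLE_1)
    print("MMRV(M_xi) =", mmrv(h), " MMRV(dual M_xi) =", mmrv(dual(h)))
    m = integer_polymatroid(h)
    print("MMRV(M) =", mmrv(m), " MMRV(dual M) =", mmrv(dual(m)), " tight(M)(a) =", tighten(m)["a"])
```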

Let the tight integer polymatroid provided by Claim 22 be 𝒩, and consider the matroid φ(𝒩) provided by Theorem 12. As 𝒩 is aent, φ(𝒩) is almost entropic; 𝒩⊥ is not aent, thus φ(𝒩⊥) is not aent. Consequently the matroid φ(𝒩) is aent while its dual φ(𝒩)⊥ = φ(𝒩⊥) is not, completing the proof of Theorem 21.

Using the tight almost-entropic polymatroid of Table 2, the construction in the proof of Theorem 19 gives an almost-ideal access structure on 174 participants (as the corresponding aent matroid has f(a) + f(b) + f(c) + f(d) + f(e) = 175 atoms, one of them is the secret and the others are the participants) whose dual is not almost-ideal. It is left to the interested reader to describe the qualified subsets for different choices of the secret.

According to Theorem 2, to construct a counterexample to Conjecture 2 we need an entropic matroid whose dual is not entropic. Entropic matroids (and their multiples) are always on the boundary of the aent cone; the boundary has an intricate and complicated structure. There seems to be no other way to show that a matroid is entropic than giving the probability distribution explicitly. But it is not clear how to guarantee H(ξA)/H(ξs) to be an integer. No entropic matroid is known which is not a multiple of a linearly representable polymatroid. Finding such a matroid would be very interesting.

5 Conclusion and open problems

An almost ideal secret sharing scheme on 174 participants was constructed explicitly whose dual structure is not almost ideal. It was done by putting together several pieces of earlier work. The intricate connection between ideal secret sharing schemes and matroids was observed by Brickell and Davenport [4]. This connection is expressed in Theorem 18 extending a result of Blakley and Kabatiansky [3]; the presented proof is an adaptation of the one from [19]. Entropic and almost entropic polymatroids have been studied intensively by Frantisek Matúš [15, 16, 17, 18, 20]; his insight into the structure of the entropic region was indispensable to this paper. And, of course, we were using the surprising result of Tarik Kaced [10] who settled an old conjecture by constructing an entropic polymatroid whose dual is not entropic. These results allowed us to solve the duality problem of ideal secret sharing schemes – is the dual of an ideal structure ideal? – in a model slightly differing from the standard one, namely secret recovery and secret independence are required only “up to a negligible factor”. This model has been studied earlier under the name of “probabilistic secret sharing”, see [5, 11, 24]. The original problem remains unsolved.

Problem 1

Is the dual of an ideal structure ideal?

A substantial obstacle to attacking this problem was mentioned at the end of the previous section: every known entropic matroid is linearly representable.

Problem 2

Find an entropic matroid which is not linear.

A promising approach seems to be using subgroup representation for the matroid [6]. It requires substantial knowledge of the subgroup structure of non-commutative finite groups.

It is an interesting question how restrictive the probabilistic model is. If an access structure has complexity 1, then it is almost ideal (while not necessarily ideal [2]); this follows from the fact that the aent polymatroids form a closed cone [17]. The following problem asks about the converse of this implication.

Problem 3

Does every almost ideal access structure have complexity 1?

The question is equivalent to whether σ̄(𝒜) = 1 implies σ(𝒜) = 1. As mentioned at the end of Section 2.3, σ̄ and σ are not known to be separated.

Problem 4

Is there an access structure 𝒜 with σ̄(𝒜) strictly smaller than σ(𝒜)?

This problem was raised in Section 2.3: can the imperfections allowed by the probabilistic model be patched by adding some small entropy to the secret and/or the shares? This question has been considered by Kaced in [11], but remained unsolved.


Dedicated to the memory of Frantisek Matúš


Acknowledgement

The author would like to thank for the encouragement and fruitful discussions at the Prague Stochastics Conference, 2019. He is particularly indebted to Oriol Farrás and Carles Padró. Special thanks to Gabor Tardos for figuring out the subtleties of Claim 5.

The research reported in this paper was supported by GACR project number 19-04579S, and partially by the Lendület program of the HAS.

References

[1] A. Beimel (2011), Secret-sharing schemes: a survey, in: IWCC 2011, volume 6639 of LNCS, Springer, 2011, pp 11–46, doi:10.1007/978-3-642-20901-7_2

[2] A. Beimel, N. Livne (2006), On matroids and non-ideal secret sharing, in: Halevi S., Rabin T. (eds) Theory of Cryptography, volume 3876 of LNCS, Springer, Berlin, Heidelberg, pp 482–501, doi:10.1007/11681878_25

[3] G. Blakley, G. Kabatianski (1995), On general perfect secret sharing schemes, in: LNCS 963, Advances in Cryptology, Proceedings of Crypto’95, Springer 1995, pp 367–371, doi:10.1007/3-540-44750-4_29

[4] E. F. Brickell, D. M. Davenport (1991), On the classification of ideal secret sharing schemes, J. of Cryptology, vol 4 (73), pp 123–134, doi:10.1007/0-387-34805-0_25

[5] P. D’Arco, R. De Prisco, A. De Santis, A. Pérez del Pozo, U. Vaccaro (2018), Probabilistic Secret Sharing, in: 43rd International Symposium on Mathematical Foundations of Computer Science, MFCS 2018, Leibniz International Proceedings in Informatics, Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Vol 117, pp 64:1–64:16

[6] T. H. Chan, R. W. Yeung (2002), On a relation between information inequalities and group theory, IEEE Trans. Information Theory 57, pp 6364–6378, doi:10.1109/TIT.2002.1013138

[7] S. Fujishige (1978), Polymatroidal dependence structure of a set of random variables, Information and Control 39, pp 55–72, doi:10.1016/S0019-9958(78)91063-X

[8] T. Helgason (1974), Aspects of the theory of hypermatroids, in: Berge C., Ray-Chaudhuri D. (eds) Hypergraph Seminar, Lecture Notes in Mathematics, vol 411, Springer, Berlin, Heidelberg, doi:10.1007/BFb0066195

[9] W. C. Huffman and V. Pless (2003), Fundamentals of error correcting codes, Cambridge University Press, 2003, doi:10.1017/CBO9780511807077

[10] T. Kaced (2018), Information Inequalities are Not Closed Under Polymatroid Duality, IEEE Transactions on Information Theory 64, pp 4379–4381, doi:10.1109/TIT.2018.2823328

[11] T. Kaced (2011), Almost-perfect secret sharing, Information Theory Proceedings (ISIT), 2011 IEEE International Symposium on, pp 1603–1607, doi:10.1109/ISIT.2011.6033816

[12] J. Katz, Y. Lindell (2007), Introduction to modern cryptography, Chapman & Hall/CRC, doi:10.1201/9781420010756

[13] L. Lovász (1982), Submodular functions and convexity, in: Mathematical Programming – The State of the Art (A. Bachem, M. Grötschel and B. Korte, eds.), Springer-Verlag, Berlin, pp 234–257, doi:10.1007/978-3-642-68874-4_10

[14] K. Makarichev, Y. Makarichev, A. Romashchenko, N. Vereshchagin (2002), A new class of non-Shannon type inequalities for entropies, Communications in Information and Systems, vol 2, pp 147–166, doi:10.4310/CIS.2002.v2.n2.a3

[15] F. Matúš (1994), Probabilistic conditional independence structures and matroid theory: background, Int. Journal of General Systems 22, pp 185–196, doi:10.1080/03081079308935205

[16] F. Matúš (2007), Adhesivity of polymatroids, Discrete Mathematics 307, pp 2464–2477, doi:10.1016/j.disc.2006.11.013

[17] F. Matúš (2007), Two constructions on limits of entropy functions, IEEE Transactions on Information Theory 53, pp 320–330, doi:10.1109/TIT.2006.887090

[18] F. Matúš (2007), Infinitely many information inequalities, Proceedings IEEE ISIT 2007, Nice, France, pp 41–44, doi:10.1109/ISIT.2007.4557201

[19] F. Matúš (2012), Polymatroids and polyquantoids, in: Proceedings of WUPES’2012 (eds. J. Vejnarová and T. Kroupa), Mariánské Lázně, Prague, Czech Republic, pp 126–136

[20] F. Matúš, L. Csirmaz (2016), Entropy region and convolution, IEEE Trans. Inf. Theory 62, pp 6007–6018, doi:10.1109/TIT.2016.2601598

[21] J. G. Oxley (1992), Matroid Theory, Oxford Science Publications, The Clarendon Press, Oxford University Press, New York

[22] C. Padró (2012), Lecture notes in secret sharing, Cryptology ePrint archive, report 2012/674

[23] R. W. Yeung (2002), A First Course in Information Theory, Kluwer Academic/Plenum Publishers, New York, doi:10.1007/978-1-4419-8608-5

[24] Y. Yu, M. Wang (2011), A probabilistic secret sharing scheme for a compartmented access structure, in: International Conference on Information and Communications Security, pp 136–142, Springer, Berlin, Heidelberg, doi:10.1007/978-3-642-25243-3_11

Appendix

Theorem 23

A matroid is connected if and only if any two points can be connected by a circuit.

Proof

Let 𝓜 = (h, M) be a matroid. Using matroid terminology, A is dependent if h(A) < |A|, and A is a circuit if it is a minimal dependent set. Every dependent set contains a circuit. Points x and y are connected, written as x ≈ y, if there is a circuit containing both of them. First we prove that ≈ is an equivalence relation: if x ≈ z and z ≈ y then x ≈ y. This is done in three steps. In claims a), b), c), C1 and C2 are different circuits.

a) Suppose z ∈ C1 ∩ C2. There is a circuit E ⊆ C1 ∪ C2 which avoids z (exchange property of circuits). Proof. As C1, C2 are different circuits, h(Ci) = |Ci| − 1 and h(C1 ∩ C2) = |C1 ∩ C2| as C1 ∩ C2 is a proper subset of a circuit. Using submodularity for C1 and C2,

h(C1 ∪ C2) ≤ h(C1) + h(C2) − h(C1 ∩ C2) = |C1| + |C2| − h(C1 ∩ C2) − 2 = |C1| + |C2| − |C1 ∩ C2| − 2 = |C1 ∪ C2| − 2.

Consequently h((C1 ∪ C2) ∖ z) ≤ |(C1 ∪ C2) ∖ z| − 1, which means that (C1 ∪ C2) ∖ z is dependent, thus contains a circuit.

b) Let x ∈ C1 ∖ C2, and z ∈ C1 ∩ C2. There is a circuit in C1 ∪ C2 which contains x and avoids z.

Proof

By induction on |C1 ∪ C2|. By a) there is a circuit E ⊆ C1 ∪ C2 which avoids z. Then E ∩ (C2 ∖ C1) is not empty, as E is dependent while E ∩ C1, as a proper subset of C1, is independent. If x ∈ E then we are done. If x ∉ E, then pick z′ ∈ E ∩ (C2 ∖ C1). By a) there is a circuit F ⊆ E ∪ C2 which avoids z′. Use induction on C1 and F.

c) Let x ∈ C1 ∖ C2, y ∈ C2 ∖ C1, and C1 ∩ C2 ≠ ∅. There is a circuit E ⊆ C1 ∪ C2 which contains x and y.

Proof

By induction on |C1 ∪ C2|. Let z ∈ C1 ∩ C2. By b) there is a circuit E ⊆ C1 ∪ C2 which contains x and avoids z. If y ∈ E, then we are done. If y ∉ E, then pick z′ ∈ E ∩ (C2 ∖ C1). By b) there is a circuit F ⊆ E ∪ C2 such that y ∈ F and z′ ∉ F. Use induction on C1 and F.

This proves that ≈ is an equivalence relation. Any two points of the matroid are connected by a circuit if and only if there is only a single equivalence class of ≈. First assume that the matroid is connected, and by contradiction that A is a proper equivalence class of ≈. Consider the partition A ∪ B where B is the complement of A. Choose the independent sets A′ ⊆ A and B′ ⊆ B such that h(A) = |A′| and h(B) = |B′|. As A and B are not independent, h(A′ ∪ B′) ≤ h(A ∪ B) < h(A) + h(B) = h(A′) + h(B′) = |A′| + |B′|, thus A′ ∪ B′ contains a circuit E. But E must intersect both A′ and B′ (as A′ and B′ are independent), contradicting that elements from A′ ⊆ A and from B′ ⊆ B are not connected.

Conversely, if the matroid is not connected, say the elements of the partition A ∪ B are independent, then no circuit can intersect both A and B. Indeed, first the independence of A and B implies h(E) = h(E ∩ A) + h(E ∩ B) for all subsets E ⊆ M. Second, assume the circuit E intersects both A and B. Then E ∩ A and E ∩ B are independent (as proper subsets of E), and then

h(E) = h(E ∩ A) + h(E ∩ B) = |E ∩ A| + |E ∩ B| = |E|,

contradicting that E is dependent. □

Theorem 24

If ξ = 〈ξa, …, ξe〉 is a distribution on five elements, then the polymatroid 𝓜ξ satisfies the MMRV inequality

(2)   (h(a,b|c) + h(b,c|a) + h(c,a|b)) + (h(b,c|d) + h(b,c|e) + h(d,e) − h(b,c)) ≥ 0,

written as MMRV(𝓜ξ) ≥ 0.

Proof

Observe first that in any polymatroid 𝓜 = (h, M) the inequality

MMRV(𝓜) + 3 h(a, de|bc) ≥ 0

always holds. This is so as expanding MMRV(𝓜) + 3h(a, de|bc) as a linear combination of rank values, and expanding the clearly non-negative sum below, the results are the same:

h(a,d|b) + h(a,d|c) + h(a,e|b) + h(a,e|c) + h(b,c|ad) + h(b,c|ae) + h(a,bc|de) + h(d,e|a) + h(a,e|bcd) + h(a,d|bce).

The MMRV inequality (2) has been grouped into two parts. The first part depends only on the ranks of subsets of abc, and the second part depends only on subsets of bcde. In other words, the value of the first (and second) part depends only on the marginal distribution ξabc and ξbcde, respectively. Σ denotes the collection of all distributions η = 〈ηa, …, ηe〉 where each of these five variables takes the same values as the corresponding variable does in ξ but with arbitrary joint probability. Consider the optimization problem of maximizing the entropy of η ∈ Σ under the constraints that certain marginal distributions are fixed:

max_η { H(η) : η ∈ Σ, ηabc = ξabc, ηbcde = ξbcde }.

As H(η) is a strictly convex function of the probabilities, this is a convex optimization problem with linear constraints, consequently it has a single unique optimal solution η* ∈ Σ. Considering the distribution with the maximal entropy is often referred to as the maximum entropy principle. As the marginals on abc and bcde of ξ and η* are the same, MMRV(𝓜ξ) = MMRV(𝓜η*). The extremal distribution η* has the additional property that ηa and ηde are independent given ηbc. This is so as, fixing the value of ηbc, one can redefine the distribution while keeping the probabilities on abc and on bcde fixed such that a and de become independent. This would increase the total entropy, thus a and de must be independent – giving the claimed conditional independence. Consequently the polymatroid 𝓜η* additionally satisfies h*(a, de|bc) = 0, and then MMRV(𝓜η*) ≥ 0, proving the theorem. □
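A mechanical check of the identity used in this proof, as an added example that is not the paper's code: both sides are linear in the 31 rank values h(S), so evaluating each side on the unit vectors of the rank space gives its coefficient vector, and comparing the two vectors verifies that MMRV(𝓜) + 3h(a, de|bc) is exactly the ten-term sum above.

```python
"""Coefficient-vector check of MMRV(h) + 3h(a,de|bc) = the ten-term sum of the
Appendix.  Added example, not from the paper; the ten terms are copied from the text."""
from itertools import combinations

GROUND = "abcde"
SUBSETS = ["".join(s) for k in range(1, 6) for s in combinations(GROUND, k)]

def rank(h, A):
    """Rank of a subset given as a string of letters; the empty set has rank 0."""
    key = "".join(sorted(A))
    return h[key] if key else 0

def cmi(h, A, B, C=""):
    """h(A,B|C) = h(AC) + h(BC) - h(ABC) - h(C)."""
    return rank(h, A + C) + rank(h, B + C) - rank(h, A + B + C) - rank(h, C)

def lhs(h):
    """MMRV(h) + 3 h(a,de|bc), with MMRV as in inequality (2)."""
    mmrv = (cmi(h, "a", "b", "c") + cmi(h, "b", "c", "a") + cmi(h, "c", "a", "b")
            + cmi(h, "b", "c", "d") + cmi(h, "b", "c", "e") + cmi(h, "d", "e")
            - cmi(h, "b", "c"))
    return mmrv + 3 * cmi(h, "a", "de", "bc")

# The ten conditional mutual informations listed in the proof, as (A, B, C) triples
TEN_TERMS = [("a", "d", "b"), ("a", "d", "c"), ("a", "e", "b"), ("a", "e", "c"),
             ("b", "c", "ad"), ("b", "c", "ae"), ("a", "bc", "de"), ("d", "e", "a"),
             ("a", "e", "bcd"), ("a", "d", "bce")]

def rhs(h):
    """Sum of the ten terms; each is non-negative in every polymatroid."""
    return sum(cmi(h, *t) for t in TEN_TERMS)

def coefficients(form):
    """Coefficient of h(S) in a linear form: evaluate it on the unit vector at S."""
    return {S: form({A: (1 if A == S else 0) for A in SUBSETS}) for S in SUBSETS}

def identity_holds():
    """True iff lhs and rhs agree as linear forms in the rank values."""
    return coefficients(lhs) == coefficients(rhs)

if __name__ == "__main__":
    print("identity holds:", identity_holds())
```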

Received: 2019-10-02
Accepted: 2020-04-30
Published Online: 2020-11-25

© 2020 L. Csirmaz, published by De Gruyter

This work is licensed under the Creative Commons Attribution 4.0 International License.
