 Hello, my name is Uriel Farraz and I'm presenting the work Secret Sharing Schemes for almost all access structures. This is a joint work with Amos Weymann. In this presentation, first I will give an introduction to Secret Sharing Schemes and then we will see the results we got for Secret Sharing Schemes for almost all access structures and for almost all graphs. And then we will see some conclusions and no problems. Secret Sharing Schemes can be seen as a method to protect the secret in which we generate some shares from a secret. In order to facilitate the description of the scheme, we consider that there are some participants and each participant holds one of these shares and there's a special participant called the dealer who holds the secret. Then from the secret and some randomness, the dealer generates some shares and each participant gets one share and these shares are generated in such a way that some coalitions of participants can recover the secret from their shares. These subsets of participants are called authorized and the family of authorized subsets is the access structure of the scheme. Then we have other subsets that cannot get any information of the secret and these subsets are called forbidden subsets. When we say no information is in the information theory sense. In this talk, we only consider perfect schemes that are schemes in which every subset is either authorized or forbidden. And now we will see a simple Secret Sharing Scheme that will be useful to introduce some notation. So consider a case that we have a secret from a finite field. We have four participants and we want to share the secret in such a way that the only authorized subset is P. So all participants together can recover the secret but any subset of size 3 or less cannot obtain any information about the secret. So the dealer can choose three random elements from the finite field and give one random element to each participant for the last participant who will receive S minus the sum of the random elements. We can see here that all participants together can recover the secret by just summing their shares but any subset of size 3 or less cannot get any information about the secret. So in order to measure the efficiency of the schemes, we use the share size which is the logarithm of the size of the set of possible shares. Since each share is in FP, in this case the share size is log P. In some schemes the size of the shares may be different from different participants so in general we consider the max share size. In this case it's still log P. And in some cases we will also consider the total share size which is the sum of the share sizes that is for log P in this case. This scheme is linear over FP which means that the secret is in FP and shares are linear combinations of the secret and the randomness. Linear schemes have a multi-properties that are useful in cryptography and so this is a special family of schemes that will be considered also during the talk. Now we'll see some properties of the access structure. The access structure of a scheme is monitoring increasing because if we have an authorized subset any superset of this subset will also be authorized. Therefore the access structure is determined by the minimal access structure which is the family of minimal authorized subsets. In order to describe access structure in this presentation we'll use these pictures in which we have the power set of the set of participants and we painted red those subsets that are authorized. For this example the minimal access structure is the family of the subsets 1, 2, 3 and 3, 4. We'll go back to this description and we know that every monotone increasing family of subsets admits a secret sharing scheme so every monotone increasing family of subsets is the access structure of a scheme. Now we will present a general construction that is given a monotone increasing family of subsets we will construct a scheme realising this family. So given a monotone increasing family of subsets gamma what we can do is to share the secret independently for every subset A in gamma with the simple scheme we saw before that is we give a random element to each participant except for the last participant in A who will receive as minus the sum of the random elements. We can do it slightly better by sharing the secret independently only for those subsets in the minimal access structure. Now we analyse which is the share size of this construction. So if we want to share a secret that is just one bit we will take the previous scheme with fp equals f2 and since each participant may be in up to n-1 choose n over 2-1 minimal authorized subsets we have this upper bound on the max share size that is 2 to the n- small o of n. So an open problem in secret sharing is to find better constructions for general access structures. So idosaidon Nishijeki found the first general construction of secret sharing that is somehow similar to the one I presented before then Benelohan Leicester presented another technique to construct schemes for general access structure and also Briekel, Karsmer and Vichtersson but the upper bound was still on the share size was still the same. Recently Lyon-Bike-Untanatan presented a construction in which the share size is smaller and it was done by constructing the schemes with conditional disclosure of secret protocols. Then this work of Lyon-Bike-Untanatan was followed by other works and right now the best upper bound on the share size for general access structure is this upper bound and we also have lower bounds. So Sirmas proved that there is a family of access structures that have the property that any secret sharing scheme realizing one of these access structures must have share size N over log N or omega of N over log N. So this is the best lower bound we have for general access structure and so we have a huge gap between upper and lower bounds and we would like to know if we can reduce the upper bound or is that we can find better lower bounds. So that was our starting point and observe that the bounds we had presented before are upper bounds for the worst case that is upper bounds for all access structures. And to gain some understanding of this problem we studied the share size for almost all access structures and this is because in complexity theory many times almost all objects are the hardest and so we want to know if this is the case of secret sharing. And in this work we found better upper bounds on the share size for almost all access structures and almost all graph access structures and we also found better lower bounds for almost all access structures. And the main techniques and tools we used are robust conditional disclosure of secrets protocols which is a cryptographic primitive that was recently introduced and results on monotone Boolean functions, graphs and methods. Now we'll see the results we got for almost all access structures and what we found are better upper bounds on the share size for almost all access structures. And to do that we combined results by Korshunov about properties of monotone Boolean functions and the construction of Leuven by Kuntanathan I mentioned before that uses conditional disclosure of secret protocols and then we used different CDS protocols. Now I will give an idea of how we got this upper bound but before that I need to introduce some notation. I introduce fn that is the family of access structures with online parties and in general we say that almost all access structures satisfy a property queue if the limit one n tends to infinity of the access structures in fn that satisfy this property divided by the number of access structures in fn is one. So in order to find these results for almost all access structures we consider another family of access structures that is we call slice access structures and access structure is a slice access structure if all subsets of size greater than n over 2 plus 2 are authorized and subsets of size smaller than n over 2 minus 1 are forbidden and subsets of size between these two thresholds may be authorized or forbidden, there are no restrictions. So this situation is somehow illustrated in this picture where we have a region that is in red of authorized subsets and region wide with forbidden subsets and in between we have a being region in which we have subsets that are authorized or forbidden. So Korsunov found that almost all access structures are of this kind and moreover we know that each slice access structure admits a scheme with share size 2 to the big O of the square root of n log n this was found by Continental. So combining these two results we have that almost all access structures admit schemes with share size. These schemes we constructed here are not linear and we obtain in a similar way upper bounds for linear secretion schemes and it was by taking the same construction but with linear CDS protocols and taking multilinear CDS protocols we got multilinear schemes with a more type share size 2 to the big O of the square root of n log n and this is the table of the results we got. So multilinear schemes can be seen as a generalization of linear schemes and are schemes in which the secret is a sequence of elements from a finite field and the shares are generated by linear mappings and the amortar share size is the share size divided by the size of the secret which sometimes is also called information rating. We also got lower bounds and we proved that for almost all access structure the total share size of linear secretion schemes over fq is omega of 2 to the n over 3 minus small of n times log q for every finite field that is for almost all access structure it holds that for every finite field the total share size of linear secretion schemes have this restriction. We got this result by using counting arguments and a recent bound on the number of representable math rates and notice that there was a previous result that obtained the same lower bound but it was for each finite field. So this is the summary of the upper bounds and lower bounds we have for almost all access structures and all access structures. Now we go for results on graph secret sharing schemes but first we will have to introduce what are graph secret sharing schemes. So graph secret sharing schemes are schemes in which the minimal authorised subsets are of size 2. Since they are of size 2 the family of minimal authorised subsets defines a graph and so we talk about graph secret sharing schemes. So let G be an undirected graph we will define gamma G as the access structure in which the minimal authorised subsets are the edges of the graph and then schemes realising gamma G are called G secret sharing schemes. So we have an example here we have a graph with these three edges and the access structure determined by this graph is the access structure in which the minimal authorised subsets are the edges of the graph. So graph secret sharing schemes have been studied in many previous works and using the simple scheme we had before or the simple construction we had before we can construct a scheme in which the share size is n minus 1. Erdogan Piverr found a better construction in which the match share size is n over log n and the best lower bound is log n. So still for graph secret sharing we have a huge gap between upper bounds and lower bounds and we wanted to study the problem of optimising the share size for this family of access structures. In our work we introduced a family of schemes that are called GD secret sharing schemes that are schemes in which the minimal authorised subsets are GD secret sharing schemes are schemes in which the authorised subsets are those containing an edge of the graph G or subsets of size greater than t. So a subset is authorised if it contains an edge or its size is greater than t. For t equals 2 these schemes are also called forbidden graph secret sharing schemes and a key observation for our results is that if t is greater than the max size of the independent sets of the graph then gamma g union gamma t will be gamma g. It implies that GD secret sharing schemes will be G secret sharing schemes when t is greater than the max size of the independent sets of g. Now what we will see is how we got the upper bound on the share size for almost all graphs. So this is an example of GD secret sharing schemes so G is the same as before and this is the access structure of GD secret sharing schemes. So the access structure is the same except for this set that now is authorised because we took t to be 2 and so every subsets of size t is authorised. So in order to find our upper bounds we found a new connection between robust CDS protocols, which is a primitive introduced by upper bound, by NIR and PETA recently and GD secret sharing schemes. This connection extends the connection between CDS and forbidden graph secret sharing schemes that there was before and by means of this connection we found that for every graph there is a GD secret sharing scheme with max share size n to the small of 1 times t. And how we got an upper bound for almost all access structures so with this GD secret sharing scheme taking a small enough t and this was by observing that the size of maximal independent sets of random graphs is big O of log n and for this reason taking t to be big O of log n for almost all graphs GD secret sharing schemes realise gamma g, so gd schemes are g schemes. Therefore taking t to be big O of log n we have that almost all graphs admit schemes with max share size n to the small of 1. And these are the upper bounds we got again this construction this scheme is not linear and so we consider the linear case so we found also linear schemes for almost all graphs and multi-linear schemes and this is a complete picture of the situation so these are the upper bounds for almost all graphs and so we can see here that the upper bounds for almost all graphs are in between the upper bounds for forbidden graphs and for all graphs and the same happens for all them efficiency measures and also for the lower bounds and also another thing information here is that we found that almost all graphs require no admit schemes with information ratio O tilde of log n while there are graphs that require information ratio omega of square root of n and for that is for this case for the information rate of multi-linear schemes all graphs are not the hardest but this is something we cannot conclude from the other results we got from other efficiency measures we extended these results for graphs to specific families of graphs in particular to graphs from the GNP-Ardos journey distribution for which we presented upper bounds on the share size we provided better schemes for all very dense graphs improving previous constructions also we extended these instructions from graphs to hypergraphs and we found better secretionary schemes for access structures determined by k-hypergraphs that are hypergraphs in which hyperages are of size k and these are the results we got in this work and now we go for some conclusions and open problems so what we saw in this work is that for almost all access structures there exist secretionary schemes that are more efficient than the known schemes for the worst case and this is also the case for almost all graphs now we see some open problems one question is if there are all access structures are the hardest and if we can extend the upper bounds for almost all access structures to all access structures what we saw is that at least for the information ratio of multilinear schemes we cannot do it but the answer may differ for different efficiency measures and families of access structures another question is there a secretionary scheme for the amortized size for almost all access structures and this question is motivated by a recent result in which we found that slice one access structures admit schemes with amortized maximum size that is polynomial this big O of n squared and the last open question is that if we can extend this approach and these results to other cryptographic primitives with information theoretic security for instance to PSM protocols NPC protocols NPC protocols with some restrictions or private information retrieval and with these open problems I conclude the presentation of this work and thank you for your attention