A Network Reliability Approach to the Analysis of Combinatorial Repairable Threshold Schemes

A repairable threshold scheme (which we abbreviate to RTS) is a $(\tau,n)$-threshold scheme in which a subset of players can"repair"another player's share in the event that their share has been lost or corrupted. This will take place without the participation of the dealer who set up the scheme. The repairing protocol should not compromise the (unconditional) security of the threshold scheme. Combinatorial repairable threshold schemes (or combinatorial RTS) were recently introduced by Stinson and Wei. In these schemes,"multiple shares"are distributed to each player, as defined by a suitable combinatorial design called the distribution design. In this paper, we study the reliability of these combinatorial repairable threshold schemes in a setting where players may not be available to take part in a repair of a given player's share. Using techniques from network reliability theory, we consider the probability of existence of an available repair set, as well as the expected number of available repair sets, for various types of distribution designs.


Introduction to combinatorial repairability
Suppose that τ and n are positive integers such that τ ≤ n. Informally, a (τ, n)threshold scheme is a method whereby a dealer chooses a secret and distributes a share to each of n players (denoted by P 1 , . . . , P n ) such that the following two properties are satisfied: reconstruction: Any subset of τ players can compute the secret from the shares that they collectively hold, and secrecy: No subset of τ − 1 players can determine any information about the secret.
We call τ the threshold of the scheme. In this paper, we are only interested in schemes that are unconditionally secure. That is, all security results are valid against adversaries with unlimited computational power.
The efficiency of secret sharing is often measured in terms of the information rate of the scheme, which is defined to be the ratio ρ = log 2 |K|/ log 2 |S| (where S is the set of all possible shares and K is the set of all possible secrets). That is, the information rate is the ratio of the size of the secret to the size of a share. For a threshold scheme, a fundamental result states that ρ ≤ 1.
We briefly describe a standard construction for threshold schemes with optimal information rate, namely, the classical Shamir threshold scheme [6]. The construction takes place over a finite field F Q , where Q ≥ n + 1.
1. In the Initialization Phase, the dealer, denoted by D, chooses n distinct, non-zero elements of F Q , denoted x i , 1 ≤ i ≤ n. The values x i are public. For 1 ≤ i ≤ n, D gives the value x i to player P i . 2. In the Share Distribution phase, D chooses a secret Then D secretly chooses (independently and uniformly at random) a 1 , . . . , a τ −1 ∈ F Q .
Finally, for 1 ≤ i ≤ n, D computes the share y i = a(x i ), where a j x j , and gives it to player P i .
The problem of share repairability has been considered by several authors in recent years (see Laing and Stinson [5] for a survey on this topic). The problem setting is that a certain player P (in a (τ, n)-threshold scheme, say) loses their share. The goal is to find a "secure" protocol involving P and a subset of the other players that allows the missing share y to be reconstructed. (Of course the dealer could simply re-send the share to P , but we are considering a setting where the dealer is no longer present in the scheme after the initial setup.) In general, we will assume secure pairwise channels linking pairs of players.
A combinatorial solution to this problem was proposed by Stinson and Wei [8]. These schemes are termed combinatorial RTS. The construction is based on an old technique from [1, Theorem 1], namely, giving each player a subset of shares from an underlying threshold scheme called a base scheme. 1 Suppose the base scheme is an (σ, m)-threshold scheme, say a Shamir scheme, implemented over a finite field F Q . We then give each player a certain subset of d of the m shares. A set system (or design) consisting of n blocks of size d, defined on a set of m points, will be used to do this. This design is termed the distribution design.
We will call the shares of the base (σ, m)-threshold scheme subshares. Each share in the resulting (τ, n)-threshold scheme, which we call the expanded scheme, consists of d subshares. Suppose the shares in the base scheme are denoted s 1 , . . . , s m , and suppose that the points in the distribution design are denoted 1, . . . , m. Each player P i corresponds to a block B i of the distribution design. For each point x ∈ B i , the player P i is given the subshare s x . The points in a block are indices of subshares received by a given player. The blocks are public information, while the values of the shares and subshares are secret.
We need to ensure that the relevant threshold property is satisfied for the expanded threshold scheme. We also need to be able to repair the share of any player in the expanded scheme by appropriately choosing a certain set of other players, who will then send appropriate subshares to the player whose share is being repaired.
Let the blocks in the distribution design be denoted B 1 , . . . , B n and let X denote the set of m points on which the design is defined. The desired threshold property for the expanded scheme will be satisfied provided that the following two conditions hold in the distribution design: (1) the union of any τ blocks contains at least σ points and (2) the union of any τ − 1 blocks contains at most σ − 1 points.
Summarizing, we have the following theorem from [8].  (1) and (2) are satisfied for the given distribution design. Then, if we use a base (σ, m)-threshold scheme in conjunction with the given distribution design, we obtain an expanded (τ, n)-threshold scheme.
1.1. Repairing a share. Now, suppose we want to repair the share for a player P corresponding to the block B . For each point x ∈ B , we find another block that contains x. The corresponding player can send the subshare s x corresponding to x to P . We illustrate the technique with an example.
Example 1.1. Suppose we start with a (9, 3, 1)-BIBD (an affine plane of order 3), which has n = 12 blocks of size d = 3. There are m = 9 points in the design. We associate a block of the design with each player: Each player gets d = 3 shares from a (5, 9)-threshold scheme, as specified by the associated block. This threshold scheme has nine shares, denoted s 1 , . . . , s 9 . Each block lists the indices of shares held by a given player; thus P 1 has the shares s 1 , s 2 and s 3 . Each block contains three points and the union of any two blocks contains at least five points. Thus (1) and (2) are satisfied for τ = 2 and σ = 5 and therefore the expanded scheme is a (2, 12)-threshold scheme. Now suppose P 1 wishes to repair their share. P 1 requires the subshares s 1 , s 2 and s 3 . The subshare s 1 can be obtained from P 4 , P 7 or P 10 ; the subshare s 2 can be obtained from P 5 , P 8 or P 11 ; and the subshare s 3 can be obtained from P 6 , P 9 or P 12 .
In general, it is not a requirement that the d subshares are obtained from d different blocks. For example, it could happen that d = 3, one block contributes two subshares, and one block contributes one subshare during the repairing process. See Section 3 for further discussion of this idea.
It is quite simple to analyze the security of combinatorial repairability. The main point to observe is that the information collectively held by any subset of players (after the repairing protocol is completed) consists only of their shares in the expanded scheme. They did not obtain any information collectively that they did not already possess before the execution of the repairing protocol. So, it is immediate that a set τ − 1 players cannot compute the secret after the repairing of a share occurs.
The paper [8] provides several constructions for combinatorial RTS. Different distribution designs are studied and analyzed according to various metrics. Here, we are only interested in repairability properties, so we do not address these other metrics.
1.2. Reliability. Given a player P in a combinatorial RTS, a subset of players that can repair P 's share is called a repair set for P . A repair set P for a player P is minimal if no proper subset of P is a repair set for P . In Example 1.1, there are 3 3 = 27 minimal repair sets for any given player.
We are interested in studying the situation where some of the players might not be available when asked to provide a subshare to repair another player's share. We will make the assumption that any player is available with a fixed probability p (and therefore unavailable with probability 1 − p). We also assume that the availability of any player is independent of the availability of any other player. A repair set is available if every player in the set is available.
In the above setting, we can ask two basic questions for a given player associated with a given distribution design: 1. What is the probability R(p) that there is at least one available repair set? 2. What is the expected number E(p) of available minimal repair sets? We illustrate these concepts by considering the distribution design presented in Example 1.1.

Example 1.2.
There is an available repair set for P 1 if and only if • at least one of P 4 , P 7 or P 10 is available, • at least one of P 5 , P 8 or P 11 is available, and • at least one of P 6 , P 9 or P 12 is available. Therefore, for P 1 , In fact, R(p) takes on the same value for any player in this RTS.
To compute the expected number of minimal repair sets, we observe that there are 27 minimal repair sets, each of which is available with probability p 3 . By linearity of expectation, E(p) = 27p 3 . Again, this value is the same for any player in the scheme.
1.3. Design theory definitions. We now review some standard definitions and basic results from design theory. Most of these results can be found in standard references such as [3].
contains exactly k points, and 3. every pair of distinct points from X is contained in exactly λ blocks. blocks. The value r is termed the replication number.
contains exactly k points, and 3. every set of t points from the set X occurs in exactly λ blocks.
Theorem 1.13. An inversive geometry exists for any d ≥ 2 if n is a prime power.

1.4.
Organization of the paper. The remaining sections of the paper are organized as follows. In Section 2, we study the reliability metrics for BIBDs. In Section 3, we turn to t-designs with t > 2, which have not previously been studied as distribution designs. After addressing the possible thresholds that can be obtained, we again consider the reliability metrics. Finally, Section 4 is a brief summary.

Using BIBDs as distribution designs
Stinson and Wei [8] examined several types of BIBDs with λ = 1 for use as distribution designs in combinatorial RTS. They studied the thresholds of these RTS as well as their efficiency with respect to storage, communication complexity and computational complexity. In this section, we study the reliability of these RTS using the measures defined in Section 1.2.
Before proceeding further, we define some notation that will be used in the rest of the paper.  Suppose (X, B) is a distribution design for a combinatorial RTS. For any fixed block B i ∈ B, let P i be the corresponding player in the RTS. Further, for any x j ∈ B i , define As in Section 1.2, we define R(p) to be the probability that there is at least one available repair set for a given player.
-BIBD that is used as a distribution design for a combinatorial RTS, and let P i be any player in the scheme. Then Proof. Let the block corresponding to P i be B i = {x 1 , . . . , x k }. Consider the sets C j , for 1 ≤ j ≤ k, as defined in Definition 2.1. Clearly |C j | = r − 1 for 1 ≤ j ≤ k and C j ∩ C j = ∅ if j = j .
The probability that at least one player in P j is available is 1 − (1 − p) r−1 . Then, since the sets P j are disjoint, the probability that at least one player in each P j is available is ( Now we consider the expected number of repair sets when using a (v, k, 1)-BIBD as a distribution design. Theorem 2.3. Suppose (X, B) is a (v, k, 1)-BIBD that is used as a distribution design for a combinatorial RTS, and let P i be any player in the scheme. Then The minimal repair sets are precisely the sets in P 1 × · · · × P k . The number of minimal repair sets is therefore (r − 1) k . The probability that a given minimal repair set is available is p k .
Let the minimal repair sets be enumerated as M 1 , . . . , M s , where s = (r − 1) k . For 1 ≤ i ≤ s, let the random variable X i be defined as Clearly E[X i ] = p k for all i. Define X = X 1 + X 2 + · · · + X s ; by linearity of expectation. Therefore, It would of course be possible to use a (v, k, λ)-BIBD as a distribution design even if λ > 1. Unfortunately, there do not seem to be general formulas, analogous to Theorems 2.2 and 2.3, for these designs.

Using t-designs as distribution designs
It is also possible to use t-(v, k, 1)-designs with t > 2 as distribution designs. This idea has not previously been discussed in the literature. One possible advantage over just using 2-designs is that blocks can intersect in more than one point, so a repair may be possible by contacting a smaller number of other players. Since blocks in a t-(v, k, 1)-design can intersect in up to t − 1 points, it follows that a repair can be carried out by contacting k t−1 other players, if they are available. First, we determine the thresholds that can be achieved, in particular, by Steiner quadruple systems and inversive geometries. Later in this section we analyze the reliability of the RTS derived from them.

Distribution designs and thresholds.
For a given distribution design, it is of interest to determine the thresholds that can be realized in an expanded scheme. This involves choosing values for τ and σ in such a way that (1) and (2) are satisfied, and then applying Theorem 1.1. We provide some results along this line in this section. We note that similar techniques were used in [8] for 2-designs. Proof. Let τ = 2 and σ = 6. It is clear that one block in an SQS(v) contains exactly four points. Two blocks contain at least six points, because two blocks intersect in at most two points. Therefore, (1) and (2) are satisfied when τ = 2 and σ = 6, and we obtain an expanded scheme with threshold 2. Now, we show how to construct RTS with threshold 3 from certain t-designs. Proof. Let τ = 2 and σ = 3k −3(t−1). Clearly the union of any two blocks contains at most 2k points. Now consider three blocks. If any two of these blocks have t − 1 points in common, and these three intersections are disjoint, then the three blocks contain 3k − 3(t − 1) points, which is the minimum possible. In order for (1) and (2) to be satisfied, we require 3k − 3(t − 1) ≥ 2k + 1, which is equivalent to k ≥ 3t − 2. If this inequality is satisfied, then the expanded scheme has threshold 3.
More generally, we have the following result, which has a similar proof. Theorem 3.3. A t-(v, k, 1)-design can be used as a distribution design to produce an RTS with threshold τ if k ≥ τ 2 (t − 1) + 1.
The inversive geometries allow us to construct RTS with any desired threshold. Taking t = 3 in Theorem 3.3, we have the following corollary. Corollary 1. A 3-(v, k, 1)-design can be used as a distribution design to produce an RTS with threshold τ if k ≥ τ (τ − 1) + 1.

3.2.
Reliability. In our analysis, to compute the reliability metrics for repair sets, we employ the use of cutsets from network reliability theory (see Colbourn [2] for basic results and terminology relating to network reliability). When using BIBDs as distribution designs, we were able to easily compute reliability formulas in Section 2 without the use of this methodology because the sets C j were disjoint. However, it is advantageous to use cutsets to analyze the reliability of the RTS constructed using distribution designs with t ≥ 3.
In this section, for brevity, we will conflate the notion of players and blocks and express all our arguments in terms of blocks of the distribution design (X, B). 3.3. Existence of available repair sets for t-(v, k, 1) designs. First, we consider Steiner quadruple systems, as a warmup. Then we generalize our formulas to arbitrary t-(v, k, 1) designs.
where p is the probability that a block is available. Then where r 1 = v−1 2 /3 and r 2 = v−2 1 /2 are the replication numbers of the SQS. Proof. From Lemma 3.6, a repair set exists if no C j fails, 1 ≤ j ≤ 4. Therefore, For 1 ≤ j ≤ 4, let E j denote the event that C j fails. We have We note the following.
Applying the principle of inclusion-exclusion, we have Therefore, The following can be proven in a similar manner.
where p is the probability that a block is available. Then , for 1 ≤ j ≤ t, are the replication numbers of the design, and Proof. We use similar notation as in the proof of Theorem 3.7. We compute Pr[at least one C j fails] = Pr[E 1 or E 2 or E 3 or E 4 or · · · or E k ].
Let e i denote the cardinality of the union of i of the sets C 1 , . . . , C k . We will apply the principle of inclusion-exclusion to compute the values of the e i 's. Note that we make use of the fact that no block intersects B in more than t − 1 points, so the intersection of t or more of the sets C 1 , . . . , C k is empty. Therefore, etc., where no sum contains terms past r t−1 . In general, Now that we have computed e i for each i, we can evaluate the probability that any number of C i 's fail. Recall that q = 1 − p, where p is the probability the player with that share is available. A second application of the principle of inclusion-exclusion yields the desired result: 3.4. Expected number of minimal repair sets for SQS. In general, we can determine the expected number of repair sets for a given distribution design if we know all the minimal repair sets. The following formula, which is proven in the same fashion as Theorem 2.3, can be used. Of course, for an arbitrary distribution design, there can be minimal repair sets of various sizes. For example, in the case of Steiner quadruple systems, minimal repair sets can be of size two, three or four.
We illustrate the computation of the expected number of available minimal repair sets on a particular design, namely, the SQS(10). The total number of choices for these two blocks is 3 × 3 × 3 = 27 (there are three subcases, and in each subcase there are three choices of each of the two blocks). Therefore, the expected number of minimal repair sets of size two is 27p 2 .
A minimal repair set of size four consists of four blocks having the following form: • a block containing 1, but none of 2, 4, 5 • a block containing 2, but none of 1, 4, 5 • a block containing 4, but none of 1, 2, 5 • a block containing 5, but none of 1, 2, 4.
There are two choices for each of these four blocks, so the total number of choices is 2 4 = 16. Therefore, the expected number of minimal repair sets of size four is 16p 4 . A minimal repair set of size three can have three possible forms: type pair-pair-pair:: three pairs intersecting in a point, e.g., 12, 14, 15. There are four configurations of this type. type pair-pair-point:: two pairs intersecting in a point, and a disjoint point e.g., 12, 14, 5. There are twelve configurations of this type. type pair-point-point:: one pair, and two disjoint points, e.g., 12, 4, 5. There are six configurations of this type.

Finally, we have
The general case of an SQS(v) is similar. We tabulate the expected number of minimal repair sets of the various types in the Table 1.
We can now combine the expected number of repair sets for each size and type to produce the expected number of repair sets, which we record in the following theorem.

Discussion and summary
The material in this paper is from the Masters Thesis of the first author [4].
We have introduced the problem of studying reliability of combinatorial RTS. We employed techniques from network reliability theory to aid in the derivation of some of our formulas. Perhaps this approach will prove useful in other combinatorial design problems that can be phrased in terms of network reliability.
A separate but related question is how to design efficient algorithms to actually find a repair set for various kinds of distribution designs. This problem is discussed in detail in [4] where algorithms are developed for the various types of designs we have considered. We note that different fault models for node failures (i.e., permanent vs transient faults) are discussed in [4]. Various metrics are also analyzed, such as storage requirements and communication complexity, as well as tradeoffs between these metrics.