arxiv:1604.01550v1 [cs.ds] 6 Apr 2016

A Multivariate Approach for Checking Resiliency in Access Control Jason Crampton 1, Gregory Gutin 1, Stéphane Pérennes 2, and Rémi Watrigant 1 1 Royal Holloway University of London, United Kingdom. 2 INRIA/I3S Sophia Antipolis, France. arxiv:1604.01550v1 [cs.ds] 6 Apr 2016 Abstract. In recent years, several combinatorial problems were introduced in the area of access control. Typically, such problems deal with an authorization policy, seen as a relation UR U R, where (u, r) UR means that user u is authorized to access resource r. Li, Tripunitara and Wang (2009) introduced the Resiliency Checking Problem (RCP), in which in addition to an authorization policy, we are given a subset of resources P R as well as integers s 0, d 1 and t 1. It asks whether upon removal of any set of at most s users, there still exist d pairwise disjoint sets of at most t users such that each set collectively has access to all resources in P. This problem possesses several parameters which appear to take small values in practice. We thus analyze the parameterized complexity of RCP with respect to these parameters, by considering all possible combinations of P, s, d, t. In every case, we are able to decide whether the problem is in FPT, XP, W[2]-hard, para-nphard or para-conp-hard. We also consider the restricted case where s = 0 for which we also determine the complexity for all possible combinations of the parameters, obtaining for some cases a best possible running time under the ETH. 1 Introduction 1.1 Context and definition of the problem Access control is a fundamental aspect of the security of any multi-user computing system. Typically, it is based on the idea of specifying and enforcing an authorization policy, identifying which interactions between a set of users U and a set of resources R are to be allowed by the system [9]. More formally, an authorization policy is defined as a relation UR U R, where (u, r) UR means that user u is authorized to access resource r. Quite recently, we have seen the introduction of resiliency policies, whose satisfaction indicates that a system will continue to function as intended in the absence of some number of authorized users [8, 10]. Li, Tripunitara and Wang s seminal work [8] introduces a number of problems associated with the satisfaction of a resiliency policy, motivated by practical purposes. Among others, they describe a situation where This research was partially supported by EPSRC grant EP/K005162/1. Gutin s research was also supported by Royal Society Wolfson Research Merit Award.

a system faces an emergency (e.g., a natural disaster), and some critical task needs to be performed in different sites by several teams of users. We thus require that each team has enough permissions (or ability) to carry out the task, while an upper bound on the size of teams can also be set (e.g., due to the limit of transportation means). For a user u U and a set of users V U, we define N UR (u) = {r R : (u, r) UR} the neighborhood of u and, by extension, N UR (V ) = u V N UR(u) the neighborhood of V, omitting the subscript UR if the authorization policy is clear from the context. Given an authorization policy UR U R, an instance of the Resiliency Checking Problem (RCP) is defined by a resiliency policy res(p, s, d, t), where P R, s 0, d 1 and t 1. We say that UR satisfies res(p, s, d, t) if and only if for every subset S U of at most s users, there exist d pairwise disjoint subsets of users V 1,..., V d such that for all i {1,..., d}: (i) V i S =, (ii) V i t, (iii) N(V i ) P. We now define the main problem we study in this paper: Resiliency Checking Problem (RCP) Input: UR U R, P R, s 0, d 1, t 1. Question: Does UR satisfy res(p, s, d, t)? Furthermore, we will adopt the bracket notation RCP used by Li et al. [8] to denote some restrictions of the problem, in which one or more parameters (among s, d and t) are fixed. In particular, we will consider the cases where s and d are respectively set to 0 and/or 1 (or other fixed positive values), while t might be set to, meaning that there is no constraint on the size of the sets (which is actually equivalent to t = P, implying that we may assume henceforth that t P ). For instance, RCP s = 0 denotes the variant in which s is fixed to 0, i.e. we ask for the satisfaction of res(p, 0, d, t). In the remainder of the paper, we set p = P. Given an instance of RCP, we say that a set of d pairwise disjoint subsets of users V = {V 1,..., V d } satisfying conditions (ii) and (iii) above is a set of teams. For such a set of teams, we define U(V ) = d i=1 V i. Given U U, the restriction of UR to U is defined by UR U = UR (U R). Finally, a set of users S U is called a blocker set if for every set of teams V = {V 1,..., V d }, we have U(V ) S. Equivalently, observe that S is a blocker set if and only if UR U\S does not satisfy res(p, 0, d, t). Throughout the paper, we set [d] = {1,..., d} for any integer d 1, and we will often make use of the O (.) notation, which omits polynomial factors and terms. 1.2 Parameters As one can see in the definition above, an instance of RCP contains several parameters (namely s, d and t) which may be used for the complexity analysis of

the problem. An interesting point of the work of Li et al. [8] is the following: while the number of users in an organization can be quite large, the other parameters (s, d, t, and even p) are expected to take smaller values in practice. In their experiments, the maximum values used are n = 100, p = 10 and d = 7 (they only run experiments on the variant where t =, but, as we observed previously, we may set t = p). With this in mind, we exploit the theory of fixed-parameter tractability in order to settle the parameterized complexity of the problem. Given an instance x (of size x ) of a decision problem, coming with a parameter 1 k, we are interested in algorithms deciding whether x is positive or negative in polynomial time when k is bounded above by a constant. More precisely, if such an algorithm has running time O(f(k) x O(1) ) for some computable function f, then we will say that this algorithm is FPT, while if its running time is O( x f(k) ) for some computable function f, we will say that this algorithm is XP (an FPT algorithm is thus an XP algorithm). By extension, FPT (resp. XP) denotes the class of all problems for which an FPT (resp. XP) algorithm exists. Proving the NP-hardness of a problem in the case where a parameter k is bounded above by a constant immediately forbids the existence of any XP (and thus FPT) algorithm unless P = NP. In this case, we will say that this parameterized problem is para-np-hard. A similar definition can be given using conp and conp-hard instead of NP and NP-hard, respectively, leading to the para-conp-hard complexity class. In the following, para-(co)nphard thus denotes the union of para-np-hard and para-conp-hard. Finally, the W[i]-hierarchy of parameterized problems is typically used to rule out the existence of an FPT algorithm, under the widely believed conjecture that FPT W[1]. For more details about fixed-parameter tractability, we refer the reader to the recent textbook and monograph of [2] and [5], respectively. 1.3 Related work As one can expect, the RCP problem is strongly related to some known combinatorial problems. Indeed, one can observe that RCP s = 0, d = 1 is equivalent to the Set Cover problem, while RCP s = 0, t = can be reduced in a straightforward way from the Domatic Partition problem. Li et al. [8] obtained several (mainly negative) results for RCP in some restricted cases which can be summarized by the following theorem. Theorem 1 ([8]). We have the following: RCP, RCP d = 1 and RCP t = are NP-hard and are in conp NP. RCP s = 0, d = 1, RCP s = 0, t = are NP-hard. RCP d = 1, t = can be solved in linear time. In addition, they developed and implemented an algorithm for RCP which roughly consists in(i) enumerating all subsets of at most s users, and (ii) for some carefully chosen subsets S, determining the satisfaction of res(p, 0, d, t) for 1 Note that one can aggregate several parameters p 1,..., p m by defining k = p 1 + + p m, in which case we will say the parameter is (p 1,..., p m).

UR U\S. Step (ii) is achieved by a SAT formulation of the problem and the use of an off-the-shelf SAT solver, while they develop a pruning strategy in order to avoid running the SAT solver for every set S. Quite surprisingly, they observe that the bottleneck of their algorithm lies in the second step, where an instance of RCP s = 0 has to be solved. This motivated us to focus on the parameterized complexity of RCP s = 0 separately. p, s, d, t 1.4 Contribution and organization of the paper Our goal in this paper is thus to determine the parameterized complexity of RCP and RCP s = 0 with respect to parameters p, t p, s p, p, s, d d, t, s, by d considering s, t d, t every possible combination of them. In each case, we aim to determine whether the problem is(i) in FPT, (ii) in XP but W[i]-hard for some i 1 or (iii) parap s d (co)np-hard. XP FPT p, s, t p, s, d p, d, t t para-np-hard s, d, t W[2]-hard FPT p, s, d, t p, s, t p, s, d p, d, t XP s, d, t FPT p, d, t XP p, d p, t d, t p, t p, s p, d s, d s, t d, t W[2]-hard p s t d para-(co)np-hard (a) RCP W[2]-hard p d t para-np-hard (b) RCP s = 0 Fig. 1: Schemas of the complexity of RCP and RCP s = 0 after the results obtainedfpt in thisp, d, paper. t XP p, d p, t d, t Figure 1 summarizes the (already known and) obtained results for RCP and RCP s = 0 withw[2]-hard respect to all possible combinations of the parameters specified previously. p An arrow A B means that A is a larger parameter than d t 1 B, in the sense para-np-hard that an FPT algorithm parameterized by B implies an FPT algorithm parameterized by A, and, conversely, any negative result mentioned previously parameterized by A implies the same negative result parameterized by B. Since (under classical complexity assumptions) a decision problem is either in one of the previous cases (i), (ii) or (iii), one can observe that the parameterized complexity of RCP (and thus RCP s = 0 ) is now completely determined with respect to all possible combinations of parameters p, d and t. In the next section, we report all our results for the general case RCP, namely: membership in XP parameterized by (s, d, t) (Theorem 2), 1

membership in FPT parameterized by p only. para-conp-hardness parameterized by (d, t) (Theorem 4), para-np-hardness parameterized by (s, t) (Theorem 5). Note that the para-np-hardness for (s, d) was already known (Theorem 1), as well as the W[2]-hardness for (s, d, t) (see explanation in Section 2.2). Section 3 contains all our results for the restricted case RCP s = 0 : we first provide an FPT algorithm parameterized by (d, p) with an optimal running time (under ETH) when d is fixed (Theorems 6 and 7). We also investigate the question of data (user) reductions and present positive and negative kernelization results depending on the considered variant: RCP s = 0 or RCP s = 0, t = (Theorem 8). Note that still concerning RCP s = 0, its W[2]-hardness for (d, t) is inherited from RCP, while the XP membership results from a brute-force enumeration of all subsets of users of size dt. We finally conclude the paper in Section 4. 2 The general case 2.1 Introduction and preliminaries First, observe that there exists a simple XP algorithm for RCP parameterized by (s, d, t). Indeed, recall that the problem actually aims to check whether there exists a set S U of size at most s such that for any set of teams V = {V 1,..., V d } we have S U(V ), and note that finding a set of teams is exactly the RCP s = 0 problem, which is in XP parameterized by (d, t). Hence, since U(V ) dt, by finding iteratively a set of teams and branching on each element to be removed from it (and included in the future blocker set), one can determine whether there exists a blocker set of size at most s in XP time parameterized by (s, d, t): Theorem 2. RCP is in XP when parameterized by (s, d, t) Despite its simplicity, this result is actually somehow tight. First, as we will see later (Section 2.2), RCP is W[2]-hard with this parameterization. In addition, considering a strict subset of {s, d, t} as a parameter makes the problem para-(co)np-hard (Theorems 1, 4 and 5). A way of going further is to replace t by p. Indeed, one can observe that we may always assume that t p. With this modification, we show in the next result how to get rid of parameters s and d by designing an FPT algorithm parameterized by p only. The idea of this algorithm is to use a system of linear inequalities, and to eliminate some variables of it. To do so, we use the so-called Fourier-Motzking elimination algorithm [3] which we now describe. Unless otherwise stated, all coefficients of the considered systems of linear equations belong to Q. We say that a system S of linear inequalities is consistent if and only if there is an assignment of variables for which all inequalities hold. Lemma 1. Let S be a system of m linear inequalities over a set of variables V, and let x V. Then it is possible to obtain, in time polynomial in m and V,

a system S of at most m 2 /4 inequalities over the set of variables V \ {x}, such that S and S are equivalent: S is consistent if and only if S is consistent. Proof. Let Q 1,..., Q m be the set of inequalities of S, V = {x 1,..., x n }. W.l.o.g. we show how to eliminate variable x n. To do so, let [m] = I I I be a partition of the inequalities depending on the sign of the coefficient of x n (we may assume that coefficient of x n is either 1, 0 or 1 in each inequality). More precisely: for all i I, inequality Q i is of the form x n b i n 1 j=1 aj i x j for all i I, inequality Q i is of the form x n b i n 1 j=1 aj i x j for all i I, the coefficient of x n in Q i is 0 (i.e. x n does not appear in Q i ) One can observe that we can obtain an equivalent system by replacing all inequalities in I I by the following formula: n 1 n 1 max{b i a j i x j} x n min{b i a j i x j} i I i I j=1 Which is, itself, equivalent to the conjunction of I I linear inequalities: for all i 1 I and all i 2 I, let Q i1,i 2 be the following inequality: j=1 n 1 n 1 b i1 a j i 1 x j b i2 a j i 2 x j j=1 By ( the foregoing, S is equivalent to the system S composed of inequalities I Q i1 I,i2 I i1,i 2 ). As desired, x n does not appear in S, and observe that S has at most m 2 /4 inequalities, the worst case being when I = I = m/2. j=1 We are now ready to prove the main result of this section. Theorem 3. RCP is FPT parameterized by p. Proof. Without loss of generality, we may assume P = R as well as N(u) for all u U. For all N P, let U N = {u U : N(u) = N} (notice that we might have U N = for some N P ). Roughly speaking, the idea of the algorithm relies on the fact that in order to construct a set of team or a blocker set, it is sufficient to know the size of its intersection with U N, for every N P. Let us define the following set whose elements will be called configurations: { } b C = {N 1,..., N b } : b t, N i P, i [b], N i = P. Then, for any N P, we note i=1 C N = {c = {N 1,..., N bc } C : N = N i for some i [b c ]}

the set of configurations involving N. Observe that since we assume t p, we have C = O(2 p2 ). The link between sets of teams and configurations comes from the following definition: given a set of teams V, we say that a team T V has configuration c = {N 1,..., N b }, b t if c = {N(u), u T }. In other words, c represents the distincts neighborhoods of users of T in P. First, we define a system of linear inequalities L over the set of variables X Z, where X = {x c : c C} and Z = {z N : z P } as follows: x c = d (1) c C c C N x c U N z N for every N P (2) An assignment of variables X (resp. Z) will be called valid if x c {0,..., d} for all c C (resp. z N {0,..., max{s, U N }} for all N P ). While we would be able to solve this system in FPT time parameterized by p, the reader might realize that doing so would not solve RCP directly. Nevertheless, the link between this system and our problem is the following: Lemma 2. res(p, s, d, t) is satisfiable iff L has a valid assignment of variables X for every valid assignment of variables Z such that N P z N s. Proof. Suppose first that res(p, s, d, t) is satisfiable, and let zn be a valid assignment for Z such that N P z N s. We now define a set of users S by picking, in an arbitrary manner, zn users in U N, for each N P (since zn max{s, U N }, such a set S must exist). Since S is a set of at most s users, there exists a set of teams V = {T 1,..., T d } such that U(V ) S =. Then, for each c C, let x c be the number of teams of V having configuration c. Clearly we have c C x c = d, and thus constraint (1) is satisfied. Then, for all N P, we may assume w.l.o.g. that T i U N 1 for all i {1,..., d}. Hence c C N x c equals U(V ) U N, which is the number of users of U N involved in some teams of V. Since U(V ) S =, we have c C N x c U N zn, and thus constraint (2) is also satisfied, i.e. L has a valid assignment of variables X. Conversely, let S U, S s. For each N P, define zn = S U N, which is thus a valid assignment of variables Z. Hence, there exists a valid assignment {x c : c C} of variables X. Then, for c = {N 1,..., N b } C, b t, consider a set of users T consisting of a user chosen arbitrarily in U Ni per each i [b]. By definition of a configuration, T is a team. Then, since for all N P, we have, by constraint (2), that c C N x c U N zn, it is possible to construct x c pairwise disjoint such team for each c C, each having an empty intersection with S. In other words, for every S U, S s, there exists a set of teams V such that U(V ) S =, and thus res(p, s, d, t) is satisfiable. The next step of the algorithm is to eliminate all variables X from the previous system, using the Fourier-Motzkin elimination algorithm described in Lemma 1. Since in our case L has 2 p + 2 inequalities (equation (1) is turned

into two inequalities), and since X = C = O(2 p2 ), applying the Fourier- Motzkin elimination for each variable of X successively, it is possible to obtain an equivalent system of linear inequalities L involving only variables Z, and having a number of inequalities bounded by a function of p only. If we denote by Q 1,..., Q r the inequalities of L, inequality Q i, i [r], has the following form: a i N z N b i N P where a i N, bi Q are constants for all N P, (depending on the instance, in particular on values of U N, N P ). By Lemma 2, one can test if res(p, s, d, t) is unsatisfiable by looking for an assignement of Z such that N P z N s which makes L unsatisfiable. Since L is unsatisfiable if and only if one inequality is false, it is sufficient to consider every inequality Q i independently, and to look for a valid assignment of variables Z such that z N s and a i N z N < b i N P One can observe that this problem is polynomial for each inequality Q i. Indeed, we can first pre-process all cases in which b > 0 or a N > 0 for some N P, and only solve remaining cases of the form: z N s N P N P d N z N B N P with d N, B Q + for all N P. We now have a Knapsack instance, for which a classical pseudo-polynomial algorithm allows us to conclude the proof. 2.2 Negative results It is worth pointing out that the reduction of [8, Lemma 3] proving the NPhardness of RCP s = 0, d = 1 actually proves the W[2]-hardness of this problem parameterized by t (from Set Cover parameterized by the size of the solution [5]). Another implication of this reduction is the para-np-hardness of RCP when parameterized by (s, d). We now complement this result by showing that RCP d = 1, t = τ is conp-hard for every fixed τ 3, implying para-conphardness of RCP parameterized by (d, t). Theorem 4. RCP d = 1, t = τ is conp-hard for every fixed τ 3. Proof. We reduce from the δ-hitting Set problem, in which we are given a ground set V = {v 1,..., v n }, a set S = {S 1,..., S m } with S j V and S j = δ for all j [m] and an integer k, and where the goal is to find a set C V of

size at most k and such that C S j for all j [m]. This problem is known to be NP-hard for every δ 2 [6]. Hence, let (V, S, k) be an instance of δ-hitting Set defined as above. For every j [m], fix an arbitrary ordering of S j, which can thus be seen as a tuple (v i1,..., v iδ ), allowing us to define S j [x] = v ix for all x [δ]. We define a set of users U = U V U S, where U V = {u V 1,..., u V n } and U S = {u S 1,..., u S m}. We then define a set of resources R = R V R S {r }, where R S } for all j [m], and where RV contains one resource rq V for every subset Q of δ 1 users of U V. We now define the authorization policy UR by giving N(u) for every u U. For every i [n], N(u V i ) is composed of {pj x : j [m], x [δ] such that S j [x] = v i } together with all resources rq V such that uv i / Q, for every subset Q of δ 1 users of U V. For all j [m], N(u S j ) is composed of r together with R S \ P j. To conclude the construction, we let P = R, t = δ + 1, d = 1, and s = k. Clearly this reduction can be done in polynomial time. The remainder consists in proving that every team (i.e. sets of at most t users having collectively access to all R) is of the form T j = {u V i 1,..., u V i δ, u S j } such that S j = {v i1,..., v iδ }. If this is true, then observe that since, for every = m j=1 P j with P j = {p j 1,..., pj δ j [m], user u S j only belongs to team T j, we will be able to suppose w.l.o.g. that it does not belong to any blocker set, and thus the set of all teams will be in one-to-one correspondence with the sets in S, implying that the obtained instance has a blocker set of size at most s (= k) if and only if there is a hitting set of size at most k. Let T U of size at most t. By construction, we need at least δ users from U V to have access to all resources in R V (indeed, every set Q of δ 1 users from U V has only access to R V \ {rq V S }), and we also need at least one user from U to have access to r. Hence, T U V = δ and T U S = {u S j } for some j [m]. Now, notice that u S j has access to all resources in R but P j, which implies that T U V must have collectively access to all resources in P j. However, this can only happen if T U V = {u V i 1,..., u V i δ }, where S j = {v i1,..., v iδ }, concluding the proof. We also settle the case of RCP parameterized by (s, t) (and thus RCP s = 0 parameterized by t). Theorem 5. RCP s = 0, t = 4 is NP-hard. Proof. We reduce from the 3-Dimensional Matching problem, in which we are given three sets X, Y and Z of n elements each, a set M X Y Z of hyperedges, and an integer k. The goal is to find M M with M k such that e, e M with e e, e = (x, y, z), e = (x, y, z ), we have x x, y y and z z (in that case, we will say that these two hyperedges are disjoint). We note m = M, X = {x 1,..., x n }, Y = {y 1,..., y n } Z = {z 1,..., z n }, and M = {e 1,..., e m }.

We then define the following set of resources: P = {r X 1,..., r X m} {r Y 1,..., r Y m} {r Z 1,..., r Z m} {r X, r Y, r Z, r } and a set of users U composed of U X, U Y, U Z and U, where, for all ω {X, Y, Z, }, we note U ω = {u ω 1,..., u ω n}. Then the authorization policy A is informally constructed as follows: for each hyperedge e j = {x i1, y i2, z i3 }, user u X i 1 (resp. u Y i 2, u Z i 3 ) has access to rj X (resp. rj Y, rz j ) and to r X (resp. r Y, r Z ), and user u j has access to all resources in P but rx j, ry j, rz j, r X, r Y and r Z. More formally, we have: A = {(u X i, r X j ) : x i belongs to e j, i [n], j [m]} {(u Y i, r Y j ) : y i belongs to e j, i [n], j [m]} {(u Z i, r Z j ) : z i belongs to e j, i [n], j [m]} {(u j, r ω h ) : ω {X, Y, Z}, j, h [m]j h} {(u ω i, r ω ) : i [n], ω {X, Y, Z}} {u j, r ) : j [m]} To conclude the construction, which can be done in polynomial time, we set d = k, and the resiliency policy is thus res(p, 0, d, 4). First, suppose that there exists a solution M for the 3-Dimensional Matching problem. Without loss of generality, assume that M = k, M = {e 1,..., e k }, and that e i = (x i, y i, z i ) for all i [k] (recall that all members of M are pairwise disjoint). Then, observe that for all i [k], user u i has access to all resources but ri X, ry i, rz i, r X, r Y and r Z. However, u X i has access to ri X and r X, user u Y i has access to ri Y and r Y, and user u Z i has access to ri Z and r Z. Hence, we have N({u X i, uy i, uz i, u i }) = P, and, since all members of M are pairwise disjoint, we thus constructed a set of teams for RCP s = 0, t = 4, or, in other words, res(p, 0, d, 4) is satisfiable. Conversely, suppose that there exist V 1,..., V d, pairwise disjoint subsets of U such that for all i [d], we have V i = 4 and N(V i ) = P. We first claim that for all i [d], V i intersects U X (resp. U Y, U Z and U ) on exactly one element. Indeed, otherwise, since V i = 4 and since all users in U X (resp. U Y, U Z, U ) have access to only r X (resp. r Y, r Z, r ) among {r X, r Y, r Z, r }, V i could not have access to all these resources. Thus, we know that for all i [d], we have V i = {u X i 1, u Y i 2, u Z i 3, u i 4 }, for some (i 1, i 2, i 3, i 4 ) [n] [n] [n] [m]. We claim that (x i1, y i2, z i3 ) = e i4. Indeed, observe that user u i 4 has access to all resources but ri X 4, ri Y 4, ri Z 4, r X, r Y and r Z. By construction, the only way for having N(V i ) = P is that user u X i 1 (resp. u Y i 2, u Z i 3 ) has access to resources ri X 4 (resp. ri Y 4, ri Z 4 ) or, in other words, that x i1 (resp. y i2, z i3 ) belongs to hyperedge e i4. Thus, there exists k pairwise disjoint hyperedges in M.

3 The case s = 0 We now turn to the particular case where s = 0. As we noted in Section 1, one motivation for studying this case is that it is the bottleneck of the algorithm of Li et al. [8] for RCP. Hence, we believe that designing efficient algorithms for this sub-case might help solving much larger instances of RCP than is possible currently. To this end, we now provide a complete characterization of the complexity when considering all possible combinations of parameters among p, d and t. We also investigate the question of reduction rules within the framework of kernelization, highlighting an interesting difference of behavior between RCP s = 0 and RCP s = 0, t =. 3.1 FPT algorithms The first algorithm is a dynamic programming-based approach similar to the one for Set Cover [5], in order to obtain an FPT algorithm for RCP s = 0 parameterized by (p, d). While this result was already known, given that RCP is itself FPT parameterized by p only, we provide for RCP s = 0 a better running time. In particular, as we will see later, a previous known reduction of Li et al. [8] actually proves that when d is fixed, the obtained running time is the best we can hope for, under the Exponential Time Hypothesis (ETH) 2. Theorem 6. RCP s = 0 can be solved in O (2 dp ) time. Proof. Let U = {u 1,..., u n }. We define a dynamic programming algorithm which, given any i [n] and any d-tuple of subsets of P (S 1,..., S d ), returns yes if there exist d mutually disjoint sets T 1,..., T d, each being a subset of {u 1,..., u i } and such that S j N(T j ) for all j [d], and returns no otherwise (in which case we will say that such an algorithm is correct). To do so, we define the following recursive formula DP. First, we set: DP (0, S 1,..., S d ) = 1 if and only if S j =, for all j [d]; DP (i,,..., ) = 1 for all i [n]. For the induction, let i [n] and S = (S 1,..., S d ) where S j P for all j [d]. Let J = {j [d] : S j }, and for all j J, define S j = (S 1,..., S j 1, S j \ N(u i ), S j+1,..., S d ). Finally, we set: DP (i, S) = DP (i 1, S) DP (i 1, S j ) j J Lemma 3. DP (i, S) is correct. 2 The ETH claims that SAT cannot be solved in O (2 o(n) ), where n is the number of variables in the CNF formula [7].

Proof. Suppose that T 1,..., T d are d mutually disjoint subsets of {u 1,..., u i } such that S j N(T j ) for all j [d]. We may assume that T j iff S j. Then, either u i / T j for all j [d], in which case DP (i 1, S) returns yes, or u i T j for some j [d], which implies S j and thus j J. In this case DP (i 1, S j ) returns yes. Conversely, if DP (i 1, S) return yes, then there exist d mutually disjoint sets T 1,..., T d, each being a subset of {u 1,..., u i 1 } (and thus a subset of {u 1,..., u i }), and such that S j N(T j ) for all j [d]. If DP (i 1, S j ) returns yes for some j J, then there exist d mutually disjoint sets T 1,..., T d, each being a subset of {u 1,..., u i } and such that S q N(T q ) for all q [d], q j, and S j \ N(u i ) N(T j ). In this case S j N(T j {u i }). Clearly, DP (n, P,..., P ) returns yes if and only if res(p, 0, d, t) is satisfiable. A table of size n2 dp is sufficient to store all intermediate results, while each step takes O(d) time, establishing the claimed running time. Li et al. [8] showed that RCP s = 0, t =, d = 3 is NP-hard, by a reduction from 3-Domatic Partition, which transforms a graph of n vertices into an instance (U, R, UR, res(p, 0, 3, )) with P = n. Since a 2 o(n) algorithm for 3- Domatic Partition would violate the ETH (by a linear reduction from SAT [1]), we have the following: Theorem 7. RCP s = 0, t =, d = 3 cannot be solved in 2 o(p) time unless the ETH fails. Hence, for fixed d, the algorithm described in Theorem 6 has an optimal running time. 3.2 User reductions We now focus on reduction rules which can be performed in polynomial time and result in an equivalent instance having a smaller number of users. More formally, we say that a (decision) problem has a kernel [5] of size f, for some computable function f : N N, if there exists a polynomial algorithm which, given an instance x with parameter k, outputs an instance x of size x with parameter k such that: (i) k k, (ii) x is positive if and only if x is positive, and (iii) x f(k). In the case of RCP s = 0 our aim is thus to obtain an equivalent instance with a number of users bounded by a function of d and t. While the role of t was so far of less interest for the complexity of the problem, we show that the problem behaves differently from the kernelization point of view, depending on whether t = or not. We first show that when t =, the problem admits a kernel with at most dp users. To do so, we will make use of the following: Lemma 4 (d-expansion Lemma [2]). Let d 1 be a positive integer and G = (A, B, E) be a bipartite graph with bipartition (A, B) and E A B such that for all b B, N(b). If B d A, then there exist non-empty vertex sets X A and Y B which can be found in time polynomial in the size of G, such that:

(i) N(Y ) X, and (ii) there is a d-expansion of X into Y : a collection M E (X Y ) such that every vertex of X is incident to exactly d edges of M, and exactly d X vertices of Y are incident to an edge of M. Theorem 8. RCP s = 0, t = admits a kernel with at most dp users. Proof. Suppose we are given an instance of RCP s = 0, t =. We present two reduction rules whose purpose is to decrease the number of users. For each of these rules, we will prove that the instance is positive iff the reduced instance is positive, in which case we will say that the rule is safe. Reduction Rule 1: if there exists u U with N(u) =, then delete u. Proof (of safeness). Simply observe that such a user cannot participate in any set of teams if the instance is positive, and, conversely, cannot turn a negative instance into a positive one if it is deleted. Reduction Rule 2: if there exist X P, Y U such that N(Y ) X and there is a d-expansion of X into Y, then delete X from P, Y from U, and (Y X) UR from UR. Proof (of safeness). If the instance is a positive one, then there exists a set of teams {V 1,..., V d }. Then, for all r P \ X, there does not exist u Y such that (u, r) UR, since N(Y ) X. Hence, N(V i \ Y ) P \ X, and thus {V 1 \ Y,..., V d \ Y } is a set of teams for the reduced instance, which is thus a positive one. Conversely, suppose that the reduced instance is a positive one: there exists V 1,..., V d, disjoints sets of users from U \ Y such that N(V i ) P \ X. Since there is a d-expansion of X into Y, for all r Y, there exists u r 1,... u r d Y such that (u r i, r) UR for all i [d], where ur i ur i for all r r and i i. Hence, for all i [d], if we set V i = V i {u r i all 1 i < j d, and N(V i instance as well, which proves that the rule is safe. : r Y }, we have V i V j = for ) P for all i [d], and thus we have a positive Since each reduction rule can be applied in polynomial time, and since each of them decreases the number of users by at least one, the algorithm runs in polynomial time. Finally, by Lemma 4, if none of the previous reduction rules applies, then U dp, and we thus have a kernel with at most dp users, as desired. As Li et al. [8] point out, RCP s = 0, d = 1 is equivalent to the Set Cover Problem. Known kernel lower bounds for this problem [4] lead to the following theorem, which is in sharp contrast to the previous case. Theorem 9. RCP s = 0, d = 1 (and thus RCP s = 0 ) does not admit a kernel with (p + t) O(1) users, unless conp NP/poly.

4 Conclusion and future work We considered RCP, a problem introduced recently in the area of access control that deals with the resiliency of a system. Given the large number of natural parameters in an instance of this problem, and given that these parameters are likely to take small values in practice, our goal was to provide a systematic analysis of the complexity of the problem using the framework of parameterized complexity. For all possible combinations of the natural parameters of the problem, we were able to settle the parameterized complexity of the problem. We also considered a restricted variant of the problem for which we gave some refined and tight complexity results as well as data reduction algorithms. A possible interesting further line of research would be to study resiliency aspects with respect to other problems. In the context of graphs for instance, we could define the problem of determining whether upon removal of at most s vertices, a given graph still satisfies some property given by another combinatorial problem, e.g. having a vertex cover of size k. We believe that considering structural parameterizations (together with s or not) might lead to interesting new results. As in our case, the complexity of such a new problem will certainly depend on the complexity of the considered underlying problem (i.e. the case s = 0). References 1. Nadia Creignou. The class of problems that are linearly equivalent to satisfiability or a uniform method for proving NP-completeness. Theoretical Computer Science, 145(1-2):111 145, 1995. 2. Marek Cygan, Fedor V. Fomin, Lukasz Kowalik, Daniel Lokshtanov, Dániel Marx, Marcin Pilipczuk, Michal Pilipczuk, and Saket Saurabh. Parameterized Algorithms. Springer, 2015. 3. George B Dantzig. Fourier-Motzkin elimination and its dual. Technical Report TR 72-18, Stanford University, 1072. 4. Michael Dom, Daniel Lokshtanov, and Saket Saurabh. Incompressibility through colors and IDs. In Automata, Languages and Programming, 36th International Colloquium, ICALP 2009, Rhodes, Greece, July 5-12, 2009, Proceedings, Part I, pages 378 389, 2009. 5. R. G. Downey and M. R. Fellows. Fundamentals of Parameterized Complexity. Texts in Computer Science. Springer, 2013. 6. M. R. Garey and D. S. Johnson. Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, 1979. 7. Russell Impagliazzo, Ramamohan Paturi, and Francis Zane. Which problems have strongly exponential complexity? J. Comput. Syst. Sci., 63(4):512 530, 2001. 8. Ninghui Li and Mahesh V. Tripunitara Qihua Wang. Resiliency policies in access control. ACM Trans. Inf. Syst. Secur., 12(4), 2009. 9. Ravi S. Sandhu, Edward J. Coyne, Hal L. Feinstein, and Charles E. Youman. Role-based access control models. IEEE Computer, 29(2):38 47, 1996. 10. Qihua Wang and Ninghui Li. Satisfiability and resiliency in workflow authorization systems. ACM Trans. Inf. Syst. Secur., 13(4):40, 2010.