
A non-interactive (t,n)-publicly verifiable multi-secret sharing scheme

Published in Designs, Codes and Cryptography

Abstract

A non-interactive publicly verifiable multi-secret sharing (PVMSS) scheme is a secret sharing scheme in which the dealer shares multiple secrets among the participants and anyone can verify the validity of the shares using only public information. We propose the first PVMSS scheme based on homogeneous linear recursions (HLR) and the discrete logarithm equality (DLEQ) protocol. Compared with previous PVMSS schemes, it has better performance and offers several methods for the recovery phase. Moreover, we prove its security with a formal method.



Corresponding author: Samaneh Mashahdi.

Communicated by C. Blundo.

Appendix A

Proof 1

Let \(\mathcal {A}\) be an adversary against the IND security of our PVMSS scheme. We construct a probabilistic polynomial-time distinguisher \(\mathcal {B}\) for the DDH assumption that uses \(\mathcal {A}\) as a subroutine, as follows:

  1. \(\mathcal {C}\) starts the game \(\mathcal {G}_1\) and chooses a multiplicative group \(G_q\) of prime order q, according to the security parameter \(\lambda \). Then, \(\mathcal {C}\) chooses a random generator \(g \in G_q\).

  2. \(\mathcal {C}\) chooses \(x, y \in _R {\mathbb {Z}}_q\).

  3. \(\mathcal {C}\) computes \(\Gamma _0 = g^{xy}\) and chooses \(\Gamma _1 \in _R G_q\).

  4. \(\mathcal {C}\) chooses \(\upsilon \in _R \{0, 1\}\) and sends \((g, g^x, g^y, \Gamma _{\upsilon })\) to \(\mathcal {B}\).

    (a) \(\mathcal {A}\) starts the game \(\mathcal {G}_3\) and publishes \(P=\{p_1, \ldots , p_{n} \}\) as the set of participants and an integer \(t \le n\) as the threshold.

    (b) Using the Ini-phase of our non-interactive \((l,t,n)\)-PVMSS scheme, \(\mathcal {B}\) obtains \(SP=(\lambda , \alpha , P, t, l, G_q, g, g_1, H)\), where \(P=\{p_1, \ldots , p_{n} \}\) is the set of participants and \(g_1=g^{x}\) is taken from the DDH instance. Let \(l \ge t\). For each \(p_i \in P\), \(\mathcal {B}\) assigns a private key \(x_i \in _R {\mathbb {Z}}_q\) and computes \(y_i=(g_1)^{x_i}\) as the public key of \(p_i\). \(\mathcal {B}\) sends SP and \(\{y_i \}_{i=1}^{n}\) to \(\mathcal {A}\).

    (c) \(\mathcal {A}\) chooses \(B \subset P\) with \(|B| \le t-1\) and publishes B as the set of corrupted participants. Without loss of generality suppose \(B=\{p_1, \dots , p_{t-1} \}\).

    (d) \(\mathcal {B}\) sends the private keys \(\{x_i \}_{i=1}^{t-1}\) to \(\mathcal {A}\).

    (e) \(\mathcal {A}\) chooses \(k_0, \ldots , k_{l-1} \in _R {\mathbb {Z}}_q\) and gives the set of secrets \(\{k_0, \ldots , k_{l-1} \}\) to \(\mathcal {B}\). \(\mathcal {B}\) proceeds as follows:

      • Choose one corrupted participant \(p_j \in \{p_1, \dots , p_{t-1} \}\) and set \(X_{j+l-1}=g^y\). Without loss of generality suppose \(p_j=p_1\), so that \(X_{l}=g^y\).

      • Compute \(X_i=g^{k_i}\) for each \(i \in \{0, 1, \dots , l-1\}\).

      • Compute \(\lambda _{i,j}= \prod _{\{ e \in \{1, \dots , l\}, e \ne i \} } \frac{j-e}{i-e} \mod q\), for each \( i \in \{1, \dots , l\}\) and \(j \in \{l+1, \dots , n+2l-t-1\} \).

      • Compute \(X_j= \prod _{i \in \{1, \dots , l \} } (X_{i})^{ \alpha ^{-i} \lambda _{i,j} }\), for each \(j \in \{l+1, \dots , n+l-1\} \).

      • Compute \(G_i= (g_1)^{k_i}\) for each \(i \in \{0, \dots , l-1\}\) and set \(G_{l}=\Gamma _{\upsilon }\).

      • Compute \(G_j= \prod _{ i \in \{1, \dots , l\} } (G_{i})^{\alpha ^{-i} \lambda _{i,j} }\) for each \(j \in \{l+1, \dots , n+2l-t-1\} \).

      • Compute the encrypted shares \(Y_i=(G_{i+l-1})^{x_i}\) for each \(i \in \{1, \dots , n\}\).

      • Set \( \delta _i=G_{n+l+i-1}\) for each \(i \in \{1, \dots , l-t\}\).

      • Choose \(b_1, \ldots , b_{n}, \zeta _1, \ldots , \zeta _{n} \in _R {\mathbb {Z}}_q\) and, for each \(i \in \{1, \dots , n\}\), program the random oracle H by defining

        $$\begin{aligned} \zeta _i=H(g || y_i || X_{i+l-1} || Y_i || (X_{i+l-1})^{b_i} g^{-\zeta } || Y_i^{b_i} y_i^{-\zeta }), \end{aligned}$$

        where \(\zeta =\zeta _1 \oplus \cdots \oplus \zeta _{n}\).

      • Save the defined values in the H-Table.

    (f) If \(\mathcal {A}\) asks \(\mathcal {B}\) for the hash of a value e and H(e) has not been defined yet, \(\mathcal {B}\) chooses a random value \(e' \in \{0, 1\}^{\lambda }\), defines \(H(e)=e'\), saves \(H(e)=e'\) in the H-Table and returns \(e'\) to \(\mathcal {A}\). If H(e) has already been defined, \(\mathcal {B}\) returns the value \(e'\) stored for it in the H-Table.

    (g) \(\mathcal {B}\) sends the following values to \(\mathcal {A}\):

      $$\begin{aligned} (\{ \zeta _i\}_{i=1}^{n},\{b_i\}_{i=1}^{n}, \{X_i\}_{i=0}^{n+l-1}), \{Y_i\}_{i=1}^{n}, (\delta _{1}, \ldots , \delta _{l-t}). \end{aligned}$$

      \(\mathcal {A}\) may repeat step (e) a polynomial number of times, asking \(\mathcal {B}\) for the witness and the encrypted shares of different sets of secrets.

    (h) \(\mathcal {A}\) chooses two different sets of secrets \(K_0 = \{k_{0,0}, \ldots , k_{0,l-1} \}\) and \(K_1=\{k_{1,0}, \ldots , k_{1,l-1} \}\) and sends them to \(\mathcal {B}\).

    (i) \(\mathcal {B}\) chooses \(\tau \in _R \{0, 1\}\). As in step (e), using the set of secrets \(K_{\tau }\), \(\mathcal {B}\) obtains a new witness \((\{ \zeta _i\}_{i=1}^{n}, \{b_i\}_{i=1}^{n}, \{X_i\}_{i=0}^{n+l-1})\), new encrypted shares \(\{Y_i\}_{i=1}^{n}\) and public values \(\delta _1, \dots , \delta _{l-t}\), and sends them to \(\mathcal {A}\).

    (j) \(\mathcal {A}\) may again repeat step (e) a polynomial number of times, asking \(\mathcal {B}\) for the witness and the encrypted shares of different sets of secrets.

    (k) Finally, \(\mathcal {A}\) outputs a bit \(\tau '\).

  5. \(\mathcal {B}\) outputs a bit \(\upsilon '\) as follows:

    • If \(\tau = \tau '\) then \(\mathcal {B}\) decides \(\Gamma _{\upsilon }= g^{xy}\) and outputs \(\upsilon '=0\).

    • Otherwise \(\mathcal {B}\) decides \(\Gamma _{\upsilon } \ne g^{x y}\) and outputs \(\upsilon '=1\).

If \(\Gamma _{\upsilon }= g^{xy}\), then \(y=u_l=p(l) \alpha ^{l} \mod q\) and \((Y_1)^{x_1^{-1}}=\Gamma _{\upsilon }\) is the correct share of participant \(p_1\). So \(\mathcal {A}\) holds \(t-1\) correct shares and guesses \(\tau \) correctly with probability \(\frac{1}{2} + \eta (\lambda )\), where \(\eta (\lambda )\) is the advantage of \(\mathcal {A}\) in the IND game. If \(\Gamma _{\upsilon } \ne g^{xy}\), then \(u_l\) is a random element of \({\mathbb {Z}}_q\), the shares of the participants in B are \(t-1\) random values, and \(\mathcal {A}\) guesses \(\tau \) correctly with probability \(\frac{1}{2}\). Therefore,

$$\begin{aligned} \text {Pr}[\upsilon =\upsilon '] &= \text {Pr}[\upsilon =\upsilon ' \mid \Gamma _{\upsilon }=g^{xy}]\, \text {Pr} [\Gamma _{\upsilon }=g^{xy}] + \text {Pr}[\upsilon =\upsilon ' \mid \Gamma _{\upsilon } \ne g^{xy}]\, \text {Pr} [\Gamma _{\upsilon } \ne g^{xy}] \\ &= \frac{1}{2} \Big (\frac{1}{2} + \eta (\lambda )\Big )+ \frac{1}{2} \cdot \frac{1}{2}= \frac{1}{2} + \frac{1}{2} \eta (\lambda ). \end{aligned}$$
(6)

Using relation (6), we have

$$\begin{aligned} \textsf {Adv}^{\mathrm {DDH}}_{\mathcal {B}} (\lambda ) = \Big | \text {Pr}[ \upsilon = \upsilon ']- \frac{1}{2}\Big | = \frac{1}{2} \eta (\lambda ) \le \textsf {Adv}^{\mathrm {IND}}_{\mathcal {A}} (\lambda ). \end{aligned}$$
(7)

Hence \(\textsf {Adv}^{\mathrm {DDH}}_{\mathcal {B}} (\lambda ) \le \textsf {Adv}^{\mathrm {IND}}_{\mathcal {A}} (\lambda )\), and more precisely \(\textsf {Adv}^{\mathrm {IND}}_{\mathcal {A}} (\lambda ) = 2\,\textsf {Adv}^{\mathrm {DDH}}_{\mathcal {B}} (\lambda )\): if \(\eta (\lambda )\) were non-negligible, \(\mathcal {B}\) would break the DDH assumption. \(\square \)
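Step (e) of Proof 1 is the usual Fiat-Shamir random-oracle programming: the simulator picks the responses \(b_i\) and the hash values \(\zeta _i\) first, derives the two commitments backwards from the verification equation, and then defines H on exactly those inputs, so the witness verifies although no share \(u_i\) was ever used. The following Python, added here as an illustration and not taken from the paper, implements the DLEQ relation that the verification equation above describes, over a toy group (p = 1019, q = 509, g = 4, constructed for the example) with hash outputs reduced mod q instead of \(\lambda \)-bit strings. The honest prover (commitments \(g^{r_i}, y_i^{r_i}\), combined challenge \(\zeta = \zeta _1 \oplus \cdots \oplus \zeta _n\), response \(b_i = (r_i + \zeta ) u_i^{-1}\)) is reconstructed from that equation because the scheme's own description is not on this page, and \(g_1\) is simply a second fixed generator here; both are assumptions of the example.

```python
import hashlib
import secrets

# Toy prime-order group constructed for this example: p = 2q + 1, G = 4 has order q.
# Real deployments use a ~256-bit q; these values only keep the arithmetic readable.
P, Q, G = 1019, 509, 4
G1 = pow(G, 17, P)          # second generator g_1 for public keys y_i = g_1^{x_i} (assumption)


def encode(*parts):
    """Unambiguous byte encoding of the tuple hashed by H (the page writes it with '||')."""
    return b"|".join(str(x).encode() for x in parts)


class RandomOracle:
    """H as a lazily sampled table. query() behaves like a hash; program() is the
    simulator's hook from steps (e)/(f) of Proof 1. Outputs are reduced mod q here."""

    def __init__(self):
        self.table = {}

    def query(self, msg):
        if msg not in self.table:
            self.table[msg] = int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q
        return self.table[msg]

    def program(self, msg, value):
        if msg in self.table:
            raise RuntimeError("H already defined on this input; the simulation would abort")
        self.table[msg] = value


def xor_all(values):
    z = 0
    for v in values:
        z ^= v
    return z


def dleq_prove(shares, pubkeys, H):
    """Dealer side, reconstructed from the verification relation on the page (assumption):
    X_i = g^{u_i}, Y_i = y_i^{u_i}, commitments g^{r_i} and y_i^{r_i},
    zeta_i = H(g||y_i||X_i||Y_i||g^{r_i}||y_i^{r_i}), zeta = XOR of all zeta_i,
    b_i = (r_i + zeta) / u_i mod q (so u_i must be nonzero)."""
    X = [pow(G, u, P) for u in shares]
    Y = [pow(y, u, P) for y, u in zip(pubkeys, shares)]
    r = [secrets.randbelow(Q - 1) + 1 for _ in shares]
    zetas = [H.query(encode(G, y, Xi, Yi, pow(G, ri, P), pow(y, ri, P)))
             for y, Xi, Yi, ri in zip(pubkeys, X, Y, r)]
    zeta = xor_all(zetas)
    b = [(ri + zeta) * pow(u, -1, Q) % Q for ri, u in zip(r, shares)]
    return X, Y, zetas, b


def dleq_verify(X, Y, zetas, b, pubkeys, H):
    """Public check from the page: recompute zeta and test
    zeta_i == H(g||y_i||X_i||Y_i||X_i^{b_i} g^{-zeta}||Y_i^{b_i} y_i^{-zeta}) for every i."""
    zeta = xor_all(zetas)
    for y, Xi, Yi, zi, bi in zip(pubkeys, X, Y, zetas, b):
        a1 = pow(Xi, bi, P) * pow(G, -zeta, P) % P
        a2 = pow(Yi, bi, P) * pow(y, -zeta, P) % P
        if H.query(encode(G, y, Xi, Yi, a1, a2)) != zi:
            return False
    return True


def dleq_simulate(X, Y, pubkeys, H):
    """Step (e) of Proof 1: pick b_i and zeta_i first, derive the commitments backwards
    from the verification equation, and program H so the witness verifies even when
    log_g X_i != log_{y_i} Y_i. No share u_i is needed."""
    n = len(X)
    b = [secrets.randbelow(Q) for _ in range(n)]
    zetas = [secrets.randbelow(Q) for _ in range(n)]
    zeta = xor_all(zetas)
    for y, Xi, Yi, zi, bi in zip(pubkeys, X, Y, zetas, b):
        a1 = pow(Xi, bi, P) * pow(G, -zeta, P) % P
        a2 = pow(Yi, bi, P) * pow(y, -zeta, P) % P
        H.program(encode(G, y, Xi, Yi, a1, a2), zi)
    return zetas, b


def demo():
    """Returns (honest witness verifies, simulated witness verifies under the programmed H,
    simulated witness verifies under an independent H)."""
    sks = [3, 58, 201]                                   # constructed participant keys
    pks = [pow(G1, x, P) for x in sks]
    shares = [41, 77, 390]                               # constructed shares u_i, nonzero mod q
    H = RandomOracle()
    X, Y, zetas, b = dleq_prove(shares, pks, H)
    honest_ok = dleq_verify(X, Y, zetas, b, pks, H)
    # Inconsistent pair: Y encrypts u_i + 1, so no honest prover could produce a witness.
    Y_bad = [pow(y, (u + 1) % Q, P) for y, u in zip(pks, shares)]
    H_sim = RandomOracle()
    zs, bs = dleq_simulate(X, Y_bad, pks, H_sim)
    sim_ok = dleq_verify(X, Y_bad, zs, bs, pks, H_sim)
    real_ok = dleq_verify(X, Y_bad, zs, bs, pks, RandomOracle())
    return honest_ok, sim_ok, real_ok
```

demo() returns (True, True, False): the honest witness verifies; the simulated witness for an inconsistent \((X_i, Y_i)\) pair verifies only under the oracle that was programmed for it and fails under an independent H. The RuntimeError in program() is the collision event (H already queried on that input) that would force the simulation to abort, which is why the proof needs the commitments to be freshly random.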

Proof 2

Suppose \(\mathcal {A}\) is an adversary that can obtain the secrets of our \((l,t,n)\)-PVMSS scheme from \(t-1\) shares of the participants. We construct a probabilistic polynomial-time adversary \(\mathcal {B}\) that breaks the CDH assumption, using \(\mathcal {A}\) as a subroutine, as follows:

  1. \(\mathcal {C}\) starts the game \(\mathcal {G}_2\) and chooses a multiplicative group \(G_q\) of prime order q, according to the security parameter \(\lambda \). Then, \(\mathcal {C}\) chooses a random generator \(g \in G_q\).

  2. \(\mathcal {C}\) chooses \(x, y \in _R {\mathbb {Z}}_q\).

  3. \(\mathcal {C}\) sends \((g, g^x, g^y)\) to \(\mathcal {B}\).

    • \(\mathcal {A}\) publishes \(P=\{p_1, \ldots , p_{n} \}\) as the set of participants and an integer \(t \le n\) as the threshold.

    • Using the Ini-phase of our non-interactive \((l,t,n)\)-PVMSS scheme, \(\mathcal {B}\) obtains \(SP=(\lambda , \alpha , P, t, l, G_q, g, g_1, H)\), where \(P=\{p_1, \ldots , p_{n} \}\) is the set of participants and \(g_1=g^{x}\) is taken from the CDH instance. Without loss of generality suppose \(t \ge l\). \(\mathcal {B}\) sends SP to \(\mathcal {A}\).

    • \(\mathcal {A}\) chooses \(B \subset P\) with \(|B| \le t-1\) and publishes B as the set of corrupted participants. Without loss of generality suppose \(B=\{p_1, \dots , p_{t-1} \}\).

    • \(\mathcal {B}\) assigns a private key \(x_i \in _R {\mathbb {Z}}_q \) to each \(p_i \in B\) and computes \(y_i=(g_1)^{x_i}\) as the public key of \(p_i\). \(\mathcal {B}\) sends \(\{ x_i, y_i \}_{i=1}^{t-1}\) to \(\mathcal {A}\).

    • \(\mathcal {B}\) chooses \(u_{t}, \dots , u_{2t-2} \in _{R} {\mathbb {Z}}_q\) and computes \(\{ X_{i+t-1}=g^{u_{i+t-1}} \}_{i=1}^{t-1}\) and \(\{Y_i=(y_{i})^{u_{i+t-1}} \}_{i=1}^{t-1}\). \(\mathcal {B}\) sets \(X_0=g^{y}\).

    • \(\mathcal {B}\) computes \(\lambda _{i,j}= \prod _{ \{ e \in (\{0\} \cup \{t, \dots , 2t-2\}) \setminus \{i \} \} } \frac{j-e}{i-e} \mod q\) for each \(i \in \{0\} \cup \{t, \dots , 2t-2\}\) and \(j \in \{1, \dots , t-1\} \cup \{2t-1, \dots , n+t-1 \}\).

    • \(\mathcal {B}\) computes \(X_j= \prod _{\{ i \in \{0\} \cup \{t,\dots ,2t-2\} \} } (X_{i})^{\alpha ^{-i} \lambda _{i,j}}\) for each \(j \in \{1, 2, \dots , t-1\} \cup \{2t-1, \dots , n+t-1\}\).

    • Now \(\mathcal {B}\) deviates from the protocol: for each \(i \in \{t, \dots , n\}\) it chooses \(w_i \in _R {\mathbb {Z}}_q\), sets \(y_i=g^{w_i}\) as the public key of \(p_i\), and computes \(Y_i=(X_{i+t-1})^{w_i}\) as the encrypted share of \(p_i\). Note that \(Y_i=g^{w_i u_{i+t-1}}=(y_i)^{u_{i+t-1}}\) for each \(i \in \{t, \dots , n\}\), as the verification requires, even though \(\mathcal {B}\) does not know \(u_{i+t-1}\).

    • \(\mathcal {B}\) chooses \(b_1, \ldots , b_{n}, \zeta _1, \ldots , \zeta _{n} \in _R {\mathbb {Z}}_q\) and, for each \(i \in \{1, \dots , n\}\), programs H by defining

      $$\begin{aligned} \zeta _i=H(g || y_i || X_{i+t-1} || Y_i || (X_{i+t-1})^{b_i} g^{-\zeta } || Y_i^{b_i} y_i^{-\zeta }), \end{aligned}$$

      where \(\zeta =\zeta _1 \oplus \cdots \oplus \zeta _{n}\).

    • \(\mathcal {B}\) saves the defined values in the H-Table. If \(\mathcal {A}\) asks \(\mathcal {B}\) for the hash of a value e and H(e) has not been defined yet, \(\mathcal {B}\) chooses a random value \(e' \in \{0, 1\}^{\lambda }\), defines \(H(e)=e'\), saves \(H(e)=e'\) in the H-Table and returns \(e'\) to \(\mathcal {A}\). If H(e) has already been defined, \(\mathcal {B}\) returns the value \(e'\) stored for it in the H-Table.

    • \(\mathcal {B}\) sends the public keys \(\{y_i \}_{i=t}^{n}\), the encrypted shares \(\{ Y_i \}_{i=1}^{n}\) and the witness \((\{b_i\}_{i=1}^{n}, \{ \zeta _i \}_{i=1}^{n}, \{X_i\}_{i=0}^{n+t-1})\) to \(\mathcal {A}\).

    • Finally, \(\mathcal {A}\) outputs \(\{E_0, E_1, \dots , E_{l-1} \}\) as the set of secrets.

  4. \(\mathcal {B}\) outputs \(E_0\).

Since \(X_0=g^y\), we have \(y=p(0) \mod q\), where p(.) is the polynomial of degree \(t-1\) satisfying \(u_i=p(i) \alpha ^i \mod q\) for each \(i \in \{0, 1, \dots , n+t-1\}\). Since \(g_1=g^x\), the recovered value is \(E_0 = g_1^{\,p(0)} = g^{xy}\). Hence, \(\mathcal {B}\) solves the CDH instance. \(\square \)
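Proof 2 never learns the polynomial: it fixes \(X_0 = g^y\), picks \(u_t, \dots , u_{2t-2}\), and fills in every other \(X_j\) by Lagrange interpolation in the exponent, using the coefficients \(\lambda _{i,j}\) and the \(\alpha ^{-i}\) untwist. The Python below is an added example, not the paper's code, that carries this out over the same toy group (p = 1019, q = 509, g = 4, constructed for the example). It assumes \(u_i = p(i)\alpha ^i\) as stated after the proof and re-twists by \(\alpha ^j\) after interpolating so that the result equals \(g^{u_j}\); the closing consistency check is a generic Feldman-style test on the published table and is not the paper's own verification equation.

```python
import secrets

# Toy prime-order group constructed for this example: p = 2q + 1, G = 4 has order q.
P, Q, G = 1019, 509, 4


def twisted_value(coeffs, alpha, i):
    """u_i = p(i) * alpha^i mod q, with p(x) = sum_k coeffs[k] x^k (degree t-1), as in Proof 2."""
    p_i = sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
    return p_i * pow(alpha, i, Q) % Q


def lagrange_coeff(nodes, i, j):
    """lambda_{i,j} = prod_{e in nodes, e != i} (j - e) / (i - e) mod q."""
    num = den = 1
    for e in nodes:
        if e != i:
            num = num * (j - e) % Q
            den = den * (i - e) % Q
    return num * pow(den, -1, Q) % Q


def interpolate_in_exponent(known, alpha, j):
    """Given X_i = g^{u_i} for the t nodes in `known`, return X_j = g^{u_j} for any j.
    X_i^{alpha^{-i}} = g^{p(i)} removes the twist, the Lagrange product gives g^{p(j)},
    and raising to alpha^j restores u_j = p(j) alpha^j. Nobody needs p itself."""
    nodes = list(known)
    acc = 1
    for i in nodes:
        exp = pow(alpha, -i, Q) * lagrange_coeff(nodes, i, j) % Q
        acc = acc * pow(known[i], exp, P) % P
    return pow(acc, pow(alpha, j, Q), P)


def simulate_public_values(g_y, n, t, alpha):
    """The embedding of Proof 2: X_0 = g^y (y unknown), X_t..X_{2t-2} = g^{u_i} for random u_i,
    and every other X_j, j in {1..t-1} U {2t-1..n+t-1}, interpolated in the exponent.
    Returns the full table X_0..X_{n+t-1} and the u_i the simulator actually knows."""
    known = {0: g_y}
    u_known = {}
    for i in range(t, 2 * t - 1):
        u_known[i] = secrets.randbelow(Q)
        known[i] = pow(G, u_known[i], P)
    X = dict(known)
    for j in list(range(1, t)) + list(range(2 * t - 1, n + t)):
        X[j] = interpolate_in_exponent(known, alpha, j)
    return X, u_known


def consistent_with_degree(X, alpha, t):
    """Feldman-style public check (generic, not the paper's own equation): every X_j must
    agree with the degree-(t-1) polynomial fixed by X_0..X_{t-1}. A simulated table passes;
    a table with one altered X_j does not."""
    base = {i: X[i] for i in range(t)}
    return all(interpolate_in_exponent(base, alpha, j) == X[j] for j in X)
```

Because \(g\) has order \(q\), all exponent arithmetic is done mod \(q\) while the group elements live mod \(p\); \(\alpha \) must be invertible mod \(q\) for the untwist, which is why the scheme parameters require \(\alpha \ne 0\).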


Cite this article

Mashahdi, S., Bagherpour, B. & Zaghian, A. A non-interactive (t,n)-publicly verifiable multi-secret sharing scheme. Des. Codes Cryptogr. 90, 1761–1782 (2022). https://doi.org/10.1007/s10623-022-01082-8
