Abstract
A non-interactive publicly verifiable multi-secret sharing (PVMSS) scheme is a secret sharing scheme in which the dealer shares multiple secrets among the participants and anyone can verify the validity of the shares using only public information. For the first time, we propose a new PVMSS scheme based on homogeneous linear recursions (HLR) and the discrete logarithm equality (DLEQ) protocol. Compared with previous PVMSS schemes, it has better performance and offers several methods for the recovery phase. Moreover, we prove its security with a formal method.
Communicated by C. Blundo.
Appendix A
Proof 1
Let \(\mathcal {A}\) be an adversary against the IND security of our PVMSS scheme. We are going to construct a probabilistic polynomial time distinguisher \(\mathcal {B}\) for the DDH assumption, which will use \(\mathcal {A}\) as a sub-routine as follows:
1. \(\mathcal {C}\) starts the game \(\mathcal {G}_1\) and chooses a multiplicative group \(G_q\) of prime order q, according to the security parameter \(\lambda \). Then, \(\mathcal {C}\) chooses a random generator \(g \in G_q\).
2. \(\mathcal {C}\) chooses \(x, y \in _R {\mathbb {Z}}_q\).
3. \(\mathcal {C}\) computes \(\Gamma _0 = g^{xy}\) and chooses \(\Gamma _1 \in _R G_q\).
4. \(\mathcal {C}\) chooses \(\upsilon \in _R \{0, 1\}\) and sends \((g, g^x, g^y, \Gamma _{\upsilon })\) to \(\mathcal {B}\).
   (a) \(\mathcal {A}\) starts the game \(\mathcal {G}_3\) and publishes \(P=\{p_1, \ldots , p_{n} \}\) as the set of participants and an integer \(t \le n\) as the threshold.
   (b) Using the Ini-phase of our non-interactive (l, t, n)-PVMSS scheme, \(\mathcal {B}\) obtains \(SP=(\lambda , \alpha , P, t, l, G_q, g, g_1, H)\), where \(P=\{p_1, \ldots , p_{n} \}\) is the set of participants and \(g_1=g^{x}\). Let \(l \ge t\). For each \(p_i \in P\), \(\mathcal {B}\) assigns a private key \(x_i \in _R {\mathbb {Z}}_q\) and computes \(y_i=(g_1)^{x_i}\) as the public key of \(p_i\). \(\mathcal {B}\) sends SP and \(\{y_i \}_{i=1}^{n}\) to \(\mathcal {A}\).
   (c) \(\mathcal {A}\) chooses \(B \subset P\) such that \(|B| \le t-1\). \(\mathcal {A}\) publishes B as the set of corrupted participants. Without loss of generality suppose \(B=\{p_1, \dots , p_{t-1} \}\).
   (d) \(\mathcal {B}\) sends the private keys \(\{x_i \}_{i=1}^{t-1}\) to \(\mathcal {A}\).
   (e) \(\mathcal {A}\) chooses \(k_0, \ldots , k_{l-1} \in _R {\mathbb {Z}}_q\) and gives the set of secrets \(\{k_0, \ldots , k_{l-1} \}\) to \(\mathcal {B}\). \(\mathcal {B}\) follows the procedure below:
       - Choose one participant \(p_j \in \{p_1, \dots , p_{t-1} \}\) and set \(X_{j+l-1}=g^y\). Without loss of generality suppose \(p_j=p_1\).
       - Compute \(X_i=g^{k_i}\) for each \(i \in \{0, 1, \dots , l-1\}\).
       - Compute \(\lambda _{i,j}= \prod _{\{ e \in \{1, \dots , l\}, e \ne i \} } \frac{j-e}{i-e} \mod q\) for each \( i \in \{1, \dots , l\}\) and \(j \in \{l+1, \dots , n+2l-t-1\} \).
       - Compute \(X_j= \prod _{i \in \{1, \dots , l \} } (X_{i})^{ \alpha ^{-i} \lambda _{i,j} }\) for each \(j \in \{l+1, \dots , n+l-1\} \).
       - Compute \(G_i= (g_1)^{k_i}\) for each \(i \in \{0, \dots , l-1\}\) and set \(G_{l}=\Gamma _{\upsilon }\).
       - Compute \(G_j= \prod _{ i \in \{1, \dots , l\} } (G_{i})^{\alpha ^{-i} \lambda _{i,j} }\) for each \(j \in \{l+1, \dots , n+2l-t-1\} \).
       - Compute \(Y_i=(G_{i+l-1})^{x_i}\) for each \(i \in \{1, \dots , n\}\).
       - Set \( \delta _i=G_{n+l+i-1}\) for each \(i \in \{1, \dots , l-t\}\).
       - Choose \(b_1, \ldots , b_{n}, \zeta _1, \ldots , \zeta _{n} \in _R {\mathbb {Z}}_q\) and, for each \(i \in \{1, \dots , n\}\), define
         $$\begin{aligned} \zeta _i=H(g || y_i || X_{i+l-1} || Y_i || (X_{i+l-1})^{b_i} g^{-\zeta } || Y_i^{b_i} y_i^{-\zeta }), \end{aligned}$$
         where \(\zeta =\zeta _1 \oplus \cdots \oplus \zeta _{n}\).
       - Save the defined values in the H-Table.
   (f) If \(\mathcal {A}\) requests from \(\mathcal {B}\) a hash query of a value e and H(e) has not been previously defined, then \(\mathcal {B}\) chooses a random value \(e' \in \{0, 1\}^{\lambda }\) and defines \(H(e)=e'\). \(\mathcal {B}\) then saves \(H(e)=e'\) in the H-Table and returns \(e'\) to \(\mathcal {A}\). If H(e) has previously been defined, then \(\mathcal {B}\) returns \(e'\), where \(H(e)=e'\) has beforehand been saved in the H-Table.
   (g) \(\mathcal {B}\) sends the following values to \(\mathcal {A}\):
       $$\begin{aligned} (\{ \zeta _i\}_{i=1}^{n},\{b_i\}_{i=1}^{n}, \{X_i\}_{i=0}^{n+l-1}), \{Y_i\}_{i=1}^{n}, (\delta _{1}, \ldots , \delta _{l-t}). \end{aligned}$$
       \(\mathcal {A}\) can repeat step (e) a polynomial number of times and ask \(\mathcal {B}\) for the witness and the encrypted shares of different sets of secrets.
   (h) \(\mathcal {A}\) chooses two different sets of secrets \(K_0 = \{k_{0,0}, \ldots , k_{0,l-1} \}\) and \(K_1=\{k_{1,0}, \ldots , k_{1,l-1} \}\) and sends them to \(\mathcal {B}\).
   (i) \(\mathcal {B}\) chooses \(\tau \in _R \{0, 1\}\). As in step (e), and based on the set of secrets \(K_{\tau }\), \(\mathcal {B}\) obtains a new witness \((\{ \zeta _i\}_{i=1}^{n}, \{b_i\}_{i=1}^{n}, \{X_i\}_{i=0}^{n+l-1})\), new encrypted shares \(\{Y_i\}_{i=1}^{n}\) and public values \(\delta _1, \dots , \delta _{l-t}\). Then, \(\mathcal {B}\) sends the witness, encrypted shares and public values to \(\mathcal {A}\).
   (j) \(\mathcal {A}\) can repeat step (e) a polynomial number of times and ask \(\mathcal {B}\) for the witness and the encrypted shares of different sets of secrets.
   (k) Finally, \(\mathcal {A}\) outputs a bit \(\tau '\).
5. \(\mathcal {B}\) outputs a bit \(\upsilon '\) as follows:
   - If \(\tau = \tau '\) then \(\mathcal {B}\) decides \(\Gamma _{\upsilon }= g^{xy}\) and outputs \(\upsilon '=0\).
   - Otherwise \(\mathcal {B}\) decides \(\Gamma _{\upsilon } \ne g^{x y}\) and outputs \(\upsilon '=1\).
It can easily be verified that if \(\Gamma _{\upsilon }= g^{xy}\), then \(y=u_l=p(l) \alpha ^{l} \mod q\) and \((Y_1)^{x_1^{-1}}=\Gamma _{\upsilon }\) is the correct share of the participant \(p_1\). So, \(\mathcal {A}\) has \(t-1\) correct shares and will guess \(K_{\tau }\) with probability \(\frac{1}{2} + \eta (\lambda )\), where \(\eta (\lambda )\) is a non-negligible function. If \(\Gamma _{\upsilon } \ne g^{xy}\), then \(u_l\) is a random value from \({\mathbb {Z}}_q\) and \(\mathcal {A}\) has \(t-1\) random values as the shares of the participants of B. So, \(\mathcal {A}\) can guess \(K_{\tau }\) with probability \(\frac{1}{2}\). Therefore,
Using the relation 6, we have
Hence, \(\mathcal {B}\) can break the DDH assumption and \( \textsf {Adv}^{\mathrm {DDH}}_{\mathcal {B}} (\lambda ) \le \textsf {Adv}^{\mathrm {IND}}_{\mathcal {A}} (\lambda )\). \(\square \)
Proof 2
Suppose \(\mathcal {A}\) is an adversary that can obtain the secrets of our (l, t, n)-PVMSS scheme using \(t-1\) shares of the participants. We are going to construct a probabilistic polynomial time adversary \(\mathcal {B}\) that can break the CDH assumption. \(\mathcal {B}\) will use \(\mathcal {A}\) as a sub-routine as follows:
1. \(\mathcal {C}\) starts the game \(\mathcal {G}_2\) and chooses a multiplicative group \(G_q\) of prime order q, according to the security parameter \(\lambda \). Then, \(\mathcal {C}\) chooses a random generator \(g \in G_q\).
2. \(\mathcal {C}\) chooses \(x, y \in _R {\mathbb {Z}}_q\).
3. \(\mathcal {C}\) sends \((g, g^x, g^y)\) to \(\mathcal {B}\).
   - \(\mathcal {A}\) publishes \(P=\{p_1, \ldots , p_{n} \}\) as the set of participants and an integer \(t \le n\) as the threshold.
   - Using the Ini-phase of our non-interactive (l, t, n)-PVMSS scheme, \(\mathcal {B}\) obtains \(SP=(\lambda , \alpha , P, t, l, G_q, g, g_1, H)\), where \(P=\{p_1, \ldots , p_{n} \}\) is the set of participants and \(g_1=g^{x}\). Without loss of generality suppose \(t \ge l\). \(\mathcal {B}\) sends SP to \(\mathcal {A}\).
   - \(\mathcal {A}\) chooses \(B \subset P\) such that \(|B| \le t-1\). \(\mathcal {A}\) publishes B as the set of corrupted participants. Without loss of generality suppose \(B=\{p_1, \dots , p_{t-1} \}\).
   - \(\mathcal {B}\) assigns a private key \(x_i \in {\mathbb {Z}}_q \) for each \(p_i \in B\) and computes \(y_i=(g_1)^{x_i}\) as the public key of \(p_i\). \(\mathcal {B}\) sends \(\{ x_i, y_i \}_{i=1}^{t-1}\) to \(\mathcal {A}\).
   - \(\mathcal {B}\) chooses \(u_{t}, \dots , u_{2t-2} \in _{R} {\mathbb {Z}}_q\) and computes \(\{ X_{i+t-1}=g^{u_{i+t-1}} \}_{i=1}^{t-1}\) and \(\{Y_i=(y_{i})^{u_{i+t-1}} \}_{i=1}^{t-1}\). \(\mathcal {B}\) sets \(X_0=g^{y}\).
   - \(\mathcal {B}\) computes \(\lambda _{i,j}= \prod _{ \{ e \in (\{0\} \cup \{t, \dots , 2t-2\}) \setminus \{i \} \} } \frac{j-e}{i-e} \mod q\) for each \(i \in \{0\} \cup \{t, \dots , 2t-2\}\) and \(j \in \{1, \dots , t-1\} \cup \{2t-1, \dots , n+t-1 \}\).
   - \(\mathcal {B}\) computes \(X_j= \prod _{\{ i \in \{0\} \cup \{t,\dots ,2t-2\} \} } (X_{i})^{\alpha ^{-i} \lambda _{i,j}}\) for each \(j \in \{1, 2, \dots , t-1\} \cup \{2t-1, \dots , n+t-1\}\).
   - Now, \(\mathcal {B}\) deviates from the protocol by computing \(y_i=g^{w_i}\) as the public key of the participant \(p_i\), where \(w_i \in _R {\mathbb {Z}}_q\) and \(i =t, \dots , n\). For each \(i \in \{t, \dots , n\}\), \(\mathcal {B}\) computes \(Y_i=(X_i)^{w_i}\) as the encrypted share of \(p_i\) (note that we have \(Y_i=(y_i)^{u_{i+t-1}}\) for each \(i \in \{t, \dots , n\}\), as required).
   - \(\mathcal {B}\) chooses \(b_1, \ldots , b_{n}, \zeta _1, \ldots , \zeta _{n} \in _R {\mathbb {Z}}_q\) and, for each \(i \in \{1, \dots , n\}\), defines
     $$\begin{aligned} \zeta _i=H(g || y_i || X_{i+t-1} || Y_i || (X_{i+t-1})^{b_i} g^{-\zeta } || Y_i^{b_i} y_i^{-\zeta }), \end{aligned}$$
     where \(\zeta =\zeta _1 \oplus \cdots \oplus \zeta _{n}\).
   - \(\mathcal {B}\) saves the defined values in the H-Table. If \(\mathcal {A}\) requests from \(\mathcal {B}\) a hash query of a value e and H(e) has not been previously defined, then \(\mathcal {B}\) chooses a random value \(e' \in \{0, 1\}^{\lambda }\) and defines \(H(e)=e'\). \(\mathcal {B}\) then saves \(H(e)=e'\) in the H-Table and returns \(e'\) to \(\mathcal {A}\). If H(e) has previously been defined, then \(\mathcal {B}\) returns \(e'\), where \(H(e)=e'\) has beforehand been saved in the H-Table.
   - \(\mathcal {B}\) sends the public keys \(\{y_i \}_{i=t}^{n}\), encrypted shares \(\{ Y_i \}_{i=1}^{n}\) and the witness \((\{b_i\}_{i=1}^{n}, \{ \zeta _i \}_{i=1}^{n}, \{X_i\}_{i=0}^{n+t-1})\) to \(\mathcal {A}\).
   - Finally, \(\mathcal {A}\) outputs \(\{E_0, E_1, \dots , E_{l-1} \}\) as the set of secrets.
4. \(\mathcal {B}\) outputs \(E_0\).
Since \(X_0=g^y\) we have \(y=p(0) \mod q\), where p(.) is a polynomial of degree \(t-1\) satisfying \(u_i=p(i) \alpha ^i \mod q\) for each \(i \in \{0, 1, \dots , n+t-1\}\). By \(g_1=g^x\), it can be said that \(E_0=g^{xy}\). Hence, \(\mathcal {B}\) can break the CDH assumption. \(\square \)
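As an added worked example (not the paper's own scheme or code), the following Python script demonstrates the two mechanisms that both simulators above rely on: the publicly checkable relation \(a_1 = X^{b} g^{-\zeta }\), \(a_2 = Y^{b} y^{-\zeta }\) that ties an encrypted share \(Y_i = y_i^{u_i}\) to its commitment \(X_i = g^{u_i}\) through a Fiat-Shamir DLEQ proof with the XOR-combined challenge \(\zeta = \zeta _1 \oplus \cdots \oplus \zeta _n\), and the derivation of further commitments \(X_j = \prod _i X_i^{\alpha ^{-i} \lambda _{i,j}}\) from published ones. The prover side (picking \(w_i\) and answering \(b_i = w_i + \zeta u_i^{-1}\), so that the proven relation is \(\log _{X_i} g = \log _{Y_i} y_i\)) is reconstructed from the verification relation in the proofs and is an assumption of this example, as are the toy group (p = 2039, q = 1019, g = 4), \(\alpha = 7\), SHA-256 as H, and every key and share value, all constructed here and far too small for real use.

```python
import hashlib
import secrets

# Constructed toy parameters (insecure, for illustration only): p = 2q + 1 is a safe prime,
# so the squares mod p form the subgroup G_q of prime order q used in the proofs.
Q = 1019
P = 2 * Q + 1          # 2039
G = 4                  # 2^2 is a square mod p, hence a generator of the order-q subgroup
ALPHA = 7              # public twist constant alpha of the HLR (assumed value)


def rand_zq():
    """Uniform nonzero element of Z_q (written x in_R Z_q in the proofs)."""
    return 1 + secrets.randbelow(Q - 1)


def h_zeta(g, y, x_pub, y_enc, a1, a2):
    """H(g || y_i || X_i || Y_i || a1 || a2) as a 256-bit integer (SHA-256 stands in for H)."""
    data = "|".join(str(v) for v in (g, y, x_pub, y_enc, a1, a2)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen(g1):
    """Participant key pair as in the Ini-phase: private x_i, public y_i = g1^{x_i}."""
    x = rand_zq()
    return x, pow(g1, x, P)


def distribute(g1, pub_keys, shares):
    """Dealer side. For each share u_i publish X_i = g^{u_i}, Y_i = y_i^{u_i} and a DLEQ proof
    that log_{X_i} g = log_{Y_i} y_i. The prover steps are this example's reconstruction."""
    n = len(shares)
    X = [pow(G, u, P) for u in shares]
    Y = [pow(y, u, P) for y, u in zip(pub_keys, shares)]
    w = [rand_zq() for _ in range(n)]                 # per-share commitment randomness
    a1 = [pow(X[i], w[i], P) for i in range(n)]
    a2 = [pow(Y[i], w[i], P) for i in range(n)]
    zetas = [h_zeta(G, pub_keys[i], X[i], Y[i], a1[i], a2[i]) for i in range(n)]
    zeta = 0
    for z in zetas:
        zeta ^= z                                     # common challenge zeta = xor of all zeta_i
    b = [(w[i] + zeta * pow(shares[i], -1, Q)) % Q for i in range(n)]
    return X, Y, zetas, b


def verify(pub_keys, X, Y, zetas, b):
    """Public check: recompute a1 = X^b g^{-zeta}, a2 = Y^b y^{-zeta} and re-hash each share."""
    zeta = 0
    for z in zetas:
        zeta ^= z
    neg = (-zeta) % Q                                 # exponents live in Z_q (order of G)
    for i in range(len(X)):
        a1 = pow(X[i], b[i], P) * pow(G, neg, P) % P
        a2 = pow(Y[i], b[i], P) * pow(pub_keys[i], neg, P) % P
        if h_zeta(G, pub_keys[i], X[i], Y[i], a1, a2) != zetas[i]:
            return False
    return True


def decrypt_share(x_priv, y_enc):
    """Participant recovers Y_i^{x_i^{-1}} = g1^{u_i}, the share element named in Proof 1."""
    return pow(y_enc, pow(x_priv, -1, Q), P)


def poly_eval(coeffs, i):
    """p(i) mod q for the polynomial given by its coefficients (constant term first)."""
    return sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q


def twisted_share(coeffs, i):
    """u_i = p(i) alpha^i mod q, the HLR relation stated at the end of Proof 2."""
    return poly_eval(coeffs, i) * pow(ALPHA, i, Q) % Q


def lagrange_coeff(index_set, i, j):
    """lambda_{i,j} = prod_{e in S, e != i} (j - e)/(i - e) mod q, as in the appendix."""
    num, den = 1, 1
    for e in index_set:
        if e != i:
            num = num * (j - e) % Q
            den = den * (i - e) % Q
    return num * pow(den, -1, Q) % Q


def derive_commitment(Xs, j):
    """X_j = prod_i X_i^{alpha^{-i} lambda_{i,j}} over published commitments Xs = {i: X_i}.
    The alpha^{-i} factor strips the twist, so with u_i = p(i) alpha^i the product is g^{p(j)}."""
    index_set = sorted(Xs)
    alpha_inv = pow(ALPHA, -1, Q)
    result = 1
    for i in index_set:
        exp = pow(alpha_inv, i, Q) * lagrange_coeff(index_set, i, j) % Q
        result = result * pow(Xs[i], exp, P) % P
    return result


if __name__ == "__main__":
    g1 = pow(G, rand_zq(), P)                         # g_1 = g^x
    keys = [keygen(g1) for _ in range(3)]
    pubs = [y for _, y in keys]
    shares = [rand_zq() for _ in range(3)]
    X, Y, zetas, b = distribute(g1, pubs, shares)
    print("public verification:", verify(pubs, X, Y, zetas, b))
```

Two points worth noting. The verifier never learns any \(u_i\): it only re-derives the two commitments from the published response and checks them against the hash, which is exactly what lets a non-participant audit the dealer. And because exponents are reduced modulo the group order q while the hash output is 256 bits wide, the XOR-combined challenge is applied as \(\zeta \bmod q\) in the exponent; the test below also confirms that the product in derive_commitment evaluates to \(g^{p(j)}\) (for j = 0, the \(X_0 = g^{p(0)}\) of Proof 2) when the inputs follow \(u_i = p(i)\alpha ^i\).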
Cite this article
Mashhadi, S., Bagherpour, B. & Zaghian, A. A non-interactive (t, n)-publicly verifiable multi-secret sharing scheme. Des. Codes Cryptogr. 90, 1761–1782 (2022). https://doi.org/10.1007/s10623-022-01082-8
Keywords
- Multi secret sharing
- Verifiable secret sharing
- Publicly verifiable secret sharing
- Publicly verifiable multi-secret sharing
- Homogeneous linear recursions