Timed-release computational secret sharing and threshold encryption

Abstract

In modern cryptography, a secret sharing scheme is an important cryptographic primitive. In particular, Krawczyk proposed a computational secret sharing (CSS) scheme, which is a practical, simple secret sharing scheme. In this paper, we focus on a CSS scheme with timed-release functionality, which we call a timed-release computational secret sharing (TR-CSS) scheme. In TR-CSS, participants more than or equal to a threshold number can reconstruct a secret by using their shares only when the time specified by a dealer has come. Our main purpose is to realize a TR-CSS scheme in a generic and efficient way in terms of the share size. Specifically, we first introduce a model and formalization of security of TR-CSS. In addition, we propose two kinds of constructions of TR-CSS: the first one is a simple and generic construction starting from an identity-based key encapsulation mechanism (IB-KEM); the second one, which is a more efficient construction than the first one, is built using a specific IB-KEM as the underlying IB-KEM. As a result, we can regard TR-CSS as a natural extension of Krawczyk’s CSS in terms of both a model and constructions, and we finally succeed to add timed-release functionality to Krawczyk’s CSS with small overhead, which is almost optimal. Moreover, our proposal of TR-CSS is important for constructing threshold encryption and multiple encryption with timed-release functionality in a generic and efficient way. Dodis and Katz showed (i) a simple and generic construction of threshold encryption from multiple encryption; and (ii) a simple, elegant and generic construction of multiple encryption. By using TR-CSS, we can effectively apply the Dodis–Katz paradigm even in the context of timed-release security.

Appendices

Appendix 1: Definitions

We give several formal definitions.

1.1 Bilinear groups

A (symmetric) bilinear group generator \({\mathcal {G}}\) is an algorithm that takes a security parameter \(\kappa \) as input and outputs a bilinear group \((p, {\mathbb {G}}, {\mathbb {G}}_T, g, e)\), where p is a prime, \({\mathbb {G}}\) and \({\mathbb {G}}_T\) are multiplicative cyclic groups of order p, g is a (random) generator of \({\mathbb {G}}\), and e is an efficiently computable and non-degenerate bilinear map \(e: {\mathbb {G}}\times {\mathbb {G}}\rightarrow {\mathbb {G}}_T\) with the following bilinear property: For any \(u, u',v, v' \in {\mathbb {G}}\), \(e(uu',v)=e(u,v)e(u',v)\) and \(e(u,vv')=e(u,v)e(u,v')\), and for any \(u,v\in {\mathbb {G}}\) and any \(a\in {\mathbb {Z}}_p\), \(e(u^a,v)=e(u,v^a)=e(u,v)^a\).

1.2 Decisional bilinear Diffie–Hellman (DBDH) assumption

Let \({\mathcal {A}}\) be a PPT adversary and we consider \({\mathcal {A}}\)’s advantage against the DBDH problem as follows.

Definition 13

For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), the DBDH assumption relative to a generator \({\mathcal {G}}\) holds if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {DBDH}}_{{\mathcal {G}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

1.3 Multiple encryption

In ME, a plaintext is encrypted by using independent secret keys or distinct PKE schemes based on different computational assumptions. An ME scheme provides better security than a PKE scheme, since even if underlying assumptions of some component PKE schemes are broken or some of secret keys are leaked, the confidentiality can still be maintained by the remaining PKE schemes (for details, see [23, 35, 49]).

We adopt the model of ME shown by Dodis and Katz [23]. An ME scheme \({\varPi }_{\textsc {me}}\) consists of five-tuple algorithms (M.Gen, M.Enc, Split, M.Dec, M.Combine) defined as follows, where \({\mathcal {M}}_{\textsc {me}}\) is a set of plaintexts determined by a security parameter \(\kappa \).

• \((EK,{{\varvec{D}}}{{\varvec{K}}})\leftarrow \textsf {M.Gen}(1^{\kappa })\): A probabilistic algorithm for key generation. It takes a security parameter \(\kappa \) as input, and outputs a public key EK and secret keys \({{\varvec{D}}}{{\varvec{K}}}:=(DK_1,\ldots ,DK_n)\).

• \(C\leftarrow \textsf {M.Enc}_L(EK,M)\): A probabilistic algorithm for encryption. It takes a public key EK, a label L, and a plaintext \(M\in {\mathcal {M}}_{\textsc {me}}\) as input, and then outputs a ciphertext C.

• \({\varvec{C}}\leftarrow \textsf {Split}_L(EK,C)\): A deterministic algorithm for splitting a ciphertext. It takes a public key EK, a label L, and a ciphertext C as input, and outputs n ciphertext shares \({\varvec{C}}:=(C_1,\ldots ,C_n)\).

• \(M_i\) or \(\bot \leftarrow \textsf {M.Dec}(DK_{i},C_i)\): A deterministic algorithm for decryption. It takes a secret key \(DK_i\) and a ciphertext share \(C_i\) as inputs, and outputs a decryption share \(M_i\) or \(\bot \).

• M or \(\bot \leftarrow \textsf {M.Combine}({\varvec{M}})\): A deterministic algorithm for combining decryption shares. It takes all decryption shares \({\varvec{M}}:=(M_1,\ldots ,M_n)\) as input, and outputs the plaintext \(M\in {\mathcal {M}}_{\textsc {me}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {me}}\).

In the above model, we assume that \({\varPi }_{\textsc {me}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all labels L, all \((EK,{{\varvec{D}}}{{\varvec{K}}})\leftarrow \textsf {M.Gen}(1^{\kappa })\) and all \(M\in {\mathcal {M}}_{\textsc {me}}\), it holds that

$$\begin{aligned}&M\leftarrow \textsf {M.Combine}(\varvec{DEC}(\textsf {Split}_L(EK,\textsf {M.Enc}_L(EK,M)))), \end{aligned}$$

where \(\varvec{DEC}({\varvec{C}}):=(\textsf {M.Dec}(DK_{1},C_1),\ldots ,\textsf {M.Dec}(DK_{n},C_n))\) for \((C_1,\ldots ,C_n)\leftarrow \textsf {Split}_L(EK,\) \(\textsf {M.Enc}_L(EK,M))\).

Table 1 Oracles in the IND-X game

We describe notions of indistinguishability against the following four attacks defined by Dodis and Katz [23]: multiple chosen plaintext attack (IND-MCPA), weak multiple chosen ciphertext attack (IND-wMCCA), multiple chosen ciphertext attack (IND-MCCA), and strong multiple chosen ciphertext attack (IND-sMCCA). Let \({\mathcal {A}}\) be a PPT adversary, and let X \(\in \){MCPA,wMCCA,MCCA,sMCCA}. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-X security is defined by

Here, we require \(|M_{0}^*|=|M_{1}^*|\), and st is state information. \(\textit{Corrupt}(\cdot )\) is a corrupt oracle which takes an ID i as input, and then \({\mathcal {W}}\leftarrow {\mathcal {W}}\cup \{P_i\}\) and returns \(DK_i\). \({\mathcal {A}}\) can query to \(\textit{Corrupt}(\cdot )\) until \(|{\mathcal {W}}|=d\). In addition, \({\mathcal {O}}\) is an oracle corresponding to attacks (see Table 1). \({\mathcal {A}}\) is allowed to access the above oracle at most \(q_{c}\) times at any time, however it cannot submit the target ciphertext \(C^*\) to \({\mathcal {O}}\). In addition to this, we need to add two restrictions in the IND-sMCCA game. First, \({\mathcal {A}}\) cannot submit \((i, C_i^*)\), where \(C^*_i\in \varvec{C^*}\) and \(({\varvec{C}}^*,aux)\leftarrow \textsf {Split}_{L^*}(EK,C^*)\). Second, we need the weakly collision-resistant property, which means that any PPT adversary \({\mathcal {A}}\) cannot find \(C'\) such that \(\textsf {Split}_{L}^{(i)}(EK,C)=\textsf {Split}_{L}^{(i)}(EK,C')\) and \(C'\ne C\), where \(\textsf {Split}_{L}^{(i)}(EK,C)\) denotes the i-th output of \(\textsf {Split}_L(EK,C)\) (see [23] for the formal definition).

Definition 14

(Security of ME [23]) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), an ME scheme \({\varPi }_{\textsc {me}}\) is said to be \((d, q_{c}, \epsilon )\)-IND-X secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-X}}_{{\varPi }_{\textsc {me}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where d is the maximum number of secret keys that \({\mathcal {A}}\) can obtain and \(q_{c}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle \({\mathcal {O}}\) in the IND-X game.

1.4 Public key encryption

We consider public key encryption (PKE) with labels as in [42]. Let \({\mathcal {M}}_{\textsc {pke}}\) be a set of plaintexts determined by a security parameter \(\kappa \). A PKE scheme \({\varPi }_{\textsc {pke}}\) consists of three-tuple algorithms (Gen, Enc, Dec) defined as follows.

• \((pk,sk)\leftarrow \textsf {Gen}(1^{\kappa })\): A probabilistic algorithm for key generation. It takes a security parameter \(\kappa \) as input and outputs a pair of a public key and a secret key (pk, sk).

• \(c\leftarrow \textsf {Enc}_L(pk,m)\): An algorithm for encryption. It takes the public key pk, a label L, and a plaintext \(m\in {\mathcal {M}}_{\textsc {pke}}\) as input, and outputs a ciphertext c.

• m or \(\bot \leftarrow \textsf {Dec}_L(sk,c)\): A deterministic algorithm for decryption. It takes the secret key sk, a label L, and a ciphertext C, and outputs a plaintext \(m\in {\mathcal {M}}_{\textsc {pke}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {pke}}\).

We assume that \({\varPi }_{\textsc {pke}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all labels L, all \((pk,sk)\leftarrow \textsf {Gen}(1^\kappa )\), and all \(m\in {\mathcal {M}}_{\textsc {pke}}\), it holds that \(m\leftarrow \textsf {Dec}_L(sk,\textsf {Enc}_L(pk,m))\).

We describe the notion of indistinguishability against chosen plaintext attack (IND-CPA). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CPA security is defined by

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information.

Definition 15

(IND-CPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a PKE scheme \({\varPi }_{\textsc {pke}}\) is said to be \(\epsilon \)-IND-CPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\mathsf {IND\textsf {-}CPA}}_{{\varPi }_{\textsc {pke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

Moreover, by taking a decryption oracle into account we can also consider the notion of indistinguishability against chosen ciphertext attack (IND-CCA). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CCA security is defined by

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information. In addition, \(\textit{Dec}(\cdot ,\cdot )\) is a decryption oracle which takes a pair of a ciphertext and a label c as input, and then returns \(\textsf {Dec}_{L}(sk,c)\). \({\mathcal {A}}\) is allowed to issue arbitrary queries to the above oracle in the chal stage, however, \({\mathcal {A}}\) cannot submit \(c^*\) to the oracle in the guess stage.

Definition 16

(IND-CCA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a PKE scheme \({\varPi }_{\textsc {pke}}\) is said to be \((q_{c}, \epsilon )\)-IND-CCA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\mathsf {IND\textsf {-}CCA}}_{{\varPi }_{\textsc {pke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where \(q_{c}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle in the IND-CCA game.

1.5 One-time signature

Let \({\mathcal {M}}_{\textsc {ots}}\) be a set of messages determined by a security parameter \(\kappa \). A DS scheme \({\varPi }_{\textsc {ots}}\) consists of three-tuple algorithms (KG, Sign, Vrfy) defined as follows.

• \((vk,sigk)\leftarrow \textsf {KG}(1^{\kappa })\): It takes a security parameter \(\kappa \) and outputs a pair of a verification key and a signing key (vk, sigk).

• \(\sigma \leftarrow \textsf {Sign}(sigk,m)\): It takes the signing key sigk and a message \(m\in {\mathcal {M}}_{\textsc {ots}}\) and outputs a signature \(\sigma \).

• 1 or \(0\leftarrow \textsf {Vrfy}(vk,m,\sigma )\): It takes the verification key vk and a pair of a message and a signature \((m,\sigma )\), and then outputs 1 if it accepts them, otherwise it outputs 0.

We assume that \({\varPi }_{\textsc {ds}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all \((vk,sigk)\leftarrow \textsf {KG}(1^\kappa )\), and all \(m\in {\mathcal {M}}_{\textsc {ds}}\), it holds that \(1\leftarrow \textsf {Vrfy}(vk,m,\textsf {Sign}(sigk,m))\).

We describe the notion of strong unforgeability against a one-time attack (sUF-OT). Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the UF-CMA security is defined by

$$\begin{aligned} Adv^{\textsf {UF-CMA}}_{{\varPi }_{\textsc {ds}},{\mathcal {A}}}(\kappa ):= \Pr \left[ \begin{array}{l|l} \textsf {Vrfy}(vk,m^*,\sigma ^*)\rightarrow 1 &{} \ (vk,sigk)\leftarrow \textsf {KG}(1^\kappa ), \\ \wedge \ m^*\notin \{m_i\}_{i=1}^{q} &{} (m^*,\sigma ^*)\leftarrow {\mathcal {A}}^{\textit{Sign}(\cdot )}(vk) \end{array} \right] , \end{aligned}$$

where \(\textit{Sign}\) is a signing oracle which takes a message \(m\in {\mathcal {M}}_{\textsc {ots}}\) as input and returns \(\textsf {Sign}(sigk,m)\). \({\mathcal {A}}\) is allowed to access Sign only once. Formally, the OTS scheme is defined as follows.

Definition 17

(sUF-OT) If a DS scheme \({\varPi }_{\textsc {ds}}\) is \((1, \epsilon )\)-sUF-CMA secure, then it is also \(\epsilon \)-sUF-OT secure.

Appendix 2: Generic construction of (k, n)-TR-CSS from TR-PKE

We show a generic construction of a (k, n)-CSS scheme from a TR-PKE scheme. Before that, we describe a formal definition of TR-PKE. \({\mathcal {T}}\) is a set of time and \({\mathcal {M}}_{\textsc {tre}}\) is a set of plaintexts determined by a security parameter \(\kappa \). A TR-PKE scheme \({\varPi }_{\textsc {tpke}}\) consists of five-tuple algorithms (TR.Init, TRKeyGen, TR.Release, TR.Enc, TR.Dec) defined as follows:

• \((params,tsk)\leftarrow \textsf {TR.Init}(1^{\kappa })\): A probabilistic algorithm for setup. It takes a security parameter \(\kappa \) as input and outputs a public parameter params and time-server’s master secret key tsk.

• \((upk,usk)\leftarrow \textsf {TR.KeyGen}(params)\): An algorithm for key generation. It takes the public parameter params as input and outputs a pair of public key upk and a secret key usk.

• \(s_{t}\leftarrow \textsf {TR.Release}(tsk,t)\): An algorithm for time-signal generation. It takes the master secret key tsk and time \(t\in {\mathcal {T}}\) as input and outputs a time-signal \(s_{t}\) at time t.

• \(ct_{t}\leftarrow \textsf {TR.Enc}(params,upk,m,t)\): A probabilistic algorithm for encryption. It takes the public parameter params, a public key upk, time t, and a plaintext \(m\in {\mathcal {M}}_{\textsc {tre}}\) as input and then outputs a ciphertext \(ct_{t}\).

• m or \(\bot \leftarrow \textsf {TR.Dec}(params, usk, s_{t},ct_{t}, t)\): A deterministic algorithm for decryption. It takes the public parameter params, a secret key usk, a time-signal \(s_t\) at the specified time t, a ciphertext \(ct_{t}\), and the specified time t as input, and then outputs a plaintext \(m\in {\mathcal {M}}_{\textsc {tre}}\) or \(\bot \notin {\mathcal {M}}_{\textsc {tre}}\).

In the above model, we assume that \({\varPi }_{\textsc {tpke}}\) meets the following correctness property: For all \(\kappa \in {\mathbb {N}}\), all \((params,tsk)\leftarrow \textsf {TR.Init}(1^{\kappa })\), all \((upk,usk)\leftarrow \textsf {TR.KeyGen}(params)\), all \(t\in {\mathcal {T}}\), and all \(m\in {\mathcal {M}}_{\textsc {tre}}\), it holds that \(m\leftarrow \textsf {TR.Dec}(params, usk, \textsf {TR.Release}(tsk,t),\textsf {TR.Enc}(params,\) upk, m, t), t).

We describe two security notions: Indistinguishability against chosen plaintext attack (IND-CPA) and indistinguishability against chosen time and plaintext attack (IND-CTPA). The former is a security notion against a curious time-server.¹⁰ In fact, formalization of this notion is almost the same as the IND-CPA security of PKE. In the latter, we consider malicious receivers attempting to obtain information on the plaintext before its specified time. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CPA security is defined by

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information.

Definition 18

(IND-CPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a TR-PKE scheme \({\varPi }_{\textsf {tre}}\) is said to be \(\epsilon \)-IND-CPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-CPA}}_{{\varPi }_{\textsf {tre}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\).

Next, we define the IND-CTPA security. Let \({\mathcal {A}}\) be a PPT adversary, and \({\mathcal {A}}\)’s advantage against the IND-CTPA security is defined by

Here, we require \(|m_{0}^*|=|m_{1}^*|\), and st is state information. In addition, \({\mathcal {R}}(\cdot )\) is a time-signal generation oracle which takes time t as input, and then returns \(\textsf {TR.Release}(tsk,t)\). \({\mathcal {A}}\) is allowed to issue arbitrary queries to the above oracle in the chal stage, however, \({\mathcal {A}}\) cannot submit \(t^*\) to the oracle after deciding \(t^*\).

Definition 19

(IND-CTPA) For \({}^{\exists }\kappa _0 \in {\mathbb {N}}\) and \({}^{\forall }\kappa \ge \kappa _0\), a TR-PKE scheme \({\varPi }_{\textsc {tpke}}\) is said to be \((q_{ts}, \epsilon )\)-IND-CTPA secure if there exists a negligible \(\epsilon \) in \(\kappa \) such that \(Adv^{\textsf {IND-CTPA}}_{{\varPi }_{\textsc {tpke}},{\mathcal {A}}}(\kappa )<\epsilon \) holds for any PPT adversary \({\mathcal {A}}\), where \(q_{ts}\) is the number of queries that \({\mathcal {A}}\) can issue to the oracle in the IND-CTPA game.

We construct a (k, n)-TR-CSS scheme by using a TR-PKE scheme as follows. Let \({\varPi }_{\textsc {ss}}\)=(SS.Share, SS.Recon) be a (k, n)-SS scheme, \({\varPi }_{\textsc {ida}}\)=(IDA.Share, IDA.Recon) be a (k, n)-IDA, \({\varPi }_{\textsc {tpke}}\)=(TR.Init, TRKeyGen, TR.Release, TR.Enc, TR.Dec) be a TR-PKE scheme, and let \({\varPi }_{\textsc {dem}}\)=(E, D) be a DEM. Suppose that \({\mathcal {T}}\subset \hat{{\mathcal {T}}}\). Then, a (k, n)-TR-CSS scheme \({\varPi }_{\textsc {tcss}}\)=(Setup, Ext, Share, Recon) is constructed as follows.

• \((mpk,msk)\leftarrow \textsf {Setup}(1^{\kappa })\): Output \((mpk, msk ) := (params, tsk) \leftarrow \textsf {TR.Init} ( 1^{\kappa } ) \).

• \(ts^{(t)}\leftarrow \textsf {Ext}(msk, t)\): Output \(ts^{(t)}\leftarrow \textsf {TR.Release}(tsk,t)\).

• \((u_1^{(t)},\ldots ,u_n^{(t)})\leftarrow \textsf {Share}({\varGamma },mpk,s,t)\): Choose \(K\overset{\$}{\leftarrow }{\mathcal {K}}\) and \(C\leftarrow \textsf {E}(K,s)\). Compute \((upk,usk)\leftarrow \textsf {TRKeyGen}(params)\) and \(ct_t\leftarrow \textsf {TR.Enc}(params,upk,K,t)\). Generate \(({\tilde{u}}_{1},\) \(\ldots ,{\tilde{u}}_{n})\leftarrow \textsf {IDA.Share}(1^{\kappa },{\varGamma },C)\), \(({\hat{u}}_{1},\ldots ,{\hat{u}}_{n})\leftarrow \textsf {SS.Share}(1^{\kappa },{\varGamma },ct_t)\), and \((\acute{u}_{1},\ldots ,\acute{u}_{n})\leftarrow \textsf {SS.Share}(1^{\kappa },{\varGamma },usk)\). Output \(u_i^{(t)}:=({\tilde{u}}_{i},{\hat{u}}_{i},\acute{u}_i) \ (1 \le i \le n)\).

• \(s\leftarrow \textsf {Recon}({\hat{u}}_{{\mathcal {Q}}},ts^{(t)})\): Compute \(ct_t\leftarrow \textsf {SS.Recon}(1^{\kappa },{\hat{u}}_{{\mathcal {Q}}})\), \(usk\leftarrow \textsf {SS.Recon}(1^{\kappa },\acute{u}_{{\mathcal {Q}}})\), and \(C\leftarrow \textsf {IDA.Recon}(1^{\kappa },{\tilde{u}}_{{\mathcal {Q}}})\). Then compute \(K\leftarrow \textsf {TR.Dec}(params,usk,ts^{(t)},ct_t,t)\). Output \(s\leftarrow \textsf {D}(K,C)\).

The resulting (k, n)-TR-CSS scheme in the above construction is secure, if a given (k, n)-SS scheme is a (k, n)-PSS scheme, a given TR-PKE scheme meets IND-CTPA, and a given DEM meets FTG-CPA, as follows.

Proposition 6

If \({\varPi }_{\textsc {dem}}\) is \(\epsilon _1\)-FTG-CPA secure, \({\varPi }_{\textsc {ss}}\) is (k, n)-PSS, and \({\varPi }_{\textsc {tpke}}\) is \((q_{ts},\epsilon _2)\)-IND-CTPA secure, then the resulting (k, n)-TR-CSS scheme \({\varPi }_{\textsc {tcss}}\) in the above construction is a \((q_t,\delta _1,\delta _2)\)-(k, n)-TR-CSS scheme, where \(q_t=q_{ts}\), \(\delta _1\le \epsilon _1\) and \(\delta _2\le \epsilon _1+2\epsilon _2\).

We omit the proof of Proposition 6 since we can prove it in a similar way to the proof of Theorem 1.