Abstract

Verifiable secret sharing is a special kind of secret sharing. In this paper, A secure and efficient threshold secret sharing scheme is proposed by using the plane parametric curve on the basis of the principle of secret sharing. And the performance of this threshold scheme is analyzed. The results reveal that the threshold scheme has its own advantage of one-parameter representation for a master key, and it is a perfect ideal secret sharing scheme. It can easily detect cheaters by single operation in the participants so that the probability of valid cheating is less than 1/p (where p is a large prime).

Keywords

Plane Parameter Curve, Threshold Scheme, Verifiable Secret Sharing, Cheater, Information Rate, Participating Members

Share and Cite:

1. Introduction

In the field of information security, as an important means of key management, the basic principle of secret sharing is to split the master key into many subkeys, and then distribute these subkeys to all members of the set $P=\left\{P_1,P_2,\cdots ,P_n\right\}$ composed of a limited number of participants. After some members of the authorization set show their subkeys, they can reconstruct the original master key through a series of calculations. But other members of the unauthorized set cannot recover the master key. Therefore, in essence, secret sharing is an operation process for the distribution, preservation and recovery of secret keys. Using the secure sharing scheme in the secret system can not only reduce the burden of the key holder due to the loss and damage of the system key, but also reduce the success rate of the adversary’s malicious attack on the key.

The earliest secret sharing is $\left(r,n\right)$ -threshold secret sharing, which was proposed by Shamir [1] and Blakley [2] respectively in 1979. Their $\left(r,n\right)$ -threshold secret sharing schemes are based on the $\left(r,n\right)$ -threshold access structure on the authorization set composed of at least r members. The difference is the $\left(r,n\right)$ -threshold scheme of Shamir is realized by constructing a polynomial function over a finite field, and distributing each numerical point coordinate on the function curve as a subkey to the members of each authorization set, and taking the constant term of the polynomial as the master key; The $\left(r,n\right)$ -threshold scheme of Blakley is realized by constructing n common hyperplanes in multidimensional space, the coordinates of each hyperplane are regarded as a subkey and distributed to the members of each authorization set, and the coordinates of the common intersection of these hyperplanes are regarded as the master key. The results show that the Shamir scheme with the algebraic method is a complete and ideal scheme, while the Blakley scheme with geometric method is a complete and nonideal scheme. Therefore, the information rate of the Blakley scheme is lower than that of the Shamir scheme, but it has the advantage that any subkey vector that can determine the master key point is linearly independent of each other, so it is difficult to guess. In addition to the number method proposed by Shamir and the shape method proposed by Blakley, the methods of constructing $\left(r,n\right)$ -threshold secret sharing scheme are followed by the method of Asmuth-Bloom [3] based on Chinese remainder theorem, the method of Karnin-Green-Hellman [4] based on matrix multiplication, and the design ideas of the above-mentioned threshold schemes are improved according to different application requirements, and a variety of variants of threshold schemes are proposed [5] [6] [7] [8].

The efficiency of a secret sharing scheme depends on its information rate. It is often said that the information rate of the secret sharing scheme is the ratio of the information amount of the master key to the information amount of the subkeys owned by the participating members. When the amount of information of the master key is a fixed value, from the standpoint of the dealer in charge of the master key, the less the amount of information given to the participating members, the better the security of the secret sharing scheme can be maintained. From the perspective of participants, it is easier to keep the subkey with less information than that with more information. Therefore, a good secret sharing scheme can reduce the amount of subkey information as much as possible. It can be seen that a high information rate is the pursuit of cryptographers. The higher the information rate of the secret sharing scheme, the smaller the degree of data diffusion is. Therefore, people hope to build a secret sharing scheme with the highest information rate. When the information rate reaches the value 1, the corresponding secret sharing scheme will become an ideal secret sharing scheme.

As a technical means, the secret sharing scheme based on a certain mathematical thinking method mentioned above can only solve the most basic problems in key management, but in the actual application environment, it cannot judge whether there is cheating behavior, and it is difficult to prevent some members of the secret sharing scheme from cheating by using a fake subkey to participate in the construction of the master key. Whether it is the cheating of a single member or the collusion of multiple members, it will cause other honest members to get the wrong master key, which will bring great threat and damage to the secret sharing scheme. Therefore, in order to solve the problem of cheating, people need to study how to set up the anti-cheating function of the secret sharing scheme.

As early as 1981, McEliece and Sarwate [9] designed a threshold secret sharing scheme to prevent cheating by using error-correcting code theory. This scheme enables $r+2e$ members with at most e cheaters to correctly construct the master key. If some parameter conditions are given, then the cheating prevention secret sharing scheme can detect the cheating behavior with high probability [10] [11] [12] [13]. If the cheater has supercomputing power, but the probability of success is not more than a small fixed percentage, so we can say that the secret sharing scheme is unconditionally secure in preventing deception [14]. At present, for the existing secret sharing schemes which can detect deception, when a member reconstructs and recovers the master key, it is generally necessary to use some mathematical verification formula to test the subkeys provided by all members one by one. In this way, we can find out which members are cheaters, but when all members are honest, the cost of the verification process is not reduced, which leads to unnecessary waste of resources. This paper proposes a verifiable secret sharing scheme based on the plane parameter curve. It only needs to put the subkeys provided by each member together and check once to determine whether there are cheaters in these members. If it exists, it will terminate the reconstruction immediately, otherwise, it will continue, which greatly improves the efficiency of the secret sharing scheme.

2. Design of the Secret Sharing Scheme

Let F_p be a finite field of p elements and p be a large prime number, let:

$F_p=\left\{0,1,2,\cdots ,p-1\right\}$, $F_p^{\ast }=F_p-\left\{0\right\}$.

The parametric curve $\Gamma$ on affine plane A²(F_p) is introduced:

$\Gamma :\{\begin{array}{l}x=f\left(t\right),\\ y=g\left(t\right),\end{array}$

where f(t) and g(t) are polynomials on F_p.

The parametric curve $\Gamma$ satisfies the following additional conditions:

1) For any $t\in F_p$, there is $\left(x,y\right)\in F_p^{\ast }\times F_p^{\ast }$.

2) For any $t_1,t_2\in F_p$, let:

$\{\begin{array}{c}{x}_1=f\left(t_1\right),\\ y_1=f\left(t_1\right),\end{array}\{\begin{array}{c}{x}_2=f\left(t_2\right),\\ y_2=f\left(t_2\right).\end{array}$

If $t_1\ne t_2$, then $x_1^{-1}{y}_1\ne x_2^{-1}{y}_2$.

Let D be the distributor of the subkeys, that is, the dealer, and $P=\left\{P_1,P_2,\cdots ,P_n\right\}$ be the set of n participating members.

Firstly, the dealer D secretly chooses the master key $k\in F_p$, decomposes k into r different numbers $k_1,k_2,\cdots ,k_r$ on $F_p^{\ast }$, that is, $k=k_1+k_2+\cdots +k_r$, $\left\{k_1,k_2,\cdots ,k_r\right\}\subset F_p^{\ast }$, and then constructs the homogeneous formula:

$\begin{array}{l}z=\phi \left(t\right)=k_1{x}^{r-1}+k_2{x}^{r-2}y+k_3{x}^{r-3}{y}^2+\cdots +k_r{y}^{r-1}\\ =k_1{f}^{r-1}\left(t\right)+k_2{f}^{r-2}\left(t\right)g\left(t\right)+k_3{f}^{r-3}\left(t\right)g^2\left(t\right)+\cdots +k_r{g}^{r-1}(\; t\; )\end{array}$

The dealer D secretly selects n different parameters on F_p to calculate $z_i=\phi \left(t_i\right)\mathrm{mod}p$ so that any r numbers of $z_1,z_2,\cdots ,z_n$ are mutually prime, that is, $\gcd \left(z_{i_1},z_{i_2},\cdots ,z_{i_r}\right)=1$.

The dealer D distributes $z_i$ to the corresponding i-th member $P_i\left(1\le i\le n\right)$ as his subkey.

If r participating members $P_{i_1},P_{i_2},\cdots ,P_{i_r}$ are going to reconstruct the master key k, they show their subkeys $z_{i_1},z_{i_2},\cdots ,z_{i_r}$ respectively, and establish the following linear equations on F_p,

$\{\begin{array}{l}{k}_1{x}_{i_1}^{r-1}+k_2{x}_{i_1}^{r-2}{y}_{i_1}+k_3{x}_{i_1}^{r-3}{y}_{i_1}^2+\cdots +k_r{y}_{i_1}^{r-1}=z_{i_1},\\ k_1{x}_{i_2}^{r-1}+k_2{x}_{i_2}^{r-2}{y}_{i_2}+k_3{x}_{i_2}^{r-3}{y}_{i_2}^2+\cdots +k_r{y}_{i_2}^{r-1}=z_{i_2},\\ ⋮\\ k_1{x}_{i_r}^{r-1}+k_2{x}_{i_r}^{r-2}{y}_{i_r}+k_3{x}_{i_r}^{r-3}{y}_{i_r}^2+\cdots +k_r{y}_{i_r}^{r-1}=z_{i_r}.\end{array}$ (1)

where $x_{i_j}=f\left(t_{i_j}\right),y_{i_j}=g\left(t_{i_j}\right),1\le j\le r$.

The system of equations is a linear system of equations consisting of r equations with r variables $\left(k_1,k_2,\cdot \cdot \cdot ,k_r\right)$ and the coefficient matrix H is a generalized Vander monde matrix on F_p, obviously, under the additional condition of parameter curve $\Gamma$, the matrix $H\ne 0$. Since $\gcd \left(H,p\right)=1$, the system of equations has a unique solution on F_p, that is:

$k_j=H_j{H}^{-1}\mathrm{mod}p,1\le j\le r$

where:

$\begin{array}{l}H=\left|\begin{array}{cccc}{x}_{i_1}^{r-1}& x_{i_1}^{r-2}{y}_{i_1}& \cdots & y_{i_1}^{r-1}\\ x_{i_2}^{r-1}& x_{i_1}^{r-2}{y}_{i_2}& \cdots & y_{i_2}^{r-1}\\ ⋮& ⋮& \ddots & ⋮\\ x_{i_r}^{r-1}& x_{i_r}^{r-2}{y}_{i_r}& \cdots & y_{i_r}^{r-1}\end{array}\right|,H_j=\left|\begin{array}{cccc}{x}_{i_1}^{r-1}& z_{i_1}& \cdots & y_{i_1}^{r-1}\\ x_{i_2}^{r-1}& z_{i_2}& \cdots & y_{i_2}^{r-1}\\ ⋮& ⋮& \ddots & ⋮\\ x_{i_r}^{r-1}& z_{i_r}& \cdots & y_{i_r}^{r-1}\end{array}\right|\\ \uparrow \\ \text{column}j\end{array}$

Then the r participating members calculate:

$k=\left(k_1+k_2+\cdots +k_r\right)\mathrm{mod}p,$

to recover the master key.

For this $\left(r,n\right)$ -threshold scheme, a problem can be raised: whether there are members who provide false subbeys in the stage of r participating members reconstructing the master key, that is, how each member can judge whether someone in other members has cheated and provided untrue subkeys, which requires the dealer to give parameter or parameter groups for verification, Let’s first introduce the following two lemmas.

Lemma 1. Let r ≥ 2, N and $a_i\left(i=1,2,\cdots ,r\right)$ be positive integers, and $\gcd \left(a_1,a_2,\cdots ,a_r\right)=1$. There is a positive integer $\varphi \left(a_1,a_2,\cdots ,a_r\right)$ only related to $a_1,a_2,\cdots ,a_r$ when $N>\varphi \left(a_1,a_2,\cdots ,a_r\right)$ the equation:

$a_1{b}_1+a_2{b}_2+\cdots +a_r{b}_r=N$ (2)

has a set of nonnegative integer solutions $\left(b_1,b_2,\cdots ,b_r\right)$.

Proof. Mathematical induction is used for r.

When r = 2 we choose $\varphi \left(a_1,a_2\right)=\left(a_1-1\right)\left(a_2-1\right)-1$, because:

$a_1{b}_1+a_2{b}_2=N$, (3)

where $\gcd \left(a_1,a_2\right)=1$, all solutions of Equation (3) can be expressed as:

$\{\begin{array}{l}{b}_1={b^{\prime }}_1+a_{2}u,\\ b_2={b^{\prime }}_2-a_{1}u,\end{array}$

where ${b^{\prime }}_1,{b^{\prime }}_2$ are a group of special solutions of Equation (3), and u is any integer.

Obviously, u can be taken so that $0\le b_2={b^{\prime }}_2-a_{1}u<a_1$, i.e. $0\le {b^{\prime }}_2-a_{1}u\le a_1-1$ when $N>\varphi \left(a_1,a_2\right)=a_1{a}_2-a_1-a_2$, the following is true:

$\left({b^{\prime }}_1+a_{2}u\right)a_1=N-\left({b^{\prime }}_2-a_{1}u\right)a_2>a_1{a}_2-a_1-a_2-\left(a_1-1\right)a_2=-a_1$,

that is:

${b^{\prime }}_1+a_{2}u>-1$.

Therefore, for the above u, there is:

$b_1={b^{\prime }}_1+a_{2}u\ge 0$.

So when $N>a_1{a}_2-a_1-a_2$ there is an integer solution $b_1\ge 0,b_2\ge 0$ in (3).

Let’s suppose that the lemma holds for r − 1 elements. It is proved that the lemma holds for r elements.

Let $\gcd \left(a_1,a_2,\cdots ,a_{r-1}\right)=d$, $a_i={a^{\prime }}_{i}d\left(1\le i\le r-1\right)$, and $\gcd \left(d,a_r\right)=1$ be obtained from $\gcd \left(a_1,a_2,\cdots ,a_r\right)=1$, therefore there exists $0\le c_r\le d-1$ such that $a_r{c}_r\equiv N\mathrm{mod}d$.

Let $b_r=c_r$, and from (2) we can get:

${a^{\prime }}_1{b}_1+{a^{\prime }}_2{b}_2+\cdots +{a^{\prime }}_{r-1}{b}_{r-1}=\frac{N-a_r{c}_r}{d}$ (4)

Since $\gcd \left({a^{\prime }}_1,{a^{\prime }}_2,\cdots ,{a^{\prime }}_r\right)=1$, by inductive assumption, there is an integer ${\varphi }^{\prime }\left({a^{\prime }}_1,{a^{\prime }}_2,\cdots ,{a^{\prime }}_{r-1}\right)$, when $\frac{N-a_r{c}_r}{d}\ge \frac{N-a_r\left(d-1\right)}{d}>{\varphi }^{\prime }\left({a^{\prime }}_1,{a^{\prime }}_2,\cdots ,{a^{\prime }}_{r-1}\right)$, the indefinite Equation (4) has a set of nonnegative integer solutions:

$b_1=c_1\ge 0,b_2=c_2\ge 0,\cdots ,b_{r-1}=c_{r-1}\ge 0$

That is, when $N>d{\varphi }^{\prime }\left({a^{\prime }}_1,{a^{\prime }}_2,\cdots ,{a^{\prime }}_{r-1}\right)+a_r\left(d-1\right)=\varphi \left(a_1,a_2,\cdots ,a_r\right)$, the indefinite Equation (2) has a set of nonnegative integer solutions $\left(b_1,b_2,\cdots ,b_r\right)$.

This completes the proof.

If we take $a_j=z_{i_j}\left(1\le j\le r\right),N=1+m\left(p-1\right)$, where m is a sufficiently large positive integer such that $N>\varphi \left(z_{i_1},z_{i_2},\cdots ,z_{i_r}\right)$ then the indefinite equation:

$z_{i_1}{b}_1+z_{i_2}{b}_2+\cdots +z_{i_r}{b}_r=1+m\left(p-1\right)$ (5)

has a set of nonnegative integer solution $b_1\ge 0,b_2\ge 0,\cdots ,b_r\ge 0$.

Dealer D selects a primitive root g of module p calculates:

${\delta }_1\equiv g^{b_1}\mathrm{mod}p,{\delta }_2\equiv g^{b_2}\mathrm{mod}p,\cdots ,{\delta }_r\equiv g^{b_r}\mathrm{mod}p.$

and then exposes array $\left(g,{\delta }_1,{\delta }_2,\cdots ,{\delta }_r\right)$ as the verification parameter group of participants.

Lemma 2. If a is the primitive root of module n, then $a^s\equiv a^t\mathrm{mod}n$ if and only if $s\equiv t\mathrm{mod}\phi \left(n\right)$, where $\phi \left(n\right)$ is an Euler function, and $\phi \left(p\right)=p-1$ when n is a prime p.

Proof. From the condition, we get $a^{s-t}\equiv 1\mathrm{mod}n$, so there is ${\delta }_n\left(a\right)|s-t$ where ${\delta }_n\left(a\right)$ is the exponent of a to module n, thus we get:

$s\equiv t\mathrm{mod}{\delta }_n\left(a\right)$.

Since a is the primitive root of module n, that is ${\delta }_n\left(a\right)=\phi \left(n\right)$, thus:

$s\equiv t\mathrm{mod}\phi \left(n\right)$.

The above proof process is reverible, which completes the proof of Lemma 2.

According to these two lemmas, we can get the following judgment theorem.

Theorem 1. For the subkey group $\left({\bar{z}}_{i_1},{\bar{z}}_{i_2},\cdots ,{\bar{z}}_{i_r}\right)$ provided by the participating member in P, if ${\delta }_1^{{\bar{z}}_{i_1}}{\delta }_2^{{\bar{z}}_{i_2}}\cdots {\delta }_r^{{\bar{z}}_{i_r}}\mathrm{mod}p\ne g$, then there must be cheaters in the participating member set.

Proof.

$z_{i_1}{b}_1+z_{i_2}{b}_2+\cdots +z_{i_r}{b}_r\equiv 1\mathrm{mod}\left(p-1\right)$

can be obtained, and:

$g^{z_{i_1}{b}_1+z_{i_2}{b}_2+\cdots +z_{i_r}{b}_r}\mathrm{mod}p=g$

can be obtained from Lemma 2.

If there is no cheater in the members, then:

$\left({\bar{z}}_{i_1},{\bar{z}}_{i_2},\cdots ,{\bar{z}}_{i_r}\right)=\left(z_{i_1},z_{i_2},\cdots ,z_{i_r}\right)$,

thus:

${\delta }_1^{{\bar{z}}_{i_1}}{\delta }_2^{{\bar{z}}_{i_2}}\cdots {\delta }_r^{{\bar{z}}_{i_r}}\mathrm{mod}p=g^{z_{i_1}{b}_1+z_{i_2}{b}_2+\cdots +z_{i_r}{b}_r}\mathrm{mod}p=g$.

According to the equivalent logical relationship between the original proposition and its converse proposition, we get that if the subkey group $\left({\bar{z}}_{i_1},{\bar{z}}_{i_2},\cdots ,{\bar{z}}_{i_r}\right)$ provided by the participating members satisfies ${\delta }_1^{{\bar{z}}_{i_1}}{\delta }_2^{{\bar{z}}_{i_2}}\cdots {\delta }_r^{{\bar{z}}_{i_r}}\mathrm{mod}p\ne g$, then $\left({\bar{z}}_{i_1},{\bar{z}}_{i_2},\cdots ,{\bar{z}}_{i_r}\right)\ne \left(z_{i_1},z_{i_2},\cdots ,z_{i_r}\right)$, it means that there must be cheaters in the participating members. This completes the proof of Theorem 1.

For example, let $g=13,p=19$, when $z_{i_1}=7,z_{i_2}=3,z_{i_3}=11$, there is $b_1=15,b_2=23,b_3=17$, so that $z_{i_1}{b}_1+z_{i_2}{b}_2+z_{i_3}{b}_3=361\equiv 1\left(\mathrm{mod}18\right)$.

At this time, there is:

${\delta }_1=g^{b_1}={13}^{15}\equiv 8\left(\mathrm{mod}19\right)$,

${\delta }_2=g^{b_2}={13}^{23}\equiv 14\left(\mathrm{mod}19\right)$,

${\delta }_3=g^{b_3}={13}^{17}\equiv 3\left(\mathrm{mod}19\right)$

and:

${\delta }_1^{z_{i_1}}{\delta }_2^{z_{i_2}}{\delta }_3^{z_{i_3}}=8^7\cdot {14}^3\cdot 3^{11}\equiv 13=g\left(\mathrm{mod}19\right)$.

If $P_{i_2}$ in the participant submits a false subkey ${\bar{z}}_{i_2}=2$, then:

${\delta }_1^{z_{i_1}}{\delta }_2^{{\bar{z}}_{i_2}}{\delta }_3^{z_{i_3}}=8^7\cdot {14}^2\cdot 3^{11}\equiv 5\ne g\left(\mathrm{mod}19\right)$.

3. Performance Analysis of the Secret Sharing Scheme

Theorem 2. The $\left(r,n\right)$ -threshold scheme is a complete and ideal secret sharing scheme.

Proof. If any r members $P_{i_1},P_{i_2},\cdots ,P_{i_r}$ take out their respective subkeys together, then we can build linear Equations (1). Obviously, there are r variables in this system of equations.

According to the corresponding relationship of each subkey, it is necessary for r members to join together to construct a linear system of equations containing r equations, so as to obtain the unique solution containing the master key and this solution also satisfies the equation generated by the subkeys held by other members. Therefore, at least members must be together to recover the shared master key k and less than r members cannot find the unique solution of the linear equations, so no information of the master key k can be obtained. In conclusion, the $\left(r,n\right)$ -threshold scheme is a complete secret sharing scheme.

Let S = F_p, master key $k\in S$, since each participant has only one subkey of secret value, and all values are in S, we can calculate the information rate [15]:

$\rho =\frac{{\log }_2\left|S\right|}{{\log }_2\left|S\right|}=1.$

So the $\left(r,n\right)$ -threshold scheme is also an ideal secret sharing scheme. It’s over.

Theorem 3. For this $\left(r,n\right)$ -threshold secret sharing scheme, the probability of success of h (1 ≤ h < r) cheaters in the participating members is $\frac{1}{p}-\frac{1}{p^h}$.

Proof. Suppose r members $P_{i_1},P_{i_2},\cdots ,P_{i_r}$ are about to reconstruct and recover the master key k in which there are h (1 ≤ h < r) cheaters.

Let $P_{i_1},P_{i_2},\cdots ,P_{i_h}$ be cheaters and $P_{i_{h+1}},P_{i_{h+2}},\cdots ,P_{i_r}$ be honest people. If $P_{i_1},P_{i_2},\cdots ,P_{i_h}$ use false data ${z^{\prime }}_{i_1},{z^{\prime }}_{i_2},\cdots ,{z^{\prime }}_{i_h}$ to impersonate the real subkeys $z_{i_1},z_{i_2},\cdots ,z_{i_h}$ respectively, and $P_{i_{h+1}},P_{i_{h+2}},\cdots ,P_{i_r}$ show their correct subkeys, then the equations to obtain the reconstructed master key k from the public information become:

$\{\begin{array}{l}{k}_1{x}_{i_1}^{r-1}+k_2{x}_{i_1}^{r-2}{y}_{i_1}+k_3{x}_{i_1}^{r-3}{y}_{i_1}^2+\cdots +k_r{y}_{i_1}^{r-1}={z^{\prime }}_{i_1},\\ ⋮\\ k_1{x}_{i_h}^{r-1}+k_2{x}_{i_h}^{r-2}{y}_{i_h}+k_3{x}_{i_h}^{r-3}{y}_{i_h}^2+\cdots +k_r{y}_{i_h}^{r-1}={z^{\prime }}_{i_h},\\ k_1{x}_{i_{h+1}}^{r-1}+k_2{x}_{i_{h+1}}^{r-2}{y}_{i_{h+1}}+k_3{x}_{i_{h+1}}^{r-3}{y}_{i_{h+1}}^2+\cdots +k_r{y}_{i_{h+1}}^{r-1}=z_{i_{h+1}},\\ ⋮\\ k_1{x}_{i_r}^{r-1}+k_2{x}_{i_r}^{r-2}{y}_{i_r}+k_3{x}_{i_r}^{r-3}{y}_{i_r}^2+\cdots +k_r{y}_{i_r}^{r-1}=z_{i_r},\\ {\delta }_1^{{z^{\prime }}_{i_1}}\cdots {\delta }_2^{{z^{\prime }}_{i_h}}{\delta }_2^{z_{i_{h+1}}}\cdots {\delta }_r^{z_{i_r}}\mathrm{mod}p=g.\end{array}$ (6)

Because the system of Equations (6) contains ${z^{\prime }}_{i_1},{z^{\prime }}_{i_2},\cdots ,{z^{\prime }}_{i_h}$, $k_1,k_2,\cdots ,k_r$ total of h + r unknown variables and r + 1 equations, so there are h − 1 free variables, so the system of Equations (6) has $p^{h-1}$ different solutions. Since all the possible subkey sets of cheaters $P_{i_1},P_{i_2},\cdots ,P_{i_h}$ contain $p^h$ elements, the probability of successful deception of $P_{i_1},P_{i_2},\cdots ,P_{i_h}$ is:

$\frac{p^{h-1}-1}{p^h}=\frac{1}{p}-\frac{1}{p^h}<\frac{1}{p}.$

It’s over.

It can be seen from Theorem 3 that for the threshold secret sharing scheme, when h = 1 the probability of success of deception is 0, that is, a single cheater will not succeed in deception; With the increasing number of success is also increasing; However, no matter how many cheaters there are, the probability of success of cheaters will not exceed 1/p.

4. Conclusion

At present, among some verifiable secret sharing schemes that have been published, the secret sharing schemes described in references [10] [11] are complete, but not ideal. Although the secret sharing scheme designed in references [12] [13] is perfect and ideal, it needs to test the subkeys of each participant one by one, resulting in the inefficiency of the scheme itself. In this paper, the plane parameter curve is used to construct the threshold secret sharing scheme, which can make the curve coordinates and the homogeneous formula of determining the master key expressed by the same parameter t, thus showing the advantages of the single parameter representation of the master key, reducing the amount of information contained in the subkeys, increasing the information rate, and making the secret sharing scheme more practical and easy to implement. The results show that the threshold scheme is not only complete, but also ideal; at the same time, it has verifiability. Through the one-time operation, we can judge whether there are cheaters in the participating members, and the probability of successful deception of the cheater will not exceed 1/p. Therefore, the secret sharing scheme is effective and unconditionally secure in preventing deception. Secret sharing has very important theoretical and practical significance in key management. We plan to study the next research topic. We will study the construction of a higher standard secret sharing scheme based on the parametric elliptic curve equation [16] [17] to further strengthen the security and effectiveness of secret sharing.

Conflicts of Interest

The author declares no conflicts of interest regarding the publication of this paper.

References