Bipartite Threshold Multi-Secret Sharing Scheme Based on Hypersphere ()
1. Introduction
Secret sharing plays a significant role in information security. It has become one of the most important research areas in modern cryptography and has wide applications in many fields. Its theories models are rapidly developed. A secret sharing scheme allows a secret dealer to split a secret into secret shares and to distribute the secret shares among a group of participants in the way that only if a certain specified subset of the participants pooling together their shares can reconstruct the shared secret, while any unqualified subsets cannot obtain anything about the shared secret. Particularly, a (t,n)-threshold secret sharing scheme allows the secret to being shared by a secret dealer among n participants in such a way that any t or more participants gathering their secret shares together can recover the shared secrets, but t − 1 or fewer participants cannot obtain any knowledge about the shared secret. Two basic (t,n)-threshold secret sharing schemes based on Lagrange interpolating and affine geometry were proposed by Shamir [1] and Blakley [2] for the first time respectively in 1979. Since then, many constructions have been proposed [3] [4] [5] [6] [7]. They usually consist of two basic protocols, one is a distribution protocol in which the secret S is distributed by the secret dealer to participants, another is a reconstruction protocol in which the secret S is recovered by pooling the secret shares of a qualified subset of the participants.
In the original (t,n)-threshold secret sharing schemes, if there are r secrets to be shared among the same n participants, the secret dealer should run the (t,n)-threshold secret sharing scheme for r times. It results in a low efficiency. To solve the problem, Blundo et al. [8] introduced the concept of multi-secret sharing schemes according to the situation where the same set of shared control members shares more than one secret in 1993. This is an alternative way to improve the efficiency of secret sharing scheme, named multi-secret sharing scheme (MSS), which use same shares to reconstruct multiple shared secrets. There are various proposals of MSS scheme. For instance, MSS schemes proposed by [9] [10] are based on polynomials, and MSS scheme proposed by [11] is based on elliptic curve of bilinear map, and MSS scheme proposed by [12] is based on cellular automata, and so on.
These secret sharing schemes are all based on an assumption that all participants are equal in status, right and dependability. However, the assumption is very hard to satisfy in fact. In many cases, participants have different access right. Padro et al. [13] researched secret sharing schemes with bipartite access structure. Bipartite access structure, informally, is that the set of participants can be divided into two parts in such a way which all participants in the same part play an equivalent role in the structure. Papers [14] [15] gave
-threshold secret sharing schemes with two kinds of different access rights which based on the solution structures of constant coefficients homogeneous linear difference equation and noncyclic polynomial sequence respectively. Further, people can consider in any access structure the partition that is derived from a suitable equivalence relation on the set of participants. Because of its practical interest, secret sharing for multipartite access structures has been studied by several authors [16] [17] [18].
In all of the above-mentioned schemes, there is a drawback that some participants might have left the group and adversary might have corrupted more than
(or
) participants. The security policy and adversary structure of a secret sharing scheme may change after the setup of the scheme and before the recovery of the shared secret. So it is desirable to design a bipartite threshold secret sharing scheme which allows the value n1 or n2 of threshold and number m1 or m2 of participants to change before the recovery of the secret, and which remains secure under these changes.
In this paper, we use the hypertangent plane and the hypernormal plane on the hypersphere to construct a
-threshold multi-secret sharing scheme. This threshold scheme is ideal which not only the participants can join or leave the system dynamically but also the value of threshold is easy to change as well as multi-secret could be shared and renewed. In addition, the participants need not provide their real secret shares and the secret shares need not to be renewed when the shared secret is changed.
Organization of this paper is as follows. We introduce related notions and results in Section 2. In Section 3, we propose our construction by using geometric method. Section 4 details our validity analysis, security analysis and performance analysis respectively. We draw the conclusion in Section 5.
2. Definitions and Preliminaries
In this section we review some basic definitions and notations that will be used through the paper.
Definition 1. Let A, B be two groups of participants with difference access right such that
,
,
. Set
satisfying
,
. Each participant in A obtains a secret share
respectively and each participant in B obtains a secret share
respectively. The shared secret S can be restored only if at least n1 participants in group A and n2 participants in group B combine their secret shares. Then this method is called bipartite
-threshold secret sharing scheme, where the number n1, n2 are called the value of threshold.
In this paper, Let
,
, where
,
are some participants. Let D be the secret dealer who distributes the secret shares among the participants, NB be an electronic proclamation board on which the secret dealer can write information but others cannot. All operations in this paper are carried out over finite field Zp, where p is a large prime satisfying
. The following theorem is proposed in [19].
Theorem 1. Let p be an odd prime. If 2 is not quadratic residue module-p, then arbitrary
can be expressed to sum of squares for arbitrany n+1 integer module-p.
Let
be n+1 dimension Cartesian orthogonal coordinate system in real Euclidean space
.
Definition 2. Assume that
is a point of
,
, and let N denote the radius of hypersphere Σ. Then the spherical representation of hypersphere Σ is defined as follows:
(1)
where
is the coordinate of arbitrary point on hypersphere Σ.
is called the centre of hypersphere.
Definition 3. For
, a R-continuously differentiable curve
from (a,b) to
is defined as vector function in [20] by
(2)
where
.
The derived vector of curve
(3)
is called the tangent vector at point t of curve
.
If for all
, we have
, then
is called the regular curve.
If for all
, the coordinates of regular curve
satisfy
,
Then curve
is called the spherical curve of hypersphere
.
To deal with multi-secret sharing problem, for
, we pick a transform between
and
as follows:
such that
(4)
In addition, let g be a primitive root of module-p, we define a bivariate function over Zp,
(5)
and a coordinate function over Zp,
. (6)
3. Proposed Scheme
In this section, we propose a bipartite multi-secret sharing scheme based on hypersphere. In our scheme, a secret dealer is responsible for generating
different secret share from the shared secrets
. And then, only given
secret share, the shared secrets can be reconstructed.
3.1. The Distribution of the Secret Shares
The secret dealer randomly selects m1 different secret share
and number u1 from Zp, then distributes
and
to each participant Pi in group A through a secret channel as the secret share of these participants respectively. Similarly, m2 different secret shares
and number u2 from Zp such that
are selected by D to distribute to participants in group B through same secret channel.
Taking
, without loss of generality, suppose that
, then
. We assume that t shared secrets
are all from Zp where
. By setting
in (4), the secret dealer calculates
(7)
which yields a point
.
The secret dealer chooses a positive integer
to get a spherical representation of a hypersphere
where
is the centre of this hypersphere.
The secret dealer chooses
such that
and a bivariate function like (5), together with the coordinate function (6) to calculate over Zp as follows:
follows from the spherical representation, that is ,
satisfies
,
which yields a point on
,
.
It is not difficult to get a hypertangent plane π of
at
:
.
Letting
, one obtains a following equation of hypertangent plane π:
. (8)
The secret dealer D make computation according to the secret share ki of the participant Pi in group A and value u1 as follows:
.
Thus, point
is on the hypertangent plane π. There are m1 points in all. The secret dealer publishs
, the coordinates of point U0, the expressions of the bivariate function and the coordinate function on NB.
The secret dealer D chooses a spherical curve
on the hypersphere
,
. (9)
Differentiating (9) it follows
. (10)
The secret dealer D set
with
such that
, which yields that
Then the secret dealer D can derive a hypernormal plane
of curve
at
,
,
That is,
,
where
is a vector of the moving point coordinates.
Letting
,
, one gets the following equation of the hypernormal plane
:
. (11)
The secret dealer D chooses numbers
such that
, together with the bivariate function and the coordinate function as well as the secret share
of m2 participants
in group B to calculate over Zp as follows:
where
.
Hence the secret dealer D obtains altogether
hyperplanes, those are
and
. At the same time the secret dealer D publishs
and the coordinate of
on NB.
3.2. Reconstruction of the Secrets
For arbitrary
participants in group A gather their secret shares together, without loss of generality, suppose that they are
. Each participant
uses his private share
and the public information on the NB to calculate
respectively. Then these n cooperative participants substitute yij, Hi and the coordinate of U0 into the following undetermined expression
Which yields that the following system of equations:
(12)
Calculating
and M in (12), they obtain the equation of hypertangent plane π about the hypersphere
at point U0,
(13)
where
is given by
.
These n cooperative participants get a normal vector
from (13), which derive the equation of normal line L about π at point U0 as follows:
, (14)
where
is a moving point coordinate vector.
Similarly, arbitrary n2 participants in group B gather their secret shares together, without loss of generality, suppose that they are
who possess secret share
respectively. They use
and the public information on NB to obtain the following system of equations:
(15)
From (15) it follows
and
. By calculating
, these n2 cooperative participants can obtain the equation of hypernormal plane
about hypersphere
,
(16)
At last, these n1 cooperative participants in group A and that n2 cooperative participants in group B solve in common the following set of equations which consist of (14) and (16):
Which yields the centre coordinate of hypersphere
, that is,
. Then by solving the transformation formula (7), these participants can recover the shared secrets
.
4. Analysis of the Scheme
4.1. Correctness Proof
If the secret dealer and the participants are all honest in this scheme, at least n1 participants in group A and at least n2 participants in group B get together to reconstruct the shared secrets during the execution of reconstruction algorithm. To obtain this conclusion, we need only to prove the following theorem.
Theorem 2. The hypernormal plane π of any spherical curve
on a hypersphere
always passes the centre of this hypersphere.
Proof. Let us put the spherical representation of
as follows:
and let spherical curve
be
.
Hence, we have
and there exist a tangent vector of arbitrary point
on the spherical curve
,
.
Let the coordinate of moving point on the hypernormal plane at t0 be
, then the equation of this hypernormal plane is
It implies
. (17)
Differentiating
, we have
Which implies that when
, we get
. (18)
Substituting (18) into (17) , we obtain the hypernormal plane
as follows:
Obviously, it passes the centre
of hypersphere.
This completes the proof.
In our scheme, since the normal line L of hypertangent plane π at U0 passes the centre of hypersphere too, it follows that the cross point of normal line L and hypernormal plane
is the centre of hypersphere.
Theorem 3. The unique hypertangent plane π over Zp is determined by arbitary n different points of m1 points derived from the secret shares
together with point U0.
Proof. The system of Equations (12) determined by n different points and the public point U0 can be modified as follows:
(19)
where M and
are unknown numbers of this system.
The determinant of coefficient for (19) can be obtained that
Since
where
is the bivariate function over Zp and g is a primitive root of modulo-p.
For any
, we have
, hence
. It follows from Gramer rule that (19) has a unique set of solutions M,
. Thus, the unique hypertangent plane π over Zp. Can be determined by this set of solutions.
As a result, we obtain theorem.
Similarly, we can prove that the unique hypernormal plane
over Zp is determined by arbitary n2 different points of m2 points derived from the secret shares
together with
public points
.
The above theorem show a deterministic condition for the hypertangent plane or the hypernormal plane.
4.2. Security Analysis
The security of proposed scheme is based on the deterministic condition of hyperplane.
Theorem 4. Arbitrary n points in
cannot determine unique hyperplane over Zp.
Proof. Suppose in existence n points (there is no harm in taking
) can determine a hyperplane π1. Then, we pick a point W which is out of π
1 in
such that the coordinate vectors of
, W is linearly independent. By theorem 3, it is obvious that
, W can determine unique hyperplane π2 over Zp. Because W is out of π1, it follows that
. However,
are on not only π1 but also π2. This is a contradiction. Thus, we completes the proof of theorem 4.
It can be shown from the theorem 4 that
or fewer participants in group A submiting their secret shares can only produce n1 points including U0 at most. So that they have no way of determining hypertangent plane π. Similarly,
or fewer participants in group B have no way of determining hypernormal plane
too. This shows that the less than n1 participants in group A or the less than n2 participants in group B gathering their secret shares together cannot recover the shared secrets
.
In addition, it is not difficult for an attacker to get the public informations
in the proposed scheme. Hwever,
are product of the coefficient
and the last coordinate value of points which are derived from the secret shares of m1 participants in group A and m2 participants in group B respectively. They are calculated by the equation of hyperplanes and the front n coordinate value of derived points. On the contrary, the front n coordinate value of derived points cannot be predicted by
, that means the attacker could not obtain the shared secrets from the public informations on NB. Moreover, together with the bivariate function, calculating
from
respectively need to solve the discrete logarithm problem, As we know that the discrete logarithm problem is intractable, it is impossible for an attacker to obtain the participant’s secret share.
4.3. Performance Analysis
4.3.1. Information Rate of the Proposed Scheme
By the construction of proposed scheme, each share
or
is choosed from Zp,and the shared secrets
from Zp too. It follows that
,where Kh is a set of possible secret shares of participants in group A or in group B, and S is a set of possible shared secrets. Hence, the information rate of this scheme is
This shows that the proposed scheme is ideal one.
4.3.2. Advantages of the Proposed Scheme
1) Multiple secrets can be reconstructed simultaneously within a secret sharing session.
2) Since the participants provide the derived points of secret shares but not the secret share
during the reconstruction of secrets, it follows that the secret shares of participants are still kept confidential after recovering all of the secrets and the secret shares could be used to share a new set of secrets.
3) When a new participant joins the system, the secret dealer needs only to select a new secret share that its derived points is on the hyperplane to distribute to this new participant secretly. When we need to delete a participant, the dealer needs only to change the value of parameter u in the bivariate function to recompute hyperplane, whereas the remainder participants can share next secrets by same secret shares. So it is very easy that the participants can join or leave the system.
4) When the value of threshold n1 or n2 is changed, namely,
change into
, let us put
and
, the secret dealer needs only to turn the n+1 dimension space into a
dimension space and go on according to the same scheme. Whereas there is no need to change the one’s own secret share for each participant.
The above advantages of this scheme are not provided by the secret sharing scheme with bipartite access structure [13] [14] [15]. In addition, the scheme uses hypersphere geometry to study, which is more intuitive and clear than the scheme [13] [14] [15], and the method is more unique.
4.3.3. Computational Complexity
The only operations used in this scheme are linear combination operation, determinant operation and exponentiation operation, of which the former is negligible complexity. Obviously, the performance of the scheme mainly depends on the calculation of determinant, which is relatively easy to implement. If the determinant is computed by Wiedemann algorithm in [19], the performance of this scheme will be further improved. In the following, we count the number of times of exponentiation operations taken by the secret dealer and each participant.
1) In the distribution stage: the secret dealer D calculate
over Zp altogether
times and calculate
over Zp altogether
times.
2) In the reconstruction stage: authorized participants in group A calculate
over Zp altogether n1 times and ones in group B calculate
over Zp altogether n2 times.
Thus it can seen that the proposed scheme needs
exponentiation operations. We remark that one exponentiation operation can be done in time
. In that way, sharing and reconstructing the secrets can be done in all time
. It is obvious that the proposed scheme satisfies the definition of a computationally efficient secret sharing scheme.
This scheme is more effective than other secret sharing schemes [6] - [12] on general access structure when sharing larger secrets. Assuming that the length of the secret shared is
bits, a comparison is made between the scheme in [6] and the one in this paper. In the scheme in [6], the length of module-p should be at least
bits. With the scheme in my paper, the shared secret can be divided into t sub-secrets, and then the t sub-secrets can be shared. Therefore, the length of module-p is 512 bits, which greatly reduces the computational complexity compared with the scheme in [6].
5. Conclusion
In this paper, an efficient bipartite
-threshold multi-secret sharing
scheme is proposed, which is based on a hypersphere by using a geometric method, In this scheme, multi-secret could be shared and each participant needs only to hold one secret share in renewing the shared secrets without updating each participant’s secret share. Compared with the existing bipartite secret sharing scheme, it is easy to show that not only the participants can leave the system and new participants can be added into the system dynamically, but also the values of threshold n1, n2 can be changed. Therefore, the proposed scheme is very effective and practical.