Bipartite Threshold Multi-Secret Sharing Scheme Based on Hypersphere

Abstract

To address the problem that existing bipartite secret sharing scheme is short of dynamic characteristic, and to solve the problem that each participant can only use secret share once, this paper proposed a bipartite (n1+n2, m1+m2)-threshold multi-secret sharing scheme which combined cryptography and hypersphere geometry. In this scheme, we introduced a bivariate function and a coordinate function over finite field Zp to calculate the derived points of secret share, which can reconstruct the shared secrets by producing the intersection point of hypernormal plane and normal line on the hypertangent plane. At the initial stage the secret dealer distributes to each participant a secret share that can be kept secret based on the intractability of discrete logarithm problem and need not be changed with updating the shared secrets.Each cooperative participant only needs to submit a derived point calculated from the secret share without exposing this secret share during the process of reconstructing the shared secret. Analyses indicate that the proposed scheme is not only sound and secure because of hypersphere geometric properties and the difficulty of discrete logarithm problem, but also efficient because of its well dynamic behavior and the invariant secret share. Therefore, this bipartite threshold multi-secret sharing scheme is easy to implement and is applicable in practical settings.

Share and Cite:

Li, B. (2019) Bipartite Threshold Multi-Secret Sharing Scheme Based on Hypersphere. American Journal of Computational Mathematics, 9, 207-220. doi: 10.4236/ajcm.2019.94016.

1. Introduction

Secret sharing plays a significant role in information security. It has become one of the most important research areas in modern cryptography and has wide applications in many fields. Its theories models are rapidly developed. A secret sharing scheme allows a secret dealer to split a secret into secret shares and to distribute the secret shares among a group of participants in the way that only if a certain specified subset of the participants pooling together their shares can reconstruct the shared secret, while any unqualified subsets cannot obtain anything about the shared secret. Particularly, a (t,n)-threshold secret sharing scheme allows the secret to being shared by a secret dealer among n participants in such a way that any t or more participants gathering their secret shares together can recover the shared secrets, but t − 1 or fewer participants cannot obtain any knowledge about the shared secret. Two basic (t,n)-threshold secret sharing schemes based on Lagrange interpolating and affine geometry were proposed by Shamir [1] and Blakley [2] for the first time respectively in 1979. Since then, many constructions have been proposed [3] [4] [5] [6] [7]. They usually consist of two basic protocols, one is a distribution protocol in which the secret S is distributed by the secret dealer to participants, another is a reconstruction protocol in which the secret S is recovered by pooling the secret shares of a qualified subset of the participants.

In the original (t,n)-threshold secret sharing schemes, if there are r secrets to be shared among the same n participants, the secret dealer should run the (t,n)-threshold secret sharing scheme for r times. It results in a low efficiency. To solve the problem, Blundo et al. [8] introduced the concept of multi-secret sharing schemes according to the situation where the same set of shared control members shares more than one secret in 1993. This is an alternative way to improve the efficiency of secret sharing scheme, named multi-secret sharing scheme (MSS), which use same shares to reconstruct multiple shared secrets. There are various proposals of MSS scheme. For instance, MSS schemes proposed by [9] [10] are based on polynomials, and MSS scheme proposed by [11] is based on elliptic curve of bilinear map, and MSS scheme proposed by [12] is based on cellular automata, and so on.

These secret sharing schemes are all based on an assumption that all participants are equal in status, right and dependability. However, the assumption is very hard to satisfy in fact. In many cases, participants have different access right. Padro et al. [13] researched secret sharing schemes with bipartite access structure. Bipartite access structure, informally, is that the set of participants can be divided into two parts in such a way which all participants in the same part play an equivalent role in the structure. Papers [14] [15] gave $\left({n}_{\text{1}}+{n}_{\text{2}},{m}_{\text{1}}+{m}_{\text{2}}\right)$ -threshold secret sharing schemes with two kinds of different access rights which based on the solution structures of constant coefficients homogeneous linear difference equation and noncyclic polynomial sequence respectively. Further, people can consider in any access structure the partition that is derived from a suitable equivalence relation on the set of participants. Because of its practical interest, secret sharing for multipartite access structures has been studied by several authors [16] [17] [18].

In all of the above-mentioned schemes, there is a drawback that some participants might have left the group and adversary might have corrupted more than ${n}_{1}-1$ (or ${n}_{2}-1$ ) participants. The security policy and adversary structure of a secret sharing scheme may change after the setup of the scheme and before the recovery of the shared secret. So it is desirable to design a bipartite threshold secret sharing scheme which allows the value n1 or n2 of threshold and number m1 or m2 of participants to change before the recovery of the secret, and which remains secure under these changes.

In this paper, we use the hypertangent plane and the hypernormal plane on the hypersphere to construct a $\left({n}_{\text{1}}+{n}_{\text{2}},{m}_{\text{1}}+{m}_{\text{2}}\right)$ -threshold multi-secret sharing scheme. This threshold scheme is ideal which not only the participants can join or leave the system dynamically but also the value of threshold is easy to change as well as multi-secret could be shared and renewed. In addition, the participants need not provide their real secret shares and the secret shares need not to be renewed when the shared secret is changed.

Organization of this paper is as follows. We introduce related notions and results in Section 2. In Section 3, we propose our construction by using geometric method. Section 4 details our validity analysis, security analysis and performance analysis respectively. We draw the conclusion in Section 5.

2. Definitions and Preliminaries

In this section we review some basic definitions and notations that will be used through the paper.

Definition 1. Let A, B be two groups of participants with difference access right such that $A\cap B=\varphi$, $|A|={m}_{\text{1}}$, $|B|={m}_{\text{2}}$. Set ${n}_{\text{1}},{n}_{\text{2}}\in {Z}^{\ast }$ satisfying ${m}_{i}\ge \mathrm{max}\left\{|{n}_{1}-{n}_{2}|+1,{n}_{i}\right\}$, $i=\text{1},\text{2}$. Each participant in A obtains a secret share ${k}_{i}\left(1\le i\le {m}_{1}\right)$ respectively and each participant in B obtains a secret share ${\stackrel{¯}{k}}_{j}\left(1\le j\le {m}_{2}\right)$ respectively. The shared secret S can be restored only if at least n1 participants in group A and n2 participants in group B combine their secret shares. Then this method is called bipartite $\left({n}_{1}+{n}_{2},{m}_{1}+{m}_{2}\right)$ -threshold secret sharing scheme, where the number n1, n2 are called the value of threshold.

In this paper, Let $A=\left\{{P}_{1},{P}_{2},\cdots ,{P}_{{m}_{1}}\right\}$, $B=\left\{{\stackrel{¯}{P}}_{1},{\stackrel{¯}{P}}_{2},\cdots ,{\stackrel{¯}{P}}_{{m}_{2}}\right\}$, where ${P}_{i}\left(1\le i\le {m}_{1}\right)$, ${\stackrel{¯}{P}}_{j}\left(1\le j\le {m}_{2}\right)$ are some participants. Let D be the secret dealer who distributes the secret shares among the participants, NB be an electronic proclamation board on which the secret dealer can write information but others cannot. All operations in this paper are carried out over finite field Zp, where p is a large prime satisfying $p\equiv 3\mathrm{mod}4$. The following theorem is proposed in [19].

Theorem 1. Let p be an odd prime. If 2 is not quadratic residue module-p, then arbitrary ${N}^{2}\in \left[0,p\right)$ can be expressed to sum of squares for arbitrany n+1 integer module-p.

Let $\left[O;{x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right]$ be n+1 dimension Cartesian orthogonal coordinate system in real Euclidean space ${R}^{n+1}$.

Definition 2. Assume that $Q\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)$ is a point of ${R}^{n+1}$, $N\in {Z}_{p}$, and let N denote the radius of hypersphere Σ. Then the spherical representation of hypersphere Σ is defined as follows:

$\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}-{a}_{i}\right)}^{2}={N}^{2},$ (1)

where $\left({x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right)$ is the coordinate of arbitrary point on hypersphere Σ. $Q\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)$ is called the centre of hypersphere.

Definition 3. For $\left(a,b\right)\subset R$, a R-continuously differentiable curve $\Gamma$ from (a,b) to ${R}^{n+1}$ is defined as vector function in [20] by

$r=r\left(t\right)=\left({x}_{1}\left(t\right),{x}_{2}\left(t\right),\cdots ,{x}_{n}{}_{+1}\left(t\right)\right),$ (2)

where $t\in \left(a,b\right)$.

The derived vector of curve $\Gamma$

${r}^{\prime }\left(t\right)=\frac{\text{d}r\left(t\right)}{\text{d}t}=\left(\frac{\text{d}{x}_{1}\left(t\right)}{\text{d}t},\frac{\text{d}{x}_{2}\left(t\right)}{\text{d}t},\cdots ,\frac{\text{d}{x}_{n+1}\left(t\right)}{\text{d}t}\right)$ (3)

is called the tangent vector at point t of curve $\Gamma$.

If for all $t\in \left(a,b\right)$, we have ${r}^{\prime }\left(t\right)\ne 0$, then $\Gamma$ is called the regular curve.

If for all $t\in \left(a,b\right)$, the coordinates of regular curve $\Gamma$ satisfy

$\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}\left(t\right)-{a}_{i}\right)}^{2}={N}^{2}$,

Then curve $\Gamma$ is called the spherical curve of hypersphere $\sum$.

To deal with multi-secret sharing problem, for ${Z}_{p}\subset \left(a,b\right)$, we pick a transform between ${Z}_{p}^{t}$ and ${Z}_{p}^{n+1}$ as follows:

$\delta :\left({z}_{1},{z}_{2},\cdots ,{z}_{t}\right)↔\left({x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right)$

such that

$\left\{\begin{array}{l}{x}_{1}={x}_{1}\left({z}_{1},{z}_{2},\cdots ,{z}_{t}\right),\\ {x}_{2}={x}_{2}\left({z}_{1},{z}_{2},\cdots ,{z}_{t}\right),\\ ⋮\\ {x}_{n+1}={x}_{n+1}\left({z}_{1},{z}_{2},\cdots ,{z}_{t}\right).\end{array}$ (4)

In addition, let g be a primitive root of module-p, we define a bivariate function over Zp,

$F\left(u,v\right)={g}^{u+v},$ (5)

and a coordinate function over Zp,

${y}_{i}{}_{j}={y}_{i1}^{j}\left(i=0,1,2,\cdots ;j=1,2,\cdots ,n+1\right)$. (6)

3. Proposed Scheme

In this section, we propose a bipartite multi-secret sharing scheme based on hypersphere. In our scheme, a secret dealer is responsible for generating ${m}_{\text{1}}+{m}_{\text{2}}$ different secret share from the shared secrets ${S}_{1},{S}_{2},\cdot \cdot \cdot ,{S}_{t}$. And then, only given ${n}_{1}+{n}_{2}$ secret share, the shared secrets can be reconstructed.

3.1. The Distribution of the Secret Shares

The secret dealer randomly selects m1 different secret share ${k}_{i}\left(1\le i\le {m}_{1}\right)$ and number u1 from Zp, then distributes ${k}_{i}$ and ${u}_{1}$ to each participant Pi in group A through a secret channel as the secret share of these participants respectively. Similarly, m2 different secret shares ${\stackrel{¯}{k}}_{j}\left(1\le j\le {m}_{2}\right)$ and number u2 from Zp such that ${u}_{1}\ne {u}_{2}$ are selected by D to distribute to participants in group B through same secret channel.

Taking $n=\mathrm{max}\left\{{n}_{1},{n}_{2}\right\}$, without loss of generality, suppose that ${n}_{1}\ge {n}_{2}$, then $n={n}_{1}$. We assume that t shared secrets ${s}_{1},{s}_{2},\cdots ,{s}_{t}$ are all from Zp where $1\le t\le n$. By setting $\left({z}_{1},{z}_{2},\cdots ,{z}_{t}\right)=\left({s}_{1},{s}_{2},\cdots ,{s}_{t}\right)$ in (4), the secret dealer calculates

$\left\{\begin{array}{l}{x}_{1}\left({s}_{1},{s}_{2},\cdots ,{s}_{t}\right)={a}_{1},\\ {x}_{2}\left({s}_{1},{s}_{2},\cdots ,{s}_{t}\right)={a}_{2},\\ ⋮\\ {x}_{n+1}\left({s}_{1},{s}_{2},\cdots ,{s}_{t}\right)={a}_{n+1},\end{array}$ (7)

which yields a point $Q\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)\in {Z}_{p}^{n+1}$.

The secret dealer chooses a positive integer $N\in {Z}_{p}^{\ast }$ to get a spherical representation of a hypersphere

$\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}-{a}_{i}\right)}^{2}={N}^{2},$

where $Q\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)$ is the centre of this hypersphere.

The secret dealer chooses ${k}_{0}\in {Z}_{p}$ such that ${k}_{0}\ne {k}_{i}\left(1\le i\le {m}_{1}\right)$ and a bivariate function like (5), together with the coordinate function (6) to calculate over Zp as follows:

$\begin{array}{l}{y}_{01}=F\left({u}_{1},{k}_{0}\right)={g}^{{u}_{1}+{k}_{0}},\\ {y}_{0j}={y}_{01}^{j},j=1,2,\cdots ,n.\end{array}$

${y}_{0}{}_{,n+1}\in {Z}_{p}$ follows from the spherical representation, that is , ${y}_{0}{}_{,n+1}\in {Z}_{p}$ satisfies

$\underset{i=1}{\overset{n+1}{\sum }}{\left({y}_{0i}-{a}_{i}\right)}^{2}={N}^{2}$,

which yields a point on $\sum$,

${U}_{0}\left({y}_{01},{y}_{02},\cdots ,{y}_{0,n+1}\right)$.

It is not difficult to get a hypertangent plane π of $\sum$ at ${U}_{0}$ :

$\underset{i=1}{\overset{n+1}{\sum }}\left({y}_{0i}-{a}_{i}\right)\left({x}_{i}-{y}_{0i}\right)=0$.

Letting ${\xi }_{i}={y}_{0i}-{a}_{i},M=\underset{i=1}{\overset{n+1}{\sum }}{y}_{0i}\left({y}_{0i}-{a}_{i}\right)$, one obtains a following equation of hypertangent plane π:

$\underset{i=1}{\overset{n+1}{\sum }}{\xi }_{i}{x}_{i}=M$. (8)

The secret dealer D make computation according to the secret share ki of the participant Pi in group A and value u1 as follows:

$\begin{array}{l}{y}_{i1}=F\left({u}_{1},{k}_{i}\right)={g}^{{u}_{1}+{k}_{i}},\text{\hspace{0.17em}}\text{\hspace{0.17em}}\left(1\le i\le {m}_{1}\right);\\ {y}_{ij}={y}_{i1}^{j}={g}^{\left({u}_{i}+{k}_{i}\right)j},\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\left(1\le i\le {m}_{1},1\le j\le n\right);\end{array}$

$\begin{array}{l}{y}_{i,n+1}=\left(M-\underset{j=1}{\overset{n}{\sum }}{\xi }_{j}{y}_{ij}\right){\xi }_{n+1}^{-1},\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\left(1\le i\le {m}_{1}\right);\\ {H}_{i}=M-\underset{j=1}{\overset{n}{\sum }}{\xi }_{j}{y}_{ij},\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\text{\hspace{0.17em}}\left(1\le i\le {m}_{1}\right);\end{array}$

${H}_{0}={\xi }_{n+1}{y}_{0,n+1}$.

Thus, point ${U}_{i}\left({y}_{i1},{y}_{i2},\cdots ,{y}_{i,n+1}\right)$ is on the hypertangent plane π. There are m1 points in all. The secret dealer publishs ${H}_{i}\left(0\le i\le {m}_{1}\right)$, the coordinates of point U0, the expressions of the bivariate function and the coordinate function on NB.

The secret dealer D chooses a spherical curve $\Gamma$ on the hypersphere $\sum$,

$r=r\left(t\right)=\left({x}_{1}\left(t\right),{x}_{2}\left(t\right),\cdots ,{x}_{n+1}\left(t\right)\right)$. (9)

Differentiating (9) it follows

${r}^{\prime }\left(t\right)=\left({{x}^{\prime }}_{1}\left(t\right),{{x}^{\prime }}_{2}\left(t\right),\cdots ,{{x}^{\prime }}_{n+1}\left(t\right)\right)$. (10)

The secret dealer D set $t={t}_{0}$ with ${t}_{0}\in {Z}_{p}$ such that ${x}_{1}\left({t}_{0}\right)\ne {y}_{01}$, which yields that

$r\left({t}_{0}\right)=\left({x}_{1}\left({t}_{0}\right),{x}_{2}\left({t}_{0}\right),\cdots ,{x}_{n+1}\left({t}_{0}\right)\right),$

${r}^{\prime }\left({t}_{0}\right)=\left({{x}^{\prime }}_{1}\left({t}_{0}\right),{{x}^{\prime }}_{2}\left({t}_{0}\right),\cdots ,{{x}^{\prime }}_{n+1}\left({t}_{0}\right)\right),$

Then the secret dealer D can derive a hypernormal plane $\stackrel{¯}{\pi }$ of curve $\Gamma$ at $t={t}_{0}$,

${r}^{\prime }\left({t}_{0}\right)\cdot \left(\rho -r\left({t}_{0}\right)\right)=0$,

That is,

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right)\left({x}_{i}-{x}_{i}\left({t}_{0}\right)\right)=0$,

where $\rho =\left({x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right)$ is a vector of the moving point coordinates.

Letting ${\stackrel{¯}{\xi }}_{i}={{x}^{\prime }}_{i}\left({t}_{0}\right)$, $\stackrel{¯}{M}=\underset{i=1}{\overset{n+1}{\sum }}{x}_{i}\left({t}_{0}\right){{x}^{\prime }}_{i}\left({t}_{0}\right)$, one gets the following equation of the hypernormal plane $\stackrel{¯}{\pi }$ :

$\underset{i=1}{\overset{n+1}{\sum }}{\stackrel{¯}{\xi }}_{i}{x}_{i}=\stackrel{¯}{M}$. (11)

The secret dealer D chooses numbers ${\gamma }_{i},{u}_{2}\in {Z}_{p}$ such that ${u}_{2}\ne {u}_{1},{\gamma }_{i}\ne {\stackrel{¯}{k}}_{h}\left(0\le i\le n-{n}_{2},1\le h\le {m}_{2}\right)$, together with the bivariate function and the coordinate function as well as the secret share ${\stackrel{¯}{k}}_{h}$ of m2 participants ${P}_{h}$ in group B to calculate over Zp as follows:

$\begin{array}{l}{\stackrel{¯}{y}}_{i1}=F\left({u}_{2},{\gamma }_{i}\right)={g}^{{u}_{2}+{\gamma }_{i}},\\ {\stackrel{¯}{y}}_{ij}={\stackrel{¯}{y}}_{i1}^{j}={g}^{\left({u}_{2}+{\gamma }_{i}\right)j},\\ {\stackrel{¯}{y}}_{\delta +h,1}=F\left({u}_{2},{\stackrel{¯}{k}}_{h}\right)={g}^{{u}_{2}+{\stackrel{¯}{k}}_{h}},\\ {\stackrel{¯}{y}}_{\delta +h,j}={\stackrel{¯}{y}}_{\delta +h,1}^{j}={g}^{\left({u}_{2}+{\stackrel{¯}{k}}_{h}\right)j},\end{array}$

$\begin{array}{l}{\stackrel{¯}{H}}_{i}=\stackrel{¯}{M}-\underset{j=1}{\overset{n}{\sum }}{\stackrel{¯}{\xi }}_{j}{\stackrel{¯}{y}}_{ij},\\ {\stackrel{¯}{y}}_{i,n+1}=\left(\stackrel{¯}{M}-\underset{j=1}{\overset{n}{\sum }}{\stackrel{¯}{\xi }}_{j}{\stackrel{¯}{y}}_{ij}\right){\stackrel{¯}{\xi }}_{n+1}^{-1},\\ {\stackrel{¯}{H}}_{\delta +h}=\stackrel{¯}{M}-\underset{j=1}{\overset{n}{\sum }}{\stackrel{¯}{\xi }}_{j}{\stackrel{¯}{y}}_{\delta +h,j},\\ {\stackrel{¯}{y}}_{\delta +h,n+1}=\left(\stackrel{¯}{M}-\underset{j=1}{\overset{n}{\sum }}{\stackrel{¯}{\xi }}_{j}{\stackrel{¯}{y}}_{\delta +h,j}\right){\stackrel{¯}{\xi }}_{n+1}^{-1}.\end{array}$

where $\delta =n-{n}_{2},0\le i\le \delta ,1\le h\le {m}_{2},1\le j\le n$.

Hence the secret dealer D obtains altogether ${m}_{2}+\delta +1$ hyperplanes, those are ${V}_{i}\left({\stackrel{¯}{y}}_{i1},{\stackrel{¯}{y}}_{i2},\cdots ,{\stackrel{¯}{y}}_{i,n+1}\right)$ and ${V}_{\delta +h}\left({\stackrel{¯}{y}}_{\delta +h,1},{\stackrel{¯}{y}}_{\delta +h,2},\cdots ,{\stackrel{¯}{y}}_{\delta +h,n+1}\right)$. At the same time the secret dealer D publishs ${\stackrel{¯}{H}}_{i},{\stackrel{¯}{H}}_{\delta +h}$ and the coordinate of ${V}_{i}\left(0\le i\le \delta \right)$ on NB.

3.2. Reconstruction of the Secrets

For arbitrary ${n}_{1}\left(=n\right)$ participants in group A gather their secret shares together, without loss of generality, suppose that they are ${P}_{i}\left(1\le i\le n\right)$. Each participant ${P}_{i}$ uses his private share ${k}_{i}$ and the public information on the NB to calculate ${y}_{ij}\left(1\le i\le n,1\le j\le n\right)$ respectively. Then these n cooperative participants substitute yij, Hi and the coordinate of U0 into the following undetermined expression

$\underset{j=1}{\overset{n}{\sum }}{\xi }_{j}{y}_{ij}+{H}_{i}=M,\text{\hspace{0.17em}}\text{\hspace{0.17em}}\left(0\le i\le n\right).$

Which yields that the following system of equations:

$\left\{\begin{array}{l}{y}_{01}{\xi }_{1}+{y}_{02}{\xi }_{2}+\cdots +{y}_{0n}{\xi }_{n}+{H}_{0}=M,\\ {y}_{11}{\xi }_{1}+{y}_{12}{\xi }_{2}+\cdots +{y}_{1n}{\xi }_{n}+{H}_{1}=M,\\ ⋮\\ {y}_{n1}{\xi }_{1}+{y}_{n2}{\xi }_{2}+\cdots +{y}_{nn}{\xi }_{n}+{H}_{n}=M.\end{array}$ (12)

Calculating ${\xi }_{i}\left(1\le i\le n\right)$ and M in (12), they obtain the equation of hypertangent plane π about the hypersphere $\sum$ at point U0,

$\underset{i=1}{\overset{n+1}{\sum }}{\xi }_{i}{x}_{i}=M.$ (13)

where ${\xi }_{n+1}$ is given by ${\xi }_{n+1}={H}_{0}{y}_{0,n+1}^{-1}$.

These n cooperative participants get a normal vector $\xi =\left({\xi }_{1},{\xi }_{2},\cdots ,{\xi }_{n+1}\right)$ from (13), which derive the equation of normal line L about π at point U0 as follows:

$\frac{{x}_{1}-{y}_{01}}{{\xi }_{1}}=\frac{{x}_{2}-{y}_{02}}{{\xi }_{2}}=\cdots =\frac{{x}_{n+1}-{y}_{0,n+1}}{{\xi }_{n+1}}$, (14)

where $\left({x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right)$ is a moving point coordinate vector.

Similarly, arbitrary n2 participants in group B gather their secret shares together, without loss of generality, suppose that they are ${\stackrel{¯}{P}}_{j}\left(1\le j\le {n}_{2}\right)$ who possess secret share ${\stackrel{¯}{k}}_{j}$ respectively. They use ${\stackrel{¯}{k}}_{j}$ and the public information on NB to obtain the following system of equations:

$\left\{\begin{array}{l}{\stackrel{¯}{y}}_{01}{\stackrel{¯}{\xi }}_{1}+{\stackrel{¯}{y}}_{02}{\stackrel{¯}{\xi }}_{2}+\cdots +{\stackrel{¯}{y}}_{0n}{\stackrel{¯}{\xi }}_{n}+{\stackrel{¯}{H}}_{0}=\stackrel{¯}{M}\\ {\stackrel{¯}{y}}_{11}{\stackrel{¯}{\xi }}_{1}+{\stackrel{¯}{y}}_{12}{\stackrel{¯}{\xi }}_{2}+\cdots {+}_{1n}\stackrel{¯}{y}{\stackrel{¯}{\xi }}_{n}+{\stackrel{¯}{H}}_{1}=\stackrel{¯}{M},\\ ⋮\\ {\stackrel{¯}{y}}_{\delta 1}{\stackrel{¯}{\xi }}_{1}+{\stackrel{¯}{y}}_{\delta 2}{\stackrel{¯}{\xi }}_{2}+\cdots +{\stackrel{¯}{y}}_{\delta n}{\stackrel{¯}{\xi }}_{n}+{\stackrel{¯}{H}}_{\delta }=\stackrel{¯}{M},\\ {\stackrel{¯}{y}}_{\delta +1,1}{\stackrel{¯}{\xi }}_{1}+{\stackrel{¯}{y}}_{\delta +1,2}{\stackrel{¯}{\xi }}_{2}+\cdots +{\stackrel{¯}{y}}_{\delta +1,n}{\stackrel{¯}{\xi }}_{n}+{\stackrel{¯}{H}}_{\delta +1}=\stackrel{¯}{M},\\ ⋮\\ {\stackrel{¯}{y}}_{\delta +{n}_{2},1}{\stackrel{¯}{\xi }}_{1}+{\stackrel{¯}{y}}_{\delta +{n}_{2},2}{\stackrel{¯}{\xi }}_{2}+\cdots +{\stackrel{¯}{y}}_{\delta +{n}_{2},n}{\stackrel{¯}{\xi }}_{n}+{\stackrel{¯}{H}}_{\delta +{n}_{2}}=\stackrel{¯}{M}.\end{array}$ (15)

From (15) it follows ${\stackrel{¯}{\xi }}_{i}\left(1\le i\le n\right)$ and $\stackrel{¯}{M}$. By calculating ${\stackrel{¯}{\xi }}_{n+1}={\stackrel{¯}{H}}_{0}{y}_{0,n+1}^{-1}$, these n2 cooperative participants can obtain the equation of hypernormal plane $\stackrel{¯}{\pi }$ about hypersphere $\sum$,

$\underset{i=1}{\overset{n+1}{\sum }}{\stackrel{¯}{\xi }}_{i}{x}_{i}=\stackrel{¯}{M}.$ (16)

At last, these n1 cooperative participants in group A and that n2 cooperative participants in group B solve in common the following set of equations which consist of (14) and (16):

$\left\{\begin{array}{l}\frac{{x}_{1}-{y}_{01}}{{\xi }_{1}}=\frac{{x}_{2}-{y}_{02}}{{\xi }_{2}}=\cdots =\frac{{x}_{n+1}-{y}_{0,n+1}}{{\xi }_{n+1}},\\ \underset{i=1}{\overset{n+1}{\sum }}{\stackrel{¯}{\xi }}_{i}{x}_{i}=\stackrel{¯}{M}.\end{array}$

Which yields the centre coordinate of hypersphere $\sum$, that is, $\left({x}_{1},{x}_{2},\cdots ,{x}_{n+1}\right)=\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)$. Then by solving the transformation formula (7), these participants can recover the shared secrets ${s}_{1},{s}_{2},\cdots ,{s}_{t}$.

4. Analysis of the Scheme

4.1. Correctness Proof

If the secret dealer and the participants are all honest in this scheme, at least n1 participants in group A and at least n2 participants in group B get together to reconstruct the shared secrets during the execution of reconstruction algorithm. To obtain this conclusion, we need only to prove the following theorem.

Theorem 2. The hypernormal plane π of any spherical curve $\Gamma$ on a hypersphere $\sum$ always passes the centre of this hypersphere.

Proof. Let us put the spherical representation of $\sum$ as follows:

$\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}-{a}_{i}\right)}^{2}={N}^{2},$

and let spherical curve $\Gamma$ be

$r\left(t\right)=\left({x}_{1}\left(t\right),{x}_{2}\left(t\right),\cdots ,{x}_{n+1}\left(t\right)\right)$.

Hence, we have

$\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}\left(t\right)-{a}_{i}\right)}^{2}={N}^{2},$

and there exist a tangent vector of arbitrary point $\left({x}_{1}\left({t}_{0}\right),{x}_{2}\left({t}_{0}\right),\cdots ,{x}_{n+1}\left({t}_{0}\right)\right)$ on the spherical curve $\Gamma$,

${r}^{\prime }\left({t}_{0}\right)=\left({{x}^{\prime }}_{1}\left({t}_{0}\right),{{x}^{\prime }}_{2}\left({t}_{0}\right),\cdots ,{{x}^{\prime }}_{n+1}\left({t}_{0}\right)\right)$.

Let the coordinate of moving point on the hypernormal plane at t0 be $\left({X}_{1},{X}_{2},\cdots ,{X}_{n+1}\right)$, then the equation of this hypernormal plane is

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right)\left({X}_{i}-{x}_{i}\left({t}_{0}\right)\right)=0.$

It implies

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right){X}_{i}-\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right){x}_{i}\left({t}_{0}\right)=0$. (17)

Differentiating $\underset{i=1}{\overset{n+1}{\sum }}{\left({x}_{i}\left(t\right)-{a}_{i}\right)}^{2}={N}^{2}$, we have

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left(t\right)\left({x}_{i}\left(t\right)-{a}_{i}\right)=0.$

Which implies that when $t={t}_{0}$, we get

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right){x}_{i}\left({t}_{0}\right)=\underset{i=1}{\overset{n+1}{\sum }}{a}_{i}{{x}^{\prime }}_{i}\left({t}_{0}\right)$. (18)

Substituting (18) into (17) , we obtain the hypernormal plane $\stackrel{¯}{\pi }$ as follows:

$\underset{i=1}{\overset{n+1}{\sum }}{{x}^{\prime }}_{i}\left({t}_{0}\right)\left({X}_{i}-{a}_{i}\right)=0.$

Obviously, it passes the centre $\left({a}_{1},{a}_{2},\cdots ,{a}_{n+1}\right)$ of hypersphere.

This completes the proof.

In our scheme, since the normal line L of hypertangent plane π at U0 passes the centre of hypersphere too, it follows that the cross point of normal line L and hypernormal plane $\stackrel{¯}{\pi }$ is the centre of hypersphere.

Theorem 3. The unique hypertangent plane π over Zp is determined by arbitary n different points of m1 points derived from the secret shares ${k}_{i}\left(1\le i\le {m}_{1}\right)$ together with point U0.

Proof. The system of Equations (12) determined by n different points and the public point U0 can be modified as follows:

$\left\{\begin{array}{l}-M+{y}_{01}{\xi }_{1}+{y}_{02}{\xi }_{2}+\cdots +{y}_{0n}{\xi }_{n}=-{H}_{0},\\ -M+{y}_{11}{\xi }_{1}+{y}_{12}{\xi }_{2}+\cdots +{y}_{1n}{\xi }_{n}=-{H}_{1},\\ ⋮\\ -M+{y}_{n1}{\xi }_{1}+{y}_{n2}{\xi }_{2}+\cdots +{y}_{nn}{\xi }_{n}=-{H}_{n},\end{array}$ (19)

where M and ${\xi }_{i}\left(1\le i\le n\right)$ are unknown numbers of this system.

The determinant of coefficient for (19) can be obtained that

$D=|\begin{array}{ccccc}-1& {y}_{01}& {y}_{02}& \cdots & {y}_{0n}\\ -1& {y}_{11}& {y}_{12}& \cdots & {y}_{1n}\\ -1& ⋮& ⋮& & ⋮\\ -1& {y}_{n1}& {y}_{n2}& \cdots & {y}_{nn}\end{array}|=-|\begin{array}{cccc}1& 1& \cdots & 1\\ {y}_{01}& {y}_{11}& \cdots & {y}_{n1}\\ {y}_{01}^{2}& {y}_{11}^{2}& \cdots & {y}_{n1}^{2}\\ ⋮& ⋮& & ⋮\\ {y}_{01}^{n}& {y}_{11}^{n}& \cdots & {y}_{n1}^{n}\end{array}|=-\underset{n\ge i＞j\ge 0}{\prod }\left({y}_{i1}-{y}_{j1}\right)\text{ }\text{ }.$

Since ${y}_{i1}=F\left({u}_{1},{k}_{i}\right)={g}^{{u}_{1}+{k}_{i}},$

${y}_{j1}=F\left({u}_{1},{k}_{j}\right)={g}^{{u}_{1}+{k}_{j}},$

where $F\left(u,v\right)$ is the bivariate function over Zp and g is a primitive root of modulo-p.

For any ${k}_{i}\ne {k}_{j}$, we have ${y}_{i1}\ne {y}_{j1}$, hence $D\ne 0$. It follows from Gramer rule that (19) has a unique set of solutions M, ${\xi }_{i}\left(1\le i\le n\right)$. Thus, the unique hypertangent plane π over Zp. Can be determined by this set of solutions.

As a result, we obtain theorem.

Similarly, we can prove that the unique hypernormal plane $\stackrel{¯}{\pi }$ over Zp is determined by arbitary n2 different points of m2 points derived from the secret shares ${\stackrel{¯}{k}}_{j}\left(1\le j\le {m}_{2}\right)$ together with $\delta +1$ public points ${V}_{i}\left(0\le i\le \delta \right)$.

The above theorem show a deterministic condition for the hypertangent plane or the hypernormal plane.

4.2. Security Analysis

The security of proposed scheme is based on the deterministic condition of hyperplane.

Theorem 4. Arbitrary n points in ${R}^{n}{}^{+\text{1}}$ cannot determine unique hyperplane over Zp.

Proof. Suppose in existence n points (there is no harm in taking ${U}_{0},{U}_{1},\cdots ,{U}_{n-1}$ ) can determine a hyperplane π1. Then, we pick a point W which is out of π 1 in ${R}^{n}{}^{+\text{1}}$ such that the coordinate vectors of ${U}_{0},{U}_{1},\cdots ,{U}_{n-1}$, W is linearly independent. By theorem 3, it is obvious that ${U}_{0},{U}_{1},\cdots ,{U}_{n-1}$, W can determine unique hyperplane π2 over Zp. Because W is out of π1, it follows that ${\pi }_{\text{1}}\ne {\pi }_{\text{2}}$. However, ${U}_{0},{U}_{1},\cdots ,{U}_{n-1}$ are on not only π1 but also π2. This is a contradiction. Thus, we completes the proof of theorem 4.

It can be shown from the theorem 4 that ${n}_{\text{1}}-\text{1}$ or fewer participants in group A submiting their secret shares can only produce n1 points including U0 at most. So that they have no way of determining hypertangent plane π. Similarly, ${n}_{\text{2}}-\text{1}$ or fewer participants in group B have no way of determining hypernormal plane $\stackrel{¯}{\pi }$ too. This shows that the less than n1 participants in group A or the less than n2 participants in group B gathering their secret shares together cannot recover the shared secrets ${S}_{\text{1}},{S}_{\text{2}},\cdots ,{S}_{t}$.

In addition, it is not difficult for an attacker to get the public informations ${H}_{i},{\stackrel{¯}{H}}_{j}$ in the proposed scheme. Hwever, ${H}_{i},{\stackrel{¯}{H}}_{j}$ are product of the coefficient ${\xi }_{n+1},{\stackrel{¯}{\xi }}_{n+1}$ and the last coordinate value of points which are derived from the secret shares of m1 participants in group A and m2 participants in group B respectively. They are calculated by the equation of hyperplanes and the front n coordinate value of derived points. On the contrary, the front n coordinate value of derived points cannot be predicted by ${H}_{i},{\stackrel{¯}{H}}_{j}$, that means the attacker could not obtain the shared secrets from the public informations on NB. Moreover, together with the bivariate function, calculating ${k}_{i},{\stackrel{¯}{k}}_{j}$ from ${y}_{01},{\stackrel{¯}{y}}_{01}$ respectively need to solve the discrete logarithm problem, As we know that the discrete logarithm problem is intractable, it is impossible for an attacker to obtain the participant’s secret share.

4.3. Performance Analysis

4.3.1. Information Rate of the Proposed Scheme

By the construction of proposed scheme, each share ${k}_{i}$ or ${\stackrel{¯}{k}}_{j}$ is choosed from Zp，and the shared secrets ${S}_{\text{1}},{S}_{\text{2}},\cdots ,{S}_{t}$ from Zp too. It follows that $|{K}_{h}|=|S|=p$,where Kh is a set of possible secret shares of participants in group A or in group B, and S is a set of possible shared secrets. Hence, the information rate of this scheme is

$\rho =\mathrm{min}\left\{{\rho }_{h}|{\rho }_{h}=\mathrm{lg}|S|/\mathrm{lg}|{K}_{h}|,1\le h\le {m}_{1}+{m}_{2}\right\}=p/p=1.$

This shows that the proposed scheme is ideal one.

4.3.2. Advantages of the Proposed Scheme

1) Multiple secrets can be reconstructed simultaneously within a secret sharing session.

2) Since the participants provide the derived points of secret shares but not the secret share ${k}_{i},{\stackrel{¯}{k}}_{j}$ during the reconstruction of secrets, it follows that the secret shares of participants are still kept confidential after recovering all of the secrets and the secret shares could be used to share a new set of secrets.

3) When a new participant joins the system, the secret dealer needs only to select a new secret share that its derived points is on the hyperplane to distribute to this new participant secretly. When we need to delete a participant, the dealer needs only to change the value of parameter u in the bivariate function to recompute hyperplane, whereas the remainder participants can share next secrets by same secret shares. So it is very easy that the participants can join or leave the system.

4) When the value of threshold n1 or n2 is changed, namely,

$\left({n}_{\text{1}}+{n}_{\text{2}},{m}_{\text{1}}+{m}_{\text{2}}\right)$ change into $\left({\stackrel{¯}{n}}_{1}+{\stackrel{¯}{n}}_{2},{m}_{1}+{m}_{2}\right)$, let us put

$n=\mathrm{max}\left({n}_{1},{n}_{2}\right)$ and $\stackrel{¯}{n}=\mathrm{max}\left({\stackrel{¯}{n}}_{1},{\stackrel{¯}{n}}_{2}\right)$, the secret dealer needs only to turn the n+1 dimension space into a $\stackrel{¯}{n}+1$ dimension space and go on according to the same scheme. Whereas there is no need to change the one’s own secret share for each participant.

The above advantages of this scheme are not provided by the secret sharing scheme with bipartite access structure [13] [14] [15]. In addition, the scheme uses hypersphere geometry to study, which is more intuitive and clear than the scheme [13] [14] [15], and the method is more unique.

4.3.3. Computational Complexity

The only operations used in this scheme are linear combination operation, determinant operation and exponentiation operation, of which the former is negligible complexity. Obviously, the performance of the scheme mainly depends on the calculation of determinant, which is relatively easy to implement. If the determinant is computed by Wiedemann algorithm in [19], the performance of this scheme will be further improved. In the following, we count the number of times of exponentiation operations taken by the secret dealer and each participant.

1) In the distribution stage: the secret dealer D calculate ${g}^{{u}_{1}}{}^{+{k}_{i}}$ over Zp altogether ${m}_{\text{1}}+\text{1}$ times and calculate ${g}^{{u}_{2}+{\stackrel{¯}{k}}_{j}}$ over Zp altogether ${m}_{2}+{n}_{1}-{n}_{2}+1$ times.

2) In the reconstruction stage: authorized participants in group A calculate ${g}^{{u}_{1}}{}^{+{k}_{i}}$ over Zp altogether n1 times and ones in group B calculate ${g}^{{u}_{2}+{\stackrel{¯}{k}}_{j}}$ over Zp altogether n2 times.

Thus it can seen that the proposed scheme needs ${m}_{\text{1}}+{m}_{\text{2}}+\text{2}\left(n+\text{1}\right)$ exponentiation operations. We remark that one exponentiation operation can be done in time $O\left({\left(\mathrm{log}p\right)}^{3}\right)$. In that way, sharing and reconstructing the secrets can be done in all time $O\left(\left({m}_{1}+{m}_{2}+2\left(n+1\right)\right){\left(\mathrm{log}p\right)}^{3}\right)$. It is obvious that the proposed scheme satisfies the definition of a computationally efficient secret sharing scheme.

This scheme is more effective than other secret sharing schemes [6] - [12] on general access structure when sharing larger secrets. Assuming that the length of the secret shared is $t×512$ bits, a comparison is made between the scheme in [6] and the one in this paper. In the scheme in [6], the length of module-p should be at least $t×512$ bits. With the scheme in my paper, the shared secret can be divided into t sub-secrets, and then the t sub-secrets can be shared. Therefore, the length of module-p is 512 bits, which greatly reduces the computational complexity compared with the scheme in [6].

5. Conclusion

In this paper, an efficient bipartite $\left({n}_{1}+{n}_{2},{m}_{1}+{m}_{2}\right)$ -threshold multi-secret sharing

scheme is proposed, which is based on a hypersphere by using a geometric method, In this scheme, multi-secret could be shared and each participant needs only to hold one secret share in renewing the shared secrets without updating each participant’s secret share. Compared with the existing bipartite secret sharing scheme, it is easy to show that not only the participants can leave the system and new participants can be added into the system dynamically, but also the values of threshold n1, n2 can be changed. Therefore, the proposed scheme is very effective and practical.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

 [1] Shamir, A. (1979) How to Share a Secret. Communications of the ACM, 22, 612-613. https://doi.org/10.1145/359168.359176 [2] Blakley, G. (1979) Safeguarding Cryptographic Keys. Proceedings of 1979 International Workshop on Managing Requirements Knowledge, 48, 313-317. https://doi.org/10.1109/MARK.1979.8817296 [3] McEliece, R.J. and Sarwate, D.V. (1981) On Sharing Secrets and Reed-Solomon codes. Communications of the ACM, 24, 583-584. https://doi.org/10.1145/358746.358762 [4] Asmuth, C. and Bloom, J.A. (1983) A Modular Approach to Key Safeguarding. IEEE Transactions on Information Theory, 29, 208-210. https://doi.org/10.1109/TIT.1983.1056651 [5] Karnin, E.D., Green, J.W. and Hellman, M.E. (1983) On Secret Sharing System. IEEE Transactions on Information Theory, 29, 35-41. https://doi.org/10.1109/TIT.1983.1056621 [6] Nojoumian, M. and Stinson, D.R. (2013) On Dealer-Free Dynamic Threshold Schemes. Advances in Mathematics of Communications, 7, 39-56. https://doi.org/10.3934/amc.2013.7.39 [7] Fine, B., Moldenhauer, I.S. and Rosenberger, G. (2013) A Secret Sharing Scheme Based on the Closet Vector Theorem and a Modification to a Private Key Cryptosystem. Groups Complexity Cryptology, 5, 223-238. https://doi.org/10.1515/gcc-2013-0012 [8] Blundo, C., Santis, A.D. and Crescenzo, G.D. (1995) Multi-Secret Sharing Schemes. Advances in Cryptology, 839, 150-163. [9] Shao, J., Zhang, J. and Zhao, R. (2007) A Practical Verifiable Multi-Secret Sharing Scheme. Computer Standards and Interfaces, 29, 138-141. https://doi.org/10.1016/j.csi.2006.02.004 [10] Dehkordi, M.H. and Mashhadi, S. (2008) New Efficient and Practical Verifiable Multi-Secret Sharing Schemes. Information Sciences, 178, 2262-2274. https://doi.org/10.1016/j.ins.2007.11.031 [11] Wang, S.T., Tsai, Y.R. and Shen, C.C. (2011) Verifiable Threshold, Scheme in Multi-Secret Sharing Distributions upon Extensions of ECC. Wireless Personal Communications, 56, 173-182. https://doi.org/10.1007/s11277-009-9875-0 [12] Eslami, Z. and Ahmadabadi, J.Z. (2010) A Verifiable Multi-Secret Sharing Scheme Based on Cellular Automata. Information Sciences, 180, 2889-2894. https://doi.org/10.1016/j.ins.2010.04.015 [13] Padro, C. and Saez, G. (2000) Secret Sharing Schemes with Bipartite Access Structure. IEEE Transactions on Information Theory, 46, 2596-2604. https://doi.org/10.1109/18.887867 [14] Li, B. (2006) Difference Secret Sharing Scheme Based on Special Access Right. Journal of Sichuan University, 43, 78-83. [15] Li, B. (2014) The Secret Sharing Scheme Based on Acyclic Polynomial Sequence. Journal of Sichuan University, 51, 423-427. [16] Marti, J.F. and Padro, C. (2007) On Secret Sharing Schemes, Matroids and Polymatroids. Proceedings of the Fourth Theory of Cryptography Conference Amsterdam, 4392, 253-272. [17] Ng, S.L. and Walker, M. (2001) On the Composition of Matroids and Ideal Secret Sharing Schemes. Designs, Codes and Cryptography, 24, 49-67. [18] Cheng, Q., Yin, Y., Xiao, K. and Hsu, C.-F. (2009) On Non-Representable Secret Sharing Matroids. Proceedings of the 5th International Conference on Information Security Practice and Experience, 5451, 124-135. [19] Wu, T.C. and He, W.H. (1995) A Geometric Approach for Sharing Secrets. Computers & Security, 14, 135-145. https://doi.org/10.1016/0167-4048(95)97047-E [20] Li, B. (2014) The Threshold Secret Sharing Scheme Based on Hyperspace Parameter Curve. Journal of Zhejiang University, 41, 518-522.