_{1}

^{*}

To address the problem that existing bipartite secret sharing scheme is short of dynamic characteristic, and to solve the problem that each participant can only use secret share once, this paper proposed a bipartite
_{(n1+n2, m1+m2)}-threshold multi-secret sharing scheme which combined cryptography and hypersphere geometry. In this scheme, we introduced a bivariate function and a coordinate function over finite field
Z
_{p} to calculate the derived points of secret share, which can reconstruct the shared secrets by producing the intersection point of hypernormal plane and normal line on the hypertangent plane. At the initial stage the secret dealer distributes to each participant a secret share that can be kept secret based on the intractability of discrete logarithm problem and need not be changed with updating the shared secrets.Each cooperative participant only needs to submit a derived point calculated from the secret share without exposing this secret share during the process of reconstructing the shared secret. Analyses indicate that the proposed scheme is not only sound and secure because of hypersphere geometric properties and the difficulty of discrete logarithm problem, but also efficient because of its well dynamic behavior and the invariant secret share. Therefore, this bipartite threshold multi-secret sharing scheme is easy to implement and is applicable in practical settings.

Secret sharing plays a significant role in information security. It has become one of the most important research areas in modern cryptography and has wide applications in many fields. Its theories models are rapidly developed. A secret sharing scheme allows a secret dealer to split a secret into secret shares and to distribute the secret shares among a group of participants in the way that only if a certain specified subset of the participants pooling together their shares can reconstruct the shared secret, while any unqualified subsets cannot obtain anything about the shared secret. Particularly, a (t,n)-threshold secret sharing scheme allows the secret to being shared by a secret dealer among n participants in such a way that any t or more participants gathering their secret shares together can recover the shared secrets, but t − 1 or fewer participants cannot obtain any knowledge about the shared secret. Two basic (t,n)-threshold secret sharing schemes based on Lagrange interpolating and affine geometry were proposed by Shamir [

In the original (t,n)-threshold secret sharing schemes, if there are r secrets to be shared among the same n participants, the secret dealer should run the (t,n)-threshold secret sharing scheme for r times. It results in a low efficiency. To solve the problem, Blundo et al. [

These secret sharing schemes are all based on an assumption that all participants are equal in status, right and dependability. However, the assumption is very hard to satisfy in fact. In many cases, participants have different access right. Padro et al. [

In all of the above-mentioned schemes, there is a drawback that some participants might have left the group and adversary might have corrupted more than n 1 − 1 (or n 2 − 1 ) participants. The security policy and adversary structure of a secret sharing scheme may change after the setup of the scheme and before the recovery of the shared secret. So it is desirable to design a bipartite threshold secret sharing scheme which allows the value n_{1} or n_{2 }of threshold and number m_{1} or m_{2} of participants to change before the recovery of the secret, and which remains secure under these changes.

In this paper, we use the hypertangent plane and the hypernormal plane on the hypersphere to construct a ( n 1 + n 2 , m 1 + m 2 ) -threshold multi-secret sharing scheme. This threshold scheme is ideal which not only the participants can join or leave the system dynamically but also the value of threshold is easy to change as well as multi-secret could be shared and renewed. In addition, the participants need not provide their real secret shares and the secret shares need not to be renewed when the shared secret is changed.

Organization of this paper is as follows. We introduce related notions and results in Section 2. In Section 3, we propose our construction by using geometric method. Section 4 details our validity analysis, security analysis and performance analysis respectively. We draw the conclusion in Section 5.

In this section we review some basic definitions and notations that will be used through the paper.

Definition 1. Let A, B be two groups of participants with difference access right such that A ∩ B = ϕ , | A | = m 1 , | B | = m 2 . Set n 1 , n 2 ∈ Z ∗ satisfying m i ≥ max { | n 1 − n 2 | + 1 , n i } , i = 1 , 2 . Each participant in A obtains a secret share k i ( 1 ≤ i ≤ m 1 ) respectively and each participant in B obtains a secret share k ¯ j ( 1 ≤ j ≤ m 2 ) respectively. The shared secret S can be restored only if at least n_{1} participants in group A and n_{2} participants in group B combine their secret shares. Then this method is called bipartite ( n 1 + n 2 , m 1 + m 2 ) -threshold secret sharing scheme, where the number n_{1}, n_{2 }are called the value of threshold.

In this paper, Let A = { P 1 , P 2 , ⋯ , P m 1 } , B = { P ¯ 1 , P ¯ 2 , ⋯ , P ¯ m 2 } , where P i ( 1 ≤ i ≤ m 1 ) , P ¯ j ( 1 ≤ j ≤ m 2 ) are some participants. Let D be the secret dealer who distributes the secret shares among the participants, NB be an electronic proclamation board on which the secret dealer can write information but others cannot. All operations in this paper are carried out over finite field Z_{p}, where p is a large prime satisfying p ≡ 3 mod 4 . The following theorem is proposed in [

Theorem 1. Let p be an odd prime. If 2 is not quadratic residue module-p, then arbitrary N 2 ∈ [ 0 , p ) can be expressed to sum of squares for arbitrany n+1 integer module-p.

Let [ O ; x 1 , x 2 , ⋯ , x n + 1 ] be n+1 dimension Cartesian orthogonal coordinate system in real Euclidean space R n + 1 .

Definition 2. Assume that Q ( a 1 , a 2 , ⋯ , a n + 1 ) is a point of R n + 1 , N ∈ Z p , and let N denote the radius of hypersphere Σ. Then the spherical representation of hypersphere Σ is defined as follows:

∑ i = 1 n + 1 ( x i − a i ) 2 = N 2 , (1)

where ( x 1 , x 2 , ⋯ , x n + 1 ) is the coordinate of arbitrary point on hypersphere Σ. Q ( a 1 , a 2 , ⋯ , a n + 1 ) is called the centre of hypersphere.

Definition 3. For ( a , b ) ⊂ R , a R-continuously differentiable curve Γ from (a,b) to R n + 1 is defined as vector function in [

r = r ( t ) = ( x 1 ( t ) , x 2 ( t ) , ⋯ , x n + 1 ( t ) ) , (2)

where t ∈ ( a , b ) .

The derived vector of curve Γ

r ′ ( t ) = d r ( t ) d t = ( d x 1 ( t ) d t , d x 2 ( t ) d t , ⋯ , d x n + 1 ( t ) d t ) (3)

is called the tangent vector at point t of curve Γ .

If for all t ∈ ( a , b ) , we have r ′ ( t ) ≠ 0 , then Γ is called the regular curve.

If for all t ∈ ( a , b ) , the coordinates of regular curve Γ satisfy

∑ i = 1 n + 1 ( x i ( t ) − a i ) 2 = N 2 ,

Then curve Γ is called the spherical curve of hypersphere ∑ .

To deal with multi-secret sharing problem, for Z p ⊂ ( a , b ) , we pick a transform between Z p t and Z p n + 1 as follows:

δ : ( z 1 , z 2 , ⋯ , z t ) ↔ ( x 1 , x 2 , ⋯ , x n + 1 )

such that

{ x 1 = x 1 ( z 1 , z 2 , ⋯ , z t ) , x 2 = x 2 ( z 1 , z 2 , ⋯ , z t ) , ⋮ x n + 1 = x n + 1 ( z 1 , z 2 , ⋯ , z t ) . (4)

In addition, let g be a primitive root of module-p, we define a bivariate function over Z_{p},

F ( u , v ) = g u + v , (5)

and a coordinate function over Z_{p},

y i j = y i 1 j ( i = 0 , 1 , 2 , ⋯ ; j = 1 , 2 , ⋯ , n + 1 ) . (6)

In this section, we propose a bipartite multi-secret sharing scheme based on hypersphere. In our scheme, a secret dealer is responsible for generating m 1 + m 2 different secret share from the shared secrets S 1 , S 2 , ⋅ ⋅ ⋅ , S t . And then, only given n 1 + n 2 secret share, the shared secrets can be reconstructed.

The secret dealer randomly selects m_{1} different secret share k i ( 1 ≤ i ≤ m 1 ) and number u_{1 }from Z_{p}, then distributes k i and u 1 to each participant P_{i} in group A through a secret channel as the secret share of these participants respectively. Similarly, m_{2} different secret shares k ¯ j ( 1 ≤ j ≤ m 2 ) and number u_{2} from Z_{p} such that u 1 ≠ u 2 are selected by D to distribute to participants in group B through same secret channel.

Taking n = max { n 1 , n 2 } , without loss of generality, suppose that n 1 ≥ n 2 , then n = n 1 . We assume that t shared secrets s 1 , s 2 , ⋯ , s t are all from Z_{p} where 1 ≤ t ≤ n . By setting ( z 1 , z 2 , ⋯ , z t ) = ( s 1 , s 2 , ⋯ , s t ) in (4), the secret dealer calculates

{ x 1 ( s 1 , s 2 , ⋯ , s t ) = a 1 , x 2 ( s 1 , s 2 , ⋯ , s t ) = a 2 , ⋮ x n + 1 ( s 1 , s 2 , ⋯ , s t ) = a n + 1 , (7)

which yields a point Q ( a 1 , a 2 , ⋯ , a n + 1 ) ∈ Z p n + 1 .

The secret dealer chooses a positive integer N ∈ Z p ∗ to get a spherical representation of a hypersphere

∑ i = 1 n + 1 ( x i − a i ) 2 = N 2 ,

where Q ( a 1 , a 2 , ⋯ , a n + 1 ) is the centre of this hypersphere.

The secret dealer chooses k 0 ∈ Z p such that k 0 ≠ k i ( 1 ≤ i ≤ m 1 ) and a bivariate function like (5), together with the coordinate function (6) to calculate over Z_{p} as follows:

y 01 = F ( u 1 , k 0 ) = g u 1 + k 0 , y 0 j = y 01 j , j = 1 , 2 , ⋯ , n .

y 0 , n + 1 ∈ Z p follows from the spherical representation, that is , y 0 , n + 1 ∈ Z p satisfies

∑ i = 1 n + 1 ( y 0 i − a i ) 2 = N 2 ,

which yields a point on ∑ ,

U 0 ( y 01 , y 02 , ⋯ , y 0 , n + 1 ) .

It is not difficult to get a hypertangent plane π of ∑ at U 0 :

∑ i = 1 n + 1 ( y 0 i − a i ) ( x i − y 0 i ) = 0 .

Letting ξ i = y 0 i − a i , M = ∑ i = 1 n + 1 y 0 i ( y 0 i − a i ) , one obtains a following equation of hypertangent plane π:

∑ i = 1 n + 1 ξ i x i = M . (8)

The secret dealer D make computation according to the secret share k_{i} of the participant P_{i} in group A and value u_{1} as follows:

y i 1 = F ( u 1 , k i ) = g u 1 + k i , ( 1 ≤ i ≤ m 1 ) ; y i j = y i 1 j = g ( u i + k i ) j , ( 1 ≤ i ≤ m 1 , 1 ≤ j ≤ n ) ;

y i , n + 1 = ( M − ∑ j = 1 n ξ j y i j ) ξ n + 1 − 1 , ( 1 ≤ i ≤ m 1 ) ; H i = M − ∑ j = 1 n ξ j y i j , ( 1 ≤ i ≤ m 1 ) ;

H 0 = ξ n + 1 y 0 , n + 1 .

Thus, point U i ( y i 1 , y i 2 , ⋯ , y i , n + 1 ) is on the hypertangent plane π. There are m_{1} points in all. The secret dealer publishs H i ( 0 ≤ i ≤ m 1 ) , the coordinates of point U_{0}, the expressions of the bivariate function and the coordinate function on NB.

The secret dealer D chooses a spherical curve Γ on the hypersphere ∑ ,

r = r ( t ) = ( x 1 ( t ) , x 2 ( t ) , ⋯ , x n + 1 ( t ) ) . (9)

Differentiating (9) it follows

r ′ ( t ) = ( x ′ 1 ( t ) , x ′ 2 ( t ) , ⋯ , x ′ n + 1 ( t ) ) . (10)

The secret dealer D set t = t 0 with t 0 ∈ Z p such that x 1 ( t 0 ) ≠ y 01 , which yields that

r ( t 0 ) = ( x 1 ( t 0 ) , x 2 ( t 0 ) , ⋯ , x n + 1 ( t 0 ) ) ,

r ′ ( t 0 ) = ( x ′ 1 ( t 0 ) , x ′ 2 ( t 0 ) , ⋯ , x ′ n + 1 ( t 0 ) ) ,

Then the secret dealer D can derive a hypernormal plane π ¯ of curve Γ at t = t 0 ,

r ′ ( t 0 ) ⋅ ( ρ − r ( t 0 ) ) = 0 ,

That is,

∑ i = 1 n + 1 x ′ i ( t 0 ) ( x i − x i ( t 0 ) ) = 0 ,

where ρ = ( x 1 , x 2 , ⋯ , x n + 1 ) is a vector of the moving point coordinates.

Letting ξ ¯ i = x ′ i ( t 0 ) , M ¯ = ∑ i = 1 n + 1 x i ( t 0 ) x ′ i ( t 0 ) , one gets the following equation of the hypernormal plane π ¯ :

∑ i = 1 n + 1 ξ ¯ i x i = M ¯ . (11)

The secret dealer D chooses numbers γ i , u 2 ∈ Z p such that u 2 ≠ u 1 , γ i ≠ k ¯ h ( 0 ≤ i ≤ n − n 2 , 1 ≤ h ≤ m 2 ) , together with the bivariate function and the coordinate function as well as the secret share k ¯ h of m_{2} participants P h in group B to calculate over Z_{p} as follows:

y ¯ i 1 = F ( u 2 , γ i ) = g u 2 + γ i , y ¯ i j = y ¯ i 1 j = g ( u 2 + γ i ) j , y ¯ δ + h , 1 = F ( u 2 , k ¯ h ) = g u 2 + k ¯ h , y ¯ δ + h , j = y ¯ δ + h , 1 j = g ( u 2 + k ¯ h ) j ,

H ¯ i = M ¯ − ∑ j = 1 n ξ ¯ j y ¯ i j , y ¯ i , n + 1 = ( M ¯ − ∑ j = 1 n ξ ¯ j y ¯ i j ) ξ ¯ n + 1 − 1 , H ¯ δ + h = M ¯ − ∑ j = 1 n ξ ¯ j y ¯ δ + h , j , y ¯ δ + h , n + 1 = ( M ¯ − ∑ j = 1 n ξ ¯ j y ¯ δ + h , j ) ξ ¯ n + 1 − 1 .

where δ = n − n 2 , 0 ≤ i ≤ δ , 1 ≤ h ≤ m 2 , 1 ≤ j ≤ n .

Hence the secret dealer D obtains altogether m 2 + δ + 1 hyperplanes, those are V i ( y ¯ i 1 , y ¯ i 2 , ⋯ , y ¯ i , n + 1 ) and V δ + h ( y ¯ δ + h , 1 , y ¯ δ + h , 2 , ⋯ , y ¯ δ + h , n + 1 ) . At the same time the secret dealer D publishs H ¯ i , H ¯ δ + h and the coordinate of V i ( 0 ≤ i ≤ δ ) on NB.

For arbitrary n 1 ( = n ) participants in group A gather their secret shares together, without loss of generality, suppose that they are P i ( 1 ≤ i ≤ n ) . Each participant P i uses his private share k i and the public information on the NB to calculate y i j ( 1 ≤ i ≤ n , 1 ≤ j ≤ n ) respectively. Then these n cooperative participants substitute y_{ij}, H_{i} and the coordinate of U_{0} into the following undetermined expression

∑ j = 1 n ξ j y i j + H i = M , ( 0 ≤ i ≤ n ) .

Which yields that the following system of equations:

{ y 01 ξ 1 + y 02 ξ 2 + ⋯ + y 0 n ξ n + H 0 = M , y 11 ξ 1 + y 12 ξ 2 + ⋯ + y 1 n ξ n + H 1 = M , ⋮ y n 1 ξ 1 + y n 2 ξ 2 + ⋯ + y n n ξ n + H n = M . (12)

Calculating ξ i ( 1 ≤ i ≤ n ) and M in (12), they obtain the equation of hypertangent plane π about the hypersphere ∑ at point U_{0},

∑ i = 1 n + 1 ξ i x i = M . (13)

where ξ n + 1 is given by ξ n + 1 = H 0 y 0 , n + 1 − 1 .

These n cooperative participants get a normal vector ξ = ( ξ 1 , ξ 2 , ⋯ , ξ n + 1 ) from (13), which derive the equation of normal line L about π at point U_{0} as follows:

x 1 − y 01 ξ 1 = x 2 − y 02 ξ 2 = ⋯ = x n + 1 − y 0 , n + 1 ξ n + 1 , (14)

where ( x 1 , x 2 , ⋯ , x n + 1 ) is a moving point coordinate vector.

Similarly, arbitrary n_{2} participants in group B gather their secret shares together, without loss of generality, suppose that they are P ¯ j ( 1 ≤ j ≤ n 2 ) who possess secret share k ¯ j respectively. They use k ¯ j and the public information on NB to obtain the following system of equations:

{ y ¯ 01 ξ ¯ 1 + y ¯ 02 ξ ¯ 2 + ⋯ + y ¯ 0 n ξ ¯ n + H ¯ 0 = M ¯ y ¯ 11 ξ ¯ 1 + y ¯ 12 ξ ¯ 2 + ⋯ + 1 n y ¯ ξ ¯ n + H ¯ 1 = M ¯ , ⋮ y ¯ δ 1 ξ ¯ 1 + y ¯ δ 2 ξ ¯ 2 + ⋯ + y ¯ δ n ξ ¯ n + H ¯ δ = M ¯ , y ¯ δ + 1 , 1 ξ ¯ 1 + y ¯ δ + 1 , 2 ξ ¯ 2 + ⋯ + y ¯ δ + 1 , n ξ ¯ n + H ¯ δ + 1 = M ¯ , ⋮ y ¯ δ + n 2 , 1 ξ ¯ 1 + y ¯ δ + n 2 , 2 ξ ¯ 2 + ⋯ + y ¯ δ + n 2 , n ξ ¯ n + H ¯ δ + n 2 = M ¯ . (15)

From (15) it follows ξ ¯ i ( 1 ≤ i ≤ n ) and M ¯ . By calculating ξ ¯ n + 1 = H ¯ 0 y 0 , n + 1 − 1 , these n_{2} cooperative participants can obtain the equation of hypernormal plane π ¯ about hypersphere ∑ ,

∑ i = 1 n + 1 ξ ¯ i x i = M ¯ . (16)

At last, these n_{1} cooperative participants in group A and that n_{2} cooperative participants in group B solve in common the following set of equations which consist of (14) and (16):

{ x 1 − y 01 ξ 1 = x 2 − y 02 ξ 2 = ⋯ = x n + 1 − y 0 , n + 1 ξ n + 1 , ∑ i = 1 n + 1 ξ ¯ i x i = M ¯ .

Which yields the centre coordinate of hypersphere ∑ , that is, ( x 1 , x 2 , ⋯ , x n + 1 ) = ( a 1 , a 2 , ⋯ , a n + 1 ) . Then by solving the transformation formula (7), these participants can recover the shared secrets s 1 , s 2 , ⋯ , s t .

If the secret dealer and the participants are all honest in this scheme, at least n_{1} participants in group A and at least n_{2} participants in group B get together to reconstruct the shared secrets during the execution of reconstruction algorithm. To obtain this conclusion, we need only to prove the following theorem.

Theorem 2. The hypernormal plane π of any spherical curve Γ on a hypersphere ∑ always passes the centre of this hypersphere.

Proof. Let us put the spherical representation of ∑ as follows:

∑ i = 1 n + 1 ( x i − a i ) 2 = N 2 ,

and let spherical curve Γ be

r ( t ) = ( x 1 ( t ) , x 2 ( t ) , ⋯ , x n + 1 ( t ) ) .

Hence, we have

∑ i = 1 n + 1 ( x i ( t ) − a i ) 2 = N 2 ,

and there exist a tangent vector of arbitrary point ( x 1 ( t 0 ) , x 2 ( t 0 ) , ⋯ , x n + 1 ( t 0 ) ) on the spherical curve Γ ,

r ′ ( t 0 ) = ( x ′ 1 ( t 0 ) , x ′ 2 ( t 0 ) , ⋯ , x ′ n + 1 ( t 0 ) ) .

Let the coordinate of moving point on the hypernormal plane at t_{0} be ( X 1 , X 2 , ⋯ , X n + 1 ) , then the equation of this hypernormal plane is

∑ i = 1 n + 1 x ′ i ( t 0 ) ( X i − x i ( t 0 ) ) = 0 .

It implies

∑ i = 1 n + 1 x ′ i ( t 0 ) X i − ∑ i = 1 n + 1 x ′ i ( t 0 ) x i ( t 0 ) = 0 . (17)

Differentiating ∑ i = 1 n + 1 ( x i ( t ) − a i ) 2 = N 2 , we have

∑ i = 1 n + 1 x ′ i ( t ) ( x i ( t ) − a i ) = 0 .

Which implies that when t = t 0 , we get

∑ i = 1 n + 1 x ′ i ( t 0 ) x i ( t 0 ) = ∑ i = 1 n + 1 a i x ′ i ( t 0 ) . (18)

Substituting (18) into (17) , we obtain the hypernormal plane π ¯ as follows:

∑ i = 1 n + 1 x ′ i ( t 0 ) ( X i − a i ) = 0 .

Obviously, it passes the centre ( a 1 , a 2 , ⋯ , a n + 1 ) of hypersphere.

This completes the proof.

In our scheme, since the normal line L of hypertangent plane π at U_{0} passes the centre of hypersphere too, it follows that the cross point of normal line L and hypernormal plane π ¯ is the centre of hypersphere.

Theorem 3. The unique hypertangent plane π over Z_{p} is determined by arbitary n different points of m_{1} points derived from the secret shares k i ( 1 ≤ i ≤ m 1 ) together with point U_{0}.

Proof. The system of Equations (12) determined by n different points and the public point U_{0 }can be modified as follows:

{ − M + y 01 ξ 1 + y 02 ξ 2 + ⋯ + y 0 n ξ n = − H 0 , − M + y 11 ξ 1 + y 12 ξ 2 + ⋯ + y 1 n ξ n = − H 1 , ⋮ − M + y n 1 ξ 1 + y n 2 ξ 2 + ⋯ + y n n ξ n = − H n , (19)

where M and ξ i ( 1 ≤ i ≤ n ) are unknown numbers of this system.

The determinant of coefficient for (19) can be obtained that

D = | − 1 y 01 y 02 ⋯ y 0 n − 1 y 11 y 12 ⋯ y 1 n − 1 ⋮ ⋮ ⋮ − 1 y n 1 y n 2 ⋯ y n n | = − | 1 1 ⋯ 1 y 01 y 11 ⋯ y n 1 y 01 2 y 11 2 ⋯ y n 1 2 ⋮ ⋮ ⋮ y 01 n y 11 n ⋯ y n 1 n | = − ∏ n ≥ i ＞ j ≥ 0 ( y i 1 − y j 1 ) .

Since y i 1 = F ( u 1 , k i ) = g u 1 + k i ,

y j 1 = F ( u 1 , k j ) = g u 1 + k j ,

where F ( u , v ) is the bivariate function over Z_{p} and g is a primitive root of modulo-p.

For any k i ≠ k j , we have y i 1 ≠ y j 1 , hence D ≠ 0 . It follows from Gramer rule that (19) has a unique set of solutions M, ξ i ( 1 ≤ i ≤ n ) . Thus, the unique hypertangent plane π over Z_{p}. Can be determined by this set of solutions.

As a result, we obtain theorem.

Similarly, we can prove that the unique hypernormal plane π ¯ over Z_{p} is determined by arbitary n_{2} different points of m_{2} points derived from the secret shares k ¯ j ( 1 ≤ j ≤ m 2 ) together with δ + 1 public points V i ( 0 ≤ i ≤ δ ) .

The above theorem show a deterministic condition for the hypertangent plane or the hypernormal plane.

The security of proposed scheme is based on the deterministic condition of hyperplane.

Theorem 4. Arbitrary n points in R n + 1 cannot determine unique hyperplane over Z_{p}.

Proof. Suppose in existence n points (there is no harm in taking U 0 , U 1 , ⋯ , U n − 1 ) can determine a hyperplane π_{1}. Then, we pick a point W which is out of π _{1} in R n + 1 such that the coordinate vectors of U 0 , U 1 , ⋯ , U n − 1 , W is linearly independent. By theorem 3, it is obvious that U 0 , U 1 , ⋯ , U n − 1 , W can determine unique hyperplane π_{2} over Z_{p}. Because W is out of π_{1}, it follows that π 1 ≠ π 2 . However, U 0 , U 1 , ⋯ , U n − 1 _{ }are on not only π_{1} but also π_{2}. This is a contradiction. Thus, we completes the proof of theorem 4.

It can be shown from the theorem 4 that n 1 − 1 or fewer participants in group A submiting their secret shares can only produce n_{1} points including U_{0} at most. So that they have no way of determining hypertangent plane π. Similarly, n 2 − 1 or fewer participants in group B have no way of determining hypernormal plane π ¯ too. This shows that the less than n_{1} participants in group A or the less than n_{2} participants in group B gathering their secret shares together cannot recover the shared secrets S 1 , S 2 , ⋯ , S t .

In addition, it is not difficult for an attacker to get the public informations H i , H ¯ j in the proposed scheme. Hwever, H i , H ¯ j are product of the coefficient ξ n + 1 , ξ ¯ n + 1 and the last coordinate value of points which are derived from the secret shares of m_{1} participants in group A and m_{2} participants in group B respectively. They are calculated by the equation of hyperplanes and the front n coordinate value of derived points. On the contrary, the front n coordinate value of derived points cannot be predicted by H i , H ¯ j , that means the attacker could not obtain the shared secrets from the public informations on NB. Moreover, together with the bivariate function, calculating k i , k ¯ j _{ }from y 01 , y ¯ 01 respectively need to solve the discrete logarithm problem, As we know that the discrete logarithm problem is intractable, it is impossible for an attacker to obtain the participant’s secret share.

By the construction of proposed scheme, each share k i or k ¯ j is choosed from Z_{p}，and the shared secrets S 1 , S 2 , ⋯ , S t from Z_{p} too. It follows that | K h | = | S | = p ,where K_{h} is a set of possible secret shares of participants in group A or in group B, and S is a set of possible shared secrets. Hence, the information rate of this scheme is

ρ = min { ρ h | ρ h = lg | S | / lg | K h | , 1 ≤ h ≤ m 1 + m 2 } = p / p = 1.

This shows that the proposed scheme is ideal one.

1) Multiple secrets can be reconstructed simultaneously within a secret sharing session.

2) Since the participants provide the derived points of secret shares but not the secret share k i , k ¯ j during the reconstruction of secrets, it follows that the secret shares of participants are still kept confidential after recovering all of the secrets and the secret shares could be used to share a new set of secrets.

3) When a new participant joins the system, the secret dealer needs only to select a new secret share that its derived points is on the hyperplane to distribute to this new participant secretly. When we need to delete a participant, the dealer needs only to change the value of parameter u in the bivariate function to recompute hyperplane, whereas the remainder participants can share next secrets by same secret shares. So it is very easy that the participants can join or leave the system.

4) When the value of threshold n_{1} or n_{2} is changed, namely,

( n 1 + n 2 , m 1 + m 2 ) change into ( n ¯ 1 + n ¯ 2 , m 1 + m 2 ) , let us put

n = max ( n 1 , n 2 ) and n ¯ = max ( n ¯ 1 , n ¯ 2 ) , the secret dealer needs only to turn the n+1 dimension space into a n ¯ + 1 dimension space and go on according to the same scheme. Whereas there is no need to change the one’s own secret share for each participant.

The above advantages of this scheme are not provided by the secret sharing scheme with bipartite access structure [

The only operations used in this scheme are linear combination operation, determinant operation and exponentiation operation, of which the former is negligible complexity. Obviously, the performance of the scheme mainly depends on the calculation of determinant, which is relatively easy to implement. If the determinant is computed by Wiedemann algorithm in [

1) In the distribution stage: the secret dealer D calculate g u 1 + k i over Z_{p} altogether m 1 + 1 times and calculate g u 2 + k ¯ j over Z_{p} altogether m 2 + n 1 − n 2 + 1 times.

2) In the reconstruction stage: authorized participants in group A calculate g u 1 + k i over Z_{p} altogether n_{1} times and ones in group B calculate g u 2 + k ¯ j over Z_{p} altogether n_{2} times.

Thus it can seen that the proposed scheme needs m 1 + m 2 + 2 ( n + 1 ) exponentiation operations. We remark that one exponentiation operation can be done in time O ( ( log p ) 3 ) . In that way, sharing and reconstructing the secrets can be done in all time O ( ( m 1 + m 2 + 2 ( n + 1 ) ) ( log p ) 3 ) . It is obvious that the proposed scheme satisfies the definition of a computationally efficient secret sharing scheme.

This scheme is more effective than other secret sharing schemes [

In this paper, an efficient bipartite ( n 1 + n 2 , m 1 + m 2 ) -threshold multi-secret sharing

scheme is proposed, which is based on a hypersphere by using a geometric method, In this scheme, multi-secret could be shared and each participant needs only to hold one secret share in renewing the shared secrets without updating each participant’s secret share. Compared with the existing bipartite secret sharing scheme, it is easy to show that not only the participants can leave the system and new participants can be added into the system dynamically, but also the values of threshold n_{1}, n_{2} can be changed. Therefore, the proposed scheme is very effective and practical.

The author declares no conflicts of interest regarding the publication of this paper.

Li, B. (2019) Bipartite Threshold Multi-Secret Sharing Scheme Based on Hypersphere. American Journal of Computational Mathematics, 9, 207-220. https://doi.org/10.4236/ajcm.2019.94016