- About this Journal ·
- Abstracting and Indexing ·
- Aims and Scope ·
- Annual Issues ·
- Article Processing Charges ·
- Articles in Press ·
- Author Guidelines ·
- Bibliographic Information ·
- Citations to this Journal ·
- Contact Information ·
- Editorial Board ·
- Editorial Workflow ·
- Free eTOC Alerts ·
- Publication Ethics ·
- Reviewers Acknowledgment ·
- Submit a Manuscript ·
- Table of Contents
International Journal of Distributed Sensor Networks
Volume 2013 (2013), Article ID 902462, 9 pages
Publicly Verifiable Secret Sharing Scheme with Provable Security against Chosen Secret Attacks
1State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
2School of Information, Guangdong Ocean University, Zhanjiang, Guangdong 524088, China
3Network Security Research Institute, National Institute of Information and Communications Technology, 4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan
Received 29 August 2012; Accepted 8 January 2013
Academic Editor: Wensheng Zhang
Copyright © 2013 Yuanju Gan et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.
Secret sharing is an important aspect of key management in wireless ad hoc and sensor networks. In this paper, we define a new secure model of secret sharing, use the Lagrange interpolation and the bilinear cyclic groups to construct an efficient publicly verifiable secret sharing scheme on the basis of this model, and show that this scheme is provably secure against adaptively chosen secret attacks (CSAs) based on the decisional bilinear Diffie-Hellman (DBDH) problem. We find that this scheme has the following properties: (a) point-to-point secure channels are not required in both the secret distribution phase and the secret reconstruction phase; (b) it is a noninteractive secret sharing system in that the participants need not communicate with each other during subshadow verification; and (c) each participant is able to share many secrets with other participants despite holding only one shadow.
A secret sharing scheme [1–8] allows the splitting of a secret into different pieces, called shares or shadows, which are given to a group of participants (or shareholders). Only a certain specified subset of the participants can reconstruct the secret easily by providing their shadows, while any unqualified subsets cannot obtain any knowledge about the secret. Secret sharing is useful for any important action whose initiation requires the collective decision of several designated participants, such as the launch of a missile, opening of a bank vault, or opening of a safety deposit box. Research on secret sharing is important for the key distribution of wireless ad hoc and sensor networks , both in theory and in practice.
In 1979, two basic secret sharing schemes were independently proposed by Shamir  and Blakley . They used two different methods to construct threshold secret sharing schemes. In Shamir’s scheme, a secret is divided into shadows by a dealer and shared among participants in such a way that it is possible to reconstruct the secret with any or more shadows but impossible to reconstruct the secret with fewer than shadows. This scheme is called a threshold secret sharing scheme. Early secret sharing schemes [1, 10] did not include the verification of the correctness of shadows; hence, if one or more participants are dishonest, the secret cannot be recovered correctly.
Verifiable secret sharing (VSS) was proposed in  to solve the problem of dishonest participants who want to deceive other honest participants or the problem of a dishonest dealer who distributes incorrect shadows to some participants. VSS has been an important area of cryptography research for the last two decades [5, 7, 8, 12–15]. Feldman  proposed a very practical VSS scheme in which the security is based on a discrete logarithm problem. In this scheme, a deterministic function of the secret is published; hence, it achieves only one-way security. Pedersen  proposed a VSS scheme that can withstand an unbounded passive adversary.
Stadler  proposed a publicly verifiable secret sharing (PVSS) scheme in which the validity of the shadows can be verified by anyone without knowledge of the shadows. In some PVSS schemes [5, 14], the verification procedure involves interactive proofs of knowledge. If these proofs are made noninteractive by means of the Fiat-Shamir technique , the security of the verification process would only be carried out in the random oracle model (ROM) . Transferring security analysis of cryptographical primitives from the random oracle model to the standard model (SM)  has always been a theoretically important task.
1.1. Related Work
In 2005, Ruiz and Villar  proposed a new PVSS scheme that has a higher level of secrecy, called indistinguishability (IND) of secrets based on the decisional composite residuosity assumption. In 2009, Heidarvand and Villar  gave two new secure definitions of publicly verifiable secret sharing, which capture the notion of indistinguishability of shared secrets. Then they proposed a non-interactive PVSS scheme against the attacks of indistinguishability of secrets in the standard model based on the decisional bilinear square assumption (DBS) which is a natural variant of the standard decisional bilinear Diffie-Hellman (DBDH) assumption. In 2010, Jhanwar  proposed a PVSS scheme whose level of security is called semantic security based on the -multi-sequence of exponents Diffie-Hellman problem. In 2011, Wu and Tseng  proposed a pairing-based PVSS scheme. For deducing the computational cost, they used the batch verification technique. They also showed that their scheme is a secure PVSS scheme under the bilinear Diffie-Hellman (BDH) assumption in the random oracle model. In fact, semantic security does not guarantee any level of secrecy if an adversary mounts an active attack. Therefore, it is very important to design a PVSS scheme against adaptively chosen secret attacks (CSAs) in the standard model.
Another important aspect of secret sharing is the problem of making the size of shadows of each participant as small as of making the size of shadows of each. A secret sharing scheme is ideal if the length of every shadow is the same as the length of the secret. This is the best possible situation. However, we would like to emphasize that it is also very important to reduce the number of secure channels used in a secret sharing scheme, especially in wireless ad hoc and sensor networks.
A secret sharing scheme contains at least two essential phases: a share distribution phase and a secret reconstruction phase. In the share distribution phase, a dealer chooses a secret, executes a secret distribution algorithm to generate shadows, and then sends the generated shadows to the participants through point-to-point secure channels. In the secret reconstruction phase, the participants belonging to a qualified subset of participants exchange shadows amongst themselves through point-to-point secure channels to reconstruct the secret. In a threshold secret scheme, there are secure channels in the share distribution phase and at least secure channels in the secret reconstruction phase. To reduce the number of secure channels to , Huaxiong and wong  constructed a threshold secret sharing scheme using partial broadcast channels.
1.2. Our Contributions
In this paper, we use the Lagrange interpolation and bilinear cyclic groups to construct a threshold PVSS scheme with IND-CSA security. Our scheme has the following features.(i)Public Verifiability: a dishonest dealer or participant is detected unconditionally. (ii)Security: the scheme has provable security against an IND-CSA (see the security model present in this paper) adversary in the standard model. The security relies on the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem. (iii)Needless security channels: in both the setup and share distribution phases, these are no secure point-to-point communication channels between the dealer and the participants. Moreover, no secure point-to-point communication channels are used in the reconstruction phase of the extended scheme. (iv)Noninteractivity: the participants need not talk to each other during the secret reconstruction phase. An overview comparison of the major technique differences and the corresponding security level those of WT11’s  and HV09’s  PVSS schemes is given in Table 1.
1.3. Paper Organization
This paper is organized as follows. In Section 2, we describe the definition of bilinear maps and the decisional bilinear Diffie-Hellman problem. In Section 3, we describe the model of our PVSS scheme and the security model. In Section 4, we present our pairing-based PVSS scheme, and in Section 5, we prove its security. In Section 6, we analyze the performance of our scheme. In Section 7, we present an extended scheme that allows reconstruction of the secret through publicle channels. Finally, we give a conclusion in Section 8.
If is a set, denotes its size. The symbol “” denotes failure.
2.1. Bilinear Map
Let and be two cyclic groups of prime order . Here, we assume that is an additive cyclic group, and is a multiplicative cyclic group. A bilinear map is a map such that for and , it satisfies the following properties [22, 23]. (i)Bilinearity: .(ii)Nondegeneracy: unless .(iii)Computability: there is an efficient algorithm to compute .
The algorithm is a bilinear group generator that takes a secure parameter as input and outputs the descriptions of the groups , , and a bilinear map , where all group operations in and as well as map can be computed in polynomial time with . We posit that ) is the output of .
2.2. Decisional Bilinear Diffie-Hellman Assumption
Given a tuple for some uniformly chosen and as input to decide whether or not . The advantage of an algorithm solving the DBDH problem is defined as The DBDH problem is said to be -hard if there is no algorithm that can solve the DBDH problem within time with an advantage equal to at least .
2.3. Lagrange Interpolation
Let be a polynomial over with degree , and let be distinct points of . Then, given ,, one can reconstruct as where for any .
This section is dedicated to the definition of a threshold PVSS scheme and its security model.
3.1. Threshold PVSS Scheme without Secure Channels
Let be a set of participants. A dealer wants to share a secret among the participants of in such a way that any or more participants can recover the secret, while no participants can obtain any information about the secret.
A PVSS scheme is described by the following algorithms. (1)Setup : takes as input a secure parameter . (i)The dealer generates all public parameters of the scheme. (ii)Furthermore, every participant selects its channel protection key and publishes the corresponding public key . (iii)The dealer randomly picks a number as the main secret of the system and uses and the main secret to generate a main shadow for every participant and the system shadow verification key (SVK). (iv)For each , the dealer sends ’s main shadow to through public channels.(2)Secret distribution: the dealer randomly selects a secret that will be distributed to the participants. It calculates and publishes the secret commitment value (SCV) and the secret deriving value (SDV) of the secret . It then outputs . A participant can use and its main-shadow to obtain its subshadow of the secret by itself. (3)Verification : takes as inputs and of a secret. It is required that be publicle verifiable. Knowing only the publicly parameter, anyone may verify that is consistent with . If the verification fails, the verifier broadcasts a complaint about the dealer. (4)Reconstruction: this algorithm is composed of three subalgorithms.(a)Subshadow generation : takes as inputs and of a secret, a participant , ’s main shadow , and ’s channel protection key . To generate its sub-shadow, executes verification (). If the verification fails, is output. Otherwise, generates the sub-shadow from and using its main shadow and channel protection key . is then output. (b)Sub-shadow verification : takes as inputs of a secret, a participant and ’s verification key , and ’s sub-shadow . This algorithm checks whether is a valid sub-shadow with respect to and . If the verification fails, a complaint about the participant is broadcast. (c)Combine : takes as inputs and of a secret, a qualified set of participants, and a list of valid sub-shadows. Outputs a secret .
3.2. Security Model
The PVSS scheme described above must satisfy the following properties. (i)Correctness: if the dealer and the participants act honestly, any or more participants can reconstruct the secret correctly during the execution of the reconstruction algorithm. (ii)Verifiability: a successful verification of the SCV and SDV of a secret implies that the SCV and SDV are consistent. (iii)Privacy: the basic requirement is that it is impossible for any collusion of less than participants to obtain any information about a secret. Hereafter, we will use the notion of a CSA to define the security of the PVSS scheme. We mostly follow the notation from [19, 23], using a game between an adversary and a challenger .(i)Init. executes Setup () to obtain the public parameters and sends the public parameters to along with all of the shadow verification keys SVK. (ii)Phase 1. The adversary adaptively selects a secret and generates about the secret using the public parameters just as the dealer does. Moreover, the adversary is permitted to query a sub-shadow of a participant using .(iii)Sub-shadow query. On being input a participant , as well as and , executes the Sub-shadow generation sub-algorithm using and then forwards the resulting or to the adversary .(iv)Challenge. The adversary outputs a target set of participants , where . The challenger picks two random secrets and as well as a random bit . Then, executes the secret distribution algorithm to obtain for the secret and sends and all the sub-shadows of each to along with and . (v)Phase 2. The adversary continues to adaptively issue the subshadow query as in phase 1, but with the constraint that , and challenger responds similarly in phase 1. (vi)Guess. Finally, the adversary outputs a guess and wins the game if .
Definition 1 (IND-CSA security). A PVSS scheme has indistinguishability against adaptive CSA if, for any probabilistic polynomial-time (PPT) adversary , the advantage is negligible with respect to .
In this section, we present a concrete PVSS scheme and prove its security against CSA in the next section.
The dealer obtains the group parameters by executing the group generator algorithm . It then selects a random integer and publishes , on the system bulletin board (BB). Supposing that is the set of participants of the system, each participant may be uniquely identified by means of an index . After the dealer has announced the public parameters, each participant randomly selects an integer ( is ’s channel protection key) and calculates . Each participant keeps confidentially and sends to the dealer over public channels.
Having received all the , the dealer performs the following operations.(1)The dealer selects a random number and a random polynomial with degree , where is the threshold value and, for , . (2)The dealer computes and , where is the main shadow of the participant . (3)The dealer selects a collision-resistant hash function , where is the output length of . (4)The dealer sets the as the shadow verification key.(5)The dealer randomly selects .Finally, the dealer sends to the participant through public channels and publishes on the bulletin board.
The dealer wants to share a secret, which is a random element in . The form of the secret is , where is selected randomly from . Let be a bit string of length , let denote the th bit of , and let be the set of all for which . The dealer calculates and publishes the SCV and SDV as follows: The dealer either broadcasts to all participants or publishes on the BB. (’s real sub-shadow for the secret is . In order to achieve CSA security, in the reconstruction algorithm, no participant directly sends to other participants.) If the dealer wants to share a new secret, it just executes the secret distribution algorithm again and publishes appropriate information on the BB. However, the main shadow of need not be changed.
Given , this algorithm first computes and outputs “valid” or “invalid” according to the following: Reconstruction
Without loss of generality, let us assume that is a qualified subset of the set of participants, that is, it consists of at least participants who want to collectively reconstruct the secret . Each participant in executes the following algorithms:(1)Sub-shadow generation : takes as inputs and a participant , ’s main shadow , and ’s channel protection key . To generate its sub-shadow, executes the verification () algorithm. If the verification fails, outputs () and exits. Otherwise, randomly selects and performs the following calculations: At this point, sends to the other participants in through secure channels. ( may use the method described in Section 7 to send through public channels.)(2)Sub-shadow verification : takes as inputs for a secret, a participant , and ’s verification key , ’s sub-shadow . Another participant computes and then checks If the checked equality does not hold, demands that sends again or declares that is a cheater. (3)Combine : takes as input and for a secret, a qualified subset of the set of participants that contains at least participants, and a list (where ) of valid subshadows. Each participant first computes the Lagrange coefficients , where , then calculates At this point, every participant in uses ) to reconstruct the secret as follows:
5. Security and Correctness
If the dealer and the participants are honest, any or more participants can reconstruct the secret during the execution of the reconstruction algorithm. The correctness of equalities (6), (9), and (10) is as follows.
Theorem 2 (IND-CSA of PVSS). Suppose the hash function is a universal collision-resistant one-way family. Then, the proposed PVSS scheme is secure against adaptive CSA under the intractability assumption of the DBDH problem. More specifically, if there is an adversary that can break the PVSS scheme within time with probability at least , then there exists an algorithm that can solve the DBDH problem within time with probability at least , where Here, denotes the time taken to answer all queries.
Proof. Suppose an adversary breaks the PVSS scheme with advantage . Then we can devise an algorithm that solves a random DBDH problem instance with advantage . Algorithm is given as input a group parameter and a random tuple , where is a random element of or . The goal of algorithm is to output 1 (“true") if and 0 (“false") otherwise. Set . Algorithm works by interacting with in a game as follows:
Init. Algorithm does the following.(1)Algorithm chooses a set containing participants. Without loss of generality, let . (2)Algorithm selects a collision-resistant hash function and computes the public keys for all participants in as follows: for all and , where is the channel protection key of . (3)Algorithm selects random integers , where and. There exists a polynomial of degree such that for all and . However, does not know the polynomial , because it does not know .(4)Algorithm constructs the shadow verification key SVK as follows. (i)If , since knows , he can compute the shadow verification key . (ii)If , computes the Lagrange coefficients , such that . Algorithm then sets which entails that , as required. (5)Algorithm follows Waters’  method to simulate it as follows.(i)For , it lets be the set of all for which .(ii)It sets an integer (where is the maximum number of sub-shadow queries) and randomly chooses an integer between 0 and . (iii)It chooses a random vector of length , where . (iv)It lets , and computes . (v)It chooses a random integer and a vector of length , where . (vi)It sets , . (vii)It defines , and (6)Algorithm sends to the adversary .
Phase 1. The adversary adaptively selects a secret and generates for the secret using the public parameters just as the dealer does. Then, adaptively issues a sub-shadow query of the form , where . For each such sub-shadow query the following applies.(1)The algorithm computes and checks . If the equality does not hold, responds to ’s query with . (2)Otherwise, continues to check whether holds. If it does hold, aborts the game and randomly selects a bit as the answer to the DBDH problem. (3)Otherwise, there are two different cases as follows. (i)If , computing is easy, because is equal to one of the , which are known to . Thus, randomly selects and performs the following calculations: sends the sub-shadow of to . (ii)If , randomly selects and performs the following calculations: where .
We claim that is a valid sub-shadow for . To see this, let ). Then we have Since is uniform in , the sub-shadow of the participant is a valid response to .
Challenge. Once the adversary has completed phase 1, and sent a challenge set , where , the algorithm can form the following challenge information. Let , so that there is . Then, algorithm selects as the secret and computes as follows. Thus, the secret is of the required form as described in the scheme, whenever .
Algorithm computes the sub-shadow of each as follows: (i)If , the sub-shadow of is , where . (ii)If , the sub-shadow of is where .
At this point, algorithm randomly selects a bit , sets , and assigns a random value in the secret space to . then sends to the adversary , where .
Claim 1. Our simulation does not abort with probability greater than 3/4.
Proof. Without loss of generality, let us assume that the adversary makes the maximum number of sub-shadow queries. For any sub-shadow query of a participant and the , we have This completes the proof of Claim 1.
Phase 2. The adversary continues to issue queries about a sub-shadow of the form , where and . Algorithm responds as in phase 1.
Guess. Eventually, outputs a guess bit for . Based on the value of , concludes its own game by outputting a guess as follows. (i)If , answers 1, meaning that . (ii)Otherwise, answers 0, meaning that is a random element of .
If the input satisfies , then ’s view is identical to its view in a real attack game, and therefore must satisfy . On the other hand, if the input of satisfies (where is uniform in ), then . Therefore, with and , we have According to Claim 1, we have that . This completes the proof of Theorem 2.
Now, let us compare our scheme to  and  in terms of computational cost and security. We firstly define the following notations.(i): The time taken to execute a bilinear pairing operation . (ii): The time taken to execute a scalar multiplication operation of point in . (iii): The time taken to execute a modular exponent operation in . (iv): The binary length of order . (v): The output length of the hash function .
As is well known, the time taken to execute , , and is much greater than the other operations, so we will ignore the time consumption of the other operations, such as executing an addition operation of points in . The details of the comparison are given in Table 2. In Table 3, we compare the communication cost of the dealer distributing a secret to the participants, and a participant sends its subshare to other participants.
From the comparison in Tables 2 and 3, one can see that our scheme achieves a higher level of security without significantly increasing the overall computational complexity and the communication cost.
7. Extension Scheme
In the basic scheme described previously, the secret reconstruction requires the presence of point-to-point secure channels among the participants. In this section, we remove this limitation without sacrificing any good property of the scheme.
Suppose that a participant wants to send its sub-shadow through a public channel to a participant . For this purpose, randomly selects , uses ’s public key , and the following calculations are performed: Then, sends to .
computes sets and then checks whether or not
Having collected valid sub-shadows, first computes and then reconstructs the secret by computing just as it does in the basic scheme.
In this paper, we proposed a threshold PVSS scheme. Under the decisional bilinear Diffie-Hellman assumption, we proved that our scheme has indistinguishability against adaptively chosen secret attacks in the standard model. In the secret distribution phase, the dealer can send the main shadow to a participant through public channels. When the participants exchange their sub-shadows in the secret reconstruction phase, point-to-point secure channels need not be established in the extended scheme. This scheme is fairly interesting for practical applications.
This work is supported by the National Natural Science Foundation of China (NSFC) Programs (nos. 61070251, 61003285, 61103198, and 61272534), the NSFC A3 Foresight Program (no. 61161140320), and the JSPS KAKENHI program (23500031).
- A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
- T.-Y. Wu and Y.-M. Tseng, “A pairing-based publicly verifiable secret sharing scheme,” Journal of Systems Science and Complexity, vol. 24, no. 1, pp. 186–194, 2011.
- S. Heidarvand and J. Villar, “Public verifiability from pairings in secret sharing schemes,” in Selected Areas in Cryptography, R. Avanzi, L. Keliher, and F. Sica, Eds., vol. 5381 of Lecture Notes in Computer Science, pp. 294–310, Springer, Berlin, Germany, 2009.
- A. Beimel and M. Franklin, “Weakly-private secret sharing schemes,” in Theory of Cryptography, S. Vadhan, Ed., vol. 4392 of Lecture Notes in Computer Science, pp. 253–269, Springer, Berlin, Germany, 2007.
- E. Fujisaki and T. Okamoto, “A practical and provably secure scheme for publicly verifiable secret sharing and its applications,” in Advances in Cryptology-EUROCRYPT '98, K. Nyberg, Ed., vol. 1403 of Lecture Notes in Computer Science, pp. 32–48, Springer, Berlin, Germany, 1998.
- R. J. Hwang and C. C. Chang, “An on-line secret sharing scheme for multi-secrets,” Computer Communications, vol. 21, no. 13, pp. 1170–1176, 1998.
- A. Patra, A. Choudhary, T. Rabin, and C. Rangan, “The round complexity of verifiable secret sharing revisited,” in Advances in Cryptology-CRYPTO 2009, S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 487–504, Springer, Berlin, Germany, 2009.
- R. Kumaresan, A. Patra, and C. Rangan, “The round complexity of verifiable secret sharing: the statistical case,” in Advances in Cryptology-ASIACRYPT 2010, M. Abe, Ed., vol. 6477 of Lecture Notes in Computer Science, pp. 431–447, Springer, Berlin, Germany, 2010.
- Hong Yu, Jingsha He, Ting Zhang, and Peng Xiao, “A group key distribution scheme for wireless sensor networks in the internet of things scenario,” International Journal of Distributed Sensor Networks, vol. 2012, 12 pages, 2012.
- G. R. Blakley, “Safeguarding cryptographic keys,” in Proceedings of the National Computer Conference, vol. 1 of Managing Requirements Knowledge, pp. 313–329, 1979.
- B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch, “Verifiable secret sharing and achieving simultaneity in the presence of faults,” in Proceedings of the 26th Annual Symposium on Foundations of Computer Science, pp. 383–395, 1985.
- P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” in Proceedings of the 28th Annual Symposium on Foundations of Computer Science, pp. 427–438, Los Angeles, Calif, USA, 1987.
- T. Pedersen, “Non-interactive and information-theoretic secure verifiable secret sharing,” in Advances in Cryptology-CRYPTO '91, J. Feigenbaum, Ed., vol. 576 of Lecture Notes in Computer Science, pp. 129–145, Springer, Berlin, Germany, 1992.
- B. Schoenmakers, “A simple publicly verifiable secret sharing scheme and its application to electronic voting,” in Advances in Cryptology-CRYPTO '99, M. Wiener, Ed., vol. 1666 of Lecture Notes in Computer Science, pp. 784–799, Springer, Berlin, Germany, 1999.
- A. Ruiz and J. L. Villar, “Publicly verifiable secret sharing from paillier's cryptosystems,” in Proceedings of the Western European Workshop on Research in Cryptology (WEWoRC '05), vol. 74 of Lecture Notes in Informatics, pp. 98–108, 2005.
- M. Stadler, “Publicly verifiable secret sharing,” in Advances in Cryptology-EUROCRYPT '96, U. Maurer, Ed., vol. 1070 of Lecture Notes in Computer Science, pp. 190–208, Springer, Berlin, Germany, 1996.
- A. Fiat and A. Shamir, “How to prove yourself: how to prove yourself: practical solutions to identification and signature problems,” in Advances in Cryptology-CRYPTO '86, A. Odlyzko, Ed., vol. 263 of Lecture Notes in Computer Science, pp. 186–204, Springer, Berlin, Germany, 1987.
- M. Bellare and P. Rogaway, “Random oracles are practical: a paradigm for designing efficient protocols,” in Proceedings of the 1st ACM Conference on Computer and Communications Security, pp. 62–73, ACM, November 1993.
- R. Cramer and V. Shoup, “A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack,” in Advances in Cryptology-CRYPTO '98, H. Krawczyk, Ed., vol. 1462 of Lecture Notes in Computer Science, pp. 13–29, Springer, Berlin, Germany, 1998.
- M. Jhanwar, “A practical (non-interactive) publicly verifiable secret sharing scheme,” in Information Security Practice and Experience, F. Bao and J. Weng, Eds., vol. 6672 of Lecture Notes in Computer Science, pp. 273–287, Springer, Berlin, Germany, 2011.
- W. Huaxiong and D. S. Wong, “On secret reconstruction in secret sharing schemes,” Information Theory, IEEE Transactions on 2008, vol. 54, no. 1, pp. 473–480, 2008.
- D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Advances in Cryptology-CRYPTO 2001, J. Kilian, Ed., vol. 2139 of Lecture Notes in Computer Science, pp. 213–230, Springer, Berlin, Germany, 2001.
- D. Boneh and X. Boyen, “Efficient selective-ID secure identity-based encryption without random oracles,” in Advances in Cryptology-EUROCRYPT 2004, C. Cachin and J. Camenisch, Eds., vol. 3027 of Lecture Notes in Computer Science, pp. 223–239, Springer, Berlin, Germany, 2004.
- B. Waters, “Efficient identity-based encryption without random oracles,” in Advances in Cryptology-EUROCRYPT 2005, R. Cramer, Ed., vol. 3494 of Lecture Notes in Computer Science, pp. 557–557, Springer, Berlin, Germany, 2005.