Abstract

Threshold secret sharing is concerned with the splitting of a secret into shares and distributing them to some persons without revealing its information. Any ≤ persons possessing the shares have the ability to reconstruct the secret, but any persons less than cannot do the reconstruction. Linear secret sharing scheme is an important branch of secret sharing. The purpose of this paper is to propose a new polynomial based linear (, ) secret sharing scheme, which is based on Shamir’s secret sharing scheme and ElGamal cryptosystem. Firstly, we withdraw some required properties of secret sharing scheme after reviewing the related schemes and ElGamal cryptosystem. The designed scheme provides the properties of security for the secret, recoverability of the secret, privacy of the secret, and cheating detection of the forged shares. It has half computation overhead than the previous linear scheme.

1. Introduction

Information security has been a major concern over the past years in communication technology. The main concern has been how to make information confidential, authenticating and protecting it from being altered before reaching the receiver. Cryptography is part of the answer to these concerns [1]. The idea in cryptography is to prevent unauthorized use or alteration of information using mathematical tools. In a symmetric cryptosystem, this is achieved by using a shared secret key and in asymmetric cryptosystem it is achieved by using a pair of keys, public and private. The use of secret key or public and private key pair raised another problem of securely storing it. To address this problem, secret sharing schemes allow reliable storage without any risk [2, 3].

Threshold secret sharing is a method of splitting a secret into shares and distributing them to users such that the shares do not reveal any information about the secret [4]. In this care, the secret is a secret key, which needs to be stored securely. The secret is reconstructed easily if the authorized number of users combines their shares together. A subset of unauthorized users cannot reconstruct the secret or gain any information about the secret. The shares are sent to users using private channels so that each user should not have information of shares of the other users before reconstruction is done. Schemes that achieve this are called secret sharing schemes. Some schemes reveal the shares of all users who take part in secret reconstruction. In such schemes, users know all shares after the secret is reconstructed. This is called open reconstruction. While other schemes do not reveal the shares even after reconstruction is done for the reason that the shares may be reused. This is called closed reconstruction. Such schemes use a trusted third party to take the role of secret reconstruction as discussed by Martin [5].

Shamir introduced a (, ) threshold secret sharing scheme, which provides secure way of sharing a secret [6]. The scheme starts with secret information, which is divided into pieces of information called shares. The shares are distributed by a dealer to individuals, called users; each user gets at least a share. These shares do not reveal any information about the secret. The dealer is entrusted with sharing of the secret to users using share generation and distribution algorithms. No user knows the share of the others because distribution is done through secure channel. The secret is reconstructed by any authorized subset of users with cardinality using Lagrange interpolation.

Tompa and Woll exposed the weakness of Shamir’s scheme by introducing a cheating concept [7]. Malicious users present forged shares during reconstruction so that the honest users get an invalid secret. The cheaters will be able to reconstruct a valid secret since they know all correct shares. Therefore, Shamir’s scheme cannot withstand this attack even if there is only one cheater. Furthermore, they proposed an improved scheme which uses redundant shares to detect cheating so that malicious users are prevented. Redundant shares are extra shares used in reconstructing the secret other than the required threshold. Many schemes also solve the same problem of cheating detection [8–14].

Apart from cheating detection, there are schemes that identify cheaters in [15–20]. These schemes provide the method of identifying any forged share once it has been detected that cheating takes place. Identification is also good since it helps to recognize who the cheater is and can be removed from the system during the next sharing. Other schemes reconstruct the secret even though there are forged shares called robust secret sharing scheme (RSS) [21–23]. RSS prevents cheating by allowing the reconstruction of the correct secret even if some participants submit forged shares. However, the probability of recovering the secret in RSS depends on the number of forged shares submitted during reconstruction phase. Furthermore, some schemes verify shares and are called verifiable secret sharing schemes (VSS) [24, 25]. VSS also prevents cheating by verifying the shares received from the dealer. In VSS, users assume that the adversary may corrupt the dealer, as a result it is no longer trusted. Once user receives the share from the dealer, he (or she) shares it to other users and creates a check vector, which helps to identify cheaters. The user rejects the share if it does not agree to the check vector, otherwise accepts it.

To achieve cheating prevention, users are given a share of the secret plus additional information, which is used for cheating detection. This makes share size , ∀≤ - 1, to increase greatly as compared to the secret size. However, it is shown by Carpentier et al. that a lower bound for the problem should be given as ≥ / ε, where ε is the cheating probability [26]. The lower bound is based on the assumption that t - 1 cheaters somehow know the secret before they cheat a user . This is called Carpentieri, De Santis, and Vaccaro (CDV) assumption. However, Ogata and Kurosawa proposed a scheme that detects cheating based on the assumption that no cheating user knows the secret [27]. The scheme’s share size reaches the lower bound of ≥ ( - 1)/ε+1. This is called Ogata, Kurosawa, and Stinson (OKS) assumption.

Linear secret sharing schemes have been studied because of their application in multiparty computation and function sharing [28, 29]. The schemes are able to detect cheating behavior of malicious users during reconstruction of the secret; hence, an honest user cannot be fooled. Liu et al.’s scheme could be applied if system needs to share more than one secret [28]. Cramer et al.’s scheme depends its security on the universal hash function, which means that it is not unconditionally secure, where Lin and Harn’s scheme has been proved to be easily broken by a simple attack as pointed out by Ghodosi [30, 31]. Liu et al.’s scheme uses two polynomials to detect cheating during secret reconstruction and reduce the share size given to a user. Use of two polynomials increases the number of computations the scheme undergoes. As a result, there is an increased computation overhead.

This paper proposes a new linear (t, n) threshold secret sharing scheme based on a polynomial called polynomial based linear scheme (PBLS), which optimizes the number of computation overhead while maintaining security and privacy concerns. The goals that achieve security and privacy concerns (SP) of PBLS are(i)SP1: provide security of the secret.(ii)SP2: provide recoverability of the secret once shared.(iii)SP3: provide privacy of the secret and shares.(iv)SP4: provide cheating detection feasibility not only for one cheater but also t – 1 cheaters so that any malicious behavior could be detected.

The goal that achieves computation overhead (CO) of PBLS is(i)CO: reduce the number of polynomials used so that computational overhead is reduced as compared to Liu et al.’s scheme.

To achieve these goals, PBLS uses ElGamal cryptosystem and Shamir’s scheme as core operations. ElGamal cryptosystem helps to design a basic scheme, which is the initialization of PBLS. The basic scheme aims at hiding the secret during share generation phase, which can be revealed during cheating detection. PBLS applies Shamir’s secret sharing scheme to share the secret, which uses the polynomial such that the element hiding the secret becomes the coefficient of . Therefore, reconstruction of the secret in PBLS uses Lagrange interpolation, which comes up with the polynomial . Revealing the secret helps to detect cheating. PBLS has an advantage over Liu et al.’s scheme in the computation overhead concern. Furthermore, PBLS provides cheating detection feasibility, which is not available in Shamir’s scheme.

2. Preliminaries

This section provides some basic mathematical and cryptographic concepts, which are major tools in secret sharing schemes, and reviews related works. First of all, the definition of finite field is provided together with some properties [32–34]. Polynomials in a finite field and Lagrange interpolation are also discussed to give understanding on the concepts. ElGamal cryptosystem is briefly discussed because it is used in construction of basic scheme. After that, we review related works such as linear secret sharing schemes, access structure, and some previous schemes like Shamir’s and Liu et al.’s schemes [6, 14].

2.1. Basic Mathematical and Cryptographic Concepts

This section gives an overview of some mathematical concepts, which are useful in secret sharing like finite field, polynomial and Lagrange interpolation. For more details on finite field, refer to [32–34]. The section also gives an overview of ElGamal cryptosystem, which assists in construction of basic scheme.

2.1.1. Finite Field

Definition 1. A finite field is a finite set on which addition, subtraction, multiplication, and division are defined and the following axioms are satisfied.(1)Associative: for all a, b, and in , a + (b + c) = (a + b) + c and a · (b · c) = (a · b) · c.(2)Commutative: for all and b∈, a + b = b + a and a · b = b · a.(3)Existence of identity: there exists elements and ∈, such that a + e = e + a = a and = · a = a.(4)Existence of inverse: for every element a ∈, there exists an element -a such that a + (-a) = e. Similarly for every element a ∈, there exists an element a⁻¹∈ such that a · a⁻¹ = .(5)Distributive: for all a, b, and in , a · (b + c) = (a · b) + (a · c).Note that an element -a is called additive inverse and another element is called multiplicative inverse. An element is an additive identity and an element is multiplicative identity. In this paper, we take e = 0 and = 1.

Definition 2 (finite field of order p). Let be a prime. The set of integers = , 1, 2, …, p - with addition and multiplication performed modulo is a finite field of order and is denoted as = .

Proposition 3 (multiplicative inverse). Let be a prime. Element a∈, a ≠ 0 has a multiplicative inverse b = a⁻¹ such that a · b ≡ 1 p.

Definition 4 (group of units). Let be a prime. A group is a set that contains nonzero elements and is called a group of units.

2.1.2. Polynomials over Finite Field

Definition 5 (polynomial over ). Let be a field. Any expression where is an arbitrary positive integer which is called a polynomial over .

Definition 6 (degree of polynomial f(x)). Given a nonzero polynomial , where ≠ 0, the number is said to be the degree of f(x) denoted as deg f(x).

Definition 7 (equal polynomials). Let and , where ≠ 0 and ≠ 0 are two polynomials of degrees and m, respectively. The two polynomials are equal and write f(x) = (x), if t = m and = for all i = , 1, 2, …, .

Definition 8 (roots of a polynomial). An element α∈ is called a root of f(x) if f(α) = 0.

Proposition 9. A polynomial , ∈ of degree cannot have more than roots in the field .

2.1.3. Lagrange Interpolation

This is a method of reconstructing a polynomial from given known points. The polynomial constructed by Lagrange interpolation is called Lagrange interpolation polynomial, which is unique. To reconstruct the polynomial of degree t, t + 1 values are required, i.e., (, ) for all i = 0, 1, 2, …, t such that f() = .

Proposition 10. Let for all i = 0, 1, 2, …, t be distinct elements of and for all i = 0, 1, 2, …, t be arbitrary elements of. There exists no more than one polynomial f(x) of degree at most such that  f() = for all i = 0, 1, 2, …, t.

Theorem 11 (see [33]). Let , , …, be distinct elements of and , , …, be arbitrary elements of. There exists a unique polynomialof degree at most such that f() = for all i = 0, 1, 2, …, t.

Proof. We adopt the proof by Slinko [33]. The polynomial in Equation (2) was constructed as follows. First construct polynomials (x) of degree such that () = 1 and () = 0 for i ≠ j. These polynomials areThus, the polynomials (x), (x), …, (x) are constructed. Furthermore, we multiply by for i = 0, 1, 2, …, t and obtain the polynomials β₀g₀(x), β₁g₁(x), …, β_tg_t(x). Summing the polynomials β_ig_i(x) the desired polynomial f(x) is constructed as Equation (4).We set f() = as required. This polynomial is unique by Proposition 10.

2.1.4. ElGamal Cryptosystem

ElGamal cryptosystem is in a family of public key cryptography [35]. Public key cryptography uses public key and private key to encrypt and decrypt messages, respectively, such that knowledge of private key makes decryption easy. Without knowing the private key, it is impossible to decrypt a message in acceptable time. Security of ElGamal is based on discrete logarithm problem (DLP). Therefore, an attacker has to solve DLP to decrypt an intercepted message on ElGamal cryptosystem.

Definition 12 (finite field DLP (FFDLP)). Given a finite field , a primitive element of , and a nonzero element of , the FFDLP of to base g, written as log_g(b), is determining the least nonnegative integer such that d = gⁱ.

Three algorithms are used in ElGamal cryptosystem, which are key generation, encryption, and decryption. We assume Alice and Bob want to communicate over an insecure channel. They have to generate a public and private key pair for encryption and decryption as follows.

Key Generation. Bob will do the following steps:(i)Generate a large prime and a generator of a multiplicative group (ii)Select a random integer b ∈ such that 1 ≤ b ≤ p – 2(iii)Compute Y ≡ g^b mod p.

The public key for Bob is (p, g, Y) and is the private key. Bob publishes the public key so that if anyone wants to send an encrypted message to him, they can use it. Y is an element in , which has a multiplicative inverse in the group.

When Alice wants to send a message to Bob, she needs to use Bob’s public key to encrypt the message. The following are the steps she takes:

Encryption(i)Encode the message such that 1 ≤ M ≤ p – 1.(ii)Select a random exponent k.(iii)Compute = g^k and = M · Y^k.

The encrypted message sent to Bob is a pair (, ).

Once Bob receives the message, he uses his private key to decrypt it in the following way:

Decryption(i)Compute = g^-bk(ii)Compute M = · = g^-bk · M · g^bk.

The element is the multiplicative inverse of g^bk.

2.2. Related Works

This section reviews linear secret sharing schemes, access structure of secret sharing schemes, and some previous schemes like Shamir’s and Liu et al.’s schemes [6, 14]. Furthermore, the section discusses the strong and weak properties of the reviewed schemes.

2.2.1. Linear Secret Sharing Scheme

Linear (t, n) secret sharing scheme is a special type of secret sharing scheme where all the shares of the secret satisfy a linear relationship [6, 14]. The Definition 13 gives what linear secret sharing scheme is.

Definition 13 (linear secret sharing scheme). A (t, n) secret sharing scheme is a linear secret sharing scheme when the shares, , , …, can be presented as in Equation (5) where is a public t × n matrix whose any t × t submatrix is not singular. The vector (, , …, ) is randomly chosen by the dealer.

According to Definition 13, we can see that Shamir’s (t, n) secret sharing scheme is a linear scheme. LetThe shares = f(i), i = 1, 2, …, n can be presented as in Equation (7)where = jⁱ¹ ( denotes the entry at ith row and jth column of matrix H).

2.2.2. Access Structure

Assume that is the set of users where U = , , …, and is the dealer who facilitates secret sharing. An access structure is defined as follows.

Definition 14 (access structure). Let 2^U be the power set of the set of all users . The set Γ ⊆ 2^U of all authorized coalitions is called the access structure of the secret sharing scheme [33].
If a subset is in the access structure, all sets that contain that subset should also form part of the access structure. Let and be subsets of Γ such that X⊆ Y. An access structure Γ may be any subset of 2^U such that The condition in Equation (8) attached to access structure is called monotone property, which shows that if a smaller subset can know the secret, then any other larger set containing the subset will know it too.

Definition 15. Let Γ ⊆ 2^U be an access structure. A coalition C⊆ U is called minimal authorized coalition if it is authorized and any proper subset of is not authorized [33].
For example, if T⊂ C and C is the minimal authorized coalition, then is not authorized because < . The assumption is that every user is in at least one minimal coalition and otherwise is not useful in reconstructing the secret. In a linear (t, n) secret sharing scheme, the minimal coalition has subsets with users.

2.2.3. Shamir’s (t, n) Threshold Scheme

Shamir proposed a (t, n) threshold scheme that splits a secret s∈ S into shares, which are distributed to users [6]. Splitting is done by a dealer using an algorithm called share generation algorithm. The algorithm uses a polynomial f(x) of degree t - 1 to generate and distribute shares. The secret is reconstructed based on interpolating a polynomial using Lagrange interpolation, which is reconstructed by users. The users combine their shares to reconstruct a polynomial (x) of degree using reconstruction algorithm. The algorithm inputs the user’s identity and their share , which forms a point or an ordered pair (i, ) for all i = 1, 2, …, t and outputs the secret (0) = s. Shamir’s scheme has the following important properties.(i)Share size is exactly equal to secret size.(ii)If a new player joins or leaves, it is easy to add or delete shares without affecting the other shares.(iii)It is easy to change the shares of the same secret just by changing the polynomial without breaching any security.(iv)t - 1 users do not reveal any information about the secret.

However, Tompa and Woll discovered that the scheme cannot withstand cheating if there is an untrusted user during secret reconstruction [7]. As a result, Shamir’s scheme faces the following challenges during secret reconstruction.(i)Any malicious user can present a forged share without being noticed.(ii)It is difficult to detect if the reconstructed secret is invalid.(iii)A malicious user, once is successful in cheating other users, will be able to reconstruct the valid secret.

2.2.4. Cheating Prevention

Cheating prevention in secret sharing became a great concern after Tompa and Woll introduced cheating concept. As a result, many schemes with cheating prevention are proposed where some detect cheating, others identify cheaters, and so on. Some of the categories of cheating prevention are as follows.(i)Cheating detection: schemes provide the method to detect any forged share submitted for secret reconstruction by malicious user [7, 12]. The assumption is that the dealer is trusted.(ii)Cheater identification: schemes provide the method to detect and identify any forged share presented for secret reconstruction by a malicious user [15, 17]. The assumption is that the dealer is trusted.(iii)Robust secret sharing: schemes assume the dealer is trusted. Schemes can reconstruct a correct secret even if there are a number of forged shares presented by untrusted user [22].(iv)Verifiable secret sharing: schemes assume that the dealer is not trusted. Each user verifies the shares if valid using verification algorithm before reconstruction is done [9, 25].

2.2.5. Liu Et Al.’s Scheme

Liu et al. proposed a linear threshold secret sharing scheme, which is capable of cheating detection with share size ≥ / ε, where ε > 0 is the probability of cheating [14]. Liu et al.’s scheme is a combination of two Shamir’s schemes. Two polynomials are used to share a secret . Cheating detection is done by finding a random element r∈ during secret reconstruction.

Liu et al.’s scheme adopts Shamir’s scheme in sharing the secret. This means that most properties of Liu et al.’s scheme are similar to Shamir’s scheme. However, there are some properties, which Shamir’s scheme does not have. The properties include the following.(i)Share size given to each user is equal to or greater than the secret size, i.e., ≥ / ε.(ii)Detect cheating whenever a forged share is presented during reconstruction.

However, the scheme uses two polynomials to achieve the property of cheating detection, which makes number of computations to double as compared to Shamir’s scheme.

3. New Linear Secret Sharing Scheme

This section proposes a new linear (t, n) threshold secret sharing scheme called polynomial based linear scheme (PBLS), which is based on one polynomial to reduce computational overhead of Liu et al.’s scheme and improve security of Shamir’s scheme in terms of cheating detection. PBLS is capable of cheating detection for any forged shares presented for secret reconstruction with the help of the coefficients of in the polynomial (x). The coefficients are determined by a basic scheme which is an initialization of PBLS that adopts its properties from ElGamal cryptosystem. The security of PBLS is based on Shamir’s scheme and ElGamal cryptosystem. PBLS provides perfect secret sharing, which is a required feature in all secret sharing schemes. The designed properties of PBLS withdrawn from the previous schemes satisfy SP1, SP2, SP3, and SP4, and computation overhead concern of CO.

3.1. Fundamental Properties

Basic scheme and PBLS adopt their properties from already existing scheme of ElGamal and Shamir. This makes the security of basic scheme and PBLS similar to the security of Shamir’s scheme and ElGamal cryptosystem.

3.1.1. Properties of Basic Scheme

Basic scheme adopts its properties from ElGamal cryptosystem, which uses finite field elements to hide information [35]. The aim of basic scheme is to hide a secret in share generation phase but can be revealed when cheating detection is taking place. Secret hiding is done by multiplying a random element by the secret s ∈ S to produce for all r, s, and z∈. The secret is revealed when a multiplicative inverse of is multiplied by z.

Security of ElGamal cryptosystem depends on the hardness of FFDLP. Therefore, basic scheme adopts the same security as ElGamal cryptosystem. Propositions 18 and 19 give the properties of basic scheme. However, to understand these properties better, we first provide Definition 16 and Corollary 17 without proof. The proofs for definition and corollary can be obtained in [36].

Definition 16. a ≡ b mod if and only if and leave the same remainder when divided by p.

Corollary 17. The integer is the remainder when is divided by if and only if a ≡ c mod p, where 0 ≤ c < p.

The following are the properties of basic scheme.

Proposition 18. Let and r ∈ be a secret and a random element, respectively, and z ≡ s · r mod such that is prime. It has FFDLP difficulty to withdraw and from the element z∈.

Proof. Since elements and are field elements, the operation n = s · r ≡ z mod is a modulo multiplication. Thus is a remainder when divides the integer . Assume that there exists only one integer n, which leaves a remainder when , thenBy Corollary 17, n ≡ z mod . Therefore, t is unique. Let d = a · b such that a ≠ s ≠ r and b ≠ s ≠ r. By Definition 16, n ≡ d mod if and only if and leave the same remainder when they are divided by . ThusThis implies thatBut a ≠ s ≠ r and b ≠ s ≠ r. Therefore, t is not unique. This contradicts the fact that is the only integer that leaves a remainder when . Therefore n ≡ d mod , where d ≠ n. Element is a remainder whenever t · p divides such that d > t · p and such that n > t · p. Integers and contain different factors since they are not equal hence difficult to determine and from z, which is FFDLP.

Proposition 19. Let z ≡ s · r such that s∈ is a secret, r∈ is a random element, and is prime. It is impossible to determine from z, which is based on the difficulty of the fractional decomposition.

Proof. By Proposition 18, it is difficult to determine and from because does not reveal and . If we assume that we know the value of r, then it is possible to determine . Since is known, the multiplicative inverse of can be computed from finite field . Multiplying by r⁻¹ gives as follows:Knowledge of helps to determine . Therefore, by contrapositive, we cannot determine from z, which is based on the fractional decomposition difficulty.

It is noted that though FFDLP is applied in basic scheme, there is a difference with ElGamal cryptosystem. The difference is that basic scheme makes no use of exponentiation, which helps it to operate in polynomial time.

3.1.2. Properties of PBLS

Any secret sharing scheme should be secure from malicious users by denying them the opportunity to obtain the secret when the required number of users is not reached. At the same time, the secret should be able to be reconstructed after sharing. PBLS adopts its properties from Shamir’s secret sharing scheme, which shares a secret to users to be recovered by users where t ≤ n using a polynomial of degree t – 1, where the coefficients of and are and z, respectively. Therefore, all the properties for Shamir’s scheme also hold for PBLS. However, PBLS also consists of some properties of ElGamal cryptosystem because of the use of basic scheme. Two fundamental properties of designing PBLS, which are adopted from Shamir’s scheme, are given in Proposition 20 such that every secret sharing scheme has to be achieved.

Proposition 20 (SP1 and SP3). Let be the secret and the threshold. Any less than users cannot know the secret.

Proposition 21 (SP2). Let be the threshold of a secret sharing scheme. Any or more than users should be able to reconstruct the secret by combining their shares together.

Since Shamir’s scheme is linear that is shares of secret satisfy a linear relationship, PBLS is also linear. However, PBLS has a property of SP4 as in Proposition 22.

Proposition 22 (SP4). Let be the threshold of a secret sharing scheme and there are any less than forged shares used for secret reconstruction. The shares will be detected during secret reconstruction.

Any secret sharing scheme, which prevents cheating, must give to each participant shares whose sizes are at least the size of the secret plus log 1/ε, where ε is the probability of successful cheating [26]. The Proposition 23 gives a property of the share size of PBLS given to users.

Proposition 23. Let = (i), be the share given to each user. The share size of PBLS attains the bounds of ≥ /ε.

Any secret sharing scheme has a set of users who are allowed to make reconstruction of the secret called the access structure based on Definitions 14 and 15. Proposition 24 provides an access structure of PBLS.

Proposition 24. Let U = , , …, be the set of users. The access structure of PBLS is a set Γ ⊆ such that X⊆ Γ, where ≥ t.

Proof. The scheme uses Lagrange interpolation to come up with a polynomial f(x) of degree t - 1. By Theorem 11, t points are required to interpolate this polynomial. Thus any subset of or more than shares is authorized to reconstruct the secret.

PBLS is composed of basic scheme and Shamir’s scheme. However, exponentiation is not used in PBLS to reduce computation cost. Figure 1 shows the properties of ElGamal cryptosystem and Shamir’s secret sharing scheme and how they are adopted in basic scheme and PBLS.

Figure 1 

Adoption of ElGamal cryptosystem and Shamir’s scheme in PBLS.

3.1.3. Adversary Model

In any cryptographic application, an attacker has different goals to achieve for the attack mode to it. Secret sharing schemes face cheating attack, which was discovered by Tompa and Woll. Despite different applications of secret sharing schemes, a malicious user presents forged shares during secret reconstruction. Therefore, the following are some goals of cheaters in secret sharing schemes try to achieve:(i)To recover the valid secret while the honest users are unable to detect cheating [29]. In this case, honest users believe the secret to be valid.(ii)To recover the secret while the honest users are able to detect cheating [37]. The honest users will not have access to this secret; hence, they simply assist to reconstruct it without their knowledge.

There are two assumptions in which cheaters behave. These are OKS and CDV as discussed [26, 27]. CDV assumes that cheaters already know the secret to be reconstructed. They only aim at blocking the correct reconstruction of the secret while they already have the secret. Honest users will get the invalid secret. On the other hand, OKS assumes that the cheater does not know the secret to be reconstructed. The aim is to block the correct reconstruction of the secret, but at the end they should be able to get a valid secret. PBLS considers OKS assumption because the aim of secret sharing is that the secret should not be known before reconstruction.

Cheating becomes successful when cheaters managed to reconstruct a valid secret while honest users failed to detect that cheating takes place. PBLS makes sure that does not recover the secret whenever cheating detection is achieved. To prevent from learning the secret, a closed reconstruction is done where no user can see the share of the other users. This also prevents malicious users who communicate their shares during reconstruction after learning the shares of honest user as described by [38]. Such users are called rushing cheaters.

3.2. Proposed Schemes

This subsection proposes basic scheme and PBLS. Basic scheme has two algorithms, which are secret hiding and secret revealing. The secret is hidden with field element in secret hiding algorithm. It is revealed using the multiplicative inverse of the element in secret revealing algorithm. PBLS has three algorithms, which are share generation, secret reconstruction, and cheating detection.

3.2.1. Basic Scheme

This subsection proposes basic scheme, which is the basis for constructing PBLS proposed in Section 3.2.2. Basic scheme provides a conceptual process of how PBLS detects cheating during secret reconstruction. A secret is hidden by a field element and can be revealed by a multiplicative inverse of the element r.

Secret Hiding. Consider a finite field in which is a prime such that p - 1 has at least one large prime factor. If p - 1 has only small prime factors, then computing FFDLP is easy as pointed out by [5]. By Proposition 3, all nonzero elements in have a multiplicative inverse such that a · b ≡ 1 mod . A secret is also the field element as s∈. Any random number except 1 can be used to hide the secret . The algorithm for hiding the secret avoids using 1 because it is a multiplicative identity therefore cannot hide . After multiplying by s, a different field element is obtained. Hence Equation (13) follows

Algorithm 25 describes how a secret is hidden using field element in basic scheme.

Algorithm 25 (secret hiding). Input. Secret s
Output. Element z
Process(i)Choose a random element r∈.(ii)Compute by multiplying by s.(iii)Output element z∈.Figure 2 illustrates how Algorithm 25 works.
The element does not reveal any information of and in basic scheme.

Figure 2 

Secret hiding in basic scheme.

Secret Revealing. Whenever one wants the secret back, he (or she) simply computes the multiplicative inverse of r, given as , and multiplies it by to get the secret . Therefore, multiplying by multiplicative inverse of is the same as multiplying by r⁻¹ by . This means 1 is multiplied by to get a result as in Equation (14)

Algorithm 26 shows how to reveal the secret using the multiplicative inverse of r.

Algorithm 26 (secret revealing). Input. Elements and r
Output. Secret s
Process(i)Compute multiplicative inverse of element r, i.e., b = r⁻¹.(ii)Compute by multiplying by z.(iii)Output s.Figure 3 illustrates Algorithm 26: how revealing the secret occurs.

Figure 3 

Secret revealing in basic scheme.

Basic scheme requires to be kept secret so that the secret remains private and secure. Otherwise, any adversary will be able to compute the inverse of and reveal as is done in Algorithm 26. We demonstrate this with a dummy example below.

Example 27. Let p = 23 and s = 12. Secret can be hidden as follows. Choose a random element r = 7 ∈. Compute by multiplying by to obtain zThe secret 12 is hidden as 15. It is difficult for an adversary to know the secret 12 and the random 7 from 15 alone unless he (or she) solves FFDLP. The secret is revealed by computing b, the multiplicative inverse of rand computing by multiplying by zNote that in practice, p should be a large prime number for the scheme to be secure enough.

3.2.2. Polynomial Based Linear Scheme (PBLS)

In this subsection, a linear (t, n) threshold secret sharing scheme, PBLS, is proposed, which provides cheating detection based on basic scheme and Shamir’s secret sharing. We assume using two trusted third parties dealer and combiner C. D generates and distributes shares to users while collects any shares and reconstructs the secret. A trusted user can also be depending on the application. C does not reveal shares after reconstruction and hence performs a closed reconstruction. In addition, C performs cheating detection in secret reconstruction phase. PBLS has three algorithms, which are share generation, secret reconstruction, and cheating detection.

Share Generation. As Shamir’s scheme, share generation algorithm starts with setting public parameters, prime and threshold t. D chooses a random element from a finite field , then hides the secret using Algorithm 25. The output is element z∈. D computes b∈, a multiplicative inverse of . The element is sent to users on public channel while element becomes a coefficient of in polynomial f(x). To share the secret s, D chooses a random polynomial of degree t - 1, which has constraints of two coefficients, = s and = z. D computes f(i) for all i = 1, 2, …, n and distributes = (i, f(i)) to users where i = 1, 2, …, n. Algorithm 28 shows how shares are generated and distributed to users.

Algorithm 28 (share generation). Input. Secret s
Output. Secret shares where i = 1, 2, …, n
Process(i) D uses Algorithm 25 to compute z.(ii) D uses Algorithm 26 to compute b.(iii) D chooses a random polynomial f(x) of degree t - 1 over , i.e., such that = s and = z.(iv) D computes f(i) and distributes = (i, f(i)) and to for all i = 1, 2, …, n secretly.Figure 4 illustrates the share generation algorithm in PBLS.
Users cannot obtain information of the secret from without the knowledge of unless they have to solve FFDLP.

Figure 4 

Share generation in PBLS.

Secret Reconstruction. If the secret is required for use, any t ≤ n users combine their shares together to reconstruct it. The combiner can be one of the user or a trusted third party who does the reconstruction without revealing the shares. Users send their shares to together with b. C uses Lagrange interpolation to reconstruct the polynomial of degree t - 1 from at least points, i.e., (1, f(1)), (2, f(2)), … (i, f(i)) and the secret is f(0) if all users are honest. Figure 5 illustrates how secret reconstruction is done in PBLS.

Figure 5 

Secret reconstruction in PBLS.

Algorithm 29 (secret reconstruction). Input. Any list of shares
Output. Secret = s if there is no cheater or ≠ s if cheaters exist
Process(i) C reconstructs (x) from (i, ) using Lagrange interpolation (ii) C outputs polynomial (x) = + x + + … + x^t-1.By Theorem 11, the reconstructed polynomial (x) is unique and if there is no cheating then polynomial (x) is equal to polynomial f(x). Therefore, the secret is (0) = = = s.

Cheating Detection. It is important to check if there are forged shares presented during secret reconstruction. In this phase, PBLS uses basic scheme to reveal the secret since it is hidden in the coefficient of of the polynomial f(x). Consequently, the polynomial (x) should have the same coefficient. The secret is revealed by multiplying the coefficient of by a multiplicative inverse of an element . If the result gives term , then there is no cheating. Therefore, the secret is valid. Otherwise, some forged shares are used during reconstruction of the secret. Algorithm 30 shows how cheating detection is done.

Algorithm 30 (cheating detection). Input. Elements and b
Output. No cheating or cheating
Process (i)C computes b · z = .(ii)C outputs no cheating if holds or cheating otherwise.C uses Algorithm 30 to detect if forged shares were presented to reconstruct the secret. C uses multiply by to get . Once the output is not , then cheating took place, secret reconstruction halted, and the reconstructed secret was not valid. C sends to users a signal that secret reconstruction has failed. In cases where all users are honest, Algorithm 30 outputs no cheating. Consequently, the output Algorithm 29 valid and sends to each user, which shows that secret reconstruct is successful. A simple example below demonstrates how the new scheme works.

Example 31. Let p = 23. Given the secret s = 12, we can share it to n = 6 users such that any t = 4 of them can reconstruct the secret.
We use Algorithm 25 to hide the secret and select a random r ∈ as 15We also compute a multiplicative inverse of r.Let the random polynomial beThe shares given to users areEach user also receives 20 a multiplicative inverse of 15 ∈.
When the secret is required, any 4 users send their shares to to reconstruct the secret . Let , , , and send their shares to . We use Lagrange interpolation to reconstruct a polynomial (x). We find the (x) ∀i = , 1, 2, as discussed in Section 2.1.3Therefore, the polynomial (x) isThe polynomial (x) = 9x³ + 20x² + 19x +12 is the same used to share the secret. Cheating detection is done by multiplying 19 by 20, which gives 12. Assuming users , , and want to cheat . Let the forged shares be : (1, 8), : (3, 10), : (5, 17) and : (6, 7). C reconstructs a polynomialMultiplying 11 by 20 gives 12, which is not equal to 7. Cheating is detected by cheating detection algorithm in PBLS.

4. Analysis

This section provides the analysis of basic scheme and PBLS in terms of security and privacy with required features and computational overhead. We also compare the security, privacy, and computations in PBLS to Shamir’s scheme and Liu et al.’s scheme [6, 14]. PBLS achieves the required features for the secret sharing schemes like SP1, SP2, SP3, SP4, and CO. Proofs for these requirements are provided. For this, we first provide the proof for the security of basic scheme, which is used by PBLS to detect cheating. The section also provides the proof of how secure PBLS is against cheating based on the assumption of OKS because the aim of secret sharing is to make the secret not known to users until reconstruction.

4.1. Security and Privacy Analysis

This subsection provides the analysis on the security and privacy of PBLS and proves that the required features for secret sharing schemes are achieved. We show that PBLS achieves the following properties.(i)SP1: the secret is not known to all users and adversary before reconstruction.(ii)SP2: the secret can be reconstructed once it is shared to users.(iii)SP3: no less than required number of users can reconstruct the secret.(iv)SP4: this is based on OKS assumption, which provides the guarantee that no cheating can be successful in PBLS.

First, we show that basic scheme is secure from based on OKS adversary model in Section 3.1.3. At initialization of basic scheme, the secret is multiplied by a random element with an aim of hiding it. Two security issues rise up in this case:(i)security of in for the basic scheme and(ii)security of in the polynomial f(x).

Proposition 32 proves the security of basic scheme from any adversary, i.e., dishonest user or anyone who is not taking part in the secret sharing cannot obtain the secret without the knowledge of and its multiplicative inverse.

Proposition 32. Let be prime and z ≡ s · r such that s∈ and r ∈ are a secret and a random number, respectively. An adversary should solve FFDLP to obtain the secret from in basic scheme without the knowledge of and its multiplicative inverse.

Proof. We showed in Proposition 19 that an element cannot reveal any information about without the knowledge of . It was indicated that it is necessary to solve FFDLP to reveal from . Therefore, to know the secret from in basic scheme, one has to solve FFDLP. Basic scheme is secure from .

However, we also need to show that the secret cannot be revealed by in z, which is the polynomial used to distribute shares to users. Proposition 33 proves that basic scheme is secure in share generation algorithm.

Proposition 33. Let z, s, and as defined in Proposition 32 and be prime. An adversary should solve FFDLP to obtain the secret from in the polynomial f(x) even if multiplicative inverse of is known.

Proof. By Proposition 19, it is difficult to obtain from without the knowledge of . However, if is known, the secret can be obtained. During share generation all users have access to the multiplicative inverse of and their share; hence, it is possible to obtain the secret if is known. However, the secret and the element are coefficients of the polynomial, which are only known to the dealer. But the multiplicative inverse of cannot give information of and . This is the same as solving the FFDLP.

Security of secret sharing schemes depends on the private distribution of shares to user so that no user should know the shares of the other users. Therefore, each user has to receive the share from the dealer using a private channel. It is assumed that users do not communicate about their shares to each other unless they collaborate to cheat. Once the secret is divided, the shares do not show any information about the secret. As a result users do not have any information about the secret as assumed by OKS. In addition to this, shares are delivered privately to users and hence cannot know the share of the other users. Lemma 34 proves the fact of SP1 that users do not have access to the secret.

Lemma 34. Any secret share given to a participant in PBLS does not reveal the secret s.

Proof. In share generation, PBLS uses Shamir’s method to share the secret, which uses the polynomial f(x) of degree t - 1. Each share is evaluated from to give f(i) for all i > 0 such that is the identity of the user. The secret in the polynomial is f(0). Shares in Shamir’s scheme do not reveal any information of the secret. Since PBLS adopts Shamir’s method, the shares generated have the same security as those generated by Shamir’s scheme.

Lemma 34 proves that no single user can have access to the secret using only his (or her) share. However, the secret can be reconstructed if users pool in their shares together. Since the reconstruction is done by a trusted third party called combiner, no user is able to know the secret. However, the secret is obtained by the combiner. We now prove Proposition 35, which gives a proof on SP2 in PBLS.

Proposition 35. Let be the threshold. Any users can reconstruct the secret by combining their shares together in PBLS by using secret reconstruction algorithm.

Proof. Secret reconstruction in PBLS is done by interpolating the polynomial (x) by Lagrange interpolation. Given points (i, ) for all i =1, 2, …, t, interpolated polynomial as in Equation (19). We rewrite the Equation below for clarityBy Theorem 11 the polynomial (x) is unique which has degree t - 1. The dealer used Equation (18) to generate shares and we write itTherefore, the two polynomials in Equations (27) and (28) are equal. By Definition 7, = . So, = . Since is the secret, is also a secret, which has been reconstructed from shares. Therefore, the secret in PBLS can be reconstructed.

If shares can reveal the secret, then less than shares should not be able to show any information about the secret. This is the recommendation of a secret sharing scheme to be achieved, which is called privacy. Proposition 36 proves SP3 of PBLS such that less than the required threshold can neither recover the secret not gain information about the secret.

Proposition 36. Let be the threshold. Less than users cannot reconstruct or know any information of the secret in PBLS.

Proof. We need to show that t - 1 shares do not reveal any information about the secret. Assume t - 1 participants collude to recover the secret, which means they will have t - 1 points to interpolate a polynomial (x) of degree t - 1. However, these points will interpolate a polynomial of degree t - 2 as far as Theorem 11 is concerned, henceEquations (27) and (28) are not equal since they have different degrees. The fact that polynomial in Equation (29) is unique makes their coefficient differ as well. The other way is to try to solve a system of t - 1 equations with unknowns as shown in the matrix Equation (30). But it is impossible to solve such equations unless the t-th term is guessed. Thus, we need at least points to interpolate the polynomial, which might be not correct since the t-th share is secretly delivered to user. By Lemma 34, each share does not reveal the information about the secret. Therefore, t - 1 shares cannot reveal any information about the secret in PBLS.

During secret reconstruction, t - 1 users may collude to cheat the t-th user. Since the aim of the cheaters is to prevent the correct recovery of the secret at the same time they should be able to reconstruct the valid secret. This is avoided in PBLS because all shares from participating users are not revealed during secret reconstruction. Therefore, if t - 1 users communicated their shares, it will be difficult to reconstruct the secret without the t-th share as proved in Proposition 35. Furthermore, PBLS will be able to detect cheating if t - 1 or less shares are forged. Proposition 37 proves that no cheating can be successful in PBLS even if t - 1 forged shares were presented during secret reconstruction.

Proposition 37. Let be the threshold and t - 1 be forged shares presented to the combiner. The forged shares will be detected during secret reconstruction in PBLS.

Proof. Once fake shares are pooled to the combiner, the combiner uses Lagrange interpolation to compute a polynomial (x) of degree t - 1, which is unique; hence (x) ≠ f(x). After coming up with the polynomial, the combiner will use the multiplicative inverse of the random element r⁻¹∈ to verify the secret as follows: where is the coefficient of . This works by Proposition 3. Since forged shares are used in secret reconstruction, the interpolated polynomial (x) will not be equal to the polynomial used by the dealer in share generation algorithm; therefore, ≠ . Equation (31) will not work; thus z · r⁻¹ ≠ s. Therefore, cheating is detected in PBLS.

PBLS achieves the share size of = /ε such that ε > 0 is the probability for successful cheating. Theorem 38 provides the security of PBLS and a proof on the share size of PBLS [30–39].

Theorem 38. PBLS described in Section 3.2.2 realizing the access structure Γ is ε-secure against up to t - 1 cheaters who may somehow know the secret beforehand. Moreover, the share size is = = /ε, where ε = 1/p and denotes the share space of the i-th participant .

Proof. Since is prime, is a finite field. We let the secret to be bits long soFor successful cheating, an adversary has the sample space of . Hence the probability isSince every user receives f(i) and y, the share isSo = p and = p. Therefore,From Equations (32) and (33), This implies that From Equation (35)Suppose an honest participant having the share = ( h, f(h) ) belongs to the k-th compartment. For a valid but incorrect secret ∈ S to be accepted by , after parsing another check polynomial (x) with (0) = , the point (, g()) should lie on the polynomial (x). So, the successful cheating probability (PBLS, ) of cheaters against PBLS is defined asSince is a polynomial g(x) of degree t - 1 over from different constant term, ε = 1/p. This proves the theorem.

Propositions 35 and 36 indicate that PBLS is perfect since the secret can be recovered by the required threshold but not less. This is the same for Shamir’s scheme and Liu et al.’s scheme. Theorem 38 indicates that any cheating behavior can be detected, which is similar to Liu et al.’s scheme. Furthermore, PBLS and Liu et al.’s scheme have the same share size given to users. Therefore, PBLS and Liu et al.’s scheme have the same property of cheating detection.

We now compare the security and properties of PBLS with Shamir’s scheme and Liu et al.’s scheme. Table 1 shows that comparison of SPs and CO of these schemes.

Table 1 shows that the schemes have similar properties in terms of SP1, SP2, and SP3. However, Shamir’s scheme does not provide SP4. It also shows that PBLS achieves CO simultaneously. Even if PBLS provides good aspects in security and privacy, we need to mention that there is possibility that shareholders have some advantages over learning the secret since they have as mentioned in Algorithm 28. So, our future research should focus on devising a new scheme to solve this probability.

4.2. Computation Analysis

In this subsection, we analyze the computation overhead of PBLS and give a comparison to Shamir’s scheme and Liu et al.’s scheme. Three operations are used in this analysis, which are modulo addition (add), modulo multiplication (mul), and modulo inverse (inv). The analysis will consider all the two algorithms. However Algorithm 25 of basic scheme is not considered in this analysis since it is an initialization phase of PBLS.

4.2.1. Computations in PBLS

In PBLS, a share is computed from a polynomial f(x) of degree t - 1. Therefore, the polynomial has terms and t - 1 of them are multiplied by a variable . Each share requires modulo addition and modulo multiplication to be computed. Therefore, Table 2 shows computation in share generation of PBLS.