Special Issue: Advanced Data Security and Its Applications in Multimedia for Secure Communication
Research Article | Open Access
En Zhang, Jun-Zhe Zhu, Gong-Li Li, Jian Chang, Yu Li, "Outsourcing Hierarchical Threshold Secret Sharing Scheme Based on Reputation", Security and Communication Networks, vol. 2019, Article ID 6989383, 8 pages, 2019. https://doi.org/10.1155/2019/6989383
Outsourcing Hierarchical Threshold Secret Sharing Scheme Based on Reputation
Secret sharing is a basic tool in modern communication that protects privacy and provides information security. Among the properties of a secret sharing scheme, fairness is vital and desirable. To achieve fairness, existing schemes require either a trusted third party or the execution of a multiround protocol, both of which are impractical. Moreover, the classic scheme requires expensive computation in the share verification phase. In this work, we provide an outsourcing hierarchical threshold secret sharing (HTSS) protocol based on reputation. In the scheme, participants from different levels can fairly reconstruct the secret, and the protocol runs for only one round. A cloud service provider (CSP) uses its computing resources to help the participants complete the homomorphic encryption and the complex verification operations, and the CSP learns nothing useful about the secret. The participants obtain the secret with a small number of operations. To discourage collusion, we assume that each participant has a reputation value and is punished or rewarded according to their behavior. The reputation value of a participant who deviates from the protocol decreases; a participant will therefore choose the cooperative strategy to obtain the better payoff. Finally, we prove the scheme secure, and experiments indicate that it is feasible and efficient.
1. Introduction
Secret sharing is an important cryptographic primitive with widespread application in secure multiparty computation, image encryption, and attribute-based encryption. Secret sharing, an idea proposed independently by Shamir and Blakley, allows a dealer to distribute different shares among a set of participants such that any authorized subset of t or more participants can reconstruct the secret. However, it is hard to guarantee that the dealer and the participants are honest. To address this problem, verifiable secret sharing (VSS) schemes [3–5] additionally let the validity of shares be checked, so that cheating can be detected. Subsequently, a series of protocols [6–9] studied sharing multiple secrets at a time; in these schemes, participants submit a pseudoshare rather than a real share to recover the secrets. Secret sharing has become an important research topic, and a large number of schemes have been proposed. A multistage secret sharing scheme was introduced by Pilaram and Eghlidos, which is lattice-based and resists quantum attacks. Zhang et al. presented an outsourcing secret sharing scheme based on homomorphic encryption, but the scheme could not effectively resist collusion. More recently, secret sharing has been studied under stronger privacy requirements, in which the adversary must learn nothing about the secret even when some information about the shares leaks. Fehr and Yuan constructed a robust secret sharing scheme secure against a rushing adversary. Benhamouda et al. studied the leakage resilience of linear secret sharing schemes and of the MPC protocols built on them. A nonmalleable secret sharing scheme was presented by Goyal and Kumar; it resists an adversary who arbitrarily tampers with shares. Later, Goyal and Kumar proposed nonmalleable secret sharing schemes for more general access structures.
In practice, participants are rarely equal in status or privilege, and examples abound. In the research and development department of a company, for instance, the shares of the private key protecting confidential files may be distributed among employees, some of whom are accountants and some department managers. Company policy requires three employees to be present at the same time to open a confidential file, but at least one of them must be a department manager. Such a setting requires a special secret sharing method, and the concept of HTSS was proposed for it. Tassa introduced the structure of HTSS: a secret is shared among participants divided into different levels, and only a subset that satisfies the threshold at each level can reconstruct the secret; a subset that does not learns nothing about it. Later, Traverso et al. proposed an HTSS scheme that supports verifiability and dynamics, i.e., adding, removing, and renewing shares. Recently, Mohamed and Arockia introduced an HTSS scheme for color images, and Bhattacharjee et al. presented a hierarchical secret image sharing scheme for bandwidth-efficient transmission that offers a high degree of robustness in compressed sensing.
In the classic secret sharing scheme, fairness is a desirable property that guarantees every participant obtains the secret at the same time. To this end, Tompa and Woll first introduced a fair reconstruction scheme whose main idea is to hide the real secret value among dummy values so that a cheater has to guess its location. However, it is impractical to require all participants to release their shares synchronously. A fair threshold scheme was presented by Tian et al., in which the real secret value is hidden in a sequence to reduce the probability that a cheater guesses successfully. Combining this approach with game theory, Halpern and Teague introduced rational cryptographic protocols, in which the participants are rational players who act to maximize their own payoff. To achieve fairness, existing schemes require either a trusted third party or the execution of a multiround protocol, both of which are impractical.
Reputation systems play a key role in online communities such as auction markets, trusted content delivery, and e-commerce. By publishing reputation values, participants can choose trusted peers with whom to cooperate, and reputation systems effectively combat selfish, dishonest, and malicious behavior; Xiong and Liu give a detailed treatment. Building on reputation systems, Zhang et al. proposed a private set intersection (PSI) protocol for socially rational participants, in which parties that defect from the protocol are penalized. Nojoumian and Stinson introduced a socio-rational protocol in which participants are invited to execute an unknown number of protocol instances based on their reputation. A number of further works have followed: Litos and Zindros created a reputation network in which reputation is quantifiable and expressed in monetary terms, and Clark et al. presented a dynamic, privacy-preserving decentralized reputation system.
At present, the amount of data stored in the cloud is growing explosively. People are entering the era of big data, in which everything is digitized. According to the statistics of the Millet cloud storage service, the number of customers at the end of 2015 reached 97 million, with 46.5 billion photos and 504 million videos, and it is estimated that by 2020 the global data volume will reach 44 ZB. At the same time, outsourced computation is common: devices with limited computing power, such as smartphones, tablets, and sensors, outsource computation to a CSP so that their users can draw on effectively unlimited computing resources. Users are, however, reluctant to disclose sensitive personal data to the CSP. We therefore need a practical way to implement an HTSS scheme whose expensive computation can be outsourced without revealing the secret.
1.1. Our Contribution
We provide an outsourcing HTSS protocol based on reputation, as illustrated in Figure 1. In this protocol, secret shares are distributed to participants at different levels. The participants obtain the secret fairly with a small number of operations. Expensive computation is outsourced to a CSP, and the CSP learns nothing about the secret. Moreover, the reputation system discourages participants from colluding with the server. Compared with previous schemes, our scheme has the following advantages:
(1) The participants are not required to be online at all times, which avoids repeated interaction between the participants and the server.
(2) The protocol detects malicious behavior by either the participants or the server.
(3) Expensive computation is outsourced to a CSP. With its computing power, the CSP executes the homomorphic encryption and the complex verification operations, yet learns nothing about the secret.
(4) Combining the scheme with a reputation system, we design a social game model for hierarchical secret sharing that resists collusion between a participant and the server. Each participant has a reputation value and is punished or rewarded according to their behavior; all participants are rational players who act to maximize their own payoff. The reputation value of a participant who deviates from the protocol decreases, whereas in our model a participant who chooses the cooperative strategy obtains the better payoff. Each participant will therefore honestly follow the protocol.
We formally describe the preliminaries in Section 2 and construct an outsourcing HTSS scheme based on reputation in Section 3. We analyze the security of the scheme in Section 4 and compare it with previous schemes in Section 5. Finally, Section 6 concludes the paper.
2. Preliminaries
2.1. Secret Sharing Homomorphisms
Benaloh  described the homomorphic property of secret sharing. For example, consider two secrets and , which are shared by polynomials and . If we add the shares , each of can be viewed as a subshare of secret . Suppose that is defined as the secret domain, and is defined as the share domain. A set of functions can be determined, where and . Given any set of values , the following equation can define the secret :
Definition 1. Suppose and are two operations on the secret domain and share domain , respectively. There are
then
From the above definition, Shamir’s polynomial is -homomorphic, which implies that the sum of the shares is equivalent to shares of the sum.
2.2. Tassa’s Hierarchical Threshold Scheme
In HTSS, a set of participants is split into multiple levels , where is the highest level and is the lowest. For all , there is , where . Supposing that is the number of participants associated with level , we have . We then define a threshold associated with level , for , satisfying . In addition, we set , , and . The hierarchical access structure is therefore described as follows:
Next, we describe in detail how the Birkhoff interpolation reconstructs the secret.
The Birkhoff interpolation problem is to find a polynomial that satisfies the equalities , where is the -th derivative of at position . Suppose that an authorized subset can reconstruct the secret. associated with is a matrix with binary entries. If there is participant with share , then the entry is set to “1”. In addition, we set and define as the -th derivative of . The matrix can be expressed as follows:
The polynomial can be reconstructed as
where is obtained by replacing the -th column with the shares, taken in lexicographic order.
Definition 2. Let be a message space, be a share space, and be an access structure where is the threshold associated with level . Suppose that the pair is the identity of participant . Then, an HTSS scheme consists of a share phase and a reconstruction phase. Share Phase. A dealer outputs shares that are distributed to participant . Reconstruction Phase. An authorized subset of participants, i.e., one satisfying , reconstructs the secret using Birkhoff interpolation.
2.3. Social Game Model of Secret Sharing
Reputation systems can provide an incentive for honest behavior and help people decide who is trustworthy. Several reputation systems have been deployed in practical applications, such as encouraging compliance with e-commerce contracts. Next, we briefly review the related concepts and methods in .
Definition 3. Let be the trust value assigned by participant to during period , and let be the trust function computing the reputation of :
The monotonically increasing function and the monotonically decreasing function are used to update reputation values recursively, that is, to compute from . If participant chooses to cooperate during period , then ; if participant chooses to defect during period , then .
Subsequently, we review the payoff assumption. Let be ’s payoff by considering future action, let be ’s payoff by considering current action, let define whether the participant is aware of secret during period , and define . The generalized payoff assumptions of social games are as follows: (A) (B) (C)
Remark 1. A, B, and C have impact factors , , and , respectively, where .
Let
We can then obtain the current payoff and the future payoff as follows:
3. The HTSS Scheme Based on Reputation
In this section, combining outsourced computation with a reputation system, we propose a novel outsourcing HTSS protocol based on reputation. In the protocol, t or more parties from different levels that form an authorized subset can recover the secret. The scheme consists of five phases: an initialization phase, a secret distribution phase, an outsourcing phase, a reconstruction phase, and a reputation update phase. In the initialization phase, we formally define the parameters. In the secret distribution phase, a dealer distributes encrypted shares and broadcasts verification information, so each participant receives a random value and an encrypted share. In the outsourcing phase, the participants send their shares to a CSP, which returns the result to the participants without learning any useful information about the secret. In the reconstruction phase, the participants obtain the secret fairly. Finally, the participants' reputation values are updated. To discourage collusion, each participant has a reputation value and is punished or rewarded according to their behavior; for example, a participant who sends a collusion invitation to the CSP is penalized according to the reputation system.
3.1. Initialization Phase
Let and , such as , be two large primes, be a generator of the -th order subgroup of , and be a collision-resistant hash function.
A secret is shared among n parties, and the set of parties, denoted , is split into multiple levels . is the number of participants associated with level , and is the threshold associated with level , for . The pair is the identity of participant , for , , and .
3.2. Secret Distribution Phase
The trusted dealer distributes the shares by performing the following steps.
Step 1. The dealer randomly chooses coefficients and generates a polynomial with degree
where is the secret value, i.e., . The corresponding shares are , where is the -th derivative of the polynomial at position .
Step 2. The dealer randomly chooses coefficients and generates a second polynomial with the same degree
where , a random value, is distributed to all participants.
Step 3. By the homomorphic property of Definition 1, the sum of the shares equals the shares of the sum, so the dealer computes
Step 4. The dealer distributes to participant , for , , and .
Step 5. The dealer broadcasts the verification information
3.3. Outsourcing Phase
Suppose that t or more participants from different levels commit their shares; they then perform the following steps.
Step 1. An authorized subset of t participants sends to the CSP.
Step 2. The CSP checks whether is correct according to the following equation:
where . If the equation holds, the CSP proceeds to Step 3; otherwise, the protocol terminates and the cheating of participant is exposed.
Step 3. The CSP uses Birkhoff interpolation to reconstruct with :
From the above equation, the CSP obtains and sends it to the participants. Since the CSP only ever handles shares of the sum polynomial, the value it interpolates is the masked secret, not the secret itself.
3.4. Reconstruction Phase
Each participant obtains the secret with a small amount of computation as follows.
Step 1. The participant obtains the secret by .
Step 2. The participant verifies the secret according to the following equation:
If the equation holds, the CSP's computation is correct; otherwise, the result is rejected.
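The following Python program is an added example written for this page; it is not the authors' code. It runs Sections 2.1, 2.2 and 3.2–3.4 end to end on the policy from the introduction (three staff present, at least one a manager): Tassa-style derivative shares, Birkhoff reconstruction by solving the linear system mod q, the homomorphic masking of the secret polynomial with a random polynomial, a Feldman-style commitment check of every submitted share at the CSP, and the participant's unmasking and check of the CSP's answer. Everything not on the page is an assumption: the toy safe prime p = 2q + 1 with q = 509 and generator g = 4 (real deployments use large primes), checking the CSP's answer against the commitment to the constant term rather than the page's hash equation (whose terms the extraction dropped), and no enforcement of Tassa's identity-assignment conditions, so an unlucky choice of x-coordinates can make the Birkhoff matrix singular, which the code reports instead of silently returning garbage. Requires Python 3.8+ for math.perm and modular inverses via pow.

```python
# Added example for this page, not the paper's code. Assumed: toy safe prime
# p = 2q + 1 with q = 509, g = 4; Tassa's identity-assignment rules not enforced.
import secrets
from math import perm

Q = 509          # coefficient and share field Z_q
P = 2 * Q + 1    # 1019, prime, so Z_p^* has a subgroup of order Q
G = 4            # 2^2 mod P generates that order-Q subgroup

def row(x, d, k):
    """Birkhoff row: coefficient of a_i in f^(d)(x); perm(i, d) = i!/(i-d)!."""
    return [perm(i, d) * pow(x, i - d, Q) % Q if i >= d else 0 for i in range(k)]

def evaluate(coeffs, x, d):
    """f^(d)(x) mod Q for f(x) = sum_i coeffs[i] x^i (d = 0: plain evaluation)."""
    return sum(c * r for c, r in zip(coeffs, row(x, d, len(coeffs)))) % Q

def deriv_order(level, thresholds):
    """Tassa: level 0 holds f itself, level j holds the k_{j-1}-th derivative."""
    return 0 if level == 0 else thresholds[level - 1]

def solve_mod_q(rows, rhs):
    """Gauss-Jordan over Z_q; raises if the Birkhoff matrix is singular."""
    n, m = len(rows), [r[:] + [b] for r, b in zip(rows, rhs)]
    for col in range(n):
        piv = next((i for i in range(col, n) if m[i][col]), None)
        if piv is None:
            raise ValueError("singular Birkhoff matrix: subset not authorized")
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, Q)
        m[col] = [v * inv % Q for v in m[col]]
        for i in range(n):
            if i != col:
                m[i] = [(a - m[i][col] * b) % Q for a, b in zip(m[i], m[col])]
    return [m[i][n] for i in range(n)]

def dealer(secret, thresholds, identities):
    """{name: (x, level)} -> (broadcast commitments C_i, one-time mask r, masked shares)."""
    k = thresholds[-1]                                   # polynomials of degree k-1
    f = [secret % Q] + [secrets.randbelow(Q) for _ in range(k - 1)]
    r = secrets.randbelow(Q)
    g = [r] + [secrets.randbelow(Q) for _ in range(k - 1)]
    h = [(a + b) % Q for a, b in zip(f, g)]              # h = f + g hides s as s + r
    shares = {}
    for name, (x, level) in identities.items():
        d = deriv_order(level, thresholds)
        # (+,+)-homomorphism: a share of f plus a share of g is a share of f + g
        assert (evaluate(f, x, d) + evaluate(g, x, d)) % Q == evaluate(h, x, d)
        shares[name] = evaluate(h, x, d)
    return [pow(G, c, P) for c in h], r, shares          # C_i = g^{h_i} mod p

def csp_check(commitments, x, d, y):
    """Feldman-style check of a derivative share: g^y == prod_i C_i^{row_i}."""
    expected = 1
    for c, e in zip(commitments, row(x, d, len(commitments))):
        expected = expected * pow(c, e, P) % P
    return pow(G, y, P) == expected

def csp_reconstruct(commitments, thresholds, submissions):
    """k triples (x, level, masked share) -> h(0) = s + r; raises on a bad share."""
    if len(submissions) != len(commitments):
        raise ValueError(f"need exactly {len(commitments)} shares")
    rows, rhs = [], []
    for x, level, y in submissions:
        d = deriv_order(level, thresholds)
        if not csp_check(commitments, x, d, y):
            raise ValueError(f"invalid share from x={x}")
        rows.append(row(x, d, len(commitments)))
        rhs.append(y)
    return solve_mod_q(rows, rhs)[0]

def participant_unmask(commitments, r, w):
    """Check the CSP's answer against C_0 = g^{s+r}, then strip the mask."""
    if pow(G, w, P) != commitments[0]:
        raise ValueError("CSP returned a wrong value")
    return (w - r) % Q

def rejected(*args):
    """True if the CSP refuses the submission (bad share or unauthorized set)."""
    try:
        csp_reconstruct(*args)
        return False
    except ValueError:
        return True

def demo(secret=123):
    """The introduction's policy: three staff present, at least one a manager."""
    thresholds = [1, 3]                  # k_0 = 1 manager, k_1 = 3 staff in total
    ids = {"mgr1": (1, 0), "acct1": (3, 1), "acct2": (4, 1), "acct3": (5, 1)}
    commitments, r, shares = dealer(secret, thresholds, ids)
    submit = lambda names: [(*ids[n], shares[n]) for n in names]
    w = csp_reconstruct(commitments, thresholds, submit(["mgr1", "acct1", "acct2"]))
    recovered = participant_unmask(commitments, r, w)
    # three accountants alone must fail: their Birkhoff rows all have 0 in column a_0
    blocked = rejected(commitments, thresholds, submit(["acct1", "acct2", "acct3"]))
    bad = submit(["mgr1", "acct1", "acct2"])
    bad[1] = (bad[1][0], bad[1][1], (bad[1][2] + 1) % Q)    # acct1 sends a wrong share
    caught = rejected(commitments, thresholds, bad)
    return recovered, blocked, caught
```

demo() returns the recovered secret together with two detection flags: the three accountants alone are refused because the Birkhoff system has no pivot in the a_0 column (the secret term), which is the page's "learn nothing" claim for an unauthorized subset, and a tampered share is refused by the commitment check before any interpolation happens. The CSP never sees r, so the value it interpolates is s + r, uniformly distributed over Z_q; if the dealer reused r for two secrets the CSP could subtract the two masked values and learn their difference, so r must be fresh for every sharing.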
3.5. Reputation Update Phase
The reputation value updates as follows:
Case 1. If sends a collusion invitation to and chooses to collude with , then the colluder earns , where and .
Case 2. If refuses to collude with and broadcasts ’s malicious invitation, then ’s reputation value increases and ’s reputation value decreases.
Case 3. A participant who chooses to cooperate sees their reputation value increase; a participant who does not sees it decrease.
4. Security Analysis
In this section, we analyze the security of the protocol.
Theorem 1. The outsourcing HTSS scheme is secure and any or fewer participants get nothing about the secret.
Proof. (a) Any or fewer participants get nothing about the secret.
In the scheme, any or fewer participants colluding across different levels cannot obtain the secret from their subshares, for , , and , because Birkhoff interpolation requires values to determine a unique solution.
(b) The CSP cannot be aware of any valuable information about the secret.
The scheme protects the participants' privacy: the CSP knows neither a participant's input nor the output. An authorized subset of participants sends only encrypted shares, i.e., shares of the masked polynomial, to the CSP, so what the CSP reconstructs is the masked value rather than the secret, and the CSP cannot learn any useful information about the secret. This holds because the random value that masks the secret is chosen uniformly at random and is never sent to the CSP; it must also be fresh for every sharing, since a mask reused for two secrets would let the CSP learn their difference.
Theorem 2. The outsourcing HTSS scheme can verify malicious behavior, and the malicious behavior can be detected in time.
Proof. (a) The participants and the CSP can check invalid shares.
The public verification information allows anyone to check whether a share is correct. A commitment to is expressed by the following equation:
Thus, the validity of is checked as
and malicious behavior is detected immediately.
(b) The participants can verify the CSP’s calculation result.
The participants verify the CSP's result with the collision-resistant hash function. If , the participants accept the CSP's computation as correct; otherwise, they reject the result. Thus, the participants detect the CSP's misbehavior immediately.
Theorem 3. The scheme is a social Nash equilibrium and collusion-free if the rational participant chooses a cooperation strategy.
Proof. (a) The scheme is not secure if the participants collude with the CSP.
On its own, the scheme cannot resist collusion between the server and a participant: if accepts the CSP's collusion invitation and sends to the CSP, then the CSP obtains the real secret rather than only .
(b) Following the method in , we assume that all participants are rational. Let denote that participant chooses the cooperation strategy, where and , let denote that chooses the collusion strategy, let denote that all participants except choose the cooperation strategy, and let denote that all participants except and choose the cooperation strategy.
If all participants choose to cooperate, denoted , then the payoff functions for the cooperation strategy are and , where .
If invites the CSP to collude and the CSP colludes with with probability 0.5, then the payoff functions for the collusion strategy are and , where ; otherwise, if the CSP declines with probability 0.5 and publishes ’s malicious behavior, then and , where . If the CSP invites to collude and colludes with the CSP, then and ; otherwise, if declines and publishes the CSP's malicious behavior, then and . The payoff of ’s collusive strategy is , and that of the cooperative strategy is . The payoff of the CSP's collusive strategy is , and that of its cooperative strategy is . In both cases, the payoff of the cooperative strategy is larger than that of the collusive strategy, so choosing cooperation is the optimal strategy.
5. Performance Analysis
We evaluated a prototype on a PC with an Intel Core i7-6700 CPU (4 cores, 2.60 GHz) and 8 GB of RAM. To exclude network latency, the server and all clients run on the same host. The times for share verification and secret reconstruction are given in Table 1. Figure 2 plots the reconstruction time, which varies from 2.17 ms to 2.74 ms in our tests. Figure 3 plots the verification time, which increases exponentially with the number of participants, from 791.52 ms to 7370.42 ms. Secret reconstruction therefore requires far less time than verification, which is the step the scheme outsources to the CSP.
In addition, Table 2 lists our comparison results. Maleka et al. analyzed finite and infinite repeated games, but their scheme cannot effectively guarantee fairness. Traverso et al. proposed an HTSS scheme that supports verifiability and dynamics (adding, removing, and renewing shares); although it can check invalid shares, it cannot effectively guarantee fairness either. The multistage secret sharing scheme of Pilaram and Eghlidos is lattice-based and resists quantum attacks, but it requires a trusted third party. To achieve fairness, Harn et al. proposed a fair secret sharing scheme, but it requires multiple protocol rounds and cannot be applied effectively to devices with limited computing capability.
In contrast, our scheme executes the protocol in a single round. The participants only perform the decryption operation, and their communication cost is O(1). Complex operations such as homomorphic encryption and verification are outsourced to the CSP. Moreover, our scheme does not require the participants to be online at all times.
6. Conclusion
Combining outsourced computation with a reputation system, we have provided an outsourcing HTSS protocol based on reputation. The participants obtain the secret fairly with a small number of operations. Expensive computation is outsourced to a CSP, and the CSP learns nothing about the secret. The reputation system effectively discourages participants from colluding with the server: each participant has a reputation value and is punished or rewarded according to their behavior. Moreover, our protocol detects malicious behavior by the participants or the server and does not require multiple interactions between the participants and the server, which makes it suitable for cloud computing environments and mobile networks.
Data Availability
All data generated or analyzed during this study are included in this published article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Natural Science Foundation of China (U1604156, 61772176, and 61602158) and the Science and Technology Research Project of Henan Province (172102210045 and 192102210131).
References
- A. Shamir, “How to share a secret,” Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
- G. R. Blakley, “Safeguarding cryptographic keys,” in Proceedings of the American Federation of Information Processing Societies (AFIPS’79) National Computer Conference, vol. 48, pp. 313–317, CA, USA, February 1979.
- B. Chor, S. Goldwasser, S. Micali, and B. Awerbuch, “Verifiable secret sharing and achieving simultaneity in the presence of faults,” in Proceedings of the 26th Annual Symposium on Foundations of Computer Science, pp. 383–395, IEEE, Portland, OR, USA, October 1985.
- P. Feldman, “A practical scheme for non-interactive verifiable secret sharing,” in Proceedings of the 28th Annual Symposium on Foundations of Computer Science, pp. 427–438, IEEE, Los Angeles, CA, USA, October 1987.
- T. P. Pedersen, “Distributed provers with applications to undeniable signatures,” in Advances in Cryptology-EUROCRYPT, pp. 221–242, Springer, Berlin, Germany, 1991.
- C. Blundo, A. De Santis, and U. Vaccaro, “Efficient sharing of many secrets,” in Proceedings of the Annual Symposium on Theoretical Aspects of Computer Science, pp. 692–703, Springer, Würzburg, Germany, February 1993.
- H.-Y. Chien, J.-K. Jan, and Y.-M. Tseng, “A practical (t, n) multi-secret sharing scheme,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 83, no. 12, pp. 2762–2765, 2000.
- L.-J. Pang and Y.-M. Wang, “A new (t, n) multi-secret sharing scheme based on Shamir’s secret sharing,” Applied Mathematics and Computation, vol. 167, no. 2, pp. 840–848, 2005.
- C.-C. Yang, T.-Y. Chang, and M.-S. Hwang, “A (t, n) multi-secret sharing scheme,” Applied Mathematics and Computation, vol. 151, no. 2, pp. 483–490, 2004.
- H. Pilaram and T. Eghlidos, “An efficient lattice based multi-stage secret sharing scheme,” IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 1, pp. 2–8, 2017.
- E. Zhang, J. Peng, and M. Li, “Outsourcing secret sharing scheme based on homomorphism encryption,” IET Information Security, vol. 12, no. 1, pp. 94–99, 2018.
- S. Fehr and C. Yuan, “Towards optimal robust secret sharing with security against a rushing adversary,” in Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Darmstadt, Germany, May 2019.
- F. Benhamouda, A. Degwekar, Y. Ishai, and T. Rabin, “On the local leakage resilience of linear secret sharing schemes,” in Proceedings of the Annual International Cryptology Conference, pp. 531–561, Springer, Santa Barbara, CA, USA, August 2018.
- V. Goyal and A. Kumar, “Non-malleable secret sharing,” in Proceedings of the 50th Annual ACM SIGACT Symposium on Theory of Computing (STOC), pp. 685–698, ACM, Los Angeles, CA, USA, June 2018.
- V. Goyal and A. Kumar, “Non-malleable secret sharing for general access structures,” in Proceedings of the Annual International Cryptology Conference, pp. 501–530, Springer, Santa Barbara, CA, USA, August 2018.
- T. Tassa, “Hierarchical threshold secret sharing,” Journal of Cryptology, vol. 20, no. 2, pp. 237–264, 2007.
- G. Traverso, D. Demirel, and J. Buchmann, “Dynamic and verifiable hierarchical secret sharing,” in Proceedings of the International Conference on Information Theoretic Security, pp. 24–43, Springer, Tacoma, WA, USA, August 2016.
- F. P. Mohamed and R. J. P. Arockia, “Hierarchical threshold secret sharing scheme for color images,” Multimedia Tools and Applications, vol. 76, no. 4, pp. 5489–5503, 2017.
- T. Bhattacharjee, S. P. Maity, and S. R. Islam, “Hierarchical secret image sharing scheme in compressed sensing,” Signal Processing: Image Communication, vol. 61, pp. 21–32, 2018.
- M. Tompa and H. Woll, “How to share a secret with cheaters,” Journal of Cryptology, vol. 1, no. 3, pp. 133–138, 1989.
- Y. Tian, C. Peng, Q. Jiang, and J. Ma, “Fair (t, n) threshold secret sharing scheme,” IET Information Security, vol. 7, no. 2, pp. 106–112, 2013.
- J. Halpern and V. Teague, “Rational secret sharing and multiparty computation,” in Proceedings of the Thirty-Sixth Annual ACM symposium on Theory of computing, pp. 623–632, ACM, Chicago, IL, USA, June 2004.
- L. Xiong and L. Liu, “Peertrust: supporting reputation-based trust for peer-to-peer electronic communities,” IEEE Transactions on Knowledge and Data Engineering, vol. 16, no. 7, pp. 843–857, 2004.
- E. Zhang, F. Li, B. Niu, and Y. Wang, “Server-aided private set intersection based on reputation,” Information Sciences, vol. 387, pp. 180–194, 2017.
- M. Nojoumian and D. R. Stinson, “Socio-rational secret sharing as a new direction in rational cryptography,” in Proceedings of the International Conference on Decision and Game Theory for Security, pp. 18–37, Springer, Budapest, Hungary, November 2012.
- O. S. T. Litos and D. Zindros, “Trust is risk: a decentralized financial trust platform,” in Proceedings of the International Conference on Financial Cryptography and Data Security, pp. 340–356, Springer, Sliema, Malta, April 2017.
- M. R. Clark, K. Stewart, and K. M. Hopkinson, “Dynamic, privacy-preserving decentralized reputation systems,” IEEE Transactions on Mobile Computing, vol. 16, no. 9, pp. 2506–2517, 2017.
- J. C. Benaloh, “Secret sharing homomorphisms: keeping shares of a secret,” in Proceedings of the Conference on the Theory and Application of Cryptographic Techniques, pp. 251–260, Springer, Santa Barbara, CA, USA, August 1986.
- S. Maleka, A. Shareef, and C. P. Rangan, “Rational secret sharing with repeated games,” in Proceedings of the International Conference on Information Security Practice and Experience, pp. 334–346, Springer, Sydney, Australia, April 2008.
- L. Harn, C. Lin, and Y. Li, “Fair secret reconstruction in (t, n) secret sharing,” Journal of Information Security and Applications, vol. 23, pp. 1–7, 2015.
Copyright © 2019 En Zhang et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.