#### Abstract

Secret sharing is a basic tool in modern communication, which protects privacy and provides information security. Among the secret sharing schemes, fairness is a vital and desirable property. To achieve fairness, the existing secret sharing schemes either require a trusted third party or the execution of a multiround protocol, which are impractical. Moreover, the classic scheme requires expensive computing in the secret verification phase. In this work, we provide an outsourcing hierarchical threshold secret sharing (HTSS) protocol based on reputation. In the scheme, participants from different levels can fairly reconstruct the secret, and the protocol only needs to run for one round. A cloud service provider (CSP) uses powerful computing resources to help participants complete homomorphic encryption and complex verification operations, and the CSP cannot be aware of any valuable information. The participants can obtain the secret with a small number of operations. To avoid collusion, we suppose that participants have their own reputation value, and they are punished or rewarded according to their behavior. The reputation value of a participant who deviates from the protocol will decrease; therefore, the participant will choose a cooperative strategy to obtain better payoffs. Lastly, our scheme is proved to be secure, and experiments indicate that our scheme is feasible and efficient.

#### 1. Introduction

Secret sharing is an important cryptographic primitive and has a widespread application in secure multiparty computation, image encryption, and attribute-based encryption. Secret sharing, an idea proposed by Shamir [1] and Blakley [2], allows a dealer to distribute different shares among a set of participants. The method guarantees any authorized subsets of t or more participants can reconstruct the secret. However, it is hard to guarantee that the dealer and participants are absolutely honest. To address this problem, verifiable secret sharing (VSS) schemes [3–5] guarantee additionally any cheating behavior can be detected, which can check the validity of shares. Subsequently, a series of protocols [6–9] is studied sharing multiple secrets at a time. In these schemes, participants only need to submit a pseudoshare rather than a real share to recover multiple secrets. Secret sharing has become an important research topic, and a large quantity of studies have been proposed. A multistage secret sharing scheme was introduced by Pilaram and Eghlidos [10], which was based on Lattice and could resist quantum attacks. Zhang et al. [11] presented an outsourcing secret sharing scheme based on homomorphic encryption, but the scheme could not effectively resist collusion. Recently, secret sharing has stronger privacy requirements. Although information about shares is leaked, the adversary still has no access to information about secret. Fehr and Yuan [12] constructed a robust secret sharing scheme with security against a rushing adversary. Benhamouda et al. studied leakage resilience of the MPC protocol [13]. A nonmalleable scheme concerning secret sharing was presented by Goyal and Kumar [14]. The scheme can resist adversary of someone who arbitrarily tampers with shares. Later, Goyal and Kumar [15] proposed nonmalleable secret sharing schemes for more general access structures.

In real life, everyone is not exactly equal in status or privileges. It would be an endless task to cite such living examples. For example, in a research and development department of a company, the shares of the private key of confidential files may be distributed among employees. Some are accountants, and some are department managers. The company’s policy requires 3 employees to be in attendance at the same time to open confidential files, but at least one of them must be a department manager. Such a setting requires a special secret sharing method. Therefore, the concept of HTSS was proposed. Tassa [16] introduced the structure of HTSS. In the scheme, a secret is shared among participants that are divided into different levels. Only participants who meet a certain level can reconstruct the secret. If the specific level is not met, the participants learn nothing about the secret. Later, Traverso et al. [17] proposed an HTSS scheme that supports verifiability and dynamics, which can add, remove, and renew shares. Recently, Mohamed and Arockia [18] introduced an HTSS scheme for color images. Bhattacharjee et al. [19] presented a hierarchical image scheme for bandwidth efficient transmission and offered a great degree of robustness in compressed sensing.

In the classic secret sharing scheme, fairness is a desirable property that guarantees each participant can gain the secret simultaneously. For the purpose of the goal, Tompa and Woll [20] firstly introduced a fair reconstruction scheme. The main idea of the scheme is to hide the real secret value, and the cheater has to guess the secret location. However, it is impractical for all participants to release their shares synchronously. A novel fair threshold scheme was presented by Tian et al. [21]. In the work, the real secret value was hidden in the sequence for the sake of decreasing the probability of the cheater achieving a successful guess. Combining the approach with game theory, Halpern and Teague [22] introduced a rational cryptographic protocol. In the rational scheme, the participants are rational players whose behavior aims are to maximize their profit. To achieve fairness, existing schemes require either a trusted third party or the execution of a multiround protocol, which are impractical.

The reputation system plays a key role in the online community, such as auction markets, trusted content delivery, and e-commerce. By publicizing the reputation value, participants can choose trusted peers with whom to cooperate. Reputation systems can effectively combat selfish, dishonest, and malicious behavior. Xiong and Liu [23] presented a detailed explanation. Combining with reputation systems, Zhang et al. [24] proposed a PSI protocol against social rational participants in which the parties who defect the PSI protocol will be penalized. Nojoumian and Stinson [25] introduced a socio-rational protocol. In this paper, participants are invited to execute an unknown number of protocols based on their reputation. Recently, a series of works were proposed. Litos and Zindros [26] created a reputation network in which the reputation value is quantifiable and expressed in monetary terms. Clark et al. [27] presented a dynamic, privacy-preserving decentralized reputation system.

At present, the vast amount of data stored in the cloud has led to explosive growth in the data volume. People are entering the era of big data, and everything will be digitized. According to the statistics of the Millet cloud storage service, the number of customers at the end of 2015 reached 97 million, with 46.5 billion photos and 504 million videos. It is estimated that by 2020, the global data volume will reach 44 ZB. At the same time, cloud outsourcing computing is also very common. More and more devices with poor computing power such as smart phones, pads, and sensors can outsource computing to a CSP with powerful computing power so that users can enjoy unlimited computing resources. However, in the face of outsourcing computing, users are reluctant to disclose their personal sensitive data. Therefore, we need to find a practical approach to implement an HTSS scheme.

##### 1.1. Our Contribution

We provide an outsourcing HTSS protocol based on reputation, as is demonstrated in Figure 1. In this protocol, secret shares are distributed to different levels of participants. The participants can obtain the secret fairly with a small quantity of operations. Expensive computing is outsourced to a CSP, and the CSP can gain nothing about the secret. Moreover, the reputation system can effectively prevent participants from colluding with the server. Compared with previous schemes, our scheme has the following advantages:(1)The participants are not required to always be online, which avoids multiple interactions between the participants and the server.(2)The protocol could accurately check the malicious behavior of the participants or the server.(3)Expensive computing is outsourced to a CSP. With the CSP’s computing power, the CSP can execute homomorphic encryption and complex verification operations, and the server can gain nothing about the secret.(4)Through a combination with the reputation system, we design a social game model for the hierarchical secret sharing scheme, which can resist collusion between the participant and the server. Assuming that participants have their own reputation value, they are punished or rewarded according to their behavior. Moreover, all participants are rational players whose behavior aims are to maximize their profit. The reputation value of a participant deviating from the protocol will decrease. In our model, a participant who chooses a cooperative strategy can obtain better payoffs. Therefore, each participant will honestly abide by the protocol.

We formally describe preliminaries in Section 2. We construct an outsourcing HTSS scheme based on reputation in Section 3. We indicate the security of the scheme in Section 4 and compare our scheme with previous schemes in Section 5. Finally, the conclusion of our paper is presented in Section 6.

#### 2. Preliminary

##### 2.1. Secret Sharing Homomorphisms

Benaloh [28] described the homomorphic property of secret sharing. For example, consider two secrets and , which are shared by polynomials and . If we add the shares , each of can be viewed as a subshare of secret . Suppose that is defined as the secret domain, and is defined as the share domain. A set of functions can be determined, where and . Given any set of values , the following equation can define the secret :

*Definition 1. *Suppose and are two operations on the secret domain and share domain , respectively. There arethen,From the above definition, Shamir’s polynomial is -homomorphic, which implies that the sum of the shares is equivalent to shares of the sum.

##### 2.2. Tassa’s Hierarchical Threshold Scheme

In HTSS, a set of participants are split into multiple levels , where is the highest level and is the lowest level. For all , there is , where . Supposing that is the number of participants associated with level , we can obtain . Then, we define a threshold associated with level , for , which satisfies . In addition, we set , , and . Therefore, the hierarchical access structure is described as follows:

Next, we describe in detail how the Birkhoff interpolation reconstructs the secret.

The Birkhoff interpolation problem is to find a polynomial that satisfies the equalities , where is the -th derivative of at position . Suppose that an authorized subset can reconstruct the secret. associated with is a matrix with binary entries. If there is participant with share , then the entry is set to “1”. In addition, we set and define as the -th derivative of . The matrix can be expressed as follows:

The polynomial can be reconstructed:in which we can obtain by replacing the -th column with the shares in the lexicographic order.

*Definition 2. *Let be a message space, be a share space, and be an access structure where is the threshold associated with level . Suppose that the pair is the identity of participant . Then, an HTSS scheme contains the *share phase* and *reconstruction phase*. *Share Phase*. A dealer outputs shares that is distributed to participant . *Reconstruction Phase*. An authorized subset of participants, which satisfies , can reconstruct the secret using Birkhoff interpolation.

##### 2.3. Social Game Model of Secret Sharing

Reputation systems can provide an incentive for honest behavior and help people decide who is trustworthy. Several reputation systems have been deployed in practical applications, such as encouraging compliance with e-commerce contracts. Next, we briefly review the related concepts and methods in [25].

*Definition 3. *Let be the trust value assigned by participant to during period . Let be the trust function computing the reputation of :The monotonically increasing function and the monotonically decreasing function are used to update reputation values recursively, that is, computing by . If participant has a choice of cooperating during period , then . If participant has a choice of defecting during period , then .

Subsequently, we review the payoff assumption. Let be ’s payoff by considering future action, let be ’s payoff by considering current action, let define whether the participant is aware of secret during period , and define . The generalized payoff assumptions of social games are as follows: (A) (B) (C)

*Remark 1. *A, B, and C have impact factors , , and , respectively, where .

LetWe can obtain the current payoff and the future payoff as follows:

#### 3. The HTSS Scheme Based on Reputation

In this section, combining an outsourcing computation and the reputation system, we propose a novel outsourcing HTSS protocol based on reputation. In the protocol, *t* or more parties from different levels can recover the secret. The scheme contains five phases: an initialization phase, a secret distribution phase, an outsourcing phase, a reconstruction phase, and a reputation update phase. We formally defined some parameters during the initialization phase. In the secret distribution phase, a dealer distributes encrypted shares and broadcasts verification information and participants receive a random value and encrypted shares. Then, the participants send shares to a CSP, and the CSP returns the results to the participants where the CSP cannot be aware of any valuable information about the secret. Next, the participants can obtain the secret fairly in the reconstruction phase. Finally, we can update the participant’s reputation value. To avoid collusion, participants have their own reputation value and they are punished or rewarded according to their behavior. For example, if a participant wants to collude with the CSP and sends a collusion invitation to the CSP, then we can penalize the participant according to the reputation system.

##### 3.1. Initialization Phase

Let and , such as , be two large primes, be a generator of the -th order subgroup of , and be a collision-resistant hash function.

A secret is shared among *n*-parties, and a set of parties denoted by are split into multiple levels . is the number of participants associated with level , and is the threshold associated with level , for . The pair is the identity of participant , for , , and .

##### 3.2. Secret Distribution Phase

The trusted dealer distributes shares by performing the following stages: *Step 1.* The dealer randomly chooses coefficients and generates a polynomial with degree:where is a secret value, i.e., . The corresponding shares are , where is the -th derivative of the polynomial at position . *Step 2.* The dealer randomly chooses coefficients and generates a polynomial with degree:where distributed to all participants is a random value. The corresponding shares are . *Step 3.* According to the -homomorphic property, the sum of the shares is equivalent to the shares of the sum, and the dealer performs the following operation: *Step 4.* The dealer distributes to participant , for , , and . *Step 5.* The dealer broadcasts verification information:

##### 3.3. Outsourcing Phase

Suppose that *t* or more participants from different levels commit their shares, and then they will perform the following stages: *Step 1.* An authorized subset of *t* participants sent to the CSP. *Step 2.* According to following equation, the CSP checks whether is correct:where . The CSP performs Step 3 if the above equation is held; otherwise, the protocol is terminated and the deception of participant will be disclosed. *Step 3.* The CSP uses Birkhoff interpolation to reconstruct with :

According to the above equation, the CSP can learn and send to participants.

##### 3.4. Reconstruction Phase

Each participant can obtain the secret with a small amount of computation according to the following steps: *Step 1.* The participant can obtain the secret by . *Step 2.* The participant can verify secret according to the following equation:

If the equation is true, CSP’s calculation is correct; otherwise, it is wrong.

##### 3.5. Reputation Update Phase

The reputation value updates as follows:

*Case 1. *If sends a collusion to and has a choice of colluding with , then the colluder earns , where and .

*Case 2. *If has a choice of not to collude with and broadcasts his malicious behavior, then ’s reputation value will increase. In contrast, ’s reputation value will decrease.

*Case 3. *If each participant has a choice of cooperating, then the reputation value will increase; otherwise, the reputation value will decrease.

#### 4. Security Analysis

In the section, we give the analysis of the protocol.

Theorem 1. *The outsourcing HTSS scheme is secure and any or fewer participants get nothing about the secret.*

*Proof. *(a) Any or fewer participants get nothing about the secret.

In the scheme, any or fewer participants’ collusion from different levels cannot obtain the secret with their subshares for , , and because the Birkhoff interpolation requires values to determine the unique solution.

(b) The CSP cannot be aware of any valuable information about the secret.

The scheme protects the participant’s privacy, and the CSP does not know the participant’s input and output. An authorized subset of participants sends encrypted share to the CSP. Therefore, the CSP cannot be aware of any valuable information about the secret.

Theorem 2. *The outsourcing HTSS scheme can verify malicious behavior, and the malicious behavior can be detected in time.*

*Proof. *(a) The participants and the CSP can check invalid shares.

The public verification information can check shares whether is correct, and a commitment to the can be expressed by the following equation:Thus, the validity of can be checked:and the malicious behavior can be detected in time.

(b) The participants can verify the CSP’s calculation result.

The participants can verify the calculation result by a collision-resistant hash function. If , the participants can confirm that the CSP’s calculation is correct; otherwise, the result is incorrect. Moreover, the participants can detect the CSP’s malicious behavior in time.

Theorem 3. *The scheme is a social Nash equilibrium and collusion-free if the rational participant chooses a cooperation strategy.*

*Proof. *(a) The scheme is not secure if the participants collude with the CSP.

The scheme cannot resist collusion between the server and other participants. In the scheme, if receives the CSP’s collusion invitation and sends to the CSP, then the CSP can obtain the real secret instead of .

(b) Following the method in [25], we consider all participants are rational. Let define that participant chooses a cooperation strategy where and , let define that chooses a collusion strategy, let denote that all participants choose a cooperation strategy except for , and let denote that all the participants choose a cooperation strategy except for and .

If all the participants have a choice of cooperating denoted by , then the payoff functions for choosing cooperation strategy are and where .

If invites CSP to collude and the CSP has a choice of colluding with with a probability of 0.5, then the payoff functions for choosing colluding strategy are and where ; otherwise, if CSP has a choice of not to collude with with a probability of 0.5 and publishes his malicious behavior, then and , where . If the CSP invites to collude and has a choice of colluding with CSP, then and ; otherwise, if has a choice of not to collude with CSP and publishes his malicious behavior, then and . The payoff function of choosing a collusive strategy is , and the payoff function of choosing a cooperative strategy is . The payoff function of the CSP choosing a collusive strategy is , and the payoff function of the CSP choosing a cooperative strategy is . The payoff function of cooperative strategy is larger than that of collusive strategy. From the above statements, we can conclude that choosing cooperation is the optimal strategy.

#### 5. Performance Analysis

We evaluated the prototype on a PC which has an Intel Core i7-6700 CPU (4-core 2.60 GHz) and 8 GB of RAM. To ignore network latency, we run the server and all clients on the same host. The times of the secret verification and secret reconstruction are given in Table 1. In Figure 2, the curve shows the reconstruction time of the scheme. According to the test results, the time varies from 2.17 ms to 2.74 ms. Figure 3 shows the time of the verification, and as the number of participant increases, the verification time increases exponentially. According to the test results, the time varies from 791.52 ms to 7370.42 ms. We conclude that the secret reconstruction requires less time than the verification algorithm.

In addition, we listed our comparison results in Table 2. Maleka et al. [29] analyzed a finite repeated game and an infinite repeated game, but the scheme could not effectively guarantee fairness. Traverso et al. [17] proposed an HTSS scheme that supports verifiability and dynamics, which can add, remove, and renew shares. Although the scheme can check invalid shares, the scheme cannot effectively guarantee fairness. A multistage secret sharing scheme was introduced by Pilaram and Eghlidos [10], which was based on Lattice and could resist quantum attacks. But this scheme requires a trusted third party. In order to achieve desire of fairness, Harn et al. [30] proposed a fair secret sharing scheme, but the scheme requires multiple protocol rounds and cannot be effectively applied to devices with poor computing capabilities.

In contrast, our scheme only needs to execute the protocol once. The participants only need to perform the decryption operation, and the communication cost is O (1). In the proposed scheme, complex operations such as homomorphic encryption and verification are outsourced to the CSP. Moreover, our scheme does not require participants to always be online.

#### 6. Conclusion

Combining outsourcing computation and a reputation system, we provide an outsourcing HTSS protocol based on reputation. The participants can obtain the secret fairly with a small number of operations in this work. Expensive computing is outsourced to a CSP, and the CSP could learn nothing about the secret. The reputation system can effectively prevent participants from colluding with the server. Participants have their own reputation value, and they are punished or rewarded according to their behavior. Moreover, our protocol could accurately check the malicious behavior of the participants or the server and does not require multiple interactions between the participants and the server, which applies to cloud computing environments and mobile networks.

#### Data Availability

All data generated or analyzed during this study are included in this published article.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work was supported by the National Natural Science Foundation of China (U1604156, 61772176, and 61602158) and Science and Technology Research Project of Henan Province (172102210045 and 192102210131).