#### Abstract

Multisecret sharing schemes have been widely used in the area of information security, such as cloud storage, group authentication, and secure parallel communications. One of the issues for these schemes is to share and recover multisecret from their shareholders. However, the existing works consider the recovery of multisecret only when the correspondences between the secrets and their shares are definite. In this paper, we propose a multisecret sharing scheme to share and recover two secrets among the participants based on the generalized Chinese Remainder Theorem (GCRT), where the multisecret and their shares are unordered. To overcome the leakage of information, we propose an improved scheme including the improved sharing phase and the recovery phase. The improved scheme has not only a more secure performance but also a lower computation complexity. The conditions for recovery failure and success are also explored.

#### 1. Introduction

Secret sharing plays a critical role in numerous applications, such as in threshold cryptography, access control, cloud computing, data hiding, and digital watermarking [1–3]. In a secret-sharing scheme (SS), a dealer divides a secret into several pieces and then shares them among the shareholders. In 1979, Shamir and Blakley independently introduced the threshold schemes based on the interpolating polynomial in [4] and the linear projective geometry in [5], respectively. For a SS with threshold , a secret is divided into pieces to be sheared among shareholders by a dealer. It shows that the secret can be recovered by any no less than shares, while the recovery failure with fewer than shares. Besides this kind of SS scheme, there are many other types, such as Mignotte’s scheme [6], the Chinese Remainder Theorem- (CRT-) based Asmuth-Bloom scheme [7] and its generalizations [8, 9], and ramp secret-sharing scheme [10, 11].

Naturally, a secret-sharing scheme can be generalized to the case of multiple secrets, i.e., multisecret sharing [12, 13]. Several schemes for multisecret sharing have been proposed in [14–22]. According to the way of recovering, the existing works can be grouped into two categories. One is to recover multisecret in a stage-by-stage way, the other is to recover multisecret simultaneously. In [15], a one-way function-based multistage secret-sharing scheme was proposed to share multisecret. The authors presented a public shift scheme to obtain the true pieces and then used the proper one-way function to reconstruct the secrets stage-by-stage in a predetermined order. For this scheme, it needs a large number of public values. An improved method was proposed in [16], where a less number of public values is needed. In fact, the scheme presented in [15] is actually of one-time use. To overcome this drawback, a one-way hash function-based multiuse threshold secret-sharing scheme was proposed in [17]. In [18], a multistage multisecret-sharing scheme and a multilevel multisecret-sharing scheme are proposed, which are based on Mignotte’s sequence and Asmuth’s Bloom sequence, respectively. For the second category of the recovery method, multisecret is recovered simultaneously by a bivariate function [19–21]. One of the disadvantages is that the required function is hard to get, although the computational load can be reduced by optimizing some existing algorithms. In a word, this approach is inconvenient in practical applications.

All the above works consider the case when the correspondences between multisecret and elements in each share are definite. When the correspondences between multisecret and elements in each share are unclear, we say that the shares are unordered. Sharing and recovering multisecret are more challenging when the shares are unordered. For this type of sharing scheme, it is more safe since multisecret cannot be recovered directly from the given unordered shares. It is a generalization of single case and has a wide application in the scenarios of keeping some sensitive and important information, such as passwords of opening bank safes or launching missile [23, 24]. This paper gives a novel scheme to share and recover multisecret from the unordered shares. Motivated by the works in [25–27], we propose a generalized CRT-based multisecret-sharing and recovering scheme. The proposed scheme is not a perfect SS since information can be leaked. To overcome this drawback, we propose an improved multisecret-sharing scheme. The improved scheme not only is more secure but also has a lower computation complexity.

The rest of the paper is organized as follows. In Section 2, we introduce the unordered multisecret-sharing problem and then briefly recall the basic idea of the generalized CRT. In Section 3, we present a generalized CRT-based multisecret-sharing scheme. In Section 4, we present the improved multisecret-sharing scheme. In Section 5, we conclude this paper.

#### 2. Unordered Multisecret Sharing and the Generalized CRT

In this section, we first introduce the unordered multisecret-sharing problem considered in this paper. Then, we model the problem as the generalized CRT. Some existing results for the generalized CRT are also introduced.

##### 2.1. Problem of Unordered Multisecret Sharing

Suppose that we have a set of two secrets and shares . For each share , we have with modulus , where are the remainders of modulo a positive integer . Notice that the correspondences between the remainders in each share and their secrets are unknown. In other words, we cannot determine whether is the remainder of or modulo . For the recovery phase, the problem is how to efficiently recover the two secrets from the given shareholders?

##### 2.2. Model of the Unordered Multisecret Sharing

If multisecret is viewed as multiple unknown integers, then the pieces of shares are the remainders of multiple integer modulo some given moduli, where the correspondences between multiple integers and the remainders are unknown. Consequently, the problem of recovering unordered multisecret sharing can be modeled as the generalized CRT that determines multiple integers from their residue sets.

Traditional CRT tells us that an unknown integer can be uniquely recovered from its remainder modulo several given moduli, if and only if the unknown integer is less than the least common multiple (lcm) of the given moduli [28]. One of the generalization is to recover two unknown integers from their remainders modulo several moduli. Different from the traditional CRT, the remainders of modulo a given modulus are two remainders in a same set, which is called the residue set. For example, the remainders of modulo three moduli 5, 7, and 11 are the residue sets , , and , respectively. For this kind of generalized CRT, two integers should be simultaneously determined from their residue sets.

There are two differences between this kind of generalized CRT and the traditional CRT. One is that the correspondence between the integers and their remainders in the residue sets is unknown. As the above example shows, for the first residue set , it is not known whether 1 is the remainder of 26 or 38 modulo 5. The other difference is how large the two integers can be uniquely determined from their residue sets for the given moduli, which will be explained below. For the traditional CRT, the largest integer that can be uniquely determined from its remainders for some given moduli is the least common multiple of all the moduli. However, this conclusion may not be true for the generalized CRT. Consider the above example again. If the two integers are less than , then we have four candidates:, , , and , where all of them have the same residue sets , , and with moduli 5, 7, and 11, respectively. Hence, the two unknown integers cannot be uniquely determined from the given residue sets when the two integers are restricted in range of .

##### 2.3. Model of the Unordered Multisecret Sharing

In order to uniquely determine the two integers from their residue sets for some given moduli, the concept of the dynamic range was introduced [25], where the dynamic range is a range that any multiple integers within it can be uniquely determined from their residue set modulo the given moduli. In [26], the largest dynamic range of the two integers for the given moduli was obtained. For convenience of description, we denote the remainder of modulo as .

For any given modulus set , the largest dynamic range can be determined by the following results [26].

Proposition 1. *If for some positive integers , then*

Proposition 2. *Let pairwise coprime integers be . If , thenwhere is the complement of in .**As an example, we consider the largest dynamic range of the two modulus sets and . According to Propositions 1 and 2, we have and , respectively.*

#### 3. Unordered Multisecret-Sharing Scheme

In this section, we propose two algorithms, i.e., the unordered multisecret generation phase and the recovery phase. Some results of the proposed scheme are also given.

##### 3.1. Unordered Multisecret Generation

Suppose that the shareholders have the public information , where is pairwise coprime integer satisfying . Note that the scheme of multisecret sharing is trivial when , and we only consider in this paper. Let be a positive integer satisfying . The generation of shares from two unordered secrets contains two steps. First, determine the largest range of two secrets such that shares or more than shares can lead to a unique recovery of . Second, obtain shares by reducing modulo moduli , respectively. For convenience, we denote

Define

It is not difficult to find that

If not, i.e., , then we haveby the definition of in (2), which contradicts with (4). For convenience, we letand let

Then, two unordered secrets can be selected in the range of , i.e.,

Consequently, shares can be obtained by

That is,

To sum up, we have the following unordered multisecret generation phase for the pairwise coprime integers , which is shown in Table 1 below.

##### 3.2. Unordered Multisecret Recovery

Now, we consider the problem of recovering the two secrets from the given shares , where and . Table 2 gives the generalized CRT-based algorithm to recover the two secrets.

Next theorem gives some results of the multisecret-sharing scheme discussed above.

Theorem 1. *Let the two secrets be defined in (9), and let be shares with the corresponding modulus set , where for . Then, we have the following results.*(1)*If , then cannot be recovered, where is defined in (7).*(2)*If , then cannot be recovered in . Moreover, the two secrets cannot be uniquely recovered in , where .*(3)*If , then can be uniquely recovered.*

*Proof. *(1)We consider the case when . For any shares , we have the corresponding moduli . According to the definition of in (4), we have Note that . It follows that If , then we obtain from (8) that . From (9) and (13), we have If , then we obtain from (8) that . From (9) and (13), we have Thus, the two secrets cannot be reconstructed from shares. For the case of the less than shares, the proof is obvious and it is omitted here.(2)We consider the reconstruction of any shares that is different from the shares . For convenience, we denote and suppose without loss of generality. Recall that . Hence, we have and then According to (2), we have By (8) and (9), we obtain According to the generalized CRT, we know that cannot be recovered in the range of from their shares . For the case of , the conclusion also holds. Next, we consider the recovery of the two secrets in . Let shares be . According to (11), we have Note that Hence, the two secrets and can be recovered separately by using the CRT when the remainders in the residue sets are properly ordered. More details can be seen in Remark 1 below.(3)We consider shares , where . Let . Similar to the proof of (2) above, we can prove that the dynamic range satisfiesHence, can be uniquely reconstructed from their shares by the generalized CRT. For the case of more than shares, the proof is obvious and it is omitted here.

*Remark 1. *Theorem 1 tells us that the two secrets cannot be recovered when the number of shares , where is defined in (7). When , the two secrets can be uniquely recovered by using the proposed generalized CRT. When , the two secrets cannot be successfully recovered. To be specific, the two secrets cannot be recovered in the range of in this case. In addition, the two secrets cannot be uniquely recovered in by using the CRT since the correspondences between the two secrets and the elements in each shareholder are unclear. It is clear that the remainder of or cannot be determined from any share . To recover and , we have possible cases of remainders with moduli and and .

According to the CRT, and can be recovered only from the last tuples in the range of .

Now, we consider the computational complexity of the proposed scheme. According to Algorithm 2, we know that the computational complexity of each shareholder is . For the proposed generalized CRT-based multisecret recovery algorithm, the computational complexity is . For the CRT algorithm, the computational complexity is as discussed above.

*Example 1. *Let us consider a two secret-sharing and recovering process when moduli are , and . Set . By the definition of and in (3), we have and . By Proposition 2, we have and . Since , we have and then by Step 2 in Table 1. Let two secrets be , which are in the range of . Then, we have five shares , , , , and with moduli , respectively.

Now, we consider the recovery of two secrets from shareholders. We have three cases below.(1). Suppose that the two shares are and with . Clearly, Hence, the two secrets cannot be recovered.(2). Let be three shares, and let . In this case, the two secrets cannot be determined in since and . Moreover, the two secrets cannot be uniquely determined in . For example, given three shares , we have four candidates: . In other words, all these candidates have the same shares with moduli , respectively. Table 3 gives the illustration of recovering the two secrets for all cases, where .(3).In this case, the two secrets can be uniquely determined. Suppose that the shares are , and . Next, we recover by using the proposed generalized CRT algorithm.

Note that , , , , , , , , and . By Step 1 in Table 2, we have , , , and . According to Step 3, we have . By Step 4, we have , and then . By Step 5, we have the quadratic equation . By solving it, we can obtain the two secrets: .

From (11), we know that are the remainders of two secrets modulo . By Theorem 1, we know that the two secrets can be recovered after putting no less than shares together without any other information. For example, in example 1, the two secrets can be recovered from any four shareholders directly by the generalized CRT. It is clear that each shareholder has partial information of the two secrets. In other words, the proposed multisecret-sharing scheme above is not a perfect SS. To overcome this drawback, we propose an improved multisecret-sharing scheme in the following.

#### 4. Improved Unordered Multisecret-Sharing Scheme

In this section, we give an improved generalized CRT-based unordered multisecret-sharing scheme, which includes the improved unordered multisecret generation phase and recovery phase. Some results of the proposed scheme are also given.

##### 4.1. Improved Unordered Multisecret Generation Phase

Firstly, select an integer satisfyingwhere is defined in (8). Then, the dealer transmits it secretly to secret combiner. Let two secrets be and satisfy

Consequently, select two positive integers satisfying

Let

Then, the shares can be generated by

That is,

According to (29), the shares can be rewritten as

Recall that the secrets of the first approach are leaked. For the improved approach, the obtained shares are for which are different from the two secrets . Hence, the secrets of each shareholder are not leaked.

In summary, we have the improved unordered multisecret-sharing algorithm for the pairwise coprime integers which is shown in Table 4 below.

##### 4.2. Improved Unordered Multisecret Recovery Phase

Given shares , where and , then the two secrets can be recovered by the generalized CRT-based algorithm, which is shown in Table 5 below.

It is not difficult to find that the proposed recovery algorithm has a computational complexity of , which is much smaller than the searching algorithm that has a computational complexity of . Based on the above multisecret recovery phase, we have the following results.

Theorem 2. *Let be two secrets satisfying (27), and let be shares defined in (32), where for . Then, we have the following results.*(1)*If , then cannot be reconstructed, where is defined in (7).*(2)*If , then cannot be uniquely determined.*(3)*If , then can be uniquely reconstructed.*

*Proof. *(1)By Theorem 1, we know that cannot be reconstructed in this case. Hence, the two secrets cannot be recovered.(2)In this case, cannot be determined in and cannot be uniquely determined in . Hence, cannot be successfully recovered in .(3)In this case, can be uniquely reconstructed. Consequently, the two secrets can be recovered by

*Example 2. *Let us consider an example when moduli are

Let . Then, we have and . By (2), we obtain and . According to (4), we have , and then by (8). From (26), we obtain . Let . By Step 3, in Table 4, we select two secrets , which are satisfied with the condition in (27). By Step 4, we select and then obtain . By (30), we have four shares , , , and with moduli , and , respectively.

Now, we consider the recovery of two secrets from shareholders. We have three cases below.(1). Clearly, for any shares , we have for . Hence, two integers cannot be successfully reconstructed and hence the two secrets cannot be recovered.(2). In this cases, the two integers cannot be reconstructed from the two shares in as and . Moreover, cannot be uniquely determined in , where . Hence, cannot be successfully recovered in . For example, given two shares , we have two candidates: . In other words, all these candidates have the same shares. Table 6 gives all the cases of the reconstruction, where .(3).In this case, the two secrets can be uniquely recovered. Suppose that the shares are , and . By the proposed generalized CRT, we have and then .

#### 5. Conclusions

In this paper, we consider the problem of recovering unordered multisecret from some shares with unordered remainders. The main difference between this work and the previous ones is that the correspondence between the remainders in each share and the secrets is unknown in our work, while it is definite in previous works. A generalized CRT-based unordered multisecret-sharing scheme and recovery algorithm are proposed. The conditions for recovery failure and success are also explored. Furthermore, for making a perfect SS such that the secrets will not be leaked, an improved sharing and recovery approach is proposed.

#### Data Availability

No data were used to support this study.

#### Conflicts of Interest

The authors declare no conflicts of interest.

#### Acknowledgments

This research was funded in part by the National Natural Science Foundation of China (no. 61701086), Fundamental Research Funds for the Central Universities (no. ZYGX2016KYQD143), Natural Science Foundation of Fujian Province (nos. 2017J01761 and 2018J01537), and Project of Ministry of Science and Technology of Taiwan (no. MOST 106-2221-E-035-013-MY3).