(t,n) multi-secret sharing scheme extended from Harn-Hsu’s scheme

Multi-secret sharing scheme has been well studied in recent years. In most multi-secret sharing schemes, all secrets must be recovered synchronously; the shares cannot be reused any more. In 2017, Harn and Hsu proposed a novel and reasonable feature in multiple secret sharing, such that the multiple secrets should be reconstructed asynchronously and the recovering of previous secrets do not leak any information on unrecovered secrets. Harn and Hsu also proposed a (t,n) multi-secret sharing scheme that satisfies this feature. However, the analysis on Harn-Hsu’s scheme is wrong, and their scheme fails to satisfy this feature. If one secret is reconstructed, all the other unrecovered secrets can be computed by any t − 1 shareholders illegitimately. Another problem in Harn-Hsu’s work is that the parameters are unreasonable which will be shown as follows. In this paper, we prove the incorrectness of Harn-Hsu’s scheme and propose a new (t,n) multi-secret sharing scheme which is extended from Harn-Hsu’s scheme; our proposed scheme satisfies the feature introduced by Harn and Hsu.

Secret sharing scheme [1, 2] is a useful fundamental cryptographic protocol that can protect information security among a group of participants. In traditional (t,n) secret sharing scheme, each of the n participants keep a share of secret s in such a way that any t or more participants can reconstruct the secret s; less than t participants cannot get any information on s. Secret sharing scheme is a useful fundamental to other cryptographic protocols [3, 4]. Due to the low efficiency in secret reconstruction of traditional (t,n) secret sharing scheme (shares are used to reconstruct only one secret), multiple secret sharing becomes more popular in recent years [5–7] which can improve the use efficiency of the shares.

In most multiple secret sharing schemes, all secrets are reconstructed synchronously. This characteristic would limit its applications in some asynchronous systems. In [8], Harn and Hsu introduced a new feature such that in multiple secret sharing, the multiple secrets should have the capability to be reconstructed asynchronously. Multiple secret sharing scheme with this new feature would adapt higher secure requirement in some asynchronous systems; it can expand application background of multi-secret sharing. In [8], a (t,n) multi-secret sharing based on bivariate polynomial was also proposed to fit the new feature (many verifiable secret sharing schemes were based on bivariate polynomial [9, 10]). However, their scheme does not satisfy the new feature. Their analysis is incomplete and ignores a wise attack from inside attackers. In addition, the parameters in their scheme are not reasonable either.

In this paper, we propose a wise attack from inside attackers and prove Harn-Hsu’s scheme does not satisfy the new feature, and analysis why their parameters are unreasonable. Although their scheme does not work, the new feature of asynchronous secret reconstruction is worthwhile to be studied. Next, we introduce a new (t,n) multi-secret sharing scheme that can satisfy the new feature.

In [8], Harn and Hsu introduced a new secure requirement of multi-secret sharing scheme such that the secrets should be reconstructed asynchronously. The following definition concludes the secure model for this new feature:

Definition 1

In multiple-secret sharing scheme with asynchronous secret reconstruction, reconstructed secrets do not leak any information on the unrecovered secrets.

The proposed (t,n) multi-secret sharing scheme based on bivariate polynomial in [8] is briefly described below.

2.1 Harn-Hsu’s scheme

Share generation phase:

• A dealer selects a bivariate polynomial F(x,y) over GF(p), where the x has degree t − 1 and y has degree h − 1. The k multiple secrets are s₁ = F(1,0),S₂ = F(2,0),...,s _k = F(k,0). All the parameters satisfy th > (t + h)(t − 1) + (k − 1).

• The dealer computes f _i (x) = F(x,v _i ),g _i (y) = F(v _i ,y),i = 1,2,...,n and sends f _i (x),g _i (y) to each shareholder P _i as their shares. v _i is the identity of shareholder P _i which is public information to all shareholders.

Secret reconstruction phase:

• Let P₁,P₂,...,P _t be involved in this phase. Any pair of (P _i ,P _j ) computes a common pairwise key K _i,j = F(v _i ,v _j ) (v _i < v _j ) using their shares.

• For a secret s _r ∈[s₁,s₂,...,s _k ], each one of these t shareholders computes his Lagrange component on s _r respectively.

• Each shareholder P _i ,i = 1,2,...,k sends share information on s _r to other k − 1 shareholders P _j ,j = 1,2,...,k,j≠i using the secure channel which is built up by K _i,j .

• Each shareholder can reconstruct the secret s _r using the Lagrange formula.

There are two main contributions of the above scheme.

Contribution 1

The shares of shareholders cannot be only used to reconstruct secrets, but also to generate pairwise keys for each pair of shareholders. By transferring information using a secure channel which is built up by pairwise key, the scheme can resist attack from outsiders.

Contribution 2

In [8], it is also claimed that their scheme satisfies Definition 1. It is proved that even k − 1 secrets have been reconstructed; any t − 1 shareholders still cannot get any information on the last secret.

3.1 Proof of security in Harn-Hsu’s work

In [8], Contribution 2 is proved by the following theorem:

Theorem 1

In [8], all k multiple secrets can be reconstructed asynchronously such that t − 1 shareholders get no information of unrecovered secrets from reconstructed secrets.

Proof

The bivariate polynomial F(x,y) has th coefficients in total. On the other hand, each shareholder can establish t + h independent equations on those th coefficients from their shares; therefore, any t − 1 shareholder can build up (t − 1)(t + h) equations. Suppose k − 1 secrets have been recovered which means that k − 1 additional equations are built. Since the parameters t,h,k satisfy th > (t + h)(t − 1) + (k − 1), this means t − 1 shareholders cannot get enough independent equations on those th coefficients to recover F(x,y). As a result, the last secret cannot be reconstructed. □

3.2 Comments on Harn-Hsu’s work

In this part, we will show that the conclusion of above Theorem 1 is not correct. t − 1 shareholders do not need to reconstruct F(x,y) to compute unrecovered secrets; there exists a wise attack from these t − 1 shareholders.

Theorem 2

In Harn-Hsu’s work, any t − 1 shareholder can recover all k − 1 secrets with only one reconstructed secret.

Proof

The k multiple secrets in Harn-Hsu’s work is s₁ = F(1,0),s₂ = F(2,0),...,s _k = F(k,0). Let f(x) = F(x,0), then the k secrets are k points on the f(x) (s _i = f(i)) which is of degree t − 1. On the other hand, each shareholder receives a share g _i (y) = F(v _i ,y) from a dealer; he can compute a value g _i (0) = F(v _i ,0) = f(v _i ) which is also a point on f(x); t − 1 shareholders would have t − 1 points on f(x). Therefore, once a secret s _r is reconstructed, any t − 1 shareholder can obtain t − 1 + 1 = t points on a t − 1 degree polynomial f(x), then f(x) can be reconstructed by the Lagrange formula; all the other secrets s _i ,i = 1,2,...,k,i≠r are recovered by these t − 1 shareholders. □

In addition, Harn-Hsu’s scheme requires that th > (t + h)(t − 1) + (k − 1), which means the parameter h would be as large as t². In this case, the size of share g _i (y) = F(v _i ,y) for each shareholder is expanded too much comparing with other multi-secret sharing schemes which is also unreasonable in practical applications.

3.3 Proposed scheme

Although Harn-Hsu’s work fails to satisfy the feature of asynchronous secret reconstruction, this new feature is still reasonable and practical. In this part, we propose a new (t,n) multi-secret sharing scheme which is fit for the new feature. Our scheme is also based on a bivariate polynomial which is inspired by Harn-Hsu’s work.

3.3.1 Proposed scheme

Share generation phase:

• A dealer selects a bivariate polynomial F(x,y) over GF(p), where both x and y have degree t − 1. The t multiple secrets are s₁ = F(1,0),S₂ = F(2,0),...,s _t = F(t,0).

• The dealer computes f _i (x) = F(x,v _i ),i = 1,2,...,n and sends f _i (x) to each shareholder P _i as their shares. v _i is the identity of shareholder P _i which is public information to all shareholders.

Secret reconstruction phase:

• Let P₁,P₂,...,P _t be involved in this phase. For a secret s _r ∈[s₁,s₂,...,s _k ], each shareholder P _i computes and discloses a value e _i = f _i (r).

• The secret s _r can be reconstructed from e₁,e₂,...,e _t using the Lagrange formula: \(s_{r}~=~\sum ^{t}_{i~=~1}\left (e_{i}\prod ^{t}_{j~=~1,j\neq i}\frac {-~v_{j}}{v_{i}~-~v_{j}}\right)\)

Theorem 3

Our proposed scheme satisfies the feature of asynchronous secret reconstruction.

Proof

First we prove the correctness of our scheme. Each shareholder computes e _i = f _i (r) = F(r,v _i ), i = 1,2,...,t. Let g _r (y) = F(r,y) (g _r (y) is of degree t − 1), then each e _i is a point on g _r (y) since e _i = g _r (v _i ). Therefore g _r (y) can be reconstructed by these t points using the Lagrange formula. The secret s _r = F(r,0) = g _r (0) is computed by \(s_{r}~=~\sum ^{t}_{i~=~1}\left (e_{i}\prod ^{t}_{j~=~1,j\neq i}\frac {-~v_{j}}{v_{i}~-~v_{j}}\right)\).

Suppose t − 1 secrets s₁,s₂,...,s_{t − 1} have been recovered. In this case, any t − 1 shareholder obtains t − 1 points on polynomial f _s (x) = F(x,0). In order to recover secret s _t , these t − 1 shareholders need to obtain one more point on f _s (x). However, these t − 1 shareholders can build no more linear equation on the t coefficients of f _s (x) at all based on the property of asymmetric bivariate polynomial [5,6]. In other word, with t − 1 recovered secrets s₁,s₂,....,s_{t − 1}, any t − 1 shareholders will find that each value u∈GF(p) could be the last legal secret s _t , and they have equal probability such that \(\left \{Pr\left (u~=~s_{t}\right)~=~\frac {1}{p}\mid u\in GF(p)\right \}\). Therefore, t − 1 shareholders cannot reconstruct the secret s _t with all previous reconstructed secrets. □

In [8], each pair of shareholders computes a common pairwise key using their shares which can be used to build up a secure channel between any two shareholders. This secure channel can protect information from attack of outsiders. In the above scheme, no pairwise key exists and all t shareholders can share a common key to build up a secure platform. The security level from one common key is weaker than pairwise keys between any two shareholders. Therefore, we can improve our proposed scheme which is shown in the revised scheme below.

3.3.2 Revised scheme

Share generation phase:

• A dealer selects an asymmetric bivariate polynomial F(x,y) over GF(p), where both x and y have degree t − 1. The t multiple secrets are s₁ = F(1,0),S₂ = F(2,0),...,s _t = F(t,0).

• The dealer selects a symmetric bivariate polynomial G(x,y) over GF(p), where both x and y have degree t − 1.

• The dealer computes f _i (x) = F(x,v _i ),i = 1,2,...,n and sends f _i (x) to each shareholder P _i as their shares. v _i is the identity of shareholder P _i which is public information to all shareholders.

• The dealer computes u _i (x) = G(x,v _i ),i = 1,2,...,n and sends u _i (x) to each shareholder P _i

Secret reconstruction phase:

• Let P₁,P₂,...,P _t be involved in this phase. Each pair of (P _i ,P _j ) computes a common key K _i,j = G(v _i ,v _j ). (P _i can compute K _i,j by K _i,j = u _i (v _j ); P _j computes K _i,j by K _i,j = u _j (v _i ).) Then they build up a secure channel using K _i,j .

• Same as in the proposed scheme, but transmits information using secure channels.

The revised scheme satisfies both Contributions 1 and 2 in Harn-Hsu’s work, and the size of share is much smaller than their scheme. Comparisons between Harn-Hsu’s work and our schemes are shown in Table 1.

Both our proposed scheme and its revised version are reasonable and practical. In a system that requires high secure level, the revised version is more practical; otherwise, our proposed scheme has advantage in a system that requires higher computational efficiency and speed.

Asynchronous secret reconstruction is a reasonable and practical feature in (t,n) multi-secret sharing scheme which is first introduced by Harn-Hsu’s work [8] recently. However, in this paper, we prove that Harn-Hsu’s scheme does not satisfy this new feature. Once a secret is recovered by t shareholders, any t − 1 shareholder can reconstruct all the rest of the secrets illegitimately. Next, we propose a new (t,n) multi-secret sharing scheme which satisfies this new feature. In revised version, each pair of shareholders can compute a common pairwise key to build up a secure channel which is consistent with Harn-Hsu’s work.

In this work, we aim to point out the mistake of Harn-Hsu’s scheme and give a modification of their work to overcome the problem. The security analysis of Harn-Hsu’ work is only based on the property of interpolation polynomial.

Funding

The research presented in this paper is supported in part by the China National Natural Science Foundation (No. 61502384), Xi’an Science and Technology Project (No. 2017080CG/RC043(XALG004)), Industrial Science and Technology Project of Shaanxi Province (No. 2016GY-140), and Science Research Project of the Key Laboratory of Shaanxi Provincial Department of Education (No. 15JS078).

Availability of data and materials

Data sharing is not applicable to this article as no datasets were generated or analyzed during the current study.

Authors and Affiliations

1. Department of Computer Science and Engineering, Xi’an University of Technology, Xi’an, 710048, China

   Tong Zhang, Xizheng Ke & Yanxiao Liu

Contributions

TZ contributed in algorithm designing; XK was responsible for security analysis; YL carried out the writing. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Tong Zhang.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Reprints and permissions