Sage Journals: Discover world-class research

Abstract

Secret sharing is an important aspect of key management in wireless ad hoc and sensor networks. In this paper, we define a new secure model of secret sharing, use the Lagrange interpolation and the bilinear cyclic groups to construct an efficient publicly verifiable secret sharing scheme on the basis of this model, and show that this scheme is provably secure against adaptively chosen secret attacks (CSAs) based on the decisional bilinear Diffie-Hellman (DBDH) problem. We find that this scheme has the following properties: (a) point-to-point secure channels are not required in both the secret distribution phase and the secret reconstruction phase; (b) it is a noninteractive secret sharing system in that the participants need not communicate with each other during subshadow verification; and (c) each participant is able to share many secrets with other participants despite holding only one shadow.

1. Introduction

A secret sharing scheme [1–8] allows the splitting of a secret into different pieces, called shares or shadows, which are given to a group of participants (or shareholders). Only a certain specified subset of the participants can reconstruct the secret easily by providing their shadows, while any unqualified subsets cannot obtain any knowledge about the secret. Secret sharing is useful for any important action whose initiation requires the collective decision of several designated participants, such as the launch of a missile, opening of a bank vault, or opening of a safety deposit box. Research on secret sharing is important for the key distribution of wireless ad hoc and sensor networks [9], both in theory and in practice.

In 1979, two basic secret sharing schemes were independently proposed by Shamir [1] and Blakley [10]. They used two different methods to construct threshold secret sharing schemes. In Shamir's scheme, a secret s is divided into n shadows by a dealer and shared among n participants in such a way that it is possible to reconstruct the secret with any t or more shadows but impossible to reconstruct the secret with fewer than t shadows. This scheme is called a $(t, n)$ threshold secret sharing scheme. Early secret sharing schemes [1, 10] did not include the verification of the correctness of shadows; hence, if one or more participants are dishonest, the secret cannot be recovered correctly.

Verifiable secret sharing (VSS) was proposed in [11] to solve the problem of dishonest participants who want to deceive other honest participants or the problem of a dishonest dealer who distributes incorrect shadows to some participants. VSS has been an important area of cryptography research for the last two decades [5, 7, 8, 12–15]. Feldman [12] proposed a very practical VSS scheme in which the security is based on a discrete logarithm problem. In this scheme, a deterministic function of the secret is published; hence, it achieves only one-way security. Pedersen [13] proposed a VSS scheme that can withstand an unbounded passive adversary.

Stadler [16] proposed a publicly verifiable secret sharing (PVSS) scheme in which the validity of the shadows can be verified by anyone without knowledge of the shadows. In some PVSS schemes [5, 14], the verification procedure involves interactive proofs of knowledge. If these proofs are made noninteractive by means of the Fiat-Shamir technique [17], the security of the verification process would only be carried out in the random oracle model (ROM) [18]. Transferring security analysis of cryptographical primitives from the random oracle model to the standard model (SM) [19] has always been a theoretically important task.

1.1. Related Work

In 2005, Ruiz and Villar [15] proposed a new PVSS scheme that has a higher level of secrecy, called indistinguishability (IND) of secrets based on the decisional composite residuosity assumption. In 2009, Heidarvand and Villar [3] gave two new secure definitions of publicly verifiable secret sharing, which capture the notion of indistinguishability of shared secrets. Then they proposed a non-interactive PVSS scheme against the attacks of indistinguishability of secrets in the standard model based on the decisional bilinear square assumption (DBS) which is a natural variant of the standard decisional bilinear Diffie-Hellman (DBDH) assumption. In 2010, Jhanwar [20] proposed a PVSS scheme whose level of security is called semantic security based on the $(t, n)$ -multi-sequence of exponents Diffie-Hellman problem. In 2011, Wu and Tseng [2] proposed a pairing-based PVSS scheme. For deducing the computational cost, they used the batch verification technique. They also showed that their scheme is a secure PVSS scheme under the bilinear Diffie-Hellman (BDH) assumption in the random oracle model. In fact, semantic security does not guarantee any level of secrecy if an adversary mounts an active attack. Therefore, it is very important to design a PVSS scheme against adaptively chosen secret attacks (CSAs) in the standard model.

Another important aspect of secret sharing is the problem of making the size of shadows of each participant as small as of making the size of shadows of each. A secret sharing scheme is ideal if the length of every shadow is the same as the length of the secret. This is the best possible situation. However, we would like to emphasize that it is also very important to reduce the number of secure channels used in a secret sharing scheme, especially in wireless ad hoc and sensor networks.

A secret sharing scheme contains at least two essential phases: a share distribution phase and a secret reconstruction phase. In the share distribution phase, a dealer chooses a secret, executes a secret distribution algorithm to generate shadows, and then sends the generated shadows to the participants through point-to-point secure channels. In the secret reconstruction phase, the participants belonging to a qualified subset of participants exchange shadows amongst themselves through point-to-point secure channels to reconstruct the secret. In a $(t, n)$ threshold secret scheme, there are n secure channels in the share distribution phase and at least $O (t^{2})$ secure channels in the secret reconstruction phase. To reduce the number of secure channels to $O (t)$ , Huaxiong and wong [21] constructed a $(t, n)$ threshold secret sharing scheme using partial broadcast channels.

1.2. Our Contributions

In this paper, we use the Lagrange interpolation and bilinear cyclic groups to construct a $(t, n)$ threshold PVSS scheme with IND-CSA security. Our scheme has the following features. (i)

Public Verifiability: a dishonest dealer or participant is detected unconditionally.

(ii)

Security: the scheme has provable security against an IND-CSA (see the security model present in this paper) adversary in the standard model. The security relies on the hardness of the decisional bilinear Diffie-Hellman (DBDH) problem.

(iii)

Needless security channels: in both the setup and share distribution phases, these are no secure point-to-point communication channels between the dealer and the participants. Moreover, no secure point-to-point communication channels are used in the reconstruction phase of the extended scheme.

(iv)

Noninteractivity: the participants need not talk to each other during the secret reconstruction phase.

An overview comparison of the major technique differences and the corresponding security level those of WT11's [2] and HV09's [3] PVSS schemes is given in Table 1.

Table 1

Major technique differences and corresponding security level.

	WT11 [2]	HV09 [3]	Ours
Needless secure channels	No	No	Yes
Verify subshare in reconstruction	No	Yes	Yes
Assumption	BDH	DBS	DBDH
Security model	ROM	SM	SM
Security level	IND	IND	IND-CSA

1.3. Paper Organization

This paper is organized as follows. In Section 2, we describe the definition of bilinear maps and the decisional bilinear Diffie-Hellman problem. In Section 3, we describe the model of our PVSS scheme and the security model. In Section 4, we present our pairing-based PVSS scheme, and in Section 5, we prove its security. In Section 6, we analyze the performance of our scheme. In Section 7, we present an extended scheme that allows reconstruction of the secret through publicle channels. Finally, we give a conclusion in Section 8.

2. Preliminaries

If S is a set, $| S |$ denotes its size. The symbol “⊥” denotes failure.

2.1. Bilinear Map

Let 𝔾 and $𝔾_{1}$ be two cyclic groups of prime order p. Here, we assume that 𝔾 is an additive cyclic group, and $𝔾_{1}$ is a multiplicative cyclic group. A bilinear map $e (\dots)$ is a map $𝔾 \times 𝔾 \to 𝔾_{1}$ such that for $P \neq 0 \in 𝔾$ and $α, β \in ℤ_{p} ∖ {0}$ , it satisfies the following properties [22, 23]. (i)

Bilinearity: $e (α P, β P) = e (P, P)^{α β}$ .

(ii)

Nondegeneracy: $e (P, P) \neq 1_{𝔾_{1}}$ unless $P = 1_{𝔾}$ .

(iii)

Computability: there is an efficient algorithm to compute $e (P, Q) for all P, Q \in 𝔾$ .

The algorithm $𝒢 𝒢 (λ)$ is a bilinear group generator that takes a secure parameter $λ \in ℤ$ as input and outputs the descriptions of the groups 𝔾, $𝔾_{1}$ , and a bilinear map $e : 𝔾 \times 𝔾 \to 𝔾_{1}$ , where all group operations in 𝔾 and $𝔾_{1}$ as well as map e can be computed in polynomial time with λ. We posit that $B = (p, P, 𝔾, 𝔾_{1}, e (\dots)$ ) is the output of $𝒢 𝒢 (λ)$ .

2.2. Decisional Bilinear Diffie-Hellman Assumption

Given a tuple $P, a P, b P, c P \in 𝔾$ for some uniformly chosen $a, b, c \in ℤ_{p} ∖ {0}$ and $T \in 𝔾_{1}$ as input to decide whether or not $T = e (P, P)^{a b c}$ . The advantage of an algorithm 𝒜 solving the DBDH problem is defined as

\begin{array}{l} | Pr [𝒜 (P, a P, b P, c P, e {(P, P)}^{a b c} = 1] \\ - Pr [𝒜 (P, a P, b P, c P, T) = 1] | . \end{array}

(1)

The DBDH problem is said to be

(t, ϵ)

-hard if there is no algorithm that can solve the DBDH problem within time t with an advantage equal to at least ϵ.

2.3. Lagrange Interpolation

Let $f (x) = \sum_{j = 0}^{t - 1} ‍ α_{j} x^{j}$ be a polynomial over $ℤ_{p}$ with degree $t - 1$ , and let $(x_{1}, f (x_{1})), (x_{2}, f (x_{2})), \dots, (x_{t}, f (x_{t}))$ be t distinct points of $f (x)$ . Then, given $(x_{1}, f (x_{1}))$ , $(x_{2}, f (x_{2})), \dots, (x_{t}, f (x_{t}))$ , one can reconstruct $f (x)$ as

\begin{matrix} f (x) = f (x_{1}) λ_{x_{1}}^{x} + f (x_{2}) λ_{x_{2}}^{x} + \dots + f (x_{t}) λ_{x_{t}}^{x}, \end{matrix}

(2)

where

\begin{matrix} λ_{x_{j}}^{x} = \frac{(x - x_{1}) \dots (x - x_{j - 1}) (x - x_{j + 1}) \dots (x - x_{t})}{(x_{j} - x_{1}) \dots (x_{j} - x_{j - 1}) (x_{j} - x_{j + 1}) \dots (x_{j} - x_{t})}, \end{matrix}

(3)

for any

1 \leq j \leq t

3. Definitions

This section is dedicated to the definition of a $(t, n)$ threshold PVSS scheme and its security model.

3.1. Threshold PVSS Scheme without Secure Channels

Let $𝒰 = (U_{1}, \dots, U_{n})$ be a set of n participants. A dealer wants to share a secret 𝒮 among the participants of 𝒰 in such a way that any t or more participants can recover the secret, while no $t - 1$ participants can obtain any information about the secret.

A PVSS scheme is described by the following algorithms. (1)

Setup $(λ)$ : takes as input a secure parameter λ.

(i)

The dealer generates all public parameters of the scheme.

(ii)

Furthermore, every participant selects its channel protection key $d_{i}$ and publishes the corresponding public key $D_{i}$ .

(iii)

The dealer randomly picks a number as the main secret of the system and uses $D_{i} (i = 1,2, \dots, n)$ and the main secret to generate a main shadow $Y_{i} (i = 1,2, \dots, n)$ for every participant and the system shadow verification key (SVK).

(iv)

For each $U_{i}$ , the dealer sends $U_{i}$ 's main shadow $Y_{i}$ to $U_{i}$ through public channels.

(2)

Secret distribution: the dealer randomly selects a secret S that will be distributed to the participants. It calculates and publishes the secret commitment value (SCV) $s_{1}$ and the secret deriving value (SDV) $s_{2}$ of the secret S. It then outputs $(s_{1}, s_{2})$ . A participant can use $s_{1}$ and its main-shadow $Y_{i}$ to obtain its subshadow of the secret S by itself.

(3)

Verification $(s_{1}, s_{2})$ : takes as inputs $s_{1}$ and $s_{2}$ of a secret. It is required that $s_{1}$ be publicle verifiable. Knowing only the publicly parameter, anyone may verify that $s_{2}$ is consistent with $s_{1}$ . If the verification fails, the verifier broadcasts a complaint about the dealer.

(4)

Reconstruction: this algorithm is composed of three subalgorithms.

(a)

Subshadow generation $(s_{1}, s_{2}, U_{i}, Y_{i}, d_{i})$ : takes as inputs $s_{1}$ and $s_{2}$ of a secret, a participant $U_{i}$ , $U_{i}$ 's main shadow $Y_{i}$ , and $U_{i}$ 's channel protection key $d_{i}$ . To generate its sub-shadow, $U_{i}$ executes verification ( $s_{1}, s_{2}$ ). If the verification fails, $(i, ⊥)$ is output. Otherwise, $U_{i}$ generates the sub-shadow $S_{i}$ from $s_{1}$ and $s_{2}$ using its main shadow $Y_{i}$ and channel protection key $d_{i}$ . $(i, S_{i})$ is then output.

(b)

Sub-shadow verification $(s_{1}, U_{i}, SV K_{i}, S_{i})$ : takes as inputs $s_{1}$ of a secret, a participant $U_{i}$ and $U_{i}$ 's verification key $SV K_{i}$ , and $U_{i}$ 's sub-shadow $S_{i}$ . This algorithm checks whether $S_{i}$ is a valid sub-shadow with respect to $SV K_{i}$ and $s_{1}$ . If the verification fails, a complaint about the participant $U_{i}$ is broadcast.

(c)

Combine $(s_{1}, s_{2}, Γ, Ω)$ : takes as inputs $s_{1}$ and $s_{2}$ of a secret, a qualified set $Γ \subseteq 𝒰$ of t participants, and a list $Ω = (S_{1}, \dots, S_{t})$ of t valid sub-shadows. Outputs a secret S.

3.2. Security Model

The PVSS scheme described above must satisfy the following properties. (i)

Correctness: if the dealer and the participants act honestly, any t or more participants can reconstruct the secret correctly during the execution of the reconstruction algorithm.

(ii)

Verifiability: a successful verification of the SCV and SDV of a secret implies that the SCV and SDV are consistent.

(iii)

Privacy: the basic requirement is that it is impossible for any collusion of less than t participants to obtain any information about a secret.

Hereafter, we will use the notion of a CSA to define the security of the PVSS scheme. We mostly follow the notation from [19, 23], using a game between an adversary 𝒜 and a challenger 𝒞.

(i)

Init. 𝒞 executes Setup (λ) to obtain the public parameters and sends the public parameters to 𝒜 along with all of the shadow verification keys SVK.

(ii)

Phase 1. The adversary adaptively selects a secret and generates $(s_{1}, s_{2})$ about the secret using the public parameters just as the dealer does. Moreover, the adversary 𝒜 is permitted to query a sub-shadow of a participant using $(s_{1}, s_{2})$ .

(iii)

Sub-shadow query. On being input a participant $U_{i}$ , as well as $s_{1}$ and $s_{2}$ , 𝒞 executes the Sub-shadow generation sub-algorithm using $(s_{1}, s_{2}), Y_{i}$ and $d_{i}$ then forwards the resulting $(i, S_{i})$ or $(i, ⊥)$ to the adversary 𝒜.

(iv)

Challenge. The adversary 𝒜 outputs a target set of participants $𝕌^{*}$ , where $| 𝕌^{*} | < t$ . The challenger 𝒞 picks two random secrets $T_{0}$ and $T_{1}$ as well as a random bit $δ \in {0,1}$ . Then, 𝒞 executes the secret distribution algorithm to obtain $(s_{1}^{*}, s_{2}^{*})$ for the secret $T_{δ}$ and sends $(s_{1}^{*}, s_{2}^{*})$ and all the sub-shadows of each $U_{i}^{*} \in 𝕌^{*}$ to 𝒜 along with $T_{0}$ and $T_{1}$ .

(v)

Phase 2. The adversary continues to adaptively issue the subshadow query as in phase 1, but with the constraint that $(s_{1}, s_{2}) \neq (s_{1}^{*}, s_{2}^{*})$ , and challenger 𝒞 responds similarly in phase 1.

(vi)

Guess. Finally, the adversary 𝒜 outputs a guess $δ^{'} \in {0,1}$ and wins the game if $δ = δ^{'}$ .

Definition 1 (IND-CSA security).

A $(t, n)$ PVSS scheme has indistinguishability against adaptive CSA if, for any probabilistic polynomial-time (PPT) adversary 𝒜, the advantage

\begin{matrix} AD V_{𝒜, t, n}^{IND-CSA} (λ) = Pr [δ = δ^{'}] - \frac{1}{2} \end{matrix}

(4)

is negligible with respect to λ.

4. Construction

In this section, we present a concrete $(t, n)$ PVSS scheme and prove its security against CSA in the next section.

Setup

The dealer obtains the group parameters $(p, P, 𝔾, 𝔾_{1}, e (\dots))$ by executing the group generator algorithm $𝒢 𝒢 (λ)$ . It then selects a random integer $γ \in ℤ_{p} ∖ {0}$ and publishes $(p, 𝔾, 𝔾_{1}, e (\dots)$ , $P, P_{2} = γ P)$ on the system bulletin board (BB). Supposing that $𝒰 = {U_{1}, \dots, U_{n}}$ is the set of participants of the system, each participant may be uniquely identified by means of an index $i \in {1, \dots, n}$ . After the dealer has announced the public parameters, each participant $U_{i}$ randomly selects an integer $d_{i} \in ℤ_{p} ∖ {0}$ ( $d_{i}$ is $U_{i}$ 's channel protection key) and calculates $D_{i} = d_{i} P_{2}$ . Each participant keeps $d_{i}$ confidentially and sends $D_{i}$ to the dealer over public channels.

Having received all the $D_{i}$ , the dealer performs the following operations. (1)

The dealer selects a random number $α \in ℤ_{p} ∖ {0}$ and a random polynomial $f (x) = α + \sum_{j = 1}^{t - 1} ‍ α_{j} x^{j}$ with degree $t - 1$ , where t is the threshold value and, for $j = 1, \dots, t - 1$ , $α_{j} \in ℤ_{p} ∖ {0}$ .

(2)

The dealer computes $P_{1} = α P$ and $Y_{i} = f (i) D_{i} (for i = 1, \dots, n)$ , where $Y_{i}$ is the main shadow of the participant $U_{i}$ .

(3)

The dealer selects a collision-resistant hash function $H : 𝔾 \to {0,1}^{l}$ , where l is the output length of H.

(4)

The dealer sets the $SVK = (f (1) P, f (2) P, \dots, f (n) P)$ as the shadow verification key.

(5)

The dealer randomly selects $u^{'}, u_{1}, u_{2}, \dots, u_{l} \in 𝔾$ .

Finally, the dealer sends

Y_{i}

to the participant

U_{i} (i = 1, \dots, n)

through public channels and publishes

(P_{1}, H, u^{'}, u_{1}, u_{2}, \dots, u_{l}, SVK)

on the bulletin board.

Secret Distribution

The dealer wants to share a secret, which is a random element in $𝔾_{1}$ . The form of the secret is $𝒮 = e (P_{1}, P_{2})^{k}$ , where k is selected randomly from $ℤ_{p} ∖ {0}$ . Let v be a bit string of length l, let $v_{i}$ denote the ith bit of v, and let $𝒱 \subseteq {1, \dots, l}$ be the set of all i for which $v_{i} = 1$ . The dealer calculates and publishes the SCV $s_{1}$ and SDV $s_{2}$ as follows:

\begin{matrix} s_{1} = k P, \\ v = H (s_{1}), \\ s_{2} = k (u^{'} + \sum_{i \in 𝒱} u_{i}) . \end{matrix}

(5)

The dealer either broadcasts

(s_{1}, s_{2})

to all participants or publishes

(s_{1}, s_{2})

on the BB. (

U_{i}

's real sub-shadow

S_{i}

for the secret 𝒮 is

e (s_{1}, - d_{i} f (i) D_{i})

. In order to achieve CSA security, in the reconstruction algorithm, no participant

U_{i}

directly sends

S_{i}

to other participants.) If the dealer wants to share a new secret, it just executes the secret distribution algorithm again and publishes appropriate information on the BB. However, the main shadow

Y_{i}

U_{i}

need not be changed.

Verification

Given $(s_{1}, s_{2})$ , this algorithm first computes $v = H (s_{1})$ and outputs “valid” or “invalid” according to the following:

\begin{matrix} e (s_{2}, P) = e (u^{'} + \sum_{i \in 𝒱} u_{i}, s_{1}) . \end{matrix}

(6)

Reconstruction

Without loss of generality, let us assume that $Γ = {1, \dots, t}$ is a qualified subset of the set of participants, that is, it consists of at least t participants who want to collectively reconstruct the secret 𝒮. Each participant in Γ executes the following algorithms: (1)

Sub-shadow generation $(s_{1}, s_{2}, U_{i}, Y_{i}, d_{i})$ : takes as inputs $s_{1}$ and $s_{2}$ a participant $U_{i}$ , $U_{i}$ 's main shadow $Y_{i}$ , and $U_{i}$ 's channel protection key $d_{i}$ . To generate its sub-shadow, $U_{i}$ executes the verification ( $s_{1}, s_{2}$ ) algorithm. If the verification fails, $U_{i}$ outputs ( $i, ⊥$ ) and exits. Otherwise, $U_{i}$ randomly selects $β_{i} \in ℤ_{p} ∖ {0}$ and performs the following calculations:

\begin{matrix} v = H (s_{1}), \\ μ_{i 1} = (- d_{i}) Y_{i} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}), \\ μ_{i 2} = β_{i} P . \end{matrix}

(7)

At this point,

U_{i}

sends

S_{i} = {μ_{i 1}, μ_{i 2}}

to the other participants in Γ through secure channels. (

U_{i}

may use the method described in Section 7 to send

S_{i} = {μ_{i 1}, μ_{i 2}}

through public channels.)

(2)

Sub-shadow verification $(s_{1}, U_{i}, SV K_{i}, S_{i})$ : takes as inputs $s_{1}$ for a secret, a participant $U_{i}$ , and $U_{i}$ 's verification key $SV K_{i}$ , $U_{i}$ 's sub-shadow $S_{i} = {μ_{i 1}, μ_{i 2}}$ . Another participant $U_{j} \in Γ$ computes $v = H (s_{1})$ and then checks

\begin{matrix} e (μ_{i 1}, P) = e (P_{2}, SV K_{i}) e (u^{'} + \sum_{j \in 𝒱} u_{j}, μ_{i 2}) . \end{matrix}

(8)

If the checked equality does not hold,

U_{j}

demands that

U_{i}

sends

(μ_{i 1}, μ_{i 2})

again or declares that

U_{i}

is a cheater.

(3)

Combine $(s_{1}, s_{2}, Γ, Ω)$ : takes as input $s_{1}$ and $s_{2}$ for a secret, a qualified subset $Γ \subseteq 𝒰$ of the set of participants that contains at least t participants, and a list $Ω = (S_{1}, \dots, S_{t})$ (where $S_{i} = {μ_{i 1}, μ_{i 2}}$ ) of t valid subshadows. Each participant $U_{i} \in Γ$ first computes the Lagrange coefficients $λ_{1}^{0}, λ_{2}^{0}, \dots, λ_{n}^{0} \in ℤ_{p}$ , where $λ_{i}^{0} = \prod_{j \neq i, j \in {1, \dots, t}} ((0 - j) / (i - j))$ , then calculates

\begin{matrix} μ_{1} = \sum_{i = 1}^{t} ‍ λ_{i}^{0} μ_{i 1}, \\ μ_{2} = \sum_{i = 1}^{t} ‍ λ_{i}^{0} μ_{i 2} . \end{matrix}

(9)

At this point, every participant in Γ uses

(s_{1}, s_{2}, μ_{1}, μ_{2}

) to reconstruct the secret 𝒮 as follows:

\begin{matrix} 𝒮 = \frac{e (s_{1}, μ_{1})}{e (s_{2}, μ_{2})} . \end{matrix}

(10)

5. Security and Correctness

5.1. Correctness

If the dealer and the participants are honest, any t or more participants can reconstruct the secret during the execution of the reconstruction algorithm. The correctness of equalities (6), (9), and (10) is as follows.

\begin{array}{l} e (μ_{i 1}, P) & = & e (- d_{i} Y_{i} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}), P) \\ = & e (P_{2}, f (i) P) e (u^{'} \sum_{j \in 𝒱} u_{j}, β_{i} P) \\ = & e (P_{2}, {SVK}_{i}) e (u^{'} + \sum_{j \in 𝒱} u_{j}, μ_{i 2}), \end{array}

(11)

\begin{array}{l} μ_{1} & = & \sum_{i = 1}^{t} λ_{i}^{0} μ_{i 1} \\ = & \sum_{i = 1}^{t} (λ_{i}^{0} (- d_{i}) Y_{i} + λ_{i}^{0} β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j})) \\ = & \sum_{i = 1}^{t} λ_{i}^{0} f (i) P_{2} + \sum_{i = 1}^{t} β_{i} λ_{i}^{0} (u^{'} + \sum_{j \in 𝒱} u_{j}) \\ = & α P_{2} + \sum_{i = 1}^{t} β_{i} λ_{i}^{0} (u^{'} \sum_{j \in 𝒱} u_{j}), \end{array}

(12)

\begin{array}{l} μ_{2} & = & \sum_{i = 1}^{t} λ_{i}^{0} μ_{i 2} \\ = & \sum_{i = 1}^{t} (β_{i} λ_{i}^{0}) P \end{array}

(13)

\begin{array}{l} δ & = & \frac{e (s_{1}, μ_{1})}{e (s_{2}, μ_{2})} \\ = & \frac{e (k P, α P_{2} + \sum_{i = 1}^{t} β_{i} λ_{i}^{0} (u^{'} + \sum_{j \in 𝒱} u_{j}))}{e (k u^{'} + k \sum_{i \in 𝒱} u_{i}, \sum_{i = 1}^{t} (β_{i} λ_{i}^{0}) P)} \\ = & \frac{e (k P, α P_{2}) e (k P, \sum_{i = 1}^{t} β_{i} λ_{i}^{0} (u^{'} + \sum_{j \in 𝒱} u_{j}))}{e (k P, \sum_{i = 1}^{t} β_{i} λ_{i}^{0} (u^{'} + \sum_{j \in 𝒱} u_{j}))} \\ = & e {(P_{1}, P_{2})}^{k} . \end{array}

(14)

5.2. Security

Theorem 2 (IND-CSA of PVSS).

Suppose the hash function H is a universal collision-resistant one-way family. Then, the proposed PVSS scheme is secure against adaptive CSA under the intractability assumption of the DBDH problem. More specifically, if there is an adversary that can break the PVSS scheme within time 𝒯 with probability at least ϵ, then there exists an algorithm that can solve the DBDH problem within time $𝒯^{'}$ with probability at least $ϵ^{'}$ , where

\begin{matrix} 𝒯^{'} = 𝒯 + 𝒯_{Q}, ϵ^{'} \geq \frac{3}{4} ϵ . \end{matrix}

(15)

Here,

𝒯_{Q}

denotes the time taken to answer all queries.

Proof.

Suppose an adversary 𝒜 breaks the PVSS scheme with advantage $AD V_{𝒜, t, n, q}^{IND-CSA} > ϵ$ . Then we can devise an algorithm ℛ that solves a random DBDH problem instance with advantage $ϵ^{'} \geq (3 / 4) ϵ$ . Algorithm ℛ is given as input a group parameter $B = (p, P, 𝔾, 𝔾_{1}, e (\dots))$ and a random tuple $(𝔾, P, a P, b P, c P, T)$ , where T is a random element of $𝔾_{1}$ or $T = e (P, P)^{a b c}$ . The goal of algorithm ℛ is to output 1 (“true”) if $T = e (P, P)^{a b c}$ and 0 (“false”) otherwise. Set $P_{1} = a P, P_{2} = b P, P_{3} = c P$ . Algorithm ℛ works by interacting with 𝒜 in a game as follows:

Init. Algorithm ℛ does the following. (1)

Algorithm ℛ chooses a set 𝕌 containing $t - 1$ participants. Without loss of generality, let $𝕌 = {U_{1}, \dots, U_{t - 1}} \subset 𝒰 = {U_{1}, \dots, U_{n}}$ .

(2)

Algorithm ℛ selects a collision-resistant hash function $H : 𝔾 \to {0,1}^{l}$ and computes the public keys for all participants in 𝒰 as follows: $D_{i} = d_{i} P_{2},$ for all $i \in 𝒫$ and $d_{i} \overset{R}{\leftarrow} ℤ_{p} ∖ {0}$ , where $d_{i}$ is the channel protection key of $U_{i}$ .

(3)

Algorithm ℛ selects $t - 1$ random integers $α_{i} \in ℤ_{p}$ , where $i = 1, \dots, t - 1,$ and $α_{t - 1} \neq 0$ . There exists a polynomial $f (x) \in ℤ_{p} [X]$ of degree $t - 1$ such that for all $U_{i} \in 𝕌, f (0) = a$ and $f (i) = α_{i}$ . However, ℛ does not know the polynomial f, because it does not know a.

(4)

Algorithm ℛ constructs the shadow verification key SVK as follows.

(i)

If $U_{i} \in 𝕌$ , since ℛ knows $f (i) = α_{i}$ , he can compute the shadow verification key $SV K_{i} = f (i) P = α_{i} P$ .

(ii)

If $U_{i} \notin 𝕌$ , ℛ computes the Lagrange coefficients $λ_{0}^{i}, λ_{1}^{i}, λ_{2}^{i}, \dots, λ_{k - 1}^{i} \in ℤ_{p}$ , such that $f (i) = λ_{0}^{i} f (0) + \sum_{j = 1}^{t - 1} ‍ λ_{j}^{i} f (j)$ . Algorithm ℛ then sets

\begin{matrix} SV K_{i} = λ_{0}^{i} a P + λ_{1}^{i} α_{1} P \dots + λ_{t - 1}^{i} α_{t - 1} P, \end{matrix}

(16)

which entails that

SV K_{i} = f (i) P

, as required.

(5)

Algorithm ℛ follows Waters' [24] method to simulate it as follows.

(i)

For v, it lets $𝒱 \subseteq {1, \dots, l}$ be the set of all i for which $v_{i} = 1$ .

(ii)

It sets an integer $m = 4 q$ (where q is the maximum number of sub-shadow queries) and randomly chooses an integer k between 0 and l.

(iii)

It chooses a random vector $\vec{x} = (x_{i})$ of length l, where $x_{i} \in {0, m - 1}$ .

(iv)

It lets $v^{'} = H (c P)$ , and computes $x^{'} = k m - \sum_{i \in v^{'}} ‍ x_{i}$ .

(v)

It chooses a random integer $h^{'} \in ℤ_{p}$ and a vector $\vec{h} = (h_{i})$ of length l, where $h_{i} \in ℤ_{p}$ .

(vi)

It sets $u^{'} = (p - k m + x^{'}) P_{2} + h^{'} P$ , $u_{i} = x_{i} P_{2} + h_{i} P$ .

(vii)

It defines $F (v) = (p - m k) + x^{'} + \sum_{i \in 𝒱} x_{i}$ , $J (v) = h^{'} + \sum_{i \in 𝒱} ‍ h_{i}$ and

\begin{matrix} K (v) = {\begin{cases} 0, & if x^{'} + \sum_{i \in 𝒱} x_{i} \equiv 0 (\mod m), \\ 1, & otherwise . \end{cases} \end{matrix}

(17)

(6)

Algorithm ℛ sends $(B, P, P_{1}, P_{2}, H, e (\dots), SV K_{i} (i = 1,2, \dots, n), u^{'}, u_{i} (i =$ $1, \dots, l))$ to the adversary 𝒜.

Phase 1. The adversary 𝒜 adaptively selects a secret $𝒮^{'} = e (P_{1}, P_{2})^{k^{'}}$ and generates $(s_{1}, s_{2})$ for the secret $𝒮^{'}$ using the public parameters ${P_{1}, P_{2}, e (\dots)}$ just as the dealer does. Then, 𝒜 adaptively issues a sub-shadow query of the form ${i, (s_{1}, s_{2})}$ , where $i \in {1, \dots, n}$ . For each such sub-shadow query the following applies. (1)

The algorithm ℛ computes $v = H (s_{1})$ and checks $e (s_{2}, P) = e (u^{'} + \sum_{i \in 𝒱} ‍ u_{i}, s_{1})$ . If the equality does not hold, ℛ responds to 𝒜's query with $(i, ⊥)$ .

(2)

Otherwise, ℛ continues to check whether $K (𝒱) = 0$ holds. If it does hold, ℛ aborts the game and randomly selects a bit as the answer to the DBDH problem.

(3)

Otherwise, there are two different cases as follows.

(i)

If $i \in {1, \dots, t - 1}$ , computing $μ_{i 1}, μ_{i 2}$ is easy, because $f (i)$ is equal to one of the $α_{1}, \dots, α_{t - 1}$ , which are known to ℛ. Thus, ℛ randomly selects $β_{i} \in ℤ_{p} ∖ {0}$ and performs the following calculations:

\begin{array}{l} μ_{i 1} = (- d_{i}) Y_{i} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}) \\ = α_{i} P_{2} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}), \\ μ_{i 2} = β_{i} P . \end{array}

(18)

ℛ sends the sub-shadow

S_{i} = (μ_{i 1}, μ_{i 2})

U_{i}

to 𝒜.

(ii)

If $i \notin {1, \dots, t - 1}$ , ℛ randomly selects $β_{i} \in ℤ_{p} ∖ {0}$ and performs the following calculations:

\begin{matrix} μ_{i 1} = \frac{- J (𝒱) λ_{0}^{i}}{F (𝒱)} P_{1} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}) + χ, \\ μ_{i 2} = β_{i} P + \frac{- λ_{0}^{i}}{F (𝒱)} P_{1}, \end{matrix}

(19)

where

χ = \sum_{j = 1}^{t - 1} ‍ λ_{j}^{i} α_{j} P_{2}

We claim that $S_{i} = {μ_{i 1}, μ_{i 2}}$ is a valid sub-shadow for ${i, (s_{1}, s_{2})}$ . To see this, let ${\tilde{β}}_{i} = β_{i} - (a λ_{0}^{i} / F (𝒱)$ ). Then we have

\begin{array}{l} μ_{i 1} & = & \frac{- J (𝒱) λ_{0}^{i}}{F (𝒱)} P_{1} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}) + χ \\ = & \frac{- j (𝒱) λ_{0}^{i}}{F (𝒱)} P_{1} + β_{i} F (𝒱) P_{2} + β_{i} J (𝒱) P + χ \\ = & α λ_{0}^{i} P_{2} + \frac{- α F (𝒱) λ_{0}^{i}}{F (𝒱)} P_{2} + \frac{- J (𝒱) λ_{0}^{i}}{F (𝒱)} P_{1} \\ = & + β_{i} F (𝒱) P_{2} + β_{i} J (𝒱) P + χ \\ = & α λ_{0}^{i} P_{2} + \frac{- α λ_{0}^{i}}{F (𝒱)} (F (𝒱) P_{2} + J (𝒱) P) \\ = & + β_{i} F (𝒱) P_{2} + β_{i} J (𝒱) P + χ \\ = & α λ_{0}^{i} P_{2} + \sum_{j = 1}^{t - 1} λ_{j}^{i} α_{j} P_{2} + (β_{i} - \frac{α λ_{0}^{i}}{(𝒱)}) \\ = & \times (F (𝒱) P_{2} + J (𝒱) P) \\ = & f (i) P_{2} + (β_{i} - \frac{α λ_{0}^{i}}{F (𝒱)}) (u^{'} + \sum_{j \in 𝒱} u_{j}) \\ = & f (i) (- d_{i}) D_{i} {\tilde{β}}_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}), \\ μ_{i 2} & = & β_{i} P + \frac{- λ_{0}^{i}}{F (𝒱)} P_{1} \\ = & β_{i} P + \frac{- a λ_{0}^{i}}{F (𝒱)} P = {\tilde{β}}_{i} P . \end{array}

(20)

Since

{\tilde{β}}_{i}

is uniform in

ℤ_{p}

, the sub-shadow

S_{i} = (μ_{i 1}, μ_{i 2})

of the participant

U_{i}

is a valid response to 𝒜.

Challenge. Once the adversary 𝒜 has completed phase 1, and sent a challenge set $𝕌^{*}$ , where $| 𝕌^{*} | < t$ , the algorithm ℛ can form the following challenge information. Let $v^{*} = H (P_{3})$ , so that there is $F (v^{*}) \equiv 0 (\mod p)$ . Then, algorithm ℛ selects T as the secret and computes $(s_{1}^{*}, s_{2}^{*})$ as follows.

\begin{matrix} s_{1}^{*} = P_{3}, \\ s_{2}^{*} = c J (v^{*}) P = c (u^{'} + \sum_{i \in 𝒱^{*}} u_{i}) . \end{matrix}

(21)

Thus, the secret T is of the required form as described in the scheme, whenever

T = e (P, P)^{a b c} = e (P_{1}, P_{2})^{c}

Algorithm ℛ computes the sub-shadow of each $U_{i}^{*} \in 𝕌^{*}$ as follows: (i)

If $U_{i}^{*} \in 𝕌$ , the sub-shadow of $U_{i}^{*}$ is $(μ_{i 1}^{*}, μ_{i 2}^{*}) =$ $(β_{i} a_{i} (u^{'} + \sum_{j \in 𝒱} ‍ u_{j}) P_{2}, β_{i} P)$ , where $v = H (s_{1}^{*})$ .

(ii)

If $U_{i}^{*} \notin 𝕌$ , the sub-shadow of $U_{i}^{*}$ is

\begin{matrix} μ_{i 1}^{*} = \frac{- J (𝒱) λ_{0}^{i}}{F (𝒱)} P_{1} + β_{i} (u^{'} + \sum_{j \in 𝒱} u_{j}) + \sum_{j = 1}^{t - 1} λ_{j}^{i} α_{j} P_{2}, \end{matrix}

(22)

\begin{matrix} μ_{i 2}^{*} = β_{i} P + \frac{- λ_{0}^{i}}{F (𝒱)} P_{1}, \end{matrix}

(23)

where

v = H (s_{1}^{*})

At this point, algorithm ℛ randomly selects a bit $δ \in {0,1}$ , sets $T_{δ} = T$ , and assigns a random value in the secret space $𝔾_{1}$ to $T_{1 - δ}$ . ℛ then sends $(s_{1}^{*}, s_{2}^{*}, T_{0}, T_{1}, S_{i}^{*} = (μ_{i 1}^{*}, μ_{i 2}^{*}))$ to the adversary 𝒜, where $i \in 𝕌^{*}$ .

Claim 1. Our simulation does not abort with probability greater than 3/4.

Proof. Without loss of generality, let us assume that the adversary 𝒜 makes the maximum number q of sub-shadow queries. For any sub-shadow query of a participant and the $v_{1}, v_{2}, \dots, v_{q} (\neq v^{*})$ , we have

\begin{array}{l} Pr [\bar{abort}] & = & Pr [⋀_{i = 1}^{q} K ((v_{i})) = 1] \\ = & 1 - Pr [⋁_{i = 1}^{q} K ((v_{i})) = 0] \\ \geq & 1 - \sum_{i = 1}^{q} Pr [K ((v_{i})) = 0] \\ = & 1 - \frac{q}{m} \\ = & \frac{3}{4} (for m = 4 q) . \end{array}

(24)

This completes the proof of Claim 1.

Phase 2. The adversary 𝒜 continues to issue queries about a sub-shadow of the form ${i, (s_{1}, s_{2})}$ , where $i \in {1, \dots, n}$ and $(s_{1}, s_{2}) \neq (s_{1}^{*}, s_{2}^{*})$ . Algorithm ℛ responds as in phase 1.

Guess. Eventually, 𝒜 outputs a guess bit $δ^{'} \in {0,1}$ for δ. Based on the value of $δ^{'}$ , ℛ concludes its own game by outputting a guess as follows. (i)

If $δ^{'} = δ$ , ℛ answers 1, meaning that $T = e (P, P)^{a b c}$ .

(ii)

Otherwise, ℛ answers 0, meaning that T is a random element of $𝔾_{1}$ .

If the input $(P, a P, b P, c P, T)$ satisfies $T = e (P, P)^{a b c}$ , then 𝒜's view is identical to its view in a real attack game, and therefore 𝒜 must satisfy $| Pr [δ = δ^{'}] - 1 / 2 | > ϵ$ . On the other hand, if the input of $(P, a P, b P, c P, T)$ satisfies $T \neq e (P, P)^{a b c}$ (where T is uniform in $𝔾_{1}$ ), then $Pr [δ = δ^{'}] = 1 / 2$ . Therefore, with $P \overset{R}{\leftarrow} 𝔾, a, b, c \overset{R}{\leftarrow} ℤ_{p}$ and $T \overset{R}{\leftarrow} 𝔾_{1}$ , we have

\begin{array}{l} | Pr [ℛ (𝔾, P, a P, b P, c P, e {(P, P)}^{a b c}) = 1] \\ - Pr [ℛ (𝔾, P, a P, b P, c P, T) = 1] | \\ \geq | (\frac{1}{2} \pm ϵ) - \frac{1}{2} | = ϵ . \end{array}

(25)

According to Claim 1, we have that

ϵ^{'} \geq (3 / 4) ϵ

. This completes the proof of Theorem 2.

6. Comparison

Now, let us compare our scheme to $WT 11$ [2] and $HV 09$ [3] in terms of computational cost and security. We firstly define the following notations. (i)

$T_{p}$ : The time taken to execute a bilinear pairing operation $e (\cdot, \cdot)$ .

(ii)

$T_{m}$ : The time taken to execute a scalar multiplication operation of point in 𝔾.

(iii)

$T_{e}$ : The time taken to execute a modular exponent operation in $𝔾_{1}$ .

(iv)

$| p |$ : The binary length of order p.

(v)

$| H |$ : The output length of the hash function H.

As is well known, the time taken to execute $T_{p}$ , $T_{m}$ , and $T_{e}$ is much greater than the other operations, so we will ignore the time consumption of the other operations, such as executing an addition operation of points in 𝔾. The details of the comparison are given in Table 2. In Table 3, we compare the communication cost of the dealer distributing a secret to the participants, and a participant sends its subshare to other participants.

Table 2

Computational cost and security.

	WT11 [2]	HV09 [3]	Our scheme
Setup	0	0	$(2 n + 1) T_{m}$
Secret distribution	$(4 n + t) T_{p} + n T_{m}$	$(n + t) T_{m}$	$2 T_{m}$
Verification	$(n + 3) T_{p} + n (t + 1) T_{m}$	$t T_{m} + 2 t T_{p}$	$2 T_{p}$
Subshadow generation	$T_{e}$	$T_{m}$	$3 T_{m}$
Sub-shadow verification	/	$2 (t - 1) T_{p}$	$3 (t - 1) T_{p}$
Combine	$t T_{e}$	$t T_{m} + T_{p}$	$2 T_{p} + 2 t T_{m}$

Secure level	IND	IND	IND-CSA

Table 3

Communication cost.

	WT11 [2]	HV09 [3]	Our scheme
Dealer distribution of a secret	$n (t + 4) \| p \|$	$n (t + n) \| p \|$	$n (2 \| p \| + \| H \|)$
Reconstruction of a secret	$t \| p \|$	$t \| p \|$	$2 t \| p \|$

From the comparison in Tables 2 and 3, one can see that our scheme achieves a higher level of security without significantly increasing the overall computational complexity and the communication cost.

7. Extension Scheme

In the basic scheme described previously, the secret reconstruction requires the presence of point-to-point secure channels among the participants. In this section, we remove this limitation without sacrificing any good property of the scheme.

Suppose that a participant $U_{i}$ wants to send its sub-shadow through a public channel to a participant $U_{j}$ . For this purpose, $U_{i}$ randomly selects $β_{i}, r \in ℤ_{p} ∖ {0}$ , uses $U_{j}$ 's public key $D_{j}$ , and the following calculations are performed:

\begin{matrix} v = H (𝒮_{1}), \\ υ_{i 1} = (- d_{i}) Y_{i} + β_{i} (u^{'} + \sum_{i \in 𝒱} u_{i}) + r D_{j}, \\ υ_{i 2} = β_{i} P, \\ υ_{i 3} = r P_{2} . \end{matrix}

(26)

Then,

U_{i}

sends

{υ_{i 1}, υ_{i 2}, υ_{i 3}}

U_{j}

$U_{j}$ computes

\begin{matrix} μ_{i 1} = υ_{i 1} - d_{j} υ_{i 3}, \end{matrix}

(27)

sets

\begin{matrix} μ_{i 2} = υ_{i 2}, \end{matrix}

(28)

and then checks whether or not

\begin{matrix} e (μ_{i 1}, P) = e (P_{2}, SV K_{i}) e (u^{'} + \sum_{i \in 𝒱} u_{i}, μ_{i 2}) . \end{matrix}

(29)

Having collected t valid sub-shadows, $U_{i}$ first computes $μ_{1} = \sum_{i = 1}^{t} ‍ λ_{i}^{0} μ_{i 0}, μ_{2} = \sum_{i = 1}^{t} ‍ λ_{i}^{0} μ_{i 1}$ and then reconstructs the secret 𝒮 by computing $e (s_{1}, μ_{1}) / e (s_{2}, μ_{2})$ just as it does in the basic scheme.

8. Conclusion

In this paper, we proposed a $(t, n)$ threshold PVSS scheme. Under the decisional bilinear Diffie-Hellman assumption, we proved that our scheme has indistinguishability against adaptively chosen secret attacks in the standard model. In the secret distribution phase, the dealer can send the main shadow to a participant through public channels. When the participants exchange their sub-shadows in the secret reconstruction phase, point-to-point secure channels need not be established in the extended scheme. This scheme is fairly interesting for practical applications.

Footnotes

Acknowledgments

This work is supported by the National Natural Science Foundation of China (NSFC) Programs (nos. 61070251, 61003285, 61103198, and 61272534), the NSFC A3 Foresight Program (no. 61161140320), and the JSPS KAKENHI program (23500031).

References

Shamir

How to share a secret

Communications of the ACM 1979 22 11 612 613

10.1145/359168.359176

T.-Y.

Tseng

Y.-M.

A pairing-based publicly verifiable secret sharing scheme

Journal of Systems Science and Complexity 2011 24 1 186 194

10.1007/s11424-011-8408-6

Heidarvand

Villar

Avanzi

Keliher

Sica

Public verifiability from pairings in secret sharing schemes

Selected Areas in Cryptography 2009 5381

Berlin, Germany

Springer

294 310 Lecture Notes in Computer Science

10.1007/978-3-642-04159-4_19

Beimel

Franklin

Vadhan

Weakly-private secret sharing schemes

Theory of Cryptography 2007 4392

Berlin, Germany

Springer

253 269 Lecture Notes in Computer Science

10.1007/978-3-540-70936-7_14

Fujisaki

Okamoto

Nyberg

A practical and provably secure scheme for publicly verifiable secret sharing and its applications

Advances in Cryptology-EUROCRYPT '98 1998 1403

Berlin, Germany

Springer

32 48 Lecture Notes in Computer Science

10.1007/BFb0054115

Hwang

R. J.

Chang

C. C.

An on-line secret sharing scheme for multi-secrets

Computer Communications 1998 21 13 1170 1176

10.1016/S0140-3664(98)00191-1

Patra

Choudhary

Rabin

Rangan

Halevi

The round complexity of verifiable secret sharing revisited

Advances in Cryptology-CRYPTO 2009 2009 5677

Berlin, Germany

Springer

487 504 Lecture Notes in Computer Science

10.1007/978-3-642-03356-8_29

Kumaresan

Patra

Rangan

Abe

The round complexity of verifiable secret sharing: the statistical case

Advances in Cryptology-ASIACRYPT 2010 2010 6477

Berlin, Germany

Springer

431 447 Lecture Notes in Computer Science

10.1007/978-3-642-17373-8_25

Hong Yu Jingsha He Ting Zhang Peng Xiao

A group key distribution scheme for wireless sensor networks in the internet of things scenario

International Journal of Distributed Sensor Networks 2012 2012 12

10.1155/2012/813594

10.

Blakley

G. R.

Safeguarding cryptographic keys

Proceedings of the National Computer Conference

1979

313 329 Managing Requirements Knowledge

10.1109/AFIPS.1979.98

11.

Chor

Goldwasser

Micali

Awerbuch

Verifiable secret sharing and achieving simultaneity in the presence of faults

Proceedings of the 26th Annual Symposium on Foundations of Computer Science

1985

383 395

10.1109/SFCS.1985.64

12.

Feldman

A practical scheme for non-interactive verifiable secret sharing

Proceedings of the 28th Annual Symposium on Foundations of Computer Science

1987

Los Angeles, Calif, USA

427 438

10.1109/SFCS.1987.4

13.

Pedersen

Feigenbaum

Non-interactive and information-theoretic secure verifiable secret sharing

Advances in Cryptology-CRYPTO '91 1992 576

Berlin, Germany

Springer

129 145 Lecture Notes in Computer Science

10.1007/3-540-46766-1_9

14.

Schoenmakers

Wiener

A simple publicly verifiable secret sharing scheme and its application to electronic voting

Advances in Cryptology-CRYPTO '99 1999 1666

Berlin, Germany

Springer

784 799 Lecture Notes in Computer Science

10.1007/3-540-48405-1_10

15.

Ruiz

Villar

J. L.

Publicly verifiable secret sharing from paillier's cryptosystems

Proceedings of the Western European Workshop on Research in Cryptology (WEWoRC '05)

2005

98 108 Lecture Notes in Informatics

16.

Stadler

Maurer

Publicly verifiable secret sharing

Advances in Cryptology-EUROCRYPT '96 1996 1070

Berlin, Germany

Springer

190 208 Lecture Notes in Computer Science

10.1007/3-540-68339-9_17

17.

Fiat

Shamir

Odlyzko

How to prove yourself: how to prove yourself: practical solutions to identification and signature problems

Advances in Cryptology-CRYPTO '86 1987 263

Berlin, Germany

Springer

186 204 Lecture Notes in Computer Science

10.1007/3-540-47721-7_12

18.

Bellare

Rogaway

Random oracles are practical: a paradigm for designing efficient protocols

Proceedings of the 1st ACM Conference on Computer and Communications Security

November 1993

New York, NY, USA

ACM

62 73

2-s2.0-0027726717

10.1145/168588.168596

19.

Cramer

Shoup

Krawczyk

A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack

Advances in Cryptology-CRYPTO '98 1998 1462

Berlin, Germany

Springer

13 29 Lecture Notes in Computer Science

10.1007/BFb0055717

20.

Jhanwar

Bao

Weng

A practical (non-interactive) publicly verifiable secret sharing scheme

Information Security Practice and Experience 2011 6672

Berlin, Germany

Springer

273 287 Lecture Notes in Computer Science

10.1007/978-3-642-21031-0_21

21.

Huaxiong

Wong

D. S.

On secret reconstruction in secret sharing schemes

Information Theory, IEEE Transactions on 2008 2008 54 1 473 480

2-s2.0-38349104231

10.1109/TIT.2007.911179

22.

Boneh

Franklin

Kilian

Identity-based encryption from the weil pairing

Advances in Cryptology-CRYPTO 2001 2001 2139

Berlin, Germany

Springer

213 230 Lecture Notes in Computer Science

10.1007/3-540-44647-8_13

23.

Boneh

Boyen

Cachin

Camenisch

Efficient selective-ID secure identity-based encryption without random oracles

Advances in Cryptology-EUROCRYPT 2004 2004 3027

Berlin, Germany

Springer

223 239 Lecture Notes in Computer Science

10.1007/978-3-540-24676-3_14

24.

Waters

Cramer

Efficient identity-based encryption without random oracles

Advances in Cryptology-EUROCRYPT 2005 2005 3494

Berlin, Germany

Springer

557 557 Lecture Notes in Computer Science

10.1007/11426639_7

	WT11 [2]	HV09 [3]	Our scheme
Dealer distribution of a secret	$n (t + 4) \| p \|$	$n (t + n) \| p \|$	$n (2 \| p \| + \| H \|)$
Reconstruction of a secret	$t \| p \|$	$t \| p \|$	$2 t \| p \|$

Publicly Verifiable Secret Sharing Scheme with Provable Security against Chosen Secret Attacks

Abstract

1. Introduction

1.1. Related Work

1.2. Our Contributions

1.3. Paper Organization

2. Preliminaries

2.1. Bilinear Map

2.2. Decisional Bilinear Diffie-Hellman Assumption

2.3. Lagrange Interpolation

3. Definitions

3.1. Threshold PVSS Scheme without Secure Channels

3.2. Security Model

Definition 1 (IND-CSA security).

4. Construction

5. Security and Correctness

5.1. Correctness

5.2. Security

Theorem 2 (IND-CSA of PVSS).

Proof.

6. Comparison

7. Extension Scheme

8. Conclusion

Footnotes

Acknowledgments

References