Sage Journals: Discover world-class research

Abstract

Wireless sensor network is a key technology in the sensing layer of the Internet of Things. Data security in wireless sensor network is directly related to the authenticity and validity of data transmitted in the Internet of Things. Due to the large number and different types of nodes in wireless sensor networks, layered secret key sharing technology is increasingly used in wireless sensor networks. In a hierarchical secret sharing scheme, participants are divided into sections with different permissions for each team, but the same permissions for participants in the same team. In this article, we follow the approach of the hierarchical secret sharing scheme derived from the linear homogeneous recurrence relations. We design a hierarchical multi-secret sharing scheme for wireless sensor networks on the basis of the elliptic curve public key cryptosystem combined with the linear homogeneous recurrence relations. In the proposed scheme, we do not make sure that the participants are half-truthful. In addition, the participants’ shadows can be reused. Our scheme is computational security. Only one share from each member is required in our hierarchical multi-secret sharing scheme. It is more suitable for wireless sensor networks compared to the up-to-date schemes.

Keywords

Hierarchical secret sharing scheme elliptic curve public key cryptosystem linear homogeneous recurrence relations

Introduction

In a secret sharing scheme of $(t, n)$ threshold,¹ the secret is passed around in $n$ participants, and when it is required, any $t$ or more participants can retrieve the shared secrets by combining their shares. A handy case of secret sharing is the distributed storage of sensitive information. Such a solution is called perfect scheme if any participant of any ineligible subset does not have access to any information about the shared secrets. Shamir¹ and Blakley² raised the threshold secret sharing schemes, two exceptional cases where all the participants have the same privileges.

There are restrictions on threshold secret sharing schemes in reality. Therefore, to enhance the feasibility of secret sharing in practice, many researchers concentrate on particular sets of access structures, for instance, weighted threshold access structure, compartmented access structure, graph-based access structures,³ bipartite access structures⁴ and hierarchical access structure.⁵ A large number of studies in our community have been focused on the protection (e.g. privacy,⁶ security,⁷ malicious behaviours)⁸ of our lives, towards constructing a safer information environment. Shamir proposed the weighted threshold secret sharing scheme.¹ But the secret sharing scheme¹ is a trivial solution by assigning multiple shares to each participant according to its integral weight, which is inefficient. Simmons⁹ presented a multipartite access structure, and the definitions of the compartmented access structure and the hierarchical access structure were given by him. After Simmons, Brickell¹⁰ introduced an approach to give an ideal secret sharing scheme for the multilevel and compartmented access structures. The multipartite access structure can classically be divided into the hierarchical access structure and the compartmented access structure.^2,11

Tassa¹² proposed some hierarchical threshold access structures rested on Birkhoff interpolation, and the interpolation matrix must satisfy Polya’s condition.¹² Farras et al.¹³ gave a comprehensive characteristic of the ideal multipartite access structures. Then the scholars investigated the hierarchical secret sharing schemes by using the findings on integer polymatroids in the solution given by Farras et al.¹⁴ These techniques offered a characterization of the hierarchical access structures and by these techniques, there admits the ideal and perfect secret sharing scheme existing for the hierarchical access structures.^14,15 Chen et al.¹⁶ proposed a method to give an ideal scheme that implements the compartmented access structure by the general polymatroid-based method presented in Farras et al.’s solution¹⁴ and the Gabidulin¹⁷ codes. Chen et al.¹⁸ proposed a method of implementing the multipartite access structure. Motivated by the integer polymatroids, the main idea of Chen et al.’s scheme¹⁸ from Brickell¹⁰ provides a polynomial-time algorithm to build such a matrix $M$ , which makes all the determinants of those particular multi-matrices non-zero in certain limited domains.

The methods mentioned above do not introduce verifiability. Also, researchers have worked out verifiable resolutions for the classic secret sharing schemes. Motivated by Birkhoff interpolation, Traverso et al.¹⁹ gave a verifiable hierarchical secret sharing method. But this method has the shortcomings of these schemes rested on Birkhoff interpolation. The drawback of the above hierarchical threshold access structure is that the distributor must perform exponential examinations when allocating identifications and shares to the members. Xu et al.²⁰ proposed an efficient compartmented secret sharing scheme. Yuan et al.²¹ provided an ideal polynomial-time hierarchical secret sharing scheme based on linear homogeneous recurrence (LHR) relations. We present a verifiable hierarchical secret sharing scheme rested on Xu et al.²⁰ So, our method is more efficient than Traverso’s solution.¹⁹

The rest of the article focuses on the following sections. The second section leads to the secret sharing scheme, LHR relations, as well as Bilinear Pairing and Diffie–Hellman problem. The third section describes the system proposed in our article. In the fourth section, we demonstrate the security analysis of our solution, the significant attributes of our solution and show the comparisons with other solutions. In the fifth section, conclusions are provided.

Preliminary

Secret sharing schemes

In this part, we show the statement of the hierarchical access structure.

Definition 1

A $(t, n)$ threshold secret sharing scheme $Π : S \times R \to S_{1} \times S_{2} \times \cdot \cdot \cdot \times S_{n}$ over $P$ ( $P$ is the aggregate of game participants, that is $P = {P_{1}, P_{2}, . . ., P_{n}}$ and $| P | = n$ ), satisfying the two following conditions, in which $S$ is the shared secret space, $S_{i}$ $(1 \leq i \leq n)$ is the share space, and $R$ is an aggregate of random feeds.

A brief overview of the hierarchical access structure is provided in the following section.

Definition 2

Make $n$ indicate the total number of participants. In the hierarchical secret sharing scheme, the participants $P$ can be grouped into classes $γ_{1}, γ_{2}, . . ., γ_{m}$ of the participants, $P = \cup_{i = 1}^{m} γ_{i}$ and $γ_{i} \cap γ_{j} = Ø$ for all $1 \leq i < j \leq m .$ The class $γ_{i}$ contains $n_{i}$ participants, in which $i \in {1, 2, . . ., m}$ . Let $K = {k_{i}}_{i = 1}^{m}$ be assorted in ascending sequence, $0 < k_{1} < k_{2} < \cdot \cdot \cdot < k_{m} .$ The $(K, n) -$ hierarchical threshold access structure is

AS = {A \subset P : | A ⋂ (⋃_{j = 1}^{i} γ_{j}) | \geq k_{i}, \forall i \in {1, 2, . . ., m}}

LHR relations

We briefly describe the LHR relations. The LHR relations are introduced in detail in the studies by Xu and other peers.^22–25

Theorem 1

Let $h_{0}, h_{1}, . . ., h_{j}, . . .,$ be a series of numbers and $α_{1}, α_{2}, . . ., α_{m}$ be the different roots of the following characteristic equation of the LHR relation with constant coefficients

h_{j} = a_{1} h_{j - 1} + a_{2} h_{j - 2} + \cdot \cdot \cdot + a_{t} h_{j - t}

(1)

where $a_{t} \neq 0$ , $a_{i}$ is chosen over $GF (q)$ $(j \geq t)$ , and $q$ is a large prime.

If $α_{i}$ is a $t_{i}$ -fold root of the characteristic equation (1), then the part of the resolution of the recurrence relation with respect to $α_{i}$ is given as

\begin{matrix} F_{j}^{(i)} = c_{i 1} α_{i}^{j} + c_{i 2} j α_{i}^{j} + \cdot \cdot \cdot + c_{i t_{i}} j^{t_{i} - 1} α_{i}^{j} \\ = (c_{i 1} + c_{i 2} j + \cdot \cdot \cdot + c_{i t_{i}} j^{t_{i} - 1}) α_{i}^{j} \end{matrix}

Let $f_{i} (j) = (c_{i 1} + c_{i 2} j + \cdot \cdot \cdot + c_{i t_{i}} j^{t_{i} - 1})$ . We can have

F_{j}^{(i)} = f_{i} (j) α_{i}^{j}

For recursive relations, the usual solution is derived from the following

h_{j} = F_{j}^{(1)} + F_{j}^{(2)} + \cdot \cdot \cdot + F_{j}^{(m)}

where $t = \sum_{i = 1}^{m} t_{i}$

If $α_{1} = α_{2} = \cdot \cdot \cdot = α_{m} = α,$ then for the recurrence relation the general solution is

h_{j} = F_{j}

(2)

where

F_{j} = (c_{1} + c_{2} j + \cdot \cdot \cdot + c_{t} j^{t - 1}) α^{j}

Diffie–Hellman problem

Given a cycle additive group $G = < g >$ , with $g$ being the generator and the order of $G$ being the large prime $q$ ,

The problem of the discrete logarithm is defined as computing $a$ , provided $(g, ag)$ , where $\forall a \in Z_{q}$ ;

The computational Diffie–Hellman (CDHP) problem is defined as computing $(ab) g$ , provided $(g, ag, bg)$ , where $\forall a, b \in Z_{q}$ ;

The decisional Diffie–Hellman problem (DDHP) is defined as deciding whether $(ab) g = cg$ , provided $(g, ag, bg, cg)$ , where $\forall a, b, c \in Z_{q}$ .

It is called the GDH group when DDHP is solvable in polynomial time, but no probabilistic algorithm can solve CDHP in the polynomial time with a non-negligible advantage.

Bilinear pairing

Suppose that $G_{1}$ and $G_{2}$ are an additive group and a multiplicative group, respectively, with the same prime order $q$ . Here $q$ is a large prime. Let $g$ be a generator of $G_{1}$ . Suppose that DDHP is easy in $G_{1}$ and hard in $G_{2}$ . We assume CDHP in $G_{1}$ and the DDHP in $G_{2}$ are hard. We call it the cryptographic bilinear mapping, if a mapping $\hat{e} : G_{1} \times G_{1} \to G_{2}$ satisfies the following properties:

Bilinearity: $\forall H_{1}, Q_{1} \in G_{1}, \forall a, b \in Z_{q}$ , $\hat{e} (a H_{1}, b Q_{1}) = \hat{e} (H_{1}, Q_{1})^{ab} .$

Non-degeneracy: If $g$ is a generator of $G_{1}$ , then the generator of $G_{2}$ is $\hat{e} (g, g)$ . In other words, if $g \neq 0$ , then $\hat{e} (g, g) \neq 1$ .

Computability: $\forall H 1, Q 1 \in G_{1}$ , there is a polynomial-time algorithm to compute $\hat{e} (H_{1}, Q_{1})$ .

The proposed scheme

In the following section, we show how the proposed scheme works. The proposed scheme is built upon the LHR relations and the elliptic curve public key cryptosystem (ECC). $P = {P_{1}, P_{2}, . . ., P_{n}}$ denotes the set of the participants, where $P_{i}$ is the ith participant in the set, $1 \leq i \leq n$ . Our scheme is composed of three stages, namely, initialization stage, construction stage and recovery stage. In the initialization stage, we initialize some functions or parameters; in the construction stage, the shared secrets are hidden in these terms $h_{1}, . . ., h_{l}$ , and in the recovery stage, we recover the shared secrets by getting these terms $h_{1}, . . ., h_{l}$ first. The distributor is honest in our scheme. But the participants can be malicious, because in our scheme the participants can be detected if they provide fake pseudo shares. The distributor acts the role in the construction stage and the participants act the role in the recovery stage.

We first describe the main idea of the proposed scheme. The proposed scheme contains $n$ participants and one dealer/distributor. Only one shadow $s_{i} \in Z_{q}^{*}$ is held by each participant $P_{i}$ . The distributor selects $m$ random LHR relations. In the construction stage, the participants in $γ_{1}$ are used to construct $m$ LHR relations and the participants in $γ_{i}$ are used to build $m - i + 1$ LHR relations, where $2 \leq i \leq m$ . So some participants can be replaced by other participants who have the higher privilege. That is, the participants in $γ_{i}$ can replace the participants in $γ_{i - j}$ , where $i - j \geq 1$ . Then, the distributor adds the $m$ general terms of the $m$ LHR relations. From Theorem 1, we know that the sum is a general term of an LHR relation and we denote this LHR relation as $F$ -LHR relation. The distributor selects the shared secrets and keeps the shared secrets hidden in the first several terms of F-LHR relation. So in the recovery stage, the recovery of the shared secrets is achieved through resolving the general term of $F$ -LHR relation. After that, we obtain the items that hide the shared secrets. The notations used are shown in Table 1.

Table 1.

Notation table.

Notation	Description
$P = {P_{1}, P_{2}, . . ., P_{n}}$	The set of participants
$P_{i}$	The ith participant in set $P$
$ke y_{i}$	The ith shared secret
$s_{i} \in Z_{q}^{*}$	The shadow hold by the ith participant $P_{i}$
$s_{0} \in Z_{q}^{*}$	The shadow hold by the distributor $D$
$γ_{i}$	The ith subset of the participant
$h_{i}$	The ith term in the sequences ${h_{i}}_{i = 0}^{n}$ and ${h_{i}}_{i = 0}^{n}$ is written as ${h_{i}}$ in our scheme. In our scheme, we use $h_{i}$ to denote the general term
$q$	The large prime
$GF (q)$	The finite field
$G_{1}$	The additive group with the generator $g$ and the order of $G_{1}$ is $q$
$G_{2}$	The multiplicative group with the order $q$
$B_{0}$	The share $g s_{0}$ was generated by distributor $D$ and published
$B_{i}$	The share $g s_{i}$ was generated by the ith participant and published
$R_{i}$	The pseudo share $s_{i} B_{0}$
$f (r, w)$	The double-parameter one-way function
$(h_{i}^{(j)})$	The jth linear homogeneous recurrence relation
$r_{1}, r_{2}, . . ., r_{m}$	$m$ random values

Initialization stage

The proposed scheme is rested on the LHR relations in $GF (q)$ , where $GF (q)$ is a finite field. $ke y_{1}, ke y_{2}, . . ., ke y_{l}$ denote the $l$ secrets that can be shared among the participants. The participant $P_{i}$ herself or himself chooses the shadow $s_{i} \in Z_{q}^{*}$ , not the distributor $(D)$ for the selection. In this way, it is possible to protect the key distributor from forgery.

1. An elliptic curve $E$ over $GF (q)$ is selected by $D$ , in which $q$ is a large prime. Assume that $G_{1}$ is an additive group with the order $q$ . Assume that DDHP is simple and CDHP is tough in $G_{1}$ .

Suppose $G_{1}$ to be the elliptic curve. Assume $G_{2}$ to be a multiplicative group with the same order $q$ . Suppose $\hat{e} : G_{1} \times G_{1} \to G_{2}$ to be a bilinear mapping and the conditions in the section ‘Bilinear pairing’ can be satisfied.

2. $D$ selects a generator $g$ for $G_{1}$ .

3. These values ${G_{1}, g, q}$ are published/released by $D$ .

Each participant $P_{i}$ chooses $s_{i} \in Z_{q}^{*}$ to be the shadow for himself/herself and then calculates $B_{i} = s_{i} g \in G_{1}$ , $1 \leq i \leq n$ . Each participant $P_{i}$ keeps $s_{i}$ and then securely sets $B_{i}$ to $D$ . $D$ should ensure that $B_{i} \neq B_{j}$ , if $i \neq j$ . In the case where $B_{i} = B_{j}$ , these participants will then be asked by $D$ to pick their shadows again. $D$ releases $(I D_{i}, B_{i})$ , in which $I D_{i}$ is the participant $P_{i}$ ’s identity. In the last part of this section, we define a double-argument one-way function as given in the study by Chien et al.¹¹ Given random value $r$ and value $w$ , the $f (r, w)$ represents a double-argument one-way function that is easily computed. In some cases, though, it is difficult to be computed:

Knowing $f (r, w)$ and $w$ , $r$ is hard to be worked out.

Unknowing $w$ , $f (r, w)$ is hard to be worked out for any $r$ .

Knowing $f (r, w)$ and $r$ , $w$ is hard to be calculated.

Knowing $f (r, w)$ and $r$ , for $r' \neq r$ , $f (r', w)$ is hard to be calculated.

Knowing $w$ , it is quite a challenge to get two such distinct characters $r_{2}$ and $r_{1}$ that $f (r_{2}, w) = f (r_{1}, w)$ .

Construction stage

In the construction stage, the key distributor $D$ first generates $m$ different LHR sequences ${h_{i}^{(1)}}, {h_{i}^{(2)}}, . . ., {h_{i}^{(j)}}, . . ., {h_{i}^{(m)}}$ . In our scheme, $k_{1}, k_{2}, . . ., k_{m}$ are the degrees of the characteristic equation of the LHR relations $(h_{i}^{(1)}), (h_{i}^{(2)}), . . ., (h_{i}^{(j)}), . . .,$ $(h_{i}^{(m)})$ , where $(h_{i}^{(j)})$ denotes the jth LHR relation. Figure 1 shows the construction stage, where $γ_{1} + γ_{2} + \dots + γ_{m - 1}$ denotes $⋃_{i = 1}^{m - 1} γ_{i}$ and Pshare denotes the pseudo share.

Figure 1.

Construction stage.

Theorem 2

The addition of two general terms of two different LHR relations is a general term of an LHR relation.

Proof of Theorem 2

Suppose that $h_{i}^{(1)}$ and $h_{i}^{(2)}$ are the general terms of two different LHR relations with the different degrees $t_{1}$ and $t_{2}$ , respectively, and assume $h_{i} = h_{i}^{(1)} + h_{i}^{(2)}$ . So, it is only necessary to prove that $h_{i}$ is the general term of an LHR relation. From Theorem 1, we know $h_{i}$ is the generic term of an LHR relation, and $t_{1} + t_{2}$ is the degree of the LHR relation $(h_{i})$ .

The distributor $D$ distributes the shares through the following procedure:

1. The distributor $D$ randomly selects the integer $r_{1}, r_{2}, . . ., r_{m}$ and publishes them.

2. $D$ chooses $s_{0} \in Z_{q}^{*}$ , computes $B_{0} = s_{0} g \in G_{1}$ , makes sure $B_{0} \neq B_{i}$ and publishes $B_{0}$ , where $1 \leq i \leq n$ .

3. The distributor $D$ chooses $m$ different integers $α_{1}, α_{2}, . . ., α_{m}$ over $GF (q)$ and publishes them, where each of them is non-zero.

4. $D$ selects the value $α_{1}$ to make $(x - α_{1})^{k_{1}} = x^{k_{1}} + a_{11} x^{k_{1} - 1} + \cdot \cdot \cdot + a_{1 k_{1}} = 0$ as the auxiliary function of an LHR relation, where $q > a_{1 i}$ and $1 \leq i \leq k_{1}$ .

5. $D$ computes the pseudo share $R_{i} = s_{0} B_{i}$ and $I_{i}^{1} = f (r_{1}, R_{i})$ , where $i = 1, 2, . . ., n_{1}$ , and $n_{1}$ is the quantity of participants in the sub-group $γ_{1}$ .

6. $D$ considers the first LHR sequence which is defined as

{\begin{matrix} h_{0}^{(1)} = I_{1}^{1}, h_{1}^{(1)} = I_{2}^{1}, . . ., h_{k_{1} - 1}^{(1)} = I_{k_{1}}^{1}, \\ h_{i + k_{1}}^{(1)} + a_{11} h_{i + k_{1} - 1}^{(1)} + \cdot \cdot \cdot + a_{1 k_{1}} h_{i}^{(1)} = 0 \end{matrix} i \geq 0

(3)

We use the participants in the sub-group $γ_{1}$ to build the first LHR sequence. During the recovery stage, the general term of the first LHR sequence is allowed to be retrieved only by the participants in the sub-group $γ_{1}$ .

7. $D$ computes $h_{i}^{(1)}$ , where $k_{1} \leq i \leq n_{1} - 1$ .

8. $D$ computes $y_{i}^{1} = I_{i}^{1} - h_{i - 1}^{(1)}$ and publishes $y_{i}^{1}$ , where $k_{1} < i \leq n_{1}$ .

9. $D$ continues to generate $m - 1$ LHR sequences. The jth LHR sequence ${h_{i}^{(j)}}$ is generated as follows, for $j \in {2, 3, . . ., m}$ .

9.1. $D$ selects the value $α_{j}$ to make ${(x - α_{j})}^{k_{j}} = x^{k_{j}} + a_{j 1} x^{k_{j} - 1} + \cdot \cdot \cdot + a_{j k_{j}} = 0$ as an auxiliary function of an LHR relation, where $q > a_{ji}$ and $1 \leq i \leq k_{j}$ .

9.2. $D$ computes $I_{i}^{j} = f (r_{j}, R_{i})$ , where $i = 1, 2, . . ., n_{1} + n_{2} + \cdot \cdot \cdot + n_{j}$ , and $n_{1} + n_{2} + \cdot \cdot \cdot + n_{j}$ is the number of the participants in the subset $⋃_{i = 1}^{j} γ_{i}$ , where $n_{1} + n_{2} + \cdot \cdot \cdot + n_{j}$ is denoted as $N_{j}$ . That is, $| ⋃_{i = 1}^{j} γ_{i} | = n_{1} + n_{2} + \cdot \cdot \cdot + n_{j} = N_{j}$ .

9.3. $D$ considers the jth LHR sequence ${h_{i}^{(j)}}$ , which is defined by

{\begin{matrix} h_{0}^{(j)} = I_{1}^{j}, h_{1}^{(j)} = I_{2}^{j}, . . ., h_{k_{j} - 1}^{(j)} = I_{k_{j}}^{j}, \\ h_{i + k_{j}}^{(j)} + a_{11} h_{i + k_{j} - 1}^{(j)} + \cdot \cdot \cdot + a_{1 k_{j}} h_{i}^{(j)} = 0 \end{matrix} i \geq 0

(4)

We use the participants in the subset $⋃_{i = 1}^{j} γ_{i}$ to construct the jth LHR sequence. In the recovery stage, only the participants in the subset $⋃_{i = 1}^{j} γ_{i}$ can recover the general term of the jth LHR sequence.

9.4. $D$ computes $h_{i}^{(j)}$ , where $k_{j} \leq i \leq N_{j} - 1$ .

9.5. $D$ computes $y_{i}^{j} = I_{i}^{j} - h_{i - 1}^{(j)}$ and publishes $y_{i}^{j}$ , where $k_{j} < i \leq N_{j}$ .

10. After the $m$ LHR relations are generated, $D$ combines them into an LHR relation. Let $h_{i} = h_{i}^{(1)} + h_{i}^{(2)} + \cdot \cdot \cdot + h_{i}^{(m)}$ . From Theorem 2, we can determine that $h_{i}$ is the general term of an LHR relation and the degree of this LHR relation $(h_{i})$ is $k_{1} + \cdot \cdot \cdot + k_{m}$ . Since the degrees of these LHR relations $(h_{i}^{(1)}), . . ., (h_{i}^{(m)})$ correspond to $k_{1}, . ., k_{m}$ , respectively, so the sum of these degrees is $k_{1} + \cdot \cdot \cdot + k_{m}$ . However, we define the threshold of the hierarchical secret sharing scheme as $k_{m}$ , because $k_{m}$ different participants can recover the shared secrets (Since at least $k_{1}$ participants from the subset $γ_{1}$ , at least $k_{2} - k_{1}$ participants from the subset $γ_{2}$ and so on, and the last $k_{m} - k_{m - 1}$ participants from the subset $γ_{m}$ can recover the LHR relation $(h_{i})$ , the threshold of the hierarchical secret sharing scheme is $k_{1} + (k_{2} - k_{1}) + \cdot \cdot \cdot + (k_{m} - k_{m - 1}) = k_{m}$ ).

11. $D$ computes $d_{i} = ke y_{i} - h_{i - 1}$ and publishes $d_{i}$ , where $1 \leq i \leq l$ . This means that we can hide the shared secrets in these terms $h_{0}, h_{1}, . . ., h_{l - 1}$ .

Remark 1

The double-parameter one-way function makes sure that for the same $R_{i}$ , the random values $f (r_{j}, R_{i})$ and $f (r_{k}, R_{i})$ are different, where $k \neq j$ . This means that if some participants’ pseudo shares are used to construct different LHR relations, the double-parameter one-way function makes sure that for the same pseudo share, the random values are different.

Recovery stage

In this section, we present how the shared secrets are recovered. First, a proposition is given as follows.

Proposition 1

Provided that $α_{i}$ is a t_i-fold root of the characteristic formula of an LHR relation and the general resolution of this LHR relation is obtained as

h_{j} = \sum_{i = 1}^{m} (\sum_{k = 1}^{t_{i}} c_{ik} j^{k - 1}) α_{i}^{j}

its coefficient $c_{ik}$ can then be fixed by the $t$ initial values, which is achieved by resolving the system of linear formulas, in which $t = \sum_{i = 1}^{m} t_{i} .$

The participant $P_{i}$ can get every participant’s pseudo share $R_{j}$ by exchanging in a qualified sub-group, where $i \neq j$ . In the qualified sub-group, the participants need to recover $m$ LHR sequences before obtaining the shared secrets. The jth LHR sequence is recovered as follows.

From the construction stage, we know that the order of the jth LHR relation is $k_{j}$ . We need at least $k_{j}$ participants when we are trying to recover the jth LHR sequence. But there are $k_{j - 1}$ participants from $⋃_{i = 1}^{j - 1} γ_{i}$ (if $k_{j - 1}$ participants use their pseudo shares to solve the general term $h_{i}^{(j - 1)}$ of the (j-1)th LHR relation, they need to be combined to solve the general term $h_{i}^{(j)}$ of the jth LHR relation, where $2 \leq j \leq m$ ). The other $k_{j} - k_{j - 1}$ participants are from the subset $γ_{j}$ .

With the use of those pseudo shares, the participants of the qualified sub-groups compute $k_{j}$ items of the jth LHR relation as follows

h_{i - 1}^{(j)} = {\begin{matrix} I_{i}^{j} 1 \leq i \leq k_{j} \\ I_{i}^{j} - y_{i}^{j} k_{j} < i \leq n \end{matrix}

(5)

Based on Proposition 1, $k_{j}$ points $(i - 1, h_{i - 1}^{(j)} / α_{j}^{i - 1})$ leads to the determination of the $(k_{j} - 1) th$ degree polynomial $p^{j} (x)$ , and its definition is

\begin{matrix} p^{j} (x) = \sum_{i \in A} \frac{h_{i - 1}^{(j)}}{α_{j}^{i - 1}} Π_{j \in A}^{j \neq i} \frac{x - j + 1}{i - j} (mod q) \\ = c_{0} + c_{1} x + \cdot \cdot \cdot + c_{k_{j - 1}} x^{k_{j} - 1} (mod q) \end{matrix}

(6)

where $A \in {1, 2, . . ., n}$ and the superscript of $p (x)$ represents different polynomial. According to Theorem 1, $h_{i}^{(j)} = p^{j} (i) α_{j}^{i}$ , in which $p^{j} (i)$ is a $k_{j} - 1$ degree polynomial and $i \geq 0$ , we can have the general term $h_{i}^{(j)}$ . After obtaining $m$ general terms of $m$ LHR sequences ${h_{i}^{(1)}}, {h_{i}^{(2)}}, . . ., {h_{i}^{(m)}}$ , the general term $h_{i}$ is

h_{i}^{(1)} + h_{i}^{(2)} + \cdot \cdot \cdot + h_{i}^{(m)}

where the order of the LHR relation $(h_{i})$ is $k_{1} + \cdot \cdot \cdot + k_{m}$ . But the global threshold is $k_{m}$ (If $k_{j} - k_{j - 1}$ participants from the subsets $γ_{j}$ use their pseudo shares to recover the general term $h_{i}^{(j)}$ , then they must use their pseudo shares to recover the general terms $h_{i}^{(j + 1)}, . . ., h_{i}^{(m)}$ . For example, if $k_{1}$ participants from $γ_{1}$ use their pseudo shares to recover the general term $h_{i}^{(1)}$ , $k_{1}$ participants need to use their pseudo shares to recover the general terms from the second LHR sequences to the last LHR sequences. So the scheme needs at least $k_{1} + (k_{2} - k_{1}) + \cdot \cdot \cdot + (k_{m} - k_{m - 1}) = k_{m}$ participants to recover the shared secrets). From $d_{i} = ke y_{i} - h_{i - 1}$ and the published value of $d_{i}$ , the shared secrets can be obtained by $ke y_{i} = d_{i} + h_{i - 1}$ , $1 \leq i \leq l$ .

Remark 2

In the recovery stage, a participant $P_{j}$ can detect whether another participant $P_{i}$ is honest or not by the function $\hat{e}$ . If $\hat{e} (g, R_{i}^{'}) = \hat{e} (B_{0}, B_{i})$ , then the participant $P_{j}$ can say that the participant $P_{i}$ is honest, because $\hat{e} (g, R_{i}^{'}) = \hat{e} (g, B_{0})^{s_{i}} = \hat{e} (B_{0}, B_{i})$ and $B_{0}, B_{i}$ are public.

Illustrative sample

We present an example to demonstrate the proposed scheme and show how the LHR relation is useful in the hierarchical access structures in this section. For illustration convenience, we suppose that in a company there are $n$ employees, and the employees are divided into two disjoint levels $γ_{1}, γ_{2}$ , the managers and the employees (the authorities of the managers are higher than the employees). There are $n_{1}$ managers in the subset $γ_{1}$ and $n_{2}$ employees in the subset $γ_{2}$ , where $n = n_{1} + n_{2}$ . At least $k_{2}$ staff of them can recover the shared secrets, among which at least $k_{1}$ are managers, where $k_{2} > k_{1}$ . We select two values $α_{1}$ and $α_{2}$ , and make

\begin{matrix} {(x - α_{1})}^{k_{1}} = x^{k_{1}} + a_{11} x^{k_{1} - 1} + \cdot \cdot \cdot a_{1 k_{1}} = 0 \\ {(x - α_{2})}^{k_{2}} = x^{k_{2}} + a_{21} x^{k_{2} - 1} + \cdot \cdot \cdot a_{2 k_{2}} = 0 \end{matrix}

as two different auxiliary functions for the two different LHR relations. After the steps from 5 to 9.5 as described in the construction stage have been done (with $m$ = 2 here), we can have

h_{i} = h_{i}^{(1)} + h_{i}^{(2)}

where

\begin{matrix} h_{i}^{(1)} = (b_{1} + b_{2} i + \cdot \cdot \cdot + b_{k_{1}} i^{k_{1} - 1}) α_{1}^{i} \\ h_{i}^{(2)} = (c_{1} + c_{2} i + \cdot \cdot \cdot + c_{k_{2}} i^{k_{2} - 1}) α_{2}^{i} \end{matrix}

We note that the distributor $D$ uses $n_{1}$ managers’ pseudo shares to generate the LHR sequence { $h_{i}^{(1)}$ } and $n_{1} + n_{2}$ staff members (include the managers and the employees) to generate the LHR sequence ${h_{i}^{(2)}}$ . That is, only at least $k_{1}$ managers can solve the general term $h_{i}^{(1)}$ of the sequence { $h_{i}^{(1)}$ }. Still, at least $k_{2}$ staff members can solve the general term $h_{i}^{(2)}$ of the sequence ${h_{i}^{(2)}}$ , where $k_{1}$ out of $k_{2}$ are managers (Because the privilege of the managers is higher than the employees, they should combine the pseudo shares to solve the second general term $h_{i}^{(2)}$ . If the employees are not enough, other managers except the $k_{1}$ can combine the employees to pool the pseudo shares to solve $h_{i}^{(2)}$ .) We hide the shared secrets in these terms $h_{1}, . . ., h_{l}$ .

From the above, we can get that our scheme’s global threshold is $k_{2}$ , because our scheme needs at least $k_{2}$ participants from $γ_{1} ⋃ γ_{2}$ to recover the shared secrets.

The security analysis and discussion of our scheme

In this section, we first present the possible attacks and prove that our scheme is secure. Then we show the performance of our scheme and compare it with the scheme by Traverso et al.¹⁹

Security analysis

In this section, we call all of $s_{i}$ and $R_{j}$ share-related information, where $s_{i}$ is the shadow that is randomly selected by the participant or distributor himself or herself, $B_{i} = s_{i} g$ ( $B_{i} = s_{i} g$ is public), $R_{j} = s_{0} B_{j}$ and $0 \leq i \leq n$ , $1 \leq j \leq n$ . First, we prove the security of the share-related information. Second, we prove the security for the participants in the unqualified subset. The security of the share-related information is easy to be proved.

Theorem 3

The share-related information is secure, provided the CDH-assumption is intractable.

Proof of Theorem 3

If the adversaries want to break the share-related information, they should obtain useful information from the public values $B_{i} = s_{i} g$ , $0 \leq i \leq n$ . We assume that the adversaries can break the share-related information with the non-negligible probability $ϵ$ . That is, given $s_{i} g$ and $s_{j} g$ , the adversaries can get $s_{i} s_{j} g$ or extract $s_{i}$ (or $s_{j}$ ) with the non-negligible probability $ϵ$ as well, where $i \neq j$ . This contradicts the Diffie–Hellman problem. The adversaries may give a fake $R'_{i}$ , but the other honest participants can decide whether $\hat{e} (g, R_{i}^{'}) = \hat{e} (B_{0}, B_{i})$ is right or not (because DDHP is easy in $G_{1}$ ). If it matches, then the other honest participants can say that the value $R'_{i}$ is valid. Otherwise, it is invalid. Thus, the share-related information is secure.

In the following section, we demonstrate why the proposed solution is safe for a subset of participants who do not qualify. When participants in the ineligible subset want to recover the secrets, they must recover every LHR sequence. For illustration convenience, we suppose that the unqualified subset $B$ satisfies the conditions as follows

$B ⋂ (⋃_{i = 1}^{j - 1} γ_{i}) \geq k_{j - 1}$

$B ⋂ (⋃_{i = 1}^{j} γ_{i}) = k_{j} - 1$

$B ⋂ (⋃_{i = 1}^{t} γ_{i}) \geq k_{t}$

where $1 \leq j \leq m$ , $t \in {1, 2, . . ., m}$ , $k_{0} = 0$ and $t \neq j .$ That is to say, the unqualified subset can recover other $m - 1$ sequences, except the jth LHR sequence. Since $s_{i}$ is chosen by himself/herself and $I_{i}^{j} = f (r_{j}, R_{i})$ , we can say that each $I_{i}^{j}$ is uniformly chosen in $Z_{q}^{*}$ , that is, for each $I_{i}^{j}$ , all values in $Z_{q}^{*}$ have the same probability. From the public value $α_{j}$ , the characteristic equation of an LHR relation can be determined, according to Theorem 1. If the relation of the sequences is given, the characteristic equation can be determined, and then the root of the characteristic equation can be found. Thus the public value $α_{i}$ discloses no information apart from characteristic equation of an LHR relation, $1 \leq i \leq m$ .

Theorem 4

The $k_{j}$ degree of the LHR relation is safe to the unqualified participants when and only when the polynomials with $(k_{j} - 1)$ degree is safe to the unqualified participants.²⁰

Proof of Theorem 4

Assume that the $k_{j}$ order of the LHR relation is safe to the unqualified participants. Using equations (4), (6) and (2) and the public value $α_{j} \neq 0$ , we could obtain

h_{i}^{(j)} = p^{j} (i) α_{j}^{i} \Rightarrow h_{i} / α_{j}^{i} = p^{j} (i)

(7)

in which the degree of $p^{j} (i)$ is $k_{j} - 1$ . It is clear from the above that public value $α_{j}$ gives away no information except characteristic equation. If the polynomial with degree $(k_{j} - 1)$ is unsafe for unqualified participants, it means that the $k_{j} - 1$ points can determine a polynomial with degree $(k_{j} - 1)$ . We can also deduce from equation (7) that the $k_{j} - 1$ value can obtain the LHR relation with the degree $k_{j}$ . This is contradicted with Proposition 1.

(⇐) Assume that the polynomial with the degree $(k_{j} - 1)$ is safe for the unqualified participants. If the LHR relation with degree $k_{j}$ is insecure, then $k_{j} - 1$ random terms ( $h_{i_{1}}^{(j)}, h_{i_{2}}^{(j)}, . . ., h_{i_{k_{j} - 1}}^{(j)}$ ) can determine the LHR sequences. Following equation (7), we select the distinct $k_{j} - 1$ terms and then can obtain the $k_{j} - 1$ points of the polynomial $p^{j} (i)$ with degree $k_{j} - 1$ . Then we can determine the polynomial $p^{j} (i)$ . It can be said that the $k_{j} - 1$ points could decide a polynomial with degree $(k_{j} - 1)$ . This contradicts our assumptions. Therefore, the question of recovering the jth LHR relation from participants in the disqualified subset $B$ that satisfies the aforementioned condition could be regarded as the question of whether $k_{j} - 1$ points could decide the polynomial with the degree $(k_{j} - 1)$ .

We can draw the conclusion that the possibility of cracking our scheme is no better than the possibility of cracking the Diffie–Hellman problem. Therefore, it can be considered that our scheme is safe.

Performances

From the section ‘The proposed scheme’ and the security analysis above, we conclude that the proposed scheme is a secure and verifiable hierarchical secret sharing scheme. In this section, we show some essential characteristics. In the proposed scheme, each participant’s ID is posted on a publicly available message board, and each participant’s shadow is selected by himself/herself over $GF (q)$ . Each participant can verify whether the pseudo-random shares of other participants are correct. Throughout the entire process, each participant only needs to hold one shadow, and the shared secrets are selected over $GF (q)$ . So the shadow held by a participant is as long as the shared secret.

Each participant obtain $k_{m} - 1$ pseudo-random shares from the other participants, and each participant’s communication and computation is the same (Since $k_{m}$ participants are required to recover the secrets, each participant needs to communicate with $k_{m} - 1$ participants, so the times of the communication for each participant is $k_{m} - 1$ ). The computation refers to recovering the secrets with the obtained pseudo-random shares (including their own and those obtained by exchanging with other participants). In the recovery stage, from equation (6), we know that computational complexity of our scheme depends on the degree of polynomial $p^{m} (x)$ (because the degree of the polynomial $p^{m} (x)$ is highest among these polynomials $p^{i} (x)$ , where $1 \leq i \leq m$ ) and the power of a constant $α_{m}$ . The computational complexity of the polynomial $p^{m} (x)$ is $O (n^{k_{m} - 1})$ and the computational complexity of the power of a constant is $O (logn)$ . So the computational complexity of our scheme is $O (n^{k_{m} - 1} logn)$ .

In the case when the system needs to be reinitialized with the LHR relations, our scheme only needs to provide the new values $r_{1}^{'}, r_{2}^{'}, . . ., r_{m}^{'}$ without changing participants’ shadows. It is possible to obtain a further $I_{i} = f (r_{j}^{'}, R_{i})$ while not modifying the shadows.

Comparisons

In the solution by Traverso et al.,¹⁹ when allocating identities and shares to participants, the distributor must perform a potentially exponential number of checks. In our scheme, participants do not have to check the non-regularity of many matrices. They just need to construct $m$ different LHR relations, find the general terms of them and add these terms. More precisely, we can conclude that the participants only need to do the evaluation calculation of polynomials and the summation calculation of different polynomials in our scheme by induction. The computational complexity of the polynomial is $O (n^{k_{m} - 1})$ and the computational complexity of the power of a constant is $O (logn)$ . So the computational complexity of our scheme is $O (n^{k_{m} - 1} logn)$ as given in the study by Yuan et al.²¹ But more values should be published. So comparing to Traverso’s et al.¹⁹ scheme, our scheme is more efficient.

Conclusion

We present a hierarchical secret sharing scheme with the LHR relations and the ECC. The performance of the proposed method is also listed below. The LHR relations could be utilized for constructing a verifiable hierarchical secret sharing scheme. The participants’ shadows are selected by themselves in the proposed scheme. Therefore, no deception exists between the distributor of the shared secrets and the participants. In the whole scheme, only one shadow is held by one participant, and the secret is the same length as the shadow. The proposed scheme is not required to keep a safe channel between the distributor and the participant. The participants cannot cheat each other.

Our scheme overcomes the drawbacks that the distributor will have to do potentially exponential multiple checks for distributing identifications and shadows to participants on the basis of Birkhoff interpolation. But our scheme needs more public values than the existing popular schemes.

Footnotes

Handling Editor: Yanjiao Chen

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.

Funding

The author(s) disclosed receipt of the following financial support for the research, authorship and/or publication of this article: This work is supported by the National Natural Science Foundation of China under Grant No.61873069.

ORCID iD

Hongliang Zhu

References

Shamir

. How to share a secret. Commun ACM 1979; 22(11): 612–613.

Blakley

. Safeguarding cryptographic keys. In: Managing requirements knowledge, international workshop on IEEE computer society, New York, 4–7 June 1979, pp.313–317. New York: IEEE.

Blundo

De Santis

Stinson

, et al. Graph decompositions and secret sharing schemes. J Cryptol 1995; 8(1): 39–64.

Padró

Sáez

. Secret sharing schemes with bipartite access structure. IEEE Trans Inf Theory 2000; 46(7): 2596–2604.

Tassa

Dyn

. Multipartite secret sharing by bivariate interpolation. J Cryptol 2009; 22(2): 227–258.

, et al. CNN-based malware variants detection method for internet of things. IEEE Internet Things J 2021; 8(23): 16946–16962.

Chen

Liao

. Pulseedit: editing physiological signals in facial videos for privacy protection. IEEE Trans Inf Forensics Secur 2022; 17: 457–471.

Liao

Wang

, et al. Detecting compressed deepfake videos in social networks using frame-temporality two-stream convolutional network. IEEE Trans Circuits Syst Video Technol 2021; 32(3): 1089–1102.

Simmons

. How to (really) share a secret. In: Conference on the theory and application of cryptography, Santa Barbara, CA, 21–25 August 1988, pp.390–448. New York: Springer.

10.

Brickell

. Some ideal secret sharing schemes. In: Workshop on the theory and application of cryptographic techniques, Houthalen, 10–13 April 1989, pp.468–475. Berlin: Springer.

11.

Chien

Jan

Tseng

. A practical (t, n) multi-secret sharing scheme. IEICE Trans Fundam Electron Commun Comput Sci 2000; 83(12): 2762–2765.

12.

Tassa

. Hierarchical threshold secret sharing. J Cryptol 2007; 20(2): 237–264.

13.

Farras

Mart-Farré

Padró

. Ideal multipartite secret sharing schemes. In: Annual international conference on the theory and applications of cryptographic techniques, Barcelona, 20–24 May 2007, pp.448–465. New York: Springer.

14.

Farràs

Mart-Farré

Padró

. Ideal multipartite secret sharing schemes. J Cryptol 2012; 25(3): 434–463.

15.

Farras

Padró

. Extending brickell–davenport theorem to non-perfect secret sharing schemes. Des Codes Cryptogr 2015; 74(2): 495–510.

16.

Chen

Tang

Lin

. Efficient explicit constructions of compartmented secret sharing schemes. Des Codes Cryptogr 2019; 87(12): 2913–2940.

17.

Gabidulin

. Theory of codes with maximum rank distance. Probl Peredachi In 1985; 21(1): 3–16.

18.

Chen

Tang

Lin

. Efficient explicit constructions of multipartite secret sharing schemes. IEEE Trans Inf Theory 2021; 68(1): 601–631.

19.

Traverso

Demirel

Buchmann

. Dynamic and verifiable hierarchical secret sharing. In: International conference on information theoretic security, Tacoma, WA, 9–12 August 2016, pp.24–43. New York: Springer.

20.

Yuan

, et al. An efficient compartmented secret sharing scheme based on linear homogeneous recurrence relations. Secur Commun Netw 2021; 2021: 5566179.

21.

Yuan

Yang

Wang

, et al. A new efficient hierarchical multi-secret sharing scheme based on linear homogeneous recurrence relations. Inform Sci 2022; 592: 36–49.

22.

Yuan

, et al. A new multi-stage secret sharing scheme for hierarchical access structure with existential quantifier. Inf Technol Control 2021; 50(2): 236–246.

23.

Richard

. Introductory combinatorics. 5th ed. Beijing, China: China Machine Press, 2009, p.258.

24.

Dehkordi

Mashhadi

. New efficient and practical verifiable multi-secret sharing schemes. Inform Sci 2008; 178(9): 2262–2274.

25.

Yuan

. A fully dynamic secret sharing scheme. Inform Sci 2019; 496: 42–52.

Hierarchical secret sharing scheme for WSN based on linear homogeneous recurrence relations

Abstract

Keywords

Introduction

Preliminary

Secret sharing schemes

Definition 1

Definition 2

LHR relations

Theorem 1

Diffie–Hellman problem

Bilinear pairing

The proposed scheme

Initialization stage

Construction stage

Theorem 2

Proof of Theorem 2

Remark 1

Recovery stage

Proposition 1

Remark 2

Illustrative sample

The security analysis and discussion of our scheme

Security analysis

Theorem 3

Proof of Theorem 3

Theorem 4

Proof of Theorem 4

Performances

Comparisons

Conclusion

Footnotes

Declaration of conflicting interests

Funding

ORCID iD

References