www.elsevier.com/locate/csi
Abstract
C.-C. Yang, T.-Y. Chang and M.-S. Hwang [C.-C. Yang, T.-Y. Chang, M.-S. Hwang, A (t,n) multi-secret sharing scheme, Applied Mathematics and Computation 151 (2004) 483–490] proposed an efficient multi-secret sharing scheme based on a two-variable one-way function in 2004, but the scheme does not have the property of verification. This paper proposes a practical verifiable multi-secret sharing scheme based on the YCH scheme and the intractability of the discrete logarithm. Our scheme solves the problems in the YCH scheme: each participant chooses her/his own shadow, so the system doesn't need a secure channel and the cost of the system can be lowered. The scheme can be used widely in practice.
© 2006 Elsevier B.V. All rights reserved.
3) It still has the properties of the YCH scheme.

The structure of the present work is as follows. In the next section, we shall briefly review the YCH scheme. In Sections 3 and 4, we shall present our VMSS and make some discussions. Finally, we shall present our conclusions in Section 5.

2. Brief review of the YCH scheme

2.1. Initialization phase

The scheme is a (t,n) threshold scheme; $P_1, P_2, \ldots, P_k$ denote k secrets to be shared. Function f(r,s) denotes any two-variable one-way function. In this phase, the dealer D randomly chooses n secret shadows $s_1, s_2, \ldots, s_n$ and distributes them to every participant $M_i$ by a secure channel. Then D randomly chooses a value r and computes $f(r, s_i)$ for i = 1,2,⋯,n.

2.2. Construction phase

(1) k ≤ t

➀ Choose a prime q and construct a (t − 1)th degree polynomial h(x) mod q, where $0 < N, P_1, P_2, \ldots, P_k, a_1, a_2, \ldots, a_{t-k} < q$, as follows:

$$h(x) = P_1 + P_2 x + \cdots + P_k x^{k-1} + a_1 x^{k} + a_2 x^{k+1} + \cdots + a_{t-k} x^{t-1} \bmod q;$$

➁ Compute $y_i = h(f(r, s_i)) \bmod q$ for i = 1,2,⋯,n;
➂ Publish $(r, y_1, y_2, \ldots, y_n)$.

$$\cdots + \sum_{i=1} h(i) \prod_{j=1,\, j \neq i} \frac{x - j}{i - j} \bmod q = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod q$$

3. Our scheme

3.1. Initialization phase

Our scheme notations $P_1, P_2, \ldots, P_k$ are the same as those of the YCH scheme. In this phase, the dealer and the participants need some intercommunication, but this can be done with a public channel. Firstly, the dealer D chooses two strong primes, p and q, N = pq. Both p and q should be so safe that nobody can factor N efficiently. Then the dealer randomly chooses an integer g from the interval $[N^{1/2}, N]$ such that g is relatively prime to p and q. Publish {g, N}.

Each participant $M_i$ in M randomly chooses an integer $s_i$ from the interval [2,N] as her/his own secret shadow and computes $R_i = g^{s_i} \bmod N$, then $M_i$ provides $R_i$ and her/his identity number $ID_i$ to the dealer D. D must ensure that $R_i \neq R_j$ for all $M_i \neq M_j$. Once $R_i = R_j$, D should demand these participants to choose different secret shadows until the $R_i$ are different for i = 1,2,⋯,n. Publish $\{(ID_i, R_i)\}$.

3.2. Construction phase

(1) D randomly chooses an integer $s_0$ from the interval [2,N] such that $s_0$ is relatively prime to (p − 1) and (q − 1). Then
140 J. Zhao et al. / Computer Standards & Interfaces 29 (2007) 138–141
Table 1
Computation quantity

| | Our scheme | YCH scheme |
|---|---|---|
| The computation for constructing the polynomial | Yes | Yes |
| Verification algorithm | Yes (optional) | No |
| D compute $f(r, s_i)$ | No | Yes |
| D compute $R_0$, $I_i$ and f | Yes | No |
| $M_i$ compute $R_i$ | Yes | No |

– Compute $y_i = h(I_i) \bmod Q$ for i = 1,2,⋯,n;
– Publish $(y_1, y_2, \ldots, y_n)$.

➁ k > t

– Choose a prime Q and construct a (k − 1)th degree polynomial h(x) mod Q, where $0 < N, P_1, P_2, \ldots, P_k < Q$, as follows:

$$h(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \neq i}^{t} \frac{x - I'_j}{I'_i - I'_j} \bmod Q + \sum_{i=1}^{k-t} h(i) \prod_{j=1,\, j \neq i}^{k-t} \frac{x - j}{i - j} \bmod Q = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod Q$$

(1) The share generation algorithm: $I'_i = R_0^{s_i} \bmod N = g^{s_0 s_i}$, then the participants can use the values published before to reconstruct the Lagrange interpolation polynomial.

(2) Verification algorithm: from the Euler Theorem $g^{\phi(N)} = 1 \bmod N$ and $s_0 \times f = 1 \bmod \phi(N)$. If $M_i$ isn't a cheater, then $(I'_i)^{f} = g^{s_i s_0 f} \bmod N = g^{s_i} \bmod N = R_i$, otherwise, $M_i$ is a cheater.
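The share generation and verification identities above, together with a k ≤ t construction and Lagrange recovery, as an added Python sketch (not code from the paper). The toy primes, Q = 2^31 − 1, the shadow and secret values, and the forms R0 = g^s0 mod N and Ii = Ri^s0 mod N (inferred from I′i = R0^si mod N = g^(s0·si)) are assumptions, as is carrying the YCH-style k ≤ t polynomial over to Ii.

```python
from math import gcd

# Constructed toy parameters (assumptions); real use needs large strong primes.
p, q = 1019, 1187                 # dealer's secret primes
N, PHI = p * q, (p - 1) * (q - 1)
Q = 2**31 - 1                     # prime modulus for h(x), chosen larger than N
g, s0 = 65537, 4099               # public g; dealer's secret s0
assert gcd(g, N) == 1 and gcd(s0, PHI) == 1
f = pow(s0, -1, PHI)              # s0 * f = 1 mod phi(N); used in verify()
R0 = pow(g, s0, N)                # assumed R0 = g^s0 mod N; used by participants

def deal(secret_list, R, pad):
    """Dealer, case k <= t: y_i = h(I_i) mod Q with I_i = R_i^s0 mod N."""
    assert len(set(R)) == len(R), "dealer must reject colliding R_i"
    coeffs = list(secret_list) + list(pad)   # P_1..P_k then a_1..a_{t-k}
    xs = [pow(Ri, s0, N) for Ri in R]
    return [sum(c * pow(x, e, Q) for e, c in enumerate(coeffs)) % Q for x in xs]

def share(si):
    """Participant M_i pools I'_i = R0^si mod N; s_i itself is never revealed."""
    return pow(R0, si, N)

def verify(pooled, Ri):
    """Cheater check: I'_i^f mod N must equal the published R_i."""
    return pow(pooled, f, N) == Ri

def recover(points, k):
    """Lagrange-interpolate h(x) mod Q from t pairs (I'_i, y_i); return P_1..P_k."""
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                # basis *= (x - xj), coefficients stored constant term first
                basis = [(a - xj * b) % Q for a, b in zip([0] + basis, basis + [0])]
                denom = denom * (xi - xj) % Q
        scale = yi * pow(denom, -1, Q) % Q
        coeffs = [(c + scale * b) % Q for c, b in zip(coeffs, basis)]
    return coeffs[:k]

def demo():
    """(3,4) threshold, k = 2 secrets; participant shadows are constructed values."""
    shadows = [123457, 234571, 345679, 456791]
    R = [pow(g, s, N) for s in shadows]          # published (ID_i, R_i)
    ys = deal([424242, 777], R, pad=[31337])     # published y_1..y_4
    pooled = [share(s) for s in shadows[:3]]     # any t = 3 participants
    ok = all(verify(v, Ri) for v, Ri in zip(pooled, R))
    return recover(list(zip(pooled, ys)), 2), ok, verify((pooled[0] + 1) % N, R[0])

print(demo())
```

`demo()` returns the recovered secrets, the verification result for the honest shares, and the result for a tampered share, which is rejected.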
unavoidably. Table 1 is for the comparison between these two schemes.

Apparently, compared with the YCH scheme, the place where D's computation quantity increases is that $R_0$, $I_i$ and f have to be computed. But the proposed scheme needs no computation of $f(r, s_i)$, so, as a general system, it is able to accept such computation quantity. What's more, each participant chooses her/his secret shadow by her/himself in our scheme and $M_i$ computes $R_i$; this also cuts the computation quantity of D. The computation quantity of the verification algorithm in the proposed scheme can also be accepted by the system.

Although the computation quantity increases, the capability of the scheme improves obviously; we can see the properties in Table 2.

In a word, our scheme realizes safe secret sharing with lesser cost.

5. Conclusion

In this paper, we present a practical VMSS scheme based on the YCH scheme and the intractability of the discrete logarithm. The scheme realizes the property of verification in the YCH scheme, and still has the merits of the YCH scheme. In the scheme, we add the verification algorithm, so the computation quantity also increases unavoidably, but we also cut some computation quantity in the former scheme that the system can accept. In addition, our system doesn't need a secure channel; this change also cuts the cost of the system. The property is very practical in a system which is unlikely to have a secure channel.

References

[1] H.-Y. Chien, J.-K. Tseng, A practical (t,n) multi-secret sharing scheme, IEICE Transactions on Fundamentals of Electronics, Communications and Computer 83-A (12) (2000) 2762–2765.
[2] J. He, E. Dawson, Multistage secret sharing based on one-way function, Electronics Letters 30 (19) (1994) 1591–1592.
[3] J. He, E. Dawson, Multisecret-sharing scheme based on one-way function, Electronics Letters 31 (2) (1995) 93–95.
[4] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. 26th IEEE Symp. FOCS, 1985, pp. 251–260.
[5] M. Tompa, H. Woll, How to share a secret with cheaters, Journal of Cryptology 1 (1988) 133–138.
[6] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proceedings of the 26th IEEE Symposium on the Foundations of Computer Science (FOCS), 1985, pp. 383–395.
[7] L. Harn, Efficient sharing (broadcasting) of multiple secret, Computers and Digital Techniques 142 (3) (1995) 237–240.
[8] L. Chen, D. Gollman, C.J. Mitchell, P. Wild, Secret sharing with reusable polynomials, Proceedings of the Second Australasian Conference on Information Security and Privacy (ACISP'97), ACISP, Australia, 1997.
[9] R.-J. Hwang, C.-C. Chang, An on-line secret sharing scheme for multi-secrets, Computer Communications 21 (13) (1998) 1170–1176.
[10] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613.
[11] G. Blakley, Safeguarding cryptographic keys, Proc AFIPS 1979 National Computer Conference, AFIPS Press, New York, 1979, pp. 313–317.
[12] C.-C. Yang, T.-Y. Chang, M.-S. Hwang, A (t,n) multi-secret sharing scheme, Applied Mathematics and Computation 151 (2004) 483–490.
[13] J. Shao, Z.-F. Cao, A new efficient (t,n) verifiable multi-secret sharing (VMSS) based on YCH scheme, Applied Mathematics and Computation 168 (2005) 135–140.

Jianjie Zhao received the B.S. in 2003. Now he is an M.S. candidate at Shaanxi Normal University, Xi'an, P. R. China. His current research interests include cryptography, information security.

Jianzhong Zhang received the M.S. in Shaanxi Normal University and the Ph.D. in Xidian University, Xi'an, P. R. China. He is currently a professor with College of Mathematics and Information Science, Shaanxi Normal University. His research interests include cryptography, information security, secure e-commerce.

Rong Zhao received the B.S. in 2003. Now she is an M.S. candidate at Xi'an University of Technology, Xi'an, P. R. China. Her current research interests include information processing technology, engineering drawings management, image sharing.