
Computer Standards & Interfaces 29 (2007) 138 – 141

www.elsevier.com/locate/csi

A practical verifiable multi-secret sharing scheme☆


Jianjie Zhao a, Jianzhong Zhang a, Rong Zhao b,⁎
a College of Mathematics and Information Science, Shaanxi Normal University, Xi'an 710062, People's Republic of China
b Natural Science Institute, Xi'an University of Technology, Xi'an 710048, People's Republic of China

Received 23 January 2006; accepted 14 February 2006


Available online 6 March 2006

Abstract

C.-C. Yang, T.-Y. Chang, M.-S. Hwang [C.-C. Yang, T.-Y. Chang, M.-S. Hwang, A (t,n) multi-secret sharing scheme, Applied Mathematics
and Computation 151 (2004) 483–490] proposed an efficient multi-secret sharing scheme based on a two-variable one-way function in 2004. But
the scheme doesn't have the property of verification. A practical verifiable multi-secret sharing scheme, which is based on the YCH scheme and
the intractability of the discrete logarithm, is proposed in this paper. Our scheme solves the problems in the YCH scheme; each participant chooses
her/his own shadow by her/himself, so the system doesn't need a security channel and the cost of the system can be lowered. The scheme can be
used in practice widely.
© 2006 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Verification; Multi-secret sharing; Security channel

☆ This work is supported by National Science Foundation of China No.10271069, Shaanxi Science Foundation of China No.2004A14 and Postgraduate Initiative Foundation of Shaanxi Normal University.
⁎ Corresponding author. Tel.: +8629 82042323. E-mail address: zhaorongyou24@163.com (R. Zhao).
doi:10.1016/j.csi.2006.02.004

1. Introduction

In order to keep a secret efficiently and safely, in 1979 Shamir [10] and Blakley [11] first developed the concept of the secret sharing (SS) scheme. The former [10] is based on the Lagrange interpolating polynomial, while the latter [11] is based on linear projective geometry. However, as these schemes have been discussed, several common drawbacks of both secret sharing schemes [10,11] have been identified, as follows:

1) Only one secret can be shared during one secret sharing process;
2) Once the secret has been reconstructed, the dealer is required to redistribute a fresh shadow over a security channel to every participant;
3) A dishonest dealer may distribute a fake shadow to a certain participant, and then that participant would subsequently never obtain the true secret;
4) A malicious participant may provide a fake share to the other participants, which may make the malicious participant the only one who gets to reconstruct the true secret.

To solve the first problem, multi-secret sharing (MSS) schemes have been proposed. In such schemes, several secrets can be shared during one secret sharing process [1–3]. Such a scheme is useful in several kinds of applications: sometimes it is required that several secrets be protected with the same amount of data usually needed to protect one secret, etc.

In 2004, C.-C. Yang, T.-Y. Chang and M.-S. Hwang [12] proposed a new MSS scheme, which is based on a two-variable one-way function [3]. The scheme has the following merits:

1) It allows several secrets to be reconstructed in parallel;
2) It is a multi-use scheme (drawback 2 above has been solved);
3) The computation is efficient.

To overcome drawbacks 3 and 4, scholars proposed verifiable secret sharing (VSS) schemes. A VSS scheme allows participants to verify the validity of the shares of the other participants and of her/himself. The first realization of VSS was presented in Ref. [4] by Chor et al. in 1985; afterwards many papers [4–6] discussed it further. VSS plays an important role in the design of protocols for secure multi-party computation.

Thereafter, Harn [7] presented a verifiable multi-secret sharing (VMSS) scheme in 1995. But in that scheme, in order to verify whether the secret is valid, every participant has to check $n!/((n-t)!\,t!)$ equations. In 1997, Chen et al. [8] presented another VMSS scheme to improve some drawbacks of [7], but its computation cost is still high.

The YCH scheme is a relatively efficient multi-secret scheme at the present time. But it is a pity that this scheme doesn't have the property of verification. The scheme of [13] adds the verifiable property to the YCH scheme, but in both schemes, because the shadows are chosen by the dealer, even if the dealer is honest, the system still needs a security channel between the dealer and the participants so that the dealer can distribute the shadows to the participants safely; such a system is expensive and the scheme is impractical.

To do away with the drawbacks above, we shall propose a new practical verifiable multi-secret sharing scheme, which is based on the YCH scheme and the intractability of the discrete logarithm [9]. The scheme will have the following properties:

1) The system can identify the cheater, no matter whether she/he is the dealer or a participant;
2) No security channel exists between the dealer and the participants; this property is of particular value to a system in which a security channel is unlikely to exist;
3) It still has the properties of the YCH scheme.

The structure of the present work is as follows. In the next section, we shall briefly review the YCH scheme. In Sections 3 and 4, we shall present our VMSS scheme and make some discussions. Finally, we shall present our conclusions in Section 5.

2. Brief review of the YCH scheme

2.1. Initialization phase

The scheme is a (t,n) threshold scheme; P1,P2,⋯,Pk denote the k secrets to be shared. Function f(r,s) denotes any two-variable one-way function. In this phase, the dealer D randomly chooses n secret shadows s1,s2,⋯,sn and distributes them to every participant Mi by a security channel. Then D randomly chooses a value r and computes f(r,si) for i = 1,2,⋯,n.

2.2. Construction phase

(1) k ≤ t

➀ Choose a prime q and construct a (t − 1)th degree polynomial h(x) mod q, where 0 < P1,P2,⋯,Pk,a1,a2,⋯,at−k < q, as follows:
$$h(x) = P_1 + P_2 x + \cdots + P_k x^{k-1} + a_1 x^{k} + a_2 x^{k+1} + \cdots + a_{t-k} x^{t-1} \bmod q;$$
➁ Compute $y_i = h(f(r, s_i)) \bmod q$ for i = 1,2,⋯,n;
➂ Publish (r,y1,y2,⋯,yn).

(2) k > t

➀ Choose a prime q and construct a (k − 1)th degree polynomial h(x) mod q, where 0 < P1,P2,⋯,Pk < q, as follows:
$$h(x) = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod q;$$
➁ Compute $y_i = h(f(r, s_i)) \bmod q$ for i = 1,2,⋯,n;
➂ Compute h(i) mod q for i = 1,2,⋯,k − t;
➃ Publish (r,y1,y2,⋯,yn,h(1),h(2),⋯,h(k − t)).

2.3. Recovery phase

Without loss of generality, let M = {M1,M2,⋯,Mt}. Members of M will recover the secrets P1,P2,⋯,Pk: they pool their shares f(r,si) (for i = 1,2,⋯,t), and then the polynomial h(x) mod q can be uniquely determined as follows:

k ≤ t (1)
$$h(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \neq i}^{t} \frac{x - f(r, s_j)}{f(r, s_i) - f(r, s_j)} \bmod q = P_1 + P_2 x + \cdots + P_k x^{k-1} + a_1 x^{k} + a_2 x^{k+1} + \cdots + a_{t-k} x^{t-1} \bmod q$$

k > t (2)
$$h(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \neq i}^{t} \frac{x - f(r, s_j)}{f(r, s_i) - f(r, s_j)} \bmod q + \sum_{i=1}^{k-t} h(i) \prod_{j=1,\, j \neq i}^{k-t} \frac{x - j}{i - j} \bmod q = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod q$$

3. Our scheme

3.1. Initialization phase

Our notations P1,P2,⋯,Pk are the same as those of the YCH scheme. In this phase, the dealer and the participants need some intercommunication, but this can be done over a public channel. Firstly, the dealer D chooses two strong primes p and q and sets N = pq. Both p and q should be so large that nobody can factor N efficiently. Then the dealer randomly chooses an integer g from the interval $[N^{1/2}, N]$ such that g is relatively prime to p and q. Publish {g, N}.

Each participant Mi in M randomly chooses an integer si from the interval [2,N] as her/his own secret shadow and computes $R_i = g^{s_i} \bmod N$; then Mi provides Ri and her/his identity number IDi to the dealer D. D must ensure that Ri ≠ Rj for all Mi ≠ Mj. Once Ri = Rj, D should demand that these participants choose different secret shadows until the Ri are different for i = 1,2,⋯,n. Publish {(IDi,Ri)}.

3.2. Construction phase

(1) D randomly chooses an integer s0 from the interval [2,N] such that s0 is relatively prime to (p − 1) and (q − 1). Then
D computes f to make $s_0 \times f = 1 \bmod \phi(N)$, where $\phi(N)$ is the Euler phi-function;
(2) Compute $R_0 = g^{s_0} \bmod N$ and $I_i = R_i^{s_0} \bmod N$, i = 1,2,⋯,n.
(3) Publish {R0, f};

➀ k ≤ t

– Choose a prime Q and construct a (t − 1)th degree polynomial h(x) mod Q, where 0 < P1,P2,⋯,Pk,a1,a2,⋯,at−k < Q, as follows:
$$h(x) = P_1 + P_2 x + \cdots + P_k x^{k-1} + a_1 x^{k} + a_2 x^{k+1} + \cdots + a_{t-k} x^{t-1} \bmod Q;$$
– Compute $y_i = h(I_i) \bmod Q$ for i = 1,2,⋯,n;
– Publish (y1,y2,⋯,yn).

➁ k > t

– Choose a prime Q and construct a (k − 1)th degree polynomial h(x) mod Q, where 0 < P1,P2,⋯,Pk < Q, as follows:
$$h(x) = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod Q;$$
– Compute $y_i = h(I_i) \bmod Q$ for i = 1,2,⋯,n;
– Compute h(i) mod Q for i = 1,2,⋯,k − t;
– Publish (y1,y2,⋯,yn,h(1),h(2),⋯,h(k − t)).

3.3. Recovery and verification phase

Without loss of generality, let M = {M1,M2,⋯,Mt}. Members of M will recover the secrets P1,P2,⋯,Pk.

(1) Mi computes $I'_i = R_0^{s_i} \bmod N$ to gain the share, where si is the shadow of Mi;
(2) Anybody can verify the $I'_i$ provided by Mi: if $(I'_i)^{f} = R_i \bmod N$, then $I'_i$ is true; otherwise $I'_i$ is false and Mi may be a cheater;
(3) Recover the secrets: the polynomial h(x) mod Q can be uniquely determined as follows:

➀ k ≤ t
$$h(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \neq i}^{t} \frac{x - I'_j}{I'_i - I'_j} \bmod Q = P_1 + P_2 x + \cdots + P_k x^{k-1} + a_1 x^{k} + a_2 x^{k+1} + \cdots + a_{t-k} x^{t-1} \bmod Q$$

➁ k > t
$$h(x) = \sum_{i=1}^{t} y_i \prod_{j=1,\, j \neq i}^{t} \frac{x - I'_j}{I'_i - I'_j} \bmod Q + \sum_{i=1}^{k-t} h(i) \prod_{j=1,\, j \neq i}^{k-t} \frac{x - j}{i - j} \bmod Q = P_1 + P_2 x + \cdots + P_k x^{k-1} \bmod Q$$

In the initialization phase, each participant chooses her/his shadow by her/himself, so it is impossible for the dealer to become a cheater.

4. Performance analysis

4.1. Feasibility analysis

Because our scheme's process of secret sharing is the same as the YCH scheme's, we will just analyze the share generation algorithm and the verification algorithm here.

(1) The share generation algorithm: $I'_i = R_0^{s_i} \bmod N = g^{s_0 s_i} \bmod N$, so the participants can use the values published before to reconstruct the Lagrange interpolation polynomial.
(2) Verification algorithm: from Euler's Theorem, $g^{\phi(N)} = 1 \bmod N$, and $s_0 \times f = 1 \bmod \phi(N)$. If Mi isn't a cheater, then $(I'_i)^{f} = g^{s_i s_0 f} \bmod N = g^{s_i} \bmod N = R_i$; otherwise, Mi is a cheater.

4.2. Security analysis

(1) If an attacker E can use fewer points than t (when k ≤ t) or fewer points than t (when k > t) to reconstruct the polynomial h(x) mod Q, this is equivalent to E having broken Shamir's scheme. In this respect, the security of both the YCH scheme and the proposed scheme is based on the security of Shamir's scheme.
(2) The attacker E might try to derive the secret shadow si of participant Mi from the public information $I'_i$ and Ri. $I'_i$ is computed by the formula $I'_i = R_0^{s_i} \bmod N$ and Ri by the formula $R_i = g^{s_i} \bmod N$, so recovering si can be regarded as computing a discrete logarithm. As we know, the discrete logarithm is an NP-complete problem. The reuse of the secret shadow is secure.

Table 1
Computation quantity | Our scheme | YCH scheme
The computation for constructing the polynomial | Yes | Yes
Verification algorithm | Yes (optional) | No
D computes f(r, si) | No | Yes
D computes R0, Ii and f | Yes | No
Mi computes Ri | Yes | No

Table 2
Capability | Our scheme | YCH scheme
The verification | Yes | No
No security channel | Yes | No
Reconstruct several secrets in parallel | Yes | Yes
Reuse of the secret shadows | Yes | Yes

4.3. Capability and computation quantity analysis

Because the proposed scheme adds a verification algorithm, the computation quantity also increases unavoidably.
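The whole flow of Sections 3.1 to 3.3 together with the check of Section 4.1, as an added worked example written for this page (not the authors' code): each Mi picks its own shadow and publishes Ri, the dealer publishes R0, f and the yi, the cooperating members derive $I'_i$, anybody verifies $(I'_i)^{f} = R_i \bmod N$, and the t verified shares plus the published h(1..k−t) values are interpolated; the YCH construction of Section 2 is the same polynomial step with f(r,si) in place of Ii. Assumptions: toy primes p = 499, q = 547, the prime Q = 2^31 − 1 (larger than N), constructed shadows, and, for k > t, a single Lagrange pass over all k nodes rather than two separate sums.

```python
import random
Q = 2**31 - 1  # prime modulus of h(x); chosen larger than N so every I_i is a distinct node mod Q

def lagrange_coeffs(points, mod):
    # Coefficients (low degree first) of the unique polynomial through all points over GF(mod).
    out = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for xj, _ in points[:i] + points[i + 1:]:
            nxt = [0] * (len(basis) + 1)  # basis *= (x - xj); denom *= (xi - xj)
            for d, c in enumerate(basis):
                nxt[d] = (nxt[d] - c * xj) % mod
                nxt[d + 1] = (nxt[d + 1] + c) % mod
            basis, denom = nxt, denom * (xi - xj) % mod
        scale = yi * pow(denom, -1, mod) % mod
        out = [(o + c * scale) % mod for o, c in zip(out, basis)]
    return out

def dealer_construct(N, g, s0, f, R, secrets, t, rng):
    # Section 3.2: I_i = R_i^s0; h = P_1 + .. + P_k x^(k-1) (+ random a_j x^(k-1+j) if k < t); publish R0, f, y_i = h(I_i), and h(1..k-t) if k > t.
    k = len(secrets)
    h = list(secrets) + [rng.randrange(1, Q) for _ in range(t - k)]
    hx = lambda x: sum(c * pow(x, d, Q) for d, c in enumerate(h)) % Q
    return {"R0": pow(g, s0, N), "f": f, "y": [hx(pow(Ri, s0, N)) for Ri in R],
            "extra": [(i, hx(i)) for i in range(1, k - t + 1)]}

def verify_share(pub, N, Ri, I_prime):
    return pow(I_prime, pub["f"], N) == Ri  # Section 4.1 (2): I'_i^f = g^(s_i s0 f) = R_i mod N

def recover(pub, N, R, members, k):
    # Section 3.3: each cooperating M_i (index, shadow) forms I'_i = R0^s_i, anybody checks it,
    # then the t verified shares plus the published h(1..k-t) are interpolated in one pass.
    pts = []
    for i, si in members:
        I_prime = pow(pub["R0"], si, N)
        if not verify_share(pub, N, R[i], I_prime):
            raise ValueError(f"M{i + 1} supplied a bad share")
        pts.append((I_prime, pub["y"][i]))
    pts += pub["extra"]
    assert len({x for x, _ in pts}) == len(pts), "interpolation nodes must be distinct"
    return lagrange_coeffs(pts, Q)[:k]

def toy_system(secrets, t):
    # Constructed toy parameters: p = 499, q = 547 (far too small for real use), N = 272953.
    N, phi, g, s0 = 499 * 547, 498 * 546, 1000, 5  # sqrt(N) <= g < N, gcd(g, N) = gcd(s0, phi) = 1
    shadows = [11, 23, 37, 41, 53]  # each M_i picked s_i itself (Section 3.1); R_i = g^s_i mod N
    R = [pow(g, si, N) for si in shadows]
    assert len(set(R)) == len(R), "dealer must make participants with equal R_i re-pick"
    pub = dealer_construct(N, g, s0, pow(s0, -1, phi), R, secrets, t, random.Random(7))
    return N, R, shadows, pub
```

A share that has been altered fails verify_share before it can reach the interpolation, which is the cheater detection of Section 3.3 step (2).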

Table 1 is for the comparison between these two schemes.

Apparently, compared with the YCH scheme, the place where D's computation quantity increases is that R0, Ii and f have to be computed. But the proposed scheme needs no computation of f(r,si), so, as a general system, it is able to accept such a computation quantity. What's more, each participant chooses her/his secret shadow by her/himself in our scheme and Mi computes Ri; this also cuts the computation quantity of D. The computation quantity of the verification algorithm in the proposed scheme can also be accepted by the system.

Although the computation quantity increases, the capability of the scheme improves obviously; we can see the properties in Table 2.

In one word, our scheme realizes safe secret sharing at a lower cost.

5. Conclusion

In this paper, we present a practical VMSS scheme based on the YCH scheme and the intractability of the discrete logarithm. The scheme adds the property of verification to the YCH scheme, and still has the merits of the YCH scheme. Since we add a verification algorithm, the computation quantity also increases unavoidably, but we also cut some of the computation quantity of the former scheme, so the system can accept it. In addition, our system doesn't need a security channel; this change also cuts the cost of the system. This property is very practical in a system which is unlikely to have a security channel.

References

[1] H.-Y. Chien, J.-K. Tseng, A practical (t,n) multi-secret sharing scheme, IEICE Transactions on Fundamentals of Electronics, Communications and Computer 83-A (12) (2000) 2762–2765.
[2] J. He, E. Dawson, Multistage secret sharing based on one-way function, Electronics Letters 30 (19) (1994) 1591–1592.
[3] J. He, E. Dawson, Multisecret-sharing scheme based on one-way function, Electronics Letters 31 (2) (1995) 93–95.
[4] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proc. 26th IEEE Symp. FOCS, 1985, pp. 251–260.
[5] M. Tompa, H. Woll, How to share a secret with cheaters, Journal of Cryptology 1 (1988) 133–138.
[6] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, Proceedings of the 26th IEEE Symposium on the Foundations of Computer Science (FOCS), 1985, pp. 383–395.
[7] L. Harn, Efficient sharing (broadcasting) of multiple secret, Computers and Digital Techniques 142 (3) (1995) 237–240.
[8] L. Chen, D. Gollmann, C.J. Mitchell, P. Wild, Secret sharing with reusable polynomials, Proceedings of the Second Australasian Conference on Information Security and Privacy (ACISP'97), Australia, 1997.
[9] R.-J. Hwang, C.-C. Chang, An on-line secret sharing scheme for multi-secrets, Computer Communications 21 (13) (1998) 1170–1176.
[10] A. Shamir, How to share a secret, Communications of the ACM 22 (11) (1979) 612–613.
[11] G. Blakley, Safeguarding cryptographic keys, Proc. AFIPS 1979 National Computer Conference, AFIPS Press, New York, 1979, pp. 313–317.
[12] C.-C. Yang, T.-Y. Chang, M.-S. Hwang, A (t,n) multi-secret sharing scheme, Applied Mathematics and Computation 151 (2004) 483–490.
[13] J. Shao, Z.-F. Cao, A new efficient (t,n) verifiable multi-secret sharing (VMSS) based on YCH scheme, Applied Mathematics and Computation 168 (2005) 135–140.

Jianjie Zhao received the B.S. in 2003. Now he is an M.S. candidate at Shaanxi Normal University, Xi'an, P. R. China. His current research interests include cryptography and information security.

Jianzhong Zhang received the M.S. from Shaanxi Normal University and the Ph.D. from Xidian University, Xi'an, P. R. China. He is currently a professor with the College of Mathematics and Information Science, Shaanxi Normal University. His research interests include cryptography, information security and secure e-commerce.

Rong Zhao received the B.S. in 2003. Now she is an M.S. candidate at Xi'an University of Technology, Xi'an, P. R. China. Her current research interests include information processing technology, engineering drawings management and image sharing.