Linear (k, n) secret sharing scheme with cheating detection


SECURITY AND COMMUNICATION NETWORKS. Security Comm. Networks 2016; 9. Published online 20 March 2016 in Wiley Online Library (wileyonlinelibrary.com)

RESEARCH ARTICLE

Linear (k, n) secret sharing scheme with cheating detection

Yanxiao Liu*, Xi'an University of Technology, China

ABSTRACT

A linear (k, n) secret sharing scheme with the capability of detecting cheating is considered in this paper. Linear (k, n) secret sharing is the class of (k, n) secret sharing in which all n shares of a secret satisfy a linear relationship. It plays an important role in other cryptographic systems, such as multi-party computation and function sharing schemes. On the other hand, the cheating problem in (k, n) secret sharing is an important issue: cheaters (dishonest players) submit forged shares during secret reconstruction to fool the honest players. During decades of research on cheating prevention, many (k, n) secret sharing schemes against cheating have been proposed. However, most of these schemes are not linear, because their shares contain redundant information used to achieve cheating detection. Because linear (k, n) secret sharing is an important primitive in threshold cryptography, a linear (k, n) secret sharing scheme with the capability of cheating detection is also worth discussing. In this paper, we propose a linear (k, n) secret sharing scheme against cheating based on Shamir's original scheme, which has the following merits: (1) Our scheme is just a combination of two of Shamir's schemes; therefore it can be used in other threshold cryptographic systems that are based on Shamir's scheme. (2) The size of share in the proposed scheme almost reaches the theoretical lower bound for (k, n) secret sharing with cheating detection.
(3) In the cheating detection phase, a single honest player can detect cheating by the other k − 1 players, which is a stronger detection capability than previous linear secret sharing schemes against cheating achieve. Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS: secret sharing; linear; cheating; detection

*Correspondence: Yanxiao Liu, Faculty of Computer Science and Engineering, Xi'an University of Technology. liuyanxiao@xaut.edu.cn

1. INTRODUCTION

Secret sharing is a branch of threshold cryptography that deals with the secure storage of sensitive secrets. In 1979, Shamir [1] introduced the landmark polynomial-based (k, n) secret sharing scheme. In his scheme, a trusted dealer divides a secret into n shares and distributes one share to each player. Any set of k or more players can reconstruct the secret, but any set of fewer than k players obtains no information about the secret. Because shares are cheap to compute and the secret is cheap to reconstruct, Shamir's scheme is the most discussed scheme in the field of secret sharing. Linear secret sharing [2] is a special type of secret sharing in which all shares satisfy a linear relationship; Shamir's scheme is itself a linear secret sharing scheme. Linear secret sharing is an important tool for constructing other, more complicated cryptographic systems, such as multi-party computation [3–5] and function sharing schemes [6–9].

The cheating problem in (k, n) secret sharing was first raised by Tompa and Woll [10]. They pointed out that in the secret reconstruction phase, dishonest players (cheaters) can release forged shares, making the honest players reconstruct a fake secret, while the cheaters themselves reconstruct the valid secret exclusively. Shamir's original (k, n) scheme has no ability to resist such cheating: even a single cheater can fool all the other honest players. The reason is that Lagrange interpolation is linear in the shares, so a cheater who replaces v_i by v_i + δ shifts the reconstructed value by λ_i·δ, where λ_i is the cheater's public Lagrange coefficient at x = 0; the cheater, who sees the honest shares, can undo the shift privately, while the honest players accept s + λ_i·δ without noticing.
To safeguard the interests of honest players, secret sharing schemes with the capability of cheating prevention are indispensable. The simplest method to detect cheating is to publish a hash value w = H(s) of the secret s; the players then detect cheating by checking whether w equals H(s*), where s* is the reconstructed secret. However, the security of this type of scheme rests on the hash function (or on some other computational assumption), so it is not unconditionally secure; moreover, a published H(s) lets anyone test candidate secrets offline, which matters whenever the secret space is small. Over decades of discussion, many unconditionally secure secret sharing schemes with cheating prevention have been proposed. The schemes [11–14] solve the problem of cheating detection. In a secret sharing scheme without cheating detection, the size of share can equal the size of the secret (we write |V| and |S| for the sizes of share and secret, respectively). In schemes capable of detecting cheating, however, the share size |V| is expanded relative to |S|; in return, cheating succeeds only with a small probability ε, that is, the honest players detect the cheating with probability 1 − ε. The other category of cheating prevention is cheater identification [15–18]. In those schemes, the honest players involved in secret reconstruction not only detect cheating but also determine the identities of all cheaters. However, in secret sharing schemes with cheater identification, the share size |V| is much larger than in schemes that only detect cheating. Hence, we focus only on the problem of cheating detection in this work.

Most secret sharing schemes with cheating prevention are not linear. For instance, the schemes [10,11,13,14,19] can detect cheating, and they are all based on Shamir's original linear secret sharing scheme. However, they are not themselves linear, because their shares contain redundant information for cheating detection, so the shares no longer satisfy a linear relationship. Because linear (k, n) secret sharing is an important primitive in threshold cryptography, a linear (k, n) secret sharing scheme with the capability of cheating prevention is also worth discussing. In [20], Pieprzyk and Zhang proposed a linear secret sharing scheme against cheating; however, its cheating detection works only when there is a single cheater in secret reconstruction.
In [21], Harn and Lin presented a linear secret sharing scheme that is secure against cheating by multiple cheaters. The restriction of the Harn–Lin scheme is that more than k players are required in secret reconstruction for cheating prevention. Later, [22] showed that this scheme can be broken by an easy attack. In [23], a linear secret sharing scheme with cheating detection for a general access structure was proposed, and it can be applied to (k, n) secret sharing schemes.

In this paper, we propose a new linear (k, n) secret sharing scheme against cheating based on Shamir's original scheme, with the following merits: (1) Our scheme is just a combination of two of Shamir's schemes; therefore it can be used in other threshold cryptographic systems that are based on Shamir's scheme. (2) The share size |V| in the proposed scheme almost reaches the theoretical lower bound for (k, n) secret sharing with cheating detection. (3) A single honest player can detect cheating by the other k − 1 players, which is a stronger detection capability than previous linear secret sharing schemes against cheating achieve. In addition, we give an extension of our scheme in which the successful cheating probability can be chosen independently of the size of the secret |S|.

The rest of this paper is organized as follows. In Section 2, we give some preliminaries, including the definitions of secret sharing, linear secret sharing, and secret sharing with cheating detection. In Section 3, we review previous results on cheating detection in secret sharing. In Section 4, we propose our new linear (k, n) secret sharing scheme with cheating detection and compare it with the scheme in [23]. In Section 5, we present a revised version of the proposed scheme. We conclude in Section 6.

2. PRELIMINARIES

2.1. (k, n) Secret sharing schemes

The participants of a (k, n) secret sharing scheme are a dealer D and n players P_1, P_2, ..., P_n.
The model consists of two steps: a Share Generation step and a Secret Reconstruction step. In step 1, the dealer D divides a secret s into n shares v_1, v_2, ..., v_n, and each share v_i, i = 1, 2, ..., n, is sent secretly to player P_i. In step 2, any qualified set containing at least k players can reconstruct the secret s. A (k, n) secret sharing scheme is perfect if it satisfies the following: (1) any k or more players can reconstruct the secret correctly; (2) any k − 1 or fewer players obtain no information about the secret.

Here we briefly introduce Shamir's original (k, n) secret sharing scheme. Let p be a prime and let the secret s lie in Z_p. The Share Generation step and Secret Reconstruction step of Shamir's scheme are as follows.

Share Generation step: Input a secret s ∈ Z_p. (1) The dealer D generates a random polynomial f(x) = a_0 + a_1 x + ... + a_{k−1} x^{k−1} with a_0, a_1, ..., a_{k−1} ∈ Z_p and a_0 = s. (2) The dealer D computes v_i = f(i), i = 1, 2, ..., n, and distributes each share v_i privately to player P_i.

Secret Reconstruction step: Input a list of shares (v_{i_1}, v_{i_2}, ..., v_{i_l}) with l ≥ k. Reconstruct the polynomial f(x) of degree at most k − 1 from the l points (i_1, v_{i_1}), (i_2, v_{i_2}), ..., (i_l, v_{i_l}) by Lagrange interpolation,

$$f(x) = \sum_{u=1}^{l} v_{i_u} \prod_{\substack{w=1 \\ w \neq u}}^{l} \frac{x - i_w}{i_u - i_w},$$

and output the secret s = f(0). (Any k of the points determine f(x); when l > k, the l points lie on one polynomial of degree at most k − 1 only if all l shares are consistent, which is what makes extra shares useful for checks of the Harn–Lin type.) Obviously, Shamir's scheme is a perfect (k, n) secret sharing scheme.

Here we define the size of share (secret), denoted |V| (|S|). Let A be the set of all possible shares (secrets); then the size of the share (secret) is |A|. For example, in Shamir's scheme the sizes of share and secret are |V| = |S| = p. The information rate of a secret sharing scheme is the ratio of the length of the secret to the length of the share, ρ = log|S| / log|V|. When designing a secret sharing scheme, the information rate is an important parameter to take into account. A secret sharing scheme is said to be ideal if its information rate equals 1, the maximum possible value of this parameter.

2.2. Linear secret sharing scheme

A linear (k, n) secret sharing scheme is a special type of secret sharing scheme in which all n shares of a secret satisfy a linear relationship. The definition is as follows.

Definition 1 ([20]). A (k, n) secret sharing scheme is a linear secret sharing scheme if its n shares v_1, v_2, ..., v_n can be written as (v_1, v_2, ..., v_n) = (r_1, r_2, ..., r_k) H, where H is a public k × n matrix every k × k submatrix of which is nonsingular, and the vector (r_1, r_2, ..., r_k) is chosen at random by the dealer.

By Definition 1, Shamir's (k, n) secret sharing scheme is linear. Let f(x) = a_0 + a_1 x + a_2 x² + ... + a_{k−1} x^{k−1}; the shares v_i = f(i), i = 1, 2, ..., n, can be written as (v_1, v_2, ..., v_n) = (a_0, a_1, a_2, ..., a_{k−1}) H with h_{i,j} = j^{i−1}, where h_{i,j} denotes the entry in row i and column j of H (a Vandermonde matrix, every k × k submatrix of which is nonsingular because the evaluation points 1, ..., n are distinct). Linear schemes can achieve the highest information rate among all kinds of secret sharing schemes [23]. This is one of the reasons we are interested in designing linear secret sharing schemes with cheating detection.

2.3. Secret sharing scheme with cheating detection

A secret sharing scheme with cheating detection is a secret sharing scheme in which the honest players are able to detect cheating during secret reconstruction. The model again consists of two steps, a Share Generation step and a Secret Reconstruction step. The Share Generation step is the same as in an ordinary secret sharing scheme.
The Secret Reconstruction step, however, differs from the ordinary one: it takes a list of k shares as input and outputs either a secret s or the symbol ⊥. It outputs ⊥ only when cheating is detected; otherwise, if the secret is verified to be valid, it outputs a secret s that all players accept. Cheating succeeds only if a fake secret is verified to be valid. The successful cheating probability is an important characteristic of a secret sharing scheme with cheating detection and is defined as follows. Without loss of generality, suppose P_1, P_2, ..., P_k participate in secret reconstruction, and P_1, P_2, ..., P_t are t cheaters who aim to fool the honest players P_{t+1}, P_{t+2}, ..., P_k. Let V_c = {v'_1, v'_2, ..., v'_t} ≠ {v_1, v_2, ..., v_t} be the forged shares and V_h = {v_{t+1}, v_{t+2}, ..., v_k} the valid shares of the honest players. Let s' be the output of the Secret Reconstruction step on the shares {V_c, V_h}. The successful cheating probability is ε = Pr[s' ∉ {s, ⊥}], where s is the valid secret.

3. PREVIOUS WORKS ON CHEATING DETECTION

The first secret sharing scheme with cheating detection was proposed by Tompa and Woll [10]; in their scheme, a single honest player can detect cheating. Carpentieri, De Santis, and Vaccaro [12] first considered a cheating model in which k − 1 cheaters who know the secret try to cheat another, honest, player; we call this the CDV assumption. A lower bound on the size of shares under the CDV assumption was given there.

Proposition 1 ([12]). In the CDV assumption, the size of shares |V| is bounded from below by a function of |S| and ε stated in [12], where ε is the successful cheating probability.

The scheme proposed in [10] can be proved secure against cheating in the CDV assumption; its share size is |V| = ((|S| − 1)(k − 1)/ε + k)². In [14], Ogata, Kurosawa, and Stinson proposed a new model in which the k − 1 cheaters do not know the secret when they try to cheat another player; we call this the OKS assumption.
A lower bound on the size of shares in the OKS assumption was also given in [14].

Proposition 2 ([14]). In the OKS assumption, the size of shares satisfies |V| ≥ (|S| − 1)/ε + 1.

In [14], they also proposed an optimum scheme secure against cheating whose share size meets the bound of Proposition 2 with equality. However, in [13], Obana and Araki pointed out a drawback of the scheme in [14]: it is secure only if the secret is uniformly distributed; when some secret occurs with high probability, the successful cheating probability is larger than expected. The schemes [11–14] capable of detecting cheating are not linear secret sharing schemes; they use detection tools such as hash functions to detect cheating. In [20], Pieprzyk and Zhang constructed a linear secret sharing scheme against cheating. In their scheme, the share size is optimum, |V| = |S|, and the shares can be split into sub-shares to detect cheating. However, the cheating detection works only when there is one cheater in secret reconstruction. In [21], Harn and Lin extended Shamir's (k, n) secret sharing scheme into a cheating detection scheme for the case where more than k shareholders take part in secret reconstruction. Because Shamir's scheme is linear, the Harn–Lin scheme is also linear, and it was claimed to be secure against cheating by multiple cheaters. Later, [22] showed that this scheme can be broken by an easy attack.

4. PROPOSED SCHEME

In this section, we propose a new linear (k, n) secret sharing scheme with cheating detection under the OKS assumption. In the OKS assumption, the k − 1 cheaters have no information about the secret, which coincides with the definition of (k, n) secret sharing, and the share size under the OKS assumption is smaller than under the CDV assumption. In addition, cheaters who already know the secret have no need to cheat in secret reconstruction; they can simply refuse to participate. Therefore, cheating is more likely under the OKS assumption than under the CDV assumption, and cheating detection under the OKS assumption is the more practical problem.

Our proposed linear (k, n) secret sharing scheme with cheating detection is based on Shamir's scheme, and cheating can be detected even when there is only a single honest player. The Share Generation step and Secret Reconstruction step of our scheme are described as follows, where p is a prime. In the Secret Reconstruction step, without loss of generality, we suppose the k participating players are P_1, P_2, ..., P_k.

Share Generation step: Input a secret s ∈ Z_p.

(1) The dealer D chooses a random polynomial f(x) = a_0 + a_1 x + ... + a_{k−1} x^{k−1}, a_0, a_1, ..., a_{k−1} ∈ Z_p, with a_0 = s.

(2) The dealer D chooses a random value r ∈ Z_p and a polynomial g(x) = b_0 + b_1 x + ... + b_{k−1} x^{k−1}, b_0, b_1, ..., b_{k−1} ∈ Z_p, such that r a_0 + b_0 = 0 and r a_1 + b_1 = 0 in Z_p. That is, b_0 = −r a_0 and b_1 = −r a_1 are fixed by the choice of r, while b_2, ..., b_{k−1} are random. The value r is never published: it is the dealer's secret, and the detection capability below rests on the players not knowing it.

(3) The dealer D computes v_i = (m_i, d_i), i = 1, 2, ..., n, where m_i = f(i) and d_i = g(i), and distributes each share v_i privately to player P_i.
Secret Reconstruction step: Input a list of shares (v_1, v_2, ..., v_k).

(1) Reconstruct f(x) from (1, m_1), (2, m_2), ..., (k, m_k) by Lagrange interpolation, and g(x) from (1, d_1), (2, d_2), ..., (k, d_k) in the same way.

(2) Let a_0, a_1, b_0, b_1 be the coefficients of x^0 and x^1 in f(x) and g(x), respectively. If there exists a common r ∈ Z_p with r a_0 + b_0 = 0 and r a_1 + b_1 = 0, output s = f(0). Otherwise f(0) is an invalid secret, cheating is detected, and the output is ⊥. (Such an r exists exactly when (b_0, b_1) is a scalar multiple of (a_0, a_1): when (a_0, a_1) ≠ (0, 0) this is the single test a_0 b_1 ≡ a_1 b_0 (mod p), and when a_0 = a_1 = 0 it requires b_0 = b_1 = 0.)

Observe that the share in the proposed scheme is v_i = (m_i, d_i), where m_i and d_i are both shares of Shamir's (k, n) secret sharing scheme. As illustrated above, Shamir's scheme is linear, so the proposed scheme is also a linear (k, n) secret sharing scheme. The properties of the proposed scheme are analyzed in the following theorems. Theorem 1 proves that our scheme is a perfect (k, n) secret sharing scheme. The coefficients a_0, a_1, b_0, b_1 of f(x) and g(x) are related, and it might seem that these relations leak some information about the secret; Theorem 1 shows that the relations among a_0, a_1, b_0, b_1 leak no information about the secret at all, so our scheme is a secure (k, n) threshold scheme. Theorem 2 analyzes the cheating detection property of our scheme.

Theorem 1. The proposed scheme is a perfect (k, n) secret sharing scheme.

Proof. A secret sharing scheme is a perfect (k, n) threshold scheme if k or more shares reconstruct the secret and k − 1 or fewer shares give no information about it. In our scheme the secret s is divided into n shares with Shamir's original (k, n) scheme, so k or more shares obviously reconstruct the secret. Next we show that k − 1 shareholders obtain no information about the secret.
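As an added, runnable example (my own code, not the paper's), the following Python implements Shamir's scheme of Section 2.1 and the two-polynomial scheme just described: share() is the Share Generation step, reconstruct() the Secret Reconstruction step with the existence test for r on (a_0, a_1, b_0, b_1), and with the optional modulus q the same functions give the revised version of Section 5 (f over Z_p, g over Z_q). forge() implements the k − 1 cheaters' strategy analysed in the proof of Theorem 2 (they add an f* vanishing at the honest player's point and g* = −r* f*), and exhaustion_table() runs the exhaustive-search experiment from the proof of Theorem 1 on the paper's own k = 4, p = 7 example. Function names and the sample forged polynomial q(x) = 1 are my choices; the example polynomials and shares are the paper's.

```python
# Added example (not code from the paper): Shamir's (k, n) scheme over Z_p and the
# Section 4 scheme built from two copies of it.  With q == p this is the Section 4
# scheme; q != p gives the Section 5 revised version (f over Z_p, g over Z_q).
# forge() is the cheater strategy analysed in the proof of Theorem 2 and
# exhaustion_table() the guessing experiment of Theorem 1.  Names are mine.
import secrets


def poly_eval(coeffs, x, p):
    """Evaluate sum(coeffs[i] * x**i) over Z_p by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def interpolate(points, p):
    """Lagrange interpolation over Z_p: coefficients (lowest degree first) of the
    unique polynomial of degree < len(points) through the given (x, y) pairs."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        num, den = [1], 1            # prod_{m != j} (x - x_m) and its value at x_j
        for m, (xm, _) in enumerate(points):
            if m != j:               # multiply num by (x - xm)
                num = [(shifted - xm * same) % p for same, shifted in zip(num + [0], [0] + num)]
                den = den * (xj - xm) % p
        scale = yj * pow(den, -1, p) % p
        coeffs = [(c + scale * t) % p for c, t in zip(coeffs, num)]
    return coeffs


def share(secret, k, n, p, q=None, r=None, rng=secrets.randbelow):
    """Dealer: f over Z_p with a0 = secret; g over Z_q with b0 = -r*a0 and
    b1 = -r*a1 (mod q); r stays secret.  Returns (f, g, r, {i: (m_i, d_i)})."""
    q = p if q is None else q
    f = [secret % p] + [rng(p) for _ in range(k - 1)]
    r = rng(q) if r is None else r % q
    g = [(-r * f[0]) % q, (-r * f[1]) % q] + [rng(q) for _ in range(k - 2)]
    return f, g, r, {i: (poly_eval(f, i, p), poly_eval(g, i, q)) for i in range(1, n + 1)}


def consistent(a0, a1, b0, b1, q):
    """Does some r in Z_q satisfy r*a0 + b0 == 0 and r*a1 + b1 == 0 (mod q)?
    Equivalently: (b0, b1) is a scalar multiple of (a0, a1)."""
    if a0 % q == 0 and a1 % q == 0:
        return b0 % q == 0 and b1 % q == 0
    return (a0 * b1 - a1 * b0) % q == 0


def reconstruct(shares, p, q=None):
    """Players: interpolate f and g from exactly k shares {i: (m_i, d_i)} and return
    the secret f(0), or None (the symbol ⊥) when cheating is detected."""
    q = p if q is None else q
    f = interpolate([(i, m) for i, (m, _) in shares.items()], p)
    g = interpolate([(i, d) for i, (_, d) in shares.items()], q)
    return f[0] if consistent(f[0], f[1], g[0], g[1], q) else None


def forge(shares, victim, r_star, q_coeffs, p, q=None):
    """Theorem 2 cheaters: every player except `victim` adds f*(i), g*(i) to their
    sub-shares, with f* = (x - victim) * q(x) (so f* vanishes at the honest point
    and the interpolated polynomials become f + f*, g + g*) and g* = -r_star * f*,
    which makes the forged pair pass the check exactly when r_star == r."""
    q = p if q is None else q
    fstar = [(shifted - victim * same) % p for same, shifted in zip(q_coeffs + [0], [0] + q_coeffs)]
    return {i: (m, d) if i == victim else
            ((m + poly_eval(fstar, i, p)) % p, (d - r_star * poly_eval(fstar, i, q)) % q)
            for i, (m, d) in shares.items()}


def exhaustion_table(known, missing, p, q=None):
    """Theorem 1 experiment: the k-1 colluders `known` gu the missing player's
    m*; for each guess, list the d* values for which (f', g') passes the check.
    Returns {m*: (candidate secret f'(0), [consistent d* values])}."""
    q = p if q is None else q
    m_pts = [(i, m) for i, (m, _) in known.items()]
    d_pts = [(i, d) for i, (_, d) in known.items()]
    table = {}
    for m_star in range(p):
        f = interpolate(m_pts + [(missing, m_star)], p)
        fits = [d_star for d_star in range(q)
                if consistent(f[0], f[1], *interpolate(d_pts + [(missing, d_star)], q)[:2], q)]
        table[m_star] = (f[0], fits)
    return table


# The paper's worked example (proof of Theorem 1): k = 4, p = 7, r = 3,
# f = 1 + 3x + 4x^2 + 5x^3, g = 4 + 5x + x^2 + 3x^3.
P, K = 7, 4
F_EX, G_EX = [1, 3, 4, 5], [4, 5, 1, 3]
SHARES_EX = {i: (poly_eval(F_EX, i, P), poly_eval(G_EX, i, P)) for i in range(1, K + 1)}

if __name__ == "__main__":
    print("shares:", SHARES_EX)                                 # P1 (6,6) ... P4 (5,1)
    print("honest reconstruction:", reconstruct(SHARES_EX, P))  # 1
    colluders = {i: SHARES_EX[i] for i in (1, 2, 3)}
    print("exhaustion, m*_4 = 0:", exhaustion_table(colluders, 4, P)[0])  # (6, [2])
    for r_star in range(P):                                     # only r* = 3 = r passes
        print("r* =", r_star, "->", reconstruct(forge(SHARES_EX, 4, r_star, [1], P), P))
```

Running it prints the paper's shares, recovers the secret 1, shows that for the guess m*_4 = 0 exactly one d*_4 (namely 2) passes the check with candidate secret 6, and that among all seven choices of r* only r* = 3 = r lets the forged shares through, in which case the honest player accepts the fake secret 4. consistent() is the cross-multiplication form of the existence test for r; the dealer's r must never be stored with the shares, since the 1/p detection bound holds only while r is unknown to the cheaters.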
Because a_0, a_1, b_0, b_1 satisfy r a_0 + b_0 = 0 and r a_1 + b_1 = 0, one might expect exhaustive search to be the best way to obtain the secret. The exhaustive method is as follows.

Step 1. The k − 1 shareholders try each possible share of the k-th shareholder and compute the p corresponding polynomials f_i(x) and the p corresponding polynomials g_j(x), i, j ∈ [1, p].

Step 2. If some f_i(x) and g_j(x) satisfy r' a'_0 + b'_0 = 0 and r' a'_1 + b'_1 = 0 for some r', where a'_0, a'_1 and b'_0, b'_1 are the coefficients of x^0 and x^1 in f_i(x) and g_j(x), then f_i(x) and g_j(x) are taken to be the original polynomials selected by the dealer, and s = f_i(0) is taken to be the secret.

We show that exhaustive search fails against the proposed scheme. Suppose m*_k is a candidate share of the k-th shareholder, chosen arbitrarily. The k − 1 shareholders compute the polynomial f'(x) of degree at most k − 1 through (1, m_1), (2, m_2), ..., (k − 1, m_{k−1}), (k, m*_k); let a'_0, a'_1 be its coefficients of x^0 and x^1. As in the exhaustive method, if there exists a polynomial g'(x) = b'_0 + b'_1 x + ... + b'_{k−1} x^{k−1} of degree at most k − 1 interpolating (1, d_1), (2, d_2), ..., (k − 1, d_{k−1}), (k, d*_k) (where d*_k may be any value in Z_p) that satisfies r' a'_0 + b'_0 = 0 and r' a'_1 + b'_1 = 0 for some r' ∈ Z_p, then s = f'(0) is accepted as the secret. Regard b'_0, b'_1, ..., b'_{k−1} and r' as k + 1 unknowns; there are k + 1 equations in them: g'(i) = d_i for i = 1, 2, ..., k − 1, together with r' a'_0 + b'_0 = 0 and r' a'_1 + b'_1 = 0 (here a'_0, a'_1 are known to the k − 1 shareholders). Therefore the unknowns b'_0, b'_1, ..., b'_{k−1} can be obtained from these equations, which determines g'(x). In other words, when the k − 1 shareholders try d*_k = g'(k) as the k-th sub-share, they find that f'(x) and g'(x) look exactly like the original polynomials selected by the dealer. Hence, by exhaustive search, the k − 1 shareholders find that every value in Z_p can be the secret, and exhaustive search gives them nothing.

We illustrate with an example. Suppose k = 4, and the dealer selects the degree-3 polynomials f(x) = 1 + 3x + 4x² + 5x³ and g(x) = 4 + 5x + x² + 3x³ over Z_7; here r = 3, since 3a_0 + b_0 = 0 and 3a_1 + b_1 = 0. Let P_1, P_2, P_3, P_4 be the participants; in the Share Generation step each receives a share (m_i = f(i), d_i = g(i)) from the dealer: P_1 has (m_1 = 6, d_1 = 6), P_2 has (m_2 = 0, d_2 = 0), P_3 has (m_3 = 6, d_3 = 4), and P_4 has (m_4 = 5, d_4 = 1). Now P_1, P_2, P_3 try to obtain the secret by exhaustive search. They first assume the sub-share of P_4 is m*_4 = 0 and compute f'(x) = 6 + 2x + 2x² + 3x³ by Lagrange interpolation. Next they try all possible sub-shares d*_4 of P_4 and check which fit. When they try d*_4 = 2, the interpolated polynomial is g'(x) = 3 + x + 2x³, and the coefficients a'_0, a'_1, b'_0, b'_1 satisfy 3a'_0 + b'_0 = 0 and 3a'_1 + b'_1 = 0. They would therefore believe that f'(x), g'(x) are the polynomials selected by the dealer and that s' = f'(0) = 6 is the secret, which is wrong.
In fact, by exhaustive search they find that every possible sub-share m*_4 is consistent with being the correct sub-share of P_4, because for each m*_4 there is a sub-share d*_4 that satisfies the corresponding relations. In sum, any k − 1 participants obtain no information about the secret. End of proof.

The following theorem discusses the cheating detection properties of the proposed scheme: the number of cheaters that can be tolerated, the successful cheating probability, and the size of share.

Theorem 2. When there are k − 1 cheaters in the secret reconstruction phase, the proposed scheme detects the cheating with parameters |S| = p, ε = 1/p, and |V| = p² = |S|/ε.

Proof. Suppose P_1, P_2, ..., P_k participate in the secret reconstruction phase, and P_1, P_2, ..., P_{k−1} are k − 1 cheaters who wish to fool P_k. Let the fake shares submitted by the cheaters be v*_i = (m_i + m*_i, d_i + d*_i), i = 1, 2, ..., k − 1. Together with the share v_k = (m_k, d_k) of P_k, the Secret Reconstruction step yields the two polynomials f**(x) = f(x) + f*(x) and g**(x) = g(x) + g*(x), where f*(x) = a*_0 + a*_1 x + ... + a*_{k−1} x^{k−1} and g*(x) = b*_0 + b*_1 x + ... + b*_{k−1} x^{k−1} are the polynomials interpolating the k points (1, m*_1), (2, m*_2), ..., (k − 1, m*_{k−1}), (k, 0) and (1, d*_1), (2, d*_2), ..., (k − 1, d*_{k−1}), (k, 0), respectively. Because f*(x) and g*(x) are decided by the cheaters alone, they can select a number r* and arrange that r* a*_0 + b*_0 = 0 and r* a*_1 + b*_1 = 0. By our algorithm, the cheating goes undetected if there exists a common r' with r'(a_0 + a*_0) + (b_0 + b*_0) = 0 and r'(a_1 + a*_1) + (b_1 + b*_1) = 0. Writing (b_0, b_1) = −r(a_0, a_1) and (b*_0, b*_1) = −r*(a*_0, a*_1), the reconstructed pair −r(a_0, a_1) − r*(a*_0, a*_1) is a scalar multiple of (a_0 + a*_0, a_1 + a*_1) only when r* = r, unless (a*_0, a*_1) happens to be a multiple of the unknown (a_0, a_1), which the cheaters cannot arrange with better than guessing probability. Hence the cheating succeeds only when r* = r. As proved in Theorem 1, the k − 1 cheaters have no information about r, so the probability that r* = r is 1/p. Consequently, the successful cheating probability is ε = 1/p.
For the other parameters: the secret s is chosen from Z_p, so the size of secret is |S| = p; the share is a pair of numbers in Z_p, so the size of share is |V| = p² = |S|/ε. Note that if the cheaters select a*_0 = a*_1 = b*_0 = b*_1 = 0, our scheme does not detect the modification, but the honest player still reconstructs the valid secret, because f**(0) = f(0) = a_0. Since the aim of cheating is to make the honest players accept a fake secret, the cheating fails in this case. End of proof.

From the above analysis we conclude that, compared with previous linear secret sharing schemes with cheating detection, our scheme has two primary advantages: (1) it detects cheating by up to k − 1 cheaters; (2) the share size almost reaches the theoretical lower bound: |V| = |S|/ε in our scheme is less than one bit longer than the lower bound under the OKS assumption (Proposition 2).

In [23], the authors proposed another linear secret sharing scheme with cheating detection for a general access structure. Applied to Shamir's secret sharing scheme, their cheating detection is quite similar to ours and can be described briefly as follows. The dealer chooses a secret s and distributes the shares m_i, i = 1, 2, ..., n, of s privately to the players P_i. In addition, the dealer computes e = s² and generates n shares d_i, i = 1, 2, ..., n, of e. Finally, the share of each player P_i is v_i = (m_i, d_i). In secret reconstruction, the players reconstruct two values s*, e* from their shares; if e* = (s*)², then s* is the valid secret, otherwise there are cheaters in the reconstruction. Their scheme also consists of two of Shamir's secret sharing schemes and can also detect cheating by up to k − 1 cheaters. Compared with their scheme, however, our proposed scheme has two advantages.
The first is that our scheme has a higher probability of detecting cheating in secret reconstruction. In the proposed scheme, as analyzed above, the successful cheating probability of k − 1 cheaters is 1/p. In [23], the scheme checks whether e* = (s*)² to detect cheating. The value e (selected by the dealer) is a square in Z_p, and there are only about p/2 squares in Z_p, not p. If the cheaters use randomly forged shares in secret reconstruction, the probability that e* = (s*)² is at least 2/p. In other words, the successful cheating probability of the scheme in [23] is 2/p, twice that of our proposed scheme. Correspondingly, the share size of the scheme in [23] can be expressed as |V| = 2|S|/ε, a larger share-size expansion than in the proposed scheme.

The second concerns the cost of the check. Their scheme requires one multiplication, (s*)², to detect cheating. Ours tests whether (b_0, b_1) is a multiple of (a_0, a_1), which is the comparison a_0 b_1 = a_1 b_0 in Z_p (two multiplications), or equivalently one division to recover r = −b_0/a_0 followed by one multiplication; the two checks are of comparable cost, and neither needs anything beyond the two Shamir instances.

We compare the proposed scheme with three other linear secret sharing schemes with cheating detection in Table I, where p is the size of the secret and k is the threshold value.

Table I. Comparison of linear secret sharing schemes with cheating detection.

Scheme                      | Size of share    | Maximum number of cheaters detected | Probability of successful cheating
Harn–Lin scheme [21]        | |V| = |S|        | none: the scheme is broken [22]     | (no detection)
Pieprzyk–Zhang scheme [20]  | |V| = |S|        | 1                                   | ε = 1/p
Cabello–Padró–Sáez scheme [23] | |V| = 2|S|/ε  | k − 1                               | ε = 2/p
Proposed scheme             | |V| = |S|/ε      | k − 1                               | ε = 1/p

5. REVISED VERSION

From the above analysis, our scheme detects cheating by up to k − 1 cheaters with successful cheating probability ε = 1/p. This probability depends on the size of the secret: when the prime p is not large enough, ε is not acceptable. Here we give a revised version of the proposed scheme in which the successful cheating probability can be chosen freely while the other parameters keep their characteristics from the original scheme.

Revised version. Share Generation step: Input a secret s ∈ {0, 1, 2, ..., p − 1}.
(1) The dealer D generates a random polynomial f(x) = a_0 + a_1 x + ... + a_{k−1} x^{k−1}, a_0, a_1, ..., a_{k−1} ∈ {0, 1, 2, ..., p − 1}, with a_0 = s.

(2) For a target successful cheating probability ε, the dealer D selects a prime q with ε > 1/q. The dealer chooses a random value r ∈ {0, 1, 2, ..., q − 1} and a polynomial g(x) = b_0 + b_1 x + ... + b_{k−1} x^{k−1}, b_0, b_1, ..., b_{k−1} ∈ {0, 1, 2, ..., q − 1}, with r a_0 + b_0 = 0 (mod q) and r a_1 + b_1 = 0 (mod q). (Generally we assume q > p.)

(3) The dealer D computes v_i = (m_i, d_i), i = 1, 2, ..., n, where m_i = f(i) (mod p) and d_i = g(i) (mod q), and distributes each share v_i to player P_i.

Secret Reconstruction step: Input a list of shares (v_1, v_2, ..., v_k).

(1) Reconstruct f'(x) from (1, m_1), (2, m_2), ..., (k, m_k) by Lagrange interpolation over Z_p, and g'(x) from (1, d_1), (2, d_2), ..., (k, d_k) over Z_q.

(2) Let a'_0, a'_1, b'_0, b'_1 be the coefficients of x^0 and x^1 in f'(x) and g'(x), respectively. If there exists a common r' ∈ {0, 1, 2, ..., q − 1} with r' a'_0 + b'_0 = 0 (mod q) and r' a'_1 + b'_1 = 0 (mod q), output s = f'(0). Otherwise f'(0) is an invalid secret, cheating is detected, and the output is ⊥.

By the same analysis as in Theorem 1, any k − 1 cheaters obtain no information about the number r, and by the same argument as in Theorem 2, successful cheating by k − 1 cheaters amounts to guessing the number r ∈ {0, 1, 2, ..., q − 1}. Therefore the successful cheating probability is ε* = 1/q, independent of the size of the secret. For the other parameters, the size of secret is |S| = p and the size of share is |V| = pq = |S|/ε*.

6. CONCLUSION

In this paper, we discussed the significance of detecting cheating in linear secret sharing schemes and constructed a new linear (k, n) secret sharing scheme with the capability of cheating detection.
The proposed scheme has the following merits: (1) It is just a combination of two of Shamir's schemes; therefore it can be used in other threshold cryptographic systems that are based on Shamir's scheme. (2) The size of share in the proposed scheme almost reaches the theoretical lower bound for (k, n) secret sharing with cheating detection. (3) A single honest player can detect cheating by the other k − 1 players, which is a stronger detection capability than previous linear secret sharing schemes against cheating achieve. Finally, we gave a revised version in which the successful cheating probability can be chosen independently of the size of the secret.

ACKNOWLEDGEMENTS

This work is supported by the National Natural Science Foundation of China under Grant No. and the PhD research startup foundation of Xi'an University of Technology, Grant No.

Y. Liu Cheating detection in secret sharing

REFERENCES

1. Shamir A. How to share a secret. Communications of the ACM 1979; 22(11).
2. Karchmer M, Wigderson A. On span programs. Proceedings of the 8th Annual Structure in Complexity Theory Conference, San Diego, California, 1993.
3. Chaum D, Crépeau C, Damgård I. Multiparty unconditionally secure protocols. Proceedings of ACM STOC, Chicago, Illinois, 1988.
4. Cramer R, Damgård I, Maurer U. General secure multi-party computation from any linear secret sharing scheme. Proceedings of EUROCRYPT 2000, LNCS 1807, Bruges, Belgium.
5. Nikov V, Nikova S, Preneel B. Multi-party computation from any linear secret sharing scheme secure against adaptive adversary: the zero-error case. Proceedings of ACNS, Kunming, China, 2003.
6. Asmuth C, Bloom J. A modular approach to key safeguarding. IEEE Transactions on Information Theory 1983; 29(2).
7. Huang HF, Chang CC. A novel efficient (t, n) threshold proxy signature scheme. Information Sciences 2006; 176(10).
8. Desmedt Y, Frankel Y. Threshold cryptosystems. Proceedings of CRYPTO, LNCS 435, Santa Barbara, California, 1989.
9. Desmedt Y, Frankel Y. Shared generation of authenticators and signatures. Proceedings of CRYPTO, LNCS 576, Santa Barbara, California, 1992.
10. Tompa M, Woll H. How to share a secret with cheaters. Journal of Cryptology 1989; 1(3).
11. Araki T. Efficient (k, n) threshold secret sharing scheme secure against cheating from n−1 cheaters. Proceedings of ACISP, LNCS 4586, Townsville, Australia, 2007.
12. Carpentieri M, De Santis A, Vaccaro U. Size of shares and probability of cheating in threshold schemes. Proceedings of EUROCRYPT, LNCS 765, Lofthus, Norway, 1993.
13. Obana S, Araki T. Almost optimum secret sharing schemes secure against cheating for arbitrary secret distribution. Proceedings of ASIACRYPT, LNCS 4284, Shanghai, China, 2006.
14. Ogata W, Kurosawa K, Stinson DR. Optimum secret sharing scheme secure against cheating. SIAM Journal on Discrete Mathematics 2006; 20(1).
15. Carpentieri M. A perfect threshold secret sharing scheme to identify cheaters. Designs, Codes and Cryptography 1995; 5(3).
16. Kurosawa K, Obana S, Ogata W. t-cheater identifiable (k, n) secret sharing schemes. Proceedings of CRYPTO, LNCS 963, Santa Barbara, California, 1995.
17. Obana S. Almost optimum t-cheater identifiable secret sharing schemes. Proceedings of EUROCRYPT, LNCS 6632, Tallinn, Estonia, 2011.
18. Liu YX. Efficient t-cheater identifiable (k, n) secret sharing scheme for $t \le \lfloor (k-2)/2 \rfloor$. IET Information Security 2013; 8(1).
19. Gennaro R, Jarecki S, Krawczyk H, et al. Robust threshold DSS signatures. Proceedings of EUROCRYPT, LNCS 1070, Saragossa, Spain, 1996.
20. Pieprzyk J, Zhang XM. Cheating prevention in linear secret sharing. Proceedings of ACISP, LNCS 2384, Melbourne, Australia, 2002.
21. Harn L, Lin C. Detection and identification of cheaters in (t, n) secret sharing scheme. Designs, Codes and Cryptography 2009; 52(1).
22. Ghodosi H. Comments on Harn-Lin's cheating detection scheme. Designs, Codes and Cryptography 2011; 60(1).
23. Cabello S, Padró C, Sáez G. Secret sharing schemes with detection of cheaters for a general access structure. Designs, Codes and Cryptography 2002; 25(2).


More information

How to Break and Repair Leighton and Micali s Key Agreement Protocol

How to Break and Repair Leighton and Micali s Key Agreement Protocol How to Break and Repair Leighton and Micali s Key Agreement Protocol Yuliang Zheng Department of Computer Science, University of Wollongong Wollongong, NSW 2522, AUSTRALIA yuliang@cs.uow.edu.au Abstract.

More information

Zero Knowledge Protocol

Zero Knowledge Protocol Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information

More information

Speeding Up Evaluation of Powers and Monomials

Speeding Up Evaluation of Powers and Monomials Speeding Up Evaluation of Powers and Monomials (Extended Abstract) Hatem M. Bahig and Hazem M. Bahig Computer Science Division, Department of Mathematics, Faculty of Science, Ain Shams University, Cairo,

More information

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08

Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08 Homework 2 CS161 Computer Security, Spring 2008 Assigned 2/13/08 Due 2/25/08 1. Signatures and Attacks Recall that to use the ElGamal signature scheme, Alice randomly selects her private signing key x

More information

(2, n)-visual Cryptographic Schemes For Color Images With Low Pixel Expansion

(2, n)-visual Cryptographic Schemes For Color Images With Low Pixel Expansion (2, n)-visual Cryptographic Schemes For Color Images With Low Pixel Expansion Bhaswar B. Bhattacharya, Abhishek Chakrabortty, Shirshendu Ganguly, Shyamalendu Sinha Indian Statistical Institute, Kolkata

More information

A Related Key Attack on the Feistel Type Block Ciphers

A Related Key Attack on the Feistel Type Block Ciphers International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2

More information

Algorithms (III) Yijia Chen Shanghai Jiaotong University

Algorithms (III) Yijia Chen Shanghai Jiaotong University Algorithms (III) Yijia Chen Shanghai Jiaotong University Review of the Previous Lecture Factoring: Given a number N, express it as a product of its prime factors. Many security protocols are based on the

More information

Identification Schemes

Identification Schemes Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):

More information

Yet Another Secure Distance-Bounding Protocol

Yet Another Secure Distance-Bounding Protocol Yet Another Secure Distance-Bounding Protocol Ventzislav Nikov and Marc Vauclair NXP Semiconductors, Leuven, Belgium, ventzislav.nikov@nxp.com, marc.vauclair@nxp.com Abstract. Distance-bounding protocols

More information

Threshold Visual Cryptography Scheme for Color Images with No Pixel Expansion

Threshold Visual Cryptography Scheme for Color Images with No Pixel Expansion ISBN 978-952-5726-07-7 (Print), 978-952-5726-08-4 (CD-ROM) Proceedings of the Second Symposium International Computer Science and Computational Technology(ISCSCT 09) Huangshan, P. R. China, 26-28,Dec.

More information

SECRET SHARING SECRET SPLITTING

SECRET SHARING SECRET SPLITTING Clemens H. Cap Universität Rostock clemens.cap (at) uni-rostock (dot) de SECRET SHARING SECRET SPLITTING BaSoTI 2012, Tartu Anecdotal Problem Trent wants to give Alice and Bob access to the safe Trent

More information

Appeared in Proc. 4th International Workshop on Selected Areas in Cryptography (SAC'97), Schemes. (Extended Abstract) Ubilab, UBS. Bahnhofstr.

Appeared in Proc. 4th International Workshop on Selected Areas in Cryptography (SAC'97), Schemes. (Extended Abstract) Ubilab, UBS. Bahnhofstr. Appeared in Proc. 4th International Workshop on Selected Areas in Cryptography (SAC'97), Ottawa, Canada, pp. 231{244, 1997. Ecient Convertible Undeniable Signature Markus Michels Schemes (Extended Abstract)

More information

IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT

IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT Helwan University From the SelectedWorks of Maged Ibrahim July, 2015 IMPROVING SECURITY AND EFFICIENCY OF ENTERPRISE DIGITAL RIGHTS MANAGEMENT Ahmed Soliman Maged Ibrahim, Helwan University Adel El-Hennawy

More information

Lecture 18 - Chosen Ciphertext Security

Lecture 18 - Chosen Ciphertext Security Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not

More information

A Forward-Secure Signature with Backward-Secure Detection

A Forward-Secure Signature with Backward-Secure Detection A Forward-Secure Signature with Backward-Secure Detection Dai-Rui Lin and Chih-I Wang Department of Computer Science and Engineering National Sun Yat-sen University, Kaohsiung 804, Taiwan June 17, 2007

More information