New dynamic and verifiable multi-secret sharing schemes based on LFSR public key cryptosystem
Jing Yang, Fang-Wei Fu

TL;DR
This paper introduces two new verifiable multi-secret sharing schemes utilizing LFSR public key cryptosystem, addressing security flaws in previous schemes and offering shorter keys and dynamism.
Contribution
The paper proposes novel VMSS schemes based on LFSR cryptosystem that detect dealer deception and have shorter keys, improving security and efficiency.
Findings
Schemes detect dealer deception effectively.
Shorter private/public keys at same security level.
Schemes support dynamism.
| Scheme | Initialization | Construction | Verification | Reconstruction |
|---|---|---|---|---|
| MS1 [2], MS2 [2] | RSA, Diffie-Hellman | HLR, RSA | RSA, Diffie-Hellman | HLR or Lagrange interpolation |
| LZZ1 [6] | RSA | -degree polynomial or -degree polynomial, RSA | RSA, Diffie-Hellman | Lagrange interpolation |
| LZZ2 [6] | RSA | HLR, RSA | RSA, Diffie-Hellman | HLR or Lagrange interpolation |
| MS [7] | LFSR PK cryptosystem | NLR, LFSR PK cryptosystem | LFSR PK cryptosystem | NLR or Lagrange interpolation |
| our schemes | LFSR PK cryptosystem | NLR, LFSR PK cryptosystem | LFSR PK cryptosystem, Diffie-Hellman | NLR or Lagrange interpolation |
Taxonomy
Topics: Cryptography and Data Security · Cryptography and Residue Arithmetic · Chaos-based Image/Signal Encryption
New dynamic and verifiable multi-secret sharing schemes based on LFSR public key cryptosystem
Jing Yang*, Fang-Wei Fu
Chern Institute of Mathematics and LPMC, Nankai University, Tianjin, 300071, P. R. China
*Corresponding author: [email protected]
Abstract
A verifiable multi-secret sharing (VMSS) scheme enables the dealer to share multiple secrets, and the deception of both participants and the dealer can be detected. After analyzing the security of VMSS schemes proposed by Mashhadi and Dehkordi in 2015, we illustrate that they cannot detect some deception of the dealer. By using nonhomogeneous linear recursion and LFSR public key cryptosystem, we introduce two new VMSS schemes. Our schemes can not only overcome the drawback mentioned above, but also have shorter private/public key length at the same safety level. Besides, our schemes have dynamism.
Keywords: Verifiable multi-secret sharing; Nonhomogeneous linear recursion; LFSR public key cryptosystem; Key length; Dynamism
1 Introduction
With the rapid development of the Internet, the secure storage and transmission of information have become increasingly important. The security of the information depends on the security of the cryptosystem, which in turn depends on the keys used in the system. Having only one key holder is obviously insecure, so secret sharing was proposed to solve this problem by distributing the keys among several members; this not only prevents the over-centralization of key management but also guarantees the integrity and confidentiality of the keys.
However, the initial secret sharing schemes have several problems:
(1) They can share only one secret at a time;
(2) They need a secure channel to distribute the shares;
(3) They cannot detect deceptive behavior by either the dealer or the participants;
(4) The shares held by participants cannot be reused;
(5) If participants join or leave the scheme, all the shares need to be updated;
(6) When the dealer changes the threshold, all the shares need to be altered.
In order to overcome the weaknesses of the original scheme, researchers have proposed several improved schemes in recent years. In 2004, Yang et al. presented a new multi-secret sharing scheme (YCH) [10]. Based on Feldman's scheme [3], Shao et al. proposed an improved scheme [9] in 2005, which still needs a private channel. In 2006, Zhao et al. proposed an effective VMSS scheme (ZZZ) [11]. Since public key cryptography is used in the verification phase, a private channel is unnecessary.
In 2008, Massoud and Samaneh [2] presented two efficient VMSS schemes, which employ the intractability of the discrete logarithm and RSA cryptosystem [8] to modify the YCH scheme. For simplicity, we call the first scheme in [2] MS1 scheme, and the second scheme in [2] MS2 scheme. In 2016, Liu et al. [6] found that ZZZ scheme, MS1 scheme and MS2 scheme cannot resist cheating by the dealer, and proposed two modified schemes utilizing RSA encryption system. Similarly, we call the first scheme in [6] LZZ1 scheme, and the second scheme in [6] LZZ2 scheme. In 2015, Massoud and Samaneh proposed two new VMSS schemes (MS schemes) [7] by nonhomogeneous linear recursions and LFSR public key cryptosystem [4, 5]. Likewise, the two schemes have the same drawback as the schemes in [2], and we call the first scheme in [7] MS3 scheme, and the second scheme in [7] MS4 scheme.
In this work, we present two new dynamic VMSS schemes using the LFSR public key cryptosystem, based on the MS schemes [7], which overcome the disadvantages of the previous schemes and have shorter key length than the schemes in [6]. Moreover, our schemes allow participants to join or leave the group optionally, and let the dealer change the number or value of the shared secrets, and even the threshold, dynamically according to the practical situation.
The rest of this paper is organized as follows. In Section 2, we review the nonhomogeneous linear recursion, the LFSR public key cryptosystem, and give the attack to MS schemes. In Section 3, we present our two schemes. We propose the security analysis in Section 4, while Section 5 gives the performance analysis. Finally, we conclude our schemes in Section 6.
2 Preliminaries
2.1 Linear recursion
In this subsection, we briefly introduce the linear recursion; refer to [1] for a detailed description.
Definition 1.
A linear recursion is defined by the equations:
[TABLE]
where and are predefined real constants. is a positive variable, the degree of this linear recursion. If , the linear recursion is homogeneous. Otherwise, it is nonhomogeneous.
Definition 2.
For a linear sequence with degree defined above, we give the following concepts:
(1) Auxiliary equation: .
(2) Generating function: .
Lemma 1.
We assume that sequence with degree , and its auxiliary equation is , where . Then its generating function is
[TABLE]
where is a polynomial and
And where and are constants defined by
Our schemes use two examples of nonhomogeneous linear recursion shown as follows:
Theorem 1.
Utilizing to generate sequence , where have the following form:
[TABLE]
where are predefined real constants. Therefore where is a polynomial of with degree at most .
Proof.
Utilizing equation (1), we obtain
[TABLE]
[TABLE]
where is a polynomial with degree . Consequently,
[TABLE]
From Lemma 1, we can get , where is a at most -degree polynomial. ∎
Theorem 2.
Utilizing to generate sequence , where have the following form:
[TABLE]
where are predefined real constants. Therefore , where is a polynomial of with degree at most .
The proof of Theorem 2 can be completed by the method analogous to Theorem 1.
2.2 The LFSR public key cryptosystem
At first, we introduce the third-order LFSR sequence [4, 5]. Assuming that is irreducible which is the characteristic polynomial of the following LFSR sequences, where and is a prime.
Definition 3.
A sequence satisfies the following conditions:
[TABLE]
Then, we call is a third-order LFSR sequence whose characteristic polynomial is .
We denote as , as , then we have the following Lemma.
Lemma 2.
[4] Let over generate the third-order LFSR sequences . If , then for all positive integers and .
Definition 4.
(The LFSR public key cryptosystem) A sender generates the public key and private key by the following operation:
(1) selects two primes and , and computes . Notice that the next few steps are performed on and the period of the irreducible polynomial is ;
(2) selects such that , where ;
(3) computes such that ;
(4) publishes and as public key, then keeps as private key.
Enciphering:
In order to send to the receiver, the sender generates as corresponding cipher text, where .
Deciphering:
When receiving , the receiver can get the corresponding plain text by private key .
2.3 Attack to MS schemes
In this subsection, we give the attack on the MS3 scheme, which also applies to the MS4 scheme. Please refer to [7] for the details of the MS schemes. When recovering the secrets, they merely check the validity of by , where ; however, the consistency between and is not checked. Thus, a malicious dealer can deceive the participants successfully, which means that:
When ,
(1) chooses a random and substitutes with to calculate the equations below:
[TABLE]
For , calculates ;
(2) calculates , and ;
(3) releases .
When ,
(1) chooses a random and considers the sequence generated by the equations below:
[TABLE]
For , calculates ;
(2) substitutes with to calculate , then calculates and respectively;
(3) releases .
In the reconstruction phase, because the replacement is barely perceptible by , those participants still provide real which conflicts with or generated by the dealer. Therefore, the recovered secrets are wrong. However, any at least honest participants exclusive of can reconstruct the shared secrets. Furthermore, if the dealer replaces more than one with invalid , the situation gets even worse. In conclusion, the MS schemes cannot resist attack by a malicious dealer.
3 The new VMSS schemes
To avoid the attack mentioned above, based on MS schemes [7], we present new VMSS schemes by examining consistency, which can detect deception of both participants and the dealer successfully.
3.1 Scheme 1
Scheme 1 utilizes the , the LFSR public key cryptosystem and the discrete logarithm problem.
3.1.1 Initialization phase
Suppose be the dealer, be participants, and be the threshold.
Initialization of :
(1) selects , of bit-length , where and are two strong primes. Then calculates of bit-length . Note that here is the security parameter of the LFSR public key cryptosystem.
(2) randomly selects two primes with bit-length more than , satisfying , and $Q > \binom{k}{i}$ for
(3) selects of of order satisfying that the discrete logarithm problem with base in is infeasible.
(4) releases to participants.
Initialization of participants:
(1) of identity selects two strong primes , , and then calculates . Note that the period of the irreducible polynomial in is , then all the computations are performed in .
(2) randomly selects an integer such that , for .
(3) calculates the integer satisfying .
(4) passes to with a public channel, and keeps its shadow secret.
releases .
Remark 1.
The released messages can be reused after this phase. In addition, cannot get any information about shadows, therefore these shadows are also reusable.
3.1.2 Construction phase
Let be secrets, where ). Then executes the steps as below to produce respective subshadow :
(1) selects for at random.
(2) randomly selects a constant satisfying and considers as below:
[TABLE]
(3) For , calculates .
(4) calculates .
(5) calculates and ,().
(6) releases .
Remark 2.
According to Lemma 2, we know that . If , we have , which means that
[TABLE]
3.1.3 Verification phase
In order to obtain the subshadow , calculates following formula:
[TABLE]
By the formulas below, our schemes can perform validity and consistency detection.
[TABLE]
[TABLE]
Once the equations above are satisfied, each is thought to be valid and in accord with released messages. If every verification succeeds, participants think that is not malicious.
3.1.4 Reconstruction phase
Suppose that at least participants utilize corresponding to reconstruct the secrets. Every can detect the validity of using the formulas as below:
[TABLE]
The following two methods can be utilized:
Method 1: Using valid subshadows and the released , they can get the formulas by Theorem 1:
[TABLE]
Solving the equations or utilizing the Lagrange interpolation, they get in .
Then, they obtain
[TABLE]
where .
Therefore, they reconstruct the secrets:
Method 2: If utilizing successive , they can calculate other by the formulas:
[TABLE]
Therefore, they reconstruct the secrets:
3.2 Scheme 2
Scheme 2 utilizes the , the LFSR public key cryptosystem and the discrete logarithm problem.
3.2.1 Initialization phase
The initialization phase in Scheme 2 is the same as Scheme 1.
3.2.2 Construction phase
Compared with Scheme 1, we substitute with the , and the rest is the same.
3.2.3 Verification phase
can calculate to obtain the corresponding subshadow. By the formulas below, our schemes can perform validity and consistency detection:
[TABLE]
[TABLE]
Once the equations above are satisfied, each is thought to be valid and in accord with released messages. If every verification succeeds, participants think that is not malicious.
3.2.4 Reconstruction phase
Suppose that at least participants utilize corresponding to reconstruct the secrets. Every can detect the validity of using the formulas as below:
[TABLE]
Method 1: Using valid subshadows and the released , they can get the formulas by Theorem 2:
[TABLE]
Solving the equations or utilizing the Lagrange interpolation, they get in .
Then, they obtain
[TABLE]
where .
Therefore, they reconstruct the secrets:
Method 2: If utilizing successive , they can calculate other by the formulas:
[TABLE]
Therefore, they reconstruct the secrets:
From Figure 1, in the MS schemes [7], every selects independently, computes the corresponding , and then transmits it to . Thereafter, and can obtain the secret share , where . However, whether the used in the generation of is the same as the one provided by is not verified.
While in our schemes, computes and maintains confidentiality of , then transmits to , where is relevant public key of . Then can get by , where . After that can calculate its subshadow by . We add the consistency detection between the and released messages to perceive malicious dealer.
4 Security analysis
The security analysis of our two schemes is analogous, so we take Scheme 1 as example. Generally, when it comes to the security of a VMSS scheme, there are three conditions to be satisfied.
(1) Correctness: Provided that all participants and their dealer behave authentically, at least participants can recover shared secrets successfully.
(2) Verifiability:
In the verification phase, any participant can detect dishonest operation by the dealer.
In the reconstruction phase, any other participants can detect a false subshadow by a malicious participant.
(3) Privacy: Corruption of at most participants cannot acquire any information of secrets.
4.1 Correctness
At first, in order to test the consistency of subshadow with the released messages, we must publish the predefined constant . When is unknown, the right side of the following equation is indeterminate.
[TABLE]
Secondly, we explain the reason why we employ the in Scheme 1. If we still use the original sequence [7], which is
[TABLE]
We suppose that the corrupted participants are with corresponding subshadows . Then the attacker can calculate the whole sequence since is released by the dealer . In other words, an attacker corrupting participants can get other honest participants’ subshadows, and the attacker can reconstruct the shared secrets successfully.
Thirdly, since we use in the construction phase, we need to construct a polynomial with degree in the reconstruction phase, as shown in Theorem 1. There are indeterminate coefficients in , but we merely have subshadows. Besides the subshadows provided by the honest participants, we need one more . Because are the subshadows of participants , and are correlated with the shared secrets , is the only term satisfying this demand. Therefore, we release in the construction phase.
Finally, if the dealer and the participants are honest, any at least participants can reconstruct the shared secrets using the two methods mentioned in the Section 3.1.4.
Remark 3.
In fact, the aforementioned sequence has degree . In MS schemes [7], the constant is not released. Therefore, the designer must use a -degree to satisfy the requirement of a secure VMSS scheme.
To sum up, we employ the for the following reasons:
(1) The constant has to be released for verifying the consistency of subshadow with released messages.
(2) A -degree sequence is utilized and the term has to be released to make Scheme 1 be a secure VMSS scheme.
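As an added illustration (my own code, not the paper's), the following Python models the two reconstruction methods of Section 3.1.4 and the counting argument of Section 4.1 on one assumed instance of a nonhomogeneous linear recursion. The paper's exact coefficients and degree are not reproduced on this page, so I take the recursion with binomial coefficients C(t+1, j) and constant term c, whose solutions are polynomials of degree t+1 in the index i (the form Theorem 1 describes), and assume the dealer releases c and u_0; Q, t, n, m and the polynomial are constructed values.

```python
from math import comb, factorial

# Constructed parameters: the paper's Q is a large prime; a small one keeps the example readable.
Q = 1_000_003   # prime modulus, larger than every binomial coefficient C(t+1, j) used below
T = 3           # threshold t
N = 5           # participants; u_1..u_N are their subshadows
M = 2           # secrets; u_{N+1}..u_{N+M} carry them


def poly_eval(coeffs, x, q=Q):
    """g(x) = coeffs[0] + coeffs[1]*x + ... mod q, by Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % q
    return acc

def dealer_setup(coeffs, q=Q):
    """Dealer side (assumed instance): u_i = g(i) with deg g = t+1. Such a sequence
    satisfies the nonhomogeneous recursion with binomial coefficients
        sum_{j=0}^{t+1} (-1)^j C(t+1, j) u_{i-j} = c,   c = (t+1)! * a_{t+1},
    so c is the released constant. Returns (u_0..u_{N+M}, c)."""
    d = len(coeffs) - 1
    seq = [poly_eval(coeffs, i, q) for i in range(N + M + 1)]
    return seq, factorial(d) * coeffs[d] % q

def nlr_next(prev, c, q=Q):
    """One recursion step: next term from the d = len(prev) most recent consecutive terms."""
    d = len(prev)
    acc = c
    for j in range(1, d + 1):
        acc += (-1) ** (j + 1) * comb(d, j) * prev[-j]
    return acc % q

def recursion_holds(seq, c, q=Q):
    """Consistency check on a full sequence against the released constant c."""
    d = T + 1
    return all(nlr_next(seq[i - d:i], c, q) == seq[i] for i in range(d, len(seq)))

def lagrange_at(points, x, q=Q):
    """Value at x of the unique polynomial of degree < len(points) through the points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total

def reconstruct_method1(shares, u0, c, x, q=Q):
    """Method 1: t subshadows {i: u_i} plus the released u_0 and c determine u_x.
    c fixes the leading coefficient a_{t+1} = c/(t+1)!, so h(i) = u_i - a_{t+1} i^{t+1}
    has degree <= t and is interpolated from the t+1 known points."""
    d = T + 1
    lead = c * pow(factorial(d), -1, q) % q
    pts = [(0, u0)] + list(shares.items())
    pts = [(i, (u - lead * pow(i, d, q)) % q) for i, u in pts]
    return (lagrange_at(pts, x, q) + lead * pow(x, d, q)) % q

def reconstruct_method2(consecutive, c, x, q=Q):
    """Method 2: t+1 consecutive terms (u_0..u_t) extended by the recursion up to u_x."""
    seq = list(consecutive)
    while len(seq) <= x:
        seq.append(nlr_next(seq[-(T + 1):], c, q))
    return seq[x]

def secret_candidates(partial, u0, c, x, trials=5, q=Q):
    """Privacy (the counting in Theorem 3): with only t-1 subshadows, plus u_0 and c,
    every guess for one missing subshadow is consistent, so u_x stays undetermined."""
    missing = next(i for i in range(1, N + 1) if i not in partial)
    seen = set()
    for guess in range(trials):
        shares = dict(partial)
        shares[missing] = guess
        seen.add(reconstruct_method1(shares, u0, c, x, q))
    return seen
```

With t=3 the secret term u_6 is recovered from any three subshadows plus u_0 by either method, while two subshadows plus u_0 leave a different candidate for every guess of the third.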
4.2 Verifiability
In the verification phase, if is valid, and succeeds in providing a false to , which means that , and
[TABLE]
Because , the probability of can be neglected. Then we conclude that , which means that cannot distribute a false to successfully.
Besides, once a malicious succeeds in providing a false during the reconstruction phase, the other participants get , which implies . Then the dishonest can be discovered.
4.3 Privacy
Because and the discrete logarithm problem in with the base is hard, the attacker gets no helpful messages of from . If the attacker wants to obtain messages of from , where for , he must break the LFSR public key cryptosystem, which is impossible under our assumption.
Not mastering at least subshadows, the attacker cannot utilize the sequence to get . Then, the attacker gets nothing about shared secrets, namely .
Theorem 3.
The corruption of at most participants cannot obtain any helpful messages of the secrets.
Proof.
The attacker cannot obtain any helpful messages of the from and . Therefore, in order to obtain honest participants’ subshadows, the attacker can only utilize the at most corrupted participants’ subshadows. We might as well assume to be the malicious participants. The attacker can merely get the sequence from the formulas below by and released constant :
[TABLE]
There are linear equations, but variables . Then the attacker has to select the value of in randomly, which implies the probability to get other participants’ subshadows successfully is . Since , the probability is less than . Therefore, the corruption of at most participants cannot obtain any helpful messages of the secrets.
∎
5 Performance analysis
In this section, we compare some proposed VMSS schemes with ours from four aspects.
5.1 Computational cost
As for the computational cost, since modular exponentiation accounts for most of the running time, Table 1 displays the difference between some existing schemes and ours, and Table 2 lists the cryptographic primitives used in the four phases of these schemes.
From Table 1, we know that our schemes are the most efficient in the first two phases. Compared with the schemes in [6], our schemes replace the RSA encryption scheme by the LFSR public key cryptosystem in the construction phase, as can be seen from Table 2. This replacement decreases the number of modular exponentiations used in the construction phase of our schemes. Since we append a consistency check to detect a malicious dealer, our schemes need more modular exponentiations than the first two schemes and the MS schemes [7] in the verification phase. Because the schemes in [7] do not use modular exponentiation, we do not list them in Table 1.
5.2 Communication cost
We give the communication cost of the first two phases of some schemes in Table 3. It implies that the new VMSS schemes are as efficient as the MS1, MS2 and MS schemes in the first phase, but a little less efficient in the second phase, owing to the fact that we require to provide released messages for detecting malicious behavior of the dealer. The serious consequences of omitting this check are shown in Section 2.3.
5.3 Dynamism
In this subsection, we will illustrate how to process a dynamic update, cancel, and addition of the participants, the values of secrets and the threshold according to the actual situation.
Participants:
If a fresh participant wants to join the scheme, it computes , where and are strong primes. Then it chooses an integer and calculates the corresponding secret shadow , and sends to . Next, calculates and , then releases them. To cancel a , merely eliminates . Once tries to utilize to recover the secrets, it will inevitably be detected.
Secrets:
If wants to append a secret , he merely calculates and releases . Similarly, if wants to remove a secret , he merely eliminates . When wants to alter the value of the secrets, the manipulation is obvious.
Threshold:
In addition, as we analyzed in Section 4.1, our schemes are secure VMSS schemes. If wants to change the threshold of our schemes, he only needs to utilize a new sequence with a corresponding degree. For example, if we use the sequence with degree , our schemes are secure VMSS schemes, which is easily executable. Since the schemes in [7] are VMSS schemes, in order to compare them with ours, we also require that our schemes are secure VMSS schemes.
5.4 Performance characteristic
We analyze the performance characteristic of the schemes in [2, 6, 7] and our schemes in Table 4.
Characteristic 1: Recover multiple secrets simultaneously
Characteristic 2: Usage of the public channel
Characteristic 3: Detect deception of malicious
Characteristic 4: Detect deception of malicious
Characteristic 5: Change the shared secrets after an unsuccessful reconstruction phase
Characteristic 6: Recycle of the shadows with diverse
Characteristic 7: Recycle of the shadows when participants join in/quit from the group
Characteristic 8: The bit length of private key in a 1024-bit finite field
Characteristic 9: The bit length of public key in a 1024-bit finite field
From Table 4, the MS1, MS2 and MS schemes cannot detect deception by a malicious , while the LZZ1, LZZ2 and our schemes overcome this drawback. However, in a -bit finite field, the length of the private or public key in our schemes is only bits, while in [6] the length is three times longer to achieve the same safety level, which implies that our schemes are more efficient and consume less. Besides, in the MS1 scheme [2], the shadows of participants cannot be reused after reconstructing the secrets. Therefore, the participants have to repeat the first phase, while our schemes allow them to reuse the shadows, which reduces the cost of initialization.
6 Conclusion
Dynamic and verifiable multi-secret sharing schemes share multiple secrets among a set of participants and detect the deception by malicious participants and the dealer dynamically. Utilizing the nonhomogeneous linear recursion and LFSR public key cryptosystem, we propose two efficient dynamic and verifiable multi-secret sharing schemes.
First, our schemes conquer the drawback of MS schemes [7] by adding consistency check between the participants’ corresponding subshadows and released messages. Second, although our schemes have the same advantage as the schemes in [6], we have less computational cost. Furthermore, since we substitute the RSA encryption scheme by the LFSR public key cryptosystem, the private/public key length of our schemes is only one-third of the schemes in [6] for the same safety level.
The final analyses of the proposed schemes indicate that they are secure and effective VMSS schemes, permitting recovery of multiple secrets simultaneously, using the public channel, detecting deception of both a malicious dealer and participants, reusing the shadows, having dynamism attribute, and having shorter public/private key length.
References
[1] Norman L. Biggs. Discrete Mathematics. Oxford University Press, Inc., New York, NY, USA, 2nd edition, 2002.
[2] Massoud Hadian Dehkordi and Samaneh Mashhadi. New efficient and practical verifiable multi-secret sharing schemes. Information Sciences, 178(9):2262–2274, 2008.
[3] Paul Feldman. A practical scheme for non-interactive verifiable secret sharing. In Proceedings of the 28th Annual Symposium on Foundations of Computer Science, SFCS '87, pages 427–438, Washington, DC, USA, 1987. IEEE Computer Society.
[4] Guang Gong and Lein Harn. Public-key cryptosystems based on cubic finite field extensions. IEEE Trans. Inf. Theor., 45(7):2601–2605, November 1999.
[5] Guang Gong, Lein Harn, and Huapeng Wu. The GH public-key cryptosystem. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography, pages 284–300, Berlin, Heidelberg, 2001. Springer Berlin Heidelberg.
[6] Yanhong Liu, Futai Zhang, and Jie Zhang. Attacks to some verifiable multi-secret sharing schemes and two improved schemes. Inf. Sci., 329(C):524–539, February 2016.
[7] Samaneh Mashhadi and Massoud Hadian Dehkordi. Two verifiable multi secret sharing schemes based on nonhomogeneous linear recursion and LFSR public-key cryptosystem. Information Sciences, 294:31–40, 2015.
[8] R. L. Rivest, A. Shamir, and L. Adleman. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM, 21(2):120–126, February 1978.
