Publicly Verifiable Secret Sharing Scheme with Provable Security against Chosen Secret Attacks

Secret sharing is an important aspect of key management in wireless ad hoc and sensor networks. In this paper, we define a new security model for secret sharing, use Lagrange interpolation and bilinear cyclic groups to construct an efficient publicly verifiable secret sharing scheme on the basis of this model, and show that this scheme is provably secure against adaptively chosen secret attacks (CSAs) under the decisional bilinear Diffie-Hellman (DBDH) assumption. The scheme has the following properties: (a) point-to-point secure channels are required in neither the secret distribution phase nor the secret reconstruction phase; (b) it is a noninteractive secret sharing system in that the participants need not communicate with each other during sub-shadow verification; and (c) each participant is able to share many secrets with the other participants while holding only one shadow.


Introduction
A secret sharing scheme [1-8] allows the splitting of a secret into different pieces, called shares or shadows, which are given to a group of participants (or shareholders). Only a certain specified subset of the participants can reconstruct the secret easily by providing their shadows, while any unqualified subset cannot obtain any knowledge about the secret. Secret sharing is useful for any important action whose initiation requires the collective decision of several designated participants, such as the launch of a missile, the opening of a bank vault, or the opening of a safety deposit box. Research on secret sharing is important for key distribution in wireless ad hoc and sensor networks [9], both in theory and in practice.
In 1979, two basic secret sharing schemes were independently proposed by Shamir [1] and Blakley [10]. They used two different methods to construct threshold secret sharing schemes. In Shamir's scheme, a secret  is divided into  shadows by a dealer and shared among  participants in such a way that it is possible to reconstruct the secret with any  or more shadows but impossible to reconstruct it with fewer than  shadows. Such a scheme is called a (, ) threshold secret sharing scheme. Early secret sharing schemes [1, 10] did not include verification of the correctness of shadows; hence, if one or more participants are dishonest, the secret cannot be recovered correctly.
Verifiable secret sharing (VSS) was proposed in [11] to address dishonest participants who want to deceive the honest participants, or a dishonest dealer who distributes incorrect shadows to some participants. VSS has been an important area of cryptographic research for the last two decades [5, 7, 8, 12, 13, 14, 15]. Feldman [12] proposed a very practical VSS scheme whose security is based on the discrete logarithm problem. In this scheme, a deterministic function of the secret is published; hence, it achieves only one-way security. Pedersen [13] proposed a VSS scheme that can withstand an unbounded passive adversary.
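As an added illustration (example code written for this page, not code from the paper or from [1, 12]) of the two building blocks just described, the following Python sketch implements Shamir's (t, n) sharing by Lagrange interpolation over Z_q together with Feldman's public commitments g^{a_j} to the polynomial coefficients, and makes the limitation noted above concrete: because g^{a_0} = g^S is published, anyone can confirm a guessed secret, which is why Feldman's scheme gives one-way security but not indistinguishability. The group parameters p = 2039, q = 1019, g = 4 are toy values chosen here for readability and are an assumption, not from the paper; real deployments use a group with a roughly 256-bit prime order.

```python
"""Shamir (t, n) threshold sharing with Feldman's public commitments.

Added example; toy group, not the paper's pairing-based construction.
"""
import secrets

# Toy parameters (assumption for illustration only; far too small for real use):
# p = 2q + 1 with p, q prime, and g = 4 generates the order-q subgroup of Z_p^*.
P = 2039
Q = 1019
G = 4


def _eval_poly(coeffs, x):
    """Horner evaluation of f(x) = sum_j coeffs[j] * x^j over Z_q."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def share(secret, t, n, rng=secrets.randbelow):
    """Dealer: pick a random degree-(t-1) polynomial f with f(0) = secret.

    Returns the shadows [(i, f(i))] for participants 1..n and the Feldman
    commitments [g^{a_0}, ..., g^{a_{t-1}}] that are published for everyone.
    """
    coeffs = [secret % Q] + [rng(Q) for _ in range(t - 1)]
    shadows = [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shadows, commitments


def verify_shadow(i, s_i, commitments):
    """Public check: g^{s_i} == prod_j (g^{a_j})^{i^j} mod p.

    Exponents are reduced mod q because every commitment has order q.
    """
    lhs = pow(G, s_i, P)
    rhs = 1
    for j, c_j in enumerate(commitments):
        rhs = rhs * pow(c_j, pow(i, j, Q), P) % P
    return lhs == rhs


def reconstruct(shadows):
    """Lagrange interpolation at x = 0 over Z_q using the given shadows.

    Correct whenever at least t distinct, valid shadows are supplied.
    """
    secret = 0
    for i, s_i in shadows:
        num, den = 1, 1
        for j, _ in shadows:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        secret = (secret + s_i * num * pow(den, -1, Q)) % Q
    return secret


def confirms_guess(commitments, guess):
    """Feldman publishes g^{a_0} = g^{secret}, a deterministic function of the
    secret. Anyone can therefore confirm a candidate secret, so the published
    values are not indistinguishable across secrets (one-way security only).
    """
    return commitments[0] == pow(G, guess % Q, P)


if __name__ == "__main__":
    shadows, commitments = share(123, t=3, n=5)
    assert all(verify_shadow(i, s, commitments) for i, s in shadows)
    print("reconstructed:", reconstruct(shadows[:3]))
    print("guess 123 confirmed:", confirms_guess(commitments, 123))
```

The verification step is what makes the sharing publicly verifiable in Feldman's sense: it uses only the published commitments and the shadow being checked, so no interaction with the dealer or other participants is needed. The last function is the counterpart of the remark that a deterministic function of the secret is published; a scheme aiming at indistinguishability of secrets, as in the remainder of this paper, must avoid publishing any value that an adversary can recompute from a candidate secret.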
Stadler [16] proposed a publicly verifiable secret sharing (PVSS) scheme in which the validity of the shadows can be verified by anyone without knowledge of the shadows. In some PVSS schemes [5, 14], the verification procedure involves interactive proofs of knowledge. If these proofs are made noninteractive by means of the Fiat-Shamir technique [17], the security of the verification process can only be established in the random oracle model (ROM) [18]. Moving the security analysis of cryptographic primitives from the random oracle model to the standard model (SM) [19] has always been a theoretically important task.
1.1. Related Work. In 2005, Ruiz and Villar [15] proposed a new PVSS scheme with a higher level of secrecy, called indistinguishability (IND) of secrets, based on the decisional composite residuosity assumption. In 2009, Heidarvand and Villar [3] gave two new security definitions for publicly verifiable secret sharing that capture the notion of indistinguishability of shared secrets. They then proposed a noninteractive PVSS scheme that achieves indistinguishability of secrets in the standard model under the decisional bilinear square (DBS) assumption, a natural variant of the standard decisional bilinear Diffie-Hellman (DBDH) assumption. In 2010, Jhanwar [20] proposed a PVSS scheme whose security level is called semantic security, based on the (, )-multi-sequence of exponents Diffie-Hellman problem. In 2011, Wu and Tseng [2] proposed a pairing-based PVSS scheme. To reduce the computational cost, they used the batch verification technique. They also showed that their scheme is a secure PVSS scheme under the bilinear Diffie-Hellman (BDH) assumption in the random oracle model. Semantic security, however, does not guarantee any level of secrecy if an adversary mounts an active attack. It is therefore important to design a PVSS scheme that is secure against adaptively chosen secret attacks (CSAs) in the standard model.
Another important aspect of secret sharing is the problem of making the size of each participant's shadow as small as possible. A secret sharing scheme is ideal if the length of every shadow equals the length of the secret; this is the best possible situation. However, we would like to emphasize that it is also very important to reduce the number of secure channels used in a secret sharing scheme, especially in wireless ad hoc and sensor networks.
A secret sharing scheme contains at least two essential phases: a share distribution phase and a secret reconstruction phase. In the share distribution phase, a dealer chooses a secret, executes a secret distribution algorithm to generate shadows, and then sends the generated shadows to the participants through point-to-point secure channels. In the secret reconstruction phase, the participants belonging to a qualified subset exchange their shadows among themselves through point-to-point secure channels to reconstruct the secret. In a (, ) threshold secret sharing scheme, there are  secure channels in the share distribution phase and at least ( 2 ) secure channels in the secret reconstruction phase. To
(iii) No secure channels needed: in both the setup and share distribution phases, there are no secure point-to-point communication channels between the dealer and the participants. Moreover, no secure point-to-point communication channels are used in the reconstruction phase of the extended scheme.
(iv) Noninteractivity: the participants need not talk to each other during the secret reconstruction phase.
An overview comparing the major technical differences, and the corresponding security levels, of our scheme with those of the WT11 [2] and HV09 [3] PVSS schemes is given in Table 1.

1.2. Paper Organization. This paper is organized as follows. In Section 2, we describe the definition of bilinear maps and the decisional bilinear Diffie-Hellman problem. In Section 3, we describe the model of our PVSS scheme and its security model. In Section 4, we present our pairing-based PVSS scheme, and in Section 5, we prove its security. In Section 6, we analyze the performance of our scheme. In Section 7, we present an extended scheme that allows reconstruction of the secret through public channels. Finally, we conclude in Section 8.

Preliminaries
If  is a set, || denotes its size.The symbol "⊥" denotes failure.

Bilinear Map.
Let G and G 1 be two cyclic groups of prime order . Here, we assume that G is an additive cyclic group and G 1 is a multiplicative cyclic group. A bilinear map (⋅, ⋅) is a map G × G → G 1 such that for  ̸ = 0 ∈ G and ,  ∈ Z  \ {0}, it satisfies the following properties [22, 23].
(iii) Computability: there is an efficient algorithm to compute (, ) for all ,  ∈ G.
The algorithm GG() is a bilinear group generator that takes a security parameter  ∈ Z as input and outputs the descriptions of the groups G and G 1 and a bilinear map  : , where all group operations in G and G 1 as well as the map  can be computed in time polynomial in . We assume that  = (, , G, G 1 , (⋅, ⋅)) is the output of GG().

Decisional Bilinear Diffie-Hellman Assumption.
Given a tuple , , ,  ∈ G for some uniformly chosen , ,  ∈ Z  \ {0} and  ∈ G 1 as input, the task is to decide whether or not  = (, ) abc . The advantage of an algorithm A in solving the DBDH problem is defined as
The DBDH problem is said to be (, )-hard if there is no algorithm that can solve the DBDH problem within time  with advantage at least .

Definitions
This section is dedicated to the definition of a (, ) threshold PVSS scheme and its security model.

3.1. Threshold PVSS Scheme without Secure Channels. Let U = ( 1 , . . .,   ) be a set of  participants. A dealer wants to share a secret S among the participants of U in such a way that any  or more participants can recover the secret, while no  − 1 participants can obtain any information about the secret.
A PVSS scheme is described by the following algorithms.
(1) Setup: this algorithm is composed of the following steps. (i) The dealer generates all public parameters of the scheme. (ii) Every participant selects its channel protection key   and publishes the corresponding public key   . (iii) The dealer randomly picks a number as the main secret of the system and uses   ( = 1, 2, . . ., ) and the main secret to generate a main shadow   ( = 1, 2, . . ., ) for every participant, together with the system shadow verification key (SVK). (iv) For each   , the dealer sends   's main shadow   to   through public channels.
(2) Secret distribution: the dealer randomly selects a secret  that will be distributed to the participants. It calculates and publishes the secret commitment value (SCV)  1 and the secret deriving value (SDV)  2 of the secret  and outputs ( 1 ,  2 ). A participant can use  1 and its main shadow   to derive its sub-shadow of the secret  by itself.
(3) Verification (
(iii) Privacy: the basic requirement is that it is impossible for any collusion of fewer than  participants to obtain any information about a secret.
Hereafter, we use the notion of a CSA to define the security of the PVSS scheme. We mostly follow the notation of [19, 23], using a game between an adversary A and a challenger C.
(i) Init. C executes Setup () to obtain the public parameters and sends them to A along with all of the shadow verification keys SVK.
(ii) Phase 1. The adversary adaptively selects a secret and generates ( 1 ,  2 ) for that secret from the public parameters, just as the dealer does. Moreover, the adversary A is permitted to query the sub-shadow of a participant on ( 1 ,  2 ).
(iii) Sub-shadow query. On input a participant   together with  1 and  2 , C executes the sub-shadow generation sub-algorithm on ( 1 ,  2 ),   and   and forwards the resulting (,   ) or (, ⊥) to the adversary A.
is negligible with respect to .

Construction
In this section, we present a concrete (, ) PVSS scheme and prove its security against CSA in the next section.
After the dealer has announced the public parameters, each participant   randomly selects an integer   ∈ Z  \ {0} (  is   's channel protection key) and calculates   =    2 . Each participant keeps   confidential and sends   to the dealer over public channels.
Having received all the   , the dealer performs the following operations.
(3) The dealer selects a collision-resistant hash function  : G → {0, 1}  , where  is the output length of .
Secret Distribution. The dealer wants to share a secret, which is a random element of G 1 . The secret has the form S = ( 1 ,  2 )  , where  is selected uniformly at random from Z  \ {0}. Let  be a bit string of length , let   denote the th bit of , and let V ⊆ {1, . . ., } be the set of all  for which   = 1. The dealer calculates and publishes the SCV  1 and the SDV  2 as follows:
The dealer either broadcasts ( 1 ,  2 ) to all participants or publishes ( 1 ,  2 ) on the BB. (  's real sub-shadow   for the secret S is ( 1 , −  ()  ). To achieve CSA security, no participant   sends   directly to the other participants in the reconstruction algorithm.) If the dealer wants to share a new secret, it simply executes the secret distribution algorithm again and publishes the corresponding information on the BB; the main shadow   of   need not be changed.
Verification. Given ( 1 ,  2 ), this algorithm first computes  = ( 1 ) and outputs "valid" or "invalid" according to the following:
Reconstruction. Without loss of generality, assume that Γ = {1, . . ., } is a qualified subset of the participants, that is, it consists of at least  participants who want to collectively reconstruct the secret S. Each participant in Γ executes the following algorithms:
(1) Sub-shadow generation (
At this point, every participant in Γ uses ( 1 ,  2 ,  1 ,  2 ) to reconstruct the secret S as follows:

Correctness.
If the dealer and the participants are honest, any  or more participants can reconstruct the secret by executing the reconstruction algorithm. The correctness of equalities (6), (9), and (10) follows as shown next.

Security
Theorem 2 (IND-CSA of PVSS). Suppose the hash function  is drawn from a universal collision-resistant one-way family. Then, the proposed PVSS scheme is secure against adaptive CSA under the intractability assumption of the DBDH problem. More specifically, if there is an adversary that can break the PVSS scheme within time T with probability at least , then there exists an algorithm that can solve the DBDH problem within time T  with probability at least   , where
Here, T  denotes the time taken to answer all queries.
International Journal of Distributed Sensor Networks
Proof. Suppose an adversary A breaks the PVSS scheme with advantage ADV IND-CSA A > . Then we can devise an algorithm R that solves a random DBDH problem instance with advantage   ≥ (3/4). Algorithm R is given as input a group parameter  = (, , G, G 1 , (⋅, ⋅)) and a random tuple (G, , , , , ), where  is either a random element of G 1 or  = (, ) abc . The goal of algorithm R is to output 1 ("true") if  = (, ) abc and 0 ("false") otherwise. Set  1 = ,  2 = ,  3 = . Algorithm R works by interacting with A in a game as follows.
Init. Algorithm R does the following.
(1) Algorithm R chooses a set U containing  − 1 participants. Without loss of generality, let
(2) Algorithm R selects a collision-resistant hash function  : G → {0, 1}  and computes the public keys for all participants in U as follows:   =    2 , for all  ∈ P and    ← Z  \ {0}, where   is the channel protection key of   .
(4) Algorithm R constructs the shadow verification key SVK as follows.
(i) For , it lets V ⊆ {1, . . ., } be the set of all  for which   = 1. (ii) It sets an integer  = 4 (where  is the maximum number of sub-shadow queries) and randomly chooses an integer  between 0 and .
(1) Algorithm R computes  = ( 1 ) and checks whether ( 2 , ) = (  + ∑ ∈V   ,  1 ). If the equality does not hold, R responds to A's query with (, ⊥). (2) Otherwise, R checks whether (V) = 0 holds. If it does, R aborts the game and outputs a random bit as its answer to the DBDH problem. (3) Otherwise, there are two cases, as follows.
Challenge. Once the adversary A has completed Phase 1 and sent a challenge set U * with |U * | < , algorithm R forms the challenge information as follows. Let  * = ( 3 ), so that ( * ) ≡ 0 (mod ). Then, algorithm R selects  as the secret and computes ( * 1 ,  * 2 ) as follows.
Thus, the secret  has the form required by the scheme whenever  = (, ) abc = ( 1 ,  2 )  . Algorithm R computes the sub-shadow of each  *  ∈ U * as follows:
where  = ( * 1 ). At this point, algorithm R randomly selects a bit  ∈ {0, 1}, sets   = , and assigns a random value in the secret space G 1 to
This completes the proof of Claim 1.

Guess.
Eventually, A outputs a guess bit   ∈ {0, 1} for . Based on the value of   , R concludes its own game by outputting a guess as follows.
(ii) Otherwise, R answers 0, meaning that  is a random element of G 1 .

Comparison
Now, let us compare our scheme with WT11 [2] and HV09 [3] in terms of computational cost and security. We first define the following notation.
(ii)   : the time taken to execute a scalar multiplication of a point in G.
(iii)   : the time taken to execute a modular exponentiation in G 1 .
(v) ||: the output length of the hash function .
As is well known, the time taken to execute   ,   , and   is much greater than that of the other operations, so we ignore the time consumed by those other operations, such as point addition in G. The details of the comparison are given in Table 2. In Table 3, we compare the communication cost of the dealer distributing a secret to the participants and of a participant sending its sub-share to the other participants.
From the comparison in Tables 2 and 3, one can see that our scheme achieves a higher level of security without significantly increasing the overall computational complexity and the communication cost.

Extension Scheme
In the basic scheme described previously, secret reconstruction requires point-to-point secure channels among the participants. In this section, we remove this limitation without sacrificing any desirable property of the scheme.
Suppose that a participant   wants to send its sub-shadow through a public channel to a participant   . For this purpose,   randomly selects   ,  ∈ Z  \ {0}, uses   's public key   , and performs the following calculations:
Having collected  valid sub-shadows,   first computes  1 = ∑  =1  0   0 and  2 = ∑  =1  0   1 , and then reconstructs the secret S by computing ( 1 ,  1 )/( 2 ,  2 ), just as in the basic scheme.

Conclusion
In this paper, we proposed a (, ) threshold PVSS scheme. Under the decisional bilinear Diffie-Hellman assumption, we proved that our scheme achieves indistinguishability against adaptively chosen secret attacks in the standard model. In the secret distribution phase, the dealer can send the main shadow to a participant through public channels, and in the extended scheme the participants exchange their sub-shadows in the secret reconstruction phase without establishing point-to-point secure channels. The scheme is therefore well suited to practical applications.

Table 1: Major technical differences and corresponding security level.
1 ,  2 ): takes as inputs  1 and  2 of a secret. It is required that  1 be publicly verifiable. Knowing only the public parameters, anyone may verify that  2 is consistent with  1 . If the verification fails, the verifier broadcasts a complaint about the dealer.
(4) Reconstruction: this algorithm is composed of three subalgorithms.
(a) Sub-shadow generation ( 1 ,  2 ,   ,   ,   ): takes as inputs  1 and  2 of a secret, a participant   ,   's main shadow   , and   's channel protection key   . To generate its sub-shadow,   executes verification ( 1 ,  2 ). If the verification fails, (, ⊥) is output. Otherwise,   generates the sub-shadow   from  1 and  2 using its main shadow   and channel protection key   , and (,   ) is output.
(b) Sub-shadow verification ( 1 ,   , SVK  ,   ): takes as inputs  1 of a secret, a participant   ,   's verification key SVK  , and   's sub-shadow   . This algorithm checks whether   is a valid sub-shadow with respect to SVK  and  1 . If the verification fails, a complaint about the participant   is broadcast.
(c) Combine ( 1 ,  2 , Γ, Ω): takes as inputs  1 and  2 of a secret, a qualified set Γ ⊆ U of  participants, and a list Ω = ( 1 , . . .,   ) of  valid sub-shadows. Outputs a secret .
3.2. Security Model. The PVSS scheme described above must satisfy the following properties.
(i) Correctness: if the dealer and the participants act honestly, any  or more participants can reconstruct the secret correctly by executing the reconstruction algorithm.
(ii) Verifiability: a successful verification of the SCV and SDV of a secret implies that the SCV and SDV are consistent.
Challenge. The adversary A outputs a target set of participants U * , where |U * | < . The challenger C picks two random secrets  0 and  1 as well as a random bit  ∈ {0, 1}. Then, C executes the secret distribution algorithm to obtain ( * 1 ,  * 2 ) for the secret   and sends ( * 1 ,  * 2 ) and all the sub-shadows of each  *  ∈ U * to A, along with  0 and  1 .
Guess. Finally, the adversary A outputs a guess   ∈ {0, 1} and wins the game if  =   .

Table 2: Computational cost and security.