Abstract

With the development of mobile networks, many people now have access to mobile phones, and mobile networks give users ubiquitous connectivity. However, smart phones and tablets are poor in computational resources such as memory size, processor speed, and disk capacity. So far, none of the existing rational secret sharing schemes are suitable for mobile networks. In this paper, we propose a verifiable rational secret sharing scheme in mobile networks. The scheme provides a noninteractively verifiable proof for the correctness of participants’ shares, so a handshake protocol is not necessary; there is no need for certificate generation, propagation, and storage in the scheme, which makes it more suitable for devices with limited size and processing power; in the scheme, every participant uses her encryption of the number of each round as the secret share and the dealer does not have to distribute any secret share; no participant can gain more by deviating from the protocol, so a rational participant has an incentive to abide by the protocol; finally, every participant can obtain the secret fairly (meaning that either everyone receives the secret or no one does) in mobile networks. The scheme is coalition-resilient, and the security of our scheme relies on a computational assumption.

1. Introduction

1.1. Background

Secret sharing plays an increasingly important role in modern cryptography. In classical () secret sharing schemes [1, 2], a secret can be shared among participants. Any or more participants can reconstruct the secret, but or fewer participants cannot learn anything about the secret. Recently, a series of secret sharing schemes were proposed in [3–6]. However, the works in [1–6] cannot prevent the dealer or the players from cheating. For example, in Shamir’s scheme, assume that one party does not broadcast his share while exactly other players reveal theirs. He can still reconstruct the secret, although his cheating can be detected by the scheme [7–9].

Motivated by the desire to develop more realistic models, the cryptographic community has shown significant interest in exploring protocols for rational secret sharing. Halpern and Teague [10] first introduced the notion of rational secret sharing. They pointed out that there exist many Nash equilibria which, in some sense, are unreasonable. Therefore, they focus on one particular refinement of Nash equilibrium that is determined by iterated deletion of weakly dominated strategies. However, their protocols cannot work for 2-out-of-2 secret sharing and require an online dealer. Later, a series of rational secret sharing schemes [11–20] were proposed. However, none of them are fully satisfactory. The works in [11–13] rely on secure multiparty computation, which is a strong assumption. Kol and Naor’s scheme [14] has information-theoretic security. However, their scheme fails to resist coalitions. The works in [15, 16] require the involvement of trusted external parties during the reconstruction phase, who are difficult to find. The solution in [17] constructs a rational scheme based on repeated games. However, every player has a high probability of learning the secret in his last round. The works of Lepinski et al. [19, 20] and Izmalkov et al. [15, 18] can guarantee fairness, prevent coalitions, and eliminate side information. However, their solutions rely on physical assumptions such as secure envelopes and ballot boxes. The works in [10–14, 17, 21–25] assume the existence of a broadcast channel, which is not realistic. The works in [11–13, 19–27] need to exchange public keys, with the associated certificate management, including revocation, storage and distribution, and the computational cost of certificate verification. Nowadays, with the development of mobile networks, a large percentage of the world’s population has access to mobile phones, and incredibly fast mobile networks give users ubiquitous connectivity.
New devices like smart phones and tablets provide users with a wealth of applications and services and have fundamentally changed our lives. However, smart phones and tablets are poor in computational resources such as processor speed, memory size, and disk capacity. A drawback of public key infrastructure (PKI) is that it is computationally very intensive, which makes it less suitable for mobile phones. From the discussion above, it seems clear that none of the above schemes can work in a mobile system.

1.2. Our Results

In this paper, we propose a verifiable rational secret sharing scheme in mobile networks. The major contributions of this work are as follows. We present a new verifiable random function for the multiparty case, which provides a noninteractively verifiable proof for the correctness of participants’ shares, so a handshake protocol is not necessary; there is no need for certificate generation, propagation, and storage in the scheme, which makes it more suitable for devices with limited size and processing power; the public key in our approach is based on each participant’s identity (e.g., telephone number or email address), which can be very much shorter than the 1024-bit public key of the RSA cryptosystem; in the scheme, every participant uses her/his encryption of the number of each round as the secret share and the dealer does not have to distribute any secret share, which reduces the computational cost and communication overhead; the participants do not know whether the current round is a test round or not, and no participant can gain more by cheating. Finally, every player can obtain the secret fairly (meaning that either everyone receives the secret or no one does) in mobile networks. To the best of our knowledge, we propose the first rational secret sharing scheme over mobile networks.

1.3. Overview

The rest of this paper is organized as follows. In Section 2, the preliminary of game theory and cryptography for rational secret sharing are introduced. Section 3 introduces the rational secret scheme in mobile networks. In Section 4, we analyze the new scheme. Finally, we present our conclusions in Section 5.

2. Preliminaries

2.1. Basics of Game Theory

We begin by introducing some basic terminology of game theory in this section. For more details, please refer to [28].

Game theory aims to help us understand situations in which decision-makers interact. A strategic game consists of three components: (a) a set of players; (b) a set of actions for each player; (c) for each player, preferences over the set of action profiles.

Let be profile of players, denote the strategy employed by player , be a strategy profile of all players except for the player , and denote the strategy vector with ’s strategy changed to ; represents ’s preferences, which rational players wish to maximize.

Definition 1 (Nash equilibrium). Let be a game presented in normal form. A strategy profile is a Nash equilibrium if, for all and every , it holds that
Generally speaking, a Nash equilibrium captures the idea that no rational party has an incentive to deviate from the protocol. Everyone is playing a best response to everyone else, and no individual can do strictly better by moving away. The definition of Nash equilibrium is designed to model a steady state among experienced players. In a steady state, no player wishes to change her behavior, given the other players’ behavior.
In a traditional secret sharing scheme, a player is regarded as either honest or malicious. In a rational secret sharing scheme, however, it makes more sense to view the players not as good or bad but as rational individuals trying to maximize their own utility [10]. For any player , assume that any rational player prefers to get the secret rather than miss it, and secondarily prefers that as few as possible of the other players get it.

Now we introduce the definition of computational -immunity [13], in which utility functions take the security parameter as input.

Definition 2 (computational -immune). Let be an efficient protocol for a computing game and be a set of coalitions (subsets of players). Let be the set of sequences of random tapes for the first iterations that do not cause to end. A sequence is of the form where and is the random tape used by player in iteration .
The protocol is computational -immune if, for every coalition and every sequence of tapes used by the players in the first round, there exists a negligible function such that, for every player , every efficient (deviating) joint strategy for players in , and every efficient joint strategy for players in implementing , it holds that

2.2. Cryptographic Terminology

Definition 3 (bilinear pairing). Let and be multiplicative groups of prime order . is a generator of . A bilinear pairing is a map with the following properties.
(1) Bilinear: for all and all , one has .
(2) Nondegenerate: .
(3) Computable: there is an efficient algorithm to compute for all and .
We describe the decisional bilinear Diffie-Hellman inversion assumption below.
Given as input, the task is to distinguish from random. An algorithm has advantage in solving the -DBDHI problem if , where and .
We say that the -DBDHI assumption holds in if no -time algorithm has advantage at least in solving the -DBDHI problem in .

2.3. Verifiable Random Function from Identity-Based Key Encapsulation (IB-KEM)

The verifiable random function (VRF) was first introduced by Micali et al. [29]. A VRF is a pseudorandom function that provides a noninteractively verifiable proof for the correctness of its output, and VRFs have many useful applications. References [29–32] each construct a VRF. Next we briefly recall the VRF built from a VRF-suitable IB-KEM [32].

The IB-KEM Scheme. An identity-based key encapsulation mechanism (IB-KEM) allows a sender and a receiver to agree on a random session key . It is defined by four algorithms: takes a security parameter as input and outputs a master key pair (mpk, msk); KeyDer(msk, ID) uses the master secret key to compute for identity ID; computes a random session key and a ciphertext ; allows the receiver to decapsulate and recover the session key . A VRF-suitable IB-KEM scheme [33] is defined by the following algorithms.
(i) is a probabilistic algorithm that takes as input a security parameter and outputs a master public key mpk and a master secret key msk. Let be bilinear groups of prime order . Additionally, let : denote the bilinear map. The description of contains a generator . Then the algorithm picks a random , sets , and outputs a master key pair ().
(ii) KeyDer(msk, ID): the key derivation algorithm uses the master secret key to compute a secret key for identity ID.
(iii) Encap(mpk, ID): the encapsulation algorithm picks a random and computes a random session key using (mpk, ID). Moreover, it uses (mpk, ID) to compute a ciphertext encrypted under the identity ID.
(iv) Decap(, ) allows the possessor of to compute a session key from a ciphertext as follows: .

The VRF (Gen, Func, Ver) is constructed as follows.
(i) runs , chooses an arbitrary identity , where ID is the identity space, and computes . Then it sets and .
(ii) computes and . It returns , where is the output and is the proof.
(iii) first checks whether is a valid proof for by computing and checking whether . Then it checks the validity of by testing whether . If both tests pass, the algorithm returns 1; otherwise it returns 0.

With a modification, we extend the VRF from a VRF-suitable IB-KEM [32] to the multiparty case, and this can be used in our rational secret sharing scheme. Let be the participants, be the identity of , where ID is the identity space, and be the private key of .
(i) takes a security parameter , returns , and computes . Then it sets and .
(ii) computes and . It returns , where the VRF output is and is the proof.
(iii) checks whether is a valid proof by computing and checking whether . Then it checks the validity of by testing whether . If both tests pass, the algorithm returns 1; otherwise it returns 0.

2.4. The Model of Security

Init. The adversary declares the identity set on which he wants to be challenged.

Setup. The challenger runs the setup phase of the algorithm and tells the adversary the public parameter.

Phase 1. The adversary is allowed to issue queries for private keys for many identities , where .

Challenge. The adversary outputs a message . The challenger flips a random coin and obtains a session key . If , then is correctly formed; otherwise is random. Finally, it sends to the adversary.

Phase 2. This goes exactly as phase 1.

Guess. The adversary outputs a guess of . The adversary wins if .

We define the advantage of an adversary in this game as .

3. The Rational Secret Sharing Scheme

3.1. System Parameters

Let be the participants and be the secret. Assume is the identity of , where is the identity space and is a collision-resistant hash function. Let be the private key of .

3.2. Protocol for Sharing Phase

Step 1. The dealer chooses an integer according to a geometric distribution with parameter . We discuss how to set below. The dealer computes and obtains .

Step 2. Choose a prime and construct two () degree polynomials: one with the knowledge of pairs of , as in (4), and the other with the knowledge of pairs of , as in (5):

Step 3. The dealer chooses the minimum integers from for and computes and for .

Step 4. The dealer publishes the values ( for , value and for ), and sends to .

3.3. Protocols for Reconstruction Phase

Let be the set of the active participants and (, ) be the share of . In each iteration () the players execute the following steps.

Step 1. When , each of the active participants sends her share in the order for .

Step 2. receives the share from . If , is an invalid proof of ; then, with the knowledge of pairs of and pairs of , the () degree polynomial can be uniquely determined as follows:
We let . The secret can be obtained as ; then output and terminate the protocol. If , is a valid proof of , and the protocol continues.

Step 3. With the knowledge of pairs of and pairs of , the () degree polynomial can be uniquely determined as follows:

Step 4. If for , then the protocol goes to the next iteration; else if , then , with the knowledge of pairs of and pairs of , the () degree polynomial can be uniquely determined as follows:
Let . The secret can be obtained as . Then output and terminate the protocol.
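As an added worked example, not the paper's own code, the following Python models the sharing and reconstruction phases of Section 3 over a prime field. It assumes HMAC-SHA256 on the round number in place of the pairing-based VRF (so the noninteractive proof check of Step 2 is not modelled and the dealer holds the keys to compute the round-r values), and it reads Steps 2 to 4 as publishing per-participant offsets for the two polynomials plus a check value v = g(0) that reveals the real round.

```python
import hashlib
import hmac
import random

P = 2**127 - 1  # prime field modulus (constructed choice; the paper's prime is not given)

def prf(key: bytes, rnd: int, tag: bytes) -> int:
    """Per-round value of a participant. In the paper this is the VRF output of
    her identity-based private key on the round number; HMAC-SHA256 stands in
    here (assumption) so the model runs offline without a pairing library."""
    msg = tag + rnd.to_bytes(8, "big")
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") % P

def poly_eval(coeffs, x):
    """Evaluate a polynomial given by its coefficient list at x, mod P."""
    return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P

def lagrange_at_zero(points):
    """f(0) of the unique degree-(t-1) polynomial through t points (x_i, y_i)."""
    acc = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        acc = (acc + yi * num * pow(den, -1, P)) % P
    return acc

def deal(secret, keys, t, beta, rng):
    """Sharing phase (Section 3.2). keys[i-1] is participant i's private key;
    the dealer can evaluate every participant's per-round value for round r.
    Returns the public values (offsets for f and g, the check value v) and r."""
    n = len(keys)
    r = 1
    while rng.random() >= beta:      # Step 1: r is geometric with parameter beta
        r += 1
    v = rng.randrange(P)             # published check value, v = g(0)
    f = [secret] + [rng.randrange(P) for _ in range(t - 1)]   # Step 2: f(0) = secret
    g = [v] + [rng.randrange(P) for _ in range(t - 1)]        #         g(0) = v
    # Steps 3-4: per-participant offsets so that the round-r values lie on f and g
    delta = [(poly_eval(f, i) - prf(keys[i - 1], r, b"f")) % P for i in range(1, n + 1)]
    eps = [(poly_eval(g, i) - prf(keys[i - 1], r, b"g")) % P for i in range(1, n + 1)]
    return {"delta": delta, "eps": eps, "v": v, "t": t}, r

def reconstruct(pub, active, keys, max_rounds=100_000):
    """Reconstruction phase (Section 3.3) run by t active participants.
    Each round every active participant reveals her per-round values; the
    indicator polynomial g decides whether the round is a test round or r."""
    assert len(active) == pub["t"]
    for rnd in range(1, max_rounds + 1):
        ys = [(i, (prf(keys[i - 1], rnd, b"f") + pub["delta"][i - 1]) % P) for i in active]
        zs = [(i, (prf(keys[i - 1], rnd, b"g") + pub["eps"][i - 1]) % P) for i in active]
        if lagrange_at_zero(zs) != pub["v"]:
            continue                   # Step 4: test round, go to the next iteration
        return rnd, lagrange_at_zero(ys)  # real round: f(0) is the secret
    return None

def demo(secret=123456789, n=5, t=3, beta=0.2, seed=7):
    """Constructed run: 5 participants, threshold 3, two different active sets."""
    rng = random.Random(seed)
    keys = [hashlib.sha256(b"participant-%d" % i).digest() for i in range(1, n + 1)]
    pub, r = deal(secret, keys, t, beta, rng)
    return r, reconstruct(pub, [1, 3, 5], keys), reconstruct(pub, [2, 3, 4], keys)
```

In test rounds the interpolated g(0) is a pseudorandom field element, so it matches v only with probability about 1/P; both active sets recover the same secret in the same round r.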

4. Proof of Security

In this section, the proof of security is given.

Theorem 4. If an adversary can break our scheme, then one can build a simulator to solve the -DBDHI assumption with a nonnegligible advantage.

Proof. We assume there exists an adversary that has a nonnegligible advantage in breaking the protocol. Then we can build a simulator which is able to break the -DBDHI assumption with nonnegligible advantage.
Input to the Reduction. Algorithm receives a tuple and outputs 1 if , or 0 otherwise.
Key Generation. Assume that tries to guess the challenge message . Let . Using the binomial theorem, it computes . Then it defines and computes the new base . Finally it computes , picks a random , and sets . Then it gives as the public key to .
Phase 1. The adversary is allowed to issue private key queries for many identities , where and . Consider the th query on message . If , then fails. Otherwise, can compute the secret key as follows. First it defines . Then it computes and returns it to as the private key of . With the knowledge of pairs of and pairs of , the simulator can construct the () degree polynomial by Lagrange interpolation. Moreover, the coefficient of is identical to that of the original scheme.
Challenge. The adversary outputs a message . If , then fails. Otherwise, the challenger computes a session key as follows. Let and compute . The simulator flips a random coin and sets a session key ; if , then and is correctly formed. Otherwise is random, and so is . Finally, it sends to the adversary.
Phase 2. This goes exactly as Phase 1.
Guess. The adversary outputs a guess of . returns as its guess as well.
For the sake of contradiction, suppose there exists a probabilistic polynomial time attacker that can break the protocol with probability . Then we can build a simulator which is able to break the -DBDHI assumption with probability (the output of is the same as the output of ). Because the -DBDHI problem is assumed to be hard, no adversary has a nonnegligible advantage in breaking the protocol. This completes the proof.

Theorem 5. The above rational secret sharing scheme is computational -immune, and a rational participant has an incentive to abide by the protocol.

Proof. Given the public values , the two () degree polynomials cannot be constructed by anyone. So an adversary can learn nothing about the secret, and any or fewer participants cannot obtain the secret either. In the scheme, any rational participant can detect and determine who is cheating. Suppose that receives the share from . If , is an invalid proof of , and terminates the protocol. If , is a valid proof of , and continues the protocol. Assume that , who is a member of the collusion, does not know which round is . If the collusion does not participate in the scheme, he can only guess the secret, and he gets with probability . Conversely, he guesses a wrong secret and gets with probability . So, when the collusion does not participate in the protocol, the expected utility of is as in
The participant will get utility if the collusion participates in the protocol and aborts in the real round with probability . Otherwise, the participant ’s utility is . Therefore, when the collusion deviates, the expected utility of is at most
When the collusion abides by the protocol, the utility of the participant is . So, a rational collusion has an incentive not to deviate from the protocol if the protocol satisfies
We denote by the probability that players in can only have a negligible advantage over . There exists a negligible function such that for every it holds that
We let denote the utility when allowing for computational security. Then
That is, for every iteration and for all with , all , and any , no information about the secret is revealed. So, the scheme is computational -immune and a rational player has an incentive to abide by the protocol.

5. Comparison

We compare the efficiency and security of our scheme with previous rational secret sharing schemes as follows.

The work of Halpern and Teague [10] assumes the existence of simultaneous broadcast channels (SBC). Their schemes fail to resist coalitions and have expected round complexity . The works in [11–13] rely on secure multiparty computation, which is inefficient. The work of Kol and Naor [14] has shown how to avoid simultaneous broadcast, at the cost of increasing the round complexity. In addition, the scheme is not collusion-free, and the round complexity is . The works in [15, 16] require the involvement of trusted external parties during the reconstruction phase, who are difficult to find. The round complexity of Maleka et al. [17] is . The works of Izmalkov et al. [18] and Lepinski et al. [19, 20] rely on physical assumptions such as secure envelopes and ballot boxes. The works in [10–14, 17, 21–25] assume the existence of a broadcast channel, which is not realistic. The works in [11–13, 19–27] need a handshake protocol and exchange public keys with the associated certificate management, including distribution, storage, revocation, and the computational cost of certificate verification, which are relatively expensive and limit their practical application to mobile networks.
In contrast with prior schemes, the round complexity of our scheme is (the values of , , and are roughly the same), and we assume neither multiparty computation, nor physical assumptions, nor a trusted party, which is more practical; the scheme provides a noninteractively verifiable proof for the correctness of participants’ shares, so a handshake protocol is not necessary; there is no need for certificate generation, propagation, and storage in the scheme, which makes it more suitable for devices with limited size and processing power; the public key in our approach is based on each participant’s identity, which can be very much shorter than the 1024-bit public key of the RSA cryptosystem; in the scheme, every participant uses her encryption of the number of each round as the secret share and the dealer does not have to distribute any secret share, which reduces the computational cost and communication overhead; the scheme can withstand the conspiracy attack, and no player of the coalition can do better, even if the whole coalition cheats.

6. Conclusions

We propose a rational secret sharing scheme in mobile networks. The scheme, without resorting to a broadcast channel, eliminates the online certificate authority and simplifies key management, which is more practical for devices of limited size and processing power, such as mobile phones. In addition, the scheme assumes neither the availability of a trusted party nor multiparty computation in the reconstruction phase. Moreover, the scheme can withstand the conspiracy attack, and no player of the coalition can do better, even if the whole coalition cheats. So, rational players have no incentive to cheat in the scheme, and, finally, every player can obtain the secret fairly in mobile networks.

Conflict of Interests

The authors declare that there is no conflict of interests regarding the publication of this paper.

Acknowledgments

The authors would like to thank the anonymous referees for their suggestions. This work was supported by the National Natural Science Foundation of China (nos. 61170221, 11471104, U1204606, U1404601, and U1404602) and the Key Project of Education Department of Henan Province (no. 14A520032).