Unordered Multisecret Sharing Based on Generalized Chinese Remainder Theorem

Multisecret sharing schemes have been widely used in the area of information security, such as cloud storage, group authentication, and secure parallel communications. One of the issues for these schemes is to share and recover the multisecret from their shareholders. However, the existing works consider the recovery of the multisecret only when the correspondences between the secrets and their shares are definite. In this paper, we propose a multisecret sharing scheme to share and recover two secrets among the participants based on the generalized Chinese Remainder Theorem (GCRT), where the multisecret and their shares are unordered. To overcome the leakage of information, we propose an improved scheme including an improved sharing phase and recovery phase. The improved scheme has not only more secure performance but also lower computational complexity. The conditions for recovery failure and success are also explored.


Introduction
Secret sharing plays a critical role in numerous applications, such as threshold cryptography, access control, cloud computing, data hiding, and digital watermarking [1][2][3]. In a secret-sharing scheme (SS), a dealer divides a secret into several pieces and then shares them among the shareholders. In 1979, Shamir and Blakley independently introduced threshold schemes based on the interpolating polynomial in [4] and on linear projective geometry in [5], respectively. For a (t, n) SS with threshold t, a secret s is divided into n pieces to be shared among n shareholders by a dealer. The secret can be recovered from any t or more shares, while recovery fails with fewer than t shares. Besides this kind of SS scheme, there are many other types, such as Mignotte's scheme [6], the Chinese Remainder Theorem- (CRT-) based Asmuth-Bloom scheme [7] and its generalizations [8,9], and ramp secret-sharing schemes [10,11].
Naturally, a secret-sharing scheme can be generalized to the case of multiple secrets, i.e., multisecret sharing [12,13]. Several schemes for multisecret sharing have been proposed in [14][15][16][17][18][19][20][21][22]. According to the way of recovering, the existing works can be grouped into two categories. One is to recover the multisecret stage by stage, the other is to recover the multisecret simultaneously. In [15], a one-way function-based multistage secret-sharing scheme was proposed to share a multisecret. The authors presented a public shift scheme to obtain the true pieces and then used a proper one-way function to reconstruct the secrets stage by stage in a predetermined order. This scheme needs a large number of public values. An improved method was proposed in [16], where fewer public values are needed. In fact, the scheme presented in [15] is of one-time use only. To overcome this drawback, a one-way hash function-based multiuse threshold secret-sharing scheme was proposed in [17]. In [18], a multistage multisecret-sharing scheme and a multilevel multisecret-sharing scheme are proposed, which are based on Mignotte's sequence and the Asmuth-Bloom sequence, respectively. For the second category of recovery method, the multisecret is recovered simultaneously by a bivariate function [19][20][21]. One of the disadvantages is that the required function is hard to obtain, although the computational load can be reduced by optimizing some existing algorithms. In a word, this approach is inconvenient in practical applications.
All the above works consider the case when the correspondences between the multisecret and the elements in each share are definite. When the correspondences between the multisecret and the elements in each share are unclear, we say that the shares are unordered. Sharing and recovering a multisecret are more challenging when the shares are unordered. This type of sharing scheme is safer, since the multisecret cannot be recovered directly from the given unordered shares. It is a generalization of the single-secret case and has wide application in scenarios of keeping some sensitive and important information, such as passwords for opening bank safes or launching a missile [23,24]. This paper gives a novel scheme to share and recover a multisecret from unordered shares. Motivated by the works in [25][26][27], we propose a generalized CRT-based multisecret-sharing and recovering scheme. The proposed scheme is not a perfect SS since information can be leaked. To overcome this drawback, we propose an improved multisecret-sharing scheme. The improved scheme not only is more secure but also has lower computational complexity. The rest of the paper is organized as follows. In Section 2, we introduce the unordered multisecret-sharing problem and then briefly recall the basic idea of the generalized CRT. In Section 3, we present a generalized CRT-based multisecret-sharing scheme. In Section 4, we present the improved multisecret-sharing scheme. In Section 5, we conclude this paper.

Unordered Multisecret Sharing and the Generalized CRT
In this section, we first introduce the unordered multisecret-sharing problem considered in this paper. Then, we model the problem as the generalized CRT. Some existing results for the generalized CRT are also introduced. Consequently, the problem of recovering an unordered multisecret can be modeled as the generalized CRT that determines multiple integers from their residue sets. The traditional CRT tells us that an unknown integer can be uniquely recovered from its remainders modulo several given moduli if and only if the unknown integer is less than the least common multiple (lcm) of the given moduli [28]. One of the generalizations is to recover two unknown integers s_1, s_2 from their remainders modulo several moduli. Different from the traditional CRT, the remainders of s_1, s_2 modulo a given modulus are two remainders in the same set, which is called the residue set. There are two differences between this kind of generalized CRT and the traditional CRT. One is that the correspondence between the integers s_1, s_2 and their remainders in the residue sets is unknown. As the above example shows, for the first residue set {1, 3}, it is not known whether 1 is the remainder of 26 or of 38 modulo 5. The other difference is how large the two integers can be while still being uniquely determined from their residue sets for the given moduli, which will be explained below. For the traditional CRT, the largest integer that can be uniquely determined from its remainders for some given moduli is the least common multiple of all the moduli. However, this conclusion may not be true for the generalized CRT. Consider the above example again. If the two integers are less than lcm(5, 7, 11) { }, and {4, 5} with moduli 5, 7, and 11, respectively. Hence, the two unknown integers s_1, s_2 cannot be uniquely determined from the given residue sets when the two integers are restricted to the range (0, 385).

Model of the Unordered Multisecret Sharing.
In order to uniquely determine the two integers from their residue sets for some given moduli, the concept of the dynamic range was introduced in [25], where the dynamic range is a range within which any multiple integers can be uniquely determined from their residue sets modulo the given moduli. In [26], the largest dynamic range of two integers for the given moduli was obtained. For convenience of description, we denote the remainder of x modulo y as ⟨x⟩_y.
For any given modulus set M = {m_1, m_2, ..., m_n}, the largest dynamic range D(M) can be determined by the following results [26]. (1)

Unordered Multisecret-Sharing Scheme
In this section, we propose two algorithms, i.e., the unordered multisecret generation phase and the recovery phase. Some results of the proposed scheme are also given.

Unordered Multisecret Generation. Suppose that the shareholders have the public information
Note that the scheme of multisecret sharing is trivial when n ≤ 2, and we only consider n ≥ 3 in this paper. Let t be a positive integer satisfying t < n. The generation of n shares from two unordered secrets s_1, s_2 contains two steps. First, determine the largest range of the two secrets such that t or more shares lead to a unique recovery of s_1, s_2. Second, obtain the n shares U_1, U_2, ..., U_n by reducing s_1, s_2 modulo the moduli m_1, m_2, ..., m_n, respectively. For convenience, we denote Define It is not difficult to find that If not, i.e., n − i_0 + 1 ≥ t, then we have by the definition of D(M) in (2), which contradicts (4). For convenience, we let and let Then, two unordered secrets s_1, s_2 can be selected in the range (D_L, D(M_2)), i.e., Consequently, the shares U_i = {r_{1,i}, r_{2,i}} can be obtained by That is, To sum up, we have the following unordered multisecret generation phase for the pairwise coprime integers m_1, m_2, ..., m_n, which is shown in Table 1 below.

Unordered Multisecret Recovery.
Now, we consider the problem of recovering the two secrets s_1, s_2 from the given Table 2 gives the generalized CRT-based algorithm to recover the two secrets.
The next theorem gives some results for the multisecret-sharing scheme discussed above. Theorem 1. Let the two secrets s_1, s_2 be defined in (9), and Then, we have the following results.
(1) We consider the case when l = t_0. For any t_0 = n − i_0 + 1 shares U_{i_1}, U_{i_2}, ..., U_{i_{n−i_0+1}}, we have the corresponding moduli m_{i_1}, m_{i_2}, ..., m_{i_{n−i_0+1}}. According to the definition of i_0 in (4), we have Note that lcm(M) ≤ If D(M_1) ≥ ∏_{j=i_0}^{n} m_j, then we obtain from (8) that D_L = D(M_1). From (9) and (13), we have If D(M_1) < ∏_{j=i_0}^{n} m_j, then we obtain from (8) that D_L = ∏_{j=i_0}^{n} m_j. From (9) and (13), we have Thus, the two secrets s_1, s_2 cannot be reconstructed from t_0 shares. For the case of fewer than t_0 shares, the proof is obvious and is omitted here.
(2) We consider the reconstruction from any l = t − 1 shares U_{i_1}, U_{i_2}, ..., U_{i_{t−1}} that are different from the shares U_{n−t+2}, U_{n−t+3}, ..., U_n. For convenience, we denote M' = {m_{i_1}, m_{i_2}, ..., m_{i_{t−1}}} and suppose without loss of generality.
Recall that m_1 < m_2 < ··· < m_n. Hence, we have and then According to (2), we have By (8) and (9), we obtain According to the generalized CRT, we know that s_1, s_2 cannot be recovered in the range (0, D(M')) from their shares U_{i_1}, U_{i_2}, ..., U_{i_l}. For the case l < t − 1, the conclusion also holds. Next, we consider the recovery of the two secrets in (0, lcm(M)). Let the l shares be U_{i_1} = {r_{1,i_1}, r_{2,i_1}}, ..., U_{i_l} = {r_{1,i_l}, r_{2,i_l}}. According to (11), we have Note that Hence, the two secrets s_1 and s_2 can be recovered separately by using the CRT when the remainders in the residue sets are properly ordered. More details are given in Remark 1 below.
Similar to the proof of (2) above, we can prove that the dynamic range of M'' satisfies Hence, s_1, s_2 can be uniquely reconstructed from their shares U_{i_1}, U_{i_2}, ..., U_{i_t} by the generalized CRT. For the case of more than t shares, the proof is obvious and is omitted here.

Remark 1.
Theorem 1 tells us that the two secrets cannot be recovered when the number of shares l ≤ t_0, where t_0 is defined in (7). When l > t, the two secrets can be uniquely recovered by using the proposed generalized CRT. When t_0 < l < t, the two secrets cannot be successfully recovered. To be specific, the two secrets cannot be recovered in the range (0, D(M)) in this case. In addition, the two secrets cannot be uniquely recovered in (0, lcm(M)) by using the CRT, since the correspondences between the two secrets and the elements in each share are unclear. It is clear that the remainder of s_1 or s_2 cannot be determined from any single share U_i. To recover s_1 and s_2, we have 2^{l−1} possible cases of remainders with moduli m_i: According to the CRT, s_1 and s_2 can be recovered only from the last tuples in the range (0, lcm(M)). Now, we consider the computational complexity of the proposed scheme. According to Algorithm 2, we know that the computational complexity of each shareholder is O(1). For the proposed generalized CRT-based multisecret recovery algorithm, the computational complexity is O(12l). For the CRT algorithm, the computational complexity is O(2^{l−1}) as discussed above.

Table 1: Unordered multisecret generation phase.
... (3) and (2), respectively
Step 2. Determine i_0 by (4)
Step 3. Determine D_L by (8)
Step 4. Select two unordered secrets s_1, s_2 satisfying (9)
Step 5. Obtain n shares U_1, U_2, ..., U_n by (10)

Example 1. Let us consider a two-secret sharing and recovering process when the moduli are m_1 m_1, m_2, ..., m_5, respectively. Now, we consider the recovery of the two secrets from l shareholders. We have the three cases below.
Suppose that the two shares are U_{i_1} and U_{i_2} with 1 ≤ i_1, i_2 ≤ 5. Clearly, Hence, the two secrets s_1, s_2 cannot be recovered. In other words, all these candidates have the same shares U_1, U_2, and U_3 with moduli m_1, m_2, and m_3, respectively. Table 3 illustrates the recovery of the two secrets for all cases, where Z_n = {0, 1, ..., n − 1}. In this case, the two secrets can be uniquely determined. Suppose that the shares are U_1, U_2, U_3, and U_4. Next, we recover s_1, s_2 by using the proposed generalized CRT algorithm.
From Table 2, we have q_1 = 10, q_2 = 5, q_3 = 8, and q_4 = 7. According to Step 3, we have ξ_1 = 824. By Step 4, we have k = 395, and then ξ_2 = 93. By Step 5, we have the quadratic equation x^2 − 824x + 169548 = 0. By solving it, we obtain the two secrets {s_1, s_2} = {398, 426}. From (11), we know that the U_i are the remainders of the two secrets s_1, s_2 modulo m_i. By Theorem 1, we know that the two secrets can be recovered by putting no fewer than t shares together, without any other information. For example, in Example 1, the two secrets can be recovered from any four shareholders directly by the generalized CRT. It is clear that each shareholder holds partial information about the two secrets. In other words, the proposed multisecret-sharing scheme above is not a perfect SS. To overcome this drawback, we propose an improved multisecret-sharing scheme in the following.

Improved Unordered Multisecret-Sharing Scheme
In this section, we give an improved generalized CRT-based unordered multisecret-sharing scheme, which includes the improved unordered multisecret generation phase and recovery phase. Some results of the proposed scheme are also given.

Improved Unordered Multisecret Generation Phase.
Firstly, select an integer p satisfying where D_L is defined in (8). Then, the dealer transmits it secretly to the secret combiner. Let the two secrets be s_1, s_2 and satisfy Consequently, select two positive integers α_i satisfying Let Then, the shares U_i = {r_{1,i}, r_{2,i}} can be generated by That is, According to (29), the shares can be rewritten as Recall that the first scheme leaks the secrets. For the improved scheme, the obtained shares U_i are {⟨s_1 + α_1 p⟩_{m_i}, ⟨s_2 + α_2 p⟩_{m_i}} for i = 1, 2, ..., n, which are different from the residues of the two secrets s_1, s_2. Hence, no shareholder's share leaks the secrets.
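As an added example (not the paper's own code, nor its Table 1, 2 or 5 algorithms), the Python below shares two secrets as unordered residue sets, reruns the searching recovery of Remark 1 on the moduli 5, 7, 11 and the secrets 26, 38 from Section 2, and shows the masking step of this improved scheme. Where the page omits the constraints it assumes s_i < p so that unmasking is reduction modulo p, and the bound passed to recover() is a constructed stand-in for the paper's dynamic range D(M), not its formula.

```python
from itertools import product

# Constructed example data: the moduli 5, 7, 11 and the secrets 26, 38 of Section 2.
MODULI = (5, 7, 11)

def crt(residues, moduli):
    """Textbook CRT for pairwise coprime moduli: unique x in [0, lcm) with x = r_i mod m_i."""
    x, big_m = 0, 1
    for r, m in zip(residues, moduli):
        # Shift x by a multiple of big_m so that it also matches r modulo m.
        x += big_m * (((r - x) * pow(big_m, -1, m)) % m)
        big_m *= m
    return x % big_m

def share(s1, s2, moduli):
    """A share is the unordered residue set {s1 mod m, s2 mod m}; the order is not transmitted."""
    return [frozenset({s1 % m, s2 % m}) for m in moduli]

def candidates(shares, moduli):
    """Searching recovery of Remark 1: assign the residues of every share to the two secrets
    in each possible order (the first share's order is fixed, giving 2^(l-1) cases) and run
    the ordinary CRT per ordering.  Every returned pair reproduces exactly these shares."""
    def orderings(s):
        a, b = min(s), max(s)
        return [(a, b)] if a == b else [(a, b), (b, a)]
    choices = [orderings(shares[0])[:1]] + [orderings(s) for s in shares[1:]]
    found = set()
    for assignment in product(*choices):
        r1, r2 = zip(*assignment)
        x1, x2 = crt(r1, moduli), crt(r2, moduli)
        found.add((min(x1, x2), max(x1, x2)))
    return sorted(found)

def recover(shares, moduli, bound):
    """Keep only candidates whose secrets both lie below `bound` (the role the paper's dynamic
    range plays; the bound here is a constructed stand-in).  Unique pair, or None if ambiguous."""
    hits = [pair for pair in candidates(shares, moduli) if pair[1] < bound]
    return hits[0] if len(hits) == 1 else None

def mask(s1, s2, p, alphas):
    """Improved scheme (Section 4): the dealer shares x_i = s_i + alpha_i * p instead of s_i.
    Assumption, since the page omits the constraints on p and alpha_i: s_i < p, so the
    combiner, who received p secretly, unmasks by reducing modulo p (see unmask)."""
    return s1 + alphas[0] * p, s2 + alphas[1] * p

def unmask(x1, x2, p):
    return x1 % p, x2 % p

if __name__ == "__main__":
    shares = share(26, 38, MODULI)            # [{1, 3}, {3, 5}, {4, 5}]
    print(candidates(shares, MODULI))         # four pairs below lcm = 385: (0, 385) is ambiguous
    print(recover(shares, MODULI, 385), recover(shares, MODULI, 100))
```

Run stand-alone, it lists the four secret pairs that all produce the residue sets {1, 3}, {3, 5}, {4, 5}, which is exactly why Section 2 says the pair cannot be determined in (0, 385).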
In summary, we have the improved unordered multisecret-sharing algorithm for the pairwise coprime integers m 1 , m 2 , . . . , m n , which is shown in Table 4 below.

Improved Unordered Multisecret Recovery Phase.
Given l shares U_{i_1}, U_{i_2}, ..., U_{i_l}, where 1 ≤ i_j ≤ n and l > t, the two secrets s_1, s_2 can be recovered by the generalized CRT-based algorithm, which is shown in Table 5 below.
It is not difficult to find that the proposed recovery algorithm has a computational complexity of O(12l), which is much smaller than that of the searching algorithm, O(2^{l−1}). Based on the above multisecret recovery phase, we have the following results. Theorem 2. Let s_1, s_2 be two secrets satisfying (27), and let U_{i_1}, U_{i_2}, ..., U_{i_l} be l shares defined in (32), where 1 ≤ i_j ≤ n for j = 1, 2, ..., n. Then, we have the following results.
(1) If l ≤ t_0, then s_1, s_2 cannot be reconstructed, where t_0 is defined in (7). (2) If t_0 < l < t, then s_1, s_2 cannot be uniquely determined.
(1) By Theorem 1, we know that x_1 = s_1 + α_1 p, x_2 = s_2 + α_2 p cannot be reconstructed in this case. Hence, the two secrets s_1, s_2 cannot be recovered.
Clearly, for any shares U_{i_j}, we have lcm(m_{i_j}) < D_L < x_i for 1 ≤ i_j ≤ 4, i = 1, 2. Hence, the two integers x_1, x_2 cannot be successfully reconstructed, and hence the two secrets s_1, s_2 cannot be recovered.
In this case, the two integers x_1, x_2 cannot be reconstructed from the two shares U_{i_1}, U_{i_2} in

Table 4: Improved unordered multisecret-sharing algorithm.

Conclusions
In this paper, we consider the problem of recovering an unordered multisecret from shares with unordered remainders. The main difference between this work and the previous ones is that the correspondence between the remainders in each share and the secrets is unknown in our work, while it is definite in previous works. A generalized CRT-based unordered multisecret-sharing scheme and recovery algorithm are proposed. The conditions for recovery failure and success are also explored. Furthermore, to obtain a perfect SS in which the secrets are not leaked, an improved sharing and recovery approach is proposed.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare no conflicts of interest.