Secret sharing is an important aspect of key management in wireless ad hoc and sensor networks. In this paper, we define a new secure model of secret sharing, use Lagrange interpolation and bilinear cyclic groups to construct an efficient publicly verifiable secret sharing scheme on the basis of this model, and show that this scheme is provably secure against adaptively chosen secret attacks (CSAs) based on the decisional bilinear Diffie-Hellman (DBDH) problem. We find that this scheme has the following properties: (a) point-to-point secure channels are not required in either the secret distribution phase or the secret reconstruction phase; (b) it is a noninteractive secret sharing system in that the participants need not communicate with each other during subshadow verification; and (c) each participant is able to share many secrets with other participants despite holding only one shadow.
A secret sharing scheme [
In 1979, two basic secret sharing schemes were independently proposed by Shamir [
Verifiable secret sharing (VSS) was proposed in [
Stadler [
In 2005, Ruiz and Villar [
Another important aspect of secret sharing is the problem of making the size of the shadows of each participant as small as possible. A secret sharing scheme is ideal if the length of every shadow is the same as the length of the secret. This is the best possible situation. However, we would like to emphasize that it is also very important to reduce the number of secure channels used in a secret sharing scheme, especially in wireless ad hoc and sensor networks.
A secret sharing scheme contains at least two essential phases:
In this paper, we use the Lagrange interpolation and bilinear cyclic groups to construct a
An overview comparison of the major technique differences and the corresponding security level those of WT11’s [
Major technique differences and corresponding security level.

 | WT11 [ | HV09 [ | Ours |
---|---|---|---|
Needless secure channels | No | No | Yes |
Verify subshare in reconstruction | No | Yes | Yes |
Assumption | BDH | DBS | DBDH |
Security model | ROM | SM | SM |
Security level | IND | IND | IND-CSA |
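The "Verify subshare in reconstruction" row above means that a combiner can check every submitted subshare against public data before interpolating. The following added example (not code from this paper, and not its pairing-based construction) illustrates that check with Feldman-style discrete-log commitments and Lagrange interpolation over a constructed toy group; `deal`, `verify` and `reconstruct` are hypothetical names.

```python
import secrets

# Constructed toy parameters (assumption, far too small for real use):
# P = 2Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def deal(secret, t, n):
    """Split `secret` (an element of Z_Q) into n shares with threshold t."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
              for i in range(1, n + 1)}
    # Commitments to the polynomial coefficients, published by the dealer.
    # Note: C_0 = G^secret is public, so this stand-in hides the secret only
    # computationally, and not at all in a group this small.
    commitments = [pow(G, c, P) for c in coeffs]
    return shares, commitments

def verify(i, share, commitments):
    """Public, noninteractive check: G^share == prod_k C_k^(i^k) mod P."""
    rhs = 1
    for k, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, k, Q), P) % P
    return pow(G, share, P) == rhs

def reconstruct(subshares, commitments, t):
    """Reject subshares that fail `verify`, then interpolate f(0) (Lagrange).

    Returns (secret, indices of rejected subshares)."""
    good = {i: s for i, s in subshares.items() if verify(i, s, commitments)}
    if len(good) < t:
        raise ValueError("fewer than t valid subshares")
    pts = list(good.items())[:t]
    secret = 0
    for i, s in pts:
        num = den = 1
        for j, _ in pts:
            if j != i:
                num = num * (-j) % Q        # (0 - x_j)
                den = den * (i - j) % Q     # (x_i - x_j)
        secret = (secret + s * num * pow(den, -1, Q)) % Q
    return secret, sorted(set(subshares) - set(good))

if __name__ == "__main__":
    shares, comm = deal(777, t=3, n=5)
    shares[2] = (shares[2] + 1) % Q          # participant 2 submits a bad subshare
    print(reconstruct(shares, comm, 3))
```

Without the `verify` filter, the tampered subshare from participant 2 would be interpolated silently and yield a wrong secret with no indication of who cheated.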
This paper is organized as follows. In Section
If
Let
The algorithm
Given a tuple
Let
This section is dedicated to the definition of a
Let
A PVSS scheme is described by the following algorithms. The dealer generates all public parameters of the scheme. Furthermore, every participant selects its channel protection key The dealer randomly picks a number as the main secret of the system and uses For each
The PVSS scheme described above must satisfy the following properties.
Hereafter, we will use the notion of a CSA to define the security of the PVSS scheme. We mostly follow the notation from [
A
In this section, we present a concrete
The dealer obtains the group parameters
Having received all the The dealer selects a random number The dealer computes The dealer selects a collision-resistant hash function The dealer sets the The dealer randomly selects
Finally, the dealer sends
The dealer wants to share a secret, which is a random element in
Given
Without loss of generality, let us assume that
At this point, every participant in
If the dealer and the participants are honest, any
Suppose the hash function
Suppose an adversary
Algorithm Algorithm Algorithm Algorithm If If Algorithm For It sets an integer It chooses a random vector It lets It chooses a random integer It sets It defines Algorithm
The algorithm Otherwise, Otherwise, there are two different cases as follows. If If
where
We claim that
Algorithm If If
where
At this point, algorithm
If Otherwise,
If the input
Now, let us compare our scheme to
As is well known, the time taken to execute
Computational cost and security.

 | WT11 [ | HV09 [ | Our scheme |
---|---|---|---|
Setup | 0 | 0 | |
Secret distribution | | | |
Verification | | | |
Subshadow generation | | | |
Sub-shadow verification | | | |
Combine | | | |
Secure level | IND | IND | IND-CSA |
Communication cost.

 | WT11 [ | HV09 [ | Our scheme |
---|---|---|---|
Dealer distribution of a secret | | | |
Reconstruction of a secret | | | |
From the comparison in Tables
In the basic scheme described previously, the secret reconstruction requires the presence of point-to-point secure channels among the participants. In this section, we remove this limitation without sacrificing any good property of the scheme.
Suppose that a participant
Having collected
In this paper, we proposed a
This work is supported by the National Natural Science Foundation of China (NSFC) Programs (nos. 61070251, 61003285, 61103198, and 61272534), the NSFC A3 Foresight Program (no. 61161140320), and the JSPS KAKENHI program (23500031).