How to Share Secret Efficiently over Networks

In a secret-sharing scheme, the secret is shared among a set of shareholders, and it can be reconstructed if a quorum of these shareholders work together by releasing their secret shares. However, in many applications, it is undesirable for nonshareholders to learn the secret. In these cases, pairwise secure channels are needed among shareholders to exchange the shares. In other words, a shared key needs to be established between every pair of shareholders. But employing an additional key establishment protocol may make the secret-sharing schemes significantly more complicated. To solve this problem, we introduce a new type of secret-sharing, called protected secret-sharing (PSS), in which the shares possessed by shareholders not only can be used to reconstruct the original secret but also can be used to establish the shared keys between every pair of shareholders. Therefore, in the secret reconstruction phase, the recovered secret is only available to shareholders but not to nonshareholders. In this paper, an information theoretically secure PSS scheme is proposed, its security properties are analyzed, and its computational complexity is evaluated. Moreover, our proposed PSS scheme also can be applied to threshold cryptosystems to prevent nonshareholders from learning the output of the protocols.


Introduction
Secret-sharing schemes, first introduced by Shamir [1] and Blakley [2] in 1979, are very important techniques to ensure the secrecy and availability of sensitive information. Moreover, they are widely used as building blocks in various cryptographic protocols, such as threshold cryptosystems, attribute-based encryption, and multiparty computation. In a (, ) threshold secret-sharing scheme, the secret is divided into  shares so that it can only be recovered with  or more than  shares, while fewer than  shares reveal no information about the secret. In the past few decades, many secret-sharing schemes have been proposed in the literature, and three major approaches can be used to design them: Shamir's approach [1] based on univariate polynomials, Blakley's approach [2] based on hyperplane geometry, and the Mignotte/Asmuth-Bloom approach [3,4] based on the Chinese Remainder Theorem (CRT).
In the majority of existing secret-sharing schemes, it is simply assumed that shares are released by the shareholders in the secret reconstruction phase, after which anyone can reconstruct the secret from these revealed shares. But in many cases it is undesirable for nonshareholders to learn the secret. Consider the scenario where a famous billionaire draws up his will and shares it among his children using secret-sharing; the children are told that the will should not be read while the billionaire is alive and that its contents should be kept strictly private among the family members. However, some paparazzi may want to learn the will after the billionaire passes away in order to make headline news. In this case, traditional secret-sharing schemes may not provide sufficient protection. To solve this problem, shareholders can use pairwise secure channels to exchange the shares, so that the recovered secret is available only to shareholders and not to nonshareholders. If these secure channels are built using cryptographic methods, a shared key must be established between every pair of shareholders beforehand. However, employing an additional key establishment protocol may make the secret-sharing scheme significantly more complicated.

Security and Communication Networks
The same problem also arises when secret-sharing schemes are used as building blocks in other cryptographic protocols. For example, threshold cryptography, first introduced by Desmedt [5], is the application of secret-sharing to public-key algorithms. Among the various threshold cryptosystems, some are based on ElGamal [6,7], some on RSA [8][9][10][11], some on elliptic curves [12,13], and some on pairings [14]. In these protocols, shares are used either to generate a digital signature or to decrypt a ciphertext. To prevent any nonshareholder from learning the outputs of the protocol, a shared key is again needed between every pair of shareholders. Similarly, employing an additional key establishment protocol in threshold cryptosystems can complicate the process significantly.
In this paper, we use bivariate polynomials to propose a new type of secret-sharing scheme, called protected secret-sharing (PSS), in which shareholders can use their shares to achieve two purposes simultaneously: one is to reconstruct the original secret and the other is to establish a shared key between every pair of shareholders. Using these shared keys, shareholders can build pairwise secure channels among themselves to exchange the shares in the secret reconstruction phase. Therefore, PSS provides an efficient solution for protecting the original secret from nonshareholders. Our proposed scheme is information theoretically secure, and it can easily be extended to threshold cryptosystems for the same purpose.
Note that although bivariate polynomials have been used to design many different types of secret-sharing schemes in the literature, for example, verifiable secret-sharing (VSS) [15][16][17], pairwise key distribution [18][19][20][21], and dynamic secret-sharing [22], the purpose of this work is different from the previous ones, and the types of bivariate polynomials employed are different as well.
The rest of the paper is organized as follows. In Section 2, we review some secret-sharing schemes based on polynomials. In Section 3, we present the models for PSS, including the system model, the adversary model, and the security goals. Our proposed (, ) PSS scheme based on bivariate polynomials is introduced in Section 4. Its security and complexity analysis is described in Section 5. Finally, we conclude the paper in Section 6.

Review of Secret-Sharing Schemes Based on Polynomials
Shamir's (, ) secret-sharing scheme [1] is based on univariate polynomials. The dealer first randomly selects a polynomial () over Z  with degree at most  − 1, where  = (0) is the secret. Then the dealer evaluates the polynomial () at different points   to generate the shares (  ) for  = 1, 2, . . ., . Here,  is a large prime with  > , and   is some public information associated with each shareholder. In what follows in this paper, we assume that all computations are modulo  unless otherwise stated.
In 1985, Chor et al. [23] extended the notion of secret-sharing and proposed the first verifiable secret-sharing (VSS) scheme. The verifiability property allows shareholders to verify the validity of their received shares. If invalid shares are found, shareholders can request the dealer to regenerate new shares. In the literature, several (, ) VSS schemes [15,16,[24][25][26][27] are designed using bivariate polynomials. A bivariate polynomial with degree at most −1 can be represented as where  , ∈ Z  , ∀,  ∈ [0, −1]. If the coefficients satisfy  , =  , , ∀,  ∈ [0,  − 1], such a polynomial is called a symmetric bivariate polynomial. Otherwise, it is called an asymmetric bivariate polynomial. In these VSS schemes, the dealer uses a symmetric bivariate polynomial (, ) to generate shares (  , ) for the shareholders, where  = 1, 2, . . ., . Each share (  , ) is a univariate polynomial with degree at most  − 1. Note that since (  ,   ) = (  ,   ), ∀,  ∈ [1, ], a pairwise key   = (  ,   ) = (  ,   ) can be established between the shareholders   and  . Therefore, a symmetric bivariate polynomial enables two shareholders to establish a pairwise shared key without any interaction.
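The symmetric-bivariate construction reviewed above, as an added worked example in Python (not code from the paper): each share is the univariate polynomial f_i(y) = F(x_i, y), any two shareholders agree on K_ij = f_i(x_j) = f_j(x_i) without talking to each other, and the constant terms f_i(0) = F(x_i, 0) are ordinary Shamir shares of F(0, 0). The modulus, the threshold and the shareholder identities x_i = 1..n are constructed values.

```python
import random

P = 2**61 - 1  # constructed: the large prime modulus p; all arithmetic is mod p

def eval_bivariate(coeffs, x, y, p=P):
    """F(x, y) = sum_{i,j} a[i][j] x^i y^j mod p, by Horner's rule in both variables."""
    acc = 0
    for row in reversed(coeffs):            # row i holds the coefficients of x^i
        inner = 0
        for a in reversed(row):             # column j holds the coefficient of y^j
            inner = (inner * y + a) % p
        acc = (acc * x + inner) % p
    return acc

def eval_uni(c, x, p=P):
    """Univariate Horner evaluation; c lists coefficients from the constant term upward."""
    acc = 0
    for a in reversed(c):
        acc = (acc * x + a) % p
    return acc

def symmetric_bivariate(t, secret, p=P):
    """Random symmetric F(x, y) of degree at most t-1 in each variable with F(0, 0) = secret."""
    a = [[0] * t for _ in range(t)]
    for i in range(t):
        for j in range(i, t):
            a[i][j] = a[j][i] = random.randrange(p)   # a[i][j] == a[j][i]
    a[0][0] = secret % p
    return a

def share(coeffs, x_i, p=P):
    """Share of shareholder x_i: the univariate polynomial f_i(y) = F(x_i, y), as coefficients of y."""
    t = len(coeffs)
    return [sum(coeffs[i][j] * pow(x_i, i, p) for i in range(t)) % p for j in range(t)]

def reconstruct_secret(points, p=P):
    """Lagrange interpolation at 0 over t pairs (x_i, f_i(0)); recovers F(0, 0)."""
    s = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        s = (s + yi * num * pow(den, -1, p)) % p
    return s

def demo(t=3, n=5, secret=123456789):
    """Returns (every pair agrees on its key, the key equals F(x_i, x_j), t shares recover the secret)."""
    F = symmetric_bivariate(t, secret)
    ids = list(range(1, n + 1))                # constructed public shareholder identities x_i
    shares = {x: share(F, x) for x in ids}
    pairs = [(i, j) for i in ids for j in ids if i < j]
    # K_ij = f_i(x_j) = f_j(x_i): neither side needs any interaction to compute it
    keys_agree = all(eval_uni(shares[i], j) == eval_uni(shares[j], i) for i, j in pairs)
    keys_match_F = all(eval_uni(shares[i], j) == eval_bivariate(F, i, j) for i, j in pairs)
    recovered = reconstruct_secret([(x, shares[x][0]) for x in ids[:t]])
    return keys_agree, keys_match_F, recovered == secret
```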

System Model
Definition 1 (protected secret-sharing (PSS)). In a PSS, the shares received by shareholders can be used to serve two purposes simultaneously: (a) reconstruct the original secret and (b) establish pairwise shared keys among shareholders (note that these pairwise shared keys are used to build a secure channel between every pair of shareholders in order to exchange the shares in the secret reconstruction phase; therefore, the reconstructed secret can be protected from any nonshareholder).
The players in our proposed scheme include a trusted dealer D,  shareholders { 1 ,  2 , . . .,   }, and some insider or outsider adversaries. We assume that all these players have unlimited computational power. Among the  shareholders, at least a portion  of them are assumed to be honest.
We assume that there exists a secure channel between the dealer and every shareholder, so that the shares can be securely distributed to shareholders. Moreover, we assume that every player is connected to a common authenticated broadcast channel C, so that any message sent through C can be heard by the other players. The adversaries cannot modify messages sent by an honest player through C, and they cannot prevent honest players from receiving messages from C. Note that these assumptions are widely used in existing secret-sharing schemes. With these assumptions, we can focus our discussion on the key aspects of PSS without digging into low-level technical details. Our purpose is to provide an efficient way to establish additional pairwise secret channels among shareholders without invoking a separate key establishment protocol.
Our proposed PSS scheme consists of two phases: (i) share generation and distribution by the dealer and (ii) secret reconstruction by shareholders. During the share generation and distribution phase, the dealer selects a random asymmetric bivariate polynomial to generate the shares for each shareholder, and every share consists of two univariate polynomials. These shares are sent to shareholders through the secure channels. During the secret reconstruction phase, each shareholder first uses her share to compute pairwise shared keys with the other shareholders. With these shared keys, pairwise secure channels can be established among the shareholders. After receiving the shares from the other shareholders through these secure channels, each shareholder can recover the original secret without leaking it to any nonshareholder.

Adversary Model.
We consider two types of adversaries in the proposed PSS scheme.
(i) Insider Adversary. The insider adversary is a legitimate shareholder who owns a share generated by the dealer. An insider adversary may work alone or collude with other insider adversaries to learn the secret before it is supposed to be reconstructed, or to cause an invalid secret to be recovered by contributing fake shares. Note that once the secret is reconstructed, we assume that the insider adversaries learn it, but they will not leak it to nonshareholders such as the outsider adversaries.
(ii) Outsider Adversary. The outsider adversary is an attacker who does not own any share generated by the dealer, but who may try to learn the secret that she is unauthorized to access. Note that this attack is possible in many existing secret-sharing schemes when the shares are exchanged in an insecure fashion during the secret reconstruction phase.

Security Goals.
In the security analysis, we demonstrate that the following security goals are satisfied by the proposed PSS scheme under our assumptions.
Definition 2 (correctness). If there exists a portion  > 2/3 of honest shareholders, the correct secret can always be reconstructed, and any insider adversary who uses a fake share in the secret reconstruction phase can be identified.
Definition 3 (secrecy). If there exists a portion  > 1/2 of honest shareholders, the insider adversaries cannot learn any information about the secret before the secret is supposed to be reconstructed. Moreover, in the secret reconstruction phase, the traffic flowing over the broadcast channel C reveals no information about the secret to the outsider adversary.
Note that the proposed PSS scheme aims to achieve information theoretic security. Hence, neither of the above security goals relies on any computational assumption.

The Proposed PSS Scheme
In this section, we propose a (, ) PSS scheme using asymmetric bivariate polynomials. There are two major differences between shares generated by a univariate polynomial and by a bivariate polynomial: (1) the shares generated by a univariate polynomial are integers in Z  , whereas shares generated by a bivariate polynomial are univariate polynomials over Z  ; (2) the shares generated by a univariate polynomial can only be used to reconstruct the secret, whereas the shares generated by a bivariate polynomial can be used both to reconstruct the secret and to establish pairwise keys among shareholders.

Share Generation and Distribution Phase.
First, the dealer D selects a random asymmetric polynomial: where (, ) has degree at most  − 1 in  and degree at most ℎ − 1 in  (i.e., ℎ > ( − 1); we explain this condition in the security analysis), where  = (0, 0) is the secret,  , ∈ Z  , and  is a large prime with  > . The dealer D computes a pair of shares (3) For each pair of shareholders, they use their shared keys to build a secure channel and then use this channel to exchange their Lagrange Components. For example, the shareholder   computes  , =
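The full PSS flow as an added worked example in Python (not the paper's code): the dealer picks an asymmetric F(x, y) of degree t−1 in x and h−1 in y under the coefficient-counting condition of the security analysis, which works out to h > t(t−1); shareholder x_i holds f1_i(y) = F(x_i, y) and f2_i(x) = F(x, x_i); each participant then computes her Lagrange component, one-time-pads it under a pairwise key for every other participant, broadcasts the ciphertexts, and sums the components she can decrypt. The modulus, the shareholder identities x_i = 1..n, and the choice that the sender x_i pads with K_ij = F(x_i, x_j) (readable from f1_i by the sender and from f2_j by the receiver) are my assumptions.

```python
import random

P = 2**61 - 1  # constructed: the large prime modulus p

def eval_uni(c, x, p=P):
    """Horner evaluation of a univariate polynomial given as coefficients from the constant term upward."""
    acc = 0
    for a in reversed(c):
        acc = (acc * x + a) % p
    return acc

def dealer_setup(t, h, n, secret, p=P):
    """Share generation: random asymmetric F(x, y), degree t-1 in x and h-1 in y, with F(0, 0) = secret.
    Shareholder x_i (constructed ids 1..n) gets f1_i(y) = F(x_i, y) and f2_i(x) = F(x, x_i)."""
    assert h > t * (t - 1), "degree condition from the coefficient-counting argument"
    a = [[random.randrange(p) for _ in range(h)] for _ in range(t)]   # a[i][j] multiplies x^i y^j
    a[0][0] = secret % p
    shares = {}
    for xi in range(1, n + 1):
        f1 = [sum(a[i][j] * pow(xi, i, p) for i in range(t)) % p for j in range(h)]
        f2 = [sum(a[i][j] * pow(xi, j, p) for j in range(h)) % p for i in range(t)]
        shares[xi] = (f1, f2)
    return shares

def key_as_sender(share_i, xj, p=P):
    """Step 1 at sender x_i: K_ij = F(x_i, x_j), read off f1_i(x_j)."""
    return eval_uni(share_i[0], xj, p)

def key_as_receiver(share_j, xi, p=P):
    """Step 1 at receiver x_j: the same K_ij = F(x_i, x_j), read off f2_j(x_i)."""
    return eval_uni(share_j[1], xi, p)

def lagrange_component(share_i, xi, participants, p=P):
    """Step 2: c_i = f1_i(0) * prod_{j != i} (-x_j / (x_i - x_j)); f1_i(0) is just the constant coefficient."""
    c = share_i[0][0]
    for xj in participants:
        if xj != xi:
            c = c * (-xj) % p * pow(xi - xj, -1, p) % p
    return c

def reconstruct(shares, participants, p=P):
    """Steps 3-5 as seen by participants[0]: one-time-pad each component, broadcast, decrypt, sum.
    Returns (recovered secret, the transcript an outsider sees on the broadcast channel C)."""
    transcript = []
    for xi in participants:
        c_i = lagrange_component(shares[xi], xi, participants, p)
        for xj in participants:
            if xj != xi:   # step 3: one one-time-pad encryption per other participant
                transcript.append((xi, xj, (c_i + key_as_sender(shares[xi], xj, p)) % p))
    me = participants[0]
    total = lagrange_component(shares[me], me, participants, p)
    for xi, xj, ct in transcript:
        if xj == me:       # step 4: decrypt what was addressed to me with the key only I (and x_i) hold
            total = (total + ct - key_as_receiver(shares[me], xi, p)) % p
    return total, transcript  # step 5: the sum of all components is F(0, 0)

def demo(t=3, h=7, n=5, secret=42):
    shares = dealer_setup(t, h, n, secret)
    keys_agree = all(key_as_sender(shares[i], j) == key_as_receiver(shares[j], i)
                     for i in shares for j in shares if i != j)
    recovered, transcript = reconstruct(shares, [1, 2, 3])
    return keys_agree, recovered == secret, len(transcript)
```

The transcript contains only padded values, so an outsider on C cannot add them up to obtain the secret; each ciphertext is a uniformly distributed element of Z_p exactly as the secrecy proof requires.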

Security and Complexity Analysis
In this section, we first prove the correctness and secrecy of the proposed scheme; that is, neither type of adversary can achieve its objectives under our assumptions. Then, we briefly analyze the complexity of the proposed scheme.

Security Analysis
Theorem 4. The proposed scheme achieves the correctness property. That is, if there exists a portion  > 2/3 of honest shareholders, the correct secret can always be reconstructed, and any dishonest shareholder who uses a fake share in the secret reconstruction phase can be identified.
Proof. To prove this theorem, we first consider the situation in which there are no dishonest shareholders. Then we justify why fewer than a 1/3 portion of dishonest shareholders cannot prevent the correct secret from being reconstructed. In step 2 of the secret reconstruction phase, each shareholder   uses her share  1  () to compute the Lagrange Component of the secret  as Since (, 0) is a univariate polynomial with degree at most  − 1, the secret  can be obtained in step 5 through Lagrange Interpolation as Therefore, if all shareholders are honest, the correct secret can be reconstructed. However, if there exist some dishonest shareholders, they may use fake shares in the secret reconstruction phase. In the proposed PSS scheme, the secret can be reconstructed by any subset of  or more than  shareholders. Hence, we assume that there are at most  − 1 dishonest shareholders; otherwise, the dishonest shareholders working together would have the ability to reconstruct the secret. In this case, any other polynomial (, 0) that passes through  points agrees with the true polynomial on at most  − 1 points and disagrees on at least  −  + 1 points. In other words, these polynomials have a Hamming distance of  −  + 1, and this distance can correct any number of errors that is less than ( −  + 1)/2 according to Coding Theory. Therefore, if  − 1 < ( −  + 1)/2, the correct secret can always be reconstructed. Note that  − 1 < /3 is another form of this inequality. To speed up the decoding process, either the Euclidean decoder or the Berlekamp-Massey decoder can be used. Moreover, once the correct secret is determined, the invalid shares can be identified as well. This is because any subset that contains invalid shares will interpolate to an incorrect secret.
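The argument of Theorem 4 carried out in code, as an added example that is not part of the paper: given the n released values (x_i, F(x_i, 0)) of which at most t−1 are fake, a polynomial of degree at most t−1 that agrees with at least n−(t−1) of them must be the true F(x, 0), because a wrong polynomial can match at most t−1 honest points plus the t−1 fakes, and 2(t−1) < n−(t−1) exactly when t−1 < n/3. The brute-force subset search below stands in for the Euclidean or Berlekamp-Massey decoders the proof mentions; the modulus, the honest values and the two tampered shareholders are constructed, and recovering F(x_i, 0) from a received Lagrange component by dividing out the public coefficient is assumed to have happened already.

```python
from itertools import combinations
import random

P = 2**61 - 1  # constructed: the large prime modulus p

def eval_uni(c, x, p=P):
    """Horner evaluation; c lists coefficients from the constant term upward."""
    acc = 0
    for a in reversed(c):
        acc = (acc * x + a) % p
    return acc

def interpolate(points, p=P):
    """Coefficients (constant term first) of the unique polynomial of degree < len(points) through the points."""
    k = len(points)
    coeffs = [0] * k
    for xi, yi in points:
        basis, den = [1], 1                       # build prod_{j != i} (x - x_j) and its value at x_i
        for xj, _ in points:
            if xj != xi:
                basis = [(lo - xj * hi) % p for lo, hi in zip([0] + basis, basis + [0])]
                den = den * (xi - xj) % p
        scale = yi * pow(den, -1, p) % p
        coeffs = [(c + scale * b) % p for c, b in zip(coeffs, basis)]
    return coeffs

def decode(points, t, p=P):
    """Recover the secret F(0, 0) from n released values (x_i, F(x_i, 0)) of which at most t-1 are fake.
    Returns (secret, list of x_i whose value was fake), or None if no consistent polynomial exists."""
    n = len(points)
    assert 3 * (t - 1) < n, "Theorem 4 needs t - 1 < n/3"
    for subset in combinations(points, t):
        poly = interpolate(list(subset), p)
        agree = {x for x, y in points if eval_uni(poly, x, p) == y}
        # a wrong degree-(t-1) polynomial matches at most t-1 honest points plus t-1 fakes,
        # so only the true F(x, 0) can agree with n - (t - 1) or more of the released values
        if len(agree) >= n - (t - 1):
            return poly[0], [x for x, _ in points if x not in agree]
    return None

def demo(t=3, n=7, secret=99):
    true_poly = [secret] + [random.randrange(P) for _ in range(t - 1)]   # F(x, 0), constant term is the secret
    released = [(x, eval_uni(true_poly, x)) for x in range(1, n + 1)]
    # constructed: shareholders 2 and 5 release tampered values
    released = [(x, (y + 1) % P if x in (2, 5) else y) for x, y in released]
    return decode(released, t)
```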
Theorem 5. The proposed scheme satisfies the secrecy property. That is, the outsider adversaries cannot obtain any information about the secret. Moreover, if there exists a portion  > 1/2 of honest shareholders and the condition ℎ > ( − 1) holds, then  or more than  shares can recover the secret, but fewer than  shares cannot reveal any information about the secret.
Proof. Although the shareholders exchange information through the authenticated broadcast channel C in the secret reconstruction phase, all messages are encrypted. Based on the assumption that the asymmetric polynomial is randomly selected over Z  by the dealer D, the messages and the shared keys are all randomly distributed within the same space Z  . Moreover, since the messages are exchanged only once, a one-time pad can be used here to encrypt these messages. Therefore, even if the outsider adversary has unlimited computational power, she cannot obtain any information about the secret. Next, we prove that if  > 1/2 and ℎ > ( − 1), the insider adversaries cannot learn the secret before it is reconstructed. The first inequality simply states that there should be a majority of honest shareholders; otherwise, the dishonest shareholders would have all the abilities that the honest ones have, including the ability to reconstruct the secret. Note that this requirement is widely used in most existing secret-sharing schemes. Regarding the second inequality, recall that the polynomial (, ) is an asymmetric polynomial of degree  − 1 in  and degree ℎ − 1 in . It contains ℎ different coefficients. In the proposed scheme, each share { 1  (),  2  ()} contains two univariate polynomials with degree ℎ − 1 in  and degree  − 1 in , respectively. In other words, each shareholder can use her share to establish at most  + ℎ linearly independent equations in terms of the coefficients of the bivariate polynomial (, ). When  − 1 colluding shareholders put their shares together, they can establish a total of ( + ℎ)( − 1) linearly independent equations. If the number of coefficients of the bivariate polynomial (, ) is larger than the number of equations available to the colluding shareholders, that is, ℎ > ( + ℎ)( − 1), the  − 1 dishonest shareholders cannot recover (, ). Hence, they cannot learn any information about the secret. Therefore, these two inequalities together ensure that fewer than  shares cannot reveal any information about the secret.

Complexity Analysis.
In this section, we analyze the complexity of our proposed scheme and compare it with that of Shamir's secret-sharing scheme. Regarding the share generation and distribution phase, in our proposed PSS scheme each share { 1  (),  2  ()} consists of two univariate polynomials: one of degree  − 1 in  and the other of degree ℎ − 1 in . Therefore,  + ℎ coefficients in Z  need to be transmitted from the dealer to each shareholder, and each shareholder needs to store these coefficients. The storage requirement for each shareholder is ( + ℎ)log 2  bits, where  is the modulus. In Shamir's secret-sharing scheme, each share is a single value in Z  . Therefore, only one value in Z  needs to be transmitted from the dealer to each shareholder, and the storage requirement for each shareholder is log 2  bits. Note that, when evaluating the polynomials, Horner's algorithm can be used to reduce the computational cost both in our proposed scheme and in Shamir's secret-sharing scheme.
Regarding the secret reconstruction phase, in step 1 each shareholder needs to compute pairwise shared keys with the other shareholders. Note that this step does not involve any interaction. Using Horner's algorithm, evaluating the polynomials of degree ℎ − 1 and degree  − 1 requires ℎ steps and  steps, respectively, where each step consists of one multiplication and one addition. In step 2, each shareholder needs to compute   =  1  (0)∏  =1, ̸ = (−  /(  −   )). Since  1  (0) is the constant coefficient of the polynomial  1  (), there is no need to compute this value. Therefore, the computational cost of evaluating   is identical to that in Shamir's secret-sharing scheme. Finally, there are  − 1 one-time pad encryptions in step 3 and  − 1 one-time pad decryptions in step 4. Based on the above analysis, the computational complexities of the two schemes are similar. However, compared with Shamir's secret-sharing scheme, more information needs to be transmitted and stored by each shareholder in our proposed scheme. This price is paid to achieve an additional property: the recovered secret is not revealed to nonshareholders. This property is desirable in many applications, and our proposed scheme achieves it even if the adversaries have unlimited computational power. Although combining a pairwise key establishment protocol [18,28] with Shamir's secret-sharing scheme can also protect the secret from nonshareholders, most pairwise key establishment protocols are computationally secure (not information theoretically secure), and the complexity of the key establishment protocol grows quadratically with the number of shareholders participating in the secret reconstruction phase.
Some Future Works.
In the last three decades, many fascinating works on secret-sharing have been proposed in the literature, and different types of secret-sharing schemes provide different properties. For example, verifiable secret-sharing (VSS) schemes [15][16][17] not only allow the shareholders to verify the validity of their received shares in the share generation and distribution phase but also allow the verification of the revealed shares in the secret reconstruction phase. In proactive secret-sharing schemes [29][30][31], shareholders can refresh their shares periodically without the dealer being involved, so that shares obtained by the adversaries become obsolete after the shares are updated. Moreover, the threshold can be dynamically adjusted when some shareholders join or leave. In multiple secret-sharing schemes [32][33][34], each shareholder can use her share to recover multiple secrets at different stages. In this paper, we have not considered these additional properties, and the existing secret-sharing schemes have not considered the issue of protecting the secret(s) from nonshareholders. Therefore, incorporating the ideas presented in this paper into these different types of secret-sharing schemes will be interesting, and we consider these further investigations as our future work.

Conclusion
A new type of secret-sharing, called protected secret-sharing (PSS), has been introduced in this paper. In a PSS scheme, the shareholders' shares can be used not only to recover the secret but also to protect the exchanged shares against nonshareholders in the secret reconstruction phase. A (, ) PSS scheme using a bivariate polynomial is proposed, and we provide security and complexity analysis of the proposed scheme. Some possible future works are also discussed in the paper. Note that our method is generic enough to be applied directly to threshold cryptosystems for the same purpose.