A Group Identification Protocol with Leakage Resilience of Secret Sharing Scheme

,


Introduction
e secret-sharing scheme, originally and independently introduced by Shamir [1] and Blakley [2], is a method in which a dealer selects a secret and distributes it as shares among a set of parties in the distribution stage. Only the predefined subsets of parties can reconstruct the secret from their shares, while others learning nothing about the secret in the reconstruction stage. ese subsets are called qualified, and the monotonic collection of qualified subsets is called an access structure of the secret-sharing scheme. As a basic primitive in cryptography, the secret-sharing scheme has been used widely in security applications and protocols, such as threshold cryptography [3], secure multiparty computation [4], cloud computing [5][6][7], oblivious transfer [8], and access control [9].
In general, in the secret-sharing scheme (n parties and access structures are known in advance), there are two types of access structures: threshold and nonthreshold. In the threshold access structure, at least t � t(n) qualified parties can reconstruct the secret key. In [10], the authors constructed an evolving secret-sharing scheme for a dynamic threshold access structure. In their scheme, the size of the qualified set increases if the number of parties increases. However, in the nonthreshold access structure, the size of the qualified set is not limited, i.e., any collection of the qualified subsets can reconstruct the secret key. If the nonthreshold access structure (a small monotonic span program) can be described, then an efficient secret-sharing scheme is realized [11]. For instance, given the forbidden graph access structure, Beimel et al. [12] proposed a linear secret-sharing scheme for forbidden graph access structures.

Secret-Sharing Scheme from Linear Codes.
ere is a natural correspondence between linear codes and a secretsharing scheme. McEliece and Sarwate noted the relationship between Shamir-Blakley's secret-sharing scheme and Reed-Solomon codes in [13]. Since then, several secretsharing schemes have been constructed in terms of linear error-correcting codes [14][15][16]. To construct a secret-sharing scheme from linear codes, Massey pointed out the relationship between the access structure and the minimal codewords of the dual code of the underlying code [17,18]. erefore, when designing a secret-sharing scheme based on linear codes, it is necessary to consider the open problem of how to determine the minimal codewords for certain linear codes. In this work, we assume that the codes and their dual codes are efficiently encodable and decodable, respectively. In this work, the relationship between secret-sharing scheme and linear codes is presented in Section 2.1.

Leakage-Resilient Secret-Sharing Scheme.
In the application of secret-sharing scheme realizing the access structure, some parties exist that might cheat others by providing false secret keys under the sharing control, and the information about the secret key is leaked. To avoid this situation, it is necessary to consider the challenge of protecting the secret key of the dealer and the shares of parties against information leakage, i.e., in previous work, most researchers generally used leakage-resilient cryptographic primitives [19][20][21][22][23][24] and leakage-resilient devices [25,26] to protect the security of the secret key. e cryptographic primitives and computational devices are said to be leakage-resilient if it remains secure in the presence of bounded-leakage of an internal (secret) state. In the work presented in [27], the authors defined the assumption that only the computation leaks information. In other words, there is no leakage without computation. However, this assumption does not guarantee security in the model because cold-boot attacks [28] may work [29]. erefore, motivated by the work of Dziembowski and Pietrzak [30], we describe the leakage assumptions considered in this work as follows: Independent leakage: the computation can be organized into rounds, and the leaks in each round are independent Bounded leakage: in each round, the number of leakages are bound to some parameters,whereas the total leakage bit is bounded by l Bounded domain: in fact, the leakage function takes as input only the secret state during the invocation Formally, in the bounded-leakage model, an attacker can repeatedly and adaptively access to a leakage oracle and learn information about the secret key, as long as the total number of information leaked is bounded by some parameter l. An attacker chooses a sequence of polynomial-time-computable leakage functions f i : 0, 1 { } |sk| ⟶ 0, 1 { } l i n i�1 and obtains f(state), where state is the party P's secret state information at the end beginning of each round i and i l i ≤ 1.

Our Contributions.
In this work, we construct a secretsharing scheme for a given access structure arising from linear correcting codes. According to the definitions of security models and attack models, we prove that our protocol is an n-prover zero-knowledge proof system in the random oracle model, which reveals that the secret key can be shared repeatedly without leaking any information in the case of a passive attacker. Additionally, our protocol is a leakage-resilient secret-sharing scheme (LRSS) in the bounded-leakage model, which shows that it is leakageresilient against (θ, n, l)-BCP.
In particular, as an application, our LRSS is a group identification scheme (GID-scheme); that is, all qualified parties can detect whether the dealer is cheating, and any verifier can detect whether unqualified parties are cheating. We also prove that our GID-scheme is leakage-resilient in the bounded-leakage model. e basic construction of our scheme relies on the following considerations: Assume that a private channel exists in the distribution protocol of our protocol between every party and the dealer and that all the parties have an individual broadcast channel Given the public key pk and l bits of secret key sk leakage, our protocol is performed between any probabilistic polynomial-time adversarial verifier V * and an honest prover P, maintaining informationtheoretic entropy and achieving security in the bounded-leakage model For any adversarial prover, the corresponding secret key of the emulated identity's public key should be known For one public key, the probability of an algorithm to find two distinct secret keys is negligible is paper is organized as follows. In Section 2, we introduce some definitions and lemmas that are used in this work. We describe how to construct our protocol in Section 3 and provide several proofs of the properties of our protocol in Section 4. As an application, we propose a group identification protocol in Section 5. Finally, we provide the conclusions and future work on this topic in Section 6.

Preliminaries
Here, we introduce the notations and basic definitions used throughout this work. Let N and R be sets of natural numbers and real numbers, respectively. We write [n] to indicate the set 1, . . . , n { } of natural numbers n ∈ N. Let |x| denote the binary length of x.

Secret-Sharing Scheme from Linear Codes and Security
Definitions. Let F q denote a finite field where q is a prime. We write F * q for the set of nonzero elements of F q ; then, F * q is a multiplicative cyclic group with q − 1 elements, and any element in F * q has order dividing q − 1. We use the symbol F n q to refer to an n-dimensional linear vector space over F q .

Complexity
Let "‖" denote the concatenation of finite vector (bold letter), i.e., x � ( Definition 1 (linear codes). An [n, k] code C is a k-dimensional linear subspace of F n q , which means that the sum of the two codewords of C is a codeword and that the product of any codeword by a field element is a codeword.
Let P n � P 1 , . . . , P n be a set of n parties. e definition of the access structure (monotone) is given as follows.
Definition 3 (access structure [31,32] is called an access structure, if it satisfies the monotone property, i.e., for any A ′ ∈ AS and A ′ ⊆ A ⊆ 2 P n , it holds A ∈ AS. Any subsets in AS are called qualified (or authorized), and the subsets that do not belong to AS are called unqualified (or unauthorized).
Definition 4 (secret-sharing scheme, SSS). Let Share be any probabilistic algorithm that takes as input a secret s ∈ S and returns n shares s � (s 1 , . . . , s n ). Let Recon be a deterministic algorithm that takes as input the shares of a subset Λ and output a possible secret. Note that S is the domain of the secret key. We say that an (n, t)-secret-sharing schemeSSS � (Share, Recon) over field F q for realizing an access structure AS, if it satisfies.
Correctness: for every secret s ∈ S and every qualified set, Λ ∈ AS with |Λ| ≥ t, and it has the equation Recon(s Λ , Λ) � s Security: for every unqualified set, Λ ∉ AS with |Λ| < t, and two arbitrary distinct secrets s (1) , s (2) ∈ S, s (1) Λ is identically distributed to s (2) Λ , where s ⟶ Share(s) and s Λ � s i i∈\Λ are the completed shares of parties in Λ Definition 5 (linear secret-sharing scheme, LSSS). An (n, t)-SSS � (Share, Recon) over field F q is linear if the codomain of Share is the vector space F n q , and Share is a F q -linear mapping and Share(s) is uniformly probability distributed over F n q for any s ∈ F q . Based on the work in [17], we use a linear codes to construct an SSS as follows. An [n + 1, k] code C is a linear subspace of F n+1 q . Note that G � (g 0 , g 1 , . . . , g n ) be the generator matrix for C, where g i ∈ F k q is the column vector of G, 0 ≤ i ≤ n. In the SSS � (Share, Recon) constructed from C, the secret s is an element of F q , n parties P 1 , P 2 , . . . , P n and a dealer D are involved. To compute the shares s 1 , . . . , s n of secret s, D performs the algorithm Share as follows.
To reconstruct the secret s, the algorithm Recon of SSS is performed as follows: recall the fact that the dual code C ⊥ of C can be defined using the following formula: Namely, a vector x ∈ F n+1 q belongs to C ⊥ if and only if x is orthogonal to Using equation (1), the secret s can be reconstructed from the shares s 1 , s 2 , . . . , s n .

Lemma
1. Assume that A � P c 1 , . . . , P c m ⊆ P n , 1 ≤ c 1 < · · · < c m ≤ n; then, the members in A can reconstruct the secret s with their own shares s c 1 , . . . , s c m if and only if the vector g 0 is a linear combination of g c 1 , . . . , g c m .
"⇐" Assume that g 0 is a linear combination of g c 1 , . . . , g c m ; then, there exists a c 1 , . . . , a c m ∈ F q such that en, the secret s is reconstructed by calculating e above mentioned SSS realizes that the access structure AS is defined as follows: where "span" means the linear space spanned by the element of the g i | P i ∈ A set. Based on Definition 4 and the work of [19], we present the security definition of SSS and the adversarial model in the following.
In this work, to model adversarial leakage attacks on a secret key s, the adversary has an opportunity to adaptively access a leakage oracle and obtains information about the secret key s. e formal definition of leakage oracle is given as follows.
□ Complexity Definition 6 (leakage oracle [20,22]). Let O λ,l sk (·) be a leakage oracle, which is parameterized by a prover's secret key sk, a leakage parameter l, and a security parameter λ. A query to the leakage oracle is constituted by a leakage function [n] , and the oracle responds with f j (sk). e oracle O λ,l sk (·) is restricted in the total number of l bits. For all queries received, O λ,l sk (·) only responds to the kth leakage query and computes the function f j (w) for at most poly(·) steps if k j�1 l j ≤ l, where 1 ≤ j ≤ k ≤ n. Otherwise, the oracle ignores the queries.
Remark 1. Note that l � 0 means that there is no information leaked to the simulator in an ideal setting, whereas l ≈ 1 means that a malicious adversary (or verifier) learns nothing from the protocol other than obtaining the validity of the proven statement and obtaining the leakage information from an honest user (or prover).

Definition 7 (l-bounded adversary). Let Θ be a subset of [n].
We say that an adversary A is l-bounded, if the corruption set P Θ : � P i i∈Θ selected by A satisfies the following property; for each P i ∈ P Θ , it holds that i∈Θ l i ≤ l, where l i denotes the length of the output of an arbitrary (leakage) Definition 8 (leakage-resilient secret sharing, LRSS). Let S be any secret key domain and AS be any access structure on parties P 1 , . . . , P n . We say an SSS realizing AS is , if for every leakage protocol Leak in (θ, n, l)-BCP, and for every pair of secrets s (1) , s (2) ∈ S, the following holds: where Θ denotes the subset of [n]. at is, the distribution of transcript learned by A on sharing s (1) is statistically closed to the distribution of transcript learned by A on sharing s (2) . In particular, an SSS � (Share, Rec) is said to be In our work, the notation (θ, n, l)-BCP) presented in Definition 4 is inspired by the work [33]. We give the program (θ, n, l)-bounded corrupted program (or (θ, n, l)-BCP) as follows. n parities P 1 , . . . , P n and θ ≤ n, where θ is an upper bound on the number of parties corrupted by adversary A in any round. Let l be the leakage bound. Let f be leakage function family . We write f(s) � (f 1 (s 1 ), . . . , f n (s n )) for the total leakage seen by adversary on the shares s � (s 1 , . . . , s n ) of secret s.
Leak is empty at the begining of leakage-protocol Leak is appended with the leakage and |Leak| ≤ l COMPUTE Leak←Leak(f(s Θ )) in each round, where s Θ : � s i i∈Θ and |Θ|⩽θ OUTPUT final transcript Leak as leakage

Zero-Knowledge
Definition 9 (negligible functions). A function μ: N ⟶ R is negligible if, for any positive polynomial poly(·), there exists N ∈ N such that, for all n > N, Definition 10 (probability ensemble). X denotes a countable set. An ensemble indexed by X indicates a sequence of random variables indexed by X. For instance, A � A i i∈X is an ensemble indexed by X, where each A i is a random variable.

Definition 11 (polynomial-time indistinguishability). Let
A � A n n∈n * and B � B n n∈n * be two difference ensembles indexed by n * . If holds for any probabilistic polynomial-time (PPT) algorithm D, any positive polynomial poly(·), and any sufficiently large n, then we say that A and B are indistinguishable in polynomial time.
In the following context, we use the terminology computationally indistinguishable instead of indistinguishability in polynomial time.
Definition 12. Let λ be a security parameter and let X � X(λ) and Y � Y(λ) be the ensemble sets. Let R be a witness relation associated with language L on X × Y, where L is defined as L � x: ∃ y s.t.(x, y) ∈ R . R is polynomially bounded (i.e., (x, y) ∈ R implies |y|⩽poly(|x|)) and recognized in polynomial time. Given x ∈ L, an element y ∈ Y such that (x, y) ∈ R is called a witness. Suppose that K is a PPT algorithm, which takes as input (1 λ ) and outputs pairs We write P and V to denote the prover and the verifier, respectively, where P and V are two interactive probabilistic polynomial turning machines.
Definition 13 (interactive proof system, [34]). A pair of interactive machines (P, V) is called an interactive proof system for a language L if machine V is PPT and the following two conditions hold: Complexity Now, we consider the interactive protocol consisting of infinitely powerful n machines P 1 , . . . , P n interacting with a PPT machine V. Definition 14 (multiprover interactive proof system [35]). We say that the interactive turning machines (P 1 , . . . , P n , V) in the n-prover model are called multiprover interactive proof system for language L, if an interactive PPT Turning machine V exists and the following two properties are satisfied: Completeness: for Definition 15 (multiprover computational zero-knowledge [34]). Let (P 1 , . . . , P n , V) be a multiprover interactive proof system with some language L. We say that Definition 15, the ensemble View (P 1 , . . . , P n , V * )(x) x∈L denotes the view (or output) of the interactive machine V * after interacting with n interactive machines P 1 , . . . , P n on common input x (namely, the transcript about the sequence of messages exchanged between V * and P 1 , . . . , P n ). M(x) { } x∈L denotes the output of M on input x. In this case, we call M is a simulator for the interaction of V * with P 1 , . . . , P n . e existence of M means that V * does not gain any more knowledge than M. Indeed, M does not access P 1 , . . . , P n and might not know whether P 1 , . . . , P n exists. However, it is able to simulate the interaction of V * with P 1 , . . . , P n .
Succinctly speaking, an interactive proof system (P 1 , . . . , P n , V) for language L is zero-knowledge if whatever can be efficiently computed by V after interacting with P 1 , . . . , P n on common input x ∈ L can also be directly computed by the simulator with input x.

Identification Schemes and Security Definitions.
In this section, we first recall the standard cryptographic concepts of -protocols presented in [36,37] and identification schemes (ID-scheme) presented in [20]. en, we present the formal security definitions of the ID-scheme. We write TR←(P(y), V)(x) to denote the transcript TR that was generated through an interactive protocol (P, V), where y is the private input of P and x is the common input of P and V. e notation Out V (z) denotes the output of V with input z ∈ TR. V outputs Out V (z) � 1 if he accepts the proof and Out V (z) � 0 otherwise. [36,37]). Let (P, V) be an interactive proof system for language L. e prover P takes as input x ∈ L and sends a witness y to verifier V. V takes as input the common input x and the received y, and it outputs 1 if |y| � poly(|x|) and (x, y) ∈ R.
A -protocol for the relation R is a 3-round interactive proof system (P, V) that can be described as follows: Step P1: P first sends a commitment α to V, i.e., α←P(x, y) Step V1: V responds with a challenge β based on α, i.e., β←V(x, α) Step P2: P returns with c based on β, i.e., c←P(x, y, α, β) Step Here, TR: � (α, β, c). A -protocol satisfies the following properties: , and P2 can be denoted by TR←(P(y), V)(x). 2-special soundness: sssume that an extractor Extor exists for every x ∈ L, given two valid transcripts e Extor takes as input (α, β, c, β ′ , c ′ ) and outputs a witness y for the relation R. Honest verifier zero-knowledge: for every PPT turning machine V * , a probabilistic algorithm M exists such that the two ensembles View (P, Definition 17 (identification scheme [20]). An identification scheme (ID-scheme) contains four PPT procedures ParGen, KeyGen, P, V . e concrete description is as follows: params←ParGen(1 λ ): the parameter generation procedure takes as input security parameter λ and returns the system parameters of the identification scheme, denoted by params. params are common to all users and issued to KeyGen, P, and V as inputs.
(pk, sk)←KeyGen(): the key generation procedure takes as input params and outputs the public key pk and secret key sk. P(pk, sk), V(TR, pk): P denotes a prover and V denotes a verifier. V returns a judgement b ∈ 0, 1 { } about P after executing the protocol. If b � 1, then V accepts P's identity. b � 0 otherwise.
To obtain a secure (group) ID-scheme, we define some security definitions and models.

(11)
Soundness: for any party P i ∉ AS and any PPT algorithm, the advantage of P ′ Pr params←ParGen 1 λ ; pk 1 , . . . , pk n ←KeyGen() is negligible, where the private input ϕ of P ′ (·) is an empty string and TR is defined in Definition 16 and i ∈ [m].
Before we formally define of the leakage-resilient IDscheme, we first consider two security games (illustrated in Table 1), which are inspired by the work presented in [20]. e first game called pre-emulation leakage security is simulated by the attack game ID λ prel (A) and allows the adversary A to send leakage queries before the emulation attack. e second game called arbitrary time leakage security is simulated by the attack game ID λ arbl (A) and allows the adversary A to adaptively execute leakage attacks at an arbitrary time during an emulation attack. e key generation phase and test phase are the same in the games ID λ prel (A) and ID λ arbl (A). e emulation phase is divided into two separate games according to the definitions of ID λ prel (A) and ID λ arbl (A), respectively.

Definition 19
(leakage-resilient ID-scheme). Let KeyGen, P, V be an ID-scheme, which is parameterized by security parameter λ and holds the property of completeness. We say that KeyGen, P, V is secure against the preemulation leakage l if the advantage of any PPT adversary A in the attack game ID λ prel (A) is negligible in λ. Additionally, it is secure against the arbitrary time leakage l if the abovementioned adversary A for the attack game ID λ arbl (A) is negligible in λ.

Protocol 1: e Basic Leakproof Secret-Sharing Scheme.
For self-containedness, we recall the leakproof secretsharing scheme [38] as follows. Let D be a dealer, V be a verifier, and P 1 , . . . , P n be n parties.
Initialization. In this stage, all the system parameters are generated. e dealer D obtains a public key corresponding to the public key encryption scheme Enc. In addition, suppose that D holds a private channel with every party and that D and every party keep a broadcast channel.
Distribution protocol. is protocol is divided into two steps: (1) Distribution of the shares: this step is executed by the dealer D. First, for the master secret key s, D generates n shares s 1 , . . . , s n of s and sends them to P 1 , . . . , P n through individual private channels. Second, D calculates Enc(s) and publishes it by his broadcast channel. (2) Verification of the shares: every party P j verifies the validity of share s j received from D, where j � 1, 2, . . . , n. If the verification condition is not satisfied, we will say that the dealer fails, and the protocol is aborted.
Proof protocol. is protocol is also divided into two steps: (1) Proof of the secret s: let Λ be any qualified subset for parties P 1 , . . . , P n . Each P i ∈ Λ holds the secret share s i ∈ s Λ . Parties in Λ run a multiprover zeroknowledge argument of knowledge with the verifier V prove that they indeed share the secret s. During this interactive proof process, Enc(s) is a common input of parties in Λ between V. (2) Verification of the secret s: to check whether every P i ∈ Λ keeps a valid secret s i , V verifies the following condition s � F(s Λ ), where F stands for some certain deterministic polynomial-time function.

Protocol 2: Secret-Sharing Scheme via Linear Codes.
In this section, we begin to describe how our secret-sharing scheme is constructed using linear codes in detail. First, suppose that we have obtained an access structure realized by linear codes C and that G is the corresponding generator matrix.
Initialization. Let λ be a security parameter and q be a large prime number, and p is a prime factor of q − 1. Let F q be a finite field. We write 〈g〉 to indicate a cyclic group generated by an element g ∈ F * q with order |〈g〉| � p and 〈g〉 ⊂ F * q . Let C be a linear code over F q with length n + 1; its generator matrix G � (g ij ) k×(n+1) , where 0 ≤ i ≤ k − 1, 0 ≤ j ≤ n. Table 1: Attack game for defining the pre-emulation leakage security and arbitrary time leakage security of ID λ prel (A) and ID λ arbl (A), respectively. Attack Game ID λ prel (A) Attack Game ID λ arbl (A) (1) Key generation phase: run two algorithms params←ParGen(1 λ ), (pk, sk)←KeyGen() and give (params, pk) to the adversary A (2) Test phase: the adversary A O λ,l sk (·),P(pk,sk) can access oracles O λ,l sk (·) (the leakage oracle) and P(pk, sk) (an honest prover oracle), where O λ,l sk (f) returns f(sk) (3) Emulation phase: this phase is divided into two separate games (i) For the game ID λ prel (A): the adversary A is not allowed to access oracles O λ,l sk (·) and honest prover oracle P. A performs an interactive protocol, denoted by (A, V(pk)) with an honest verifier V (ii) For the game ID λ arbl (A): the adversary A only gets access to the leakage oracle O λ,l sk (·) and performs the interactive protocol, denoted by (A O λ,l sk (·) , V(pk)) with an honest verifier V

Complexity
Let D be a dealer and P n � P 1 , P 2 , . . . , P n be a party set. V denotes a verifier with V ∉ P n . Assume that a private channel between the dealer D and each P j (j ∈ [n]) and a public channel between P j 1 and P j 2 exist, where j 1 ≠ j 2 and j 1 , j 2 ∈ [n]. In addition, the dealer D has a broadcast channel. We assume that the computing power of all individuals in this protocol is polynomial-time bound. e encryption algorithm Enc is defined as e dealer D randomly chooses s from F p and p > max s, n { }. e master private key sk � s and the public key pk � (p, q, g).
Distribution protocol. is protocol is divided into two steps: (1) Distribution of shares: D defines s 0 � s and calculates and publishes B 0 � Enc(s 0 ) by a broadcast channel.
To distribute the master secret key s among n parties P 1 , . . . , P n , D executes the algorithm Share of SSS � (Share, Recon) and gets s ⟵ Share(s). More precisely, the algorithm Share is described by the following program of SECRET DISTRIBUTION: GET a shares s � (s 1 , . . . , s n ) of secret s 0 � s en, D sends s 1 , . . . , s n to P 1 , . . . , P n , respectively.
(2) Verification of the shares: for each P j ∈ P n , let s j denote the private key sk j . Each P j ∈ P n performs the following program of SECRET VERIFICATION to check the validity of his own share for j ∈ [n]: REJECT the share s j and repeat the program Proof protocol. According to the abovementioned Distribution protocol, B 0 , p, q, g, and G are common inputs of parties in P n between V. Every party P j ∈ P n has a secret input s j for j ∈ [n]. Let P c m : � P c 1 , . . . , P c m be a size m subset of P n , and every party P c i has valid secret input s c i , where i ∈ [m], 1 ≤ c 1 < · · · < c m ≤ n. To reconstruct the secret s, for all of P c 1 , . . . , P c m , they need to determine the existence and uniqueness of the solutions to the system g 0 � d c 1 g c i + · · · + d c m g c m , where g 0 , g c 1 , . . . , g c m are the column vector of the generator matrix G of [n + 1, k] code C. e calculation is presented in Lemma 1. is protocol is divided into two steps: (1) Proof of the secret s: this step can be described as follows: Step P1: every party P c i ∈ P c m chooses a random r c i ∈ F p , computes that x c i � g r c i (mod q), and sends Step V1: V chooses a random number z ∈ 1, 2 { } and then sends z to all parties P c 1 , . . . , P c m Step P2: every party P c i ∈ P c m computes y c i � r c i − zd c i s c i (mod p) and then sends y (2) Verification of the secret s: Step V2: if it holds that g y c 1 +y c 2 +···+y c m B z 0 � m i�1 x c i (mod q), then V believes that P c 1 , . . . , P c m share the secret s satisfying B 0 � g s (mod q); otherwise, V rejects it.

Security Analysis of Protocol 2
In the following context, to illustrate and analyze the argument of our interactive protocol between parties P 1 , . . . , P n and verifier V, we use prover to replace party. x c i (mod q).

(13)
If the last equation in equation (13) is satisfied, then V believes that P c 1 , . . . , P c m share the secret s satisfying B 0 � g s (mod q).

Soundness.
To prove the property of soundness, we consider the following three settings.
In the first setting, for all of the P n � P 1 , . . . , P n , let P c 0 be the only one prover corrupted by adversary A. P c o pretends to be an honest prover P j ∈ P n , where i ∈ [n]. After interacting with V in Step P1, he randomly selects r i ∈ F p and computes x j � g r j (mod q); then, he sends x j to V. Next, V sends the challenge z to P c o , who randomly chooses y j ∈ F p , because he does not know the secret s j (held by the honest prover P j ), where j ∈ [n]. en, the success probability of equality Complexity g y 1 +y 2 +···+y n B z 0 � n j�1 x j (mod q) (14) is (1/q). If the interactive protocol executed for K times, the success probability is (1/q K ).
In the second setting, the adversary A chooses a subset of Θ ⊆ [n] with |Θ| � θ and get their shares. Let P Θ : � P c 1 , . . . , P c θ denote the subset of P n , the adversary A chooses to corrupt in consecutive rounds. e honest parties are denoted by P [n]\Θ . Assume that V knows the total number of all provers. Each P c i ∈ P Θ disguises himself as the honest provers P j ∈ P [n]\Θ to follow the interactive protocol with V, where i ∈ [θ], j ∈ [n]\Θ. In Step P1, P c i chooses a random element r c i ∈ F p , calculates x c i � g r c i (mod q), and sends x c i to V; in Step V1, V returns a challenge z ∈ 1, 2 { } to P c i ; in Step P2, after receiving the challenge z, P c i randomly chooses y c i from F p , since he does not know the secret key s c i of honest P j ; and in Step V2, V computes g y 1 +y 2 +···+y n B z 0 � n j�1 x i (mod q) (15) with probability (1/q). at is, the corrupted provers P c 1 , . . . , P c θ choose y c 1 , . . . , y c θ , respectively, such that with probability (1/q). If P [n]\Θ ∪P Θ and V sequentially perform the PROTOCOL 2 for K times, then the success probability of the following equality g y 1 +y 2 +···+y n B z 0 � n j�1 x j (mod q) (17) falls to (1/q K ).
In the third setting, the verifier V is not certain of the number of all provers. In this case, θ corrupted provers pretend to be ](≠θ) honest provers. Based on the proof of the second setting, we can prove that the prover set P [n]\Θ ∪ P c 1 , . . . , P c ] shares a secret s such that B 0 � g s (mod q) with the success probability (1/q K ).
In light of the foregoing, for all sufficiently large K, the probability (1/q K ) is negligible. Consequently, the property of soundness is matched.

Zero-Knowledge.
To prove the property of zeroknowledge, we consider passive scenarios according to the power of the adversary.
According to Definition 15, we can determine whether ensembles M(p, q, g, h, B 0 , G) and View (P 1 (c 1 s 1 ), . . . , P n (c n s n )), V(h)} are computational indistinguishability, and then the protocol which we constructed is zero-knowledge. Hence, to prove that M(p, q, g, h, B 0 , G) and View (P 1 (c 1 s 1 ), . . . , P n (c n s n )), V(h) (p, q, g, B 0 , G) are computational indistinguishability, we use a mathematical induction method to perform the following steps: (1) Let the probability of Out V η be denoted by q, g, B 0 , G) and the probability of Out V η be denoted by Pr P 1 ,...,P n ,V,η if Out V η ⊆View (P 1 (d 1 s 1 ),...,P n (d n s n )),V(h) (p,q,g,B 0 ,G).

eorems from PROTOCOL 2
Theorem 1. PROTOCOL 2 is an n-prover computational zero-knowledge proof system.
Proof. According to the context of Section 4.1 and Definition 15, PROTOCOL 2 satisfies completeness, soundness, and zero-knowledge. Consequently, PROTOCOL 2 is an n-prover computational zero-knowledge proof system. □ code. An adversary A is l-bounded. e corruption parties chosen by A is Suppose l: � max l i i∈Θ and const l � (2 l sin(π/2 l ) /q sin(π/q)) < 1 (when 2 l < q). If l i < l, then add "0" on the left of the codeword f i (d i ) such that the length of codeword is equal to the length of l. ere is where U n+1 is the uniform distribution on F n+1 q and ϵ � at is, Proof. Our secret-sharing scheme is a linear (also additive) secret-sharing scheme, and the detailed proof is similar to eorem 4.5 in [24]. Proof. Let C be an [n + 1, n] linear code. e secret s ∈ F q is shared into n shares s � (s 1 , . . . , s n ) such that s � n i�1 s i . Let f � (f 1 , . . . , f n ) be family of leakage functions where (0) is uniformly distributed on C and sample z ⟵ Share(0). Note that e � (1, 0, . . . , 0) and compute s · e � (s, 0, . . . , 0). en, we can obtain the coset of Share(0) for the distribution Share(s). For any secret s ∈ F q , there is For the uniform distrubtion U [n+1] over C, en, statistical distance between f ′ (Share(0)) and f ′ ( According to the triangle inequality |A − B| ≤ |A − X| + |X − B| and two secrets s (1) , s (2) ∈ F q , there is Complexity 9 Let the leakage protocol Leak is denoted by Leak Θ,f (s) � (s Θ , f(‖s Θ ‖s [n]\Θ )). en, where ε � (1/2)ql n . □

Group Identification via PROTOCOL 2
According to Def. 17 in Section 2.3 and PROTOCOL 2, we can construct a group identification protocol GID-scheme with the following properties: the valid identities can be believed by the verifier only for the qualified group members, not the unqualified members; the verifier gains nothing other than believing that the qualified members have valid identities. Let P n � P 1 , . . . , P n be a group set, and let (P n , V) be an n-prover interactive proof system. e GIDscheme ParGen, KeyGen, P n , V can be constructed by Table 2.
According to the work presented in [37,40], our GIDscheme is secure against (classical) passive attacks. , pk � pk 0 ∪ pk i � g sk i mod q} n i�1 } be a hard relation with key generator KeyGen. We write (P n , V) to denote the prover set and the verifier in a -protocol for R with 2-bit challenges. Suppose that the -protocol is complete, 2-special sound, and honest verifier zero-knowledge. en, our GID-scheme is secure against emulation under active attacks.
Proof. If we write (pk, sk)⟵KeyGen by the notation (x, y)⟵K(1 λ ) and the transcript (x i , t, y i ) by the notation (α i , β i , c i ), then the − protocol and our GID-scheme are equal, where i ∈ [n]. For details, see eorem 5 of [41].

Proof.
rough the contradiction assumption, in the preemulation leakage attack game ID λ prel A * there is an adversary A * with a nonnegligible advantage. en, we need to detect two different secret keys sk and sk * for a public key pk, for the randomly chosen params * , since params is not known. In fact, in the test phase, M randomly chooses the (pk, tsk) key pair and utilizes sk to model the leakage oracle O λ,l sk (·) and an honest prover oracle P for the adversary A * . Later, in the emulation phase, Mperforms A * twice (for attack games ID λ pre l A * , ID λ arb l A * ), with two distinct randomly chosen challenges β, β * . Because A * generates two valid transcripts (α, β, c), (α, β * , c) with a nonnegligible advantage, M can recover or find a secret key sk * by using these two transcripts, according to the 2-special soundness property of the -protocol.
We now need to analyze the probability of sk � sk * . Table 3 presents three experiments that are performed by the adversary A * . In experiment Ext 0 , A * obtains pk and can access the oracle O λ,l sk (·), P(pk, tsk); in experiment Ext 1 , A * obtains pk and only accesses the oracle P(pk, tsk); in experiment Ext 2 , A * only obtains pk. According to the construction of Ext 0 , Ext 1 , and Ext 2 , we obtain the following inequality: where H ∞ (X) � − log(max x∈X Pr X (x)) denotes the minientropy of a random variable X with probability distribution Pr X over X, and H ∞ (X | Ext) � − log(max A Pr A Ext(·) (x)) denotes the (average-) conditional mini-entropy of a random variable X conditioned on experiment Ext. e detailed proof of equation (27) can be found in [20]. Due to the above mentioned equation, M outputs sk � sk * with the upper bound of probability 2 − λ . erefore, M generates two different secure keys sk and sk * with a nonnegligible advantage.
For an arbitrary time leakage game ID λ arbl (A), in the emulation phase, M can access the leakage oracle with l * bits. Based on two distinct challenges, M performs the emulation phase twice; thus, the leakage bit is 2l * . Consequently, only l * � (1/2)l bits of arbitrary time leakage can be handled.

Comparisons with Other Schemes.
In this section, we compare our ID-scheme with several previous works. According to the construction of the GID-schemes, we summarize the main parameters in Table 4. e first column presents the compared related works. e second column indicates the size of the public parameters shared by all parties. e third and fourth columns indicate the size of the public key and secret key, respectively. e fifth column denotes the size of each party' s communication complexity. e last column shows the size of allowed leakage l, which was measured in bits. e comparison of schemes in Table 4 is summaried as follows: e Okamato λ m scheme in [42] uses m generators and can tolerate the leakage bit l � (1 − (1/m))|sk|, where λ denotes the security parameter.
is scheme only provides an adequate method for relative leakage1 − (1/m), not for large absolute leakage l, and it does not provide a proportional increase in communication complexity. As an extension of the Okamato λ m scheme, the researchers in [20] propose two schemes (DirProd λ n,m,t and ComDirProd λ n,m,t ), which add two additional parameters n (the number of Okamato λ m key pairs stored) and t (≈ O(mλ), the number of Okamato λ m keys used). DirProd λ n,m,t and ComDirProd λ n,m,t can tolerate leakage bits (1 − (1/m) − O(t/λ))|sk| and (1 − (1/m) − O (t/λ))|sk|, respectively. In [38], the authors constructed a leakproof SSS by using threshold SSS, and they also proved that the master secret s can be shared an arbitrary number of times. However, their schemes do not consider the security of the scenario where there is some information leaked.
Local LRLSS [24] provides a local leakage-resilience of (additive or (n, t)-Shamir) SSS over field F p (p is a large prime), which is secure under local leakage attacks when log(p/4) bits are leaked from every share. Inspired by the work of [38], in our scheme, we construct a secret-sharing scheme by using linear codes for realizing a access structure, in which the master key can be shared as many times as designed in the random oracle model. Moreover, our scheme is (θ, l, ϵ)-LRSS under the bounded-leakage model. Based on our LRSS scheme, we construct a GID-scheme, which is proven to be leakage-resilient under the attacks ID λ prel (A) and ID λ arbl (A).

Conclusions and Future Work
We proposed a secret-sharing scheme that realized access structure based on linear codes. According to the definitions of zero-knowledge proof system and security model, we proved that our protocol is a multiprover zero-knowledge proof system in the random oracle model. Our protocol is also leakage-resilient secret-sharing scheme (LRSS) in the bounded-leakage model. In our LRSS, the security is guaranteed even if the adversary learns leakage information is bounded by l bits. Moreover, we presented a GID-scheme from our LRSS scheme, and it is leakage-resilient under the leakage attacks ID λ prel (A) and ID λ arbl (A) in the bounded-leakage model. In our leakage-resilient GID-scheme, any authorized party sets can prove to the verifier that they share the secret key without leaking any information about their individual shares to adversary and can guarantee security even though l bits are retrieved by the malicious adversary; any authorized parties can prove themselves to keep the corresponding valid secret share.
In future work, we want to construct a practical dynamic secret-sharing scheme. In this dynamic secret-sharing scheme, there are more than one access structure, and we want to enable only one of them to be active to reconstruct the predefined secret.

Data Availability
No data were used to support this study. (i) A * holds the public key pk (ii) A * allows access to the leakage oracle O λ,l sk (·) and an honest prover oracle P(pk, tsk) (i) A * holds the public key pk (ii) A * only allows access to the honest prover oracle P(pk, tsk) (i) A * only obtains access to the public key pk  Table 2: Our GID-scheme. -params⟵ParGen(1 λ ): perform the Initialization of PROTOCOL 2 in Section 3, and set params � (B 0 , p, q, g, G) (i) (pk, sk)⟵KeyGen: execute the distribution protocol of PROTOCOL 2 in Section 3, and set sk � s 0 ∪ s i n i�1 and pk � pk 0 ∪ pk i � g sk i mod q n i�1 , where sk � s � s 0 , pk 0 � g s 0 mod q and sk i � s i for i ∈ [n] (ii) P, V: the PPT turning machines P, V run the following protocol: Step P1: for i ∈ [n], every P i chooses r i ∈ F q , and sends α i � g r i mod q to V Step V1: choose a random number β i ∈ 1, 2 { } and send the challenge β i to every P i . Set β i � z, for any i, j ∈ [n] Step P2: for i ∈ [n], every P i computes c i � r i − zd i sk i mod p and sends c i to V Step V2: for i ∈ [n], V accepts the identification of P i if and only if the transcript (α i , Disclosure is work is a major revision of a preprint of an article accepted by the International Symposium on Cyberspace Safety and Security (CSS 2019) and is subject to Complexity.

Conflicts of Interest
e authors declare that they have no conflicts of interest.