A Rational Threshold Signature Model and Protocol Based on Different Permissions

This paper develops a novel model and protocol for specific scenarios in which participants from multiple groups with different permissions complete a signature together. We apply the secret sharing scheme based on the difference equation to the private key distribution phase and the secret reconstruction phase of our threshold signature scheme. In addition, our scheme ensures that the signature succeeds because of the punishment strategy of repeated rational secret sharing. Besides, the bit commitment and verification method used to detect players' cheating behavior helps prevent internal fraud. Using bit commitments, verifiable parameters, and time sequences, this paper constructs a dynamic game model with the features of threshold signature management with different permissions, cheat proofing, and forward security.


Introduction
The secret sharing (SS) scheme, first proposed by Shamir [1] in the paper "How to share a secret," is a significant method for managing important information. Other SS schemes were presented by Blakley [2] and by Asmuth and Bloom [3]. These (, )-threshold schemes split the secret into  shares and distribute them to  legal players, meaning that all players in the secret sharing system have the same permissions. However, in some specific situations, such as in a company, managers and employees are supposed to have different authority over confidential secret management. As a result, none of these SS schemes is suitable for such a scenario. Later, many scholars devoted themselves to weighted threshold SS schemes, which can solve this problem. Shamir already considered weighted threshold SS in "How to share a secret": the president of a company has three shares, the vice presidents have two shares, and others have one share. Later, Morillo et al. [4] developed some main properties related to the information ratio, which measures a secret sharing system's security. After that, many researchers built weighted SS schemes on their work, some of them bipartite [5][6][7]. Chan and Chang [8] developed a new (, )-threshold scheme based on differential equations, completely different from the mechanism of weighted SS schemes and sharing the same notion as Li [9]. Instead of the traditional weighted threshold SS schemes, which have symmetrical permission limitations, they proposed a ( 1 +  2 ,  1 +  2 )-threshold SS scheme based on a homogeneous constant coefficient linear difference equation. In the scheme, all players are divided into two groups (denoted by  and ) with different secret management authority; just  1 players from  together with  2 players from  can recover the original secret information. For example, a company divides its business secret into ( 1 +  2 ) shares, of which  1 are held by  1 specific employees and  2 are distributed to  2 managers. Any  1 employees together with any  2 managers can retrieve the business secret.
Threshold signature is based on SS; it was first proposed by Desmedt and Frankel [10] and built on the RSA signature mechanism. Shamir [11] introduced the concept of identity-based signature authentication. Paterson and Schuldt [12] presented efficient identity-based signatures in the standard model. In this paper, to illustrate our model, we adopt Okamoto's signature method [13], which is based on an identification scheme and is provably secure.
Another important issue with traditional SS schemes is that they all assume every player is either honest or malicious. In practice, however, players are more likely to be selfish, trying to maximize their own utility. Halpern and Teague [14] introduced the notion of rational secret sharing (RSS) in 2004 and presented a randomized protocol for a  ≥ 3,  > 3 SS scheme, which achieves a Nash equilibrium after iterated elimination of weakly dominated strategies. Gordon and Katz [15] improved Halpern's protocol to the  ≥ 2,  > 2 case. The mechanism proposed by Maleka et al. [16] is called repeated rational secret sharing (RRSS); in it the distributor performs a second segmentation of the secret shares and makes the players share the subshares repeatedly. Maleka's method uses punishment strategies to prevent players from finking, which differs from Halpern and Teague's RSS protocol, in which some rounds of secret sharing are meaningless.
In this paper, we present a rational threshold signature model in which the participants are divided into two sets with different permissions. We adopt the SS scheme based on difference equations to distribute shares and recover the original secrets. In the recovery phase, players exchange their subshares repeatedly based on Maleka's RRSS scheme. In our model, we use several modules to manage the respective functions. The parameter sequence generator generates the parameters of the difference equations, and the parameter distributor distributes the parameters to the participants as their shares. The rounds controller generates the random number of rounds so that the players cannot know when the repeated games will end. The bit commitment module lets the players commit to their own subshares and verify others'. Besides, when a player cheats in a specific round by sending a wrong subshare, the verifiable module detects it and the protocol stops, so that nobody can acquire the secret.

The maker constructs a homogeneous constant coefficient linear differential equation:
The general term formula of the homogeneous constant coefficient linear differential equation is
Because the coefficient determinant is a nondegenerate second-order tensor,
Any participant in set  who makes  =  can obtain the system master key: (5)

2.2. Problems.
The model mentioned above is a big innovation in the field of threshold structures; however, if applied directly to threshold signature in practical use, the following problems may exist.
(1) The permissions in this model are limited. The second component of the ( 1 +  2 ,  1 + 1)-threshold shared structure represents the second category of participants with special privileges; these participants have excessive permissions, because any one of them can represent the group. Thus, we expand the second component into a ( 1 +  2 ,  1 +  2 ) structure. Wei et al. [17,18] at Shandong University have proposed the definition of such a structure. However, when their scheme is implemented, both of its groups use the polynomial ring, which is symmetrical in nature, so it breaks the different-privilege characteristic of the homogeneous constant coefficient linear differential equation. This paper extends the ( 1 +  2 ,  1 + 1) structure based on the homogeneous constant coefficient linear differential equation, extends the permissions, and at the same time improves the original proposal.
(2) This model cannot resist conspiracy attacks, because when a number of participants greater than or equal to the ( 1 ,0) threshold work out the constant vector group of equation (4), equation (2) is determined at the same time. Conspirators can obtain the private keys of the participants of the first set using the general term formula, and one copy of a second-set participant's private key can be used to infer the other private keys in the second set.
(3) The model cannot resist internal fraud. In practical use, the model has no verification mechanism, so participants' fraud is undetectable. Without validation measures, participants may run the protocol arbitrarily or send false shares, which cannot be tolerated.
(4) The model has a dealer, who is a trusted third party. In a distributed network environment, the parameters are generated by a machine or by secure multiparty computation.
(5) This model does not have rational characteristics. When the signature private keys are generated and the first set's participants compute equation (2), then after computing the general term formula, the participants in the second set have no motive to expose their private keys to the participants in the first set once they have generated their own private keys. This loses fairness.

The Structure of the Model.
The structure of the model is shown in Figure 1.
(1) Parameter Sequence Generator. Each time the signature step runs, the registers in the parameter sequence generator dynamically generate the next-state parameters from the last-state parameters. Each signature calls the module once; the use of time series technology gives the model forward security. The initial vector in the parameter sequence generator is
The iterative formulas of the parameter sequence generator are as follows:
The other parameters are generated in the same way.
Theorem 1. The model has forward security.
Proof. On completion of the last signature, in the next signature step the parameter sequence generator preloads the iteration values in the registers. After iteration, according to the recurrence relations (7), the last data in the registers no longer exist. That is to say, this signature's data in the registers overwrite the last data. According to the recurrence relations (7), if an attacker wants to recover the last data in the registers, he or she must compute a modular square root:
Computing the modular square root in polynomial time is infeasible, and the modular indices are random, so an attacker cannot predict them. Hence the model has forward security.
(2) Rounds Controller. This model, which runs multiple rounds in the signature process, is a finitely repeated dynamic game. The controller is vital in the model and controls the operation of the entire process. Here we use the idea of stochastic processes [19] to construct the model.

Theorem 2. The distribution of rounds obeys a Poisson distribution with parameter 𝜆.
Proof. In a time-limited game process, note that the number of deceptions in each round is , with the probability satisfying the following formula:
Participants' behavior is independent in each round.
Assuming the number of rounds is continuous, that is to say, the game process is taken as a continuous function of time, it satisfies
This means that the probability of cracking the system with  computational advantage is negligible when the threshold signature process is not performed. The model satisfies the four conditions mentioned above and meets the definition of a Poisson process with intensity . That is,

Theorem 3. The expected number of rounds of this model is , and each time the model converges with time complexity ().
Proof. Differential equations are established for the rounds ( 0 ,  1 , . . .,  * ), respectively, based on the four conditions mentioned above:
The mathematical expectation is
So the expected number of rounds of this model is , and each time the model converges with time complexity ().
(3) Parameter Distributor. A machine can simulate the behavior of the distributor (maker) and can be a trusted server in the distributed network.
(4) Pedersen Bit Commitment Module. The Pedersen bit commitment protocol [20] is a security protocol used as a commitment to bit stream information. At each signature, the system generates the coefficients of the homogeneous constant coefficient differential equations and the coefficients of the algebraic curve () of order  2 − 1, which correspond to the participants in set . After storing the coefficients in binary form, we denote them by   ( ∈  ∧   ∈ {0, 1}), as a bit stream. The parameter distributor is also attached to the bit commitment module to protect it from attacks.
Theorem 4. The model can detect whether the parameter distributor is under attack or not.
Proof. The model adopts Pedersen's bit stream commitment protocol. The bit stream and the timestamp above are hashed. The primitive element of the group ( max{ 1 , 2 } ) is ; publish  =    (  ,) mod  max{ 1 , 2 } ( ∈  ∧   ∈ {0, 1}) . (15) The triple (,   , ) is published right after the signature process ends. Participants in set  and set  can verify the commitment to determine whether the parameter distributor is being attacked.
(5) Verifiable Parameter Distribution Module. This module uses the idea of Feldman's verification [21]. First, publicize the bivariate one-way function (, ). In each threshold signature process, the parameter distributor generates a polynomial of order  1 −1 corresponding to the set  participants:
Our model uses the primitive element  1 of the finite field (  1 ) to compute the number of operation rounds  * , according to the Poisson distribution with parameter , and then distributes the point sequence:
Then it arbitrarily selects  1 − 1 points in the field of    1 (, ) other than those in equation (17) and publishes them. Then it saves the vector and calls Pedersen's bit commitment module. After that, it broadcasts:
It sends each participant in set :
For set , the parameter distributor generates the primitive element  2 of the finite field ( 2 ), according to this polynomial of order  2 − 1:
Then, with the round number  * noted before, the system publishes the point sequence:

It saves the vector
and calls Pedersen's bit commitment module. After that, it broadcasts:
It sends each participant in set :

Theorem 5. The model is verifiable.
Proof. When distributing the point sequence and broadcasting the corresponding authentication information, participants can simultaneously verify the information.
Set  participants verify
Set  participants verify
If the verification succeeds, participants can trust the information sent by others.

(7) Okamoto Signature Module. After calculating the threshold signature private key, take TSK =   as the first private key component of the signature module, while the second private key component is generated by a public key signature method: select private keys and publicize public keys, respectively. The model adopts the Okamoto signature algorithm to produce the final signature.
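As an added illustration, not code from the paper, of the Feldman-style check the verifiable distribution module relies on: each participant checks its share against the distributor's published commitments, so an altered subshare from a cheating player is rejected before any reconstruction. The group parameters (a toy safe prime P, subgroup order Q, generator G), the two-group thresholds, and the secrets are constructed values for the example.

```python
import secrets

# Constructed toy group (not from the paper): safe prime P = 2*Q + 1 and
# G = 4, a generator of the order-Q subgroup. Real use needs a large P.
Q = 1019
P = 2 * Q + 1
G = 4


def make_polynomial(secret, threshold):
    """Random polynomial of order threshold-1 over Z_Q with f(0) = secret."""
    return [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]


def evaluate(coeffs, x):
    """Horner evaluation of the polynomial at x, modulo Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def distribute(secret, threshold, n):
    """Distributor side: shares f(1..n) plus the Feldman commitments G^a_j."""
    coeffs = make_polynomial(secret, threshold)
    shares = {i: evaluate(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(i, share, commitments):
    """Participant side: G^share must equal prod_j C_j^(i^j) mod P."""
    expected = 1
    for j, c in enumerate(commitments):
        expected = expected * pow(c, pow(i, j, Q), P) % P
    return pow(G, share, P) == expected


def reconstruct(points):
    """Lagrange interpolation at x = 0 over Z_Q from a threshold of shares."""
    total = 0
    for i, y in points.items():
        num, den = 1, 1
        for k in points:
            if k != i:
                num = num * (-k) % Q
                den = den * (i - k) % Q
        total = (total + y * num * pow(den, -1, Q)) % Q
    return total


def demo():
    """Two groups with their own thresholds, like the page's set A and set B."""
    shares_a, com_a = distribute(123, threshold=2, n=3)  # set A: 2 of 3
    shares_b, com_b = distribute(456, threshold=3, n=4)  # set B: 3 of 4
    honest = all(verify_share(i, s, com_a) for i, s in shares_a.items())
    honest &= all(verify_share(i, s, com_b) for i, s in shares_b.items())
    forged = (shares_b[2] + 1) % Q  # a cheating player alters its subshare
    return {
        "all_verify": honest,
        "forged_rejected": not verify_share(2, forged, com_b),
        "recover_a": reconstruct({1: shares_a[1], 3: shares_a[3]}),
        "recover_b": reconstruct({1: shares_b[1], 2: shares_b[2], 4: shares_b[4]}),
    }
```

The check works because G^f(i) = prod_j (G^a_j)^(i^j) in a group of prime order Q, so a share that does not lie on the committed polynomial cannot pass it.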
Theorem 6. The model can resist conspiracy attacks.
Proof. The second component of the private key in the Okamoto signature algorithm prevents the conspiracy attacks of the original model, in which, once the threshold condition is met and the general term formula of the homogeneous linear differential equation with constant coefficients is computed, that formula is used to obtain other participants' private keys. The second component of everyone's private key must be kept private by each individual. As long as the second component of the private key stays private, the threshold signature cannot be forged. Furthermore, we can establish a mechanism whereby, when a dispute arises, the system checks every participant involved in the signing process.

Improved Threshold Model.
We adopt the ( 2 ,  2 ) threshold structure constructed by the matrix method.  2 players in set  participate in the repeated games and recover the secret  using the published  2 −  2 points. As a result, the players in set  can input  after they obtain the general term formula of the homogeneous constant coefficient linear differential equation. Make two field extensions:
The expansion order of the algebraic number field () is
Remove the noise terms (0) and (0) to obtain the coefficient information of the homogeneous constant coefficient linear differential equation. The above game  can be computed in polynomial time.

Dynamic Game Model
Definition 8. A computable complete and perfect information dynamic game with  1 +  2 elastic equilibrium reaches the equilibrium outcome under the conditions that it satisfies Definition 7 and that each participant is rational. That is, (  ,  − ) < ( (,all) . Define the events as follows.
A: the participant uses the advantage Pr =  (0 <  < 1) to crack the threshold signature private key.
B: the participant implements the protocol.
C: the participant takes the honest policy in round .
D: the participant takes the fraud policy in round .
We denote the utility of departing from the protocol as  exception and the expected utility as ( exception ). We obtain the following equation.
The parameter distributor verifies, respectively,
If  =  * and (37) holds, calculate (2), and then
If  ̸ =  * and (37) does not hold, while (0)  and   (0) equal the expected values, the protocol enters the next round.
If  ̸ =  * and (37) does not hold, and meanwhile (0)  and   (0) do not equal the expected values, one of the players has cheated. At this time the parameter distributor perceives the cheating behavior, so that player cannot obtain the signature private key. According to Theorem 10, rational participants will not deceive. In (40),  is the message sequence and SHA is a secure hash function.
We use equation (41) to complete the signature.
The validation process can use the standard Okamoto algorithm.

Several Models Comparison.
Table 1 compares several models. The parameter ranges of this model use the limiting forms of (31), (32), (33), and (34).

Conclusion
This paper proposed a computable complete and perfect information dynamic game with  1 +  2 elastic equilibrium, based on the homogeneous constant coefficient linear differential equation. We construct a dynamic game model and protocol using time sequences, bit commitments, Feldman's verification method, and Okamoto's signature method. The model achieves two different threshold signature permissions. We proved that, during the game, no participant has a tendency to depart from normal operation, so that the model achieves the purpose of preventing fraud. Our method expands the idea of permissions and overcomes five inherent problems of the homogeneous constant coefficient linear differential equation model.

2.1. The Model of Li Bin.
The model is outlined as follows.

Figure 1: The structure diagram of the model.

4.3. Threshold Signature Process.
The Okamoto signature module is used to complete the signature. The Okamoto signature algorithm contains two private keys: the first is the threshold signature private key just generated, and the second is each participant's own signature private key in set  and set . Only after verification can the parameter distributor call the Okamoto signature module. The two private key generation equations are as follows: TSK 1 =   ( >  1 +  2 ) , TSK 2 =  1 + 2 −1 ∏ =0 SHA()   .SHA () .
,  − ), where  is a multiple real variable function  : (  ,   ,   ,   ,   ,   ,   ) → (  ,  − ). The model converges to the computable complete and perfect information dynamic game with  1 +  2 elastic equilibrium.
Proof. Participants who meet the threshold signature conditions possess the advantage Pr =  (0 <  < 1). They can obtain the threshold signature private key without the normal operation of the model. The utility functions are defined as follows:
): the utility that participant  obtains the signature private key and the others do not in round ;
 − (,) (0 ≤  ≤  * ): the utility that participant  does not comply with normal execution of the model when the model runs round ;
 (,) (0 ≤  ≤  * ): the utility that participant  complies with normal execution of the model when the model runs round ;
 ( * ,) : the normal utility that participant , always complying with the operation of the model, obtains the threshold signature private key when the model reaches the last round;
 − (,all) (0 ≤  ≤  * ): the utility that no participant obtains the threshold signature private key. This indicates that some participants have deceived, causing abnormal termination of the model.