A New Efficient and Secure Secret Reconstruction Scheme (SSRS) with Verifiable Shares Based on a Symmetric Bivariate Polynomial

Secret sharing (SS) schemes have been widely used in secure computer communications systems. Recently, a new type of SS scheme, called the secure secret reconstruction scheme (SSRS), was proposed, which ensures that the secret can only be recovered by participants who present valid shares. In other words, if any outside adversary participates in the secret reconstruction without knowing any valid share, the secret cannot be recovered by anyone, including the adversary. However, the proposed SSRS can only prevent an active attacker from obtaining the recovered secret; it cannot prevent a passive attacker from obtaining the secret, since the information exchanged among participants is unprotected. In this paper, based on bivariate polynomials, we propose a novel design for the SSRS that can prevent both active and passive attackers. Furthermore, we propose a verification scheme which can verify all shares at once, i.e., it allows all shareholders to efficiently verify that their shares obtained from the dealer are generated consistently without revealing their shares and the secret. The proposed scheme is attractive for efficient and secure secret reconstruction in communications systems.


Introduction
Secret sharing (SS) schemes have been widely used in secure computer communications systems [1][2][3][4][5][6][7][8]. Blakley [9] and Shamir [10] independently introduced the concept of secret sharing in 1979. In a (t, n) secret sharing (SS) scheme, the secret s is divided into n shares by a dealer and shared among n shareholders such that any t or more shares can reconstruct the secret, but fewer than t shares cannot obtain any information about the secret s.
Shamir's (t, n) SS scheme uses a linear polynomial. But, in practical applications, possible threats make Shamir's secret reconstruction very complicated, especially when there are more than t participants in the secret reconstruction. One straightforward approach to ensure that all participants are shareholders is to run a user authentication scheme among all participants at the beginning of the secret reconstruction. This approach is time-consuming, since user authentication authenticates one user at a time. In fact, only the dealer needs to know initially who the shareholders are. In the secret reconstruction, shareholders do not need to know each other. The secret can only be reconstructed successfully if all shares are legitimate. If all shares are legitimate, the secret can be reconstructed; on the other hand, if there is any illegitimate share, the secret cannot be reconstructed.
Recently, a new type of SS scheme, called the secure secret reconstruction scheme [11] (SSR), has been developed, which ensures that the secret can only be recovered by participants who present valid shares. However, the scheme can only prevent an active attacker from obtaining the recovered secret; it cannot prevent a passive attacker from obtaining the secret, since the information exchanged among participants is unprotected.
Chor et al. [12] proposed the notion of verifiable secret sharing (VSS), in which shareholders can verify that their shares are valid without revealing their shares or the secret. Based on the underlying security assumptions, there are two types of VSSs: computationally secure and unconditionally secure schemes. Feldman's [13] and Pedersen's [14] VSSs are based on cryptographic commitment schemes. The security of Feldman's VSS rests on the hardness of the discrete logarithm problem, while the privacy of Pedersen's VSS is unconditional and the correctness of the shares is based on a computational assumption. Benaloh [15] proposed an interactive VSS which is unconditionally secure. Stinson et al. [16] proposed an unconditionally secure VSS, and Patra et al. [17] proposed a generalized VSS scheme. Stadler [18] proposed the first publicly verifiable secret sharing (PVSS) scheme, which allows each shareholder to verify the validity of all shares. In most noninteractive VSSs [13,14], a shareholder can only verify the validity of his/her own share, but not of other shareholders' shares. PVSSs [18,19] use interactive proofs of knowledge; these proofs can be made noninteractive using the Fiat-Shamir technique [20]. The security of Schoenmakers' PVSS [21] is based on the discrete-logarithm problem; the scheme is quite simple, but some noninteractive zero-knowledge proofs are used. Peng and Wang's PVSS [22] uses a linear code, and Ruiz and Villar's PVSS [23] uses Paillier's cryptosystem [24]. There are also noninteractive PVSSs based on bilinear pairings [25,26]. We can see that most of these VSSs can only verify one share at a time and are only computationally secure, i.e., their security rests on computational assumptions.
In summary, let us briefly clarify the differences among the SSR [11], VSS, and the threshold changeable secret sharing scheme [27,28] (TCSS). These three schemes have different security features. According to Harn [11], in an SSR the secret can only be reconstructed successfully by all participating shareholders who contributed valid shares. In other words, the SSR requires every participating shareholder to contribute a share, and the secret cannot be reconstructed if fewer valid shares than the number of participants are present in the process. Note that this number may be larger than the threshold. In a VSS, shareholders can verify that their shares are generated consistently by the dealer without revealing their shares and the secret. In a TCSS, the threshold can be dynamically changed in the process. The motivation of our paper is to construct an efficient and secure secret reconstruction scheme with verifiable shares. The SSRS can prevent both active and passive attackers at the same time.
The scheme is unconditionally secure and can verify all shares at once. Our design is based on symmetric bivariate polynomials. The primary reason to adopt symmetric bivariate polynomials is that shares generated by a symmetric bivariate polynomial can be used to (a) verify all shares at once, (b) recover the secret, and (c) establish pairwise secret keys between shareholders to protect the exchanged information in the secret reconstruction.
There is no additional user authentication or key distribution needed. Thus, it is very efficient.
Following this line of research, in this paper, we propose a novel design for an efficient and secure secret reconstruction scheme with verifiable shares, where the SSRS can prevent both active and passive attackers. At the same time, our VSS allows all shareholders to verify that their shares obtained from the dealer are valid without revealing their shares and the secret, where shareholders just verify that shares are generated by a symmetric bivariate polynomial consistently. Here, we summarize the contributions of our paper.
(i) A secure secret reconstruction scheme based on symmetric bivariate polynomials is proposed.
(ii) The proposed secure reconstruction scheme can prevent both active and passive outside attacks.
(iii) An efficient VSS which verifies at once that all shares are generated consistently by a symmetric polynomial is proposed.
The rest of this paper is organized as follows: In the next section, we introduce some preliminaries. In section 3, we describe the models of our proposed schemes, including scheme description, adversaries, and properties. We propose our secure secret reconstruction with verifiable shares in section 4. The conclusion is included in section 5.

Review of SSs Based on Polynomials
In Shamir's (t, n) SS [9], the dealer selects a univariate polynomial, $f(x)$, of degree $t - 1$ with $f(0) = s$, where $s$ is the secret. The dealer generates the shares $f(x_i) \bmod p$, $i = 1, 2, \ldots, n$, for the shareholders, where $p$ is a prime with $p > s$ and $x_i$ is the public information associated with each shareholder, $U_i$. Each share, $f(x_i)$, is an integer in $GF(p)$. Shamir's (t, n) SS satisfies the security requirements of a (t, n) SS.
That is, (a) $t$ or more shares can reconstruct the secret and (b) fewer than $t$ shares cannot obtain any information about the secret. Shamir's SS is unconditionally secure.
In Shamir's (t, n) SS, shareholders cannot verify the validity of their shares obtained from the dealer. In 1985, Chor et al. [12] extended the notion of SS and proposed the first verifiable secret sharing (VSS). Verifiability is the property of a VSS which allows shareholders to verify their shares. Invalid shares may be caused either by the dealer during share generation or by channel noise during transmission. VSS is performed by shareholders after receiving their shares from the dealer and before using their shares to reconstruct the secret. If invalid shares have been detected, shareholders can request the dealer to regenerate new shares.
There are many (t, n) VSSs [29][30][31][32][33][34] using bivariate polynomials; we denote them as BVSSs. A bivariate polynomial of degree $t - 1$ can be represented as $F(x, y) = \sum_{i=0}^{t-1} \sum_{j=0}^{t-1} a_{i,j} x^i y^j \bmod p$, where $a_{i,j} \in GF(p)$. We can classify BVSSs into two types, the symmetric BVSSs, denoted as SBVSSs [30,32,34], and the asymmetric BVSSs, denoted as ABVSSs [29,31,33]. If the coefficients satisfy $a_{i,j} = a_{j,i}$, $\forall i, j \in [0, t - 1]$, it is a symmetric bivariate polynomial. Shares generated by a bivariate polynomial can be used to establish pairwise keys between any pair of shareholders. In all (t, n) SBVSSs, the dealer selects a bivariate polynomial, $F(x, y)$, of degree $t - 1$ with $F(0, 0) = s$, where $s$ is the secret. The dealer generates the shares $F(x_i, y) \bmod p$, $i = 1, 2, \ldots, n$, for the shareholders, where $p$ is a prime with $p > s$ and $x_i$ is the public information associated with each shareholder, $U_i$. Each share, $F(x_i, y)$, is a univariate polynomial of degree $t - 1$. Note that shares generated in an SBVSS satisfy $F(x_i, x_j) = F(x_j, x_i)$, so a pairwise secret key, $F(x_i, x_j)$, can be established between the pair of shareholders $U_i$ and $U_j$. In a similar way, in an ABVSS, the dealer generates a pair of shares, $F(x_i, y) \bmod p$ and $F(x, x_i) \bmod p$, $i = 1, 2, \ldots, n$, for each shareholder, and the pairwise secret key, $F(x_i, x_j)$ or $F(x_j, x_i)$, can also be established between the pair of shareholders $U_i$ and $U_j$.

Model
In this section, we describe the model of the proposed schemes including scheme description, adversaries, and properties.

Scheme Description.
We propose two schemes in this paper.

Scheme for Verification of Shares.
A VSS enables shareholders to verify that their shares of a (t, n) SS are generated by the dealer consistently. In other words, without revealing the secret and the shares, shareholders can verify that any subset of $t$ or more shares defines the secret, but any subset of fewer than $t$ shares cannot define the secret. Benaloh [15] presented the notion of t-consistency and used it to define the objective of a VSS. We include the notion below.
Definition 1. t-consistency: a set of $n$ shares is said to be t-consistent if any subset of $t$ of the $n$ shares defines the same secret.
Harn and Lin [35] modified the definition of t-consistency and introduced a new notion, called strong t-consistency, which satisfies the security requirements of a (t, n) SS.
Definition 2. Strong t-consistency: a set of n shares are said to be strong t-consistent (i.e., (t < n)) if (a) any subset of t or more than t of the n shares defines the same secret and (b) any subset of fewer than t of the n shares cannot define the same secret.
It is obvious that, in a polynomial-based SS, shares generated by a polynomial of exact degree $t$ are strong t-consistent. Shares having the property of strong t-consistency satisfy the security requirements of a (t, n) SS. Verifying the strong t-consistency of shares is one of the objectives of our proposed VSS. In our proposed secure secret reconstruction, the shares of shareholders are generated by a symmetric bivariate polynomial. Thus, the shares can be used not only to recover the secret but also to establish pairwise secret keys between shareholders in the secret reconstruction. The second objective of our proposed VSS is to verify that the shares are generated by a symmetric bivariate polynomial.
We assume that there are $n$ shareholders, $U_i$, $i = 1, 2, \ldots, m$, participating in the VSS. These shareholders want to make sure that their shares, $s_i$, $i = 1, 2, \ldots, m$, obtained from the dealer are strong t-consistent and generated by a symmetric bivariate polynomial. In the proposed VSS, each shareholder computes $c_i = F(s_i)$ as his/her released value, where $F$ is a public function. There is an algorithm, VSS, which allows users to verify that all released values are valid. The proposed VSS is different from most other VSSs, which verify one share at a time; our VSS verifies all shares at once. There are only two possible outcomes of our proposed VSS: either all shares are strong t-consistent and generated by a symmetric bivariate polynomial, or there are inconsistent shares. Thus, the proposed VSS is sufficient if all shares are strong t-consistent and generated by a symmetric bivariate polynomial; if there are inconsistent shares, it can be treated as a preprocess before applying another VSS to identify the invalid shares.

Scheme for Secure Secret Reconstruction.
First, we present the notion of a secure secret reconstruction scheme as defined in [11].
Definition 3. Secure secret reconstruction scheme [11]: this scheme ensures that the secret can only be recovered by participants who present valid shares. In other words, if any outside adversary participates in the secret reconstruction, the adversary cannot obtain the secret.
Shamir's secret reconstruction is a secure secret reconstruction if there are exactly $t$ participants, since only $t$ valid shares can recover the secret. When there are more than $t$ participants in the secret reconstruction, it can cause a security problem: since only $t$ shares are needed to recover the secret, an adversary can still obtain the secret in the secret reconstruction. Employing a user authentication/VSS scheme prior to the secret reconstruction can solve this security problem; however, this approach adds complexity. A secure secret reconstruction scheme is proposed in [11]. In that scheme, Lagrange components, which are linear combinations of shares, are used to reconstruct the secret. The scheme uses the Lagrange components to protect the privacy of shares, so an adversary cannot gain an advantage by releasing his value last in the secret reconstruction. This scheme is a simple modification of Shamir's (t, n) SS scheme. However, the scheme can only prevent active attackers from obtaining the recovered secret, but cannot prevent passive attackers. Our proposed SSRS can prevent both active and passive attackers.

Adversaries.
The adversaries in the secret reconstruction can be classified into two types, outside adversaries and inside adversaries. Outside adversaries are attackers who do not have any valid share generated by the dealer.
There are two types of attacks associated with outside adversaries, active and passive attacks. Active attackers impersonate legitimate shareholders participating in the secret reconstruction. On the other hand, passive attackers wiretap the communication channels to obtain the information exchanged among participants in the secret reconstruction. Since the exchanged information in the secret reconstruction of [11] is not protected, the recovered secret is also available to such attackers. In this paper, we propose a secure secret reconstruction scheme that can prevent both active and passive attackers. In our proposed scheme, the shares of shareholders can be used not only to recover the secret but also to protect the exchanged information in the secret reconstruction. Inside adversaries are shareholders who own valid shares obtained from the dealer. Inside attackers may collude to recover the secret by themselves. We analyze whether $t - 1$ inside adversaries can collude to reveal the secret. Furthermore, we also need to ensure that, in the verification of shares, shareholders cannot obtain other shareholders' shares or the secret.

Properties.
We discuss properties of two schemes separately.

Scheme for Verification of Shares.
We propose a VSS with the following properties:
Correctness: the outcome of the proposed VSS is positive if all shares are t-threshold consistent; otherwise, there are inconsistent shares.
Efficiency: if the outcome of the proposed scheme is negative, the proposed VSS can be treated as a preprocess of another VSS used to identify the inconsistent shares. Thus, the proposed VSS must be efficient.
Security: the VSS must protect the secrecy of the shares and of the secret during verification.

Scheme for Secure Secret Reconstruction.
We propose a secure secret reconstruction scheme with the following properties:
Correctness: the scheme satisfies the objective specified in Definition 2.
Efficiency: the shares obtained initially from the dealer can be used not only to recover the secret but also to establish pairwise shared keys between shareholders to protect the exchanged information. There is no additional user authentication or key distribution needed.
Security: the scheme must satisfy the following security requirements.
(a) Against active outside attack: the scheme prevents any outsider from impersonating a shareholder in the reconstruction to obtain the secret.
(b) Against passive outside attack: the scheme prevents any outsider from obtaining the secret by monitoring the communication channels.
(c) Against colluded inside attack: the scheme prevents up to $t - 1$ colluding insiders from recovering the secret.

The Proposed Schemes
In Shamir's (t, n) SS, an additional key establishment protocol is needed to protect shares in the secret reconstruction; otherwise, any nonshareholder can also recover the secret. Thus, Shamir's (t, n) SS is not a protected secret sharing scheme. In this section, we propose a (t, n) SS using a bivariate polynomial. There is one major difference between shares generated by a univariate polynomial and by a bivariate polynomial: the shares generated by a univariate polynomial are integers in $GF(p)$, but the shares generated by a bivariate polynomial are univariate polynomials.

Algorithms.
We illustrate the share generation in Figure 1, and a concrete instantiation for Figure 1 is given in Figure 2.
From the secret sharing homomorphism, we know that the additive sum of the shares of each shareholder is a share on the additive sum of the polynomials. Thus, in the secret reconstruction scheme, the additive sum of the shares of each shareholder is used to reconstruct the secret. The objective of our proposed VSS is to verify that all additive sums of the two shares of each shareholder are generated by a polynomial satisfying two conditions: (a) the polynomial has degree $h - 1$ and (b) the polynomial is a symmetric polynomial. We illustrate this scheme in Figure 3, and a concrete instantiation for Figure 3 is given in Figure 4.
Assume that $u$ (i.e., $t \le u \le n$) shareholders, $\{U_{v_1}, U_{v_2}, \ldots, U_{v_u}\}$, want to reconstruct the secret. We illustrate this scheme in Figure 5, and a concrete instantiation for Figure 5 is given in Figure 6.
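The three procedures of this section (share generation with two symmetric bivariate polynomials, the all-at-once verification by interpolating $G(x, y)$, and the secure reconstruction with pairwise keys and Lagrange components), as an added toy run over $GF(p)$ that is not the paper's own code. It assumes $s = F_1(0, 0) + F_2(0, 0)$ and, since the paper fixes no cipher, encrypts each Lagrange component as $w + k \bmod p$; the modulus, seed and public values $x_i$ are constructed.

```python
# Added example, not the paper's code; assumptions are marked in comments.
import random

P = 2**31 - 1  # constructed prime modulus, p > s

def sym_poly(h, rng, symmetric=True):
    """Random bivariate polynomial of degree h-1 as an h x h coefficient matrix c[i][j]."""
    c = [[rng.randrange(P) for _ in range(h)] for _ in range(h)]
    if symmetric:  # enforce c[i][j] == c[j][i]; symmetric=False models an inconsistent dealer
        for i in range(h):
            for j in range(i, h):
                c[j][i] = c[i][j]
    return c

def share(c, x):
    """Share s(y) = F(x, y): the coefficient of y^j is sum_i c[i][j] * x^i mod p."""
    h = len(c)
    return [sum(c[i][j] * pow(x, i, P) for i in range(h)) % P for j in range(h)]

def horner(coeffs, y):
    acc = 0  # Horner's rule: h-1 multiplications for a degree h-1 polynomial
    for a in reversed(coeffs):
        acc = (acc * y + a) % P
    return acc

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % P
    return out

def interpolate(points):
    """Lagrange interpolation: coefficients of the unique polynomial of degree < len(points)."""
    total = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        num, den = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = poly_mul(num, [(-xj) % P, 1])
                den = den * (xi - xj) % P
        scale = yi * pow(den, P - 2, P) % P
        for k, coef in enumerate(num):
            total[k] = (total[k] + scale * coef) % P
    return total

def verify_all(xs, s1, s2, h, alpha):
    """VSS steps 1-3: from the released v_i(y) interpolate G(x, y) = F1 + alpha*F2 and check it."""
    v = [[(a + alpha * b) % P for a, b in zip(s1[i], s2[i])] for i in range(len(xs))]
    # g[j] is the polynomial in x multiplying y^j in G, interpolated from all n releases
    g = [interpolate([(xs[i], v[i][j]) for i in range(len(xs))]) for j in range(h)]
    if any(coef for col in g for coef in col[h:]):  # degree check; only informative when n > h
        return False
    return all(g[j][i] == g[i][j] for i in range(h) for j in range(h))  # symmetry check

def reconstruct(xs, s1, s2, part):
    """Reconstruction steps 1-4 among participants `part` (indices into xs)."""
    ssum = {i: [(a + b) % P for a, b in zip(s1[i], s2[i])] for i in part}
    # step 1: pairwise key k_ij = s_vi(x_vj) = F(x_vi, x_vj); symmetry of F gives k_ij == k_ji
    key = {(i, j): horner(ssum[i], xs[j]) for i in part for j in part if i != j}
    w = {}  # step 2: Lagrange component w_vi = s_vi(0) * prod_{j != i} x_vj / (x_vj - x_vi)
    for i in part:
        lam = 1
        for j in part:
            if j != i:
                lam = lam * xs[j] % P * pow(xs[j] - xs[i], P - 2, P) % P
        w[i] = horner(ssum[i], 0) * lam % P
    # step 3: U_vi sends c_ij = E_kij(w_vi); the paper fixes no cipher, assumed here: w + k mod p
    cipher = {(i, j): (w[i] + key[(i, j)]) % P for (i, j) in key}
    # step 4: U_vi decrypts each c_ji with its own k_ij and sums all Lagrange components
    return {i: (w[i] + sum(cipher[(j, i)] - key[(i, j)] for j in part if j != i)) % P
            for i in part}

def run_demo(symmetric=True, t=3, n=5, seed=7):
    """Returns (verification passed, every participant recovered s); h = t as in Theorem 1."""
    rng = random.Random(seed)
    f1, f2 = sym_poly(t, rng, symmetric), sym_poly(t, rng, symmetric)
    secret = (f1[0][0] + f2[0][0]) % P  # assumed: s = F1(0,0) + F2(0,0)
    xs = list(range(1, n + 1))  # public x_i of U_i (constructed)
    s1 = [share(f1, x) for x in xs]
    s2 = [share(f2, x) for x in xs]
    verified = verify_all(xs, s1, s2, t, rng.randrange(1, P))  # alpha agreed in step 1
    rec = reconstruct(xs, s1, s2, [0, 2, 4, 1])  # u = 4 > t participants
    return verified, all(val == secret for val in rec.values())
```

With n > h the interpolated coefficient polynomials expose a wrong degree as well as asymmetry; a dealer who uses non-symmetric polynomials is caught by the symmetry check even when n = h.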

Scheme for Verification of Shares
Correctness: from the secret sharing homomorphism, we know that the additive share $v_i(y)$ of each shareholder is a share on the polynomial $F_1(x, y) + \alpha F_2(x, y) \bmod p$. Since the polynomials $F_1(x, y)$ and $F_2(x, y)$ are both symmetric polynomials of degree $h - 1$, their sum, $G(x, y) = F_1(x, y) + \alpha F_2(x, y) \bmod p$, must also be a symmetric polynomial of degree $h - 1$. On the other hand, if $G(x, y) = F_1(x, y) + \alpha F_2(x, y) \bmod p$ is a symmetric polynomial of degree $h - 1$, then it is most likely that the polynomial $F_1(x, y) + F_2(x, y) \bmod p$ is also a symmetric polynomial of degree $h - 1$. This result achieves our VSS objectives.
Efficiency: our VSS is very efficient since it verifies all shares of the secret at once using polynomial interpolation.
Security: in step 2, the released value of each shareholder is $v_i(y) = s_{i,1}(y) + \alpha s_{i,2}(y) \bmod p$. It is impossible to obtain the shares $s_{i,1}(y)$ and $s_{i,2}(y) \bmod p$ from the released value. Furthermore, in step 3, the recovered polynomial, $G(x, y) = F_1(x, y) + \alpha F_2(x, y) \bmod p$, does not reveal the secrecy of the individual polynomials $F_1(x, y)$ and $F_2(x, y) \bmod p$. Thus, the secret cannot be obtained in this VSS scheme.

Shares generation
The dealer selects two symmetric polynomials of degree $h - 1$ (with $h = t$; we explain this condition later in Theorem 1), $F_1(x, y) = \sum_{i=0}^{h-1} \sum_{j=0}^{h-1} a_{i,j} x^i y^j \bmod p$ and $F_2(x, y) = \sum_{i=0}^{h-1} \sum_{j=0}^{h-1} b_{i,j} x^i y^j \bmod p$, where $s$ is the secret and $p$ is a prime with $p > s$. The dealer computes the shares $s_{i,1}(y) = F_1(x_i, y) \bmod p$ and $s_{i,2}(y) = F_2(x_i, y) \bmod p$ for the shareholders $U_i$, $i = 1, 2, \ldots, n$, where $x_i$ is the public information associated with each shareholder $U_i$. The dealer sends the shares $s_{i,1}(y)$ and $s_{i,2}(y)$ to shareholder $U_i$ secretly.
Figure 1: Share generation.

Verification of shares
Step 1. All shareholders agree on a random integer $\alpha \in GF(p)$.
Step 2. Each shareholder $U_i$ uses his/her shares $s_{i,1}(y)$ and $s_{i,2}(y)$ to compute $v_i(y) = s_{i,1}(y) + \alpha s_{i,2}(y) \bmod p$ and makes $v_i(y)$ available to the other shareholders.
Step 3. After receiving all $v_i(y)$, $i = 1, 2, \ldots, n$, each shareholder computes $G(x, y)$ by polynomial interpolation. If $G(x, y)$ is a symmetric polynomial of degree $h - 1$, all shares used to recover the secret have been verified; otherwise, there are inconsistent shares and new share generation is needed.
Figure 3: Verification of shares.

Verification of shares
Step 1. We can assume that all shareholders agree on the random integer $\alpha = 2$.
Step 3. After receiving all $v_i(y)$, $i = 1, 2$, each shareholder, $U_1$ and $U_2$, can respectively compute $G(x, y) = 5 + 4x + 4y + 5xy \bmod p$. Here, we can see that $G(x, y)$ is a symmetric polynomial of first degree; hence, all shares used to recover the secret have been verified.
Figure 4: Verification of shares, a concrete instantiation of Figure 3.

Scheme for Secure Secret Reconstruction
Correctness: according to the Lagrange interpolation formula, the sum of the Lagrange components computed in step 4 of scheme 3 equals the secret, $s$. This concludes that any qualified subset, $A = \{U_{v_1}, U_{v_2}, \ldots, U_{v_u}\} \in \Gamma$, of shareholders can work together to recover the secret. Hence, it holds that $H(s \mid A) = 0$.
Efficiency: in this scheme, each share, $s_{i,j}(y)$, $j \in [1, 2]$, is a univariate polynomial of degree $h - 1$. Thus, each shareholder needs to store $2h$ coefficients of univariate polynomials. The memory storage of each shareholder is $2h \log_2 p$ bits, where $p$ is the modulus. Horner's rule [24] can be used to evaluate polynomials: evaluating a polynomial of degree $h - 1$ needs $h - 1$ multiplications and $h$ additions. Since multiplication takes more time than addition, the performance is only measured by the number of multiplications needed. The computational cost in step 2 of scheme 3 to compute $w_{v_i}$ is one polynomial evaluation. The computational cost in step 1 of scheme 3 is that of computing the pairwise shared keys, where $u$ is the number of shareholders participating in the secret reconstruction. Overall, the computational cost for each shareholder to reconstruct the secret is $uh$ multiplications.
Security: in this section, we first prove that the scheme meets the security requirements discussed in Section 3.3.
Against both active and passive outside attacks: in the proposed scheme, the information exchanged among shareholders is encrypted using the pairwise shared keys. Since a nonshareholder does not own any share generated by the dealer, the nonshareholder cannot decrypt any ciphertext. Thus, the recovered secret is not available to the nonshareholder. In other words, the nonshareholder obtains no information on $s$.
Against colluded inside attack:
Theorem 1. With $h = t$, the proposed scheme satisfies both security requirements of a (t, n) SS. That is, (a) $t$ or more shares can recover the secret and (b) fewer than $t$ shares cannot recover the secret.
Proof. Since $F_1(x, y) = \sum_{i=0}^{h-1} \sum_{j=0}^{h-1} a_{i,j} x^i y^j \bmod p$ and $F_2(x, y) = \sum_{i=0}^{h-1} \sum_{j=0}^{h-1} b_{i,j} x^i y^j \bmod p$ are symmetric polynomials with $a_{i,j} = a_{j,i}$ and $b_{i,j} = b_{j,i}$, $\forall i, j \in [0, h - 1]$, containing $h(h + 1)/2$ different coefficients in each polynomial, there are $h(h + 1)$ different coefficients in total. In the proposed scheme, each share, $s_{i,j}(y)$, $j \in [1, 2]$, is a univariate polynomial of degree $h - 1$. In other words, each shareholder can use his shares, $s_{i,1}(y)$ and $s_{i,2}(y)$, to establish $2h$ linearly independent equations in terms of the coefficients of the polynomials.
On the other hand, when $t$ or more shareholders try to recover the secret with their shares together, they can establish $2ht$ equations; at the same time, their shares contain $2\binom{t}{2} = t(t - 1)$ common points on the bivariate polynomials. Thus, their shares can be used to establish $2ht - 2\binom{t}{2}$ linearly independent equations in terms of the coefficients of the bivariate polynomials. If $2ht - 2\binom{t}{2} \geq h(h + 1)$, these $t$ or more shareholders can recover the bivariate polynomials. Since $h = t$, as specified in the share generation, we have $2ht - 2\binom{t}{2} \geq h(h + 1)$. Hence, any $t$ or more shareholders can recover the secret. □
Corollary 1. For any given threshold, $t$, the degree of the symmetric polynomial, $F(x, y)$, can be $t$.
Proof. The proof is straightforward.

Secure secret reconstruction
Step 1. Each shareholder $U_{v_i}$ uses his/her additive sum of shares, $s_{v_i}(y) = s_{v_i,1}(y) + s_{v_i,2}(y)$, to compute the pairwise shared keys $k_{i,j} = s_{v_i}(x_{v_j}) = F(x_{v_i}, x_{v_j})$, $j = 1, 2, \ldots, u$, $j \neq i$, where $k_{i,j}$ is the secret key shared between shareholders $U_{v_i}$ and $U_{v_j}$.
After receiving the ciphertexts $c_{i,j}$, $j = 1, 2, \ldots, u$, $j \neq i$, from the other shareholders, $U_{v_i}$ computes $D_{k_{i,j}}(c_{i,j})$, $j = 1, 2, \ldots, u$, $j \neq i$, where $D_{k_{i,j}}(c_{i,j})$ denotes the decryption of $c_{i,j}$ using the key $k_{i,j}$.
Figure 5: Secure secret reconstruction.

Secure secret reconstruction
Each shareholder $U_{v_i}$ computes $D_{k_{i,j}}(c_{i,j}) = w_{v_j}$, $j = 1, 2, \ldots, u$, $j \neq i$. Then, the secret is recovered by computing $w_1 + w_2 = s = 4$. Hence, the secret is securely and correctly reconstructed.
Figure 6: Secure secret reconstruction, a concrete instantiation of Figure 5.

(1) The proposed secure secret reconstruction scheme with verifiable shares, which is based on symmetric bivariate polynomials, is unconditionally secure.
(2) The proposed VSS is different from most other VSSs, which verify one share at a time; our VSS verifies all shares at once. There are only two possible outcomes of our proposed VSS: either all shares are strong t-consistent and generated by a symmetric bivariate polynomial, or there are inconsistent shares. Thus, the proposed VSS is sufficient if all shares are strong t-consistent and generated by a symmetric bivariate polynomial; if there are inconsistent shares, it can be treated as a preprocess before applying another VSS to identify the invalid shares.
(3) The previous SSRS can only prevent active attackers from obtaining the recovered secret, but cannot prevent passive attackers. Our proposed SSRS can prevent both active and passive attackers.
(4) In our proposed SSRS, the shares of shareholders are generated by a symmetric bivariate polynomial. The shares generated by a symmetric bivariate polynomial can be used to (a) verify all shares at once, (b) recover the secret, and (c) establish pairwise secret keys between shareholders to protect the exchanged information in the secret reconstruction. There is no additional user authentication or key distribution needed. Thus, it is very efficient.

Conclusions
A novel design for an efficient SSRS with verifiable shares is introduced in this paper. This SSRS uses bivariate polynomials to generate shares, where the shares of shareholders can be used to (a) verify all shares at once, (b) recover the secret, and (c) establish pairwise secret keys between shareholders to protect the exchanged information in the secret reconstruction. Moreover, we propose an efficient verification scheme which allows all shares to be verified at once. Security and performance analyses are also included. The proposed scheme is attractive for application in most communications systems.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.