An Efficient Compartmented Secret Sharing Scheme Based on Linear Homogeneous Recurrence Relations

Multipartite secret sharing schemes are those that have multipartite access structures. +e set of the participants in those schemes is divided into several parts, and all the participants in the same part play the equivalent role. One type of such access structure is the compartmented access structure, and the other is the hierarchical access structure. We propose an efficient compartmented multisecret sharing scheme based on the linear homogeneous recurrence (LHR) relations. In the construction phase, the shared secrets are hidden in some terms of the linear homogeneous recurrence sequence. In the recovery phase, the shared secrets are obtained by solving those terms in which the shared secrets are hidden. When the global threshold is t, our scheme can reduce the computational complexity of the compartmented secret sharing schemes from the exponential time to polynomial time. +e security of the proposed scheme is based on Shamir’s threshold scheme, i.e., our scheme is perfect and ideal. Moreover, it is efficient to share the multisecret and to change the shared secrets in the proposed scheme.


Introduction
Shamir [1] and Blakley [2] proposed the threshold secret sharing schemes in 1979. eir schemes were based on the Lagrange interpolation algorithm and the linear projective geometry, respectively. In the (t, n) threshold secret sharing scheme, the secrets can be shared among n participants, and any t or more participants can recover the shared secrets by pooling their shares since greater than or equal to t participants (let P � P 1 , P 2 , . . . , P n be the set of the participants, where P i is the ith participant in the set P, 1 ≤ i ≤ n) can construct a qualified subset. Less than t participants cannot get the shared secrets since less than t participants cannot construct a qualified subset. If the participants of any unqualified subset cannot obtain any information about the shared secrets, then the scheme is called as the perfect scheme. We call the secret sharing scheme the ideal scheme, when each participant holds the share as long as the shared secret. e threshold secret sharing schemes proposed by Shamir and Blakley are only special cases when all the participants have the same authority. Many applications [3,4] were developed based on the secret sharing scheme.
is is the reason that the secret sharing scheme is still popular today.

Related Works.
e threshold secret sharing schemes have many limitations in some conditions. Hence, other access structures were proposed successively. Shamir proposed the weighted threshold secret sharing scheme [1]. e construction of this scheme is simple: take a threshold scheme and give as many shares as its weight to each participant. Nevertheless, the obtained scheme is not ideal anymore. In 1987, Ito et al. first proposed a scheme to achieve the secret sharing on the general access structure [5]. Simmons first proposed the multipartite access structure [6]. Brickell proposed a method to construct an ideal secret sharing scheme for the multilevel and compartmented access structures [7], but it is not efficient. e definition of the compartmented access structure can be found in Section 2.2.2. Computational complexity and storage space size are usually used to measure the efficiency of a scheme. e information rate is usually used to measure the efficiency of a secret sharing scheme. erefore, to improve the efficiency of the secret sharing scheme, many researchers focused on the study of specific families of access structures, such as graph-based access structures [8], weighted threshold access structures [9], bipartite access structures [10][11][12], tripartite access structures [13,14], and threshold access structures [15]. Especially Farràs and Martł-Farr gave a complete characterization of the ideal multipartite access structures [16]. e multipartite secret sharing scheme can be divided into two types. e one is the compartmented secret sharing scheme, and the other is the hierarchical secret sharing scheme.
Recently, there were some research studies on the compartmented access structure [17][18][19]. Tassa et al. proposed two types of the compartmented secret sharing schemes based on the bivariate Lagrange interpolation [20]. ough some of the existing schemes are proved to be ideal, the abovementioned methods are not efficient. Farràs and Martł-Farr used the matroids and the integer polymatroids to study the compartmented access structure [16,19], and it is easy to determine whether the secret sharing schemes are ideal or not by the matroids and the integer polymatroids. e problem that how to design a scheme to realize a compartmented access structure can be considered as the problem that how to find a representation of a matroid from the presentation of its associated polymatroid [21]. Chen et al. [21] proposed a compartmented secret sharing scheme based on the general polymatroid and the Gabidulin codes, but the scheme is also to try to obtain nonsingular matrices. Later, Chen et al. [22] gave another method based on the idea of Brickell [7], and this scheme also needed to check many matrices for nonsingularity. But Farràs and Martł-Farr [16,19] showed that it remains open whether or not there exist efficient algorithms to obtain the representations of multipartite matroids from representations of their associated polymatroids in general. Especially, the compartmented access structure is useful in some applications. For example, a company is divided into several departments. A decision of this company needs the approval of at least some persons in each department. at is to say, a decision requires the cooperation of all departments, and a minimum number of employees in each department needs to involve in it.
Mashhadi and Dehkordi first introduced the Linear Homogeneous Recurrence (LHR) relations to the (t, n) threshold secret sharing scheme [23]. Later, they introduced the linear nonhomogeneous recurrence (LNHR) relations to the secret sharing scheme [24]. But the participants have the equal authority, and the qualified subset A satisfies |A| ≥ t in Mashhadi and Dehkordis schemes. Yuan et al. [25] introduced the LHR relations to the hierarchical secret sharing scheme. ey reduced the computational complexity of the hierarchical secret sharing schemes from exponential time to polynomial time (O(n k m −1 log n)) (k m in [25] is different to it in our scheme). But there is no scheme that realizes the compartmented secret sharing scheme in polynomial time.
us, in this paper, we mainly discuss the compartmented access structure.

Our Contributions.
e motivation of our scheme is to design an efficient secret sharing scheme with the access structures which are more general than the threshold access structures. One of the key contributions is to introduce the LHR relations into the compartmented access structure, which divides the degree t of a polynomial into the low degrees of some polynomials, and each low degree equals to a fixed compartment threshold minus one. In the proposed scheme, the compartmented access structure is realized by using the linear homogeneous recurrence (LHR) relations. e LHR relations are suitable for the compartmented access structure since it has the ability to associate each compartment with a different polynomial. Another key contribution is to reduce the computational complexity of the compartmented secret sharing schemes from exponential time to polynomial time (O(n max(t i −1) log n)). It is easy to share multisecret in our scheme. Each participant holds a share that is as long as the secret. e security of the proposed scheme is based on Shamir's threshold scheme. e remainder of this paper is organized as follows. Section 2 introduces the basic knowledge of the linear homogeneous recurrence relations and secret sharing scheme. Section 3 gives the proposed scheme. In Section 4, we analyze the security of the proposed scheme. Section 5 discusses some important properties of the proposed scheme and its performance. Finally, Section 6 draws our conclusion.

Preliminary Knowledge
In this section, first of all, we introduce the basic mathematical knowledge used in the proposed scheme. A detailed description of the linear homogeneous recurrence relations can be found in [24][25][26][27][28]. We also give a brief description about the perfect scheme, ideal scheme, and the compartmented access structure.

Linear Homogeneous Recurrence Relations
Theorem 1 (Richard [26]). Let h 0 , h 1 , . . . , h j , . . . be a sequence of integers, and let α 1 , α 2 , . . . , α m be the distinct roots of the following characteristic equation of the linear homogeneous recurrence relation with constant coefficients: where a i ≠ 0, a i is selected over GF (q) (j ≥ t), and q is a large prime.
If α i is a t i -fold root of the characteristic equation of (1), then the part of the general solution of this recurrence relation corresponding to α i is given as Let f i (j) � c i1 + c i2 j + · · · + c it i j t i − 1 . So, we can get e general solution of the recurrence relation is 2 Security and Communication Networks where t � m i�1 t i .

then the general solution of the recurrence relation is
where Definition 2 (Richard [26]). Let h 0 , h 1 , . . . , h j , . . . be an infinite sequence of numbers. Its generating function is defined to be the infinite series: us, x j acts as a placeholder for h j . A finite sequence h 1 , . . . , h j can be regarded as the infinite sequence h 1 , . . . , h j , 0, 0, . . ., in which all but a finite number of terms equal 0. Hence, every finite sequence has a generating function: which is a polynomial.
Theorem 2 (Richard [26]). Suppose that the LHR sequence {h i } is defined as (1), and the characteristic equation a 1 x t− 1 + · · · + a t � x t has m different roots α 1 , α 2 , . . . , α m with multiplicities t 1 , t 2 , . . . , t m , where t 1 + t 2 + · · · + t m � t. en, the generating function of the sequence {h i } is where R(x) is a polynomial function of x with the degree at most t − 1. us, we can get where f i (j) is a polynomial function of j with the degree at most t i − 1. Conversely, given such polynomials, and there is a sequence h 0 , h 1 , . . . , h j , . . . satisfying a linear homogeneous recurrence relation with constant coefficients of order t of type (1) whose generating function is given by (5).

Secret Sharing Schemes.
In the following section, we will give the definition of the perfect scheme and ideal scheme, and the hierarchical access structure is also listed.

Perfect Scheme and Ideal Scheme
Definition 3. A (t, n) threshold secret sharing scheme : S × R ⟶ S 1 × S 2 × · · · × S n over M, where S is the shared secret space, R is a set of random inputs, and S i (1 ≤ i ≤ n) is the share space, satisfies the following two conditions: subset of the participants, |A| is the number of the participants in the subset A, S A denotes the information of the shares to be obtained by the participants in the subset A, and H is the entropy.
then the scheme is called as the perfect scheme.
Definition 4 (Tassa and Dyn [20]). Let P i denote the set of possible shares for the participant M i ∈ M. e information rate of the scheme is defined as where |S| denotes the size of the shared secret and | P i | denotes the size of the shares saved by the participant M i . If ρ � 1, the scheme is called as the ideal scheme.

Compartmented Access
Structure. n is used to denote the total number of the participants in the set P � P 1 , P 2 , . . . , P n , i.e., n � |P|. In the compartmented secret sharing scheme, the set P is divided into disjoint compartments c 1 , c 2 , . . . , c m , i.e., P � ∪ m i�1 c i and c i ∩ c j � ∅, i ≠ j. e participants in the same compartment play an equivalent role. Let t i be the compartment c i threshold.
e compartment c i contains k i participants, where n � Σ m i�1 k i and i ∈ 1, . . . , m { }. e qualified subset of the compartmented threshold secret sharing scheme contains at least t i participants from the compartment c i , where i ∈ 1, . . . , m { } and t i ≤ k i . In the proposed scheme, we suppose that the global threshold t is equal to m i�1 t i . e compartmented access structure AS is given by

The Proposed Scheme
Our scheme is based on the linear homogeneous recurrence relations. In the compartmented secret sharing, the set of participants is partitioned into compartments and the shared secrets can be recovered only if the number of participants from any compartment is greater than or equal to a fixed compartment threshold t i , and the total number of Security and Communication Networks 3 participants is greater than the global threshold t. In our scheme, we suppose that t � m i�1 t i . e proposed scheme consists of three phases, i.e., the initialization phase, the construction phase (share generation phase and share distribution phase), and the recovery phase. e basic idea of the proposed scheme is illustrated as follows. e system consists of some participants and a distributor. e distributor generates a LHR relation with m different roots, where m is the number of the disjoint compartment. en, the distributor chooses the shared secrets and hides the shared secrets in some terms of this LHR sequence. e difficulty of our scheme is how to generate this LHR relation. e recovery of the shared secrets is realized by solving the general term of the LHR sequence {h i }. en, the participants who want to recover the shared secrets should get those terms in which the shared secrets are hidden.

Initialization Phase.
In the proposed scheme, suppose that the compartmented access structure is monotone, that is, if there exists A and A ∈ AS (the access structure), ∀A ′ ∈ 2 P , and A⊆A ′ , then we can get A ′ ∈ AS. Ito et al. presented that if the access structure AS was monotone, then there existed a perfect secret sharing scheme for the access structure [29]. e proposed scheme requires a public bulletin board. Any person has the right to read or download the contents from the public bulletin board. Only the legitimate participants in the system can publish the information to the directory and modify or update the published content according to their own permissions. e proposed scheme is based on the LHR relation over GF(q), where q is a large prime and GF(q) is the finite field. s 1 , s 2 , . . . , s l denotes l shared secrets that can be shared among the participants. e distributor D selects x ij over GF(q) as the jth participant's ID in c i , where x ij ∈ GF(q)\ 1, 2, . . . , l { } (this makes sure that we can hide the shared secrets in the first terms h 1 , h 2 , . . . , h l of the sequence), i ∈ 1, . . . , m { } and j ∈ 1, . . . , k i . P ij denotes j-th participant in compartment c i , where j ∈ 1, . . . , k i . en, the distributor D publishes the ID on the public bulletin board.

Construction Phase.
e dealer D performs the following steps to generate the shares, distribute the shares, and hide the shared secrets in the first terms h 1 , h 2 , . . .
where the global threshold t is equal to m i�1 t i and i ∈ 1, 2, . . . , m { }.

(3) D computes f i (x ij ) and sends the share f i (x ij )
to P ij in compartment c i privately in a secure channel, where 1 ≤ i ≤ m and 1 ≤ j ≤ k i . is participant P ij keeps the share f i (x ij ). (4) After all the shares have been sent to the participants through f i , where 1 ≤ i ≤ m, the dealer D computes Let and q on the public bulletin board.

Remark 1. From
Step (3) above, we know that the polynomial f i corresponds to the compartment c i , and just greater or equal to t i participants in the compartment c i can recover the polynomial f i by pooling their shares.

Remark 2.
From eorem 1, we can determine that h j is the general solution of a LHR relation with degree t and the roots of the characteristic equation of this LHR relation are α 1 , α 2 , . . . , α m . e multiplicity of the root α i is t i .

Recovery Phase.
If the participants in the qualified subset want to recover the shared secrets s 1 , s 2 , . . . , s l , they should recover the polynomials f 1 , f 2 , . . . , f m firstly. From the construction phase, we know that the order of the polynomial f i is t i − 1. t i is equal to the fixed compartment c i threshold, and only the participants in the compartment c i can recover the polynomial f i . Since the order of f i is t i − 1, we need greater or equal to t i participants in the compartment c i to recover the polynomial f i . So, these participants in the qualified subset contain at least t i participants from the subset c i � P i1 , P i2 , . . . , P ik i , where 1 ≤ i ≤ m. Suppose that the subset A⊆P satisfies these conditions. A participant in the subset A can obtain the share of each participant by the exchange in the secure channel. Assume that the participants in the qualified subset A want to recover the shared secrets. In the subset A, t i participants from the compartment c i pool the shares, where 1 ≤ i ≤ m. By using these shares, these participants can determine the polynomial f i , where 1 ≤ i ≤ m. After all the polynomials f 1 , f 2 , . . . , f m have been obtained, from eorem 1 and the public parameters α 1 , α 2 , . . . , α m on the public bulletin board, the participants in the subset A can determine the general solution of the recurrence relation, that is, From (17), the participants in the subset A can compute h 1 , h 2 , ..., h l . From Step (6) of the construction phase, the participants in the subset A can obtain the shared secrets by

Example.
In this section, we give a example to show how the dealer D distributes the secrets in the construction phase and the participants recover the shared secrets in the recovery phase.

Recovery Phase.
Before the participants can recover the shared secrets, these participants should recover the two polynomials f 1 and f 2 firstly. For t 1 � 2 and t 2 � 3, a qualified subset must contain at least two participants from c 1 and three participants from c 2 . ese participants recover the shared secrets by exchanging their shares. We suppose two participants P 11 and P 13 from c 1 and three participants P 21 , P 23 , and P 24 from c 2 . e two polynomials are recovered as follows.
(1) Firstly, we show how the polynomial f 1 is recovered by P 11 and P 13 . For the two points (3, 7) and (5, 11), a polynomial can be determined by (2) Secondly, the polynomial f 2 is recovered by P 21 , P 23 , and P 24 . For the three points (7,17), (9,9), and (10, 8), a polynomial can be determined by � 17 (3) From the public values α 1 � 2 and α 2 � 1, these participants can get Note: from Section 3.4.2, Construction Phase, we know that the participants in the subset c 1 obtain the shares through f 1 and the participants in the subset c 2 get the shares through f 2 , respectively. us, the participants P 11 and P 13 just only can recover f 1 , and the participants P 21 , P 23 , and P 24 just only can recover f 2 . (4) ese participants compute h 1 � 11 and h 2 � 8. (5) From the public values y 1 and y 2 , these participants can obtain the two shared secrets through the following equation: so s 1 � 5 and s 2 � 6.

Security Analysis
In this section, we will analyze that the unqualified subset cannot obtain the shared secrets and prove that the public values α 1 , α 2 , . . . , α m cannot leak any information about the shared secrets. First, we give a proposition below.

Proposition 1. If α i is a t i -fold root of the characteristic equation of LHR relation and the general solution for this LHR relation is given by
then its coefficient c ik can be determined by t initial values by solving the linear system of equation, where t � m i�1 t i .
From (17), we know when the participants in a unqualified subset want to recover the shared secrets, they must recover every polynomial f i , 1 ≤ i ≤ m. Assume that the number of the participants is t − 1 in the unqualified subset.
If the total number of the participants in the unqualified subset is t − 1, where t � m i�1 t i , then there exists the situation that the number of the participants contained in some compartment c i is t i − 1.

Theorem 3.
e general term of a linear homogeneous recurrence relation is secure for the unqualified participants if and only if the polynomial is secure for the unqualified participants.
Proof. First, we give an analysis that the public values α 1 , α 2 , . . . , α m do not leak any information about the shared secrets. From the public values α 1 , α 2 , . . . , α m , the characteristic equation of a LHR relation can be determined, according to eorem 1. If a LHR relation is given, then the characteristic equation of this LHR relation can be determined and the root of the characteristic equation can be found. us, the public values α 1 , α 2 , . . . , α m do not leak any information except the characteristic equation of a LHR relation. From (4), we have For Corollary 1, h j ″ is also the general term of a LHR relation with t i degree, where the order of the polynomial f i (·) is t i − 1. We have supposed that the unqualified subset contains t − 1 participants and t i − 1 out of t − 1 is in c i (let the t i − 1 random terms be h i 1 , h i 2 , . . . , h i t i −1 ).
(⇒) Suppose that the general term of the linear homogeneous recurrence relation with t i degree is secure for the unqualified participants. From the above, we know that public value α i does not leak any information except the characteristic equation. If the polynomial with degree (t i − 1) is not secure for the unqualified participants, that is to say, the t i − 1 points can determine a polynomial with degree (t i − 1). From (5), we also infer that the t i − 1 values can determine the general term of a linear homogeneous recurrence relation with degree t i .
is is contradictory to our assumption. (⇐) Suppose that the polynomial with degree (t i − 1) is secure for the unqualified participants. If the general term of the linear homogeneous recurrence relation with degree t i is not secure for the unqualified participants, then t i − 1 random terms (h i 1 , h i 2 , . . . , h i t i −1 ) can determine the general term of the linear homogeneous recurrence relation. According to (24), we pick up t i − 1 different terms and then can get t i − 1 different points of the polynomial f i (j). Since the degree of the random polynomial f i (·) is t i − 1, we can say that t i − 1 points can determine a random polynomial with the degree t i − 1. is is contradictory to our assumption. erefore, when the participants in the unqualified subset want to obtain the shared secrets, our scheme is safe. Each share is sent through a secure channel, so we do not discuss about the shares' leakage.

Discussion
In our scheme, each participant just holds one share to recover the secrets s i , s 2 , . . . , s l in the whole recovery process. In this section, firstly, we prove that our scheme is perfect and ideal, and we also show that it is efficient to distribute multiple secrets. Secondly, we compare the popular schemes with our scheme.

Performance.
We first show that the proposed scheme is perfect. So, we should prove that, for all A⊆P and |A| < t, H(S|S A ) � H(S). Equivalently, we require that, for any shared secrets s and s ′ ∈ S and view A ∈ (S 1 × · · · × S n ), where A � P 1 , P 2 , . . . , P t−1 , and s is distributed by the linear homogeneous recurrence (LHR) relation (h j ). We use h j to denote the linear homogeneous recurrence relation. e other s ′ is distributed through the linear homogeneous recurrence (LHR) relation (h j ′ ). Since the number of the participants in the subset A is t − 1, there exists the situation that the number of the participants contained in some compartment c i is less than the threshold t i . We assume that the participants in the subset A can recover all the polynomials except f i . Suppose that two linear homogeneous recursive (LHR) sequences h j and h j ′ satisfy the following conditions, that is, the threshold of the compartment minus one, i.e., we divide the t-th degree polynomial into m different polynomials, and the sum of the degrees of m different polynomials is equal to t − m. It is more efficient to distribute or recover the shared secrets by using some polynomials with low degrees than to distribute/ recover the shared secrets by using a polynomial with a large degree, i.e., the computational complexity is reduced from time exponential time to O(n max(t i − 1) log n). Moreover, our scheme is efficient when we share the multisecret. Especially, when we want to change the shared secrets, we can find that the proposed scheme is more efficient than the existing popular multisecret sharing schemes that were not based on the linear homogeneous recurrence relations. In the proposed scheme, each participant only needs to hold one share in the whole process. e limitation of our scheme is that our scheme needs more public values.

Data Availability
No data were used to support the findings of the study.

Conflicts of Interest
e authors declare that they have no conflicts of interest.