Binary Symmetric Polynomial-Based Protected Fair Secret Sharing and Secure Communication over Satellite Networks

The rapid establishment of the low Earth orbit (LEO) satellite network in orbit has promoted the development of satellite communication technology. However, with the reduction of access conditions of satellite networks, the problems of data protection and secure communication have attracted extensive attention. A secret sharing scheme is a cryptographic technology that can disperse risks and tolerate intrusion by dividing and storing secrets. Using secret sharing technology in satellite communication can realize information security and data con ﬁ dentiality. However, if there are cheaters among the participants, existing secret sharing schemes cannot prevent cheaters from sharing secrets exclusively, even if they can detect attacks. For this reason, this paper proposes a satellite based on binary symmetric polynomials protected fair secret sharing and secure communication scheme. In satellite secret refactoring, this scheme can produce a shared session key between two participants, no other key agreement processes, and reduce the scheme in the shared secret and the actual communication satellite application complexity. Users use the session key to encrypt communication to improve security and resist external attacks. The safety and fairness of the scheme are proved against the four attack models. Compared with the existing schemes, the scheme has a lower cost of deception identi ﬁ cation on the premise of satisfying security and fairness. This scheme does not require any cryptographic assumptions and is unconditionally secure.


Introduction
A satellite network is a unified, organic system composed of various types of satellites in different orbits by maximizing the utilization efficiency of space information resources. It has the characteristics of comprehensive coverage, flexible networking, good transmission effect, and functional diversity, so it is often used in meteorology, scientific research, military, and environmental fields. However, the satellite network has a tremendous negative impact due to satellite node exposure, open channel, complex space environment, highly dynamic network topology, and high link error rate. Limited space-borne resources affect computing power, which will pose a significant threat to the security of satellite networks. Although Vaseghi et al. proposed a chaotic satellite image encryption algorithm in 2021, there are security proof problems [1]. Therefore, it is necessary to design an unconditional security-protected fair secret sharing scheme in the satellite network.
In 1979, Shamir and Blakley proposed a secret sharing scheme based on Lagrange interpolation polynomials and mapping geometry, respectively [2,3]. The traditional ðt, nÞ secret sharing scheme consists of secret distribution and secret reconstruction: (1) The distributor divides the shared secret into multiple secret shares by calculation and distributes them to participants, respectively. (2) Any participant set greater than or equal to the threshold can present the secret share to reconstruct the shared secret. The proposal of secret sharing provides a new idea for key management, but the traditional secret sharing scheme also has some security problems. In the process of reconstruction, the reconstructors are not completely honest. If the insider attacker shows the false child secret, then the honest participant restores the false secret, and the insider attacker can enjoy the secret to maximize the benefits. If the external attacker collects the subsecrets presented by the honest participants, it can also forge its identity and obtain the same attack effect as the internal attacker. The above spoofing attack raises the fairness issue of secret refactoring: (1) when there are internal or external attackers, all honest reconstructors can recover shared secrets, but attackers cannot reconstruct true shared secrets. (2) When there is no attacker, all refactorers can reconstruct true shared secrets.
One of the most common attacks on the satellite network is the information forgery attack. The attacker forges the illegally stolen data and sends it back to the uplink. The ground cannot distinguish whether the data is from the legitimate node, resulting in the error of the whole data communication. The problem of honest refactorers recovering false secrets arises in secret refactorings. Similarly, satellite communication is broadcast chiefly over a wide range, so if encryption protection technology is not adopted, it can easily lead to data leakage.
Because of the above cheating problems, Rabin and Ben introduced the validation vector to check the correctness of participants' secret shares and detect and identify cheaters [4]. In 1995, Carpentieri proposed a scheme based on the characteristics of reference [4] that reduced the additional verification vectors required by participants [5]. In 2009, Harn and Lin constructed a subsecret consistency deceiver detection and recognition algorithm and proved the scheme's feasibility under three attack models [6]. In 2011, Ghodosi pointed out that the deception detection and recognition algorithm in reference [6] was invalid under its limitations; after he improved the scheme conditions, the scheme with a medium or above the number of participants had high computational complexity for deception recognition [7]. In 2018, Liu et al. constructed two deception detection and recognition algorithms based on binary polynomials and proposed a scheme for nonreconstructors to participate in detection and recognition [8]. The spoofing detection and identification scheme will terminate the protocol immediately when spoofing is detected, which does not apply to the general situation. Secondly, although the cheater is detected and identified, it cannot be prevented from enjoying the shared secret exclusively, which does not meet the fairness of secret reconstruction. Tompa and Woll first proposed the fair secret sharing scheme in 1988 and hid the shared secret in a secret reconstruction sequence, and all participants did not know the location of the real secrets. In the synchronous reconstruction environment, the attacker can successfully attack only when the probability is 1/k, and the attacker correctly guesses the shared secret reconstruction location [9]. Therefore, this scheme is fair in a synchronous environment. In an asynchronous environment, an attacker can launch an attack and share the secret as long as the child's secret is presented last. In 1995, Lin and Harn used the scheme in reference [4] to verify subsecrets. In addition, the secret reconstruction sequence fs 1 , ⋯, s j , s j+1 , ⋯, s k g is constructed, in which s j = s, s j+1 = s ′ , s ′ , participants restore the secret to s j+1 = s′, the correct secret sharing is the previous s j , and the scheme meets the fairness in the asynchronous environment [10]. In 2013, Tian et al. used secret consistency and secret reconstruction sequences to construct a fair secret sharing scheme and proved the fairness of the scheme under noncollusive attacks, asynchronous and synchronous collusive attacks [11]. In 2014, Harn pointed out that reference [11] was neither safe nor fair in an asynchronous environment [12]. In 2015, Harn et al. constructed the secret reconstruction sequence and adopted the algorithm in reference [13] to share and reconstruct each secret sequence bit [14]. The scheme was fair and safe in an asynchronous environment. In 2016, Gu et al. proposed a fair secret sharing scheme based on binary symmetric polynomials to provide secure channels between participants. Still, discrete logarithms and hash functions are required to ensure security [15]. In 2017, Zhang et al. constructed a fair secret sharing scheme with absolute security by combining the deception detection and recognition algorithm and secret reconstruction in reference [6] and proved the fairness and security of the scheme under four attack models [16]. In 2019, Yang and Xing constructed a fair secret sharing scheme based on binary asymmetric polynomials and proved the fairness and security of the scheme under four standard attack models [17]. In 2019, Li et al. proposed an unconditional secret sharing scheme [18]. In 2020, Sun improved the recognition algorithm of reference [6] and proposed a fair secret sharing scheme with absolute security [19]. According to the research in reference [7], the security restriction conditions under the three attack models in references [16,19] are all wrong. Liu et al. proposed a blockchain-based anonymous authentication scheme for airground integrated networks, which increased the consumption of satellite resources [20].
Therefore, according to the above research progress, in order to adapt to the characteristics of limited satellite resources and narrow bandwidth, combined with the characteristics of low orbit satellite network with wide coverage, low propagation delay, and small transmission loss, this paper proposes an unconditionally secure protected fair secret sharing scheme based on binary symmetric polynomials. Combined with the IoT architecture of low orbit satellites proposed by Ding et al. [21], this scheme can effectively solve the problems of secret distribution and mutual communication in satellite networks [6,7]. The interplanetary link is formed by multiple low-orbit satellites, and the ground control center or mid-orbit satellites serve as the key distribution center. The users are all kinds of network users who need to provide services in the satellite network. The scheme has a low cost of deception detection and identification. It satisfies fairness and security under four standard attack models, which solves a series of security problems in a satellite network, such as intercepting data transmission by attackers, data leakage, and data tampering. Shamir's secret sharing [2,6]. The algorithm is briefly described as follows. t represents share, n represents the total number, s stands for secret share, and J represents the number of interpolation points.

Related Work
Input: t, n, J = fi 1 , ⋯, i j g, s i 1 , s i 2 , ⋯, s i j ,where j interpolation points ði 1 , s i 1 Þ, ⋯, ði j , s i j Þ are used to calculate the interpolation polynomial f ðxÞ, denoting the order of f ðxÞ as d. If d = t − 1, then secret s = f ð0Þ.
Output: no cheater, and the secret is s. There are cheaters.
If the participant set is J and the attacker set is GFðpÞ, reference [6] points out that deception detection will always succeed when ðJ − CÞ > ðt − 1Þ.

Carpentieri Deception Recognition
Algorithm. The scheme in this paper adopts the deceiver recognition algorithm proposed by Carpentieri, which is briefly described as follows [5].
q is a large prime number, q > n, and GFðqÞ are finite fields, and the secret s is selected on GFðqÞ. 1 , ⋯, d i,k−1 randomly selects on GFðqÞ. For any participant P j , the distributor randomly selects different nonnull values g j,i , i = 1, ⋯, n on GFðqÞ, calculates b j,i = g j,i d i,0 + α j d i,1 + ⋯+α k−1 j d i,k−1 , and distributes numerical pairs ðg j,i , b j,i Þ, i = 1, ⋯, n, i ≠ j to each participant P j .

Deception Identification.
After participants P i show their secret share d i , any participants P j can authenticate d i through an equation g j,i y 0 + α j y 1 + ⋯+α k−1 j y k−1 = b j,i . If d i is the solution vector of the equation, then P i is the honest participant, otherwise P i is identified as a cheater.

Solution Overview
As shown in Figure 1, this scheme is divided into two scenarios. Solid lines represent communication between users, while dotted lines represent sharing secrets between users. When two users communicate with each other, they cannot communicate with each other directly due to the complex and changeable environment, such as desert, gobi, and sea. First, the ground control center will randomly send the secret share of the unique IN for the participants to the middle Earth orbit (MEO), and then, the MEO will transmit it to the LEO through the intersatellite link. Because the low orbit satellite has the characteristics of wide coverage and good transmission effect, the LEO will send the secret share to two users. Under the condition of ensuring the reliability of each other, the users can generate the session key between each other according to the above scheme. Therefore, when users communicate, they can encrypt and decrypt through the session key; when particular users have a secret to share with ordinary users, a particular user sends a request to the ground control center, the ground control center will randomly to send the secret share of the unique IN for the participants to the MEO, and then, the MEO will transmit it to the LEO through the intersatellite link, and the LEO will send the secret share to ordinary users. After that, secret reconstruction can be started between users. When all cheaters are excluded, the ground control center responds to the special user. The particular user can achieve the purpose of secret sharing, which significantly improves the security of the session and reduces the time of generating the session key.

The Project Design
The scheme in this section adopts the deceiver recognition algorithm proposed by Carpentieri, which is briefly described as follows [5]. The subground control center D and the set of participants fP 1 , ⋯, P n g are defined, and the finite domain of order p is constructed, where pðp > nÞ is a large prime number, and the secret s is selected on GFðpÞ.

Deception Identification.
After the participant P i receives and presents his secret share d i via the satellite network, any participant P j ðj = 1, 2, ⋯, n, i ≠ jÞ can verify where y 0 , y 1 , ⋯, y k−1 is unknown. If d i is the solution vector of the equation, P i is identified as an honest participant, otherwise as a cheater. The scheme in this section includes two parts: secret satellite distribution and secret satellite reconstruction. The detailed process is given below.

Secret Distribution.
Assume that the ground control center is D, the threshold value of the scheme is t, and there are n participants fP 1 , P 2 , ⋯, P n g. D constructs the finite domain GFðpÞ of order p, and pðp > nÞ is a large prime number. The select secret s on GFðpÞ sets the security parameter v and executes the following algorithm: ⋯, v, i ≠ lÞ is the sequence bit value, and randomly generate a set of sequences: (i) Step2: take a i ði = 1, 2, ⋯, v, i ≠ lÞ as a constant term to generate a univariate polynomial: For the sequence l position, a l is used as a constant term to generate a bivariate symmetric polynomial of degree t − 1: where the unknown coefficient The remaining nkðt − 1Þ elements s i,k,1 , ⋯, s i,k,t−1 ð1 ≤ i ≤ n, 1 ≤ k ≤ vÞ are randomly selected on GFðpÞ, and v vectors are distributed to participant P i through the secure channel.
(i) Step 6: for sequence bit k = 1, 2, ⋯, v, select a nonzero value g j,i,k ði, j = 1, 2,⋯,n, i ≠ jÞ on a finite field GFðpÞ randomly for each participant P i , b j,i,k = g j,i,k s i,k,0 + ID j s i,k,1 + ⋯+ID t−1 j s i,k,t−1 mod p and distribute ðg j,i,k , b j,i,k Þ, i = 1, ⋯, n, i ≠ j to each participant P j over a secure channel.

Secret Refactoring.
Assuming the set of reconstructors R = fP 1 , ⋯, P m gðm ≥ tÞ, the reconstruction algorithm performs at most v rounds, denoted by P −i = R \ P i . Participants P i and P j calculate, respectively FðID i , ID j Þ mod p through F i ðyÞ mod p and F j ðyÞ mod p, which serves as the session key between ground users. After that, information exchange is carried out in symmetric encryption.
Case 1. Send round k secret quota. All refactorers P i perform the following algorithms: Step 1: if the algorithm takes k = 1 rounds, P i send a secret share s i,1 to P -i .
Step 2: the algorithm execution cycle is round k. If P i receives m − 1 secret shares of round k − 1 sent by P -i , the algorithm perform step 3. Otherwise, the attacker set C is output, and the algorithm is terminated.
Step3: P i calculates interpolation polynomial f k−1 ′ ðxÞ through the collected subsecret share s 1,k−1,1 , ⋯, s m,k−1,1 . If the polynomial f k−1 ′ ðxÞ is t − 1, the secret share of the wheel k is sent; otherwise, a spoofing attack exists. P i verifies the m − 1 subsecret share received by ðg i,j,k−1 , b i,j,k−1 Þ, if the verification is passed, P i will vote for P j ; otherwise, no vote will be given. If P j gets votes T < 2/m and P j is marked as a cheater, P j is removed from the secret reconstruction, and the cheater set C is entered. Those who voted for P j also enter the cheater set C. If jR \ Cj ≥ t, P i sends the k wheel secret share; otherwise, the protocol terminates and outputs the deceiver set C.

Case 2.
Receive round k secret share. All refactorers P i perform the following algorithms: Step 1: if P i receives all m − 1 secret shares of round k sent by P -i , the algorithm calculates interpolation polynomial f k ′ðxÞ through s 1,k,1 , s 2,k,1 , ⋯, s m,k,1 . If the polynomial f k ′ ðxÞ is of order t − 1, perform step 2. Otherwise, P i verifies m − 1 subsecret shares received by ðg i,j,k , b i,j,k Þ, and P i votes for P j . Otherwise, P i does not vote. If P j gets the votes that satisfy T < 2/m, P j is marked as a cheater, P j is removed from the secret reconstruction, and the cheater set C is entered. Those who voted for P j are also entered into the cheater set C. If jR \ Cj ≥ t, perform step 2, otherwise, the protocol terminates, and the spoofer set C is output.

Wireless Communications and Mobile Computing
Step 2: all the reconstructors in R \ C calculating the sequence bits, a k = f k ′ ð0Þ, if a k−1 < a k is satisfied, the reconstructors in R \ C send a request to the ground control center D, and D sends d to the reconstructors in R \ C. After any reconstructor in R \ C receives d, he reconstructs the secret through the equation s = a k−1 ⊕ d, and the agreement is terminated; otherwise, the secret share of the round k + 1 is sent.

Security Model.
Because the satellite fair secret sharing and secure communication scheme proposed in this section have protected characteristics, it is not necessary to consider any attack from external hostile users or satellites. The scheme is the same as the previous satellite's fair secret sharing and communication scheme. It is assumed that there is a secure channel between the ground control center and participants, so only security in secret reconstruction is considered. To better analyze the safety and fairness of the scheme, the scheme classifies internal hostile user or satellite attacks into the following four types of attacks.
Case 1. Noncooperative attack with synchronization (NCAS). When all refactorers participate in secret reconstruction, the secret share is synchronous. There is no collusion between internal hostile users or satellites, which means that the false secret share presented by the internal enemy can only be a random number from a finite field. And the false secret share is entirely independent of the secret share provided by other real refactorers.
Case 2. Noncooperative attack with as synchronization (NCAAS). When participating in secret reconstruction, all reconstructors show that the secret share is asynchronous, and there is no collusion between internal hostile users or satellites. The best attack idea for internal hostile users or satellites is to finally show the false secret share and collect as many real secret shares as possible.
Case 3. Collusion attack with synchronization (CAS). When all refactorers participate in secret reconstruction, the secret shares they show are synchronous, and there is collusion between internal hostile users or satellites. Internal hostile users or satellites can conspire to generate and produce false secret shares. When the number of false secrets constructed is greater than or equal to the threshold, the other honest reconstructors reconstruct the false secrets constructed by their internal enemies.

Case 4. Collusion attack with asynchronization (CAAS).
When all refactorings participate in secret refactoring, the secret share is asynchronous, and there is collusion between internal hostile users or satellites. Same as NCAAS, the best attack idea for internal hostile users or satellites is to choose to show the false secret share finally and collect as many real secret shares as possible before that. The false secret share of conspiracy presented will have a greater chance of attack success.

Safety
Analysis. This section gives a detailed security analysis of the scheme in this section. To clearly represent the security proof process of the scheme, the following assumptions and symbolic definitions are given: suppose the refactorer set is R = fP 1 , P 2 , ⋯, P n gðn ≥ tÞ, where P i and P j ði ≠ jÞ are arbitrary honest refactorers. A is defined as any internal deceiver. α is the number of internal fraudsters. m is the number of all refactorers. C is the set of identified internal fraudsters.

Theorem 1.
A correctly guesses that the probability that round k can reconstruct the shared secret is 1/v.
Proof. The real shared secret is hidden in the reconstruction sequence by the ground control center. A does not know the correct location and can only iterate the reconstruction in turn according to the reconstruction sequence. The probability of successfully guessing the real secret location is 1/v.

Theorem 2.
In this section's scheme reconstruction process, any cheater will be identified by the honest refactorer, and the fraud identification probability is 1 − 1/ðq − 1Þ.
Proof. Suppose the secret is reconstructed in the k round, and the share of the subsecret shown by the reconstructor ′ through the g j,i ∈ GFðqÞ − f0g sent by the distributor, P j has q − 1 validation equations, considering two equations: where g j,i,k ≠ g j,i,k ′ , if s i,k ′ and s i,k are the solutions of these two equations; the two equations are subtracted to obtain are contradictory, there is only one case of the equation satisfying the subsecret share of P j verifiable P i . Then, the probability that P i successfully deceives P j is at most 1/ðq − 1Þ, and the probability of being recognized by P j is not less than 1 − 1/ðq − 1Þ.
Proof. In 2011, Ghodosi pointed out that the spoofing detection scheme of reference [6] cannot successfully detect spoofing, regardless of whether the secret reconstruction protocol is asynchronous or synchronous [7]. Suppose that there are qðq ≥ 1Þ deceivers fP i1 , ⋯, P iq g and t − 1 honest reconstructors in the secret reconstruction process. The deceivers conspire to generate a random t − 1 degree polynomial gðxÞ. For any honest participant, P i meets the requirements of gðiÞ = 0. The deceiver calculates the false secret 5 Wireless Communications and Mobile Computing share gði1Þ, ⋯, gðiqÞ for himself, and he shows false secret shares to all honest people and the sum of true secrets hði1Þ, ⋯, hðiqÞ. When honest reconstructors receive false secret shares, their reconstructed polynomial is hðxÞ = f ðxÞ + gðxÞ. The deceiver can easily calculate the true shared secret f ð0Þ = hð0Þ − gð0Þ, while the honest reconstructor reconstructs the wrong secret hð0Þ. The highest degree of the false polynomial hðxÞ is t − 1, so consistency spoofing detection can be bypassed. If there are at least t honest reconstructors in the scheme, no matter how the deceiver constructs, the highest degree of the polynomial gðxÞ is at least t, which does not meet the consistency detection. To sum up, when m − α ≥ t, secret consistency can always successfully detect deception. Proof. In the case of NCAS, it is assumed that there is only a single deceiver A in the secret reconstruction process. According to the attack method in the proof of Theorem 3, the scheme in this section cannot detect deception because the highest degree of the false polynomial hðxÞ is t − 1, so the condition m − α ≥ t must be satisfied. Due to the lack of cooperation between attackers, arbitrary deceiver A assumes that the other reconstructors are honest and cannot obtain adequate information through collusion. Suppose that the false subsecret share constructed by A in round k is s i,k ′ ≡ ðs i,k,0 + s i,k,0 ′ , s i,k,1 ⋯,s i,k,t−1 Þ, according to Theorem 1, the probability that the false subsecret share presented by A is verified by the honest reconstructor is less than that of 1/ðq − 1Þ. So it cannot pass the verification and obtain the votes of other reconstructors, and the k rounds are not necessarily the location of the real secret in the reconstructed sequence. The probability of A successfully guessing the reconstruction location is 1/v. When the security parameter is large enough, the probability of A successfully cheating is negligible. To sum up, when m − α ≥ t, the scheme in this section is safe and fair under NCAS.

Theorem 5.
When m − α ≥ t, the scheme in this section is safe and fair under NCAAS.
Proof. In the case of NCAAS, it is assumed that there is only a single deceiver A in the secret reconstruction process. When m − α ≥ t, the number of honest reconstructors in H is not less than t. Because it is an asynchronous environment, the best attack strategy of A is to let the honest reconstructor show the real subsecret share first and then A reconstruct the secret polynomial f i ðxÞ through t − 1 real subsecret shares. Therefore, in the first l rounds of secret reconstruction, A chooses to show the real subsecret share. In the round l + 1, A found that the real secret reconstruction position was in the previous round, condition m − α ≥ t limits that A cannot attack in the way shown in the proof of Theorem 3. A can only randomly select random numbers on GFðqÞ to construct false subsecret share s i,k ′ ≡ ðs i,k,0 ′ , s i,k,1 ⋯,s i,k,t−1 Þ. At this time, the false subsecret share constructed by A cannot pass the consistency detection. The secret reconstruction enters the identification algorithm. A obtains the number of votes T < m/2 and is identified as a deceiver. It is removed from the reconstruction process and added to the attacker set C. Honest refactorers in jR \ Cj continue to execute the reconstruction protocol, requests d from D, and then reconstructs the real secret s = a l ⊕ d.
To sum up, when m − α ≥ t, the scheme is safe and fair under NCAAS. Theorem 6. When ðm − α ≥ tÞ ∪ ðm > 2ðα − 1ÞÞ, the scheme in this section is safe under CAS.
location. Therefore, in the first round l, A shows the real subsecret share. Until round l + 1, A reconstructs the secret polynomial f l+1 ðxÞ through the collected real subsecret share and finds that the real secret reconstruction position is in the previous round. It selects the two attack methods described in Theorem 6 to pass the consistency detection; when the condition ðm − α ≥ tÞ ∪ ðm > 2ðα − 1ÞÞ is satisfied, the honest refactor can execute the protocol normally. To sum up, when ðm − α ≥ tÞ ∪ ðm > 2ðα − 1ÞÞ, the scheme is safe and fair under CAAS.

Scheme Comparison and Performance Analysis
From the perspective of security fairness, reference [7] points out that Harn deception detection and identification has security problems [5]. But references [16,19] are not perfect based on Harn deception detection [6]. Under NCAS ðm > tÞ, NCAAS ðm − α < t − 1Þ ∩ ðm > tÞ, and CAS ðα < tÞ ∩ ðm > tÞ, the deceiver can successfully bypass the subsecret consistency detection algorithm through the attack method shown in Theorem 3. And the deceiver cannot be recognized by the honest reconstructor. Therefore, the restrictions listed in the above different scenarios should be changed m − α ≥ t.
Only in this way can the scheme be safe and fair. Under CAS and CAAS, when the number of honest reconstructors is close to that of deceivers, the scheme in this paper needs fewer participants than references [16,19]. The scheme in reference [11] cannot completely resist asynchronous attacks and synchronous collusion attacks. The schemes in references [14,15] only consider the fairness of secret reconstruction in an asynchronous environment but do not consider CAS and NCAS. And the schemes do not meet complete fairness, and both need a hash function to ensure security. When deception is detected, the scheme stops immediately, which is not applicable in the actual environment. Compared with the above scheme, the protocol will not terminate immediately when deception is detected, to ensure that honest participants can reconstruct satellite secrets. Secondly, the scheme does not need the protection of a similar hash function, meets unconditional security, and ensures secure communication.
From the perspective of scheme complexity, the scheme reconfiguration protocol in this section requires θðvÞ a round of secret reconfiguration protocols to achieve fairness, which is the same as the fair secret sharing scheme proposed in references [11,[14][15][16]19]. From the perspective of each round of reconfiguration protocol, each participant in this scheme receives k elements on GFðpÞ from D, and additional 2ðn − 1Þ elements, FðID i , yÞ mod p containing t elements for generating the session key, there are k + t + 2ðn − 1Þ in total. In the fair secret sharing scheme constructed for binary polynomials in reference [17], the additional verification elements a j,i,l and b j,i,l distributed to participants are nk. Each round D has to construct x binary asymmetric polynomials of order nk and distribute many additional elements. Compared with this, this scheme has a key free negotiation process between participants, fewer additional elements, and better communication and computational efficiency. Sun proposed an efficient deception recognition algorithm. The method of logic or operation between correctly labeled vectors is used to replace the m − t sub-Lagrange interpolation in reference [6], reducing the fraud identification overhead [19]. The scheme in this secret uses subsecret consistency for deception detection, which is the same as references [16,19], only Οð1Þ. The computational complexity of the deception identification algorithm of Harn and Lin is Οðm!Þ [6]. Similarly, the computational complexity of the deception identification algorithm in the scheme of Zhang et al. is also Οðm!Þ [16]. Although the deception identification algorithm in the Sun scheme reduces the overhead, the computational complexity is also Οðm!Þ [19]. The scheme deception identification algorithm in this paper only needs m − 1 times of solution verification operation of secret share polynomial, and the computational complexity is Ο ðmÞ. According to the discussion in reference [8], in the deception identification algorithm in reference [7], assuming threshold t = 6, the number of participants is required to be m ≥ 16, and the identification algorithm requires 2 64 times of the Shamir secret reconstruction operation. Therefore, the scheme of references [16,19] is not practical. To more intuitively represent the fraud detection and identification overhead between different schemes, suppose T p is the modular exponentiation operation time, T L ðmÞ is the interpolation operation time of m points, T H is the hash operation time, and T v is the polynomial solution verification operation time. As shown in Table 1, the scheme in this section is compared with other fair secret sharing schemes in detail.

Parameter Analysis
In Sections 4.1 and 4.2 of this paper, it can be seen that the threshold value is an important parameter affecting satellite secret distribution and satellite secret reconstruction. Furthermore, it has a crucial impact on the generation of binary symmetric polynomials and the order of interpolation polynomials. It can be seen from reference [23] that the security and reliability of the ðn, kÞ tthreshold secret sharing scheme are closely related to the key update cycle and the threshold value. Therefore, choosing the appropriate key update cycle and threshold is of great significance in improving the security of this scheme. 7.1. Key Update Cycle and Key Share Leakage Rate. When an attacker intercepts the shared secret share between satellite nodes, it is called key share leakage and PðtÞ is used to represent the distribution function of the key share leakage rate with time t: Figure 2 shows the probability distribution of key share leakage with the key update cycle T, x is λ, as can be seen from the figure, λ at the same time, the larger the key update cycle, the higher the key share leakage rate. In Figure 2, λ takes 0:02, 0:04, and 0:06, respectively, which are the corresponding values of PðtÞ. 7 Wireless Communications and Mobile Computing 7.2. Influence of Threshold on Network Security. Each node of the satellite network has different key shares. In a key update cycle, the probability of the key share being intercepted by the attacker is as follows: where P stands for network security, n = 40, λ = 0:015, the variation curve of P concerning k is given in Figure 3, and the values of T = 20, 30, 40, 50. As can be seen from the figure, when the key update period T remains unchanged, P will gradually increase with the increase of the threshold value k. when k increases to a certain extent, P approaches 1. When t is different, P corresponding to the same k value is also different. Therefore, it is necessary to increase the threshold value while increasing the key update cycle to improve network security. To improve the security and reliability of the ðn, kÞ threshold secret sharing scheme, it is necessary to set the key update cycle and threshold reasonably.

Conclusion
This paper proposes a protected secret sharing scheme for satellite networks based on binary symmetric polynomials, points out the conditional errors in references [15,17], and proves the complete security fairness under four attack models. Compared with the existing fair secret sharing schemes, this scheme has two characteristics: The first is verifiable multisecret sharing. This scheme can effectively ensure participants' effectiveness with secret shares before secret transmission. Secondly, suppose participants want to communicate with each other, after ensuring participants' effectiveness. In that case, participants can communicate through the key distributed by the distribution center to form a session key to resist the external attack of satellite communication node attackers. There is no need for additional key negotiation processes between participants to reduce the number of interactions to improve the    Wireless Communications and Mobile Computing performance of the satellite network. Thus, it can reduce the bit error rate of the link and ensure safe communication between users. At the same time, the scheme does not rely on any security assumptions, is unconditionally secure, and has low fraud detection and identification overhead, which reduces the cost of remote maintenance and management of satellite networks and improves reliability and security.

Data Availability
All data, models, and code generated or used during the study appear in the submitted article.

Conflicts of Interest
The authors declare that they have no conflicts of interest to report regarding the present study.