1 Introduction

The concept of secret sharing (SS) schemes was coined by Shamir [1] and Blakley [2] in 1979. Since then, it has attracted the interest of several researchers. SS has been found valuable in several applications such as witness encryption [3], secure communication [4], and access control [5]. In SS schemes, there are two significant role players: one is the dealer and the other is the group of shareholders (participants). The dealer splits the secret into \( n \) parts and distributes these shares among \( n \) shareholders. These shareholders can recover the secret by combining their shares. The scheme is referred to as a threshold scheme if the secret can be recovered by combining \( t \) out of \( n \) \( (t \le n) \) shares, while fewer than \( t \) parts must not reveal any information about the secret. The SS schemes presented in [1, 2] have some drawbacks which act as constraints on their practical usage:

  • Fake shares may be distributed by a malicious dealer, in which case secret reconstruction is not possible.

  • A deceitful shareholder may submit a fake/invalid share, which leads to incorrect secret reconstruction, and the true secret would then be known only to the deceitful shareholder.

  • A mutually trusted dealer is needed for the generation and distribution of shares.

  • A private channel is required for share distribution.

An advancement of SS schemes, known as verifiable secret sharing (VSS) schemes, came into the picture to handle the dishonesty of the shareholders or, mainly, of the dealer. The dealer may be biased in the distribution of shares or in the reconstruction of the secret.

In traditional SS schemes, it is assumed that the shareholders and the dealer are honest and reliable enough. In practical scenarios, however, the dealer does not trust the players completely, and consequently, it is reasonable to expect that the players may not trust the dealer either. To make SS verifiable, some auxiliary information is added that helps the shareholders to verify their respective shares. The idea is that shareholders do not accept their shares if they find them inconsistent or invalid. With the help of VSS schemes, it is possible for the shareholders to verify their shares without having access to the secret and even without revealing their shares. Other flavours of SS schemes include multiple [6], multilevel [7], weighted [8], and protected SS (PSS) schemes [9].

2 Related Work

In multiple SS schemes, there are multiple (say \( p \)) secrets instead of a single secret as in traditional SS schemes. To share \( p \) secrets, one approach is to run \( p \) instances of the simple scheme. However, this is a very naïve way and not a desirable solution due to its high computational complexity. A scheme is therefore desirable if a single run [6] can share all \( p \) secrets. Recent work in this direction is done by Amroudi et al. [10], where the authors obviate the need of a secure channel by encrypting the shares with the NTRU cryptosystem, which is a lattice-based and reasonably fast approach. The coefficients of a multivariate polynomial are used to share the multiple secrets, with the verification of shares performed by using a hash function. Another work in this league is a scheme by Meng et al. [11] that uses cellular automata and a hash function for verifiability. Trust management without the dealer is achieved with the help of linear computations, with parallel computation used for efficiency. Another multiple SS scheme is proposed by Tentu et al. [12], where multiple secrets are distributed using the discrete logarithm and quadratic residue problems. This scheme is used for the level-ordered access structure. Cheng et al. [13] proposed a verifiable multi-secret sharing based upon the Lagrange polynomial and a public key cryptosystem. They used a linear feedback shift register (LFSR)-based cryptosystem to enhance the efficiency of the scheme. The scheme provides reasonably good security with added efficiency. In the recent past, Giri et al. [14] proposed a multi-secret scheme whose assumption is based upon geometry in a finite field. The scheme is claimed to be secure because the values shared with the participants are not the actual values but shadow values. Liu et al. [15] proposed a multi-secret scheme and showed that the asynchronous share reconstruction given by Harn and Hsu [16] fails. They also proved that, once any one of the secrets has been reconstructed, the rest of the secrets could be obtained illegitimately. They fixed this weakness of the scheme by taking a common pairwise key for each pair of shareholders.

In multilevel or hierarchical SS schemes [7], participants are divided into \( m \) different levels and a threshold is associated with each level. For secret recovery, a participant from the targeted level or a higher level can contribute to the secret reconstruction. Zhong et al. [17] extended the idea of shadow numbers to images. Using a shadow image as a share prevents shareholder cheating before the actual image is recovered. They extended the idea of a weighted scheme by giving higher priority to the shareholders at a higher level; i.e. the capabilities of shareholders at different levels are different.

In weighted SS schemes [8], a weight with a positive value is assigned to each participant. Secret reconstruction is possible only when the sum of the weights of the authorised subset is equal to or greater than the threshold. In the previously described schemes [1,2,3,4,5,6,7], each shareholder has unit weight, whereas in weighted schemes different shareholders may be assigned different weights. The concept of such schemes can be applied directly when there is a need to give more rights to higher rank officials.

In SS schemes, traditionally, to avoid the chance of recovery of a secret by non-shareholders, secure pairwise channels are established among the shareholders by means of a shared key, which are used to exchange the shares. To reduce this computational inefficiency, Harn et al. [9] introduced the PSS scheme. In it, in addition to the secret reconstruction, the shared key is also established in a pairwise manner with the help of the shares possessed by the shareholders. Though this scheme is computationally less efficient than Shamir’s SS scheme, it can be used even if the adversary has unlimited computational power.

Another class of VSS schemes is known as publicly verifiable SS (PVSS) schemes [18, 19]. Such VSS schemes possess the unique property that anyone can verify whether the distributed shares are valid or not, i.e. maliciousness of the shareholders can be handled by this type of scheme, in particular the case of a shareholder who receives a valid share but does not submit a valid one during reconstruction. A remarkable PVSS scheme was presented by Behnad et al. [20], where participants can prove their membership by themselves, avoiding the participation of illegal members.

With the proliferation of big data and cloud computing technology and their associated requirements, homomorphic secret sharing schemes were proposed in the recent past. Though the concept of cryptographic homomorphism is old, it has been revisited by various researchers from time to time. Li et al. in 2018 discussed the various cryptographic primitives which can be used for the privacy preservation requirements of various online applications [21]. A scheme by Rajabi et al. [22], whose security is based upon the approximate shortest polynomial problem, exploits the homomorphic as well as the collision resistance property by taking an appropriate knapsack function. The verification of shares can also be done using public channels. Another variant of VSS is the asynchronous verifiable SS (AVSS) scheme, where fault tolerance in multiparty computation can be handled. Basu et al. [23] proposed an optimistic AVSS scheme, where the pay-off cost of failure is linear, i.e. proportional to the number of failures. A different approach which adds non-malleability to SS schemes was proposed by Goyal et al. [24]. With this scheme, if the shares are tampered with, then either the original secret can be recovered, or the recovered secret is unrelated to the original secret.

Motivated by these requirements, our work proposes a hybrid VSS scheme that combines the Chinese remainder theorem (CRT) with hash functions [7, 25, 26]. The proposed scheme also stands against a dishonest dealer and dishonest shareholders. To rule out a typical dishonest strategy of leaking secret information in the valid shares, the concept of dealer leakage resilience is used by reducing the dealer’s power to select random values on his own. In the results and analysis section, it is confirmed that the scheme adheres to the security requirements of VSS.

The rest of the paper is organised as follows: In Sect. 3, the preliminary background and applications of SS schemes are explained. Section 4 explains the proposed work. Next, Sect. 5 demonstrates the experimental results and also explains how the proposed scheme can be used for defence applications. Further, Sect. 6 analyses the scheme against various security parameters, where a comparison is also made with the existing schemes. Finally, Sect. 7 concludes the paper.

3 Preliminary Background and Applications of SS Schemes

3.1 Background of SS Schemes

Simple SS schemes are not of much interest in practical scenarios; a threshold value plays an important role. The very first idea in this league is a scheme due to Adi Shamir [1] in 1979. In every SS scheme, there are two phases, one is share generation and the other is secret reconstruction. Shamir’s scheme is based on Lagrange’s polynomial interpolation, which satisfies the basic requirements of SS schemes. Shareholders can unlock the secret if \( t \) (out of \( n \)) or more shares are known. Shamir’s scheme is divided into two algorithms, namely share generation and secret reconstruction.

3.1.1 Share Generation

In this, the dealer selects a polynomial \( f\left( x \right) \) (given by (1)) of degree \( t - 1 \) whose coefficients are randomly chosen from a finite field by the dealer,

$$ f\left( x \right) = a_{0} + a_{1} x + a_{2} x^{2} + \cdots + a_{t - 1} x^{t - 1} $$
(1)

Dealer computes a set of \( n \) shares \( \left\{ {f\left( 1 \right),f\left( 2 \right), \ldots ,f\left( n \right)} \right\} \) and distributes them among the participants through the private channels.

3.1.2 Secret Reconstruction

The secret reconstruction is not possible until \( t \) parties are involved. For example, at least two points are required to construct the equation of a line, three points are required for formulating a quadratic equation, and similarly, \( t \) shares are combined to reconstruct an equation of degree \( t - 1 \). According to Shamir’s scheme, the polynomial reconstruction is done using Lagrange’s polynomial interpolation, i.e.

$$ f\left( x \right) = \sum\limits_{i = 1}^{t} f\left( i \right) \prod\limits_{j = 1, j \ne i}^{t} \frac{x - j}{i - j} $$
(2)

Another landmark work in this direction was presented by Blakley [2] in the same year, where the scheme was based on hyperplane geometry. It can be summarised as follows: the secret is a specific point in space, each share corresponds to a hyperplane, and the intersection of the hyperplanes (once the threshold number of them is available) reveals the secret.

The notion of verifiability in SS schemes was first presented by Chor et al. [27], where verification of the received share is done without any information about the secret. VSS schemes can be interactive or non-interactive [28], where non-interactive schemes are more efficient in comparison with the interactive ones. Initially, interactive schemes were presented in which the dealer and players communicate with each other to check the validity of the shares. This increases the overhead of the dealer, as he has to communicate with \( N \) players. Later, non-interactive schemes were introduced which reduced the dealer’s communication overhead. Max Mignotte [29] presented his seminal work in 1983, which was based on CRT and used a particular sequence of integers rather than an interpolation polynomial for secret construction. Another popular construction is due to Feldman [30], which is a verifiable and non-interactive one based on Shamir’s scheme. Its security is based on the discrete logarithm problem (DLP), which is assumed to be computationally hard. To make the scheme unconditionally secure, Pedersen [31] used a commitment scheme in his construction.

On the other hand, if the dealer can obtain the commitment values and break the DLP, he can distribute fake shares. In 2008, Kaya et al. [32] proposed another VSS scheme based on CRT and proved its security. They also proposed a joint random secret sharing (JRSS) protocol and a proactive SS protocol. In 2010, Harn and Lin [33] defined the \( (n,t,n) \) SS scheme based on Pedersen’s schemes and presented the notions of strong VSS and \( t \)-consistency. They also presented a robust \( (n,t,n) \) scheme based on the Benaloh [34] scheme. Subsequently, between 2012 and 2014, Meng et al. [35] and Mahmoud [36, 37] proposed different VSS schemes. In the direction of PVSS, different schemes [18,19,20, 38,39,40,41,42,43,44,45] have been proposed from time to time with different capabilities.

3.2 Applications

There are various applications [3,4,5, 46] of SS schemes ranging from traditional to contemporary. SS schemes can be used by hierarchical organisations to share a single secret. The proposed scheme (Sect. 4) can be used to share multiple secrets in a multilevel environment while fulfilling the necessary security requirements. Other applications of SS are as follows:

Securing Cryptographic Keys Cryptographic keys play an essential role in any cryptosystem. In such cases, the key is split into different parts. Each part is termed a share of the key, and these shares are distributed to all the participants, who pool their shares for key reconstruction.

Electronic Voting Electronic voting, also called E-Voting, uses electronic systems for casting and counting votes. To avoid plausible dishonesty, SS schemes can be adopted in the E-Voting system. Each vote can be treated as a secret, and shares of the vote are distributed among the authorities who are counting the votes. Now only \( t \) authorities together can access the vote, and it cannot be manipulated by any \( t - 1 \) authorities. SS schemes add security and reliability to the E-Voting system. Another possible application of electronic systems is E-Auction. In this system, participants put an offer for the items and allocation is done based on their offered prices.

Threshold Schemes for Multiple Servers Similarly, SS can be used for threshold schemes across multiple servers. Shares are spread across multiple servers, and even \( t - 1 \) shares do not give any information. The scheme works even if one or two servers fail, and the secret can still be recovered.

Distributed Signatures A digital signature is a mathematical way to authenticate a message. It is generally a hash code of the message, encrypted with a secret key. The sender puts his signature on the message to authenticate it. If there are multiple co-signers, each of them signs the message one by one according to priority. However, this is not an efficient way because any co-signer can repudiate. SS schemes can be adopted in such a scenario: the signing key acts as the secret, which is shared among all the co-signers. Each co-signer holds one share, and no one has complete control over the secret. A minimum of \( t \) co-signers need to pool their shares for signing key reconstruction. Thus, the scheme is secure and repudiation is not possible.

In the next section, a hybrid-based VSS scheme is proposed and in the subsequent sections, the results are analysed and compared with the existing VSS schemes.

4 Proposed Algorithm

The proposed scheme works for multiple secrets in a multilevel structured environment (hierarchical organisation). In this, the shareholders are divided into \( z \) levels \( \left( {L_{1} ,L_{2} , \ldots ,L_{Z} } \right) \) with \( L_{1} \) and \( L_{Z} \) as the highest and lowest levels, respectively. Each \( i \)th level is assumed to have \( N_{i} \) shareholders. For example, \( N_{3} = 4 \) implies that there are 4 shareholders at level 3. There is a dealer \( D \) who wants to share \( k \) secrets \( \left( {M_{0} ,M_{1} , \ldots ,M_{k - 1} } \right) \) among the shareholders, and let \( t \) be the threshold of the protocol. The whole protocol is divided into 2 phases: share generation and secret reconstruction. The essential conditions for successful secret reconstruction are:

  • The secret can be reconstructed if there are \( t \) or more valid shares available.

  • The secret cannot be reconstructed if the number of shares is less than \( t \).

Each shareholder keeps \( k + t \) values as their shares which are used to reconstruct \( k \) secrets. The whole algorithm is explained as below:

4.1 Share Generation

Assume there are \( k \) secrets and all are from \( Z_{\text{p}}^{*} \) where \( p \) is a big prime.


Case 1 Intra-Level Secret Sharing

  • \( D \) forms a polynomial \( f(x) \) of a degree \( \left( {t + k - 1} \right) \) from \( Z_{\text{p}}^{*} \), i.e.

    $$ f\left( x \right) = \sum\limits_{i = 0}^{t + k - 1} a_{i} x^{i} \bmod p $$
    (3)

    where \( a_{0} = M_{0}, a_{1} = M_{1}, \ldots, a_{k - 1} = M_{k - 1} \) and \( a_{k}, a_{k + 1}, \ldots, a_{k + t - 1} \) are the private values given by the shareholders to the dealer through a private channel.

  • \( D \) selects an integer \( I_{0} \). For each level, a sequence of pairwise co-prime positive integers is selected and made public. The number of integers at each level equals the number of shareholders at that level, i.e. \( \left( {I_{1}^{i} ,I_{2}^{i} , \ldots ,I_{{N_{i} }}^{i} } \right) \) with \( I_{1}^{i} < I_{2}^{i} < \cdots < I_{{N_{i} }}^{i} \), where \( i = 1,2, \ldots ,z \), and the greatest common divisor (GCD) of \( I_{0} \) with every other selected integer must be 1.

  • \( D \) creates \( t + k \) shares of the polynomial, and for each share \( f(r) \), the dealer forms \( f(r) + \delta_{{x,N_{i} }}^{i} * I_{0} \), where \( \delta_{{x,N_{i} }}^{i} \) is a random value selected by the dealer for share number \( x \) of shareholder \( N_{i} \) at the \( i{\text{th}} \) level, with \( x \) varying from \( 1 \) to \( t + k \). In \( N_{i} \), \( N \) is the number of shareholders at the \( i{\text{th}} \) level. The value \( \delta_{{x,N_{i} }}^{i} \) is different for each level and each share. \( \left( {f(r) + \delta_{{x,N_{i} }}^{i} * I_{0} } \right) \) must satisfy

    $$ \left( I_{N_{i} - t + 2}^{i} \cdot I_{N_{i} - t + 3}^{i} \cdots I_{N_{i}}^{i} \right) < \left( f\left( r \right) + \delta_{x,N_{i}}^{i} \cdot I_{0} \right) < \left( I_{1}^{i} \cdot I_{2}^{i} \cdots I_{t}^{i} \right) $$
    (4)

    This is the threshold range for every level (the product of the \( t - 1 \) largest integers of the level as the lower bound and the product of the \( t \) smallest as the upper bound), and the blinded values must lie in this range; otherwise, the algorithm would be inconsistent, i.e. reconstruction would be possible by combining fewer than \( t \) shares. The value to be shared is \( S_{{x,N_{i} }}^{i} \) (\( S_{{x,N_{i} }}^{i} \) corresponds to share number \( x \) of the shareholder \( N_{i} \) at the \( i{\text{th}} \) level, with \( x \) varying from \( 1 \) to \( t + k \)).

    $$ S_{x,N_{i}}^{i} = \left( f\left( r \right) + \delta_{x,N_{i}}^{i} \cdot I_{0} \right) \bmod I_{N_{i}}^{i} $$
    (5)
  • Before distributing \( S_{{x,N_{i} }}^{i} \), \( D \) computes its hash value, and these values are made public so that everyone can access them. A shareholder accepts a share if and only if its hash value matches the hash value previously published by the dealer, and discards it otherwise. This mechanism checks the dishonesty of the dealer and makes the scheme verifiable. Thus, the dealer is not able to distribute invalid shares.

  • The dealer distributes shares \( S_{{x,N_{i} }}^{i} \). Similarly, \( t + k \) polynomial values are shared among all the shareholders at each level.


Case 2 Inter-Level Secret Sharing

For inter-level SS, \( D \) needs to select another parameter \( I_{{N_{i,j} }}^{i} \), where the shareholder \( N_{i} \) contributes his share to the \( j{\text{th}} \) level for secret reconstruction, with

$$ I_{t}^{j} < I_{N_{i,j}}^{i} < I_{N_{j} - t + 2}^{j} $$
(6)

Then, the dealer computes \( \Delta S_{{x,N_{i,j} }}^{i} \)

$$ \Delta S_{x,N_{i,j}}^{i} = f\left( r \right) + \delta_{x,N_{i}}^{i} \cdot I_{0} - S_{x,N_{i}}^{i} $$
(7)

with a share of the shareholder in inter-level sharing as \( S_{{x,N_{i} }}^{i} + \Delta S_{{x,N_{i,j} }}^{i} \).

4.2 Secret Reconstruction

A system of equations is formed based on the distributed shares. Dealer \( D \) accepts a share only if it is valid, which is verified using the hash value published by \( D \) before. The equations formed are given as:

  • Case 1 Intra-Level Secret Sharing

    $$ \delta_{{x,N_{i} }}^{i} * I_{0} \,\bmod \,I_{{N_{i} }}^{i} $$
    (8)
  • Case 2 Inter-Level Secret Sharing

    $$ \left( S_{x,N_{i}}^{i} + \Delta S_{x,N_{i,j}}^{i} \right) \bmod I_{N_{i},N_{j}}^{i} $$
    (9)

    Using CRT, a unique solution \( X = f(r) + \delta_{x,i} \cdot I_{0} \) is obtained, from which \( f\left( r \right) \) can be reconstructed by

    $$ f\left( r \right) = X \bmod I_{0} $$
    (10)

    After getting all the polynomial shares by CRT, the following equation is used to reconstruct the polynomial

    $$ \begin{aligned} f\left( x \right) & = \sum\limits_{i = 1}^{t} f\left( i \right) \prod\limits_{j = 1, j \ne i}^{t} \frac{x - j}{i - j} \bmod p \\ & = a_{0} + a_{1} \cdot x^{1} + \cdots + a_{k + t - 1} \cdot x^{k + t - 1} \\ \end{aligned} $$
    (11)

    Thus, the authorised set of shareholders reconstructs the \( k \) secrets.

The proposed scheme is demonstrated in Fig. 1 which shows 3 levels with 3 shareholders at each level.

Fig. 1 Proposed algorithm

5 Results and Discussion

5.1 Experimental Results

The proposed scheme described in Sect. 4 is implemented in C/C++ using the GMP (GNU Multiple Precision) and NTL (Number Theory Library) libraries and tested on a 3-GHz third-generation system. GMP is a free multi-precision library which can be used for various types of operations on signed integers, floating point numbers, and rational numbers. The richness of its functions, friendly interface, and free availability make it popular and useful. The limit of precision depends only on the machine, not on the library. Its applications include cryptography, internet security, algebraic number theory, and many more. For better insight, implementation results are presented for small numbers; the algorithm is tested for large numbers as well. For demonstration, shareholders are divided into 3 levels \( \left( {z = 3} \right) \), namely \( L_{1} \), \( L_{2} \), and \( L_{3} \), with 3, 4, and 7 as the number of shareholders at the respective levels, i.e. \( N_{1} = 3 \), \( N_{2} = 4 \), \( N_{3} = 7 \). The threshold (\( t \)) and the prime (\( p \)) considered are 3 and 563, respectively. The number of secrets to be shared is 2 \( \left( {k = 2} \right) \), where \( K_{0} = 3 \) and \( K_{1} = 2 \), and the coefficient values provided by an authorised set of players are 2, 1, 0 (the authorised set used for secret reconstruction comprises 3 players).

  1. Dealer forms the polynomial of degree \( t + k - 1 \) using the above values, i.e.

    $$ f\left( x \right) = 3 + 2*x \, + 2* \, x^{2} + \, 1* \, x^{3} + 0*x^{4} $$
    (12)
  2. Dealer selects \( I_{0} = 863 \), and the sequences of pairwise co-prime integers selected for each level are

    • For level 1: \( I_{1} = 137 \), \( I_{2} = 139 \), \( I_{3} = 250 \), and threshold range for this level is (34750, 4760750)

    • For level 2: \( I_{1} = 293 \), \( I_{2} = 307 \), \( I_{3} = 313 \), \( I_{4} = 319 \), and threshold range for this level is (99847, 28154663)

    • For level 3: \( I_{1} = 229 \), \( I_{2} = 233 \), \( I_{3} = 239 \), \( I_{4} = 241 \), \( I_{5} = 277 \), \( I_{6} = 281 \), \( I_{7} = 283 \), and threshold range for this level is (79523, 12752323)

  3. Dealer creates \( t + k \) shares: \( f\left( 1 \right) = 8 \), \( f\left( 2 \right) = 23 \), \( f\left( 3 \right) = 54 \), \( f\left( 4 \right) = 107 \), \( f\left( 5 \right) = 188 \), and selects a value \( \delta_{x,i} \) for each share and level, which is shown in Table 1.

    Table 1 \( \delta_{x,i} \) values selected by the dealer

Therefore, all 5 shares of the first shareholder at level 1 (modulus 137) are:

$$ \begin{aligned} & \left( 8 + 550 \cdot 863 \right) \bmod 137 = 90 \\ & \left( 23 + 558 \cdot 863 \right) \bmod 137 = 22 \\ & \left( 54 + 510 \cdot 863 \right) \bmod 137 = 3 \\ & \left( 107 + 620 \cdot 863 \right) \bmod 137 = 45 \\ & \left( 188 + 456 \cdot 863 \right) \bmod 137 = 115 \\ \end{aligned} $$
(13)

Similarly, shares of other shareholders are calculated which are shown in Table 2.

Table 2 Shares of shareholders

  • Case 1 Intra-Level Secret Sharing

While recovering the secret at level 2, 3 out of 4 shareholders need to contribute their shares. Say the first 3 take part in the protocol. The following system of equations needs to be solved using CRT:

$$ \begin{aligned} & X = 111 \bmod 293 \\ & X = 144 \bmod 307 \\ & X = 292 \bmod 313 \\ \end{aligned} $$
(14)

This gives \( X = 8 \). In the same way, equations can be formed with other shares of the shareholders and results can be obtained accordingly.

  • Case 2 Inter-Level Secret Sharing

Considering secret reconstruction done at level 3, the first shareholder of each level contributes their share for reconstruction. The dealer selects two values (because 2 out of 3 shares belong to other levels) between 241 and 277 which are co-prime to one another. Say the values are 253 and 263; the following system of equations is formed for secret recovery:

$$ \begin{aligned} & X = \left( 90 + 55 \right) \bmod 253 \\ & X = \left( 111 + 124 \right) \bmod 263 \\ & X = 156 \bmod 229 \\ \end{aligned} $$
(15)

Solving these equations using CRT, we get \( X = 8 \) and similarly other shares are obtained. Further, these values are used in Lagrange’s interpolation to reconstruct the polynomial

$$ f\left( x \right) = 3 + 2*x \, + 2* \, x^{2} + \, 1* \, x^{3} + 0*x^{4} $$
(16)

Thus, the secrets are recovered.
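The intra-level case of Sect. 4 run end to end on the Sect. 5.1 instance, as an added Python example that is not the paper's GMP/NTL implementation; it also covers the Lagrange reconstruction of Sect. 3.1 and the fewer-than-\( t \) argument of Sect. 6.1. Assumed here: SHA-256 over the decimal share string stands in for the unspecified hash \( H \), and the \( \delta \) values are the ones visible in eq. (13), since Table 1 is not reproduced above.

```python
import hashlib
from math import gcd, prod

# Worked instance from Sect. 5.1: p = 563, I_0 = 863, level-1 moduli 137 < 139 < 250,
# t = 3, k = 2, secrets 3 and 2, coefficients 2, 1, 0 contributed by the players.
P, I0, T, K = 563, 863, 3, 2
LEVEL1_MODULI = [137, 139, 250]
COEFFS = [3, 2, 2, 1, 0]                  # a_0 .. a_{t+k-1}, eq. (12)
DELTAS = [550, 558, 510, 620, 456]        # delta_{x,1} for shares x = 1..5, read off eq. (13)


def poly_eval(coeffs, x, p):
    """Horner evaluation of sum a_i x^i mod p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc


def commit(share):
    """Public commitment H(share). SHA-256 is an assumption; the paper fixes no hash."""
    return hashlib.sha256(str(share).encode()).hexdigest()


def threshold_range(moduli, t):
    """Mignotte range of eq. (4): (product of the t-1 largest, product of the t smallest)."""
    m = sorted(moduli)
    return prod(m[len(m) - t + 1:]), prod(m[:t])


def generate_shares(coeffs, p, I0, moduli, t, deltas):
    """Case 1 share generation (Sect. 4.1): shares[j][x-1] for shareholder j, plus the
    public hash commitments in the same layout."""
    if any(gcd(I0, m) != 1 for m in moduli) or any(
            gcd(a, b) != 1 for i, a in enumerate(moduli) for b in moduli[i + 1:]):
        raise ValueError("moduli must be pairwise co-prime and co-prime to I_0")
    low, high = threshold_range(moduli, t)
    shares = [[] for _ in moduli]
    commitments = [[] for _ in moduli]
    for x, delta in enumerate(deltas, start=1):
        X = poly_eval(coeffs, x, p) + delta * I0           # f(x) + delta_{x,i} * I_0
        if not low < X < high:                             # otherwise t-1 shares would suffice
            raise ValueError(f"share {x}: {X} outside threshold range {(low, high)}")
        for j, m in enumerate(moduli):
            s = X % m                                      # eq. (5)
            shares[j].append(s)
            commitments[j].append(commit(s))
    return shares, commitments


def verify_shares(shares, commitments):
    """Hash check applied on receipt and again before reconstruction (Sect. 4.1, 4.2)."""
    return all(commit(s) == c for sh, cm in zip(shares, commitments) for s, c in zip(sh, cm))


def crt(residues, moduli):
    """Chinese remainder theorem by incremental combination; moduli pairwise co-prime."""
    X, M = 0, 1
    for r, m in zip(residues, moduli):
        X += M * (((r - X) * pow(M, -1, m)) % m)
        M *= m
    return X % M


def interpolate(points, p):
    """Lagrange interpolation over Z_p returning every coefficient a_0..a_{d-1} (eq. (11)),
    not only f(0): the secrets are the first k coefficients."""
    d = len(points)
    result = [0] * d
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                nxt = [0] * (len(basis) + 1)               # basis *= (x - xj)
                for deg, c in enumerate(basis):
                    nxt[deg] = (nxt[deg] - c * xj) % p
                    nxt[deg + 1] = (nxt[deg + 1] + c) % p
                basis, denom = nxt, denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for deg, c in enumerate(basis):
            result[deg] = (result[deg] + c * scale) % p
    return result


def reconstruct(sub_moduli, sub_shares, sub_commitments, I0, p, t, k):
    """Case 1 reconstruction (Sect. 4.2): reject invalid shares, CRT per share number,
    strip the blinding with X mod I_0 (eq. (10)), then interpolate. Returns (secrets, coeffs)."""
    if len(sub_moduli) < t:
        raise ValueError("fewer than t shareholders")
    if not verify_shares(sub_shares, sub_commitments):
        raise ValueError("invalid share submitted, reconstruction refused")
    points = [(x + 1, crt([sh[x] for sh in sub_shares], sub_moduli) % I0)
              for x in range(t + k)]
    coeffs = interpolate(points, p)
    return coeffs[:k], coeffs


def demo():
    shares, commitments = generate_shares(COEFFS, P, I0, LEVEL1_MODULI, T, DELTAS)
    secrets, coeffs = reconstruct(LEVEL1_MODULI, shares, commitments, I0, P, T, K)
    # With only t-1 = 2 shareholders, CRT yields X mod (137*139) instead of X, so
    # reducing mod I_0 no longer gives f(1) = 8: the confidentiality argument of Sect. 6.1.
    partial = crt([shares[0][0], shares[1][0]], LEVEL1_MODULI[:2]) % I0
    return shares, secrets, coeffs, partial


if __name__ == "__main__":
    sh, sec, co, part = demo()
    print("shares of shareholder 1:", sh[0])      # [90, 22, 3, 45, 115] as in eq. (13)
    print("secrets:", sec, "polynomial:", co, "f(1) from only 2 shares:", part)
```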

5.2 Application of the Proposed Scheme

The proposed scheme can be advantageous for sharing multiple secrets in a multilevel environment (for organisations having hierarchical structures). Consider an example from the Indian Army: suppose a Colonel holds some secrets (secret keys/passwords) and he is on leave or on a special mission for some days. Practically, it is not advisable to hand over the secrets to a single officer (superior or subordinate). So, he would make shares of the secrets and hand them over to officers of various ranks. He may give some shares (these shares include the shares formed by splitting the multiple secrets to be circulated) to higher rank officers (Lieutenant Colonel or Brigadier) and others to peers or subordinates (Major, Captain and Lieutenant). Now, if an emergency arises for secret reconstruction at Captain level, then only officers at a peer or higher rank can contribute to the reconstruction. The secret is reconstructed, provided the threshold condition is satisfied. This algorithm can also be used when a higher rank officer (say a Colonel) does not want entities or members at lower levels (Major, Captain, and Lieutenant) to recover the secrets on their own without any member of the higher levels. For this, he can set the threshold value higher than the number of entities present at that (lower) level, or alternatively provide more shares to entities at a higher level and fewer shares to entities at lower levels.

6 Security Analysis and Comparison

The proposed work is analysed in this section, and a comparison with some existing schemes is also performed.

6.1 Security Analysis

Traceability An algorithm is said to be traceable when it is possible to find out whether any participant has submitted an invalid or fake share during the reconstruction phase.

Proof Let \( f\left( i \right) \) be the original valid share and \( f^{\prime } \left( i \right) \) be the fake or invalid share. If any participant sends \( f^{\prime } \left( i \right) \) to the dealer instead of \( f\left( i \right) \), then the dealer does not accept the share because

$$ H\left( {f\left( i \right)} \right) \, \ne \, H\left( {f^{\prime } \left( i \right)} \right) $$
(17)

Here, \( H \) is a one-way hash function, and it is computationally infeasible to find two values that result in the same hash value. Thus, the algorithm is traceable.

Robustness A scheme is said to be robust if all the secrets can be recovered by pooling \( t \) or more shares. The use of Lagrange interpolation makes the scheme robust: any \( t \) honest players can unlock the shared secret.

Confidentiality A scheme holds confidentiality if even \( t - 1 \) players are not able to reveal the secret. Assume \( t - 1 \) participants are available for secret recovery and the product of their moduli is \( X^{\prime } \). These \( t - 1 \) shareholders use CRT to recover a secret. Suppose they obtain a value \( S^{\prime } \). The relation between the original secret and the recovered value is

$$ S = S^{\prime } + \delta \cdot X^{\prime } $$
(18)

Here, \( S \) is the original secret. Predicting the correct value of \( \delta \) to reach the original secret is very difficult, since every choice of \( \delta \) yields a candidate in the threshold range. Thus, even with \( t - 1 \) shares, the scheme does not leak any information about the secret.

Consistency An algorithm is consistent if any set of valid shares of the secret reveals the same secret. In the proposed algorithm, consistency is achieved through Lagrange’s interpolation, and whether a share is valid or not is verified through the one-way hash function.

Dealer Leakage Resilient (DLR) A dealer is said to be dishonest if he subliminally leaks information in the valid shares. This dishonest strategy allows the dealer to preserve consistency in the system while helping an attacker to unlock the secret from the leaked information before the reconstruction phase. The system exhibits the DLR-VSS property if the attacker does not gain information about the secret before the reconstruction phase.

Proof The DLR-VSS property is achieved by taking the power of randomness away from the dealer. The dealer does not have the capability of injecting randomness into the system. Consequently, the dealer is no longer able to hide information, because no value is selected by his own choice.

Salted Hashing can be used in place of simple hashing. In salted hashing, a random number, referred to as the salt, is added to the share before applying the one-way hash function. Salted hashing ensures that two identical shares do not yield the same hash code. However, only the dealer can then verify the shares submitted by the shareholders; it is assumed that the dealer is honest and is not distributing invalid shares. When the hashes are randomised, rainbow tables, lookup tables, and reverse lookup tables are no longer an effective tool: the pre-computation of a rainbow or lookup table requires the salt to be known in advance, which is not possible.

Another possibility is to use salted hashing while still allowing verification from both ends, i.e. shareholders can verify shares before accepting them from the dealer, and the dealer can also verify shares before accepting them from the shareholders before the reconstruction phase. This can be achieved by treating the salt (the random number) as one of the secrets: the constant term of the polynomial will be the salt, and the degree of the polynomial becomes \( t + k \).

Knowledge of Number of Shares If \( t \) and \( k \) are not publicly known values, then it is desirable that the adversary must not get any information about the secrets (in the case of multi-secret schemes) just by looking at the number of shares of each shareholder. This property is achieved by distributing \( t + k \) shares instead of \( k \) shares, and \( t \) and \( k \) are kept secret, so the adversary is not able to learn these values. Table 3 shows the comparison of the schemes [7, 25, 26, 47,49,50] by security assumptions. The acronyms R, C, V, and T stand for robustness, confidentiality, consistency, and traceability, respectively.

Table 3 Comparisons through security property

Table 3 shows that the proposed approach satisfies all the properties (R, C, V, and T) of VSS schemes. Therefore, it is confirmed that the scheme is verifiable.

In Table 4, the proposed algorithm is compared with other schemes [7, 25, 26, 47, 48, 50] by communication cost over secure and insecure channels. Communication cost over secure channels is analysed separately for share distribution and share reconstruction. Here, \( n \), \( t \), and \( C \), respectively, denote the number of shareholders, the threshold, and a constant. Communication cost over secure and insecure channels is calculated using \( p \) (1024 bits), \( q \) (1024 bits), and \( N = p*q \) (1184 bits). In addition to communication cost, the security assumptions of the different schemes are also analysed.

Table 4 Comparison through communication cost

In [7], the variables \( n_{1} \), \( n_{2} \), and \( n_{3} \) denote the numbers of shareholders at different levels, where \( z \) is the total number of levels. This scheme is a multilevel secret sharing scheme and uses the Chinese remainder theorem. Consider \( z \) levels. For each level, the dealer publishes a sequence of co-prime numbers, equal in count to the number of shareholders at that level, each of 1024 bits. This adds a communication cost of \( 1024\left( {n_{1} + n_{2} + \cdots + n_{z} } \right) \) bits over insecure channels. The dealer computes shares for \( n \) shareholders and distributes them; each share is 1024 bits, which makes the communication cost over the secure channel \( 1024*n \) bits. Then, \( t \) shareholders collaborate to reconstruct the secret, so the communication cost for reconstruction is \( 1024*t \) bits.

In [47], each participant selects his secret shadow of 1184 bits and sends it to the dealer through a secure channel, which makes the communication cost over the secure channel \( 1184\,n \) bits. There are two possible cases. In the first case, \( t > k \), the dealer forms a polynomial of degree \( (t - 1) \). He creates shares of the polynomial of 160 bits each and publishes them \( (160*\,n) \). The dealer computes \( t \) values of 1024 bits that are used in the verification phase and publishes them \( (1024*\,t) \). \( t \) shares of 160 bits each are pooled to recover the secret, which makes the cost of reconstruction \( 160*\,t \). The second case arises when \( t < k \). This time the dealer forms a polynomial of degree \( (k - 1) \). He creates shares of the polynomial of 160 bits each and publishes them \( (160*\,n) \). The dealer computes \( t \) values of 1024 bits that are used in the verification phase and publishes them \( (1024*\,t) \). \( k \) shares of 160 bits each are pooled to recover the secret, which makes the cost of reconstruction \( 160*\,k \) in the second scenario.

In [48], a multi-secret sharing scheme, each participant selects his secret shadow of 1184 bits and sends it to the dealer through a secure channel, which makes the communication cost over the secure channel \( 1184\,*n \) bits. After some computation, the dealer publishes a value of 1024 bits for each participant, which adds \( 1024\,*n \) bits to the communication cost over insecure (public) channels; then the dealer uses the public channel to distribute shares of 160 bits to each shareholder \( (160*\,n) \). \( t \) or \( k \) shareholders submit their shares for secret reconstruction. Thus, the reconstruction cost becomes \( 160*\,t \) if the number of secrets is less than the threshold, and \( 160*\,k \) if the number of secrets is more than the threshold.

In [25], there are \( k \) secrets to be shared, and there are two cases. In the first case, \( t > k \), the dealer forms 2 polynomials of degree \( (t - 1) \). One is used to generate shares of the multiple secrets, and the other is used in the verification phase. The dealer computes \( n \) shares of 160 bits each for each polynomial and sends them via a secure channel to each shareholder, which makes the communication cost over the secure channel \( (2n*160) \) bits. Then, he publishes (over the insecure channel) one hash code for the two shares, of constant length \( C \), which adds \( C*\,n \) to the communication cost over insecure channels. In the reconstruction phase, the combiner/dealer combines \( t \) out of \( n \) shares of 160 bits each of the first polynomial to recover the secret, which adds a communication cost of \( 160*\,t \) over the secure channel. In the second case, \( t < k \), the dealer forms polynomials of degree \( (k - 1) \), and the communication cost for the reconstruction of the secrets is \( 160*\,k \).

In [49], also a multi-secret sharing scheme, participants select their secret shadows of 1184 bits and send them to the dealer via an insecure channel, which leads to a cost of \( 1184*\,n \). The dealer publishes \( n \) values of 1184 bits \( (1184*\,n) \), which are used for verification. The dealer computes shares of 160 bits for the shareholders, which are also published, making the communication cost over the insecure channel \( 160*\,n \) bits. Then, \( t \) or \( k \) shares are combined to reconstruct the secrets, depending on the value of \( k \). Thus, the communication cost in the reconstruction phase is \( 160*t \) or \( 160*k \) bits over the secure channel.

Scheme [26] is a multi-secret sharing scheme which uses hashing for verification. The dealer sends a private value of 160 bits to each shareholder via a secure channel, which makes the communication cost over the secure channel \( 160*n \) bits. He publishes \( k \) shares of 160 bits each \( (160*n*k) \) and their hash codes of constant length \( (C*n*k) \) for each participant. Then, \( t \) shares of each of the \( k \) secrets are combined for the reconstruction, which makes the cost of reconstruction \( 160*k*t \).

In [50], each of the \( n \) shareholders sends 2 private values of 160 bits each via a secure channel, used to form 2 polynomials, which makes the cost over the secure channel \( 2n*160 \). Then, the dealer generates and publishes (over the insecure channel) a commitment value of 1024 bits for each of the \( 2n \) values, which leads to a cost of \( 2n*1024 \) over the insecure channel. Now, the dealer forms 2 polynomials, each of degree \( t - 1 \). After this, the dealer computes \( n \) shares from each polynomial and publishes them. This adds \( 2n*1024 \) bits to the communication cost over the insecure channel. In the reconstruction phase, the combiner/dealer combines \( t \) out of \( n \) shares of 1024 bits each to recover the secret, which adds a communication cost of \( 2t*1024 \) over the secure channel.

In the proposed algorithm (a multilevel and multiple secret SS scheme), \( z \) levels are considered with \( n_{i} \) shareholders at each level (\( i \) varying from 1 to \( z \)). The dealer forms a polynomial of degree \( t + k \) and, for each level, publishes a sequence of co-prime numbers equal in count to the number of shareholders at that level \( \left( {\left( {n_{1} + n_{2} + \cdots + n_{z} } \right)*160\,{\text{bit}}} \right) \). Each shareholder sends a private value to the dealer through a secure channel, which adds \( \left( {160*n} \right) \) bits to the communication cost. The dealer forms \( t + k \) shares of this polynomial and creates shares of the polynomial using CRT; these shares, which are of 160 bits each, are distributed via a secure channel to the shareholders \( \left( {160*\left( {t + k} \right)*\left( {n_{1} + n_{2} + \cdots + n_{z} } \right)} \right) \). He also publishes the hash codes \( \left( {C*\left( {n_{1} + n_{2} + \cdots + n_{z} } \right)} \right) \) of all the shares for verification. In the reconstruction phase, \( t*k \) shares are used, which makes the reconstruction cost \( 160*t*k \) bits.

Table 5 shows the comparison of our scheme with other schemes [7, 25, 26, 50, 51] concerning various parameters mentioned in the table. Some of the properties are explained below:

Table 5 Comparison through various parameters

  • The scheme is multi-use if the shares of the participants are different for different secrets.

  • The algorithm can resist a conspiracy attack if \( t - 1 \) corrupt shareholders cannot unlock the secret. A conspiracy-resistant scheme ensures that the reconstruction of a recovered secret does not give information about open secrets.

  • Secretly Embedded Trapdoor with Universal Protection (SETUP) is a technique in which an attacker breaks the security of the system and secret information is leaked, but the other parties of the protocol are not able to detect this malicious behaviour. Not all VSS schemes are SETUP resilient.

  • The scheme is unconditionally secure if its security does not depend on any mathematical construct; it is said to be secure even if the adversary has unbounded computational power.

7 Conclusion and Future Directions

SS is an important sphere of Information Security and is attracting a lot of research interest these days. The primary objective is to develop efficient schemes that are secure and can be deployed practically. In this context, a hybrid VSS scheme is proposed in this paper which can be used to share multiple secrets in a multilevel environment. A single run of the scheme can share multiple secrets at different levels. The proposed algorithm satisfies all the requirements of VSS (Table 5), and the scheme is computationally efficient too (Table 4). The scheme also exhibits the property of dealer leakage resilience, which is achieved by restricting the dealer from employing randomness. Consequently, the dealer is not able to hide secret information in the shares of the shareholders. So, the proposed scheme can work in an environment where dealers and/or shareholders are not honest and also where they are not mutually trusted. Some promising future work directions are to find a method in which each level or layer can have a different threshold instead of a global threshold, and to find a way to distribute one master share instead of multiple shares for multiple secrets.