Abstract

Robust secret sharing (RSS) is an extension of secret sharing in which the secret can be reconstructed correctly even if some of the shares are incorrect. Existing schemes do not effectively achieve fairness. Moreover, even in an optimal scheme, RSS still has the problem that each party is verified by many other parties, which leads to expensive communication. In this work, we construct a blockchain-aided RSS scheme that ensures decentralization and fairness. The central building block that lets our scheme handle a rushing adversary is a bulletin board that we implement on the InterPlanetary File System (IPFS). Furthermore, we design a monetary penalty mechanism that imposes real penalties on corrupt parties: each participant either uploads his share correctly or loses his deposit. In addition, our scheme eliminates a considerable amount of communication between participants. Compared with previous schemes, our scheme has a lower communication complexity, close to . We conduct experiments to show the performance of our scheme. To our knowledge, this is the first implementation of a fair RSS scheme. For shares with a length of 128 bits, the time for each participant to execute the verification phase is 470 ms.

1. Introduction

Secret sharing was introduced by the seminal works of Shamir [1] and Blakley [2]; robust secret sharing (RSS) extends it. In a -out-of- RSS scheme, a dealer splits the secret into shares and sends one share to each of the participants. The secret can still be reconstructed successfully even if some shares are incorrect, whether through natural damage or because an adversary corrupted them. Robust secret sharing is widely used in practical scenarios, such as the following: (1) data storage: users store their data on multiple cloud servers, and the privacy and integrity of these data cannot be damaged even if up to clouds collude; (2) secure communication: when users send data over a communication network, the security and integrity of the users' data are still guaranteed even if up to communication channels are controlled by an adversary.

Recently, research on the share size has made great progress, and the best known share size is close to . However, existing RSS schemes either require a trusted third party or require multiple rounds of interaction in the reconstruction phase, which causes expensive communication. In addition, previous RSS schemes cannot impose practical penalties on corrupt parties and cannot effectively achieve fairness. In this study, we address the problems of centralization and fairness, and we improve the communication complexity to .

1.1. Related Work

Secret sharing was introduced by Shamir [1] and Blakley [2]. Many works consider stronger notions built on secret sharing, such as hierarchical secret sharing and threshold secret sharing [3–13]. Rabin et al. [14] first proposed the concept of robust secret sharing in 1989. In a robust secret sharing scheme, the number of corrupt parties is less than half of all participants; therefore, the maximum corruption in an RSS scheme is set to . The failure probability of the reconstruction is negligible when the relationship between and becomes [15]. In 1997, Carlo et al. [16] analysed the lower bound of the share size and the probability of deception in an RSS scheme.

Fehr [15] proposed an RSS scheme and proved that the average bit length of a share is lower-bounded by the bit length of the secret. Compared with [14], the scheme improves the message authentication code (MAC) algorithm to reduce the share size to ; the MAC can verify the correctness of shares, but the scheme cannot withstand a rushing adversary. To solve this problem, Cevallos et al. [17] constructed a new RSS scheme that remains secure against a rushing adversary, with a share size close to that of [15]. However, each participant needs to verify the shares of all other participants, which causes a high communication cost during the reconstruction phase. In addition, [17] shortens the tag of the message authentication code; consequently, the probability that colluding corrupt parties pass the MAC verification is not negligible.

Later, Bishop et al. [18] designed an essentially optimal RSS scheme with share size . The scheme reconstructs the secret successfully even under maximum corruption. Its reconstruction phase is built on a graph algorithm (the minimum-graph idea) that classifies participants as good or bad and eventually collects the shares of all good participants. Bishop et al. thereby eliminated the linear dependence of the share size on the number of participants. However, the scheme cannot withstand a rushing adversary, who can choose incorrect authentication keys freely. Fehr and Yuan [19] proposed a new scheme that withstands a rushing adversary, with share size close to . Participants submit shares in multiple rounds, which limits the relationship between correct and incorrect shares. Unlike [18], participants do not need an authentication key; each participant verifies whether his neighbour is good or bad, and the algorithm eventually outputs a set containing the shares of all good participants, so that Reed–Solomon decoding has enough redundancy to reconstruct the secret efficiently. However, the algorithm succeeds with high probability only if it starts from an honest party. In 2020, Fehr and Yuan [20] designed a new scheme that has optimal share size, is secure against rushing adversaries, and runs in polynomial time.

Regarding the share size, Bishop et al. [21] introduced a nearly optimal scheme that reduces the share size to . In short, the scheme first protects the original secret with an algebraic manipulation detection (AMD) code [22]. The algorithm outputs a short list containing the correct keys, which lets the reconstruction phase efficiently identify erroneous messages. The scheme then uses folded Reed–Solomon codes [23] as its error-correcting code; compared with ordinary Reed–Solomon codes, folded Reed–Solomon codes can be decoded efficiently from more errors. Unfortunately, the scheme cannot withstand a rushing adversary. Manurangsi et al. [24] presented a new scheme that withstands a rushing adversary and further reduces the share size to . Its reconstruction phase has two rounds. In the first round, each participant publishes his share. In the second round, the scheme uses a private MAC to verify whether each party has changed his share: a party who did not modify his share is labelled good, otherwise bad. The reconstruction phase eventually outputs the set of all good parties, and a fixed-point recognition algorithm makes the second round more efficient. Finally, the participants use this set to reconstruct the secret locally. However, each party is still verified by multiple parties, which causes high communication costs.

We summarize the above schemes, as shown in Table 1. The above schemes either cannot provide security against rushing adversaries or have higher communication complexity. In addition, none of the above schemes can effectively achieve fairness.

1.2. Contribution

In this study, we construct a decentralized and fair RSS scheme based on smart contracts; the share size of our scheme is close to . The flow of the scheme is shown in Figure 1, and the main contributions are as follows.

1.2.1. The Scheme Is Secure against Rushing Adversaries

We implement a bulletin board on the InterPlanetary File System (IPFS) that publishes the MAC tags of all shares before the reconstruction phase. Because a published tag cannot be changed afterwards, the scheme can easily detect whether a party has changed his share.

1.2.2. The Scheme Can Guarantee Fairness in Malicious Model

We implement a monetary penalty mechanism that imposes real penalties on corrupt parties: each participant either uploads his share correctly or loses his deposit. This motivates all parties to behave honestly and ensures the fairness of our scheme.

1.2.3. The Communication Complexity of This Scheme Is Close to

We design a smart contract that collects, verifies, and broadcasts shares. Compared with the scheme of [19] (Eurocrypt 2019), our scheme has lower communication complexity.

1.2.4. This Is the First Implementation of a Fair RSS Scheme

We demonstrate the implementation of a fair and decentralized RSS scheme using the blockchain. For shares with a length of 128 bits, the time for each participant to run the verification phase is 470 ms.

1.3. Roadmap

The study is organized as follows. Section 2 introduces the preliminaries: message authentication codes, Reed–Solomon codes, the InterPlanetary File System, and Ethereum. Section 3 introduces our smart contract model, and Section 4 introduces our protocol. We give the security proof of the protocol in Section 5 and report our experiments in Section 6. Finally, we present our conclusion in Section 7.

2. Preliminaries

2.1. Message Authentication Code

A message authentication code (MAC) guarantees the integrity of a message and detects whether anyone has tampered with it. Unconditionally secure MACs were introduced by Carter and Wegman [25], and the definition is as follows.

Definition 1. A message authentication code for a finite message space consists of a specific function . The MAC is secure if and only if, for any and , any and , and a negligible function , the following holds:

The MAC used in this study is the key-dependent hash-based message authentication code (HMAC). Regarding the security of HMAC, various attacks have been tried against it, such as collision attacks and length-extension attacks, none of which succeed. Later, [26] gave a rigorous security proof for HMAC that ties its security to that of the underlying hash function: if HMAC could be broken, the underlying hash function would also be broken. Theoretically, therefore, the security of HMAC is established. Note that HMAC is computationally secure rather than unconditionally secure in the sense of Definition 1; its guarantees rest on the strength of the underlying hash function.

2.2. Reed–Solomon Code

A Reed–Solomon code is a polynomial code: it relies on the algebraic fact that any points determine a unique polynomial of degree . First, the sender has a message . There is a polynomial of degree over a finite field, constructed from data points. picks values at random. The polynomial encodes each data point by the corresponding value of the polynomial, such as . sends these values to the receiver , but some of them may be corrupted during transmission. Therefore, additional data points, called redundant codes, are added; the total number of data points that sends to is . decodes after receiving these data points, and can compute the polynomial and recover the raw data as long as it receives a sufficient number of correct values. There are many decoding methods for Reed–Solomon codes, among which the Berlekamp–Welch algorithm [27] can efficiently reconstruct the polynomial from . The error-correction capability of this algorithm is determined by the minimum Hamming distance . The algorithm can correct errors if the locations of the erroneous values are not known before decoding, and errors if they are known (erasures). Later, Gao [28] used the fast Fourier transform (FFT) to greatly improve decoding efficiency without reducing the error-correction capability.
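The following is an added example, not code from the paper: Shamir sharing over a prime field together with Berlekamp–Welch decoding, which is the robust-reconstruction step the scheme relies on once wrong shares have been admitted. It assumes the field GF(p) with the Mersenne prime p = 2^127 − 1 (so shares are 128-bit values, as in the experiments), the n = 2t + 1 setting of Theorem 1, and the helper names `share`, `reconstruct`, `_solve` and `_divide`, all of which are ours. With n = 2t + 1 shares of a degree-t polynomial, unique decoding corrects at most e = (n − t − 1)/2 = t/2 wrong shares, which is why the verification phase must reject the remaining forged shares.

```python
"""Shamir sharing with Berlekamp-Welch robust decoding over GF(p).

Added example (not from the paper): n = 2t+1 shares of a degree-t
polynomial; unique decoding corrects e <= (n - t - 1)//2 wrong shares.
"""
import secrets

P = 2**127 - 1  # Mersenne prime; field elements (shares) fit in 128 bits (assumption)


def share(secret, t, n):
    """Split `secret` into n shares (x, f(x)) of a random degree-t polynomial f with f(0) = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    return [(x, sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P) for x in range(1, n + 1)]


def _solve(rows, ncols):
    """Gauss-Jordan elimination over GF(P) on augmented rows [a_0 .. a_{ncols-1} | b].
    Returns one solution (free variables set to 0) or None if the system is inconsistent."""
    rows = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = pow(rows[r][c], P - 2, P)
        rows[r] = [v * inv % P for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in rows[r:]):  # a row 0 = nonzero: more errors than e
        return None
    sol = [0] * ncols
    for i, c in enumerate(pivots):
        sol[c] = rows[i][-1]
    return sol


def _divide(q, e):
    """Divide polynomial q by monic polynomial e (coefficient lists, lowest degree first).
    Returns (quotient, remainder_is_zero)."""
    q = q[:]
    out = [0] * (len(q) - len(e) + 1)
    for k in range(len(out) - 1, -1, -1):
        coef = q[k + len(e) - 1]
        out[k] = coef
        for j, ev in enumerate(e):
            q[k + j] = (q[k + j] - coef * ev) % P
    return out, not any(q[: len(e) - 1])


def reconstruct(points, t):
    """Berlekamp-Welch: recover f(0) from points (x, y) of which at most
    e = (len(points) - t - 1)//2 are wrong. Unknowns are E_0..E_{e-1} (E monic
    of degree e, vanishing at the error positions) and Q_0..Q_{e+t}, subject to
    Q(x) = y * E(x) at every point; then Q = f * E. Returns None on failure."""
    n = len(points)
    e = (n - t - 1) // 2
    rows = []
    for x, y in points:
        xp = [pow(x, k, P) for k in range(e + t + 1)]
        rows.append([(-y * xp[j]) % P for j in range(e)] + xp + [y * xp[e] % P])
    sol = _solve(rows, 2 * e + t + 1)
    if sol is None:
        return None
    E, Q = sol[:e] + [1], sol[e:]
    f, exact = _divide(Q, E)
    return f[0] if exact else None


if __name__ == "__main__":
    t, n = 4, 9
    shares = share(123456789, t, n)
    # two corrupted shares (x = 2 and x = 7) out of nine: within the e = 2 correction capacity
    corrupted = [(x, (y + 1) % P) if x in (2, 7) else (x, y) for x, y in shares]
    print(reconstruct(corrupted, t))  # 123456789
```

The consistency check in `_solve` and the exact-division check in `reconstruct` are what distinguishes "decoded" from "decoded into garbage": if more than e shares are wrong, the linear system can become inconsistent or Q/E can have a nonzero remainder, and the decoder should report failure rather than return a plausible-looking secret.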

2.3. Blockchain

The blockchain, first proposed by Satoshi Nakamoto, is a distributed shared ledger and database that stores an ever-growing, unmodifiable list of records. These records are called blocks, and each block is linked to the previous one. Recently, business models based on the blockchain have developed rapidly, and researchers are exploring them in different fields, such as energy and physical products [29]. The development of the blockchain has made smart contracts possible. Blockchain-based smart contracts are computer programs executed and replicated by many nodes; their execution is traceable and their code is immutable once deployed. Because every node executes every operation and each operation costs gas, a smart contract must be designed to be as cheap as possible. To let smart contracts run more complex algorithms, off-chain smart contract frameworks are being developed [30].

2.4. InterPlanetary File System

The InterPlanetary File System (IPFS) is a distributed network transport protocol for storing and sharing files. A user uploads a file to an IPFS node and obtains a hash value ; other users can use to download the file directly from the IPFS network. In [31], Benet describes IPFS as combining distributed hash tables, BitTorrent, Git, self-certifying file systems, and the blockchain to store and transfer files. These systems give IPFS the following characteristics:
(i) Decentralized storage of documents (a document remains available as long as at least one node keeps, i.e. pins, it).
(ii) Users can find a stored file by its hash value, and a file with different content has a different hash.
(iii) The document modification history can be traced.

These characteristics give IPFS great potential in cryptography. Compared with the blockchain, IPFS has a large advantage in storing large files. In this study, we implement a bulletin board on IPFS that contains the tags of all participants' shares, so that a corrupt party cannot cheat on the tags. Meanwhile, the share size is reduced to .

2.5. Security Model

Existing secure multiparty computation (MPC) protocols require a security proof. In this study, the real/ideal paradigm is used as the security model. Its precise definition was given in [32]: in the ideal world there is a trusted third party that communicates securely with the participants and runs the protocol honestly. The scheme is secure if the participants' outputs and views in the real model are indistinguishable from those in the ideal model. The exact definition of the model is as follows:
(i) Real world: in the real world, the honest parties run the scheme correctly. There is a malicious adversary that can corrupt any participants. All messages from the corrupt parties are determined by the adversary . In addition, can interact with at will to obtain useful information. The inputs generated by the participants are sent to directly, and the output of is returned to . Finally, outputs as the output of the real world.
(ii) Ideal world: in the ideal world, there is a trusted third party that receives the inputs from the participants and computes the function safely. A simulator extracts the behaviour of the adversary and receives the inputs of the honest parties in the real world. The inputs generated by are sent to the function directly, and the output of the function is returned to . Finally, outputs as the output of the ideal world.

3. The Smart Contract Model

This section describes the smart contract model we designed, including the time points, the function of each module, and the transaction process of the smart contract, as shown in Figure 2.

The reconstruction scheme consists of two phases: the submission phase and the verification phase. Participants submit in two rounds during the submission phase, which limits the relationship between correct and incorrect shares. The verification phase includes tag verification and MAC verification: tag verification checks whether the submitted tag is correct, and MAC verification checks whether the share has been changed. We define the following time points:
(1) Registration deadline: all participants must pay the deposit and register their eligibility to participate in the smart contract before this time point. If a participant does not pay the deposit in time, the scheme is terminated.
(2) First-round deadline: each participant must upload his first-round share to the smart contract before this time point. If he does not upload it within the specified time, his deposit is deducted.
(3) Second-round deadline: each participant must upload his second-round share to the smart contract before this time point. If he does not upload it within the specified time, his deposit is deducted.

The description of every phase is as follows.

3.1. Initialization

(1) Each participant holds his own share and cannot access the others' shares.
(2) The smart contract defines a deposit . The value of the deposit is greater than the value of the secret .
(3) Each participant pays the deposit, registers to participate in the smart contract, and waits until he finds the transaction in the blockchain.

3.2. Submission Phase

(1) Round 1: the smart contract broadcasts the transaction address of the first round. Each participant submits his share, and the smart contract stores the share together with the address of the participant.
(2) Round 2: the smart contract broadcasts the transaction address of the second round. Each participant submits his second-round share, and the smart contract stores it together with the address of the participant.
(3) All participants wait for the smart contract to broadcast the transaction addresses of the two rounds.
(4) If the transaction addresses of the two rounds do not appear in the blockchain before the first-round and second-round deadlines, respectively, the smart contract refunds the deposit.

3.3. Verification Phase

(1) RSC tag verification: the smart contract broadcasts the transaction address and verifies whether the submitted tag is in the bulletin board.
(2) RSC MAC verification: the smart contract broadcasts the transaction address and verifies whether the MAC relation between the submitted share and the tag holds.

3.4. Broadcast and Refund Phase

After the verification phase, the smart contract obtains the set of accepted parties, which contains all honest parties and all passive corrupt parties.

The smart contract broadcasts the transaction address of this set. Each participant can use the transaction address to query the transaction. Meanwhile, the smart contract broadcasts the correct shares and returns the deposit to every party in the set.
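The following is an added example, not the paper's Solidity contract, modelling the contract-side flow of Sections 3.1 to 3.4 in Python. It assumes (our choices, not stated on the page) that the dealer holds one HMAC key per party and publishes the per-party tags as the bulletin board, that the first-round submission is the share and the second-round submission is the key together with the tag, that the contract checks the tag against the board entry for that party before checking the MAC, and that deadlines are block heights. The names `mac`, `dealer_setup`, `ReconstructionContract` and `run_example` are ours. The example also shows the rushing case: party 4 reads the shares already stored in round 1 before choosing its own, yet cannot produce a key that binds the modified share to the tag fixed on the board, so it is excluded and forfeits its deposit.

```python
"""Model of the contract-side reconstruction flow of Section 3.

Added example (not the paper's Solidity contract): a dealer publishes
HMAC tags of all shares on a bulletin board, parties register with a
deposit and submit in two rounds, and the contract keeps the deposit of
every party whose submission fails tag or MAC verification.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 16  # 128-bit tags, matching the paper's security parameter


def mac(key, share):
    """HMAC-SHA256 over a share (assumed to be a 128-bit field element), truncated to TAG_LEN bytes."""
    return hmac.new(key, share.to_bytes(16, "big"), hashlib.sha256).digest()[:TAG_LEN]


def dealer_setup(shares):
    """Dealer side (assumption): one HMAC key and tag per party, plus the bulletin board
    of all tags. `board_cid` stands in for the IPFS hash that fixes the board's content."""
    keys = [secrets.token_bytes(16) for _ in shares]
    board = tuple(mac(k, s) for k, s in zip(keys, shares))
    board_cid = hashlib.sha256(b"".join(board)).hexdigest()
    private_inputs = [(s, k, tg) for s, k, tg in zip(shares, keys, board)]
    return private_inputs, board, board_cid


class ReconstructionContract:
    """Stand-in for the on-chain contract. Deadlines are block heights:
    register before t1, round 1 in [t1, t2), round 2 in [t2, t3), finalize at t3 or later."""

    def __init__(self, n, deposit, board, t1, t2, t3):
        self.n, self.deposit, self.board = n, deposit, board
        self.t1, self.t2, self.t3 = t1, t2, t3
        self.registered = {}  # pid -> deposit held
        self.round1 = {}      # pid -> share (public once stored: a rushing party can read it)
        self.round2 = {}      # pid -> (key, tag)

    def register(self, pid, amount, now):
        if now >= self.t1 or amount < self.deposit or pid in self.registered:
            return False
        self.registered[pid] = amount
        return True

    def submit_share(self, pid, share, now):
        if pid not in self.registered or not self.t1 <= now < self.t2 or pid in self.round1:
            return False
        self.round1[pid] = share
        return True

    def submit_key(self, pid, key, tag, now):
        if pid not in self.round1 or not self.t2 <= now < self.t3 or pid in self.round2:
            return False
        self.round2[pid] = (key, tag)
        return True

    def finalize(self, now):
        """Returns (accepted parties, their shares, refunds, forfeited) once t3 is reached,
        or None before that. If not every party registered before t1, the run is aborted
        and all deposits are refunded (assumed reading of the termination rule)."""
        if now < self.t3:
            return None
        if len(self.registered) < self.n:
            return [], {}, dict(self.registered), []
        good, shares, refunds, forfeited = [], {}, {}, []
        for pid in sorted(self.registered):
            share, kt = self.round1.get(pid), self.round2.get(pid)
            ok = share is not None and kt is not None
            if ok:
                key, tag = kt
                ok = tag == self.board[pid]                            # tag verification
                ok = ok and hmac.compare_digest(mac(key, share), tag)  # MAC verification
            if ok:
                good.append(pid)
                shares[pid] = share
                refunds[pid] = self.registered[pid]
            else:
                forfeited.append(pid)  # missed a deadline, wrong tag, or modified share
        return good, shares, refunds, forfeited


def run_example():
    """Five parties: 0-2 honest, 3 passively corrupt (submits correctly),
    4 actively corrupt and rushing (rewrites its share after reading the others')."""
    shares = [secrets.randbelow(2**127 - 1) for _ in range(5)]  # constructed sample shares
    inputs, board, _cid = dealer_setup(shares)
    c = ReconstructionContract(n=5, deposit=100, board=board, t1=10, t2=20, t3=30)
    for pid in range(5):
        c.register(pid, 100, now=5)
    for pid in range(4):
        c.submit_share(pid, inputs[pid][0], now=15)
    seen = dict(c.round1)  # the rushing adversary reads the honest round-1 shares first
    forged = (inputs[4][0] + sum(seen.values())) % (2**127 - 1)
    c.submit_share(4, forged, now=16)
    for pid in range(5):
        _s, key, tag = inputs[pid]
        c.submit_key(pid, key, tag, now=25)  # party 4 holds no key that MACs `forged` to its board tag
    return c.finalize(now=30)
```

In a real deployment the board's content identifier would be recorded on chain before the registration deadline; what makes the adversary's position hopeless is not that IPFS data cannot be edited but that any edited board has a different identifier than the one the contract checks against.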

4. The Robust Secret Sharing Scheme

4.1. The Construction

Let be an arbitrary positive integer and . The scheme randomly selects interpolation points in a field , and . In addition, we use an HMAC algorithm with secret key . Assume that the adversary can obtain a profit worth by breaking the RSS. The detailed steps of the RSS scheme are shown in Figure 3.

4.2. Analysis of the Construction

In the malicious model, adversaries may collude to pass the MAC verification of the protocol with wrong shares, which prevents the RSS from reconstructing the secret. In this section, we use the Chernoff bound [33] to prove that the probability of this event is small.

We define a set that contains all corrupt parties and distinguish two types of corrupt parties. Active corrupt parties provide wrong shares and are represented by the set with . Passive corrupt parties provide correct shares and are represented by the set with . Obviously, .

In the case of , even if all active corrupt parties pass MAC verification, the Reed–Solomon decoding algorithm can still reconstruct the correct secret, so we do not consider this situation. We only consider the case of .

Let be a random variable and . By Markov's inequality [34], we have the following:
where . We compute the Taylor expansion of , assuming it converges:

Information about the distribution of is encoded by its moment generating function . We bound the moment generating function of each variable to derive the Chernoff bound.

Lemma 1. Given independent random variables , where , then:

Proof. Before deriving the Chernoff bound, we use a Bernoulli trial to establish the following lemma.

Lemma 2. Given a random variable with and , then

Proof. Here , and then:
From Lemmas 1 and 2, we derive the Chernoff bound.

Corollary 1. Given independent random variables , and , where and , then:

Proof. Let . Applying (2), we obtain the following:
When , we have the following:
Taking the logarithm of , we obtain the following:
For any , there is , and then:

Theorem 1. For any positive integer t, any positive integer n = 2t + 1, and any HMAC, the (n, t) robust secret sharing scheme fails with only a small probability:

Proof. Consider the corrupt parties as random variables . If passes HMAC verification, ; otherwise, . . We obtain the following:
Applying Corollary 1, we have the following:
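The standard multiplicative Chernoff bound that Lemmas 1 and 2, Corollary 1 and Theorem 1 build up, worked through as an added derivation. These are not the paper's own equations (their notation did not survive extraction); the symbols $X_i$, $p_i$, $\mu$, $\lambda$, $\delta$, $k$ and $\varepsilon$ are ours, and the assumption that each active corrupt party's wrong share passes HMAC verification independently with probability at most $\varepsilon$ is an assumption of this example.

```latex
% Added derivation: multiplicative Chernoff bound and its use for the
% number of wrong shares that pass HMAC verification (our notation).
\begin{align*}
&\text{Let } X_1,\dots,X_m \in \{0,1\} \text{ be independent, } p_i = \Pr[X_i = 1],\;
  X = \sum_{i=1}^m X_i,\; \mu = \mathbb{E}[X] = \sum_{i=1}^m p_i . \\[4pt]
&\text{Markov, for } \lambda > 0,\ a > 0: \quad
  \Pr[X \ge a] = \Pr\!\left[e^{\lambda X} \ge e^{\lambda a}\right]
  \le e^{-\lambda a}\,\mathbb{E}\!\left[e^{\lambda X}\right]. \\[4pt]
&\text{Independence (Lemma 1): } \quad
  \mathbb{E}\!\left[e^{\lambda X}\right] = \prod_{i=1}^m \mathbb{E}\!\left[e^{\lambda X_i}\right]. \\[4pt]
&\text{Bernoulli (Lemma 2): } \quad
  \mathbb{E}\!\left[e^{\lambda X_i}\right] = 1 + p_i\,(e^{\lambda}-1)
  \le \exp\!\big(p_i\,(e^{\lambda}-1)\big),
  \ \text{hence}\ \mathbb{E}\!\left[e^{\lambda X}\right] \le \exp\!\big(\mu\,(e^{\lambda}-1)\big). \\[4pt]
&\text{Chernoff (Corollary 1): take } a = (1+\delta)\mu,\ \lambda = \ln(1+\delta),\ \delta > 0: \\
&\qquad \Pr[X \ge (1+\delta)\mu]
  \le \frac{e^{\mu\delta}}{(1+\delta)^{(1+\delta)\mu}}
  = \left(\frac{e^{\delta}}{(1+\delta)^{1+\delta}}\right)^{\mu}. \\[4pt]
&\text{Application (Theorem 1): } X_i = 1 \text{ iff active corrupt party } i
  \text{ passes HMAC verification with a wrong share;}\\
&\text{assume } p_i \le \varepsilon \text{ and } m = |A| \le t, \text{ so } \mu \le t\varepsilon.
  \text{ Writing } k = (1+\delta)\mu \text{ for the number of accepted wrong shares}\\
&\text{that the decoder cannot tolerate:}\quad
  \Pr[X \ge k] \le e^{\,k-\mu}\left(\frac{\mu}{k}\right)^{k}
  \le \left(\frac{e\,t\,\varepsilon}{k}\right)^{k},
  \qquad \text{and for } k = 1:\ \Pr[X \ge 1] \le \mu \le t\varepsilon \text{ by Markov alone.}
\end{align*}
```

For a tag of $\tau$ bits, $\varepsilon$ is at most $2^{-\tau}$ plus the adversary's advantage in distinguishing HMAC from a random function (an assumption on HMAC, see Section 2.1); with the 128-bit tags used in the experiments, the chance that even one forged share is accepted is therefore at most about $t\cdot 2^{-128}$, which is the sense in which the failure probability is negligible.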

5. Security Proof

In this section, we present the security analysis of the scheme.

Theorem 2. This scheme achieves perfect privacy.

Proof. Let be the set of all corrupt parties, with . First, we assume that the secret is uniformly distributed and that the sharing phase is executed safely and locally. Our goal is to prove that the distribution of is independent of . Here, .
In our RSS scheme, the secret can only be reconstructed by more than participants. For each , the corrupt parties cannot reconstruct the secret even if all of them collude. Therefore, is independent of . In addition, the values of and are selected at random, so they are also unrelated to the secret . The tag is generated by the MAC algorithm to verify the integrity of , so is independent of the shares by the "privacy over randomness" property of the MAC. is a hash value generated by IPFS, so it is independent of . In summary, the privacy of the secret is guaranteed.

Theorem 3. RSS scheme based on smart contract is secure when any participants are corrupted.

Proof. A rushing adversary decides how to change the shares of the corrupt parties after seeing the shares of the honest parties. In this study, we implement a bulletin board on IPFS that stores all tags before the reconstruction phase. The rushing adversary cannot change the tags because IPFS content is addressed by its hash: the identifier of the board is fixed before reconstruction, and any modified board would have a different identifier. Because the tags cannot be changed, the probability that a rushing adversary passes the share verification after changing a share is negligible. Therefore, our scheme withstands a rushing adversary.
Let denote the RSS scheme based on the smart contract and denote the corresponding function. In the real world, the participants execute the RSS scheme. We build a simulator that extracts the operations of a probabilistic polynomial-time (PPT) adversary in the real world such that . The adversary can corrupt any participants. First, we assume that cannot obtain any information about the shares from the channel between the dealer and the other participants during the share distribution phase. We now prove the indistinguishability of the ideal world and the real world.
In the reconstruction phase, our scheme uses authenticated private channels. The simulator can extract the view and inputs of in the real world and can also simulate the inputs of the honest participants. Let be the set of all corrupt parties and the set of all honest parties. The behaviour of is as follows:
(i) For each , accesses the smart contract and initiates the transaction . sends the transaction address to and receives . uploads these shares to the smart contract. Similarly, sends the transaction to and receives . uploads to the smart contract.
(ii) For each , accesses the smart contract and initiates the transaction . invokes and internally hands over the transaction address as if it had been sent by . outputs whatever outputs. If does not upload to the smart contract before the first-round deadline, the smart contract keeps his deposit. Similarly, invokes and internally hands over the transaction . outputs whatever outputs. If does not upload to the smart contract before the second-round deadline, the smart contract keeps his deposit.
(iii) For each , sends the transaction to the smart contract. If , loses his deposit . Similarly, sends the transaction to the smart contract. If , loses his deposit . If all the above transactions have been executed, then honestly sends the correct shares.
In the ideal world, the view of each corrupt party is the same as in the real world, because smart contracts are open and transparent. This proves the privacy of the shares. The smart contract is deployed on the blockchain; cannot tamper with it or recover a deducted deposit unless he can construct a new blockchain. Finally, the smart contract outputs the correct shares for , and the honest parties can reconstruct the original secret using Reed–Solomon decoding. We can prove that

6. Performance Analysis

We compare our work with other RSS schemes in Table 2. Shamir [1] first proposed the concept of secret sharing. Cevallos et al. [17] reduced the share size to . However, in the reconstruction phase, each participant needs to verify all other participants and to be verified by all of them, which causes a large communication cost. In 2015, Bishop et al. [18] designed an essentially optimal RSS scheme whose share size is close to the optimal . They eliminated the linear dependence of the share size on the number of participants, but their scheme cannot withstand a rushing adversary. Fehr et al. [19] proposed an RSS scheme that withstands a rushing adversary; unfortunately, their algorithm needs to start from an honest participant.

We ran our scheme on a laptop with a 64-bit Windows system, an Intel Core i5-9300H CPU (2.40 GHz), and 16 GB of RAM. The smart contract is written in Solidity, the language created for implementing smart contracts on Ethereum. We compiled the contract with the compiler on Ethereum's official website and deployed it on a private chain that we created locally.

Every step of the smart contract is a transaction, which is open and transparent. Before the test, we set the security parameter to 128 bits. The parts we tested are the two rounds of the share submission phase, the tag verification phase, and the MAC verification phase. The gas cost of each part is shown in Table 3, and Figure 4 shows the relationship between gas cost and the number of participants: the gas cost grows linearly with the number of participants, so the more participants there are, the more expensive it is to execute the smart contract.

The time cost of each part is shown in Table 4: tag verification takes approximately 170 ms and MAC verification approximately 300 ms. Figure 5 illustrates the relationship between time cost and the number of participants: the time cost grows linearly with the number of participants, so the more participants there are, the longer the smart contract takes to execute.

7. Conclusion

We proposed a new RSS scheme based on smart contracts that ensures fairness and decentralization. Compared with previous schemes, the communication complexity of our scheme is reduced to . Our scheme is secure against a rushing adversary. The preceding discussion shows that our scheme reconstructs the correct secret by Reed–Solomon decoding even if corrupt parties (fewer than ) submit wrong shares.

Unfortunately, executing smart contracts is expensive when the number of shares is large, so the scheme is applicable when the number of shares is less than . Our work can be extended as follows. RSS can be extended to a hierarchical robust secret sharing scheme, in which shares are distributed to parties at different levels [35]. Moreover, RSS can be applied where the number of shares is large [36]. RSS can also be applied in other fields, such as robust secret image sharing and threshold private set intersection [37, 38].

Data Availability

No data were used to support this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was supported by the National Natural Science Foundation of China (20200115 and 62002103), the Science and Technology Research Project of Henan Province (212102210388 and 172102210045), Henan Province Soft Science Research Plan Projects (212400410109), and Soft Science Program of the State Intellectual Property Office of China: Normative research on the application of intellectual property protection of blockchain technology from the perspective of “Digital Nation”(SS21-B-11).