2)2( −+≤Π tf
(5)
From (5) and lemma 5:
12)( −+≤Π≤ ttf
m
(6)
Finally, from Lemma 3 and (6) we get the result.
3.4 Cheater Identification and
Security Analysis
It is important for any secret sharing scheme to de-
tect cheating and to identify the cheater. There are
numerous works on this issue such as in Hwang et
al., 1999), (Tan et al., 1999). Therefore, we will not
address this issue here. However, in order to keep
the participants’ shadows secret after the cheater
identification process, there are some points, which
should be mentioned: The secret holder should use
the pseudo shadows
),(
i
srf instead of the real
shadows in generating the public values for cheater
identification. At the same time, with no knowledge
of the real shadows, the verifier should be able to
use the pseudo shadows in order to determine the
existence of a cheater. Hence, in the cheater identifi-
cation process, each participant polls his pseudo
shadow. Therefore, the real shadows will not be
disclosed by the properties of the one-way two-
variable function.
The security of our scheme can be analyzed
from the following different views:
a) Having 1−≤
′
tt pseudo shadows, only t
linearly independent vectors from
E
is found. Since
the characteristic set of
E
is determined by comput-
ing the row equivalent matrix
T
, and also in order
to find
T
(
IT
ctt
+× )(
]
S
), using t
vectors
would give no information about matrix
S in which
the secrets are stored. Because every new vector
from the remaining
tt
′
− vectors has a direct impact
on each element of
S .
b) Our scheme will not disclose the partici-
pant’s real shadows
i
s even after multiple secret
reconstruction. Even though pseudo shadows
),(
i
srf have been exposed among many co-
operating participants, the real shadows are well
protected by the properties of the one-way two-
variable function. Therefore in order to share next
p secrets, the secret holder only needs to randomly
choose a new integer
without redistributing every
participant’s secret shadow
i
s .
c) Given the public values ),...,,,(
21 n
r
,
an adversary has no way of determining
i
’s, with-
out having the pseudo shadows
),(
i
srf (as the
keys). Furthermore, encryption of less than
of the
i
s, according to part a, shall give no information
about the secrets.
4 PERFORMANCE
COMPARISON
In this section, we will shortly compare the perform-
ance of our scheme with other schemes, especially
Chien’s scheme.
In Chien’s scheme, the secret reconstruction
costs solving the simultaneous
)( tpn −+ linear
equations, while in our scheme, the dependence of
reconstruction process on
n is totally omitted.
Therefore, in the cases where
n is a relatively large
number, our scheme would be more efficient.
In our scheme the computations are performed
in
)2(
m
GF
where
m
2
could be smaller than the
secrets (if their decimal representation is as-
sumed). This would reduce the number of computa-
tional bit operations in some cases. For example,
according to (Koblitz, 1998) in a finite
field
)(
m
pGF , two elements can be divided or mul-
tiplied in
)(ln
2
qO (
m
pq = ) bit operations, and
one element can be raised to the
th
N power in
)))(ln((ln
2
qNO bit operations. So, obviously,
when
)ln(q is reduced by the factor
k
, the opera-
tions are reduced by the factor
2
k . In our scheme,
(for simplicity, suppose one secret threshold
scheme) we approximately (in step 2) reduced the
binary size of the field order (
)(log
2
q ) by
tm
S
and
instead there are
m
S
parallel processes (for each
block in each secret). So since the reduction in
each multiplication or division is by the factor
2
k (as defined above), a total reduction in the com-
putations is expected.
SECRYPT 2006 - INTERNATIONAL CONFERENCE ON SECURITY AND CRYPTOGRAPHY
448