A Fair (t, n)-Threshold Secret Sharing Scheme with Eﬀicient Cheater Identifying

. The fairness of secret sharing guarantees that, if either participant obtains the secret, other participants obtain too. The fairness can be threatened by cheaters who was hidden in the participants. To ef-ﬁciently and accurately identify cheaters with guaranteeing fairness, this paper proposes a fair ( t, n )-threshold secret sharing scheme with an eﬃ-cient cheater identifying ability. The scheme consists of three protocols which correspond to the secret distribution phase, secret reconstruction phase, and cheater identiﬁcation phase respectively. The scheme’s secret distribution strategy enables the secret reconstruction protocol to detect the occurrence of cheating and trigger the execution of the cheater iden-tiﬁcation protocol to accurately locate cheaters. Moreover, we prove that the scheme is fair and secure, and show that the cheater identiﬁcation algorithm has higher eﬃciency by comparing with other schemes.


Introduction
In the reconstruction phase of a (t, n)-threshold secret sharing scheme, dishonest participants can reconstruct the real secret because of receiving the valid secret shares.It's unfair for honest participants that they gain the wrong secret because of accepting the invalid secret shares [1].To address this issue, many researchers have come up with their solutions.Laih and Lee [2] proposed a vfair (t, n)-threshold secret sharing scheme, in which all participants do not have to show their secret shares simultaneously to recover the secret with the same probability, even if there are v(< t/2) dishonest participants.[3] and [5] further improved Laih scheme [2].In 2003, Tian [6] utilized the consistency of secret shares to detect attackers, and constructed a fair (t, n)-threshold scheme with the help of the schemes of Tompa and Woll [7].Harn and Lin [8] also used the consistency of secret share to design an algorithm to detect cheating behavior and identify cheaters.In 2014, Harn [9] pointed out that the research on asynchronous attack in scheme [6] was incorrect.In 2015, Harn [10] proposed a scheme that can resist asynchronous attacks of external attackers and internal attackers.In 2016, Liu [11] presented a Linear (t, n)-threshold secret sharing scheme in which there is only one honest participant can detect cheaters.Lin [12] constructed a secret sharing scheme which focuses on preventing cheating behavior rather than cheating detection.With the same purpose, in 2018 Liu [13] proposed a (t, n)-threshold secret image sharing scheme.In order to improve the efficiency of the verifiable secret sharing scheme, Mashhadi [14] and Cafaro [15] put forward their schemes respectively, but none of their schemes are unconditionally safe.In 2018, Liu and Yang [17] proposed a cheating identifiable secret sharing scheme by using the symmetric bivariate polynomial, but the scheme does not achieve fairness requirement of secret sharing.
In order to not only identify deception behavior but also efficiently and accurately locate cheaters, this paper propose a fair (t, n)-threshold secret sharing scheme which realizes the fairness through Distribution protocol and Reconstruction protocol, and achieves the efficiently cheaters identification through Cheater identification protocol.Moreover, the presented scheme is unconditional security because of not depending on any security assumptions, and is fair and secure based on four attack models.
The remainder of this paper is organized as follows.We introduce some preliminaries, in Section 2. In Section 3, we present a fair (t, n)-threshold secret sharing scheme with an efficient cheater identifying algorithm.In Section 4, we describe the fairness and security of the proposed scheme, followed by the performance analysis in Section 5. Finally, we conclude this paper.

Preliminaries
In this section, we briefly recall some fundamental backgrounds which are used in our scheme and then introduce the attack models of our scheme.

Shamir's (t, n)-secret sharing scheme
Shamir's (t, n)-threshold secret sharing scheme [16] is based on Lagrange interpolating polynomial, in which there are n participants P={P 1 ,• • • ,P n }, and a mutually trusted dealer D. The scheme consist of two algorithms: -Distribution algorithm: The dealer D first randomly generates a polynomial: Not difficult to find if the m secret shares are consistent, the corresponding scheme is fair.

Attack models
The aim of our scheme is holding the fairness and secure under the following four attack models.: -Non-cooperative attack with synchronisation (NCAS): All participants submit the secret shares simultaneously, and that there are no cooperations between dishonest parties.-Non-cooperative attack with asynchronisation (NCAAS): All participants present secret shares successfully and that there are no cooperations between dishonest parties.-Collusion attack with synchronisation (CAS): The malicious parties modify their secret shares to deceive the honest parties.We assume that all participants submit their secret shares at the same time.Under this assumption, only when the number of malicious parties is more extensive than or equal to the threshold value t, can the malicious parties successfully deceive the honest parties.-Collusion attack with asynchronisation (CAAS): The dishonest parties collaboratively modify their secret shares to deceive the honest parties.The participants asynchronously release their secret shares.The best option for dishonest participants is to submit their accordingly modified secret shares after all honest participants have submitted their secret shares.

Our schemes
In this section, we introduce our fair (t, n)-threshold secret sharing scheme which consists of three algorithms: distribution algorithm, reconstruction algorithm, and cheater identification algorithm.

Distribution
The dealer D wants to share a secret s among n participants D first randomly constructs an identifier sequence {a 1 , a 2 , • • • , a v } from Z q , and q is big prime integer.The sequence must satisfy: is randomly determined by D, and a l is related to finally recover s.And then, based on the sequence, D generates v random polynomials through which D calculates the secret share s i = (s i1 , • • • , s iv ) for the ith participant.The distribution protocol is shown as:

Distribution protocol
Input: the secret s, the parameter v.
Output: the secret shares 3. Construct v polynomials of (t − 1)-degree, like as follows:

Reconstruction
Suppose that m(≥ t) participants R = {P 1 , • • • , P m } cooperate to reconstruct s.Denoted by P −i = R/P i .The reconstruction protocol is shown below: Output: the set of cheaters A and the secret s.
1. 1th round: P i sends s i1 to P −i , and then performs Receive share(k).
2. kth (k from 2 to v) round: If P i receives all (k − 1)th items of secret shares sent by P −i , then uses {s

Cheater identification
To identify the participants who input fake shares, We use a mark vector represents a kind of choice of selecting t participants from m participants, so there are Each mark vector consists of m items, of which the value is 0 or 1, denoted by Therefore, each mark vector includes t 1 s and m − t 0 s.

Cheater identification protocol
Input: m, t, k, {s Output: the set of cheaters A.
All the m reconstruction participants do: , each participant yields the Lagrange interpolating polynomial f j k (x).Therefor, each participant can obtain . These values might different or the same.Find the most frequently occurring value in them, the value is the value of a k .4. And then extract the corresponding mark vectors from Use C succ denote the set of these corresponding mark vectors. 5. Perform Logic Or operation on C succ , the participants corresponding to the items whose values are 0 in the result mark vector are cheaters, and then add these participants to A, finally return A.

Security and correctness analysis
Theorem 1.In our proposed scheme, the probability that each participant successfully guesses the secret s is 1/v.
Proof.The dealer D hides the secret s into the polynomial f l (x), where l ∈ [1, v] is randomly chosen by D, therefore, the participants successfully guess the value of l with the probability 1/v.
) denotes all participants who take part in the secret reconstruction phase, P I = {P i1 , • • • , P iα } ⊆ P denotes the set of cheaters in P, P −I = P/P I denotes the set of honest participants in P.
Theorem 2. Under non-cooperative attack with synchronisation (NCAS), when m > t, our scheme is secure and fair.
Proof.NCAS assumes that all participants present shares at the same time and that there is no cooperation between cheaters.Suppose that in the k-round reconstruction stage, the cheaters in P I send invalid secret shares.Since there is no cooperation between the cheaters, their invalid secret shares can only be random numbers in Z q .When m > t, these secret shares could not pass the consistency test, and the attack is immediately detected.In order to restore s, the attackers in P I need to guess in which polynomial s is hidden and which honest participants are involved.According to Theorem 1, the maximum successful probability is 1/v.If v is large enough, the probability can be ignored.Therefore, under non-cooperative attack, when m > t, our scheme is secure and fair.Theorem 3.Under non-cooperative attack with asynchronisation (NCAAS), when {(m − α < t − 1)∩(m > t)}∪{m − α≥t + 1}, our scheme is secure and fair.
Proof.NCAAS assumes that all participants present shared shares successively without cooperation between attackers.A cheater' ideal attack is to show the secret share at the end, because he can obtain all the shares before others.When m − α ≥ t + 1, that is, there are no less than t + 1 honest participants, who show the secret shares firstly.Therefore, the attackers can reconstruct the correct polynomial f k (x) (suppose in k-round) based on t real secret shares, and then obtain the a k .The attackers can show the real secret shares in the first l rounds and show a fake secret share in (l + 1)th round.However, the fake secret share cannot pass the consistency test, and the attack behavior can be detected, which trigger the execution of cheater identification algorithm.The right identifier a l+1 can be reconstructed based on the m − α real secret shares, because m − α t > 1, the a l+1 is correct identifier which can be used to identify the attackers, therefore, the attackers could not gain d from the dealer to obtain s.When m − α < t + 1, for an attacker, even if he finally shows his secret share, he can only obtain at most t − 1 real secret shares, so he can not reconstruct any t − 1-degree polynomial, as a result he can not recover s.In order to detect attacks, m should greater than t.In conclusion, when {(m − α < t − 1)∩(m > t)}∪{m − α≥t + 1}, the proposed scheme is secure and fair.
Proof.CAS assumes that all participants present secret shares simultaneously and that multiple attackers conspire to attack the scheme.Suppose there are α cheaters in k-round.(i) When α ≥ t, if the number of honest participants is less than t, that is, m − α < t, then cheaters can cooperate to forge a set of invalid secret shares which can pass consistency detection.The specific process is as follows: Cheaters first use their secret shares to recover an interpolation polynomial, then utilize the polynomial to calculate the secret shares held by other honest participants, and then generate their false secret shares based on the secret shares of other honest participants.For example Finally, the secret shares shown by all participants as follows: These m secret shares can pass consistency detection when m−α ≥ t.The secret shares forged by the above method in (l +1)th round cannot pass consistency detection.By executing the identification algorithm, m real secret shares can used to reconstruct the correct identifier a l+1 at m − α t times, while t−1 real secret shares and an invalid secret share can be utilized to reconstruct a wrong identifier a l+1 at α + t − 1 t times.Therefore, we have Proof.The key to prove the correctness of the cheater identification protocol is to prove the most frequently occurring value in {a 0)} is the correct value of a k .In the cheater identification protocol, interpolating polynomials are reconstructed only based on t secret shares, therefore, only when the t secret shares are real can the correct value of a k be recovered.To guarantee the most frequently occurring value in {a 0)} is the correct value of a k , the following condition must be satisfied: We have, Since the inequality is always true, our cheater identification algorithm is correct.

Performance
The following two examples are given to respectively calculate the maximum number of attackers α max under the four types of attack models.Taking (7, n) threshold scheme as an example, assuming m = 9 and m = 11, where m is the number of participants who take part in the secret reconstruction phase.Under NCAS, according to Theorem 2, when m > t our scheme is secure and fair, so α max = 9.Similarly, under NCAAS, according to Theorem 3, when {(m − α < t − 1)∩(m > t)}∪{m − α≥t + 1} our scheme is secure and fair, which means α max = 9.From the analysis of Theorem 4, Under CAS, when } the proposed scheme is safe and fair, so α max = 6.According to the analysis of Theorem 5, Under CAAS, our scheme can defend at most 1 cheaters, as shown Table 1.Based on a similar analysis process, when m = 11, the values of α max are shown as in Table 1.Different from Tian and Peng's [18] scheme, our scheme does not depend on any security assumptions, it is a unconditional security scheme.Compared to Tian's [6], Harn's [9], Harn-Lin's [8] and Liu-Yang's [17] secret sharing schemes, our scheme achieves fairness but they do not have, as shown in Table 2.In [8], Harn and Lin proposed a secret sharing scheme that can identify cheaters.In their scheme, the correct secret needs to be confirmed and the secret share of each participant needs to be verified.In our scheme, we removed the process of validating each participant's secret share but achieves the same function of [8].Therefore, our scheme has higher operating efficiency than [8].

Conclusion
In this paper, we study the cheater identification issue and the fairness problem in the reconstruction phase of secret sharing, and propose a fair (t, n) secret sharing scheme including a efficient cheater identification algorithm.By comparing with the existing verifiable secret sharing schemes, it can be found that our scheme achieves fairness.Compared with the fair secret sharing scheme, our cheater identification algorithm has a lower computational complexity.Moreover, we analyzed the security of our proposed scheme under four different attack models.
in which the secret is s=a 0 and all the other coefficients a 1 , • • • , a t−1 are chosen from a finite field F, and then D computes the secret share s i = f (i) and sends it to the participant P i , , then all participants send the kth items of their secret shares and then perform Receive share(k).Otherwise, all participants utilize the cheater identification protocol and obtain the set A. If |P/A| ≥ t, then all participants ∈ P/A send the kth items of their secret shares and performs Receive share(k); otherwise, protocol is terminated.Procedure Receive share(k): Receiving the kth item of secret share 1.When P i has received all kth items of secret shares sent by P −i , he utilizes all these items {s 1 k , s 2 k , • • • , s m k } to compute the Lagrange interpolating polynomial f k (x).If the degree of f k (x) is t − 1, then P i performs step (b).Otherwise, all participants invoke the cheater identification protocol to identify the cheaters, and put them into the cheaters' set A. If |P/A| ≥ t, then the protocol turns to step b; otherwise, it is terminated.2. Calculate the identifier by using the secret share sent by all participants in P/A, a k = f k (0).If a k > a k−1 , then D sends d to all participants in P/A, and these participants can calculate s = a k−1 • d, and then the protocol is terminated; otherwise, all participants in P/A send the (k + 1)-th items of secret shares.
1 } denote honest participants, use {P t , P t+1 , • • • , P 2t−1 } denote cheaters.Cheaters can use their true secret share {s t k , s t+1 k , • • • , s 2t−1 k } to calculate the interpolation polynomial f k (x), so they can show the true secret shares in the first l rounds, and in (l + 1)th round, they can use f l+1 (x) to obtain other honest participants' secret shares {s 1 l+1 , • • • , s t−1 l+1 }, and calculate another (t−1)-degree polynomial f l+1 (x) by using secret shares {s 1 l+1 , s 2 l+1 , • • • , s t−1 l+1 } and a random value s t l+1 .And then, cheaters use f l+1 (x) to calculate t−1 invalid secret shares {s t l+1 , s t+1 l+1 under this condition, the invalid secret shares can be detected, and cheaters cannot obtain d from the dealer and recover s.But the honest participants can gain d and reconstruct s. (ii) If α < t, these α cheaters can not use their real secret shares to forge the invalid secret shares that can pass the consistency detection.When m > t, this attack can not pass the consistency detection.If cheaters want to reconstruct s, they can only guess the value of l, the probability of successfully guessing is only 1/v.From what has been discussed above, when{(α < t) ∩ (m > t)} ∪ {(α ≥ t) ∩ (m − α > α + t − 1)}, our scheme is secure and fair.Theorem 5.Under collusion attack with asynchronisation (CAAS), when m − α > α + t − 1, our scheme is secure and fair.Proof.CAAS assumes that all participants present secret shares successively and that multiple cheaters conspire to attack the scheme.For cheaters, the ideal mode of attack is to present the secret shares at the end, so that they can obtain the real secret shares presented by previous honest participants.When m − α ≥ t, there are not less than t honest participants, who first show the secret shares.Attackers use t − 1 real secret shares (according to the method of Theorem 4) to forge α invalid secret shares.Because m − α ≥ t, these invalid secret shares cannot pass consistency detection.By executing the identification algorithm, m − α − α > α + t − 1, these invalid secret shares can be detected, and cheaters cannot gain d from the dealer and reconstruct s.But the honest participants can obtain d and recover s.Therefore, when m − α > α + t − 1, the proposed scheme is secure and fair.

Table 2 .
Security comparison