A New Multi-stage Secret Sharing Scheme for Hierarchical Access Structure with Existential Quantifier

A multi-stage secret sharing scheme is practical when a security system has m ordered checkpoints. It is natural to divide the m checkpoints into m different levels. There are m different secrets, and each of them, with a different importance, corresponds to a checkpoint/level. The participants are also divided into m disjoint levels, as they are in the hierarchical threshold access structure. The hierarchical threshold access structure with the existential quantifier (HTAS∃) does not cover the common practice that at least a few high-ranking participants are required to be involved in any recovery of the secret. The popular schemes with hierarchical access structure needed to check many matrices for non-singularity. We propose a multi-stage secret sharing scheme for HTAS∃, and the tools are based on linear homogeneous recurrence relations (LHRRs) and one-way functions. We modify HTAS∃ so that this hierarchical access structure can satisfy the common practice. In our scheme, if the participants are divided into m levels, there are usually m secrets, but the j-th secret cannot be recovered before the (j − 1)-th secret is recovered. Our scheme is computationally secure. The proposed scheme requires one share for each participant, and the share is as long as each secret. Our scheme has high efficiency compared with the state-of-the-art hierarchical secret sharing schemes.


Introduction
In a (t, n) threshold secret sharing scheme, the secret can be shared among n participants, and any t or more participants form a qualified subset that can recover the shared secrets by pooling their shares. If the participants of any unqualified subset cannot obtain any information about the shared secrets, the scheme is called perfect. The threshold secret sharing schemes proposed by Shamir [25] and Blakley [2] are two special cases where all the participants have the same authority. Such threshold secret sharing schemes are restrictive in practice. Therefore, schemes based on different access structures were proposed [3,22].
Hence, in order to improve the practicality of secret sharing, many researchers have focused on specific families of access structures, for example, bipartite access structures [22], compartmented access structures and hierarchical access structures [28]. Simmons proposed a multipartite access structure [26] and gave the definitions of the compartmented access structure and the hierarchical access structure. In these access structures, participants are divided into different levels, i.e., the participants have different authorities in different levels, but the participants in the same level have the same role. After Simmons, Brickell proposed a method to construct an ideal secret sharing scheme for the multilevel and compartmented access structures [4], but the scheme is not efficient, because of the exponential operations required to get nonsingular matrices. The definition of the hierarchical access structure in [26] is as follows.
Definition 1. Let P denote the set of the participants, where n = |P|. The set P is divided into disjoint levels $\gamma_1, \gamma_2, \ldots, \gamma_m$ of the participants, P (1)
However, Tassa [27] pointed out that the common practice needed at least a few high-ranking participants to be involved in any recovery of the secret, even though high-ranking participants could be replaced by low-ranking participants. Therefore, a different definition of the hierarchical access structure was given by replacing the existential quantifier ∃ in (1) with the universal quantifier ∀.
Later, scholars studied the hierarchical access structure with some other methods [7,10,11,12,13,14], but these schemes were not efficient or just gave a comprehensive characterization of the ideal multipartite access structures. But the definition (1) is very practical in a multi-stage secret sharing scheme, because if $\exists i < m$ satisfies (1), a qualified subset can recover from the first to the i-th secret. If we change the definition (1) into (2), the problem pointed out by Tassa can be avoided. We just need to set
Multi-secret sharing is a generalization of secret sharing. There are two different types of multi-secret sharing schemes. In the first type, the secrets are recovered at the same time [9,19,29]. In the second type, because the secrets differ in importance, they are recovered in different stages [5,15,17,18,21], i.e., the qualified subset can recover only one secret in each stage. Our scheme belongs to the second type, and the order of these secrets is determined by the distributor. In 1994, He et al. [18] proposed a multi-stage secret sharing scheme based on a one-way function. Later, Harn [17] modified [18] and proposed a scheme with $k(n-t)$ public values, which had fewer public values than He et al.'s scheme. Chang et al. [5] pointed out that the two schemes [17][18] have the same shortcoming, namely that these secrets cannot be recovered in the order that was determined by the distributor. For a multi-stage secret sharing scheme, the participants should show the combiners the pseudo shares depending on the shadows (original shares). So multi-stage secret sharing schemes are usually based on the one-way function [5,17,18] or the factorization problem [28]. In the cryptographic system, the application of multi-stage secret sharing scheme is very useful in the lattice [23]. A multi-secret sharing scheme is called multi-stage if the recovered secrets cannot leak any information about the unrecovered secrets.
For this purpose, two security requirements are needed:
1. Each participant's shadow should be masked by the pseudo-shares during the recovery phase.
2. The recovery of a secret should not endanger another unrecovered secret.
In some firms or government services, items of different importance may be stored in different warehouses. For example, there are three warehouses to store ordinary files, important documents and confidential documents, respectively, i.e., the warehouse that stores confidential documents has the highest security level. Fig. 1 shows the order of the three different warehouses. If some employees want to get the ordinary files, they are not allowed to get all three secrets, but have the secret of warehouse 1.
If the qualified participants want to open warehouse 2, warehouse 1 must be opened first, i.e., the qualified participants should recover two secrets, the first secret of warehouse 1 and the second secret of warehouse 2. The participants of a qualified subset do not have to open all the warehouses. The items stored in warehouse 2 are more important than those stored in warehouse 1. Therefore, the secret corresponding to warehouse 2 is more important than the secret corresponding to warehouse 1. In this situation, the employees are divided into three disjoint levels $\gamma'_1, \gamma'_2, \gamma'_3$. The participants in $\gamma'_1$ can recover only the secret of warehouse 1, the participants in $\gamma'_2$ can recover the secrets of warehouse 1 and warehouse 2, and so on. If we want to satisfy the common practice pointed out by Tassa [27], when the participants in $\gamma'_1$ want to recover the secret of warehouse 1, the participants in higher levels need to be involved in the recovery of it (the participants in higher levels belong to 3 But when the secret of warehouse 3 needs to be recovered, only the participants in $\gamma'_3$ can recover it, i.e., the last secret can be recovered only by the participants in the highest level. In our scheme, the importance of the secrets is ascending, i.e., $key_1 < key_2 < \cdots < key_m$, where "<" denotes that the importance is ascending.
Figure 1 The order of three different warehouses
The importance of the participants in these levels is ascending too, and the participants play the same role in the same level, i.e.,
Our scheme is motivated to give an efficient multi-stage secret sharing scheme for the hierarchical access structure with the existential quantifier ∃. If $\exists i < m$ satisfies (2), then the participants in the qualified subset are not allowed to recover all secrets (For example, if (2), the participants in the qualified subset are allowed to recover from the first to third secret).
So it is natural to design a multi-stage secret sharing scheme by using the access structure with the existential quantifier ∃. When these secrets are recovered in order, it is also natural to think that the secrets are hierarchical and each secret can be recovered by the participants of the corresponding level and of the levels that are higher than the corresponding level. Even though Brickell [4] gave an ideal scheme, the scheme is inefficient, and there is a shortcoming pointed out by Tassa [27] in the hierarchical access structure with the existential quantifier ∃ [4,26].
It is assumed that the participants are semi-honest and the distributor is trusted in our scheme. The proposed scheme is based on two technologies, the linear homogeneous recurrence (LHR) relations [8,29] and the one-way functions [16,20]. Mashhadi and Dehkordi first introduced the LHR relations to threshold secret sharing schemes [8]. Later, Yuan et al. introduced them to a dynamic secret sharing scheme [29]. But the participants are assumed to have equal privilege in these schemes. Our main contributions are as follows.
1. We give a modification of the hierarchical access structure with existential quantifier [4] and solve the problem pointed out by Tassa. The problem was that the common practice needed at least a few high-ranking participants to be involved in any recovery of the secret. We just need to set some $t_i$s to satisfy
2. Our scheme is more efficient than Brickell's scheme, since the exponential operations are not required for assigning identities and shares to the participants in the proposed scheme. Each participant only needs to hold a shadow during the whole scheme and each shadow is as long as the secret.
The remainder of this paper is organized as follows. Section 2 provides preliminaries on secret sharing schemes and linear homogeneous recurrence relations. Section 3 presents the proposed scheme. Section 4 shows the properties of the proposed scheme; in that section, we also give the security analysis of our scheme and compare the existing popular works with the proposed scheme. Finally, Section 5 draws our conclusion.

Preliminary
In this section, we give a brief description of the secret sharing schemes and the LHR relations [29].

Secret Sharing Schemes
In the following section, we will give the definition of the perfect scheme, and the hierarchical access structure is also listed.

Definition 2.
A (t, n) threshold secret sharing scheme

and P = |n|), satisfies the following two conditions, where S is the shared secret space, R is a set of random inputs, and i
2 For all $B \subseteq P$ and | | ,
In the following section, the hierarchical access structure is briefly given as follows.
where $t_i$ is the threshold in the i-th stage.

Linear Homogeneous Recurrence Relations
We give a brief description of the linear homogeneous recurrence relations. A detailed description of the linear homogeneous recurrence relations can be found in [24] [29].
and q is a large prime.
If $\alpha_i$ is an $s_i$-fold root of the characteristic equation (1), then part of the general solution for this recurrence relation corresponding to $\alpha_i$ is given as
The general solution for the recurrence relation is given by

The Proposed Scheme
This section is the main part of the paper and shows the design of our scheme. The scheme has two phases, i.e., the construction phase and the recovery phase. In our scheme, there are n participants and a trusted distributor D, and the participants are semi-honest.
$key_1, key_2, \ldots, key_m$ (m is the number of the disjoint subsets of P) and the importance of the secrets is ascending, i.e., the level of $key_2$ is higher than that of $key_1$ and so on (that is to say, $key_1 < key_2 < \cdots < key_m$, where "<" denotes the importance). Our scheme is based on the linear homogeneous recurrence relations over GF(q), where GF(q) is a finite field, and q is a large prime.
The basic idea of our scheme is given as follows. The distributor generates m linear homogeneous recurrence relations. All the m LHR relations have two different roots. The participants in $\gamma_1$ and $\bigcup_{i=2}^{m} \gamma_i$ initialize two LHR relations, respectively, and we call them the first sub-LHR relation and the second sub-LHR relation, respectively. Then we add them. Since the sum of the general terms of two sub-LHR relations is still the general term of a LHR relation, it is called the first LHR relation (this shows how a LHR relation is generated). The participants in $\gamma_2$ and 3 also initialize two LHR relations. According to the same method, we construct the second to the m-th LHR relations. The first secret

Construction Phase
The distributor D performs the following steps to distribute the secrets:
to initialize this LHR relation, and the LHR relation is called the second sub-LHR relation of the j-th LHR relation. This sub-LHR relation is as follows.

From Theorem 1, the general term of (8) and (9) can be written as

Figure 2 Share generation and distribution process
Remark 1. From Theorem 1, we can determine that ( ) j i h is the general term of a LHR relation, and we call it the j-th LHR relation. For the orders of two sub-LHR relations of the j-th relation are respectively. Therefore, the order of the j-th LHR relation is We call $t_j$ the threshold in the j-th stage. We name ( )

Remark 2. From the construction, we have that if
That is also to say, the participants in $\gamma_j$ can recover $key_j$ without the help from the participants in the higher levels. When does not have to be satisfied. However, in the last LHR relation, That is also to say, the last secret is just shared among the participants in $\gamma_m$.
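Two facts the construction relies on can be checked numerically: the sum of the general terms of two sub-LHR relations is again the general term of an LHR relation, and the order of that relation acts as the threshold. The following Python code is an added example, not code from the paper; the modulus, the roots 3 and 5, the polynomials p and q and all function names are assumptions chosen for illustration.

```python
# Added example: LHR relations over GF(Q); every parameter value is constructed.
Q = 2**61 - 1  # a Mersenne prime standing in for the paper's large prime q

def poly_mul(a, b):
    """Multiply polynomials over GF(Q); coefficients are lowest degree first."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % Q
    return out

def char_poly(roots):
    """Characteristic polynomial prod (x - alpha)^s for (alpha, s) pairs."""
    c = [1]
    for alpha, s in roots:
        for _ in range(s):
            c = poly_mul(c, [(-alpha) % Q, 1])
    return c

def general_term(coeffs, alpha, i):
    """p(i) * alpha^i mod Q, the part of the general solution for root alpha."""
    p = sum(c * pow(i, e, Q) for e, c in enumerate(coeffs)) % Q
    return p * pow(alpha, i, Q) % Q

def extend(terms, cpoly, upto):
    """Continue consecutive terms h(0), h(1), ... up to h(upto)."""
    t = len(cpoly) - 1                      # order of the relation
    if len(terms) < t:
        raise ValueError("need at least t consecutive terms")
    h = list(terms)
    while len(h) <= upto:
        n = len(h) - t                      # h(n+t) = -sum_k c_k * h(n+k)
        h.append((-sum(cpoly[k] * h[n + k] for k in range(t))) % Q)
    return h

# Two sub-relations: root ALPHA with multiplicity 2, root BETA with multiplicity 1.
ALPHA, BETA = 3, 5
P_COEFFS, Q_COEFFS = [7, 11], [13]          # p(i) = 7 + 11 i, q(i) = 13

def h(i):
    """General term of the summed relation: p(i) ALPHA^i + q(i) BETA^i."""
    return (general_term(P_COEFFS, ALPHA, i) + general_term(Q_COEFFS, BETA, i)) % Q

CPOLY = char_poly([(ALPHA, 2), (BETA, 1)])  # (x-3)^2 (x-5), so the order is 3
T = len(CPOLY) - 1

def recover_term(known, index):
    """What a holder of T consecutive terms plus CPOLY can compute."""
    return extend(known, CPOLY, index)[index]

def candidates_with_one_term_missing(known, index, guesses):
    """With only T-1 terms, each guess for the missing one gives another value."""
    return [extend(list(known) + [g], CPOLY, index)[index] for g in guesses]

if __name__ == "__main__":
    first = [h(i) for i in range(T)]
    print("h(8) recovered:", recover_term(first, 8) == h(8))
    print(candidates_with_one_term_missing(first[:2], 8, [0, 1, first[2]]))
```

With T = 3 consecutive terms the value h(8) is fixed; with only two, each guess for the missing term yields a different candidate, which is the position of an unqualified subset in the security analysis.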

Recovery Phase
In this subsection, the process of the secret recovery is shown. A qualified subset does not have to recover all the m secrets. Therefore, suppose that a qualified subset can recover i secrets, i.e., the participants in the qualified subset can recover the secrets from the first to the i-th secret. The process of the recovery of the j-th secret is as follows, where

The j-th secret is hidden in the term ( ) By exchanging the shares, the participants in the qualified subset calculate the terms of the first sub-LHR relation of the j-th LHR relation, as given by: (10) According to Proposition 1,

Example
In this section, we show the conditions of the qualified subset and give an example to present the process of the construction phase. Suppose that the qualified subset A can recover two secrets That is to say, 1 , A should satisfy these conditions: The second secret is distributed as follows.
respectively, where the order of $p_2(i)$ is one and the order of $q_2(i)$ is also one.
3 D adds the two general terms and let the sum

The Properties of the Proposed Scheme
In this section, first, we give a security analysis of the proposed scheme. Then, we present the properties of our scheme.
In the following three paragraphs, we mainly give an analysis that shows why our scheme remains secure against the unqualified subset. If the participants in an unqualified subset can recover a secret, we say that an unqualified subset can break our scheme. Since the proposed scheme is multi-stage, we just need to prove that the first secret is secure for the unqualified sub- α ≠ , we can get where the order of $p_1(i)$ is $k_1 - 1$. From the above, we know that the public value $\alpha_1$ does not leak any information except the characteristic equation. If the $(k_1 - 1)$-order polynomial is not secure for the unqualified participants, i.e., the $k_1 - 1$ points can determine a $(k_1 - 1)$-order polynomial. From (16), we also infer that the $k_1 - 1$ different terms and then can get $k_1 - 1$ points of the polynomial $p_1(i)$. Since the number of the roots of $p_1(i)$ is $k_1 - 1$ at most in the field F, we can say that $k_1 - 1$ points can determine a $(k_1 - 1)$-order polynomial. This is contradictory to our assumption. So the problem of whether the participants from the unqualified subset B satisfying the above conditions can recover the first LHR relation can be seen as the problem of whether $k_1 - 1$ points can determine the $(k_1 - 1)$-order polynomial.
However, there is another case in which a qualified subset wants to recover other secrets for which it is unqualified. For example, the subset B can recover from the first to the j-th secret, but its participants want to recover the (j+1)-th and the (j+2)-th secrets. From the above proof, we can infer that this is impossible, and the proof is the same as above. But in the recovery phase, the participants exchange the pseudo shares. We can conclude that the probability of breaking our scheme is not greater than the probability of breaking the one-way function. Thus, we can say that our scheme is secure.

Performance
In our scheme, each participant holds just one shadow to share one or more secrets in the whole recovery process, because in the j-th stage, participant $P_i$ uses the one-way function to generate his/her pseudo share ( ) j i g s to construct the LHR relation, i.e., the participant $P_i$ just holds the shadow $s_i$ during the whole process. The shadow is as long as a secret.
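How a single shadow can serve several stages is shown in the added example below, which is not the paper's scheme: it swaps the LHR relation for plain Shamir interpolation with public offsets, and assumes SHA-256 as the one-way function, equal-privilege participants and a threshold of 3. All names and values are constructed.

```python
# Added example: stage-bound pseudo shares; not the paper's LHR construction.
import hashlib

Q = 2**61 - 1  # prime modulus (constructed); secrets and shares live in GF(Q)

def pseudo_share(shadow, stage):
    """Stage-bound one-way image of a shadow. SHA-256 is an assumption;
    the paper only asks for a one-way function."""
    data = stage.to_bytes(4, "big") + shadow.to_bytes(8, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def poly_eval(coeffs, x):
    """Evaluate a polynomial (lowest degree first) at x over GF(Q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc

def deal_stage(stage, key, coeffs, shadows):
    """Dealer: f(0) = key, deg f = t-1; publish d_i = f(i) - pseudo_share(s_i),
    so no new private share is handed out for this stage."""
    f = [key % Q] + list(coeffs)
    return {i: (poly_eval(f, i) - pseudo_share(s, stage)) % Q
            for i, s in shadows.items()}

def recover(public, submitted):
    """Combiner: Lagrange interpolation at 0 over (i, d_i + submitted share)."""
    pts = {i: (public[i] + ps) % Q for i, ps in submitted.items()}
    key = 0
    for i, y in pts.items():
        num = den = 1
        for k in pts:
            if k != i:
                num = num * (-k) % Q
                den = den * (i - k) % Q
        key = (key + y * num * pow(den, Q - 2, Q)) % Q
    return key

# Constructed values; real shadows are uniformly random field elements.
SHADOWS = {1: 1111, 2: 2222, 3: 3333, 4: 4444}
KEYS = {1: 424242, 2: 777777}
# Fixed coefficients keep the run reproducible; a dealer draws them at random.
PUBLIC = {1: deal_stage(1, KEYS[1], [5, 9], SHADOWS),
          2: deal_stage(2, KEYS[2], [8, 6], SHADOWS)}

def run_stage(stage, ids, share_stage=None):
    """Members of `ids` reveal pseudo shares computed for `share_stage`
    (default: the stage being opened); shadows never leave the holder."""
    src = stage if share_stage is None else share_stage
    submitted = {i: pseudo_share(SHADOWS[i], src) for i in ids}
    return recover(PUBLIC[stage], submitted)

if __name__ == "__main__":
    print(run_stage(1, [1, 2, 4]) == KEYS[1])                 # stage 1 opens
    print(run_stage(2, [2, 3, 4]) == KEYS[2])                 # same shadows, stage 2
    print(run_stage(2, [2, 3, 4], share_stage=1) == KEYS[2])  # replay fails
```

Pseudo shares revealed in stage 1 do not open stage 2, which is the second of the two security requirements for a multi-stage scheme; the ordering between stages that the paper enforces is not modelled here.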
If $t_i$ is set as So disjunctive access structure (1) is a trivial disjunctive access structure of (2). When While a secret can be recovered, except the last secret, a minimum number of the participants whose corresponding level is higher than this secret should be involved. Therefore, when $t_i$ is set as

Efficiency
In this paragraph, we discuss the efficiency of our scheme and give comparisons with the existing popular works [7,27]. In the rest of this paragraph, we compare Tassa [27] and Chen et al. [7] with our scheme. Table 1 shows the comparisons.
From Table 1, our scheme is more computationally efficient than the existing popular works [7,28]. Even though it may be unfair or meaningless to compare a perfect scheme with a computationally secure scheme, schemes with computational security are useful when a weaker security can satisfy the practice and it is hard to find an efficient and perfect scheme. Even though there are more public values in the proposed scheme, our scheme is more efficient than the existing popular schemes.

Conclusion
Based on the linear homogeneous recurrence relations and one-way functions, we propose a multi-stage secret sharing scheme for the hierarchical access structure with the existential quantifier. Each participant holds only one shadow during the whole scheme and the shadow is as long as the secret.
Our scheme overcomes the drawback of schemes based on Birkhoff interpolation, in which the distributor must perform possibly exponentially many checks when assigning identities and shares to the participants. The proposed scheme also overcomes the drawback of Chen et al.'s scheme, in which many matrices must be checked for non-singularity. Our scheme solves the problem pointed out by Tassa through setting
In the future, we will try to design a perfect hierarchical secret sharing scheme based on the LHR relations.