Multisecret-sharing scheme with two-level security and its applications in Blockchain

A $(t,m)$-threshold secret sharing scheme and a multisecret-sharing scheme based on Shamir's SSS are introduced with two-level security using a one-way function. We also give its application in a smart contract-enabled consortium blockchain network. The proposed scheme is thoroughly examined in terms of security and efficiency. Privacy, security, integrity, and scalability are also analyzed while applying it to the blockchain network.


INTRODUCTION
Let $m, t \in \mathbb{N}$ with $1 < t \le m$. In a secret sharing scheme, we divide the given data $s$, which is the secret, into $m$ pieces, each of which is called a share. One can obtain $s$ with the help of any $t$ or more shares but not with $t-1$ or fewer shares. Such a scheme is called a $(t, m)$-threshold secret sharing scheme. Various cryptosystems which are based on a single key have many shortcomings. For example, if the key is maliciously or accidentally disclosed to the public, or if the key's owner is found to be untrustworthy [16], the entire system will be jeopardized; thus secret sharing schemes (SSS) are becoming essential nowadays. In fact, they are used heavily in electronic voting systems, cryptographic protocols, banking systems, etc.
In 1979, Blakley [3] and Shamir [13] introduced secret sharing schemes independently. To solve the secret sharing problem, linear projective geometry was used in [3], whereas the Lagrange interpolation polynomial was used in [13]. After that, the topic attracted a lot of attention, and in the recent past researchers have investigated various types of SSS, including on-line schemes, rational schemes, quantum schemes, Chinese remainder schemes, visual schemes, multiple schemes, proactive schemes, verifiable schemes, ideal schemes, linear schemes, etc. Multisecret-sharing schemes (MSS) are well known among the secret sharing scheme families. As the name suggests, in an MSS [5,19] we have multiple secrets to be shared instead of a single secret.
Blockchain is an open, decentralized, and distributed ledger that can record transactions among multiple parties in an efficient way. Each transaction is hashed (that is, digitally signed with a cryptographically secure function) and then stored in blocks. Each block is linked with the hash of the previous block, which makes it immutable. The concept of blockchain came to light in 2008, when a white paper [11] on the virtual cryptocurrency Bitcoin was published by an anonymous person, Satoshi Nakamoto. Later, it was made functional in 2009. To enhance the privacy and security of blockchain, smart contracts [10] were used. They were first introduced by Nick Szabo in [14].
In [12], the authors used Shamir's secret sharing scheme to distribute transaction data using private key encryption and distributed storage blockchain, keeping the data integrity intact. Similarly, in [8], the authors proposed local secret sharing and applied it to distributed storage blockchain with the aim of reducing the storage and communication cost. A few applications of secret sharing schemes on the blockchain network have also been proposed in various sectors like healthcare [15], smart city architecture [4], supply chain [18], etc. Their objective is to ensure the privacy and security of data against adversaries.
However, a secret sharing scheme has the limitation of dishonest dealers or participants, and none of these works discussed dishonest dealers and participants simultaneously. It is also important to ensure that both the dealers' committee and the participants (or miners) are honest. Since the dealer plays the central role, it is assumed that the dealer must be honest. Also, in recent years, many blockchain-based secret sharing schemes were introduced to overcome the limitation of dishonest participants. To protect the secret from attackers, many authors used a threshold $t/m$ less than $1/2$ [1,6,7,9,17].
In [2], the authors discussed the Dynamic Proactive Secret Sharing (DPSS) scheme, where dealers and participants keep changing and which is based on an honest majority. Then, they discussed the Evolving-Committee Proactive Secret Sharing (ECPSS) scheme, which is a combination of DPSS and a committee-selection protocol. They assume that either PoW or cryptographic sortition can be used to choose the desired committee. It decreases the probability of corrupt members in the committee and prevents the adversary from learning about the committee. Then, they defined Target-Anonymous Channels, which keep the receivers (participants who receive shares of the secret) anonymous.
In this manuscript, we first define an SSS and an MSS based on Shamir's SSS with two-level security, where we initially check the honesty of the participants. Further, only honest participants will get their share for the computation of the secret $s$. Then we apply our scheme to a blockchain network. For this, we replace the dealer with a team (or committee) of dealers, who need to prove their honesty using non-interactive zero-knowledge proofs before taking part in the process of secret generation and distribution. Also, for the generation of a new block, a fresh committee will be formed, depending on the nodes involved in the transaction process. The committee will, however, have a predetermined minimum and maximum number of nodes, and it changes with every block. Moreover, $m$ participants will be chosen in an anonymous way. Once any $t$ of them are able to retrieve the secret and validate the transactions, a new block will be formed and added to the chain. In this case, even if a few cheating participants try to find the secret by involving themselves in the secret recovery process, they will not be able to proceed unless they retrieve the correct encrypted value of the secret, where the encryption is done using a one-way function.
The rest of the manuscript is arranged as follows. Section 2 includes preliminaries. In Section 3, we propose our scheme. The application of the scheme to a blockchain network is discussed in Section 4. In Section 5, we analyze our scheme on the basis of its efficiency and security; in the same section we also examine the privacy, security, integrity, and scalability of the scheme while applying it to the blockchain. Section 6 concludes the manuscript.

Definitions and Preliminaries
Definition 2.1. A secret sharing scheme is a way in which one party (called the dealer) distributes a secret to multiple people (called participants) in such a way that they can collectively recover the secret but individually they cannot.
Let the secret be distributed to $m$ participants. If the secret can only be recovered by any $t$ or more participants, then $t$ is said to be the threshold of the scheme, where $1 < t \le m$. A $(t, m)$-threshold secret sharing scheme is a scheme with threshold $t$ and $m$ participants.
Shamir's secret sharing scheme [13]: In this scheme, Shamir considers two entities: a dealer and a set of participants. The dealer is the one who knows the secret $s$ and distributes its shares (pieces of the secret) to all participants in such a way that the basic properties of an SSS and its threshold are satisfied. For this, he constructs a polynomial $f(x)$ of degree $t-1$ such that the constant term of the polynomial is $s$ and the remaining coefficients are randomly generated.
• Secret distribution: Distribute $(i, f(i))$ to the $i$-th participant, $1 \le i \le m$.
• Secret recovery: Any $t$ or more participants come together and combine their shares $(i, f(i))$ to compute the polynomial $f(x)$ with the help of the Lagrange interpolation polynomial.

Definition 2.6. A distributed ledger is a type of database which records data or information in such a way that it is shared and replicated in its most up-to-date form to all members of the decentralized network. Participants in the network agree on the consensus and update the database in a timely manner using cryptographic signatures, which makes it auditable for the remaining members.
Definition 2.7. [20] A block is a container that holds a series of transactions. A block is divided into two components: the block header and the transaction counter. The block header contains the following.
• Block version: It indicates the validation rules for the block.
• Merkle tree root hash: The aggregate of the hash values of all transactions.
• Timestamp: Current time in seconds/minutes since the start of the network.
• nBits: It is related to the difficulty level for the computation of the new hash and its size in bits.
• Nonce: A variable which keeps increasing with every hash calculation and PoW step.
• Parent block hash: Hash value of the previous block.
The transaction counter contains the transactions. The maximum number of transactions that a block can contain depends on the size of the block, the size of each transaction, and the total number of transactions that occurred in a fixed time interval.

Communication Channel
In previous secret sharing schemes, it is assumed, without testing the honesty of the participants, that the majority of them are honest and thus they become eligible to compute the secret. However, the hypothesis of honest participants may fail. Here we define a two-step secret sharing scheme in which the first step only verifies whether the active participants are honest or not. In this step, instead of sending the shares for the computation of the secret $s$, the dealer (or system) shares the information (along similar lines as in Sections 3.1 and 3.2, or using any available SSS) for the computation of $H(s)$, where $H$ is a one-way function. Once $H(s)$ is computed correctly, the system shares the information for the computation of the secret $s$ only with those participants who participated in the computation of $H(s)$, and then they can collectively compute the secret $s$.
We propose the secret sharing scheme by applying the above procedure to Shamir's SSS for a single secret $s$ and for a multi-secret $s = (s_1, s_2, \ldots, s_m)$.

Set up Phase:
In this scheme, we have $\{P_1, P_2, P_3, \ldots, P_m\}$ as the $m$ participants and $(t, m)$ is the threshold. The dealer $D$ (which can be replaced by the system $S$) chooses $a_i \in \mathbb{F}_p^*$, where $p$ is a large prime such that $m \ll p$, to be the public key of $P_i$, such that $a_i \neq a_j$ for $i \neq j$. Let $s \in \mathbb{F}_p$ be the secret.

Computing and distributing shares:
The dealer chooses a one-way function $H$ and random elements $r_1, r_2, \ldots, r_{t-1} \in \mathbb{F}_p$, and then computes $H(r_1), H(r_2), \ldots, H(r_{t-1})$. He then generates the polynomials $f(x)$ and $h(x)$. The dealer then computes $(h(a_i), f(a_i))$ and initially shares only $h(a_i)$ with the participant $P_i$.

Recovering the secret:
Any $t$ or more participants, upon receiving $h(a_i)$ corresponding to their public key $a_i$, can come forward to compute the polynomial $h(x)$ using Shamir's secret sharing scheme and then send its constant term $H(s)$ to the system. The system verifies $H(s)$ and, after confirming the honesty of at least $t$ participants, reveals $f(a_i)$ only to those $t$ participants $P_i$ who took part in the computation of $h(x)$ and passed the honesty test. Then, they can finally recover the secret $s$.
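The two levels above, run end to end in Python as an added illustration (this is not code from the manuscript). It assumes, as the text describes, that $h(x)$ has constant term $H(s)$ and that its other coefficients are the $H(r_j)$; the one-way function $H$ is taken to be SHA-256 reduced mod $p$, and $p$ is a constructed Mersenne prime. The honesty test is what stops a collusion of fewer than $t$ participants, or a participant who submits a tampered $h(a_i)$, from ever seeing a single $f(a_i)$.

```python
import hashlib
import secrets

P = 2**127 - 1  # constructed field modulus (a Mersenne prime), so m << p holds


def H(x: int) -> int:
    """Assumed one-way function F_p -> F_p: SHA-256 of the element, reduced mod P."""
    return int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % P


def eval_poly(coeffs, x):
    """Evaluate a polynomial given by its coefficient list (constant term first) at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def constant_term(points):
    """Lagrange interpolation at x = 0: the constant term of the degree t-1
    polynomial through t (or more) points (a_i, y_i) with distinct a_i."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


class Dealer:
    """Dealer (or system) side of the (t, m) scheme with two-level security."""

    def __init__(self, secret, t, public_keys):
        # public keys a_i must be distinct elements of F_p^*
        assert len(set(public_keys)) == len(public_keys)
        assert all(0 < a < P for a in public_keys)
        self.t, self.keys = t, list(public_keys)
        r = [secrets.randbelow(P) for _ in range(t - 1)]   # r_1, ..., r_{t-1}
        self.f = [secret % P] + r                          # f(0) = s
        self.h = [H(secret % P)] + [H(ri) for ri in r]     # assumed: h(0) = H(s), coefficients H(r_j)

    def level_one_shares(self):
        """Level 1: each P_i receives only h(a_i); nothing about s itself is sent."""
        return {a: eval_poly(self.h, a) for a in self.keys}

    def level_two_shares(self, claimed_Hs, participants):
        """Level 2: release f(a_i) only if at least t registered participants
        jointly produced the correct constant term H(s); otherwise release nothing."""
        parts = [a for a in participants if a in self.keys]
        if len(set(parts)) < self.t or claimed_Hs != self.h[0]:
            return None
        return {a: eval_poly(self.f, a) for a in parts}


def recover(dealer, submitted):
    """Participant side: interpolate h(x) from the submitted (a_i, h(a_i)) pairs,
    send its constant term to the system, then recover s from the f shares."""
    claimed = constant_term(submitted)
    f_shares = dealer.level_two_shares(claimed, [a for a, _ in submitted])
    if f_shares is None:
        return None                                        # honesty test failed
    return constant_term(list(f_shares.items()))


def demo(secret=97, t=3, keys=(11, 22, 33, 44, 55, 66)):
    """Three runs: t honest participants, only t-1 participants, and t participants
    one of whom submits a tampered h share. Returns the recovered value of each."""
    d = Dealer(secret, t, keys)
    hs = d.level_one_shares()
    honest = [(a, hs[a]) for a in keys[:t]]
    too_few = honest[:t - 1]
    cheat = [(a, (y + 1) % P if a == keys[1] else y) for a, y in honest]
    return {"honest": recover(d, honest),
            "too_few": recover(d, too_few),
            "cheater": recover(d, cheat)}


if __name__ == "__main__":
    print(demo())  # {'honest': 97, 'too_few': None, 'cheater': None}
```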
Set up Phase:
In this scheme, we assume the same set-up as in 3.1.1 for the single secret. Let $s = (s_1, s_2, \ldots, s_m)$ be the secret such that $s_i \in \mathbb{F}_p$. Also, the first $k$ ($1 < k \le t$) bits of $s$ are message bits and the remaining $m-k$ bits are parity bits, with $t \le m-1$.

Computing and distributing shares:
The dealer chooses a one-way function $H$. He computes $s = \sum_{i=1}^{m} s_i$ and makes it public. He then computes $\alpha_i$ and $H(\alpha_i)$ for each $i \in \{1, 2, \ldots, t\}$, where $\alpha_i$ is determined by $s$ and $s_i$ so that $s_i = s - \alpha_i$ (see the recovery step). He then generates the polynomials $f(x)$ and $h(x)$. The dealer then computes $(h(a_i), f(a_i))$, where $a_i$ is the public key of the $i$-th participant $P_i$, and initially shares only $h(a_i)$ with the participant.

Recovering the secret:
Any $t$ or more participants, upon receiving $h(a_i)$ corresponding to their public key $a_i$, can come forward to compute the polynomial $h(x)$ using Shamir's secret sharing scheme and then share it with the system. The system verifies $h(x)$ and, after confirming the honesty of at least $t$ participants, reveals $f(a_i)$ only to those $t$ participants who took part in the computation of $h(x)$ and passed the honesty test. Then, they can recover the polynomial $f(x)$. Once $f(x)$ is recovered, the participants can compute the secret.

Example. The dealer computes $f(a_i)$ and $h(a_i)$ for each $i$ and shares them with the system. The system initially shares $h(a_i)$ with $P_i$ for each $i$, and any 5 or more participants can recover the polynomial $h(x)$. Since $h(x)$ is a polynomial of degree 4 and the active participants have its value at 5 distinct points, they use Lagrange interpolation to compute $h(x)$. They then share it with the system and, after verifying, the system shares the corresponding values of the polynomial $f(x)$ with the respective participants. The participants now compute the polynomial $f(x)$ by the same method. Then, they compute $s_j = s - \alpha_j = 97 - \alpha_j$ for all $1 \le j \le 5$.

Example. Here any 9 or more participants can recover the polynomial $h(x)$. Since $h(x)$ is a polynomial of degree 8 and the active participants have its value at 9 distinct points, they use Lagrange interpolation to compute $h(x)$. They share it with the system and, after verifying, the system shares the corresponding values of the polynomial $f(x)$ with the respective participants. The participants now compute $f(x)$ by the same method and then the $s_j$. Since only the first 6 bits are message bits, the required message is $(3, 5, 7, 9, 11, 3)$.
Multisecret-sharing scheme on a Blockchain Network

Blockchain Architecture
Blockchain is a chain of virtual blocks in which each block contains certain information along with its own hash and the hash of the previous block. In this subsection, we demonstrate how the blocks of the blockchain are formed with the help of the proposed scheme. We impose a few assumptions and then define the structure of the blockchain network to apply this scheme efficiently, as follows.
• Type of blockchain: We assume that our platform is a smart contract-enabled consortium blockchain network with a limited number of members, referred to as nodes. Each member is bound to follow the procedure written in the smart contract, and any kind of violation will lead to a heavy penalty or cancellation of their participation. We refer to any kind of exchange as a transaction.
• Structure of block: Each block is divided into two sections: the block header and the transaction counter. The block header further contains the block version, Merkle tree root hash, timestamp, nBits, nonce (secret), and parent block hash. The transaction counter stores the transactions.
• Generation of a block: We assume that a new block is generated after a finite predetermined time, once the secret corresponding to all the transactions done in that fixed time interval is recovered.
• Channel: We model our scheme as an Evolving-Committee Proactive Secret Sharing scheme and the channel as a Target-Anonymous Channel, as discussed in [2].
• Dealer: There will be a team (or committee) of dealers, freshly formed for the secret generation and validation of each new block. It will be chosen on the basis of the transactions that occurred and the PoW done, where nodes need to prove the validity of their transactions using non-interactive zero-knowledge proofs (i.e., without revealing any information about the transactions) and then generate the shares of the secret to be distributed.
• Secret generation and distribution: To generate the secret $s_{B_i}$ for the $i$-th block, the dealers require the number of transactions in that particular time interval, the number of people involved in the transactions, the transaction IDs, and the total amount debited and credited. The secret will be distributed among random active nodes.
• Participants: Since our scheme follows a Target-Anonymous Channel, the participants (who receive the secret shares) are anonymous. Secret shares will be distributed to a few active nodes (miners) anonymously, and they are required to collectively participate, compute the secret, and verify and validate the transactions (called the mining process).
If the participants are not able to conclude (whether the transaction is valid or not) within the predetermined time interval, it will be considered validated and automatically added to the block, and no further questioning will be allowed.
• Secret recovery: A threshold of 50% is set, that is, at least 50% of the active nodes need to find the secret. Once they recover the secret, they need to verify and validate the transactions.
• Formation of block: Once the transactions are validated, a new block containing all the validated transactions will be formed and added to the longest available chain.
Example 4.1. We illustrate this with an example.
1. Assume that we have 100 participants in our blockchain network and each member is given the identity $U_i$, $1 \le i \le 100$.
2. A new block is generated every τ • minutes, and the active nodes (miners) will be given $\tau_1$ minutes to recover the secret that validates the transactions.
3. Let $T_{i,j}$ be the transaction ID of the $j$-th transaction for the $i$-th block.
4. Let $T_i$ be the concatenation of all the transaction IDs of the $i$-th block.
6. Then $U_1, U_2, U_3, \ldots, U_{14}$ form the committee of dealers, and they need to validate the transactions using zero-knowledge proofs before the generation of the secret.
7. Once they are all convinced of all the transactions, they reveal their transaction IDs and the amounts credited to or debited from their accounts. Finally, they generate the secret $s_{B_k}$ for the $k$-th block, where $s_{B_k} = E(N_{trans}, N_{peop}, T_k, A_{deb}, A_{cred})$ is an $m$-tuple such that the first $t$ bits are message bits and the remaining $m-t$ bits are parity bits, $N_{trans}$ is the number of transactions that happened in that particular time interval, $N_{peop}$ is the number of people involved in the transactions, $T_k$ is as defined above, $A_{deb}$ and $A_{cred}$ represent the total amount debited and credited respectively (note that $A_{deb} = A_{cred}$), and $E$ is the encryption function which maps a 5-tuple to an $m$-tuple.
8. The dealers then submit $s_{B_k}$ to the system, and the system runs our MSS and distributes the shares to $m$ random participants (active nodes) using the Target-Anonymous Channel. Any $t$ nodes can compute the secret and then verify and validate the transactions within the given $\tau_1$ minutes.
9. Once the verification and validation are done, a new block is added to the chain using all the parameters required for the block header and block generation.

Applications on various sectors
We can effectively apply our scheme to different sectors such as national security, healthcare, supply chain management, the decision-making process of a company, elections, etc., where crucial and confidential information is required to be shared with a group of people in such a way that no adversary gets any information about it. A few of them are mentioned below.
1. National security is a serious concern. Even a small attack or information leakage can have major consequences. Thus, we can use this scheme to protect the data. Also, authorities from different departments can communicate and take decisions accordingly. For example, the Nuclear Command Authority (NCA) of India, which is responsible for command, control, and operational decisions regarding India's nuclear weapons programme, can interact with the Political Council headed by the Prime Minister of India and the Executive Council headed by the National Security Advisor to take a decision regarding a nuclear test in such a way that no outsider gets the information prior to the completion of the test.
2. If the board of directors of a company takes a crucial decision which can affect the overall growth of the company, then the shareholders can verify whether the decision taken by the board will add to the future growth of the company or not, and they can question it accordingly.
3. In the healthcare sector, patients can share their medical history (including medications, health issues, lab results, etc.) with the hospital, termed health information exchange (HIE), and the hospital can further forward it to specialists and other relevant departments within it. It also helps in storing the electronic health record (EHR) of the patient.
4. To apply our scheme to a supply chain, three basic entities can be considered: suppliers, enterprises, and market dealers. An enterprise can send its requirements and ask for quotations from the suppliers in encrypted form through the blockchain platform. Similarly, enterprises can share their product information and quotations with market dealers.

Analysis of Multisecret-sharing scheme
We now show that our scheme is secure by proving that any $t-1$ or fewer participants cannot retrieve the secret. Suppose, if possible, that $t-1$ participants come together to compute the secret $s$. For this they initially need to compute the polynomial $h(x)$.
Without loss of generality, we assume $P_1, P_2, \ldots, P_{t-1}$ are the $t-1$ participants and $(a_i, h(a_i))$ are their respective shares. Also, $h(x)$ is a polynomial of degree $t-1$ with $t$ coefficients. Thus we have a system of $t-1$ linear equations in $t$ variables, where $A$ is a $(t-1) \times t$ matrix. Since all the $a_i$'s are distinct and $A$ is a submatrix of a Vandermonde matrix of size $t \times t$, the rank of $A$ is $t-1$. For every $H_0 \in \mathbb{F}_p$ there exist unique $H_1, H_2, \ldots, H_{t-1}$, which implies there are at least $p$ solutions. Thus, our scheme is secure against the attack made by any $t-1$ or fewer participants. Therefore, our scheme is perfect.
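The linear system behind this argument, written out with the symbols above (an added derivation, not from the manuscript). Write $h(x) = H_0 + H_1 x + \cdots + H_{t-1} x^{t-1}$ with $H_0 = H(s)$. The $t-1$ colluding participants know

$$
A \begin{pmatrix} H_0 \\ H_1 \\ \vdots \\ H_{t-1} \end{pmatrix}
= \begin{pmatrix} h(a_1) \\ h(a_2) \\ \vdots \\ h(a_{t-1}) \end{pmatrix},
\qquad
A = \begin{pmatrix}
1 & a_1 & a_1^2 & \cdots & a_1^{t-1} \\
1 & a_2 & a_2^2 & \cdots & a_2^{t-1} \\
\vdots & \vdots & \vdots & & \vdots \\
1 & a_{t-1} & a_{t-1}^2 & \cdots & a_{t-1}^{t-1}
\end{pmatrix}.
$$

Fix a candidate value $H_0 = c$ and move its column to the right-hand side:

$$
A' \begin{pmatrix} H_1 \\ \vdots \\ H_{t-1} \end{pmatrix}
= \begin{pmatrix} h(a_1) - c \\ \vdots \\ h(a_{t-1}) - c \end{pmatrix},
\qquad
\det A' = \prod_{i=1}^{t-1} a_i \prod_{1 \le i < j \le t-1} (a_j - a_i) \neq 0,
$$

where $A'$ consists of the last $t-1$ columns of $A$ and its determinant is non-zero because the $a_i \in \mathbb{F}_p^*$ are distinct. Hence every $c \in \mathbb{F}_p$ extends to exactly one solution $(c, H_1, \ldots, H_{t-1})$, so the $t-1$ shares are consistent with all $p$ possible values of $H(s)$ and reveal nothing about it; the same computation with $f(x)$ in place of $h(x)$ shows that $t-1$ values $f(a_i)$ reveal nothing about $s$.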

Analysis of the scheme on Blockchain Network
• Privacy: The dealers first need to convince each other regarding their valid transactions using zero-knowledge proofs, and then the secret is generated using the encryption of the transaction details. Moreover, the honesty of the participants is tested. Thus this scheme maintains privacy.
• Integrity: Data is stored after two-level verification (using our scheme) in the blockchain network, and once it is recorded in a block, it cannot be removed. Also, each block is linked with the previous block hash, and any change in a transaction will lead to a change in the hash value of all subsequent blocks. Thus, the data stored is immutable and permanent.
• Security: In our blockchain network, all nodes are treated equally, and new nodes can join only after signing the smart contract and proper verification by the active nodes. Further, they are required to prove their honesty before getting any information (shares) about the secret. Also, each block is added to the blockchain network only after it has been verified and validated by at least $t$ participants. Thus, it provides security against double spending. Also, our scheme is secure against the Finney attack, race attack, 51% attack, and Sybil attack.
• Scalability: Scalability in blockchain refers to the ability of the platform to expand as required and support the increasing load of transactions and nodes in the network.
The performance of a blockchain network is measured on the basis of the average time taken to validate a transaction. An increase in the number of nodes will lead to an increase in the number of transactions, which will affect its performance. Each transaction requires space to be stored in a block. Moreover, since blockchain is decentralized, each node requires enough space to store the data, which increases the storage and maintenance cost. Also, every node must keep an updated record, which decreases the transmission speed.
To resolve these issues, we have designed our algorithm in such a way that there will be only a limited number of nodes. Moreover, the secret sharing data can be deleted after the secret is recovered and the block formation process is done.
Also, to resolve the storage issue for every node, a few supercomputers can be installed which store the data in place of each node. It will also protect the network from a single point of failure; nodes can still be given access to that information. We can also use the method of sharding, which involves splitting a blockchain into multiple pieces (called shards) and storing them at different places. It helps to manage the storage and cost problem as the number of transactions increases.
Moreover, a limited number of nodes and limited transactions will enhance the transmission speed, and compacting multiple transactions into an $m$-length secret will also reduce the storage requirement.
Since each transaction holder has already convinced the other dealers of the validity of the transaction, we assume that if the participants are not able to conclude (whether the transaction is valid or not) within a predetermined time interval, it is considered validated and automatically added to the block. In this way, we can somewhat reduce the scalability issue in our MSS-based blockchain network.

Conclusion
In this manuscript, we introduce a $(t, m)$-threshold secret sharing scheme and a multisecret-sharing scheme with two-level security based on Shamir's SSS using a one-way function. Then we generalize the scheme to multiple dealers (called a committee of dealers) to efficiently apply it to the blockchain network.

Definition 2.5. A function $T : A \to B$ is said to be a one-way function if, for any $b \in B$, it is computationally hard to find some $a \in A$ such that $T(a) = b$ in polynomial time.