Verifiable Multi-Secret Sharing Schemes Based on XTR
arXiv:2011.08648v1 [cs.CR] 17 Nov 2020 • • I eu ierrcrin 1]t nraeteefiinyof efficiency respectively. the phase, increase reconstruction to nonhomoge- and construction [14] and the recursions homogeneous DM2 linear and the [12] neous employ (DM1 schemes which VMSS [13]), efficient of types new schem distrib sharing secret to Shamir’s interpolation [8], [1]. to Lagrange similar schemes are use which these still secrets, [11] all [10], However, verifiable [9], efficient. their make more to time first property and the Dehkordi for schemes 2007, [20] VMSS cryptosystem in into key public Then, RSA introduced does channel. [11] scheme security Mashhadi this a that need so [10] choose themselves not (ZZZ) participants by al. where shadows own et scheme, their VMSS Zhao [9] new 2006, Cao a In and proposed channel. still Shao private scheme 2005, a this in However, requires scheme, scheme. improved this an on presented Based [8]. al. et and [7] on. blockchain [6], [5], computation [4], multiparty scheme secure commitment [3], cryptography cryptography, threshold modern as such of applications many in components aucitrcie pi 9 05 eie uut1,2015 Yang.) 16, Jing August revised author: 2015; 19, April received Manuscript L OF JOURNAL I 1 r infiatt rtc ertky,wihaecritical are which keys, secret protect to significant are T -al [email protected] E-mail: China. Technol LP 300071, Security Tianjin, Data and University, and Mathematics Network of of Institute Laboratory Chern Key Tianjin the with is Fu Fang-Wei LPMC [email protected] and E-mail: Mathematics China. Technol 300071, Security of Tianjin, Data Institute University, and Network Chern of Laboratory the Key Tianjin with is Yang Jing ute,i 08 ekriadMshd rsne two presented Mashhadi and Dehkordi 2008, in Further, Yang by proposed was scheme VMSS efficient an 2004, In Abstract ulckysse,adcnrealize pha can verification and the system, in key check public de validity cannot adding 2008 by in schemes Mashhadi VMSS and Dehkordi by presented schemes simultaneously secrets multiple share which sufficiently, rpsdmn mrvmn cee.Aogalteeschemes these all Among schemes. improvement many proposed a civ h aescrt ee ihsotrparameters shorter with fe level linear security and same RSA the using achieve schemes can VMSS the with Compared prime. yaim hehl changeable. threshold dynamism, ne Terms Index changed. our be implement to to needs efficient threshold is the it Cryptogr that Curve means Elliptic which on changeable, based schemes those than operate NTRODUCTION swl-nw htsce hrn cee 1,[2] [1], schemes sharing secret that well-known is New cee ae nXRpbi e system key public XTR on based schemes A T Sce hrn a rpsdpiaiyi 99t ov h p the solve to 1979 in primarily proposed was sharing —Secret E LS IE,VL 4 O ,AGS 2015 AUGUST 8, NO. 14, VOL. FILES, CLASS X Vrfibemlisce hrn,XRpbi e ytm tr system, key public XTR sharing, multi-secret —Verifiable ( ,l m l, k, GF ( ) p 6 vrfibemlisce sharing multi-secret -verifiable ) euiyb opttosin computations by security igYn n agWiFu Fang-Wei and Yang Jing (Corresponding . g,Nankai ogy, Nankai ogy, n eciemlcosdae swl spriiat.B po By participants. as well as dealer malicious perceive and C and MC, yuigtaefnto.Wa’ oe u cee r uhsi much are schemes our more, What’s function. trace using by and , cee codn oteata iuto hnparticipant when situation actual the to according schemes py(C) nadto,orshmsaednmcadthresho and dynamic are schemes our addition, In (ECC). aphy ute et vroeti rwak u e cee r ae nXTR on based are schemes new Our drawback. this overcome to se so In e etsm iiu eair ftedae,w rps w new two propose we dealer, the of behaviors vicious some tect h eial ut-ertsaig(MS cee r stu are schemes (VMSS) sharing multi-secret verifiable the , ✦ daksitrgse LS)pbi e rpoytm,our cryptosystems, key public (LFSR) register shift edback T ulckysse a elz h euiylvlin level security the realize can system fact, GF In key cost. storage public communication the and reduce XTR [22], cost to system function computation trace data, key of of public use XTR full by make which schemes DM2 improve to to LZZ of level. length also security key same but public the dealer, and achieve private the the and of participants one-third LFSR use perceive both using only of not by deception can same schemes the schemes YF DM3 the cryptosystem. on key have based public [16] [21] modified (YF) proposed DM3 have schemes We and [19]. in mentioned [13] cryptosys- as key drawback DM2 public Similarly, RSA by tem. schemes new behaviors hostile presented dealer’s and some detect cannot schemes DM1 key public and private shorter have length. schemes 2015, recursions their in linear make key Then, to public nonhomogeneous data. LFSR new used the and [16] of cryptosystem (DM3) [15] validity Mashhadi (HLC) the and verify al. Dehkordi cryptosystem to key et public [18] Hu LFSR [17], time, and sequence operating LFSR the utilized reduce to order ,w eiwtennooeeu ierrcrin XTR recursion, linear nonhomogeneous the review we 2, be will which proposed properties our good of later. discussed many Therefore, optimization have the . schemes of cryptosystem VMSS case key special system public a key LFSR as public considered XTR be Further, can and ECC. same parameter than the of generation procedure achieve simpler key to has and cryptosystems level, than public security length key LFSR shorter and and needs RSA system cryptosystems key key public public XTR ECC, LFSR RSA, with Compared GF c ucin hre e aaees atkygeneration, key fast parameters, key shorter function, ace olmo e itiuin nrcn eae,researchers decades, recent In distribution. key of roblem nti ok epooetonvlVS schemes VMSS novel two propose we work, this In and ZZZ that found [19] (LZZ) al. et Liu Nevertheless, h eto hsppri raie sflos nSection In follows. as organized is paper this of rest The ( p ( 6 p ) 2 ) ycmuain in computations by ihu xlctcntutosof constructions explicit without GF ( p GF 2 ) where ( nigotta the that out inting p 6 ) where , ,scesor secrets s, pe to mpler p ld schemes died saprime. a is p sa is have 1 JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 2
public key system, and give the review and attack on DM2 where c,c0,c1, ··· ,ck−1 are constants in GF (q). Therefore, i k+1 schemes. In Sections 3 and 4, we propose our two new VMSS ui = p(i)(−1) , where p(i) = A0 + A1i + ··· + Ak+1i schemes respectively. We present the security analysis in and A0, A1, ··· , Ak+1 are in GF (q). Section 5, and in Section 6 we give the performance analysis. Theorem 2. Let GF (q) be a finite field, where q is a Finally, we conclude our schemes in Section 7. prime. Assume that the sequence (ui)i≥0 is defined by the following NLR equations:
2 PRELIMINARIES u0 = c0,u1 = c1, ··· ,uk−1 = ck−1, k 2.1 Nonhomogeneous linear recursion [NLR2] = k (2) (−1)j u = ci (i ≥ 0), In this subsection, we firstly introduce the linear recurring j i+k−j j sequence [14]. X=0 Definition 1. Let k be a positive integer, and where c,c0,c1, ··· ,ck−1 are constants in GF (q). Therefore, k+1 c,a1,a2, ··· ,ak be given elements of a finite field GF (q) ui = p(i), where p(i) = A0 + A1i + ··· + Ak+1i , and where q is a prime. If {ui}i≥0 satisfies the relation A0, A1, ··· , Ak+1 are in GF (q).
ui+k = akui+k−1 + ··· + a1ui + c (i =0, 1, ··· ) (∗), 2.2 The XTR public key system then {ui}i≥0 is called a kth-order linear recurring sequence in GF (q). In 2000, Lenstra and Verheul proposed the XTR public key system [22], utilizing the third-order LFSR sequence. Remark 1. Note that the terms u0,u1, ··· ,uk−1, which can determine the rest of the sequence uniquely, are referred Actually, XTR public key system belongs to LFSR sequence to as the initial values of the sequence. A relation of the form public key system [17], [18], [22]. (∗) is called a kth-order linear recurrence relation. If c=0, we Firstly, in 1999, Gong and Harn proposed LFSR public call (∗) a homogeneous linear recursion. Otherwise, (∗) is a key cryptosystem [17], [18], i.e., GH public key system, which is based on a third-order LFSR sequence generated nonhomogeneous linear recursion (NLR). 3 2 k by an irreducible polynomial f(x) = x − ax + bx − 1, For a kth-order linear recurring sequence {ui}i≥0, x + k−1 where a,b ∈ GF (p) and p is a prime. a1x + ··· + ak = 0 is called its auxiliary equation, and ∞ i Compared with LFSR public key cryptosystem, XTR U(x)=Σ uix is called its generating function. i=0 public key system requires b = ap where a ∈ GF (p2), anda Lemma 1. Let GF (q) be a finite field, where q is a prime. 6 ∗ 2 m1 m2 m q GF (p ) q|(p − p + 1) Suppose that (x − α ) (x − α ) ··· (x − α ) l =0 is the special group with order in where 1 2 l q > auxiliary equation of a kth-order linear recurring sequence and 3. In other words, the irreducible polynomial used in XTR public key system is f(x) = x3 − ax2 + apx − 1, {ui}i≥0 in GF (q), where m1 + m2 + ··· + ml = k. Then the where a ∈ GF (p2). Actually, XTR is the first method which generating function of {ui}i≥0 is utilizes computations on GF (p2) to achieve GF (p6) security R(x) GF (p6) U(x)= , without requiring explicit construction of . m1 m2 m (1 − α1x) (1 − α2x) ··· (1 − αlx) l Then we review some basic knowledge about the XTR public key system, which can be found in [22], [23]. where R(x) is a polynomial of x with deg(R(x)) < k in Definition 2. Let p > 3 and q > 3 be two primes, GF (q)[X]. 2 i i i satisfying p ≡ 2 (mod 3), and q|(p − p + 1). Let g be an Further, ui = p1(i)α1 + p2(i)α2 + ··· + pl(i)αl , where 6 ∗ 6 ∗ 2 mj−1 element with order q in GF (p ) , where GF (p ) is the pj (i)= A + A i + A i + ··· + Am −1 i , j =1, 2, ··· ,l. 0 1 2 j multiplicative group of the finite field GF (p6). Then, we Notice that A , A , ··· , Am −1 are undetermined constants 0 1 j refer to the subgroup
Definition 5. Given c = T r(g), cn ∈ T r(< g >), nN = lcm(#Ep1 (0, v), #Ep2 (0, v)), and #Ep(0, v) denotes the XTR-DL problem is to find 0 ≤ n < q such that the order (i.e., the number of points) of the elliptic curve n cn = T r(g ). Ep(0, v). The following theorem has been proved in [22], [23]. (2) For i =1, 2, ··· ,m, D calculates R0 = dQ and Bi = Theorem 4. The XTR-DL problem is equivalent to the dRi over EN (0, v). discrete logarithm problem in
The security of XTR public key system is based on where xBi and yBi are the x-coordinate and the y-coordinate constructing a one-way trapdoor function through XTR-DL of the point Bi over EN (0, v) respectively. problem. In order to achieve this goal, when we know the (4) D chooses an integer c (c < q) and considers a NLR values of T r(g) and n, we need to compute the values of defined by the following equations: T r(gn) efficiently, which has been solved by Lenstra and u = I ,u = I , ··· ,u = I , Verheul in [22]. 0 1 1 2 k−1 k k Finally, we give the definition of XTR public key system. k (3) (−1)ju = ci (mod q) (i ≥ 0). Definition 6. Let p > 3 and q > 3 be two primes such j i+k−j j that p ≡ 2 (mod 3) and q|(p2 − p + 1). Let g be an element X=0 6 ∗ in GF (p ) with order q, and {p,q,g,Tr(g)} be public (5) For k ≤ i ≤ m + l +3, D calculates ui. parameters. All the computations here are implemented in (6) D calculates yi = Ii − ui−1 for k plaintext M ∈ GF (p2) and a Verification phase secret random integer b (1 ciphertext c = (T r(gb), E), k Assume that at least k participants {Pi}i=1 use their k T r gbk k and the secret key , and ( ) can be computed by shares {Bi} to recover the secrets S1,S2, ··· ,Sl.A b i=1 Algorithm 2.3.7 [22] using k and T r(g ). Then, the plaintext participant Pi can check the validity of the secret shares bk −1 is M = E ∗ T r(g ) . provided by the other authorized participants by the steps as follows: 2.3 Review and attack on DM2 schemes eBj = Rj over EN (0, v) for j =1, 2, ··· , k and j 6= i. Recovery phase In this subsection, we review DM2 schemes [13] simply Assume that any k participants {P } use their shares which are based on ECC, and then provide a kind of attack i i∈I {B } to recover the secrets: on DM2 schemes. Because the two schemes in [13] are i i∈I (1) Calculate I = x + y for i ∈ I. similar, we take the type 1 scheme as an example. i Bi Bi (2) Calculate k terms {ui−1}i∈I in the equations (3) using the formulas as follows: 2.3.1 Review of DM2 schemes Initialization phase Ii if 1 ≤ i ≤ k, ui−1 = Let S1,S2, ··· ,Sl be l shared secrets among m partic- (Ii − yi ifkprime number such that k (3) Utilize k+2 pairs (i−1,ui−1)i∈I , (m+l+2,um+l+2), q > j = 1, 2, ··· , k k j for , where is the threshold of and (m + l +3,um+l+3) to construct the polynomial p(x) this scheme. with degree k +1: Firstly, the dealer D chooses two large primes p1 and x − X p x Y j q , p2, and calculates N = p1p2. Let v be an integer such that ( )= i (mod ) ′ ′ Xi − Xj 2 i∈I j∈I ,j=6 i gcd(27v ,N)=1. The elliptic curve EN (0, v) over the ring X Y ZN is the set of points (x, y) ∈ ZN × ZN satisfying the k+1 = A0 + A1x + ··· + Ak+1x (mod q). equation y2 ≡ x3 + v (mod N) together with the point at ′ ′ infinity ON . Notice we use (Xi, Yi) for i ∈ I where I = I ∪{m + l + Then, D considers Q ∈ EN (0, v) such that the discrete 2,m + l +3} to denote these k +2 pairs, respectively. logarithm problem is infeasible in cyclic group < Q >. (4) Calculate uj = p(j) for j = m +1,m +2, ··· ,m + l. Finally, D publishes {N,Q}. (5) Recover Sj = um+j + rj for j =1, 2, ··· ,l. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 4 2.3.2 Attack on DM2 schemes 3.1 Initialization phase Notice that when authorized participants recover the se- D represents the dealer. Let P = {P1, P2, ··· , Pm} be the crets, these participants only check the validity of Bi by collection of participants, and k (k ≤ m) be the threshold. whether eBi equals to Ri, while the consistence between At first, the dealer D performs the following operations: B u u i and { i} is not verified. Thus when the sequence { i} (1) D randomly chooses two primes p, q (p > 3,q > 3) or {yi} is generated in the construction phase, a malicious 2 ′ ′ with λ bits satisfying p ≡ 2 (mod 3), q|(p − p + 1) and D can substitute the true Bi = dRi with a fake Bi = dRi k ′ q> for j =0, 1, ··· , k. (Ri 6= Ri) over EN (0, v), which means that: j D e gcd(e,n )= ∗ (1) chooses a random integer such that N (2) D selects an element g of GF (p6) with order q 1 d ed ≡ de ≡ 1 (mod n ) and calculates such that N . satisfying that XTR-DL problem with the base g is infeasible. (2) For i =1, 2, ··· ,m, D calculates R = dQ and B = 0 i Then D computes T r(g). dR over E (0, v). i N (3) D chooses b ∈ Z (1
where xBi and yBi are the x-coordinate and the y-coordinate of the point Bi over EN (0, v) respectively. (4’) D selects an integer c (c < q) and considers the 3.2 Construction phase following formulas: ∗ Let S1,S2, ··· ,Sl ∈ GF (q) be l secrets. Then D generates u0 = I1,u1 = I2, ··· ,uk−1 = Ik, a subshadow ui for each participant Pi as follows: k (1) Randomly chooses c ∈ GF (q)∗ for i = k i (−1)j u = ci (mod q) (i ≥ 0). 0, 1, 2, ··· , k − 1. j i+k−j j=0 c GF q ∗ X (2) Chooses a random constant ∈ ( ) , considers D u k i m l [NLR1] presented by the following equations and computes Then calculates i for ≤ ≤ + +3. ′ ′ ′ ui for k ≤ i ≤ m + l +1: (5’) D replaces the Ii with Ii to calculate yi = Ii − ui−1, ′ where Ii 6= Ii, then calculates other yj = Ij −uj−1 (k < j ≤ u0 = c0,u1 = c1, ··· ,uk−1 = ck−1, m, j 6= i) and ri = Si − um+i (1 ≤ i ≤ l) correctly. ′ k (6’) D releases (R0,e,r1, r2, ··· , rl,yk+1,yk+2, ··· ,yi, [NLR1] = k i ui+k−j = c(−1) i (mod q)(i ≥ 0). ··· ,ym,um+l+2,um+l+3). j j=0 In the recovery phase, since Pi can not discover the X P B replacement, i still offers the true i that conflicts with (3) Computes zi = Si − um+i−1 (mod q) for i = the sequence {ui} or {yi} produced by the dealer as above. 1, 2, ··· ,l. So the recovered secrets are not valid. Nonetheless, at least k (4) Computes T r(gbxi ) by using T r(gxi ) and b, then participants without Pi can reconstruct secrets successfully. bxi Ei = T r(g ) ∗ ui−1 (mod q) for 1 ≤ i ≤ m. Actually, it is difficult to verify which Ii is substituted. So ui−1 2 (5) Computes Ti = g (mod p ) for 1 ≤ i ≤ m. DM2 schemes [13] cannot prevent this kind of malicious (6) Releases (E1, E2, ··· , Em,T1,T2, ··· ,Tm,z1,z2, ··· , behavior of the dealer. In addition, if more than one Ii is re- ′ zl,c,um+l,um+l+1). placed by the dealer with some invalid Ii, the circumstance is even more complex. 3.3 Verification phase 3 SCHEME 1 Each Pi can get its subshadow ui−1 by the following way. bx b In this section, in order to get rid of the drawback as men- At first, Pi can compute T r(g i ) by using xi and T r(g ) for tioned in Section 2.3.2, we propose a novel VMSS scheme by 1 ≤ i ≤ m. Then Pi will get ui−1 by using [NLR1], XTR public key system, discrete logarithm bxi −1 problem and XTR-DL problem. ui−1 = Ei ∗ T r(g ) (mod q), 1 ≤ i ≤ m. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 5
The validity and consistence of Pi’s subshadow ui−1 4.2 Construction phase with public messages can be checked as follows: In this phase, we replace [NLR1] with [NLR2], and the rest k is identical to Scheme 1. k i j ? c(−1) i 2 u0 = c0,u1 = c1, ··· ,uk−1 = ck−1, (Ti+1+k−j ) = g (mod p ), k j=0 [NLR2] = k Y (−1)j u = ci (mod q)(i ≥ 0). i+k−j ? j ui−1 2 j=0 Ti = g (mod p ). X If the verification succeeds, Pi thinks that its subshadow 4.3 Verification phase ui−1 is true and is consistent with public messages. If every Each Pi can get its subshadow ui−1 by computing ui−1 = verification succeeds, participants think that D is honest. bx −1 Ei ∗ T r(g i ) (mod q) for 1 ≤ i ≤ m. The validity and consistence of Pi’s subshadow ui−1 with public messages 3.4 Recovery phase can be checked as follows:
Suppose that at least k participants {Pi}i∈I (I ⊆ k k (−1)j {1, 2, ··· ,m}) use these subshadows {ui−1}i∈I to recover j ? ci 2 (Ti+1+k−j ) = g (mod p ), the shared secrets. Every Pi can check the validity of j=0 {uj−1|j ∈ I, j 6= i} as follows: Y
? ui−1 2 uj−1 ? 2 Ti = g (mod p ). g = Tj (mod p ), j ∈ I andj 6= i. If the verification succeeds, P thinks its subshadow u There are two ways to recover the secrets. From these i i−1 is true and is consistent with public messages. If every two ways, we can see that Scheme 1 is a (k,l,m)-threshold verification succeeds, participants think that D is honest. secret sharing schemes. Way 1: Owning k true subshadows {ui−1|i ∈ J ⊆ I, |J| = k} and the published {um+l,um+l+1}, they can use 4.4 Recovery phase Theorem 1 to get the following equations, where i ∈ J ′ = Assume that at least k participants {Pi}i∈I (I ⊆ J ∪{m + l +1,m + l +2}: {1, 2, ··· ,m}) use these subshadows {ui−1}i∈I to recover k+1 i−1 the shared secrets. Each Pi can check the validity of z0+z1(i−1)+···+zk+1(i−1) = ui−1(−1) (mod q). {uj−1|j ∈ I, j 6= i} as follows: Solving these k +2 equations or using Lagrange interpo- uj−1 ? 2 lation formulas, they have z0 = A0,z1 = A1, ··· ,zk+1 = g = Tj (mod p ), j ∈ I andj 6= i. Ak+1 in GF (q). Next, they get There are two ways to recover the secrets. From these two ways, we can see that Scheme 2 is also a (k,l,m)- − · · · − k+1 − i−1 ui−1 =(A0 +A1(i 1)+ +Ak+1(i 1) )( 1) (mod q) threshold secret sharing schemes. Way 1: Owning k true subshadows {u |i ∈ J ⊆ where i ∈{1, 2, ··· ,m + l +2}\J ′. i−1 I, |J| = k} and the published {u ,u }, they can use Finally, they recover the secrets: S = z + u m+l m+l+1 i i m+i−1 Theorem 2 to get the following equations, where i ∈ J ′ = (mod q), i =1, 2, ··· , l. J ∪{m + l +1,m + l +2}: Way 2: If owning k successive {ui−1,ui, ··· ,ui+k−2}, k+1 these participants can get uj (j = i+k−1,i+k, ··· ,m+l−1) z0 + z1(i − 1)+ ··· + zk+1(i − 1) = ui−1 (mod q). by the following equations: Solving these k +2 equations or using Lagrange interpola- k k tion formulas, they get z0 = A0,z1 = A1, ··· ,zk+1 = Ak+1 u = c(−1)nn (mod q) (n ≥ 0). j n+k−j in GF (q). j X=0 Next, they get Finally, they can recover the secrets: S = z + u i i m+i−1 u = A + A (i − 1)+ ··· + A (i − 1)k+1 (mod q) (mod q), i =1, 2, ··· , l. i−1 0 1 k+1 where i ∈{1, 2, ··· ,m + l +2}\J ′. Finally, they recover the secrets: Si = zi + um+i−1 4 SCHEME 2 (mod q), i =1, 2, ··· , l. In this section, in order to get rid of the drawback as men- Way 2: If owning k successive {ui−1,ui, ··· ,ui+k−2}, tioned in Section 2.3.2, we propose a novel VMSS scheme by these participants can get uj (j = i+k−1,i+k, ··· ,m+l−1) using [NLR2], XTR public key system, discrete logarithm by the following equations: problem and XTR-DL problem. k k (−1)ju = cn (mod q) (n ≥ 0). j n+k−j j 4.1 Initialization phase X=0 The initialization phase in Scheme 2 is the same as Scheme Finally, they can recover these secrets: Si = zi + um+i−1 1. (mod q), i =1, 2, ··· , l. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 6
5 SECURITY ANALYSIS DM2 schemes R The security of presented schemes is based on the nonhomo- 0 geneous linear recursion, XTR public key system, discrete logarithm problem and XTR-DL problem. Then we analyze P D our schemes from three aspects. i
5.1 Correctness Ri In this subsection, we discuss the correctness of our Pi : Ri = siQ,si is the secret shadow ofPi D : R0 = dQ, d is the secretshadow of D schemes. secret share : Bi = siR0 = dRi,Ii = xBi + yBi Theorem 5. If the dealer and correlated participants be- Ii, 1 ≤ i ≤ k have honestly, any k participants can reconstruct the shared subshadow ui−1 = (Ii − yi,k + 1 ≤ i ≤ m secrets. our schemes Proof. We can utilize two ways mentioned in Sections Ei 3.4 and 4.4 to recover those secrets. The correctness of Way 1 is based on solving k +2 simul-
taneous equations or using Lagrange interpolation polyno- Pi D mials with random k subshadows {ui−1|i ∈ J, |J| = k} and the published {um+l,um+l+1}. In Theorem 1 and Theorem k p x yi 2, there are +2 uncertain coefficients in ( ). Therefore, x Pi : yi=Tr(g i ) p(x) can be uniquely defined, which means that any autho- bx D : Ei = Tr(g i ) ∗ ui−1 k bx −1 rized participants can reconstruct the secrets. ui−1 = Ei ∗ Tr(g i ) The correctness of Way 2 is based on a nonhomoge- subshadow = ui−1, 1 ≤ i ≤ m neous linear recursion with degree k. Note that we require that the indices of these subshadows are successive. Since Fig. 1: The difference between DM2 schemes and our [NLR1] and [NLR2] are both nonhomogeneous linear re- schemes cursions with degree k, these participants have to compute k terms uj (j = i − 1, i, ··· ,i + k − 2) to obtain other uj′ ′ phase, where ui−1 is Pi’s valid subshadow. This implies that (j = i + k − 1,i + k, ··· ,m + l − 1), which means that they ′ ui−1 ui−1 2 can recover the shared secrets. Ti = g ≡ g (mod p ), and Remark 3. Next, we will discuss the reason why we k k publish {um+l,um+l+1} instead of other subshadows. i j c(−1) i 2 (Ti k−j ) = g (mod p ) At first, {u0,u1, ··· ,um−1} are subshadows of +1+ j=0 participants {P1, P2, ··· , Pm} respectively. Besides, Y {um,um+1, ··· ,um+l−1} are correlated to the shared or secrets {S1,S2, ··· ,Sl}. Then only um+l and um+l+1 not j k only can satisfy the requirement, but also will not disclose k (−1) j ci 2 any information about subshadows and secrets. (Ti+1+k−j ) = g (mod p ). j Y=0 ′ ′ 5.2 Verifiability Because ui−1,ui−1 ∈ GF (q), the probability of ui−1 6= ui−1 Theorem 6. In the construction phase, it is impossible for is negligible in the equations mentioned above, which the dealer to cheat participants. means that it is impossible for the dealer to cheat partici- Proof. From the Figure 1, in DM2 schemes [13], we pants successfully in the construction phase. know that each Pi chooses its secret shadow si, calculates Theorem 7. In the recovery phase, it is impossible for the Ri = siQ, and sends Ri to D. After that, D selects its secret participant Pi to cheat other participants and the dealer. ′ ′ shadow d to compute R0 = dQ, then transforms R0 to Proof. When a malicious Pi provides ui−1 (ui−1 6= ui−1) in the recovery phase, it implies that other participants can Pi. Hence, both D and Pi can calculate the secret share by ′ ui−1 ui−1 2 Bi = siR0 = dRi. Nevertheless, whether Bi used in the obtain Ti = g 6= g (mod p ), which means that the generation of {ui−1} is identical to that offered by Pi is not malicious participant can be found in the recovery phase. checked. Theorem 8. In the recovery phase, it is impossible for In contrast, in our schemes, Pi chooses xi and keeps it two conspirators Pi and Pj to collude to cheat other partic- x secret from D. Pi sends yi = T r(g i ) to the dealer, where yi ipants and the dealer. bxi is the public key of xi. Then D gets Ei = T r(g ) ∗ ui−1 by Proof. If Pi and Pj conspire, they exchange their secret choosing a random number b from (1, q − 2). After that, Pi key xi and xj privately. Thus Pi gets uj−1 and Pj gets ui−1, bxi −1 can compute T r(g ) by using its secret shadow xi and which means that they can pass through the verification b T r(g ). Finally, Pi obtains its subshadow by ui−1 = Ei ∗ phase. Nevertheless, all the participants have transmitted bx −1 T r(g i ) . Notice that we add consistence check between (IDi,yi) to the dealer D and D has released them in the ui−1 and public information so that the malicious dealer can initialization phase. In consequence, the published message be found. pair can guarantee that other participants and the dealer We assume that the dealer can provide a false Pi’s sub- will detect this conspiracy owing to the mismatch between ′ ′ shadow ui−1 (ui−1 6= ui−1) successfully in the construction IDi and uj−1 or IDj and ui−1 in the recovery phase. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 7 5.3 Privacy 6.2 Computational complexity Theorem 9. We assume that discrete logarithm problem, Next, we compare the computational complexity of the XTR-DL problem with the base g ∈ GF (p6)∗ is infeasible, presented schemes [12], [13], [15], [16], [19], [21] and our and XTR public key system is secure. Then, the adversary schemes. And we utilize the notations below in Table 2. cannot get anything about the secrets and subshadows. Because all the schemes listed here are multi-use secret Proof. From the description of our schemes, the public sharing schemes, which means that the initialization phase messages are as follows. of every scheme needs to be performed only once, we ignore (1) (IDi,yi) for i =1, 2, ··· ,m. the cost of this phase in the following part. To save space, in First, D has released yi (1 ≤ i ≤ m). If participants Table 3, we use Con, Ver, Rec to represent the construction Pj (j 6= i) or the dealer wants to derive secret key xi phase, verification phase, and recovery phase, respectively. x from yi = T r(g i ), which means that the XTR-DL problem Similarly, OS is on behalf of our schemes. In addition, we can be solved, it is impossible under our assumption. The also assume that there are m participants, l shared secrets, adversary cannot decrypt ui−1 from Ei without xi, so they and the threshold is k. cannot recover the secrets. (2)E1, E2, ··· , Em. 6.2.1 Construction phase bxi We have Ei = T r(g ) ∗ ui−1 (1 ≤ i ≤ m), where Ei In the Scheme 1 of HLC and LZZ, they employ the poly- is the XTR encryption of Pi’s subshadow ui−1. When the nomials of degree k − 1 or l − 1 to share secrets. However, adversary want to obtain ui−1 from Ei, they need to break DM1, DM2, DM3, YF, our schemes and the Scheme 2 of XTR public key system. Therefore, the adversary cannot get HLC, LZZ utilize the linear recursion. Because LZZ, YF and any useful information of subshadows and secrets under the our schemes can detect the malicious behavior of the dealer, assumption. all these three schemes need more computations than the (3)T1,T2, ··· ,Tm. others. ui−1 Ti = g (1 ≤ i ≤ m) have been released in the The differences of computations among these three construction phase. Because the security of our schemes is schemes lie in the different public key system used in them. based on the intractability of discrete logarithm problem 6 ∗ Because the trace function used in the XTR public key with the base g in the finite field GF (p ) , it is impossible system needs less time than modular multiplication compu- to get ui−1 from Ti under the assumption. tation used in RSA and LFSR public key cryptosystems, our k Theorem 10. Any − 1 or fewer participants cannot schemes are faster to implement than LZZ and YF schemes reconstruct these secrets. in this phase. Proof. We might consider the worst case. Assume that What’s more, the Scheme 1 of HLC and LZZ need two k P , P , , P there are exactly − 1 participants { i i+1 ··· i+k−2}, ways to deal with different cases, which are more complex k which means that they only have + 1 terms, i.e., to operate than the other schemes. Therefore, YF and our u ,u , ,u subshadows { i−1 i ··· i+k−3} and the published schemes are easier to run than LZZ. u ,u k { m+l m+l+1}. However, there are +2 undefined coeffi- Remark 4. Notice that we do not consider the cost of p x cients of ( ) mentioned in Theorem 1 and Theorem 2. Then trace function in Table 3. we cannot determine the polynomial p(x) uniquely. There- fore, it is impossible for them to recover other subshadows 6.2.2 Verification phase by using the corresponding nonhomogeneous linear recur- sions. Consequently, the secrets shared by the dealer cannot Except LZZ, YF and our schemes, the other schemes need be derived from k − 1 or fewer participants. less computations. Since these three schemes overcome the drawback mentioned before, they need more computations to verify the validity of shares. The serious consequences 6 PERFORMANCE ANALYSIS of the lack of these verification have been shown in Section 6.1 Public values 2.3.2. At first, we compare other proposed schemes [12], [13], [15], [16], [19], [21] with our schemes from the perspective of the 6.2.3 Recovery phase amount of public values, which is the main index to measure The recovery phase is the most time-consuming phase in the efficiency of VMSS schemes. these phases. In fact, all schemes mentioned here can use In Table 1, we use abbreviation OS to represent our Lagrange interpolation polynomial to recover the shared schemes. In order to compare these schemes, we assume that secrets. However, DM1, DM2, DM3, YF, our schemes and there are m participants, l shared secrets, and the threshold the Scheme 2 of HLC, LZZ can make use of linear recursions is k. to reconstruct secrets, which are much easier and faster to From Table 1, we know that LZZ, YF and our schemes construct than Lagrange interpolation polynomial. need more public values than the other schemes. However, Because a polynomial of degree n needs O(n2) time to except these three schemes, the other presented schemes construct by Lagrange interpolation, the recovery phase of cannot resist some malicious behaviors of the dealer as Scheme 1 of HLC and LZZ can be operated within O(k2) mentioned in Section 2.3.2. Further, our schemes make use (l ≤ k) or O(l2) (l > k) time. of XTR public key system, then we can achieve the same YF and our schemes have two ways to recover the security level as LZZ and YF schemes with shorter key secrets. As for the Way 1, YF schemes need O(k2) time, and length. Therefore, our schemes are relatively efficient among our schemes need O((k+1)2) time. Because we use different all these schemes. nonhomogeneous linear recursions from YF schemes, our JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 8 TABLE 1: Comparison of the amount of the public values in proposed schemes Scheme Amount of public values Public values {e,N,g,q,α}, Type1 2(m +3)+ l − k m l m DM1 [12] (r, {Gi}i=1, {ri}i=1, {yi}i=k+1) m {N,g,q,α}, {Ri}i=1 Type2 2(m +3)+ l − k l m (R0,f, {ri}i=1, {yi}i=k+1) m {N,Q}, {Ri}i=1 l m DM2 [13] Type1&2 2(m +3)+ l − k (R0,e, {ri}i=1, {yi}i=k+1, um+l+2,um+l+3) m {N, a, b}, {IDi,sei (a, b)}i=1 Scheme1 2m + l − k + 6 (se0 (a, b),s−e0 (a, b), d), HLC [15] m l−k ({Yi}i=1, {h(i)}i=1 ) m {N, a, b, α, q1}, {IDi,sei (a, b)}i=1 Scheme2 2m + l − k + 7 l m (se0 (a, b), d, {ri}i=1, {Yi}i=k+1) m {N,a,b,q1}, {IDi,sei (a, b)}i=1, DM3 [16] Type1&2 3m + l − k + 7 l m (se0 (a, b), d, {ri}i=1, {yi}i=k) m (λ,N,Q,q,g), {IDi,ei,Ni}i=1, 3m+k+5, when l ≤ m m k ({Ci} , {Hi} , {Ai} ) Scheme1 k i=1 i=1 i=1 LZZ [19] m (λ,N,Q,q,g), {IDi,ei,Ni}i=1, m m l−k 3m+3l−2k+5, when ({Ci}i=1, {Hi}i=1, {ηi}i=1 , l−k l l>k {f(ηi)}i=1 , {Ai}i=1) m (λ,N,Q,q,g,α), {IDi,ei,Ni}i=1 Scheme2 3m + l + 6 m m l ({Hi}i=1, {Ti}i=1, {Yi}i=1) m (λ,N,Q,q,g), {IDi,ei,Ni}i=1 m m l YF [21] Scheme1&2 3m + l + 7 ({Hi}i=1, {Ti}i=1, {yi}i=1, c,um+l) b m (λ,p,q,g,Tr(g),Tr(g )), {IDi,yi}i=1 m m l OS Scheme1&2 3m + l + 9 ({Ei}i=1, {Ti}i=1, {zi}i=1, c,um+l,um+l+1)
TABLE 2: Notations than homogeneous linear recursions. Nevertheless, if we Symbol Explanation utilize the same linear recursion in these three schemes, they
Te cost of one modular exponentiation will cost the same time in the recovery phase for Way 1. on some finite field 6.3 Dynamic attribute Tm cost of one modular multiplication on some finite field Then, we will show a dynamic update, deletion, addition cost of the Lagrange basis of i points, of the participants, the values of secrets and the threshold TL(i) where i ≥ 0 according to the actual situation. average cost of a scalar multiplication Participants: TM on the elliptic curve When a participants Pnew needs to be added in the scheme, P selects an integer x (1 < x < q) cost of obtaining a solution of i linear equations, new new new Tle(i) xnew where i ≥ 0 randomly and computes ynew = T r(g ), then trans- mits (IDnew,ynew) to the dealer. Next, D can compute bxnew unew−1 Enew = T r(g ) ∗ unew−1 (mod q) and Tnew = g (mod p2) where q|(p2 − p + 1), and it releases them later. schemes need more computations. The Way 2 is easier Similarly, when the scheme needs to delete a participant to implement than the first way, however it has stricter Pdel, D only erases (IDdel,ydel) from its list. Therefore, if condition, which means that corresponding participants’ Pdel wants to attack the scheme by its subshadow udel−1, indices must be consecutive. Since the nonhomogeneous the dealer will detect this malicious behavior. linear recursions used in YF and our schemes are both k- Secrets: k th order, these two schemes need terms of subshadows Once D wants to add a secret Sl+1 to the scheme, D can to determine the nonhomogeneous linear recursions used obtain zl+1 = Sl+1 − um+(l+1)−1 = Sl+1 − um+l. Likewise, in the construction phase, which means that they have the D can delete a secret Si by erasing zi = Si − um+i−1 from same computational complexity in the recovery phase for the list. If D wants to update the secrets, D only erases the Way 2. old secrets and then add the new one into the scheme by Remark 5. Compared with LZZ schemes using homo- corresponding operations mentioned above. geneous linear recursions, YF and our schemes need more Threshold: computations in Way 1, because these two schemes utilize Our schemes are secure (k,l,m)-VMSS schemes, because nonhomogeneous linear recursions which are more complex our schemes make use of a NLR of degree k. Therefore, if JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 9 TABLE 3: Comparison of the computational complexity in presented schemes Scheme Con Ver Rec
DM1 [12] Te + kTm Te kTe + TL(k)
Way1 TL(k + 2) DM2 [13] 2TM + (k + 1)Tm TM Way2 Tle(k) Scheme1 Scheme1 3Te + kTm (l ≤ k) Te TL(k) (l ≤ k) HLC [15] 3Te + lTm (l>k) TL(l) (l>k) Scheme2 Scheme2 3Te + kTm TL(k)
Way1,2 TL(k) DM3 [16] 3Te + kTm Te Way3 Tle(k) Scheme1 Scheme1 Scheme1 2Te + kTm (l ≥ k) Te (l ≤ k) TL(k) (l ≤ k) LZZ [19] 2Te + lTm (l>k) 2Te (l>k) TL(l) (l>k) Scheme2 Scheme2 Scheme2 2Te + kTm 2Te TL(k) or Tle(k)
Way1 TL(k + 1) YF [21] 2Te + (k + 1)Tm 2Te Way2 Tle(k)
Way1 TL(k + 2) OS Te + (k + 1)Tm 2Te Way2 Tle(k)
D wants to change the threshold, D can replace the original in GF (p2). What’s more, the XTR public key system used NLR with a new degree, which means that our schemes are in our schemes can realize the security level in GF (p6) threshold changeable multi-secret sharing schemes. by computations in GF (p2). It has been proved that the security level of a 170-bit XTR is equivalent to a 340-bit 6.4 Performance feature LFSR public key cryptosystem or a 1024-bit RSA public key cryptosystem, which means that our schemes can achieve Finally, we analyze performance features of the the same security level as LZZ and YF schemes with shorter schemes in [12], [13], [15], [16], [19], [21] and our schemes in key size. Table 4. Therefore, our schemes are better schemes than the other • Feature 1: Reconstruct multiple secrets at the same time schemes mentioned in this section. • Feature 2: Utilize the public channel Remark 6. If we can use LFSR sequences with a higher • Feature 3: Resist the conspiracy attack order, such as sixth-order, to construct a new LRSR sequence • Feature 4: Update the secrets after an unsuccessful public key system applied to our schemes, then we will use recovery shorter key size. However, there is not necessarily a fast way • Feature 5: Reuse the shadows with different access to get the required parameters in the whole scheme. So we structure choose XTR public key system generated by a third-order • Feature 6: Reuse the shadows with different D LFSR sequence to construct our new VMSS schemes. • Feature 7: Perceive D’s deception • Feature 8: Perceive Pi’s deception • Feature 9: The bit length of private key in a 1024-bit 7 CONCLUSION finite field • Feature 10: The bit length of public key in a 1024-bit In this paper, we utilize XTR public key system to con- finite field struct two new efficient VMSS schemes which are improved From Table 4, we know that DM1 and DM2 schemes versions of the VMSS schemes proposed by Dehkordi and cannot resist conspiracy attack as analyzed in Theorem 8, Mashhadi in 2008. because the dealer does not construct the links between the Compared with the previous presented schemes, our identity messages and corresponding secret shadows of the schemes can detect the malicious dealer by adding verifi- specific participants. cation between participants’ subshadows and public mes- Notice that, except LZZ, YF and our schemes, the other sages. Even though LZZ and YF schemes have the same ad- schemes cannot perceive malicious dealer, since they lack vantages as our schemes, we use shorter key size to achieve verification between their participants’ subshadows and the same security level. In addition, our schemes are effi- public messages. cient to implement because they have dynamic attributes, Nevertheless, in a 1024-bit finite field, the length of our which means that our schemes can change the number of private key can be one-sixth of LZZ schemes, and one-third participants, the values of secrets and the threshold easily of YF schemes, which is about 170 bits. And the length of according to the practical situation. the public key can be one-third of LZZ schemes, and equal In conclusion, our schemes are computationally secure to YF schemes, which is about 340 bits. This is because the (k,l,m)-VMSS schemes which can share multiple secrets x private key xi is in GF (q), and the public key T r(g i ) is simultaneously, use the public channel, have verifiability, JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 10 TABLE 4: Performance feature Feature DM1 [12] DM2 [13] HLC [15] DM3 [16] LZZ [19] YF [21] OS 1 YES YES YES YES YES YES YES 2 YES YES YES YES YES YES YES 3 NO NO YES YES YES YES YES 4 NO NO NO NO NO NO NO 5 YES YES YES YES YES YES YES 6 YES YES YES YES YES YES YES 7 NO NO NO NO YES YES YES 8 YES YES YES YES YES YES YES 9 1024 1024 340 340 1024 340 170 10 1024 1024 340 340 1024 340 340 reuse subshadows, and are both dynamic and threshold [15] C. Hu, X. Liao, and X. Cheng, ”Verifiable multi-secret sharing changeable with shorter parameters. based on LFSR sequences,” Thero. Comput. Sci., vol. 445, no. 11, pp. 52-62, Aug. 2012. [16] S. Mashhadi and M. H. Dehkordi, ”Two verifiable multi secret sharing schemes based on nonhomogeneous linear recursion and ACKNOWLEDGMENTS LFSR public-key cryptosystem,” Inf. Sci., vol. 294, no. 10, pp. 31-40, Feb. 2015. This research is supported by the National Key Re- [17] G. Gong and L. Harn, ”Public-key cryptosystems based on cubic search and Development Program of China (Grant No. finite field extensions,” IEEE Trans. Inf. Theory, vol. 45, no. 7, pp. 2018YFA0704703), the National Natural Science Foundation 2601-2605, Nov. 1999. of China (Grant No. 61971243), the Fundamental Research [18] G. Gong and L. Harn, ”The GH public-key cryptosystem,” in Selected Areas in Cryptography (Lecture Notes in Computer Science). Funds for the Central Universities of China, and the Nankai Berlin, Germany: Springer-Verlag, 2001, pp. 284-300. Zhide Foundation. [19] Y. Liu, F. Zhang, and J. Zhang, ”Attacks to some verifiable multi- secret sharing schemes and two improved schemes,” Inf. Sci., vol. 329, no. 1, pp. 524-539, Feb. 2016. [20] R. L. Rivest, A. Shamir, and L. Adleman, ” A method for obtaining REFERENCES digital signatures and public-key cryptosystems,” Commun. ACM, [1] A. Shamir, ”How to share a secret”, Commun. ACM, vol. 22, no. 11, vol. 21, no. 2, pp. 120-126, Feb. 1978. pp. 612-613, 1979. [21] J. Yang and F. Fu, ”New dynamic and verifiable multi-secret IET Inf. [2] G. R. Blakley, ”Safeguarding cryptographic keys”, in Proc. 1979 sharing schemes based on LFSR public key cryptosystem,” Secur. AFIPS National Computer Conference. New York, USA: AFIPS Press, , vol. 14, no. 6, pp. 783-790, Nov. 2020. 1979, pp. 313-318. [22] A. K. Lenstra and E. R. Verheul, ”The XTR public key system,” in Advances in Cryptology-CRYPTO. Berlin, Germany: Springer-Verlag, [3] Y. Desmedt and Y. Frankel, ”Threshold cryptosystems,” in Advances 2000, pp. 1-19. in Cryptology-CRYPTO. Berlin, Germany: Springer-Verlag, 1989, pp. [23] A. K. Lenstra and E. R. Verheul, ”Key improvements to XTR,” 307-315. in Advances in Cryptology-ASIACRYPT. Berlin, Germany: Springer- [4] D. Boneh and M. Naor, ”Timed commitments,” in Advances in Verlag, 2000, pp. 220-233. Cryptology-CRYPTO. Berlin, Germany: Springer-Verlag, 2000, pp. 236-254. [5] R. Cramer, I. Damg˚ard , U. Maurer, ”General secure multi- party computation from any Linear secret-sharing scheme,” in Advances in Cryptology-EUROCRYPT. Berlin, Germany: Springer- Verlag, 2000, pp. 316-334. [6] R. Cramer, V. Daza, I. Gracia, J. J. Urroz, G. Leander, J. Mart´ı- Farr´eand C. Padr´o, ”On codes, matroids, and secure multiparty computation from linear secret-sharing schemes,” IEEE Trans. Inf. Theory, vol. 54, no. 6, pp. 2644-2657, Jun. 2008. [7] Y. Kim, R. K. Raman, Y. Kim, L. R. Varshney and N. R. Shanbhag, ”Efficient local secret sharing for distributed blockchain systems,” IEEE Commun. Lett., vol. 23, no. 2, pp. 282-285, Feb. 2019. [8] C. C. Yang, T. Y. Chang, and M. S. Hwang, ”A (t, n) multi-secret sharing scheme,” Appl. Math. Comput., vol. 151, no. 2, pp. 483-490, Apr. 2004. [9] J. Shao and Z. Cao, ” A new efficient (t, n) verifiable multi-secret sharing (VMSS) based on YCH scheme,” Appl. Math. Comput., vol. 168, no. 1, pp. 135-140, Sep. 2005. [10] J. Zhao, J. Zhang, and R. Zhao, ” A practical verifiable multi-secret sharing scheme,” Comput. Stand. & Interfaces, vol. 29, no. 1, pp. 138- 141, Jan. 2007. [11] M. H. Dehkordi and S. Mashhadi, ”An efficient threshold verifi- able multi-secret sharing,” Comput. Stand. & Interfaces, vol. 30, no. 3, pp. 187-190, Mar. 2008. [12] M. H. Dehkordi and S. Mashhadi, ”New efficient and practical Jing Yang received the B.S. degree in mathematics and applied math- verifiable multi-secret sharing schemes,” Inf. Sci., vol. 178, no. 9, ematics from Shandong Normal University, Jinan, China in 2015, and pp. 2262-2274, May. 2008. M.S. degree in Probability and Mathematical Statistics from Nankai Uni- [13] M. H. Dehkordi and S. Mashhadi, ”Verifiable secret sharing versity, Tianjin, China in 2019. She is currently a Ph.D. student advised schemes based on non-homogeneous linear recursions and elliptic by Prof. Fang-Wei Fu in Chern Institute of Mathematics and LPMC, curves,” Comput. Commun., vol. 178, no. 9, pp. 2262-2274, May. 2008. and Tianjin Key Laboratory of Network and Data Security Technology, [14] N. L. Biggs, Discrete Mathematics, 2nd ed. New York, USA: Oxford Nankai University, Tianjin, China. Her research interests include secret University Press, Inc., 2002. sharing, blockchain, and corresponding cryptography. JOURNAL OF LATEX CLASS FILES, VOL. 14, NO. 8, AUGUST 2015 11
Fang-Wei Fu received the B. S. degree in mathematics, the M. S. degree, and the Ph.D. degree in applied mathematics from Nankai University, Tianjin, China, in 1984, 1987 and 1990, respectively. Since April 2007, he has been with the Chern Institute of Mathematics, Nankai University, Tianjin, China, where he is a Professor. From June 1987 to April 2007, he was with the School of Mathematical Science, Nankai University, Tianjin, China, and became a Professor there in 1995. From February 2002 to March 2007, he was a Research Scientist with the Temasek Laboratories, National University of Singapore, Republic of Singapore. From November 1989 to November 1990, he visited the Department of Mathematics, University of Bielefeld, Germany. From October 1996 to October 1997, he visited the Institute for Experimental Mathematics, University of Duisburg-Essen, Germany. He also visited the Department of Information Engineering, The Chinese University of Hong Kong, Hong Kong, the Department of Mathematics, University of California, Irvine, USA, the Division of Mathematical Sciences, the School of Physical and Mathematical Sciences, Nanyang Technological University, Republic of Singapore. His current research interests include coding theory, cryptography, and information theory.