Secret Sharing Scheme with Share Verification Capability

Abstract

This paper examines the properties of classical secret sharing schemes used in information protection systems, including the protection of valuable and confidential data. It addresses issues such as implementation complexity, limited flexibility, vulnerability to new types of attacks, the requirements for such schemes, and analyzes existing approaches to their solutions. A new secret sharing scheme is proposed as a potential solution to these challenges. The developed scheme is based on multivariable functions. The shares distributed among participants represent the values of these functions. Secret reconstruction is reduced to solving a system of linear equations composed of such functions. The structure and mathematical foundation of the scheme are presented, along with an analysis of its properties. A key feature of the proposed scheme is the incorporation of functions aimed at authenticating participants and verifying the integrity of the distributed shares. The paper also provides a cryptanalysis of the scheme, evaluates its resistance to various types of attacks, and discusses the results obtained. Thus, this work contributes to the advancement of information security methods by offering a modern and reliable solution for the secure storage and joint use of secret data.

1. Introduction

In the modern era of rapid technological advancement and the widespread adoption of distributed computing systems, the issues of secure storage and management of sensitive information have become especially critical. Cryptographic keys, biometric templates, and commercial or governmental secrets all require robust protection that ensures both security and fault tolerance. One effective solution to this problem is the method of secret sharing. Within this approach, the confidential data is split into multiple parts (shares) and distributed among a predefined set of participants. The original secret can only be reconstructed by combining a sufficient number of shares held by trusted participants [1,2].

For example, in an IoT-based health monitoring system, biometric templates (such as fingerprints or Electrocardiography (ECG) signals) must be securely stored across distributed cloud repositories. The compromise of a single node may result in a severe leakage of confidential information or a system failure. The use of secret sharing schemes makes it possible to split such data into several parts and distribute them across different storage nodes, ensuring that compromising a single node does not enable reconstruction of the complete secret.

The concept of secret sharing was independently introduced in 1979 by Adi Shamir and George Blakley. Since then, numerous schemes have been developed based on various mathematical and cryptographic principles. These include methods based on polynomial interpolation, elliptic curves, homomorphic encryption, and post-quantum cryptographic ideas.

Secret sharing schemes have found applications in a wide range of information technology fields, including:

• Distributed key management systems;
• Multi-signature cryptocurrency wallets;
• Secure voting and electronic elections;
• Biometric systems utilizing biometric templates;
• Cloud and multiparty computation.

The main objective of secret sharing schemes is to protect sensitive data from the standpoint of information-theoretic security. Classical schemes have successfully addressed key problems of their time; however, over the years, certain limitations and vulnerabilities have become apparent due to evolving requirements [3].

Despite their theoretical soundness, classical secret sharing schemes are not always suitable for modern environments, such as Internet of Things (IoT) systems, cloud platforms, or architectures with flexible distributed storage policies. This calls for enhancing existing schemes or integrating them with contemporary cryptographic mechanisms.

Existing vulnerabilities and limitations of classical schemes [4,5]:

• Inefficient use of computational and memory resources: Classical schemes operate with polynomials over large fields, which makes them poorly suited for resource-constrained devices such as those used in IoT. Secret reconstruction via polynomial interpolation requires significant computational overhead.
• Limitations in ensuring network security: In classical schemes, the transmission of shares is not encrypted. If a certain number of shares (e.g., t or more) are intercepted, there is a risk that an adversary could reconstruct the secret.
• Difficulties with reuse: Classical schemes are generally designed for one-time use. If the secret changes, new shares must be generated, which complicates their use in dynamic systems such as cloud platforms or frequently updated IoT devices.
• Rigid participant structure: Many classical (t, n)-schemes assume a fixed number of participants and a strict reconstruction threshold. This limits their applicability in modern systems, which often require more flexible models—for instance, hierarchical or role-based structures where only administrators or designated groups are allowed to reconstruct the secret.
• Lack of authentication and integrity mechanisms: Classical schemes do not provide means to verify the correctness of shares. If invalid or forged shares are distributed, secret reconstruction becomes impossible. This has led to the development of Verifiable Secret Sharing (VSS) schemes.
• Limited compatibility with network infrastructure: Classical schemes are not fully integrated with mechanisms such as asymmetric encryption or digital signatures, which complicate their deployment in modern distributed environments.

Due to these limitations, active research is underway to develop more efficient and secure secret sharing schemes that meet the demands of modern distributed and dynamic computing environments.

This paper introduces a new secret sharing scheme that addresses several limitations of classical approaches by integrating participant authentication and share verification mechanisms. The use of a pseudorandom number generator (PRNG) enables dynamic and secure generation of the coefficient matrix without storing it explicitly, thus improving both security and efficiency. The scheme incorporates digital signatures to protect against replay attacks and unauthorized access, ensuring the integrity of the authentication process.

The structure of the paper is organized as follows. After reviewing related work in the field, the Section 3 introduces the mathematical foundations and operational details of the proposed scheme. This is followed by a detailed presentation of the scheme’s main components, including authentication, share generation, verification, and reconstruction. The Section 5 evaluates the correctness and security properties, supported by cryptographic analysis and performance comparison. The paper concludes with a summary of key findings.

2. Literature Review

In 1979, Israeli cryptographer Adi Shamir proposed a threshold secret sharing scheme based on polynomial interpolation over a finite field. This scheme became one of the first and most well-known (t, n) threshold schemes. A complete description is provided in the original work [6].

Shamir’s scheme has the following properties [7]:

• Confidentiality: With fewer than t shares (i.e., $m < t$), it is impossible to obtain any information about the original secret.
• Idealness: The size of each share is equal to the size of the confidential information itself.
• Scalability: The total number of participants n can be increased up to $\left|F\right|-1$ (where $F$ is the size of the field). However, the threshold t required for reconstruction remains fixed.
• Flexibility: Shares of different “weights” can be assigned to different subsets of participants, allowing for unequal influence in the reconstruction process.

Shamir’s secret sharing scheme offers a number of advantages, including information-theoretic security and implementation simplicity. However, in practical applications, it also presents certain drawbacks that must be considered when selecting cryptographic solutions [8].

The Blakley secret sharing scheme was proposed in 1979 by George Blakley. It became one of the first implementations of secret sharing algorithms based on geometric principles. In this scheme, the secret is interpreted as the coordinate of the intersection point of hyperplanes in an n-dimensional space. Each participant is given one hyperplane, and only the intersection of t or more such hyperplanes allows for the unambiguous reconstruction of the secret point [9].

Mathematically, the scheme is based on a system of linear equations that define the hyperplanes. If fewer than t equations are available, the system becomes underdetermined, making it impossible to reconstruct the secret—thus providing information-theoretic security.

Key properties of the scheme [10]:

• $(t,n)$-threshold structure: the secret can be reconstructed only when $t$ or more hyperplanes are available.
• Information-theoretic security: fewer than t equations reveal no information about the secret.
• Linearity: the reconstruction process reduces to solving a system of linear equations.

Advantages:

• Simple implementation using linear algebra techniques.
• Well suited for hardware implementations, especially in systems with a small number of participants.

Disadvantages:

• Susceptibility to numerical errors when operating over real numbers (it is preferable to use finite fields).
• Unequal share strength: knowledge of the equation’s coefficients reveals partial information about the corresponding hyperplane.

When the secret is fixed, parameters must be carefully chosen to avoid linear dependence between equations.

One of the key achievements in the field of secret sharing schemes is the work of Paul Feldman [11], who proposed a practical protocol for non-interactive VSS. In classical VSS schemes, verifying the correctness of a received share requires message exchange between participants, which limits their applicability in asynchronous or large-scale distributed systems. Feldman was the first to propose a scheme in which each share “authenticates itself” without requiring interactive verification. The core of Feldman’s scheme is a combination of Shamir’s threshold secret sharing and homomorphic encryption. The dealer encodes the secret as the free coefficient of a polynomial of degree t, while the remaining coefficients are chosen randomly. The polynomial values are then encrypted and distributed to the participants. To verify the correctness of their share, each participant uses the published ciphertexts of the coefficients and the homomorphic properties of the encryption—enabling local verification without communication with others.

The issue of resilience of secret sharing schemes against active cheating is an important direction in the development of cryptographic protocols. In the work by Toshinori Araki [12], a $(t, n)$ threshold scheme was proposed that can detect forgery even when up to $n - 1$ participants act maliciously in a coordinated way. This significantly extends the boundaries of robustness compared to earlier schemes, which assumed no more than $t - 1$ dishonest participants.

In this scheme, it becomes possible to detect forgery during secret reconstruction even if nearly all participants—except one—are involved in the attack. The author focuses not on preserving the secret under a collusion of t or more participants (which is impossible by definition of threshold schemes), but on mechanisms for detecting tampering with the reconstruction result—a key requirement for trusted computation protocols.

Classical secret sharing schemes, such as Shamir’s and Blakley’s (t, n) threshold models, allow reconstruction of the secret when at least t out of n participants are involved. However, most multi-secret sharing (MSS) schemes are vulnerable to insider participant attacks. A malicious party, without a valid share, can gain access to the secrets by interacting with other participants and collecting their shares [13].

To address these vulnerabilities, the authors introduce and formalize a new model—group-oriented multi-secret sharing (GOMSS) $(t, m, n)$ in which the recovery of each secret requires the participation of m valid participants, where $m \ge t$. This approach prevents IP attacks (Illegal Participant attack) and provides enhanced protection of the shared secrets.

An IP attack is a type of attack on secret sharing schemes in which a malicious actor, without possessing a valid share, imitates participation in the secret recovery process and attempts to gain access to the secret by interacting with honest participants. In most classical multi-secret sharing $(t, n)$–MSS schemes, a secret can be reconstructed as long as t or more participants are involved. However, these schemes often lack mechanisms for verifying the authenticity of participants. This enables a pseudo-participant without an actual share to take part in the reconstruction process by collecting information through interaction with legitimate members [14].

Likhachov and Oliynyk [15], a new n-threshold secret sharing scheme is proposed, based on the Goldwasser–Goldreich–Halevi (GGH) cryptosystem, which relies on lattice problems known for their resistance to quantum cryptanalysis. The secret message is encoded using a lattice defined by a “bad” basis (public key) and can be recovered only with the participation of all n parties, each possessing a part of the “good” (nearly orthogonal) basis. This work contributes to the development of quantum-resistant secret sharing protocols by combining the advantages of lattice-based cryptography and traditional secret sharing schemes. The proposed method can be applied in secure storage systems, distributed computing, and scenarios requiring high cryptographic resilience.

Alam et al. [16] focused on the development of a verifiable multi-secret sharing scheme with a hierarchical access structure, where participants are divided into levels with different threshold values. The authors utilize the YCH (Yang–Chang–Hwang) scheme, which allows for: efficient distribution of multiple secrets; parallel recovery; and reduced computational and communication overhead. The proposed scheme extends the capabilities of classical secret sharing schemes by providing high flexibility, scalability, and security. It is particularly relevant for applications involving multi-level access control and constrained computational resources.

Farahi, Noorallahzadeh and Vahedi [13] proposed two verifiable secret image sharing schemes (VESSIS) based on reversible cellular automata (RCA). It is demonstrated that the proposed schemes ensure high reconstruction quality and efficiency in terms of time and storage volume. These schemes have low computational complexity, making them suitable for use in IoT and mobile devices. The article contributes to the field of image protection by offering lightweight and verifiable sharing schemes that can be used in digital archiving, medical data, and secure communications.

3. Materials and Methods

3.1. Fundamentals of Cryptographic Secret Sharing

Cryptographic secret sharing is a method for storing confidential information by dividing it into several parts (shares). Each authorized participant receives one of these shares. The original (hidden) information can only be reconstructed by combining the shares of multiple participants. Individual participants or shareholders cannot extract or reconstruct the secret using their share alone without collaboration with others [16,17].

A cryptographic secret sharing scheme consists of three main components:

• A secret distributor (dealer);
• A finite set of n participants;
• An access structure $A$—a subset of all possible participant groups.

A group of participants that is sufficient to reconstruct the secret is called an authorized subset. The collection of all such subsets forms the access structure. A formal definition of a secret sharing scheme, along with a comprehensive analysis of its properties, is given in [18].

A secret sharing scheme consists of two main phases: distribution and reconstruction of the secret.

Secret distribution:

• The dealer divides the secret s into n shares.
• These shares are then distributed among the n participants.

Secret reconstruction:

• A group of t participants combines their shares to reconstruct the original secret.

Both phases—distribution and reconstruction—are based on well-defined mathematical procedures. When designing secret sharing schemes, special attention must be paid to their essential properties.

3.2. Properties of the Secret Separation Scheme

Secret sharing schemes possess a number of essential properties that determine their efficiency, security, and applicability in various cryptographic systems. The key properties are outlined below [19]:

• Correctness. When t or more valid shares are used, the secret must be successfully recovered, ensuring accurate reconstruction of the original information. This is a fundamental requirement that guarantees participants can deterministically reconstruct the secret once a sufficient number of shares is combined. If this condition is not met, the scheme loses its practical value.
• Security. One of the core features of secret sharing schemes (SSS) is the guarantee of confidentiality at the level of information-theoretic security. When correctly implemented, such schemes ensure that even partial knowledge of the shares reveals no information about the secret itself. In other words, any subset of fewer than t shares does not reduce the uncertainty of the secret—the probability of guessing it remains unchanged.
• Depending on the approach used, security can be:
  • Information-theoretic—the secret remains completely inaccessible even with unlimited computational power;
  • Computational—the secret cannot be feasibly recovered within a reasonable time using limited resources.

These properties make secret sharing schemes especially valuable in high-security environments such as distributed storage systems and blockchain platforms.

4.

Minimality. Each share should be as small as possible and must not exceed the size of the secret itself. Ideally, each participant stores only the minimal amount of information necessary for secret recovery, avoiding excessive data overhead.

5.

Equity. All participants are treated equally; no share holds a privileged position over others. This promotes decentralization and eliminates the need for a trusted intermediary.

6.

Scalability. The scheme should support increasing the number of participants n without requiring a complete recalculation of all shares or regeneration of the secret. This property is critical for flexible systems in which the participant set may change over time—for example, in corporate networks, blockchain platforms, or cloud storage environments.

7.

Reusability. The scheme should support repeated usage—for instance, allowing secret redistribution or updates without redesigning the entire system. This is particularly important for periodic key rotation, biometric template updates, and similar use cases.

8.

Error and fraud detection. Some extended schemes (such as VSS) include mechanisms to detect corrupted or tampered shares. This feature is crucial when participants may be untrustworthy and ensures that the secret can still be reconstructed correctly even under adverse conditions.

9.

Compatibility. A well-designed secret sharing scheme should integrate seamlessly with other cryptographic protocols, such as encryption, digital signatures, and secure multiparty computation.

These properties help in selecting the most suitable scheme, depending on the application domain, threat level, and system architecture. Modern requirements demand that a scheme simultaneously possess several key qualities—for example, strong security, scalability, and resistance to quantum attacks. This drives the development of new, more flexible and reliable schemes.

Modern secret sharing schemes are expected to meet the following requirements [20]:

• Security in the presence of active adversaries;
• Decentralization without the need for a trusted dealer;
• Resistance to quantum attacks;
• Minimal storage and computational overhead.

4. Description of the Proposed Scheme

With the rapid advancement of information technologies and the growing demand for data protection, the requirements for classical secret sharing schemes are also evolving. There is a clear need to modernize previously used schemes to align them with current security challenges and conditions. In this work, we examine two classical secret sharing schemes, highlighting their limitations, and propose a new scheme designed to meet the demands of modern security requirements.

4.1. Mathematical Foundation of the Proposed Scheme

The proposed secret sharing scheme is based on the use of linear functions of several variables defined over a finite field or a residue ring modulo $q$. Let $s_1, s_2,\dots , s_k\in {\mathbb{Z}}_q$ be the secrets to be shared, where $q$ is a preselected large prime number (or a power of two in certain implementations), $k$ is the reconstruction threshold, i.e., the minimum number of valid shares required to recover the secret.

Each participant’s share is computed as the value of a linear function of the following form:

$$f_i\left(s_1, s_2, \dots , s_k\right)= a_{i1}·s_1+a_{i2}·s_2+\cdots +a_{ik}·s_k mod q$$

(1)

where $a_{ij}\in {\mathbb{Z}}_q$ are coefficients generated based on the parameters of a PRNG shared among all participants. All coefficients must be pairwise distinct to avoid value collisions. All calculations are performed using modular arithmetic modulo $q$, which prevents overflow and ensures algebraic closure of operations. Meanwhile, $a_{ij}$ is a secret parameter and must not be disclosed.

For n participants, the following system of linear equations is formed:

$$\left\{\begin{array}{c}{a}_{11}{s}_1+a_{12}{s}_2+\cdots +a_{1k}{s}_k=y_1\\ a_{21}{s}_1+a_{22}{s}_2+\cdots +a_{2k}{s}_k=y_2\\ \dots \\ a_{n1}{s}_1+a_{n2}{s}_2+\cdots +a_{nk}{s}_k=y_n\end{array}\right.$$

(2)

where $y_i$ is the value of the linear function transmitted to the ith participant.

After distributing the secret, the coefficients of system (2) are discarded, but the PRNG parameters are preserved. For convenience, the coefficients of the system are prewritten into the matrix:

$$A=\left(\begin{array}{cccc}{a}_{11}& a_{12}& \dots & a_{1k}\\ a_{21}& a_{22}& \dots & a_{2k}\\ \dots & \dots & \dots & \dots \\ a_{n1}& a_{n2}& \dots & a_{nk}\end{array}\right)$$

(3)

To reconstruct the original secrets, any k linearly independent equations from this system must be selected. The coefficients are regenerated using the same PRNG parameters. The resulting system is then solved using standard linear algebra methods (e.g., using an inverse matrix or Gaussian elimination). This approach allows for accurate recovery of all $k$ components of the secret vector $\overrightarrow{s}=\left(s_1,s_2, \dots , s_k\right)$.

A key feature of the scheme is that the coefficient matrix $A\in {\mathbb{Z}}_q^{n\times k}$ is not stored explicitly. This design significantly enhances the cryptographic strength of the scheme by hiding the structure of the coefficients and preventing their disclosure even in the event of partial share compromise.

To ensure sufficient security and correctness, the modulus $q$ should be chosen as a large prime number, typically of size at least 128 bits. This prevents collisions during modular operations and provides enough entropy for securely encoding the secret vector. The threshold $k$ and the total number of participants $n$ are selected based on application requirements, with $k\ge 3, k<n$, and $n\le 100$ being typical choices in practical systems. PRNG used in the scheme must be both deterministic and cryptographically secure.

Thus, the mathematical basis of the scheme is a system of linear functions of several variables with operations modulo $q$. This ensures both compactness and implementation efficiency, as well as cryptographic robustness.

The proposed secret sharing process consists of three stages:

• Participant registration/authentication.
• Secret sharing.
• Secret reconstruction.

4.2. Participant Registration

The primary difference between the proposed scheme and classical secret sharing schemes is the integration of participant authentication and integrity verification mechanisms, which are typically not present in traditional approaches (Algorithm 1).

1.

To establish a secure connection, the dealer and the participant jointly generate a shared secret key ${SK}_i$ using the Diffie–Hellman algorithm.

2.

Next, the dealer computes a unique identifier ${UH}_i$ for the participant by applying a hash function to the coefficients of the corresponding row in the matrix:

$${UH}_i=hash\left(a_{i1}\right|\left|a_{i2}\right||\dots |\left|a_{ik}\right)$$

(4)

3.

The dealer then generates a digital signature of this identifier using the shared key:

$${sign}_{{UH}_i}=hash\left({UH}_i\right|\left|{SK}_i\right)$$

(5)

The SHA-256 algorithm is used as the hash function at all stages.

4.

After that, the dealer encrypts the code ${UH}_i$ using the key ${SK}_i$ and the lightweight encryption algorithm LBC-3 [21]:

$$C_{{UH}_i}=EncryptLBC({UH}_i,{SK}_i)$$

(6)

5.

The participant receives a pair of values: the encrypted code and its signature, i.e., $\left(C_{{UH}_i},{sign}_{{UH}_i}\right)$

6.

Upon receiving the message, the participant decrypts $C_{{UH}_i}$ using the same key ${SK}_i$:

$${UH}_i=DecryptLBC(C_{{UH}_i},{SK}_i)$$

(7)

Here, $DecryptLBC$ denotes the decryption operation of the LBC-3 algorithm.

7.

After recovering the identifier, the participant verifies its authenticity by checking the signature using Equation (5). If the verification succeeds, the code ${UH}_i$ is stored for subsequent operations.

Thus, the participant registration procedure in the secret sharing system is considered complete.

Algorithm 1. Participant registration

Input: a[n,k]

Output: UH_[n]

1: for i = 1 to n do

2:    SK[i] = GenerateKey()

3: for i = 1 to n do

4:    UH[i] = hash(a[i,1]||a[i,2]||…||a[i,k])

5:    signUH[i] = hash(UH[i]||SK[i])

6:    C_UH[i] = EncryptLBC(UH[i],SK[i])

7:    send signUN[i], C_UH[i]

8: for i = 1 to n do

9:   UH_[i] = DecryptLBC(C_UH[i], SK[i])

10: signUH_[i] = hash(UH_[i], SK[i])

11: if signUH[i] == signUH_[i] then

12:     save UH_[i]

13: else

14:     registration canceled

15: return UH_[n]

In IoT-based biometric authentication systems, such as those using fingerprints or ECG signals, there is a need for reliable distributed data storage. The proposed scheme supports dynamic authentication of participants, providing protection when new devices are added or compromised nodes are excluded. This approach enhances the system’s resilience against unauthorized access and the leakage of biometric information.

4.3. Participant Authentication

• The dealer requests the identification code ${UH}_i$ from the participant.
• The participant generates a digital signature ${sign}_{{UH}_i}$ according to Equation (5): ${sign}_{{UH}_i}=hash\left({UH}_i\right|\left|{SK}_i\right)$. Then, the participant sends a pair of values to the dealer: $\left({UH}_i{,sign}_{{UH}_i}\right)$.
• Upon receiving the data, the dealer verifies the authenticity of the signature by computing: ${sign}_{{UH}_i}^{\prime }=hash\left({UH}_i\right|\left|{SK}_i\right)$. The dealer then compares this value with the received signature: ${sign}_{{UH}_i}={sign}_{{UH}_i}^{\prime }-?$

If the verification is successful, the participant is considered authenticated, and their identifier ${UH}_i$ s added to the list of participants in the secret sharing scheme. This completes the authentication procedure (Algorithm 2).

Algorithm 2. Participant Authentication

Input: UH[n]

Output: AuthResult

1: for i = 1 to n do

2:    signUH_[i] = hash(UH_[i]||SK[i])

3:    send UH_[i], signUH_[i]

4: for i = 1 to n do

5:    signUH[i] = hash(UH_[i]||SK[i])

6:    if signUH[i] == signUH_[i] then

7:      AuthResult = “Participant successfully authenticated”

8:    else

9:      AuthResult = “Authentication canceled”

10: return AuthResult

4.4. Secret Sharing

1.

The dealer performs secret sharing by constructing a system of equations and computing each participant’s share $y_i$.

2.

The dealer then encrypts the share value using the corresponding secret key ${SK}_i$:

$$C_{y_i}=EncryptLBC(y_i,{SK}_i)$$

(8)

3.

To ensure integrity and authenticity, the dealer computes a hash-based signature (verification code) of the share:

$${SH}_i=hash\left(y_i\right|\left|{SK}_i\right)$$

(9)

4.

Each authenticated participant receives their encrypted share $C_{y_i}$ and verification code ${SH}_i$ from the dealer.

5.

Upon receiving the data, the participant decrypts their share:

$$y_i=DecryptLBC(C_{y_i},{SK}_i)$$

(10)

6.

After decryption, the participant verifies the authenticity of the received value by computing:

$${SH}_i^{\prime }=hash\left(y_i\right|\left|{SK}_i\right)$$

and comparing it with the received value: ${SH}_i={SH}_i^{\prime }-?$

If the signature matches, the participant accepts $y_i$ as authentic. At the end of this procedure, the participant retains the following values:

• Their share $y_i$;
• The identifier ${UH}_i$;
• The secret key ${SK}_i$.

• The pseudocode of the Secret Sharing scheme is given in Algorithm 3.

Algorithm 3. Secret Sharing

Input: a[n], S-secret

Output: ShareResult

1: for i = 1 to n do

2:    y[i] = ShareSecret(S)

3:    C_y[i] = EncryptLBC(y[i], SK[i])

4:    SH[i] = hash(y[i]||SK[i])

5:    send C_y[i], SH[i]

6: for i = 1 to n do

7:    y_[i] = DecryptLBC(C_y[i], SK[i])

8:    SH_[i] = hash(y_[i]||SK[i])

9:    if SH[i] == SH_[i] then

10:      save y_[i]

11:      ShareResult = “Secret sharing completed successfully”

12:    else

13:      ShareResult = “Secret sharing failed”

14: return ShareResult

4.5. Secret Reconstruction

• The participant is first authenticated according to the procedure described in Section 4.2.
• After successful authentication, the dealer requests the participant’s share $y_i$ and the corresponding verification code ${SH}_i$.
• The participant computes the verification code using Equation (9):

$${SH}_i=hash\left(y_i\right|\left|{SK}_i\right)$$

and sends the pair $\left(y_i,{SH}_i\right)$ to the dealer.

4.

Upon receiving the data, the dealer verifies the authenticity of the share by computing:

$${SH}_i^{\prime }=hash\left(y_i\right|\left|{SK}_i\right)$$

and comparing it with the received value: ${SH}_i={SH}_i^{\prime }-?$

If the signature matches, the share is considered authentic and accepted for the secret reconstruction process.

5.

Once the dealer obtains k valid shares, the original secret S is reconstructed. If a participant attempts to submit a forged share $y_i$, the signature verification will fail, and the share will be rejected. In such a case, the dealer excludes that participant from the reconstruction process and turns to another participant.

• The pseudocode of the Secret Reconstruction is given in Algorithm 4.

Algorithm 4. Secret Reconstruction

Input: a[n], y[k]

Output: ReconResult, S-secret

1: for i = 1 to n do

2:    if PartAuthentication(i) then

3:        SH_[i] = hash(y[i]||SK[i])

4:        send y[i], SH_[i]

5:        for i = 1 to n do

6:          SH[i] = hash(y[i]||SK[i])

7:          if SH[i] == SH_[i] then

8:            S = ReconSecret(y[i])

9:          else

10:          ReconResult = “Secret successfully restored”

11:          Exit

12:    ReconResult = “Secret restoration failed”

13:  else

14:    ReconResult = “Secret successfully restored”

15: return ReconResult

5. Discussion

5.1. Key Features of the Proposed Secret Sharing Scheme

• The scheme ensures both the confidentiality and integrity of the shared secret. The secret itself is not stored by either the dealer or the participants. The dealer retains only the initial parameters used to generate the coefficients and individual secret keys for each participant. The secret shares exchanged between the dealer and the participants are encrypted and accompanied by a digital signature. This protects against man-in-the-middle attacks, prevents data tampering, and secures the system from malicious participants. The scheme is resistant to fraudulent attempts, including collusion among participants. Even if participants collaborate to recover the secret, they cannot do so without knowledge of the coefficients. The robustness of the system largely depends on the honesty of the dealer, who serves as the main trusted entity.
• The scheme supports multi-secret sharing. The dealer can simultaneously split multiple secrets and distribute their shares among participants. Each share may contain fragments of several secrets, but the overall size of the share remains unchanged, thus preserving the scheme’s efficiency.
• Dynamic addition of new participants without re-sharing the entire secret. The proposed scheme allows new participants to be added without the need to redistribute the entire secret. This can be performed by: Temporarily reconstructing the secret $s=\left(s_1,s_2,\dots ,s_k\right),$ adding a new row to the coefficient matrix corresponding to the new participant, computing the individual share $y_i$ for that participant based on the added row. In this case, the previously distributed shares and the original secret remain unchanged. This feature is particularly useful in distributed or scalable systems where the participant set may change over time.

5.2. Potential Attack Scenarios and Scheme Resilience

Interception during registration. During participant registration, an adversary in the middle (Man-in-the-Middle attack) may attempt to intercept the encrypted identifier $C_{{UH}_i}$ and the digital signature ${sign}_{{UH}_i}$. However, without knowledge of the participant’s secret key ${SK}_i$, the adversary cannot decrypt ${UH}_i$—the unique identification code that should only be known to the participant. Therefore, the adversary will not be able to participate in secret reconstruction, as they lack the required ${UH}_i$.

Interception during authentication. During authentication, the participant sends $\left({sign}_{{UH}_i},{UH}_i\right)$ to the dealer. These values may be intercepted by an adversary. In theory, the adversary could impersonate the participant and be accepted by the dealer, thereby receiving the encrypted share $C_{y_i}$ and the verification code ${SH}_i$. However, without access to the secret key ${SK}_i$, the adversary will be unable to decrypt $C_{y_i}$ to obtain the actual share $y_i$ required for secret reconstruction. Consequently, when asked to provide the correct pair $\left(y_i,{SH}_i\right)$, the adversary will fail verification and be excluded from the process.

Interception during secret distribution. While shares are being transmitted, an adversary may intercept $C_{y_i}$ and ${SH}_i$, intending to use them later in the reconstruction process. However, during reconstruction, the dealer requests the decrypted share $y_i$ and its corresponding verification code ${SH}_i$ from the participant. Since the adversary does not possess the secret key ${SK}_i$, they cannot extract $y_i$ from $C_{y_i}$ and, therefore, cannot respond correctly to the dealer’s request. As a result, the dealer will detect the unauthorized party and exclude them from the reconstruction process. If necessary, the dealer can request the share from another participant, ensuring successful secret recovery even after exclusion.

5.3. Cryptanalysis of the Proposed Scheme

5.3.1. Threat Model

In this section, we define the threat model underlying the security analysis of the proposed scheme. We consider a passive adversary who does not interfere with communications (e.g., by modifying or injecting messages) but may eavesdrop on transmitted values. Within the scope of this analysis, it is assumed that a potential adversary is limited by the following conditions:

• May intercept up to $t < k$ secret shares $y_i$;
• May obtain or predict part of the coefficients of the matrix $A$, generated using the PRNG;
• May attempt to recover individual components of the secret or the entire vector $\overrightarrow{s}=(s_1,s_2,\dots ,s_k)$;
• Has no access to the parameters of the PRNG;
• Does not control the dealer’s actions.

The adversary’s goal is to compromise the confidentiality of the scheme by either recovering the secret or forging a valid share.

The adversary’s objective is to compromise the confidentiality of the scheme by either recovering the secret or forging a valid share. In a threshold secret sharing scheme with reconstruction parameter k, the interception of up to t = k − 1 shares represents the maximal level of exposure under which the secret remains unrecoverable. This scenario defines the upper bound of risk considered in the passive threat model.

5.3.2. Analysis of Resistance to Secret Recovery

Assume that each participant’s share is formed as a linear combination of the secret components: $y_i=(a_{i1}{s}_1+a_{i2}{s}_2+\cdots +a_{ik}{s}_k)mod\hspace{0.17em}\hspace{0.17em}q$, where $a_{ij}\in Z_q$ are coefficients generated by the PRNG.

Suppose an adversary has access to $t<k$ such equations and the corresponding rows of the coefficient matrix. In this case, the attacker has a system of $t$ linear equations with k unknowns. This system is underdetermined and has $q^{k-t}$ solutions over the field $Z_q$, making the recovery of the exact secret vector $\overrightarrow{s}$ computationally infeasible without additional information.

Even if the attacker obtains t linearly independent equations, the solution space remains exponentially large:

$$\left|A_t\right|=q^{n-t}$$

This makes the precise recovery of the secret vector $\overrightarrow{s}$ practically impossible in the absence of side-channel information.

Now consider the edge case in which the attacker gains access to the maximum number of linearly independent equations, $t=k-1$, from the system:

$$y_i={\sum }_{j=1}^k{a}_{ij}{s}_{j}mod q, i=1, 2, \dots , k-1,$$

along with the corresponding coefficient rows $a_{ij}\in Zq$. The attacker’s goal is to recover one or more components of the secret vector $\overrightarrow{s}=(s_1,s_2,\dots ,s_k)\in Z_q^k$.

This system consists of $k-1$ linear equations with $k$ unknowns over the finite field $Z_q$. The general solution of such a system forms a one-dimensional affine subspace—that is, a line in $Z_q^k$, parameterized by a single variable.

Thus, the attacker can express the solution set as:

$$\overrightarrow{s}={\overrightarrow{s}}_0+\lambda ·\overrightarrow{v}, \lambda \in Z_q$$

where ${\overrightarrow{s}}_0$ is a particular solution, and $\overrightarrow{v}$ is a nonzero vector from the null space of the coefficient matrix.

Probability of Secret Guessing. Suppose that an attacker chooses a random value of the parameter $\lambda \in Z_q$, thereby obtaining one of $q$ possible solutions.

Since there is only one correct secret among the q candidates, the probability of guessing one of the components s_i (even with knowledge of the remaining $k-1$ components) is: $P(true,s_i)={\displaystyle \frac{1}{q}}$.

If the attacker repeats the guessing attempts independently, the probability of success within r tries is given by $P_r=1-{(1-1/q)}^r$. This probability remains negligible for large values of $q$ (e.g., $q\ge 2^{128}$).

Even in the boundary case where $t=k-1$, the system remains underdetermined, and the solution space has cardinality $q$. Without additional information, recovering the exact secret vector is infeasible. The probability of correctly guessing any component of the secret vector remains $P={\displaystyle \frac{1}{q}}$, which makes such an attack practically impossible for sufficiently large $q$.

Therefore, the proposed scheme provides guessing-level cryptographic security comparable to that of Shamir’s scheme when fewer than $k$ shares are available.

5.4. Performance Evaluation

To assess the efficiency of the proposed secret sharing scheme based on linear functions and a PRG, a comparison was carried out with both classical and modern approaches—namely, Shamir’s scheme and Blakley’s scheme. The comparison covers both the theoretical computational complexity and the estimated practical execution times.

Table 1. Asymptotic complexity of operations (where n is the number of participants, $k$ is the reconstruction threshold, and $q$ is the modulus).

Scheme	Share Generation	Secret Reconstruction	Share Verification
Proposed Scheme	$O\left(nk\right)$	$O\left(k^3\right)$ (Gaussian elimination)	$O\left(logq\right)$
Shamir’s Scheme	$O\left(nk\right)$	$O\left(k^2\right)$ (interpolation)	Absent
Blakley’s Scheme	$O\left(nk\right)$	$O\left(k^2\right)$	Absent

presents asymptotic complexity estimates for the key stages of each scheme: share generation, secret reconstruction, and verification. To ensure an objective performance evaluation, the implementations were developed in C++ using the Microsoft Visual Studio integrated development environment. The experiments were carried out at the Information Security Laboratory, Institute of Information and Computational Technologies, Almaty, Kazakhstan on a system with the following specifications: Windows 10 Pro (version 22H2), 64-bit operating system, Intel(R) Core(TM) i5-7500T CPU @ 2.50 GHz, and 8.00 GB RAM.

Table 2. Empirical performance estimation (for $n=50$, $k=10$, $q=2^{128}$).

Scheme	Generation (ms)	Verification (ms)	Reconstruction (ms)
Proposed Scheme	0.5–1.0	1.0	2.5–5.0
Shamir’s Scheme	0.5–1.0	absent	1.5–2.0
Blakley’s Scheme	0.5–1.0	absent	3.0–6.0
YCH Scheme [16]	0.5 –1.0	3.9	3.5–6.5
VESSIS Scheme [17]	1.2–2.0	0.8–1.2	2.0–4.0

shows approximate execution times for the main stages. These estimates are based on simulation on a standard CPU with a clock speed of 2.5 GHz and typical execution times for basic operations (modular arithmetic, exponentiation, hashing).

The proposed scheme demonstrates high computational efficiency and good scalability, especially in the share generation and secret reconstruction stages. Unlike classical schemes, it supports built-in share authenticity verification and protects the coefficient structure using a PRNG, enhancing resistance to compromise. These features make the scheme well-suited for environments with limited resources and stringent cryptographic security requirements.

Table 3. Comparison of Security Properties of Secret Sharing Schemes.

Security Property	Shamir’s Scheme	Blakley’s Scheme	Proposed Scheme
Information-theoretic secrecy	+	+	+
Share authentication by participant	−	−	+
Share authentication by dealer	−	−	+
Participant authentication	−	−	+
Resistance to share forgery	−	−	+
Reusability without regenerating shares	−	−	+

below presents a comparative summary of essential security-related characteristics across three secret sharing schemes: Shamir’s scheme, Blakley’s scheme, and the proposed scheme. This comparison highlights the specific improvements offered by our design, particularly in terms of share authentication, participant verification, and resistance to forgery.

As shown in the table, the proposed scheme extends the security capabilities of classical approaches by incorporating multiple verification mechanisms and enabling practical resilience against forgery and unauthorized reconstruction. These properties significantly enhance their applicability in modern distributed.

6. Conclusions

The proposed secret sharing scheme combines implementation simplicity with a high level of security. By employing a deterministic PRNG and multivariate linear functions, it eliminates the need to store the coefficient matrix, which enhances both the system’s security and performance.

Built-in mechanisms for participant authentication and share verification further increase the scheme’s reliability, making it suitable for high-trust environments, including distributed computing systems and resource-constrained devices. All components of the scheme—from share generation to secret reconstruction—rely on well-established and widely implementable algorithms, facilitating practical deployment.

The scheme is resistant to cryptanalytic attacks provided the following conditions are met:

• A cryptographically secure PRNG is used;
• Coefficient generation parameters remain confidential;
• Linearly independent equations are selected correctly.

If fewer than k shares are intercepted, secret recovery remains impossible. The share verification mechanism ensures protection against forgery. Thus, the scheme achieves a high level of cryptographic robustness, approaching information-theoretic security under a constrained threat model. Since each share is authenticated, an attacker cannot recover the secret using falsified data. Moreover, the use of PRNG prevents the reconstruction of the coefficients even when some shares are known. As a result, the scheme is resilient to partial leakage and protected against replay attacks.

All computations are performed modulo q, which simplifies implementation. The scheme exhibits moderate computational complexity, and its core components—pseudorandom number generators, hash functions, and basic linear algebra routines—are commonly available in standard cryptographic libraries. This allows for implementation across various software and hardware platforms, including those with limited computational resources.

The share generation process consists of computing a linear function and one hash value, verification requires a single modular equality check, and secret recovery involves solving a system of k linear equations (using Gaussian elimination or matrix inversion). These characteristics yield linear complexity for both generation and reconstruction, making the scheme practical for real-world applications.

The strong points of the developed scheme are its high cryptographic resilience, achieved through the encryption of shares using individual keys, which prevents secret recovery without the corresponding key, and robust participant authentication based on unique hash identifiers and digital signatures, effectively mitigating replay and impersonation attacks. Resistance to man-in-the-middle attacks is ensured by the fact that intercepted data cannot be exploited without private keys at any stage, from registration to secret reconstruction. Additional protection is provided by the scheme’s collusion resistance mechanism, as the coefficients required for secret recovery are stored exclusively by the dealer and are never disclosed. The design incorporates proactive security features, enabling the replacement of compromised participants without affecting operational integrity, along with dynamic scalability, whereby shares for new participants can be generated without redistributing those already issued. This approach ensures long-term cryptographic robustness, flexibility, and system resilience under dynamic participant changes.

Overall, the proposed secret sharing method can be considered an efficient alternative to existing schemes, particularly in the context of secure distributed systems. The results presented open the door for further research, including parameter optimization and adaptation to specific tasks in the field of information security.

Beyond its theoretical contribution, the proposed scheme also has practical relevance for several domains. In IoT systems, its lightweight design and built-in verification mechanisms make it suitable for resource-constrained devices. In blockchain platforms, the ability to authenticate participants and the robustness against forgery strengthen trust in decentralized applications.

7. Future Work

It should be noted that the performance evaluation was carried out on a standard CPU platform to ensure comparability with classical schemes. While the obtained results confirm the computational efficiency of the proposed method, future experiments on real IoT devices and distributed cloud infrastructures are necessary to fully validate its applicability under resource-constrained conditions.

Another important direction for future research is the extension of the threat model to active adversaries acting in collusion. While the current study considers passive attackers intercepting fewer than k shares, in practice there may be scenarios where t − 1 participants collude to forge authentication or inject invalid shares.