Role-Based Efficient Proactive Secret Sharing with User Revocation

Abstract

Proactive secret sharing (PSS), an extension of secret-sharing schemes, safeguards sensitive data in dynamic distributed networks by periodically refreshing shares to counter adversarial attacks. In our previous work, we constructed a non-interactive proactive secret scheme by integrating threshold homomorphic encryption (ThHE) while reducing the communication complexity to $O\left(n\right)$. Not only is refreshing shares important but revoking the shares of users who have left the system is also essential in practical dynamic membership scenarios. However, the previous work was insufficient for supporting explicit user revocation. This study strengthens the description of roles for authorized users and proposes a scheme to achieve non-interactive share refresh and dynamic user management. In each epoch, authorized users are classified into three roles: retain, newly join, and rejoin, and they receive a broadcast of the compact ciphertext encoding both the refresh information and the revocation instructions from the trusted center (dealer). Authorized users independently derive new shares through homomorphic computations, whereas revoked users are unable to generate new shares. Hash functions are used to bind revocation parameters to the cryptographic hashes of valid users in order to guarantee integrity during revocation, allowing for effective verification without compromising non-interactivity. Our new scheme not only extends the revocation structure but also preserves the $O\left(n\right)$ communication complexity.

1. Introduction

The $k$-out-of-$n$ threshold cryptography, such as the Shamir Secret-Sharing (SSS) [1] scheme, is a fundamental cryptographic primitive that shares a secret among n users. To obtain a secret from ciphertext with this system, k or more users need to collaborate, whereas fewer than k users cannot gain any information about the secret. The proactive secret-sharing (PSS) [2] scheme is a tool for ensuring long-term security in threshold systems by periodically refreshing shares and preventing adversaries from gradually accumulating k corrupted shares to reconstruct the secret.

However, the traditional implementation of PSS faces two major challenges. First, each refresh cycle requires numerous rounds of interaction among all valid users to generate new shares. This interaction incurs high bandwidth costs and causes vulnerabilities, such as synchronization delays. Second, the existing schemes assume a fixed set of users, making them unsuitable for dynamic environments in which users may join or leave. In practice, such as in a blockchain consortium where multiple committee members jointly manage the signing key of a threshold-controlled wallet, the key is split into n shares and requires a threshold number of valid shares to reconstruct. This mechanism prevents any single party from unilaterally controlling the wallet. In such scenarios, the ability to revoke a compromised user and refresh shares is essential. Without revoking compromised users, they might misuse their shares to reconstruct the secret or disrupt system operations. PSS schemes provide share-refresh mechanisms that renew the shares without altering the original secret, but this operation typically requires all the users to be involved. Consequently, an adversary can exploit compromised users to obtain new shares and attack the system. However, the current PSS protocols do not provide an efficient method for supporting non-interactive share refresh with user revocation. Therefore, we extend our previous work [3] with hash-based instructions to support dynamic user revocation.

Furthermore, we extend the concept of user revocation to dynamic membership management to support practical dynamic membership scenarios. Specifically, users are divided into valid users and revoked users accordingly across consecutive system epochs. Valid users are classified into three roles: retain, newly join, and rejoin. At the beginning of each epoch, the dealer determines the update scheme and broadcasts the information so that valid users can perform share refresh independently using threshold homomorphic computations, whereas revoked users cannot refresh shares. Our key contributions are as follows:

• A unified fresh revocation protocol. We extend the original non-interactive refresh mechanism by incorporating user-revocation capabilities, enabling simultaneous share refresh and valid-user-set updates through a single broadcast. In this process, a trusted dealer prepares and broadcasts a compact message containing the encrypted refresh arrays for share refresh and a hash-based valid-user set. Each user can independently refresh their shares by performing homomorphic computations on the encrypted arrays, whereas the shares of revoked users are rendered cryptographically invalid.
• Role-based dynamic membership management. In this study, users are categorized into three roles during each epoch to enable fine-grained dynamic user management:

  -

  Retain. Retain refers to those who are present in both epochs t and $t-1$. Such users refresh their shares by performing homomorphic computations on their shares and encrypted array $\Delta$.

  -

  Newly Join. In this paper, newly join refers to users who join the system for the first time in epoch t. These users are provided with the encrypted array $\mathrm{\Psi }$ to generate their shares for this epoch.

  -

  Rejoin. Rejoin refers to revoked users who are reauthorized at epoch t. In some practical multi-party scenarios, participants may temporarily leave the system due to reassignment. Treating each return as newly join would cause avoidable overhead. To address this issue, the proposed method provides an encrypted array $\mathrm{\Gamma }$ for those users who refresh their shares in a short absence.

• Security and efficiency. Homomorphic computations reduce dealer participation while maintaining consistency throughout refresh cycles. Our method enables dynamic threshold changes in each epoch, allowing the system to adjust its security level flexibly over time while ensuring consistent share generation. Even if a user is revoked after corruption, their past and future shares cannot be combined to reconstruct the secret. Cryptographic hashing ensures the integrity of a valid-user set and prevents unauthorized modifications.

2. Preliminaries

2.1. Shamir Secret Sharing (SSS)

SSS schemes were originally introduced by Shamir [1] and Blakery [4] independently in 1979 as a cryptography for dividing a secret m into n shares distributed among a set of authorized users. Such schemes are also called $(k, n)$-threshold schemes, in which any k or more than k shares can reconstruct the secret m, whereas subsets with fewer than k shares cannot gain any information about the secret. The threshold k is typically set to ${\displaystyle \frac{n}{2}}$ or ${\displaystyle \frac{n}{3}}$.

Definition 1 (Access Structure, Distribution Scheme).

Let $\mathbb{P}=\{1, 2, \dots , n\}$ be a finite set of user indices. An access structure is a monotone collection $\mathcal{A}$ of non-empty subsets of $\mathbb{P}$. Sets in $\mathcal{A}$ are called authorized, and sets not in $\mathcal{A}$ are called unauthorized.

In a $(k, n)$-threshold scheme, authorized sets are all sets whose size is larger than the threshold. Therefore, ${\mathcal{A}}_k=\{\mathcal{A} \subseteq \mathbb{P}:|\mathcal{A}| \ge k\}$, where $1 \le k \le n$ is an integer. Only subsets in ${\mathcal{A}}_k$ can reconstruct the secret.

Example 1. 

Consider a $(2 ,3)$-threshold scheme with user index set $\mathbb{P}=\{1, 2, 3\}$. The authorized sets are all subsets of $\mathbb{P}$ with a size of at least two: ${\mathcal{A}}_2=\{\{1, 2\},\{2, 3\},\{1, 3\},\{1, 2, 3\}\}$.

The $(k, n)$-threshold scheme consists of two main phases: share generation and reconstruction. In the share generation phase, the dealer generates a random polynomial $f\left(x\right)$ of degree $k-1$ over a finite field ${\mathbb{Z}}_p$, where p is a prime number. The secret m is embedded as the constant term, and the remaining $k-1$ coefficients are chosen randomly from ${\mathbb{Z}}_p$.

$$f\left(x\right)=m+{\alpha }_{1}x+{\alpha }_2{x}^2+\cdots +{\alpha }_{k-1}{x}^{k-1}modp.$$

(1)

where ${\alpha }_1,\dots ,{\alpha }_{k-1}\in {\mathbb{Z}}_p$.

$$f\left(0\right)=m.$$

(2)

In particular, the dealer calculates the sharing polynomial $f\left(x\right)$ at each user index $i\in \{1,\dots ,n\}$ to generate the shares and distribute them to each user i. As shown in Figure 1, each user i has the share $shar{e}_i$, where $shar{e}_i=(i, f\left(i\right))$, which corresponds to a point in the polynomial of sharing.

The SSS schemes divide the secret m into several shares, and each user only has a fragment of the secret. A single share or any collection of fewer than k shares does not reveal any information about the secret. This threshold property guarantees the information security.

The secret m can be reconstructed using the Lagrange interpolation formula when any authorized subset of at least k shares is available. Formally, given a set of shares $\mathcal{B}=\left\{shar{e}_1,\dots ,shar{e}_k\right\}$, the calculation is as follows:

$$\begin{array}{cc}\hfill f\left(x\right)=& {\displaystyle \frac{(x-x_2)(x-x_3)\cdots (x-x_k)}{(x_1-x_2)(x_1-x_3)\cdots (x_1-x_k)}}f\left(x_1\right)+\cdots +{\displaystyle \frac{(x_k-x_1)(x_k-x_2)\cdots (x_k-x_{k-1})}{(x_k-x_1)(x_k-x_2)\cdots (x_k-x_{k-1})}}f\left(x_k\right)\hfill \\ \hfill =& \sum _{j=1}^k\left(f\left(x_j\right)\prod _{l=1,l\ne j}^k{\displaystyle \frac{x-x_l}{x_j-x_l}}\right).\hfill \end{array}$$

(3)

Since $f\left(0\right)=m$, pick k shares and then calculate the secret m.

$$m=\sum _{i=1}^k\left(f\left(i\right)\prod _{j=1,j\ne i}^k{\displaystyle \frac{j}{j-i}}\right).$$

(4)

2.2. Proactive Secret Sharing

PSS [2,5,6,7,8,9,10] is an extension of SSS designed to address long-term security issues by periodically updating the shares without altering the original secret. The update process in PSS typically involves the following steps.

• Share Generation. The initial generation and distribution of shares employ SSS schemes, as detailed in Section 2.1.
• Share Refresh. During the refresh phase, each user generates refresh components for each participant, including themselves, and sends them to their corresponding users. Each user collects all of the received components along with their current share to refresh their share. This process updates the shares while preserving the original secret m.
• Reconstruction. The updated shares are combined to reconstruct the secret m using the Lagrange interpolation formula (3).

PSS enhances system security by periodically refreshing the shares, ensuring that the secret m remains unrecoverable unless the adversary compromises k shares within the same epoch. Even if k shares are collected during different epochs, the secret cannot be reconstructed. However, this approach requires each user to exchange update components with all others during every refresh, resulting in high communication overhead.

2.3. Hash Function

Cryptographic hash functions [11] are fundamental primitives in modern security protocols that provide fixed-length collision-resistant mappings from arbitrary inputs to bit-strings. A secure hash H must satisfy the following three core properties.

• Preimage Resistance. Given a digest y, it is computationally infeasible to find any x such that $H\left(x\right)=y.$
• Second Preimage Resistance. Given input x, it is infeasible to find a different $x^{\prime }\ne x$ with $H\left(x^{\prime }\right)=H\left(x\right)$.
• Collision Resistance. It is infeasible to find any pair $(x,x^{\prime }),x\ne x^{\prime }$ such that $H\left(x^{\prime }\right)=H\left(x\right)$.

In dynamic user management, hash functions play a crucial role in ensuring data authenticity and tampering resistance. They are used to bind public information, such as user lists, to compact and verifiable representations. For example, Merkle trees [12] leverage collision-resistant hash functions to enable efficient membership proofs in large sets, and cryptographic accumulators offer constant size commitments with support for membership verification. In this study, hash functions were employed to bind the authorized user information broadcast by the dealer in each epoch, ensuring data integrity during user revocation.

2.4. Homomorphic Encryption

Homomorphic encryption [13,14,15,16] enables computations to be performed directly on encrypted data without requiring decryption. In this study, we briefly review the BFV scheme [17,18] as an instantiation to explain how addition and multiplication operations are processed on encrypted data.

• BFV.Setup($1^{\lambda },1^L$): Given the security parameter $\lambda$ and a multiplicative depth L, choose a cyclotomic polynomial $\mathrm{\Phi }\left(x\right)=x^d+1$, where d is the power of 2. Choose the ciphertext modulus q and plaintext modulus p. Define $R=\mathbb{Z}\left[x\right]/\mathrm{\Phi }\left(x\right)$ as a polynomial ring of degree d with integer coefficients. Moreover, $R_q={\mathbb{Z}}_q\left[x\right]/\mathrm{\Phi }\left(x\right)$. Generate the error distribution $\chi$ and key distribution $\zeta$ over $R_q$. Finally, output $pp=\left(d, q, p, \zeta , \chi \right)$ as the public parameters. We assume all following algorithms implicitly take $pp$ as an input.
• BFV.KeyGen($pp$): Given public parameters $pp$, sample a secret $s\leftarrow \zeta$, an element $a\leftarrow R_q={\mathbb{Z}}_q\left[x\right]/\mathrm{\Phi }\left(x\right)$, and a small noise $e\leftarrow \chi$. Set the secret key as $sk=s$ and the public key as $pk=(b, a)\in R_q^2$, where $b=-as+e(modq)$.
• BFV.EvalKeyGen(s): Given the secret key s, generate the evaluation key as $ek=(\tilde{b},\tilde{a})$, where $\tilde{a}\leftarrow R_q^l$, $\tilde{e}\leftarrow {\chi }^l$, and set $\tilde{b}=\tilde{a}·s+\tilde{e}+g·s^2(modq)$, where $g=(1,G,G^2,\dots ,G^{l-1})$ is a fixed gadget vector with base G and l is the gadget dimension. Output $ek=(\tilde{b},\tilde{a})$.
• BFV.Enc($pk,\mu$): Given a public key $pk=(b,a)$ and a plaintext $\mu \in R_p$, sample a random $r\in \zeta$ and noise elements $e_0,e_1\leftarrow \chi$. Scale up the message using a factor $\mathrm{\Lambda }=⌊{\displaystyle \frac{q}{p}}⌋$. Output the ciphertext as $\mathbf{ct}=(c_0,c_1)\in R_q^2$, where $c_0=rb+e_0+\mathrm{\Lambda }\mu$ and $c_1=ra+e_1$.
• BFV.Dec($sk,\mathbf{ct}$): Given a ciphertext $\mathbf{ct}=(c_0,c_1)\in R_q^2$ and a secret key $sk=s$, output the result $\mu =⌊{\displaystyle \frac{p}{q}}(c_0+s{c}_1)⌉$.
• BFV.Add($\mathbf{ct},{\mathbf{ct}}^{\prime }$): To add two ciphertexts $\mathbf{ct},{\mathbf{ct}}^{\prime }\in R_q^2$, output the ciphertext ${\mathbf{ct}}_{add}=\mathbf{ct}+{\mathbf{ct}}^{\prime }(modq)$.
• BFV.Mult($ek,\mathbf{ct},{\mathbf{ct}}^{\prime }$): Given two ciphertexts $\mathbf{ct},{\mathbf{ct}}^{\prime }\in R_q^2$, compute first ${\widetilde{\mathbf{ct}}}_{mult}=({\tilde{c}}_0,{\tilde{c}}_1,{\tilde{c}}_2)\in R_q^3$ by ${\tilde{c}}_0=⌊{\displaystyle \frac{p}{q}}·\left(c_0{c}_0^{\prime }\right)⌉$, ${\tilde{c}}_1=⌊{\displaystyle \frac{p}{q}}·(c_0{c}_1^{\prime }+c_1{c}_0^{\prime })⌉$, and ${\tilde{c}}_2=⌊{\displaystyle \frac{p}{q}}·\left(c_1{c}_1^{\prime }\right)⌉$. Then, calculate ${\widetilde{\mathbf{ct}}}_{mult}$ with $ek=(\tilde{b},\tilde{a})$ as follows:

  -

  Apply gadget decomposition:

  $$g^{-1}\left(\widetilde{c_2}\right)=(u_0,\dots ,u^{l-1}).$$

  -

  Output the ciphertext.

  $${\mathbf{ct}}_{mult}=({\tilde{c}}_0,{\tilde{c}}_1)+\sum _i{u}_i·(\tilde{b}\left[i\right],\tilde{a}\left[i\right])\in R_q^2.$$

The following computation confirms the correctness of the decryption process:

$$\begin{array}{cc}\hfill c_0+c_{1}s=& (rb+e_0+\mathrm{\Lambda }\mu )+(ra+e_1)s\hfill \\ \hfill =& r(b+as)+(e_0+e_{1}s)+\mathrm{\Lambda }\mu \hfill \\ \hfill =& \tilde{e}+\mathrm{\Lambda }\mu (modq).\hfill \end{array}$$

(5)

for a small error $\tilde{e}=re+e_0+e_{1}s$, and then calculate message $\mu$.

$$⌊{\displaystyle \frac{p}{q}}(\tilde{e}+\mathrm{\Lambda }\mu )⌉=\mu (modp).$$

(6)

Furthermore, this study uses ThHE [19,20,21], a variant of homomorphic encryption designed to support multi-party computations. Threshold homomorphic encryption (ThHE) is a cryptographic primitive that combines the functionality of homomorphic encryption with threshold decryption. It allows ciphertext to be processed under encryption and decrypted jointly by a group of valid users such that any coalition of fewer than k users gains nothing about the secret.

In this study, we also instantiated the ThHE scheme based on the BFV. Therefore, we only describe the additional procedures required in ThHE as follows.

• ThHE.KeyGen($pp, k, n$): Given the public parameters $pp=(d, q, p, \zeta , \chi )$ by running BFV.Setup, output n secret keys ${\left\{s{k}_i\right\}}_{i=1}^n$ and a joint public key $pk$.
• ThHE.Enc($pk,\mu$): Encrypt the message $\mu$ under the public key $pk$ by BFV.Enc; output ciphertext $\mathbf{ct}=(c_0,c_1)\in R_q^2$.
• ThHE.Eval($\mathbf{ct}, {\mathbf{ct}}^{\prime }, f, pk, ek$): Given the joint public key $pk$ and evaluation key $ek$ by running BFV.EvalKeyGen, output the evaluated ciphertext ${\mathbf{ct}}_{eval}=f(\mathbf{ct},{\mathbf{ct}}^{\prime })$. Similar to the base BFV scheme, the evaluation function f can be either homomorphic addition or multiplication.
• PartDec($s{k}_i,\mathbf{ct}$): Given a ciphertext $\mathbf{ct}$ under $pk$ and a secret share of the key $s{k}_i=s_i$, generate a decryption component as ${\sigma }_i=(c_1{s}_i+p{e}_i^{\prime })$.
• Combine(${\sigma }_i$): Combine at least k partial decryption to reconstruct m as $c_0-{\sum }_i{\sigma }_i(modp)$.

In our framework, ThHE is used to enable non-interactive and secure refresh. Compared to SSS, we improve share generation by encrypting shares using ThHE. This allows each user to process the refresh computation independently. Moreover, performing on encrypted shares enhances the security of the system. Specifically, our proposal slightly modifies the conventional ThHE structure. Each secret key $s{k}_i$ is further distributed by threshold sharing among multiple users. The complete construction process is described in detail in Section 4.

2.5. NUSS

In our previous study, we proposed a non-interactive updatable secret sharing (NUSS) [3], which enables each authorized user to refresh their share independently. In NUSS, the dealer broadcasts an encrypted update array that encodes a new set of parameters for the new threshold. Each user then performs homomorphic computations on their exiting share using the encrypted array to generate a new share. This design allows NUSS to satisfy dynamic large-scale systems by minimizing communication overhead and ensuring secure share refresh.

The main components of NUSS are

• Setup. Given public parameters consisting of SSS and ThHE, the dealer generates share $shar{e}_i=(i,{\mathbf{ct}}_i)$ for each user i. Here, ${\mathbf{ct}}_i=$ ThHE.Enc($pk, f\left(i\right)$), where $f\left(i\right)$ is the computation of (1).
• Refresh. The refresh phase is divided into two parts depending on the entity involved: the dealer side and the user side.

  -

  Dealer side. Dealer generates and broadcasts the encrypted array ${\mathbf{ct}}_{array}$, which encodes the new parameters corresponding to the new threshold.

  -

  User side. Each user computes the new share by performing the following operations:

  $${\mathbf{ct}}_i^{new}=\mathrm{ThHE}.\mathrm{Add}(\mathrm{ThHE}.\mathrm{Mult}(i,{\mathbf{ct}}_{array}),{\mathbf{ct}}_i).$$

  (7)

  where ${\mathbf{ct}}_i$ is the old share and i is the user’s public index.

• Recover. By collecting new threshold number of shares and performing PartDec in ThHE, the requester can reconstruct the message.

NUSS improves the PSS by reducing communication rounds to a single broadcast from the dealer, making it suitable for dynamic and large-scale systems where minimizing data exchange is essential. Building on NUSS, this paper introduces dynamic membership management and optimizes the share-refresh process.

3. Design of Our Proposal

This section introduces the definitions and notations used in the study, followed by a description of the proposed extension of the NUSS framework with role-based dynamic membership management model.

3.1. Notations

The integers $k,n$ denote the threshold and total user number in $(k,n)$-SS scheme. For any integer n, $\left[n\right]=\{1,2,\dots ,n\}$. We assume the network is asynchronous, the system can tolerate up to v malicious users, and that $n>3v$. For simplicity, we assume $n=3v+1$. Furthermore, it supports the reconstruction of the threshold within $[v+1,2v+1]$, which means $k\in [v+1,2v+1)$. p and q are two prime numbers, where p is for plaintext modulus used in both SSS and ThHE and q is ciphertext modulus for ThHE. The integer t denotes the current epoch of the system. The threshold at epoch t denotes $k^{\left(t\right)}$, and $t_i$ refers to the epoch from user i’s current share. The tuple $({\alpha }_1^{\left(t\right)},\dots ,{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)})\in {\mathbb{Z}}_p^{k^{\left(t\right)}-1}$ represents the coefficients of the $(k,n)$-SS polynomial of degree k in epoch t. $H\left(x\right)$ is the hash function used for identity mapping.

Table 1. Parameter description.

Notation	Description
U	U denotes the user set.
$VS$	$VS$ denotes the valid-user set; $V{S}^{\left(t\right)}$ is $VS$ in epoch t.
$\Delta$, $\mathrm{\Psi }$, $\mathrm{\Gamma }$	Arrays broadcast by the dealer for share-refresh calculations.
$v{k}_i^{\left(t\right)}$	User i’s verification key in epoch t.

lists the symbols used in role-based processing.

In our prior work, we leveraged ThHE to design NUSS, thereby addressing the issues of information leakage and high communication complexity that plague traditional PSS. Specifically, by performing updates homomorphically on encrypted shares, NUSS achieves non-interactive share refresh while reducing the overall number of secure channels required. In this study, we extend the NUSS framework by introducing a dynamic membership module. Authorized users are classified into three roles (e.g., retain, newly join, and rejoin), and a hash function is employed to manage user identities and verify the user-revocation status without communication with other users. This extension enables NUSS to support user joins and revocations without sacrificing security or efficiency.

3.2. Dynamic Membership Models

Whereas the prior NUSS framework assumes a fixed set of users, practical distributed systems often face dynamic user management, including user join, revoke, and rejoin across different operational epochs. To address these challenges, we extend NUSS with a dynamic membership model that introduces user classification and update control mechanisms. In this model, users are categorized according to their status in each epoch. The dealer broadcasts distinct arrays for different user roles, and each user determines the appropriate update operation based on their own epoch of their current share. This process allows users to autonomously update their shares without additional interaction while ensuring that only valid users can participate in the update protocol.

Figure 2 illustrates the key components of the dynamic membership workflow and highlights potential threat points. The dealer broadcasts update information to reduce communication complexity, while defining three user roles enables dynamic membership management and ensures that only authorized users can refresh their shares independently.

3.2.1. Role-Based User Model

In each epoch t, the dealer maintains a list of valid users $V{S}^{\left(t\right)}$ and classifies all users into three roles according to their epoch:

• Retain ($U_{ret}$). Users who belong to both the current valid set $V{S}^{\left(t\right)}$ and the previous valid set $V{S}^{(t-1)}$, defined as $U_{ret}=V{S}^{\left(t\right)}\cap V{S}^{(t-1)}$. For each user $i\in U_{ret}$, the user i’s epoch $t_i$ satisfies $t_i+1=t_{VS}$, where $t_{VS}$ denotes the current epoch of $V{S}^{\left(t\right)}$. The dealer generates an array $\Delta$ for such users’ share refresh.
• Newly join ($U_{new}$). Users who join the system for the first time in the epoch t, defined as $U_{new}=V{S}^{\left(t\right)}\setminus {\cup }_{j=1}^{t-1}V{S}^{\left(j\right)}$, where ${\cup }_{j=1}^{t-1}V{S}^{\left(j\right)}$ denotes the union of all valid-user sets prior to epoch t. For each user $i\in U_{new}$, $t_i$ satisfies $t_i=t_{VS}$. The dealer generates array $\mathrm{\Psi }$ for such users’ share refresh.
• Rejoin ($U_{rej}$). Users who previously revoked but rejoin in the current epoch valid set $V{S}^{\left(t\right)}$, defined as $V{S}^{\left(t\right)}\cap RL$, where $RL$ is revocation list maintained by the dealer. For each user $i\in U_{rej}$, $t_i\le t_{VS}$. The dealer offers either $\mathrm{\Gamma }$ or $\mathrm{\Psi }$ for such users based on the duration of the user’s absence. Note that $\mathrm{\Psi }$ is the same array used for $U_{new}$. Users in $U_{rej}$ represent participants who experienced short absences and thus stayed within the secure refresh duration. Such users do not require full redistribution as users in $U_{new}$. Therefore, those shares can be refreshed using a specific array without incurring additional overhead.

Table 2. User roles.

Role	Descriptions	Epoch Relations 1	Array
$U_{ret}$	Users in $V{S}^{\left(t\right)}$. $U_{ret}=V{S}^{\left(t\right)}\cap V{S}^{(t-1)}$	$t_i+1=t_{VS}$	$\Delta$
$U_{new}$	Users added in $V{S}^{\left(t\right)}$. $U_{new}=V{S}^{\left(t\right)}\setminus \left({\cup }_{j=1}^{t-1}V{S}^{\left(j\right)}\right)$	$t_i=t_{VS}$	$\mathrm{\Psi }$
$U_{rej}$	Revoked users reauthorized. $V{S}^{\left(t\right)}\cap RL$ 2	$t_{VS}-t_i<⌊{\displaystyle \frac{k^{\left(t\right)}}{3}}⌉$	$\mathrm{\Gamma }$
		$t_{VS}-t_i>⌊{\displaystyle \frac{k^{\left(t\right)}}{3}}⌉$	$\mathrm{\Psi }$

Note: This table shows the roles of users in the valid-user set in epoch t. ¹ Epoch relations describe the relations between the epoch of each user role and the epoch of the valid set before the share refresh in epoch t is performed. ² $RL$ denotes revocation list maintained by dealer.

represents the three user roles and their corresponding arrays used for share refresh. A notable design is in the treatment of rejoining users. Like newly join users ($U_{new}$), rejoin users ($U_{rej}$) are not in the valid set $V{S}^{(t-1)}$ and thus cannot use the array $\Delta$ generated for retain users. This difference is crucial as the NUSS design assumes a uniform user role and provides only one single array for all users’ share refresh. However, rejoin users differ from newly join users in that they have old shares. To address this, the dealer provides different arrays based on the duration of the user’s absence. If the absence exceeds ${\displaystyle \frac{k^{\left(t\right)}}{3}}$, the user performs share refresh using $\mathrm{\Psi }$ as a newly join user. Otherwise, $\mathrm{\Gamma }$ is used for share refresh.

In this design, each user is associated with the corresponding array for share refresh, which is generated and broadcast by the dealer. The refresh process is subsequently performed by each user independently. Therefore, the communication complexity for share refresh is $O\left(n\right)$ as in NUSS.

3.2.2. Epoch-Based Scheme

The proposed method operates in discrete periods called epochs, during which the user membership remains stable. At the beginning of each epoch, a trusted participant, known as the dealer, broadcasts two components related to share refresh and user revocation: a set of arrays for share refresh and a list of valid users.

To support dynamic threshold policies, the protocol defines a non-decreasing threshold sequence $\kappa =\left(k^{\left(1\right)},k^{\left(2\right)},\dots \right)$, where $k^{\left(t\right)}\in \left[n\right]$ denotes the threshold used in epoch t.

Definition 2 (Dynamic Role-Based PSS with User Revocation). 

The protocol consists of a tuple of probabilistic polynomial time algorithms (Setup, Share, Refresh, Revoke, Recover).

• $\mathit{Setup}\left(1^{\lambda }\right)\to pp$: The $setup$ takes the security parameter and outputs the public parameters.
• $\mathit{Share}\left(pp\right)\to \{shar{e}_1^{\left(1\right)},\dots ,shar{e}_n^{\left(1\right)}\}$: Given the public parameters, $share$ generates and distributes initial shares for each user in the first epoch.
• $\mathit{Refresh}\left({\left\{shar{e}_i^{(t-1)}\right\}}_{i\in VS}\right)\to {\left\{shar{e}_i^{\left(t\right)}\right\}}_{i\in VS}$: $refresh$ allows valid users to update their shares from epoch $t-1$ to epoch t non-interactively.
• $\mathit{Revoke}(VS,i)$: Determines user membership status for the new epoch.
• $\mathit{Recover}\left({\left\{shar{e}_i^{\left(t\right)}\right\}}_{i\in \mathcal{B}}\right)\to m$: Reconstructs the secret from authorized set $\mathcal{B}$ from epoch t.

Building on NUSS, we introduce a revoke model that preserves the broadcast communication pattern and low complexity while maintaining secure non-interactive share refresh. Moreover, we use a hash function to ensure the integrity of the valid-user set ($VS$). The following section formally describes the proposed protocol algorithms.

4. Protocol Details and Construction

This section provides the detailed construction of the proposed protocol. Building on the definitions in Section 3, we elaborate on the concrete design of each algorithm in the protocol tuple (Setup, Share, Refresh, Revoke, Recover). The main idea is to upgrade the SSS scheme from $(k^{(t-1)},n)$ to $(k^{\left(t\right)},n)$, where $k^{(t-1)}\le k^{\left(t\right)}$ according to the non-decreasing threshold sequence $\kappa ={\displaystyle \left(k^{\left(1\right)},k^{\left(2\right)},\dots \right)}$. At the beginning of each epoch, the dealer broadcasts the valid-user list along with arrays for share refresh. Each user locally verifies their status and refreshes their share using homomorphic computations.

4.1. Setup Phase

The setup algorithm initializes the public parameters $pp$. Given a security parameter $\lambda$ and a multiplicative depth L, the dealer generates

$$pp=\left(k, n, p, q, d, \zeta , \chi , t, H\left(x\right)\right).$$

1.

SSS parameters.

• The plaintext modulus p is used to define the finite field ${\mathbb{Z}}_p$ for SSS and also as the plaintext space in ThHE.
• Fix the initial threshold k and total number of users n. Here, k denotes the initial threshold (e.g., $k=k^{\left(1\right)}$), which corresponds to the first element of the threshold sequence $\kappa =\left(k^{\left(1\right)},k^{\left(2\right)},\dots \right)$ defined in Section 3.2.

2.

ThHE parameters.

• Instantiate ciphertext modulus q and the polynomial ring $R_q={\mathbb{Z}}_q\left[X\right]/(X^d+1)$. Moreover, $\zeta$ and $\chi$ are distributions of ThHE keys and errors over polynomial ring $R_q$, respectively.
• p denotes the plaintext modulus of ThHE, where $p\ll q$.

3.

Public parameters instantiate a hash function $H:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$ and epoch t.

4.2. Share Generation

The share algorithm creates and distributes each user’s initial share and other components for epoch $t=1$. On the input of public parameters $pp=\left(k, n, p, q, d, \zeta , \chi , t, H\left(x\right)\right)$, the dealer processes the following:

1.

Polynomial Sampling: Sample ${\left\{{\alpha }_i^{\left(t\right)}\right\}}_{i\in [k^{\left(t\right)}-1]}\leftarrow {\mathbb{Z}}_p$ as the coefficients of polynomial for the initial epoch $t=1$ with secret $m\leftarrow {\mathbb{Z}}_p$.

$$f\left(x\right)=m+{\alpha }_1^{\left(t\right)}x+\cdots +{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}{x}^{k^{\left(t\right)}-1}modp.$$

(8)

2.

Share Computation: In SSS scheme, $f\left(i\right)$ is the share distributed to each user. In this proposal, each user $i\in \left[n\right]$ uses ThHE to reprocess the $f\left(i\right)\in {\mathbb{Z}}_p$.

• Dealer generates ThHE key pairs for n users: $\left((pk,s{k}_1),\dots ,(pk,s{k}_n)\right)$, where $s{k}_i=s_i$ and $pk=\left({\sum }_{i=1}^n\left({\eta }_{i}a{s}_i+e_i\right),a\right)$, by performing ThHE.KeyGen($pp$), where ${\eta }_i$ denotes i-th Lagrange coefficient.
• Reprocess $f\left(i\right)$ with $pk$:

  $${\mathbf{ct}}_i\leftarrow \mathrm{ThHE}.\mathrm{Enc}(pk,f\left(i\right)).$$

  (9)

3.

Distribute the share to i-th user:

$$shar{e}_i^{\left(1\right)}=\left(i,{\mathbf{ct}}_i,(pk,s{k}_i),H\left(x\right),1\right).$$

(10)

4.3. Revoke and Refresh

This section jointly describes the revoke and refresh algorithms since their operations are performed synchronously during each epoch. At the beginning of each epoch, the dealer generates the current valid-user set and the corresponding arrays for each role, then broadcasts them to network. Each user non-interactively determines their role by calculating the function $Rev$ and obtains their new share based on the broadcast message. The revoke and refresh algorithms are thoroughly explained below based on their different execution perspectives: the dealer side and the user side.

The following describes the operations performed by the dealer and the users during epoch t ($t>1$) in both revoke and refresh.

4.3.1. Dealer Side

The main task of dealer in revoke and refresh is to generate the data required for user operation.

1.

Revoke by dealer. The valid-user set $V{S}^{\left(t\right)}$ is determined by the dealer at epoch t, and each user ID i is encoded using a hash function.

$$h_{VS}^{\left(t\right)}=\left\{h_i^{\left(t\right)}\right|i\in VS\}.$$

(11)

where

$$h_i^{\left(t\right)}=H(i\parallel t).$$

(12)

2.

Refresh by dealer. In the refresh procedure, the dealer generates the arrays required for user share-refresh operations based on user roles, which are determined by the dealer. A new threshold $k^{\left(t\right)}$ is set for epoch t. The dealer’s operations in the refresh phase are described as follows.

• Generates new polynomial for new scheme $(k^{\left(t\right)},n)$:

  $$f^{\left(t\right)}\left(x\right)=m+{\alpha }_1^{\left(t\right)}x+\cdots +{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}{x}^{k^{\left(t\right)}-1}modp.$$

  (13)
• Generates arrays for share refresh. Based on each user’s epoch $t_i$ and the valid-user set’s epoch $t_{VS}$, the dealer computes the corresponding arrays, as shown in

  Table 3. Arrays for share refresh.

  Array	Descriptions
  $\Delta$	Array for users who are authorized in both epochs t and $t-1$. $\Delta =\left({\alpha }_1^{\left(t\right)}-{\alpha }_1^{(t-1)},\dots ,{\alpha }_{k^{(t-1)}-1}^{\left(t\right)}-{\alpha }_{k^{(t-1)}-1}^{(t-1)},{\alpha }_{k^{(t-1)}}^{\left(t\right)},\dots ,{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}\right)$.
  $\mathrm{\Psi }$	Refresh array for users who first joined in system at epoch t and rejoined users. $\mathrm{\Psi }=\left(m,{\alpha }_1^{\left(t\right)},\dots ,{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}\right)$.
  $\mathrm{\Gamma }$	Refresh array for rejoined users whose absence duration is less than ${\displaystyle \frac{k^t}{3}}$. $\mathrm{\Gamma }=\left({\alpha }_1^{\left(t\right)}-{\alpha }_1^{\left(t_i\right)},\dots ,{\alpha }_{k^{\left(t_i\right)}-1}^{\left(t\right)}-{\alpha }_{k^{\left(t_i\right)}-1}^{\left(t_i\right)},{\alpha }_{k^{\left(t_i\right)}}^{\left(t\right)},\dots ,{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}\right)$.

  Note: $\left\{{\alpha }_j^{\left(t\right)}\right\}$, $\left\{{\alpha }_j^{(t-1)}\right\}$, and $\left\{{\alpha }_j^{\left(t_i\right)}\right\}$ denote the coefficients in the SSS polynomial in different epochs.

  .

  -

  For retain users $i\in U_{ret}$, who hold valid shares from epoch $t-1$, the dealer computes the difference between the polynomial coefficients of epochs t and $t-1$ to construct the array $\Delta$.

  -

  For newly join users $i\in U_{new}$, the dealer generates the array $\mathrm{\Psi }$ for their share refresh. Unlike users in $U_{ret}$ or $U_{rej}$, these users do not possess any old shares. Therefore, the array $\mathrm{\Psi }$ contains the original secret m. Nevertheless, there is no concern about the information security as the broadcast message is encrypted by ThHE.

  -

  For each rejoin user $i\in U_{rej}$, the dealer selects the array based on the duration of the user’s absence, as defined in Table 2. If the difference between user’s last epoch $t_i$ ($t_i\ge 1$) and current epoch t exceeds the limitation (e.g., $t-t_i>{\displaystyle \frac{k^{\left(t\right)}}{3}}$), the users use $\mathrm{\Psi }$ for share refresh, which is for newly join users. Otherwise, the dealer provides $\mathrm{\Gamma }$ for refresh process.

• Reprocess those arrays by $pk$.

  $$\begin{array}{cc}\hfill {\mathbf{ct}}_{\Delta }\leftarrow & \mathrm{ThHE}.\mathrm{Enc}(pk,\Delta ),\hfill \\ \hfill {\mathbf{ct}}_{\mathrm{\Psi }}\leftarrow & \mathrm{ThHE}.\mathrm{Enc}(pk,\mathrm{\Psi }),\hfill \\ \hfill {\mathbf{ct}}_{\mathrm{\Gamma }}\leftarrow & \mathrm{ThHE}.\mathrm{Enc}(pk,\mathrm{\Gamma }).\hfill \end{array}$$

  (14)
• Distribute to network.

  $$\left(h_{VS}^{\left(t\right)},t,{\mathbf{ct}}_{\Delta },{\mathbf{ct}}_{\mathrm{\Psi }},{\mathbf{ct}}_{\mathrm{\Gamma }}\right).$$

  (15)

4.3.2. User Side

In epoch t, each user i independently performs revoke and refresh computations upon receiving the broadcast message. The details are explained as follows.

1.

Revoke by user. z is a global random number generated from the dealer. Each user i generates a random number $r_i$ and calculates the function $Rev$ to determine their status.

$$Rev(i,r_i)=z\prod _{j\in h_{VS}^{\left(t\right)},{\omega }_j\ne v{k}_i}\left({\omega }_j·(1-{\displaystyle \frac{{\omega }_j}{v{k}_i}})\right).$$

(16)

where ${\omega }_j=r_i+j$, $v{k}_i=r_i+H(i\parallel t)$.

It holds that, if and only if $Rev(i,r_i)=0$, i is valid user.

$$Rev(i,r_i)=\left\{\begin{array}{cc}0,\hfill & i\in VS,\hfill \\ others,\hfill & i\notin VS.\hfill \end{array}\right.$$

(17)

2.

Refresh is calculated by the user as follows.

• Encrypt user ID array $I=\left(i,i^2,\dots ,i^n\right)$ by $pk$:

  $${\mathbf{ct}}_I\leftarrow \mathrm{ThHE}.\mathrm{Enc}(pk,I).$$

  (18)
• Calculate the encryption of array ${\mathbf{ct}}_i^{ra}$ for user i’s share refresh.

  -

  If $i\in U_{ret}$:

  $${\mathbf{ct}}_i^{ra}\leftarrow Rev(i,r_i)+\mathrm{ThHE}.\mathrm{Mult}({\mathbf{ct}}_I,{\mathbf{ct}}_{\Delta }).$$

  (19)

  -

  If $i\in U_{new}$:

  $${\mathbf{ct}}_i^{ra}\leftarrow Rev(i,r_i)+\mathrm{ThHE}.\mathrm{Mult}({\mathbf{ct}}_I,{\mathbf{ct}}_{\mathrm{\Psi }}).$$

  (20)

  Here, since users in $U_{new}$ do not contain any old shares, ${\mathbf{ct}}_i$ is set as the encryption of zero.

  -

  If $i\in U_{rej}$: Use the corresponding broadcast message to generate the i’s refresh array ${\mathbf{ct}}_i^{ra}$. Since the threshold is not exposed to users, each user attempts to use the corresponding array. If the attempt using $\mathrm{\Gamma }$ fails, the user is treated as newly join and uses $\mathrm{\Psi }$ for share refresh.

  $${\mathbf{ct}}_i^{ra}\leftarrow Rev(i,r_i)+\mathrm{ThHE}.\mathrm{Mult}({\mathbf{ct}}_I,{\mathbf{ct}}_{\mathrm{\Gamma }}).$$

  (21)

• Compute the new encryption ${\mathbf{ct}}_i^{\prime }$ for user i in epoch t.

  $$\left(\begin{array}{ccc}1& 0& 0\\ 0& 1& {\mathbf{ct}}_i^{ra}\\ 0& 0& t\end{array}\right)\left(\begin{array}{c}i\\ {\mathbf{ct}}_i\\ 1\end{array}\right)=\left(\begin{array}{c}i\\ {\mathbf{ct}}_i^{\prime }\\ t\end{array}\right).$$

  (22)
• User i updates the share for epoch t as follows.

  $$shar{e}_i^{\left(t\right)}=\left(i,{\mathbf{ct}}_i^{\prime },(pk,s{k}_i),H\left(x\right),t\right).$$

  (23)

4.4. Recover Secret

Given a set of authorized user shares $\mathcal{B}$ for epoch t, where $\left|\mathcal{B}\right|\ge k^{\left(t\right)}$, the secret m is recovered as follows:

1.

Compute Lagrange coefficients. For user $i\in \mathcal{B}$, compute the Lagrange coefficient ${\eta }_i$.

2.

The ciphertext ${\mathbf{ct}}_{res}$ of m is generated by homomorphic computations.

$${\tau }_i\leftarrow \mathrm{ThHE}.\mathrm{Mult}({\eta }_i,{\mathbf{ct}}_i),$$

$${\mathbf{ct}}_{res}\leftarrow \mathrm{ThHE}.\mathrm{Add}\left({\tau }_1,\cdots ,{\tau }_{k^{\left(t\right)}}\right).$$

(24)

3.

Reconstruct the secret m.

$${\sigma }_i\leftarrow \mathrm{PartDec}(s{k}_i,{\mathbf{ct}}_{res}),$$

$$m\leftarrow \mathrm{Combine}\left({\left\{{\sigma }_i\right\}}_{i\in \mathcal{B}}\right).$$

(25)

It is worth emphasizing that, by broadcasting arrays for share refresh to the network, each user can independently perform the processes of revoke and refresh. This design reduces the requirements of secure channels and enables secure non-interactive updates. Furthermore, the integration of ThHE ensures data confidentiality during data transmission.

5. Protocol Properties

This section presents the key properties of the proposed scheme, including security assumptions, correctness of operations, and non-interactive update procedures.

5.1. Adversary Model and Security Assumptions

This section analyzes the security properties of the proposed scheme under a threshold adversary model. We consider a standard setting in which at most ${\displaystyle \frac{k^t}{3}}$ users can be malicious in epoch t, and all communications occur over authenticated channels. The adversary is computationally bounded but may obtain shares from revoked or corrupted users and can observe all public parameters, ciphertexts, and broadcast messages. Specifically, we focus on the following properties:

• Confidentiality. The secret m remains secure from unauthorized users, including revoked or corrupted participants.
• Correctness. Valid users can correctly update their shares and reconstruct the secret after refresh and revoke operations.
• Non-repudiation. Refresh and revoke procedures performed by users individually cannot be denied due to the utilization of authenticated channels and cryptographic integrity verifications.

These features are crucial for ensuring security and correctness as the set of authorized users changes periodically. The proposed scheme satisfies semantic security by ensuring that shares from different epochs cannot be combined to expose the secret m.

Assumption A1 (Semantic Security). 

The scheme guarantees revoked user exclusion. Specifically, the secret m remains secure as long as the $k^{\left(t\right)}$ shares are not in the same epoch, even if an adversary compromises them after the update of epoch t.

Assumption A2 (Security of Refresh). 

All refresh parameters (e.g., $\Delta ,\mathrm{\Psi }$) are encrypted under ThHE. Additionally, the integrity of $VS$ used in revoke function $Rev$ is protected by hash function.

Assumption A3 (Optimal Rejoin Threshold).

The rejoin limitation $⌊{\displaystyle \frac{k^{\left(t\right)}}{3}}⌉$ is supported by following arguments.

• BFT alignment. Ensures absence duration $t\left(\le ⌊{\displaystyle \frac{k^{\left(t\right)}}{3}}⌉\right)$ implies exposure to fewer than $⌊{\displaystyle \frac{n}{3}}⌉$ malicious participants, preserving system safety.
• Information-theoretic decay. When $t\left(\ge ⌊{\displaystyle \frac{k^{\left(t\right)}}{3}}⌉\right)$, the old share becomes obsolete. Adversaries cannot cross-correlate old and new shares to recover the secret.

Under the threshold assumption, no adversary can recover the secret m unless k users in the valid set collude. The system security is guaranteed by the information-theoretic protection of SSS, ThHE, and hash function, which together prevent any leakage of secret during the user revocation and share refresh.

5.2. Correctness

In this section, we prove the correctness of the refresh and revoke procedures by presenting the corresponding theoretical derivations.

1.

Refresh Correctness. The correctness of the scheme relies on the computations in refresh process. After each user receives the encryption of the array (e.g., $\Delta$), they perform the homomorphic computations on old share and arrays to obtain new share. For simplicity, we use a retain user i and the plaintext $f\left(i\right)$ to demonstrate the correctness instead of ThHE encrypted data.

• Proof of Refresh Correctness. 

  ${\left\{{\alpha }_i^{(t-1)}\right\}}_{i\in [k^{(t-1)}-1]}$ denotes the SSS polynomial coefficients of the shares in epoch $t-1$, and ${\left\{{\alpha }_i^{\left(t\right)}\right\}}_{i\in [k^{\left(t\right)}-1]}$ denotes coefficients in epoch t, where $k^{(t-1)},k^{\left(t\right)}\in \kappa$. The old share includes

  $$\begin{array}{c}\hfill f^{(t-1)}\left(i\right)=m+{\alpha }_1^{(t-1)}i+\dots +{\alpha }_{k^{(t-1)}-1}^{(t-1)}·i^{k^{(t-1)}-1}modp.\end{array}$$

  (26)

The array $\Delta$ refers to

$$\begin{array}{c}\hfill \Delta =({\alpha }_1^{\left(t\right)}-{\alpha }_1^{(t-1)},\dots ,{\alpha }_{k^{(t-1)}-1}^{\left(t\right)}-{\alpha }_{k^{(t-1)}-1}^{(t-1)},{\alpha }_{k^{(t-1)}}^{\left(t\right)},\dots ,{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}).\end{array}$$

(27)

Then, compute with $I=\left(i,i^2,\dots \right)$ to obtain plaintext ${\mathbf{ct}}_i^{ra}$ corresponding to ${\mathbf{pt}}_i^{ra}$.

$$\begin{array}{cc}\hfill {\mathbf{pt}}_i^{ra}=& ({\alpha }_1^{\left(t\right)}-{\alpha }_1^{(t-1)})·i+\cdots +({\alpha }_{k^{(t-1)}-1}^{\left(t\right)}-{\alpha }_{k^{(t-1)}-1}^{(t-1)})·i^{k^{(t-1)}-1}+\hfill \\ \hfill & {\alpha }_{k^{(t-1)}}^{\left(t\right)}·i^{k^{(t-1)}}+\cdots +{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}·i^{k^{\left(t\right)}-1}.\hfill \end{array}$$

(28)

Generate new share $f^{\left(t\right)}\left(i\right)$:

$$\begin{array}{cc}\hfill f^{\left(t\right)}\left(i\right)=& f^{(t-1)}\left(i\right)+{\mathbf{pt}}_i^{ra}\hfill \\ \hfill =& m+{\alpha }_1^{\left(t\right)}i+\cdots +{\alpha }_{k^{\left(t\right)}-1}^{\left(t\right)}·i^{k^{\left(t\right)}-1}.\hfill \end{array}$$

(29)

□

2.

Revoke Correctness. The revoke phase relies on epoch check and the function $Rev$, and the correctness is determined by the result of $Rev$.

• Proof of Revoke Correctness. 

  Let $r_i$ be a random number generated by user i. In epoch t, all users can receive the hash of valid set $h_{VS}^{\left(t\right)}$ in epoch t and a public random number z. User i’s verification key denotes $v{k}_i=r_i+H(i\parallel t)$. If $i\in VS$, there exists $j\in VS$ with $j=i$ such that

  $$1-{\displaystyle \frac{{\omega }_j}{v{k}_i}}=0,\mathrm{where}{\omega }_j=H(j\parallel t)+r_i.$$

  (30)

Therefore, $Rev=0$ if and only if $i\in VS$; otherwise, $Rev\ne 0$. □

5.3. Non-Interactivity

The update procedure, consisting of revoke and refresh, is fully non-interactive among valid users. The proposed method enables each user to independently complete the process without exchanging any information with others. This is achieved by performing homomorphic computations for share refresh and the proposed function $Rev$ for user revocation.

6. Evaluation

6.1. Parameter Setup and Complexity Comparison

In this work, we evaluate the share-refresh and user-revocation performance of the proposed method in different schemes.

Table 4. System parameters.

Fixed Parameters
Plaintext modulus (p)		65,537
Ciphertext modulus ($lo{g}_{2}q$)		101
Threshold Settings by Number of Users
	Number of users (n)	10	60	100
Threshold	Before update	4	20	34
	After update	5	21	35

presents the primary parameter settings used in the experiments for each sharing scheme and ThHE. For each number of users $n\in \{10,60,100\}$, the initial threshold was set to $⌊{\displaystyle \frac{n}{3}}⌉$. For simplicity, the threshold was increased by one after each update. The plaintext modulus p is 65537, and the ciphertext modulus q is expressed as $lo{g}_{2}q=101$. Moreover, our experiments are designed to examine the scalability of the refresh and revoke procedures; the ThHE parameters are kept fixed in all experiments.

Building on our previous work involving NUSS, we compare the communication complexity with well-known PSS schemes: CHUrn-Robust Proactive Secret Sharing (CHURP) [22] and Dynamic Proactive Secret Sharing for Confidential BFT Services (COBRA) [23]. CHURP is a protocol designed to optimize the share refresh in secret-sharing schemes by leveraging a hybrid on-chain and off-chain communication model to minimize communication costs. In our comparison, we focus on the off-chain communication component of the CHURP. Our proposed scheme maintains the same communication complexity $O\left(n\right)$ as NUSS while also embedding a dynamic user-revocation model.

Table 5. Comparison of communication complexity and revocation support in PSS schemes.

PSS Scheme	Communication Complexity	Update Type	Dynamic User Revocation Supported
CHURP [22]	$O\left(n^2\right)$	Interactive	No
COBRA [23]	$O\left(n^3\right)$	Semi-interactive	Partial
Proposed Method	$O\left(n\right)$	Non-interactive	Yes

presents a comparison of communication complexity and support for dynamic user revocation.

In the update phase (revoke + refresh), the dealer broadcasts two components: (i) a hash of $VS$ and (ii) ThHE encryption of array used for share refresh. Importantly, the size of this encrypted array is determined by the ThHE parameters and remains independent of the number of users. Based on Table 4, the size of one encrypted array was approximately 4.9KB. Since each user only extracts their corresponding array from the broadcast, the computation cost for refresh remains at 4.9 KB regardless of the total number of users.

Building on NUSS, we embed a role-based dynamic user management mechanism into the system. In each epoch, users are categorized into three roles based on their epochs, and the proposed function $Rev$ is used to verify user legitimacy. Importantly, our new proposal retains the $O\left(n\right)$ complexity by preserving the broadcast structure. Therefore, we focus our evaluation on the computational overhead introduced by the new components rather than comparing with other PSS schemes. We present results from both the user side and dealer side, highlighting the system efficiency impact of the role-based management and the proposed function $Rev$.

6.2. Performance Evaluation

In this study, we evaluated the performance of each user regarding computation time and data size in the revoke and refresh processes. In addition, we present the total operational duration of the system in different user role proportions to assist the dealer in optimizing user role allocation.

6.2.1. Evaluation on User Side

This study shows that the operations in revoke and refresh are fully non-interactive and that each user performs the computation independently based on the broadcast data. Therefore, we evaluate the computational cost on the user side by measuring the time latency and the data size for a single-role user. In addition, we present one broadcast array (e.g., $\Delta$) as an example to illustrate the evaluation results.

Example 2. 

Let T denote the time latency, where $T_i$ refers to the CPU processing time of user i. Specifically, $T_i$ consists of time for the revoke process, denoted as $T_{Rev}$, and refresh process, which involves one homomorphic addition and one homomorphic multiplication, as shown in (7), denoted as $T_{\mathit{ThHE.Add}+\mathit{ThHE.Mult}}.$ Therefore, the local computation time of each user can be expressed as follows.

$$T_i=T_{Rev}+T_{(\mathit{ThHE.Add}+\mathit{ThHE.Mult})}.$$

(31)

As shown in Figure 3, the user-side time latency for the revoke and refresh procedures remains stable across the three schemes $(4,10),(20,60)$, and $(34,100)$. In our previous study (NUSS), the refresh procedure relied on threshold homomorphic computations whose parameters were fixed for all schemes. As a result, the computational time and data size were identical across different schemes. In this work, we extend the previous construction by adding the user-revocation component. The revoke procedure relies on hash-based verification and does not involve the ThHE computation. Consequently, the increase in time latency due to revoke is minimal compared with the cost of the homomorphic computations.

Example 3. 

Let ${\mathit{size}}_i$ denote the data size required for user i to perform the revoke and refresh operations. ${\mathit{Size}}_{VS}$ denotes the data size associated with revoke, and ${\mathit{size}}_{{\mathbf{ct}}_{\Delta }}$ corresponds to refresh process. Here, Δ is used as an example to explain the details. The data size for local computation by each user can be described as follows.

$${\mathit{size}}_i={\mathit{size}}_{VS}+{\mathit{size}}_{{\mathbf{ct}}_{\Delta }}.$$

(32)

Figure 4 demonstrates that the message size involved in each user operation depends on both the membership scale and the ThHE parameters. As the number of users increases, the data size of one user operation also increases. The reason is the valid set $VS$ expands with increasing membership, resulting in a larger data size consumed by each individual user compared to NUSS.

6.2.2. Results Impact Dealer Update Strategy Setting

Figure 5 shows that the proportion of different user roles can significantly affect the computational cost. Specifically, in the $(20,60)$ scheme, mixed role configurations (retain, newly join, and rejoin) achieve lower total latency than single-role setups, indicating improved workload distribution. However, in a larger setting (e.g., $(34,100)$ scheme), the fully retain setup has better performance. Consequently, the dealer has the option to modify the membership strategy to optimize efficiency in accordance with the current user composition.

7. Conclusions

This study extends NUSS, a non-interactive PSS scheme based on ThHE, by introducing role-based user revocation using hash-based verification. The proposed method distinguishes users based on their role in facilitating dynamic membership management. With $O\left(n\right)$ complexity, the proposal provides that only authorized users can execute non-interactive share refresh while ensuring that revoked users can no longer reconstruct the secret. We note that the current study relies on a centralized setup to construct share refresh and user revocation more efficiently. As future work, we plan to explore decentralized frameworks, such as distributed key generation, to move toward a fully distributed design.