## 1 Introduction

With the rapid development of Internet, the secure storage and transmission of information have become more and more important. The security of the information depends on the security of the cryptosystem, which depends on the keys used in the system. It is obviously insecure to have only one key holder, therefore secret sharing was proposed to solve the problem by distributing the keys among several members, which is significant to not only prevent the overcentralization of the key management but also guarantee the integrity and confidentiality of the keys.

However, there are some problems in the initial secret sharing scheme:

(1) They can only share one secret once;

(2) They need secure channel to distribute shares;

(3) They cannot perceive the detective behavior of both the dealer and the participants;

(4) The shares held by participants cannot be reused;

(5) If participants join in or quit from the scheme, all the shares need to be updated;

(6) When the dealer changes the threshold, all the shares need to be altered.

In order to overcome the weakness of the original scheme, researchers have proposed several improved schemes in recent years. In 2004, Yang et al. presented a new multi-secret sharing scheme(YCH)[Yang:2004:MSS:2626452.2627067]. Based on Feldman’s scheme [Feldman:1987:PSN:1382440.1383000], Shao et al. proposed an improved scheme [Shao:2005:NEV:2614701.2615126] in 2005, which still needs a private channel. In 2006, Zhao et al. proposed an effective VMSS scheme (ZZZ) [Zhao:2007:PVM:1222223.1222354]. Since public key cryptography is utilized in the verification phase, the private channel is unnecessary.

In 2008, Massoud and Samaneh [HADIANDEHKORDI20082262] presented two efficient VMSS schemes, which employ the intractability of the discrete logarithm and RSA cryptosystem [Rivest:1978:MOD:359340.359342] to modify the YCH scheme. For simplicity, we call the first scheme in [HADIANDEHKORDI20082262] MS1 scheme, and the second scheme in [HADIANDEHKORDI20082262] MS2 scheme. In 2016, Liu et al. [Liu:2016:AVM:2869973.2870260] found that ZZZ scheme, MS1 scheme and MS2 scheme cannot resist cheating by the dealer, and proposed two modified schemes utilizing RSA encryption system. Similarly, we call the first scheme in [Liu:2016:AVM:2869973.2870260] LZZ1 scheme, and the second scheme in [Liu:2016:AVM:2869973.2870260] LZZ2 scheme. In 2015, Massoud and Samaneh proposed two new VMSS schemes (MS schemes) [MASHHADI201531] by nonhomogeneous linear recursions and LFSR public key cryptosystem [Gong:1999:PCB:2263211.2266021, 10.1007/3-540-45537-X_22]. Likewise, the two schemes have the same drawback as the schemes in [HADIANDEHKORDI20082262], and we call the first scheme in [MASHHADI201531] MS3 scheme, and the second scheme in [MASHHADI201531] MS4 scheme.

In this work, we will present two new dynamic VMSS schemes using LFSR public key cryptosystem based on the MS schemes [MASHHADI201531], which overcome the disadvantages of the previous schemes and have shorter key length than the schemes in [Liu:2016:AVM:2869973.2870260]. Moreover, our schemes allow participants to join in or quit from the group optionally and let the dealer to change the number or value of shared secrets, even the threshold according to practical situation dynamically.

The rest of this paper is organized as follows. In Section 2, we review the nonhomogeneous linear recursion, the LFSR public key cryptosystem, and give the attack to MS schemes. In Section 3, we present our two schemes. We propose the security analysis in Section 4, while Section 5 gives the performance analysis. Finally, we conclude our schemes in Section 6.

## 2 Preliminaries

### 2.1 Linear recursion

In this subsection, we introduce the linear recursion briefly, which you can refer to[Biggs:2002:DM:579088] for a detailed description.

###### Definition 1.

A linear recursion is defined by the equations:

where and are predefined real constants. is a positive variable, the degree of this linear recursion. If , the linear recursion is homogeneous. Otherwise, it is nonhomogeneous.

###### Definition 2.

For a linear sequence with dgree defined above, we give the following concepts:

(1) Auxiliary equation: .

(2) Generating function: .

###### Lemma 1.

We assume that sequence withe degree , and its auxiliary equation is , where . Then its generating function is

where is a polynomial and

And where and are constants defined by

Our schemes use two examples of nonhomogeneous linear recursion shown as follows:

###### Theorem 1.

Utilizing to generate sequence , where have the following form:

(1) |

where are predefined real constants. Therefore where is a polynomial of with degree at most .

###### Proof.

Utilizing equation (1), we obtain

where is a polynomial with degree . Consequently,

From Lemma 1, we can get , where is a at most -degree polynomial. ∎

###### Theorem 2.

Utilizing to generate sequence , where have the following form:

(2) |

where are predefined real constants. Therefore , where is a polynomial of with degree at most .

The proof of Theorem 2 can be completed by the method analogous to Theorem 1.

### 2.2 The LFSR public key cryptosystem

At first, we introduce the third-order LFSR sequence [Gong:1999:PCB:2263211.2266021, 10.1007/3-540-45537-X_22]. Assuming that is irreducible which is the characteristic polynomial of the following LFSR sequences, where and is a prime.

###### Definition 3.

A sequence satisfies the following conditions:

Then, we call is a third-order LFSR sequence whose characteristic polynomial is .

We denote as , as , then we have the following Lemma.

###### Lemma 2.

[Gong:1999:PCB:2263211.2266021]Let over generate the three-order LFSR sequences . If , then for all positive integer and .

###### Definition 4.

(The LFSR public key cryptosystem) A sender generates the public key and private key by the following operation:

(1) selects two primes and , and computes . Notice that the next few steps are performed on and the period of the irreducible polynomial is ;

(2) selects such that , where ;

(3) computes such that ;

(4) publishes and as public key, then keeps as private key.

Enciphering:

In order to send to the receiver, the sender generates as corresponding cipher text, where .

Deciphering:

When receiving , the receiver can get the corresponding plain text by private key .

### 2.3 Attack to MS schemes

In this subsection, we give the attack to MS3 scheme, which is also true of MS4 scheme. Please refer to [MASHHADI201531] for details of MS schemes. When recovering the secrets, they merely check the validity of by , where , however, the consistency between and is not checked. Thus, a malicious dealer can deceive the participants successfully, which means that:

When ,

(1) chooses a random and substitutes with to calculate the equations below:

For , calculates ;

(2) calculates , and ;

(3) releases .

When ,

(1) chooses a random and considers the sequence generated by the equations below:

For , calculates ;

(2) substitutes with to calculate , then calculates and respectively;

(3) releases .

In the reconstruction phase, because the replacement is barely perceptible by , those participants still provide real which conflicts with or generated by the dealer. Therefore, the recovered secrets are wrong. However, any at least honest participants exclusive of can reconstruct the shared secrets. Furthermore, if the dealer replaces more than one with invalid , the situation gets even worse. In conclusion, the MS schemes cannot resist attack by a malicious dealer.

## 3 The new VMSS schemes

To avoid the attack mentioned above, based on MS schemes [MASHHADI201531], we present new VMSS schemes by examining consistency, which can detect deception of both participants and the dealer successfully.

### 3.1 Scheme 1

Scheme 1 utilizes the , the LFSR public key cryptosystem and the discrete logarithm problem.

#### 3.1.1 Initialization phase

Suppose be the dealer, be participants, and be the threshold.

Initialization of :

(1) selects , of bit-length , where and are two strong primes. Then calculates of bit-length . Note that here is the security parameter of the LFSR public key cryptosystem.

(2) randomly selects two primes with bit-length more than , satisfying , and for

(3) selects of of order satisfying that the discrete logarithm problem with base in is infeasible.

(4) releases to participants.

Initialization of participants:

(1) of identity selects two strong primes , , and then calculates . Note that the period of the irreducible polynomial in is , then all the computations are performed in .

(2) randomly selects an integer such that , for .

(3) calculates the integer satisfying .

(4) passes to with a public channel, and keeps its shadow secret.

releases .

###### Remark 1.

The released messages can be reused after this phase. In addition, cannot get any information about shadows, therefore these shadows are also reusable.

#### 3.1.2 Construction phase

Let be secrets, where ). Then executes the steps as below to produce respective subshadow :

(1) selects for at random.

(2) randomly selects a constant satisfying and considers as below:

(3) For , calculates .

(4) calculates .

(5) calculates and ,().

(6) releases .

###### Remark 2.

According to Lemma 2, we know that . If , we have , which means that

#### 3.1.3 Verification phase

In order to obtain the subshadow , calculates following formula:

By the formulas below, our schemes can perform validity and consistency detection.

Once the equations above are satisfied, each is thought to be valid and in accord with released messages. If every verification succeeds, participants think that is not malicious.

#### 3.1.4 Reconstruction phase

Suppose that at least participants utilize corresponding to reconstruct the secrets. Every can detect the validity of using the formulas as below:

The following two methods can be utilized:

Method 1: Using valid subshadows and the released , they can get the formulas by Theorem 1:

Then, they obtain

where .

Therefore, they reconstruct the secrets:

Method 2: If utilizing successive , they can calculate other by the formulas:

Therefore, they reconstruct the secrets:

### 3.2 Scheme 2

Scheme 2 utilizes the , the LFSR public key cryptosystem and the discrete logarithm problem.

#### 3.2.1 Initialization phase

The initialization phase in Scheme 2 is the same as Scheme 1.

#### 3.2.2 Construction phase

Compared with Scheme 1 ,we substitute with the , and the rest is the same.

#### 3.2.3 Verification phase

can calculate to obtain corresponding subshadow. By the formulas below, our schemes can perform validity and consistency detection.:

Once the equations above are satisfied, each is thought to be valid and in accord with released messages. If every verification succeeds, participants think that is not malicious.

#### 3.2.4 Reconstruction phase

Suppose that at least participants utilize corresponding to reconstruct the secrets. Every can detect the validity of using the formulas as below:

Method 1: Using valid subshadows and the released , they can get the formulas by Theorem 2:

Solving the equations or utilizing the Lagrange interpolation, they get in .

Then, they obtain

where .

Therefore, they reconstruct the secrets:

Method 2: If utilizing successive , they can calculate other by the formulas:

Therefore, they reconstruct the secrets: