Post on 23-Aug-2020
Research ArticleA Rational Threshold Signature Model and Protocol Based onDifferent Permissions
Bojun Wang1 Cheng Cai1 and Quan Zhou2
1 School of Electronic and Computer Engineering Peking University Shenzhen 518055 China2 College of Computer Science and Technology Beijing University of Technology Beijing 100124 China
Correspondence should be addressed to Cheng Cai frankgt40gmailcom
Received 3 April 2014 Revised 1 July 2014 Accepted 4 July 2014 Published 23 July 2014
Academic Editor Young-Sik Jeong
Copyright copy 2014 Bojun Wang et al This is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited
This paper develops a novel model and protocol used in some specific scenarios in which the participants of multiple groupswith different permissions can finish the signature together We apply the secret sharing scheme based on difference equation tothe private key distribution phase and secret reconstruction phrase of our threshold signature scheme In addition our scheme canachieve the signature success because of the punishment strategy of the repeated rational secret sharing Besides the bit commitmentand verification method used to detect playersrsquo cheating behavior acts as a contributing factor to prevent the internal fraud Usingbit commitments verifiable parameters and time sequences this paper constructs a dynamic game model which has the featuresof threshold signature management with different permissions cheat proof and forward security
1 Introduction
Secret sharing (SS) scheme first proposed by Shamir [1] inthe paper ldquoHow to share a secretrdquo is a significant methodused for the important information management There areother SS schemes presented by Blakeley [2] and Asmuthand Bloom [3] These (119905 119899)-threshold schemes above splitthe secret to 119899 shares and distribute these shares to 119899 legalplayers meaning that all the players in the secret sharingsystem have the same permissions However in some specificsituations like in a company managers and employees aresupposed to have different authority in the confidentialsecret management As a result all the SS schemes are notsuitable to be applied to such scenario Later many scholarsdevoted themselves to the weighted threshold SS schemeswhich can solve the above problem Shamir was concernedwith weighted threshold SS in his paper ldquoHow to share asecretrdquomdashthe president of a company has three shares thevice presidents have two shares and others have one shareLater Morillo et al [4] developed some main propertiesrelated to the information ratio which measures a secretsharing systemrsquos security After that many researchers usedtheir work to develop weight SS schemes and some are with
bipartite [5ndash7] Chan and Chang [8] developed a new (119905 119899)-threshold scheme based on differential equations which wascompletely different from the mechanism of weighted SSscheme and shared the same notion with Li [9] Instead ofthe traditional weighted threshold SS schemes which havethe symmetrical permissions limitation they proposed (119905
1+
1199052 1198991+ 1198992)-threshold SS scheme that is based on homoge-
neous constant coefficient linear difference equation In thescheme all players are divided into two groups (denotedby 119860 119861) with the different secret management authorityjust 1199051players from 119860 and 119905
2players from 119861 can recover
the original secret information For example a companydivides its business secret into (119899
1+ 1198992) shares in which 119899
1
shares are possessed by 1198991specific employees and 119899
2shares
are distributed to 1198992managers Any 119905
1employees and 119905
2
managers can retrieve the business secretThreshold signature is based on SS which was first
proposed by Desmedt and Frankel [10] and based on RSAsignature mechanism Shamir [11] introduced the conceptof signature authentication based on identity Paterson andSchuldt [12] presented efficient identity-based signatures inthe standard model In this paper to illustrate our model we
Hindawi Publishing CorporationJournal of Applied MathematicsVolume 2014 Article ID 176085 9 pageshttpdxdoiorg1011552014176085
2 Journal of Applied Mathematics
adoptOkamotorsquos signaturemethod [13] which is based on theidentification scheme and is provably secure
Another important issue about the traditional SS schemeis that they are all based on the assumption that every playeris either honest ormalicious However in practice players aremore likely to be selfish trying to maximize their own utilityHalpern and Teague [14] introduced the notion of rationalsecret sharing (RSS) in 2004 and presented a randomizedprotocol for a 119905 ge 3 119899 gt 3 SS scheme which can achieve Nashequilibrium after repeated elimination of weakly dominatedstrategy Gordon and Katz [15] improved Halpernrsquos protocolto 119905 ge 2 119899 gt 2 conditions The mechanism proposed byMaleka et al [16] is called repeated rational secret sharing(RRSS) in which the distributor needs to do second-timesegmentation of the secret shares and made the players sharethe subshares repeatedly Malekarsquos method uses punishmentstrategies to prevent players from finking which is differentfrom Halpern and Teaguersquos RSS protocol in which somerounds of secret sharing are meaningless
In this paper we present a rational threshold signaturemodel in which the participants are divided into two setswith the different permissions We adopt the SS schemebased on the difference equations to distribute shares andrecover the original secrets In the recover phrase playersexchange their subshares repeatedly based on Malekarsquos RRSSscheme In our model we use several modules to manage thefunctions respectively The parameter sequence generator isused to generate the parameters of the difference equationsand parameter distributor is used to distribute the parametersto the participants as their shares Rounds controller isused to generate the random number of rounds so that theplayers cannot know when the repeated games will end Bitcommitment module is utilized for the players to committheir own subshares and verify othersrsquo Besides when a playercheats in a specific round by sending the wrong subsharethe verifiable module can detect it and the protocol will bestopped so that nobody can acquire the secret
2 Relative Works
21 The Model of Li Bin Scholar The model is outlined asfollows
Maker constructs homogeneous constant coefficient lin-ear differential equation
119886119899+
1199051
sum119894=1
119887119894119886119899minus119894
= 0 (119887119894isin 119885119902) (1)
Master key 119896 = 119886119873
(119873 gt 1198991)
Shadow keys of participants in set 119860 are (119886119894 1198871) (119894 =
0 1 1198991minus 1)
Shadow keys of participants in set 119861 are(119873 1198872 119887
1199051
)
The general term formula of homogeneous constantcoefficient linear differential equation is
119886119899=
1199051
sum119894=1
119888119894119891119894(119899) (2)
Because coefficient determinant is nondegeneratesecond-order tensor
Δ119905times119905
=
100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816
1198911(0) 119891
2(0) sdot sdot sdot 119891
119905(0)
1198911(1) 119891
2(1) sdot sdot sdot 119891
119905(1)
d
1198911(119905 minus 1) 119891
2(119905 minus 1) sdot sdot sdot 119891
119905(119905 minus 1)
100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816119905times119905
= 0 (3)
Participants in set 119860 calculate constant vector
119888 = (1198881 1198882 119888
1199051
)119879
(4)
Any participant in set 119861 makes 119899 = 119873 can obtain thesystem master key
119886119873
=
1199051
sum119894=1
119888119894119891119894(119873) (119873 gt 119899
1) (5)
22 Problems The model mentioned above is a big innova-tion in the field of threshold structure however if applieddirectly to the threshold signature while in practical usesome problems may exist as follows
(1) The permissions in this model have limitations Thesecond component of (119899
1+ 1198992 1199051
+ 1)-thresholdshared structure on behalf of the second categoryparticipants with special privileges these participantshave excessive permissions because anyone of themcan represent the group Thus weexpand the secondcomponent into (119899
1+ 1198992 1199051+ 1199052) structure Wei et
alrsquos scholars [17 18] at Shandong University haveproposed the definition of such structure Howeverwhen this scheme is implemented its two groupsboth use the polynomial ring which possesses thesymmetrical nature thus it will break the differentprivileges characteristic of the homogeneousconstantcoefficient linear differential equation This paperpromotes (119899
1+1198992 1199051+1) structure based on homoge-
neous constant coefficient linear differential equationextends permissions in the meantime and improvesthe original proposal
(2) This model cannot resist conspiracy attacks becauseof that when greater than or equal to the (119905
10) thresh-
old number of participants work out the constantvector group of equation (4) at the same time theequation (2) is determined Conspires can get the theprivate key of the participants of the first set usingthe general term formula and one copy of the privatekey of the second setrsquos participant can be used toconjecture the othersrsquo private keys in the second set
(3) Themodel cannot resist internal fraudWhen put intopractical use the model does not have a verifiable
Journal of Applied Mathematics 3
and the participantsrsquo fraud is undetectable If thereare no validation measures the participants may runthis protocol arbitrarily or send their false shares andthese cannot be tolerated
(4) The model has the dealer who is the trusted thirdparty In the distributed network environment theparameters is generated by amachine or by the securemultiparty computation
(5) This model does not have the rational characteristicsWhen the signature private keys are generated andwhen the first setrsquos participants compute the equation(2)mdashafter computing the general term formula theparticipants in the second set have no motive toexpose their private key to the participants in the firstset after they generate their private keys This losesfairness
3 Protocol Model
31 The Structure of Model The structure of the model isshown in Figure 1
(1) Parameter Sequence Generator Each time while in thesignature step the registers in parameters sequence generatordynamically generate the next state parameters accordingto the last state parameters Each signature call the moduleonce the use of time series technology makes the model haveforward security
The initial vector in parameter sequence generator is
1198861198790 = (119886
1198790
119899 1198861198790
119899minus1 119886
1198790
119899minus1199051
)119879
1198871198790 = (119887
1198790
1 1198871198790
2 119887
1198790
1199051
)119879
(6)
The iterative formulas of parameter sequence generatorare as follows
119886119879119894+1 = (119886
120588119879119894
119899 119886120588119879119894
119899minus1 119886
120588119879119894
119899minus1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
119887119879119894+1 = (119887
120588119879119894
1 119887120588119879119894
2 119887
120588119879119894
1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
(7)
Other parameters are generated like this way
Theorem 1 The model has forward security
Proof On the completion of the last signature in next sig-nature step the parameter sequence generator precompiledthe iteration values in registers After iteration according torecurrence relations (7) the last data in registers will not existThat is to say this timersquos signature data in registers will coverthe last data in them According to the recurrence relations
(7) if an attacker wants to get last data in registers he or shemust calculate mode square root
119886119879119894
119896=120588radic119886119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 119899 119899 minus 119905
1and 120588isin119877119866119865(119902)
lowast
)
119887119879119894
119896=120588radic119887119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 1 119905
1and 120588isin119877119866119865(119902)
lowast
)
(8)
The mode square root in polynomial time is computa-tionally infeasible and themode indices are random attackercannot predict So the model has forward security
(2) Rounds Controller This model which runs multiplerounds in the signature process is a limited time repetitionsdynamic game It is vital in the model and controls theoperation of the entire process Here we use the idea ofstochastic process [19] to construct model
Theorem 2 The distribution of round obeys Poisson distribu-tion with parameter 120582
Proof In the condition of time limited game process notethat the number of deceptions in each round is 119896 with theprobability satisfying the following formula
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896 (119896 isin 119885) (9)
Participantsrsquo behavior is independent in each roundAssuming the number of rounds has continuity that is to
say the process of game is taken as continuous function withtime
Pr1(119903 119903 + Δ119903) = Pr 119873 (119903 119903 + Δ119903) = 1
= 120582Δ119903 + 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
infin
sum119894=2
Pr119894(119903 119903 + Δ119903) =
infin
sum119894=2
Pr 119873 (119903 119903 + Δ119903) = 119894
= 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
(10)
and it satisfies that
119873(0) = 0 + 119900 (120576) (11)
This means that the probability of cracking the systemwith 120576 computational advantages can be negligible whenthe threshold signature process is not performed The modelsatisfies the four conditions mentioned above and meets thedefinition of Poisson process with 120582 intensity That is
119873(119903) minus 119873 (1199030) sim 120587 (120582 (119903 minus 119903
0)) (12)
Theorem 3 The expectations rounds of this model are 120582 eachtime the model convergence time complexity is 119874(120582)
4 Journal of Applied Mathematics
Class A participants
Rounds controller
Pedersen bit
commitment module
Parameter sequence
generator
Verifiable
parameter
distribution
module
Okamotosignaturemodule
Class Bparticipants
Parameter distributor
Figure 1 The structure diagram of model
Proof Differential equations are established for the rounds(1199030 1199031 119903lowast) respectively based on the four conditions
mentioned above
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896
=[120582 (119903 minus 119903
0)]119896
119896119890minus120582(119903minus119903
0)
(119903 119896 isin 119885)
(13)
The mathematical expectation is
119864 [119873 (119903) minus 119873 (1199030)] = 120582 (119903 minus 119903
0) (14)
So the expectations rounds of this model are 120582 each time themodel convergence time complexity is 119874(120582)
(3) Parameter Distributor Amachine can analog the behaviorof distributor (maker) and can be a trusted server in thedistributed network
(4) Pedersen Bit Commitment Module Pedersen bit commit-ment protocol [20] is a security protocol taken as commit-ment to the bit stream information In each time of signature
the system generates coefficients of homogeneous constantcoefficients differential equations and the coefficients ofalgebraic curved 119865(119909) with order 119899
2minus 1 which correspond
to the participants in set 119861 After storing the coefficients inthe binary bits formation we note them as form of 119898
119894(119894 isin
119885 and 119898119894isin 0 1) in the form of bits stream The parameter
distributor is also attached with the bit commitment modelto prevent it from attacks
Theorem 4 The model can detect whether the parameterdistributor is under attack or not
Proof The model adapts the Pedersenrsquos bit stream commit-ment protocol
Parameter distributor selects a random number120588isin119877119866119865(119901max119899
11198992)lowast timestamp information 119905 and secure
hash function119867(119898119894 119905) (119894 isin 119885 and 119898
119894isin 0 1)
To make bit stream and timestamp above hash processThe primitive element of group 119866119865(119901
max11989911198992) is 119892 publish
120575 = 119892120588119910119867(119898119894119905) mod 119901
max11989911198992
(119894 isin 119885 and 119898119894isin 0 1) (15)
The triple (120588119898119894 119905) will be publish to the public right after
the end of the signature process Set 119860 and set 119861 participants
Journal of Applied Mathematics 5
can verify commitment to make sure whether parameterdistributor is being attacked or not
(5) Verifiable Parameter Distribution Module Using the ideaof Feldmanrsquos [21] verification First publicize bivariate one-way function 119867(119909 119910) In each threshold signature processparameter distributor generates polynomial with 119899
1minus1 orders
which corresponds to set 119860 participants
119866 (119909) =
1198991minus1
sum119894=1
119906119894119909 mod 119901
1198991 (16)
Our model uses the primitive element in the finite fields119866119865(1199011198991) which is 119892
1 to compute the number of the operation
rounds which is 119903lowast according to the Poisson distributionwith parameter 120582 and then distribute the points sequence
(1199091119894 1199101119894) = (119867(119904
1119894 119892119903lowast
1) 119866 (119909
1119894)) (119894 = 0 1 119899
1minus 1)
(17)
Then it arbitrarily selects 1198991minus1199051points in the field of119865
1199011198991 (119909 119910)
except the ones in the equation (17) and publish them to thepublic
Then it saves the vector
1199041119894
(119894 = 0 1 21198991minus 1199051minus 1) (18)
and calls Pedersenrsquos bit commitment moduleAfter that it broadcasts
119881119894= 119892119906119894
1mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (19)
Send each participant in set 119860
TPK119894= [119886119894+ 119866 (0)] mod 119901
1198991
(119894 = 1 2 1198991 119886119894isin 119866119865(119902)
lowast
119866 (0) isin 119866119865(1199011198991)lowast
gt sup 119886119894)
(20)
In the set 119861 the parameter distributor generates the primitiveelement which is 119892
2 in the infinite field 119866119865(1199011198992) according
to this polynomial with 1198992minus 1 orders
119871 (119909) =
1198992minus1
sum119894=1
119897119894119909 mod 119901
1198992 (21)
And then with the rounds number 119903lowast noted before thesystem distributes publish the points sequence
(1199092119894 1199102119894) = (119867(119904
2119894 119892119903lowast
2) 119871 (119909
2119894))
(119894 = 0 1 1198992minus 1)
(22)
We adopt (1198992 1199052) threshold structure constructed by matrix
method 1199052players in set 119861 participate in the repeated games
and recover the secret 119878 using the published 1198992minus 1199052points
As a result the players in set 119860 can input 119878 after they get thegeneral term formula of homogeneous constant coefficientlinear differential equation
Save vector
1199042119894
(119894 = 0 1 21198992minus 1199052minus 1) (23)
And call Pedersenrsquos bit commitment moduleAfter that it broadcasts
119882119894= 119892119897119894
2mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (24)
Send each participant in set 119861
TPK119895= [119878 + 119871 (0)] mod 119901
1198992
(119895 = 1 2 1198992 119878 isin 119866119865(119901)
lowast
119871 (0) isin 119866119865(1199011198992)lowast
gt 119878) (25)
Theorem 5 The model is verifiable
Proof When distributing pointrsquos sequence and broadcastingcorresponding authentication information participants cansimultaneously verify the information
Set 119860 participants verify
119892119866(1199091119894)
1=
1198991minus1
prod119895=0
119881119909119895
1119894
119894mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (26)
Set 119861 participants verify
119892119871(1199092119894)
2=
1198992minus1
prod119895=0
119882119909119895
2119894
119894mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (27)
If the verification succeeds participants can trust the infor-mation sent by others
(6) Participants Participants in two different permissionstogether constitute the threshold structure (119899
1+ 1198992 1199051+ 1199052)
In addition |119860| = 1198991|119861| = 119899
2 and the threshold values are
|119860|threshold = 1199051and |119861|threshold = 119905
2
(7) Okamoto Signature Module After calculating the thresh-old signature private key take TSK = 119886
119878as the first private key
component of the signature module while the second privatekey component is generated by public key signature methodselect private keys and publicize public keys respectivelyThe model adopts Okamoto signature algorithm to signaturefinally
Theorem 6 The model can resist conspiracy attack
Proof The second component of the private key in Okamotosignature algorithm can avoid conspiracy attacks which areperformed by using general term formula to get other par-ticipantsrsquo private keys when meeting the threshold conditionto calculate homogeneous linear differential equations withconstant coefficients general term formula in original modelThe second component of everyonersquos private key has to bekept privately by each individual On condition that thesecond component of the private key ensures the privacy thethreshold signature cannot be forged Furthermore we canestablish a mechanism that is when there is a dispute thesystem will check every participant involving the process ofsignature arise disputes
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
2 Journal of Applied Mathematics
adoptOkamotorsquos signaturemethod [13] which is based on theidentification scheme and is provably secure
Another important issue about the traditional SS schemeis that they are all based on the assumption that every playeris either honest ormalicious However in practice players aremore likely to be selfish trying to maximize their own utilityHalpern and Teague [14] introduced the notion of rationalsecret sharing (RSS) in 2004 and presented a randomizedprotocol for a 119905 ge 3 119899 gt 3 SS scheme which can achieve Nashequilibrium after repeated elimination of weakly dominatedstrategy Gordon and Katz [15] improved Halpernrsquos protocolto 119905 ge 2 119899 gt 2 conditions The mechanism proposed byMaleka et al [16] is called repeated rational secret sharing(RRSS) in which the distributor needs to do second-timesegmentation of the secret shares and made the players sharethe subshares repeatedly Malekarsquos method uses punishmentstrategies to prevent players from finking which is differentfrom Halpern and Teaguersquos RSS protocol in which somerounds of secret sharing are meaningless
In this paper we present a rational threshold signaturemodel in which the participants are divided into two setswith the different permissions We adopt the SS schemebased on the difference equations to distribute shares andrecover the original secrets In the recover phrase playersexchange their subshares repeatedly based on Malekarsquos RRSSscheme In our model we use several modules to manage thefunctions respectively The parameter sequence generator isused to generate the parameters of the difference equationsand parameter distributor is used to distribute the parametersto the participants as their shares Rounds controller isused to generate the random number of rounds so that theplayers cannot know when the repeated games will end Bitcommitment module is utilized for the players to committheir own subshares and verify othersrsquo Besides when a playercheats in a specific round by sending the wrong subsharethe verifiable module can detect it and the protocol will bestopped so that nobody can acquire the secret
2 Relative Works
21 The Model of Li Bin Scholar The model is outlined asfollows
Maker constructs homogeneous constant coefficient lin-ear differential equation
119886119899+
1199051
sum119894=1
119887119894119886119899minus119894
= 0 (119887119894isin 119885119902) (1)
Master key 119896 = 119886119873
(119873 gt 1198991)
Shadow keys of participants in set 119860 are (119886119894 1198871) (119894 =
0 1 1198991minus 1)
Shadow keys of participants in set 119861 are(119873 1198872 119887
1199051
)
The general term formula of homogeneous constantcoefficient linear differential equation is
119886119899=
1199051
sum119894=1
119888119894119891119894(119899) (2)
Because coefficient determinant is nondegeneratesecond-order tensor
Δ119905times119905
=
100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816
1198911(0) 119891
2(0) sdot sdot sdot 119891
119905(0)
1198911(1) 119891
2(1) sdot sdot sdot 119891
119905(1)
d
1198911(119905 minus 1) 119891
2(119905 minus 1) sdot sdot sdot 119891
119905(119905 minus 1)
100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816100381610038161003816119905times119905
= 0 (3)
Participants in set 119860 calculate constant vector
119888 = (1198881 1198882 119888
1199051
)119879
(4)
Any participant in set 119861 makes 119899 = 119873 can obtain thesystem master key
119886119873
=
1199051
sum119894=1
119888119894119891119894(119873) (119873 gt 119899
1) (5)
22 Problems The model mentioned above is a big innova-tion in the field of threshold structure however if applieddirectly to the threshold signature while in practical usesome problems may exist as follows
(1) The permissions in this model have limitations Thesecond component of (119899
1+ 1198992 1199051
+ 1)-thresholdshared structure on behalf of the second categoryparticipants with special privileges these participantshave excessive permissions because anyone of themcan represent the group Thus weexpand the secondcomponent into (119899
1+ 1198992 1199051+ 1199052) structure Wei et
alrsquos scholars [17 18] at Shandong University haveproposed the definition of such structure Howeverwhen this scheme is implemented its two groupsboth use the polynomial ring which possesses thesymmetrical nature thus it will break the differentprivileges characteristic of the homogeneousconstantcoefficient linear differential equation This paperpromotes (119899
1+1198992 1199051+1) structure based on homoge-
neous constant coefficient linear differential equationextends permissions in the meantime and improvesthe original proposal
(2) This model cannot resist conspiracy attacks becauseof that when greater than or equal to the (119905
10) thresh-
old number of participants work out the constantvector group of equation (4) at the same time theequation (2) is determined Conspires can get the theprivate key of the participants of the first set usingthe general term formula and one copy of the privatekey of the second setrsquos participant can be used toconjecture the othersrsquo private keys in the second set
(3) Themodel cannot resist internal fraudWhen put intopractical use the model does not have a verifiable
Journal of Applied Mathematics 3
and the participantsrsquo fraud is undetectable If thereare no validation measures the participants may runthis protocol arbitrarily or send their false shares andthese cannot be tolerated
(4) The model has the dealer who is the trusted thirdparty In the distributed network environment theparameters is generated by amachine or by the securemultiparty computation
(5) This model does not have the rational characteristicsWhen the signature private keys are generated andwhen the first setrsquos participants compute the equation(2)mdashafter computing the general term formula theparticipants in the second set have no motive toexpose their private key to the participants in the firstset after they generate their private keys This losesfairness
3 Protocol Model
31 The Structure of Model The structure of the model isshown in Figure 1
(1) Parameter Sequence Generator Each time while in thesignature step the registers in parameters sequence generatordynamically generate the next state parameters accordingto the last state parameters Each signature call the moduleonce the use of time series technology makes the model haveforward security
The initial vector in parameter sequence generator is
1198861198790 = (119886
1198790
119899 1198861198790
119899minus1 119886
1198790
119899minus1199051
)119879
1198871198790 = (119887
1198790
1 1198871198790
2 119887
1198790
1199051
)119879
(6)
The iterative formulas of parameter sequence generatorare as follows
119886119879119894+1 = (119886
120588119879119894
119899 119886120588119879119894
119899minus1 119886
120588119879119894
119899minus1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
119887119879119894+1 = (119887
120588119879119894
1 119887120588119879119894
2 119887
120588119879119894
1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
(7)
Other parameters are generated like this way
Theorem 1 The model has forward security
Proof On the completion of the last signature in next sig-nature step the parameter sequence generator precompiledthe iteration values in registers After iteration according torecurrence relations (7) the last data in registers will not existThat is to say this timersquos signature data in registers will coverthe last data in them According to the recurrence relations
(7) if an attacker wants to get last data in registers he or shemust calculate mode square root
119886119879119894
119896=120588radic119886119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 119899 119899 minus 119905
1and 120588isin119877119866119865(119902)
lowast
)
119887119879119894
119896=120588radic119887119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 1 119905
1and 120588isin119877119866119865(119902)
lowast
)
(8)
The mode square root in polynomial time is computa-tionally infeasible and themode indices are random attackercannot predict So the model has forward security
(2) Rounds Controller This model which runs multiplerounds in the signature process is a limited time repetitionsdynamic game It is vital in the model and controls theoperation of the entire process Here we use the idea ofstochastic process [19] to construct model
Theorem 2 The distribution of round obeys Poisson distribu-tion with parameter 120582
Proof In the condition of time limited game process notethat the number of deceptions in each round is 119896 with theprobability satisfying the following formula
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896 (119896 isin 119885) (9)
Participantsrsquo behavior is independent in each roundAssuming the number of rounds has continuity that is to
say the process of game is taken as continuous function withtime
Pr1(119903 119903 + Δ119903) = Pr 119873 (119903 119903 + Δ119903) = 1
= 120582Δ119903 + 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
infin
sum119894=2
Pr119894(119903 119903 + Δ119903) =
infin
sum119894=2
Pr 119873 (119903 119903 + Δ119903) = 119894
= 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
(10)
and it satisfies that
119873(0) = 0 + 119900 (120576) (11)
This means that the probability of cracking the systemwith 120576 computational advantages can be negligible whenthe threshold signature process is not performed The modelsatisfies the four conditions mentioned above and meets thedefinition of Poisson process with 120582 intensity That is
119873(119903) minus 119873 (1199030) sim 120587 (120582 (119903 minus 119903
0)) (12)
Theorem 3 The expectations rounds of this model are 120582 eachtime the model convergence time complexity is 119874(120582)
4 Journal of Applied Mathematics
Class A participants
Rounds controller
Pedersen bit
commitment module
Parameter sequence
generator
Verifiable
parameter
distribution
module
Okamotosignaturemodule
Class Bparticipants
Parameter distributor
Figure 1 The structure diagram of model
Proof Differential equations are established for the rounds(1199030 1199031 119903lowast) respectively based on the four conditions
mentioned above
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896
=[120582 (119903 minus 119903
0)]119896
119896119890minus120582(119903minus119903
0)
(119903 119896 isin 119885)
(13)
The mathematical expectation is
119864 [119873 (119903) minus 119873 (1199030)] = 120582 (119903 minus 119903
0) (14)
So the expectations rounds of this model are 120582 each time themodel convergence time complexity is 119874(120582)
(3) Parameter Distributor Amachine can analog the behaviorof distributor (maker) and can be a trusted server in thedistributed network
(4) Pedersen Bit Commitment Module Pedersen bit commit-ment protocol [20] is a security protocol taken as commit-ment to the bit stream information In each time of signature
the system generates coefficients of homogeneous constantcoefficients differential equations and the coefficients ofalgebraic curved 119865(119909) with order 119899
2minus 1 which correspond
to the participants in set 119861 After storing the coefficients inthe binary bits formation we note them as form of 119898
119894(119894 isin
119885 and 119898119894isin 0 1) in the form of bits stream The parameter
distributor is also attached with the bit commitment modelto prevent it from attacks
Theorem 4 The model can detect whether the parameterdistributor is under attack or not
Proof The model adapts the Pedersenrsquos bit stream commit-ment protocol
Parameter distributor selects a random number120588isin119877119866119865(119901max119899
11198992)lowast timestamp information 119905 and secure
hash function119867(119898119894 119905) (119894 isin 119885 and 119898
119894isin 0 1)
To make bit stream and timestamp above hash processThe primitive element of group 119866119865(119901
max11989911198992) is 119892 publish
120575 = 119892120588119910119867(119898119894119905) mod 119901
max11989911198992
(119894 isin 119885 and 119898119894isin 0 1) (15)
The triple (120588119898119894 119905) will be publish to the public right after
the end of the signature process Set 119860 and set 119861 participants
Journal of Applied Mathematics 5
can verify commitment to make sure whether parameterdistributor is being attacked or not
(5) Verifiable Parameter Distribution Module Using the ideaof Feldmanrsquos [21] verification First publicize bivariate one-way function 119867(119909 119910) In each threshold signature processparameter distributor generates polynomial with 119899
1minus1 orders
which corresponds to set 119860 participants
119866 (119909) =
1198991minus1
sum119894=1
119906119894119909 mod 119901
1198991 (16)
Our model uses the primitive element in the finite fields119866119865(1199011198991) which is 119892
1 to compute the number of the operation
rounds which is 119903lowast according to the Poisson distributionwith parameter 120582 and then distribute the points sequence
(1199091119894 1199101119894) = (119867(119904
1119894 119892119903lowast
1) 119866 (119909
1119894)) (119894 = 0 1 119899
1minus 1)
(17)
Then it arbitrarily selects 1198991minus1199051points in the field of119865
1199011198991 (119909 119910)
except the ones in the equation (17) and publish them to thepublic
Then it saves the vector
1199041119894
(119894 = 0 1 21198991minus 1199051minus 1) (18)
and calls Pedersenrsquos bit commitment moduleAfter that it broadcasts
119881119894= 119892119906119894
1mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (19)
Send each participant in set 119860
TPK119894= [119886119894+ 119866 (0)] mod 119901
1198991
(119894 = 1 2 1198991 119886119894isin 119866119865(119902)
lowast
119866 (0) isin 119866119865(1199011198991)lowast
gt sup 119886119894)
(20)
In the set 119861 the parameter distributor generates the primitiveelement which is 119892
2 in the infinite field 119866119865(1199011198992) according
to this polynomial with 1198992minus 1 orders
119871 (119909) =
1198992minus1
sum119894=1
119897119894119909 mod 119901
1198992 (21)
And then with the rounds number 119903lowast noted before thesystem distributes publish the points sequence
(1199092119894 1199102119894) = (119867(119904
2119894 119892119903lowast
2) 119871 (119909
2119894))
(119894 = 0 1 1198992minus 1)
(22)
We adopt (1198992 1199052) threshold structure constructed by matrix
method 1199052players in set 119861 participate in the repeated games
and recover the secret 119878 using the published 1198992minus 1199052points
As a result the players in set 119860 can input 119878 after they get thegeneral term formula of homogeneous constant coefficientlinear differential equation
Save vector
1199042119894
(119894 = 0 1 21198992minus 1199052minus 1) (23)
And call Pedersenrsquos bit commitment moduleAfter that it broadcasts
119882119894= 119892119897119894
2mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (24)
Send each participant in set 119861
TPK119895= [119878 + 119871 (0)] mod 119901
1198992
(119895 = 1 2 1198992 119878 isin 119866119865(119901)
lowast
119871 (0) isin 119866119865(1199011198992)lowast
gt 119878) (25)
Theorem 5 The model is verifiable
Proof When distributing pointrsquos sequence and broadcastingcorresponding authentication information participants cansimultaneously verify the information
Set 119860 participants verify
119892119866(1199091119894)
1=
1198991minus1
prod119895=0
119881119909119895
1119894
119894mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (26)
Set 119861 participants verify
119892119871(1199092119894)
2=
1198992minus1
prod119895=0
119882119909119895
2119894
119894mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (27)
If the verification succeeds participants can trust the infor-mation sent by others
(6) Participants Participants in two different permissionstogether constitute the threshold structure (119899
1+ 1198992 1199051+ 1199052)
In addition |119860| = 1198991|119861| = 119899
2 and the threshold values are
|119860|threshold = 1199051and |119861|threshold = 119905
2
(7) Okamoto Signature Module After calculating the thresh-old signature private key take TSK = 119886
119878as the first private key
component of the signature module while the second privatekey component is generated by public key signature methodselect private keys and publicize public keys respectivelyThe model adopts Okamoto signature algorithm to signaturefinally
Theorem 6 The model can resist conspiracy attack
Proof The second component of the private key in Okamotosignature algorithm can avoid conspiracy attacks which areperformed by using general term formula to get other par-ticipantsrsquo private keys when meeting the threshold conditionto calculate homogeneous linear differential equations withconstant coefficients general term formula in original modelThe second component of everyonersquos private key has to bekept privately by each individual On condition that thesecond component of the private key ensures the privacy thethreshold signature cannot be forged Furthermore we canestablish a mechanism that is when there is a dispute thesystem will check every participant involving the process ofsignature arise disputes
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 3
and the participantsrsquo fraud is undetectable If thereare no validation measures the participants may runthis protocol arbitrarily or send their false shares andthese cannot be tolerated
(4) The model has the dealer who is the trusted thirdparty In the distributed network environment theparameters is generated by amachine or by the securemultiparty computation
(5) This model does not have the rational characteristicsWhen the signature private keys are generated andwhen the first setrsquos participants compute the equation(2)mdashafter computing the general term formula theparticipants in the second set have no motive toexpose their private key to the participants in the firstset after they generate their private keys This losesfairness
3 Protocol Model
31 The Structure of Model The structure of the model isshown in Figure 1
(1) Parameter Sequence Generator Each time while in thesignature step the registers in parameters sequence generatordynamically generate the next state parameters accordingto the last state parameters Each signature call the moduleonce the use of time series technology makes the model haveforward security
The initial vector in parameter sequence generator is
1198861198790 = (119886
1198790
119899 1198861198790
119899minus1 119886
1198790
119899minus1199051
)119879
1198871198790 = (119887
1198790
1 1198871198790
2 119887
1198790
1199051
)119879
(6)
The iterative formulas of parameter sequence generatorare as follows
119886119879119894+1 = (119886
120588119879119894
119899 119886120588119879119894
119899minus1 119886
120588119879119894
119899minus1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
119887119879119894+1 = (119887
120588119879119894
1 119887120588119879119894
2 119887
120588119879119894
1199051
)119879
mod 119902
(119894 ge 0 and 119894 isin 119885+ 120588isin119877119866119865(119902)
lowast
)
(7)
Other parameters are generated like this way
Theorem 1 The model has forward security
Proof On the completion of the last signature in next sig-nature step the parameter sequence generator precompiledthe iteration values in registers After iteration according torecurrence relations (7) the last data in registers will not existThat is to say this timersquos signature data in registers will coverthe last data in them According to the recurrence relations
(7) if an attacker wants to get last data in registers he or shemust calculate mode square root
119886119879119894
119896=120588radic119886119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 119899 119899 minus 119905
1and 120588isin119877119866119865(119902)
lowast
)
119887119879119894
119896=120588radic119887119879119894+1
119896mod 119902
(119894 ge 0 and 119894 isin 119885+ 119896 = 1 119905
1and 120588isin119877119866119865(119902)
lowast
)
(8)
The mode square root in polynomial time is computa-tionally infeasible and themode indices are random attackercannot predict So the model has forward security
(2) Rounds Controller This model which runs multiplerounds in the signature process is a limited time repetitionsdynamic game It is vital in the model and controls theoperation of the entire process Here we use the idea ofstochastic process [19] to construct model
Theorem 2 The distribution of round obeys Poisson distribu-tion with parameter 120582
Proof In the condition of time limited game process notethat the number of deceptions in each round is 119896 with theprobability satisfying the following formula
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896 (119896 isin 119885) (9)
Participantsrsquo behavior is independent in each roundAssuming the number of rounds has continuity that is to
say the process of game is taken as continuous function withtime
Pr1(119903 119903 + Δ119903) = Pr 119873 (119903 119903 + Δ119903) = 1
= 120582Δ119903 + 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
infin
sum119894=2
Pr119894(119903 119903 + Δ119903) =
infin
sum119894=2
Pr 119873 (119903 119903 + Δ119903) = 119894
= 119900 (Δ119903) (120582 gt 0 and forallΔ119903 997888rarr 0)
(10)
and it satisfies that
119873(0) = 0 + 119900 (120576) (11)
This means that the probability of cracking the systemwith 120576 computational advantages can be negligible whenthe threshold signature process is not performed The modelsatisfies the four conditions mentioned above and meets thedefinition of Poisson process with 120582 intensity That is
119873(119903) minus 119873 (1199030) sim 120587 (120582 (119903 minus 119903
0)) (12)
Theorem 3 The expectations rounds of this model are 120582 eachtime the model convergence time complexity is 119874(120582)
4 Journal of Applied Mathematics
Class A participants
Rounds controller
Pedersen bit
commitment module
Parameter sequence
generator
Verifiable
parameter
distribution
module
Okamotosignaturemodule
Class Bparticipants
Parameter distributor
Figure 1 The structure diagram of model
Proof Differential equations are established for the rounds(1199030 1199031 119903lowast) respectively based on the four conditions
mentioned above
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896
=[120582 (119903 minus 119903
0)]119896
119896119890minus120582(119903minus119903
0)
(119903 119896 isin 119885)
(13)
The mathematical expectation is
119864 [119873 (119903) minus 119873 (1199030)] = 120582 (119903 minus 119903
0) (14)
So the expectations rounds of this model are 120582 each time themodel convergence time complexity is 119874(120582)
(3) Parameter Distributor Amachine can analog the behaviorof distributor (maker) and can be a trusted server in thedistributed network
(4) Pedersen Bit Commitment Module Pedersen bit commit-ment protocol [20] is a security protocol taken as commit-ment to the bit stream information In each time of signature
the system generates coefficients of homogeneous constantcoefficients differential equations and the coefficients ofalgebraic curved 119865(119909) with order 119899
2minus 1 which correspond
to the participants in set 119861 After storing the coefficients inthe binary bits formation we note them as form of 119898
119894(119894 isin
119885 and 119898119894isin 0 1) in the form of bits stream The parameter
distributor is also attached with the bit commitment modelto prevent it from attacks
Theorem 4 The model can detect whether the parameterdistributor is under attack or not
Proof The model adapts the Pedersenrsquos bit stream commit-ment protocol
Parameter distributor selects a random number120588isin119877119866119865(119901max119899
11198992)lowast timestamp information 119905 and secure
hash function119867(119898119894 119905) (119894 isin 119885 and 119898
119894isin 0 1)
To make bit stream and timestamp above hash processThe primitive element of group 119866119865(119901
max11989911198992) is 119892 publish
120575 = 119892120588119910119867(119898119894119905) mod 119901
max11989911198992
(119894 isin 119885 and 119898119894isin 0 1) (15)
The triple (120588119898119894 119905) will be publish to the public right after
the end of the signature process Set 119860 and set 119861 participants
Journal of Applied Mathematics 5
can verify commitment to make sure whether parameterdistributor is being attacked or not
(5) Verifiable Parameter Distribution Module Using the ideaof Feldmanrsquos [21] verification First publicize bivariate one-way function 119867(119909 119910) In each threshold signature processparameter distributor generates polynomial with 119899
1minus1 orders
which corresponds to set 119860 participants
119866 (119909) =
1198991minus1
sum119894=1
119906119894119909 mod 119901
1198991 (16)
Our model uses the primitive element in the finite fields119866119865(1199011198991) which is 119892
1 to compute the number of the operation
rounds which is 119903lowast according to the Poisson distributionwith parameter 120582 and then distribute the points sequence
(1199091119894 1199101119894) = (119867(119904
1119894 119892119903lowast
1) 119866 (119909
1119894)) (119894 = 0 1 119899
1minus 1)
(17)
Then it arbitrarily selects 1198991minus1199051points in the field of119865
1199011198991 (119909 119910)
except the ones in the equation (17) and publish them to thepublic
Then it saves the vector
1199041119894
(119894 = 0 1 21198991minus 1199051minus 1) (18)
and calls Pedersenrsquos bit commitment moduleAfter that it broadcasts
119881119894= 119892119906119894
1mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (19)
Send each participant in set 119860
TPK119894= [119886119894+ 119866 (0)] mod 119901
1198991
(119894 = 1 2 1198991 119886119894isin 119866119865(119902)
lowast
119866 (0) isin 119866119865(1199011198991)lowast
gt sup 119886119894)
(20)
In the set 119861 the parameter distributor generates the primitiveelement which is 119892
2 in the infinite field 119866119865(1199011198992) according
to this polynomial with 1198992minus 1 orders
119871 (119909) =
1198992minus1
sum119894=1
119897119894119909 mod 119901
1198992 (21)
And then with the rounds number 119903lowast noted before thesystem distributes publish the points sequence
(1199092119894 1199102119894) = (119867(119904
2119894 119892119903lowast
2) 119871 (119909
2119894))
(119894 = 0 1 1198992minus 1)
(22)
We adopt (1198992 1199052) threshold structure constructed by matrix
method 1199052players in set 119861 participate in the repeated games
and recover the secret 119878 using the published 1198992minus 1199052points
As a result the players in set 119860 can input 119878 after they get thegeneral term formula of homogeneous constant coefficientlinear differential equation
Save vector
1199042119894
(119894 = 0 1 21198992minus 1199052minus 1) (23)
And call Pedersenrsquos bit commitment moduleAfter that it broadcasts
119882119894= 119892119897119894
2mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (24)
Send each participant in set 119861
TPK119895= [119878 + 119871 (0)] mod 119901
1198992
(119895 = 1 2 1198992 119878 isin 119866119865(119901)
lowast
119871 (0) isin 119866119865(1199011198992)lowast
gt 119878) (25)
Theorem 5 The model is verifiable
Proof When distributing pointrsquos sequence and broadcastingcorresponding authentication information participants cansimultaneously verify the information
Set 119860 participants verify
119892119866(1199091119894)
1=
1198991minus1
prod119895=0
119881119909119895
1119894
119894mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (26)
Set 119861 participants verify
119892119871(1199092119894)
2=
1198992minus1
prod119895=0
119882119909119895
2119894
119894mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (27)
If the verification succeeds participants can trust the infor-mation sent by others
(6) Participants Participants in two different permissionstogether constitute the threshold structure (119899
1+ 1198992 1199051+ 1199052)
In addition |119860| = 1198991|119861| = 119899
2 and the threshold values are
|119860|threshold = 1199051and |119861|threshold = 119905
2
(7) Okamoto Signature Module After calculating the thresh-old signature private key take TSK = 119886
119878as the first private key
component of the signature module while the second privatekey component is generated by public key signature methodselect private keys and publicize public keys respectivelyThe model adopts Okamoto signature algorithm to signaturefinally
Theorem 6 The model can resist conspiracy attack
Proof The second component of the private key in Okamotosignature algorithm can avoid conspiracy attacks which areperformed by using general term formula to get other par-ticipantsrsquo private keys when meeting the threshold conditionto calculate homogeneous linear differential equations withconstant coefficients general term formula in original modelThe second component of everyonersquos private key has to bekept privately by each individual On condition that thesecond component of the private key ensures the privacy thethreshold signature cannot be forged Furthermore we canestablish a mechanism that is when there is a dispute thesystem will check every participant involving the process ofsignature arise disputes
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
4 Journal of Applied Mathematics
Class A participants
Rounds controller
Pedersen bit
commitment module
Parameter sequence
generator
Verifiable
parameter
distribution
module
Okamotosignaturemodule
Class Bparticipants
Parameter distributor
Figure 1 The structure diagram of model
Proof Differential equations are established for the rounds(1199030 1199031 119903lowast) respectively based on the four conditions
mentioned above
Pr119896(1199030 119903) = Pr 119873 (119903
0 119903) = 119896
=[120582 (119903 minus 119903
0)]119896
119896119890minus120582(119903minus119903
0)
(119903 119896 isin 119885)
(13)
The mathematical expectation is
119864 [119873 (119903) minus 119873 (1199030)] = 120582 (119903 minus 119903
0) (14)
So the expectations rounds of this model are 120582 each time themodel convergence time complexity is 119874(120582)
(3) Parameter Distributor Amachine can analog the behaviorof distributor (maker) and can be a trusted server in thedistributed network
(4) Pedersen Bit Commitment Module Pedersen bit commit-ment protocol [20] is a security protocol taken as commit-ment to the bit stream information In each time of signature
the system generates coefficients of homogeneous constantcoefficients differential equations and the coefficients ofalgebraic curved 119865(119909) with order 119899
2minus 1 which correspond
to the participants in set 119861 After storing the coefficients inthe binary bits formation we note them as form of 119898
119894(119894 isin
119885 and 119898119894isin 0 1) in the form of bits stream The parameter
distributor is also attached with the bit commitment modelto prevent it from attacks
Theorem 4 The model can detect whether the parameterdistributor is under attack or not
Proof The model adapts the Pedersenrsquos bit stream commit-ment protocol
Parameter distributor selects a random number120588isin119877119866119865(119901max119899
11198992)lowast timestamp information 119905 and secure
hash function119867(119898119894 119905) (119894 isin 119885 and 119898
119894isin 0 1)
To make bit stream and timestamp above hash processThe primitive element of group 119866119865(119901
max11989911198992) is 119892 publish
120575 = 119892120588119910119867(119898119894119905) mod 119901
max11989911198992
(119894 isin 119885 and 119898119894isin 0 1) (15)
The triple (120588119898119894 119905) will be publish to the public right after
the end of the signature process Set 119860 and set 119861 participants
Journal of Applied Mathematics 5
can verify commitment to make sure whether parameterdistributor is being attacked or not
(5) Verifiable Parameter Distribution Module Using the ideaof Feldmanrsquos [21] verification First publicize bivariate one-way function 119867(119909 119910) In each threshold signature processparameter distributor generates polynomial with 119899
1minus1 orders
which corresponds to set 119860 participants
119866 (119909) =
1198991minus1
sum119894=1
119906119894119909 mod 119901
1198991 (16)
Our model uses the primitive element in the finite fields119866119865(1199011198991) which is 119892
1 to compute the number of the operation
rounds which is 119903lowast according to the Poisson distributionwith parameter 120582 and then distribute the points sequence
(1199091119894 1199101119894) = (119867(119904
1119894 119892119903lowast
1) 119866 (119909
1119894)) (119894 = 0 1 119899
1minus 1)
(17)
Then it arbitrarily selects 1198991minus1199051points in the field of119865
1199011198991 (119909 119910)
except the ones in the equation (17) and publish them to thepublic
Then it saves the vector
1199041119894
(119894 = 0 1 21198991minus 1199051minus 1) (18)
and calls Pedersenrsquos bit commitment moduleAfter that it broadcasts
119881119894= 119892119906119894
1mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (19)
Send each participant in set 119860
TPK119894= [119886119894+ 119866 (0)] mod 119901
1198991
(119894 = 1 2 1198991 119886119894isin 119866119865(119902)
lowast
119866 (0) isin 119866119865(1199011198991)lowast
gt sup 119886119894)
(20)
In the set 119861 the parameter distributor generates the primitiveelement which is 119892
2 in the infinite field 119866119865(1199011198992) according
to this polynomial with 1198992minus 1 orders
119871 (119909) =
1198992minus1
sum119894=1
119897119894119909 mod 119901
1198992 (21)
And then with the rounds number 119903lowast noted before thesystem distributes publish the points sequence
(1199092119894 1199102119894) = (119867(119904
2119894 119892119903lowast
2) 119871 (119909
2119894))
(119894 = 0 1 1198992minus 1)
(22)
We adopt (1198992 1199052) threshold structure constructed by matrix
method 1199052players in set 119861 participate in the repeated games
and recover the secret 119878 using the published 1198992minus 1199052points
As a result the players in set 119860 can input 119878 after they get thegeneral term formula of homogeneous constant coefficientlinear differential equation
Save vector
1199042119894
(119894 = 0 1 21198992minus 1199052minus 1) (23)
And call Pedersenrsquos bit commitment moduleAfter that it broadcasts
119882119894= 119892119897119894
2mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (24)
Send each participant in set 119861
TPK119895= [119878 + 119871 (0)] mod 119901
1198992
(119895 = 1 2 1198992 119878 isin 119866119865(119901)
lowast
119871 (0) isin 119866119865(1199011198992)lowast
gt 119878) (25)
Theorem 5 The model is verifiable
Proof When distributing pointrsquos sequence and broadcastingcorresponding authentication information participants cansimultaneously verify the information
Set 119860 participants verify
119892119866(1199091119894)
1=
1198991minus1
prod119895=0
119881119909119895
1119894
119894mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (26)
Set 119861 participants verify
119892119871(1199092119894)
2=
1198992minus1
prod119895=0
119882119909119895
2119894
119894mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (27)
If the verification succeeds participants can trust the infor-mation sent by others
(6) Participants Participants in two different permissionstogether constitute the threshold structure (119899
1+ 1198992 1199051+ 1199052)
In addition |119860| = 1198991|119861| = 119899
2 and the threshold values are
|119860|threshold = 1199051and |119861|threshold = 119905
2
(7) Okamoto Signature Module After calculating the thresh-old signature private key take TSK = 119886
119878as the first private key
component of the signature module while the second privatekey component is generated by public key signature methodselect private keys and publicize public keys respectivelyThe model adopts Okamoto signature algorithm to signaturefinally
Theorem 6 The model can resist conspiracy attack
Proof The second component of the private key in Okamotosignature algorithm can avoid conspiracy attacks which areperformed by using general term formula to get other par-ticipantsrsquo private keys when meeting the threshold conditionto calculate homogeneous linear differential equations withconstant coefficients general term formula in original modelThe second component of everyonersquos private key has to bekept privately by each individual On condition that thesecond component of the private key ensures the privacy thethreshold signature cannot be forged Furthermore we canestablish a mechanism that is when there is a dispute thesystem will check every participant involving the process ofsignature arise disputes
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 5
can verify commitment to make sure whether parameterdistributor is being attacked or not
(5) Verifiable Parameter Distribution Module Using the ideaof Feldmanrsquos [21] verification First publicize bivariate one-way function 119867(119909 119910) In each threshold signature processparameter distributor generates polynomial with 119899
1minus1 orders
which corresponds to set 119860 participants
119866 (119909) =
1198991minus1
sum119894=1
119906119894119909 mod 119901
1198991 (16)
Our model uses the primitive element in the finite fields119866119865(1199011198991) which is 119892
1 to compute the number of the operation
rounds which is 119903lowast according to the Poisson distributionwith parameter 120582 and then distribute the points sequence
(1199091119894 1199101119894) = (119867(119904
1119894 119892119903lowast
1) 119866 (119909
1119894)) (119894 = 0 1 119899
1minus 1)
(17)
Then it arbitrarily selects 1198991minus1199051points in the field of119865
1199011198991 (119909 119910)
except the ones in the equation (17) and publish them to thepublic
Then it saves the vector
1199041119894
(119894 = 0 1 21198991minus 1199051minus 1) (18)
and calls Pedersenrsquos bit commitment moduleAfter that it broadcasts
119881119894= 119892119906119894
1mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (19)
Send each participant in set 119860
TPK119894= [119886119894+ 119866 (0)] mod 119901
1198991
(119894 = 1 2 1198991 119886119894isin 119866119865(119902)
lowast
119866 (0) isin 119866119865(1199011198991)lowast
gt sup 119886119894)
(20)
In the set 119861 the parameter distributor generates the primitiveelement which is 119892
2 in the infinite field 119866119865(1199011198992) according
to this polynomial with 1198992minus 1 orders
119871 (119909) =
1198992minus1
sum119894=1
119897119894119909 mod 119901
1198992 (21)
And then with the rounds number 119903lowast noted before thesystem distributes publish the points sequence
(1199092119894 1199102119894) = (119867(119904
2119894 119892119903lowast
2) 119871 (119909
2119894))
(119894 = 0 1 1198992minus 1)
(22)
We adopt (1198992 1199052) threshold structure constructed by matrix
method 1199052players in set 119861 participate in the repeated games
and recover the secret 119878 using the published 1198992minus 1199052points
As a result the players in set 119860 can input 119878 after they get thegeneral term formula of homogeneous constant coefficientlinear differential equation
Save vector
1199042119894
(119894 = 0 1 21198992minus 1199052minus 1) (23)
And call Pedersenrsquos bit commitment moduleAfter that it broadcasts
119882119894= 119892119897119894
2mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (24)
Send each participant in set 119861
TPK119895= [119878 + 119871 (0)] mod 119901
1198992
(119895 = 1 2 1198992 119878 isin 119866119865(119901)
lowast
119871 (0) isin 119866119865(1199011198992)lowast
gt 119878) (25)
Theorem 5 The model is verifiable
Proof When distributing pointrsquos sequence and broadcastingcorresponding authentication information participants cansimultaneously verify the information
Set 119860 participants verify
119892119866(1199091119894)
1=
1198991minus1
prod119895=0
119881119909119895
1119894
119894mod 119901
1198991 (119894 = 0 1 119899
1minus 1) (26)
Set 119861 participants verify
119892119871(1199092119894)
2=
1198992minus1
prod119895=0
119882119909119895
2119894
119894mod 119901
1198992 (119894 = 0 1 119899
2minus 1) (27)
If the verification succeeds participants can trust the infor-mation sent by others
(6) Participants Participants in two different permissionstogether constitute the threshold structure (119899
1+ 1198992 1199051+ 1199052)
In addition |119860| = 1198991|119861| = 119899
2 and the threshold values are
|119860|threshold = 1199051and |119861|threshold = 119905
2
(7) Okamoto Signature Module After calculating the thresh-old signature private key take TSK = 119886
119878as the first private key
component of the signature module while the second privatekey component is generated by public key signature methodselect private keys and publicize public keys respectivelyThe model adopts Okamoto signature algorithm to signaturefinally
Theorem 6 The model can resist conspiracy attack
Proof The second component of the private key in Okamotosignature algorithm can avoid conspiracy attacks which areperformed by using general term formula to get other par-ticipantsrsquo private keys when meeting the threshold conditionto calculate homogeneous linear differential equations withconstant coefficients general term formula in original modelThe second component of everyonersquos private key has to bekept privately by each individual On condition that thesecond component of the private key ensures the privacy thethreshold signature cannot be forged Furthermore we canestablish a mechanism that is when there is a dispute thesystem will check every participant involving the process ofsignature arise disputes
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
6 Journal of Applied Mathematics
32 Improved Threshold Model We adopt (1198992 1199052) threshold
structure constructed by matrix method 1199052players in set 119861
participate in the repeated games and recover the secret 119878
using the published 1198992minus 1199052points As a result the players
in set 119860 can input 119878 after they get the general term formulaof homogeneous constant coefficient linear differential equa-tion
Make two field extensions
[119866119865 (1199011198991) 119866119865 (119902)]=[119866119865 (119901
1198991) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
[119866119865 (1199011198992) 119866119865 (119902)]=[119866119865 (119901
1198992) 119866119865 (119901)] [119866119865 (119901) 119866119865 (119902)]
(28)
Expansion order of algebraic number field 119866119865(119902) is
1198761= [119866119865 (119901
1198991) 119866119865 (119902)] = 119899
1lowast [
119901 minus 1
119902]
1198762= [119866119865 (119901
1198992) 119866119865 (119902)] = 119899
2lowast [
119901 minus 1
119902]
(29)
Remove the noise terms 119871(0) and 119866(0) to get coefficientsinformation of homogeneous constant coefficient linear dif-ferential equation
33 Dynamic Game Model
Definition 7 TheComputable complete and perfect informa-tion dynamic game 120591 = [119875 119879 119860 119878 119877119867 119868 119874 119880] satisfies
Participants are noted as 119875 =
Simulator 119875119894 (Simulator represents the nature
and parameter distributor)The set of Types is 119879 = 119879
119894 (119879119894isin honesty fraud)
Actions set is 119860 = 119860119894 (119860119894isin honesty fraud)
Strategy set is 119878 = 119878119894120593 (119879
119894 119867119894 119868119894 119860119894) rarr 119878
119894
Rounds set is 119877 lt 119874(120582) and 119877 isin 119885+
Full history set 119867 = ℎ | ℎ = ⨁119896
119894=1119860119894 (119894 isin 119877 and 0 le
119896 le 119877) is depicted as game tree whose root is emptyhistory node 0The information set 119868 = 119868
119894 can be tested and is
perfectOutcome set is 119874 = 119874
119894120574 (119860
119894 119878119894) rarr 119874
119894
Utility function set is 119880 = 119880119894 120574 ∘ 120593
(119879119894 119867119894 119868119894 119860119894 119878119894 119874119894) rarr 119880
119894and satisfies 1205972119880
119894lt 0
The above game 120591 can be calculated in polynomialtime
Definition 8 Computable complete and perfect informationdynamic game with 119905
1+ 1199052elastic equilibrium will reach the
equilibrium results under the conditions that it satisfies theDefinition 7 and that each participants is rational That is119880(120590119894 120590minus119894) lt 119880(120590lowast
119894 120590minus119894) 120590 is multiple real variable function
120590 (119879119894 119867119894 119868119894 119860119894 119878119894 119874119894 119880119894) rarr 119880(120590
119894 120590minus119894)
Theorem 9 The model converges to computable completeand perfect information dynamic game with 119905
1+ 1199052elastic
equilibrium
Proof Participants who accord with threshold signature con-ditions possess superiority of Pr = 120576 (0 lt 120576 lt 1)They can getthreshold signature private key without the normal operationof the model Definitions of utility functions are as follows
119880++
(0119894) participantsrsquo ideal utility without the normal oper-
ation of the model to obtain the threshold signature privatekey
119880+
(119903119894)(0 le 119903 le 119903lowast) the utility that participant 119894 gets
signature private key and others do not get it in 119903 round119880minus
(119903119894)(0 le 119903 le 119903lowast) utility that participant 119894 does not
comply with the normal execution of the model when modelrun 119903 round
119880(119903119894)
(0 le 119903 le 119903lowast) utility that participant 119894 complies withthe normal execution of the model when model run 119903 round
119880(119903lowast119894) normal utility that participant 119894 always complies
with the operation of the model obtains threshold signatureprivate key when model reaches the last one round
119880minus
(119903all) (0 le 119903 le 119903lowast) utility that all participants do notobtain the threshold signature private key Illustrate that thereare some participants had deceived cause model abnormaltermination
Utility function satisfies the strong partial119880++(0119894)
gt 119880+(119903119894)
gt
119880(119903lowast119894)
gt 119880minus(119903all)
Define events as follows
A participant uses the advantage of Pr = 120576 (0 lt 120576 lt
1) to crack threshold signature private key
B participant implements protocol
C participant takes honesty policy in round 119903
D participant takes fraud policy in round 119903
We denote the utility of departing from the protocol as119880exception and denote the expected utility as 119864(119880exception) Wecan get the equation as follows
119880exception = 120576119880 (Pr (119860)) + (1 minus 120576)119880 (Pr (119861))
119880 (Pr (119861))
= 119880 (Pr (119861 | 119862)Pr (119862) + Pr (119861 | 119863)Pr (119863))
= 120582119880(119903lowast119894)
+ (1 minus 120582)
119903
sum119894=1
119880minus
(119903119894)
= 120582119880(119903lowast119894)
+ (1 minus 120582)
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 7
times
119903
sum119894=1
[
[
110038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)]
]
119880exception
= 120576119880++
(0119894)+ (1 minus 120576)
times [
[
119880(119903lowast119894)
+ (1 minus 120582)
times
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
[119866119865 (119901) 119866119865 (119902)] =119901 minus 1
119902
(30)
In our protocol
119880exception lt 119880(119903lowast119894) (31)
Distribution function satisfies
119903lowast= 120595 (120582) (32)
The following formulas are met
120582 lt Φ lowast [
[
119880(119903lowast119894)
minus 120576119880++(0119894)
1 minus 120576
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all))]
]
(33)
in which
Φ = 1 times (119880(119903lowast119894)
minus
119903
sum119894=1
(1
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880+
(119903119894)
+(119866119865(119901)
lowast
minus 1)2
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
10038161003816100381610038161003816119866119865(119901)
lowast10038161003816100381610038161003816
119880minus
(119903all)))
minus1
(34)
The above equation can determine the range of param-eters selection so that the model converges to computablecomplete and perfect information dynamic game with 119905
1+ 1199052
elastic equilibrium
Theorem 10 The model can resist inner fraud
Proof According to Theorem 9 a rational participant willnot depart from the protocol execution in any round Themodel overcomes the sensitivity of backward induction andadopts mixed strategy equilibrium If participants adopteda deceptive strategy in the model execution of any roundthis caused the decrease in revenue of participants to 119880
minus
(119903all)When the protocol terminates punishment strategies can beused thus putting an end to deceiving behavior effectively Sothe model can prevent inner fraud
4 Protocol Procedure
41 Parameters Generation Process Determine the order ofset 119860 and set 119861 determine the threshold value according tothe requirements respectively Select big prime 119902 119901 meets119902 | (119901 minus 1) Select primitive element 119892
1in finite field 119866119865(1199011198991)
and 1198922in finite field 119866119865(1199011198992) The participants in set 119860 and
set 119861 select signature private key as the second component ofthe Okamoto signature respectively
Parameter sequence generator generates coefficient con-stants vector of homogeneous constant coefficient lineardifferential equation
1198860= (1198860
1 1198860
2 119886
0
119899minus1199051
) (1198860
119894isin 119885119902)
1198870= (1198870
1 1198870
2 119887
0
119899minus1199051
) (1198870
119894isin 119885119902)
(35)
Superscript represents signature number of times 0represents the first signature
42 Dynamic Games Process Rounds controller accordingto Poisson distribution with parameter 120582 secret generatesthreshold signature round 119903
lowast According to the number ofparticipants in set 119860 and set 119861 the threshold value generatescoefficient constants vector of polynomial 119866(119909) and 119871(119909)respectively
1199060= (1199060
1 1199060
2 119906
0
1198991
) (1199060
119894isin 1198851199021198991 )
1198970= (1198970
1 1198970
2 119897
0
1198992
) (1198970
119894isin 1198851199021198992 )
(36)
Superscript signature represents the number of rounds 0represents the first round
Parameter distributor according to (17) and (22) dis-tributes and publicizes points Participants in set 119860 and set119861 can use the verifiable parameter distribution module forverification If there is no cheating behavior the protocolcontinues to execute Otherwise the verifiable parameterdistributionmodule goes to the interrupt processing In everyround of the games the players in set 119860 and set 119861 use thepublished points sequence and generate 119866(0)
119903 and 119871(0)119903
respectively
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
8 Journal of Applied Mathematics
Table 1 Several models comparison
Model Verifiable Bitcommitment
Resistconspiracyattack
Forwardsecurity permission Convergence time Range of parameters
Halpern and Teague No No No No different 119874(5
1205723)(0 lt 120572 lt 1)
1205722
1205722 + (1 minus 120572)2119880+(120590119894 120590minus119894)
+(1 minus 120572)
2
1205722 + (1 minus 120572)2119880minus(120590119894 120590minus119894)
gt 119880(120590lowast119894 120590minus119894)
Gordon and Katz No No No No different 119874(1
120573)(0 lt 120573 lt 1) 120573 le
119880(120590lowast
119894 120590minus119894) minus 119880minus(120590119894 120590minus119894)
119880+(120590119894 120590minus119894) minus 119880minus(120590
119894 120590minus119894)
Computablecomplete andperfect informationdynamic game
Yes Yes Yes Yes different 119874(120582)(120582 gt 0) 120582 lt119880(119903lowast119894)
minus 120576119880++
(0119894)
(1 minus 120576) lowast 119880(119903lowast119894)
Parameter distributor verifies respectively
[TPK119894minus 119866119903(0)] mod 119901
1198991
= 119886119894
(119866119903(0) isin 119866119865(119901
1198991)lowast
gt sup 119886119894 119894 = 1 2 119899
1)
[TPK119895minus 119871119903(0)] mod 119901
1198992
= 119878
(119878 isin 119866119865(119901)lowast
and 119871119903(0) isin 119866119865(119901
1198992)lowast
gt 119878 119895 = 1 2 1198992)
(37)
If 119903 = 119903lowastand (37) holds calculate (2) and then
TSK = 119886S (119878 gt 1198991+ 1198992) (38)
If 119903 = 119903lowast and (37) does not hold119866(0)119903and 119871119903(0) equal the
expected value and the protocol enters into the next roundIf 119903 = 119903
lowast and (37) does not hold meanwhile 119866(0)119903
and 119871119903(0) do not equal the expected value someone of theplayers have cheated At this time the parameter distributorcan perceive the cheating behavior so that the player cannotobtain the signature private key According to Theorem 10the rational participants will not deceive
43 Threshold Signature Process The Okamoto signaturemodule is used to complete the feature of signature
Okamoto signature algorithm contains two private keysthe first is threshold signature private key just generated andthe second is each participatorrsquos signature private key in set119860and set 119861 Only after verification parameter distributor cancall Okamoto signature module Two private key generationequations are as follows
TSK1= 119886119878
(119904 gt 1198991+ 1198992)
TSK2=
1199051+1199052minus1
prod119894=0
SHA(119898)119878119870119894
(39)
Verify equation1199051+1199052minus1
prod119894=0
TSK1198751198701198942
= SHA (119898) (40)
119898 is message sequence and SHA is secure hash functionWe use the equation (41) to complete signature
(1205901 1205902 1205903) = Okamoto (TSK
1TSK2) (41)
Validation process can use standard Okamoto algorithm
44 Several Models Comparison Table 1 is several modelscomparison The parameters range of this model uses thelimiting form of (31) (32) (33) and (34)
5 Conclusion
This paper proposed computable complete and perfect infor-mation dynamic game with 119905
1+ 1199052elastic equilibrium based
on the homogeneous constant coefficient linear differen-tial equation We constructs a dynamic game model andprotocol using time sequences bit commitments Feldmanrsquosverification menthod and Okamotorsquos signature permissionsThe model achieves two different threshold signature per-missions We proved that during the game no participanthas the tendency of departing from normal operation sothat the model achieves the purpose of preventing fraudOur method expands the idea of permission and overcomesfive inherent problems in homogeneous constant coefficientlinear differential equation
Conflict of Interests
The authors declare that there is no conflict of interestsregarding the publication of this paper
Acknowledgments
This work is supported by the National Natural ScienceFoundation of China (No61170221) The authors appreciatethe help as well as the hard work of the editor
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Journal of Applied Mathematics 9
References
[1] A Shamir ldquoHow to share a secretrdquo Communications of theAssociation for Computing Machinery vol 22 no 11 pp 612ndash613 1979
[2] G Blakeley ldquoSafeguarding cryptographic keysrdquo in Proceedingsof the National Computer Conference pp 313ndash317 AFIPS PressNew York NY USA 1979
[3] CAsmuth and J Bloom ldquoAmodular approach to key safeguard-ingrdquo IEEE Transactions on InformationTheory vol 29 no 2 pp208ndash210 1983
[4] P Morillo C Padro G Saez and J L Villar ldquoWeighted thresh-old secret sharing schemesrdquo Information Processing Letters vol70 no 5 pp 211ndash216 1999
[5] C Padro and G Saez ldquoSecret sharing schemes with bipartiteaccess structurerdquo IEEE Transactions on InformationTheory vol46 no 7 pp 2596ndash2604 2000
[6] T Tassa and N Dyn ldquoMultipartite secret sharing by bivariateinterpolationrdquo Journal of Cryptology vol 22 no 2 pp 227ndash2582009
[7] O Farras J R Metcalf-Burton C Padro and L Vazquez ldquoOnthe optimization of bipartite secret sharing schemesrdquo DesignsCodes and Cryptography vol 63 no 2 pp 255ndash271 2012
[8] C-W Chan and C-C Chang ldquoA new (t n)-threshold schemebased on difference equationsrdquo in Combinatorics AlgorithmsProbabilistic and Experimental Methodologies pp 94ndash106Springer Berlin Germany 2007
[9] B Li ldquoDifferential secret sharing scheme based on special accesssecret sharing schemerdquo Journal of Sichuan University (NaturalScience) vol 43 no 1 pp 78ndash83 2006
[10] YDesmedt andY Frankel ldquoShared generation of authenticatorsand signaturesrdquo in Proceedings of Advances in Cryptology-CRYPTO 91 Santa Barbara Calif USA 1991 pp 457ndash469Springer Berlin Germany 1992
[11] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo inAdvances in Cryptology vol 196 of Lecture Notes inComputer Science pp 47ndash53 Springer Berlin Germany 1985
[12] K G Paterson and J C N Schuldt ldquoEfficient identity-based sig-natures secure in the standard modelrdquo in Information Securityand Privacy vol 4058 of Lecture Notes in Computer Science pp207ndash222 Springer Berlin Germany 2006
[13] T Okamoto ldquoProvable secure and practical identificationschemes and corresponding signature schemesrdquo in Advances inCryptology-CRYPTO rsquo92 vol 740 of Lecture Notes in ComputerScience pp 31ndash53 Springer Berlin Germany 1992
[14] J Halpern and V Teague ldquoRational secret sharing and mul-tiparty computation extended abstractrdquo in Proceedings of the36th Annual ACM Symposium on Theory of Computing (STOC04) pp 623ndash632 New York NY USA 2004
[15] S D Gordon and J Katz ldquoRational secret sharing revisitedrdquoin Security and Cryptography for Networks vol 4116 of LectureNotes in Computer Science pp 229ndash241 Springer Berlin Ger-many 2006
[16] S Maleka A Shareef and C P Rangan ldquoThe deterministicprotocol for rational secret sharingrdquo in Proceedings of the22nd IEEE International Parallel and Distributed ProcessingSymposium (IPDPS rsquo08) pp 1ndash7 IEEE April 2008
[17] D Wei and X Qiuliang ldquoSpecial permission-based rationalsecret sharing schemerdquo China Electronic Business Communica-tions Market no 2 pp 180ndash184 2009
[18] W Dong Secret sharing based on game theory and application ofthe theory [MS thesis] Shandong University 2011
[19] F Z Ben Stochastic Process Science Press Beijing China 2011[20] Q Weidong Crypto Graphic Protocols Foundation Higher
Education Press Beijing China 2009[21] P Feldman ldquoA practical scheme for non-interactive verifiable
secret sharingrdquo in Proceedings of the 28th IEEE Symposium onFoundations of Computer Science pp 427ndash437 1987
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of
Submit your manuscripts athttpwwwhindawicom
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical Problems in Engineering
Hindawi Publishing Corporationhttpwwwhindawicom
Differential EquationsInternational Journal of
Volume 2014
Applied MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Probability and StatisticsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Mathematical PhysicsAdvances in
Complex AnalysisJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
OptimizationJournal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
CombinatoricsHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Operations ResearchAdvances in
Journal of
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Function Spaces
Abstract and Applied AnalysisHindawi Publishing Corporationhttpwwwhindawicom Volume 2014
International Journal of Mathematics and Mathematical Sciences
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Algebra
Discrete Dynamics in Nature and Society
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Decision SciencesAdvances in
Discrete MathematicsJournal of
Hindawi Publishing Corporationhttpwwwhindawicom
Volume 2014 Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014
Stochastic AnalysisInternational Journal of