Secret sharing is a method proposed to solve the problem of key management. It is mainly used to prevent important information from being lost, destroyed, changed or falling into the wrong hands. It is an important subject in information security and cryptography. It is widely used in data management, financial network, e-commerce, e-government and many other fields  . The basic idea of secret sharing is to share the master key in a group of participants, which enables members of the authorized subset of participants to recover the master key through the subkey they get, while members of any participant’s unauthorized subset cannot recover the master key through the subkey they get.
As early as 1979, Shamir  and Blakley  proposed -threshold secret sharing scheme respectively. The algorithm given by Shamir system is based on polynomial interpolation, while Blakley system is based on finite geometry. The -threshold secret sharing scheme requires that any or more than members of participants cooperate to derive the master key, while no members cooperate to derive the master key. After these two masters, more secret sharing schemes have been proposed one after another, which are constructed by using mathematical knowledge and methods in different fields. For example, Article  uses Reed-Solomon code to construct secret sharing scheme, Article  uses Chinese Remainder Theorem to construct secret sharing scheme, Article  uses matrix operation on finite field to construct secret sharing scheme, Article  uses one-way function to construct secret sharing scheme, Article  uses vector space to construct secret sharing scheme, etc. Especially in recent years, people have made some gratifying achievements in the design and research of more complex secret sharing schemes    . It should be pointed out that there may be dishonest participants in the actual use of these schemes. In view of how to effectively prevent fraud, many authors have conducted in-depth research on them. In Article  - , different schemes of secret sharing that can prevent fraud are proposed respectively.
However, none of the schemes mentioned above gives the probability of successful fraud accurately. Moreover, some schemes are complex in design, lack of intuition and conciseness, and fail to grasp the design principles of secret sharing schemes. The design principle of secret sharing scheme is not only to ensure its correctness, but also to pay attention to its security and effectiveness. According to this principle, this paper designs a kind of secret sharing scheme based on certain projective transformation. This scheme uses the special projective transformation in projective space to build the relationship between the master key and the subkey, so that the dealer (that is, the subkey distributor) can find the subkey through the master key to distribute the participants. Members of the authorized subset can gather their subkeys to find the relationship between the components of the shadow subkey vector, and recover the shadow subkey together with the residual vector of the intersecting line equations formed by the projection plane of the shadow subkey point in the space, so as to synthesize the master key. The secret sharing scheme designed in this way accords with the idea of -threshold secret sharing, which is simple, intuitive, practical and easy to implement.
Organization of this paper is as follows. We introduce related definitions and preliminaries in Section 2. In Section 3, we propose our construction by using certain projective transformation method. Section 4 describes our security analysis and effectiveness analysis respectively. We draw the conclusion in Section 5.
2. Definitions and Preliminaries
If the projective plane is extended to the -dimensional projective space and the infinite point is regarded as a common point, then according to the projective coordinate system established in Article , we can get the -dimensional projective coordinate system .
Definition 1. Under the projective coordinate system , let the coordinate of point be and the coordinate of point be in the -dimensional projective space. If the transformation from point to point is
Then is called a projective transformation in the -dimensional projective space, where is called the transformation matrix of .
Because of , the projective transformation has inverse transformation, that is
Under projective transformation , if the coordinates of the original image point are known, then the coordinates of the unique image point can be obtained; conversely, if the coordinates of the image point are known, then the coordinates of the unique original image point can also be obtained.
be the equations of hyperplanes which are not parallel to each other in the -dimensional projective space. It means that the vector group composed of the normal vectors of these hyperplanes is linearly independent, so the intersecting line of these hyperplanes is unique, and the system of equations about the unknown number is
Since the determinant of coefficient matrix of this system of equations is not equal to zero, it can be seen from Gramer’s law that the system of Equations (4) can be reduced to
Equation (5) is the system of hyperplane intersecting line Equations (3), which consists of equations.
Definition 2. The system of equations composed of any equations in the system of hyperplane intersecting line Equations (5) is called a -residue of the system of this intersecting line equations, which can be expressed as
Obviously, -residue is determined by the constant , we call the vector composed of these constants the corresponding
-residual vector. There are -residues in a
system of hyperplane intersecting line equations.
For the convenience of this study, we might as well take the permutation , that is, the –residue is
the corresponding residual vector is .
For the -dimensional projective space, under the given projective coordinate system , let the plane coordinate of hyperplane be , and the point coordinate of space point be , using the combination sign , we analyze the geometric meaning of the following formula
If is regarded as a definite array and as a variable array, then formula (8) represents the algebraic condition of the motion of moving point on the definite hyperplane , and formula (8) is the equation of hyperplane . On the contrary, If is regarded as a definite array and as a variable array, then formula (8) represents the algebraic condition of the rotation of the moving hyperplane through the fixed point , at this time, formula (8) is the equation of point , that is, the equation of the hyperplane bundle with as its center. It can be seen that formula (7) as -residue is a part of hyperplane bundle equation of passing point .
Let be prime number and be the original root of , that is, generates all values from 1 to under module . Since , and the necessary and sufficient condition of (where denotes congruence with respect to prime number ) is , there is a unique for any that makes hold, is called the discrete logarithm of with as the base under module . The so-called discrete logarithm problem is such a mathematical problem: when is a large prime number, given the integer , it is easy to calculate ; on the contrary, given the integer , it is very difficult to calculate the integer , which makes hold.
We know that if is an -order matrix, let any -row and -column of are taken, and elements at the intersection of -row and -column form a -order determinant in the original order, then this -order determinant is a -order minor of matrix.
Definition 3. Let be a prime number, be a -element finite field, and be a -order matrix over . If and any -order minor of is not equal to zero, then matrix is a nonzero -submatrix.
When the transformation matrix is a nonzero -submatrix, the
corresponding projective transformation (1) is a special projective transformation. The scheme in this paper is based on this kind of projective transformation.
Theorem 1. Let be prime, be a -element finite field, and the -order matrix over be a nonzero -submatrix, where , . If is known in projective transformation (1), the coordinate of point can be determined by the -residual vector of the system of hyperplane intersecting line equations of any passing point and projective transformation (1).
Proof. From projective transformation (1), the following system of equations can be obtained.
The coefficient matrix of the system of equations composed of equations in front of the system of Equations (9) is
Because matrix is a nonzero -submatrix, so . In the coefficient determinant , let the algebraic cofactor of element be , let
represent the determinant after the j-th column element in is replaced, where .
from Gramer’s law.
Similarly, we can get
Put into the next equations in the system of Equations (9), and get the following system of equations about after finishing.
It is known that the -residue corresponding to the -residual vector is
The system of Equation (15) contains equations and the system of Equations (16) contains equations. Combining the system of Equations (15) with the system of Equations (16), a linear system of equations with equations and unknows is obtained. Since the coefficient determinant of this system of linear equations satisfies , there is only one set of solutions for this system of linear equations. According to Gramer’s law, can be obtained. Certificate completion.
If we change the condition “known ” of Theorem 1 to the more general condition “known ”, we can get the following more general theorem according to the similar proof method of Theorem 1.
Theorem 2. Let be prime, be a matrix over be a nonzero -submatrix, where , . If is known in projective transformation (1), the coordinat of point can be determined by the -residual vector of the system of hyperplane intersecting line equations of any passing point and projective transformation (1).
3. Composition of the Scheme
Based on the one to one mapping of projective transformation and the difficulty of solving the discrete logarithm problem, this paper proposes a verifiable threshold secret sharing scheme. In this scheme, the dealer who distributes the subkey needs a bulletin board (BB). Only the dealer can modify and update the content on the BB, and others can only read or download it. This scheme is composed of two parts: the distribution phase of the subkey and the reconstruction phase of the master key.
3.1. Distribution of Subkeys
At the beginning of this stage, the dealer needs to publish some system parameters. He first takes a large prime number , finds an original root of the module , let be the finite field of the module , the dealer takes a nonzero -submatrix over , and then publishes , and on the BB.
Let and be the set of participants. The master key is decomposed into different shadow subkeys by the
dealer over , i.e. . Then, in the -dimensional projective
space, the dealer calculates a –residual vector of the system of hyperplane intersecting line equations of space point with coordinate , publishes the -residual vector on the BB, and uses the projective inverse transformation (2) to find .
The dealer distributes as subkeys to participants , calculates , and publishes vector as verification information on the BB.
3.2. Reconstruction of Master Key
When any members of participants gather together to recover the master key , they need to verify each other’s subkeys. First calculate , then check whether the corresponding on the BB and are consistent. If they are consistent, the subkey submitted by members is true. Otherwise, if some submits a false subkey, the corresponding and are inconsistent.
The recovery process of the master key is shown below. Let’s set the transformation matrix to
After the verification is passed, the members calculate the following formula together
By projective transformation (1), a system of equations about unknown subkeys owned by the rest members of the participant set is generated, that is.
This system of equations is considered to be composed of equations with unknowns , by eliminating these , equations about unknowns can be obtained, where
. Combined with the -residue (16) corresponding to the -residual vector published on the BB, the following system of equations are formed,
It can be seen from Theorem 2 that the unique solution can be obtained by solving this system of equations, and then the master key can be recovered.
3.3. Give an Example
The implementation process of this scheme can be clearly shown by the following example.
In the initial stage, the dealer takes the prime number , sets as the finite field of module 11, the number of participants , the threshold value , and selects matrix
It is proved that and any 2-order minor of is not equal to zero, so is a nonzero 2-submatrix.
Set the master key . In the subkey distribution stage, the dealer decomposes into over and obtain shadow subkeygroup . Then, the inverse projective transformation (2) is used for the following calculation.
From the geometric meaning of point plane combination, the hyperplane beam equation with point as the beam center is
In formula (23), we take four linearly independent vectors about , which are , , , respectively, and then we get a system of equations of hyperplane intersecting line passing through point .
Take a 2-residue of this equations
its corresponding 2-residual vector is .
We know that 2 is the original root of module 11. Take and calculate , , , , respectively, so as to construct the verification information vector .
After the above preparations, the dealer distributes , , , , as subkeys to five participants , , , , , and publishes the prime number , the original root , the threshold value , the transformation matrix , the 2-residual vector and the verification information vector on the BB.
In the reconstruction phase of the master key, any three members of the five participants gather together. Let’s assume that , , gather together. They first verify whether the key , , they have taken out is true. They only need to calculate , , separately and compare the calculation results with the corresponding components in the verification information vector to see whether the three corresponding quantities are consistent. If the three corresponding quantities are all consistent, then , , is true. If there is inconsistency, then the corresponding members provide false subkey.
In the case of verifying that all the subkeys provided are correct, these three people use projective transformation (1) to list the following matrix equation,
Turn (26) into a system of linear equations
After eliminating , from (27), we get the following system of equations about the unknown number , , , , ,
Combined with the 2-residual vector on the BB extened system of Equations (28):
These three members solve the system of Equations (29), get , , , , , and then calculate to get the master key .
4. Analysis of the Scheme
Under the premise that the dealer is reliable in subkey distribution, the following conclusions are drawn.
Theorem 3. The scheme is a complete secret sharing scheme, and the information rate can be up to 1.
Proof. Any participants can establish a system of equations by presenting their subkeys. According to theorem 2. This system of equations can uniqely determine the coordinate of shadow subkey point . If less than participants gather togetuer to provide their subkeys. The number of equations in the system of equations with structure (20) is less than the number of the unknown number , such a system of equations has numerous solutions, and it is difficult to find the shadow subkey point . So less than participants can not recover the master key. The information rate of a secret
sharing scheme is defined as where , and
is the set of all possible subkeys that the participant may receive . In this scheme, each participant only needs to save a subkey belonging to , at this time, the information rate can reach the maximum value of 1. Certificate completion.
Theorem 4. The probability that the fraudster obtains the master key through public information is .
Proof. According to the design requirements of the scheme, the public information that fraudsters can obtain includes –order nonzero -submatrix , large prime number and its original root , verification vector , and -residual vector . If a fraudster solves , he will encounter a difficult discrete logarithm problem, If the fraudster passes the –residual system of equation (16) corresponding to the –residual vector, but the rank of the coefficient matrix of this system of equations is , which is smaller than the number of unknown numbers of the system of equations, then the fraudster cannot determin its unique solution. In conclusion, it is impossible for the fraudster to obtain the subkey of the participant, and thus the master key . In this way, the only way for fraudsters to obtain the master key is to guess randomly from , according to the knowledge of probability theory, it can be considered that the master key is selected with equal probability in , so the probability of guess success is very small, which is . Certificate completion.
In the practical scheme, the selected is a large prime number and is almost zero. According to Theorem 4, it is impossible to recover the master key only through the information on the BB. In addition, the fraud detection of this scheme is based on the difficulty of discrete logarithm problem. Anyone can verify whether the subkey provided by himself or others is correct through the verification vector , so this scheme is secure and antifraud.
When we analyze the efficiency of the scheme, we mainly depend on the number of power operations performed in the scheme. The less the number of power operations is, the higher the efficiency is. The design of this scheme is unique. In addition to the power operations in the verification process, other calculations are mainly some basic linear operations, matrix operations and determinant operations. The performance of the main body of the scheme mainly depends on the calculation of the determinant, which is also very convenient. Moreover, Wiedemann  proposes a kind of determinant probability algorithm, which can effectively improve the calculation of the determinant over the finite field. The algorithm using Wiedemann’s will further improve the operation performance of this scheme.
Verifiable secret sharing scheme is an important part of secure cryptographic protocol and an effective method to solve the safe storage, legal recovery and utilization of important sensitive information. Therefore, the research on verifiable secret sharing and its application has an important theoretical and application value. Based on the projective transformation in -dimensional projective space, a verifiable -threshold secret sharing scheme is proposed by using the structure of solutions of linear equations and the difficulty of discrete logarithm problem. Each participant can verify the correctness of the subkey provided by other participants before the master key is restored. The scheme can effectively identify the fraudsters, and the fraudsters can only cheat by guessing. The probability of successful fraud is only , and the maximum information rate of the scheme can be 1. Compared with the existing secret sharing scheme, the scheme has the advantages of exquisite design, small computation complexity and less secret information. The analysis shows that the scheme is a secure and effective scheme with practical application value. This scheme is based on the threshold access structure, how to use the idea of this paper to design its secure secret sharing scheme remains to be further explored.
 Fouque, P.A., Poupard, G. and Stern, J. (2000) Sharing Decryption in the Context of Voting or Lotteries. In: Proceeding of Financial Cryptography 2000, Springer Verlag, Berlin, 90-94.
 Bouyuklieva, S. and Varbanov, Z. (2011) Some Connections between Self-Dual Codes, Comlinatorial Designs and Secret Sharing Schemes. Advances in Mathematics of Communications, 5, 191-198.
 Ma, Z., Ma, Y. and Huang, X.H. (2020) Applying Cheating Identifiable Secret Sharing Scheme in Multimedia Security. EURASIP Journal on Image and Video Processing, 2020, Article No. 42.
 Maarek, Y.S., Berry, D.M. and Kaiser, G.E. (1991) An Information Retrieval Approach for Automatically Constructing Software Libraries. IEEE Transactions on Software Engineering, 17, 800-814.