Secret sharing plays a significant role in information security. It has become one of the most important research areas in modern cryptography and has wide applications in many fields. Its theories models are rapidly developed. A secret sharing scheme allows a secret dealer to split a secret into secret shares and to distribute the secret shares among a group of participants in the way that only if a certain specified subset of the participants pooling together their shares can reconstruct the shared secret, while any unqualified subsets cannot obtain anything about the shared secret. Particularly, a (t,n)-threshold secret sharing scheme allows the secret to being shared by a secret dealer among n participants in such a way that any t or more participants gathering their secret shares together can recover the shared secrets, but t − 1 or fewer participants cannot obtain any knowledge about the shared secret. Two basic (t,n)-threshold secret sharing schemes based on Lagrange interpolating and affine geometry were proposed by Shamir  and Blakley  for the first time respectively in 1979. Since then, many constructions have been proposed     . They usually consist of two basic protocols, one is a distribution protocol in which the secret S is distributed by the secret dealer to participants, another is a reconstruction protocol in which the secret S is recovered by pooling the secret shares of a qualified subset of the participants.
In the original (t,n)-threshold secret sharing schemes, if there are r secrets to be shared among the same n participants, the secret dealer should run the (t,n)-threshold secret sharing scheme for r times. It results in a low efficiency. To solve the problem, Blundo et al.  introduced the concept of multi-secret sharing schemes according to the situation where the same set of shared control members shares more than one secret in 1993. This is an alternative way to improve the efficiency of secret sharing scheme, named multi-secret sharing scheme (MSS), which use same shares to reconstruct multiple shared secrets. There are various proposals of MSS scheme. For instance, MSS schemes proposed by   are based on polynomials, and MSS scheme proposed by  is based on elliptic curve of bilinear map, and MSS scheme proposed by  is based on cellular automata, and so on.
These secret sharing schemes are all based on an assumption that all participants are equal in status, right and dependability. However, the assumption is very hard to satisfy in fact. In many cases, participants have different access right. Padro et al.  researched secret sharing schemes with bipartite access structure. Bipartite access structure, informally, is that the set of participants can be divided into two parts in such a way which all participants in the same part play an equivalent role in the structure. Papers   gave -threshold secret sharing schemes with two kinds of different access rights which based on the solution structures of constant coefficients homogeneous linear difference equation and noncyclic polynomial sequence respectively. Further, people can consider in any access structure the partition that is derived from a suitable equivalence relation on the set of participants. Because of its practical interest, secret sharing for multipartite access structures has been studied by several authors   .
In all of the above-mentioned schemes, there is a drawback that some participants might have left the group and adversary might have corrupted more than (or ) participants. The security policy and adversary structure of a secret sharing scheme may change after the setup of the scheme and before the recovery of the shared secret. So it is desirable to design a bipartite threshold secret sharing scheme which allows the value n1 or n2 of threshold and number m1 or m2 of participants to change before the recovery of the secret, and which remains secure under these changes.
In this paper, we use the hypertangent plane and the hypernormal plane on the hypersphere to construct a -threshold multi-secret sharing scheme. This threshold scheme is ideal which not only the participants can join or leave the system dynamically but also the value of threshold is easy to change as well as multi-secret could be shared and renewed. In addition, the participants need not provide their real secret shares and the secret shares need not to be renewed when the shared secret is changed.
Organization of this paper is as follows. We introduce related notions and results in Section 2. In Section 3, we propose our construction by using geometric method. Section 4 details our validity analysis, security analysis and performance analysis respectively. We draw the conclusion in Section 5.
2. Definitions and Preliminaries
In this section we review some basic definitions and notations that will be used through the paper.
Definition 1. Let A, B be two groups of participants with difference access right such that , , . Set satisfying , . Each participant in A obtains a secret share respectively and each participant in B obtains a secret share respectively. The shared secret S can be restored only if at least n1 participants in group A and n2 participants in group B combine their secret shares. Then this method is called bipartite -threshold secret sharing scheme, where the number n1, n2 are called the value of threshold.
In this paper, Let , , where , are some participants. Let D be the secret dealer who distributes the secret shares among the participants, NB be an electronic proclamation board on which the secret dealer can write information but others cannot. All operations in this paper are carried out over finite field Zp, where p is a large prime satisfying . The following theorem is proposed in .
Theorem 1. Let p be an odd prime. If 2 is not quadratic residue module-p, then arbitrary can be expressed to sum of squares for arbitrany n+1 integer module-p.
Let be n+1 dimension Cartesian orthogonal coordinate system in real Euclidean space .
Definition 2. Assume that is a point of , , and let N denote the radius of hypersphere Σ. Then the spherical representation of hypersphere Σ is defined as follows:
where is the coordinate of arbitrary point on hypersphere Σ. is called the centre of hypersphere.
Definition 3. For , a R-continuously differentiable curve from (a,b) to is defined as vector function in  by
The derived vector of curve
is called the tangent vector at point t of curve .
If for all , we have , then is called the regular curve.
If for all , the coordinates of regular curve satisfy
Then curve is called the spherical curve of hypersphere .
To deal with multi-secret sharing problem, for , we pick a transform between and as follows:
In addition, let g be a primitive root of module-p, we define a bivariate function over Zp,
and a coordinate function over Zp,
3. Proposed Scheme
In this section, we propose a bipartite multi-secret sharing scheme based on hypersphere. In our scheme, a secret dealer is responsible for generating different secret share from the shared secrets . And then, only given secret share, the shared secrets can be reconstructed.
3.1. The Distribution of the Secret Shares
The secret dealer randomly selects m1 different secret share and number u1 from Zp, then distributes and to each participant Pi in group A through a secret channel as the secret share of these participants respectively. Similarly, m2 different secret shares and number u2 from Zp such that are selected by D to distribute to participants in group B through same secret channel.
Taking , without loss of generality, suppose that , then . We assume that t shared secrets are all from Zp where . By setting in (4), the secret dealer calculates
which yields a point .
The secret dealer chooses a positive integer to get a spherical representation of a hypersphere
where is the centre of this hypersphere.
The secret dealer chooses such that and a bivariate function like (5), together with the coordinate function (6) to calculate over Zp as follows:
follows from the spherical representation, that is , satisfies
which yields a point on ,
It is not difficult to get a hypertangent plane π of at :
Letting , one obtains a following equation of hypertangent plane π:
The secret dealer D make computation according to the secret share ki of the participant Pi in group A and value u1 as follows:
Thus, point is on the hypertangent plane π. There are m1 points in all. The secret dealer publishs , the coordinates of point U0, the expressions of the bivariate function and the coordinate function on NB.
The secret dealer D chooses a spherical curve on the hypersphere ,
Differentiating (9) it follows
The secret dealer D set with such that , which yields that
Then the secret dealer D can derive a hypernormal plane of curve at ,
where is a vector of the moving point coordinates.
Letting , , one gets the following equation of the hypernormal plane :
The secret dealer D chooses numbers such that , together with the bivariate function and the coordinate function as well as the secret share of m2 participants in group B to calculate over Zp as follows:
Hence the secret dealer D obtains altogether hyperplanes, those are and . At the same time the secret dealer D publishs and the coordinate of on NB.
3.2. Reconstruction of the Secrets
For arbitrary participants in group A gather their secret shares together, without loss of generality, suppose that they are . Each participant uses his private share and the public information on the NB to calculate respectively. Then these n cooperative participants substitute yij, Hi and the coordinate of U0 into the following undetermined expression
Which yields that the following system of equations:
Calculating and M in (12), they obtain the equation of hypertangent plane π about the hypersphere at point U0,
where is given by .
These n cooperative participants get a normal vector from (13), which derive the equation of normal line L about π at point U0 as follows:
where is a moving point coordinate vector.
Similarly, arbitrary n2 participants in group B gather their secret shares together, without loss of generality, suppose that they are who possess secret share respectively. They use and the public information on NB to obtain the following system of equations:
From (15) it follows and . By calculating , these n2 cooperative participants can obtain the equation of hypernormal plane about hypersphere ,
At last, these n1 cooperative participants in group A and that n2 cooperative participants in group B solve in common the following set of equations which consist of (14) and (16):
Which yields the centre coordinate of hypersphere , that is, . Then by solving the transformation formula (7), these participants can recover the shared secrets .
4. Analysis of the Scheme
4.1. Correctness Proof
If the secret dealer and the participants are all honest in this scheme, at least n1 participants in group A and at least n2 participants in group B get together to reconstruct the shared secrets during the execution of reconstruction algorithm. To obtain this conclusion, we need only to prove the following theorem.
Theorem 2. The hypernormal plane π of any spherical curve on a hypersphere always passes the centre of this hypersphere.
Proof. Let us put the spherical representation of as follows:
and let spherical curve be
Hence, we have
and there exist a tangent vector of arbitrary point on the spherical curve ,
Let the coordinate of moving point on the hypernormal plane at t0 be , then the equation of this hypernormal plane is
Differentiating , we have
Which implies that when , we get
Substituting (18) into (17) , we obtain the hypernormal plane as follows:
Obviously, it passes the centre of hypersphere.
This completes the proof.
In our scheme, since the normal line L of hypertangent plane π at U0 passes the centre of hypersphere too, it follows that the cross point of normal line L and hypernormal plane is the centre of hypersphere.
Theorem 3. The unique hypertangent plane π over Zp is determined by arbitary n different points of m1 points derived from the secret shares together with point U0.
Proof. The system of Equations (12) determined by n different points and the public point U0 can be modified as follows:
where M and are unknown numbers of this system.
The determinant of coefficient for (19) can be obtained that
where is the bivariate function over Zp and g is a primitive root of modulo-p.
For any , we have , hence . It follows from Gramer rule that (19) has a unique set of solutions M, . Thus, the unique hypertangent plane π over Zp. Can be determined by this set of solutions.
As a result, we obtain theorem.
Similarly, we can prove that the unique hypernormal plane over Zp is determined by arbitary n2 different points of m2 points derived from the secret shares together with public points .
The above theorem show a deterministic condition for the hypertangent plane or the hypernormal plane.
4.2. Security Analysis
The security of proposed scheme is based on the deterministic condition of hyperplane.
Theorem 4. Arbitrary n points in cannot determine unique hyperplane over Zp.
Proof. Suppose in existence n points (there is no harm in taking
) can determine a hyperplane π1. Then, we pick a point W which is out of π
It can be shown from the theorem 4 that or fewer participants in group A submiting their secret shares can only produce n1 points including U0 at most. So that they have no way of determining hypertangent plane π. Similarly, or fewer participants in group B have no way of determining hypernormal plane too. This shows that the less than n1 participants in group A or the less than n2 participants in group B gathering their secret shares together cannot recover the shared secrets .
In addition, it is not difficult for an attacker to get the public informations in the proposed scheme. Hwever, are product of the coefficient and the last coordinate value of points which are derived from the secret shares of m1 participants in group A and m2 participants in group B respectively. They are calculated by the equation of hyperplanes and the front n coordinate value of derived points. On the contrary, the front n coordinate value of derived points cannot be predicted by , that means the attacker could not obtain the shared secrets from the public informations on NB. Moreover, together with the bivariate function, calculating from respectively need to solve the discrete logarithm problem, As we know that the discrete logarithm problem is intractable, it is impossible for an attacker to obtain the participant’s secret share.
4.3. Performance Analysis
4.3.1. Information Rate of the Proposed Scheme
By the construction of proposed scheme, each share or is choosed from Zp，and the shared secrets from Zp too. It follows that ,where Kh is a set of possible secret shares of participants in group A or in group B, and S is a set of possible shared secrets. Hence, the information rate of this scheme is
This shows that the proposed scheme is ideal one.
4.3.2. Advantages of the Proposed Scheme
1) Multiple secrets can be reconstructed simultaneously within a secret sharing session.
2) Since the participants provide the derived points of secret shares but not the secret share during the reconstruction of secrets, it follows that the secret shares of participants are still kept confidential after recovering all of the secrets and the secret shares could be used to share a new set of secrets.
3) When a new participant joins the system, the secret dealer needs only to select a new secret share that its derived points is on the hyperplane to distribute to this new participant secretly. When we need to delete a participant, the dealer needs only to change the value of parameter u in the bivariate function to recompute hyperplane, whereas the remainder participants can share next secrets by same secret shares. So it is very easy that the participants can join or leave the system.
4) When the value of threshold n1 or n2 is changed, namely,
change into , let us put
and , the secret dealer needs only to turn the n+1 dimension space into a dimension space and go on according to the same scheme. Whereas there is no need to change the one’s own secret share for each participant.
The above advantages of this scheme are not provided by the secret sharing scheme with bipartite access structure   . In addition, the scheme uses hypersphere geometry to study, which is more intuitive and clear than the scheme   , and the method is more unique.
4.3.3. Computational Complexity
The only operations used in this scheme are linear combination operation, determinant operation and exponentiation operation, of which the former is negligible complexity. Obviously, the performance of the scheme mainly depends on the calculation of determinant, which is relatively easy to implement. If the determinant is computed by Wiedemann algorithm in , the performance of this scheme will be further improved. In the following, we count the number of times of exponentiation operations taken by the secret dealer and each participant.
1) In the distribution stage: the secret dealer D calculate over Zp altogether times and calculate over Zp altogether times.
2) In the reconstruction stage: authorized participants in group A calculate over Zp altogether n1 times and ones in group B calculate over Zp altogether n2 times.
Thus it can seen that the proposed scheme needs exponentiation operations. We remark that one exponentiation operation can be done in time . In that way, sharing and reconstructing the secrets can be done in all time . It is obvious that the proposed scheme satisfies the definition of a computationally efficient secret sharing scheme.
This scheme is more effective than other secret sharing schemes  -  on general access structure when sharing larger secrets. Assuming that the length of the secret shared is bits, a comparison is made between the scheme in  and the one in this paper. In the scheme in , the length of module-p should be at least bits. With the scheme in my paper, the shared secret can be divided into t sub-secrets, and then the t sub-secrets can be shared. Therefore, the length of module-p is 512 bits, which greatly reduces the computational complexity compared with the scheme in .
In this paper, an efficient bipartite -threshold multi-secret sharing
scheme is proposed, which is based on a hypersphere by using a geometric method, In this scheme, multi-secret could be shared and each participant needs only to hold one secret share in renewing the shared secrets without updating each participant’s secret share. Compared with the existing bipartite secret sharing scheme, it is easy to show that not only the participants can leave the system and new participants can be added into the system dynamically, but also the values of threshold n1, n2 can be changed. Therefore, the proposed scheme is very effective and practical.
 Fine, B., Moldenhauer, I.S. and Rosenberger, G. (2013) A Secret Sharing Scheme Based on the Closet Vector Theorem and a Modification to a Private Key Cryptosystem. Groups Complexity Cryptology, 5, 223-238.
 Wang, S.T., Tsai, Y.R. and Shen, C.C. (2011) Verifiable Threshold, Scheme in Multi-Secret Sharing Distributions upon Extensions of ECC. Wireless Personal Communications, 56, 173-182.
 Cheng, Q., Yin, Y., Xiao, K. and Hsu, C.-F. (2009) On Non-Representable Secret Sharing Matroids. Proceedings of the 5th International Conference on Information Security Practice and Experience, 5451, 124-135.