Information Sciences 501 (2019) 655–661


A verifiable threshold secret sharing scheme based on lattices


Bahman Rajabi (a), Ziba Eslami (b, *)
(a) Department of Mathematics, Shahid Beheshti University, G.C., Tehran, Iran
(b) Department of Computer Science, Shahid Beheshti University, G.C., Tehran, Iran

Article history: Received 14 November 2016; Revised 19 March 2018; Accepted 4 November 2018; Available online 5 November 2018.

Keywords: Secret sharing; Verifiability; Lattice; Post-quantum security; Collision resistant hash functions; Homomorphic functions.

Abstract

The generalized compact knapsack function is defined as $f_a(x) = \sum_i a_i \cdot x_i$, where $a = (a_1, \ldots, a_m)$ has entries in some ring $R$ and $x = (x_1, \ldots, x_m)$ has entries in a specified subset $S \subset R$. It is known that, for an appropriate choice of R and S, inverting this function is at least as hard as solving certain worst-case problems on cyclic lattices. In this paper, we exploit collision-resistance as well as homomorphic properties of this function to propose a threshold verifiable secret sharing scheme with two distinguished features: first, the security of the scheme is completely based on lattice problems and second, upon receiving shares, participants can verify consistency of their shares with the secret without any communication.

© 2018 Elsevier Inc. All rights reserved.

1. Introduction

Informally, secret sharing (SS) is a protocol in which a dealer distributes shares of information about a secret s among a set of N users (participants) such that only privileged subsets of them can recover the secret. In a threshold SS, the privileged subsets are exactly the groups of users of size at least some fixed integer t. The first threshold secret sharing schemes were proposed by Shamir [19] and Blakley [2] independently. These schemes are unconditionally secure, which means that forbidden subsets can find no information about the secret even with unlimited time and computing power. Shamir's threshold SS has been extensively studied and various categories of SS exist in the literature [3,4,6,8–12,14,16,21,23].
The possibility that the dealer itself or parties in a privileged subset are malicious poses further challenges. Therefore, the notion of verifiable secret sharing (VSS) was first introduced by Chor et al. [4]. Later, Benaloh [1] proposed an interactive VSS whereby it was possible to verify the honesty of participants at the cost of some communication among users and the dealer. However, participants were unable to verify whether the shares they received from the dealer are consistent with the secret or not. In 1987, Feldman introduced the first practical non-interactive threshold VSS [10]. Here, the dealer broadcasts users' shares encrypted under a one-way function which possesses a homomorphism property as well. Therefore, no communication is needed for checking the honesty of the submitted shares (through one-wayness), and parties can verify the consistency of their shares with the secret (through the homomorphism property). Unfortunately, no non-interactive VSS can achieve unconditional security. This is because the extra information published by the dealer, to achieve shares-secret compatibility, reveals some information about the secret. In the case of Feldman's scheme, the security is based on the hardness of the Discrete Logarithm Problem (DLP).


* Corresponding author.
E-mail addresses: [email protected] (B. Rajabi), [email protected] (Z. Eslami).

https://doi.org/10.1016/j.ins.2018.11.004
0020-0255/© 2018 Elsevier Inc. All rights reserved.
656 B. Rajabi and Z. Eslami / Information Sciences 501 (2019) 655–661

The problem of computing discrete logarithms has been studied for decades. The fastest classical algorithms have sub-exponential runtime (in the main security parameter). On quantum computers, however, Shor's algorithm [20] solves DLP in polynomial time and threatens all schemes that are based on the hardness of this problem. Therefore, the field of post-quantum cryptography is interested in a counterpart of Feldman's non-interactive VSS scheme which is secure against such attacks. Our goal here is to resolve this problem through lattices.
The existing literature on lattice-based VSS consists of only a few interactive schemes [5,18] and one non-interactive (n, n)-VSS [7]. In all of these schemes, shares-secret consistency can only be checked in the reconstruction phase. Therefore, the problem of ensuring consistency at the time of receiving shares still remains untouched in them. Moreover, to the best of our knowledge, no non-interactive threshold VSS based on lattices exists. Our idea to solve this problem is to somewhat follow Feldman's idea and use a family of collision-resistant hash functions with a homomorphism property. We employ a special class of the generalized compact knapsack (GCK) functions (described in the abstract) proposed in [13] for our construction.
In 2002, Micciancio [15] proposed a specific choice of R and S for which inverting GCK functions (for random a and x) is at least as hard as solving certain worst-case problems on cyclic lattices. In 2006, Peikert and Rosen [17] showed that Micciancio's proposed functions are not collision-resistant, but that for a different choice of S ⊂ R the GCK function is in fact collision-resistant, assuming it is infeasible to approximate the shortest vector in n-dimensional cyclic lattices up to factors O(n). Later, Micciancio and Lyubashevsky [13] changed the ring R and its subset S and proved that, for their choice of R and S, the GCK functions are collision-resistant under the same assumption as in Micciancio [15]. In this paper, we employ the GCK functions proposed by Micciancio and Lyubashevsky.
The organization of the paper is as follows. In Section 2, we explain the preliminaries used throughout the paper. In Section 3, we modify Feldman's idea and propose a generic construction for threshold VSS. Section 4 covers security aspects of our generic construction, while Section 5 employs GCK functions for the construction of the first non-interactive lattice-based VSS. The last section concludes the paper.

2. Preliminaries

In this section, we briefly provide the definitions and assumptions used throughout the rest of the paper.

Definition 1. Collision resistant hash function: The function f: A → B is called a collision-resistant hash function if it satisfies the following properties:

- |B| < 2|A|.
- For all polynomial time algorithms $\mathcal{A}$, there exists a negligible function $\varepsilon$ such that for all sufficiently large values of the security parameter n,
  $\Pr[(x_0, x_1) \leftarrow \mathcal{A}(1^n, f) : x_0 \neq x_1 \wedge f(x_0) = f(x_1)] \le \varepsilon(n)$.

Definition 2. Pre-image resistant hash function: The function f: S → G is called a pre-image resistant hash function if for all polynomial time algorithms $\mathcal{A}$, there exists a negligible function $\varepsilon$ such that for all sufficiently large values of the security parameter n,
$\Pr[x \leftarrow \mathcal{A}(1^n, f, y) : f(x) = y] \le \varepsilon(n)$.
The following lemma expresses the relation between security properties of a hash function.

Lemma 1. If a hash function is collision-resistant then it is preimage-resistant.

Indeed, if there is an algorithm that finds preimages for a hash function with non-negligible advantage, it can be used in a probabilistic algorithm that finds collisions for the hash function with non-negligible advantage (see [22] for more detail).

Definition 3. Homomorphic function: Let f: S → G be a function and let + and ∗ be any two binary operators defined on the sets S and G, respectively. f is called a homomorphic function if and only if
$\forall x, y \in S : f(x + y) = f(x) * f(y)$.

Definition 4. Generalized compact knapsack function: The generalized compact knapsack function is defined as $f_a(x) = \sum_i a_i \cdot x_i$, where $a = (a_1, \ldots, a_m)$ consists of m elements from some ring R and $x = (x_1, \ldots, x_m)$ consists of m coefficients from a specified subset S ⊂ R.

In [13] Micciancio and Lyubashevsky proposed the ring $\mathbb{Z}_p[x]/\langle g \rangle$ as R in the GCK function, for a prime number p and a monic, irreducible polynomial g. Let $f, g \in \mathbb{Z}_p[x]$ and let $\|g\|_\infty$ be the maximum of the absolute values of the coefficients of g. Define $\|g\|_f = \|g \bmod f\|_\infty$. Thus $\|g\|_f$ could be a lot bigger than $\|g\|_\infty$. To have control on such growth, the expansion factor of f is defined as follows:

Definition 5. The expansion factor of polynomial f (EF(f, k)):

$EF(f, k) = \max\{\|g\|_f / \|g\|_\infty : g \in \mathbb{Z}_p[x],\ \deg(g) \le k(\deg(f) - 1)\}$.

The following theorem gives tight bounds for the expansion factor of certain polynomials.

Theorem 1 ([13]). If n, k ∈ ℕ, then:

$EF(x^n - 1, k) \le k$,
$EF(x^{n-1} + x^{n-2} + \ldots + 1, k) \le 2k$,
$EF(x^n + 1, k) \le k$.

We also need the definition of the following problem. Micciancio and Lyubashevsky showed that this problem can be reduced to finding collisions for the GCK function. This reduction relates the security of our proposed VSS (Section 5) to the hardness of solving a certain worst-case lattice problem. More detail about lattices and the reduction can be found in [13,15,17].

Definition 6. Approximate Shortest Polynomial Problem ($f\text{-}SPP_\gamma(I)$): Given an ideal $I \subseteq \mathbb{Z}[x]/\langle f \rangle$ where f is a monic polynomial of degree n, we are asked to find a $g \in I$ such that $g \neq 0$ and $\|g\|_f \le \gamma \lambda_1^\infty(I)$, where $\lambda_1^\infty(I)$ is the minimum $\|\cdot\|_\infty$ of $\{g \bmod f : g \in I\}$.

2.1. Non-interactive verifiable secret sharing

In this section, the definition of verifiable secret sharing and its security requirements are provided.
Let U = {U1 , . . . , UN } be the set of users and let D be the dealer. Then, a VSS protocol is a pair (distribution-verification,
reconstruction) of phases as follows.

Distribution-verification: In this phase, on input a secret s, D runs the generation algorithm, generates the share corresponding to each user Ui and sends it to that user through a secure channel. The dealer also generates some public information to enable users to verify the validity of shares. At the end of this phase, each user Ui ∈ U, on input the public information and his share, runs the verification algorithm to output a verification value vi ∈ {accept, reject}.
Reconstruction: The inputs of this phase are the shares corresponding to a subset of users. At first, the validity of each share is verified by the other cooperating users. Then, if the set of users with valid shares is a privileged set, the secret can be computed by applying a reconstruction algorithm to the provided shares.

A non-interactive VSS protocol is called secure if it satisfies the following properties:

- Acceptance: If an honest user outputs "reject", then all honest users also output "reject" after observing a fake share and its public information. Moreover, if the dealer is not corrupt, then all honest users output "accept".
- Verifiability/reconstructability: All subsets of users containing one privileged subset of users with valid shares recover the same unique secret s'. With the assumption of honesty of the dealer, we should have s' = s, where s is the original shared secret.
- Privacy: If the dealer is not corrupt, then no forbidden subset of users is able to find the secret.

3. A generic threshold VSS construction

In this section, we propose a generic construction for a threshold VSS scheme. This is actually a modification of Shamir's SS. The construction needs a family of collision-resistant hash functions that preserve a homomorphism property, which is used for verification. In the next section, we show how to implement our generic construction using lattices.
Initialization: Let U = {U1, U2, ..., UN} be the set of users, let the integer t be the threshold size of privileged subsets, and let A, B be sets with binary operators +, ∗, respectively. The dealer chooses a function F ∈ H uniformly at random, where H is a family of collision-resistant hash functions from the set A to the set B which preserve the homomorphism property. The dealer chooses a random secret s, encodes s to an element a0 ∈ A using some public method, and chooses elements a1, ..., at−1 ∈ A uniformly at random.
The dealer then forms the pseudo-polynomial function f: ℕ → A where
$f(x) = a_0 + a_1 x + \ldots + a_{t-1} x^{t-1}$.
The dealer broadcasts F(a0), F(a1), ..., F(at−1), A and B publicly.
Distribution: The dealer computes f(i) and F(f(i)), and securely sends f(i) to the user Ui as his share. The dealer broadcasts F(f(i)).
Verification: In the case of an honest dealer, the following relations hold for each 1 ≤ i ≤ N by the homomorphism property of the function F (in other words, vi = "accept" if and only if):

- $f(i) \in A$
- $F(f(i)) = F(a_0) * (F(a_1))^{i} * \ldots * (F(a_{t-1}))^{i^{t-1}}$

This means that every user can check the dealer's honesty. If a user wants to take part in the reconstruction phase, he has to reveal his share. So, given this share, everyone can check its compatibility with the public information.
Reconstruction: If t or more users reveal their shares, all coefficients of f are reconstructed using the Lagrange interpolation formula and the secret s = a0 is recovered.

4. Analysis of our scheme

In this section, we show that our generic construction is a (t, N)-VSS and that its verifiability holds under a hardness assumption.

Lemma 2. If the function F is collision-resistant, then the proposed scheme is a (t, N ) − SS.

Proof. It is obvious that any subset of users with at least t members has enough information to reconstruct all coefficients of f and therefore obtain the secret value a0. Now suppose that an adversary $\mathcal{A}$ corrupts a subset T of users of size (at most) t − 1. We show that if there is a polynomial-time adversary $\mathcal{A}$ who can obtain f(i) for some i ∉ T with non-negligible advantage, then it can be used to compromise the collision-resistance of F.
Let $\mathit{NewfVal}$ denote the event that $\mathcal{A}$ obtains f(i) for some i ∉ T. Define $S_{\mathcal{A}}$ as the event that $\mathcal{A}$ recovers the secret value a0 successfully. We have

$\Pr(S_{\mathcal{A}}) = \Pr(S_{\mathcal{A}} \mid \mathit{NewfVal})\Pr(\mathit{NewfVal}) + \Pr(S_{\mathcal{A}} \mid \overline{\mathit{NewfVal}})\Pr(\overline{\mathit{NewfVal}})$.

Notice that $\Pr(S_{\mathcal{A}} \mid \mathit{NewfVal}) = 1$, because $\mathcal{A}$ then has the values of f at t points. As for $\Pr(\mathit{NewfVal})$, $\mathcal{A}$ has to choose a random element of A as f(i) for some i ∉ T, which succeeds with probability $1/|A|$. Therefore,

$\Pr(S_{\mathcal{A}}) = 1 \cdot \Pr(\mathit{NewfVal}) + \Pr(S_{\mathcal{A}} \mid \overline{\mathit{NewfVal}}) \cdot \frac{1}{|A|}$,

$\Pr(S_{\mathcal{A}}) = \Pr(\mathit{NewfVal}) + \mathrm{negl}$,

$\Pr(S_{\mathcal{A}}) \approx \Pr(\mathit{NewfVal})$.

This means that the probability of recovering the secret is almost equal to the probability of finding f(i) for some i ∉ T. Now consider the experiment Find_preimage as follows:
Input: A collision-resistant hash function F, t − 1 queries for preimages of F ((f(ij), F(f(ij))) for t − 1 different ij) and F(ai) for some unknown ai ∈ A, 0 ≤ i ≤ t − 1.
Problem: Find a0 (which is a preimage of F(a0)).
So, it is obvious that Find_preimage has non-negligible advantage by calling $\mathcal{A}$. On the other hand, we assumed that F is collision-resistant. Hence Lemma 1 implies that F is preimage resistant. This contradiction implies that there is no polynomial time adversary $\mathcal{A}$ who can obtain f(i) for some i ∉ T with non-negligible advantage. □

Lemma 3. In the proposed scheme, if the function F is collision-resistant, then the dealer cannot cheat and pass wrong shares to the users.

Proof. Without loss of generality, suppose that the dealer can successfully cheat and pass a wrong share to Ui. This means that Ui verifies and accepts the fake share Y with the public value F(Y), where Y ≠ f(i) and the following hold as well:
$Y \in A$,
$F(Y) = F(a_0) * (F(a_1))^{i} * \ldots * (F(a_{t-1}))^{i^{t-1}}$.

On the other hand, for the true share f(i), from the homomorphism property of F we have
$f(i) \in A$,
$F(f(i)) = F(a_0) * (F(a_1))^{i} * \ldots * (F(a_{t-1}))^{i^{t-1}}$.

Since the right hand sides of both equations are the same, their left hand sides must be equal. This means that Y ≠ f(i), F(Y) = F(f(i)), and the dealer has found a collision in the set A for the function F. This contradiction completes the proof. □

Lemma 4. In the proposed scheme, if the function F is collision-resistant, then users cannot cheat and pass wrong share in
reconstruction phase.

Proof. Without loss of generality, suppose that Ui can successfully cheat and pass a wrong share to some user Uj, i ≠ j, in the reconstruction phase. Then the verification of Uj outputs true, which means that the user Ui has succeeded in finding Y ≠ f(i) such that
$Y \in A$,
$F(Y) = F(a_0) * (F(a_1))^{i} * \ldots * (F(a_{t-1}))^{i^{t-1}}$.

On the other hand, if the user were honest, we would have
$f(i) \in A$,
$F(f(i)) = F(a_0) * (F(a_1))^{i} * \ldots * (F(a_{t-1}))^{i^{t-1}}$.

So we have Y ≠ f(i), F(Y) = F(f(i)). This contradicts the collision-resistance of F. □

Table 1
Comparison of the existing lattice based VSS schemes.

                                    [5]               [18]              Ours
Verification approach               Interactive       Interactive       Non-interactive
Hardness assumption                 SIS               N^c-SVP           SPP_γ(I)
Share/secret consistency checking   Reconstruction    Reconstruction    Distribution
Multi-stage                         Yes               Yes               No
Public-value-size/secret-size       (k + 2N − t)/1    (k × r)/r         N + t
Shares-size/secret-size             k                 t log q           1

4.1. Complexity and communication analysis

In this section, we consider the complexity and communication cost of our generic construction for a (t, N)-VSS. Then, we provide a comparison with the existing literature, i.e. [5,18]. Although [7] claims to be a non-interactive lattice-based (N, N)-VSS, there are important issues about lattices which are ignored in it. Therefore, we believe [7] cannot be regarded as related in our comparison.
Since the proposed scheme is non-interactive, the only required communication is for distributing the shares, which the dealer sends to the users; all the other values are broadcast publicly (except the secret values a0, ..., at−1). The complexity and efficiency depend on the complexity of computing F at each point and of the binary operators defined on the groups A and B. The proposed construction needs to compute F at N + t points to generate the shares, while each verification needs to compute F(f(i)) and $t + \sum_{j=1}^{t-1} i^{j}$ group operations in B.
We now compare our scheme with two existing lattice-based VSS [5,18]. The results are summarized in Table 1. The comparison is done in terms of verification approach, underlying hardness assumptions, when share/secret consistency checking is possible, as well as quantities such as the ratio of public-value size or share size to the size of the secret. In Table 1, k is the number of secrets (in multi-stage schemes), r is max(N, t log t) and q is a proper prime number for the scheme [18]. The notations N^c-SVP and SIS are abbreviations of the N^c-approximate shortest vector problem and short integer solution, respectively. As can be seen in Table 1, our scheme is non-interactive and consistency checking is possible during the distribution phase. Moreover, the size of a share in our scheme is the same as the size of the secret.

5. A (t, N)-VSS based on lattices

In this section, we employ our generic construction to come up with security based on some worst-case problems on cyclic lattices. We employ certain instantiations of the GCK functions proposed by Micciancio and Lyubashevsky to construct a lattice-based (t, N)-VSS.
Our proposed VSS: Initialization: Let {U1, U2, ..., UN} be the set of users. Let $g \in \mathbb{Z}_p[x]$ be an irreducible monic polynomial of degree n of the form $x^{n-1} + x^{n-2} + \ldots + 1$ with expansion factor EF(g, 3) ≤ ε for an integer ε, $R = \mathbb{Z}_p[x]/\langle g \rangle$, $D = \{h \in R : \|h\|_g \le d/(tN^t\varepsilon)\}$ and $S = \{h \in R : \|h\|_g \le d\}$ for some prime number p and some positive integer d. The dealer chooses an integer m, a secret $s = [a_0] \in D^m$, $[a_1], \ldots, [a_{t-1}] \in D^m$ and $b = (b_1, b_2, \ldots, b_m) \in R^m$ uniformly at random. The dealer forms the pseudo-polynomial function $f: \mathbb{Z}_p \to R^m$ and a one-way function $F: D^m \to R$ as follows:

$f(x) = [a_0] + [a_1]x + \ldots + [a_{t-1}]x^{t-1}$,

$F(X = (X_1, X_2, \ldots, X_m)) = \langle X \cdot b \rangle = \sum_{i=1}^{m} X_i \cdot b_i$.

The dealer broadcasts F([a0]), F([a1]), ..., F([at−1]), d, p, t, N and g publicly. So every user knows the ring R and the subset S ⊂ R.
Share-distribution: The dealer computes f(i) and F(f(i)), and securely sends to each user Ui his share f(i). The dealer broadcasts F(f(i)).

Verification: In the case of an honest dealer, the following relations hold for each 1 ≤ i ≤ N as a result of the homomorphism property of the function F:
$f(i) \in S^m$,
$F(f(i)) = \prod_{j=0}^{t-1} F([a_j])^{i^{j}}$.

This means that everyone can check the dealer's honesty. If a user Ui wants to take part in the reconstruction phase, he has to reveal his share. So, given his share, everyone can check this user's share for compatibility with the public information.
Reconstruction: If t or more users reveal their shares, all coefficients of f are reconstructed using the Lagrange interpolation formula. So they can reconstruct the secret s = [a0].
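The following toy implementation is an added illustration, not the authors' code, of the scheme above: the ring R = Z_p[x]/<g>, the GCK hash F, share generation, the non-interactive share check, and Lagrange reconstruction. Since F is additive, the paper's product of powers is implemented as a sum of scalar multiples, so the same code also realises the generic construction of Section 3; all parameters (p, n, m, d, the tampered share) are constructed for illustration and are nowhere near the bounds of Lemma 5.

```python
"""Toy run of the paper's lattice-based (t, N)-VSS of Section 5: ring R =
Z_p[x]/<g>, GCK hash F_b(X) = sum_i X_i*b_i, shares f(i), verification via the
additive homomorphism of F, and Lagrange reconstruction of [a_0].
All parameters are constructed for illustration only and are NOT secure."""
import secrets

P = 7919       # toy prime modulus (assumption; far below the bounds of Lemma 5)
DEG = 6        # g = x^6 + ... + 1, so every ring element has 6 coefficients
G = [1] * (DEG + 1)   # coefficients of g, lowest degree first
M = 3          # knapsack width m: F maps D^m -> R
D_BOUND = 2    # coefficients of the [a_j] in D are drawn from [-D_BOUND, D_BOUND]
S_BOUND = 100  # toy analogue of d: a valid share needs ||f(i)||_g <= S_BOUND


def add(a, b):
    return [(x + y) % P for x, y in zip(a, b)]

def scale(a, k):
    return [(x * k) % P for x in a]

def mul(a, b):
    """Schoolbook product in Z_p[x], then reduction modulo the monic g."""
    res = [0] * (2 * DEG - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[i + j] = (res[i + j] + ai * bj) % P
    for k in range(len(res) - 1, DEG - 1, -1):    # eliminate x^k, k >= deg g
        c = res[k]
        for t in range(DEG + 1):
            res[k - DEG + t] = (res[k - DEG + t] - c * G[t]) % P
    return res[:DEG]

def gck(X, b):
    """Generalized compact knapsack F_b(X) = sum_i X_i * b_i, computed in R."""
    acc = [0] * DEG
    for Xi, bi in zip(X, b):
        acc = add(acc, mul(Xi, bi))
    return acc

def vec_axpy(acc, X, k):
    """acc + k*X for vectors of ring elements, scalar k in Z_p."""
    return [add(a, scale(x, k)) for a, x in zip(acc, X)]

def small_vector():
    """Random element of D^m: m ring elements with small centered coefficients."""
    return [[(secrets.randbelow(2 * D_BOUND + 1) - D_BOUND) % P
             for _ in range(DEG)] for _ in range(M)]

def deal(secret, t, N, b):
    """Dealer: pick [a_1..a_{t-1}] in D^m, broadcast F([a_j]) for every j, and
    return the private shares f(i) = sum_j [a_j] i^j for i = 1..N."""
    coeffs = [secret] + [small_vector() for _ in range(t - 1)]
    commitments = [gck(a, b) for a in coeffs]
    shares = {}
    for i in range(1, N + 1):
        fi = [[0] * DEG for _ in range(M)]
        for j, a in enumerate(coeffs):
            fi = vec_axpy(fi, a, pow(i, j, P))
        shares[i] = fi
    return shares, commitments

def verify_share(i, share, commitments, b):
    """U_i's check (also usable by anyone once f(i) is revealed): f(i) in S^m
    and F(f(i)) == sum_j i^j * F([a_j]); because F is additive, the paper's
    product of powers becomes this sum of scalar multiples."""
    in_S = all(min(c, P - c) <= S_BOUND for poly in share for c in poly)
    expected = [0] * DEG
    for j, Fa in enumerate(commitments):
        expected = add(expected, scale(Fa, pow(i, j, P)))
    return in_S and gck(share, b) == expected

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_p on every coefficient of the
    share vectors; any t valid shares give back [a_0]."""
    secret = [[0] * DEG for _ in range(M)]
    for i, fi in shares.items():
        lam = 1
        for j in shares:
            if j != i:
                lam = lam * j * pow(j - i, -1, P) % P
        secret = vec_axpy(secret, fi, lam)
    return secret
```

A share whose single coefficient has been altered still lies in S^m but fails the homomorphic equation, which is the check a user runs alone at distribution time and that others run when the share is revealed.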

5.1. Analysis of the lattice-based (t, N)-VSS

The following lemma, proved by Micciancio and Lyubashevsky, explains the relation between hard lattice problems and our assumption.

Lemma 5 ([13]). Let H be the family of generalized compact knapsack functions for the ring R and subset S ⊂ R as in our proposed scheme, with $m > \frac{\log p}{\log(2d)}$ and $p > 2\varepsilon d m n^{1.5} \log n$. Then, for $\gamma = 8\varepsilon^2 d m n \log^2 n$, there is a polynomial time reduction from $f\text{-}SPP_\gamma(I)$ for any I to finding a collision for a function h chosen uniformly at random from H.

In the example presented in [13], the integer d is fixed as 8. Recall that $D = \{h \in R : \|h\|_g \le d/(tN^t\varepsilon)\}$. Therefore, we need to set d ≥ n² for a proper n such that $\lfloor d/(tN^t\varepsilon) \rfloor$ is large enough to make exhaustive search in D infeasible. The assumptions of Lemma 5 imply that $\frac{\log p}{\log(2d)} < m$ and $m < \frac{p}{2\varepsilon d n^{1.5} \log n}$. So if n is of order $O(2^k)$ for some integer k, we have $\frac{\log p}{(k+1)\log 2} < m < \frac{p}{2^{3.5k} \cdot k \cdot 2\varepsilon}$, and for our choice of g in the proposed scheme, ε = 6. Therefore, for large enough k and a prime number p of order $2^{5k}$, it can be seen that the parameters p, n, m and d can be chosen consistently with the conditions of Lemma 5 such that d is large enough. The only difference between our choice of parameters and those in [13] is that the runtime of the reduction of Lemma 5 for our choice of parameters will be of order $O(n^4)$, while the reduction runtime will be of order O(n) if d = 8 is fixed.
Let 1 ≤ i ≤ N and let [a0], ..., [at−1] be elements of $D^m$ and $f(x) = [a_0] + [a_1]x + \ldots + [a_{t-1}]x^{t-1}$, so $\|f\|_\infty$ grows at most by the factor $tN^t\varepsilon$. Then f(i) will be in $S^m$. So, we have the following theorem, which is a direct result of Lemmas 2–5.

Theorem 2. For an appropriate choice of p, n, d, ε and m, our proposed (t, N)-VSS scheme is secure and correct if the $f\text{-}SPP_\gamma(I)$ problem is hard for the ring R.

6. Conclusion

In this paper, we employ a special class of the generalized compact knapsack functions to propose a non-interactive VSS with security based on the hardness of the Approximate Shortest Polynomial Problem in cyclic lattices.

References

[1] J.C. Benaloh, Secret sharing homomorphisms: keeping shares of a secret secret, in: Proceedings on Advances in Cryptology – CRYPTO '86, 1987, pp. 251–260.
[2] G.R. Blakley, Safeguarding cryptographic keys, in: Proc. AFIPS '79 Nat. Computer Conf., 48, AFIPS Press, 1979, pp. 313–317.
[3] C. Blundo, D.R. Stinson, Anonymous secret sharing schemes, Discrete Appl. Math. 77 (1997) 13–28.
[4] B. Chor, S. Goldwasser, S. Micali, B. Awerbuch, Verifiable secret sharing and achieving simultaneity in the presence of faults, in: SFCS '85: Proceedings of the 26th Annual Symposium on Foundations of Computer Science, 1985, pp. 383–395.
[5] M.H. Dehkordi, R. Ghasemi, A lightweight public verifiable multi secret sharing scheme using short integer solution, in: Wireless Personal Communications, Springer, 2016, pp. 1459–1469.
[6] C.C. Dragan, F.L. Tiplea, Distributive weighted threshold secret sharing schemes, Inf. Sci. 339 (2016) 85–97.
[7] R.E. Bansarkhani, M. Meziani, An efficient lattice-based secret sharing construction, in: IFIP International Workshop on Information Security Theory and Practice, Springer Berlin Heidelberg, 2012, pp. 160–168.
[8] Z. Eslami, J.Z. Ahmadabadi, A verifiable multi-secret sharing scheme based on cellular automata, Inf. Sci. 180 (2010) 2889–2894.
[9] Z. Eslami, S. Kabiri-Rad, A new verifiable multi-secret sharing scheme based on bilinear maps, Wirel. Pers. Commun. 63 (2012) 459–467.
[10] P. Feldman, A practical scheme for non-interactive verifiable secret sharing, in: SFCS '87: Proceedings of the 28th Annual Symposium on Foundations of Computer Science, 1987, pp. 427–438.
[11] A. Herzberg, S. Jarecki, H. Krawczyk, M. Yung, Proactive secret sharing, or: How to cope with perpetual leakage, in: CRYPTO, LNCS 1963, 1995, pp. 339–352.
[12] C.F. Hsu, Q. Cheng, X. Tang, B. Zeng, An ideal multi-secret sharing scheme based on MSP, Inf. Sci. 181 (2011) 1403–1409.
[13] V. Lyubashevsky, D. Micciancio, Generalized compact knapsacks are collision resistant, in: Proc. of ICALP '06, Springer, 2006.
[14] S. Mashhadi, M.H. Dehkordi, Two verifiable multi secret sharing schemes based on nonhomogeneous linear recursion and LFSR public-key cryptosystem, Inf. Sci. 294 (2015) 31–40.
[15] D. Micciancio, Generalized compact knapsacks, cyclic lattices, and efficient one-way functions from worst-case complexity assumptions, Comput. Complex. 16 (2007) 365–411. Preliminary versions in FOCS and ECCC TR04-095 (2002).
[16] N. Pakniat, M. Noroozi, Z. Eslami, Secret image sharing scheme with hierarchical threshold access structure, J. Vis. Commun. Image Represent. 25 (2014) 1093–1101.

[17] C. Peikert, A. Rosen, Efficient collision-resistant hashing from worst-case assumptions on cyclic lattices, in: TCC '06, 2006, pp. 145–166.
[18] H. Pilaram, T. Eghlidos, An efficient lattice based multi-stage secret sharing scheme, IEEE Trans. Dependable Secure Comput. (2015) 2–8.
[19] A. Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612–613.
[20] P.W. Shor, Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM Rev. 41 (1999) 303–332.
[21] S.J. Shyu, K. Chen, Visual multiple secret sharing based upon turning and flipping, Inf. Sci. 181 (2011) 3246–3266.
[22] D. Stinson, Cryptography, Theory and Practice, third ed., CRC Press, Inc, 2005.
[23] T. Tassa, Hierarchical threshold secret sharing, J. Cryptol. 20 (2007) 237–264.
