Novel CRT-based Asymptotically Ideal Disjunctive Hierarchical Secret Sharing Scheme
Disjunctive Hierarchical Secret Sharing (DHSS) scheme is a type of secret sharing scheme in which the set of all participants is partitioned into disjoint subsets, and each subset is said to be a level with different degrees of trust and different t…
Authors: Hongju Li, Jian Ding, Fuyou Miao
Hongju Li$^{1,2}$, Jian Ding$^{1,3}$ (corresponding author), Fuyou Miao$^{2}$, Cheng Wang$^{3}$, Cheng Shu$^{3}$

$^{1}$ School of Mathematics and Big Data, Chaohu University, Hefei 238024, China
$^{2}$ School of Computer Science and Technology, University of Science and Technology of China, Hefei 230026, China
$^{3}$ School of Artificial Intelligence and Big Data, Hefei University, Hefei 230000, China

Abstract: Disjunctive Hierarchical Secret Sharing (DHSS) scheme is a type of secret sharing scheme in which the set of all participants is partitioned into disjoint subsets, and each subset is said to be a level with different degrees of trust and different thresholds. In this work, we focus on the Chinese Remainder Theorem (CRT)-based DHSS schemes due to their ability to accommodate flexible share sizes. We point out that the ideal DHSS scheme of Yang et al. (ISIT, 2024) and the asymptotically ideal DHSS scheme of Tiplea et al. (IET Information Security, 2021) are insecure. Consequently, existing CRT-based DHSS schemes either exhibit security flaws or have an information rate less than $\frac{1}{2}$. To address these limitations, we propose a CRT-based asymptotically perfect DHSS scheme that supports flexible share sizes. Notably, our scheme is asymptotically ideal when all shares are equal in size. Its information rate achieves one and it has computational security.

Keywords: secret sharing, disjunctive hierarchical secret sharing, asymptotically ideal secret sharing, Chinese Remainder Theorem, information rate

1 Introduction

Secret sharing (SS) is a cryptographic technique used to distribute a secret among a group of participants [1, 2]. It consists of two fundamental phases: a share generation phase and a secret reconstruction phase.
In the former, for any secret from the secret space, the dealer divides the secret into multiple shares, and each participant receives a share from the dealer. In the latter, any authorized subset of participants can reconstruct the secret with their shares, and any given unauthorized subset of participants cannot do so. An SS scheme is said to be perfect if each unauthorized subset of participants learns no information about the secret. The information rate is a crucial efficiency metric in SS schemes. It is defined as the ratio of the size of the secret space to the size of the maximum share space. An SS scheme is said to be ideal if it is perfect and its information rate achieves one. It is well known that the maximum information rate of perfect SS schemes is one.

Footnote: This research was supported by Research Project of Chaohu University under Grants No. KYQD-202220, No. hxkt20250173, No. hxkt20250174, and University Natural Science Research Project of Anhui Province under Grant No. 2024AH051324. Corresponding author: J. Ding. E-mail addresses: 058072@chu.edu.cn (H. Li), dingjian_happy@163.com (J. Ding), mfy@ustc.edu.cn (F. Miao), wangcheng@stu.hfuu.edu.cn (C. Wang), shucheng@stu.hfuu.edu.cn (C. Shu)

A $(t, n)$-threshold scheme is an SS scheme in which any $t$ or more participants can reconstruct the secret, but any group of less than $t$ participants learns no information about the secret. This implies that the $(t, n)$-threshold scheme establishes equal trust among all participants in the secret reconstruction phase. But in practical implementations, the shares of participants are often correlated with their organizational roles or positions. Disjunctive Hierarchical Secret Sharing (DHSS) schemes are particularly well-suited for this application scenario [3]. In a DHSS scheme, the set of all participants is partitioned into $m$ disjoint subsets $\mathcal{P}_1, \mathcal{P}_2, \dots, \mathcal{P}_m$, referred to as levels.
Each level has a distinct degree of trust and a corresponding threshold $t_\ell$ for $\ell \in \{1, 2, \dots, m\}$. The secret can be reconstructed if and only if there is a number $\ell \in \{1, 2, \dots, m\}$ such that the total number of participants from the first $\ell$ levels meets or exceeds $t_\ell$. When a level $\mathcal{P}_\ell$ contributes $r_\ell$ participants for $r_\ell < t_\ell$, the remaining $(t_\ell - r_\ell)$ participants can be drawn from higher levels $\mathcal{P}_1, \mathcal{P}_2, \dots, \mathcal{P}_{\ell-1}$.

DHSS schemes have been constructed from a variety of mathematical tools, including geometry [3], vector spaces [4], Birkhoff interpolation [5], polymatroids [6], the Chinese Remainder Theorem (CRT) for integer ring [7, 8, 9] and the CRT for polynomial ring [10]. Among these methods, CRT-based DHSS schemes exhibit a natural advantage: an inherent flexibility in assigning shares of varying sizes to participants. This capability makes them particularly well-suited for hierarchical access structures. Therefore, we focus on CRT-based DHSS schemes in this work.

In 2014, Harn et al. [7] use the CRT for integer ring to construct a DHSS scheme for the first time. However, Ersoy et al. [8] demonstrate that the scheme of Harn et al. [7] is insecure. They further propose a DHSS scheme based on the CRT for the integer ring and hash functions. This scheme is asymptotically perfect and computationally secure, as it publishes many hash values. Its information rate is less than $\frac{1}{2}$. Tiplea et al. [9] also use the CRT for integer ring to construct an asymptotically perfect DHSS scheme. Their scheme achieves an information rate approaching one, making it asymptotically ideal. This asymptotic perfectness stems directly from the use of CRT for integer ring. Recently, Yang et al. [10] construct an ideal DHSS scheme using the CRT for the polynomial ring for the first time.

Our contributions. We point out that the ideal DHSS scheme of Yang et al.
[10] and the asymptotically ideal scheme of Tiplea et al. [9] are insecure. We further propose an asymptotically ideal DHSS scheme with small share size. More specifically, we make the following contributions:

1) For clarity, we present the attack method for the 2-level case of Yang et al. scheme [10]. The same approach can also be applied to break the DHSS scheme of Tiplea et al. [9]. Consequently, existing CRT-based DHSS schemes either exhibit security flaws or have an information rate less than $\frac{1}{2}$.

2) We propose a novel asymptotically ideal DHSS scheme based on the CRT for polynomial ring and one-way hash functions. Unlike the unconditionally secure ideal schemes in [4, 5, 6], our scheme achieves flexible and smaller share sizes (see Table 1), although it provides computational security and requires publishing more values. Compared with the DHSS schemes in [7, 8, 9, 10], our scheme is secure and asymptotically ideal at the same time.

Table 1. Disjunctive hierarchical secret sharing schemes, where $t_m$ is the scheme's biggest threshold, and $\lvert\mathcal{P}_\ell\rvert$ is the cardinality of the level $\mathcal{P}_\ell$.

| Schemes | Security | Accommodate flexible share sizes | Perfectness | Information rate $\rho$ | Share size |
|---|---|---|---|---|---|
| [4] (Scheme 2) | unconditional | No | Yes | $\rho = 1$ | $m t_m^2 \log_2 p$ bits, $p > \max_{\ell \in \{1,2,\dots,m\}} \{\lvert\mathcal{P}_\ell\rvert\}$ |
| [5] (when $t_m$ was small) | unconditional | No | Yes | $\rho = 1$ | $\log_2 p$ bits, $p > \binom{n+1}{t_m} \frac{(t_m-2)(t_m-1)}{2} + t_m$ |
| [6] | unconditional | No | Yes | $\rho = 1$ | $\frac{1}{2} \sum_{\ell=1}^{m-1} t_\ell (t_\ell - 1) \log_2 p$ bits, $p > \max_{\ell \in \{1,2,\dots,m\}} \{\lvert\mathcal{P}_\ell\rvert\}$ |
| [7] | No | Yes | No | $\rho < 1$ | * |
| [9] | No | Yes | No | $\rho < 1$ | * |
| [10] | No | Yes | No | $\rho = 1$ | * |
| [8] | computational | Yes | Asymptotic | $\rho < \frac{1}{2}$ | * |
| Our scheme | computational | Yes | Asymptotic | $\rho = 1$ | $d_0 \log_2 p$ bits, $d_0 \ge 1$, $p > n$ |

Paper organization. After some preliminaries in Section 2, the results of this work are organized as follows. In Section 3, we analyze the security of the scheme of Yang et al. [10].
In Section 4, we present a novel asymptotically ideal DHSS scheme, accompanied by its security analysis. We conclude in Section 5.

2 Preliminaries

In this section, we will introduce basic notions about secret sharing, Chinese Remainder Theorem (CRT) for polynomial ring and the one-way hash function.

2.1 Secret sharing

Let $n, N_1, N_2$ be positive integers such that $N_1 < N_2$. Denote by $[n] = \{1, 2, \dots, n\}$ and $[N_1, N_2] = \{N_1, N_1 + 1, \dots, N_2\}$. Let $X$ and $Y$ be random variables, and let $H(X)$ be the Shannon entropy of $X$. Denote by $H(X \mid Y)$ the conditional Shannon entropy of $X$ given $Y$.

Definition 1 (Secret sharing scheme). Let $\mathcal{P} = \{P_1, P_2, \dots, P_n\}$ be a group of $n$ participants. A secret sharing scheme of $n$ participants consists of a share generation phase and a secret reconstruction phase, as shown below.

1) Share Generation Phase. For any secret from the secret space $\mathcal{S}$, the dealer applies the map

$$\mathrm{SHARE} : \mathcal{S} \times \mathcal{R} \mapsto \mathcal{S}_1 \times \mathcal{S}_2 \times \cdots \times \mathcal{S}_n$$

to assign shares to participants from $\mathcal{P}$, where $\mathcal{S}_i$ is the share space of the participant $P_i$, and $\mathcal{R}$ is a set of random inputs.

2) Secret Reconstruction Phase. Any given authorized subset $\mathcal{A} \subseteq \mathcal{P}$ can reconstruct the secret by using their shares and the map

$$\mathrm{RECON} : \prod_{P_i \in \mathcal{A}} \mathcal{S}_i \mapsto \mathcal{S},$$

while any given unauthorized subset cannot reconstruct the secret.

We usually take the number $i$ as the $i$-th participant $P_i$ in this work. This means that $[n] = \mathcal{P}$. If any given unauthorized subset of participants learns nothing about the secret, the secret sharing scheme is said to be perfect.

Definition 2 (Information rate, [11]). For a secret sharing scheme of $n$ participants, its information rate is defined as

$$\rho = \frac{H(\mathbf{S})}{\max_{i \in [n]} H(\mathbf{S}_i)},$$

where $\mathbf{S}$ and $\mathbf{S}_i$ are random variables corresponding to the secret and the share of the $i$-th participant, respectively.
When $\mathbf{S}$ and $\mathbf{S}_i$ are random and uniformly distributed in the secret space $\mathcal{S}$ and each share space $\mathcal{S}_i$, it holds that

$$\rho = \frac{\log_2 |\mathcal{S}|}{\max_{i \in [n]} \log_2 |\mathcal{S}_i|},$$

where $|\mathcal{S}|$ is the number of elements in the secret space, and $|\mathcal{S}_i|$ is the number of elements in the share space of the $i$-th participant.

The information rate $\rho$ of a perfect secret sharing scheme satisfies $\rho \le 1$. Specifically, a secret sharing scheme is said to be ideal if it is perfect and has information rate one.

Definition 3 (Disjunctive hierarchical secret sharing scheme, [5]). Assume that a set $\mathcal{P}$ of $n$ participants is partitioned into $m$ disjoint subsets $\mathcal{P}_1, \mathcal{P}_2, \dots, \mathcal{P}_m$, namely,

$$\mathcal{P} = \bigcup_{\ell=1}^{m} \mathcal{P}_\ell, \quad \text{and} \quad \mathcal{P}_{\ell_1} \cap \mathcal{P}_{\ell_2} = \emptyset \ \text{for any } 1 \le \ell_1 < \ell_2 \le m.$$

For a threshold sequence $t_1, t_2, \dots, t_m$ such that $1 \le t_1 < t_2 < \cdots < t_m \le n$, the Disjunctive Hierarchical Secret Sharing (DHSS) scheme with the given threshold sequence is a secret sharing scheme such that the following correctness and privacy are satisfied.

1) Correctness. The secret can be reconstructed by any given element of $\Gamma$, where

$$\Gamma = \Big\{\mathcal{A} \subseteq \mathcal{P} : \exists\, \ell \in [m] \text{ such that } \Big|\mathcal{A} \cap \Big(\bigcup_{w=1}^{\ell} \mathcal{P}_w\Big)\Big| \ge t_\ell \Big\}.$$

2) Privacy. The secret cannot be reconstructed by any given $\mathcal{B} \notin \Gamma$.

A DHSS scheme is said to be ideal if it is perfect and has an information rate one.

Definition 4 (Asymptotically ideal DHSS scheme, [14]). For a DHSS scheme with the secret space $\mathcal{S}$ and share spaces $\mathcal{S}_i$, $i \in [n]$, it is said to be asymptotically ideal if the following asymptotic perfectness and asymptotic maximum information rate are satisfied.

1) Asymptotic perfectness. For all $\epsilon_1 > 0$, there is a positive integer $\sigma_1$ such that for all $\mathcal{B} \notin \Gamma$ and $|\mathcal{S}| > \sigma_1$, the loss entropy

$$\Delta(|\mathcal{S}|) = H(\mathbf{S}) - H(\mathbf{S} \mid \mathbf{V}_{\mathcal{B}}) \le \epsilon_1,$$

where $H(\mathbf{S}) \ne 0$, and $\mathbf{S}$, $\mathbf{V}_{\mathcal{B}}$ are random variables corresponding to the secret and the knowledge of $\mathcal{B}$, respectively.
2) Asymptotic maximum information rate. For all $\epsilon_2 > 0$, there is a positive integer $\sigma_2$ such that for all $\mathcal{B} \notin \Gamma$ and $|\mathcal{S}| > \sigma_2$, it holds that

$$\frac{\max_{i \in [n]} H(\mathbf{S}_i)}{H(\mathbf{S})} \le 1 + \epsilon_2.$$

2.2 Chinese Remainder Theorem and one-way hash function

Lemma 1 (CRT for polynomial ring, [11, 12]). Let $\mathbb{F}$ be a finite field and $m_1(x), m_2(x), \dots, m_n(x) \in \mathbb{F}[x]$ be pairwise coprime polynomials. Denote by $M(x) = \prod_{i=1}^{n} m_i(x)$, $M_i(x) = M(x)/m_i(x)$, and $\lambda_i(x) \equiv M_i^{-1}(x) \pmod{m_i(x)}$. For any given polynomials $y_1(x), y_2(x), \dots, y_n(x) \in \mathbb{F}[x]$ and a system of congruences

$$y(x) \equiv y_i(x) \pmod{m_i(x)}, \quad \text{for all } i \in [n],$$

it holds that

$$y(x) \equiv \sum_{i=1}^{n} \lambda_i(x) M_i(x) y_i(x) \pmod{M(x)}.$$

If the degree of $y(x)$ satisfies $\deg(y(x)) < \deg(M(x))$, the solution is unique and we denote it as

$$y(x) = \sum_{i=1}^{n} \lambda_i(x) M_i(x) y_i(x) \pmod{M(x)}.$$

Definition 5 (One-way hash function, [13]). A one-way hash function is a function that satisfies the following conditions:

(i) The function $h(\cdot)$ is publicly known.
(ii) The input $x$ of the function is of arbitrary length, and the output $h(x)$ is of a fixed length.
(iii) Given $h(\cdot)$ and $x$, computing $h(x)$ is easy.
(iv) Given an image $y$ of the function $h(\cdot)$, it is hard to find a message $x$ such that $h(x) = y$, and given $x$ and $h(x)$, it is hard to find another message $x' \ne x$ such that $h(x') = h(x)$.

3 Security analysis of Yang et al. scheme

In this section, we review the scheme of Yang et al. [10], and present an attack method to show that the ideal DHSS scheme of Yang et al. [10] and the asymptotically ideal DHSS scheme of Tiplea et al. [9] are insecure.

3.1 Review of Yang et al. scheme

For clarity in presentation, we rewrite the DHSS scheme of Yang et al. with total levels $m = 2$.
Let $\mathcal{P}$ be a set of $n$ participants, and it is partitioned into 2 disjoint subsets $\mathcal{P}_1$ and $\mathcal{P}_2$. Denote by $n_1 = |\mathcal{P}_1|$ and $n_2 = |\mathcal{P}_2|$, then $n = n_1 + n_2$. Let $t_1, t_2$ be thresholds such that $1 \le t_1 < t_2 \le n_2$ and $t_1 \le n_1$. The scheme of Yang et al. consists of a share generation phase and a secret reconstruction phase.

1) Share Generation Phase. Let $p$ be a prime integer, and $\mathbb{F}_p$ be a finite field with $p$ elements.

• The dealer chooses a publicly known integer $d_0 \ge 1$, and sets $m_0(x) = x^{d_0} \in \mathbb{F}_p[x]$. The dealer selects publicly known pairwise coprime polynomials $m_i(x) \in \mathbb{F}_p[x]$, $i \in [n]$ such that the following three conditions are satisfied.

(i) For all $i \in [n]$, $m_0(x)$ and $m_i(x)$ are coprime.
(ii) Denote by $d_i = \deg(m_i(x))$ for $i \in [n]$, it holds that $d_0 \le d_1 \le d_2 \le \cdots \le d_n$.
(iii) $d_0 + \sum_{i=n-t_\ell+2}^{n} d_i \le \sum_{i=1}^{t_\ell} d_i$ for all $\ell \in \{1, 2\}$.

• For any given secret $s(x) \in \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < d_0\}$, the dealer randomly chooses two polynomials

$$\alpha_\ell(x) \in \mathcal{G}_\ell = \Big\{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < \Big(\sum_{i=1}^{t_\ell} d_i\Big) - d_0\Big\}, \quad \ell \in \{1, 2\}.$$

Let $f_\ell(x) = s(x) + \alpha_\ell(x) x^{d_0}$ for $\ell \in \{1, 2\}$, then the dealer computes

$$c_i(x) = \begin{cases} f_1(x) \pmod{m_i(x)}, & \text{if } i \in [n_1], \\ f_2(x) \pmod{m_i(x)}, & \text{if } i \in [n_1 + 1, n], \end{cases}$$

and sends each share $c_i(x)$ to the $i$-th participant $P_i$.

• The dealer publishes $w_i(x) = (f_2(x) - c_i(x)) \pmod{m_i(x)}$ for $i \in [n_1]$.

2) Secret Reconstruction Phase.
For any $\mathcal{A} \subseteq \mathcal{P}$ such that $\mathcal{A}^{(\ell)} = \mathcal{A} \cap (\cup_{w=1}^{\ell} \mathcal{P}_w)$, $|\mathcal{A}^{(\ell)}| \ge t_\ell$ for some $\ell \in \{1, 2\}$, participants of $\mathcal{A}$ pool their shares and corresponding public polynomials to determine the polynomial

$$f_\ell(x) = \sum_{i \in \mathcal{A}^{(\ell)}} \lambda_{i,\mathcal{A}^{(\ell)}}(x)\, M_{i,\mathcal{A}^{(\ell)}}(x)\, c_i^{(\ell)}(x) \pmod{M_{\mathcal{A}^{(\ell)}}(x)},$$

and reconstruct the secret $s(x) = f_\ell(x) \pmod{m_0(x)}$, where $M_{\mathcal{A}^{(\ell)}}(x) = \prod_{i \in \mathcal{A}^{(\ell)}} m_i(x)$, $M_{i,\mathcal{A}^{(\ell)}}(x) = M_{\mathcal{A}^{(\ell)}}(x)/m_i(x)$, $\lambda_{i,\mathcal{A}^{(\ell)}}(x) \equiv M_{i,\mathcal{A}^{(\ell)}}^{-1}(x) \pmod{m_i(x)}$, and

$$c_i^{(\ell)}(x) = \begin{cases} c_i(x), & \text{if } \ell = 1,\ i \in \mathcal{A}^{(\ell)} \subseteq [n_1], \\ c_i(x) + w_i(x), & \text{if } \ell = 2,\ i \in \mathcal{A}^{(\ell)} \cap [n_1], \\ c_i(x), & \text{if } \ell = 2,\ i \in \mathcal{A}^{(\ell)} \cap [n_1 + 1, n]. \end{cases}$$

3.2 An attack method on the Yang et al. scheme

In the scheme of Yang et al. [10] with total levels $m = 2$, we let $\mathcal{P}$ be a set of $n = 7$ participants. It is partitioned into $m = 2$ disjoint subsets $\mathcal{P}_1 = \{P_1, P_2, P_3\}$, $\mathcal{P}_2 = \{P_4, P_5, P_6, P_7\}$ such that $n_1 = |\mathcal{P}_1| = 3$ and $n_2 = |\mathcal{P}_2| = 4$. Let $t_1 = 2$, $t_2 = 3$ be the threshold sequence, and denote by $\mathcal{B} = \{P_4, P_5\}$. Clearly, $|\mathcal{B} \cap \mathcal{P}_1| = 0 < t_1$ and $|\mathcal{B} \cap (\bigcup_{w=1}^{2} \mathcal{P}_w)| = 2 < t_2$. This shows that

$$\mathcal{B} \notin \Big\{\mathcal{A} \subseteq \mathcal{P} : \exists\, \ell \in \{1, 2\} \text{ such that } \Big|\mathcal{A} \cap \Big(\bigcup_{w=1}^{\ell} \mathcal{P}_w\Big)\Big| \ge t_\ell \Big\}.$$

Yang et al. claimed that participants of $\mathcal{B}$ learn no information about the secret. We will prove that participants of $\mathcal{B}$ can reconstruct the secret with the following three steps.

Step 1. Participants of $\mathcal{B}$ obtain $f_2(x) - f_1(x) \in \mathbb{F}_p[x]$ from public polynomials.

It is easy to check that $\deg(f_1(x)) < \sum_{i=1}^{t_1} d_i$ and $\deg(f_2(x)) < \sum_{i=1}^{t_2} d_i$. Since $t_1 < t_2$, then it holds that $\deg(f_2(x) - f_1(x)) < \sum_{i=1}^{t_2} d_i$. For $i \in [n_1]$, it is known that $c_i(x) = f_1(x) \pmod{m_i(x)}$.
Since polynomials $w_i(x) = (f_2(x) - c_i(x)) \pmod{m_i(x)}$, $i \in [n_1]$ are public, then participants of $\mathcal{B}$ obtain

$$w_i(x) = (f_2(x) - f_1(x)) \pmod{m_i(x)}, \quad i \in [n_1].$$

Since $\sum_{i \in [n_1]} d_i > \deg(f_2(x))$, the polynomial $f_2(x) - f_1(x) \in \mathbb{F}_p[x]$ can be determined by using CRT for polynomial ring, namely,

$$f_2(x) - f_1(x) = \sum_{i \in [n_1]} \lambda_{i,[n_1]}(x)\, M_{i,[n_1]}(x)\, w_i(x) \pmod{M_{[n_1]}(x)},$$

where

$$M_{[n_1]}(x) = \prod_{i \in [n_1]} m_i(x), \quad M_{i,[n_1]}(x) = M_{[n_1]}(x)/m_i(x), \quad \lambda_{i,[n_1]}(x) \equiv M_{i,[n_1]}^{-1}(x) \pmod{m_i(x)}.$$

Step 2. Participants of $\mathcal{B}$ can get $f_1(x) \in \mathbb{F}_p[x]$ from $f_2(x) - f_1(x) \in \mathbb{F}_p[x]$ and their shares.

For any $i \in \mathcal{B}$, let $u_i(x) = (f_2(x) - f_1(x)) \pmod{m_i(x)}$, and then participants of $\mathcal{B}$ get

$$c_i(x) - u_i(x) = f_2(x) - (f_2(x) - f_1(x)) \pmod{m_i(x)} = f_1(x) \pmod{m_i(x)}.$$

Since $\sum_{i \in \mathcal{B}} d_i > \deg(f_1(x))$, then the polynomial $f_1(x) \in \mathbb{F}_p[x]$ can be determined by using CRT for polynomial ring, namely,

$$f_1(x) = \sum_{i \in \mathcal{B}} \lambda_{i,\mathcal{B}}(x)\, M_{i,\mathcal{B}}(x)\, (c_i(x) - u_i(x)) \pmod{M_{\mathcal{B}}(x)},$$

where

$$M_{\mathcal{B}}(x) = \prod_{i \in \mathcal{B}} m_i(x), \quad M_{i,\mathcal{B}}(x) = M_{\mathcal{B}}(x)/m_i(x), \quad \lambda_{i,\mathcal{B}}(x) \equiv M_{i,\mathcal{B}}^{-1}(x) \pmod{m_i(x)}.$$

Step 3. Participants of $\mathcal{B}$ reconstruct the secret $s(x) = f_1(x) \pmod{m_0(x)}$.

Remark 1. In the scheme of Yang et al. [10] with total levels $m = 2$ and $n_1 \ge t_2$, the secret can be reconstructed by any $\mathcal{B} \subseteq \mathcal{P}$ of cardinality $|\mathcal{B}| \ge t_1$. In this case, the scheme of Yang et al. is insecure, and it is not a DHSS scheme. Besides, we find that the scheme of Yang et al. is not perfect if $t_1 \le n_1 < t_2$.

Remark 2. The same approach can be applied to break the DHSS scheme of Tiplea et al. [9].
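The three steps of Section 3.2, run end to end as an added Python example (not code from the paper or from Yang et al.): on a constructed instance with $p = 101$, $d_0 = 2$ and $m_i(x) = x^2 + i$, the unauthorized set $\mathcal{B} = \{P_4, P_5\}$ recovers $s(x)$ from its two shares and the public $w_i(x)$. All function names and parameter values are assumptions of this example; `attack` also accepts the other sets with $|\mathcal{B}| \ge t_1$ covered by Remark 1.

```python
import random

# Constructed parameters for the page's case: n = 7, n_1 = 3, t = (2, 3).
P, D0 = 101, 2                            # field F_p and m_0(x) = x^D0
N1, N, T = 3, 7, (2, 3)
M0 = [0] * D0 + [1]
MODS = {i: [i, 0, 1] for i in range(1, N + 1)}   # m_i(x) = x^2 + i, d_i = 2

# A polynomial over F_p is a coefficient list, lowest degree first; [] is 0.
def trim(a):
    a = [c % P for c in a]
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return trim([x + y for x, y in zip(a, b)])

def sub(a, b):
    return add(a, [-c for c in b])

def mul(a, b):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def divmod_poly(a, b):
    a, b = trim(a), trim(b)
    q = [0] * max(len(a) - len(b) + 1, 1)
    inv_lead = pow(b[-1], -1, P)
    while len(a) >= len(b):
        shift, coef = len(a) - len(b), a[-1] * inv_lead % P
        q[shift] = coef
        a = sub(a, [0] * shift + [coef * c for c in b])
    return trim(q), a

def mod(a, m):
    return divmod_poly(a, m)[1]

def inv_mod(a, m):
    """Extended Euclid: return u with u(x) a(x) = 1 (mod m(x))."""
    r0, r1, u0, u1 = trim(m), mod(a, m), [], [1]
    while r1:
        q, r = divmod_poly(r0, r1)
        r0, r1, u0, u1 = r1, r, u1, sub(u0, mul(q, u1))
    if len(r0) != 1:
        raise ValueError("polynomials are not coprime")
    return mod(mul(u0, [pow(r0[0], -1, P)]), m)

def crt(residues, moduli):
    """Lemma 1: the unique y with deg y < deg M and y = y_i (mod m_i)."""
    M, y = [1], []
    for m in moduli:
        M = mul(M, m)
    for r, m in zip(residues, moduli):
        Mi = divmod_poly(M, m)[0]
        y = add(y, mul(mul(inv_mod(Mi, m), Mi), r))
    return mod(y, M)

def deal(secret, rng):
    """Share generation of the 2-level scheme reviewed in Section 3.1."""
    f = []
    for t in T:
        # deg(alpha) < (d_1 + ... + d_t) - d_0, every d_i being 2 here
        alpha = [rng.randrange(P) for _ in range(2 * t - D0)]
        f.append(add(secret, [0] * D0 + alpha))      # f = s + alpha * x^d0
    shares = {i: mod(f[0] if i <= N1 else f[1], MODS[i]) for i in MODS}
    public_w = {i: mod(sub(f[1], shares[i]), MODS[i]) for i in range(1, N1 + 1)}
    return shares, public_w

def is_authorized(B):
    """Membership in the access structure Gamma of Definition 3 (m = 2)."""
    return sum(i <= N1 for i in B) >= T[0] or len(B) >= T[1]

def attack(shares_of_B, public_w):
    """Steps 1-3 of Section 3.2 from B's shares and the public w_i only."""
    lvl1, B = sorted(public_w), sorted(shares_of_B)
    # Step 1: w_i = (f2 - f1) mod m_i, so CRT over level 1 gives f2 - f1.
    diff = crt([public_w[i] for i in lvl1], [MODS[i] for i in lvl1])
    # Step 2: remove f2 - f1 from level-2 shares, leaving f1 mod m_i; CRT.
    res = [shares_of_B[i] if i <= N1 else mod(sub(shares_of_B[i], diff), MODS[i])
           for i in B]
    f1 = crt(res, [MODS[i] for i in B])
    return mod(f1, M0)                    # Step 3: s = f1 mod m_0

def demo(seed=1):
    rng = random.Random(seed)
    secret = trim([rng.randrange(P) for _ in range(D0)])
    shares, public_w = deal(secret, rng)
    B = [4, 5]                                # the page's unauthorized set
    return is_authorized(B), secret, attack({i: shares[i] for i in B}, public_w)

if __name__ == "__main__":
    print(demo())   # (authorized?, secret, what B recovered)
```

The first element returned by `demo` is `False` (the set is outside $\Gamma$) while the second and third coincide, which is the break described in Steps 1 to 3.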
4 A novel asymptotically ideal DHSS scheme

In this section, we will construct a novel asymptotically ideal DHSS scheme by using CRT for polynomial ring and one-way hash functions. Our scheme is given in subsection 4.1, and we analyze its security in subsection 4.2.

4.1 Our scheme

Let $\mathcal{P}$ be a group of $n$ participants, and it is partitioned into $m$ disjoint subsets $\mathcal{P}_1, \mathcal{P}_2, \dots, \mathcal{P}_m$. Let $n_\ell = |\mathcal{P}_\ell|$ and $N_\ell = \sum_{w=1}^{\ell} n_w$ for $\ell \in [m]$. Denote by $t_1, t_2, \dots, t_m$ a threshold sequence such that $1 \le t_1 < t_2 < \cdots < t_m$ and $t_\ell \le n_\ell$ for $\ell \in [m]$. Let $\lfloor x \rfloor$ be the biggest integer not more than $x$. Our scheme consists of a share generation phase and a secret reconstruction phase.

1) Share Generation Phase. Let $p$ be a prime integer, and $\mathbb{F}_p$ be a finite field with $p$ elements.

• Identities. The dealer chooses a publicly known integer $d_0 \ge 1$, and sets $m_0(x) = x^{d_0} \in \mathbb{F}_p[x]$. The dealer selects publicly known pairwise coprime polynomials $m_i(x) \in \mathbb{F}_p[x]$, $i \in [n]$ such that the following three conditions are satisfied.

(i) For all $i \in [n]$, $m_0(x)$ and $m_i(x)$ are coprime.
(ii) Denote by $d_i = \deg(m_i(x))$ for $i \in [n]$, it holds that $d_0 \le d_1 \le d_2 \le \cdots \le d_n$.
(iii) $d_0 + \sum_{i=n-t_\ell+2}^{n} d_i \le \sum_{i=1}^{t_\ell} d_i$ for all $\ell \in [m]$.

• Shares. Let $\mathcal{S} = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < d_0\}$ be the secret space.

Step 1. For any $s(x) \in \mathcal{S}$, the dealer randomly chooses polynomials

$$\alpha_\ell(x) \in \mathcal{G}_\ell = \Big\{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < \Big(\sum_{i=1}^{t_\ell} d_i\Big) - d_0\Big\}, \quad \ell \in [m].$$

Let $f_\ell(x) = s(x) + \alpha_\ell(x) x^{d_0}$ for $\ell \in [m]$.

Step 2. The dealer sends each share $s_i(x)$ to the $i$-th participant, where

$$s_i(x) = \begin{cases} c_i(x), & \text{if } i \in [N_{m-1}], \\ f_m(x) \pmod{m_i(x)}, & \text{if } i \in [N_{m-1} + 1, N_m], \end{cases}$$

and the polynomials $c_i(x) = c_{i,0} + c_{i,1} x + \cdots + c_{i,d_i-1} x^{d_i-1} \in \mathbb{F}_p[x]$, $i \in [N_{m-1}]$ are randomly chosen by the dealer.

• Hierarchy.

Step 1.
The dealer selects $m$ publicly known distinct one-way hash functions $h_1(\cdot), h_2(\cdot), \dots, h_m(\cdot)$. These functions take a value of any length as an input, and output a value of length $\lfloor \log_2 p \rfloor$. For any $i \in [N_{m-1}]$, denote by

$$H_\ell(s_i(x)) = H_\ell(c_i(x)) = h_\ell(c_{i,0}) + h_\ell(c_{i,1}) x + \cdots + h_\ell(c_{i,d_i-1}) x^{d_i-1} \in \mathbb{F}_p[x], \quad \ell \in [m].$$

Step 2. The dealer publishes $w_i^{(\ell)}(x) = (f_\ell(x) - H_\ell(s_i(x))) \pmod{m_i(x)}$ for all $\ell \in [m-1]$, $i \in [N_\ell]$, and $w_i^{(m)}(x) = (f_m(x) - H_m(s_i(x))) \pmod{m_i(x)}$ for all $i \in [N_{m-1}]$.

2) Secret Reconstruction Phase. For any $\mathcal{A} \subseteq \mathcal{P}$ such that $\mathcal{A}^{(\ell)} = \mathcal{A} \cap (\cup_{w=1}^{\ell} \mathcal{P}_w)$, $|\mathcal{A}^{(\ell)}| \ge t_\ell$ for some $\ell \in [m]$, participants of $\mathcal{A}$ compute

$$f_\ell(x) = \sum_{i \in \mathcal{A}^{(\ell)}} \lambda_{i,\mathcal{A}^{(\ell)}}(x)\, M_{i,\mathcal{A}^{(\ell)}}(x)\, s_i^{(\ell)}(x) \pmod{M_{\mathcal{A}^{(\ell)}}(x)},$$

and reconstruct the secret $s(x) = f_\ell(x) \pmod{m_0(x)}$, where $M_{\mathcal{A}^{(\ell)}}(x) = \prod_{i \in \mathcal{A}^{(\ell)}} m_i(x)$, $M_{i,\mathcal{A}^{(\ell)}}(x) = M_{\mathcal{A}^{(\ell)}}(x)/m_i(x)$, $\lambda_{i,\mathcal{A}^{(\ell)}}(x) \equiv M_{i,\mathcal{A}^{(\ell)}}^{-1}(x) \pmod{m_i(x)}$, and

$$s_i^{(\ell)}(x) = \begin{cases} H_\ell(s_i(x)) + w_i^{(\ell)}(x), & \text{if } \ell \in [m-1],\ i \in \mathcal{A}^{(\ell)} \subseteq [N_\ell], \\ H_m(s_i(x)) + w_i^{(m)}(x), & \text{if } \ell = m,\ i \in \mathcal{A}^{(\ell)} \cap [N_{m-1}], \\ s_i(x), & \text{if } \ell = m,\ i \in \mathcal{A}^{(\ell)} \cap [N_{m-1} + 1, N_m]. \end{cases}$$

4.2 Security analysis of our scheme

We will prove the correctness, asymptotic perfectness and asymptotic maximum information rate of our scheme in this subsection.

Theorem 1 (Correctness). The secret can be reconstructed by any authorized subset

$$\mathcal{A} \in \Big\{\mathcal{A} \subseteq \mathcal{P} : \exists\, \ell \in [m] \text{ such that } \Big|\mathcal{A} \cap \Big(\bigcup_{w=1}^{\ell} \mathcal{P}_w\Big)\Big| \ge t_\ell \Big\}.$$

Proof. Let $\mathcal{A} \subseteq \mathcal{P}$ such that $\mathcal{A}^{(\ell)} = \mathcal{A} \cap (\cup_{w=1}^{\ell} \mathcal{P}_w)$, $|\mathcal{A}^{(\ell)}| \ge t_\ell$ for some $\ell \in [m]$. Without loss of generality, we assume that $\mathcal{A}^{(\ell)} = \{i_1, i_2, \dots, i_{|\mathcal{A}^{(\ell)}|}\}$, $i_1 < i_2 < \cdots < i_{|\mathcal{A}^{(\ell)}|}$, $i_{|\mathcal{A}^{(\ell)}|} \in \mathcal{P}_\ell$ and $|\mathcal{A}^{(\ell)}| \ge t_\ell$.
We will prove that the subset $\mathcal{A}^{(\ell)}$ is an authorized subset. By using the shares $s_i(x)$, $i \in \mathcal{A}^{(\ell)}$, the publicly known one-way hash function $h_\ell(\cdot)$, the publicly known polynomials $m_i(x)$, $i \in \mathcal{A}^{(\ell)}$, and the publicly known polynomials $w_i^{(\ell)}(x) = (f_\ell(x) - H_\ell(s_i(x))) \pmod{m_i(x)}$ for $i \in \mathcal{A}^{(\ell)}$, participants of $\mathcal{A}^{(\ell)}$ compute

$$s_i^{(\ell)}(x) = \begin{cases} H_\ell(s_i(x)) + w_i^{(\ell)}(x), & \text{if } \ell \in [m-1],\ i \in \mathcal{A}^{(\ell)} \subseteq [N_\ell], \\ H_m(s_i(x)) + w_i^{(m)}(x), & \text{if } \ell = m,\ i \in \mathcal{A}^{(\ell)} \cap [N_{m-1}], \\ s_i(x), & \text{if } \ell = m,\ i \in \mathcal{A}^{(\ell)} \cap [N_{m-1} + 1, N_m], \end{cases}$$

for $i \in \mathcal{A}^{(\ell)}$, and get the system of congruences

$$\begin{cases} f_\ell(x) \equiv s_{i_1}^{(\ell)}(x) \pmod{m_{i_1}(x)}, \\ f_\ell(x) \equiv s_{i_2}^{(\ell)}(x) \pmod{m_{i_2}(x)}, \\ \quad \vdots \\ f_\ell(x) \equiv s_{i_{|\mathcal{A}^{(\ell)}|}}^{(\ell)}(x) \pmod{m_{i_{|\mathcal{A}^{(\ell)}|}}(x)}. \end{cases}$$

Based on the CRT for polynomial ring in Lemma 1, it holds that

$$f_\ell(x) \equiv \sum_{i \in \mathcal{A}^{(\ell)}} \lambda_{i,\mathcal{A}^{(\ell)}}(x)\, M_{i,\mathcal{A}^{(\ell)}}(x)\, s_i^{(\ell)}(x) \pmod{M_{\mathcal{A}^{(\ell)}}(x)},$$

where $M_{\mathcal{A}^{(\ell)}}(x) = \prod_{i \in \mathcal{A}^{(\ell)}} m_i(x)$, $M_{i,\mathcal{A}^{(\ell)}}(x) = M_{\mathcal{A}^{(\ell)}}(x)/m_i(x)$ and $\lambda_{i,\mathcal{A}^{(\ell)}}(x) \equiv M_{i,\mathcal{A}^{(\ell)}}^{-1}(x) \pmod{m_i(x)}$. Since $d_0 \le d_1 \le d_2 \le \cdots \le d_n$, $s(x) \in \mathcal{S}$, $\alpha_\ell(x) \in \mathcal{G}_\ell$, and $f_\ell(x) = s(x) + \alpha_\ell(x) x^{d_0}$ for $\ell \in [m]$, the degree of the polynomial $f_\ell(x)$ satisfies

$$\deg(f_\ell(x)) < \sum_{i=1}^{t_\ell} d_i \le \sum_{i \in \mathcal{A}^{(\ell)}} d_i,$$

where $|\mathcal{A}^{(\ell)}| \ge t_\ell$. From the CRT for polynomial ring in Lemma 1, it holds that

$$f_\ell(x) = \sum_{i \in \mathcal{A}^{(\ell)}} \lambda_{i,\mathcal{A}^{(\ell)}}(x)\, M_{i,\mathcal{A}^{(\ell)}}(x)\, s_i^{(\ell)}(x) \pmod{M_{\mathcal{A}^{(\ell)}}(x)},$$

and the secret $s(x) = f_\ell(x) \pmod{m_0(x)}$.

Now we will prove the asymptotic perfectness of our scheme. Recall that $f_\ell(x) = s(x) + \alpha_\ell(x) x^{d_0}$ for $\ell \in [m]$, where $s(x) \in \mathcal{S} = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < d_0\}$ and $\alpha_\ell(x) \in \mathcal{G}_\ell = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < (\sum_{i=1}^{t_\ell} d_i) - d_0\}$.
As a result, the polynomial $f_\ell(x)$ is random and uniform in $\{f_\ell(x) \in \mathbb{F}_p[x] : \deg(f_\ell(x)) < \sum_{i=1}^{t_\ell} d_i\}$ when $s(x) \in \mathcal{S}$ and $\alpha_\ell(x) \in \mathcal{G}_\ell$ are random and uniform.

Assume that the subset $\mathcal{B} \subset \mathcal{P}$ is an unauthorized subset. Therefore,

$$\mathcal{B} \notin \Big\{\mathcal{A} \subseteq \mathcal{P} : \exists\, \ell \in [m] \text{ such that } \Big|\mathcal{A} \cap \Big(\bigcup_{w=1}^{\ell} \mathcal{P}_w\Big)\Big| \ge t_\ell \Big\},$$

namely, $|\mathcal{B} \cap (\cup_{w=1}^{\ell} \mathcal{P}_w)| < t_\ell$ for all $\ell \in [m]$. Participants of $\mathcal{B}$ know their shares, the upper bounds of the degrees of $f_\ell(x) \in \mathbb{F}_p[x]$, $\ell \in [m]$, and all publicly known polynomials and one-way hash functions. Namely, the dealer will guess the secret by first selecting $(g_1(x), g_2(x), \dots, g_m(x)) \in (\mathbb{F}_p[x])^m$ satisfying the following five conditions, and then computing $g_m(x) \pmod{m_0(x)}$.

(i) For all $\ell \in [m]$, it holds that $\deg(g_\ell(x)) < \sum_{i=1}^{t_\ell} d_i$.

(ii) $g_1(x) \equiv g_2(x) \equiv \cdots \equiv g_m(x) \pmod{m_0(x)}$.

(iii) It holds that $g_\ell(x) \equiv (w_i^{(\ell)}(x) + H_\ell(s_i(x))) \pmod{m_i(x)}$ for all $\ell \in [m-1]$, $i \in \mathcal{B} \cap [N_\ell]$, and $g_m(x) \equiv (w_i^{(m)}(x) + H_m(s_i(x))) \pmod{m_i(x)}$ for all $i \in \mathcal{B} \cap [N_{m-1}]$. Namely,

$$\begin{cases} g_1(x) \equiv (w_i^{(1)}(x) + H_1(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_1], \\ g_2(x) \equiv (w_i^{(2)}(x) + H_2(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_2], \\ \quad \vdots \\ g_{m-1}(x) \equiv (w_i^{(m-1)}(x) + H_{m-1}(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}], \\ g_m(x) \equiv (w_i^{(m)}(x) + H_m(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}]. \end{cases}$$

(iv) For $i \in \mathcal{B} \cap [N_{m-1} + 1, N_m]$, it holds that $g_m(x) \equiv s_i(x) \pmod{m_i(x)}$.

(v) For any given $i \in [N_{m-1}]$ and $i \notin \mathcal{B}$, there is a level $\mathcal{P}_{\ell_1}$ such that $i \in \mathcal{P}_{\ell_1}$. There is a polynomial $\tilde{s}_i(x) \in \mathbb{F}_p[x]$ such that $\deg(\tilde{s}_i(x)) < d_i$, and

$$H_\ell(\tilde{s}_i(x)) = (g_\ell(x) - w_i^{(\ell)}(x)) \pmod{m_i(x)} \quad \text{for all } \ell \in [\ell_1, m].$$
Note that the conditions (iii) and (v) are used to make the polynomials $g_1(x), g_2(x), \dots, g_m(x)$ satisfy publicly known polynomials $w_i^{(\ell)}(x)$.

Lemma 2. Let $V_{\mathcal{B}}$ and $V'_{\mathcal{B}}$ be the conditions (i) to (v) and (i) to (iv), respectively. For all $\epsilon_1 > 0$, there is a positive integer $\sigma_1$ such that for all $|\mathcal{S}| = p^{d_0} > \sigma_1$, it has that

$$0 < H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}}) - H(\mathbf{S} \mid \mathbf{V}_{\mathcal{B}}) < \epsilon_1,$$

where $\mathbf{V}_{\mathcal{B}}$ and $\mathbf{V}'_{\mathcal{B}}$ are random variables corresponding to $V_{\mathcal{B}}$ and $V'_{\mathcal{B}}$, respectively.

Proof. Recall that the shares $s_i(x)$, $i \in [N_{m-1}]$ are randomly selected by the dealer and functions $h_\ell(\cdot)$, $\ell \in [m]$ are distinct one-way hash functions. This shows that the condition (v) can eliminate a group of polynomials $(g_1(x), g_2(x), \dots, g_m(x)) \in (\mathbb{F}_p[x])^m$ with a negligible probability when $|\mathcal{S}|$ is big enough. Therefore, $H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}}) - H(\mathbf{S} \mid \mathbf{V}_{\mathcal{B}})$ is negligible when $|\mathcal{S}|$ is big enough. This gives the proof.

Denote by

$$\mathcal{F} = \{(g_1(x), g_2(x), \dots, g_m(x)) \in (\mathbb{F}_p[x])^m : \text{the conditions (i) to (iv) are satisfied}\}. \tag{1}$$

For any given $s(x) \in \mathcal{S}$, we will compute how many possible $(g_1(x), g_2(x), \dots, g_m(x)) \in \mathcal{F}$ such that $s(x) = g_m(x) \pmod{m_0(x)}$ in Lemma 3. After that, we will determine the cardinality of $\mathcal{F}$ in Lemma 4. Based on Lemmas 2, 3 and 4, we determine the conditional entropy $H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}})$ and give the proof of the asymptotic perfectness of our scheme in Theorem 2.

Lemma 3. Define the mapping $\Phi$ by

$$\Phi : \mathcal{F} \mapsto \mathcal{S}, \quad (g_1(x), g_2(x), \dots, g_m(x)) \mapsto g_m(x) \pmod{m_0(x)}.$$

For any $s(x) \in \mathcal{S}$, let

$$\Phi^{-1}(s(x)) = \{(g_1(x), g_2(x), \dots, g_m(x)) \in \mathcal{F} : g_m(x) \equiv s(x) \pmod{m_0(x)}\},$$

then the cardinality of the set $\Phi^{-1}(s(x))$ is $|\Phi^{-1}(s(x))| = p^{\theta}$, where

$$\theta = \sum_{\ell=1}^{m} \Big(\sum_{i=1}^{t_\ell} d_i - \sum_{i \in \mathcal{B} \cap [N_\ell]} d_i - d_0\Big) \ge 0.$$

Proof. For any $s(x) \in \mathcal{S}$, and $(g_1(x), g_2(x), \dots, g_m(x)) \in \Phi^{-1}(s(x))$, it holds that

$$\begin{cases} g_1(x) \equiv g_2(x) \equiv \cdots \equiv g_m(x) \equiv s(x) \pmod{m_0(x)}, \\ g_1(x) \equiv (w_i^{(1)}(x) + H_1(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_1], \\ g_2(x) \equiv (w_i^{(2)}(x) + H_2(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_2], \\ \quad \vdots \\ g_{m-1}(x) \equiv (w_i^{(m-1)}(x) + H_{m-1}(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}], \\ g_m(x) \equiv (w_i^{(m)}(x) + H_m(s_i(x))) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}], \\ g_m(x) \equiv s_i(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1} + 1, n]. \end{cases}$$

Namely,

$$\begin{cases} g_1(x) \equiv g_2(x) \equiv \cdots \equiv g_m(x) \equiv s(x) \pmod{m_0(x)}, \\ g_1(x) \equiv s_i^{(1)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_1], \\ g_2(x) \equiv s_i^{(2)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_2], \\ \quad \vdots \\ g_{m-1}(x) \equiv s_i^{(m-1)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}], \\ g_m(x) \equiv s_i^{(m)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_m], \end{cases}$$

where

$$s_i^{(\ell)}(x) = \begin{cases} H_\ell(s_i(x)) + w_i^{(\ell)}(x), & \text{if } \ell \in [m-1],\ i \in \mathcal{B} \cap [N_\ell], \\ H_m(s_i(x)) + w_i^{(m)}(x), & \text{if } \ell = m,\ i \in \mathcal{B} \cap [N_{m-1}], \\ s_i(x), & \text{if } \ell = m,\ i \in \mathcal{B} \cap [N_{m-1} + 1, N_m]. \end{cases}$$

From Lemma 1 it holds that

$$g_\ell(x) \equiv \sum_{i \in \widetilde{\mathcal{B}}^{(\ell)}} \lambda_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x)\, M_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x)\, s_i^{(\ell)}(x) \pmod{M_{\widetilde{\mathcal{B}}^{(\ell)}}(x)},$$

for $\ell \in [m]$, where $\widetilde{\mathcal{B}}^{(\ell)} = \{0\} \cup (\mathcal{B} \cap [N_\ell])$, $s_0^{(\ell)}(x) = s(x)$, $M_{\widetilde{\mathcal{B}}^{(\ell)}}(x) = \prod_{i \in \widetilde{\mathcal{B}}^{(\ell)}} m_i(x)$, $M_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x) = M_{\widetilde{\mathcal{B}}^{(\ell)}}(x)/m_i(x)$, and $\lambda_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x) \equiv M_{i,\widetilde{\mathcal{B}}^{(\ell)}}^{-1}(x) \pmod{m_i(x)}$. Denote by

$$g_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x) = \sum_{i \in \widetilde{\mathcal{B}}^{(\ell)}} \lambda_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x)\, M_{i,\widetilde{\mathcal{B}}^{(\ell)}}(x)\, s_i^{(\ell)}(x) \pmod{M_{\widetilde{\mathcal{B}}^{(\ell)}}(x)},$$

then

$$\deg(g_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)) < \deg(M_{\widetilde{\mathcal{B}}^{(\ell)}}(x)) = \sum_{i \in \widetilde{\mathcal{B}}^{(\ell)}} d_i,$$

and

$$g_\ell(x) \equiv g_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x) \pmod{M_{\widetilde{\mathcal{B}}^{(\ell)}}(x)}. \tag{2}$$

Therefore, there is a polynomial $k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x) \in \mathbb{F}_p[x]$ such that

$$g_\ell(x) = g_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x) + k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)\, M_{\widetilde{\mathcal{B}}^{(\ell)}}(x).$$

On the one hand, it holds that $\deg(g_\ell(x)) < \sum_{i=1}^{t_\ell} d_i$ from the definition of $\mathcal{F}$ in Expression (1). Since $\deg(g_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)) < \deg(M_{\widetilde{\mathcal{B}}^{(\ell)}}(x))$, we get that

$$\deg(k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)) < \sum_{i=1}^{t_\ell} d_i - \sum_{i \in \widetilde{\mathcal{B}}^{(\ell)}} d_i. \tag{3}$$

This implies that there are $p^{\theta_\ell}$ different choices for $k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)$, where

$$\theta_\ell = \sum_{i=1}^{t_\ell} d_i - \sum_{i \in \widetilde{\mathcal{B}}^{(\ell)}} d_i = \sum_{i=1}^{t_\ell} d_i - \sum_{i \in \mathcal{B} \cap [N_\ell]} d_i - d_0 \ge 0.$$

On the other hand, different choices for $k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x) \in \mathbb{F}_p[x]$ with $\deg(k_{\ell,\widetilde{\mathcal{B}}^{(\ell)}}(x)) < \theta_\ell$ correspond to different $g_\ell(x) \in \mathbb{F}_p[x]$ satisfying $\deg(g_\ell(x)) < \sum_{i=1}^{t_\ell} d_i$ and Expression (2), i.e., $(g_1(x), g_2(x), \dots, g_m(x)) \in \mathcal{F}$. Consequently, the cardinality of $\Phi^{-1}(s(x))$ is

$$|\Phi^{-1}(s(x))| = \prod_{\ell=1}^{m} p^{\theta_\ell} = p^{\sum_{\ell=1}^{m} \theta_\ell} = p^{\theta},$$

where $\theta = \sum_{\ell=1}^{m} \Big(\sum_{i=1}^{t_\ell} d_i - \sum_{i \in \mathcal{B} \cap [N_\ell]} d_i - d_0\Big) \ge 0$.

Lemma 4. The cardinality of $\mathcal{F}$ is $|\mathcal{F}| = p^{\theta + d_0}$.

Proof. From the proof of Lemma 3, we get that for any $(g_1(x), g_2(x), \dots, g_m(x)) \in \mathcal{F}$, the following system of congruences is satisfied.

$$\begin{cases} g_1(x) \equiv g_2(x) \equiv \cdots \equiv g_m(x) \pmod{m_0(x)}, \\ g_1(x) \equiv s_i^{(1)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_1], \\ g_2(x) \equiv s_i^{(2)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_2], \\ \quad \vdots \\ g_{m-1}(x) \equiv s_i^{(m-1)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_{m-1}], \\ g_m(x) \equiv s_i^{(m)}(x) \pmod{m_i(x)} & \text{for all } i \in \mathcal{B} \cap [N_m], \end{cases}$$

where

$$s_i^{(\ell)}(x) = \begin{cases} H_\ell(s_i(x)) + w_i^{(\ell)}(x), & \text{if } \ell \in [m-1],\ i \in \mathcal{B} \cap [N_\ell], \\ H_m(s_i(x)) + w_i^{(m)}(x), & \text{if } \ell = m,\ i \in \mathcal{B} \cap [N_{m-1}], \\ s_i(x), & \text{if } \ell = m,\ i \in \mathcal{B} \cap [N_{m-1} + 1, N_m]. \end{cases}$$

Assume that $s(x) \in \mathcal{S} = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < d_0\}$.
From Lemma 3, there are exactly $p^{\theta}$ different choices for $(g_1(x), g_2(x), \ldots, g_m(x)) \in \mathcal{F}$ such that

$$
g_1(x) \equiv g_2(x) \equiv \cdots \equiv g_m(x) \equiv s(x) \pmod{m_0(x)}.
$$

Moreover, different $s(x) \in \mathcal{S}$ correspond to different $(g_1(x), g_2(x), \ldots, g_m(x)) \in \mathcal{F}$. Since the cardinality of $\mathcal{S}$ is $p^{d_0}$, the cardinality of $\mathcal{F}$ is $|\mathcal{F}| = p^{d_0} \cdot p^{\theta} = p^{\theta + d_0}$.

Theorem 2 (Asymptotic perfectness). Our scheme is asymptotically perfect.

Proof. For any $s(x) \in \mathcal{S}$ and $\mathcal{B} \notin \Gamma$, by Lemmas 4 and 3 we get the conditional probability

$$
\Pr\big(\mathbf{S} = s(x) \mid \mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big) = \frac{|\Phi^{-1}(s(x))|}{|\mathcal{F}|} = \frac{p^{\theta}}{p^{\theta + d_0}} = \frac{1}{p^{d_0}}.
$$

Therefore,

$$
\begin{aligned}
H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}})
&= -\sum_{\mathcal{B} \subset [n],\, \mathcal{B} \notin \Gamma}\ \sum_{s(x) \in \mathcal{S}} \Pr\big(\mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big) \Pr\big(\mathbf{S} = s(x) \mid \mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big) \log_2 \Pr\big(\mathbf{S} = s(x) \mid \mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big)\\
&= \sum_{\mathcal{B} \subset [n],\, \mathcal{B} \notin \Gamma}\ \sum_{s(x) \in \mathcal{S}} \Pr\big(\mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big) \frac{1}{p^{d_0}} \log_2 p^{d_0}\\
&= \sum_{\mathcal{B} \subset [n],\, \mathcal{B} \notin \Gamma} \Pr\big(\mathbf{V}'_{\mathcal{B}} = V'_{\mathcal{B}}\big) \log_2 p^{d_0}\\
&= \log_2 p^{d_0}.
\end{aligned}
$$

Moreover, the secret in our scheme is random and uniform, which means that $H(\mathbf{S}) = \log_2 |\mathcal{S}| = \log_2 p^{d_0} = H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}})$ for any $\mathcal{B} \notin \Gamma$. According to Lemma 2, for all $\epsilon_1 > 0$, there is a positive integer $\sigma_1$ such that for all $|\mathcal{S}| = p^{d_0} > \sigma_1$, it holds that

$$
0 < H(\mathbf{S}) - H(\mathbf{S} \mid \mathbf{V}_{\mathcal{B}}) = H(\mathbf{S} \mid \mathbf{V}'_{\mathcal{B}}) - H(\mathbf{S} \mid \mathbf{V}_{\mathcal{B}}) < \epsilon_1.
$$

As a result, our scheme is asymptotically perfect by Definition 4.

Theorem 3. Let $\mathcal{P}$ be a set of $n$ participants, partitioned into $m$ disjoint subsets $\mathcal{P}_1, \mathcal{P}_2, \ldots, \mathcal{P}_m$. For a threshold sequence $t_1, t_2, \ldots, t_m$ such that $1 \leq t_1 < t_2 < \cdots < t_m \leq n$ and $t_\ell \leq |\mathcal{P}_\ell|$ for $\ell \in [m]$, our scheme is a secure and asymptotically perfect DHSS scheme. Furthermore, our scheme is an asymptotically ideal DHSS scheme with an information rate one when $d_0 = d_1 = \cdots = d_n$.

Proof. According to Definition 3, Theorem 1 and Theorem 2, we get that our scheme is a secure and asymptotically perfect DHSS scheme.
Moreover, it is known that

$$
s_i(x) =
\begin{cases}
c_i(x), & \text{if } i \in [N_{m-1}],\\
f_m(x) \pmod{m_i(x)}, & \text{if } i \in [N_{m-1}+1, N_m],
\end{cases}
$$

where $c_i(x) = c_{i,0} + c_{i,1}x + \cdots + c_{i,d_i-1}x^{d_i-1} \in \mathbb{F}_p[x]$ for $i \in [N_{m-1}]$, $f_m(x) = s(x) + \alpha_m(x)\, x^{d_0}$, and $\alpha_m(x) \in \mathcal{G}_m = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < (\sum_{i=1}^{t_m} d_i) - d_0\}$. When $d_0 = d_1 = \cdots = d_n$, it is easy to check that every share space is the same as the secret space $\mathcal{S} = \{g(x) \in \mathbb{F}_p[x] : \deg(g(x)) < d_0\}$, which implies that the information rate is $\rho = 1$. According to Definition 4, our scheme is an asymptotically ideal DHSS scheme with an information rate one when $d_0 = d_1 = \cdots = d_n$.

Compared with the unconditionally secure and ideal DHSS schemes of [4, 5, 6], our scheme is a computationally secure and asymptotically ideal DHSS scheme, but it permits distinct share sizes among participants. Specifically, let $d_0 = d_1 = \cdots = d_n$; then our scheme's share size is $d_0 \log_2 p$ bits for $d_0 \geq 1$ and $p > n$, which is smaller than that of [4, 5, 6] (see Table 1). Compared with the DHSS schemes of [7, 8, 9, 10], our scheme is secure and asymptotically ideal at the same time.

5 Conclusion

In this work, we give an attack method on the ideal DHSS scheme of Yang et al. [10] and the asymptotically ideal DHSS scheme of Tiplea et al. [9]. We further propose a novel asymptotically ideal DHSS scheme. Compared with previous CRT-based DHSS schemes, our scheme is a secure and asymptotically ideal DHSS scheme with an information rate one. How to reduce the number of public values is our future work.

References

[1] A. Shamir, How to share a secret, Communications of the ACM, vol.22, no.11, pp.612-613, 1979.

[2] G. R. Blakley, Safeguarding cryptographic keys, in: 1979 International Workshop on Managing Requirements Knowledge, MARK, New York, NY, USA, pp.313-318. IEEE, 1979.

[3] G. J. Simmons, How to (really) share a secret, in: Advances in Cryptology-Crypto'88, Santa Barbara, California, USA. Lecture Notes in Computer Science, vol.403, pp.390-448. Springer, 1988.

[4] E. F. Brickell, Some ideal secret sharing schemes, in: Advances in Cryptology-Eurocrypt'89, Houthalen, Belgium. Lecture Notes in Computer Science, vol.434, pp.468-475. Springer, 1989.

[5] T. Tassa, Hierarchical threshold secret sharing, Journal of Cryptology, vol.20, no.2, pp.237-264, 2007.

[6] Q. Chen, C. Tang, and Z. Lin, Efficient explicit constructions of multipartite secret sharing schemes, IEEE Transactions on Information Theory, vol.68, no.1, pp.601-631, 2022.

[7] L. Harn and F. Miao, Multilevel threshold secret sharing based on the Chinese remainder theorem, Information Processing Letters, vol.114, no.9, pp.504-509, 2014.

[8] O. Ersoy, K. Kaya, and K. Kaskaloglu, Multilevel Threshold Secret and Function Sharing based on the Chinese Remainder Theorem, arXiv: 1605.07988, h

[9] F. L. Tiplea and C. C. Dragan, Asymptotically ideal Chinese remainder theorem-based secret sharing schemes for multilevel and compartmented access structures, IET Information Security, vol.15, no.4, pp.282-296, 2021.

[10] J. Yang, S.-T. Xia, X. Wang, J. Yuan, and F.-W. Fu, A perfect ideal hierarchical secret sharing scheme based on the CRT for Polynomial Rings, in: 2024 IEEE International Symposium on Information Theory (ISIT), Athens, Greece, pp.321-326. IEEE, 2024.

[11] Y. Ning, F. Miao, W. Huang, K. Meng, Y. Xiong, and X. Wang, Constructing ideal secret sharing schemes based on Chinese Remainder Theorem, in: Advances in Cryptology - ASIACRYPT 2018, Brisbane, QLD, Australia. Lecture Notes in Computer Science, vol.11274, pp.310-331. Springer, 2018.

[12] J. Ding, P. Ke, C. Lin, and H. Wang, Ramp scheme based on CRT for polynomial ring over finite field, Journal of Systems Science and Complexity, vol.36, no.1, pp.129-150, 2023.

[13] R. C. Merkle, One way hash functions and DES, in: Advances in Cryptology-CRYPTO'89, LNCS 435, pp.428-466, 1985.

[14] M. Quisquater, B. Preneel, and J. Vandewalle, On the security of the threshold scheme based on the Chinese remainder theorem, in: Public Key Cryptography, PKC 2002. Lecture Notes in Computer Science, vol.2274, pp.199-210. Springer, Berlin, Heidelberg, 2002.
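A numerical check of the counting argument in Lemmas 3 and 4 and of the probability used in Theorem 2, added here as an illustration and not taken from the paper. It brute-forces a single level over $\mathbb{F}_3$ with constructed toy moduli $m_0(x) = x$ and $m_1(x) = x^2 + 1$, degree bound 4 and one unauthorized share, treating the level's residue $s^{(\ell)}_1(x)$ as given (the hash and public-value terms are not modelled); all names and parameters are assumptions.

```python
from fractions import Fraction
from itertools import product

P = 3                # field size p (constructed toy value)
M0 = (0, 1)          # m_0(x) = x,       d_0 = 1 (coefficients low-to-high)
M1 = (1, 0, 1)       # m_1(x) = x^2 + 1, d_1 = 2, coprime to m_0 over F_3
BOUND = 4            # deg g < sum_{i=1}^{t} d_i, here t = 2 and d_1 = d_2 = 2

def poly_mod(a, m, p=P):
    """Remainder of a(x) modulo the monic polynomial m(x) over F_p."""
    dm = len(m) - 1
    a = [c % p for c in a] + [0] * dm          # pad so the slice below is full
    for k in range(len(a) - 1, dm - 1, -1):    # cancel x^k for k >= deg m
        c = a[k]
        for j in range(dm + 1):
            a[k - dm + j] = (a[k - dm + j] - c * m[j]) % p
    return tuple(a[:dm])

def consistent(residues, bound=BOUND, p=P):
    """Every g with deg g < bound and g = r (mod m) for each pair (m, r)."""
    return [g for g in product(range(p), repeat=bound)
            if all(poly_mod(g, m, p) == poly_mod(r, m, p) for m, r in residues)]

def preimage_sizes(share):
    """|Phi^{-1}(s)| for each secret s, given the share residue mod m_1."""
    return {s: len(consistent([(M0, (s,)), (M1, share)])) for s in range(P)}

def candidates(share):
    """|F|: polynomials that agree with the known share and nothing else."""
    return len(consistent([(M1, share)]))

def posterior(share):
    """Pr(S = s | share) = |Phi^{-1}(s)| / |F|, as in the proof of Theorem 2."""
    total = candidates(share)
    return {s: Fraction(n, total) for s, n in preimage_sizes(share).items()}

if __name__ == "__main__":
    share = (2, 1)   # constructed residue s_1(x) = 2 + x
    print(preimage_sizes(share), candidates(share), posterior(share))
```

Here $\theta = 4 - (d_0 + d_1) = 1$, so every secret has $p^{\theta} = 3$ preimages out of $p^{\theta + d_0} = 9$ candidates, and the posterior is uniform at $1/p^{d_0}$ for every possible share.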