“Every Dog Has His Day”: Competitive-Evolving-Committee Proactive Secret Sharing With Capability-Based Encryption

This article proposes a competitive-evolving-committee proactive secret sharing scheme. Every participant in the system has the opportunity to become a member of the holding committee and enjoys sufficient anonymity. During their term as holding committee members, they send only one message in the protocol, without excessive interaction, and achieve receiver strong anonymity through a capability-based encryption scheme, named RiddleEncryption, that differs from most public-key encryption schemes and is also proposed in this paper. In RiddleEncryption the sender does not need to know the specific identity of the receiver but instead specifies what kind of capability the receiver should have, and nobody can determine who has this capability when the system is established. This article aims at depositing a secret in a distributed manner (e.g., on a blockchain) without excessive trust, with emphasis on anonymity and capability. The scheme can be used for dynamic groups, authentication management, prevention of rights abuse, and so on.


INTRODUCTION
Distributed systems pursue more rights for each node in the system. The supernodes that appear in some distributed-system applications, such as a trusted third party, run contrary to the original intention of a distributed system: they may cause excessive trust, introduce a single point of failure, and can be tracked.
Consider a scenario in which a temporary group must be formed to do some downstream work, depending on the capability of the group members. How can such dynamic groups be formed quickly? Generally, an authority designates the members, or one recruits members already known in the real world. But this may cause excessive trust, or miss someone who does have the required capability. It would be more secure and ideal if everyone had the opportunity to compete for group membership, which also relieves the burden on any single party. This article designs a scheme with the intention of depositing a secret (which can be regarded as the downstream work requirement) in a distributed manner (e.g., on a blockchain) without excessive trust, pursuing more anonymity and fairness. Firstly, every node has the opportunity to become a group member, and the group is not permanent: it changes in the next round. Secondly, nobody would want a single node to handle the downstream work, because of the single point of failure. So this article considers a group of participants, also called the holding committee members, each holding one part of the secret (which can be regarded as the symbol of their capability); put together, the parts give the global secret. To resist collusion attacks, the holding committee members should not know who the other holding committee members are while they hold their part of the secret. Moreover, they send only one message when something needs to be done in a distributed manner (for instance, when the center generates certificates for users; in this scheme, center members only generate certificates in a distributed manner, and the master private key is never reconstructed). At the same time, from the attacker's perspective, the current holding committee members are unknown, so attacks such as DDoS (Distributed Denial of Service) cannot be launched against them.
To form a dynamic committee, this article uses SS (Secret Sharing): the members of the previous round send their shares to the holding committee members of the next round. However, as soon as a node sends a message, its identity is exposed and it risks attacks such as DDoS. Hence the node must complete the secret transmission in that single message, and the sender needs to know in advance the size of the next round's holding committee and who its members are. Nevertheless, to ensure anonymity, the sender cannot know who they are in advance. So two problems need to be considered: 1) How to determine the size of the next round's holding committee, to which the secret is re-shared? 2) How to re-share the secret to the next round's holding committee members without knowing each other's identity?
For the first problem, this article modifies the random number generation protocol of Ouroboros (Kiayias et al., 2017), so that the number of holding committee members is determined jointly by all participants in the system. For the second problem, the sender needs to know the public keys of the next round's holding committee members, but these public keys must not be mappable to any receiver, as they are in ordinary public-key encryption schemes, because an adversary could follow the public key to the node of the specific receiver and then launch a DDoS attack. So this article proposes a capability-based encryption scheme named RiddleEncryption. The scheme resembles guessing a riddle: the public key acts as the clue, and the private key acts as the answer. All participants can take part in guessing the riddle, and whoever guesses the private key correctly becomes a holding committee member in the next round. Of course, this involves solving a difficult problem, and the specific parameter settings balance feasibility and security. In this way, the sender only needs to know what capability the receiver should have, without identifying a specific person at all.
Moreover, this article uses RiddleEncryption to construct the Competitive-Evolving-Committee Proactive Secret Sharing scheme, in which the "authority" is obtained by oneself (by solving difficult problems in a limited setting) rather than granted in advance by a higher-level party. Therefore everyone in the system has the opportunity to become a holding committee member through their capability, which is to say, "Every dog has his day."

Background and Motivation
This subsection compares the strengths and limitations of various popular SS schemes, illustrates the problems of existing schemes through applications that can benefit from SS, and explains the motivation for using RiddleEncryption to construct our secret sharing scheme.
SS schemes can be broadly classified into three categories: basic SS, roles rights limitation SS, and techniques-based SS. Basic SS can be further subdivided according to the features of the shares, and roles rights limitation SS according to the roles' abilities; for techniques-based SS, the authors list the studies with some similarity to this one for comparison. The specific type, rationale overview, strengths, limitations, and references of the involved methods are shown in Table 1.
Basic SS has the advantage of simple operation and can meet the long-term preservation of secret information in a relatively secure environment. For example, in preserving sensitive bank information, the authority segregates the intranet from the extranet in multiple layers and the number of users is huge, so basic SS suits a bank's balance of confidentiality and efficiency. But for sensitive business that requires multi-agency networking, basic SS is somewhat lacking; examples include trusted voting systems and medical services. In a voting system there are multiple attacks by adversaries, and relative fairness and security must be achieved in a specific scenario, so the abilities of roles are limited and roles rights limitation SS can be used as needed. Some difficult medical conditions require consultation with multiple specialists, but patient information is very sensitive in that scenario, so the need for SS technology is more urgent there. Various technique-based SS schemes are designed for different scenarios, mainly focusing on the recovery of a target key (holding the target key allows recovering the secret information).
In summary, most existing SS schemes require a trusted third party, and the participants are designated in advance over some trusted channel. However, in areas such as medical information, federated learning, and probate security, the presence of a third party may lead to the disclosure of sensitive information, and the advance designation of participants may lead to attacks such as DDoS, especially in probate security. While existing schemes that do not require trusted third parties have achieved some success, problems remain: trusted centers may be involved in the reconstruction or validation phase, leading to information leakage (Pedersen, 1991); participants may be maliciously spoofed or attacked (W. & L., 2003); or the trusted centers themselves have security risks (Kaya & Selçuk, 2008). Therefore, approaches that need neither trusted third parties nor trusted channels require further research. Starting from the assumption that no trusted third party is required, this paper further removes the assumption of a trusted channel, and to that end introduces the idea of RiddleEncryption to construct the SS scheme.

Related Work
Secret sharing was proposed independently by Shamir (Shamir, 1979) and Blakley (Blakley, 1979) in 1979. It splits confidential information among different participants so that the secret can be reconstructed once a threshold number of participants cooperate. The authors broadly classify SS schemes into three categories, as shown in Table 1.
Early SS schemes were mainly basic SS, classified by share features: static (Asmuth C, 1983; Shamir, 1979), weighted (Tassa, 2007), and changeable shares (Blundo et al., 1996; A. Herzberg, 1997). This classification rests on the idea that participants in different roles have different status, and thus hold different amounts of confidential information. As scenarios expanded, such as missiles and satellites, the amount of confidential information to be shared grew, so schemes can also be divided by the number of secrets shared into single (Asmuth C, 1983; Shamir, 1979) and multiple secrets (He & Dawson, 1994; Lin & Harn, 2012). As SS is used over a long time, secrets become prone to leakage, so members' shares need to be updated periodically to resist a mobile adversary; by the way the shares are updated, schemes divide into proactive (A. Herzberg et al., 1995; Ostrovsky & Yung, 1991) and dynamic SS (Blundo et al., 1996; Yuan & Li, 2019). However, this makes participant access difficult.
As SS empowers more businesses, limits are placed on the capabilities of participants in each granular domain to balance availability and security within the domain. Roles rights limitation SS can be further divided into computation power limitation (Sohrabi et al., 2020) and honesty limitation (Ogata et al., 2006). This type of SS applies to more limited scenarios, but achieves a high balance between usability and security in small scenarios.
Recently, various technique-based SS schemes have been devised as scenarios expanded further. For instance, approaches grounded in theory, such as the Lagrange interpolation polynomial principle (Tassa, 2007) and the Chinese Remainder Theorem (Asmuth C, 1983), have been proposed. To improve the practicality of SS (Al-Qurashi & Gutub, 2018), counting-based SS came into view. This method performs secret recovery by counting the number of ones in the shares (Al-Ghamdi et al., 2019; AlKhodaidi & Gutub, 2020; A. Gutub et al., 2019b; A. Gutub & Al-Qurashi, 2020; Adnan Gutub & Taghreed AlKhodaidi, 2020), which avoids complicated calculations and increases

Table 1. Comparison of SS schemes (recovered from a flattened extraction; cells that did not survive, including several type labels, are marked "-")

Type | Rationale overview | Strengths | Limitations
Single secret (Asmuth C, 1983; Shamir, 1979) | Only one secret shared. | Simple and secure. | Low efficiency when more confidential information.
Multiple secrets (He & Dawson, 1994; Lin & Harn, 2012) | More than or equal to one secret shared. | Multiple confidential information shared with efficiency. | Hard balance between security and computation.
Weighted shares (Tassa, 2007) | The amount of information carried by each share varies by role. | Distinguishability of role responsibilities. | -
- | - | Prevents leakage due to long-time storage. | Difficult access for participants and no protection against group cheating.
- | - | High improvement in efficiency and security level in small scenarios. | The scenario is too limited.
Honesty limitation (Ogata et al., 2006) | Honest participants can recover the secret, dishonest participants cannot. | High verifiability and security. | -
- | - | Simple and high fault tolerance. | Slow calculation speed with more participants.
- | - | Simple and practical. | Share limitation when high tolerance is needed.
Capability-based (Ours) | Select participants based on their capability to recover the secret, with no dealer. | High anonymity and prevents leakage due to long-time storage. | Protocol is complex, with a limitation of associated time.
With the emergence of scenarios such as medical data management, probate management, and federated learning, the demand for SS solutions without trusted third parties and without reliance on trusted channels has increased, while relevant SS research is still scarce. Dynamic PSS can alleviate the problem. Calypso (Kokoris-Kogias, 2018) uses threshold encryption to construct DPSS for key management and confidential information storage. Dfinity (Hanke et al., 2018) implements a randomness beacon in a dynamic committee, but the global secret needs to be updated in each round. However, in dynamic PSS the committee members are determined by external output, not by the protocol itself. Therefore, Benhamouda and Gentry et al. (Benhamouda, 2020, November) proposed an Evolving-Committee PSS (ECPSS) scheme in which the protocol itself determines the committee members. The above studies relax the assumption of trusted third parties or of trusted channels, but methods that meet both security needs simultaneously still need further research.

Contribution
Firstly, this article proposes Competitive-ECPSS (Competitive-Evolving-Committee Proactive Secret Sharing) and gives an instantiation. Our scheme uses just one type of committee, the holding committee. All participants can compete for holding committee membership by themselves, without passively waiting for a nominator to select them, which can significantly increase the participants' enthusiasm. Moreover, everyone takes part in determining, in a distributed manner, the number of holding committee members in the next round and the capabilities required of the receivers.
Capability rather than a specific identity is determined for the sake of anonymity: the adversary cannot infer the specific node from the capability in advance, so the node cannot be targeted by DDoS. Moreover, before sending a message, the members of the current round's holding committee do not know each other.
Secondly, to achieve the above goals, this article proposes a capability-based encryption scheme named RiddleEncryption and gives an instantiation that differs from existing public-key encryption schemes. In a traditional public-key encryption scheme, the corresponding node can be found from the public key, after which the adversary can launch a DDoS attack.
When one does not care who holds the public key but focuses on the capability of the receivers, one may think of time-lock puzzles and attribute-based encryption, but RiddleEncryption differs from both. Time-lock puzzles emphasize a "fixed period in the future", whereas this article emphasizes a "specific capability of the party". In attribute-based encryption, the public key is based on attributes specified in advance: some authority assigns each person's attributes when the system is established, and they are not earned through the participants' capability. In RiddleEncryption, by contrast, participants become receivers as long as they have the capability to solve difficult problems (like the discrete logarithm problem) in specific situations.

Organization
The rest of the article is structured as follows: Section 2 introduces some preliminaries. Section 3 introduces RiddleEncryption and its instantiation in detail. Section 4 introduces our Competitive-ECPSS and its instantiation in detail. Section 5 analyzes the correctness, complexity, parameter bounds, and security of the Competitive-ECPSS. Section 6 gives some applications of our scheme. Section 7 concludes the paper.

PRELIMINARIES
In this section, this article describes the background and definitions used in our scheme.

Broadcast
The only communication method used in our scheme is a broadcast channel (with authentication), which is public: both honest parties and adversaries participating in the protocol can read messages from and send messages to the channel. No delay is assumed. This article does not assume a secure channel or a sender-anonymous channel, because such an assumption would make anonymous transmission trivial to realize, whereas establishing such a channel is hard in practice. The adversary in our scheme is a mobile adversary, i.e., it can see the messages in the broadcast channel and corrupt any sender, or launch a DDoS attack once it knows the identity of a specific node. These assumptions are used in many proactive protocols; it is also assumed that all parties can securely erase their own state and secret information.

Secret Sharing
This article uses t-of-n secret sharing: a secret s is shared among n parties, and any t of the shares together reconstruct the secret. For the instantiation, this article uses the Shamir secret sharing scheme.
Definition 1. (Secret Sharing) On the message space, the t-of-n secret sharing scheme (Sh, Re) has the following two properties. Correctness: using the Sh algorithm to generate correct shares, any t of them can be used by the Re algorithm to reconstruct m, i.e., for all m in the message space and any participant set where λ is the security parameter; then the secret sharing is semantically secure.

Ouroboros in Our Scheme
Ouroboros (Kiayias et al., 2017) constructs a safe and efficient way to generate random numbers in a distributed manner in a blockchain environment. This article adapts Ouroboros to a general distributed system rather than a blockchain environment. The following is the protocol after transformation. Remark. This adaptation does not lead to insecurity, because Ouroboros has its own error correction capability and meets the above expectations. Moreover, the adversary cannot affect the number and parameters of the next round: in Ouroboros, if the adversary dislikes the chosen number and wants to abort, it is simply excluded from the game, without affecting the honest parties' execution of the protocol.

ElGamal Encryption
ElGamal encryption was proposed in 1984 by T. ElGamal, and this article uses it to instantiate RiddleEncryption and the CECPSS protocol.

Non-Interactive Zero-Knowledge Proofs
This article uses the standard definition of NIZK (Non-Interactive Zero-Knowledge Proofs) (Blum, 1988), with a common reference string.

OUR RIDDLEENCRYPTION SCHEME
In this section, this article proposes an encryption scheme based on the capability of the receiver. The framework of our RiddleEncryption scheme is shown in Figure 1.

Model and Definitions
A RiddleEncryption scheme (RE), built under some difficulty assumption t (like the discrete logarithm problem, CDH, etc.), is a quaternion of algorithms, as follows. Setup(λ, ω, t) → (pp, answer), where pp = clue and answer is kept secret. This is a randomized algorithm that takes a security parameter λ, the desired puzzle difficulty ω, and the time t allowed to solve the puzzle, which makes it possible to solve the puzzle within t under this difficulty (it is not always possible to find the answer to a difficult problem within t, but there is a certain probability that the answer can be computed). It produces public parameters pp consisting of an encryption key clue and a decryption key answer with clue = OWF.Eval(answer). OWF (one-way function) in Setup is a one-way function that satisfies t and ω. This article requires Setup to be polynomial-time in λ. By convention, the public parameters specify a plaintext space and a ciphertext space, and this article assumes that the plaintext space is efficiently sampleable. In GuessingRiddle, all participants can compete to become receivers. At this point, participants can verify whether they have obtained the correct answer (by comparison with clue) without interacting with the sender or a trusted third party. If the receiver needs to manipulate the plaintext further (for example, use it to issue a certificate to other users), it must generate a proof of knowledge of the answer to prove its capability. If the participant's only goal is to decrypt and obtain the plaintext, it need not prove its capability to anyone, but it can still privately verify that it has the capability specified by the sender (by comparing answer with clue).
In a RE, the adversary gains no advantage from access to a decryption oracle. Obviously, it satisfies IND-CPA (indistinguishability under chosen-plaintext attack) security within the difficulty ω and the time t.
A RE has correctness, soundness, and receiver strong anonymity.
Correctness and Soundness. For correctness, everyone who guesses the answer in GuessingRiddle must be able to correctly decrypt the ciphertext in the Dec stage. For soundness, it is necessary to ensure 1) if the ciphertext was not produced under clue in Enc, then even given the answer, Dec
Receiver Strong Anonymity. This article calls the security property needed for a RE scheme receiver strong anonymity. When encrypting, the sender does not encrypt for a specific person but for whoever has the capability to guess the riddle from clue within a specified time, so the sender does not know who the receiver is. The receiver, however, can determine whether it has found the answer to the riddle from clue, without interacting with the sender and thereby revealing its identity. That is to say, anyone with the capability to guess the answer can be a receiver, and there is only a negligible probability of determining the receiver's identity from clue in advance in order to launch a DDoS attack.
Assume that A controls n_Adv parties, and that there are n_total parties in the system, each of whom can guess the answer correctly with the same probability. This article defines the following game for an adversary A. Remark. Assume that A can calculate the answer corresponding to the clue in stage 0. A can then compare this answer with the n_Adv parties it controls; those holding this answer are receivers. However, apart from blindly guessing the identities of the wild parties (social engineering and other factors are not considered here), A has no other advantage in guessing their identities. The bound on the number of participants is defined precisely in the analysis part.
At the same time, there is the problem that some participants do not stop solving the difficult problem after time t. Although participants cannot be forced to stop trying to solve for m, the sender can update the plaintext sent after time t so that the original plaintext is no longer valuable: even if a participant finds the answer and decrypts the plaintext after time t, the plaintext is meaningless. The original secret can be invalidated by key management techniques such as secret revocation. This update mechanism is used in our Competitive-Evolving-Committee PSS, and the analysis of the update time t_update is also given in the analysis part.

Construction by ElGamal Encryption
In this section the authors use the ElGamal encryption scheme and NIZK to instantiate RiddleEncryption as RE_ElGamal.

[Construction of RE_ElGamal: only the identifiers Setup, t, answer, clue and poly survived extraction; the algorithm bodies are not recoverable here.]
For 1): Assume that A can find the answer (using the kangaroo algorithm or something else). Then 1) means that A already knew clue = g^x but obtained the inverse of g^{x'}, which implies that the inverse algorithm (like the kangaroo algorithm) fails to find the inverse with high probability. This contradicts the setting of the parameters (details in Analysis). It indicates that A has methods other than blind guessing to find information about receivers who have never sent relevant messages. Unless the receivers have sent relevant messages, A cannot obtain more relevant information, so this contradicts the scheme, in which a receiver sends only one message, after initialization and before receiving the secret. The bound on the number of participants is defined precisely in Analysis.

OUR COMPETITIVE-ECPSS SCHEME
This section uses the RiddleEncryption instantiated by the ElGamal encryption scheme, secret sharing, NIZK, and Ouroboros in our scheme to construct a Competitive-Evolving-Committee PSS scheme. The framework of the solution is shown in Figure 2.

Model and Definitions
This section proposes a secret sharing scheme in which holding members can be generated independently, without any other party nominating them, and which does not require centralized infrastructure such as a PKI. It is named Competitive-ECPSS (CECPSS).
Definition 7. A competitive-evolving-committee proactive secret sharing scheme consists of the following procedures:
Trusted Setup (optional). Provide the initial state for a universe of k_0 parties.
Sharing. Among an initial holding committee of size k_0, each member chooses a secret share, where th is the threshold and s is the global secret.
Committee-Competitive-Selection-Part1 (CCS-Part1). Determine, in a distributed way, the system parameters, which consist of the next round's holding committee members' public keys (which cannot be mapped to specific nodes) and the size of the next round's holding committee. This protocol runs among all participants in the system, whether they are holding committee members or not.
Reconstruction. Take more than th shares from the current holding committee and reconstruct the global secret s if necessary, depending on the application scenario of the protocol.

Construction
Now the authors put everything described above together to form the Competitive-Evolving-Committee PSS protocol (CECPSS) below.

ANALYSIS FOR OUR COMPETITIVE-ECPSS SCHEME
In this section, the authors give the correctness of the secret sharing in the Handover phase, and the complexity and security proof of the Competitive-Evolving-Committee PSS.

Correctness
The global secret can be recovered correctly by Lagrange interpolation. Let F_r be the polynomial that shares the global secret s, and let λ_i be the Lagrange coefficients for F_r, where 1 ≤ i ≤ K_r and K_r is the size of the holding committee in the r-th round.
Let G_i be the polynomial chosen by the i-th member of the r-th round holding committee for the (r+1)-th round committee members, and let μ_{i,j} be the Lagrange coefficients for G_i, where 1 ≤ j ≤ K_{r+1} and K_{r+1} is the size of the holding committee in the (r+1)-th round.
Then the global secret follows, where μ_{i,j} × λ_i are the Lagrange coefficients for the polynomial F_{r+1}, and correctness is proved.
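Added worked example of the Handover correctness argument above (not the paper's code): Shamir sharing over a constructed prime field, resharing from a round-r committee of size K_r to a round-(r+1) committee of a different size, and a check that Σ_j Σ_i λ_i μ_{i,j} G_i(j) returns s. The encryption of each G_i(j) under the receiver's clue is omitted, and all function names are assumptions.

```python
"""Handover of a Shamir-shared global secret between evolving committees.

Added illustration, not the paper's code.  The round r committee (size K_r)
holds F_r(i); each member i picks a fresh degree-(th-1) polynomial G_i with
G_i(0) = F_r(i) and sends G_i(j) to member j of the round r+1 committee (size
K_{r+1}, which may differ from K_r).  Member j forms
F_{r+1}(j) = sum_i lambda_i * G_i(j), so lambda_i * mu_{i,j} are the Lagrange
coefficients for F_{r+1} and any th new shares still give s.
"""
import secrets

Q = 2**61 - 1   # constructed prime field modulus


def _eval(poly, x):
    """Horner evaluation of poly (coefficients low to high) at x mod Q."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % Q
    return acc


def share(secret, n, th):
    """Sh: random degree-(th-1) polynomial with constant term secret; shares at x = 1..n."""
    poly = [secret % Q] + [secrets.randbelow(Q) for _ in range(th - 1)]
    return {i: _eval(poly, i) for i in range(1, n + 1)}


def lagrange_coeffs(xs):
    """Coefficients lambda_i with f(0) = sum_i lambda_i * f(x_i) for deg f < len(xs)."""
    coeffs = {}
    for i in xs:
        num = den = 1
        for j in xs:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        coeffs[i] = num * pow(den, -1, Q) % Q
    return coeffs


def reconstruct(shares, th):
    """Re: interpolate at 0 from the first th shares given."""
    pts = dict(list(shares.items())[:th])
    lam = lagrange_coeffs(list(pts))
    return sum(lam[i] * y for i, y in pts.items()) % Q


def handover(old_shares, th, k_next):
    """One Handover round, run by th members of the old committee.

    Returns (new_shares, messages): new_shares[j] = F_{r+1}(j) for the new
    committee 1..k_next, and messages[i][j] = G_i(j), the single value sender i
    must deliver to receiver j (in the paper, encrypted under j's clue)."""
    senders = dict(list(old_shares.items())[:th])
    lam = lagrange_coeffs(list(senders))
    messages = {i: share(y, k_next, th) for i, y in senders.items()}
    new_shares = {j: sum(lam[i] * messages[i][j] for i in senders) % Q
                  for j in range(1, k_next + 1)}
    return new_shares, messages


def reconstruct_from_messages(messages, old_ids, th):
    """The paper's correctness identity: s = sum_j sum_i lambda_i * mu_{i,j} * G_i(j)."""
    lam = lagrange_coeffs(old_ids)
    new_ids = list(range(1, th + 1))
    mu = lagrange_coeffs(new_ids)
    return sum(lam[i] * mu[j] * messages[i][j]
               for i in old_ids for j in new_ids) % Q


def demo(secret=0x5EC2E7, th=3, sizes=(5, 7, 4)):
    """Share with K_0 = sizes[0], hand over through committees of the remaining
    sizes, and return the checks a reader would want."""
    shares = share(secret, sizes[0], th)
    old_ids, messages = None, None
    for k_next in sizes[1:]:
        old_ids = list(shares)[:th]               # the th senders handover() uses
        shares, messages = handover(shares, th, k_next)
    return {
        "reconstructs": reconstruct(shares, th) == secret,
        "via_mu_lambda": reconstruct_from_messages(messages, old_ids, th) == secret,
        "too_few_fails": reconstruct(shares, th - 1) != secret,
        "new_size": len(shares) == sizes[-1],
    }


if __name__ == "__main__":
    print(demo())
```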

Complexity
From the Construction part it is easy to see that the communication complexity of the whole protocol is a fixed polynomial in the security parameter, regardless of the number of rounds or the number of parties n_total. According to the bound on the parties in the committee, there is only a number of parties bounded in terms of λ, each of which sends only a single message carrying the puzzle. The computation complexity of each party depends on the method it uses to solve the difficult problem.

Bound of Time and the Number of Participants
To meet the feasibility and stability of the system, it is necessary to set the ranges of the parameters.
Theorem 2. (The bound of the time t) For a system whose underlying difficult problem is the discrete logarithm problem, the time available to solve the discrete logarithm problem should be limited to 1 63 , where N is the order of the group of the discrete logarithm problem (B. Qi et al., 2020). The size of the interval in which the exponent lies is ω; ω is smaller than the largest computing power scale so far, but ω > ( ). Remark. Restricting t ensures that at least one participant guesses the riddle within the time limit, while in typical scenarios not all participants can guess it.

Proof. Proof of Theorem 2
In a given time t, some participants are expected to solve the discrete logarithm problem (DLP) and some cannot. In the extreme case, a single processor solves the DLP serially, a state any participant can reach (as long as they have a PC). Therefore, to prevent everyone from solving the DLP, the time must be set shorter than the time complexity of the algorithm everyone could use. The more efficient algorithm for solving the DLP serially is the kangaroo algorithm, whose time complexity is 2 1 (Fowler & Galbraith, 2015; S. Galbraith et al., 2013).
At the same time, t cannot tend to 0, for then no one could solve it. To ensure the system's feasibility, i.e., that someone becomes a member of the next round's holding committee, the time must be set longer than the time complexity of the fastest algorithm for solving the DLP so far. The current most efficient algorithm is an improvement of the kangaroo algorithm, with time complexity 1 633 1 (B. Qi et al., 2020; Bin Qi et al., 2020).
For the interval size ω: for the system's feasibility, it must be possible to solve for the exponent within time t. By the birthday paradox, ω must be of a magnitude that is easy to handle, so ω is smaller than the largest scale that current computers can handle. At the same time, to prevent brute-force cracking by a single processor, ω > ( ). Remark. Although the article says "n_Adv < th", the adversary model is not weaker than that of ECPSS; as in ECPSS, n_Adv should be less than th, otherwise it is meaningless.

Proof. Proof of Theorem 3
The secret sharing used in the system is proactive secret sharing. According to its fault tolerance requirements, n_Adv < th and n_total > 2·th + 1. The honest parties in the system succeed in solving the difficult problem with probability 1/k, and the system can only continue when different honest parties find th answers, i.e., when it is feasible. Therefore, there should not be too few honest parties, and the number of honest parties required for th solutions to be found is
Theorem 4. (The bound of the update time t_update) Re-enter the Trusted Setup phase after time o N k to update the global secret, for a single malicious party, where N is the order of the group of the discrete logarithm problem and k_0 is the number of holding committee members in the Trusted Setup phase (Fowler & Galbraith, 2015; B. Qi et al., 2020).

Proof. Proof of Theorem 4
Suppose that the adversary does not take part in the subsequent competition and certification work after the previous round's holding committee members announce ct_{i,j}^{round} for the first time, but instead keeps brute-forcing different groups of DLPs just to crack the global secret, so as to obtain all the shares and then recover the global secret. Even if the adversary uses the fastest algorithm to crack them, its solution
Then the construction is a Competitive-Evolving-Committee PSS scheme that is secure in the model with erasures and the broadcast channel.

Proof of Theorem 5.
Assume the adversary chooses two global secrets $s_0, s_1$ and then interacts with our CECPSS protocol.
If the adversary has a negligible advantage in guessing which of $s_0, s_1$ was shared, the protocol is secure. The authors use hybrid techniques for the proof.
$H_0$ (the real protocol): The challenger controls all the honest parties and holds the global secret and all the shares.
$H_1$ (NIZK soundness): When the challenger receives a proof from the adversary that does not verify, it aborts. Because the challenger holds the global secret and all the shares, it can detect whether the proof is correct. If the adversary successfully cheats the challenger, this contradicts the soundness of the NIZK.
$H_2$ (NIZK zero-knowledge): The challenger uses the simulator of the NIZK to generate the proof. When the adversary sees the proof, by the zero-knowledge property of the NIZK, the adversary has only a negligible probability of distinguishing the real proof from the proof generated by the simulator.
$H_3$ (receiver strong anonymity of RE): When the challenger observes that the honest parties are fewer than $th$, it aborts. By the setting of the parameters, the malicious parties the adversary controls should be fewer than $th$. However, when there are more than $th$, it means the adversary has obtained the identities of the holding committee members from the message, which is sent only once, so that the adversary can control the receivers. This contradicts the receiver strong anonymity of RE.
$H_4$ (RE secrecy): The challenger uses RE to encrypt $s'$, which differs from $s_0$ and $s_1$; now the adversary has a negligible probability of distinguishing the ciphertext of $s'$ from that of $s_0$ or $s_1$. This is the basic semantic security of the encryption scheme. (At this point it is already ensured that the malicious members are fewer than $th$.)
The authors can undo the changes in these hybrids, arriving at a game where the adversary gets $s_{1-b}$ rather than $s_b$.

Limitation
If $n_{Adv} > 1$ malicious parties can solve the puzzle at the same time, then the update time will be $t_{update} = \max\{t_1, t_2, \ldots, t_{n_{Adv}}\}$, where $t_i$ is the $i$-th malicious party's time for solving the puzzle. This time may be short, so our scheme has limitations in the case of more parallel malicious parties. This involves related technologies such as key destruction in key management, and the authors do not discuss them in detail.
Our scheme needs to update the secret periodically, which is an inherent flaw of the scheme. The authors have given a simple solution, but it is not perfect enough, so in the next step the authors will study more detailed strategies to solve this problem, which may involve secret updating and secret revocation technologies in the key management field.

APPLICATION
Dynamic Group. In some scenarios, specific group tasks need to be performed according to "capability". If only some participants are initially designated as group members, problems such as low work enthusiasm and lack of "capability" in the group may occur. Although there is also some research on distributed tasks (Kate et al., 2009; Liu et al., 2007; Mwitende et al., 2020), none of it has the competition mechanism of our scheme. Using our solution, the authors can form groups of "strong capability" participants within a specified time, so that the downstream work can be executed more efficiently. At the same time, in order to stimulate the continuous strengthening of "capability", dynamic grouping can prevent a certain degree of inaction within the group.
Authentication management. Nowadays, most websites need to register information with the server, but the adversary can learn these server nodes somehow (e.g., by social engineering). If the adversary launches a DoS attack on the server or dumps its database in an off-database attack, a large amount of personal information will leak. The essence of login is that the user needs an authorized certificate to prove that he is authenticated, without storing so much sensitive information on a specific server. Our solution lets users register with a server group "floating" in cyberspace. The members of this group are updated without storing too much sensitive information on any specific server. Moreover, since the group members are selected through competition, these group members will cherish the hard-won opportunity and maintain the relevant information more seriously under the assumption of rational actors.
Prevent abuse of rights. A decentralized system can improve the enthusiasm of participants through the protocol proposed in this article, forming a situation where "everyone is the backbone". It encourages the emphasis on "capability" rather than "right", to prevent the abuse and arbitrary use of rights.
Most places that require a trusted third party can be replaced by our solution, so that everyone has the opportunity to become a member of the trusted third party. This provides opportunities for more people and is fairer; in addition, it avoids the single point of failure and excessive trust.

CONCLUSION AND FUTURE WORK
The authors propose a Competitive-Evolving-Committee PSS with a competition mechanism and receiver strong anonymity, using our capability-based encryption scheme RiddleEncryption and other primitives. Our secret sharing scheme is divided into 7 functions: Trusted Setup, Sharing, CCS-Part1, Handover-Part1, CCS-Part2, Handover-Part2, and Reconstruction. The main innovation is the CCS and Handover parts, which use RiddleEncryption; its core is difficult-problem solving, in which the participants compete on their capability. It is a capability-based scheme. Holding committee members send only one message in their life cycle, and they can send it to the corresponding receiver while knowing only the receiver's capabilities. Therefore, it does not reveal the identity of the receivers.
In the future, our RiddleEncryption scheme can be used not only for the construction of this secret-sharing scheme, but also as a primitive for other schemes that need to guarantee receiver anonymity. Competitive-Evolving-Committee PSS can be used as an alternative to the current trusted third party and can also be used as the underlying foundation for other applications of secret sharing technology. Our solution can mitigate excessive trust, provide more anonymity and fairness, and minimize the risk of attacks such as DDoS. Therefore, it has a wide range of application scenarios, such as probate management, medical data sharing, and federated learning.

Figure 1. The framework of our RiddleEncryption scheme.

A RE scheme $RE = (Setup, Enc, GuessingRiddle, Dec)$ satisfies: 1) the clue the receiver cannot decrypt correctly; 2) participants who have not guessed the correct answer cannot decrypt correctly. More formally, keep clue public and answer secret.
$Enc(clue, m) \to (c, p)$ takes a message $m \in \mathcal{M}$ and produces a ciphertext $c \in \mathcal{C}$ and a proof $p$ for the statement that $c$ is $m$ encrypted by clue and that clue is consistent with answer (only as a check during transmission). $Dec(answer, c) \to m$ uses the answer obtained from GuessingRiddle to decrypt $c$ and get the plaintext $m$.
1. Many participants try to compete for the receiver position. If $p$ is verified, the sent ciphertext is meaningful and has not been tampered with; at this time, proceed to the next step, otherwise abort.
2. Under the limited time $t$ and the desired puzzle difficulty $w$, in their different environments, some participants can get the answer within time $t$ by comparing with clue and proceed to the decryption phase. Participants who did not get an answer get Fail and abort.
3. After time $t$, some participants get the answer (they can check it against clue by themselves) and others get Fail. The one who gets Fail aborts, and the one who gets the answer goes to the Dec phase.
In $RE_{ElGamal}$, $p$ is a prime number in the ElGamal system and the public key is $y = g^x \bmod p$; 4. Output clue and keep answer secret. $RE_{ElGamal}$ Encryption. Input: clue and message $m$. Output: ciphertext $c$ and proof $p$, where $p$ proves the statement that $c$ is $m$ encrypted by clue and clue is consistent with answer (only NIZK). 1. Verify $(c, p)$; if the output is No then abort, else go to the next step. 2. All the participants use discrete logarithm problem (DLP) solving algorithms within $t$, because there is no single processor that can process a scale larger than poly($t$).

Remark. The game ends when the participants have found the answer within the specified time $t$. (The participants do not know which of the others found the answer, and the adversary can only know whether the participants under her control got the answer.) I.e., $\mathcal{A}$ wins if it can guess correctly with probability more than $n_{Adv}/n_{total} + \varepsilon$, which means $\mathcal{A}$ needs to guess all the receivers' identities correctly.
Definition 6. (Receiver Strong Anonymity) A RE scheme $RE = (Setup, Enc, GuessingRiddle, Dec)$ has receiver strong anonymity if, for every constant $\varepsilon > 0$, no feasible adversary can win the above game with non-negligible probability in $\lambda$.
Theorem 1. $RE_{ElGamal}$ is a RE scheme with correctness, soundness, and receiver strong anonymity.
Proof of Theorem 1. Correctness: When the participants get the clue, $(c, p)$ and the parameters, after passing the NIZK proof verification and time $t$, some of them work out the answer and then
For 2): it contradicts the correctness of ElGamal.
Receiver Strong Anonymity: It is assumed that $\mathcal{A}$ can calculate the answer corresponding to the clue in the $0$ stage. At this time, $\mathcal{A}$ can use this answer to compare with the $n_{Adv}$ parties controlled by $\mathcal{A}$. If they have this answer, they are the receivers. However, if $\mathcal{A}$ has a non-negligible probability of guessing the receivers' IDs with probability more than $n_{Adv}/n_{total} + \varepsilon$ with difficulty $w$ and time $t$, then

Previous-round holding committee members re-share their share, encrypt the shares and broadcast them on the channel.
Committee-Competitive-Selection-Part2 (CCS-Part2). Decide who the holding committee members of the next round are, based on the capability of the participants in the next round, using RiddleEncryption. The committee-competitive-selection process diagram is shown in Figure 3.
Handover-Part2 (H-Part2). Next-round holding committee members decrypt the ciphertexts intended for them and get their shares.

Figure 2. The framework of our Competitive-ECPSS. $t_{update}$: time to update the global secret; distributed nodes who want to participate; Output: global secret reconstruction for specific scenarios. So before this time, returning to the Start phase to update the global secret can avoid this attack.
Notation: the $i$-th participant in the $round$-th round; $k_{round+1}$: the number of participants in the $(round+1)$-th round; $\kappa_{round+1}$: security parameter for the Ouroboros protocol in the $(round+1)$-th round; the parameters of the RE system; the shares; the global secret; the set chosen in the $r$-th round: the $(r+1)$-th round committee members chosen by the $r$-th round holding committee members.

Table 1. Secret Sharing Methods Comparison (columns: Type, Specific Type, Process Overview, Strengths, Limitations).
Table 2. (continued)

ACKNOWLEDGMENT

Chuyi Yan received the bachelor's degree from Beijing Forestry University in 2019. She is currently a Ph.D. student at the Institute of Information Engineering, Chinese Academy of Sciences. Her research interests include blockchain security, intrusion detection, cyber situation awareness, etc.
Haixia Xu is a professor in SKLOIS, Institute of Information Engineering, CAS.She writes and presents widely on issues of information security, cryptography, security protocol and blockchain.