A Lightweight Verifiable Secret Sharing in Internet of Things

Abstract—Verifiable Secret Sharing (VSS) is a fundamental tool of cryptography and distributed computing in the Internet of Things. Since network bandwidth is a scarce resource, minimizing the amount of verification data improves the performance of VSS. Existing VSS schemes, however, face limitations in the amount of verification data and in the energy consumption of low-end devices, which makes their adoption challenging in resource-limited IoTs. To address these limitations, we propose a VSS scheme based on Nyberg's one-way Accumulator for one-way Hash Functions (NAHFs). The proposed VSS has two distinguishing features: first, the security of the scheme rests on NAHFs, whose computational requirements are within the basic capabilities of known IoT devices, and, second, upon receiving only one verification value, participants can verify the correctness of both their shares and the secret without any communication. Experimental results show that, compared to the Feldman scheme and the Rajabi-Eslami scheme, the energy consumption of a participant in the proposed scheme is reduced by at least 24% and 83%, respectively, for a secret.


I. INTRODUCTION
The Internet of Things (IoT) is moving at such a rapid pace that there is rising demand for transforming our physical world into a complex and dynamic system of connected devices. These IoT devices will be widely used in smart homes, body/health monitoring, environmental monitoring and condition-based maintenance, among many others. IoT is not a single technology; it is a combination of sensors, devices, networks, and software that work collaboratively to achieve a common goal. Secure and reliable group communication has become critical in IoT systems. Group key agreement is widely employed for secure group communication in modern collaborative and group-oriented applications. The central challenge is secure and efficient group key management [1,2], because these IoT devices have limited computing ability and limited communication bandwidth. In this paper, we focus on the design of lightweight verifiable secret sharing (VSS) schemes in order to achieve secret reconstruction among a set of IoT devices, where the reconstructed secret may be their group key.

A. Motivation for Lightweight VSS
To date, two main families of approaches have been investigated to provide VSS to participants. The first approach provides verification data based on public key cryptography, such as the ASPP [3] in cyclic lattices and the DLP [4]. The second approach adds verification capabilities to a scheme by using one-way functions to obtain fingerprints/signatures of the involved data [5]. However, the existing schemes suffer from some major problems. Firstly, existing schemes face a challenge in very large-scale deployments of IoT devices. Since their verification data grows linearly with either the number of participants [5] or the threshold value [3], their performance drops sharply as the number of IoT devices grows. Note that network bandwidth is a scarce resource. Minimizing the amount of public verification data will improve the performance of VSS. In this paper, we address this challenge and propose a VSS scheme with only one verification value used to verify a secret and all of its shares.
In addition, for these low-cost, battery-powered IoT devices, the lightweight implementation of VSS schemes has emerged as a critical issue. Because public key cryptography uses big integers to generate the verification data, it is much slower than symmetric key cryptography, requires more processing power, and generally increases the energy consumption of participants [6]. When the batteries are low, the IoT devices may function abnormally. Existing solutions require public-key computation (e.g., modular exponentiation), which is an expensive operation for IoT devices in real systems. In the VSS setting, it is a challenge to design a lightweight VSS scheme that minimizes the energy consumption of a participant. To our knowledge, this paper represents the first effort in this direction.

B. Our Contribution
In this paper, we propose a lightweight VSS scheme for IoT environments. The security of the proposed scheme is based on NAHFs, which are implemented through a generic symmetry-based hash function and simple bit-wise operations. The proposed scheme generates only one NAHF value as the verification data, which proves the validity of the shares for all participants. Thus, the communication cost of each participant is reduced. In addition, each participant validates a received share by running a single NAHF operation. Hence, the proposed scheme is computationally efficient for each participant. Furthermore, the computation and communication costs of each participant remain unchanged when the number of participants increases; that is, the proposed scheme provides good scalability. Compared to the Feldman scheme [4] and the Rajabi-Eslami scheme [3], the energy consumption of a participant in the proposed scheme is reduced by at least 24% and 83%, respectively, for a secret. To the best of our knowledge, this is the first VSS scheme in which the verification data consists of only one value.
The rest of the article is structured as follows. Related work is presented in Section II; Section III presents a brief review of NAHFs, Shamir's (t, n) secret sharing and VSS. Section IV is dedicated to the proposed VSS scheme, including the security model, construction and security aspects. The performance analysis and simulation experiments for the proposed scheme are discussed in Section V and Section VI, respectively. Section VII concludes the paper.

II. RELATED WORK
The secret sharing (SS) scheme is used as a tool in IoT applications including continuous authentication [1] and key management in sensor networks [7]. Such a scheme allows one to share a secret s among a set P of participants. The participants are assigned different values called shares, and only certain authorized subsets of them are able to recover the secret using these shares. A (t, n) threshold SS scheme was introduced by Shamir [8] and Blakley [9] independently in 1979. In such a scheme, the authorized subsets consist of all subsets of P with at least t participants. The scheme is unconditionally secure, which means that fewer than t participants learn no information about the secret even with unlimited time and computing power. Since then, many variants of SS have been proposed to add new features; see [10].
A verifiable secret sharing (VSS) scheme is a generalization of an SS scheme [11], whose novelty is that everyone can verify whether a received share is a valid piece of the secret. The concept of VSS was first introduced by Chor et al. [12] in 1985. Subsequently, based on "k-consistent" shares and an interactive proof, a VSS scheme was proposed in [13] to check the honesty of participants at the secret reconstruction phase. However, at the share generation phase, participants were unable to verify whether the shares they received from the dealer were valid. In 1987, a practical non-interactive VSS was proposed by Feldman [4,5] through a homomorphic one-way function $v$ for verifying the consistency of each share. Indeed, let $v$ be a $(+, \cdot)$-homomorphic one-way function. The dealer chose two primes $p, q$ as public values and a generator $g$ of a subgroup of order $q$ of $\mathbb{Z}_p^*$, where $q$ divided $p - 1$ and $q$ was the smallest positive integer satisfying $g^q \equiv 1 \pmod p$. Then it generated a share $s_j = f(x_j) \bmod q$ for each participant $P_j$ and published the public verification coefficients $A_i = g^{a_i} \bmod p$. Hence, the consistency of a share $s_j$ was verified by checking the equality $g^{s_j} \equiv \prod_{i=0}^{t-1} A_i^{x_j^i} \pmod p$. Here, the homomorphic property of the exponentiation function $v(a) = g^a \bmod p$ was used. In the case of Feldman's scheme, the security was based on the hardness of the discrete logarithm problem (DLP). In 2019, Rajabi and Eslami [3] proposed a generic threshold VSS construction and then presented a non-interactive VSS whose security is based on the hardness of the approximate shortest polynomial problem (ASPP) in cyclic lattices. In the work of Tsaloli et al. [14], by combining three different primitives (homomorphic hash functions, linearly homomorphic signatures, and threshold RSA signatures) as the baseline, an approach was proposed for protecting the secret data of clients and achieving public verifiability of the computed result. Recently, Koikara et al. [15] used a bilinear map to propose a publicly verifiable secret sharing (PVSS) scheme based on 3D cellular automata. VSS with bilinear pairings is not suitable for IoT systems because bilinear pairings are not friendly to lightweight devices [16]. In addition, symmetry-based VSS is more suitable for ultra-low-energy devices than public key cryptographic approaches.
A new non-trapdoor accumulator for cumulative hashing was introduced by Nyberg [17]. This kind of accumulator is called Nyberg's one-way Accumulator for one-way Hash Functions (NAHF). In practice, the NAHF is implemented efficiently using a generic symmetry-based hash function and simple bit-wise operations. Oftentimes, this results in lower memory requirements than digital-signature-based solutions to verification problems. In 2017, Huang et al. [18] proposed a lightweight authentication scheme with dynamic group members in IoT environments. There, based on a public secure NAHF, the proxy computed two accumulated hash values, W and R, which were used to verify whether a node was available and unrevoked. Recently, Fan et al. [19] presented a secure region-based handover scheme with user anonymity and fast revocation, where the region secret keys of revoked users were accumulated by NAHFs. In the proposed scheme, the dealer generates the verification data with an NAHF such that the shares of participants can be publicly and efficiently verified. This enables us to add verification capability for participants using only one verification value.

III. PRELIMINARIES
In this section, we introduce the basic concepts of hash functions, NAHFs, secret sharing and VSS needed later.

A. Notations
We shall use the following notation throughout the paper. A set of integers $1, 2, \cdots, n$ is written either $\{1, 2, \cdots, n\}$ or simply $[n]$. We denote by $|x|$ the length of the binary string corresponding to $x$, and by $\lceil x \rceil$ the least integer that is greater than or equal to the given number $x$. Let $P = \{P_1, P_2, \cdots, P_n\}$ be a set of $n$ participants and $D$ be the dealer. The threshold is denoted by $t$. Let $\mathbb{Z}_p, \mathbb{Z}_q$ be two finite fields and $\mathbb{Z}_q^* = \mathbb{Z}_q \setminus \{0\}$, where $p$ is a prime modulus, $q$ is a prime divisor of $p - 1$, and $q \ge n + 1$. We let $h : \{0,1\}^* \to \{0,1\}^{rd}$ and $H : \{0,1\}^r \times \{0,1\}^* \to \{0,1\}^r$ be two one-way hash functions, where $h$ is used to construct the required $H$ and $r = |q|$.

B. Nyberg's One-way Accumulator for One-way Hash Function
In this paper, we review the concept of Nyberg's one-way Accumulator for one-way Hash Function (NAHF).
Definition 1 (One-way hash function [17]). A family of one-way hash functions is an infinite set of functions $h_l : K_l \times S_l \to V_l$ having the following properties:
(1) There exists a polynomial $P$ such that for each integer $l$, $h_l(k, s)$ is computable in time $P(l, |k|, |s|)$ for all $k \in K_l$ and all $s \in S_l$.
(2) There is no polynomial $P$ such that there exists a probabilistic polynomial time algorithm which, for all sufficiently large $l$, when given $l$, a pair $(k, s) \in K_l \times S_l$ and an $s' \in S_l$, finds a $k' \in K_l$ such that $h_l(k, s) = h_l(k', s')$ with probability greater than $1/P(l)$, where $(k, s)$ is chosen uniformly among all elements of $K_l \times S_l$ and $s'$ is chosen uniformly from $S_l$.
(IJACSA) International Journal of Advanced Computer Science and Applications, Vol. 13, No. 5, 2022
Definition 3 (Nyberg's one-way accumulator [17]). A family of one-way accumulators is a family of one-way hash functions with quasi-commutativity. The one-way accumulator by Nyberg [17] is constructed based on the generic symmetry-based hash function (e.g., SHA) and simple bit-wise operations. Compared to Benaloh's scheme [20], Nyberg's scheme is more efficient without employing asymmetric cryptographic operations.
Assume that $N = 2^d$ is an upper bound on the number of items to be accumulated and $r$ is an integer. Let $s_1, s_2, \cdots, s_n$ be the accumulated items, possibly of different string sizes, and let $S = \{s_1, s_2, \cdots, s_n\}$ be the set of accumulated items, where $n \le N$. Throughout, $\wedge$ denotes the bitwise operation AND. The NAHF is based on the one-way hash function $h : \{0,1\}^* \to \{0,1\}^{rd}$. All that is required to specify the NAHF is the hashing process and the AND operation. The heart of an NAHF is the hashing process, which applies the hash function $h$ to the input and transfers the result to an $r$-bit output. It is composed of the following operations.
• Hashing operation: hash the accumulated item $s_i$ and output an $rd$-bit binary string $v_i = h(s_i)$.
• Transfer $\alpha$: the NAHF divides the binary string $v_i$ into $r$ blocks $v_{i,1}, \cdots, v_{i,r}$ of $d$ bits each and transfers every block to a single bit as follows: if $v_{i,j}$ is a string of zero bits, it is replaced by $0$; otherwise it is replaced by $1$. In this way, the accumulated item $s_i$ is transferred to a bit string $b_i = \alpha(h(s_i)) \in \{0,1\}^r$, which can be regarded as the values of $r$ independent binary random variables if $h$ is an ideal hash function.
The NAHF on an accumulated item $s_i \in S$ with an accumulated key $k \in \{0,1\}^r$ is implemented using the AND operation as $H(k, s_i) = k \wedge \alpha(h(s_i))$. The proposed VSS relies on the following properties of the NAHF $H(\cdot, \cdot)$:
• Quasi-commutativity: $H(H(k, s_1), s_2) = H(H(k, s_2), s_1)$.
• Absorbency: $H(H(k, s_i), s_i) = H(k, s_i)$.
• An item $s_i$ within the accumulated value $Z$ can be verified by checking $H(Z, s_i) = Z \wedge \alpha(h(s_i)) = Z$.

C. Shamir's Threshold Secret Sharing
There are $n$ participants, $P = \{P_1, P_2, \cdots, P_n\}$, and a dealer $D$. Shamir's secret sharing scheme [8] consists of two phases: the share distribution phase and the secret reconstruction phase. During share distribution, the secret is $s = f(0)$, where $f(x)$ is a polynomial of degree $t - 1$ with random coefficients (except for the constant term), computed over a finite field. Each participant $P_j \in P$ holds the share $s_j = f(x_j)$, where $x_j$ is $P_j$'s unique nonzero identifier, $j \in [n]$. In secret reconstruction, any $t$ out of $n$ participants, $P_{j_1}, \cdots, P_{j_t}$, can recover the secret $s$ by using the Lagrange interpolation formula (1) or by solving the linear system (2) in the polynomial coefficients. Note that the coefficient matrix of (2) is a square Vandermonde matrix, which is invertible since the $x_j$'s are distinct.

D. VSS
In an SS scheme, participants must trust that the shares they receive are correct. In a VSS scheme, additional verification data are provided that allow each participant to check whether its share is correct. Each message that must be checked carries additional verification data, sent in the clear, which the recipient uses to determine whether the share in the message is correct. That is, a recipient uses them to check that the point $(x_j, s_j)$ sent to it lies on the polynomial $f(x)$ and that the polynomial $f(x)$ used as the basis for the shares equals the secret at $x = 0$. A VSS is able to resist the following two kinds of active attacks: (1) some shares are tampered with before being sent to the participants in the secret distribution phase; (2) participants submit erroneous shares to others in the secret reconstruction phase.

IV. A LIGHTWEIGHT (t, n) VSS SCHEME
In this section, a lightweight (t, n) VSS scheme is proposed. We discuss the security model, the construction and the security aspects of the proposed scheme.

A. The Security Model of Proposed Scheme
In this section, we give the definition of a non-interactive (t, n) VSS scheme. There are $n$ participants, $P = \{P_1, P_2, \cdots, P_n\}$, and a dealer $D$. The definition involves four algorithms: share generation (SG), share verification (SHV), secret reconstruction (SR) and secret verification (SEV). The proposed scheme consists of a share distribution phase and a secret reconstruction phase. A non-interactive (t, n) VSS scheme is a pair (share generation, secret reconstruction) of phases, defined as follows.
• Share distribution: In this phase, on input a secret $s$ and $P_j$'s identity $x_j$, $D$ first runs the SG algorithm to output a share for each participant and some verification data; the shares are sent to the corresponding participants through a secure channel. Then, on input the verification data and its share, each participant runs the SHV algorithm to accept or reject the share.
• Secret reconstruction: The inputs of this phase are the shares corresponding to a subset of participants. First, the validity of each share is verified by the other cooperating participants running the SHV algorithm. Then, if the number of participants with valid shares is at least $t$, the secret can be computed by applying the SR algorithm to the provided shares, and the recovered secret is verified by running the SEV algorithm.
A non-interactive (t, n) VSS scheme is called secure if it satisfies the following properties:
• Threshold. Every secret can be recovered by any $t$ or more participants who have received shares, and any subset of fewer than $t$ participants cannot obtain any information about the secret.
• Verifiability/reconstructability. Every participant can verify his share in the share generation phase. During the secret reconstruction phase, the participants can validate the received shares and check whether a reconstructed secret is correct.
• Security. The VSS scheme must be able to resist up to $t - 1$ colluding inside adversaries. In addition, an outside adversary cannot impersonate a member by forging a valid value after learning at most $t - 1$ values from other members. The VSS scheme is secure if the adversary cannot obtain the shares in polynomial time.
In addition, the following properties of a VSS are very much tailored to IoT devices as participants:
• Efficiency. The scheme should have low computational requirements and low communication costs at the participants to reduce their energy consumption. This makes the VSS suitable for implementation on battery-powered IoT devices with limited computing power.
• Scalability. Even if the number of participants in large-scale deployments is large, the communication cost of the scheme should be kept small to reduce the cost of the supporting network infrastructure.
B. The Proposed (t, n) VSS Scheme
Figure 1 shows the proposed (t, n) VSS scheme, where the combiner may be any participant in $P$.

Share generation
Step 1: Dealer $D$ chooses a polynomial of degree $t - 1$, $f(x) = a_0 + a_1 x + \cdots + a_{t-1} x^{t-1}$, where $a_0 = s$ is the secret in $\mathbb{Z}_q^*$ and, for $i = 1, 2, \cdots, t - 1$, $a_i$ is picked uniformly from $\mathbb{Z}_q^*$. The dealer distributes the share $s_j = f(x_j)$ secretly to the corresponding participant $P_j$, where $x_j$ is $P_j$'s unique nonzero identifier, $j \in [n]$. Then, based on an NAHF $H$, the dealer selects $k$ as its long-term secret key to compute the verification data $V = H(\cdots H(H(k, s), s_1), \cdots, s_n)$, and publishes $H$ and $V$.
Step 2: After receiving $s_j$, each participant $P_j$ checks whether $H(V, s_j) = V$ holds, $j \in [n]$. If so, $P_j$ confirms that the received share $s_j$ is correct; otherwise, Step 1 is repeated.

Secret reconstruction
Step 3: The participant $P_j$ releases its share $s_j$, and the combiner confirms the correctness of $s_j$ via $H(V, s_j) = V$.
Step 4: Assume that the combiner receives $t$ correct shares $s_{j_1}, s_{j_2}, \cdots, s_{j_t}$. The secret $s$ is recovered by formula (1) or by solving equation (2). Then, the combiner validates the recovered secret $s$ by checking $H(V, s) = V$.

In the proposed scheme, the algorithms SG, SHV, SR and SEV are the mathematical processes of Steps 1, 2, 3 and 4, respectively. The security of the scheme is based on an NAHF, which is quasi-commutative and has the absorbency property.
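The following Python program is an added illustration, not code from the paper or from any reference implementation. It walks through Steps 1 to 4 above using the NAHF of Section III-B (hashing, transfer $\alpha$, AND accumulation) and the Shamir sharing and Lagrange reconstruction of Section III-C. Its parameters are its own assumptions: $q = 2^{128} - 159$ (so $r = |q| = 128$), $d = 4$ (so $N = 16$) and SHA-512 as $h$, giving $rd = 512$ bits; the secret, the dealer's key $k$ and the identifiers $x_j = j$ are constructed values, and items are hashed through a 16-byte big-endian encoding, which the paper does not specify.

```python
import hashlib
import random
from functools import reduce

# Constructed parameters (not from the paper): q is the 128-bit prime
# 2^128 - 159, so r = |q| = 128; d = 4 gives N = 2^d = 16 as the bound on
# accumulated items, and r*d = 512 matches the SHA-512 output length.
Q = 2**128 - 159
R = 128
D = 4


def h(item: int) -> int:
    """One-way hash h: {0,1}^* -> {0,1}^{rd}; SHA-512 over a 16-byte encoding (assumed)."""
    return int.from_bytes(hashlib.sha512(item.to_bytes(16, "big")).digest(), "big")


def alpha(v: int) -> int:
    """Transfer alpha: cut the rd-bit string into r blocks of d bits and map each
    block to one bit, 0 if the block is all zeros and 1 otherwise."""
    mask = (1 << D) - 1
    out = 0
    for j in range(R):                       # block j = the j-th d-bit group from the top
        block = (v >> (D * (R - 1 - j))) & mask
        out = (out << 1) | (1 if block else 0)
    return out


def H(k: int, item: int) -> int:
    """NAHF H(k, s) = k AND alpha(h(s)); AND gives quasi-commutativity and absorbency."""
    return k & alpha(h(item))


def accumulate(k: int, items) -> int:
    """V = H(...H(H(k, items[0]), items[1]) ..., items[-1])."""
    return reduce(H, items, k)


def verify(V: int, item: int) -> bool:
    """Check used by SHV (shares) and SEV (secret): H(V, s) == V."""
    return H(V, item) == V


def false_accept_probability(V: int) -> float:
    """Chance that an item never accumulated still passes verify(V, .): its alpha
    image must be 1 at every one of the w = popcount(V) positions, and each
    position is 1 with probability 1 - 2^-d for an ideal h."""
    return (1 - 2.0 ** -D) ** bin(V).count("1")


def eval_poly(coeffs, x: int) -> int:
    """f(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} mod q (Horner's rule)."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % Q
    return acc


def share_generation(secret: int, t: int, ids, k: int, rng):
    """SG (Step 1): Shamir shares s_j = f(x_j) and the single verification value V."""
    coeffs = [secret] + [rng.randrange(1, Q) for _ in range(t - 1)]
    shares = {x: eval_poly(coeffs, x) for x in ids}
    V = accumulate(k, [secret] + [shares[x] for x in ids])   # order: s, s_1, ..., s_n
    return shares, V


def secret_reconstruction(points) -> int:
    """SR (Step 4): Lagrange interpolation at x = 0 over Z_q from t points (x_j, s_j)."""
    s = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        s = (s + yi * num * pow(den, -1, Q)) % Q
    return s


def run_demo(t: int = 3, n: int = 5, seed: int = 2022) -> dict:
    """Run Steps 1-4 with a constructed secret, dealer key k and identifiers x_j = j."""
    rng = random.Random(seed)            # seeded only so the demo is repeatable
    secret = rng.randrange(1, Q)
    k = rng.getrandbits(R)               # dealer's long-term key k in {0,1}^r
    ids = list(range(1, n + 1))
    shares, V = share_generation(secret, t, ids, k, rng)
    step2 = all(verify(V, shares[x]) for x in ids)           # SHV by each P_j
    recovered = secret_reconstruction([(x, shares[x]) for x in ids[:t]])
    return {
        "shares_verify": step2,
        "recovered_ok": recovered == secret,
        "secret_verifies": verify(V, recovered),             # SEV by the combiner
        "tampered_share_rejected": not verify(V, (shares[1] + 1) % Q),
        "false_accept": false_accept_probability(V),
    }


if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` reports the outcome of each check. Because $H(V, \cdot) = V$ is an AND test, a value that was never accumulated is still accepted whenever its $\alpha$-image has a 1 at every position where $V$ has a 1; `false_accept_probability` reports that chance for the $V$ actually produced, and with a random 128-bit $k$ and six accumulated values it is on the order of a few percent, which is why the choice of $r$, $d$ and $n + 1$ in Remark 1 matters for the verification checks.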
The correctness of the proposed (t, n) VSS scheme is guaranteed by the following Theorems 1 and 2.
Proof 1. If the dealer $D$ follows the scheme accurately, we have $V = H(\cdots H(H(k, s), s_1), \cdots, s_n)$. By the absorbency property of $H$, the share $s_n$ satisfies $H(V, s_n) = V$. In fact, $H(V, s_n) = H(H(\cdots H(H(k, s), s_1), \cdots, s_n), s_n) = H(\cdots H(H(k, s), s_1), \cdots, s_n) = V$, where the second equality holds by the absorbency property of $H$. By quasi-commutativity, any share $s_j$ can be moved to the last position, so the same argument gives $H(V, s_j) = V$ for every $j \in [n]$.
Proof 2. By the absorbency property of $H$ and equation (4), for the secret $s$ we see that $H(V, s) = V$. This is because $H(V, s) = H(H(H(\cdots H(H(k, s_1), s_2), \cdots, s_n), s), s) = H(H(\cdots H(H(k, s_1), s_2), \cdots, s_n), s) = V$, where the second equality holds by the absorbency property of $H$ and the third equality holds by equation (4). This completes the proof.
Remark 1. The correctness of the checks $H(V, s_j) = V$ and $H(V, s) = V$ depends on the assumption that the output length, $rd$, of $h$ satisfies $(n + 1)$
The following theorems ensure the security of the proposed (t, n) VSS scheme.
Theorem 3. Assume that $q$ is a large prime number. The share $s_j$ obtained from the polynomial $f(x)$ has a uniform distribution on $\mathbb{Z}_q$, $j \in [n]$.
Proof 3. Let $A$ and $X$ be two independent random variables defined on $\mathbb{Z}_q$. A basic result from the theory of random variables is that if $A$ has a uniform distribution on $\mathbb{Z}_q$ and $X$ has an arbitrary distribution on $\mathbb{Z}_q$, then $B_1 = A + X \pmod q$ and $B_2 = A \cdot X \pmod q$ have a uniform distribution on $\mathbb{Z}_q$, where $X$ is chosen from $\mathbb{Z}_q^*$ in the latter case. If $b_1$ is chosen uniformly from all possible values of $B_1$, the probability of $B_1 = b_1$ equals $1/q$. Similarly, when $b_2$ is chosen uniformly from all possible values of $B_2$, we have $\Pr[B_2 = b_2] = 1/q$. It can easily be shown that the above argument extends to the random polynomial function $f(x)$. Since $a_0, a_1, \cdots, a_{t-1}$ are uniformly distributed on $\mathbb{Z}_q$ and $x_j$ is $P_j$'s unique nonzero identifier, the terms $a_0, a_1 x_j, \cdots, a_{t-1} x_j^{t-1}$ are uniformly distributed on $\mathbb{Z}_q$. Then $f(x_j) = a_0 + a_1 x_j + \cdots + a_{t-1} x_j^{t-1}$ is uniformly distributed on $\mathbb{Z}_q$. Therefore, $s_j = f(x_j)$ is uniformly distributed on $\mathbb{Z}_q$, that is, $s_j$ has a uniform distribution on $\mathbb{Z}_q$.
Theorem 4. Under the assumption that $H$ is a secure NAHF, neither the secret $s$ nor any share $s_j$ can be obtained by an attacker from $V$, $j \in [n]$.

Proof 4. Recall from Definition 3 that an NAHF $H$ is a one-way hash function with quasi-commutativity. Suppose the accumulated item $s_j$ is absorbed in the $j$-th iteration of $V$, so that $V = H(\cdots H(H(\cdots H(H(k, s), s_1), \cdots, s_j), s_{j+1}), \cdots, s_n)$. Note that $V = H(H(\cdots H(\cdots H(H(k, s), s_1), \cdots, s_{j+1}), \cdots, s_n), s_j) = H(Q, s_j)$, where the first equality holds by equation (3) and $Q = H(\cdots H(\cdots H(H(k, s), s_1), \cdots, s_{j+1}), \cdots, s_n)$. Furthermore, we have $H(V, s_j) = V$. We now need to prove that it is hard for an attacker presented with $V$ to find $(Q', s_j')$ such that $V = H(Q', s_j')$. At this point, the one-way property of $H$ in Definition 1 ensures that this is computationally infeasible: there is no polynomial $P$ such that a probabilistic polynomial time algorithm finds an $s_j' \in \mathbb{Z}_q$ with $V = H(Q', s_j')$ with probability greater than $1/P(l)$, where $Q'$ is chosen uniformly from $\{0,1\}^r$. Hence, it is computationally infeasible to find an $s_j'$ such that $H(V, s_j') = V$, $j \in [n]$. Similarly, it is computationally infeasible to derive the secret $s$ from $V$.
Theorem 5. In the proposed VSS scheme, any subset of participants of size less than $t$ cannot obtain any information about the secret $s$.
Proof 5. Here we consider the worst case, where $t - 1$ participants take part in recovering the secret $s$. Any $t - 1$ participants with different identities $x_{j_1}, \cdots, x_{j_{t-1}}$ cannot compute the secret $s$, since they cannot solve the linear system of $t - 1$ equations in $t$ unknowns $s_{j_l} = s + a_1 x_{j_l} + \cdots + a_{t-1} x_{j_l}^{t-1}$, $l \in [t - 1]$, which has one degree of freedom, where $a_0 = s$. We can consider the coefficient $a_{t-1}$ of the last term in $f(x)$ as a free variable from $\mathbb{Z}_q$. In this case, the secret $s$ has a unique representation as a linear combination of $a_{t-1}$ and the shares $\{s_{j_1}, \cdots, s_{j_{t-1}}\}$, where $a_{t-1}$ is uniformly distributed over $\mathbb{Z}_q$. From the proof of Theorem 3, it follows that $s$ has a uniform distribution over $\mathbb{Z}_q$. Hence, no information about the secret $s$ can be extracted from these $t - 1$ shares.
Combining Theorems 3, 4 and 5, we have the following theorem.
Theorem 6. The proposed (t, n) VSS scheme is secure under the assumption that $H$ is a secure NAHF.

V. PERFORMANCE OF PROPOSED VSS SCHEME
In this section we present and discuss the efficiency and scalability of the proposed scheme of Section IV-B. We mainly consider the costs of extending the SS scheme to achieve verifiability. By decreasing the amount of verification data, we improve on the previous VSS schemes [3,4]. We estimate the efficiency by counting the number of basic cryptographic operations required by the extension, and we also calculate its communication cost. To evaluate the scalability of the proposed scheme, it suffices to show that the costs of each participant remain unchanged as the size of the IoT network (i.e., the number of participants) increases.
Bandwidth is a scarce resource. In a VSS, the communication cost is dominated by the sizes of the verification data and of a share. From Table I, we see that in the proposed scheme the communication costs of $D$ and $P_j$ are significantly lower than in the Feldman scheme and the Rajabi-Eslami scheme, since $|q|$ is much less than $|p|$ and $m n_0 |p_0|$ (see Section VI). In the proposed scheme, the verification data $V$ is only one value of $r = |q|$ bits, and so is any share in $\mathbb{Z}_q$. Specifically, at the share generation phase, the dealer $D$ broadcasts $V$ to the participants in $P$ and transmits $s_j = f(x_j)$ to each participant $P_j$, $j \in [n]$, so that $|V| + \sum_{j=1}^{n} |s_j| = r + n|q|$ bits are sent. Upon receiving $V$ and $s_j$ from $D$ at the share generation phase, each $P_j$ obtains at least $t - 1$ different shares $s_{j_\theta}$ from the others in $P$ while sending $s_j$ to them at the secret reconstruction phase. Here, $|V| + |s_j| + \sum_{\theta=1}^{t-1} |s_{j_\theta}| + |s_j| = r + (t + 1)|q|$ bits. In the Feldman scheme [4], the verification data consisted of $t$ elements $A_0, \cdots, A_{t-1}$ (see Section II) in $\mathbb{Z}_p$, and the size of each share was the same as in the proposed scheme. Therefore, the communication costs at $D$ and $P_j$ were $n|q| + t|p|$ and $t|p| + (t + 1)|q|$ bits, respectively. In the Rajabi-Eslami scheme [3], the verification data was composed of the $(n_0 - 1)$-degree polynomials $F(a[0]), \cdots, F(a[t - 1])$ over $\mathbb{Z}_{p_0}$, and each share contained $m$ polynomials in $R_{p_0}$. Here, the polynomial ring is $R_{p_0} = \mathbb{Z}_{p_0}[\alpha]/(\alpha^{n_0} - 1)$ and $D_{p_0}$ is an appropriate subset of "small" elements of $R_{p_0}$¹, where the dimension is $m > 1$, the integer modulus is $p_0 \ge 2$, and an error distribution $\delta$ is used. Note that each share $f(x_j)$ and the secret $s$ were respectively composed of $m$ polynomials in $R_{p_0}$ and $D_{p_0}$, and $F(a[i])$ was a polynomial in $R_{p_0}$. Thus, the communication costs at $D$ and $P_j$ were $(t + nm) n_0 |p_0|$ and $(m(t + 1) + t) n_0 |p_0|$ bits, respectively.
¹ $\mathbb{Z}_{p_0}$ is the set of integers from $0$ to $p_0 - 1$, and $\mathbb{Z}_{p_0}[\alpha]$ denotes the set of polynomials with coefficients in $\mathbb{Z}_{p_0}$. $R_{p_0}$ contains all polynomials of degree less than $n_0$ with coefficients in $\mathbb{Z}_{p_0}$, together with two ring operations, polynomial addition and multiplication modulo $\alpha^{n_0} - 1$. Each polynomial in $R_{p_0}$ has $n_0$ coefficients in $\mathbb{Z}_{p_0}$, so there is a bijection between $R_{p_0}$ and $\mathbb{Z}_{p_0}^{n_0}$. The compact knapsack problem over $R_{p_0}$ was defined in [21] as follows: given $m = O(\log^2 n_0)$ elements $b_1, \cdots, b_m \in R_{p_0}$ and a target value $c \in R_{p_0}$, find coefficients $X_1, \cdots, X_m \in D_{p_0}$ such that $\sum_{i=1}^{m} X_i b_i = c$.
It is generally assumed that in an IoT system the dealer or server has powerful computing resources while the computing power of the IoT devices is limited [22]. Another advantage of the proposed scheme is that the computation costs of the participants are low, since their computational requirements are within the basic capabilities of known IoT devices. For each participant $P_j$ in the proposed scheme, the computation cost is $(t + 1)T_H + tT_M$, where $H(V, s_j)$, $H(V, s_{j_\theta})$ and $H(V, s)$ are computed to verify $s_j$, $s_{j_\theta}$ ($\theta \in [t - 1]$) and the recovered $s$, respectively, and $t$ multiplication operations in the Lagrange interpolation formula (1) are performed to recover $s$. Note that in the Rajabi-Eslami scheme [3], $T_f = m(t - 1)T_m$ and $T_F = mT_{pm}$, because $m$ polynomials of degree $t - 1$ need to be computed for each $f(x_j)$ in $R_{p_0}$, and $F(X) = \sum_{i=1}^{m} X_i b_i$. From the experimental results in Section VI, we know that $T_M < T_{pe} < T_H < T_e < T_E$. Table II shows that the computation cost of $P_j$ is the lowest in the proposed scheme. In contrast, the computation cost of $D$ in the proposed scheme increases with $n$, because the time to compute $V$ grows with the number of NAHF operations. To compute $s_j = f(x_j)$ for each participant $P_j$ and the verification data $V$, $D$ needs to execute $t - 1$ multiplication operations for each $f(x_j)$ and $n + 1$ NAHF operations for $V$, $j \in [n]$. Hence the computation cost of $D$ is $n(t - 1)T_M + (n + 1)T_H$. Furthermore, the proposed scheme provides good scalability, since the computation and communication costs of $P_j$ remain unchanged when the number of participants increases.

VI. SIMULATION EXPERIMENTS
We further evaluate the performance of the proposed scheme using simulation experiments. The experiments are conducted on an Intel(R) Core(TM) i7-6700 CPU @ 3.40 GHz machine with 8.00 GB memory and Windows 7, using JDK 1.8. We use SHA-512 as the hash $h$ in the NAHF $H$ with a 128-bit output, where $N = 2^4$ is the upper bound on the number of accumulated items. When $N > 2^4$, we select $u = N/2^4$ different SHA-512 instances, as in Remark 1. For the Feldman scheme, the parameters $p, q$ were chosen as suggested (see page 21 in [23]), i.e., $|p| = 1024$ bits and $|q| = 160$ bits. For the Rajabi-Eslami scheme, according to the LWE parameters for hardware tests (see Table 4 in [24]), the corresponding parameters are $(n_0, |p_0|) = (128, 12)$; in addition, let $m = 2$. To give a detailed quantitative analysis, we assume that the participants are MICA2 motes, which run at 8 MHz on an 8-bit ATmega128L processor and adopt the IEEE 802.15.4 standard. As described in Cao et al. [25], the power level of a MICA2 mote is $U = 3.0$ V, the current draw in active mode is $I = 8.0$ mA, the receiving current draw is $I_r = 10$ mA, the transmitting current draw is $I_t = 27$ mA, and the data rate is $r_d = 12.4$ kbps. The cost of receiving (or transmitting) one byte is $E_r = U I_r (8/r_d) = 19.35\,\mu$J (or $E_t = U I_t (8/r_d) = 52.26\,\mu$J). These parameters are fixed in all experiments.
Experiment 1 examines the average time required to run each operation in Table II. With the above parameter settings, we take the average over 160 trials of an operation. The results are: $T_M = 0.0022$ milliseconds (ms), $T_H = 0.0858$ ms, $T_e = 1.3445$ ms, $T_{pm} = 0.0169$ ms and $T_E = 1.6071$ ms. In particular, the average time of an addition operation is 0.0007 ms, which is negligible compared with the others.
Experiment 2 examines the energy consumption of a participant. To compute the electrical energy consumed by a participant during $t_p$ seconds, we apply Joule's law, $E = U I t_p$.
From Table II and Table I, we have $t_p = (t + 1)T_H + tT_M = (t + 1) \times 0.0858 + t \times 0.0022$ (ms), and $(t + 1)|q| + r$ equals $4 + 40$ bytes, where 20 bytes are transmitted and $t + 20$ bytes are received. For $P_j$, the energy cost of communication is $20 \times E_t + (t + 20) \times E_r = 19.36t + 1432.2$ ($\mu$J), and the energy cost of computation is $3 \times 8 \times t_p = 2.112t + 2.0592$ ($\mu$J). Thus, the energy consumption of $P_j$ is $21.472t + 1434.2592$ ($\mu$J) $\approx 0.0215t + 1.4343$ (J). We find that the energy cost of computation is cheap compared to data communication. We then compare the energy consumption of $P_j$ in the proposed scheme with that in the Feldman scheme and the Rajabi-Eslami scheme. From Figure 2(a), it is evident that the energy consumption of $P_j$ increases with the threshold value, but it is relatively stable in the proposed scheme. In particular, the proposed scheme gives $P_j$ the smallest energy consumption. Note that, for a given threshold value $t$, the energy reduction equals the difference of the corresponding ordinate values of two schemes in Figure 2(a). For each participant $P_j$, the resulting energy reductions are shown in Figure 2(b). The energy reduction relative to the Rajabi-Eslami scheme is larger than that relative to the Feldman scheme, and the difference increases with $t$. Furthermore, Figure 2(c) shows that, compared to the Feldman scheme and the Rajabi-Eslami scheme, the energy consumption of $P_j$ in the proposed scheme is reduced by at least 24% and 83%, respectively, for a secret.
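As an added worked example (not from the paper), the following Python code recomputes the energy accounting of Experiment 2 from the stated MICA2 parameters, the Experiment 1 timings and the Table I/II cost formulas, so that the per-participant figures can be reproduced for any threshold $t$. The byte counts (20 transmitted, $t + 20$ received) and operation timings are the ones stated in the text; the bit-length parameters used in `communication_bits` are the Section VI settings, with $r = |q| = 128$ for the proposed scheme being an assumption where the text leaves it implicit.

```python
from typing import Optional

# MICA2 electrical parameters from Section VI; V * mA * ms = µJ throughout.
U_V = 3.0           # supply voltage
I_ACTIVE_MA = 8.0   # current draw in active mode (computation)
I_RX_MA = 10.0      # receiving current draw
I_TX_MA = 27.0      # transmitting current draw
RATE_KBPS = 12.4    # radio data rate r_d
T_H_MS = 0.0858     # one NAHF operation (Experiment 1)
T_M_MS = 0.0022     # one modular multiplication (Experiment 1)


def energy_per_byte_uj(current_ma: float) -> float:
    """E = U * I * (8 / r_d): one byte occupies the radio for 8/r_d seconds."""
    seconds_per_byte = 8 / (RATE_KBPS * 1000)
    return U_V * current_ma * seconds_per_byte * 1000   # V*mA*s = mJ; *1000 -> µJ


def computation_time_ms(t: int) -> float:
    """t_p = (t + 1) T_H + t T_M: t + 1 NAHF checks plus t Lagrange multiplications."""
    return (t + 1) * T_H_MS + t * T_M_MS


def computation_energy_uj(t: int) -> float:
    """Joule's law E = U I t_p with the active-mode current."""
    return U_V * I_ACTIVE_MA * computation_time_ms(t)


def participant_energy_uj(t: int, tx_bytes: int = 20, rx_bytes: Optional[int] = None) -> dict:
    """Section VI accounting for P_j: 20 bytes sent, t + 20 bytes received."""
    if rx_bytes is None:
        rx_bytes = t + 20
    comm = tx_bytes * energy_per_byte_uj(I_TX_MA) + rx_bytes * energy_per_byte_uj(I_RX_MA)
    comp = computation_energy_uj(t)
    return {"communication_uJ": comm, "computation_uJ": comp, "total_uJ": comm + comp}


def communication_bits(scheme: str, t: int, n: int) -> dict:
    """Dealer and participant traffic in bits from Table I for the three schemes.
    Proposed: r = |q| = 128 (assumed); Feldman: |p| = 1024, |q| = 160;
    Rajabi-Eslami: n_0 = 128, |p_0| = 12, m = 2 (Section VI settings)."""
    if scheme == "proposed":
        r, q = 128, 128
        return {"dealer": r + n * q, "participant": r + (t + 1) * q}
    if scheme == "feldman":
        p, q = 1024, 160
        return {"dealer": n * q + t * p, "participant": t * p + (t + 1) * q}
    if scheme == "rajabi-eslami":
        n0, p0, m = 128, 12, 2
        return {"dealer": (t + n * m) * n0 * p0, "participant": (m * (t + 1) + t) * n0 * p0}
    raise ValueError(f"unknown scheme {scheme!r}")


if __name__ == "__main__":
    for t in (2, 4, 8):
        print(t, participant_energy_uj(t), communication_bits("proposed", t, 16))
```

The communication term dominates, as the text observes: at $t = 2$ the radio accounts for roughly 1471 µJ against about 6 µJ of NAHF and multiplication work, so for this scheme the energy budget is set by the size of $V$ and the shares rather than by the hash operations.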

VII. CONCLUSION
In this paper, we give a lightweight (t, n) VSS scheme based on an NAHF [17]. Unlike previous VSS schemes, the proposed scheme generates only one NAHF value as the verification data, which proves the validity of the shares for all participants. This means that the scheme has a lower communication cost than previous approaches to share verification. Another important property is that the computation and communication costs of each participant remain unchanged when the number of participants increases, which is convenient for building a secure, scalable IoT network. At the same time, because the correctness of each share can be efficiently checked, a new participant can verify whether his