Hierarchical secret sharing scheme for WSN based on linear homogeneous recurrence relations

Wireless sensor network is a key technology in the sensing layer of the Internet of Things. Data security in wireless sensor network is directly related to the authenticity and validity of data transmitted in the Internet of Things. Due to the large number and different types of nodes in wireless sensor networks, layered secret key sharing technology is increasingly used in wireless sensor networks. In a hierarchical secret sharing scheme, participants are divided into sections with different permissions for each team, but the same permissions for participants in the same team. In this article, we follow the approach of the hierarchical secret sharing scheme derived from the linear homogeneous recurrence relations. We design a hierarchical multi-secret sharing scheme for wireless sensor networks on the basis of the elliptic curve public key cryptosystem combined with the linear homogeneous recurrence relations. In the proposed scheme, we do not make sure that the participants are half-truthful. In addition, the participants’ shadows can be reused. Our scheme is computational security. Only one share from each member is required in our hierarchical multi-secret sharing scheme. It is more suitable for wireless sensor networks compared to the up-to-date schemes.


Introduction
In a secret sharing scheme of (t, n) threshold, 1 the secret is passed around in n participants, and when it is required, any t or more participants can retrieve the shared secrets by combining their shares. A handy case of secret sharing is the distributed storage of sensitive information. Such a solution is called perfect scheme if any participant of any ineligible subset does not have access to any information about the shared secrets. Shamir 1 and Blakley 2 raised the threshold secret sharing schemes, two exceptional cases where all the participants have the same privileges.
There are restrictions on threshold secret sharing schemes in reality. Therefore, to enhance the feasibility of secret sharing in practice, many researchers concentrate on particular sets of access structures, for instance, weighted threshold access structure, compartmented access structure, graph-based access structures, 3 bipartite access structures 4 and hierarchical access structure. 5 A large number of studies in our community have been focused on the protection (e.g. privacy, 6 security, 7 malicious behaviours) 8 of our lives, towards constructing a safer information environment. Shamir proposed the weighted threshold secret sharing scheme. 1 But the secret sharing scheme 1 is a trivial solution by assigning multiple shares to each participant according to its integral weight, which is inefficient. Simmons 9 presented a multipartite access structure, and the definitions of the compartmented access structure and the hierarchical access structure were given by him. After Simmons, Brickell 10 introduced an approach to give an ideal secret sharing scheme for the multilevel and compartmented access structures. The multipartite access structure can classically be divided into the hierarchical access structure and the compartmented access structure. 2, 11 Tassa 12 proposed some hierarchical threshold access structures rested on Birkhoff interpolation, and the interpolation matrix must satisfy Polya's condition. 12 Farras et al. 13 gave a comprehensive characteristic of the ideal multipartite access structures. Then the scholars investigated the hierarchical secret sharing schemes by using the findings on integer polymatroids in the solution given by Farras et al. 14 These techniques offered a characterization of the hierarchical access structures and by these techniques, there admits the ideal and perfect secret sharing scheme existing for the hierarchical access structures. 14, 15 Chen et al. 16 proposed a method to give an ideal scheme that implements the compartmented access structure by the general polymatroid-based method presented in Farras et al.'s solution 14 and the Gabidulin 17 codes. Chen et al. 18 proposed a method of implementing the multipartite access structure. Motivated by the integer polymatroids, the main idea of Chen et al.'s scheme 18 from Brickell 10 provides a polynomial-time algorithm to build such a matrix M, which makes all the determinants of those particular multi-matrices non-zero in certain limited domains.
The methods mentioned above do not introduce verifiability. Also, researchers have worked out verifiable resolutions for the classic secret sharing schemes. Motivated by Birkhoff interpolation, Traverso et al. 19 gave a verifiable hierarchical secret sharing method. But this method has the shortcomings of these schemes rested on Birkhoff interpolation. The drawback of the above hierarchical threshold access structure is that the distributor must perform exponential examinations when allocating identifications and shares to the members. Xu et al. 20 proposed an efficient compartmented secret sharing scheme. Yuan et al. 21 provided an ideal polynomial-time hierarchical secret sharing scheme based on linear homogeneous recurrence (LHR) relations. We present a verifiable hierarchical secret sharing scheme rested on Xu et al. 20 So, our method is more efficient than Traverso's solution. 19 The rest of the article focuses on the following sections. The second section leads to the secret sharing scheme, LHR relations, as well as Bilinear Pairing and Diffie-Hellman problem. The third section describes the system proposed in our article. In the fourth section, we demonstrate the security analysis of our solution, the significant attributes of our solution and show the comparisons with other solutions. In the fifth section, conclusions are provided.

Secret sharing schemes
In this part, we show the statement of the hierarchical access structure. Definition 1. A (t, n) threshold secret sharing scheme Q : S 3 R ! S 1 3 S 2 3 Á Á Á 3 S n over P (P is the aggregate of game participants, that is P = fP 1 , P 2 , :::, P n g and jPj = n), satisfying the two following conditions, in which S is the shared secret space, S i (1 ł i ł n) is the share space, and R is an aggregate of random feeds.
A brief overview of the hierarchical access structure is provided in the following section.

Definition 2.
Make n indicate the total number of participants. In the hierarchical secret sharing scheme, the participants P can be grouped into classes g 1 , g 2 , :::, g m of the participants, P = [ m i = 1 g i and g i \ g j = [ for all 1 ł i\j ł m: The class g i contains n i participants, in which i 2 f1, 2, :::, mg. Let K = fk i g m i = 1 be assorted in ascending sequence, 0\k 1 \k 2 \ Á Á Á \k m : The (K, n)À hierarchical threshold access structure is

LHR relations
We briefly describe the LHR relations. The LHR relations are introduced in detail in the studies by Xu and other peers. [22][23][24][25] Theorem 1. Let h 0 , h 1 , :::, h j , :::, be a series of numbers and a 1 , a 2 , :::, a m be the different roots of the following characteristic equation of the LHR relation with constant coefficients where a t 6 ¼ 0, a i is chosen over GF(q) ( j ø t), and q is a large prime. If a i is a t i -fold root of the characteristic equation (1), then the part of the resolution of the recurrence relation with respect to a i is given as For recursive relations, the usual solution is derived from the following where

Diffie-Hellman problem
Given a cycle additive group G = \g., with g being the generator and the order of G being the large prime q, 1. The problem of the discrete logarithm is defined as computing a, provided (g, ag), where 8a 2 Z q ; 2. The computational Diffie-Hellman (CDHP) problem is defined as computing (ab)g, provided (g, ag, bg), where 8a, b 2 Z q ; 3. The decisional Diffie-Hellman problem (DDHP) is defined as deciding whether (ab)g = cg, provided (g, ag, bg, cg), where 8a, b, c 2 Z q .
It is called the GDH group when DDHP is solvable in polynomial time, but no probabilistic algorithm can solve CDHP in the polynomial time with a nonnegligible advantage.

Bilinear pairing
Suppose that G 1 and G 2 are an additive group and a multiplicative group, respectively, with the same prime order q. Here q is a large prime. Let g be a generator of G 1 . Suppose that DDHP is easy in G 1 and hard in G 2 .
We assume CDHP in G 1 and the DDHP in G 2 are hard. We call it the cryptographic bilinear mapping, if a mappingê : G 1 3 G 1 ! G 2 satisfies the following properties: bQ 1 ) =ê(H 1 , Q 1 ) ab : 2. Non-degeneracy: If g is a generator of G 1 , then the generator of G 2 isê(g, g). In other words, if

The proposed scheme
In the following section, we show how the proposed scheme works. The proposed scheme is built upon the LHR relations and the elliptic curve public key cryptosystem (ECC). P = fP 1 , P 2 , :::, P n g denotes the set of the participants, where P i is the ith participant in the set, 1 ł i ł n. Our scheme is composed of three stages, namely, initialization stage, construction stage and recovery stage. In the initialization stage, we initialize some functions or parameters; in the construction stage, the shared secrets are hidden in these terms h 1 , :::, h l , and in the recovery stage, we recover the shared secrets by getting these terms h 1 , :::, h l first. The distributor is honest in our scheme. But the participants can be malicious, because in our scheme the participants can be detected if they provide fake pseudo shares. The distributor acts the role in the construction stage and the participants act the role in the recovery stage.
We first describe the main idea of the proposed scheme. The proposed scheme contains n participants and one dealer/distributor. Only one shadow s i 2 Z Ã q is held by each participant P i . The distributor selects m random LHR relations. In the construction stage, the participants in g 1 are used to construct m LHR relations and the participants in g i are used to build m À i + 1 LHR relations, where 2 ł i ł m. So some participants can be replaced by other participants who have the higher privilege. That is, the participants in g i can replace the participants in g iÀj , where i À j ø 1. Then, the distributor adds the m general terms of the m LHR relations. From Theorem 1, we know that the sum is a general term of an LHR relation and we denote this LHR relation as F-LHR relation. The distributor selects the shared secrets and keeps the shared secrets hidden in the first several terms of F-LHR relation. So in the recovery stage, the recovery of the shared secrets is achieved through resolving the general term of F-LHR relation. After that, we obtain the items that hide the shared secrets. The notations used are shown in Table 1.

Initialization stage
The proposed scheme is rested on the LHR relations in GF(q), where GF(q) is a finite field. key 1 , key 2 , :::, key l denote the l secrets that can be shared among the participants. The participant P i herself or himself chooses the shadow s i 2 Z Ã q , not the distributor (D) for the selection. In this way, it is possible to protect the key distributor from forgery.
1. An elliptic curve E over GF(q) is selected by D, in which q is a large prime. Assume that G 1 is an additive group with the order q. Assume that DDHP is simple and CDHP is tough in G 1 .
Suppose G 1 to be the elliptic curve. Assume G 2 to be a multiplicative group with the same order q. Supposê e : G 1 3 G 1 ! G 2 to be a bilinear mapping and the conditions in the section 'Bilinear pairing' can be satisfied.
2. D selects a generator g for G 1 . 3. These values fG 1 , g, qg are published/released by D.
Each participant P i chooses s i 2 Z Ã q to be the shadow for himself/herself and then calculates B i = s i g 2 G 1 , 1 ł i ł n. Each participant P i keeps s i and then securely sets B i to D. D should ensure that B i 6 ¼ B j , if i 6 ¼ j. In the case where B i = B j , these participants will then be asked by D to pick their shadows again. D releases (ID i , B i ), in which ID i is the participant P i 's identity. In the last part of this section, we define a doubleargument one-way function as given in the study by Chien et al. 11 Given random value r and value w, the f (r, w) represents a double-argument one-way function that is easily computed. In some cases, though, it is difficult to be computed: 1. Knowing f (r, w) and w, r is hard to be worked out. 2. Unknowing w, f (r, w) is hard to be worked out for any r. 3. Knowing f (r, w) and r, w is hard to be calculated. 4. Knowing f (r, w) and r, for r 0 6 ¼ r, f (r 0 , w) is hard to be calculated. 5. Knowing w, it is quite a challenge to get two such distinct characters r 2 and r 1 that

Construction stage
In the construction stage, the key distributor D first generates m different LHR sequences fh (1) i g, fh (2) i g, :::, fh ( j) i g, :::, fh (m) i g. In our scheme, k 1 , k 2 , :::, k m are the degrees of the characteristic equation of the i ) denotes the jth LHR relation. Figure 1 shows the construction stage, where g 1 + g 2 + Á Á Á + g mÀ1 denotes S mÀ1 i = 1 g i and Pshare denotes the pseudo share.
Theorem 2. The addition of two general terms of two different LHR relations is a general term of an LHR relation.
Proof of Theorem 2. Suppose that h (1) i and h (2) i are the general terms of two different LHR relations with the different degrees t 1 and t 2 , respectively, and assume i . So, it is only necessary to prove that h i is the general term of an LHR relation. From Theorem 1, we know h i is the generic term of an LHR relation, and t 1 + t 2 is the degree of the LHR relation (h i ).
The distributor D distributes the shares through the following procedure: 1. The distributor D randomly selects the integer r 1 , r 2 , :::, r m and publishes them.
3. The distributor D chooses m different integers a 1 , a 2 , :::, a m over GF(q) and publishes them, where each of them is non-zero. 4. D selects the value a 1 to make (x À a 1 ) k 1 = x k 1 + a 11 x k 1 À1 + Á Á Á + a 1k 1 = 0 as The ith participant in set P key i The ith shared secret The shadow hold by the ith participant P i s 0 2 Z Ã q The shadow hold by the distributor D g i The ith subset of the participant h i The ith term in the sequences fh i g n i = 0 and fh i g n i = 0 is written as fh i g in our scheme. In our scheme, we use h i to denote the general term q The large prime GF q ð Þ The finite field G 1 The additive group with the generator g and the order of G 1 is q G 2 The multiplicative group with the order q B 0 The share gs 0 was generated by distributor D and published B i The share gs i was generated by the ith participant and published R i The pseudo share s i B 0 f r, w ð Þ The double-parameter one-way function ðh ð jÞ i Þ The jth linear homogeneous recurrence relation r 1 , r 2 , :::, r m m random values the auxiliary function of an LHR relation, where q.a 1i and 1 ł i ł k 1 . 5. D computes the pseudo share R i = s 0 B i and I 1 i = f (r 1 , R i ), where i = 1, 2, :::, n 1 , and n 1 is the quantity of participants in the sub-group g 1 . 6. D considers the first LHR sequence which is defined as We use the participants in the sub-group g 1 to build the first LHR sequence. During the recovery stage, the general term of the first LHR sequence is allowed to be retrieved only by the participants in the sub-group g 1 .
and publishes y 1 i , where k 1 \i ł n 1 . 9. D continues to generate m À 1 LHR sequences.
The jth LHR sequence fh ( j) i g is generated as follows, for j 2 f2, 3, :::, mg. 9.1. D selects the value a j to make (x À a j ) k j = x kj + a j1 x kjÀ1 + Á Á Á + a jk j = 0 as an auxiliary function of an LHR relation, where q.a ji and 1 ł i ł k j . 9.2. D computes I j i = f (r j , R i ), where i = 1, 2, :::, n 1 + n 2 + Á Á Á + n j , and n 1 + n 2 + Á Á Á + n j is the number of the participants in the subset S j i = 1 g i , where n 1 + n 2 + Á Á Á + n j is denoted as N j . That is, j S j i = 1 g i j = n 1 + n 2 + Á Á Á + n j = N j . 9.3. D considers the jth LHR sequence fh ( j) i g, which is defined by We use the participants in the subset S j i = 1 g i to construct the jth LHR sequence. In the recovery stage, only the participants in the subset S j i = 1 g i can recover the general term of the jth LHR sequence.

D computes h ( j)
i , where k j ł i ł N j À 1. 9.5. D computes y j i = I j i À h ( j) iÀ1 and publishes y j i , where k j \i ł N j . 10. After the m LHR relations are generated, D combines them into an LHR relation. Let i . From Theorem 2, we can determine that h i is the general term of an LHR relation and the degree of this LHR relation (h i ) is k 1 + Á Á Á + k m . Since the degrees of these LHR relations (h (1) i ), :::, (h (m) i ) correspond to k 1 , ::, k m , respectively, so the sum of these degrees is k 1 + Á Á Á + k m . However, we define the threshold of the hierarchical secret sharing scheme as k m , because k m different participants can recover the shared secrets (Since at least k 1 participants from the subset g 1 , at least k 2 À k 1 participants from the subset g 2 and so on, and the last k m À k mÀ1 participants from the subset g m can recover the LHR relation (h i ), the threshold of the hierarchical secret sharing scheme is k 1 + (k 2 À k 1 ) + Á Á Á + (k m À k mÀ1 ) = k m ). 11. D computes d i = key i À h iÀ1 and publishes d i , where 1 ł i ł l. This means that we can hide the shared secrets in these terms h 0 , h 1 , :::, h lÀ1 .

Remark 1.
The double-parameter one-way function makes sure that for the same R i , the random values f (r j , R i ) and f (r k , R i ) are different, where k 6 ¼ j. This means that if some participants' pseudo shares are used to construct different LHR relations, the doubleparameter one-way function makes sure that for the same pseudo share, the random values are different.

Recovery stage
In this section, we present how the shared secrets are recovered. First, a proposition is given as follows.
Proposition 1. Provided that a i is a t i -fold root of the characteristic formula of an LHR relation and the general resolution of this LHR relation is obtained as its coefficient c ik can then be fixed by the t initial values, which is achieved by resolving the system of linear formulas, in which t = P m i = 1 t i : The participant P i can get every participant's pseudo share R j by exchanging in a qualified sub-group, where i 6 ¼ j. In the qualified sub-group, the participants need to recover m LHR sequences before obtaining the shared secrets. The jth LHR sequence is recovered as follows.
From the construction stage, we know that the order of the jth LHR relation is k j . We need at least k j participants when we are trying to recover the jth LHR sequence. But there are k jÀ1 participants from S jÀ1 i = 1 g i (if k jÀ1 participants use their pseudo shares to solve the general term h ( jÀ1) i of the (j-1)th LHR relation, they need to be combined to solve the general term h ( j) i of the jth LHR relation, where 2 ł j ł m). The other k j À k jÀ1 participants are from the subset g j .
With the use of those pseudo shares, the participants of the qualified sub-groups compute k j items of the jth LHR relation as follows Based on Proposition 1, k j points (i À 1, h ( j) iÀ1 =a iÀ1 j ) leads to the determination of the (k j À 1)th degree polynomial p j (x), and its definition is where A 2 f1, 2, :::, ng and the superscript of p(x) represents different polynomial. According to Theorem 1, h ( j) i = p j (i)a i j , in which p j (i) is a k j À 1 degree polynomial and i ø 0, we can have the general term h ( j) i . After obtaining m general terms of m LHR sequences fh (1) i g, fh (2) i g, :::, fh (m) i g, the general term h i is where the order of the LHR relation (h i ) is k 1 + Á Á Á + k m . But the global threshold is k m (If k j À k jÀ1 participants from the subsets g j use their pseudo shares to recover the general term h ( j) i , then they must use their pseudo shares to recover the general terms h ( j + 1) i , :::, h (m) i . For example, if k 1 participants from g 1 use their pseudo shares to recover the general term h (1) i , k 1 participants need to use their pseudo shares to recover the general terms from the second LHR sequences to the last LHR sequences. So the scheme needs at least k 1 + (k 2 À k 1 ) + Á Á Á + (k m À k mÀ1 ) = k m participants to recover the shared secrets). From d i = key i À h iÀ1 and the published value of d i , the shared secrets can be obtained by Remark 2. In the recovery stage, a participant P j can detect whether another participant P i is honest or not by the functionê. Ifê(g, R 0 i ) =ê(B 0 , B i ), then the participant P j can say that the participant P i is honest, becausê e(g, R

Illustrative sample
We present an example to demonstrate the proposed scheme and show how the LHR relation is useful in the hierarchical access structures in this section. For illustration convenience, we suppose that in a company there are n employees, and the employees are divided into two disjoint levels g 1 , g 2 , the managers and the employees (the authorities of the managers are higher than the employees). There are n 1 managers in the subset g 1 and n 2 employees in the subset g 2 , where n = n 1 + n 2 . At least k 2 staff of them can recover the shared secrets, among which at least k 1 are managers, where k 2 .k 1 . We select two values a 1 and a 2 , and make as two different auxiliary functions for the two different LHR relations. After the steps from 5 to 9.5 as described in the construction stage have been done (with m = 2 here), we can have We note that the distributor D uses n 1 managers' pseudo shares to generate the LHR sequence {h (1) i } and n 1 + n 2 staff members (include the managers and the employees) to generate the LHR sequence fh (2) i g. That is, only at least k 1 managers can solve the general term h (1) i of the sequence {h (1) i }. Still, at least k 2 staff members can solve the general term h (2) i of the sequence fh (2) i g, where k 1 out of k 2 are managers (Because the privilege of the managers is higher than the employees, they should combine the pseudo shares to solve the second general term h (2) i . If the employees are not enough, other managers except the k 1 can combine the employees to pool the pseudo shares to solve h (2) i .) We hide the shared secrets in these terms h 1 , :::, h l .
From the above, we can get that our scheme's global threshold is k 2 , because our scheme needs at least k 2 participants from g 1 S g 2 to recover the shared secrets.
The security analysis and discussion of our scheme In this section, we first present the possible attacks and prove that our scheme is secure. Then we show the performance of our scheme and compare it with the scheme by Traverso et al. 19

Security analysis
In this section, we call all of s i and R j share-related information, where s i is the shadow that is randomly selected by the participant or distributor himself or herself, B i = s i g (B i = s i g is public), R j = s 0 B j and 0 ł i ł n, 1 ł j ł n. First, we prove the security of the share-related information. Second, we prove the security for the participants in the unqualified subset. The security of the share-related information is easy to be proved.
Theorem 3. The share-related information is secure, provided the CDH-assumption is intractable.
Proof of Theorem 3. If the adversaries want to break the share-related information, they should obtain useful information from the public values B i = s i g, 0 ł i ł n. We assume that the adversaries can break the sharerelated information with the non-negligible probability E. That is, given s i g and s j g, the adversaries can get s i s j g or extract s i (or s j ) with the non-negligible probability E as well, where i 6 ¼ j. This contradicts the Diffie-Hellman problem. The adversaries may give a fake R 0 i , but the other honest participants can decide whetherê(g, R 0 i ) =ê(B 0 , B i ) is right or not (because DDHP is easy in G 1 ). If it matches, then the other honest participants can say that the value R 0 i is valid. Otherwise, it is invalid. Thus, the share-related information is secure.
In the following section, we demonstrate why the proposed solution is safe for a subset of participants who do not qualify. When participants in the ineligible subset want to recover the secrets, they must recover every LHR sequence. For illustration convenience, we suppose that the unqualified subset B satisfies the conditions as follows where 1 ł j ł m, t 2 f1, 2, :::, mg, k 0 = 0 and t 6 ¼ j: That is to say, the unqualified subset can recover other m À 1 sequences, except the jth LHR sequence. Since s i is chosen by himself/herself and I j i = f (r j , R i ), we can say that each I j i is uniformly chosen in Z Ã q , that is, for each I j i , all values in Z Ã q have the same probability. From the public value a j , the characteristic equation of an LHR relation can be determined, according to Theorem 1. If the relation of the sequences is given, the characteristic equation can be determined, and then the root of the characteristic equation can be found. Thus the public value a i discloses no information apart from characteristic equation of an LHR relation, 1 ł i ł m.  polynomials with (k j À 1) degree is safe to the unqualified participants. 20 Proof of Theorem 4. Assume that the k j order of the LHR relation is safe to the unqualified participants. Using equations (4), (6) and (2) and the public value a j 6 ¼ 0, we could obtain in which the degree of p j (i) is k j À 1. It is clear from the above that public value a j gives away no information except characteristic equation. If the polynomial with degree (k j À 1) is unsafe for unqualified participants, it means that the k j À 1 points can determine a polynomial with degree (k j À 1). We can also deduce from equation (7) that the k j À 1 value can obtain the LHR relation with the degree k j . This is contradicted with Proposition 1.
(() Assume that the polynomial with the degree (k j À 1) is safe for the unqualified participants. If the LHR relation with degree k j is insecure, then k j À 1 random terms (h ( j) i 1 , h ( j) i 2 , :::, h ( j) i k j À1 ) can determine the LHR sequences. Following equation (7), we select the distinct k j À 1 terms and then can obtain the k j À 1 points of the polynomial p j (i) with degree k j À 1. Then we can determine the polynomial p j (i). It can be said that the k j À 1 points could decide a polynomial with degree (k j À 1). This contradicts our assumptions. Therefore, the question of recovering the jth LHR relation from participants in the disqualified subset B that satisfies the aforementioned condition could be regarded as the question of whether k j À 1 points could decide the polynomial with the degree (k j À 1).
We can draw the conclusion that the possibility of cracking our scheme is no better than the possibility of cracking the Diffie-Hellman problem. Therefore, it can be considered that our scheme is safe.

Performances
From the section 'The proposed scheme' and the security analysis above, we conclude that the proposed scheme is a secure and verifiable hierarchical secret sharing scheme. In this section, we show some essential characteristics. In the proposed scheme, each participant's ID is posted on a publicly available message board, and each participant's shadow is selected by himself/herself over GF(q). Each participant can verify whether the pseudo-random shares of other participants are correct. Throughout the entire process, each participant only needs to hold one shadow, and the shared secrets are selected over GF(q). So the shadow held by a participant is as long as the shared secret.
Each participant obtain k m À 1 pseudo-random shares from the other participants, and each participant's communication and computation is the same (Since k m participants are required to recover the secrets, each participant needs to communicate with k m À 1 participants, so the times of the communication for each participant is k m À 1). The computation refers to recovering the secrets with the obtained pseudorandom shares (including their own and those obtained by exchanging with other participants). In the recovery stage, from equation (6), we know that computational complexity of our scheme depends on the degree of polynomial p m (x) (because the degree of the polynomial p m (x) is highest among these polynomials p i (x), where 1 ł i ł m) and the power of a constant a m . The computational complexity of the polynomial p m (x) is O(n k m À1 ) and the computational complexity of the power of a constant is O(logn). So the computational complexity of our scheme is O(n k m À1 logn).
In the case when the system needs to be reinitialized with the LHR relations, our scheme only needs to provide the new values r

Comparisons
In the solution by Traverso et al., 19 when allocating identities and shares to participants, the distributor must perform a potentially exponential number of checks. In our scheme, participants do not have to check the non-regularity of many matrices. They just need to construct m different LHR relations, find the general terms of them and add these terms. More precisely, we can conclude that the participants only need to do the evaluation calculation of polynomials and the summation calculation of different polynomials in our scheme by induction. The computational complexity of the polynomial is O(n k m À1 ) and the computational complexity of the power of a constant is O(logn). So the computational complexity of our scheme is O(n k m À1 logn) as given in the study by Yuan et al. 21 But more values should be published. So comparing to Traverso's et al. 19 scheme, our scheme is more efficient.

Conclusion
We present a hierarchical secret sharing scheme with the LHR relations and the ECC. The performance of the proposed method is also listed below. The LHR relations could be utilized for constructing a verifiable hierarchical secret sharing scheme. The participants' shadows are selected by themselves in the proposed scheme. Therefore, no deception exists between the distributor of the shared secrets and the participants. In the whole scheme, only one shadow is held by one participant, and the secret is the same length as the shadow. The proposed scheme is not required to keep a safe channel between the distributor and the participant. The participants cannot cheat each other.
Our scheme overcomes the drawbacks that the distributor will have to do potentially exponential multiple checks for distributing identifications and shadows to participants on the basis of Birkhoff interpolation. But our scheme needs more public values than the existing popular schemes.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship and/or publication of this article.