- Permutation : π j ∈

Π n where Π n denotes the set of all permutations on

3 .

4. Randomly select a permutation π 0 ∈

{

1 , ..., n

}

Π n , and send π 0 to all players.

appears first in the permutation π l ∗ − 1 .Construct

n lists, denoted by L 1 , ..., L n ,where L i 0

5. Suppose i 0 ∈{

1 , ..., n

}

is of length l ∗ and the other n

−

1 lists

are of length l .For1

≤

i

≤

n and 1

≤

j

≤

l ,the j -th cell of L i contains: (Note

the list L i 0 ends after the l ∗ -th cell)

- Share of main : s ji and s ji ,where s ji (resp. s ji )isa( t, n )-share 4 of s j

(resp.

s j ).

- Share of index : I ji and I ji ,where I ji (resp. I ji )isa( t, n )-share of I j

(resp.

I j ).

- Share of permutation : π ji which is a ( t, n )-share of π j .

- Authentication information : The tags

1 ≤ h ≤ n,

h = i

{ Mac α j,i,h ( s ji ) , Mac α j,i,h ( s ji ) , Mac β j,i,h ( I ji ) , Mac β j,i,h ( I ji ) , Mac γ j,i,h ( π ji )

|

}

α j,h,i ,α j,h,i ,β j,h,i ,β j,h,i ,γ j,h,i

.Wenote

that the key α j,h,i is used to verify a tag of s jh andisstoredinthe j -th cell

of L i .

6. For 1

and the keys

{

|

1

≤

h

≤

n, h

= i

}

≤

i

≤

n , send the list L i to player P i .

Players' Protocol

Suppose k ( k ≥ t ) players are to jointly recover the secret. The recovering pro-

cess consists of at most l iterations. In the j -th iteration for 1

≤ j ≤ l ,ifthe

protocol does not end, the players do the following:

1. Recover s j . In the order determined by the permutation π j− 1 ,eachplayer

(say, P i ) sends to the other players ( s ji , Mac ( s ji )). Hereafter we usually omit

the key in the MAC because it is clearly determined by the message and the

receiver. Players verify the MACs after receiving messages. If all messages pass

the verification, then each player recovers s j .

2. Recover I j . Still in the order of π j− 1 players send their shares along with

MACs, and then recover I j .

3. Recover s j .Sameasabove.

4. Recover I j .Sameasabove.

5. Recover π j .Sameasabove.

In any of the above five steps, a player quits from the protocol at encountering

any one of the following situations.

- His list has run out. Then he quits and sets the secret to be the last value

he recovered. For example, if his list is of length l and the protocol does not

end after the first l iterations, then he quits in the ( l + 1)-th iteration and

sets s = s l .

3 Precisely, the permutation

π j

denotes an order in which players send messages in

the ( j + 1)-th iteration.

4 The share can be generated by Shamir's ( t, n )-threshold secret sharing scheme.