Towards Dynamic and Reliable Private Key Management for Hierarchical Access Structure in Decentralized Storage

With the widespread development of decentralized storage, it is increasingly popular for users to store their data in decentralized database systems for the well-understood benefits of outsourced storage. To ensure data privacy, systems commonly require users to securely keep their private keys. Thus, the secure storage of private keys is an important issue in these systems. However, existing key-management schemes commonly rely on a Trusted Third Party (TTP), which raises critical security concerns such as a single point of failure and Distributed Denial of Service (DDoS) attacks. In this paper, we propose HasDPSS, a secure and efficient blockchain-based key-management scheme for decentralized storage systems. It uses secret sharing, a lightweight cryptographic technique, to build the decentralized key-management scheme. Considering that the reliability of managing participants has inherent heterogeneity, we introduce the hierarchical access structure to achieve fine-grained key management. Meanwhile, to adapt to the node churn of decentralized key management, HasDPSS enables a dynamic management committee to provide reliable services with a proactive refresh mechanism while protecting the integrity and security of private keys. In our design, we use the dimension switch method of polynomials in the evolving process to achieve the committee change of the hierarchical access structure. The reliability of participants is guaranteed by the customized commitment protocol and the immutable property of the blockchain. We thoroughly analyze security strengths and conduct extensive experiments to demonstrate the practicality of our design.


INTRODUCTION
Decentralized storage with privacy protection has emerged as a promising direction in revolutionizing existing outsourcing storage systems with centralized service providers. Such systems are typically based on blockchain [1], which employs cryptographic techniques to provide the security guarantee. Key management is an important component for providing security in decentralized storage. To preserve their private information, users are required to securely store their private keys. The loss of keys has severe and often irreversible consequences. Thus, the secure management of private keys is a principal foundation for these systems.
Key management has attracted much attention in recent years. A typical solution is to store keys in centralized key-management systems with a trusted third party [2]. Such a practice seems attractive, but it raises critical privacy concerns. This method is contrary to the design intent of decentralized storage, since the existence of the centralized party destroys the decentralization feature. It is thus practically valuable to explore how to securely store private keys for decentralized systems without centralized trust.
Some existing works have focused on applying cryptographic techniques as an attractive alternative to achieve decentralized key-management schemes. Li et al. [3] presented a secure key-management scheme based on the secret sharing technique, which enables users to delegate private keys to a decentralized management committee of multiple participants. In this design, each participant in the committee only holds a share of the keys. However, the scheme cannot deal with security concerns arising from node churn and the diversified credibility of committee members. For these reasons, some schemes [4,5] have been proposed to achieve proactive share updates, where each share can be updated periodically.
Recently, to solve the node churn issue, Maram et al. proposed CHURP [6], a decentralized secret-sharing scheme based on a dynamic committee, which is more practical for blockchain systems. However, CHURP only focuses on the situation where committee members have the same priority. It cannot adapt to a dynamic key-management committee with a hierarchical access structure. The Hierarchical Access Structure (HAS) has been widely used in practical applications and has attracted much attention [7,8]. To achieve fine-grained key management, shares held by committee members at higher levels are more significant in this management structure. In practice, the reliability and priority of blockchain nodes have inherent heterogeneity. For example, in a blockchain system based on Proof of Stake (PoS) consensus [9], priorities of block packaging are determined by the amount of cryptocurrency held by each node. Thus, it is necessary to design a general key-management scheme that supports the hierarchical access structure on decentralized storage systems.
There is a great challenge in implementing the dynamic key-management committee based on the hierarchical access structure. Existing schemes that support the dynamic committee [4,6] implement the change of committee members via secure Multi-Party Computation (MPC). The basic assumption of these schemes is that the key-management shares have the same priority. When the committee changes, a random number is generated by the new committee via MPC and added to the reconstructed new shares to distinguish between the old and new committee shares. However, these methods cannot work in a key-management committee with the hierarchical access structure. Simply adding the same random number to shares cannot guarantee that the set of new shares still satisfies the hierarchical access structure. To realize the dynamic committee in the hierarchical access structure, the random values added to shares of different priorities must meet certain conditions. Meanwhile, for security purposes, the information of node priorities cannot be leaked during the committee change.
In this paper, we propose a decentralized key-management scheme, HasDPSS, which achieves Dynamic Proactive Secret Sharing in a Hierarchical access structure on blockchain. Specifically, HasDPSS employs a bivariate polynomial to share the secret, i.e., the user's private key. The distribution of shares is based on the Birkhoff interpolation theorem to achieve the hierarchical access structure. During the evolving process, when participants of a committee change, it uses the dimension switch method of polynomials to perform the committee switch. Considering the threat along the time dimension, HasDPSS also realizes the proactive randomization of shares without a TTP. HasDPSS introduces a hybrid communication model to bring more savings on communication for key management on blockchain. It consists of a co-design of on-chain and off-chain communication. Both communication overheads are lower than in other schemes. To the best of our knowledge, HasDPSS is the first work to support a dynamic committee in a hierarchical access structure for key management. We highlight our contributions as follows:
• We design a secure and reliable key-management scheme that supports dynamic committees with a hierarchical access structure on blockchain. Compared to prior works, our design can securely handle committee membership changes while maintaining hierarchical management.
• We make hybrid on-chain and off-chain communications to boost communication efficiency in HasDPSS. We also present practical mechanisms to make our scheme more robust, achieving stronger security against a powerful and active adversary.
• We implement a prototype and conduct comprehensive evaluations. Results demonstrate that our design achieves low latency and a practically affordable on-chain cost.

RELATED WORK
Secret sharing was proposed by Shamir [10]. It is a polynomial-based decentralized secret-managing scheme, where the distribution and reconstruction of the secret are based on Lagrange interpolation. In a (, ) threshold scheme [10], secret shares are distributed among  participants of the committee, and only an authorized subset consisting of over  participants can reconstruct the secret. In recent years, it has been widely used in numerous practical applications, such as data aggregation in mobile crowdsensing and federated learning.
Compared with Shamir's secret sharing scheme, the Proactive Secret Sharing (PSS) scheme proposed by Herzberg et al. [11] further strengthens the security assumption. It introduces the time dimension and assumes a powerful adversary can constantly compromise the members of the committee. Some studies have proposed improved PSS schemes for application in practice [12,13]. The PSS scheme and its variants assume that the powerful adversary can continuously compromise participants in the committee. The members of the committee proactively refresh the shares after a fixed epoch to withstand compromise, while maintaining the secret. However, most PSS schemes are accompanied by a significant amount of communication overhead that increases exponentially.
The hierarchical access structure for secret sharing was proposed in [14]. Tassa proposed Hierarchical Secret Sharing (HSS), and secret sharing in HAS has since been studied in many works [7,15,16]. It is an important key-management technique since it is specially designed for hierarchical organizations. Compared with PSS schemes, HSS schemes can realize multilevel and compartmented access structures. For example, Yuan et al. propose a hierarchical scheme for multiple secrets based on linear homogeneous recurrence relations in [8]. In general, these schemes employ integer polymatroids or linear homogeneous recurrences. Most of these works only focus on hierarchical management and the security guarantee inside the committee, but ignore the security threat from external adversaries. Moreover, these schemes cannot handle the problem of node churn in blockchain systems. Most of those schemes that do support a dynamic committee have a significant amount of communication overhead that increases exponentially.

PRELIMINARIES

Hierarchical Access Structure
Let  = { 1 ,  2 , • • • ,   } be a set of  participants consisting of  levels. The set of participants in the ()-th level is denoted by   , where  =  =0   and   ∩   =  for all 0 ≤  <  < .
Let  = ( 0 ,    threshold of each level. The access structure of the hierarchical secret-sharing scheme is described as follows: A secret-sharing scheme that achieves this access structure is a (K, )-hierarchical threshold scheme [14]. The Birkhoff interpolation corresponding to the triplet ⟨, , ⟩ is to find a polynomial  () ∈   −1 [𝑥] satisfying  equalities
If the pair ⟨, ⟩ is regular, the set of equalities (2) has a unique solution for any choice of .

Lagrange Interpolation
Lagrange interpolation can be viewed as a special case of Birkhoff interpolation. The interpolation matrix in Lagrange interpolation has only one column, i.e., all data correspond to the zeroth-order derivative. Specifically, given the point set satisfying  equalities as follows: For any choice of , the problem of Lagrange interpolation always has a unique solution.
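As an added illustration (not code from the paper), the following Python implements the (K, n)-hierarchical threshold sharing of Sections 3.1 and 3.2 over a prime field: a node at level j receives a point of the k_{j-1}-th derivative of the sharing polynomial (k_{-1} = 0), reconstruction sets up the Birkhoff interpolation system and solves it, and with a single level every equation has order zero, so the same solver performs plain Lagrange interpolation on a Vandermonde system. The modulus, thresholds, node identities and fixed coefficients are constructed sample values; the solver returns None when the interpolation matrix is singular, which is the non-zero determinant condition the paper checks when assigning node identities.

```python
import secrets

# Constructed parameter: all arithmetic is over the prime field GF(P).
P = 2**61 - 1


def poly_eval(coeffs, x):
    """Horner evaluation of sum(coeffs[n] * x**n) mod P (coeffs[0] is the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def birkhoff_row(x, order, k):
    """Row of the Birkhoff interpolation matrix for the equation P^(order)(x) = value
    in the unknowns a_0..a_{k-1}: d^r/dx^r x^n = n!/(n-r)! * x^(n-r), and 0 when n < r."""
    row = []
    for n in range(k):
        if n < order:
            row.append(0)
            continue
        falling = 1
        for m in range(n, n - order, -1):
            falling *= m
        row.append(falling % P * pow(x, n - order, P) % P)
    return row


def solve_mod(matrix, rhs):
    """Gauss-Jordan elimination over GF(P). Returns None when the matrix is singular,
    i.e. the 'determinant equals zero' case that the identity assignment must rule out."""
    n = len(matrix)
    aug = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] % P), None)
        if pivot is None:
            return None
        aug[col], aug[pivot] = aug[pivot], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % P for a, b in zip(aug[r], aug[col])]
    return [aug[r][n] for r in range(n)]


def hierarchical_share(secret, thresholds, nodes, coeffs_tail=None):
    """Hierarchical sharing: thresholds = (k_0 < k_1 < ... < k_{m-1}); the sharing
    polynomial has degree k_{m-1}-1 with P(0) = secret, and a node at level j receives
    the point P^(k_{j-1})(x) of the k_{j-1}-th derivative (k_{-1} = 0).
    nodes: list of (identity x, level). coeffs_tail fixes the coefficients for tests."""
    k = thresholds[-1]
    tail = coeffs_tail if coeffs_tail is not None else [secrets.randbelow(P) for _ in range(k - 1)]
    coeffs = [secret % P] + [c % P for c in tail]
    assert len(coeffs) == k
    shares = {}
    for x, level in nodes:
        order = 0 if level == 0 else thresholds[level - 1]
        row = birkhoff_row(x, order, k)
        shares[x] = (level, sum(r * c for r, c in zip(row, coeffs)) % P)
    return shares


def is_authorized(levels, thresholds):
    """Access structure: for every level j, at least k_j participants come from
    levels 0..j, so higher-level shares are the more significant ones."""
    return all(sum(1 for lv in levels if lv <= j) >= k_j for j, k_j in enumerate(thresholds))


def reconstruct(subset, thresholds):
    """subset: {x: (level, value)}. Builds the Birkhoff system from the k highest-priority
    shares and solves it. Returns the secret, or None when the subset is unauthorized or
    the interpolation matrix is singular. With thresholds=(k,) every row has order 0 and
    this is Lagrange interpolation of a Vandermonde system."""
    k = thresholds[-1]
    if not is_authorized([lv for lv, _ in subset.values()], thresholds):
        return None
    chosen = sorted(subset.items(), key=lambda item: item[1][0])[:k]
    matrix, rhs = [], []
    for x, (level, value) in chosen:
        order = 0 if level == 0 else thresholds[level - 1]
        matrix.append(birkhoff_row(x, order, k))
        rhs.append(value)
    solution = solve_mod(matrix, rhs)
    return None if solution is None else solution[0]
```

With thresholds (1, 3), the level-1 nodes hold points of the first derivative, which carries no information about the constant term; three level-1 shares therefore fail both the access-structure check and the interpolation (the first column of their matrix is all zeros), while one level-0 share plus two level-1 shares suffice.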

PROBLEM STATEMENT

System Architecture
The basic service model of our design is illustrated in Fig. 1. We consider two parties in our design, namely users and the multi-level key-management committee. For privacy protection, the user's private key is submitted in encrypted form. Specifically, secret sharing, a lightweight cryptographic primitive, is employed to encrypt the private key. Each share is expected to be received by a participant in the committee. We then have two basic assumptions: 1) participants of the committee differ in their levels of reliability; 2) they may periodically leave/join the committee or change their levels in the hierarchical access structure.
HasDPSS adopts the hierarchical access structure [14], where the presence of higher-level participants is more important to the management of the private key. Let  denote the committee. We divide members of  into  different levels and  (, ) , and the number of nodes is at least 3  for level . We further define K ), and the managed key can be reconstructed only if the number of shares obtained from each level satisfies the parameter K of the hierarchical access structure.
In a dynamic committee, time in HasDPSS is divided into fixed intervals of predefined length, called epochs. Fig. 2 shows the committee transition and the evolving process along time. In epoch  − 1, the committee, denoted  ( −1) , manages the private key  and transfers it to a new committee  ( ) at the end of the epoch. The evolving process depicted in Fig. 3 contains several protocols to achieve the committee transition. Our scheme is designed to support the dynamic committee in the hierarchical access structure while keeping the integrity of the private key.
In practice, the same set of nodes may actively participate in committees of different epochs, i.e., the nodes with dark color in Fig. 3. As the committees may intersect, here we logically separate their roles for a clear and flexible architectural illustration.

Adversarial Model
Following prior work on decentralized key management based on secret sharing [6], we consider a powerful adversary A in our design. A node may be caught by A at any time and is assumed to remain corrupted until the end of the epoch. When the current epoch ends, A needs to regain control of the nodes.
We assume the adversary is computationally bounded and limit A to corrupting fewer than the thresholds  = ( 0 ,  1 , • • • ,  −1 ) of the nodes in the committee, where   denotes the threshold of level . This also reflects that nodes at higher levels are harder to corrupt. A obtains the shares from corrupted nodes and may control nodes to deviate from the protocol arbitrarily. The number of shares held by A may exceed the threshold, but fewer than  nodes of each level are controlled in each epoch (i.e., A may corrupt fewer than   nodes of level ). As noted above, shares need to be refreshed proactively to prevent leakage of the managed key.
Furthermore, observe that members of committees  ( −1) and  ( ) are active during the evolving process between epochs  − 1 and . We further assume that A may corrupt fewer than  nodes in the evolving process and control up to (2 •  − 1) nodes of each level at this time.

Communication
On-chain processing incurs monetary costs, and simply putting all workload on chain is highly uneconomical. A co-design of on-chain and off-chain computing is necessary. We aim to design a pragmatic key-management scheme with on-chain privacy and on-chain efficiency, and on that basis also with consideration of off-chain efficiency in HasDPSS. In addition, channels are assumed to be reliable in both on-chain and off-chain communication.

On-chain.

Our design focuses on the key-management scheme via a public/permissionless blockchain, e.g., Ethereum. (The scheme is also appropriate for permissioned blockchains.) For such blockchains, users pay to write but read for free. We assume that members of the committee have access to the blockchain, and they can post or retrieve messages from it. Note that in our design, we do not consider the confirmation latency of messages. After a node posts a message on chain, it will be published within a finite interval that is sufficiently small compared to the epoch, i.e., access to the blockchain is synchronous. This model is widely adopted in the literature [17,18].

Off-chain.

Similar to most existing works on the co-design of off-chain and on-chain computing [19,20], it is assumed that nodes have a point-to-point channel with every other node. They can communicate with each other via high-speed links to satisfy synchronicity off-chain. Note that synchronicity is required only for performance, not for security, robustness or integrity. The adversary A cannot capture more nodes by temporarily slowing down the protocol execution via network latency. Compared to ℎ (e.g., a day, which is commonly adopted in proactive secret-sharing schemes [6]), HasDPSS only requires a short period to perform the evolving process. Furthermore, suppose that there are  nodes in total in the system. We write N to denote the set of nodes, in which each node is uniquely indexed by an integer  ∈ [1,  ]. For initialization, each node generates its communication key pair and distributes the public key. Nodes use the Bilinear Pairing Instance Generator to generate a random bilinear group (, ,   , , ) ← (1  ), where  is the security parameter. Then  is selected randomly in  *  as the private key, and the public key of the current node is  = , where  ≫  −1 . Such a design is common in the construction of key pairs based on bilinear pairings [21][22][23].

THE PROPOSED DESIGN
We now introduce the design rationale of HasDPSS and present how to realize proactive secret sharing in HAS for a dynamic key-management committee through the dimension switch. In the following description, we consider that a user  wants to securely store its private key , and that there are enough nodes with multi-level priorities in the committee  registered on the blockchain system.

Design Rationale
Our design goal is to establish a blockchain-based secret-managing system with hierarchical access structure where users can securely store their private keys.
It is known that Shamir's (, )-threshold scheme [10] is perfect and ideal. Shares of the secret  are points on a univariate polynomial  () such that  (0) = . The scheme employs Lagrange interpolation to reconstruct . To achieve the dynamic committee, CHURP [6] employs a bivariate polynomial (, ) with the degree ⟨, 2⟩ such that (0, 0) =  to manage the secret, and proposes the ℎ   protocol, a dimension switch process to transfer the secret  to a new committee. In that scheme, a share is a univariate polynomial (, ) or (, ), where  is the index of a node.
Inspired by the above designs, our idea to resolve the security threat is to similarly use a bivariate polynomial to construct the basic secret-sharing polynomial. However, to enable its hierarchical access structure, HasDPSS employs Birkhoff interpolation to reconstruct the managed key and redesigns the dimension switch process. Taking a bivariate polynomial (, ) with the degree , shares of the key  are the univariate polynomials  ( ) (,   ) or  ( ) (  , ), where  and   respectively represent the level and the identification of node , and  ( ) (•) is the ()-th partial derivative of (, ) with respect to the parameter  (we define  −1 = 0). The dimension switch process consists of three phases: Dimension Attenuation, Randomization and Dimension Recovery. Firstly, HasDPSS uses an attenuation protocol to switch the share  ( ) (,   ) to  ( ) (  , ). Twice as many attenuated shares  ( ) (  , ) as complete shares  ( ) (,   ) are needed to reconstruct the key . To realize the proactive refresh of the system, HasDPSS then generates a random polynomial  (, ) with the degree ⟨ − 1, 2 − 1⟩ such that  (0, 0) = 0. The polynomial  (, ) is added to (, ) during the Randomization phase. Note that the additional polynomial  (, ) does not affect the reconstruction of , but it randomizes the polynomial  (•) (, •) or  (•) (•, ) of the current shares. In the last phase, the share is recovered to the complete share  ( ) (,   ) with the degree ⟨ − 1, 0⟩ for the new committee.
In addition, to detect and rule out invalid shares during the evolving process, our idea is to craft a joint off-chain and on-chain design that posts the commitment of the polynomial  or  on the blockchain, via the customized Protocol 1 based on the KZG Commitment [24], and the receiver verifies messages via this commitment.
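As an added example that is not the paper's code, the following Python walks through the three-phase dimension switch on a bivariate polynomial for the single-level case, where every share is a zeroth-order derivative; this is the CHURP-style construction the rationale above builds on, not the Birkhoff variant of HasDPSS, and the helper names, the field modulus and the node identities are assumptions. A complete share of node i is the univariate polynomial B(i, y); an attenuated share of node j is B(x, j). The code makes concrete the threshold doubling described above: t+1 complete shares recover the key, 2t+1 attenuated shares are needed, and adding a random Q with Q(0, 0) = 0 refreshes every share without changing the key.

```python
import secrets

P = 2**61 - 1  # constructed prime field modulus


def poly_eval(coeffs, x):
    """Horner evaluation of a univariate polynomial mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_coeffs(points):
    """Coefficients of the unique polynomial of degree len(points)-1 through the points."""
    n = len(points)
    result = [0] * n
    for i, (xi, yi) in enumerate(points):
        num, denom = [1], 1  # num(x) = prod_{m != i} (x - x_m), denom = prod (x_i - x_m)
        for m, (xm, _) in enumerate(points):
            if m == i:
                continue
            new = [0] * (len(num) + 1)
            for d, c in enumerate(num):
                new[d] = (new[d] - c * xm) % P
                new[d + 1] = (new[d + 1] + c) % P
            num = new
            denom = denom * (xi - xm) % P
        scale = yi * pow(denom, P - 2, P) % P
        for d, c in enumerate(num):
            result[d] = (result[d] + c * scale) % P
    return result


def rand_bivariate(t, constant):
    """Random B(x, y) of degree <t, 2t> with B(0, 0) = constant; coeff[i][j] multiplies x^i y^j."""
    coeff = [[secrets.randbelow(P) for _ in range(2 * t + 1)] for _ in range(t + 1)]
    coeff[0][0] = constant % P
    return coeff


def restrict_x(coeff, x0):
    """B(x0, y) as a univariate polynomial in y (degree 2t)."""
    return [sum(row[j] * pow(x0, i, P) for i, row in enumerate(coeff)) % P
            for j in range(len(coeff[0]))]


def restrict_y(coeff, y0):
    """B(x, y0) as a univariate polynomial in x (degree t)."""
    return [sum(c * pow(y0, j, P) for j, c in enumerate(row)) % P for row in coeff]


def distribute(t, secret, ids):
    """Complete shares for the initial committee: node i holds B(i, y)."""
    B = rand_bivariate(t, secret)
    return {i: restrict_x(B, i) for i in ids}


def reconstruct_complete(full, t):
    """B(i, 0) are points of B(x, 0), degree t: t+1 complete shares recover B(0, 0)."""
    pts = [(i, poly_eval(full[i], 0)) for i in list(full)[: t + 1]]
    return lagrange_coeffs(pts)[0]


def reconstruct_attenuated(att, t):
    """B(0, j) are points of B(0, y), degree 2t: 2t+1 attenuated shares are needed."""
    pts = [(j, poly_eval(att[j], 0)) for j in list(att)[: 2 * t + 1]]
    return lagrange_coeffs(pts)[0]


def attenuate(t, old_full, new_ids):
    """Phase 1: old node i sends B(i, j) to new node j; j interpolates B(x, j) from t+1 points."""
    senders = list(old_full)[: t + 1]
    return {j: lagrange_coeffs([(i, poly_eval(old_full[i], j)) for i in senders]) for j in new_ids}


def randomize(t, att):
    """Phase 2: every new node picks its own Q with Q(0, 0) = 0 and hands Q(x, j) to each j.
    Node j then holds B'(x, j) for B' = B + sum Q, which leaves B'(0, 0) unchanged."""
    out = {j: list(share) for j, share in att.items()}
    for _ in att:  # one contribution per member of the new committee
        Q = rand_bivariate(t, 0)
        for j in out:
            out[j] = [(a + b) % P for a, b in zip(out[j], restrict_y(Q, j))]
    return out


def recover(t, att):
    """Phase 3: node i sends B'(j, i) to j; j interpolates B'(j, y) from 2t+1 points."""
    senders = list(att)[: 2 * t + 1]
    return {j: lagrange_coeffs([(i, poly_eval(att[i], j)) for i in senders]) for j in att}


def evolve(t, old_full, new_ids):
    """One evolving round from the old committee to a new one (needs >= 2t+1 new nodes)."""
    return recover(t, randomize(t, attenuate(t, old_full, new_ids)))
```

During the hand-off an adversary holding t old complete shares and t new attenuated shares has at most 2t points of the degree-2t polynomial B(0, y), one short of what reconstruction needs, which is the reason for switching to the attenuated dimension before randomizing.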

System Initialization
The initialization stage of HasDPSS is mainly conducted by the user  and the initial/current committee denoted  (0) . Protocol 2 illustrates the procedure of system initialization. Specifically,  uses its own server to compute and distribute the shares of the private key .  firstly distributes the unique identification  for each node in N. The determinant of the interpolation matrix consisting of all nodes'  based on k must not be equal to 0. The set  consists of the points on the ()-th partial derivative polynomial  ( ) (, ) of (, ) with respect to the parameter , where (0, 0) =  and  =  −1  =0   . The node in  (0)   receives the set  and then employs Lagrange interpolation to construct the polynomial  ( ) (, ), which is the share of the node. Using their shares, members of  (0) generate the commitments by the function  in Protocol 1 and post them on chain.

The Evolving Process
The evolving process consists of three protocols: the Attenuation Protocol, the Randomization Protocol and the Recovery Protocol. Without loss of generality, we describe here the evolving process from epoch  − 1 to  in one round.

Phase 1. Dimension Attenuation.
HasDPSS employs the Attenuation Protocol to construct the attenuated share  ( ) (,   ) with the degree ⟨ − 1, 0⟩ as shown in Protocol 3. Firstly, the honest nodes in  ( −1) compute the points of the current share and generate the corresponding witnesses using the function   in Protocol 1. The points and witnesses are sent to the corresponding nodes in the new committee via the off-chain channel. Hereafter, all operations related to secret shares take place in  ( ) . The node needs to verify the validity of received points via the on-chain KZG commitment and chooses any ( − +1) verified points to construct the polynomial of the attenuated share  ( ) (,   ) via Lagrange interpolation. Note that the attenuated share held by the node at this time is temporary and will not be used to restore the complete share. The node does not need to recompute the commitment of the attenuated share and post it on chain.
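As an added example (not the paper's Protocol 1, which is built on KZG commitments [24] and needs a pairing library), the following Python shows the commit-then-verify pattern of the attenuation step with a Feldman-style discrete-logarithm commitment used in place of KZG: the sender posts one group element per coefficient of its share polynomial, and a receiver checks every point it obtains off-chain against that posted commitment before using it, collecting the index set Λ of senders whose messages verified. The group parameters are deliberately tiny constructed values so the arithmetic can be followed by hand, and the function names are assumptions.

```python
# Constructed toy group: PRIME = 2*Q + 1 is a safe prime and G = 4 generates the
# subgroup of prime order Q in Z_PRIME^*. Share polynomials live in GF(Q).
Q = 509
PRIME = 1019
G = 4


def poly_eval(coeffs, x):
    """Horner evaluation of the share polynomial mod Q."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def commit(coeffs):
    """Commitment posted on chain once per phase: one group element g^{a_n} per coefficient."""
    return [pow(G, c % Q, PRIME) for c in coeffs]


def open_point(coeffs, x):
    """Point of the share polynomial sent off-chain to the node whose identity is x."""
    return poly_eval(coeffs, x)


def verify_point(commitment, x, value):
    """Check g^{value} == prod_n (g^{a_n})^{x^n}, i.e. value == f(x) for the committed f.
    Exponents are reduced mod Q because g has order Q."""
    rhs, xn = 1, 1
    for c_n in commitment:
        rhs = rhs * pow(c_n, xn, PRIME) % PRIME
        xn = xn * x % Q
    return pow(G, value % Q, PRIME) == rhs


def accept_verified(on_chain, inbox, my_id):
    """Receiver side of the attenuation step. on_chain: {sender: commitment} as read from
    the chain; inbox: list of (sender, value) received off-chain. Points from unknown
    senders or with values that do not match the sender's commitment are dropped.
    Returns the index set Lambda of verified senders and their accepted points."""
    verified = {}
    for sender, value in inbox:
        if sender in on_chain and verify_point(on_chain[sender], my_id, value):
            verified[sender] = value
    return set(verified), verified
```

Only points in the returned set feed the interpolation of the attenuated share; a corrupted sender that alters a value, or a message from a node that never posted a commitment, is excluded without any on-chain round trip.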
Output: Initial share  ( ) ( , ) of each node in  ( ) . User  : Distribute  for each node in N; Generate the ()-th partial derivative polynomial

  and  is the level of node  (•, ) . Then the set   is sent to  (•, ) with the witnesses.  (•, ) needs to post the corresponding commitment on chain. The receiving node  (•, ) first verifies the validity of all points and witnesses in each received message from  (•, ) . We denote by Λ the set consisting of the indices of the verified messages' senders. The verified messages are used to construct   (,   ).  (•, ) only needs to compute (,   ) and add it to the current attenuated share  ( ) (,   ). We use  ′( ) (,   ) to denote the randomized Compute  ( )   ← ( ′( ) (  , ),   ) and post it on chain;

Phase 3. Dimension Recovery.

Our communication model consists of on-chain communication and off-chain communication. The on-chain communication is only used to post the commitments of shares in the different phases. The adversary A learns no extra information from these commitments by the hiding property of the commitment scheme based on the discrete log assumption [24]. Therefore, we only need to consider the secrecy of the off-chain communication.
In particular, we have the following theorems. Proof. Recall that in our security design, the bivariate polynomial (, ) is used to share the managed key. For each level, it uses a different partial derivative of (, ) with respect to the parameter  to represent shares. Therefore, the polynomials maintained by members of each level are different. Given , the key can be reconstructed only if the number of shares obtained from each level ) of the hierarchical access structure.
Specifically, the complete shares of level  are different univariate polynomials  ( ) (  , ) with the degree ⟨ −  − 1⟩, where   is the identification of  and the other parameter can be calculated as follows: For the lowest level  − 1, the share's polynomial has the degree ⟨ −1 − 1⟩, i.e., at least  −1 complete shares of level  − 1 can reconstruct the bivariate polynomial  ( ) (, ) and satisfy the access structure of our scheme. A now keeps  −1 − 1 complete shares in this level. Given the feature of the hierarchical access structure, A can use a share from a level higher than  as an alternative. The proof for the other levels is similar. However, for level 0 there are no other shares that can be used as an alternative, so A cannot use other shares to satisfy the access structure.
The attenuated shares of level  are polynomials  ( ) (,   ) with the degree ⟨2 −  − 1⟩. Using (4), we can calculate that the degree of level 's polynomial is ⟨2 −1 − 1⟩. As in the worst case described above, A may obtain (2 −1 − 2) attenuated shares, and only over (2 −1 ) attenuated shares can reconstruct the polynomial with the degree ) nodes of each level in epoch , A learns no information about the managed key in this phase from the obtained shares.
Proof. By the design of the Randomization phase, shares in the new committee  ( ) are attenuated shares, and nodes realize the share randomization by exchanging their respective randomized polynomials (by points). In the former phase, A has obtained to generate the randomized polynomial  ( ) (,   ) and compute the share  ′( ) (,   ).
In the worst case, we assume that the shares caught by A in the Randomization phase do not overlap with the shares held by the corrupted nodes, i.e., A obtains twice as many randomized attenuated shares. Recall that the attenuated share has the degree ⟨2 −  − 1⟩; it needs at least 2 −1 shares of level  to satisfy the hierarchical access structure. A only keeps 2 −1 −2 shares of level . Although it may use shares from a higher level as an alternative, the highest level of the access structure cannot be satisfied. □ ) nodes of each level in epoch , and at least one node is honest in the Randomization phase, A learns no information about the managed key in the Dimension Recovery phase from the obtained shares. Proof. In the previous phase, the randomized univariate polynomials  ( ) (, ) for node  ( ) (, ) are defined by bivariate polynomials  (, ) with the degree ⟨ − 1, 2 − 1⟩ from members of committee  ( ) . Therefore, as long as one node honestly generates a random and non-zero polynomial  (, ), the polynomial  ( ) (, ) is randomly generated to mask the share's polynomial, i.e., the complete share  ′( ) (, ) in the new committee  ( ) is different from  ( ) (, ) in the old committee.
In the design of HasDPSS, only an adversary satisfying the parameter K = ) of the hierarchical access structure can steal the key. Although A has obtained { 0 − 1,  1 − 1, • • • ,  −1 − 1} complete shares  ( ) (, ) of each level before the evolving process begins, they cannot be used to reconstruct the distribution polynomial together with  ′( ) (, ) in committee  ( ) . □

EXPERIMENTS

Implementation
We implement prototypes of HasDPSS and the comparative schemes with the same settings in Python. We compare the obtained results to show the superiority of HasDPSS. All the experiments are carried out on a machine with a 2.60 GHz Intel i7-6700HQ processor, 8 cores and 16 GB of RAM. The PBC library is used to execute polynomial operations of bilinear mapping. Besides, we fix the irrelevant parameters in the experiment according to Table 1, and each experiment is repeated 1000 times to obtain the average value for statistical confidence. The performance is shown in Fig. 4. We first fix the network size at 1000 and increase the network hierarchy size by 1 until  reaches 10. A total of 10 sample points are selected for experiments. As shown in Fig. 4a, fewer hierarchies lead to greater efficiency of share distribution. However, fewer hierarchies  will undermine the security benefits of hierarchical management, and too many hierarchies cause the same problem. Following the same settings as in [7], it is reasonable to divide the 1000-node network into 10 levels. Fig. 4b illustrates that HasDPSS is almost unaffected by changes in . When the network hierarchy size  increases from 1 to 10, the communication overhead of share distribution decreases slightly from 30.52 MB to 30.33 MB.

Evaluation
In the same network with 10 levels, Fig. 4c and Fig. 4d show the overhead comparison and variation trend for different network sizes  . HasDPSS commonly requires more computing resources for share distribution, but less communication than CHURP. Unlike CHURP, which is based on Lagrange interpolation, the Birkhoff interpolation-based scheme performs a non-zero verification of the determinant of the interpolation matrix after generating identifications for the nodes in N. Despite this, it only takes about 4.9 seconds for users to complete the calculation of share distribution for the 1000-node network with 10 levels, which is acceptable.

Latency.
The latency is measured by the total execution time per epoch, including the process of computing and communication.
Fig. 5 describes the comparison of the latency of HasDPSS and CHURP under different conditions. When the number of nodes increases, the latency of HasDPSS does not increase greatly, as shown in Fig. 5a. HasDPSS does not require full-node interaction in the process of switching between attenuated and complete shares. The process is completed by the interaction of nodes at the same level. The latency of HasDPSS is significantly better than that of CHURP for large committee sizes. HasDPSS outperforms CHURP by reducing the latency by 34.51% with a committee of 100 nodes. An increase in the number of levels causes the latency to decrease significantly, as shown in Fig. 5b. When the scale of the committee is fixed, the more hierarchies it is divided into, the fewer members there are at the same level, and the more obvious the improvement in latency.

Communication Overhead.

We simulate on-chain communication through shared memory and use the total bits of the data to measure on-chain efficiency. Following most existing blockchain transaction models, we measure on-chain communication overhead only in terms of writes. The off-chain communication overhead is measured as the total number of bits transmitted in P2P channels. Fig. 6a illustrates that the on-chain overhead of HasDPSS is of the same order of magnitude as the optimistic execution path of CHURP (Opt-CHURP), and significantly better than the pessimistic path of CHURP (Exp-CHURP). In practice, that scheme starts on a highly efficient optimistic path and falls back to the pessimistic path upon detection of adversarial misbehavior. The total on-chain overhead of CHURP will therefore lie between the two paths. HasDPSS outperforms Exp-CHURP, achieving an average communication overhead improvement of 88 times when varying the committee size, as shown in Fig. 6a. In addition, the cost of HasDPSS is not affected by the network hierarchy size, as shown in Fig. 6b. For a committee with 100 nodes, the cost is fixed at 0.63 MB.
We conduct comprehensive performance evaluations to show that our design also accomplishes off-chain efficiency. Fig. 6d shows the high off-chain efficiency of HasDPSS. Even compared with the most optimistic path of CHURP, HasDPSS still has certain performance advantages. HasDPSS can also reduce the off-chain overhead by adjusting the number of levels. However, the reduction is not unbounded: the communication overhead tends to a constant value as the size of the network hierarchy increases.

Comparison with Other Schemes
We compare HasDPSS with the following advanced and representative secret-sharing schemes to illustrate the features and performance of HasDPSS, as shown in Table 2.
The first secret-sharing scheme supporting the hierarchical access structure was proposed in 2007. Tassa [14] presents a method that divides the parties into different levels, where each level of parties has different shares. Since there is no share or committee switching process, the scheme has no additional communication overhead except for share distribution. Mashhadi describes VPSS in [25], a verifiable and proactive secret sharing scheme using bilinear pairings and monotone span programs in the general linear access structure. Schultz et al. [4] propose a new scheme named MPSS to perform proactive secret sharing for a small-scale dynamic committee. In [26], Traverso et al. extended the above research and proposed the verifiable and dynamic scheme named HTSS, which is efficient and provides shares of equal size for all holders in the hierarchy. However, the application of MPSS and HTSS commonly comes with a large communication overhead. Moreover, the study [6] proposes CHURP, a CHUrn-Robust Proactive secret-sharing scheme for blockchain, and performs an efficient handoff protocol to switch committees in the linear access structure. CHURP achieves similar proactive and dynamic goals to HasDPSS in asynchronous settings, but not for the hierarchical access structure.

CONCLUSION
We presented HasDPSS towards building a dynamic and reliable blockchain-based key-management scheme for the hierarchical access structure in decentralized storage. HasDPSS can provide secure and efficient management of private keys without relying on a centralized authority, where users can securely store their keys in a decentralized form. HasDPSS introduces an evolving process to securely transfer and refresh shares, which achieves both the dynamic hierarchical key-management committee and robustness against a powerful and active adversary. We conducted extensive experiments, and the results showed the practical performance of our design. For future work, it would be interesting to explore the dynamic changing of thresholds. Support for adding or removing hierarchies without reconstructing the share polynomial will be extended in follow-up research.

Figure 1: Architecture overview of secure key management.

Figure 2: Each epoch ends with an evolving process where the old committee transfers the key to a new committee.

Figure 3: The evolving process between two committees at the end of an epoch.

Theorem 1. If A corrupts fewer than  = ( 0 ,  1 , • • • ,  −1 ) nodes of each level in epoch  − 1 and epoch  respectively, it learns no information about the managed key in the Dimension Attenuation phase from the obtained shares.

Communication overhead vs. the number of nodes in the network.

Distribution Cost.

In HasDPSS, users perform Protocol 2 to distribute shares for nodes in the initial committee.

Figure 5: Latency of the evolving process.

Figure 6: Communication overhead of the evolving process.

Table 2: Feature comparison of schemes.