Publicly verifiable secret sharing explained

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party (not just the participants of the protocol) can verify the validity of the shares distributed by the dealer.

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.

Initiali

The PVSS scheme dictates an initialization process in which:

All system parameters are generated.
Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:

Distribution

1. Distribution of secret

shares is performed by the dealer

, which does the following:

The dealer creates

s₁,s₂...s_n

for each participant

P₁,P₂...P_n

respectively.

The dealer publishes the encrypted share

E_i(s_i)

for each

P_i

The dealer also publishes a string

proof_D

to show that each

E_i

encrypts

s_i

(note:

proof_D

guarantees that the reconstruction protocol will result in the same

2. Verification of the shares:

Anybody knowing the public keys for the encryption methods

E_i

, can verify the shares.

If one or more verifications fails the dealer fails and the protocol is aborted.

Reconstruction

1. Decryption of the shares:

The Participants

P_i

decrypts their share of the secret

s_i

using

E_i(s_i)

.(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting

E_i(s_i)

as long as a qualified set of participants are successful to decrypt

s_i

The participant release

s_i

plus a string

proof
	P_i

this shows the released share is correct.

2. Pooling the shares:

Using the strings

proof
	P_i

to exclude the participants which are dishonest or failed to decrypt

E_i(s_i)

Reconstruction

can be done from the shares of any qualified set of participants.

Chaum-Pedersen Protocol

A proposed protocol proving:

log
	_g1

h₁=

log
	_g2

h₂

The prover chooses a random

r\in

\boldsymbol{\Zeta}
	q^*

The verifier sends a random challenge

c\in_R\boldsymbol{\Zeta}_q

The prover responds with

s=r-cx(modq)

The verifier checks

\alpha₁=

	s
g
	1

	c
h
	1

and

\alpha₂=

	s
g
	2

	c
h
	2

Denote this protocol as:

dleq(g_1,h_1,g_2,h₂₎

A generalization of

dleq(g_1,h_1,g_2,h₂₎

is denoted as:

dleq(X,Y,g_1,h_1,g_2,h₂₎

where as:

	x₁
g
	1

	x₂
g
	2

and

	x₁
h
	1

	x₂
h
	2

The prover chooses a random

r_1,r₂\in

	*
Z
	q

and sends

t₁=

	r₁
g
	1

	r₂
g
	2

and

t₂=

	r₁
h
	1

	r₂
h
	2

The verifier sends a random challenge

c\in_R\boldsymbol{\Zeta}_q

The prover responds with

s₁=r₁-cx₁(modq)

s₂=r₂-cx₂(modq)

The verifier checks

t₁=X^c

	s₁
g
	1

	s₂
g
	2

and

t₂=Y^c

	s₁
h
	1

	s₂
h
	2

The Chaum-Pedersen protocol is an interactive method and needs some modification to be used in a non-interactive way:Replacing the randomly chosen

by a 'secure hash' function with

as input value.

References

Markus, Publicly Verifiable Secret Sharing
Be1999, pp.