World Library  
Flag as Inappropriate
Email this Article

Publicly Verifiable Secret Sharing

Article Id: WHEBN0010928467
Reproduction Date:

Title: Publicly Verifiable Secret Sharing  
Author: World Heritage Encyclopedia
Language: English
Subject: Verifiable secret sharing
Publisher: World Heritage Encyclopedia

Publicly Verifiable Secret Sharing

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party involved can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol,cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that i can be verified publicly.

— Berry Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting .

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.


The PVSS scheme dictates an initialization process in which:

  1. All system parameters are generated.
  2. Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:


1.Distribution of secret s shares is performed by the dealer D, which does the following:

  • The dealer creates s_{1},s_{2}...s_{n} for each participant P_{1},P_{2}...P_{n} respectively.
  • The dealer publishes the encrypted share E_{i}(s_{i}) for each P_{i}.
  • The dealer also publishes a string \mathrm{proof}_{D} to show that each E_{i} encrypts s_{i}

(note: \mathrm{proof}_{D} guarantees that the reconstruction protocol will result in the same s.

2. Verification of the shares:

  • Anybody knowing the public keys for the encryption methods E_{i}, can verify the shares.
  • If one or more verifications fails the dealer fails and the protocol is aborted.


1. Decryption of the shares:

  • The Participants P_{i} decrypts their share of the secret s_{i} using E_{i}(s_{i}).

(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting E_{i}(s_{i}) as long as a qualified set of participants are successful to decrypt s_{i}).

  • The participant release s_{i} plus a string \mathrm{proof}_{P_{i}} this shows the released share is correct.

2. Pooling the shares:

  • Using the strings \mathrm{proof}_{P_{i}} to exclude the participants which are dishonest or failed to decrypt E_{i}(s_{i}).
  • Reconstruction s can be done from the shares of any qualified set of participants.

Chaums and Pedersen Scheme

A proposed protocol proving: \log_{_{g1}}h_{1} = \log_{_{g2}}h_{2} :

  1. The prover chooses a random r\in \boldsymbol{\Zeta}_{q^*}
  2. The verifier send a random challenge c \in _{R}\boldsymbol{\Zeta}_{q}
  3. The prover responds with s = r - c x(\mathrm{mod}\,q)
  4. The verifier checks \alpha_1 = g_{1}^s h_{1}^c and \alpha_2 = g_{2}^s h_{2}^c

Denote this protocol as: \mathrm{dleq}(g_1, h_1,g_2,h_2)
A generalization of \mathrm{dleq}(g_1, h_1,g_2,h_2) is denoted as: \text{dleq}(X, Y, g_1, h_1,g_2,h_2) where as: X = g_{1}^{x_1}g_{2}^{x_2} and Y = h_{1}^{x_1}h_{2}^{x_2}:

  1. The prover chooses a random r_1,r_2 \in Z_{q}^* and sends t_1 = g_{1}^{r_1} g_{2}^{r_2} and t_2 = h_{1}^{r_1} h_{2}^{r_2}
  2. The verifier send a random challenge c \in _{R}\boldsymbol{\Zeta}_{q} .
  3. The prover responds with s_1 = r_1 - cx_1 (\mathrm{mod}\,q) , s_2 = r_2 - cx_2 (\mathrm{mod}\,q) .
  4. The verifier checks t_1 = X^c g_{1}^{s_1}g_{2}^{s_2} and t_2 = Y^c h_{1}^{s_1}h_{2}^{s_2}

The Chaums and Pedersen method is an interactive method and needs some modification to be used in a non-interactive way: Replacing the randomly chosen c by a 'secure hash' function with m as input value.

See also


  • Markus Stadler, Publicly Verifiable Secret Sharing
  • Berry Schoenmakers, A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting, Advances in Cryptology—CRYPTO, 1999, pp. 148–164
This article was sourced from Creative Commons Attribution-ShareAlike License; additional terms may apply. World Heritage Encyclopedia content is assembled from numerous content providers, Open Access Publishing, and in compliance with The Fair Access to Science and Technology Research Act (FASTR), Wikimedia Foundation, Inc., Public Library of Science, The Encyclopedia of Life, Open Book Publishers (OBP), PubMed, U.S. National Library of Medicine, National Center for Biotechnology Information, U.S. National Library of Medicine, National Institutes of Health (NIH), U.S. Department of Health & Human Services, and, which sources content from all federal, state, local, tribal, and territorial government publication portals (.gov, .mil, .edu). Funding for and content contributors is made possible from the U.S. Congress, E-Government Act of 2002.
Crowd sourced content that is contributed to World Heritage Encyclopedia is peer reviewed and edited by our editorial staff to ensure quality scholarly research articles.
By using this site, you agree to the Terms of Use and Privacy Policy. World Heritage Encyclopedia™ is a registered trademark of the World Public Library Association, a non-profit organization.

Copyright © World Library Foundation. All rights reserved. eBooks from Project Gutenberg are sponsored by the World Library Foundation,
a 501c(4) Member's Support Non-Profit Organization, and is NOT affiliated with any governmental agency or department.