Publicly verifiable secret sharing

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party (not just the participants of the protocol) can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol, cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that (i) can be verified publicly.

— Berry Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting .

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.

Initiali

The PVSS scheme dictates an initialization process in which:

  1. All system parameters are generated.
  2. Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:

Distribution

1. Distribution of secret s {\displaystyle s} shares is performed by the dealer D {\displaystyle D} , which does the following:

  • The dealer creates s 1 , s 2 . . . s n {\displaystyle s_{1},s_{2}...s_{n}} for each participant P 1 , P 2 . . . P n {\displaystyle P_{1},P_{2}...P_{n}} respectively.
  • The dealer publishes the encrypted share E i ( s i ) {\displaystyle E_{i}(s_{i})} for each P i {\displaystyle P_{i}} .
  • The dealer also publishes a string p r o o f D {\displaystyle \mathrm {proof} _{D}} to show that each E i {\displaystyle E_{i}} encrypts s i {\displaystyle s_{i}}

(note: p r o o f D {\displaystyle \mathrm {proof} _{D}} guarantees that the reconstruction protocol will result in the same s {\displaystyle s} .

2. Verification of the shares:

  • Anybody knowing the public keys for the encryption methods E i {\displaystyle E_{i}} , can verify the shares.
  • If one or more verifications fails the dealer fails and the protocol is aborted.

Reconstruction

1. Decryption of the shares:

  • The Participants P i {\displaystyle P_{i}} decrypts their share of the secret s i {\displaystyle s_{i}} using E i ( s i ) {\displaystyle E_{i}(s_{i})} .

(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting E i ( s i ) {\displaystyle E_{i}(s_{i})} as long as a qualified set of participants are successful to decrypt s i {\displaystyle s_{i}} ).

  • The participant release s i {\displaystyle s_{i}} plus a string p r o o f P i {\displaystyle \mathrm {proof} _{P_{i}}} this shows the released share is correct.

2. Pooling the shares:

  • Using the strings p r o o f P i {\displaystyle \mathrm {proof} _{P_{i}}} to exclude the participants which are dishonest or failed to decrypt E i ( s i ) {\displaystyle E_{i}(s_{i})} .
  • Reconstruction s {\displaystyle s} can be done from the shares of any qualified set of participants.

Chaum-Pedersen Protocol

A proposed protocol proving: log g 1 h 1 = log g 2 h 2 {\displaystyle \log _{_{g1}}h_{1}=\log _{_{g2}}h_{2}}  :

  1. The prover chooses a random r Z q {\displaystyle r\in {\boldsymbol {\mathrm {Z} }}_{q^{*}}}
  2. The verifier sends a random challenge c R Z q {\displaystyle c\in _{R}{\boldsymbol {\mathrm {Z} }}_{q}}
  3. The prover responds with s = r c x ( m o d q ) {\displaystyle s=r-cx(\mathrm {mod} \,q)}
  4. The verifier checks α 1 = g 1 s h 1 c {\displaystyle \alpha _{1}=g_{1}^{s}h_{1}^{c}} and α 2 = g 2 s h 2 c {\displaystyle \alpha _{2}=g_{2}^{s}h_{2}^{c}}

Denote this protocol as: d l e q ( g 1 , h 1 , g 2 , h 2 ) {\displaystyle \mathrm {dleq} (g_{1},h_{1},g_{2},h_{2})}
A generalization of d l e q ( g 1 , h 1 , g 2 , h 2 ) {\displaystyle \mathrm {dleq} (g_{1},h_{1},g_{2},h_{2})} is denoted as: dleq ( X , Y , g 1 , h 1 , g 2 , h 2 ) {\displaystyle {\text{dleq}}(X,Y,g_{1},h_{1},g_{2},h_{2})} where as: X = g 1 x 1 g 2 x 2 {\displaystyle X=g_{1}^{x_{1}}g_{2}^{x_{2}}} and Y = h 1 x 1 h 2 x 2 {\displaystyle Y=h_{1}^{x_{1}}h_{2}^{x_{2}}} :

  1. The prover chooses a random r 1 , r 2 Z q {\displaystyle r_{1},r_{2}\in Z_{q}^{*}} and sends t 1 = g 1 r 1 g 2 r 2 {\displaystyle t_{1}=g_{1}^{r_{1}}g_{2}^{r_{2}}} and t 2 = h 1 r 1 h 2 r 2 {\displaystyle t_{2}=h_{1}^{r_{1}}h_{2}^{r_{2}}}
  2. The verifier sends a random challenge c R Z q {\displaystyle c\in _{R}{\boldsymbol {\mathrm {Z} }}_{q}} .
  3. The prover responds with s 1 = r 1 c x 1 ( m o d q ) {\displaystyle s_{1}=r_{1}-cx_{1}(\mathrm {mod} \,q)} , s 2 = r 2 c x 2 ( m o d q ) {\displaystyle s_{2}=r_{2}-cx_{2}(\mathrm {mod} \,q)} .
  4. The verifier checks t 1 = X c g 1 s 1 g 2 s 2 {\displaystyle t_{1}=X^{c}g_{1}^{s_{1}}g_{2}^{s_{2}}} and t 2 = Y c h 1 s 1 h 2 s 2 {\displaystyle t_{2}=Y^{c}h_{1}^{s_{1}}h_{2}^{s_{2}}}

The Chaum-Pedersen protocol is an interactive method and needs some modification to be used in a non-interactive way: Replacing the randomly chosen c {\displaystyle c} by a 'secure hash' function with m {\displaystyle m} as input value.

  • le secret
  • sharing

References

  • Markus , Publicly Verifiable Secret Sharing
  • Be1999, pp.