In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party involved can verify the validity of the shares distributed by the dealer.
The method introduced here, following the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He, is non-interactive and maintains this property throughout the protocol.
Initialization
The PVSS scheme dictates an initialization process in which:
- All system parameters are generated.
- Each participant must have a registered public key.
Excluding the initialization process, the PVSS consists of two phases:
Distribution
1. Distribution of secret
(note:
2. Verification of the shares:
Reconstruction
1. Decryption of the shares:
(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting
2. Pooling the shares:
Chaum and Pedersen Scheme
A proposed protocol proving:
- The prover chooses a random $r \in \mathbb{Z}_q^*$
- The verifier sends a random challenge $c \in_R \mathbb{Z}_q$
- The prover responds with $s = r - cx \pmod{q}$
- The verifier checks $\alpha_1 = g_1^{s} h_1^{c}$ and $\alpha_2 = g_2^{s} h_2^{c}$
Denote this protocol as:
A generalization of
- The prover chooses random $r_1, r_2 \in \mathbb{Z}_q^*$ and computes $t_1 = g_1^{r_1} g_2^{r_2}$ and $t_2 = h_1^{r_1} h_2^{r_2}$
- The verifier sends a random challenge $c \in_R \mathbb{Z}_q$
- The prover responds with $s_1 = r_1 - c x_1 \pmod{q}$, $s_2 = r_2 - c x_2 \pmod{q}$.
- The verifier checks $t_1 = X^{c} g_1^{s_1} g_2^{s_2}$ and $t_2 = Y^{c} h_1^{s_1} h_2^{s_2}$
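The basic four-step exchange (the single-exponent protocol, before the generalization), written out as an added example that is not from the paper or the original page. It assumes $h_1 = g_1^x$, $h_2 = g_2^x$ and that $\alpha_1 = g_1^r$, $\alpha_2 = g_2^r$ are the prover's commitments, which the list does not spell out; the toy group, the function names and the subgroup-membership check are also assumptions of this example.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
G1, G2 = 4, 9  # squares mod P, so each generates the subgroup of order Q

def in_group(e):
    """True if e lies in the order-Q subgroup the proof is stated over."""
    return 0 < e < P and pow(e, Q, P) == 1

def commit(r):
    """Prover: commitments alpha1 = g1^r, alpha2 = g2^r (sent before c is known)."""
    return pow(G1, r, P), pow(G2, r, P)

def respond(r, c, x):
    """Prover: s = r - c*x (mod q)."""
    return (r - c * x) % Q

def verify(h1, h2, alpha1, alpha2, c, s):
    """Verifier: alpha1 == g1^s h1^c and alpha2 == g2^s h2^c, after group checks."""
    if not all(in_group(e) for e in (h1, h2, alpha1, alpha2)):
        return False
    return (alpha1 == pow(G1, s, P) * pow(h1, c, P) % P and
            alpha2 == pow(G2, s, P) * pow(h2, c, P) % P)

def run_dleq(h1, h2, x, r=None, c=None):
    """One interactive run; r and c are random unless pinned for a test."""
    r = 1 + secrets.randbelow(Q - 1) if r is None else r   # r in Z_q^*
    alpha1, alpha2 = commit(r)
    c = secrets.randbelow(Q) if c is None else c           # c in_R Z_q
    return verify(h1, h2, alpha1, alpha2, c, respond(r, c, x))

if __name__ == "__main__":
    x = 123                                   # prover's secret exponent
    h1, h2 = pow(G1, x, P), pow(G2, x, P)     # same discrete log in both bases
    print("honest statement:", run_dleq(h1, h2, x))
    bad_h2 = pow(G2, 456, P)                  # different exponent in base g2
    print("mismatched logs, c=5:", run_dleq(h1, bad_h2, x, r=77, c=5))
    print("mismatched logs, c=0:", run_dleq(h1, bad_h2, x, r=77, c=0))
```

The `c = 0` run is accepted even though the logarithms differ, because the check then no longer involves $h_1$ or $h_2$; this is the $1/q$ soundness error of a single run and the reason $q$ must be large in practice.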
The Chaum and Pedersen method is interactive and needs some modification to be used in a non-interactive way: Replacing the randomly chosen