Publicly Verifiable Secret Sharing

Last updated June 08, 2024

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party (not just the participants of the protocol) can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol, cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that (i) can be verified publicly.
— Berry Schoenmakers. A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting .

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.

Initiali

The PVSS scheme dictates an initialization process in which:

All system parameters are generated.
Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:

Distribution

1. Distribution of secret $s$ shares is performed by the dealer $D$ , which does the following:

The dealer creates $s_{1},s_{2}...s_{n}$ for each participant $P_{1},P_{2}...P_{n}$ respectively.
The dealer publishes the encrypted share $E_{i}(s_{i})$ for each $P_{i}$ .
The dealer also publishes a string $\mathrm {proof} _{D}$ to show that each $E_{i}$ encrypts $s_{i}$

(note: $\mathrm {proof} _{D}$ guarantees that the reconstruction protocol will result in the same $s$ .

2. Verification of the shares:

Anybody knowing the public keys for the encryption methods $E_{i}$ , can verify the shares.
If one or more verifications fails the dealer fails and the protocol is aborted.

Reconstruction

1. Decryption of the shares:

The Participants $P_{i}$ decrypts their share of the secret $s_{i}$ using $E_{i}(s_{i})$ .

(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting $E_{i}(s_{i})$ as long as a qualified set of participants are successful to decrypt $s_{i}$ ).

The participant release $s_{i}$ plus a string $\mathrm {proof} _{P_{i}}$ this shows the released share is correct.

2. Pooling the shares:

Using the strings $\mathrm {proof} _{P_{i}}$ to exclude the participants which are dishonest or failed to decrypt $E_{i}(s_{i})$ .
Reconstruction $s$ can be done from the shares of any qualified set of participants.

Chaum-Pedersen Protocol

A proposed protocol proving: $\log _{_{g1}}h_{1}=\log _{_{g2}}h_{2}$ :

The prover chooses a random $r\in {\boldsymbol {\mathrm {Z} }}_{q^{*}}$
The verifier sends a random challenge $c\in _{R}{\boldsymbol {\mathrm {Z} }}_{q}$
The prover responds with $s=r-cx(\mathrm {mod} \,q)$
The verifier checks $\alpha _{1}=g_{1}^{s}h_{1}^{c}$ and $\alpha _{2}=g_{2}^{s}h_{2}^{c}$

Denote this protocol as: $\mathrm {dleq} (g_{1},h_{1},g_{2},h_{2})$
A generalization of $\mathrm {dleq} (g_{1},h_{1},g_{2},h_{2})$ is denoted as: ${\text{dleq}}(X,Y,g_{1},h_{1},g_{2},h_{2})$ where as: $X=g_{1}^{x_{1}}g_{2}^{x_{2}}$ and $Y=h_{1}^{x_{1}}h_{2}^{x_{2}}$ :

The prover chooses a random $r_{1},r_{2}\in Z_{q}^{*}$ and sends $t_{1}=g_{1}^{r_{1}}g_{2}^{r_{2}}$ and $t_{2}=h_{1}^{r_{1}}h_{2}^{r_{2}}$
The verifier sends a random challenge $c\in _{R}{\boldsymbol {\mathrm {Z} }}_{q}$ .
The prover responds with $s_{1}=r_{1}-cx_{1}(\mathrm {mod} \,q)$ , $s_{2}=r_{2}-cx_{2}(\mathrm {mod} \,q)$ .
The verifier checks $t_{1}=X^{c}g_{1}^{s_{1}}g_{2}^{s_{2}}$ and $t_{2}=Y^{c}h_{1}^{s_{1}}h_{2}^{s_{2}}$

The Chaum-Pedersen protocol is an interactive method and needs some modification to be used in a non-interactive way: Replacing the randomly chosen $c$ by a 'secure hash' function with $m$ as input value.

Related Research Articles

In mathematics, especially in category theory and homotopy theory, a groupoid generalises the notion of group in several equivalent ways. A groupoid can be seen as a:

<span class="mw-page-title-main">Lie algebra</span> Algebraic structure used in analysis

In mathematics, a Lie algebra is a vector space $together with an operation called the Lie bracket, an alternating bilinear map, that satisfies the Jacobi identity. In other words, a Lie algebra is an algebra over a field for which the multiplication operation is alternating and satisfies the Jacobi identity. The Lie bracket of two vectors and is denoted . A Lie algebra is typically a non-associative algebra. However, every associative algebra gives rise to a Lie algebra, consisting of the same vector space with the commutator Lie bracket, .$

In electrochemistry, the Nernst equation is a chemical thermodynamical relationship that permits the calculation of the reduction potential of a reaction from the standard electrode potential, absolute temperature, the number of electrons involved in the redox reaction, and activities of the chemical species undergoing reduction and oxidation respectively. It was named after Walther Nernst, a German physical chemist who formulated the equation.

In mathematical analysis, Hölder's inequality, named after Otto Hölder, is a fundamental inequality between integrals and an indispensable tool for the study of $L p$ spaces.

In computer science, communicating sequential processes (CSP) is a formal language for describing patterns of interaction in concurrent systems. It is a member of the family of mathematical theories of concurrency known as process algebras, or process calculi, based on message passing via channels. CSP was highly influential in the design of the occam programming language and also influenced the design of programming languages such as Limbo, RaftLib, Erlang, Go, Crystal, and Clojure's core.async.

In topology, a covering or covering projection is a map between topological spaces that, intuitively, locally acts like a projection of multiple copies of a space onto itself. In particular, coverings are special types of local homeomorphisms. If $is a covering, is said to be a covering space or cover of, and is said to be the base of the covering, or simply the base . By abuse of terminology, and may sometimes be called covering spaces as well. Since coverings are local homeomorphisms, a covering space is a special kind of étale space.$

In mathematics, a congruence subgroup of a matrix group with integer entries is a subgroup defined by congruence conditions on the entries. A very simple example is the subgroup of invertible 2 × 2 integer matrices of determinant 1 in which the off-diagonal entries are even. More generally, the notion of congruence subgroup can be defined for arithmetic subgroups of algebraic groups; that is, those for which we have a notion of 'integral structure' and can define reduction maps modulo an integer.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party can prove to another party that a given statement is true, while avoiding conveying to the verifier any information beyond the mere fact of the statement's truth. The intuition underlying zero-knowledge proofs is that it is trivial to prove the possession of certain information by simply revealing it; the challenge is to prove this possession without revealing the information, or any aspect of it whatsoever.

The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.

In cryptography, a verifiable random function (VRF) is a public-key pseudorandom function that provides proofs that its outputs were calculated correctly. The owner of the secret key can compute the function value as well as an associated proof for any input value. Everyone else, using the proof and the associated public key, can check that this value was indeed calculated correctly, yet this information cannot be used to find the secret key.

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.

In cryptography, a ring signature is a type of digital signature that can be performed by any member of a set of users that each have keys. Therefore, a message signed with a ring signature is endorsed by someone in a particular set of people. One of the security properties of a ring signature is that it should be computationally infeasible to determine which of the set's members' keys was used to produce the signature. Ring signatures are similar to group signatures but differ in two key ways: first, there is no way to revoke the anonymity of an individual signature; and second, any set of users can be used as a signing set without additional setup.

<span class="mw-page-title-main">Classical group</span>

In mathematics, the classical groups are defined as the special linear groups over the reals $, the complex numbers and the quaternions together with special automorphism groups of symmetric or skew-symmetric bilinear forms and Hermitian or skew-Hermitian sesquilinear forms defined on real, complex and quaternionic finite-dimensional vector spaces. Of these, the complex classical Lie groups are four infinite families of Lie groups that together with the exceptional groups exhaust the classification of simple Lie groups. The compact classical groups are compact real forms of the complex classical groups. The finite analogues of the classical groups are the classical groups of Lie type . The term "classical group" was coined by Hermann Weyl, it being the title of his 1939 monograph The Classical Groups .$

Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information among a group. The secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.

Byzantine fault tolerant protocols are algorithms that are robust to arbitrary types of failures in distributed algorithms. The Byzantine agreement protocol is an essential part of this task. The constant-time quantum version of the Byzantine protocol, is described below.

ACE is the collection of units, implementing both a public key encryption scheme and a digital signature scheme. Corresponding names for these schemes — «ACE Encrypt» and «ACE Sign». Schemes are based on Cramer-Shoup public key encryption scheme and Cramer-Shoup signature scheme. Introduced variants of these schemes are intended to achieve a good balance between performance and security of the whole encryption system.

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

The Sakai–Kasahara scheme, also known as the Sakai–Kasahara key encryption algorithm (SAKKE), is an identity-based encryption (IBE) system proposed by Ryuichi Sakai and Masao Kasahara in 2003. Alongside the Boneh–Franklin scheme, this is one of a small number of commercially implemented identity-based encryption schemes. It is an application of pairings over elliptic curves and finite fields. A security proof for the algorithm was produced in 2005 by Chen and Cheng. SAKKE is described in Internet Engineering Task Force (IETF) RFC 6508.

Quantum secret sharing (QSS) is a quantum cryptographic scheme for secure communication that extends beyond simple quantum key distribution. It modifies the classical secret sharing (CSS) scheme by using quantum information and the no-cloning theorem to attain the ultimate security for communications.

References

Markus , Publicly Verifiable Secret Sharing
Be1999, pp.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.