Verifiable secret sharing

Last updated November 08, 2024

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. (In standard secret sharing, the dealer is assumed to be honest.)^[1] The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.^[2]

Sharing: Initially the dealer holds secret as input and each player holds an independent random input. The sharing phase may consist of several rounds. At each round each player can privately send messages to other players and can also broadcast a message. Each message sent or broadcast by a player is determined by its input, its random input and messages received from other players in previous rounds.

Reconstruction: In this phase each player provides its entire view from the sharing phase and a reconstruction function is applied and is taken as the protocol's output.

An alternative definition given by Oded Goldreich defines VSS as a secure multi-party protocol for computing the randomized functionality corresponding to some (non-verifiable) secret sharing scheme. This definition is stronger than that of the other definitions and is very convenient to use in the context of general secure multi-party computation.

Verifiable secret sharing is important for secure multiparty computation. Multiparty computation is typically accomplished by making secret shares of the inputs, and manipulating the shares to compute some function. To handle "active" adversaries (that is, adversaries that corrupt nodes and then make them deviate from the protocol), the secret sharing scheme needs to be verifiable to prevent the deviating nodes from throwing off the protocol.

Feldman's scheme

A commonly used example of a simple VSS scheme is the protocol by Paul Feldman,^[3] which is based on Shamir's secret sharing scheme combined with any encryption scheme which satisfies a specific homomorphic property (that is not necessarily satisfied by all homomorphic encryption schemes).

The following description gives the general idea, but is not secure as written. (Note, in particular, that the published value g^s leaks information about the dealer's secret s.)

First, a cyclic group G of prime order q, along with a generator g of G, is chosen publicly as a system parameter. The group G must be chosen such that computing discrete logarithms is hard in this group. (Typically, one takes an order-q subgroup of (Z/pZ)^×, where q is a prime dividing p − 1.)

The dealer then computes (and keeps secret) a random polynomial P of degree t with coefficients in Z_q, such that P(0) = s, where s is the secret. Each of the n share holders will receive a value P(1), ..., P(n) modulo q. Any t + 1 share holders can recover the secret s by using polynomial interpolation modulo q, but any set of at most t share holders cannot. (In fact, at this point any set of at most t share holders has no information about s.)

So far, this is exactly Shamir's scheme. To make these shares verifiable, the dealer distributes commitments to the coefficients of P modulo q. If P(x) = s + a₁x + ... + a_tx^t, then the commitments that must be given are:

c₀ = g^s,
c₁ = g^a₁,
...
c_t = g^a_t.

Once these are given, any party can verify their share. For instance, to verify that v = P(i) modulo q, party i can check that

$g^{v}=c_{0}c_{1}^{i}c_{2}^{i^{2}}\cdots c_{t}^{i^{t}}=\prod _{j=0}^{t}c_{j}^{i^{j}}=\prod _{j=0}^{t}g^{a_{j}i^{j}}=g^{\sum _{j=0}^{t}a_{j}i^{j}}=g^{P(i)}$ .

This scheme is, at best, secure against computationally bounded adversaries, namely the intractability of computing discrete logarithms. Pedersen proposed later a scheme^[4] where no information about the secret is revealed even with a dealer with unlimited computing power.

Benaloh's scheme

Once n shares are distributed to their holders, each holder should be able to verify that all shares are collectively t-consistent (i.e., any subset t of n shares will yield the same, correct, polynomial without exposing the secret).

In Shamir's secret sharing scheme the shares $s_{1},s_{2},...,s_{n}$ are t-consistent if and only if the interpolation of the points $(1,s_{1}),(2,s_{2}),...,(n,s_{n})$ yields a polynomial degree at most d = t − 1.

Based on that observation, Benaloh's protocol can be shown to allow the share holders to perform the required validation while also verifying the dealer's authenticity and integrity.

A second observation is that given the degree of the sum of two polynomials F and G is less than or equal to t, either the degrees of both F and G are less than or equal to t, or both the degrees of F and G are greater than t. This claim is evident due to Polynomial function's Homomorphic property, examples:

case 1:

f_{1}=3x

,

f_{2}=11x^{6}

,

t=6

case 2:

f_{1}=18x^{7}

,

f_{2}=-18x^{7}

,

t=6

the case that we canceled:

f_{1}=2x^{2}+3x^{3}

,

f_{2}=x+x^{7}

,

t=6

Interactive proof:
The following 5 steps verify the integrity of the dealer to the Share holders:

Dealer chooses polynomial P, distributes shares (as per Shamir's secret sharing scheme).
Dealer constructs a very large number (k) of random polynomials $P_{1},...,P_{k}$ of degree t, and distributes shares.
Share-holder chooses a random subset of m < k polynomials.
Dealer reveals shares of the m chosen polynomials $P_{i_{1}},...,P_{i_{m}}$ and sums of remaining k − m sums $P+\textstyle \sum _{j={m+1}}^{k}P_{j}$ then shares the result as well.
Each share-holder or verifier ascertains that all revealed polynomials are degree-t, and corresponds to its own known share.

The secret s remains safe and unexposed.

These 5 steps will be done in small number of iterations to achieve high probability result about the dealer integrity.

Diagnosis 1: Because the degree of polynomial $P+\textstyle \sum _{j={m+1}}^{k}P_{j}$ is less than or equal to t and because the Dealer reveals the other $P_{i_{1}},...,P_{i_{m}}$ polynomials (step 4), the degree of the polynomial P must be less than or equal to t (second observation case 1, with height probability when these steps are repeated in different iterations).

Diagnosis 2: One of the parameters for the problem was to avoid exposing the secret which we are attempting to verify. This property is kept through the use of Algebra homomorphism to perform validation. (A set of random polynomials of degree at most t together with a set of sums of P and other polynomials of degree at most t gives no useful information about P.)

Secret ballot elections

Verifiable secret sharing can be used to build end-to-end auditable voting systems.

Using the technique of verifiable secret sharing one can satisfy the election problem that will be described here.

In the election problem each voter can vote either 0 (to oppose) or 1 (for support), and the sum of all votes will determine election's result. For the election to execute, it is necessary to make sure that the following conditions are fulfilled:

The voters' privacy should not be compromised.
The election administrator must verify that no voter committed fraud.

If using verifiable secret sharing, n tellers will replace the single election administrator. Each voter will distribute one share of its secret vote to every one of the n tellers. This way the privacy of the voter is preserved and the first condition is satisfied.

Reconstruction of the election's result is easy, if there exist enough k < n tellers to discover polynomial P.

The interactive proof can be generalized slightly to allow verification of the vote shares. Each voter will prove (in the distribution of the secret share phase) to the tellers that his vote is legitimate using the five steps of the interactive proof.

Round-optimal and efficient verifiable secret sharing

The round complexity of a VSS protocol is defined as the number of communication rounds in its sharing phase; reconstruction can always be done in a single round. There is no 1-round VSS with t > 1, regardless of the number of players. The bounds on perfectly secure (not relying on a computational hardness assumption) and efficient (polynomial time) VSS protocols is given below.

Number of rounds	Security
1	t = 1, n > 4
2	n > 4t
3	n > 3t

Bibliography

T. Rabin and M. Ben-Or, Verifiable secret sharing and multiparty protocols with honest majority. In Proceedings of the Twenty-First Annual ACM Symposium on theory of Computing (Seattle, Washington, United States, May 14–17, 1989). doi : 10.1145/73007.73014
Rosario Gennaro, Yuval Ishai, Eyal Kushilevitz, Tal Rabin, The Round Complexity of Verifiable Secret Sharing and Secure Multicast. In Proceedings of the thirty-third annual ACM symposium on Theory of computing ( Hersonissos, Greece, Pages: 580 - 589, 2001 )
Matthias Fitzi, Juan Garay, Shyamnath Gollakota, C. Pandu Rangan, and Kannan Srinathan, Round-Optimal and Efficient Verifiable Secret Sharing. Theory of Cryptography, Third Theory of Cryptography Conference, TCC 2006, ( New York, NY, USA, March 4–7, 2006 )
Oded Goldreich, Secure multi-party computation
Josh Cohen Benaloh, Secret Sharing Homomorphisms: Keeping Shares of a Secret. Proceedings on Advances in cryptology, CRYPTO '86. pp. 251–260, 1987

Related Research Articles

In mathematics, the Chinese remainder theorem states that if one knows the remainders of the Euclidean division of an integer n by several integers, then one can determine uniquely the remainder of the division of n by the product of these integers, under the condition that the divisors are pairwise coprime.

In computational complexity theory, NP is a complexity class used to classify decision problems. NP is the set of decision problems for which the problem instances, where the answer is "yes", have proofs verifiable in polynomial time by a deterministic Turing machine, or alternatively the set of problems that can be solved in polynomial time by a nondeterministic Turing machine.

In mathematics, and more specifically in computer algebra, computational algebraic geometry, and computational commutative algebra, a Gröbner basis is a particular kind of generating set of an ideal in a polynomial ring $K [x 1, ..., x n]$ over a field $K$ . A Gröbner basis allows many important properties of the ideal and the associated algebraic variety to be deduced easily, such as the dimension and the number of zeros when it is finite. Gröbner basis computation is one of the main practical tools for solving systems of polynomial equations and computing the images of algebraic varieties under projections or rational maps.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

Secret sharing refers to methods for distributing a secret among a group, in such a way that no individual holds any intelligible information about the secret, but when a sufficient number of individuals combine their 'shares', the secret may be reconstructed. Whereas insecure secret sharing allows an attacker to gain more information with each share, secure secret sharing is 'all or nothing'.

In computational complexity theory, a complexity class is a set of computational problems "of related resource-based complexity". The two most commonly analyzed resources are time and memory.

Secure multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants, the cryptography in this model protects participants' privacy from each other.

In computational complexity theory, the class IP is the class of problems solvable by an interactive proof system. It is equal to the class PSPACE. The result was established in a series of papers: the first by Lund, Karloff, Fortnow, and Nisan showed that co-NP had multiple prover interactive proofs; and the second, by Shamir, employed their technique to establish that IP=PSPACE. The result is a famous example where the proof does not relativize.

In cryptography, a verifiable random function (VRF) is a public-key pseudorandom function that provides proofs that its outputs were calculated correctly. The owner of the secret key can compute the function value as well as an associated proof for any input value. Everyone else, using the proof and the associated public key, can check that this value was indeed calculated correctly, yet this information cannot be used to find the secret key.

Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties, each having an elliptic-curve public–private key pair, to establish a shared secret over an insecure channel. This shared secret may be directly used as a key, or to derive another key. The key, or the derived key, can then be used to encrypt subsequent communications using a symmetric-key cipher. It is a variant of the Diffie–Hellman protocol using elliptic-curve cryptography.

In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently. It is not known how to prove (unconditional) hardness for essentially any useful problem. Instead, computer scientists rely on reductions to formally relate the hardness of a new or complicated problem to a computational hardness assumption about a problem that is better-understood.

Distributed key generation (DKG) is a cryptographic process in which multiple parties contribute to the calculation of a shared public and private key set. Unlike most public key encryption models, distributed key generation does not rely on Trusted Third Parties. Instead, the participation of a threshold of honest parties determines whether a key pair can be computed successfully. Distributed key generation prevents single parties from having access to a private key. The involvement of many parties requires Distributed key generation to ensure secrecy in the presence of malicious contributions to the key calculation.

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol, cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that (i) can be verified publicly.

Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information among a group. The secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.

In cryptography, homomorphic secret sharing is a type of secret sharing algorithm in which the secret is encrypted via homomorphic encryption. A homomorphism is a transformation from one algebraic structure into another of the same type so that the structure is preserved. Importantly, this means that for every kind of manipulation of the original data, there is a corresponding manipulation of the transformed data.

Byzantine fault tolerant protocols are algorithms that are robust to arbitrary types of failures in distributed algorithms. The Byzantine agreement protocol is an essential part of this task. The constant-time quantum version of the Byzantine protocol, is described below.

In cryptography, the unbalanced oil and vinegar (UOV) scheme is a modified version of the oil and vinegar scheme designed by J. Patarin. Both are digital signature protocols. They are forms of multivariate cryptography. The security of this signature scheme is based on an NP-hard mathematical problem. To create and validate signatures, a minimal quadratic equation system must be solved. Solving $m$ equations with $n$ variables is NP-hard. While the problem is easy if $m$ is either much much larger or much much smaller than $n$ , importantly for cryptographic purposes, the problem is thought to be difficult in the average case when $m$ and $n$ are nearly equal, even when using a quantum computer. Multiple signature schemes have been devised based on multivariate equations with the goal of achieving quantum resistance.

Proactive secret sharing is an underlying technique in Proactive Security Protocols. It is a method to update distributed keys (shares) in a secret sharing scheme periodically such that an attacker has less time to compromise shares and as long as the attacker visits less than a threshold or a quorum group, the system remains secure. This contrasts to a non-proactive scheme where if the threshold number of shares are compromised during the lifetime of the secret, the secret is compromised. The model which takes time constraints into account was originally suggested as an extension of the notion of Byzantine fault tolerance where redundancy of sharing allows robustness into the time domain (periods) and was proposed by Rafail Ostrovsky and Moti Yung in 1991. The method has been used in the areas of cryptographic protocols in secure multi-party computation and in threshold cryptosystems.

Network coding has been shown to optimally use bandwidth in a network, maximizing information flow but the scheme is very inherently vulnerable to pollution attacks by malicious nodes in the network. A node injecting garbage can quickly affect many receivers. The pollution of network packets spreads quickly since the output of honest node is corrupted if at least one of the incoming packets is corrupted.

Verifiable computing enables a computer to offload the computation of some function, to other perhaps untrusted clients, while maintaining verifiable results. The other clients evaluate the function and return the result with a proof that the computation of the function was carried out correctly. The introduction of this notion came as a result of the increasingly common phenomenon of "outsourcing" computation to untrusted users in projects such as SETI@home and also to the growing desire to enable computationally-weak devices to outsource computational tasks to a more powerful computation service, as in cloud computing. The concept dates back to work by Babai et al., and has been studied under various terms, including "checking computations", "delegating computations", "certified computation", and verifiable computing. The term verifiable computing itself was formalized by Rosario Gennaro, Craig Gentry, and Bryan Parno, and echoes Micali's "certified computation".

References

↑ Krenn, Stephan; Loruenser, Thomas (2023). An Introduction to Secret Sharing: A Systematic Overview and Guide for Protocol Selection. doi:10.1007/978-3-031-28161-7. ISBN 978-3-031-28160-0. (also available at )
↑ Chor, Benny; Goldwasser, Shafi; Micali, Silvio; Awerbuch, Baruch (1985). "Verifiable secret sharing and achieving simultaneity in the presence of faults". 26th Annual Symposium on Foundations of Computer Science (SFCS 1985). pp. 383–395. doi:10.1109/SFCS.1985.64. ISBN 0-8186-0644-4. S2CID 12004245.
↑ Feldman, Paul (1987). "A practical scheme for non-interactive verifiable secret sharing". 28th Annual Symposium on Foundations of Computer Science (SFCS 1987). pp. 427–438. doi:10.1109/SFCS.1987.4. ISBN 0-8186-0807-2. S2CID 16283693.
↑ Pedersen, Torben Pryds (1992). "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing". In Feigenbaum, Joan (ed.). Advances in Cryptology — CRYPTO '91. Lecture Notes in Computer Science. Vol. 576. Berlin, Heidelberg: Springer. pp. 129–140. doi: 10.1007/3-540-46766-1_9 . ISBN 978-3-540-46766-3.

Notes

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Krenn, Stephan; Loruenser, Thomas (2023). An Introduction to Secret Sharing: A Systematic Overview and Guide for Protocol Selection. doi:10.1007/978-3-031-28161-7. ISBN 978-3-031-28160-0. (also available at )

[2] Chor, Benny; Goldwasser, Shafi; Micali, Silvio; Awerbuch, Baruch (1985). "Verifiable secret sharing and achieving simultaneity in the presence of faults". 26th Annual Symposium on Foundations of Computer Science (SFCS 1985). pp. 383–395. doi:10.1109/SFCS.1985.64. ISBN 0-8186-0644-4. S2CID 12004245.

[3] Feldman, Paul (1987). "A practical scheme for non-interactive verifiable secret sharing". 28th Annual Symposium on Foundations of Computer Science (SFCS 1987). pp. 427–438. doi:10.1109/SFCS.1987.4. ISBN 0-8186-0807-2. S2CID 16283693.

[4] Pedersen, Torben Pryds (1992). "Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing". In Feigenbaum, Joan (ed.). Advances in Cryptology — CRYPTO '91. Lecture Notes in Computer Science. Vol. 576. Berlin, Heidelberg: Springer. pp. 129–140. doi: 10.1007/3-540-46766-1_9 . ISBN 978-3-540-46766-3.

[1]

[2]

[3]

[4]