In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party (not just the participants of the protocol) can verify the validity of the shares distributed by the dealer.
In verifiable secret sharing (VSS) the objective is to resist malicious players, such as (i) a dealer sending incorrect shares to some or all of the participants, and (ii) participants submitting incorrect shares during the reconstruction protocol.
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares.
Hence, it is explicitly required that (i) can be verified publicly.
The method described here, following the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He, is non-interactive and maintains this property throughout the protocol.
The PVSS scheme dictates an initialization process. Excluding the initialization process, the PVSS consists of two phases.

1. Distribution of secret shares is performed by the dealer. $\mathrm{proof}_D$ guarantees that the reconstruction protocol will result in the same
2. Verification of the shares.

1. Decryption of the shares (note: fault-tolerance can be allowed here: it is not required that all participants succeed in decrypting their share, as long as a qualified set of participants succeeds in decrypting).
2. Pooling the shares.

A protocol has been proposed for proving $\log_{g_1} h_1 = \log_{g_2} h_2$. Denote this protocol as $\mathrm{dleq}(g_1,h_1,g_2,h_2)$. A generalization of $\mathrm{dleq}(g_1,h_1,g_2,h_2)$ is denoted as $\mathrm{dleq}$. The Chaum-Pedersen protocol is an interactive method and needs some modification to be used in a non-interactive way: the randomly chosen challenge is replaced by the output of a 'secure hash' function applied to an input value.
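The DLEQ proof and its hash-based (Fiat-Shamir) non-interactive form described above, as an added example that is not part of the article or of the Tang, Pei, Liu and He paper: a Python implementation in a toy-sized prime-order group, together with one way a PVSS dealer can produce $\mathrm{proof}_D$ and a participant can prove an honest decryption. The share-encryption form $Y_i = y_i^{s_i}$ (Schoenmakers-style PVSS), the function names `make_group`, `dleq_prove`, `dleq_verify`, `dealer_publish` and `participant_decrypt`, and the choice to hash all public values plus both commitments are assumptions of this example, not something the article specifies.

```python
# Added example (not the article's or the paper's code): non-interactive
# Chaum-Pedersen DLEQ proof (verifier's random challenge replaced by a hash)
# and its assumed use by a PVSS dealer and participant. The group is a
# toy-sized safe prime so the example runs instantly; not secure parameters.
import hashlib
import secrets

def _is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def make_group(start=1 << 20):
    """Return (p, q, g): safe prime p = 2q + 1 with q >= start, g of order q."""
    q = start | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, pow(2, 2, p)  # any square other than 1 has prime order q

def _challenge(p, q, *elems):
    """Fiat-Shamir challenge: hash every public value, reduce mod q."""
    width = (p.bit_length() + 7) // 8
    h = hashlib.sha256()
    for e in elems:
        h.update(e.to_bytes(width, "big"))
    return int.from_bytes(h.digest(), "big") % q

def dleq_prove(group, x, g1, h1, g2, h2):
    """Prove log_g1(h1) == log_g2(h2) == x without revealing x; returns (c, s)."""
    p, q, _ = group
    r = secrets.randbelow(q - 1) + 1              # prover's random nonce
    a1, a2 = pow(g1, r, p), pow(g2, r, p)         # commitments
    c = _challenge(p, q, g1, h1, g2, h2, a1, a2)  # replaces the verifier's challenge
    s = (r - c * x) % q                           # response
    return c, s

def dleq_verify(group, g1, h1, g2, h2, proof):
    """Anyone holding the public values can check the proof."""
    p, q, _ = group
    c, s = proof
    if not (0 <= c < q and 0 <= s < q):
        return False
    for y in (g1, h1, g2, h2):                    # reject values outside the order-q subgroup
        if not (0 < y < p and pow(y, q, p) == 1):
            return False
    a1 = pow(g1, s, p) * pow(h1, c, p) % p        # equals g1^r for an honest prover
    a2 = pow(g2, s, p) * pow(h2, c, p) % p
    return c == _challenge(p, q, g1, h1, g2, h2, a1, a2)

def dealer_publish(group, y_i, s_i):
    """Dealer: commit to share s_i, encrypt it to public key y_i, attach proof_D.
    Assumed encryption form: Y_i = y_i^s_i (Schoenmakers-style PVSS)."""
    p, _, g = group
    X_i = pow(g, s_i, p)                          # public commitment to the share
    Y_i = pow(y_i, s_i, p)                        # encrypted share
    proof_D = dleq_prove(group, s_i, g, X_i, y_i, Y_i)
    return X_i, Y_i, proof_D

def participant_decrypt(group, sk_i, Y_i):
    """Participant: recover g^s_i from Y_i = (g^s_i)^sk_i and prove it was done honestly."""
    p, q, g = group
    X_i = pow(Y_i, pow(sk_i, -1, q), p)           # strip the private exponent
    proof_P = dleq_prove(group, sk_i, g, pow(g, sk_i, p), X_i, Y_i)
    return X_i, proof_P

def demo():
    """Honest dealer verifies; mismatched ciphertext fails; participant decrypts and proves."""
    group = make_group()
    p, q, g = group
    sk_i = secrets.randbelow(q - 1) + 1           # participant's registered key pair
    y_i = pow(g, sk_i, p)
    s_i = secrets.randbelow(q - 1) + 1            # constructed sample share
    X_i, Y_i, proof_D = dealer_publish(group, y_i, s_i)
    dealer_ok = dleq_verify(group, g, X_i, y_i, Y_i, proof_D)
    bad_Y = pow(y_i, s_i + 1, p)                  # ciphertext not matching the commitment
    cheat_ok = dleq_verify(group, g, X_i, y_i, bad_Y, proof_D)
    dec_X, proof_P = participant_decrypt(group, sk_i, Y_i)
    participant_ok = dec_X == X_i and dleq_verify(group, g, y_i, dec_X, Y_i, proof_P)
    return dealer_ok, cheat_ok, participant_ok
```

`demo()` returns `(True, False, True)`: the honest dealer's proof checks, a ciphertext that does not match the commitment is rejected by any verifier, and the participant's decryption proof checks. Two details matter for the public verifiability the article describes: the hash must bind every public value and both commitments, otherwise a proof for one statement could be replayed for another, and the verifier must reject group elements outside the order-$q$ subgroup before doing any exponentiation.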