http://en.zaoniao.it/index.php?action=history&feed=atom&title=Publicly_Verifiable_Secret_SharingPublicly Verifiable Secret Sharing - Revision history2026-05-15T12:36:22ZRevision history for this page on the wikiMediaWiki 1.32.0http://en.zaoniao.it/index.php?title=Publicly_Verifiable_Secret_Sharing&diff=2457&oldid=prevAdmin: Created page with "In cryptography, a secret sharing scheme is '''publicly verifiable''' (PVSS) if it is a verifiable secret sharing scheme and if any party involved can verify the v..."2019-03-23T07:27:28Z<p>Created page with "In <a href="/index.php?title=Cryptography&action=edit&redlink=1" class="new" title="Cryptography (page does not exist)">cryptography</a>, a <a href="/index.php?title=Secret_sharing&action=edit&redlink=1" class="new" title="Secret sharing (page does not exist)">secret sharing</a> scheme is '''publicly verifiable''' (PVSS) if it is a <a href="/index.php?title=Verifiable_secret_sharing&action=edit&redlink=1" class="new" title="Verifiable secret sharing (page does not exist)">verifiable secret sharing</a> scheme and if any party involved can verify the v..."</p>
<p><b>New page</b></p><div>In [[cryptography]], a [[secret sharing]] scheme is '''publicly verifiable''' (PVSS) if it is a [[verifiable secret sharing]] scheme and if any party involved can verify the validity of the shares distributed by the dealer.<br />
<br />
The method introduced here according to the paper by [http://eprint.iacr.org/2004/201.ps Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He] is non-interactive and maintains this property throughout the protocol.<br />
<br />
==Initialization==<br />
The PVSS scheme dictates an initialization process in which: <br />
#All system parameters are generated.<br />
#Each participant must have a registered public key.<br />
<br />
Excluding the initialization process, the PVSS consists of two phases:<br />
<br />
==Distribution==<br />
1.Distribution of secret <math>s</math> shares is performed by the dealer <math>D</math>, which does the following:<br />
* The dealer creates <math>s_{1},s_{2}...s_{n}</math> for each participant <math>P_{1},P_{2}...P_{n}</math> respectively.<br />
* The dealer publishes the encrypted share <math>E_{i}(s_{i})</math> for each <math>P_{i}</math>.<br />
* The dealer also publishes a string <math>\mathrm{proof}_{D}</math> to show that each <math>E_{i}</math> encrypts <math>s_{i}</math><br />
(note: <math>\mathrm{proof}_{D}</math> guarantees that the reconstruction protocol will result in the same <math>s</math>.<br />
<br />
2. Verification of the shares:<br />
* Anybody knowing the public keys for the encryption methods <math>E_{i}</math>, can verify the shares.<br />
* If one or more verifications fails the dealer fails and the protocol is aborted.<br />
<br />
==Reconstruction==<br />
1. Decryption of the shares:<br />
* The Participants <math>P_{i}</math> decrypts their share of the secret <math>s_{i}</math> using <math>E_{i}(s_{i})</math>.<br />
(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting <math>E_{i}(s_{i})</math> as long as a qualified set of participants are successful to decrypt <math>s_{i}</math>).<br />
* The participant release <math>s_{i}</math> plus a string <math>\mathrm{proof}_{P_{i}}</math> this shows the released share is correct.<br />
<br />
2. Pooling the shares:<br />
* Using the strings <math>\mathrm{proof}_{P_{i}}</math> to exclude the participants which are dishonest or failed to decrypt <math>E_{i}(s_{i})</math>.<br />
* Reconstruction <math>s</math> can be done from the shares of any qualified set of participants.<br />
<br />
==Chaums and Pedersen Scheme==<br />
A proposed protocol proving: <math>\log_{_{g1}}h_{1} = \log_{_{g2}}h_{2}</math> :<br />
#The prover chooses a random <math>r\in \boldsymbol{\Zeta}_{q^*} </math><br />
#The verifier send a random challenge <math>c \in _{R}\boldsymbol{\Zeta}_{q} </math><br />
#The prover responds with <math>s = r - c x(\mathrm{mod}\,q)</math><br />
#The verifier checks <math>\alpha_1 = g_{1}^s h_{1}^c </math> and <math>\alpha_2 = g_{2}^s h_{2}^c </math><br />
<br />
Denote this protocol as: <math>\mathrm{dleq}(g_1, h_1,g_2,h_2)</math><br /><br />
A generalization of <math>\mathrm{dleq}(g_1, h_1,g_2,h_2)</math> is denoted as: <math>\text{dleq}(X, Y, g_1, h_1,g_2,h_2)</math> where as: <math>X = g_{1}^{x_1}g_{2}^{x_2}</math> and <math>Y = h_{1}^{x_1}h_{2}^{x_2}</math>:<br />
#The prover chooses a random <math> r_1,r_2 \in Z_{q}^*</math> and sends <math>t_1 = g_{1}^{r_1} g_{2}^{r_2}</math> and <math>t_2 = h_{1}^{r_1} h_{2}^{r_2}</math><br />
#The verifier send a random challenge <math>c \in _{R}\boldsymbol{\Zeta}_{q} </math>.<br />
#The prover responds with <math>s_1 = r_1 - cx_1 (\mathrm{mod}\,q) </math> , <math>s_2 = r_2 - cx_2 (\mathrm{mod}\,q) </math>.<br />
#The verifier checks <math>t_1 = X^c g_{1}^{s_1}g_{2}^{s_2}</math> and <math>t_2 = Y^c h_{1}^{s_1}h_{2}^{s_2}</math><br />
<br />
The Chaums and Pedersen method is an interactive method and needs some modification to be used in a non-interactive way:<br />
Replacing the randomly chosen <math>c</math> by a 'secure hash' function with <math>m</math> as input value.<br />
<br />
<br />
==Source==<br />
[http://wikipedia.org/ http://wikipedia.org/]<br />
<br />
[[Category:Cryptography]]</div>Admin