Mersenne's laws

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party involved can verify the validity of the shares distributed by the dealer. 36 year-old Diving Instructor (Open water ) Vancamp from Kuujjuaq, spends time with pursuits for instance gardening, public listed property developers in singapore developers in singapore and cigar smoking. Of late took some time to go China Danxia.

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.

Initialization

The PVSS scheme dictates an initialization process in which:

1. All system parameters are generated.
2. Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:

Distribution

1.Distribution of secret ${\displaystyle s}$ shares is performed by the dealer ${\displaystyle D}$, which does the following:

• The dealer creates ${\displaystyle s_1,s_2...s_n}$ for each participant ${\displaystyle P_1,P_2...P_n}$ respectively.
• The dealer publishes the encrypted share ${\displaystyle E_i(s_i)}$ for each ${\displaystyle P_i}$.
• The dealer also publishes a string ${\displaystyle {\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{o}\mathrm{f}}_D}$ to show that each ${\displaystyle E_i}$ encrypts ${\displaystyle s_i}$

(note: ${\displaystyle {\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{o}\mathrm{f}}_D}$ guarantees that the reconstruction protocol will result in the same ${\displaystyle s}$.

2. Verification of the shares:

• Anybody knowing the public keys for the encryption methods ${\displaystyle E_i}$, can verify the shares.
• If one or more verifications fails the dealer fails and the protocol is aborted.

Reconstruction

1. Decryption of the shares:

• The Participants ${\displaystyle P_i}$ decrypts their share of the secret ${\displaystyle s_i}$ using ${\displaystyle E_i(s_i)}$.

(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting ${\displaystyle E_i(s_i)}$ as long as a qualified set of participants are successful to decrypt ${\displaystyle s_i}$).

• The participant release ${\displaystyle s_i}$ plus a string ${\displaystyle {\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{o}\mathrm{f}}_{P_i}}$ this shows the released share is correct.

2. Pooling the shares:

• Using the strings ${\displaystyle {\mathrm{p}\mathrm{r}\mathrm{o}\mathrm{o}\mathrm{f}}_{P_i}}$ to exclude the participants which are dishonest or failed to decrypt ${\displaystyle E_i(s_i)}$.
• Reconstruction ${\displaystyle s}$ can be done from the shares of any qualified set of participants.

Chaums and Pedersen Scheme

A proposed protocol proving: ${\displaystyle {\log }_{{g1}_{}}{h}_1={\log }_{{g2}_{}}{h}_2}$ :

1. The prover chooses a random ${\displaystyle r\in {\mathrm{Z}}_{q^{*}}}$
2. The verifier send a random challenge ${\displaystyle c{\in }_R{\mathrm{Z}}_q}$
3. The prover responds with ${\displaystyle s=r-cx(\mathrm{m}\mathrm{o}\mathrm{d}q)}$
4. The verifier checks ${\displaystyle {\alpha }_1=g_1^s{h}_1^c}$ and ${\displaystyle {\alpha }_2=g_2^s{h}_2^c}$

Denote this protocol as: ${\displaystyle \mathrm{d}\mathrm{l}\mathrm{e}\mathrm{q}(g_1,h_1,g_2,h_2)}$
A generalization of ${\displaystyle \mathrm{d}\mathrm{l}\mathrm{e}\mathrm{q}(g_1,h_1,g_2,h_2)}$ is denoted as: ${\displaystyle \text{dleq}(X,Y,g_1,h_1,g_2,h_2)}$ where as: ${\displaystyle X=g_1^{x_1}{g}_2^{x_2}}$ and ${\displaystyle Y=h_1^{x_1}{h}_2^{x_2}}$:

1. The prover chooses a random ${\displaystyle r_1,r_2\in Z_q^{*}}$ and sends ${\displaystyle t_1=g_1^{r_1}{g}_2^{r_2}}$ and ${\displaystyle t_2=h_1^{r_1}{h}_2^{r_2}}$
2. The verifier send a random challenge ${\displaystyle c{\in }_R{\mathrm{Z}}_q}$.
3. The prover responds with ${\displaystyle s_1=r_1-c{x}_1(\mathrm{m}\mathrm{o}\mathrm{d}q)}$ , ${\displaystyle s_2=r_2-c{x}_2(\mathrm{m}\mathrm{o}\mathrm{d}q)}$.
4. The verifier checks ${\displaystyle t_1=X^c{g}_1^{s_1}{g}_2^{s_2}}$ and ${\displaystyle t_2=Y^c{h}_1^{s_1}{h}_2^{s_2}}$

The Chaums and Pedersen method is an interactive method and needs some modification to be used in a non-interactive way: Replacing the randomly chosen ${\displaystyle c}$ by a 'secure hash' function with ${\displaystyle m}$ as input value.

See also

• Verifiable secret sharing

References

• Markus Stadler, Publicly Verifiable Secret Sharing
• Berry Schoenmakers, A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting, Advances in Cryptology—CRYPTO, 1999, pp. 148–164