On publicly verifiable secret sharing schemes

Secret sharing allows a dealer to distribute shares of a secret to a set of parties such that only so-called authorised subsets of these parties can recover the secret, whilst forbidden sets gain at most some restricted amount of information. This idea has been built upon in verifiable secret sharing to allow parties to verify that their shares are valid and will therefore correctly reconstruct the same secret. This can then be further extended to publicly verifiable secret sharing by firstly considering only public channels of communication, hence imposing the need for encryption of the shares, and secondly by requiring that any party be able to verify any other parties shares from the public encryption. In this thesis we work our way up from the original secret sharing scheme by Shamir to examples of various approaches of publicly verifiable schemes. Due to the need for encryption in private communication, different cryptographic methods allow for certain interesting advantages in the schemes. We review some important existing methods and their significant properties of interest, such as being homomorphic or efficiently verifiable. We also consider recent improvements in these schemes and make a contribution by showing that an encryption scheme by Castagnos and Laguillaumie allows for a publicly verifiable secret sharing scheme to have some interesting homomorphic properties. To explore further we look at generalisations to the recently introduced idea of Abelian secret sharing, and we consider some examples of such constructions. Finally we look at some applications of secret sharing schemes, and present our own implementation of Schoenmaker’s scheme in Python, along with a voting system on which it is based

Non-Interactive and Information-Theoretic Secure Publicly Verifiable Secret Sharing

A publicly verifiable secret sharing scheme is more applicable than a verifiable secret sharing because of the property that the validity of the shares distributed by the dealer can be verified by any party. In this paper, we construct a non-interactive and information-theoretic publicly verifiable secret sharing by a computationally binding and unconditionally hiding commitment scheme and zero-knowledge proof of knowledge

A New PVSS Scheme with a Simple Encryption Function

A Publicly Verifiable Secret Sharing (PVSS) scheme allows anyone to verify the validity of the shares computed and distributed by a dealer. The idea of PVSS was introduced by Stadler in [18] where he presented a PVSS scheme based on Discrete Logarithm. Later, several PVSS schemes were proposed. In [2], Behnad and Eghlidos present an interesting PVSS scheme with explicit membership and disputation processes. In this paper, we present a new PVSS having the advantage of being simpler while offering the same features.Comment: In Proceedings SCSS 2012, arXiv:1307.8029. This PVSS scheme was proposed to be used to provide a distributed Timestamping schem

A Practical (Non-interactive) Publicly Verifiable Secret Sharing Scheme

A publicly verifiable secret sharing (PVSS) scheme, proposed by Stadler in \cite{DBLP:conf/eurocrypt/Stadler96}, is a VSS scheme in which anyone, not only the shareholders, can verify that the secret shares are correctly distributed. PVSS can play essential roles in the systems using VSS. Achieving simultaneously the following two features for PVSS is a challenging job: \begin{itemize} \item Efficient non-interactive public verification. \item Proving security for the public verifiability in the standard model. \end{itemize} In this paper we propose a $(t, n)$-threshold PVSS scheme which satisfies both of these properties. Efficiency of the non-interactive public verification step of the proposed scheme is optimal (in terms of computations of bilinear maps (pairing)) while comparing with the earlier solution by \cite{DBLP:conf/sacrypt/HeidarvandV08}. In public verification step of \cite{DBLP:conf/sacrypt/HeidarvandV08}, one needs to compute $2n$ many pairings, where $n$ is the number of shareholders, whereas in our scheme the number of pairing computations is $4$ only. This count is irrespective of the number of shareholders. We also provide a formal proof for the semantic security (IND) of our scheme based on the hardness of a problem that we call the $(n,t)$-multi-sequence of exponents Diffie-Hellman problem (MSE-DDH). This problem falls under the general Diffie-Hellman exponent problem framework \cite{DBLP:conf/eurocrypt/BonehBG05}

Optimistic Fair Exchange based on Publicly Verifiable Secret Sharing

In this paper we propose an optimistic two-party fair exchange protocol which does not rely on a centralized trusted third party. Instead, the fairness of the protocol relies on the honesty of part of the neighbor participants. This new concept, which is based on a generic verifiable secret sharing scheme, is particularly relevant in networks where centralized authority can neither be used on-line nor off-line

Publicly Verifiable Secret Sharing over Class Groups and Applications to DKG and YOSO

Publicly Verifiable Secret Sharing (PVSS) allows a dealer to publish encrypted shares of a secret so that parties holding the corresponding decryption keys may later reconstruct it. Both dealing and reconstruction are non-interactive and any verifier can check their validity. PVSS finds applications in randomness beacons, distributed key generation (DKG) and in YOSO MPC (Gentry et al. CRYPTO\u2721), when endowed with suitable publicly verifiable re-sharing as in YOLO YOSO (Cascudo et al. ASIACRYPT\u2722). We introduce a PVSS scheme over class groups that achieves similar efficiency to state-of-the art schemes that only allow for reconstructing a function of the secret, while our scheme allows the reconstruction of the original secret. Our construction generalizes the DDH-based scheme of YOLO YOSO to operate over class groups, which poses technical challenges in adapting the necessary NIZKs in face of the unknown group order and the fact that efficient NIZKs of knowledge are not as simple to construct in this setting. Building on our PVSS scheme\u27s ability to recover the original secret, we propose two DKG protocols for discrete logarithm key pairs: a biasable 1-round protocol, which improves on the concrete communication/computational complexities of previous works; and a 2-round unbiasable protocol, which improves on the round complexity of previous works. We also add publicly verifiable resharing towards anonymous committees to our PVSS, so that it can be used to efficiently transfer state among committees in the YOSO setting. Together with a recent construction of MPC in the YOSO model based on class groups (Braun et al. CRYPTO\u2723), this results in the most efficient full realization (i.e without assuming receiver anonymous channels) of YOSO MPC based on the CDN framework with transparent setup

Practical Non-interactive Publicly Verifiable Secret Sharing with Thousands of Parties

Non-interactive publicly verifiable secret sharing (PVSS) schemes enables (re-)sharing of secrets in a decentralized setting in the presence of malicious parties. A recently proposed application of PVSS schemes is to enable permissionless proof-of-stake blockchains to ``keep a secret via a sequence of committees that share that secret. These committees can use the secret to produce signatures on the blockchain\u27s behalf, or to disclose hidden data conditioned on consensus that some event has occurred. That application needs very large committees with thousands of parties, so the PVSS scheme in use must be efficient enough to support such large committees, in terms of both computation and communication. Yet, previous PVSS schemes have large proofs and/or require many exponentiations over large groups. We present a non-interactive PVSS scheme in which the underlying encryption scheme is based on the learning with errors (LWE) problem. While lattice-based encryption schemes are very fast, they often have long ciphertexts and public keys. We use the following two techniques to conserve bandwidth: First, we adapt the Peikert-Vaikuntanathan-Waters (PVW) encryption scheme to the multi-receiver setting, so that the bulk of the parties\u27 keys is a common random string. The resulting scheme yields $\Omega(1)$ amortized plaintext/ciphertext rate, where concretely the rate is $\approx 1/60$ for 100 parties, $\approx 1/8$ for 1000 parties, and approaching 1/2 as the number of parties grows. Second, we use bulletproofs over a DL-group of order about 256 bits to get compact proofs of correct encryption/decryption of shares. Alternating between the lattice and DL settings is relatively painless, as we equate the LWE modulus with the order of the group. We also show how to reduce the the number of exponentiations in the bulletproofs by applying Johnson-Lindenstrauss-like compression to reduce the dimension of the vectors whose properties must be verified. An implementation of our PVSS with 1000 parties showed that it is feasible even at that size, and should remain so even with one or two order of magnitude increase in the committee size