# Publicly Verifiable Secret Sharing

In cryptography, a secret sharing scheme is **publicly verifiable** (PVSS) if it is a verifiable secret sharing scheme and if any party involved can verify the validity of the shares distributed by the dealer.

The method introduced here according to the paper by Chunming Tang, Dingyi Pei, Zhuo Liu, and Yong He is non-interactive and maintains this property throughout the protocol.

## Contents

## Initialization[edit]

The PVSS scheme dictates an initialization process in which:

- All system parameters are generated.
- Each participant must have a registered public key.

Excluding the initialization process, the PVSS consists of two phases:

## Distribution[edit]

1.Distribution of secret shares is performed by the dealer , which does the following:

- The dealer creates for each participant respectively.
- The dealer publishes the encrypted share for each .
- The dealer also publishes a string to show that each encrypts

(note: guarantees that the reconstruction protocol will result in the same .

2. Verification of the shares:

- Anybody knowing the public keys for the encryption methods , can verify the shares.
- If one or more verifications fails the dealer fails and the protocol is aborted.

## Reconstruction[edit]

1. Decryption of the shares:

- The Participants decrypts their share of the secret using .

(note: fault-tolerance can be allowed here: it's not required that all participants succeed in decrypting as long as a qualified set of participants are successful to decrypt ).

- The participant release plus a string this shows the released share is correct.

2. Pooling the shares:

- Using the strings to exclude the participants which are dishonest or failed to decrypt .
- Reconstruction can be done from the shares of any qualified set of participants.

## Chaums and Pedersen Scheme[edit]

A proposed protocol proving: :

- The prover chooses a random
- The verifier send a random challenge
- The prover responds with
- The verifier checks and

Denote this protocol as:

A generalization of is denoted as: where as: and :

- The prover chooses a random and sends and
- The verifier send a random challenge .
- The prover responds with , .
- The verifier checks and

The Chaums and Pedersen method is an interactive method and needs some modification to be used in a non-interactive way: Replacing the randomly chosen by a 'secure hash' function with as input value.

## Source[edit]

## See Also on BitcoinWiki[edit]