Verifiable secret sharing

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. (In standard secret sharing, the dealer is assumed to be honest.)[1] The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.[2]

In a VSS protocol a distinguished player who wants to share the secret is referred to as the dealer. The protocol consists of two phases: a sharing phase and a reconstruction phase.

Sharing: Initially the dealer holds secret as input and each player holds an independent random input. The sharing phase may consist of several rounds. At each round each player can privately send messages to other players and can also broadcast a message. Each message sent or broadcast by a player is determined by its input, its random input and messages received from other players in previous rounds.

Reconstruction: In this phase each player provides its entire view from the sharing phase and a reconstruction function is applied and is taken as the protocol's output.

An alternative definition given by Oded Goldreich defines VSS as a secure multi-party protocol for computing the randomized functionality corresponding to some (non-verifiable) secret sharing scheme. This definition is stronger than that of the other definitions and is very convenient to use in the context of general secure multi-party computation.

Verifiable secret sharing is important for secure multiparty computation. Multiparty computation is typically accomplished by making secret shares of the inputs, and manipulating the shares to compute some function. To handle "active" adversaries (that is, adversaries that corrupt nodes and then make them deviate from the protocol), the secret sharing scheme needs to be verifiable to prevent the deviating nodes from throwing off the protocol.

  1. ^ Krenn, Stephan; Loruenser, Thomas (2023). An Introduction to Secret Sharing: A Systematic Overview and Guide for Protocol Selection. doi:10.1007/978-3-031-28161-7. ISBN 978-3-031-28160-0. (also available at [1])
  2. ^ Chor, Benny; Goldwasser, Shafi; Micali, Silvio; Awerbuch, Baruch (1985). "Verifiable secret sharing and achieving simultaneity in the presence of faults". 26th Annual Symposium on Foundations of Computer Science (SFCS 1985). pp. 383–395. doi:10.1109/SFCS.1985.64. ISBN 0-8186-0644-4. S2CID 12004245.