We all know Shamir’s -Secret Sharing Scheme: A dealer fixes a group and selects a random polynomial of degree at most over this group. He sets the constant coefficient equal to your secret , then distributes arbitrary evaluations of this polynomial as shares to the parties. Any subset of parties can pool their shares and reconstruct the polynomial via Lagrange interpolation.

What if we don’t want to trust the dealer nor the parties? Feldman’s Verifiable Secret Sharing Scheme allows the dealer to publish, in addition to the regular Shamir-shares, a generator of the group along with *proofs* or *commitments* for each coefficient of the polynomial . Each party can verify that his share is correct by testing whether

.

However, the shares are still private. What if we want *everyone* to be able to verify the correctness of all shares without knowing what the shares are? This is achieved by a Publicly Verifiable Secret Sharing Scheme, such as the one developed by Berry Schoenmaker, assuming the discrete log problem is hard.

Continue reading “A Publicly Verifiable Secret Sharing Scheme”