We all know Shamir’s -Secret Sharing Scheme: A dealer fixes a group
and selects a random polynomial
of degree at most
over this group. He sets the constant coefficient equal to your secret
, then distributes
arbitrary evaluations of this polynomial as shares to the
parties. Any subset of
parties can pool their shares and reconstruct the polynomial via Lagrange interpolation.
What if we don’t want to trust the dealer nor the parties? Feldman’s Verifiable Secret Sharing Scheme allows the dealer to publish, in addition to the regular Shamir-shares, a generator of the group
along with
proofs or commitments
for each coefficient of the polynomial
. Each party can verify that his share is correct by testing whether
.
However, the shares are still private. What if we want everyone to be able to verify the correctness of all shares without knowing what the shares are? This is achieved by a Publicly Verifiable Secret Sharing Scheme, such as the one developed by Berry Schoenmaker, assuming the discrete log problem is hard.
Continue reading “A Publicly Verifiable Secret Sharing Scheme”