In a VSS protocol a distinguished player who wants to share the secret is referred to as the dealer. The protocol consists of two phases: a sharing phase and a reconstruction phase.
Sharing: Initially the dealer holds the secret as input and each player holds an independent random input. The sharing phase may consist of several rounds. In each round, each player can privately send messages to other players and can also broadcast a message. Each message sent or broadcast by a player is determined by its input, its random input and the messages received from other players in previous rounds.
Reconstruction: In this phase each player provides its entire view from the sharing phase, and a reconstruction function is applied; its result is taken as the protocol's output.
An alternative definition given by Oded Goldreich defines VSS as a secure multi-party protocol for computing the randomized functionality corresponding to some (non-verifiable) secret sharing scheme. This definition is stronger than the other definitions and is very convenient to use in the context of general secure multi-party computation.
Verifiable secret sharing is important for secure multiparty computation. Multiparty computation is typically accomplished by making secret shares of the inputs, and manipulating the shares in order to compute some function. In order to handle "active" adversaries (that is, adversaries that corrupt nodes and then make them deviate from the protocol), the secret sharing scheme needs to be verifiable in order to prevent the deviating nodes from throwing off the protocol.
First, a cyclic group G of prime order p, along with a generator g of G, is chosen publicly as a system parameter. (Typically, one takes (a subgroup of) (Z_q)^×.) Assume the discrete logarithm problem is hard in G.
The dealer then computes (and keeps secret) a random polynomial P of degree t with coefficients in Z_p, such that P(0) = s, where s is the secret. Each of the n share holders will receive a value P(1), ..., P(n) modulo p. Any t+1 share holders can recover the secret s by using polynomial interpolation modulo p, but any set of at most t share holders cannot. (In fact, at this point any set of at most t share holders has no information about s.)
So far, this is exactly Shamir's scheme. In order to make these shares verifiable, the dealer distributes commitments to the coefficients of P. If P(x) = s + a_1 x + ... + a_t x^t, then the commitments that must be given are:
Once these are given, any party can verify their share. For instance, to verify that v = P(i) modulo p, party i can check that
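As an added example (not part of the original page), the Python sketch below runs the scheme described above end to end: dealing, share verification against the commitments, and reconstruction. The commitment and check formulas are missing from this copy of the page, so the code assumes the usual form c_j = g^(a_j) with the check g^v = product of c_j^(i^j); the group parameters and all function names are constructed for illustration.

```python
import secrets

# Toy parameters, constructed for illustration only (far too small for real use).
Q = 2039   # prime modulus, Q = 2*P + 1
P = 1019   # prime order p of the subgroup G
G = 4      # generator g of the order-P subgroup of (Z_Q)^x

def eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, modulo P (Horner)."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % P
    return y

def deal(secret, t, n):
    """Dealer: pick a random degree-t polynomial with P(0) = secret (needs n < P)."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t)]
    shares = {i: eval_poly(coeffs, i) for i in range(1, n + 1)}
    commitments = [pow(G, a, Q) for a in coeffs]   # assumed form: c_j = g^(a_j)
    return shares, commitments

def verify_share(i, v, commitments):
    """Party i: accept v only if g^v equals the product of c_j^(i^j) in G."""
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(i, j, P), Q) % Q
    return pow(G, v, Q) == rhs

def reconstruct(points):
    """Recover P(0) from t+1 pairs {i: v} by Lagrange interpolation modulo P."""
    s = 0
    for i, v in points.items():
        num = den = 1
        for k in points:
            if k != i:
                num = num * (-k) % P
                den = den * (i - k) % P
        s = (s + v * num * pow(den, -1, P)) % P
    return s

if __name__ == "__main__":
    shares, comms = deal(secret=321, t=2, n=5)
    print(all(verify_share(i, v, comms) for i, v in shares.items()))
    print(verify_share(1, (shares[1] + 1) % P, comms))   # altered share is rejected
    print(reconstruct({i: shares[i] for i in (1, 3, 5)}))
```

Note that the first commitment reveals g^s, so the secret is hidden only under the discrete-logarithm assumption stated above, not unconditionally as in plain Shamir sharing.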
The following 5 steps verify the integrity of the dealer to the share holders:
The secret s remains safe and unexposed.
These 5 steps are repeated for a small number of iterations in order to establish the dealer's integrity with high probability.
Diagnosis 1: Because the degree of the polynomial is less than or equal to t and because the dealer reveals the other polynomials (step 4), the degree of the polynomial P must be less than or equal to t (second observation case 1, with high probability when these steps are repeated in different iterations).
Diagnosis 2: One of the parameters for the problem was to avoid exposing the secret which we are attempting to verify. This property is kept through the use of an algebraic homomorphism to perform validation. (A set of random polynomials of degree at most t together with a set of sums of P and other polynomials of degree at most t gives no useful information about P.)
Using the technique of verifiable secret sharing one can solve the election problem that will be described here.
In the election problem each voter can vote 0 (to oppose) or 1 (in favor), and the sum of all votes determines the election's result. For the election to be carried out, the following conditions must be fulfilled:
If using verifiable secret sharing, n tellers will replace the single election administrator. Each voter will distribute one share of its secret vote to every one of the n tellers. This way the privacy of the voter is preserved and the first condition is satisfied.
Reconstruction of the election's result is easy, if there exist enough k
| Number of rounds | Security |
|---|---|
| 1 | t = 1, n > 4 |
| 2 | n > 4t |
| 3 | n > 3t |