Verifiable secret sharing

In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct.
The concept of verifiable secret sharing was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch.
In a VSS protocol a distinguished player who wants to share the secret is referred to as the dealer. The protocol consists of two phases: a sharing phase and a reconstruction phase.
Sharing: Initially the dealer holds secret as input and each player holds an independent random input. The sharing phase may consist of several rounds. At each round each player can privately send messages to other players and can also broadcast a message. Each message sent or broadcast by a player is determined by its input, its random input and messages received from other players in previous rounds.
Reconstruction: In this phase each player provides its entire view from the sharing phase and a reconstruction function is applied and is taken as the protocol's output.
An alternative definition given by Oded Goldreich defines VSS as a secure multi-party protocol for computing the randomized functionality corresponding to some secret sharing scheme. This definition is stronger than that of the other definitions and is very convenient to use in the context of general secure multi-party computation.
Verifiable secret sharing is important for secure multiparty computation. Multiparty computation is typically accomplished by making secret shares of the inputs, and manipulating the shares to compute some function. To handle "active" adversaries, the secret sharing scheme needs to be verifiable to prevent the deviating nodes from throwing off the protocol.

Feldman's scheme

A commonly used example of a simple VSS scheme is the protocol by Paul Feldman, which is based on Shamir's secret sharing scheme combined with any encryption scheme which satisfies a specific homomorphic property.
The following description gives the general idea, but is not secure as written.
First, a cyclic group G of prime order q, along with a generator g of G, is chosen publicly as a system parameter. The group G must be chosen such that computing discrete logarithms is hard in this group.
The dealer then computes a random polynomial P of degree t with coefficients in Z_q, such that, where s is the secret. Each of the n share holders will receive a value P,..., P modulo q. Any share holders can recover the secret s by using polynomial interpolation modulo q, but any set of at most t share holders cannot.
So far, this is exactly Shamir's scheme. To make these shares verifiable, the dealer distributes commitments to the coefficients of P modulo q. If P = s + a₁x +... + a_tx^t, then the commitments that must be given are:c₀ = g^s,c₁ = g^a₁,

...c_t = g^a_t.

Once these are given, any party can verify their share. For instance, to verify that modulo q, party i can check that
This scheme is, at best, secure against computationally bounded adversaries, namely the intractability of computing discrete logarithms. Pedersen proposed later a scheme where no information about the secret is revealed even with a dealer with unlimited computing power.

Baghery's hash-based scheme

A recent line of research has proposed a unified framework, for building practical VSS schemes that do not necessarily require homomorphic commitments —a key requirement in traditional constructions such as Feldman's and Pedersen's schemes. The framework allows instantiations with different commitment schemes, including post-quantum secure options such as hash-based commitments. This offers a flexible and efficient approach to build VSS schemes, in which the verifiability of shares is decoupled from the need for homomorphic commitments, which are often tied to assumptions like the Discrete Logarithm (DL) problem, known to be insecure against quantum adversaries. One instantiation of the new framework uses hash-based commitments and a random oracle to construct a hash-based VSS scheme based on Shamir's secret sharing.

Protocol Overview

Sharing Phase: Given a secure hash-based commitment scheme and a hash function, to share a secret value among parties with threshold, the dealer acts as follows:

# Following Shamir sharing, the dealer samples a random degree- polynomial over a filed or ring, with. Each of the parties will receive a value modulo ' as a share.
# To prove the validity of the shares, the dealer acts as follows:
## Samples another random degree- polynomial and random values from the same filed or ring.
## Computes a set of commitments for. Note that, the additional randomness is used when the secret does not have sufficient entropy, but it can be omitted when sharing a uniformly random secret. Each of the parties will also receive a value modulo ' as a share.
## Calculates a challenge value via a hash function and then computes a polynomial.
## Broadcasts the commitments along with as the proof and privately sends as the individual share to party. Verification Phase: Given an individual share and a proof, party verifies the correctness of it as below:
# Checks that is a valid degree- polynomial.
# Recomputes the challenge value, and verifies the commitment equation.

If the verification fails, similar to Feldman’s and Pedersen’s schemes, the party raises a complaint. If too many complaints are raised, the dealer is disqualified. In case of a complaint, the dealer can publicly reveal the disputed share to allow global verification. Honest parties can then collectively agree to either continue or disqualify the dealer.
This scheme supports the sharing of both low-entropy and high-entropy secrets. Moreover, since it relies solely on secure hash functions for commitments and on a random oracle, it plausibly achieves security even against quantum adversaries. Additionally, by using only lightweight cryptographic primitives, the scheme is considerably more efficient in practice compared to traditional VSS constructions based on number-theoretic assumptions.

Benaloh's scheme

Once n shares are distributed to their holders, each holder should be able to verify that all shares are collectively t-consistent.
In Shamir's secret sharing scheme the shares are t-consistent if and only if the interpolation of the points yields a polynomial degree at most.
Based on that observation, Benaloh's protocol can be shown to allow the share holders to perform the required validation while also verifying the dealer's authenticity and integrity.
A second observation is that given the degree of the sum of two polynomials F and G is less than or equal to t, either the degrees of both F and G are less than or equal to t, or both the degrees of F and G are greater than t. This claim is evident due to Polynomial function's Homomorphic property, examples:
case 1:

case 2:

the case that we canceled:

Interactive proof:
The following 5 steps verify the integrity of the dealer to the Share holders:

Dealer chooses polynomial P, distributes shares.
Dealer constructs a very large number of random polynomials of degree t, and distributes shares.
Share-holder chooses a random subset of polynomials.
Dealer reveals shares of the m chosen polynomials and sums of remaining sums then shares the result as well.
Each share-holder or verifier ascertains that all revealed polynomials are degree-t, and corresponds to its own known share.

The secret s remains safe and unexposed.
These 5 steps will be done in small number of iterations to achieve high probability result about the dealer integrity.
Diagnosis 1: Because the degree of polynomial is less than or equal to t and because the Dealer reveals the other polynomials, the degree of the polynomial P must be less than or equal to t.
Diagnosis 2: One of the parameters for the problem was to avoid exposing the secret which we are attempting to verify. This property is kept through the use of Algebra homomorphism to perform validation.

Secret ballot elections

Verifiable secret sharing can be used to build end-to-end auditable voting systems.
Using the technique of verifiable secret sharing one can satisfy the election problem that will be described here.
In the election problem each voter can vote either 0 or 1, and the sum of all votes will determine election's result. For the election to execute, it is necessary to make sure that the following conditions are fulfilled:

The voters' privacy should not be compromised.
The election administrator must verify that no voter committed fraud.

If using verifiable secret sharing, n tellers will replace the single election administrator. Each voter will distribute one share of its secret vote to every one of the n tellers. This way the privacy of the voter is preserved and the first condition is satisfied.
Reconstruction of the election's result is easy, if there exist enough tellers to discover polynomial P.
The interactive proof can be generalized slightly to allow verification of the vote shares. Each voter will prove to the tellers that his vote is legitimate using the five steps of the interactive proof.

Round-optimal and efficient verifiable secret sharing

The round complexity of a VSS protocol is defined as the number of communication rounds in its sharing phase; reconstruction can always be done in a single round. There is no 1-round VSS with, regardless of the number of players. The bounds on perfectly secure and efficient VSS protocols is given below.

Number of rounds	Security
1	t = 1, n > 4
2	n > 4t
3	n > 3t