|
In cryptography, a secret sharing scheme is verifiable if auxiliary information is included that allows players to verify their shares as consistent. More formally, verifiable secret sharing ensures that even if the dealer is malicious there is a well-defined secret that the players can later reconstruct. (In standard secret sharing, the dealer is assumed to be honest.) The concept of verifiable secret sharing (VSS) was first introduced in 1985 by Benny Chor, Shafi Goldwasser, Silvio Micali and Baruch Awerbuch. In a VSS protocol a distinguished player who wants to share the secret is referred to as the dealer. The protocol consists of two phases: a sharing phase and a reconstruction phase. Sharing: Initially the dealer holds secret as input and each player holds an independent random input. The sharing phase may consist of several rounds. At each round each player can privately send messages to other players and it can also broadcast a message. Each message sent or broadcast by a player is determined by its input, its random input and messages received from other players in previous rounds. Reconstruction: In this phase each player provides its entire view from the sharing phase and a reconstruction function is applied and is taken as the protocol's output. An alternative definition given by Oded Goldreich defines VSS as a secure multi-party protocol for computing the randomized functionality corresponding to some (non-verifiable) secret sharing scheme. This definition is stronger than that of the other definitions and is very convenient to use in the context of general secure multi-party computation. Verifiable secret sharing is important for secure multiparty computation. Multiparty computation is typically accomplished by making secret shares of the inputs, and manipulating the shares to compute some function. To handle "active" adversaries (that is, adversaries that corrupt nodes and then make them deviate from the protocol), the secret sharing scheme needs to be verifiable to prevent the deviating nodes from throwing off the protocol. ==Feldman’s scheme== A commonly used example of a simple VSS scheme is the protocol by Paul Feldman, which is based on Shamir's secret sharing scheme combined with any homomorphic encryption scheme. This scheme is, at best, secure for computationally bounded adversaries only. The following description gives the general idea, but is not secure as written. (Note, in particular, that the published value ''g''''s'' leaks information about the dealer’s secret ''s.'') First, a cyclic group ''G'' of prime order ''p'', along with a generator ''g'' of ''G'', is chosen publicly as a system parameter. The group ''G'' must be chosen such that computing discrete logarithms is hard in this group. (Typically, one takes a subgroup of (Z''q'') *, where ''q'' is a prime such that ''p'' divides ''q''-1.) The dealer then computes (and keeps secret) a random polynomial ''P'' of degree ''t'' with coefficients in Z''p'', such that ''P''(0)=''s'', where ''s'' is the secret. Each of the ''n'' share holders will receive a value ''P''(1), ..., ''P''(''n'') modulo ''p''. Any ''t''+1 share holders can recover the secret ''s'' by using polynomial interpolation modulo ''p'', but any set of at most ''t'' share holders cannot. (In fact, at this point any set of at most ''t'' share holders has no information about ''s''.) So far, this is exactly Shamir's scheme. To make these shares verifiable, the dealer distributes commitments to the coefficients of ''P''. If ''P''(''x'') = ''s'' + ''a''1''x'' + ... + ''a''''t''''x''''t'', then the commitments that must be given are: * ''c''0 = ''g''''s'', * ''c''1 = ''g''''a''1, * ... * ''c''''t'' = ''g''''a''''t''. Once these are given, any party can verify their share. For instance, to verify that ''v'' = ''P''(''i'') modulo ''q'', party ''i'' can check that . 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Verifiable secret sharing」の詳細全文を読む スポンサード リンク
|