INFORMATION-THEORETICALLY SECURE STRONG
VERIFIABLE SECRET SHARING
Changlu Lin
State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China
Key Lab. of Network Security and Cryptology, Fujian Normal University, China
Key Lab. of Communication and Information System (Beijing Jiaotong University)
Beijing Municipal Commission of Education, China
Lein Harn
Department of Computer Science Electrical Engineering, University of Missouri-Kansas City, U.S.A.
Dingfeng Ye
State Key Lab. of Information Security, Graduate University of Chinese Academy of Sciences, China
Keywords:
Secret sharing, Verifiable secret sharing, Secret sharing homomorphism, t-consistency, Information-
theoretically secure.
Abstract:
In a (t, n) secret sharing scheme, a mutually trusted dealer divides a secret into n shares in such a way that any
t or more than t shares can reconstruct the secret, but fewer than t shares cannot reconstruct the secret. When
there is no mutually trusted dealer, a (n,t, n) secret sharing scheme can be used to set up a (t, n) secret sharing
because each shareholder also acts as a dealer to decide a master secret jointly and divide each selected secret
for others. A verifiable secret sharing (VSS) allows each shareholder to verify that all shares are t-consistent
(i.e. every subset of t of the n shares defines the same secret). In this paper, we show that (t, n)-VSS and
(n,t, n)-VSS proposed by Pedersen can only ensure that all shares are t-consistent; but shares may not satisfy
the security requirements of secret sharing scheme. Then, we introduce a new notion of strong VSS. A strong
VSS scheme can ensure that (a) all shares are t-consistent, and (b) all shares satisfy the security requirements
of secret sharing scheme. We propose two simple ways to convert Pedersen’s VSS schemes into strong VSS
schemes, which are information-theoretically secure. We also prove that our proposed VSS schemes satisfy
the strong verifiable property.
1 INTRODUCTIONS
Secret sharing schemes were introduced by both
Blakley (Blakley, 1979) and Shamir (Shamir, 1979)
independently in 1979 as a solution for safeguarding
cryptographic keys and have been studied extensively
in the literatures. In a secret sharing scheme, a secret
s is divided into n shares and shared among n share-
holders by a mutually trusted dealer in such a way
that any t or more than t shares can reconstruct this
secret, but fewer than t shares cannot reconstruct the
secret s. Such a scheme is called a (t, n) secret shar-
ing, denoted as (t, n)-SS.
In 1990, Ingemarsson and Simmon (Ingemars-
son and Simmons, 1991) first considered the secret
sharing scheme without the assistance of a mutually
trusted third party. When there is no mutually trusted
dealer, a (n,t, n) secret sharing scheme can be used to
set up a (t, n) secret sharing because each shareholder
also acts as a dealer to decide a master secret jointly
and divide each selected secret for others.
Shamir’s (t, n)-SS is based on the polynomial in-
terpolation and is information-theoretically secure.
However, since shareholders have no information
about the secret, each shareholder must uncondition-
ally trust that the received share is valid and the dealer
has not made any fault in computing shares. In 1985,
Chor et al. (Chor et al., 1985) extended the notion
233
Lin C., Harn L. and Ye D. (2009).
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING.
In Proceedings of the International Conference on Security and Cryptography, pages 233-238
DOI: 10.5220/0002222402330238
Copyright
c
SciTePress
of the original secret sharing and presented a new no-
tion of verifiable secret sharing (VSS). The property
of verifiability allows shareholders to verify that all
shares are t-consistent (i.e. every subset of t of the n
shares defines the same secret). VSS(Benaloh, 1986;
Feldman, 1987; Pedersen, 1992) is a fundamental tool
for many research areas in cryptography, such as se-
cure multi-party computation (Cramer et al., 2000)
and Byzantine agreement (Cachin et al., 2005). Re-
cent researches on VSS have studied asynchronous
VSS (Cachin et al., 2002), multi-secrets VSS (Dehko-
rdi and Mashhadi, 2008) and optimal round complex-
ity of VSS (Katz et al., 2008), etc.
There are VSS schemes based on some compu-
tational assumptions. For example, Feldman’s VSS
scheme (Feldman, 1987) is based on the discrete log-
arithm assumption. Later, Pedersen (Pedersen, 1992)
used a commitment scheme to remove the assumption
in Feldman’s VSS scheme to propose a VSS scheme
which is information-theoretically secure. However,
in Pedersen’s VSS scheme the dealer can succeed in
distributing incorrect shares if the dealer can solve the
discrete logarithm problem.
In this paper, we will show that (t, n)-VSS scheme
and (n, t, n)-VSS scheme proposed by Pedersen can
only ensure that all shares are generated by interpo-
lated polynomial with degree at most (t − 1). This
result only ensures that all shares are t-consistent,
but shares may not satisfy the security requirements
of secret sharing scheme. More specifically, Peder-
sen’s VSSs cannot guarantee that at least t shares are
needed to reconstruct the secret. Then, we introduce a
new notion of strong VSS. A strong VSS scheme can
ensure that (a) all shares are t-consistent, and (b) all
shares satisfy the security requirements of secret shar-
ing scheme. We propose two simple ways to convert
Pedersen’s VSS schemes into strong VSS schemes.
We also prove that our proposed VSS schemes satisfy
the strong verifiable property.
The Rest of this Paper is Organized as Follows. In
the next section, we provide some preliminaries. In
Section 3, we formally define and introducethe notion
of strong VSS scheme. In Section 4, we propose two
simple ways to convert Pedersen’s VSSs into strong
VSSs. We conclude in Section 5.
2 PRELIMINARIES
Shamir’s (t, n)-SS. In Shamir’s (t, n) scheme based
on Lagrange interpolating polynomial, there are n
shareholders, P = {P
1
, . . . , P
n
}, and a dealer D. The
scheme consists of two steps:
Scheme 1. Shamir’s (t, n) threshold scheme.
1. Share generation: dealer D does as follows.
• dealer D first picks a polynomial f (x) of degree (t −
1) randomly: f(x) = a
0
+ a
1
x + ··· + a
t−1
x
t−1
, in
which the secret s = a
0
= f(0) and all coefficients
a
0
, a
1
, . . . , a
t−1
are in a finite field F
p
= GF(p) with
p elements, where p is large prime.
• D computes all shares:
s
1
= f (1), s
2
= f(2), . . . , s
n
= f(n).
• Then, D outputs a list of n shares, (s
1
, s
2
, . . . , s
n
),
and distributes each share s
i
to corresponding share-
holder P
i
privately.
2. Secret reconstruction: with any t shares, (s
i
1
, . . . , s
i
t
),
where A = {i
1
, . . . , i
t
} ⊆ {1, 2, . . . , n} can reconstruct
the secret s as follows.
s = f (0) =
∑
i∈A
s
i
β
i
=
∑
i∈A
s
i
(
∏
j∈A−{i}
x
j
x
j
− x
i
),
where β
i
for i ∈ A are Lagrange coefficients.
We note that the above scheme satisfies basic se-
curity requirements of secret sharing scheme as fol-
lows: 1) with knowledge of any t or more than t
shares can reconstruct the secret s; and 2) with knowl-
edge of any fewer than (t − 1) shares cannot recon-
struct the secret s. Shamir’s scheme is information-
theoretically secure since the scheme satisfies these
two requirements without making any computational
assumption. For more information on this scheme,
readers can refer to the original paper (Shamir, 1979).
Secret Sharing Homomorphism. Benaloh (Be-
naloh, 1986) introduced the property of homomor-
phism in the secret sharing scheme to combine two
shares of two different secrets by just adding these
shares together.
Let S be the domain of a secret and T be the do-
main of shares corresponding to the secret. We say
that the function F
I
: T
t
→ S is an induced function
of the (t, n)-SS for each I ⊂ {1, 2, . . . , n} with |I| = t.
This function defines the secret s with any set of t
shares s
i
1
, . . . , s
i
t
as
s = F
I
(s
i
1
, . . . , s
i
t
), where I = {i
1
, . . . , i
t
}.
Definition 1 (Homomorphism (Benaloh, 1986)).
Let ⊕ and ⊗ be two binary functions on elements of
the set S and T , respectively. We say that a (t, n)-
SS has the (⊕, ⊗)-homomorphic property if for any
subset I, whenever
s = F
I
(s
i
1
, . . . , s
i
t
) and s
′
= F
I
(s
′
i
1
, . . . , s
′
i
t
),
then
s⊕ s
′
= F
I
(s
i
1
⊗ s
′
i
1
, . . . , s
i
t
⊗ s
′
i
t
).
SECRYPT 2009 - International Conference on Security and Cryptography
234
t-consistency. Benaloh (Benaloh, 1986) presented a
notion of t-consistency and proposed VSS to deter-
mine whether shares are t-consistent or not. We de-
scribe this notion as follows.
Definition 2 (t-consistency). A set of n shares
s
1
, s
2
, . . . , s
n
is said to be t-consistent, if any subset
of t of the n shares reconstructs the same secret.
Benaloh claimed that the shares s
1
, s
2
, . . . , s
n
in
Shamir’s (t, n)-SS are t-consistent if and only if the
interpolation of the points (1, s
1
), (2, s
2
), . . . , (n, s
n
)
yields a polynomial of degree at most (t − 1). This
implies that if the interpolated polynomial of n shares
is with degree at most (t − 1), then all shares are t-
consistent. However, the property of t-consistency
does not guarantee that all shares satisfy the secu-
rity requirements of a (t, n)-SS. For example, if the
interpolated polynomial of n shares is with degree
(t − 2), then all shares are (t − 1)-consistent and also
t-consistent. The polynomial with degree (t − 2), can
be reconstructed with only (t − 1) (but not t) shares.
This condition violates the security requirements of a
(t, n)-SS that at least t shares are needed to reconstruct
the secret.
It is easy to know that if all shares in Shamir’s
(t, n)-SS are generated by a polynomial with degree
exactly (t− 1), then (a) all shares are t-consistent, and
(b) all shares satisfy the security requirements of a
(t, n)-SS.
Pedersen’s VSS Scheme. We note that the disadvan-
tage in Feldman’s VSS scheme (Feldman, 1987) is
that the committed value c
0
= g
s
is publicly known
and the privacy of secret s depends on the diffi-
culty of solving the discrete logarithm problem. In
other words, Feldman’s scheme is computationally
secure. Pedersen (Pedersen, 1992) proposed a non-
interactive and information-theoretically secure VSS
scheme based on Feldman’s VSS scheme.
Let p and q be two large primes such that q|(p −
1), and g, h ∈ Z
∗
p
are two elements of order q. There
are n shareholders P = {P
1
, . . . , P
n
} and a dealer D
who will divide a secret s ∈ Z
q
. We describe Peder-
sen’s scheme in three steps.
Scheme 2. Pedersen’s (t, n) VSS scheme.
1. Share generation: dealer D does as follows.
• D first picks a polynomial f(x) of degree at most
(t − 1) randomly: f (x) = a
0
+ a
1
x+ ·· · + a
t−1
x
t−1
,
in which the secret s = a
0
= f(0) and all coefficients
a
0
, a
1
, . . . , a
t−1
are in Z
q
.
• D picks b
0
, b
1
, . . . , b
t−1
∈ Z
q
at random. Let k(x) =
b
0
+ b
1
x+ ··· + b
t−1
x
t−1
.
• D computes shares (s
i
,t
i
) for i = 1, . . . , n and each
coefficient’s commitment of added sum of polyno-
mials of f(x) and k(x) as follows:
(s
i
,t
i
) = ( f(i), k(i)), for i = 1, . . . , n, and
c
j
= g
a
j
h
b
j
(mod p), for j = 0, 1, . . . ,t −1.
• Then, D outputs a list of n shares
((s
1
,t
1
), . . . , (s
n
,t
n
)) and distributes each share
(s
i
,t
i
) to corresponding shareholder P
i
privately. D
also broadcasts c
0
, c
1
, . . . , c
t−1
.
2. Share verification: each shareholder P
i
, who has re-
ceived the share (s
i
,t
i
) and all broadcasted information,
can verify that share (s
i
,t
i
) defines a secret by testing
that
g
s
i
h
t
i
=
t−1
∏
j=0
c
i
j
j
(mod p). (1)
3. Secret reconstruction: it is same as Shamir’s scheme.
In Pedersen’s scheme, the value g
s
is not made
publicly known, that is, the secret s is embeddedin the
commitment c
0
= g
s
h
b
0
= g
s+ub
0
where b
0
is a ran-
dom number in Z
q
and u = log
g
h. Thus, no informa-
tion about the secret s is revealed even if an attacker
with unlimited computing power can solve u = log
g
h,
the attacker still gets no information about the secret
s. It implies that Pedersen’s scheme is information-
theoretically secure.
3 DEFINITION OF STRONG VSS
We claim that the verification algorithm in Pedersen’s
scheme can only guarantee that the degree of inter-
polated polynomial f(x) is at most (t − 1); but not
exactly (t − 1). Let u = log
g
h. Then, we get the fol-
lowing result from equation 1.
g
s
i
+ut
i
= g
f(i)+uk(i)
, (2)
for i = 0, 1, . . . , n. Thus, after successfully completing
Pedersen’s VSS, each shareholder can be convinced
that the degree of the polynomial d(x) = f(x) + uk(x)
is exactly (t − 1). Since polynomial d(x) is a combi-
nation of two polynomials, f(x) and k(x), each share-
holder can conclude that the degree of polynomial
f(x) is at most (t − 1). However, this result does
not guarantee that all shares satisfy the basic security
requirements mentioned in previous section. More
specifically, Pedersen’s VSS cannot guarantee that at
least t shares are needed to reconstruct the secret. For
example, if polynomial f(x) is with degree exactly
(t − 2) and the polynomial k(x) is with degree exactly
(t − 1), then shares of f(x) can be successfully verifi-
able according to Pedersen’s VSS. Since the polyno-
mial f(x) is with degree exactly (t − 2), any (t − 1)
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
235
(but not t) shares can reconstructed the secret. This
condition violates the basic security requirements that
at least t shares are needed to reconstruct the secret.
In summary, Pedersen’s VSS can only guarantee that
all shares are t-consistent; but shares may not satisfy
the security requirements of a secret sharing scheme.
In this section, we propose a new notion of strong ver-
ifiable secret sharing that ensures all shares are gener-
ated by a polynomial with degree exactly (t − 1). We
give the definition.
Definition 3 (Strong VSS). In a strong (t, n) verifi-
able secret sharing scheme, all shares are generated
by a polynomial with degree exactly (t − 1).
It is easy to understand that if all shares are gener-
ated by a polynomial with degree exactly (t −1), then
(a) all shares are t-consistent, and (b) all shares satisfy
the basic security requirements.
Remark 1. Feldman’s VSS scheme satisfies the defi-
nition of a strong VSS scheme.
4 OUR PROPOSED SCHEMES
4.1 Strong (t, n)-VSS
We use a public polynomial f
′
(x) and a secret polyno-
mial f(x) to generate real shares. This public polyno-
mial will play an important role to ensure all shares
are generated by a polynomial with degree exactly
(t − 1) in our proposed scheme. The secret sharing
homomorphism ensures that the secret s = F(0) =
f
′
(0) + f(0) can be reconstructed by shares with the
form as
s
i
= f
′
(i) + f(i).
Also, each share s
i
still remains to be a secret even
f
′
(i) is made publicly known.
There are n shareholders, P = {P
1
, . . . , P
n
}, and a
dealer D who will divide a secret s ∈ Z
q
. We describe
our (t, n)-VSS as follows.
Scheme 3. Our strong (t, n)-VSS scheme.
1. Share generation: dealer D does the following proce-
dures.
• D first picks two polynomial f
′
(x) and f (x) of de-
gree with exactly (t − 1) randomly: f
′
(x) = a
′
0
+
a
′
1
x + ·· · + a
′
t−1
x
t−1
and f(x) = a
0
+ a
1
x + ·· · +
a
t−1
x
t−1
, where all coefficients a
′
i
and a
i
for i =
0, 1, . . . , t − 1 are in Z
q
. We note that f (x) is kept
secret by the dealer and f
′
(x) is made publicly
known. Set F(x) = f
′
(x) + f (x), thus the secret
S = F(0) = f
′
(0) + f (0) = a
′
0
+ a
0
and F
i
= a
′
i
+ a
i
for i = 0, 1, . . . , t −1.
• D picks b
0
, b
1
, . . . , b
t−1
∈ Z
q
at random. Let k(x) =
b
0
+ b
1
x+ ··· + b
t−1
x
t−1
.
• D computes shares (s
i
,t
i
) and each coefficient’s com-
mitment of added sum of polynomials of F(x) and
k(x)as follows:
(s
i
,t
i
) = ( f(i), g(i)), for i = 1, . . . , n, and
c
j
= g
F
j
h
b
j
(mod p), for j = 0, 1, . . . ,t −1.
• Then, D outputs a list of n shares,
((s
1
,t
1
), . . . , (s
n
,t
n
)), and distributes each share
(s
i
,t
i
) to corresponding shareholder P
i
privately. D
also broadcasts c
0
, c
1
, . . . , c
t−1
.
• Each shareholder P
i
computes the real share S
i
= s
i
+
f
′
(i).
2. Share verification: each shareholder P
i
, who has share
(S
i
,t
i
) and all broadcasted information, can verify that
the real share S
i
defines a secret by testing that
g
S
i
h
t
i
=
t−1
∏
j=0
c
i
j
j
(mod p). (3)
3. Secret reconstruction: it is the same as Shamir’s
scheme.
Theorem 1. Our proposed (t, n)-VSS satisfies the def-
inition of a strong VSS scheme.
Proof 1. Following above (t, n)-VSS scheme success-
fully, each shareholder can be convinced that the de-
grees of polynomials G(x) = F(x) + k(x) is exactly
(t − 1). Thus, each shareholder can conclude that the
degree of polynomial F(x) = f
′
(x) + f(x) is at most
(t − 1). This conclusion is similar to the conclusion
of Pedersen’s scheme that ensures each shareholder
that the interpolated polynomial of all shares is with
degree at most (t − 1). Since the degree of the pub-
lic polynomial f
′
(x) is exactly (t − 1), each share-
holder can finally conclude that the degree of poly-
nomial F(x) is exactly (t − 1).
4.2 Strong (n, t, n)-VSS
In (t, n)-SS, there is a mutually trusted party who di-
vides the secret and distributes shares to sharehold-
ers. For some applications, it is impossible to iden-
tify such a mutually trusted dealer. In 1990, Inge-
marsson and Simmon (Ingemarsson and Simmons,
1991) first considered the secret sharing scheme with-
out the assistance of a mutually trusted third party.
The basic idea of their proposed (t, n)-SS is that there
are n dealers (or shareholders) who want to gener-
ate a master secret s jointly for some special appli-
cation. Each shareholder i first chooses a secret s
i
randomly and the master secret s is determined by
s =
∑
n
i=1
s
i
= s
1
+ · ·· + s
n
. Each shareholder shares
SECRYPT 2009 - International Conference on Security and Cryptography
236
his chosen secret s
i
with other shareholders using the
Shamir’s (t, n− 1)-SS. Then, any shareholder has re-
ceived (n − 1) shares from other shareholders. Any
subset of t of the n shareholders know their own cho-
sen secrets (i.e. t secrets) and work together to recon-
struct (n−t) other secrets. Thus, any subset of t of the
n shareholders can generate the master secret. Their
proposed secret scheme enables n users to set up a
(t, n)-SS without the assistance of a mutually trusted
dealer. This approach can be denoted as the model of
a (n, t, n)-SS, where n refers to the number of dealers
and shareholders.
In a (n,t, n)-SS, each shareholder also acts as a
dealer to generate master secret and sub-shares for
all other shareholders. This kind of secret sharing is
very difficult to set up especially when it involves a
large number of shareholders. In addition, since the
number of shares kept by each shareholder is pro-
portional to the number of shareholders involved in
(Ingemarsson and Simmons, 1991), the storage and
management of shares of each shareholder becomes
very complicated. When the number of sharehold-
ers becomes very large, the reasonable approach is to
divide shareholders into several groups. Each group
will then elect a mutually trusted dealer to represent
this group to join other dealers from other groups to
set up the secret sharing. The dealers are not mu-
tually trusted. In fact, the number of shareholders n
can be much larger than the number of dealers d (i.e.
d << n). This approach to manage a large number of
users can be found in many practical applications, for
example in Public-Key Infrastructure (PKI) (Housley
et al., 2002) for issuing public-key digital certificates
by Certificate Authorities (CA), and in ad-hoc net-
works (Zhou and Haas, 1999; Ma and Cheng, 2008)
for managing user registration by distributed registra-
tion centers, etc. This approach can be denoted as the
model of (d, t, n)-SS, where d is the number of deal-
ers, t is the threshold value and n is the number of
shareholders. Specially, when d = 1, (1, t, n)-SS be-
comes the original Shamir’s (t, n)-SS. This indicates
that (d, t, n)-SS is a generalization of (t, n)-SS.
In (n,t, n)-SS involving multiple dealers, the veri-
fiability is more desirable than in (t, n)-SS since these
dealers are mutually distrusted. Pedersen (Pedersen,
1992) presented a (n,t, n)-VSS. However, Pedersen’s
(n,t, n)-VSS, is not a strong VSS. In other words,
Pedersen’s scheme only ensures each shareholder that
the interpolated polynomial of all shares is with de-
gree at most (t − 1).
In this section, we propose a strong (n, t, n)-VSS
based on Pedersen’s (n,t, n)-VSS. We note that the
main difference between our proposed scheme and
the Pedersen’s scheme is that it requires each dealer
(shareholder) must pick a random polynomial with
degree exactly (t − 1) in our scheme. We will proof
that our proposed scheme is a strong VSS.
There are n dealers (shareholders),
P = {P
1
, . . . , P
n
}, who want to define a secret
s ∈ Z
q
and distribute it among themselves. We
describe our (n,t, n)-VSS as follows.
Scheme 4. Our strong (n,t, n)-VSS scheme.
1. Share generation: dealer (shareholder) P
w
does as fol-
lows.
• P
w
first picks a sub-polynomial f
w
(x) of degree ex-
actly (t − 1) randomly: f
w
(x) = a
w0
+ a
w1
x+ · ·· +
a
w(t−1)
x
t−1
, in which the sub-secret s
w
= a
w0
=
f
w
(0) and all coefficients w
w0
, a
w1
, . . . , a
wt−1
are in
Z
q
. We note that the master secret is s = s
1
+
s
2
+ ·· · + s
n
corresponding to the master polynomial
F(x) =
∑
n
w=1
f
w
(x).
• P
w
picks b
w0
, b
w1
, . . . , b
w(t−1)
∈ Z
q
at random. Let
k
w
(x) = b
w0
+ b
w1
x+ ··· + b
w(t−1)
x
t−1
.
• P
w
compute all sub-shares (s
wi
,t
wi
) and coefficient’s
commitment of f
w
(x) and k
w
(x) as follows:
(s
wi
,t
wi
) = ( f
w
(i), k
w
(i)), for i = 1, . . . , n, and
c
wj
= g
a
wj
h
b
wj
(mod p), for j = 0, 1, . . . ,t −1.
• Then, P
w
distributes each sub-share (s
wi
,t
wi
) to cor-
responding shareholder P
i
privately and broadcasts
c
w0
, c
w1
, . . . , c
w(t−1)
.
• After P
w
has received all sub-shares and broadcasted
information from others, P
w
computes the mas-
ter share (s
w
,t
w
) where s
w
= s
1w
+ s
2w
+ · ·· + s
nw
(mod q) and t
w
= t
1w
+t
2w
+ ··· + t
nw
(mod q). P
w
also computes c
j
= c
1j
c
2j
·· ·c
nj
(mod p) for j =
0, 1, . . . , t − 1.
2. Share verification: each shareholder P
w
who has ob-
tained the master share (s
w
,t
w
) and all commitment val-
ues c
j
for j = 0, 1, . . . , t − 1, can verify that all master
shares s
i
really define a secret by testing that
g
s
w
h
t
w
=
t−1
∏
j=0
c
w
j
j
(mod p). (4)
3. Secret reconstruction: it is same as Shamir’s scheme.
Remark 2. The property of secret sharing homo-
morphisms ensures that all master shares (s
w
,t
w
) for
w = 1, 2, . . . , n of the master polynomials, F(x) =
∑
n
w=1
f
w
(x) and K(x) =
∑
n
w=1
k
w
(x), are the additive
sum of all shares corresponding to sub-polynomials,
f
w
(x) and k
w
(x). In addition, it ensures that the size of
each master share is the same as the size of the master
secret.
Theorem 2. Our proposed (n, t, n)-VSS satisfies the
definition of a strong VSS scheme.
INFORMATION-THEORETICALLY SECURE STRONG VERIFIABLE SECRET SHARING
237
Proof 2. According to our discussion presented in sec-
tion 4.1, each shareholder can conclude that the de-
gree of master polynomial F(x) =
∑
n
w=1
f
w
(x) is at
most (t − 1) if our proposed (n, t, n)-VSS is success-
fully completed. This result is the same as Peder-
sen’s (t, n)-VSS. As long as the degree of the sub-
polynomial selected by the shareholder is exactly
(t − 1), this shareholder can therefore be convinced
that, the degree of the master polynomial F(x) must
be exactly (t − 1) due to linear property of polynomi-
als.
Remark 3. Our proposed (n, t, n)-VSS is almost the
same as Pedersen’s (n,t, n)-VSS. However, the main
difference between our proposed scheme and the Ped-
ersen’s scheme is that it requires each dealer (share-
holder) must pick random polynomials with degree
exactly (t − 1) in our scheme; but polynomials with
degree at most (t − 1) in Pedersen’s scheme. With
this difference, our scheme is a strong (n, t, n)-VSS;
but Pedersen’s scheme is not a strong (n, t, n)-VSS.
Pedersen’s scheme can only ensure that all shares are
t-consistent; but all shares may not satisfy the security
requirements of a secret sharing scheme. Our pro-
posed (n, t, n)-VSS can ensure that (a) all shares are
t-consistent, and (b) all shares satisfy the security re-
quirements of a secret sharing scheme.
5 CONCLUSIONS
In this paper, we first show that VSS schemes pro-
posed by Pedersen can only ensure that shares are
t-consistent, but shares may not satisfy the security
requirements of secret sharing scheme. Then, we in-
troduce a new notion of strong VSS. A strong VSS
scheme can ensure that (a) all shares are t-consistent
and (b) all shares satisfy the security requirements
of secret sharing scheme. Based on Pedersen’s VSS
schemes, we propose two VSS schemes, (t, n)-VSS
and (n, t, n)-VSS, which are information-theoretically
secure. We also provethat our proposed VSS schemes
satisfy the strong verifiable property.
REFERENCES
Benaloh, J. C. (1986). Secret sharing homomorphisms:
Keeping shares of a secret secret. In Proc. Crypto’86,
volume 263 of LNCS, pages 251–260. Springer-
Verlag.
Blakley, G. R. (1979). Safeguarding cryptographic keys. In
Proc. Nat. Computer Conf., volume 48, pages 313–
317. AFIPS Press.
Cachin, C., Kursawe, K., Lysyanskaya, A., and Strobl, R.
(2002). Asynchronous verifiable secret sharing and
proactive cryptosystems. In Proc. 9th ACM Conf.
Computer and Communications Security, pages 88–
97. ACM Press.
Cachin, C., Kursawe, K., and Shoup, V. (2005). Ran-
dom oracles in constantinople: practical asynchronous
byzantine agreement using cryptography. J. Cryptol-
ogy, 8(3):219–246.
Chor, B., Goldwasser, S., Micali, S., and Awerbuch, B.
(1985). Verifiable secret sharing and achieving simul-
taneously in the presence of faults. In Proc. 26th IEEE
Symp. on Foundations of Computer Science, pages
383–395. IEEE Society.
Cramer, R., Damg˚ard, I., and Maurer, U. (2000). Verifi-
able secret sharing and achieving simultaneously in
the presence of faults. In Proc. Eurocrypt’00, volume
1807 of LNCS, pages 316–334. Springer-Verlag.
Dehkordi, M. H. and Mashhadi, S. (2008). New efficient
and practical verifiable multi-secret sharing schemes.
Information Sciences, 178(9):2262–2274.
Feldman, P. (1987). A practical scheme for non-interactive
verifiable secret sharing. In Proc. 28th IEEE Symp.
on Foundations of Computer Science, pages 427–437.
IEEE Society.
Housley, R., Polk, W., Ford, W., and Solo, D. (2002). Inter-
net x.509 public key infrastructure certificate and cer-
tificate revocation list (crl) profile. rfc3280, ietf. Avail-
able: http://www.ipa.go.jp/security/rfc/RFC3280-
00EN.html.
Ingemarsson, I. and Simmons, G. J. (1991). A protocol to
set up shared secret schemes without the assistance of
a mutualy trusted party. In Proc. Eurocrypt’90, vol-
ume 472 of LNCS, pages 266–282. Springer-Verlag.
Katz, J., Koo, C., and Kumaresan, R. (2008). Improved the
round complexity of vss in point-to-point networks.
In Proc. ICALP 2008, Part II, volume 5126 of LNCS,
pages 499–510. Springer-Verlag.
Ma, C. and Cheng, R. (2008). Key management based
on hierarchical secret sharing in ad-hoc networks. In
Proc. Inscrypt 2007, volume 4990 of LNCS, pages
182–191. Springer-Verlag.
Pedersen, T. P. (1992). Non-interactive and information-
theoretic secure verfiable secret sharing. In Proc.
Crypto’91, volume 576 of LNCS, pages 129–140.
Springer-Verlag.
Shamir, A. (1979). How to share a secret. Commun. ACM,
22(11):612–613.
Zhou, L. and Haas, Z. J. (1999). Securing ad hoc networks.
IEEE Networks Magazine, 13(6):24–30.
SECRYPT 2009 - International Conference on Security and Cryptography
238
