PVSS Implementation in Cardano SL

Publicly Verifiable Secret Sharing (PVSS) Scheme used in Cardano SL is based on a paper “A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting” by Berry Schoenmakers. Further we’ll refer to this paper’s pages, for example [6] means the 6th page.

This guide describes implementation details of pvss-haskell library used by cardano-sl library.

What is PVSS

The core idea of VSS Scheme is an ability of participants to verify their own shares, for successful reconstruction of the secret (previously distributed by a dealer among the participants). But core idea of PVSS Scheme is that not just the participants can verify their shares, but that anybody can verify that the participants received correct shares. So it’s required (for our reconstruction protocol) that participants not only release their shares but also that they provide a proof of correctness for each share released ([2]).

We use t-out-of-n reconstruction scheme ([6]), where n is a number of participants and t is a threshold number, so any subset of t+1 shares can be used to successfully recover the secret.

So, the protocol consists of three fundamental phases:

  1. initialization ([6]),
  2. distribution ([6]),
  3. reconstruction ([7]).


Each participant must generate its private key and register its public key.


First of all, we prepare a new escrowing context. To do it we need a threshold value mentioned above and a list of public keys of participants. Result of this operation is Escrow value which includes:

  1. Extra generator,
  2. Polynomial,
  3. Secret,
  4. Proof.

Extra generator is based on a Point (Elliptic Curve Point). We use prime256v1 elliptic curve, see RFC.

Polynomial is a group of coefficient starting from the smallest degree (these coefficients are Scalar values).

Secret is based on a Point as well, actually it’s the first element of polynomial mentioned above.

Proof is generated from a challenge, raw secret and DLEQ-parameters. Challenge is based on cryptographic hash.

After that we have to finish escrow creation. List of participants’ public keys is used to create encrypted shares and commitments. Encrypted share inсludes:

  1. Share ID.
  2. Value encrypted by participant’s public key.
  3. Proof that this share is valid ([6]).

Now commitments and encrypted shares can be published among participants. Due the public nature of PVSS scheme anyone who knows public keys can verify decrypted shares via hashes matching ([7]).


First of all, participant must decrypt encrypted share using keys pair with its private and public keys. To obtain DLEQ value, we use prime256v1 curve generator. As a result, we get DecryptedShare. Its structure is the same as encrypted share.

Since decrypted share contains a proof, we can be sure that decrypted share is the same as encrypted one, there’s verification function for it. To do it we use DLEQ value and proof from the decrypted share. Actual verifying is a comparison of the hash of DLEQ points.

Now, if we have t+1 decrypted shares we can recover a secret.

Recovered secret can be verified as well, so we can be sure that secret recovered is the same escrow. To do it, we need not just a proof and a secret, but commitments as well (actually, the first one).