PVSS Implementation in Cardano SL
The Publicly Verifiable Secret Sharing (PVSS) scheme used in Cardano SL is based on the paper "A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic Voting" by Berry Schoenmakers. Further on, page references point to this paper (for example, to its 6th page).
What is PVSS
The core idea of a VSS scheme is that participants can verify their own shares, so that the secret (previously distributed by a dealer among the participants) can be reconstructed successfully. The core idea of a PVSS scheme goes further: not just the participants can verify their shares, but anybody can verify that the participants received correct shares. So our reconstruction protocol requires that participants not only release their shares but also provide a proof of correctness for each share released.
The scheme is a t-out-of-n reconstruction scheme, where n is the number of participants and t is the threshold, so any subset of t+1 shares can be used to successfully recover the secret.
So, the protocol consists of three fundamental phases:
- initialization
- distribution
- reconstruction
During initialization, each participant must generate its private key and register its public key.
The distribution phase starts with preparing a new escrowing context. To do this we need the threshold value mentioned above and a list of the participants' public keys. The result of this operation is an Escrow value, which includes:
- Polynomial: a list of coefficients starting from the smallest degree (these coefficients are Scalar values).
Now the commitments and encrypted shares can be published among the participants. Due to the public nature of the PVSS scheme, anyone who knows the public keys can verify decrypted shares by matching hashes.
In the reconstruction phase, a participant must first decrypt its encrypted share using the key pair consisting of its private and public keys. To obtain the DLEQ value, we use the prime256v1 curve generator. As a result, we get a DecryptedShare; its structure is the same as that of an encrypted share.
Since a decrypted share contains a proof, we can be sure that the decrypted share corresponds to the encrypted one; there is a verification function for this. It uses the DLEQ value and the proof from the decrypted share. The actual verification is a comparison of the hash of the DLEQ points.
Now, if we have t+1 decrypted shares, we can recover the secret.
The recovered secret can be verified as well, so we can be sure that the recovered secret is the same one that was escrowed. To do this, we need not just the proof and the secret, but the commitments as well (actually, only the first one).
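As an added, self-contained illustration of the whole flow described above (this is not the Cardano SL code, which works on prime256v1 points), here is a toy Schoenmakers PVSS over a small prime-order subgroup of Z_p^*: the dealer publishes commitments and encrypted shares with DLEQ proofs, anyone can verify them from public data, participants decrypt their shares with a proof of correct decryption, and any t+1 verified shares reconstruct the secret by Lagrange interpolation in the exponent. The parameters (p = 1019, q = 509, generators 4 and 9) and all names are constructed for this example.

```python
import hashlib
import secrets
from functools import reduce

P, Q = 1019, 509  # constructed toy safe prime p = 2q + 1; Cardano SL uses the prime256v1 curve instead
g, G = 4, 9       # two generators of the order-q subgroup (both are quadratic residues mod p)

def H(*vals):     # Fiat-Shamir challenge in Z_q, computed over the DLEQ points
    return int.from_bytes(hashlib.sha256(",".join(map(str, vals)).encode()).digest(), "big") % Q
def dleq_prove(g1, h1, g2, h2, alpha):   # Chaum-Pedersen proof that log_g1(h1) == log_g2(h2) == alpha
    w = secrets.randbelow(Q)
    c = H(g1, h1, g2, h2, pow(g1, w, P), pow(g2, w, P))
    return c, (w - c * alpha) % Q
def dleq_verify(g1, h1, g2, h2, proof):  # recompute the two DLEQ points from (c, r) and compare hashes
    c, r = proof
    a1, a2 = pow(g1, r, P) * pow(h1, c, P) % P, pow(g2, r, P) * pow(h2, c, P) % P
    return c == H(g1, h1, g2, h2, a1, a2)

def keygen():                            # initialization: private key x_i, registered public key y_i = G^x_i
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)
def commit_eval(commits, i):             # X_i = prod_j C_j^(i^j) = g^p(i), derived from public commitments only
    return reduce(lambda acc, v: acc * v % P, (pow(c, pow(i, j, Q), P) for j, c in enumerate(commits)), 1)
def distribute(secret, t, pubkeys):      # dealer: degree-t polynomial with p(0) = secret, smallest degree first
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t)]
    commits = [pow(g, a, P) for a in coeffs]                            # commitments C_j = g^a_j
    shares = []
    for i, y in enumerate(pubkeys, start=1):
        p_i = sum(a * pow(i, j, Q) for j, a in enumerate(coeffs)) % Q
        Y_i = pow(y, p_i, P)                                            # encrypted share for participant i
        shares.append((i, Y_i, dleq_prove(g, commit_eval(commits, i), y, Y_i, p_i)))
    return commits, shares
def verify_encrypted_share(commits, pubkey, share):   # public verification: needs only public keys and commitments
    i, Y_i, proof = share
    return dleq_verify(g, commit_eval(commits, i), pubkey, Y_i, proof)

def decrypt_share(x, pubkey, share):     # S_i = Y_i^(1/x_i) = G^p(i), plus a proof of correct decryption
    i, Y_i, _ = share
    S_i = pow(Y_i, pow(x, -1, Q), P)
    return i, S_i, dleq_prove(G, pubkey, S_i, Y_i, x)
def verify_decrypted_share(pubkey, enc_share, dec_share):
    return dleq_verify(G, pubkey, dec_share[1], enc_share[1], dec_share[2])
def reconstruct(dec_shares, t):          # Lagrange interpolation in the exponent from any t+1 verified shares
    if len(dec_shares) < t + 1:
        raise ValueError("need at least t+1 decrypted shares")
    result = 1
    for i, S_i, _ in dec_shares:
        lam = reduce(lambda acc, j: acc * j * pow((j - i) % Q, -1, Q) % Q, (j for j, _, _ in dec_shares if j != i), 1)
        result = result * pow(S_i, lam, P) % P
    return result                        # equals G^secret, the dealer's group-element secret
```

Only shares that pass verify_decrypted_share should be fed to reconstruct; with the toy 9-bit q the DLEQ proofs are sound only up to about 1/509, so the real curve parameters are what make the "anyone can verify" guarantee meaningful.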