Date: 25 May 2006

A practical and provably secure scheme for publicly verifiable secret sharing and its applications


A publicly verifiable secret sharing (PVSS) scheme, so named by Stadler in [Sta96], is a special VSS scheme in which anyone, not only the shareholders, can verify that the secret shares are correctly distributed. Public verifiability is a property that the first proposed VSS scheme [CGMA85] had but that later protocols [GMW87, Fel87, Ped91] failed to include. PVSS can provide some interesting properties in systems that use VSS. For instance, it gives a practical solution to (k, l)-threshold VSS without assuming a broadcast channel. Stadler proposed two PVSS protocols: one is as secure as the Decision Diffie-Hellman problem, while the security of the other is not formally analysed. This paper presents a practical and provably secure PVSS scheme which is O(|v|) times more efficient than Stadler's PVSS schemes, where |v| denotes the size of the secret. It can be incorporated into various cryptosystems based on factoring and on the discrete logarithm to transform them into publicly verifiable key escrow (PVKE) systems. In addition, those key escrow cryptosystems can easily be modified into verifiable partial key escrow (VPKE) systems with the delayed-recovery property [BG97]. To the best of our knowledge, this is the first realization of a VPKE cryptosystem based on factoring with delayed recovery.
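The abstract contrasts the scheme with (k, l)-threshold VSS protocols such as Feldman's [Fel87], which let a shareholder check its own share against public commitments but are not publicly verifiable. The following Python example, added here and not taken from the paper or from Stadler's schemes, shows that building block: a Shamir (k, l)-threshold sharing over Z_Q, Feldman-style commitments G^{a_j} mod P to the polynomial coefficients, the check a shareholder runs on its own share, Lagrange reconstruction from any k shares, and detection of a share the dealer corrupted. The group parameters P = 2039, Q = 1019, G = 4 are constructed toy values (an assumption, far too small for real use), and the function names are the example's own. What this example does not do is exactly the gap PVSS closes: because shares are delivered in the clear to their holders, a third party who does not hold share i cannot check it, whereas a PVSS dealer publishes encrypted shares together with proofs that anyone can verify.

```python
import secrets

# Constructed toy parameters (assumption: chosen for readability, not security).
P = 2039   # prime, P = 2*Q + 1
Q = 1019   # prime order of the subgroup that commitments live in
G = 4      # generator of the order-Q subgroup of Z_P^* (4 = 2^2 is a square)


def _is_prime(n):
    """Trial division; enough for the toy parameters above."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1
assert pow(G, Q, P) == 1 and G != 1   # G really has order Q


def share(secret, k, l, rng=secrets.randbelow):
    """Deal a (k, l)-threshold sharing of `secret` in Z_Q.

    Returns (shares, commitments) where shares[i] = (x_i, f(x_i)) for
    x_i = 1..l and commitments[j] = G^{a_j} mod P for the coefficients
    a_j of the random degree-(k-1) polynomial f with a_0 = secret.
    The commitments are what the dealer publishes.
    """
    if not 1 <= k <= l < Q:
        raise ValueError("need 1 <= k <= l < Q")
    coeffs = [secret % Q] + [rng(Q) for _ in range(k - 1)]

    def f(x):
        return sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q

    shares = [(x, f(x)) for x in range(1, l + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(x, y, commitments):
    """Feldman-style check by the holder of share (x, y):
    G^y == prod_j C_j^{x^j} (mod P).  Exponents are reduced mod Q,
    which is valid because every C_j has order dividing Q."""
    lhs = pow(G, y, P)
    rhs = 1
    for j, c in enumerate(commitments):
        rhs = rhs * pow(c, pow(x, j, Q), P) % P
    return lhs == rhs


def bad_share_indices(shares, commitments):
    """Return the x-coordinates of shares that fail verification."""
    return [x for x, y in shares if not verify_share(x, y, commitments)]


def reconstruct(shares):
    """Lagrange interpolation at 0 over Z_Q from any k distinct shares."""
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        s = (s + yi * num * pow(den, -1, Q)) % Q
    return s


if __name__ == "__main__":
    shares, comms = share(42, k=3, l=5)
    print("all shares verify:", bad_share_indices(shares, comms) == [])
    print("reconstructed from shares 1,3,5:",
          reconstruct([shares[0], shares[2], shares[4]]))
    # A cheating dealer hands shareholder 2 a wrong value: only holder 2
    # can notice, which is the limitation PVSS removes.
    x2, y2 = shares[1]
    shares[1] = (x2, (y2 + 1) % Q)
    print("bad shares detected:", bad_share_indices(shares, comms))
```

Because G has prime order Q, G^y = G^{f(x)} mod P forces y = f(x) mod Q, so a wrong share is rejected with certainty rather than with some probability; the price is that the commitment G^{a_0} leaks nothing about the secret only under the discrete logarithm assumption, which is why Pedersen's variant [Ped91] adds a second generator for unconditional hiding.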