Publicly verifiable secret sharing scheme

Cryptography Asked by Fiono on October 24, 2021

In https://www.win.tue.nl/~berry/papers/crypto99.pdf, Schoenmakers proposes a publicly verifiable secret sharing scheme, that uses a non-interactive DLEQ proof to allow any participant to verify the shares of the secret (section 3.1 of the paper).

In “Distribution of the shares”, it says “Applying Fiat-Shamir’s technique, the challenge $c$ for the protocol is computed as a cryptographic hash of $X_i, Y_i, a_{1i}, a_{2i}, 1 \le i \le n$.”

And later, “Using $y_i, X_i, Y_i, r_i, 1 \le i \le n$ and $c$ as input, the verifier computes $a_{1i}, a_{2i}$ as

$$a_{1i} = g^{r_i} X_i^c,$$ $$a_{2i} = y_i^{r_i} Y_i^c,$$

and checks that the hash of $X_i, Y_i, a_{1i}, a_{2i}, 1 \le i \le n$, matches $c$.”

My question is: how can the challenge $c$ be used as input of the hash that computes itself (the challenge $c$), or am I misunderstanding?

One Answer

Here's my understanding:

  • The input of the hash is $x_i,y_i,a_{1i},a_{2i}$.
  • The output of the hash is $c$.

The wording is '$c$ is computed as ...'

And later the verifier checks if $c$ matches the output of the hash function used on the same input variables. If different values were used in the original run, the hash would differ.

So yes, you misunderstood the statement.

Answered by tylo on October 24, 2021
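To make the answer concrete, here is an added worked example (not code from the question, the answer, or Schoenmakers' paper) of the distribution step from section 3.1: the dealer builds the batched DLEQ proof, and the verifier recomputes $a_{1i}, a_{2i}$ from $r_i$ and $c$ and re-hashes. The group (a toy safe prime $p = 2q+1$ with $q = 1019$), the generators, SHA-256 as the hash, and the fixed-width encoding of the hash inputs are all assumptions made for this example; the challenge is used as the full hash value rather than reduced mod $q$, which changes nothing in the verification equations. The reconstruction phase is not shown.

```python
import hashlib
import secrets

# Toy group (constructed for this example, far too small for real use):
# p = 2q + 1 with q prime, so the quadratic residues mod p form a subgroup
# of prime order q, in which exponents may be reduced mod q.
P, Q = 2039, 1019
g = 4   # 2^2: a quadratic residue != 1, hence a generator of the order-q subgroup
G = 9   # 3^2: an independent generator, used for the participants' key pairs


def challenge(*ints):
    """Fiat-Shamir challenge c = H(X_1..X_n, Y_1..Y_n, a_11..a_1n, a_21..a_2n)."""
    h = hashlib.sha256()
    for v in ints:
        h.update(v.to_bytes(2, "big"))  # every value is < p < 2^16 here
    return int.from_bytes(h.digest(), "big")


def poly_eval(coeffs, x):
    """p(x) = sum_j alpha_j x^j over Z_q."""
    return sum(a * pow(x, j, Q) for j, a in enumerate(coeffs)) % Q


def distribute(pubkeys, t):
    """Dealer: publish commitments C_j, encrypted shares Y_i and one DLEQ proof
    showing log_g X_i = log_{y_i} Y_i (= p(i)) for every participant i."""
    n = len(pubkeys)
    alpha = [secrets.randbelow(Q) for _ in range(t)]      # secret is alpha_0
    C = [pow(g, a, P) for a in alpha]                       # C_j = g^{alpha_j}
    X = [pow(g, poly_eval(alpha, i), P) for i in range(1, n + 1)]
    Y = [pow(y, poly_eval(alpha, i), P) for i, y in enumerate(pubkeys, start=1)]
    w = [secrets.randbelow(Q) for _ in range(n)]           # prover's nonces
    a1 = [pow(g, wi, P) for wi in w]                        # a_1i = g^{w_i}
    a2 = [pow(y, wi, P) for y, wi in zip(pubkeys, w)]       # a_2i = y_i^{w_i}
    c = challenge(*X, *Y, *a1, *a2)                         # c depends on a_1i, a_2i
    r = [(wi - poly_eval(alpha, i) * c) % Q for i, wi in enumerate(w, start=1)]
    # Only C, Y, c and r are published; a_1i and a_2i are NOT sent.
    return {"C": C, "Y": Y, "c": c, "r": r}


def verify(pubkeys, dist):
    """Anyone (not only a shareholder) can run this on the published values."""
    n = len(pubkeys)
    C, Y, c, r = dist["C"], dist["Y"], dist["c"], dist["r"]
    # X_i = prod_j C_j^{i^j}, recomputed from the public commitments.
    X = []
    for i in range(1, n + 1):
        xi = 1
        for j, Cj in enumerate(C):
            xi = xi * pow(Cj, pow(i, j, Q), P) % P
        X.append(xi)
    # The verifier re-derives a_1i, a_2i from r_i and c, then re-hashes.
    # For an honest dealer g^{r_i} X_i^c = g^{w_i - p(i)c + p(i)c} = g^{w_i}.
    a1 = [pow(g, ri, P) * pow(xi, c, P) % P for xi, ri in zip(X, r)]
    a2 = [pow(y, ri, P) * pow(yi, c, P) % P for y, yi, ri in zip(pubkeys, Y, r)]
    return challenge(*X, *Y, *a1, *a2) == c


if __name__ == "__main__":
    # Constructed participant keys: y_i = G^{x_i} for four participants, threshold 3.
    pubkeys = [pow(G, x, P) for x in (5, 77, 300, 1000)]
    d = distribute(pubkeys, t=3)
    print("honest distribution verifies:", verify(pubkeys, d))
    d["Y"][0] = d["Y"][0] * g % P   # tamper with one encrypted share
    print("tampered distribution verifies:", verify(pubkeys, d))
```

The point of the question is visible in `distribute` versus `verify`: the dealer hashes the actual $a_{1i}, a_{2i}$ to get $c$ and only then derives $r_i$ from it, while the verifier never sees $a_{1i}, a_{2i}$ and instead reconstructs them from the published $r_i$ and $c$. If any published value was altered, the reconstructed values (or the hash inputs $X_i, Y_i$ themselves) change, and the recomputed hash no longer equals the published $c$.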
