1. Secret Sharing and its Application to
Electronic Voting
Akash Chandrayan (08d17015)
Appu R P (08D17007)
Prathamesh Dashpute (08D04007)
2. Secret sharing
Secret sharing refers to method for distributing a secret amongst
a group of participants, each of whom is allocated a share of the
secret. The secret can be reconstructed only when a sufficient
number of shares are combined together; individual shares are
of no use on their own.
5. Blakley’s Scheme
• Secret is encoded as a point in a space.
• Keys are given as hyper planes rotated around
the point in space. Therefore the intersection
of t hyper planes will be the key.
6. Problems with Blakley’s Scheme
• Not secure- If three keys are required having two
lets someone know the secret is on a line.
• Less space efficient- Keys are t times larger than
the original secret, where t is the number of keys
needed to get the secret.
7. Shamir’s Scheme
• Mathematically the goal is to divide some data
D into n pieces D1,…, Dn.
• The following criteria are met
• Knowledge of any k or more Di pieces makes D computable.
• Knowledge of any k-1 or fewer Di pieces leaves D completely
undetermined.
• This scheme is called (k , n) threshold scheme.
8. Shamir’s Scheme
• The scheme turns the secret into a polynomial
of degree k, where k is the number of keys
needed to get the secret.
9. Shamir’s Scheme
• Choose at random k-1 coefficients a1 ,…, ak-1
and let a0 be the secret.
f(x)=a0 +a1x+…+ ak-1 xk-1
• Select randomly any n points out of it (i , f(i)).
• Every participant is given a point.
10. Verifiable Secret Sharing(VSS)
In verifiable secret sharing (VSS) the object is to resist malicious players,
such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction
protocol
In publicly verifiable secret sharing (PVSS), it is an explicit goal that not just
the participants can verify their own shares, but that anybody can verify that
the participants received correct shares.
11. Publically Verifiable Secret Sharing(PVSS)
• Proof of correctness for each share released .
• No private channels between the dealer and the
participants are assumed.
• All communication is done over (authenticated)
public channels using public key encryption.
12. Model for non-interactive PVSS
Initialization
• Generation of system parameters.
• Registration of Participants.
The actual set of participants taking part in a run of the PVSS scheme must be
a subset of the registered participants.
Distribution
• The distribution of a secret s is performed by the dealer D.
• The dealer first generates the respective shares si for participant Pi
For each participant Pi the dealer publishes the encrypted share Ei(si).
• The dealer also publishes a string PROOFD to show that each Ei encrypts a
share si.
• The string PROOFD commits the dealer to the value of secret s, and it
guarantees that the reconstruction protocol will result in the same value s.
13. Model for non-interactive PVSS
Verification of the shares.
• Any party knowing the public keys for the encryption
methods Ei may verify the shares.
• For each participant Pi a non-interactive verification
algorithm can be run on PROOFD to verify that Ei(si) is
a correct encryption of a share for Pi.
If verifications fail => dealer fails, protocol is aborted.
14. Model for non-interactive PVSS
Reconstruction
The protocol consists of two steps:
1.Decryption of the shares.
The participants decrypt their shares si from Ei(si). It is not required
that all participants succeed in doing so, as long as a qualified set of
participants is successful. These participants release si plus a string
PROOFPi that shows that the released share is correct.
2. Pooling the shares.
The strings PROOFPi are used to exclude the participants which are
dishonest or fail to reproduce their share si correctly. Reconstruction of
the secret s can be done from the shares of any qualified set of
participants.
15. The Math
The prover knows α such that h1 = g1α and h2 = g2α :
1. The prover sends a1 = g1w and a2 = g2w to the verifier,
2. The verifier sends a random challenge c to the prover.
3. The prover responds with r = w − α c (mod q).
4. The verifier checks that a1 = g1rh1c and a2 = g1rh1c
16. The Math
Distribution & Verification
• Distribution of the shares. The dealer picks a random
polynomial p of degree at most t − 1 with coefficients in Zq
The dealer shows that the encrypted shares are consistent by
producing a proof of knowledge of the unique p(i), 1 <= i <= n,
satisfying
17. The Math
Reconstruction
• Decryption of the shares: Using its private key xi, each
participant finds the share Si = Gp(i) which comes from
• Proof :
19. Electronic Voting
• An election proceeds in two phases
– Ballot Casting- Voters post their vote in encrypted form.
The validity of the vote can be publically verified.
– Tallying- The talliers use their private keys to collectively
compute the final tally corresponding with the
accumulation of all valid ballots.
• Technically each voter will act as a dealer in
the PVSS scheme.
20. Ballot Casting
• A voter casts a vote v 0 or 1 and encrypts it as
U= Gs+v where s is a random number.
• The voter constructs a PROOFU showing that v
Ɛ {0,1} without revealing any information on v.
PROOFU refer to the value of C0=gs which is
also published.
21. Tallying
• The tallying protocol uses the reconstruction
protocol of special PVSS scheme and
homomorphic property.
• Accumulate all respective share and compute
the values Yi*, where j ranges over all voters.
22. Tallying
• Next each tallier Ai applies the reconstruction
protocol to the value Yi*, which will produce
• Combining with we obtain
• From this the tally can
be computed efficiently.
23. Example*
The following example illustrates a sample voting with 5 voters among which
2 are talliers. <Z*13,*13> is the cyclic group under which we shall be working.
Generators used are g=2 and G=7.Note that all the computations henceforth are mod 13
Private Public Vote S(random U (encrypted votes) gs
Keys Keys numbers)
1 7 0 7 6 11
2 10 1 8 8 9
3 5 1 1 10 2
4 9 0 2 10 4
5 11 0 11 2 7
The value of C0 = gs is published as part of the PVSS distribution protocol, and
shows that logG U = logg C0 OR logG U = 1 + logg C0 (Vote is 0 or 1)
24. Example contd.
Now since there are 2 talliers which implies that all the votes can be
combined iff all of them agrees to tally. For this to work, the curves used
would simply be straight lines with the constant term as the secret values s.
Polynomial pi(x) pi(1) pi(2)
3x+7 10 13
4x+8 12 16
x+1 2 3
11x+2 13 24
7x+11 18 25
Note that the voters do not publish pi(1) or pi(2). They publish Yij which is yipj(i)
yi is the public key of tallier i, since we have only 2 talliers, I have computed the values
of pi(1) and p2(2) in the table itself and avoided yipj(i) for clarity.
25. Example contd.
Next we compute the values of Y1* and Y2*.
Y1* = 7(10+12+2+13+18) = 755 = 6
Y2* = 10(13+16+3+24+25) = 1081 = 12
Now the values of S1 and S2 can be computed by respective talliers by using
their private keys x1 = 1 and x2 = 2.
Therefore S1 = (Y1*)1/x1 = 6 and S2 = (Y2*)1/x2 = 121/2 = 5.
Next comes the homomorphic combination of secrets by computing
λ1 = 2 , λ2 = -1 ; Gs = 62 . 5-1 = 9/2 = 9*7 = 63 = 11
26. Example contd.
Now lets combine the encrypted votes (Uj = Gjs+v)
Gs+v = 6*8*10*10*2 = 9600 = 6.
Almost there , Gs+v/Gs = Gv = 6/11 = 6*6 = 10, Gv = 10 => 7v = 10
=> v= 2 , because 49 (72 mod 13 = 10). Which verifies with the vote count
given in the table. That is it!
28. References*
• A Simple Publicly Verifiable Secret Sharing Scheme and its Application to Electronic
Voting - Berry Schoenmakers, Department of Mathematics and Computing
Science, Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven,
The Netherlands. berry@win.tue.nl | Springer-Verlag , 1999.
• How to share a secret. Commm. of ACM , volume 22 (1979).
• http://en.wikipedia.org/wiki/Secret_sharing
• http://www.cs.uml.edu/~zkissel/secretshare.html
• http://en.wikipedia.org/wiki/Secure_multiparty_computation
• http://www.proproco.co.uk/million.html
• http://www.cs.tau.ac.il/~bchor/Shamir.html
*were not mentioned during presentation