Papers
Topics
Authors
Recent
Search
2000 character limit reached

Publicly Verifiable Secret Sharing (PVSS)

Updated 10 July 2026
  • Publicly Verifiable Secret Sharing (PVSS) is a secret-sharing scheme that distributes a secret among participants and allows any observer to verify the correctness of share distribution and reconstruction without private information.
  • Classical constructions use Shamir polynomial sharing with public commitments and Diffie–Hellman style encryption to ensure that shares are consistent and verifiable by anyone.
  • Recent advances include lattice-based and post-quantum instantiations that incorporate non-interactive proofs and NIZKs, offering improved security and efficiency in public verification.

Publicly Verifiable Secret Sharing (PVSS) is a threshold secret-sharing primitive in which a dealer distributes a secret among participants so that any qualified subset can later reconstruct it, while any public verifier can check the correctness of the sharing and reconstruction process. In contrast to ordinary verifiable secret sharing (VSS), where verification is typically carried out by the shareholders themselves through complaint, dispute, or consistency procedures, PVSS makes the evidence of correctness publicly checkable from published information. Contemporary formulations place PVSS at the intersection of secret sharing, public verifiability, and non-interactive proofs, and identify applications in e-voting, distributed key generation, decentralized random number generation protocols, multi-party computation, and YOSO-style protocols (Minh et al., 19 Apr 2025).

1. Formal notion and relation to VSS

A threshold secret-sharing scheme distributes a secret ss among nn parties so that any set of at least t+1t+1 shares reconstructs ss, while any set of at most tt shares reveals nothing about ss. VSS strengthens this basic functionality to tolerate a malicious dealer by making the dealer’s commitment to a secret verifiable during sharing and recoverable during reconstruction. The survey literature characterizes VSS as a distributed commitment: during sharing, the dealer commits to a secret in a verifiable way, and during reconstruction, the committed value is recovered even if the dealer refuses to cooperate (Chandramouli et al., 2021).

PVSS adds a public proof layer to this picture. The operational distinction is that verification is not confined to the protocol participants: anyone can verify that the dealer shared correctly and that later revealed shares are valid. In a recent formalization, an (n,t)(n,t)-PVSS scheme with threshold t<n/2t<n/2 is specified as

PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),

with reconstruction from any subset SS satisfying nn0, and privacy against subsets of size nn1 (Minh et al., 19 Apr 2025).

For Shamir sharing, one useful formal object is the valid share language. The recent lattice-based treatment uses

nn2

where nn3 is a parity-check matrix for the Shamir code. This captures the statement that a vector of shares is a valid threshold-sharing vector and therefore reconstructs consistently from any qualified subset (Minh et al., 19 Apr 2025).

The conceptual relation between VSS and PVSS is therefore precise. VSS ensures that shareholders can verify consistency under active adversaries; PVSS preserves the same threshold privacy and reconstruction goals while requiring that the verification evidence itself be publicly checkable. The survey on perfectly-secure VSS does not formalize PVSS as a separate primitive, but it explicitly frames “publicly verifiable” as the setting in which not only the participants but also any outside observer can verify consistency from public information (Chandramouli et al., 2021).

2. Classical algebraic constructions

Classical PVSS schemes are typically built from Shamir-style polynomial sharing, public commitments to polynomial coefficients, and public-key encryption or masking of the individual shares. One representative construction works in a cyclic subgroup nn4 of prime order nn5, with nn6, generator nn7, and all computations performed in nn8. The dealer chooses a polynomial

nn9

where t+1t+10 is the secret and t+1t+11, and assigns each participant t+1t+12 the share

t+1t+13

The dealer then publishes commitments

t+1t+14

as well as

t+1t+15

which satisfy

t+1t+16

This equality is the public consistency condition tying each share to the committed polynomial (Shil et al., 2013).

In that scheme, each participant t+1t+17 chooses a private key

t+1t+18

and publishes the public key

t+1t+19

The dealer sends the encrypted share

ss0

Upon receiving ss1, the participant computes

ss2

and checks

ss3

The paper identifies this as a non-interactive verification procedure and describes the use of XOR with a Diffie–Hellman-style value as the central simplification of the encryption step (Shil et al., 2013).

Reconstruction is interpolation-based. After collecting ss4 valid shares, the secret is reconstructed as

ss5

with

ss6

The same work also presents an explicit membership proof and an explicit disputation protocol. In the membership protocol, a verifier sends ss7 for random ss8, the prover responds with

ss9

and the verifier computes

tt0

acceptance requires tt1. In the disputation procedure, a third party tt2 can determine whether the dealer or the participant is dishonest by checking relations involving the published commitments, the masked share, and the participant’s public key (Shil et al., 2013).

These classical schemes are usually analyzed under the Computational Diffie-Hellman assumption and the hardness of the Discrete Logarithm Problem in tt3. In the cited construction, recovering tt4 from tt5 requires computing tt6 from tt7 and tt8, which is presented as exactly the CDH problem, while recovering tt9 from ss0 requires solving discrete logarithm (Shil et al., 2013).

3. Alternative algebraic settings and neighboring primitives

PVSS has also been extended beyond the standard abelian discrete-log setting. One such line develops PVSS using non-abelian groups, motivated by conjugation-based cryptography and the hardness of the conjugacy search problem. In that setting, a public key takes the form

ss1

and the security assumption is that there is no fast algorithm for recovering ss2 from ss3 and ss4. The non-abelian adaptation describes a dealer publishing

ss5

for random ss6, after which the participant recovers the secret share as

ss7

The same paper also gives a non-abelian VSS construction in which a participant verifies its share by checking

ss8

and two participants can mutually verify consistency by checking

ss9

The platform group must be nonabelian, and the security basis is the hardness of the search conjugacy problem (Kahrobaei et al., 2014).

At the same time, not every “verifiable” secret-sharing proposal with public data is a standard PVSS scheme. A hash-based construction using a one-way hash function and a probabilistic homomorphic encryption function is explicitly a VSS variant rather than a true PVSS. In that scheme, the dealer forms

(n,t)(n,t)0

computes shares

(n,t)(n,t)1

broadcasts

(n,t)(n,t)2

with (n,t)(n,t)3, and maintains a public file containing (n,t)(n,t)4 and (n,t)(n,t)5. Each shareholder checks both the public hash

(n,t)(n,t)6

and a homomorphic consistency relation of the form

(n,t)(n,t)7

However, the verification is participant-side and depends on a dealer-maintained public file, so the paper is better described as shareholder-verifiable and hash-anchored rather than publicly verifiable in the standard PVSS sense (Parmar et al., 2012).

A second boundary case is access-structure hiding verifiable computational secret sharing. That construction defines algorithm families

(n,t)(n,t)8

and introduces an access-structure hiding property with perfect completeness, perfect soundness, and statistical hiding. The verification in that model is not public in the usual PVSS sense: it is performed by an authorized subset after reconstruction or while reconstructing, it uses trapdoor information and encodings held by the parties, and it does not attach dealer-published public proofs to each share. The paper therefore classifies itself most accurately as an access-structure-hiding verifiable secret sharing scheme with post-reconstruction verifiability rather than a conventional PVSS scheme (Sehrawat et al., 2020).

These examples clarify an important terminological boundary. PVSS is not simply any scheme that publishes some auxiliary data or enables some form of verification; the defining property is that arbitrary public verifiers can check share correctness from public information alone, without relying on shareholder secrets, dealer-maintained auxiliary files, or authorized-subset trapdoors (Parmar et al., 2012).

4. Integrity limitations of bounded finite-field commitments

A central integrity issue in PVSS and VSS arises when public verification is implemented with Feldman-style commitments bounded to a finite field. In the threshold setting described in the attack paper, each participant (n,t)(n,t)9 holds a private degree-t<n/2t<n/20 polynomial over t<n/2t<n/21,

t<n/2t<n/22

and the secret or decryption key is the sum of the constant terms, t<n/2t<n/23. To make shares verifiable, the participant publishes commitments

t<n/2t<n/24

for a generator t<n/2t<n/25. A recipient checks a received share t<n/2t<n/26 using

t<n/2t<n/27

Because the commitments are public, this consistency check can be performed by other participants and, in a PVSS interpretation, by outsiders as well (Lu et al., 2015).

The vulnerability comes from a mismatch between the field used for interpolation and the exponent arithmetic induced by t<n/2t<n/28. Reconstruction must happen in t<n/2t<n/29, but the multiplicative order of PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),0 divides PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),1. As a result, exponentiation forgets values modulo PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),2, not modulo PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),3. An adversarial participant can therefore publish honest-looking commitments for a chosen polynomial PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),4, but distribute false shares PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),5 satisfying

PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),6

Since PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),7 depends only on PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),8, each false share still satisfies

PVSS=(PVSS.Setup,PVSS.KeyGen,PVSS.KeyVer,PVSS.Share,PVSS.ShareVer,PVSS.Dec,PVSS.DecVer,PVSS.Combine),PVSS = (PVSS.Setup, PVSS.KeyGen, PVSS.KeyVer, PVSS.Share, PVSS.ShareVer, PVSS.Dec, PVSS.DecVer, PVSS.Combine),9

and therefore passes the public verification equation (Lu et al., 2015).

The effect is a direct break of reconstruction integrity. Threshold recovery requires enough true evaluations of the same polynomial in SS0; interpolation on the received SS1 values generally produces the wrong polynomial and thus the wrong constant term SS2. In the attack scenario, the adversary can intentionally withhold the genuine shares needed for reconstruction while supplying congruent-but-wrong shares that all verify, thereby causing denial of decryption-key assembly (Lu et al., 2015).

The paper’s claim is broad: any VSS or PVSS construction using finite-field-bounded exponentiation commitments of the form SS3 with share verification via SS4 is affected. The issue is not secrecy of the commitments; it is that the verification equation enforces equality only in the exponent modulo the group order, not equality of the field element actually being shared (Lu et al., 2015).

A mitigation suggested in the paper is to avoid verification commitments that are themselves reduced modulo the finite field, for example by using literal integer exponent values SS5 without reducing them modulo SS6. This removes the wraparound ambiguity enabling SS7. The drawback is size: such commitments become very large, on the order of SS8, that is, at least about 1024 bits in typical settings, making storage and distribution impractical (Lu et al., 2015).

5. Generic constructions and post-quantum instantiations

Recent work reformulates PVSS as a generic proof-carrying encryption of secret-sharing vectors and gives a standard-model instantiation under the Learning With Errors assumption. The generic construction starts from two ingredients: an IND-CPA public-key encryption scheme whose public key has a unique corresponding secret key, and NIZKs for three gap languages corresponding to key generation, encryption or sharing, and decryption. The protocol flow is as follows. During setup, public parameters are generated for the encryption scheme and for three NIZKs. During key generation, each participant produces SS9 and a proof nn00 that the key pair is valid. During sharing, the dealer computes a Shamir sharing

nn01

encrypts each share as

nn02

and proves that the ciphertexts are correct encryptions of a valid Shamir share vector. During decryption, participant nn03 decrypts nn04 to obtain nn05 and proves correctness publicly. Reconstruction uses

nn06

where

nn07

Public verifiers can run nn08, nn09, and nn10 without secret-key material (Minh et al., 19 Apr 2025).

The same work instantiates this framework using the lattice-based encryption scheme of Attrapadung, Choslovichit, Phong, and Susilo (ACPS09). The encryption has the form

nn11

for message nn12, with nn13. Decryption computes

nn14

and recovers nn15 from the decomposition nn16. The key-generation relation is

nn17

with nn18 short (Minh et al., 19 Apr 2025).

To avoid Fiat–Shamir and the random oracle model, the construction uses three trapdoor nn19-protocols and the compiler of Libert et al. to obtain NIZKs in the CRS model. For key generation, the language is

nn20

and the protocol is parallel-repeated nn21 times to obtain negligible soundness error. Analogous trapdoor nn22-protocols are built for share encryption and share decryption, with public checks including the parity-check condition

nn23

for valid Shamir-share vectors (Minh et al., 19 Apr 2025).

This line of work explicitly positions itself against earlier PVSS protocols whose security is either proven in the random oracle model or relies on factoring or discrete logarithm. Its main claim is that it provides the first post-quantum PVSS in the standard model, with a reasonable level of asymptotic efficiency. The reported high-level costs are communication roughly

nn24

for the non-proof parts and

nn25

for the proof parts, with computation roughly

nn26

for the non-proof parts and

nn27

for the proof parts. After parameter tuning, the modulus is derived as

nn28

The paper also notes that the scheme is less efficient than previous pairing-based or ROM-based PVSS because it must use binary challenges and parallel repetition nn29 times (Minh et al., 19 Apr 2025).

6. Applications, communication models, and design trade-offs

The application profile of PVSS is broad. Recent work identifies e-voting, distributed key generation, decentralized random number generation protocols, multi-party computation, and YOSO-style protocols as natural use cases, all of which benefit from threshold reconstruction together with publicly checkable correctness of both the sharing and the decryption phases (Minh et al., 19 Apr 2025).

The communication model matters because PVSS inherits many of the structural pressures already visible in VSS. The survey literature organizes perfectly-secure VSS into synchronous, asynchronous, and hybrid settings, and emphasizes lower bounds such as nn30 for perfectly-secure VSS in general, nn31 requiring nn32, and asynchronous sharing-phase AVSS requiring nn33. The same survey suggests that when public verifiability is realized through complaint rounds, broadcast, clique certificates, or publicly auditable consistency graphs, PVSS is likely to inherit the communication overhead and resilience constraints of those mechanisms (Chandramouli et al., 2021).

Several trade-offs follow from this literature. Public verifiability tends to require stronger commitments or proof-like public transcripts than ordinary VSS, because outsider verification cannot rely on the hidden joint view of the participants. At the same time, protecting secrecy while exposing verification evidence typically requires blinding, encryption, or zero-knowledge proofs. This suggests a recurring design tension among verifiability, privacy, communication overhead, and resilience. The survey on VSS presents bivariate polynomials, symmetric embeddings, blinding polynomials, broadcast or ACast, and error correction as recurring algebraic and protocol-level tools; the recent lattice-based PVSS work replaces interactive complaint resolution with public NIZKs attached to key generation, share encryption, and share decryption (Chandramouli et al., 2021).

A common misconception is that any scheme with verifiable shares and some public data is PVSS. The cited literature does not support that equivalence. Shareholder-side verification with a dealer-maintained hash file, or authorized-subset verification after reconstruction using trapdoor information, are both verifiable secret-sharing mechanisms, but they are not public verification in the standard cryptographic sense. Conversely, the finite-field commitment attack shows that even genuinely public verification can be unsound if the verification algebra does not match the field in which interpolation occurs. A plausible implication is that PVSS should be understood less as a single protocol family than as a design criterion: the public transcript must simultaneously certify share correctness, preserve threshold privacy, and remain faithful to the algebra in which reconstruction is defined (Parmar et al., 2012).

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Publicly Verifiable Secret Sharing (PVSS).