PVSS Implementation in Cardano SL
Publicly Verifiable Secret Sharing (PVSS) Scheme used in Cardano SL is based on
“SCRAPE: Scalable Randomness Attested by Public Entities”, paper
by Ignacio Cascudo and Bernardo David. Further we’ll refer to this paper’s pages,
 means the 6-th page.
What is PVSS
The core idea of VSS Scheme is an ability of participants to verify their own
shares, for successful reconstruction of the secret (previously distributed by a
dealer among the participants). But core idea of PVSS Scheme is that not just
the participants can verify their shares, but that anybody can verify that the
participants received correct shares. So it’s required (for our reconstruction
protocol) that participants not only release their shares but also that they
provide a proof of correctness for each share released (
t-out-of-n reconstruction scheme (
n is a number of
t is a threshold number, so any subset of
t+1 shares can be
used to successfully recover the secret.
So, the protocol consists of four fundamental phases (
Pi must generate its private key
SKi and register its public key
First of all, we prepare a new escrowing context. To do it we need a
value mentioned above and a list of public
of participants. Result of this operation is
value which includes:
Polynomial is a group of coefficient starting from the smallest degree (these coefficients are Scalar values).
Challenge is based on cryptographic hash.
Now commitments and encrypted shares can be published among participants. Due
the public nature of PVSS scheme anyone who knows public keys can verify
via hashes matching (
First of all, participant must decrypt encrypted
keys. To obtain DLEQ value, we use
As a result, we get
Its structure is the same as encrypted share.
Since decrypted share contains a proof, we can be sure that decrypted share is the same as encrypted one, there’s verification function for it. To do it we use DLEQ value and proof from the decrypted share. Actual verifying is a comparison of the hash of DLEQ points.
Now, if we have
t+1 decrypted shares we can recover a
Recovered secret can be verified as well, so we can be sure that secret recovered is the same escrow. To do it, we need not just a proof and a secret, but commitments as well (actually, the first one.
VSS certificate includes:
- Public key used for the VSS scheme (e.g. VSS key).
- Public key used for signing (e.g. signing key).
- Index of an expiry epoch (e.g. the last epoch when this certificate was valid).
- Signature of a pair
Ais a VSS key and
Bis an epoch index.
Initially, all stakeholders with enough stake to participate in randomness generation (we call them richmen) have their own certificates. When a new stakeholder having enough stake appears, or when an existing certificate expires, a new certificate should be generated and submitted to the network. Other nodes accept this certificate if it’s valid and if the node has enough stake. Certificates are stored in blocks.
Please note that VSS certificate must be stable before usage! If an epoch we
retrieve certificates for is the first one (i.e. has index
certificates are genesis
Otherwise stable certificate are non-expired certificates for the last known