1. Secret Sharing

Secret sharing (also called secret splitting) refers to methods for distributing a secret amongst a group of participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a sufficient number, of possibly different types, of shares are combined together; individual shares are of no use on their own [1].
In cryptography, a shared secret is a piece of data, known only to the parties involved, in a secure communication. The shared secret can be a password, a passphrase, a big number or an array of randomly chosen bytes [1]. In one type of secret sharing scheme there is one dealer and n players. The dealer gives a share of the secret to the players, but only when specific conditions are fulfilled will the players be able to reconstruct the secret from their shares. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. Such a system is called a (t, n)-threshold scheme (sometimes it is written as an (n, t)-threshold scheme) [1]. Secret sharing was invented independently by Adi Shamir and George Blakley in 1979 [1].
Figure: Each secret share is a plane, and the secret is the point at which three shares intersect. Two shares yield only a line intersection [6].
A secure secret sharing scheme distributes shares so that anyone with fewer than t shares has no extra information about the secret than someone with 0 shares [1]. Consider for example the secret sharing scheme in which the secret phrase "password" is divided into the shares "pa------", "--ss----", "----wo--", and "------rd". A person with 0 shares knows only that the password consists of eight letters. He would have to guess the password from 26^8 ≈ 208 billion possible combinations. A person with one share, however, would have to guess only the six letters, from 26^6 ≈ 308 million combinations, and so on as more persons collude. Consequently, this system is not a secure secret sharing scheme, because a player with fewer than t secret-shares is able to reduce the problem of obtaining the inner secret without first needing to obtain all of the necessary shares [1].
Common to all unconditionally secure secret sharing schemes, there are limitations:
Each share of the secret must be at least as large as the secret itself. This result is based in information theory but can be understood intuitively. Given t-1 shares, no information whatsoever can be determined about the secret. Thus, the final share must contain as much information as the secret itself. There is sometimes a workaround for this limitation by first compressing the secret before sharing it, but this is often not possible because many secrets (keys for example) look like high-quality random data and thus are hard to compress [2].

All secret sharing schemes use random bits. To distribute a one-bit secret among threshold t people, t-1 random bits are necessary. To distribute a secret of arbitrary length, entropy of (t-1)*length is necessary [2].
2. Trivial Secret Sharing

t = 1

t = 1 secret sharing is very trivial. The secret can simply be distributed to all n participants [2].

t = n

There are several (t, n) secret sharing schemes for t = n, when all shares are necessary to recover the secret:

1. Encode the secret as an arbitrary length binary number s. Give to each player i (except one) a random number p_i with the same length as s. Give to the last player the result of (s XOR p_1 XOR p_2 XOR ... XOR p_(n-1)), where XOR is bitwise exclusive or. The secret is the bitwise XOR of all the players' numbers (p).
2. Additionally, (1) can be performed using any linear operator in any field. For example, here's an alternative that is functionally equivalent to (1). Let's select 32-bit integers with well-defined overflow semantics (i.e. the correct answer is preserved, modulo 2^32). First, s can be divided into a vector of M 32-bit integers called v_secret. Then (n-1) players are each given a vector of M random integers, player i receiving v_i. The remaining player is given v_n = (v_secret - v_1 - v_2 - ... - v_(n-1)). The secret vector can then be recovered by summing across all the players' vectors [2].
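Both t = n constructions above, as an added example that is not code from the original text: `split_xor`/`combine_xor` implement scheme (1) over byte strings, and `split_add32`/`combine_add32` implement scheme (2) over vectors of 32-bit words with the subtraction and addition taken modulo 2^32. The function names and the sample secret are my own; the randomness comes from the operating system's CSPRNG (`secrets`), since a predictable p_i would make the last player's share leak the secret.

```python
"""Two (n, n) secret-splitting schemes: bitwise XOR, and the word-wise
additive variant modulo 2^32. Added example, not the page's own code."""
from __future__ import annotations

import secrets
import struct

MASK32 = 0xFFFFFFFF


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all have the secret's length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(secret: bytes, n: int) -> list[bytes]:
    """Scheme (1): n-1 players get uniformly random strings p_i of the
    secret's length; the last player gets s XOR p_1 XOR ... XOR p_(n-1)."""
    if n < 2:
        raise ValueError("need at least two players")
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for p in shares:
        last = xor_bytes(last, p)
    return shares + [last]


def combine_xor(shares: list[bytes]) -> bytes:
    """XOR of every player's share. If any single share is missing the result
    is a uniformly random string, so fewer than n shares reveal nothing."""
    acc = bytes(len(shares[0]))
    for p in shares:
        acc = xor_bytes(acc, p)
    return acc


def split_add32(secret: bytes, n: int) -> list[list[int]]:
    """Scheme (2): view the secret as a vector of M 32-bit words, give n-1
    players random word vectors v_i, and give the last player
    v_secret - v_1 - ... - v_(n-1), each word reduced modulo 2^32."""
    if n < 2 or len(secret) % 4:
        raise ValueError("need n >= 2 and a secret length that is a multiple of 4")
    m = len(secret) // 4
    v_secret = list(struct.unpack(f">{m}I", secret))
    shares = [[secrets.randbelow(1 << 32) for _ in range(m)] for _ in range(n - 1)]
    last = v_secret
    for v in shares:
        last = [(a - b) & MASK32 for a, b in zip(last, v)]
    return shares + [last]


def combine_add32(shares: list[list[int]]) -> bytes:
    """Sum all vectors word-wise modulo 2^32 and repack the words as bytes."""
    m = len(shares[0])
    acc = [0] * m
    for v in shares:
        if len(v) != m:
            raise ValueError("all vectors must have the same length")
        acc = [(a + b) & MASK32 for a, b in zip(acc, v)]
    return struct.pack(f">{m}I", *acc)


if __name__ == "__main__":
    # Constructed sample secret: 20 bytes, so it also splits into five 32-bit words.
    secret = b"constructed example!"
    parts = split_xor(secret, 4)
    print(combine_xor(parts) == secret, combine_xor(parts[:3]) == secret)  # True, then False
    words = split_add32(secret, 3)
    print(combine_add32(words) == secret)  # True
```

Note that every share is exactly as long as the secret, which is the size limitation stated above: a shorter share would leave some secret bits determined by fewer than n players.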
1 < t < n

The difficulty lies in creating schemes that are still secure, but do not require all n shares. For example, imagine that the Board of Directors of a company would like to protect their secret formula. The president of the company should be able to access the formula when needed, but in an emergency any 3 of the 12 board members would be able to unlock the secret formula together. This can be accomplished by a secret sharing scheme with t = 3 and n = 15, where 3 shares are given to the president, and 1 is given to each board member [2].
3.1 Shamir's Secret Sharing Scheme

Shamir's Secret Sharing is an algorithm in cryptography created by Adi Shamir. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret [1].
3.2 Mathematical definition

The goal is to divide secret data (e.g., a safe combination) into n pieces in such a way that:

1. Knowledge of any t or more pieces makes the secret easily computable.
2. Knowledge of any t-1 or fewer pieces leaves the secret completely undetermined (in the sense that all its possible values are equally likely).

This scheme is called a (t, n) threshold scheme. If t = n then all participants are required to reconstruct the secret. The essential idea of Adi Shamir's threshold scheme is that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth. That is, it takes t points to define a polynomial of degree t-1. Suppose we want to use a (t, n) threshold scheme to share our secret, without loss of generality assumed to be an element in a finite field whose size is a prime number larger than n and than the secret. Choose at random t-1 positive integers smaller than the field size and use them as coefficients, with the secret as the constant term. Build the polynomial of degree t-1 from these coefficients, and let us construct any n points out of it, for instance by evaluating it at 1, 2, ..., n. Every participant is given a point (an integer input to the polynomial, and the corresponding integer output). Given any subset of t of these pairs, we can find the coefficients of the polynomial using interpolation. The secret is the constant term [1].
3.3 Example

Preparation

Suppose that our secret is 1234. We wish to divide the secret into 6 parts, where any subset of 3 parts is sufficient to reconstruct the secret. At random we obtain two (t-1) numbers: 166 and 94.

Our polynomial to produce secret shares (points) is therefore:

f(x) = 1234 + 166x + 94x^2

We construct 6 points from the polynomial:

(1, 1494), (2, 1942), (3, 2578), (4, 3402), (5, 4414), (6, 5614)
We give each participant a different single point (both the input x and the output f(x)). Because we use f(x) instead of x, the points start from 1 and not 0. This is necessary because if one would have f(0) he would also know the secret (1234) [1].

Reconstruction
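The definition in 3.2 and the worked numbers in 3.3, carried through in code as an added example that is not part of the original text. Arithmetic is done modulo a prime, as the definition requires; the constant `PRIME` (2^61 - 1, a Mersenne prime) and the function names are my choices. The prime is large enough that the example's six points never wrap, so `make_shares(1234, 3, 6, coeffs=[166, 94])` reproduces exactly the points listed above, and `recover_secret` performs the Lagrange interpolation of f(0) that the reconstruction step relies on.

```python
"""Shamir's (t, n) threshold scheme over a prime field, reproducing the
text's example (secret 1234, n = 6, t = 3, coefficients 166 and 94).
Added example, not code from the original text."""
import secrets

# 2^61 - 1 is prime. Any prime larger than the secret and than n will do;
# this one is large enough that the example's shares never wrap, so they
# coincide with the plain-integer points given in the text.
PRIME = 2**61 - 1


def make_shares(secret: int, t: int, n: int, coeffs=None, p: int = PRIME):
    """Return n points (i, f(i)), i = 1..n, on a degree-(t-1) polynomial whose
    constant term is the secret. `coeffs` (a_1 .. a_(t-1)) may be supplied to
    reproduce a fixed example; otherwise they come from the OS CSPRNG."""
    if not (0 < t <= n < p) or not (0 <= secret < p):
        raise ValueError("need 0 < t <= n < p and 0 <= secret < p")
    if coeffs is None:
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("exactly t-1 random coefficients are required")
    poly = [secret % p] + [c % p for c in coeffs]  # a_0 = secret, then a_1 .. a_(t-1)

    def f(x: int) -> int:
        # Horner evaluation of a_0 + a_1 x + ... + a_(t-1) x^(t-1) mod p
        acc = 0
        for c in reversed(poly):
            acc = (acc * x + c) % p
        return acc

    # x starts at 1, never 0: f(0) is the secret itself.
    return [(i, f(i)) for i in range(1, n + 1)]


def recover_secret(shares, p: int = PRIME) -> int:
    """Lagrange interpolation of f(0) from any t distinct points. Handing in
    fewer than t points does not fail: it silently yields some other value,
    which is the 'completely undetermined' property of the scheme."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("shares must have distinct x coordinates")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num = num * (-xm) % p        # product of (0 - x_m)
                den = den * (xj - xm) % p    # product of (x_j - x_m)
        # pow(den, -1, p) is the modular inverse of den (Python 3.8+)
        total = (total + yj * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    shares = make_shares(1234, t=3, n=6, coeffs=[166, 94])
    print(shares)  # [(1, 1494), (2, 1942), (3, 2578), (4, 3402), (5, 4414), (6, 5614)]
    print(recover_secret([shares[1], shares[3], shares[4]]))  # 1234, from the points at 2, 4 and 5
    print(recover_secret(shares[:2]))  # 1046: two points only fix a line, not the parabola
```

The last call shows the failure mode worth remembering when auditing an implementation: interpolating from fewer than t shares returns a plausible-looking integer rather than an error, so a caller must enforce the threshold itself.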
Bibliography

[1] Shamir, Adi (1979). How to share a secret. Communications of the ACM 22 (11).
[2] Krawczyk, Hugo (1993).
[3] Stadler, Markus. Publicly Verifiable Secret Sharing.
[4] Kate, Aniket; Goldberg, Ian (2010). Distributed Private-Key Generators for Identity-Based Cryptography.
[5] Gennaro, Rosario; Jarecki, Stanislaw; Krawczyk, Hugo; Rabin, Tal (24 May 2006). Secure Distributed Key Generation for Discrete-Log Based Cryptosystems.
[6] Wikipedia.