Shamir's Secret Sharing

Shamir's Secret Sharing is an algorithm in cryptography. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.

Counting on all participants to combine together the secret might be impractical, and therefore we may use the "threshold scheme", as demonstrated by Liu's problem:"11 scientists are working on a secret project. They wish to lock up the documents in a cabinet so that the cabinet can be opened if and only if 6 or more of the scientists are present".

Mathematical definition

Formally, our goal is to divide some data $D$ (e.g., the safe combination) into $n,!$ pieces $D\_1,cdots,D\_n,!$ in such a way that:

# Knowledge of any $k,!$ or more $D\_i,!$ pieces makes $D,!$ easily computable.
# Knowledge of any $k-1,!$ or fewer $D\_i,!$ pieces leaves $D,!$ completely undetermined (in the sense that all its possible values are equally likely).

This scheme is called $left(k,n\; ight),!$ threshold scheme.If $k=n,!$ then all participants are required together to reconstruct the secret.

Shamir's secret-sharing scheme

The essential idea of Adi Shamir's threshold scheme is that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth.That is, it takes $n+1,!$ points to define a polynomial of degree $n,!$.

Suppose we want to use $left(k,n\; ight),!$ threshold scheme to share our secret $S,!$ (without loss of generality, some number) where

Choose at random $left(k-1\; ight),!$ coefficients $a\_1,cdots,a\_\{k-1\},!$, and let $a\_0=S,!$. Build polynomial $fleft(x\; ight)=a\_0+a\_1x+a\_2x^2+a\_3x^3+cdots+a\_\{k-1\}x^\{k-1\},!$. Let us construct any $n,!$ points out of it, for instance set $i=1,cdots,n,!$ to retrieve $left(i,fleft(i\; ight)\; ight),!$. Every participant is given a point (a pair of input to the polynomial and output).Given any subset of $k,!$ of these pairs, we can find the coefficients of the polynomial by polynomial curve fitting, and then evaluate $a\_0,!$, which is the secret.

Usage

Example

Preparation

Suppose that our secret is our ATM code: 1234 $(S=1234),!$.

We wish to divide the secret into 6 parts $(n=6),!$, where any subset of 3 parts $(k=3),!$ is sufficient to reconstruct the secret. At random we obtain 2 numbers: 166, 94.

$(a\_1=166;a\_2=94),!$

Our polynomial to produce secret shares (points) is therefore:

$fleft(x\; ight)=1234+166x+94x^2,!$

We construct 6 points from the polynomial:

$left(1,1494\; ight);left(2,1942\; ight);left(3,2578\; ight);left(4,3402\; ight);left(5,4414\; ight);left(6,5614\; ight),!$

We give each participant a different single point (both $x,!$ and $fleft(x\; ight),!$).

Reconstruction

In order to reconstruct the secret any 3 points will be enough.

Let us consider $left(x\_0,y\_0\; ight)=left(2,1942\; ight);left(x\_1,y\_1\; ight)=left(4,3402\; ight);left(x\_2,y\_2\; ight)=left(5,4414\; ight),!$.

We will compute Lagrange basis polynomials:

$ell\_0=frac\{x-x\_1\}\{x\_0-x\_1\}cdotfrac\{x-x\_2\}\{x\_0-x\_2\}=frac\{x-4\}\{2-4\}cdotfrac\{x-5\}\{2-5\}=frac\{1\}\{6\}x^2-1frac\{1\}\{2\}x+3frac\{1\}\{3\},!$

$ell\_1=frac\{x-x\_0\}\{x\_1-x\_0\}cdotfrac\{x-x\_2\}\{x\_1-x\_2\}=frac\{x-2\}\{4-2\}cdotfrac\{x-5\}\{4-5\}=-frac\{1\}\{2\}x^2+3frac\{1\}\{2\}x-5,!$

$ell\_2=frac\{x-x\_0\}\{x\_2-x\_0\}cdotfrac\{x-x\_1\}\{x\_2-x\_1\}=frac\{x-2\}\{5-2\}cdotfrac\{x-4\}\{5-4\}=frac\{1\}\{3\}x^2-2x+2frac\{2\}\{3\},!$

Therefore

$f(x)=sum\_\{j=0\}^2\; y\_jcdotell\_j(x),!$

$=1942cdotleft(frac\{1\}\{6\}x^2-1frac\{1\}\{2\}x+3frac\{1\}\{3\}\; ight)+3402cdotleft(-frac\{1\}\{2\}x^2+3frac\{1\}\{2\}x-5\; ight)+4414cdotleft(frac\{1\}\{3\}x^2-2x+2frac\{2\}\{3\}\; ight),!$

$=1234+166x+94x^2,!$

Recall that the secret is the free coefficient, which means that $S=1234,!$, and we are done.

Properties

Some of the useful properties of Shamir's $left(k,n\; ight),!$ threshold scheme are:
# Secure: Information theoretic security.
# Minimal: The size of each piece does not exceed the size of the original data.
# Extensible: When $k,!$ is kept fixed, $D\_i,!$ pieces can be dynamically added or deleted (e.g., when scientists are fired or suddenly die) without affecting the other pieces.
# Dynamic: Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares to the participants.
# Flexible: In organizations where hierarchy is important, we can supply each participant different number of pieces according to his importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.

ee also

* Secret sharing
* Lagrange polynomial
* Homomorphic secret sharing - A simplistic decentralized voting protocol.

References

*citation
last = Shamir
first = Adi
authorlink = Adi Shamir
title = How to share a secret
journal = Communications of the ACM
volume = 22
issue = 11
pages = 612-613
yeat = 1979
doi = 10.1145/359168.359176.

*citation|last=Liu|first=C. L.|authorlink=Chung Laung Liu|title=Introduction to Combinatorial Mathematics|publisher=McGraw-Hill|location=New York|year=1968.

*citation|last1=Dawson|first1=E.|last2=Donovan|first2=D.|year=1994|title=The breadth of Shamir's secret-sharing scheme|journal=Computers & Security|volume=13|pages=69–78.

*citation|last=Knuth|first=D. E.|authorlink=Donald Knuth|year=1997|title=The Art of Computer Programming|edition=3rd|volume=II: Seminumerical Algorithms|page=505|publisher=Addison-Wesley.

External links

* [http://charles.karney.info/misc/secret.html A perl implementaton of Shamir's Secret Sharing]
* [http://point-at-infinity.org/ssss/index.html ssss: A free (GPL) implementation of Shamir's Scheme]
* [http://sourceforge.net/projects/secretsharp/ Secret Sharp: A free (GPL) implementation of Shamir's Scheme for windows]