Shamir's Secret Sharing

Mathematical definition

The goal is to divide secret S (e.g., a safe combination) into n pieces of data S 1 , … , S n in such a way that:

1. Knowledge of any k or more S i pieces makes S easily computable.
2. Knowledge of any k − 1 or fewer S i pieces leaves S completely undetermined (in the sense that all its possible values are equally likely).

This scheme is called ( k , n ) threshold scheme. If k = n then all participants are required to reconstruct the secret.

Shamir's secret-sharing scheme

The essential idea of Adi Shamir's threshold scheme is that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth. That is, it takes k points to define a polynomial of degree k − 1 .

Suppose we want to use a ( k , n ) threshold scheme to share our secret S , without loss of generality assumed to be an element in a finite field F of size P where 0 < k ≤ n < P ; S < P and P is a prime number.

Choose at random k − 1 positive integers a 1 , ⋯ , a k − 1 with a i < P , and let a 0 = S . Build the polynomial f ( x ) = a 0 + a 1 x + a 2 x 2 + a 3 x 3 + ⋯ + a k − 1 x k − 1 . Let us construct any n points out of it, for instance set i = 1 , ⋯ , n to retrieve ( i , f ( i ) ) . Every participant is given a point (an integer input to the polynomial, and the corresponding integer output). Given any subset of k of these pairs, we can find the coefficients of the polynomial using interpolation. The secret is the constant term a 0 .

Example

The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using finite field arithmetic. Therefore the example below does not provide perfect secrecy and is not a true example of Shamir's scheme. So we'll explain this problem and show the right way to implement it (using finite field arithmetic).

Preparation

Suppose that our secret is 1234 ( S = 1234 ) .

We wish to divide the secret into 6 parts ( n = 6 ) , where any subset of 3 parts ( k = 3 ) is sufficient to reconstruct the secret. At random we obtain two ( k − 1 ) numbers: 166 and 94.

( a 0 = 1234 ; a 1 = 166 ; a 2 = 94 )

Our polynomial to produce secret shares (points) is therefore:

f ( x ) = 1234 + 166 x + 94 x 2

We construct 6 points D x − 1 = ( x , f ( x ) ) from the polynomial:

D 0 = ( 1 , 1494 ) ; D 1 = ( 2 , 1942 ) ; D 2 = ( 3 , 2578 ) ; D 3 = ( 4 , 3402 ) ; D 4 = ( 5 , 4414 ) ; D 5 = ( 6 , 5614 )

We give each participant a different single point (both x and f ( x ) ). Because we use D x − 1 instead of D x the points start from ( 1 , f ( 1 ) ) and not ( 0 , f ( 0 ) ) . This is necessary because f ( 0 ) is the secret.

Reconstruction

In order to reconstruct the secret any 3 points will be enough.

Let us consider ( x 0 , y 0 ) = ( 2 , 1942 ) ; ( x 1 , y 1 ) = ( 4 , 3402 ) ; ( x 2 , y 2 ) = ( 5 , 4414 ) .

We will compute Lagrange basis polynomials:

ℓ 0 = x − x 1 x 0 − x 1 ⋅ x − x 2 x 0 − x 2 = x − 4 2 − 4 ⋅ x − 5 2 − 5 = 1 6 x 2 − 3 2 x + 10 3

ℓ 1 = x − x 0 x 1 − x 0 ⋅ x − x 2 x 1 − x 2 = x − 2 4 − 2 ⋅ x − 5 4 − 5 = − 1 2 x 2 + 7 2 x − 5

ℓ 2 = x − x 0 x 2 − x 0 ⋅ x − x 1 x 2 − x 1 = x − 2 5 − 2 ⋅ x − 4 5 − 4 = 1 3 x 2 − 2 x + 8 3

Therefore

f ( x ) = ∑ j = 0 2 y j ⋅ ℓ j ( x )

= 1234 + 166 x + 94 x 2

Recall that the secret is the free coefficient, which means that S = 1234 , and we are done.

Computationally Efficient Approach

Considering that the goal of using polynomial interpolation is to find a constant in a source polynomial S = f ( 0 ) using Lagrange polynomials "as it is" is not efficient, since unused constants are calculated.

An optimized approach to use Lagrange polynomials to find L ( 0 ) is defined as follows:

L ( 0 ) = ∑ j = 0 k − 1 f ( x j ) ∏ m = 0 m ≠ j k − 1 x m x m − x j

Problem

Although this method works fine, there is a security problem: Eve gains a lot of information about S with every D i that she finds.

Suppose that she finds the 2 points D 0 = ( 1 , 1494 ) and D 1 = ( 2 , 1942 ) , she still doesn't have k = 3 points so in theory she shouldn't have gained any more info about S . But she combines the info from the 2 points with the public info: n = 6 , k = 3 , f ( x ) = a 0 + a 1 x + ⋯ + a k − 1 x k − 1 , a 0 = S , a i ∈ N and she :

S ∈ [ 1046 , 1048 , … , 1342 , 1344 ] . She now only has 150 numbers to guess from instead of an infinite number of natural numbers.

Solution

This problem can be fixed by using finite field arithmetic in a field of size p ∈ P : p > S , p > n .

This is in practice only a small change, it just means that we should choose a prime p that is bigger than the number of participants and every a i (including a 0 = S ) and we have to calculate the points as ( x , f ( x ) ( mod p ) ) instead of ( x , f ( x ) ) .

Since everyone who receives a point also has to know the value of p so it may be considered to be publicly known. Therefore, one should select a value for p that is not too low.

Low values of p are risky because Eve knows p > S ⇒ S ∈ [ 0 , 1 , … , p − 2 , p − 1 ] , so the lower one sets p , the lower the number of possible values Eve has to guess from to get S .

For this example we choose p = 1613 , so our polynomial becomes f ( x ) = 1234 + 166 x + 94 x 2 mod 1613 which gives the points: ( 1 , 1494 ) ; ( 2 , 329 ) ; ( 3 , 965 ) ; ( 4 , 176 ) ; ( 5 , 1188 ) ; ( 6 , 775 )

This time Eve doesn't win any info when she finds a D x (until she has k points).

Suppose again Eve again finds D 0 = ( 1 , 1494 ) and D 1 = ( 2 , 329 ) , this time the public info is: n = 6 , k = 3 , p = 1613 , f ( x ) = a 0 + a 1 x + ⋯ + a k − 1 x k − 1 mod p , a 0 = S , a i ∈ N so she:

This time she can't stop because ( m 1 − m 2 ) could be any integer (even negative if m 2 > m 1 ) so there are an infinite amount of possible values for a 1 . She knows that [ 448 , 445 , 442 , . . . ] always decreases by 3 so if 1613 was divisible by 3 she could conclude a 1 ∈ [ 1 , 4 , 7 , … ] but because it's prime she can't even conclude that and so she didn't win any information.

Properties

Some of the useful properties of Shamir's ( k , n ) threshold scheme are:

1. Secure: Information theoretic security.
2. Minimal: The size of each piece does not exceed the size of the original data.
3. Extensible: When k is kept fixed, D i pieces can be dynamically added or deleted without affecting the other pieces.
4. Dynamic: Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares to the participants.
5. Flexible: In organizations where hierarchy is important, we can supply each participant different number of pieces according to their importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.