## FANDOM

573 Pages

Shamir's Secret Sharing is an algorithm in cryptography. It is a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.

Counting on all participants to combine together the secret might be impractical, and therefore we sometimes use the threshold scheme where any $k$ of the parts are sufficient to reconstruct the original secret.

## Mathematical definitionEdit

Formally, our goal is to divide some data $D$ (e.g., the safe combination) into $n\,\!$ pieces $D_1,\ldots,D_n\,\!$ in such a way that:

1. Knowledge of any $k\,\!$ or more $D_i\,\!$ pieces makes $D\,\!$ easily computable.
2. Knowledge of any $k-1\,\!$ or fewer $D_i\,\!$ pieces leaves $D\,\!$ completely undetermined (in the sense that all its possible values are equally likely).

This scheme is called $\left(k,n\right)\,\!$ threshold scheme. If $k=n\,\!$ then all participants are required to reconstruct the secret.

## Shamir's secret-sharing schemeEdit

The essential idea of Adi Shamir's threshold scheme is that 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth. That is, it takes $k\,\!$ points to define a polynomial of degree $k-1\,\!$.

Suppose we want to use $\left(k,n\right)\,\!$ threshold scheme to share our secret $S\,\!$, without loss of generality assumed to be an element in a finite field $F$.

Choose at random $k-1\,\!$ coefficients $a_1,\cdots,a_{k-1}\,\!$ in $F$, and let $a_0=S\,\!$. Build the polynomial $f\left(x\right)=a_0+a_1x+a_2x^2+a_3x^3+\cdots+a_{k-1}x^{k-1}\,\!$. Let us construct any $n\,\!$ points out of it, for instance set $i=1,\cdots,n\,\!$ to retrieve $\left(i,f\left(i\right)\right)\,\!$. Every participant is given a point (a pair of input to the polynomial and output). Given any subset of $k\,\!$ of these pairs, we can find the coefficients of the polynomial using interpolation and the secret is the constant term $a_0\,\!$.

## UsageEdit

### Example Edit

The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using finite field arithmetic. Therefore the example below does not provide perfect secrecy, and is not a true example of Shamir's scheme.

#### PreparationEdit

Suppose that our secret is 1234 $(S=1234)\,\!$.

We wish to divide the secret into 6 parts $(n=6)\,\!$, where any subset of 3 parts $(k=3)\,\!$ is sufficient to reconstruct the secret. At random we obtain 2 numbers: 166, 94.

$(a_1=166;a_2=94)\,\!$

Our polynomial to produce secret shares (points) is therefore:

$f\left(x\right)=1234+166x+94x^2\,\!$

We construct 6 points from the polynomial:

$\left(1,1494\right);\left(2,1942\right);\left(3,2578\right);\left(4,3402\right);\left(5,4414\right);\left(6,5614\right)\,\!$

We give each participant a different single point (both $x\,\!$ and $f\left(x\right)\,\!$).

#### ReconstructionEdit

In order to reconstruct the secret any 3 points will be enough.

Let us consider $\left(x_0,y_0\right)=\left(2,1942\right);\left(x_1,y_1\right)=\left(4,3402\right);\left(x_2,y_2\right)=\left(5,4414\right)\,\!$.

We will compute Lagrange basis polynomials:

$\ell_0=\frac{x-x_1}{x_0-x_1}\cdot\frac{x-x_2}{x_0-x_2}=\frac{x-4}{2-4}\cdot\frac{x-5}{2-5}=\frac{1}{6}x^2-1\frac{1}{2}x+3\frac{1}{3}\,\!$

$\ell_1=\frac{x-x_0}{x_1-x_0}\cdot\frac{x-x_2}{x_1-x_2}=\frac{x-2}{4-2}\cdot\frac{x-5}{4-5}=-\frac{1}{2}x^2+3\frac{1}{2}x-5\,\!$

$\ell_2=\frac{x-x_0}{x_2-x_0}\cdot\frac{x-x_1}{x_2-x_1}=\frac{x-2}{5-2}\cdot\frac{x-4}{5-4}=\frac{1}{3}x^2-2x+2\frac{2}{3}\,\!$

Therefore

$f(x)=\sum_{j=0}^2 y_j\cdot\ell_j(x)\,\!$

$=1942\cdot\left(\frac{1}{6}x^2-1\frac{1}{2}x+3\frac{1}{3}\right)+3402\cdot\left(-\frac{1}{2}x^2+3\frac{1}{2}x-5\right)+4414\cdot\left(\frac{1}{3}x^2-2x+2\frac{2}{3}\right)\,\!$

$=1234+166x+94x^2\,\!$

Recall that the secret is the free coefficient, which means that $S=1234\,\!$, and we are done.

## PropertiesEdit

Some of the useful properties of Shamir's $\left(k,n\right)\,\!$ threshold scheme are:

1. Secure: Information theoretic security.
2. Minimal: The size of each piece does not exceed the size of the original data.
3. Extensible: When $k\,\!$ is kept fixed, $D_i\,\!$ pieces can be dynamically added or deleted without affecting the other pieces.
4. Dynamic: Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares to the participants.
5. Flexible: In organizations where hierarchy is important, we can supply each participant different number of pieces according to his importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.