Secret Sharing: Difference between revisions

Secret Sharing is used to split a secret (usually a key) into several pieces which are then given to distinct persons so that some of these persons must cooperate to reconstruct the secret.

A Simple Approach

One simple approach to split a secret number ${\displaystyle D}$ into ${\displaystyle n}$ pieces ${\displaystyle D_1,D_2,}$…${\displaystyle ,D_n}$ such that any ${\displaystyle k}$ pieces are sufficient (and necessary) to reconstruct ${\displaystyle D}$ is using a ${\displaystyle k-1}$ polynomial.

When splitting the secret a random polynomial ${\displaystyle f(x)=a_0+a_{1}x+a_{2}x+}$…${\displaystyle +a_{k-1}{x}^{k-1}}$ with ${\displaystyle a_0=D}$ is generated. The ${\displaystyle D_i}$ are calculated as ${\displaystyle D_i=f(i)}$ for ${\displaystyle i=1,}$…${\displaystyle ,n}$.

Given any ${\displaystyle k}$ ${\displaystyle D_i}$ it is possible to interpolate the polynomial and calculate ${\displaystyle f(0)}$ which gives the original secret ${\displaystyle D}$.

Example

Let ${\displaystyle D=4}$, ${\displaystyle k=3}$, ${\displaystyle n=5}$, that is: The secret is split into 5 parts of which at least 3 are necessary to reconstruct the secret.

Now generate 2 random numbers ${\displaystyle a_1}$ and ${\displaystyle a_2}$, let's say: ${\displaystyle a_1=3}$, ${\displaystyle a_2=-1}$ which give the polynomial ${\displaystyle f(x)=4+3x-1x^2}$. Obviously that's a quadratic function and any 3 points on the function are sufficient to interpolate the function.

The image shows the resultant function (in red), the original secret (in green, at ${\displaystyle x=0}$) and the 5 new secret parts (in blue).

To reconstruct the original secret any 3 secret parts (let's say ${\displaystyle D_2,D_3}$ and ${\displaystyle D_5}$) are merged together:

Then the polynomial is interpolated and ${\displaystyle f(0)}$ computed:

Let's suppose we wanted to reconstruct the shared secret but only had two of the parts: ${\displaystyle D_2}$ and ${\displaystyle D_3}$. This gives two equations:

• ${\displaystyle 6=a_0+2a_1+4a_2}$
• ${\displaystyle 4=a_0+3a_1+9a_2}$

with three unknown variables thus allowing for infinitely many solutions which are all equally likely.

The image shows five of them (for ${\displaystyle a_2=-3}$, ${\displaystyle a_2=-2}$, ${\displaystyle a_2=-1}$, ${\displaystyle a_2=0}$ and ${\displaystyle a_2=1}$):