Secret Sharing: Difference between revisions

Secret Sharing is used to split a secret (usually a key) into several pieces which are then given to distinct persons so that some of these persons must cooperate to reconstruct the secret.

A Simple Approach

One simple approach to split a secret number ${\displaystyle D}$ into ${\displaystyle n}$ pieces ${\displaystyle D_{1},D_{2},}$…${\displaystyle ,D_{n}}$ such that any ${\displaystyle k}$ pieces are sufficient (and necessary) to reconstruct ${\displaystyle D}$ is using a ${\displaystyle k-1}$ polynomial.

When splitting the secret a random polynomial ${\displaystyle f(x)=a_{0}+a_{1}x+a_{2}x+}$…${\displaystyle +a_{k-1}x^{k-1}}$ with ${\displaystyle a_{0}=D}$ is generated. The ${\displaystyle D_{i}}$ are calculated as ${\displaystyle D_{i}=f(i)}$ for ${\displaystyle i=1,}$…${\displaystyle ,n}$.

Given any ${\displaystyle k}$ ${\displaystyle D_{i}}$ it is possible to interpolate the polynomial and calculate ${\displaystyle f(0)}$ which gives the original secret ${\displaystyle D}$.

Example

Let ${\displaystyle D=4}$, ${\displaystyle k=3}$, ${\displaystyle n=5}$, that is: The secret is split into 5 parts of which at least 3 are necessary to reconstruct the secret.

Now generate 2 random numbers ${\displaystyle a_{1}}$ and ${\displaystyle a_{2}}$, let's say: ${\displaystyle a_{1}=3}$, ${\displaystyle a_{2}=-1}$ which give the polynomial ${\displaystyle f(x)=4+3x-1x^{2}}$. Obviously that's a quadratic function and any 3 points on the function are sufficient to interpolate the function.

The image shows the resultant function (in red), the original secret (in green, at ${\displaystyle x=0}$) and the 5 new secret parts (in blue).

To reconstruct the original secret any 3 secret parts (let's say ${\displaystyle D_{2},D_{3}}$ and ${\displaystyle D_{5}}$) are merged together:

Then the polynomial is interpolated and ${\displaystyle f(0)}$ computed:

Let's suppose we wanted to reconstruct the shared secret but only had two of the parts: ${\displaystyle D_{2}}$ and ${\displaystyle D_{3}}$. This gives two equations:

• ${\displaystyle 6=a_{0}+2a_{1}+4a_{2}}$
• ${\displaystyle 4=a_{0}+3a_{1}+9a_{2}}$

with three unknown variables thus allowing for infinitely many solutions which are all equally likely.

The image shows five of them (for ${\displaystyle a_{2}=-3}$, ${\displaystyle a_{2}=-2}$, ${\displaystyle a_{2}=-1}$, ${\displaystyle a_{2}=0}$ and ${\displaystyle a_{2}=1}$):

${\displaystyle a_{0}}$	${\displaystyle a_{1}}$	${\displaystyle a_{2}}$
16	-7	1
10	-2	0
4	3	-1
-2	8	-2
-8	13	-3