Russ Martin

May 14, 2012

Secret Sharing Schemes
Table of Contents
What is Secret Sharing?
Traditional Schemes
Shamirs
Simplified
Blakleys
Theory of More Efficient Schemes
Short Share Secret Sharing
Robust Secret Sharing
What is Secret Sharing
A method of distributing data between a group of
persons so that any subset of a specified size can
access the data, and a subset of size smaller can
not.
A (t,w) Threshold Scheme is a method of sharing
a key K among w participants in such a way that
any t participants can compute the value of K, but
no group of t-1 participants can
Definitions
Perfect Secret Sharing Scheme (PSS) A
scheme in which t-1 shares provide absolutely no
information on the hidden data
Information Rate Ratio of # of bits in the secret
being hidden to the # of bits in the size of each
share
1 is ideal, as the size of the shares are the size of
the secret
Must be less than or equal to 1 for any perfect
secret sharing scheme

Traditional Schemes Shamirs
Based on polynomial interpolation given t points
on the plane, only one polynomial q(x) degree of
t-1 exists that satisfies q(x) = y for all x
i
(the key
given to each participant).
K = the data being hidden by the scheme, in
numeric form
q(x) = a
0
+ a
1
x + + a
k-1
x
k-1
, where K = a
0

Shamirs Scheme Key Distribution
To Distribute data: Choose w unique elements in Z
p
,
where p>w. These are the x values.
For i in 1 to w: Give x
i
to each of the participants.
These x values are public
Choose t-1 values in Z
p
randomly. These values are
secret to the person distributing the shares. These are
the a values.
Privately give each member y = q(x) corresponding to
their x value, where



p x a K x q
j
t
j
j
mod ) (
1
1

Shamirs Scheme Key
Reconstruction
Goal is to solve for the a values used during
distribution, notably a
0
= K
With t participants, one can form t linear equations in
the form:

With t equations and t unknowns, there is a unique
solution.

1
1 1 0
... ) (

t
t
x a x a a x q
Shamirs Scheme - Example
p = 19, t = 3, w =4, x
i
= i
K = a
0
= 12
Randomly Choose a
1
= 14 , a
2
= 3


q(1) = 10, q(2) = 14 , q(3) = 5 , q(4) = 2
19 mod 3 14 12 ) (
2
x x x q
Shamirs Scheme Example
(Solving)
(1,2,3)



(1,3,4)




2 1 0
10 a a a
(1,2,4)



(2,3,4)

2 1 0
10 a a a
2 1 0
10 a a a
2 1 0
4 2 14 a a a
2 1 0
4 2 14 a a a
2 1 0
4 2 14 a a a
2 1 0
9 3 5 a a a
2 1 0
9 3 5 a a a
2 1 0
9 3 5 a a a
2 1 0
16 4 2 a a a
2 1 0
16 4 2 a a a
2 1 0
16 4 2 a a a
In all cases, Equations solve for
12, 14, and 3, the values chosen







Shamirs Scheme - Alternate
Reconstruction
Each participant computes a value of b for each
possible subset of participants they could reconstruct
the secret with.
This can be done prior to reconstruction, as all x
values are public


Once b values are computed, can be used for
reconstruction as such:

p
x x
x
b
j k t k
j k
k
j
mod
, 1

p y b K
t
j
j j
mod
1

Shamirs Scheme
Size of all shares are the size of the hidden key
(Information Rate = 1)
For t-1 people, forms a line of possible answers
providing no information, making this a PSS
If a person is more important, increase their
ability by giving them multiple shares
Recommended # of shares: w = 2t 1
Allows recovery with loss/destruction of t-1 shares,
but no reconstruction with same number
Simplified Shamirs Scheme
Works only with a (t,t) threshold scheme
Over any finite integer field Z
m

Randomly choose t-1 integers from i = 1 to t-1,
denoted y
1
y
t-1



y
i
= Shares given to participants

1
1
mod
t
i
i t
m y K y
Simplified Shamirs Scheme
Reconstruction:



With t-1 particpants, only can compute K-y
i
Still a PSS

t
i
i
m y K
1
mod
Traditional Schemes Blakleys
t different (t-1)-dimensional hyperplanes will
always intersect at exactly one point.
t = 3, 2-dimensional planes in the form a
1
x
1
+
a
2
x
2
+ a
t
x
t
= b
K = x
1

Blakleys Scheme - Distribution
Choose a prime p and F = finite, t-1 dimensional
field
Select a secret, random point x, where x
1
=K, rest
of values are random.
All a values are also random and public
Privately give each person y
i
= a
i1
x
1
+ a
i2
x
2
+
a
it
x
t
Forms a w x t matrix, with Ax = y
Blakleys Scheme - Reconstruction
Solve system of equations Ax = y, only with the t
users that are combining shares.
K = x
i

Blakleys Scheme
Not fully secure all participants know the point
exists on their plane
Public share is much larger than K t times in
magnitude. n*t a values are needed.
a values are not sensitive, may be public
Information Rate is 1

More Efficient Schemes
Note that for large secrets or number of
participants, there is a large amount of data
needed to be transferred
Ideally, size of each share would be equal to size
of the secret divided by the threshold
Since Information Rate is now greater than 1, it
can no longer be guaranteed to be a perfect
secret sharing scheme
Security can not be proved for any scheme with
shares shorter than secret, as there will be some
information revealed.
Computationally Secure Secret
Sharing Scheme
Proposed by Hugo Krawczyk
Computationally Secure No Information can be
efficiently computed from a single share
Polynomial Indistinguishability Two Probability
Distributions that cannot be told apart through
any polynomial-time algorithm
Can be applied to encryptions An encryption
function is computationally secure if for any pair
of messages M and M, their encryptions under
all possible keys are polynomially
indistinguishable
Computationally Secure Secret
Sharing Scheme
Applied to a Secret Sharing Scheme
Computationally Secure if for any pair of secrets of
same length S and S, the distribution of their
shares are polynomially indistinguishable
Information Dispersal Algorithm (IDA)
A split of a file F into n partitions, where m are
needed to reconstruct the original file.
Each partition size F/m, with a little redundancy
attached

Short Share Secret Sharing
Distribution
Encrypt the secret S using a random key in a
polynomially indistinguishable algorithm
Split the encrypted file into w fragments using IDA
Encode the key using a PSS to create w shares of the
key
Give each participant one part of the key and one part of
the encrypted file
Reconstruction:
Use IDA to reconstruct the file
Use PSS to recover the key
Decrypt the file using the key to uncover the secret
Share Size Size(File) / t + Size(Key)
Robust Secret Sharing
A scheme that can recover the secret with up to m
corrupted/malicious shares
m < t and t w-m
Same Distribution and Reconstruction of Short Share,
but signed shares
Sign file after encrypting, but before IDA
Sign each of the shares
Additional size of shares is not dependent on secret,
only the signing system
Downsides
Requires a public key signature verification system
Much more computationally complex
Entity distributing the secret needs to be known
Works Cited
[1]Stinson, Douglas R. Cryptography: Theory and
Practice. CRC Press 2006.
[2]Shamir, Adi. How to Share a Secret. November
1979.
[3]Krawczyk, Hugo. Secret Sharing Made Short.
1993.
[4]RSA Laboratories. What are some secret sharing
schemes?
[5]http://www.cs.bilkent.edu.tr/~selcuk/publications/
BSS_ISC08.pdf
Questions?