Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information (the "secret") among a group. The secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts (the "shares") from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.
Shamir's secret sharing is used in some applications to share the access keys to a master secret.
SSS is used to secure a secret in a distributed form, most often to secure encryption keys. The secret is split into multiple shares, which individually do not give any information about the secret.
To reconstruct a secret secured by SSS, a number of shares is needed, called the threshold. No information about the secret can be gained from any number of shares below the threshold (a property called perfect secrecy). In this sense, SSS is a generalisation of the one-time pad (which can be viewed as SSS with a two-share threshold and two shares in total).[1]
A company needs to secure their vault. If a single person knows the code to the vault, the code might be lost or unavailable when the vault needs to be opened. If there are several people who know the code, they may not trust each other to always act honestly.
SSS can be used in this situation to generate shares of the vault's code which are distributed to authorized individuals in the company. The minimum threshold and number of shares given to each individual can be selected such that the vault is accessible only by (groups of) authorized individuals. If fewer shares than the threshold are presented, the vault cannot be opened.
By accident, coercion or as an act of opposition, some individuals might present incorrect information for their shares. If the total of correct shares fails to meet the minimum threshold, the vault remains locked.
Shamir's secret sharing can be used to
SSS has useful properties, but also weaknesses[5] that means that it is unsuited to some uses.
Useful properties include:
Weaknesses include:
Adi Shamir, an Israeli scientist, first formulated the scheme in 1979.
The scheme exploits the Lagrange interpolation theorem, specifically that
k
k-1
Shamir's secret sharing is an ideal and perfect
\left(k,n\right)
S
n
S1,\ldots,Sn
k
Si
S
S
k
k-1
Si
S
S
k-1
0
S
k
If
n=k
S
Assume that the secret
S
a0
GF(q)
q
n
k-1
a1, … ,ak-1
GF(q)
f\left(x\right)=a0+a1x+a
| 3+ … +a | |
| k-1 |
xk-1
n
i=1,\ldots,n
\left(i,f\left(i\right)\right)
k
a0
a0=f(0)=
| k-1 | |
| \sum | |
| j=0 |
yj\prod\begin{smallmatrixm=0\ m\nej\end{smallmatrix}}k-1
| xm | |
| xm-xj |
k
(xi,yi)
f(0)
f(x)
The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using finite field arithmetic to make the idea easier to understand. Therefore, the example below does not provide perfect secrecy and is not a proper example of Shamir's scheme. The next example will explain the problem.
Suppose that the secret to be shared is 1234
(S=1234)
In this example, the secret will be split into 6 shares
(n=6)
(k=3)
k-1=2
This yields coefficients
(a0=1234;a1=166;a2=94),
a0
The polynomial to produce secret shares (points) is therefore:
f(x)=1234+166x+94x2
Six points
Dx-1=(x,f(x))
D0=(1,1494);D1=(2,1942);D2=(3,2578);D3=(4,3402);D4=(5,4414);D5=(6,5614)
Each participant in the scheme receives a different point (a pair of
x
f(x)
Dx-1
Dx
(1,f(1))
(0,f(0))
f(0)
In order to reconstruct the secret, any 3 points are sufficient
Consider using the 3 points
\left(x0,y0\right)=\left(2,1942\right);\left(x1,y1\right)=\left(4,3402\right);\left(x2,y2\right)=\left(5,4414\right)
Computing the Lagrange basis polynomials:
| \ell | ⋅ | ||||
|
| x-x2 | = | |
| x0-x2 |
| x-4 | ⋅ | |
| 2-4 |
| x-5 | = | |
| 2-5 |
| 1 | |
| 6 |
| |||||
| x | x+ |
| 10 | |
| 3 |
| \ell | ⋅ | ||||
|
| x-x2 | = | |
| x1-x2 |
| x-2 | ⋅ | |
| 4-2 |
| x-5 | =- | |
| 4-5 |
| 1 | |
| 2 |
| ||||
| x |
x-5
| \ell | ⋅ | ||||
|
| x-x1 | = | |
| x2-x1 |
| x-2 | ⋅ | |
| 5-2 |
| x-4 | = | |
| 5-4 |
| 1 | |
| 3 |
| ||||
| x |
Using the formula for polynomial interpolation,
f(x)
\begin{align} f(x)&
| 2 | |
| =\sum | |
| j=0 |
yj ⋅ \ellj(x)\\[6pt] &=y0\ell0(x)+y1\ell1(x)+y2\ell2(x)\\[6pt] &=1942\left(
| 1 | |
| 6 |
| |||||
| x | x+ |
| 10 | |
| 3 |
\right)+3402\left(-
| 1 | |
| 2 |
| ||||
| x |
x-5\right)+4414\left(
| 1 | |
| 3 |
| ||||
| x |
\right)\\[6pt] &=1234+166x+94x2 \end{align}
Recalling that the secret is the free coefficient, which means that
S=1234
Using polynomial interpolation to find a coefficient in a source polynomial
S=f(0)
Considering this, an optimized formula to use Lagrange polynomials to find
f(0)
f(0)=
| k-1 | |
| \sum | |
| j=0 |
yj\prod\begin{smallmatrixm=0\ m\nej\end{smallmatrix}}k-1
| xm | |
| xm-xj |
Although the simplified version of the method demonstrated above, which uses integer arithmetic rather than finite field arithmetic, works, there is a security problem: Eve gains information about
S
Di
Suppose that she finds the 2 points
D0=(1,1494)
D1=(2,1942)
k=3
S
n=6,k=3,f(x)=a0+a1x+ … +ak-1xk-1,a0=S,ai\inZ
f(x)
S
k:f(x)=S+a1x+ … +ak-1xk-1 ⇒ {}f(x)=S+a1x+a
| 2 | |
| 2x |
D0
x
f(x):1494=S+a11+a2
| 2 ⇒ {}1494=S+a | |
| 1 | |
| 1+a |
2
D1
x
f(x):1942=S+a12+a2
| 2 ⇒ {}1942=S+2a | |
| 2 | |
| 1+4a |
2
(1942-1494)=(S-S)+(2a1-a1)+(4a2-a2) ⇒ {}448=a1+3a2
a1=448-3a2
1494=S+(448-3a2)+a2 ⇒ {}S=1046+2a2
The above attack exploits constraints on the values that the polynomial may take by virtue of how it was constructed: the polynomial must have coefficients that are integers, and the polynomial must take an integer as value when evaluated at each of the coordinates used in the scheme. This reduces its possible values at unknown points, including the resultant secret, given fewer than
k
This problem can be remedied by using finite field arithmetic. A finite field always has size
q=pr
p
r
q
q>n
q
In practice this is only a small change. The order q of the field (i.e. the number of values that it has) must be chosen to be greater than the number of participants and the number of values that the secret
a0=S
p=q
For this example, choose
p=1613
f(x)=1234+166x+94x2\bmod{1613}
(1,1494);(2,329);(3,965);(4,176);(5,1188);(6,775)
This time Eve doesn't gain any information when she finds a
Dx
k
Suppose again that Eve finds
D0=\left(1,1494\right)
D1=\left(2,329\right)
n=6,k=3,p=1613,f(x)=a0+a1x+...+ak-1xk-1\mod{p},a0=S,ai\inN
f(x)
S
k
p
f(x)=S+a1x+...+a3-1x3-1\mod1613
D0
x
f(x):1494\equivS+a11+a212\pmod{1613} ⇒ {}1494\equivS+a1+a2\pmod{1613}
D1
x
f(x):1942\equivS+a12+a222\pmod{1613} ⇒ {}1942\equivS+2a1+4a2\pmod{1613}
(1942-1494)\equiv(S-S)+(2a1-a1)+(4a2-a2)\pmod{1613} ⇒ {}448\equiva1+3a2\pmod{1613}
a1\equiv448-3a2\pmod{1613}
p
a1
[448,445,442,\ldots]
p
3
a1\in[1,4,7,\ldots]
p
Also, even though Eve can conclude that
S\equiv1046+2a2\pmod{1613}
For purposes of keeping the code clearer, a prime field is used here. In practice, for convenience a scheme constructed using a smaller binary field may be separately applied to small substrings of bits of the secret (e.g. GF(256) for byte-wise application), without loss of security. The strict condition that the size of the field must be larger than the number of shares must still be respected (e.g., if the number of shares could exceed 255, the field GF(256) might be replaced by say GF(65536)).
See the bottom few lines for usage. Tested on Python 2 and 3."""
from __future__ import divisionfrom __future__ import print_function
import randomimport functools
_PRIME = 2 ** 127 - 1
_RINT = functools.partial(random.SystemRandom.randint, 0)
def _eval_at(poly, x, prime): """Evaluates polynomial (coefficient tuple) at x, used to generate a shamir pool in make_random_shares below. """ accum = 0 for coeff in reversed(poly): accum *= x accum += coeff accum %= prime return accum
def make_random_shares(secret, minimum, shares, prime=_PRIME): """ Generates a random shamir pool for a given secret, returns share points. """ if minimum > shares: raise ValueError("Pool secret would be irrecoverable.") poly = [secret] + [_RINT(prime - 1) for i in range(minimum - 1)] points = [(i, _eval_at(poly, i, prime)) for i in range(1, shares + 1)] return points
def _extended_gcd(a, b): """ Division in integers modulus p means finding the inverse of the denominator modulo p and then multiplying the numerator by this inverse (Note: inverse of A is B such that A*B % p
def _divmod(num, den, p): """Compute num / den modulo prime p
To explain this, the result will be such that: den * _divmod(num, den, p) % p
def _lagrange_interpolate(x, x_s, y_s, p): """ Find the y-value for the given x, given n (x, y) points; k points will define a polynomial of up to kth order. """ k = len(x_s) assert k
def recover_secret(shares, prime=_PRIME): """ Recover the secret from share points (points (x,y) on the polynomial). """ if len(shares) < 3: raise ValueError("need at least three shares") x_s, y_s = zip(*shares) return _lagrange_interpolate(0, x_s, y_s, prime)
def main: """Main function""" secret = 1234 shares = make_random_shares(secret, minimum=3, shares=6)
print('Secret: ', secret) print('Shares:') if shares: for share in shares: print(' ', share)
print('Secret recovered from minimum subset of shares: ', recover_secret(shares[:3])) print('Secret recovered from a different minimum subset of shares: ', recover_secret(shares[-3:]))
if __name__