Secret Sharing Schemes

1. Secret Sharing Schemes CS 519 Cryptography and Network Security Instructor: Ali Aydin Selcuk Secret Sharing Schemes

2. Secret Sharing Schemes • Q: How would you distribute a secret among n parties, such that only t or more of them together can reconstruct it. (A “(t, n)-threshold scheme”) • Physical world analogy: A safe with a combination of locks, keys. • Some applications: • Storage of sensitive cryptographic keys • Command & control of nuclear weapons Secret Sharing Schemes

3. Secret Sharing Schemes (cont’d) E.g. An (n, n)-threshold scheme: To share a k-bit secret, the dealer D • generates n – 1 random k-bit numbers,yi, i = 1, 2,..., n – 1, • yn = K  y1 y2 ... yn-1., • gives the “share” yi to party Pi. This is a “perfect” SSS: A coalition of less than t can obtain no information about the secret. Q: How to generalize to arbitrary (t, n)? Secret Sharing Schemes

4. Background: Lagrangian Interpolation Fact: There exists a unique polynomial of degree ≤ m f(x) = amxm + am-1xm-1 + ... a1x + a0over any m+1 points (x0,y0), (x1,y1),..., (xm,ym). (Proof: The Vandermonde matrix V = [vij = xij | i,j = 0,1,...,m] is non-singular for distinct xis. Hence, V*a = y has a unique solution for any y = [y1, y2,..., ym].) Lagrange’s Interpolation Formula: The unique polynomial through (x0,y0), (x1,y1),..., (xm,ym) is given by f(x) = i=0 to m Lm,i(x) yiwhere Lm,i(x) = ji(x – xj) / ji(xi – xj) . Secret Sharing Schemes

5. Shamir’s Threshold Scheme Shamir’s (t, n)-threshold scheme: • D chooses prime p such that p  n+1, K  Zp; • generates distinct, random, non-zero xi  Zp, i=1,...,n; • generates random ai  Zp, i=1, 2,..., t – 1; • a0 = K, the secret; • f(x) = i=0 to t – 1 aixi mod p; • Pi’s share is (xi, f(xi)). Questions: • Why “prime”? • Why non-zero xis? • Why p  n+1 ? • Fact: Shamir’s scheme is a perfect SSS. Secret Sharing Schemes