Shamir's Secret Sharing

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

Shamir's Secret Sharing (SSS) is an efficient secret sharing algorithm for distributing private information (the "secret") in such a way that no individual holds intelligible information about the secret. To achieve this, the secret is converted into parts (the "shares") from which the secret can be reassembled when a sufficient number of shares are combined but not otherwise. SSS has the unusual property of information theoretic security, meaning an adversary without enough shares cannot reconstruct the secret even with infinite time and computing capacity. A standard SSS specification[1] for cryptocurrency wallets has been widely implemented.

High-level explanation[edit]

SSS is used to secure a secret in a distributed way, most often to secure other encryption keys. The secret is split into multiple shares, which individually do not give any information about the secret.

To unlock a secret secured by SSS a minimum number of shares are needed, called the threshold. No additional information about the secret can be gained by examining any number of shares fewer than the threshold (a property called perfect secrecy). In this sense, SSS is a generalisation of the one-time pad (which can be viewed as SSS with a two-share threshold and two shares in total).

Application example[edit]

A company needs to secure their vault's code. A single person knowing the code could act dishonestly or be unavailable when the vaults needs to be opened. SSS can be used in this situation to generate shares from the vault's code which are distributed to executives in the Company. The selected threshold and number of shares given to each executive can be selected such that the vault is accessible only by (groups of) authorized individuals. If less than the threshold of shares were compromised, these shares alone would not be enough to determine the code.

Properties and weaknesses[edit]

SSS has useful properties, but also weaknesses[2] that mean there are some situations where it should not be used.

Useful properties include:

  1. Secure: The scheme has Information theoretic security.
  2. Minimal: The size of each piece does not exceed the size of the original data.
  3. Extensible: For any given threshold, shares can be dynamically added or deleted without affecting existing shares
  4. Dynamic: Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares for the participants.
  5. Flexible: In organizations where hierarchy is important, each participant can be issued different numbers of shares according to their importance inside the organization. For instance, with a threshold of 3, the president could unlock the safe alone if given three shares, while three secretaries with one share each must combine their shares to unlock the safe.

Weaknesses include:

  1. No verifiable secret sharing: During the share reassembly process, SSS does not have a way to verify the correctness of each share being used. Verifiable secret sharing aims to verify that shareholders are honest and not submitting fake shares.
  2. Single point of failure: The secret must exist in one single place when it is split into shares, and again in one place when it is reassembled. These are attack points, and other schemes including multisignature eliminate at least one of these single points of failure.

History[edit]

Adi Shamir first formulated the scheme in 1979.[3]

Mathematical principle[edit]

The essential idea of the scheme is based on the Lagrange interpolation theorem, specifically that points is enough to uniquely determine a polynomial of degree less than or equal to . For instance, 2 points are sufficient to define a line, 3 points are sufficient to define a parabola, 4 points to define a cubic curve and so forth.

Mathematical formulation[edit]

Shamir's Secret Sharing is an ideal and perfect -threshold scheme based on polynomial interpolation over finite fields. In such a scheme, the aim is to divide a secret (for example, the combination to a safe) into pieces of data (known as shares) in such a way that:

  1. Knowledge of any or more shares makes easily computable. That is, the complete secret can be reconstructed from any combination of shares of data.
  2. Knowledge of any or fewer shares leaves completely undetermined, in the sense that the possible values for seem as likely with knowledge of up to shares as with knowledge of shares. The secret cannot be reconstructed with fewer than shares.

If , then every piece of the original secret is required to reconstruct the secret.

One can draw an infinite number of polynomials of degree 2 through 2 points. 3 points are required to uniquely determine a polynomial of degree 2. This image is for illustration purposes only — Shamir's scheme uses polynomials over a finite field, which are not easy to represent in a 2-dimensional plane.

Assume that the secret can be represented as an element of a finite field (where is larger than the number of shares being generated). Randomly choose elements, , from and construct the polynomial . Compute any points out on the curve, for instance set to find points . Every participant is given a point (a non-zero input to the polynomial, and the corresponding output).[4] Given any subset of of these pairs, can be obtained using interpolation, with one possible formula for doing so being , where the list of points on the polynomial is given as k pairs of the form . Note that is equal to the first coefficient of polynomial .

Example calculation[edit]

The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using finite field arithmetic to make the idea easier to understand. Therefore the example below does not provide perfect secrecy and is not a proper example of Shamir's scheme. The next example will explain the problem.

Preparation[edit]

Suppose that the secret to be shared is 1234 .

In this example, the secret will be split into 6 shares , where any subset of 3 shares is sufficient to reconstruct the secret. numbers are taken at random. Let them be 166 and 94.

This yields coefficients where is the secret

The polynomial to produce secret shares (points) is therefore:

Six points from the polynomial are constructed as:

Each participant in the scheme receives a different point (a pair of and ). Because is used instead of the points start from and not . This is necessary because is the secret.

Reconstruction[edit]

In order to reconstruct the secret, any 3 points are sufficient

Consider using the 3 points.

Computing the Lagrange basis polynomials:

Using the formula for polynomial interpolation, is:

Recalling that the secret is the free coefficient, which means that , and the secret has been recovered.

Computationally efficient approach[edit]

Using polynomial interpolation to find a coefficient in a source polynomial using Lagrange polynomials is not efficient, since unused constants are calculated.

Considering this, an optimized formula to use Lagrange polynomials to find is defined as follows:

Problem of using integer arithmetic[edit]

Although the simplified version of the method demonstrated above, which uses integer arithmetic rather than finite field arithmetic, works, there is a security problem: Eve gains information about with every that she finds.

Suppose that she finds the 2 points and . She still does not have points, so in theory she should not have gained any more information about . But she could combine the information from the 2 points with the public information: . Doing so, Eve could perform the following algebra:

  1. Fill the formula for with and the value of
  2. Fill (1) with the values of 's and
  3. Fill (1) with the values of 's and
  4. Subtract (3)-(2): and rewrite this as . Eve knows that so she starts replacing in (4) with 0, 1, 2, 3, ... to find all possible values for :
  5. After checking , she stops because would get negative values for with larger values of (which is impossible because ). Eve can now conclude
  6. Now, Eve can replace by (4) in (2): . Now, replacing in (6) by the values found in (5), she gets which leads her to the information:

Eve now only has 150 numbers to guess from instead of an infinite quantity of natural numbers.

Solution using finite field arithmetic[edit]

This is a polynomial curve over a finite field — the order of the polynomial has seemingly little to do with the shape of the graph.

Geometrically this attack exploits the fact that the order of the polynomial is known and thus gives information into the paths the polynomial take between known points. This reduces possible values of unknown points since the points must lie on a smooth curve, and the polynomial must have coefficients that are natural numbers.

This problem can be fixed by using finite field arithmetic. A field of size is used. The figure shows a polynomial curve over a finite field. In contrast to a smooth curve it appears disorganised and disjointed.

In practice this is only a small change. A prime must be chosen that is bigger than the number of participants and every (including ). The points on the polynomial must also be calculated as instead of .

Everybody who receives a point must also know the value of , so it is considered to be publicly known. Therefore, one should select a value for that is not too low to prevent attacks where somebody guesses every possible value for .

For this example, choose , so the polynomial becomes which gives the points:

This time Eve doesn't gain any information when she finds a (until she has points).

Suppose again that Eve finds and , and the public information is: . Attempting the previous attack, Eve can:

  1. Fill the -formula with and the value of and :
  2. Fill (1) with the values of 's and
  3. Fill (1) with the values of 's and
  4. Subtracts (3)-(2): and rewrites this as
  5. Using so she starts replacing in (4) with 0, 1, 2, 3, ... to find all possible values for :

This time she is not able to stop because could be any integer modulo (even negative if ) so there are possible values for . She knows that always decreases by 3, so if was divisible by she could conclude . However, is prime she can not conclude this. Thus, using a finite field avoids this possible attack.

Usage examples[edit]

Shamir's Secret Sharing is used in:

Python code[edit]

"""
The following Python implementation of Shamir's Secret Sharing is
released into the Public Domain under the terms of CC0 and OWFa:
https://creativecommons.org/publicdomain/zero/1.0/
http://www.openwebfoundation.org/legal/the-owf-1-0-agreements/owfa-1-0

See the bottom few lines for usage. Tested on Python 2 and 3.
"""

from __future__ import division
from __future__ import print_function

import random
import functools

# 12th Mersenne Prime
# (for this application we want a known prime number as close as
# possible to our security level; e.g.  desired security level of 128
# bits -- too large and all the ciphertext is large; too small and
# security is compromised)
_PRIME = 2 ** 127 - 1
# The 13th Mersenne Prime is 2**521 - 1

_RINT = functools.partial(random.SystemRandom().randint, 0)

def _eval_at(poly, x, prime):
    """Evaluates polynomial (coefficient tuple) at x, used to generate a
    shamir pool in make_random_shares below.
    """
    accum = 0
    for coeff in reversed(poly):
        accum *= x
        accum += coeff
        accum %= prime
    return accum

def make_random_shares(secret, minimum, shares, prime=_PRIME):
    """
    Generates a random shamir pool for a given secret, returns share points.
    """
    if minimum > shares:
        raise ValueError("Pool secret would be irrecoverable.")
    poly = [secret] + [_RINT(prime - 1) for i in range(minimum - 1)]
    points = [(i, _eval_at(poly, i, prime))
              for i in range(1, shares + 1)]
    return points

def _extended_gcd(a, b):
    """
    Division in integers modulus p means finding the inverse of the
    denominator modulo p and then multiplying the numerator by this
    inverse (Note: inverse of A is B such that A*B % p == 1). This can
    be computed via the extended Euclidean algorithm
    http://en.wikipedia.org/wiki/Modular_multiplicative_inverse#Computation
    """
    x = 0
    last_x = 1
    y = 1
    last_y = 0
    while b != 0:
        quot = a // b
        a, b = b, a % b
        x, last_x = last_x - quot * x, x
        y, last_y = last_y - quot * y, y
    return last_x, last_y

def _divmod(num, den, p):
    """Compute num / den modulo prime p

    To explain this, the result will be such that: 
    den * _divmod(num, den, p) % p == num
    """
    inv, _ = _extended_gcd(den, p)
    return num * inv

def _lagrange_interpolate(x, x_s, y_s, p):
    """
    Find the y-value for the given x, given n (x, y) points;
    k points will define a polynomial of up to kth order.
    """
    k = len(x_s)
    assert k == len(set(x_s)), "points must be distinct"
    def PI(vals):  # upper-case PI -- product of inputs
        accum = 1
        for v in vals:
            accum *= v
        return accum
    nums = []  # avoid inexact division
    dens = []
    for i in range(k):
        others = list(x_s)
        cur = others.pop(i)
        nums.append(PI(x - o for o in others))
        dens.append(PI(cur - o for o in others))
    den = PI(dens)
    num = sum([_divmod(nums[i] * den * y_s[i] % p, dens[i], p)
               for i in range(k)])
    return (_divmod(num, den, p) + p) % p

def recover_secret(shares, prime=_PRIME):
    """
    Recover the secret from share points
    (points (x,y) on the polynomial).
    """
    if len(shares) < 3:
        raise ValueError("need at least three shares")
    x_s, y_s = zip(*shares)
    return _lagrange_interpolate(0, x_s, y_s, prime)

def main():
    """Main function"""
    secret = 1234
    shares = make_random_shares(secret, minimum=3, shares=6)

    print('Secret:                                                     ',
          secret)
    print('Shares:')
    if shares:
        for share in shares:
            print('  ', share)

    print('Secret recovered from minimum subset of shares:             ',
          recover_secret(shares[:3]))
    print('Secret recovered from a different minimum subset of shares: ',
          recover_secret(shares[-3:]))

if __name__ == '__main__':
    main()

See also[edit]

References[edit]

  1. ^ Rusnak, Pavol; Kozlik, Andrew; Vejpustek, Ondrej; Susanka, Tomas; Palatinus, Marek; Hoenicke, Jochen (2017-12-18). "SLIP-0039 : Shamir's Secret-Sharing for Mnemonic Codes". GitHub. SatoshiLabs. Retrieved 2022-10-03. This SLIP describes a standard and interoperable implementation of Shamirs secret-sharing (SSS) and a specification for its use in backing up Hierarchical Deterministic Wallets described in BIP-0032.
  2. ^ Lopp, Jameson (2020-10-01). "Shamir's Secret Sharing shortcomings". Retrieved 2022-10-03. Variations of Shamir's Secret Sharing (SSS) have been implemented several times in the cryptocurrency space, only for developers to later realize that the additional complexity ended up reducing the security of the system.
  3. ^ Shamir, Adi (1979), "How to share a secret", Communications of the ACM, 22 (11): 612–613, doi:10.1145/359168.359176, S2CID 16321225
  4. ^ Knuth, D. E. (1997), The Art of Computer Programming, vol. II: Seminumerical Algorithms (3rd ed.), Addison-Wesley, p. 505.
  5. ^ "Seal/Unseal". Vault by HashiCorp. Retrieved 2022-10-02.
  6. ^ Staff, SDO Marketing (2017-08-16). "The Case for the Secret Sharing Scheme | OctopusBlog". Secret Double Octopus. Retrieved 2022-10-02.
  7. ^ "PreVeil Review". PCMAG. Retrieved 2022-10-02.
  8. ^ Tětek, Josef. "Protecting Your HODL Legacy: Shamir Backups And Inheritance Planning". Bitcoin Magazine - Bitcoin News, Articles and Expert Insights. Retrieved 2022-10-02.
  9. ^ SatoshiLabs (2019-09-05). "Dev Corner: A Detailed Guide to Shamir Backup". Medium. Retrieved 2022-10-02.
  10. ^ Serenity Shield. "New Era of Digital Protection" (PDF). Retrieved 2022-10-02.

Further reading[edit]

External links[edit]