
2.2.1.1 Shamir Secret Sharing

This classic 1979 result of Shamir allows a dealer D to distribute a secret value s to n players, such that at least $k\le n$ players are required to reconstruct the secret. The protocol is information theoretically secure, i.e., any fewer than k players cannot gain any information about the secret by themselves. The protocol itself is very straightforward:

Protocol 1 (Shamir Secret Sharing)    To share the secret s among players P1, P2, ..., Pn, such that k players are required to reconstruct the secret:
1. Dealer D creates a random polynomial p(x) with degree k-1 and constant term s.
2. Dealer D publicly chooses n random distinct evaluation points $x_j \ne 0$, and secretly distributes to each player Pj the share $\mathrm{share}_j(s) = p(x_j)$.
To reconstruct the secret from shares $\mathrm{share}_1(s)$, $\mathrm{share}_2(s)$, ..., $\mathrm{share}_k(s)$:
1. Use Lagrange interpolation to find the unique polynomial p(x) such that $\deg p(x) < k$ and $p(x_j) = \mathrm{share}_j(s)$ for j=1, 2, ..., k.
2. Reconstruct the secret to be p(0). $\Box$

The key observation here is that k points are required to uniquely determine a polynomial with degree less than k. As a result, if only k-1 evaluation points are known, then for any constant s' we can create a unique and equally likely polynomial of degree less than k by requiring the point (0,s') to be on it. Thus, in our protocol k players can reconstruct the constant term s, but no smaller number can conspire to gain any information whatsoever. Reconstruction is done using Lagrange interpolation, a fairly standard technique. By performing $\binom{n}{k}$ reconstructions with the shares produced by each k-subset of players, Byzantine errors on the part of not too many players can be detected and corrected easily.

It is easy to extend Shamir secret sharing to let the players compute any linear combination of secrets without gaining information on intermediate results of the computation. To add two shared secrets together, the players need only add together individual shares at each evaluation point; to multiply a shared secret by a known scalar, just multiply each share by that scalar. It is more difficult, though still possible, to compute the product of two secrets, provided that at least half of the players follow the protocol correctly. Thus, it is possible to compute any "arithmetic" function (i.e., function involving only addition, subtraction, and multiplication) of secrets securely and robustly.
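A worked instance of Protocol 1 together with the share-wise addition and scalar multiplication just described, as an added example (not code from the thesis). It assumes arithmetic over the prime field GF(P) with P = 2^127 - 1 (the text leaves the field implicit) and uses the public points x_j = 1, ..., n as the nonzero evaluation points.

```python
import secrets

# Assumed field: GF(P) for a Mersenne prime P; the thesis leaves the field implicit.
P = 2**127 - 1

def share(s, k, n):
    """Dealer step of Protocol 1: random polynomial of degree k-1 with p(0) = s,
    evaluated at the public distinct nonzero points x_j = 1..n."""
    assert 1 <= k <= n < P and 0 <= s < P
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]

    def p(x):
        # Horner's rule, reduced mod P at every step
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % P
        return acc

    return [(j, p(j)) for j in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation evaluated directly at x = 0 from any k (or more)
    consistent shares (x_j, share_j); returns p(0) = s."""
    xs = [x for x, _ in shares]
    assert len(set(xs)) == len(xs), "evaluation points must be distinct"
    s = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (0 - xj)) % P   # factor (0 - x_j) of the Lagrange basis
                den = (den * (xi - xj)) % P  # factor (x_i - x_j)
        s = (s + yi * num * pow(den, -1, P)) % P  # modular inverse of the denominator
    return s

def add_shares(a, b):
    """Linear homomorphism: each player adds its two shares at the same x_j,
    yielding shares of s_a + s_b with no player learning either secret."""
    out = []
    for (xa, ya), (xb, yb) in zip(a, b):
        assert xa == xb, "shares must be held at the same evaluation point"
        out.append((xa, (ya + yb) % P))
    return out

def scale_shares(a, c):
    """Multiply each share by a public scalar c to obtain shares of c * s_a."""
    return [(x, (c * y) % P) for x, y in a]
```

Any k of the n shares, in any order, reconstruct the secret; shares of a sum or scalar multiple are reconstructed the same way.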


Ken Shan (ken@digitas.harvard.edu), 1998-05-15