Secret sharing
From Wikipedia, the free encyclopedia
Secret sharing refers to any method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.
More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of fewer than t players can. Such a system is called a (t, n)threshold scheme (sometimes it is written as an (n, t)threshold scheme).
Secret sharing was invented by both Adi Shamir and George Blakley independently in 1979.
[edit] Motivation  A flawed secret sharing scheme
A secure secret sharing scheme distributes shares so that anyone with fewer than t shares has no extra information about the secret than someone with 0 shares. Consider the naive secret sharing scheme in which the secret phrase "password" is divided into the shares "pa," "ss," "wo," and "rd,". A person with 0 shares knows only that the password consists of eight letters. He would have to guess the password from 26^{8} = 208 billion possible combinations. A person with one share, however, would have to guess only the six letters, from 26^{6} = 308 million combinations, and so on as more persons collude. This system is not a secure secret sharing scheme, because a player with fewer than t shares gains significant information about the content of the secret. In a secure scheme, even a player missing only one share should still face 26^{8} = 208 billion combinations.
[edit] Limitations of secret sharing schemes
Several secret sharing schemes are said to be information theoretically secure and can be proved to be so, while others give up this unconditional security for improved efficiency while maintaining enough security to be considered as secure as other common cryptographic primitives. For example, they might allow arbitrarily large secrets to be protected by 128bit shares, since the 2^{128} possible shares are generally considered enough to stymie any conceivable presentday adversary.
Common to all unconditionally secure secret sharing schemes, there are limitations:
 Each share of the secret must be at least as large as the secret itself. This result is based in information theory, but can be understood intuitively. Given t1 shares, no information whatsoever can be determined about the secret. Thus, the final share must contain as much information as the secret itself.
 All secret sharing schemes use random bits. To distribute a onebit secret among threshold t people, t1 random bits are necessary. To distribute a secret of arbitrary length entropy of (t1)*length is necessary.
[edit] Trivial secret sharing
There are several (t, n) secret sharing schemes for t = n, when all shares are necessary to recover the secret:
 Encode the secret as an integer s. Give to each player i (except one) a random integer r_{i}. Give to the last player the number (s − r_{1} − r_{2} − ... − r_{n − 1}). The secret is the sum of the players' shares.
 Encode the secret as an arbitrary length binary number s. Give to each player i (except one) a random number the same length as the key p_{i}. Give to the last player the result of (s XOR p_{1} XOR p_{2} XOR ... XOR p_{i}) where XOR is bitwise XOR. The secret is the bitwise XOR of all the players' numbers (p).
When space efficiency is not a concern, these schemes can be used to reveal a secret to any desired subsets of the players simply by applying the scheme for each subset. For example, to reveal a secret s to any two of the three players Alice, Bob and Carol, create three different (2,2) secret shares for s, giving the three sets of two shares to Alice and Bob, Alice and Carol, and Bob and Carol. This approach quickly becomes impractical as the number of subsets increases, for example when revealing a secret to any 50 of 100 players, whereas the schemes described below allow secrets to efficiently be shared with a threshold of players.
[edit] A t ≠ n example
The difficulty lies in creating schemes that are still secure, but do not require all n shares. For example, imagine that the Board of Directors of CocaCola would like to protect Coke's secret formula. The president of the company should be able to access the formula when needed, but in an emergency any 3 of the 12 board members would be able to unlock the secret formula together. This can be accomplished by a secret sharing scheme with t = 3 and n = 15, where 3 shares are given to the president, and 1 is given to each board member.
[edit] Shamir's scheme
In this scheme, any t out of n shares may be used to recover the secret. The system relies on the idea that you can fit a unique polynomial of degree (t1) to any set of t points that lie on the polynomial. It takes two points to define a straight line, three points to fully define a quadratic, four points to define a cubic, and so on. The method is to create a polynomial of degree t1 with the secret as the first coefficent and the remaining coefficients picked at random. Next find n points on the curve and give one to each of the players. When at least t out of the n players reveal their points, there is sufficient information to fit an (t1)th degree polynomial to them, the first coefficient of the polynomial is the secret.
[edit] Blakley's scheme
Two nonparallel lines in the same plane intersect at exactly one point. Three "nonparallel" planes in space intersect at exactly one point. More generally, any n ndimensional hyperplanes intersect at a specific point. The secret may be encoded as any single coordinate of the point of intersection. If the secret is encoded using all the coordinates, even if they are random, then an insider (someone in possession of one or more of the ndimensional hyperplanes) gains information about the secret since he knows it must lie on his plane. If an insider can gain any more knowledge about the secret than an outsider can, then the system no longer has information theoretic security. If only one of the n coordinates is used, then the insider knows no more than an outsider (ie, that the secret must lie on the xaxis for a 2dimensional system). Each player is given enough information to define a hyperplane; the secret is recovered by calculating the planes' point of intersection and then taking a specified coordinate of that intersection.
Blakley's scheme in three dimensions: each share is a plane, and the secret is the point at which three shares intersect. Two shares are insufficient to determine the secret, although they do provide enough information to narrow it down to the line where both planes intersect. 
Blakley's scheme is less spaceefficient than Shamir's; while Shamir's shares are each only as large as the original secret, Blakley's shares are t times larger, where t is the threshold number of players. Blakley's scheme can be tightened by adding restrictions on which planes are usable as shares. The resulting scheme is equivalent to Shamir's polynomial system.
[edit] Secret Sharing using the Chinese Remainder Theorem
The Chinese Remainder Theorem can also be used in Secret Sharing, for it provides us with a method to uniquely determine a number S modulo k many relatively prime integers m_{1},m_{2},...,m_{k}, given that . There are two secret sharing schemes that make use of the Chinese Remainder Theorem, Mignotte's and AsmuthBloom's Schemes. They are threshold secret sharing schemes, in which the shares are generated by reduction modulo the integers m_{i}, and the secret is recovered by essentially solving the system of congruences using the Chinese Remainder Theorem.
[edit] Proactive secret sharing
If the players store their shares on insecure computer servers, an attacker could crack in and steal the shares. If it is not practical to change the secret, the uncompromised (Shamirstyle) shares can be renewed. The dealer generates a new random polynomial with constant term zero and calculates for each remaining player a new ordered pair, where the xcoordinates of the old and new pairs are the same. Each player then adds the old and new ycoordinates to each other and keeps the result as the new ycoordinate of the secret.
All of the nonupdated shares the attacker accumulated become useless. An attacker can only recover the secret if he can find enough other nonupdated shares to reach the threshold. This situation should not happen because the players deleted their old shares. Additionally, an attacker cannot recover any information about the original secret from the update files because they contain only random information.
The dealer can change the threshold number while distributing updates, but must always remain vigilant of players keeping expired shares.
[edit] Verifiable secret sharing
A player might lie about his own share to gain access to other shares. A verifiable secret sharing (VSS) scheme allows players to be certain that no other players are lying about the contents of their shares, up to a reasonable probability of error. Such schemes cannot be computed conventionally; the players must collectively add and multiply numbers without any individual's knowing what exactly is being added and multiplied. Tal Rabin and Michael BenOr devised a multiparty computing (MPC) system that allows players to detect dishonesty on the part of the dealer or on part of up to one third of the threshold number of players, even if those players are coordinated by an "adaptive" attacker who can change strategies in realtime depending on what information has been revealed.
[edit] Other uses and applications
A secret sharing scheme can secure a secret over multiple servers and remain recoverable despite multiple server failures. The dealer may treat himself as several distinct participants, distributing the shares between himself. Each share may be stored on a different server, but the dealer can recover the secret even if several servers break down as long as he can recover at least t shares; however, crackers that break into one server would still not know the secret as long as less than t shares are stored on each server.
A dealer could send t shares, all of which are necessary to recover the original secret, to a single recipient. An attacker would have to intercept all t shares to recover the secret, a task which is more difficult than intercepting a single file, especially if the shares are sent using different media (e.g. some over the Internet, some mailed on CD's).
For large secrets, it may be more efficient to encrypt the secret and then distribute the key using secret sharing.
Secret sharing is an important primitive in several protocols for secure multiparty computation.
[edit] See also
 Shamir's Secret Sharing
 Homomorphic secret sharing  A simplistic decentralized voting protocol.
 Byzantine fault tolerance
 Access structure
 Secure multiparty computation
 Visual cryptography
 Tontine
 Shared secret  Similar name but not the same thing as secret sharing.
 Secret Sharing using the Chinese Remainder Theorem
[edit] References
 Blakley, G. R. (1979). "Safeguarding cryptographic keys". Proceedings of the National Computer Conference 48: 313–317.
 Shamir, Adi (1979). "How to share a secret". Communications of the ACM 22 (11): 612–613. doi:. http://www.cs.tau.ac.il/~bchor/Shamir.html.
 Knuth, Donald (1997), Seminumerical Algorithms, The Art of Computer Programming, 2 (3 ed.), AddisonWesley, p. 505, ISBN 0201896842, OCLC 174593116
[edit] External links
 ssss: A free (GPL) implementation of Shamir's Scheme with online demo.
 Description of Shamir's and Blakley's schemes
 Patent for use of secret sharing for recovering PGP (and other?) pass phrases U.S. Patent 6,662,299
 A bibliography on secretsharing schemes
 Code signing systems using Shared Secret
 Christophe David's web based implementation of Shamir's scheme 'How to share a Secret'
 Software products from IBM, Sun, and Netscape, and hardware products from Safenet use secret sharing. There are libraries for secret sharing in several programming languages.
