Math ∩ Programming

The Mathematics of Secret Sharing

Posted on June 23, 2014 by j2kun
Here's a simple puzzle with a neat story. A rich old woman is drafting her will and wants to distribute her expansive estate equally amongst her five children. But her children are very greedy, and the woman knows that if she leaves her will unprotected her children will resort to nefarious measures to try to get more than their fair share. In one fearful scenario, she worries that the older four children will team up to bully the youngest child entirely out of his claim! She desperately wants them to cooperate, so she decides to lock the will away, and the key is a secret integer . The question is, how can she distribute this secret number to her children so that the only way they can open the safe is if they are all present and willing?

(https://jeremykun.files.wordpress.com/2013/08/estate.jpg)

A mathematical way to say this is: how can she distribute some information to her children so that, given all of their separate pieces of information, they can reconstruct the key, but for every choice of fewer than 5 children, there is no way to reliably recover the key? This is called the secret sharing problem. More generally, say we have an integer called the secret, a number of participants , and a number required for reconstruction . Then a secret sharing protocol is the data of a method for distributing information and a method for reconstructing the secret. The distributing method is an algorithm that accepts as input and produces as output a list of numbers . These are the numbers distributed to the participants. Then the reconstruction method is a function which accepts as input numbers and outputs a number . We want two properties to hold:

The reconstruction function outputs when given any of the numbers output by .

One cannot reliably reconstruct with fewer than of the numbers output by .

The question is: does an efficient secret sharing protocol exist for every possible choice of ? In fact it does, and the one we'll describe in this post is far more secure than the word "reliable" suggests. It will be so hard as to be mathematically impossible to reconstruct the secret from fewer than the desired number of pieces. Independently discovered by Adi Shamir in 1979 (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.80.8910&rep=rep1&type=pdf), the protocol we'll see in this post is wonderfully simple, and as we describe it we'll build up a program to implement it. This time we'll work in the Haskell programming language, and you can download the program (https://github.com/j2kun/the-mathematics-of-secret-sharing) from this blog's Github page (https://github.com/j2kun). And finally, a shoutout to my friend Karishma Chadha (https://www.linkedin.com/pub/karishma-chadha/5b/728/241) who worked together with me on this post. She knows Haskell a lot better than I do.

Polynomial Interpolation

The key to the secret sharing protocol is a beautiful fact about polynomials. Specifically, if you give me points in the plane with distinct values, then there is a unique degree polynomial that passes through the points. Just as importantly (and as a byproduct of this fact), there are infinitely many degree polynomials that pass through the same points. For example, if I give you the points , the only quadratic (degree 2) polynomial that passes through all of them is .

(https://jeremykun.files.wordpress.com/2013/08/interpolating-polynomial-example.png)

The proof that you can always find such a polynomial is pretty painless, so let's take it slowly and write a program as we go. Suppose you give me some list of points and no two values are the same. The proof has two parts. First we have to prove existence, that some degree polynomial passes through the points, and then we have to prove that the polynomial is unique. The uniqueness part is easier, so let's do the existence part first. Let's start with just one point . What's a degree zero polynomial that passes through it? Just the constant function . For two points it's similarly easy, since we all probably remember from basic geometry that there's a unique line passing through any two points. But let's write the line in a slightly different way:

Why write it this way? Because now it should be obvious that the polynomial passes through our two points: if I plug in then the second term is zero and the first term is just , and likewise for .

For example, if we're given we get:

Plugging in cancels the second term out, leaving , and plugging in cancels the first term, leaving .

Now the hard step is generalizing this to three points. But the suggestive form above gives us a hint on how to continue.

Notice that the numerators of the terms take on the form , that is, a product excluding . Thus, all terms will cancel out to 0 if we plug in , except one term, which has the form

Here, the fraction on the right side of the term cancels out to 1 when is plugged in, leaving only , the desired result. Now that we've written the terms in this general product form, we can easily construct examples for any number of points. We just do a sum of terms that look like this, one for each value. Try writing this out as a summation, if you feel comfortable with notation.

Let's go further and write an algorithm to construct the polynomial for us. Some preliminaries: we encode a polynomial as a list of coefficients in degree increasing order, so that 1 + 3x + 5x^3 is represented by [1,3,0,5].

-- imports needed by the code in this post
import System.Random (StdGen, getStdGen, randomRs)
import Data.Ratio (numerator)
import Data.Bits (shift, (.&.))
import Data.Char (ord, chr)

type Point = (Rational, Rational)
type Polynomial = [Rational] -- polynomials are represented in ascending degree order

Then we can write some simple functions for adding and multiplying polynomials:

addPoly :: Polynomial -> Polynomial -> Polynomial
addPoly [] [] = []
addPoly [] xs = xs
addPoly xs [] = xs
addPoly (x:xs) (y:ys) = (x + y) : (addPoly xs ys)

-- multiply a polynomial by the monomial y * x^degree
multNShift :: Polynomial -> (Rational, Int) -> Polynomial
multNShift xs (y, degree) =
   (replicate degree 0) ++ (map ((*) y) xs)

-- distribute: each coefficient of xs (with its degree) scales and shifts ys
multPoly :: Polynomial -> Polynomial -> Polynomial
multPoly [] [] = []
multPoly [] _ = []
multPoly _ [] = []
multPoly xs ys = foldr addPoly [] $ map (multNShift ys) $ zip xs [0..]

In short, multNShift multiplies a polynomial by a monomial (like ), and multPoly does the usual distribution of terms, using multNShift to do most of the hard work. Then to construct the polynomial we need one more helper function to extract all elements of a list except a specific entry:

-- all elements of the list except the one at index i
allBut :: Integer -> [a] -> [a]
allBut i list = snd $ unzip $ filter (\(index, _) -> i /= index) $ zip [0..] list

And now we can construct a polynomial from a list of points in the same way we did mathematically.

findPolynomial :: [Point] -> Polynomial
findPolynomial points =
   let term (i, (xi, yi)) =
         -- each factor (x - xj) / (xi - xj), as the linear polynomial [-xj/(xi-xj), 1/(xi-xj)]
         let prodTerms = map (\(xj, _) -> [-xj / (xi - xj), 1 / (xi - xj)]) $ allBut i points
         in multPoly [yi] $ foldl multPoly [1] prodTerms
   in foldl addPoly [] $ map term $ zip [0..] points

Here the subfunction term constructs the th term of the polynomial, and the remaining expression adds up all the terms. Remember that due to our choice of representation the awkward 1 sitting in the formula signifies the presence of . And that's it! An example of its use to construct the line through the points (1,2) and (2,5):

*Main> findPolynomial [(1,2), (2,5)]
[(-1) % 1, 3 % 1]

Now the last thing we need to do is show that the polynomial we constructed in this way is unique. Here's a proof.

Suppose there are two degree polynomials and that pass through the given data points . Let , and we want to show that is the zero polynomial. This proves that is unique because the only assumptions we made at the beginning were that both passed through the given points. Now since both and are degree polynomials, is a polynomial of degree at most . It is also true that where . Thus, we have (at least) roots of this degree polynomial. But this can't happen by the fundamental theorem of algebra! In more detail: if a nonzero degree polynomial really could have distinct roots, then you could factor it into at least linear terms like . But since there are copies of , would need to be a degree polynomial! The only way to resolve this contradiction is if is actually the zero polynomial, and thus , .

This completes the proof. Now that we know these polynomials exist and are unique, it makes sense to give them a name. So for a given set of points, call the unique degree polynomial that passes through them the interpolating polynomial for those points.

Secret Sharing with Interpolating Polynomials

Once you think to use interpolating polynomials, the connection to secret sharing seems almost obvious. If you want to distribute a secret to people so that of them can reconstruct it, here's what you do:

1. Pick a random polynomial of degree so that the secret is .

2. Distribute the points .

Then the reconstruction function is: take the points provided by at least participants, use them to reconstruct , and output . That's it! Step 1 might seem hard at first, but you can just notice that is equivalent to the constant term of the polynomial, so you can pick random numbers for the other coefficients of and output them. In Haskell,
-- evaluate a polynomial (ascending degree order) at x, via Horner's rule;
-- the post uses this helper without showing it, so it is defined here
eval :: Polynomial -> Rational -> Rational
eval poly x = foldr (\c acc -> c + x * acc) 0 poly

-- the constant term is the secret; the remaining r-1 coefficients are random
makePolynomial :: Rational -> Int -> StdGen -> Polynomial
makePolynomial secret r generator =
   secret : map toRational (take (r-1) $ randomRs (1, (numerator (2*secret))) generator)

-- produce k shares (the points (1, p(1)), ..., (k, p(k))), any r of which reconstruct the secret.
-- Note: StdGen is not a cryptographically secure generator; the security argument below assumes one.
share :: Rational -> Integer -> Int -> IO [Point]
share secret k r = do
   generator <- getStdGen
   let poly = makePolynomial secret r generator
       ys = map (eval poly) $ map toRational [1..k]
   return $ zip [1..] ys

In words, we initialize the Haskell standard generator (which wraps the results inside an IO monad), then we construct a polynomial by letting the first coefficient be the secret and choosing random coefficients for the rest. And findPolynomial is the reconstruction function.

Finally, just to flush the program out a little more, we write a function that encodes or decodes a string as an integer.

-- pack character i of the string into byte i of the integer
encode :: String -> Integer
encode str = let nums = zip [0..] $ map (toInteger . ord) str
                 integers = map (\(i, n) -> shift n (i*8)) nums
             in foldl (+) 0 integers

-- unpack one byte at a time; the mask must cover a full byte (255), not 127
decode :: Integer -> String
decode 0 = ""
decode num = if num < 0
             then error "Can't decode a negative number"
             else chr (fromInteger (num .&. 255)) : (decode $ shift num (-8))

And then we have a function that shows the whole process in action.

-- share the message among k participants, then reconstruct it from the first r shares
example :: String -> Integer -> Int -> IO ()
example msg k r =
   let secret = toRational $ encode msg
   in do points <- share secret k r
         putStrLn $ show $ numerator secret
         putStrLn $ show $ map (\(x, y) -> (numerator x, numerator y)) points
         let subset = take r points
             encodedSecret = eval (findPolynomial subset) 0
         putStrLn $ show $ numerator encodedSecret
         putStrLn $ decode $ numerator encodedSecret

And a function call:

*Main> example "Hello world!" 10 5
10334410032606748633331426632
[(1,34613972928232668944107982702),(2,142596447049264820443250256658),(3,406048862884360219576198642966),
10334410032606748633331426632
Hello world!

Security

The final question to really close this problem with a nice solution is, "How secure is this protocol?" That is, if you didn't know the secret but you had numbers, could you find a way to recover the secret, oh, say, 0.01% of the time?

Pleasingly, the answer is a solid no. This protocol has something way stronger, what's called information-theoretic security. In layman's terms, this means it cannot possibly be broken, period. That is, without taking advantage of some aspect of the random number generator, which we assume is a secure random number generator (http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator). But with that assumption the security proof is trivial. Here it goes.

Pick a number that isn't the secret . It's any number you want. And say you only have of the correct numbers . Then there is a final number so that the protocol reconstructs instead of . This is no matter which of the unused values you pick, no matter what and numbers you started with. This is simply because adding in defines a new polynomial , and you can use any point on as your th number.
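The share/reconstruct steps from the previous section and the argument just given, as an added Python example (not the post's Haskell code): it works over the prime field GF(p) with coefficients drawn uniformly by secrets.randbelow, which is what the information-theoretic argument needs, rather than the bounded integer range (1, 2*secret) used in the Haskell above. The prime P, the share x-coordinates and the secrets in the test are constructed values; consistent_share assumes x_new is neither 0 nor the x-coordinate of an existing share.

```python
import secrets

# Constructed choice of field size: the Mersenne prime 2^127 - 1. Any prime
# larger than every secret and every share x-coordinate would do.
P = (1 << 127) - 1


def eval_poly(coeffs, x, p=P):
    """Evaluate a polynomial stored in ascending-degree order at x, mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def share(secret, k, r, p=P):
    """Split `secret` into k shares of which any r reconstruct it: the constant
    term is the secret, the other r-1 coefficients are uniform in GF(p)."""
    poly = [secret % p] + [secrets.randbelow(p) for _ in range(r - 1)]
    return [(x, eval_poly(poly, x, p)) for x in range(1, k + 1)]


def interpolate(points, x, p=P):
    """Lagrange form of the unique polynomial of degree < len(points) through
    `points` (distinct x-coordinates), evaluated at x, all arithmetic mod p."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def reconstruct(points, p=P):
    """The secret is the interpolating polynomial's constant term, f(0)."""
    return interpolate(points, 0, p)


def consistent_share(partial, x_new, target, p=P):
    """The security argument made concrete: given only r-1 shares and ANY
    candidate secret, the r points partial + [(0, target)] determine a degree
    r-1 polynomial g, and (x_new, g(x_new)) is an r-th share under which
    reconstruction outputs `target`. So r-1 shares rule out no candidate."""
    return (x_new, interpolate(partial + [(0, target % p)], x_new, p))
```

Because consistent_share succeeds for every target, an attacker holding r-1 shares has no test that distinguishes the real secret from any other field element.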

Here's what this means. A person trying to break the secret sharing protocol would have no way to tell if they did it correctly! If the secret is a message, then a bad reconstruction could produce any message. In information theory terms, knowing of the numbers provides no information about the actual message. In our story from the beginning of the post, no matter how much computing power one of the greedy children may have, the only algorithm they have to open the safe is to try every combination. The mother could make the combination have length in the millions of digits, or even better, the mother could encode the will as an integer and distribute that as the secret. I imagine there are some authenticity issues there, since one could claim to have reconstructed a false will, signatures and all, but there appear to be measures to account for this (http://en.wikipedia.org/wiki/Verifiable_secret_sharing).

One might wonder if this is the only known secret sharing protocol, and the answer is no. Essentially, any time you have an existence and uniqueness theorem in mathematics, and the objects you're working with are efficiently constructible, then you have the potential for a secret sharing protocol. There are two more on Wikipedia (http://en.wikipedia.org/wiki/Secret_sharing#Blakley.27s_scheme). But people don't really care to find new ones anymore because the known protocols are as good as it gets.

On a broader level, the existence of efficient secret sharing protocols is an important fact used in the field of secure multiparty computation (http://en.wikipedia.org/wiki/Secure_multi-party_computation). Here the goal is for a group of individuals to compute a function depending on secret information from all of them, without revealing their secret information to anyone. A classic example of this is to compute the average of seven salaries without revealing any of the salaries. This was a puzzle featured on Car Talk (http://www.cartalk.com/content/coney-island-crab-cake-company), and it has a cute answer. See if you can figure it out.

Until next time!

This entry was posted in Algorithms, Cryptography and tagged cryptography, haskell, polynomial interpolation, secret sharing. Bookmark the permalink.

5 thoughts on "The Mathematics of Secret Sharing"

eightnoteight
June 23, 2014 at 9:58 am Reply
1. I think it is popularly known as shamir's secret sharing. and it was a great work (program)

Luis
June 24, 2014 at 9:21 am Reply
2. A naive idea that sparks reading the first lines of your post. Take a very large number with 20.000 digits and give 5000 digits to each son. Now if they want to get the will they have to prove that they know the 20000 digits of the key. What's wrong with this very simple and naive idea?

j2kun
June 24, 2014 at 9:35 am Reply
In this scenario every son has a lot of information about the key. The benefit of the polynomial interpolation solution is that even 3 of the 4 sons provably have no information about the key. It's also much more efficient, and generalizes to any and .

Mike Loukides (@mikeloukides)
June 24, 2014 at 11:13 am Reply
3. Here's a slightly different approach that seems simpler. Is it different from yours?

For each of the n sons, assign a number xi. (You can make it an integer to be nice. Or not.) Use the polynomial
f(x) = (x-x1)(x-x2)...(x-xn), so the numbers are all roots of the polynomial.
Then the secret is f(0), which is just the product of all the xns (with a + or - sign attached). It's still an interpolating polynomial, but all the points are of the form (xi,0), rather than being of the form (i,yi). Given n-1 roots of an nth degree polynomial, do you have any information that would let you construct the nth root?

Intuitively, this strikes me as the same approach. But I suspect my intuition is wrong.

j2kun
June 24, 2014 at 2:31 pm Reply
I don't believe this has the same information theoretic guarantees for the following reason. Essentially your method is to have the secret be a large composite number, and to distribute the factors of the number (you don't even need polynomials to talk about this, as you observe; reconstruction is just multiplication). But now every individual has a lot of information about the secret key; in particular they know most of its factors! This can translate to bounds on the key, but it's obvious that this may not give you enough to efficiently break the protocol. It does prove, however, that it's a weaker protocol than the polynomial interpolation method, since the benefit there is that the participants provably have *no* information about the key. It's a subtle difference, and hopefully in the future I'll have more blog posts discussing the various security requirements most cryptographic protocols require to be considered secure. The polynomial interpolation protocol has the strongest possible form of security, what's known as perfect secrecy.

Blog at WordPress.com. | The Confit Theme.
