The Mathematics of Secret Sharing
Posted on June 23, 2014 by j2kun
Here's a simple puzzle with a neat story. A rich old woman is drafting her will and wants to distribute her expansive estate equally amongst her five children. But her children are very greedy, and the woman knows that if she leaves her will unprotected her children will resort to nefarious measures to try to get more than their fair share. In one fearful scenario, she worries that the older four children will team up to bully the youngest child entirely out of his claim! She desperately wants them to cooperate, so she decides to lock the will away, and the key is a secret integer. The question is, how can she distribute this secret number to her children so that the only way they can open the safe is if they are all present and willing?
(image: https://jeremykun.files.wordpress.com/2013/08/estate.jpg)

A mathematical way to say this is: how can she distribute some information to her children so that, given all of their separate pieces of information, they can reconstruct the key, but for every choice of fewer than 5 children, there is no way to reliably recover the key? This is called the secret sharing problem. More generally, say we have an integer called the secret, a number of participants (k in the code below), and a number required for reconstruction (r). Then a secret sharing protocol is the data of a method for distributing information and a method for reconstructing the secret. The distributing method is an algorithm that accepts the secret as input and produces as output a list of k numbers. These are the numbers distributed to the k participants. Then the reconstruction method is a function which accepts as input r of those numbers and outputs a number. We want two properties to hold:
The question is: does an efficient secret sharing protocol exist for every possible choice of the number of participants and the reconstruction threshold? In fact it does, and the one we'll describe in this post is far more secure than the word "reliable" suggests. It will be so hard as to be mathematically impossible to reconstruct the secret from fewer than the desired number of pieces. Independently discovered by Adi Shamir in 1979 (http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.80.8910&rep=rep1&type=pdf), the protocol we'll see in this post is wonderfully simple, and as we describe it we'll build up a program to implement it. This time we'll work in the Haskell programming language, and you can download the program (https://github.com/j2kun/the-mathematics-of-secret-sharing) from this blog's Github page (https://github.com/j2kun). And finally, a shout out to my friend Karishma Chadha (https://www.linkedin.com/pub/karishma-chadha/5b/728/241) who worked together with me on this post. She knows Haskell a lot better than I do.
Polynomial Interpolation
The key to the secret sharing protocol is a beautiful fact about polynomials. Specifically, if you give me some number of points in the plane with distinct x values, then there is a unique polynomial of degree one less than the number of points that passes through all of them. Just as importantly (and as a byproduct of this fact), there are infinitely many polynomials of one degree higher that pass through the same points. For example, given three points with distinct x values, there is exactly one quadratic (degree 2) polynomial that passes through all of them.
(image: https://jeremykun.files.wordpress.com/2013/08/interpolatingpolynomialexample.png)

The proof that you can always find such a polynomial is pretty painless, so let's take it slowly and write a program as we go. Suppose you give me some list of points and no two x values are the same. The proof has two parts. First we have to prove existence, that some polynomial of degree one less than the number of points passes through them, and then we have to prove that the polynomial is unique. The uniqueness part is easier, so let's do the existence part first.

Let's start with just one point. What's a degree zero polynomial that passes through it? Just the constant function whose value is the point's y coordinate. For two points it's similarly easy, since we all probably remember from basic geometry that there's a unique line passing through any two points. But let's write the line in a slightly different way:

Why write it this way? Because now it should be obvious that the polynomial passes through our two points: if I plug in the first point's x value then the second term is zero and the first term is just the first point's y value, and likewise for the second point.

For example, if we're given two concrete points we get:

Now the hard step is generalizing this to three points. But the suggestive form above gives us a hint on how to continue.
Notice that the numerator of each term is a product of factors of the form (x minus one of the other x values), that is, a product over every x value except the term's own. Thus, all terms will cancel out to 0 if we plug in any one of the x values, except the term belonging to that x value, which has the form

Here, the fraction on the right side of the term cancels out to 1 when that x value is plugged in, leaving only the corresponding y value, the desired result. Now that we've written the terms in this general product form, we can easily construct examples for any number of points. We just do a sum of terms that look like this, one for each x value. Try writing this out as a summation, if you feel comfortable with notation.
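The summation the paragraph asks for, written out as an added worked example rather than a formula from the post (the point names x_i, y_i and the count n are my notation; the check uses the two points that the post's own findPolynomial example is run on further down):

```latex
% Lagrange form of the interpolating polynomial through
% (x_1, y_1), ..., (x_n, y_n), where the x_i are distinct.
p(x) = \sum_{i=1}^{n} y_i \prod_{\substack{j=1 \\ j \neq i}}^{n} \frac{x - x_j}{x_i - x_j}

% Plugging in x = x_k kills every summand but the k-th, whose product is 1:
p(x_k) = y_k \prod_{j \neq k} \frac{x_k - x_j}{x_k - x_j} = y_k

% Each summand has degree n-1, so deg p \le n-1.

% Check on the points (1,2) and (2,5):
p(x) = 2 \cdot \frac{x - 2}{1 - 2} + 5 \cdot \frac{x - 1}{2 - 1}
     = -2x + 4 + 5x - 5
     = 3x - 1
```

In the coefficient-list representation used below, 3x - 1 is [-1, 3], which is exactly what findPolynomial [(1,2),(2,5)] returns.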
Let's go further and write an algorithm to construct the polynomial for us. Some preliminaries: we encode a polynomial as a list of coefficients in degree-increasing order, so that 1 + 3x + 5x^3 is represented by [1,3,0,5].
import Data.Ratio (numerator)   -- numerator is used by share and decode below

type Point = (Rational, Rational)
type Polynomial = [Rational]  -- Polynomials are represented in ascending degree order
Then we can write some simple functions for adding and multiplying polynomials:
-- Coefficient-wise sum; the shorter list is padded implicitly with zeros.
addPoly :: Polynomial -> Polynomial -> Polynomial
addPoly [] [] = []
addPoly [] xs = xs
addPoly xs [] = xs
addPoly (x:xs) (y:ys) = (x + y) : (addPoly xs ys)

-- Multiply by the monomial y * x^shift: scale every coefficient and
-- prepend `shift` zeros (i.e. raise every degree by `shift`).
multNShift :: Polynomial -> (Rational, Int) -> Polynomial
multNShift xs (y, shift) =
   (replicate shift 0) ++ (map ((*) y) xs)

-- Full product: distribute each term of xs (coefficient, degree) over ys and sum.
multPoly :: Polynomial -> Polynomial -> Polynomial
multPoly [] [] = []
multPoly [] _ = []
multPoly _ [] = []
multPoly xs ys = foldr addPoly [] $ map (multNShift ys) $ zip xs [0..]
In short, multNShift multiplies a polynomial by a monomial (a constant times a power of x), and multPoly does the usual distribution of terms, using multNShift to do most of the hard work.
Then to construct the polynomial we need one more helper function to extract all elements of a list except a specific entry:
-- Drop the element at index i (0-based); keep everything else in order.
allBut :: Integer -> [a] -> [a]
allBut i list = snd $ unzip $ filter (\(index, _) -> i /= index) $ zip [0..] list
And now we can construct a polynomial from a list of points in the same way we did mathematically.
-- Lagrange interpolation: the i-th term is y_i times the product over j /= i of
-- (x - x_j) / (x_i - x_j).  The factor (x - x_j) / (x_i - x_j) is the degree-1
-- polynomial [-x_j / (x_i - x_j), 1 / (x_i - x_j)] in our representation.
findPolynomial :: [Point] -> Polynomial
findPolynomial points =
   let term (i, (xi, yi)) =
         let prodTerms = map (\(xj, _) -> [-xj / (xi - xj), 1 / (xi - xj)]) $ allBut i points
         in multPoly [yi] $ foldl multPoly [1] prodTerms
   in foldl addPoly [] $ map term $ zip [0..] points
Here the subfunction term constructs the i-th term of the polynomial, and the remaining expression adds up all the terms. Remember that due to our choice of representation the awkward 1 sitting in the formula signifies the presence of x. And that's it! An example of its use to construct the line through (1,2) and (2,5), which is 3x - 1:
*Main> findPolynomial [(1,2),(2,5)]
[(-1) % 1,3 % 1]
Now the last thing we need to do is show that the polynomial we constructed in this way is unique. Here's a proof.

This completes the proof. Now that we know these polynomials exist and are unique, it makes sense to give them a name. So for a given set of points, call the unique polynomial of degree one less than the number of points that passes through them the interpolating polynomial for those points.
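The uniqueness argument, as an added derivation in my own notation (n points x_1, ..., x_n with distinct x values; this is the standard argument, not the post's own wording):

```latex
% Suppose p and q both have degree at most n-1 and both pass through all n points.
d(x) = p(x) - q(x), \qquad \deg d \le n-1, \qquad d(x_i) = 0 \ \text{for } i = 1, \dots, n

% Each root splits off a linear factor, so if d is not identically zero then
d(x) = (x - x_1)(x - x_2) \cdots (x - x_n) \cdot e(x)
\quad\Longrightarrow\quad \deg d \ge n,

% contradicting \deg d \le n-1.  Hence
d \equiv 0, \qquad\text{i.e.}\qquad p = q.
```

The only property of the coefficients used here is that a product is zero only when a factor is zero, which holds in any field. So the same argument goes through unchanged when all arithmetic is done modulo a prime, the setting in which the security discussion at the end of the post is actually valid.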
Secret Sharing with Interpolating Polynomials
Once you think to use interpolating polynomials, the connection to secret sharing seems almost obvious. If you want to distribute a secret to k people so that any r of them can reconstruct it, here's what you do:

Then the reconstruction function is: take the points provided by at least r participants, use them to reconstruct the polynomial, and output its value at 0. That's it! Step 1 might seem hard at first, but you can just notice that the secret is equivalent to the constant term of the polynomial, so you can pick r - 1 random numbers for the other coefficients and output them. In Haskell,
import System.Random (StdGen, getStdGen, randomRs)

-- Evaluate a polynomial (ascending-degree coefficients) at x by Horner's rule.
-- eval is used by share and example but is not defined elsewhere on the page.
eval :: Polynomial -> Rational -> Rational
eval poly x = foldr (\c acc -> c + x * acc) 0 poly

-- The secret is the constant term; the other r - 1 coefficients are random
-- integers drawn from [1, 2 * secret].
makePolynomial :: Rational -> Int -> StdGen -> Polynomial
makePolynomial secret r generator =
   secret : map toRational (take (r - 1) $ randomRs (1, numerator (2 * secret)) generator)

-- Produce k shares: the points (1, p(1)), ..., (k, p(k)).  Any r of them
-- determine p, and p(0) is the secret.
share :: Rational -> Integer -> Int -> IO [Point]
share secret k r = do
   generator <- getStdGen   -- System.Random is not a cryptographic generator
   let poly = makePolynomial secret r generator
       ys = map (eval poly) $ map toRational [1..k]
   return $ zip [1..] ys
In words, we initialize the Haskell standard generator (which wraps the result inside the IO monad), then we construct a polynomial by letting the first coefficient be the secret and choosing random coefficients for the rest. And findPolynomial is the reconstruction function. Two details to keep in mind for the security discussion: getStdGen is a general-purpose generator rather than a cryptographic one, and the random coefficients here are integers from a bounded range rather than uniformly random elements of a finite field.
Finally, just to flush the program out a little more, we write a function that encodes or decodes a string as an integer.
import Data.Bits (shift, (.&.))
import Data.Char (ord, chr)

-- Pack a string into one integer, one 8-bit character per byte, first
-- character in the lowest byte.  Assumes every character fits in 8 bits.
encode :: String -> Integer
encode str = let nums = zip [0..] $ map (toInteger . ord) str
                 integers = map (\(i, n) -> shift n (i * 8)) nums
             in foldl (+) 0 integers

-- Inverse of encode: peel off the low byte, then shift right by 8 and repeat.
-- The mask must be 255 (a full byte); masking with 127 would corrupt any
-- character above 127.
decode :: Integer -> String
decode 0 = ""
decode num = if num < 0
             then error "Can't decode a negative number"
             else chr (fromInteger (num .&. 255)) : (decode $ shift num (-8))
And then we have a function that shows the whole process in action.
-- Share an encoded message among k participants, reconstruct it from the
-- first r shares, and print: the secret, the shares, the recovered secret,
-- and the recovered message.
example :: String -> Integer -> Int -> IO ()
example msg k r =
   let secret = toRational $ encode msg
   in do points <- share secret k r
         let subset = take r points
             encodedSecret = eval (findPolynomial subset) 0
         putStrLn $ show $ numerator secret
         putStrLn $ show $ map (\(x, y) -> (numerator x, numerator y)) points
         putStrLn $ show $ numerator encodedSecret
         putStrLn $ decode $ numerator encodedSecret
And a function call:
*Main> example "Hello world!" 10 5
10334410032606748633331426632
[(1,34613972928232668944107982702),(2,142596447049264820443250256658),(3,406048862884360219576198642966),
10334410032606748633331426632
Hello world!
Security
The final question to really close this problem with a nice solution is, "How secure is this protocol?" That is, if you didn't know the secret but you had r - 1 of the numbers, could you find a way to recover the secret, oh, say, 0.01% of the time?

Pleasingly, the answer is a solid no. This protocol has something way stronger, what's called information-theoretic security. In layman's terms, this means it cannot possibly be broken, period. That is, without taking advantage of some aspect of the random number generator, which we assume is a secure random number generator (http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator). But with that assumption the security proof is trivial. Here it goes.

One caveat that matters in practice: the argument requires the random coefficients to be drawn uniformly from a finite field, which in practice means doing all arithmetic modulo a prime larger than the secret, as Shamir's paper does. The Haskell listing above instead works over the rationals and draws its coefficients from [1, 2 * secret], and that version does leak. With r = 2, for instance, a single share y = secret + a with 1 <= a <= 2 * secret already tells its holder that the secret lies between y / 3 and y - 1, which is far from "no information".
Here's what this means. A person trying to break the secret sharing protocol would have no way to tell if they did it correctly! If the secret is a message, then a bad reconstruction could produce any message. In information theory terms, knowing r - 1 of the numbers provides no information about the actual message. In our story from the beginning of the post, no matter how much computing power one of the greedy children may have, the only algorithm they have to open the safe is to try every combination. The mother could make the combination have length in the millions of digits, or even better, the mother could encode the will as an integer and distribute that as the secret. I imagine there are some authenticity issues there, since one could claim to have reconstructed a false will, signatures and all, but there appear to be measures to account for this (http://en.wikipedia.org/wiki/Verifiable_secret_sharing).
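The full protocol from the previous section, rerun in the setting this section's argument needs, as an added example that is not part of the original post or its Haskell code. It is the same split-and-interpolate scheme in Python, but over a prime field GF(p) with coefficients drawn uniformly from that field; the prime P, the sample secrets and the two brute-force helpers are assumptions of the example. secret_histogram enumerates every polynomial over a small prime to show that r - 1 shares are consistent with every secret equally often, and integer_candidates shows how the post's bounded integer coefficients let a single share narrow the secret down.

```python
"""Shamir secret sharing over GF(p), with a brute-force check of perfect secrecy."""
from itertools import product
import secrets

P = 2**127 - 1  # assumption for this example: a prime larger than any secret we share


def eval_poly(coeffs, x, p=P):
    """Horner's rule for a polynomial in ascending-degree order, reduced mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret, k, r, p=P, rng=secrets.randbelow):
    """Produce k shares (x, f(x)) for x = 1..k; any r of them recover f(0) = secret.

    The r - 1 non-constant coefficients are uniform in GF(p) and come from the
    `secrets` module, not a general-purpose PRNG.  x = 0 is never a share, since
    that point would be the secret itself.
    """
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    if not 1 <= r <= k < p:
        raise ValueError("need 1 <= r <= k < p")
    coeffs = [secret] + [rng(p) for _ in range(r - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, k + 1)]


def lagrange_at_zero(shares, p=P):
    """Lagrange interpolation evaluated at x = 0 in GF(p).

    Same formula as the post's findPolynomial followed by eval at 0, except only
    the constant term is computed and division is a modular inverse.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("x-coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p       # factor (0 - x_j)
                den = den * (xi - xj) % p   # factor (x_i - x_j)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares, r, p=P):
    """Reconstruct the secret from at least r shares (extra shares are ignored)."""
    if len(shares) < r:
        raise ValueError(f"need at least {r} shares, got {len(shares)}")
    return lagrange_at_zero(shares[:r], p)


def secret_histogram(partial_shares, r, p):
    """Brute force over a small prime p: for every polynomial of degree < r over
    GF(p), keep those consistent with the given shares and tally their constant
    terms.  With r - 1 shares every secret gets the same count (perfect secrecy);
    with r shares exactly one secret survives."""
    hist = {s: 0 for s in range(p)}
    for coeffs in product(range(p), repeat=r):
        if all(eval_poly(coeffs, x, p) == y for x, y in partial_shares):
            hist[coeffs[0]] += 1
    return hist


def integer_candidates(y1, max_secret):
    """Contrast with the post's makePolynomial, which draws integer coefficients
    from [1, 2 * secret].  With r = 2 one share is (1, y1) = (1, s + a) with
    1 <= a <= 2s, so only secrets with y1 / 3 <= s <= y1 - 1 are consistent:
    a single share already narrows the secret to an interval."""
    return [s for s in range(1, max_secret + 1) if 1 <= y1 - s <= 2 * s]


if __name__ == "__main__":
    shares = split(1234567890, k=5, r=3)
    print(recover(shares[1:4], 3))                        # 1234567890
    print(secret_histogram(split(4, 5, 3, p=7)[:2], 3, 7))  # every secret counted once
    print(integer_candidates(30, 100))                    # 10..29 only
```

Reconstruction uses pow(den, -1, p) (Python 3.8+) for the field inverse. The brute-force helpers are for small primes only; with p = 7 and r = 3 they enumerate 343 polynomials, which is enough to see that two shares leave all seven secrets equally likely while three pin down exactly one.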
One might wonder if this is the only known secret sharing protocol, and the answer is no. Essentially, any time you have an existence and uniqueness theorem in mathematics, and the objects you're working with are efficiently constructible, then you have the potential for a secret sharing protocol. There are two more on Wikipedia (http://en.wikipedia.org/wiki/Secret_sharing#Blakley.27s_scheme). But people don't really care to find new ones anymore because the known protocols are as good as it gets.
On a broader level, the existence of efficient secret sharing protocols is an important fact used in the field of secure multiparty computation (http://en.wikipedia.org/wiki/Secure_multiparty_computation). Here the goal is for a group of individuals to compute a function depending on secret information from all of them, without revealing their secret information to anyone. A classic example of this is to compute the average of seven salaries without revealing any of the salaries. This was a puzzle featured on Car Talk (http://www.cartalk.com/content/coney-island-crab-cake-company), and it has a cute answer. See if you can figure it out.
Until next time!
This entry was posted in Algorithms, Cryptography and tagged cryptography, haskell, polynomial interpolation, secret sharing. Bookmark the permalink.
5 thoughts on "The Mathematics of Secret Sharing"

eightnoteight
June 23, 2014 at 9:58 am | Reply
1. I think it is popularly known as Shamir's secret sharing. And it was a great work (program).
Luis
June 24, 2014 at 9:21 am | Reply
2. A naive idea that sparks from reading the first lines of your post. Take a very large number with 20,000 digits and give 5000 digits to each son. Now if they want to get the will they have to prove that they know the 20000 digits of the key. What's wrong with this very simple and naive idea?
j2kun
June 24, 2014 at 9:35 am | Reply
In this scenario every son has a lot of information about the key. The benefit of the polynomial interpolation solution is that even 3 of the 4 sons provably have no information about the key. It's also much more efficient, and generalizes to any k and r.
Mike Loukides (@mikeloukides)
June 24, 2014 at 11:13 am | Reply
3. Here's a slightly different approach that seems simpler. Is it different from yours?

For each of the n sons, assign a number xi. (You can make it an integer to be nice. Or not.) Use the polynomial

f(x) = (x - x1)(x - x2)...(x - xn), so the numbers are all roots of the polynomial.

Then the secret is f(0), which is just the product of all the xn's (with a + or - sign attached). It's still an interpolating polynomial, but all the points are of the form (xi, 0), rather than being of the form (i, yi). Given n - 1 roots of an nth degree polynomial, do you have any information that would let you construct the nth root?

Intuitively, this strikes me as the same approach. But I suspect my intuition is wrong.
j2kun
June 24, 2014 at 2:31 pm | Reply
I don't believe this has the same information-theoretic guarantees for the following reason. Essentially your method is to have the secret be a large composite number, and to distribute the factors of the number (you don't even need polynomials to talk about this, as you observe; reconstruction is just multiplication). But now every individual has a lot of information about the secret key; in particular they know most of its factors! This can translate to bounds on the key, but it's obvious that this may not give you enough to efficiently break the protocol. It does prove, however, that it's a weaker protocol than the polynomial interpolation method, since the benefit there is that the participants provably have *no* information about the key. It's a subtle difference, and hopefully in the future I'll have more blog posts discussing the various security requirements most cryptographic protocols require to be considered secure. The polynomial interpolation protocol has the strongest possible form of security, what's known as perfect secrecy.