Re: Variations on Shamir secret sharing
- From: Mark Wooding <mdw@xxxxxxxxxxxxxxxx>
- Date: Mon, 5 Dec 2005 18:46:28 +0000 (UTC)
philip <trauring@xxxxxxxxx> wrote:
> Let's say you have six shares (let's call them A, B, C, D, E and F),
> where a minimum of three shares are required to reconstitute the
> secret. Is there a way to further divide the shares, such that for each
> share, there are ten possibilities for that share? For example, ten As,
> ten Bs, etc. Each is interchangeable with the other shares in it's own
> letter, but you couldn't reconstitute the secret from multiple shares
> within a letter.
What's the use? If you just want the shares to be distinguishable...
Let s_0, ... be the shares, generated according to a (3, 6)-sharing
scheme (or whatever you decide on). Generate a signing key S and
corresponding public verification key V. Issue the `share bundle'
sign_S(A, i, s_j) and a copy of V to shareholder i of share j. Destroy
the signing key S when done, along with the original secret and the
random numbers used for the share splitting. When you come to recombine
the shares, the shareholders can verify each other's signed
share-bundles, and can then make a record of which shares they all saw.
If you have secure hardware for doing the recombination then it's easier
for that to do the verification and produce a single (preferably signed)
record of the shareholders present.
This all assumes, of course, that shareholders don't swap share
bundles.
I still don't really see the use. If the shareholders will all be
physically present somewhere to do the recombination, they probably
ought to know who each other are already; if you're doing this
electronically, you'd best set up some kind of secure channel for each
shareholder, so something will keep a record of who the shareholders
were anyway.
> My second question is if it's possible to require one of the shares.
> Using the above example, let's say you need A, but any two other shares
> would work.
This wants a two-layer scheme. Use a (2, 2)-scheme: give A one share,
and split other using a (2, 5)-scheme among B, ..., F.
(Note that an (n, n)-sharing scheme can be done with old-fashioned XOR,
which is rather simpler than messing about with Shamir.)
> Lastly, a combination of the above approaches, where A is required and
> B-F are divided into multiple possible shares.
Combine the solutions in the most obvious way.
-- [mdw]
.
- References:
- Variations on Shamir secret sharing
- From: philip
- Variations on Shamir secret sharing
- Prev by Date: Re: PGP Lame question
- Next by Date: Re: PGP Lame question
- Previous by thread: Re: Variations on Shamir secret sharing
- Next by thread: Re: Variations on Shamir secret sharing
- Index(es):
Relevant Pages
|
