Re: Questions about Shamir secret sharing
- From: mdw@xxxxxxxxxxxxxxxxxxxxxx (Mark Wooding)
- Date: 28 Sep 2006 19:14:29 +0100 (BST)
Dro Kulix <peter.s.may@xxxxxxxxx> wrote:
ss10001 is an experiment in implementing secret sharing as proposed by
Shamir[SHAMIR] by using 16-bit blocks of the secret to be shared and
evaluating polynomials modulo 65537.
I've seen implementations that did this, and they tend not to be
pretty. The problem is that you have to do something with the tiny
fraction of a bit left over after sharing (because the outputs are
more-or-less uniform over GF(2^{16} + 1)), so you end up pratting about
with the spare bits in a most irritating way.
You say that you've not understood the maths for doing the arithmetic in
GF(2^n). Having actually tried this, I can confidently say that the
resulting scheme is more space-efficient (because the shares are exactly
the same size as the original secret), easier to implement and
understand (because you don't have to do the strange contortions to
handle the overflow bits) and probably more efficient.
I'd suggest, in fact, that an interest in secret sharing is a good
motivation to learn about non-prime-order finite fields. Binary fields
(of the form GF(2^n)) in particular crop up all over the place in
interesting bits of cryptography.
My secret-sharing implementation works on individual bytes, using
arithmetic in GF(2^8). In this field, addition and subtraction are just
XOR; multiplication and division can be performed efficiently using log
and antilog tables. The tables are less than a kilobyte in size.
Shares are exactly the same size as the original secret.
Am I selling this idea to you? ;-)
The decrypter is suitable for solving shares generated from any of the
modes described below; the encrypter is currently designed to run in
OC mode. My intuition about the Shamir algorithm is not sufficient to
tell me whether OC mode provides sufficient security, or whether the
more conservative AC or the less intensive SR modes should be used
instead.
For security, you must share each slice independently. That is,
choosing fresh random coefficients for each slice -- your AC mode.
I think OC is totally insecure.
Suppose we have a system with a threshold of t (i.e., t people can
recombine the secret from their shares), and the secret is split into s
slices. The polynomials used for the sharing have degree t - 1. But
all but two of the coefficients are common between the slices; so in
fact there are 2 s + t - 2 unknowns in the system. If I can get t'
shares, I get t' s equations. One doesn't need particularly many slices
or shares before t' >= 2 + (t - 2)/s, and this becomes a problem.
-- [mdw]
.
- References:
- Questions about Shamir secret sharing
- From: Dro Kulix
- Questions about Shamir secret sharing
- Prev by Date: Re: Self-shrinking MT19937 as stream cipher
- Next by Date: EFS in Remote Server
- Previous by thread: Questions about Shamir secret sharing
- Next by thread: EFS in Remote Server
- Index(es):
Relevant Pages
|
