Sharing a secret
Hal Finney
hfinney at shell.portal.com
Fri Oct 22 09:38:17 PDT 1993
I will give a simple example of Shamir secret sharing. Suppose you have
some data D which you want to split up into n pieces such that any 2
of them are sufficient to reconstruct D. Shamir solves the problem for
any k of them being sufficient, but the case k=2 is especially simple.
Pick a random number m which will be the slope of a line. Take the
equation y = mx + D, and substitute x = 1, x = 2, ... x = n. Pass out
the y's for each value of x as the secret shares.
For example, if D=12, pick random m = 4, and pass out (1,16), (2,20),
(3,24), (4,28), and so on.
Now, suppose an enemy gets hold of one of these - say (2,20). What does
this tell him about the value of D? Nothing! D could be anything,
depending on the value of m.
But suppose we have two of these values - say (1,16) and (2,20). From
these it is easy to calculate m=4, and from that it is easy to see that
D=12. Two points determine a line.
In the actual Shamir scheme, integers mod a prime p are used, where p>D.
The math is basically the same. For k=3, a parabola is used instead of
a line, so that 3 points are needed; for k=4, a third-degree polynomial
is used, and for general k, a (k-1)-degree polynomial is used. In each
case, knowing k-1 points tells you nothing, because there will be a
(k-1)-degree polynomial that would pass through any possible value of
D.
Hal
More information about the cypherpunks-legacy
mailing list