Shamir secret sharing and information theoretic security
Sarad AV
jtrjtrjtr2001 at yahoo.com
Tue Feb 17 06:51:09 PST 2009
hi,
I was going through the wikipedia example of shamir secret sharing which says it is information theoretically secure.
http://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing
In the example in that url, they have a polynomial
f(x) = 1234 + 166.x + 94.x^2
they construct 6 points from the polynomial
(1,1494);(2,1942);(3,2578);(4,3402);(5,4414);(6,5615)
the secret here is S=1234. The threshold k=3 and the number of participants n=6.
If say, first two users collude then
1494 = S + c1 .1 + c2.1
1942 = S + c1 .2 + c2.2
clearly, one can start making inferences about the sizes of the unknown co-efficients c1 and c2 and S.
However, it is said in the URL above that Shamir secret is information theoretically secure
in the url below they say
http://en.wikipedia.org/wiki/Information_theoretic_security
"Secret sharing schemes such as Shamir's are information theoretically secure (and in fact perfectly secure) in that less than the requisite number of shares of the secret provide no information about the secret."
how can that be true? we already are able to make inferences.
Moreover say that, we have 3 planes intersecting at a single point in euclidean space, where each plane is a secret share(Blakely's scheme). With 2 plane equations, we cannot find the point of intersection but we can certainly narrow down to the line where the planes intersect. There is information loss about the secret.
from this it appears that Shamir's secret sharing scheme leaks information from its shares but why is it then considered information theoretically secure?
They do appear to leak information as similar to k-threshold schemes using chinese remainder theorem.
what am i missing?
Thanks,
Sarad.
More information about the cypherpunks-legacy
mailing list