



In a secret sharing scheme there is a trusted authority TA and $n$ users $U_1, \ldots, U_n$. The TA has a secret value $K$ called the secret or key. The TA uses a share generation algorithm to split $K$ into $n$ shares $s_1, \ldots, s_n$. Each share $s_i$ is then transmitted to user $U_i$ by a secure channel. The secret sharing protocol guarantees that two properties hold:
Such a scheme is called an $(n, t)$ threshold scheme.
For example, if the secret $K$ is an integer between $0$ and $M - 1$, then an $(n, n)$ threshold scheme can be obtained by selecting $s_1, \ldots, s_{n-1}$ uniformly at random between $0$ and $M - 1$, and setting $s_n = K - \sum_{i=1}^{n-1} s_i \bmod M$. Now,
To understand how to implement a general $(n, t)$ threshold scheme we need to understand some properties of polynomials modulo a prime $p$. While working modulo a prime $p$, we can add, subtract and multiply numbers, as well as divide numbers as long as we are not dividing by 0. So we can consider polynomials whose coefficients are elements modulo $p$. For example $f(x) = x^2 + 2x + 4 \bmod 5$. It turns out that such polynomials have many of the same properties as polynomials with real coefficients:
Suppose that we are given the value of a polynomial $P(x)$ of degree $n$ at $n + 1$ points: $P(a_i) = b_i$ for $i = 1$ to $n + 1$. How do we reconstruct the unique polynomial $P(x)$ of degree $n$ satisfying these $n + 1$ constraints?
Consider the following polynomials of degree $n$:
For $i = 1, 2, \ldots, n + 1$, define

$$\Delta_i(x) = \frac{\prod_{j \neq i} (x - a_j)}{\prod_{j \neq i} (a_i - a_j)}.$$
CS 161, Fall 2005, Notes 16 1
Notice that $\Delta_i(a_i) = 1$ and, for $1 \le j \le n + 1$ with $j \neq i$, $\Delta_i(a_j) = 0$. It follows that the desired polynomial is $P(x) = \sum_{i=1}^{n+1} b_i \Delta_i(x)$.
The process we have just gone through—explicitly constructing a polynomial that passes through a number of given points—is called Lagrange interpolation.
If $n = 3$, and $a_i = i$, for instance, then

$$\Delta_1(x) = ((1 - 2)(1 - 3))^{-1} (x - 2)(x - 3) = 2^{-1} (x - 2)(x - 3)$$
$$\Delta_2(x) = ((2 - 1)(2 - 3))^{-1} (x - 1)(x - 3) = (-1)^{-1} (x - 1)(x - 3)$$
$$\Delta_3(x) = ((3 - 1)(3 - 2))^{-1} (x - 1)(x - 2) = 2^{-1} (x - 1)(x - 2).$$
Suppose the U.S. government finally decides that a nuclear strike can be initiated only if at least t > 1 major officials agree to it (what a “major official” is doesn’t really matter to us). We want to devise a scheme such that (1) any group of t of these officials can pool their information to figure out the launch code and initiate the strike but (2) no group of t − 1 or fewer can conspire to find the code. How can we accomplish this?
Suppose that there are $n$ officials and that the launch code is some natural number $K$. Let $p$ be a prime number larger than $n$ and s —we will work with numbers modulo $p$ from now on.
Now pick a random polynomial $f$ of degree $t - 1$ such that $f(0) = K$. The shares are $s_i = f(i)$ for $i = 1$ to $n$.
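The share generation described above, together with recovery of $K = f(0)$ by Lagrange interpolation from any $t$ shares, as an added Python example that is not part of the original notes. The modulus $2^{61} - 1$, the function names and the sample secret are assumptions chosen for illustration, and the coefficients come from the operating system's CSPRNG through `secrets`, because predictable coefficients would let fewer than $t$ shareholders solve for $K$.

```python
import secrets

P = 2**61 - 1  # assumed prime modulus (a Mersenne prime); must exceed n and K

def make_shares(K, n, t, p=P):
    """Split K into n shares s_i = f(i); any t of them determine K."""
    if not (1 < t <= n < p and 0 <= K < p):
        raise ValueError("need 1 < t <= n < p and 0 <= K < p")
    # f(x) = K + c_1 x + ... + c_{t-1} x^(t-1): f(0) = K, other coefficients
    # drawn uniformly mod p from the OS CSPRNG (so the degree is at most t - 1).
    coeffs = [K] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for i in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod p
            y = (y * i + c) % p
        shares.append((i, y))
    return shares

def interpolate_at(points, x, p=P):
    """Value at x of the unique polynomial of degree < len(points) through
    points [(a_i, b_i)], computed as sum_i b_i * Delta_i(x) mod p."""
    if len({a % p for a, _ in points}) != len(points):
        raise ValueError("the a_i must be distinct mod p")
    total = 0
    for i, (a_i, b_i) in enumerate(points):
        num = den = 1
        for j, (a_j, _) in enumerate(points):
            if j != i:
                num = num * (x - a_j) % p
                den = den * (a_i - a_j) % p
        # Division mod p is multiplication by the modular inverse of den.
        total = (total + b_i * num * pow(den, -1, p)) % p
    return total

def recover(shares, p=P):
    """Pool t or more shares: the secret is f(0)."""
    return interpolate_at(shares, 0, p)

if __name__ == "__main__":
    K = 271828182845  # constructed sample secret
    shares = make_shares(K, n=5, t=3)
    print(recover(shares[:3]) == K, recover(shares[2:]) == K)
    # Only t - 1 shares interpolate to a value unrelated to K.
    print(recover(shares[:2]) == K)
```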