RSA Laboratories - 3.6.12 What are some secret sharing schemes?

Shamir's secret sharing scheme [Sha79] is a threshold scheme based on polynomial interpolation. To allow any m out of n people to construct a given secret, an (m-1)-degree polynomial

f(x) = a₀ + a₁ x + ¼+ a_m-1 x^m-1

over the finite field GF(q) is constructed such that the coefficient a₀ is the secret and all other coefficients are random elements in the field; the field is known to all participants. Each of the n shares is a pair (x_i, y_i) of numbers satisfying f(x_i) = y_i and x_i ¹ 0. Given any m shares, the polynomial is uniquely determined and hence the secret a₀ can be computed. However, given m-1 or fewer shares, the secret can be any element in the field. Therefore, Shamir's scheme is a perfect secret sharing scheme (see Question 2.1.9).

Figure 3.1: Shamir's secret sharing scheme (click for a larger image)

A special case where m = 2 (that is, two shares are required for retrieval of the secret) is given in Figure 3.1. The polynomial is a line and the secret is the point where the line intersects with the y-axis. Namely, this point is the point (0,f(0)) = (0, a₀). Each share is a point on the line. Any two points determine the line and hence the secret. With just a single point, the line can be any line that passes the point, and hence the secret can be any point on the y-axis.

Blakley's secret sharing scheme [Bla79] is geometric in nature. The secret is a point in an m-dimensional space. n shares are constructed with each share defining an affine hyperplane in this space; an affine hyperplane is the set of solutions x = (x₁, ¼,x_m) to an equation of the form a₁ x₁ + ¼+ a_m x_m = b. By finding the intersection of any m of these planes, the secret (that is, the point of intersection) can be obtained. This scheme is not perfect, as the person with a share of the secret knows the secret is a point on his or her hyperplane. Nevertheless, this scheme can be modified to achieve perfect security [Sim92].

Figure 3.2: Blakley's scheme (click for a larger image)

A special case of Blakley's scheme is shown in Figure 3.2. This is based on a scenario where two shares are required to recover the secret, which means that a two-dimensional plane is used. The secret is a point in the plane. Each share is a line that passes through the point. If any two of the shares are put together, the point of intersection, which is the secret, can be easily derived.

Naor and Shamir [NS94] developed what they called visual secret sharing schemes, which are an interesting visual variant of the ordinary secret sharing schemes.

Roughly speaking, the problem can be formulated as follows: There is a secret picture to be shared among n participants. The picture is divided into n transparencies (shares) such that if any m transparencies are placed together, the picture becomes visible, but if fewer than m transparencies are placed together, nothing can be seen. Such a scheme is constructed by viewing the secret picture as a set of black and white pixels and handling each pixel separately (see [NS94] for more details). The schemes are perfectly secure and easily implemented without any cryptographic computation. A further improvement allows each transparency (share) to be an innocent picture (for example, a picture of a landscape or a picture of a building), thus concealing the fact that secret sharing is taking place.

Public-Key Cryptography Standards (PKCS) PKCS #1: RSA Cryptography Standard Section Index Foreword PKCS #3: Diffie-Hellman Key Agreement Standard PKCS #5: Password-Based Cryptography Standard Chapter 1 Introduction Chapter 2 Cryptography PKCS #6: Extended-Certificate Syntax Standard PKCS #7: Cryptographic Message Syntax Standard Chapter 3 Techniques in Cryptography Chapter 4 Applications of Cryptography PKCS #8: Private-Key Information Syntax Standard PKCS #9: Selected Attribute Types Chapter 5 Cryptography in the Real World Chapter 6 Laws Concerning Cryptography PKCS #10: Certification Request Syntax Standard PKCS #11: Cryptographic Token Interface Standard Chapter 7 Miscellaneous Topics Chapter 8 Further Reading PKCS #12: Personal Information Exchange Syntax Standard PKCS #13: Elliptic Curve Cryptography Standard Appendix A Mathematical concepts Appendix B Glossary PKCS #15: Cryptographic Token Information Format Standard PKCS Mailing Lists Appendix C References Workshops PKCS News Archives Guidelines for Contributions to the Public-Key Cryptography Standards (PKCS) One-Time Password Specifications (OTPS)	Home: Standards Initiatives: Public-Key Cryptography Standards (PKCS): PKCS #7: Cryptographic Message Syntax Standard: 3.6 Other Cryptographic Techniques 3.6.12 What are some secret sharing schemes? Shamir's secret sharing scheme [Sha79] is a threshold scheme based on polynomial interpolation. To allow any m out of n people to construct a given secret, an (m-1)-degree polynomial f(x) = a₀ + a₁ x + ¼+ a_m-1 x^m-1 over the finite field GF(q) is constructed such that the coefficient a₀ is the secret and all other coefficients are random elements in the field; the field is known to all participants. Each of the n shares is a pair (x_i, y_i) of numbers satisfying f(x_i) = y_i and x_i ¹ 0. Given any m shares, the polynomial is uniquely determined and hence the secret a₀ can be computed. However, given m-1 or fewer shares, the secret can be any element in the field. Therefore, Shamir's scheme is a perfect secret sharing scheme (see Question 2.1.9). Figure 3.1: Shamir's secret sharing scheme (click for a larger image) A special case where m = 2 (that is, two shares are required for retrieval of the secret) is given in Figure 3.1. The polynomial is a line and the secret is the point where the line intersects with the y-axis. Namely, this point is the point (0,f(0)) = (0, a₀). Each share is a point on the line. Any two points determine the line and hence the secret. With just a single point, the line can be any line that passes the point, and hence the secret can be any point on the y-axis. Blakley's secret sharing scheme [Bla79] is geometric in nature. The secret is a point in an m-dimensional space. n shares are constructed with each share defining an affine hyperplane in this space; an affine hyperplane is the set of solutions x = (x₁, ¼,x_m) to an equation of the form a₁ x₁ + ¼+ a_m x_m = b. By finding the intersection of any m of these planes, the secret (that is, the point of intersection) can be obtained. This scheme is not perfect, as the person with a share of the secret knows the secret is a point on his or her hyperplane. Nevertheless, this scheme can be modified to achieve perfect security [Sim92]. Figure 3.2: Blakley's scheme (click for a larger image) A special case of Blakley's scheme is shown in Figure 3.2. This is based on a scenario where two shares are required to recover the secret, which means that a two-dimensional plane is used. The secret is a point in the plane. Each share is a line that passes through the point. If any two of the shares are put together, the point of intersection, which is the secret, can be easily derived. Naor and Shamir [NS94] developed what they called visual secret sharing schemes, which are an interesting visual variant of the ordinary secret sharing schemes. Roughly speaking, the problem can be formulated as follows: There is a secret picture to be shared among n participants. The picture is divided into n transparencies (shares) such that if any m transparencies are placed together, the picture becomes visible, but if fewer than m transparencies are placed together, nothing can be seen. Such a scheme is constructed by viewing the secret picture as a set of black and white pixels and handling each pixel separately (see [NS94] for more details). The schemes are perfectly secure and easily implemented without any cryptographic computation. A further improvement allows each transparency (share) to be an innocent picture (for example, a picture of a landscape or a picture of a building), thus concealing the fact that secret sharing is taking place. Top of Page
		Email to a friend Print