Is there a way of sharing a key without anyone knowing what the key is initially?

Question

I started learning about key sharing and Shamir secret sharing, I'm wondering whether you need someone who knows the key initially and then distributes it, is this step necessary or not?

In my case I have a group of people that run a permission blockchain (they are the consensus nodes) and I want all incoming transaction to be encrypted but the decryption part should be available only if a majority decides to construct the decryption key, but I don't want this decryption key to be known initially by anyone. Is it possible or not?

What did you not understand from the Wikipeida's article about the secret sharing and Shamir's Secret Sharing. By the way, currently, we have 386 question about [tag:secret-sharing], did you looked at them? — kelalaka, Jul 01 '20 at 12:31
@kelalaka i understand shamir secret sharing and i understand the math behind it, what i dont understand is it possible to have a secret sharing scheme without anyone having the secret key intially ? — ezio, Jul 01 '20 at 13:10
If you are only interested in sharing without dealers see How can we distribute Shamir's secret sharing scheme shares without a dealer?, Secret sharing - no dealer, modifiable, verifiable — kelalaka, Jul 01 '20 at 13:29

score 2 · Answer 1 · answered Jul 01 '20 at 13:35

2

You can use MPC in order to generate a key that is distributed amongst a set of users, without anyone knowing the key itself. This is a very standard MPC problem, and many different protocols can be used. For example, if you want to generate a key for ECIES encryption, then you can basically have each party $P_i$ choose a random $x_i\in\mathbb{Z}_q$ and send a commitment to $Q_i = x_i\cdot G$ along with a zero knowledge proof of knowledge of $x_i$. Then, after all commitments are received, all parties decommit and ZK proofs are verified. Finally, you define the public key to be $Q=\sum_{i=1}^n Q_i$. This will give you a plain additive sharing. You can use a similar idea to get a Shamir sharing as well.

answered Jul 01 '20 at 13:35

Yehuda Lindell

27,820
1
66
83

Can we remove the decommitment? – kelalaka Jul 01 '20 at 14:16
1

@kelalaka, in general no, otherwise an attacker can wait to see everyone else's $Q_i$ and then submit their own based on that. – Aman Grewal Jul 01 '20 at 15:29
Prof. If you have time, could you write a canonical answer to Secret sharing - no dealer, modifiable, verifiable. – kelalaka Jul 02 '20 at 13:18
@kelalaka I tried to give an answer. It is a very general question, so really the answer is - it can be done with MPC. In order to try to answer it directly for Secret Sharing, one would need a full paper. I hope this is what you were looking for, but please let me know if not. – Yehuda Lindell Jul 06 '20 at 10:23
Thanks a lot. Let me read it. FYI, when an answer is given the bounty owner is notified, too. – kelalaka Jul 06 '20 at 10:24

Is there a way of sharing a key without anyone knowing what the key is initially?

1 Answers1