-1

I've got the first part of the SSS scheme working, so I can use some secret number as an input, generate a random polynomial function, and create simple shares as pairs (xi, yi).

The task is: how do I get the secret reconstructed from the shares? We all know that we must do some clever math guessing to find the coeffs. What are the options or algorithms/approaches to find the coefs? What are the pros and cons of each? How would it differ in finite fields?

Macko
  • 3
    Welcome to Cryptography.SE. SSS must work in finite fields. Do you want us to describe how to recover the secret given the shares? It is well-written in Wikipedia. If something is not clear, you can ask about it. – kelalaka Dec 16 '21 at 22:20
  • I want to know, especially in the classic approach, how to find the coeffs of the polynomial which was used at the moment of generating the first shares. I know that there is one, but it has some drawbacks in implementation - I mean Gaussian. – Macko Dec 16 '21 at 22:26
  • Why do you care about the coefficients? Isn't the only thing you're interested in recovering is the secret? – poncho Dec 16 '21 at 22:29
  • Of course there is more: like ease of implementation, fast execution and not being vulnerable to attacks (timing). The next step is how to mitigate issues in the classic Shamir approach - like an evil share provider for reconstruction (how to encode a share to be invulnerable to tampering). – Macko Dec 16 '21 at 22:34
  • Why do you need the timing attack? Construct the secret on a local off-line computer? There are academic works about SSS without a dealer: Shamir secret sharing with no dealer and Duckduckgo – kelalaka Dec 16 '21 at 22:40
  • So I forgot to mention the main idea: knowing the coefs is crucial because I want to generate more shares from existing ones. – Macko Dec 16 '21 at 22:42
  • Divide each share again with SSS? – kelalaka Dec 16 '21 at 22:57
  • If I divide each share again with SSS and use some of the shares from the first generated pool and some divided shares, does that mean I can reconstruct my secret? – Macko Dec 16 '21 at 23:06
  • If you have $t$ shares (where $t$ is the threshold), it is straight-forward to generate more shares without bothering to compute the internal coefficients. – poncho Dec 16 '21 at 23:06
  • Wow, please describe it as simply as possible, because the only way I know was by solving linear equations – Macko Dec 16 '21 at 23:08
  • 1
    Well, you know the standard secret reconstruction logic takes a series of shares $(x_1, y_1), (x_2, y_2), ..., (x_t, y_t)$, and returns the shared secret, which is the polynomial evaluated at 0. So, to construct the share at x coordinate $x'$, we take the artificial shares $(x_1 - x', y_1), (x_2 - x', y_2), ..., (x_t - x', y_t)$, and give that to the secret reconstruction logic - that gives you the original polynomial evaluated at $x'$, that is, the corresponding coordinate $y'$ - the new share is $(x', y')$. Rinse and repeat for all the additional shares you need – poncho Dec 16 '21 at 23:14
  • So generally this interpolation formula is working, but what is interesting is that if I generate shares whose xi is in the range [1..10], then for all combinations of share tuples I can find the secret value. This is also true when I generate more shares [15...20], but the interesting part is that when I mix pairs from these 2 series, distant xi's give the wrong answer in interpolation. So either I have a bug in my code (which I don't think so) or Lagrange is very limited in interpolation. – Macko Dec 17 '21 at 01:48
  • So any ideas for replacing Lagrange interpolation? – Macko Dec 17 '21 at 07:53
  • @poncho reconstruction is not working as expected: I prepared the threshold number of points (shares) which were generated at the beginning, then I created new points (xn-x' ,yn), then I put them into my Interpolation function and calculated at x'. The new shares have the correct new xi, but the output from interpolation gives all of them the same value. Can you please provide an example? – Macko Dec 21 '21 at 22:10
  • 1
    @Macko: "I put them to my Interpolation function and calculate at x'"; no, compute the Interpolation at 0 (that is, do precisely the standard secret-reconstruction logic) – poncho Dec 21 '21 at 22:11
  • @poncho Great! Yeah! It works like a charm :) and no doubles are used, no solving equations, this is what I wanted :) Thanks so much ... – Macko Dec 21 '21 at 22:34

1 Answer

1

Let's use a threshold shape (, ) to share a secret value . - 1 random integers 1, 2, ..., − 1 are selected while 0 = . Based on these as factors, the polynomial is built. fx....

Based on this, we obtain random points (, ()) ∶ ≠ 0. Each point is communicated to one of the. Participants. For any subset of points, the polynomial can be reconstructed using the Lagrange interpolation. Having the polynomial (), for the value = 0 we get the value (0) = 0 that is the secret .

Note that for proper secrecy, all operations are done with elements of a finite field with size where first number, greater than all the coefficient values of the polynomial as well as the values t and n.

Pegasus
  • Is Lagrange interpolation better than Gaussian elimination in finding polynomial coefficients? Can you describe how to do a sample interpolation using Lagrange to find the coefs? – Macko Dec 16 '21 at 23:05
  • Let be a polynomial of degree t: $f(x) = a_0 + a_1 x + \cdots + a_t x^t$. It can be reconstructed from $t + 1$ points $(x_i, f(x_i))$ with different sections (in a unique way). There are infinite degree polynomials of t passing through t such points. – Pegasus Dec 16 '21 at 23:15
  • Can you give all constraints when generating new shares for a given secret: like threshold not less than 2? etc – Macko Dec 16 '21 at 23:19
  • New shares can be easily added without changing the old ones: calculating new points. Note there can be more than 1 share, also the polynomial can be edited without need to change the secret. – Pegasus Dec 16 '21 at 23:27
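
Added example (not part of the original thread and not any poster's code): the Lagrange reconstruction at 0 described in the answer, together with the share-extension trick poncho describes in the comments, done over a prime field with integer arithmetic only. The modulus `P` and all function names are assumptions chosen for this illustration.

```python
import secrets

# Assumption: field modulus picked for this example (2**127 - 1 is a Mersenne prime).
P = 2**127 - 1

def make_shares(secret, t, xs, p=P):
    """Evaluate a random degree-(t-1) polynomial with f(0) = secret at each x."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]
    shares = []
    for x in xs:
        if x % p == 0:
            raise ValueError("x = 0 would hand out the secret itself")
        y = 0
        for c in reversed(coeffs):          # Horner's rule, everything mod p
            y = (y * x + c) % p
        shares.append((x, y))
    return shares

def interpolate_at_zero(shares, p=P):
    """Lagrange interpolation evaluated at 0: the standard secret reconstruction."""
    if len({x % p for x, _ in shares}) != len(shares):
        raise ValueError("share x-coordinates must be distinct mod p")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        # Multiply by the modular inverse instead of dividing: no floats, no rounding.
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def new_share(shares, x_new, p=P):
    """Derive f(x_new) from t shares without recovering any coefficient.

    g(x) = f(x + x_new) passes through (x_i - x_new, y_i), and g(0) = f(x_new),
    so shifting the x-coordinates and reconstructing at 0 yields the new share.
    """
    shifted = [((x - x_new) % p, y) for x, y in shares]
    return (x_new, interpolate_at_zero(shifted, p))
```

Because every step is reduced mod `P`, shares with distant x-coordinates (for example x = 1 and x = 20) combine exactly; `pow(den, -1, p)` needs Python 3.8 or later.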