@MISC{Novaro_secretsharing, author = {Arianna Novaro}, title = {Secret Sharing}, year = {} }

Abstract

Secret sharing
• Method for dividing a secret S into n pieces of information (shares or shadows) $s_1, s_2, \ldots, s_n$, where each $s_i$ does not reveal anything about S.
• The shares can be distributed among a group of participants or kept by a single person (depending on the purpose of the computation).
• With k (or more) shares it is possible to easily recover the secret.
• All possible values of S are equally likely for someone with knowledge of only x shares (with x < k).

The (k, n)-threshold scheme
• A particular type of access structure: a description of which subsets of participants are allowed to recover the secret.
• Monotone: if a subset W of the set of participants is allowed to recover the secret, any superset of W is also allowed.
• n: total number of participants (shares)
• k: minimal number of participants (shares) needed to recover the secret.

Properties
(*) Possibility to add or remove any $s_i$ without affecting the other shares, once k is fixed (floating number of participants);
(*) Possibility to change the shares without changing the secret (for security reasons);
(*) Possibility to get a hierarchical scheme giving a different number of shares to each participant, depending on his/her importance.

Protocol
Since any information can be expressed as a number (in our case: the secret S), polynomials can be used as a tool to achieve secret sharing with a (k, n)-threshold scheme. In fact, any polynomial q(x) of degree k − 1 can be determined if k points $(x_1, y_1), \ldots, (x_k, y_k)$ in the two dimensional plane are given.

A polynomial q(x) of degree k − 1 is chosen:

$$q(x) = a_0 + a_1 x + \cdots + a_{k-1} x^{k-1} \qquad (1)$$

We set the free term to be equal to the secret, i.e. $S = a_0$; thus, $S = q(0)$. We have that $s_i = q(i)$. This means that pair(s) of the form (i, q(i)) will be given to each participant, and with k of them it will be possible to recover the secret.
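The protocol above as a runnable sketch. This is an added example, not code from the original notes. It assumes all arithmetic is done modulo a prime P, which the abstract does not state but which is what makes every value of S equally likely given fewer than k shares. The function names are hypothetical, and `secret_distribution` brute-forces a tiny field to check that property directly.

```python
import secrets
from itertools import product

P = 2**127 - 1  # prime field modulus (assumption: the page does not fix a field)

def eval_poly(coeffs, x, p=P):
    """Horner evaluation of a_0 + a_1 x + ... + a_{k-1} x^{k-1} mod p."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def split(secret, k, n, p=P):
    """Return n shares (i, q(i)) of a random polynomial with q(0) = secret."""
    if not (1 <= k <= n < p and 0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, eval_poly(coeffs, i, p)) for i in range(1, n + 1)]

def interpolate(shares, x, p=P):
    """Lagrange interpolation: value at x of the polynomial through the shares."""
    xs = [xi for xi, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total

def recover(shares, p=P):
    """The secret is the free term, S = q(0)."""
    return interpolate(shares, 0, p)

def secret_distribution(known, k, p):
    """Count polynomials of degree <= k-1 consistent with `known`, per secret a_0."""
    counts = {s: 0 for s in range(p)}
    for coeffs in product(range(p), repeat=k):
        if all(eval_poly(coeffs, x, p) == y for x, y in known):
            counts[coeffs[0]] += 1
    return counts

if __name__ == "__main__":
    shares = split(123456789, k=3, n=5)  # constructed sample secret
    print(recover(shares[:3]), secret_distribution(split(7, 3, 5, p=11)[:2], 3, 11))
```

Calling `interpolate(shares[:k], n + 1)` yields a share for an additional participant without touching the existing ones, which is the floating-participants property listed above.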