User:Garo/sandbox

Example
The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using finite field arithmetic. Therefore the example below does not provide perfect secrecy and is not a true example of Shamir's scheme. So we'll explain this problem and show the right way to implement it (using finite field arithmetic).

Preparation
Suppose that our secret is 1234 $$(S=1234)\,\!$$.

We wish to divide the secret into 6 parts $$(n=6)\,\!$$, where any subset of 3 parts $$(k=3)\,\!$$ is sufficient to reconstruct the secret. At random we obtain two ($$k-1$$) numbers: 166 and 94.

$$(a_1=166;a_2=94)\,\!$$

Our polynomial to produce secret shares (points) is therefore:

$$f\left(x\right)=1234+166x+94x^2\,\!$$

We construct 6 points $$D_{x-1}=(x, f(x))$$ from the polynomial:

$$D_0=\left(1,1494\right);D_1=\left(2,1942\right);D_2=\left(3,2578\right);D_3=\left(4,3402\right);D_4=\left(5,4414\right);D_5=\left(6,5614\right)\,\!$$

We give each participant a different single point (both $$x\,\!$$ and $$f\left(x\right)\,\!$$). Because we use $$D_{x-1}$$ instead of $$D_x$$ the points start from $$(1, f(1))$$ and not $$(0, f(0))$$. This is necessary because if one would have $$(0, f(0))$$ he would also know the secret ($$S=f(0)$$)

Reconstruction
In order to reconstruct the secret any 3 points will be enough.

Let us consider $$\left(x_0,y_0\right)=\left(2,1942\right);\left(x_1,y_1\right)=\left(4,3402\right);\left(x_2,y_2\right)=\left(5,4414\right)\,\!$$.

We will compute Lagrange basis polynomials:

$$\ell_0=\frac{x-x_1}{x_0-x_1}\cdot\frac{x-x_2}{x_0-x_2}=\frac{x-4}{2-4}\cdot\frac{x-5}{2-5}=\frac{1}{6}x^2-\frac{3}{2}x+\frac{10}{3}\,\!$$

$$\ell_1=\frac{x-x_0}{x_1-x_0}\cdot\frac{x-x_2}{x_1-x_2}=\frac{x-2}{4-2}\cdot\frac{x-5}{4-5}=-\frac{1}{2}x^2+\frac{7}{2}x-5\,\!$$

$$\ell_2=\frac{x-x_0}{x_2-x_0}\cdot\frac{x-x_1}{x_2-x_1}=\frac{x-2}{5-2}\cdot\frac{x-4}{5-4}=\frac{1}{3}x^2-2x+\frac{8}{3}\,\!$$

Therefore

$$f(x)=\sum_{j=0}^2 y_j\cdot\ell_j(x)\,\!$$

$$=1234+166x+94x^2\,\!$$

Recall that the secret is the free coefficient, which means that $$S=1234\,\!$$, and we are done.

Problem
Although this method works fine, there is a security problem: Eve wins a lot of information about $$S$$ with every $$D_i$$ that she finds.

Suppose that she finds the 2 points $$D_0=(1,1494)$$ and $$D_1=(2,1942)$$, she still doesn't have $$k=3$$ points so in theory she shouldn't have won anymore info about $$S$$. But she combines the info from the 2 points with the public info: $$n=6, k=3, f(x)=a_0+a_1x+\dots+a_{k-1}x^{k-1}, a_0=S, a_i\in\mathbb{N}$$ and she : 1. fills the $f(x)$-formula with $S$ and the value of $k: f(x)=S+a_1x+\dots+a_{3-1}x^{3-1}\Rightarrow{}f(x)=S+a_1x+a_2x^2$

2. fills (i) with the values of $D_0$'s $x$ and $f(x): 1494=S+a_{1}1+a_{2}1^2\Rightarrow{}1494=S+a_1+a_2$

3. fills (i) with the values of $D_1$'s $x$ and $f(x): 1942=S+a_{1}2+a_{2}2^2\Rightarrow{}1942=S+2a_1+4a_2$

4. does (iii)-(ii): $(1942-1494)=(S-S)+(2a_1-a_1)+(4a_2-a_2)\Rightarrow{}448=a_1+3a_2$ and rewrites this as $a_1=448-3a_2$

5. knows that $a_2\in\mathbb{N}$ so she starts replacing $a_2$ in (iv) with 0, 1, 2, 3, ... to find all possible values for $a_1$: After $a_2=149$ she stops because she reasons that if she continues she would get negative values for $a_1$ (which is impossible because $a_1\in\mathbb{N}$), she can now conclude $a_2\in[0,1,\dots,148,149]$
 * $a_2=0\rightarrow{}a_1=448-3\times0=448$
 * $a_2=1\rightarrow{}a_1=448-3\times1=445$
 * $a_2=2\rightarrow{}a_1=448-3\times2=442$
 * $\dots$
 * $a_2=148\rightarrow{}a_1=448-3\times148=4$
 * $a_2=149\rightarrow{}a_1=448-3\times149=1$

6. replaces $a_1$ by (iv) in (ii): $1494=S+(448-3a_2)+a_2\Rightarrow{}S=1046+2a_2$

7. replaces in (vi) $a_2$ by the values found in (v) so she gets $S\in[1046+2\times0,1046+2\times1,\dots,1046+2\times148,1046+2\times149]$ which leads her to the information: $$S\in[1046,1048,\dots,1342,1344]$$. She now only has 150 numbers to guess from instead of a infinitive number of natural numbers.

Solution
This problem can be fixed by using finite field arithmetic in a field of size $$p\in\mathbb{P}:p>S,p>n$$.

This is in practice only a small change, it just means that we should choose a prime $$p$$ that is bigger than both the secret and the number of participants and we have to calculate the points as $$(x, f(x)\pmod{p})$$ instead of $$(x, f(x))$$.

Everyone that receives a point also has to know the value of $$p$$ so it's publicly known so you should choose a value for $$p$$ that is not too low because Eve knows $$p>S\Rightarrow{}S\in{[0,1,\dots,p-2,p-1]}$$, so the lower you choose $$p$$, the lower the number of possible values Eve has to guess from to get $$S$$.

You should also not choose it too high because Eve knows that the chance for $$f(x)\pmod{p}=f(x)$$ increases with a higher $$p$$ and she can use the procedure from the original problem to guess $$S$$ (although now, instead of being sure of the 150 possible values, they just have a increased chance of being valid compared to the other natural numbers)

For this example we choose $$p=1613$$, so our polynomial becomes $$f\left(x\right)=1234+166x+94x^2\mod{1613}$$ which gives the points: $$\left(1,1494\right);\left(2,329\right);\left(3,965\right);\left(4,176\right);\left(5,1188\right);\left(6,775\right)$$

This time Eve doesn't win any info when she finds a $$D_x$$ (until she has $$k$$ points).

Suppose again Eve again finds $$D_0=\left(1,1494\right)$$ and $$D_1=\left(2,329\right)$$, this time the public info is: $$n=6, k=3, p=1613, f(x)=a_0+a_1x+\dots+a_{k-1}x^{k-1}\mod{p}, a_0=S, a_i\in\mathbb{N}$$ so she: 1. fills the $f(x)$-formula with $S$ and the value of $k$ and $p$: $f(x)=S+a_1x+\dots+a_{3-1}x^{3-1}\mod1613\Rightarrow{}f(x)=S+a_1x+a_2x^2-1613m_x: m_x\in\mathbb{N}$

2. fills (i) with the values of $D_0$'s $x$ and $f(x): 1494=S+a_{1}1+a_{2}1^2-1613m_1\Rightarrow{}1494=S+a_1+a_2-1613m_1$

3. fills (i) with the values of $D_1$'s $x$ and $f(x): 1942=S+a_{1}2+a_{2}2^2-1613m_2\Rightarrow{}1942=S+2a_1+4a_2-1613m_2$

4. does (iii)-(ii): $(1942-1494)=(S-S)+(2a_1-a_1)+(4a_2-a_2)+(1613m_2-1613m_1)\Rightarrow{}448=a_1+3a_2+1613(m_2-m_1)$ and rewrites this as $a_1=448-3a_2-1613(m_2-m_1)$

5. knows that $a_2\in\mathbb{N}$ so she starts replacing $a_2$ in (iv) with 0, 1, 2, 3, ... to find all possible values for $a_1$: This time she can't stop because $$(m_2-m_1)$$ could be any integer (even negative if $$m_2>m_1$$) so there are a infinite amount of possible values for $$a_1$$. She knows that $$[448,445,442,...]$$ always decreases by 3 so if $$1613$$ was divisible by $$3$$ she could conclude $$a_1\in[1, 4, 7, \dots]$$ but because it's prime she can't even conclude that and so she didn't win any information.
 * $a_2=0\rightarrow{}a_1=448-3\times0-1613(m_2-m_1)=448-1613(m_2-m_1)$
 * $a_2=1\rightarrow{}a_1=448-3\times1-1613(m_2-m_1)=445-1613(m_2-m_1)$
 * $a_2=2\rightarrow{}a_1=448-3\times2-1613(m_2-m_1)=442-1613(m_2-m_1)$
 * $\dots$