Shamir's secret sharing

The secret cannot be revealed unless a minimum number of the group's members act together to pool their knowledge.

To achieve this, the secret is mathematically divided into parts (the "shares") from which the secret can be reassembled only when a sufficient number of shares are combined.

SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen a sufficient number of shares.

To reconstruct a secret secured by SSS, a number of shares is needed, called the threshold.

No information about the secret can be gained from any number of shares below the threshold (a property called perfect secrecy).

If there are several people who know the code, they may not trust each other to always act honestly.

SSS can be used in this situation to generate shares of the vault's code which are distributed to authorized individuals in the company.

The minimum threshold and number of shares given to each individual can be selected such that the vault is accessible only by (groups of) authorized individuals.

If fewer shares than the threshold are presented, the vault cannot be opened.

By accident, coercion or as an act of opposition, some individuals might present incorrect information for their shares.

If the total of correct shares fails to meet the minimum threshold, the vault remains locked.Shamir's secret sharing can be used to SSS has useful properties, but also weaknesses[5] that means that it is unsuited to some uses.

[6] The scheme exploits the Lagrange interpolation theorem, specifically that

Shamir's secret sharing is an ideal and perfect

-threshold scheme based on polynomial interpolation over finite fields.

Every participant is given a point (a non-zero input to the polynomial, and the corresponding output).

Therefore, the example below does not provide perfect secrecy and is not a proper example of Shamir's scheme.

from the polynomial are constructed as: Each participant in the scheme receives a different point (a pair of

is: Recalling that the secret is the free coefficient, which means that

using Lagrange polynomials is not efficient, since unused constants are calculated.

Considering this, an optimized formula to use Lagrange polynomials to find

is defined as follows: Although the simplified version of the method demonstrated above, which uses integer arithmetic rather than finite field arithmetic, works, there is a security problem: Eve gains information about

Doing so, Eve could perform the following algebra: The above attack exploits constraints on the values that the polynomial may take by virtue of how it was constructed: the polynomial must have coefficients that are integers, and the polynomial must take an integer as value when evaluated at each of the coordinates used in the scheme.

This reduces its possible values at unknown points, including the resultant secret, given fewer than

This problem can be remedied by using finite field arithmetic.

The figure shows a polynomial curve over a finite field.

This time Eve doesn't gain any information when she finds a

, it does not provide any additional information, since the "wrapping around" behavior of modular arithmetic prevents the leakage of "S is even", unlike the example with integer arithmetic above.

For purposes of keeping the code clearer, a prime field is used here.

In practice, for convenience a scheme constructed using a smaller binary field may be separately applied to small substrings of bits of the secret (e.g. GF(256) for byte-wise application), without loss of security.

The strict condition that the size of the field must be larger than the number of shares must still be respected (e.g., if the number of shares could exceed 255, the field GF(256) might be replaced by say GF(65536)).