Theory used by libgfshare

Simon McVittie

23rd April 2006

1 Introduction

libgfshare implements Shamir secret sharing [SHAMIR] over the field GF(2⁸), instead of GF(p) for a prime p as suggested by Shamir’s paper. This document aims to prove the security and integrity of this scheme.

Note that while I believe this document to be correct, I accept no responsibility for loss or damage caused by relying on the correctness of my proof.

2 Definitions

Let F be a field with multiplicative identity 1 and additive identity 0.

If A = {(a₁,b₁), ⋅⋅⋅ ,(a_n,b_n)}, with the a_i distinct nonzero elements of F and the b_i elements of F, indexed by I = {1,,n}, then define

∑ ∏ PA(x) = bj (x - ak)(aj - ak)-1 j∈I k∈I,k⁄=j

a polynomial of degree at most n - 1. (By distinctness of the a_i, the inverses required exist.) This is the Lagrange interpolating polynomial for the points in A.

3 Lemma 1

Let a₁, ⋅⋅⋅ ,a_t ∈ F be distinct and nonzero; let b₁,,b_t-1,c ∈ F be arbitrary. Then there exists b_t ∈ F such that if A = {(a₁,b₁),,(a_t,b_t)} then P_A(0) = c.

3.1 Proof

Let I = {1, ⋅⋅⋅ ,t}. We have

∑ ∏ -1 ∑ ∏ -1 PA(0) = bj - ak(aj - ak) = yj ak(ak - aj) j∈I k∈I,k⁄=j j∈I k∈I,k⁄=j

Let

⌊ ⌋ ⌊ ⌋ ∑ ∏ ∏ bt = ⌈c + bj ak(aj - ak)-1⌉ ⌈ a-k1(ak - at)⌉ j∈I,j⁄=t k∈I,k⁄=j k∈I,k⁄=t

Then

∑ ∏ ∏ PA (0) = bj ak(ak - aj)-1 + bt ak(ak - at)-1 j∈I,j⁄=t k∈I,k⁄=j k∈I,k⁄=t

∑ ∏ -1 ∑ ∏ - 1 = bj ak(ak - aj) - bj ak(ak - aj) + c j∈I,j⁄=t k∈I,k⁄=j j∈I,j⁄=t k∈I,k⁄=j

= c

as required.

4 Lemma 2

For any x₁, ⋅⋅⋅ ,x_t distinct and nonzero elements of F, and any y₁,,y_t,u arbitrary elements of F, let

X = {(x1,y1),⋅⋅⋅,(xt,yt)}

and

U = {(x1,y1),⋅⋅⋅,(xt- 1,yt-1),(u,PX (u))}

Then P_X = P_U,i.e.P_X(x) = P_U(x) for all x ∈ F.

4.1 Proof

Let S_a,b = {(x1,y1),⋅⋅⋅,(xt- 1,yt-1),(a,b)} . Then

∑ ∏ ∏ PSa,b(x) = yj(x- a)(xj - a)- 1 (x - xk)(xj - xk)-1 + b (x - xk)(a- xk)-1 j<t k⁄=j,k<t k<t

Hence if we let d_i,j = x_i -x_j and e_i = u-x_i (both of which are necessarily nonzero, by distinctness of the x_i and u) we have

∑ - 1 ∏ -1 ∏ -1 PX (u) = yjetdj,t ekdj,k + yt ekdt,k j<t k⁄=j,k<t k<t

and if we also let f_i = x - x_i,

P (x) = ∑ y (u- x)e-1 ∏ f d-1+ P (u)∏ f e- 1 U j<t j j k⁄=j,k<t k j,k X k<t kk

( ) ∑ ∏ { ∏ } { ∑ ∏ ∏ } PU (x) = yj(u - x)e-j 1 fkd-j,1k + fke-k1 yjetd-j1,t ekd-j,1l + yt eld-t1,l j<t k⁄=j,k<t k<t ( j<t l⁄=j,l<t l<t )

Expanding,

∑ { ∏ } PU (x ) = j<tyj(u- x)e-j1 k⁄=j,k<t fkd-j,1k +∑ y e d-1{∏ e d-1} {∏ f e-1} j{<∏t j t j,t l⁄=j,l<}t k j,l k<t k k +yt k<tekd-t,1kfke-k1

⌊ ({ )} ({ )} ⌋ PU(x) = ∑ yj⌈ (u - x)e- 1 ∏ fkd- 1 + etd-1fje-1 ∏ ekd- 1fke-1 ⌉ + yt∏ d- 1fk j<t j (k⁄=j,k<t j,k) j,t j ( k⁄=j,k<t j,k k ) k<t t,k

⌊ ⌋ ∑ ∏ [ ] ∏ = ⌈yj fkd-j1,k⌉ (u - x)e-j 1+ ete-j1d-j,t1fj + yt d-t1,kfk j<t k⁄=j,k<t k<t

Now

(u - x )e-j1 + ete-j1d-j1,tfj = (e-j1d-j1,t)[(u - x)dj,t + etfj]

-1 -1 = (ej dj,t)[(u - x)(xj - xt) +(u - xt)(x- xj)]

-1 -1 = (ej dj,t)(x - xt)(u- xj)

-1 = dj,tft

Hence

⌊ ⌋ P (x) = ∑ ⌈y ∏ f d-1⌉ [f d-1]+ y ∏ d-1f = P (x) U j<t jk⁄=j,k<t k j,k t j,t tk<t t,k k X

as required.

5 Construction

Let s be the number of “shares” and t be the required threshold to recover the shared secret (i.e. we construct a “t of s” share).

Given a secret f ∈ F we may construct a Lagrange interpolating polynomial P_X of degree no more than t - 1, with P_X(0) = f, as follows:

- choose distinct nonzero x₁, ⋅⋅⋅ ,x_s ∈ F

- choose arbitrary (and unpredictable) y₁, ⋅⋅⋅ ,y_t-1 ∈ F

- use Lemma 1 to select y_t such that X = {(x₁,y₁), ⋅⋅⋅ ,(x_t,y_t)} has the desired intercept f

To obtain additional shares, calculate y_t+1 = P_X(x_t+1), ⋅⋅⋅ ,y_s = P_X(x_s).

6 Alternate construction, as used in libgfshare

In libgfshare the construction used is as follows:

- construct a polynomial P by choosing arbitrary and unpredictable coefficients of x, ⋅⋅⋅ ,x^t-1 from F, and setting the coefficient of x⁰ to f: this therefore has the desired intercept f

- choose distinct nonzero x₁, ⋅⋅⋅ ,x_s ∈ F and evaluate y₁ = P(x₁),,y_s = P(x_s)

6.1 Proof of equivalence in a finite field F

Suppose F is finite, as is the case in libgfshare, and that in each construction, arbitrary choices are made from among all possible values in F.

In the alternate construction, given x₁, ⋅⋅⋅ ,x_t,f we choose a polynomial P(x) = f + m₁x + + m_t-1x^t-1 by choosing arbitrary coefficients m₁,,m_t-1 ∈ F, i.e. choosing arbitrarily from among the |F| ^t-1 distinct polynomials of degree no more than t - 1 with intercept f.

In the first construction, given x₁, ⋅⋅⋅ ,x_t,f we obtain a polynomial by choosing arbitrary y₁,,y_t-1 ∈ F. The polynomials chosen are necessarily distinct since no polynomial can pass through both (x_i,p) and (x_i,q) for any p≠q, so by choosing each y_i from among the |F | elements of F, we choose arbitrarily from a set of |F | ^t-1 distinct polynomials whose intercepts are all f.

Since there are only |F | ^t-1 such polynomials, each construction chooses arbitrarily from among the same set, and by the pigeonhole principle there exists a bijective mapping between sets of arbitrary y values in the first construction and sets of arbitrary coefficients in the second.

7 Theorem: With at least t pieces the secret is recoverable

Let B ⊂ {(x ,y),⋅⋅⋅,(x ,y )}
1 1 s s with |B| = t. Then P_B(0) = c.

Further, if B^′⊂ {(x ,y ),⋅⋅⋅,(x ,y )}
1 1 s s with |B^′| > t, then for every subset B of B^′ with |B| = t, P_B(0) = f.

7.1 Proof

The second part is trivially implied by the first.

Recall that X = {(x1,y1),⋅⋅⋅,(xt,yt)} and that P_X(0) = f. If B = X the result is true. If not, repeatedly apply Lemma 2 to replace an element of X not in B with an element of B not in X, preserving the value of P(0).

8 Theorem: With fewer than t pieces no information is gained

Let C ⊂ {(x1,y1),⋅⋅⋅,(xs,ys)} with |C| < t. Then for each d ∈ F, there exists D ⊃ C, |D| = t, such that d = P_D(0).

(In other words, any d ∈ F remains a possible value for the secret, so an attacker with fewer than t shares has gained no information.)

8.1 Proof

Let a_i, b_i be such that C = {(a1,b1),⋅⋅⋅,(an,bn)} , some n < t. Choose arbitrary a_n+1,,a_t and arbitrary b_n+1,,b_t-1. Let b_t be chosen by applying Lemma 1 with c := d. Then by choice of b_t, P_C(0) = d as required.

9 Implementation in GF(2⁸)

The program test_gfshare_isfield, compiled and run by make check, demonstrates that the calculations done by libgfshare are indeed performed in a field.

10 Attacks not addressed

This document has not addressed the following:

- Attacks based on the use of a predictable or partially predictable pseudorandom number generator might be possible.

- In the implementation used in libgfshare, the field F is the field of byte values, with addition being bitwise exclusive-or, and multiplication as usual; each byte of the secret is shared separately by applying this algorithm separately. This means that when a secret file is shared, the length in bytes of each share equals the length in bytes of the secret. If the length of the secret is itself secret, it should be padded to some standard length before sharing.

11 References

[SHAMIR] Adi Shamir, ”How to share a secret”, Communications of the ACM, 22(1), pp612–613, 1979. Available at http://www.cs.tau.ac.il/~bchor/Shamir.html

12 Copyright and disclaimer

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the ”Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED ”AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.