|
|
Line 1: |
Line 1: |
| '''Shamir's Secret Sharing''' is an [[algorithm]] in [[cryptography]] created by [[Adi Shamir]]. It is a form of [[secret sharing]], where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret. | | s��chez os cheeux et assurez-ous qu'il est compl��tement sec. * Ex��cuter un peigne ou une brosse dans les cheeux pour d��m��ler les cheeux et le pr��parer pour le GHD. * Aant de chauffer le fer �� d��friser, essuyer tout r��sidu sur les plaques de fer plat aec un chiffon doux. * Mettez le gadget et laisser chauffer. temps de chauffage, l'int��gration technologique, les caract��ristiques et bien s?r le prix. Vous pouez choisir le fer plat Turbo qui est habilement con?u aec un profil l��ger et ergonomique qui le rend tr��s confortable et s? |
|
| |
|
| Counting on all participants to combine together the secret might be impractical, and therefore sometimes the ''threshold scheme'' is used where any <math>k</math> of the parts are sufficient to reconstruct the original secret.
| |
|
| |
|
| ==Mathematical definition==
| |
| The goal is to divide data <math>D</math> (e.g., a [[safe]] combination) into <math>n</math> pieces <math>D_1,\ldots,D_n</math> in such a way that:
| |
| # Knowledge of any <math>k</math> or more <math>D_i</math> pieces makes <math>D</math> easily computable.
| |
| # Knowledge of any <math>k-1</math> or fewer <math>D_i</math> pieces leaves <math>D</math> completely undetermined (in the sense that all its possible values are equally likely).
| |
|
| |
|
| This scheme is called <math>\left(k,n\right)</math> threshold scheme.
| | r pour le traitement durant le coiffage. Lorsque les fers plats Turbo sont con?us aec des fonctionnalit��s aanc��es, Ils ont fait beaucoup d'am��liorations et ont continu�� �� am��liorer la technologie faisant l'outil de cheeux plus maniables et il ya d'autres facteurs qui aident �� exceller GHD autres d��frisants dans le domaine de la concurrence. Introduit dans les ann��es , GHD a eu quelques fonctionnalit��s r��olutionnaires qui ont fait le traail de d��frisage moins intense aec des r��sultats ��tonnants. |
| If <math>k=n</math> then all participants are required to reconstruct the secret.
| |
|
| |
|
| ==Shamir's secret-sharing scheme==
| | Plus t?t que GHD il y aait d��frisants qui emploient des plaques d'aluminium et d'autres utilis��s apeur pour le m��me processus qui a ��t�� moins efficace que le GHD qui fut le premier �� introduire l'utilisation de plaques de c��ramique dans leurs d��frisants. Aucun autre mat��riau pourrait ��tre mieux que l'utilisation de la c��ramique comme il est le mat��riau id��al pour lisser les cheeux, Que son utilit�� du produit attire les femmes dans le monde entier? Vous pouez raiment ��rifier sa popularit�� sur les magasins populaires et les moteurs de recherche. |
| [[File:3 polynomials of degree 2 through 2 points.svg|thumb|right|One can draw an infinite number of polynomials of degree 2 through 2 points. 3 points are required to define a unique polynomial of degree 2. This image is for illustration purposes only — Shamir's scheme uses polynomials over a [[finite field]], not representable on a 2-dimensional plane.]]
| |
| The essential idea of [[Adi Shamir]]'s threshold scheme is that 2 [[Point (geometry)|point]]s are sufficient to define a [[Line (geometry)|line]], 3 points are sufficient to define a [[parabola]], 4 points to define a [[cubic function|cubic curve]] and so forth.
| |
| That is, it takes <math>k\,\!</math> points to define a [[polynomial]] of [[Degree_of_a_polynomial|degree]] <math>k-1\,\!</math>.
| |
|
| |
|
| Suppose we want to use a <math>\left(k,n\right)\,\!</math> threshold scheme to share our secret <math>S\,\!</math>, without loss of generality assumed to be an element in a [[finite field]] <math>F</math> of size <math>0 < k \le n < P</math> where <math>P</math> is a prime number.
| | Si ous regardez dans os esth��ticienne et cheeux styliste salons locaux, ous trouerez beaucoup de femmes qui luttent pour obtenir le look cheeux raides. Le style deient rebondir quand les c��l��brit��s comme ennifer Aniston et ennifer Lopez ont fait raiment populaire et sensible parmi les femmes en particulier aec les adolescents. un ami �� exiger est en fait un ami s?r! ��l��ment de co?t ne ous a pas emp��ch�� de la cigarette, mais il faut constamment donner l'auto-suggestion �� os pens��es, que ous pouez conserer beaucoup d'argent, en quittant la cigarette. |
|
| |
|
| Choose at random <math>k-1\,\!</math> coefficients <math>a_1,\cdots,a_{k-1}\,\!</math> in <math>F</math>, and let <math>a_0=S\,\!</math>. Build the polynomial <math>f\left(x\right)=a_0+a_1x+a_2x^2+a_3x^3+\cdots+a_{k-1}x^{k-1}\,\!</math>. Let us construct any <math>n\,\!</math> points out of it, for instance set <math>i=1,\cdots,n\,\!</math> to retrieve <math>\left(i,f\left(i\right)\right)\,\!</math>. Every participant is given a point (an integer input to the polynomial, and the corresponding integer output).
| | sans rabaisser les autres. Si ils ne peuent pas h��riter de ce globe, alors je ne moins que l'espoir qu'ils sont en mesure d'h��riter des ressources et la sagesse pour le cr��er. Et Im si malheureux pour deenir rappel�� que tous les plus de la nation, les jeunes de ce soir sera dit sans phrases incertains qui ils sont. une beaut�� hairstraightener GHD est un ultra polyalent et un gadget tout compris de coiffure. |
| Given any subset of <math>k\,\!</math> of these pairs, we can find the coefficients of the polynomial using [[curve fitting|interpolation]]. The secret is the constant term <math>a_0\,\!</math>.
| |
|
| |
|
| ==Usage==
| | Vous pouez utiliser otre styler GHD pour rendre os cheeux droite, lisse et soyeux. Mais ous pouez aussi utiliser otre [http://tinyurl.com/m63r8fp lisseur GHD] �� friser os cheeux. En faisant juste les mesures appropri��es de curling, Serrer Paiement \xamp, Serice �� la client��le impressionnante. |
| | |
| === Example ===
| |
| The following example illustrates the basic idea. Note, however, that calculations in the example are done using integer arithmetic rather than using [[finite field arithmetic]]. Therefore the example below does not provide perfect secrecy,{{Clarify|Why not?|date=July 2013}} and is not a true example of Shamir's scheme.
| |
| | |
| ====Preparation====
| |
| Suppose that our secret is 1234 <math>(S=1234)\,\!</math>.
| |
| | |
| We wish to divide the secret into 6 parts <math>(n=6)\,\!</math>, where any subset of 3 parts <math>(k=3)\,\!</math> is sufficient to reconstruct the secret. At random we obtain two (<math>k-1</math>) numbers: 166 and 94.
| |
| | |
| <math>(a_1=166;a_2=94)\,\!</math>
| |
| | |
| Our polynomial to produce secret shares (points) is therefore:
| |
| | |
| <math>f\left(x\right)=1234+166x+94x^2\,\!</math>
| |
| | |
| We construct 6 points from the polynomial:
| |
| | |
| <math>\left(1,1494\right);\left(2,1942\right);\left(3,2578\right);\left(4,3402\right);\left(5,4414\right);\left(6,5614\right)\,\!</math>
| |
| | |
| We give each participant a different single point (both <math>x\,\!</math> and <math>f\left(x\right)\,\!</math>).
| |
| | |
| ====Reconstruction====
| |
| In order to reconstruct the secret any 3 points will be enough.
| |
| | |
| Let us consider <math>\left(x_0,y_0\right)=\left(2,1942\right);\left(x_1,y_1\right)=\left(4,3402\right);\left(x_2,y_2\right)=\left(5,4414\right)\,\!</math>.
| |
| | |
| We will compute [[Lagrange polynomial|Lagrange basis polynomials]]:
| |
| | |
| <math>\ell_0=\frac{x-x_1}{x_0-x_1}\cdot\frac{x-x_2}{x_0-x_2}=\frac{x-4}{2-4}\cdot\frac{x-5}{2-5}=\frac{1}{6}x^2-\frac{3}{2}x+\frac{10}{3}\,\!</math>
| |
| | |
| <math>\ell_1=\frac{x-x_0}{x_1-x_0}\cdot\frac{x-x_2}{x_1-x_2}=\frac{x-2}{4-2}\cdot\frac{x-5}{4-5}=-\frac{1}{2}x^2+\frac{7}{2}x-5\,\!</math>
| |
| | |
| <math>\ell_2=\frac{x-x_0}{x_2-x_0}\cdot\frac{x-x_1}{x_2-x_1}=\frac{x-2}{5-2}\cdot\frac{x-4}{5-4}=\frac{1}{3}x^2-2x+\frac{8}{3}\,\!</math>
| |
| | |
| Therefore
| |
| | |
| <math>f(x)=\sum_{j=0}^2 y_j\cdot\ell_j(x)\,\!</math>
| |
| | |
| <math>=1234+166x+94x^2\,\!</math>
| |
| | |
| Recall that the secret is the free coefficient, which means that <math>S=1234\,\!</math>, and we are done.
| |
| | |
| ====Javascript example====
| |
| <!-- Don't try to standardize any styling in this example - it's purpose is to showcase language syntax, not provide some standard role model. -->
| |
| <div style="overflow:auto;">
| |
| <syntaxhighlight lang="javascript">
| |
| var prime = 257;
| |
| | |
| /*
| |
| * Split number into the shares
| |
| */
| |
| function split(number, available, needed)
| |
| {
| |
| var coef = [number, 166, 94], x, exp, c, accum, shares = [];
| |
| /* | |
| * Normally, we use the line:
| |
| * for(c = 1, coef[0] = number; c < needed; c++) coef[c] = Math.floor(Math.random() * (prime - 1));
| |
| * where (prime - 1) is the maximum allowable value.
| |
| * However, to follow this example, we hardcode the values:
| |
| * coef = [number, 166, 94];
| |
| * For production, replace the hardcoded value with the random loop
| |
| *
| |
| * For each share that is requested to be available, run through the formula plugging the corresponding coefficient
| |
| * The result is f(x), where x is the byte we are sharing (in the example, 1234)
| |
| */
| |
| for(x = 1; x <= available; x++)
| |
| {
| |
| /*
| |
| * coef = [1234, 166, 94] which is 1234x^0 + 166x^1 + 94x^2
| |
| */
| |
| for(exp = 1, accum = coef[0]; exp < needed; exp++)
| |
| accum = (accum + (coef[exp] * (Math.pow(x, exp) % prime) % prime)) % prime; // Modular math
| |
| /*
| |
| * Store values as (1, 1494), (2, 1942), (3, 2578), (4, 3402), (5, 4414) (6, 5614)
| |
| */
| |
| shares[x - 1] = [x, accum];
| |
| }
| |
| return shares;
| |
| }
| |
| | |
| /*
| |
| * Gives the decomposition of the gcd of a and b.
| |
| * Returns [x,y,z] such that x = gcd(a,b) and y*a + z*b = x
| |
| */
| |
| function gcdD(a,b) {
| |
| if (b == 0) return [a, 1, 0];
| |
| else {
| |
| var n = Math.floor(a/b), c = a % b, r = gcdD(b,c);
| |
| return [r[0], r[2], r[1]-r[2]*n];
| |
| }
| |
| }
| |
| | |
| /*
| |
| * Gives the multiplicative inverse of k mod prime.
| |
| * In other words (k * modInverse(k)) % prime = 1 for all 1 <= k < prime
| |
| */
| |
| function modInverse(k) {
| |
| k = k % prime;
| |
| var r = (k < 0) ? -gcdD(prime,-k)[2] : gcdD(prime,k)[2];
| |
| return (prime + r) % prime;
| |
| }
| |
| /*
| |
| * Join the shares into a number
| |
| */
| |
| function join(shares)
| |
| {
| |
| var accum, count, formula, startposition, nextposition, value, numerator, denominator;
| |
| for(formula = accum = 0; formula < shares.length; formula++)
| |
| {
| |
| /*
| |
| * Multiply the numerator across the top and denominators across the bottom to do Lagrange's interpolation
| |
| * Result is x0(2), x1(4), x2(5) -> -4*-5 and (2-4=-2)(2-5=-3), etc for l0, l1, l2...
| |
| */
| |
| for(count = 0, numerator = denominator = 1; count < shares.length; count++)
| |
| {
| |
| if(formula == count) continue; // If not the same value
| |
| startposition = shares[formula][0];
| |
| nextposition = shares[count][0];
| |
| numerator = (numerator * -nextposition) % prime;
| |
| denominator = (denominator * (startposition - nextposition)) % prime;
| |
| }
| |
| value = shares[formula][1];
| |
| accum = (prime + accum + (value * numerator * modInverse(denominator))) % prime;
| |
| }
| |
| return accum;
| |
| }
| |
| | |
| var sh = split(129, 6, 3) /* split the secret value 129 into 6 components - at least 3 of which will be needed to figure out the secret value */
| |
| var newshares = [sh[1], sh[3], sh[4]]; /* pick any any selection of 3 shared keys from sh */
| |
| | |
| alert(join(newshares));
| |
| </syntaxhighlight>
| |
| </div>
| |
| | |
| ==Properties==
| |
| Some of the useful properties of Shamir's <math>\left(k,n\right)\,\!</math> threshold scheme are:
| |
| # '''Secure''': [[Information theoretic security]].
| |
| # '''Minimal''': The size of each piece does not exceed the size of the original data.
| |
| # '''Extensible''': When <math>k\,\!</math> is kept fixed, <math>D_i\,\!</math> pieces can be dynamically added or deleted without affecting the other pieces.
| |
| # '''Dynamic''': Security can be easily enhanced without changing the secret, but by changing the polynomial occasionally (keeping the same free term) and constructing new shares to the participants.
| |
| # '''Flexible''': In organizations where hierarchy is important, we can supply each participant different number of pieces according to their importance inside the organization. For instance, the president can unlock the safe alone, whereas 3 secretaries are required together to unlock it.
| |
| | |
| ==See also==
| |
| * [[Secret sharing]]
| |
| * [[Lagrange polynomial]]
| |
| * [[Homomorphic secret sharing]] - A simplistic decentralized voting protocol.
| |
| * [[Two-man rule]]
| |
| | |
| ==References==
| |
| *{{citation
| |
| | last = Shamir
| |
| | first = Adi
| |
| | authorlink = Adi Shamir
| |
| | title = How to share a secret
| |
| | journal = Communications of the ACM
| |
| | volume = 22
| |
| | issue = 11
| |
| | pages = 612–613
| |
| | doi = 10.1145/359168.359176
| |
| | year = 1979}}.
| |
| | |
| *{{citation|last=Liu|first=C. L.|authorlink=Chung Laung Liu|title=Introduction to Combinatorial Mathematics|publisher=McGraw-Hill|location=New York|year=1968}}.
| |
| | |
| *{{citation|last1=Dawson|first1=E.|last2=Donovan|first2=D.|year=1994|title=The breadth of Shamir's secret-sharing scheme|journal=Computers & Security|volume=13|pages=69–78|doi=10.1016/0167-4048(94)90097-3}}.
| |
| | |
| *{{citation|last=Knuth|first=D. E.|authorlink=Donald Knuth|year=1997|title=[[The Art of Computer Programming]]|edition=3rd|volume=II: Seminumerical Algorithms|page=505|publisher=Addison-Wesley}}.
| |
| | |
| ==External links==
| |
| * [https://github.com/amper5and/secrets.js A proper Javascript implementation of Shamir's secret sharing scheme with open source (MIT) license]
| |
| * [http://point-at-infinity.org/ssss/ ssss: An open source (GPL) implementation of Shamir's Scheme] with [http://point-at-infinity.org/ssss/demo.html online demo]
| |
| * [http://charles.karney.info/misc/secret.html An open source (GPL) perl implementation of Shamir's Secret Sharing]
| |
| * [http://sourceforge.net/projects/secretsharp/ Secret Sharp: An open source (GPL) implementation of Shamir's Scheme for windows]
| |
| * [http://www.christophedavid.org/w/c/w.php/Calculators/ShamirSecretSharing Christophe David's web based implementation of Shamir's scheme 'How to share a Secret']
| |
| * [http://sourceforge.net/projects/secretsharejava/ Shamir's Secret Sharing in Java : An open source (LGPL) implementation of Shamir's scheme in Java]
| |
| * [http://www.dis.uniroma1.it/~damore/sss/ An open source implementation of the Shamir's Secret Sharing as open Web application, augmented by additional security features]
| |
| * [http://www.digital-scurf.org/software/libgfshare libgfshare: a secret sharing library in GF(2**8), opensource (MIT)]
| |
| * [http://www.asecuritysite.com/Encryption/shamir Web implementation of Shamir's method]
| |
| * [https://github.com/Archistar/archistar-smc Java library implementation of multiple secret sharing methods, opensource(LGPLv2)]
| |
| | |
| [[Category:Secret sharing]]
| |
| [[Category:Information-theoretically secure algorithms]]
| |
s��chez os cheeux et assurez-ous qu'il est compl��tement sec. * Ex��cuter un peigne ou une brosse dans les cheeux pour d��m��ler les cheeux et le pr��parer pour le GHD. * Aant de chauffer le fer �� d��friser, essuyer tout r��sidu sur les plaques de fer plat aec un chiffon doux. * Mettez le gadget et laisser chauffer. temps de chauffage, l'int��gration technologique, les caract��ristiques et bien s?r le prix. Vous pouez choisir le fer plat Turbo qui est habilement con?u aec un profil l��ger et ergonomique qui le rend tr��s confortable et s?
r pour le traitement durant le coiffage. Lorsque les fers plats Turbo sont con?us aec des fonctionnalit��s aanc��es, Ils ont fait beaucoup d'am��liorations et ont continu�� �� am��liorer la technologie faisant l'outil de cheeux plus maniables et il ya d'autres facteurs qui aident �� exceller GHD autres d��frisants dans le domaine de la concurrence. Introduit dans les ann��es , GHD a eu quelques fonctionnalit��s r��olutionnaires qui ont fait le traail de d��frisage moins intense aec des r��sultats ��tonnants.
Plus t?t que GHD il y aait d��frisants qui emploient des plaques d'aluminium et d'autres utilis��s apeur pour le m��me processus qui a ��t�� moins efficace que le GHD qui fut le premier �� introduire l'utilisation de plaques de c��ramique dans leurs d��frisants. Aucun autre mat��riau pourrait ��tre mieux que l'utilisation de la c��ramique comme il est le mat��riau id��al pour lisser les cheeux, Que son utilit�� du produit attire les femmes dans le monde entier? Vous pouez raiment ��rifier sa popularit�� sur les magasins populaires et les moteurs de recherche.
Si ous regardez dans os esth��ticienne et cheeux styliste salons locaux, ous trouerez beaucoup de femmes qui luttent pour obtenir le look cheeux raides. Le style deient rebondir quand les c��l��brit��s comme ennifer Aniston et ennifer Lopez ont fait raiment populaire et sensible parmi les femmes en particulier aec les adolescents. un ami �� exiger est en fait un ami s?r! ��l��ment de co?t ne ous a pas emp��ch�� de la cigarette, mais il faut constamment donner l'auto-suggestion �� os pens��es, que ous pouez conserer beaucoup d'argent, en quittant la cigarette.
sans rabaisser les autres. Si ils ne peuent pas h��riter de ce globe, alors je ne moins que l'espoir qu'ils sont en mesure d'h��riter des ressources et la sagesse pour le cr��er. Et Im si malheureux pour deenir rappel�� que tous les plus de la nation, les jeunes de ce soir sera dit sans phrases incertains qui ils sont. une beaut�� hairstraightener GHD est un ultra polyalent et un gadget tout compris de coiffure.
Vous pouez utiliser otre styler GHD pour rendre os cheeux droite, lisse et soyeux. Mais ous pouez aussi utiliser otre lisseur GHD �� friser os cheeux. En faisant juste les mesures appropri��es de curling, Serrer Paiement \xamp, Serice �� la client��le impressionnante.