52 Things: Number 19: The Shamir secret sharing scheme.

This is the latest in a series of blog posts addressing the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year.
 
The Shamir secret sharing scheme [3] is an algorithm invented by Adi Shamir that allows a secret, such as a key, to be divided among multiple parties in such a way that the whole secret can be recomputed once enough of those parts are brought together.
 
To put it slightly more formally, if we have a secret S and n parties, we can divide S into n parts (shares) and distribute one to each party. The division is done with respect to a threshold k: whenever k or more shares of S are known, the whole secret can be computed, but from k−1 or fewer shares S cannot be computed. Such a scheme is called a (k,n) threshold scheme.
 
The best way to explain how the scheme is constructed is by means of an example. Assume we want to divide the secret S=1425 between 5 parties (n=5) and require 3 shares (k=3) to be known before the secret can be computed. First we construct a polynomial [1] f(x) of degree k−1=2 whose constant term is S and whose remaining coefficients are chosen at random (say a_1=64, a_2=112):
$$f(x) = S + a_1 x + a_2 x^2 = 1425 + 64x + 112x^2.$$
From this polynomial we compute n=5 points, one for each of x=1,…,5 (never x=0, since f(0) is the secret itself), and distribute them to the parties, one point per party:
 
$$P_0=(1,1601),\quad P_1=(2,2001),\quad P_2=(3,2625),\quad P_3=(4,3473),\quad P_4=(5,4545).$$
 
If we assume that we know 3 of the 5 points, we can compute the 3 Lagrange basis polynomials [2] for those points; the sum of these polynomials, each multiplied by its associated y_j value, is f(x) and therefore yields the secret S=f(0). For example, suppose we know
$$(x_0,y_0)=(2,2001),\quad (x_1,y_1)=(3,2625),\quad (x_2,y_2)=(5,4545).$$
Computing the 3 Lagrange basis polynomials gives
$$\begin{aligned}
l_0(x) &= \frac{x-x_1}{x_0-x_1}\cdot\frac{x-x_2}{x_0-x_2} = \tfrac{1}{3}x^2 - \tfrac{8}{3}x + 5,\\
l_1(x) &= \frac{x-x_0}{x_1-x_0}\cdot\frac{x-x_2}{x_1-x_2} = -\tfrac{1}{2}x^2 + \tfrac{7}{2}x - 5,\\
l_2(x) &= \frac{x-x_0}{x_2-x_0}\cdot\frac{x-x_1}{x_2-x_1} = \tfrac{1}{6}x^2 - \tfrac{5}{6}x + 1,
\end{aligned}$$
and hence
$$\sum_{j=0}^{2} y_j\, l_j(x) = 112x^2 + 64x + 1425 = f(x).$$
As demonstrated, the method works. Over the rationals, however, an eavesdropper holding fewer than k shares can still glean a great deal about the secret S: two shares of the polynomial above give two linear equations in the three unknowns S, a_1, a_2, and once the coefficients are known to be (bounded) positive integers, only a limited set of values of S remains consistent with them. If instead the secret and the polynomial are defined over a finite field of size q (a prime q larger than both S and n, with all arithmetic done modulo q), then any two or fewer parties who come together learn nothing at all about the secret.
 
This is because for any two such parties, say the holders of P_1 and P_2, and for every candidate secret value S' in the field, there is exactly one polynomial of degree at most two over the finite field that interpolates the three points (0,S'), (2, 2001 mod q) and (3, 2625 mod q). Every value of S' is therefore equally consistent with the two shares, so they reveal nothing about which one is the real secret.
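To make the whole post concrete, the following Python program is an added example (not code from the original post) that implements the (k,n) scheme by Lagrange interpolation, reproduces the worked example above over the rationals, and then demonstrates both halves of the last two paragraphs: over the integers, two shares plus the knowledge that the random coefficients are bounded positive integers shrink the secret to a small candidate set, whereas over a prime field every candidate secret S' is consistent with the same two shares. The function names (`make_shares`, `lagrange_at_zero`, `integer_candidates`, `polynomial_through`), the toy prime q=7919, the coefficient bound 200 used by the brute-force search, and the 127-bit Mersenne prime used for a realistic field size are all my choices, not the post's.

```python
"""Shamir (k, n) threshold secret sharing via Lagrange interpolation.
Added example; the blog post's numbers (S=1425, a1=64, a2=112, n=5, k=3) are reused."""
from fractions import Fraction
import secrets


def eval_poly(coeffs, x, q=None):
    """Evaluate c0 + c1*x + c2*x^2 + ... by Horner's rule, modulo q if q is given."""
    acc = 0
    for c in reversed(coeffs):
        acc = acc * x + c
        if q is not None:
            acc %= q
    return acc


def make_shares(secret, k, n, q=None, coeffs=None):
    """Return n shares (x, f(x)) for x = 1..n of a degree-(k-1) polynomial with
    constant term `secret`. Coefficients are random field elements unless supplied.
    x = 0 is never used as a share index because f(0) is the secret itself."""
    if coeffs is None:
        if q is None:
            raise ValueError("random coefficients need a field modulus q")
        coeffs = [secrets.randbelow(q) for _ in range(k - 1)]
    poly = [secret] + list(coeffs)
    return [(x, eval_poly(poly, x, q)) for x in range(1, n + 1)]


def lagrange_at_zero(shares, q=None):
    """Recover f(0) = S from any k shares. Each Lagrange basis polynomial l_j is
    evaluated only at x = 0, which is all that is needed for the secret.
    q=None does exact rational arithmetic, as in the post's worked example."""
    total = Fraction(0) if q is None else 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for m, (xm, _) in enumerate(shares):
            if m != j:
                num *= -xm          # factor (0 - x_m) of l_j(0)
                den *= (xj - xm)    # factor (x_j - x_m) of l_j(0)
        if q is None:
            total += Fraction(yj * num, den)
        else:
            total = (total + yj * num * pow(den, -1, q)) % q
    if q is None:
        return int(total) if total.denominator == 1 else total
    return total


def integer_candidates(shares2, coeff_bound):
    """Leakage over the integers: given two shares of S + a1*x + a2*x^2 with
    1 <= a1, a2 <= coeff_bound (an assumed bound on the 'random' coefficients),
    brute-force every secret S consistent with both shares."""
    (x0, y0), (x1, y1) = shares2
    cands = set()
    for a1 in range(1, coeff_bound + 1):
        for a2 in range(1, coeff_bound + 1):
            s = y0 - a1 * x0 - a2 * x0 * x0
            if s >= 0 and s + a1 * x1 + a2 * x1 * x1 == y1:
                cands.add(s)
    return sorted(cands)


def polynomial_through(shares2, s_prime, q):
    """Perfect secrecy over GF(q): return the unique degree-<=2 polynomial
    [s_prime, a1, a2] through (0, s_prime) and the two given shares, solving the
    2x2 linear system for a1, a2 by Cramer's rule modulo the prime q."""
    (x0, y0), (x1, y1) = [(x % q, y % q) for x, y in shares2]
    b0, b1 = (y0 - s_prime) % q, (y1 - s_prime) % q
    inv_det = pow(x0 * x1 * (x1 - x0), -1, q)   # nonzero since 0 < x0 != x1 < q
    a1 = ((b0 * x1 * x1 - b1 * x0 * x0) * inv_det) % q
    a2 = ((x0 * b1 - x1 * b0) * inv_det) % q
    return [s_prime % q, a1, a2]


if __name__ == "__main__":
    # The post's example over the rationals: same five points, same recovery.
    shares = make_shares(1425, 3, 5, coeffs=[64, 112])
    print("shares:", shares)
    print("recovered from P1, P2, P4:", lagrange_at_zero([shares[1], shares[2], shares[4]]))

    # Two shares over the integers leak: few secrets fit if a1, a2 <= 200 (assumed bound).
    cands = integer_candidates([shares[1], shares[2]], 200)
    print(len(cands), "candidate secrets, e.g.", cands[:5], "... all = 3 mod 6")

    # Two shares over GF(7919): every S' has a polynomial that explains them.
    q = 7919
    for s_prime in (0, 1, 1425, 7918):
        print("S' =", s_prime, "fits via", polynomial_through([shares[1], shares[2]], s_prime, q))

    # Realistic field size with random coefficients, threshold 3 of 5.
    p = 2**127 - 1
    big = make_shares(1425, 3, 5, q=p)
    print("GF(2^127-1) recovery:", lagrange_at_zero([big[0], big[2], big[4]], q=p))
```

The rational path reproduces the post's arithmetic exactly (l_0(0)=5, l_1(0)=−5, l_2(0)=1), while `integer_candidates` shows why that setting is unsafe: the two shares (2,2001) and (3,2625) force a_1 + 5a_2 = 624, so the secret is pinned to S = 753 + 6a_2 and lies in a small arithmetic progression. In the field version the same two shares are explained by a valid polynomial for every possible S', which is the perfect-secrecy argument of the final paragraph; in practice choose q larger than the secret (or split the secret into field-sized chunks) and draw coefficients with a cryptographic RNG, as `secrets.randbelow` does here.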
posted @ 2024-04-11 23:26 by 3cH0_Nu1L