Shamir’s Secret Sharing Scheme [SSSS]
Shamir’s Secret Sharing  is an algorithm used to divide a given master secret
n parts, such that
m parts are required in order to compute the original master secret. If only
m-1 parts are available, no information about the master secret is revealed. If the
m-of-n threshold scheme is
n = 2m-1 then we can still recover
MS even if
n/2 = m-1 of the
n pieces are destroyed. However, an adversary cannot reconstruct
MS even when he has compromised
n/2 = m-1 parts.
SSSS is based on polynomial interpolation: given
m points in the 2-dimensional plane
(x_1, y_1) … (x_m, y_m) there is only one function
q(x) of degree
m-1 such that
q(x_i) = y_i for all
i. In order to protect against the attacker acquiring information about
MS with every additional
D_i, we use finite field arithmetic with a field of size
p ∊ P: p > MS, p > n. Prime number
p must be close enough to the desired security level, because a too large
p leads to long cypher text, but a too small
p leads to compromised security.
n, we generate
m-1 random numbers
a_1, … a_[m-1] and build a polynomial with the secret as
a_0. The polynomial is thus
q(x) = a_0 + a_1*x + a_2*x^2 + … + a_[m-1]*x^[m-1].
Then we construct
D_[x-1] = (x, q(x) mod p) from the polynomial and each party gets a different point [both
n will be enough to compute the entire polynomial
q(x) with the Lagrange interpolation formula .
Simulated shared ownership
SSSS can distribute the knowledge of a secret across several different sub-secret, where each of the holders has full knowledge of his individual part. However, the dealer first generates a master secret, which he has full knowledge off. Thus the dealer has full access and property rights in the funds locked up by the master secret. The sub-secret holders thus have a simulated shared ownership, however, they rely on the good will of the dealer to not spend the funds on his own accord. The use case for SSSS is thus more to backup a private key among semi-trusted peers, but where the dealer and owner of the bitcoin has always full control himself. This is a vitally important differentiation compared to some secure key and signature aggregation , which generates non-simulated shared ownership.