# Shamir Secret Sharing (SSS)

A secret is divided into $n$ pieces. At least $t$ shares are required to construct the secret but no information about the secret is revealed from $t-1$ pieces or less.


1. Dealer $D$ picks a random $t-1$ degree polynomial $ y(x) = a_0 + a_1x + a_2x^2 + \ldots + a_{t-1}x^{t-1} $, where $ s = a_0 $

2. Dealer $D$ computes and **secretly** distributes the share $y(j)$ to each player $j$. 

3. We can compute the secret $ s = y(0) $ by using Lagrange interpolation when receiving the $t$ shares.

_Lagrange polynomial_: Given $t$ points, we can obtain the unique polynomial.

$$ y(x) = \sum_{i=1}^{t} y(i)l_i(x) $$
  
$$ l_i(x) = \prod_{1 \leq m \leq t, m \neq t} \frac{(x-x_m)}{(x_i-x_m)} = \frac{(x-x_1)}{(x_i-x_1)} \cdots \frac{(x-x_t)}{(x_i-x_t)} $$

## Example 

$(3,5)$-shamir secret sharing

$ s=11, p=17 $

$ y(x) = 11 + 8x + 7x^2 $ mod $17$

$ y(1) = 11 + 8 \times 1 + 7 \times 1^2 \equiv 9 $ mod $17$

$ y(2) = 11 + 8 \times 2 + 7 \times 2^2 \equiv 4 $ mod $17$

$ y(3) = 11 + 8 \times 3 + 7 \times 3^2 \equiv 13 $ mod $17$

$ y(4) = 11 + 8 \times 4 + 7 \times 4^2 \equiv 2 $ mod $17$

$ y(5) = 11 + 8 \times 5 + 7 \times 5^2 \equiv 5 $ mod $17$


$ s = y(1)\frac{(2)}{(2-1)}\frac{(3)}{(3-1)} + y(2)\frac{(3)}{(3-2)}\frac{(1)}{(1-2)} + y(3)\frac{(1)}{(1-3)}\frac{(2)}{(2-3)} = 9 \cdot 3 + 4 \cdot (-3) + 13 \cdot 1 $ mod $17 = 11$ 

## Reference

- [1] https://iancoleman.io/shamir/
- [2] https://pycryptodome.readthedocs.io/en/latest/src/protocol/ss.html
- [3] https://github.com/hashicorp/vault/tree/master/shamir

## SSS

In [1]:
F = FiniteField(17) 
P = F['x']

f = P("11 + 8x + 7x^2")
shares = [(x, f(x)) for x in range(1, 6)]                         # polynomial evaluation
shares

[(1, 9), (2, 4), (3, 13), (4, 2), (5, 5)]

In [2]:
recover = P.lagrange_polynomial(shares)
recover

7*x^2 + 8*x + 11

In [3]:
secret = recover(0)
secret

11

## Resharing

In [4]:
f1 = P("5x + 6x^2")

In [5]:
new_shares = [(x, f1(x)+f(x)) for x in range(1, 6)]              # polynomial evaluation
new_shares

[(1, 3), (2, 4), (3, 14), (4, 16), (5, 10)]

In [6]:
recover = P.lagrange_polynomial(new_shares)
recover

13*x^2 + 13*x + 11

In [7]:
recover(0)

11