## Shamir Secret Sharing

Shamir secret sharing is a $(t+1)$-out-of-$n$ secret sharing protocol. Given a secret value $s$, 
- define $f(X) = f_t X^t + \ldots + f_1 X + s$, where $f_t, \ldots, f_1 \leftarrow \mathbb{F}_p$ for some prime $p > n$
- give share $f(i)$ to $P_i$ ($i = 1, \ldots, n$)

To reconstruct, at least $t+1$ parties pool their points $(i, f(i))$ and reconstruct the polynomial $f$, e.g. as 

$$ \sum_i^{t+1} \ell_i \cdot f(i), \text{ where } \ell_i(X) = \frac{\Pi_{j \neq i} (X-x_j)}{\Pi_{j \neq i} (x_i-x_j)} $$ 

Then, evaluate $f(0) = s$.

In [1]:
import numpy as np
import random, sympy
import matplotlib.pyplot as plt

In [2]:
def eval_poly(coeffs, x):
    # coefficients from highest to lowest degree
    deg = len(coeffs)-1
    ans = 0
    for i in range(len(coeffs)):
        ans += coeffs[i]*x**(deg-i)
        
    return ans

In [3]:
def share(s, n, t, p):
    # check p
    if not sympy.isprime(p):
        print("p={} is not prime!".format(p))
        return
    if p <= n:
        print("p={} must be greater than n={}".format(p, n))
        return
        
    # check t
    if t >= n:
        print("t={} must be less than n={}".format(t, n))
        return
        
    coeffs = []
    for i in range(t):
        # sample coefficients from F_p = {0, ..., p-1}
        coeffs.append(random.randint(0,p-1))
        
    shares = []
    for i in range(n):
        shares.append((i+1, eval_poly(coeffs, i+1)))
        
    # plot the polynomial
    # plot the shares
    # plot the secret
        
    return shares