Today: Secret Sharing. Polynomials.

Secret Sharing.
Share a secret among $n$ people.
Secrecy: any $k-1$ know nothing.
Robustness: any $k$ know the secret.
Efficient: minimize storage.

Polynomials.
A polynomial $P(x) = a_d x^d + a_{d-1} x^{d-1} + \cdots + a_0$ is specified by coefficients $a_d, \ldots, a_0$.
$P(x)$ contains point $(a, b)$ if $b = P(a)$.
Polynomials over reals: $a_1, \ldots, a_d \in \mathbb{R}$, use $x \in \mathbb{R}$.
Polynomials $P(x)$ with arithmetic modulo $p$:¹ $a_i \in \{0, \ldots, p-1\}$ and $P(x) = a_d x^d + a_{d-1} x^{d-1} + \cdots + a_0 \pmod p$, for $x \in \{0, \ldots, p-1\}$.
¹ A field is a set of elements with addition and multiplication operations, with inverses. $GF(p) = (\{0, \ldots, p-1\},\ + \pmod p,\ * \pmod p)$.

Polynomial: $P(x) = a_d x^d + \cdots + a_0$.
Line: $P(x) = a_1 x + a_0 = mx + b$. Two points specify a line.
Parabola: $P(x) = a_2 x^2 + a_1 x + a_0 = ax^2 + bx + c$. Three points specify a parabola.
[Figure: plots of the lines $P(x) = -1x + 3$ and $P(x) = .5x + 0$ and of the parabolas $P(x) = 0.5x^2 - x + 0.1$ and $P(x) = -.3x^2 + 1x + .1$; axes $x$, $P(x)$.]

Polynomial: $P(x) = a_d x^d + \cdots + a_0 \pmod p$.
Two points make a line. [Figure: the lines $3x + 1 \pmod 5$ and $x + 2 \pmod 5$; axes $x$, $P(x)$.]
Finding an intersection: $x + 2 \equiv 3x + 1 \pmod 5 \implies 2x \equiv 1 \pmod 5 \implies x \equiv 3 \pmod 5$.
3 is the multiplicative inverse of 2 modulo 5. Good when the modulus is prime!!

Fact: Exactly 1 degree $\le d$ polynomial contains $d+1$ points.²
² Points with different $x$ values.
Modular Arithmetic Fact: Exactly 1 degree $\le d$ polynomial with arithmetic modulo prime $p$ contains $d+1$ pts.
[Figure: 3 points determine a parabola; 2 points are not enough. Parabolas shown: $P(x) = 0.5x^2 - x + 1$, $P(x) = -.3x^2 + 1x + .5$, $P(x) = .2x^2 - .5x + 1.5$, $P(x) = -.6x^2 + 1.9x - .1$.]

Modular Arithmetic Fact and Secrets.
Modular Arithmetic Fact: Exactly 1 degree $\le d$ polynomial with arithmetic modulo prime $p$ contains $d+1$ pts.
Shamir's $k$ out of $n$ Scheme: Secret $s \in \{0, \ldots, p-1\}$.
1. Choose $a_0 = s$, and randomly $a_1, \ldots, a_{k-1}$.
2. Let $P(x) = a_{k-1} x^{k-1} + a_{k-2} x^{k-2} + \cdots + a_0$ with $a_0 = s$.
3. Share $i$ is the point $(i, P(i) \bmod p)$.
Robustness: Any $k$ shares give the secret. Knowing $k$ pts $\implies$ only one $P(x)$ $\implies$ evaluate $P(0)$.
Secrecy: Any $k-1$ shares give nothing. Knowing $\le k-1$ pts $\implies$ any $P(0)$ is possible.

Fact: Exactly 1 degree $\le d$ polynomial contains $d+1$ points.³
³ Points with different $x$ values.
[Figure: there is a $P(x)$ that contains the blue points and any $(0, y)$!]

Delta Polynomials: Concept.
Modular Arithmetic Fact: Exactly 1 degree $\le d$ polynomial with arithmetic modulo prime $p$ contains $d+1$ pts.
Proof of at least one polynomial: Given points $(x_1, y_1); (x_2, y_2); \cdots; (x_{d+1}, y_{d+1})$.
We will work with polynomials with arithmetic modulo $p$.
Given $d+1$ points, use $\Delta_i$ functions to go through the points?
Will $y_1 \Delta_1(x)$ contain $(x_1, y_1)$? Will $y_2 \Delta_2(x)$ contain $(x_2, y_2)$?
Does $y_1 \Delta_1(x) + y_2 \Delta_2(x)$ contain $(x_1, y_1)$? and $(x_2, y_2)$?
See the idea? A function that contains all the points?
$P(x) = y_1 \Delta_1(x) + y_2 \Delta_2(x) + \cdots + y_{d+1} \Delta_{d+1}(x)$.

There exists a polynomial...
For a set of $x$-values $x_1, \ldots, x_{d+1}$:
$\Delta_i(x) = \begin{cases} 1, & \text{if } x = x_i, \\ 0, & \text{if } x = x_j \text{ for } j \neq i, \\ ?, & \text{otherwise.} \end{cases}$ (1)
$\Delta_i(x) = \dfrac{\prod_{j \neq i} (x - x_j)}{\prod_{j \neq i} (x_i - x_j)}$.
Numerator is 0 at $x_j \neq x_i$. Denominator makes it 1 at $x_i$.
And.. $P(x) = y_1 \Delta_1(x) + y_2 \Delta_2(x) + \cdots + y_{d+1} \Delta_{d+1}(x)$ hits the points $(x_1, y_1); (x_2, y_2); \cdots; (x_{d+1}, y_{d+1})$. Degree $d$ polynomial!
Construction proves the existence of a polynomial!

Example.
For a line, $a_1 x + a_0 = mx + b$ contains the points $(1, 3)$ and $(2, 4)$. Work modulo 5.
Plug in the points to find equations:
$P(1) = m(1) + b \equiv m + b \equiv 3 \pmod 5$
$P(2) = m(2) + b \equiv 2m + b \equiv 4 \pmod 5$
Subtract the first from the second.. $m \equiv 1 \pmod 5$. Backsolve: $b \equiv 2 \pmod 5$. Secret is 2.
And the line is... $x + 2 \bmod 5$.

From $d+1$ points to a degree $d$ polynomial?
For a quadratic polynomial, $a_2 x^2 + a_1 x + a_0$ hits $(1, 2); (2, 4); (3, 0)$. Work modulo 5.
Plug in the points to find equations:
$P(1) = a_2 + a_1 + a_0 \equiv 2 \pmod 5$
$P(2) = 4a_2 + 2a_1 + a_0 \equiv 4 \pmod 5$
$P(3) = 4a_2 + 3a_1 + a_0 \equiv 0 \pmod 5$
Eliminating $a_2$:
$a_2 + a_1 + a_0 \equiv 2 \pmod 5$
$3a_1 + 2a_0 \equiv 1 \pmod 5$
$4a_1 + 2a_0 \equiv 2 \pmod 5$
Subtracting the 2nd from the 3rd yields $a_1 = 1$.
$a_0 = (2 - 4(a_1)) \cdot 2^{-1} = (-2)(2^{-1}) = (3)(3) = 9 \equiv 4 \pmod 5$.
$a_2 = 2 - 1 - 4 \equiv 2 \pmod 5$.
So the polynomial is $2x^2 + 1x + 4 \pmod 5$.

Delta polynomial: line.
Degree 1 polynomial, $P(x)$, that contains $(1, 3)$ and $(3, 4)$? Work modulo 5.
$\Delta_1(x)$ contains $(1, 1)$ and $(3, 0)$.
$\Delta_1(x) = \dfrac{(x - 3)}{1 - 3} = \dfrac{x - 3}{-2} = 2(x - 3) = 2x - 6 = 2x + 4 \pmod 5$.

Quadratic.
$\Delta_i(x) = \dfrac{\prod_{j \neq i} (x - x_j)}{\prod_{j \neq i} (x_i - x_j)}$.
For a quadratic, $a_2 x^2 + a_1 x + a_0$ hits $(1, 3); (2, 4); (3, 0)$. Work modulo 5.
Find the $\Delta_1(x)$ polynomial that contains $(1, 1); (2, 0); (3, 0)$.
$\Delta_1(x) = \dfrac{(x - 2)(x - 3)}{(1 - 2)(1 - 3)} = \dfrac{(x - 2)(x - 3)}{2} = 3(x - 2)(x - 3) = 3x^2 + 3 \pmod 5$.
Put the delta functions together.

In general.. Another Construction: Interpolation!
Given points $(x_1, y_1); (x_2, y_2); \cdots; (x_k, y_k)$.
$\Delta_i(x) = \dfrac{\prod_{j \neq i} (x - x_j)}{\prod_{j \neq i} (x_i - x_j)}$.
Numerator is 0 at $x_j \neq x_i$. Denominator makes it 1 at $x_i$.
And.. $P(x) = y_1 \Delta_1(x) + y_2 \Delta_2(x) + \cdots + y_k \Delta_k(x)$ hits the points $(x_1, y_1); (x_2, y_2); \cdots; (x_k, y_k)$.
Construction proves the existence of the polynomial!

In general. Solve...
Given points $(x_1, y_1); (x_2, y_2); \cdots; (x_k, y_k)$.
$a_{k-1} x_1^{k-1} + \cdots + a_0 \equiv y_1 \pmod p$
$a_{k-1} x_2^{k-1} + \cdots + a_0 \equiv y_2 \pmod p$
$\vdots$
$a_{k-1} x_k^{k-1} + \cdots + a_0 \equiv y_k \pmod p$
Will this always work? Same as before? As long as a solution exists and it is unique!
Modular Arithmetic Fact: Exactly 1 degree $\le d$ polynomial with arithmetic modulo prime $p$ contains $d+1$ pts.

Quadratic, continued.
Find the $\Delta_1(x)$ polynomial that contains $(1, 1); (2, 0); (3, 0)$.
Try $(x - 2)(x - 3) \pmod 5$. Value is 0 at 2 and 3. Value is 2 at 1. Not 1! Doh!!
So "divide by 2", or multiply by 3.
$\Delta_1(x) = (x - 2)(x - 3)(3) \pmod 5$ contains $(1, 1); (2, 0); (3, 0)$.
$\Delta_2(x) = (x - 1)(x - 3)(4) \pmod 5$ contains $(1, 0); (2, 1); (3, 0)$.
$\Delta_3(x) = (x - 1)(x - 2)(3) \pmod 5$ contains $(1, 0); (2, 0); (3, 1)$.
But we wanted to hit $(1, 3); (2, 4); (3, 0)$!
$P(x) = 3\Delta_1(x) + 4\Delta_2(x) + 0\Delta_3(x)$ works.
...after a lot of calculations... $P(x) = 2x^2 + 1x + 4 \bmod 5$. The same as before!

Uniqueness.
Uniqueness Fact: At most one degree $d$ polynomial hits $d+1$ points.
Proof: Assume two different polynomials $Q(x)$ and $P(x)$ hit the points.
$R(x) = Q(x) - P(x)$ has $d+1$ roots and is degree $d$. Contradiction.
Must prove the Roots fact.
Roots fact: Any degree $d$ polynomial has at most $d$ roots.

Polynomial Division.
Divide $4x^2 - 3x + 2$ by $(x - 3)$ modulo 5.

          4x + 4   r 4
        -----------------
  x - 3 ) 4x^2 - 3x + 2
          4x^2 - 2x
          ---------
                4x + 2
                4x - 2
                ------
                     4

$4x^2 - 3x + 2 \equiv (x - 3)(4x + 4) + 4 \pmod 5$.
In general, dividing $P(x)$ by $(x - a)$ gives $Q(x)$ and remainder $r$. That is, $P(x) = (x - a) Q(x) + r$.

Only $d$ roots.
Lemma 1: $P(x)$ has root $a$ iff $P(x) / (x - a)$ has remainder 0: $P(x) = (x - a) Q(x)$.
Proof: $P(x) = (x - a) Q(x) + r$. Plug in $a$: $P(a) = r$. It is a root if and only if $r = 0$.
Lemma 2: If $P(x)$ has $d$ roots $r_1, \ldots, r_d$, then $P(x) = c(x - r_1)(x - r_2) \cdots (x - r_d)$.
Proof Sketch: By induction. Induction Step: $P(x) = (x - r_1) Q(x)$ by Lemma 1. $Q(x)$ has smaller degree, so use the induction hypothesis.
$d+1$ roots implies the degree is at least $d+1$.
Roots fact: Any degree $d$ polynomial has at most $d$ roots.

Finite Fields.
Modular Arithmetic Fact: Exactly one polynomial of degree $\le d$ over $GF(p)$, $P(x)$, hits $d+1$ points.
The proof works for reals, rationals, and complex numbers.. ..but not for integers, since there are no multiplicative inverses.
Arithmetic modulo a prime $p$ has multiplicative inverses.. ..and has only a finite number of elements. Good for computer science.
Arithmetic modulo a prime $m$ is a finite field, denoted by $F_m$ or $GF(m)$.
Intuitively, a field is a set with operations corresponding to addition, multiplication, and division.

Secret Sharing.
Shamir's $k$ out of $n$ Scheme: Secret $s \in \{0, \ldots, p-1\}$.
1. Choose $a_0 = s$, and randomly $a_1, \ldots, a_{k-1}$.
2. Let $P(x) = a_{k-1} x^{k-1} + a_{k-2} x^{k-2} + \cdots + a_0$ with $a_0 = s$.
3. Share $i$ is the point $(i, P(i) \bmod p)$.
Robustness: Any $k$ know the secret. Knowing $k$ pts, only one $P(x)$; evaluate $P(0)$.
Secrecy: Any $k-1$ know nothing. Knowing $\le k-1$ pts, any $P(0)$ is possible.

Minimality.
Need $p > n$ to hand out $n$ shares: $P(1) \ldots P(n)$.
For a $b$-bit secret, must choose a prime $p > 2^b$.
Theorem: There is always a prime between $n$ and $2n$.
So we work over numbers within 1 bit of the secret size. Minimality.
With $k$ shares, reconstruct the polynomial $P(x)$.
With $k-1$ shares, any of $p$ values is possible for $P(0)$! (Almost) any $b$-bit string is possible!
(Almost) the same as what is missing: one $P(i)$.
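The scheme and the delta-polynomial reconstruction above, as an added example (not part of the original lecture slides): shares are points $(i, P(i) \bmod p)$, and any $k$ of them are interpolated with $P(x) = \sum_i y_i \Delta_i(x)$ over $GF(p)$ to recover $a_0 = P(0)$. Function names and the choice of the Mersenne prime $2^{127}-1$ for the large-field case are this example's own assumptions; the $p = 5$ inputs are the lecture's.

```python
import secrets  # CSPRNG for the random coefficients a_1..a_{k-1}


def inv(a, p):
    """Multiplicative inverse in GF(p) via Fermat; exists for a != 0 because p is prime."""
    return pow(a % p, p - 2, p)


def make_shares(secret, k, n, p):
    """Shamir k-of-n: a_0 = secret, a_1..a_{k-1} random; share i is (i, P(i) mod p).
    Needs n < p so that the share x-values 1..n are distinct nonzero field elements."""
    assert 0 <= secret < p and 0 < k <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(i, sum(a * pow(i, e, p) for e, a in enumerate(coeffs)) % p)
            for i in range(1, n + 1)]


def lagrange_coeffs(points, p):
    """Coefficients [a_0, ..., a_{k-1}] of the unique degree < k polynomial through the
    k points, built as P(x) = sum_i y_i * Delta_i(x) with
    Delta_i(x) = prod_{j!=i} (x - x_j) / prod_{j!=i} (x_i - x_j) in GF(p)."""
    k = len(points)
    poly = [0] * k
    for i, (xi, yi) in enumerate(points):
        num = [1]   # numerator prod_{j != i} (x - x_j) as a coefficient list, low degree first
        denom = 1   # prod_{j != i} (x_i - x_j)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [0] * (len(num) + 1)          # multiply num by (x - xj)
            for e, c in enumerate(num):
                new[e] = (new[e] - c * xj) % p
                new[e + 1] = (new[e + 1] + c) % p
            num = new
            denom = denom * (xi - xj) % p
        scale = yi * inv(denom, p) % p          # y_i / denominator makes Delta_i(x_i) = 1
        for e, c in enumerate(num):
            poly[e] = (poly[e] + c * scale) % p
    return poly


def evaluate(poly, x, p):
    return sum(a * pow(x, e, p) for e, a in enumerate(poly)) % p


def recover_secret(shares, p):
    """Interpolate exactly k shares and read off P(0) = a_0."""
    return lagrange_coeffs(shares, p)[0]
```

Interpolating the lecture's quadratic points $(1,2);(2,4);(3,0)$ modulo 5 returns $[4, 1, 2]$, i.e. $2x^2 + x + 4$, and the line through $(1,3);(2,4)$ returns $[2, 1]$, i.e. $x + 2$.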