Kevin W. Wall wrote:
> Hi list...I have a question about Shamir's secret sharing.
> According to the _Handbook of Applied Cryptography_
> Shamir’s secret sharing (t,n) threshold scheme works as follows:
>     SUMMARY: a trusted party distributes shares of a secret S to n users.
>     RESULT: any group of t users which pool their shares can recover S.
>     The trusted party T begins with a secret integer S ≥ 0 it wishes
>     to distribute among n users.
>         (a) T chooses a prime p > max(S, n), and defines a0 = S.
>         (b) T selects t−1 random, independent coefficients defining the random
>             polynomial over Zp.
>         (c) T computes Si = f(i) mod p, 1 ≤ i ≤ n (or for any n distinct
>             points i, 1 ≤ i ≤ p − 1), and securely transfers the share Si
>             to user Pi, along with public index i.
> The secret S can then be computed by finding f(0) more or less by
> using Lagrangian interpolation on the t shares, the points (i, Si).
> The question that a colleague and I have is whether there is any
> cryptographic purpose in computing the independent coefficients over the
> finite field, Zp?

Yes, the information-theoretic security of the scheme depends on
performing the arithmetic in a finite field, and on the coefficients
being chosen randomly and independently in that field. In Shamir's
original paper:


the statement that "By construction, these p possible polynomials
are equally likely" depends on these conditions. I believe any finite
field will work, but Zp is the simplest option.

[Incidentally, if you're implementing this from Handbook of Applied
Cryptography, there's an erratum for that section (12.71):
"of degree at most t" in the paragraph after the Mechanism should be
"of degree less than t".]

David-Sarah Hopwood  ⚥
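As an added illustration of the point made in the reply (not code from either poster or from the Handbook), the scheme as summarised above, with the coefficients drawn uniformly from Z_p, Lagrange interpolation at f(0) for recovery, and a brute-force count (for a small prime, so the function names and the sample parameters p = 13, S = 7, t = 3, n = 5 are this example's own choices) showing that t-1 shares are consistent with exactly the same number of polynomials for every candidate secret, which is the "equally likely" property the reply refers to:

```python
import itertools
import secrets

def split_secret(secret, t, n, p):
    """Steps (a)-(c): a0 = S, t-1 uniform random coefficients in Z_p,
    shares S_i = f(i) mod p for i = 1..n. Caller supplies prime p > max(S, n)."""
    assert 0 <= secret < p and t <= n < p
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]

    def f(x):
        return sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p

    return [(i, f(i)) for i in range(1, n + 1)]

def recover_secret(shares, p):
    """Lagrange interpolation at x = 0 over Z_p from any t shares (i, S_i)."""
    secret = 0
    for xj, yj in shares:
        num, den = 1, 1
        for xm, _ in shares:
            if xm != xj:
                num = num * (-xm) % p
                den = den * (xj - xm) % p
        # den is invertible because p is prime and the x-coordinates are distinct
        secret = (secret + yj * num * pow(den, -1, p)) % p
    return secret

def candidate_secret_counts(shares, t, p):
    """Given fewer than t shares, count the polynomials of degree < t over Z_p
    that agree with them, for each candidate secret a0 (brute force, small p)."""
    counts = {}
    for a0 in range(p):
        counts[a0] = 0
        for rest in itertools.product(range(p), repeat=t - 1):
            coeffs = (a0,) + rest
            if all(sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p == y
                   for x, y in shares):
                counts[a0] += 1
    return counts

if __name__ == "__main__":
    p, S, t, n = 13, 7, 3, 5          # constructed sample parameters
    shares = split_secret(S, t, n, p)
    print(recover_secret(shares[:t], p))              # 7
    print(candidate_secret_counts(shares[:t - 1], t, p))  # every a0 -> 1
```

With t-1 = 2 shares each of the 13 candidate secrets is consistent with exactly one polynomial, so the shares reveal nothing about S; with a single share every candidate is consistent with 13 polynomials, again uniformly.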

The Cryptography Mailing List