Secret sharing is a method by which a secret is split among a group, and requires certain threshold to meet where the members combine their respective shares for the secret to be reconstructed again.

Moreover, when a dealer distributes shares to $n$ players in such a way that at least $t(threshold)$ contributions are required to reconstruct the secret back, such a protocol is known as Threshold Secret Sharing $(t,n)$

Any secret sharing protocol has two methods: $(Share, Reconstruct)$, where:

- $Share$: dealer splits the secret and distributes individual shares to each member.
- $Reconstruct$: members combine their shares to reconstruct the secret back.

Properties as explained here:

**Binding**: once*share*is completed honestly, then there exists a value $r$ such that output of*reconstruct*is equal to $r$.**Validity**: if dealer distributes secret $s$ and perform*share*honestly, then value of*reconstruct*is equal to $s$.**Hiding**: if dealer is honest and no party hash begun*reconstruct*, then adversary can’t gain any information about $s$.

## Secure vs insecure secret sharing

When amount of work required to reconstruct the share isn’t affected by having knowledge of $0−k$ amount of shares, where $k<t$, then the scheme is deemed as secure.

Let’s take an example of *insecure sharing scheme*: let the secret consists of 10 bit key, and dealer distributes it to 5 members, each having 2 bits. Any external member with no knowledge will need $2_{10}$ guesses to get the key, while any 1 member will need $2_{8}$ and any member with k shares will only require $2_{10−2k}$ guesses.

Now, let’s define *secure secret sharing*. Let the secret be $s$ and suppose dealer hash to distribute this secret to $N$ members. Dealer samples $s_{i}∀i∈[1,N−1]$ uniformly such that $s_{N}=s⊕⨁_{i=1}s_{i}$, and distribute these shares to $N$ members. To reconstruct $s$ back, all $N$ shares are needed such that $s=⨁_{i=1}s_{i}$.

## $(t,n)$ TSS

Shamir Secret Sharing is a type of (t, n) threshold secret sharing where a degree $t−1$ polynomial is created and it’s evaluation on n points are shared with the members. Dealer has a secret $s$ which it wants to secretly share, it samples $t−1$ uniform elements $a_{1},a_{2},…,a_{t}∈F$ such that $f(X)=s+∑_{i=1}a_{i}X_{i}$, such that $f(0)=s$.

- Generating polynomial $f(x)$ of degree $k−1$ over a finite field $F_{p}$
- generating distinct shares: $s_{i}=x_{i},f(x_{i})$

Polynomial is of the form:

$f(x)=S+r_{1}x+⋯+r_{k−1}x_{k−1}$

These $r_{i}$ coefficients are randomly sampled and the points are generated which are the shares.

### reconstruct

To reconstruct the share back, any $t$ users can pool their shares, and use Lagrange polynomial interpolation to create the polynomial, evaluating it at $x=0$, will give the original share.

Putting $x=0$, gives us $f(0)=S$

Note that using integer domain here, compromises security of SSS, as then the adversary start gaining knowledge about the secret with each new share. That's why we use finite field with $∣F∣≫t$.

Things to prove:

- existence and uniqueness of Lagrange polynomial such that $f(x)=∑_{i=1}L_{i}y_{i}$, where $L_{i}$ is the $i_{th}$ Lagrange polynomial.
- prove that map proven above, $ϕ(p_{0},…,p_{f})=(p(z_{1}),p(z_{2}),…,p(z_{f+1}))$ for $Z={z_{1},…z_{f+1}}$ is a bijection of set of degree $f$ polynomials to their evaluations at the points in $Z$.
- prove binding, validity of SSS.
- prove hiding of SSS.

I am going to explain again the hiding property of SSS, but has a more formal description here, because it’s really interesting to define.

- Let’s take an adversary $A$ that passively control parties $b_{1},…,b_{f}$. This means adversary have access to their shares, i.e. $p(z_{1}),…,p(z_{f})$.
- our claim is that $ϕ$ maps the uniform distribution of $p_{0},…,p_{f}$ to $(p(z_{1}),…,p(z_{f+1}))$.
- Since, we know that honest dealer samples $p_{1},…,p_{f}$ uniformly, then probability of $p_{0},…,p_{f}=w_{0},…,w_{f}$, $w_{i}$ being any elements, is equal to $(∣F∣1 )_{f+1}$.
- we need to show $Pr[(p(z_{0})),p(z_{1}),…,p(z_{f})=(y_{0},y_{1},…,y_{f})]=(∣F∣1 )_{f+1}$
- this can be shown using $ϕ$ which is a bijection from $F_{f+1}→F_{f+1}$. Thus, distribution also follows from that.
- Now, since adversary doesn’t have knowledge of $p_{0}$ which is $p(0)=s$, distribution of adversary doesn’t change on the value of the secret. This means, whatever knowledge adversary gains from control of the $f$ members, it’s distribution isn’t affected by the secret value.

## Pitfalls

**Zero-share**: Common pitfalls occur during share generation as any shareholder who gets $x_{i}=0$ has its share as $0,S$, thus revealing the secret.**Non-unique shares:**when generating secret back, the protocol needs to evaluate $x_{m}−x_{j}x_{m} $ , and if $x_{m}=x_{j}(modq)$, then $x_{m}−x_{j}$ doesn’t exist and protocol fails.