
Ch12.

Secret Sharing Schemes


Imagine that you have made billions of £ $ from Internet stocks, and you wish to leave your estate to your 4 children. You would like to divide it among them in such a way that two of them have to get together to reconstruct the real combination, i.e., someone who wants some of the inheritance must somehow cooperate with one of the other children.
(t,w)=(2,4)-threshold scheme
Definition
Let t≦w be positive integers.
A (t,w)-threshold scheme is a method of sharing a message M among a set of w participants such that any subset consisting of t participants can reconstruct the message M, but no subset of smaller size can reconstruct M.
Shamir threshold scheme in 1979
Based on Lagrange interpolation polynomial
Also called Lagrange interpolation scheme

Choose a large prime p; the message M is represented as a number (mod p).
$s(x) \equiv M + s_1 x + s_2 x^2 + \dots + s_{t-1} x^{t-1} \pmod{p}$
$(x_i, y_i)$, $i = 1, 2, \dots, w$; $y_i \equiv s(x_i) \pmod{p}$
Lagrange Interpolating Polynomials
Suppose that the function y=f(x) is known at the n+1 points $(x_0,y_0), (x_1,y_1), \dots, (x_n,y_n)$, where $a \le x_0 < x_1 < x_2 < \dots < x_n \le b$; then there is a polynomial $P_n$ with $P_n(x_i)=y_i$, $0 \le i \le n$:

$$P_n(x) = \sum_{k=0}^{n} y_k L_{n,k}(x) = \sum_{k=0}^{n} y_k \prod_{i=0,\, i \ne k}^{n} \frac{x - x_i}{x_k - x_i} \bmod p$$
Computing Secret Value M

$$M = \sum_{k=1}^{t} y_k \prod_{i=1,\, i \ne k}^{t} \frac{-x_i}{x_k - x_i} \bmod p$$
Simple Exercises from p.303-306
2. You set up a (2,30) Shamir threshold scheme,
working mod the prime 101. Two of the shares
are (1,13) and (3,12). Another person received
the share (2,*), what is the value of *?

3. In a (3,5) Shamir secret sharing scheme with modulus p=17, the following were given to Alice, Bob, Charles: (1,8), (3,10), (5,11). Calculate the corresponding Lagrange interpolating polynomial, and identify the secret.
(Secret) Value Sharing
• A (k, n) threshold secret sharing should satisfy the following requirements:
(1) A secret value M is used to generate n shadows.
(2) Any ≧k shadows can reconstruct the secret value M.
(3) Any < k shadows cannot get sufficient information to reveal the secret value M.
Secret Sharing (1/4)
• A (k, n) threshold polynomial can be written as
$s(x) \equiv M + s_1 x + s_2 x^2 + \dots + s_{k-1} x^{k-1} \pmod{p}$
• Select n distinct integers $x_1, x_2, \dots, x_n$ from [0,p-1]
• Deliver $(x_i, s(x_i))$ to the i-th participant

p: a (large) prime number
M: secret value
$s_1, \dots, s_{k-1}$: randomly chosen from [0, p-1]
Secret Sharing (2/4)
• To reveal the secret value M, we must collect at least k shadows.
• Without loss of generality, we use $(x_1, s(x_1)), \dots, (x_k, s(x_k))$ as the k shadows.
• We can reveal the secret value M by using Lagrange interpolation.

$$s(x) = \sum_{j=1}^{k} s(x_j) \prod_{i=1,\, i \ne j}^{k} \frac{x - x_i}{x_j - x_i} \bmod p$$

• where M=s(0)
Secret Sharing (3/4)
Example:
• (k, n)=(2, 4)-threshold secret sharing
• M=9,p=17
• Given x1=1,x2=2,x3=3,x4=4
• A polynomial equation can be defined as
s(x) ≡ 9+13x mod 17
• Then s(1)=5, s(2)=1, s(3)=14, s(4)=10
• Four shadows: (1,5), (2,1), (3,14), (4,10)
Secret Sharing (4/4)
Example
• We can get the equation by taking (1,5), (4,10) and using Lagrange interpolation.

$$s(x) = 10 \cdot \frac{x-1}{4-1} + 5 \cdot \frac{x-4}{1-4} \bmod 17$$
• s(0)=9
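The sharing and recovery steps above, as an added Python example (not part of the original slides). It reproduces the slide's (2,4) example with M=9, p=17 and s(x)=9+13x; the function names are chosen here, and x=0 is rejected as a share index because that share would be s(0)=M itself.

```python
import secrets

def make_shares(secret, t, xs, p, coeffs=None):
    """Shares (x, s(x)) of s(x) = secret + s1*x + ... + s_{t-1}*x^(t-1) mod p."""
    if not 0 <= secret < p:
        raise ValueError("secret must be a residue mod p")
    residues = {x % p for x in xs}
    if len(residues) != len(xs) or 0 in residues:
        # x = 0 would hand out (0, s(0)) = (0, M), i.e. the secret in the clear.
        raise ValueError("x values must be distinct and nonzero mod p")
    if coeffs is None:
        # s1..s_{t-1} drawn uniformly from [0, p-1] with a CSPRNG
        coeffs = [secrets.randbelow(p) for _ in range(t - 1)]
    if len(coeffs) != t - 1:
        raise ValueError("need exactly t-1 coefficients")
    poly = [secret, *coeffs]

    def s(x):
        acc = 0
        for c in reversed(poly):          # Horner evaluation mod p
            acc = (acc * x + c) % p
        return acc

    return [(x, s(x)) for x in xs]

def lagrange_eval(shares, x, p):
    """Evaluate the interpolating polynomial through `shares` at x, mod p."""
    if len({xi % p for xi, _ in shares}) != len(shares):
        raise ValueError("shares must have distinct x values")
    total = 0
    for j, (xj, yj) in enumerate(shares):
        num, den = 1, 1
        for i, (xi, _) in enumerate(shares):
            if i != j:
                num = num * (x - xi) % p
                den = den * (xj - xi) % p
        # division mod p is multiplication by the modular inverse
        total = (total + yj * num * pow(den, -1, p)) % p
    return total

def recover_secret(shares, p):
    """M = s(0)."""
    return lagrange_eval(shares, 0, p)

if __name__ == "__main__":
    shares = make_shares(9, 2, [1, 2, 3, 4], 17, coeffs=[13])
    print(shares, recover_secret([shares[0], shares[3]], 17))
```

Passing `coeffs` fixes the polynomial so the slide's numbers can be reproduced; in real use leave it unset so the coefficients are random.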
Secret Image Sharing
• A (k, n)-threshold secret image sharing must satisfy the following requirements:
(1) The secret image S is used to generate n shadow images.
(2) Any ≧k shadow images can reconstruct the secret image.
(3) Any < k shadow images cannot get sufficient information to reveal the secret image.
Generation of Shadow Images
Pre-operation
Scramble a Secret Image
Pre-operation:
• All gray levels are in the range [0,255]
• Let p=251
• Suppress all values larger than 250 to 250.
-The values are in the range 0~250
-A Lossy method
• Select a key P to create a permutation matrix.
-To decrease the correlation between any neighboring pixels.
Meaningless Shadow Images

Share
Shadow Images Acquisition
• The equation can be written as
$g(x) \equiv a_0 + a_1 x + a_2 x^2 + \dots + a_{k-1} x^{k-1} \bmod 251$
• Select n distinct secret keys $x_1, x_2, \dots, x_n$.
• Deliver $(x_i, s(x_i))$ to the i-th participant.
Get the Permutation Image
Secret Image Reconstruction
• Without loss of generality, we have $(x_1, s(x_1)), (x_2, s(x_2)), \dots, (x_k, s(x_k))$.
• Use Lagrange interpolation to reconstruct the image.
Flowchart of Recovery
An Example Without Permutation
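Shadow generation and reconstruction mod 251 without the permutation step, as an added Python example (not part of the original slides). It assumes, following the Thien and Lin paper listed in the References, that each block of k pixels supplies the coefficients a0..a_{k-1} of g(x), so each shadow holds one value per block; the pixel values and function names are constructed for illustration.

```python
P = 251  # modulus used on the slides

def truncate(pixels):
    """Pre-operation: clamp gray levels 251..255 down to 250 (lossy)."""
    return [min(v, 250) for v in pixels]

def make_shadows(pixels, k, xs):
    """One shadow value per block of k pixels: g(x) = a0 + a1*x + ... mod P."""
    px = truncate(pixels)
    if len(px) % k:
        raise ValueError("pixel count must be a multiple of k")
    residues = {x % P for x in xs}
    if len(residues) != len(xs) or 0 in residues:
        # g(0) = a0, so a shadow at x = 0 would be raw pixel data
        raise ValueError("x values must be distinct and nonzero mod P")
    shadows = {x: [] for x in xs}
    for off in range(0, len(px), k):
        block = px[off:off + k]        # assumption: pixels are a0..a_{k-1}
        for x in xs:
            shadows[x].append(
                sum(a * pow(x, j, P) for j, a in enumerate(block)) % P)
    return shadows

def poly_coeffs(points):
    """All coefficients of the degree < k polynomial through k points, mod P."""
    coeffs = [0] * len(points)
    for j, (xj, yj) in enumerate(points):
        basis, den = [1], 1            # product of (x - xi), low degree first
        for i, (xi, _) in enumerate(points):
            if i != j:
                basis = [(prev - xi * cur) % P
                         for prev, cur in zip([0] + basis, basis + [0])]
                den = den * (xj - xi) % P
        scale = yj * pow(den, -1, P) % P
        for m, b in enumerate(basis):
            coeffs[m] = (coeffs[m] + scale * b) % P
    return coeffs

def reconstruct(shadows, k):
    """Rebuild the truncated pixel list from exactly k shadows {x: values}."""
    if len(shadows) != k:
        raise ValueError("need exactly k shadows")
    xs = list(shadows)
    pixels = []
    for vals in zip(*(shadows[x] for x in xs)):
        pixels.extend(poly_coeffs(list(zip(xs, vals))))
    return pixels
```

Unlike the scalar scheme, reconstruction here needs every coefficient of g(x), not only g(0), and pixels above 250 come back as 250.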
Experimental results
The (2,4)-threshold scheme on image Lenna, 512x512
[Figures: histogram of Lenna; the secret image; the permutation image; the four shadow images (1,s(1)), (2,s(2)), (3,s(3)), (4,s(4))]


Security Analysis
• Without loss of generality, suppose we only have (k-1) shadow images:
$y_1 \equiv (a_0 + a_1 + \dots + a_{k-1}) \bmod p$
$y_2 \equiv (a_0 + 2a_1 + \dots + 2^{k-1} a_{k-1}) \bmod p$
…
$y_{k-1} \equiv (a_0 + (k-1)a_1 + \dots + (k-1)^{k-1} a_{k-1}) \bmod p$

The probability to get the right image is $\left(\frac{1}{251}\right)^{\frac{512 \times 512}{k}}$

Property and Conclusion
• P=251
• A lossy method
• The size of each shadow image is 1/r of the secret image

• Fault-tolerance
• Use network hard disks for storage.
• Steganography
• …
References
• W. Trappe and L.C. Washington, Introduction to Cryptography with Coding Theory, Pearson International Edition (2006)

• C.C. Thien and J.C. Lin, “Secret image sharing,” Computers & Graphics, vol. 26, no. 1, 765-770, 2002.
