The Homomorphic Properties of Shamir Secret Sharing

If I want to get the value of $s_1 - s_2$, can I just use the minus operation for the secrets $s_1$ and $s_2$?
No, subtraction is not directly supported by the homomorphic properties of Shamir Secret Sharing. While addition of shares yields the shares of the sum of secrets, simply subtracting shares does not yield the shares of the difference of secrets.

To compute the shares of $s_1 - s_2$, you would need to do the following:

  1. Reconstruct $s_1$ and $s_2$ from their shares.
  2. Compute $s_1 - s_2$ to get the actual difference.
  3. Share the difference $s_1 - s_2$ using the secret sharing scheme to get new shares for the participants.

So subtraction requires reconstructing the original secrets, unlike addition which can be done directly on the shares while keeping the secrets encrypted. The homomorphic properties only support addition and scalar multiplication, not general subtraction.

The reason is that secret sharing schemes like Shamir’s are designed to make it difficult to reconstruct the actual secret values from shares alone. So operations that require knowing the secret values, like subtraction, cannot be done directly on the shares. Only operations that preserve the algebraic structure, like addition and scalar multiplication, are supported homomorphically.

Does this make sense? Let me know if you have any other questions!

How can I achieve the swap operation for two secrets such as $s_1, s_2$ in one vector via its homomorphic properties of Shamir Secret Sharing?
You’re right that the basic homomorphic properties of Shamir secret sharing do not directly support a “swap” operation on two shares. However, there is a technique to achieve this using additive homomorphism. Here is the basic idea:

  1. Represent the two secrets $s_1$ and $s_2$ as vectors: $s_1 = [s_{11}, s_{12}, ..., s_{1n}]$ and $s_2 = [s_{21}, s_{22}, ..., s_{2n}]$ where $s_{ij}$ is the share of secret $s_i$ held by participant $j$.

  2. Define a “swapping” vector $w = [w_1, w_2, ..., w_n]$ where $w_j = s_{2j} - s_{1j}$ for all $j$. This vector represents the difference between the shares of the two secrets for each participant.

  3. Compute the shares of the vector $s_1 + w$ using the additivity property. This gives a new set of shares $[s_{11} + w_1, s_{12} + w_2, ..., s_{1n} + w_n]$.

  4. Distribute the new shares $[s_{11} + w_1, s_{12} + w_2, ..., s_{1n} + w_n]$ to the participants.

  5. Each participant can now subtract their individual $w_j$ value from their new share to recover the share they should have received for secret $s_2$.

  6. The end result is that the shares for $s_1$ have been transformed into the shares for $s_2$, thereby achieving a “swap” of the two secrets in a homomorphic fashion.

The keys are: (1) Representing the secrets as vectors, (2) Defining a “difference” vector that represents swapping the secrets, (3) Using additive homomorphism to compute and distribute new shares, and (4) Having each participant locally subtract the difference to recover the swapped share.

Does this make sense? Let me know if you have any other questions!

The Answer from Perplexity

Shamir’s Secret Sharing scheme is an efficient secret sharing algorithm for distributing private information among a group so that the secret is split into multiple shares, which individually do not give any information about the secret. The shares are of the form $(x_0,f(x_0)), (x_1,f(x_1)), \ldots, (x_{n-1},f(x_{n-1}))$ where the $x_i$ are $n$ distinct nonzero elements of a finite field $\mathbb{F}$, and $f(x)$ is a polynomial of degree $k-1$ with coefficients in $\mathbb{F}$ [1].

To achieve the swap operation for two secrets such as $s_1, s_2$ in one vector via the homomorphic properties of Shamir Secret Sharing, we can use the fact that Shamir’s Secret Sharing is $(+,+)$-homomorphic, which means that the addition of two polynomial secrets equals the Lagrange’s interpolation of the sum-of-shares for the same subset of shares [2].

To swap $s_1$ and $s_2$, we can add $s_1$ and $s_2$ to obtain $s_1+s_2$, and then subtract $s_1$ from $s_2$ to obtain $s_2-s_1$. We can then use Shamir’s Secret Sharing to split $s_1+s_2$ and $s_2-s_1$ into shares and distribute them among the parties. The parties can then locally compute the sum and difference of the shares, respectively, to obtain the shares for $s_2$ and $s_1$, respectively [1].

In summary, we can use Shamir’s Secret Sharing scheme to achieve the swap operation for two secrets such as $s_1, s_2$ in one vector via its homomorphic properties. We can add $s_1$ and $s_2$ to obtain $s_1+s_2$, and then subtract $s_1$ from $s_2$ to obtain $s_2-s_1$. We can then use Shamir’s Secret Sharing to split $s_1+s_2$ and $s_2-s_1$ into shares and distribute them among the parties. The parties can then locally compute the sum and difference of the shares, respectively, to obtain the shares for $s_2$ and $s_1$, respectively [1].

Citations:
[1] https://crypto.stackexchange.com/questions/1483/how-do-you-find-a-single-cheater-in-shamir-secret-sharing
[2] https://crypto.stackexchange.com/questions/102465/shamirs-secret-sharing-homomorphism-for-different-degree-polynomials

By Perplexity at https://www.perplexity.ai/search/a1fda1b1-f078-48cd-93bd-efb478d8cbc0
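
Added example, not part of the original post or of either quoted answer: a minimal Shamir implementation over a prime field that lets each party apply a public linear combination to its own shares, then reconstructs the result from any $k$ of them to check the $(+,+)$-homomorphism and the "same subset of shares" condition mentioned above. The modulus `P`, the x-coordinates 1..n, and all function names are assumptions chosen for illustration.

```python
import secrets

P = 2**127 - 1  # prime field modulus (assumed choice for this example)

def share(secret, k, n):
    """Split secret into n shares (x, f(x)); f is a random degree k-1 polynomial."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    def f(x):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc
    return [(x, f(x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def linear_combine(coeffs, share_sets):
    """Each party computes sum_i coeffs[i] * y_i on its own shares, with no interaction."""
    out = []
    for party in zip(*share_sets):
        xs = {x for x, _ in party}
        if len(xs) != 1:  # shares combined by one party must sit at the same x
            raise ValueError("shares must use the same x-coordinate per party")
        y = sum(c * yv for c, (_, yv) in zip(coeffs, party)) % P
        out.append((xs.pop(), y))
    return out

def demo(s1=1234, s2=99, k=3, n=5):
    a, b = share(s1, k, n), share(s2, k, n)
    subset = slice(1, 1 + k)  # any k of the n parties suffice
    return {
        "sum": reconstruct(linear_combine([1, 1], [a, b])[subset]),
        "scaled": reconstruct(linear_combine([7], [a])[subset]),
        # P - 1 is -1 in GF(P): addition plus scalar multiplication combined
        "combo": reconstruct(linear_combine([1, P - 1], [a, b])[subset]),
    }
```

The reconstructed values are elements of GF(P), so a result is only meaningful as an integer when the intended value lies in the range the application maps onto the field.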
