Imagine two people who need to share a secret, for example a numeric key.
The simplest solution is to make copies of that secret and share them.
But what happens when no single person should have full access to a secret, for example missile launch codes or the passwords for large money transfers, which may require multiple people to confirm?
In these situations we require some minimum number of people to come to a consensus before applying a key.
One approach to this problem is to split the secret into pieces, or shares, which the participants keep secret from one another, and then combine the shares whenever they need to apply the secret key. The problem with this naive method is that each half of the key gives away partial information about the secret to the person who holds it.
For example, with an eight-digit secret, if one person knows the first four digits then they only need to guess through 10,000 possible combinations to find the key, whereas someone with no information would need to guess from 100 million possible combinations.
Recall that the definition of perfect secrecy from an information theory perspective requires that every possible key look equally likely.
This means that someone with one share is no more likely to guess the key than someone who doesn't have a share.
In order to prevent information leaking, we need to introduce some randomness.
For example, if the secret were an image we could protect that secret by adding a random image to it, resulting in an unrecognizable scrambled image.
Then one person could take the random image, the other the scrambled image, and when they need to recover the original image they just subtract the random image from the scrambled image.
In this case the secret shares on their own contain no information about the original image, but together they recover it perfectly.
That's the idea with images, but we can do the same thing numerically: take the secret and add a random number to it using modular arithmetic, which means we add the numbers digit by digit and, if the result is 10 or above, we only keep the remainder with no carry operation, so 11 becomes 1.
This allows the secret to be broken into random-looking pieces which we can give to each person without either of them seeing the original secret.
One person gets the random number; the other gets the result of adding the secret to the random number, a randomized secret.
There is no way to extract the original number from what is available to either person.
For example, if we take 5 plus 6 equals 1 and I give you only the 1, you have no information about which two numbers led to it.
So to determine the secret the two participants must come together and subtract their numbers to reverse the random process and recover the secret.
This simple procedure is known as a one-time pad and was proven to be perfectly secret by Claude Shannon.
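As an added example (not code from the original page or the video), here is the digit-wise modulo-10 scheme just described, generalized from two people to n: the function names and the use of the OS random source are my assumptions.

```python
import random

# Added example, not from the original page: additive secret sharing of a decimal
# string among n people, using digit-wise modulo-10 addition with no carry.
# Each share on its own is a uniformly random digit string.


def add_digits(a: str, b: str) -> str:
    """Digit-wise addition modulo 10 with no carry: 5 + 6 -> 1."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def sub_digits(a: str, b: str) -> str:
    """Digit-wise subtraction modulo 10, the inverse of add_digits: 1 - 6 -> 5."""
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def split_secret(secret: str, n: int, rng=None) -> list:
    """Return n shares: n-1 random pads plus one share chosen so that the
    digit-wise sum of all n shares equals the secret. rng defaults to the OS CSPRNG."""
    if n < 2 or not secret.isdigit():
        raise ValueError("need a digit string and at least two parties")
    rng = rng or random.SystemRandom()
    pads = ["".join(str(rng.randrange(10)) for _ in secret) for _ in range(n - 1)]
    last = secret
    for pad in pads:  # last = secret - pad_1 - ... - pad_{n-1}, digit-wise mod 10
        last = sub_digits(last, pad)
    return pads + [last]


def recover_secret(shares: list) -> str:
    """Digit-wise sum of the shares. Every share is needed: with any one missing
    the result is itself just a random string that says nothing about the secret."""
    total = "0" * len(shares[0])
    for share in shares:
        total = add_digits(total, share)
    return total
```

Losing any single share leaves the remaining holders with exactly the same information as an outsider, which is the single-point-of-failure property discussed next.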
But we aren't quite done yet, because when we try this approach with many participants we run into another problem.
Using this method all shares are required to recover the secret: if one of the eight people goes missing, loses a key or decides not to cooperate, the secret is lost to everyone.
Practically speaking this is not acceptable for many applications, since every share is a single point of failure.
In these cases what we need is a system where only some of the eight people need to come together to recover the secret.
For example, we might require that at least five out of eight people come together.
This problem was solved in 1979 by Adi Shamir, who published a paper which tackled the problem of sharing a secret amongst multiple parties.
He expanded the idea geometrically by imagining the secret as a point in space and the shares as points along a secret random curve.
For example, imagine we have a secret number shared amongst three people and we want to make sure that at least two are needed to recover the secret.
His key insight was to think about this number as a secret point in 2D space: the secret is a point on the y-axis, for example (0, 334), and the y coordinate of that point, 334, is the number we want to keep secret.
Then we introduce randomness by selecting a random point in the 2D plane, and out of those two points we form a secret line.
This trick effectively expands the secret from a point to a line, creating lots of redundancy out of which we can create as many shares as we wish, where each share is a point anywhere on the secret line.
Now all we need is any two shares to recover the secret line.
Once we know the line we can see where it intersects the y-axis, and the y coordinate of that point is our secret.
With this method we can share a secret with as many people as we need, a number we call N, and make sure that any two people can recover the secret; this is known as a (2, N) scheme.
But if we want to increase the minimum number of people needed to recover the secret, then we simply turn our line into a curve.
For example, the simplest curve is a parabola, which is defined by three points.
To create a secret parabola we start with the secret point as before and then generate two random points to define the secret curve.
Then we can generate as many secret shares as we'd like along the curve.
Recall that the equation for a parabola takes the form y = ax² + bx + c. Since this equation has three parameters a, b and c, we need any three points along the curve to solve for them.
So given any three shares we can fully recover the curve and then solve for c, which is the y-intercept, the secret point, to get back the secret number.
This is known as a (3, N) scheme, since we need at least three shares to recover the secret.
If instead we want a minimum of four shares to define the secret then we need to move up to a cubic curve, which requires four points to define, and recover the secret in the same way using any four points.
This is known as a (4, N) scheme.
Finally, we can generalize the scheme to work with any subset size K we desire by using a curve which is defined by K points.
Then we can generate as many shares as we want, a number we call N, leading to a (K, N) sharing scheme where K is the minimum number of shares needed to unlock the secret. And that's it.
In practice these same ideas apply when we work with integer coordinates and modulo operations instead of real numbers, which makes the scheme practical to implement.
And because we have efficient algorithms for computing these curves, this method is a practical key management solution.
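As an added example that is not from the original page: the (K, N) scheme above carried out over the integers modulo a prime, recovering the y-intercept by Lagrange interpolation. It covers the line (K = 2) and parabola (K = 3) cases as well as any K; the prime, the function names and the use of the page's 334 as a sample secret are my choices.

```python
import random

# Added example, not from the original page: Shamir's (K, N) threshold scheme
# over the integers modulo a prime, the practical form the text refers to.
# The secret is the constant term (y-intercept) of a random polynomial of
# degree K-1; each share is a point (x, f(x)); any K shares recover f(0).

PRIME = 2**61 - 1  # a Mersenne prime; secrets and x coordinates must be below it


def eval_poly(coeffs: list, x: int, p: int = PRIME) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... modulo p (Horner's rule)."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % p
    return y


def shamir_split(secret: int, k: int, n: int, rng=None, p: int = PRIME) -> list:
    """Return n shares (x, y) such that any k of them reconstruct the secret."""
    if not 0 <= secret < p or not 2 <= k <= n < p:
        raise ValueError("need 0 <= secret < p and 2 <= k <= n < p")
    rng = rng or random.SystemRandom()  # k-1 random coefficients play the role of the random points
    coeffs = [secret] + [rng.randrange(p) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def shamir_recover(shares: list, p: int = PRIME) -> int:
    """Lagrange interpolation evaluated at x = 0:
    f(0) = sum_i y_i * prod_{j != i} x_j / (x_j - x_i)  (mod p).
    Given fewer than k shares this returns a value unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * xj % p
                den = den * (xj - xi) % p
        secret = (secret + yi * num * pow(den, -1, p)) % p
    return secret
```

Because only f(0) is computed, the random coefficients never need to be recovered; any K shares, and also any larger subset, interpolate the same polynomial and give the same secret.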
It is also interesting to notice that the method we are using here relies on a well-known algorithm called a Reed-Solomon code.
Reed-Solomon codes were originally developed for erasure and error correction, where a transmission or message is broken up into n pieces and some of these pieces can be lost during transmission due to erasures, which is the same as a lost share.
The Reed-Solomon code enables data reconstruction on the receiving end as long as K of the pieces arrive.
There are many other connections as well, such as secure multi-party computation and data privacy, which are widely used to this day.
All thanks to an elegant solution for how to share our secrets.
Text and images are from the video:
硬核科普 秘密共享方案 Secret Sharing Explained Visually_哔哩哔哩_bilibili
All translations were done with Baidu Translate, roughly enough to get the idea.