Shamir - How to Share a Secret: an illustrated walkthrough (my own translation, for reference only)


Imagine two people who need to share a secret, for example a numeric key.

The simplest solution is to make copies of that secret and give one to each of them.

But what happens when no single person should have full access to the secret? Think of missile launch codes, or the passwords that authorize large money transfers, where several people may be required to confirm.

In these situations we require some minimum number of people to come to a consensus before the key can be used.

One approach to this problem is to split the secret into pieces, or shares, which the participants keep secret from one another, and then combine the shares whenever they need to use the key. The problem with the naive way of splitting (giving each person half of the digits, say) is that each half gives away partial information about the secret to the person holding it.

For example, with an eight-digit secret, if one person knows the first four digits they only need to search 10,000 (10^4) possible combinations to find the key, whereas someone with no information would need to search 100 million (10^8) possible combinations.

Recall that the definition of perfect secrecy, from an information-theoretic perspective, requires that every possible key look equally likely.

This means that someone holding one share is no more likely to guess the key than someone who holds no share at all.

In order to prevent this leak, we need to introduce some randomness.

For example, if the secret were an image, we could protect it by adding a random image to it, resulting in an unrecognizable, scrambled image.

Then one person takes the random image, the other takes the scrambled image, and when they need to recover the original they simply subtract the random image from the scrambled one.

In this case the shares on their own contain no information about the original image, but together they recover it perfectly.

That is the idea with images, but we can do the same thing numerically: take the secret and add a random number to it using modular arithmetic. Here that means we add the numbers digit by digit and, if a digit sum is 10 or above, we keep only the remainder mod 10 and never carry, so 11 becomes 1.

This breaks the secret into random-looking pieces which we can give to each person without either of them seeing the original secret.

One person gets the random number; the other gets the result of adding the secret to that random number, which is itself just another random-looking number.

There is no way to extract the original number from what is available to either person. For example, if 5 plus 6 equals 1 (mod 10) and I give you only the 1, you have no information about which two numbers produced it: every possible secret digit is consistent with some pad digit.

So to determine the secret, the two participants must come together and subtract their numbers, reversing the random process and recovering the secret.

This simple procedure is known as a one-time pad, and Claude Shannon proved that it is perfectly secret.
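The digit-wise mod-10 sharing just described, as an added example (this is not code from the video): it splits a decimal secret into n shares whose digit-wise sum is the secret, recombines them, and computationally checks the perfect-secrecy claim by enumerating every secret that could sit behind a single share. The sample secret "55555555", the two-digit secrecy check and the use of Python's `secrets` module for the pad are choices made here for illustration.

```python
"""Additive secret sharing over decimal digits, mod 10 per digit.

Example added to this page, not code from the video. The secret
"55555555", the two-digit secrecy check and the use of Python's `secrets`
module for the random pad are illustration choices (assumptions).
"""
import secrets
from itertools import product


def digitwise_add(a, b):
    """Add two equal-length digit strings digit by digit mod 10.
    No carries: 5 + 6 -> 1, exactly as the text describes."""
    if len(a) != len(b):
        raise ValueError("shares must have the same length")
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def digitwise_sub(a, b):
    """Inverse of digitwise_add: (a - b) mod 10 per digit, without borrows."""
    if len(a) != len(b):
        raise ValueError("shares must have the same length")
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


def random_digits(n):
    """n decimal digits from a cryptographic RNG (never the `random` module for a pad)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n))


def split(secret, n=2):
    """Split `secret` into n shares, all of which are needed to rebuild it.
    The first n-1 shares are uniformly random pads; the last one is chosen so
    that the digit-wise sum of all n shares equals the secret. Any n-1 shares
    are therefore independent of the secret (the one-time-pad argument)."""
    if n < 2 or not secret.isdigit():
        raise ValueError("need a decimal-digit secret and n >= 2")
    pads = [random_digits(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = digitwise_sub(last, pad)
    return pads + [last]


def combine(shares):
    """Recover the secret: digit-wise sum of every share mod 10."""
    acc = "0" * len(shares[0])
    for share in shares:
        acc = digitwise_add(acc, share)
    return acc


def secrets_consistent_with(share):
    """Perfect-secrecy check for the two-share case: enumerate every secret
    of the same length and keep those for which some pad turns the secret
    into `share`. Because pad = share - secret always exists, every secret
    survives: the share alone rules nothing out. Keep `share` short, the
    search has 10**len(share) candidates."""
    survivors = set()
    for digits in product("0123456789", repeat=len(share)):
        candidate = "".join(digits)
        pad = digitwise_sub(share, candidate)
        if digitwise_add(candidate, pad) == share:
            survivors.add(candidate)
    return survivors


if __name__ == "__main__":
    secret = "55555555"  # constructed sample secret
    two = split(secret, 2)
    print("2-of-2 shares:", two, "->", combine(two))
    five = split(secret, 5)
    print("5-of-5 shares:", five, "->", combine(five))
    print("only 4 of the 5 shares:", combine(five[:4]), "(random-looking, unrelated to the secret)")
    print("secrets consistent with share '37':", len(secrets_consistent_with("37")))
```

Note that `split` with n greater than 2 is the "many participants" version the text turns to next: it is still all-or-nothing, and losing any one share loses the secret.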

 

 

 

But we aren't quite done yet, because when we try this approach with many participants we run into another problem.

Using this method, all of the shares are required to reconstruct the secret. If one of the eight people goes missing, loses their share, or decides not to cooperate, the secret is lost to everyone.

Practically speaking this is not acceptable for many applications, since every single share is a point of failure.

In these cases what we need is a system where only some of the eight people need to come together to recover the secret.

For example, we might require that at least five out of the eight people come together.

This problem was solved in 1979 by Adi Shamir, who published a paper tackling the problem of sharing a secret amongst multiple parties.

He expanded the idea geometrically, by imagining the secret as a point in space and the shares as points along a secret random curve.

For example, imagine we have a secret number shared amongst three people, and we want to make sure that at least two of them are needed to recover the secret.

His key insight was to think of this number as a secret point in 2D space: the secret is a point on the y axis, in the example (0, 334), whose y coordinate, 334, is the number we want to keep secret.

Then we introduce randomness by selecting a random point in the 2D plane, and from those two points we form a secret line.

This trick effectively expands the secret from a point to a line, creating lots of redundancy, out of which we can create as many shares as we wish, where each share is a point anywhere on the secret line (other than the secret point itself).

Now all we need is any two shares to recover the secret line.

Once we know the line we can see where it intersects the y axis, and the y coordinate of that intersection point is our secret.

With this method we can share a secret with as many people as we need, a number we call n, and make sure that any two of them can recover the secret. This is known as a (2, n) threshold scheme.

But if we want to increase the minimum number of people needed to recover the secret, we simply turn our line into a curve.

For example, the simplest such curve is a parabola, which is defined by three points.

To create a secret parabola we start with the secret point as before, and then generate two random points to define the secret curve.

Then we can generate as many shares as we'd like along the curve.

Recall that the equation of a parabola takes the form y = a·x² + b·x + c. Since this equation has three parameters, a, b and c, we need any three points along the curve to solve for them.

So, given any three shares, we can fully recover the curve and then read off c, the y-intercept, which is the secret point, to get back the secret number.

This is known as a (3, n) scheme, since we need at least three shares to recover the secret.

If instead we want a minimum of four shares to define the secret, then we move up to a cubic curve, which requires four points to define, and we recover the secret in the same way using any four points.

This is known as a (4, n) scheme.

Finally, we can generalize the scheme to work with any threshold k we desire by using a curve of degree k - 1, which is defined by k points.

Then we can generate as many shares as we want; we call that number n.

This leads to a (k, n) sharing scheme, where k is the minimum number of shares needed to unlock the secret, and that's it.

In practice these same ideas apply when we work with integer coordinates and modulo operations (arithmetic in a finite field) instead of real numbers, which makes the scheme practical to implement.

And because we have efficient algorithms for computing these curves, this method is a practical key-management solution.

It is also interesting to notice that the methods we are using here rely on a well-known algorithm called a Reed-Solomon code.

Reed-Solomon codes were originally developed for erasure and error correction, where a transmission or message is broken up into n pieces, some of which can be lost in transit due to erasures, which is the same thing as a lost share.

The Reed-Solomon code enables data reconstruction on the receiving end as long as k of the pieces arrive.

Plus, there are many other connections as well, such as secure multi-party computation and data privacy, which are widely used to this day.

All thanks to an elegant solution for how to share our secrets.
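The construction described above, from the 2-of-3 secret line through the general (k, n) curve, carried out with the "integer coordinates and modulo operations" of the last section, as an added example (this is not code from Shamir's paper or from the video). The secret is the page's 334; the shares are points (x, f(x)) on a random polynomial of degree k - 1 whose y-intercept is the secret, and recovery is Lagrange interpolation evaluated at x = 0. Assumptions made here: the modulus P = 2**61 - 1 (a prime, so every nonzero element has an inverse and the interpolation division always works), share x-coordinates 1..n, and random coefficients in place of the "random points" of the geometric picture, which is equivalent. The last function repeats the perfect-secrecy check in a tiny field, GF(17), so it can enumerate every line through a single share.

```python
"""Shamir's (k, n) threshold secret sharing over a prime field.

Example added to this page; not code from Shamir's paper or the video.
Assumptions for illustration: the prime modulus P = 2**61 - 1, the page's
secret 334, share x-coordinates 1..n, and random polynomial coefficients
standing in for the "random points" of the geometric picture.
"""
import secrets

P = 2**61 - 1  # prime modulus (assumption); secret and n must be smaller than it


def _eval_poly(coeffs, x, p):
    """coeffs[0] + coeffs[1]*x + coeffs[2]*x**2 + ... mod p, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split(secret, k, n, p=P):
    """Return n shares (x, y) on a random degree-(k-1) polynomial whose
    constant term (the y-intercept) is the secret. Any k shares recover it;
    x = 0 is never used as a share, since that point IS the secret."""
    if not (1 <= k <= n < p) or not (0 <= secret < p):
        raise ValueError("need 1 <= k <= n < p and 0 <= secret < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, n + 1)]


def lagrange_eval(points, x, p=P):
    """Evaluate at x the unique polynomial of degree < len(points) through
    `points` (distinct x's), mod p. pow(den, -1, p) is the modular inverse,
    which exists because p is prime and den is nonzero."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def recover(shares, k, p=P):
    """Recover the secret, the curve's value at x = 0, from any k shares."""
    if len(shares) < k:
        raise ValueError("need at least k shares")
    if len({x for x, _ in shares[:k]}) != k:
        raise ValueError("share x-coordinates must be distinct")
    return lagrange_eval(shares[:k], 0, p)


def secrets_implied_by_one_share(share, p):
    """Security check for k = 2 in a small field: holding one share, guess
    every possible y for a second point and collect the secrets the
    resulting lines imply. Every field element appears, so one share tells
    its holder nothing about which secret is the real one."""
    x1, _ = share
    return {lagrange_eval([share, (x1 + 1, g)], 0, p) for g in range(p)}


if __name__ == "__main__":
    shares = split(334, 2, 3)
    print("2-of-3 shares:", shares)
    print("from shares 1 and 3:", recover([shares[0], shares[2]], 2))
    shares = split(334, 3, 5)
    print("3-of-5, from shares 2, 4, 5:", recover([shares[1], shares[3], shares[4]], 3))
    print("one share in GF(17) leaves", len(secrets_implied_by_one_share((1, 9), 17)), "possible secrets")
```

The Reed-Solomon view is the same code path: `split` evaluates a polynomial at n points (encoding), and `recover` with any k of them is erasure decoding; a share that never arrives is an erasure. What this example does not do, and a production library must, is check that the k shares are consistent: a corrupted share does not raise an error here, it silently yields a wrong secret.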

 

 

Source of the images and text: the video

硬核科普 秘密共享方案 Secret Sharing Explained Visually_嗶哩嗶哩_bilibili

All translations are by Baidu Translate; they should give a rough understanding.

