Key Re-sharing

Introduction

Multi-Party Computation (MPC) heaivly relies on the primitive of Shamir's secret sharing (SSS) for various use cases.
In this secret-sharing scheme a set of

n

parties would like to hold a secret in a distributed manner. The secret, which will be denoted

s

for the rest of this document, is an element of a field

Z_{p}

. It is important to mention that "distributed manner" means that party

i

will hold a piece of information, denoted

p_{i}

so that :

For each set of
$t + 1$ parties they will be able to retrieve, or make a certain MPC-driven computation on
$s$ .
Each set of up to
$t$ parties who choose to collude can learn nothing about
$s$ .

The parameters

t

and

n

are known prior to the sharing of the secret. In the basic setting of Shamir's secret sharing there is a trusted-dealer who send to each party

i

its corresponding

p_{i}

. So what is this

p_{i}

, and how does it look like?

DISCLAIMER: I may not be 100% algebraically accurate for the sake of both brevity convenience.

REMINDER: A polynomial

P (x)

is a function which can be expressed algebraically in the following form:

P (x) = \sum_{i = 0}^{k} a_{i} x^{i}

for some number

k

. The

a_{i}

are called "coefficients" and the largest number

i

such that

a_{i} \neq 0

is the "degree" of the polynomial. Note that in the case that all coefficients are zero, we consider the degree to be

\infty

Shamir's secret sharing utlizes one key algebraic property about polynomials known as the "unique interpolation theorem" which states that:

Given a set
$S = {(x_{0}, y_{0}), . . ., (x_{t}, y_{t})}$ of
$t + 1$ pairs of field elements, such that at least one
$y_{i} \neq 0$ , there exists a unique polynomial
$P_{S} (x)$ of degree at most
$t$ such that
$P_{S} (x_{i}) = y_{i}$ for all
$0 \leq i \leq t$ .

Therefore, given two distinct polynomials

P_{1} (x), P_{2} (x)

of degree at most

t

and a set of

t + 1

sample points

x_{0}, . . ., x_{t}

then for at least one

i

between

0

and

t

it must hold that

P_{1} (x_{i}) \neq P_{2} (x_{i})

. Thus, a set of

t + 1

evaluations of a polynomial is all that is required to reconstruct a polynomial

P (x)

. By "reconstructing" we mean deriving the coefficients

a_{i}

of the polynomial so we will be able to express the polynomial in the form

P (x) = \sum_{i = 0}^{t} a_{i} x^{i}

Polynomial Interpolation

Before diving into how the sharing is done, let's answer an even more fundamental question. Given those

t + 1

evaluations of a polynomial at points

x_{1}, . . ., x_{t + 1}

, how can it be practically reconstructed?
The reconstruction's smallest building blocks will be a set of degree

t

polynomials

π_{i}^{t} (x)

that satisfy for

x \in {x_{1}, . . ., x_{t + 1}}

the following

t + 1

constraints:

π_{i}^{t} (x) = {\begin{cases} 1 & x = x_{i} \\ 0 & x \neq x_{i} \end{cases}

Notice that for

x

values which are not one of

x_{1}, . . ., x_{t + 1}

the value of

π_{i}^{t} (x)

is not necessarily 0 and that there is exactly one polynomial who satisfies these constraints for every choice of

i

and

t

(according to the unique-interpolation theorem). Thus, the polynomial

π_{i}^{t} (x)

can be constructed with the following formula:

π_{i}^{t} (x) = \prod_{j = 1 j \neq i}^{t} \frac{x - x_{j}}{x_{i} - x_{j}}

.
This formula satisfies all our constraints:

If
$x = x_{i}$ then all factors of the formula will be
$1$ and thus
$π_{i}^{t} (x_{i}) = 1$ .
If
$x = x_{j}$ for
$j \neq i$ then at least one of the factors' numerator will be zero and thus
$π_{i}^{t} (x_{j}) = 0$ .

The actual coefficients of

π_{i}^{t} (x)

can be derived from this formula by programmatically multiplying the factors of the product.

Two observations that will allow us to reconstruct any polynomial from is samples on points

x_{1}, . . ., x_{t + 1}

are as follows:

Let
$P (x) = \sum_{i = 0}^{t} p_{i} x^{i}, Q (x) = \sum_{i = 0}^{t} q_{i} x^{i}$ be two distinct polynomials of degree
$\leq t$ , then their sum is also a polynomial of degree
$\leq t$ .

This one is correct because their sum can be expressed as a polynomial where coefficients are simply added:

P (x) + Q (x) = \sum_{i = 0}^{t} (p_{i} + q_{i}) x^{i}

Let
$P (x) = \sum_{i = 0}^{t} p_{i} x^{i}$ be a polynomial and let
$a \neq 0$ be a constant. Then the product
$a \cdot P (x)$ is also a polynomial.

Similarly to the previous this one is correct because the resulting polynomial is the same as the original polynomial with all coefficients just multiplied by

a

Great, now using these observations we can create a polynomial

P (x)

such that

P (x_{i}) = y_{i}

for all

0 \leq i \leq t

, we will give the polynomial and these explain why is satisfied these properties:

P (x) = \sum_{i = 0}^{t} y_{i} π_{i}^{t} (x)

First, according to the previous two observations and since each

π_{i}^{t} (x)

is a degree

\leq t

polynomial, by multiplying each

π_{i}^{t} (x)

by a constant

y_{i}

and summing them, the result is also a polynomial of degree

\leq t

.
Next, for each

x_{i}

we get that:

\begin{aligned} P (x_{i}) & = \sum_{j = 0}^{t} y_{j} π_{j}^{t} (x_{i}) \\ = y_{i} \cdot \overset{= 1}{\overset{⏞}{π_{i}^{t} (x_{i})}} + \sum_{j = 0 j \neq i}^{t} y_{j} \overset{= 0}{\overset{⏞}{π_{j}^{t} (x_{i})}} \\ = y_{i} \end{aligned}

By that achieving the requested interpolation.
This interpolation algorithm is known as "Lagrange Interpolation" and the

π_{i}^{t}

are often referred to as "Lagrange Polynomials".

The sharing goes as follows. The trusted dealer, who knows the secret

s

will generate a polynomial

F (x) = \sum_{i = 0}^{t} f_{i} x^{i}

of degree

t

such that

F (0) = f_{0} = s

and for

1 \leq i \leq t

the dealer will pick

f_{i}

randomly from the field

Z_{p}

. The dealer will send, for each party

i

between

1

and

n

its share

p_{i} = F (i)

. In other words, each party

i

has a share of the secret which is the polynomial

F

evaluated at point

i

So why is this even working? Since the polynomial

F

is of degree

t

, any set of

t + 1

parties will be able to derive

F

according the to unique interpolation theorem. However, for any set of

t

parties, they will not be able to learn anything about

F

s

since up to

p

different polynomials can be created that all agree with the evaluations of

F

given to these

t

parties, and each will be evaluated to a diffenret value at point

0

This is all fun, but at this point we have this trusted dealer which we must trust and who is accessible to the secret. In many MPC scenarios we want some secret

s

to never exist at a single point but still be able to make some computations based on its value. Therefore, we must find a way to get rid of the dealer.

In this section we will try to get rid of the dealer and still achieve the same effect of Shamir's secret sharing where a subset of

t + 1

out of

n

parties, each holding

p_{i}

- a share of a secret, can restore the secret, but without a dealer.
One question that must be asked at this point is what is the meaning of

s

? In particular, since no one knows

s

(since there is no dealer), what exactly are we trying to achieve?
Well, we will change our goal by a little bit so that instead of sharing an existing secret

s

held by the dealer, the parties will generate cooperatively a secret and share it between them without any party at any time holding the secret (or any information that may allow it to compute it efficiently).

This can be achieved in the following way. Party

i

(for all

1 \leq i \leq n

) will generate a local secret denoted

s_{i}

so that the final secret

s

shared among all parties will be

s = \sum_{i = 1}^{n} s_{i}

. To achieve this, each party

i

will share

s_{i}

between all parties by following the steps of the dealer from the previous section. To be explicit, it will randomly create a polynomial

F_{i} (x)

of degree at most

t

such that

F_{i} (0) = s_{i}

and send to party

j

a share of this secret denoted by

p_{i, j} = F_{i} (j)

. Now each party

j

who hold the secret shares

(p_{1, j}, . . ., p_{n, j}) = (F_{1} (j), . . ., F_{n} (j))

will sum all those shares to get

p_{j} = \sum_{i = 1}^{n} p_{i, j}

.
Since

F_{i} (x)

are all polynomials of degree

t

, their sum is also a polynomial of degree at most

t

denoted by

F (x) = \sum_{i = 1}^{n} F_{i} (x)

.
Notice that:

$p_{j}$ , the secret share of party
$j$ satisfies:
$p_{j} = \sum_{i = 1}^{n} p_{i, j} = \sum_{i = 1}^{n} F_{i} (j) = F (j)$
The shared final secret
$s$ satisfies:
$s = \sum_{i = 1}^{n} s_{i} = \sum_{i = 1}^{n} F_{i} (0) = F (0)$

Therefore, the parties ended in a state where each party holds a secret-share

p_{j}

which is the evaluation of a degree

\leq t

polynomial

F (x)

at point

j

and the shared secret is

s = F (0)

. From previous section we know that this allows each subset of parties of size

\geq t + 1

to compute the secret and any subset of

\leq t

parties will not be able to derive any information about the secret.

Without getting too much into details, the share

s

isn't exposed to any party along the way because if it did, it would imply the original secret-sharing algorithm from previous section to be insecure, but it is secure because of the unique-interpolation theorem.

Motivation

Now that we know just enough about how secret shares are generated, we consider the scenario in which a set of

n

parties have a secret shared among them so that each party

i

holds a share of the secret, denoted

p_{i} = F (i)

where

F (x)

is a polynomial of degree at most

t

and

F (0) = s

where

s

is the shared-secret which isn't known fully to any party.
The problem we want to solve is being able add party

n + 1

to the setup so that it will have its own share of the secret,

p_{n + 1} = F (n + 1)

while maintaining the demand that each set of

t + 1

parties will be able to make some MPC-driven computations on the secret and any set of up to

t

parties will not be able to do so.

The most naive approach is to gather all

n + 1

parties together, the original

n

parties will forget about their existing shares

p_{i}

and all parties will derive new shares

p_{i}^{'}

of a new secret

s^{'}

. This is dissatisfactory since we don't want the existing secret to change. On top of that, we would be happy if the solution will require as little communication as possible.

The solution

Party

n + 1

should obtain

p_{n + 1} = F (n + 1)

in a way that only it will learn

F (n + 1)

and no other party will learn anything about it. After obtaining this piece of information, the party will be able to collaborate with any set of

t

additional parties to perform MPC-driven computations on the secret.
The key observation which has driven us is:

If it only takes
$t + 1$ parties to compute the secret
$s = F (0)$ it shouldn't take more than
$t + 1$ parties to evaluate
$F (n + 1)$ and send it to party
$n + 1$ .

According to this mindset, it should be possible to achieve a solution where not all parties are required to add new party in the happy flow where none of the parties is malicious.

Naive Solution

One naive way in which a set of

t + 1

parties numbered

x_{1}, . ., x_{t + 1}

could have done this is so that party

i

will compute

Q_{i} = p_{x_{i}} \cdot π_{x_{i}}^{t} (n + 1)

and send it to the new party who will in turn sum those inputs to obtain

F (n + 1) = \sum_{i = 1}^{t + 1} Q_{i} = \sum_{i = 1}^{t + 1} (p_{x_{i}} \cdot π_{x_{i}}^{t} (n + 1))

.
However, this imposes a major security risk, since party

n + 1

receiving

Q_{i}

can divide it by

π_{x_{i}}^{t} (n + 1)

(notice that

π_{x_{i}}^{t}

is a publicly known polynomial) and obtain

y_{i}

for each

i

and thus reconstruct the polynomial

F (x)

with those

t + 1

shares and obtain the secret!
Therefore, we should look for another solution that doesn't violate the security requirements.

Correct Solution

Each party

i

out of the

t + 1

collaborating parties could locally compute their local additive share of

F (n + 1)

which is

Q_{i} = p_{x_{i}} \cdot π_{x_{i}}^{t} (n + 1)

. As mentioned earlier the sum of the

Q_{i}

s equals to the share of party

n + 1

which is

F (n + 1)

. (

△

)
Thus, we will think of their sum as a secret and we would like to share it. Recall that Shamir's Secret Sharing algorithm without a dealer allowed some parties to distribute a secret amongst them so that the shared secret will be the sum of the local secrets of all parties.
In our case the local secret of each party will be

Q_{i}

and running this algorithm where each party uses

Q_{i}

as the local secret will result in each party

i

holding the evalution of some polynomial

G (x)

at point

i

such that

G (0)

is the sum of all local secrets

Q_{i}

which equals to

F (n + 1)

which is the share of party

n + 1

(see

△

).
Each party will send their respective evaluation of the polynomial

G (i)

to party

n + 1

who will be able to reconstruct polynomial

G (x)

and compute

F (n + 1)

. Assuming Shamir's secret sharing without a dealer is secure, no party should be able to infer

G (0) = F (n + 1)

and party

n + 1

shouldn't be able to infer the secrets of the rest of the parties.

Key Re-sharing

Introduction

Shamir's Secret Sharing

Polynomial Interpolation

Sharing Algorithm

Shamir's Secret Sharing - Without a dealer

Motivation

The solution

Naive Solution

Correct Solution

Read more

One *Single* Trick To Lose Your Coins

FFT over Finite Fields

Two-Party Schnorr

ZK-hack Puzzle #3 - Writeup

One Single Trick To Lose Your Coins