Author: Gregory Maxwell 2018-01-17 15:31:44
Published on: 2018-01-17T15:31:44+00:00
In a recent post on bitcoin-dev, Ondřej Vejpustek made some statements regarding the similarity between RSA and Shamir Secret Sharing (SSS). In response, another member of the group pointed out that, while both systems are algebraically-based, SSS is fundamentally different in that it achieves information theoretic security. This means that, given any fixed threshold-1 set of shares, there is a value of the final remaining share which decodes to every possible message. The 2 of 2 case is cited as the simplest example of this principle, where message = share1 xor share2. For any given share1 or given share2 there exists a value of share2 or share1 respectively which yields every possible message. This principle does not change when additional conditionals are added to the system, meaning that SSS has perfect security within its limited scope. Any SSS tool should include a forgery utility which demonstrates this property, as being able to forge an alternative answer is one of the theoretical arguments for using SSS over computational secret sharing. The discussion also touched on the use of CRCs and error-correcting codes, noting that while they introduce redundancy into the message, the primary concern is the outer check value which protects the shares themselves and is sitting unprotected in plaintext. Using a proper code for this purpose could provide perfect detection of errors that align with words, such as transposing two words. Finally, the idea that complicated attacks are more secure than simple ones is refuted, and the suggestion to add a hash to the system is dismissed as unnecessary.
Updated on: 2023-05-20T04:40:22.104975+00:00