From: Jason on
Hi,

Say my secret is an n-bit number, under Shamir's scheme I need a
prime, the first prime larger than the secret, then I work in GF(p).
(Think that's correct)

Now in terms of a practical implementation, lets say im secret sharing
arbitrarily long data in 64-bit blocks. I have to assume my secret
could be all 64 bits, which means I will need a 65-bit prime.

What im trying to understand is what is the most efficient way to
share arbitrarily long data in small broken down blocks. i.e if I use
64-bit blocks then how big should my prime be to avoid bit-wasting.

Will 64-bit blocks with a 65-bit prime work ok? Or should I use 63-bit
blocks with a 64-bit prime. Because im working with 8-bit ASCII
secrets, it's obviously easier to work with 64-bit data blocks.

Please could someone give me some pointers on how to do this
correctly, ideally I want to hardcode a prime for my application
rather than searching for one bigger than the secret on each block.

Additionally how complex is it to compute shares in GF(p) from a
programming perspective? Will I have to use lookup tables? Any help
here is much appreciated, I'm not a mathematician and don't have
access to any field-calculation libraries for this project, so have to
do the calculations manually from the ground up.

Thanks for any help.
From: Maaartin on
On Jun 16, 10:10 pm, Jason <tntcod...(a)hotmail.com> wrote:
> Say my secret is an n-bit number, under Shamir's scheme I need a
> prime, the first prime larger than the secret, then I work in GF(p).
> (Think that's correct)

You need a GF, but not necessarily a prime. Since any input can be
written conveniently as a sequence of bytes, working with GF(256) is a
good idea. This limits you to 255 shares, but this should be enough
for most purposes (if not then switch to GF(2**16)). One advantage of
using GF(256) is that the secret doesn't get expanded.

> Now in terms of a practical implementation, lets say im secret sharing
> arbitrarily long data in 64-bit blocks. I have to assume my secret
> could be all 64 bits, which means I will need a 65-bit prime.
>
> What im trying to understand is what is the most efficient way to
> share arbitrarily long data in small broken down blocks. i.e if I use
> 64-bit blocks then how big should my prime be to avoid bit-wasting.
>
> Will 64-bit blocks with a 65-bit prime work ok? Or should I use 63-bit
> blocks with a 64-bit prime. Because im working with 8-bit ASCII
> secrets, it's obviously easier to work with 64-bit data blocks.

Whatever prime you use, you end either with unconvenient input or with
unconvenient output sizes. You loose only about 1.5% but it's a lot of
bit fiddling. Using GF(256) or GF(2**64) wastes nothing in your case.

> Please could someone give me some pointers on how to do this
> correctly, ideally I want to hardcode a prime for my application
> rather than searching for one bigger than the secret on each block.
>
> Additionally how complex is it to compute shares in GF(p) from a
> programming perspective? Will I have to use lookup tables?

For such a large prime you can hardly use lookup tables, and you need
none. The most complicated part is the division using extended
Eulerian algorithm.

For GF(256) everything can be done using two small tables with 256
entries each (one for discrete log and one for exponentiantion).

> here is much appreciated, I'm not a mathematician and don't have
> access to any field-calculation libraries for this project, so have to
> do the calculations manually from the ground up.

I implemented it once in Java, the GF256 class is 44 lines and the
SecretSharing is 66 lines. You can have it to you if you want to.
There's nothing Java specific there.
From: Jason on
On 16 June, 22:40, Maaartin <grajc...(a)seznam.cz> wrote:
> On Jun 16, 10:10 pm, Jason <tntcod...(a)hotmail.com> wrote:
>
> > Say my secret is an n-bit number, under Shamir's scheme I need a
> > prime, the first prime larger than the secret, then I work in GF(p).
> > (Think that's correct)
>
> You need a GF, but not necessarily a prime. Since any input can be
> written conveniently as a sequence of bytes, working with GF(256) is a
> good idea. This limits you to 255 shares, but this should be enough
> for most purposes (if not then switch to GF(2**16)). One advantage of
> using GF(256) is that the secret doesn't get expanded.
>
> > Now in terms of a practical implementation, lets say im secret sharing
> > arbitrarily long data in 64-bit blocks. I have to assume my secret
> > could be all 64 bits, which means I will need a 65-bit prime.
>
> > What im trying to understand is what is the most efficient way to
> > share arbitrarily long data in small broken down blocks. i.e if I use
> > 64-bit blocks then how big should my prime be to avoid bit-wasting.
>
> > Will 64-bit blocks with a 65-bit prime work ok? Or should I use 63-bit
> > blocks with a 64-bit prime. Because im working with 8-bit ASCII
> > secrets, it's obviously easier to work with 64-bit data blocks.
>
> Whatever prime you use, you end either with unconvenient input or with
> unconvenient output sizes. You loose only about 1.5% but it's a lot of
> bit fiddling. Using GF(256) or GF(2**64) wastes nothing in your case.
>
> > Please could someone give me some pointers on how to do this
> > correctly, ideally I want to hardcode a prime for my application
> > rather than searching for one bigger than the secret on each block.
>
> > Additionally how complex is it to compute shares in GF(p) from a
> > programming perspective? Will I have to use lookup tables?
>
> For such a large prime you can hardly use lookup tables, and you need
> none. The most complicated part is the division using extended
> Eulerian algorithm.
>
> For GF(256) everything can be done using two small tables with 256
> entries each (one for discrete log and one for exponentiantion).
>
> > here is much appreciated, I'm not a mathematician and don't have
> > access to any field-calculation libraries for this project, so have to
> > do the calculations manually from the ground up.
>
> I implemented it once in Java, the GF256 class is 44 lines and the
> SecretSharing is 66 lines. You can have it to you if you want to.
> There's nothing Java specific there.

Thanks very much, that helps a lot. If I can use GF(256) I can see it
will be ideal and simplify things no end as I can just share on a byte-
by-byte basis (0-255).

Is it definitely ok security wise to use GF(256)? It's just that
Shamir's paper originally recommended GF(p). I'm afraid I don't
currently understand fields well enough to know of any issues that may
arise from this?

I would really appreciate having a look at your Java implementation if
you have it handy somewhere.

Thanks again.

From: Maaartin on
On Jun 17, 12:06 am, Jason <tntcod...(a)hotmail.com> wrote:
> Thanks very much, that helps a lot. If I can use GF(256) I can see it
> will be ideal and simplify things no end as I can just share on a byte-
> by-byte basis (0-255).
>
> Is it definitely ok security wise to use GF(256)?

I'm no cryptographer, but I'm quite sure it doesn't matter. I hope,
others will comfirm.

> It's just that Shamir's paper originally recommended GF(p).

I can't tell why.

> I'm afraid I don't currently understand fields well enough to know
> of any issues that may arise from this?

When you have any field, you can use polynomials over it, and there's
nothing more in Shamir's secret sharing. It works, since given enough
shares you can uniquely determine the result. It's perfectly secure,
since missing a single share the result can be anything. There's no
cryptography there.

> I would really appreciate having a look at your Java implementation if
> you have it handy somewhere.

You can find it here:
http://dl.dropbox.com/u/4971686/100617/GF256.java.txt
http://dl.dropbox.com/u/4971686/100617/SecretSharing.java.txt
http://dl.dropbox.com/u/4971686/100617/SecretSharingTest.java.txt

Instead of the log and exp tables I allocated a multiplication table,
this could be easily changed if necessary. It's uncommented, so feel
free to ask.
From: Bryan on
Maaartin wrote:
> Jason wrote:
> > Is it definitely ok security wise to use GF(256)?
>
> I'm no cryptographer, but I'm quite sure it doesn't matter. I hope,
> others will comfirm.

Yes, as Maaartin wrote:

> When you have any field, you can use polynomials over it, and there's
> nothing more in Shamir's secret sharing. It works, since given enough
> shares you can uniquely determine the result. It's perfectly secure,
> since missing a single share the result can be anything.


--
--Bryan