]> Cisco Systems, Inc.

510 McCarthy Blvd. Milpitas CA 95035 US mcgrew@cisco.com http://www.mindspring.com/~dmcgrew/dam.htm

Consultant

praveenpatnala@yahoo.com

TR-Sys

Gerlinger Str. 12 Ditzingen D-71254 Germany ah@TR-Sys.de

General Cryptography Threshold secret sharing (TSS) provides a way to generate N shares from a value, so that any M of those shares can be used to reconstruct the original value, but any M-1 shares provide no information about that value. This method can provide shared access control on key material and other secrets that must be strongly protected. This note defines a threshold secret sharing method based on polynomial interpolation in GF(256) and a format for the storage and transmission of shares. It also provides usage guidance, describes how to test an implementation, and supplies test cases.

Threshold secret sharing (TSS) provides a way to generate N shares from a value, so that any M of those shares can be used to reconstruct the original value, but any M-1 shares provide no information about that value. This method does not rely on any assumptions about the complexity of solving a particular computational problem (such as factoring); it is information-theoretically secure. Each share is slightly longer than the original secret. In the context of secret sharing, the word "share" means a part of something, and "sharing" means the act of breaking up into parts. Readers may be confused if they think of "sharing" as meaning "giving to or possessing with others". TSS is especially useful whenever there is a need to ensure the availability of a secret, yet there is a simultaneous need to reduce the risk of compromise of the secret. By dividing the secret into multiple shares, and distributing each share to a different trusted entity, TSS reduces that risk while providing for the availability of the secret. At the time that the secret is divided into shares, the threshold defining a number of shares that are needed to reconstruct the secret is set. TSS can be applied to any secret key, such as one used to encrypt data at rest, or to any private key, such as the signing key used by a certificate authority. It can be used to create a "backup" copy of a key, to protect against the loss or corruption of an "active" copy of the key. Alternatively, TSS can be applied to a key, and then the original key can be deleted, as a means of enforcing shared access control on that key.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

A threshold secret sharing system provides two operations: one that creates a set of shares given a secret, and one that reconstructs the secret, given a set of shares. This section defines the inputs and outputs of these operations. The following sections describe the details of TSS based on a polynomial interpolation in GF(256).

This operation takes an octet string S, whose length is L octets, and a threshold parameter M, and generates a set of N shares, any M of which can be used to reconstruct the secret. The secret S is treated as an unstructured sequence of octets. It is not expected to be null-terminated. The number of octets in the secret may be anywhere from zero up to 2^16 (65,536). The threshold parameter M is the number of shares that will be needed to reconstruct the secret. This value may be any number between one and 255, inclusive. The number of shares N that will be generated MUST be between the threshold value M and 255, inclusive. The upper limit is particular to the TSS algorithm specified in this document. If the operation can not be completed successfully, then an error code should be returned.

The reconstruct operation reconstructs the secret from a set of shares. The number of shares N must be provided as a parameter. The only other parameter is the list of shares themselves. The shares should be treated as unstructured octet strings. If the operation could be completed successfully, then the secret value will be returned. If the operation can not be completed successfully, then an error code should be returned.

A finite field is a set of elements with associated addition, multiplication, subtraction, and division operations. Each of those operations acts on elements in the field, and returns an element in the field. This specification uses the field GF(256), and each element is represented as a single octet. There are many possible ways to represent a finite field; below we define the field arithmetic operations as having inputs and outputs that are octets. This fixes a particular representation, without explicitly defining it, and it avoids the issue of the bit-representation of octets. In this representation, the zero field element is the zero octet, and the unity field element is 0x01 (hexadecimal).

Each element of the field GF(256) is represented as an octet. In the following, each octet is represented as a hexadecimal number with a leading "0x", as in ANSI/ISO C. The representation of the finite field that we use is defined in terms of the addition, subtraction, multiplication, and division operations. We define these operations as taking two octets as input and returning a single octet as output. In order to distinguish GF(256) arithmetic from integer arithmetic, we denote addition and multiplication in GF(256) as (+) and (*), respectively. We also refer to the summation and product operations in GF(256) as GF_SUM and GF_PRODUCT, respectively. These operations are defined in terms of two tables, the EXP table () and the LOG table (), which define the exponential function and the logarithmic function, respectively. The ith elements of these tables are denoted as EXP[i] and LOG[i]. LOG takes a non-zero field element as input, and returns an integer, and EXP takes an integer and returns a field element. The addition operation returns the bitwise exclusive-or of its operands. The subtraction operation is identical, because the field has characteristic two. The multiplication operation takes two elements X and Y as input and proceeds as follows. If either X or Y is equal to 0x00, then the operation returns 0x00. Otherwise, the value EXP[ (LOG[X] + LOG[Y]) modulo 255] is returned. The division operation takes a dividend X and a divisor Y as input and computes X divided by Y as follows. If X is equal to 0x00, then the operation returns 0x00. If Y is equal to 0x00, then the input is invalid, and an error condition occurs. Otherwise, the value EXP[ (LOG[X] - LOG[Y]) modulo 255] is returned. The operation of raising a field element X to a power i, where i is a positive integer, is denoted as X^i, and it consists of multiplying X by itself i times.

We first define how to share a single octet. The function f takes as input a single octet X that is not equal to 0x00, and an array A of M octets, and returns a single octet. It is defined as

Because the GF_SUM summation takes place over GF(256), each addition uses the exclusive-or operation, and not integer addition. Note that the successive values of X^i used in the computation of the function f can be computed by multiplying a value by X once for each term in the summation. To create N shares from a secret, with a threshold of M, the following procedure, or any equivalent method, is used: For each share, a distinct Share Index is generated. Each Share Index is an octet other than the all-zero octet. All of the Share Indexes used during a share generation process MUST be distinct. Each share is initialized to the Share Index associated with that share. For each octet of the secret, the following steps are performed. An array A of M octets is created, in which the array element A[0] contains the octet of the secret, and the array elements A[1], ..., A[M-1] contain octets that are selected independently and uniformly at random. For each share, the value of f(X,A) is computed, where X is the Share Index of the share, and the resulting octet is appended to the share. After the procedure is done, each share contains one more octet than does the secret. The share format can be illustrated as

where X is the Share Index of the share, and A, B, and C are arrays of M+1 octets; A[0] is equal to the first octet of the secret, B[0] is equal to the second octet of the secret, and so on.

We define the function L_i that takes as input an array U of M octets, and is defined as

Here the product runs over all of the values of j from 0 to M-1, excluding the value i. (This function is equal to ith Lagrange function, evaluated at zero.) The function L_i is defined for i from 0 to M-1, inclusive. (Note that the denominator in the above expression is never equal to zero as long as U[i] is not equal to U[j] whenever i is not equal to j.) We denote the interpolation function as I. This function takes as input two arrays U and V, each consisting of M octets, and returns a single octet; it is defined as

To reconstruct a secret from M shares, the following procedure, or any equivalent method, is used: If the number of shares provided as input to the secret reconstruction operation is greater than the threshold M, then M of those shares are selected for use in the operation. The method used to select the shares is arbitrary. If the shares are not equal length, then the input is inconsistent. An error should be reported, and processing must halt. The output string is initialized to the empty (zero-length) octet string. The octet array U is formed by setting U[i] equal to the first octet of the ith share. (Note that the ordering of the shares is arbitrary, but must be consistent throughout this algorithm.) The initial octet is stripped from each share. If any two elements of the array U have the same value, then an error condition has occurred; this fact should be reported, then the procedure must halt. For each octet of the shares, the following steps are performed. An array V of M octets is created, in which the array element V[i] contains the octet from the ith share. The value of I(U, V) is computed, then appended to the output string. The output string is returned. After the procedure is done, the string that is returned contains one fewer octet than do the shares.

A robust TSS system, or RTSS, is one that provides security even when one or more of the shares that are provided to the reconstruction algorithm may be crafted by a malicious adversary. In addition, an RTSS system will detect unintentional corruption of the shares. We provide robustness by adding a pre-processing step to the TSS share generation step, and a post-processing step to the TSS secret reconstruction step. The pre-processing consists of taking the secret S, then appending a hash H(S) to it. The post-processing step consists of verifying that the reconstructed secret has the form S || H(S), where the symbol || denotes the concatenation operation. The hash function must be collision-resistant; all RTSS implementations MUST support the SHA-256 hash algorithm . If the robust reconstruction operation fails, and the number of shares that are available is greater than the threshold, then the operation MAY be tried on a different set of shares. An RTSS system can perform an additional operation that verifies the validity of a set of shares. This operation has the same inputs as the Reconstruct operation. Its output consists of an indication whether or not the secret could be reconstructed, but the secret itself is not returned. This operation may be useful in a situation in where the availability of a secret must be verified, for example, as part of an audit.

We use a data format with the following fields, in order: This field contains 16 octets. It identifies the secret with which a share is associated. All of the shares associated with a particular secret MUST use the same value Identifier. When a secret is reconstructed, the Identifier fields of each of the shares used as input MUST have the same value. The value of the Identifier should be chosen so that it is unique, but the details on how it is chosen are out of scope of this document. This field contains a single octet that indicates the hash function used in the RTSS processing, if any. A value of zero indicates that no hash algorithm was used, no hash was appended to the secret, and no RTSS check should be performed after the reconstruction of the secret. Other values are defined in the table below. This field contains a single octet that indicates the number of shares required to reconstruct the secret. This field MUST be checked during the reconstruction process, and that process MUST halt and return an error if the number of shares available is fewer than the value indicated in this field. This field is two octets long. It contains the number of octets in the Share Data field, represented as an unsigned integer in network byte order. This field has a length that is a variable number of octets. It contains the actual share data. This format is illustrated in .

The correspondence between the Hash Algorithm Identifier field and the hash algorithm used in RTSS is defined by the table below. Each hash function outputs a fixed number of octets; the length of the output of each hash is indicated in the table. Hash Algorithm Hash Algorithm Identifier Length (octets) NULL_HASH 0 0 SHA-1 1 20 SHA-256 2 32 RESERVED 3-127 not applicable Vendor specific 128-255 not applicable

TSS and RTSS are suitable for the protection of long-term key material. In such applications, it is highly desirable to provide protection against the accidental corruption of the shares. This section defines data formats that can be used to protect shares. These formats are optional extensions to the basic TSS and RTSS systems.

To protect against the corruption of the filesystem that is holding the shares, a "magic number" can be used as the initial part of the share data format . A magic number is a constant data string that is chosen arbitrarily, but which is unlikely to appear in other contexts, and thus can be used to recognize a data format when it appears in an arbitrary data stream. The use of a magic number in the data format for a share greatly simplifies the task of finding a share after a filesystem has been corrupted. The 8-octet magic number f628f91b52023d11 (hexadecimal) SHOULD be used. The number was selected randomly from a uniform distribution.

To protect against data corruption in the underlying media, an error-correcting code (ECC) can be used. An ECC system consists of an encoding function, which maps the data to a codeword, and a decoding function, which maps a (possibly corrupted) codeword to the data. The simplest such code is a repetition code, in which multiple copies of the data are stored. In this specification, all ECCs must be systematic, that is, the data must appear as the initial bytes of the codeword. This property allows an implementation of the ECC to avoid the implementation of the full decoding algorithm. We use a data format that incorporates the following fields, in order: This field is four octets long. It contains an unsigned integer in network byte order that denotes the type of the encoding, i.e. the algorithm that was used during the encoding process. This field is four octets long. It contains an unsigned integer in network byte order that denotes the number of octets in the Data field. This field is four octets long. It contains an unsigned integer in network byte order that denotes the number of octets in the Redundancy field. This field has a length that is a variable number of octets, which is indicated by the Data Length field. It contains the data that is intended to be conveyed by the code. If no data corruption has occurred, then this field will contain the data that was originally encoded. This field has a length that is a variable number of octets, which is indicated by the Redundancy Length field. It contains information that can be used to check whether or not there are any errors in the Data field, and to correct some errors that may have occurred. This format is illustrated in .

If a code has a free parameter, the value of that parameter MUST be inferable from the values of the Data Length and Redundancy Length fields.

This section defines a format for a repetition code, which is a particular error correcting code that is conceptually simple and easy to implement. The value of the Encoding Type field is equal to 0000001 (hexadecimal). The Redundancy field contains R copies of the Data field, where R is an even number. The Redundancy Length is equal to the Data Length times R. The value of R MAY be equal to zero, in which case no error detection or correction is possible (but implementation is simple). The value of R SHOULD be at least two. For example, if the data that is encoded is equal to 68656c6c6f (hexadecimal), then the ECF data with R=2 would be

<- DL -><- RL -><- Data -><--- Redundancy ---> 00000001000000050000000a68656c6c6f68656c6c6f68656c6c6f ]]>

To check the Data field for errors, that field should be compared with each of its copies in the redundancy field. The Repetition Code can be decoded by using majority-logic decoding. Considering both the Data and Redundancy fields, there are R+1 (possibly corrupted) copies of the original data, where R+1 is an odd number. The decoding process independently considers each octet of the Data field, and the corresponding octets of the copies that appear in the Redundancy field. That is, the ith octet of the Data, plus octets i, L+i, 2L+i, ... , RL+i, are analyzed independent from all other octets, where L is the value of the Data Length field. The following algorithm is applied to these octets. The binary representation of each octet is considered. For each bit in that representation, if more of the copies have a "1" in that position than have a "0" in that position, then that position is decoded to the value "1"; otherwise, it is decoded to "0". This process is repeated for all of the bit position. After all of the bits in the octet have been decoded, the value of the ith octet in the output of the decoding algorithm is computed, using the same binary representation as before. For example, if the data that was encoded in the previous example was corrupted to the value

<- DL -><- RL -><- Data -><--- Redundancy ---> 00000001000000050000000a68656c6c2f68656c6cef68656c6c6f ** ** ** ]]>

then decoding would proceed as follows. The fifth octet of the Data field is equal to 2f, while the fifth and tenth octets of the Redundancy field are equal to ef and 6f, respectively. Using a bit representation with the most significant bit on the left, the octets and the "majority" octet are as follows:

Thus the fifth octet in the output of the decoding algorithm will be 6f.

This section summarizes the order of processing for when secret sharing is performed using the facilities for robustness (RTSS), error correction (ECC), and data recovery (Magic Number), and clarifies the relationships between data formats. This processing can be viewed as a layered model, as illustrated in . (Note that we have not adhered to a strictly layered model, for the sake of simplicity, since the format defined by RTSS is used after the shares are generated.) When RTSS is used, it is applied to the secret before the sharing operation (and is removed from the secret after the reconstruction operation). The RTSS data format MUST be used. When ECC is used, it is applied to the RTSS data after the sharing operation, so that the ECC Data field contains the entire RTSS Data Format. When a Magic Number is used, it is added after the ECC formatting is done, and it is prepended to the Error Correction Format.

Shares ]]>

In this implementation, the secret and the shares are octet strings. Each octet is treated as an element of the finite field GF(256 ). The share-generation algorithm is applied to each octet of the secret independently. Similarly, the octets are treated independently during the reconstruction of the secrets from the shares. Shamir's original description treats the secret as a large integer modulo a large prime number . The advantages of using a vector over GF(256) are that the computations are more efficient and the encoding is simpler. Multiplication and inversion over GF(256) can be done with two table lookups and two exors, using two fixed tables of 256 bytes each. One limitation of the GF(256) approach is that the number of shares that can be generated cannot be greater than 255; this limitation is unlikely to be important in practice, since fewer than ten shares are typically used. The reconstruction of the secret is done using Lagrange interpolation polynomials. This method is simple and easily tested. For large thresholds, this method is less efficient than an optimal method would be. However, performance is still good, and it is expected that the reconstruction of the secret will not be a performance-critical operation.

As with every crypto algorithm, it is essential to test an implementation of TSS or RTSS for correctness. This section provides guidance for such testing. The Secret Reconstruction algorithm can be tested using KATs. Test cases are provided in . The Share Generation algorithm cannot be directly tested using known-answer tests (KATs). It can be indirectly tested by generating secret values uniformly at random, then applying the Share Generation process to them to generate a set of shares, then applying the Share Reconstruction algorithm to the shares, then finally comparing the reconstructed secret to the original secret. Implementations SHOULD perform this test, using a variety of thresholds and secret lengths. The Share Index (the initial octet of each share) can never be equal to zero. This property SHOULD be tested. The random source must be tested to ensure that it has high min-entropy.

This section provides test cases that can be used to validate an implementation of the Secret Reconstruction algorithm. All values are in hexadecimal. The algorithm used in the test case. The secret value to be split into shares. The number of shares required to reconstruct a secret; above, this value is associated with the variable M. The number of shares included in the example; above, this value is associated with the variable N. A share index. Each test case has multiple share values, and each share is associated with a share index. A share value, which corresponds to the share index value immediately above it.

It is crucial for security that the source of randomness used in the share generation process by cryptographically strong; it MUST be suitable for generating cryptographic keys. provides guidance on the selection and implementation of random sources. A TSS implementation SHOULD be tested as described in . The confidentiality of the shares generated by TSS should be protected, since the exposure of too many shares will undermine the security of the system. Note that, in this regard, share values are more comparable to secret keys than to ciphertext.

This document has no actions for IANA.

Thanks to Brian Weis and Jack Lloyd for constructive feedback.

&rfc2119; &rfc4086;

In abstract algebra, a finite field is an algebraic structure for which the operations of addition, subtraction, multiplication and division are defined and satisfy certain axioms. The field GF(256) has exactly 256 elements in it. There is only one field with that number of elements, but there are many different ways in which the elements of the field can be represented. This document uses a polynomial representation in which the field polynomial is the unique irreducible polynomial with minimum weight of degree 8 over GF(2) , hence it is the 'canonical' choice for a polynomial base representation of GF(256). This field representation is also used by the Advanced Encryption Standard (AES).