tl;dr: A
Preliminaries: How to share a secret
This article assumes familiarity with Shamir secret sharing[^Shamir79], a technique that allows a dealer to “split up” a secret
Shamir secret sharing
Recall that a secret
-
The dealer encodes
as the 0th coefficient in a random degree- polynomial : -
The dealer gives each player
, their share of as: -
The shares
define the -out-of- sharing of .
Lagrange polynomials
Recall the definition of a Lagrange polynomial w.r.t. to a set of evaluation points
Shamir secret reconstruction
Any subset
How to reshare a secret
Suppose the old players, who have a
In other words, they want to
Importantly, they want to do this without leaking
-
Each old player
first “shares their share” with the new players: i.e., randomly sample a degree- polynomial that shares their : -
Let
denote the share of for player . Then, each old player will send to each new player . - The new players agree3 on a set
of old players who correctly-shared their share with all new players.- This is certainly sufficient and easily achievable via PVSS3, but may not be necessary.
- Each new player
interpolates their share of as:
And voilà: SUCH A BEAUTIFUL, SIMPLE PROTOCOL for secret resharing.
Why does this work?
It’s easy to see why if we reason about the underlying polynomial defined by the new players’ shares
In other words,
In more detail:
Let
And, as we saw in Equation
Acknowledgements
Big thanks to Benny Pinkas for pointing me to the BGW paper1 and for pointing out subtleties in what it means for an old player to correctly share their share.
-
Completeness Theorems for Non-cryptographic Fault-tolerant Distributed Computation, by Ben-Or, Michael and Goldwasser, Shafi and Wigderson, Avi, in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, 1988, [URL] ↩ ↩2
-
Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems, by Cachin, Christian and Kursawe, Klaus and Lysyanskaya, Anna and Strobl, Reto, in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, [URL] ↩
-
This step is non-trivial and is where most protocols work hard to achieve efficiency. For example, see 2. Publicly-verifiable secret sharing (PVSS) on a public bulletin board such as a blockchain is a simple (albeit naive) way of achieving this: there will be
PVSS transcripts, one for each-reshared , and everyone can agree on the set of valid transcripts. ↩ ↩2