How to reshare a secret

 

tl;dr: A t-out-of-n sharing of s can be reshared as a t-out-of-n. How? Each old player t-out-of-n reshares their share with the new players. Let H denote an agreed-upon set of t old players who (re)shared correctly. Then, each new player’s t-out-of-n share of s will be the Lagrange interpolation (w.r.t. H) across all the shares received from the old players.

Preliminaries: How to share a secret

This article assumes familiarity with Shamir secret sharing[^Shamir79], a technique that allows a dealer to “split up” a secret s amongst n players such that any subset of size t can reconstruct s yet no subset of size <t learns anything about the secret.

Shamir secret sharing

Recall that a secret sZp is t-out-of-n secret-shared as follows:

  1. The dealer encodes s as the 0th coefficient in a random degree-(t1) polynomial f(X): (2)f(X)=s+k=1t1fkXk, where each fk$Zp

  2. The dealer gives each player i[n], their share si of s as: (3)si=f(i)(4)=s+k=1t1fkik

  3. The shares [s1,s2,,sn] define the t-out-of-n sharing of s.

Lagrange polynomials

Recall the definition of a Lagrange polynomial w.r.t. to a set of evaluation points T. (5)i[n],Li(X)=kT,kiXkik The relevant properties of LiT(X) are that: (6)Li(i)=1,iT(7)Li(j)=0,i,jT,ij

Shamir secret reconstruction

Any subset T[n] of t or more players can reconstruct s by combining their shares as follows: (8)iTLiT(0)si=iTLiT(0)f(i)=f(0)=s

How to reshare a secret

Suppose the old players, who have a t-out-of-n sharing of s, want to reshare s with a set of n new players such that any t players can reconstruct s.

In other words, they want to t-out-of-n reshare s.

Importantly, they want to do this without leaking s or any info about the current t-out-of-n sharing of s. A technique for this, whose origins are (likely?) in the BGW paper1, is described by Cachin et al.2 and involves four steps:

  1. Each old player i first “shares their share” with the new n players: i.e., randomly sample a degree-(t1) polynomial ri(X) that shares their si: (9)ri(X)=si+k=1t1ri,kXk, where each ri,k$Zp

  2. Let zi,j denote the share of si for player j[n]. (10)zi,j=ri(j) Then, each old player i will send zi,j to each new player j[n].

  3. The new players agree3 on a set H of old players who correctly-shared their share si with all n new players.
    • This is certainly sufficient and easily achievable via PVSS3, but may not be necessary.
  4. Each new player j[n] interpolates their share zj of s as: (11)zj=iHLiH(0)zi,j(12)=iHLiH(0)ri(j)

And voilà: SUCH A BEAUTIFUL, SIMPLE PROTOCOL for secret resharing.

Why does this work?

It’s easy to see why if we reason about the underlying polynomial defined by the new players’ shares zj. Specifically, the degree-(t1) polynomial r(X) where r(0)=s: (13)r(x)=iHLiH(0)ri(X)(14)=iHLiH(0)(si+k=1t1ri,kXk)(15)=(iHLiH(0)f(i))+(iHLiH(0)(k=1t1ri,kXk))(16)=s+iHLiH(0)(k=1t1ri,kXk)(17)=defs+k=1t1rkXk

In other words, [s,r1,r2,,rt1] are the coefficients of the polynomial obtained from the linear combination of the ri(X)’s by the Lagrange coefficients LiH(0).

In more detail: (18)r(x)=s+(Li1H(0)(k=1t1ri1,kXk)+Li2H(0)(k=1t1ri2,kXk)+Li|H|H(0)(k=1t1ri|H|,kXk))

Let cij,k=defLijH(0)rij,k. Then, we can rewrite the above as: (19)r(x)=s+(k=1t1ci1,kXk+k=1t1ci2,kXk+k=1t1ci|H|,kXk) Let rk=defijHcij,k. Then, we can rewrite the above as: (20)r(x)=defs+k=1t1rkXk

And, as we saw in Equation 11 above, any new player j[n] can get their share of r(X) via: (21)zj=iHLiH(0)ri(j)(22)=r(j)

Acknowledgements

Big thanks to Benny Pinkas for pointing me to the BGW paper1 and for pointing out subtleties in what it means for an old player to correctly share their share.

  1. Completeness Theorems for Non-cryptographic Fault-tolerant Distributed Computation, by Ben-Or, Michael and Goldwasser, Shafi and Wigderson, Avi, in Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, 1988, [URL]  2

  2. Asynchronous Verifiable Secret Sharing and Proactive Cryptosystems, by Cachin, Christian and Kursawe, Klaus and Lysyanskaya, Anna and Strobl, Reto, in Proceedings of the 9th ACM Conference on Computer and Communications Security, 2002, [URL] 

  3. This step is non-trivial and is where most protocols work hard to achieve efficiency. For example, see 2. Publicly-verifiable secret sharing (PVSS) on a public bulletin board such as a blockchain is a simple (albeit naive) way of achieving this: there will be n PVSS transcripts, one for each-reshared si, and everyone can agree on the set H of valid transcripts.  2