
Shamir's Secret Sharing works by sharing data points on a curve, whereby when you have the required number of data points, you can find the function of the curve and find out the secret, which is effectively f(0).

In the polynomial form of the function, the constant (the coefficient of $x^0$) is the secret information.

Could you treat the coefficients of the other powers of $x$ as secret values as well?

If so, are they just as secure / secret? Or is there some subtlety going on where you need fewer values to get the other coefficients?

It seems that if you had a cubic curve that you could have 4 secrets $S_i$, instead of 3 random numbers and one secret:

$$f(x) = S_1x^3 + S_2x^2+S_3x+S_4$$

Artjom B.
Alan Wolfe

1 Answer


What you're looking for is called packed secret sharing. It was introduced by Franklin & Yung in:

If you have a polynomial of degree $< d$, with at most $t$ corrupt parties, then you can use a single polynomial to hide $d - t$ secrets. It's not hard to see that you can't hide more secrets than this. To share $k$ secrets, you need $k$ degrees of freedom. The $d$ coefficients induce $d$ degrees of freedom, but each of the $t$ corrupt parties learns one linear constraint.

Note: in what you described in your post you have a polynomial of degree $< 4$ so if you take the standard Shamir setting of $t=3$ corrupt parties you can only hide the one secret value. While it is true that 3 shares together don't reveal any individual secret coefficient, they reveal linear relationships that constrain the secret coefficients to a 1-dimensional subspace.

Mikero
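The note in the answer above, worked through as an added example (not code from the question or the answer): a cubic whose four coefficients are all secrets, shared over a small field, with three shares in the hands of colluding parties. The prime 13, the secret values and the evaluation points 1, 2, 3 are constructed for illustration, and all function names are hypothetical.

```python
from itertools import product

P = 13                      # small prime field so exhaustive search is instant (assumption)
SECRETS = (5, 11, 2, 7)     # constructed S1..S4: f(x) = S1*x^3 + S2*x^2 + S3*x + S4
XS = (1, 2, 3)              # evaluation points held by the three colluding parties

def evaluate(coeffs, x, p=P):
    """Horner evaluation of the polynomial, highest-degree coefficient first."""
    acc = 0
    for c in coeffs:
        acc = (acc * x + c) % p
    return acc

def make_shares(coeffs, xs=XS, p=P):
    """Shares (x, f(x)) handed to the parties at the given points."""
    return [(x, evaluate(coeffs, x, p)) for x in xs]

def consistent_coefficients(shares, p=P):
    """Every (S1, S2, S3, S4) in GF(p)^4 that agrees with all given shares."""
    return [c for c in product(range(p), repeat=4)
            if all(evaluate(c, x, p) == y for x, y in shares)]

def values_per_position(candidates):
    """Set of values each coefficient still takes across the candidates."""
    return [{c[i] for c in candidates} for i in range(4)]

def pin_one(candidates, index, value):
    """Candidates left once a single coefficient becomes known."""
    return [c for c in candidates if c[index] == value]

if __name__ == "__main__":
    cands = consistent_coefficients(make_shares(SECRETS))
    print("prior space:", P ** 4, "after 3 shares:", len(cands))
    print("values each S_i can still take:",
          [len(s) for s in values_per_position(cands)])
    print("after learning S_4 alone:", pin_one(cands, 3, SECRETS[3]))
```

Each coefficient on its own still ranges over the whole field, but the four together lie on a single line, so the three shares leave only one field element of uncertainty across all four secrets: learning any one of them fixes the other three.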