1

I am trying to do a homework assignment in which I implement a variation of this paper, and I don't know how to generate a polynomial of degree $m-1$. This polynomial is used to generate the $y_0$ and $y_1$ values.

I am using JCE for doing the coding. What do I need to do to achieve this?

Ilmari Karonen
TheRookierLearner

1 Answer

5

I assume you're referring to section 5 of the paper you linked to, which reads:

5 An instance using polynomials

In this section, we describe an instance of the technique of Section 4 using Shamir's secret sharing scheme [25]. In this scheme, $\mathrm{hpwd}_a$ is shared by choosing a random polynomial $f_a \in \mathbb Z_q[x]$ of degree $m - 1$ such that $f_a(0) = \mathrm{hpwd}_a$. The shares are points on this polynomial. We present the method in two steps, by first describing a simpler variation and then extending it in Section 5.4 to be more secure against an offline attack.

To choose a random polynomial $f(x) = c_k x^k + \dotsb + c_1 x + c_0$ of degree $k$ in the polynomial ring $\mathbb Z_q[x]$ simply means choosing $k+1$ random coefficients $c_0, c_1, \dotsc, c_k$ uniformly from the finite field $\mathbb Z_q$. However, the additional constraint that $f(0) = c_0$ should take a particular fixed value means that, in fact, only the $k$ coefficients $c_1, \dotsc, c_k$ can be chosen randomly, while the constant coefficient $c_0$ is fixed.

(Note that, using this procedure, there's a one in $q$ chance that $f$ will actually be of a degree lower than $k$, because $c_k = 0$ by chance. However, in the context of Shamir's secret sharing that's exactly what you want: the polynomial really should be randomly chosen from the set of polynomials of degree at most $k$ in $\mathbb Z_q[x]$ whose lowest coefficient has the desired secret value.)

P.S. A note on notation: $\mathbb Z_q$ here denotes the ring of integers modulo $q$, which is a field if and only if $q$ is prime. However, Shamir's secret sharing actually works in any finite field $\mathbb F_q$, which exist for all prime powers $q = p^n$. In particular, the characteristic-2 fields $\mathbb F_{2^n}$ are often convenient to work in, since their elements correspond naturally with $n$-bit bitstrings. The downside, of course, is that multiplication in finite fields of non-prime order is slightly trickier to implement (or, rather, that you're somewhat less likely to find an existing built-in implementation of it). For more details, see e.g. Galois fields in cryptography.

Ilmari Karonen