沙米尔秘密共享方案的工作原理

沙米尔秘密共享方案的工作原理
How Shamir's Secret Sharing Works

原始链接: https://ente.com/blog/how-shamirs-secret-sharing-works/

为了确保重要信息既安全又易于获取，阿迪·萨莫（Adi Shamir）在 1979 年提出了“萨莫秘密共享”（Shamir’s Secret Sharing）。这种数学方法可以将一个秘密拆分为多个片段（份额），只有达到预定数量的参与者才能将其还原。这一概念基于多项式几何：两点确定一条直线，三点确定一条抛物线，以此类推。通过将秘密设定为多项式与纵轴的交点（y轴截距），秘密本身得以隐藏。如果拥有的份额少于所需数量，则该直线或曲线无法确定，这意味着秘密的任何潜在取值都是等可能的。因此，碎片化的份额在未达到门槛时，无法提供关于秘密本身的任何信息。在 Ente 的“遗产工具包”（Legacy Kit）等现代应用中，这种数学原理为安全的账户恢复提供了坚实的基础。系统要求通过多个份额来重构密钥，而份额本身并非永久的“密钥”。这种机制确保了丢失单个碎片不会危及安全性，同时各个份额也可以作为更广泛、更安全的恢复流程的一部分进行撤销或管理。

Shamir 秘密共享（SSS）是一种精妙的密码学技术，它允许将“秘密”（如密码或加密密钥）拆分为多个唯一的“份额”。这些份额被分发给多个参与方，只有当这些份额的组合达到预设的阈值时，才能还原出该秘密。讨论要点如下： * **数学基础：** SSS 依赖于多项式插值；秘密被编码为多项式上的一个点，其他点则作为份额。由于该方案在信息论上是安全的，攻击者若拥有的份额少于所需数量，将无法获得关于秘密的任何信息，因此它甚至能抵御未来的量子计算威胁。 * **实际应用：** 用户讨论了其在灾难恢复、去中心化密码管理以及“双人授权”认证系统中的用途。许多开发者分享了他们构建概念验证应用和个人备份存储工具的经验。 * **教育价值：** 教育工作者使用 SSS 以生动有趣的方式向学生教授几何和代数知识。 * **实现：** 开发者们强调，尽管该方案在数学上很精妙，但在生产环境中使用时，必须谨慎处理有限域算术及完整性校验（如消息认证码 MAC），以检测损坏或恶意的份额。

原文

Some secrets are too important to trust to one person, and too important to lose if that person disappears.

A company wants three officers present before the master key is used. A family wants account recovery to need more than one envelope. A team wants a backup that survives a missing member without handing anyone the whole thing.

Adi Shamir (the S in RSA), published a way to do this in 1979. Split a secret into pieces so that some number of them can recover it, and any smaller number reveals nothing at all. Not "is hard to crack." Reveals nothing.

The core idea fits on a page.

Two points make a line

Start with something you already know: two distinct points determine exactly one straight line.

A single point does not. Infinitely many lines pass through one point, and each line crosses the vertical axis somewhere different.

Two points fix one line; one point allows infinitely many.

Now hide a secret where a line crosses the vertical axis. Say the secret is the number 7. Draw a random line through that height. The slope is not important. It is just randomness that hides the secret.

A line y = 2x + 7. The secret, 7, sits where it crosses the y-axis.

Give each person one point from the line. Nobody gets the line itself.

A person with one point can draw many possible lines through it. Each line implies a different secret. Their share is compatible with every possible answer, so it tells them nothing useful by itself.

Bob holds one share. Many candidate lines pass through it, each implying a different secret.

Put two points together and the line is fixed. Once you know the line, you can read the secret from where it crosses zero.

Alice and Bob's shares together pin down the line and reveal the secret.

That is a 2-of-n secret sharing scheme. You can create as many points as you want, but any two are enough to recover the line.

More people means more bend

For a higher threshold, use a curve with more bend.

A parabola needs three points to determine it. So if the secret is hidden where the parabola crosses the vertical axis, any three shares can recover the secret and any two cannot.

A parabola needs three points to determine; the secret sits at x = 0.

In general, a threshold of k uses a polynomial of degree k - 1.

2 shares: a line
3 shares: a parabola
4 shares: a cubic

Real implementations use finite-field arithmetic rather than graph paper, but the shape of the idea is the same. The secret is the value at zero. The random coefficients hide it. Each share is one point on the polynomial.

The useful part is not that the secret is hard to compute from too few shares. It is that too few shares contain no information about the secret. With one share missing, every possible secret is still possible.

Why we care

We use this idea in Ente's Legacy Kit.

Although, our problem was not just "how do we split a secret?", but also "how do we make recovery possible without turning the split secrets into a permanent recovery key?"

Legacy Kit uses Shamir's scheme as one layer inside a larger flow. The cards don't carry the recovery key. They reconstruct a separate secret locally, which then participates in a server-mediated recovery — so issued cards can be revoked, and a lost card is not a permanent liability.

This post is only the math behind the "any two, never one" part.