Cryptography
Secret Sharing
According to a 2022 Fireblocks report, institutional crypto custody requires that no single employee or server ever holds a complete private key. Threshold ECDSA, with Shamir's Secret Sharing at its foundation, protects billions in digital assets. Secret sharing is not just academic theory: it is the backbone of modern key management for systems that cannot afford a single point of failure.
- **HSM key ceremonies**: ICANN's DNSSEC root key is split into 7 shares held by 14 trusted community representatives worldwide. Recovering the root key requires physically flying the keyholders to a ceremony.
- **Coinbase MPC wallets**: hot wallet private keys split with threshold ECDSA across multiple servers. No server ever holds the complete key.
- **Apple CSAM detection**: Private Set Intersection MPC allows checking photo hashes against a known-CSAM database without Apple seeing user images.
- **Ethereum 2.0 validators**: Distributed Key Generation (DKG) using VSS for validator key setup without a single trusted dealer.
Shamir's Secret Sharing
Shamir's Secret Sharing (1979) splits a secret S into n shares such that any t shares reconstruct S, but t-1 shares reveal nothing. The construction uses a random polynomial of degree t-1 over a finite field, with S as the constant term.
Shamir's scheme is information-theoretically secure: t-1 shares give zero information about S. Used in hardware wallets (BIP-39 + SLIP-39), HSM key recovery, and certificate authority key ceremonies.
What makes Shamir secret sharing information-theoretically secure (not just computationally)?
Threshold Schemes: Applications of t-of-n
Threshold cryptography extends secret sharing to computation: a t-of-n threshold scheme does not merely reconstruct a secret but performs a cryptographic operation (decryption, signing) without any party ever holding the full private key.
Fireblocks uses threshold ECDSA for institutional crypto custody. Coinbase uses MPC wallets with t-of-n for hot wallet security. Neither service ever assembles the full private key on a single machine.
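The mechanics of the two sections above in working code, as an added example (not code from the original page, nor from Fireblocks or Coinbase): Shamir split and reconstruct over a prime field, a brute-force check of the information-theoretic claim on a tiny field, and a dealer-based threshold ElGamal decryption in which each party applies only its own share and the key d is never reassembled. The parameters P = 2039, Q = 1019 and G = 4 are toy values chosen for readability; production systems use 256-bit groups or elliptic curves, and threshold ECDSA needs a far more involved protocol than this linear combine step (ECDSA is not linear in the key).

```python
import secrets
from itertools import product

# Toy-sized parameters, constructed for illustration only; real deployments use
# 256-bit-plus groups or elliptic curves.
P = 2039  # prime modulus of the multiplicative group (P = 2*Q + 1)
Q = 1019  # prime order of the subgroup; Shamir shares and the key live in Z_Q
G = 4     # generator of the order-Q subgroup of Z_P^*


def _eval_poly(coeffs, x, mod):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod a prime (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def split(secret, t, n, mod=Q):
    """Shamir split: a random degree-(t-1) polynomial with the secret as constant term,
    evaluated at x = 1..n. Returns n shares (x, f(x))."""
    assert 0 < t <= n < mod and 0 <= secret < mod
    coeffs = [secret] + [secrets.randbelow(mod) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x, mod)) for x in range(1, n + 1)]


def lagrange_coeff(i, xs, mod=Q):
    """Lagrange basis coefficient lambda_i for interpolating at x = 0."""
    num, den = 1, 1
    for j in xs:
        if j != i:
            num = num * (-j) % mod
            den = den * (i - j) % mod
    return num * pow(den, -1, mod) % mod


def reconstruct(shares, mod=Q):
    """Recover f(0) from exactly t shares: sum of y_i * lambda_i."""
    xs = [x for x, _ in shares]
    return sum(y * lagrange_coeff(x, xs, mod) for x, y in shares) % mod


def secret_distribution(partial_shares, t, mod):
    """Brute force over every degree-(t-1) polynomial (tiny mod only) and count those
    consistent with the given shares, keyed by constant term. Equal counts for every
    candidate secret is what "information-theoretically secure" means."""
    counts = {}
    for coeffs in product(range(mod), repeat=t):
        if all(_eval_poly(coeffs, x, mod) == y for x, y in partial_shares):
            counts[coeffs[0]] = counts.get(coeffs[0], 0) + 1
    return counts


# --- Threshold decryption: the shared key is used, never reassembled ---

def keygen(t, n):
    """Dealer-based setup: private key d is Shamir-shared, public key y = G^d."""
    d = secrets.randbelow(Q - 1) + 1
    return pow(G, d, P), split(d, t, n)


def encrypt(pub, m):
    """ElGamal encryption; m must be an element of the order-Q subgroup."""
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pub, k, P) % P


def partial_decrypt(share, c1):
    """Each of the t parties raises c1 to its own share; d itself never exists anywhere."""
    i, d_i = share
    return i, pow(c1, d_i, P)


def combine(partials, c2):
    """prod_i (c1^{d_i})^{lambda_i} = c1^{sum_i lambda_i d_i} = c1^d, then m = c2 / c1^d."""
    xs = [i for i, _ in partials]
    c1_d = 1
    for i, v in partials:
        c1_d = c1_d * pow(v, lagrange_coeff(i, xs), P) % P
    return c2 * pow(c1_d, -1, P) % P


if __name__ == "__main__":
    shares = split(42, 3, 5)
    print("any 3 of 5 recover 42:", reconstruct(shares[:3]), reconstruct(shares[2:]))
    tiny = split(5, 3, 4, mod=17)
    print("2 of 3 shares, mod 17:", secret_distribution(tiny[:2], 3, 17))  # every secret once
    pub, key_shares = keygen(3, 5)
    m = pow(G, 77, P)
    c1, c2 = encrypt(pub, m)
    parts = [partial_decrypt(s, c1) for s in key_shares[1:4]]
    print("threshold decrypt ok:", combine(parts, c2) == m)
```

The `secret_distribution` check is the content of the "information-theoretic" claim made concrete: with t-1 shares, every candidate secret is consistent with exactly the same number of polynomials, so an adversary with unbounded compute still has a uniform guess. The threshold decryption works because the Lagrange combination is linear and exponentiation turns that linear combination into a product of partial results; that is exactly why BLS and Schnorr-style schemes thresholdise easily and ECDSA does not.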
What security advantage does threshold ECDSA provide over storing a private key in an HSM?
Verifiable Secret Sharing (VSS)
Verifiable Secret Sharing (VSS) extends Shamir with commitments: each share can be verified against public commitments without reconstructing the secret. This prevents a malicious dealer from distributing inconsistent shares.
VSS is required in Distributed Key Generation (DKG) protocols where there is no single trusted dealer. Ethereum 2.0 uses DKG for validator key setup. Threshold signature schemes (FROST, GG20) use VSS internally.
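Feldman VSS and a dealerless key generation built on it, as an added example (not code from the original page, Ethereum, FROST or GG20). The dealer publishes commitments C_j = G^{a_j} to every polynomial coefficient; a share holder checks its share against those commitments alone, so a dealer handing out shares from different polynomials is caught without anyone reconstructing. The `dkg` function then lets every party act as dealer for its own random secret and sums what it receives, which is the core of a Feldman-style DKG (the complaint and disqualification round is omitted here). Group parameters P = 2039, Q = 1019, G = 4 are toy values assumed for readability.

```python
import secrets

# Toy-sized group, constructed for illustration only; production code uses a 256-bit-plus
# group or an elliptic curve (where the commitments become a_j * G on the curve).
P = 2039  # prime, P = 2*Q + 1
Q = 1019  # prime order of the subgroup; polynomial coefficients live in Z_Q
G = 4     # generator of the order-Q subgroup of Z_P^*


def _eval_poly(coeffs, x, mod):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def deal(secret, t, n):
    """Feldman VSS dealer: Shamir shares plus public commitments C_j = G^{a_j} to every
    coefficient a_j of the degree-(t-1) polynomial (C_0 commits to the secret itself)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = [(i, _eval_poly(coeffs, i, Q)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P) for a in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """Holder of (i, s_i) checks G^{s_i} == prod_j C_j^{i^j} (mod P). Only the public
    commitments are needed, never the secret or anyone else's share."""
    i, s_i = share
    expected = 1
    for j, c_j in enumerate(commitments):
        expected = expected * pow(c_j, pow(i, j, Q), P) % P
    return pow(G, s_i, P) == expected


def dkg(t, n):
    """Dealerless key generation (Feldman-style, complaint round omitted): every party
    deals a random secret to all n parties, each verifies what it receives, and sums its
    shares. The group private key (sum of all secrets) is never held by anyone; the group
    public key is the product of all C_0 commitments. Returns (public key, final shares,
    combined commitments)."""
    contributions = [deal(secrets.randbelow(Q), t, n) for _ in range(n)]
    for shares_k, commits_k in contributions:
        for share in shares_k:
            if not verify_share(share, commits_k):
                raise ValueError("inconsistent share from a dealer; complaint would be raised")
    final_shares = [
        (i, sum(shares_k[i - 1][1] for shares_k, _ in contributions) % Q)
        for i in range(1, n + 1)
    ]
    combined = [1] * t
    for _, commits_k in contributions:
        for j in range(t):
            combined[j] = combined[j] * commits_k[j] % P
    return combined[0], final_shares, combined


if __name__ == "__main__":
    shares, commits = deal(123, 3, 5)
    print("all dealt shares verify:", all(verify_share(s, commits) for s in shares))
    i, s_i = shares[0]
    print("tampered share verifies:", verify_share((i, (s_i + 1) % Q), commits))
    pub, final_shares, combined = dkg(3, 5)
    print("DKG shares verify against combined commitments:",
          all(verify_share(s, combined) for s in final_shares))
```

The verification identity holds because G^{f(i)} = G^{sum_j a_j i^j} = prod_j (G^{a_j})^{i^j}, and it composes across dealers: the final share of party i is the sum of n polynomials evaluated at i, so it verifies against the coordinate-wise product of all dealers' commitments. This is also where the security model shifts: the commitments C_j are public, and C_0 = G^secret hides the secret only under the discrete-log assumption, which is why Feldman VSS is computationally rather than information-theoretically hiding.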
Why is verifiable secret sharing needed in distributed key generation (DKG)?
Introduction to MPC: Computation Without Revealing Data
Multi-Party Computation (MPC) allows n parties to jointly compute a function f(x1,...,xn), where each party i holds a private input xi; the output is revealed, but no party learns anything about the others' inputs beyond what the output itself reveals.
Apple uses PSI (Private Set Intersection) to detect CSAM in iCloud Photos without revealing user images to Apple. Google uses PSI for password breach detection: checking if a password appears in breach databases without sending the password.
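A two-party Private Set Intersection in the Diffie-Hellman style, as an added example (not code from the original page, Apple or Google, whose deployed protocols differ in detail). Both sides blind their hashed items with a secret exponent; because exponentiation commutes, H(x)^{ab} equals H(y)^{ba} exactly when x = y, so the client can find matches while the server sees only blinded values and the client's set size. The group Z_P^* with P = 2^31 - 1 and the email addresses are constructed toy inputs; a real deployment runs this on an elliptic curve and assumes both parties are semi-honest (they follow the protocol but may try to learn extra information).

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: Z_P^* with a Mersenne prime modulus.
# Production DH-PSI runs on an elliptic curve for real DDH hardness.
P = 2147483647  # 2^31 - 1, prime


def hash_to_group(item: str) -> int:
    """Deterministically map an item to a nonzero element of Z_P^*."""
    digest = hashlib.sha256(item.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


class Party:
    """One side of a two-party DH-PSI: a private set plus a fresh secret exponent."""

    def __init__(self, items):
        self.items = list(items)
        self.k = secrets.randbelow(P - 3) + 2  # secret exponent in [2, P-2]

    def blind(self):
        """Round 1 message: H(x)^k for each own item. Without k these values reveal
        nothing useful about x beyond the set size."""
        return [pow(hash_to_group(x), self.k, P) for x in self.items]

    def double_blind(self, peer_blinded):
        """Round 2: raise the peer's blinded values to own exponent, preserving order so
        the peer can map each result back to its own item."""
        return [pow(v, self.k, P) for v in peer_blinded]


def psi(client: Party, server: Party):
    """Client learns the intersection; the server learns only the client's set size."""
    client_blinded = client.blind()                            # client -> server: H(x)^a
    doubled_client = server.double_blind(client_blinded)       # server -> client: H(x)^{ab}
    server_blinded = server.blind()                            # server -> client: H(y)^b
    doubled_server = set(client.double_blind(server_blinded))  # client computes H(y)^{ba} itself
    # H(x)^{ab} == H(y)^{ba} iff x == y, so matching positions are the intersection.
    return sorted(x for x, v in zip(client.items, doubled_client) if v in doubled_server)


if __name__ == "__main__":
    # Constructed sample sets; neither party ever sends a plaintext item or a bare hash.
    client = Party(["alice@example.com", "bob@example.com", "carol@example.com"])
    server = Party(["bob@example.com", "dave@example.com", "carol@example.com"])
    print("intersection seen by client:", psi(client, server))
```

Two properties worth checking against the text: the server never receives anything but H(x)^a, which it cannot invert or dictionary-test without a; and the client cannot test items outside its own set because it only holds H(y)^{ab} for the server's items, not b. This is also the protocol's privacy limitation as a detection mechanism: the client learns precisely which of its items matched, nothing less, and the party that controls the server's set decides what "matching" means.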
What does MPC guarantee about party privacy?
Summary
- **Shamir secret sharing**: t-of-n threshold using a polynomial over a finite field. Information-theoretically secure: t-1 shares reveal nothing.
- **Threshold cryptography**: extends sharing to operations - threshold ECDSA/BLS signs without assembling the private key. Used by Fireblocks, Coinbase.
- **VSS (Verifiable Secret Sharing)**: adds commitments so each share can be verified without reconstruction. Required for DKG without a trusted dealer.
- **MPC**: jointly compute f(x1,...,xn) without revealing inputs. PSI, private auctions, and secure joins are key applications.
Related Topics
Secret sharing connects to distributed systems and privacy-preserving computation:
- Advanced ECC — BLS signatures enable efficient threshold signatures with aggregation, built on pairings.
- MPC (Multi-Party Computation) — MPC at scale uses Garbled Circuits and Oblivious Transfer with secret sharing as a building block.
- ZK Proofs — VSS commitments and MPC combine with ZKPs in modern threshold signature protocols like FROST.
Questions for Reflection
- If the ICANN DNSSEC root key is 5-of-7 threshold, how many keyholders would an attacker need to compromise to forge DNS records for any domain?
- Shamir's scheme is information-theoretically secure but Feldman VSS is only computationally secure. Why does adding commitments weaken the security model?
- Apple's CSAM detection uses PSI without learning user photos. Describe the protocol at a high level and its privacy limitations.