[6862] in cryptography@c2.net mail archive


Re: secret-sharing code

daemon@ATHENA.MIT.EDU (Wei Dai)
Wed Mar 29 16:13:16 2000

Date: Wed, 29 Mar 2000 13:05:40 -0800
From: Wei Dai <weidai@eskimo.com>
To: Greg Rose <ggr@qualcomm.com>
Cc: Steve Bellovin <smb@research.att.com>, cryptography@c2.net
Message-ID: <20000329130539.J29936@eskimo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <4.2.0.58.20000329141834.00bf5960@127.0.0.1>; from ggr@qualcomm.com on Wed, Mar 29, 2000 at 02:25:51PM +1000

On Wed, Mar 29, 2000 at 02:25:51PM +1000, Greg Rose wrote:
> I use Hal Finney's "secsplit". Google found it in a couple of places; it 
> doesn't seem to have been updated since 1993. It doesn't do the more 
> complicated schemes, just straight (m, k) splitting.

Crypto++ contains secret sharing code that was originally derived from
Hal's secsplit. (It's pretty much changed beyond recognition over the
years, but you can still see some resemblance in
RingOfPolynomialsOver<T>::InterpolateAt().)  Hal's code does have a
potential security problem. Quoting from an earlier post of mine:

> If anyone is going to use this, keep in mind that it leaks some information
> about the secret you're sharing through the length extension. This happens
> because the secret sharing polynomial is over GF(65521). So when a word
> (two bytes) to be shared is greater than or equal to 65521, it has to be
> encoded as two words each less than 65521.

This is solved in Crypto++ by using GF(2^32) instead.  You can download
it from http://www.eskimo.com/~weidai/cryptlib.html. 
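Added illustration, not code from the post or from Crypto++ or secsplit: a minimal Shamir (k, n) split and recovery over GF(2^32), where every 32-bit word is a field element and share length is fixed, next to a counter showing how the GF(65521) word encoding described above makes share length depend on the secret's contents. Assumed: the reducing polynomial x^32 + x^7 + x^3 + x^2 + 1, and that only the word count (not secsplit's exact two-word encoding) is reproduced.

```python
import secrets

# GF(2^32) with reducing polynomial x^32 + x^7 + x^3 + x^2 + 1 (assumption; a
# standard low-weight irreducible choice, not necessarily the one Crypto++ uses).
POLY = 0x10000008D

def gf_mul(a, b):
    """Carry-less multiply of two 32-bit field elements, reduced mod POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> 32:          # degree reached 32: reduce
            a ^= POLY
    return r

def gf_inv(a):
    """a^(2^32 - 2) == a^-1 in GF(2^32) (Fermat), by square-and-multiply."""
    r, e = 1, (1 << 32) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def eval_poly(coeffs, x):
    y = 0
    for c in reversed(coeffs):   # Horner's rule; addition in char 2 is XOR
        y = gf_mul(y, x) ^ c
    return y

def split(secret, k, n):
    """Shamir (k, n): random degree k-1 polynomial with f(0) = secret; shares (i, f(i))."""
    coeffs = [secret] + [secrets.randbits(32) for _ in range(k - 1)]
    return [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    s = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num, den = gf_mul(num, xj), gf_mul(den, xi ^ xj)  # (0 - xj) = xj in char 2
        s ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return s

# The GF(65521) problem: a 16-bit word >= 65521 is not a field element, so it
# is carried as two words, and the share length reveals how many such words the
# secret contains. Constructed counter only; secsplit's exact encoding is not reproduced.
P = 65521
def gf65521_share_words(secret_bytes):
    words = [int.from_bytes(secret_bytes[i:i + 2], 'big') for i in range(0, len(secret_bytes), 2)]
    return sum(2 if w >= P else 1 for w in words)
```

Two 4-byte secrets produce 2 and 3 share words respectively depending only on whether a word exceeds 65520, which is the leak the post describes; over GF(2^32) the share length is the same for every secret.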


