
Let's assume I have a truly random secret $s$ that is 256 bits long, and I want to use SSS with e.g. $(k=4,n=8)$. The normal approach is to set $a_0=s$ and choose $a_1 \ldots a_{k-1}$ randomly, resulting in 256-bit outputs for the points.

My question: Is there any loss in security by splitting $s$ into $k$ slices (in this example 4 slices holding 64 bits each), and using those slices as $a_0 \ldots a_{k-1}$ in the polynomial? I can then reduce $p$ from e.g. $2^{256}-189$ to $2^{64}-59$ and have reduced the size of each point to about 64 bits.

AleksanderCH
Gec
  • It sounds like what you are suggesting is a variant of the “packed secret sharing” concept. Maybe have a look at that. – Guut Boy Jul 11 '19 at 13:32
  • @GuutBoy You are absolutely right, I've flagged my question as duplicate. Thank you for the pointer! Interesting to see that there are indeed weaknesses for $t<k$ corrupt participants. – Gec Jul 11 '19 at 13:52

0 Answers
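The weakness mentioned in the comments, shown as an added example that is not part of the original post: it enumerates a toy field and counts which secrets stay consistent with $t<k$ known shares, once when the secret is only $a_0$ and once when it is spread over all coefficients. The prime 13 (standing in for $2^{64}-59$), the sample slices and all function names are assumptions made for the illustration.

```python
from itertools import product

P = 13  # toy prime standing in for 2^64-59 (assumption: small enough to enumerate)
K = 4   # threshold k from the question


def evaluate(coeffs, x, p=P):
    """Horner evaluation of a_0 + a_1*x + ... + a_{k-1}*x^(k-1) mod p."""
    y = 0
    for a in reversed(coeffs):
        y = (y * x + a) % p
    return y


def make_shares(coeffs, n, p=P):
    """Shares are the points (x, f(x)) for x = 1..n."""
    return [(x, evaluate(coeffs, x, p)) for x in range(1, n + 1)]


def consistent_polynomials(shares, k=K, p=P):
    """Every coefficient vector in GF(p)^k that agrees with the known shares."""
    return [c for c in product(range(p), repeat=k)
            if all(evaluate(c, x, p) == y for x, y in shares)]


def leakage_table(coeffs, k=K, p=P):
    """Rows of (t, candidates left for a_0, candidates left for all k slices)."""
    shares = make_shares(coeffs, k, p)
    rows = []
    for t in range(k + 1):
        polys = consistent_polynomials(shares[:t], k, p)
        # Standard SSS: the secret is a_0 only, so count distinct a_0 values.
        # Sliced variant: the secret is the whole vector, so count vectors.
        rows.append((t, len({c[0] for c in polys}), len(polys)))
    return rows


if __name__ == "__main__":
    slices = (7, 2, 11, 5)  # constructed sample: four slices of the secret
    print(f"{'t':>2} {'a_0 only':>9} {'sliced':>7}   (secret space: {P} vs {P**K})")
    for t, standard, sliced in leakage_table(slices):
        print(f"{t:>2} {standard:>9} {sliced:>7}")
```

With the secret in $a_0$ alone, every value remains possible until the $k$-th share arrives; with the sliced variant each share divides the candidate set by $p$, so at the question's parameters three shares leave about $2^{64}$ candidates for the 256-bit secret.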