tss 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,1456 @@
1
+
2
+
3
+
4
+ Network Working Group D. McGrew
5
+ Internet-Draft Cisco Systems, Inc.
6
+ Intended status: Informational P. Patnala
7
+ Expires: September 4, 2010 Consultant
8
+ A. Hoenes
9
+ TR-Sys
10
+ March 3, 2010
11
+
12
+
13
+ Threshold Secret Sharing
14
+ draft-mcgrew-tss-03.txt
15
+
16
+ Abstract
17
+
18
+ Threshold Secret Sharing (TSS) provides a way to generate N shares
19
+ from a value, so that any M of those shares can be used to
20
+ reconstruct the original value, but any M-1 shares provide no
21
+ information about that value. This method can provide shared access
22
+ control on key material and other secrets that must be strongly
23
+ protected.
24
+
25
+ This note defines a threshold secret sharing method based on
26
+ polynomial interpolation in GF(256) and a format for the storage and
27
+ transmission of shares. It also provides usage guidance, describes
28
+ how to test an implementation, and supplies test cases.
29
+
30
+ Status of this Memo
31
+
32
+ This Internet-Draft is submitted to IETF in full conformance with the
33
+ provisions of BCP 78 and BCP 79.
34
+
35
+ Internet-Drafts are working documents of the Internet Engineering
36
+ Task Force (IETF), its areas, and its working groups. Note that
37
+ other groups may also distribute working documents as Internet-
38
+ Drafts.
39
+
40
+ Internet-Drafts are draft documents valid for a maximum of six months
41
+ and may be updated, replaced, or obsoleted by other documents at any
42
+ time. It is inappropriate to use Internet-Drafts as reference
43
+ material or to cite them other than as "work in progress."
44
+
45
+ The list of current Internet-Drafts can be accessed at
46
+ http://www.ietf.org/ietf/1id-abstracts.txt.
47
+
48
+ The list of Internet-Draft Shadow Directories can be accessed at
49
+ http://www.ietf.org/shadow.html.
50
+
51
+ This Internet-Draft will expire on September 4, 2010.
52
+
53
+
54
+
55
+ McGrew, et al. Expires September 4, 2010 [Page 1]
56
+
57
+ Internet-Draft Threshold Secret Sharing March 2010
58
+
59
+
60
+ Copyright Notice
61
+
62
+ Copyright (c) 2010 IETF Trust and the persons identified as the
63
+ document authors. All rights reserved.
64
+
65
+ This document is subject to BCP 78 and the IETF Trust's Legal
66
+ Provisions Relating to IETF Documents
67
+ (http://trustee.ietf.org/license-info) in effect on the date of
68
+ publication of this document. Please review these documents
69
+ carefully, as they describe your rights and restrictions with respect
70
+ to this document. Code Components extracted from this document must
71
+ include Simplified BSD License text as described in Section 4.e of
72
+ the Trust Legal Provisions and are provided without warranty as
73
+ described in the BSD License.
74
+
75
+
76
+ Table of Contents
77
+
78
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
79
+ 1.1. Conventions Used In This Document . . . . . . . . . . . . 3
80
+ 2. Operations . . . . . . . . . . . . . . . . . . . . . . . . . . 4
81
+ 2.1. Create Shares . . . . . . . . . . . . . . . . . . . . . . 4
82
+ 2.2. Reconstruct Secret . . . . . . . . . . . . . . . . . . . . 4
83
+ 3. Polynomial Interpolation over GF(256) . . . . . . . . . . . . 5
84
+ 3.1. Field Representation . . . . . . . . . . . . . . . . . . . 5
85
+ 3.2. Share Generation . . . . . . . . . . . . . . . . . . . . . 7
86
+ 3.3. Secret Reconstruction . . . . . . . . . . . . . . . . . . 8
87
+ 4. Robust Threshold Secret Sharing . . . . . . . . . . . . . . . 10
88
+ 4.1. RTSS Data Format . . . . . . . . . . . . . . . . . . . . . 10
89
+ 5. Error Correction and Data Recovery . . . . . . . . . . . . . . 13
90
+ 5.1. Data Recovery . . . . . . . . . . . . . . . . . . . . . . 13
91
+ 5.2. Error Correction . . . . . . . . . . . . . . . . . . . . . 13
92
+ 5.3. A Repetition Code . . . . . . . . . . . . . . . . . . . . 15
93
+ 6. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
94
+ 7. Design and Rationale . . . . . . . . . . . . . . . . . . . . . 18
95
+ 8. Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
96
+ 9. Test Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 20
97
+ 10. Security Considerations . . . . . . . . . . . . . . . . . . . 21
98
+ 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
99
+ 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 23
100
+ 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 24
101
+ 13.1. Normative References . . . . . . . . . . . . . . . . . . . 24
102
+ 13.2. Informative References . . . . . . . . . . . . . . . . . . 24
103
+ Appendix A. Mathematical Background . . . . . . . . . . . . . . . 25
104
+ Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26
105
+
106
+
107
+
108
+
109
+
110
+
111
+ McGrew, et al. Expires September 4, 2010 [Page 2]
112
+
113
+ Internet-Draft Threshold Secret Sharing March 2010
114
+
115
+
116
+ 1. Introduction
117
+
118
+ Threshold secret sharing (TSS) provides a way to generate N shares
119
+ from a value, so that any M of those shares can be used to
120
+ reconstruct the original value, but any M-1 shares provide no
121
+ information about that value. This method does not rely on any
122
+ assumptions about the complexity of solving a particular
123
+ computational problem (such as factoring); it is information-
124
+ theoretically secure. Each share is slightly longer than the
125
+ original secret.
126
+
127
+ In the context of secret sharing, the word "share" means a part of
128
+ something, and "sharing" means the act of breaking up into parts.
129
+ Readers may be confused if they think of "sharing" as meaning "giving
130
+ to or possessing with others".
131
+
132
+ TSS is especially useful whenever there is a need to ensure the
133
+ availability of a secret, yet there is a simultaneous need to reduce
134
+ the risk of compromise of the secret. By dividing the secret into
135
+ multiple shares, and distributing each share to a different trusted
136
+ entity, TSS reduces that risk while providing for the availability of
137
+ the secret. At the time that the secret is divided into shares, the
138
+ threshold defining a number of shares that are needed to reconstruct
139
+ the secret is set.
140
+
141
+ TSS can be applied to any secret key, such as one used to encrypt
142
+ data at rest, or to any private key, such as the signing key used by
143
+ a certificate authority. It can be used to create a "backup" copy of
144
+ a key, to protect against the loss or corruption of an "active" copy
145
+ of the key. Alternatively, TSS can be applied to a key, and then the
146
+ original key can be deleted, as a means of enforcing shared access
147
+ control on that key.
148
+
149
+ 1.1. Conventions Used In This Document
150
+
151
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
152
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
153
+ document are to be interpreted as described in [RFC2119].
154
+
155
+
156
+
157
+
158
+
159
+
160
+
161
+
162
+
163
+
164
+
165
+
166
+
167
+ McGrew, et al. Expires September 4, 2010 [Page 3]
168
+
169
+ Internet-Draft Threshold Secret Sharing March 2010
170
+
171
+
172
+ 2. Operations
173
+
174
+ A threshold secret sharing system provides two operations: one that
175
+ creates a set of shares given a secret, and one that reconstructs the
176
+ secret, given a set of shares. This section defines the inputs and
177
+ outputs of these operations. The following sections describe the
178
+ details of TSS based on a polynomial interpolation in GF(256).
179
+
180
+ 2.1. Create Shares
181
+
182
+ This operation takes an octet string S, whose length is L octets, and
183
+ a threshold parameter M, and generates a set of N shares, any M of
184
+ which can be used to reconstruct the secret.
185
+
186
+ The secret S is treated as an unstructured sequence of octets. It is
187
+ not expected to be null-terminated. The number of octets in the
188
+ secret may be anywhere from zero up to 65,534 (that is, two less than
189
+ 2^16).
190
+
191
+ The threshold parameter M is the number of shares that will be needed
192
+ to reconstruct the secret. This value may be any number between one
193
+ and 255, inclusive.
194
+
195
+ The number of shares N that will be generated MUST be between the
196
+ threshold value M and 255, inclusive. The upper limit is particular
197
+ to the TSS algorithm specified in this document.
198
+
199
+ If the operation can not be completed successfully, then an error
200
+ code should be returned.
201
+
202
+ 2.2. Reconstruct Secret
203
+
204
+ The reconstruct operation reconstructs the secret from a set of
205
+ shares.
206
+
207
+ The number of shares N must be provided as a parameter.
208
+
209
+ The only other parameter is the list of shares themselves. The
210
+ shares should be treated as unstructured octet strings.
211
+
212
+ If the operation could be completed successfully, then the secret
213
+ value will be returned.
214
+
215
+ If the operation can not be completed successfully, then an error
216
+ code should be returned.
217
+
218
+
219
+
220
+
221
+
222
+
223
+ McGrew, et al. Expires September 4, 2010 [Page 4]
224
+
225
+ Internet-Draft Threshold Secret Sharing March 2010
226
+
227
+
228
+ 3. Polynomial Interpolation over GF(256)
229
+
230
+ A finite field is a set of elements with associated addition,
231
+ multiplication, subtraction, and division operations. Each of those
232
+ operations acts on elements in the field, and returns an element in
233
+ the field. This specification uses the field GF(256), and each
234
+ element is represented as a single octet. There are many possible
235
+ ways to represent a finite field; below we define the field
236
+ arithmetic operations as having inputs and outputs that are octets.
237
+ This fixes a particular representation, without explicitly defining
238
+ it, and it avoids the issue of the bit-representation of octets. In
239
+ this representation, the zero field element is the zero octet, and
240
+ the unity field element is 0x01 (hexadecimal).
241
+
242
+ 3.1. Field Representation
243
+
244
+ Each element of the field GF(256) is represented as an octet. In the
245
+ following, each octet is represented as a hexadecimal number with a
246
+ leading "0x", as in ANSI/ISO C. The representation of the finite
247
+ field that we use is defined in terms of the addition, subtraction,
248
+ multiplication, and division operations. We define these operations
249
+ as taking two octets as input and returning a single octet as output.
250
+ In order to distinguish GF(256) arithmetic from integer arithmetic,
251
+ we denote addition and multiplication in GF(256) as (+) and (*),
252
+ respectively. We also refer to the summation and product operations
253
+ in GF(256) as GF_SUM and GF_PRODUCT, respectively.
254
+
255
+ The multiplication in GF(256) and its inverse operation (division)
256
+ are defined in terms of two tables, the EXP table (Figure 1) and the
257
+ LOG table (Figure 2), which define the exponential function and the
258
+ logarithmic function, respectively. The ith elements of these tables
259
+ are denoted as EXP[i] and LOG[i]. LOG takes a non-zero field element
260
+ as input, and returns an integer, and EXP takes an integer and
261
+ returns a field element.
262
+
263
+ The addition operation returns the bitwise exclusive-or of its
264
+ operands. The subtraction operation is identical, because the field
265
+ has characteristic two.
266
+
267
+ The multiplication operation takes two elements X and Y as input and
268
+ proceeds as follows. If either X or Y is equal to 0x00, then the
269
+ operation returns 0x00. Otherwise, the value EXP[ (LOG[X] + LOG[Y])
270
+ modulo 255] is returned.
271
+
272
+ The division operation takes a dividend X and a divisor Y as input
273
+ and computes X divided by Y as follows. If X is equal to 0x00, then
274
+ the operation returns 0x00. If Y is equal to 0x00, then the input is
275
+ invalid, and an error condition occurs. Otherwise, the value EXP[
276
+
277
+
278
+
279
+ McGrew, et al. Expires September 4, 2010 [Page 5]
280
+
281
+ Internet-Draft Threshold Secret Sharing March 2010
282
+
283
+
284
+ (LOG[X] - LOG[Y]) modulo 255] is returned.
285
+
286
+ The operation of raising a field element X to a power i, where i is a
287
+ positive integer, is denoted as X^i, and it consists of multiplying X
288
+ by itself i times.
289
+
290
+ 0x01, 0x03, 0x05, 0x0f, 0x11, 0x33, 0x55, 0xff,
291
+ 0x1a, 0x2e, 0x72, 0x96, 0xa1, 0xf8, 0x13, 0x35,
292
+ 0x5f, 0xe1, 0x38, 0x48, 0xd8, 0x73, 0x95, 0xa4,
293
+ 0xf7, 0x02, 0x06, 0x0a, 0x1e, 0x22, 0x66, 0xaa,
294
+ 0xe5, 0x34, 0x5c, 0xe4, 0x37, 0x59, 0xeb, 0x26,
295
+ 0x6a, 0xbe, 0xd9, 0x70, 0x90, 0xab, 0xe6, 0x31,
296
+ 0x53, 0xf5, 0x04, 0x0c, 0x14, 0x3c, 0x44, 0xcc,
297
+ 0x4f, 0xd1, 0x68, 0xb8, 0xd3, 0x6e, 0xb2, 0xcd,
298
+ 0x4c, 0xd4, 0x67, 0xa9, 0xe0, 0x3b, 0x4d, 0xd7,
299
+ 0x62, 0xa6, 0xf1, 0x08, 0x18, 0x28, 0x78, 0x88,
300
+ 0x83, 0x9e, 0xb9, 0xd0, 0x6b, 0xbd, 0xdc, 0x7f,
301
+ 0x81, 0x98, 0xb3, 0xce, 0x49, 0xdb, 0x76, 0x9a,
302
+ 0xb5, 0xc4, 0x57, 0xf9, 0x10, 0x30, 0x50, 0xf0,
303
+ 0x0b, 0x1d, 0x27, 0x69, 0xbb, 0xd6, 0x61, 0xa3,
304
+ 0xfe, 0x19, 0x2b, 0x7d, 0x87, 0x92, 0xad, 0xec,
305
+ 0x2f, 0x71, 0x93, 0xae, 0xe9, 0x20, 0x60, 0xa0,
306
+ 0xfb, 0x16, 0x3a, 0x4e, 0xd2, 0x6d, 0xb7, 0xc2,
307
+ 0x5d, 0xe7, 0x32, 0x56, 0xfa, 0x15, 0x3f, 0x41,
308
+ 0xc3, 0x5e, 0xe2, 0x3d, 0x47, 0xc9, 0x40, 0xc0,
309
+ 0x5b, 0xed, 0x2c, 0x74, 0x9c, 0xbf, 0xda, 0x75,
310
+ 0x9f, 0xba, 0xd5, 0x64, 0xac, 0xef, 0x2a, 0x7e,
311
+ 0x82, 0x9d, 0xbc, 0xdf, 0x7a, 0x8e, 0x89, 0x80,
312
+ 0x9b, 0xb6, 0xc1, 0x58, 0xe8, 0x23, 0x65, 0xaf,
313
+ 0xea, 0x25, 0x6f, 0xb1, 0xc8, 0x43, 0xc5, 0x54,
314
+ 0xfc, 0x1f, 0x21, 0x63, 0xa5, 0xf4, 0x07, 0x09,
315
+ 0x1b, 0x2d, 0x77, 0x99, 0xb0, 0xcb, 0x46, 0xca,
316
+ 0x45, 0xcf, 0x4a, 0xde, 0x79, 0x8b, 0x86, 0x91,
317
+ 0xa8, 0xe3, 0x3e, 0x42, 0xc6, 0x51, 0xf3, 0x0e,
318
+ 0x12, 0x36, 0x5a, 0xee, 0x29, 0x7b, 0x8d, 0x8c,
319
+ 0x8f, 0x8a, 0x85, 0x94, 0xa7, 0xf2, 0x0d, 0x17,
320
+ 0x39, 0x4b, 0xdd, 0x7c, 0x84, 0x97, 0xa2, 0xfd,
321
+ 0x1c, 0x24, 0x6c, 0xb4, 0xc7, 0x52, 0xf6, 0x00
322
+
323
+ Figure 1: The EXP table. The elements are to be read from top to
324
+ bottom and left to right. For example, EXP[0] is 0x01, EXP[8] is
325
+ 0x1a, and so on. Note that the EXP[255] entry is present only as a
326
+ placeholder, and is not actually used in any computation.
327
+
328
+
329
+
330
+
331
+
332
+
333
+
334
+
335
+ McGrew, et al. Expires September 4, 2010 [Page 6]
336
+
337
+ Internet-Draft Threshold Secret Sharing March 2010
338
+
339
+
340
+ 0, 0, 25, 1, 50, 2, 26, 198,
341
+ 75, 199, 27, 104, 51, 238, 223, 3,
342
+ 100, 4, 224, 14, 52, 141, 129, 239,
343
+ 76, 113, 8, 200, 248, 105, 28, 193,
344
+ 125, 194, 29, 181, 249, 185, 39, 106,
345
+ 77, 228, 166, 114, 154, 201, 9, 120,
346
+ 101, 47, 138, 5, 33, 15, 225, 36,
347
+ 18, 240, 130, 69, 53, 147, 218, 142,
348
+ 150, 143, 219, 189, 54, 208, 206, 148,
349
+ 19, 92, 210, 241, 64, 70, 131, 56,
350
+ 102, 221, 253, 48, 191, 6, 139, 98,
351
+ 179, 37, 226, 152, 34, 136, 145, 16,
352
+ 126, 110, 72, 195, 163, 182, 30, 66,
353
+ 58, 107, 40, 84, 250, 133, 61, 186,
354
+ 43, 121, 10, 21, 155, 159, 94, 202,
355
+ 78, 212, 172, 229, 243, 115, 167, 87,
356
+ 175, 88, 168, 80, 244, 234, 214, 116,
357
+ 79, 174, 233, 213, 231, 230, 173, 232,
358
+ 44, 215, 117, 122, 235, 22, 11, 245,
359
+ 89, 203, 95, 176, 156, 169, 81, 160,
360
+ 127, 12, 246, 111, 23, 196, 73, 236,
361
+ 216, 67, 31, 45, 164, 118, 123, 183,
362
+ 204, 187, 62, 90, 251, 96, 177, 134,
363
+ 59, 82, 161, 108, 170, 85, 41, 157,
364
+ 151, 178, 135, 144, 97, 190, 220, 252,
365
+ 188, 149, 207, 205, 55, 63, 91, 209,
366
+ 83, 57, 132, 60, 65, 162, 109, 71,
367
+ 20, 42, 158, 93, 86, 242, 211, 171,
368
+ 68, 17, 146, 217, 35, 32, 46, 137,
369
+ 180, 124, 184, 38, 119, 153, 227, 165,
370
+ 103, 74, 237, 222, 197, 49, 254, 24,
371
+ 13, 99, 140, 128, 192, 247, 112, 7
372
+
373
+ Figure 2: The LOG table. The elements are to be read from top to
374
+ bottom and left to right. For example, LOG[1] is 0, LOG[8] is 75,
375
+ and so on. Note that the LOG[0] entry is present only as a
376
+ placeholder, and is not actually used in any computation.
377
+
378
+ 3.2. Share Generation
379
+
380
+ We first define how to share a single octet.
381
+
382
+ The function f takes as input a single octet X that is not equal to
383
+ 0x00, and an array A of M octets, and returns a single octet. It is
384
+ defined as
385
+
386
+ f(X, A) = GF_SUM A[i] (*) X^i
387
+ i=0,M-1
388
+
389
+
390
+
391
+ McGrew, et al. Expires September 4, 2010 [Page 7]
392
+
393
+ Internet-Draft Threshold Secret Sharing March 2010
394
+
395
+
396
+ Because the GF_SUM summation takes place over GF(256), each addition
397
+ uses the exclusive-or operation, and not integer addition. Note that
398
+ the successive values of X^i used in the computation of the function
399
+ f can be computed by multiplying a value by X once for each term in
400
+ the summation.
401
+
402
+ To create N shares from a secret, with a threshold of M, the
403
+ following procedure, or any equivalent method, is used:
404
+
405
+ For each share, a distinct Share Index is generated. Each Share
406
+ Index is an octet other than the all-zero octet. All of the Share
407
+ Indexes used during a share generation process MUST be distinct.
408
+
409
+ Each share is initialized to the Share Index associated with that
410
+ share.
411
+
412
+ For each octet of the secret, the following steps are performed.
413
+ An array A of M octets is created, in which the array element A[0]
414
+ contains the octet of the secret, and the array elements A[1],
415
+ ..., A[M-1] contain octets that are selected independently and
416
+ uniformly at random. For each share, the value of f(X,A) is
417
+ computed, where X is the Share Index of the share, and the
418
+ resulting octet is appended to the share.
419
+
420
+ After the procedure is done, each share contains one more octet than
421
+ does the secret. The share format can be illustrated as
422
+
423
+ +---------+---------+---------+---------+---------+
424
+ | X | f(X,A) | f(X,B) | f(X,C) | ... |
425
+ +---------+---------+---------+---------+---------+
426
+
427
+ where X is the Share Index of the share, and A, B, and C are arrays
428
+ of M octets; A[0] is equal to the first octet of the secret, B[0] is
429
+ equal to the second octet of the secret, and so on.
430
+
431
+ 3.3. Secret Reconstruction
432
+
433
+ We define the function L_i (for i from 0 to M-1, inclusive) that
434
+ takes as input an array U of M pairwise distinct octets, and is
435
+ defined as
436
+
437
+ U[j]
438
+ L_i(U) = GF_PRODUCT -------------
439
+ j=0,M-1, j!=i U[j] (+) U[i]
440
+
441
+ Here the product runs over all of the values of j from 0 to M-1,
442
+ excluding the value i. (This function is equal to ith Lagrange
443
+ function, evaluated at zero.) Note that the denominator in the above
444
+
445
+
446
+
447
+ McGrew, et al. Expires September 4, 2010 [Page 8]
448
+
449
+ Internet-Draft Threshold Secret Sharing March 2010
450
+
451
+
452
+ expression is never equal to zero because U[i] is not equal to U[j]
453
+ whenever i is not equal to j.
454
+
455
+ We denote the interpolation function as I. This function takes as
456
+ input two arrays U and V, each consisting of M octets, and returns a
457
+ single octet; it is defined as
458
+
459
+ I(U, V) = GF_SUM L_i(U) (*) V[i].
460
+ i=0,M-1
461
+
462
+ To reconstruct a secret from a set of shares, the following
463
+ procedure, or any equivalent method, is used:
464
+
465
+ If the number of shares provided as input to the secret
466
+ reconstruction operation is greater than the threshold M, then M
467
+ of those shares are selected for use in the operation. The method
468
+ used to select the shares can be arbitrary.
469
+
470
+ If the shares are not equal length, then the input is
471
+ inconsistent. An error should be reported, and processing must
472
+ halt.
473
+
474
+ The output string is initialized to the empty (zero-length) octet
475
+ string.
476
+
477
+ The octet array U is formed by setting U[i] equal to the first
478
+ octet of the ith share. (Note that the ordering of the shares is
479
+ arbitrary, but must be consistent throughout this algorithm.)
480
+
481
+ The initial octet is stripped from each share.
482
+
483
+ If any two elements of the array U have the same value, then an
484
+ error condition has occurred; this fact should be reported, then
485
+ the procedure must halt.
486
+
487
+ For each octet of the shares, the following steps are performed.
488
+ An array V of M octets is created, in which the array element V[i]
489
+ contains the octet from the ith share. The value of I(U, V) is
490
+ computed, then appended to the output string.
491
+
492
+ The output string is returned.
493
+
494
+ After the procedure is done, the string that is returned contains one
495
+ fewer octet than do the shares.
496
+
497
+
498
+
499
+
500
+
501
+
502
+
503
+ McGrew, et al. Expires September 4, 2010 [Page 9]
504
+
505
+ Internet-Draft Threshold Secret Sharing March 2010
506
+
507
+
508
+ 4. Robust Threshold Secret Sharing
509
+
510
+ A robust TSS system, or RTSS, is one that provides security even when
511
+ one or more of the shares that are provided to the reconstruction
512
+ algorithm may be crafted by a malicious adversary. In addition, an
513
+ RTSS system will detect unintentional corruption of the shares.
514
+
515
+ We provide robustness by adding a pre-processing step to the TSS
516
+ share generation step, and a post-processing step to the TSS secret
517
+ reconstruction step. The pre-processing consists of taking the
518
+ secret S, then appending a hash H(S) to it. The post-processing step
519
+ consists of verifying that the reconstructed secret has the form S ||
520
+ H(S), where the symbol || denotes the concatenation operation. The
521
+ hash function must be collision-resistant; all RTSS implementations
522
+ MUST support the SHA-256 hash algorithm [SHS].
523
+
524
+ If the robust reconstruction operation fails, and the number of
525
+ shares that are available is greater than the threshold, then the
526
+ operation MAY be tried on a different set of shares.
527
+
528
+ An RTSS system can perform an additional operation that verifies the
529
+ validity of a set of shares. This operation has the same inputs as
530
+ the Reconstruct operation. Its output consists of an indication
531
+ whether or not the secret could be reconstructed, but the secret
532
+ itself is not returned. This operation may be useful in a situation
533
+ in where the availability of a secret must be verified, for example,
534
+ as part of an audit.
535
+
536
+ 4.1. RTSS Data Format
537
+
538
+ We use a data format with the following fields, in order:
539
+
540
+ Identifier. This field contains 16 octets. It identifies the secret
541
+ with which a share is associated. All of the shares associated
542
+ with a particular secret MUST use the same value Identifier. When
543
+ a secret is reconstructed, the Identifier fields of each of the
544
+ shares used as input MUST have the same value. The value of the
545
+ Identifier should be chosen so that it is unique, but the details
546
+ on how it is chosen are out of scope of this document.
547
+
548
+ Hash Algorithm Identifier. This field contains a single octet that
549
+ indicates the hash function used in the RTSS processing, if any.
550
+ A value of zero indicates that no hash algorithm was used, no hash
551
+ was appended to the secret, and no RTSS check should be performed
552
+ after the reconstruction of the secret. Other values are defined
553
+ in the table below.
554
+
555
+
556
+
557
+
558
+
559
+ McGrew, et al. Expires September 4, 2010 [Page 10]
560
+
561
+ Internet-Draft Threshold Secret Sharing March 2010
562
+
563
+
564
+ Threshold. This field contains a single octet that indicates the
565
+ number of shares required to reconstruct the secret. This field
566
+ MUST be checked during the reconstruction process, and that
567
+ process MUST halt and return an error if the number of shares
568
+ available is fewer than the value indicated in this field.
569
+
570
+ Share Length. This field is two octets long. It contains the number
571
+ of octets in the Share Data field, represented as an unsigned
572
+ integer in network byte order.
573
+
574
+ Share Data. This field has a length that is a variable number of
575
+ octets. It contains the actual share data.
576
+
577
+ This format is illustrated in Figure 3.
578
+
579
+ 0 1 2 3
580
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
581
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
582
+ | |
583
+ | Identifier |
584
+ | |
585
+ | |
586
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
587
+ | Hash Alg. Id. | Threshold | Share Length |
588
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
589
+ : :
590
+ : Share Data :
591
+ : :
592
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
593
+
594
+ Figure 3: Share Format.
595
+
596
+ The correspondence between the Hash Algorithm Identifier field and
597
+ the hash algorithm used in RTSS is defined by the table below. Each
598
+ hash function outputs a fixed number of octets; the length of the
599
+ output of each hash is indicated in the table.
600
+
601
+
602
+
603
+
604
+
605
+
606
+
607
+
608
+
609
+
610
+
611
+
612
+
613
+
614
+
615
+ McGrew, et al. Expires September 4, 2010 [Page 11]
616
+
617
+ Internet-Draft Threshold Secret Sharing March 2010
618
+
619
+
620
+ +-----------------+---------------------------+-----------------+
621
+ | Hash Algorithm | Hash Algorithm Identifier | Length (octets) |
622
+ +-----------------+---------------------------+-----------------+
623
+ | NULL_HASH | 0 | 0 |
624
+ | | | |
625
+ | SHA-1 [SHS] | 1 | 20 |
626
+ | | | |
627
+ | SHA-256 [SHS] | 2 | 32 |
628
+ | | | |
629
+ | RESERVED | 3-127 | not applicable |
630
+ | | | |
631
+ | Vendor specific | 128-255 | not applicable |
632
+ +-----------------+---------------------------+-----------------+
633
+
634
+
635
+
636
+
637
+
638
+
639
+
640
+
641
+
642
+
643
+
644
+
645
+
646
+
647
+
648
+
649
+
650
+
651
+
652
+
653
+
654
+
655
+
656
+
657
+
658
+
659
+
660
+
661
+
662
+
663
+
664
+
665
+
666
+
667
+
668
+
669
+
670
+
671
+ McGrew, et al. Expires September 4, 2010 [Page 12]
672
+
673
+ Internet-Draft Threshold Secret Sharing March 2010
674
+
675
+
676
+ 5. Error Correction and Data Recovery
677
+
678
+ TSS and RTSS are suitable for the protection of long-term key
679
+ material. In such applications, it is highly desirable to provide
680
+ protection against the accidental corruption of the shares. This
681
+ section defines data formats that can be used to protect shares.
682
+ These formats are optional extensions to the basic TSS and RTSS
683
+ systems.
684
+
685
+ 5.1. Data Recovery
686
+
687
+ To protect against the corruption of the filesystem that is holding
688
+ the shares, a "magic number" can be used as the initial part of the
689
+ share data format [FILESIG]. A magic number is a constant data
690
+ string that is chosen arbitrarily, but which is unlikely to appear in
691
+ other contexts, and thus can be used to recognize a data format when
692
+ it appears in an arbitrary data stream. The use of a magic number in
693
+ the data format for a share greatly simplifies the task of finding a
694
+ share after a filesystem has been corrupted.
695
+
696
+ The 8-octet magic number f628f91b52023d11 (hexadecimal) SHOULD be
697
+ used. The number was selected randomly from a uniform distribution.
698
+
699
+ 5.2. Error Correction
700
+
701
+ To protect against data corruption in the underlying media, an error-
702
+ correcting code (ECC) can be used. An ECC system consists of an
703
+ encoding function, which maps the data to a codeword, and a decoding
704
+ function, which maps a (possibly corrupted) codeword to the data.
705
+ The simplest such code is a repetition code, in which multiple copies
706
+ of the data are stored. In this specification, all ECCs must be
707
+ systematic, that is, the data must appear as the initial bytes of the
708
+ codeword. This property allows an implementation of the ECC to avoid
709
+ the implementation of the full decoding algorithm.
710
+
711
+ We use a data format that incorporates the following fields, in
712
+ order:
713
+
714
+ Encoding Type. This field is four octets long. It contains an
715
+ unsigned integer in network byte order that denotes the type of
716
+ the encoding, i.e. the algorithm that was used during the encoding
717
+ process.
718
+
719
+ Data Length. This field is four octets long. It contains an
720
+ unsigned integer in network byte order that denotes the number of
721
+ octets in the Data field.
722
+
723
+
724
+
725
+
726
+
727
+ McGrew, et al. Expires September 4, 2010 [Page 13]
728
+
729
+ Internet-Draft Threshold Secret Sharing March 2010
730
+
731
+
732
+ Redundancy Length. This field is four octets long. It contains an
733
+ unsigned integer in network byte order that denotes the number of
734
+ octets in the Redundancy field.
735
+
736
+ Data. This field has a length that is a variable number of octets,
737
+ which is indicated by the Data Length field. It contains the data
738
+ that is intended to be conveyed by the code. If no data
739
+ corruption has occurred, then this field will contain the data
740
+ that was originally encoded.
741
+
742
+ Redundancy. This field has a length that is a variable number of
743
+ octets, which is indicated by the Redundancy Length field. It
744
+ contains information that can be used to check whether or not
745
+ there are any errors in the Data field, and to correct some errors
746
+ that may have occurred.
747
+
748
+ This format is illustrated in Figure 4.
749
+
750
+ +--------------------------------+
751
+ | Encoding Type |
752
+ | (4 octets) |
753
+ +--------------------------------+
754
+ | Data Length |
755
+ | (4 octets) |
756
+ +--------------------------------+
757
+ | Redundancy Length |
758
+ | (4 octets) |
759
+ +--------------------------------+
760
+ | |
761
+ ~ Data ~
762
+ | (variable number of octets) |
763
+ | |
764
+ +--------------------------------+
765
+ | |
766
+ ~ Redundancy ~
767
+ | (variable number of octets) |
768
+ | |
769
+ +--------------------------------+
770
+
771
+ Figure 4: Error Correction Format.
772
+
773
+ If a code has a free parameter, the value of that parameter MUST be
774
+ inferable from the values of the Data Length and Redundancy Length
775
+ fields.
776
+
777
+
778
+
779
+
780
+
781
+
782
+
783
+ McGrew, et al. Expires September 4, 2010 [Page 14]
784
+
785
+ Internet-Draft Threshold Secret Sharing March 2010
786
+
787
+
788
+ 5.3. A Repetition Code
789
+
790
+ This section defines a format for a repetition code, which is a
791
+ particular error correcting code that is conceptually simple and easy
792
+ to implement.
793
+
794
+ The value of the Encoding Type field is equal to 0000001
795
+ (hexadecimal).
796
+
797
+ The Redundancy field contains R copies of the Data field, where R is
798
+ an even number. The Redundancy Length is equal to the Data Length
799
+ times R. The value of R MAY be equal to zero, in which case no error
800
+ detection or correction is possible (but implementation is simple).
801
+ The value of R SHOULD be at least two.
802
+
803
+ For example, if the data that is encoded is equal to 68656c6c6f
804
+ (hexadecimal), then the ECF data with R=2 would be
805
+
806
+ <- ET -><- DL -><- RL -><- Data -><--- Redundancy --->
807
+ 00000001000000050000000a68656c6c6f68656c6c6f68656c6c6f
808
+
809
+ To check the Data field for errors, that field should be compared
810
+ with each of its copies in the redundancy field.
811
+
812
+ The Repetition Code can be decoded by using majority-logic decoding.
813
+ Considering both the Data and Redundancy fields, there are R+1
814
+ (possibly corrupted) copies of the original data, where R+1 is an odd
815
+ number. The decoding process independently considers each octet of
816
+ the Data field, and the corresponding octets of the copies that
817
+ appear in the Redundancy field. That is, the ith octet of the Data,
818
+ plus octets i, L+i, 2L+i, ... , RL+i, are analyzed independent from
819
+ all other octets, where L is the value of the Data Length field. The
820
+ following algorithm is applied to these octets. The binary
821
+ representation of each octet is considered. For each bit in that
822
+ representation, if more of the copies have a "1" in that position
823
+ than have a "0" in that position, then that position is decoded to
824
+ the value "1"; otherwise, it is decoded to "0". This process is
825
+ repeated for all of the bit position. After all of the bits in the
826
+ octet have been decoded, the value of the ith octet in the output of
827
+ the decoding algorithm is computed, using the same binary
828
+ representation as before.
829
+
830
+ For example, if the data that was encoded in the previous example was
831
+ corrupted to the value
832
+
833
+ <- ET -><- DL -><- RL -><- Data -><--- Redundancy --->
834
+ 00000001000000050000000a68656c6c2f68656c6cef68656c6c6f
835
+ ** ** **
836
+
837
+
838
+
839
+ McGrew, et al. Expires September 4, 2010 [Page 15]
840
+
841
+ Internet-Draft Threshold Secret Sharing March 2010
842
+
843
+
844
+ then decoding would proceed as follows. The fifth octet of the Data
845
+ field is equal to 2f, while the fifth and tenth octets of the
846
+ Redundancy field are equal to ef and 6f, respectively. Using a bit
847
+ representation with the most significant bit on the left, the octets
848
+ and the "majority" octet are as follows:
849
+
850
+ hex binary
851
+ octet from Data 2f 00101111
852
+ octet from first copy ef 11101111
853
+ octet from second copy 6f 01101111
854
+ ----------------------------------------
855
+ majority 6f 01101111
856
+
857
+ Thus the fifth octet in the output of the decoding algorithm will be
858
+ 6f.
859
+
860
+
861
+
862
+
863
+
864
+
865
+
866
+
867
+
868
+
869
+
870
+
871
+
872
+
873
+
874
+
875
+
876
+
877
+
878
+
879
+
880
+
881
+
882
+
883
+
884
+
885
+
886
+
887
+
888
+
889
+
890
+
891
+
892
+
893
+
894
+
895
+ McGrew, et al. Expires September 4, 2010 [Page 16]
896
+
897
+ Internet-Draft Threshold Secret Sharing March 2010
898
+
899
+
900
+ 6. Format
901
+
902
+ This section summarizes the order of processing for when secret
903
+ sharing is performed using the facilities for robustness (RTSS),
904
+ error correction (ECC), and data recovery (Magic Number), and
905
+ clarifies the relationships between data formats. This processing
906
+ can be viewed as a layered model, as illustrated in Figure 5. (Note
907
+ that we have not adhered to a strictly layered model, for the sake of
908
+ simplicity, since the format defined by RTSS is used after the shares
909
+ are generated.)
910
+
911
+ When RTSS is used, it is applied to the secret before the sharing
912
+ operation (and is removed from the secret after the reconstruction
913
+ operation). The RTSS data format MUST be used.
914
+
915
+ When ECC is used, it is applied to the RTSS data after the sharing
916
+ operation, so that the ECC Data field contains the entire RTSS Data
917
+ Format.
918
+
919
+ When a Magic Number is used, it is added after the ECC formatting is
920
+ done, and it is prepended to the Error Correction Format.
921
+
922
+ Secret Secret
923
+ | ^
924
+ v |
925
+ +------------------+ +------------------+
926
+ | Append Hash | | Verify Hash |
927
+ +------------------+ +------------------+
928
+ | |
929
+ +------------------+ +------------------+
930
+ | Generate Shares | |Reconstruct Secret|
931
+ +------------------+ +------------------+
932
+ | |
933
+ +------------------+ +------------------+
934
+ | ECC Encoding | | ECC Decoding |
935
+ +------------------+ +------------------+
936
+ | |
937
+ +------------------+ +------------------+
938
+ | Add Magic Number | |Strip Magic Number|
939
+ +------------------+ +------------------+
940
+ | ^
941
+ v |
942
+ Shares ----------------> Shares
943
+
944
+ Figure 5: The combined processing model.
945
+
946
+
947
+
948
+
949
+
950
+
951
+ McGrew, et al. Expires September 4, 2010 [Page 17]
952
+
953
+ Internet-Draft Threshold Secret Sharing March 2010
954
+
955
+
956
+ 7. Design and Rationale
957
+
958
+ In this implementation, the secret and the shares are octet strings.
959
+ Each octet is treated as an element of the finite field GF(256). The
960
+ share-generation algorithm is applied to each octet of the secret
961
+ independently. Similarly, the octets are treated independently
962
+ during the reconstruction of the secrets from the shares.
963
+
964
+ Shamir's original description treats the secret as a large integer
965
+ modulo a large prime number [shamir]. The advantages of using a
966
+ vector over GF(256) are that the computations are more efficient and
967
+ the encoding is simpler. Multiplication and inversion over GF(256)
968
+ can be done with two table lookups and two exors, using two fixed
969
+ tables of 256 bytes each. One limitation of the GF(256) approach is
970
+ that the number of shares that can be generated cannot be greater
971
+ than 255; this limitation is unlikely to be important in practice,
972
+ since fewer than ten shares are typically used.
973
+
974
+ The reconstruction of the secret is done using Lagrange interpolation
975
+ polynomials. This method is simple and easily tested. For large
976
+ thresholds, this method is less efficient than an optimal method
977
+ would be. However, performance is still good, and it is expected
978
+ that the reconstruction of the secret will not be a performance-
979
+ critical operation.
980
+
981
+
982
+
983
+
984
+
985
+
986
+
987
+
988
+
989
+
990
+
991
+
992
+
993
+
994
+
995
+
996
+
997
+
998
+
999
+
1000
+
1001
+
1002
+
1003
+
1004
+
1005
+
1006
+
1007
+ McGrew, et al. Expires September 4, 2010 [Page 18]
1008
+
1009
+ Internet-Draft Threshold Secret Sharing March 2010
1010
+
1011
+
1012
+ 8. Testing
1013
+
1014
+ As with every crypto algorithm, it is essential to test an
1015
+ implementation of TSS or RTSS for correctness. This section provides
1016
+ guidance for such testing.
1017
+
1018
+ The Secret Reconstruction algorithm can be tested using Known Answer
1019
+ Tests (KATs). Test cases are provided in Section 9.
1020
+
1021
+ The Share Generation algorithm cannot be directly tested using a KAT.
1022
+ It can be indirectly tested by generating secret values uniformly at
1023
+ random, then applying the Share Generation process to them to
1024
+ generate a set of shares, then applying the Share Reconstruction
1025
+ algorithm to the shares, then finally comparing the reconstructed
1026
+ secret to the original secret. Implementations SHOULD perform this
1027
+ test, using a variety of thresholds and secret lengths.
1028
+
1029
+ The Share Index (the initial octet of each share) can never be equal
1030
+ to zero. This property SHOULD be tested.
1031
+
1032
+ The random source must be tested to ensure that it has high min-
1033
+ entropy.
1034
+
1035
+
1036
+
1037
+
1038
+
1039
+
1040
+
1041
+
1042
+
1043
+
1044
+
1045
+
1046
+
1047
+
1048
+
1049
+
1050
+
1051
+
1052
+
1053
+
1054
+
1055
+
1056
+
1057
+
1058
+
1059
+
1060
+
1061
+
1062
+
1063
+ McGrew, et al. Expires September 4, 2010 [Page 19]
1064
+
1065
+ Internet-Draft Threshold Secret Sharing March 2010
1066
+
1067
+
1068
+ 9. Test Cases
1069
+
1070
+ This section provides test cases that can be used to validate an
1071
+ implementation of the Secret Reconstruction algorithm. All values
1072
+ are in hexadecimal.
1073
+
1074
+ algorithm - The algorithm used in the test case.
1075
+
1076
+ secret - The secret value to be split into shares.
1077
+
1078
+ threshold - The number of shares required to reconstruct a secret;
1079
+ above, this value is associated with the variable M.
1080
+
1081
+ num. shares - The number of shares included in the example; above,
1082
+ this value is associated with the variable N.
1083
+
1084
+ share index - A share index. Each test case has multiple distinct
1085
+ share values, and each share is associated with a distinct share
1086
+ index.
1087
+
1088
+ share - A share value, which corresponds to the share index value
1089
+ immediately above it.
1090
+
1091
+
1092
+ algorithm = TSS
1093
+ secret = 7465737400
1094
+ threshold (M) = 2
1095
+ num. shares (N) = 2
1096
+ share index = 1
1097
+ share = B9FA07E185
1098
+ share index = 2
1099
+ share = F5409B4511
1100
+
1101
+
1102
+
1103
+
1104
+
1105
+
1106
+
1107
+
1108
+
1109
+
1110
+
1111
+
1112
+
1113
+
1114
+
1115
+
1116
+
1117
+
1118
+
1119
+ McGrew, et al. Expires September 4, 2010 [Page 20]
1120
+
1121
+ Internet-Draft Threshold Secret Sharing March 2010
1122
+
1123
+
1124
+ 10. Security Considerations
1125
+
1126
+ It is crucial for security that the source of randomness used in the
1127
+ share generation process by cryptographically strong; it MUST be
1128
+ suitable for generating cryptographic keys. [RFC4086] provides
1129
+ guidance on the selection and implementation of random sources.
1130
+
1131
+ A TSS implementation SHOULD be tested as described in Section 8.
1132
+
1133
+ The confidentiality of the shares generated by TSS should be
1134
+ protected, since the exposure of too many shares will undermine the
1135
+ security of the system. Note that, in this regard, share values are
1136
+ more comparable to secret keys than to ciphertext.
1137
+
1138
+
1139
+
1140
+
1141
+
1142
+
1143
+
1144
+
1145
+
1146
+
1147
+
1148
+
1149
+
1150
+
1151
+
1152
+
1153
+
1154
+
1155
+
1156
+
1157
+
1158
+
1159
+
1160
+
1161
+
1162
+
1163
+
1164
+
1165
+
1166
+
1167
+
1168
+
1169
+
1170
+
1171
+
1172
+
1173
+
1174
+
1175
+ McGrew, et al. Expires September 4, 2010 [Page 21]
1176
+
1177
+ Internet-Draft Threshold Secret Sharing March 2010
1178
+
1179
+
1180
+ 11. IANA Considerations
1181
+
1182
+ This document has no actions for IANA.
1183
+
1184
+
1185
+
1186
+
1187
+
1188
+
1189
+
1190
+
1191
+
1192
+
1193
+
1194
+
1195
+
1196
+
1197
+
1198
+
1199
+
1200
+
1201
+
1202
+
1203
+
1204
+
1205
+
1206
+
1207
+
1208
+
1209
+
1210
+
1211
+
1212
+
1213
+
1214
+
1215
+
1216
+
1217
+
1218
+
1219
+
1220
+
1221
+
1222
+
1223
+
1224
+
1225
+
1226
+
1227
+
1228
+
1229
+
1230
+
1231
+ McGrew, et al. Expires September 4, 2010 [Page 22]
1232
+
1233
+ Internet-Draft Threshold Secret Sharing March 2010
1234
+
1235
+
1236
+ 12. Acknowledgements
1237
+
1238
+ Thanks to Brian Weis and Jack Lloyd for constructive feedback.
1239
+
1240
+
1241
+
1242
+
1243
+
1244
+
1245
+
1246
+
1247
+
1248
+
1249
+
1250
+
1251
+
1252
+
1253
+
1254
+
1255
+
1256
+
1257
+
1258
+
1259
+
1260
+
1261
+
1262
+
1263
+
1264
+
1265
+
1266
+
1267
+
1268
+
1269
+
1270
+
1271
+
1272
+
1273
+
1274
+
1275
+
1276
+
1277
+
1278
+
1279
+
1280
+
1281
+
1282
+
1283
+
1284
+
1285
+
1286
+
1287
+ McGrew, et al. Expires September 4, 2010 [Page 23]
1288
+
1289
+ Internet-Draft Threshold Secret Sharing March 2010
1290
+
1291
+
1292
+ 13. References
1293
+
1294
+ 13.1. Normative References
1295
+
1296
+ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
1297
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
1298
+
1299
+ [RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
1300
+ Requirements for Security", BCP 106, RFC 4086, June 2005.
1301
+
1302
+ [SHS] "FIPS 180-3: Secure Hash Standard,", Federal Information
1303
+ Processing Standard (FIPS) http://csrc.nist.gov/
1304
+ publications/fips/fips180-2/fips180-3.pdf, 2008.
1305
+
1306
+ 13.2. Informative References
1307
+
1308
+ [FILESIG] Kessler, G., "File Signatures Table", Web
1309
+ page http://www.garykessler.net/library/file_sigs.html,
1310
+ 2007.
1311
+
1312
+ [POLY] Seroussi, G., "Table of Low-Weight Binary Irreducible
1313
+ Polynomials", Hewlett-Packard Computer Systems Laboratory
1314
+ Technical Report HPL-98-135, 1998.
1315
+
1316
+ [shamir] Shamir, A., "How to share a secret", Communications of the
1317
+ ACM (22): 612-613, 1979.
1318
+
1319
+
1320
+
1321
+
1322
+
1323
+
1324
+
1325
+
1326
+
1327
+
1328
+
1329
+
1330
+
1331
+
1332
+
1333
+
1334
+
1335
+
1336
+
1337
+
1338
+
1339
+
1340
+
1341
+
1342
+
1343
+ McGrew, et al. Expires September 4, 2010 [Page 24]
1344
+
1345
+ Internet-Draft Threshold Secret Sharing March 2010
1346
+
1347
+
1348
+ Appendix A. Mathematical Background
1349
+
1350
+ In abstract algebra, a finite field is an algebraic structure for
1351
+ which the operations of addition, subtraction, multiplication and
1352
+ division are defined and satisfy certain axioms.
1353
+
1354
+ The field GF(256) has exactly 256 elements in it. There is only one
1355
+ field with that number of elements, but there are many different ways
1356
+ in which the elements of the field can be represented. This document
1357
+ uses a polynomial representation in which the field polynomial is the
1358
+ unique irreducible polynomial with minimum weight of degree 8 over
1359
+ GF(2) [POLY], hence it is the 'canonical' choice for a polynomial
1360
+ base representation of GF(256). This field representation is also
1361
+ used by the Advanced Encryption Standard (AES).
1362
+
1363
+
1364
+
1365
+
1366
+
1367
+
1368
+
1369
+
1370
+
1371
+
1372
+
1373
+
1374
+
1375
+
1376
+
1377
+
1378
+
1379
+
1380
+
1381
+
1382
+
1383
+
1384
+
1385
+
1386
+
1387
+
1388
+
1389
+
1390
+
1391
+
1392
+
1393
+
1394
+
1395
+
1396
+
1397
+
1398
+
1399
+ McGrew, et al. Expires September 4, 2010 [Page 25]
1400
+
1401
+ Internet-Draft Threshold Secret Sharing March 2010
1402
+
1403
+
1404
+ Authors' Addresses
1405
+
1406
+ David A. McGrew
1407
+ Cisco Systems, Inc.
1408
+ 510 McCarthy Blvd.
1409
+ Milpitas, CA 95035
1410
+ US
1411
+
1412
+ Email: mcgrew@cisco.com
1413
+ URI: http://www.mindspring.com/~dmcgrew/dam.htm
1414
+
1415
+
1416
+ Praveen Patnala
1417
+ Consultant
1418
+
1419
+ Email: praveenpatnala@yahoo.com
1420
+
1421
+
1422
+ Alfred Hoenes
1423
+ TR-Sys
1424
+ Gerlinger Str. 12
1425
+ Ditzingen D-71254
1426
+ Germany
1427
+
1428
+ Email: ah@TR-Sys.de
1429
+
1430
+
1431
+
1432
+
1433
+
1434
+
1435
+
1436
+
1437
+
1438
+
1439
+
1440
+
1441
+
1442
+
1443
+
1444
+
1445
+
1446
+
1447
+
1448
+
1449
+
1450
+
1451
+
1452
+
1453
+
1454
+
1455
+ McGrew, et al. Expires September 4, 2010 [Page 26]
1456
+