Yesterday I made a PR to a python crypto library to support key sizes larger than 16 bytes for Shamir secret sharing scheme.
Currently it supports 16 bytes, as follows:
$$
K = \{ 0, 1 \}^{128}
$$
$$
S_{128}(m, n, K) = s_1, ... , s_n
$$
To not change underlying function, and to support larger keys, I decided to split the key and run the function as many times as needs and concatenate the shares. 32 byte key example below using a limited 16 byte shamir split function.
$$
K = \{ 0, 1 \}^{256} = \{ 0, 1 \}^{128} | \{ 0, 1 \}^{128} = K_A | K_B
$$
$$
S_{128}(m, n, K_A) = s_{A1}, ... , s_{An}
$$
$$
S_{128}(m, n, K_B) = s_{B1}, ... , s_{Bn}
$$
$$
s_1 = s_{A1} | s_{B1}
$$
A couple people on the PR brought up that this is insecure, as you can attack each side in the case of 32 bytes, each side 16 bytes, means the key strength goes from 32 bytes (2**256) to 2 * (2 ** 128) = 2**129.
I don't believe this to be true, as there is no attack on one side that would let you know you've succeeded letting you proceed to the other side.
To take it the extreme, even if the shamir function only supported 1 byte (8 bit) key size, you would still maintain security doing the function in blocks and concatenating the resulting shares.
Let me know what you think.
