Score:1

Is ($2^{256} + 297$) safe to use as modulus in Shamir Secret Sharing?


The Python code example on Wikipedia uses the 12th Mersenne prime ($2^{127} - 1$) as the modulus. I'd like to share a 32-byte secret. Is it safe to simply change the modulus to p = $2^{256} + 297$?

benrg:
The answer to "is it safe" is yes, but if you're implicitly asking if it's a good solution to the problem of the message being larger than $2^{127}-1$, the answer is no. It's more efficient to divide the message into pieces, make shares of each piece, and concatenate them.
robb:
I think in this case I prefer code clarity to execution time. I am very rarely reconstructing my secret from the shares as this is for a cold wallet.
Command Master:
You can use $\text{GF}(2^{256})$ and then there would be no bias at all.
robb:
I agree -- and there are some implementations available that do that: https://www.npmjs.com/search?ranking=popularity&q=shamir I just found them difficult to understand, and using a simple prime field is much more clear for me. This question was mostly about confirming that it doesn't create a security issue to exclude ~300 points. In case it is useful for someone else, here is the code I am using in typescript: https://github.com/ScieNFT/contracts/blob/main/tools/secretShares.ts
poncho:
@CommandMaster: I would have suggested $GF(2^{256})$, however the Python designers completely forgot to include a multiplication method in the base package; either finding a Python library which supports it or coding it up yourself isn't *that* difficult; however I thought that was a bit too much work (and anyways, other than a few practical issues, there's nothing wrong with $2^{256}+297$)
Score:6

Is it safe to simply change the modulus to p = (2 ** 256 + 297)?

Shamir Secret Sharing can be safely done over any finite field, which includes any prime field (that is, where addition and multiplication are done modulo a prime).

$2^{256}+297$ is prime, and so using it as the modulus is safe.

One minor word of warning: for Shamir Secret Sharing to work, the secret coefficients (that is, the ones other than the linear term which is used as the shared secret) must be chosen randomly over the field. That is, if you use $p = 2^{256} + 297$, then you need to select them as random values between 0 and $p-1$. This isn't that difficult; you just need to keep that in mind.
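As an added example (not code from the thread, from Wikipedia, or from the linked repositories), the following Python shares a 32-byte secret both ways discussed above: directly over GF(p) with p = 2^256 + 297 as the question proposes, and cut into pieces over the Wikipedia example's Mersenne prime as benrg suggests in the comments. The non-constant coefficients are drawn with `secrets.randbelow(p)`, i.e. uniformly from 0..p-1 as the answer requires, and a Miller-Rabin check verifies the modulus is prime rather than assuming it. The function names and the 15-byte piece size are my own choices.

```python
import secrets

# Moduli discussed in the thread: the Mersenne prime used by the Wikipedia
# example and the prime just above 2^256 proposed in the question.
P_MERSENNE = 2**127 - 1
P_256 = 2**256 + 297
CHUNK = 15  # 120-bit pieces; chosen (assumption) so each one fits below 2^127 - 1


def is_probable_prime(n, rounds=32):
    """Miller-Rabin test: verify a candidate modulus instead of trusting it."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)  # random base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True


def split_secret(secret, threshold, shares, p):
    """Shamir split over GF(p): the constant term is the secret and the other
    threshold-1 coefficients are drawn uniformly from the whole field, 0..p-1."""
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    if not 1 <= threshold <= shares < p:
        raise ValueError("need 1 <= threshold <= shares < p")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(threshold - 1)]

    def evaluate(x):
        acc = 0
        for c in reversed(coeffs):  # Horner's rule, reduced mod p at each step
            acc = (acc * x + c) % p
        return acc

    return [(x, evaluate(x)) for x in range(1, shares + 1)]


def recover_secret(points, p):
    """Lagrange interpolation at x = 0 over GF(p) from `threshold` points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def split_bytes_direct(secret, threshold, shares, p=P_256):
    """The question's approach: a 32-byte secret is an integer below 2^256 < p."""
    return split_secret(int.from_bytes(secret, "big"), threshold, shares, p)


def recover_bytes_direct(shares, secret_len, p=P_256):
    return recover_secret(shares, p).to_bytes(secret_len, "big")


def split_bytes_chunked(secret, threshold, shares, p=P_MERSENNE):
    """benrg's approach: share each CHUNK-byte piece separately; party k's
    share is (x_k, [y for piece 0, y for piece 1, ...]) with x_k = k + 1."""
    pieces = [secret[i:i + CHUNK] for i in range(0, len(secret), CHUNK)]
    per_piece = [split_secret(int.from_bytes(piece, "big"), threshold, shares, p)
                 for piece in pieces]
    return [(k + 1, [pts[k][1] for pts in per_piece]) for k in range(shares)]


def recover_bytes_chunked(shares, secret_len, p=P_MERSENNE):
    """Reassemble a chunked secret; secret_len restores leading zero bytes."""
    out = b""
    for c in range(len(shares[0][1])):
        value = recover_secret([(x, ys[c]) for x, ys in shares], p)
        size = min(CHUNK, secret_len - c * CHUNK)
        out += value.to_bytes(size, "big")
    return out


if __name__ == "__main__":
    assert is_probable_prime(P_256) and is_probable_prime(P_MERSENNE)
    secret = bytes(range(32))  # constructed sample secret, not a real key
    direct = split_bytes_direct(secret, 3, 5)
    print(recover_bytes_direct(direct[:3], 32) == secret)
    chunked = split_bytes_chunked(secret, 2, 4)
    print(recover_bytes_chunked(chunked[1:3], 32) == secret)
```

Sampling with `secrets.randbelow(p)` is what makes the coefficients uniform over the full field; drawing 32 random bytes, as in robb's TypeScript, can never produce the 297 values from 2^256 to p-1 and so carries the slight bias Myria describes. The chunked variant needs 15-byte pieces precisely because a 16-byte piece would not fit under 2^127 - 1, which is the extra bookkeeping the direct variant avoids.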

robb:
I think I need my coefficients to be 32 bytes as well... I am choosing these as:

```typescript
const PRIME = BigNumber.from(2).pow(256).add(297);
ethers.BigNumber.from(ethers.utils.randomBytes(32)).mod(PRIME);
```

so randomly chosen over most but not all of the field...
Myria:
@robb The `.mod(PRIME)` is pointless when the maximum value 32 bytes can produce is $2^{256}-1$. (Unless the number is interpreted as signed, I suppose.) There is an extremely slight bias this way, because $2^{256}$ through $2^{256}+296$ can't happen, but most likely, this is negligible in a security evaluation.
robb:
Agreed -- this is just a holdover from when I transcoded from the Python... thanks!