(inspired by discussions with my colleagues Giorgos Zirdelis & Vishruti Ganesh; any mistakes are my own).
Consider the case of multiplication in 2-of-3 Shamir secret sharing. The goal is to compute the product of two secrets ; the parties should learn the product , but learn nothing else about and than could already be deduced from . After each party computes the product locally, they possess (in a sense) 3-of-3 Shamir shares of the product . As we’ll see below, however, if the parties reveal their shares without first re-randomizing, then information about the original secrets is leaked. Indeed, one of the parties is guaranteed to be within one bit of full knowledge of and .
We wish to compute the product of two secrets in 2-of-3 Shamir. Write for the evaluation point corresponding to the th party for . For simplicity, let’s store the secret as the constant term of the polynomial (so assume for all ). So two random polynomials such that are chosen by the dealer. Note that, because of the degree bound, these polynomials have only one root each! For all , the th party takes its share of and of and multiplies them locally, obtaining . Assume that the parties now reveal their shares . Then the product polynomial can be interpolated (since it is quadratic, and there are 3 parties, so 3 evaluations). So each of the parties now know . Since is a product of two linear polynomials, it has two roots, say and (not necessarily distinct). Each party can compute these roots from . By uniqueness of factorization, either is a root of and a root of , or vice versa. Since there are 3 evaluation points and only two roots, we can choose such that . Then party is only 1 bit of information away from full knowledge of the values of the secrets :
- if is a root of , then party knows two distinct points , on the graph of , and this fully determines ; is then a root of , and in a similar fashion is also determined.
- if instead is a root of (and so is a root of
q
) then the values of and are similarly fully determined.
It’s either one, or the other! That’s why party is “1-bit short” of full knowledge.
(Note that this can not be saved by the parties multiplying with the evaluation of their Lagrange polynomial before sharing, since these are public constants (and hence these multiplications can be undone)).