# 3.2: A Simple 2-out-of-2 Scheme

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\id}{\mathrm{id}}$$ $$\newcommand{\Span}{\mathrm{span}}$$

( \newcommand{\kernel}{\mathrm{null}\,}\) $$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$ $$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$ $$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\id}{\mathrm{id}}$$

$$\newcommand{\Span}{\mathrm{span}}$$

$$\newcommand{\kernel}{\mathrm{null}\,}$$

$$\newcommand{\range}{\mathrm{range}\,}$$

$$\newcommand{\RealPart}{\mathrm{Re}}$$

$$\newcommand{\ImaginaryPart}{\mathrm{Im}}$$

$$\newcommand{\Argument}{\mathrm{Arg}}$$

$$\newcommand{\norm}[1]{\| #1 \|}$$

$$\newcommand{\inner}[2]{\langle #1, #2 \rangle}$$

$$\newcommand{\Span}{\mathrm{span}}$$ $$\newcommand{\AA}{\unicode[.8,0]{x212B}}$$

$$\newcommand{\vectorA}[1]{\vec{#1}} % arrow$$

$$\newcommand{\vectorAt}[1]{\vec{\text{#1}}} % arrow$$

$$\newcommand{\vectorB}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vectorC}[1]{\textbf{#1}}$$

$$\newcommand{\vectorD}[1]{\overrightarrow{#1}}$$

$$\newcommand{\vectorDt}[1]{\overrightarrow{\text{#1}}}$$

$$\newcommand{\vectE}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash{\mathbf {#1}}}}$$

$$\newcommand{\vecs}[1]{\overset { \scriptstyle \rightharpoonup} {\mathbf{#1}} }$$

$$\newcommand{\vecd}[1]{\overset{-\!-\!\rightharpoonup}{\vphantom{a}\smash {#1}}}$$

$$\newcommand{\avec}{\mathbf a}$$ $$\newcommand{\bvec}{\mathbf b}$$ $$\newcommand{\cvec}{\mathbf c}$$ $$\newcommand{\dvec}{\mathbf d}$$ $$\newcommand{\dtil}{\widetilde{\mathbf d}}$$ $$\newcommand{\evec}{\mathbf e}$$ $$\newcommand{\fvec}{\mathbf f}$$ $$\newcommand{\nvec}{\mathbf n}$$ $$\newcommand{\pvec}{\mathbf p}$$ $$\newcommand{\qvec}{\mathbf q}$$ $$\newcommand{\svec}{\mathbf s}$$ $$\newcommand{\tvec}{\mathbf t}$$ $$\newcommand{\uvec}{\mathbf u}$$ $$\newcommand{\vvec}{\mathbf v}$$ $$\newcommand{\wvec}{\mathbf w}$$ $$\newcommand{\xvec}{\mathbf x}$$ $$\newcommand{\yvec}{\mathbf y}$$ $$\newcommand{\zvec}{\mathbf z}$$ $$\newcommand{\rvec}{\mathbf r}$$ $$\newcommand{\mvec}{\mathbf m}$$ $$\newcommand{\zerovec}{\mathbf 0}$$ $$\newcommand{\onevec}{\mathbf 1}$$ $$\newcommand{\real}{\mathbb R}$$ $$\newcommand{\twovec}[2]{\left[\begin{array}{r}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\ctwovec}[2]{\left[\begin{array}{c}#1 \\ #2 \end{array}\right]}$$ $$\newcommand{\threevec}[3]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\cthreevec}[3]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \end{array}\right]}$$ $$\newcommand{\fourvec}[4]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\cfourvec}[4]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \end{array}\right]}$$ $$\newcommand{\fivevec}[5]{\left[\begin{array}{r}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\cfivevec}[5]{\left[\begin{array}{c}#1 \\ #2 \\ #3 \\ #4 \\ #5 \\ \end{array}\right]}$$ $$\newcommand{\mattwo}[4]{\left[\begin{array}{rr}#1 \amp #2 \\ #3 \amp #4 \\ \end{array}\right]}$$ $$\newcommand{\laspan}[1]{\text{Span}\{#1\}}$$ $$\newcommand{\bcal}{\cal B}$$ $$\newcommand{\ccal}{\cal C}$$ $$\newcommand{\scal}{\cal S}$$ $$\newcommand{\wcal}{\cal W}$$ $$\newcommand{\ecal}{\cal E}$$ $$\newcommand{\coords}[2]{\left\{#1\right\}_{#2}}$$ $$\newcommand{\gray}[1]{\color{gray}{#1}}$$ $$\newcommand{\lgray}[1]{\color{lightgray}{#1}}$$ $$\newcommand{\rank}{\operatorname{rank}}$$ $$\newcommand{\row}{\text{Row}}$$ $$\newcommand{\col}{\text{Col}}$$ $$\renewcommand{\row}{\text{Row}}$$ $$\newcommand{\nul}{\text{Nul}}$$ $$\newcommand{\var}{\text{Var}}$$ $$\newcommand{\corr}{\text{corr}}$$ $$\newcommand{\len}[1]{\left|#1\right|}$$ $$\newcommand{\bbar}{\overline{\bvec}}$$ $$\newcommand{\bhat}{\widehat{\bvec}}$$ $$\newcommand{\bperp}{\bvec^\perp}$$ $$\newcommand{\xhat}{\widehat{\xvec}}$$ $$\newcommand{\vhat}{\widehat{\vvec}}$$ $$\newcommand{\uhat}{\widehat{\uvec}}$$ $$\newcommand{\what}{\widehat{\wvec}}$$ $$\newcommand{\Sighat}{\widehat{\Sigma}}$$ $$\newcommand{\lt}{<}$$ $$\newcommand{\gt}{>}$$ $$\newcommand{\amp}{&}$$ $$\definecolor{fillinmathshade}{gray}{0.9}$$

# $$3.2$$ A Simple 2-out-of-2 Scheme

Believe it or not, we have already seen a simple secret-sharing scheme! In fact, it might even be best to think of one-time pad as the simplest secret-sharing scheme.

##### Construction $$3.5$$ (2-out-of-2 TSSS)

Since it’s a 2-out-of-2 scheme, the only authorized set of users is $$\{1,2\}$$, so Reconstruct is written to expect both shares $$s_{1}$$ and $$s_{2}$$ as its inputs. Correctness follows easily from what we’ve already learned about the properties of XOR.

##### Example $$\PageIndex{1}$$

Example If we want to share the string $$m=1101010001$$ then the Share algorithm might choose \begin{aligned} s_{1} &:=0110000011 \\ s_{2} &:=s_{1} \oplus m \\ &=0110000011 \oplus 1101010001=1011010010 \end{aligned} Then the secret can be reconstructed by XORing the two shares together, via: $s_{1} \oplus s_{2}=0110000011 \oplus 1011010010=1101010001=m .$ Remember that this example shows just one possible execution of Share(1101010001), but Share is a randomized algorithm and many other values of $$\left(s_{1}, s_{2}\right)$$ are possible.

##### Theorem $$3.6$$

Construction $$3.5$$ is a secure 2-out-of-2 threshold secret-sharing scheme.

Proof

Let $$\Sigma$$ denote Construction 3.5. We will show that $$\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma} \equiv \mathcal{L}_{\mathrm{tsss}-\mathrm{R}}^{\Sigma}$$ using a hybrid proof.

 Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) As usual, the starting point is $$\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma}$$, shown here with the details of the secret-sharing scheme filled in (and the types of the subroutine ar guments omitted to reduce clutter). Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) It has no effect on the library’s behavior if we duplicate the main body of the library into 3 branches of a new if-statement. The reason for doing so is that the scheme generates $$s_{1}$$ and $$s_{2}$$ differently. This means that our proof will eventually handle the 3 different unauthorized sets $$(\{1\},\{2\}$$, and $$\emptyset$$ ) in fundamentally different ways. Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) The definition of $$s_{2}$$ has been changed in the first if-branch. This has no effect on the library’s behavior since $$s_{2}$$ is never actually used in this branch. Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) Recognizing the second branch of the if-statement as a one-time pad encryption (of $$m_{L}$$ under key $$s_{1}$$ ), we factor out the generation of $$s_{2}$$ in terms of the library $$\mathcal{L}_{\text {ots-L }}^{\text {OTP }}$$ from the one-time secrecy definition. This has no effect on the library’s behavior. Importantly, the subroutine in $$\mathcal{L}_{\text {ots-L }}^{\text {OTP }}$$ expects two arguments, so that is what we must pass. We choose to pass $$m_{L}$$ and $$m_{R}$$ for reasons that should become clear very soon. Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) We have replaced $$\mathcal{L}_{\text {ots-L }}^{\text {OTP }}$$ with $$\mathcal{L}_{\text {ots-R }}^{\text {OTP }}$$. From the one-time secrecy of one-time pad (and the composition lemma), this change has no effect on the library’s behavior. Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) A subroutine has been inlined; no effect on the library’s behavior. Figure $$\PageIndex{1}$$: Copy and Paste Caption here. (Copyright; author via source) The code has been simplified. Specifically, the branches of the if-statement can all be unified, with no effect on the library’s behavior. The result is $$\mathcal{L}_{\text {tsss-R }}^{\Sigma}$$.

We showed that $$\mathcal{L}_{\mathrm{tsss}-\mathrm{L}}^{\Sigma} \equiv \mathcal{L}_{\text {hyb-1 }} \equiv \cdots \equiv \mathcal{L}_{\text {hyb-5 }} \equiv \mathcal{L}_{\mathrm{tsss}-\mathrm{R}}^{\Sigma}$$, and so the secret-sharing scheme is secure.

We in fact proved a slightly more general statement. The only property of one-time pad we used was its one-time secrecy. Substituting one-time pad for any other one-time secret encryption scheme would still allow the same proof to go through. So we actually proved the following:

##### Theorem $$3.7$$

If $$\sum$$ is an encryption scheme with one-time secrecy, then the following 2-out-of-2 threshold secret-sharing scheme $$\mathcal{S}$$ is secure:

This page titled 3.2: A Simple 2-out-of-2 Scheme is shared under a CC BY-NC-SA 4.0 license and was authored, remixed, and/or curated by Mike Rosulek (Open Oregon State) via source content that was edited to the style and standards of the LibreTexts platform.