Right, that's exactly the point, although I should have made it more explicit. The last chunk must contain as much information as the entire original message. But since any chunk could be the "last chunk," all chunks have to be at least as large as the original message.
But they needn't be the same size (well, depending on how you look at it). In some RSA threshold signatures, the secret key *d* is split into random integers within a range of {-*A*, ..., *A*} (for some *A* much bigger than the valid range of *d*) so that all the shares add up to *d*. Some shares may certainly be much smaller than others, and you could store them in fewer bits. But the fact that each key *could* be as large as *A* means you have no information about the secret key by knowing all but one share -- the last share could be large enough that adding it onto the current sum can yield every valid choice of *d* with equal probability.
However, if a participant publicly announced that his share of the secret could be stored in a very small number of bits, you may be able to get information about the secret if you have all the shares but his -- you may know that the secret *d* must lie in a smaller range of valid choices.
| [reply] |

I knew that my algorithm couldn't have been as spiffy as it seemed, and I knew that if I posted it, someone would be able to point me towards what I'm missing. :) Thank you for that.
If nothing else, though, this has certainly been an interesting and educational exercise. And, I've found out the correct term to google on for this class of software: "Key Sharing". I had googled all over the place to find out if someone had already done what I was trying to do, or found an even better scheme. Just didn't know the right terminology. That blasted self-taught thing bites me sometimes. ;-)
Thanks!!
--
Jason Klueber
jklueber@insightbb.com
/(bb)| ^b{2}/
--Shakespeare
| [reply] |