In cryptography, a secret sharing scheme is a method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.
More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of less than t players can. Such a system is called a (t,n)-threshold scheme.
A popular technique to implement threshold schemes uses polynomial interpolation ("Lagrange interpolation"). This method was invented by Adi Shamir in 1979. You can play around with such a scheme on the demo page.
Note that Shamir's scheme is provable secure, that means: in a (t,n) scheme one can prove that it makes no difference whether an attacker has t-1 valid shares at his disposal or none at all; as long as he has less than t shares, there is no better option than guessing to find out the secret.
Good passwords are hard to memorize. A clever user could use a secret sharing scheme to generate a set of shares for a given password and store one share in his address book, one in his bank deposit safe, leave one share with a friend, etc. If one day he forgets his password, he can reconstruct it easily. Of course, writing passwords directly into the address book would pose a security risk, as it could be stolen by an "enemy". If a secret sharing scheme is used, the attacker has to steal many shares from different places.
A typical application of this scenario is the secure implementation of an encrypted backup system. Assuming that data recoveries are needed rarely, backup data can be public key encrypted -- this can be done automatically and without user interaction -- while the private recovery key is protected via secret sharing.
ssss is an implementation of Shamir's secret sharing scheme for UNIX/linux machines. It is free software, the code is licensed under the GNU GPL v2. ssss does both: the generation of shares for a known secret and the reconstruction of a secret using user provided shares. The software was written in 2006 by B. Poettering, it links against the GNU libgmp multiprecision library (version 4.1.4 works well) and requires the /dev/random entropy source.
ssss-0.4.tar.gz (SHA1: 462a4309fabc02abf6f3470c5223f0aea44e2a05)
ssss-0.3.tar.gz (SHA1: 433590f2c132e0040b13d1c21a2bf55eead6929c)
ssss-0.2.tar.gz (SHA1: bcfdf3212e461baaa5922193faa1aec2bfffbb9c)
ssss-0.1.tar.gz (SHA1: 66f8fca5793034fc42032f70de7f9195e4bb4bcd)
Some people reported compilation probems with ssss-0.5. This will be fixed in the upcoming release. If the code isn't processed correctly on your machine, replace line 351 of ssss.c by
int restore_secret(int n, void *A, mpz_t b)
Someone contributed a Windows port of (an outdated version of) ssss (but with a lightly too sloppy random number generation, in my opinion).
The generation of shares given a known secret is shown first. A (3,5)-threshold scheme is used, that is: 5 shares are generated, the secret can be reconstructed by any subset of size 3.
% ssss-split -t 3 -n 5 Generating shares using a (3,5) scheme with dynamic security level. Enter the secret, at most 128 ASCII characters: my secret root password Using a 184 bit security level. 1-1c41ef496eccfbeba439714085df8437236298da8dd824 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309 4-468de7d6eb36674c9cf008c8e8fc8c566537ad6301eb9e 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
% ssss-combine -t 3 Enter 3 shares separated by newlines: Share [1/3]: 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309 Share [2/3]: 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0 Share [3/3]: 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665 Resulting secret: my secret root password
If larger secrets are to be shared a hybrid technique has to be applied: encrypt the secret with a block cipher (using openssl, gpg, etc) and apply secret sharing to just the key. See the man page for more information about this topic.
seccure is another crypto software by the same author.