Shamir's Secret Sharing Scheme

What is "Secret Sharing"?

Citing from the Wikipedia article about Secret Sharing:

In cryptography, a secret sharing scheme is a method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.

More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of less than t players can. Such a system is called a (t,n)-threshold scheme.

A popular technique to implement threshold schemes uses polynomial interpolation ("Lagrange interpolation"). This method was invented by Adi Shamir in 1979. You can play around with such a scheme on the demo page.

Note that Shamir's scheme is provable secure, that means: in a (t,n) scheme one can prove that it makes no difference whether an attacker has t-1 valid shares at his disposal or none at all; as long as he has less than t shares, there is no better option than guessing to find out the secret.

Where is "Secret Sharing" used?

Some popular examples are:

• Good passwords are hard to memorize. A clever user could use a secret sharing scheme to generate a set of shares for a given password and store one share in his address book, one in his bank deposit safe, leave one share with a friend, etc. If one day he forgets his password, he can reconstruct it easily. Of course, writing passwords directly into the address book would pose a security risk, as it could be stolen by an "enemy". If a secret sharing scheme is used, the attacker has to steal many shares from different places.

  A typical application of this scenario is the secure implementation of an encrypted backup system. Assuming that data recoveries are needed rarely, backup data can be public key encrypted -- this can be done automatically and without user interaction -- while the private recovery key is protected via secret sharing.

• "A dealer could send t shares, all of which are necessary to recover the original secret, to a single recipient, using t different channels. An attacker would have to intercept all t shares to recover the secret, a task which may be more difficult than intercepting a single message" (Wikipedia).
• The director of a bank could generate shares for the bank's vault unlocking code and hand them out to his employees. Even if the director is not available, the vault can be opened, but only, when a certain number of employees do it together. Here secret sharing schemes allow the employment of not fully trusted people.

What is "ssss"? Where can I download "ssss"?

ssss is an implementation of Shamir's secret sharing scheme for UNIX/linux machines. It is free software, the code is licensed under the GNU GPL v2. ssss does both: the generation of shares for a known secret and the reconstruction of a secret using user provided shares. The software was written in 2006 by B. Poettering, it links against the GNU libgmp multiprecision library (version 4.1.4 works well) and requires the /dev/random entropy source.

ssss-0.5.tar.gz (SHA1: 3f8f5046c2c5c3a2cf1a93f0a9446681852b190e)
ssss-0.4.tar.gz (SHA1: 462a4309fabc02abf6f3470c5223f0aea44e2a05)
ssss-0.3.tar.gz (SHA1: 433590f2c132e0040b13d1c21a2bf55eead6929c)
ssss-0.2.tar.gz (SHA1: bcfdf3212e461baaa5922193faa1aec2bfffbb9c)
ssss-0.1.tar.gz (SHA1: 66f8fca5793034fc42032f70de7f9195e4bb4bcd)

Some people reported compilation probems with ssss-0.5. This will be fixed in the upcoming release. If the code isn't processed correctly on your machine, replace line 351 of ssss.c by

int restore_secret(int n, void *A, mpz_t b[])

A manpage is available as groff and html version.

Read the HISTORY file for the changes between the versions. There exists a debian package for ssss. New versions are announced via the freshmeat page.

Someone contributed a Windows port of (an outdated version of) ssss (but with a lightly too sloppy random number generation, in my opinion).

How is ssss used? Is there an online demonstration?

The generation of shares given a known secret is shown first. A (3,5)-threshold scheme is used, that is: 5 shares are generated, the secret can be reconstructed by any subset of size 3.

% ssss-split -t 3 -n 5
Generating shares using a (3,5) scheme with dynamic security level.
Enter the secret, at most 128 ASCII characters: my secret root password
Using a 184 bit security level.
1-1c41ef496eccfbeba439714085df8437236298da8dd824
2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
4-468de7d6eb36674c9cf008c8e8fc8c566537ad6301eb9e
5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0

These shares can be combined to recreate the secret:

% ssss-combine -t 3
Enter 3 shares separated by newlines:
Share [1/3]: 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
Share [2/3]: 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
Share [3/3]: 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
Resulting secret: my secret root password

You can try it out on the demo page.

If larger secrets are to be shared a hybrid technique has to be applied: encrypt the secret with a block cipher (using openssl, gpg, etc) and apply secret sharing to just the key. See the man page for more information about this topic.

Final notices

seccure is another crypto software by the same author.

---

The text of this page is licensed under the GNU General Public License. Copyright 2005-2018 by B. Poettering (ssss AT point-at-infinity.org).
Last modified: Tue Jan 2 00:52:52 CEST 2018