What is "Secret Sharing"?

In cryptography, a secret sharing scheme is a method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.

More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of less than t players can. Such a system is called a (t,n)-threshold scheme.

A popular technique to implement threshold schemes uses polynomial interpolation ("Lagrange interpolation"). This method was invented by Adi Shamir in 1979. You can play around with a threshold scheme on the demo page.

Note that Shamir's scheme is provable secure, that means: in a (t,n) scheme one can prove that it makes no difference whether an attacker has t-1 valid shares at his disposal or none at all; as long as he has less than t shares, there is no better option than guessing to find out the secret.

Where is "Secret Sharing" used?

• Good passwords are hard to memorize. A clever user could use a secret sharing scheme to generate a set of shares for a given password and store one share in his address book, one in his bank deposit safe, leave one share with a friend, etc. If one day he forgets his password, he can reconstruct it easily. Of course, writing passwords directly into the address book would pose a security risk, as it could be stolen by an "enemy". If a secret sharing scheme is used, the attacker has to steal many shares from different places.
• "A dealer could send t shares, all of which are necessary to recover the original secret, to a single recipient, using t different channels. An attacker would have to intercept all t shares to recover the secret, a task which may be more difficult than intercepting a single message" (Wikipedia).
• The director of a bank could generate shares for the bank's vault unlocking code and hand them out to his employees. Even if the director is not available, the vault can be opened, but only, when a certain number of employees do it together. Here secret sharing schemes allow the employment of not fully trusted people.

What is "ssss"? Where can I download "ssss"?

ssss is an implementation of Shamir's secret sharing scheme for UNIX systems, especially developed for linux machines. The code is licensed under the GNU GPL. ssss does both: the generation of shares for a known secret and the reconstruction of a secret using user provided shares. The software was written in 2006 by B. Poettering, it links against the GNU libgmp multiprecision library (version 4.1.4 works well) and requires the /dev/random entropy source. Please send bug reports to ssss AT point-at-infinity.org.

There is a freshmeat page for ssss. A debian package is also available. If you are the lucky owner of a debian system just run apt-get update && apt-get install ssss to install ssss. Someone even ported (an outdated version of) ssss to Windows (but with a lightly too sloppy random number generation, in my opinion).

Download on the ssss homepage.

How is "ssss" used? Is there an online demonstration?

The generation of shares given a known secret is shown first. A (3,5)-threshold scheme is used, that is: 5 shares are generated, the secret can be reconstructed by any subset of size 3.

      % ssss-split -t 3 -n 5
      Generating shares using a (3,5) scheme with dynamic security level.
      Enter the secret, at most 128 ASCII characters: my secret root password
      Using a 184 bit security level.
      1-1c41ef496eccfbeba439714085df8437236298da8dd824
      2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
      3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
      4-468de7d6eb36674c9cf008c8e8fc8c566537ad6301eb9e
      5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
    

      % ssss-combine -t 3
      Enter 3 shares separated by newlines:
      Share [1/3]: 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
      Share [2/3]: 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
      Share [3/3]: 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
      Resulting secret: my secret root password
    

If larger secrets are to be shared a hybrid technique has to be applied: encrypt the secret with a block cipher (using openssl, gpg, etc) and apply secret sharing to just the key. See the man page for more information about this topic.

Where is the manpage?