My master's thesis was on this! I created an app where you can store your data across all the common data storage providers (Dropbox, Google Drive, OneDrive, etc.) and used secret sharing to aid with the encryption. The benefits were that:
- They could no longer read your data
- Additional redundancy (as you only need 2 to be available)
- Compared to other secure storage apps which rely on a master password, which if you forget, you are screwed, you could still use all the usual account recovery methods.
It seems like a cool idea, did you follow up with a product or an open source app?
Unfortunately no; like most uni students, my code was utterly terrible and the app itself was more of a PoC. This was 10 years ago though and it's been on my mind since then, so I'll surely pick it up at some point, perhaps after my current startup.
Did something similar for mine as well, although the word of the year that day was blockchain, so I implemented the same on Ethereum. It was a fun project, and secret sharing is quite an interesting topic!
Where is your thesis available?
I'm afraid it's not available as it wasn't published. To be honest there wasn't much more than what I posted there, it was quite a practical thesis and really more of a market analysis and practical implementation of a potential consumer product.
Currently doing a different startup, but certainly an idea for a future one.
Ah, dang. Thanks for responding anyway!
We use this technique in our team to distribute passphrases for our secondary secret stores (that contain instructions on how to access our primary secret stores) in a "democratically secure and safe" manner.
https://packages.debian.org/trixie/ssss is a nice and rather straightforward implementation.
This is such a cool technique, and you could even teach it in secondary schools as a neat thing computer scientists can do with polynomials.
I am a secondary math teacher and I do exactly this with my students. When working on retrieving the expression of an affine function, I tell them about Shamir'..., they choose a secret pin as the slope, generate two points, give them to two other students who have to pair together to find the pin again. The students are always very engaged.
I'm so glad it works. If you handwave at the generalisation to quadratics and higher polynomials, do the students follow it well? I assume you don't get into the finite field stuff, but it seems like it'd be cool to handwave at "there's actually other structures where most of this polynomial stuff works, even in somewhat weird ways".
It's the same idea as how GPS works. Fun to see someone's eyes light up when they get why that third satellite is needed to fix a 2D position.
(Actual GPS is a little more complicated than that because the real system needs accurate time information.)
Shamir saved my bottom once, by helping me reconstruct a random password used for an almost-forgotten backup that suddenly needed to be restored at once. Thank God I distributed shares in my family, "just in case".
It's an incredible technique; when I came across it, it just changed the way I thought about giving out keys without "truly" giving them out. This gave me confidence for eternalvault.app, a project of mine.
I've been noodling over this exact business idea for a couple years! Part of my value prop was to make ops scale down to as close to zero as possible by having the encrypted data and most of the front end for accessing it live in S3 objects (or some similar mega-cheap object store). Aside from that, all you need is the dead man's switch mechanism. And the secret fragments would live on QR codes that bring you to the static SPA with one of the fragments already loaded up, prompting you to scan more to complete the decryption.
Good work doing it. I guess now I don't have to. :D You may have gained a customer from this HN thread.
Indeed, that's precisely why I decided to ditch the subscription model and go with a one-time payment method; I did the math and it made sense that I don't need a very heavy system apart from supporting the dead man's switch trigger.
Wrote my thoughts about that here: https://eternalvault.app/blog/why-we-are-adding-lifetime-pri...
And it feels good to know that there are people out thinking about this, makes me happy truly and if you want to try out the platform, welcome aboard, happy to walk through it if needed. :)
That's great, and exactly what I was thinking. In fact, you have to wrestle with the fact that if it's too cheap, people won't trust it.
One thing I had been thinking about was that it's important to be extremely open about the algorithms and infrastructure required, with a very transparent whitepaper on how it works (enthusiast-level discussion of the technical details) and how you have designed the company to be extremely sustainable. I think your job is to convince people of two things: 1) this actually respects my privacy in a way I can verify myself (or lean on the technical expertise of other outside observers), 2) this company actually has a chance of surviving until I die.
If I can see those two things are true, a $199 lifetime purchase is a no-brainer (and that probably covers a dozen lifetime members' operational costs). :D
Here is Ente's implementation: (https://2of3.ente.com/)
There's an implementation packaged up for most Linux distros: http://point-at-infinity.org/ssss
This is my favorite one yet, very user friendly. I only wish it was a bit more configurable. Ideally I'd be able to set up something like:
3 of 4: A B C D
- OR -
2 of 3: E F G
- AND -
1 of 1: H
Or any similar combination. Maybe also with a way to name the cards so it's clear exactly what's needed when restoring. Though there's something to be said for the simplicity of the current design.
That's just 3 Shamir secret sharings.
The key is protected by a 3 of 3:
- 1 part protected by 3 of 4 (i.e. SSS the part into a 3 of 4)
- 1 part protected by 2 of 3 (i.e. SSS the part into a 2 of 3)
- 1 part that just is.
So you take your original key and SSS it into a 3 of 3.
You take part 1 and SSS it into a 3 of 4, and take part 2 and SSS it into a 2 of 3.
Yes, but a 3 of 4 SSS is not possible with the linked web page. It's also not user-friendly to expect non-technical users to manually go through multiple rounds of SSS in order to restore the original secret. Ideally it'd just be one page that clearly explains exactly what they need to provide and then restores the secret for them.
There are several browser-based versions which can be used online or downloaded to use offline.
https://bs.parity.io/ -- http://passguardian.com/ -- https://iancoleman.io/shamir/
I have noticed that not one of them is compatible with the other. I generated shares using `ssss` (https://manpages.ubuntu.com/manpages/trusty/man1/ssss-split....), and couldn't combine them on any of the three sites linked. That is a downside, isn't it? Do you know of a way to bypass that hurdle, other than packing resources together with the shares?
SSSS is not the official canonical file format for SSS. Shamir did not specify an official file format when he described his technique. Each implementation knows how to recombine its own shares. The web apps can be saved and used on any device.
Bruce Schneier described this in his seminal book Applied Cryptography, and HashiCorp Vault used to have an implementation in Go. On the practical side, I always wondered how large - in bits - the shares should be. One answer I got on a news group was "1 bit more than the actual key length". Nowadays, I wonder how the quantum computing threat would inform 1) share size choice and 2) pro/con Secret Sharing in general. Does anyone know?
You usually do secret sharing in a finite field because computers don't like real numbers. The size of your share is a point (x, y), x can be small (typically log n in case of n participants), y is a random point in the field.
Since Shamir Secret Sharing is information-theoretically secure (if you do not know k points from the k-out-of-n secret then all secrets are equally plausible even when bruteforcing), the bitsize of your field can be whatever you want (but obviously bigger than the bitsize of your secret, you can't hide 100 bits in a finite field of 5 elements).
Usually, you don't want an attacker to be able to bruteforce your secret (while the scheme is ITS, your secret typically isn't, e.g. the seed of your wallet), hence randomness can be added to your secret and the bitsize of the field is taken big enough to thwart these attacks.
Depending on your attack model, an 80-bits or 128-bits field is more than secure enough, hence a share bitsize slightly above 80 or 128 bits.
And regarding quantum computers, since the scheme is ITS no attacks can exist.
Plain vanilla Shamir is information-theoretic secure and is completely impervious to QC. I can take a 1-byte secret, make 'threshold of 10' Shamir shares from it, give you 9 of the 1-byte shares, and no computer in the universe can determine the secret. (In practice, Shamir systems need to add a MAC or checksum as an integrity check, so IRL they're a few bytes larger.)
I think HashiCorp still has an implementation for Vault's seal/unseal process. Unless something changed ofc.
They still do indeed.
One point is that there is no reason for the entire secret to be one element of the underlying field; it can very well be an n-tuple of elements of a smaller field, with GF(2^8) being the somewhat obvious choice if you do not expect ridiculous numbers of shares, so there is no need to deal with bignum math.
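A byte-wise Shamir split/combine over GF(2^8), as an added example illustrating the share-size discussion above and this comment's point (it is not code from any commenter's tool): each byte of the secret gets its own random degree-(k-1) polynomial, so an N-byte secret yields N-byte shares plus a one-byte x coordinate, with no bignum arithmetic. The nested policy sketched upthread (a 3 of 3 whose parts are themselves a 3 of 4 and a 2 of 3) is just `split_secret` applied to individual shares. Function names and the AES reducing polynomial are my choices.

```python
import os

def gf_mul(a, b):
    """Multiply in GF(2^8); addition and subtraction in this field are XOR."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B  # reduce modulo x^8 + x^4 + x^3 + x + 1 (AES polynomial)
        b >>= 1
    return r

def gf_inv(a):
    """Inverse via a^254 = a^-1 in GF(2^8); a must be nonzero."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split_secret(secret, k, n):
    """Return {x: share_bytes} for x = 1..n; any k shares reconstruct the secret."""
    assert 1 <= k <= n <= 255, "x must be distinct nonzero field elements"
    shares = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:  # independent random degree-(k-1) polynomial per byte
        coeffs = [s] + list(os.urandom(k - 1))  # constant term is the secret byte
        for x, buf in shares.items():
            y, xp = 0, 1
            for c in coeffs:  # evaluate sum(c_i * x^i) at this share's x
                y ^= gf_mul(c, xp)
                xp = gf_mul(xp, x)
            buf.append(y)
    return {x: bytes(b) for x, b in shares.items()}

def combine_shares(shares):
    """Lagrange-interpolate each byte position at x = 0 from exactly k shares."""
    xs = list(shares)
    out = bytearray()
    for i in range(len(next(iter(shares.values())))):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)  # (x_m - x_j) is XOR in GF(2^8)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

Feeding fewer than k shares to `combine_shares` interpolates a lower-degree polynomial and returns garbage rather than an error, so a real tool should wrap this with a length/threshold check and a MAC on the recovered secret, as mentioned upthread.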
Years ago I built a little tool to run Shamir secret sharing in the browser (it can be used fully offline, just download the page).
Ha! Years ago I downloaded your page and stored it on some USB disks along with my KeePass database and a share of my password.
I gave those to some members of my family and instructed them to give them to my wife in case I die.
Thanks a lot Sir.