2018-02-23 18:19:40 +00:00
[Source](http://point-at-infinity.org/ssss/index.html "Permalink to ssss: Shamir's Secret Sharing Scheme")
# ssss: Shamir's Secret Sharing Scheme
# Shamir's Secret Sharing Scheme
## What is "Secret Sharing"?
Citing from the [Wikipedia][1] article about [Secret Sharing][2]:
> In [cryptography][3], a **secret sharing scheme** is a method for distributing a [_secret_][4] amongst a group of participants, each of which is allocated a _share_ of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.
>
> More formally, in a secret sharing scheme there is one _dealer_ and _n_ _players_. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of _t_ (for _threshold_) or more players can together reconstruct the secret but no group of less than _t_ players can. Such a system is called a _(t,n)_-threshold scheme.
A popular technique to implement threshold schemes uses [polynomial interpolation][5] ("Lagrange interpolation"). This method was invented by [Adi Shamir][6] in 1979. You can play around with such a scheme on the [demo page][7].
Note that Shamir's scheme is provably secure, which means: in a _(t,n)_ scheme one can prove that it makes no difference whether an attacker has _t-1_ valid shares at his disposal or none at all; as long as he has fewer than _t_ shares, there is no better option than guessing to find out the secret.
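To make the threshold behaviour and the "t-1 shares reveal nothing" claim concrete, here is an added worked example in pure Python; it is not code from ssss or its author. It works in the prime field GF(2^521 - 1), a constructed parameter choice; ssss's own field arithmetic and share encoding differ, but the Lagrange-interpolation step is the same idea. The function `missing_share_for` shows why t-1 shares are useless: for every candidate secret there is a value the missing share could take, so the candidates cannot be distinguished.

```python
import secrets

# Constructed parameter choice for this example: arithmetic is done in the
# prime field GF(p) with p = 2**521 - 1 (a Mersenne prime), so secrets of up
# to 65 bytes fit. ssss's own field and share encoding differ.
PRIME = 2**521 - 1


def text_to_int(text):
    """Encode a text secret as a big-endian integer (must be < PRIME)."""
    value = int.from_bytes(text.encode(), "big")
    if value >= PRIME:
        raise ValueError("secret too long for this field")
    return value


def int_to_text(value):
    """Inverse of text_to_int (a leading NUL byte would not survive)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()


def _eval_poly(coeffs, x, p=PRIME):
    """Evaluate a0 + a1*x + ... + a_{t-1}*x^(t-1) mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, t, n, p=PRIME):
    """(t,n) Shamir split: the secret is the constant term of a random
    polynomial of degree t-1; share i is the point (i, f(i)), i = 1..n."""
    if not 1 <= t <= n < p:
        raise ValueError("need 1 <= t <= n < p")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    return [(i, _eval_poly(coeffs, i, p)) for i in range(1, n + 1)]


def interpolate(points, x, p=PRIME):
    """Lagrange interpolation: value at x of the unique polynomial of degree
    < len(points) passing through all the given (x_j, y_j) points."""
    result = 0
    for j, (xj, yj) in enumerate(points):
        num = den = 1
        for m, (xm, _) in enumerate(points):
            if m != j:
                num = num * (x - xm) % p
                den = den * (xj - xm) % p
        result = (result + yj * num * pow(den, -1, p)) % p
    return result


def combine_shares(shares, t, p=PRIME):
    """Reconstruct the secret (= f(0)) from any t shares with distinct x.
    With the wrong t the result is simply a wrong value, not an error."""
    if len({x for x, _ in shares}) < t:
        raise ValueError(f"need {t} shares with distinct x coordinates")
    return interpolate(shares[:t], 0, p)


def missing_share_for(known, x_missing, candidate, t, p=PRIME):
    """Given only t-1 shares, return the y value the share at x_missing would
    have to carry for `candidate` to be the secret. A valid value exists for
    every candidate, which is exactly why t-1 shares reveal nothing."""
    if len(known) != t - 1:
        raise ValueError("pass exactly t-1 known shares")
    points = [(0, candidate)] + list(known)
    return interpolate(points, x_missing, p)


if __name__ == "__main__":
    secret = text_to_int("my secret root password")
    shares = split_secret(secret, t=3, n=5)  # (3,5) scheme as in the ssss session below
    print(int_to_text(combine_shares([shares[2], shares[4], shares[1]], 3)))
```

Because shares are points on a random polynomial, nothing in a share tells you whether it is genuine: a corrupted or mistyped share, or a wrong `-t`, yields a wrong "secret" silently, so a practitioner should verify the reconstructed value against something independent (a hash of the secret stored separately, or simply the fact that it decrypts the backup) before relying on it.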
## Where is "Secret Sharing" used?
Some popular examples are:
* Good passwords are hard to memorize. A clever user could use a secret sharing scheme to generate a set of shares for a given password and store one share in his address book, one in his bank deposit safe, leave one share with a friend, etc. If one day he forgets his password, he can reconstruct it easily. Of course, writing passwords directly into the address book would pose a security risk, as it could be stolen by an "enemy". If a secret sharing scheme is used, the attacker has to steal many shares from different places.

  A typical application of this scenario is the secure implementation of an encrypted backup system. Assuming that data recoveries are needed rarely, backup data can be public-key encrypted -- this can be done automatically and without user interaction -- while the private recovery key is protected via secret sharing.
* "A dealer could send _t_ shares, all of which are necessary to recover the original secret, to a single recipient, using _t_ different channels. An attacker would have to intercept all _t_ shares to recover the secret, a task which may be more difficult than intercepting a single message" ([Wikipedia][2]).
* The director of a bank could generate shares for the bank's vault unlocking code and hand them out to his employees. Even if the director is not available, the vault can be opened, but only when a certain number of employees do it together. Here secret sharing schemes allow the employment of not fully trusted people.
## What is "ssss"? Where can I download "ssss"?
ssss is an implementation of Shamir's secret sharing scheme for UNIX/Linux machines. It is free software; the code is licensed under the [GNU GPL][8] v2. ssss does both: the generation of shares for a known secret and the reconstruction of a secret from user-provided shares. The software was written in 2006 by B. Poettering; it links against the [GNU libgmp][9] multiprecision library (version 4.1.4 works well) and requires the `/dev/random` entropy source.
[ssss-0.5.tar.gz][10] (SHA1: `3f8f5046c2c5c3a2cf1a93f0a9446681852b190e`)
[ssss-0.4.tar.gz][11] (SHA1: `462a4309fabc02abf6f3470c5223f0aea44e2a05`)
[ssss-0.3.tar.gz][12] (SHA1: `433590f2c132e0040b13d1c21a2bf55eead6929c`)
[ssss-0.2.tar.gz][13] (SHA1: `bcfdf3212e461baaa5922193faa1aec2bfffbb9c`)
[ssss-0.1.tar.gz][14] (SHA1: `66f8fca5793034fc42032f70de7f9195e4bb4bcd`)
Some people reported compilation problems with ssss-0.5. This will be fixed in the upcoming release. If the code isn't processed correctly on your machine, replace line 351 of `ssss.c` by

```c
int restore_secret(int n, void *A, mpz_t b[])
```
A manpage is available as [groff][15] and [html][16] version.
Read the [HISTORY][17] file for the changes between the versions. There exists a [debian package][18] for ssss. New versions are announced via the [freshmeat page][19].
Someone contributed a [Windows port][20] of (an outdated version of) ssss (but with a slightly too sloppy random number generation, in my opinion).
## How is ssss used? Is there an online demonstration?
The generation of shares given a known secret is shown first. A (3,5)-threshold scheme is used, that is: 5 shares are generated, and the secret can be reconstructed by any subset of size 3.

```
% ssss-split -t 3 -n 5
Generating shares using a (3,5) scheme with dynamic security level.
Enter the secret, at most 128 ASCII characters: my secret root password
Using a 184 bit security level.
1-1c41ef496eccfbeba439714085df8437236298da8dd824
2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
4-468de7d6eb36674c9cf008c8e8fc8c566537ad6301eb9e
5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
```

These shares can be combined to recreate the secret:

```
% ssss-combine -t 3
Enter 3 shares separated by newlines:
Share [1/3]: 3-fa1c3a9c6df8af0779c36de6c33f6e36e989d0e0b91309
Share [2/3]: 5-4756974923c0dce0a55f4774d09ca7a4865f64f56a4ee0
Share [3/3]: 2-fbc74a03a50e14ab406c225afb5f45c40ae11976d2b665
Resulting secret: my secret root password
```
You can try it out on the [demo page][7].
If larger secrets are to be shared, a hybrid technique has to be applied: encrypt the secret with a block cipher (using openssl, gpg, etc.) and apply secret sharing to just the key. See the [man page][16] for more information about this topic.
## Final notices
[seccure][21] is another crypto software by the same author.
If ssss is of value for you, please consider donating:
| Currency | Address | QR code |
| --- | --- | --- |
| BTC | `1CCkmBSw8K1611HotBMEewi9sdTWYUmaxp` | ![qrcode BTC address][22] |
| BCH | `1KzYqW8eCYhYANd5f8DS5RpKpbMpz9eT7x` | ![qrcode BCH address][23] |
| ETH | `0xb1af094e27704affa148ace75ee568f7752f7e45` | ![qrcode ETH address][24] |
* * *
The text of this page is licensed under the [GNU General Public License][8]. Copyright 2005-2018 by B. Poettering (`ssss AT point-at-infinity.org`).
Last modified: Tue Jan 2 00:52:52 CEST 2018
[1]: http://en.wikipedia.org/
[2]: http://en.wikipedia.org/wiki/Secret_sharing
[3]: http://en.wikipedia.org/wiki/Cryptography
[4]: http://en.wikipedia.org/wiki/Secrecy
[5]: http://en.wikipedia.org/wiki/Polynomial_interpolation
[6]: http://en.wikipedia.org/wiki/Adi_Shamir
[7]: http://point-at-infinity.org/ssss/demo.html
[8]: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
[9]: http://gmplib.org/
[10]: http://point-at-infinity.org/ssss/ssss-0.5.tar.gz
[11]: http://point-at-infinity.org/ssss/ssss-0.4.tar.gz
[12]: http://point-at-infinity.org/ssss/ssss-0.3.tar.gz
[13]: http://point-at-infinity.org/ssss/ssss-0.2.tar.gz
[14]: http://point-at-infinity.org/ssss/ssss-0.1.tar.gz
[15]: http://point-at-infinity.org/ssss.1
[16]: http://point-at-infinity.org/ssss.1.html
[17]: http://point-at-infinity.org/HISTORY
[18]: http://packages.debian.org/unstable/utils/ssss
[19]: http://freshmeat.net/projects/ssss/
[20]: http://www.seidlitz.ca/ssss/
[21]: http://point-at-infinity.org/seccure/
[22]: http://point-at-infinity.org/address-btc.png
[23]: http://point-at-infinity.org/address-bch.png
[24]: http://point-at-infinity.org/address-eth.png