Bruce Schneier described this in his seminal book Applied Cryptography, and HashiCorp Vault used to have an implementation in Go. On the practical side, I always wondered how large - in bits - the shares should be. One answer I got on a news group was "1 bit more than the actual key length". Nowadays, I wonder how the quantum computing threat would inform 1) share size choice and 2) pro/con Secret Sharing in general. Does anyone know?
proxysna 32 minutes ago [-]
I think hashicorp still have an implementation for vaults seal/unseal process. Unless something changed ofc
andreareina 12 minutes ago [-]
Do you remember why 1 bit more?
_jackdk_ 6 hours ago [-]
This is such a cool technique, and you could even teach it in secondary schools as a neat thing computer scientists can do with polynomials.
It's an incredible technique, when I came across it, it just changed the way I thought of solving giving out keys without "truly" giving them out.
This gave me confidence for eternalvault.app, a project of mine.
3eb7988a1663 3 hours ago [-]
Do the people who hold the root DNS keys do anything like this? Or is that too much complexity when a safe in a secure room works as an effective backup?
davkan 36 minutes ago [-]
They do something similar. Basically 5 people are needed in order to access the dns root keys plus some extra administrative/witness people. 3 Crypto Officers with smartcards to unlock the hsm, 2 other officials to unlock the vault that contains the hsm and the vault that contains safety deposit boxes with the smartcards. There are 7 crypto officers, of which any three will do.
if the secret is large usually it's encrypted and the payload is distributed along with the shares of the key.
but you can also just use Reed-Solomon and split the payload, the difference with Shamir is that you lose information-theoretic security (you lose it the moment you use encryption anyway) and the payload also needs to undergo an all-or-nothing-transform (AONT).
AONT transforms the entire payload into an encrypted blob which also serves as its own key, a withheld piece is a de facto encryption key. this is required because Reed-Solomon can have pathological cases where pieces leak information.
colmmacc 6 hours ago [-]
Reed-Solomon is an Erasure code, and I definitely wouldn't look to that for Secret Splitting. Those leakage models are gnarly. But if you want something else that is more general - there are Monotone Span Programs. Seriously underused.
teravor 6 hours ago [-]
> Reed-Solomon is an Erasure code
which shares the same math as Shamir
> Those leakage models are gnarly.
AONT solves that by making any leak other than the totality meaningless
sreekanth850 2 hours ago [-]
ente means mine in Malayalam language. it's said to be one of the toughest Indian language to learn. FYI.
alfirous 31 minutes ago [-]
Interesting, in Indonesia Ente means you. Derived from Arabic word Anta.
Fascinating how sometimes in different languages one word can have opposite meaning and the other times one word can have similar meaning.
compsciphd 6 hours ago [-]
before I learned of shamir secret sharing, I wondered why one couldn't do the same exact thing with a par2 like system (albiet with smaller pieces than a par2 system would traditionally have). i.e. you have X bits of data, you create Y*X/N sized recovery blocks (where Y > N). You hand each recovery block to individual users. and any N users can get together to recover the key and decrypt the contents.
namibj 3 hours ago [-]
Well in theory the base math is indeed the same; unfortunately though the "randomly chosen" part of shamir's secret sharing is fairly important to the security because information theoretic security of the scheme requires each fragment to be as large as the original secret by way of essentially including a desired count of random data blocks to the original before applying the reed-solomon-like erasure coding to it where now enough fragments to reconstruct the secret plus all random blocks have to be combined.
Also the way of usage of the erasure code has to be selected to not be leaking information but that's more of an issue of not picking a bad way of how to implement the basic concept here. Basically just a case of "do follow the instructions to shamir's secret sharing, don't do something different just because it's a popular way of implementing reed-Solomon".
Yes, you can just GF(256), but if you're worried I'd also just use a prime field instead.
6 hours ago [-]
calvinmorrison 4 hours ago [-]
something tangentially i am interested in is computing following the 'two person rule' for things like sudo. Yes I am logged into server X at terinal Y, and so is my co-worker and we both sign off on running command X
coryrc 2 hours ago [-]
Had something like this at Google. There's a service running as root (or equivalent) which receives your desired command to run, and it has to get authorization from another user for the specific command to run, then runs it. That makes sense at Google, because those are production machines and have access to LDAP and who is allowed to run a command on a machine is defined by an LDAP group and you would need two of them (or more?) and there's already existing management website this can be shoe-horned into.
Your environment is unlikely to have all of that already, so you'll need to figure out equivalents for all those. But I think you're going to need a local service running as root and it's going to need to be able to tell the difference between distinct human users, if you want secure. Just typos is way easier.
jerry1979 3 hours ago [-]
That sounds like you might want to look into digital signatures.
Vibe-coded a little playground where you can generate secrets, see the polynomial, combine the secrets, and in general, play around:
https://shamirs-secret-sharing.pagey.site
https://www.cloudflare.com/learning/dns/dnssec/root-signing-...
but you can also just use Reed-Solomon and split the payload, the difference with Shamir is that you lose information-theoretic security (you lose it the moment you use encryption anyway) and the payload also needs to undergo an all-or-nothing-transform (AONT).
AONT transforms the entire payload into an encrypted blob which also serves as its own key, a withheld piece is a de facto encryption key. this is required because Reed-Solomon can have pathological cases where pieces leak information.
Fascinating how sometimes in different languages one word can have opposite meaning and the other times one word can have similar meaning.
Yes, you can just GF(256), but if you're worried I'd also just use a prime field instead.
Your environment is unlikely to have all of that already, so you'll need to figure out equivalents for all those. But I think you're going to need a local service running as root and it's going to need to be able to tell the difference between distinct human users, if you want secure. Just typos is way easier.