ssss: Shamir's Secret Sharing Scheme

What is "Secret Sharing"?

Citing from the Wikipedia article about Secret Sharing:

In cryptography, a secret sharing scheme is a method for distributing a secret amongst a group of participants, each of which is allocated a share of the secret. The secret can only be reconstructed when the shares are combined together; individual shares are of no use on their own.

More formally, in a secret sharing scheme there is one dealer and n players. The dealer gives a secret to the players, but only when specific conditions are fulfilled. The dealer accomplishes this by giving each player a share in such a way that any group of t (for threshold) or more players can together reconstruct the secret but no group of less than t players can. Such a system is called a (t,n)-threshold scheme.

A popular technique to implement threshold schemes uses polynomial interpolation ("Lagrange interpolation"). This method was invented by Adi Shamir in 1979. You can play around with a threshold scheme on the demo page.

Where is "Secret Sharing" used?

Some popular examples are:

Good passwords are hard to memorize. A clever user could use a secret sharing scheme to generate a set of shares for a given password and store one share in his address book, one in his bank deposit safe, leave one share with a friend, etc. If he forgets his password one day, he can reconstruct it easily. Of course, writing passwords directly into the address book would pose a security risk, as it could be stolen by an "enemy". If a secret sharing scheme is used, the attacker has to steal many several shares from different places.
"A dealer could send t shares, all of which are necessary to recover the original secret, to a single recipient, using t different channels. An attacker would have to intercept all t shares to recover the secret, a task which may be more difficult than intercepting a single message" (Wikipedia).
The director of a bank could generate shares for the bank's vault unlocking code and hand them out to his employees. Even if the director is not available, the vault can be opened, but only, when a certain number of employees do it together. Here secret sharing schemes allow the employment of not fully trusted people.

What is "ssss"? Where can I download "ssss"?

ssss is an implementation of Shamir's secret sharing scheme for UNIX systems, tested only on linux machines until now. The code is licensed under the GNU GPL. ssss does both the generation of shares for a known secret and the reconstruction of a secret using user provided shares. The software was written in 2005 by B. Poettering, it links against the GNU libgmp multiprecision library (version 4.1.4 in my case) and requires the /dev/random entropy source. Please send bug reports to ssss AT point-at-infinity.org.

Download here: ssss-0.2.tar.gz, ssss-0.1.tar.gz

How is "ssss" used? Is there an online demonstation?

The generation of shares given a known secret is shown first. A (3,5)-threshold scheme is used, that is: 5 shares are generated, the secret can be reconstructed by any subset of size 3.

      % ssss split -t 3 -n 5
      Generating shares using a (3,5) scheme with a 128 bit security level.
      Enter the secret, at most 16 ASCII characters: secretrootpasswd
      1-d80c3e34d56c3685e5ae825e04f6b71f
      2-70708d35dd805d8d031a92ceafe4a3ff
      3-9aa4f16f76ded85877e661cab6d765f4
      4-eb890362ed68fb365b07a001789fac7e
      5-015d7f3846367ee32ffb530561ac6a67

These shares can be combined to recreate the secret:

      % ssss combine -t 3
      Share [1/3]: 2-70708d35dd805d8d031a92ceafe4a3ff
      Share [2/3]: 5-015d7f3846367ee32ffb530561ac6a67
      Share [3/3]: 3-9aa4f16f76ded85877e661cab6d765f4
      Resulting secret: secretrootpasswd

You can try out everything on the demo page.

What are the program's options?

      Syntax:
      ssss split -t threshold -n shares [-s level] [-w token] [-x] [-q]
      ssss combine -t threshold [-x] [-q] [-D]
      
      Commands:
      split: prompt the user for a secret and calculate a set of
      corresponding shares.
      
      combine: read in a set of shares and reconstruct the secret.
      
      Options:
      -t threshold
      the number of shares necessary to reconstruct the secret.
      
      -n shares
      the number of shares to be generated.
      
      -s level
      security level: the scheme's security level in bits. The security
      level is an upper bound for the length of the shared secret
      (shorter secrets are padded). Allowed values are 80, 112, 128,
      192, 256, 512 and 1024. The default is 128.
      
      -w token
      text token to name shares in order to avoid confusion in case you
      utilize secret sharing to protect several independent secrets. The
      generated shares are prefixed by these tokens.
      
      -x
      hex mode: use hexadecimal digits in place of ASCII characters for
      I/O. This is useful if you want to protect binary data, like
      block cipher keys.
      
      -q
      quiet mode: disable all unnecessary output. Useful in scripts.
      Note: the option -Q works like -q, but warnings are suppressed also.

      -D
      disable the diffusion layer added in version 0.2. This option is
      needed when the shares where generated with ssss version 0.1.

Last modified: Sun Jun 12 21:49:46 CEST 2005