How Shamir's Secret Sharing Works

▲ How Shamir's Secret Sharing Works(ente.com)

48 points by subract 4 hours ago | 6 comments

▲ _jackdk_ an hour ago | parent | next [-]

This is such a cool technique, and you could even teach it in secondary schools as a neat thing computer scientists can do with polynomials.

▲ Cider9986 an hour ago | parent | prev | next [-]

Here is Ente's implementation: (https://2of3.ente.com/)

▲ teravor an hour ago | parent | prev | next [-]

if the secret is large usually it's encrypted and the payload is distributed along with the shares of the key.

but you can also just use Reed-Solomon and split the payload, the difference with Shamir is that you lose information-theoretic security (you lose it the moment you use encryption anyway) and the payload also needs to undergo an all-or-nothing-transform (AONT).

AONT transforms the entire payload into an encrypted blob which also serves as its own key, a withheld piece is a de facto encryption key. this is required because Reed-Solomon can have pathological cases where pieces leak information.

▲ colmmacc an hour ago | parent [-]

Reed-Solomon is an Erasure code, and I definitely wouldn't look to that for Secret Splitting. Those leakage models are gnarly. But if you want something else that is more general - there are Monotone Span Programs. Seriously underused.

	▲	teravor an hour ago \| parent [-]
		`> Reed-Solomon is an Erasure code` which shares the same math as Shamir `> Those leakage models are gnarly.` AONT solves that by making any leak other than the totality meaningless

▲ compsciphd an hour ago | parent | prev [-]

before I learned of shamir secret sharing, I wondered why one couldn't do the same exact thing with a par2 like system (albiet with smaller pieces than a par2 system would traditionally have). i.e. you have X bits of data, you create Y*X/N sized recovery blocks (where Y > N). You hand each recovery block to individual users. and any N users can get together to recover the key and decrypt the contents.