
Shamir Secure Secret Sharing

This is a JavaScript implementation of Adi Shamir's Secure Secret Sharing scheme. For an explanation of how the scheme works, see this blog post. It can be used to protect passwords or keys that you do not want people to know, but that must be safe from loss. In this scheme, you distribute n parts to different people, and the original secret can be regenerated by any k of them (where k <= n). You choose how many parts you need for your situation and what the quorum is to be. All outputs are in printable ASCII text for easy storage and distribution. All the calculations are performed in JavaScript within your browser and nothing is ever sent to our servers or stored anywhere.

To use this tool, select the number of parts and the quorum number that you would like (remember that only the quorum number of parts is required to regenerate the original secret). Then enter your secret in the top text box and click 'Encode'. The secret will be split into the number of parts you selected and displayed in the yellow text area. To regenerate the secret, enter at least the quorum number of parts in the yellow text area and click 'Decode'.


"The big lie of computer security is that security improves by imposing complex passwords on users. In real life, people write down anything they can't remember. Security is increased by designing for the way humans actually behave." - Jakob Nielsen

One way to use this would be to keep a copy of an administrator password or encryption key. You can choose how many parts to store and how many are required to regenerate the password or key. More parts and lower quorum will mean that you have a lot of redundancy, but will be less secure. Fewer parts and higher quorum will be more secure, but have less redundancy.

Note: The first character of the parts specifies the quorum (and will, therefore, be the same for all parts) and the second character is the x value used for that particular share. Do not remove these, otherwise you will not be able to regenerate your secret.


How this works

This works by defining a random curve (a polynomial) with your data as the free coefficient. The parts that are distributed are points on that curve. You need 2 points to uniquely define a straight line, 3 for a parabola, 4 for a cubic, etc. Your data can be regenerated by computing the Lagrange basis polynomials from the supplied points and evaluating the resulting curve at x = 0, which gives back the free coefficient.

Warning: Although Shamir's scheme is cryptographically secure even if k-1 parts are known (i.e. one less than the quorum), this is not the case for this implementation because we use integer arithmetic (rings) and non-cryptographic random numbers. Because of this, it is important that you do not disclose the various parts, particularly if you have a low quorum.