christophedavid.org | Shamir's "How to share a Secret"

<< PasswordMaker | index | Calibration images >>

Shamir's "How to share a Secret"

Here is a free implementation of Shamir's method, that can run

within a browser on any computer with an Adobe Flash Player
as a stand-alone cross-operating system desktop application on Windows, Mac OS X and Linux. See stand-alone version.

Type your secret and click 'Calculate':

Implementation details

The robustness of programs using cryptography and the related fields must reside in the keys and the algorithms, not in unpublished implementation tricks. More, implementation glitches can ruin demonstrated algorithms. Therefore, here are the details of this implementation so that one can (in)validate its robustness.

The program is written using Adobe Flex.
- All calculations are performed locally on the user computer by the Adobe Flash Player
- Strictly no information about the secret or the shares is transmitted over the internet
The random bytes used are produced using the following method
1. The internal random generator provided by the framework is used to generate a real number, which is converted to a string
2. This string is concatenated with a string representation of the current time
3. The SHA256 digest of this string is calculated
4. All bytes of this digest are XORed
5. The resulting value is used as the random byte
The symbols used below refer to the ones in How to Share a Secret
- n must be more than 1 and less than 256
- k must be more than 1 and less than n + 1
- p = 257
These choices imply that all resulting values are from 0 to 256
The shares are the concatenation of the hexadecimal representation of these values (two characters per value), with one exception for 256, which is represented as 'G0'.
All calculations are based on the ASCII value of the secret bytes
Each byte of the secret is processed totally independently from the others, with different random values for a₀, a₁, a₂, ...
Only printable characters having an ASCII code less than 128 are allowed in order to avoid any characters sets related issues

Shares structure:

The first value is x, which can also be considered as the share number
- 01033ED38FFE2E2F57CDE8BB
- 0203B095FF8FC8FEB41FF694
- 03030494C8D51FD0796A8FG0
- 040316D0EBCF35A6A7ADB4FE
- 05038848677D09803DE8648E
The second value is k (the quorum)
- 01033ED38FFE2E2F57CDE8BB
- 0203B095FF8FC8FEB41FF694
- 03030494C8D51FD0796A8FG0
- 040316D0EBCF35A6A7ADB4FE
- 05038848677D09803DE8648E
The third value is reserved. See below.
- 01033ED38FFE2E2F57CDE8BB
- 0203B095FF8FC8FEB41FF694
- 03030494C8D51FD0796A8FG0
- 040316D0EBCF35A6A7ADB4FE
- 05038848677D09803DE8648E
The remaining values are the D_i, one value (two characters) for each character of the secret
- 01033ED38FFE2E2F57CDE8BB
- 0203B095FF8FC8FEB41FF694
- 03030494C8D51FD0796A8FG0
- 040316D0EBCF35A6A7ADB4FE
- 05038848677D09803DE8648E

At the present time, the program implements strictly the Shamir's method. Some authors have proposed improvements, in particular by using variations that allow to detect individual invalid shares. One of them is Martin Tompa in How to Share a Secret with Cheaters.

In order to maintain the compatibility of the shares generated with the current version of ShareSecret and future ones that may provide such improvements, this byte is used as a "flag".

Currently, its Least Significant Bit is set to 0, meaning "no cheaters detection". It will be set to 1 when/if such a detection is implemented and the corresponding option is selected. The others bits are random. This means that this value is currently a random even number.

Here is the Scilab prototype used to get the maths right.

Availability:

It is my intention to keep allowing free usage of ShareSecret on this website.
However, should this website not be available for any reason, you will still be able to recover your secret using the stand-alone version (which you should definitely download while the site is still there...)
ShareSecret is freeware, provided as-is, and as such comes with no guarantees or support.

Stand-alone version:

Here is a cross-operating system version using Adobe AIR, available for Windows, Mac OS X and Linux. You need to install the Adobe AIR runtime.

Then you can install the AIR version of ShareSecret.

Known issues:

None

Road map:

Cheaters detection option

See also