How Shamir's Secret Sharing Works

How Shamir's Secret Sharing Works(ente.com)

49 points by subract 4 hours ago | 6 comments

_jackdk_ 1 hour ago |

This is such a cool technique, and you could even teach it in secondary schools as a neat thing computer scientists can do with polynomials.

Cider9986 1 hour ago |

Here is Ente's implementation: (https://2of3.ente.com/)

teravor 1 hour ago |

if the secret is large usually it's encrypted and the payload is distributed along with the shares of the key.

but you can also just use Reed-Solomon and split the payload, the difference with Shamir is that you lose information-theoretic security (you lose it the moment you use encryption anyway) and the payload also needs to undergo an all-or-nothing-transform (AONT).

AONT transforms the entire payload into an encrypted blob which also serves as its own key, a withheld piece is a de facto encryption key. this is required because Reed-Solomon can have pathological cases where pieces leak information.

colmmacc 1 hour ago | |

Reed-Solomon is an Erasure code, and I definitely wouldn't look to that for Secret Splitting. Those leakage models are gnarly. But if you want something else that is more general - there are Monotone Span Programs. Seriously underused.

teravor 1 hour ago | | |

    > Reed-Solomon is an Erasure code

which shares the same math as Shamir

    > Those leakage models are gnarly.

AONT solves that by making any leak other than the totality meaningless

compsciphd 1 hour ago |

before I learned of shamir secret sharing, I wondered why one couldn't do the same exact thing with a par2 like system (albiet with smaller pieces than a par2 system would traditionally have). i.e. you have X bits of data, you create Y*X/N sized recovery blocks (where Y > N). You hand each recovery block to individual users. and any N users can get together to recover the key and decrypt the contents.