darconeous
commented
1 year ago Hi Taylor!
You make it sound like SSS is irredeemably complicated, but compared to ECC or RSA it's really not that bad. A basic understanding of it can be had with high-school algebra. The final step of performing the calculations over a Galois field is admittedly not high-school algebra, but I don't think it is really as opaque as you are making it out to be.
Your approach would work and would be secure enough for most applications, assuming you are using a modern strong hash function. You could even do away with the labels and just sort the shares by value when calculating the "quorum" key, which would make the individual "shares" one byte shorter.
However, Shamir Secret Sharing (Especially over $GF(256)$ )has some really nice properties that you don't get with your scheme. Some of these properties aren't entirely relevant in the way that I'm using it in this project, but I'll enumerate them here nonetheless:
- Provably as secure as a one-time pad. You can have mathematical certainty that the only information an attacker could have about the secret if they have less than the threshold number of shares is the length of the secret. The scheme you described can only ever be as strong as the hash function.
- No additional state, aside from the minimum number of shares and knowledge of the scheme being employed, needs to be kept to recover the secret. Your scheme isn't really using "shares" in the traditional sense because significant additional state (3 or 10 wrapped keys) is required in order to recover the secret. You could simply distribute that state with each share, but that would increase the size of your shares considerably.
- Scalable. For example, with the $GF(256)$ version, you can have up to 255 shares, with any proportion of them being the threshold. The math works exactly the same.
- It works even if you don't know the exact threshold. If, say, the threshold is 3, supplying 4 or 5 shares doesn't change the output.
SSS allows you to do weird and interesting things. For example, you could pin one or more of the shares (less than the threshold) to specific values. This would allow you to have some of the shares be actual memorable pass-phrases that don't need to be written down. You could do something similar with your scheme, but the additional state requirements present an additional burden since they cannot be memorized.
Overall, SSS has a lot going for it. You can't do much better in terms of the provable security of the scheme or the size of the shares.
taylortrimble
I'm writing this out because I've always wanted to describe this. Please feel free to ignore it.
Shamir's secret sharing involves a bunch of polynomial math I don't understand; every time I go to try and understand it I wonder what the point is, because I thought of a naive implementation for secret splitting in the common way it's done for protecting a root key.
Assumptions are: you want 3 shares with a quorum of 2, or 5 shares with a quorum of 3.
Process is:
You store the root key wrapped 3 or 10 times, but it's super simple and it's always made me wonder why anybody bothers with Shamir.