What is Shamir’s Secret Sharing?
| KEY TAKEAWAYS: |
| — Shamir Secret Sharing (SSS) is a cryptographic technique that protects sensitive data by distributing data fragments across multiple parties. — In SSS, the secret can be extracted if a specific number of parties combine their shares, with no individual having full access to your data. — SSS is an excellent way to store highly sensitive data such as secret recovery phrases, encryption keys and more. |
Blockchain is one of the core technologies helping users gain true ownership over their financial assets. And at the heart of the blockchain lie cryptographic techniques that enable us to store and interact with private data across the internet safely.
But what is even more fascinating is that these cryptographic techniques don’t just help run the blockchain; they can also help its users store sensitive information safely. Shamir Secret Sharing is one such algorithm.
In this article, Ledger Academy will unpack the technicalities of Shamir’s Secret sharing algorithm and how it helps improve crypto security.
Let’s start with what secret sharing is.
Secret Sharing: What is it?
In cryptography, secret sharing refers to the general concept of dividing confidential information (a secret) into multiple parts or shares. By splitting the secret up, no single person has access to the full secret. Only when you combine the individual shares from each person, can you access the complete secret. Plus, with secret sharing, the information is also encrypted, meaning no single custodian has any usable knowledge about the secret, meaning they are no closer to guessing the secret than someone with no shares at all.
In short, secret sharing allows you to safeguard information with multiple custodians, who must each confirm they will reveal their portion of a secret. As such, it is widely used for safeguarding extremely sensitive information such as biometrics or even passcodes to control missiles.
Of course, this is extremely secure but has one fatal flaw: It requires every single custodian.
What happens if a custodian is on holiday. Or worse, what happens when a custodian dies? In practice, using secret sharing is only possible when you can guarantee every participant can play their part—which isn’t very practical.
So how do you share a secret securely and recover it without all of the custodians?
Shamir’s Secret Sharing
In 1979 Adi Shamir, the co-creator of the oldest and most famous encryption technique, RSA, published a paper titled “How to Share a Secret.” In this paper he explored a new solution for this problem: a cryptographic algorithm now called “Shamir’s Secret Sharing”.
Put simply, Shamir Secret Sharing Algorithm does not require all of the custodians to reconstruct the secret. That means should a custodian become unavailable, recovery would still be possible. Plus, it achieves this while still keeping the full secret hidden from custodians as long as they don’t meet the threshold.
In practice, it’s a little more technical than that though, so let’s see how it works:
How Shamir’s Secret Sharing Works
The main difference with other secret sharing methods is Shamir’s secret sharing’s use of share thresholds and encrypted distributed shares.
Share Threshold
Share threshold refers to the minimum number of shares required to unlock the main secret. This may differ from secret to secret. Essentially the threshold will be as many (or as little) custodians as needed. For example, if the share threshold is 2, anyone with less than 2 shares won’t be able to obtain any useful information from their shares.
Put simply, not all shares need to be present to unlock the main secret, and this has a few key benefits. Firstly, even if you lose access to some of the shares, the data is still recoverable as long as the number of custodians meets the threshold. Secondly, it also allows the secret owner to add, modify, or even remove shares without altering the original secret or alerting every custodian.
Encrypted Distributed Shares
One of the biggest risks of cryptographic secret sharing is trusting custodians you do not know. You have no idea if they might be malicious. They might even refuse to cooperate once they own a piece of the secret. Even worse, they may conspire as a group.
This is why SSS uses encryption to ensure each share doesn’t reveal anything about the overall secret. Using an encryption method called polynomial interpolation, SSS ensures that only the predefined number of custodians can unlock the secret. To clarify it guarantees that a secret is only unlocked if you know at least “n” out of “m” total variables using a specific algebraic equation.
This means the information in each fragment is encrypted so a single custodian has no tangible information to work with. Plus, it also means that without the number of fragments that meet the share threshold, each participant is no closer to knowing your secret than if they had no share. Even if the share threshold is seven, someone with six shares would have no idea how to reconstruct the secret.
Shamir’s Secret Sharing In Crypto
Shamir’s secret sharing in crypto mainly refers to fragmenting and sharing private keys or secret recovery phrases as a secure backup.
Let’s use a secret recovery phrase as an example. This sequence of 12 or 24 random words is a secret just like any other. As such, you can use Shamir Secret Sharing to create a backup of your crypto wallet.
There are a lot of reasons you might want to do this. Untrustworthy housemates and natural disasters are just the beginning of some of the troubles your secret hiding place could face. Even with a seemingly secure place to store your SRP, countless crypto users end up losing access to their accounts containing high value assets. It’s a familiar story, with some of the largest holdings of Bitcoin sitting in inactive wallets.
In short, if you lose the SRP, you lose access to your wallet. So having a secure way to regain access if something goes wrong is imperative.
With Shamir’s secret sharing you can create a secure backup of your SRP and trust it to multiple custodians. Essentially, it splits your SRP into multiple encrypted fragments and distributes it among multiple entities in a secure and encrypted manner. Individually, each fragment doesn’t hold much value, but if you collect enough fragments (enough to meet the threshold) it can be reconstructed.
How Shamir Secret Sharing Works With Ledger Recover
Ledger Recover is an optional paid subscription service which allows you to back up your wallet’s SRP using a specific variant of Shamir’s Secret Sharing, called Pedersen’s Verifiable Secret Sharing.
To explain, like its predecessor, PVSS also uses custodians and a share threshold.
So when Ledger Recover encrypts the entropy of your secret recovery phrase and fragments it, it is distributed to three custodians: Ledger, Coincover, and EscrowTech. Since the secret recovery phrase is first encrypted, no single custodian receives any tangible information about your real SRP, instead they each hold a single fragment which is useless on its own.
Then the share threshold is two; meaning you only need to retrieve your fragments from two of the three custodians when you want to recover your wallet. This means should any of the custodians shut down or become inactive, you can still recover your SRP.
But this is where PVSS differs from SSS. In short, PVSS also verifies the validity of the fragments received during reconstruction of the secret . Essentially, PVSS introduces additional variables alongside the creation of the secret which allows it to verify the fragments are consistent with the original secret. And it does so without revealing any intelligible information about the original secret. In short, this guarantees that custodians are sending the correct shares back during the secret’s reconstitution.
This is much more secure and verifiable than SSS, hence why Ledger chose this specific method for its secret recovery phrase backup service.
All in all, these pieces guarantee that the only person able to assemble these fragments is you—within the security of your Ledger device. To learn more about how Ledger Recover works, make sure you check out the Ledger Recover article.
Shamir Secret Sharing: How To Share Secrets Safely
Crypto’s core promise is self-custody, meaning only you have full control and ownership over your funds. However, your funds are only as safe as your secret recovery phrase. In a perfect world, the sheet of paper with your recovery phrase would be secure enough, but unfortunately, life isn’t always so kind.
Shamir’s Secret Sharing allows you to create a backup of an important secret—such as your SRP—and share it, all without worrying about revealing its contents. In short, SSS helps manage critical data better, removing a single point of failure by securely distributing secrets, while giving you all the benefits of self-custody.