I'm not a mathematician but here is my ELI5 understanding of it based on linked wikipedia article.
If you know the coordinates of any 2 points on a line you can recover the equation for that line.
The same is true for 3 points on a quadratic curve and 4 points on cubic curve, etc.
So if our secret is the number c we can put it in the equation for, say, a quadratic:
ax^2 + bx + c = 0
We can then give any number of people the coordinates for different single points on this curve.
None of these people know the equation but if any 3 of them share their coordinates they can work out the
equation and thus the value of c.
Just remember the caveat with the ELI5 explanation is that if I tell you the first two points on a parabola are (0,0) and (1,0) you will figure that the third point is more likely to be around (2,0) than, say, (2,2^30).
I could understand the integer arithmetic example they gave and I think you are pointing out how this is flawed security-wise (its use lies in explaining the method). This flaw is addressed by using finite field arithmetic but I did't understand that part too well.
Finite field arithmetic is basically what you would get if you were to reduce the integers to a set of finite size, but keep the arithmetic rules similar to what they were before. Using an infinite set like the integers is a bad idea because you can't have a uniform distribution over all the integers, and hence some members will be more likely than others, which leaks information. The special case of finite-field arithmetic we usually care about is GF(p), which is when the integers start at 0 and wrap around at p, where p is a prime number. We care about this because when p is prime, then we can ensure numbers are uniformly random in the range 0..p-1, which is something we need in order to guarantee information-theoretic security.
If you take it one step further and show how it still works modulo p, the algorithm serves as a great introduction to how and why finite fields are used in cryptography.
Shamir’s Secret Sharing is one of my favorite algorithm names. It sounds straight out of a D&D wizard spell list. Especially when you interpret it as ”sharing in secret” instead of ”sharing a secret”.
Greg Maxwell has suggested that quite a few implementations of SSS are broken: "FWIW, virtually every SSS thing I've seen out there is just wrong in at least some less serious way. In general I've found secret sharing to be part of a pretextual security practice that seldom helps users against realistic threats, and the thoughtlessness of using it is usually reflected in the implementation." - https://np.reddit.com/r/Bitcoin/comments/72dfy1/armory_walle...
Suppose I asked if there's a practical example of merkle trees in the wild. Someone answers, "of course: git." Then 7 troglodyte friends and I jump on github/gitlab/whatever (which is super easy because everyone already uses one of these user-friendly services that wrap around git) and immediately see how git helps us develop by leveraging merkle trees. We realize that the merkle trees are leveraged so that we can ensure (most of the time) data integrity in the history of our source code. Thanks, git!
Now suppose I asked if there's a practical example of SSS in the wild. Someone answers, "of course: ___." Then 7 troglodyte friends and I jump on ___ (which is super easy because everyone already uses one of these user-friendly services that wrap around ___)and immediately see how ___ helps us develop by leveraging SSS. We realize that SSS is leveraged so that we can ensure ___. Thanks, ___!
`poly_utils.py` in https://github.com/ethereum/research/tree/master/mimc_stark is a fairly simple one-file general-purpose library for arithmetic over prime fields, including multi-point evaluation and Lagrange interpolation; secret sharing and erasure coding are quite easy to implement with these primitives.
If you trust your seven friends, then you can use SSS to pass on digital assets after you die.
Decide on a policy. For example, 4 of your 7 friends need to agree that you've been dead/incapacitated for 90 days, and that once that happens they should give your digital assets to Recipient R (probably your next of kin). Pick a master passphrase that decrypts something interesting like a passphrase manager database file. Split the master passphrase using a 4-of-7 scheme. Distribute the seven shares to your seven friends (one to each friend). Now you know the passphrase manager won't be compromised before your death unless you are careless with the master passphrase, or four of your seven friends either collude, get hacked, or honor a legal demand to produce the shares.
This gets interesting when the digital-asset ownership is determined exclusively by cryptography. The money in your bank account is not such a thing (a suitably official-looking piece of paper will release your money to anyone), but Bitcoin or Ethereum definitely are (no court order or lead pipe can solve the discrete logarithm problem).
Such classes of assets are very new. So there are not yet any "practical examples in the wild" that an ordinary person would be likely to recognize.
"Paul Kane -- who lives in the Bradford-on-Avon area -- has been chosen to look after one of seven keys, which will 'restart the world wide web' in the event of a catastrophic event."
So in the event of a catastrophe, the key holders will restart the hierarchy by using a system no one else has seen but Bruce Schneier guesses is most likely SSS.
I was looking for an example a bit more concrete and inspectable than that.
It's amazing how this is a practical piece of math that can be understood with little more than a basic familiarity with polynomials. This is the kind of stuff I'd loved to have learned in middle school!
It was used in my college Discrete Math class (a version specifically aimed at Computer Science students) as an exercise in formally proving the properties of a real-life system. That was a fun lecture :-D
Reminds me a lot of my usenet newsgroup file sharing days and the PAR parity format. A file is split into say 200 pieces to fit within the limitations of a newsgroup post. Those 200 posts may or may not all make it to your usenet server, but an additional 10-20 parity files are also created such that you need to only find 200 total unique pieces to recreate the data.
It's different in that the data is totally readable other than the missing pieces (although practically unusable). The thing that blew my mind was just how a single parity file can fill a single gap regardless of where in the sequence of original files.
They can access the bank accounts, but can they legally perform any meaningful transaction with the data/money they access?
For example-- suppose that person dies and these 7 relatives access the account and wire themselves some money. With no other arrangements made, doesn't that constitute bank fraud?
On the flip side-- if the relatives also have to go through the time-consuming processes of meetings with an estate lawyer and bank managers in order to fulfill the wishes of the deceased, what function does the cryptography perform in this case?
Maybe your bank accounts are held in nominee officer shelf corps in offshore companies. I used an arbitrary example as a vehicle to show how the m of n could access info.
Yeah, I know of plenty of use-cases for it but I have never worked on a project that required a secret sharing capability. I'm too lazy to make a product just because I want to use a cool algorithm.
However, during the data retention debate in Norway I repeatedly pointed out that the only responsible way to implement the act would be to use secret sharing to ensure that a sufficient number of parties were involved when unlocking someone's private data.
Exactly. Consider the case where you require one and only one security officer that has one and only one key. In that scenario the security officer can escrow with encryption the key file using SSSS . You could then distribute the SSSS keys to various executives who could use quorum to retrieve the escrowed key.
I came across Shamir's Secret Sharing recently when thinking about how a partial password scheme might best be implemented. I even went as far as writing up an implementation of the cryptographic aspects.
NuCypher uses this on our proxy re-encryption scheme. You don't want a re-encryption key to be all together in one place, so we split it up using SSS and distribute the fragments. For cryptography beginners, this scheme is relatively easy to understand, describe, and prove.
In my undergraduate final year project, we used a "variation" of SSS called Thien-Lin Secret Sharing to enable bank locker security! Glad to see SSS being shared here!
