What makes Secure Shares secure is the property that, given that a hypothetical attacker has gotten hold of fewer Secure Shares than what has been set as the threshold for recovering the secret, your k, then knowing these Secure Shares still gives no information about the secret at all except for maybe about its size or length. (Learning about the length of the secret is not considered a problem in cases where the attacker already knows or guesses that the secret constitutes the access key to some cryptocurrency wallet, for instance, as these key lengths are fixed.) In other words, your k absolutely constitutes an "all or nothing" threshold. Compare that to what is commonly called key splitting. To this end, let us assume your key or, equivalently, your secret consists of nine digits like, say, 176507492. (That's just for the sake of discussion. You should never use such a simple passphrase for anything.) You may be tempted to create three splits of this key, namely, "176507...", "...507492", and "176...492". Any set of two of these splits is sufficient to recover your key, hence your "k" is 2. Now, notice that, if an attacker has gotten hold of only one of these splits, which is less than your "k", of course, then all that is left for the attacker is to guess three more digits, which works out to no more than 1000 guesses as 1000 is equal to 10 (as there are 10 possible digits) taken to the power of 3 (as there are only three digits left to guess). By getting hold of only one split, the problem of guessing your key has, thus, become exponentially simpler than the one of guessing it without having gotten hold of any split, as in that case the number of guesses can reach 10 taken to the power of 9. We can conclude that, just by getting hold of one of these splits, the attacker has practically gained almost all the information contained in the passphrase itself. 
By contrast, kn Secrets does most emphatically not operate according to the key splitting idea or any other naive idea of this kind. More specifically, the algorithm that is implemented in kn Secrets exploits a principle called polynomial interpolation over a finite field. What is crucial about this approach to creating Secure Shares is precisely that it avoids the partial-information problem that key splitting or any other method of this kind leads to.
To provide more intuition on how Secure Secret Sharing works, let us recall that modern cryptography essentially treats each piece of information as a number. Cryptographic practice usually requires numbers that have many digits, which means that they get very big in arithmetic terms, but there is nothing fundamental, cryptographically speaking, that distinguishes these very big numbers and mere single-digit numbers. We can, thus, simplify matters by assuming a single-digit number, say 3, is what constitutes your secret. The starting point, then, for Secure Secret Sharing consists of a certain transformation of the way in which your secret is looked at. According to this view, the secret can be represented not only directly as a number but also as the y value taken on by any polynomial f at some fixed value of x, say x = 0, as long as f(0) = 3. Examples of such polynomials are
All three of these polynomials yield y = 3 if x = 0. This change of viewpoint provides us with infinitely many representations of the secret in addition to its direct representation as a number. Now, Secure Secret Sharing exploits the following two properties:
Putting it all together, assume s is your secret, k is your recovery threshold, and n is the total number of Secure Shares of s that are to be generated. The principle behind Secure Secret Sharing is as follows:
In reality there are some technicalities because of which this scheme has to be somewhat refined and modified, but the idea remains the same even in the final analysis. So that is really all there is to Secure Secret Sharing.
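The scheme outlined above, written out as an added example in JavaScript with BigInt: this is textbook Shamir sharing, not kn Secrets' own code, and it goes beyond the single-digit case to an arbitrary prime field. `candidatesLeft` also serves the earlier "all or nothing" passage by counting, for k = 2 in a tiny field, how many secrets remain possible given some shares. The prime `P`, the `{x, y}` share layout, the Web Crypto default byte source and all function names are assumptions of this sketch, and its shares are not interchangeable with kn Secrets' Secure Shares.

```javascript
// Added example: textbook Shamir sharing over GF(p); not kn Secrets' code or share format.
const P = 2n ** 127n - 1n; // Mersenne prime; this field choice is an assumption
const mod = (a, p) => ((a % p) + p) % p;
// Assumed default byte source: the Web Crypto API of the browser or Node.
const webCryptoBytes = (n) => globalThis.crypto.getRandomValues(new Uint8Array(n));
// Modular inverse via Fermat's little theorem: a^(p-2) mod p, p prime.
function inv(a, p) {
  let r = 1n, b = mod(a, p);
  for (let e = p - 2n; e > 0n; e >>= 1n) {
    if (e & 1n) r = (r * b) % p;
    b = (b * b) % p;
  }
  return r;
}

// Uniform element of [0, p) by rejection sampling, which avoids modulo bias.
function randomElement(p, getBytes) {
  const nBytes = Math.ceil(p.toString(2).length / 8);
  for (;;) {
    let v = 0n;
    for (const b of getBytes(nBytes)) v = (v << 8n) | BigInt(b);
    if (v < p) return v;
  }
}

// f(x) = secret + a1*x + ... + a_(k-1)*x^(k-1); share i is the point (i, f(i)).
function split(secret, k, n, p = P, getBytes = webCryptoBytes) {
  if (secret < 0n || secret >= p || k < 1 || k > n || BigInt(n) >= p) throw new RangeError("bad parameters");
  const coeffs = [secret];
  while (coeffs.length < k) coeffs.push(randomElement(p, getBytes));
  return Array.from({ length: n }, (_, i) => BigInt(i + 1))
    .map((x) => ({ x, y: coeffs.reduceRight((acc, c) => mod(acc * x + c, p), 0n) }));
}

// Lagrange interpolation evaluated at x = 0 recovers f(0), the secret.
function recover(shares, p = P) {
  return shares.reduce((sum, { x: xi, y: yi }, i) => {
    const li = shares.reduce((acc, { x: xj }, j) => (j === i ? acc : mod(acc * xj * inv(xj - xi, p), p)), 1n);
    return mod(sum + yi * li, p);
  }, 0n);
}

// k = 2, tiny field: count secrets s for which some line through (0, s) fits all known shares.
function candidatesLeft(known, p) {
  let count = 0;
  for (let s = 0n; s < p; s++)
    for (let a1 = 0n; a1 < p; a1++)
      if (known.every(({ x, y }) => mod(s + a1 * x, p) === y)) { count++; break; }
  return count;
}
```

With the toy secret 3 over GF(11) and k = 2, a single share leaves all 11 field values equally possible, while two shares leave exactly one. The three-way key split discussed earlier, by contrast, leaves only 1000 of 10^9 candidates after one split is exposed.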
Yes, that's precisely true: kn Secrets implements Shamir's secret sharing. In other words, there is nothing special about kn Secrets in terms of technology. But that's a desirable property because kn Secrets is about providing security. The core idea of kn Secrets consists of implementing a known security algorithm in a way that is as straightforward to use and as transparent as possible. Inventing your own "security algorithm" so that it is really secure is usually very difficult, so it is a good thing that kn Secrets does not do this.
kn Secrets is not compatible in any way with any other implementation of Shamir's secret sharing that can be found on the Internet. These implementations differ from kn Secrets considerably with regard to many technical details. In particular, it is not possible to recover Secure Shares generated with kn Secrets using any other of the available implementations of Shamir's secret sharing.
No, kn Secrets only implements Shamir's secret sharing itself, not more than that. It's entirely up to users to determine whether employing the scheme really makes their secrets more secure from a holistic point of view, taking into consideration all of their individual, practical circumstances.
No, absolutely not. If you do not have the required number of Secure Shares left, then this situation is equivalent to having lost the entirety of your Secure Shares and, consequently, the secret itself (unless you can recover the secret in some other way). This property is the whole point of Shamir's secret sharing.
Well, sorry, no. No such trick has ever been discovered by the crypto community and most probably never will.
That's completely true, of course. If you worry about such attacks, then you could set aside some dedicated PC to compute Secure Shares or recover secrets from Secure Shares. This PC must never go online ever again once you have started using it in this role. (There must also be no data transfer via any other channel, for example, via USB stick.) Any old PC will probably do as performance requirements for running kn Secrets are low. Please note that, if you take this mode of attack seriously, then you must really not go online with your dedicated PC ever again, not even after having carried out a secure erase of every disk built into it, followed by reinstalling the operating system. That's because disk storage might not be the only permanent storage on your PC where malware might be able to stash your secrets or Secure Shares for hackers to be able to retrieve them later. Only once your secrets or Secure Shares have ceased to be of any value, for example, because you have emptied and nullified your cryptocurrency accounts that you secured using kn Secrets, is it secure for the dedicated PC to go online again.
This question is highly technical, so we are not going to explain to the casual reader what 'Tails' is. Having said that, yes, using Tails to work with the offline version probably constitutes one of the most secure ways of employing kn Secrets. The preferred method of going about it consists of copying the offline version of kn Secrets from a USB stick to the directory carrying the name 'Tor Browser', which ought to be located in the home directory of your Tails session. It should then be possible to use the Tor browser itself to open the file, index.html, and continue from there. Please note that Tails will probably not be able to access your printer, whence Secure Shares will have to be noted down with pen and paper instead of printing Secure Share PDF pages. Transferring Secure Share PDF pages via any storage medium or a local (or maybe even non-local) network to some system from where they can be printed is highly insecure and must not be done under any circumstances. In any event, we recommend running Tails from a USB stick that is locked in read-only mode, just like copying kn Secrets from a second USB stick that is also locked in read-only mode. Needless to say, the computer on which all of this takes place must be physically disconnected from the Internet during the entire process. Please be aware of the fact that, while using Tails protects against the main operating system on your computer having been compromised, it does not protect against the computer hardware itself or the BIOS firmware having been compromised.
Tails is a highly secure operating system that can be run from a USB stick. Tails itself and all the necessary documentation can easily be found online, so we refer you to these resources.
No, kn Secrets in and of itself is not secure against this kind of attack. That's regardless of whether you use it in online or offline mode. We figure that, if you have to worry about attackers possessing sufficient resources to mount electromagnetic side-channel attacks, then you also have to worry about these same attackers redirecting their resources to steal your secrets in a variety of ways, for example, by breaking into your premises. Electromagnetic side-channel attacks usually require getting somewhat close to your system anyways. It then becomes a question of how to spend your own resources in a balanced manner to secure your secrets against different methods that might conceivably be used by attackers to try and steal them. If a cost-benefit calculation leads you to harden your premises against being broken into, for instance, then you might also want to spend resources on installing physical shielding that reduces the risk of your computer system leaking data in the electromagnetic spectrum. Such a balanced approach in the physical realm might be considered more coherent and secure than relying on software algorithms that inject computational noise into your system, so to speak, in an attempt to make electromagnetic side-channel attacks more difficult.
The quality of Secure Shares computed by kn Secrets depends wholly on the quality of the random numbers used in doing that. Browser-based crypto randomness is universally regarded as secure, but we must also face the fact that it actually depends on a complex browser/operating system/hardware technology stack that is difficult to comprehend fully and verify. It cannot solely be built into the browser, but it has to originate in sources of randomness built into the hardware. We have to trust these sources and every layer of operating and browser software on top of that before we are able to extract it in doing our computations. For this reason, we cannot bring ourselves to rely on browser-based randomness all the way or, to be more precise, to provide no option other than that.
The tabular presentation in Step 7 of making Secure Shares is programmed in a way that allows users to move their mouse cursor to mark just the BIP39 mnemonics of each individual Secure Share. On most operating systems, a right-click should then bring up a context menu that allows the user to copy just the mnemonics and nothing else to the clipboard. Please make sure to follow the security guidelines with regard to handling Secure Shares on your system if you want to do anything else with them other than noting them down with pen and paper.
At the risk of using some technical jargon, the philosophy behind kn Secrets consists of giving transparency total priority over obfuscation. The way in which kn Secrets achieves this goal consists of providing a pure, and rather straightforward, JavaScript implementation of the secret sharing algorithm up to and including using JavaScript (and user inputs, see above) for generating random numbers. Please note that, in keeping with prioritizing transparency, we make heavy use of JavaScript BigInts. This design decision is particularly frowned upon by people who worry about electromagnetic side-channel attacks. Users are invited to refer to the JavaScript code itself if they would like to know more about how kn Secrets works. The JavaScript code is easy to get hold of by downloading the offline version of kn Secrets. It ought to be self-explanatory, so we will not provide any explanation that goes any further than what is written here.
JavaScript is a technology that allows Web pages to be active instead of just acting as passive graphical displays. JavaScript is used practically everywhere on the World Wide Web in a myriad of different ways for all kinds of purposes. In other words, whenever you use a browser to surf the Internet, regardless of which browser you use and which kind of device you are on, some site-specific JavaScript gets temporarily and invisibly installed and executed in your browser on almost all websites you visit. All you notice is a website doing "nice and interesting things" or just working. We do nothing more than use JavaScript in a particular way that allows your browser to create Secure Shares or to recover secrets from Secure Shares. Browsers usually do provide the option to switch off JavaScript even though how to do that varies quite a lot and may be rather hidden. If you switch off JavaScript, then almost all websites bar the simplest ones will stop working partly or altogether. The fact that this does not happen when you surf the Internet all but guarantees that you already have JavaScript switched on and that it's working inside of your browser.
Yes, there is a theoretical risk of your browser software itself having been compromised to effectively turn it into malware that can spy on you. (Here we distinguish malicious spying from just relaying general usage data back to the browser vendor. This kind of functionality is commonly regarded as legitimate. It is contained in many browsers, both commercial and non-commercial. Most browsers allow users to switch it off.) There is much discussion about whether the spying risk is real, in particular in connection with browsers that originate from for-profit companies, in cases where the company in question does not disclose the software code, in part or in entirety, that makes its browser work. We are not aware of any browser, commercial or not, ever actually having been proven to have been turned into spyware in the way just described. In any case we recommend switching to a browser that does not originate in closed-source form from a for-profit company. Non-commercial open-source browsers are readily available for all platforms. They are under constant scrutiny by the open-source community, so the risk of you receiving any such browser in a compromised state is low. At any rate, kn Secrets is designed in a way so that it works with all browsers, regardless of where they come from.
We are not going to speculate about whether or not quantum computers will ever become sufficiently powerful to render many common encryption methods obsolete. Just for the sake of argument, let us assume that, at some point, quantum computers have become sufficiently powerful to make that happen. In that case, your secrets will be moot unless they were generated using methods that are quantum-resistant. Whether or not you use Secure Secret Sharing to store your secrets will have no bearing on that. In other words, a quantum attack will be independent of any use of Secure Secret Sharing to tackle the mere storage problem. It will rely on an ability to generate and test guesses as to what your secrets are. It will exploit that, up to bit lengths they can handle, quantum computers are exponentially better than conventional computers at creating and testing guesses, which is the reason why they are potentially capable of breaking encryption given that certain additional preconditions are met. (Unfortunately, most encryption schemes that are currently used for cryptocurrencies meet these preconditions.) We can say that your secrets will have ceased to be secret in the first place. The positive side of things is that, if your secrets have been created using methods that are quantum-resistant, then using Secure Secret Sharing to store them keeps that level of security, that is to say, Secure Secret Sharing preserves quantum resistance. The reason for that is a property that is called information-theoretic security. Secure Secret Sharing has this property. What it means is that Secure Secret Sharing cannot be broken even by an attacker who can bring infinite computing power to bear.
Quantum computers, although exponentially more powerful than conventional computers, are still going to have only finite computing power (albeit at an unimaginable, astronomical scale), whence Secure Secret Sharing of quantum-resistant secrets enjoys the same level of information-theoretic security as these secrets themselves. You can then continue to use Secure Secret Sharing to tackle the pragmatic problem that is still the same for quantum-resistant and non-quantum-resistant secrets, which is that storing them in one piece in one place creates unitary points of failure in terms of the risk of your secrets getting stolen.
In the present context, a 'Shamir Shard' is the same as a Secure Share.
If you want to support kn Secrets, then we will be grateful if you could put up a link to it on your public Web pages or anywhere else where it might go viral.