kn Secrets

Frequently Asked Questions

1. What makes Secure Shares secure?

What makes Secure Shares secure is the property that, given that a hypothetical attacker has gotten hold of fewer Secure Shares than what has been set as the threshold for recovering the secret, your k, then knowing these Secure Shares still gives no information about the secret at all except for maybe about its size or length. (Learning about the length of the secret is not considered a problem in cases where the attacker already knows or guesses that the secret constitutes the access key to some cryptocurrency wallet, for instance, as these key lengths are fixed.) In other words, your k absolutely constitutes an "all or nothing" threshold.

Compare that to what is commonly called key splitting. To this end, let us assume your key or, equivalently, your secret consists of nine digits like, say, 176507492. (That's just for the sake of discussion. You should never use such a simple passphrase for anything.) You may be tempted to create three splits of this key, namely, "176507...", "...507492", and "176...492". Any set of two of these splits is sufficient to recover your key, hence your "k" is 2. Now, notice that, if an attacker has gotten hold of only one of these splits, which is less than your "k", of course, then all that is left for the attacker is to guess three more digits, which works out to no more than 1000 guesses as 1000 is equal to 10 (as there are 10 possible digits) taken to the power of 3 (as there are only three digits left to guess). By getting hold of only one split, the problem of guessing your key has, thus, become exponentially simpler than the one of guessing it without having gotten hold of any split, as in that case the number of guesses can reach 10 taken to the power of 9. We can conclude that, just by getting hold of one of these splits, the attacker has practically gained almost all the information contained in the passphrase itself.

By contrast, kn Secrets does most emphatically not operate according to the key splitting idea or any other naive idea of this kind. More specifically, the algorithm that is implemented in kn Secrets exploits a principle called polynomial interpolation over a finite field. What is crucial about this approach to creating Secure Shares is precisely that it avoids the partial-information problem that key splitting or any other method of this kind leads to.

2. How is what you have written in the previous entry even possible? So can you provide more details on why Secure Shares are secure?

To provide more intuition on how Secure Secret Sharing works, let us recall that modern cryptography essentially treats each piece of information as a number. Cryptographic practice usually requires numbers that have many digits, which means that they get very big in arithmetic terms, but there is nothing fundamental, cryptographically speaking, that distinguishes these very big numbers from mere single-digit numbers. We can, thus, simplify matters by assuming a single-digit number, say 3, is what constitutes your secret. The starting point, then, for Secure Secret Sharing consists of a certain transformation of the way in which your secret is looked at. According to this view, the secret can be represented not only directly as a number but also as the y value taken on by any polynomial f at some fixed value of x, say x = 0, as long as f(0) = 3. Examples of such polynomials are All three of these polynomials yield y = 3 if x = 0. This change of viewpoint provides us with infinitely many representations of the secret in addition to its direct representation as a number. Now, Secure Secret Sharing exploits the following two properties:
  1. A polynomial f is uniquely determined by pairs of the form (x, f(x)), given that the number of pairs available is at least one more than the degree of f. (Recall that the degree of f is the highest exponent that occurs in f. In our examples we have degrees of 1, 2, and 3.) The first polynomial from our examples, 2x + 3, is of degree 1, hence we would need two such pairs to determine it uniquely, e.g. like so: (-1, 1), (1, 5). The second polynomial, 3(x**2) + 2x + 3, is of degree 2, hence we would need three pairs, e.g. like so: (-2, 11), (-1, 4), (1, 8). The process of reconstructing a polynomial f from pairs of the form (x, f(x)) is called polynomial interpolation or Lagrange interpolation after the 18th/19th-century mathematician who invented it.
  2. If the number of available pairs of the form (x, f(x)) is less than one more than the degree of f, then that provides no information about the polynomial — and hence your secret — at all, that is to say, there are infinitely many polynomials of the same degree that yield the same y value for any of the given x values. In the case of the first polynomial from our examples, for instance, given just one pair, say (2, 7), then there are infinitely many polynomials of degree 1 that also yield (2, 7) such as x + 5, 3x + 1, 5x - 3, etc. etc.
Putting it all together, assume s is your secret, k is your recovery threshold, and n is the total number of Secure Shares of s that are to be generated. The principle behind Secure Secret Sharing is as follows:
  1. Choose a random polynomial f that is of degree k - 1 and has the property of f(0) = s, and use the pairs, (1, f(1)), (2, f(2)), ... (n, f(n)), as Secure Shares of s.
  2. Given any subset of k of these pairs, use polynomial interpolation to reconstruct f and obtain s by computing the value taken on by f when applied to 0.
  3. Given any subset of fewer than k of these pairs, no information about the secret is available at all.
In reality there are some technicalities because of which this scheme has to be somewhat refined and modified, but the idea remains the same even in the final analysis. — So that is really all there is about Secure Secret Sharing.
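
The three-step principle above, worked through in JavaScript with BigInt as an added example; it is not kn Secrets' own code. The prime 2^127 - 1, the function names and the 13-element field used for the exhaustive search are assumptions, and the last function goes beyond the text by enumerating every polynomial to show that k - 1 shares leave each possible secret exactly as likely as any other.

```javascript
// Added example, not kn Secrets code; the prime P and all names are assumptions.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;
const P = 2n ** 127n - 1n; // a Mersenne prime; secrets must be smaller than P
const mod = (a, p) => ((a % p) + p) % p;
// Uniform field element by rejection sampling on CSPRNG bytes.
function randomBelow(p) {
  const len = Math.ceil(p.toString(2).length / 8);
  for (;;) {
    const v = rng.getRandomValues(new Uint8Array(len)).reduce((a, b) => (a << 8n) | BigInt(b), 0n);
    if (v < p) return v;
  }
}
// Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo p.
const evalPoly = (coeffs, x, p) => coeffs.reduceRight((acc, c) => mod(acc * x + c, p), 0n);
// f(0) = secret, k - 1 random coefficients; shares are (x, f(x)) for x = 1..n.
function split(secret, k, n, p = P) {
  if (secret < 0n || secret >= p || k > n) throw new RangeError("bad parameters");
  const coeffs = [secret];
  for (let i = 1; i < k; i++) coeffs.push(randomBelow(p));
  return Array.from({ length: n }, (_, i) => BigInt(i + 1)).map((x) => [x, evalPoly(coeffs, x, p)]);
}
function modPow(b, e, p) {
  let r = 1n;
  for (b = mod(b, p); e > 0n; e >>= 1n, b = (b * b) % p) if (e & 1n) r = (r * b) % p;
  return r;
}
// Lagrange interpolation at x = 0; division is multiplication by den^(p-2) mod p.
function recover(shares, p = P) {
  let secret = 0n;
  for (const [xi, yi] of shares) {
    let num = 1n, den = 1n;
    for (const [xj] of shares) {
      if (xj === xi) continue;
      num = mod(num * -xj, p);
      den = mod(den * (xi - xj), p);
    }
    secret = mod(secret + yi * num * modPow(den, p - 2n, p), p);
  }
  return secret;
}
// Exhaustive attacker on a tiny field: try every polynomial of degree < k, keep
// those matching the observed shares, and tally the secrets f(0) they imply.
function secretsConsistentWith(shares, k, p) {
  const tally = new Map();
  for (let code = 0n; code < p ** BigInt(k); code++) {
    const coeffs = [];
    for (let c = code, i = 0; i < k; i++, c /= p) coeffs.push(c % p);
    if (shares.every(([x, y]) => evalPoly(coeffs, x, p) === y))
      tally.set(coeffs[0], (tally.get(coeffs[0]) ?? 0) + 1);
  }
  return tally;
}
const demoShares = split(176507492n, 3, 5); // the FAQ's nine-digit sample key
console.log(recover([demoShares[4], demoShares[0], demoShares[2]])); // any 3 of 5
console.log(secretsConsistentWith(split(3n, 3, 5, 13n).slice(0, 2), 3, 13n));
```

With only two of the three required shares, the tally lists every value from 0 to 12 exactly once, so exhaustive search does not narrow the secret down at all.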

3. Is kn Secrets an implementation of the algorithm that is known as Shamir's secret sharing?

Yes, that's precisely true: kn Secrets implements Shamir's secret sharing. In other words, there is nothing special about kn Secrets in terms of technology. But that's a desirable property because kn Secrets is about providing security. The core idea of kn Secrets consists of implementing a known security algorithm in a way that is as straightforward to use and as transparent as possible. Inventing your own "security algorithm" so that it is really secure is usually very difficult, so it is a good thing that kn Secrets does not do this.

4. Is kn Secrets compatible with any other implementation of Shamir's secret sharing?

kn Secrets is not compatible in any way with any other implementation of Shamir's secret sharing that can be found on the Internet. These implementations differ from kn Secrets considerably with regard to many technical details. In particular, it is not possible to recover a secret from Secure Shares generated with kn Secrets using any other of the available implementations of Shamir's secret sharing.

5. Does kn Secrets address any of the practical usability concerns that have been raised with regard to Shamir's secret sharing?

No, kn Secrets only implements Shamir's secret sharing itself, not more than that. It's entirely up to users to determine whether employing the scheme really makes their secrets more secure from a holistic point of view, taking into consideration all of their individual, practical circumstances.

6. I have lost some of my Secure Shares, and the number of Secure Shares that remain is lower than the minimum that I set for recovery. Is that of any use in recovering my secret after all?

No, absolutely not. If you do not have the required number of Secure Shares left, then this situation is equivalent to having lost the entirety of your Secure Shares and, consequently, the secret itself (unless you can recover the secret in some other way). This property is the whole point of Shamir's secret sharing.

7. Surely there must be some secret trick that would allow me to circumvent the previous point?

Well, sorry, no. No such trick has ever been discovered by the crypto community and most probably never will be.

8. But just going offline does not protect against any malware attacks where secrets or Secure Shares get stored in some inconspicuous place on my system? Hackers would then retrieve that store once I am online again.

That's completely true, of course. If you worry about such attacks, then you could set aside some dedicated PC to compute Secure Shares or recover secrets from Secure Shares. This PC must never go online ever again once you have started using it in this role. (There must also be no data transfer via any other channel, for example, via USB stick.) Any old PC will probably do as performance requirements for running kn Secrets are low. Please note that, if you take this mode of attack seriously, then you must really not go online with your dedicated PC ever again, not even after having carried out a secure erase of every disk built into it, followed by reinstalling the operating system. That's because disk storage might not be the only permanent storage on your PC where malware might be able to stash your secrets or Secure Shares for hackers to be able to retrieve them later. Only once your secrets or Secure Shares have ceased to be of any value, for example, because you have emptied and nullified your cryptocurrency accounts that you secured using kn Secrets, it is secure for the dedicated PC to go online again.

9. Can I use Tails to work with the offline version of kn Secrets?

This question is highly technical, so we are not going to explain to the casual reader what 'Tails' is. Having said that, yes, using Tails to work with the offline version probably constitutes one of the most secure ways of employing kn Secrets. The preferred method of going about it consists of copying the offline version of kn Secrets from a USB stick to the directory carrying the name 'Tor Browser', which ought to be located in the home directory of your Tails session. It should then be possible to use the Tor browser itself to open the file, index.html, and continue from there. Please note that Tails will probably not be able to access your printer, whence Secure Shares will have to be noted down with pen and paper instead of printing Secure Share PDF pages. — Transferring Secure Share PDF pages via any storage medium or a local (or maybe even non-local) network to some system from where they can be printed is highly insecure and must not be done under any circumstances. In any event, we recommend running Tails from a USB stick that is locked in read-only mode, just like copying kn Secrets from a second USB stick that is also locked in read-only mode. Needless to say, the computer on which all of this takes place must be physically disconnected from the Internet during the entire process. Please be aware of the fact that, while using Tails protects against the main operating system on your computer having been compromised, it does not protect against the computer hardware itself or the BIOS firmware having been compromised.

10. You have made me curious. What is 'Tails'?

Tails is a highly secure operating system that can be run from a USB stick. Tails itself and all the necessary documentation can easily be found online, so we refer you to these resources.

11. I have heard about "side-channel attacks" exploiting electromagnetic emissions of the system targeted. Is kn Secrets secure against this kind of attack?

No, kn Secrets in and of itself is not secure against this kind of attack. That's regardless of whether you use it in online or offline mode. We figure that, if you have to worry about attackers possessing sufficient resources to mount electromagnetic side-channel attacks, then you also have to worry about these same attackers redirecting their resources to steal your secrets in a variety of ways, for example, by breaking into your premises. Electromagnetic side-channel attacks usually require getting somewhat close to your system anyways. It then becomes a question of how to spend your own resources in a balanced manner to secure your secrets against different methods that might conceivably be used by attackers to try and steal them. If a cost-benefit calculation leads you to harden your premises against being broken into, for instance, then you might also want to spend resources on installing physical shielding that reduces the risk of your computer system leaking data in the electromagnetic spectrum. Such a balanced approach in the physical realm might be considered more coherent and secure than relying on software algorithms that inject computational noise into your system, so to speak, in an attempt to make electromagnetic side-channel attacks more difficult.

12. What sources of randomness does kn Secrets use in computing Secure Shares?

The quality of Secure Shares computed by kn Secrets indeed depends on the quality of the random numbers used in doing that. kn Secrets chiefly employs two sources of randomness stacked on top of each other. At the base, there is a third-party, cryptographically secure pseudo-random number generator that is open source and has been in the open as such unchallenged for a number of years, as far as we know. On top of this layer, random graphical points drawn by the user are employed in triggering this pseudo-random number generator. We assume that this staggered approach, on the whole, brings us sufficiently close to true randomness. A separate group of points is used for each random number required in computing Secure Shares. Each time Secure Shares are to be re-computed for any given secret, completely new points have to be provided by the user.

13. What do I do if I want to copy and paste the BIP39 mnemonics of a Secure Share without the indices that appear to the left of them?

The tabular presentation in Step 7 of making Secure Shares is programmed in a way that allows users to move their mouse cursor to mark just the BIP39 mnemonics of each individual Secure Share. On most operating systems, a right-click should then bring up a context menu that allows the user to copy just the mnemonics and nothing else to the clipboard. Please make sure to follow the security guidelines with regard to handling Secure Shares on your system if you want to do anything else with them other than noting them down with pen and paper.

14. How does kn Secrets work under the hood?

At the risk of using some technical jargon, the philosophy behind kn Secrets consists of giving transparency total priority over obfuscation. The way in which kn Secrets achieves this goal consists of providing a pure, and rather straightforward, JavaScript implementation of the secret sharing algorithm up to and including using JavaScript (and user inputs, see above) for generating random numbers. Please note that, in keeping with prioritizing transparency, we make heavy use of JavaScript BigInts. This design decision is particularly frowned upon by people who worry about electromagnetic side-channel attacks. Users are invited to refer to the JavaScript code itself if they would like to know more about how kn Secrets works. The JavaScript code is easy to get hold of by downloading the offline version of kn Secrets. It ought to be self-explanatory, so we will not provide any explanation that goes any further than what is written here.

15. How do I attach PDF pages that contain Secure Shares to PDF documents that I have made on my own?

knsecrets.online has a sister website, PDFpage.net, that allows you to attach ("merge") PDF documents to each other in a privacy-friendly manner. It does so by letting your browser itself carry out the entire process, i.e., everything is done without any uploads or tracking. PDFpage.net also provides the option of selecting individual pages that are to be merged. Please note that, in keeping with the security guidelines, using PDFpage.net requires loading it into your browser, followed by disconnecting your computer from the Internet, and clicking options whereby any given Secure Share PDF pages and your own PDF page(s) get merged as required. You also have to configure your browser so that the ensuing document is brought up in your previewer without ever placing it in the browser's default download location.

16. I have heard about quantum computers potentially rendering many encryption methods obsolete, including encryption methods used for cryptocurrencies. Would that apply to Secure Secret Sharing too?

We are not going to speculate about whether or not quantum computers will ever become sufficiently powerful to render many common encryption methods obsolete. Just for the sake of argument, let us assume that, at some point, quantum computers have become sufficiently powerful to make that happen. In that case, your secrets will be moot unless they were generated using methods that are quantum-resistant. Whether or not you use Secure Secret Sharing to store your secrets will have no bearing on that. A quantum attack will simply circumvent any use of Secure Secret Sharing. In principle, it will rely on an ability to generate and test guesses as to what your secrets are. It will exploit that, up to bit lengths they can handle, quantum computers are exponentially better than conventional computers at creating and testing guesses, which is the reason why they are potentially capable of breaking encryption given that certain additional preconditions are met. (Unfortunately, most encryption schemes that are currently used for cryptocurrencies meet these preconditions.) We can say that your secrets will have ceased to be secret in the first place.

The positive side of things is that, if your secrets have been created using methods that are quantum-resistant, then using Secure Secret Sharing to store them keeps that level of security, that is to say, Secure Secret Sharing preserves quantum resistance. The reason for that is a property that is called information-theoretic security. Secure Secret Sharing has this property. What it means is that Secure Secret Sharing cannot be broken even by an attacker who can bring infinite computing power to bear. Quantum computers, although exponentially more powerful than conventional computers, are still going to have only finite computing power (albeit at an unimaginable, astronomical scale), whence Secure Secret Sharing of quantum-resistant secrets enjoys the same level of information-theoretic security as these secrets themselves.

You can then continue to use Secure Secret Sharing to tackle the pragmatic problem that is still the same for quantum-resistant and non-quantum-resistant secrets, which is that storing them in one piece in one place creates unitary points of failure in terms of the risk of your secrets getting stolen.