New Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum, and … · 2020. 8. 12. ·...

Proceedings on Privacy Enhancing Technologies ; 2020 (2):397–415

Bailey Kacsmar*, Chelsea H. Komlo*, Florian Kerschbaum, and Ian Goldberg

Mind the Gap: Ceremonies for Applied SecretSharingAbstract: Secret sharing schemes are desirable across avariety of real-world settings due to the security andprivacy properties they can provide, such as availabil-ity and separation of privilege. However, transitioningsecret sharing schemes from theoretical research to prac-tical use must account for gaps in achieving these prop-erties that arise due to the realities of concrete imple-mentations, threat models, and use cases. We presenta formalization and analysis, using Ellison’s notion ofceremonies, that demonstrates how simple variations inuse cases of secret sharing schemes result in the po-tential loss of some security properties, a result thatcannot be derived from the analysis of the underlyingcryptographic protocol alone. Our framework accountsfor such variations in the design and analysis of secretsharing implementations by presenting a more detaileduser-focused process and defining previously overlookedassumptions about user roles and actions within thescheme to support analysis when designing such cer-emonies. We identify existing mechanisms that, whenapplied to an appropriate implementation, close the se-curity gaps we identified. We present our implementa-tion including these mechanisms and a correspondingsecurity assessment using our framework.

Keywords: secret sharing, applied cryptography, proto-col analysis, ceremony analysis

DOI 10.2478/popets-2020-0033Received 2019-08-31; revised 2019-12-15; accepted 2019-12-16.

1 IntroductionThe security properties that theoretical secret sharingpurports to provide are particularly meaningful for high-

*Corresponding Author: Bailey Kacsmar: University ofWaterloo, E-mail: [email protected]*Corresponding Author: Chelsea H. Komlo: Universityof Waterloo, E-mail: [email protected] Kerschbaum: University of Waterloo, E-mail: [email protected] Goldberg: University of Waterloo, E-mail:[email protected]

risk users such as journalists, as demonstrated by thesecurity-critical effort required for the investigation andreporting of the Panama Papers [29]. However, whilethe security of theoretical secret sharing is well docu-mented in academic research, in practice, the securityguarantees are more complicated.

The descriptions in the literature of secret sharingschemes, which we additionally refer to as thresholdschemes, often lack sufficient evidence of the securityof real-world deployments of the schemes. This short-coming is due to the descriptions leaving a large num-ber of assumptions and decisions to the participants,as these are considered to be outside of the protocol.Just as the design of the highly successful TLS pro-tocol accounts for more real-world practicalities thanthe underlying Diffie-Hellman key exchange protocol,the practical use of threshold schemes, as we demon-strate, is no different. For example, although Shamir se-cret sharing (see Section 2) is information theoreticallysecure, ultimately the shares must be communicated toparticipants through a channel, which in most cases willrely on symmetric or asymmetric encryption, and there-fore rely on computational assumptions. Furthermore,unlike cryptographic protocols such as Diffie-Hellman,threshold schemes require significant user involvementand decisions at nearly every stage of the protocol. Con-sequently, analyzing the security of threshold schemesrequires assessing both the protocol and the actions anddecisions required of users.

Ellison [14] introduced the concept of a ceremonyin security analysis, which requires the inclusion ofboth the cryptographic protocol as well as any possibleuser actions or decisions in the security analysis. Sur-prisingly, the state of research literature for thresholdschemes does not include a complete, end-to-end, for-mal definition and assessment of the security of the cer-emony of threshold schemes. Without such definitions,deployments of threshold schemes lack the necessarystructure required for formal analysis as their flexibilityin terms of applications is broad.

Without strict boundaries for a specific threatmodel and use case, it is impossible to provide both ageneralized framework and a formal analysis for secretsharing ceremonies. This work provides a structure, in

Mind the Gap: Ceremonies for Applied Secret Sharing 398

the form of a framework, that can be used for a giventhreshold scheme to define and analyze its particularceremony, by structuring the ceremony as a series ofstages and steps as is necessary to assess the ceremony’send-to-end security. Although an unbounded number ofpossible user interactions exist, our framework can beused to guide the definition and formalization of theceremony. We identify ceremony-related issues, such asrequiring the dealer to delete sensitive material and therequirement for users to authenticate one another. Theceremony for an application, defined in terms of ourframework, accounts for the specific goals and adver-saries of the ceremony and therefore provides the neededstructure that must precede efforts to formally analyzea specific ceremony.

Contributions. We provide a framework to facili-tate the process of defining an accurate ceremony fora given threshold scheme; we then use this frameworkto assess the security of several threshold schemes, anddefine a lightweight set of improvements that are usefulto threshold schemes based on Shamir secret sharing.Our framework is useful for comparing different exist-ing secret sharing schemes; however, what it primarilyprovides is a structure for defining threshold scheme cer-emonies with the necessary details to perform a moreaccurate security analysis that accounts for the settingin which the threshold scheme is used. Overall, our con-tributions include:– a demonstration of the variability in the ceremony

of threshold schemes and how this variability canlead to gaps in the security properties achieved bythe threshold scheme;

– formalizations of the adversaries and of several usecases of threshold schemes used in practice;

– a framework to facilitate security analyses of thresh-old schemes used in real-world settings;

– exemplar applications of our ceremony frameworkvia security analyses of three threshold scheme casestudies; and

– techniques to close security gaps uncovered in ourabove analysis and an implementation of these im-provements in Rust.

Organization. This paper is organized as follows. Back-ground, motivation, and related work are Sections 2, 3,and 4 respectively. Section 5 is our framework for ouranalysis. Formalized ceremonies for two modes of op-eration for threshold schemes are in Sections 6 and 7.Section 8 summarizes our analysis for several thresh-old schemes, Section 9 is our improved ceremony andimplementation and our conclusion is Section 10.

Table 1. Parameters and additional notation used within ouranalysis

n number of participants

t threshold

s secret recovered by a (t, n)-threshold scheme

S secret space of a (t, n)-threshold scheme

D dealer

DP dealer that later becomes a participant

F sensitive information requiring protection

Base s = F

Ext s 6= F

Pr participant performing a recovery of s

U participant performing an update~C commitment used to validate any share

2 Threshold SchemesWe summarize the notation used throughout our anal-ysis in Table 1, including both notation standard to theliterature as well as new notation we introduce in latersections for the purpose of our analysis. Notably, wedenote the secret information that is protected by thethreshold scheme as F , while the secret input into thethreshold scheme is s. This differentiation will becomeimportant when we define modes of operation where Fcan either be equal to s, or distinct, as defined in Sec-tion 5.2.

In general, cryptographic secret sharing schemes en-able a group of n participants, possessing a secret s, todivide s into n shares. Before creating the n shares, athreshold value t is chosen such that a collection of tshares must be used to learn the value of s. A (t, n)-threshold scheme is a secret sharing scheme where n andt are positive integers such that t ≤ n, n representingthe number of participants, and t the desired threshold.

In a (t, n)-threshold scheme we designate a dealer Das the entity that selects the secret s and generates the nshares such that each of the n participants in the schemereceives a share that preserves the following properties:Reconstruction: any size-t subset of the n partici-

pants can compute the secret given their t shares,and

Secrecy: no subset of the n participants consisting oft−1 or fewer participants is able to gain any knowl-edge of the secret given their combined shares.


In a conventional (t, n)-threshold scheme, the set of nparticipants does not contain the dealer D. However, inour analysis we work in the setting where the dealer,now labeled a participant dealer DP , may continue tobe involved in the scheme as a participant, as typicallyoccurs in real-world practical settings.

While some variants of threshold schemes, such asthreshold signature schemes [21], allow participants touse their shares of s individually and to perform recon-struction only on the results, we focus our attention onthreshold schemes in which s is reconstructed directly.A well-known such construction, due to Shamir [41], dis-tributes points lying on a polynomial (of degree t − 1)as shares. We refer to this construction (summarizedin Appendix A) as classic Shamir secret sharing. Com-bining t of these shares using polynomial interpolationwould recover the secret; combining any smaller num-ber of shares does not leak any information about thesecret. The construction is information theoretically se-cure; that is, a Shamir threshold scheme can withstandadversaries with unlimited computational power.

3 MotivationThreshold schemes allow for a high degree of variabil-ity in user goals and potential adversaries, where evenslight variations significantly influence the security ofthe scheme overall. We describe two practical exam-ples, where both cases utilize an identical underlyingthreshold scheme protocol, however, the threat model,context, goals, and thus ceremony vary dramatically be-tween the two examples. For both examples, Alice, Bob,and Carol are journalists at the same organization.

Case One. Alice received highly sensitive files froma source. She fears external parties will act against her toprevent the distribution of the files, and wants to ensurethat even if an adversary succeeds at targeting her, theinformation can still be accessed by either herself ortrusted colleagues. She enlists the help of Bob and Carolin her efforts to preserve the availability of the files.

Alice acquires a laptop to encrypt and store the se-cret information. She inputs a key k into a tool thatimplements classic Shamir secret sharing using k as thesecret (s = k) and inputs her desired parameters t = 2and n = 3. The tool outputs the corresponding sharesand Alice messages Bob and Carol over an establishedcommunication channel. Alice sends one share to Boband one share to Carol. Bob and Carol confirm they re-ceived the share and each store their respective shares

on a USB, which is then stored in a chosen safe place.Alice stores the laptop containing the encrypted secretinformation in a safety deposit box at a bank.

Alice leaves the news organization and Bob, who haslost his share, is assigned the story. Fortunately, Aliceleft the organization on good terms, so Bob contactsAlice and Carol, requesting their shares. Bob retrievesthe laptop and decrypts the ciphertext using the keyrecovered from Alice and Carol’s shares.

Case Two. Alice has received a decryption key thatcorresponds to a publicly released ciphertext [3, 4]. Shefears external parties will attempt to distribute the keyin a way that could endanger individuals. Alice wantsto ensure the information remains confidential to thoseshe has not authorized (herself or her trusted colleaguesBob and Carol) to distribute it.

Alice meets Bob and Carol at a previously agreedupon location. Using an airgapped1 laptop, Alice inputsthe key from her source into a tool that implements clas-sic Shamir secret sharing, choosing t = 2, and n = 3. Af-ter the tool has output the corresponding shares, Alice,Bob, and Carol each save one share to their respectiveUSB. Finally, Alice deletes all information off of theairgapped laptop. Everyone keeps their respective USBdevices on their person at all times.

Alice’s USB is taken from her while crossing a bor-der. Fortunately the USB is insufficient to learn the se-cret data, however, Alice can meet Bob and Carol inperson to request their shares in order to recover thekey.

Observations. In both cases, Alice made a num-ber of choices, including selection of participants, selec-tion of communication methods, and selection of storagemechanisms. The choices Alice made affect the securityand privacy properties of each case. For instance, onlyCase Two requires the physical presence of each partic-ipant. Such a requirement may limit the availability ofthe information if an adversary had the power to preventparticipants from meeting up; for example, if the partic-ipants are initially separated by a geographical border.Furthermore, storing the encrypted data on the laptopcreates a single point of failure for an adversary target-ing the availability of the ciphertext.

The above examples demonstrate how the range ofchoices and prioritization impact the threshold schemeceremony. For instance, Case One preserves availabil-ity and prevents the information from being released

1 As a security mechanism, an airgapped laptop is protectedagainst connecting to the Internet.


preemptively, but still requires confidentiality, other-wise multiple copies of the information could simply bestored. More significantly, these examples highlight theneed to consider the ceremony of the threshold schemewhen performing a security analysis, factoring in boththe threat model that users operate within, along withhow users perform the actions required of the thresh-old scheme in context of their use case, such as whetherusers operate online or entirely offline. This crucial ob-servation motivates our next sections, where we formal-ize several ceremonies of threshold schemes as both pro-tocol and explicit user actions and decisions in the effortto more accurately assess the security of the thresholdscheme under consideration.

4 Related WorkCeremony Analyses of Security Tools. Our anal-ysis follows in the style of prior work analyzing cryp-tographic tools used in practice [13, 19], verifying secu-rity properties, and documenting decision paths takenby users when participating in cryptographic protocols.Our security analysis specifically includes the ceremonyperformed by end users [14], encompassing everythingout-of-band to a cryptographic protocol but required ofusers and thus subject to security consequences [12, 23].While prior ceremony analyses have been performed fora number of cryptographic protocols, the research lit-erature currently lacks a similar analysis assessing thesecurity of ceremonies for threshold schemes specifically.

Previous work on ceremony analysis includes speci-fying how to model users’ devices [26] and formal anal-ysis of Public-Key Infrastructures (PKIs) [27]. Whileframeworks have been proposed to assess the security ofexisting ceremonies such as that of Carlos et al. [9], ourframework specifically defines possible threshold schemeceremonies and facilitates their analysis.

In 2013, Carlos et al. [10] focused on threat model-ing within ceremonies, highlighting that threat modelsfor ceremonies must be adaptive. Threat models mustevolve to match varying user goals and contexts evenwhen these ceremonies utilize the same underlying pro-tocol. Radke et al. [34] highlight adaptive threat modelsas a weaknesses of ceremony analysis, as the context ofthe ceremony must be as well defined in order to accu-rately model potential adversaries and threats againstthe goals of end users to claim the ceremony as secure.As ceremony analysis of threshold schemes is highly de-pendent on users’ threat models, and as the threat mod-

els can differ depending on the user, context, or use case,instead of providing a narrow ceremony analysis for aspecific threat model, we present a generalized frame-work for performing a ceremony analyses of thresholdschemes in both theory and practice, across several com-mon real-world threat models.

Applications of Threshold Schemes. Sunder isan existing applied secret sharing tool created by Free-dom of the Press Foundation [18] to support journal-ists protecting long-term secrets such as the Snowdenarchives. Another tool building on secret sharing is Cal-listo, which provides a safety-in-numbers approach toexposing names of sexual abusers [35]. While these usecases give insight into the setting and application ofthreshold schemes used in practice, many other use casesof threshold schemes exist [1, 2, 43].

Shatter [2] is a framework for desktop and mobileplatforms that performs key sharing across a user’s de-vices. Shatter uses secret sharing to leverage users’ in-creasing numbers of devices by requiring a thresholdnumber of devices to provide consensus for actions suchas performing a login. Although Shatter uses secretsharing it is actually an example of a threshold signaturescheme. Nonetheless, it still shares a number of proper-ties with secret sharing schemes that make our analysisapplicable.

Shatter Secrets [1] is an advance on Shatter thatprovides protection to users’ data when crossing bor-ders. With Shatter Secrets, a user could encrypt theirprimary device and then distribute shares to theirfriends at their destination with the encryption key serv-ing as the secret s. Once over the border, the user withthe encrypted device visits t of their friends, physicallyNFC-taps their devices to retrieve the shares, recon-structs the secret, and decrypts their device.

Pico [43] stores shares on hardware tokens insteadof utilizing users’ existing devices. One explicit use caseof Pico is as a replacement for password managers as ituses public key cryptography challenge-response insteadof typical passwords. Pico exists as a mobile applicationand is intended to block a thief who has stolen fewerthan t tokens from violating confidentiality, while pre-serving availability as long as t tokens remain.

Secret Sharing Variants. Verifiable Secret Shar-ing (VSS) is a variant on threshold schemes in whichany participant can verify the integrity of their shareusing a public commitment. Well-known VSS schemesinclude Feldman’s [15] and Pedersen’s [32] schemes.

Proactive secret sharing, introduced by Ostrovskyand Young [31] and used in a secret-sharing scheme byHerzberg et al. [22], protects against a mobile adver-


sary. A mobile adversary can control a subset of playersover time, but the members belonging to this subsetcan change between epochs. To defend against such anadversary, proactive secret sharing relies on proactivelyupdating shares to enable a form of forward security.

5 A Framework for CeremonyAnalysis

In this section we present the components we need forperforming a ceremony analysis. We define thresholdscheme adversaries, distinguish two modes of operation,identify security goals, and provide additional terminol-ogy that we use throughout our analysis. We concludethis section with an outline of how to use our frameworkto produce a complete ceremony for a specific secretsharing protocol used in a specific setting and purpose.

5.1 Formalizing Threshold SchemeAdversaries

First, we formalize a range of possible adversariesagainst threshold schemes used in practice, and describethe possible capabilities and powers these adversariescan hold. We outline several conventional adversarialmodels and identify variations within each model.

Adversary Power.We define three levels of poweran adversary may possess. Although we utilize the terms‘high’, ’middle’, and ‘low’, these terms are simply pointsof reference for comprehension and are not intended asprescriptive classifications.

A high-powered adversary has the power and re-sources of a government actor. High-powered adver-saries can access state-of-the-art computing resourcesand have significant quantities of time and money attheir disposal. Such an adversary has the power to takelegal action, bounded only by the political environmentof that jurisdiction. For example, the NSA is known tomasquerade as well-known sites, installing malware ca-pable of exfiltrating data from a victim’s device [20],governments are known to use informants to infiltrateactivist groups (Martin Luther King Jr.’s friend andphotographer was an FBI informant [28]), and somecountries have proposed laws allowing legal orders re-quiring technology companies to work on behalf of thegovernment to provide access to encrypted devices [11].

A low-powered adversary has similar computational,temporal, and monetary resources as the participants

of the threshold scheme. A middle-powered adversaryexists somewhere between the powers of a governmentactor and the powers of the participants. Such an adver-sary has the same legal powers as a low-powered adver-sary, but may have the same money and time availableto them as a government actor.

Adversary Capabilities. We limit our analysisto the capabilities of the below-mentioned adversarialmodels. The adversaries may be participants in the cer-emony or outsiders. A previously trusted participantmay become an adversary at a later time in the pro-tocol. That is, we do not assume participant roles arestatic.

An honest-but-curious (HBC) adversary will not de-viate from the ceremony, but will try to learn as muchinformation as they can within the bounds of the cer-emony. An HBC adversary will view any informationthat is exposed to them, and may collude with otherparticipants in an effort to learn additional information.

A malicious adversary is not bound to any expecta-tion of behaviour, and she can participate both honestlyand dishonestly in the ceremony at will. A malicious ad-versary can impersonate other actors, elect to not par-ticipate in the ceremony, or participate disruptively by,for example, providing false shares and attempting todeceive other parties into providing the adversary withtheir shares.

Adversaries who compromise operating systems orhardware infrastructure are also a real threat to usersdefending against a high-powered adversary. However,this class of threats are out of scope for our analy-sis as details of physical infrastructure vary widely be-tween implementations. In practice, secret-sharing im-plementations should employ well-known device protec-tion techniques such as single-use strategies2 and usingsecure operating systems such as Qubes [39].

Adversary Goals. Here we identify goals for anactive adversary of threshold schemes.

Learning secret information. An adversary moti-vated to learn the sensitive information F can work togain knowledge of the secret or the shares, subsequentlyallowing the adversary to recover F .

Modifying secret information. An adversary maywish to modify F without detection, resulting in par-ticipants recovering information that is different thanthe original input into the threshold scheme.

2 One example of a single-use strategy is using “burner” phones.A burner phone is one that is newly purchased and used for ashort period, after which it is discarded. [40]


Preventing secret recovery. Adversaries may alsoseek to prevent others from accessing or disseminat-ing F . For example, an adversary seeking to hideinformation—such as a government seeking to preventpublic distribution of evidence of war crimes—can workto disrupt communication, destroy shares, or even todestroy the sensitive data F .

Causing harm to participants. In some countries,working with material that is prohibited can be a crime,putting all parties at risk [5]. An adversary may be moti-vated to harm the participants of the threshold scheme,and can seek to perform actions such as attributing own-ership of F to those participants.

5.2 Modes of Operation

We define two manners of use, termed ‘modes of opera-tion’, to manage the sensitive information F . The BaseMode is defined as a ceremony for classic Shamir se-cret sharing [41]. The Extended Mode is an extensionto Base Mode, and is documented to be used in practicein high-risk settings [1, 18].

Base. In the first mode of operation, the confiden-tial information, F , is small in size, such that each ofthe shares distributed to the participants can reason-ably be about the size of F . The secret s can then bethe information itself, s = F .

Extended. The second mode of operation, ad-dresses when the sensitive information is too large tobe used directly as the secret s. The Ext mode of op-eration is modeled after a common real-world use casedescribed in the documentation of the secret sharingtool Sunder [18]. In this case, the confidential data F isfirst encrypted and the encryption key is then used asinput as s into Base. After the secret s is reconstructed,additional steps must be taken to retrieve the data Fusing s as a key.

5.3 Identifying Security Goals

We next define several security goals that are commonlycited for implementations of threshold schemes used inpractice [2, 18]. The below identified goals are specificto the context and use case of threshold schemes in gen-eral. However, the context of the threshold scheme un-der consideration can impact the security goals for thescheme. We use this set of security goals for our analysis,but other analysts using our framework should identifythe security goals appropriate for their specific scheme.

Such goals are not limited to the ones listed here andmay include some of these goals, and others as well.1. t-Separation of Privilege:We define t-Separation

of Privilege as a specific case of the well-knownSeparation of Privilege security principle first in-troduced by Saltzer and Schroeder [38]. Thresholdschemes require t participants’ shares to perform arecovery of F , where t is the chosen threshold.

2. Availability: The secret information F is accessibleto honest participants so long as at least t validshares remain accessible. For Extended Mode theavailability of the encrypted version of F will beenforced by the choice of safe storage mechanism(see Section 5.5).

3. Information Theoretic Security: Even given un-limited computational power, adversaries inside oroutside the ceremony cannot access F while pos-sessing fewer than t shares.

4. Confidentiality: Adversaries outside of the pro-tocol cannot gain knowledge of F . Note that in areal-world setting this goal requires revocation ofparticipants to achieve confidentiality across epochswhere participants move from a trusted to an un-trusted state.

5. Integrity/Corruption Detection: Corruption ofan individual share or the sensitive information isdetected by honest participants before completingthe Reconstruction stage.

5.4 Threshold Ceremony Analysis Outline

We next describe our framework to structure our as-sessment of the security of threshold schemes in prac-tice, including both the protocol and ceremony of thethreshold scheme under consideration.Identify stages of the ceremony of the thresh-old scheme. Security ceremonies can be broken downinto components called stages. Fully specifying the com-plete ceremony and its component stages is the firststep towards evaluating the security of the thresholdscheme under consideration. We provide two formaliza-tions (Sections 6 and 7) as a skeletal frame of referencefor future analyses of threshold schemes derived fromShamir secret sharing.Define the threat model. First, define possible ad-versaries of the threshold scheme or of the users partici-pating in the scheme, including the adversaries’ goals. InSection 5.1, we demonstrate a range of possible adver-saries against threshold schemes. Second, determine thedesired security goals. We present several possible secu-


1. Ceremony identification and formalization(stages)

2. Threat Model (selection of adversaries and se-curity goals)

3. Mode of operation (identification of use cases)4. Evaluation of Security (assessment of security

goals relative to threat model)

Fig. 1. Framework for security analysis for threshold schemesderived from Shamir secret sharing

rity goals of threshold schemes in Section 5.3. At times,certain security goals may prove to be in conflict. Forexample, a system operating in Extended Mode that pri-oritizes availability over confidentiality might distributean encrypted ciphertext publicly in order to decreasethe possibility of destruction.Define the mode of operation. Threshold schemescan potentially allow for many modes of operation. Forexample, classic Shamir secret sharing can support boththe Base Mode and Extended Mode of operation. Toevaluate the security of a threshold scheme, a singlemode of operation must first be specified. If a schemesupports more than one mode of operation, the secu-rity evaluation should be performed once for each. Notethat transitioning between modes of operation for thesame, or updated, secret is not supported by such eval-uations as it introduces new potential attack vectors(including issues related to using shares at most once;see Section 5.5).Evaluate security goals against adversaries. Us-ing knowledge of adversary goals and capabilities alongwith the ceremony formalization, the security goals forthe system can be evaluated in the context of the givenmode of operation and threat model. For each stagein the threshold scheme, and for each step within astage, evaluate if the adversary’s capabilities can defeatthe system goal. If the adversary can defeat the systemgoal, this goal is considered unmet. See Figure 1 for anoverview of our framework.

5.5 Assumptions and Limitations

We maintain several assumptions for the purpose ofproviding a structured analysis and designing our frame-work. However, we acknowledge these assumptions maynot always hold in real-world settings.

Secure Communication and Storage. We em-phasize the existence and availability of a secure com-

munication channel as well as a mechanism for safe stor-age. Communicating and storing data securely are bothcritical to the security of a practical threshold scheme.

Safe storage is a storage mechanism such that datais guaranteed to be recoverable in the future. Such mech-anisms must avoid single points of failure such as due toserver crashes; preventing such failures requires storingcopies of the data on multiple servers, for example. Weassume a safe storage mechanism provides the proper-ties of availability to participants. We also assume thatif participants require authentication before accessingthe stored data, the safe storage mechanism can pro-vide this authentication mechanism.

Using Shares At Most Once. We maintain thatsecrets, and consequently shares, should be single-useas otherwise new security risks are introduced. For ex-ample, a multi-use setting requires the assumption thatthe participant performing the recovery securely deletesboth the secret and the collected shares from their localdevice after completing the recovery. If the recoveringparticipant breaks this trust and stores shares or thesecret information locally after the first recovery, theparticipant can bypass the step of gathering t−1 sharesfrom other participants in future recoveries. Further-more, a device containing t shares is a single point offailure—an appealing target for an adversary trying tolearn the secret.

Honesty of the Dealer. We assume that thedealer is honest both in the case of D and DP , as clas-sic Shamir secret sharing is trivially broken when thedealer is dishonest.

In the Extended Mode the dealer is also responsiblefor determining sufficient protection for the encryptedF in terms of the secure storage selected.

Erasure Assumption. For the purposes of ouranalysis, we work within the erasure assumption [8],which assumes that participants are able to securelyerase data when required. We recognize that if the era-sure assumption does not hold, then many of the se-curity properties we define are broken, as an adversarycould perform analysis post-hoc on stolen machines andrecover sensitive material.

Non-Collusion. Honest participants will not col-lude with external parties. For example, honest partici-pants will not attempt a recovery initiated by an unau-thorized person.


6 Base Mode StagesWe now more formally identify the possible choices andactions for users participating in a threshold scheme,and introduce a formalization for a general ceremonyof threshold schemes based on Shamir secret sharing.Starting with the Base Mode of operation, we presentthree stages consisting of share generation, share dis-tribution, and reconstruction. The ceremony frameworkfor the Base Mode of operation is outlined in Figure 2.

Classification of Steps. We annotate each stepin a stage to classify how participants are involved. Weannotate steps as Device for expected implementationactions, as Choice for user decisions, and as Action forexpected user actions.

6.1 Share Generation

The generation stage allows minimal variation andchoice from the user. In this stage, we assume a secrets has previously been selected. A dealer D possesses sand selects the values for t and n. The dealer may ormay not be a participant in the scheme. Regardless, thedealer provides t, n, and s to a tool that follows thesteps for Share Generation defined in Appendix A, re-sulting in the generation of n shares. After these shareshave been generated, the device should securely deleteall ri’s (which it created) while the dealer deletes allcopies of s.

The choices and actions required of the dealer atthis stage consist of selecting appropriate values for tand n.

Choice: Determine Parameters. When gener-ating shares, the dealer chooses the appropriate thresh-old and number of participants. As these choices arehighly context dependent, the dealer is trusted to makethese choices taking into account their respective threatmodel.

An adversary in this setting can leverage poor or un-informed choices of n and t to gain unauthorized accessto or prevent participants from accessing s. For exam-ple, an adversary hoping to prevent a group of journal-ists from accessing the sensitive information need onlydestroy x > n − t shares to prevent journalists fromaccessing the sensitive information in the future.

Choosing t and n requires identifying the trade-offin prioritization for availability and t-separation of priv-ilege or risk of collusion. A larger value for t (for fixedn) increases the number of participants that can collude

Share Generation1. Choice: The dealer chooses values for n and t.2. Device: Let the secret space be S = GF (q)`,

where q is a prime or a prime power, q ≥ n+ 1,and ` ≥ 1. Let s ∈ S be the secret.

3. Device: Selects t − 1 values independently anduniformly at random from S as r1, . . . , rt−1 andsets f : GF (q) → S as f(x) = rt−1 xt−1 +rt−2 x

t−2 + · · ·+ r1 x+ s.4. Device: Generates shares si = (ai, f(ai)) for 1 ≤

i ≤ n, where the ai are arbitrary distinct non-zero elements of GF (q).

5. Device: Delete ri’s.6. Action: Delete all copies of s.

Share Distribution1. Choice: Select n participants (possibly includ-

ing the dealer).2. Choice: Select a secure communication channel

(in person, Signal, etc.).3. Action: The dealer distributes si = (ai, f(ai))

to participant Pi for 1 ≤ i ≤ n.4. Action: Delete each si from the dealer’s device.

Exception is if the dealer is a participant andkeeps one share.

5. Choice: Each participant selects an appropriatestorage mechanism for their share.

6. Action: Each participant stores their share inthe selected storage mechanism.

Reconstruction1. Choice: Select a communication channel to

bring t or more shares together.2. Action: Pr and the contacted participants au-

thenticate one another.3. Choice: Contacted participants elect whether to

proceed and participate in a reconstruction.4. Action: If proceeding, a contacted participant

sends their share to Pr.5. Device: Combine the t or more shares using

polynomial interpolation to recover the secrets = f(0).

Fig. 2. Ceremony Framework for Base Mode of Operation

without learning the secret, while lower t increases thenumber of participants that can be unavailable whilestill keeping the secret in a recoverable state. The valueof n, on the other hand, is likely to be determined by


Table 2. Network Model: Properties of Communication Channels

=achieved; G#=potential loss; #=not achieved

Confidentiality Integrity Info. Theor. Sec.

In-person #

Signal #

TLS 1.3 #

PGP G# #

SMS # # #

context—specifically by how many trusted participantsare available, as opposed to n being easily chosen.

Action: Perform Secure Deletion. Secure dele-tion is always required when performing share genera-tion. Verification that secret material has been securelydeleted3 is difficult, thus for our analysis we work un-der the assumption of the erasure mode defined in Sec-tion 5.5. Achieving the desired security properties of thethreshold ceremony requires the dealer to delete s andall ri’s after generating shares. This fact demonstratesthe higher level of trust required in the dealer beyondthat of the other participants.

If the dealer fails to delete s and the ri’s off theirmachine it becomes an easy and highly profitable targetfor an adversary. This single point of failure allows theadversary to bypass reconstructing t shares and insteadtarget the dealer’s machine. Thus, the presence of s onthe machine of the dealer presents a formidable risk andunderscores the necessity of secure deletion.

6.2 Share Distribution

Share distribution determines who receives shares andhow the shares are transmitted to participants. The re-sponsibility of the dealer includes selection of partici-pants, selection of a secure communication channel, andtransmission of shares over this channel.

After receiving their share, a participant is respon-sible for selecting a safe storage mechanism for the shareuntil required for the Recovery stage. After all shares aredistributed, the dealer securely deletes all shares fromtheir device, with the exception of their own share, ifapplicable.

3 For further details on existing secure deletion solutions seethe analysis from Reardon [36].

Choice: Select Secure Channel. Shamir secretsharing assumes the existence of a secure communica-tion channel. However, the dealer holds responsibilityto assess and choose an appropriate channel where allaforementioned security properties hold. Unsurprisingly,users often struggle to make safe choices when usingsecurity-critical tools in similar contexts [44]. Communi-cation channels that could be used in practice which arenot information-theoretically secure include TLS [37],Signal [33],and PGP [7], while in-person communicationachieves information theoretic security. Notably, eachof these transmission methods achieve divergent secu-rity properties when used in a secret sharing ceremony.TLS and Signal support confidentiality and integrity as-suming that participants authenticate one another be-fore sending any messages. In-person communicationachieves confidentiality but does not support integrity,due to the lack of a defined integrity mechanism. WhilePGP encrypts data in transit, thereby achieving confi-dentiality at the moment data is transmitted, PGP isnot forward-secure. Consequently, PGP does not strictlypreserve confidentiality of future transmitted data in thecase that a user’s private key is compromised. Cellu-lar networks’ Short Message Service (SMS), while com-monly used for security protocols such as two-factor au-thentication [24], does not achieve any of our desiredproperties. We provide a summarized analysis of the se-curity properties of various channels in Table 2.

Choice: Select Participants. In a (t, n)-thresholdscheme, the dealer is responsible for selecting which par-ticipants are entrusted with shares. The dealer in somecases is also free to decide if they will become a par-ticipant dealer Dp and retain a share for themselves.Choosing appropriate participants is heavily context de-pendent and influenced by the users’ threat model.

Action: Perform Secure Deletion. As withShare Generation, there is a need for secure deletion.After distributing the shares the dealer must delete allshares that are not their own from their device. Failureto do so provides an adversary with a single target togain the secret s just as leaving the secret itself would.

6.3 Reconstruction

This stage occurs when a valid participant chooses toinitiate a recovery. The participant Pr performing therecovery contacts and authenticates other participants,who authenticate Pr as a valid participant. These par-ticipants then decide for themselves whether reconstruc-tion is appropriate and whether to participate at that


time. If so, they transmit their share over a secure chan-nel. Once Pr possesses t or more shares, Pr can performreconstruction using a tool for polynomial interpolationto extract the secret s.

Choice: Select Secure Channel. Performing arecovery of s assumes a secure communication channelto transmit shares from other participants to Pr.

Action: Perform Authentication. During recov-ery it is left to the participants to authenticate eachother even assuming a secure channel. For instance, theparticipants in the scheme need to know whether or notit is permissible for the initiating participant to performa recovery. In one example, from Section 3, Alice left theorganization and Bob determined it was okay to includeAlice in the recovery and contacted her. However, inanother setting we can imagine Alice left the organiza-tion and initiated a recovery by requesting a share fromCarol. Without a revocation mechanism, there is noth-ing preventing Alice from recovering the secret if Carolprovides her with a share. Therefore, even after losingauthorization, Alice can learn the secret and break con-fidentiality. Thus, in this latter setting, the ceremonyas stated is insecure. Such an insecurity is an exampleof how a ceremony secure in one case may be insecurein another, and so it is important to specify the cere-mony as part of the security analysis, as opposed to justanalyzing the underlying protocol. Additionally, we willaddress this particular insecurity in Section 9.

7 Extended Mode StagesThe Extended Mode is one possible extension of Shamirsecret sharing, and is a practical use case for users seek-ing to protect sensitive information that is large in size.For example, Sunder requires operating in the ExtendedMode when the secret is larger than 1MB [18].

We now formalize the choices and actions usersmust make in the Extended Mode. We introduce thestages Secret Preparation which is performed before theBase Mode Share Generation stage, and Extended Re-construction which is performed after the Base ModeReconstruction stage; see Figure 3 for an outline.

7.1 Secret Preparation

Secret Preparation begins with an existing plaintext anda secret key. Using this key, the plaintext is encryptedvia a symmetric encryption algorithm, and the output

Secret Preparation1. Device: Generate a secret key to be used as s.2. Device: Encrypt F using s and an appropriate

authenticated encryption algorithm.3. Choice: Select a safe storage mechanism for the

ciphertext.4. Action: Safely store the ciphertext.

Extended Reconstruction1. Action: Acquire ciphertext from selected safe

storage.2. Device: Use recovered s to decrypt the cipher-

text.

Fig. 3. Ceremony Framework Additions for Extended Mode ofOperation

of the ciphertext is stored using safe storage (see Sec-tion 5.5) for later use in the Reconstruction stage. Thissecret key is subsequently used as the input s into theShare Generation phase.

Action: Generate Secret Key. The sensitive in-formation F should be encrypted using the chosen au-thenticated encryption algorithm and a secret key gen-erated by the dealer. Note that authenticated encryp-tion does not provide end-to-end integrity against anattacker that is able to acquire s. In that event, anadversary could modify the stored ciphertext withoutdetection. We present a way to block this attack in Sec-tion 9.

Choice: Select Safe Storage. Even if s has beensuccessfully reconstructed, the user must have chosen areliable storage mechanism (see Section 5.5 for require-ments of safe storage) to recover the ciphertext of Fafter performing the Reconstruction stage.

7.2 Secret Recovery

After s is recovered in the Reconstruction stage, theparticipant initiating the recovery can retrieve the ci-phertext of F from the chosen storage location, use thesecret s as a key for the symmetric encryption algorithmfor decryption, and produce the original sensitive infor-mation F .

For this stage, the probability of successfully recov-ering F is dependent on choices made by the user in theSecret Preparation stage; for example, if the user didnot choose an adequate storage mechanism, the usermay fail to recover F in the Secret Recovery stage.


8 Application of CeremonyFramework Analysis

We now apply our ceremony framework to aid the secu-rity analysis of threshold schemes, as specified in Sec-tion 5. We present three case studies to highlight howseemingly straightforward implementations can achieveor miss assumed security goals.

8.1 Defined Threat Model

We maintain a specific threat model for our securityanalysis of each case study.

Adversaries.We assume a high-powered adversary(defined in Section 5.1) which has access to exceptionalcomputational power, time, and money, along with sig-nificant legal resources. We do not assume fixed rolesfor participants; a once-trusted participant can becomean adversary at a later time.

Security Goals. We evaluate each case studyagainst the sample security goals defined in Sec-tion 5.3. Specifically, we evaluate the security goals oft-separation of privilege, availability, information theo-retic security, confidentiality, and integrity against theabove-defined adversary.

8.2 Case Study One: Classic ShamirThreshold Scheme

Classic Shamir secret sharing is not a complete protocoland by extension not a complete ceremony. Unsurpris-ingly, classic Shamir secret sharing in isolation cannotachieve all desired security properties. A summary of theanalysis detailed below for classic Shamir secret sharing(and indeed all of the ceremonies we analyze) can befound in Table 3.

t-Separation of Privilege is achieved by classicShamir secret sharing. Within the Extended Mode, anadversary with access to the ciphertext still requires atminimum t shares to decrypt the ciphertext.

The loss of Availability in Extended Mode demon-strates how security properties can be lost when movingfrom Base Mode to a seemingly innocuous extension ofShamir secret sharing. In the Base Mode, availability ispreserved as long as t < n. In the Extended Mode, theloss of the ciphertext renders the secret unavailable, re-gardless of the number of shares that remain available.As the protocol does not define a safe storage mecha-

nism to protect against loss of the ciphertext, this be-comes a single point of failure.

Information theoretic security is achieved in the-ory by the mathematics of classic Shamir secret shar-ing. When evaluating the scheme in practice, we mustconsider the channel used to transmit shares to partici-pants. We grant a half-circle in the table for informationtheoretic security in Base Mode as the protocol can re-main entirely offline if desired, requiring shares to betransmitted in person or via a trusted physical chan-nel. However, when operating in online mode, sharesare transmitted over an online channel. As online com-munication channels rely on encryption protocols thatare not information theoretically secure, classic Shamirsecret sharing loses information theoretic security whenused with an online channel. Furthermore, as ExtendedMode requires a symmetric encryption algorithm, work-ing within the Extended Mode similarly is not informa-tion theoretically secure.

Confidentiality is not achieved in either the Base orExtended Mode of operation due to the lack of a revo-cation mechanism. Once shares have been distributed,classic Shamir secret sharing does not consider the casewhere a once-trusted participant moves to an untrustedstate, such as by voluntarily or involuntarily leaving anorganization. For example, nothing prevents a partici-pant who was fired, but possesses a valid share, fromparticipating in a future recovery protocol by colludingwith other participants who similarly may or may notbe currently within a trusted state in the organization.We therefore only grant half-circles in the table for all ofthese cases, as they only achieve confidentiality as longas there is no need for revocation.

Integrity of shares is not a goal that classic Shamirsecret sharing guarantees. In some settings, for example,t = 2 but four shares are available during the recon-struction phase, the correct secret can be determined ifa limited number (in this case, one) of shares is cor-rupted or maliciously changed. However, using thesetechniques for integrity requires raising the requirednumber of shares during reconstruction, as well as as-sumptions about the number of corrupted shares. Ide-ally, a separate integrity check for the shares would en-able the detection of corrupted shares directly. Oncedetected and identified, corrupted shares would be ex-cluded from the recovery and, if necessary, additionalvalidated shares could be included; we provide this func-tionality in our extensions in Section 9. Note that in theExtended Mode the ciphertext carries its own integritycheck, but that check is not entirely sufficient, as dis-cussed in Section 7.1.


Table 3. Ceremony Analysis Summary

=achieved; G#=ceremony dependent; #=not achieved

IT-Sec=Information Theoretic Security

Classic Shamir Sunder Ceremony Shatter Secrets Our Proactive VSS

Base Ext Base Ext Ext Base Ext

HBC MAL HBC MAL HBC MAL HBC MAL HBC MAL HBC MAL HBC MAL

t-Sep. Priv.

Availability # # G# G# # #

IT Sec. G# G# # # # # # # # # # # # #

Conf. G# G# G# G# G# G# G# G#

Integrity # # # # G# G# G# G#

8.3 Case Study Two: Sunder

Freedom of the Press Foundation’s tool Sunder [17, 18]is a desktop application for journalists to generate aconfigurable number of key shares for encrypted doc-uments. While this tool supports both Base and Ex-tended Modes of operation and can accommodate a widerange of threat models and ceremonies, we bound ouranalysis to the online setting with a high-risk threatmodel and high adversary capabilities. We define an ex-plicit ceremony for Sunder in Appendix B.

Sunder is a straightforward implementation of clas-sic Shamir secret sharing, and many of the securityproperties for classic Shamir secret sharing apply toSunder. In the secret-sharing implementation used bySunder [42], every character in the `-character secretprovided to Sunder becomes an input into a Shamirprotocol acting over the Galois Field GF (256). (Equiv-alently, the secret as a whole is treated as an elementof the vector space GF (256)`.) Each of the n shareswill then be ` bytes long. One deviation worth high-lighting is Sunder’s support for share integrity. The un-derlying cryptographic library [42] that Sunder utilizesprovides share integrity by generating a public-privateephemeral key pair to sign shares during the Gener-ation stage. Share signatures are validated during theRecovery stage to ensure both the validity of shares andalso that all shares are signed by the same public key.However, Sunder does not include document encryptionwithin the tool and thus does not support integrity vali-dation for the encrypted documents; consequently, Sun-der only partially attains integrity for Extended Mode.

Sunder can achieve confidentiality if no more than tparticipants holding valid shares leave the organization,

however, Sunder is limited to confidentiality without re-vocation and thus only has a half-circle in the table.

Finally, while Sunder provides availability in BaseMode, it leaves to the user the decision of how to storethe encrypted file in Extended Mode. If the file is notsafely stored, availability could be compromised.

8.4 Case Study Three: Shatter Secrets

Shatter Secrets [1] is an open-source protocol that usesShamir secret sharing of a key that encrypts a user’sdevice. Shatter secrets can be used to distribute shares(each encrypted with a key held by the user) to other de-vices and friends of the device owner such that a thresh-old number is required to decrypt the device. A deviceowner crossing an international border can encrypt theirdevice using Shatter Secrets such that they are unableto decrypt their device without the physical presenceof a threshold number of participants holding shares.We define an explicit ceremony for Shatter Secrets inAppendix C.

The shares in Shatter Secrets are themselves en-crypted by a key held by the primary data owner (ona secondary device). Violating confidentiality thus re-quires compromising the encrypted primary device, thesecondary device storing the share decryption key, anda sufficient number of the friends’ devices storing theencrypted shares. Specifically, unlike in Sunder, share-holders alone cannot recover the secret. Thus confiden-tiality of the device’s data is preserved. Availability ofthe device’s data, however, can be easily compromisedas authorities can seize the encrypted device (assumingthe device owner does not have a backup). Shatter Se-crets’ design does not adequately provide the property


of availability as it prioritizes confidentiality such thatthe device can be a single point of attack. The authen-ticated encryption of the shares themselves provide in-tegrity for the shares, but the integrity of the encrypteddevice depends on whether that encryption mechanismcan detect modifications to the ciphertext.

9 Lightweight IntegratableImprovements to Shamir SecretSharing

As can be seen from our example case studies, imple-mentations based on classic Shamir secret sharing havegaps limiting the security properties, such as confiden-tiality and integrity in Base Mode and availability inExtended Mode. To address these gaps, we introduce alightweight set of improvements which are fully compat-ible with classic Shamir secret sharing. These improve-ments are extensions to Shamir secret sharing and canbe applied to implementations of Shamir secret shar-ing. Using our framework for ceremony security analy-sis, we assess the security properties provided by theseimprovements within the Base and Extended Modes.

9.1 Overview

We define a lightweight Proactive Verifiable Secret Shar-ing (Proactive VSS) scheme and specify three newstages: Share Update, Share Validate, and GenerateCommitment. These stages provide participants withthe capability to update shares and revoke access toindividuals who are no longer trusted. Users can verifythe integrity of shares and verify the integrity of F .

We use the protocol and model of Herzberg etal. [22], in which adversarially controlled players duringan update stage count against both adjacent epochs.Alternatively, one could use the protocol and somewhatstronger adversarial model of Nikov and Nikova [30], atthe cost of requiring the dealer to select t knowing thatt−1 corrupted players could compromise the secret, butt are needed to reconstruct it.

Assumptions. Our commitment scheme assumes asufficiently random s, such as a key. If s is not sufficientlyrandom, several of our improvements can still be used;see Section 9.4.

Share Generation1. Steps 1–4 as before in Figure 22. Device: Generates a commitment ~C =〈φ0, . . . , φt−1〉, where φ0 = gs, and φj = grjfor 1 ≤ j ≤ t− 1.

3. Choice/Action: The dealer publishes ~C to atrusted public location all participants can ac-cess.

4. Steps 5–6 from Figure 2

Share Distribution1. Steps 1–6 unchanged from Figure 2

Share Validation1. Action: The participant fetches the commit-

ment ~C from its trusted public location.2. Device: Using φ0, . . . , φt−1 which constitute ~C,

the participant will then calculate ψ by evalu-ating

∏t−1j=0 φ

aij

j .3. Device: The participant can then validate the

correctness of her share by validating ψ is equalto gf(ai).

Share Updates1. Action: U executes the Share Generation stage,

with unchanged values for t and n, to generate anew polynomial h(x) where s=0. For each au-thorized participant holding a share ai, f(ai),use h(x) to generate a share as the updateui = (ai, h(ai)).

2. Action: U publishes the updated commitmentsto the trusted public location.

3. Action: U distributes the update ui =(ai, h(ai)) to the (authorized) participant withshare (ai, f(ai) for 1 ≤ i ≤ m, where m ≤ n.

4. Action/Device: Each participant will apply theshare update ui, to their share si to producesi = (ai, f(ai) + h(ai)).

Reconstruction1. Step 1 as before in Figure 22. Action/Device: Pr ensures the validity of each

share using the public commitment ~C.3. Step 2 from Figure 2

Fig. 4. An Improved Base Mode Ceremony via Verifiable Se-cret Sharing (VSS) and proactive share updates


9.2 Base Protocol Description

Our modifications can be used in conjunction with anexisting secret sharing implementation as demonstratedby the modifications to the stages indicated in Figure 4.

Modified Share Generation. In addition to theoriginal steps, the dealer D generates a commitment ~Cto the polynomial. The jth index of ~C is equal to grj ,where rj is the randomly selected coefficient, while thezeroth element in ~C is equal to gs. (Here, g is the gener-ator of a group in which the Decisional Diffie-Hellmanproblem is hard.) The dealer publishes ~C to a trustedlocation that every participant can access. Examples ofsuch a location include a commitment verification party,a public blockchain, or some other location all partic-ipants can reliably view in the same state. Note thatthe choice of trusted location is influenced by the pow-ers of an adversary—a trusted Twitter account couldbe effective against a low-powered adversary, but not ahigh-powered adversary.

Share Validation. Once ~C has been published,any participant Pi can validate the integrity of her sharesi = (ai, f(ai)), where f(ai) is the value generated forparticipant i using the assigned value ai and the dealer-selected function f . Validation requires first fetchingthe public commitment and computing ψ =

∏t−1j=0 φ

aij

j

where φ0 = gs, and φj = grj for 1 ≤ j ≤ t−1. Next, eachparticipant validates that gf(ai) is equal to ψ, wheref(ai) is taken from their respective share.

Share Updates. Share updates use commitmentsto zero to preserve the original secret value upon se-cret reconstruction. To perform an update on m shares,where t ≤ m ≤ n, the participant performing the updateassumes the temporary role of the updater U , where Ucan be any valid participant. If m < n, then there willbe shares that do not receive an update and thereforeare effectively revoked.

The updater U first generates m share updates andone commitment update. The set of share updates isgenerated by running the Share Generation stage withs = 0. (Let the polynomial used in this stage be h(x).)This step ensures that shares from a prior epoch cannotbe used in conjunction with updated shares in the nextepoch to reconstruct s. Thus, shares can be proactively“rotated” forward while protecting the original secret.

After Generation, U distributes them share updatesto the selected participants. Additionally, U must applythe commitment update to the original commitment byperforming pointwise multiplication between the origi-nal commitment to f(x) and a new commitment to thenew polynomial h(x). Consequently, U must be able to

Secret Preparation1. Steps 1–2 unchanged from Figure 32. Action: Generate integrity value for the cipher-

text.3. Choice: Select a safe storage mechanism for the

ciphertext.4. Action: Store the ciphertext.

Share Distribution+1. Steps 1–3 unchanged from Figure 22. Action: The dealer distributes ciphertext in-

tegrity value, along with a copy of the cipher-text, to Pi for 1 ≤ i ≤ n.

3. Steps 4–6 from Figure 24. Action: Each participant stores their copy of

the ciphertext integrity value with their share.

Extended Reconstruction1. Action: Acquire ciphertext from selected loca-

tion.2. Action: Verify integrity value.3. Device: Use recovered s to decrypt the cipher-

text.

Fig. 5. Improved Ceremony Framework for an ExtendedMode of Operation

safely access the commitment such that the commit-ment update can be securely applied.

Upon receiving a share update, each participant up-dates their share by computing (ai, f(ai)+h(ai)), wheresi = (ai, f(ai)) is their original share and ui = (ai, h(ai))is the received update. After computing the updatedshare each participant performs the Share Validationstage with their updated share and the updated com-mitment to ensure the integrity of their updated share.If share validation fails, the participant should deletethe updated share and continue with their old share. Ifthe new share is valid, the participant should delete theold share and store the updated share for future use.

Reconstruction. Reconstruction of s is as de-scribed in a classic Shamir threshold scheme. However,before recovering the secret, the participant performingthe recovery first executes the Share Validate stage foreach share. If a share is invalid, the Reconstruction stagerequires the acquisition of a replacement share such thata set of t valid shares is produced.


9.3 Extended Protocol Description

Figure 5 summarizes the additional steps of our im-proved extended mode ceremony for Secret Preparation,Share Distribution+, and Extended Reconstruction.

Secret Preparation. Secret Preparation now in-cludes the generation of a separate integrity value forthe ciphertext to be distributed in Share Distribution+.This can be as simple as a collision-resistant hash of theciphertext.

Share Distribution+. Additional steps are addedto the share distribution stage to enable ciphertext in-tegrity in the Reconstruction stage. In addition to theshares, the above integrity value is distributed to eachparticipant. Using a separate integrity primitive checkedby the reconstructor during the Reconstruction stageprotects integrity even against adversaries who know s.Each participant stores the integrity value along withtheir share in the selected safe storage mechanism.

Extended Reconstruction. Before decryptingthe ciphertext as required, the participant performingthe reconstruction checks their copy of the integrityvalue against the ciphertext.

9.4 Security and Limitations

We now apply our framework from Section 5 to assessthe use of our defined improvements. We maintain theidentical threat model and security goals as in our casestudies from Section 8. We assume a high-powered ad-versary and desire the security goals of t-Separation ofPrivilege, Availability, Information Theoretic Security,Confidentiality, and Integrity.

Our improvements (summarized in Figures 4 and 5)guarantee Availability, Confidentiality, and Integrity ofshares and the secret information for both the Base andExtended Modes of operation. Integrity is achieved dueto the use of a proactive VSS scheme for share verifi-cation. We will now discuss each security goal in moredepth and how it is achieved.

In Extended Mode, availability of the ciphertext isachieved via redundancy (defined in Step 2 of ShareDistribution+ in Figure 5). By distributing the cipher-text to each participant, n independent copies are madewhile only one is required to recover the secret F . Thisapproach falls within our assumed trust model, as givinga copy of the ciphertext to participants who are trustedwith a share does not result in additional powers or ca-pabilities for these participants. In this case, the safestorage mechanism becomes the set of participant de-

vices which store the copy of the ciphertext, achievingavailability via redundancy.

The ‘Share Updates’ stage allows for removing par-ticipants from participating in a future recovery. Re-moving participants enables the preservation of confi-dentiality with revocation.

For the Extended Mode, we require the dealerto distribute the ciphertext integrity value to eachparticipant, as defined in Figure 5 (Step 2 of ShareDistribution+). Distributing the ciphertext integrityvalue to each participant allows for any participant per-forming the Share Recovery stage to verify the integrityof the ciphertext while the integrity vector ~C is used toverify individual shares.

Requiring a Sufficiently Random Secret. Notethat the commitment scheme for Base Mode requires asufficiently random s. In the case that s is not suffi-ciently random, the entropy of s can be increased bymoving to the Extended Mode by encrypting the low-entropy secret with a high-entropy key. Alternatively,the dealer can pad s with a sufficiently large numberof random bits (e.g., 256 bits). As a final requirementon secrets and shares having sufficient entropy, we high-light the importance of generating secrets and shareson a machine with sufficient entropy sources to preventamplifying an adversary’s guessing attack [16].

9.5 Implementation

The techniques we employ in our implementation,specifically for proactive verified secret sharing, are de-rived from those of Herzberg et al. [22]. Our implemen-tation differs slightly from their Share Update function,which requires every server in the threshold scheme togenerate a new update value and distribute it to eachother server in the system. In our protocol, any partic-ipant may generate an update and send it (noninterac-tively) to the other participants; the correctness of theupdate can be verified from the commitments. Theseother participants may be online or offline. If they areoffline they will perform the update when they comeback online. If a participant does not trust an updatethey can initiate another update. Finally, we do not re-quire all participants to perform the update generation,or to be online. Therefore, our derived implementation(as initiated by any one participant) is noninteractive.

Our implementation is in Rust and uses curve25519-dalek [25] for group operations, which we make pub-licly available (https://crysp.uwaterloo.ca/software/vss/). Group operations are performed in Edwards form

https://crysp.uwaterloo.ca/software/vss/https://crysp.uwaterloo.ca/software/vss/


for speed and safety properties. The benefit of usingRust for our implementation is multi-language interop-erability and memory safety. Furthermore, our changescan be integrated with implementations of thresholdschemes in Rust such as RustySecrets [42] and Sunder[17].

10 ConclusionAlthough the theoretical study of secret sharing proto-cols began decades ago, the use of secret sharing schemesin practice remains poorly defined. Interest in standard-ization of practical implementations of threshold cryp-tography is growing, including by NIST [6]. However, toenable practical use, researchers and practitioners mustaccount for gaps in security that arise when movingfrom a theoretical setting to a real-world application.As a step towards practical secret sharing, we present aframework to facilitate the security analysis of thresholdschemes based on Shamir secret sharing. We distinguishbetween operating in a base or an extended mode of op-eration, and through case studies, we demonstrate thatvariations in the ceremony of secret sharing schemes canlead to changes in the fundamental security propertiesprovided to end users. Our framework can aid the de-sign and analysis of future implementations of secretsharing by providing a more detailed ceremony defini-tion and accounting for previously undefined assump-tions about adversaries, user roles, and user actions ordecisions within the scheme. Finally, we introduce andimplement a secret-sharing protocol with improved se-curity properties that can be directly integrated withexisting Shamir secret sharing implementations.

AcknowledgementsThe authors would like to thank the anonymous re-viewers for their insightful comments and feedback.We gratefully acknowledge the support of NSERC forgrants RGPIN-03858, RGPIN-05849, RGPAS-507908,CRDPJ-531191, CRDPJ-534381, and DGDND-00085,the NSERC Alexander Graham Bell Canada GraduateScholarship program, and the Royal Bank of Canadafor funding this research. This research was undertaken,in part, thanks to funding from the Canada ResearchChairs program.

References[1] Erinn Atwater and Ian Goldberg. Shatter Secrets: Using

Secret Sharing to Cross Borders with Encrypted Devices. InCambridge International Workshop on Security Protocols,pages 289–294. Springer, 2018.

[2] Erinn Atwater and Urs Hengartner. Shatter: Using ThresholdCryptography to Protect Single Users with Multiple Devices.In Proceedings of the 9th ACM Conference on Security &Privacy in Wireless and Mobile Networks, pages 91–102.ACM, 2016.

[3] James Ball. Unredacted US embassy cables available onlineafter WikiLeaks breach. https://www.theguardian.com/world/2011/sep/01/unredacted-us-embassy-cables-online.Accessed 2019-05-29.

[4] James Ball. WikiLeaks publishes full cache of unredactedcables. https://www.theguardian.com/media/2011/sep/02/wikileaks-publishes-cache-unredacted-cables. Accessed2019-05-29.

[5] Elana Beiser. Record Number of Journalists Jailed asTurkey, China, Egypt Pay Scant Price for Repression. Com-mittee to Protect Journalists, 2017.

[6] Luís T.A.N. Brandão, Nicky Mouha, and Apostol Vassilev.NISTIR 8214 Threshold Schemes for Cryptographic Primi-tives. https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8214.pdf, 2019. Accessed 2019-05-24.

[7] Jon Callas, Lutz Donnerhacke, Hal Finney, David Shaw,and Rodney Thayer. OpenPGP Message Format. https://tools.ietf.org/html/rfc4880, November 2007.

[8] Ran Canetti. Universally composable security: A newparadigm for cryptographic protocols. In Foundations ofComputer Science, 2001. Proceedings. 42nd IEEE Sympo-sium on, pages 136–145. IEEE, 2001.

[9] Marcelo Carlomagno Carlos, Jean Everson Martina, GeraintPrice, and Ricardo Felipe Custódio. A Proposed Frameworkfor Analysing Security Ceremonies. In SECRYPT, pages440–445, 2012.

[10] Marcelo Carlomagno Carlos, Jean Everson Martina, GeraintPrice, and Ricardo Felipe Custódio. An updated threatmodel for security ceremonies. In Proceedings of the 28thannual ACM symposium on applied computing, pages 1836–1843. ACM, 2013.

[11] Department of Homeland Affairs, Australian Govern-ment. The Assistance and Access Act 2018. https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryption.Accessed 2019-05-20.

[12] Rachna Dhamija, J Doug Tygar, and Marti Hearst. Whyphishing works. In Proceedings of the SIGCHI conferenceon Human Factors in computing systems, pages 581–590.ACM, 2006.

[13] Benjamin Dowling and Kenneth G Paterson. A Crypto-graphic Analysis of the WireGuard Protocol. In InternationalConference on Applied Cryptography and Network Security,pages 3–21. Springer, 2018.

[14] Carl M. Ellison. Ceremony Design and Analysis. IACRCryptology ePrint Archive, 2007:399, 2007.

[15] Paul Feldman. A practical scheme for non-interactive veri-fiable secret sharing. Annual Symposium on Foundations of

https://www.theguardian.com/world/2011/sep/01/unredacted-us-embassy-cables-onlinehttps://www.theguardian.com/world/2011/sep/01/unredacted-us-embassy-cables-onlinehttps://www.theguardian.com/media/2011/sep/02/wikileaks-publishes-cache-unredacted-cableshttps://www.theguardian.com/media/2011/sep/02/wikileaks-publishes-cache-unredacted-cableshttps://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8214.pdfhttps://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8214.pdfhttps://tools.ietf.org/html/rfc4880https://tools.ietf.org/html/rfc4880https://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryptionhttps://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryptionhttps://www.homeaffairs.gov.au/about-us/our-portfolios/national-security/lawful-access-telecommunications/data-encryption


Computer Science (Proceedings), pages 427–438, 11 1987.[16] Diogo AB Fernandes, Liliana FB Soares, João V Gomes,

Mário M Freire, and Pedro RM Inácio. Security Issues inCloud Environments: A Survey. International Journal ofInformation Security, 13(2):113–170, 2014.

[17] Freedom of the Press Foundation. Sunder is a user-friendlygraphical interface for Shamir’s Secret Sharing. https://github.com/freedomofpress/sunder, 2018. Accessed 2019-05-28.

[18] Freedom of the Press Foundation. Welcome to Sunder.https://sunder.readthedocs.io/en/latest/, 2018. Accessed2019-05-28.

[19] Tilman Frosch, Christian Mainka, Christoph Bader, FlorianBergsma, Jörg Schwenk, and Thorsten Holz. How secure isTextSecure? In Security and Privacy (EuroS&P), 2016 IEEEEuropean Symposium on, pages 457–472. IEEE, 2016.

[20] Ryan Gallagher and Glenn Greenwald. How the NSA Plansto Infect ‘Millions’ of Computers with Malware. The Inter-cept, 2014.

[21] Rosario Gennaro, Stanislaw Jarecki, Hugo Krawczyk, and TalRabin. Robust Threshold DSS Signatures. In EUROCRYPT,pages 354–371, 1996.

[22] Amir Herzberg, Stanisław Jarecki, Hugo Krawczyk, andMoti Yung. Proactive Secret Sharing Or: How to Cope WithPerpetual Leakage. In Don Coppersmith, editor, Advances inCryptology — CRYPT0’ 95, pages 339–352, Berlin, Heidel-berg, 1995. Springer Berlin Heidelberg.

[23] Markus Jakobsson. The human factor in phishing. Privacy& Security of Consumer Information, 7(1):1–19, 2007.

[24] Javelin Strategy & Research. 2017 State of AuthenticationReport. https://fidoalliance.org/wp-content/uploads/The-State-of-Authentication-Report.pdf, 2017.

[25] Isis Agora Lovecruft and Henry De Valence.https://doc.dalek.rs/curve25519_dalek/, 2018.

[26] Taciane Martimiano, Jean Everson Martina, M MainaOlembo, and Marcelo Carlomagno Carlos. Modelling userdevices in security ceremonies. In 2014 Workshop on Socio-Technical Aspects in Security and Trust, pages 16–23. IEEE,2014.

[27] Jean Everson Martina, Túlio Cícero Salavaro de Souza, andRicardo Felipe Custodio. Ceremonies Formal Analysis inPKI’s Context. In 2009 International Conference on Compu-tational Science and Engineering, volume 3, pages 392–398.IEEE, 2009.

[28] Chris McGreal. Martin Luther King friend and photographerwas FBI informant. The Guardian, 2010.

[29] Susan E. McGregor, Elizabeth Anne Watkins, Mahdi Nasrul-lah Al-Ameen, Kelly Caine, and Franziska Roesner. Whenthe Weakest Link is Strong: Secure Collaboration in theCase of the Panama Papers. In 26th USENIX Security Sym-posium (USENIX Security 2017), pages 505–522, Vancou-ver, BC, 2017. USENIX Association.

[30] Ventzislav Nikov and Svetla Nikova. On Proactive SecretSharing Schemes. In International Workshop on SelectedAreas in Cryptography, pages 308–325. Springer, 2004.

[31] Rafail Ostrovsky and Moti Yung. How to Withstand MobileVirus Attacks (Extended Abstract). In Proceedings of theTenth Annual ACM Symposium on Principles of DistributedComputing, PODC ’91, pages 51–59, New York, NY, USA,1991. ACM.

[32] Torben P. Pedersen. Non-Interactive and Information-Theoretic Secure Verifiable Secret Sharing. In Proceedingsof the 11th Annual International Cryptology Conference onAdvances in Cryptology, CRYPTO ’91, pages 129–140, Lon-don, UK, UK, 1992. Springer-Verlag.

[33] Trevor Perrin and Moxie Marlinspike. The Double RatchetAlgorithm. https://signal.org/docs/specifications/doubleratchet/, 2016.

[34] Kenneth Radke, Colin Boyd, Juan Gonzalez Nieto, and Mar-got Brereton. Ceremony analysis: Strengths and weaknesses.In IFIP International Information Security Conference, pages104–115. Springer, 2011.

[35] Anjana Rajan, Lucy Qin, David W Archer, Dan Boneh, Tan-crede Lepoint, and Mayank Varia. Callisto: A cryptographicapproach to detecting serial perpetrators of sexual miscon-duct. In Proceedings of the 1st ACM SIGCAS Conference onComputing and Sustainable Societies, page 49. ACM, 2018.

[36] Joel Reardon. Secure Data Deletion. Springer InternationalPublishing, Cham, 2016.

[37] Eric Rescorla. The Transport Layer Security (TLS) ProtocolVersion 1.3. https://tools.ietf.org/html/rfc8446, August2018.

[38] Jerome H. Saltzer and Michael D. Schroeder. The protec-tion of information in computer systems. Proceedings of theIEEE, 63(9):1278–1308, Sep. 1975.

[39] Bruce Schneier. The Operating System That Can ProtectYou Even if You Get Hacked. https://freedom.press/news/the-operating-system-that-can-protect-you-even-if-you-get-hacked/, 2014. Accessed 2019-05-14.

[40] Bruce Schneier. Cell Phone Opsec. https://www.schneier.com/blog/archives/2015/04/cell_phone_opse.html, 2019.Accessed 2019-05-24.

[41] Adi Shamir. How to share a secret. Communications of theACM, 22:612–613, 1979.

[42] Spin Research.https://github.com/spinresearch/rustysecrets, 2018.

[43] Frank Stajano. Pico: No More Passwords! In Proceedingsof the 19th International Conference on Security Protocols,SP’11, pages 49–81, Berlin, Heidelberg, 2011. Springer-Verlag.

[44] Alma Whitten and J Doug Tygar. Why Johnny Can’t En-crypt: A Usability Evaluation of PGP 5.0. In USENIX Secu-rity Symposium, volume 348, 1999.

A Shamir Secret SharingConstruction

Share Generation and Distribution1. Let the secret space be S = GF (q)`, where q is a

prime or a prime power, q ≥ n + 1, and ` ≥ 1. Lets ∈ S be the secret.

2. The dealer D selects t− 1 values independently anduniformly at random from S as r1, . . . , rt−1.

3. The dealer computes f : GF (q) → S as f(x) =rt−1 x

t−1 + rt−2 xt−2 + · · ·+ r1 x+ s.

https://github.com/freedomofpress/sunderhttps://github.com/freedomofpress/sunderhttps://sunder.readthedocs.io/en/latest/https://fidoalliance.org/wp-content/uploads/The-State-of-Authentication-Report.pdfhttps://fidoalliance.org/wp-content/uploads/The-State-of-Authentication-Report.pdfhttps://signal.org/docs/specifications/doubleratchet/https://signal.org/docs/specifications/doubleratchet/https://tools.ietf.org/html/rfc8446https://freedom.press/news/the-operating-system-that-can-protect-you-even-if-you-get-hacked/https://freedom.press/news/the-operating-system-that-can-protect-you-even-if-you-get-hacked/https://freedom.press/news/the-operating-system-that-can-protect-you-even-if-you-get-hacked/https://www.schneier.com/blog/archives/2015/04/cell_phone_opse.htmlhttps://www.schneier.com/blog/archives/2015/04/cell_phone_opse.html


4. The dealer generates shares si = (ai, f(ai)) for 1 ≤i ≤ n, where the ai are arbitrary distinct non-zeroelements of GF (q).

5. The dealer distributes si = (ai, f(ai)) to participantPi for 1 ≤ i ≤ n.

6. Delete ri’s from the device.Reconstruction1. A coalition of t participants combines their shares〈si = (xi, yi)〉ti=1 and performs polynomial in-terpolation to recover the secret s = f(0) =∑t

j=1 yj∏

1≤h≤t,h6=jxh

xh−xj .

B A Ceremony for SunderIn the following we define a ceremony based on the in-formation contained within the documentation for Sun-der [18]. We use our framework to define the ceremonyincluded in our analysis of Sunder. Note that we havere-categorized steps from our framework, for exampledevice to action, depending on Sunder’s implementationof each step.

B.1 Base Mode Stages

Share Generation1. Choice: The dealer chooses values for n and t.2. Device: Generates a signature keypair.3. Device: Generates n shares (of the secret s ∈

GF (256)`) si = (ai, f(ai)) for 1 ≤ i ≤ n, wherethe ai are arbitrary distinct non-zero elements ofGF (256). The shares are signed with the signaturekey.

4. Action: Delete all copies of s and the signature key.(The device retains the public verification key.)

Share Distribution1. Choice: Select n participants (possibly including the

dealer).2. Choice: Select a secure communication channel (in

person, Signal, etc.).3. Action: The dealer distributes si = (ai, f(ai)) along

with the public verification key to participant Pi for1 ≤ i ≤ n.

4. Action: Delete each si from the dealer’s device. Ex-ception is if the dealer is a participant and keepsone share.

5. Choice: Each participant selects an appropriatestorage mechanism for their share.

6. Action: Each participant stores their share in theselected storage mechanism.

Reconstruction1. Choice: Select a communication channel to bring t

or more shares together.2. Not Defined: Pr and the contacted participants au-

thenticate one another.3. Choice: Contacted participants elect whether to

proceed and participate in a reconstruction.4. Action: If proceeding, a contacted participant sends

their share to Pr.5. Device: Checks the signature on the received shares.6. Device: Combines the t or more valid shares using

polynomial interpolation to recover the secret s =f(0).

B.2 Extended Mode Stages

Secret Preparation1. Action: Generate a secret key to be used as s.2. Action: Encrypt F using s and an appropriate au-

thenticated4 encryption algorithm.3. Action: Store the ciphertext.

Extended Reconstruction1. Action: Acquire ciphertext from storage.2. Action: Use recovered s to decrypt the ciphertext.

C A Ceremony for ShatterSecrets

Shatter Secrets only has an Extended mode of opera-tion, which we define below. Shatter Secrets uses de-vices with Near Field Communication (NFC) capabilityin order to secret share a key s that is used to encrypta sensitive drive such as a laptop.

Secret Preparation1. Action: Generate a secret key to be used as s.2. Action: Encrypt the sensitive drive using s.

Share Generation1. Choice: The user chooses values for n and t.

4 Although we specify an authenticated encryption algorithm,this is not specified by Sunder.


2. Device: Generates a symmetric key.3. Device: Generates n shares (of the secret s ∈

GF (256)`) si = (ai, f(ai)) for 1 ≤ i ≤ n, wherethe ai are arbitrary distinct non-zero elements ofGF (256). The shares are encrypted using authenti-cated encryption using the symmetric key.

4. Action: Delete all copies of s. (The device retainsthe symmetric key.)

Share Distribution1. Choice: Select n participants.2. Choice: Select a secure communication channel (in

person, Signal, etc.).3. Action: The user distributes the encrypted share

E(si) to participant Pi for 1 ≤ i ≤ n.4. Action: Delete each si from the user’s device.5. Device: Each participant’s device stores their share.

Reconstruction1. Action: Meet participant with shares. NFC tap

user’s device to participant’s device to transfer en-crypted share. Repeat until t or more shares areretrieved.

2. Device: Decrypt each share with stored symmetrickey, discarding unsuccessful decryptions.

3. Device: Combine the t or more valid shares usingpolynomial interpolation to recover the secret s =f(0).

4. Device: Use recovered s to decrypt the sensitivedrive.

Mind the Gap: Ceremonies for Applied Secret Sharing1 Introduction2 Threshold Schemes3 Motivation4 Related Work5 A Framework for Ceremony Analysis5.1 Formalizing Threshold Scheme Adversaries5.2 Modes of Operation5.3 Identifying Security Goals5.4 Threshold Ceremony Analysis Outline5.5 Assumptions and Limitations

6 Base Mode Stages6.1 Share Generation6.2 Share Distribution6.3 Reconstruction

7 Extended Mode Stages7.1 Secret Preparation7.2 Secret Recovery

8 Application of Ceremony Framework Analysis8.1 Defined Threat Model8.2 Case Study One: Classic Shamir Threshold Scheme8.3 Case Study Two: Sunder8.4 Case Study Three: Shatter Secrets

9 Lightweight Integratable Improvements to Shamir Secret Sharing9.1 Overview9.2 Base Protocol Description9.3 Extended Protocol Description9.4 Security and Limitations9.5 Implementation

10 ConclusionA Shamir Secret Sharing ConstructionB A Ceremony for SunderB.1 Base Mode StagesB.2 Extended Mode Stages

C A Ceremony for Shatter Secrets

New Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum, and … · 2020. 8. 12. ·...

Documents

Transcript of New Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum, and … · 2020. 8. 12. ·...

New Bailey Kacsmar*, Chelsea H. Komlo*, Florian Kerschbaum, and … · 2020. 8. 12. ·...

Documents

Transcript of New Bailey Kacsmar*, Chelsea H. Komlo*, Florian Kerschbaum, and … · 2020. 8. 12. ·...

New Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum, and … · 2020. 8. 12. ·...

Transcript of New Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum, and … · 2020. 8. 12. ·...