
Charlie's Combination 21 46 03 88 Random key  25 01 77 61  06 45 36 27 Alice's share = 2501 7761 Bob's share = 0645 3627 
For each additional share we must create an additional random key. If the secret information is to be split into 5 shares, we need 4 random shares and one result share. In such case, all random keys must be subtracted from the original information. An example with the secret value 2 and three shares. The three shares are two random shares, 6 and 9, and the result share:
2  6  9 = 7 because 2  6 = 12  6 = 6 and 6  9 = 16  9 = 7. The three split shares are therefore 6 9 7.
We can retrieve the original value by adding all shares (without carry): 6 + 9 + 7 = 2
We can also split text. First, we need to convert the text into numbers. This is done by assigning a number to each letter: Use the numbers 01 to 26 for the letters A to Z, 30 to 39 for the digits 0 to 9 and 00 for a space. This can be expanded to your requirements. The method of splitting does not require the lettertonumber conversion table to be secret! The text can be a password, instructions, account numbers, any type of code or even a complete text.
The secret password I N V I N C I B L E The converted text 09 14 22 09 14 03 09 02 12 05 Random key (share 1)  52 71 30 94 52 86 62 13 81 29  Result (share 2) 57 43 92 15 62 27 47 99 31 86 Alice's share = 5271 3094 5286 6213 8129 Bob's share = 5743 9215 6227 4799 3186 
To retrieve the secret information we simply add the shares together, again without carry, and convert the numbers back into letters.
We can also apply Secret Splitting with letters. It's similar to onetime pad with letters but not quite the same. We assign each letter a numerical value (eg. A=0, B=1 C=3 and so on through Z=25). Note that we start with A=0 and not A=1 to use the modulo 26! The difference with onetime pad is that we subtract the random key from the secret password instead of adding it. This way, we don't have to know which share is the one that has to be subtracted from the other share. Combining the shares back to the original is now simply performed by adding the letters.
The secret password I N V I N C I B L E 08 13 21 08 13 02 08 01 11 04 Random key (share 1) D X G J Z E C I A M  03 23 06 09 25 04 02 08 00 12  05 16 15 25 14 24 06 19 11 18 Result (share 2) F Q P Z O Y G T L S Alice's share = DXGJZ ECIAM Bob's share = FQPZO YGTLS 
We use modulo 26. Therefore, if a subtraction result is less than zero, we add 26. If the adding of the shares is more than 25 we subtract 26.
We can use a conversion table. To create a share by subtracting (subtract the random share from the secret information) we take for example N(13)  Z(25). Since the seult would be negative, we take the greatest value of N, that is 39. So, N(39)  Z(25) = 14(O). Of course, if it's not negative, we can subtract directly. To add the shares together we take Z(25) + O(14) = N(39).
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50  
Another possible aid to calculate the letters without the use of numbers is the Vigenere table (see onetime pad), but don't forget to use the table in the opposite direction (subtraction!): take the random letter (from the first share) in the column header and look below it for the secret information letter in that column. The second share is the row header on the left of that secret letter. To merge the shares, take the crossing of one share in the row header and the other share in the column header.
We can also apply Secret Splitting on computer data. To split any type of computer file we first have to generate a random share with the same size as the file. This random file will be the first share. The second share is created by XORing the original file and the random file. To retrieve the original file, the shares are XORed.
In the next example one byte is splitted into two shares.
Secret Data 01011010 XOR Table Random (share 1) XOR 11101011   0 XOR 0 = 0 Result (Share 2) 10110001 0 XOR 1 = 1 1 XOR 0 = 1 1 XOR 1 = 0 
We can also split data in more than two shares. For each new share we add another series of random bits and XOR them with the other shares.
Secret Data 10011100 Random (share 1) XOR 01001011 Random (share 2) XOR 11010001 Random (share 3) XOR 00101011  Result (Share 4) 00101101 
The software that applies Secret Splitting should be run on a secure computer and may not leave any traces after processing the shares. This includes secure deleting of the original file (not the normal delete function of your system, which doesn't actually delete the file). The Secret Splitting software should meet the same standards as quality encryption software regarding memory storage, secure file processing and generating quality random numbers (see requirements randomness in next section). Also, the shares should be stored securely on external media or, less advisable, other computers.
There are different types of Secret Sharing. Secret Splitting, as don this page, requires all shares in order to retrieve the secret information. This will cause problems when one share is lost. If you want to enable the reconstruction of the secret with fewer shares than the total number of shares, you will have to work with subsets. If, for example, Alice, Bob and John have shares, but two of them should be sufficient to retrieve the secret, you will need 3 different subsets (combinations of people) of 2 shares: AliceBob, AliceJohn and BobJohn. Of course, each subset requires its own random shares. The downside of subsets is that this quickly becomes impractical when the number of participating persons increases. For 3 out of 5 shares you need 10 subsets and for 3 out of 6 you already need 19 subsets. Therefore, this scheme is only suitable for a single set or a limited number of subsets. The advantage of this basic scheme, based on onetime pad, is that it can be performed with pencil and paper.
Secret Sharing with threshold allows the reconstruction of shares with a fixed number of shares, less than the total number of shares. You don't need subsets and each person receives a single share. If, for example, you have 5 shares with a threshold of 3, you will be able to retrieve the secret information with only 3 shares. Any 3 persons of a group of 5 can decide to disclose the secret. In contrast to Secret Splitting, the loss of one or more shares will not make reconstruction impossible, as long as at least the threshold number of shares remains. The threshold sharing schemes are either based on polynomial interpolation (Adi Shamir) or hyperplanes (George Blake). Unfortunately, these schemes required more complex calculations and are not suitable for use with pencil and paper.
We can see in the examples that onetime pad is applied. The difference with onetime pad is that we don't send a message and we don't destroy the random key after use. However, there are two important rules to obtain absolute security.
The first rule is that the random key must be truly random, just as with onetime pad encryption. To generate true randomness, there are some practical solutions. You could use five tensided dice (see right). With each throw, you have a new fivedigit group.
Never simply use normal sixsided dice by adding the value of the dice and discarding two values. This method is statistically unsuitable to produce values from 0 to 9 and thus absolutely insecure (the total of 7 will occur about 6 times more that the values 2 or 12).
Instead, use one black and one white die and assign a value to each of the 36 combinations, taking in account the order and colour of the dice (see table below). This way, each combination has a .0277 probability (1 on 36). We can produce three series of values between 0 and 9. The remaining 6 combinations (with a black 6) are simply disregarded, which doesn't affect the probability of the other combinations.
B W B W B W B W B W 1 + 1 = 0 2 + 1 = 6 3 + 1 = 2 4 + 1 = 8 5 + 1 = 4 1 + 2 = 1 2 + 2 = 7 3 + 2 = 3 4 + 2 = 9 5 + 2 = 5 1 + 3 = 2 2 + 3 = 8 3 + 3 = 4 4 + 3 = 0 5 + 3 = 6 1 + 4 = 3 2 + 4 = 9 3 + 4 = 5 4 + 4 = 1 5 + 4 = 7 1 + 5 = 4 2 + 5 = 0 3 + 5 = 6 4 + 5 = 2 5 + 5 = 8 1 + 6 = 5 2 + 6 = 1 3 + 6 = 7 4 + 6 = 3 5 + 6 = 9 THROWS WITH BLACK 6 ARE DISCARDED 
Another method is a lotto system with balls, numbered from 0 to 9. After extracting a number, that ball must be mixed again with the other balls before extracting the next number. Such methods are suitable for small amounts of random numbers, for instance splitting keys or passwords. If a large quantity of numbers is required, for instance to split computer files, the best solution is to purchase a hardware based PC card with random noise source. Note that the default computer RND function does not produce true randomness!
The second rule for absolute secure splitting is of course the physical separation of the individual shares. At least one of the shares should never be accessible to the owners of the other shares. The shares must always be protected in such way that a compromised share would be noticed. One possible way to store an individual share is a small sealed  glued  plastic container that needs to be broken in order to get access to the share (wrap the folded text in aluminium foil). Seals can be glued into the transparant container. A damaged container and thus compromised share would be noticed immediately. Of course, the plastic container must always be stored in a physically secure place. The owner could always perform a security verification and demand the holders of a share to show their undamaged share.
If the rules of randomness and physical separation are followed the secret information will be completely secure. It is mathematically proven that there's no way to retrieve the secret information, other than getting your hands on all required shares. Of course, if you have split the code of a combination lock, and it's a cheap five dollar lock, you will have fivedollarsecurity. It's useless to protect the key code of a safe if a simple crowbar can wring it open. On the other hand, if you split the combination of a safe deposit box in your bank, you can be pretty sure that no individual share owner can access that safe.
Finally, Secret Splitting has another very important property. Since this system is unbreakable, the loss of one share will always result in the definite loss of the secret information, unless the owner still has a copy of the original. There's no way back if a share is lost or destroyed by accident! It might be useful to have one extra copy of your share somewhere on another secure location. Also, when you have split secret information into shares, be sure to doublecheck the shares, and check them once again, when you intend to destroy the original!
© Copyright 2004  2014 Dirk
Rijmenants
Home 