Secret Splitting

What is Secret Splitting

In short, give your secret code or password in the custody of multiple persons without disclosing the secret. The long version, Secret Splitting, also called Secret Sharing in cryptography, is a method to split numbers, text or computer data into two or more parts, also called keys or shares. All shares are required to retrieve the original information. It is mathematically impossible to obtain the original information if one of the shares is not available . The information, obtained from separate shares does not reveal any information or partial information about the original, and does not assist in any way in retrieving the original information. Therefore, Secret Splitting offers mathematically absolute security as long as the shares are separated. Of course, we cannot simply cut the secret information in two because this would reveal at least half of the original information and possibly lead to complete disclosure.

Where to use Secret Splitting

Secret Splitting is useful in situations where secret information should be in the custody of two or more individuals, without disclosing the secret information itself to the individuals. All individuals with a share of the secret information must agree upon merging all shares to retrieve the original information, and no single individual can obtain that information without the authorisation and the aid of all other individual holders of the remaining shares. And what's really great, more people with shares means more security, because more people have to agree on putting the shares together. That's just the opposite of sharing the secret itself, where more people means more risk.

This is interesting when several persons together have to take responsibility to access protected information or materials, or to access a secured device. One example is a person who has stored sensitive information or valuable goods in a safe and appoints two persons that will be able to open the safe in case of emergency. Both individuals receive a share and can only open the safe together and can never act individually. This can be a parent who has stored his money, documents or valuables in a safe, and splits the number combination to the safe. All children receive a share and in case of emergency or death of the parent they can only access the safe when all of them agree upon opening the safe. Another possible application for Secret Splitting is the protection of secret passwords to access confidential computer data, encrypted files, a digital lock to a room or to start or stop a device. A common example is a computer login password. The most extreme example would be a nuclear missile launch site, where at least two people must agree upon entering the code to push the Big Red Button.

Secret Splitting can be useful to reduce the risk of interception during the transmission of codes, keys or other data. One could for example send a code through different media to the recepient. A code, splitted into four shares, could be transmitted by e-mail, post, SMS on mobile phone and by telephone, and all of these shares on different moments in time. An eavesdropper would have to monitor and intercept all these ways of communication at the same time and for long periodes, requiring vast SIGINT-like recources. If the eavesdropper misses only one share it will be impossible to reconstruct the original code.

You can download the Secure Code Splitter, a practical template to split the code of your combination lock or key code.

How does Secret Splitting work

The principle of Secret Splitting is based on one-time pad encryption and is very simple but effective. Only one-time pad offers the absolute security, required to create the individual shares. One share is truly random and one share is the result of the random share subtracted from the original information. All calculations can be done by hand and Secret Splitting is therefore easy to apply by everyone without special knowledge of cryptography. Let us show the principle in a little example:

Charlie splits the secret number combination 21 46 03 88 from his safe. A random key is subtracted digit by digit, without carry, from the number combination(f.i. 4 - 9 = 14 - 9 = 5). Alice and Bob both receive one share of the information from Charlie. It's mathematically impossible for both Alice and Bob to retrieve the numbers unless they share their keys. Retrieving the original combination is done by simply adding the two shares without carry (f.i. 7 + 5 = 2 and not 12).

 Charlie's Combination     21 46 03 88    
 Random key              - 25 01 77 61
                           06 45 36 27 

 Alice's share = 2501 7761

 Bob's share   = 0645 3627

For each additional share we must create an additional random key. If the secret information is to be split into 5 shares, we need 4 random shares and one result share. In such case, all random keys must be subtracted from the original information. An example with the secret value 2 and three shares. The three shares are two random shares, 6 and 9, and the result share:

2 - 6 - 9 = 7 because 2 - 6 = 12 - 6 = 6 and 6 - 9 = 16 - 9 = 7. The three split shares are therefore 6 9 7.

We can retrieve the original value by adding all shares (without carry): 6 + 9 + 7 = 2

We can also split text. First, we need to convert the text into numbers. This is done by assigning a number to each letter: Use the numbers 01 to 26 for the letters A to Z, 30 to 39 for the digits 0 to 9 and 00 for a space. This can be expanded to your requirements. The method of splitting does not require the letter-to-number conversion table to be secret! The text can be a password, instructions, account numbers, any type of code or even a complete text.

 The secret password     I  N  V  I  N  C  I  B  L  E   
 The converted text     09 14 22 09 14 03 09 02 12 05    
 Random key (share 1) - 52 71 30 94 52 86 62 13 81 29
 Result (share 2)       57 43 92 15 62 27 47 99 31 86

 Alice's share = 5271 3094 5286 6213 8129

 Bob's share   = 5743 9215 6227 4799 3186

To retrieve the secret information we simply add the shares together, again without carry, and convert the numbers back into letters.

We can also apply Secret Splitting with letters. It's similar to one-time pad with letters but not quite the same. We assign each letter a numerical value (eg. A=0, B=1 C=3 and so on through Z=25). Note that we start with A=0 and not A=1 to use the modulo 26! The difference with one-time pad is that we subtract the random key from the secret password instead of adding it. This way, we don't have to know which share is the one that has to be subtracted from the other share. Combining the shares back to the original is now simply performed by adding the letters.

 The secret password     I  N  V  I  N  C  I  B  L  E   
                        08 13 21 08 13 02 08 01 11 04
 Random key (share 1)    D  X  G  J  Z  E  C  I  A  M
                      - 03 23 06 09 25 04 02 08 00 12
                        05 16 15 25 14 24 06 19 11 18
 Result (share 2)        F  Q  P  Z  O  Y  G  T  L  S

 Alice's share = DXGJZ ECIAM

 Bob's share   = FQPZO YGTLS

We use modulo 26. Therefore, if a subtraction result is less than zero, we add 26. If the adding of the shares is more than 25 we subtract 26.

We can use a conversion table. To create a share by subtracting (subtract the random share from the secret information) we take for example N(13) - Z(25). Since the seult would be negative, we take the greatest value of N, that is 39. So, N(39) - Z(25) = 14(O). Of course, if it's not negative, we can subtract directly. To add the shares together we take Z(25) + O(14) = N(39).

   A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S  T  U  V  W  X  Y  Z     
  00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
  26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 --

Another possible aid to calculate the letters without the use of numbers is the Vigenere table (see one-time pad), but don't forget to use the table in the opposite direction (subtraction!): take the random letter (from the first share) in the column header and look below it for the secret information letter in that column. The second share is the row header on the left of that secret letter. To merge the shares, take the crossing of one share in the row header and the other share in the column header.

Splitting Computer Data

We can also apply Secret Splitting on computer data. To split any type of computer file we first have to generate a random share with the same size as the file. This random file will be the first share. The second share is created by XOR-ing the original file and the random file. To retrieve the original file, the shares are XOR-ed.

In the next example one byte is splitted into two shares.

 Secret Data          01011010           XOR Table      
 Random (share 1) XOR 11101011          -----------
                      --------          0 XOR 0 = 0
 Result (Share 2)     10110001          0 XOR 1 = 1
                                        1 XOR 0 = 1
                                        1 XOR 1 = 0

We can also split data in more than two shares. For each new share we add another series of random bits and XOR them with the other shares.

 Secret Data          10011100    
 Random (share 1) XOR 01001011
 Random (share 2) XOR 11010001
 Random (share 3) XOR 00101011
 Result (Share 4)     00101101

The software that applies Secret Splitting should be run on a secure computer and may not leave any traces after processing the shares. This includes secure deleting of the original file (not the normal delete function of your system, which doesn't actually delete the file). The Secret Splitting software should meet the same standards as quality encryption software regarding memory storage, secure file processing and generating quality random numbers (see requirements randomness in next section). Also, the shares should be stored securely on external media or, less advisable, other computers.

Other Types of Sharing or Splitting

There are different types of Secret Sharing. Secret Splitting, as don this page, requires all shares in order to retrieve the secret information. This will cause problems when one share is lost. If you want to enable the reconstruction of the secret with fewer shares than the total number of shares, you will have to work with subsets. If, for example, Alice, Bob and John have shares, but two of them should be sufficient to retrieve the secret, you will need 3 different subsets (combinations of people) of 2 shares: Alice-Bob, Alice-John and Bob-John. Of course, each subset requires its own random shares. The downside of subsets is that this quickly becomes impractical when the number of participating persons increases. For 3 out of 5 shares you need 10 subsets and for 3 out of 6 you already need 19 subsets. Therefore, this scheme is only suitable for a single set or a limited number of subsets. The advantage of this basic scheme, based on one-time pad, is that it can be performed with pencil and paper.

Secret Sharing with threshold allows the reconstruction of shares with a fixed number of shares, less than the total number of shares. You don't need subsets and each person receives a single share. If, for example, you have 5 shares with a threshold of 3, you will be able to retrieve the secret information with only 3 shares. Any 3 persons of a group of 5 can decide to disclose the secret. In contrast to Secret Splitting, the loss of one or more shares will not make reconstruction impossible, as long as at least the threshold number of shares remains. The threshold sharing schemes are either based on polynomial interpolation (Adi Shamir) or hyperplanes (George Blake). Unfortunately, these schemes required more complex calculations and are not suitable for use with pencil and paper.

Keeping Secret Splitting secure

We can see in the examples that one-time pad is applied. The difference with one-time pad is that we don't send a message and we don't destroy the random key after use. However, there are two important rules to obtain absolute security.

The first rule is that the random key must be truly random, just as with one-time pad encryption. To generate true randomness, there are some practical solutions. You could use five ten-sided dice (see right). With each throw, you have a new five-digit group.

Never simply use normal six-sided dice by adding the value of the dice and discarding two values. This method is statistically unsuitable to produce values from 0 to 9 and thus absolutely insecure (the total of 7 will occur about 6 times more that the values 2 or 12).

Instead, use one black and one white die and assign a value to each of the 36 combinations, taking in account the order and colour of the dice (see table below). This way, each combination has a .0277 probability (1 on 36). We can produce three series of values between 0 and 9. The remaining 6 combinations (with a black 6) are simply disregarded, which doesn't affect the probability of the other combinations.

 B   W        B   W        B   W       B   W       B   W       
 1 + 1 = 0    2 + 1 = 6    3 + 1 = 2   4 + 1 = 8   5 + 1 = 4
 1 + 2 = 1    2 + 2 = 7    3 + 2 = 3   4 + 2 = 9   5 + 2 = 5
 1 + 3 = 2    2 + 3 = 8    3 + 3 = 4   4 + 3 = 0   5 + 3 = 6
 1 + 4 = 3    2 + 4 = 9    3 + 4 = 5   4 + 4 = 1   5 + 4 = 7
 1 + 5 = 4    2 + 5 = 0    3 + 5 = 6   4 + 5 = 2   5 + 5 = 8
 1 + 6 = 5    2 + 6 = 1    3 + 6 = 7   4 + 6 = 3   5 + 6 = 9

Another method is a lotto system with balls, numbered from 0 to 9. After extracting a number, that ball must be mixed again with the other balls before extracting the next number. Such methods are suitable for small amounts of random numbers, for instance splitting keys or passwords. If a large quantity of numbers is required, for instance to split computer files, the best solution is to purchase a hardware based PC card with random noise source. Note that the default computer RND function does not produce true randomness!

The second rule for absolute secure splitting is of course the physical separation of the individual shares. At least one of the shares should never be accessible to the owners of the other shares. The shares must always be protected in such way that a compromised share would be noticed. One possible way to store an individual share is a small sealed - glued - plastic container that needs to be broken in order to get access to the share (wrap the folded text in aluminium foil). Seals can be glued into the transparant container. A damaged container and thus compromised share would be noticed immediately. Of course, the plastic container must always be stored in a physically secure place. The owner could always perform a security verification and demand the holders of a share to show their undamaged share.

If the rules of randomness and physical separation are followed the secret information will be completely secure. It is mathematically proven that there's no way to retrieve the secret information, other than getting your hands on all required shares. Of course, if you have split the code of a combination lock, and it's a cheap five dollar lock, you will have five-dollar-security. It's useless to protect the key code of a safe if a simple crowbar can wring it open. On the other hand, if you split the combination of a safe deposit box in your bank, you can be pretty sure that no individual share owner can access that safe.

Finally, Secret Splitting has another very important property. Since this system is unbreakable, the loss of one share will always result in the definite loss of the secret information, unless the owner still has a copy of the original. There's no way back if a share is lost or destroyed by accident! It might be useful to have one extra copy of your share somewhere on another secure location. Also, when you have split secret information into shares, be sure to double-check the shares, and check them once again, when you intend to destroy the original!

More to Read

Copyright 2004 - 2016 Dirk Rijmenants