Secret sharing scheme WITHOUT Shamir Secrete Sharing.

[Fearless_F]

Hello,

I am planning to use the following XOR scheme to divide a secret into only 2 shares (I do not want to use Shamir Secret Sharing for different reasons that are beyond the scope of this post).

Here's an example of the XOR scheme I have in mind.

SECRET   =  0 1 0 1 0 0 1 0 0 0 0 1  (…)  0 0 1 1 0

SHARE 1 =  TRUNC128 (SHA512 (SECRET))

         =  0 0 0 0 1 1 1 0 0 0 1 1  (…)  1 1 0 0 1

SHARE 2 =  SECRET ^ SHARE1

         =  0 1 0 1 0 0 1 0 0 0 0 1  (…)  0 0 1 1 0

         ^  0 0 0 0 1 1 1 0 0 0 1 1  (…)  1 1 0 0 1

        =  0 1 0 1 1 1 0 0 0 0 1 0  1 1 1 1 1

SECRET   =  SHARE1 ^ SHARE 2

       =  0 0 0 0 1 1 1 0 0 0 1 1  (…)  1 1 0 0 1

        ^  0 1 0 1 1 1 0 0 0 0 1 0  (…)  1 1 1 1 1

       =  0 1 0 1 0 0 1 0 0 0 0 1  (…)  0 0 1 1 0

I have a few questions about that XOR scheme as I am building a case for using it.

1) How resistant would such a scheme be to common attack vectors (brute force...)?

2) Are there any ways to evaluate what it (or how much it) would take to break that scheme?

3) Is that scheme already used in "notably safe applications"? If that is the case, which ones?

[pooya87]

SHARE 1 =  TRUNC128 (SHA512 (SECRET))

the thing about "secret" is that you want to be able to reconstruct it at some point so ALL your operations must be solvable in some way to go in the reverse direction and reach the original "secret". if you perform SHA512 on your secret and use that as input to the splitting operation it can no longer be constructed again.

for the rest of your questions it may be best if you ask them on https://crypto.stackexchange.com/

[o_e_l_e_o]

the thing about "secret" is that you want to be able to reconstruct it at some point so ALL your operations must be solvable in some way to go in the reverse direction and reach the original "secret". if you perform SHA512 on your secret and use that as input to the splitting operation it can no longer be constructed again.

He doesn't need to reverse the SHA512 hash in his set up.

His secret is (presumably) a 128 bit number. His first share just needs to be any random number, and he achieves this by taking 128 bits of the SHA512 hash. His second share can be generated by performing XOR with his original secret and his first share as inputs. Combining the two shares using XOR will generate the original secret.

Provided this is set up securely, then the only additional knowledge about your secret that an attacker with one share can gain is its length. Knowing one share does not give an attacker any other information about your secret, and so they would still need to brute force 2¹²⁸ combinations.

[hatshepsut93]

What you are proposing is not a secret sharing, it's a DIY encryption, which is always a bad idea. Secret sharing schemes create equal shares, and they allow n of m configurations, but in your example one of your "shares" is a key and the other is cyphertext.

I see your key is 128 bit long, but what is the length of your plaintext? If it's bigger than 128 bits and you just use the same key to encrypt all of it, then it's essentially a Vigenere cipher, which can be broken very easily. If your plaintext is exactly 128 bits, then it's more safe, but still it's worse than real encryption. If you are super paranoid about crypto algorithms for some reason, at least use one-time pad generated with strong RNG.

Also, your scheme is not secure against attacks involving pre-computed hashes, if someone would to get your SHARE 1.

3) Is that scheme already used in "notably safe applications"? If that is the case, which ones?

"Notably safe applications" don't use some homebrew crypto algorithms, they use the standard ones.

[Fearless_F]

Provided this is set up securely, then the only additional knowledge about your secret that an attacker with one share can gain is its length. Knowing one share does not give an attacker any other information about your secret, and so they would still need to brute force 2¹²⁸ combinations.

Thank you for your perfect understanding of what I am implementing. Could you please elaborate on what you mean by "Provided this is set up securely"?

[o_e_l_e_o]

All I meant was that it was set up in the same way you would generate any secret share, paper wallet, mnemonic seed, etc., to ensure that your secret isn't stolen in the process of you creating it. It should be done preferably on a permanently airgapped computer, but if that is not possible, then at the very least on a computer booted to a live OS from a USB drive or similar with the internet access disabled, printed using a "dumb" printer, with no one else around at the time, etc.

I would say that using any m-of-n secret share where m = n leaves you open to data loss though if you lose a single share, which is why most people would opt for using a setup where m < n. If I was going to do a 2-of-2 secret share, I would be making two copies of each secret, which kind of defeats the point in the first place. Why do a 2-of-2 and print each secret twice when you could do a 3-of-4 and have better security.

[Fearless_F]

All I meant was that it was set up in the same way you would generate any secret share, paper wallet, mnemonic seed, etc., to ensure that your secret isn't stolen in the process of you creating it. It should be done preferably on a permanently airgapped computer, but if that is not possible, then at the very least on a computer booted to a live OS from a USB drive or similar with the internet access disabled, printed using a "dumb" printer, with no one else around at the time, etc.

Instead, would it be possible to use an Android device booted to a live OS (from a USB stick)?

[o_e_l_e_o]

Instead, would it be possible to use an Android device booted to a live OS (from a USB stick)?

An Android device as in a mobile phone? It's not possible to boot a phone to a live OS as far as I am aware - pretty sure you need to do a clean install or "flash" of your desired OS, but please correct me if I'm wrong.

An old phone which you can wipe, install a clean OS, and keep permanently airgapped would be a good second option if you are unable to do it on an airgapped computer for any reason.

[Fearless_F]

Instead, would it be possible to use an Android device booted to a live OS (from a USB stick)?

An Android device as in a mobile phone? It's not possible to boot a phone to a live OS as far as I am aware - pretty sure you need to do a clean install or "flash" of your desired OS, but please correct me if I'm wrong.

Based on my initial research, I am afraid you are right... ;-)