Secret Sharing with PVSS
ShareSafe is available and ready to use. It allows users to leverage Publicly Verifiable Secret Sharing (PVSS).
What is it
Sharesafe: simple secret sharing
What is Publicly Verifiable Secret Sharing
Quickly, PVSS is a protocol to allow users to create (and verify) a secret made by
n participants. These
n participants only share their
n public keys to create a secret. They have decided that
m participants (0 <
n) are needed to retrieve the Secret.
n participants only share their secret keys. All or a subset are needed to recover the secret.
The generated/retrieved secret can be used for multiple purpose. One of them, the one used in
sharesafe, is for symmetric encryption.
i.e. if one want to send private data, it only needs the public key of the recipient. So now you can say that there is already asymmetric encryption for that and you would be right. PVSS here is interesting because you can add yourself in the scheme. The sender can set itself as a participant of share and can retrieve the same secret.
This is interesting because it provides us with a way to verify who participated to a given secret/share.
You can checkout the use case described in the README.md of sharesafe
How to use the CLI to generate private key
Create the keypair and share the public key
# generate to the standard output sharesafe key new # generate in a file sharesafe key new -o <generated-key-pair>
by default we are not setting a password for the secret. If you want to set a password, use
–password. By default the password is the empty string.
To export the public key:
# by default `sharesafe` will read the keypair from the standard input # and will write the exported public key to the standard output. sharesafe key export-public -i <generated-key-pair> -o <exported-public-key>
Create an encryption key
This command will create the shares for every participants, the commitments and the encryption key.
shareswill be needed to recover the secret later on. Only the secret key associated to the share can unlock the share;
- you will need the same amount as the
thresholdof unlocked shares to recover the secret;
commitmentscan be used to check the shares;
encryption-keyis the key generated from the secret.
This command will create a locked
share for every given
<public-key>: the name will be the input file name with the suffix replaced to
sharesafe pvss new --participant public-key1 \ --participant public-key2 \ --threshold=1 \ --commitments commitments \ -o encryption-key
Once you have generated the shares, you can simply share them Publicly (or not). Only the private key associated to the public key used to generate the share can unlock the share.
Verify a share against the commitments
sharesafe pvss verify -s <locked-share> -c commitments
Unlock the share
sharesafe pvss open-share -s <share-file> -k <private-key> -o <opened-share>
Recover the encryption key
sharesafe pvss recover -s $(cat <opened-share>) \ -o encryption-key.recovered
How to use the CLI for encryption
encryption-key is generated using Diffie-Hellman derivation from the PVSS secret. The encryption algorithm provided is
ChaChaPoly1305. It provides a default authentication of the ciphered content.
cat input-file | \ sharesafe cipher encrypt -k $(cat encryption-key) > input-file.encrypted
cat input-file.encrypted | \ sharesafe cipher decrypt -k $(cat encryption-key) > input-file
Originally published on primetype.co.uk
Sign up now and apply for roles at companies that interest you.
Engineers who find a new job through Functional Works average a 15% increase in salary.Start with GitHubStart with TwitterStart with Stack OverflowStart with Email