I have given a talk at the 34C3 conference in Leipzig. This page lists some information and links to my slides and recordings of the talk.

  • Date/time: 28 December 2017, 12:45
  • Duration: 45 minutes + 15 Q&A
  • Location: Saal Clarke
  • Recording: CCC media or YouTube
  • Slides: download


Backing up private keys in a secure manner is not straightforward. Once a backup has been compromised you need to refresh all your key material. For example, the disclosure of a private key of a Bitcoin wallet gives access to the coins inside. This makes it unattractive to store a complete backup of your private key(s) with your bank or your spouse. The better option would be to split the key into multiple parts. The recommended way to do this securely is to use the Shamir secret sharing scheme. This talk provides a detailed breakdown of how the scheme works and explains how it is implemented in C in a new library called SSS.

Shamir secret sharing is a mechanism that securely splits private keys or passwords into independent parts. These parts do not give away the secret on their own. Instead, the user defines the minimal amount of shares needed to restore the original secret. In this way, there is no need to trust a single entity. Additionally, compromise or loss of one share does not mean a compromise or loss of the entire secret. This makes it very suitable for backing up private keys, such as Bitcoin keys. Shamir secret sharing can also be used for passing on your secrets to your trusted successors, in case you get hit by a bus.

In this talk, I will explain in detail how the scheme works. Although it is provably secure for confidentiality, we will see how it fails for integrity and how to fix that. While Shamir published his article almost 40 years ago, most existing libraries for Shamir secret sharing are still implemented poorly in terms of security and side-channel resistance.

I will talk about writing the definitive library for Shamir secret sharing. We will choose suitable parameters and implement the scheme in C. We will see a couple of tricks that cryptographers use for building fast algorithms while still maintaining side-channel resistance. In the end, we (hope to) have produced a robust algorithm ready for easy integration into your favorite project.

Basic understanding of some mathematical topics (such as group theory) may be helpful for this talk, but is not required.