<p>
Shamir secret sharing is a mechanism that securely splits private keys or
passwords into independent parts. These parts do not give away the secret on
their own. Instead, the user defines the minimum number of shares needed to
restore the original secret. In this way, there is no need to trust a <em>single</em>
entity. Additionally, compromise or loss of one share does not mean a
compromise or loss of the entire secret. This makes it very suitable for
backing up private keys, such as Bitcoin keys. Shamir secret sharing can
also be used for passing on your secrets to your trusted successors, in case
you get hit by a bus.
</p>
<p>
In this talk, I will explain in detail how the scheme works. Although it is
provably secure for confidentiality, we will see how it fails for integrity
and how to fix that. While Shamir published his article almost 30 years ago,
most existing libraries for Shamir secret sharing are still implemented
poorly in terms of security and side-channel resistance.
</p>
<p>
I will talk about writing the definitive library for Shamir secret sharing.
We will choose suitable parameters and implement the scheme in C. We will
see a couple of tricks that cryptographers use for building fast algorithms
while still maintaining side-channel resistance. In the end, we (hope to)
have produced a robust algorithm ready for easy integration into your favorite
project.
</p>
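<p>
As an added illustration of the threshold scheme described above (example code written for this page, not the talk's library), here is a (k, n) Shamir split and Lagrange reconstruction of one secret byte over GF(2^8) in C, using a constant-time field multiply of the kind the abstract alludes to. The coefficient array and the values 0x42, 0x11 and 0x22 used below are constructed for this example; in real use the coefficients must come from a CSPRNG. The combine step also exposes the integrity gap the abstract mentions: a modified share reconstructs to a wrong value with no error.
</p>

```c
#include <stdint.h>
#include <stddef.h>
/* Constant-time GF(2^8) multiply (x^8+x^4+x^3+x+1): masks, no branches or tables. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= (uint8_t)(-(b & 1)) & a;           /* add a when bit i of b is set */
        uint8_t hi = (uint8_t)(-(a >> 7));      /* 0xff if the shift overflows */
        a = (uint8_t)((a << 1) ^ (hi & 0x1b));  /* shift and reduce */
        b >>= 1;
    }
    return r;
}
/* Constant-time inverse by Fermat: a^254 = a^(2+4+...+128). */
static uint8_t gf_inv(uint8_t a) {
    uint8_t r = 1;
    for (int i = 0; i < 7; i++) { a = gf_mul(a, a); r = gf_mul(r, a); }
    return r;
}
typedef struct { uint8_t x, y; } share_t;
/* f(x) = secret + c[0]x + ... + c[k-2]x^(k-1), evaluated by Horner's rule. */
static uint8_t poly_eval(uint8_t secret, const uint8_t *c, size_t k, uint8_t x) {
    uint8_t acc = 0;
    for (size_t i = k; i > 1; i--) acc = gf_mul(acc, x) ^ c[i - 2];
    return gf_mul(acc, x) ^ secret;
}
/* Split one secret byte into n shares at x = 1..n; any k of them recover it.
 * The k-1 coefficients must come from a CSPRNG in real use; passed in here. */
void shamir_split(uint8_t secret, const uint8_t *coeffs, size_t k, size_t n, share_t *out) {
    for (size_t i = 0; i < n; i++) {
        out[i].x = (uint8_t)(i + 1);
        out[i].y = poly_eval(secret, coeffs, k, out[i].x);
    }
}
/* Lagrange interpolation at x = 0 over exactly k shares; branches depend only on
 * public indices. No integrity check: a corrupted share silently gives a wrong secret. */
uint8_t shamir_combine(const share_t *sh, size_t k) {
    uint8_t secret = 0;
    for (size_t i = 0; i < k; i++) {
        uint8_t num = 1, den = 1;
        for (size_t j = 0; j < k; j++) {
            if (j == i) continue;
            num = gf_mul(num, sh[j].x);
            den = gf_mul(den, (uint8_t)(sh[j].x ^ sh[i].x));
        }
        secret ^= gf_mul(sh[i].y, gf_mul(num, gf_inv(den)));
    }
    return secret;
}
```

A real library applies this per byte of the secret and must additionally bind a MAC or similar check to the shares, since the reconstruction above accepts any k shares as valid.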
<p>
Basic understanding of some mathematical topics (such as group theory) may
be helpful for this talk, but is not required.
</p>