Backing up private keys in a secure manner is not straightforward. Once a backup has been compromised you need to refresh all your key material.
For example, the disclosure of a private key of a Bitcoin wallet gives access to the coins inside. This makes it unattractive to store a complete backup of
your private key(s) with your bank or your spouse. The better option would be to split the key into multiple parts. The recommended way to do this securely is to use the Shamir secret sharing scheme. This talk provides a detailed breakdown of how the scheme works and explains how it is implemented in C in a new library called SSS.
Shamir secret sharing is a mechanism that securely splits private keys or
passwords into independent parts. These parts do not give away the secret on
their own. Instead, the user defines the minimum number of shares needed to
restore the original secret. In this way, there is no need to trust a single
entity. Additionally, compromise or loss of one share does not mean a
compromise or loss of the entire secret. This makes it very suitable for
backing up private keys, such as Bitcoin keys. Shamir secret sharing can
also be used for passing on your secrets to your trusted successors, in case
you get hit by a bus.
In this talk, I will explain in detail how the scheme works. Although it is
provably secure for confidentiality, we will see how it fails for integrity
and how to fix that. While Shamir published his article almost 30 years ago,
most existing libraries for Shamir secret sharing are still implemented
poorly in terms of security and side-channel resistance.
I will talk about writing the definitive library for Shamir secret sharing.
We will choose suitable parameters and implement the scheme in C. We will
see a couple of tricks that cryptographers use for building fast algorithms
while still maintaining side-channel resistance. In the end, we (hope to)
have produced a robust algorithm ready for easy integration into your favorite
project.
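To make the three points above concrete (how the scheme splits and recombines, why plain recombination offers no integrity, and what a branch-free, table-free field implementation looks like), here is a small worked example. It is added here for illustration and is not code from the talk or from the SSS library. Its assumptions: the field is GF(2^8) with the AES reduction polynomial 0x11b, share j is the polynomial evaluated at x = j+1, and integrity is added by sharing the secret together with a tag of it, a common approach chosen here for illustration since the page does not say which fix the talk presents. The tag is a 32-bit FNV-1a checksum standing in for a real cryptographic hash or MAC, the demo RNG is a plain LCG standing in for a CSPRNG, and all function names (gf_mul, sss_split, run_scenario, ...) and the sample secret are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAXLEN 64      /* bytes per share in this example (secret + tag) */
#define TAG_LEN 4
#define SECRET_LEN 16

/* GF(2^8) multiply (polynomial 0x11b), bit-serial with masks only: no
 * data-dependent branches or table lookups, so timing is operand-independent. */
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t r = 0;
    for (int i = 0; i < 8; i++) {
        r ^= a & (uint8_t)-(b & 1);                            /* add a iff bit0(b) */
        a = (uint8_t)((a << 1) ^ ((uint8_t)-(a >> 7) & 0x1b)); /* shift, reduce */
        b >>= 1;
    }
    return r;
}
static uint8_t gf_inv(uint8_t a) {                /* a^-1 = a^254, fixed chain */
    uint8_t r = a;
    for (int i = 0; i < 6; i++) r = gf_mul(gf_mul(r, r), a); /* a^127 */
    return gf_mul(r, r);
}

/* Integrity tag: 32-bit FNV-1a stands in for the cryptographic hash or MAC a
 * real library would use; any single changed input byte changes it. */
static void tag(uint8_t *dst, const uint8_t *p, size_t len) {
    uint32_t h = 0x811c9dc5u;
    for (size_t i = 0; i < len; i++) h = (h ^ p[i]) * 0x01000193u;
    for (int i = 0; i < TAG_LEN; i++) dst[i] = (uint8_t)(h >> (24 - 8 * i));
}

/* Split secret || tag(secret) into n shares, threshold k. Share j has x = j+1;
 * each byte is a random degree-(k-1) polynomial, constant term = data byte,
 * evaluated at x. rnd must be a CSPRNG in real use. */
static void sss_split(const uint8_t *secret, size_t len, int n, int k,
                      uint8_t shares[][MAXLEN], void (*rnd)(uint8_t *, size_t)) {
    uint8_t buf[MAXLEN], coef[256];
    memcpy(buf, secret, len);
    tag(buf + len, secret, len);
    for (size_t i = 0; i < len + TAG_LEN; i++) {
        coef[0] = buf[i];
        rnd(coef + 1, (size_t)(k - 1));
        for (int j = 0; j < n; j++) {
            uint8_t x = (uint8_t)(j + 1), y = coef[k - 1];
            for (int c = k - 2; c >= 0; c--)      /* Horner evaluation at x */
                y = gf_mul(y, x) ^ coef[c];
            shares[j][i] = y;
        }
    }
}

/* Lagrange interpolation at x = 0 over k shares with x-coordinates xs[]. Any k
 * values interpolate to *some* polynomial, so plain Shamir would return a wrong
 * secret from a tampered share with no error; the tag check closes that gap.
 * Returns 1 if the recovered tag matches the recovered secret, else 0. */
static int sss_combine(uint8_t *out, size_t len, int k,
                       const uint8_t *xs, const uint8_t *const ys[]) {
    uint8_t buf[MAXLEN] = {0}, want[TAG_LEN], d = 0;
    for (int j = 0; j < k; j++) {
        uint8_t lambda = 1;                       /* prod_{m!=j} x_m/(x_m - x_j) */
        for (int m = 0; m < k; m++)
            if (m != j)
                lambda = gf_mul(lambda, gf_mul(xs[m], gf_inv(xs[m] ^ xs[j])));
        for (size_t i = 0; i < len + TAG_LEN; i++)
            buf[i] ^= gf_mul(lambda, ys[j][i]);
    }
    tag(want, buf, len);
    for (int i = 0; i < TAG_LEN; i++) d |= buf[len + i] ^ want[i]; /* constant time */
    memcpy(out, buf, len);
    return d == 0;
}

static uint32_t demo_state;   /* LCG for a reproducible demo: NOT a CSPRNG */
static void demo_rnd(uint8_t *p, size_t n) {
    while (n--) *p++ = (uint8_t)((demo_state = demo_state * 1103515245u + 12345u) >> 16);
}

/* Constructed scenario: 5 shares, threshold 3, recover from shares 1, 3 and 5;
 * tamper != 0 first flips one bit of share 3. Returns the tag check result. */
static const uint8_t DEMO_SECRET[SECRET_LEN] = "correct horse b";
static int run_scenario(int tamper, uint8_t out[SECRET_LEN]) {
    uint8_t shares[5][MAXLEN];
    demo_state = 0x2545f491u;
    sss_split(DEMO_SECRET, SECRET_LEN, 5, 3, shares, demo_rnd);
    if (tamper) shares[2][0] ^= 0x01;
    const uint8_t xs[3] = {1, 3, 5};
    const uint8_t *ys[3] = {shares[0], shares[2], shares[4]};
    return sss_combine(out, SECRET_LEN, 3, xs, ys);
}

int main(void) {
    uint8_t out[SECRET_LEN];
    printf("honest shares:  tag %s\n", run_scenario(0, out) ? "ok" : "MISMATCH");
    printf("tampered share: tag %s\n", run_scenario(1, out) ? "ok" : "MISMATCH");
    return 0;
}
```

Build with `cc -O2 -Wall sss_demo.c` and run; the honest set reports `tag ok`, the set with one flipped share bit reports `MISMATCH`. Two design points matter for a real implementation: every operation on share bytes (multiply, inverse, tag compare) avoids secret-dependent branches and lookups, which is what makes the arithmetic side-channel resistant; and without the tag, the tampered run would have returned a wrong secret indistinguishable from a correct one, which is exactly the integrity gap in the plain scheme. Because an unkeyed tag of a low-entropy secret could be used to confirm guesses of that secret, a production library would use a keyed MAC or authenticated encryption rather than the checksum used here.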
Basic understanding of some mathematical topics (such as group theory) may
be helpful for this talk, but is not required.