Sjlver/psst

psst: Paper-based Secret Sharing Technique

psst is a system for storing secrets without a single point of failure. psst helps the user to split a secret into up to four parts. Each part in isolation reveals nothing about the secret (except its length). Any two parts combined allow the secret to be restored.

The main goal of psst is simplicity. It is a system that can be used with just pen, paper and a six-sided die. psst is great for people who want to deeply understand what they do and verify every step, and for anyone who has fun with information theory and cryptography.

psst is a restricted case of Shamir's Secret Sharing, operating in GF(5) with a threshold of two. See the Design Choices document for more information about that choice.
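
The two-of-four scheme over GF(5) described above, as an added Python example that is not part of the psst repository or its worksheet. It assumes the secret is already written as digits 0 to 4, that the shares sit at x-coordinates 1 to 4, and that `secrets.randbelow` stands in for the dice; `candidates` shows why a single share value is consistent with every possible secret digit.

```python
import secrets
from itertools import combinations

P = 5                 # field size: GF(5), digits 0..4
XS = (1, 2, 3, 4)     # assumed share x-coordinates (nonzero elements of GF(5))


def split(digits, rand=secrets.randbelow):
    """Split base-5 digits into four shares with a threshold of two.

    Each digit s becomes the line f(x) = s + a*x over GF(5) with a fresh
    random slope a; the share at x holds f(x) for every digit.
    """
    if any(d not in range(P) for d in digits):
        raise ValueError("secret digits must be in 0..4")
    slopes = [rand(P) for _ in digits]
    return {x: [(s + a * x) % P for s, a in zip(digits, slopes)] for x in XS}


def recover(x1, ys1, x2, ys2):
    """Recover the digits from any two distinct shares by interpolating to x = 0."""
    if x1 == x2 or len(ys1) != len(ys2):
        raise ValueError("need two distinct shares of equal length")
    inv = pow((x2 - x1) % P, -1, P)          # modular inverse in GF(5)
    out = []
    for y1, y2 in zip(ys1, ys2):
        a = ((y2 - y1) * inv) % P            # slope of the line
        out.append((y1 - a * x1) % P)        # f(0) is the secret digit
    return out


def candidates(x, y):
    """Secret digits consistent with a single share value y at position x."""
    return {(y - a * x) % P for a in range(P)}


if __name__ == "__main__":
    secret = [3, 0, 4, 1, 2, 2]              # constructed sample secret
    shares = split(secret)
    # Every pair of the four shares restores the same secret.
    for (xa, ya), (xb, yb) in combinations(shares.items(), 2):
        assert recover(xa, ya, xb, yb) == secret
    print(shares)
    print(candidates(2, 4))                  # all five digits remain possible
```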

How to use psst?

  1. Download the psst worksheet:
    psst PDF (A4 paper)
    psst PDF (US Letter)
  2. Print the worksheet.
  3. Follow the instructions on the printed worksheet.

Find out more

psst was built as a fun way to learn about topics like cryptography and information theory. The Motivation document describes why we made psst, and explains its pros and cons.

The Design Choices document explains and justifies all the choices that went into designing psst.

In What Can Go Wrong, you can read about insecure ways of using psst, and potential attacks against its users.

Where and How to Store Shares discusses what to consider after someone has used psst, when they need a place to store their secret shares.

The page Supplemental Materials contains tables that might be useful for some use cases, but did not fit onto the worksheet.

Alternatives

A number of other implementations of Shamir's Secret Sharing exist:

  • SLIP-0039 is a scheme for hardware wallet seeds, supported by Trezor.
  • SSKR is a generic crypto-focused scheme.
  • EIP 3450 is an unfinished proposal focusing on BIP-39 seeds.
  • ssss is a Unix utility.

Codex32 is another pen-and-paper method for storing secrets. Compared to psst, it has more features (for example, it includes a checksum) and requires more time. People who like pen-and-paper computation will find Codex32's volvelle wheels interesting.

SeedXOR is a scheme that can be computed manually, like psst. The main difference is that it only supports n-of-n schemes, for example 2-of-2. If even one share is lost, the secret cannot be recovered.

BIP-39 Split Mnemonic is a simple 2-of-3 scheme implemented in Ian Coleman's BIP-39 tool. It generates three shares, each containing two thirds of the words in the seed phrase. The sets of words overlap, so that any two shares contain the full phrase. Split Mnemonics are much simpler to use than psst. On the other hand, someone holding a single share is missing only a third of the entropy of the full seed. For short seeds (e.g., 12 words), this is only 42 bits, so the full seed can be brute-forced in relatively little time. For 24-word seeds, the brute-force approach is prohibitively expensive.

For many use cases, it is better to avoid secret sharing altogether. For example, to securely store cryptocurrency, a multisig scheme has advantages. For a detailed discussion, refer to CasaBlog: Shamir's Secret Sharing Shortcomings.

For a good overview of considerations for storing secrets, see How to Back Up a Seed Phrase.

Acknowledgements

psst was started by Sjlver and builds on the thinking of many others.

If you have fun using psst, you can send a tip:

  • Bitcoin: bc1q3hnhtgrse3etk52m626zxrkz0hah8hkag4et38
  • Ethereum: 0xAF16c970cb2329E9c3B8f4E54e1e8580937f8406
