Mind the Gap: Ceremonies for Applied Secret Sharing

Bailey Kacsmar, Chelsea H. Komlo, Florian Kerschbaum and Ian Goldberg (University of Waterloo)


Secret sharing schemes are desirable across a variety of real-world settings due to the security and privacy properties they can provide, such as availability and separation of privilege. However, transitioning secret sharing schemes from theoretical research to practical use must account for gaps in achieving these properties that arise due to the realities of concrete implementations, threat models, and use cases. We present a formalization and analysis, using Ellison’s notion of ceremonies, that demonstrates how simple variations in use cases of secret sharing schemes result in the potential loss of some security properties, a result that cannot be derived from the analysis of the underlying cryptographic protocol alone. Our framework accounts for such variations in the design and analysis of secret sharing implementations by presenting a more detailed user-focused process and defining previously overlooked assumptions about user roles and actions within the scheme to support analysis when designing such ceremonies. We identify existing mechanisms that, when applied to an appropriate implementation, close the security gaps we identified. We present our implementation including these mechanisms and a corresponding security assessment using our framework.
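The abstract's point that a property proven for the scheme can be lost in a concrete deployment is easiest to see in code. The following Python is an added example, not code from the paper or its implementation. It uses Shamir's threshold scheme over a toy-sized constructed field (the constants Q, P_MOD and G are assumptions chosen for readability, far below deployment sizes) and shows two things: any t of n shares reconstruct the secret, and plain Lagrange reconstruction accepts a corrupted share silently, whereas Feldman-style commitments published alongside the shares let the reconstructing party reject it before use.

```python
import secrets

# Constructed toy parameters (NOT deployment sizes). Q = 1019 is the prime
# share field, P_MOD = 2Q + 1 = 2039 is a safe prime, and G = 4 generates the
# order-Q subgroup of Z_P_MOD^*. A real deployment uses a large prime-order group.
Q = 1019
P_MOD = 2 * Q + 1
G = 4


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients coeffs[0..t-1] at x over Z_Q (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def split(secret, t, n):
    """Shamir (t, n) split. Returns the shares (x, y) and Feldman commitments
    g^a_k to every polynomial coefficient; the commitments are public."""
    if not (0 <= secret < Q and 1 <= t <= n < Q):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    shares = [(i, _eval_poly(coeffs, i)) for i in range(1, n + 1)]
    commitments = [pow(G, a, P_MOD) for a in coeffs]
    return shares, commitments


def verify_share(share, commitments):
    """Feldman check: g^y must equal the product of C_k^(x^k) over all k."""
    x, y = share
    expected = 1
    for k, c in enumerate(commitments):
        expected = expected * pow(c, pow(x, k, Q), P_MOD) % P_MOD
    return pow(G, y, P_MOD) == expected


def reconstruct(shares):
    """Lagrange interpolation at x = 0 over Z_Q. No integrity check: a single
    corrupted y value changes the result without any error being raised."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % Q
                den = den * (xi - xj) % Q
        secret = (secret + yi * num * pow(den, -1, Q)) % Q
    return secret


def reconstruct_verified(shares, commitments):
    """Reject any share that fails its commitment check before interpolating."""
    checked = [(s, verify_share(s, commitments)) for s in shares]
    bad = [s[0] for s, ok in checked if not ok]
    if bad:
        raise ValueError(f"shares from participants {bad} failed verification")
    return reconstruct([s for s, ok in checked if ok])


if __name__ == "__main__":
    shares, comms = split(42, 3, 5)
    print("any 3 of 5:", reconstruct([shares[0], shares[2], shares[4]]))
    tampered = [(shares[0][0], (shares[0][1] + 1) % Q)] + shares[1:3]
    print("unverified reconstruction with a bad share:", reconstruct(tampered))
    try:
        reconstruct_verified(tampered, comms)
    except ValueError as e:
        print("verified reconstruction:", e)
```

The verification step is the kind of mechanism the abstract refers to: it is not part of Shamir's scheme itself, but without it a deployment that assumes shares are returned intact has silently given up the integrity of the reconstructed secret.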



