Posts  / #POST-211274
REDDIT

Shamir Secret Sharing + AES-GCM file encryption tool - seeking cryptographic review

C
Jun 13, 2025 · 13:06

I've built a practical tool for securing critical files using Shamir's Secret Sharing combined with AES-256-GCM encryption. The implementation prioritizes offline operation, cross-platform compatibility, and security best practices.

# Core Architecture

1. Generate 256-bit AES key using enhanced entropy collection
2. Encrypt entire files with AES-256-GCM (unique nonce per operation)
3. Split the AES key using Shamir's Secret Sharing
4. Distribute shares as JSON files with integrity metadata

# Key Implementation Details

# Entropy Collection

Combines multiple sources including `os.urandom()`, PyCryptodome's `get_random_bytes()`, `time.time_ns()`, process IDs, and memory addresses. Uses SHA-256 for mixing and SHAKE256 for longer outputs.

# Shamir Implementation

Uses [PyCryptodome's](https://pypi.org/project/pycryptodome/) Shamir module over GF(2^(8).) For 32-byte keys, splits into two 16-byte halves and processes each separately to work within the library's constraints.

# Memory Security

Implements secure clearing with multiple overwrite patterns (0x00, 0xFF, 0xAA, 0x55, etc.) and explicit garbage collection. Context managers for temporary sensitive data.

# File Format

Encrypted files contain: metadata length (4 bytes) → JSON metadata → 16-byte nonce → 16-byte auth tag → ciphertext. Share files are JSON with base64-encoded share data plus integrity metadata.

# Share Management

Each share includes threshold parameters, integrity hashes, tool version, and a unique `share_set_id` to prevent mixing incompatible shares.

# Technical Questions for Review

1. **Field Choice:** Is GF(2^(8)) adequate for this use case, or should I implement a larger field for enhanced security?
2. **Key Splitting:** Currently splitting 32-byte keys into two 16-byte halves for Shamir. Any concerns with this approach vs. implementing native 32-byte support?
3. **Entropy Mixing:** My enhanced entropy collection combines multiple sources via SHA-256. Missing any critical entropy sources or better mixing approaches?
4. **Memory Clearing:** The secure memory implementation does multiple overwrites with different patterns. Platform-specific improvements worth considering?
5. **Share Metadata:** Each share contains tool version, integrity hashes, and set identifiers. Any information leakage concerns or missing validation?

# Security Properties

* Information-theoretic security below threshold (k-1 shares reveal nothing)
* Authenticated encryption prevents ciphertext modification
* Forward security through unique keys and nonces per operation
* Share integrity validation prevents tampering
* Offline operation eliminates network-based attacks

# Threat Model

* Passive adversary with up to k-1 shares
* Active adversary attempting share or ciphertext tampering
* Memory-based attacks during key reconstruction
* Long-term storage attacks on shares

# Practical Features

* Complete offline operation (no network dependencies)
* Cross-platform compatibility (Windows/macOS/Linux)
* Support for any file type and size
* Share reuse for multiple files
* ZIP archive distribution for easy sharing

# Dependencies

Pure Python 3.12.10 with PyCryptodome only. No external cryptographic libraries beyond the standard implementation.

# Use Cases

* Long-term key backup and recovery
* Cryptocurrency wallet seed phrase protection
* Critical document archival
* Code signing certificate protection
* Family-distributed secret recovery

The implementation emphasizes auditability and correctness over performance. All cryptographic primitives use established PyCryptodome implementations rather than custom crypto.

**GitHub:** [https://github.com/katvio/fractum](https://github.com/katvio/fractum)
**Security architecture docs:** [https://fractum.katvio.com/security-architecture/](https://fractum.katvio.com/security-architecture/)

Particularly interested in formal analysis suggestions, potential timing attacks, or implementation vulnerabilities I may have missed. The tool is designed for high-stakes scenarios where security is paramount.

Any cryptographer willing to review the Shamir implementation or entropy collection would be greatly appreciated!

# Technical Implementation Notes

# Command Line Interface

# Launch interactive mode (recommended for new users)
fractum -i

# Encrypt a file with 3-5 scheme
fractum encrypt secret.txt -t 3 -n 5 -l mysecret

# Decrypt using shares from a directory
fractum decrypt secret.txt.enc -s ./shares

# Decrypt by manually entering share values
fractum decrypt secret.txt.enc -m

# Verify shares in a directory
fractum verify -s ./shares

# Share File Format Example

{
"share_index": 1,
"share_key": "base64-encoded-share-data",
"label": "mysecret",
"share_integrity_hash": "sha256-hash-of-share",
"threshold": 3,
"total_shares": 5,
"tool_integrity": {...},
"python_version": "3.12.10",
"share_set_id": "unique-identifier"
}

# Encrypted File Structure

[4 bytes: metadata length]
[variable: JSON metadata]
[16 bytes: AES-GCM nonce]
[16 bytes: authentication tag]
[variable: encrypted data]