This guide explains how to use Zegel's split-key feature to distribute trust across multiple parties, requiring a threshold number of parties to agree before a sealed file can be opened.
For the specification, see FORMAT_SPEC.md Section 6.3.
Shamir's Secret Sharing (SSS) is a cryptographic technique that splits a secret (in this case, the 32-byte Zegel master key) into N shares, of which any M shares are sufficient to reconstruct the original secret. Fewer than M shares reveal absolutely no information about the secret.
This is not computational security -- it is information-theoretic security. Even with unlimited computing power, M-1 shares give an attacker zero knowledge about the key.
The technique was published by Adi Shamir in 1979 and is based on polynomial interpolation over a finite field.
Split-key is useful in any scenario where no single person should have unilateral access to sensitive content:
- Business continuity: 2-of-3 split among CEO, CFO, and legal counsel. If one person is unavailable, the other two can still access the document.
- Board approval: 3-of-5 split among board members. A majority must agree to open the file.
- Dual control: 2-of-2 split between two officers. Both must be present to access the content.
- Escrow: 1-of-3 split (any single party can open). This is a backup/escrow scenario, not a security scenario.
- Disaster recovery: 3-of-7 split across geographically distributed offices.
Shamir's Secret Sharing uses polynomial evaluation over GF(256), the Galois Field with 256 elements.
For each byte of the 32-byte master key:
-
Construct a random polynomial of degree M-1:
f(x) = secret_byte + a1*x + a2*x^2 + ... + a_{M-1}*x^{M-1}where
a1, a2, ..., a_{M-1}are random coefficients. -
Evaluate at N points to produce N shares:
share_1 = (1, f(1)) share_2 = (2, f(2)) ... share_N = (N, f(N)) -
The secret is
f(0), which equalssecret_byte.
Given M shares, the master key is reconstructed using Lagrange interpolation at x=0 over GF(256):
f(0) = sum over i of (y_i * product over j!=i of (x_j / (x_j - x_i)))
All arithmetic (addition, multiplication, division) is performed in GF(256).
- Addition: XOR (
a + b = a XOR b) - Multiplication: Russian peasant algorithm with reduction by the irreducible polynomial
x^8 + x^4 + x^3 + x + 1(0x11B) - Inverse: Fermat's little theorem:
a^(-1) = a^254in GF(256)
Each share is exactly 33 bytes:
- 1 byte: x-coordinate (1 to 255)
- 32 bytes: y-values (one per byte of the master key)
The x-coordinate identifies the share. The y-values are the secret material.
# Generate a master key
zegel keygen -o master.key
# Seal a file with the master key
zegel seal document.pdf -k master.key -o document.zgl
# Split the key into 5 shares with threshold 3
zegel split-key -k master.key --threshold 3 --shares 5 -o shares/
# This creates:
# shares/share_1.key (33 bytes)
# shares/share_2.key (33 bytes)
# shares/share_3.key (33 bytes)
# shares/share_4.key (33 bytes)
# shares/share_5.key (33 bytes)Alternatively, seal and split in one step:
zegel seal document.pdf \
-k master.key \
-o document.zgl \
--split-key --threshold 3 --shares 5 \
--shares-output shares/This sets the FLAG_SPLIT_KEY flag and records M=3, N=5 in the extended header.
- Open the Zegel application and navigate to the Seal screen.
- Select the source file and enter the master key.
- Expand "Advanced Options."
- Enable "Split Key (M-of-N)."
- Set the threshold (M) and total shares (N).
- Click "Seal."
- The application produces the
.zglfile and N share files. - Distribute the share files to the designated parties.
# Reconstruct from any 3 of the 5 shares
zegel reconstruct shares/share_1.key shares/share_3.key shares/share_5.key -o recovered.key
# Verify and extract using the reconstructed key
zegel extract document.zgl -k recovered.key -o document.pdf- Open the Zegel application and navigate to the Verify or Extract screen.
- Load the
.zglfile. - The application detects the
FLAG_SPLIT_KEYflag and prompts for shares. - Load M share files (the application shows how many are needed based on the threshold).
- The key is reconstructed in memory.
- Verification and extraction proceed normally.
Any set of fewer than M shares reveals zero information about the master key. This is mathematically provable and does not depend on computational assumptions. Even a quantum computer with unlimited power cannot extract the key from M-1 shares.
No single party holds the complete key. Even if one share is compromised, the attacker gains nothing (assuming M > 1).
The M-of-N scheme is flexible:
- 2-of-3: Tolerates loss of 1 share. Requires agreement of 2 parties.
- 3-of-5: Tolerates loss of 2 shares. Requires agreement of 3 parties.
- 1-of-N: Any single share suffices (backup/escrow, not access control).
- N-of-N: All shares required (maximum security, minimum availability).
- It cannot identify which shares were used. All valid M-subsets produce the same key.
- It does not authenticate shareholders. Any party with a valid share can participate.
- It does not enforce who should participate. Access policy is external to the cryptographic mechanism.
Never send all shares through the same channel. Use a different secure channel for each share:
- In-person handoff (most secure)
- Separate encrypted email threads
- Different secure messaging platforms
- Physical media (USB drives) delivered separately
The entire purpose of splitting is to distribute trust. Storing all shares in the same system, backup, or location defeats this purpose completely.
Maintain a secure record of:
- Which share index (x-coordinate, 1 through N) was given to which party
- When each share was distributed
- Through which channel
- Contact information for each shareholder
This record should itself be protected, as it identifies the key holders.
For high-security scenarios, consider:
- Printing shares as QR codes on paper, stored in separate safes
- Engraving shares on metal plates for fire resistance
- Using tamper-evident envelopes
- Requiring notarized receipt of each share
To rotate shares without re-sealing the file:
- Reconstruct the master key from M existing shares.
- Generate a new set of N' shares (possibly with different M', N' values).
- Distribute the new shares.
- Securely destroy all old shares.
Note: the .zgl file itself is unchanged. Only the shares change.
Parties: CEO, CFO, Legal Counsel
Threshold: 2 (any two can open)
Total shares: 3
Use case: financial audit documents that must be accessible
even if one executive is unavailable. Two of the three
executives can always access the documents.
Parties: 5 Board Members
Threshold: 3 (majority required)
Total shares: 5
Use case: acquisition documents or strategic plans that
require board majority approval before access. A simple
majority (3 of 5) must agree to open the file.
Parties: Compliance Officer, Department Head
Threshold: 2 (both required)
Total shares: 2
Use case: highly sensitive HR documents that require
both parties to be present for access. Neither can act
unilaterally.
Parties: 7 regional offices
Threshold: 3 (any 3 offices)
Total shares: 7
Use case: disaster recovery key for an organization
with offices across multiple countries. Even if 4
offices are simultaneously unreachable, the remaining
3 can still recover the data.
These features can be combined. The canary padding is applied using the reconstructed master key. The recipient ID is stored in the extended header.
The FLAG_SPLIT_KEY and FLAG_PASSWORD_DERIVED flags are mutually exclusive in practice. If the master key is password-derived, split the password-derived key (not the password). The .zgl file stores split-key parameters in the extended header.
Selective disclosure tokens are generated using the master key. If the key is split, reconstruct it first, then generate disclosure tokens.
- FORMAT_SPEC.md Section 6.3 -- Specification
- Security Audit -- Split-key security model
- Canary Traps Guide -- Leak tracing
- Selective Disclosure Guide -- Partial sharing