What is tontine?

Tontine is a secret-sharing implementation, which uses a modified version of Shamir's secret sharing scheme. Secret sharing allows N people to share data (the "secret"), such that any k of them can reconstruct it by combining their keys. Currently, tontine uses polynomials over the finite field GF(2⁸).

Tontine is written in C++, and uses the STL. While it was written using g++, it should work under most C++ compilers, with a few changes to the Makefile.

^ TOP

What are its goals?

Tontine was written with the following goals in mind:

• Keys should be indistinguishable from a random data stream, suitable for hiding using steganographic methods. There should be no wasted bits, no identifying headers, or other potential markers.
• It should not be readily apparent which keys fit together.

This is, of course, only as secure as your random number generator. While tontine defaults to using /dev/random, any file or executable which provides random data can be specified on the command line.

^ TOP

Why should I use tontine to protect my valuable data?

You shouldn't. Not yet, anyway. Tontine is severely alpha software. Feel free to use it, but don't depend on it.

^ TOP

Where can I get it?

The latest version (v0.3) is available here.

Version 0.1 is available here. Version 0.1 requires gmp-2.0.2 to compile. It also relies on /dev/random.

^ TOP

Why the name?

A tontine is an annuity shared by subscribers to a loan. The shares increase as subscribers die, until the last survivor gets all, or until a specified date when the survivors share the proceeds. Tontines were originated by Lorenzo Tonti of Naples, in France in the 1650s. It occured to me that secret sharing might have applications in this area. Also, I liked the name.

^ TOP

What's next?

• The data encapsulation present in version 0.1 is useful for discovering when keys do not properly encode a secret, and it would be useful to add that into the current version.
• This version is limited to 255 keys, because each key has to encode a unique point, and no key encodes with x=0. Ideally, GF(2ⁿ) could be used, instead of GF(2⁸), with n being chosen based on the number of keys desired.

^ TOP

Disclaimer?

EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.