 Our next speaker is a master student from the Netherlands. His name is Dan Sprenkels. He told me that he's maybe the youngest speaker in this Congress. So if you know anyone, any speaker younger than 23, just let him know so that he loses the contest. And please pull out pen and paper because this talk is a course Dan holds on his university. So this will be great at our course. Dan Sprenkels, we should train our secrets. Thank you Harold for introducing me and thanks for inviting me to this conference. So my name is Dan Sprenkels. I'm from the Robert University where I did a resource internship where I studied an algorithm called the sharing of secrets of Shamir. This presentation is a bit about sharing secrets of Shamir, but it's not something new. I'm going to talk about the implementation because I would like to pass a message here. First of all, I'm Dan Sprenkels. I studied at the University of Rambolt where I studied chemistry. And after finishing my bachelor in chemistry, I passed directly on the computer because it's much better. So on a regular day, I'm currently doing the implementation of elliptic curve cryptography. So I would like to share some of my knowledge with you on how cryptographic works in practice. The other people who are involved in this presentation are Peter Schwab, who is my supervisor, and Sean Mosspultz, who is the president of a company in Taiwan who works on blockchain and Bitcoin. So first of all, I don't know really what the method is, because I don't know really what the method is. I would love to ask you, who have heard of this? Don't throw your own crypto. Second question, who actually knows why we spend this all the time? Okay, so that's Billy, because I wanted to explain this. Well actually, I wanted to explain it. So really, your own crypto is a bad idea because it's not that easy. Inventing your own crypto, it's a bad idea because it's very difficult. And on the other hand, it's very easy to get involved. We can make a lot of mistakes very easily. And the second reason is because implementing your own crypto, as we saw yesterday in Philippe Stark's presentation, it's something very difficult. In the example he gave, a bit of content in the processor can completely compromise your security. And in the example he gave, it allows you to extract the private key from this simple bit of content. So in this presentation, I'm going to try to explain to you why it's very difficult to implement your own crypto. And why even the most simple algorithms, like the one you share with the secrets of Shamir, are vulnerable to this kind of implementation problem. So I'm going to start by talking a little bit about the theory. I'm going to show you this algorithm on paper, and then I'm going to talk about implementation. To summarize this, here's a presentation a little bit about the difficulty in this talk. The first part, I'm going to try to keep it easier to understand, and the second part will be a little bit harder, but I think everyone in this room will be able to understand. So first part. We have this problem. Everyone doesn't consider it a problem, but when we have a key, a key, and I often say the example of a private bitcoin key, because in the end, this key is a password, and you don't want to lose this key. So you have a private bitcoin key, and you want to keep it somewhere in Lyosur, because there are maybe millions of euros that are kept by this key. And what does that mean? A safe place in this context is, first of all, no one can compromise the secret of this key. So this secret must be a secret, and the second thing is you don't want to lose this secret because losing this secret means losing your money. And the easiest way to keep your keys is to give your keys to your owner, and you throw them up in the paper over there, or if you take somebody from Lyosur, like your spouse or your law lawyer, and you give it to them, but then you have this thing called a failure. So the point of failure is one way that you can easily go wrong. So in terms of giving it to one person, one entity, one entity, one entity, one entity, like a house burning down in Lyosur, because these are the big problems, and if you throw it in a house, this house can burn down, and if you give it to a person, this person will betray you. So in terms of giving it to one person, to split up your trust, to be able to give some entity or entity that we trust to keep it secure for us, that's why we keep comparing souls to this. But first, let me take these secret calls to think, how would we do this in a simple, down-straight-forward way? At first, I should just be okay, we have a key of maybe say 30 characters, and we just take the first 10 characters, and then the second 10 and the third 10, and we give the first 10 to a single person, the second 10 we give to another person, et cetera, but in the case of crypto keys, so in a Bitcoin wallet key, then if you've got the first two, it's quite easy to brute force, to have the last one. So this is not really secure. A more theoretical, more secure approach would be to use a kind of one-time-bad construction. Now, one-time-bad construction is where you generate a random key, and then the secret call base, we can generate two shares, that's all I call them, our shares A and B are randomly generated, and our randomly generated A and B, we generate another share C, by using the actual combination of M and A and B, where M, A and B, and M is the secret. And then to reconstruct the secret, we can compute the actual combination of A and B, so you can write it out, because C is M, A and B, and so it's A and B, it's null with the formula, and so we get M. But here, we only solved the single point of failure in the problem of confidentiality, but we know that if we do that, the secret will remain secure, but it doesn't solve the problem of losing one of these shares. So a backup of this secret if we lose this secret, it's a problem that doesn't solve anything. We want something better. And we have something better, and we have something better for about 40 years. So a secret sharing was published about 40 years ago, and it got published about 40 years ago, and it's based on the Schema-Sueil, which means that we can share a number of shares from a secret, and the parameters of our Schema define how many shares should be shared to restore the original secret. So we don't need all the secrets. We don't need all the shares with us. So we can distribute five shares and three of them will restore the original secret. And if we lose one or two shares, it's not a big deal. Also, this Schema is secure. It's all-used. It's a term that I don't like. It doesn't mean much. I like the term which is quite better. And if you don't have enough shares, then you won't be able to restore the original secret. So you won't be able to restore the original secret. And this is not like encryption where you can brute-force, where you don't know the key and you can brute-force. But in fact, the part that's missing is so large that it's impossible to do that. And in this case, even with millions and millions of years of computing, we can't always be able to rebuild the key, the secret, based on the parts we have. And this implies also that it's resistant that it can squant some computers. It's not given an advantage here. So here's an example. Let's say I got my secret message, my secret key, and I want to distribute this M to my friends. They only have their shares. They cannot do anything. And I will still be able to rebuild my original secret with the parts if I ever lose it. So I can distribute five of these parts by just computing them. And then each of my friends is there. I might lose my share. So I have a secret. I lost my shares back. Even if one part spoiled up, well, even if one part spoiled up, it would be a secret. In other cases, we can still restore the share. Because at the beginning, I said the threshold value was four. So in this case, four shares is enough to restore my secret. I just compute my secret. And I get back my M. So obviously this is easy to do. See this is a little bit of a math. Now let's do the mathematical aspect. It's pretty funny. It's a little bit difficult to understand, but I will explain it to you. So for a threshold scheme where we want to distribute M shares, the threshold of recombining the original secret is K. Then we construct a random polynomial of k minus 1. So k times the power k minus 1 up till k minus 1. But it's now in the lowest boundary as a random value. We will leave those so secret as a secret message. So this simplifies to just use the number. And then we've got this polynomial, so we've got this polynomial p and we start generating polynomial. So for x equals 1, x equals 1, x equals 2, x equals 3, et cetera, then we distribute these points and we distribute these points so that in the end we can use these points to reconstruct the secret. And in our case, when we got this polynomial, we got all the coefficients of this polynomial, we also have the lowest coefficient, so we take these points, we can make a system of equations like in linear algebra. And this system of equations, we can solve it by finding the values of x and y. And if we have enough points, we can find the original polynomial. And we can do it like this. And in practice, we use the interpolation of Lagrange to solve it. Look at Wikipedia what it is, but it's easy to explain, so I'm going to explain it quickly. So this may be a bit hard to understand, but I have images. First, we take 42 as our secret message. Then we generate a random polynomial, so the first coefficient will be 4 and the second will be minus 25. So you've got this nice parabola. We can put some points on this parabola. So that we... In our case, four points. And we saw here three coefficients, so try to... We see that if you only have two points to reconstruct the secret, well, we can just do one right. With two points, we can only do one right. And then you have random points on the weakest coefficient. And that doesn't give us our secret. But if you have a third point, there you can do a parabola and so you can do x equals 0 and you can get your secret message. So solving the system of equations is like filling in these x and y values and then you can solve this on a piece of paper and you can win it in five minutes and you will get your message, which is 42. So this is all good. Well, we know this thing is a secret, so nothing goes wrong. So solving the system of equations is like filling in these x and y values is like filling in these x and y values is like filling in these x and y values is like filling in these x and y values is like filling in these x and y values. So nothing goes wrong. So this thing is basically theoretically secure for confidentiality, which means if your secret is secret, it will remain secret. But nobody said you couldn't just do it. Nobody said you couldn't just do it. So what we want to do is we have a share at the first person's table and we will share with the share. We will make a share which looks like the original share an extra part which looks like the original share but which actually resolves another secret. So here is a polynomial of degree two, degree one. So this is just a line, take two points and if I generate another point and we generate a new line, we bring back a malicious secret then we get a new point which is not the original point and then we have another information about the original secret and another information which gives me a false secret. So how to solve this? Well there's two things to solve. The first thing I know the other point that was shared was x equals two so this gives me information about how I can make a specific slope to get a new value to get a new value. The second thing I know is that the secret is sharing this is not going to be the case in every time. I don't know something about the original so the solution would be to randomize the secret but you say you can't share anything and it's over you can't find anything we'll come back to it. This is part two the implementation. So this was my introduction now the implementation and this is where most normal cryptographers stop talking because we have this beautiful schema it works, we know how to use it and now it's not like implementation is magic implementation is easy and as a crypto engineer I would like to insist on the point that it's not always the easiest thing of this process. The story is that Bitmark a Taiwanese company asked a library a library for the secret of Shamir we asked what you want and we want it to be used on every platform Android, IOS maybe microcontrollers somewhere in the future so we think what libraries are out there so there is SSSS and GHR it's the most known and we look at the code and we need a code that is really, really secure and also secure against side channel resistance and also secure against side channel attacks and the problem is that it wasn't very portable on platforms or it had cache problems, timing problems or defects in this case and in our case it wasn't acceptable in our customer demand. It's not bad, it's good libraries but for our specifications it wasn't enough so we implemented it ourselves and so there were 4 challenges for the implementation which are the following although there were more but those were the challenges the most important and most interesting to explain the cryptographic implementation so the first thing is this integrity problem that we saw earlier in the last slide in our introduction how to encode our values because we used just values and not bytes or integers where you have to choose something how to prevent side channel attacks and how to make this fast because I like the code that goes fast and I like the challenges and I like the difficult things so the first part the integrity problem we could either render the values X or render the secret the values X it wasn't easy to render because we needed very big values and in our case the implementation the computation and so the security decreases with the number of parts that we give so instead of that we said we will render what goes inside the algorithm so we used terms called hybrid encryption which is called hybrid encryption so instead of using our message and putting it directly in the Shamir algorithm we instead generated a random key and we can then put it in the Shamir algorithm and we used it in Shema to encrypt our secret message and so in this case we don't have to take a text and put it in an algorithm what we normally use for numbers the most important thing we can use an algorithm which is used to encrypt the numbers so that's how it works we encrypt the secret we encrypt the secret with a encrypt and when we want to decrypt it we take the key part we get the key back by recombining the original key and we use this key to decrypt the original message and this way we will get back the secret and this way we will get back the secret so the second challenge how to encode our values it's hard to understand why this is so complicated why this is a problem the people who don't know how to say the finite fields this kind of thing but in fact the essential point is this we have these numbers and when we work with computers we can't just take any number because we are limited we are restricted we can use integers we have floats or bytes in our case we want to take a structure a mathematical structure in which we can compute numbers and we want to take the key and we want to map it to this structure and the most common thing we do in cryptography is we take a really large prime and we take this prime and we compute modulo in prime and this works really well for some places we need a prime order or a large order so we will map a structure that has 256 elements so when we have a structure that has exactly 256 elements then we can map a byte with one of these numbers and for the mathematician the bottom thing is what we use we use a finite field a finite number determined by the polynomial of Reinal and this allows us to do a very very effective optimization and it boils down to the fact that when we have every octet separately in our secret we can implement an algorithm for an octet and then we do a loop and for each of the octets we are going to do a secret sharing and this allows us to parallelize the octets and then I will show you how we do this first thing is a rule of cryptographic implementation so side channel attacks are attacks that are not attacks on the outputs of an algorithm so I put something in the algorithm and I can see what kind of output and I know if the output is something and I know if the output is something the side channels are a bit of a lot instead of taking the output of the property of the algorithm we can actually measure for example the timing we can measure how much time an algorithm takes and if we know that a key has a certain position then it will take more time to compute so we can measure the time of computing of the algorithm and if it takes a long time we will know that there is a 1 and if it takes a shorter time it is not a 1 it is a 0 so we can do this iteratively and do this many times and we can take a big statistic and put a lot of statistics in there and sometimes it is easy to crack the code so the first rule you should never make a branch in an algorithm make branches in an algorithm if you have a decision you go there or there so the statements if, if else the if and the or and the logic it is defended it is defended to make branches in this algorithm so the second thing similar to the first which uses a a particular thing it is an attack on cache timing memory the timing is different if this piece of information if this piece of memory is already in the cache of the CPU or if it has to be searched of the hard disk and so it can last a long time and we may have the possibility to give information to the attackers so the third thing and you have to know of instructions which are variable in the time of the CPU so on the Intel processors for example the division the multiplication instruction these are variable time instructions so if you look at the manual of some old CPU you also see that other instructions for example the multiplication can be variable time so you really have to look out for that and that kind of brings me to my final point how to do that in a high level language like C and how do we do it fast and so we will do that by the bit slicing the bit slicing is a fantastic technique so we have all these bytes and we share these bytes separately so what we can do we can parallelize the CPU on each byte and remember a CPU is made up only of logical instructions right? so we would be able to multiply and add using logical instructions so what we do is we take these bytes we take the first bit of every byte and we put it in the register and we take the second bit of every byte and we put it in another register and for every bit in these bytes we will put them in a separate register and at the end we will have 8 different registers that we have used so we will implement this algorithm instead of using normal operators like the division, the multiplication etc we will be using only logical bitwise operators like the bits bitswise bitswise bits and remember like this more to bits so this is just a really small part of how we see people add this and this is for example how we could do this so this thing we will do it in these circuits and when we finished in our case on a 32 bit platform we could do for example on old ARM processors so we have a much larger processor and with a 32 bit parallelization factor so this was a 32 bit platform if we use a 64 bit platform we could have a parallelization factor of 64 bits and on an AVX and even it works on CPUs that are not detected so let's see the whole thing at the end we have implemented this algorithm so we take this random number which is by the way one of these other challenges that I did not talk about and we generate a random key we can see a secret message and then and then we take this key and we visualize it and we can can compute our secret shares in parallel and then when we do this computation we actually have to undo the bit slice operation and that's our shares and we store our important secret it's just your way around we take our shares we bit our own we get our own we get our own we execute the recombination with an algorithm interpolation of the branch of course we have to undo the bit slice at the end and we use this key to decrypt and verify the original text so the performance is very good to finish these are kind of bench marks not genius because I didn't do I did this presentation I did a quick benchmark it's not the best but a loop takes 10 microseconds I have no idea why the rust bindings is better than the others if someone can tell me but in the end roughly 100,000 calls per second and it's really a good performance we don't really need to have a better performance but if we need half of the time I noticed the algorithm and not the secret sharing so we can optimize this and implement an even better encryption so we want to use Twitsalt and it's very good a very good implementation which is portable but it's not optimized for the performance so in the end what could have gone wrong what could have been wrong the first thing is it's something that we the crypto specialists we see this on stacks people think that the encryption of a secret will make it secure at the level of integrity because if it's encrypted people can't change it so they can't have another value but in the case of cryptography it's not the case integrity is only if you have an authentication of the message or in our case you use an authentication authentication the second thing that could have gone wrong is the timing attacks and the timing attacks are things that exist in a lot of implementations that can be done in a lot of implementations so this gives me the impression that the crypto engineers of this world don't really know about this crypto implementations and that there are very few crypto specialists otherwise there would be timing attacks all the time or we wouldn't have timing leaks in the description what was recently published in the paper so it's a problem and the last problem in this case it was the armory armory had a very safe bitcoin system and armory had given they didn't generate completely random polygons and that had pretty bad vulnerabilities since these keys weren't really random very bad implementations so we are in a very dangerous place ok here's a sidetrack this is something the most dangerous limited to crypto what most programmers don't think they don't think that their code is going to be used by everyone to do what they want and I think it's important to ask ourselves what does this software how is this software can it be used and how can this software be used by people with bad intentions who don't want to respect the rules and I'm telling you this because I think most developers will have to ask themselves this question more often in our case we distribute secrets to the masses to a good number of people and we distribute secrets to people and stuff so I don't even think that the malicious user is able to use a malicious user to use it to use our system to power most of the time centralized because most of the cases where it's dangerous is when there's a lot of control and this tool is able to decentralize this control but the second thing is that we seem responsible when we write the software when we write the library, the crypto when we write the code that will test Volkswagen we are responsible for what happens with this code so to come back I'm going to show you a little demo that will probably go wrong so I installed my key sharing tool yeah I'll try to so wait can I enlarge it? no that's better so how does it work? how does it work? we can do 5 secrets with a secret with a secret with a secret and what's my secret? let's see let's say I don't know Piranha, Acid and Acetone the acid of Piranha and Acetone can explode so we have secrets here so I'm going to copy and paste in my restoration script starting from the third one I'm not going to take the first one and I'm going to take the second to the fifth and you can see what's going on when it's missing yes it worked thank you god for the demo so during the intro of this presentation I told you, don't implement your own crypto and I hope that you may have seen a couple of reasons I've given you quite a few things about why implementing crypto is hard to do and so I'll say to you and I'm going to leave you with this message try to implement your own crypto try to implement it try to understand how it works but if you find yourself really sure about if you're not really sure you're not 100% sure what your implementation is and that your implementation is sure against all types of attacks if your implementation is not resistant to side attacks or if you have this unique bit of content in your processor so in that case put a huge warning message on top of your academic code it's academic code I did that to teach myself how to implement it but I'm not sure I haven't checked it so don't use that for whatever you need for real security so that's it these are some people I wanted to thank and my slides can be on my website if you want to see my slides you can find them on my website I have some if you want to if you want to read more I haven't registered my number so this number doesn't work and that's it do you have any questions? Dan Sprenkels thank you very much thank you any questions? please feel free to assemble behind the microphones and I will put you through then question on the audience question on the internet you can ask Angel in English so how are you sure that you didn't make any mistakes in your implementation? well that's the terrible thing in cryptographic implementation well I do have unit tests but the unit tests it's not always the solution to all the problems because the space is more large than what you need and in the case of my curve the only thing I can try to do is to prove each function and it's really error-prone it's easy to make mistakes but honestly I'm not 100% sure that my implementation doesn't have any errors I didn't make any mistakes I checked it for me and I'm quite sure but still I'm not 100% sure 100% and I think it's the case with all the codes that have to do with security in our domain first of all thank you for this very interesting presentation a technical question I saw in your demo that the parts are significantly bigger than the original my question is at what point the data volume is more important than the input volume does it depend on the number of parts required for the reconstruction let's review this presentation what we do we have this key and we have this point this value X so we have to add a single value for X an octave because we work with an octave and so it's 1, 2, 3 and this will be the first octave of our part then we take this key this key has to be generated and this key has to be generated for the encryption algorithm 256 bits these 32 octets and so it adds 32 extra octets so at the end we only have 33 octets which are added to our part but however the number of parts that we generate and the threshold the same number of octets in the part and looking at the secret part we can't guess the threshold was it your question question from the internet so Gailus on Twitter says thank you and the question is can we defend ourselves against social engineering attacks if someone tries to convince people to give the parts that's a good question that's something I haven't solved yet for myself because I don't have the environment of each person so what I recommend is generate 5 generate 5 generate 5 parts generate 5 parts and with a threshold of 5 to have the security you have to choose yourself who do you trust who can you trust your secret portions it's a question I can't answer for you a question about the the problem of integrity how exactly does your encryption solve the problem and is it a good question so here we have here we can avoid the secret because the original secret was a value we know and so what it does is it's random the value what the secret is so if we change a portion the value of the algorithm will be completely random because the original thing was completely random so what our algorithm does is in the Salsa 20 Polynome 3 or 5 in the description so it's going to use the authentication bit and it's going to say that it didn't pass the authentication test and it's going to say that it's a valid and so it's going to say no it doesn't work Mike one please hello it's similar to a previous question probably but it's going to be similar to a previous question but let's admit that I want to protect the Bitcoin wallet which is very important and I don't want to trust anyone is it an option I would like to avoid that 3 members of my family agree to recover my wallet is it an option to double the number and to give only 50% yes but it creates other problems because people lose the share they lose their portion so it's a trade off you have to weigh the poor and the against I'm going to tell you an anecdote that is an anecdote if you have your Bitcoin wallet and you want your inheritors to be able to inherit after your death so you choose to distribute your shares so they can reconstruct the secret after your death it's also an application but in your case if you have a system where you have yourself most of the shares in this case you always have the fact that if you lose those shares you also lose the secret those in your case maybe that's what you want I'll see please Doddick is asking if you're separating the message if you're separating the message in individual octets and then we apply SSS on each of these octets do we have a problem if the timelapse which is that the patterns in the data are not masked well that's also why we used this encryption scheme of numbers this hybrid scheme works on the whole on the whole of the message and the Shamir algorithm works on a key and there's nothing better because we generate the secret key in a completely random way well I come from a field which is a similar field where we have problems that look like that I work on the error correction codes and in my research there are many types of error correction for example verification code for the few of them and I can see similarities we could turn a little bit for a similar implementation so I did yes indeed and the reason for which we used this it's not for security considerations but because the Polinom Salsa 20 the implementation of Salsa 20 of Polinom 3 and 4 was already there so if I did that the secret sharing it's not the only algorithm that has numbers so there are others we also have Peterson and it's a secret sharing which solves the problem of integrity but which is more complex so that's probably what I would have used number 2 please hi great talk excellent presentation to talk about the implementation could you talk a little bit more about the relationship between the optimizations that are introduced by the compiler or the one introduced by the developer and the optimizations and the vulnerability my question is do you hate the optimizations of the compiler? well yes the compilators sometimes make good choices in the normal code but if I do something in C I want it to be like that so I don't want optimizations so I don't hate the compiler in C I choose to program in C and the really low level stuff I assemble them so yes they do not they don't have the obligation to take us to take us into consideration as a crypto engineer so what can I say maybe it's not bad to have an option you can say to the compiler yes I really want this thing I want the optimization but please don't think that this thing is not read in memory after this line that you have to initialize it to zero because I want this key value to be zero at the end so yes there are tricks with the compilers that we can do that we can use that's how we do it when we really need to say to the compiler yes we really want to do that we don't optimize most of the time Peter and I we look at the assembly code and we say ok they did it and so if it's really really critical we implement it in assembly and it's good what would be your advice to what would you recommend you said at the end you said to the people to implement their own crypto but we don't have enough crypto engineers to analyze and check if it's the right crypto so what can you say for people who implement their own crypto what should we do good question we you can always look at the assembly code you can always look at the assembly code and see what it gives the first two items that I showed you the first two items that I showed you don't do any branching don't do any look up because the compilers won't do any error if you don't do statement if they won't use any branching and most of the time they won't change an instruction they won't change the multiplication so if you have this kind of simple instruction instructions that are not that big a deal that's complex another thing is so it's important to do like that another thing it's not a good thing that I'm saying but there are a lot of not really good implementations not good on the market and if your implementation is better than what exists it's good right microphone number 4 please hi so what you said we don't have the fresh old if we have more or less shares if we are in a real world and that we distribute the parts to people in the family that we don't have the good number of parts to rebuild we don't have the money does it try to build a pool of bad degrees so it will build a pool of bad degrees and it will try to use the lowest coefficient to try to decrypt our secret and it won't work so if we have too many portions so the resolution of the equation will work so more portions will not be a bad thing there is just a problem which is if you have double portions so it won't work with the first error and that's one thing that I haven't resolved yet in a satisfying way okay number 3 hi thank you for the talk thank you for this presentation how is your code to be used how far are you ready to use the code you made in production I mean how much do you need is your code the code and the tools around how is it safe and ready to be used that's a dangerous question because if I say it's really safe people will use it if I say it's not safe it's my fault I did it and I checked it and I checked it and so other crypto engineers checked it and my methods were checked by other crypto engineers and the code I'm sure there will be no problem because the way we do this is by operating by operation by operation it's quite easy to do that in a correct way and go ahead thank you my question you're talking about optimization and I was thinking rather than using a large number to generate the end wouldn't it be better to use a number a little bigger than the secret yes but the deductions are difficult in a constant time in a constant time so if we do a modular reduction in the in the curve number conditional subtraction we do a conditional subtraction and this conditional subtraction will be done only when when numbers bigger than a number first or if there is an overflow during a subtraction a bit of overflow and this can be done easily in a software because we can do this in a constant time but it becomes more difficult when our prime is number first when our prime is not chosen at the time when we built the software also when this prime is not really regular so that's why there is this prime it's 2 to the power 255 minus 19 it's really easy to implement the crypto because it's easy to reduce because each number bigger than this we can do a square until the next prime and do an overflow and there we don't have a regular number this problem becomes difficult and we have to use another library which is not resistant to the lateral channel attack so if I understood the security of the global system depends on the integrity and the security of the machines on which we execute the calculations is it possible to distribute the calculations done in this algorithm the shamir secret yes there are tests yes indeed where you can compute these things separate on separate orders but we said in our implementation that the computer on which we do the calculations is sure because it also has the secret because if we trust the computer to have the secrets we can also trust it for the computer for the number no other question well thank you very much thank you it was the French translation to share our secrets from Dan Sprenkel