Shamir Secret Sharing for Dead Man's Switches

1. The Trust Problem

Traditional dead man's switches require trusting a central provider. If you store an encrypted message with a service that releases it upon your incapacitation, you must trust that:

The service won't shut down before the trigger condition
The service won't be compromised by attackers
The service won't be compelled by authorities to release or suppress content
The service won't become malicious under new ownership

These are not paranoid concerns — they describe the actual failure modes of every centralized digital legacy service that has operated over the past two decades.

Shamir Secret Sharing eliminates this trust dependency by distributing cryptographic control across multiple independent parties, none of whom can act alone.

2. Mathematical Foundation

Shamir's Secret Sharing Scheme (1979) is based on polynomial interpolation. A secret S is encoded as the constant term of a random polynomial of degree k-1, where k is the reconstruction threshold.

2.1 Share Generation

To split a secret S into n shares with threshold k:

Choose k-1 random coefficients a₁, a₂, ..., aₖ₋₁
Construct polynomial f(x) = S + a₁x + a₂x² + ... + aₖ₋₁xᵏ⁻¹
Generate shares as points: (1, f(1)), (2, f(2)), ..., (n, f(n))

f(x) = S + a₁x + a₂x² + ... + aₖ₋₁xᵏ⁻¹ (mod p)

All arithmetic is performed in a finite field — either GF(2⁸) for byte-level operations or a prime field GF(p) where p > S.

2.2 Secret Reconstruction

Given any k shares, the secret is recovered via Lagrange interpolation:

S = f(0) = Σᵢ yᵢ · ∏ⱼ≠ᵢ (xⱼ / (xⱼ - xᵢ))

With fewer than k shares, the secret is information-theoretically secure — an attacker with k-1 shares learns nothing about S.

3. EchoLock Implementation

3.1 Parameters

Parameter	Value	Rationale
Total shares (n)	5	Practical guardian recruitment
Threshold (k)	3	Tolerates 2 unavailable/malicious guardians
Field	GF(2⁸)	Efficient byte-level operations
Secret size	32 bytes	AES-256 key

3.2 The Secret Being Shared

EchoLock does not split the message itself. Instead:

Message is encrypted with AES-256-GCM using a random 32-byte key
The AES key is split via Shamir into 5 shares
Encrypted message is published to Nostr (publicly visible but unreadable)
Each share is encrypted to its guardian's public key and stored on Nostr

This separation means:

Message ciphertext is public (can be replicated across relays)
No single party holds the decryption key
Guardians can verify they hold valid shares without learning the key

3.3 Share Distribution

// Client-side share generation and distribution
async function distributeShares(
  aesKey: Uint8Array,
  guardians: Guardian[]
): Promise {
  // Split 32-byte AES key into 5 shares, threshold 3
  const shares = shamirSplit(aesKey, 5, 3);
  
  for (let i = 0; i < guardians.length; i++) {
    // Encrypt share to guardian's Nostr pubkey via NIP-44
    const encryptedShare = await nip44Encrypt(
      shares[i],
      guardians[i].npub
    );
    
    // Publish to Nostr as kind:30079 event
    await publishShareStorage(
      switchId,
      guardians[i].npub,
      encryptedShare
    );
  }
}

4. Security Properties

4.1 Threshold Security

With a 3-of-5 threshold:

2 colluding guardians learn nothing about the secret
2 unavailable guardians don't prevent recovery
Any 3 guardians can reconstruct (including with user assistance)

4.2 Information-Theoretic Security

Shamir's scheme provides perfect secrecy: with k-1 shares, every possible secret is equally likely. This is stronger than computational security — it holds even against adversaries with unlimited computing power.

Critical Property

Unlike encryption (which could theoretically be broken with sufficient computation), Shamir shares below threshold reveal mathematically zero information about the secret.

4.3 Guardian Independence

Each guardian:

Holds exactly one share
Cannot determine if other guardians have released
Makes independent release decisions based on heartbeat monitoring
Cannot be compelled to release without revealing possession

5. Failure Mode Analysis

Scenario	Shares Available	Outcome
Normal operation	5	No release (heartbeats continue)
User incapacitated, all guardians respond	5	Recipients recover secret
User incapacitated, 2 guardians offline	3	Recipients recover secret
User incapacitated, 3 guardians offline	2	Recovery fails (insufficient shares)
2 guardians collude to steal	2	Learn nothing (below threshold)
Guardian + attacker collude	2	Learn nothing (below threshold)

6. Comparison to Alternatives

6.1 Multi-signature

Multi-sig (e.g., 3-of-5 Bitcoin multisig) requires all signing parties to coordinate simultaneously. Shamir shares can be collected asynchronously — recipients gather released shares over time, then reconstruct locally.

6.2 Key Escrow

Traditional escrow holds the complete key with a trusted party. Shamir eliminates the trusted party — no single entity ever possesses the key.

6.3 Time-Lock Encryption

Time-lock puzzles require continuous computation. Shamir + Nostr heartbeats provide human-verifiable time conditions without computational assumptions.

7. Implementation Notes

7.1 Field Choice

EchoLock uses GF(2⁸) (the Galois field with 256 elements) for efficiency. Each byte of the AES key is split independently. This allows:

Single-byte arithmetic (no big integer libraries)
Constant-time operations (side-channel resistance)
Efficient WebAssembly/JavaScript implementation

7.2 Share Verification

Guardians can verify share validity without reconstructing the secret using Feldman's Verifiable Secret Sharing extension. EchoLock publishes commitments Cᵢ = g^(aᵢ) allowing guardians to check their share against the polynomial commitment.

7.3 Share Refresh

Shares can be refreshed (re-randomized) without changing the underlying secret. This allows guardian rotation — replacing a compromised or unavailable guardian without requiring the user to re-encrypt their message.

8. Conclusion

Shamir Secret Sharing transforms the dead man's switch trust model. Instead of trusting one party completely, users distribute trust across multiple independent guardians. The mathematical properties guarantee that:

No subset below threshold learns anything
Any subset at or above threshold can reconstruct
The service provider is not a privileged party

Combined with Nostr's censorship-resistant messaging and Bitcoin's unforgeable timestamps, Shamir sharing enables dead man's switches that survive the elimination of their creator.