shushcli / shush

CLI for Shamir's Secret Sharing and AES key generation, encryption, and decryption.

Bitcoin Bounty 💰

shushcli opened this issue · comments

I've used shush to...

  1. generate a key
  2. encrypt a tarball containing a bitcoin private key among other things
  3. split a 3 of 5 shamir of the key

bounty_files.zip contains 2 of the shards and the encrypted payload containing a private key for this address.

If you successfully break the AES or the shamir shares, then you can transfer ~$200 of BTC to your own wallet.

If you submit an issue explaining how you did it, or better yet how to fix it, I'll double the reward.

You're using SSS to split an AES key, and then encrypting a message (with AES-GCM) with the key you hope your recipients recover. This has a weakness that won't let me pilfer your Bitcoin private key from your zip file, but it will allow a different attack that might be relevant to your users' threat models.

A little bit of background: AES-GCM is not key- or message-committing.

What an attacker can do with this knowledge is substitute shares that will recover a different AES key, which will decrypt to a different plaintext. This is true because:

  1. AES-GCM is not robust against random key replacement, and
  2. SSS provides no integrity guarantees of the original key (due to its information-theoretic nature).

There are a few ways you can prevent this:

  1. Commit HMAC-SHA256(some constant || nonce, key) alongside the ciphertext. This defeats the information-theoretic security guarantees of SSS by providing an oracle they can query to validate that they have the correct key when performing the analysis, but that might not matter for this application.
  2. Replace AES-GCM with AES-{CBC, CTR} (select appropriate) then HMAC-SHA256 of the ciphertext.

You can find related research here.

@soatok thank you for this thoughtful comment!

I considered CBC + HMAC when building this originally (and trying to parse discussion threads about AES modes), but didn't have a clear understanding of the trade-offs. If I decide to version this tool, I'll re-issue the bounty.