[titzer]

Even just putting half the key on paper and not putting the rest could make brute-forcing the rest feasible. Even knowing just 1 bit makes brute-forcing 2x as easy. 8 bits? 256x easier, etc.

[_ihaque]

One would use a scheme like Shamir's secret sharing [1], not literally cutting the exact bits of the key into strips.

> To unlock the secret via Shamir's secret sharing, a minimum number of shares are needed. This is called the threshold, and is used to denote the minimum number of shares needed to unlock the secret. An adversary who discovers any number of shares less than the threshold will not have any additional information about the secured secret-- this is called perfect secrecy. In this sense, SSS is a generalisation of the one-time pad (which is effectively SSS with a two-share threshold and two shares in total).

[1] https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

[mananaysiempre]

(Shamir’s scheme is delightfully straightforward, but if polynomial interpolation over finite fields isn’t a thing you feel in your bones, try inventing an n-of-n-shares scheme that only uses xor and a random-number generator. Gb nyy ohg bar bs gur cnegvpvcnagf, tvir n puhax bs enaqbz qngn nf ybat nf gur frperg; gb gur ynfg bar, tvir gur kbe bs gur frperg naq gur enaqbz puhaxf. You probably don’t want that in production, but it’s nice to figure it out and even utterly simple to prove it secure, provided you understand the proof for one-time pads.)

[tejohnso]

This immediately came to mind as a possible tactic because polynomial interpolation is covered nicely in A Programmer's Introduction To Mathematics[1] which I started reading recently. Highly recommended.

[1]: https://pimbook.org/

[titzer]

Oh yeah, I know about that. I meant to intentionally release only part of the key specifically to make brute-forcing easier for your heirs. I mean, hey, they gotta work for it, you just give them a leg up! :)