
[Feature Draft/Discussion] sssss4ss - super simple shamir secret sharing for seedsigner? #552

Open
VzxPLnHqr opened this issue May 2, 2024 · 8 comments

Comments

@VzxPLnHqr

This is very much a rough draft, or even worse, just some notes. However, I wanted to share them to see if there might be demand for adding a feature like this to seedsigner. Feedback and comments welcome!!

See the gist here: simple shamir secret sharing

TL;DR:

Shares are valid 24-word BIP39 mnemonics. The master secret is a valid 12-word BIP39 mnemonic.

From the user perspective everything they need to store and handle in the physical world is simply a valid BIP39 mnemonic thereby achieving maximum (currently) interoperability when it comes to loading stored entropy from the physical world into these devices.

Devices do not need to add share-specific scanning flow or learn how to recognize more types of QR codes since all shares are valid 24-word BIP39 mnemonics. Of course this has benefits and drawbacks. Maybe the drawbacks outweigh the benefits, but it has been an interesting exercise to think through regardless.

@VzxPLnHqr
Author

As a quick example, take the following 3 shares which are each valid BIP39 24-word mnemonics,

> aim lamp birth embark airport convince pepper rib submit perfect uncover unfair legal polar mind unknown put health organ happy struggle current horse inmate
> cake occur sweet glow vicious model invest sick tennis input hero middle drastic cushion excess armor burst disease economy devote satoshi scrap game dust
> deal tray slot uncle sign toss hurdle beauty cheap imitate north zoo total discover siege travel nice future pudding furnace brief once miracle session

and any 2 of the 3 shares can be combined to recover the valid BIP39 12-word mnemonic

= abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about

Rather than use GF(2^128) as the underlying field for the secret sharing, for simplicity this example used the field Z_p where p = 2^128 - 159. As such, there is a probability of approximately 2^(-120) that a randomly selected bitstring of length 128 will be greater than p (so, in practice, this is not really an issue).

Here is the uncommented code and test demonstrating the above. If there is any interest, I would be happy to clean that code up with some comments so that it might be easier to use as a reference.
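For readers who want to see the field arithmetic behind the 2-of-3 example above, here is an added Python implementation of Shamir secret sharing over Z_p with p = 2^128 - 159. It is not the gist's code and not SeedSigner's. The demo secret is 0, which is the entropy behind the 12-word `abandon ... about` mnemonic in the BIP39 test vectors, and each (x, y) share is packed into 32 bytes, the entropy size of a 24-word mnemonic. The `x || y` layout and the choice of random non-zero x coordinates are assumptions, not the gist's share format, and the BIP39 word encoding itself is left out because it needs the 2048-word list. It also includes the check for the 2^-120 edge case mentioned above: a 128-bit entropy value that is not below p cannot be a field element and must be rejected.

```python
"""Shamir secret sharing over Z_p, p = 2^128 - 159 (added example, not the gist's code)."""
import secrets

# Prime modulus from the thread's example. 2^128 - 159 is the largest 128-bit prime.
P = 2**128 - 159
FIELD_GAP = 2**128 - P  # the 159 bitstrings of length 128 that are not field elements


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x over Z_p (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def entropy_fits_field(entropy: bytes) -> bool:
    """True if 16 bytes of BIP39 entropy (128 bits) are a valid element of Z_p."""
    if len(entropy) != 16:
        raise ValueError("expected 128 bits of entropy")
    return int.from_bytes(entropy, "big") < P


def rejection_probability() -> float:
    """Chance a uniformly random 128-bit value is >= p: 159 / 2^128, about 2^-120.7."""
    return FIELD_GAP / 2**128


def split_secret(secret: int, threshold: int, n_shares: int, rng=secrets.randbelow):
    """Split a field element into n_shares points; any `threshold` of them recover it.

    Assumption (not the gist's documented format): x coordinates are random non-zero
    field elements rather than 1..n, so a share does not carry a visible index.
    """
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element (128-bit value below p)")
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    # a0 is the secret; the remaining threshold-1 coefficients are uniformly random.
    coeffs = [secret] + [rng(P) for _ in range(threshold - 1)]
    shares, used_x = [], set()
    while len(shares) < n_shares:
        x = rng(P - 1) + 1  # non-zero: f(0) is the secret itself
        if x in used_x:
            continue
        used_x.add(x)
        shares.append((x, _eval_poly(coeffs, x)))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over Z_p. Needs >= threshold distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        # den^(p-2) is the modular inverse of den (Fermat), since p is prime.
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def share_to_bytes(x: int, y: int) -> bytes:
    """Pack a share into 32 bytes, the entropy size of a 24-word BIP39 mnemonic.

    Constructed layout (assumption): 16-byte big-endian x followed by 16-byte y.
    Both fit because every field element is below p < 2^128.
    """
    return x.to_bytes(16, "big") + y.to_bytes(16, "big")


def share_from_bytes(blob: bytes):
    """Inverse of share_to_bytes."""
    if len(blob) != 32:
        raise ValueError("expected 32 bytes of share entropy")
    return int.from_bytes(blob[:16], "big"), int.from_bytes(blob[16:], "big")


if __name__ == "__main__":
    # Secret 0 is the entropy of the BIP39 test-vector mnemonic "abandon x11 about".
    master = bytes(16)
    assert entropy_fits_field(master)
    shares = split_secret(int.from_bytes(master, "big"), threshold=2, n_shares=3)
    for x, y in shares:
        print(share_to_bytes(x, y).hex())  # 32 bytes -> would become a 24-word mnemonic
    recovered = recover_secret(shares[:2])
    print("recovered entropy:", recovered.to_bytes(16, "big").hex())
    print("rejection probability ~ 2^%.1f" % (rejection_probability().bit_length() if False else __import__("math").log2(rejection_probability())))
```

Any two of the three printed shares reconstruct the all-zero entropy; a single share gives no information because the random coefficient makes every y equally likely. Note that a wallet loading a 12-word mnemonic as the master secret has to perform the `entropy_fits_field` check before sharing, otherwise the 159 out-of-range values would silently wrap modulo p and recover to a different mnemonic.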

@BenWestgate

Supporting Codex32 BIP93 would be better as the strings are easier to transcribe and type in.

@VzxPLnHqr
Author

I do agree that supporting codex32 would probably be better, if nothing else because it (presumably) is more researched/tested than the concoction presented in the linked gist. But I am not sure I follow what you mean regarding the strings being easier to transcribe. Transcribing english words, at least for most people, is easier than transcribing a bech32 string I think.

Maybe we need a bech32 alphabet which consists of words, rather than single characters/symbols?

@BenWestgate

> But I am not sure I follow what you mean regarding the strings being easier to transcribe. Transcribing english words, at least for most people, is easier than transcribing a bech32 string I think.
>
> Maybe we need a bech32 alphabet which consists of words, rather than single characters/symbols?

It's fewer characters. The average word in BIP39 is 5-6 characters, so 60-72 vs 48. And BIP39 has no error correction, while codex32 can detect 8 substitutions and correct 4.

I wrote the first wallet software to create and recover codex32 seed backups: https://github.com/BenWestgate/Bails/

In my testing, I can write a 48 character codex32 string in 45 seconds and type it on a qwerty keyboard in 30 if I go fast and let the error correction fix any typo. It feels pretty ergonomic, I've had boomers test it as well with similar comparative ease vs bip39 mnemonics.

If it were absolutely required to use words (trying to turn a codex32 string into a brain wallet/share for example) the SLIP39 wordlist is 10-bits and can directly encode 2 bech32 characters. However writing and typing this is much more labor than 48 bech32 characters, but it would be easier to memorize these SLIP39 words in a pinch.

@VzxPLnHqr
Author

> I wrote the first wallet software to create and recover codex32 seed backups: https://github.com/BenWestgate/Bails/

Very cool! Thanks for sharing. Maybe trying to get a prototype of Codex32/BIP93 into seedsigner would be a good start then, like you suggested, especially since you have already implemented it.

> In my testing, I can write a 48 character codex32 string in 45 seconds and type it on a qwerty keyboard in 30 if I go fast and let the error correction fix any typo. It feels pretty ergonomic ...

Interesting, and good to know you have had success with the testing. Did you find that there was a sweet spot as to the number of characters you would remember/transcribe at a time?

@BenWestgate

> Maybe trying to get a prototype of Codex32/BIP93 into seedsigner would be a good start then, like you suggested, especially since you have already implemented it.

BlockstreamResearch/codex32#58 (comment)

> Interesting, and good to know you have had success with the testing. Did you find that there was a sweet spot as to the number of characters you would remember/transcribe at a time?

4 characters is a common standard that fits in the working memory of most.

Recommendations for wallet developers were compiled here:
https://github.com/BlockstreamResearch/codex32/blob/master/docs/wallets.md

There is no corresponding document of recommendations for creating codex32 backups electronically. I will write a draft for that soon.

@bcyng

bcyng commented Sep 12, 2024

why not just support slip39 shares?

@VzxPLnHqr
Author

> why not just support slip39 shares?

As I said in the gist, it would be better to use something like codex32 or slip39 and would be great if devices like seedsigner had support for those.
