Date: Tue, 14 May 2024 13:42:45 +0000
From: Andrew Poelstra
To: Rama Gan
Cc: "bitcoindev@googlegroups.com"
Subject: Re: [bitcoindev] Penlock, a paper-computer for secret-splitting BIP39 seed phrases

On Tue, May 14, 2024 at 12:03:45PM +0000, Rama Gan wrote:
> Hello Andrew,
>
> Thank you for sharing your thoughts.
>
> - Penlock implements arithmetic operations differently than Codex32. Additions
>   and subtractions are implemented with a slider-wheel (only possible with
>   GF(P)); Multiplications and "divisions" are done with volvelles. There is
>   indeed a risk of using the slider-wheel in the wrong direction, and this is
>   mitigated by 2-of-N not using additions at all.
>

FYI even in GF(P), you can do multiplication and division using slide
wheels. I'm not sure if doing so would interfere with your other
multipurpose volvelle constructions. (Every nonzero number in your field
is 2^n for some n, so you can do multiplication/division by adding in
the exponent.)

The resulting slide wheel would not have a natural ordering.

> - An experienced user can compute a 12-words checksum in 4mins, and verify its
>   correctness in 3 mins. Checksumming 24-word is quite doable, but then the
>   difficulty comes with the shares derivation part that takes close to an hour
>   and feels really tedious (again, for 24 words). For reference, an
>   experienced user can secret-split a 12-words sentence in 45 minutes. A
>   24-words sentence will more than double that due to getting tired and losing
>   focus.
>

The checksumming numbers are impressive but a little surprising -- in
codex32, "translation" is a process of similar complexity on fewer
characters and it takes me 5 minutes or so. Perhaps the difference is
that you can use a slide wheel with a natural ordering, while we are
using a slide chart? At some point I will work through your process and
see how it feels.

For what it's worth, codex32 quickchecks can be done in ~5 minutes as
well. Though of course they are much less powerful than your checksum.

Interesting that the splitting and recovery processes take such a long
time. But I guess this is explained by the large number of characters
produced by the checksum.

> - The 2-of-(N<=26) case is handled with a variant of Shamir's algorithm that
>   can be fully implemented in a single wheel. I'm about to post a presentation
>   that will go into more details about that. For (K>=3)-of-M cases there's
>   indeed a recovery wheel, plus a volvelle that does translation+fusion on the
>   same side (see: https://beta.penlock.io/kofm-wheels.html).

Very cool. Though you say "single wheel" but you actually need two --
one to get the solving window and one to actually do the recovery.

If I understand correctly, the "solving window" is equivalent to a
"recovery symbol" in codex32. If so, despite the simple interpretation
as "the difference between the shares", this object is secretly a
Lagrange polynomial and you can *also* compute it using a slide wheel
rather than a full lookup-table volvelle. (The reason for this is not so
simple, and described in the codex32 math companion [1] ... but possibly
if you believe it's true you can just "brute force" it without
understanding why by just progressively constructing a wheel, doing
various recoveries and filling in blank spaces by cross-referencing
against your existing volvelle.)

[1] https://secretcodex32.com/docs/2023-08-23--math.pdf

-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZkNqVZFNBNTq7mAL%40camus.
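The two points in the message above, multiplying by adding exponents of 2 and the recovery symbol being a Lagrange coefficient, as an added example that is not part of the original message and is not Penlock or codex32 code. It assumes P = 29 (the thread only says GF(P)) and plain integers as share indices; all function names are illustrative.

```python
# Added illustration. P = 29 is an assumption: the thread only says "GF(P)".
P, G = 29, 2  # G = 2 is the generator named in the reply

def build_wheel(p=P, g=G):
    """Return (exp, log): exp[n] = g^n mod p and log[g^n] = n."""
    exp, log, v = [], {}, 1
    for n in range(p - 1):
        if v in log:  # cycle closed early, so g is not a generator
            raise ValueError(f"{g} does not generate the nonzero elements of GF({p})")
        exp.append(v)
        log[v] = n
        v = v * g % p
    return exp, log

EXP, LOG = build_wheel()

def mul(a, b):
    """Multiply by adding exponents, as a slide wheel would."""
    if a == 0 or b == 0:
        return 0  # zero has no exponent and needs its own rule
    return EXP[(LOG[a] + LOG[b]) % (P - 1)]

def div(a, b):
    """Divide by subtracting exponents."""
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(P)")
    return 0 if a == 0 else EXP[(LOG[a] - LOG[b]) % (P - 1)]

def recovery_symbols(xs, target=0):
    """Lagrange coefficient for each share index in xs, evaluated at target."""
    symbols = {}
    for xi in xs:
        c = 1
        for xj in xs:
            if xj != xi:
                c = mul(c, div((target - xj) % P, (xi - xj) % P))
        symbols[xi] = c
    return symbols

def recover(shares, target=0):
    """shares maps index -> value; returns the polynomial's value at target."""
    symbols = recovery_symbols(list(shares), target)
    return sum(mul(symbols[x], y) for x, y in shares.items()) % P

if __name__ == "__main__":
    # Constructed shares of f(x) = 17 + 5x over GF(29); the secret is f(0) = 17.
    print(recovery_symbols([1, 3]), recover({1: 22, 3: 3}))
```

The exponent table has no natural ordering (it starts 1, 2, 4, 8, 16, 3, ...), which matches the remark about the resulting slide wheel.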