Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1C925117C for ; Fri, 21 Sep 2018 19:30:12 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f50.google.com (mail-oi0-f50.google.com [209.85.218.50]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0989EB0 for ; Fri, 21 Sep 2018 19:30:10 +0000 (UTC) Received: by mail-oi0-f50.google.com with SMTP id p84-v6so12352687oic.4 for ; Fri, 21 Sep 2018 12:30:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lifewithalacrity-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=b33vR+pLF5uAn5jtezCutV2v6ZnKPtqGvYiw/AynSRQ=; b=fb5HX2mMgzOjhoOrygGSH9DoV71LOkMeBnu/Jx0oe54xH/dsKPAEDiXDE0AlISv/2t W/mWcH8snw9tIIDbF0QJXGqMAeDO1ZT86m4PBwCOMza5gdN//Mkw0QFezC13D0352igS Ue/KgQkhwndk9wsWAgYiQGczkIlNivS7ovcKDydoEepbeQ0TSwVHXVaiws07mw5qmj37 eF88EmoWBkBxmlR5QCPagOZbA/VyXGgIxR5LP7CL8CfNAXWBIaA4jlUlesxz1aZ10FEI MqAgLNhxl30/yjSdmWDepv+lagWMvQ0xMF6asf0TLoa37pcvuvaOiI/VEDwqhXzMkI3g V+7Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=b33vR+pLF5uAn5jtezCutV2v6ZnKPtqGvYiw/AynSRQ=; b=U4ZtalqwTbgqBA/jVEYo/wigrXnjbPV5CmVahWQp03OTYmduvGLv1S1gWX+Lb1t0tI njVRLKm0vnoXC5qeu07amev7QQGwu2oIFZDzdTdSMRLcDC0LQY5EtcgrgaECgbCv6s9+ JhmuJoqm9EvRqfe8dv44LXhXt2uJeQ5nFH/i9b2F+K7D6piEpDKGD5TYXAohymUKVDZH MFnCoiBLtUkxOm7S0TqwIa1BwY6Zr7JtrhslJK5N7tp9Nv8nzkZb2pFAE9l3qrZP/zdQ Uha093DArA4ELJ2Hsh0JIUS03YwlkHrnGUf4jbDgx3Jy13ap2RWjGHAaIlI56UlZ+Ger P6PQ== X-Gm-Message-State: APzg51DiD19JsUtU3F0nJMDpZK+cS1EKzqQhjPdtuSpBaW5U7UdM4+4U 3QbWf2nstNTus9J5wO/xZP3QDvDfIVgloKHilPpDd3oG X-Google-Smtp-Source: ANB0VdaYEgSxLO7lv8uwCFasWTuwuL8RIP2F080eXkaPDrQNWVgXpBXolXAZGZK1qjnAeu8mzTZ7PDdhss+JTUIWa4s= X-Received: by 2002:aca:b702:: with SMTP id h2-v6mr50139oif.66.1537558209864; Fri, 21 Sep 2018 12:30:09 -0700 (PDT) MIME-Version: 1.0 References: <4e2c7b41-1e16-b89a-04d8-776f3469141a@satoshilabs.com> In-Reply-To: <4e2c7b41-1e16-b89a-04d8-776f3469141a@satoshilabs.com> From: Christopher Allen Date: Fri, 21 Sep 2018 12:29:33 -0700 Message-ID: To: andrew.kozlik@satoshilabs.com, Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="000000000000eba866057666aafb" X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 22 Sep 2018 04:22:56 +0000 Subject: Re: [bitcoin-dev] SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Sep 2018 19:30:12 -0000 --000000000000eba866057666aafb Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Sep 21, 2018 at 11:18 AM Andrew Kozlik via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > We are currently writing a new specification for splitting BIP-32 master > seeds into multiple mnemonics using Shamir's secret sharing scheme. We > would be interested in getting your feedback with regard to the > high-level design of the new spec: > https://github.com/satoshilabs/slips/blob/master/slip-0039.md > Please focus your attention on the section entitled "Master secret > derivation functions", which proposes several different solutions. Note > that there is a Design Rationale section at the very end of the > document, which should answer some of the questions you may have. The > document is a work in progress and we are aware that some technical > details have not been fully specified. These will be completed once the > high level design has been settled. > I and a number of companies & communities I am involved with are very interested in this. A challenge is that Shamir Secret Sharing has subtleties. To quote Greg Maxwell: > I think Shamir Secret Sharing (and a number of other things, RNGs for example), suffer from a property where they are just complex enough that people are excited to implement them often for little good reason, and then they are complex enough (or have few enough reasons to invest significant time) they implement them poorly=E2=80=9D. Some questions for you: * What other teams or communities besides Trezor are committed to standardizing a Shamir Secret Sharing Scheme? I can say that the #RebootingWebOfTrust community (meeting again for the 7th time next week in Toronto https://rwot7.eventbrite.com) are very interested. * Where do you want to hold discussions on this? Do people object to having this discussion on this mailing list? Or should it be issues in SLIPS repo or on some other mailing list? * Presuming a successful split of secrets, I don=E2=80=99t know all the adv= ersarial problems that are associated with recovery of a SSS. As this would be an interactive event, I presume an attacker can DOS a request to reassemble keys (so maybe some the of integrity of each share vs all is required). And of course there are the biggest problems: impersonation of a reassembly request and a MitM of a reassembly request. Are there other attacks? Are you trying to mitigate any of these? Two comments: * The Lightning Network community has added to their BIP32 mnemonics the ability to have a birthday in the seed, to make it easier to scan the blockchain for keys, as well as a byte with some way to know how to derive keys paths for it. I don=E2=80=99t seee a BOLT for this (it was mentioned i= n https://bitcoin.stackexchange.com/questions/74805/what-is-birthday-in-the-c= ontext-of-bip39-lightning-seed-generation) I would suggest that you also get some of their latest thoughts and incorporate them. * I worked with Chris Vickery while at Blockstrham on various possible ways to improve mnemonic word lists. I=E2=80=99m not suggesting that you necessa= rily go as far as we did to try to create a mnemonic that is iambic pentameter poetry (inspired by https://www.isi.edu/natural-language/mt/memorize-random-60.pdf), however, we did find sources for words that are concrete (for example table is more concrete than truth http://crr.ugent.be/papers/Brysbaert_Warriner_Kuperman_BRM_Concreteness_rat= ings.pdf ) or have strong emotional valence attachment (truth is more emotional than table), both of which make can words more memorable. I also found lists of words that are hard to pronounce unless you are English native, and eliminated them from my own list. Among the results of this was a new BIP-39 2048 word compatible word list filtered for memorability (concreteness & emotional valence) and suitability for iambic pentameter, which is located: https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/iamb= ic-wordlist.json =E2=80=A6which was created from the repo at https://github.com/ChristopherA/password_poem You can a number of other word lists that I=E2=80=99ve collected here https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/ If you want to replicate what we did with your own criteria, you may want to incorporate information from the CMU dictitionary http://www.speech.cs.cmu.edu/cgi-bin/cmudict, the top 5000 words https://github.com/ChristopherA/password_poem/blob/master/top5000.json, concrete word lists http://crr.ugent.be/papers/Concreteness_ratings_Brysbaert_et_al_BRM.txt and emotional words (valence) http://crr.ugent.be/archives/1003 =E2=80=94 Christopher Allen --000000000000eba866057666aafb Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Fri, Sep 21, 2018 at 11:18 AM Andrew Kozlik via b= itcoin-dev <bit= coin-dev@lists.linuxfoundation.org> wrote:
We are currently writing a new specification for spli= tting BIP-32 master
seeds into multiple mnemonics using Shamir's secret sharing scheme. We<= br> would be interested in getting your feedback with regard to the
high-level design of the new spec:
https://github.com/satoshilabs/slips/bl= ob/master/slip-0039.md
Please focus your attention on the section entitled "Master secret
derivation functions", which proposes several different solutions. Not= e
that there is a Design Rationale section at the very end of the
document, which should answer some of the questions you may have. The
document is a work in progress and we are aware that some technical
details have not been fully specified. These will be completed once the
high level design has been settled.

I a= nd a number of companies & communities I am involved with are very inte= rested in this.=C2=A0

A challenge is that Shamir S= ecret Sharing has subtleties. To quote Greg Maxwell:

> I think Shamir Secret Sharing (and a number of other things, RNGs f= or example), suffer from a property where they are just complex enough that= people are excited to implement them often for little good reason, and the= n they are complex enough (or have few enough reasons to invest significant= time) they implement them poorly=E2=80=9D.

Some q= uestions for you:

* What other teams or commu= nities besides Trezor are committed to standardizing a Shamir Secret Sharin= g Scheme? I can say that the #RebootingWebOfTrust community (meeting again = for the 7th time next week in Toronto https://rwot7.eventbrite.com) are very interested.

* Where do you want to hold discussions on this? Do people o= bject to having this discussion on this mailing list? Or should it be=C2=A0= issues in SLIPS repo or on some other mailing list?=C2=A0

* Presuming a successful split of secrets, I don=E2=80=99t know all= the adversarial problems that are associated with recovery of a SSS. As th= is would be an interactive event, I presume an attacker can DOS a request t= o reassemble keys (so maybe some the of integrity of each share vs all is r= equired). And of course there are the biggest problems: =C2=A0impersonation= of a reassembly request and a MitM of a reassembly request. Are there othe= r attacks? Are you trying to mitigate any of these?

Two comments:

* The Lightning Network commun= ity has added to their BIP32 mnemonics the ability to have a birthday in th= e seed, to make it easier =C2=A0to scan the blockchain for keys, as well as= a byte with some way to know how to derive keys paths for it. I don=E2=80= =99t seee a BOLT for this (it was mentioned in=C2=A0https://bitcoin.stackexchange.com/questions/= 74805/what-is-birthday-in-the-context-of-bip39-lightning-seed-generation) =C2=A0I would suggest that you also get some of their latest thoughts an= d incorporate them.

* I worked with Chris Vickery = while at Blockstrham on various possible ways to improve mnemonic word list= s. I=E2=80=99m not suggesting that you necessarily go as far as we did to t= ry to create a mnemonic that is iambic pentameter poetry (inspired by https= ://www.isi.edu/natural-language/mt/memorize-random-60.pdf), however, we= did find sources for words that are concrete (for example table is more co= ncrete than truth http://crr.ugent.be/papers/Brysbaert= _Warriner_Kuperman_BRM_Concreteness_ratings.pdf ) or have strong emotio= nal valence attachment (truth is more emotional than table), both of which = make can words more memorable. I also found lists of words that are hard to= pronounce unless you are English native, and eliminated them from my own l= ist.=C2=A0

Among the results of this was a new BIP= -39 2048 word compatible word list filtered for memorability (concreteness = & emotional valence) and suitability for iambic pentameter, which is lo= cated:


=E2=80=A6which was crea= ted from the repo at

You can a number of other word lists th= at I=E2=80=99ve collected here https://github.com/ChristopherA/iam= bic-mnemonic/blob/master/word-lists/

If you wa= nt to replicate what we did with your own criteria, you may want to incorpo= rate information from the CMU dictitionary=C2=A0http://www.speech.cs.cmu.edu/cgi-bin/cmudict<= /a>, the top 5000 words=C2=A0https://github.com/ChristopherA/passwo= rd_poem/blob/master/top5000.json, =C2=A0concrete word lists ht= tp://crr.ugent.be/papers/Concreteness_ratings_Brysbaert_et_al_BRM.txt a= nd emotional words =C2=A0(valence)=C2=A0http://crr.ugent.be/archives/1003

= =E2=80=94 Christopher Allen







=
--000000000000eba866057666aafb--