Return-Path: <vizeet@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
[172.17.192.35])
by mail.linuxfoundation.org (Postfix) with ESMTPS id 6694DD78
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 22 Sep 2018 04:54:39 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-oi0-f65.google.com (mail-oi0-f65.google.com
[209.85.218.65])
by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0C7B0A8
for <bitcoin-dev@lists.linuxfoundation.org>;
Sat, 22 Sep 2018 04:54:37 +0000 (UTC)
Received: by mail-oi0-f65.google.com with SMTP id n1-v6so464132oic.4
for <bitcoin-dev@lists.linuxfoundation.org>;
Fri, 21 Sep 2018 21:54:37 -0700 (PDT)
MIME-Version: 1.0
References: <4e2c7b41-1e16-b89a-04d8-776f3469141a@satoshilabs.com>
<CACrqygCoqFMFLTpn5PSMR2_wSHnWsXSyZZ_jhk-FbvZHwwz4nA@mail.gmail.com>
In-Reply-To: <CACrqygCoqFMFLTpn5PSMR2_wSHnWsXSyZZ_jhk-FbvZHwwz4nA@mail.gmail.com>
From: vizeet srivastava <vizeet@gmail.com>
Date: Sat, 22 Sep 2018 10:24:24 +0530
Message-ID: <CAEmwXH=M0VsO3FeRr8PK+iuGmjTX5HYU68bVHxsV0kvdYtDGSQ@mail.gmail.com>
To: Christopher Allen <ChristopherA@lifewithalacrity.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
X-Mailman-Approved-At: Sat, 22 Sep 2018 05:50:19 +0000
Subject: Re: [bitcoin-dev] SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes
X-List-Received-Date: Sat, 22 Sep 2018 04:54:39 -0000
I see one benefit which I am looking for. I may not need to use all public
keys in a P2SH script; instead I can use P2PKH and retrieve funds by using a
threshold number of keys. So in case I lose a public key along with its
private key, I still may have other public key/private key pairs to
retrieve. For me it sounds interesting. I need to understand how it is
going to get implemented in more detail.
On Sat 22 Sep, 2018, 9:53 AM Christopher Allen via bitcoin-dev, <bitcoin-dev@lists.linuxfoundation.org> wrote:
> On Fri, Sep 21, 2018 at 11:18 AM Andrew Kozlik via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> We are currently writing a new specification for splitting BIP-32 master
>> seeds into multiple mnemonics using Shamir's secret sharing scheme. We
>> would be interested in getting your feedback with regard to the
>> high-level design of the new spec:
>> https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>> Please focus your attention on the section entitled "Master secret
>> derivation functions", which proposes several different solutions. Note
>> that there is a Design Rationale section at the very end of the
>> document, which should answer some of the questions you may have. The
>> document is a work in progress and we are aware that some technical
>> details have not been fully specified. These will be completed once the
>> high level design has been settled.
>>
>
> I and a number of companies & communities I am involved with are very
> interested in this.
>
> A challenge is that Shamir Secret Sharing has subtleties. To quote Greg
> Maxwell:
>
> > I think Shamir Secret Sharing (and a number of other things, RNGs for
> example), suffer from a property where they are just complex enough that
> people are excited to implement them often for little good reason, and then
> they are complex enough (or have few enough reasons to invest significant
> time) they implement them poorly”.
>
> Some questions for you:
>
> * What other teams or communities besides Trezor are committed to
> standardizing a Shamir Secret Sharing Scheme? I can say that the
> #RebootingWebOfTrust community (meeting again for the 7th time next week in
> Toronto https://rwot7.eventbrite.com) are very interested.
>
> * Where do you want to hold discussions on this? Do people object to
> having this discussion on this mailing list? Or should it be issues in
> SLIPS repo or on some other mailing list?
>
> * Presuming a successful split of secrets, I don’t know all the
> adversarial problems that are associated with recovery of a SSS. As this
> would be an interactive event, I presume an attacker can DOS a request to
> reassemble keys (so maybe some of the integrity of each share vs all is
> required). And of course there are the biggest problems: impersonation of
> a reassembly request and a MitM of a reassembly request. Are there other
> attacks? Are you trying to mitigate any of these?
>
> Two comments:
>
> * The Lightning Network community has added to their BIP32 mnemonics the
> ability to have a birthday in the seed, to make it easier to scan the
> blockchain for keys, as well as a byte with some way to know how to derive
> key paths for it. I don’t see a BOLT for this (it was mentioned in
> https://bitcoin.stackexchange.com/questions/74805/what-is-birthday-in-the-context-of-bip39-lightning-seed-generation)
> I would suggest that you also get some of their latest thoughts and
> incorporate them.
>
> * I worked with Chris Vickery while at Blockstream on various possible
> ways to improve mnemonic word lists. I’m not suggesting that you
> necessarily go as far as we did to try to create a mnemonic that is iambic
> pentameter poetry (inspired by
> https://www.isi.edu/natural-language/mt/memorize-random-60.pdf), however,
> we did find sources for words that are concrete (for example table is more
> concrete than truth
> http://crr.ugent.be/papers/Brysbaert_Warriner_Kuperman_BRM_Concreteness_ratings.pdf
> ) or have strong emotional valence attachment (truth is more emotional than
> table), both of which can make words more memorable. I also found lists of
> words that are hard to pronounce unless you are an English native, and
> eliminated them from my own list.
>
> Among the results of this was a new BIP-39 2048 word compatible word list
> filtered for memorability (concreteness & emotional valence) and
> suitability for iambic pentameter, which is located:
>
> https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/iambic-wordlist.json
>
> …which was created from the repo at
>
> https://github.com/ChristopherA/password_poem
>
> You can find a number of other word lists that I’ve collected here
> https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/
>
> If you want to replicate what we did with your own criteria, you may want
> to incorporate information from the CMU dictionary
> http://www.speech.cs.cmu.edu/cgi-bin/cmudict, the top 5000 words
> https://github.com/ChristopherA/password_poem/blob/master/top5000.json,
> concrete word lists
> http://crr.ugent.be/papers/Concreteness_ratings_Brysbaert_et_al_BRM.txt
> and emotional words (valence) http://crr.ugent.be/archives/1003
>
> — Christopher Allen
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>