From: Andrew Kozlik <andrew.kozlik@satoshilabs.com>
To: Ignacio Berrozpe, bitcoin-dev@lists.linuxfoundation.org
Date: Wed, 26 Sep 2018 15:44:16 +0200
Subject: Re: [bitcoin-dev] SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes
Message-ID: <476d1af6-2e65-961c-bcf7-74e21b207def@satoshilabs.com>

Thank you for your input, Ignacio. Looking at your proposal, I see that its main feature is that it makes one of the shares privileged in the sense that it must always take part in the reconstruction of the master secret, while the remaining shares follow the K-of-M scheme. This is an interesting idea.

To answer your questions:

> Your proposed work provides a way to split the pre-secret into SSS shares, a format of encoding the shares, and finally several methods to derive the master secret from the pre-secret. Would you envision standardizing these different topics under the same proposal?

We intend to standardize the encoding format, the splitting of the pre-master secret into shares and the derivation of the master secret from the pre-master secret in a single document. However, note that only one of the four proposed master secret derivation functions will be selected for the final version.

> Also, have you thought of a way to deal with the existing legacy private keys already encoded into BIP-0039, or stored in other formats, and how to migrate them securely into a schema of encoded SSS shares?

Three of the four proposed master secret derivation functions are symmetric, which means that they allow users to migrate any existing master secret (including a BIP-0039 mnemonic) to the new scheme.

Thanks,
Andrew Kozlik


On 24.9.2018 21:49, Ignacio Berrozpe wrote:
> Hi Andrew,
>
> Please allow me to comment on your work, as I happened to publish an article 5 months ago proposing SSS to split bitcoin private keys into shares that could be encoded directly using BIP-0039 mnemonic words. While cryptographically much simpler than your proposal, the proposal had the characteristic that it could be applied directly to existing private key backups, by splitting the keys into SSS shares that could benefit from the existing BIP-0039 mnemonic to encode the shares directly. I thought it would be a simple path for hardware wallet providers such as Trezor to provide a better/more secure alternative to the existing BIP-0039 private key backups of 24 words.
>
> The article can be found here, and I've enclosed a simplified version:
>
> https://privatekeys.org/2018/04/24/k-of-m-private-key-generation-and-backup-in-bitcoin-wallets/
>
> Mind two questions? Your proposed work provides a way to split the pre-secret into SSS shares, a format of encoding the shares, and finally several methods to derive the master secret from the pre-secret. Would you envision standardizing these different topics under the same proposal? Also, have you thought of a way to deal with the existing legacy private keys already encoded into BIP-0039, or stored in other formats, and how to migrate them securely into a schema of encoded SSS shares?
>
> Best regards
> Ignacio Berrozpe
>
> On Fri, Sep 21, 2018 at 8:18 PM Andrew Kozlik via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> > Hello everyone,
> >
> > We are currently writing a new specification for splitting BIP-32 master
> > seeds into multiple mnemonics using Shamir's secret sharing scheme. We
> > would be interested in getting your feedback with regard to the
> > high-level design of the new spec:
> > https://github.com/satoshilabs/slips/blob/master/slip-0039.md
> > Please focus your attention on the section entitled "Master secret
> > derivation functions", which proposes several different solutions. Note
> > that there is a Design Rationale section at the very end of the
> > document, which should answer some of the questions you may have. The
> > document is a work in progress and we are aware that some technical
> > details have not been fully specified. These will be completed once the
> > high level design has been settled.
> >
> > Thanks,
> >
> > Andrew Kozlik
> > TREZOR Team
> >
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev

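The privileged-share scheme that Andrew summarises in his reply (one share that must always take part in recovery, the remaining M shares following an ordinary K-of-M threshold), as an added worked example in Python. This is not code from SLIP-0039, Trezor or either poster on the thread. The GF(256) arithmetic, the two-level construction (a 2-of-2 split of the secret into a privileged half and a remainder, then a K-of-M split of the remainder) and every function name below are the example's own assumptions about how to realise that property, not something the thread specifies.

```python
"""Shamir secret sharing over GF(256) with one privileged share.

Added example, not code from SLIP-0039, Trezor or either poster. It shows
the scheme summarised in the reply above: one share must always take part
in recovery, while the remaining m shares follow an ordinary k-of-m
threshold. The two-level construction (split the secret 2-of-2 into a
privileged half and a remainder, then split the remainder k-of-m) is an
assumption about how to realise that property.
"""
from __future__ import annotations

import secrets


# GF(256) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
def gf_mul(a: int, b: int) -> int:
    p = 0
    while b:
        if b & 1:
            p ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """a^-1 = a^254 in GF(2^8); square-and-multiply."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def split(secret: bytes, k: int, m: int) -> list[tuple[int, bytes]]:
    """Split `secret` into m shares (x, y) with x in 1..m; any k recover it.

    Each byte of the secret is the constant term of its own random
    polynomial of degree k-1; y[i] is that polynomial evaluated at x.
    """
    if not 1 <= k <= m <= 255:
        raise ValueError("need 1 <= k <= m <= 255")
    coeffs = [[secrets.randbelow(256) for _ in range(k - 1)] for _ in secret]
    shares = []
    for x in range(1, m + 1):
        y = bytearray()
        for s, c in zip(secret, coeffs):
            acc = 0  # Horner evaluation of c1*x + ... + c_{k-1}*x^{k-1}
            for coef in reversed(c):
                acc = gf_mul(acc, x) ^ coef
            y.append(gf_mul(acc, x) ^ s)
        shares.append((x, bytes(y)))
    return shares


def combine(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate the given shares at x = 0.

    Failure mode to remember: with fewer than k shares, or shares from a
    different split, this returns a wrong value, not an error.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share indices must be distinct and non-zero")
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for xj, yj in shares:
            # l_j(0) = prod_{l != j} x_l / (x_l - x_j); subtraction is XOR
            num = den = 1
            for xl, _ in shares:
                if xl != xj:
                    num = gf_mul(num, xl)
                    den = gf_mul(den, xl ^ xj)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def split_privileged(secret: bytes, k: int, m: int):
    """Return (privileged_share, ordinary_shares).

    Recovery needs the privileged share AND any k of the m ordinary ones.
    """
    privileged, remainder = split(secret, 2, 2)
    return privileged, split(remainder[1], k, m)


def combine_privileged(privileged: tuple[int, bytes],
                       ordinary: list[tuple[int, bytes]]) -> bytes:
    remainder = combine(ordinary)                  # k-of-m layer
    return combine([privileged, (2, remainder)])   # 2-of-2 layer


if __name__ == "__main__":
    seed = secrets.token_bytes(16)  # constructed stand-in for a master secret
    p, shares = split_privileged(seed, 2, 3)
    assert combine_privileged(p, shares[:2]) == seed
    assert combine(shares) != seed                     # all ordinary, no P
    assert combine_privileged(p, shares[:1]) != seed   # P plus too few
    print("privileged 2-of-3 scheme OK")
```

Note what `combine()` cannot do: it has no way to tell a wrong or insufficient set of shares from a correct one, it simply interpolates whatever it is given and returns a value. Any mnemonic format built on this therefore needs an integrity check on the recovered secret (or on each share) so that a user who supplies too few shares, or mixes in a share from a different split, gets an error instead of a silently wrong seed.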