Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 6694DD78 for ; Sat, 22 Sep 2018 04:54:39 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-oi0-f65.google.com (mail-oi0-f65.google.com [209.85.218.65]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0C7B0A8 for ; Sat, 22 Sep 2018 04:54:37 +0000 (UTC) Received: by mail-oi0-f65.google.com with SMTP id n1-v6so464132oic.4 for ; Fri, 21 Sep 2018 21:54:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=B2HUvNfsSiSc6IAQ+4/TZsu86nxX+RENU9yucKzC/0k=; b=rJI0BeOFdFiLj/4Jy3V7vYTCjNwLErLn6jTPOcaSPNbr0w6ZBXNvVaNe3cwmjF54qV f09vX/4yvX5thGP0TlfofTPW627Llam8IMZ2D9uu1WwC372FVm58JxNQNGVmLdiT5suY dMnPRjTEDLMNaWuxlkkvo9E69+V9I6um8CYLEvtXWzvqTPNZIo2m0pFAAa9j/59eSI6i CfBKrJsASrEKUIU2aPH8VFs8xf4v3+uKfuB9zNtSyJ2eaiOZMnhEUd8qTDNQU0SvEp9V O6InXG+wbY7KiqPCctA0GyifodKe+eDEgKgBSjVurSfQl1AQQ10/BD4yDMcB5QqwUjCd tnDQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=B2HUvNfsSiSc6IAQ+4/TZsu86nxX+RENU9yucKzC/0k=; b=AGHeH36810DeEBTTUPFqDUHj6ARs4pfoSDaPrP+rGkQKJ2Bcw9ZeF5OMv3NkFNP/nU iYU6Tp0d+VdikGlW9nFujdY4anxsbytd9DWjqo6hGyociRAMU7+C3my5pTrS52ejYGMF DS8FJSaoeJgGjOYSlBEypLHXH518vpD+g259mf/OzaBXvacqLeqFk9ThWECt4a1MiWNV J8hwpa+jR5pxr9F7VZZw8lws93UNzUhsmV8SwWhgJPl3Y9nH2hOLrn48HKYFe8jEqHya TGVV9gCki884X3Eu/XudVkUuW1C91pAHh+m6nZD3oJPUVsd3En7AeRPZ/Gt0KQP1hgZq Qayw== X-Gm-Message-State: APzg51Dlcxs45mmOSIBpWfcDXQgruCgZA0jI3JI3NDDFZzx7JNZqpeP+ fzqud4Xn45cGjZ6TZ0UlONI14dpfjJ2hEDBwuzQ= X-Google-Smtp-Source: ANB0VdYyhi00fTtaroL5HvHy0yML6jDOXXX3biBxE6KHloPbuOD2Cn2UlOuKECeF9oyhl9xKl+UBJVL7h29lnu1ywXg= X-Received: by 2002:aca:d846:: with SMTP id p67-v6mr359853oig.42.1537592077066; Fri, 21 Sep 2018 21:54:37 -0700 (PDT) MIME-Version: 1.0 References: <4e2c7b41-1e16-b89a-04d8-776f3469141a@satoshilabs.com> In-Reply-To: From: vizeet srivastava Date: Sat, 22 Sep 2018 10:24:24 +0530 Message-ID: To: Christopher Allen , Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary="0000000000009026ab05766e8daa" X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Sat, 22 Sep 2018 05:50:19 +0000 Subject: Re: [bitcoin-dev] SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Sep 2018 04:54:39 -0000 --0000000000009026ab05766e8daa Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable I see one benefit which i am looking for. I may not need to use all public keys in p2sh script instead i can use p2pkh and retrieve funds by using threshold number of keys..so in case i loose a public key along with private key i still may have other public key private key pairs to retrieve. For me it sounds interesting. I need to understand how it is going to get implemented in more detail. On Sat 22 Sep, 2018, 9:53 AM Christopher Allen via bitcoin-dev, < bitcoin-dev@lists.linuxfoundation.org> wrote: > On Fri, Sep 21, 2018 at 11:18 AM Andrew Kozlik via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> We are currently writing a new specification for splitting BIP-32 master >> seeds into multiple mnemonics using Shamir's secret sharing scheme. We >> would be interested in getting your feedback with regard to the >> high-level design of the new spec: >> https://github.com/satoshilabs/slips/blob/master/slip-0039.md >> Please focus your attention on the section entitled "Master secret >> derivation functions", which proposes several different solutions. Note >> that there is a Design Rationale section at the very end of the >> document, which should answer some of the questions you may have. The >> document is a work in progress and we are aware that some technical >> details have not been fully specified. These will be completed once the >> high level design has been settled. >> > > I and a number of companies & communities I am involved with are very > interested in this. > > A challenge is that Shamir Secret Sharing has subtleties. To quote Greg > Maxwell: > > > I think Shamir Secret Sharing (and a number of other things, RNGs for > example), suffer from a property where they are just complex enough that > people are excited to implement them often for little good reason, and th= en > they are complex enough (or have few enough reasons to invest significant > time) they implement them poorly=E2=80=9D. > > Some questions for you: > > * What other teams or communities besides Trezor are committed to > standardizing a Shamir Secret Sharing Scheme? I can say that the > #RebootingWebOfTrust community (meeting again for the 7th time next week = in > Toronto https://rwot7.eventbrite.com) are very interested. > > * Where do you want to hold discussions on this? Do people object to > having this discussion on this mailing list? Or should it be issues in > SLIPS repo or on some other mailing list? > > * Presuming a successful split of secrets, I don=E2=80=99t know all the > adversarial problems that are associated with recovery of a SSS. As this > would be an interactive event, I presume an attacker can DOS a request to > reassemble keys (so maybe some the of integrity of each share vs all is > required). And of course there are the biggest problems: impersonation o= f > a reassembly request and a MitM of a reassembly request. Are there other > attacks? Are you trying to mitigate any of these? > > Two comments: > > * The Lightning Network community has added to their BIP32 mnemonics the > ability to have a birthday in the seed, to make it easier to scan the > blockchain for keys, as well as a byte with some way to know how to deriv= e > keys paths for it. I don=E2=80=99t seee a BOLT for this (it was mentioned= in > https://bitcoin.stackexchange.com/questions/74805/what-is-birthday-in-the= -context-of-bip39-lightning-seed-generation) > I would suggest that you also get some of their latest thoughts and > incorporate them. > > * I worked with Chris Vickery while at Blockstrham on various possible > ways to improve mnemonic word lists. I=E2=80=99m not suggesting that you > necessarily go as far as we did to try to create a mnemonic that is iambi= c > pentameter poetry (inspired by > https://www.isi.edu/natural-language/mt/memorize-random-60.pdf), however, > we did find sources for words that are concrete (for example table is mor= e > concrete than truth > http://crr.ugent.be/papers/Brysbaert_Warriner_Kuperman_BRM_Concreteness_r= atings.pdf > ) or have strong emotional valence attachment (truth is more emotional th= an > table), both of which make can words more memorable. I also found lists o= f > words that are hard to pronounce unless you are English native, and > eliminated them from my own list. > > Among the results of this was a new BIP-39 2048 word compatible word list > filtered for memorability (concreteness & emotional valence) and > suitability for iambic pentameter, which is located: > > > https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/ia= mbic-wordlist.json > > > =E2=80=A6which was created from the repo at > > https://github.com/ChristopherA/password_poem > > You can a number of other word lists that I=E2=80=99ve collected here > https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/ > > If you want to replicate what we did with your own criteria, you may want > to incorporate information from the CMU dictitionary > http://www.speech.cs.cmu.edu/cgi-bin/cmudict, the top 5000 words > https://github.com/ChristopherA/password_poem/blob/master/top5000.json, > concrete word lists > http://crr.ugent.be/papers/Concreteness_ratings_Brysbaert_et_al_BRM.txt > and emotional words (valence) http://crr.ugent.be/archives/1003 > > =E2=80=94 Christopher Allen > > > > > > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > --0000000000009026ab05766e8daa Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
I see one benefit which i am looking for. I may not need = to use all public keys in p2sh script instead i can use p2pkh and retrieve = funds by using threshold number of keys..so in case i loose a public key al= ong with private key i still may have other public key private key pairs to= retrieve. For me it sounds interesting. I need to understand how it is goi= ng to get implemented in more detail.

<= div dir=3D"ltr">On Sat 22 Sep, 2018, 9:53 AM Christopher Allen via bitcoin-= dev, <bitcoin-d= ev@lists.linuxfoundation.org> wrote:
On Fri, Sep 21, 2018 at 11:18 AM Andrew Koz= lik via bitcoin-dev <bitcoin-dev@lists.linuxfoundatio= n.org> wrote:
We are = currently writing a new specification for splitting BIP-32 master
seeds into multiple mnemonics using Shamir's secret sharing scheme. We<= br> would be interested in getting your feedback with regard to the
high-level design of the new spec:
https://github.com/satoshila= bs/slips/blob/master/slip-0039.md
Please focus your attention on the section entitled "Master secret
derivation functions", which proposes several different solutions. Not= e
that there is a Design Rationale section at the very end of the
document, which should answer some of the questions you may have. The
document is a work in progress and we are aware that some technical
details have not been fully specified. These will be completed once the
high level design has been settled.

I a= nd a number of companies & communities I am involved with are very inte= rested in this.=C2=A0

A challenge is that Shamir S= ecret Sharing has subtleties. To quote Greg Maxwell:

> I think Shamir Secret Sharing (and a number of other things, RNGs f= or example), suffer from a property where they are just complex enough that= people are excited to implement them often for little good reason, and the= n they are complex enough (or have few enough reasons to invest significant= time) they implement them poorly=E2=80=9D.

Some q= uestions for you:

* What other teams or commu= nities besides Trezor are committed to standardizing a Shamir Secret Sharin= g Scheme? I can say that the #RebootingWebOfTrust community (meeting again = for the 7th time next week in Toronto https://rwot7.eventbrite.com) = are very interested.

* Where do you want to = hold discussions on this? Do people object to having this discussion on thi= s mailing list? Or should it be=C2=A0issues in SLIPS repo or on some other = mailing list?=C2=A0

* Presuming a successful split= of secrets, I don=E2=80=99t know all the adversarial problems that are ass= ociated with recovery of a SSS. As this would be an interactive event, I pr= esume an attacker can DOS a request to reassemble keys (so maybe some the o= f integrity of each share vs all is required). And of course there are the = biggest problems: =C2=A0impersonation of a reassembly request and a MitM of= a reassembly request. Are there other attacks? Are you trying to mitigate = any of these?

Two comments:

* The Lightning Network community has added to their BIP32 mnemonics= the ability to have a birthday in the seed, to make it easier =C2=A0to sca= n the blockchain for keys, as well as a byte with some way to know how to d= erive keys paths for it. I don=E2=80=99t seee a BOLT for this (it was menti= oned in=C2=A0https://bitcoin.stackexchange.com/questions/= 74805/what-is-birthday-in-the-context-of-bip39-lightning-seed-generation) =C2=A0I would suggest that you also get some of their latest thoughts an= d incorporate them.

* I worked with Chris Vickery = while at Blockstrham on various possible ways to improve mnemonic word list= s. I=E2=80=99m not suggesting that you necessarily go as far as we did to t= ry to create a mnemonic that is iambic pentameter poetry (inspired by https://www.isi.edu/natural-language/mt/mem= orize-random-60.pdf), however, we did find sources for words that are c= oncrete (for example table is more concrete than truth http://crr.ugent.be/papers/Brysbaert_= Warriner_Kuperman_BRM_Concreteness_ratings.pdf ) or have strong emotion= al valence attachment (truth is more emotional than table), both of which m= ake can words more memorable. I also found lists of words that are hard to = pronounce unless you are English native, and eliminated them from my own li= st.=C2=A0

Among the results of this was a new BIP-= 39 2048 word compatible word list filtered for memorability (concreteness &= amp; emotional valence) and suitability for iambic pentameter, which is loc= ated:

=E2=80=A6which was created from the repo at

You can a number of other word lists tha= t I=E2=80=99ve collected here https://github.com/ChristopherA/iambic-mnemonic/blob/master/word-lists/


=E2=80=94 Christopher Allen





_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundati= on.org/mailman/listinfo/bitcoin-dev
--0000000000009026ab05766e8daa--