Date: Tue, 14 May 2024 13:42:45 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Rama Gan <ganrama@proton.me>
Cc: "bitcoindev@googlegroups.com" <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Penlock, a paper-computer for secret-splitting BIP39 seed phrases
Message-ID: <ZkNqVZFNBNTq7mAL@camus>
References: <9bt6npqSdpuYOcaDySZDvBOwXVq_v70FBnIseMT6AXNZ4V9HylyubEaGU0S8K5TMckXTcUqQIv-FN-QLIZjj8hJbzfB9ja9S8gxKTaQ2FfM=@proton.me>
<ZkIYXs7PgbjazVFk@camus>
<GqYxqTBUgHl6yq1UAaOc2O9Ea4-5yKnM-jGZzGaKC19c-k3KcUN_Bo2e7XPYUrNaX3NMJC0tCMudgSl0_l1BCRUz4DIYBR1ecL2ifopzs98=@proton.me>
In-Reply-To: <GqYxqTBUgHl6yq1UAaOc2O9Ea4-5yKnM-jGZzGaKC19c-k3KcUN_Bo2e7XPYUrNaX3NMJC0tCMudgSl0_l1BCRUz4DIYBR1ecL2ifopzs98=@proton.me>
On Tue, May 14, 2024 at 12:03:45PM +0000, Rama Gan wrote:
> Hello Andrew,
>
> Thank you for sharing your thoughts.
>
> - Penlock implements arithmetic operations differently than Codex32. Additions
> and subtractions are implemented with a slider-wheel (only possible with
> GF(P)); multiplications and "divisions" are done with volvelles. There is
> indeed a risk of using the slider-wheel in the wrong direction, and this is
> mitigated by 2-of-N not using additions at all.
>

FYI even in GF(P), you can do multiplication and division using slide
wheels. I'm not sure if doing so would interfere with your other
multipurpose volvelle constructions. (Every nonzero number in your field
is 2^n for some n, so you can do multiplication/division by adding in
the exponent.)

The resulting slide wheel would not have a natural ordering.

> - An experienced user can compute a 12-word checksum in 4 mins, and verify its
> correctness in 3 mins. Checksumming 24-word sentences is quite doable, but then the
> difficulty comes with the shares derivation part that takes close to an hour
> and feels really tedious (again, for 24 words). For reference, an
> experienced user can secret-split a 12-word sentence in 45 minutes. A
> 24-word sentence will more than double that due to getting tired and losing
> focus.
>

The checksumming numbers are impressive but a little surprising -- in
codex32, "translation" is a process of similar complexity on fewer
characters and it takes me 5 minutes or so. Perhaps the difference is
that you can use a slide wheel with a natural ordering, while we are
using a slide chart? At some point I will work through your process and
see how it feels.

For what it's worth, codex32 quickchecks can be done in ~5 minutes as
well. Though of course they are much less powerful than your checksum.

Interesting that the splitting and recovery processes take such a long
time. But I guess this is explained by the large number of characters
produced by the checksum.

> - The 2-of-(N<=26) case is handled with a variant of Shamir's algorithm that
> can be fully implemented in a single wheel. I'm about to post a presentation
> that will go into more details about that. For (K>=3)-of-M cases there's
> indeed a recovery wheel, plus a volvelle that does translation+fusion on the
> same side (see: https://beta.penlock.io/kofm-wheels.html).

Very cool. Though you say "single wheel" but you actually need two --
one to get the solving window and one to actually do the recovery. If I
understand correctly, the "solving window" is equivalent to a "recovery
symbol" in codex32.

If so, despite the simple interpretation as "the difference between the
shares", this object is secretly a Lagrange polynomial and you can
*also* compute it using a slide wheel rather than a full lookup-table
volvelle. (The reason for this is not so simple, and described in the
codex32 math companion [1] ... but possibly if you believe it's true you
can just "brute force" it without understanding why by just
progressively constructing a wheel, doing various recoveries and filling
in blank spaces by cross-referencing against your existing volvelle.)

[1] https://secretcodex32.com/docs/2023-08-23--math.pdf

-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
     -Justin Lewis-Webster
--
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZkNqVZFNBNTq7mAL%40camus.
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEEkPnKPD7Je+ki35VexYjWPOQbl8EFAmZDalQACgkQxYjWPOQb
l8GJ/Qf/bAquVNGQwQq2zqe4s73JTdrD3RQqb+UU/M9x1hy8KgcgtHHV61Gf+GBf
AOA5+/9b+GKs9WlaVvF15BP5wv+N4bCZgWfdqRjrBiABhjFInJhtL/2ZO5ZxnZqY
oz01WA3W/LX1SfgegWMRGYVXhy67sH7fLUwLThqYzoQCVYmeTUagdT94MT4sxSd1
KdegYQR8ZxA5esISaoO6osMt/AyqOM7I9ryVvN1mWDaWrDQbg2m118qm1jJ4EB8R
kzmGYl3tLITwKLLl63cwdYzJLdB17LkvYIPd90LqoRuZ+BMpDQt3t9z/+c5lk+Ap
iAODerKEXmyXTqUaMR9RHXHpoe8s5g==
=m2hl
-----END PGP SIGNATURE-----
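The two arithmetic points in the reply above, worked through in Python: multiplication and division in GF(p) done as exponent addition and subtraction on a log/antilog "slide wheel", and two-share recovery written as "the difference between the shares" giving the same answer as Lagrange interpolation, whose coefficients are themselves only products and quotients. This is an added example, not Penlock's or codex32's code. It assumes GF(29) with generator 2 purely for illustration (the thread does not state Penlock's modulus; 29 is used because 2 is a primitive root mod 29, which is what "every nonzero number is 2^n" requires), and it accepts fixed polynomial coefficients so the sample numbers are reproducible; real splits must draw them from a CSPRNG, as the default path does.

```python
import secrets

# Assumption for illustration only: a small prime field in which 2 generates
# the multiplicative group. Penlock's actual modulus is not stated in the thread.
P = 29
G = 2


def build_log_tables(p=P, g=G):
    """Return (log, antilog): antilog[n] = g**n mod p, log[x] = n.

    On paper these are the two rings of a multiplication slide wheel: one ring
    carries exponents, the other g**exponent. Multiplying two field elements is
    adding their exponents mod p-1; dividing is subtracting them.
    """
    antilog, x = [], 1
    for _ in range(p - 1):
        antilog.append(x)
        x = (x * g) % p
    if len(set(antilog)) != p - 1:
        raise ValueError(f"{g} does not generate GF({p})*")
    return {x: n for n, x in enumerate(antilog)}, antilog


LOG, ANTILOG = build_log_tables()


def wheel_mul(a, b):
    """a*b in GF(P) computed as exponent addition on the wheel."""
    if a % P == 0 or b % P == 0:
        return 0
    return ANTILOG[(LOG[a % P] + LOG[b % P]) % (P - 1)]


def wheel_div(a, b):
    """a/b in GF(P) computed as exponent subtraction on the wheel."""
    if b % P == 0:
        raise ZeroDivisionError("division by zero in GF(P)")
    if a % P == 0:
        return 0
    return ANTILOG[(LOG[a % P] - LOG[b % P]) % (P - 1)]


def wheel_matches_modular_arithmetic():
    """Sanity check: the wheel agrees with ordinary modular multiplication."""
    return all(wheel_mul(a, b) == (a * b) % P for a in range(P) for b in range(P))


def split(secret, k, n, coeffs=None):
    """Shamir k-of-n split over GF(P): shares are points on a degree k-1
    polynomial whose constant term is the secret. Coefficients are drawn from
    a CSPRNG unless fixed ones are passed (fixed ones keep the example reproducible)."""
    if not 0 <= secret < P or not 1 <= k <= n < P:
        raise ValueError("need 0 <= secret < P and 1 <= k <= n < P")
    if coeffs is None:
        coeffs = [secrets.randbelow(P) for _ in range(k - 1)]
    if len(coeffs) != k - 1:
        raise ValueError("need exactly k-1 coefficients")
    shares = []
    for x in range(1, n + 1):  # x = 0 would be the secret itself, never a share
        y, x_pow = secret, 1
        for c in coeffs:
            x_pow = wheel_mul(x_pow, x)
            y = (y + wheel_mul(c, x_pow)) % P
        shares.append((x, y))
    return shares


def lagrange_coefficients(xs):
    """l_i = prod_{j != i} x_j / (x_j - x_i), so that secret = sum l_i * y_i.

    Each l_i is nothing but products and quotients of share indices, so on the
    wheel it is a run of exponent additions and subtractions: no lookup-table
    volvelle is needed to produce it."""
    out = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = wheel_mul(num, xj)
                den = wheel_mul(den, (xj - xi) % P)
        out.append(wheel_div(num, den))
    return out


def recover(shares):
    """Evaluate the interpolating polynomial at 0 from any k distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    return sum(wheel_mul(l, y) for l, (_, y) in zip(lagrange_coefficients(xs), shares)) % P


def recover_2_of_n_by_difference(share_a, share_b):
    """Two-share recovery written the 'difference between the shares' way:
    slope = (y_b - y_a)/(x_b - x_a), secret = y_a - slope*x_a.
    Algebraically identical to the Lagrange form in recover()."""
    (xa, ya), (xb, yb) = share_a, share_b
    slope = wheel_div((yb - ya) % P, (xb - xa) % P)
    return (ya - wheel_mul(slope, xa)) % P


if __name__ == "__main__":
    shares = split(17, 2, 5, coeffs=[11])  # constructed sample values
    print(shares)                          # [(1, 28), (2, 10), (3, 21), (4, 3), (5, 14)]
    print(recover(shares[1:3]), recover_2_of_n_by_difference(shares[1], shares[4]))  # 17 17
```

Reading the wheel: `wheel_mul(7, 5)` looks up exponents 12 and 22, adds them mod 28 to get 6, and reads off `ANTILOG[6] == 6`, which is 35 mod 29. The same tables serve `split`, `lagrange_coefficients` and the slope-based two-share recovery, which is the sense in which the "recovery symbol" can be produced on a wheel rather than a volvelle. Fewer than k shares still return a value (a polynomial of the wrong degree interpolates to garbage), which is why the caller, not the arithmetic, has to enforce the threshold.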