Date: Mon, 13 May 2024 13:40:46 +0000
From: Andrew Poelstra <apoelstra@wpsoftware.net>
To: Rama Gan <ganrama@proton.me>
Cc: "bitcoindev@googlegroups.com" <bitcoindev@googlegroups.com>
Subject: Re: [bitcoindev] Penlock, a paper-computer for secret-splitting BIP39 seed phrases
Message-ID: <ZkIYXs7PgbjazVFk@camus>
References: <9bt6npqSdpuYOcaDySZDvBOwXVq_v70FBnIseMT6AXNZ4V9HylyubEaGU0S8K5TMckXTcUqQIv-FN-QLIZjj8hJbzfB9ja9S8gxKTaQ2FfM=@proton.me>
In-Reply-To: <9bt6npqSdpuYOcaDySZDvBOwXVq_v70FBnIseMT6AXNZ4V9HylyubEaGU0S8K5TMckXTcUqQIv-FN-QLIZjj8hJbzfB9ja9S8gxKTaQ2FfM=@proton.me>

On Sun, May 12, 2024 at 06:04:09PM +0000, 'Rama Gan' via Bitcoin Development Mailing List wrote:
> I am excited to introduce Penlock, a printable paper-computer that guides users
> through secret-splitting their BIP39 seed phrase without an electronic device. A
> beta release is now available for peer-reviewing and early testing:
> https://beta.penlock.io.
> 
> <snip>
>


Hi Rama,


Very interesting project. I have a few unordered thoughts about this:

* You have instructions for generating BIP39 seed words, but if the goal
  is to be compatible with existing setups, this really isn't necessary
  (or even desirable). If somebody is willing to generate a whole new
  seed and is willing to sweep their coins, they might as well just use
  codex32. (Perhaps they have an urgent need to do so, and cannot wait
  for codex32 support to arrive in mainstream wallets. Ok. But it's a
  pretty niche user who is panickedly updating their coins while having
  the patience to hand-compute things!)

* Furthermore, the "just grind checksum words til the string works"
  approach, while ergonomic for 12 words (16 iterations max), is
  unrealistic for 16 words (64 iterations) and basically impossible for
  24 words (256 iterations). Probably worth mentioning this.

* The math underlying this all seems sound -- you map BIP39 characters
  directly into the field of integers mod 29, then compute lines in this
  field. However, the resulting checksum is then as long as your
  original set of words. Again, probably ok for 12 words but
  unreasonable for 24. (BTW, we have an unofficial BIP39 compatibility
  layer for codex32 which has the same issue -- everything is horrible
  for the 24-word case. But it is possible to do, and I've done it.)

* However, the use of a characteristic-greater-than-2 field means that
  addition and subtraction are different operations and suddenly you
  need to be careful about the exact order in which you read things
  off the volvelles. It also makes recovering your share more
  complicated. I see that you currently have a table for the 2-of-3
  case where you read the volvelle in different ways depending on which
  shares you have. Clever, but this will not extend to 2-of-n and I
  suspect you'll basically need to implement the full "recovery wheel"
  from codex32 (or the "recovery tables" which are faster to use for the
  2-of-n case, though easier to use wrong).

  Recovery is not really that important because you only do it when
  you're going to put your seed into a computer, and in that case you
  might as well make the computer do the recovery for you, but it is
  unfortunate. Especially in this case where a stated goal is that the
  computer -won't- do anything for you because it doesn't know about the
  scheme.

* Furthermore, this encoding into GF29 is nonstandard. I think, for the
  checksum construction this doesn't matter -- if the encoding becomes
  lost then you can just forget about the checksum, and if it doesn't,
  then you have a pretty great checksum (which can recover any number of
  errors as long as they don't hit both the data and the checksum in the
  same place). My feeling is that it's probably a good idea for people
  to use your checksum scheme on top of their existing BIP39 words, but
  the splitting stuff I'm less comfortable with.

  Possibly you would rather just combine your checksum scheme with
  seedxor? Though seedxor has the unfortunate need to convert your data
  to binary before xoring, which is time-consuming and error-prone and
  not compatible with the checksum so you don't have any good way to
  catch or fix mistakes. (The "unofficial compatibility layer for
  codex32" I mentioned works this way as well and it's horrible. But as
  you say, for users who really don't want to sweep their coins, maybe
  they are willing to make ugly tradeoffs..) Though I believe that
  seedxor only works for 2-of-3 and cannot be generalized without making
  the scheme unrecognizable.

  Alternately, if you switched to a binary field, and chose a checksum
  whose target residue was 0 (normally *not* recommended because it
  allows some classes of errors, in particular prefixes of zeroes)
  (though it does not allow any more substitution or erasure errors,
  which is what we care about for short fixed-length like this) then
  you could use an addition volvelle in the same way, the computation
  would secretly be identical to the seedxor computation, and your
  checksum would be preserved by it. So this is another way in which you
  could try to make a "seedxor-compatible checksum". But by adding a
  multiplication wheel that can do Lagrange multipliers you could
  generalize it to 2-of-n in a "natural" way which would break seedxor
  compatibility only for people who wanted more than 3 shares, and
  possibly even only when actually using shares beyond the third..

  As a final note about seedxor, they have as a design goal that the
  shares look identical to full seeds; they preserve the broken BIP39
  checksum, have no extra characters, etc. Personally I think this goal
  is terrible. If you are going to use obscure hand-computation tricks
  you are far more likely to lose your data (or forget how to manipulate
  it) than you are to be robbed by a thief who understands your scheme.

* More generally, you need to write up a specification and description
  of the math and maybe even a PDF :). I learned the scheme by
  reverse-engineering your Javascript, which is well-written and
  dependency-free, but still pretty abstract and indirect and anyway JS
  is not my language (nor is it likely to be the language for the
  typical hand-computer user). Sadly your volvelles also don't render
  properly in my browser (qutebrowser) which is chromium-based but maybe
  I have some settings wrong.



Best
Andrew


-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster
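The points above about GF(29) sharing, Lagrange recovery, and a residue-0 linear checksum surviving the split can be seen in a few lines of code. The block below is an added illustration written for this archive page; it is not Penlock's code and not from the post. It assumes a 29-symbol alphabet (a..z then '-', ' ', '?'), a toy weighted-sum checksum (not Penlock's construction), and the convention that the secret sits at x = 0 with share i at x = i; the sample phrase is constructed from the first four BIP39 words.

```python
"""Added illustration (not Penlock's code, not from the post): a character-
wise 2-of-n Shamir split over GF(29) with Lagrange recovery, plus a linear
checksum with target residue 0 that the split preserves.

Assumptions not stated in the thread:
  * alphabet: a..z -> 0..25, then '-', ' ', '?' -> 26, 27, 28 (Penlock's
    real mapping may differ);
  * the checksum is a toy weighted sum, not Penlock's construction;
  * the secret lives at x = 0 and share i is the line evaluated at x = i.
"""
import secrets

P = 29
ALPHABET = "abcdefghijklmnopqrstuvwxyz- ?"  # constructed 29-symbol alphabet


def encode(text):
    return [ALPHABET.index(c) for c in text]


def decode(vals):
    return "".join(ALPHABET[v] for v in vals)


def residue(vals):
    """Toy linear checksum: sum of (position+1)*value mod 29. A valid string
    has residue 0, so any GF(29)-linear combination of valid strings is valid."""
    return sum((k + 1) * v for k, v in enumerate(vals)) % P


def add_check(vals):
    """Append one check symbol so the residue becomes 0."""
    n = len(vals)
    assert (n + 1) % P != 0, "check weight must be invertible mod 29"
    inv = pow(n + 1, P - 2, P)             # Fermat inverse, P is prime
    c = (-residue(vals) * inv) % P
    return vals + [c]


def split_2_of_n(secret_vals, n, rng=secrets.randbelow):
    """Codex32-style: draw share 1 at random *with a valid checksum*, take the
    slope a = share1 - secret, and evaluate s + a*x at x = 1..n. Because both
    the secret and share 1 have residue 0, every share does too."""
    share1 = add_check([rng(P) for _ in range(len(secret_vals) - 1)])
    slope = [(u - s) % P for u, s in zip(share1, secret_vals)]
    return {i: [(s + a * i) % P for s, a in zip(secret_vals, slope)]
            for i in range(1, n + 1)}


def lagrange_weights(i, j):
    """Weights (w_i, w_j) with f(0) = w_i*f(i) + w_j*f(j) for the line through
    (i, f(i)) and (j, f(j)). In odd characteristic w_i != w_j and one of them
    is a subtraction, so the two shares must not be mixed up."""
    inv = pow((j - i) % P, P - 2, P)
    return (j * inv) % P, (-i * inv) % P


def recover(shares, i, j):
    """Recombine shares i and j; raise if the recovered checksum fails."""
    w_i, w_j = lagrange_weights(i, j)
    vals = [(w_i * a + w_j * b) % P for a, b in zip(shares[i], shares[j])]
    if residue(vals) != 0:
        raise ValueError("checksum mismatch: a share symbol was misread")
    return decode(vals[:-1])


def corrupt(vals, pos, delta=1):
    """Return a copy with one symbol shifted, to show the checksum catching it."""
    out = list(vals)
    out[pos] = (out[pos] + delta) % P
    return out


if __name__ == "__main__":
    phrase = "abandon ability able about"     # constructed sample phrase
    secret = add_check(encode(phrase))
    shares = split_2_of_n(secret, 3)
    print("share residues:", [residue(s) for s in shares.values()])
    print("recovered from 1,2:", recover(shares, 1, 2))
    print("recovered from 2,3:", recover(shares, 2, 3))
    print("weights (1,2):", lagrange_weights(1, 2),
          " weights (2,3):", lagrange_weights(2, 3))
```

Two things worth noticing when running it. The weights for shares (1,2) are (2, 28), i.e. 2·f(1) − f(2), while for (2,3) they are (3, 27): the multiplier and the subtraction both change with the pair you hold, which is the order-sensitivity the post describes for a characteristic-29 field. And if two shares are physically swapped but still labelled 1 and 2, the recombination yields f(3), a string that passes the checksum but is not the secret, so a residue-0 checksum detects misread symbols yet cannot detect mislabelled shares.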

