@@ -25,25 +25,25 @@ However, SSSS is not standardized today, making it possible for a future secret
...
@@ -25,25 +25,25 @@ However, SSSS is not standardized today, making it possible for a future secret
## Shamir's secret-sharing scheme
## Shamir's secret-sharing scheme
Shamir's secret-sharing scheme (SSSS) is a cryptographic mechanism how to divide a secret into N unique parts, where M of them are required to reconstruct the secret. First, a polynomial of N-1 degree is constructed and each party is given a corresponding point - a non-zero integer input to the polynomial and the corresponding output.
Shamir's secret-sharing scheme (SSSS) is a cryptographic mechanism how to divide a secret into `N` unique parts, where `M` of them are required to reconstruct the secret. First, a polynomial of `N-1` degree is constructed and each party is given a corresponding point - a non-zero integer input to the polynomial and the corresponding output.
In case sufficient M values are provided the points exactly define the polynomial. The polynomial's value of f(0) = S corresponds to the master secret. You may read more on SSSS on [Wikipedia](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
In case sufficient `M` values are provided the points exactly define the polynomial. The polynomial's value of `f(0) = S` corresponds to the master secret. You may read more on SSSS on [Wikipedia](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing).
## From entropy to mnemonic secrets
## From entropy to mnemonic secrets
The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into N Shamir parts and M specifies how many of those parts do we need to reconstruct the master secret. We use GF(256) reduced by x^8 + x^4 + x^3 + x + 1 (the Rijndael polynomial) as the underlying field. We consider the master secret in a form which includes its own checksum:
The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field. We consider the master secret in a form which includes its own checksum:
| master secret | 16-bit master secret checksum |
| master secret | 16-bit master secret checksum |
|---------------|-------------------------------|
|---------------|-------------------------------|
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to a_7, the last bit maps to a_0). For each such field element, N-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to `a_7`, the last bit maps to `a_0`). For each such field element, `N`-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
| 5-bit index | 5-bit M threshold | variable-bit SSSS part | 16-bit checksum |
| 5-bit index | 5-bit M threshold | variable-bit SSSS part | 16-bit checksum |
The index corresponds to the SSSS part's x value (see the diagram above) and the SSSS part is the corresponding y value.
The index corresponds to the SSSS part's `x` value (see the diagram above) and the SSSS part is the corresponding `y` value.
Index and threshold are encoding using the following scheme:
Index and threshold are encoding using the following scheme:
...
@@ -74,13 +74,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
...
@@ -74,13 +74,13 @@ For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the re
## Passphrase
## Passphrase
When enough M secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.
When enough `M` secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.
Passphrase should contain only ASCII characters to achieve the best interoperability among various operating systems and wallet implementations.
Passphrase should contain only ASCII characters to achieve the best interoperability among various operating systems and wallet implementations.
We will use PBKDF2 (PRF = HMAC-SHA256, Password = master_secret, Salt = "SLIP0039" + passphrase, iterations = 20000, dkLen = 256 bits) as the key derivation function.
We will use `PBKDF2(PRF = HMAC-SHA256, Password = master_secret, Salt = "SLIP0039" + passphrase, iterations = 20000, dkLen = 256 bits)` as the key derivation function.
