@@ -33,6 +33,7 @@ When any *T* points are provided, they exactly define the polynomial. The polyno
![curve](slip-0039/curve.png)
## Generating the mnemonic shares
The pre-master secret is divided into *N* Shamir parts and *T* specifies how many of those parts are needed to reconstruct the pre-master secret. Shamir's secret sharing scheme is applied seperately to each byte of the pre-master secret and GF(256) is used as the underlying finite field<sup>[1](#FiniteField)</sup>. Bytes are interpreted as elements of GF(256) using polynomial representation with operations modulo the Rijndael irreducible polynomial *x*<sup>8</sup> + *x*<sup>4</sup> + *x*<sup>3</sup> + *x* + 1, see [AES](https://doi.org/10.6028/NIST.FIPS.197) sections 3.2, 4.1 and 4.4.
We propose the following format of the shares:
...
...
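Review bot: "seperately" in the paragraph describing the byte-wise Shamir split should read "separately". Since this hunk adds the `![curve](slip-0039/curve.png)` reference, please confirm the image file is part of the same commit so the rendered page does not show a broken image.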
@@ -57,6 +58,7 @@ This structure is then converted into a mnemonic code by splitting it up into 10
This construction yields a beneficial property where the identifier transforms into exactly the first three words of the mnemonic code, so the user can immediately tell whether the correct shares are being combined (i.e. they have to have the same first two words). Moreover, the forth word encodes exactly the index/threshold values, so for example share #2 of 3 required shares will always correspond to the same word.
## Checksum
The last three words of the mnemonic form a checksum and contain no information. Valid mnemonics MUST pass the criteria for validity specified by the Python3 code snippet below. The function `rs1024_verify_checksum` must return true when its arguments are:
-`hrp`: the human-readable part as a string
...
...
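Review bot: the paragraph after the mnemonic structure contradicts itself: it says the identifier "transforms into exactly the first three words" and then that combined shares "have to have the same first two words"; one of the two counts needs to change. In the same paragraph "forth word" should be "fourth word", and the checksum list item "-`hrp`" needs a space after the hyphen to render as a bullet.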
@@ -109,9 +111,11 @@ The passphrase should contain only printable ASCII characters (codepoints 32-126
The master secret can be used as the master seed *S* for Hierarchical Deterministic Wallets described in BIP-0032.
## Master secret derivation functions
Each of the master secret derivation functions uses the key derivation function PBKDF2<sup>[4](#KDFParam)</sup>. Whenever the random identifier value *id* or the threshold *T* is an input to PBKDF2, it is encoded in the following manner. The random identifier value is split into three 10-bit integers each encoded as two bytes in little-endian byte order. The threshold is encoded as one byte.
### Proposal 1: Feistel network
The master secret derivation function shall be a strong pseudorandom permutation (PRP)<sup>[5](#Security)</sup> based on the Luby-Rackoff construction. It shall consist of a four round Feistel network with PBKDF2 as the round function. The pre-master secret is first split into two equally long parts. `L` is the first *n*/2 bytes of the pre-master secret and `R` is the last *n*/2 bytes of the pre-master secret and processed as follows:
```
...
...
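Review bot: the identifier encoding rule ("split into three 10-bit integers each encoded as two bytes in little-endian byte order") does not say in which order the three integers are concatenated; state it explicitly (for example, in the order the corresponding words appear in the mnemonic), since two implementations that pick different orders derive different master secrets. The Feistel description also assumes *n* is even when it splits the pre-master secret into *n*/2-byte halves; either require an even length or define how an odd-length pre-master secret is split.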
@@ -120,18 +124,23 @@ R = PMS[len(PMS)/2:]
for i in range(4):
(L, R) = (R, L xor F(i, R))
```
The master secret is then `R || L`.
The *i*-th round function `F(i, R)` is defined as follows:
```
F(i, R) = PBKDF2(PRF = HMAC-SHA256, Password = (passphrase || i), Salt = ("slip0039" || id || T || R), iterations = 5000, dkLen = n/2 bytes)
```
The value of *i* is encoded as one byte.
![feistel](slip-0039/feistel.png)
### Proposal 2: AES in CMC mode
AES in CMC mode shall be used as the master secret derivation function. The key derivation function PBKDF2 will be used to derive an AES symmetric key:
AES in CTR mode shall be used as the master secret derivation function. The key derivation function PBKDF2 will be used to derive an AES symmetric key and an initial counter value:
```
...
...
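Review bot: the heading "### Proposal 2: AES in CMC mode" is left unchanged while the body is switched to "AES in CTR mode shall be used as the master secret derivation function"; update the heading to match. Note also that CTR mode is keystream XOR, so unlike CMC it is not a pseudorandom permutation: any bit flipped in the pre-master secret flips the same bit of the master secret. Since Proposal 1 explicitly requires a strong PRP, the text should say whether that property is being given up for Proposal 2 or why it is not needed there.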
@@ -153,6 +163,7 @@ k = PBKDF2(PRF = HMAC-SHA256, Password = passphrase, Salt = ("slip0039" || id ||
iv = k[:16] # first 16 bytes
key = k[32:] # last 32 bytes
```
The master secret is the pre-master secret encrypted by AES in CTR mode:
```
...
...
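Review bot: the slices `iv = k[:16]` and `key = k[32:]` leave bytes 16 through 31 of the PBKDF2 output unused, and the comment "last 32 bytes" on `k[32:]` is only true if `dkLen` is exactly 64 bytes, which is not visible in this hunk. If the intent is a 16-byte counter plus a 32-byte key, either use `key = k[16:48]` with a 48-byte `dkLen`, or state the `dkLen` so the slices and comments agree.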
@@ -160,11 +171,13 @@ S = AES.encrypt(mode=CTR, counter=iv, aeskey=key, PMS)
```
### Proposal 4: PBKDF2 only
The master secret shall be computed as:
`S = PBKDF2(PRF = HMAC-SHA256, Password = passphrase, Salt = ("slip0039" || id || T || PMS), iterations = 20000, dkLen = 256 bits)`
### Advantages and disadvantages
Each of the proposed derivation functions has its pros and cons, we tried to summarise the most important ones in the following table:
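Review bot: Proposal 4 fixes the output at "dkLen = 256 bits", so its master secret length no longer depends on the pre-master secret length, whereas the Feistel proposal derives *n*/2 bytes per half and the AES proposals preserve the pre-master secret length; say whether that difference is intended. Please also use one unit throughout (the other proposals give `dkLen` in bytes), and split the comma splice "has its pros and cons, we tried to summarise" into two sentences.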