slip-0039: drop master secret checksum, use random set id in shares, use crc-16 for checksum

slip-0039.md

@@ -33,35 +33,28 @@ In case sufficient `M` values are provided the points exactly define the polynom
 
 ## From entropy to mnemonic secrets
 
-The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field. We consider the master secret in a form which includes its own checksum:
-
-| master secret | 16-bit master secret checksum |
-|---------------|-------------------------------|
+The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field.
 
 From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to `a_7`, the last bit maps to `a_0`). For each such field element, `N`-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
 
-| 5-bit index | 5-bit M threshold | variable-bit SSS part | 16-bit checksum |
-|-------------|-------------------|-----------------------|-----------------|
-
-The index corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value.
-
-Index and threshold are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases. 
+| index  | M threshold | set id  | SSS part              | checksum |
+|--------|-------------|---------|-----------------------|----------|
+| 5 bits | 5 bits      | 16 bits | same as master secret | 16-bit   |
 
-The checksum field is a checksum of the whole share (i.e. index, threshold, SSS part).
+* the `index` corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value
+* `index` and `threshold` fields are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases.
+* `set id` field is a random 16-bit identifier which is the same for all shares and it's used for detection whether the shares belong together
+* the `checksum` field is a CRC-16 checksum of the whole share (i.e. index, threshold, set id, SSS part)
 
 This structure is then converted into a mnemonic passphrase by splitting it up by 10 bits which correspond as an index to the a word list containing exactly 1024 words (see below).
 
-| master secret | SSS part | share length           |
-|---------------|----------|------------------------|
-| 128 bits      | 144 bits | 170 bits = 17 words    |
-| 256 bits      | 272 bits | 298 bits = 30 words    |
+| master secret | share length           |
+|---------------|------------------------|
+| 128 bits      | 170 bits = 17 words    |
+| 256 bits      | 298 bits = 30 words    |
 
 The selection of 5-bit sizes for index/threshold values and 10-bit for wordlist index has a nice property that the first word of the mnemonic encodes exactly these two values. And, vice versa, only these two values determine the first word.
 
-## Checksum
-
-For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the relevant payload.
-
 ## Passphrase
 
 When enough `M` secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.