slip-0039: drop master secret checksum, use random set id in shares, use crc-16 for checksum

parent 86b4f3f7
...@@ -33,35 +33,28 @@ In case sufficient `M` values are provided the points exactly define the polynom ...@@ -33,35 +33,28 @@ In case sufficient `M` values are provided the points exactly define the polynom
## From entropy to mnemonic secrets ## From entropy to mnemonic secrets
The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field. We consider the master secret in a form which includes its own checksum: The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field.
| master secret | 16-bit master secret checksum |
|---------------|-------------------------------|
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to `a_7`, the last bit maps to `a_0`). For each such field element, `N`-share field elements are generated and mapped back to bytes. Each participating party receives the following data: From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to `a_7`, the last bit maps to `a_0`). For each such field element, `N`-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
| 5-bit index | 5-bit M threshold | variable-bit SSS part | 16-bit checksum | | index | M threshold | set id | SSS part | checksum |
|-------------|-------------------|-----------------------|-----------------| |--------|-------------|---------|-----------------------|----------|
| 5 bits | 5 bits | 16 bits | same as master secret | 16-bit |
The index corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value.
Index and threshold are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases.
The checksum field is a checksum of the whole share (i.e. index, threshold, SSS part). * the `index` corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value
* `index` and `threshold` fields are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases.
* `set id` field is a random 16-bit identifier which is the same for all shares and it's used for detection whether the shares belong together
* the `checksum` field is a CRC-16 checksum of the whole share (i.e. index, threshold, set id, SSS part)
This structure is then converted into a mnemonic passphrase by splitting it up by 10 bits which correspond as an index to the a word list containing exactly 1024 words (see below). This structure is then converted into a mnemonic passphrase by splitting it up by 10 bits which correspond as an index to the a word list containing exactly 1024 words (see below).
| master secret | SSS part | share length | | master secret | share length |
|---------------|----------|------------------------| |---------------|------------------------|
| 128 bits | 144 bits | 170 bits = 17 words | | 128 bits | 170 bits = 17 words |
| 256 bits | 272 bits | 298 bits = 30 words | | 256 bits | 298 bits = 30 words |
The selection of 5-bit sizes for index/threshold values and 10-bit for wordlist index has a nice property that the first word of the mnemonic encodes exactly these two values. And, vice versa, only these two values determine the first word. The selection of 5-bit sizes for index/threshold values and 10-bit for wordlist index has a nice property that the first word of the mnemonic encodes exactly these two values. And, vice versa, only these two values determine the first word.
## Checksum
For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the relevant payload.
## Passphrase ## Passphrase
When enough `M` secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase. When enough `M` secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment