@@ -33,35 +33,28 @@ In case sufficient `M` values are provided the points exactly define the polynom
...
## From entropy to mnemonic secrets
The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field. We consider the master secret in a form which includes its own checksum:
The value to be encoded as the master secret must be a multiple of 8 bits. This is typically a wallet entropy, but may be another secret value which was uniformly chosen from its (key) space. The master secret is divided into `N` Shamir parts and `M` specifies how many of those parts do we need to reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field.
| master secret | 16-bit master secret checksum |
|---------------|-------------------------------|
From this value, every byte is mapped to the specified field in a little-endian fashion (i.e. the first bit maps to `a_7`, the last bit maps to `a_0`). For each such field element, `N`-share field elements are generated and mapped back to bytes. Each participating party receives the following data:
| 5-bit index | 5-bit M threshold | variable-bit SSS part | 16-bit checksum |
| index | M threshold | set id | SSS part | checksum |
| 5 bits | 5 bits | 16 bits | same as master secret | 16-bit |
The index corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value.
Index and threshold are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases.
The checksum field is a checksum of the whole share (i.e. index, threshold, SSS part).
* the `index` corresponds to the SSS part's `x` value (see the diagram above) and the SSS part is the corresponding `y` value
*`index` and `threshold` fields are encoded as 5-bit integers and the value 00000 is considered as invalid in both cases.
*`set id` field is a random 16-bit identifier which is the same for all shares and it's used for detection whether the shares belong together
* the `checksum` field is a CRC-16 checksum of the whole share (i.e. index, threshold, set id, SSS part)
This structure is then converted into a mnemonic passphrase by splitting it up by 10 bits which correspond as an index to the a word list containing exactly 1024 words (see below).
The selection of 5-bit sizes for index/threshold values and 10-bit for wordlist index has a nice property that the first word of the mnemonic encodes exactly these two values. And, vice versa, only these two values determine the first word.
## Checksum
For the checksums we use the leftmost 16 bits of a SHA-256 hash digest of the relevant payload.
## Passphrase
When enough `M` secrets are provided the master secret is reconstructed. To allow an additional protection of the final seed using a passphrase we will use a key derivation function to compute the seed. If no passphrase is provided an empty string should be used as a passphrase.
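Review bot: the new `checksum` bullet says "CRC-16" while this same hunk deletes the "Checksum" section that previously defined the checksum as the leftmost 16 bits of SHA-256, and no CRC-16 variant is named (polynomial, initial value, bit reflection, final XOR); two independent implementations can compute different values for the same share, so add a sentence pinning the exact CRC parameters or restore the SHA-256 definition. The hunk also drops the sentence "We consider the master secret in a form which includes its own checksum" together with the `| master secret | 16-bit master secret checksum |` table, so a reconstructed secret no longer carries any integrity check of its own; the per-share checksum only validates each share individually, so if this removal is intended the text should say how a reconstruction from a wrong combination of shares is meant to be detected. Finally, the two bullets written as `*\`index\`` and `*\`set id\`` lack the space after `*` and will not render as list items; write them as `* \`index\`` and `* \`set id\`` like the neighbouring bullets.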