slip-0039: check shares checksum before combining them

parent 0022472b
...@@ -58,7 +58,9 @@ Construction has the nice property that nonce transforms into exactly the first ...@@ -58,7 +58,9 @@ Construction has the nice property that nonce transforms into exactly the first
## Converting the mnemonic shares to master secret ## Converting the mnemonic shares to master secret
Once enough `M` secrets are provided, we can produce the master secret from the shares. First we derive the shares using `PBKDF2(PRF = HMAC-SHA256, Password = SSS, Salt = (N || I || M || C), iterations = 1, dkLen = 256 bits)` where `SSS`, `N`, `I`, `M`, `C` values are encoded as 6 words from the wordlist separated by exactly one space. Once enough `M` secrets are provided, we can produce the master secret from the shares. First, we check the checksum of each share and abort if they don't match. Implementations SHOULD NOT implement correction beyond potentially suggesting to the user where in the string an error might be found, without suggesting the correction to make.
Then we derive the shares using `PBKDF2(PRF = HMAC-SHA256, Password = SSS, Salt = (N || I || M || C), iterations = 1, dkLen = 256 bits)` where `SSS`, `N`, `I`, `M`, `C` values are encoded as 6 words from the wordlist separated by exactly one space.
The resulting output from `PBKDF2` is a multiple of 8 bits. We can use Shamir Secret Sharing and reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field. The resulting output from `PBKDF2` is a multiple of 8 bits. We can use Shamir Secret Sharing and reconstruct the master secret. We use `GF(256)` reduced by `x^8 + x^4 + x^3 + x + 1` (the Rijndael polynomial) as the underlying field.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment