ZcashFoundation / GrantProposals-2018Q2

Submission site for 2018Q2 Zcash Foundation grant proposals.

Secret Sharing Mobile Password Manager #44

Closed PartlyFluked closed 5 years ago

PartlyFluked commented 6 years ago

My team has been working informally on a project we call Splitpass, a mobile app for generating, storing, and distributing shared secrets.

The core functionality is for users to input a secret (in practice we imagine a cryptocurrency private key), which the app encrypts with Shamir's secret sharing algorithm. This generates a collection of secret shares, of which any subset of a predetermined threshold size will reconstruct the secret, and any fewer than that threshold gives no information. The app will then provide password-manager-like services for managing the secret shares, including tools to back up or distribute them. This includes BIP-39 style mnemonics, and QR codes. Later we intend to incorporate the Signal protocol to allow for encrypted messaging of shares.

Applications of this include redundant back-up of private keys, and estate management. For example, by creating a 3-of-5 secret sharing scheme and placing the shares in different locations, you are secure against the destruction or theft of up to two shares. By giving a collection of trusted individuals a share each, you provide a mechanism for them to recover the assets independently in case the issuer is unable to, while no individual is able to act unilaterally.

Due to the relative simplicity of the encryption algorithm, the authors intend to include a simplified educational mode which graphically demonstrates the decryption algorithm, and for which the results can be checked by hand. There is some interest from an Australian university in using this as part of a mathematics outreach program for high school students, pending development.

We intend to make Splitpass open source, free, and educational. We do not otherwise plan to monetise, and are applying for a grant to allow us to spend more time on development. Our team consists of two programmers with postgraduate educations, and a graphic designer with a history of mobile app development.
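The threshold property described in the proposal above (any t of n shares reconstruct the secret, fewer give no information) can be shown in a few dozen lines. The following is an added worked example, not Splitpass code: it splits an integer secret into shares with a random degree-(t-1) polynomial over a prime field and recovers it by Lagrange interpolation at x = 0. The choice of field (the secp256k1 group order, large enough to hold a 256-bit key) and the small GF(17) "educational mode" polynomial are assumptions made here for illustration.

```python
"""Shamir threshold secret sharing (t-of-n) over a prime field.

Added example, not the Splitpass project's own code.
"""
import itertools
import secrets

# Assumption for illustration: the secp256k1 group order, a prime large
# enough that any 256-bit value (e.g. a raw private key) is a valid secret.
PRIME = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def _eval_poly(coeffs, x, p):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... at x mod p (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def split_secret(secret, threshold, shares, p=PRIME, rng=secrets.randbelow):
    """Return a list of (x, y) shares.

    The secret is the constant term of a random polynomial of degree
    threshold-1; each share is one point on that polynomial.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < p:
        raise ValueError("secret must be an integer in [0, p)")
    coeffs = [secret] + [rng(p) for _ in range(threshold - 1)]
    # x = 0 would hand out the secret itself, so share indices start at 1.
    return [(x, _eval_poly(coeffs, x, p)) for x in range(1, shares + 1)]


def recover_secret(shares, p=PRIME):
    """Lagrange interpolation at x = 0 over the supplied shares.

    With at least `threshold` distinct shares this is the secret; with fewer,
    the result is just some field element, consistent with any candidate
    secret, which is why partial collections leak nothing.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % p      # product of (0 - xj)
                den = (den * (xi - xj)) % p  # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


def every_threshold_subset_recovers(shares, threshold, secret, p=PRIME):
    """Check the defining property: every t-subset of shares yields the secret."""
    return all(recover_secret(list(sub), p) == secret
               for sub in itertools.combinations(shares, threshold))


def demo_small_field():
    """Hand-checkable 3-of-5 instance over GF(17), in the spirit of the
    proposed educational mode: f(x) = 5 + 3x + 2x^2, so the secret is 5.

    Returns (shares, recovery from shares 1-3, recovery from shares 3-5).
    """
    p, coeffs = 17, [5, 3, 2]  # constructed polynomial for the demo
    shares = [(x, _eval_poly(coeffs, x, p)) for x in range(1, 6)]
    return shares, recover_secret(shares[:3], p), recover_secret(shares[2:], p)


if __name__ == "__main__":
    shares, a, b = demo_small_field()
    print("GF(17) shares:", shares, "-> recovered", a, "and", b)
    print("only two shares give:", recover_secret(shares[:2], 17))
    key = secrets.randbelow(PRIME)
    big = split_secret(key, 3, 5)
    print("3-of-5 over secp256k1 order, all subsets recover:",
          every_threshold_subset_recovers(big, 3, key))
```

Run as a script it prints the GF(17) shares (which can be verified by hand: f(1)=10, f(2)=2, f(3)=15, f(4)=15, f(5)=2), shows that two shares interpolate to an unrelated value, and confirms that all ten 3-subsets of a 5-share split of a random 256-bit value recover it.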

amiller commented 6 years ago

Can you draw any connections between this project and Zcash or privacy-preserving infrastructure? You mentioned BIP39. I think there is not currently any BIP39-like standard for z-brainwallets, i.e. z-addresses derived from a mnemonic. There's an open issue here tho: https://github.com/zcash/zcash/issues/2039 would you consider working on that to be in scope? This implementation looks relevant https://github.com/FiloSottile/zcash-mini

b-g-goodell commented 6 years ago

I like the idea of an independent, open source app that had authenticator/2FA capabilities and shared-secret generation capabilities, especially if this project helped introduce mnemonics and MFA in general into folks' security habits. Contributing BIP39-like mnemonics to z-addresses would ensure that the project is definitely in line with the zcash foundation's mission. This project seems to be a good contribution to decentralized public key infrastructures.

I would like to learn more about the intended scope, the budget and justification, etc.

tromer commented 6 years ago

Note that currently there is not even HD wallet (BIP32) support for z-addresses, but this is planned for the upcoming Sapling upgrade.

tromer commented 6 years ago

Googling for "secret sharing gui github" yields numerous projects that seem to provide a GUI for secret sharing. @PartlyFluked, can you explain how your proposal differs?

PartlyFluked commented 6 years ago

Thanks for the interest and questions!

@amiller The initial motivation for developing this tool was to add security and redundancy to the storage of cryptocurrency private keys, but really the secret can be arbitrary (up to a given length).

Aside from the utility for cryptocurrency holders in terms of security, there are confidentiality benefits too. As in one of the examples in the original post, this tool can be used to disintermediate the role of an estate planner by providing a way for a collection of trusted individuals to recover cryptoassets, providing a tangible improvement to the user's privacy.

Since our tool is designed for general purpose use, we would like to stick as closely as possible to the most widely used standard, which at the moment is BIP39. We can look into producing a proposal for a similar standard for Zcash, with conservative changes to the BIP39 model where necessary. As per @tromer's comments, this standard will be of more use once hierarchical deterministic wallets are implemented.

@b-g-goodell Our primary goal is the completion of a usable MVP, and only later to include features which rely on networking (such as MPC decryption) and less vital features such as the educational tutorial. An MVP consists of encryption, decryption, storage, and QR-based transfer of shares between devices. The biggest challenge we face is trying to streamline the UX through the encrypt/decrypt process, rather than technical aspects of implementation.

This started as a casual project, which we do not otherwise intend to monetise. We are seeking up to $10,000 USD, primarily to subsidise part time (~2 days/week) labour of 3 people for up to 3 months, at a rate of $20 USD/hour. We anticipate this will be enough time to complete the MVP, and make significant progress towards at least one of the networked or educational feature sets. The team will continue to work on the project voluntarily after funding expires, with the size of the grant determining the duration of focussed, funded development. We will publish the code as open-source once the project reaches maturity, regardless of the allocation of a grant.

@tromer Our mnemonic phrase encoding happens to secret shares, and not to the secrets themselves. Whether or not there exists a mnemonic phrase standard for the secret, we have a design choice in how we encode the shares. We mention BIP39 since it is the most popular standard for this kind of mnemonic encoding, and hence has the most widely available dictionaries, etc.

Many of these projects are desktop-based scripts for encoding and decoding shared secrets, with little consideration for storing or distributing the shares after the fact. We want to package encryption functionality, secure storage, and user friendly distribution tools into a mobile app. Most of the features we are adding to these secret sharing GUIs are common in cryptocurrency wallets, and are familiar to cryptocurrency users, even if the secret sharing mechanic itself is not.

In particular, our app will act like a password manager for storing the shares, and will feature integration with mnemonic phrases for user-friendly back-up, QR codes for user-friendly distribution, and later MPC to support decryption in adversarial environments.

tromer commented 6 years ago

The Zcash Foundation Grant Review committee has reviewed your pre-proposal, including the above discussion, to evaluate its potential and competitiveness relative to other proposals. Every pre-proposal was evaluated by at least 4 committee members.

The committee's opinion is that your pre-proposal is not a leading candidate for funding in this round, and the committee therefore does not invite you to submit a full proposal. This decision is advisory, and you can still choose to submit a full proposal by June 15th, following the detailed structure described in the Call for Proposals. Note that if the full proposal is substantially the same as discussion so far reflects, then it's unlikely to be chosen for funding; and if it isn't, then we encourage you to post a draft (or at least answer any open questions) as early as possible, to allow for community feedback. Regardless of your choice, we thank you for participation thus far.

sonyamann commented 5 years ago

No further discussion is expected on this issue, so I'm closing it.