I found a vulnerability in the implementation of the scheme that allows an attacker to directly recover some content of share C with only shares A and B in a 3 of 5 threshold scheme. It works in most cases but not all, depending on the entropy.
If a mnemonic phrase 'S' is split into 3 of 5 shares where shares 'A', 'B' and 'C' are sufficient to restore the secret 'S', and only A and B are used to restore a mnemonic phrase with the mnemonic tool, an output 'C' is generated; that output 'C' is then used in place of 'B' to generate output 'D', and the process is repeated over and over. The outputs C, D, ... form the words that make up C.
For example,
S = stuff execute bounce auto brisk orbit creek ticket miracle bleak desk audit
This passphrase was split using the mnemonic tool with a 3 of 5 threshold scheme, in which A, B and C are sufficient to reproduce the secret 'S', where
A = lend green anchor album custom grape repeat easily inflict ring million plate
B = fuel shove embrace track photo truly cart supply action old fancy rent
C = buffalo eagle copy main orient toe brown clump draft negative split ride
When A and B are used to restore the mnemonic we get A + B => D:
D = giggle abuse marine emotion stereo onion demand soft found foam wild dust
D doesn't have any words that C has but continuing the process
A + D => E
E = invest duty remove science angry crouch bitter target palm buffalo bulk twelve
WE HAVE 1 PHRASE 'BUFFALO'
A + E => F
F = quit fun robust viable toe fold city tragic view ladder powder meat
WE HAVE ANOTHER PHRASE 'TOE'
A + F => Non unique or invalid shares
D + B => Non unique or invalid shares
E + B => G
G = fiber later dynamic ride below stadium magnet alien lab high bachelor favorite
WE HAVE ANOTHER PHRASE 'RIDE'
F + B => Non unique or invalid shares
G + B => Non unique or invalid shares
D + E => H
H = grab copy pulp large stomach donate gap canoe gloom chase often confirm
WE HAVE ANOTHER PHRASE 'COPY'
D + F => Non unique or invalid shares
D + G => Non unique or invalid shares
E + F => Non unique or invalid shares
E + G => Non unique or invalid shares
E + H => I
I = auto flavor eagle alley horror culture capital nose ranch beauty sure notice
WE HAVE ANOTHER PHRASE 'EAGLE'
E + I => J
J = vanish enlist paper junk off grunt typical october abuse jump absent cart
NOTHING HERE
J + I => K
K = breeze brown jump modify radio opinion auction magic indicate favorite disease define
WE HAVE ANOTHER PHRASE 'BROWN'
Each of the phrases above has at least one word that makes up share 'C'; every other step gave the "Non unique or invalid shares" error. This means that the attacker has only very few words to play with and can get the mnemonic in no time.
Following this process the attacker was able to retrieve six words, including the checksum word: BUFFALO, EAGLE, COPY, TOE, BREEZE and the checksum word RIDE.
This vulnerability directly exposes the content of Share 'C' with only two known shares in a 3 of 5 scheme implementation.
My Email: oshinemmanuel27@gmail.com
BTC Address: bc1qep7ln5dn6wkmefkw2vmy2r68sw49sde78fvu5x
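As an added triage check (this is not part of the report above and not code from the mnemonic tool), the script below tallies the word overlaps between share C and the outputs D to K exactly as they are listed in the report, and compares the observed count with what an unrelated, uniformly random 12-word phrase would share with C by coincidence. The 2048-word BIP39-style list size and the independent-uniform word model are assumptions; the phrases themselves are copied from the report.

```python
import math

# Assumption: the tool draws from a 2048-word BIP39-style list, and each word
# of an unrelated phrase is modelled as an independent uniform draw from it.
WORDLIST_SIZE = 2048
PHRASE_LEN = 12

# Phrases copied verbatim from the report above.
SHARE_C = "buffalo eagle copy main orient toe brown clump draft negative split ride".split()
OUTPUTS = {
    "D": "giggle abuse marine emotion stereo onion demand soft found foam wild dust".split(),
    "E": "invest duty remove science angry crouch bitter target palm buffalo bulk twelve".split(),
    "F": "quit fun robust viable toe fold city tragic view ladder powder meat".split(),
    "G": "fiber later dynamic ride below stadium magnet alien lab high bachelor favorite".split(),
    "H": "grab copy pulp large stomach donate gap canoe gloom chase often confirm".split(),
    "I": "auto flavor eagle alley horror culture capital nose ranch beauty sure notice".split(),
    "J": "vanish enlist paper junk off grunt typical october abuse jump absent cart".split(),
    "K": "breeze brown jump modify radio opinion auction magic indicate favorite disease define".split(),
}


def shared_words(target, phrase):
    """Words of `phrase` that occur anywhere in `target` (position ignored)."""
    wanted = set(target)
    return [w for w in phrase if w in wanted]


def same_position_matches(target, phrase):
    """(index, word) pairs where `phrase` and `target` agree in the same slot."""
    return [(i, w) for i, (w, t) in enumerate(zip(phrase, target)) if w == t]


def tally(target, outputs):
    """Map each output name to the list of words it shares with `target`."""
    return {name: shared_words(target, phrase) for name, phrase in outputs.items()}


def p_any_overlap(n_target=PHRASE_LEN, n_phrase=PHRASE_LEN, size=WORDLIST_SIZE):
    """Probability that a random n_phrase-word phrase shares at least one word,
    in any position, with a fixed phrase of n_target distinct words."""
    return 1.0 - (1.0 - n_target / size) ** n_phrase


def p_same_position_overlap(n_phrase=PHRASE_LEN, size=WORDLIST_SIZE):
    """Probability that a random phrase agrees with a fixed phrase in at least one slot."""
    return 1.0 - (1.0 - 1.0 / size) ** n_phrase


def binomial_tail(n, k, p):
    """P[X >= k] for X ~ Binomial(n, p): the chance of k or more overlapping
    phrases out of n if every overlap were pure coincidence."""
    return sum(math.comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(k, n + 1))


def summarize(target=SHARE_C, outputs=OUTPUTS):
    """Observed overlap figures next to the chance baseline."""
    hits = tally(target, outputs)
    n_hit = sum(1 for words in hits.values() if words)
    p = p_any_overlap()
    return {
        "phrases": len(outputs),
        "phrases_with_overlap": n_hit,
        "words_found": sorted({w for words in hits.values() for w in words}),
        "same_slot_hits": sum(len(same_position_matches(target, ph)) for ph in outputs.values()),
        "p_overlap_per_phrase": p,
        "expected_overlapping_phrases": len(outputs) * p,
        "p_at_least_observed_by_chance": binomial_tail(len(outputs), n_hit, p),
    }


if __name__ == "__main__":
    for name, words in tally(SHARE_C, OUTPUTS).items():
        print(f"{name}: {words or '-'}")
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Run as a script it prints the per-phrase overlaps and the summary. The `p_overlap_per_phrase` figure (about 6.8% under the stated model) is the rate at which an unrelated random phrase would share at least one word with C, so the comparison with the observed count is the first thing a triager would want before looking at the tool's code; the `same_slot_hits` count separates position-preserving matches, which a per-word share arithmetic would produce, from matches at arbitrary positions.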