iancoleman / shamir39

Split BIP39 mnemonics using Shamir's Secret Sharing Scheme
https://iancoleman.github.io/shamir39/
MIT License

Consider making shamir mnemonics BIP39 compatible on their own #1

Open iancoleman opened 6 years ago

iancoleman commented 6 years ago

Aside from the leading 'version' word in shamir mnemonics, it may be useful for them to be bip39 compatible. Currently they don't have a checksum so are reported as invalid by most bip39 software*

Inspired by https://www.reddit.com/r/btc/comments/6y5q11/shamir39_mashup_of_bip39_mnemonics_and_shamirs/dmkzzzs/

I like the idea. You could store some bitcoins on each of the Shamir39 shares to mislead a thief and as a honeypot to see if one of the parts has been compromised.

* See bip39 spec > Although using a mnemonic not generated by the algorithm described in "Generating the mnemonic" section is possible, this is not advised and software must compute a checksum for the mnemonic sentence using a wordlist and issue a warning if it is invalid.

sir-lebowski commented 6 years ago

+1

I also saw this on Reddit and think it’s a great idea.

Anyone willing to go through the trouble of splitting a key would greatly appreciate a bip39 compatible part.

The honeypot is exceptional and there is not a great reason to give up that you’re trying to Shamir something.

Input parts would be best if they were valid with or without the leading "shamir39", and one word longer to make a valid 39 checksum would be great!
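The checksum the opening post says shares currently lack, and the "one word longer" idea in the comment above, as an added example that is not the shamir39 tool's own code. It works on 11-bit word indices rather than words (the wordlist lookup is assumed to happen elsewhere; in the English list "abandon" is 0, "about" is 3 and "art" is 102), and `pad_share_to_bip39` is a hypothetical helper that zero-pads a share to a full entropy length and appends the word carrying the checksum:

```python
import hashlib


def checksum_bits(entropy: bytes) -> str:
    """BIP39 checksum: the first len(entropy)*8/32 bits of SHA256(entropy)."""
    cs_len = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    return "".join(f"{b:08b}" for b in digest)[:cs_len]


def entropy_to_indices(entropy: bytes) -> list:
    """Standard BIP39 encoding: entropy || checksum, cut into 11-bit word indices."""
    bits = "".join(f"{b:08b}" for b in entropy) + checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def is_valid_bip39(indices: list) -> bool:
    """True if the 11-bit indices form a checksummed BIP39 sentence (12..24 words).

    This is the check the spec says wallets must perform; an unchecksummed share
    fails here, which is why most bip39 software reports it as invalid."""
    n = len(indices)
    if n % 3 != 0 or not 12 <= n <= 24:
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(f"{i:011b}" for i in indices)
    ent_len = n * 11 * 32 // 33          # 11n = ENT + ENT/32
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    return bits[ent_len:] == checksum_bits(entropy)


def pad_share_to_bip39(share: list) -> list:
    """Hypothetical 'one word longer' helper (assumption, not the tool's format):
    treat an 11-, 14-, 17-, 20- or 23-word share as the leading entropy bits,
    zero-pad the remaining entropy bits, and append the final word that carries
    them plus the checksum, so the result passes is_valid_bip39()."""
    n = len(share) + 1
    if n % 3 != 0 or not 12 <= n <= 24:
        raise ValueError("share must be 11, 14, 17, 20 or 23 words")
    ent_len = n * 11 * 32 // 33
    bits = "".join(f"{i:011b}" for i in share)
    bits = bits + "0" * (ent_len - len(bits))     # pad to the full entropy length
    entropy = int(bits, 2).to_bytes(ent_len // 8, "big")
    return entropy_to_indices(entropy)
```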

jhoenicke commented 6 years ago

I'm not sure if it is useful to camouflage the shamir39 seed as normal bip39 seed. You would have to omit the configuration word, which makes it hard to recover the seed.

Maybe a better way is to not include M in the seed. If you combine too many shares, you will still get the same seed, but if you combine too few, you will get a different random seed. You could use these as honeypots and even see which shares leaked (although it requires a quadratic number of honeypots).

A checksum or even some ECC code on the other hand is useful. People make mistakes writing down their seed. I would suggest some BCH or Reed-Solomon code over GF(2^11), so it can correct a wrong word.

jamesoflol commented 6 years ago

Just throwing in my 2c that I also don't see too much value in the camouflage/honeypot. As much as that is kinda cool, I'm not a huge fan of relying on obscurity as a security measure. Keeping in mind that it is serving two key security tenets: Confidentiality (no one else can get my coins) and Availability (I can definitely get to my own coins). That is to say, I'm a bit more worried that my future self will forget what the hell a shamir is, than I am that a burglar will be able to figure out what a shamir is, then find another of my hiding places, and steal my stuff all before I've noticed anyone came by at all.

klingebj commented 6 years ago

FYI - sharing at the suggestion of @gaillard https://github.com/klingebj/shamir_bip39_2039/issues/2

stefek99 commented 6 years ago

I really like the idea.

Just like truecrypt with hidden volume - plausible deniability.

Great work, much appreciated.

drhus commented 6 years ago

Definitely, a 39 checksum for the shares would be very useful (I have no strong opinion about including M in the seed or not, but would be happy to see that as optional).

A use case is me/you splitting their mnemonic for safe storage, but multisig-style use is more common. Imagine 3 partners, each has his own seed/mnemonic which he could be using day to day; that same mnemonic can be a share on shamir39 for the partnership fund or something.

drhus commented 6 years ago

I'm having a difficult time understanding the value added of Shamir39. I mean, why do we want the shares to be mnemonics exactly? Is it just for the simplicity of writing mnemonics down? Because at the end of the day, if the shares are not usable by themselves, any SSSS library including Ian's one https://iancoleman.io/shamir/ should work just fine and can be used to split your BIP39 mnemonic.

stefek99 commented 6 years ago

> the value added of Shamir39 I mean why do we want the shares to be mnemonics exactly

RTFM:

> A tool for converting BIP39 mnemonic phrases to shamir secret sharing scheme parts whilst retaining the benefit of mnemonics.

> benefit of mnemonics

The reason to use Shamir39 over regular Shamir is mnemonicability.

drhus commented 6 years ago

Exactly! While it's extremely difficult to memorize by heart tens of 256-bit private keys, and you don't want to save them written down to avoid a SPOF, you go for a single mnemonic phrase seed which you could literally memorize by heart (if you wish to). Shamir39 shares wouldn't be used this way (no one will memorize them by heart; standalone they have no value nor significant risk). I'm arguing that the vast, vast majority would just copy/paste their Shamir39 shares and probably handle them less securely than if it was actually an HD mnemonic that allows derived addresses, to be used as ID, wallet etc.

stefek99 commented 6 years ago

I'm not a prophet.

I'm not making statements on behalf of majority.


I'm usually considered a freak.

(note that I've used the pronoun I four times already)

Now goes the 5th time - I'd do exactly that - handle less securely - share with 5 friends, just like Facebook recovery mechanism. That's the whole point of handling them less securely...

iancoleman commented 6 years ago

> why do we want the shares to be mnemonics

It's a simpler / shorter way to encode entropy (in this case shares of entropy). Otherwise you either have a) very long shares compared to the original mnemonic or b) random strings that are really only useful to computers (not humans) be it QR codes or binary files or base64 encoding or whatever.

> if the shares not usable by itself, any SSSS library including Ian's one https://iancoleman.io/shamir/ should work just fine and can be used to split your BIP39 mnemonic.

True, any other ssss can be used.

But a mnemonic can be recorded with pen and paper more easily than a random sequence of characters. Errors can also be corrected. Mnemonics have many advantages, and in this tool those advantages translate directly to shamir shares. I think ssss is fine for computers, but mnemonics are far superior for manual recording / recovering of secrets / shares.

> vast vast majority would just copy/past their Shamir39 shares

This is not true. This misses the entire point of mnemonics.

Most of your points are valid opinions but there are good reasons for using mnemonics for shares. Not all use cases require them, but for those which do it makes life much easier.

I'm always happy to consider adding features but it seems the criticisms put forth don't present any opportunity for changing or improving this tool.

drhus commented 6 years ago

It's a great and unique tool; I'm using it personally and recently professionally for the firm fund with 7 partners. I didn't want to criticize but to express a desire for adding the checksum, so we have ssss with the elegance of being able to use the shares as seeds.

Ssss has plenty of uses, especially bringing UX usability to the mainstream (and my grandma :)). Look how beautiful a 2-of-3 scheme is where 1 share is with me, one share with the exchange and one share with the 3rd party, which can be the ID people, the KYC firm. Every time I access the exchange online I enter my share and client-side the wallet will be unlocked; I will be able to use the exchange but they aren't a custodian, and still I can recover my access (what a regular client would call a "share") from the 3rd party. All of this can happen underneath, adding the smooth email-password-recovery-style experience to online wallets, safely.

Thank you again Ian

jonathancross commented 4 years ago

Satoshi Labs seems to be working on a standard for this: SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes

EDmitry commented 4 years ago

The big benefit of this (Shamir39) proposal is an ability to still use and memorize 24-word seed. With SLIP-0039 it doesn't seem to be possible (https://github.com/trezor/python-shamir-mnemonic/issues/15).

monperrus commented 3 years ago

I love when @iancoleman writes "There are no alternative implementations, meaning you are totally dependent on this tool if you use it". Indeed, having a diversity of implementations is so important for reliability (recall the good old n-version programming).

FYI, there are some compatible implementations of Shamir+mnemonic, see

(comment updated based on issues on slip39)