oed / seedsplit

Use Shamir's Secret Sharing scheme to split a seed mnemonic for crypto wallets into multiple mnemonics.
MIT License

Divorce dizzy doctor and entropy size #7

Closed Shulyaka closed 6 years ago

Shulyaka commented 6 years ago

Hi,

I have noticed a few issues with the sharded phrases, which might be related and have a common cause, so I don't want to create a separate issue for each unless advised otherwise:

  1. The first word for a sharded phrase does not seem to be random enough, which is suspicious. The first 3 phrases always start with 'divorce', next 4 start with 'dizzy' and so on. The beginning of the phrase is either redundant or means the entropy is not random enough.
  2. The sharded phrase is longer than the original one. As far as I understand Shamir's Secret Sharing, the sharded key should be of the same size as the original key. Please see the 'minimal' property on Wikipedia: https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing#Properties. One of the implications of this is that you cannot use tools like cryptosteel mnemonic to store the sharded phrases.
  3. The sharded phrase seems to be an incorrect mnemonic phrase. This can be shown by trying to split the resulting phrase again.

Demonstration:

[denis@localhost ~]$ echo "any brain size about february pupil maximum model bright convince cabbage sister" | wc -w
12
[denis@localhost ~]$ echo "any brain size about february pupil maximum model bright convince cabbage sister" | seedsplit split -t 2 -s 3
Enter seed mnemonic:
divorce episode heavy wrong input bless media canoe tragic wagon feed town sugar fork
divorce nuclear split raw fantasy fury essay pyramid vendor smoke thumb detect write actress
divorce table project keep refuse empower husband step alert chest miss lunch bomb skirt
[denis@localhost ~]$ echo "divorce episode heavy wrong input bless media canoe tragic wagon feed town sugar fork" | wc -w
14
[denis@localhost ~]$ echo "divorce episode heavy wrong input bless media canoe tragic wagon feed town sugar fork" | seedsplit split -t 2 -s 3
Enter seed mnemonic:
readline.js:1021
            throw err;
            ^

Error: Invalid mnemonic
    at Object.mnemonicToEntropy (/usr/lib/node_modules/seedsplit/node_modules/bip39/index.js:65:37)
    at Object.split (/usr/lib/node_modules/seedsplit/lib/seedsplit.js:11:19)
    at result (/usr/lib/node_modules/seedsplit/bin/cli.js:29:36)
    at prompt.get (/usr/lib/node_modules/seedsplit/bin/cli.js:60:7)
    at /usr/lib/node_modules/seedsplit/node_modules/prompt/lib/prompt.js:336:32
    at /usr/lib/node_modules/seedsplit/node_modules/async/lib/async.js:154:25
    at assembler (/usr/lib/node_modules/seedsplit/node_modules/prompt/lib/prompt.js:333:9)
    at /usr/lib/node_modules/seedsplit/node_modules/prompt/lib/prompt.js:342:32
    at /usr/lib/node_modules/seedsplit/node_modules/prompt/lib/prompt.js:625:5
    at Interface.onLine (/usr/lib/node_modules/seedsplit/node_modules/read/lib/read.js:111:5)

Best regards, Denis Shulyaka

oed commented 6 years ago

Hey, thanks for the feedback

  1. That's right, the first bytes of the shard encode the number of the shard, so it will always be the same or similar
  2. In most implementations of sss this is not the case, and I do not intend to do my own implementation
  3. Hm, yes this is probably because of the length!

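
The three observations in the issue (a repeated leading word, shares longer than the seed, and a share that is not a valid BIP39 mnemonic) all follow from how a share index gets packed next to the share payload. The following is an added example, not seedsplit's code or the sss library it uses: a small Shamir split/combine over GF(2^8) on 16 constructed entropy bytes, plus two structural checks. It assumes a layout in which one index byte (the polynomial's x-coordinate) is prepended to a payload the same length as the secret; seedsplit's actual layout is not shown on this page, and the BIP39 checksum itself is not verified here because that needs the 2048-word list.

```python
# Added example (not seedsplit's code): Shamir's Secret Sharing over GF(2^8)
# on BIP39 entropy, with the structural checks behind this issue's three
# observations. The "index byte first" share layout is an assumption.
import secrets

AES_POLY = 0x1B  # reduction polynomial x^8 + x^4 + x^3 + x + 1 (the AES field)


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= AES_POLY
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 in GF(2^8) (a must be nonzero)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def eval_poly(coeffs: bytes, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ..."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split(secret: bytes, threshold: int, shares: int) -> list:
    """Return `shares` shares, any `threshold` of which recover `secret`.

    Share layout (assumed): one index byte x in 1..shares, then a payload the
    same length as the secret. The payload is the 'minimal' part; the index
    byte is the overhead that makes the share one byte longer than the seed.
    """
    if not 1 <= threshold <= shares <= 255:
        raise ValueError("need 1 <= threshold <= shares <= 255")
    # One random polynomial per secret byte; the constant term is the secret byte.
    polys = [bytes([b]) + secrets.token_bytes(threshold - 1) for b in secret]
    return [bytes([x]) + bytes(eval_poly(p, x) for p in polys)
            for x in range(1, shares + 1)]


def combine(shares: list) -> bytes:
    """Recover the secret by Lagrange interpolation at x = 0 over GF(2^8)."""
    xs = [s[0] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = bytearray()
    for i in range(len(shares[0]) - 1):
        acc = 0
        for j, sj in enumerate(shares):
            num = den = 1
            for k, xk in enumerate(xs):
                if k != j:
                    num = gf_mul(num, xk)          # (0 - x_k) == x_k in characteristic 2
                    den = gf_mul(den, xs[j] ^ xk)  # (x_j - x_k) == x_j XOR x_k
            acc ^= gf_mul(sj[1 + i], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


def bip39_words_for_entropy(nbytes: int):
    """Word count of a valid BIP39 mnemonic for `nbytes` of entropy, or None.

    BIP39 takes 128..256 bits in 32-bit steps, appends ENT/32 checksum bits and
    packs 11 bits per word: 16 bytes -> 12 words, 32 bytes -> 24 words. Any
    other byte length (e.g. 17, a share with one index byte) has no valid size.
    """
    bits = nbytes * 8
    if bits % 32 or not 128 <= bits <= 256:
        return None
    return (bits + bits // 32) // 11


def leading_word_index(data: bytes) -> int:
    """Wordlist index (0..2047) of the first word when `data` is packed 11 bits per word.

    The first 8 of those 11 bits come from data[0]; if that is a fixed index
    byte, the first word is confined to a window of 8 consecutive list entries.
    """
    return ((data[0] << 3) | (data[1] >> 5)) & 0x7FF


def demo(secret: bytes = bytes(range(16)), threshold: int = 2, n: int = 3) -> dict:
    """2-of-3 split of 16 constructed entropy bytes; collects the facts discussed above."""
    shares = split(secret, threshold, n)
    return {
        "share_len": len(shares[0]),                       # 17: index byte + 16 payload bytes
        "payload_len": len(shares[0]) - 1,                 # 16: same as the secret (minimal)
        "recovered_ok": all(combine(shares[i:i + threshold]) == secret
                            for i in range(n - threshold + 1)),
        "words_for_secret": bip39_words_for_entropy(len(secret)),    # 12
        "words_for_share": bip39_words_for_entropy(len(shares[0])),  # None
        "first_word_window": leading_word_index(shares[0]) // 8,     # 1 for index byte 0x01
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two points worth keeping in mind when reading the output. `combine` needs each share's x-coordinate, so the index cannot simply be deleted: it can only be moved out of the mnemonic (for example, recorded as which envelope a share came from), which is what removing the telltale leading word amounts to. And a share that is one byte longer than the seed has no valid BIP39 word count, so any mnemonic built from it is, by construction, not a standard seed phrase, whichever wordlist is used.
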
Shulyaka commented 6 years ago

Hi Joel,

If you remove the number of the shard, would it make the sharded key the same length? Why do we need the shard number anyway? As far as I know, the shards can be used in any order. I can think of several advantages that this would provide if it works:

  1. Convenience: ability to use tools like cryptosteel mnemonic or generally anything else designed for a standard mnemonic phrase or entropy format
  2. Security: a thief who encounters a shard might look at it and think: "Aha, 'divorce', that's probably seedsplit used, let's look for more shards!"
  3. Plausible deniability: One might use a single shard as a wallet key and keep a small sum of money on it. If he is then unwillingly forced to reveal his key he can hand over this single shard, then deny that there are other shards and insist that it is all the money he has.
  4. Split shards even further to create a more complex scheme of trust. I.e. I will be able to share the shards between groups (several people from several groups) so that several shards are required to restore the original seed but members from a single group cannot do it alone and would require cooperation from another group. I admit that's a rare use case but there might be more common ones that I just can't imagine right now.

oed commented 6 years ago

I'm not sure if it will work. If you decide to play around with it, let me know! Also, I'm planning on switching to this sss library in the future.

Shulyaka commented 6 years ago

Because the issue is actually in the underlying library, I suggest to close it here, at least for now. Thank you!