satoshilabs / slips

SatoshiLabs Improvement Proposals
Creative Commons Attribution Share Alike 4.0 International

SLIP-0039 - How to compute Master Secret from PMS and vice versa #511

Closed Sharpiro closed 5 years ago

Sharpiro commented 5 years ago

Below are my notes/questions on the oddities of converting from Master Secret to PMS and back again.

I may just be unclear on two different share creation processes here. One process where a Master Secret is generated for the user, and another process where a user provides his own Master Secret. But I think it would help to clear these up and show the full steps for both.

Sorry for creating several issues, but this is a very interesting topic to me, and I'd like to see this SLIP improve and be certified. This will be my last issue until all of the current SLIP-0039 issues are resolved.

andrewkozlik commented 5 years ago

The user can choose their master secret (e.g. if they are migrating a BIP-32 wallet from BIP-39 mnemonics to the new secret sharing scheme) or have one generated randomly. In both cases the process of share creation is the same. The master secret is encrypted using the passphrase and then split into shares using Shamir's secret sharing scheme. Each share is then encoded into mnemonics so that it can be written down easily.

We have recently made some major updates to the spec:

So to answer your questions (I am using the new terminology):

  • If a user provides a Master Secret, how does one compute the PMS?

The encrypted master secret is computed as EMS = Encrypt(MS, P, e, id), where e is the iteration exponent (a new feature).

  • Under the key derivation section, for recovery, the Secret is the encryption of the PMS

The MS is the decryption of the EMS.

  • Is the MSDF-1(inverse) function under the create shares process somehow a decryption?

MSDF-1 is now referred to as encryption.

  • S = MSDF(PMS, P, id, T)
    • key = PBKDF2(passphrase, salt)
    • S = encrypt(key, PMS)

What you describe looks like Proposal 2 or 3 in the previous version of the spec. We decided to go with Proposal 1. See https://github.com/satoshilabs/slips/blob/master/slip-0039.md#decryption-of-the-master-secret

  • PMS = MSDF-1(S, P, id, T) // what is this function?
    • key = PBKDF2(passphrase, salt)
    • PMS = decrypt(key, S) // how would this work?

As above, see https://github.com/satoshilabs/slips/blob/master/slip-0039.md#encryption-of-the-master-secret

  • If a secret is provided at share creation, how is it derived from the PMS at share recovery through encryption, when the PMS is derived from the secret at creation? (confusing)

At share creation the EMS (previously called PMS) is derived from the master secret as EMS = Encrypt(MS, P, e, id). At share recovery the master secret is derived from the EMS as MS = Decrypt(EMS, P, e, id).

Sorry for the delayed response.
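The Encrypt/Decrypt pair described in the reply above, as an added Python example that is not part of the original thread and is not the project's reference implementation. It follows the construction in the spec sections linked above: a four-round Feistel network whose round function F(i, R) is PBKDF2-HMAC-SHA256 with password i || P, salt "shamir" || id || R, 2500 << e iterations per round (10000 << e in total) and output length len(R). The identifier is assumed to be encoded as a 2-byte big-endian value, the passphrase as raw bytes, and the sample master secret, passphrase and identifier in `demo()` are constructed for illustration. A later spec revision added an "extendable" backup flag that drops the identifier from the salt; this example does not implement that.

```python
import hashlib

# Constants as stated in SLIP-0039.
ROUND_COUNT = 4
BASE_ITERATION_COUNT = 10000      # total PBKDF2 iterations when e = 0; 2500 per round
CUSTOMIZATION_STRING = b"shamir"
ID_LENGTH_BYTES = 2               # assumption: 15-bit id encoded big-endian in 2 bytes
MAX_ITERATION_EXPONENT = 15       # e is a 4-bit field


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(i: int, passphrase: bytes, e: int, identifier: int, r: bytes) -> bytes:
    """F(i, R) = PBKDF2(HMAC-SHA256, password = i || P, salt = "shamir" || id || R,
    iterations = 2500 << e, dkLen = len(R))."""
    salt = CUSTOMIZATION_STRING + identifier.to_bytes(ID_LENGTH_BYTES, "big") + r
    return hashlib.pbkdf2_hmac(
        "sha256",
        bytes([i]) + passphrase,
        salt,
        (BASE_ITERATION_COUNT << e) // ROUND_COUNT,
        dklen=len(r),
    )


def _feistel(data: bytes, passphrase: bytes, e: int, identifier: int, rounds) -> bytes:
    """Run the Feistel rounds in the given order. Encryption and decryption differ
    only in the order of the round indices; the final swap (returning R || L)
    makes the same loop its own inverse."""
    if len(data) < 16 or len(data) % 2 != 0:
        raise ValueError("master secret must be an even number of bytes, at least 128 bits")
    if not 0 <= identifier < (1 << 15):
        raise ValueError("identifier must be a 15-bit integer")
    if not 0 <= e <= MAX_ITERATION_EXPONENT:
        raise ValueError("iteration exponent must be in 0..15")
    half = len(data) // 2
    l, r = data[:half], data[half:]
    for i in rounds:
        l, r = r, _xor(l, _round_function(i, passphrase, e, identifier, r))
    return r + l


def encrypt(master_secret: bytes, passphrase: bytes, e: int, identifier: int) -> bytes:
    """EMS = Encrypt(MS, P, e, id): rounds 0, 1, 2, 3."""
    return _feistel(master_secret, passphrase, e, identifier, range(ROUND_COUNT))


def decrypt(ems: bytes, passphrase: bytes, e: int, identifier: int) -> bytes:
    """MS = Decrypt(EMS, P, e, id): rounds 3, 2, 1, 0."""
    return _feistel(ems, passphrase, e, identifier, reversed(range(ROUND_COUNT)))


def demo() -> dict:
    """Round-trip a constructed 128-bit master secret and show that a wrong
    passphrase or identifier decrypts to a different, but still valid-looking, MS."""
    master_secret = bytes(range(16))          # constructed sample, not a real secret
    passphrase = b"TREZOR"                     # constructed sample passphrase
    identifier = 0x1234                        # constructed sample 15-bit identifier
    e = 0
    ems = encrypt(master_secret, passphrase, e, identifier)
    return {
        "ems": ems,
        "round_trip": decrypt(ems, passphrase, e, identifier),
        "wrong_passphrase": decrypt(ems, b"wrong", e, identifier),
        "wrong_identifier": decrypt(ems, passphrase, e, identifier + 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:17} {value.hex()}")
```

Note that `decrypt` never fails: a wrong passphrase or a mismatched identifier simply yields a different master secret of the same length, which is why recovery has to be checked against the wallet rather than against the decryption routine. The identifier in the salt also means the same MS and passphrase give a different EMS for each share set.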

Sharpiro commented 5 years ago

Thanks, I'll keep this in mind as I learn the new process.