trezor / python-shamir-mnemonic

MIT License

Unexpectedly long shares of 59 words #15

Closed jonathancross closed 5 years ago

jonathancross commented 5 years ago

When experimenting with this tool, I am getting shares that are 59 words long each.

I am using a BIP39 hex seed generated with this tool such as 057cc8d68a601e3e8d37c21765b2883e54e5539751a8b4f911ff1a7692d784eac3ca2657b1942e2f63b878d9dce30c61eeb298c74ccf73b1cd9e6e7da610e737 corresponding to the phrase focus list total arrow disease announce latin elbow adult inside ethics nasty.

shamir create --master-secret "057cc8d68a601e3e8d37c21765b2883e54e5539751a8b4f911ff1a7692d784eac3ca2657b1942e2f63b878d9dce30c61eeb298c74ccf73b1cd9e6e7da610e737" 3of5

Another SSSS tool from Ian Coleman (https://iancoleman.io/shamir39/) somehow produces shares only 15 words long for the same 12-word seed phrase.

Am I doing something wrong here? Perhaps I misunderstood the expected BIP39 seed format?

matejcik commented 5 years ago

This is a reference implementation of SLIP39. Ian's tool is using their own draft standard Shamir39, which generates shares differently; AFAICT it is simply re-encoding the BIP39 mnemonic, as opposed to SLIP39 which encodes the underlying data directly. Because of how BIP39 produces the underlying data, the result is always a 512-bit secret, which encodes to 59 words under SLIP39.

andrewkozlik commented 5 years ago

Firstly let me emphasize what matejcik already mentioned, that SLIP39 and Ian's Shamir39 are not compatible.

If your intent is to migrate a BIP39 mnemonic to SLIP39 shares, then what you are doing is correct and the length of the shares will indeed be 59 words because the BIP39 seed is 512 bits long. However, migrating a BIP39 mnemonic to SLIP39 shares is not recommended. One reason for this is that it bloats the number of words. It is better to randomly generate a new 128-bit seed (using "shamir create 3of5") and move any funds from the old BIP39 seed to the new SLIP39 seed.

If your intent is not migration from BIP39 to SLIP39, then just use "shamir create 3of5". In this case there is no reason to provide the --master-secret parameter.

jonathancross commented 5 years ago

Thank you for the follow-up @andrewkozlik -- this helps tremendously. Yes, I was using the BIP39 seed rather than the raw seed (referred to simply as "Entropy" in Ian's BIP39 tool).

For anyone else coming across this:

Using a 128-bit seed reduces the number of words in each share to 20 -- much more manageable (even if longer than the 15 used in Ian's system). 256-bit seed = 33 words / share.

Cheers!
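The share lengths discussed in this thread (59, 20 and 33 words) can be reproduced with the sketch below, which is an added example and not part of the thread or of the project's own code. It assumes the SLIP39 share layout of 10-bit words with 2 words of identifier/exponent, 2 words of index/threshold fields and a 3-word checksum; all function and constant names are illustrative.

```python
import hashlib
import unicodedata

# Assumed SLIP39 share layout; each word carries 10 bits (1024-word list).
RADIX_BITS = 10
ID_EXP_WORDS = 2     # identifier + iteration exponent fields (20 bits)
INDEX_WORDS = 2      # group/member index, threshold and count fields (20 bits)
CHECKSUM_WORDS = 3   # RS1024 checksum (30 bits)

# The 12-word phrase quoted in the issue.
PHRASE = ("focus list total arrow disease announce latin elbow "
          "adult inside ethics nasty")


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes for any phrase length."""
    def nfkd(text: str) -> bytes:
        return unicodedata.normalize("NFKD", text).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic),
                               nfkd("mnemonic" + passphrase), 2048)


def bip39_entropy_bits(word_count: int) -> int:
    """Entropy behind a BIP39 phrase: 11 bits per word, 1 checksum bit per 32 entropy bits."""
    if word_count not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 phrases have 12, 15, 18, 21 or 24 words")
    return word_count * 11 * 32 // 33


def slip39_share_words(secret_bits: int) -> int:
    """Words per share for a master secret of the given size."""
    if secret_bits < 128 or secret_bits % 16:
        raise ValueError("secret must be >= 128 bits and a multiple of 16 bits")
    value_words = -(-secret_bits // RADIX_BITS)  # ceiling division, value is zero-padded
    return ID_EXP_WORDS + INDEX_WORDS + value_words + CHECKSUM_WORDS


if __name__ == "__main__":
    seed = bip39_seed(PHRASE)
    entropy_bits = bip39_entropy_bits(len(PHRASE.split()))
    print("BIP39 seed bits:", len(seed) * 8,
          "-> words per share:", slip39_share_words(len(seed) * 8))
    print("BIP39 entropy bits:", entropy_bits,
          "-> words per share:", slip39_share_words(entropy_bits))
```

Passing the PBKDF2 output as the master secret always lands in the 512-bit row, regardless of how short the original phrase was; the entropy behind a 12-word phrase is only 128 bits.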