trezor / python-shamir-mnemonic

MIT License

Group Param #5

Closed willcl-ark closed 5 years ago

willcl-ark commented 5 years ago

Ref: https://github.com/trezor/python-shamir-mnemonic/blob/f1ccc2f18e60b742431e3e1a90cd527b558847c8/shamir_mnemonic/shamir_mnemonic.py#L532

Does this 'Groups' parameter mean that each share can be further sub-split into sub-shares, or am I confusing something?

To generate, for example, a standard 2-of-3, do I use this code:

import shamir_mnemonic

sm = shamir_mnemonic.ShamirMnemonic()
mnemonic = sm.generate_mnemonics(2, [(1, 1), (1, 1), (1, 1)], b"secret phrase here")

or should I be using:

mnemonic = sm.generate_mnemonics(2, [(2, 3), (2, 3), (2, 3)], b"secret phrase here")

This second one seems to generate 3 x 3 fragments, and I need 2 x (2 of 3) to recombine, right?

willcl-ark commented 5 years ago

Also before closing this (non) issue (sorry if this is not the best way to ask questions, please let me know if not!), I would be interested to know if this repository has had much cryptographical review and if/when it might be considered ready for public use?

matejcik commented 5 years ago

We use a two-level scheme, where you can specify M-of-N groups required, and each group can require K-of-L shares to complete.

To accomplish a simple 3-of-5 share, we recommend using 1-of-1 groups with 3-of-5 shares, i.e.:

sm.generate_mnemonics(1, [(3, 5)], b"")

This is also what the CLI tool does when generating this scheme, and what Trezor will use.

This code was written by our cryptographers, so yes, there's cryptographical review :) But no guarantees for the Python code as to side channels etc.

willcl-ark commented 5 years ago

@matejcik many thanks for your reply. It raises only one more question for me: is there any practical or security difference between

sm.generate_mnemonics(1, [(3, 5)], b"")

and

sm.generate_mnemonics(3, [(1, 1), (1, 1), (1, 1), (1, 1), (1, 1)], b"")

Both are going to result in a 3-of-5 requirement as far as I can tell, but one is by "groups" and one is by "shares", I think?

Now that I understand more, I certainly agree that your suggestion to use 1 group of (3, 5) shares makes the most sense, but I am just wondering if groups and shares have the same security (I presume that they do).

matejcik commented 5 years ago

No security difference that I can think of. Each group reconstructs a Shamir share, which is then used to reconstruct the master secret. It doesn't matter where in the hierarchy you decide to do the split.

As for practical, there are two:
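The two-level scheme matejcik describes (M-of-N groups, each needing K-of-L member shares) and the equivalence willcl-ark asks about can be seen directly in a minimal implementation. The following is an added example written for this thread; it is not code from the python-shamir-mnemonic library or from either participant. It does plain Shamir splitting over GF(256) byte by byte and nests one split inside the other, which is the structure the thread discusses; the names generate_shares, recover_secret, Share and split_bytes are this example's own, and it deliberately leaves out everything SLIP-0039 adds on top (mnemonic word encoding, checksums, the digest share, the fixed secret index, and the passphrase/encryption step). The optional seed argument exists only so a demo or test is reproducible; real use takes the default, which draws from the OS CSPRNG.

```python
import random
import secrets
from collections import defaultdict
from typing import Dict, List, NamedTuple, Sequence, Tuple

# GF(256) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11B),
# represented with log/exp tables generated by the element 3.
EXP = [0] * 510
LOG = [0] * 256
_v = 1
for _i in range(255):
    EXP[_i] = _v
    LOG[_v] = _i
    _v ^= _v << 1          # multiply by 3 (v*2 + v in the field)
    if _v & 0x100:
        _v ^= 0x11B        # reduce modulo the field polynomial
for _i in range(255, 510):
    EXP[_i] = EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return EXP[LOG[a] + LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(256)")
    if a == 0:
        return 0
    return EXP[(LOG[a] - LOG[b]) % 255]


def interpolate_at_zero(points: Sequence[Tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial through `points` and evaluate it at x = 0."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, xj)
                den = gf_mul(den, xj ^ xi)   # subtraction is XOR in GF(2^8)
        result ^= gf_mul(yi, gf_div(num, den))
    return result


def split_bytes(secret: bytes, threshold: int, count: int, rng: random.Random) -> Dict[int, bytes]:
    """Split `secret` into `count` shares (x = 1..count); any `threshold` of them reconstruct it."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    shares = {x: bytearray() for x in range(1, count + 1)}
    for b in secret:
        # Random polynomial of degree threshold-1 whose constant term is the secret byte.
        coeffs = [b] + [rng.randrange(256) for _ in range(threshold - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):       # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}


def combine_bytes(shares: Dict[int, bytes]) -> bytes:
    """Recombine exactly `threshold` shares produced by split_bytes."""
    length = len(next(iter(shares.values())))
    return bytes(interpolate_at_zero([(x, s[i]) for x, s in shares.items()]) for i in range(length))


class Share(NamedTuple):
    group_threshold: int   # groups needed to rebuild the master secret
    group_index: int       # x-coordinate of this group's secret in the top-level split
    member_threshold: int  # members needed to rebuild this group's secret
    member_index: int      # x-coordinate of this share within the group
    value: bytes


def generate_shares(group_threshold: int, groups: Sequence[Tuple[int, int]],
                    master_secret: bytes, seed=None) -> List[Share]:
    """Two-level split: `group_threshold` of len(groups) groups, each group (K, L) = K-of-L members."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)  # seed: demos/tests only
    group_secrets = split_bytes(master_secret, group_threshold, len(groups), rng)
    shares: List[Share] = []
    for g, (k, l) in enumerate(groups, start=1):
        for m, value in split_bytes(group_secrets[g], k, l, rng).items():
            shares.append(Share(group_threshold, g, k, m, value))
    return shares


def recover_secret(shares: Sequence[Share]) -> bytes:
    """Rebuild each group's secret from its members, then the master secret from the groups."""
    if not shares:
        raise ValueError("no shares")
    group_threshold = shares[0].group_threshold
    by_group: Dict[int, Dict[int, bytes]] = defaultdict(dict)
    member_thresholds: Dict[int, int] = {}
    for s in shares:
        if s.group_threshold != group_threshold:
            raise ValueError("shares disagree on the group threshold")
        if member_thresholds.setdefault(s.group_index, s.member_threshold) != s.member_threshold:
            raise ValueError(f"group {s.group_index}: shares disagree on the member threshold")
        by_group[s.group_index][s.member_index] = s.value
    group_points: Dict[int, bytes] = {}
    for g, members in by_group.items():
        k = member_thresholds[g]
        if len(members) < k:
            raise ValueError(f"group {g}: need {k} shares, have {len(members)}")
        group_points[g] = combine_bytes(dict(list(members.items())[:k]))
    if len(group_points) < group_threshold:
        raise ValueError(f"need {group_threshold} complete groups, have {len(group_points)}")
    return combine_bytes(dict(list(group_points.items())[:group_threshold]))
```

With this, generate_shares(1, [(3, 5)], secret) and generate_shares(3, [(1, 1)] * 5, secret) both yield five shares of which any three recover the secret, matching matejcik's answer that it does not matter at which level the split happens: in the first case the single group's secret is the master secret itself (a 1-of-1 top-level split is the identity), in the second each group's single share is that group's secret. The nested call from the first question, generate_shares(2, [(2, 3)] * 3, secret), produces nine shares and needs two complete groups, i.e. two shares from each of two groups. Note that recover_secret refuses to run with fewer shares than the embedded thresholds instead of interpolating a wrong value; SLIP-0039 achieves the same effect through its digest share, which this toy does not implement.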