Published on: 2014-08-14T19:23:16+00:00
Jan Møller, in an email exchange, expressed his opinion that the current format of the Shared Secret Sharing (SSS) standard is over-engineered. He suggested that only the long format makes sense from a user experience standpoint, noting that it is only slightly longer than the short version. After no objections were raised, the draft was revised to address this concern.

The new version of the SSS standard allows the shared secret to be encoded in various forms, such as SIPA or BIP38, instead of only a plain private key. This change has several benefits: the specification does not need to be modified for different types of content, and metadata can be encoded together with the secret. The underlying field of the standard was also changed to GF(256), which is better suited to secrets of arbitrary length.

To solve the issue of variable length and lack of control over the Base58 prefix, the magic prefix was moved outside of the Base58-encoded content. The application identifier 'SSS-' was introduced, followed by the Base58 encoding of the share. This change may be mildly controversial, and alternatives could be considered.

A Java implementation of BIPSS based on a GF(2^8) implementation can be found on GitHub. The use of three encoding formats in the SSS standard is considered over-engineered, with the long format being the only necessary option from a user experience perspective. A fork of Matt's proposal converted to GF(2^8) is also available on GitHub; it includes changes such as allocating only six application/version bytes and using SHA-256 hash functions.

The inclusion of a specific flag for testnet in SSS and BIP32 was discussed in email exchanges. It was agreed that such flags are unnecessary since they are not used for sending addresses. The convention so far has been to include a 'version' identifier to identify the purpose of the data, such as which network it belongs to.

There was a debate about the importance of testnet in Bitcoin Improvement Proposals (BIPs). Some argued that testnet exists for public testing involving multiple people and services, while others saw it as a tool for certain types of testing. It was noted that testnet is not normally addressed in BIPs, except for soft-fork BIPs with compressed deployment schedules on testnet.

The serialization of keys when using test chains was discussed, with some expressing that distinguishing the serialization of keys is unnecessary. The difference between testnet and mainnet was emphasized as separate from the bitcoin vs altcoin distinction, but few altcoins understood this. The issue of encoding the chain in WIF and BIP32 was debated, with some suggesting that it should be treated as legacy and ignored; new BIPs should no longer carry it forward.

Discussions also took place regarding the encoding of N-of-M shares. Suggestions were made to encode N-of-M in one byte and to use a bias of -1 for the M encoding. Test vectors were updated accordingly.

Tamas Blummer expressed his opinion that extra encoding for testnet is not necessary, given the many alt chains. He suggested that BIPs should remain chain agnostic. In an email exchange between Jan Møller and Gregory Maxwell, Møller expressed his concerns about BIP38 and suggested using Shamir's Secret Sharing instead. It is unclear whether Møller provided a list of concerns about BIP38 or offered to do so upon request. Tamas Blummer argued that the wide variety of available chains supersedes the notion of mainnet and testnet. He believes that what altcoins do is their own business and outside the scope of a BIP. He also questioned the need for a separate encoding for Bitcoin testnet private keys.

Overall, the discussions revolved around simplifying the SSS standard, considering the use cases for testnet and altchains, and debating the encoding of keys and chains in various contexts.

The complexity of using the binary extension field GF(2^8) for secret sharing and data integrity applications was discussed. Some suggested that big-integer operations may be more practical, while others argued that implementing a complex system with many individually testable parts is easier than implementing a single complex part. Gregory Maxwell's implementation of his Bitcoin Improvement Proposal (BIP) is in C++ and uses the GMP library for big-integer arithmetic.

There was a debate about the potential risks of obfuscating the parameters of the secret sharing process. Some expressed concerns about users accidentally mixing different types of fragments or distributing too many, which can lead to insecurity or difficulty in restoring their wallets. However, it was acknowledged that attackers may still be able to figure out the information despite the obfuscation.

Matt Whitlock proposed an obfuscation method for the secret sharing process but ultimately decided against it based on the consensus of others. Alan Reiner disagreed with this tradeoff, stating that obfuscating something already considered secure at the expense of usability is not beneficial.
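The two design points discussed above, sharing over GF(2^8) byte-wise so the secret can have any length, and packing N-of-M into a single byte with a -1 bias, worked through as an added example. This is not the draft's code nor either GitHub implementation; the AES reduction polynomial, the nibble layout of the parameter byte and the share layout [params][x][y...] are assumptions made here.

```python
import os
from functools import reduce
from operator import xor

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (AES polynomial, an assumption here)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11b if a & 0x80 else 0)
        b >>= 1
    return r

def gf_inv(a):
    """a^254 == a^-1 in GF(2^8), for a != 0."""
    return reduce(lambda r, _: gf_mul(r, a), range(254), 1)

def eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at point x."""
    return reduce(lambda y, c: gf_mul(y, x) ^ c, reversed(coeffs), 0)

def encode_params(n, m):
    """Pack threshold N (high nibble) and share count M (low nibble) with bias -1."""
    if not 2 <= n <= m <= 16:
        raise ValueError("need 2 <= N <= M <= 16 to fit one byte")
    return ((n - 1) << 4) | (m - 1)

def decode_params(b):
    return (b >> 4) + 1, (b & 0x0F) + 1

def split(secret, n, m, rng=os.urandom):
    """Return M shares, each bytes [params][x][one y per secret byte], x = 1..M."""
    hdr = encode_params(n, m)
    polys = [[s] + list(rng(n - 1)) for s in secret]   # random degree-(N-1) poly per byte
    return [bytes([hdr, x] + [eval_poly(p, x) for p in polys]) for x in range(1, m + 1)]

def combine(shares):
    """Recover the secret by Lagrange interpolation at x = 0 from N distinct shares."""
    n, _ = decode_params(shares[0][0])
    pts = [(s[1], s[2:]) for s in shares[:n]]
    if len(pts) < n or len({x for x, _ in pts}) < n:
        raise ValueError("need at least N distinct shares")
    lag = []  # Lagrange basis value at 0 for each share; in char 2, 0 - xk == xk
    for xj, _ in pts:
        num = den = 1
        for xk, _ in pts:
            if xk != xj:
                num, den = gf_mul(num, xk), gf_mul(den, xj ^ xk)
        lag.append(gf_mul(num, gf_inv(den)))
    cols = zip(*(y for _, y in pts))                   # one column per secret byte
    return bytes(reduce(xor, map(gf_mul, col, lag), 0) for col in cols)
```

The share point x = 0, where the secret lives, is never handed out, and the parameter byte lets a recovering client refuse early when too few shares are supplied; mixing shares of different secrets is not detected here, which is the user error the obfuscation debate above is concerned with.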
Updated on: 2023-08-01T08:17:21.054953+00:00