Author: Russell O'Connor 2023-02-20 00:52:36
Published on: 2023-02-20T00:52:36+00:00
In a discussion on preventing an attack on Bitcoin seed phrases, Andrew Poelstra suggests that what is needed is a MAC: a way for Bob to feed a secret value into the checksum used to verify shares. He does not see how this is possible with linear codes, and proposes a hash-based checksum like BIP39's instead, which would work but would not be hand-computable. David A. Harding asks whether the attack can be prevented without giving up the code's properties, suggesting extra data that Bob carries around for verifying shares but that is not needed for recovery. Unfortunately, Poelstra says this would not work: Alice can still wreck seeds by flipping random tiles and "error correcting" them into a new share that is valid but incorrect. He adds that as long as there is a clearly defined checksum at the end of a share, Alice will be able to mangle tiles and recompute the checksum at the end. A potential solution is proposed: record a random initial tile configuration, run the LS47 algorithm over the share, and record the final tile configuration, which then serves as a MAC for verification.
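The distinction the thread turns on, as an added illustration rather than code from the thread: a linear checksum is recomputable by anyone holding the share, so a mangled share re-verifies, while a tag under a key that Bob keeps off the share does not. The toy XOR checksum, the 32-symbol tile alphabet and HMAC standing in for the hand-computable LS47 tag are my assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy model: a share is a list of "tiles", each an integer 0..31.
CHECKSUM_LEN = 3

def linear_checksum(tiles):
    """Toy linear checksum: symbol k is the XOR of every k-th data tile.
    It depends on the data alone, so anyone can recompute it."""
    out = [0] * CHECKSUM_LEN
    for i, t in enumerate(tiles):
        out[i % CHECKSUM_LEN] ^= t
    return out

def encode_share(data):
    return data + linear_checksum(data)

def verify_share(share):
    data, chk = share[:-CHECKSUM_LEN], share[-CHECKSUM_LEN:]
    return linear_checksum(data) == chk

def keyed_mac(key, data):
    """Bob's tag: HMAC over the data tiles under a secret kept out of the share
    (stand-in for the LS47 final-configuration idea, not LS47 itself)."""
    return hmac.new(key, bytes(data), hashlib.sha256).digest()[:8]

def verify_with_mac(key, share, tag):
    data = share[:-CHECKSUM_LEN]
    return verify_share(share) and hmac.compare_digest(keyed_mac(key, data), tag)

def alice_mangles(share, position, new_tile):
    """Alice alters one data tile and re-encodes the public checksum."""
    data = list(share[:-CHECKSUM_LEN])
    data[position] = new_tile
    return encode_share(data)

def demo():
    data = [secrets.randbelow(32) for _ in range(26)]
    share = encode_share(data)
    key = secrets.token_bytes(16)          # Bob keeps this, not the share
    tag = keyed_mac(key, data)
    forged = alice_mangles(share, 5, (share[5] + 1) % 32)
    return {
        "original_linear": verify_share(share),
        "forged_linear": verify_share(forged),            # checksum alone: passes
        "original_mac": verify_with_mac(key, share, tag),
        "forged_mac": verify_with_mac(key, forged, tag),  # keyed tag: fails
    }
```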
Updated on: 2023-06-16T15:52:12.365736+00:00