Author: Pavol Rusnak 2018-01-08 12:39:20
Published on: 2018-01-08T12:39:20+00:00
The conversation between Gregory Maxwell and Pavol Rusnak on 08/01/18 was about the SLIP39 scheme. The original scheme used a bi-directional function to encode and decode keys in both directions using the passphrase. However, they found a theoretical problem that could allow an attacker to reconstruct the beginning of the master secret if they had knowledge of a few words from the beginning of shares. Therefore, they needed a new scheme without this issue. They also wanted the specification to be computable on devices like TREZOR on boot, which is why they used a weak KDF. The construction of the scheme could result in users getting a different private key if they enter the wrong passphrase. This was by design as it was necessary for plausible deniability, which is achieved in both BIP39 and SLIP39. Despite this, the lack of versioning made things harder to support new key-related features such as SegWit, and it seemed intentionally constructed in a way that will prevent interoperable use. The checksum algorithm used in the scheme was based on SHA2 and seemed pretty poor as it resulted in a fairly weak checksum that could easily accept an errored string. The metadata didn't make much affordance to help users avoid accidentally mixing shares from distinct sharings of the same key, but the checksum was supposed to prevent that. Finally, the specification might want to give some better advice about SSS since many people get it wrong in ways that degrade or destroy its properties. However, Pavol Rusnak was happy to see that there was no obvious way to abuse this one as a brainwallet scheme.
Updated on: 2023-06-12T23:36:03.091617+00:00