SLIP39 + BIP39 + SSKR secret sizes #64

Closed
alandefreitas opened this issue Nov 11, 2021 · 9 comments

@alandefreitas

alandefreitas commented Nov 11, 2021

Thank you for this great project.

This is not really an issue so I'm sorry if there's a better place for questions and I missed it.

I implemented this small variation of SLIP39 that would use BIP39 mnemonics directly instead of SLIP39 master keys that are incompatible with BIP39 and, by consequence, most wallets.

But I noticed the SLIP39/BIP39 secrets it generates are 20 words long and the secrets seedtool generates are 29 words long. Why is that? It might seem like a small difference, but this is a practical issue because capsules and steel plates often don't support 29 words.

@ChristopherA
Contributor

You will see from @ksedgwic example with dog tags you don’t need all the words to recover.

https://github.com/BlockchainCommons/crypto-commons/blob/629e78d61b106035055a2025d31efd73cecda5cf/Docs/sskr-cold-storage.md

I know you can drop the first two words as they are always tuna acid. Ken, which other tricks did you use?

@alandefreitas
Author

@ChristopherA Thanks! This example with dog tags is great. It seems like there are only 12 words in each tag. That's great. (And sorry for using an issue for a discussion/question again.)

Maybe seedtool SSKR, SLIP39, and BIP39 also use different dictionaries? It might just be a matter of using another encoding to get to 20 words only.

It looks like the shares are using byte words (they are 4 chars each) while SLIP39 shares use other mnemonics. Actually, it looks like SLIP39 uses yet another wordlist with 1024 words instead of the BIP39 2048 word lists. So it might be even less than 20 words in BIP39 encoding. This might sound silly, but engraving <20 words is a lot easier than engraving 29 words.

By the way, if you guys think there's something useful from this discussion we could implement, I can help implement any of these things. I just wouldn't open a PR out of nowhere. 😆 There's probably even room for opening another SLIP if you'd like. Creating conventions is very important for that kind of stuff, to ensure other people will be able to recover these seeds.





On another issue related to the example with dog tags: this might seem silly, but I'm a little worried about the interface, especially if adjusting some words here and there, like in the example. I mean, there's some chance someone else will need to recover the original seed (if using the secrets for an inheritance, for example) and this might be a problem if there are lots of ways to do that through the interface.

For instance, for a 2of3 secret seedtool gives me:

seedtool --in sskr
tuna acid epic gyro fair good able acid acid tomb eyes luck saga navy cost even king brew waxy onyx main poem game math navy play runs many cusp
tuna acid epic gyro fair good able acid also yurt redo crux cyan when blue need bulb frog data draw flew door girl wand task crux part list hard
5a305439f9344da2818061a443f08e08

and we need ctrl+d to finish while the other interface is:

python3 -m shamir_mnemonic.cli recover
Enter a recovery share: peaceful traffic academic acid dough clinic language eraser speak helpful artwork roster carbon eyebrow echo glad fragment tension miracle woman

● 1 of 2 shares needed from group peaceful traffic academic
Enter a recovery share: peaceful traffic academic agency ceramic deliver umbrella true reject mixture solution glance voice beaver member dragon glance desert steady nail

✓ 2 of 2 shares needed from group peaceful traffic academic
SUCCESS!
Your master secret is: d1cb13dbdd37dbef2f1cd811987c59cb
Your mnemonic is: spike flat want risk laundry wasp round only bag sentence biology obey

So the final BIP39 mnemonic is right there. I know this might seem very silly and I don't care about it myself at all. But I'm worried other people might not be able to recover the seed if they ever need to, which is a common use case of SSKR.



@alandefreitas
Author

> It seems like there are only 12 words in each tag

Sorry. I just noticed it's two tags per share. So 24 words per share.

@alandefreitas
Author

On second thought, I just realized that most of this issue amounts to separating the concept of sskr secrets from its encoding. A command like seedtool --out sskr treats sskr as a way to encode the input. But both the shares and the master secret can be encoded any other way after splitting the secret. BIP39 might be short enough to store each secret in just one tag, steel plate, or cryptosteel capsule. While HEX or B58 might be even shorter if you really need to save space.

@wolfmcnally
Collaborator

The important thing about storing things in permanent media like metal is to make them as self-describing as possible. I think effort to engrave should be a secondary consideration. SSKR shares stored as ByteWords are actually just a form of encoding where each 4-character word represents 8 bits. There are only 256 possible words so the number of possible words is relatively small. They include various forms of error detection and correction so they are hard to mis-transcribe. They also encode CBOR (sort of like binary JSON) that gives their content structure, including tagging that makes them self-describing. I think one needs to consider giving up all of these benefits before choosing alternate methods, including messing with the actual sequence of ByteWords in each canonical SSKR share.

@ChristopherA
Contributor

I've also been investigating commissioning someone to create engraved plates where the initial common "self-describing" words are etched in advance, requiring you to only engrave the remainder yourself. Thus I believe we can get a single SSKR share down to 24 or 25 words (@wolfmcnally ?)

@wolfmcnally
Collaborator

The only three words you could reliably pre-etch would be the first three tuna acid epic. The fourth word contains length and type information for the byte string that follows. It will be gyro iff the encoded secret is 16 bytes long.
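
The word counts asked about at the top of this thread follow from the byte layout of each encoding. The sketch below is an added example, not part of the thread and not seedtool code; the CBOR tag value 309, the 5-byte SSKR metadata block, the 4-byte ByteWords CRC-32 and the SLIP39/BIP39 bit counts are assumptions taken from the editor's reading of those specifications.

```python
# Added example: byte layout behind the 29-word vs 20-word difference.
# All field sizes below are assumptions from the public specs, not seedtool output.

def cbor_head(major: int, arg: int) -> bytes:
    """Encode a CBOR initial byte plus argument (RFC 8949), for arguments < 2**16."""
    if arg < 24:
        return bytes([(major << 5) | arg])
    if arg < 256:
        return bytes([(major << 5) | 24, arg])
    return bytes([(major << 5) | 25]) + arg.to_bytes(2, "big")

SSKR_TAG = 309       # assumed CBOR tag for an SSKR share at the time of this thread
SSKR_METADATA = 5    # 16-bit identifier plus six 4-bit fields (thresholds, counts, indexes)
BYTEWORDS_CRC = 4    # CRC-32 that ByteWords appends; every byte becomes one word

def sskr_prefix(secret_len: int) -> bytes:
    """Bytes before the share payload: CBOR tag, then the byte-string type/length header."""
    return cbor_head(6, SSKR_TAG) + cbor_head(2, SSKR_METADATA + secret_len)

def sskr_words(secret_len: int) -> int:
    """ByteWords per SSKR share: prefix + metadata + share value + CRC."""
    return len(sskr_prefix(secret_len)) + SSKR_METADATA + secret_len + BYTEWORDS_CRC

def slip39_words(secret_len: int) -> int:
    """SLIP39 share: 40 header bits, share value padded to 10 bits, 30-bit checksum."""
    value_bits = (secret_len * 8 + 9) // 10 * 10
    return (40 + value_bits + 30) // 10

def bip39_words(secret_len: int) -> int:
    """BIP39 mnemonic: entropy plus one checksum bit per 32 entropy bits, 11 bits per word."""
    bits = secret_len * 8
    return (bits + bits // 32) // 11

if __name__ == "__main__":
    for n in (16, 32):  # secret sizes in bytes
        print(f"{n} bytes: prefix={sskr_prefix(n).hex()} "
              f"SSKR={sskr_words(n)} SLIP39={slip39_words(n)} BIP39={bip39_words(n)}")
```

For a 16-byte secret the prefix is the four bytes d9 01 35 55, which the shares in this thread spell as tuna acid epic gyro; the last byte encodes "byte string of length 21", so it changes as soon as the secret is not 16 bytes long.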

@ChristopherA
Contributor

ChristopherA commented Apr 28, 2022

Given that many (but not all) pre-existing metal templates support 25 words (24 words plus BIP-38 passphrase), and tuna acid epic gyro is always the beginning of a 29-word 128-bit SSKR seed (larger seeds wouldn't fit anyhow), it seems like it is an acceptable compromise until someone offers a 29 (or 30) word metal template.

@alandefreitas
Author

Thanks a lot guys!
