slip-0039: Is f(0) now a starting, random point on the curve? #581

Closed
Sharpiro opened this Issue Apr 1, 2019 · 4 comments

@Sharpiro

commented Apr 1, 2019

In this specification the shared secret is stored under index 255 instead of the usual index 0. The disadvantage of using index 0 for the shared secret is that 0 then cannot be used as the index value for a share, thus any shares with index value 0 have to be considered invalid.

shamir-curve.svg

I was wondering if f(0) should now be the starting, random point on the curve now that the secret is stored at f(255).

In which case, in the diagram the points would be, x0, x1, x2, x3 rather than x1, x2, x3, x4.

@andrewkozlik

Contributor

commented Apr 3, 2019

I updated the diagram https://github.com/satoshilabs/slips/blob/0dba2a47414a3c4f41bc305ca8dc1e1ae6ef9c0e/slip-0039/shamir-curve.svg. Take a look if it makes more sense. It now illustrates the splitting of a secret into five shares.

@prusnak prusnak closed this Apr 3, 2019

@Sharpiro

Author

commented Apr 3, 2019

@andrewkozlik

I have a few questions if you don't mind.

The diagram below illustrates the splitting of a secret into five shares.

  1. I think it might be helpful to explicitly say what the value of M and T would be in the diagram rather than just "five shares". If that means M = 5, and I guess the value of T wouldn't be necessary for this diagram, but given that the diagram appears to have 5 points generated randomly (T−2), it seems like T would equal 7, which is greater than M, which doesn't make sense.

We propose that given a secret, T−2 shares be generated randomly and the remaining shares be computed in such a way that f(255) encodes the shared secret and f(254) encodes the digest

  1. Would it make more sense to replace 1 or more of the occurrences of "shares" with "points", as not all the points will be shared?

  2. Wouldn't "M" points be generated randomly with the constructed polynomial, rather than T-2?

@andrewkozlik

Contributor

commented Apr 4, 2019

  1. I think it might be helpful to explicitly say what the value of M and T would be in the diagram rather than just "five shares". If that means M = 5, and I guess the value of T wouldn't be necessary for this diagram, but given that the diagram appears to have 5 points generated randomly (T−2), it seems like T would equal 7, which is greater than M, which doesn't make sense.

Indeed M=5.

  1. Would it make more sense to replace 1 or more of the occurrences of "shares" with "points", as not all the points will be shared?

All occurrences of the word "shares" in the quoted paragraph refer to points which will be shared.

  1. Wouldn't "M" points be generated randomly with the constructed polynomial, rather than T-2?

No, at most T-2 points can be generated randomly.
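The construction discussed in this thread, as an added example (not the project's reference implementation and not code from any participant): T-2 shares are drawn at random, f(254) and f(255) are pinned to the digest and the secret, and every share is then read off the single polynomial those T points define. The GF(256) field with the Rijndael polynomial and the HMAC-SHA256 digest layout are assumptions taken from outside this thread; `split`, `recover`, `interpolate` and `_digest` are illustrative names.

```python
import hashlib, hmac, secrets

SECRET_INDEX, DIGEST_INDEX = 255, 254  # indices named in the spec text quoted in this thread

# GF(256) log/antilog tables (assumption: Rijndael polynomial 0x11B, generator 3)
EXP, LOG = [0] * 255, [0] * 256
_p = 1
for _i in range(255):
    EXP[_i], LOG[_p] = _p, _i
    _p ^= (_p << 1) ^ (0x11B if _p & 0x80 else 0)  # multiply by the generator 3

def interpolate(points, x):
    """Evaluate at x, byte by byte, the polynomial through points [(index, bytes)]."""
    known = dict(points)
    if x in known:
        return known[x]
    out = bytearray(len(points[0][1]))
    for xi, yi in points:
        # log of the Lagrange basis prod_{j != i} (x - xj) / (xi - xj); subtraction is XOR
        log_basis = sum(LOG[x ^ xj] - LOG[xi ^ xj] for xj, _ in points if xj != xi) % 255
        for k, y in enumerate(yi):
            if y:
                out[k] ^= EXP[(LOG[y] + log_basis) % 255]
    return bytes(out)

def _digest(pad, secret):
    # Assumed digest layout: 4 bytes of HMAC-SHA256(key=pad, msg=secret), then the pad
    return hmac.new(pad, secret, hashlib.sha256).digest()[:4] + pad

def split(secret, threshold, count):
    """Return `count` shares [(index, bytes)]; any `threshold` of them recover the secret."""
    if not 2 <= threshold <= count < DIGEST_INDEX:
        raise ValueError("need 2 <= T <= N < 254")
    n = len(secret)
    base = [(i, secrets.token_bytes(n)) for i in range(threshold - 2)]  # the only random shares
    base.append((DIGEST_INDEX, _digest(secrets.token_bytes(n - 4), secret)))
    base.append((SECRET_INDEX, secret))
    # T points fix a degree T-1 polynomial, so every remaining share is determined
    return [(i, interpolate(base, i)) for i in range(count)]

def recover(shares):
    """Interpolate f(255) and f(254) from the shares and check the digest before returning."""
    secret = interpolate(shares, SECRET_INDEX)
    digest = interpolate(shares, DIGEST_INDEX)
    if not hmac.compare_digest(digest, _digest(digest[4:], secret)):
        raise ValueError("digest mismatch: wrong or too few shares")
    return secret
```

With T = 3 and N = 5, only the share at index 0 is random; the shares at indices 1 to 4 are evaluations of the polynomial through that share, the digest and the secret.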

@Sharpiro

Author

commented Apr 14, 2019

@andrewkozlik

Ok I didn't see that you had a reference implementation already. That was very helpful. I was doing secret splitting very differently, basically creating a random polynomial per byte, so it was very cool seeing you doing it in a completely different way.

I see that you updated the diagram with N and T values which I think is helpful. It may also be helpful to somehow denote that point f(0) is a randomly generated point, whereas the next 4 points are just being evaluated off that polynomial.

Thanks
