# slip-0039: Is f(0) now a starting, random point on the curve? #581

Closed
opened this Issue Apr 1, 2019 · 4 comments


### Sharpiro commented Apr 1, 2019

> In this specification the shared secret is stored under index 255 instead of the usual index 0. The disadvantage of using index 0 for the shared secret is that 0 then cannot be used as the index value for a share, thus any shares with index value 0 have to be considered invalid.

(image: shamir-curve.svg)

I was wondering if `f(0)` should now be the starting, random point on the curve now that the secret is stored at `f(255)`. In which case, in the diagram the points would be, `x0, x1, x2, x3` rather than `x1, x2, x3, x4`.

Contributor

### andrewkozlik commented Apr 3, 2019

 I updated the diagram https://github.com/satoshilabs/slips/blob/0dba2a47414a3c4f41bc305ca8dc1e1ae6ef9c0e/slip-0039/shamir-curve.svg. Take a look if it makes more sense. It now illustrates the splitting of a secret into five shares.

Author

### Sharpiro commented Apr 3, 2019

@andrewkozlik I have a few questions if you don't mind.

> The diagram below illustrates the splitting of a secret into five shares.

I think it might be helpful to explicitly say what the value of M and T would be in the diagram rather than just "five shares". If that means M = 5, and I guess the value of T wouldn't be necessary for this diagram, but given that the diagram appears to have 5 points generated randomly (T−2), it seems like T would equal 7, which is greater than M, which doesn't make sense.

> We propose that given a secret, T−2 shares be generated randomly and the remaining shares be computed in such a way that f(255) encodes the shared secret and f(254) encodes the digest

Would it make more sense to replace 1 or more of the occurrences of "shares" with "points", as not all the points will be shared.

Wouldn't "M" points be generated randomly with the constructed polynomial, rather than T-2?

Contributor

### andrewkozlik commented Apr 4, 2019

> I think it might be helpful to explicitly say what the value of M and T would be in the diagram rather than just "five shares". If that means M = 5, and I guess the value of T wouldn't be necessary for this diagram, but given that the diagram appears to have 5 points generated randomly (T−2), it seems like T would equal 7, which is greater than M, which doesn't make sense.

Indeed M=5.

> Would it make more sense to replace 1 or more of the occurrences of "shares" with "points", as not all the points will be shared.

All occurrences of the word "shares" in the quoted paragraph refer to points which will be shared.

> Wouldn't "M" points be generated randomly with the constructed polynomial, rather than T-2?

No, at most T-2 points can be generated randomly.

Author

### Sharpiro commented Apr 14, 2019

@andrewkozlik Ok I didn't see that you had a reference implementation already. That was very helpful. I was doing secret splitting very differently, basically creating a random polynomial per byte, so it was very cool seeing you doing it in a completely different way. I see that you updated the diagram with `N` and `T` values which I think is helpful. It may also be helpful to somehow denote that point `f(0)` is a randomly generated point, whereas the next 4 points are just being evaluated off that polynomial. Thanks
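
The splitting rule discussed in this thread, as an added example that is not part of the issue and is not the SLIP-0039 reference implementation: T−2 shares are random, f(254) carries the digest, f(255) carries the secret, and the remaining shares are interpolated from those T points. The function names are hypothetical; the GF(256) field (AES polynomial), the 4-byte HMAC-SHA256 digest keyed with the random padding, and the N ≤ 16 limit are assumptions taken from the published specification rather than from this page.

```python
import hashlib, hmac, secrets

SECRET_INDEX, DIGEST_INDEX, DIGEST_LEN = 255, 254, 4  # x-coordinates from the spec

# Log/antilog tables for GF(256), AES polynomial 0x11B, generator 3 (= x + 1).
EXP, LOG = [0] * 255, [0] * 256
_p = 1
for _i in range(255):
    EXP[_i], LOG[_p] = _p, _i
    _p ^= (_p << 1) ^ (0x11B if _p & 0x80 else 0)  # multiply by 3

def interpolate(points, x):
    """Evaluate at x the polynomial through points [(xi, bytes)], bytewise."""
    known = dict(points)
    if x in known:
        return known[x]
    out = bytearray(len(points[0][1]))
    for xi, yi in points:
        # log of the Lagrange coefficient prod (x - xj)/(xi - xj); "-" is XOR here
        lb = sum(LOG[x ^ xj] - LOG[xi ^ xj] for xj, _ in points if xj != xi) % 255
        for k, b in enumerate(yi):
            if b:
                out[k] ^= EXP[(LOG[b] + lb) % 255]
    return bytes(out)

def _digest(rnd, secret):
    return hmac.new(rnd, secret, hashlib.sha256).digest()[:DIGEST_LEN]

def split(threshold, count, secret):
    if not 1 <= threshold <= count <= 16:
        raise ValueError("need 1 <= T <= N <= 16")
    if threshold == 1:
        return [(i, secret) for i in range(count)]
    # Only T-2 shares are random; f(254) and f(255) are the other two fixed points.
    base = [(i, secrets.token_bytes(len(secret))) for i in range(threshold - 2)]
    rnd = secrets.token_bytes(len(secret) - DIGEST_LEN)
    fixed = base + [(DIGEST_INDEX, _digest(rnd, secret) + rnd), (SECRET_INDEX, secret)]
    # T points determine the degree T-1 polynomial; the remaining shares are read off it.
    return base + [(i, interpolate(fixed, i)) for i in range(threshold - 2, count)]

def recover(threshold, shares):
    if threshold == 1:
        return shares[0][1]
    secret = interpolate(shares, SECRET_INDEX)
    d = interpolate(shares, DIGEST_INDEX)
    if not hmac.compare_digest(d[:DIGEST_LEN], _digest(d[DIGEST_LEN:], secret)):
        raise ValueError("digest mismatch: wrong or too few shares")
    return secret
```

With T = 3 and N = 5, `split` draws one random share (index 0) and interpolates indices 1 to 4, which is why no more than T−2 shares can be chosen freely once f(254) and f(255) are pinned.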