[Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys

Nikita Schmidt nikita at megiontechnologies.com
Thu Apr 3 12:41:06 UTC 2014


Matt Whitlock wrote:
> Okay, you've convinced me. However, it looks like the consensus here is
> that my BIP is unneeded, so I'm not sure it would be worth the effort
> for me to improve it with your suggestions.

I need your BIP.

We are going to implement SSS and we'd rather stick with something
publicly discussed, even if it has not formally become a BIP, than
invent our own stuff.

I'll go ahead and comment on the current proposal here.  BIP or no
BIP, I propose to finalise this spec anyway for those who want to
implement SSS now or in future.

I agree with the recently mentioned suggestion to make non-essential
metadata, namely key fingerprint and degree (M), optional.  Their
4-byte and 1-byte fields can be added individually at an
implementation's discretion.  During decoding, the total length will
determine which fields are included.

For example, as a compromise between usability and security, the
metadata can be supplied out-of-band, like in plain text accompanying
the Base-58 encoded share.

Encoding for the testnet is not specified.

Speaking of encoding, is it not wasteful to allocate three different
application/version bytes just for the sake of always starting with
'SS'?  It would be OK if it were accepted as a BIP, but merely as a
de-facto standard it should aim at minimising future chances of
collision.

I'd add a clause allowing the use of random coefficients instead of
deterministic, as long as the implementation guarantees to never make
another set of shares for the same private key or master seed.

What about using the same P256 prime as for the elliptic curve?  Just
for consistency's sake.

Also, I'm somewhat inclined towards using the actual x instead of j in
the encoding.  I find it more direct and straightforward to encode the
pair (x, y).  And x=0 can denote a special case for future extensions.
 There is no technical reason behind this, it's just for (subjective)
clarity and consistency.




More information about the bitcoin-dev mailing list