[Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys

Matt Whitlock bip at mattwhitlock.name
Fri Apr 4 18:53:41 UTC 2014

On Friday, 4 April 2014, at 10:51 am, Gregory Maxwell wrote:
> On Fri, Apr 4, 2014 at 10:16 AM, Matt Whitlock <bip at mattwhitlock.name> wrote:
> > Honestly, that sounds a lot more complicated than what I have now. I made my current implementation because I just wanted something simple that would let me divide a private key into shares for purposes of dissemination to my next of kin et al.
> I suggest you go look at some of the other secret sharing
> implementations that use GF(2^8), they end up just being a couple of
> dozen lines of code. Pretty simple stuff, and they work efficiently
> for all sizes of data, there are implementations in a multitude of
> languages. There are a whole bunch of these.

Okay, I will.

> > Do you have a use case in mind that would benefit from byte-wise operations rather than big-integer operations? I mean, I guess if you were trying to implement this BIP on a PIC microcontroller, it might be nice to process the secret in smaller bites. (No pun intended.) But I get this feeling that you're only pushing me away from the present incarnation of my proposal because you think it's too similar (but not quite similar enough) to a threshold ECDSA key scheme.
> It lets you efficiently scale to any size data being encoded without
> extra overhead or having additional primes. It can be compactly
> implemented in Javascript (there are several implementations you can
> find if you google), it shouldn't be burdensome to implement on a
> device like a trezor (much less a real microcontroller).

Those are fair points.

> And yea, sure, it's distinct from the implementation you'd use for
> threshold signing. A threshold singing one would lack the size agility
> or the easy of implementation on limited devices.  So I do think that
> if there is to be two it would be good to gain the advantages that
> can't be achieved in an threshold ECDSA compatible approach.

I agree. I'll look into secret sharing in GF(2^8), but it may take me a few days.

More information about the bitcoin-dev mailing list