[Bitcoin-development] Presenting a BIP for Shamir's Secret Sharing of Bitcoin private keys

Matt Whitlock bip at mattwhitlock.name
Tue Apr 22 08:11:48 UTC 2014

On Tuesday, 22 April 2014, at 10:06 am, Jan Møller wrote:
> This is a very useful BIP, and I am very much looking forward to
> implementing it in Mycelium, in particular for bip32 wallets.
> To me this is not about whether to use SSS instead of multisig
> transactions. In the end you want to protect a secret (be it a HD master
> seed or a private key) in such a way that you can recover it in case of
> partial theft/loss. Whether I'll use the master seed to generate keys that
> are going to be used for multisig transactions is another discussion IMO.
> A few suggestions:
>  - I think it is very useful to define different prefixes for testnet
> keys/seeds. As a developer I use the testnet every day, and many of our
> users use it for trying out new functionality. Mixing up keys meant for
> testnet and mainnet is bad.

A fair point. I'll add some prefixes for testnet.

>  - Please allow M=1. From a usability point of view it makes sense to allow
> the user to select 1 share if that is what he wants.

How does that make sense? Decomposing a key/seed into 1 share is functionally equivalent to dispensing with the secret sharing scheme entirely.

> I have no strong opinions of whether to use GF(2^8) over Shamir's Secret
> Sharing, but the simplicity of GF(2^8) is appealing.

I'll welcome forks of my draft BIP. I don't really have the inclination to research GF(2^8) secret sharing schemes and write an implementation at the present time, but if someone wants to take my BIP in that direction, then okay.

More information about the bitcoin-dev mailing list