Re: [bitcoindev] Penlock, a paper-computer for secret-splitting BIP39 seed phrases

[Andrew Poelstra <apoelstra@wpsoftware.net>]

[-- Attachment #1: Type: text/plain, Size: 3814 bytes --]

On Tue, May 14, 2024 at 12:03:45PM +0000, Rama Gan wrote:
> Hello Andrew,
> 
> Thank you for sharing your thoughts.
> 
> -   Penlock implements arithmetic operations differently than Codex32. Additions
>     and subtractions are implemented with a slider-wheel (only possible with
>     GF(P)); Multiplications and "divisions" are done with volvelles. There is
>     indeed a risk of using the slider-wheel in the wrong direction, and this is
>     mitigated by 2-of-N not using additions at all.
>

FYI even in GF(P), you can do multiplication and division using slide
wheels. I'm not sure if doing so would interfere with your other
multipurpose volvelle constructions. (Every nonzero number in your field
is 2^n for some n, so you can do multiplication/division by adding in
the exponent.)

The resulting slide wheel would not have a natural ordering.

> -   An experienced user can compute a 12-words checksum in 4mins, and verify its
>     correctness in 3 mins. Checksumming 24-word is quite doable, but then the
>     difficulty comes with the shares derivation part that takes close to an hour
>     and feels really tedious (again, for 24 words). For reference, an
>     experienced user can secret-split a 12-words sentence in 45 minutes. A
>     24-words sentence will more than double that due to getting tired and losing
>     focus.
>

The checksumming numbers are impressive but a little surprising -- in
codex32, "translation" is a process of similar complexity on fewer
characters and it takes me 5 minutes or so. Perhaps the difference is
that you can use a slide wheel with a natural ordering, while we are
using a slide chart? At some point I will work through your process and
see how it feels.

For what it's worth, codex32 quickchecks can be done in ~5 minutes as
well. Though of course they are much less powerful than your checksum.

Interesting that the splitting and recovery processes take such a long
time. But I guess this is explained by the large number of characters
produced by the checksum.

> -   The 2-of-(N<=26) case is handled with a variant of Shamir's algorithm that
>     can be fully implemented in a single wheel. I'm about to post a presentation
>     that will go into more details about that. For (K>=3)-of-M cases there's
>     indeed a recovery wheel, plus a volvelle that does translation+fusion on the
>     same side (see: https://beta.penlock.io/kofm-wheels.html).

Very cool. Though you say "single wheel" but you actually need two --
one to get the solving window and one to actually do the recovery. If I
understand correctly, the "solving window" is equivalent to a "recovery
symbol" in codex32.

If so, despite the simple interpretation as "the difference between the
shares", this object is secretly a Lagrange polynomial and you can
*also* compute it using a slide wheel rather than a full lookup-table
volvelle. (The reason for this is not so simple, and described in the
codex32 math companion [1] ... but possibly if you believe it's true you
can just "brute force" it without understanding why by just
progressively constructing a wheel, doing various recoveries and filling
in blank spaces by cross-referencing against your existing volvelle.)


[1] https://secretcodex32.com/docs/2023-08-23--math.pdf

-- 
Andrew Poelstra
Director, Blockstream Research
Email: apoelstra at wpsoftware.net
Web:   https://www.wpsoftware.net/andrew

The sun is always shining in space
    -Justin Lewis-Webster

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZkNqVZFNBNTq7mAL%40camus.

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]