On Tue, May 14, 2024 at 12:03:45PM +0000, Rama Gan wrote: > Hello Andrew, > > Thank you for sharing your thoughts. > > - Penlock implements arithmetic operations differently than Codex32. Additions > and subtractions are implemented with a slider-wheel (only possible with > GF(P)); Multiplications and "divisions" are done with volvelles. There is > indeed a risk of using the slider-wheel in the wrong direction, and this is > mitigated by 2-of-N not using additions at all. > FYI even in GF(P), you can do multiplication and division using slide wheels. I'm not sure if doing so would interfere with your other multipurpose volvelle constructions. (Every nonzero number in your field is 2^n for some n, so you can do multiplication/division by adding in the exponent.) The resulting slide wheel would not have a natural ordering. > - An experienced user can compute a 12-words checksum in 4mins, and verify its > correctness in 3 mins. Checksumming 24-word is quite doable, but then the > difficulty comes with the shares derivation part that takes close to an hour > and feels really tedious (again, for 24 words). For reference, an > experienced user can secret-split a 12-words sentence in 45 minutes. A > 24-words sentence will more than double that due to getting tired and losing > focus. > The checksumming numbers are impressive but a little surprising -- in codex32, "translation" is a process of similar complexity on fewer characters and it takes me 5 minutes or so. Perhaps the difference is that you can use a slide wheel with a natural ordering, while we are using a slide chart? At some point I will work through your process and see how it feels. For what it's worth, codex32 quickchecks can be done in ~5 minutes as well. Though of course they are much less powerful than your checksum. Interesting that the splitting and recovery processes take such a long time. But I guess this is explained by the large number of characters produced by the checksum. > - The 2-of-(N<=26) case is handled with a variant of Shamir's algorithm that > can be fully implemented in a single wheel. I'm about to post a presentation > that will go into more details about that. For (K>=3)-of-M cases there's > indeed a recovery wheel, plus a volvelle that does translation+fusion on the > same side (see: https://beta.penlock.io/kofm-wheels.html). Very cool. Though you say "single wheel" but you actually need two -- one to get the solving window and one to actually do the recovery. If I understand correctly, the "solving window" is equivalent to a "recovery symbol" in codex32. If so, despite the simple interpretation as "the difference between the shares", this object is secretly a Lagrange polynomial and you can *also* compute it using a slide wheel rather than a full lookup-table volvelle. (The reason for this is not so simple, and described in the codex32 math companion [1] ... but possibly if you believe it's true you can just "brute force" it without understanding why by just progressively constructing a wheel, doing various recoveries and filling in blank spaces by cross-referencing against your existing volvelle.) [1] https://secretcodex32.com/docs/2023-08-23--math.pdf -- Andrew Poelstra Director, Blockstream Research Email: apoelstra at wpsoftware.net Web: https://www.wpsoftware.net/andrew The sun is always shining in space -Justin Lewis-Webster -- You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group. To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/bitcoindev/ZkNqVZFNBNTq7mAL%40camus.