© 2020 Blockchain Commons
Authors: Wolf McNally, Christopher Allen
Version: 1.0.1
Date: June 19, 2020
Revised: March 6, 2021
This BCR describes a standard and interoperable implementation of Shamir's SecretSharing (SSS). SSS splits a master secret, such as the master seed S for Hierarchical Deterministic Wallets described in BIP32, into unique parts which can be distributed among participants. A specified minimum number of parts is required to be supplied in order to reconstruct the original secret. Knowledge of fewer than the required number of parts does not leak information about the master secret.
This document defines the following UR types along with their corresponding CBOR tags:
| UR type | CBOR Tag |
|---|---|
| ur:sskr | #6.40309 |
These tags have been registered in the IANA Registry of CBOR Tags.
This document specifies a native CBOR encoding for Shamir Secret Sharing shards, as well as a Uniform Resource UR type sskr (CBOR tag #6.40309).
Note: This specification describes version 2 sskr, which differs from version 1 crypto-sskr only in the CBOR tag and UR type it uses. Version 1 crypto-sskr is deprecated, but may still be supported for backwards compatibility.
This specification is based on SLIP-39, developed by SatoshiLabs. The fields of the CBOR structure defined herein are based on SLIP-39, but this specification is NOT compatible with SLIP-39.
At first glance, BIP-39 and SLIP-39 both appear to be means of converting a binary seed to a set of backup words and back. You might assume you could simply convert a BIP-39 backup to a binary seed, from that binary seed to SLIP-39, and then use the SLIP-39 backup to recover the same wallet as the original BIP-39 backup, but this is NOT the case. This is because the SLIP-39 algorithm that SatoshiLabs uses in their Trezor wallet does not derive the master secret in the same way as their BIP-39 algorithm does.
As SLIP-39 is not round-trip compatible with BIP-39, and SLIP-39 is under the control of SatoshiLabs and does not appear to be a fully community-controlled standard, Blockchain Commons is no longer endorsing SLIP-39.
This proposal, SSKR, is an alternative to SLIP-39 that allows round-trips with BIP-39. We want to ensure that the same seed will result in the same derived keys using either BIP-39 or SSKR.
- This issue is being tracked here.
Unlike SLIP-39, which incorporates an integral algorithm for converting shards to and from a sequence of backup words, including a checksum, this proposal only specifies the CBOR encoding of such shards. The above goals and others including optimization for QR codes are delegated to the UR (Uniform Resource) and Bytewords specifications.
Also unlike SLIP-39, which incorporates an algorithm to encrypt the master secret according to a password, and also includes provisions for separately encrypting each share secret according to a set of separate passwords, SSKR elides this functionality. Blockchain Commons believes that encryption of master secrets and/or shares should be part of a separate specification applied at a higher level. That is, encryption of a master secret, if desired, should take place before being handed off to an algorithm like BIP-39 or SSKR. Share encryption, if desired should be applied after SSKR generates the shares, and before it combines them.
The following specification is written in Concise Data Definition Language CDDL.
It is desirable that shards be of minimal size to facilitate their distribution as sequences of Bytewords. We therefore pack most the metadata for the shard and the share data itself into a single byte string and express the structure as a CBOR byte string.
The single element of this structure is a byte string whose first five bytes consist of the data field below, followed by the share-value field.
These size optimizations still allow the encoded structure to be well-formed CBOR, be self-identifying, and contain a checksum (provided by Bytewords).
tagged-sskr = #6.40309(sskr)
sskr = bytes
Bit fields of data field:
pack the id, group and member data into 5 bytes:
76543210 76543210 76543210
76543210 76543210
----------------====----====----====----
identifier: 16
group-threshold: 4
group-count: 4
group-index: 4
member-threshold: 4
reserved (MUST be zero): 4
member-index: 4
The following is adapted from SLIP-39.
identifier(id) is a random 16-bit value which is the same for all shares and is used to verify that the shares belong together; it is also used as salt in the encryption of the master secret.group-threshold(Gt) indicates how many group shares are needed to reconstruct the master secret. The actual value is encoded as Gt = GT − 1, so a value of 0 indicates that a single group share is needed (GT = 1), a value of 1 indicates that two group shares are needed (GT = 2) etc.group-count(g) indicates the total number of groups. The actual value is encoded as g = G − 1.group-index(GI) is the x value of the group share.member-threshold(t) indicates how many member shares are needed to reconstruct the group share. The actual value is encoded as t = T − 1.member-index(I) is the x value of the member share in the given group.share-value(ps) corresponds to a list of the SSS part's f_k(x) values, 1 ≤ k ≤ n. Each f_k(x) value is encoded as a string of eight bits in big-endian order. The concatenation of these bit strings is the share value. Unlike SLIP-39 this value is not padded.- Unlike SLIP-39, we do not include a checksum at this level, because the Bytewords encoding provides a checksum.
- The original master secret:
7daa851251002874e1a1995f0897e6b1
- The SSKR shares for 2 groups: the first group requires 2 of 3 shares and the second group requires 3 of 5 shares. The group threshold is 2, meaning shares from both groups must be met.
- The SSS algorithm uses a random number generator to produce the shares, thus the algorithm is not expected the same shares every time for a given master secret.
All groups must be met.
Group 1
2 of 3 shares in this group must be met.
4bbf1101003e990c1f0435e2b33c721535c74603d0
4bbf1101010c8ba39a7502a325ed07b8d597d1b80f
4bbf1101025abd490ee65b6084859854ee67736e75
Group 2
3 of 5 shares in this group must be met.
4bbf11120044ef453f66923d32653b377de5c94b39
4bbf1112016ffb1b0cc5ab485f5a67136c802bc67b
4bbf111202a3763155fcfdb5887abce6ee69c4bbcd
4bbf11120388626f665fc4c0e545e0c2ff0c26368f
4bbf1112046334a0db7838a5c6c4d2dcb2e5b65911
- Breakdown of the third share above:
4bbf 1 1 0 1 0 2 5abd490ee65b6084859854ee67736e75
^---- identifier
^---- group-threshold - 1 = 2: 2 groups are required
^---- group-count - 1 = 2: total of 2 groups
^---- group-index = 0: this share is from the first group
^---- member-threshold - 1 = 2: 2 shares from this group are required
^---- reserved: MUST be zero
^---- member-index = 2: This is the third share of the group
^---- share-value: Same length as the master secret
If the SSKR share is to be displayed as standard ByteWords, the CBOR tag #6.40309 is used.
- Third share above (tagged) in CBOR diagnostic notation:
40309(
h'4bbf1101025abd490ee65b6084859854ee67736e75' / data (5) || share-value (16) /
)
- Encoded as binary using [CBOR-PLAYGROUND]:
d9 9d75 # tag(40309)
55 # bytes(21)
4bbf1101025abd490ee65b6084859854ee67736e75
- As a hex string:
d99d75554bbf1101025abd490ee65b6084859854ee67736e75
- As Bytewords:
tuna next keep gyro gear runs body acid also heat
ruby gala beta visa help horn liar limp monk gush
waxy into junk jolt keep lion leaf ruby purr
- All shares as Bytewords:
All groups must be met.
Group 1
2 of 3 shares in this group must be met.
tuna next keep gyro gear runs body acid able film nail barn cost aqua epic veto quad fern jump buzz epic slot frog apex taxi grim fern twin leaf
tuna next keep gyro gear runs body acid acid barn luau omit navy keep also omit data wave aunt redo toil miss tent redo bias fuel work king kick
tuna next keep gyro gear runs body acid also heat ruby gala beta visa help horn liar limp monk gush waxy into junk jolt keep lion leaf ruby purr
Group 2
3 of 5 shares in this group must be met.
tuna next keep gyro gear runs body brag able foxy webs free fish inky memo figs easy inch fair exam kiwi view solo gear eyes ruin tuna gala iris
tuna next keep gyro gear runs body brag acid jowl zero claw barn silk play fund hope heat into brew jazz lava down skew king sets very whiz crux
tuna next keep gyro gear runs body brag also omit keno each gyro zest zinc race logo kiln roof visa waxy iron sets rock swan leaf tent navy redo
tuna next keep gyro gear runs body brag apex logo iced jowl inky hope sets rust view free vast saga zoom barn days even many yoga wall curl what
tuna next keep gyro gear runs body brag aqua idea edge numb ugly keys exit open skew sets tied undo purr view ramp hawk body skew redo data unit
- Annotated Bytewords of last share above:
tuna next keep gyro
===================
Identifies that this is an SSKR share and the length of the data that follows.
gear runs
=========
Same for every share in split.
body brag
=========
Same for every share in group.
aqua
====
Unique for this share in group.
idea edge numb ugly keys exit open skew sets tied undo purr view ramp hawk body
===============================================================================
Share value, same length as master secret.
skew redo data unit
===================
Checksum.
If the SSKR share is to be encoded as a UR, the untagged CBOR is used.
- Third share above (untagged) in CBOR diagnostic notation:
h'4bbf1101025abd490ee65b6084859854ee67736e75' ; data (5) || share-value (16)
- Encoded as binary using [CBOR-PLAYGROUND]:
55 -- bytes(21)
4bbf1101025abd490ee65b6084859854ee67736e75
- As a hex string:
554bbf1101025abd490ee65b6084859854ee67736e75
- As a UR:
ur:sskr/gogrrsbyadaohtrygabavahphnlrlpmkghwyiojkjtkpmdkncfjp
- All shares as ur:sskr:
All groups must be met.
Group 1
2 of 3 shares in this group must be met.
ur:sskr/gogrrsbyadaefmnlbnctaaecvoqdfnjpbzecstfgaxtifpsskbfw
ur:sskr/gogrrsbyadadbnluotnykpaootdaweatrotlmsttrobsghbnurrh
ur:sskr/gogrrsbyadaohtrygabavahphnlrlpmkghwyiojkjtkpmdkncfjp
Group 2
3 of 5 shares in this group must be met.
ur:sskr/gogrrsbybgaefywsfefhiymofseyihfremkivwsogrespmclwepd
ur:sskr/gogrrsbybgadjlzocwbnskpyfdhehtiobwjzladnswkgtscfhfvt
ur:sskr/gogrrsbybgaootkoehgoztzcreloknrfvawyinssrksnmedtfmks
ur:sskr/gogrrsbybgaxloidjliyhessrtvwfevtsazmbndsenmywmbylpdy
ur:sskr/gogrrsbybgaaiaeenbuyksetonswsstduoprvwrphkbytlfzlyca
- Annotated Minimal Bytewords of last share above:
ur:sskr/go
=================
Identifies that this is an SSKR share and the length of the data that follows.
grrs
====
Same for every share in split.
bybg
====
Same for every share in group.
aa
==
Unique for this share in group.
iaeenbuyksetonswsstduoprvwrphkby
================================
Share value, same length as master secret.
tlfzlyca
========
Checksum.