bitcoin-dev

Penlock, a paper-computer for secret-splitting BIP39 seed phrases

Penlock, a paper-computer for secret-splitting BIP39 seed phrases

Original Postby Andrew Poelstra

Posted on: May 13, 2024 13:40 UTC

In a detailed exploration of the project's approach to generating BIP39 seed words, several considerations arise concerning its practicality and compatibility with existing cryptographic setups.

The project’s methodology, particularly the option for users to generate new seeds and employ a manual checksum grinding process, raises questions about its appeal and feasibility, especially given the varying degrees of effort required for different word lengths. This process, while manageable for a 12-word seed, becomes significantly more cumbersome as the word count increases, highlighting a scalability issue in user experience.

The mathematical foundation of the project, which involves mapping BIP39 characters into integers mod 29 and computing lines within this field to generate checksums, is sound. However, the practicality of this approach diminishes with longer seed phrases due to the resultant increase in checksum length, complicating the recovery process. The project employs a non-standard encoding into GF(29), introducing complexities such as differing operations for addition and subtraction, which could complicate the implementation and usability of the scheme, particularly in scenarios requiring the recovery of seed shares.

The discussion extends to alternative methods such as combining the project's checksum scheme with other systems like seedxor, though compatibility issues are noted. Seedxor, for instance, requires binary data conversion, which is both time-consuming and prone to errors, and does not align well with the proposed checksum method. Suggestions are made to potentially adapt the project to work in tandem with seedxor by utilizing a binary field and adjusting the checksum target residue, thereby preserving checksum integrity through the computation process.

Finally, the importance of clear documentation and specification is emphasized, with an acknowledgment of the challenges faced in understanding the scheme through the available JavaScript implementation and related materials. The email suggests the need for a comprehensive write-up that details the mathematical underpinnings and practical applications of the project, possibly accompanied by a PDF guide, to aid in broader comprehension and adoption of the proposed system. Andrew Poelstra's insights conclude with personal reflections on the goals and aesthetics of secure seed generation, critiquing the emphasis on indistinguishability from full seeds and advocating for a balance between security, usability, and error resilience in cryptographic practices.