bitcoin-dev

Penlock, a paper-computer for secret-splitting BIP39 seed phrases

Original post by Rama Gan

Posted on: May 16, 2024 07:43 UTC

Andrew Poelstra's reply discusses the implementation details and possible optimizations of the 2-of-M secret-splitting scheme used in Penlock, a paper-computer project in which any two of M shares suffice to recover a BIP39 seed phrase.

Penlock orders its symbols by the map n -> (2^n) % 29. Because 2 generates the multiplicative group of GF(29), this is a discrete-log ordering: multiplying two non-zero field elements becomes adding their exponents, which gives the recovery symbols a natural order and simplifies the arithmetic carried out on the wheels. The details are in Penlock's GitHub repository (the SDK data) and in the KofM Wheels explanation on the project website.

The email also reports on practical use of the method. Under real-world conditions, the whole process from copying the seed phrase to correcting mistakes in the shares takes about 45 minutes; recovery alone takes about 20 minutes. Much of that time goes to checksum verification, which is slow to do by hand, and to BIP39 itself, which is not a compact encoding. By contrast, the email notes that in GF(29) 128 bits can be encoded in just 7 words, whereas BIP39, with its lower information density, needs an additional 10 words.

With a more compact data format, the email estimates, the whole splitting process could drop below 30 minutes and recovery plus verification below 15 minutes, which the general public might find acceptable. It also raises the "solving window": in the 2-of-M case, what matters for recovery is the distance between the two share indices rather than a full set of Lagrange basis coefficients, and that distance can be read from a single wheel implementing subtraction, as described on the 2ofM Wheel page.
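The following Python is an added example, not Penlock's code or Poelstra's. It illustrates the two technical points above: the n -> 2^n mod 29 ordering, which turns GF(29) multiplication into addition of exponents, and a 2-of-M recovery whose division step depends only on the distance between the two share indices. It assumes a standard Shamir-style 2-of-M split with a degree-1 polynomial f(x) = secret + r*x over GF(29); whether Penlock's wheels lay out their shares exactly this way is an assumption, and the secret and random coefficients below are constructed test values.

```python
"""GF(29) arithmetic via the n -> 2^n mod 29 map, plus a 2-of-M split and recovery.

Added example (not Penlock's code). The 2-of-M layout f(x) = s + r*x is an
assumption about how such a paper scheme is realised, not a description of Penlock.
"""
P = 29  # field size used by Penlock's wheels
G = 2   # 2 generates the multiplicative group of GF(29), which has order 28

# EXP[n] = 2^n mod 29 for n = 0..27 covers every non-zero element exactly once;
# LOG inverts it. This is the "natural ordering" the email refers to.
EXP = [pow(G, n, P) for n in range(P - 1)]
LOG = {v: n for n, v in enumerate(EXP)}


def gf_mul(a, b):
    """Multiply in GF(29) by adding discrete logs (what a log-ordered wheel does)."""
    if a == 0 or b == 0:
        return 0
    return EXP[(LOG[a] + LOG[b]) % (P - 1)]


def gf_inv(a):
    """Multiplicative inverse: negate the exponent."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(29)")
    return EXP[(-LOG[a]) % (P - 1)]


def gf_div(a, b):
    return gf_mul(a, gf_inv(b))


def tables_consistent():
    """Check the log/exp multiplication against plain modular multiplication."""
    return all(gf_mul(a, b) == (a * b) % P for a in range(P) for b in range(P))


def symbols_for_bits(bits):
    """Smallest number of GF(29) symbols whose combinations cover 2**bits values."""
    n = 0
    while P ** n < 2 ** bits:
        n += 1
    return n


def split_2_of_m(secret, m, rnd):
    """Assumed layout: share at index x is s + r*x per symbol (one r per symbol).

    secret, rnd: equal-length lists of GF(29) symbols. Returns {x: share} for x = 1..m.
    Indices must be non-zero distinct field elements, so m <= 28.
    """
    if not 1 <= m <= P - 1 or len(secret) != len(rnd):
        raise ValueError("m must be in 1..28 and secret/rnd lengths must match")
    return {x: [(s + gf_mul(r, x)) % P for s, r in zip(secret, rnd)]
            for x in range(1, m + 1)}


def recover_2_of_m(i, share_i, j, share_j):
    """Recover the secret from shares at distinct indices i and j.

    share_j - share_i = r*(j - i), so the only index-dependent quantity in the
    division is the distance w = j - i (the "solving window"); one subtraction
    wheel suffices to obtain it.
    """
    if i == j:
        raise ValueError("need two shares with distinct indices")
    w = (j - i) % P
    out = []
    for a, b in zip(share_i, share_j):
        r = gf_div((b - a) % P, w)      # slope of the degree-1 polynomial
        out.append((a - gf_mul(r, i)) % P)  # f(0) = share_i - r*i
    return out


# Constructed test values (not real key material).
SECRET = [0, 7, 28, 14, 3]
RND = [5, 0, 11, 28, 9]

if __name__ == "__main__":
    shares = split_2_of_m(SECRET, 5, RND)
    print("shares:", shares)
    print("recovered from (1,3):", recover_2_of_m(1, shares[1], 3, shares[3]))
    print("GF(29) symbols for 128 bits:", symbols_for_bits(128))
```

In real use the coefficients in RND would come from a uniform random source such as `secrets.randbelow(29)`, one per secret symbol; the point of the example is that recovery never needs more than a subtraction, a division by the window w, and one multiplication per symbol.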

Lastly, Poelstra suggests he may have overlooked an optimization and invites further discussion, signalling openness to improving the scheme through collaboration and to continued work on making secure cryptographic tooling more accessible and efficient for users.