All right, good afternoon everyone. So my name is Jorge Arce. I am a Blockchain and Cryptography Researcher at Nethermind. And today I want to tell you guys about Shamir's secret sharing with no ID numbers. But before we get into the problem we're trying to solve, we would like to have a bit of a review on what Shamir's secret sharing is all about. So for today, because this is a lightning talk, we're going to go with a simple example. So let's suppose you just got this great news. You just got the private key of a wallet that is holding a thousand ether. Here's the private key. Now do not actually input this into MetaMask or you will be very disappointed, okay? For secure long-term storage of this seed phrase, you want to do the following, because it's a lot of money, right? So you're gonna split the key into several 12-word seed phrases such that if you have two of those seed phrases then you have enough information for reconstruction. Furthermore, you want the secret to be accessible even if one of the pieces in which you, like, split the information gets lost. And there's a third property actually that I'm mentioning, which is you would like it so that an attacker that has two of the pieces, no I'm sorry, if an attacker has one of the pieces but not two, they cannot gain any information about your secret whatsoever. So you decide that you will create three pieces such that you need two of them to reconstruct the secret, and technically we call this a two-of-three threshold scheme. This is what you're after. Okay, so how does this go? This is an old algorithm created by Shamir in 1979. We start with the seed phrase and the first thing we're gonna do is we're gonna turn this into a number. This is in binary. What we did is we took BIP39's 2048-word dictionary and, depending on the position of these words in that dictionary, we assign a binary number to each of the words. Once you have that you're gonna take a good old XY plane and you're gonna take the secret.
This is a number after all, and you're gonna place it on the y-axis, sort of like as an intercept. So that's stage one. After that you're gonna take a random straight line that passes through the secret. Why a straight line? Because this is the simplest example, where you only need two pieces for reconstruction. If you wanted something more complex you would be using, like, a parabola or a higher-order polynomial. But let's just stick with the straight line for now. So you have that straight line which you chose essentially at random and you're gonna pick three points on the line, and those points are gonna be your shares. Now what happens is lines have this very nice geometric property that says that any two points on a line are enough to uniquely determine the properties of your straight line, and in this context that translates to: any two shares generate the correct secret. Just check it out. If I have those two points, shares one and three, let's assume that share two got lost. You generate a straight line just as before and, lo and behold, the intersection with the y-axis is the secret that you were trying to conceal. And this is gonna be the same regardless of which two shares you have. It's independent of that, right? You have share two and share three. You do the exact same thing. You get the same secret every time. So we got that nice redundancy property we're after. In this example, and this is kind of unwieldy and a little bit hard to read, the shares are the following. The first one, this is the binary that you get if you were to actually, like, get the coordinates of those points on the y-axis. Here's for the second point and here's for the third point. Notice that I am also labeling each of the shares with the corresponding x-values one, two and three. Those are gonna be called the ID numbers. Now we don't like this. It's hard to read. So we're gonna use the BIP39 dictionary once more to turn this into words. Like so. And now that's more familiar. All right.
So this is what Shamir's secret sharing is all about. But I want you to notice a special detail here, which is that, sorry my bad, I am keeping the ID numbers next to the shares. They must be labeled and this is crucial. If I were not to do that, like, what would happen if I mis-wrote one of the ID numbers and I mis-labeled one of the many shares that I have? So if you come and check this example, let's say I have the second share and I make a mistake and I label it with a one instead of a two. Notice how the geometry of the situation is gonna change. Now this point is gonna be moved, slid to the left. When you go ahead and try and do the reconstruction, oops, you're not gonna get the same straight line. You're gonna get something different. You get the wrong secret and that's a problem. This may not sound like a big deal, but keep in mind that you may be dealing with many shares at a time. You may be dealing with 12 points at a time. If the labels get lost, it can be a bit of a nuisance, like solving for all the possible permutations and trying to find which one is the correct one. So can we improve this? We are trying to circumvent the labeling entirely. Can we encode the ID numbers in the seed phrase itself without having the need to add any extra words to the seed phrase? This would be nice because then I could just mix those seed phrases and no information would be lost, even if the label was incorrect. As it turns out, there's a peculiarity about the BIP39 seed phrase standard that we can exploit to our advantage here. It turns out that not all the bits corresponding to the seed phrase carry independent information. There's a checksum hidden in here. In the particular case of 12 words, which is what we're dealing with, it turns out that the last four bits are not independent information. Like, you took the seed phrase from the initial example, the one with 1,000 ether, you turned it into binary. And these four numbers, they do not carry independent information.
What they do carry is a checksum. Go ahead and take all of the bits, except for the last four, compute SHA-256 of that in binary, and you're going to get a hash. The first four bits of that hash are what you put in here. And this is there so that if you miswrite one of your words, then a wallet software can tell you that you messed up. We can use this to our advantage here, because given that that is not independent information, there is no need to include the checksum bits for share generation or reconstruction. Let us go with this slightly different approach. We have this beautiful seed phrase once again. This is the binary encoding of it. And let's just discard this. We can do that without fear because this information can be regenerated whenever we want. Now you're going to do Shamir's secret sharing, the same, like, straight line, put the secret on the y-axis, choose a random line passing through it, on the non-checksum bits, so the ones that actually carry information. And this time, once you do that, let's say that we get these shares. Once again, this is hard to read. We don't like this format. But before we can turn it into words, using the dictionary, we're going to need to fill in these gaps. Now here's the nice thing. These gaps are places where we can store extra information. For example, I could take these ID numbers and encode them into binary. And those will be the last four bits of each of my shares. That I can put in there. Now I turn this into a seed phrase once again, like, all of those into seed phrases. And you would get these three shares. Notice that they do not have any labels anymore. You don't really need to. Because if you take the last word in each of those and you turn it into binary with the dictionary, for example, popular, this one ends in 001, meaning that this should be the first share. This one ends in 001.10, the encoding of chaos, meaning that this has to be the second entry. And likewise for this one.
So this is a nifty little trick that you can use if you want to get rid of the labeling. There's other things you can do with that extra space for information. You could add a checksum to the shares themselves. That's something you could do. But we're choosing to do this because it seems like a convenient extra feature that we can add to Shamir's secret sharing. All right. So thank you very much for your attention. Right here. And here's some advertising on behalf of Nethermind. You can enter our repo, I mean our GitHub, NethermindEth, and you'll find this repo, research mnemonic. So this is a tool that we built with extra love to all the Ethereum community. If you guys want to use Shamir's secret sharing for your privacy purposes, for your 1,000 ETH airdrops or whatnot, I don't know if you guys are lucky, then you can use this tool. And yeah. So thank you so much. I am Jorge Arce, blockchain and cryptography researcher at Nethermind. If you have any questions or comments, I'm more than happy to take those. Thanks.

Hi. Is it possible that when converting to shares, it no longer fits into 12 words and has to be, like, 13 words or something?

That's a good question. So what can happen is we have four bits of wiggle room, right? That means that we can label as many as 16 shares. If you wanted to go above that, we would need extra bits. And you would need an extra word. So we don't really like that. That seems not very elegant. So what we do is we limit the functionality of this feature to, if you're dealing with 12-word seed phrases, 16 shares maximum, which in practice is a sensible restriction. We've seen that, like, important multisigs all over the Ethereum community, they normally don't go over, like, 11 shares or whatnot. But if you were to use, like, a 24-word seed phrase, for example, then you have more bits that you can use. I think you have, like, seven or eight bits for the encoding. And then you have, like, 256 shares that you can use. But yeah, that's a good question.
And there's a limit on how many of these you can label, but the limit is sensible considering like the real world use cases. Thank you for the question.
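As an added example, not part of the talk and not the Nethermind tool's code, the trick described above carried out on the 128 entropy bits behind a 12-word seed phrase: the 4 BIP39 checksum bits are recomputed rather than shared, a 2-of-n Shamir split is done byte-wise in GF(2^8) so every share stays exactly 128 bits, the 4-bit share ID is written where the checksum would sit, and recovery reads the IDs back from the last four bits of any two shares. The byte-wise GF(2^8) field with the AES polynomial is my choice for the arithmetic; the talk fixes no field.

```python
import hashlib
import secrets

def gf_mul(a, b):
    # Multiply in GF(2^8) with the AES polynomial 0x11B (field choice is mine, not the talk's).
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    # a^254 == a^-1 in GF(2^8) for a != 0
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a, e = gf_mul(a, a), e >> 1
    return r

def bip39_checksum(entropy):
    # BIP39: the first len(entropy)*8/32 bits of SHA-256(entropy); 4 bits for 16 bytes
    return hashlib.sha256(entropy).digest()[0] >> (8 - len(entropy) // 4)

def mnemonic_bits(entropy):
    # Entropy followed by its checksum: the 132 bits behind a 12-word seed phrase.
    return (int.from_bytes(entropy, "big") << 4) | bip39_checksum(entropy)

def word_indices(bits132):
    # Split 132 bits into twelve 11-bit BIP39 word indices, first word first.
    return [(bits132 >> (11 * i)) & 0x7FF for i in range(11, -1, -1)]

def split_2_of_n(entropy, n):
    # 2-of-n Shamir per byte: random line y = s ^ m*x with the secret byte s as intercept.
    # Checksum bits are not shared; the 4-bit ID (x - 1) takes their place, so 16 shares fit.
    assert 2 <= n <= 16
    slope = secrets.token_bytes(len(entropy))
    shares = []
    for idx in range(n):
        y = bytes(s ^ gf_mul(m, idx + 1) for s, m in zip(entropy, slope))
        shares.append((int.from_bytes(y, "big") << 4) | idx)
    return shares

def recover(share_a, share_b):
    # Any two unlabeled shares: read x from the last 4 bits, then interpolate at x = 0.
    xa, xb = (share_a & 0xF) + 1, (share_b & 0xF) + 1
    ya, yb = (share_a >> 4).to_bytes(16, "big"), (share_b >> 4).to_bytes(16, "big")
    inv = gf_inv(xa ^ xb)                      # subtraction is XOR in GF(2^8)
    ca, cb = gf_mul(xb, inv), gf_mul(xa, inv)  # Lagrange weights xb/(xa+xb), xa/(xa+xb)
    return bytes(gf_mul(a, ca) ^ gf_mul(b, cb) for a, b in zip(ya, yb))
```

For all-zero entropy the last word index comes out as 3 ("about" in the BIP39 list), matching the well-known test vector, and the last four bits of any share's final word are its ID.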