Design Flaw: Per-Byte Shamir Splitting of BIP-39 Mnemonics Causes Entropy Collapse and Non-Unique Reconstruction #65

@Petah0411

Description

Summary

The current mnemonic splitting implementation applies Shamir’s Secret Sharing independently to each byte of the mnemonic entropy using GF(256). BIP-39 structure and checksum are restored only after share recombination. This design causes irreversible entropy loss and breaks the uniqueness guarantees normally expected from threshold secret sharing.

Below the threshold, a single set of shares corresponds to a very large equivalence class of valid BIP-39 mnemonics, making it impossible to uniquely recover the original mnemonic.

Technical Details

BIP-39 word indices require 11 bits of entropy.

The implementation operates on 8-bit field elements (GF(256)), truncating entropy prior to sharing.

Shamir is applied independently per byte, with no coupling across bytes.

For a (t=3) scheme, two shares provide only two equations for a degree-2 polynomial, leaving one full degree of freedom per byte.

During reconstruction, multiple byte values are consistent with the same shares.

BIP-39 checksum validation is applied after reconstruction, acting only as a filter and not as a constraint on the polynomial.

As a result, with fewer than t shares, the system admits exponentially many checksum-valid mnemonics, all consistent with the same shares.
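As an added example (not the project's code), the following Python models the per-byte GF(256) splitting described above and counts how many secret byte values remain consistent with t-1 versus t shares, then multiplies the per-byte counts over 16 bytes of entropy; the field representation (the AES reduction polynomial 0x11b) is an assumption.

```python
import secrets

# GF(256) with the AES reduction polynomial x^8+x^4+x^3+x+1 (0x11b); this choice
# is an assumption, the counting result below holds for any GF(256) representation.
def gf_mul(a, b):
    """Multiply two GF(256) elements (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

# Inverse table for the nonzero elements, built once by brute force.
INV = {a: b for a in range(1, 256) for b in range(1, 256) if gf_mul(a, b) == 1}

def lagrange_eval(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through points."""
    y = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num, den = gf_mul(num, x ^ xj), gf_mul(den, xi ^ xj)
        y ^= gf_mul(yi, gf_mul(num, INV[den]))
    return y

def split_byte(secret, t, n):
    """Shamir-split one byte: f(0) = secret plus t-1 random values fix a random
    degree-(t-1) polynomial; the shares are its values at x = 1..n."""
    fix = [(0, secret)] + [(x, secrets.randbelow(256)) for x in range(1, t)]
    return [(x, lagrange_eval(fix, x)) for x in range(1, n + 1)]

def consistent_secrets(shares, t):
    """Byte values s admitting a degree-(t-1) polynomial through (0, s) and every share."""
    out = []
    for s in range(256):
        pts = [(0, s)] + list(shares)
        if all(lagrange_eval(pts[:t], x) == y for x, y in pts[t:]):
            out.append(s)
    return out

def equivalence_class_size(entropy, t, n, k):
    """Split each entropy byte t-of-n, keep k shares per byte, and multiply the
    per-byte candidate counts: how many entropies the kept shares admit."""
    total = 1
    for b in entropy:
        total *= len(consistent_secrets(split_byte(b, t, n)[:k], t))
    return total
```

With t=3 and only two shares per byte, 16 bytes of entropy leave 2^128 candidate entropies, and the 4-bit BIP-39 checksum for 128-bit entropy discards only fifteen of every sixteen of them.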

Impact

Reconstruction below threshold is non-unique.

Different valid mnemonics can be produced from the same share set.

Any recovered mnemonic is merely one arbitrary representative of a large equivalence class.

This may mislead users into believing a correct secret was recovered when it was not.

Why This Matters

Threshold secret sharing is commonly expected to guarantee unique reconstruction at threshold and no meaningful information below threshold. While Shamir’s scheme itself remains sound, applying it independently to truncated mnemonic components violates these expectations in practice.

Recommendation

Apply Shamir to the entire entropy as a single element in a sufficiently large field, or

Use an established scheme designed for mnemonics (e.g., SLIP-39), which preserves entropy and structural integrity throughout sharing and reconstruction.

Scope

This is a design-level vulnerability, not a cryptographic break of Shamir’s Secret Sharing.

**_Below the threshold, the implementation produces a large equivalence class of valid mnemonics rather than preserving uncertainty about a single secret._**
