[Cryptography] Review request: BIP39-native Shamir backup over GF(2053)

Renato Schiavinato Lopez renato.lopez at grifortis.com
Fri May 22 11:36:33 EDT 2026


Following up on my own request, I would like to narrow the review
focus to a specific cryptographic vulnerability concern that arose
during offline discussions.

In Section 7.2, I describe an optional "Reduced Mode" intended
strictly for constrained manual transcription. To keep outputs within
11 bits (matching standard BIP39 dictionaries), this mode rejects any
sampled polynomial f(x) if its evaluation at any active share index
exceeds 2047.

While standard Shamir over GF(2053) provides perfect secrecy, this
rejection sampling introduces a bounded bias. I conservatively bounded
the candidate-space reduction to a fraction of a bit per word (e.g.,
<= 0.424 bits for a 24-word 3-of-5 scheme).

My open question for the list:

Given that a mnemonic consists of l in {12, 24} words, we have l
independent polynomials sharing the same rejection-sampling
constraint. If an adversary acquires k-1 shares, does this bounded
bias open the door to a practical lattice-based attack (e.g., modeling
it as a Hidden Number Problem and applying LLL basis reduction) to
recover the remaining coefficients?

If this leakage enables a lattice attack, the Reduced Mode must be
removed entirely, leaving only the Full Mode (which does not restrict
outputs and is theoretically immune).

I would highly value any insights from those familiar with LLL
applications on biased Shamir distributions.

