[Cryptography] Review request: BIP39-native Shamir backup over GF(2053)
Renato Schiavinato Lopez
renato.lopez at grifortis.com
Sat May 23 00:47:01 EDT 2026
On Fri, May 22, 2026 at 12:36 PM Renato Schiavinato Lopez
<renato.lopez at grifortis.com> wrote:
>
> Following up on my own request, I would like to narrow the review
> focus to a specific cryptographic vulnerability concern that arose
> during offline discussions.
>
> In Section 7.2, I describe an optional "Reduced Mode" intended
> strictly for constrained manual transcription. To keep outputs within
> 11 bits (matching standard BIP39 dictionaries), this mode rejects any
> sampled polynomial f(x) if its evaluation at any active share index
> exceeds 2047.
>
> While standard Shamir over GF(2053) provides perfect secrecy, this
> rejection sampling introduces a bounded bias. I conservatively bounded
> the candidate-space reduction to a fraction of a bit per word (e.g.,
> <= 0.424 bits for a 24-word 3-of-5 scheme).
>
> My open question for the list:
>
> Given that a mnemonic consists of l in {12, 24} words, we have l
> independent polynomials sharing the same rejection-sampling
> constraint. If an adversary acquires k-1 shares, does this bounded
> bias open the door to a practical lattice-based attack (e.g., modeling
> it as a Hidden Number Problem and applying LLL basis reduction) to
> recover the remaining coefficients?
>
> If this leakage enables a lattice attack, the Reduced Mode must be
> removed entirely, leaving only the Full Mode (which does not restrict
> outputs and is theoretically immune).
>
> I would highly value any insights from those familiar with LLL
> applications on biased Shamir distributions.

Following up on my post about Reduced Mode bias and lattice attacks: I
had not quantified why the mode exists.

Reduced Mode targets ceremonies where someone hand-copies a share QR
onto a pre-printed template. Full Mode uses a 37×37 symbol, Reduced
Mode 29×29. Naive area math says ~39% smaller; that is a weak proxy.
Most cells are fixed (corner finders, timing, alignment, format
strips) or stay white; the real cost is black modules in the payload
region.

For a representative 24-word share QR with structure pre-printed: Full
~530 black marks, Reduced ~305 — about 43% fewer. Grid area alone
slightly understates that. Ballpark from reference encodings in the
current paper, not a timed study; a later revision will expand the
workload analysis.

This does not answer the lattice question. If bias enables recovery
from k-1 shares, drop Reduced Mode. If not, the trade-off is roughly
≤0.43 bits max bias (24-word topologies we emphasize) vs ~43% fewer
marks per share.

Feedback on both points is welcome.

Renato
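The following is an added worked example, not code from the post or from the paper under review, that makes the Reduced Mode leakage question concrete. It implements Shamir sharing of one 11-bit word index over GF(2053), the Reduced Mode rejection step, and the candidate set an attacker holding k-1 shares is left with. Assumptions that the paper's Section 7.2 may define differently: the "active share indices" are x = 1..n, Reduced Mode resamples the entire polynomial (not individual coefficients) until every f(x) for x = 1..n is at most 2047, the secret is a BIP39 word index in 0..2047, and the non-constant coefficients are drawn uniformly from GF(2053). The function and parameter names are this example's own.

```python
"""Shamir over GF(2053), Full vs Reduced Mode, and what k-1 shares leave to guess.
Added example; assumptions (active indices 1..n, whole-polynomial rejection,
uniform coefficients) are noted inline and may differ from the paper."""
from math import log2
from secrets import randbelow

P = 2053         # prime field the scheme works in
WORD_MAX = 2047  # largest BIP39 word index: outputs must fit in 11 bits


def eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def lagrange_at(points, x):
    """Value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def split(secret, k, n, reduced=False):
    """k-of-n shares (x, f(x)), x = 1..n, of one word index.
    Reduced Mode (assumed semantics): resample the whole polynomial until every
    active share value fits in 11 bits."""
    if not (0 <= secret <= WORD_MAX and 1 <= k <= n < P):
        raise ValueError("bad parameters")
    while True:
        coeffs = [secret] + [randbelow(P) for _ in range(k - 1)]  # uniform coefficients
        shares = [(x, eval_poly(coeffs, x)) for x in range(1, n + 1)]
        if not reduced or all(y <= WORD_MAX for _, y in shares):
            return shares


def recover(shares):
    """Reconstruct the word index from any k shares."""
    return lagrange_at(shares, 0)


def consistent_secrets(known_shares, n, reduced=False):
    """Word indices an attacker holding k-1 shares cannot rule out.
    Each candidate s together with the k-1 known shares fixes exactly one
    polynomial of degree k-1; in Reduced Mode that polynomial must also stay
    <= WORD_MAX at every other active index, otherwise the sampler would have
    rejected it and s is impossible. This enumeration is the attacker's full
    posterior: given k-1 shares the only unknown is s itself."""
    known_x = {x for x, _ in known_shares}
    others = [x for x in range(1, n + 1) if x not in known_x]
    survivors = []
    for s in range(WORD_MAX + 1):
        pts = [(0, s)] + list(known_shares)
        if not reduced or all(lagrange_at(pts, x) <= WORD_MAX for x in others):
            survivors.append(s)
    return survivors


def leakage_bits(known_shares, n, reduced=False):
    """Bits of the 11-bit word learned from k-1 shares: 11 - log2(|candidates|)."""
    return log2(WORD_MAX + 1) - log2(len(consistent_secrets(known_shares, n, reduced)))


def worst_case_leakage_bits(k, n, words=1):
    """Ceiling on Reduced Mode leakage from k-1 shares, under the assumptions above.
    For an index x outside the known set, s -> f_s(x) is a bijection mod P (the
    Lagrange basis value L0(x) is nonzero), so at most P-1-WORD_MAX = 5 candidate
    secrets are excluded per unchecked index, and there are n-k+1 such indices.
    Words are independent polynomials, so per-word leakage adds."""
    excluded = (n - k + 1) * (P - 1 - WORD_MAX)
    per_word = log2(WORD_MAX + 1) - log2(WORD_MAX + 1 - excluded)
    return words * per_word


if __name__ == "__main__":
    k, n, words = 3, 5, 24
    mnemonic = [randbelow(WORD_MAX + 1) for _ in range(words)]  # constructed sample
    shares_per_word = [split(w, k, n, reduced=True) for w in mnemonic]
    assert all(recover(sh[:k]) == w for sh, w in zip(shares_per_word, mnemonic))
    # attacker holds shares 1 and 2 of every word
    total = sum(leakage_bits(sh[:k - 1], n, reduced=True) for sh in shares_per_word)
    print(f"{k}-of-{n}, {words} words: {total:.3f} bits leaked, "
          f"ceiling {worst_case_leakage_bits(k, n, words):.3f} bits")
```

Under these assumptions the candidate set is the attacker's entire posterior for a word (each candidate determines the polynomial, and acceptance depends only on the polynomial), so any recovery strategy, lattice-based or otherwise, can do no better than enumerating it; the ceiling above is the quantity to compare against the paper's own bias figure once the exact Section 7.2 rejection rule is confirmed. For 2-of-2 with share (1, 0) the survivors are everything except 1..5, and for 3-of-5 with shares (1, 0) and (2, 0) only 7 of 2048 candidates are excluded, against the ceiling of 15.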