Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
.. image:: https://badge.fury.io/py/shamir-mnemonic.svg :target: https://badge.fury.io/py/shamir-mnemonic
Reference implementation of SLIP-0039: Shamir's Secret-Sharing for Mnemonic Codes
This SLIP describes a standard and interoperable implementation of Shamir's secret sharing (SSS). SSS splits a secret into unique parts which can be distributed among participants, and requires a specified minimum number of parts to be supplied in order to reconstruct the original secret. Knowledge of fewer than the required number of parts does not leak information about the secret.
See https://github.com/satoshilabs/slips/blob/master/slip-0039.md for full specification.
This implementation is not using any hardening techniques. Secrets are passed in the open, and calculations are most likely trivially vulnerable to side-channel attacks.
The purpose of this code is to verify correctness of other implementations. It should not be used for handling sensitive secrets.
With pip from PyPI:
.. code-block:: console
$ pip3 install shamir-mnemonic[cli] # for CLI tool
From local checkout for development:
Install the Poetry tool, checkout
python-shamir-mnemonic
from git, and enter the poetry shell:
.. code-block:: console
$ pip3 install poetry
$ git clone https://github.com/trezor/python-shamir-mnemonic
$ cd python-shamir-mnemonic
$ poetry install
$ poetry shell
CLI tool is included as a reference and UX testbed.
Warning: this tool makes no attempt to protect sensitive data! Use at your own risk. If you need this to recover your wallet seeds, make sure to do it on an air-gapped computer, preferably running a live system such as Tails.
When the :code:shamir_mnemonic
package is installed, you can use the :code:shamir
command:
.. code-block:: console
$ shamir create 3of5 # create a 3-of-5 set of shares
$ shamir recover # interactively recombine shares to get the master secret
You can supply your own master secret as a hexadecimal string:
.. code-block:: console
$ shamir create 3of5 --master-secret=cb21904441dfd01a392701ecdc25d61c
You can specify a custom scheme. For example, to create three groups, with 2-of-3, 2-of-5, and 4-of-5, and require completion of all three groups, use:
.. code-block:: console
$ shamir create custom --group-threshold 3 --group 2 3 --group 2 5 --group 4 5
Use :code:shamir --help
or :code:shamir create --help
to see all available options.
If you want to run the CLI from a local checkout without installing, use the following command:
.. code-block:: console
$ python3 -m shamir_mnemonic.cli
The test vectors in vectors.json are given as a list of quadruples:
The master secret is encoded as a string containing two hexadecimal digits for each byte. If the string is empty, then attempting to combine the given set of mnemonics should result in error. The passphrase "TREZOR" is used for all valid sets of mnemonics.
.. default-role:: code
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog
, and this project adheres to
Semantic Versioning
.
0.3.0
_ - 2024-05-15Incompatible
- The `shamir` command no longer works out of the box. It is necessary to install the
`cli` extra while installing the package. See README for instructions.
Added
~~~~~
- Added BIP32 master extended private key to test vectors.
- Added support for extendable backup flag.
Changed
~~~~~~~
- The `shamir_mnemonic` package now has zero extra dependencies on Python 3.7 and up,
making it more suitable as a dependency of other projects.
- The `shamir` CLI still requires `click`. A new extra `cli` was introduced to handle
this dependency. Use the command `pip install shamir-mnemonic[cli]` to install the CLI
dependencies along with the package.
Removed
~~~~~~~
- Removed dependency on `attrs`.
.. _0.3.0: https://github.com/trezor/python-shamir-mnemonic/compare/v0.2.2...v0.3.0
`0.2.2`_ - 2021-12-07
---------------------
Changed
~~~~~~~
- Relaxed Click constraint so that Click 8.x is allowed
- Applied `black` and `flake8` code style
.. _0.2.2: https://github.com/trezor/python-shamir-mnemonic/compare/v0.2.1...v0.2.2
`0.2.1`_ - 2021-02-03
---------------------
.. _0.2.1: https://github.com/trezor/python-shamir-mnemonic/compare/v0.1.0...v0.2.1
Fixed
~~~~~
- Re-released on the correct commit
`0.2.0`_ - 2021-02-03
---------------------
.. _0.2.0: https://github.com/trezor/python-shamir-mnemonic/compare/v0.1.0...v0.2.0
Added
~~~~~
- Introduce `split_ems` and `recover_ems` to separate password-based encryption from the Shamir Secret recovery
- Introduce classes representing a share and group-common parameters
- Introduce `RecoveryState` class that allows reusing the logic of the `shamir recover` command
Changed
~~~~~~~
- Use `secrets` module instead of `os.urandom`
- Refactor and restructure code into separate modules
0.1.0 - 2019-07-19
------------------
Added
~~~~~
- Initial implementation
.. _Keep a Changelog: https://keepachangelog.com/en/1.0.0/
.. _Semantic Versioning: https://semver.org/spec/v2.0.0.html
FAQs
SLIP-39 Shamir Mnemonics
We found that shamir-mnemonic demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.