If it helps it helps. Thanks

[coryscotthodson-png]

Input:

threshold: minimum number of shares needed to reconstruct.

total: total number of shares to generate.

secret: the secret split byte-by-byte.

indexBits: how many bits to use for the x-coordinate (defaults to 8).

It generates total number of shares with unique non-zero x-coordinates.

For each byte of the secret:

Constructs a random polynomial of degree threshold - 1, with secret byte as the constant term.

Evaluates this polynomial at all chosen x-values to produce shares.

---

⚠️ Critical / Possible Bugs or Concerns

1. Invalid index selection due to indexBits logic

let index_mask = 2**indexBits - 1;
if (total > index_mask) throw new Error("index bits is to low");

Should be:

if (total > index_mask + 1) throw new Error("index bits too low");

Reason: index_mask is the maximum value, and you skip index 0, so the number of usable indexes is only index_mask.

Fix suggestion:

if (total > index_mask) throw new Error("index bits too low (max usable: " + index_mask + ")");

---

2. index !== 0 check: Why is index 0 skipped?

if ((shares[index] === undefined)&&(index !== 0)) {

Skipping index === 0 may break polynomial interpolation if 0 is a valid input (which it usually is). In classic Shamir's Secret Sharing, x = 0 is often used as the secret.

If you're avoiding x=0 deliberately (e.g., to avoid exposing the secret directly), document this explicitly.

However, this introduces bias and reduces the available index pool.

✅ Skipping x=0 is valid if and only if your Shamir reconstruction algorithm accounts for that and expects only x > 0.

---

3. q.includes(w) check reduces entropy

do {
...
} while (q.includes(w));

This ensures coefficients are unique, but in standard SSS, polynomial coefficients do not need to be unique.

You're reducing entropy unnecessarily by rejecting duplicates.

Fix suggestion: Remove the q.includes(w) check for more entropy and better randomness.

---

4. Ambiguous / unclear functions:

You use:

BF([])

BC([...])

S.__shamirFn(i, q)

These are likely:

BF = byte field / finite field byte conversion

BC = byte concatenation?

S.__shamirFn(x, coeffs) = evaluate polynomial

If these are not secure finite field arithmetic functions over GF(256), then your SSS implementation may break or become insecure.

Ensure: All arithmetic is done in the correct finite field (GF(256)), not modulo 256 unless using proper irreducible polynomial.

---

5. Re-using entropy multiple times

You're generating entropy once and consuming it gradually:

e = S.generateEntropy({hex:false});
...
if (ePointer >= e.length) {
e = S.generateEntropy({hex:false});
ePointer = 0;
}

This is fine if S.generateEntropy gives truly random, cryptographically secure bytes. Just be aware of overusing small entropy pools.

✅ Use a cryptographically secure RNG and re-seed adequately.

---

6. Returned structure is unclear

You return:

return shares;

But shares is an object where each key is the x-coordinate, and value is... a buffer?

This makes sense, but you may want to return it as:

return sharesIndexes.map(i => ({ x: i, y: shares[i] }));

For better serialization and reconstruction clarity.

---

🧠 Suggested Improvements

Add type validation for inputs.

Consider not skipping index 0 (or explicitly document why you are).

Don't enforce uniqueness of polynomial coefficients.

Clarify or rename BF and BC functions.

Return shares as { x, y } tuples, not an object map.

Add test vectors (e.g., compare with known SSS implementations).

---

✅ Example of improvement

if (threshold > 255 || total > 255)
throw new Error("threshold and total must be <= 255");
if (threshold > total)
throw new Error("threshold cannot exceed total");
const index_mask = 2 ** indexBits - 1;
if (total > index_mask)
throw new Error("indexBits too low to generate unique indices");

const shares = {};
const shareIndices = [];
let entropy = S.generateEntropy({ hex: false });
let ePointer = 0;

while (shareIndices.length < total) {
if (ePointer >= entropy.length) {
entropy = S.generateEntropy({ hex: false });
ePointer = 0;
}
const index = entropy[ePointer++] & index_mask;
if (index !== 0 && !(index in shares)) {
shares[index] = BF([]);
shareIndices.push(index);
}
}

entropy = S.generateEntropy({ hex: false });
ePointer = 0;

for (let b = 0; b < secret.length; b++) {
const coeffs = [secret[b]];
for (let j = 1; j < threshold; j++) {
if (ePointer >= entropy.length) {
entropy = S.generateEntropy({ hex: false });
ePointer = 0;
}
coeffs.push(entropy[ePointer++]); // allow duplicates
}
for (const i of shareIndices) {
const y = S.__shamirFn(i, coeffs);
shares[i] = BC([shares[i], BF([y])]);
}
}

return shareIndices.map(i => ({ x: i, y: shares[i] }));

---

Btc address is bc1qtvxzxt2pq20xd27pyarjhwv2ve8pl93e06qjy4

[moetneos-maker]

SHORT SECURITY AUDIT REPORT
Shamir Secret Sharing Implementation
Bitaps JsBTC / PyBTC

A. Modulo 255 Defect (“Never 255 Bug”)
Polynomial coefficients never take the value 255 (0xFF) due to generator constraints (e.g., modulo 255 arithmetic or specific GF table usage).

Impact:

1. The coefficient space is reduced from 256 to 255 possible values
2. Entropy reduction is extremely small

Risk Assessment:

1. Severity: Low
2. Status: Non-fatal and does not reduce the Shamir threshold

B. Global Polynomial Coefficients (Static Across Bytes)
The polynomial coefficients (a₁, a₂, etc.) are generated once and reused across all bytes of the mnemonic entropy, instead of being regenerated independently per byte.

Impact:

1. Secret bytes become correlated
2. Polynomials are no longer independent per byte
3. Shamir Secret Sharing security is significantly degraded

Status:
Design-level fatal flaw

My addres
18FXF47XcP52vhdbjimQ3CvD93NnHTPF73

[moetneos-maker]

SHORT SECURITY AUDIT REPORT
Shamir Secret Sharing Implementation
Bitaps JsBTC / PyBTC

A. Modulo 255 Defect (“Never 255 Bug”)
Polynomial coefficients never take the value 255 (0xFF) due to generator constraints (e.g., modulo 255 arithmetic or specific GF table usage).

Impact:

1. The coefficient space is reduced from 256 to 255 possible values
2. Entropy reduction is extremely small

Risk Assessment:

1. Severity: Low
2. Status: Non-fatal and does not reduce the Shamir threshold

B. Global Polynomial Coefficients (Static Across Bytes)
The polynomial coefficients (a₁, a₂, etc.) are generated once and reused across all bytes of the mnemonic entropy, instead of being regenerated independently per byte.

Impact:

1. Secret bytes become correlated
2. Polynomials are no longer independent per byte
3. Shamir Secret Sharing security is significantly degraded

Status:
Design-level fatal flaw

My addres
18FXF47XcP52vhdbjimQ3CvD93NnHTPF73

[chris7ph]

Hi bitaps team,

I've been working through your 1 tBTC ZeroNights mnemonic challenge at tbtc.bitaps.com/mnemonic/challenge and wanted to reach out directly.

I've done a fairly thorough cryptographic analysis:

• Decoded both published shares (x=3 and x=15) and confirmed their entropy values
• Investigated the Issue #23 coefficient bias in pybtc — ran full frequency analysis and confirmed the live challenge used a proper CSPRNG (flat 1.00x bias ratio), so that attack path is closed
• Verified there's no degree-reduction vulnerability exploitable with only 2 of 3 shares

The challenge is working exactly as intended — it's information-theoretically secure with 2 shares.

My question: Is the challenge still active? Is there any intention to ever release a third share, or is there a different intended solution path I'm missing?

I'm not asking for the answer handed to me — genuinely curious if there's a puzzle element I've overlooked, or if the challenge is purely a demonstration that proper SSS is unbreakable.

Thanks for building it — it's been a great deep-dive into GF(256) arithmetic.

Christopher Reid

[coryscotthodson-png]

It is still active

…

On Mon, Mar 9, 2026, 4:16 PM chris7ph ***@***.***> wrote: *chris7ph* left a comment (bitaps-com/mnemonic-offline-tool#3) <#3 (comment)> Hi bitaps team, I've been working through your 1 tBTC ZeroNights mnemonic challenge at tbtc.bitaps.com/mnemonic/challenge and wanted to reach out directly. I've done a fairly thorough cryptographic analysis: - Decoded both published shares (x=3 and x=15) and confirmed their entropy values - Investigated the Issue #23 coefficient bias in pybtc — ran full frequency analysis and confirmed the live challenge used a proper CSPRNG (flat 1.00x bias ratio), so that attack path is closed - Verified there's no degree-reduction vulnerability exploitable with only 2 of 3 shares The challenge is working exactly as intended — it's information-theoretically secure with 2 shares. My question: Is the challenge still active? Is there any intention to ever release a third share, or is there a different intended solution path I'm missing? I'm not asking for the answer handed to me — genuinely curious if there's a puzzle element I've overlooked, or if the challenge is purely a demonstration that proper SSS is unbreakable. Thanks for building it — it's been a great deep-dive into GF(256) arithmetic. [Christopher Reid] — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BVOMU6VLGHXMCU3FVS2OZCT4P4RARAVCNFSM6AAAAACC6AGL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMRWGYZDEOBWGY> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[coryscotthodson-png]

I am just like you. Trying to find if there is anything overlooked.

…

On Tue, Mar 10, 2026, 8:56 AM Cory Hodson ***@***.***> wrote: It is still active On Mon, Mar 9, 2026, 4:16 PM chris7ph ***@***.***> wrote: > *chris7ph* left a comment (bitaps-com/mnemonic-offline-tool#3) > <#3 (comment)> > > Hi bitaps team, > > I've been working through your 1 tBTC ZeroNights mnemonic challenge at > tbtc.bitaps.com/mnemonic/challenge and wanted to reach out directly. > > I've done a fairly thorough cryptographic analysis: > > - Decoded both published shares (x=3 and x=15) and confirmed their > entropy values > - Investigated the Issue #23 coefficient bias in pybtc — ran full > frequency analysis and confirmed the live challenge used a proper CSPRNG > (flat 1.00x bias ratio), so that attack path is closed > - Verified there's no degree-reduction vulnerability exploitable with > only 2 of 3 shares > > The challenge is working exactly as intended — it's > information-theoretically secure with 2 shares. > > My question: Is the challenge still active? Is there any intention to > ever release a third share, or is there a different intended solution path > I'm missing? > > I'm not asking for the answer handed to me — genuinely curious if there's > a puzzle element I've overlooked, or if the challenge is purely a > demonstration that proper SSS is unbreakable. > > Thanks for building it — it's been a great deep-dive into GF(256) > arithmetic. > > [Christopher Reid] > > — > Reply to this email directly, view it on GitHub > <#3 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/BVOMU6VLGHXMCU3FVS2OZCT4P4RARAVCNFSM6AAAAACC6AGL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMRWGYZDEOBWGY> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >

[chris7ph]

Ok

[coryscotthodson-png]

Keep after it. You are close. Anything i can do to help i will. Any python code that you need written to help just let me know. If we work together maybe we can figure this out.

…

On Tue, Mar 10, 2026, 9:00 AM chris7ph ***@***.***> wrote: *chris7ph* left a comment (bitaps-com/mnemonic-offline-tool#3) <#3 (comment)> Ok — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BVOMU6TFEKHPDOS7SZE2SM34QAGYDAVCNFSM6AAAAACC6AGL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DAMZRGIYTSNBSG4> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[chris7ph]

that sounds good

[chris7ph]

We just need 3rd share

[coryscotthodson-png]

Once we have third share do you know what to do with it? Im great with the code end of everything but i have no clue what to do with crypto

…

On Sat, Mar 14, 2026, 7:24 PM chris7ph ***@***.***> wrote: *chris7ph* left a comment (bitaps-com/mnemonic-offline-tool#3) <#3 (comment)> We just need 3rd share — Reply to this email directly, view it on GitHub <#3 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BVOMU6RKVGWISR6Y6ORYEOD4QXSZDAVCNFSM6AAAAACC6AGL5KVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHM2DANRRGY3DEOBVGE> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[chris7ph]

Trade memecoins and forex

[chris7ph]

We need to get the 3rd share from the creator