Use of --extendable/--no-extendable #53

Closed
oliviera9 opened this issue Nov 27, 2024 · 6 comments
@oliviera9

oliviera9 commented Nov 27, 2024

Just looking for a confirmation...
From my understanding, if no passphrase is used, creating new backups with --no-extendable is equivalent to --extendable.

One has to use --extendable only when he is going to create a new backup for a master secret encrypted with a passphrase.

@andrewkozlik
Contributor

That is incorrect. No passphrase does not get any special treatment. It just means that an empty string is used for the passphrase. So --extendable and --no-extendable are not equivalent. Technical specification here.

One should always use --extendable. It has to do with the question of whether one wants to be able to create alternative backups of the same seed in the future.

@oliviera9
Author

oliviera9 commented Nov 27, 2024

I did this test:
generated 1of1 shares for a master secret, e.g. shamir create -S be278d88c624adb9dd59a25ba063fec8 -X 1of1
What I found is that shamir recover recovers the same master secret if I input two shares generated with -X. This does not happen when executing shamir recover -p inputting the same passphrase.
Instead, recovering using the same passphrase for two backups generated with -x returns the same secret.

```
$ # WITH -X
$ shamir create  -S be278d88c624adb9dd59a25ba063fec8 -X 1of1
Using master secret: be278d88c624adb9dd59a25ba063fec8
Group 1 of 1 - 1 of 1 shares required:
bike senior academic academic axis thorn hazard process slap benefit thorn shaft jump sympathy crystal arcade dismiss eyebrow regular always
$ # generate two backups for the same master secret
$ shamir create  -S be278d88c624adb9dd59a25ba063fec8 -X 1of1
Using master secret: be278d88c624adb9dd59a25ba063fec8
Group 1 of 1 - 1 of 1 shares required:
critical husband academic academic anxiety river smirk alpha duke inmate eclipse military dough express detailed device focus deadline hearing hamster
$ # recover from first backup with passphrase
$ shamir recover -p
Enter a recovery share: bike senior academic academic axis thorn hazard process slap benefit thorn shaft jump sympathy crystal arcade dismiss eyebrow regular always

✓ 1 of 1 shares needed from group bike senior academic
Enter passphrase: 
Repeat for confirmation: 
SUCCESS!
Your master secret is: f59f4f309e88c5ce07f0880e004a7e4c
$ # recover from second backup with same passphrase
$ shamir recover -p
Enter a recovery share: critical husband academic academic anxiety river smirk alpha duke inmate eclipse military dough express detailed device focus deadline hearing hamster

✓ 1 of 1 shares needed from group critical husband academic
Enter passphrase: 
Repeat for confirmation: 
SUCCESS!
Your master secret is: 9b278255ca94e404aa43bbbc99f7754f
$ # recover without passphrase
$ shamir recover
Enter a recovery share: bike senior academic academic axis thorn hazard process slap benefit thorn shaft jump sympathy crystal arcade dismiss eyebrow regular always

✓ 1 of 1 shares needed from group bike senior academic
SUCCESS!
Your master secret is: be278d88c624adb9dd59a25ba063fec8
$
$ shamir recover
Enter a recovery share: critical husband academic academic anxiety river smirk alpha duke inmate eclipse military dough express detailed device focus deadline hearing hamster

✓ 1 of 1 shares needed from group critical husband academic
SUCCESS!
Your master secret is: be278d88c624adb9dd59a25ba063fec8
$ # with -x
$ shamir create  -S be278d88c624adb9dd59a25ba063fec8 -x 1of1
Using master secret: be278d88c624adb9dd59a25ba063fec8
Group 1 of 1 - 1 of 1 shares required:
always describe academic academic cubic gravity segment priority nuclear liquid chemical merit numb easy class wits warmth species genre dominant
$ shamir create  -S be278d88c624adb9dd59a25ba063fec8 -x 1of1
Using master secret: be278d88c624adb9dd59a25ba063fec8
Group 1 of 1 - 1 of 1 shares required:
coding heat academic academic cubic gravity segment priority nuclear liquid chemical merit numb easy class wits warmth involve judicial worthy
$ shamir recover -p
Enter a recovery share: always describe academic academic cubic gravity segment priority nuclear liquid chemical merit numb easy class wits warmth species genre dominant

✓ 1 of 1 shares needed from group always describe academic
Enter passphrase: 
Repeat for confirmation: 
SUCCESS!
Your master secret is: 8183231e2bc294c20487be75cc1895ea
$ shamir recover -p
Enter a recovery share: coding heat academic academic cubic gravity segment priority nuclear liquid chemical merit numb easy class wits warmth involve judicial worthy

✓ 1 of 1 shares needed from group coding heat academic
Enter passphrase: 
Repeat for confirmation: 
SUCCESS!
Your master secret is: 8183231e2bc294c20487be75cc1895ea
```

@oliviera9
Author

oliviera9 commented Nov 27, 2024

> One should always use --extendable. It has to do with the question of whether one wants to be able to create alternative backups of the same seed in the future.

Wasn't this possible even before the introduction of the ext bit? I understand the rationale at point 10 here, but I don't see why this wasn't achievable in the previous SLIP version without the ext flag. One already could create a new backup with a different identifier, and now I still can create two backups with -X for the same master secret with different identifiers.

@matejcik
Contributor

> One already could create a new backup with a different identifier, and now I still can create two backups with -X for the same master secret with different identifiers.

For the same master secret, yes, if the master secret is fixed.
I.e., if you start with a master secret that you encrypt with a passphrase (possibly empty) and split into shares, you can then regenerate that secret, encrypt it differently again with a different passphrase, and recover it again.

The usage as a BIP32 wallet backup is different: here, the fixed value is the Encrypted Master Secret, and we consider any decryption with any passphrase to be valid.
IOW, for secret EMS and passphrase P0, result is wallet W0; for secret EMS and passphrase P1, result is wallet W1.
Without the ext bit, changing the identifier changes the decryption of the same EMS: passphrase P0 will give you wallet W3, passphrase P1 will give you W4.

@matejcik
Contributor

> generated 1of1 shares for a master secret, e.g. shamir create -S be278d88c624adb9dd59a25ba063fec8 -X 1of1
> What I found is that shamir recover recovers the same master secret if I input two shares generated with -X. This does not happen when executing shamir recover -p inputting the same passphrase.
> Instead, recovering using the same passphrase for two backups generated with -x returns the same secret.

Right, exactly.
Remember, the passphrase is also an argument to shamir create. You are not specifying it, which means an empty passphrase is used.

Two invocations of shamir create -X <MS> (no passphrase) yield two different EMSs.
Two invocations of shamir create -x <MS> (no passphrase) yield the same EMS twice.

@oliviera9
Author

I see! So, simply put, you want the EMS to be fixed so that recovering from different backups (different ids) with the same passphrase will return the same wallet, e.g. decoy wallet and real wallet.
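
The behaviour discussed in this thread, as an added example that is not part of the issue or of the shamir-mnemonic code: an independent re-implementation of the SLIP-39 passphrase cipher (4-round Feistel over PBKDF2-HMAC-SHA256) showing how the ext bit removes the identifier from the salt. The identifiers `0x1234`/`0x5678`, the passphrase `decoy` and iteration exponent 0 are constructed values; the master secret is the one used in the test above.

```python
import hashlib

ROUNDS = 4
BASE_ITERATIONS = 10000
CUSTOMIZATION = b"shamir"
MS = bytes.fromhex("be278d88c624adb9dd59a25ba063fec8")  # master secret from the thread


def _salt(identifier: int, extendable: bool) -> bytes:
    # ext bit set: empty salt, so the random identifier no longer affects the cipher.
    # ext bit clear: salt = "shamir" || 2-byte identifier, so every backup is keyed differently.
    return b"" if extendable else CUSTOMIZATION + identifier.to_bytes(2, "big")


def _feistel(data, passphrase, identifier, extendable, exponent, order):
    half = len(data) // 2
    l, r = data[:half], data[half:]
    salt = _salt(identifier, extendable)
    for i in order:
        f = hashlib.pbkdf2_hmac("sha256", bytes([i]) + passphrase, salt + r,
                                (BASE_ITERATIONS << exponent) // ROUNDS, dklen=len(r))
        l, r = r, bytes(a ^ b for a, b in zip(l, f))
    return r + l


def encrypt(ms, passphrase, identifier, extendable, exponent=0):
    """Master secret -> encrypted master secret (EMS), the value that gets split into shares."""
    return _feistel(ms, passphrase, identifier, extendable, exponent, range(ROUNDS))


def decrypt(ems, passphrase, identifier, extendable, exponent=0):
    """EMS -> master secret; any passphrase 'succeeds', it just yields a different secret."""
    return _feistel(ems, passphrase, identifier, extendable, exponent, reversed(range(ROUNDS)))


def demo(extendable: bool):
    """Two backups of MS created with an empty passphrase, then recovered two ways."""
    ids = (0x1234, 0x5678)  # constructed; the tool draws a random 15-bit id per backup
    ems = [encrypt(MS, b"", i, extendable) for i in ids]
    no_pp = [decrypt(e, b"", i, extendable) for e, i in zip(ems, ids)]
    with_pp = [decrypt(e, b"decoy", i, extendable) for e, i in zip(ems, ids)]
    return ems, no_pp, with_pp


if __name__ == "__main__":
    for flag, ext in (("-X", False), ("-x", True)):
        ems, no_pp, with_pp = demo(ext)
        print(flag, "EMS:", [e.hex() for e in ems])
        print(flag, "recover:", [m.hex() for m in no_pp])
        print(flag, "recover -p:", [m.hex() for m in with_pp])
```

With `-X` the two EMS values and the two `recover -p` results differ while plain `recover` returns the original secret both times; with `-x` the EMS is identical, so every passphrase maps to the same secret across backups.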
