@pjkundert pjkundert commented Nov 15, 2024

Recovering SLIP-39 EncryptedMasterSecrets from (possibly corrupted or otherwise attacked) sets of Mnemonics is the sole purpose of the SLIP-39 standard.

Verifying, grouping and vetting sets of mnemonics requires at least partial decoding of the mnemonic to extract identifier, extendable flag, group counts, thresholds, etc., so that only compatible mnemonics are considered. This is difficult to do "externally" to the SLIP-39 implementation.

Therefore, a robust API to recover one or more SLIP-39-encoded encrypted master secrets from a pool of collected mnemonics is not just useful, but critical to the proper operation of a SLIP-39 based recovery system.

Thus: I propose shamir_mnemonic.group_ems_mnemonics, which takes a sequence of Mnemonics (as either str or Share), and produces a sequence of EncryptedMasterSecrets and a dict of group indices and the list of Mnemonics used to recover the secret. It does so in a manner resilient to various corruptions or attacks, ignoring invalid, unrelated/incompatible or redundant Mnemonics.

Fixes #44

Furthermore, group_ems_mnemonics provides the ability to optionally expand 1 or more groups with additional mnemonics, or even replace a failed mnemonic group with a single-Share mnemonic. This allows recovery from SLIP-39 group failures (too many lost mnemonics), by:

  • recovering the group using existing mnemonics (if sufficient) and re-generating the missing ones, or
  • producing new ones compatible with the existing mnemonics to issue to new group participants, or
  • replacing (or augmenting) the failed group with a new single-Share (1 of 1) mnemonic for the group.

All of these approaches are supported by the existing underlying cryptography of SLIP-39, assume no new extensions to the protocol, and will work with any set of existing SLIP-39 mnemonics.
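The vetting step the description calls for (bucket by shared parameters, skip invalid, unrelated and redundant shares, then check thresholds), as an added example that is not code from this pull request or from `shamir_mnemonic`. It works on already-decoded header fields; `ShareMeta`, `vet_pool` and the sample values are hypothetical names and constructed data.

```python
from collections import defaultdict
from typing import NamedTuple

class ShareMeta(NamedTuple):
    """Header fields decoded from one SLIP-39 mnemonic (hypothetical record)."""
    identifier: int
    extendable: bool
    iteration_exponent: int
    group_index: int
    group_threshold: int
    group_count: int
    member_index: int
    member_threshold: int
    value: bytes

def vet_pool(pool):
    """Bucket shares by common parameters and report which buckets are recoverable."""
    sets = defaultdict(lambda: defaultdict(dict))
    for s in pool:
        # Structurally impossible headers never join a bucket.
        if not (0 < s.group_threshold <= s.group_count and s.group_index < s.group_count):
            continue
        key = (s.identifier, s.extendable, s.iteration_exponent,
               s.group_threshold, s.group_count)
        # A redundant copy of the same member is counted once.
        sets[key][s.group_index].setdefault(s.member_index, s)
    report = {}
    for key, groups in sets.items():
        ready = {}
        for gi, members in groups.items():
            thresholds = {m.member_threshold for m in members.values()}
            # Members that disagree on the threshold make the group unusable.
            if len(thresholds) == 1 and len(members) >= thresholds.pop():
                ready[gi] = sorted(members)
        report[key] = {"recoverable": len(ready) >= key[3], "ready_groups": ready}
    return report

# Constructed sample pool: one 2-of-3-groups secret plus noise.
SAMPLE_POOL = [
    ShareMeta(0x1234, True, 1, 0, 2, 3, 0, 2, b"a"),
    ShareMeta(0x1234, True, 1, 0, 2, 3, 0, 2, b"a"),   # redundant copy
    ShareMeta(0x1234, True, 1, 0, 2, 3, 1, 2, b"b"),
    ShareMeta(0x1234, True, 1, 1, 2, 3, 0, 3, b"c"),   # group 1 needs 3, has 2
    ShareMeta(0x1234, True, 1, 1, 2, 3, 2, 3, b"d"),
    ShareMeta(0x1234, True, 1, 2, 2, 3, 0, 1, b"e"),   # 1-of-1 group
    ShareMeta(0x0777, False, 0, 0, 1, 1, 0, 2, b"f"),  # unrelated set, below threshold
    ShareMeta(0x1234, True, 1, 0, 4, 3, 0, 2, b"g"),   # invalid: threshold > count
]
```
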

@andrewkozlik andrewkozlik requested a review from matejcik July 29, 2025 10:57
Successfully merging this pull request may close these issues.

Group member check seems too restrictive when combining mnemonics