When you go from C1 to S1, you don't know anything.
But when you go from S1 to C1, think differently: what practices would you, as a normal person, employ? I said it's simple and straightforward, but put in a little bit of interference like moving positions as well.
The next step is to verify the most promising approaches one by one, until you find some strings that are related to the topic, and you can be more sure of the remaining hidden information.
It's not really hard to derive backwards, the point is to understand the process of going forwards.
It's quite impossible to go from C1 to S1, so I guess going forwards is even more difficult to figure out than that.
Correct, it's 5 letters for each seed word, not 6 letters, you're one step closer.
But considering that there are 3-letter words, what would you do with them if you were coding them? Add placeholders, use a fixed-length structure? Or add length descriptors and use a variable-length structure?
Maybe try them all?
So it's impossible to use 6 letters for each seed word, right?
Why not? Say you have 12 rows. In the first two, you use 12 letters to note the rules (as it seems needed). The rest of the rows consist of 60 letters. Given that we only need the first four letters of each word and its position, we would need 4*12 letters + 12 positions = 60.
But, I think you've said that we need more than just the words and their positions. Right?
No, in this scenario, complexity is just the enemy of usability (or ease of use?). As long as it is written on a piece of paper, then the custody of that piece of paper becomes a complex system.
Of course, we have some other methods, such as Shamir's secret-sharing (SSS), such as opening multiple safe deposit box services at banks in different countries, and then putting a copy in each safe deposit box... I'm just offering here another low-cost, unplugged, off-the-grid, third-party-independent solution that allows you to keep more backups, in secret, to prevent loss, damage, or theft, and to reduce the complexity of keeping this piece of paper on which the seed phrases are kept.
Although the process of writing down and restoring is more complicated, after all, it's a low-frequency operation, and that's an acceptable price to pay.
In fact, during the eight years of practice I've used this method to manage my strong passwords, I've encountered the same doubts: simple passwords are enough, reusing them is no big problem, do you have to take out your PassCard and look up the table, reading a letter and entering it every time you enter a password?
Actually not, I will follow the rule of extracting plaintext when registering a new service account, write down the plaintext on a piece of paper, take out the PassCard, write down the corresponding ciphertext according to the fixed substitution rule, then enter the ciphertext, and then choose to remember the password. Just scribble it off afterward, tear it up, burn it down, and flush it. Since I know the rules are secure, and the software or browser doesn't know about my PassCard or any of the rules, it doesn't make any sense to just get a string of seemingly random characters, does it? It's only when I change devices and log back in, or in similar scenarios, that I need to use the PassCard again to recover my login password; it's an ease-of-use issue, not a security one.
Of course, I recognize that a well-designed multi-signature scheme can greatly improve security when spending, but introducing a new co-signer is one more uncontrollable factor, and 3 co-signers with 3 master private keys and 3 seed phrases magnifies the problem of properly and stealthily storing the seed phrases by 3, doesn't it?
Imagine writing down the name of each wallet in a small notebook, with the corresponding seed phrase below in ciphertext, and then keeping a copy of the CipherCard in your safe with the rules for substitution encryption written on the back of the copy.
Again, I can tell the security of this setup. However, I believe it is more complex than needed, and complexity is the enemy of security. I think that a well-setup multi-sig could provide about the same levels of security, but with less complexity.
It's not actually relying on a third party, it's being indifferent to a third party, that's not the same thing, as if I had to lock every seed phrase card into a safe and now I can put it in a desk drawer and just put a piece of paper in the safe that explains the rules. In my experience, managing such a piece of paper can be much easier than managing a bunch of cards. Does it come down to the fact that I'm still relying on the safe?
You could even keep a picture of the CipherCard in Gmail's drafts folder, the rules in Outlook's drafts folder, and the ciphertext of the seed phrases in the drafts folder of all your email services, and then use another CipherCard to manage the passwords for all your mailboxes.
Doesn't that make sense?
In my view, if your setup has to rely on third parties, it isn't an ideal setup.