Best Way to Encrypt Recovery Words for Wallet for Heirs?

Captain-Cryptory

newbie

Activity: 23

Merit: 853

Quote from: o_e_l_e_o on August 22, 2020, 05:22:02 AM

Or each part of the SSS will be able to be compromised,

It's hard to do almost impossible. AFAIK, no one has manage to do this so far. As it is stated any available SSS is a kind of break-resistant scheme at least for the setup the common user might have.

Quote from: o_e_l_e_o on August 22, 2020, 05:22:02 AM

in your hypothetical scenario each party can be talked in to giving away their share of the SSS, but they will know better than to give away their share of the multisig?

That's correct.

Captain-Cryptory

newbie

Activity: 23

Merit: 853

Quote from: o_e_l_e_o on August 22, 2020, 04:48:58 AM

I don't see how multisig or SSS stops that? If one malicious party manages to get their hands on all the other parts, then they can do whatever they like. This is true of any set up, be it SSS, multisig, or encryption.

Means all SSS parts but not SEEDs for wallets relevant to multisig. SEED is the sacral thing which can not be shared at any circumstances, everybody knows this, all the more heirs should do, as every next generation is in general more advanced. I see even to day z-generation is more advanced than, say, gen Y.

Captain-Cryptory

newbie

Activity: 23

Merit: 853

Quote from: bob123 on August 21, 2020, 06:48:21 AM

Which "if's" are you referring to ?

Say one heir will convince others to give him the missing parts (or get it by deception) and fuck all bodies off when making transaction. Is this possible scenario? Why, not. Multisig + SSS scheme will automatically prevents that.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: o_e_l_e_o on August 23, 2020, 11:28:17 AM

It needs to be secure, it needs to be open source for obvious reasons, and it needs to be easily replicated in case the implementation the person uses no longer exists when the heirs come to recombine their shares.

There are multiple secret sharing schemes which one could use. And for each there are open source implementations.
One could just choose one of them and not just hand out the shares, but also the source code and instructions.

How the mnemonic has to be encoded fully depends on the scheme and implementation. But IMO that's not a problem since all information can be included in the how-to.
Basically this all comes down to "Here is the source code, enter the data on the paper into the function".

Quote from: o_e_l_e_o on August 23, 2020, 11:28:17 AM

Would SLIP39 be the best bet?

I'd generally never do crypto in my browser / using javascript.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: bob123 on August 23, 2020, 10:39:57 AM

A secret sharing is superior to a simple split and encryption.

So if someone wanted to use a 3-of-3 secret sharing scheme, what is the best way to do it? It needs to be secure, it needs to be open source for obvious reasons, and it needs to be easily replicated in case the implementation the person uses no longer exists when the heirs come to recombine their shares.

Would SLIP39 be the best bet? Other than Trezor and Iancoleman, are there any other implementations of this available to use?

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: o_e_l_e_o on August 22, 2020, 04:48:58 AM

Depends which encryption algorithm you use, but if you are worried about this then simply split your 24 word seed in to two 12 word sections and encrypt them separately before handing them out your friends. A collusion between one friend and the will holder will at most reveal 12 words, meaning they would still need to brute force 12 more, which is essentially impossible.

So, this might apply to a 24 word mnemonic.
But a 12 word mnemonic, where 6 words are known is still unlikely to be bruteforced, means it is no longer impossible to do so.

Information leakage when 2 out of 3 parties collude is never good. A secret sharing is superior to a simple split and encryption.

Quote from: Captain-Cryptory on August 22, 2020, 05:49:52 AM

Quote from: o_e_l_e_o on August 22, 2020, 05:22:02 AM

in your hypothetical scenario each party can be talked in to giving away their share of the SSS, but they will know better than to give away their share of the multisig?

That's correct.

That's retarded.
It doesn't make any sense.

How is that one piece of information someone tells you to not give it away, secure in terms of that the said person won't give it away, but the other isn't ?
There is no logic behind it. It just over complicates things.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Captain-Cryptory on August 22, 2020, 05:04:53 AM

Means all SSS parts but not SEEDs for wallets relevant to multisig. SEED is the sacral thing which can not be shared at any circumstances, everybody knows this, all the more heirs should do

Correct me if I'm wrong, but as I'm reading it, in your hypothetical scenario each party can be talked in to giving away their share of the SSS, but they will know better than to give away their share of the multisig? Or each part of the SSS will be able to be compromised, but each part of the multisig will be store more securely?

I think that's a pretty big assumption to make. You either have to assume a party is smart enough to store all information securely and not give any of it away, or they aren't.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: bob123 on August 21, 2020, 08:26:03 AM

A collusion between the person having access to the will and therefore the decryption key, together with one of those two parties, will result in information leakage.
And this leakage might be enough to bruteforce the seed.

Depends which encryption algorithm you use, but if you are worried about this then simply split your 24 word seed in to two 12 word sections and encrypt them separately before handing them out your friends. A collusion between one friend and the will holder will at most reveal 12 words, meaning they would still need to brute force 12 more, which is essentially impossible.

Quote from: Captain-Cryptory on August 22, 2020, 04:21:12 AM

Say one heir will convince others to give him the missing parts (or get it by deception) and fuck all bodies off when making transaction. Is this possible scenario? Why, not. Multisig + SSS scheme will automatically prevents that.

I don't see how multisig or SSS stops that? If one malicious party manages to get their hands on all the other parts, then they can do whatever they like. This is true of any set up, be it SSS, multisig, or encryption.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: o_e_l_e_o on August 21, 2020, 08:03:30 AM

Collusion between two parties is impossible, as all three are required to decrypt the seed.

Not necessarily.

A collusion between the person having access to the will and therefore the decryption key, together with one of those two parties, will result in information leakage.
And this leakage might be enough to bruteforce the seed.

A 3 out of 3 secret sharing is not vulnerable to that.
A multisig together with a secret sharing scheme indeed seems pointless.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Complexity is the enemy of security. Setting up a multisig and SSS simultaneously is overly complex and does not solve any problem over my approach:

Encrypt your seed
Give the first half of the encrypted data to one friend, and the second half to another friend
Put the decryption key in your will

Collusion between two parties is impossible, as all three are required to decrypt the seed.
Privacy is maintained as you can use a full HD wallet and none of the three parties know your addresses prior to decryption.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

Well, always good to have a few options in store to have something to choose from.

Over complicating things rarely has a positive effect.

Quote from: ?? on ??

Mine which is composition of secret-sharing-scheme(SSS) and multisig wallet allows to mitigate some of numerous "if" the bare SSS couldn't cope with.

Which "if's" are you referring to ?
Where is the vulnerability when using a secret sharing scheme in comparison to using that scheme together with multisig?

Quote from: ?? on ??

However as it was pointed out by HCP even mine (not to mention bare SSS) would remained powerless against the specific cases that still possible due to the human nature.

If i am not mistaken, that's the reason why the secrets are divided into 2 groups which both include a human (prone to irrational thinking) and a bank safety deposit box.
Whether who gains access to that under which conditions is key here.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

Besides the mine solves his concern of possible collusion between heirs. Sure OP can figure out his own way.

This problem already is being solved by the secret sharing scheme.

Quote from: HCP on August 19, 2020, 06:48:53 PM

That's not exactly true... It wouldn't need to be 3-of-6. If the OP was using Electrum, they could create a 3-of-3 MultiSig wallet... using 3 seeds... instead of using 1 seed + 2 pubkeys. That way, their copy of the wallet would have all the private keys needed to be able to create/send transactions. It would be akin to having a "disabled" 2FA wallet.

OP could then give 1 seed to TrustedPersonA, 1 seed to TrustedPersonB and have 1 seed in Will. On death, the parties can then use the 3 seeds to recreate the wallet.

In the meantime, the OP could use the wallet as they wanted for everyday use... it's still an HD wallet, so OP would get new addresses etc. And wouldn't look any different to any other P2SH type wallet really. Granted, the OP would need to keep backups of all 3 seeds, but that's not really any more difficult than keeping a backup of 1 seed from a "standard" wallet... you're effectively just storing 36 words instead of 12 Tongue

That's what i actually was referring to with keeping a backup of all 3 shares.
It is either OP has access to the 3 shares being distributed or 3 out of 6 shares if each share has to be individual.
But somehow, i only was thinking about a single multisig address. Therefore the statement regarding the privacy. With a multisig wallet, the privacy obviously is not affected.

HCP

legendary

Activity: 2086

Merit: 4318

Quote from: ?? on ??

I remain skeptical that there’s at least one person who would give up his/her cut of heritage only for the reason of screwing others unless his/her portion is "penny"-worth. And then, we’re not talking about strangers but of heirs who are supposed to be related. If their cuts are equal they are supposed to sign transaction.

You'd think this would be the case... but I've personally seen the results of "estranged" relatives fighting over property/funds etc. following deaths and marriage breakups etc. It ain't pretty and sometimes people do very irrational things to cause other people pain. Undecided

(have you had a read through the reputation board lately? Roll Eyes

)

Obviously, it's not guaranteed that this will happen... it's just something to consider when going for an n-of-m multisig, where n==m... It only takes one keyholder to either lose their key, or refuse to sign, and the funds are effectively unrecoverable.

HCP

legendary

Activity: 2086

Merit: 4318

Quote from: ?? on ??

No need to have all 3 in one hand to distribute the fund.

DUH! Yeah... Of course, it's multisig, one person creates the transaction distributing funds evenly, and then everyone else signs it... Roll Eyes

However, I guess the opposite scenario is also true... if one party feels like being a complete ass, they can actually prevent everyone from getting any money by refusing to sign the transaction with their key... and before anyone says "why would someone deliberately sabotage their own chances of getting money by refusing to sign?"... trust me, I've seen people do a LOT worse out of pure spite Undecided

HCP

legendary

Activity: 2086

Merit: 4318

Quote from: bob123 on August 19, 2020, 12:10:50 PM

This would result in the circumstance that the BTC always need to be in the multisig wallet.

For OP to actually use the wallet he either needs
1) a "backup" of the private keys everyone has to actually access the funds or
2) a 3 out of 6 multisig with him having 3 keys.

Both is extremely impractical because he basically just has a single address to use.

The previously mentioned approaches are better in terms of privacy. OP can use as many addresses as he wants without affecting the security of the backup mechanism or his privacy when transacting.
I see downsides of your approach, but don't see any upside.

That's not exactly true... It wouldn't need to be 3-of-6. If the OP was using Electrum, they could create a 3-of-3 MultiSig wallet... using 3 seeds... instead of using 1 seed + 2 pubkeys. That way, their copy of the wallet would have all the private keys needed to be able to create/send transactions. It would be akin to having a "disabled" 2FA wallet.

OP could then give 1 seed to TrustedPersonA, 1 seed to TrustedPersonB and have 1 seed in Will. On death, the parties can then use the 3 seeds to recreate the wallet.

In the meantime, the OP could use the wallet as they wanted for everyday use... it's still an HD wallet, so OP would get new addresses etc. And wouldn't look any different to any other P2SH type wallet really. Granted, the OP would need to keep backups of all 3 seeds, but that's not really any more difficult than keeping a backup of 1 seed from a "standard" wallet... you're effectively just storing 36 words instead of 12 Tongue

The big problem I see with all of this... is the final distribution of funds. If all the funds are in one wallet, the party that gets all 3 seeds "first" could effectively take it all.

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: ?? on ??

Say you have 3 heirs to whom you trust. Create 3-of-3 multisyg wallet (in fact you should create 3 wallets with 3 MPK, and the final multisig will be 4th) to authorize transaction and using any SSS split the multisig wallet's SEED into 3 parts, any 2 of which capable to restore SEED for multisig. Hand over to every heir the full SEED for his/her wallet and his/her part of the split SEED relevant to multisig wallet. If even 2 of 3 heirs will plot to steal the money for themselves they can’t do it without 3rd signing wallet.

This would result in the circumstance that the BTC always need to be in the multisig wallet.

For OP to actually use the wallet he either needs
1) a "backup" of the private keys everyone has to actually access the funds or
2) a 3 out of 6 multisig with him having 3 keys.

Both is extremely impractical because he basically just has a single address to use.

The previously mentioned approaches are better in terms of privacy. OP can use as many addresses as he wants without affecting the security of the backup mechanism or his privacy when transacting.
I see downsides of your approach, but don't see any upside.

bob123

legendary

Activity: 1624

Merit: 2481

I partially agree with o_e_l_e_o.

I'd like to suggest a few improvements:

Use an open source project from github which makes it easier to reconstruct the executable in X years.
Do not only include the source code / instruction in the will, but everyone having a share should know that. Just go for 3 out of 3 shares.
It doesn't necessarily have to be Shamirs secret sharing scheme. There are other cryptogrpahically secure sharing schemes available, such as Mignotte's or Asmuth-Bloom's scheme. Rather go for open source and reproducible, regardless whether it is Shamir's or an other secure scheme.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: Gyther on August 18, 2020, 02:22:57 PM

-snip-

You have already landed on the most crucial flaw when it comes to SSSS - multiple implementations which are not cross compatible with each other. Your entire set up is now entirely dependent on this one website you have chosen. Should there be a bug in the code,* then your shares may not be secure at all, or they may not recombine properly. Should the site go down and your USB stick corrupts or dies (not unlikely give the 50 year time frame you talk about), then your coins will be lost forever.

There's a good article here detailing the shortcomings of SSSS: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

*Is it even open source? All I can see on the site itself is the statement that it is "built upon" a GitHub repository which hasn't been updated in 3 years.

Gyther

newbie

Activity: 3

Merit: 0

@MagicByt3 Thank you. I found a website which would do Shadir's Secret Sharing in an offline browser: http://passguardian.com

I tested with the Edge and the Firefox Browsers and they seemed to both work offline and interoperably.

The main disadvantage I see with Shadir's Secret Sharing Scheme is that implementations seem to be various. I have not found an ability to get one implementation scheme to work with another. As such if I use Pass Guardian's scheme. Then that's the only option.

However, because it work's offline, a USB drive can be used to reconstruct the secret words. In addition, archive.org has a repository of passguardian.com, ex. https://web.archive.org/web/20200719040245/http://passguardian.com/ and as such, it should be feasible to get that to work as well and it worked when I tried it.

So yeah, I think I'm going to leave a link to passguardian and a web.archive.org version of passguardian in the instructions of the Will as well as a USB Drive with a the predownloaded offline webpage as well as a Downloadable Executable of a Web Browser ( just in case history changes and we aren't still using web browsers in 50 or so years when I die ).

bob123

legendary

Activity: 1624

Merit: 2481

Quote from: PawGo on August 18, 2020, 10:05:41 AM

Exactly - you will need 3 parts to access the balance.

With your approach only 2 shares are required:

HW Wallet + Pin or
Mnemonic code + Password

And with a discovered vulnerability in the HW wallet, maybe only the HW wallet is enough.
You shoudn't treat a HW wallet as completely secure against someone who has a lot of time, technical knowledge and access to the device.

Topic: Best Way to Encrypt Recovery Words for Wallet for Heirs? (Read 417 times)