Author

Topic: BitcoinSeedSplitter (Read 454 times)

full member
Activity: 193
Merit: 124
Just digging around
January 19, 2023, 03:10:43 PM
#28
It is open source, so it can't "just go away". You can compile yourself from github (free VS Code) and check the code too after just use the exe as long as you wish.

Indeed if you use a different software it can steal your coins, so you can follow step one.

I would use a clean install computer (without any network) and zero fill the disk after the splits has been created. I would also add a password to the seeds (so even with enough seeds + with knowledge what it is a thief can't rebuild).
I would also not print it on a printer. I would use steal plates made for seed words.


@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits or we are fully dependent only on your software.
This looks to me like one more single point of failure.

full member
Activity: 193
Merit: 124
Just digging around
April 16, 2021, 08:32:38 AM
#27
He wrote this in 2018, so I thought it's abandoned. Anyway, I still think that the features I mentioned trump compatibility. At least for me Wink

iancoleman commented on Feb 5, 2018
Agreed there are some inefficiencies and implementation-specific cruft that could be improved, but I'm on the cusp of decommissioning this tool in favour of SLIP-0039
https://github.com/satoshilabs/slips/blob/master/slip-0039.md



Abandoned project since 2017 (Ian moved to Slip39 which is not a seed backup option)

His Slip39 mnemonic shares tool is only at experimental prototype stages and I don't see any new commits posted since December 2019, and his latest github commits are unrelated with this.
He is still posting commits for his Bip39 tool and latest one was at the end of February, so I would not call it abandoned project.
legendary
Activity: 2212
Merit: 7064
April 16, 2021, 08:04:12 AM
#26
Abandoned project since 2017 (Ian moved to Slip39 which is not a seed backup option)

His Slip39 mnemonic shares tool is only at experimental prototype stages and I don't see any new commits posted since December 2019, and his latest github commits are unrelated with this.
He is still posting commits for his Bip39 tool and latest one was at the end of February, so I would not call it abandoned project.
full member
Activity: 193
Merit: 124
Just digging around
April 16, 2021, 06:39:30 AM
#25
I checked out and decided not to make this tool binary compatible to the aforementioned one for now.

The reasons:
1) Abandoned project since 2017 (Ian moved to Slip39 which is not a seed backup option)
2) The shares have no CRC which could lead to incorrect restored value as Shamir itself doesn't have CRC
3) Missing SplitID (unique ID at the beginning of each split run). This could lead to fatal issues if user error occurs. Eg. accidentally mixing shares from two splits (from the same seed) which won't re-build.
4) Needing the Shamir extra word at the beginning. This is not an error, but makes the share longer.
5) No password option

full member
Activity: 193
Merit: 124
Just digging around
April 15, 2021, 03:30:53 AM
#24
Indeed! I didn't see Ian's Shamir39 earlier. Will see if I can make mine binary compatible. That way we would have two basic implementations at least.




The big difference that one can backup your seed (this version) SLIP39 can't. That's why I had to write this. I would have been much happier just using something out of the box myself.
You misunderstand me. Ian Coleman's SLIP39 tool (https://iancoleman.io/slip39/) does indeed split a master private key (or other master secret) in to split phrases, but his Shamir39 tool (https://iancoleman.io/shamir39/) is different and does what your does, allowing you to split a seed phrase rather than a master key.

His specification is here: https://github.com/iancoleman/shamir39/blob/master/specification.md. There is obvious no cross-compatibility between your two tools since you both use different encoding schemes for things like the threshold number of shares and order/ID of each share, but I'm wondering you both generate actual share data in the same way?
legendary
Activity: 4466
Merit: 3391
April 14, 2021, 05:51:34 AM
#23
This repo also has code that will use SSS to split a mnemonic, though it is not as advanced as the others: https://github.com/odolvlobo/bip39
legendary
Activity: 2268
Merit: 18748
April 14, 2021, 04:24:30 AM
#22
The big difference that one can backup your seed (this version) SLIP39 can't. That's why I had to write this. I would have been much happier just using something out of the box myself.
You misunderstand me. Ian Coleman's SLIP39 tool (https://iancoleman.io/slip39/) does indeed split a master private key (or other master secret) in to split phrases, but his Shamir39 tool (https://iancoleman.io/shamir39/) is different and does what your does, allowing you to split a seed phrase rather than a master key.

His specification is here: https://github.com/iancoleman/shamir39/blob/master/specification.md. There is obvious no cross-compatibility between your two tools since you both use different encoding schemes for things like the threshold number of shares and order/ID of each share, but I'm wondering you both generate actual share data in the same way?
full member
Activity: 193
Merit: 124
Just digging around
April 14, 2021, 02:38:40 AM
#21
The big difference that one can backup your seed (this version) SLIP39 can't. That's why I had to write this. I would have been much happier just using something out of the box myself.

Indeed, but that's why I uploaded it to github, someone can upload it to other sites. Also binary logic is available, so I believe even a novice programmer can build a tool to merge fairly fast (probably hours/days). Only thing which is a must have the BIP39 wordlist which is safe and widespread enough.


Yes I did check out this in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 that they don't backup the seed words.
With that in mind, what are the significant differences between your tool and Ian Coleman's Shamir39 tool which does the same thing - splitting a seed phrase in to split phrases? You can find his implementation here: https://iancoleman.io/shamir39/

My biggest issue with using something like this is that there is no standard implementation, so in addition to backing up each share you also need to back up the software itself, which is an additional risk.
full member
Activity: 193
Merit: 124
Just digging around
April 14, 2021, 02:35:01 AM
#20
Mainly this is why it's on GitHub and fully open source. Anyone can create it's own or upload somewhere and/or store locally. Running on the latest .NET Core with no 3rd party dependency, so I am fairly certain it will run on windows for many years without an issue.

Also the main math is simple(-ish). So even if the GUI/framework changes it's easy to just copy paste the main functions to a new framework/GUI (this won't be needed for 5-10+ years I believe).

Alternatives would be great indeed. I will make a stand-alone webpage version soon (if someone else won't before). Will also be open source, so that will make the client count to two.

I believe the logic in the code what's the most important. I mean how the binary share is built from the seed. That's all there, no dependencies, just the code.



@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits or we are fully dependent only on your software.
This looks to me like one more single point of failure.

legendary
Activity: 4466
Merit: 3391
April 13, 2021, 03:51:51 PM
#19
Yes I did check out this in advance and tried to use/build a compatible solution. ...

Yes, you are right. Sorry for the poor advice. I forgot that SLIP-39 is incompatible with BIP-39. On the other hand, the designers argue that the incompatibility is not a major issue, but I don't completely agree with them.

Quote
Converting existing SLIP-0039 shares to a BIP-0039 mnemonic

This is not possible due to the overly coupled design of BIP-0039 and its use of a one-way derivation function. BIP-0039 works by first generating a high-entropy secret, then converting it to a mnemonic and finally using the mnemonic itself as input to PBKDF2 to derive the seed. This means that for any new scheme to be compatible with BIP-0039, it would have to be built on top of BIP-0039 with all of its now obsolete aspects. That includes the conversion of the high-entropy secret to the mnemonic using the old wordlist, which would have to be included in the implementation, unreasonably bloating its size. SLIP-0039 instead introduces a new decoupled design which is more feature-rich and allows maximum flexibility for future upgrades.

Some individuals have expressed a concern that the inability to convert SLIP-0039 shares to BIP-0039 may lead to vendor lock-in due to slow adoption of SLIP-0039 by hardware wallet vendors. This concern is unwarranted, since even if the conversion to BIP-0039 were possible and a user needed to recover their seed onto a device which does not support SLIP-0039, then they would need to use some conversion tool running on their computer. In that case they might as well simply recover their SLIP-0039 shares in a software wallet running on their computer and send all of their funds to a new seed on their new device. Thus the ability to convert shares to a BIP-0039 mnemonic makes no difference in this respect.

Perhaps, with some effort you could come up with a SSS protocol that is compatible with BIP-39 and propose it as a new BIP.
legendary
Activity: 2212
Merit: 7064
April 12, 2021, 08:47:53 AM
#18
@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits or we are fully dependent only on your software.
This looks to me like one more single point of failure.
legendary
Activity: 2268
Merit: 18748
April 12, 2021, 03:20:24 AM
#17
Yes I did check out this in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 that they don't backup the seed words.
With that in mind, what are the significant differences between your tool and Ian Coleman's Shamir39 tool which does the same thing - splitting a seed phrase in to split phrases? You can find his implementation here: https://iancoleman.io/shamir39/

My biggest issue with using something like this is that there is no standard implementation, so in addition to backing up each share you also need to back up the software itself, which is an additional risk.
full member
Activity: 193
Merit: 124
Just digging around
April 12, 2021, 12:37:58 AM
#16
Yes I did check out this in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 that they don't backup the seed words.

What they backup is the derived master key from which there is no way to go back to the seed words. Because of this it is very hard/impossible to just feed the restored result to any/all wallets.

Also the derived master key has no CRC or else, so you don't know if you have the correct one or not (as far as I know).

I needed a BIP39Seed/Mnemonic splitter for fault-tolerant Geo-distributed seed storage.
Here is a small tool. Simple, but does the work.
https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

Rather than rolling your own, I recommend that you implement Trezor's Shamir Backup (https://trezor.io/shamir/). It is similar to what you are doing. The advantage is that you would be compatible with Trezor and you get to take advantage of all of their work.

Here are the details:

https://github.com/satoshilabs/slips/blob/master/slip-0039.md


legendary
Activity: 4466
Merit: 3391
April 11, 2021, 10:38:32 PM
#15
I needed a BIP39Seed/Mnemonic splitter for fault-tolerant Geo-distributed seed storage.
Here is a small tool. Simple, but does the work.
https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

Rather than rolling your own, I recommend that you implement Trezor's Shamir Backup (https://trezor.io/shamir/). It is similar to what you are doing. The advantage is that you would be compatible with Trezor and you get to take advantage of all of their work.

Here are the details:

https://github.com/satoshilabs/slips/blob/master/slip-0039.md

legendary
Activity: 2268
Merit: 18748
April 11, 2021, 02:28:40 PM
#14
Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them.
The difference is by using Shamir's Secret Sharing, as opposed to just writing different combinations of you words on different pieces of paper, the thief has to find many more of your shares.

Let's say, for example, you want to use a 2-of-3 set up. You write 8 of your 12 words on each of the 3 pieces of paper. One piece of paper is enough for the attacker to brute force your seed phrase. With SSS, they need two.
Let's say you use a 4-of-6 set up. You write 6 of your 12 words on each of the 6 pieces of paper. If an attacker gets lucky, the correct two pieces of paper are enough for them to steal your coins. If they get an unlucky combination, then they need three. With SSS, they need four.

With each additional share they need to compromise, you make it exponentially harder for them.
full member
Activity: 193
Merit: 124
Just digging around
April 11, 2021, 08:12:34 AM
#13
Also you can modify with a simple parameter for yourself you can make it a million or billion x hashing, just a parameter in the code.

You can use a simple password and a custom hash count (you do need a password as hashing doesn't happen with empty pw). But be careful not to outsmart yourself... Wink
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 09, 2021, 02:31:10 PM
#12
This way you can still have a password which you can keep in mind (or you and one olr more of your loved ones) and that way a thief can't access your seed even if gained access to enough shares. And it's possible to remember a good enough password because I hash 100K times, so brute forcing is VERY slow.
I didn't know about that. This can actually be very interesting...
full member
Activity: 193
Merit: 124
Just digging around
April 09, 2021, 02:07:20 PM
#11
Yes, but you have to have a backup. Even multisig is fallible if the thief finds all the signers. So theoretically nothing is 100%.

In the case of current BIP39SeedSplitter this is exactly why I added the optional password. This way you can still have a password which you can keep in mind (or you and one olr more of your loved ones) and that way a thief can't access your seed even if gained access to enough shares. And it's possible to remember a good enough password because I hash 100K times, so brute forcing is VERY slow. So in this case you have high fault tolerance because of the shares and perfect(ish) security because of the password. I also think that using shares also gives you some stenography like protection. I mean even if someone realizes that these words are seeds than what? I mean it is not a seed as nothing accepts it.

Indeed being careful not loosing access comes first. But safety comes second Wink


I do not know if this question is ironically asked, but for it not to confuse newbies, I will add few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.
I'm saying that it doesn't have any huge difference with the way I described (that is horrible, I know). Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them. Sure, if you hide twelve words separately you can brute force if you only miss two. You could hide two pieces of paper with 6 words each. I don't know, but I wouldn't ever do that if I was afraid of being stolen. It could help me if I was on a group in which the majority of the members decided the funds' transactions, but there's already a way to do that. The one you mentioned, multisig.

@Gabrics, I'm not "badmouthing" your software, don't get me wrong. I checked your C# code, and it looks great. It does its job properly. I just want to understand why you should hide your coins with that dangerously fallible way. To me, it seems that the entire procedure is being more complicated than it should. I personally believe that it's more important to be able to spend your funds, than to get stolen.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 09, 2021, 07:04:08 AM
#10
I do not know if this question is ironically asked, but for it not to confuse newbies, I will add few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.
I'm saying that it doesn't have any huge difference with the way I described (that is horrible, I know). Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them. Sure, if you hide twelve words separately you can brute force if you only miss two. You could hide two pieces of paper with 6 words each. I don't know, but I wouldn't ever do that if I was afraid of being stolen. It could help me if I was on a group in which the majority of the members decided the funds' transactions, but there's already a way to do that. The one you mentioned, multisig.

@Gabrics, I'm not "badmouthing" your software, don't get me wrong. I checked your C# code, and it looks great. It does its job properly. I just want to understand why you should hide your coins with that dangerously fallible way. To me, it seems that the entire procedure is being more complicated than it should. I personally believe that it's more important to be able to spend your funds, than to get stolen.
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
April 09, 2021, 06:44:03 AM
#9
Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-words mnemonic with two words missing. (e.g 1 piece of paper out of 6)
I do not know if this question is ironically asked, but for it not to confuse newbies, I will add few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.

Multisig is much better option like I wrote in comparison topic Multisig VS Shamir Secret Sharing.
I too will prefer multisig instead, but sharmir secret is standard also if you understand the basis, it is created in a way the shares can reconstruct back the seed phrase. But I get the point, that leaving seed phrase not going encrypted by having multiple private keys, but Shamir seed phrase encryption do work perfectly with SSS. I too will prefer multisig as it fulfills the purpose and not going beyond bitcoin wallet usage, also that multisig wallet is transparent unlike SSS.

But never mind me saying this thread is not about multisig wallets. Although it is a good alternative.
legendary
Activity: 2212
Merit: 7064
April 09, 2021, 06:09:50 AM
#8
I would be careful using any shamir secret sharing because it has single point of failure and I don't think geo-distributed seed storage is much useful in this case.

Multisig is much better option like I wrote in comparison topic Multisig VS Shamir Secret Sharing.
full member
Activity: 193
Merit: 124
Just digging around
April 09, 2021, 05:32:28 AM
#7
You need to share it in different places to avoid loosing it. To fire, theft. But if you store the seed phrase in any ONE place you are also subject of theft. I mean stealing your bitcoins by using the seed.

If you split your seed you can store it in several places without the theft risk.
You also gain fault tolerance. Like if you use 3 of 5 you can have two of the Shares lost yet you can still reconstruct you seed.

The shares itself are just medium sensitive as they are worthless one-by-one, without a quorum present.

Simply splitting the original 12 seed words to pieces makes you loose the whole seed if one of them is lost Also makes it possible/easier to break (theoretically/future). Especially if you are starting to use redundancy, eg. splittin the 12 words to 3x6 not 3x4. But even in this case you are not really NofM redundant because your splits are not equal (so it matters which one you lost).

Shares produced don't weaken the original difficulty and also add fault tolerance. A lot of fault tolerance actually. So if you have 3 safe places it is still better IMHO to store 2 of 3 Shares than 3x4 words (or any mix of them). For me storing the whole/large chucnk of the seed anywhere is way too risky.

Share calculation details is in the source, but I will add a brief to the original post.



Hmm, I'm reading how it works. Would it be dumb to ask how can this help? Why would one want to split his seed phrase on different places? Also, how can you do that technically? I mean, how are the output shares calculated?

Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-words mnemonic with two words missing. (e.g 1 piece of paper out of 6)

Feedback:

full member
Activity: 193
Merit: 124
Just digging around
April 09, 2021, 05:25:57 AM
#6
Indeed it is using Shamir sharing.
https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

With a few I think nice additiion from Slip39.

Like adding the minimum share bits at the beginning and splitid (first word) to identify you have the right word. In addition checking for valid BIP39 input and output.


legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 09, 2021, 05:11:36 AM
#5
Hmm, I'm reading how it works. Would it be dumb to ask how can this help? Why would one want to split his seed phrase on different places? Also, how can you do that technically? I mean, how are the output shares calculated?

Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-words mnemonic with two words missing. (e.g 1 piece of paper out of 6)

Feedback:
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
April 09, 2021, 05:10:12 AM
#4
Thanks for sharing. Do you mind sharing how it works? Is it similar with how RAID 5 works?
This is just like Shamir's secret sharing. Just like M-of-N in which M shares out of the N secrets can be used to recovered back the whole seed phrase. But Shamir's secret sharing will convert the seed phrase to alphabets and numbers, but this one on the OP board will convert the seed phrase to words instead of characters.

I have used Shamir's secret sharing before, but never used this one before, I got the idea from the link posted by the OP

Quote
Usage example: You have a 12 words seed which you want to store safely in 5 places with fault tolerancy. 3 of the 5 shares will be enough to rebuild the original seed. (plust the optional password)

Orignal Mnemonic: venture whale soap pave enjoy bid skull journey exotic soon phone proof

Output Shares:

stage middle dune innocent acid chimney clog focus metal nut flat tissue era female advice senior
stage era draw run glue brass cruel token produce sort wide tragic real tray wagon exit
stage slush economy focus oak vote box cruel license belt slow shoot sock session elder panda
stage clump donor major grape glad network quote sort above mad rule left verify such gate
stage proof earth genre music middle river guess topic swim rebel outer adult spend harvest rapid
legendary
Activity: 3038
Merit: 4418
Crypto Swap Exchange
April 09, 2021, 04:54:39 AM
#3
Thanks for sharing. Do you mind sharing how it works? Is it similar with how RAID 5 works?
It's shamir secret sharing. Iancoleman's BIP39 uses this to split it up as a form of multi factor recovery.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
April 09, 2021, 04:48:19 AM
#2
Thanks for sharing. Do you mind sharing how it works? Is it similar with how RAID 5 works?
full member
Activity: 193
Merit: 124
Just digging around
April 09, 2021, 04:25:40 AM
#1
Hi,

I needed a BIP39Seed/Mnemonic splitter for fault-tolerant Geo-distributed seed storage.

Here is a small tool. Simple, but does the work.

Cheers,


https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

At the moment windows only, but .NET5 should make it easy to compile a version for Linux.


Jump to: