Topic: BitcoinSeedSplitter (Read 428 times)

@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits or we are fully dependent only on your software.
This looks to me like one more single point of failure.

His Slip39 mnemonic shares tool is only at experimental prototype stages and I don't see any new commits posted since December 2019, and his latest github commits are unrelated with this.
He is still posting commits for his Bip39 tool and latest one was at the end of February, so I would not call it abandoned project.

Abandoned project since 2017 (Ian moved to Slip39 which is not a seed backup option)

You misunderstand me. Ian Coleman's SLIP39 tool (https://iancoleman.io/slip39/) does indeed split a master private key (or other master secret) in to split phrases, but his Shamir39 tool (https://iancoleman.io/shamir39/) is different and does what your does, allowing you to split a seed phrase rather than a master key.

His specification is here: https://github.com/iancoleman/shamir39/blob/master/specification.md. There is obvious no cross-compatibility between your two tools since you both use different encoding schemes for things like the threshold number of shares and order/ID of each share, but I'm wondering you both generate actual share data in the same way?

The big difference that one can backup your seed (this version) SLIP39 can't. That's why I had to write this. I would have been much happier just using something out of the box myself.

With that in mind, what are the significant differences between your tool and Ian Coleman's Shamir39 tool which does the same thing - splitting a seed phrase in to split phrases? You can find his implementation here: https://iancoleman.io/shamir39/

My biggest issue with using something like this is that there is no standard implementation, so in addition to backing up each share you also need to back up the software itself, which is an additional risk.

@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits or we are fully dependent only on your software.
This looks to me like one more single point of failure.

Yes I did check out this in advance and tried to use/build a compatible solution. ...

Converting existing SLIP-0039 shares to a BIP-0039 mnemonic

This is not possible due to the overly coupled design of BIP-0039 and its use of a one-way derivation function. BIP-0039 works by first generating a high-entropy secret, then converting it to a mnemonic and finally using the mnemonic itself as input to PBKDF2 to derive the seed. This means that for any new scheme to be compatible with BIP-0039, it would have to be built on top of BIP-0039 with all of its now obsolete aspects. That includes the conversion of the high-entropy secret to the mnemonic using the old wordlist, which would have to be included in the implementation, unreasonably bloating its size. SLIP-0039 instead introduces a new decoupled design which is more feature-rich and allows maximum flexibility for future upgrades.

Some individuals have expressed a concern that the inability to convert SLIP-0039 shares to BIP-0039 may lead to vendor lock-in due to slow adoption of SLIP-0039 by hardware wallet vendors. This concern is unwarranted, since even if the conversion to BIP-0039 were possible and a user needed to recover their seed onto a device which does not support SLIP-0039, then they would need to use some conversion tool running on their computer. In that case they might as well simply recover their SLIP-0039 shares in a software wallet running on their computer and send all of their funds to a new seed on their new device. Thus the ability to convert shares to a BIP-0039 mnemonic makes no difference in this respect.

Yes I did check out this in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 that they don't backup the seed words.

Rather than rolling your own, I recommend that you implement Trezor's Shamir Backup (https://trezor.io/shamir/). It is similar to what you are doing. The advantage is that you would be compatible with Trezor and you get to take advantage of all of their work.

Here are the details:

https://github.com/satoshilabs/slips/blob/master/slip-0039.md

I needed a BIP39Seed/Mnemonic splitter for fault-tolerant Geo-distributed seed storage.
Here is a small tool. Simple, but does the work.
https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them.

This way you can still have a password which you can keep in mind (or you and one olr more of your loved ones) and that way a thief can't access your seed even if gained access to enough shares. And it's possible to remember a good enough password because I hash 100K times, so brute forcing is VERY slow.

I'm saying that it doesn't have any huge difference with the way I described (that is horrible, I know). Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them. Sure, if you hide twelve words separately you can brute force if you only miss two. You could hide two pieces of paper with 6 words each. I don't know, but I wouldn't ever do that if I was afraid of being stolen. It could help me if I was on a group in which the majority of the members decided the funds' transactions, but there's already a way to do that. The one you mentioned, multisig.

@Gabrics, I'm not "badmouthing" your software, don't get me wrong. I checked your C# code, and it looks great. It does its job properly. I just want to understand why you should hide your coins with that dangerously fallible way. To me, it seems that the entire procedure is being more complicated than it should. I personally believe that it's more important to be able to spend your funds, than to get stolen.

I do not know if this question is ironically asked, but for it not to confuse newbies, I will add few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.

Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-words mnemonic with two words missing. (e.g 1 piece of paper out of 6)

Multisig is much better option like I wrote in comparison topic Multisig VS Shamir Secret Sharing.

Hmm, I'm reading how it works. Would it be dumb to ask how can this help? Why would one want to split his seed phrase on different places? Also, how can you do that technically? I mean, how are the output shares calculated?

Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-words mnemonic with two words missing. (e.g 1 piece of paper out of 6)

Feedback:

• Work on the UI. I can't run it if I don't open it with visual studio:  https://i.imgur.com/EpAYAbe.png
• Move this thread to Project Development.

Thanks for sharing. Do you mind sharing how it works? Is it similar with how RAID 5 works?

Usage example: You have a 12 words seed which you want to store safely in 5 places with fault tolerancy. 3 of the 5 shares will be enough to rebuild the original seed. (plust the optional password)

Orignal Mnemonic: venture whale soap pave enjoy bid skull journey exotic soon phone proof

Output Shares:

stage middle dune innocent acid chimney clog focus metal nut flat tissue era female advice senior
stage era draw run glue brass cruel token produce sort wide tragic real tray wagon exit
stage slush economy focus oak vote box cruel license belt slow shoot sock session elder panda
stage clump donor major grape glad network quote sort above mad rule left verify such gate
stage proof earth genre music middle river guess topic swim rebel outer adult spend harvest rapid

Thanks for sharing. Do you mind sharing how it works? Is it similar with how RAID 5 works?