Thank you all for your feedback.
Addressing some of what was mentioned here:
Starting with I can't find your source code and the site will not work if it's not connected to the internet so it's dangerous and insecure and until those are fixed nobody should use it.
-Dave
BSPO is designed to be usable offline, just print the encryption/decryption tables. That being said, you're right that the source code should be made open source, especially if people are to use the encryption table through the site. After cleaning up the code a bit, I'm happy to release it.
2. I checked the PDF of the encryption/decryption table, but I find the font is very small if people print it on legal/A4 paper size.
3. Take note that while Electrum supports BIP 39, it generates 12 words using its own seed format. It'd be appreciated if you let visitors of your website know about that, since you mention Electrum as an example of software.
2. - I'm aware the BSPO Full tables are very difficult to read in PDF (BSPO Lite font size seems sufficiently large - please let me know if you disagree with this opinion). If user demand requires, I'll reformat the table layout to landscape mode and increase font size.
3. - Thanks for this note, I wasn't aware of this.
I don't think this adds anything over a seed phrase/passphrase combo or a multi-sig wallet, while also losing the plausible deniability which comes with both of those.
With your system, you need 4 back ups in separate places - two of your encrypted seed phrase, and two of your decryption table. Compromise of one back up is insufficient to steal your funds, but compromise of one of each back up will lead to your funds being stolen. This is identical to a seed phrase/passphrase combo (which should have two back ups of the seed phrase and two back ups of the passphrase), or a 2-of-2 multi-sig wallet (which should have two back ups of each cosigner).
I appreciate the comparison against existing seed storage methods. However, I disagree with this analysis. Consider the seed/passphrase combo with two seed phrase backups and two passphrase backups. Let's call the seed phrases S1 and S2, and call the passphrases P1 and P2. Assuming you mean that the "backups" are replicas of each other, if an attacker found S1, in order to compromise the underlying funds, they would also need to find either P1 OR P2. The same could be said regarding the discovery of S2.
Alternatively in BSPO, let's refer to the encrypted seed phrases as E1 and E2 and call their corresponding decryption table D1 and D2. If an attacker finds E1, they MUST find D1 in order to compromise the funds (D2 provides no information).
The 2-of-2 multi-sig wallet is also a different arrangement, one that is essentially equivalent to applying a single round of BSPO (which, as the simplified statistical analysis provided in the whitepaper shows, is a poor way to secure a seed phrase).
With a seed phrase/passphrase combo, if an attacker finds a copy of your seed phrase, they can access a base wallet which you can set up as a decoy, hiding the fact that you have a passphrased wallet at all. If they find a copy of your passphrase, you can easily deny it has anything to do with bitcoin at all (bonus points if you use that passphrase as a decryption key for some encrypted volume full of plausibly "sensitive" material). Similarly, if they find a copy of one seed phrase from a 2-of-2 multi-sig wallet, they can recover a standard single sig wallet with that seed phrase, which again, you can have set up as a decoy, hiding the fact you have a multi-sig wallet at all.
I note the point you make in your whitepaper about passphrases potentially being insecure if the user chooses an insecure one, but this is easily mitigated by simply not doing that.
I think you're right that users can cleverly come up with ways to make effective decoy wallets, especially if they choose cryptographically secure passphrases. The problem is counting on users to choose secure phrases and come up with clever ways to secure their own funds. This problem is not as trivial as it might sound; choosing a cryptographically secure passphrase typically means that passphrase is not easily remembered and should be written down. Once the passphrase is written down, you're effectively creating a similar setup to what's mentioned above (2-of-2 multi-sig equivalent, or if replicated, the S1, S2, P1, P2 scenario). What BSPO offers in comparison is the ability to derive multiple unique pairs of information where a full unique pair must be obtained to compromise the underlying asset (as opposed to being able to access funds from any two pieces of information of differing types). It's a subtle difference, but one that makes some difference in security.
BSPO attempts to make the process of securing seed phrases relatively simple/fool-proof, but admittedly likely falls short in some ways - which is why this feedback is highly appreciated. Once again, thank you!
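To make the S1/S2/P1/P2 versus E1/E2/D1/D2 comparison in the post concrete, here is an added Python model (not BSPO's code and not from any poster) that enumerates which combinations of discovered backups are sufficient under each layout. It assumes, as the post does, that the two copies of each item are exact replicas and that a decryption table reveals nothing about the other pair's encrypted phrase.

```python
from itertools import combinations

# Constructed model of the two backup layouts discussed above.
# Each scheme lists its four backup items and the minimal groups of
# items that, held together, let an attacker spend the funds.
SEED_PASSPHRASE = {
    "backups": ("S1", "S2", "P1", "P2"),
    # any seed copy combined with any passphrase copy is sufficient
    "compromising_sets": [frozenset({s, p})
                          for s in ("S1", "S2") for p in ("P1", "P2")],
}
BSPO = {
    "backups": ("E1", "E2", "D1", "D2"),
    # only a matched pair (encrypted phrase + its own table) is sufficient;
    # D2 is assumed to give no information about E1, and vice versa
    "compromising_sets": [frozenset({"E1", "D1"}), frozenset({"E2", "D2"})],
}


def is_compromised(found, scheme):
    """True if the items an attacker holds contain some sufficient group."""
    found = frozenset(found)
    return any(group <= found for group in scheme["compromising_sets"])


def completing_backups(found, scheme):
    """Single additional items that would turn `found` into a compromise."""
    found = frozenset(found)
    return {b for b in scheme["backups"]
            if b not in found and is_compromised(found | {b}, scheme)}


def compromise_count(scheme, k):
    """(sufficient k-subsets, total k-subsets) of the scheme's backups."""
    subsets = list(combinations(scheme["backups"], k))
    bad = sum(is_compromised(s, scheme) for s in subsets)
    return bad, len(subsets)


if __name__ == "__main__":
    for name, scheme in (("seed+passphrase", SEED_PASSPHRASE), ("BSPO", BSPO)):
        first = scheme["backups"][0]
        print(name, "after finding", first, "needs one of:",
              sorted(completing_backups([first], scheme)))
        for k in (1, 2, 3):
            print("  %d items found -> %d of %d combinations compromise funds"
                  % ((k,) + compromise_count(scheme, k)))
```

With two of the four items found, 4 of the 6 possible pairs compromise the seed/passphrase layout but only 2 of 6 compromise the BSPO layout; with three items found, both layouts are fully compromised.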