Topic: Ian Coleman BIP39 Split-Mnemonic (Read 276 times)

There is another technique that could satisfy your requirements, i.e. preserve security strength and "human readable format": exclusive OR (XOR)/Vernam cipher (a.k.a. One Time Pad). Your secret "BIP-39 phrase" is encrypted into and two (or more) complementary ones. One could be stored in safety deposit box and the other in a separate location. Both of them would be needed to decrypt the 24 words. There is more information with examples at "github.com/GregTonoski/BIP39-XOR".

There is a SLIP39 tool here for turning a seed number in to m-of-n phrases: https://iancoleman.io/slip39/
And there is also a tool here for turning a phrase in to m-of-n phrases: https://iancoleman.io/shamir39/
However, as with the Shamir's Secret Sharing tool linked above, there are no standard implementations, and so if you cannot access Ian Coleman's site for any reason, then your shares become next to useless.

A better option might be to store your seed and passphrase entirely separately. If you were to choose a passphrase of 40 characters, randomly selected from the ASCII printable character set (95 characters), then it would be 262 bits of entropy, which is more than your seed phrase at 256 bits. As with the seed phrase, you would write this down on paper and not try to remember it. Provided you set this up in a secure fashion, if you store your seed and your passphrase separately, then any attacker finding only one can do absolutely nothing without either finding the other.

I have looked into the shamir schemes but unfortunately this is not a solution at the moment as the scheme is not compatible to split BIP39 Mnemonics into a human readable format (Writing down long strings of HEX by hand is not the best idea), It would need to be compatible with my Ledger. They are supposedly working on a SLIP39 implementation, like Trezor just released. This would be the ideal solution as it retains 128-bits of security even if 1 share is compromised.



You make a valid point and this makes sense, plus in theory the adversary would only need to produce a list of all valid combinations that pass checksum and skip checking each combination for a non-zero balance until he/she is brute-forcing the passphrase (which would be trivial at 12.9bits). Seems this method may be less secure when using a weak passphrase since the adversary would be able to bypass the key-stretching and address checking for the majority of the attack.


I already have my unencrypted 24-words in 3 completely separate locations. One of these copies is with a trusted 3rd party. Im not worried about the person who is caring for it compromising it, more from other people who may come across it (Thieves, Burglars, Snoopy Guests, Guests Children etc.) or if I was to leave a copy in a safety deposit box that it couldn't be compromised by malicious staff or security camera immediately. Id rather have some security from this then none. Adding a passphrase would only be an option if it was high entropy (over 85bits, anything under this would have less security then the missing 8 words), and then I would have the same issue of having to store the passphrase somewhere safe.


I really appreciate the responses  

This calculation is incorrect. It's not as simple as just adding 88 bits to 12 bits to reach 100 bits. The majority of seeds which could be brute-forced from knowing 16 out of 24 words won't be valid because the checksum will fail, and so there is no need for an attacker to then start brute-forcing diceware words for them - they can simply be discarded. It is more accurate to work out the length of time to brute-force 83 bits to calculate all possible seeds, and then the length of time to brute-force 12.9 bits for each seed.

Your estimation of 1 quintillion guesses per second is obviously way out of the current scope of computing power, but if you are looking decades down the line to potential inheritance, then who knows what will be possible. For illustration, reducing the entropy in the calculation from 100 bits to 83 bits, then your number of 40,000 years instead becomes around 4 months.

Shamir's Secret Sharing as mentioned by hatshepsut93 is another option, but be aware that there is no standard implementation of it. If you do use Ian Coleman's site do split your seed this way, you should be keeping a couple of copies of the code in various places in case his site and GitHub disappear from the internet in the future.

the problem with that method is that it is not an encryption technique and also you will have to have 3 completely separate, isolated and secure places to store each part at and it is not easy to have it. if you are just storing all at home, it is not safe and you can't trust any other person to store it with them either.

adding an extra string (known as passphrase in BIP39) could be a good idea to add another layer of security but i personally prefer simply encrypting the whole thing with AES using a very strong password and then storing that single result in a safe place and the password of it in another.

There are secret-splitting schemes that allow you to create shares in a way that doesn't compromise the security of your secret. Shamir's Secret Sharing is the most famous such scheme, and Ian Coleman has an online tool for it on his site - https://iancoleman.io/shamir/

So, why settle for a fraction of security if you can keep full security?

Hello BTCitcoiners, been lurking these forums for a few years. This is my first post.


 I have been looking for ways to secure my 24-word BIP39 backup. I am worried about the possibility of someone finding my seed and being able to access my funds, but also want a trusted 3rd party to be able to recover the coins with instructions incase the need arose. An interesting solution that has come up is using the Split BIP39 Mnemonic Scheme from the Ian Coleman Website secured with a BIP39 passphrase.

Basically here is how the Split BIP39 Mnemonic Scheme works:

  - Your 24 words are split into 3 Shares
  - Each Share contains 16 of 24 words,
  - The words are in order with the missing words replaced with XXXXX
  - You keep the Shares in different places
  - It takes 2 of 3 shares to recover the Mnemonic

Now my idea was to take the above scheme and also add a BIP39 passphrase in the form of a 3 word diceware Mnemonic. I would place 2 words on each Share so each share would represent 2/3 of the BIP39 Mnemonic and 2/3 the passphrase. (I would leave the seed associated with just the 24 words empty)

From my understanding, each word in the BIP39 sentence represents 11 bits of entropy (except the checksum) so the 8 missing words represent between 83-88 bits and the missing diceware word would represent 12.9bits. This would give each share approximately 100bits of entropy

Now if there was an adversary the could guess at a rate of 1 Quintillion times per second it would take ~40000 years to guess all possible permutations in the key space.


The efficiency of an adversary would also be greatly reduced by the key-stretching involved (PBKDF2 2048 iterations) and having to search the blockchain for a non-zero balance.

I would like to hear from some experts on the pros/cons of doing this, and if any of my assumptions are incorrect.

Tried to post in Technical Discussions but I am not allowed