Topic: is securing recovery seed this way logical? (Read 267 times)

For making it more vulnerable to any possible hacks due to easily giving tracks to other people especially if they know you well better to use those random phrase generated since its more secure than creating your own but make sure that you stored your secret phrase on safe places where other people doesn't have any access towards it. Also think about other said here since it can make you realize that their methods mentioned is more safe rather than what you are thinking.

You are trying to invent a method which is ultimately less secure than using standard ways of storing your seed and additional passphrase.

Let's say you do it the way you explained.
You write down the seed with the words in a scrambled order on one piece of paper.
On the second paper, you write down the correct order of the words.

What did you get from that? Finding the note that shows the correct order of words is useless by itself. So far so good. But if someone found your seed, they could maybe brute-force it (even without knowing the correct order of words) to discover the correct order with the technology available today or one developed in the future. Maybe, the note with the scrambled seed is all that is needed for you to lose your coins to a well-prepared hacker.

If you used a recommended model with seed + passphrase, here is what you have.
You have your seed on one piece of paper. If someone found that, they still wouldn't have access to your wallet protected by the passphrase.
If someone finds the paper with your passphrase, they can't do anything with that alone without the seed. If you use a strong and long enough passphrase, it's impossible to brute-force it. Andreas Antonopoulos recommends using 4-6 random words as a passphrase. You can use 6, or 8, or 10... if you want.

If you compare the two models, you see that the 2nd one is better because finding either the seed or the passphrase alone gets you nowhere.
In your model, finding the seed could potentially lead to trouble. Why lower the security of your coins even by 1% if you can use standard recommendations?       

Because AES is not human readable. It's very tedious to write down a base64 text on paper and screwing up a single symbol will be catastrophic. While this method has all the conveniences of mnemonic seed format. After all, why people use these mnemonic seeds these days instead of printing out private keys like they used to? That's what OP wanted with their method, if they wanted to store their encrypted seed digitally, this would have been a different story.

But I personally prefer to store my seed unencrypted, because I think that the added complexity of managing a key and ciphertext and storing them in separate places is more likely to backfire in some way than someone getting to my unencrypted seed.

There is only a 1 in 16 chance that this would work for a 12 word seed phrase, and only a 1 in 256 chance that this would work for a 24 word seed phrase, given that the last word is the checksum. I suppose you could brute force seed phrases until you get one which fits your desired scheme, or far more simply (and far more securely) you just add an additional passphrase. Send some decoy amount of coins to the base wallet, and send you main stash to the hidden wallet protected by the additional passphrase.

Completely agree. I wouldn't trust a lot of people to add 24 sets of 2 numbers together without making a mistake. As soon as you add in the modulo operation, which the vast majority of people are completely unfamiliar with, then the chance of mistakes increases drastically. There are already a number of tried and tested methods for effectively requiring two factors to restore you wallet, namely encrypting the seed phrase, adding a passphrase, or using multi-sig. Choose one of these instead.

SLIP39 is adopted by Trezor and it isn't an experimental implementation, there is a standard for it. If done correctly, Shamir Secret Sharing gives you the benefits of having N-1 parts of your shares exposed without them of being any use for the attacker and plausible deniability as well. MultiSig can function the same, but the process is done on-chain while a passphrase doesn't give you sufficient redundancy.

That's a cool method and all that but there is a good chance to mess things up, for example if you look up wrong indexes for your words (eg. using 1 instead of 0 for first word) then the result will be wrong and you may have a very tough time recovering your coins in the future. If this is supposed to be done with code and automatically then why not use an actually safe encryption method such as AES? In the end you'll end up with 2 separate strings that have to be stored separately in 2 safe places.

I think this way, it does look like a puzzle which can make whoever find them try to solve it expecting a lot from it since it shows that you're trying to hide something, the idea that I thought of before is so simple but it might be risky, it is just to switch positions of the words, 2nd is 1st and 1st is 2nd, 4th is 3rd and so on, and I just throw like 10 or 20 bucks in there, so whoever find it would think they got it and I don't think they would try to do anything else.

The spent time of testing of different order of your seed phrase is worthy specially if it "can" be generated by some computer programs on a life-time scale of time, specially if the wallet has lots of funds on it.
I agree, and I support the fact that the higher the count of your phrases the harder it gets to decipher as it takes longer time and can't be easily brute forced by currnet existing computer.

Here's a better method.

1. Take your seed, replace the words with their positions in the word list.

2. Generate another random seeed, do the same as step 1, this will be your key.

3. Add the numbers for each word together with modular arithmetic. For example the first word in the seed is 1234 and the first word in the key is 999. The word list has 2048 words. So 1234+999 mod 2048 = 185

4. Do this for all words to get your ciphertext which will be another list of words.

5. To decrypt you need to subtract the numbers of key from the numbers of ciphertext. If you get a negative number, you need to add this number to the modulo. For example 185-999= -814 and then 2048-814=1234 the original number.

This method is a one-time pad, since the key is random and is as long as the message, the only way to crack it is to brute force it, which can't be done because it has the same security as the seed. So you can use it even with 12 word seed.

I do not know the importance of seed phrase split aside for inheritance reasons, if I do not want my heir to know the amount of bitcoin stored, I can just go for the option of shamir seed phrase split, aside this reason, I can not use it, they are even indicated as experimental prototype which is the reason it will be the last I can go for. I will prefer to use multisig in most cases or just add passphrase to my seed phrase and save it differently from my seed phrase.

I really don't like the seed splitting method. You are reducing the security to a minimum of 80 bits (depending on which card is found by an attacker), even with a 24 word seed phrase. I know we discussed in another thread recently regarding the incentive to attack seed phrases and how feasible it would be to crack 80 bits, but thinking long term this is not necessarily an unrealistic goal, particularly for a determined attacker and particularly as bitcoin's value increases.

Depending on what you are looking to achieve, I think either a passphrase with 128 bits of security or a multi-sig set up of your choice are both superior to seed splitting, particularly once Taproot removes the financial penalty of multi-sig addresses.

Has anyone heard about or tried in practice the Seed XOR method of seed phrase splitting previously? Personally, I haven't tried it yet but the reason it caught my attention is that the process of calculation can be done manually without additional online tools. You can split your real seed phrase into as many parts as you see fit, more importantly, you don't have to remember the right order to calculate it back because every order is right. These "fake" parts look like normal seed phrases and you can fund them with a small amount, which allows for plausible deniability. The only problem is that you have to keep all the parts safely because if you lose one you can't generate your original seed back. However, if you already have "working" seeds you can generate a new deterministic seed by XORing your existing phrases together.

Your method is fine. It is about what you're trying to achieve. Are you sure that you can secure both of them, the seeds and the order, such that you'll never ever lose them? Losing either of them is equivalent to losing the whole seed.

I would recommend a split seed system, not something like SSS but a simpler one. IanColeman does this in the form of a mnemonic card; https://iancoleman.io/bip39/. Where you need at least two of the cards to be able to recover the seeds. Unlike SSS, an additional card gives you an easier time to bruteforce it but it is still both time and resource intensive.

That is correct because it 1,295,295,050,649,600 times longer to guess the order of a 24-word phrase than it takes to guess the order of a 12-word phrase, and if the pooya87's estimate of a couple of seconds for a 12-word phrase is accurate, then it would take nearly a million centuries to find the order of a 24-word phrase.

Shamir's secret sharing is designed in such a way so that if you have any number less than the threshold number of shares, it is the same as having no information at all. In that example, you need three shares to recover the secret. Having two shares provides absolutely no information, and is the same as having no shares at all. Anyone trying to break that will be trying to brute force every possible 12 word seed phrase, which is obviously impossible.

However, Shamir's secret sharing is generally a poor method and is not recommended for a number of reasons: https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

Unscrambling 12 words is almost trivial while unscrambling 24 words is computationally impossible, provided no additional information, yes. But that does not mean this is a good way to back up your seed phrase or protect your wallets. If you are uncomfortable with simply backing up your seed phrase normally, then you should either use an additional passphrase or a multi-sig wallet, rather than trying to create your own method. I've lost track of the number of users who have come to the forum looking for help because they cannot recover from their own back ups after doing something non-standard like what you are proposing.

so if i mixing 24 recovery seed phrase it will ok but 12 word seed phrase is not secure for my method.

DannyHamilton had this theory :
So, you have 24 words.

That means that you have 24 possibilities for the word in position number 1.

If you try each of those words in position number 1, that leaves 23 words to try in position number 2.

Try the first word, with each of the other 23 in the second position, then try the second word with each of the other 23 in the second position, then the third word with each of the other 23 in the second position and so on.

When you've done that, you'll have tried:24 X 23 = 552 different possibilities.

Each of those 552 possibilities will have 22 remaining words that you can try in the third position.

So that's:
552 X 22 = 12144 possible combinations of 3 out of the 24 words.
(Notice that's the same as 24 X 23 X 22 = 12144)

Then for each of those 12144 possibilities will have 21 remaining words that you can try in the third position

That's:
12144 X 21 = 255024 possible combinations of 4 out of the 24 words.
(Notice that's the same as 24 X 23 X 22  X 21= 255024)

Perhaps you can see now that as we continue, by the time you try all the 24 word combinations of 24 words, the pattern will repeat all the way to:
24 X 23 X 22 X 21 X 20 X 19 X 18 X 17 X 16 X 15 X 14 X 13 X 12 X 11 X 10 X 9 X 8 X 7 X 6 X 5 X 4 X 3 X 2 X 1 = ?
In maths that pattern is called a "factorial" and is represented as:
24!

If you do that multiplication, you'll find that the total number of combinations you'll have to try will be:
620448401733239439360000

That's about 6.2 X 1023.

Lets assume that you have enough computing power to try 100 trillion combinations per second.

620448401733239439360000 combinations / 100000000000000 combinatins per second = 6204484017 seconds.

Since there are 60 seconds in a minute, that is:
6204484017 seconds / 60 seconds per minute = 103408066 minutes.

There are 60 minutes in an hour, so:
103408066 minutes / 60 minutes per hour = 1723467 hours.

There are 24 hours in a day...
1723467 hours / 24 hours per day = 71811 days.

There are about 365.25 days per year...
71811 days / 365.25 days per year = 196.6 years.

If you actually had the ability to try 100 trillion combinations per second, then it's going to take you nearly 200 years of trying non-stop 24 hours a day to try all the combinations.

If the number of attempts you can make per second is less, then obviously it's going to take you longer than that.

link: https://bitcointalksearch.org/topic/m.21044932

is this right?

If your recovery card indicates the order of words were lost, that makes you confused.

another way, you can split your seed to be 4 or over (with 3 Threshold) and you can write down 4 shares in another place also. (make sure you aren't careless)

https://github.com/satoshilabs/slips/blob/master/slip-0039.md
https://iancoleman.io/slip39/
https://wiki.trezor.io/Shamir_Backup

I don't know if someone found 2 shares can hack it, to make sure you have to try this chalenge. I tried and can't do it. there have 1 BTC on an address still there over 1 year, this means the challenge didn't been solved yet.

IMO, Adding a BIP39 passphrase is a better solution, info: https://en.bitcoin.it/wiki/Seed_phrase#Two-factor_seed_phrases
Your seed phrase on your main backup, and the passphrase on the other backup.

It is easy to find the right order of the words specially if the word count is small, for example the most used word count which is a 12 word mnemonic, the permutations to check is 12!=479,001,600 and it is trivial to check those in less than half an hour in slowest way on a CPU, while a parallel GPU rig solves this in a couple of seconds.

This is exactly why you should never "invent" your own cryptography.