Topic: Multisig VS Shamir Secret Sharing (Read 335 times)

Seed splitting is bad idea that is not recommended by many Bitcoin experts. If people are newbies, they need to start with simple method for back up their wallets which is more doable in wallet recovery later.

Even you are an expert, seed splitting is still a risky method.

How to back up a seed phrase
Why seed splitting is a bad idea?
Shamir's Secret Sharing shortcomings

No it is an inferior and less secure approach.  Reiterating for those who didn't read: https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

SSSS is great. Definitely better and advanced approach than multi-sig.
What needs to be more researched is how to split the shards in the first place without a central point.
There are ways to do it on-chain using a scheme similar to Diffie-hellman key exchange.

Shamir Secret Sharing was updated by Trezor and branded as SLIP39, and they now use it as standard on new Trezor devices.
If you still don't understand the difference, pros and cons between BIP39, SLIP39, Mulstisig and use of Passphrases, I suggest watching this video from Crypto Guide:
https://youtu.be/iyfxO1IPTd8

I am also sharing another open source tool that can be used for converting BIP39 to SLIP39.
This can be used for devices that don't have support for SLIP39:
https://slip39.com/
https://github.com/pjkundert/python-slip39

PS
Be careful when using multisig or splitting your seed words in non-standard way, this is something I don't recommend to newbies.

Oh, lot of Gmaxwells, I was right 

Check the revision history next to the (disabled or invisible) edit button, you can see that he wrote the whole article except for the Trezor section.

Multisig and Shamir secret sharing are better when you want to distribute your keys to multiple people and locations, and anyone finding encrypted seed or key can extort password from you or try to brute force it if you used something like password or 1234.
Using Multisig for example they would need to have access to multiple locations and people to access your funds and that is not easy to accomplish.


That is true, and even if multiple people have the shares, at some point one main person still needs to collect them all at one place again for reconstruction.


OK, fair point, but you do agree that lack of privacy is disadvantage for current Multisig setup?
Some people simply don't want to go public about it.


Did you wrote or participated in writing of that Wikipedia Snakeoil article?  

This isn't a differential disadvantage.  For any secret sharing scheme, you need data generated at share generation, and for distributed share generation (e,g key wasn't born with a single point of failure) this means data stored from other parties.  So in both cases you need to reliably store information generated at the time of wallet generation.   Bonus, for multisig the information isn't secret--- you can go ahead and post it on your tumblr or whatever, while for secret sharing that data is secret and you could only post it on your tumblr after encrypting it.

In either case, you can just store this extra data with your private keys--  which would be a total non-issue except for the prevalence of stamped metal seed storage or whatever that has no extra room to store any data like that.

In any case, I have an *extremely* negative opinion of secret sharing as a freestanding system.  The tradeoffs it provides are poor, as a result you find it mostly used/implemented by people who aren't thinking carefully, and as a result it doesn't provide its expected positive properties and often hurts security a lot.  Essentially with SSS you are using an underlying cryptographic primitive directly, and pickup the expected bad outcomes from homebrew cryptography.

 https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

I've always held the opinion that SSS is useless if only one person holds all the shares, because at some point he/she will bring all the shares together for unscrambling and there's nothing stopping an attacker from seizing them all at that moment.

but what's the point of using Shamir secret sharing instead of for example encrypting your seed? you have 2 "shares" one is the encrypted seed and the other one is the encryption key which you keep separately.
this way you are not concerend about the implementation and risks of it and you are also not concerend about the method not being safe because the encryption algorithm is strong and easier to implement (or already is implemented in all crypto libraries).

I just edited the Trezor section of the Shamir Secret Snakeoil page with a little more detail about SLIP39. Apparently it's a way to split a seed phrase into a bunch of shares, and then split each of those shares into even more sub-shares. So 2 layers of shares.

What could this possibly be used for?

With two layers you will have at least 4 different shares that must be distributed to 4 people to fully distribute it. For both layers, one of two shares is required to get either the first level or the master key itself.   In this particular split the key can be which obtained with at least 2 shares (Share 1->1 and Share 2->1 for example). And more than two shares are obviously supported in both layers (the standard allows up to 16 shares per layer) and this quickly explodes to dozens of shares, and each of those must be assigned to a different person, or else why are you using SSS in the first place?

The above was a mouthful to write, and given the standard is much more complex than this, I imagine someone's going to slip on ice while implementing this.

You clearly can not coordinate dozens of people to unlock a shared secret together. So, I am wondering whether SLIP39 has any practical use at all.

I believe that most of the cons of multisig setups will be solved after Schnorr signatures and Taproot get introduced. Schnorr signatures should improve privacy and others wont be able to see that funds were spent from a multisig address or who signed the spending transactions. The signature aggregation option will merge multiple signatures into one, which should have a positive affect on the fees. I assume the time for signing transactions will be lowered as well because there is now only one signature and not several of them, correct?

I am not sure about the 3rd con you mentioned:
If multiple signatures are merged into one and all participants have that new aggregated signature, what happens if individual private keys get lost?
A better question would be does signature aggregation take place before every transaction from a multisig setup or is that done only once?

Most people hold their private keys or backup phrase in single location, but if you have more coins or you just want to have better security or you share your wealth with other people you should consider some alternatives.
Complicating things and creating your own secret systems often resulted in people losing all their Bitcoins because one small mistake can create big problems.

Some of the options we have are Multisig and Shamir Secret Sharing and there are others but not so popular as this two I will compare here.

Shamir Secret Sharing (SSS)

Shamir Secret Sharing was created in 1979 by Israeli cryptographer Adi Shamir as a way to share a secret divided into part with each of them having unique part.
Secret can be shared with multiple people or locations with threshold for minimum number of shares needed for reconstruction, for example you can have 2-of-3 split and any combination of two splits can restore secret.
Problem with SSS is that there is single point of failure at the time when one person is holding all shares, and this is better explained in Jameson Lopp blog post


source

+Pros

- More secure and better than holding a single secret key (if done correctly).

- No need for multiple signatures from different devices for every transaction (like in multisig)

- Address balance is hidden from other participants in SSS.

- Not visible on-chain and this can be good for privacy.

- No extra fees when secret is reconstructed.

- Cons

- Single point of failure.

- Risks during generation and splitting the secret in multiple parts.

- There is no way for participants to verify security and if their part is really needed for secret reconstruction and spending of Bitcoins.

- SSS can only be used once, and after secret is reconstructed it can no longer be considered secure.

- There is no standard implementation (like for multisig)

---

Multisig

Multisig require more than one key to verify Bitcoin transaction, it exist for years and so far this is one of the best ways for increasing security of your funds and eliminating single point of failure.

If we look at Bitamps stats we can see that 20.3% of outputs are done with Multisig


source
 
+Pros

- No single point of failure.

- Participants can verify security.

- Native Bitcoin support as smart contract.

- Minimal setup risks and private keys are never revealed to other participants.

- You can use safely use Multisig multiple times.

- All participants can verify that Bitcoin is stored using multisig setup.

- Cons

- Multisig is visible onchain with all balances and that is not so great for privacy.

- There are extra fees for using Multisig and signatures for every transaction.

- You need to know public keys for other multisig participants in case they lose their private keys.

- Needs more time for signing and sending transactions.

---

I would always choose Multisig instead of Shamir Secret Sharing especially after Taproot activation, but SSS can still be used when someone is holding small personal fortune and they want to improve security and reduce risks.
SSS is better than simply holding single private keys in multiple locations or splitting your seed words in parts that I would never recommend doing.

Shamir Secret Sharing is available for hardware wallets like Trezor Model T with slip0039 or Cobo Vault, and you can read more about it in this resources:

- SSS wiki page
- A Detailed Guide to Shamir Backup
- Shamir Backup Trezor wiki
- Multisig vs SSS
- How & Why To Set Up A Shamir Backup On Trezor Model T
- How to Import or Create Shamir Backup with Cobo Vault

There is even one bitcoin wiki page calling Shamir Secret Sharing a Snakeoil