
Topic: New backup of 20 words from Trezor. (Read 122 times)

legendary
Activity: 2212
Merit: 7064
October 30, 2024, 04:43:42 PM
#10
Where did you read what I wrote about hacking SLIP39?
I never used the word hacking.
I said that if you think that you or some other attacker can gain access like in your example, then show this real life example to Trezor devs.
They are going to reply to you much better than most users in the forum.

I'm not criticizing the SLIP39 standard, I created a post for people who buy a Trezor wallet and will be faced with choosing a backup type when setting it up.
To me it sounded like you said that SLIP39 is weaker than BIP39 and can be exploited according to you.
I wrote before about changes with new Trezor HW devices, and there is always the option to choose old BIP39.
It should be said that Trezor paper backups in new devices are all SLIP39, but it's not hard to use regular paper instead.
hero member
Activity: 714
Merit: 1298
October 30, 2024, 04:56:37 AM
#9
Quote from: nc50lc
If you can, use multiple.
At least compared to a single backup, your bitcoins can still be safe in case one of the backups is compromised.

I meant that a single-share backup of 20 words has no advantage over a backup of 12 words.



True; besides this, SLIP39 is not a standard (yet) for SSSS (though they are trying to make it a standard) and is not supported by most HW from other developers. Thus, should I have the option between BIP39 and SLIP39 SEED phrases, I would choose the latter. (BTW, Foundation, the manufacturer of Passport devices, argues that the BIP39 12-word SEED phrase has to be the standard for all HW.)
full member
Activity: 343
Merit: 167
October 30, 2024, 02:52:13 AM
#8
If you think that you can crack SLIP39 because of the ''flaws'' then contact Trezor devs and get a bounty from them.
Good luck ;)

Where did you read what I wrote about hacking SLIP39?
I just wrote that having access to one of the parts of the backup you can get information about share groups and the group threshold. If you do not understand this point, then create a multi-share backup using the converter, publish one part of it here, and I will provide you with information about share groups and the group threshold.

I'm not criticizing the SLIP39 standard, I created a post for people who buy a Trezor wallet and will be faced with choosing a backup type when setting it up.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
October 29, 2024, 11:25:16 PM
#7
If the attacker is tech savvy, he can decode the SLIP39 mnemonic to bits to see how many required mnemonics and how many backups you have.
That information is certain unlike judging just from the word which is a representation of a 10-bit segment.
The attacker does not need to decrypt everything down to the bits, since the 3rd and 4th word contain information about share groups and the group threshold, source.
-snip-
Also, an attacker does not have to contact the converter every time, but rather create several tables of correspondence between 3 and 4 words to possible backup options.
The bit-representation of a "share mnemonic" isn't encrypted, the bits are encoded to words which is fairly easy to decode with a cheat table.
(but you probably just misused the term)

As you know, the "Group Count" (g) is the last 2 bits of the 3rd word and the first 2 bits of the fourth word,
so I replied about decoding the mnemonic to actually see the 4-bit 'g' value for better accuracy.
Pretty much what you've described in the last sentence if you meant "3rd and 4th words". (a better option than checking the fourth word)

In addition, as I wrote above, the fourth word can only have 4 options, so it can hardly be called a full-fledged 10-bit segment, information about the fourth word could easily be encoded using 2 bits (00, 01, 10, 11), but Trezor, for some reason, decided to do otherwise.
They have to follow the standard, otherwise, they'll have a proprietary implementation and their backup would be incompatible with other wallets that use SLIP39.
legendary
Activity: 2212
Merit: 7064
October 29, 2024, 03:44:11 PM
#6
In case of creating multi-share backup you need to understand what information an attacker will have when accessing one part of the backup.  
There are no other special advantages of a 20-word backup over a 12-word backup, in both cases random entropy of 128 bits is used.
SLIP39 is generally much better and it is supported by other HW devices like Keystone, and software wallets like Electrum or Sparrow.
Trezor developers wouldn't switch to SLIP39 if they didn't think it was not better than BIP39, and they invented both of them btw.
If you think that you can crack SLIP39 because of the ''flaws'' then contact Trezor devs and get a bounty from them.
Good luck ;)

I wouldn't say that SLIP39 is safer than multisig setup since it has a single point of failure, but it is good enough for most people.
A few years ago I compared Multisig Setup with Secret Shamir Sharing aka SLIP39:
https://bitcointalksearch.org/topic/multisig-vs-shamir-secret-sharing-5328606

Fast forward and I wouldn't recommend multisig setup to most people for different reasons, it adds a lot of complexity and additional fees from transactions.
full member
Activity: 343
Merit: 167
October 29, 2024, 02:55:26 AM
#5
If the attacker is tech savvy, he can decode the SLIP39 mnemonic to bits to see how many required mnemonics and how many backups you have.
That information is certain unlike judging just from the word which is a representation of a 10-bit segment.
The attacker does not need to decrypt everything down to the bits, since the 3rd and 4th word contain information about share groups and the group threshold, source. In addition, as I wrote above, the fourth word can only have 4 options, so it can hardly be called a full-fledged 10-bit segment, information about the fourth word could easily be encoded using 2 bits (00, 01, 10, 11), but Trezor, for some reason, decided to do otherwise.
Also, an attacker does not have to contact the converter every time, but rather create several tables of correspondence between 3 and 4 words to possible backup options.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
October 28, 2024, 11:10:44 PM
#4
Quote from: nc50lc
If you can, use multiple.
At least compared to a single backup, your bitcoins can still be safe in case one of the backups is compromised.
I meant that a single-share backup of 20 words has no advantage over a backup of 12 words.
Okay, in that case, its minor advantage is its higher checksum bytes of 30 bits compared to BIP39's entropy ÷ 32 bits (12 words: 4 bits or 24 words: 8 bits).
Yes, very minor since single backup isn't really the main reason for using SLIP39 anyways.

As for compatibility in case it has to be imported elsewhere, that was only an issue during its early adaptation,
but now, it's fairly easy to find a tool or wallet that can restore SLIP39 mnemonics (not that it's recommended to do).

BTW,
Our fourth word is: leader, which means the total number of secrets can be 3.
If the attacker is tech savvy, he can decode the SLIP39 mnemonic to bits to see how many required mnemonics and how many backups you have.
That information is certain unlike judging just from the word which is a representation of a 10-bit segment.
full member
Activity: 343
Merit: 167
October 28, 2024, 07:29:27 AM
#3
Quote from: nc50lc
If you can, use multiple.
At least compared to a single backup, your bitcoins can still be safe in case one of the backups is compromised.

I meant that a single-share backup of 20 words has no advantage over a backup of 12 words.
legendary
Activity: 2618
Merit: 6452
Self-proclaimed Genius
October 28, 2024, 06:05:19 AM
#2
Thus, an attacker, having access to one part of your backup, will be able to assess his prospects. In this case, he will need to gain access to only one more part of the backup.
Getting that info isn't too helpful to an attacker in most scenarios if you stored your backup in separate locations.
Even though the attacker knows how many more backups are there, it's useless without a clue to where to find it.

You may be thinking of a "$5 wrench attack" where the attacker could torture the owner to tell the whereabouts of the other parts.

Quote from: tenant48
So should you switch to the new 20-word backup or continue to use the familiar 12 or 24 words?
If you can, use multiple.
At least compared to a single backup, your bitcoins can still be safe in case one of the backups is compromised.
full member
Activity: 343
Merit: 167
October 28, 2024, 05:08:10 AM
#1
In their new wallets such as Trezor Safe 3 or Trezor Safe 5, the company suggests switching to the new 20-word SLIP39 backup. Whether to create a backup in the new format or to create it in the more familiar format of 12 or 24 words of BIP39 standard we will consider below.
By default, the user is offered to create a single-share backup of 20 words (with the option to upgrade to multi-share backup) or go straight to creating a multi-share backup.
The advantage of multi-share backup is that you split your secret phrase into several parts and set a threshold (minimum number of parts) to restore access to your funds and if an attacker gains access to one part, he will not be able to access your funds.

Still, if an attacker gains access to one part of the secret, he will be able to obtain information about the total number of parts into which your backup is divided and the minimum threshold.
This information is contained in the 3rd and 4th words of any of the parts.
For example, if you create a regular single-share backup, then the 3rd and 4th words will always be: academic academic.
In multi-share backup, the 4th word is responsible for the total number of parts:
For 2 parts: easy
For 3 parts: leader
For 4 parts: romp
For 5 parts: academic
For 6 parts: easy
For 7 parts: leader
For 8 parts: romp
And so on.
There are a total of 4 possible options for the fourth word. The number of minimum parts (threshold) required to restore access to funds can be determined by the third word using a converter.

Example: Let's say we have one part of the secret:

eraser senior beard leader blanket verify declare exercise rumor year submit custody spine expand document always round photo prevent sugar

Our fourth word is: leader, which means the total number of secrets can be 3. Now we launch the converter and generate phrases (click on the 128bits button), set 3 in Total shares, and select the minimum number of parts in Threshold. In our example, with Threshold equal to 2, we find in the second phrase the word: beard which is the 3rd word of our secret. If the searched word is not found, then set the Total Shares parameter to 7, since the 4th word: leader can also refer to a secret divided into 7 parts. And again we select the Threshold parameter in the search for a match of the third word. But, I don’t think in practice anyone will split their backup into more than 5 parts.

Thus, an attacker, having access to one part of your backup, will be able to assess his prospects. In this case, he will need to gain access to only one more part of the backup.

So should you switch to the new 20-word backup or continue to use the familiar 12 or 24 words?
In my opinion, switching to a single-share backup of 20 words makes sense only if in the future you decide to switch to multi-share backup, which will not be difficult to do with the help of Trezor Suite.
In case of creating multi-share backup you need to understand what information an attacker will have when accessing one part of the backup. 
There are no other special advantages of a 20-word backup over a 12-word backup, in both cases random entropy of 128 bits is used.
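
Added example, not part of any post in this thread and not Trezor's code: a decoder for the metadata that the 3rd and 4th words of a single share disclose, so a user can see what a found share reveals before choosing a backup layout. It assumes the SLIP-0039 header layout (five 4-bit fields after the first two words, counts and thresholds stored minus one), takes 10-bit word indices rather than words, and uses hypothetical function names; the sample indices are constructed from the thread's example values under the assumption that each part is its own group with one member.

```python
"""Decode the metadata carried by the 3rd and 4th words of a SLIP39 share.

Inputs are 10-bit word indices, not words: the 1024-word SLIP39 list is not
reproduced here. Function names are hypothetical.
"""

# Header fields that follow the first two words (identifier, extendable flag,
# iteration exponent), in order, each 4 bits wide per SLIP-0039.
FIELDS = ("group_index", "group_threshold", "group_count",
          "member_index", "member_threshold")
# Thresholds and counts are stored as (value - 1).
STORED_MINUS_ONE = {"group_threshold", "group_count", "member_threshold"}


def decode_words_3_4(word3: int, word4: int) -> dict:
    """Return the five header fields packed into words 3 and 4."""
    for index in (word3, word4):
        if not 0 <= index < 1024:
            raise ValueError("a SLIP39 word index must fit in 10 bits")
    bits = (word3 << 10) | word4          # 20 bits = five 4-bit fields
    header = {}
    for position, name in enumerate(FIELDS):
        value = (bits >> (16 - 4 * position)) & 0xF
        header[name] = value + 1 if name in STORED_MINUS_ONE else value
    return header


def counts_consistent_with_word4(word4: int) -> list:
    """Group counts that the 4th word alone cannot tell apart.

    Word 4 holds only the low 2 bits of the stored count, so it repeats
    every 4 shares (the 3-or-7 ambiguity described in the first post).
    """
    low_bits = word4 >> 8
    return [count for count in range(1, 17) if (count - 1) & 0b11 == low_bits]


# Constructed sample: indices built from the thread's example values
# (3 parts, threshold 2, second phrase), one member per group (assumption).
SAMPLE_WORD3 = (1 << 6) | ((2 - 1) << 2) | ((3 - 1) >> 2)
SAMPLE_WORD4 = ((3 - 1) & 0b11) << 8

if __name__ == "__main__":
    print(decode_words_3_4(SAMPLE_WORD3, SAMPLE_WORD4))
    print(counts_consistent_with_word4(SAMPLE_WORD4))
    print(decode_words_3_4(0, 0))  # "academic academic": single-share backup
```

Decoding both words together gives the exact count and threshold, while the 4th word alone leaves several candidate totals, which is the distinction drawn in posts #4 and #7.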