Self custody - split a 24 word seed phrase into 3 parts, as a mock multisig? \ stacker news ~bitcoin

Self custody - split a 24 word seed phrase into 3 parts, as a mock multisig?

1119 sats \ 15 comments \ @03352b4271 6 Nov 2023 bitcoin freebie

Each part would have 16 of the 24 words. With any two of them, you could rebuild the full seed. Then you'd store the 3 parts in 3 different locations.

Is there anything seriously wrong with this? It seems like a better idea - simple, easy to understand - than doing an actual 2 of 3 multi-sig.

Here's a few sources that discuss it. I'd love to hear some more opinions.

https://yewtu.be/watch?v=p5nSibpfHYE Andreas Antonopoulos is not a fan of this idea. But lots of comments say he's wrong.

https://medium.com/@HodlSafe/seed-splitting-standards-82624f2d4dc He posts a detailed critique of Andreas Antonopoulos' video above

https://bitcoin.stackexchange.com/questions/107380/why-is-it-bad-to-split-up-a-wallet-seed-redundantly Commenters seem open to the idea

https://old.reddit.com/r/BitcoinBeginners/comments/1136pt9/i_have_3_properties_what_if_i_split_my_seed/
https://old.reddit.com/r/Bitcoin/comments/kj4yvz/redundant_seed_splitting_vs_passphrase/ A few good discussions

view all related items

375 sats \ 0 replies \ @senf 6 Nov 2023

Just store the full seed, in order, and keep a separately backed up passphrase somewhere else.

23 sats \ 0 replies \ @sime 7 Nov 2023

Please please please looking into Shamir secret sharing. Rather than hacking this together partial shares, you can use specific tool for that.

21 sats \ 1 reply \ @chungkingexpress 6 Nov 2023

My understanding is that this is far less secure than an actual multisig. With just 2 or even 1 of the seed phrases "shards" the level of entropy in the seed significantly reduced.

I guess if you need the audibility and security of actual multisig then you will likely know, if not a 25th word will likely be enough.

0 sats \ 0 replies \ @03352b4271 OP 6 Nov 2023

With 2 pieces, of course, the seed phrase is completely exposed. That's the point, it's like a 2 of 3 multi-sig.

The first piece has the 1st and 2nd chunk of words. The second piece has the first and third chunk of words. The third piece has the second and third chunk of words.

Like this:

Location A  Location B  Location C
word 1      word 1      	
word 2                  word 2
            word 3      word 3

But if attackers find only 1 of the parts, you still have 80 bits of entropy. Here's a quote from one of the referenced articles:

My understanding is that 80 bits is not considered incredibly secure, but it is not trivial to break either. If I consider my storage locations reasonably secure and don't expect targetted theft ("we know he has a lot of bitcoins, we are going to break in to steal the words from one location, we have a cluster of machines on standby to brute-force the missing words") but am just trying to protect myself against opportunistic theft ("we broke in to steal the household electronics and any cash lying around, but we also found these bitcoin seed words!"), is it ridiculous to consider this acceptable?

111 sats \ 1 reply \ @Gar 6 Nov 2023

A few things to think about:

One should not have unilateral control over their main savings. There should be a social, spatial and temporal impediment to moving main funds.
Create your own 12 or 24 word seed phrase using your own physical entropy. See "retirement" attack and past RNG exploits.
Hardware wallets and word lists are conspicuous. Avoid traveling with them.
25th words are ok for security and good as accounts, but not as "Duress Passwords'. We need to stop promoting duress passwords. Attackers know of this strategy and they incentivize violent coercion.

0 sats \ 0 replies \ @BTC_DCAGUY_SIIM 8 Nov 2023

So you are saying only way is to remember the 12-24 words when traveling instead of hardware wallets?, mine looks like a usb key and is only the cash wallet not the long term savings one, would work as a decoy also, there is some pocket money there. If even police is trained to look for metal plates, what are the other options? BitBar? I don’t trust my brain enough, anyway I zapped you, all good and valid points. 🙏🏼

20 sats \ 4 replies \ @benthecarman 7 Nov 2023

DO NOT DO THIS

0 sats \ 3 replies \ @03352b4271 OP 7 Nov 2023

What are the risks?

61 sats \ 2 replies \ @benthecarman 7 Nov 2023

Your reducing the entropy needed to brute force your private key. Doing this is not a 2-of-3, it is a 1-of-3 plus some brute forcing.

You are not more clever than the cryptographers who made these tools. Seed words are designed to be used in whole, not to be split up. Doing so compromises the security

0 sats \ 1 reply \ @03352b4271 OP 7 Nov 2023

Aren't we still talking 80 bits of entropy, if an attacker found any one of the three parts?

I'm no expert, which is why I'm asking.

All the solutions I've seen have issues and trade-offs. This seems almost as good as multi-sig, and more importantly, something you can actually do without a huge amount of study and complexity.

10 sats \ 0 replies \ @benthecarman 7 Nov 2023

You will lose your bitcoin if someone finds one of the sets of words

0 sats \ 0 replies \ @ladyluck 7 Nov 2023

An effective saving approach

0 sats \ 1 reply \ @Eximpius 6 Nov 2023

you are describing a Shamir backup

10 sats \ 0 replies \ @03352b4271 OP 6 Nov 2023

Actually this is not Shamir's secret sharing.

Here's another quote from one of the referenced posts (https://bitcoin.stackexchange.com/questions/107380/why-is-it-bad-to-split-up-a-wallet-seed-redundantly):

"I create a wallet with a 24 word seed. I don't use Shamir's secret sharing algorithm, because I see this is widely advised against (see for example this article) and is a potential source of risk from cryptography I don't fully understand. Instead, I use a naive scheme I can perform entirely by hand where for each group of three words in the seed, I split them up like this:

Location A  Location B  Location C
word 1      word 1      	
word 2                  word 2
            word 3      word 3

So each of the three locations has 2/3 of the words, i.e. 16 words. It's easy to confirm (by experiment, if necessary) that I can reconstruct the full seed from any two of the three locations.

0 sats \ 0 replies \ @3026ce15ef 7 Nov 2023 freebie

XOR split BIP39 seed https://bitcoin.stackexchange.com/questions/60540/practical-way-to-split-a-bip39-seed-into-a-2-out-of-3-factor-auth