I have been reading a lot about wallet security and this seems to be universally considered a bad idea (see for example this video or this answer), but I am struggling to see why it is not a good choice in some circumstances.
Let's say I have three moderately secure locations I can store information in - my own home and the homes of some close family, perhaps. I want to arrange things so access to the information at any two of those locations allows me to access my bitcoin, in case one location suffers natural disaster or theft, but I don't want anyone to be able to access my coins just by having access to one of those locations.
I create a wallet with a 24 word seed. I don't use Shamir's secret sharing algorithm, because I see this is widely advised against (see for example this article) and is a potential source of risk from cryptography I don't fully understand. Instead, I use a naive scheme I can perform entirely by hand where for each group of three words in the seed, I split them up like this:
| Location A | Location B | Location C |
|---|---|---|
| word 1 | word 1 | |
| word 2 | | word 2 |
| | word 3 | word 3 |
So each of the three locations has 2/3 of the words, i.e. 16 words. It's easy to confirm (by experiment, if necessary) that I can reconstruct the full seed from any two of the three locations.
If an attacker gets access to the words in a single location, they only need to guess eight words in order to access the funds. That's superficially 8*11=88 bits of entropy, but since the seed contains some checksum bits I will handwave this down to 80 bits in practice.
My understanding is that 80 bits is not considered incredibly secure, but it is not trivial to break either. If I consider my storage locations reasonably secure and don't expect targeted theft ("we know he has a lot of bitcoins, we are going to break in to steal the words from one location, we have a cluster of machines on standby to brute-force the missing words") but am just trying to protect myself against opportunistic theft ("we broke in to steal the household electronics and any cash lying around, but we also found these bitcoin seed words!"), is it ridiculous to consider this acceptable?
The obvious alternative would seem to be a 2-of-3 multisig scheme. If each of those wallets uses a 12 word seed, an attacker getting access to a single location has to guess 12 words or 128 bits of entropy, which is obviously stronger. On the other hand, with 2-of-3 multisig:
An attacker getting access to a single location will get a copy of the master public keys I have to store at each location and can therefore see the wallet balance and transactions, which may incentivise a targeted attack or compromise my privacy in other ways.
The need to store the master public keys in each location adds a level of complexity and risk to the backup. I am probably more likely to lose my bitcoin through a mistake than the actions of an attacker whatever scheme I choose. If the paper in any one location suffers minor damage, I might still be able to make out a seed word - it's English, after all, and I know it comes from a certain list of words - whereas the gibberish string of characters which is the master public key doesn't have this extra redundancy.
It feels like this seed-splitting scheme has its own set of tradeoffs, but it's not obvious to me that it is outright bad. What am I missing?
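The by-hand split described in the question, as an added example that is not part of the original post: it distributes each group of three words across locations A, B and C exactly as the table shows, verifies that any two locations rebuild the full seed while no single one does, and counts how many words an attacker holding one location is still missing. The seed words are constructed placeholders rather than a real phrase, and the function names (`split_seed`, `reconstruct`, `attacker_missing`, `check_all_pairs`) are this example's own. The 88-bit figure it reports is the raw count before the checksum handwave in the question.

```python
# Added example, not from the original question: the hand-performed 2-of-3
# word split, with a reconstruction check and the attacker's missing-word
# count. Seed words below are constructed placeholders, not a real phrase.

from itertools import combinations

WORDS_PER_GROUP = 3
BITS_PER_WORD = 11  # each BIP39 word selects one of 2048 list entries

# Within each group of three, which locations hold which word:
# word 1 -> A and B, word 2 -> A and C, word 3 -> B and C.
SHARE_MAP = {0: ("A", "B"), 1: ("A", "C"), 2: ("B", "C")}


def split_seed(seed_words):
    """Return {location: {word_index: word}} for locations A, B and C."""
    if len(seed_words) % WORDS_PER_GROUP:
        raise ValueError("seed length must be a multiple of 3")
    shares = {"A": {}, "B": {}, "C": {}}
    for idx, word in enumerate(seed_words):
        for loc in SHARE_MAP[idx % WORDS_PER_GROUP]:
            shares[loc][idx] = word
    return shares


def reconstruct(share_x, share_y, seed_len):
    """Merge two location shares into the full seed, or None on failure.

    Fails if the two shares leave a gap (e.g. the same share supplied twice)
    or disagree on a word they both hold (a transcription error on paper).
    """
    merged = dict(share_x)
    for idx, word in share_y.items():
        if idx in merged and merged[idx] != word:
            return None
        merged[idx] = word
    if len(merged) != seed_len:
        return None
    return [merged[i] for i in range(seed_len)]


def attacker_missing(share, seed_len):
    """(missing words, raw bits ignoring the checksum) for an attacker who
    holds only this one location's share."""
    missing = seed_len - len(share)
    return missing, missing * BITS_PER_WORD


def check_all_pairs(seed_words):
    """True if every pair of locations rebuilds the seed and no single
    location holds all of it."""
    shares = split_seed(seed_words)
    n = len(seed_words)
    for a, b in combinations(shares, 2):
        if reconstruct(shares[a], shares[b], n) != seed_words:
            return False
    return all(len(s) < n for s in shares.values())


if __name__ == "__main__":
    # Constructed placeholder words standing in for a 24-word seed.
    seed = [f"word{i:02d}" for i in range(1, 25)]
    shares = split_seed(seed)
    print({loc: len(s) for loc, s in shares.items()})  # 16 words each
    print(attacker_missing(shares["A"], len(seed)))     # (8, 88)
    print(check_all_pairs(seed))                        # True
```

The conflict check in `reconstruct` is the part worth keeping when doing this on paper: since each word is written down in two places, a disagreement between two copies is detectable before any funds are touched, which is the redundancy the question contrasts with a single copied-out master public key.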