Bitcoin Forum

I'm using a wallet which has 24 recovery words.  I want to make it so that my heirs can access the money while making it relatively difficult for those whom I trust with the recovery words to collaborate and steal the money for themselves.

Plan:
Divide Recovery Words into Part 1 and Part 2.  Give Half the Recover Words to Group A and Half to Group B

Group A (Recovery Words Part 1)
Bank 1 Safety Deposit Box
Close Cousin

Group B (Recovery Words Part 2)
Bank 2 Safety Deposit Box
Childhood Best Friend

The Twist:
Group A and Group B are not given the actual recovery words but actually just an encrypted phrase which when decrypted will reveal the recovery words.  Only my Will will stipulate the secret key needed to properly decrypt the encrypted Recovery Words for each half.  Only my immediate family will have a copy of my will and neither Bank nor close cousin nor childhood best friend will have a copy of the Will and thus they will be unable to collude.

I'm trying to find a simple yet robust and reproducible decryption algorithm to leave instructions to my heirs to be able to decrypt the phrases Group A and Group B will give them.  I'm thinking of AES 256 CBC .  I've found 3 websites which can decrypt the same phrase reliably, but I'm trying to find a downloadable Executable or VBA Macro which can also decrypt it and am having trouble finding something which can decrypt properly.  Any suggestions?

There is an interesting reading here almost on your subject, Using Locktime for inheritance planning, backups or gifts (https://bitcointalk.org/index.php?topic=5180850.0)
The transactions are time locked so people will have access after given time, so they will not have access on the time when your will enters into force.
I'm sure you will find some answers there.
In addition, here is already a company working on those timelocked transactions, read the Ann thread here > [ANN/PoC] Coldkey Cryptobond - FIRST Timelocked Physical Bitcoin (https://bitcointalk.org/index.php?topic=5228739.0)

You don't necessarily need to encrypt your mnemonic code this way.

A different approach would be to use a secret sharing scheme and divide the secret into 3 parts where at least 2 (or 3) are required.
Each group gets one part of the mnemonic, and the last one will be stored in your will.

This way, no information is being leaked with n-1 shares (where n is the required amount to unhide the secret).
With n = 3 (so 3 out of 3 sharing scheme), all shares are needed: Group A, Group B and the share from your will.


Not saying that you should use this approach. Just giving you some ideas and other possibilities.




Don't use websites for that.
The easiest would probably be to write 10 lines of python code to do that.

using secret sharing in place of encryption is crazy in my opinion. you are basically reducing the security of your key by 50% when you split it into two parts and that is a huge security reduction.
you also don't know what flaws the secret sharing algorithm may have or how optimized it could get in the future to recover such keys that also have 50% less security.

A secret sharing scheme has the property of not disclosing any information about the secret with less than the required amount of shares.
With N-1 shares where N is the amount of required shares, you don't gain any information about the secret at all.

A secret sharing scheme does not mean you split the words in two halves, since this indeed does reveal information about the secret.

I would agree something like Shamirs secret sharing would be the best option for splitting up your words.

Lets say I have 12 words.

example :


for this example we will use the online demo page for SSSS

(DO NOT USE THIS FOR LIVE FUNDS NEVER SHARE YOUR SEED TO ANY ONLINE SITE!)

http://point-at-infinity.org/ssss/demo.html

Lets say I chose a recover threshold of 2 shares from a 4 share split.

I enter the seed above into the SSSS tool and I am given 4 shares


Now there is no way for someone to recover the seed words without 2 of the above shares 2 / 4 to recover the seed.

if you pick any 2 of the above and enter them into the decode tool and recover the seed words.

I picked shares 1 and 4 to make the recovery.

https://i.imgur.com/jgj2qef.png
https://i.imgur.com/R0HOXnv.png

You can set any amount of share or any threshold to recover them.

If you decided to do this I would recommend downloading the source code for SSSS and running it in a offline environment.

And again DO NOT enter your seed with funds to the demo page of SSSS only use it as a reference.

OP wanted a system which would make it difficult for the cousin and friend to collaborate with each other and steal his coins. A 2-of-3 secret sharing scheme does not achieve that.

Bear in mind that whatever difficulties you are facing at the moment will also be faced by your cousin/friend when they try to decrypt the phrase you have given them. Depending on their technical knowledge, you may end up making it very difficult for them to recover your coins.

If it were me, I would simply use a reputable open source encryption program such as VeraCrypt or GNU Privacy Guard.

But a 3 out of 3 scheme does.



Using a container is probably the best approach for people with little technical knowledge.
Although, one could argue that googling "AES decryption" or "secret sharing scheme X" shouldn't be too hard.

How many 'groups' you want to create? 3?
Why not load hardware wallet with your seed + add extra password + add pin?

Read the OP, and you'll know why.
This simply does not work the way OP wants/needs it.

It is about collaborated access to the funds, not multiple layers of security.

Exactly - you will need 3 parts to access the balance. Of course there is always a question which part should be given to someone or left at notary.
Another question is - what if one of 'owners' die first (or lost his 'piece') and if others will be able to access wallet at all.

With your approach only 2 shares are required:

• HW Wallet + Pin or
• Mnemonic code + Password

And with a discovered vulnerability in the HW wallet, maybe only the HW wallet is enough.
You shoudn't treat a HW wallet as completely secure against someone who has a lot of time, technical knowledge and access to the device.

@MagicByt3   Thank you.  I found a website which would do Shadir's Secret Sharing in an offline browser: http://passguardian.com

I tested with the Edge and the Firefox Browsers and they seemed to both work offline and interoperably.

The main disadvantage I see with Shadir's Secret Sharing Scheme is that implementations seem to be various.  I have not found an ability to get one implementation scheme to work with another.  As such if I use Pass Guardian's scheme.  Then that's the only option. 

However, because it work's offline, a USB drive can be used to reconstruct the secret words.  In addition, archive.org has a repository of passguardian.com, ex. https://web.archive.org/web/20200719040245/http://passguardian.com/ (https://web.archive.org/web/20200719040245/http://passguardian.com/) and as such, it should be feasible to get that to work as well and it worked when I tried it.

So yeah, I think I'm going to leave a link to passguardian and a web.archive.org version of passguardian in the instructions of the Will as well as a USB Drive with a the predownloaded offline webpage as well as a Downloadable Executable of a Web Browser ( just in case history changes and we aren't still using web browsers in 50 or so years when I die ).

You have already landed on the most crucial flaw when it comes to SSSS - multiple implementations which are not cross compatible with each other. Your entire set up is now entirely dependent on this one website you have chosen. Should there be a bug in the code,* then your shares may not be secure at all, or they may not recombine properly. Should the site go down and your USB stick corrupts or dies (not unlikely give the 50 year time frame you talk about), then your coins will be lost forever.

There's a good article here detailing the shortcomings of SSSS: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

*Is it even open source? All I can see on the site itself is the statement that it is "built upon" a GitHub repository which hasn't been updated in 3 years.

I partially agree with o_e_l_e_o.

I'd like to suggest a few improvements:

• Use an open source project from github which makes it easier to reconstruct the executable in X years.
• Do not only include the source code / instruction in the will, but everyone having a share should know that. Just go for 3 out of 3 shares.
• It doesn't necessarily have to be Shamirs secret sharing scheme. There are other cryptogrpahically secure sharing schemes available, such as Mignotte's or Asmuth-Bloom's scheme. Rather go for open source and reproducible, regardless whether it is Shamir's or an other secure scheme.

This would result in the circumstance that the BTC always need to be in the multisig wallet.

For OP to actually use the wallet he either needs
1) a "backup" of the private keys everyone has to actually access the funds or
2) a 3 out of 6 multisig with him having 3 keys.

Both is extremely impractical because he basically just has a single address to use.

The previously mentioned approaches are better in terms of privacy. OP can use as many addresses as he wants without affecting the security of the backup mechanism or his privacy when transacting.
I see downsides of your approach, but don't see any upside.

That's not exactly true... It wouldn't need to be 3-of-6. If the OP was using Electrum, they could create a 3-of-3 MultiSig wallet... using 3 seeds... instead of using 1 seed + 2 pubkeys. That way, their copy of the wallet would have all the private keys needed to be able to create/send transactions. It would be akin to having a "disabled" 2FA wallet.

OP could then give 1 seed to TrustedPersonA, 1 seed to TrustedPersonB and have 1 seed in Will. On death, the parties can then use the 3 seeds to recreate the wallet.

In the meantime, the OP could use the wallet as they wanted for everyday use... it's still an HD wallet, so OP would get new addresses etc. And wouldn't look any different to any other P2SH type wallet really. Granted, the OP would need to keep backups of all 3 seeds, but that's not really any more difficult than keeping a backup of 1 seed from a "standard" wallet... you're effectively just storing 36 words instead of 12 :P


The big problem I see with all of this... is the final distribution of funds. If all the funds are in one wallet, the party that gets all 3 seeds "first" could effectively take it all.

DUH! Yeah... Of course, it's multisig, one person creates the transaction distributing funds evenly, and then everyone else signs it... ::)

However, I guess the opposite scenario is also true... if one party feels like being a complete ass, they can actually prevent everyone from getting any money by refusing to sign the transaction with their key... and before anyone says "why would someone deliberately sabotage their own chances of getting money by refusing to sign?"... trust me, I've seen people do a LOT worse out of pure spite :-\

You'd think this would be the case... but I've personally seen the results of "estranged" relatives fighting over property/funds etc. following deaths and marriage breakups etc. It ain't pretty and sometimes people do very irrational things to cause other people pain. :-\ (have you had a read through the reputation board lately? ::))

Obviously, it's not guaranteed that this will happen... it's just something to consider when going for an n-of-m multisig, where n==m... It only takes one keyholder to either lose their key, or refuse to sign, and the funds are effectively unrecoverable.

This problem already is being solved by the secret sharing scheme.




That's what i actually was referring to with keeping a backup of all 3 shares.
It is either OP has access to the 3 shares being distributed or 3 out of 6 shares if each share has to be individual.
But somehow, i only was thinking about a single multisig address. Therefore the statement regarding the privacy. With a multisig wallet, the privacy obviously is not affected.

Over complicating things rarely has a positive effect.




Which "if's" are you referring to ?
Where is the vulnerability when using a secret sharing scheme in comparison to using that scheme together with multisig?



If i am not mistaken, that's the reason why the secrets are divided into 2 groups which both include a human (prone to irrational thinking) and a bank safety deposit box.
Whether who gains access to that under which conditions is key here.

Complexity is the enemy of security. Setting up a multisig and SSS simultaneously is overly complex and does not solve any problem over my approach:

Encrypt your seed
Give the first half of the encrypted data to one friend, and the second half to another friend
Put the decryption key in your will

Collusion between two parties is impossible, as all three are required to decrypt the seed.
Privacy is maintained as you can use a full HD wallet and none of the three parties know your addresses prior to decryption.

Not necessarily.

A collusion between the person having access to the will and therefore the decryption key, together with one of those two parties, will result in information leakage.
And this leakage might be enough to bruteforce the seed.

A 3 out of 3 secret sharing is not vulnerable to that.
A multisig together with a secret sharing scheme indeed seems pointless.

Depends which encryption algorithm you use, but if you are worried about this then simply split your 24 word seed in to two 12 word sections and encrypt them separately before handing them out your friends. A collusion between one friend and the will holder will at most reveal 12 words, meaning they would still need to brute force 12 more, which is essentially impossible.

I don't see how multisig or SSS stops that? If one malicious party manages to get their hands on all the other parts, then they can do whatever they like. This is true of any set up, be it SSS, multisig, or encryption.

Correct me if I'm wrong, but as I'm reading it, in your hypothetical scenario each party can be talked in to giving away their share of the SSS, but they will know better than to give away their share of the multisig? Or each part of the SSS will be able to be compromised, but each part of the multisig will be store more securely?

I think that's a pretty big assumption to make. You either have to assume a party is smart enough to store all information securely and not give any of it away, or they aren't.

So, this might apply to a 24 word mnemonic.
But a 12 word mnemonic, where 6 words are known is still unlikely to be bruteforced, means it is no longer impossible to do so.

Information leakage when 2 out of 3 parties collude is never good. A secret sharing is superior to a simple split and encryption.




That's retarded.
It doesn't make any sense.

How is that one piece of information someone tells you to not give it away, secure in terms of that the said person won't give it away, but the other isn't ?
There is no logic behind it. It just over complicates things.

So if someone wanted to use a 3-of-3 secret sharing scheme, what is the best way to do it? It needs to be secure, it needs to be open source for obvious reasons, and it needs to be easily replicated in case the implementation the person uses no longer exists when the heirs come to recombine their shares.

Would SLIP39 be the best bet? Other than Trezor and Iancoleman, are there any other implementations of this available to use?

There are multiple secret sharing schemes which one could use. And for each there are open source implementations.
One could just choose one of them and not just hand out the shares, but also the source code and instructions.

How the mnemonic has to be encoded fully depends on the scheme and implementation. But IMO that's not a problem since all information can be included in the how-to.
Basically this all comes down to "Here is the source code, enter the data on the paper into the function".



I'd generally never do crypto in my browser / using javascript.