Bitcoin Forum
Author Topic: Best Way to Encrypt Recovery Words for Wallet for Heirs?  (Read 391 times)
bob123
August 21, 2020, 10:48:21 AM
 #21

Well, always good to have a few options in store to have something to choose from.

Over complicating things rarely has a positive effect.



Mine, which is a composition of a secret-sharing scheme (SSS) and a multisig wallet, allows mitigating some of the numerous "ifs" the bare SSS couldn't cope with.

Which "ifs" are you referring to?
Where is the vulnerability when using a secret sharing scheme in comparison to using that scheme together with multisig?


However, as it was pointed out by HCP, even mine (not to mention bare SSS) would remain powerless against the specific cases that are still possible due to human nature.

If I am not mistaken, that's the reason why the secrets are divided into 2 groups which both include a human (prone to irrational thinking) and a bank safety deposit box.
Who gains access to that, and under which conditions, is key here.

o_e_l_e_o
In memoriam
August 21, 2020, 12:03:30 PM
 #22

Complexity is the enemy of security. Setting up a multisig and SSS simultaneously is overly complex and does not solve any problem over my approach:

Encrypt your seed
Give the first half of the encrypted data to one friend, and the second half to another friend
Put the decryption key in your will

Collusion between two parties is impossible, as all three are required to decrypt the seed.
Privacy is maintained as you can use a full HD wallet and none of the three parties know your addresses prior to decryption.
bob123
August 21, 2020, 12:26:03 PM
 #23

Collusion between two parties is impossible, as all three are required to decrypt the seed.

Not necessarily.

A collusion between the person having access to the will and therefore the decryption key, together with one of those two parties, will result in information leakage.
And this leakage might be enough to bruteforce the seed.

A 3 out of 3 secret sharing is not vulnerable to that.
A multisig together with a secret sharing scheme indeed seems pointless.

o_e_l_e_o
In memoriam
August 22, 2020, 08:48:58 AM
 #24

A collusion between the person having access to the will and therefore the decryption key, together with one of those two parties, will result in information leakage.
And this leakage might be enough to bruteforce the seed.
Depends which encryption algorithm you use, but if you are worried about this then simply split your 24 word seed into two 12 word sections and encrypt them separately before handing them out to your friends. A collusion between one friend and the will holder will at most reveal 12 words, meaning they would still need to brute force 12 more, which is essentially impossible.

Say one heir convinces the others to give him the missing parts (or gets them by deception) and fucks everybody off when making the transaction. Is this a possible scenario? Why not. A multisig + SSS scheme will automatically prevent that.
I don't see how multisig or SSS stops that. If one malicious party manages to get their hands on all the other parts, then they can do whatever they like. This is true of any setup, be it SSS, multisig, or encryption.
o_e_l_e_o
In memoriam
August 22, 2020, 09:22:02 AM
 #25

Means all SSS parts but not SEEDs for wallets relevant to multisig. The SEED is the sacral thing which cannot be shared under any circumstances; everybody knows this, all the more heirs should.
Correct me if I'm wrong, but as I'm reading it, in your hypothetical scenario each party can be talked into giving away their share of the SSS, but they will know better than to give away their share of the multisig? Or each part of the SSS will be able to be compromised, but each part of the multisig will be stored more securely?

I think that's a pretty big assumption to make. You either have to assume a party is smart enough to store all information securely and not give any of it away, or they aren't.
bob123
August 23, 2020, 02:39:57 PM
 #26

Depends which encryption algorithm you use, but if you are worried about this then simply split your 24 word seed into two 12 word sections and encrypt them separately before handing them out to your friends. A collusion between one friend and the will holder will at most reveal 12 words, meaning they would still need to brute force 12 more, which is essentially impossible.

So, this might apply to a 24 word mnemonic.
But a 12 word mnemonic where 6 words are known, while still unlikely to be bruteforced, is no longer impossible to bruteforce.

Information leakage when 2 out of 3 parties collude is never good. A secret sharing is superior to a simple split and encryption.



in your hypothetical scenario each party can be talked into giving away their share of the SSS, but they will know better than to give away their share of the multisig?

That's correct.

That's retarded.
It doesn't make any sense.

How is it that one piece of information someone tells you not to give away is secure, in the sense that the said person won't give it away, but the other isn't?
There is no logic behind it. It just over complicates things.

o_e_l_e_o
In memoriam
August 23, 2020, 03:28:17 PM
 #27

A secret sharing is superior to a simple split and encryption.
So if someone wanted to use a 3-of-3 secret sharing scheme, what is the best way to do it? It needs to be secure, it needs to be open source for obvious reasons, and it needs to be easily replicated in case the implementation the person uses no longer exists when the heirs come to recombine their shares.

Would SLIP39 be the best bet? Other than Trezor and Iancoleman, are there any other implementations of this available to use?
bob123
August 23, 2020, 03:39:10 PM
 #28

It needs to be secure, it needs to be open source for obvious reasons, and it needs to be easily replicated in case the implementation the person uses no longer exists when the heirs come to recombine their shares.

There are multiple secret sharing schemes which one could use. And for each there are open source implementations.
One could just choose one of them and not just hand out the shares, but also the source code and instructions.

How the mnemonic has to be encoded fully depends on the scheme and implementation. But IMO that's not a problem since all information can be included in the how-to.
Basically this all comes down to "Here is the source code, enter the data on the paper into the function".


Would SLIP39 be the best bet?

I'd generally never do crypto in my browser / using JavaScript.
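As an added illustration (not code posted by anyone in the thread), here is a minimal additive 3-of-3 secret sharing over BIP39 word-list indices, the kind of short source one could hand out together with the shares and a how-to as suggested in #28. It also shows why two colluding shareholders learn nothing, compared with the split-and-encrypt layout of #24, where one friend's half plus the will holder's key reveals half the words in the clear. The 24 sample indices are made up, and additive sharing mod 2048 is my choice of scheme, not one named in the thread.

```python
import secrets

WORDLIST_SIZE = 2048  # BIP39 word list: each word carries 11 bits

# Constructed sample: 24 word-list indices standing in for a mnemonic.
# These are made up for the example and do NOT belong to any real wallet.
SAMPLE_MNEMONIC = [17, 1203, 4, 2047, 999, 512, 76, 1800, 33, 1444, 250, 7,
                   1999, 608, 1, 1357, 902, 45, 1702, 333, 1234, 88, 1600, 420]


def split_3_of_3(secret):
    """Additive 3-of-3 secret sharing, one share word per mnemonic word.
    Two shares are fresh uniform randomness; the third is whatever makes
    the three sum to the secret modulo 2048. No pair of shares is useful."""
    s1 = [secrets.randbelow(WORDLIST_SIZE) for _ in secret]
    s2 = [secrets.randbelow(WORDLIST_SIZE) for _ in secret]
    s3 = [(w - a - b) % WORDLIST_SIZE for w, a, b in zip(secret, s1, s2)]
    return s1, s2, s3


def recombine(s1, s2, s3):
    """Reconstruction for the heirs: add the shares word by word mod 2048."""
    return [(a + b + c) % WORDLIST_SIZE for a, b, c in zip(s1, s2, s3)]


def candidates_consistent_with(share_a, share_b):
    """Why two colluding holders gain nothing: for one word position, every
    one of the 2048 possible secret words is explained by exactly one value
    of the missing share, so the pair of known shares rules nothing out."""
    consistent = set()
    for candidate in range(WORDLIST_SIZE):
        missing = (candidate - share_a - share_b) % WORDLIST_SIZE
        if (share_a + share_b + missing) % WORDLIST_SIZE == candidate:
            consistent.add(candidate)
    return len(consistent)  # 2048: the full word space remains


def unknown_bits(total_words, words_leaked):
    """Search space left once words_leaked words are known in the clear,
    as in the split-and-encrypt layout (BIP39 checksum ignored)."""
    return (total_words - words_leaked) * 11


if __name__ == "__main__":
    a, b, c = split_3_of_3(SAMPLE_MNEMONIC)
    print("recombined ok:", recombine(a, b, c) == SAMPLE_MNEMONIC)
    print("candidates left for word 0 given two shares:",
          candidates_consistent_with(a[0], b[0]))
    print("split+encrypt, 24 words, 12 leaked:", unknown_bits(24, 12), "bits")
    print("split+encrypt, 12 words, 6 leaked: ", unknown_bits(12, 6), "bits")
```

With the sharing scheme the remaining search space stays at the full 264 bits for any two colluders, while the split-and-encrypt layout drops to 132 bits for a 24 word seed and 66 bits for a 12 word seed once one half is exposed.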

