Bitcoin Forum
Topic: Best Way to Encrypt Recovery Words for Wallet for Heirs?
Gyther (OP)
August 18, 2020, 02:42:28 AM
 #1

I'm using a wallet which has 24 recovery words.  I want to make it so that my heirs can access the money while making it relatively difficult for those whom I trust with the recovery words to collaborate and steal the money for themselves.

Plan:
Divide the Recovery Words into Part 1 and Part 2.  Give half the Recovery Words to Group A and half to Group B.

Group A (Recovery Words Part 1)
Bank 1 Safety Deposit Box
Close Cousin

Group B (Recovery Words Part 2)
Bank 2 Safety Deposit Box
Childhood Best Friend

The Twist:
Group A and Group B are not given the actual recovery words but actually just an encrypted phrase which when decrypted will reveal the recovery words.  Only my Will will stipulate the secret key needed to properly decrypt the encrypted Recovery Words for each half.  Only my immediate family will have a copy of my will and neither Bank nor close cousin nor childhood best friend will have a copy of the Will and thus they will be unable to collude.

I'm trying to find a simple yet robust and reproducible decryption algorithm to leave instructions to my heirs to be able to decrypt the phrases Group A and Group B will give them.  I'm thinking of AES 256 CBC.  I've found 3 websites which can decrypt the same phrase reliably, but I'm trying to find a downloadable Executable or VBA Macro which can also decrypt it and am having trouble finding something which can decrypt properly.  Any suggestions?
TheBeardedBaby
August 18, 2020, 09:29:43 AM
 #2

There is an interesting reading here almost on your subject, Using Locktime for inheritance planning, backups or gifts
The transactions are time locked so people will have access after given time, so they will not have access on the time when your will enters into force.
I'm sure you will find some answers there.
In addition, here is already a company working on those timelocked transactions, read the Ann thread here > [ANN/PoC] Coldkey Cryptobond - FIRST Timelocked Physical Bitcoin

bob123
August 18, 2020, 11:13:42 AM
 #3

You don't necessarily need to encrypt your mnemonic code this way.

A different approach would be to use a secret sharing scheme and divide the secret into 3 parts where at least 2 (or 3) are required.
Each group gets one part of the mnemonic, and the last one will be stored in your will.

This way, no information is being leaked with n-1 shares (where n is the required amount to unhide the secret).
With n = 3 (so 3 out of 3 sharing scheme), all shares are needed: Group A, Group B and the share from your will.


Not saying that you should use this approach. Just giving you some ideas and other possibilities.



> I've found 3 websites which can decrypt the same phrase reliably, but I'm trying to find a downloadable Executable or VBA Macro which can also decrypt it and am having trouble finding something which can decrypt properly.  Any suggestions?

Don't use websites for that.
The easiest would probably be to write 10 lines of python code to do that.

BrewMaster
August 18, 2020, 12:01:00 PM
 #4

using secret sharing in place of encryption is crazy in my opinion. you are basically reducing the security of your key by 50% when you split it into two parts and that is a huge security reduction.
you also don't know what flaws the secret sharing algorithm may have or how optimized it could get in the future to recover such keys that also have 50% less security.

bob123
August 18, 2020, 12:43:53 PM
 #5

> using secret sharing in place of encryption is crazy in my opinion. you are basically reducing the security of your key by 50% when you split it into two parts and that is a huge security reduction.
> you also don't know what flaws the secret sharing algorithm may have or how optimized it could get in the future to recover such keys that also have 50% less security.

A secret sharing scheme has the property of not disclosing any information about the secret with less than the required amount of shares.
With N-1 shares where N is the amount of required shares, you don't gain any information about the secret at all.

A secret sharing scheme does not mean you split the words in two halves, since this indeed does reveal information about the secret.

DaCryptoRaccoon
August 18, 2020, 01:08:01 PM
 #6

I would agree something like Shamir's secret sharing would be the best option for splitting up your words.

Let's say I have 12 words.

example :

Code:
horse cart battery staple world spent locked secret shares hidden coins forever

for this example we will use the online demo page for SSSS

(DO NOT USE THIS FOR LIVE FUNDS NEVER SHARE YOUR SEED TO ANY ONLINE SITE!)

http://point-at-infinity.org/ssss/demo.html

Let's say I chose a recovery threshold of 2 shares from a 4 share split.

I enter the seed above into the SSSS tool and I am given 4 shares

Code:
1-3e0f282a2bf76286d1d3188cbc7e239b94a51e2640003be96fc16b8aa0eba4666bfb1e948dd68782194225571d48de621d888b9908ac82d7f1f6a30e694e467c60a93a113513ce56adc06bf7295125
2-97a7cec1b9189b697c0d17be038b117cb8e5370774a4101216867cdd820cc09d41cd9818303aab097f9eeaf3751d707a1e613b0b6d8147560181412701f0ba05b0fb8ea70fee64d22aac0c85bffbcd
3-0f3f9367374233cc18b8ed506927ff21a3252fe798c7f6bb3e448e109c51e33458201a63a49eb08fa22aaf90ad2e158de0c654854e9a042951ac1f3fd99aee2d00ca1d3519bafd51a877d1abcd9c6a
4-c4f603169cc768b627b109db7c6174b2e06565451dec47e4e4085273c7c2096b15a095014be2f21fb22775bba5b62c4a19b25a2fa7dacc55e16e8575d08d42f6105ee7cb7a1531db2474c26092ac04

Now there is no way for someone to recover the seed words without 2 of the above shares 2 / 4 to recover the seed.

If you pick any 2 of the above and enter them into the decode tool, you recover the seed words.

I picked shares 1 and 4 to make the recovery.

You can set any number of shares or any threshold to recover them.

If you decided to do this I would recommend downloading the source code for SSSS and running it in an offline environment.

And again DO NOT enter your seed with funds to the demo page of SSSS only use it as a reference.


o_e_l_e_o
August 18, 2020, 01:14:08 PM
 #7

OP wanted a system which would make it difficult for the cousin and friend to collaborate with each other and steal his coins. A 2-of-3 secret sharing scheme does not achieve that.

> I've found 3 websites which can decrypt the same phrase reliably, but I'm trying to find a downloadable Executable or VBA Macro which can also decrypt it and am having trouble finding something which can decrypt properly.  Any suggestions?
Bear in mind that whatever difficulties you are facing at the moment will also be faced by your cousin/friend when they try to decrypt the phrase you have given them. Depending on their technical knowledge, you may end up making it very difficult for them to recover your coins.

If it were me, I would simply use a reputable open source encryption program such as VeraCrypt or GNU Privacy Guard.
bob123
August 18, 2020, 01:36:57 PM
 #8

> OP wanted a system which would make it difficult for the cousin and friend to collaborate with each other and steal his coins. A 2-of-3 secret sharing scheme does not achieve that.

But a 3 out of 3 scheme does.


> If it were me, I would simply use a reputable open source encryption program such as VeraCrypt or GNU Privacy Guard.

Using a container is probably the best approach for people with little technical knowledge.
Although, one could argue that googling "AES decryption" or "secret sharing scheme X" shouldn't be too hard.

PawGo
August 18, 2020, 01:53:09 PM
 #9

How many 'groups' do you want to create? 3?
Why not load hardware wallet with your seed + add extra password + add pin?
bob123
August 18, 2020, 02:01:18 PM
 #10

> Why not load hardware wallet with your seed + add extra password + add pin?

Read the OP, and you'll know why.
This simply does not work the way OP wants/needs it.

It is about collaborated access to the funds, not multiple layers of security.

PawGo
August 18, 2020, 02:05:41 PM
 #11

> Why not load hardware wallet with your seed + add extra password + add pin?
>
> Read the OP, and you'll know why.
> This simply does not work the way OP wants/needs it.
>
> It is about collaborated access to the funds, not multiple layers of security.

Exactly - you will need 3 parts to access the balance. Of course there is always the question of which part should be given to someone or left with a notary.
Another question is: what if one of the 'owners' dies first (or loses his 'piece'), and whether the others will be able to access the wallet at all.
bob123
August 18, 2020, 02:11:05 PM
 #12

> Exactly - you will need 3 parts to access the balance.

With your approach only 2 shares are required:
  • HW Wallet + Pin or
  • Mnemonic code + Password

And with a discovered vulnerability in the HW wallet, maybe only the HW wallet is enough.
You shouldn't treat a HW wallet as completely secure against someone who has a lot of time, technical knowledge and access to the device.

Gyther (OP)
August 18, 2020, 06:22:57 PM
 #13

@MagicByt3   Thank you.  I found a website which would do Shamir's Secret Sharing in an offline browser: http://passguardian.com

I tested with the Edge and the Firefox Browsers and they seemed to both work offline and interoperably.

The main disadvantage I see with Shamir's Secret Sharing Scheme is that implementations seem to vary.  I have not found a way to get one implementation scheme to work with another.  As such, if I use Pass Guardian's scheme, then that's the only option.

However, because it works offline, a USB drive can be used to reconstruct the secret words.  In addition, archive.org has a repository of passguardian.com, e.g. https://web.archive.org/web/20200719040245/http://passguardian.com/ and as such, it should be feasible to get that to work as well, and it worked when I tried it.

So yeah, I think I'm going to leave a link to passguardian and a web.archive.org version of passguardian in the instructions of the Will, as well as a USB Drive with the predownloaded offline webpage and a Downloadable Executable of a Web Browser ( just in case history changes and we aren't still using web browsers in 50 or so years when I die ).
o_e_l_e_o
August 18, 2020, 07:02:59 PM
 #14

> -snip-

You have already landed on the most crucial flaw when it comes to SSSS - multiple implementations which are not cross compatible with each other. Your entire setup is now entirely dependent on this one website you have chosen. Should there be a bug in the code,* then your shares may not be secure at all, or they may not recombine properly. Should the site go down and your USB stick corrupt or die (not unlikely given the 50-year time frame you talk about), then your coins will be lost forever.

There's a good article here detailing the shortcomings of SSSS: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

*Is it even open source? All I can see on the site itself is the statement that it is "built upon" a GitHub repository which hasn't been updated in 3 years.
bob123
August 19, 2020, 12:18:48 PM
 #15

I partially agree with o_e_l_e_o.

I'd like to suggest a few improvements:
  • Use an open source project from github which makes it easier to reconstruct the executable in X years.
  • Do not only include the source code / instructions in the will, but everyone having a share should know that. Just go for 3 out of 3 shares.
  • It doesn't necessarily have to be Shamir's secret sharing scheme. There are other cryptographically secure sharing schemes available, such as Mignotte's or Asmuth-Bloom's scheme. Rather go for open source and reproducible, regardless whether it is Shamir's or another secure scheme.

bob123
August 19, 2020, 04:10:50 PM
 #16

> Say you have 3 heirs whom you trust. Create a 3-of-3 multisig wallet (in fact you should create 3 wallets with 3 MPK, and the final multisig will be the 4th) to authorize transactions and, using any SSS, split the multisig wallet's SEED into 3 parts, any 2 of which are capable of restoring the SEED for the multisig. Hand over to every heir the full SEED for his/her wallet and his/her part of the split SEED relevant to the multisig wallet. Even if 2 of 3 heirs plot to steal the money for themselves, they can't do it without the 3rd signing wallet.

This would result in the circumstance that the BTC always need to be in the multisig wallet.

For OP to actually use the wallet he either needs
1) a "backup" of the private keys everyone has to actually access the funds or
2) a 3 out of 6 multisig with him having 3 keys.

Both are extremely impractical because he basically just has a single address to use.

The previously mentioned approaches are better in terms of privacy. OP can use as many addresses as he wants without affecting the security of the backup mechanism or his privacy when transacting.
I see downsides of your approach, but don't see any upside.

HCP
August 19, 2020, 10:48:53 PM
 #17

> This would result in the circumstance that the BTC always need to be in the multisig wallet.
>
> For OP to actually use the wallet he either needs
> 1) a "backup" of the private keys everyone has to actually access the funds or
> 2) a 3 out of 6 multisig with him having 3 keys.
>
> Both are extremely impractical because he basically just has a single address to use.
>
> The previously mentioned approaches are better in terms of privacy. OP can use as many addresses as he wants without affecting the security of the backup mechanism or his privacy when transacting.
> I see downsides of your approach, but don't see any upside.
That's not exactly true... It wouldn't need to be 3-of-6. If the OP was using Electrum, they could create a 3-of-3 MultiSig wallet... using 3 seeds... instead of using 1 seed + 2 pubkeys. That way, their copy of the wallet would have all the private keys needed to be able to create/send transactions. It would be akin to having a "disabled" 2FA wallet.

OP could then give 1 seed to TrustedPersonA, 1 seed to TrustedPersonB and have 1 seed in Will. On death, the parties can then use the 3 seeds to recreate the wallet.

In the meantime, the OP could use the wallet as they wanted for everyday use... it's still an HD wallet, so OP would get new addresses etc. And it wouldn't look any different to any other P2SH type wallet really. Granted, the OP would need to keep backups of all 3 seeds, but that's not really any more difficult than keeping a backup of 1 seed from a "standard" wallet... you're effectively just storing 36 words instead of 12.


The big problem I see with all of this... is the final distribution of funds. If all the funds are in one wallet, the party that gets all 3 seeds "first" could effectively take it all.

HCP
August 20, 2020, 10:59:15 AM
 #18

> No need to have all 3 in one hand to distribute the fund.

DUH! Yeah... Of course, it's multisig, one person creates the transaction distributing funds evenly, and then everyone else signs it...

However, I guess the opposite scenario is also true... if one party feels like being a complete ass, they can actually prevent everyone from getting any money by refusing to sign the transaction with their key... and before anyone says "why would someone deliberately sabotage their own chances of getting money by refusing to sign?"... trust me, I've seen people do a LOT worse out of pure spite.

HCP
August 20, 2020, 12:16:59 PM
 #19

> I remain skeptical that there's at least one person who would give up his/her cut of heritage only for the reason of screwing others unless his/her portion is "penny"-worth. And then, we're not talking about strangers but of heirs who are supposed to be related. If their cuts are equal they are supposed to sign the transaction.

You'd think this would be the case... but I've personally seen the results of "estranged" relatives fighting over property/funds etc. following deaths and marriage breakups etc. It ain't pretty and sometimes people do very irrational things to cause other people pain. (Have you had a read through the reputation board lately?)

Obviously, it's not guaranteed that this will happen... it's just something to consider when going for an n-of-m multisig, where n==m... It only takes one keyholder to either lose their key, or refuse to sign, and the funds are effectively unrecoverable.

bob123
August 20, 2020, 03:58:17 PM
 #20

> Besides the mine solves his concern of possible collusion between heirs. Sure OP can figure out his own way.

This problem already is being solved by the secret sharing scheme.



> That's not exactly true... It wouldn't need to be 3-of-6. If the OP was using Electrum, they could create a 3-of-3 MultiSig wallet... using 3 seeds... instead of using 1 seed + 2 pubkeys. That way, their copy of the wallet would have all the private keys needed to be able to create/send transactions. It would be akin to having a "disabled" 2FA wallet.
>
> OP could then give 1 seed to TrustedPersonA, 1 seed to TrustedPersonB and have 1 seed in Will. On death, the parties can then use the 3 seeds to recreate the wallet.
>
> In the meantime, the OP could use the wallet as they wanted for everyday use... it's still an HD wallet, so OP would get new addresses etc. And it wouldn't look any different to any other P2SH type wallet really. Granted, the OP would need to keep backups of all 3 seeds, but that's not really any more difficult than keeping a backup of 1 seed from a "standard" wallet... you're effectively just storing 36 words instead of 12.

That's what I actually was referring to with keeping a backup of all 3 shares.
Either OP has access to the 3 shares being distributed, or 3 out of 6 shares if each share has to be individual.
But somehow, I was only thinking about a single multisig address, hence the statement regarding privacy. With a multisig wallet, the privacy obviously is not affected.
