Bitcoin Forum
Topic: BitcoinSeedSplitter
Gabrics (OP)
April 09, 2021, 09:25:40 AM
Last edit: April 09, 2021, 11:10:02 AM by Gabrics
Merited by Welsh (6), ABCbits (3), o_e_l_e_o (2), Saidasun (2), Husna QA (1)
#1

Hi,

I needed a BIP39 seed/mnemonic splitter for fault-tolerant geo-distributed seed storage.

Here is a small tool. Simple, but does the work.

Cheers,


https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

At the moment Windows only, but .NET 5 should make it easy to compile a version for Linux.


ABCbits
April 09, 2021, 09:48:19 AM
#2

Thanks for sharing. Do you mind sharing how it works? Is it similar to how RAID 5 works?

ranochigo
April 09, 2021, 09:54:39 AM
Merited by ABCbits (1)
#3

Quote
Thanks for sharing. Do you mind sharing how it works? Is it similar to how RAID 5 works?

It's Shamir secret sharing. Ian Coleman's BIP39 uses this to split it up as a form of multi-factor recovery.

Charles-Tim
April 09, 2021, 10:10:12 AM
#4

Quote
Thanks for sharing. Do you mind sharing how it works? Is it similar to how RAID 5 works?

This is just like Shamir's secret sharing. Just like M-of-N, in which M shares out of the N secrets can be used to recover the whole seed phrase. But Shamir's secret sharing will convert the seed phrase to alphabets and numbers, whereas this one on the OP's board will convert the seed phrase to words instead of characters.

I have used Shamir's secret sharing before, but never this one. I got the idea from the link posted by the OP:

Quote
Usage example: You have a 12-word seed which you want to store safely in 5 places with fault tolerance. 3 of the 5 shares will be enough to rebuild the original seed (plus the optional password).

Original Mnemonic: venture whale soap pave enjoy bid skull journey exotic soon phone proof

Output Shares:

stage middle dune innocent acid chimney clog focus metal nut flat tissue era female advice senior
stage era draw run glue brass cruel token produce sort wide tragic real tray wagon exit
stage slush economy focus oak vote box cruel license belt slow shoot sock session elder panda
stage clump donor major grape glad network quote sort above mad rule left verify such gate
stage proof earth genre music middle river guess topic swim rebel outer adult spend harvest rapid

BlackHatCoiner
April 09, 2021, 10:11:36 AM
#5

Hmm, I'm reading how it works. Would it be dumb to ask how this can help? Why would one want to split his seed phrase over different places? Also, how can you do that technically? I mean, how are the output shares calculated?

Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-word mnemonic with two words missing (e.g. 1 piece of paper out of 6).

Gabrics (OP)
April 09, 2021, 10:25:57 AM
Merited by ABCbits (1)
#6

Indeed it is using Shamir sharing.
https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing

With a few, I think, nice additions from SLIP39.

Like adding the minimum share bits at the beginning and a split id (first word) to identify that you have the right word. In addition, checking for valid BIP39 input and output.


Gabrics (OP)
April 09, 2021, 10:32:28 AM
Last edit: April 09, 2021, 10:53:21 AM by Gabrics
#7

You need to share it in different places to avoid losing it, to fire or theft. But if you store the seed phrase in any ONE place you are also subject to theft. I mean stealing your bitcoins by using the seed.

If you split your seed you can store it in several places without the theft risk.
You also gain fault tolerance. Like if you use 3 of 5 you can have two of the shares lost, yet you can still reconstruct your seed.

The shares themselves are just medium sensitive, as they are worthless one by one, without a quorum present.

Simply splitting the original 12 seed words into pieces makes you lose the whole seed if one of them is lost. It also makes it possible/easier to break (theoretically/in the future). Especially if you are starting to use redundancy, e.g. splitting the 12 words into 3x6 rather than 3x4. But even in this case you are not really N-of-M redundant because your splits are not equal (so it matters which one you lost).

Shares produced don't weaken the original difficulty and also add fault tolerance. A lot of fault tolerance actually. So if you have 3 safe places it is still better IMHO to store 2 of 3 shares than 3x4 words (or any mix of them). For me storing the whole/a large chunk of the seed anywhere is way too risky.

Share calculation details are in the source, but I will add a brief to the original post.




dkbit98
April 09, 2021, 11:09:50 AM
#8

I would be careful using any Shamir secret sharing because it has a single point of failure, and I don't think geo-distributed seed storage is much use in this case.

Multisig is a much better option, like I wrote in the comparison topic Multisig VS Shamir Secret Sharing.

Charles-Tim
April 09, 2021, 11:44:03 AM
#9

Quote
Couldn't this work by simply writing x out of y words on ω papers? It could work on a twelve-word mnemonic with two words missing (e.g. 1 piece of paper out of 6).

I do not know if this question is asked ironically, but so that it does not confuse newbies, I will add a few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.

Quote
Multisig is a much better option, like I wrote in the comparison topic Multisig VS Shamir Secret Sharing.

I too would prefer multisig instead, but Shamir secret sharing is a standard as well; if you understand the basics, it is created in a way that the shares can reconstruct the seed phrase. But I get the point about leaving the seed phrase unencrypted by having multiple private keys, but Shamir seed phrase encryption does work perfectly with SSS. I too would prefer multisig as it fulfills the purpose without going beyond bitcoin wallet usage, and also a multisig wallet is transparent, unlike SSS.

But never mind me saying this; this thread is not about multisig wallets. Although it is a good alternative.

BlackHatCoiner
April 09, 2021, 12:04:08 PM
#10

Quote
I do not know if this question is asked ironically, but so that it does not confuse newbies, I will add a few comments. This is not a perfect method because hackers can brute force some missing parts of a seed phrase.

I'm saying that it doesn't have any huge difference from the way I described (which is horrible, I know). Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them. Sure, if you hide twelve words separately you can brute force if you only miss two. You could hide two pieces of paper with 6 words each. I don't know, but I wouldn't ever do that if I was afraid of being stolen from. It could help me if I was in a group in which the majority of the members decided the funds' transactions, but there's already a way to do that. The one you mentioned, multisig.

@Gabrics, I'm not "badmouthing" your software, don't get me wrong. I checked your C# code, and it looks great. It does its job properly. I just want to understand why you should hide your coins in that dangerously fallible way. To me, it seems that the entire procedure is more complicated than it should be. I personally believe that it's more important to be able to spend your funds than to get stolen.

Gabrics (OP)
April 09, 2021, 07:07:20 PM
Merited by Welsh (4), BlackHatCoiner (1), Rizzrack (1)
#11

Yes, but you have to have a backup. Even multisig is fallible if the thief finds all the signers. So theoretically nothing is 100%.

In the case of the current BIP39SeedSplitter this is exactly why I added the optional password. This way you can still have a password which you can keep in mind (or you and one or more of your loved ones), and that way a thief can't access your seed even if they gained access to enough shares. And it's possible to remember a good enough password because I hash 100K times, so brute forcing is VERY slow. So in this case you have high fault tolerance because of the shares and perfect(ish) security because of the password. I also think that using shares gives you some steganography-like protection. I mean even if someone realizes that these words are seeds, then what? I mean it is not a seed, as nothing accepts it.

Indeed, being careful not to lose access comes first. But safety comes second Wink


BlackHatCoiner
April 09, 2021, 07:31:10 PM
#12

Quote
This way you can still have a password which you can keep in mind (or you and one or more of your loved ones), and that way a thief can't access your seed even if they gained access to enough shares. And it's possible to remember a good enough password because I hash 100K times, so brute forcing is VERY slow.

I didn't know about that. This can actually be very interesting...

Gabrics (OP)
April 11, 2021, 01:12:34 PM
#13

Also, you can modify it with a simple parameter; you can make it a million or a billion hashes, it's just a parameter in the code.

You can use a simple password and a custom hash count (you do need a password, as hashing doesn't happen with an empty password). But be careful not to outsmart yourself... Wink
o_e_l_e_o
April 11, 2021, 07:28:40 PM
Merited by Welsh (4), BlackHatCoiner (1), Gabrics (1)
#14

Quote
Whether you hide 6 pieces of paper containing 2 words each, or 6 shares, the thief can gain access to your funds if he/she ever finds many of them.

The difference is that by using Shamir's Secret Sharing, as opposed to just writing different combinations of your words on different pieces of paper, the thief has to find many more of your shares.

Let's say, for example, you want to use a 2-of-3 set-up. You write 8 of your 12 words on each of the 3 pieces of paper. One piece of paper is enough for the attacker to brute force your seed phrase. With SSS, they need two.
Let's say you use a 4-of-6 set-up. You write 6 of your 12 words on each of the 6 pieces of paper. If an attacker gets lucky, the correct two pieces of paper are enough for them to steal your coins. If they get an unlucky combination, then they need three. With SSS, they need four.

With each additional share they need to compromise, you make it exponentially harder for them.
odolvlobo
April 12, 2021, 03:38:32 AM
Merited by Welsh (3), ABCbits (1)
#15

Quote
I needed a BIP39 seed/mnemonic splitter for fault-tolerant geo-distributed seed storage.
Here is a small tool. Simple, but does the work.
https://github.com/GhostOfSatoshi/BitcoinSeedSplitter

Rather than rolling your own, I recommend that you implement Trezor's Shamir Backup (https://trezor.io/shamir/). It is similar to what you are doing. The advantage is that you would be compatible with Trezor and you get to take advantage of all of their work.

Here are the details:

https://github.com/satoshilabs/slips/blob/master/slip-0039.md


Gabrics (OP)
April 12, 2021, 05:37:58 AM
Merited by ABCbits (1)
#16

Yes, I did check this out in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 is that they don't back up the seed words.

What they back up is the derived master key, from which there is no way to go back to the seed words. Because of this it is very hard/impossible to just feed the restored result to any/all wallets.

Also the derived master key has no CRC or similar, so you don't know if you have the correct one or not (as far as I know).

o_e_l_e_o
April 12, 2021, 08:20:24 AM
#17

Quote
Yes, I did check this out in advance and tried to use/build a compatible solution. The BIG problem with SLIP39 is that they don't back up the seed words.

With that in mind, what are the significant differences between your tool and Ian Coleman's Shamir39 tool, which does the same thing, splitting a seed phrase into split phrases? You can find his implementation here: https://iancoleman.io/shamir39/

My biggest issue with using something like this is that there is no standard implementation, so in addition to backing up each share you also need to back up the software itself, which is an additional risk.
dkbit98
April 12, 2021, 01:47:53 PM
#18

@Gabrics
What happens if your Bitcoin Seed Splitter tool is gone one day or not working? Someone could also create a malicious app clone for stealing words.
Are there any alternatives we can use to restore our backup phrase and merge all splits, or are we fully dependent on your software?
This looks to me like one more single point of failure.

odolvlobo
April 13, 2021, 08:51:51 PM
#19

Quote
Yes, I did check this out in advance and tried to use/build a compatible solution. ...

Yes, you are right. Sorry for the poor advice. I forgot that SLIP-39 is incompatible with BIP-39. On the other hand, the designers argue that the incompatibility is not a major issue, but I don't completely agree with them.

Quote
Converting existing SLIP-0039 shares to a BIP-0039 mnemonic

This is not possible due to the overly coupled design of BIP-0039 and its use of a one-way derivation function. BIP-0039 works by first generating a high-entropy secret, then converting it to a mnemonic and finally using the mnemonic itself as input to PBKDF2 to derive the seed. This means that for any new scheme to be compatible with BIP-0039, it would have to be built on top of BIP-0039 with all of its now obsolete aspects. That includes the conversion of the high-entropy secret to the mnemonic using the old wordlist, which would have to be included in the implementation, unreasonably bloating its size. SLIP-0039 instead introduces a new decoupled design which is more feature-rich and allows maximum flexibility for future upgrades.

Some individuals have expressed a concern that the inability to convert SLIP-0039 shares to BIP-0039 may lead to vendor lock-in due to slow adoption of SLIP-0039 by hardware wallet vendors. This concern is unwarranted, since even if the conversion to BIP-0039 were possible and a user needed to recover their seed onto a device which does not support SLIP-0039, then they would need to use some conversion tool running on their computer. In that case they might as well simply recover their SLIP-0039 shares in a software wallet running on their computer and send all of their funds to a new seed on their new device. Thus the ability to convert shares to a BIP-0039 mnemonic makes no difference in this respect.

Perhaps, with some effort you could come up with a SSS protocol that is compatible with BIP-39 and propose it as a new BIP.

Gabrics (OP)
April 14, 2021, 07:35:01 AM
#20

Mainly this is why it's on GitHub and fully open source. Anyone can create their own or upload it somewhere and/or store it locally. It runs on the latest .NET Core with no 3rd-party dependency, so I am fairly certain it will run on Windows for many years without an issue.

Also the main math is simple(-ish). So even if the GUI/framework changes it's easy to just copy-paste the main functions to a new framework/GUI (this won't be needed for 5-10+ years, I believe).

Alternatives would be great indeed. I will make a stand-alone webpage version soon (if someone else doesn't before). It will also be open source, so that will bring the client count to two.

I believe the logic in the code is what's most important. I mean how the binary share is built from the seed. That's all there, no dependencies, just the code.



