Bitcoin Forum
Topic: A. Antonopoulos’ Take on Seed Splitting and Bruteforcing (page 2)
o_e_l_e_o (Legendary, In memoriam)
August 26, 2021, 02:39:04 PM
Merited by Pmalek (2), n0nce (2)
#21

Quote
Andreas also explains that if someone were to find a part of Shamir's share and if that part is less than the quorum, it's like not having any information about the seed at all. That's the complete opposite of knowing 8 or 16 words as explained in the example in OP. And if one part of the SSSS share is lost, the data would still be recoverable.
This is all correct. The whole point of a SSS scheme is that any number of shares less than the threshold number reveals no information about the final secret. If you split a seed phrase into m Shamir shares, and require n of those shares to recover the seed phrase, then anything up to n-1 shares reveals nothing and does not make brute forcing any easier; an attacker might as well have no shares and be trying to bruteforce every possible valid seed phrase.

The single point of failure with SSSS isn't in the compromise of a single share, though. When combining your shares to recover your seed phrase, you must bring them all together on a single device to do so. If that device is compromised, then your coins are lost. You are similarly at risk with the SSSS implementation that you use. There is not a standard implementation like there is with BIP39, so if the implementation you use is poorly designed then you could potentially leak enough information for an attacker to steal your coins.
BlackHatCoiner (Legendary)
August 26, 2021, 02:52:42 PM
#22

Quote
Besides, I doubt attacking Bitcoin will be a top priority if governments have one.
If we assume that ECDSA & ECIES can be broken, then I also doubt they would attack Bitcoin first. I guess they would keep it secret and read every message they were previously unable to. If quantum computing somehow makes it possible to find a RIPEMD-160 collision, then things change. They could destroy Bitcoin whenever they wanted, which would then be an upheaval (not temporary!) for the crypto market.

Quote
That's actually incorrect.
I'm feeling very lucky that I learned about Bitcoin in a community that corrects Antonopoulos!

pooya87 (Legendary)
August 27, 2021, 03:16:18 AM
Merited by HCP (2), ABCbits (1), Pmalek (1)
#23

Quote from: BlackHatCoiner
That's actually incorrect.
I'm feeling very lucky that I learned about Bitcoin in a community that corrects Antonopoulos!
I don't think A.A. was wrong, but OP used ambiguous language.
Quote
the last word of the phrase is the checksum, and since only one word fits in that position, it can be brute-forced much easier than the rest.
It probably wasn't saying "only one valid word can be placed there" but pointing out the fact that the last word in any X-word mnemonic represents less than 11 bits of entropy. So for example in the case of 24 words you would be missing only 3 bits, whereas if the first word was missing you would be missing 11 bits. So it is faster to brute force the last word than it is any other word.
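The "less than 11 bits" point above, as an added illustration that is not part of the thread and not Andreas's or any wallet's code: BIP39 appends the first ENT/32 bits of SHA-256(entropy) as a checksum, so the last 11-bit word of a 24-word phrase holds 3 entropy bits plus 8 checksum bits, and exactly 2^3 = 8 last words (2^7 = 128 for 12 words) pass the checksum. The code works on word indices only, so no wordlist is embedded.

```python
"""Why the last word of a BIP39 mnemonic carries fewer than 11 bits.  Added
illustration for this thread, not Andreas's or any wallet's code.  It works
on word indices only, so no wordlist is embedded: word i of the mnemonic is
the i-th 11-bit group of entropy || checksum, and the checksum is the first
ENT/32 bits of SHA-256(entropy), as specified in BIP39."""
import hashlib
import secrets


def checksum(entropy: bytes) -> int:
    """Top ENT/32 bits of SHA-256(entropy): 4 bits for 128-bit, 8 for 256-bit."""
    cs_len = len(entropy) * 8 // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return digest >> (256 - cs_len)


def word_indices(entropy: bytes) -> list[int]:
    """Split entropy || checksum into 11-bit word indices (12 or 24 of them)."""
    ent = len(entropy) * 8
    cs_len = ent // 32
    bits = (int.from_bytes(entropy, "big") << cs_len) | checksum(entropy)
    n_words = (ent + cs_len) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def valid_last_words(known: list[int], ent: int) -> list[int]:
    """All last-word indices that give a valid checksum after `known`, the
    indices of every word but the last.  Exactly 2^(11 - ENT/32) qualify:
    128 for a 12-word phrase, 8 for a 24-word phrase."""
    cs_len = ent // 32
    n_words = (ent + cs_len) // 11
    assert len(known) == n_words - 1
    prefix = 0
    for idx in known:
        prefix = (prefix << 11) | idx
    valid = []
    for last in range(2048):
        full = (prefix << 11) | last
        entropy = (full >> cs_len).to_bytes(ent // 8, "big")
        if checksum(entropy) == full & ((1 << cs_len) - 1):
            valid.append(last)
    return valid


def last_word_entropy_bits(ent: int) -> int:
    """Entropy bits actually chosen by the last word: 11 minus the checksum."""
    return 11 - ent // 32


if __name__ == "__main__":
    for ent in (128, 256):
        entropy = secrets.token_bytes(ent // 8)   # fresh random entropy
        idx = word_indices(entropy)
        valid = valid_last_words(idx[:-1], ent)
        assert idx[-1] in valid
        print(f"{len(idx)} words: {len(valid)} valid last words "
              f"= 2^{last_word_entropy_bits(ent)}")
```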

HCP (Legendary)
August 29, 2021, 10:25:51 PM
#24

Quote from: pooya87
I don't think A.A. was wrong, but OP used ambiguous language.
I didn't watch the stream... so I've no idea what words were actually used... but I'd be kinda surprised if Andreas actually made that mistake tbh.


Quote
Andreas also explains that if someone were to find a part of Shamir's share and if that part is less than the quorum, it's like not having any information about the seed at all. That's the complete opposite of knowing 8 or 16 words as explained in the example in OP.
That's actually a very good point... by effectively encrypting the seed words, any share is rendered useless by itself (assuming you have more than 1 share!)... whereas, with just splitting up the seed words, the information is still "readable" and usable to mount an attack.

o_e_l_e_o (Legendary, In memoriam)
August 30, 2021, 07:56:02 AM
Merited by pooya87 (2)
#25

Quote from: HCP
but I'd be kinda surprised if Andreas actually made that mistake tbh.
He actually does state this incorrectly.

https://youtu.be/p5nSibpfHYE?t=280
Quote
because only the one word which fits perfectly completes the checksum

https://youtu.be/p5nSibpfHYE?t=311
Quote
that means there are 7 words which contain key material in the missing share - how hard is it to crack or brute force 7 words?

He does then go on to correctly state that it would be brute forcing 80 bits though. Whether or not he actually made a mistake or whether he was just "dumbing it down" for his viewers or not is another question. I did see another video where he incorrectly stated (multiple times) that the BIP39 wordlist starts at "about" and ends at "zebra", though.
Pmalek (OP) (Legendary)
August 30, 2021, 12:35:20 PM
Last edit: August 30, 2021, 01:47:18 PM by Pmalek
#26

Quote from: o_e_l_e_o
I did see another video where he incorrectly stated (multiple times) that the BIP39 wordlist starts at "about" and ends at "zebra", though.
He sometimes makes mistakes or states incomplete information. In one of his bitcoin for beginners series, he advocates for the use of passphrases as an extension to your seed. But he goes on to mention that a simple 4-6 letter English word is a strong-enough passphrase. (I misheard. What he said is explained here.) I can't comment on how easy that could be brute-forced, but I am sure some of you will.

o_e_l_e_o (Legendary, In memoriam)
August 30, 2021, 01:06:18 PM
Merited by NeuroticFish (3), Pmalek (1)
#27

Quote from: Pmalek
In one of his bitcoin for beginners series, he advocates for the use of passphrases as an extension to your seed. But he goes on to mention that a simple 4-6 letter English word is a strong-enough passphrase. I can't comment on how easy that could be brute-forced, but I am sure some of you will.
Do you have a link for the video in question? The errors I have discussed above are small errors, could be a simple mistake, and don't change the essence of the message he is delivering. This, on the other hand, is a significant error and terrible advice. Using a single English dictionary word limits your options to around 150,000, depending on the dictionary you are looking at. Look at only 4-6 letter words and you are down below 50k. You only have to perform 2048 rounds of PBKDF2 and then a handful more hashes and EC multiplications to derive the first few addresses. A quick benchmark check on my not-very-powerful computer with btcrecover means I could brute force this in well under a minute.

I would be very surprised if he was giving out such poor advice. This isn't a simple slip-up like the others - this is a fundamental misunderstanding of what constitutes a good passphrase. Is there a possibility you perhaps misheard/misremember, and he actually said 4-6 words rather than a single word of 4-6 characters?
Pmalek (OP) (Legendary)
August 30, 2021, 01:45:25 PM
Merited by o_e_l_e_o (4)
#28

Quote from: o_e_l_e_o
Is there a possibility you perhaps misheard/misremember, and he actually said 4-6 words rather than a single word of 4-6 characters?
I misheard, you are right. It was my mistake. I watched through several videos to find the correct one. This is the video. At 7:15 he starts talking about the passphrase length and says: "a simple 4 to 6 word, random English word passphrase is sufficient". The way he structured that sentence got me thinking that he was talking about characters and not words.

If you enable the subtitles, you will notice that they are different from what he said in the video. In the subtitles they wrote: "a simple (set) of 4 to 6 random English words is a sufficient passphrase".

Sorry Andreas!

o_e_l_e_o (Legendary, In memoriam)
August 31, 2021, 08:13:52 AM
Merited by Pmalek (1)
#29

You've led me down a rabbit hole of Antonopoulos' YouTube videos now.

Here he is in 2018 suggesting using 8-10 words as a passphrase: https://www.youtube.com/watch?v=cAP2u6w_1-k&t=740s. So it seems in the last 3 years he has significantly reduced what he considers necessary for a passphrase.

For interest, if we take my number of ~150,000 words in the English language, then (assuming randomly chosen words) 4 words gives around 68.8 bits of entropy, whereas 10 words would give around 171.9 bits of entropy. I would say the former is too low, while the latter (although very secure) is probably unnecessarily high, given that bitcoin itself "only" has 128 bits of security. 7-8 words gives a range of around 120 - 137 bits of entropy, which is more in the region of being as secure as a 12 word seed phrase and incredibly difficult/impossible to brute force.

This is even more relevant when considering that most people using several words as a passphrase will not be using a truly random source of dictionary words. They will either be picking the "random" words manually and therefore not be random at all, or they will (even worse) be selecting words which have some meaning for them, are easy to remember, are linked in some way, etc.
Pmalek (OP) (Legendary)
August 31, 2021, 10:03:13 AM
#30

Quote from: o_e_l_e_o
<Snip>
Why use real words at all? It should be more secure using random letters, numbers, and special characters instead of real dictionary words. I have always wondered whether the two examples below are equally easy/difficult to bruteforce.

1. apple cup
2. !J-"g 5&b

They have the same number of characters, but the second sequence should be much more difficult to crack. Or am I looking at it wrongly?

o_e_l_e_o (Legendary, In memoriam)
August 31, 2021, 10:43:24 AM
Merited by n0nce (1)
#31

Quote from: Pmalek
They have the same number of characters, but the second sequence should be much more difficult to crack. Or am I looking at it wrongly?
No, you're absolutely right. Given two passphrases of the same length, then random characters (including lower and uppercase letters, numbers, and symbols) will have significantly more entropy than individual words. Two words would have around 150,000^2 ≈ 34 bits of entropy, whereas 10 random characters would have around 95^10 ≈ 65 bits.

The difference comes because such passphrases are rarely of the same length. 8 words might have around 40-50 characters in total, but very few people would use a passphrase of 50 random characters. To achieve a passphrase of >128 bits of security, you would need 20 random characters or 8 random words. Given the two following passphrases then:

.ujG&Yb!zVs[E`qS8\7@

wrong spoil drawing bottle underline ear dictate division

Most people will find it easier to remember (even though you shouldn't), write down, back up, and re-enter the words rather than the random characters.
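The entropy figures in posts #29 and #31 (4 words ≈ 68.8 bits, 150,000^2 ≈ 34 bits, 95^10 ≈ 65 bits, 8 words or 20 characters for 128 bits), worked through as an added example that is not part of the thread and not Andreas's or any wallet's code, together with a word picker that draws from a CSPRNG rather than a human's idea of "random" (post #29's caveat). DICT_WORDS and PRINTABLE are the thread's own figures; WORDLIST is a tiny constructed stand-in.

```python
"""The passphrase-entropy arithmetic used in this thread, plus a word picker
that uses a CSPRNG rather than a human's sense of "random".  Added
illustration, not Andreas's or any wallet's code.  DICT_WORDS and PRINTABLE
are the thread's own figures; WORDLIST is a tiny constructed stand-in (a
real passphrase would draw from the 2048-word BIP39 list or a dictionary)."""
import math
import secrets

DICT_WORDS = 150_000   # the thread's estimate of English dictionary words
PRINTABLE = 95         # printable ASCII characters
TARGET_BITS = 128.0    # the thread's target: no weaker than a 12-word seed


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` items drawn uniformly and independently from
    `pool_size` alternatives: count * log2(pool_size)."""
    return count * math.log2(pool_size)


def items_needed(pool_size: int, target_bits: float = TARGET_BITS) -> int:
    """Smallest count of items whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))


def random_word_passphrase(wordlist, target_bits: float = TARGET_BITS) -> str:
    """Pick words with secrets.choice until the target entropy is reached.
    Hand-picked, meaningful or related words do not get this entropy."""
    n = items_needed(len(wordlist), target_bits)
    return " ".join(secrets.choice(wordlist) for _ in range(n))


# Constructed 16-word list (log2(16) = 4 bits per word), for the demo only.
WORDLIST = ["wrong", "spoil", "drawing", "bottle", "underline", "ear",
            "dictate", "division", "apple", "cup", "river", "stone",
            "candle", "orbit", "marble", "thread"]


if __name__ == "__main__":
    print(f"2 dictionary words : {entropy_bits(DICT_WORDS, 2):.1f} bits")
    print(f"10 random chars    : {entropy_bits(PRINTABLE, 10):.1f} bits")
    print(f"4 / 10 words       : {entropy_bits(DICT_WORDS, 4):.1f} / "
          f"{entropy_bits(DICT_WORDS, 10):.1f} bits")
    print(f"words for 128 bits : {items_needed(DICT_WORDS)}")
    print(f"chars for 128 bits : {items_needed(PRINTABLE)}")
    print(random_word_passphrase(WORDLIST, 40))   # 10 words from the toy list
```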
COBRAS (Member)
November 08, 2021, 05:57:23 PM
#32

Sha256 from 12 or 24 word is sha256. Not secure like 24 words, and 12 words too.

Kakmakr (Legendary)
November 09, 2021, 07:47:28 AM
#33

My suggestion will be to obfuscate the seed, not to look like a seed, when you do split it. I have done this in a way that 4 family members will be able to put my seeds together, if something happens to me. They cannot do anything with their portion of the seed and my lawyer has the instructions in my "Will" to explain to them what to do. (E.g. make a sentence with the seed and give the template to the lawyer to put it all together.)

The fail safe will be to give an encrypted video to each of the family members, with instructions on what to do, if something happens to you. (The password to decrypt it is with the lawyer and he does not know what the password is for.)

Pmalek (OP) (Legendary)
November 09, 2021, 12:02:04 PM
#34

Quote from: Kakmakr
My suggestion will be to obfuscate the seed, not to look like a seed, when you do split it. I have done this in a way that 4 family members will be able to put my seeds together, if something happens to me.
What if one or several of your family members loses their part of the seed/seeds? Is that when the fail safe that you mentioned at the end of your post will kick in?

Quote from: Kakmakr
They cannot do anything with their portion of the seed and my lawyer has the instructions in my "Will" to explain to them what to do. (E.g. make a sentence with the seed and give the template to the lawyer to put it all together.)
Will the lawyer know how to put the words together and arrange them from 1-12/24, or does he just keep the correct instructions (template)? I didn't understand if the lawyer is the one who is tasked to put the words in the correct order based on the info given to him by the inheritors. If he is, do you absolutely trust him with that information?

o_e_l_e_o (Legendary, In memoriam)
November 09, 2021, 12:48:07 PM
#35

Quote from: Pmalek
-snip-
This is why I would prefer to use a 3-of-4 multi-sig in such a scenario. It has redundancy built into it in case one family member loses their key or is otherwise unavailable or incapacitated, and it does not require complete trust in any one person or device. With shares being combined by the lawyer, there is a risk that either the lawyer or someone else who works for that person/company could access the completed secret, and there is a risk that the device they use to combine the shares is compromised.

It also means a majority of people have to agree on how to split up your funds. With shares being combined by a lawyer, whichever family member is in charge of your estate could simply choose to move all the coins to their own wallet. With a multi-sig at least 3 of the 4 must agree on how the funds are being split up.