BSPO - A Simple Method for Securing BIP39 Seed Phrases

[bipshuffle]

In the fallout of the FTX exchange, the importance of Bitcoin self-custody is more apparent than ever. However, self-custody comes with its own set of risks such as uninsured loss and theft.
To this end, we've designed and developed BSPO (hosted at https://bipshuffle.com), a free and simple method of securing BIP39 seed phrases. This method is applicable to most hardware/software non-custodial wallets, such a Trezor, Ledger, Exodus, MetaMask, and many others.

The overarching theme of this tool is that storing seed phrases in plain-text on a piece of paper is risky. You probably don’t feel comfortable storing a large portion of your cash savings at home, so why should you feel comfortable storing your Bitcoin savings in a single location?

Existing solutions to this dilemma generally require seed phrases to be digitally entered, which is also risky. BSPO provides a method of encrypting a seed phrase through simple tabular look-ups, which can be accomplished completely offline.

For more details, please see the whitepaper available at https://bipshuffle.com/whyusebspo
This is the first iteration of this tool. Please consider leaving feedback.

[1714662194]

1714662194

[1714662194]

1714662194

[ABCbits]

Few thoughts,
1. While it's interesting project, personally i see it as trade-off between security and ease of recoverability.
2. I checked PDF of encryption/decryption table, but i find the font is very small if people print it on legal/A4 paper size.
3. Take note while Electrum support BIP 39, it generate 12 words using it's own seed format. It'd be appreciated if you let visitor of your website know about that since you mention Electrum as example of software wallet.

[DaveF]

Starting with I can't find your source code and the site will not work if it's not connected to the internet so it's dangerous and insecure and until those are fixed nobody should use it.

Interesting concept but you are advising people to print it on paper and now requiring a multi-step process for recovery.

Since it's free it has that as a major advantage over a hardware wallet and some sort of metal seed holder. But, it's on paper which is vulnerable to a lot of damage.

Not a hit against what you are doing but IMO more secure seed storage is going to be better then a more complicated way to write a seed.

-Dave

[o_e_l_e_o]

I don't think this adds anything over a seed phrase/passphrase combo or a multi-sig wallet, while also losing the plausible deniability which comes with both of those.

With your system, you need 4 back ups in separate places - two of your encrypted seed phrase, and two of your decryption table. Compromise of one back up is insufficient to steal your funds, but compromise of one of each back up will lead to your funds being stolen. This is identical to a seed phrase/passphrase combo (which should have two back ups of the seed phrase and two back ups of the passphrase), or a 2-of-2 multi-sig wallet (which should have two back ups of each cosigner).

However, with your system, if an attacker finds your encrypted seed phrase or a decryption table, they will know they have found something to do with a seed phrase but will not be able to access any wallet at all (given an only 1 in 256 chance of randomly passing the checksum with a 24 word seed phrase), incentivizing them to either keep looking for your other back ups, or to just attack you directly.

With a seed phrase/passphrase combo, if an attacker finds a copy of your seed phrase, they can access a base wallet which you can set up as a decoy, hiding the fact that you have a passphrased wallet at all. If they find a copy of your passphrase, you can easily deny it has anything to do with bitcoin at all (bonus points if you use that passphrase as a decryption key for some encrypted volume full of plausibly "sensitive" material). Similarly, if they find a copy of one seed phrase from a 2-of-2 multi-sig wallet, they can recover a standard single sig wallet with that seed phrase, which again, you can have set up as a decoy, hiding the fact you have a multi-sig wallet at all.

I note the point you make in your whitepaper about passphrases potentially being insecure if the user chooses an insecure one, but this is easily mitigated by simply not doing that.

And as DaveF says: Where is your source code? This is something that must be examined and ran offline.

[bipshuffle]

Thank you all for your feedback.

Addressing some of what was mentioned here:

Starting with I can't find your source code and the site will not work if it's not connected to the internet so it's dangerous and insecure and until those are fixed nobody should use it.
-Dave

BSPO is designed to be usable offline, just print the encryption/decryption tables. That being said, you're right that the source code should be made open source, especially if people are to use the encryption table through the site. After cleaning up the code a bit, I'm happy to release it.

2. I checked PDF of encryption/decryption table, but i find the font is very small if people print it on legal/A4 paper size.
3. Take note while Electrum support BIP 39, it generate 12 words using it's own seed format. It'd be appreciated if you let visitor of your website know about that since you mention Electrum as example of software

2. - I'm aware the BSPO Full tables are very difficult to read in PDF (BSPO Lite font size seems sufficiently large - please let me know if you disagree with this opinion). If user demand requires, I'll reformat the table layout to landscape mode and increase font size.
3. - Thanks for this note, I wasn't aware of this.

I don't think this adds anything over a seed phrase/passphrase combo or a multi-sig wallet, while also losing the plausible deniability which comes with both of those.

With your system, you need 4 back ups in separate places - two of your encrypted seed phrase, and two of your decryption table. Compromise of one back up is insufficient to steal your funds, but compromise of one of each back up will lead to your funds being stolen. This is identical to a seed phrase/passphrase combo (which should have two back ups of the seed phrase and two back ups of the passphrase), or a 2-of-2 multi-sig wallet (which should have two back ups of each cosigner).

I appreciate the comparison against existing seed storage methods. However, I disagree with this analysis. Consider the seed/passphrase combo with two seed phrase backups and two passphrase backups. Let's call the seed phrases S1 and S2, and call the passphrases P1 and P2. Assuming you mean that the "backups" are replicas of eachother, if an attacker found S1, in order to compromise the underlying funds, they could also either find P1 OR P2. The same could be said regarding the discovery of S2.

Alternatively in BSPO, let's refer to the encrypted seed phrases as E1 and E2 and call their corresponding decryption table D1 and D2. If an attacker finds E1, they MUST find D1 in order to compromise the funds (D2 provides no information). 

The 2-of-2 multi-sig wallet is also a different arrangement, one that is essentially equivalent to applying a single round of BSPO (which the simplified statistical analysis provided in the whitepaper shows, is a poor way to secure a seed phrase).

With a seed phrase/passphrase combo, if an attacker finds a copy of your seed phrase, they can access a base wallet which you can set up as a decoy, hiding the fact that you have a passphrased wallet at all. If they find a copy of your passphrase, you can easily deny it has anything to do with bitcoin at all (bonus points if you use that passphrase as a decryption key for some encrypted volume full of plausibly "sensitive" material). Similarly, if they find a copy of one seed phrase from a 2-of-2 multi-sig wallet, they can recover a standard single sig wallet with that seed phrase, which again, you can have set up as a decoy, hiding the fact you have a multi-sig wallet at all.

I note the point you make in your whitepaper about passphrases potentially being insecure if the user chooses an insecure one, but this is easily mitigated by simply not doing that.

I think you're right that users can cleverly come up with ways to make effective decoy wallets, especially if they choose cryptographically secure passphrases. The problem is counting on users to choose secure phrases and come up with clever ways to secure their own funds. This problem is not as trivial as it might sound, choosing a cryptographically secure passphrase typically means that passphrase is not easily remembered and should be written down. Once the passphrase is written down, you're effectively creating a similar setup to what's mentioned above (2-of-2 multi-sig equivalent, or if replicated, S1, S2, P1, P2 scenario). What BSPO offers in comparison is the ability to derive multiple unique pairs of information where a full unique pair must be obtained to compromise the underlying asset (as opposed to being able to access funds from any two pieces of information of differing types). It's a subtle difference, but one that makes some difference in security.

BSPO attempts to make the process of secure seed phrases relatively simple/fool-proof, but admittedly likely falls short in some ways - which is why this feedback is highly appreciated. Once again, thank you!

[o_e_l_e_o]

Alternatively in BSPO, let's refer to the encrypted seed phrases as E1 and E2 and call their corresponding decryption table D1 and D2. If an attacker finds E1, they MUST find D1 in order to compromise the funds (D2 provides no information).

That's not a fair comparison. You are comparing having two identical seed phrase back ups and two identical passphrase back ups in the case of a single seed phrase/passphrase wallet, against having only two different encrypted seed phrase and two different decryption tables for two different wallets.

You should never only have one back up of any element of your set up. If you are using your system, then each wallet should have (at a minimum) two identical back ups of the encrypted seed phrase and two identical back ups of the decryption table. When you compare like for like, there is no difference in this regard between your system, seed phrase/passphrase, or 2-of-2 multi-sig.

The 2-of-2 multi-sig wallet is also a different arrangement, one that is essentially equivalent to applying a single round of BSPO (which the simplified statistical analysis provided in the whitepaper shows, is a poor way to secure a seed phrase).

Hard disagree. Not only is a multi-sig wallet a great way to secure your funds, but it also brings the significant benefit of avoiding a single point of failure by requiring at least two wallets on two different devices to sign any transaction.

What BSPO offers in comparison is the ability to derive multiple unique pairs of information where a full unique pair must be obtained to compromise the underlying asset (as opposed to being able to access funds from any two pieces of information of differing types).

I don't think this is different at all. With either a seed phrase/passphrase or a 2-of-2 multi-sig set up, it must obviously be a unique pair of back ups which are obtained in order to compromise the wallet. Obtaining the same seed phrase twice achieves nothing.

[hosseinimr93]

BSPO is designed to be usable offline, just print the encryption/decryption tables.

It seems that you didn't get DaveF.
Working offline means that the encryption/decryption table can be generated on an offline device and you don't need internet connection for that.
It's not possible to use your tool without internet connection.

[dkbit98]

How exactly can this method be used offline?
I just tried to do Reshuffle and I got presented with eternal google captchas that I couldn't solve after many attempts, that makes it unusable for me at the moment.
To make it work I would have to wait for some time, or use different browser until google decides i am human being and it lets me solve captchas.
For anything like this to be used, it must be released as Open Source and inspected by Bitcoin security experts, but I think it's adding extra complexity that could result in losing of coins.

[bipshuffle]

Alternatively in BSPO, let's refer to the encrypted seed phrases as E1 and E2 and call their corresponding decryption table D1 and D2. If an attacker finds E1, they MUST find D1 in order to compromise the funds (D2 provides no information).

That's not a fair comparison. You are comparing having two identical seed phrase back ups and two identical passphrase back ups in the case of a single seed phrase/passphrase wallet, against having only two different encrypted seed phrase and two different decryption tables for two different wallets.

You should never only have one back up of any element of your set up. If you are using your system, then each wallet should have (at a minimum) two identical back ups of the encrypted seed phrase and two identical back ups of the decryption table. When you compare like for like, there is no difference in this regard between your system, seed phrase/passphrase, or 2-of-2 multi-sig.

No, I'm comparing having two identical seed phrase back ups and two identical passphrase back ups in the case of a single seed phrase/passphrase wallet against having two different encrypted seed phrases and two different decryption tables for a SINGLE wallet. That's precisely what makes it advantageous. In both cases, four pieces of information exist in relation to a single wallet.
In the former case the four pieces are seeds S1 and S2 and passwords P1 and P2. In the latter case the four pieces are encrypted seeds E1 and E2 and decryption tables D1 and D2.
In the former case, finding (S1 and P1), (S1 and P2), (S2 and P1) or (S2 and P2) will result in compromised funds. In the latter case finding (E1 and D1) or (E2 and D2) results in compromised funds.
More generally, without BSPO - as the number of backups of seeds/passphrases increases the higher the probability that an attacker finds these pieces of information and funds are compromised whereas with BSPO, though the chance of theft does increase, it's not as dramatic.
Ultimately, which method is "better" depends on what you assume the relative prior probabilities of theft vs loss to be for each piece of information (following the basic statistical framework discussed in the whitepaper - and assuming the passphrase protected wallet uses a secure password.).

The 2-of-2 multi-sig wallet is also a different arrangement, one that is essentially equivalent to applying a single round of BSPO (which the simplified statistical analysis provided in the whitepaper shows, is a poor way to secure a seed phrase).

Hard disagree. Not only is a multi-sig wallet a great way to secure your funds, but it also brings the significant benefit of avoiding a single point of failure by requiring at least two wallets on two different devices to sign any transaction.

Operating under the assumption that the multi-sig wallet being used is derived from private keys from two different hierarchical wallets, I'd argue that indeed it's equivalent to a single round of BSPO in the sense that if either private key/wallet is lost in the multi-sig wallet, the underlying funds cannot be recovered (analogous to either the encrypted seed or decryption table being lost); but an attacker obtaining either private key gains no useful information just as an attacker finding either the encrypted seed or decryption table gains no useful information.

I don't think this is different at all. With either a seed phrase/passphrase or a 2-of-2 multi-sig set up, it must obviously be a unique pair of back ups which are obtained in order to compromise the wallet. Obtaining the same seed phrase twice achieves nothing.

See answer to first quote above. Not sure if we're talking across from eachother, or if there's a misunderstanding somewhere.

How exactly can this method be used offline?
I just tried to do Reshuffle and I got presented with eternal google captchas that I couldn't solve after many attempts, that makes it unusable for me at the moment.
To make it work I would have to wait for some time, or use different browser until google decides i am human being and it lets me solve captchas.
For anything like this to be used, it must be released as Open Source and inspected by Bitcoin security experts, but I think it's adding extra complexity that could result in losing of coins.

Apologies for the annoying captchas. Though there's no reasonable way (at least that I can conceive) that an attack could be conducted if someone downloads the tables, I agree that the code should be made open source and be available in a completely offline format (even if for no reason other than to verify that the shuffle method is sufficiently random).

While it's true font size of BSPO lite is bigger than BSPO full, personally i find both have small font size. At very least, i think font size of BSPO full should match BSPO lite's. And google reCAPTCHA before downloading the PDF is mildly annoying.

Noted. Thank you.

[bipshuffle]

You should never only have one back up of any element of your set up. If you are using your system, then each wallet should have (at a minimum) two identical back ups of the encrypted seed phrase and two identical back ups of the decryption table. When you compare like for like, there is no difference in this regard between your system, seed phrase/passphrase, or 2-of-2 multi-sig.

To your point though, in the same manner of equivalency discussed above, a 1-of-2 multi-sig wallet where each wallet is passphrase protected would be "equivalent" to 2 rounds of BSPO ((S1 and P1) or (S2 and P2) would be needed to unlock funds) - so thank you for pointing this out.
I suppose then a relevant question is -- "is applying BSPO twice easier than setting up a passphrase protected 1-of-2 multi-sig wallet?"

[NotATether]

I suppose then a relevant question is -- "is applying BSPO twice easier than setting up a passphrase protected 1-of-2 multi-sig wallet?"

Pretty much everything else is easier than setting up a multisig wallet to the average user, including learning university math. In case these people do manage to set one up, they will eventually shoot themselves in the foot later on when trying to recover their wallet.

Still though, unless users can run the code locally, there is a risk your site will go down and people don't be able to unscramble their seed phrases.

[o_e_l_e_o]

No, I'm comparing having two identical seed phrase back ups and two identical passphrase back ups in the case of a single seed phrase/passphrase wallet against having two different encrypted seed phrases and two different decryption tables for a SINGLE wallet. That's precisely what makes it advantageous. In both cases, four pieces of information exist in relation to a single wallet.
In the former case the four pieces are seeds S1 and S2 and passwords P1 and P2. In the latter case the four pieces are encrypted seeds E1 and E2 and decryption tables D1 and D2.
In the former case, finding (S1 and P1), (S1 and P2), (S2 and P1) or (S2 and P2) will result in compromised funds. In the latter case finding (E1 and D1) or (E2 and D2) results in compromised funds.

Again, the comparison is not fair because your system has less redundancy.

In the former I can lose either S1 and P2 or S2 and P1 and still recover my wallets just fine. In your system if I lose E1 and D2 or E2 and D1 then my wallets are irretrievably lost. Your system has a lower chance of theft balanced against a higher risk of loss. If you want to compare like-for-like, which requires at least 2 copies of every piece of information (as any good back up scheme should have), then there is no difference.

Operating under the assumption that the multi-sig wallet being used is derived from private keys from two different hierarchical wallets, I'd argue that indeed it's equivalent to a single round of BSPO in the sense that if either private key/wallet is lost in the multi-sig wallet, the underlying funds cannot be recovered (analogous to either the encrypted seed or decryption table being lost); but an attacker obtaining either private key gains no useful information just as an attacker finding either the encrypted seed or decryption table gains no useful information.

A multi-sig wallet could be made to be 2-of-3 or 3-of-5 precisely to mitigate this possibility.

[bipshuffle]

In the former I can lose either S1 and P2 or S2 and P1 and still recover my wallets just fine. In your system if I lose E1 and D2 or E2 and D1 then my wallets are irretrievably lost. Your system has a lower chance of theft balanced against a higher risk of loss. If you want to compare like-for-like, which requires at least 2 copies of every piece of information (as any good back up scheme should have), then there is no difference.

How would you recover your wallets having lost S1 and P2 or S2 and P1?

A multi-sig wallet could be made to be 2-of-3 or 3-of-5 precisely to mitigate this possibility.

Sure, but now the comparison is no longer apples to apples.

I'm not arguing that there aren't decent ways to secure wallets as of now. Shamir's Secret Sharing can also be used to cleverly store keys (even without multi-sig). I'm arguing that existing methods are either overly complex for the layman or have some sort of implicit insecurity such as having to digitally enter a seed phrase.

Pretty much everything else is easier than setting up a multisig wallet to the average user, including learning university math. In case these people do manage to set one up, they will eventually shoot themselves in the foot later on when trying to recover their wallet.

Still though, unless users can run the code locally, there is a risk your site will go down and people don't be able to unscramble their seed phrases.

The site being down makes no difference in decryption. Users should have/must have downloaded or printed their unique decryption tables ahead of time.

The importance of the tool being available offline is more to ensure the shuffle method is secure and that there's no monitoring of where users spend time looking at the encryption tables in browser(which could be used to statistically deduce the original seed phrase).

[hosseinimr93]

How would you recover your wallets having lost S1 and P2 or S2 and P1?

If you have lost S1 and P2, you still have S2 and P1. If you have lost S2 and P1, you still have S1 and P2.
Since S1=S2 and P1=P2, you actually have the seed phrase and passphrase of your  single-sig wallet and you can easily recover it.

[o_e_l_e_o]

How would you recover your wallets having lost S1 and P2 or S2 and P1?

Because S1 and S2 are both copies of the same seed phrase, and P1 and P2 are both copies of the same passphrase. Ideally I would have even more back ups than that, perhaps 3 of my seed phrase and 3 of my passphrase. I only need to recover any one S and one P to be able to access my coins, whereas with your system I must recover a specific pair otherwise my back ups are useless.

Shamir's Secret Sharing can also be used to cleverly store keys (even without multi-sig).

I wouldn't suggest using Shamir's Scheme for the reasons detailed here and here.

I'm arguing that existing methods are either overly complex for the layman or have some sort of implicit insecurity such as having to digitally enter a seed phrase.

I would agree that a good multi-sig is more complicated to set up, but I would argue that generating a passphrase and writing that down on paper (which everyone is already doing with their seed phrase) is significantly easier than your system.

I don't mean to disparage your idea, but as I said in my first post, I just don't think it adds anything over existing solutions.

[bipshuffle]

Because S1 and S2 are both copies of the same seed phrase, and P1 and P2 are both copies of the same passphrase. Ideally I would have even more back ups than that, perhaps 3 of my seed phrase and 3 of my passphrase. I only need to recover any one S and one P to be able to access my coins, whereas with your system I must recover a specific pair otherwise my back ups are useless.

Apologies - you're right based on the prior context. However, it's worth noting that the difference is that as you increase the number of backups, you're potentially making yourself more vulnerable to theft. Yes, you're decreasing the likelihood you lose your seed phrase, but you're increasing the chance someone stumbles upon it (any phrase and any password).

With BSPO, you increase redundancy with each pair of encrypted seed and table created, but the chance someone finds the specific pair is less than the chance of someone finding any pair of the former method.

I don't mean to disparage your idea, but as I said in my first post, I just don't think it adds anything over existing solutions.

Not at all, I really appreciate this feedback. Multi-sig wallets in particular are a solution I hadn't previously explored to much depth. 

[o_e_l_e_o]

Yeah, true enough. I guess everyone has to figure out for themselves their own risk profile, and whether they want more back ups providing greater redundancy against loss, or fewer back ups providing greater protection against accidental discovery. My own feeling is that if your back up is in a position to be accidentally discovered, then you have chosen a poor back up location and should think again. Anyone finding a back up should be doing it as result of a targeted attack, rather than random chance.

I would have some concerns with your system that someone would be tempted to store E1 and D2 in the same place since they are useless together, and E2 and D1 together for the same reason, to minimize the number of secure back up locations they need. But then if they lose just one back up location, such as due to a fire in their house, then they've lost everything.

[bipshuffle]

I would have some concerns with your system that someone would be tempted to store E1 and D2 in the same place since they are useless together, and E2 and D1 together for the same reason, to minimize the number of secure back up locations they need. But then if they lose just one back up location, such as due to a fire in their house, then they've lost everything.

Fair point, though the site does make sure to note "Store your two decryption tables and two seed phrases in four different locations.".
Of course, there will always be some who don't follow instructions to a tee.

Assuming a risk profile can definitely be used to determine the best storage method, though it's very difficult to accurately quantify. The hypothetical framework outlined in the whitepaper is admittedly overly simplistic; though I feel it provides some useful insight into a modeling approach that could be taken to a greater depth.

[SeeBiscuit]

Idk if it’s relevant but Solana is doing a seed vault in their new SMS phone.

Their seed vault is a separate OS from the phone, but it signs transactions and stuff.

Many questions to raise but putting hardware wallet capability into a phone is cool.

As far as good methods to store seeds, you can find a book and write down the page number each phrase word is on. Or something like that.