Bitcoin Forum
Author Topic: Xor or multisig  (Read 669 times)
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
January 08, 2023, 02:03:19 PM
Merited by BlackHatCoiner (4)
 #21

I mean think about it, you have to write down a nightmare like this
I never said it was easy. :P But yes, I have hand written xpubs like that before. Sure, it takes time, and it takes even longer to then type them back in to your computer from your hand written back up in order to check the accuracy, but you only have to do it once when you set up your wallet. I'm obviously not doing it for every wallet I own, but for a one off super safe cold storage wallet, I don't mind spending the time doing so. It's the same argument as when people say flipping a coin 256 times takes too long so cut corners and end up with some harebrained and insecure scheme instead.

But as I said, you can also opt to print off your xpubs with minimal additional risk. All the xpubs will be present on each electronic device which holds one of your multi-sig wallets anyway. So if you have a dumb printer, there is very little additional risk to plugging it in and spitting out however many copies of each xpub.
Husires
Legendary
*
Offline Offline

Activity: 1596
Merit: 1285



View Profile WWW
January 08, 2023, 02:08:02 PM
 #22


SSS is a poor choice for a wide number of reasons:
https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

Again, multi-sig remains the better choice, or even just a single sig wallet with an additional passphrase and multiple back ups.

This article talks about the comparison between SSS and multi-sig, which I consider wrong. If we want to compare, we must compare SSS vs XOR or any other split methods, not multi-sig.
and by poor article use splitting the private key using SSS and not the wallet seed.
SSS can give a dynamic for multi-sig if hacking/adding new members happens, and by occasionally changing the polynomial of multi-sig, xpubs can be divided to new members without creating a new one.

BlackHatCoiner
Legendary
*
Offline Offline

Activity: 1512
Merit: 7342


Farewell, Leo


View Profile
January 08, 2023, 03:31:33 PM
 #23

But as I said, you can also opt to print off your xpubs with minimal additional risk.
That's a good idea. You print them, and then check in an airgapped device if they're printed correctly. The additional risk, I suppose, is privacy related?

All the xpubs will be present on each electronic device which holds one of your multi-sig wallets anyway.
I think it is more appropriate to hold a backup of the printed xpubs along with a seed phrase. There is an additional risk (again, privacy related) but you ensure that you only lose access to the xpubs if you've lost every single seed phrase (which would lock you out anyway).

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
January 08, 2023, 04:39:49 PM
 #24

This article talks about the comparison between SSS and multi-sig which I consider wrong.
I don't think so. Both systems have the same underlying goal - require the combination of multiple different back ups in order to spend the relevant coins.

and by poor article use splitting the private key using SSS and not the wallet seed.
Whether you are splitting a private key or a seed phrase using SSS is more or less irrelevant. The weaknesses and vulnerabilities are the same.

The additional risk, I suppose, is privacy related?
Correct. If one of your devices containing all your xpubs is compromised, then the attacker can view your wallets.

I think it is more appropriate to hold a backup of the printed xpubs along with a seed phrase.
You should absolutely back up the xpubs along with the seed phrases, but you don't need to back up every xpub with every seed phrase, which again protects your privacy in the event that an attacker discovers one of your back ups.
Kryptowerk
Legendary
*
Offline Offline

Activity: 2030
Merit: 1401


Disobey.


View Profile
January 09, 2023, 04:16:30 PM
 #25

Yes you need to back up the xpubs, and yes that is a pain/error-prone to do by hand.
The more the xpubs, the more the pain and chances to mess it up somewhere. I triple check addresses when I'm sending bitcoin to my cold storage, let alone what I'd do if I had to ensure it's the correct xpubs. I mean think about it, you have to write down a nightmare like this:
Code:
xpub6CnyhgdRermBTjxxY8RB2uW9WsziDfVM2suB4c3aAYH77hNMwLpqR8vktGY769i5oxFHSzRZqJjZX8Zmog7nYwCk8SqePofgARCcrfvWTnH
xpub6Dd32ygm66fDRv2eQScFSxZPuxM4TYGma8c6S3oyts8JnStQ8wNC1XTNtpavFaU8iEJswC5JT9vmjG1cugLVsqXP9QwqKZYjEiykksHYbsZ
xpub6DgDQmupKYNRCpnmHyTF4iseuwH9d3e3PVFR8hnjaCiJ12gfPCJzHfF3NtbJKTbrs8oUWi5QndV3UnyvcCcebWNxoteqhD6jZZcMsPKAkRV
xpub6CQwwygLeymu12sXMDDQ8sURu8QfrY5TNHetAd3GMo5FDP4aTWKqGvJLEQA7CZg76PdtMv3vszb8fDEjjq7e6K9KZznNhvbViDow4ynbjXE
xpub6EbPANACYCRBUToYADM6bVodkzxLNc2wJdnENHn7KVdDiH4tWeueh3pxKGnNuDdDi2VZm8wKez1XzEyP4yF5H8H4StEbt8gQPuoprWixcjd

By hand. Clean writing. About 560 characters, case sensitive. How come there hasn't been a mnemonic standard for xpubs?

I understand it sucks. And is prone to error, if done sloppily / hastily. However if you take your time it's not THAT big of a deal, even though uncomfortable and definitely an unfamiliar procedure.
However, good security always takes some work and attention to details, so yeah, I think this example is still manageable.

Agreed, a tool to convert back-and-forth from and to a mnemonic phrase would be nice to have.

Get educated about Bitcoin. Check out Andreas Antonopoulos on Youtube. An old but gold talk: https://www.youtube.com/watch?v=rc744Z9IjhY

Daniel Schmachtenberger on The Meta-Crisis: https://www.youtube.com/watch?v=4kBoLVvoqVY&t=288s One of the most important talks about the current state of this planet. Go check it out.
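
Added example (not part of any post in this thread): the posts above describe typing a hand-written xpub back in to check its accuracy. An xpub is Base58Check-encoded (BIP32), so the string itself carries a 4-byte checksum that rejects a mistyped character, although it cannot say which character is wrong. The sample key below is constructed for the demonstration and is not a real wallet key; the function names are hypothetical.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
XPUB_VERSION = bytes.fromhex("0488b21e")  # BIP32 mainnet public-key version bytes


def _checksum(payload: bytes) -> bytes:
    """First 4 bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58check_encode(payload: bytes) -> str:
    """Encode payload + checksum in Base58 (used here only to build the sample)."""
    raw = payload + _checksum(payload)
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))  # leading zero bytes become '1'
    return "1" * pad + out


def check_xpub(text: str) -> str:
    """Return 'ok', or the reason a transcribed xpub is rejected."""
    text = text.strip()
    for i, c in enumerate(text):
        if c not in B58:  # 0, O, I and l are not in the Base58 alphabet
            return f"invalid character {c!r} at position {i}"
    n = 0
    for c in text:
        n = n * 58 + B58.index(c)
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 82:  # 78-byte serialized key + 4-byte checksum
        return f"wrong length: {len(raw)} bytes, expected 82"
    payload, chk = raw[:-4], raw[-4:]
    if _checksum(payload) != chk:
        return "checksum mismatch"
    if payload[:4] != XPUB_VERSION:
        return "not an xpub version prefix"
    return "ok"


# Constructed sample: version, depth, parent fingerprint, child number,
# 32-byte chain code, 33-byte key field. The bytes are filler, not a real key.
SAMPLE_PAYLOAD = (
    XPUB_VERSION
    + bytes([3])
    + bytes.fromhex("deadbeef")
    + (0x80000000).to_bytes(4, "big")
    + bytes(range(32))
    + b"\x02" + bytes(range(32, 64))
)
SAMPLE_XPUB = b58check_encode(SAMPLE_PAYLOAD)


def undetected_single_typos(xpub: str) -> int:
    """Try every single-character substitution and count those that still pass."""
    count = 0
    for i, original in enumerate(xpub):
        for c in B58:
            if c != original and check_xpub(xpub[:i] + c + xpub[i + 1:]) == "ok":
                count += 1
    return count


if __name__ == "__main__":
    print(SAMPLE_XPUB)
    print("clean copy:      ", check_xpub(SAMPLE_XPUB))
    swapped = SAMPLE_XPUB[:20] + SAMPLE_XPUB[20].swapcase() + SAMPLE_XPUB[21:]
    print("one case slip:   ", check_xpub(swapped))
    print("zero for letter: ", check_xpub(SAMPLE_XPUB[:10] + "0" + SAMPLE_XPUB[11:]))
    print("undetected typos:", undetected_single_typos(SAMPLE_XPUB))
```

A wallet that imports an xpub performs this check, so a back up that fails it is known to be wrong before any funds depend on it.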
aesthete2022
Jr. Member
*
Offline Offline

Activity: 59
Merit: 31


View Profile
January 25, 2023, 12:01:26 PM
 #26

Quote
Correct. If one of your devices containing all your xpubs is compromised, then the attacker can view your wallets.

Why is that an issue?
aesthete2022
Jr. Member
*
Offline Offline

Activity: 59
Merit: 31


View Profile
January 25, 2023, 12:33:55 PM
 #27

I guess it's a tradeoff. I would be happier copying and pasting the xpubs rather than writing them by hand, as the most likely way to lose access to funds is by losing the xpubs rather than coming under a sophisticated attack.
Pmalek
Legendary
*
Offline Offline

Activity: 2758
Merit: 7130



View Profile
January 26, 2023, 05:46:55 PM
 #28

Why is that an issue?
It depends on what you personally consider an issue. It's not a problem in the sense that you will lose your bitcoin if someone gets hold of your xpub. You won't. But knowing the extended key provides knowledge of all child keys. In essence someone would have the means to track all addresses of your wallet. They would know how much you own and whenever you send or receive coins to addresses associated with that wallet. You have to judge yourself if someone else having that information is an issue for you or not.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
January 28, 2023, 10:09:56 AM
 #29

Why is that an issue?
As ETFbitcoin and Pmalek say, it's a privacy concern. Perhaps I don't want someone to be able to link every address in that wallet together under common ownership, or know the total amount of bitcoin in the wallet, or be able to watch all my future transactions, etc.

But, as I mentioned above, in order to even create the multi-sig wallet in the first place and generate addresses to send coins to, all your xpubs must be on the same device at some point. There is no other way around it. And so printing them out from that device presents very little additional risk to your privacy than the risks you have already exposed yourself to (and hopefully mitigated) by setting up the wallet in the first place. If you do it all on a live OS on a permanently airgapped computer and printed the xpubs using a dumb printer (i.e. one without internal memory or wireless hardware), then the risk of leaking your xpubs in such a manner is almost zero.
NotATether
Legendary
*
Offline Offline

Activity: 1596
Merit: 6727


bitcoincleanup.com / bitmixlist.org


View Profile WWW
January 31, 2023, 10:51:56 AM
 #30

a xor scheme, like you have one 12-word seed (A) and separate it into three 12-word seeds (B,C,D), each of which is a new wallet. But the real one which you actually want to hide is the one (A) that can only be reconstructed by B,C,D.

Why don't you make it like the traditional XOR operation where you take two 12 word seeds (or any number of words seeds actually, as long as they have the same number of words), and then convert them back into entropy, apply the XOR operation on it, and then convert the entropy back into a mnemonic?

But then again, neither of these methods would actually provide any security, just obscurity.

Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
February 05, 2023, 09:59:30 PM
Last edit: February 05, 2023, 10:57:20 PM by Saint-loup
 #31

Why don't you make it like the traditional XOR operation where you take two 12 word seeds (or any number of words seeds actually, as long as they have the same number of words), and then convert them back into entropy, apply the XOR operation on it, and then convert the entropy back into a mnemonic?

But then again, neither of these methods would actually provide any security, just obscurity.
I disagree with you, hiding efficiently your seed is the most important thing in cryptocurrency security. And hiding your seed in several places isn't riskless, since the more places you use, the more likely your seed can be found by someone else. So you can't say being able to split your seed in several parts doesn't bring any security. Unfortunately this XOR method is not the best one since you need to take care of all the seed parts "(not M of N, always N of N)".
But other methods like the Shamir Secret Sharing Scheme or SLIP39 allow to get back your seed with only a subset of the shares. It is not meant to replace a multisig wallet since all seeds need to be reassembled by someone but it can be useful if you want to hide safely your seed in several places. For example, you can leave one share at a friend or parent home, he won't be able to do anything with it and if he loses it you will still be able to retrieve your seed thanks to the other shares (if you used a M of N scheme).

https://github.com/satoshilabs/slips/blob/master/slip-0039.md
https://github.com/trezor/python-shamir-mnemonic
https://iancoleman.io/slip39/

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 06, 2023, 02:20:44 PM
Merited by pooya87 (2), Pmalek (1)
 #32

But other methods like the Shamir Secret Sharing Scheme or SLIP39 allow to get back your seed with only a subset of the shares.
SSS is a poor method to use for a number of reasons. It requires the necessary threshold of shares to be brought together in one place on one device to recreate the wallet in question, which creates a single point of failure and compromise. There is no standard implementation, meaning you are completely dependent on the software you used to generate your shares, and without a copy of that exact software, it may be entirely impossible to recreate your wallet. There is also no guarantee whatsoever that the software you are using is actually secure, and the vast majority of users will be unable to audit the code for themselves.

Have a read of the following for more information: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

A far more secure approach is to use multi-sig.

It is not meant to replace a multisig wallet since all seeds need to be reassembled by someone but it can be useful if you want to hide safely your seed in several places.
A multi-sig still allows you to hide your seed phrases in several places.

For example, you can leave one share at a friend or parent home, he won't be able to do anything with it and if he loses it you will still be able to retrieve your seed thanks to the other shares (if you used a M of N scheme).
Again, you can do this with multi-sig, without all the disadvantages that come with SSS.
Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
February 06, 2023, 06:37:46 PM
Last edit: February 07, 2023, 05:21:00 PM by Saint-loup
Merited by o_e_l_e_o (4), Pmalek (1)
 #33

But other methods like the Shamir Secret Sharing Scheme or SLIP39 allow to get back your seed with only a subset of the shares.
SSS is a poor method to use for a number of reasons. It requires the necessary threshold of shares to be brought together in one place on one device to recreate the wallet in question, which creates a single point of failure and compromise. There is no standard implementation, meaning you are completely dependent on the software you used to generate your shares, and without a copy of that exact software, it may be entirely impossible to recreate your wallet. There is also no guarantee whatsoever that the software you are using is actually secure, and the vast majority of users will be unable to audit the code for themselves.

Have a read of the following for more information: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

A far more secure approach is to use multi-sig.

It is not meant to replace a multisig wallet since all seeds need to be reassembled by someone but it can be useful if you want to hide safely your seed in several places.
A multi-sig still allows you to hide your seed phrases in several places.

For example, you can leave one share at a friend or parent home, he won't be able to do anything with it and if he loses it you will still be able to retrieve your seed thanks to the other shares (if you used a M of N scheme).
Again, you can do this with multi-sig, without all the disadvantages that come with SSS.
Well, if you are not aware of that, SLIP39 is precisely a standard implementation of SSS in fact.
Quote
This SLIP describes a standard and interoperable implementation of Shamir's secret sharing (SSS).
https://github.com/satoshilabs/slips/blob/master/slip-0039.md

Your article is a little bit outdated but it refers to it actually:
Quote
It is worth noting that there now exists a proposed standard for splitting Bitcoin seed phrases via SatoshiLabs Improvement Proposal 39. It was under development for nearly 2 years, appears to be well designed, and has been implemented in at least 4 programming languages.
As Jameson Lopp said above several implementations in several languages already exist. And FYI Electrum already supports it.



A multisig wallet has nothing to do with splitting a seed in reality. Daily users of Bitcoin can't use several wallets on several devices each time they(we) need to send a transaction, moreover I'm curious to know how you are making a LN transaction with a multisig wallet? In addition a split seed can be used to store different cryptocurrencies, not a multisig wallet.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 07, 2023, 01:08:12 PM
 #34

Fair points, but the implementation issue is only a single weakness out of many and so it doesn't change the fact that SSS is a poor suggestion for all the other reasons. This mitigation also relies on individuals using that specific implementation, and not other experimental ones, such as the one listed on Ian Coleman.

A multisig wallet has nothing to do with splitting a seed in reality. Daily users of Bitcoin can't use several wallets on several devices each time they(we) need to send a transaction, moreover I'm curious to know how you are making a LN transaction with a multisig wallet? In addition a split seed can be used to store different cryptocurrencies, not a multisig wallet.
If you want a single sig wallet but with multiple back ups required to restore it, then I would say a seed phrase plus an additional passphrase is still superior to SSS. This set up can also be used to hold any altcoins which derive their keys via a seed phrase.
Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
February 07, 2023, 03:01:46 PM
Last edit: February 07, 2023, 05:29:21 PM by Saint-loup
 #35

Fair points, but the implementation issue is only a single weakness out of many and so it doesn't change the fact that SSS is a poor suggestion for all the other reasons. This mitigation also relies on individuals using that specific implementation, and not other experimental ones, such as the one listed on Ian Coleman.

A multisig wallet has nothing to do with splitting a seed in reality. Daily users of Bitcoin can't use several wallets on several devices each time they(we) need to send a transaction, moreover I'm curious to know how you are making a LN transaction with a multisig wallet? In addition a split seed can be used to store different cryptocurrencies, not a multisig wallet.
If you want a single sig wallet but with multiple back ups required to restore it, then I would say a seed phrase plus an additional passphrase is still superior to SSS. This set up can also be used to hold any altcoins which derive their keys via a seed phrase.
I don't understand why it would be "superior" as you say. When you are using a passphrase you have 2 things to take care of: the seed and the passphrase, because if you lose one of them you can't access your funds anymore. It means you have 2 times more risk to lock your funds, than with a single seed. It's just like using this XOR function at the end, except you can choose your passphrase. If you use a split seed with a 2 of 3 scheme, you have 2 times less risk to lock your funds than with a single seed because you need to lose at least 2 seeds instead of one to lose access to your funds. It means you have 4 times less risk to lock your funds with a 2 of 3 split seed than with a seed and a passphrase. Without increasing the exposure of your real seed on top of that.
It allows you, for example to split a seed in a 2 of 4 shares scheme, in order to safely be able to store one seed at home, one seed online, one seed at a relative's home, and another one in a hole in the middle of a forest or wherever you want on earth (you will need to lose 3 seeds at the same time to lock your funds in this case).

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 08, 2023, 09:52:48 AM
 #36

When you are using a passphrase you have 2 things to take care of: the seed and the passphrase, because if you lose one of them you can't access your funds anymore. It means you have 2 times more risk to lock your funds, than with a single seed.
You should have a minimum of two back ups of each part, which mitigates this issue.

It's just like using this XOR function at the end, except you can choose your passphrase.
XOR is risky for the reasons I mentioned in my first post in this thread. Predominantly, you are entirely dependent on the implementation you are using being safe, secure, and not disappearing in the future, whereas passphrases are now standard across all good wallets.

If you use a split seed with a 2 of 3 scheme, you have 2 times less risk to lock your funds than with a single seed because you need to lose at least 2 seeds instead of one to lose access to your funds. It means you have 4 times less risk to lock your funds with a 2 of 3 split seed than with a seed and a passphrase. Without increasing the exposure of your real seed on top of that.
Which is the same as using a multi-sig set up, which again, is standard across all good wallets, and does not have a single point of failure.
Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
February 08, 2023, 03:06:20 PM
 #37

When you are using a passphrase you have 2 things to take care of: the seed and the passphrase, because if you lose one of them you can't access your funds anymore. It means you have 2 times more risk to lock your funds, than with a single seed.
You should have a minimum of two back ups of each part, which mitigates this issue.

It's just like using this XOR function at the end, except you can choose your passphrase.
XOR is risky for the reasons I mentioned in my first post in this thread. Predominantly, you are entirely dependent on the implementation you are using being safe, secure, and not disappearing in the future, whereas passphrases are now standard across all good wallets.

If you use a split seed with a 2 of 3 scheme, you have 2 times less risk to lock your funds than with a single seed because you need to lose at least 2 seeds instead of one to lose access to your funds. It means you have 4 times less risk to lock your funds with a 2 of 3 split seed than with a seed and a passphrase. Without increasing the exposure of your real seed on top of that.
Which is the same as using a multi-sig set up, which again, is standard across all good wallets, and does not have a single point of failure.
It mitigates this issue at the expense of another one unfortunately : the exposure one. By doing that you are doubling the risk that your seed will be found and hacked. With a split seed you don't have to store a copy of any share at any other place, each one can stay unique. If you split your seed in 4 elements like what you have currently, each one can be kept in one single place. And the safety of the accessibility of your funds would be better in addition, because if you use a 2 of 4 scheme you would need to lose at least 3 elements to lose the access of your funds. While with a seed and passphrase copied if you lose your 2 passphrase back ups or your 2 seeds, you will be locked.

Multisig wallets have not "a single point of failure" as you say, if you are using them with other people not knowing them each other, or if you are able to use them from several places (which is not convenient at all) but if you are only able to use your multisig wallets at the same place, they can be destroyed by a fire or another disaster, or be stolen by a burglar, each time you need to use them in the same way as a common seed. With a split seed you have only one seed to remember (the original one), so you don't need to bring them with you each time you need to use your wallet.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 11, 2023, 09:31:03 AM
 #38

And the safety of the accessibility of your funds would be better in addition, because if you use a 2 of 4 scheme you would need to lose at least 3 elements to lose the access of your funds. While with a seed and passphrase copied if you lose your 2 passphrase back ups or your 2 seeds, you will be locked.
So use multi-sig +/- a passphrase.

but if you are only able to use your multisig wallets at the same place, they can be destroyed by a fire or another disaster, or be stolen by a burglar, each time you need to use them in the same way as a common seed.
I have a 2-of-3 multi-sig wallet which I use in a single location as multi-sig between an airgapped laptop and a hardware wallet. The third set of keys only exists on paper. The three back ups are in different physical locations. I can use the wallet from a single place, while maintaining maximum protection against malware or compromise of one of my devices, while still having the redundancy you describe in the back ups. Additionally, I don't have any exposure to bad SSS implementations, weak share generation, or a single point of failure.

I see nothing that SSS provides that a multi-sig set up can't also provide, but I see many pitfalls in SSS. If the device you used to generate your SSS shares or to recombine them later is compromised, then your entire SSS system is useless. And if there was such a thing as a device which is 100% safe and completely immune to compromise, then you don't need SSS in the first place.
Saint-loup
Legendary
*
Offline Offline

Activity: 2604
Merit: 2353



View Profile
February 11, 2023, 09:35:23 PM
 #39

And the safety of the accessibility of your funds would be better in addition, because if you use a 2 of 4 scheme you would need to lose at least 3 elements to lose the access of your funds. While with a seed and passphrase copied if you lose your 2 passphrase back ups or your 2 seeds, you will be locked.
So use multi-sig +/- a passphrase.

but if you are only able to use your multisig wallets at the same place, they can be destroyed by a fire or another disaster, or be stolen by a burglar, each time you need to use them in the same way as a common seed.
I have a 2-of-3 multi-sig wallet which I use in a single location as multi-sig between an airgapped laptop and a hardware wallet. The third set of keys only exists on paper. The three back ups are in different physical locations. I can use the wallet from a single place, while maintaining maximum protection against malware or compromise of one of my devices, while still having the redundancy you describe in the back ups. Additionally, I don't have any exposure to bad SSS implementations, weak share generation, or a single point of failure.

I see nothing that SSS provides that a multi-sig set up can't also provide, but I see many pitfalls in SSS. If the device you used to generate your SSS shares or to recombine them later is compromised, then your entire SSS system is useless. And if there was such a thing as a device which is 100% safe and completely immune to compromise, then you don't need SSS in the first place.
This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds. That's half more risky than using 4 shares of a split seed scattered in 4 different locations, and 2x times more risky than using a 2-of-3 split seed.

Quote
And if there was such a thing as a device which is 100% safe and completely immune to compromise, then you don't need SSS in the first place.
I don't understand what you mean, being 100% safe and completely immune to compromise, doesn't mean being immune to breakdowns and being indestructible... If your 100% safe device goes out of order or if you mistakenly delete your seed from it, SSS will help you, because your seed will still be safely stored elsewhere.

o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18509


View Profile
February 12, 2023, 08:34:07 AM
 #40

This means you are using 2 x 3 (6) seeds while a thief just needs to find 2 of them to be able to steal your funds. That's half more risky than using 4 shares of a split seed scattered in 4 different locations, and 2x times more risky than using a 2-of-3 split seed.
A m-of-n multi-sig provides the exact same redundancy in its back ups as an identical m-of-n SSS, without all the disadvantages of SSS. You can then add a passphrase on top of either system if you so choose.

If your 100% safe device goes out of order or if you mistakenly delete your seed from it, SSS will help you, because your seed will still be safely stored elsewhere.
If your device breaks down then any back up will recover your wallet, not just SSS. But the process of setting up SSS in the first place is vastly inferior to multi-sig, and to recover your SSS wallet you need to rely on your replacement device being free from compromise since it is a single point of failure, which is not the case for multi-sig.