Single vs Shamir vs Multisig, which is easiest to hack statistically?

[jeanluca]

I was trying to setup a hardware bitcoin-only wallet. I had, for the generation of the seed, 2 options: single and Shamir seed backup.

I noticed that the single seed had 24 words and the Shamir 20. This made me wonder which of them is hardest to guess/hack.

In case of a single, 24 words seed, one has to guess 24 words. But how does this work with Shamir? Suppose you have setup a Shamir with 3 shares and a threshold of 2. Do you have to guess 20, 40 or also 24 words (or something else) to hack it?

This also brings me to Multisig. If you require two seed to sign a transaction, does this mean that an attacker needs to guess 48 words in total, or can this whole multisig process be reduced to an other set 24 words?

[1714581030]

1714581030

[1714581030]

1714581030

[1714581030]

1714581030

[1714581030]

1714581030

[1714581030]

1714581030

[1714581030]

1714581030

[hosseinimr93]

A 24 word seed phrase provides 256 bits of entropy and it's secure enough. Note that even a 12 word seed phrase can give you enough secuirty.
If your shamir shares have 20 words each, your master secret should give you 128 bits of entropy and that's again enough.


Take note that whether you have a wallet with a single seed phrase or a wallet with Shamir backup, it's secure enough (assuming it's generated and used in the correct way) and you should choose which one to use depending on your needs.

I personally don't like Shamir, because all shares must be generated in a single device and you need to enter all the required shares in a single device whenever you want to make a transaction and if that device is compromised, you would lose all your fund.
Shamir may be a good option if you worry about your psychical backup being stolen but can't give you extra security against hackers.


I prefer a multi-signature wallet to a wallet with shamir backup. In a multi-signature wallet, the seed phrases can be generated in separate devices and you don't have to import all of them in a single device when you want to make a transaction.

[Charles-Tim]

Shamir secret sharing is secure than just 24 word seed phrase backups. If you have 3 shares but 2 threshold to be recover your seed phrases, that means an attacker will need 2 out of the 3 shares to recover the seed phrase. That makes it secure than having only 24 word seed phrase backup. But on this forum, established members do not recommend shamir secret sharing.

Multisig VS Shamir Secret Sharing

The better option to go for is a multisig wallet which you also mentioned. Assuming you have 2-of-3 multisig wallet, an attacker need the 1 public key and 2 private keys that can generate other public keys and signed  a transaction on the wallet inorder to compromised the wallet. Multisig is part of bitcoin improvement protocol and more secure than single signature wallet.

I am referring to offline backup, not about the wallet itself online. If you use a hardware wallet which has its private key offline and you are able to to secure your backup your seed phrase securely in two or three different locations, that is not bad at all. If you want to go for the option, we can guide you if you ask a question on this forum about the best way to create a multisig wallet like 2-of-3 multisig wallet.

Advice
For a single sig wallet, I will not advice you to use shamir secret sharing. You can use passphrase instead which is better. Also with passphrase on hardware wallet like Trezor, your wallet can not be physically attacked to reveal your seed phrase because physical attack on your Trezor can reveal your seed phrase to an attacker even if you use shamir secret sharing. But with the passphrase, different keys and addresses are generated which will not let the attacker to know your keys and addresses and not able to spend your coins. It is good to use a strong (longer passphrase) in a way it can not be brute forced.

If you lose your passphrase, just like your seed phrase, you will lose your coins.

Backup the seed phrase and passphrase differently in different locations.

[Medusah]

What hardware wallet do you use?  Your hardware wallet should have an option for multi-sig, which is better than SSS, because you do not need to merge the private keys into one device.  If you know how to use SSS, then it is more secure than single, because the attacker will need to compromise more than one places you keep the shares. 

But this does not seem to be your concern considering you were wondering which one is easier to "guess".  Both are practically equally improbable to guess... zero percent.

[hosseinimr93]

Shamir secret sharing is secure than just 24 word seed phrase backups. If you have 3 shares but 2 threshold to be recover your seed phrases, that means an attacker will need 2 out of the 3 shares to recover the seed phrase.

No. Brute-forcing a 24 word seed phrase is more difficult than brute-forcing a shamir backup with 20 words in each share.
A 24 word BIP39 seed phrase represents a 256 bits number. A shamir backup with 20 words in each share represents a 128 bits number called master secret.

What hardware wallet do you use?  

I think Trezor is the only hardware wallet that supports Shamir Secret Sharing.

[Charles-Tim]

What hardware wallet do you use?  Your hardware wallet should have an option for multi-sig, which is better than SSS, because you do not need to merge the private keys into one device.  If you know how to use SSS, then it is more secure than single, because the attacker will need to compromise more than one places you keep the shares. 

I will not recommend shamir secret sharing just as I posted above. Instead of shamir secret sharing, why not go for passphrase instead? I will recommend passphrase to extend the seed phrase to generate different keys and addresses entirely.

Shamir secret sharing is secure than just 24 word seed phrase backups. If you have 3 shares but 2 threshold to be recover your seed phrases, that means an attacker will need 2 out of the 3 shares to recover the seed phrase.

No. Brute-forcing a 24 word seed phrase is more difficult than brute-forcing a shamir backup with 20 words in each share.
A 24 word BIP39 seed phrase represents a 256 bits number. A shamir backup with 20 words in each share represents a 128 bits number called master secret.

What I meant about the backup is to backup the 24 words. If an offline attacker sees the 24 word seed phrase backup, it will compromise the wallet because he has the 24 word seed phrase. In this regard, shamir secret sharing is more secure. But because shamir secret is not recommended, I advice him to go for passphrase, or a multisig wallet.

[hugeblack]

We can make a comparison like:

 - Entropy: 24 words BIP39 represents 256 bits (secure) while SSS, 20 words represents 128 (secure).
 - Point of failure: Both have a single point of failure.
 - Losing words: In 24 words, losing some words means losing your money, while losing a secret may not mean losing access to your coins (relatively better, but there are better alternatives)
 - Standard: You can import 24 words in many open source software, while the SSS standard is not as widely adopted as 24 words.
 - Multiple users/places: Since they both have a single point of failure, collecting secrets or seeds once means trusting that device or person.


The best solution: Since 12 words gives good entropy and can be enhanced by adding a passphare (13th word) and/or using a multi-signature wallet is the best option.

[DaveF]

Either one is more then secure as others have pointed out.
The question becomes what would work better for you and your situation.

It's like asking what car would be better for you. Once we know that all modern cars with airbags and ABS and so on are safe enough the question then becomes use. Are you hauling a family around and need something large? Do you just need it to do short trips around town? And so on.

If you are making multiple transactions a day then neither are great and a hardware wallet is better.
Do you want others to be able to make transactions without others being around then you would need multisig or SSS

And so on.

-Dave

[cheezcarls]

Hands down to multi-sig wallet as the most secured one ads it requires multiple wallets to approve the transaction. Gnosis Safe is one of them, it’s just that for every wallet that is assigned to it needs to be loaded with gas fee to proceed with the transaction per blockchain.

I am using Ledger Nano S as my hardware wallet to store Bitcoin and other important assets (especially for emergency funds in case burner wallet gets compromised).

But what about those hardware wallets like Tangem to store BTC and other assets where it doesn’t need seed phrases but rather tapping it on the phone? What’s your take on this guys?

[Z-tight]

This also brings me to Multisig. If you require two seed to sign a transaction, does this mean that an attacker needs to guess 48 words in total, or can this whole multisig process be reduced to an other set 24 words?

Let's say you have a 2-of-3 multisig set up, it ought to be in 3 separate devices, and it's better if two out of the three devices are offline, if you create a multisig wallet in a single device, it defeats the purpose of setting up one in the first place. In this kind of set up you need two keys to spend the funds, but all the co-signer's master public keys to restore the wallet, so if you know exactly what you are doing and you can handle the many backups, it would be very difficult for an attacker to compromise your multisig wallet.

Gnosis Safe is one of them, it’s just that for every wallet that is assigned to it needs to be loaded with gas fee to proceed with the transaction per blockchain.

This is for Ethereum, and we are talking about BTC here and in this board generally.

But what about those hardware wallets like Tangem to store BTC and other assets where it doesn’t need seed phrases but rather tapping it on the phone? What’s your take on this guys?

I would not use this to store my BTC's, it's surely not recommended.

[pooya87]

Your question is like asking if space travel to Jupiter is easier or to Saturn (FYI Saturn is farther)! The answer is that it doesn't matter because we can't perform either one of these.

In case of Bitcoin, you can not "hack" a single key just like you can't "hack" a multisig but of course technically harder since it normally requires more than one key. However, the security you would have depends on how you use them. For example a single key generated on an airgap system and kept offline and safe will provide a far higher level of security compared to a multi-sig generated on a single online PC running Windows OS!

As for Shamir algorithm, I'd worry more about its implementation rather than whether you should use it or not. Since it is not very popular and it technically is for "secrete sharing" not secret storing, a broken implementation could lead to losses.

[Synchronice]

I was trying to setup a hardware bitcoin-only wallet. I had, for the generation of the seed, 2 options: single and Shamir seed backup.

I noticed that the single seed had 24 words and the Shamir 20. This made me wonder which of them is hardest to guess/hack.

In case of a single, 24 words seed, one has to guess 24 words. But how does this work with Shamir? Suppose you have setup a Shamir with 3 shares and a threshold of 2. Do you have to guess 20, 40 or also 24 words (or something else) to hack it?

This also brings me to Multisig. If you require two seed to sign a transaction, does this mean that an attacker needs to guess 48 words in total, or can this whole multisig process be reduced to an other set 24 words?

You should create 10/10 multisig wallet and 24 word seed for each wallet in order to be completely safe.
C'mon, 12 words seeds are more than safe for your wallet, the only danger will occur if you leak your seed phrases because it's easy to bruteforce wallet if you know all the list even if they are unordered. By the way, if you are afraid of that, then you should choose 24 words seed wallet. In case of 24 words, even if they are leaked unordered, no one can crack them.

But please, stick with 12 words seed wallet, it's as safe as 24 or 2000 words seed wallet. It is simply impossible to crack your wallet right now. You will have to worry about that when superior quantum computers appear on the market for an average user.

[tbct_mt2]

You should create 10/10 multisig wallet and 24 word seed for each wallet in order to be completely safe.

Common, you are going to extremes.

With that wallet, when you lose one co-signer wallet, you are done. Done means losing your bitcoin. I will not go with this extreme method.

Backup a single signature wallet safely is safe enough for me. If I want more, I will create 2/2 multisig wallet and backup safely, that is safer for me but I will not go with 10/10 multisig wallet.

[jeanluca]

I think multisig sounds perfect for my HODL strategy! I hope that my Keystone pro supports this!

Thanks a lot for all the replies, it was really helpful!!

[Cricktor]

There's no single strategy for self-custody. It depends what kind of risks you want or need to cover. Multisig is mostly considered a very safe option, but only if you fully understand and execute it properly.

If you have, you should have it, time and patience to read and study a lengthy PDF document on the subject of smart and safe custody which is available on the site https://www.smartcustody.com/, I'd say: go ahead and read it! (But don't buy the Ledger hardware crap the authors write about in that PDF. There are better hardware wallets out there. Ledger can't be trusted anymore, in my opinion.)

[Medusah]

No. Brute-forcing a 24 word seed phrase is more difficult than brute-forcing a shamir backup with 20 words in each share.

SSS is more difficult to brute-force, because it is an additional layer on top of all seed phrases.  If you want to find a seed phrase, then you need to search up to 2²⁵⁶.  If you want to brute-force a SSS, then you need to decode every possible valid mnemonic combination, all of which contain every possible message that could be encoded.  I am sure that is longer than 2²⁵⁶.

(I am assuming you know nothing about the seed phrase or the shamir shares)

[hosseinimr93]

SSS is more difficult to brute-force, because it is an additional layer on top of all seed phrases.  

It's not.
SLIP39 shares are derived from a random number which is called master secret.
In the case you want each of your shares to include 20 words, the master secret should be a 128 bit number and anyone who wants to brute-force your SLIP39 seed must brute force that 128 bit number.

[buwaytress]

Isn't the brute force issue (hack here) unnecessary though? If 12 words (lowest I know of) is already practically safe as has high enough entropy, then it's other risk vectors that need consideration, and how practical of a concern there are for you.

I used to be a fan of multisig too but have seen enough issues with others to know it's not necessarily less vulnerable to loss (more secure to hack, yes, but at the price of additional risk vector).

[Medusah]

It's not.

Sorry, you are correct.  I just checked the master secret is 128 bits.  I thought it was 256.

Isn't the brute force issue (hack here) unnecessary though?

Well, yes.  An analogy is this:  You cannot jump so high that you reach the moon, but it is absolutely more difficult to go so high that you leave the solar system.  Both are impossible to do, but compared to one another, the second is incredibly more difficult.

[apogio]

I think multisig sounds perfect for my HODL strategy! I hope that my Keystone pro supports this!

Thanks a lot for all the replies, it was really helpful!!

Just a few comments for your multisig setup.
All cosigners must be created and backed-up offline, otherwise there is no huge benefit with multisig.
Let's say you have a classic 2-of-3 system where 2 of the 3 cosigners are needed to sign a transaction.
In order for you to be able to send funds you need to have at minimum 2 of the 3 seed phrases and the 3rd XPUB.
Let's say that the cosigners are called A, B, C. Then I would create 3 backups (offline on paper) as follows:
Packet 1: Seed A + XPUB B
Packet 2: Seed B + XPUB C
Packet 3: Seed C + XPUB A
If you lose one of the packets then you can still recover your wallet because you will have the 2 seeds and the 3rd xpub.
If a thief steals one of the backups, they can't do anything. They won't even be able to monitor your transactions, since they will not have all the necessary XPUBs.
Keep in mind that the XPUBs are super important. If you only have 2 seeds and not the third XPUB, your wallet is lost forever.
All the packets need to be stored in separate places of course. Otherwise, there is no benefit at all.

Finally, avoid silly mistakes, like putting the seed on a device that is connected to the internet, or maintaining backups at the same place.

Multisig is in general the safest option, but if you make mistakes, then it won't help you more than a singlesig wallet. In general, human error is the only enemy here. If you have any question or hesitation ask here in this forum and make sure to "learn" before you "act". No rush!