Why is seed splitting a bad idea?
Speakers: Andreas Antonopoulos
Date: April 8, 2020
Transcript By: Michael Folkson
Tags: Bip32, Security problems
Media: https://www.youtube.com/watch?v=p5nSibpfHYE
This is something that is being discussed all the time, especially on newbie forums. It really needs to be considered very carefully. A friend had the idea to achieve 2-out-of-3 protection for my wallet seed by storing the seed in the following way:

Location 1: seed words 1-8 and 9-16
Location 2: seed words 1-8 and 17-24
Location 3: seed words 9-16 and 17-24

It sounds a lot like Shamir’s Secret Sharing scheme but easier. One location doesn’t reveal the whole seed but any two of them are enough. Is this safe?
Absolutely not. Your friend is wrong. It is absolutely not safe to split your mnemonic into parts, ever. Do not ever split your mnemonic phrase into parts and store those parts separately. A mnemonic phrase is for backup. You back up the entire phrase in multiple locations and that is both secure and resilient. If you need security from someone seeing your phrase you need to physically secure it with devices, like storing it on steel in a sealed tamper-evident device and putting it in a locked system like a safe or vault or a safety deposit box. If you are even more concerned about someone accessing your seed, add a passphrase, which you also need to back up, preferably on steel somewhere in a separate secure location as well. If you are super paranoid and you want to do some kind of scheme like this you need to use a standard such as SLIP39, which is a mechanism for producing Shamir’s Secret Sharing scheme split up into mnemonic phrases that can be recombined in a k-of-n share system. For example, you can do a mnemonic phrase that splits 2-of-3 using SLIP39. There is a fundamental difference between Shamir’s Secret Sharing scheme and what you describe. We will go through that difference in a second. You will see why this is not safe and it is also not that resilient.
Shamir’s Secret Sharing scheme uses a polynomial function to guarantee that if you have created a k-of-n scheme under Shamir, if you have any less than k, the quorum, it is entirely mathematically equivalent to having zero information about the key. Meaning that adding a new share is the same as brute forcing the entire key space. This is really important to realize. We will see why in just a second. Let’s go back to the example you offered. One of your shares has keys 1 through 8 and then 9 through 16 and then 17 through 24. What you are describing here is splitting in 3 a 24-word mnemonic phrase that contains 256 bits of entropy. 256 bits of entropy cannot be brute forced. Let’s look at one of these shares. One of these shares is keys 1 through 8, or words 1 through 8, and 9 through 16. That means that that mnemonic phrase that you have created, that split of your mnemonic phrase, contains 16 of 24 words. How many words are left out of that mnemonic phrase? 8. That means that there are 8 words missing. Even worse, one of those words is actually a checksum. Meaning that one of those words can be guessed much more easily because only the one word that fits perfectly completes the checksum. You don’t even need to check for balance on the mnemonic phrase by going to a blockchain. That is one of the advantages of mnemonic phrases but it is also one of the weaknesses of the system that you have described. No matter how you do it, one of these pieces of paper will have the checksum word or the checksum word will be the one that is missing. In the first example the checksum word is missing. Effectively that means there are 7 words that contain key material in the missing share. How hard is it to crack or brute force 7 words? Is it 3 times easier than brute forcing all 24 words? It is only one third of the words so theoretically it would be 3 times easier? No, not even close. This is an exponential.
You are talking about brute forcing 80 bits instead of 256 bits. Brute forcing 80 bits is not 3 times easier or takes only one third of the time of brute forcing 2^256 bits of entropy. Brute forcing 80 bits of entropy is 2^176 times easier, if I’m doing the math correctly, than brute forcing 256 bits. In fact brute forcing 80 bits in a dictionary where you already have the checksum and you can check if it works quickly is so easy that it can be done potentially with a cluster of machines in the next decade by someone who has enough computing power. You could do this with ASICs, you could do this with FPGAs, you could do this with GPUs. Cracking 80-bit keys is considered only marginally secure. What you did is you just reduced the security of your mnemonic phrase from 256 bits to 80 bits, which is a catastrophic reduction in security. Worse, if you make some mistakes or you lose parts of this, this is not a very resilient system. Not only do you give an attacker the opportunity of getting your mnemonic phrase by simply looking in two places or brute forcing 8 words after they have found one of your mnemonic phrases, but you have also created a situation where if you lose two of them you are done. I think it would be much better if you used an actual Shamir’s Secret Sharing scheme but, as I’ve said many times before, complexity is not just the enemy of security. In many cases it is the enemy of usability. Meaning that the more complex you make the scheme the more likely you are to run into trouble recovering your data and certainly your heirs will have tremendous difficulty recovering your data. The scheme you have described is not secure and is also not resilient. And it is not a good scheme. The one you described is probably better than some of the others I’ve seen out there. I have received dozens of emails from people who are desperate for help because they split their phrase up and lost one part of it. All I can say is “I am really, really sorry. It is probably lost forever.” The worst thing is that for some of these people who are lucky it is brute forceable. But that means that they are going through all of this pain in trying to brute force it and they didn’t actually achieve better security because a determined and well-equipped attacker could brute force just as fast as they can or faster. So they didn’t achieve security but they lost a lot in resilience. This is a terrible idea. Do not do it. Do not do DIY security. Do not do DIY cryptography. Use the standards that have been written by experts who are carefully balancing the need for resilience, the need for security and thinking about the threat model and how to appropriately address all of those risks in a way that is well documented, interoperable, standards based and predictable. That is a much better way to do this. Don’t do it.
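As an added illustration (not part of the talk), the following Python models a 24-word BIP39 mnemonic at the bit level and quantifies the point above: the 264 bits behind the words are 256 bits of entropy plus an 8-bit checksum, so a wallet can reject wrong candidates offline, and a share that leaves 8 words out leaves only 80 bits to search instead of 256. The BIP39 wordlist is not needed because each word is just an 11-bit index; the entropy used is constructed for the demo.

```python
import hashlib

WORD_BITS = 11                          # each BIP39 word is an index into a 2048-word list
ENTROPY_BITS = 256                      # a 24-word mnemonic encodes 256 bits of entropy
CHECKSUM_BITS = ENTROPY_BITS // 32      # BIP39 checksum length: 8 bits for 256-bit entropy
WORD_COUNT = (ENTROPY_BITS + CHECKSUM_BITS) // WORD_BITS   # 264 / 11 = 24 words


def bip39_checksum(entropy: bytes) -> int:
    """First ENTROPY_BITS/32 bits of SHA-256(entropy), as defined by BIP39."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_indices(entropy: bytes) -> list:
    """Append the checksum and cut the 264-bit string into 24 eleven-bit word indices."""
    total = ENTROPY_BITS + CHECKSUM_BITS
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | bip39_checksum(entropy)
    return [(bits >> (total - WORD_BITS * (i + 1))) & 0x7FF for i in range(WORD_COUNT)]


def indices_valid(indices: list) -> bool:
    """Recombine 24 indices and verify the embedded checksum, as a wallet does on import."""
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    checksum = bits & ((1 << CHECKSUM_BITS) - 1)
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    return bip39_checksum(entropy) == checksum


def residual_security_bits(words_missing: int) -> int:
    """Bits left to search when `words_missing` words are unknown: the checksum held by the
    attacker (or by whoever found a share) rules out all but 1 in 2^8 of the candidates."""
    return words_missing * WORD_BITS - CHECKSUM_BITS


def checksum_consistent_last_words(indices: list) -> int:
    """With only the last word unknown, count how many of the 2048 candidates pass the checksum.
    The last word carries 3 entropy bits and 8 checksum bits, so exactly 2^3 = 8 survive."""
    known = indices[:-1]
    return sum(1 for cand in range(1 << WORD_BITS) if indices_valid(known + [cand]))


if __name__ == "__main__":
    demo_entropy = bytes(range(32))     # constructed, fixed entropy for a reproducible demo
    words = entropy_to_indices(demo_entropy)
    print("full mnemonic passes checksum:", indices_valid(words))
    print("candidates for a single missing word:", checksum_consistent_last_words(words))
    print("bits to search with 8 words missing:", residual_security_bits(8))
    print("speed-up versus the full 256-bit space: 2^%d" % (ENTROPY_BITS - residual_security_bits(8)))
```

The same arithmetic gives 2^176 for the speed-up the talk mentions, and 3 bits (8 candidates) when only the checksum word is missing, which is why a lone missing last word is trivial to recover and why the "7 words of key material" intuition understates the loss.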