A lot of folks keep their private keys or backup phrase in one spot, but if you’ve got a good amount of coins or just want better security, plus maybe sharing assets with others, it’s worth looking into some alternatives.
Making things complicated and trying to set up your own secret systems has led to plenty of people losing all their Bitcoins since just one little mistake can lead to major issues.
Two options to think about are Multisig and Shamir Secret Sharing. There are other methods out there, but these two are definitely the most well-known, so I’ll break them down.
Shamir Secret Sharing (SSS)
Shamir Secret Sharing was invented back in 1979 by a cryptography whiz named Adi Shamir. It’s a way to split a secret into parts, with each participant getting a unique piece. You can share the secret with several people or stash it in different spots, needing a certain number of shares to put it back together. Like, you could have a 2-out-of-3 split, meaning any two shares can join forces to reconstruct the secret.
The catch with SSS is that it has a single point of failure when one person holds all the shares, which is explained better in a blog post by Jameson Lopp.
Pros:
- It’s generally more secure than just holding a single secret key, provided it’s done right.
- You don’t have to mess with getting multiple signatures from different devices for every single transaction like you do with multisig.
- The balance on the address stays hidden from others involved in SSS.
- It’s not on-chain, which is awesome for privacy.
- You won’t face extra fees when reconstructing the secret.
Cons:
- There’s that single point of failure.
- There are risks when generating and dividing the secret into parts.
- Participants can’t easily ...
Comparing Multisig and Shamir Secret Sharing
12 replies 97 views
falcon_wizardSenior Member
Posts: 123 · Reputation: 896
#2Mar 10, 2022, 04:45 PM
I believe that most of the cons of multisig setups will be solved after Schnorr signatures and Taproot get introduced. Schnorr signatures should improve privacy and others wont be able to see that funds were spent from a multisig address or who signed the spending transactions. The signature aggregation option will merge multiple signatures into one, which should have a positive affect on the fees. I assume the time for signing transactions will be lowered as well because there is now only one signature and not several of them, correct?
I am not sure about the 3rd con you mentioned:
If multiple signatures are merged into one and all participants have that new aggregated signature, what happens if individual private keys get lost?
A better question would be does signature aggregation take place before every transaction from a multisig setup or is that done only once?
I just edited the Trezor section of the Shamir Secret Snakeoil page with a little more detail about SLIP39. Apparently it's a way to split a seed phrase into a bunch of shares, and then split each of those shares into even more sub-shares. So 2 layers of shares.
What could this possibly be used for?
With two layers you will have at least 4 different shares that must be distributed to 4 people to fully distribute it. For both layers, one of two shares is required to get either the first level or the master key itself. In this particular split the key can be which obtained with at least 2 shares (Share 1->1 and Share 2->1 for example). And more than two shares are obviously supported in both layers (the standard allows up to 16 shares per layer) and this quickly explodes to dozens of shares, and each of those must be assigned to a different person, or else why are you using SSS in the first place?
The above was a mouthful to write, and given the standard is much more complex than this, I imagine someone's going to slip on ice while implementing this.
You clearly can not coordinate dozens of people to unlock a shared secret together. So, I am wondering whether SLIP39 has any practical use at all.
diamondhandsMember
Posts: 18 · Reputation: 229
#4Mar 11, 2022, 02:57 AM
but what's the point of using Shamir secret sharing instead of for example encrypting your seed? you have 2 "shares" one is the encrypted seed and the other one is the encryption key which you keep separately.
this way you are not concerend about the implementation and risks of it and you are also not concerend about the method not being safe because the encryption algorithm is strong and easier to implement (or already is implemented in all crypto libraries).
I've always held the opinion that SSS is useless if only one person holds all the shares, because at some point he/she will bring all the shares together for unscrambling and there's nothing stopping an attacker from seizing them all at that moment.
This isn't a differential disadvantage. For any secret sharing scheme, you need data generated at share generation, and for distributed share generation (e,g key wasn't born with a single point of failure) this means data stored from other parties. So in both cases you need to reliably store information generated at the time of wallet generation. Bonus, for multisig the information isn't secret--- you can go ahead and post it on your tumblr or whatever, while for secret sharing that data is secret and you could only post it on your tumblr after encrypting it.
In either case, you can just store this extra data with your private keys-- which would be a total non-issue except for the prevalence of stamped metal seed storage or whatever that has no extra room to store any data like that.
In any case, I have an *extremely* negative opinion of secret sharing as a freestanding system. The tradeoffs it provides are poor, as a result you find it mostly used/implemented by people who aren't thinking carefully, and as a result it doesn't provide its expected positive properties and often hurts security a lot. Essentially with SSS you are using an underlying cryptographic primitive directly, and pickup the expected bad outcomes from homebrew cryptography.
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil
Multisig and Shamir secret sharing are better when you want to distribute your keys to multiple people and locations, and anyone finding encrypted seed or key can extort password from you or try to brute force it if you used something like password or 1234.
Using Multisig for example they would need to have access to multiple locations and people to access your funds and that is not easy to accomplish.
That is true, and even if multiple people have the shares, at some point one main person still needs to collect them all at one place again for reconstruction.
OK, fair point, but you do agree that lack of privacy is disadvantage for current Multisig setup?
Some people simply don't want to go public about it.
Did you wrote or participated in writing of that Wikipedia Snakeoil article?
Check the revision history next to the (disabled or invisible) edit button, you can see that he wrote the whole article except for the Trezor section.
Oh, lot of Gmaxwells, I was right
Shamir Secret Sharing was updated by Trezor and branded as SLIP39, and they now use it as standard on new Trezor devices.
If you still don't understand the difference, pros and cons between BIP39, SLIP39, Mulstisig and use of Passphrases, I suggest watching this video from Crypto Guide:
https://youtu.be/iyfxO1IPTd8
I am also sharing another open source tool that can be used for converting BIP39 to SLIP39.
This can be used for devices that don't have support for SLIP39:
https://slip39.com/
https://github.com/pjkundert/python-slip39
PS
Be careful when using multisig or splitting your seed words in non-standard way, this is something I don't recommend to newbies.
SSSS is great. Definitely better and advanced approach than multi-sig.
What needs to be more researched is how to split the shards in the first place without a central point.
There are ways to do it on-chain using a scheme similar to Diffie-hellman key exchange.
No it is an inferior and less secure approach. Reiterating for those who didn't read: https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil
diamond_atlasSenior Member
Posts: 408 · Reputation: 1359
#13Mar 18, 2022, 08:10 PM
Seed splitting is bad idea that is not recommended by many Bitcoin experts. If people are newbies, they need to start with simple method for back up their wallets which is more doable in wallet recovery later.
Even you are an expert, seed splitting is still a risky method.
How to back up a seed phrase
Why seed splitting is a bad idea?
Shamir's Secret Sharing shortcomings
Related topics
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- New Optional Hourglass Implementation is Live 3
- Ways to earn some sats by contributing to bitcoin core development 5
- Exploring the Potential and Challenges of a Kardashev-Scale Bitcoin Network 3