
SSS

StarSharks (SSS)


Mentions (24Hr)

1

0.00% Today

Reddit Posts

r/CryptoCurrency

Multi-Sig vs. Shamir Secret Sharing: Which Path Will You Choose to Safeguard Your Crypto?

r/CryptoCurrency

My personal view on the PR disaster, from a Ledger co-founder and ex CEO

r/Bitcoin

SSS. Stake Sats Steadily! ☺️ its small but honest work. from tipping, game, giveaway, etc. While crypto make you lost life saving, but not life living ✨

r/Bitcoin

Thoughts on Shamir's Secret Sharing?

r/CryptoCurrency

I have a lot of reasons I don't like Ledger (I still own one), however, Shamir Secret Sharing is a super compelling reason to own a Trezor or a Keystone wallet instead.

r/CryptoCurrency

NFT Collection Donated in Aid to UKR

r/CryptoMoonShots

-Fantasy Arena- Private Sale Start -On BSC-

r/CryptoMoonShots

-Fantasy Arena- Private Sale -On BSC-

r/CryptoMoonShots

-Fantasy Arena- New Metaverse game launch of this year!-On BSC-

r/CryptoMoonShots

-FANTASY ARENA-The biggest P2E-NFT game launch of this year!-On BSC-

r/CryptoMoonShots

🔮-FANTASY ARENA-🎮-The biggest P2E-NFT game launch of this year!🎮-On BSC-🔮

r/CryptoMoonShots

🔮 Fantasy Arena 🎮Welcome to the Metaverse 🔮 From Players, For Players 🎮 On BSC 🔮

r/CryptoMoonShots

🔮Fantasy Arena 🎮Welcome to the Metaverse, the biggest PlayToEarn Game launch this year! From Players, For Players 🎮 On BSC 🔮

r/SatoshiStreetBets

BSC GameFi Platform StarSharks ($SSS) Launches Its First Metaverse Game: StarSharks.Warriors

r/CryptoMoonShots

🔮Fantasy Arena 🎮Welcome to the Metaverse, the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 By Players, For Players🔮

r/CryptoMoonShots

🔮-FANTASY ARENA-🎮The biggest P2E-NFT game launch of this year!🎮-On BSC-🔮

r/CryptoMoonShots

🔮Fantasy Arena - Metaverse🎮Welcome to the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮

r/CryptoMoonShots

🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮

r/CryptoMoonShots

🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Nft Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮

r/CryptoMoonShots

🔮Fantasy Arena 🎮Welcome to the biggest PlayToEarn Nft Game launch this year! 🎮 On Bsc 🎮 Metaverse🔮

r/CryptoMoonShots

🔮Fantasy Arena 🎮Welcome to the biggest PlayToEarn Nft Game launch of this year! 🎮 On Bsc 🎮 Metaverse🔮

r/CryptoMoonShots

🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Nft Game launch of this year! 🎮 On Bsc🔮

Mentions

The wallet is just a convenience. To start your digital security you need to figure out how you are going to create, store and protect the seed that generates your private keys. The protocol must be a well established standard otherwise you could be locked into a single vendor where your recovery could be pulled out leaving your digital assets unreachable. You want to consider both the security that protects your keys from being obtained by undesired actors as well as redundancy that ensures you or your designated representative will be able to recover your keys even after a disaster. There are a few standards that help store seeds and keys. Perhaps the best known is the BIP39 word list. This is a start but it creates a single point of failure. If you lose this list you lose access to your keys. You can make multiple copies but each copy is a critical security risk if someone were to acquire one. You can encrypt your seed with a passphrase before creating the wordlist but this creates another single point of failure if you forget the passphrase. A better method is to use a Shamir Split Secret. SSS splits a secret into multiple parts where any N of those parts can be used to reconstruct the whole. This is like multi-sig but is completely offline so no added network fees. One standard track implementation like SSS is SLIP-0036. I don’t know if this has received enough scrutiny to assure it is safe and effective. How you split and store the parts to your master seed is your own decision. Keep in mind who will have access to each of the parts and who might collude to attempt to assemble the seed against your wishes. The parts can be stored in safes, safe deposit boxes, be escrowed with friends or family or even be escrowed with a law firm. Each part should probably be sealed in a tamper evident enclosure. A simple security envelope should be sufficient.
If any part is found to be compromised you have to start over creating a new seed, new keys, move all your assets and re-evaluate who you escrow the keys with.

Mentions:#BIP#SSS

Multi-sig increases transaction fees. As an individual your primary concern will be losing your wallet keys. Recovery keys and backups should be top priority for anyone with a wallet. As your stack grows the risk of theft also grows. Each recovery key or backup of the master wallet key represents a potential attack vector to steal your stack. You will want to look at redundant distribution of the recovery keys using systems like SSS. When you get to the point where you need a management team to manage your stack then you should look at multi-sig.

Mentions:#SSS

not answering my question at all. im protecting myself from the rare case where my hardware wallet is run by bad actors and doesnt create random seeds. SSS does nothing in this scenario.

Mentions:#SSS

SSS shards are secure, but just splitting the 12 or 24 words into 3 chunks of 4 or 8 is a horrible idea, you’re right.

Mentions:#SSS

The technology you want is Shamir Secret Sharing. But the implementations for Bitcoin wallets seem to be proprietary which is not appropriate for long term backup. SSS allows you to split one master key into many sub keys where N of the sub keys are required to reconstruct the master key. I’m not familiar with all the offerings out there so perhaps somebody has a solution that does the right thing. What I know is the math and from that I can deduce what can be done. But the math can’t say what has been done. SSS is not multi-sig since it has the vulnerability that combining the sub keys always generates the master key so the hardware that does the combining has to be trusted not to leak the master key (Never use an online tool to generate, encode or decode keys; these sites likely log every use and can easily determine if there is a real wallet behind the key). For archival storage you want to be able to recover your wallet master key from just the archived sub keys. Some tools want to store additional data with the keys. All you should need to reconstruct a wallet from scratch is the number N, a set of N sub keys, the index of each of those sub keys and a device that follows the standard protocol. The first N sub keys or master could be keys you already have or generated with tools following bip39. Any additional sub keys will have a value dictated by the rest so bip39 would not be applicable. QR Codes could still be used to store the additional sub keys.

Mentions:#SSS#QR
r/Bitcoin

The risk of losing your coins because of an SSS screw up is greater than the risk of someone bruteforcing like 8 seed words or whatever

Mentions:#SSS
r/Bitcoin

>there's no practical benefit compared to just splitting your plaintext seed.

So you don't understand what SSS does. A split plaintext secret reveals a portion of the secret to whomever finds the share. For example, finding two shares of a three-way split secret reveals two thirds of the secret to the finder. An SSS-shared secret reveals NONE of the secret to whomever finds the share. All the way up to M-1, finding any number of shares of an M-of-N secret (for example, finding 4 shares of a 5-of-8 secret) reveals NONE of the secret to the finder.

Mentions:#SSS#NONE
r/Bitcoin

If you're going to suggest researching a topic, the least you could do is call the thing by its correct name: [Shamir’s Secret Sharing (SSS)](https://www.hypr.com/security-encyclopedia/shamirs-secret-sharing-sss)

Mentions:#SSS
r/Bitcoin

True, it's very individual. It depends on the kinds of risks you have in your personal life, and how comfortable you are with the practices and the amount of money. In this example we're talking about securing at least $210,000. If you have $2000, that might be fine just being in a hot wallet on your Laptop. I can give some other examples that are easier: Single seed wallet, 3 metal plate backup sharded using SSS (Shamir's secret sharing). This is an ordinary wallet, but the backup is split into 3 pieces, such that you only need any 2 of 3 to re-create the wallet. The individual shards can be further sharded into 3 of 7 or other combinations to increase recoverability at no cost on stealability. You can store these with friends / family, safety deposit box etc. Your funds can't be stolen from a single compromised plate. Single seed wallet with passphrase. Single plate stored in safety deposit box or family. The security comes from using a long 25th word, that creates a new wallet. You must securely backup the passphrase somewhere separate. Multi-sig wallet, but the process is provided by turn-key services like Unchained, Casa, Nunchuck. Removes the complexity. But remember you always need separate wallets for spending and saving. You only ever send money from your savings to your spending wallet.

Mentions:#SSS
r/Bitcoin

> So having the 2/3 (or 3/4, 5/7, etc etc) shares alone is not enough to recover? The Xpub would be needed along with the designated number of shares?

Yes, you need the respective xpubs to recover a multisig wallet. A single sig seed split in shares (SSS) is something else though, it's just a method to save a seed in a certain way. SSS doesn't apply to how a seed was created and what type of seed it was etc.

> Is the xpub needed to recover a SSS wallet?

If it's a single sig wallet, then no. You can derive anything from the seed.

Mentions:#SSS
r/Bitcoin

Splitting it up is a terrible idea. You will increase the chance to lose funds, since you doubled the chance of the wallet being destroyed (you only have to lose one piece!) The biggest chance of losing funds is from losing / destroying the backup. First thing to do is get it stamped into metal plate or "seed plate". Now it's fire, water and dog proof. If someone breaks into your house they'll probably go for your TV and PS5. As long as the seed is hidden it's not a problem. Another part to this is don't talk about your bitcoin stack, otherwise you will invite thieves that target you specifically. If you want to split up the seed consider using Multi-sig or Shamir's Secret Sharing (SSS). Both effectively split it into an m-of-n e.g. 2 of 3 split where you only need *any* two of 3 parts to recover funds. If you lose one, you're still ok.

Mentions:#SSS
r/Bitcoin

Couldn't get the image to work. I had to OCR the image file and then copy two of the SSS hashes. Copied the private key into my mycelium wallet. You could type it manually, but it was too frustrating when I knew there would be no money in it. Good edumacation anyway. I didn't know about SSS. Also, I didn't know mycelium wallet could do that. Great stuff anyway. Reason I read this Reddit stuff, always learning good shit.

Mentions:#SSS
r/Bitcoin

I tried messing around with the link you posted, could you go into a little more detail on what I am to do to make it work? I uploaded a jpg pic of two of the 3 “private key shares” and I got nothing, I also tried pasting one of them into the “share” window that starts with “SSS-“ and that window just turned red.

Mentions:#SSS
r/CryptoCurrency

>But storing half your seed phrase in a single location is going to be better than storing all your seed phrase in a single location.

Storing half your seed phrase weakens it as someone who obtains half only has 2048^6 combinations to brute force. As you say if the whole seed phrase is stored and someone obtains it they have 0 brute forcing to do. However whilst you side step that part of the argument there is another of concern. Store the whole seed phrase in one location and it burns down (gets stolen etc), you have now lost your keys. Store half each in two locations and one location burns down, you have now lost your keys and need to brute force 2048^6 combinations to get it back. So we go back to what I originally said, either use Multisig or SSS via SLIP-0039 to implement n-of-m keys which addresses the issues of the two problems above.

Mentions:#SSS
r/CryptoCurrency

BIP39 (the wordlist used for seed phrases) consists of 2048 words. Given a pass phrase of 12 you have 2048^12 possible combinations that make up the phrase. If you split this seed phrase in half and an attacker gets half the phrase, they only have 2048^6 combinations to brute force the remainder of the key. The proper way to do it is what I mentioned above as it does not weaken the phrase (the ability to brute force it) when one Multisig key or one share/part of the phrase using Shamir's Secret Sharing (SSS) is stolen. If you spend some time reading about how these work (Multisig and SSS) then you will understand the difference. Some people even [oppose the use of SSS](https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/).

Mentions:#BIP#SSS
r/Bitcoin

SSS is shamir secret sharing. Long time known stuff. The device was mycelium company's gizmo. Clear from the logo. These are shares of the secret, not multisig. Do not put big money in until you know how things work.

Mentions:#SSS
r/CryptoCurrency

Just my dipshit opinion: The SSS portfolio will do very nicely this year- Sol, Sei, and Sui. Sol has obviously done very well thus far and probably will continue to grow with all the dapps and airdrop opportunities, with Sei and Sui being labelled as the possible "Sol killers". Newer L1s always seem to perform well in bull markets, and those are two young ones with a lot of potential for growth. Whether any of them truly succeed long term is a toss up, but I think short-mid term gain a lot of adoption and users.

Mentions:#SSS
r/Bitcoin

XOR is NOT the same thing as Shamir's Secret Sharing. XOR supports only N-of-N splits. SSS supports M-of-N, where any M shares are sufficient to recreate the secret. 2-of-3, 2-of-4, 3-of-7, 6-of-10, etc.

Mentions:#XOR#SSS
r/Bitcoin

If you're hell-bent on seed splitting, look into Shamir's Secret Sharing. The fundamental difference between simple seed splitting and SSS is that with simple splitting, each share of a N-way split reveals 1/N of the secret to the shareholder. With SSS algorithms, each share of an N-way split reveals 0/N of the secret. The main drawback of SSS is that, to my knowledge, there are no agreed-upon SSS standards so unless you know EXACTLY how your implementation created the shares, you might not be able to recombine them years from now.

Mentions:#SSS
r/Bitcoin

SSS is only available with Trezor right now, most wallets don't support it. So I would have to be a customer of Trezor, that just got the customer data leaked. That's a leak of privacy. With DIY you can roll your own bits, make a seed, then split it. All offline without any cooperation (ledger, trezor etc). I tried to calculate the time to bruteforce the 80 bits. That's why I responded to you. Because my calculation didn't make it seem as stupid as you make it sound. So I was curious if I missed something. Seems like I didn't. I am aware of the compromise in brute-force-security and the risk is worth it for the value I get out of this (for me personally). Security measures depend on what the attack-vectors are

Mentions:#SSS
r/Bitcoin

SSS's shortcomings by Jameson Lopp: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

Mentions:#SSS
r/CryptoCurrency

You did not understand the OP. Your mental model is too focused on a single private key. There are multiple ways to self-custody and sign a transaction. Zengo's 2/2 MPC approach is similar to a SSS (Shamir Secret Sharing) scheme in mental model. However with a SSS, you would originate one private key in one location, and then split it. We don't do that for a number of reasons. See here about key generation and vulnerabilities with doing it one time in one place: https://zengo.com/how-keys-are-made/

Instead, using MPC we independently generate two secret shares: One on your mobile device, and one on the remote server. Only your share (the Personal Share) can initiate and sign transactions, which leverage your device hardware's secure enclave or TEE. Together, these 2 secret shares do what a traditional private key (in one location) would do. And, if these 2 shares were ever to "come together" they would create a singular private key. (Which we would only let happen if Zengo were to go out of business, to ensure you can always access your assets. See more about Guaranteed Access here: https://www.reddit.com/r/CryptoCurrency/comments/190s3uc/comment/kgvlqew/?utm_source=share&utm_medium=web2x&context=3)

Here's the details of our MPC white paper on our github if you want to see the details: https://github.com/ZenGo-X/gotham-city/blob/master/white-paper/white-paper.pdf

Mentions:#OP#SSS#TEE
r/CryptoMoonShots

$SSS

Mentions:#SSS
r/Bitcoin

Use Shamir's Secret Sharing (SSS) to encode your seed into multiple shares. Each share is worthless on its own. Do multiple trips and make sure to have only a single share on you. If it gets compromised, do it over again with a new encoding. Using 2 of 3 shares would allow for one share being compromised, but the other two would still allow for reconstruction of the seed (your seed). Make sure the process of creating your share is done offline. You can basically use any mode of transportation (memorizing, paper wallet, obfuscation etc.) as long as you are able to recognize when your share got compromised.

Mentions:#SSS
r/Bitcoin

No. In your hacky setup an attacker could get either half of the 24 word seedphrase and compute the remaining half to steal all of your funds. You can't just divide the word list in two, you need proper cryptography to do this. It's called sharding a secret and there is an algorithm called Shamir's Secret Sharing or SSS.

Mentions:#SSS
r/Bitcoin

Multisig is part of the bitcoin protocol. Splitting the seedphrase (aka Shamir's Secret Sharing) is a kind of roll your own security. With multisig, your secrets never need to be in the same place at the same time. With SSS you need to have all secrets together when it comes time to spend and this is a single point of failure. With m of n multisig, you need m private keys but n (all!) public keys.

Mentions:#SSS
r/Bitcoin

Of course, however one of your central use cases is for less technical people to be able to restore the wallet. At some point you will have to settle between more secure and more accessible. SSS is a good balance.

Mentions:#SSS
r/Bitcoin

Maybe not as secure as multisig but also consider Shamir's Secret Shares [stamped in steel](https://blockmit.com/english/guides/diy/make-cold-wallet-washers/) and stored in several secure locations. For some people one possible advantage of SSS over multisig is that only one wallet needs to be managed. SSS is arguably easier to understand also.

Mentions:#SSS
r/CryptoCurrency

I think you're confused. Encrypting shards is not a feature of SSS and can cause additional issues. SSS involves breaking the seed phrase into parts (e.g.) 3 parts in plain text and storing them in separate geographical locations. Storing 3 or 4 separate full seed phrases for a 2/3, 3/3, 3/4 or 4/4 multisig wallet may be a preferable solution.

Mentions:#SSS
r/Bitcoin

>The algorithm is public and open source and quite simple so even if they (Satoshilabs, maker of Trezor) went out of business you can get software to do the reconstruction and then put the seed on another device by another manufacturer.

This is good to know. My one hangup about using SSS was the possible vendor lock-in risk, but it seems that's not a real issue. From what I've read, it's not possible to directly convert SLIP39 to BIP39, but there are software tools that will let you do the recovery somehow. It's not clear to me how difficult or secure such a recovery would be, but it does seem possible. Here's some info from Trezor: https://github.com/satoshilabs/slips/blob/master/slip-0039.md#user-content-bip39compatibility

>Some individuals have expressed a concern that the inability to convert SLIP-0039 shares to BIP-0039 may lead to vendor lock-in due to slow adoption of SLIP-0039 by hardware wallet vendors. This concern is unwarranted, since even if the conversion to BIP-0039 were possible and a user needed to recover their seed onto a device which does not support SLIP-0039, then they would need to use some conversion tool running on their computer. In that case they might as well simply recover their SLIP-0039 shares in a software wallet running on their computer and send all of their funds to a new seed on their new device. Thus the ability to convert shares to a BIP-0039 mnemonic makes no difference in this respect.

Given that, I'm strongly leaning towards using SSS. I hate the idea of having a single physical copy of the seed phrase. That just seems so vulnerable to theft and loss. I know that multisig has advantages, but it seems more complicated. SSS feels like a good tradeoff between security and usability.

Mentions:#SSS#BIP
r/Bitcoin

Thank you for the explanation. I would think that with all of the machinery that Trezor built around SSS, they could handle a solution built on multisig which saves all public keys with each private key. What would you think of a 2-of-2 solution. You could create multiple backups of each seed without having any backup as a single point of failure, and you avoid the problem of achieving a quorum without all pubkeys.

Mentions:#SSS
r/Bitcoin

Why would Trezor go to all the trouble of implementing SSS in such a complicated way, rather than just providing similar functionality around multisig?

Mentions:#SSS
r/Bitcoin

Most linux distros would have ssss installed or installable. At no point should you use any online tools for split or join SSS functions. NO WEBSITES.

Mentions:#SSS
r/CryptoCurrency

Check out How they implement a custom SSS called Weighted Shamir Secret Shares No tricks here Thank you @Beaf_

Mentions:#SSS
r/Bitcoin

Oh yeah that sarcasm wasn't executed very well. My bad. I'm poking fun at people that do have ability to access information on keeping their funds secure still don't do it. I agree holding the seed is ownership and that's the way to go. Keep it safe in your own possession. Or, I recently learned about [SSS](https://en.wikipedia.org/wiki/Shamir's_secret_sharing)... that sounds nice too...then you can have a recovered key if you lose it and you can get friends to help recover it.

Mentions:#SSS
r/Bitcoin

Solid advice, although I prefer multisig over SSS.

Mentions:#SSS
r/Bitcoin

FFS use shamir’s secret sharing. If you are the one and only person with the ability to create your private key, then you are the problem, not where you store it. Here’s a quick idea about what SSS does: it takes your seed phrase and splits it into as many parts as you like and asks you how many of those parts you think is the minimum you want to reconstruct your original key. You can refer to this as 4 of 7 or 2 of 5. So lets say it’s 3 of 7. That means that 7 of your most trusted friends will get a seed phrase - NONE of them individually can recreate your original seed phrase, but ANY 3 can. Let’s say you keep one phrase and assign the other 6 to people who don’t know each other or put one in a bank vault and another at home. Now you only ever need at most 2 other people to get your seed phrase back. You don’t even have to write it down! That means your whole house can burn down and you don’t need to worry about finding that one stupid piece of metal you put it on amongst the rubble. Download the offline version of Ian Coleman’s BIP39 tool and never look back.

Mentions:#SSS#NONE#BIP
r/CryptoCurrency

The dev of PEPE, @degenharambe (aka Zach Testa), is a known serial shitcoin scammer (SSS) who’s behind multiple failed/rugged projects since 2021. He ran the same scam with all of them, 10 wallets, making purchases of $30-$50 seconds after coin went live. Blacklisting any address who bought within the first hours besides him and his accomplices. He finally hit with PEPE and it made him filthy rich. Check out his beautiful purple Lambo paid for by PEPE retail plebs.. https://imgur.com/a/IlRDFCx

Mentions:#PEPE#SSS
r/CryptoCurrency

SSS Rarity Trader spills it all

Mentions:#SSS
r/CryptoCurrency

Secret Satoshi Society (SSS)

Mentions:#SSS
r/Bitcoin

SSS isn't multisig, just dropping this here in case people get confused.

Mentions:#SSS
r/Bitcoin

FROST is SSS v3 and does this. It basically inherits all the advantages of multi-sig and adds even more. This is gonna be huge for corporate adoption since they will be the ones with complicated 11 of 33 type signature schemes. Exciting to see it all get developed.

Mentions:#SSS
r/CryptoCurrency

Spot or not spot? Thats all i need to know. Just throw me an S or NS. Or just the first syllable SSS or NNN

Mentions:#NS#SSS#NNN
r/Bitcoin

Using SSS is better method of key splitting. But consider that multisig allows you to sign the transaction and never combine the keys into a single point of failure. So you can have two or more signing devices and BOTH keys need to be compromised. With seed splitting you are just protecting the backup of a single seed. You are not protecting the signing key it's still just a single signature required. Consider if you have a house with two co-owners on the deed. You BOTH need to sign in order to sell the house. That's quite different than having a single person be able to sign but splitting their soul into 2 or more horcruxes.

Mentions:#SSS
r/CryptoCurrency

Sure. Social recovery is a perfect way to keep your money safe and should be encouraged by HWW manufacturers (see Trezor's SSS scheme). The way Ledger did it screams government involvement.

Mentions:#SSS
r/CryptoCurrency

So how was your training to be an SSS-class degenerate? Were you successful moving up from S-class reddit degen?

Mentions:#SSS
r/CryptoCurrency

This latest firmware update literally leaks your seed phrase. It does not matter it's encrypted because it's 2/3 SSS and *you* don't hold 2/3 of the shards. If you held 2/3 this would all be a nonissue. Ledger has said governments can subpoena them or these 2/3 companies for your seed phrase. This service shouldn't be possible according to their own marketing. According to Ledger it was impossible for a firmware update to leak your seed phrase, and well. According to Ledger this update wouldn't be forced, and well... According to Ledger this can only happen if you press a button - trust me bro.

Mentions:#SSS
r/CryptoCurrency

>then you have morons jumping from Ledger to Trezor that has the exact same recovery option

I stopped reading there. You obviously have no clue if you think Ledger Recover is equivalent to Trezor's SSS option.

Mentions:#SSS
r/CryptoCurrency

Which brings us back to my point that I don't think it is encrypted. He said that the 3 companies cannot collude. I disagree. I don't think I can trust those companies. And he says they can be forced to give over your seed which makes me think it isn't encrypted. They're just using SSS and calling that encryption which it isn't. So if anyone gets hold of 2 of your shards they have your private key. I might be wrong and they might be encrypting it with their own key/passphrase (just wait till that gets leaked) and therefore only ledger can unencrypt it but I'm sceptical.

Mentions:#SSS
r/CryptoCurrency

[Shamir's secret sharing](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing) Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information (the "secret") among a group so that the secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts (the "shares") from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.

Mentions:#SSS
r/CryptoCurrency

Trezor doesn't have a secure chip. Its hardware is still a black box, so it can broadcast your seed using malicious chips/firmware and you have to trust Trezor (and their chip manufacturers) they're not doing this. Their firmware is open source. Because it doesn't have a secure enclave if your Trezor gets stolen someone is able to hack in and steal your keys.. Because it is open source there is no way to validate if you're using an official Trezor or official firmware.. Ledger can't open source because the company who makes their secure chip doesn't publicise their code, it is the industry standard. As a consequence you are able to verify if you have a real Ledger or not. IMO Ledger is the better of the two, still. If only because it's useless to a thief if stolen.. The risk assumptions, the trust in the company, is the same. These assumptions are there any time you use any (upgradable) hardware. You can DIY if you have an old computer or phone. Take it offline, learn to save a transaction as a file, take that file offline, sign the transaction message offline, and then broadcast that signed message online using a USB drive or by scanning its QR code. Now you have a cold hardware wallet which you control. It is not as *easy* as using a Ledger with Ledger Live but it is a lot more trustless, and not so difficult. You can also DIY social recovery using Argent or Loopring smart wallets and set up a 3/5 recovery using your own devices. Eg, your phone, computer, old phone, your friend, and customer support. This way if your house burns down and you still have your phone, with your friend and support you can recover your wallet. Without you it can't be recovered. You can set 11/13 or 1/2 or however you want. The issue with Ledger is they decided all your social guardians for you which is suspect and not ideal. 
There's nothing inherently wrong with social recovery and it is safer and more advised (by Vitalik and other core developers) than SSS/sharding which Ledger uses for its encryption. It's another option.

Mentions:#IMO#QR#SSS
r/CryptoCurrency

> If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button.

No one should trust the device without an audited open source code.

Mentions:#SSS
r/CryptoCurrencySee Comment

If you don't opt in there are 0 companies with your SSS

Mentions:#SSS
r/CryptoCurrencySee Comment

(1) Simple: if Ledger is compelled by force (as a law action), are those SSS to bring access to some wallet, it is possible to gather two of the required SSS (even w/o Ledger cooperation but of the custodians), is that true?

(2) If I own a Ledger device, and I never signed for Seed Recovery, may I be forced to activate this feature so an adversary can legally request Ledger for access to my funds?

If you answered Yes to both, you know what I'll do with my Ledger; if not, please elaborate WHY NONE OF (1) or (2) may happen.

NO LEDGER RESPONSE ON THIS YET.

Mentions:#SSS
r/CryptoCurrencySee Comment

>What an horrible mess.

Yep.

>So much anger, so much hate, and also so much insanity.

That’s easily on ledger.

>something went wrong and the Ledger Recover service was put in your face in the worst way possible.

>It relies on the fact that you need to trust Ledger to provide with a firmware doing exactly what it is supposed to be doing.

We no longer do and never will again.

>So people started to think Ledger was a trustless solution, which is not the case.

The word you’re looking for here is believe. Because a lie was tweeted by ledger. So some of us believed. Not “thought”.

>Some amount of trust must be placed into Ledger to use their product.

All of our trust. All of our funds at stake here.

>If you don't trust Ledger,

We no longer do and never will.

>The mistake of some of the "power user" community (reddit, twitter...) is to become batshit crazy and start writing stuff like "there is a backdoor from day one" or "the government has taken over Ledger".

What’s “batshit crazy” is this entire hostile launch and the way ledger just seemed to unload this unwanted feature upon its customers seemingly with complete malice.

>The hard truth, which has been confirmed by many experts who took the time to actually deep dive on the subject, is that nothing changed.

Everything changed.

>Absolutely nothing happened. The security model is the same than before you knew Ledger Recover existed.

Then ledger has always been shit.

>take a deep breath and actually think about the facts.

The facts are, my funds are at stake because a shady ass French company is playing funny games.

>If you think that Ledger did a terrible thing

They did.

>but at the end the real victims will be the noobs who in panic will try to offload their crypto from Ledger, make stupid mistakes and lose it all.

Everyone who migrates from ledgers shitty platform will be safer by definition.

>Ledger is still safe,

Doubt.

>there is no backdoor

Doubt.

>the Ledger Recover is not a conspiracy

Conspiracy or just completely asinine business move, we don’t care.

>If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button.

We no longer trust either.

Mentions:#SSS
r/CryptoCurrencySee Comment

> If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button.

I trusted that (perhaps foolishly) because I believed the "secure enclave that can't release the key", that we now know was bullshit. Ledger will never have my trust again. This is not a case where you get even a hint of a second chance.

> The Recover code in the firmware is not a malicious code nor does it open a way to arbitrary extract the seed.

"Trust us". NO.

Mentions:#SSS
r/CryptoCurrencySee Comment

SSS is not the problem here, it's sending these shards to a PC via USB and then to some random companies Ledger selected.

Mentions:#SSS#PC
r/CryptoCurrencySee Comment

The [FAQ](https://support.ledger.com/hc/en-us/articles/9579368109597?docs=true) doesn't appear to make sense.

**Who has access to my wallet with Ledger Recover?**

> In short, only you can access your wallet. When you subscribe to Ledger Recover, *a pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments*, with each fragment secured by a separate company—Coincover, Ledger and an independent backup service provider. Each of these encrypted fragments is useless on its own. When you want to get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device, reassembling them to build your private key.

The way BIP39 works is well documented in the BIPs.

* Some entropy is generated.
* This is converted into a BIP39 seed phrase.
* From the seed phrase you can get back to the entropy.
* The seed phrase is turned into a seed.
* The seed can not be turned back into the seed phrase.
* The seed phrase is turned into the master private key.
* The master private key can not be turned back into the seed.

So I assume the pre-BIP39 is the original entropy. But it also says this.

**What should I do with my recovery sheet once I subscribe to Ledger Recover?**

> Ledger Recover can restore your private keys to your device, but it can't provide you with your Secret Recovery Phrase [BIP39 seed phrase]...

So it must have encrypted and SSS the seed or master private key which are post-BIP39?

I'm not interested in using these companies because I can't know that they won't work together to get my seed. My concern is, what happens if you connect the ledger to a compromised computer. That's the whole point of a HW wallet; to never give the private key to the computer. If my computer is compromised can an attacker get the ledger to give up these shards? But even if they can it's still encrypted? How is it encrypted? It must be encrypted with a passphrase or an encryption key. Back to the FAQ.

**What if I lose my Ledger device that is associated with my Ledger Recover subscription?**

> Simply get another Ledger device and follow the process to recover access to your wallet.

So it's not tied to the ledger device in any way, making it unlikely to be an encryption key. If it's a passphrase where does the ledger get the passphrase from? It would have to be inputted directly to the ledger to be secure. It would also need to be a strong passphrase. And if you need to remember or write down a strong passphrase you might as well just remember or write down the seed phrase. If the passphrase is fed to the ledger by the computer then couldn't an attacker give it his own passphrase making the encryption pointless?

Mentions:#BIP#SSS
r/CryptoCurrencySee Comment

You don't have to share them with people, you can hide them in different people. The advantage of SSS over sharing a part of your seed is entropy. If you have less shares than required, you have no advantage in guessing the seed and have to guess the total 128 or 256 bits, no matter how many shares are missing.

Mentions:#SSS
r/CryptoCurrencySee Comment

Read how SSS works. The call is the ”gimme my seed”, and you get the seed with all the parts needed to decrypt it right there. Your seed leaves the SE. Only way you can ”back it up”. Literally only way.

Mentions:#SSS
r/CryptoCurrencySee Comment

> Well seems Nano S is actually safer for now as the they cannot put the ledger recover in it. FYI it is possible that the reason they can't put ledger recover on the nano S is because it doesn't have the space to store the 3rd party keys and compute the SSS + encryption. The secure chip might well have been able to give up the private key all along with a firmware update.

Mentions:#SSS
r/BitcoinSee Comment

I stopped recommending ledgers years ago for many reasons outside of this. While this feature is "optional" it does introduce code that handles the private keys with the express intention of handing them over in encrypted shards to regulated third parties. There are numerous concerns with this:

1) The fact that ledger isn't 100% open source means we cannot audit the "optional" feature to see if there is a bug or exploit that can lead to loss of funds

2) There are questions with government asset forfeiture or seizure where they can force the custodians of these SSS shards to freeze the funds and perhaps take your coins. This is not helped by the fact that their terms and conditions linked in their own FAQ is a dead page offering no clarification https://www.coincover.com/l-terms-and-conditions

3) Even after their large marketing breach that placed most of their clients at risk they are now encouraging you to give even more of your personal details (IDs) over for this feature that might be shared or stolen and place you at far greater risk

4) They have a history of placing profit over security with supporting many scam altcoins which greatly increases the attack surface and this just reinforces that

Mentions:#SSS
r/CryptoCurrencySee Comment

Firmware that can leak seed in form of SSS shards, not making it optional, rolling it out without announcement. I think it's very fair to say they fucked up multiple times, and there is no "only mistake".

Mentions:#SSS
r/BitcoinSee Comment

What's to stop Ledger (or an attacker pretending to be Ledger) from rather than doing the SSS, just sending the keys directly and pretend to SSS it? You authorise it and bam, your keys are exposed. The fact that there is a way to enable the possibility of sending anything other than signed transactions off the device online means the device itself can be updated to do anything, including sending the seeds directly to an attacker. It's now a dead product on arrival. The only safe way to use the Ledger now is for offline signing only; you can never connect the Ledger to an online PC.

Mentions:#SSS#PC
r/CryptoCurrencySee Comment

Thank-SSS!

Mentions:#SSS
r/CryptoCurrencySee Comment

That's unfortunate, but I guess I wouldn't consider wallet A more secure than B because A implemented SSS. It might make managing seed phrases safer though, as long as the process is well understood.

Mentions:#SSS
r/CryptoCurrencySee Comment

This is what the original trezor used as their main recovery method, but it is not very good. With 24 word seed phrases you're reducing entropy from 256 bits down to 79 bits, which might be enough currently but not in the future. With 12 word seed phrases this is not safe at all. It's much better to use seed XOR or SSS.

Mentions:#XOR#SSS
r/BitcoinSee Comment

>I expect this inflation to only accelerate with better technology to get gold out of the ground and sea.

It's much worse than merely this. In 2026 Psyche satellite (already launched) will start reporting back to NASA the expected reality that there will be a sudden hyper-inflationary spike in the volume of gold being mined in the near future https://www.jpl.nasa.gov/missions/psyche/

Since psyche 16 asteroid represents an example of an asteroid that is a core of an early planet thus metallic and estimated to contain around $700 quintillion dollars of precious metals (gold, platinum, etc.) or 93 billion dollars of precious metals per person. This is just one example of many future asteroids that will be mined and this is merely a single asteroid of many that are metallic.

While mining will not start immediately, the markets will start pricing in the expectation of mining and nation states will start to slowly sell their gold reserves if they are wise enough, flooding the market with cheap gold. Nation states will need an alternative asset to hedge against.

> I only have to remember my Bitcoin private key and I can have my money in my head.

Not only this, bearer assets like Bitcoin have similar security properties as gold if you have a single BIP39 seed backup written on paper or metal. Someone finds your gold or bitcoin backup, then someone can steal your asset. Where Bitcoin improves on gold is the ability to secure itself beyond this with solutions like SSS, multisig, passphrases and Bitcoin vaults that gold lacks. This way merely finding your seed words is not enough to steal your bitcoin.

Mentions:#BIP#SSS
r/CryptoCurrencySee Comment

Hmm, difficult doesn't seem hard enough. Give me the SSS-tier difficulty.

Mentions:#SSS
r/BitcoinSee Comment

Interesting take. While many teams are building to make seedphrase backups obsolete through MPC, SSS, AA etc. Reading the contrarian view to why seedphrases are important is healthy.

Mentions:#MPC#SSS
r/CryptoCurrencySee Comment

SSS Satoshi’s Sats Symbol

Mentions:#SSS
r/BitcoinSee Comment

>BTC has never witnessed a macro economic environment like this before

It is fairer to suggest the implosion of mtgox in 2014 and the 2017 blocksize wars were far more dangerous times for bitcoin than a global recession. The reality is that Bitcoin is much more secure now than years ago.

>and is strongly correlated with the likes of the NSDQ.

This is a very recent correlation due to newer institutional investors. Historically Bitcoin is an uncorrelated asset class and will lose that correlation in the next bull market I predict. The disinflationary schedule has a profound effect upon the market cycles in Bitcoin which is not found in equities.

>what would this mean for BTC?

None of us knows the perfect time to invest or can predict the price. The intelligentsia of the market is the combined knowledge of all humans and algorithms which is more knowledge than anyone can have. Also bitcoin is so scarce that a single wealthy investor can significantly move the market in secret and unannounced. Rather than trying to time the market, let time work for you.

**Time in the market will tend to beat timing the market**

It is highly likely that a bull market will occur in mid to late 2024 due to the halving however. Bitcoin does not necessarily need new adoption to go through these market cycles of appreciation as the same buying pressure from existing users will cause these bull markets due to the disinflationary 4 year events.

>The ‘institutions’ are not coming

Institutions have been regularly investing in Bitcoin. https://bitcointreasuries.net/ It will not occur all at once and is a slow process, but bitcoin is so scarce that even a single institution can dramatically affect the price.

>ESG compliance,

Bitcoin has an important role in solving ESG compliance as it incentivizes investment into renewable energy and it uses waste energy.

https://www.youtube.com/watch?v=nkeZVcGsva8
https://www.youtube.com/watch?v=bFYKq5Qe1Bs
https://www.youtube.com/watch?v=1vROP40L9Bg
https://www.youtube.com/watch?v=lCkHEqxDsYQ
https://www.youtube.com/watch?v=qu156PvA-NI

>‘We have seen this all before, Mt Gox etc’ No we haven’t. Never before has so much been lost by so man

Mtgox was a much bigger event than these recent collapses by the % of people affected and the amount of Bitcoin stolen.

> that the coming regulation is likely to be punitive in the extreme.

Regulation will encourage more self custody which is a good thing for Bitcoin.

>For retail it is highly likely that regulators will seek to control all on and off ramps making it near impossible to own or realise any gains.

You don't need on and off ramps with Bitcoin but any regulations you speak about can often easily be dealt with, but you are being very vague here as to what you are suggesting will happen to address directly.

>There will be no ETF, ever.

This would actually be a great thing. An ETF is a double edged sword and we should encourage more self custody or at least multisig for institutional investors

>Energy usage is an issue regardless of the facts of environmental impact .

Fiat currency and PoS coins cost at least the same amount of resources to create, regulate and secure as Bitcoin. There is an inescapable reality for any asset or currency that as it increases in value the production costs and costs to secure increase as well. This is demonstrated in the economic axiom:

MC=MR

“Rent” always forces production costs (MC) to always equal sale prices (MR)

PoS currencies and fiat are simply more abstract and complex forms of Proof of Work that use more human involvement (which uses tremendous amounts of resources and has a tremendous environmental impact) as a PoW coin like Bitcoin. Humans instead of ASICs are shouldering more of the work to create, regulate, and secure each of those currencies. This is "work" whether it involves burning electricity directly or food and electricity that humans consume to perform their work.

This is an inescapable economic reality. The more valuable something is the more it will cost to secure it because the more effort will be made to steal and or control it. This applies to any currency or asset. This is also better understood with the dollar auction dilemma. In a hypothetical auction where a bidding war is fighting over the right to mint a 1 dollar bill how much do you think people will be willing to spend for this power?

>This is now leading to a declining hash rate.

This is false. Hashrate has grown considerably over the last year - https://bitinfocharts.com/comparison/bitcoin-hashrate.html#3y

>the only thing that has brought new people to the space is price speculation.

You are being a bit hyperbolic here. The main thing that brings people into bitcoin is speculation, not only. Also after they learn more these people often end up appreciating bitcoin for multiple reasons over time.

>what is the narrative that would bring new people to this space?

1) **Save money** - I like to save money with various services like lolli.com, ln.pizza, foldapp.com, purse.io, or bitrefill.com (Bitcoin achieves this by credit and gift card arbitrage opportunities thus creating an efficiency)

2) **Digital Gold** - Bitcoin is very desirable and scarce and since it is an uncorrelated asset class your portfolio is better hedged to be a safer way of finding alpha

3) **Timestamping** - Tweetstamp, and opentimestamps are useful timestamping tools

4) **Insurance** - If my bank account or credit cards get lost or stolen or account is frozen Bitcoin is a great alternative to store value

5) **Censorship Resistance** - I can make donations to organizations like defense distributed or wikileaks even if their payment processors and banks are shutoff due to unethical political pressure

6) **Sovereignty** - As a Business I can accept value even if I am deplatformed or banned from banking

7) **Micro transactions** microtxs are simply not possible with fiat, where I can do so with my BTC lightning wallet

8) **Security** SSS and multisig with CLTV and other scripts allow for novel methods to secure ones wealth

9) **Privacy** with electronic fiat I have no privacy unlike with Bitcoin transactions where I am given a choice between privacy or transparency with each wallet

10) **Global** I can travel the world, rent hotels and buy plane tickets and withdraw local currency easily without fears of credit card fraud. I can send payments to employees in foreign countries easily

11) **Interesting and fun** It is fascinating mixture of technology, game theory, security, mathematics, politics, and economics that never bores me

r/CryptoCurrencySee Comment

If the premise is already not trusting banks by default, then no paid service to guard anything would be possible. Also if you do not trust anyone, giving copies to others would be a no go zone too. Unless you'd use a method to split up the seed into multiple parts but not even by splitting it simply into multiple parts, but more by using a method like Shamir Secret Sharing (SSS), where you can decide how many shares there are and how many are needed to restore the secret. Then you can distribute the parts all over the place, friends, family, wherever. It requires a set threshold of shares to be able to recombine into the origin seed.

Mentions:#SSS
r/BitcoinSee Comment

> Floods and fire can’t destroy it.

Floods and fire cannot destroy my metal seed backup either

> If I lose the combination to the safe I can get a locksmith to open into it and retrieve the gold.

You aren't supposed to only memorize the passphrase. This needs to be stored physically and separate from your 12-24 seed words

>If I die, my heirs can open the safe and take the gold

It's not difficult to transfer ownership of Bitcoin upon death. The simplest solution is to leave your seed words in a safety deposit box and your passphrase in your sealed records at home with your will. A Bank or third party would not be able to steal your bitcoin this way and transferability is easy.

---------------

Without discussing the more complex forms of security in Bitcoin such as vaults, SSS, multisig, let's just keep it simple and discuss what a luddite can easily setup and understand as implemented in many hardware wallets. BIP 39 seed + passphrase + metal backup compared to gold. Bitcoin is superior to gold in many ways as a money but let's just ignore that for a moment and focus on securing gold.

**Gold advantages over Bitcoin**

Slightly less risk from edge cases like systemic problems with bitcoin, exploits/bugs found in the hardware wallet used to generate the private keys

Simpler UX from storing and initial setup

More trusted history but also more uncertainty due to risks in asset inflation from asteroid mining leading to rapid devaluation

**Bitcoin advantages over gold**

More than one backup can be created unlike with gold. Lose your gold bar/coins lose it altogether. Lose your bitcoin seed words, recover them with either your hardware wallet or 2nd backup.

Backups lost/stolen do not lose your money as they are secured by a passphrase not located with the backup. You find the gold, you can steal the gold.

Bitcoin is easier to securely travel with than cash or gold without being seized. xray machines find gold and dogs smell cash unlike with bitcoin.

Bitcoin is easier to validate than gold. Gold coins need special tools like balancers/pingers and only work with a limited set of coins. These tools can cost hundreds of dollars and take time to verify unlike with bitcoin with a free wallet. Gold shops sell fake coins and tungsten bars, even certified gold can often be fake and testing them requires specialized equipment like ultrasound machines.

large amounts of bitcoin can be secured in a very small amount of space unlike large amounts of gold which takes up space and is heavy which makes bitcoin easier to hide and transport

Mentions:#SSS#BIP
r/BitcoinSee Comment

It's definitely a new category that blurs the definition of tangibility and property being a scarce digital "property" that could be considered an "intangible" digital property. Being digital means it has some superior properties as physical money like gold coins like instant global portability and ease of transferability. It is also easier to secure as you can use multisig/SSS or passphrases than gold coins. It also has better divisibility in a practical matter. Of course digital fiat also shares some of these properties being "intangible" but there are differences with certain advantages and tradeoffs to fiat being registered value and certain to bitcoin being a digital bearer money. What is interesting about this shift is the key aspect of gold that these older gold bugs appreciate about their investment, being tangible and physical commodity that can be used and held physically, is the same thing that newer generations reject and see as a burden or something that takes up space or inconvenient to store or secure.

Mentions:#SSS
r/BitcoinSee Comment

>> Is there a way to have a 3-of-3 multisig, each party having 8 words of the key?

> nothing about OP_CHECKMULTISIG suggests it's not possible

No, OP's objective is not possible with multisig, which both of you are confusing with SSS.

Mentions:#OP#SSS
r/BitcoinSee Comment

First of all, don't memorize it if that's your only method. With practice, memorization is powerful, but it's not perfect. And the worst part of it is that there's no error detection in memorization. You may have swapped a few words around in your memory without noticing it and you will go about your life thinking you have the seed phrase memorized, because you can recite it at will, only to find out it's not correct when you eventually need it. My suggestion is to use Shamir's Secret Sharing (SSS) algorithm to split the seed in a number of fragments. With SSS you can create an n-of-m split, where you obtain *m* fragments and need at least *n* to recover the original data. An added advantage is that if an adversary recovers any number of fragments less than *n*, they have no brute force advantage over someone with no information. So maybe use a 3-of-4 scheme. One piece, you take with you when you move on a piece of paper. Just drop in the bottom of your bag or so. Plenty of people have random notes, receipts and other pieces of paper hanging out in their bags. Another piece, you send by post to your new address. Since your wife is already there, you can do that before you actually fly out. The third piece, you store in a cloud storage platform, encrypted (or not, with SSS an attacker gains no advantage of having a single fragment). And the fourth piece, you leave with a family member or friend at your old location, with instructions to mail it to you when you ask for it. Normally it won't be needed, because the 3 other fragments are enough. But if one of them is lost, here's your backup. You can modify or expand this scheme in whichever way works best for you. You could even leave most fragments with (unrelated) friends and only have them sent to you when you need the seed phrase.

Mentions:#SSS
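
The n-of-m split and the "no brute force advantage" property described in the comments above, as an added example (not code from any commenter or wallet vendor, and not compatible with SLIP-39 or SSKR). It goes slightly beyond the 3-of-4 case by also constructing, for any candidate secret, the missing share that would make it correct. The function names and the choice of 2**521 - 1 as the field modulus are assumptions made for this illustration.

```python
"""Shamir's Secret Sharing over a prime field (illustrative sketch)."""
import secrets

# Assumption for this example: the Mersenne prime 2**521 - 1 as field modulus,
# comfortably larger than a 128- or 256-bit seed.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split(secret, threshold, total):
    """Return `total` shares (x, y); any `threshold` of them recover `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= total:
        raise ValueError("need 1 <= threshold <= total")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, total + 1)]


def interpolate_at(points, x0):
    """Lagrange-interpolate the polynomial through `points`, evaluate at x0."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinate among shares")
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x0 - xj) % PRIME
                den = den * (xi - xj) % PRIME
        result = (result + yi * num * pow(den, -1, PRIME)) % PRIME
    return result


def recover(shares):
    """The secret is the polynomial's value at x = 0."""
    return interpolate_at(shares, 0)


def missing_share_for(known_shares, candidate_secret, x):
    """With one share fewer than the threshold, build the share at `x` that
    would make `candidate_secret` the recovered value. Such a share exists for
    every candidate, so the known shares rule nothing out."""
    return (x, interpolate_at([(0, candidate_secret)] + list(known_shares), x))


def demo():
    # Constructed 128-bit value standing in for wallet entropy.
    seed = 0x00112233445566778899AABBCCDDEEFF
    shares = split(seed, threshold=3, total=4)
    # Any three of the four fragments recover the seed.
    recovered = [recover([shares[a], shares[b], shares[c]])
                 for a, b, c in [(0, 1, 2), (0, 1, 3), (0, 2, 3), (1, 2, 3)]]
    # Holder of only two fragments: every guess is equally consistent.
    two = shares[:2]
    guesses = [0, 1, 2**128 - 1]
    forged = [recover(two + [missing_share_for(two, g, 3)]) for g in guesses]
    return seed, recovered, guesses, forged


if __name__ == "__main__":
    seed, recovered, guesses, forged = demo()
    print("all 3-of-4 subsets recover the seed:", all(r == seed for r in recovered))
    print("two shares are consistent with arbitrary guesses:", forged == guesses)
```
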
r/BitcoinSee Comment

>For one, gold and silver actually are pretty divisible.

https://www.reddit.com/r/Bitcoin/comments/y4miuw/will_bitcoin_overtake_the_gold_as_no1_store_of/isfrpg9/

Also it's not really practical to carry a heavy bag of silver coins around to spend

>Gold has an advantage over BTC in terms of censorship in that it can be traded totally off-record.

So can Bitcoin, in fact over 99% of bitcoin transactions occur offchain.

>they could target node owners and even turn off the internet temporarily, halting all transactions.

Turning off the internet has been attempted before from dictators and is not really practical. You also do not necessarily need the internet to transact in Bitcoin

>There's nothing any government can practically do to stop people from trading fractional metals under the table,

It's very easy to detect silver and gold with metal detectors or searches and not so with bitcoin

>favor of gold as a store of value.

yes, gold is a good store of value longterm. Short term gold has much longer bear markets losing purchasing power year after year much worse than bitcoin

>remotely compromised in a way that physical gold doesn't, even if that chance is next to none.

The security assumptions of cold wallets in bitcoin are very similar to bitcoin (hide gold vs hide 12 words on metal) for the simplest of backups. Of course bitcoin used with multisig, SSS, or a simple passphrase starts to become much more secure than gold for storage.

>Bitcoin is a currency, and gold is money.

Both are bearer assets. Bitcoin is money.

Mentions:#BTC#SSS
r/BitcoinSee Comment

> Insurance, would not be necessarily improving your security, but insurance also encompasses covering the financial loss when an unlikely event happens. [...]

Sure. You do understand that I was providing an alternative to insurance? A system that ensures the wallet won't be lost.

> If you keep your seed phrase somewhere else you essentially create a second copy for access to your bitcoin. This gives the trusted party, in this case the custodial, full access to your funds. This is, invariably, increasing the risk. [...]

No, it doesn't if you use a passphrase. The seed phrase alone isn't sufficient to access the wallet.

> Yes, without passphrase, you get a different wallet. It is correct that there would be no direct access. But you just complicate the issue by having to keep your passphrase safe. If you choose an easy passphrase, the computational difficulty of guessing your wallet (providing you know the seed phrase) becomes something in the order of weeks/months instead of trillion years. If you choose a more complex and difficult passphrase, storage of your passphrase becomes the next issue. The human brain is ridiculously lousy at remembering exact stuff.

A passphrase can be bruteforced but it's relatively easy to create one that is both memorizable and strong enough to defeat bruteforce attempts. Even the CIA/FBI is routinely stomped by passphrase encrypted hard drives. There are also solutions to the problem of forgetting the passphrase:

1) Store the passphrase in a location separate from the seed phrase (e.g. in a cloud storage or different physical location).

2) Test your passphrase routinely and move your BTC to a new wallet as soon as you realize that you forgot the passphrase.

> So you need to get n parties together, and you need to trust them enough, ideally they do not know each other, to not collude with x-1 other parties in your SSS setup. It can be done. Depending on the size of x and n, however,

Yep it can be done.

> you essentially reduce the complexity to brute force attack the rest of the seed phrase... in a VERY significant way, it is not linear. Not knowing 12/24 words reduces the time it takes to brute force much more than half.

Even if you were sloppy with the SSS, it's practically impossible to brute force a pass phrase even by knowing 12 words out of 24. I don't think there's ever been an instance of a 12 word pass phrase being brute forced. Even if it was possible, it would only realistically happen if you hand the secret to someone who is a programmer and has a lot of money to spend for an unknown reward.

> This would just tell you when you got robbed. It does not provide extra security. If you would be able to catch this, between the tamper seal being discovered broken, and the thief moving the funds, you are dealing with a very, very stupid thief.

Indeed. With a passphrase, the wallet's passphrase needs to be brute forced. A bad passphrase would still take months or years to brute force. The seal can tell you when it's time to move out your BTC from the wallet and therefore defeat any possible brute force attempts.

In conclusion, the failure modes of the strategies I described are extremely unlikely. In comparison, the risk of losing the single copy of a wallet that is carried on one's person is huge. There are so many ways you could lose your wallet in that way, all with much higher probability that the backup methods I mentioned would fail. Robbery, seized by customs, dropped by accident, physically destroyed in accident, etc.

Mentions:#CIA#BTC#SSS
r/CryptoCurrencySee Comment

>to My no is llll km. JJ llll . Please session the car. N. . N. N n . . M. .m. .mm n .bnmnnm n. Nb. N nm m . . SAASAAA .. No . . M m m m .v .m .m. .mmm. Can v. . ,! . M m van. ,. SSS GOOD 3+@ A m

Mentions:#SSS
r/BitcoinSee Comment

Why Multisig is better than SSS - https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

**Multisig with 3 hardware wallets** - https://www.youtube.com/watch?v=Sxo169CCfIc https://saleemrashid.com/2018/01/27/hardware-wallet-electrum-multisig/

---------------------------

**multisig with Caravan** https://www.youtube.com/watch?v=bfRzexEpTdI

------------------------

**multisig with Lily** https://www.youtube.com/watch?v=P5UIvCi9FSM

---------------------------

**multisig with Electrum** https://bitcoinelectrum.com/creating-a-multisig-wallet/

------------------------------

This is how a 2 of 3 multisig would be stored -

Backup 1 12 word seed for sig 1 + MPKs or Xpubs for all 3

Backup 2 12 word seed for sig 2 + MPKs or Xpubs for all 3

Backup 3 12 word seed for sig 3 + MPKs or Xpubs for all 3

on 3 metal backups stored in 3 separate locations in a private and secure manner

Before you trust this wallet send a small amount of BTC and manually recover it before sending more

----------------

**Multisig is advanced and most people would be better off with a hardware wallet using the passphrase feature**

Mentions:#SSS#BTC
r/BitcoinSee Comment

Why does everybody who criticizes SSS always think that it’s being used for transactions? What about just securing a BIP 39 passphrase? Or the 12 or 24 word seed phrase? Why do transactions have to enter into the equation at all?

Mentions:#SSS
r/BitcoinSee Comment

Yes. If it's a concern then simply multiple copies of the mnemonic sentence is also an option (with seed extension against theft of course stored separately). SSS is just a fancy way of complicating one's life.

Mentions:#SSS
r/BitcoinSee Comment

Could you please elaborate on how to create an SSS backup? And what is the cold wallet you have in the picture?

Mentions:#SSS
r/BitcoinSee Comment

There are certain situations where Shamir's Secret Sharing Scheme has an advantage over MuSig: MuSig requires multiple wallets. If I just want to back up the seed phrase of a single wallet and store it securely in a redundant way then I would choose SSS (i.e. SSKR) over MuSig.

Mentions:#SSS
r/BitcoinSee Comment

Please bear [Shamir's Secret Sharing shortcomings](https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/) in mind. Note the comment: *many attempts at SSS have been so weak a child's speak-n-spell could crack them*

In order to overcome possible shortcomings in other implementations Blockchain Commons have developed a standard and interoperable implementation of Shamir's Secret Sharing Scheme called [SSKR](https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-011-sskr.md) and an accompanying library [bc-sskr](https://github.com/BlockchainCommons/bc-sskr).

Mentions:#SSS
r/BitcoinSee Comment

[Why SSS is a bad idea](https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/) (a James Lopp blog entry on SSS including insightful quotes by Gregory Maxwell).

Mentions:#SSS
r/BitcoinSee Comment

> Why would you use SSS vs a regular multisig?

I wouldn't. SSS is "neat", but multisig is far superior. The biggest problem with SSS is that it requires constructing the mnemonic phrase (representing the private key) in one location in order to sign a transaction. With multisig, you can take an unsigned transaction to one physical location where a key is, sign the transaction and re-secure the key, and then take the partially-signed transaction to an entirely different location to get it signed by a different key. At no point is there a quorum of keys in the same place at the same time, so it's impossible for the quorum to be stolen or lost together or to sign unintended transactions. Can't do this with SSS.

Mentions:#SSS
r/BitcoinSee Comment

I think I wouldn't use it in real life since having a well hidden 24 word seed phrase (including well hidden backups) plus a good passphrase (25th) is secure enough and doesn't make things unnecessarily complex. Nevertheless playing with [Ian Coleman's SSS tool](https://iancoleman.net/shamir/) (yep, that's the guy with his famous [BIP39 tool](https://iancoleman.io/bip39/)) is quite astonishing and a hell of fun.

Mentions:#SSS#BIP
r/CryptoCurrencySee Comment

I find SSS to be far more convoluted, regardless of implementation. I have an archive that has my key inside, and I know the password. Simple!

Mentions:#SSS
r/BitcoinSee Comment

I might be mistaken about their firmware, I can't remember the details.

> I guess the other gripe I have with ledger is, they aren't bitcoin focused. They keep adding more shitcoins.

I too hate this about ledger.

> Also, I own 2 ledgers. One for me personally and one for my business. I can use Ledger Live to view the wallets/accounts on both at the same time. Their only capability to connect to your own node is experimental and it only allows you to connect one device, AND you have to run a sidecar app.

My favorite hardware wallet is the ledger but I would use it only for signing, I would not use ledger live whatsoever. I would watch the wallet using Electrum and Electrum Personal Server.

> Thinking about XOR seed phrases with a passphrase on the resolved private key.

I prefer multisig over user space shenanigans such as XORing seed phrases, SSS, etc. You could still use a passphrase.

Mentions:#XOR#SSS
r/BitcoinSee Comment

Early versions of RBF date back to Satoshi and the modern version was finished in BIP 125 in 2015, thus them not researching this for 7 years reflects gross incompetence. My guess is they are not so incompetent as you allude to and are just lying and blaming the mempool when their hot wallet was drained and they have a slower (correctly so) method of SSS or multisig to tx funds from their cold storage.

Mentions:#BIP#SSS
r/BitcoinSee Comment

Or use a single hardware wallet that implements a version of Shamir Secret Sharing ([SSS](https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing)) e.g. [SSKR](https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-011-sskr.md) and store your steel share backups in multiple locations. See: https://www.reddit.com/r/ledgerwallet/comments/ibkls4/does_ledger_have_plans_to_implement_shamir_secret/

Mentions:#SSS
r/BitcoinSee Comment

You don't want to have access to a large sum by yourself in my opinion (why would you); geographically splitting the risk would be ideal. If you know what you are doing you can store your keys on the blockchain, you can translate your keys in a food recipe or anything: if you want to have proper security depending on your needs, it's a question of accommodation which depends on your mental state and physical security. To eliminate central point of failure you can look into multisig/SSS if you value the need for more security. It might sound silly, at this point I prefer having no/losing access to my funds than a thief using barbarian tactics to get it.

Mentions:#SSS
r/BitcoinSee Comment

add a passphrase *or* look into multi-sig *or* SSS, Odds are pretty much *impossible* OP.

Mentions:#SSS#OP
r/BitcoinSee Comment

Most people would be better off using the passphrase feature instead of multisig and doing the following: https://www.reddit.com/r/BitcoinBeginners/comments/g42ijd/faq_for_beginners/fouo3kh/

While this is technically not multisig it simulates many of the benefits of multisig. Many people take for granted that loss in Bitcoin is often due to human error and one of the great weaknesses of multisig is concerns with typos and "bitrot" with the 3 Xpubs you need to write down that unfortunately are not represented as words like BIP39 that help prevent concerns of data integrity loss

Here is information on various multisig solutions:

Why Multisig is better than SSS- https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/

**Multisig with 3 hardware wallets**- https://www.youtube.com/watch?v=Sxo169CCfIc https://saleemrashid.com/2018/01/27/hardware-wallet-electrum-multisig/

---------------------------

**multisig with Caravan** https://www.youtube.com/watch?v=bfRzexEpTdI

------------------------

**multisig with Lily** https://www.youtube.com/watch?v=P5UIvCi9FSM

---------------------------

**multisig with Electrum** https://bitcoinelectrum.com/creating-a-multisig-wallet/

------------------------------

This is how a 2 of 3 multisig would be stored -

Backup 1 12 word seed for sig 1+ MPKs or Xpubs for all 3

Backup 2 12 word seed for sig 2+ MPKs or Xpubs for all 3

Backup 3 12 word seed for sig 3+ MPKs or Xpubs for all 3

on 3 metal backups stored in 3 separate locations in a private and secure manner

Before you trust this wallet send a small amount of BTC and manually recover it before sending more

----------------

**Multisig is advanced and most people would be better off with a hardware wallet using the passphrase feature**

r/BitcoinSee Comment

I agree. It depends a lot on the size of his stack. If he is holding 100 sats then nobody will bother. If it's 100 bitcoins then it's probably just a matter of time until they're gone. If his main device is compromised then the attacker has, at a minimum 1) 11 of the 12 seed words 2) the helpful description that the target posted above (which he should absolutely delete) of his setup and 3) any other info that the target has likely leaked. 1) alone is brute forceable. That "12th word" that the target has kept in his head, is that the 12th one sequentially (i.e. the checksum)? Apart from hacking, I would be worried about locking myself out of my coins through user error. Inheritance is also a problem. I have come to the conclusion that splitting up a seed phrase (e.g. SSS) is never a good idea. The same can be better accomplished with a passphrase and/or multisig.

Mentions:#SSS
r/BitcoinSee Comment

Very bad idea. Use FULL mnemonic on one, passphrase on the other stored apart. SSS sucks too, XOR maybe a bit better. Multisig best but complicated.

Mentions:#SSS#XOR
r/CryptoCurrencySee Comment

I recommend STG, it is a new omnichain protocol connecting other Blockchains with each other. It has very good bridging capabilities already between ETH L1, BSC, AVAX, FTM, ARB, OPT, integration for SOL and LUNA on the horizon as well as SSS current price around 2$ - 40 EOY not out of the question. Wanna know more? Read here: https://twitter.com/kamikaz_ETH/status/1506886786165112833?t=ozKYZsIdvO-zwPAW-6FceQ&s=19

r/BitcoinSee Comment

This article overstates the danger of implementing SSS. It boils down to:

1) *People make mistakes implementing it*- While this is true, there are free Python libraries that correctly and securely implement SSS.

2) *It's open to side-channel attacks*- This is also true but the chances of this are remote since it would be so much easier to hack a private key using other modes of attack.

Sure, if you have $100,000+ in bitcoin you should be using more secure methods but it's exponentially better than splitting your list of seed words in two.

Mentions:#SSS