Reddit Posts
Multi-Sig vs. Shamir Secret Sharing: Which Path Will You Choose to Safeguard Your Crypto?
My personal view on the PR disaster, from a Ledger co-founder and ex CEO
My personal view on the PR disaster, from a Ledger co-founder and ex CEO
SSS. Stake Sats Steadily! ☺️ its small but honest work. from tipping, game, giveaway, etc. While crypto make you lost life saving, but not life living ✨
I have a lot of reasons I don't like Ledger (I still own one), however, Shamir Secret Sharing is a super compelling reason to own a Trezor or a Keystone wallet instead.
-Fantasy Arena- New Metaverse game launch of this year!-On BSC-
-FANTASY ARENA-The biggest P2E-NFT game launch of this year!-On BSC-
🔮-FANTASY ARENA-🎮-The biggest P2E-NFT game launch of this year!🎮-On BSC-🔮
🔮 Fantasy Arena 🎮Welcome to the Metaverse 🔮 From Players, For Players 🎮 On BSC 🔮
🔮Fantasy Arena 🎮Welcome to the Metaverse, the biggest PlayToEarn Game launch this year! From Players, For Players 🎮 On BSC 🔮
BSC GameFi Platform StarSharks ($SSS) Launches Its First Metaverse Game: StarSharks.Warriors
🔮Fantasy Arena 🎮Welcome to the Metaverse, the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 By Players, For Players🔮
🔮-FANTASY ARENA-🎮The biggest P2E-NFT game launch of this year!🎮-On BSC-🔮
🔮Fantasy Arena - Metaverse🎮Welcome to the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮
🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮
🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Nft Game launch this year! 🎮 On Bsc 🎮 Of Players, For Players🔮
🔮-FANTASY ARENA-🎮The biggest P2E-NFT game launch of this year!🎮-On BSC-🔮
🔮Fantasy Arena 🎮Welcome to the biggest PlayToEarn Nft Game launch this year! 🎮 On Bsc 🎮 Metaverse🔮
🔮Fantasy Arena 🎮Welcome to the biggest PlayToEarn Nft Game launch of this year! 🎮 On Bsc 🎮 Metaverse🔮
🔮Fantasy Arena Metaverse🎮Welcome to the biggest PlayToEarn Nft Game launch of this year! 🎮 On Bsc🔮
Mentions
Greetings Mantara-SSS. Your comment contained a referral link which directed to minepi.com/elhasnaoui00. This is in violation of Rule II - No Spam. As a consequence, you will be banned from r/CryptoCurrency. *** *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/CryptoCurrency) if you have any questions or concerns.*
My post was sarcasm! Splitting seed is in general not a good idea. With SSS and a treshold, it's different - there you don't compromise the strength of your keys, anybody holding any amount of shares below treshold is equal to having no information at all.
I’ll do respect to SSS and the plan you’ve laid out, these are overcomplicated and age poorly. For this example, I’ll be using a 12 word seed. Here’s a decent plan: Use a hardware wallet of your choice, create a 12 word seed. This is your Canary in the coal mine account. Fund this account with about $200. Add a passpharse (13th word) to this wallet. This is your secure account. Create a will with instructions on how to access the secure account, store the secure 13th with the will. This 13th word will be a word or series of numbers you do not document, something that’s impossible for you to forget. You do not disclose the scheme or method to anybody other than what’s been put into your will. Secure your 12 word seed using consumer grade security methods. These are your punched steel, stored with best friend, stored with trusted family, printed and placed in the back of a family, portrait, etc. Be as prolific as you like, within reason. Add a watching service for the Canary account that emails you on any changes to the balance (or manually check it yourself periodically) if the Canary account has any movement, you know your base 12 seeds are compromised and you need to rebuild.
The outcome is binary. Either your Bitcoin is stolen, or it isn't. With 8 words, there is plenty of safety margin, so SSS has no practical advantage. Now let's look at the disadvantage. Let's say twenty years from now your heirs inherit the plates. Will they figure out which SSS implementation did you use? Chances are, even you will forget it a few years from now.
> If your adversary can only brute force 5 words With todays technology. It’s undeniable that SSS is better than just what you said, you don’t need to be mad. We can say that your method is secure enough for now, but SSS is just better. You can choose to use a weaker method that is good enough, but you can not say that it have the same security as another proven to be more secure. My opinion is that if you will have all this work to stamp plates and whatever, why not to use 5 minutes more and use SSS?
You don’t need a wallet to support it, just use n parts and recreate the original key. SSS (n of m) is better because with less than n parts you have 0 clue of the original seed, having n-1 and 0 parts is literally the same. With your method, with n of m parts, if you have k parts you KNOW k/n of the original key. With your method, with just one location, you have 2/3 of the original seed exposed, which is less than ideal
Your argument would be better if you could provide a reason why SSS is better. One reason why SSS is worse is because few wallets support it. Another reason is that you need to stamp more words.
Do. Not. Split. Your. Seed. Use a passphrase or SSS. [This video](https://www.youtube.com/watch?v=p5nSibpfHYE) does an excellent job of explaining why seed splitting is an absolutely *terrible* idea. *Please* watch it.
SSS, Still got a few weeks of the same ol yr end gains too. Got a feeling theyr finally gonna fuck around & filthy rich us, huh? 🚀
Coinomi can sweep a private key in WIF, BIP38 and Mini formats (with and without password) but unfortunately it cannot reconstruct keys from SSS shares.
Android version of the app worked last time I checked. Emulate it if you don't have a real phone. And if it's standard SSS you can use ssss-combine in any linux distro.
He could use shamir’s secret sharing without compromising his plans. Not sure what happens if one of the multisig is absent (like dead?). With SSS you can split the seed with a threshold and not weakening your seed
Telegram = Home of SSS - Shitcoins, Scammers and Stupidity
All of your links criticize SSS, which I'm not using nor recommending, I wrote about it [here](https://www.reddit.com/r/Bitcoin/comments/1ep7ang/comment/lhl0eaf/). As long as 8 words is impossible to brute-force, it makes no sense to increase the complexity with SSS, even without taking implementations issues into account. The simple M of N scheme I'm recommending does not suffer from any of the criticisms in your links, and it is still better than multi-sig for individuals for the reasons I mentioned earlier (less fees, less complex, more practical). You still have not shown another way to protect yourself against both attackers and have yet to address my central points
You're welcome. As well as the SSS suggestion maybe use xpub to create a "watch only" wallet so you may check if coins ever move. If you own a Ledger device here's a handy app for securely generating the shares for you: [https://github.com/LedgerHQ/app-seed-tool](https://github.com/aido/app-seed-tool) This app can be safely installed from Ledger Live. Disclaimer: I am the author of this app so I am biased, :-) [https://www.ledger.com/blog/seed-tool-app](https://www.ledger.com/blog/seed-tool-app)
SSS seems like the only reasonable way to go with a larger amount of ner worth.
And what if someone gets your seed backup? Full seed backups are idiotic and while they made some sense when like one person per town had heard of Bitcoin, they are no longer secure. You MUST split your backup, either through just splitting a 24 word seed, a SSS implementation, or multisig.
>there is no open standard for SSS assembly/disassembly There is the interoperable and open SSKR standard : [https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-011-sskr.md](https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-011-sskr.md) Some hardware wallets currently use or plan to use SSKR. BIP39 provides decent security and splitting BIP39 phrases deliberately and needlessly diminishes that security.
Andreas is sometimes wrong as is the case in this video (which I already watched and disagreed with before). [This comment](https://www.youtube.com/watch?v=p5nSibpfHYE&lc=Ugy_mK8izbxEfaNcPgR4AaABAg) and many others under the video do a good job highlighting some of the issues. Another thing I have not seen brought up in the comments that Andreas gets wrong is that the checksum is not one of the 24 words, it is actually only a part of a word, which weakens his already weak argument. It is however a good security optimization to distribute your 3 backups so that the one missing the 8 words including the checksum is in your most secure location. As said, 8 words is impossible to brute force. Even if it were, the cost of brute forcing them would be magnitudes greater for the attacker than the reward he would get from it. It also takes time: you know one of your shares was compromised so you transfer your funds and the attacker's knowledge of the 16/24 words is now useless. The 16 words are in plaintext unlike with SSS, yes, but it literally does not matter if it is impossible to crack the other 8: the 16 words alone are useless. Another big thing is that there is no open standard for SSS assembly/disassembly. Trezor supports it for example, but that makes you dependent on the company if you want to recover your funds after losing your hardware wallet. You do not have this problem with the truly open BIP39 standard. Maybe in 10 years when there is an open standard for SSS with 0 complexity drawback, you might as well use that. For now using it brings disadvantages and no advantages.
No it is not. There is massive tangible benefit. Multisig materially enhances your security in that it can completely eliminate any central point of failure. SSS simply does not give that important benefit. The benefits of SSS over multisig are very nunanced and specific. Its not something to just advise everyone to do.
If you give advice, you should give reasons, otherwise it's nearly useless. Multisig is far better than SSS, so you shouldn't be recommending it except for very specific reasons that you aren't providing. This makes me assume you don't know what you're talking about
Km U Asks J Km K Km K Km K m K Km K K M K A Km K K K Km M M K K Q Km Dk Mm K Km K K Mk K K K M K Q K A K M Km K M Km Km Km Km Km Km Km M A A K K Km M M Km K Km Km K Km K Q AZA Zaza ßßZZZZZZZZZZzZZZZZZßßß ßßßßßßßßßßSsßßßßsßSSßßßßßßssßSßßSSßSsSSsSßßßßßSsSSsSsSsSSßßSSSSSßSSSßsßßSSsSssSSSSSsSSSSsSSSSSSsSSSSßßßSSSsSSSSSSSSSSSSSSSSSSSSSSSSssSSSSASSSSAaßßßSSSSSSSSSSSSSSSSSSsSSSsSSSSSSSSASAASSASsAsAßßSSSSSSssSSSSSSSSSsSSSSSSSSSSSSsSASSsSSSßÀSSSSSSSSsSsSSSASSASSSSSSSsSASSaSASSSsSSSSSSßSSsSsSSSSSSSSsSSSSSaAsSAASaSASSSSSSASSSSSSsSSASSSSSSASSSsSAAaAAASSSSSAaSSSASSSSSSSSASASaSAASASaSAsASASsSSSSSSSSASSSaSSasASSSSSSAAAsASSSSaASSSSSAASASASaAasSSSsASsSaaASSSSSAAsAAASSSASAAAAsasaAASSSASAASAsSAASASaAASASSSsa W
This has to be fake. I live in the Philippines and there is no announcement made by SSS or any news in the local media about this.
While this sounds good and all... I can't help question this. Why is it only Tether and Uquid talking about this? How come there are no information coming from SSS, the very government agency involved in Social Security in the Philippines?
You should definitely check Cypherock Cover - [https://www.cypherock.com/blogs/cypherock-cover](https://www.cypherock.com/blogs/cypherock-cover) They use tamper-proof hardware to secure the SSS shards but have a way to transfer the access of the Crypto without them in a position to compromise the assets.
Have a look at Super Sushi Samurai Has been up and running for 1 month - it's a Web3 game It has an autobattle mode and some mini games too https://sss.game/ Alternatively look for SSS on twitter to find all the official links and how to play You can expect to make 5-10$ a day using Telegram if you use funds to level up your character and pet to lvl10 Marketcap of game is ~$6m at present but will likely go higher as more and more people hear about the project
I disagree. MultiSig is arguably more secure bit is also a bit more complicated than SSS so risk of losing assets is increased. Also, MultiSig requires backing up seeds and also xpubs whereas SSS requires backing up only shares.
Yea, I have written it better several times. The OPs situation was 1 of 1 seed. Easy to loose or have stollen. Not a good situation. Storing multiple copies of the seed helps prevent loss but increases the theft opportunity. Adding a passphrase mitigates the theft risk but adds another single point of loss if you loose the passphrase. You could replicate storage of the passphrase, one that you remember and one kept sealed by the executor of your estate for instance. This is about as good as seed+passphrase gets. You can add complication like cutting up the seeds and passphrase and storing the parts in separate places but these complications greatly increase the chance of loosing access especially when you are no longer around. There is another protocol that offers an expanded option. You’ll find it sometimes listed as Shamir Secret Sharing. SSS allows you to split a secret into several parts where any fixed number of the parts reveals the secret whereas less than that number reveals nothing. This should eventually become a standard in all wallets. It’s only been around since the 70’s so maybe it just needs a little more time to mature.
The wallet is just a convenience. To start your digital security you need to figure out how you are going to create, store and protect the seed that generates your private keys. The protocol must be a well established standard otherwise you could be locked into a single vendor where your recovery could be pulled out leaving you digital assets unreachable. You want to consider both the security that protects your keys from being obtained by undesired actors as well as redundancy that insures you or your designated representative will be able to recover your keys even after a disaster. There are a few standards that help store seeds and keys. Perhaps the best known is the BIP39 word list. This is a start but it creates a single point of failure. If you loose this list you loose access to your keys. You can make multiple copies but each copy is a critical security risk if someone were to acquire one. You can encrypt your seed with a passphrase before creating the wordlist but this creates another single point of failure if you forget the passphrase. A better method is to use a Shamir Split Secret. SSS splits a secret into multiple parts where any N of those parts can be used to reconstruct the whole. This is like multi-sig but is completely offline so no added network fees. One standard track implementation like SSS is SLIP-0036. I don’t know if this has received enough scrutiny to assure it is safe and effective. How you split and store the parts to your master seed is your own decision. Keep in mind who will have access to each of the parts and who might collude to attempt to assemble the seed against your wishes. The parts can be stored in safes, safe deposit boxes, be escrowed with friends or family or even be escrowed with a law firm. Each part should probably be sealed in a tamper evident enclosure. A simple security envelope should be sufficient. If any part is found to be compromised you have to start over creating a new seed, new keys, move all your assets and re-evaluate who you escrow the keys with.
Multi-sig increases transaction fees. As an individual your primary concern will be losing your wallet keys. Recovery keys and backups should be top priority for anyone with a wallet. As your stack grows the risk of theft also grows. Each recovery key or backup of the master wallet key represents a potential attack vector to steal your stack. You will want to look at redundant distribution of the recovery keys using systems like SSS. When you get to the point where you need a management team to manage your stack then you should look at multi-sig.
not answering my question at all. im protecting myself from the rare case where my hardware wallet is run by bad actors and doesnt create random seeds. SSS does nothing in this scenario.
SSS shards are secure, but just splitting the 12 or 24 words into 3 chunks of 4 or 8 is a horrible idea, you’re right.
The technology you want is Shamir Secret Sharing. But the implementations for Bitcoin wallets seem to be proprietary which is not appropriate for long term backup. SSS allows you to split one master key into many sub keys where N of the sub keys are required to reconstruct the master key. I’m not familiar with all the offerings out there so perhaps somebody has a solution that does the right thing. What I know is the math and from that I can deduce what can be done. But the math can’t say what has been done. SSS is not multi-sig since it has the vulnerability that combining the sub keys always generates the master key so the hardware that does the combining has to be trusted not to leak the master key (Never use an online tool to generate, encode or decode keys these sites likely log every use and can easily determine if there is a real wallet behind the key). For archival storage you want to be able to recover your wallet master key from just the archived sub keys. Some tools want to store additional data with the keys. All you should need to reconstruct a wallet from scratch is the number N, a set of N sub keys, the index of each of those sub key and a device that follows the standard protocol. The first N sub keys or master could be keys you already have or generated with tools following bip39. Any additional sub keys will have a value dictated by the rest so bip39 would not be applicable. QR Codes could still be used to store the additional sub keys.
The of losing your coins because of an SSS screw up is greater than the risk of someone bruteforcing like 8 seed words or whatever
>there's no practical benefit compared to just splitting your plaintext seed. So you don't understand what SSS does. A split plaintext secret reveals a portion of the secret to whomever finds the share. For example, finding two shares of a three-way split secret reveals two thirds of the secret to the finder. An SSS-shared secret reveals NONE of the secret to whomever finds the share. All the way up to M-1, finding any number of shares of an M-of-N secret (for example, finding 4 shares of a 5-of-8 secret) reveals NONE of the secret to the finder.
If you're going to suggest researching a tooic, the least you could do is call the thing by its correct name: [Shamir’s Secret Sharing (SSS)](https://www.hypr.com/security-encyclopedia/shamirs-secret-sharing-sss)
True, it's very individual. It deepends on the kinds of risks you have in your personal life, and how comfortable you are with the practices and the ammount of money. In this example we're talking about securing at least $210,000. If you have $2000, that might be fine just being in a hot wallet on your Laptop. I can give some other examples that are easier: Single seed wallet, 3 metal plate backup sharded using SSS (Samshirs secret sharing). This is an ordinary wallet, but the backup is split into 3 pieces, such that you only need any 2 of 3 to re-create the wallet. The individual shards can be further sharded into 3 of 7 or other combinations to increase recoverability at no cost on stealability. You can store these with friends / family, safety deposit box etc. Your funds can't be stolen from a single compromized plate. Single seed wallet with passphrase. Single plate stored in safety deposit box or family. The security comes from using a long 25th word, that creates a new wallet. You must securely backup the passphrase somewhere separate. Multi-sig wallet, but the process is provided by turn-key services like Unchained, Casa, Nunchuck. Removes the complexity. But remember you always need separate wallets for spending and saving. You only ever send money from your savings to your spending wallet.
> So having the 2/3 (or 3/4, 5/7, etc etc) shares alone is not enough to recover? The Xpub would be needed along with the designated number of shares? Yes, you need the respective xpubs to recover a multisig wallet. A single sig seed split in shares (SSS) is something else though, it's just a method to save a seed in a certain way. SSS doesn't apply to how a seed was created and what type of seed it was etc. ] > Is the xpub needed to recover a SSS wallet? If it's a single sig wallet, then no. You can derive anything from the seed.
Splitting it up is a terrible idea. You will increase the chance to loose funds, since you doubled the chance of the wallet being destroyed (you only have to loose one piece!) The biggest chance of loosing funds is from loosing / destroying the backup. First thing to do is get it stamped into metal plate or "seed plate". Now it's fire, water and dog proof. If someone breaks into your house they'll probably go for your TV and PS5. As long as the seed is hidden it's not a problem. Another part to this is don't talk about your bitcoin stack, otherwise you will invite thieves that target you specifically. If you want to split up the seed consider using Multi-sig or Samshirs Secret Sharing (SSS). Both effectively split it into an m-of-n e.g. 2 of 3 split where you only need *any* two of 3 parts to recover funds. If you loose one, your still ok.
Couldn't get the image to work. I had to OCR the image file and then copy two of the SSS hashes. Copied the private key into my mycelium wallet. You could type it manually, but it was too frustrating when I knew there would be no money in it. Good edumacation anyway. I didn't know about SSS. Also, I didn't know mycelium wallet could do that. Great stuff anyway. Reason I read this Redit stuff, always learning good shit.
I tried messing around with the link you posted , could you go into a little more detail on what I am to do to make it work ? I uploaded a jpg pic of two of the 3 “private key shares” and I got nothing, I also tried pasting one of them into the “share” window that starts with “SSS-“ and that window just turned red.
>But storing half your seed phrase in a single location is going to be better than storing all your seed phrase in a single location. Store half you seed phrase weakens it as someone who obtains half only has 2048\^6 combinations to brute force. As you say if the whole seed phrase is stored and someone obtains it they have 0 brute forcing to do. However whilst you side step that part of the argument there is another of concern. Store the whole seed phrase in one location and it burns down (gets stolen etc), you have now have lost your keys. Store half each in two locations and one location burns down, you have now lost your keys and need to brute force 2048\^6 combinations to get it back. So we go back to what I originally said, either use Multisig or SSS via SLIP-0039 to implement n-of-m keys which addresses the issues of the two problems above.
BIP39 (the wordlist used for seed phrases) consists of 2048 words. Given a pass phrase of 12 you have 2048\^12 possible combinations that make up the phrase. If you split this seed phrase in half and an attacker gets half the phrase, they only have 2048\^6 combinations to brute force the remainder of the key. The proper way to do it is what I mentioned above as it does not weaken the phrase (the ability to brute force it) when one Multisig key or one share/part of the phrase using Shamirs Secret Sharing (SSS) is stolen. If you spend some time reading about how these work (Multisig and SSS) then you will understand the difference. Some people even [oppose the use of SSS](https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/).
SSS is shamir secret sharing. Long time known stuff. The device was mycelium company's gizmo. Clear from the logo. These are shares of the secret, not multisig. Do not put big money in until you know how things work.
Just my dipshit opinion: The SSS portfolio will do very nicely this year- Sol, Sei, and Sui. Sol has obviously done very well thus far and probably will continue to grow will all the dapps and airdrop opportunities, with Sei and Sui being labelled as the possible "Sol killers". Newer L1s always seem to perform well in bull markets, and those are two young ones with a lot of potential for growth. Whether any of them truly succeed long term is a toss up, but I think short-mid term gain a lot of adoption and users.
XOR is NOT the same thing as Shamir's Secret Sharing. XOR supports only N-of-N splits. SSS supports M-of-N, where any M shares are sufficient to recreate the secret. 2-of-3, 2-of-4, 3-of-7, 6-of-10, etc.
If you're hell-bent on seed splitting, look into Shamir's Secret Sharing. The fundamental difference between simple seed splitting and SSS is that with simple splitting, each share of a N-way split reveals 1/N of the secret to the shareholder. With SSS algorithms, each share of an N-way split reveals 0/N of the secret. The main drawback of SSS is that, to my knowledge, there are no agreed-upon SSS standards so unless you know EXACTLY how your implementation created the shares, you might not be able to recombine them years from now.
SSS is only available with Trezor right now, most wallet dont support it. So i would have to be a customer of Trezor, that just got the customer data leaked. Thats a leak of privacy. With DIY you can roll your own bits, make a seed, then split it. All offline without any coperation (ledger,trezor etc). I tried to calculate the time to bruteforce the 80 bits. Thats why i responded to you. Because my calculation didnt make it seem as stupid as you make it sound. So i was curious if i missed something. Seems like i didnt. I am aware of the compromise in brute-force-security and the risk is worth it for the value i get out of this (for me personally). Security measures depend on what the attack-vectors are
SSS's shortcomings by Jameson Loop: https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/
You did not understand the OP. Your mental model is too focused on a single private key. There are multiple ways to self-custody and sign a transaction. Zengo's 2/2 MPC approach is similar to a SSS (Shamir Secret Sharing) scheme in mental model. However with a SSS, you would originate one private key in one location, and then split it. We don't do that for a number of reasons. See here about key generation and vulnerabilities with doing it one time in one place: [https://zengo.com/how-keys-are-made/](https://zengo.com/how-keys-are-made/) Instead, using MPC we independently generate two secret shares: One on your mobile device, and one on the remote server. Only your share (the Personal Share) can initiate and sign transactions, which leverage your device hardware's secure enclave or TEE. Together, these 2 secret shares do what a traditional private key (in one location) would do. And, if these 2 shares were ever to "come together" they would create a singular private key. (Which we would only let happen if Zengo were to go out of business, to ensure you can always access your assets. See more about Guaranteed Access here: [https://www.reddit.com/r/CryptoCurrency/comments/190s3uc/comment/kgvlqew/?utm\_source=share&utm\_medium=web2x&context=3](https://www.reddit.com/r/CryptoCurrency/comments/190s3uc/comment/kgvlqew/?utm_source=share&utm_medium=web2x&context=3) Here's the details of our MPC white paper on our github if you want to see the details: https://github.com/ZenGo-X/gotham-city/blob/master/white-paper/white-paper.pdf
Use Shamirs Secret Sharing (SSS) to encode your seed into multiple shares. Each share is worthless on its own. Do multiple trips and make sure to have only a single share on you. If it gets compromised, do it over again with a new encoding. Using 2 of 3 shares would allow for one share being compromised, but the other two would still allow for reconstruction of the seed (your seed). Make sure the process of creating your share is done offline. You can basically use any mode of transportation (memorizing, paper wallet, obfuscation etc.) as long as you are able to recognize when your share got compromised.
No. In your hacky setup an attacker could get either half of the 24 word seedphrase and compute the remaining half to steal all of your funds. You can't just divide the word list in two, you need proper cryptography to do this. It's called sharding a secret and there is an algorithm called Shamir's Secret Sharing or SSS.
Multisig is part of the bitcoin protocol. Splitting the seedphrase (aka Shamir's Secret Sharing) is a kind of roll your own security. With multisig, your secrets never need to be in the same place at the same time. With SSS you need to have all secrets together when it comes time to spend and this is a single point of failure. With m of n multisig, you need m private keys but n (all!) public keys.
Of course, however one of your central use cases is for less technical people to be able to restore the wallet. At some point you will have to settle between more secure and more accessible. SSS is a good balance.
Maybe not as secure as multisig but also consider Shamir's Secret Shares \[stamped in steel\](https://blockmit.com/english/guides/diy/make-cold-wallet-washers/) and stored in several secure locations. For some people one possible advantage of SSS over multisig is that only one wallet needs to be managed. SSS is arguably easier to understand also.
I think you're confused. Encrypting shards is not a feature of SSS and can cause additional issues. SSS involves breaking the seed phrase into parts (e.g.) 3 parts in plain text and storing them in separate geographical locations. Storing 3 or 4 separate full seed phrases for a 2/3, 3/3, 3/4 or 4/4 multisig wallet may be a preferable solution.
>The algorithm is public and open source and quite simple so even if they (Satoshilabs, maker of Trezor) went out of business you can get software to do the reconstruction and then put the seed on another device by another manufacturer. This is good to know. My one hangup about using SSS was the possible vendor lock-in risk, but it seems that's not a real issue. From what I've read, it's not possible to directly convert SLIP39 to BIP39, but there are software tools that will let you do the recovery somehow. It's not clear to me how difficult or secure such a recovery would be, but it does seem possible. Here's some info from Trezor: [https://github.com/satoshilabs/slips/blob/master/slip-0039.md#user-content-bip39compatibility](https://github.com/satoshilabs/slips/blob/master/slip-0039.md#user-content-bip39compatibility) >Some individuals have expressed a concern that the inability to convert SLIP-0039 shares to BIP-0039 may lead to vendor lock-in due to slow adoption of SLIP-0039 by hardware wallet vendors. This concern is unwarranted, since even if the conversion to BIP-0039 were possible and a user needed to recover their seed onto a device which does not support SLIP-0039, then they would need to use some conversion tool running on their computer. In that case they might as well simply recover their SLIP-0039 shares in a software wallet running on their computer and send all of their funds to a new seed on their new device. Thus the ability to convert shares to a BIP-0039 mnemonic makes no difference in this respect. Given that, I'm strongly leaning towards using SSS. I hate the idea of having a single physical copy of the seed phrase. That just seems so vulnerable to theft and loss. I know that multisig has advantages, but it seems more complicated. SSS feels like a good tradeoff between security and usability.
Thank you for the explanation. I would think that with all of the machinery that Trezor built around SSS, they could handle a solution built on multisig which saves all public keys with each private key. What would you think of a 2-of-2 solution. You could create multiple backups of each seed without having any backup as a single point of failure, and you avoid the problem of achieving a quorum without all pubkeys.
Why would Trezor go to all the trouble of implementing SSS in such a complicated way, rather than just providing similar functionality around multisig?
Most linux distros would have ssss installed or installable. At no point should you use any online tools for split or join SSS functions. NO WEBSITES.
Check out How they implement a custom SSS called Weighted Shamir Secret Shares No tricks here Thank you @Beaf_
Oh yeah that sarcasm wasn't executed very well. My bad. I'm poking fun at people that do have ability to access information on keeping their funds secure still don't do it. I agree holding the seed is ownership and that's the way to go. Keep it safe in your own possession. Or, I recently learned about [SSS](https://en.wikipedia.org/wiki/Shamir's_secret_sharing)... that sounds nice too...then you can have a recovered key if you lose it and you can get friends to help recover it.
Solid advice, although I prefer multisig over SSS.
FFS use shamir’s secret sharing. If you are the one and only person with the ability to create your private key, then you are the problem, not where you store it. Here’s a quick idea about what SSS does: it takes your seed phrase and splits it into as many parts as you like and asks you how many of those parts you think is the minimum you want to reconstruct your original key. You can refer to this as 4 of 7 or 2 of 5. So lets say it’s 3 of 7. That means that 7 of your most trusted friends will get a seed phrase - NONE of them individually can recreate your original seed phrase, but ANY 3 can. Let’s say you keep one phrase and assign the other 6 to people who don’t know each other or put one in a bank vault and another at home. Now you only ever need at most 2 other people to get your seed phrase back. You don’t even have to write it down! That means your whole house can burn down and you don’t need to worry about finding that one stupid piece of metal you put it on amongst the rubble. Download the offline version of Ian Coleman’s BIP39 tool and never look back.
The dev of PEPE, @degenharambe (aka Zach Testa), is a known serial shitcoin scammer (SSS) who’s behind multiple failed/rugged projects since 2021. He ran the same scam with all of them, 10 wallets, making purchases of $30-$50 seconds after coin went live. Blacklisting any address who bought within the first hours besides him and his accomplices. He finally hit with PEPE and it made him filthy rich. Check out his beautiful purple Lambo paid for by PEPE retail plebs.. https://imgur.com/a/IlRDFCx
SSS Rarity Trader spills it all
Secret Satoshi Society (SSS)
SSS isn't multisig, just dropping this here in case people get confused.
FROST is SSS v3 and does this. It basically inherits all the advantages of multi-sig and adds even more. This is gonna be huge for corporate adoption since they will be the ones with complicated 11 of 33 type signature schemes. Exciting to see it all get developed.
Spot or not spot? Thats all i need to know. Just throw me an S or NS. Or just the first syllable SSS or NNN
Using SSS is better method of key splitting. But consider that multisig allows you to sign the transaction and never combine the keys into a single point of failure. So you can have two or more signing devices and BOTH keys need to be compromised. With seed splitting you are just protecting the backup of a single seed. You are not protecting the signing key it's still just a single signature required. Consider if you have a house with two co-owners on the deed. You BOTH need to sign in order to sell the house. That's quite different than having a single person be able to sign but splitting their soul into 2 or more horcruxes.
Sure. Social recovery is a perfect way to keep your money safe and should be encouraged by HWW manufactures (see Trezor'S SSS scheme). The way Ledger did it screams government involvement.
So how was your training to be an SSS-class degenerate? Were you successful moving up from S-class reddit degen?
This latest firmware update literally leaks your seed phrase. It does not matter it's encrypted because it's 2/3 SSS and *you* don't hold 2/3 of the shards. If you held 2/3 this would all be a nonissue. Ledger has said governments can subpoena them or these 2/3 companies for your seed phrase. This service shouldn't be possible according to their own marketing. According to Ledger it was impossible for a firmware update to leak your seed phrase, and well. According to Ledger this update wouldn't be forced, and well... According to Ledger this can only happen if you press a button - trust me bro.
>then you have morons jumping from Ledger to Trezor that has the exact same recovery option I stopped reading there. You obviously have no clue if you think Ledger Recover is equivalent to Trezor's SSS option.
Which brings us back to my point that I don't think it's is encrypted. He said that the 3 companies cannot collude. I disagree. I don't think I can trust those companies. And he says they can be forced to give over your seed which makes me think it isn't encrypted. They're just using SSS and calling that encryption which it isn't. So if anyone gets hold of 2 of your shards they have your private key. I might be wrong and they might be encrypting it with their own key/passphrase (just wait till that gets leaked) and therefore only ledger can unencrypt it but I'm sceptical.
[Shamir's secret sharing](https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing) Shamir's secret sharing (SSS) is an efficient secret sharing algorithm for distributing private information (the "secret") among a group so that the secret cannot be revealed unless a quorum of the group acts together to pool their knowledge. To achieve this, the secret is mathematically divided into parts (the "shares") from which the secret can be reassembled only when a sufficient number of shares are combined. SSS has the property of information-theoretic security, meaning that even if an attacker steals some shares, it is impossible for the attacker to reconstruct the secret unless they have stolen the quorum number of shares.
Trezor doesn't have a secure chip. Its hardware is still a black box, so it can broadcast your seed using malicious chips/firmware and you have to trust Trezor (and their chip manufacturers) they're not doing this. Their firmware is open source. Because it doesn't have a secure enclave if your Trezor gets stolen someone is able to hack in and steal your keys.. Because it is open source there is no way to validate if you're using an official Trezor or official firmware.. Ledger can't open source because the company who makes their secure chip doesn't publicise their code, it is the industry standard. As a consequence you are able to verify if you have a real Ledger or not. IMO Ledger is the better of the two, still. If only because it's useless to a thief if stolen.. The risk assumptions, the trust in the company, is the same. These assumptions are there any time you use any (upgradable) hardware. You can DIY if you have an old computer or phone. Take it offline, learn to save a transaction as a file, take that file offline, sign the transaction message offline, and then broadcast that signed message online using a USB drive or by scanning its QR code. Now you have a cold hardware wallet which you control. It is not as *easy* as using a Ledger with Ledger Live but it is a lot more trustless, and not so difficult. You can also DIY social recovery using Argent or Loopring smart wallets and set up a 3/5 recovery using your own devices. Eg, your phone, computer, old phone, your friend, and customer support. This way if your house burns down and you still have your phone, with your friend and support you can recover your wallet. Without you it can't be recovered. You can set 11/13 or 1/2 or however you want. The issue with Ledger is they decided all your social guardians for you which is suspect and not ideal. There's nothing inherently wrong with social recovery and it is safer and more advised (by Vitalik and other core developers) than SSS/sharding which Ledger uses for its encryption. It's another option.
> If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button. No one should trust the device without an audited open source code.
If you don't opt in there are 0 companies with your SSS
(1) Simple if ledger is compelled by force (as an law action) are those SSS to bring access to some wallet it is possoble to gather Two of the required SSS (even w/o Ledger cooperation but of the custodians), is that truth? (2) If I own an ledger device, and I'm never signed for Seed Recovery, may I be forced to activate this feature so an adversary can legally request Ledger for access to my funds? ​ I you answered Yes to both, you know What I'll do with my ledger, if not, please elaborate WHY NONE OF (1) or (2) may happen. ​ NO LEDGER RESPONSE ON THIS YET.
>What an horrible mess. Yep. >So much anger, so much hate, and also so much insanity. That’s easily on ledger. >something went wrong and the Ledger Recover service was put in your face in the worst way possible. >It relies on the fact that you need to trust Ledger to provide with a firmware doing exactly what it is supposed to be doing. We no longer do and never will again. >So people started to think Ledger was a trustless solution, which is not the case. The word you’re looking for here is believe. Because a lie was tweeted by ledger. So some of us believed. Not “thought”. >Some amount of trust must be placed into Ledger to use their product. All of our trust. All of our funds at stake here. >If you don't trust Ledger, We no longer do and never will. >The mistake of some of the "power user" community (reddit, twitter...) is to become batshit crazy and start writing stuff like "there is a backdoor from day one" or "the governement has taken over Ledger". What’s “batshit crazy” is this entire hostile launch and the way ledger just seemed to unload this unwanted feature upon its customers seemingly with complete malice. >The hard truth, which has been confirmed by many experts who took the time to actually deep dive on the subject, is that nothing changed. Everything changed. >Absolutely nothing happened. The security model is the same than before you knew Ledger Recover existed. Then ledger has always been shit. >take a deep breath and actually think about the facts. The facts are, my funds are at stake because a shady ass French company is playing funny games. >If you think that Ledger did a terrible thing They did. >but at the end the real victims will be the noobs who in panic will try to offload their crypto from Ledger, make stupid mistakes and lose it all. Everyone who migrates from ledgers shitty platform will be safer by definition. >Ledger is still safe, Doubt. >there is no backdoor Doubt. >the Ledger Recover is not a conspiracy Conspiracy or just completely asinine business move, we don’t care. >If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button. We no longer trust either.
> If you trust the device to sign a transaction only when you press a button, then you can trust the device to compute a SSS (a shard of the seed) only if you press a button. I trusted that (perhaps foolishly) because I believed the "secure enclave that can't release the key", that we now know was bullshit. Ledger will never have my trust again. This is not a case where you get even a hint of a second chance. > The Recover code in the firmware is not a malicious code nor does it open a way to arbitrary extract the seed. "Trust us". NO.
SSS is not the problem here, it's sending these shards to a PC via USB and then to some random companies Ledger selected.
The [FAQ][https://support.ledger.com/hc/en-us/articles/9579368109597?docs=true] doesn't appear to make sense. **Who has access to my wallet with Ledger Recover?** > In short, only you can access your wallet. When you subscribe to Ledger Recover, *a pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments*, with each fragment secured by a separate company—Coincover, Ledger and an independent backup service provider. Each of these encrypted fragments is useless on its own. When you want to get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device, reassembling them to build your private key. The way BIP39 works will well documented in the BIPs. * Some entropy is generated. * This is converted into a BIP39 seed phrase. * From the seed phrase you can get back to the entropy. * The seed phrase is turned into a seed. * The seed can not be turned back into the seed phrase. * The seed phrase is turned into the master private key. * The master private key can not be turned back into the seed. So I assume the pre-BIP39 is the original entropy. Bit it also says this. **What should I do with my recovery sheet once I subscribe to Ledger Recover?** > Ledger Recover can restore your private keys to your device, but it can't provide you with your Secret Recovery Phrase [BIP39 seed phrase]... So it must have encrypted and SSS the seed or master private key which are post-BIP39? I'm not interested in using these companies because I can't know that they wont work together to get my seed. My concern is, what happens if you connect the ledger to a compromised computer. That's the whole point of a HW wallet; to never give the private key to the computer. If my computer is compromised can an attacker get the ledger to give up these shards? But even if they can it's still encrypted? How is it encrypted? It must be encrypted with a passphrase or an encryption key. Back to the FAQ. **What if I lose my Ledger device that is associated with my Ledger Recover subscription?** > Simply get another Ledger device and follow the process to recover access to your wallet. So it's not tied to the ledger device is any way making it unlikely to be an encryption key. If it's a passphrase where does the ledger get the passphrase from? It would have to be inputted directly to the ledger to be secure. It would also need to be a strong passphrase. And if you need to remember or write down a strong passphrase you might as well just remember or write down the seed phrase. If the passphrase if feed to the ledger by the computer then couldn't an attacker give it his own passphrase making the encryption pointless?
You don't have to share them with people, you can hide them in different people. The advantage of SSS over sharing a part of your seed is entropy. If you have less shares than required, you have no advantage in guessing the seed and have to guess the total 128 or 256 bits, no matter how many shares are missing.
Read how SSS works. The call is the ”gimme my seed”, and you get the seed with all the parts needed to decrypt it right there. Your seed leaves the SE. Only way you can ”back it up”. Literally only way.
> Well seems Nano S is actually safer for now as the they cannot put the ledger recover in it. FYI it is possible that the reason they can't put ledger recover on the nano S is because it doesn't have the space to store the 3rd party keys and compute the SSS + encryption. The secure chip might well have been able to give up the private key all along with a firmware update.
I have stop recommending ledgers years ago for many reasons outside of this. While this feature is "optional" it does introduce code that handles the private keys with the express intention of handing them over in encrypted shards to regulated third parties. There are numerous concerns with this : 1) The fact that ledger isn't 100% open source means we cannot audit the "optional" feature to see if there is a bug or exploit that can lead to loss of funds 2) There are questions with government asset forfeiture or seizure where they can force the custodians of these SSS shards to freeze the funds and perhaps take your coins This is not helped by the fact that their terms and conditions linked in their own FAQ is a dead page offering no clarification https://www.coincover.com/l-terms-and-conditions 3) Even after their large marketing breach that placed most their clients at risk they are now encouraging you to give even more of your personal details(IDs) over for this feature that might be shared or stolen and place you at far greater risk 4) They have a history of placing profit over security with supporting many scam altcoins which greatly increases the attack surface and this just reinforces that
Firmware that can leak seed in form of SSS shards, not making it optional, rolling it out without announcement. I thinks it's very fair to say they fucked up multiple times, and there is no "only mistake".
What's to stop Ledger (or an attacker pretending to be Ledger) from rather than doing the SSS, just sending the keys directly and pretend to SSS it? You authorise it and bam, your keys are exposed. The fact that there is a way to enable the possibility of sending anything other than signed transactions off the device online means the device itself can be updated to do anything, including sending the seeds directly to an attacker. It's now a dead product on arrival. The only safe way to use the Ledger now is for offline signing only; you can never connect the Ledger to an online PC.
 Thank-SSS!
That's unfortunate, but I guess I wouldn't consider wallet A more secure than B because A implemented SSS. It might make managing seed phrases safer though, as long as the process is well understood.
This is what the original trezor used as their main recovery method, but it is not very good. With 24 word seed phrases you're reducing entropy from 256 bits down to 79 bits, which might be enough currently but not in the future. With 12 word seed phrases this is not safe at all. It's much better to use seed XOR or SSS.
>I expect this inflation to only accelerate with better technology to get gold out of the ground and sea. Its much worse than merely this. In 2026 Psyche satellite (already launched )will start reporting back to NASA the expected reality that there will a sudden hyper-inflationary spike in the volume of gold being mined in the near future https://www.jpl.nasa.gov/missions/psyche/ Since psyche 16 asteroid represents an example of an asteroid that is a core of an early planet thus metallic and estimated to contain around $700 quintillion dollars of precious metals (gold, platinum, etc..) or 93 billion dollars of precious metals per person. This is just one example of many future asteroids that will be mined and this is merely a single asteroid of many that are metallic. While mining will not start immediately, the markets will start pricing in the expectation of mining and nation states will start to slowly sell their gold reserves if they are wise enough flooding the market with cheap gold. Nation states will need an alternative asset to hedge against. > I only have to remember my Bitcoin private key and I can have my money in my head. Not only this is bearer assets like Bitcoin have similar security properties as gold if you have a single BIP39 seed backup written on paper or metal. Someone finds your gold or bitcoin backup than someone can steal your asset. Where Bitcoin improves on gold is the ability to secure itself beyond this with solutions like SSS, multisig , passphrases and Bitcoin vaults that gold lacks. This way merely finding your seed words is not enough to steal your bitcoin.
Hmm, difficult doesn't seem hard enough. Give me the SSS-tier difficulty.
Interesting take. While many teams are building to make seedphrase backups obsolete through MPC, SSS, AA etc. Reading the contrarian view to why seedphrases are important is healthy.
>BTC has never witnessed a macro economic environment like this before It is fairer to suggest the implosion of mtgox in 2014 and the 2017 blocksize wars was far more dangerous times for bitcoin than a global recession. The reality is that Bitcoin is much more secure now than years ago. >and is strongly correlated with the likes of the NSDQ. This is a very recent correlation due to newer institutional investors. Historically Bitcoin is an uncorrelated asset class and will lose that correlation in the next bull market I predict. The disinflationary schedule has a profound effect upon the market cycles in Bitcoin which is not found in equities. >what would this mean for BTC? None of us knows the perfect time to invest or can predict the price . The intelligentsia of the market is the combined knowledge of all humans and algorithms which is more than knowledge than anyone can have. Also bitcoin is so scarce that a single wealthy investor can significantly move the market in secret and unannounced. Rather than trying to time the market , let time work for you. **Time in the market will tend to beat timing the market** It is highly likely that a bull market will occur in mid to late 2024 due to the halving however. Bitcoin does not necessarily need new adoption to go through these market cycles of appreciation as the same buying pressure from existing users will cause these bull markets due to the disinflationary 4 year events. >The ‘institutions’ are not coming Institutions have been regularly investing in Bitcoin. https://bitcointreasuries.net/ It will not occur all at once and is a slow process , but bitcoin is so scarce that even a single institution can dramatically effect the price. >ESG compliance, Bitcoin has an important role in solving ESG compliance as it incentivizes investment into renewable energy and it uses waste energy. https://www.youtube.com/watch?v=nkeZVcGsva8 https://www.youtube.com/watch?v=bFYKq5Qe1Bs https://www.youtube.com/watch?v=1vROP40L9Bg https://www.youtube.com/watch?v=lCkHEqxDsYQ https://www.youtube.com/watch?v=qu156PvA-NI >‘We have seen this all before, Mt Gox etc’ No we haven’t. Never before has so much been lost by so man Mtgox was a much bigger event than these recent collapses by the % of people effected and the amount of Bitcoin stolen. > that the coming regulation is likely to be punitive in the extreme. Regulation will encourage more self custody which is a good thing for Bitcoin. >For retail it is highly likely that regulators will seek to control all on and off ramps making it near impossible to own or realise any gains. You don't need on and off ramps with Bitcoin but any regulations you speak about can often easily be dealt with, but you are being very vague here as to what you are suggesting will happen to address directly. >There will be no ETF, ever. This would actually be a great thing. An ETF is a double edged sword and we should encourage more self custody or at least multisig for institutional investors >Energy usage is an issue regardless of the facts of environmental impact . Fiat currency and PoS coins cost at least the same amount of resources to create , regulate and secure as Bitcoin. There is an inescapable reality for any asset or currency that as it increases in value the production costs and costs to secure increase as well . This is demonstrated in the economic axiom: MC=MR “Rent” always forces production costs (MC) to always equal sale prices (MR) PoS currencies and fiat are simply more abstract and complex forms or Proof of Work that use more human involvement (which uses tremendous amounts of resources and has a tremendous environmental impact) as a PoW coin like Bitcoin. Humans instead of ASICs are shouldering more of the work to create, regulate , and secure each of those currencies; This is "work" whether it involves burning electricity directly or food and electricity that humans consume to perform their work. This is an inescapable economic reality. The more valuable something is the more it will cost to secure it because the more effort will be made to steal and or control it. This applies to any currency or asset. This is also better understood with the dollar auction dilemma. In a hypothetical auction where a bidding war is fighting over the right to mint a 1 dollar bill how much do you think people will be willing to spend for this power ? >This is now leading to a declining hash rate. This is false. Hashrate has grown considerably over the last year- https://bitinfocharts.com/comparison/bitcoin-hashrate.html#3y >the only thing that has brought new people to the space is price speculation. You are being a bit hyperbolic here. The main thing that brings people into bitcoin is speculation, not only. Also after they learn more these people often end up appreciating bitcoin for multiple reasons over time. >what is the narrative that would bring new people to this space? 1) **Save money** - I like to save money with various services like lolli.com, ln.pizza ,foldapp.com,purse.io, or bitrefill.com (Bitcoin achieves this by credit and gift card arbitrage opportunities thus creating an efficiency) 2) **Digital Gold** - Bitcoin is very desirable and scarce and since it is an uncorrelated asset class your portfolio is better hedged to be a safer way of finding alpha 3) **Timestamping** - Tweetstamp, and opentimestamps are useful timestamping tools 4) **Insurance** - If my bank account or credit cards get lost or stolen or account is frozen Bitcoin is a great alternative to store value 5) **Censorship Resistance**- I can make donations to organizations like defense distributed or wikileaks even if their payment processors and banks are shutoff due to unethical political pressure 6) **Sovereignty** - As a Business I can accept value even if I am deplatformed or banned from banking 7) **Micro transactions** microtxs are simply not possible with fiat , where I can do so with my BTC lightning wallet 8) **Security** SSS and multisig with CLTV and other scripts allow for novel methods to secure ones wealth 9) **Privacy** with electronic fiat I have no privacy unlike with Bitcoin transactions where I am given a choice between privacy or transparency with each wallet 10) **Global** I can travel the world , rent hotels and buy plane tickets and withdraw local currency easily without fears of credit card fraud. I can send payments to employees in foreign countries easily 11) **Interesting and fun** It is fascinating mixture of technology, game theory, security, mathematics, politics, and economics that never bores me