It's not so much *won't work* as *it depends*. "Shamir style" splitting of a seed could mean many things. Shamir's Secret Sharing Scheme is a SPECIFIC solution to the general problem of splitting a secret (such as a seed) into multiple shares *such that no share, by itself, reveals any part of the secret*. Contrast this with simple splitting, for example breaking a 24 word seed into three 8-word shares (for 3-of-3 splitting) or three 16-word shares (for 2-of-3 splitting) and giving them to trusted friends for safekeeping. A friend with one 1-of-3 share knows 1/3 of the secret. A friend with one 2-of-3 share knows 2/3 of the secret. We can use math to split a secret into shares such that each share by itself reveals NOTHING about the secret. The simplest solution, which works only for N-of-N splits, is to use XOR-based bitwise operations: Create N-1 strings of random bits exactly as long as the binary representation of the secret (excluding any checksum bits), then XOR all of those random strings with the secret. The result will appear just as random as each of the input strings. Only the result and each of the random strings TOGETHER reveal information about the secret. To reconstruct the secret, just XOR the result string with each of the inputs, in any order (which, if you think about it, proves there's nothing special about the "result" string; once you've calculated it it's just one of the N shares, same as every other). Coinkite's [Seed XOR](https://seedxor.com/) works this way, and while Seed XOR is implemented in firmware on their ColdCard wallets, they also make it available in PDF worksheets so you can do it completely offline, by hand, to prove to yourself that it works. The shortcoming of XOR secret splitting is that it only works for N-of-N splits. To do 2-of-3, 2-of-4, 3-of-5, etc., you need a more advanced algorithm. SSSS is one, but there are others. 
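As an added Python example (written for this page, not taken from the comment above or from Coinkite's Seed XOR firmware), here is the N-of-N XOR split described above applied to 256 bits of seed entropy, recombination in any order, and the BIP-39 checksum that has to be recomputed for every share so that each one is itself a valid 24-word mnemonic. It goes slightly beyond the comment in that it also handles 12-word (128-bit) material. Share words are shown as 11-bit indices into the BIP-39 word list, which is not embedded here; the sample entropy is a constructed value.

```python
from __future__ import annotations
import hashlib
import secrets

# Constructed sample: 256 bits of entropy, the payload of a 24-word seed.
# The 24th word's last 8 bits are a checksum and are NOT part of what gets split.
SAMPLE_ENTROPY = bytes.fromhex(
    "0c1e24e5917779d297e14d45f14e1a1a3d3e8f7a9b2c4d6e8f1a2b3c4d5e6f70"
)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(secret: bytes, n: int) -> list[bytes]:
    """N-of-N split: n-1 uniformly random pads, plus secret XOR all of them.

    Each share on its own is uniformly random, the computed one included;
    only the XOR of all n shares gives the secret back.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def combine_xor(shares: list[bytes]) -> bytes:
    """XOR every share together; order is irrelevant because XOR commutes."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = xor_bytes(acc, share)
    return acc


def checksum_bits(entropy: bytes) -> int:
    """BIP-39 checksum: the first ENT/32 bits of SHA-256(entropy)."""
    cs_len = len(entropy) * 8 // 32
    return int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_len)


def word_indices(entropy: bytes) -> list[int]:
    """Entropy || checksum cut into 11-bit indices into the 2048-word BIP-39 list."""
    cs_len = len(entropy) * 8 // 32
    bits = (int.from_bytes(entropy, "big") << cs_len) | checksum_bits(entropy)
    n_words = (len(entropy) * 8 + cs_len) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def entropy_from_indices(indices: list[int]) -> bytes:
    """Inverse of word_indices; rejects a mnemonic whose checksum word is wrong."""
    n_words = len(indices)
    cs_len = n_words * 11 // 33          # 12 words -> 4 bits, 24 words -> 8 bits
    ent_bytes = (n_words * 11 - cs_len) // 8
    bits = 0
    for idx in indices:
        bits = (bits << 11) | idx
    entropy = (bits >> cs_len).to_bytes(ent_bytes, "big")
    if bits & ((1 << cs_len) - 1) != checksum_bits(entropy):
        raise ValueError("BIP-39 checksum mismatch")
    return entropy


def split_to_mnemonic_indices(entropy: bytes, n: int) -> list[list[int]]:
    """Split, then give every share its own checksum so each is a valid mnemonic."""
    return [word_indices(share) for share in split_xor(entropy, n)]


def recover_from_mnemonic_indices(share_words: list[list[int]]) -> bytes:
    """Validate each share's checksum, strip it, and XOR the entropies back."""
    return combine_xor([entropy_from_indices(w) for w in share_words])


if __name__ == "__main__":
    parts = split_to_mnemonic_indices(SAMPLE_ENTROPY, 3)
    for i, words in enumerate(parts, 1):
        print(f"share {i} word indices: {words}")
    # recombine in reverse order to show that order does not matter
    print("recovered:", recover_from_mnemonic_indices(parts[::-1]) == SAMPLE_ENTROPY)
```

The checksum step is why a hand-computed share is not yet a loadable mnemonic: the XOR is done on the 256 entropy bits only, and the 8 checksum bits of each share's last word come from SHA-256 of that share, which is the part that needs a computer.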
This is where vendor dependence becomes an issue: if you don't know which method the vendor used to split the secret, or if you don't know EXACTLY AND PROVABLY HOW they split the secret, you may run into trouble reconstructing the secret years down the road.
I have Sora(XOR)/Polaswap(PSWAP) and they sent an Open Letter to SriLanka to use its crypto. It’s one of the only cryptos with a physical bank and it sells NOIR Wine to help fund the developers. Not tryna advertise, but it’s a crypto with good Tokenomics. They release DEO Arena (Game) in 2 days or so.
Try not to choke on the orange pill too hard. The average Joe the Normie will not want to bother with passphrases and live with the risk of losing access to their funds because of their error. There will always be cypherpunks who have their seed XOR distributed, run their own node etc., but for the vast majority of people the future is to hold their funds with centralized entities where their funds are insured from fraud and there are legal means to recover them (which is not the state of the game currently with crypto pseudo-banks the likes of Celsius or BlockFi).
I might be mistaken about their firmware, I can't remember the details.

> I guess the other gripe I have with ledger is, they aren't bitcoin focused. They keep adding more shitcoins.

I too hate this about ledger.

> Also, I own 2 ledgers. One for me personally and one for my business. I can use Ledger Live to view the wallets/accounts on both at the same time. Their only capability to connect to your own node is experimental and it only allows you to connect one device, AND you have to run a sidecar app.

My favorite hardware wallet is the ledger but I would use it only for signing, I would not use ledger live whatsoever. I would watch the wallet using Electrum and Electrum Personal Server.

> Thinking about XOR seed phrases with a passphrase on the resolved private key.

I prefer multisig over user space shenanigans such as XORing seed phrases, SSS, etc. You could still use a passphrase.
Thanks, I was unaware of this. However it still appears to be a slice of their code... Just the bitcoin app that gets invoked from the parent app? I would also be very interested to find out their firmware is open source. I guess the other gripe I have with ledger is, they aren't bitcoin focused. They keep adding more shitcoins. Also, I own 2 ledgers. One for me personally and one for my business. I can use Ledger Live to view the wallets/accounts on both at the same time. Their only capability to connect to your own node is experimental and it only allows you to connect one device, AND you have to run a sidecar app. I can use Sparrow wallet with both ledgers and easily connect to my own node. I have a ColdCard mk4 in hand, but I'm deliberately moving very slowly setting this up because I want to be absolutely certain I have the right security strategy in place. Thinking about XOR seed phrases with a passphrase on the resolved private key.
Yes, coldcard makes it easier and they were the ones that introduced it afaik. But what makes it even cooler is how it isn't hardware dependent and can all be done on paper. It works with any hardware wallet is my point, but of course thank you coldcard and of course it can be easier to produce your seed XOR words with a coldcard. If you are looking for one, I definitely recommend it. If not, you can still use the seed XOR technique.
> [citation needed]

[https://www.rfc-editor.org/rfc/rfc6979#section-3.2](https://www.rfc-editor.org/rfc/rfc6979#section-3.2)

You are right, it HMACs a blob carrying the private key at some point. You could maybe XOR R with the private key and try to extract bits of the key that way, across thousands of transactions. Then again the general recommendation is to never reuse addresses. Then again, a lot of people/exchanges don't abide by it >\_<

> Other than the signatures, there's probably some margin too with the order of inputs and outputs, and others. You can extract a few bits at a time to get the xprv after multiple transactions.

Segwit lets you generate the txid prior to signing. But... you can still embed about anything you want in the witness data. Life is never so simple.

> Don't get me wrong, I understand that all that is nothing more than theoretical concerns, and that there are good reasons that the Ledger is closed source. Indeed, I prefer their more secure design over the alternatives (Trezor, Coldcard), but it'd be great if it could be fully open.

I'm not defending Ledger here. I wouldn't use software manipulating private keys that isn't open source, regardless of what hardware it runs on. My point is that if you doubt the signer software, extracting the raw signed tx to decode with another piece of software is as good a sanity check as you're going to get. This of course only works in the context of offline signing.
It depends on what you expect of the passphrase. Imagine a physical key (the important parts of it) split into 2 parts. The bigger part of the key has most of what is needed to open a lock. Most setups are like this. If your passphrase is compromised, it's all good, the seed is impossible to guess, but if someone gets your seed, the passphrase is as secure as a password to a website. It's often less than you think. So as long as you concede that the seed is still the most important part, and that it shouldn't be considered safe because of the passphrase, then you can treat the passphrase as a time delay protection. An attacker *will* break into your wallet, but the passphrase dictates how long it would take. As long as you get all of that, then you understand that the passphrase gives you the ability to empty the wallet before anyone else as long as you have a way to know when the seed has been compromised. If you will monitor the seed yearly, you need a very secure password. Song lyrics are not a great idea as they will probably be in a hacker's dictionary attack tool (including variations). If you will monitor it weekly, it might be good enough as long as you take concerns seriously. I like seed XOR btw. It gives you 2 parts that are both hard as fuck to guess, making it pretty versatile. Call Paula
I hear you, and I feel you. Too many of us go through the journey and then forget what it was like when they got involved. Everyone starts from zero, catches up, and then reads new articles thinking that everyone else is on the same page. The problem is that no one knows everything, there is still a lot to learn, and a lot of the new content coming out is often already known to many but re-written from a new angle or with more recent supporting data. Don't worry about the critics, they're just trying to make themselves feel better, to feel like they've made it past a milestone, but until they realise that they still know nothing, they haven't really learned what they think they have learned. My knowledge is not from any single source, and so I cannot recommend a single one, but I can try to list a few that I have seen recently or that I remember:

- Hot to Cold wallets: https://www.youtube.com/watch?v=Aji_E9sw0AE
- Reviews for seed backup products: https://jlopp.github.io/metal-bitcoin-storage-reviews/
- BTC Sessions does reviews of many warm (hardware) and hot wallets: https://www.youtube.com/channel/UChzLnWVsl3puKQwc5PoO6Zg
- Seed XOR: https://seedxor.com/
- Shamir's secret sharing scheme & multi-sig: https://medium.com/clavestone/bitcoin-multisig-vs-shamirs-secret-sharing-scheme-ea83a888f033
- The extent to which someone can go to crack a hardware wallet: https://www.youtube.com/watch?v=dT9y-KQbqi4

Ultimately, you will need to learn a lot and take your time; honestly, keeping your funds with a custodian while you are learning and familiarising yourself with this new security paradigm is not a bad idea. Custodians can go bad at any time, but it's less likely that a custodian will go bad by the time you are ready for self custody than it is likely that you lose or compromise your bitcoin trying to practice security without first learning and then practicing with small amounts first.
A tamper evident bag provides a simple way for the user to potentially identify whether someone has attempted to access the contents of the bag. Seed XOR seems like it can become pretty difficult to manage on top of multisig, it seems like it’s better suited for single sig. Most people don’t have enough physically secure locations to do multisig plus split their seeds into multiple parts. It also seems like it would make doing regular health checks of each seed more involved.
It seems like seed XOR would be more risky in the sense that you have to combine the pieces in 1 spot vs multisig you can go from location to location signing the transaction in a separate location on a separate device. Is there some advantage to seed XOR?
Coldcard Seed XOR is a plausibly deniable way of storing secrets in two or more parts that look and behave like the original secret. One 24-word seed phrase becomes two or more parts that are also BIP-39 compatible seed phrases. With Seed XOR, you can split the words you have already in your Coldcard, making two, three or four new seed phrases. You can also combine many seeds into one. Take any number of existing seeds you have, and combine them to make a new random wallet that is the XOR of their values – creating a new 24 word seed. These new seed words (parts) can be individually loaded with honeypot funds as each one is a unique 24 word seed phrase. You can store funds on the seeds of any part, and any subset of parts, which opens even more duress options. A honeypot in this instance is a decoy wallet used to mislead attackers and protect your main bitcoin stash. https://www.keepitsimplebitcoin.com/coldcard-seed-xor/ Note: You don’t have to have a ColdCard. There’s a worksheet you can use. https://seedxor.com/files/worksheet.pdf
Seed phrase + passphrase is essentially a 2-of-2 setup. If you lose either part, you're locked out of your funds. I'd suggest either multisig that has extra redundancy or buying a few pairs of backup plates and doing [Seed XOR](https://seedxor.com/). Comparing self custody to a custodial retirement account is apples and oranges. Only one of them is unrecoverable if you experience a failure.
Here’s a small story of misfortune on your Wednesday.. I bought an XOR coin for £100 a year ago, I then watched it rise to £600 but didn’t sell, that coin is now worth £49, and I think it would cost me more in ETH fees to sell it than I’d get back for the coin.. happy Wednesday!!
Multi-sig is a tool. We usually say that there is a spectrum between Security <--- and ---> Convenience. The thing is, there is no such thing as absolute security, and removing too much convenience becomes a security risk. Making a spend 10 steps provides 10 ways you can make a mistake, and the more times you spend, the more at risk your setup becomes. In some cases, you might expose enough to lower your security but not in any meaningful way, but over time, in a world where data is never lost, these small breaches may end up exposing the whole setup. So what do I think about multi-sig? It is a good system to help distribute the responsibility of security of funds across multiple people to secure a large sum of money, but we should never mix large pools of money with frequently moving pools of money. ALWAYS have a smaller wallet with which to do business and a larger one for savings. This is basically the checking + savings account model, and it may sound obvious, but it isn't to many because we tend to think of Bitcoin as one thing that should be kept in one place for ease of mind. What do I think of nunchuk? It is a tool to help people coordinate by giving them private messaging and an automated way of signing transactions in collaboration. It brings back convenience but of course it also removes from security a little too. Bugs, hacks, etc. on the software level can automatically leak data just like people can. The good news is that if you are not the most technical person, the software is 100x less likely to expose your security than yourself. This makes nunchuk a great tool to manage a multi-sig across people when your weakest link is not super technical. It enables families and businesses to reasonably have access to share responsibility over large funds. That is a great tool IMO. It just isn't a silver bullet. It also allows people who are scared to use Bitcoin to share the responsibility with someone(s) who is more competent.
What I dislike about multi-sig: Many people talk about the personal security you can gain by distributing the keys geographically. Multi-sig for an individual makes much less sense to me. If you are worried that someone might break into your home and steal your keys, then having the key fragmented is a good idea and splitting your backup manually is not secure. Multi-sig is a safe way to split your key, but there are other solutions too like Seed XOR or memorising long passphrases. Geographically distributing keys increases the risk of human error. If you need to travel physically to move funds, how do you ensure that you are not being tracked? You can make the key accessible online but surveillance is MUCH easier in a digital internet connected environment in the same way as access is much more convenient. In both realms, you have constant tracking and data collection: CCTVs vs data sniffing of your internet activity. Both are constantly on, although not necessarily actively searched unless you are a person of interest. TLDR; nunchuk is great in theory. I need to play with it sometime in the future. I like that they are looking to get rid of the email integration since the Canada incident, but I raised this with them a while before and they didn't have the appetite back then. They said "you can use a fake or unique email, but we need it for secure messaging and account recovery" but when cooperating with family, that's not good enough, family isn't going to create fake emails with you. Looking forward to seeing their non-email solution.
Leader starts a conversation by giving the hash of the last found block. The hash is the value that is found when a coin is successfully mined. Every node that gets this message from the leader does a mathematical formula (very simplifying), finds a value and sends it back. Leader is just chilling and waits till it gets f (almost always the failure tolerance allowance but I can’t be sure without seeing more) + 1 responses. For example if there’s 100 nodes, and f is 50, the leader waits till it has 51 responses. XOR is an operation that along with other things can help mix the values together so each one uniquely impacts the final hash value. It can be really hard reading papers without a background in math/computer science. Don’t feel bad for trying to learn how. For a basic idea, just semi-ignoring the big equation parts can give a basic idea of the project. Work up to it as you can.
No. I'd recommend a Trezor model T. Not unless you're comfortable with PSBTs, realize you'll need a software wallet intermediary, and understand you'll use an SD card when broadcasting a transaction from the Coldcard. Don't use it yet. Eventually I'm sure you'll come to it, as the security is ridiculous, and they keep innovating with amazing stuff like seed XOR, checksum calculations, BIP85, etcetera. [https://bip85.com](https://bip85.com) When you do get your new hard wallet set up (whatever it is), definitely get its xPUB (master public key) and set up a *watch only* wallet on your iPhone or Galaxy. You can choose any wallet app you want, and just import the xPUB. Then you can see your hard wallet balance and activity. You won't be able to do anything with it though, just watch.
I only use Coldcards. Nothing on the market comes close to the security of those, and the company (CoinKite) is widely respected. Put it this way, even the Sinaloa Cartel prefers them. The duress PIN, brick PIN, and Seed XOR are excellent options, and the air-gapped nature nonpareil.
Your post wasn't clear on this. In a standard 24-word phrase the last word is a checksum which can be derived from the other 23 words. And then you said "associated with the private key" which could mean it's anything from a passphrase to a seed XOR. Your post isn't clear on what you're looking for.
Can someone help me with which coins to stake? Currently hold ETH / BTC / LINK / DOT / ZIL / XOR / EWT / BAT IM STAKING: EWT / ETH / DOT / ZIL Looking to stake next year when released, LINK / OCEAN & looking to scrap XOR What else should I be looking at?
1. Not sure why you think importing is dangerous? The seed would be viewed from the current device and written only on paper for 5 minutes until imported into the coldcard. It's a standard process. 2. Yes, I understand that XOR can be done in any order. If you read my question in more detail you'll see that I'm asking if the only way for a thief to obtain the seed from a 2 split XOR is by obtaining xor-part-1 and xor-part-2 or the seed itself (which wouldn't be written down because that's why you use an XOR)
> Can I import a seed from a different brand of hardware wallet to the Coldcard

Yes, but don't. The security tenet of all hardware wallets is that your mnemonic seed never exists in digital form outside of your hardware wallet. So if you generated the mnemonic on Trezor and import it into Coldcard, that security assumption is broken.

> When setting up seed XOR you can Choose to split a seed into 2, 3, or 4 parts. In this example say I choose a 2 part XOR split. When recombining to get the seed it says you may use A/B/C or C/A/B in any order to reconstruct the seed.

XOR (⊕) can be done in any order, so A ⊕ B ⊕ C == B ⊕ A ⊕ C == C ⊕ ( B ⊕ A ). Having said that, I like the other way around. You can take an existing Coldcard mnemonic seed and split it into 2-4 XOR mnemonic shares. Alternatively you can take 2-4 valid mnemonics and XOR those input mnemonics to generate your master mnemonic. This method can also be done by hand on paper (apart from the last checksum word) to confirm the maths.
> The algorithm you described above is scalar multiplication.

Indeed.

> 115792089237316195423570985008687907853269984665640564039457584007908834671663, or 2^256 - 2^32 - 977, is the prime modulo.

Indeed. This defines the set of numbers our curve's X and Y coordinates are from, as well as the meaning of arithmetic operators over them (+ - * / ^2, ...).

> The generator, G, is referred to as the base point in the article.

Indeed. Note that G is however not part of the mathematical definition of the elliptic curve. It's just a point that needs to be chosen by convention for ECDSA (and other cryptographic algorithms that operate on elliptic curves) to work.

> If there's a quick answer, how is P + Q calculated for a generic group?

No, because it's part of the group definition. A group is simply a set of elements with an operation on that set, which satisfies certain properties. Typically, a certain symbol is used to refer to that operation, called the group operation; that symbol can be "+" or "*" or even something else based on the context, but it doesn't really matter what the symbol is as long as it's clear from the context. So "P + Q" in a generic group (assuming "+" is the symbol used for the group's operation) is simply "the result of doing the group thing on P and Q". "Addition over the integers" is a group, and + there refers to what you ordinarily call addition. "Addition of vectors over GF(2)" is a group, and + there refers to what programmers would think of as XOR. "Multiplication of non-zero integers modulo 17" is also a group, and while you'd typically use the "*" symbol for that, that too is just the group operation there.

> If there is a quick answer, how is P + Q calculated for a generic elliptic curve?

Yes!
It is: draw a line through P and Q (i.e., an equation of the form `a*x + b*y + c = 0` which holds for the x,y coordinates of both P and Q), see where that line intersects the curve a third time, and then mirror that point around the X axis (i.e., negate its Y coordinate). What you get then is the result of the group operation on P and Q. To add a point to itself, a different rule is used: compute the tangent through that point to the curve, see where it intersects the curve, and then flip around the X axis. If you add a point to its own X-flipped version, you get infinity. If you add infinity to P, the result is just P. Thus, infinity acts like a "zero" element. The equation you give is correct for elliptic curves with formula of the form `y^2 = x^3 + a*x + b`, when adding a point not to itself and not to its X-flipped version. For doubling (adding a point to itself), a similar formula is used, but `C` is instead computed as ` 3*Px^2 / (2*Py + a)`. Note that `a=0` for `secp256k1`. Note that the "/" in your formula is not a normal division: it is the reverse operation of multiplication modulo. So when you write `a/b` that means: the value `c` for which it is the case that `a*c = b mod p` (with `p = 2^256 - 2^32 - 977`, as that's the modulus we're working with for coordinates). To compute that, you need a modular inversion.

> Is the generator, G, tangent to the curve?

No, a tangent is a line. G is a point on the curve. Its choice is more or less arbitrary; it's just that ECDSA needs some fixed special point on the curve that's part of the protocol definition.

> For y^2 = x^3 + 2x + 3 (mod 97) and P = (3,6), why is 2P = (80,10), 3P = (80,87), and so on?

If you use the formulas above to do doubling (i.e., `P + P`) of `(3,6)` you get `(80,10)`. If you then use the addition formula for `(3,6)` and `(80,10)` (i.e., `P + 2P`), you get `(80,87)`. If you then either double `(80,10)`, OR add `(80,87)` to `(3,6)` (i.e., `2P + 2P` or `3P + P`), you get `(3,91)`.
This works because of associativity and commutativity of the elliptic curve group operation, and as a result we can just write `nP` to refer to "`P` added to itself `n` times".

> Is 115792089237316195423570985008687907852837564279074904382605163141518161494337 the order of G?

Indeed, if you add G to itself that many times, you'll get infinity.

> It's said in the article that elliptic curves are groups. Are all elliptic curves groups?

Indeed. Elliptic curve point addition is a group operation (it is fully defined, associative, there is a zero (=infinity), and every element has an inverse (=its X-flipped version), so it satisfies all group properties and therefore defines a group).

> Does this "group" have anything to do with what you called "cryptographic group"?

Yes, exactly. For cryptography which relies on the discrete logarithm hardness (as ECDSA, Schnorr, and a bunch of other protocols do), you need a group in which the discrete logarithm is hard. Certain elliptic curves are a popular way of constructing such a group, but not the only one. Multiplication of integers modulo a large prime number is another way of achieving that, with certain caveats. It results in slower performance and bigger signatures/keys for the same security level though, so they're not as popular anymore. Now, it is not strictly needed that an *entire* elliptic curve is used as group. Sometimes you can select just a subset of the points, and the group law works just as well in that subset. `secp256k1` has no such subsets however - if you include any point, you must include all of them, so this is not necessary here.

> Are elliptic curves Abelian Groups and therefore commutative?

Yes. Maybe it's more correct to say it's the other way around: elliptic curve point addition is commutative, and thus the group you get from it is abelian.
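To check the worked values in the reply above (2P = (80,10), 3P = (80,87), 4P = (3,91) on y^2 = x^3 + 2x + 3 mod 97), here is an added Python implementation of the chord-and-tangent group law, double-and-add scalar multiplication, and a brute-force order count. It is example code written for this page, not the commenter's. The tangent slope is computed with the standard (3x^2 + a)/(2y), which is what reproduces (80,10) on the toy curve where a = 2; the secp256k1 constants (p, G, N) are the published ones, and the code confirms that N*G is the point at infinity, as the reply states about the order of G.

```python
from __future__ import annotations
from typing import Optional, Tuple

# None represents the point at infinity (the group's zero element).
Point = Optional[Tuple[int, int]]


class Curve:
    """Short Weierstrass curve y^2 = x^3 + a*x + b over the prime field GF(p)."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a, b

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x * x * x + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """Mirror around the X axis: the inverse element."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent group law; '/' is multiplication by a modular inverse."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None  # P + (-P): vertical line, meets the curve at infinity
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow((2 * y1) % p, -1, p) % p  # tangent
        else:
            lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p             # chord
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k*P by double-and-add (P added to itself k times)."""
        R: Point = None
        while k > 0:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order_of(self, P: Point) -> int:
        """Smallest n >= 1 with n*P = infinity; brute force, toy curves only."""
        n, R = 1, P
        while R is not None:
            R = self.add(R, P)
            n += 1
        return n


# The toy curve from the thread: y^2 = x^3 + 2x + 3 over GF(97), P = (3, 6).
TOY = Curve(97, 2, 3)
TOY_P: Point = (3, 6)

# secp256k1 (a = 0, b = 7) with its published base point G and group order N.
SECP256K1 = Curve(2**256 - 2**32 - 977, 0, 7)
G: Point = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def toy_multiples(limit: int = 6) -> dict[int, Point]:
    """Return {k: k*P} on the toy curve for k = 1..limit."""
    return {k: TOY.mul(k, TOY_P) for k in range(1, limit + 1)}


if __name__ == "__main__":
    for k, R in toy_multiples().items():
        print(f"{k}P = {R}")
    print("G on secp256k1:", SECP256K1.on_curve(G))
    print("N*G is infinity:", SECP256K1.mul(N, G) is None)
```

On the toy curve 4P = (3, 91) is the X-mirror of P, so 5P is infinity and P generates a subgroup of order 5; the same `mul` with 256-bit scalars is all that is needed to confirm N*G = infinity on secp256k1, just much slower than a real library because it does no projective coordinates or constant-time tricks.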
Morning team, been looking through my portfolio’s and feel I need to get rid of a few coins I’m currently holding: ETH / BTC / DOT / LINK / EWT / ZIL / XOR I am tempted to move the ZIL / XOR into a coin like DOT? What do you think? Annoyingly I’m making quite a bit of ZIL from staking it, but just doesn’t seem to be doing a lot! Let me know what you think :)
According to Bitcoin's white paper, it was designed as a currency that eliminates centralisation in the economy. This will prevent fraudulent activity by the big banks and prevent another GFC. The monetary policy of Bitcoin prevents it being used as a currency until the market cap is either large enough for price stability, or markets are rational enough to prevent boom bust cycles. I don't believe the latter will occur. XOR token has been designed based on scientific research to be used as a currency to resolve these issues Bitcoin and other cryptocurrencies have. So why own XOR? The very same reason people purchase Bitcoin. They believe it will be accepted as a currency and that its purchasing power will increase, just like XOR.
The token bonding curve introduces and removes XOR from circulation to meet the demand of the market. This ensures sustainable economic growth and price security of the token economy. It is important to note though that the token bonding curve does not guarantee stability of the price of XOR, but rather a measure of forward-guided price predictability. This will aid merchants and society in accepting it as a currency rather than a speculation.
You need to explain what you are trying to accomplish better. Here are some options.

1) 2 hardware wallets with the same seed phrase. These are just duplicates of each other.

2) 2 hardware wallets set up in some multisig configuration (1 of 2, 2 of 2). For 2 of 2, you need both wallets to complete a transaction.

4) 2 wallets set up in an XOR configuration. This is where things start getting a bit complex. https://bitcoinmagazine.com/guides/how-to-use-coldcard-and-seed-xor

5) Use a passphrase.

Of all these options, I recommend #5. Basically, using the same seed phrase, you provide one additional word that serves as the passphrase. The passphrase combines with your seed phrase to become an entirely unique private key. There is no wrong passphrase... You can use your passphrase along with any string you want and it will point you to an entirely unique wallet. You would never want to store your seed phrase with your passphrase. A cool technique you can employ is keeping a small amount of btc under the wallet that uses no passphrase at all, while your real stash is behind some complex passphrase. If someone gains access to your 24 word seed phrase, they would find a tiny amount of btc and think you just don't have very much btc and be on their way, all the while your real stack is safe behind your passphrase. It's important that the passphrase follow general password recommendations, as someone who gains access to your seed phrase could also launch a brute force dictionary attack against it, trying millions of common words, known passwords, and combinations to quickly scan different combinations in an attempt to locate your real stash.
In my scripts (Doubleslow Keystretcher) I am using existing key derivation functions that have been vetted and tested already (scrypt, Argon2) and also sha-512, sha3-512, XOR (just in case). It's much slower than the key stretching with the "seed extension" (also known as "extension word" and "passphrase") in the BIP39 specification (PBKDF2 using only 2048 iterations of HMAC-SHA512).
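Added Python example (written for this page; not from either comment above and not the BIP39 reference code) of what the BIP39 "seed extension" does and why a passphrase yields an "entirely unique" wallet from the same words: PBKDF2-HMAC-SHA512 with 2048 rounds over the NFKD-normalised mnemonic, salted with "mnemonic" + passphrase, followed by the BIP-32 master key split (HMAC-SHA512 keyed with "Bitcoin seed"). The mnemonic is the all-"abandon" test vector from the BIP39 spec with passphrase "TREZOR"; the comparison passphrase is a constructed value.

```python
from __future__ import annotations
import hashlib
import hmac
import unicodedata

# BIP-39 spec test vector mnemonic (all-zero entropy); public, not a real wallet.
TEST_MNEMONIC = "abandon " * 11 + "about"
# Constructed passphrase standing in for the "real stash" passphrase.
DECOY_COMPARISON_PASSPHRASE = "example passphrase, not for real use"

# secp256k1 group order; a BIP-32 master key must lie in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
BIP39_ROUNDS = 2048


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    Password is the NFKD-normalised mnemonic; salt is "mnemonic" + passphrase,
    so an empty passphrase simply means the salt "mnemonic".
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS, dklen=64)


def bip32_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32 master (private key, chain code): split HMAC-SHA512("Bitcoin seed", seed)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("invalid master key; BIP-32 says this seed is unusable")
    return key, chain_code


def wallets_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """True when two passphrases yield different master keys from one mnemonic."""
    key_a, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_a))
    key_b, _ = bip32_master_key(bip39_seed(mnemonic, passphrase_b))
    return key_a != key_b


if __name__ == "__main__":
    print(bip39_seed(TEST_MNEMONIC, "TREZOR").hex())
    print("no-passphrase and passphrase wallets differ:",
          wallets_differ(TEST_MNEMONIC, "", DECOY_COMPARISON_PASSPHRASE))
```

The 2048 rounds are the whole "key stretching" BIP39 offers: someone holding the 24 words can run this exact function against a candidate list at millions of guesses per second on commodity hardware, which is why the comments above treat the passphrase as a password that needs real entropy rather than as a second seed.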
Ye but most are legit. I'm mostly on the ETH mainnet and the recent ENS airdrop was nice. For BSC, the transaction fee wasn't holding me back like doing it in the ETH mainnet. I still have airdrops there like the VAL token from the XOR network to claim, but the transaction fee isn't worth it.
$XOR - honestly this should be a top 20 coin but they just don't have a good marketing strategy. They've developed the Polkaswap Dex (PSWAP) and have a multimillion dollar company behind them in Japan (Soramitsu) and a tie-in with an African state Bank. But as I say, nobody really knows they exist!
I really wish seed XOR would become more widely implemented so that recovering a split seed can be easy enough for someone unfamiliar with the tech. But yes, the "only downside" I mentioned ends up blocking many different use cases, and SLIP39 has very nifty extra conveniences. I just mentioned seed XOR in case you didn't know about it, as it somewhat shares the topic of your post. I wish I could help you with your specific question, but I can't.
I really like that for some use cases. Anything that avoids a single point of failure is welcome. And it is indeed very elegant. You can even calculate the checksum by hand, as some non-cryptographic checksum schemes are also based on XORs. Not doing K of N is a huge problem for many people though. Because the most common scheme I've seen seems to be 3-of-5 secrets, as this has lots of use cases. The first use case is, of course, that losing all your funds by losing a single seed might make it less safe than a single point of failure, although for a different reason. It creates a trade-off, because the more keys the higher the risk an individual key is lost, but the fewer keys the more it converges to a single point of failure. Given a set of estimated probabilities for each location, a K-of-N scheme can give you options with better total safety probabilities than the extremes 1-of-1 and N-of-N. A related use case beyond the safety issue is, of course, being able to recover the seed more easily when everything is fine and leaving the last seeds in more difficult locations only for emergencies. A second use case is to organize these more difficult locations to be something that would be available to your relatives when you die, like a bank vault or a closed will. This is very convenient for inheritances, and it can be mixed with other usual inheritance schemes (like timelocks, etc...). The third use case that comes to mind is that some of these secrets are often not even seeds, but seed groups, which can avoid collusion between people holding the seeds and mitigate the risk in seed groups you trust less not to lose the keys. For instance, maybe you don't have 5 people you trust a lot but maybe there are 3 people you trust a lot and 2 groups of people you don't fully trust individually but you can trust that not most of them will screw up. So I think I would probably use XOR if I'm in control of all seeds.
But even in that case, because there's already a protocol for SLIP39, I think I'd rather use it because the protocol provides some extra conveniences, like conventions to be able to identify related seeds and seed groups without counting on the master key, checksums, etc. These conventions are very useful if someone else needs to recover the wallet for you, like in that second use case.
Slightly off topic, but have you heard of Coldcard's Seed XOR https://seedxor.com/ ? Just like the name sounds, it XORs your original mnemonic with a new random mnemonic, producing a third random one. By XORing them again, you get the original mnemonic back. In my opinion it is a much more elegant and simple way to split a mnemonic; it can even be done by hand (but you'll need a computer to calculate the checksum if you want the splits to independently be valid mnemonics too). The only downside I see is that it can only do N of N splits (all parts are required to restore the secret); it doesn't do K of N (for example 2 of 3).
You don't need a Mk3. In fact you can easily XOR or One Time Pad split any BIP39 seed into "n of n" or "n of m" parts as described here: [Practical way to split a bip39 seed into a 2 out of 3](https://bitcoin.stackexchange.com/a/65434)
GREAT write-up. Not only does the author explain why each step is important from a security perspective, he lists the tradeoffs--e.g. the harder it is for an adversary to break your security, the harder it may be for your loved ones to access your Bitcoin if you die. Best of all, he includes steps (and worksheets!) you can follow to audit what the ColdCard is doing behind the scenes. Thank you, OP, for sharing this. I might have to upgrade to Mk3 devices so I can take advantage of that slick XOR seed splitting function!
Check out the reply in the post below.

> One Time Pad or XOR is an elegant and information-theoretically secure way to split a BIP39 seed. It's a method simple to describe (apt for a will) and easy to verify (trust only yourself). It can be computed with paper and pencil eliminating risks from malware. Best of all the resulting shares are themselves mnemonics thus easy to record. The method does not scale efficiently for n of m when m is large, but works well for n of n, 2 of 3 and possibly 3 of 5.

https://bitcoin.stackexchange.com/questions/60540/practical-way-to-split-a-bip39-seed-into-a-2-out-of-3-factor-auth
This is not a very secure method, because each of the three shares reveals 1/3 of your seed entropy. The secure way to split a seed phrase is by using either Shamir’s Secret Sharing or, even better, the mathematically trivial [XOR method](https://github.com/mmgen/mmgen/wiki/XOR-Seed-Splitting:-Theory-and-Practice). With these methods, none of the individual shares reveals anything about your seed.
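The XOR splitting discussed in the comments above (Seed XOR, the mmgen write-up, and the 2-of-3 construction from the linked Stack Exchange answer), as an added example that is not code from any of those posts or projects. Mnemonics are handled as lists of 11-bit word indices so it runs without the 2048-word BIP39 list (index i is line i of the english wordlist); the holder names and the `p1`/`p2`/`p3` piece labels are this example's own. It also computes the BIP39 checksum so that every share is itself a valid mnemonic, which is the step one comment above notes you cannot easily do by hand.

```python
"""XOR (one-time-pad) splitting of BIP39 seed entropy: n-of-n, and 2-of-3 built on it.

Added example; not code from the quoted posts, Coldcard's Seed XOR, mmgen or the
linked Stack Exchange answer. Mnemonics are lists of 11-bit word indices
(index i = line i of bip-0039/english.txt); shares are raw entropy bytes and
are converted to indices, checksum included, for recording on paper or steel.
"""
import hashlib
import os


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the BIP39 checksum (first ENT/32 bits of SHA-256) and cut into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 bits for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    bits = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse of entropy_to_indices; rejects a share whose checksum is wrong."""
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("a mnemonic has 12, 15, 18, 21 or 24 words")
    total = len(indices) * 11
    cs_bits = total // 33
    ent_bits = total - cs_bits
    bits = 0
    for idx in indices:
        if not 0 <= idx < 2048:
            raise ValueError("word index out of range")
        bits = (bits << 11) | idx
    entropy = (bits >> cs_bits).to_bytes(ent_bits // 8, "big")
    if entropy_to_indices(entropy) != list(indices):
        raise ValueError("BIP39 checksum mismatch: share was recorded incorrectly")
    return entropy


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("shares must all be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def xor_split(entropy: bytes, n: int, rng=os.urandom) -> list[bytes]:
    """n-of-n split: n-1 uniformly random pads plus the XOR of the secret with all of them.
    Each share on its own is uniformly random, so it reveals nothing about the secret,
    and, being the right length, is itself valid entropy for a checksummed mnemonic."""
    if n < 2:
        raise ValueError("a split needs at least two shares")
    pads = [rng(len(entropy)) for _ in range(n - 1)]
    last = entropy
    for pad in pads:
        last = xor_bytes(last, pad)
    return pads + [last]


def xor_combine(shares: list[bytes]) -> bytes:
    """XOR all shares together, in any order; with any share missing the result is noise."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = xor_bytes(acc, share)
    return acc


def split_2_of_3(entropy: bytes, rng=os.urandom) -> dict[str, dict[str, bytes]]:
    """2-of-3 built from a 3-of-3 XOR split: each holder keeps two of the three pieces,
    arranged so that any two holders together own all three. A lone holder's two pieces
    XOR to the secret still masked by the piece they lack, i.e. to random bytes."""
    p1, p2, p3 = xor_split(entropy, 3, rng)
    return {
        "holder_a": {"p1": p1, "p2": p2},
        "holder_b": {"p1": p1, "p3": p3},
        "holder_c": {"p2": p2, "p3": p3},
    }


def recover_2_of_3(*holders: dict[str, bytes]) -> bytes:
    """Pool the pieces of any two (or three) holders and XOR the three distinct ones."""
    pieces: dict[str, bytes] = {}
    for holder in holders:
        pieces.update(holder)
    if set(pieces) != {"p1", "p2", "p3"}:
        raise ValueError("need all three pieces; any two holders together have them")
    return xor_combine([pieces["p1"], pieces["p2"], pieces["p3"]])


if __name__ == "__main__":
    secret = os.urandom(16)                       # constructed sample secret, not a real wallet's
    mnemonics = [entropy_to_indices(s) for s in xor_split(secret, 3)]   # three valid 12-word shares
    assert xor_combine([indices_to_entropy(m) for m in mnemonics]) == secret
    holders = split_2_of_3(secret)
    assert recover_2_of_3(holders["holder_a"], holders["holder_c"]) == secret
    print("n-of-n and 2-of-3 XOR splits round-trip")
```

The 2-of-3 variant is why the linked answer says the method "does not scale efficiently for n of m when m is large": each holder must carry several pieces, and the number of pieces grows combinatorially with m, whereas Shamir or SLIP39 gives every holder a single share of fixed size.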
The starting price for XOR on the TBC is just under $900; the price will increase $1 for every 1337 XOR bought. PSWAP is a reward token with a depreciating supply and VAL is the validation reward token and holds voting power in the VAL DAO, which gets funding through the Polkaswap finance model.
I don't want to use a passphrase. I'm actually using two steel plates with the XOR thing. In my mind, if I send that device to anyone, I need to consider any key that might have been on that device ever as compromised and shouldn't use it for anything, passphrase or not.
Not quite sure what you mean by ‘broken’ in this case but anyway. XOR is not an encryption, really. It’s meant to be reversible. Not only that, XOR does not have a fixed length output like true hashing algs, so it’s unreasonable to use in this application. Unlike XOR, actual hashing algs hold true as one-way functions, and that’s the main reason they are useful in these situations. Skipping over the mathematical details, they take an input, and return a fixed length output that is very, VERY unlikely to match the output of any other input. So it’s basically a unique identifier. If ‘hashing’ were broken, there would be much further reaching implications than BTC because it’s used literally everywhere.
Literally every single cryptographic function has been doing this since 1990. This is as much of a buzzword as "military-grade".

> SAFE’s hash function is able to fully map any piece of data to 256-bit strings of characters, and the network can perform the XOR operation on the hash value in order to randomly create a unique distance to any other piece of data. This is not physical distance but a mathematical distance between two numbers.

Literally every single cryptographic function has been doing this since 1990. This is as much of a buzzword as "military grade".

> When you transfer a file to the network, such as a photo, it is broken down into pieces (shards), **hashed** and fully encrypted

When you hash something, it is impossible to get the original data back. So either the team needs to improve their English, or it's just a scam full of buzzwords.
Consider not just the coin/token potential for increasing value, but also what opportunities are available with that coin/token through staking, LPs, etc. Personally, I like Kusama (part of Polkadot) and the ability to stake to earn ~14-17% more of that token annually using the Fearless app. If you want to go further out the risk curve, have a look into Soramitsu, which has created the Fearless app, Polkaswap (XOR, VAL, PSWAP), and the world's first CBDC for the bank of Cambodia: https://soramitsu.co.jp/
Not if you took the proper precautions, and I am talking about when you generated your private key and set it up: you do so in a room away from all cameras and phones and electronics with no windows. You did it completely offline on a hardware wallet, and rolled dice to generate a powerful over-256-bit encryption private key and then verified it using Tails and Python. You then torch the USB into a liquid and lock up all backups and hardware wallets in a secure safe with multisig set up using XOR.
> DIP chips

DIP only means dual inline package. Millions of chips are sold packaged in a DIP.

> SHA-256 shouldn't be that hard to implement at the lowest level, it involves bit shifting, mod 32 rotation, XOR, Choice, Majority, and mod 32 addition

You're right, it's trivial. Originally, it was implemented by using the SHA-2 function in OpenSSL's libssl. After a while, some people foolishly decided it would be cool to make it faster, so they implemented it by moving the SHA-2 process to the GPU. Not seeing that this was foolish, and seeing that it "worked" and made hashing faster, some other people went to the next step and implemented SHA-2 in FPGA. At the same time, a clever entrepreneur pre-sold the first generation of ASIC chips and used the customers' money to fund the development and the manufacture of the first batch. In the intervening 8 years, the USA failed to succeed in this market and conceded the market to China. The entrepreneurs in China designed faster ASICs which used smaller and smaller logic gates, which helped to keep down the heat emission and reduce the power consumption (now measured as Joules per terahash). They contracted the world's most advanced chip manufacturer, TSMC, to fabricate their ASICs with 16nm gates: the Antminer S9 (98J/TH) in 2017. By 2019, the S19 ASICs were down to 7nm and 30J/TH. In 2022 TSMC and/or Samsung will be fabricating 5nm Bitcoin mining ASIC chips for one or more of the Chinese manufacturers.

> what am I missing here?

You're eight years late. Your penny chips don't have a snowball's chance in hell of competing with the hash rates, low heat emission, and low power consumption of next year's 5nm Bitcoin mining ASIC chips.
Throwaway account: I am in a very insecure living situation. I devised a way to manually hash innocuous public data. This is not the method I use, but it is in this spirit. I start on a date that is personally meaningful to me. Then I go to a data source of random data that will be archived forever in multiple places: [https://www.usamega.com/powerball/results](https://www.usamega.com/powerball/results) My special date might be July 10, 2021; the third number is 29. 29 is odd. That is 1. The next week the third number is 52. This is even; that is 0. I then process forward from that date every week noting the one or zero. Every eleven bits gives me a word from the BIP39 word list: [https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt](https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt) When you get to your final word, there is a 1 in 16 chance you have a good checksum. Then just go up and down the list until you find the closest one that meets the checksum. Use a 13th word/password as you see fit. There is nothing in your living quarters to find. It will take you about 30 minutes to re-derive your key. Once you have the lottery numbers, the rest is done with paper and pencil. There is security through obscurity here; however, the adversary would need to know:

* Your algorithm
* Your random data source
* Your seed date
* Your 13th word

You can see many ways to obscure this further.

* Choose a different number ball each time in your own pattern, like 2-3-5-2-4
* Odd and even is flipped every N balls
* Do this with two different lotteries and XOR your results

If you choose an entropy source that should be archived as long as the internet exists then you have your seed obscured in the cloud.

----------------------

What are some other entropy sources that will be archived "forever"? [https://www.baseball-reference.com/teams/NYY/1942.shtml](https://www.baseball-reference.com/teams/NYY/1942.shtml) Maybe you take the 1942 Yankees, alphabetized by first name. Then odd ages are 1 and even ages are 0. That is 31 bits. Pick 5 teams from different eras and you have a reproducible seed that is archived in the cloud. Even better, this kind of data is really innocuous in book form if you are a sports data fan. Now you have a way to derive your seed completely off-line (if you have the BIP list).

------------

There is tons of entropy out there, archived forever. It is far easier to memorize an algorithm like this than a seed phrase. Hell, I do not use these methods, but I suspect I will not forget them now. If I had real money on the line, I sure would not.