# Seedphrase Security
## Conclusions
- [[Shamir Secret Sharing]] is insecure because it requires generating (and later splitting and recombining) your seed on a general-purpose computer, which is exposed to malware, rather than inside a hardware wallet
- ==(AB|BC|AC) splitting + a passphrase is the best and most secure option.==
- The AB|BC|AC split is more secure than putting the whole 24 words in each backup, since an attacker who finds one full backup has no further work to do (rather than having to crack 88 bits).
- It is much easier to break into a safe in someone's house than it is to crack 88 bits.
- And it is much easier to break into one safe in someone's house than it is to break into two safes in two different houses.
- If it is discovered that a backup has been stolen or otherwise accessed, all funds should be swept to a new seed. You must move your funds to a new seed faster than:
1. An attacker with 1 backup can brute force the remaining 8 words
2. An attacker with 1 backup can go find another backup
- ==However, the AB|BC|AC split doesn't change the reality that the funds can be stolen if an attacker manages to get their hands on 2 or more of the backups through some physical means. So most of the funds (except for the decoy) should remain encumbered by a passphrase.==
- Additional benefits:
- Adds plausible deniability + a decoy under duress
- Adds much more entropy on top of the 88 bits, typically bringing you beyond 128-bit security, and is a safeguard in case the original recovery phrase had low entropy. My password adds about 61 bits
- [Guide to calculating the # of bits of entropy in a given password](https://www.pleacher.com/mp/mlessons/algebra/entropy.html)
- ==However, using a passphrase introduces the risk of not being able to remember it. Take care to remember it, and review it from time to time.==
## Method 1: 24 word AB | BC | AC seedphrase split
### Setup
- Under the 2-of-3 split, each backup holds 16 of the 24 words
- => 8 words to brute force
- => 80 bits of entropy (88 bits minus the 8-bit checksum) [according to this comment](https://www.reddit.com/r/Bitcoin/comments/bvw97m/chopping_a_seed_phrase_into_pieces_versus/ept2z4e)
- => "If one check of a seed takes 1 nanosecond (a very conservative estimate) and an attacker controls 1 million cores it would still take over 600 years to bruteforce [$2^{85}$ bits of entropy]" - [a comment in the same Reddit thread](https://www.reddit.com/r/Bitcoin/comments/bvw97m/chopping_a_seed_phrase_into_pieces_versus/ept5zfh)
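To make the arithmetic above concrete, here is an added example (not from the original note or any of the linked threads) that models a 24-word BIP39 phrase as 11-bit word indices, builds the AB|BC|AC backups, recovers the phrase from any two of them, and shows that the 8-bit checksum prunes only 1 in 256 candidates, so 8 missing words leave 2^80 checksum-valid guesses. The attack-rate assumptions (1 ns per check, 1 million cores) are taken from the Reddit comment quoted above.

```python
# Added example (not from the original note): BIP39 modelled at the word-index level (11-bit indices, 0..2047), so no word list is needed.
import hashlib

WORD_BITS, WORDS, ENT_BITS = 11, 24, 256
CS_BITS = ENT_BITS // 32   # BIP39 checksum is ENT/32 bits: 8 bits for a 24-word phrase

def checksum(entropy: bytes) -> int:
    """First ENT/32 bits of SHA-256(entropy)."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CS_BITS)

def entropy_to_indices(entropy: bytes) -> list:
    """entropy || checksum, cut into 24 word indices."""
    bits = (int.from_bytes(entropy, "big") << CS_BITS) | checksum(entropy)
    return [(bits >> (WORD_BITS * (WORDS - 1 - i))) & 0x7FF for i in range(WORDS)]

def indices_valid(indices) -> bool:
    """Recompute the checksum from the first 256 bits and compare with the last 8."""
    bits = 0
    for idx in indices:
        bits = (bits << WORD_BITS) | idx
    entropy = (bits >> CS_BITS).to_bytes(ENT_BITS // 8, "big")
    return (bits & ((1 << CS_BITS) - 1)) == checksum(entropy)

def split_ab_bc_ac(indices) -> dict:
    """Three 16-word backups; any two of them together contain A, B and C."""
    a, b, c = indices[:8], indices[8:16], indices[16:]
    return {"AB": {"A": a, "B": b}, "BC": {"B": b, "C": c}, "AC": {"A": a, "C": c}}

def recover(backup1: dict, backup2: dict) -> list:
    """Merge two backups back into the 24 words; fail if a third is still missing."""
    parts = {**backup1, **backup2}
    missing = {"A", "B", "C"} - set(parts)
    if missing:
        raise ValueError(f"still missing part(s): {sorted(missing)}")
    return parts["A"] + parts["B"] + parts["C"]

def valid_last_words(indices) -> int:
    """Fix words 1..23 and try all 2048 values of word 24: exactly 2**3 = 8 pass
    the checksum (1 in 256), so the checksum only prunes 8 of the missing bits."""
    return sum(indices_valid(indices[:23] + [w]) for w in range(2048))

def brute_force_years(bits: int, cores=1_000_000, checks_per_sec=1e9) -> float:
    """Expected years to search half of a 2**bits space at the Reddit comment's
    assumed rate of 1 ns per check on 1 million cores."""
    return 2 ** bits / 2 / (cores * checks_per_sec) / (365.25 * 86400)
if __name__ == "__main__":
    phrase = entropy_to_indices(bytes(range(32)))   # constructed sample entropy
    print(recover(*[split_ab_bc_ac(phrase)[k] for k in ("AB", "AC")]) == phrase,
          valid_last_words(phrase), f"{brute_force_years(80):.0f} years")
```

Note that `brute_force_years(85)` reproduces the "over 600 years" figure from the quoted comment, while the 80 checksum-valid bits of the actual split come out to roughly two decades at that (very optimistic for the attacker) rate, which is the point of the passphrase recommendation below.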
### "Chopping A Seed Phrase Into Pieces Versus Creating A Multisig Wallet" - Reddit Post
https://www.reddit.com/r/Bitcoin/comments/bvw97m/chopping_a_seed_phrase_into_pieces_versus/
- Seed phrases are great for security because they can be managed without a computer
- 2-of-2 is still basically impossible to crack. But 2-of-3 starts to get more questionable
- "Shamir's secret sharing is (IMO) going to be the best way to minimise brute force risk & redundancy risk, though it will require use of additional software to split and recover the seed which will increase the risk of inputting your seed into malware. Tools are coming out soon which will make using Shamir's Secret Sharing far easier." [Comment](https://www.reddit.com/r/Bitcoin/comments/bvw97m/chopping_a_seed_phrase_into_pieces_versus/ept990u)
### Required bits of entropy
Specified by RFC 4086 - "Randomness Requirements for Security"
- 29 bits if only online attacks are expected
- 96 bits for important cryptographic keys
- 56 bit DES encryption was broken in less than a day
- 64 bit key was cracked in 4 years, 9 months, 23 days
- 72 bit key can be cracked in 124.8 years using 2011 hardware according to distributed.net
- 256 bits based on limitations from fundamental physics
Source: [Password Strength - Wikipedia](https://www.wikiwand.com/en/Password_strength#/Required_bits_of_entropy)
### "Is 80 bits of key size considered safe against brute force attacks?"
[Crypto Stack Exchange](https://crypto.stackexchange.com/questions/13299/is-80-bits-of-key-size-considered-safe-against-brute-force-attacks/13302#13302)
- As of Feb 2021, Bitcoin mining ASICs can crunch through 2^93
- But it's unlikely that similar hardware exists for crunching [[BIP39]] seed words
- Includes an answer that talks about quantum computing
- An 80-bit key can be cracked in 2^40 operations by a quantum computer (Grover's algorithm halves the exponent)
- A 256-bit key still requires 2^128 operations on a quantum computer
### "Redundant seed splitting vs passphrase"
[Reddit](https://www.reddit.com/r/Bitcoin/comments/kj4yvz/redundant_seed_splitting_vs_passphrase/)
#### Insightful comment
https://www.reddit.com/r/Bitcoin/comments/kj4yvz/redundant_seed_splitting_vs_passphrase/ggv3lrc?utm_source=share&utm_medium=web2x&context=3
- "Having a passphrase doesn't reveal to an attacker that there is even anything other than the 24 word seed. Likewise someone can find the passphrase and not even know what it is. It could be a password for anything."
- "You can have multiple passphrases and switch to a new one without redoing your seed backups."
- "Passphrase also boosts the security of your physical device in terms of having plausible deniability, removes the possibility of faulty/malicious low entropy seed generation and also makes key extractions a non issue."
- "You should include your passphrase as part of your backups, just not with the seed. I would also suggest diceware words, as this structure makes your backup more error resistant."
## "Why is Seed Splitting a Bad Idea?" by [[Andreas Antonopoulos]]
https://www.youtube.com/watch?v=p5nSibpfHYE
He doesn't present any good arguments as to why it is supposedly a bad idea
Comments:
- "I just totally disagree. The biggest risk for your seed is entering it into a normal general purpose computer (your PC). You never know what malware is there, even if you are very professional. That is why you use a hardware wallet. So for your backup you need a mechanism which does not need a computer to create or to restore. The 2 out of 3 scheme allows this; SLIP39 does not!"
- "Now to the numbers: [[BIP39]] uses 1/32 of encoded data as checksum."
- "There are 2048 different words, each word encodes 11 bits."
- "The checksum for a 24 word seed is 8 bits, which is quite a bit less than a word. This means if you brute force attack a part backup, you will find every 256 tries a result with a valid checksum. But this does not mean you found the seed."
- "8 words are 2^88 or 88 bits to crack. Even if you assume you do spare the 8 checksum bits, this is still 80 bits to crack ==including accessing the blockchain== because an attacker will find 2^72 (2^80/2^8) wrong seeds!"
- "So my result: 2 out of 3 is an easy to use and sufficiently secure method for seed backup of a hardware wallet! A backup which weighs and covers all risks (loss and disclosure) very well!"
- "I would also like to add that physical safes are incredibly easy to get into. Much easier than brute forcing 8 seed words. The argument about brute forcing doesn't make any sense anyway because the comparison is between storing all seed words vs 16 seed words. Where in one case you don't have to brute force anything at all. So saying 'well brute forcing 8 seed words is too easy' doesn't make sense since brute forcing 0 words is even easier."
- "The actual argument should be about how to store your seed words without people gaining access to them and physical safes are not great at this. Especially consumer relatively cheap safes. Extra passphrases on top of the seed words are probably the real answer, even though you then have to store those as well. ==Heck the good thing about that is that you can store that passphrase a bit more liberally as long as nobody knows that's the passphrase for your hardware wallet.=="
## Method 2: [[Shamir Secret Sharing]]
![[Shamir Secret Sharing]]
## Don't take pictures of a paper seed phrase backup, even the back
"Note that you should never take a photo of your seed phrase, or even the back of a seed phrase sheet. As no fewer than half a dozen of my observant followers pointed out to me, many of the words on the sheets could be recovered via careful manipulation of the image in order to see the indentations more clearly."
Source: [[Jameson Lopp]] [blog](https://blog.keys.casa/bitcoin-seed-security-analysis/)
## See also
- [[Multisignatures]]