I would like to suggest the development of a more conventional multisig mechanism, allowing individuals to create their own multisig configuration without solely relying on the Shamir Backup. I am not undermining the effectiveness of the Shamir method, but advocating for the ability to maintain the three seeds I have already memorized, without the obligation to create a Shamir Backup. I have possessed these seeds for years, and Trezor is hindering the establishment of an added layer of security by centralizing everything in the Shamir Backup. This exposes users who already have their own seeds to third-party technologies, which may pose security concerns. For instance, Electrum has encountered numerous issues.
It would be highly beneficial if Trezor utilized the interface and existing functionalities within the Shamir system to enable any generated seed to establish its own security layer using Trezor and the Trezor Suite, such as a 2-of-3 seeds or more. Please consider this new possibility and allow us to use our 12 or 24-word seeds to set up our own multisig configurations.
Multisig and shamir are fundamentally different tho.
Multisig depends on a chain's capabilities to allow multiple private keys to be involved in an address and let multiple parties sign independently. Note that while these "parties" can be backups and wallets in your control, they don't have to be.
For example you could have a company with a CEO, VP and accountant with a 2/3 setup and out of these 3, 2 would need to agree to EACH TRANSACTION by signing it. That could easily be across the globe too.
With shamir you just have one wallet which has a split backup, and when they come together and get restored you have one single wallet with full control over everything.
However due to the way slip39 only replaces bip39 and derivation continues from bip32 as normal a shamir wallet is, aside from the backup indistinguishable from a standard single wallet.
So what you're asking for is a way to combine existing seed phrases in a way that gives you a new wallet?
That's basically the exact opposite of what you should be doing.
Do you want a new wallet for yourself, with backup shared by multiple people and/or locations? Then you don't want to be giving out existing seeds, because that gives the people access to your existing wallets. Instead, create a new Shamir backup. Having one share reveals absolutely nothing about the wallet.
Do you want multiple people with multiple existing seeds to co-own a wallet? Then set up a multisig scheme like @My1 is saying. That allows everyone to co-sign a shared account under controlled conditions instead of giving everyone full rights to take the money and run.
Do you want to … uhh … combine three seeds that you have already memorized?? Why do that, instead of just picking one and using it?
Do you want to create a new wallet and back it up between several people, Shamir style, and at the same time keep one seed on yourself that allows you to fully recover it?
Make a SuperShamir with 1of1 + 3of5 groups. Back it up on cryptosteel like the rest of us, and if you want to memorize something, make a good strong randomly generated passphrase.
FWIW, memorizing key material is generally a bad idea. It makes you one unfortunate bang on the head away from losing all your money. Humans suck as storage media.
(It is technically possible to take your BIP39 seed and back it up via Shamir shares of 59 words each. This is not enabled on Trezor because, basically, we haven't yet figured out a way to do it without making it a perfect way to shoot yourself in the foot.
Which, to be perfectly honest, what you seem to be proposing is exactly that: a grand big opportunity to mess up catastrophically.)
I think choosing seeds generally isn't a good idea and in terms of how shamir works that's not how that works, just from the math of it.
in shamir (be it from trezor or not), you have one thing you start with, and select how you want to split that (as in how many shares needed of how many total, like 2/3)
as far as I know you cannot just make up shares and hope it goes well as the mathematical properties likely have to be set in advance by the splitting process.
I mean the math of shamir is likely way too advanced for me to understand but I cannot just make up some random numbers and declare them e.g. public and private key, because they need to have some mathematical relationship with each other, same with shamir shares.
frankly if SLIP39 would have shamir'd the BIP39 entropy instead of the BIP32 starting secret it would have been easy to convert between normal and shamir, but sadly that wasn't done, which could have been nice
but then again, if you have enough coins to warrant a shamir, making a new wallet can still be worth it, even if you need new metal backups
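To make the point above concrete (shares are computed from one starting secret by the splitting process, any threshold-sized subset recovers it, and a smaller subset yields nothing usable), here is a byte-wise Shamir split over GF(2^8), the same field SLIP-39 interpolates in. This is an added illustration written for this thread, not Trezor or SLIP-39 code: real SLIP-39 additionally encodes shares as words, adds a digest share for integrity checking, and supports two-level groups, none of which is shown here. The 128-bit master secret and the 2-of-3 and 3-of-3 layouts are constructed for the example.

```python
"""Byte-wise Shamir secret sharing over GF(2^8).
Added illustration for this thread; not Trezor's or SLIP-39's implementation."""
import secrets
from typing import Dict

# GF(2^8) with reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b),
# the field SLIP-39 uses for its interpolation.
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 since the group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r

def split_secret(secret: bytes, threshold: int, count: int) -> Dict[int, bytes]:
    """Return {x: share} for x = 1..count. Every byte of the secret becomes the
    constant term of its own random polynomial of degree threshold-1; the share
    with index x holds that polynomial evaluated at x. The shares are therefore
    derived from the secret, not chosen freely."""
    if not 1 <= threshold <= count <= 255:
        raise ValueError("need 1 <= threshold <= count <= 255")
    shares = {x: bytearray() for x in range(1, count + 1)}
    for s in secret:
        coeffs = [s] + list(secrets.token_bytes(threshold - 1))
        for x in shares:
            y = 0
            for c in reversed(coeffs):      # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return {x: bytes(v) for x, v in shares.items()}

def recover_secret(shares: Dict[int, bytes]) -> bytes:
    """Lagrange interpolation of each byte position at x = 0. Correct only when
    at least `threshold` distinct shares are given; with fewer, the output is
    an unrelated value and carries no information about the secret."""
    xs = list(shares)
    length = len(next(iter(shares.values())))
    out = bytearray()
    for i in range(length):
        acc = 0
        for xj in xs:
            # basis polynomial l_j(0) = prod_{m != j} x_m / (x_m - x_j); in
            # characteristic 2 subtraction is XOR
            num, den = 1, 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)
                    den = gf_mul(den, xm ^ xj)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

def demo() -> bool:
    master = secrets.token_bytes(16)                 # constructed 128-bit secret
    two_of_three = split_secret(master, 2, 3)
    three_of_three = split_secret(master, 3, 3)      # the "3-of-3, keep all shares yourself" layout
    return (recover_secret({1: two_of_three[1], 3: two_of_three[3]}) == master
            and recover_secret(three_of_three) == master
            and recover_secret({1: three_of_three[1], 2: three_of_three[2]}) != master)

if __name__ == "__main__":
    print("shamir demo ok:", demo())
```

Note the direction of the computation: the secret exists first and the shares fall out of it. Three pre-existing 12-word seeds cannot be declared shares of some wallet after the fact, because nothing forces them to lie on a common polynomial, which is exactly the objection raised in the thread.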
Let's forget about it. It seems you haven't grasped the core of what I'm saying. The reason I've never used Shamir is that I would never endorse a system that requires me to hand over my seed to anyone. In my view, nobody should even be aware that I possess a physical wallet. My intention was simply to create a wallet that would necessitate my three existing seeds, serving as an additional layer of security. But alright, it appears that only your team persists in the notion of sharing seeds with third parties. When I mentioned Shamir, it wasn't about the reference of giving seeds to anyone, regardless of whether they have access or not. It was about the use of 3 out of 2. Well, let's drop it.
Do I understand you correctly that what you're after is not "sharding" but, essentially, using a single 36-word seed composed of your three 12-word seeds?
What would be the purpose of this scheme? If you're the only one who knows all the seeds, why not simply pick one and use that?
In my perspective, yes, it does lead to exposure. In the future, someone who previously didn't understand the concept of a "seed" sequence might now comprehend it, establishing a connection with me. Even though this person doesn't have access to the funds, there could be an implication that I hold assets in self-custody. However, there's no guarantee that this trusted individual might not hire someone to harm me and coerce me into transferring the funds.
I don't see the need to explain my purpose or the structure of my wallet, as it probably won't happen anyway. It would be highly beneficial for me to have a single wallet that accepts three sets of 12 words! This would serve my needs very well. Thank you for your attention!
Just to provide full information: you can of course set up a 3-of-3 Shamir backup, where you generate 3 shares of 20 words each, do not give them to anyone, and all 3 shares are required to recover the wallet.
(Shamir itself doesn't require you to give out the shares, and, to be absolutely clear here, Trezor itself is not doing that either. The only person who gets the shares is the one who is setting up the backup. Whether you decide to give them out or not is completely up to you. The point of Shamir is that you can safely do it. But you don't have to. Another scenario is, for example, you burying the shares in multiple separate locations, so that even if one of the hiding spots is compromised, your wallet is still safe.)
If deniability is what you're after (set up a decoy wallet on all three seeds, but only when combined your real stash is revealed), the standard solution to that is the passphrase feature. You can use the standard wallet as a decoy, and you can set up passphrase A as another decoy to give out under duress, while keeping passphrase B with the majority of your funds a secret.
While I can say with 100 % confidence that "layering seeds" is not going to become part of Trezor (it's a UX nightmare, just look at how easy it is for people to lose funds just with passphrase alone), it might not be difficult to implement in custom firmware. You could do something as simple as modulo-addition of individual words: then any combination of seeds would produce a different seed (with failing checksum but that doesn't matter for this purpose).
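The passphrase mechanism recommended above is plain BIP-39: the seed is PBKDF2-HMAC-SHA512 over the mnemonic with the salt "mnemonic" + passphrase, so the same 12 words give an unrelated 64-byte seed for every passphrase, and the empty passphrase is the "standard wallet". The following is an added example written for this thread using that public derivation; it is not Trezor Suite or firmware code. It also shows the failure mode hinted at in the thread: a passphrase that differs by case or by a stray trailing space is a different wallet, with no error to tell you so. The mnemonic used is the all-"abandon" BIP-39 test mnemonic, and labels such as "decoy_A" are constructed for the example.

```python
"""BIP-39 seed derivation with a passphrase (added illustration, not Trezor code)."""
import hashlib
import unicodedata
from typing import Dict

BIP39_ROUNDS = 2048   # fixed by the BIP-39 specification

def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """64-byte seed = PBKDF2-HMAC-SHA512(NFKD(mnemonic), "mnemonic" + NFKD(passphrase), 2048).
    An empty passphrase selects the standard (non-passphrase) wallet."""
    words = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", words, salt, BIP39_ROUNDS, dklen=64)

def decoy_layout(mnemonic: str, passphrases: Dict[str, str]) -> Dict[str, str]:
    """Map each wallet label to the hex seed its passphrase yields. Nothing on
    the device records which of these is the 'real' one; only the passphrase
    itself selects it."""
    return {label: bip39_seed(mnemonic, pw).hex() for label, pw in passphrases.items()}

def near_miss_variants(mnemonic: str, passphrase: str) -> Dict[str, str]:
    """Seeds for easy-to-make typing variants of a passphrase. Each one is a
    distinct, empty-looking wallet, which is why passphrase typos lose funds."""
    variants = {
        "exact": passphrase,
        "trailing_space": passphrase + " ",
        "case_swapped": passphrase.swapcase(),
    }
    return {name: bip39_seed(mnemonic, pw).hex() for name, pw in variants.items()}

if __name__ == "__main__":
    # BIP-39 test mnemonic (all-zero entropy); the wallet labels are constructed.
    M = " ".join(["abandon"] * 11 + ["about"])
    for label, seed in decoy_layout(M, {"standard": "", "decoy_A": "A", "real_B": "B"}).items():
        print(f"{label:9s} {seed[:16]}...")
    print({k: v[:16] for k, v in near_miss_variants(M, "Correct Horse").items()})
```

The practical reading: a passphrase is never stored, so the decoy and the real wallet are indistinguishable from the device alone, but by the same token a forgotten or mistyped passphrase cannot be detected or recovered, which is the UX hazard the reply refers to.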