In terms of security, what you propose is significantly better than the “standard” method, i.e., “split your share words into two groups and store separately”.
The weakness of this method is lack of metadata:
there is no checksum on individual shares. that way the chance of a mistake is doubled, and it’s twice as hard to identify it
nothing indicates that the two shares go together (and in what manner). If you are storing multiple seeds, and mix up your shares, you will literally need to try every share with every other share in order to find your wallet.
that makes it difficult to make a generic user manual for such scheme. Even if this scheme was clearly supported and documented by Trezor, it’s going to be difficult to guide beginners through it – e.g., if you die suddenly and don’t leave instructions specific to your situation, Trezor couldn’t help your relatives too much beyond “look for some cards with words on them and try to combine them in some manner”.
The reason SLIP39 was created is to rectify the above:
every share has a strong checksum, so you can tell that you got it wrong,
all shares that belong together start with the same three words, making identification significantly easier,
every share encodes how many other shares you need,
making it easy to create good user experience and guide the users about their next steps.
With collision i mean that you get a number that is so near to the end of the number space, so that the possible options get reduced. (This could be mitigated with properly implemented secret sharing and is only relevant for my simplistic example)
Thank you
If the Trezor would perform the generation process and then let the user check it, this problem could be mitigated.
If the Trezor ask the user to make a test recovery it can make sure that the backup is correct. Independent of the backup methode used, i think every one should to at least one test recovery to make sure if the backup is correct.
If someone has more then one seed, he can write something like “seed 1”, “wallet 1” or something else that identifies them together on his backup cards.
This is a generell problem.
My solution for this would be:
One share is on multiple physical locations that my loved ones know.
The other share is in my Bitwarden account with emergency access enabled to give it to my loved ones if I am unable to access Bitwarden for some reason.
I think SLIP39 is great and a very good improvement for storing seeds, especially compared to just have one copy of a BIP39 seed on some piece of paper.
Here are some examples when BIP39 secret sharing would be needed:
Someone already has a BIP39 wallet and don’t want to move all his funds to the new SLIP39 wallet.
Someone wants to dice his seed by himself, which I think is not possible with SLIP39 ?
Someone wants the full security of a 23 words BIP39 seed (checksum not included) which leads to 1.44e+76 (1.44 × 10^76) combinations compared to 1.11e+43 combinations that you get out of 13 random words (checksums not included). I know that 1.11e+43 is extremely secure, but one maybe wants to get every extra possible in consideration of for things like quantum computers.
I fully understand if you think this isn’t good for newbies. But it would be very cool when this is an advanced options in the settings, for advanced users.
Could be put together with other advanced things like alternative displaying formats for balances (like mBTC, Finney and E numbers)
My point of view - if you take 13 of 20 words cutting-off unnecessary bits, then it is still wrong. Simply if you take relevant-only bits further, it is 128 vs. 256 bit, i.e. your last correction is still wrong
And you are not comparing same thing. To be equally right:
BIP39 12-words should be compared to SLIP39 20-words.
BIP39 24-words should be compared to SLIP39 33-words.
Personally, I would not re-create the wheel. Trezor Company already took the hard part to come up with such great improvement. It probably took some year to have word-wide reviews of such proposal. Can i compete with all the clever people around the world to come up with something better? Nope.
Simply if you are happy, stay with Single BIP39 or move forward and do something to level-up your backup resiliency with greatly improved SLIP39.
I fail to see, why to bother, when this work and proven implementation was already done in SLIP39. Probably there is a way to take your existing BIP39 seed, learn Shamir’s secret sharing (on wikipedia you find sample python code), create your own mapped world list, add checksum of your choice etc. So if you bring all m-of-n shares back together you will get original BIP39 seed, which you can enter for wallet recovery.
But can you do all these things in 15min like in case of already implemented SLIP39? Sure, if you have time and want to learn something in math and improve programing skill, then OK, go ahead
Your last correction is 2^130, but should strip off two more bits, i.e. should be 2^128.
You need to use trezorctl, but you are leaving recommended path here and you will “face issues” if you decide to buy something like Trezor Keep Metal etc.
Probably yes, if you still don’t mind the time use dice and reconstruct the surrounding words. SLIP39 is well documented. I had this on my mind (without dice, i believe in Trezor TrueRNG), because initially i wanted to increase iteration exponent just for fun and did not find the right option for changing iteration exponent by trezorctl (probably not implemented yet).
Would be cool if Trezor makes a simple option for BIP39 secret sharing.
But I understand if other things have higher priority.
Thank you
It looks like the entropy can arbitrary be selected? Are also thing like 25 word etc possible?
I am just curious.
How to enter the random words and make Trezor generate the checksums around it?
Or should I dice the seed, put it into an offline machine and then do this with python so that I get a valid SLIP39 seed in return and then be able to put it into a Trezor?
Hopefully not. If SLIP39 is superb and improved design addressing shortcomings of BIP39, then BIP39 should die You need to improve things and move forward, not to keep zombies alive Sure such change will take years and to speed things up, Trezor offers bonus for other vendors, who implement it.
Sure such change will take years and to speed things up, Trezor offers bonus for other vendors, who implement it.