tylerchambers.net

Secure 2 of 3 mnemonic splitting via OTP.

BitcoinBIP-39Crypto

⚠️ WARNING ⚠️

Splitting your mnemonic into multiple shares may provide additional physical security, but I do not recommend it for the average bitcoin user.

You are significantly more likely to botch your share setup, lose a share, etc. and lose access to ALL OF YOUR FUNDS than you are to see any benefit.


Let's say you have a 24 word BIP-39 mnemonic that can be used to derive the private keys to a bitcoin wallet containing your life savings.

You want to store the mnemonic in a distributed manner, splitting it into n shares, such that m of n shares need to be possessed to recreate the 24 words and derive the private key. For the sake of simplicity, let's say you want a 2 of 3 scheme.

When this comes up online, there are two methods that are commonly mentioned to accomplish this.

One way is to break your 24 word mnemonic phrase into three parts, and store them in physically different places. Like so:

Share 1 Share 2 Share 3
Words 1-8 Words 9-16 Words 1-8
Words 9-16 Words 17-24 Words 17-24

This works! You have 3 shares, and you need 2 of them to get the full 24 words. BUT- someone inevitably comes along in another comment and points out that this is a bad idea.

Using big words like "information-theoretic security" and "bits of entropy" they inform the reader that an attacker in possession of one share would only have to guess 8 words. What's worse, if the words are stored with their number, and the attacker realizes they have the 24th word of a standard mnemonic, they have a checksum to check their work against for the missing words.

Instead of simply splitting up the word list, they should be using something like Sharmir's Secret Sharing (SSS).

They point out an SSS utility is included in Tails OS, so they could boot up an offline machine, input their mnemonic, write down the shares, and hand them out. Or they could download Ian Coleman's SSS tool and use that offline for a more user friendly experience.

One method that is almost never mentioned, is a simple OTP. This has the benefit of being Information-theoretic secure, easy to describe in a will or similar, and can be computed with pencil and paper, entirely offline.

It's not scalable for a large number of shares like SSS, but for 2 of 3 it works very well.

Here's how it works.

Given our mnemonic phrase (S), we're going to generate a random secret (A) and compute an additional key value (B), such that A + B = S. Where + is element wise addition mod 2048.

Get a copy of the BIP-39 wordlist from github. Here is a printer friendly version.

Get a mnemonic phrase. For this example, we're going to be using the 3 word phrase. S = wink crawl gossip.

Note the index of each of your mnemonic's words in the list:
wink = 2014
crawl = 405
gossip = 807

Next, generate the random "key" phrase (A) the same length as your mnemonic. You can use something like Ian Coleman's BIP-39 mnemonic generator, BIP-39 Diceware, etc. Anything that uses the standard BIP-39 wordlist with good entropy will work.

For our example, I have generated A = rocket boat cup.

rocket = 1499
boat = 198
cup = 429

To calculate the second key (B), we will go word by word, subtracting the index mod 2048 of A from S.

  1. (wink - rocket) mod 2048 = B1
    (2014 - 1499) % 2048 = 515
    515 = document

  2. (crawl - boat) mod 2048 = B2
    (405 - 198) % 2048 = 207
    207 = boring

  3. (gossip - cup) mod 2048 = B3
    (807 - 429) % 2048 = 378
    378 = consider

So key B is document boring consider.

Let's see if we can use A and B to compute S. To do that, we just work backwards: S = A + B

  1. (rocket + document) mod 2048 = S1
    (1499 + 515) % 2048 = 2014
    2014 = wink

  2. (boat + boring) mod 2048 = S2
    (198 + 207) % 2048 = 405
    405 = crawl

  3. (cup + consider) mod 2048 = S3
    (429 + 378) % 2048 = 807
    807 = gossip

Great! It works! So given our two shares:

Share 1 Share 2
rocket document
boat boring
cup consider

We can compute our mnemonic: wink crawl gossip, making this a 2 of 2 split. Even better- someone in possession of Share 1 or Share 2 does not gain any additional information about our mnemonic phrase.

Now we can store Share 1 and Share 2 in geographically separate secure locations, and gain significant security for our mnemonic.

For a 2 of 3 setup, we would repeat the process 3x, each time generating a new random key (A). This will give us 3 random keys (A1, A2, A3) from which we will derive 3 keys (B1, B2, B3) such that:

A1 + B1 = S
A2 + B2 = S
A3 + B3 = S

When dividing the keys, do so like this:

Location 1 Location 2 Location 3
A1 A3 B2
A2 B1 B3

This ensures that none of the individual locations have enough information to computer your mnemonic (S), but any 2 together would.