JWWeatherman / how_to_store_bitcoin

A step by step guide to storing bitcoin

Be sure that brute forcing the other 1/3 costs much more than $50k #2

Closed weissjeffm closed 6 years ago

weissjeffm commented 6 years ago

If an attacker gets one share, they then have 16/24 words. I believe the overall entropy is 128 bits, if so, that leaves only 42 bits left to be brute forced. That's 4.3e12 combinations, which is definitely feasible, it's only a matter of cost. Mainly it depends on the key derivation function, and how expensive it is.

If you can show that it does indeed cost much more than $50k, then I think this advice is sound. (It has to cost much more than 50k because by next year bitcoin could be worth a lot more, and we want this storage to be definitely good for more than a few months).

If not, the next easiest thing is Shamir's Secret Sharing Scheme, which has lots of easily accessible implementations. The strength is that the shares split by SSSS contain no information at all, until you reach the threshold number of shares. In other words, if the secret is 128 bits, having one share means the attacker still has to brute force all of them. The only weakness there is that all the seed data is present in one place during creation.

To avoid that, multisig should be used. Electrum is a very accessible way to use that. However, to get the main benefit of multisig over SSSS, you would need to generate the different seeds on different machines. Most people don't really have that handy. This may not be worth it for the amounts you're talking about here.
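The property weissjeffm describes for Shamir's scheme (one share below the threshold reveals nothing) can be checked directly. The following is an added example, not code from the thread or from the how_to_store_bitcoin guide: a minimal 2-of-3 Shamir split over the Curve25519 prime field (2**255 - 19, chosen only because it is a well-known prime larger than a 128-bit secret), with a helper `second_share_for` that, given a single share and any candidate secret, produces a second share making that candidate the "true" secret. Because every candidate is consistent with the one share, the share carries no information to brute-force against. The 128-bit secret value is constructed inline and is hypothetical.

```python
"""2-of-3 Shamir secret sharing demo (added example, not from the thread)."""
import secrets

# Field prime: 2**255 - 19.  Any prime larger than the secret works; this one
# comfortably holds a 128-bit BIP39 entropy value as an integer.
P = 2**255 - 19


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, threshold, n_shares):
    """Return n_shares points (x, y) on a random polynomial of degree
    threshold-1 whose constant term is the secret."""
    if not (0 <= secret < P and 1 <= threshold <= n_shares):
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied (x, y) shares.
    With fewer than `threshold` shares this returns a value, but that value
    is unrelated to the real secret (see second_share_for)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # pow(den, P-2, P) is the modular inverse of den (Fermat).
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def second_share_for(share, candidate_secret, other_x=2):
    """Given ONE share of a 2-of-n split and any candidate secret, construct
    the second share that would make that candidate the recovered secret.
    This always succeeds: a single share is consistent with every secret."""
    x1, y1 = share
    if other_x == x1:
        raise ValueError("other_x must differ from the held share's x")
    # Line through (0, candidate) and (x1, y1): slope = (y1 - candidate) / x1
    slope = (y1 - candidate_secret) * pow(x1, P - 2, P) % P
    return (other_x, (candidate_secret + slope * other_x) % P)


def demo():
    """Split a constructed 128-bit secret 2-of-3 and show both properties."""
    secret = 0x0123456789ABCDEF0123456789ABCDEF  # constructed, hypothetical
    shares = split_secret(secret, threshold=2, n_shares=3)
    # Any two shares recover the secret ...
    from_12 = recover_secret(shares[:2])
    from_13 = recover_secret([shares[0], shares[2]])
    from_23 = recover_secret(shares[1:])
    # ... but one share plus a forged partner yields whatever we choose.
    wrong = (secret + 1) % P
    forged = recover_secret([shares[0], second_share_for(shares[0], wrong)])
    return from_12 == from_13 == from_23 == secret and forged == wrong


if __name__ == "__main__":
    print("2-of-3 recovery OK and single share uninformative:", demo())
```

Contrast this with handing out 16 of 24 seed words: the held words pin down most of the entropy, and only the missing words remain to be searched, whereas here the attacker holding one share has nothing to narrow down.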

JWWeatherman commented 6 years ago

you are not publishing this online. you are securing it in a safe location. the suggested solutions introduce too much complexity to be worth the benefits to security offered, but that is a judgement call.

weissjeffm commented 6 years ago

> you are not publishing this online

That wasn't my assumption.

I'm assuming brute forcing 42 bits is cost effective (which I don't know)

I think this scheme is security by obscurity, which can still be effective. What's preventing people from stealing your money is not knowing how to brute force the other 42 bits. If you want to rely on that and the biggest loss is $50k, I suppose that's acceptable.

Just know that you ARE partially relying on that. If you have a share at a bank, one at home, and one with a friend, just know that if ANY of the following turn on you, they've got your bitcoin: Bank employee, your maid, your friend. They do not need a second share.

I believe your users will think the above scenario is not possible, but you haven't shown that.

JWWeatherman commented 6 years ago

Sure, it is a risk to be balanced with many other risks such as the risk of making a mistake in the procedure.

I'm using my judgment to make a recommendation to "most people." If there was an easy way to reduce the risk further I would take advantage of it, but there is not.