BenWestgate
commented
2 years ago This solves a threat model where you want recovery to absolutely require a third party or an international flight.
Example 1: 2 shares; local, international, threshold 2 4 sub-shares in country of residence, threshold 2 4 sub-shares abroad, threshold 2
Were it 4 of 8, the secret can be recovered without the flight. While 5-6 of 8 are easier to lose.
Example 2:
3 shares; personal, heir; executors, threshold 2 5 personal sub-shares, threshold 3 5 heir sub-shares, threshold 3 5 executor sub-shares, threshold 3
Were it 6 of 15, one betraying executor could collude with heir to inherit early or 5 betraying executors could steal one share from you or your heir to recover. This requires stealing 3. Raising threshold to 8 of 15 would be easier to lose; any of the 3 groups could then only lose 2 shares Total and recover rather than lose 2 Each and recover.
Trezor finally has developed SSS support (though it lacks some of the expansion and strong verification features we have -- their design where they use interpolation as part of their polynomial generation also looks a little strange). They've also implemented an interesting mode called "super shamir" where after creating key shards for your bitcoin key, you then further split the shards into sub-shards.
I suspect this was done in order to work around their 16-share limitation by making reconstruction more performant. But the interesting aspect of this feature is it allows you to create segregated groups of shard holders that may completely betray you and still would not gain any information.
However I'm not entirely convinced that this is solving a real threat model -- if you can confidently segregate
Npeople intoAgroup of sizeB, where you will never have inter-group betrayals above the threshold you could create the same amount of shares but use aB*2or higher threshold (the bound is probably lower depending on the thresholds of each group but this is the worst case).