At the height of the 2017 bull run, I came across a sobering post. It went something like this: there was a young man who acquired about 20 bitcoin early on. As the price went from $1,000 to almost $20,000 over the course of 2017, he felt rich beyond his wildest dreams and decided to travel a bit. At one point he was in Mexico in a nice hotel and partied by a rooftop pool. Things got out of hand, then he fell down to the street below and died. The author of this particular post was a friend of the man’s family and wanted to find out if there was any way to access the bitcoin. However, the young man used a passphrase-protected Trezor and hadn’t written the passphrase down anywhere. The bitcoin was thus lost along with the man’s life.
Bitcoin is a bearer instrument, meaning that it’s not sufficient for your survivors to be aware of your stack - they have to be able to access the keys. On the other hand, you don’t necessarily want your family having access to your bitcoin while you’re still alive. So there needs to be some sort of backup plan allowing for access management. Shamir backup allows precisely for this use case.
But before we get to the details of how Shamir backup works, let’s have a brief recap of what seed backups are.
In the humble beginnings of Bitcoin, it was a challenge to do backups properly. Before the invention of deterministic wallets, all the individual private keys had to be backed up, which could be hundreds of keys. Unsurprisingly, many bitcoin were lost due to this clunky backup process. In 2012, Pieter Wuille came up with the clever invention of Hierarchical Deterministic Wallets (HD wallets, standardized by BIP32) that made backups much easier - users now had to secure only one master seed, from which the individual private keys were then generated. A year later, BIP39 standardized the mnemonic seed - a group of words in particular order that fulfill the role of HD wallet backup. With mnemonic seed, backups became much easier, as there is little room for error when writing down ordinary words, as compared to writing down a random string of letters and numbers.
So nowadays you don’t actually back up your private key as such, but rather the recovery seed — usually in the form of 12 or 24 words in particular order. You may lose your phone or break your hardware wallet, but you will still be able to access your bitcoin if you have the recovery seed safely stored away.
Storing the recovery seed safely is the tricky part. We have to protect the seed from the following two risks:
- theft - the recovery seed has to be protected against misuse by strangers;
- loss - your bitcoin wealth shouldn’t depend on a single copy of the recovery seed, so that in case of an accident (flood, fire, etc.) you don’t lose your bitcoin.
While the risk of theft calls for as few copies as possible — preferably just one at your home — the risk of loss calls for the opposite. Having just one copy of your recovery seed is literally playing with fire. So you need to have several copies in a multitude of physical locations - but you need to be sure these won’t be misused even if found by a stranger. A plain recovery seed based on a single word list cannot meet this criteria.
Shamir's secret sharing (SSS) is a cryptographic technique formulated in 1979 by the Israeli cryptographer Adi Shamir. The essence of Shamir’s scheme lies in the ability to back up, share and recover a secret through breaking up the secret into multiple shares that are individually useless and leak no information about the secret or the scheme setup.
There are two important parameters relevant to SSS: shares, or how many parts of the secret there are; and threshold, or how many shares we need to combine to recover the secret.
For example, a “3 out of 5 Shamir backup” means that the user created five shares when setting up the scheme and the threshold requirement to access the original secret is three shares. It doesn’t matter which three shares are used to recover the secret.
This means that Alice can back up her seed for example in the following way (assuming the 3 out of 5 Shamir backup):
- two shares at her home
- one share at a close friend’s house
- one share at her mom’s house
- one share in the bank safe deposit box
Of course the individual shares are in an analog form - written by hand on paper or stamped into a sheet of metal (using Cryptosteel, Cryptotag, or other similar solutions). Alice is well aware that she should never write down the shares on an internet-connected computer or keep a digital copy.
With this arrangement in place, Alice doesn’t have to worry about losing access to her bitcoin even if her house burns down, because she can regain access to it by collecting the remaining shares from her friend, her mother and the safe deposit box. She also doesn’t need to worry about theft because no single location meets the necessary threshold to access the coins.
Shamir’s secret sharing is thus a perfect solution to the theft/loss conundrum, as the isolated shares are useless by themselves, and Alice can even lose some of the shares without losing access to her bitcoin.
The original Shamir scheme has been around since 1979, but was only properly standardized for use in seed backups in late 2017. The standard is called SLIP-0039 : Shamir's Secret-Sharing for Mnemonic Codes and is fully open for anyone to study, share and implement in their products.
Inheritance Planning Using Shamir Backup
The same qualities that make Shamir backup powerful for everyday security also make it suitable for inheritance planning. When Alice has her recovery shares distributed as outlined above, the only thing she needs to do to ensure succession is to write down clear guidance for her survivors.
Now this may sound easy, but writing down the inheritance guide should be done with proper care. Here are the crucial dos and don'ts:
- don’t just tell your loved one about the Shamir scheme, write it down; if you only told someone, they would probably forget the details (or in the worst case scenario, the individual can die along with you in some accident);
- write the guide using pen and paper; never type it on your computer, never keep a digital copy;
- explain what Shamir backup is in the first place, and why the recovery should be carried out with utmost care (e.g. the shares should never be typed into a website, never sent to strangers “trying to help” over the internet);
- describe the total amount of shares, the threshold, and instructions for uncovering the locations of the shares;
- store the inheritance guide in a secure, controlled site that can be accessed by your loved ones in case of your death; your home safe may work the best, though the appropriate site depends on individual circumstances;
- do not make the bitcoin inheritance guide part of your last will - this may put the survivors in danger, as the last will is a publicly accessible document in some jurisdictions;
- update the inheritance guide should something change (e.g. the location of the shares);
And of course, if you have some bitcoin on hot wallets, exchange accounts or other services, you should inform your survivors about these too. Ideally, every single satoshi should be accessible by your loved ones in case something happens to you.
But perhaps the most important piece of advice is to put yourself in the shoes of a nocoiner. Because if your whole family isn’t sufficiently orange-pilled, chances are they will make fatal mistakes if they’re confused. So try to be as clear as possible about what you’ve left behind and how to access it safely, without falling prey to scammers, phishing attempts and so on. Consider recommending a trusted bitcoiner friend to help your family out. Be very careful with whom you recommend, but also know that if you don’t recommend anyone to your family, they may reach out to strangers on the internet. And even if your friend won’t prove himself as trustworthy as you thought, your family will have legal recourse against a known person, which wouldn’t be the case if they were scammed by a stranger.
Shamir Or Multisig?
Not everyone is a fan of Shamir backups. Some time ago, Jameson Lopp (Casa) wrote an analysis of the supposed Shamir shortcomings and recommended multisig optionsinstead. Lopp’s analysis is fair and should be addressed here.
First of all, it’s true the previous attempts at Shamir’s scheme for use in seed backups were sloppy, as Lopp pointed out. It’s a different matter with SLIP39, though. The standard was written in late 2017, but implemented in the Trezor wallet only in the summer of 2019. No vulnerability has been found in the two years before the first real-world implementation, neither in the two years following. And there is none, as the math behind the SLIP39 is simply correct. If it wasn’t, a vulnerability would have been found years ago.
Furthermore, Shamir backups and multisigs solve a slightly different use case. Shamir backups solve the problem of protecting the recovery seed. Multisigs offer enhanced security when transacting. The two can actually be combined: you can have a multisig scheme, where the recovery seed of each individual wallet is protected via Shamir backups.
Both multisig and Shamir backups rely on the physical remoteness of the elements (signing parties or Shamir shares) for their security. Setting up and using both plans is thus time consuming.
For Shamir, this isn’t such a problem, as you usually need to deal with your seed only when setting up your wallet and later on when performing a recovery (which can be years down the road).
For multisig schemes, users are faced with a practical coordination problem, as you depend on active, ongoing participation of physically remote parties whenever you need to sign transactions — which can be several times a month if not more often. While this is doable for formal organizations like hedge funds or corporations, it’s quite unworkable for individuals — unless they pay a third party who offers such service as their business.
The coordination problem can be mitigated by choosing a multisig setup where users hold the necessary threshold (e.g. 2-of-5) in their own home. Such a setup is more practical than the one where all the keys are physically distributed, but eliminates one of the advantages of multisigs - the inability to transact under duress. But to be fair, Shamir by itself also doesn’t protect against physical attack scenarios such as home intrusion, if the user has her Trezor set up and immediately available.
Multisigs still have many pitfalls when it comes to transaction verification and backing up the whole setup. These will hopefully be resolved with widely accepted industry standards in the future, but until that happens, they aren’t really usable for ordinary, non-technical hodlers. Shamir backups are usable and practical today.
Shamir backups are effective at preventing both theft and loss. They are also a smart way to pass bitcoin on for inheritance. In addition to creating the Shamir backup itself, inheritance planning requires clear written instructions for survivors. Shamir can be used in a multisig or on its own and is a practical solution to increase the level of security without the need for multiple wallets.
This is a guest post by Josef Tětek. Opinions expressed are entirely their own and do not necessarily reflect those of BTC, Inc. or Bitcoin Magazine.