Introduction

A recovery seed is a list of words in a specific order which store all the information needed to access all your cryptocurrencies, tokens, and digital identities associated with it.

When you create a new wallet, the Trezor will generate a fresh recovery seed and ask you to write it down on paper. That way if you ever lose your Trezor or if it becomes corrupted, you can recover your wallet using the paper backup.

However, anybody else who discovers your recovery seed can steal your cryptoassets, so your paper backup must be kept safe in the same way as physical valuables.

As a user you are facing two types of risk with your recovery seed:

1. The risk that it will be destroyed or lost and you will not be able to recover your wallet.

2. The risk that it will be stolen and your cryptoassets along with it.

If you are worried about loss or destruction, then you can simply make several copies and keep them in different places, e.g. one at home and one in a safe deposit box or with someone you fully trust. However, the more copies you make, the greater the risk of theft.

If you are more worried about theft than about destruction, then you can split your 12 word recovery seed in two halves and store the first 6 words separately from the last 6 words.

However, the more fragments you break your recovery seed into, the greater the risk that one of them will be destroyed and you won’t be able to reassemble the recovery seed.

Furthermore, if someone does steal, say, the first 6 words of your recovery seed, then given enough time and a fairly large amount of computing power they will be able to reveal the remaining words of your recovery seed by brute-force search.

As you can see, neither solution is able to address both risks at the same time. In fact each of these solutions only reduces one risk at the expense of increasing the other risk.

The solution we need is called a threshold secret sharing scheme.

This is a method of distributing a secret amongst a group of N participants, each of whom is allocated a share of the secret. The secret can be reconstructed only when a predetermined number of shares are combined together. The minimum number of shares required is called the threshold T. The secret sharing scheme is then referred to as a T-of-N scheme.

The advantage of using threshold secret sharing is that it allows us to find a middle ground between the two extreme solutions of either copying or fragmenting the recovery seed, and thus it allows us to balance the risk of loss and the risk of destruction.

As a rule of thumb, by increasing the threshold, we reduce the risk of loss by theft but increase the risk of loss by destruction. On the other hand, by increasing the number of shares we reduce the risk of loss by destruction but increase the risk of loss by theft. To balance between the two risks, it is best to use a 2-of-3 scheme or a 3-of-5 scheme.

Poor man’s threshold secret sharing

Say you would like to split your seed using a 2-of-3 scheme, so that you will have three shares stored in different places and if any one of them is destroyed, the remaining two can be used to recover your seed. Take for example the following BIP-0039 recovery seed:

robust pipe raise illness symptom crowd trip will slow assault recipe oven

You could split this recovery seed into three shares which might look like this:

There are four words missing in each share, but when any two shares are combined, you can always fill in the gaps. Now consider if a thief were to steal one of these shares, they would have to try and guess the missing words.

If your wallet is not protected by a passphrase, then on average the thief would need to search about half a trillion wallets. Of course that is not feasible by hand, but if the search is automated on a computer, it becomes an easy task.

Not to worry, for in 1979 the famous cryptographer Adi Shamir came up with a provably secure method of sharing secrets.

Shamir’s secret sharing to the rescue

What makes Shamir’s secret sharing scheme so great is that the knowledge of fewer than the required number of shares does not leak any information about the shared secret whatsoever.

This means that if you split your master seed using a 2-of-3 Shamir secret sharing scheme and a thief were to steal one of these shares, then they would be no better off with the one share than they were with zero shares (even in terms of brute-force attacks).

The mathematics behind this is based on polynomials. When creating the shares, a polynomial f of degree T−1 is constructed, such that f(0) is the shared secret. Each shareholder is given the evaluation f(x) for some positive integer index x, i.e. each shareholder knows one point (x, f(x)) lying on the graph of the polynomial.

When any T of these points are provided, they exactly define the polynomial and the value f(0) can then be computed. On the other hand, if only T−1 points are known, then the value f(0) could be anything. Thus T−1 shares give no information about the shared secret.

Standardization

Until now the wide adoption of Shamir’s secret sharing scheme has been hampered by an absolute lack of standardization. There are some tools available on the internet which implement Shamir’s Secret Sharing, but none of them is widely supported and they are mutually incompatible. The lack of standardization presents a risk of being unable to perform recovery in the future should the tooling change.

This is why SatoshiLabs, the makers of the Trezor hardware wallet, drove the effort to create a replacement for BIP-0039 which will support Shamir’s Secret Sharing. The new standard is called SLIP-0039 and it is free to be implemented by anyone, in the hopes that all future implementations of Shamir’s Secret Sharing will be interoperable.

What do the new shares look like?

A Shamir recovery share looks a lot like an ordinary recovery seed, just a list of words in a specific order. At first glance you will notice that Shamir recovery shares are longer than BIP-0039 recovery seeds. For 128-bit security each recovery share is 20 words in length, and for 256-bit security each is 33 words in length.

In comparison, recovery seeds are only 12 or 24 words respectively. The main reason for this is that Shamir recovery shares need to carry extra metadata and they also have a stronger checksum.

Believe it or not, entering a 20 word Shamir recovery share on your Trezor takes approximately the same amount of time as entering a 12 word recovery seed. This is because it uses a brand new set of words, which has been carefully crafted to ensure speedy entry on the Trezor Model T.

The new set of words consists of 1023 common English words and the word “satoshi”. Care has been taken to minimize the similarity between any two words both in terms of spelling and in terms of pronunciation in case the recovery share needs to be communicated verbally, e.g. read over the phone.

When you create a set of recovery shares you will notice that the first two or three words are always the same in each share. This helps you see that the shares belong together. It is useful in preventing shares from different sets from getting mixed up, e.g. in case you have some shares of your own and some shares that your friends gave you to hold for them.

The last three words of a recovery share serve as a checksum to make sure that the share was copied correctly. The checksum uses a Reed-Solomon code which can detect if you make a mistake in the recovery share, and it will not allow you to use the share until all errors are corrected. If you make an error in exactly one word of a recovery share, then the code makes it possible to locate which word it is.

Passphrase

Just like with BIP-0039 recovery seeds you can (and should) add extra protection to your master seed by using a secret passphrase which only you remember. Although the SLIP-0039 specification uses various checksums to ensure that you copied and combined your shares correctly, there is no way to verify that you used the correct passphrase.

At first glance this might appear like a flaw in the specification, but in fact it is an important and intentional feature which allows you to obtain different wallets from your recovery shares by using different passphrases. Thus you can use one passphrase to access your real wallet and another passphrase to access a decoy wallet.

If someone later coerces you into revealing your passphrase either by law or by force, then you can reveal the passphrase which accesses the decoy wallet and plausibly deny the existence of your real wallet, because there is no way for the coercer to prove that the decoy wallet is not the real one.

How can I start using Shamir Backup?

Shamir Backup is available to all owners of Trezor Model T.

You can find a step-by-step guide to creating a new wallet using Shamir Backup on our Wiki.

You might want to migrate your current wallet to a new one backed up with Shamir Backup, which is also possible, and follows the same steps as moving your funds to a wallet made with a freshly generated recovery seed.

What’s next?

One characteristic of Shamir’s secret sharing scheme is that all shares are equal. Thus if you need to distribute the amount of trust unevenly between shareholders, then some shareholders need to be given multiple shares.

Furthermore, you might want to restrict the combinations of shareholders which are able to reconstruct the secret, because some combinations of shareholders might be more likely to collude against you than others.

To facilitate this, SLIP-0039 allows adding one more level of complexity. You can first split your seed using Shamir’s Secret Sharing to create a set of first-level shares. Then you can split each of the first-level shares again using Shamir’s Secret Sharing to create the actual shares that will get distributed.

For example, say you want to be able to reconstruct your seed using 2 shares, which you will store at different locations. However, if one or both of these shares get destroyed, you also want to have a backup with your friends and family in such a way that 3 of your 5 friends together with 2 of your 6 family members are required in order to reconstruct your seed.

The additional level of complexity can easily accommodate such requirements. What happens is you first split your seed using a 2-of-4 scheme to obtain the first-level shares A, B, C, and D. You keep A and B for yourself and split C further using a 3-of-5 scheme to obtain five shares which you give out to your friends.

Similarly, you split D among your family members using a 2-of-6 scheme. Thus family members receive a greater amount of trust than friends, without having to give one person multiple shares. However, even if all six family members collude against you, they cannot obtain your seed without the help of at least three of your friends or without stealing one of your own shares.

Trezor now supports this feature in firmware version 2.1.8!