If hardware wallets have one Achilles’ heel, recovery seeds may be it. But Trezor’s SatoshiLabs has figured out a solution.
Hardware wallets are generally considered to be among the most secure ways to store bitcoin. The private keys used to sign transactions never leave the device, so they are never exposed to the internet and cannot be stolen remotely. Even with physical access to the device, extracting the keys is no straightforward job, if it is possible at all. (This appears to be an ongoing cat-and-mouse game between security researchers and hardware wallet manufacturers.)
But even if we assume that they are secure, hardware wallets can still break, get lost, get stolen or become otherwise unusable. For these cases, users should keep a backup seed: a list of typically 12 or 24 words written down on a piece of paper, from which all of the device's private keys can be re-derived.
But what if the backup seed itself gets lost or — worse — stolen?
A New Way to Split Backup Seeds
A chain is only as strong as its weakest link, and a hardware wallet is only as secure as its backup seed. If the piece of paper is stolen, the thief can claim all the coins on the hardware wallet — without any advanced technical skills. If the backup seed is lost, it is, of course, of no help when the hardware wallet is also lost, stolen or destroyed — and the coins would be inaccessible forever.
After more than a year of development, Prague-based SatoshiLabs, the company behind the Trezor hardware wallet, has now introduced Shamir Backups. Based on Shamir’s Secret Sharing, a cryptographic algorithm created by well-known cryptographer Adi Shamir (the “S” in RSA, one of the first public key cryptosystems), Shamir Backups let users “split up” their backup seeds into several word lists or “shares.” The wallet’s private keys can then be recovered by combining some predetermined subset of the shares. SatoshiLabs’ Shamir Backups allow for the creation of up to 16 shares (and individual shares can be even further divided into sub-shares).
As a practical example, you could set up a two-out-of-three backup. In that case, you would generate three different word lists, and you would need any two of the three to restore your private keys. This way, you could, for example, distribute the three lists over three different locations, minimizing the risk that two of them are lost (say, in a fire) or stolen.
If an attacker manages to steal only one of the three shares, it is of no use to them at all: a single share below the threshold is consistent with every possible seed, so it reveals nothing, not even partially. (Contrast this with cutting a normal backup seed into pieces and storing them separately, where stealing some of the pieces leaves the attacker only the remaining words to guess or brute-force.) Meanwhile, if only one of the three shares is lost, the remaining two can still be used to restore the wallet.
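To make the threshold arithmetic in the three paragraphs above concrete, here is an added illustration of Shamir's scheme over GF(2^8), written for this article and not taken from SatoshiLabs' code. It is not SLIP-0039 itself (which adds its own share encoding, wordlist, per-share checksums and a digest of the secret) but the same underlying mathematics: each byte of a secret is hidden as the constant term of a random polynomial, each share is that polynomial evaluated at a distinct non-zero point, and any threshold-sized subset interpolates the constant term back. The function names, the 2-of-3 and 3-of-5 parameters and the sample secret are the editor's assumptions.

```python
import secrets

# GF(2^8) arithmetic with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1
# (0x11b). Each byte of the secret is shared independently, so a secret of any
# length (e.g. the 16 or 32 bytes of entropy behind a 12- or 24-word seed) works.

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (0..255)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse via a^254 == a^-1 in GF(2^8)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at the point x."""
    y = 0
    for c in reversed(coeffs):
        y = gf_mul(y, x) ^ c
    return y


def split_secret(secret: bytes, threshold: int, share_count: int) -> list[tuple[int, bytes]]:
    """Return share_count (index, share_bytes) pairs; any `threshold` of them recover `secret`."""
    if not 1 <= threshold <= share_count <= 255:
        raise ValueError("need 1 <= threshold <= share_count <= 255")
    buffers = {i: bytearray() for i in range(1, share_count + 1)}  # x = 0 is reserved for the secret
    for byte in secret:
        # Fresh random polynomial of degree threshold-1 whose constant term is this secret byte.
        coeffs = [byte] + list(secrets.token_bytes(threshold - 1))
        for x, buf in buffers.items():
            buf.append(_eval_poly(coeffs, x))
    return [(x, bytes(buf)) for x, buf in buffers.items()]


def combine_shares(shares: list[tuple[int, bytes]]) -> bytes:
    """Lagrange-interpolate each byte position at x = 0 to recover the secret.

    Caveat: raw Shamir cannot tell that too few shares were supplied; with fewer
    than `threshold` shares this returns random-looking garbage, not an error.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    if any(len(s) != length for _, s in shares):
        raise ValueError("shares have different lengths")
    # The Lagrange basis values at 0 depend only on the x's, not on the byte position.
    basis = []
    for i, xi in enumerate(xs):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if i != j:
                num = gf_mul(num, xj)        # (0 - xj) == xj in characteristic 2
                den = gf_mul(den, xi ^ xj)   # (xi - xj) == xi ^ xj
        basis.append(gf_mul(num, gf_inv(den)))
    out = bytearray()
    for pos in range(length):
        acc = 0
        for (_, s), l in zip(shares, basis):
            acc ^= gf_mul(s[pos], l)
        out.append(acc)
    return bytes(out)


def consistent_secrets(x: int, share_byte: int) -> set[int]:
    """For a 2-of-n scheme, every secret byte s has exactly one coefficient c with
    s ^ c*x == share_byte, so one share on its own is consistent with all 256 values."""
    return {share_byte ^ gf_mul(c, x) for c in range(256)}


if __name__ == "__main__":
    master_secret = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit example
    shares = split_secret(master_secret, threshold=2, share_count=3)
    assert combine_shares(shares[:2]) == master_secret                # shares 1 and 2
    assert combine_shares([shares[0], shares[2]]) == master_secret    # shares 1 and 3
    assert combine_shares(shares[1:]) == master_secret                # shares 2 and 3
    # One share alone narrows nothing down: every byte value is still possible.
    print(len(consistent_secrets(shares[0][0], shares[0][1][0])))  # 256
```

The `consistent_secrets` check is the information-theoretic point the article makes: a sub-threshold share leaves the full 256 candidates per byte, unlike a torn-up word list that removes whole words from the search space. The caveat in `combine_shares` is why a production format such as SLIP-0039 wraps the raw scheme in checksums and a digest: without them, recovering from a mismatched or insufficient set of shares silently produces a wrong seed rather than an error.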
Shamir Backups are available for SatoshiLabs' Trezor Model T, the company's latest hardware wallet. Users who already have a Trezor Model T can opt to migrate to a Shamir Backup using SatoshiLabs' migration guide; new users can follow the regular setup guide. Because the scheme is published as an open standard (SatoshiLabs Improvement Proposal 0039, or SLIP-0039), other wallet providers could opt to follow in SatoshiLabs' footsteps and offer Shamir Backups down the road as well.