Splitting your 12 or 24 words bitcoin Mnemonic to multiple fault tolerant Shares consisting BIP39 words.

GhostOfSatoshi/BitcoinSeedSplitter

BitcoinSeedSplitter

Splits your 12- or 24-word mnemonic into multiple equal, fault-tolerant split-mnemonics (Shares) using Shamir secret sharing. This differs from SLIP39: here the seed words themselves are safeguarded, not the derived master secret. The problem with SLIP39 is that there is no way to get back from the derived master seed to the original BIP39 seed words, so it is not possible (or at least not easy) to use it with the popular wallets that expect a BIP39 mnemonic.

Explanation of the problem and solution:
We are talking about equal shares here. When you split your seed manually you end up with pieces, and it matters which one you lose, because the pieces are NOT equal. They are not shares but simply fragments of the original seed (which also makes brute force theoretically possible today or in the future). Example of an easy but sub-optimal manual split of a 12-word seed arranged as four blocks of 3 words, 1-2-3-4, into three pieces:
1-2
2-3
3-4
Lose the first or the last piece and one block of the seed is gone for good.
Adding a fourth piece is better:
1-4
Now you can lose any ONE piece, but the right two pieces (for example 1-2 and 3-4) are enough to reconstruct the whole seed, exactly as before. Any single piece already reveals 6 of the 12 words, which may become feasible to brute force in the future, and the right two overlapping pieces (1-2 and 2-3) reveal nine words. Guessing the remaining three words (2048^3, about 8.6 billion candidates, further reduced by the BIP39 checksum) is easy TODAY.
With Shares you can use a 3-of-4 scheme, where you can lose ANY 1 share but 3 are needed to reconstruct the seed. Any two shares (one fewer than the threshold) give zero information about the seed, so brute force is impossible. You can go much higher, for example 6 of 10, which gives very high fault tolerance with a low risk of an unwanted seed rebuild: even knowing 5 of the 10 shares does not make brute force possible.
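The fault-tolerance and zero-information claims above can be checked directly. The following is an added example written for this page, not the project's C# code: a minimal Shamir split over GF(2^8), byte by byte, applied to the 11-bit word indices of a mnemonic. The twelve indices are constructed placeholders (no BIP39 wordlist is embedded here), the 3-of-5 parameters follow the README's own example, and consistent_first_bytes shows that two shares of a 3-of-5 split leave all 256 values of a secret byte possible while three shares pin it to exactly one.

```python
"""Shamir secret sharing over GF(2^8) on a mnemonic's 11-bit word indices. Added example."""
import itertools
import secrets

# Constructed stand-in for a 12-word mnemonic: twelve arbitrary 11-bit word
# indices (the BIP39 wordlist itself is not embedded here).
EXAMPLE_INDICES = [17, 2047, 1024, 3, 999, 1500, 256, 42, 1800, 777, 1, 1234]

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES polynomial)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a):
    """Multiplicative inverse in GF(2^8) by search; a must be non-zero."""
    for x in range(1, 256):
        if gf_mul(a, x) == 1:
            return x
    raise ZeroDivisionError("0 has no inverse")

def interpolate_at(points, x):
    """Evaluate at x the unique polynomial of degree < len(points) through the
    (x_i, y_i) points (Lagrange form; subtraction is XOR in GF(2^8))."""
    result = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)
                den = gf_mul(den, xi ^ xj)
        result ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return result

def indices_to_bytes(indices):
    """Pack 11-bit word indices into bytes, zero-padded to a whole byte."""
    s = "".join(format(i, "011b") for i in indices)
    s += "0" * (-len(s) % 8)
    return int(s, 2).to_bytes(len(s) // 8, "big")

def bytes_to_indices(data, count):
    s = "".join(format(b, "08b") for b in data)
    return [int(s[i * 11:(i + 1) * 11], 2) for i in range(count)]

def split_secret(secret, n, t):
    """n shares, threshold t: per byte, a random degree t-1 polynomial whose
    constant term is the secret byte, evaluated at x = 1..n."""
    if not 1 <= t <= n <= 255:
        raise ValueError("need 1 <= t <= n <= 255")
    shares = {x: bytearray() for x in range(1, n + 1)}
    for b in secret:
        coeffs = [b] + [secrets.randbelow(256) for _ in range(t - 1)]
        for x in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            shares[x].append(y)
    return [(x, bytes(buf)) for x, buf in shares.items()]

def combine(shares):
    """Interpolate at x = 0. Fewer than t shares still yield output (a lower-
    degree fit), so the caller must enforce the threshold itself."""
    return bytes(interpolate_at([(x, y[i]) for x, y in shares], 0)
                 for i in range(len(shares[0][1])))

def consistent_first_bytes(shares, t):
    """Values of the first secret byte for which some polynomial of degree
    <= t-1 passes through (0, value) and every given share point."""
    ok = set()
    for c in range(256):
        pts = [(0, c)] + [(x, y[0]) for x, y in shares]
        base = pts[:t]  # t points pin the polynomial; any others must agree
        if all(interpolate_at(base, x) == y for x, y in pts[t:]):
            ok.add(c)
    return ok

def recovers_from_every_subset(shares, t, secret):
    return all(combine(list(s)) == secret
               for s in itertools.combinations(shares, t))

def demo(n=5, t=3):
    secret = indices_to_bytes(EXAMPLE_INDICES)
    shares = split_secret(secret, n, t)
    return {
        "any_t_shares_recover": recovers_from_every_subset(shares, t, secret),
        "t_minus_1_shares_recover": combine(shares[:t - 1]) == secret,
        "candidates_given_t_minus_1": len(consistent_first_bytes(shares[:t - 1], t)),
        "candidates_given_t": len(consistent_first_bytes(shares[:t], t)),
        "round_trip": bytes_to_indices(combine(shares[-t:]), len(EXAMPLE_INDICES)) == EXAMPLE_INDICES,
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() reports that every 3-of-5 subset recovers the secret, that 2 shares do not, and that with 2 shares all 256 candidates for a secret byte remain possible. Note that combine() raises no error when given too few shares, which is exactly why the tool stores the threshold in each share and has to check it before merging.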


How to use to split
Download the zip and unzip it to a folder (or build the Visual Studio 2019 C# solution from source).
Run BIP39Splitter.exe (the .NET 5 desktop SDK must be installed).
You will see two tabs, Split and Merge.
Enter or paste your seed into the yellow box. When the seed is complete the box locks.
Set the share count and threshold (how many shares in total and how many are needed to restore).
Set the OPTIONAL password, which must be provided at restore time in addition to the threshold number of shares.
Seconds (default 30): how long to keep searching for shorter outputs (the longer you set it, the shorter the shares get, up to a point; an hour or so is the practical limit).
Click "Do Split".
The shares appear below; write them down or copy them to the clipboard.
You can also select a subset of the shares to test and see the rebuilt result below.
*Each run produces different shares because of the RNG used in Shamir's scheme.
*Lost shares cannot be rebuilt (you can only rebuild the original seed, and only once enough shares are present).

How to use to merge
Go to the Merge tab.
Fill in the password (if one was used).
Type the share words into the green field.
Recognized words are added to the blue field, and a complete share is automatically added to the list.
Once enough shares have been provided the seed is displayed at the bottom (otherwise progress or error messages are shown).

How this implementation works:
You type in your 12- or 24-word BIP39 seed/mnemonic (be careful about which device you do this on!!!).
Select how many splits you want (2-15) and how many will be needed to restore the original seed (1-14).
Select an OPTIONAL password (this is NOT your BIP39 passphrase; it encrypts the seed itself before splitting).

Example:
You have a 12-word seed that you want to store safely in 5 places with fault tolerance: any 3 of the 5 shares (plus the optional password) are enough to rebuild the original seed.
Original Mnemonic:
venture whale soap pave enjoy bid skull journey exotic soon phone proof
Output Shares:
1. stage middle dune innocent acid chimney clog focus metal nut flat tissue era female advice senior
2. stage era draw run glue brass cruel token produce sort wide tragic real tray wagon exit
3. stage slush economy focus oak vote box cruel license belt slow shoot sock session elder panda
4. stage clump donor major grape glad network quote sort above mad rule left verify such gate
5. stage proof earth genre music middle river guess topic swim rebel outer adult spend harvest rapid

Advantages:
You can lose ANY 2 of the 5 and still restore the original seed.
No single share holder (nor any two of them together) learns anything about the seed or has any chance to restore it, so the split does not weaken the seed.

Windows release available: https://github.com/GhostOfSatoshi/BitcoinSeedSplitter/releases

Be careful NOT to set the fault tolerance too low. For example, 9 of 10 works, but if you have only 8 of the shares you cannot restore any part of your seed. You have lost it all!

Multiple independent implementations and a Linux executable would be a nice addition.

Implementation details:
Start with the bits of the original seed (all 12 or 24 words x 11 bits).
If a password is present: hash the ASCII password with SHA-256, iterated 100K times, and XOR the seed bits with the result.
Do the Shamir secret sharing.
Translate every Share into a ShareMnemonic using the BIP39 wordlist.

Share build-up:
11 bits: SplitID (to check that you are using matching shares when reconstructing)
4 bits: ShareID (ID of the current share)
4 bits: Threshold (how many shares are needed to reconstruct; a Shamir merge happily combines any number of shares, but below the threshold the result is junk, so this has to be checked before merging)
8 bits: Length of data
X bits: Data
4-11 bits: checksum, as in the original BIP39 mnemonic (the length depends on how many bits are needed to round out to full bytes)
Note that the header fields (SplitID, ShareID, Threshold, Length) are stored in the clear; only the Data field is protected by the secret sharing. The password step as described is iterated SHA-256 with no salt and is not memory-hard, so a weak password can be brute-forced offline by anyone who holds a threshold number of shares: treat it as an extra factor, not as a substitute for guarding the shares, and remember that losing the password loses the seed just as surely as losing too many shares.
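Added example of the share layout just listed (not the project's code): it packs the header fields and data into a bit string, appends a BIP39-style checksum, groups the result into 11-bit word indices (a wordlist lookup would turn those into words), parses them back, and performs the SplitID/Threshold/ShareID check that a merge needs because Shamir itself combines any shares without complaint. Two details are assumptions rather than page facts: the checksum is the first bits of SHA-256 over the payload, with enough bits to fill whole 11-bit words and at least 4 of them, and the Length field counts bytes. The payloads are dummy bytes, not real Shamir shares.

```python
"""Bit layout of one share, packed into 11-bit word indices. Added example."""
import hashlib

SPLIT_ID_BITS, SHARE_ID_BITS, THRESHOLD_BITS, LENGTH_BITS = 11, 4, 4, 8
HEADER_BITS = SPLIT_ID_BITS + SHARE_ID_BITS + THRESHOLD_BITS + LENGTH_BITS  # 27

def bits(value, width):
    return format(value, "0{}b".format(width))

def checksum_length(payload_bits):
    """ASSUMPTION: enough checksum bits to round the share out to whole 11-bit
    words, and at least 4 of them (the README only gives a 4-11 bit range)."""
    k = (-payload_bits) % 11
    return k + 11 if k < 4 else k

def checksum(payload, k):
    """ASSUMPTION: first k bits of SHA-256 over the zero-padded payload, BIP39 style."""
    padded = payload + "0" * (-len(payload) % 8)
    digest = hashlib.sha256(int(padded, 2).to_bytes(len(padded) // 8, "big")).digest()
    return "".join(bits(b, 8) for b in digest)[:k]

def build_share(split_id, share_id, threshold, data):
    """Return one share as a list of 11-bit word indices."""
    if not (0 <= split_id < 2048 and 1 <= share_id < 16
            and 1 <= threshold < 16 and len(data) < 256):
        raise ValueError("field out of range")
    payload = (bits(split_id, SPLIT_ID_BITS) + bits(share_id, SHARE_ID_BITS)
               + bits(threshold, THRESHOLD_BITS) + bits(len(data), LENGTH_BITS)
               + "".join(bits(b, 8) for b in data))
    share = payload + checksum(payload, checksum_length(len(payload)))
    return [int(share[i:i + 11], 2) for i in range(0, len(share), 11)]

def parse_share(words):
    """Decode word indices back into fields; raise ValueError on a damaged share."""
    s = "".join(bits(w, 11) for w in words)
    if len(s) < HEADER_BITS:
        raise ValueError("share too short for a header")
    split_id, share_id = int(s[0:11], 2), int(s[11:15], 2)
    threshold, length = int(s[15:19], 2), int(s[19:27], 2)
    end = HEADER_BITS + 8 * length
    k = checksum_length(end)
    if end + k != len(s):
        raise ValueError("length field does not match share size")
    if s[end:end + k] != checksum(s[:end], k):
        raise ValueError("checksum mismatch: a word is wrong or the share was altered")
    data = bytes(int(s[HEADER_BITS + 8 * i:HEADER_BITS + 8 * i + 8], 2)
                 for i in range(length))
    return {"split_id": split_id, "share_id": share_id,
            "threshold": threshold, "data": data}

def is_valid_share(words):
    try:
        parse_share(words)
        return True
    except ValueError:
        return False

def merge_check(shares):
    """What a merge must verify before handing data to Shamir: same SplitID, same
    Threshold, distinct ShareIDs, and at least Threshold shares. Returns (ok, reason)."""
    parsed = [parse_share(w) for w in shares]
    if len({p["split_id"] for p in parsed}) != 1:
        return False, "shares come from different splits"
    if len({p["threshold"] for p in parsed}) != 1:
        return False, "threshold fields disagree"
    if len({p["share_id"] for p in parsed}) != len(parsed):
        return False, "duplicate share"
    need = parsed[0]["threshold"]
    if len(parsed) < need:
        return False, "have {} shares, need {}".format(len(parsed), need)
    return True, "ready to merge"

# Constructed example: five shares of one split with threshold 3, each carrying a
# dummy 17-byte payload (a 12-word seed is 132 bits, padded to 17 bytes).
EXAMPLE_SHARES = [build_share(1234, i, 3, bytes([i] * 17)) for i in range(1, 6)]
```

With a 17-byte payload the header and data come to 163 bits, so under the assumed rule 13 checksum bits are appended and each share is 16 word indices, the same share length as the README's 12-word example. A flipped bit anywhere, in the header or in the data, is caught by parse_share before any merge is attempted; merge_check then refuses mixed splits, duplicates, and too few shares, the cases where a raw Shamir merge would silently return junk.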


Safety considerations (for sums you would worry about)
Only use this on an air-gapped computer (i.e. no network AT ALL).
This software does not save, cache, send or store anything, but the OS it runs on can (!).
Use a clean install with as few devices connected as possible (screen, keyboard, mouse, all wired). Write down the Shares MANUALLY (do not print; printers have memory/caches). Wipe or destroy the disk afterwards.
