Why Keystone implements Shamir backup


Author: Keystone

Source: https://blog.keyst.one/why-keystone-implemented-shamir-backups-71e319f972a6

The original article was published in July 2021.

Keystone has implemented the SLIP39 "Shamir Backup" standard proposed by SatoshiLabs, which is now available on the Keystone hardware signer. This article explains the feature, its advantages and disadvantages, and offers warnings for users who want to try it.

## Consider the Threats Facing Your Seed Phrase

Before looking at how to use Shamir Backup, let's take a step back and look at the types of threats a seed phrase backup might face, and which threats you should pay special attention to before deciding whether to use Shamir Backup (a private key splitting scheme).

Basically, three factors threaten the security of your seed phrase backup:

1. Memory loss, if you memorize the seed phrase (a brain wallet also faces this threat)
2. The physical backup being stolen or robbed
3. The physical backup being damaged by accidents or disasters (such as fire and flood). This takes many forms, such as the backup being eaten by a dog at home, spilled coffee causing an electronic device to fail, or even a house collapsing in an earthquake.

For the first factor, we strongly recommend not relying on memory as the only way to store your seed phrase, because the brain is not as reliable as you might think. Brain trauma can cause memory loss, aging can cause memory loss, and Alzheimer's can make people forget everything. Memories also fade naturally and become distorted over time.

For the second factor, remember that the attacker might not be a stranger but someone familiar, such as a relative or someone you asked to keep your seed phrase. You must therefore consider the other party's integrity before entrusting your seed phrase to them.

For the third factor, a very common solution is to make multiple copies of the seed phrase and store them in different places to avoid a single point of failure. But remember, copying itself increases the risk from the second factor.
This article calculates the related probabilities with some simple math. To achieve a better solution than simple copying, we introduce Shamir Backup.

## What is "Shamir Backup"?

"Shamir Backup" allows you to split a seed phrase into several fragments and to specify how many of those fragments are needed to restore the complete seed phrase. The lower and upper limits for both the number of fragments and the threshold are 2 and 16: at minimum, you can split a seed phrase into 2 fragments and require both of them to restore it; at maximum, you can split it into 16 fragments and require all 16 to restore it.

Shamir Backup is more complex to use than a multisig wallet: when a wallet needs to be restored, the remaining complete keys of a multisig wallet can sign immediately, while Shamir Backup requires a separate import step to restore the seed phrase before signing. From a security perspective, however, it is equally good, or even better: if you split into 5 parts with a threshold of 3, you can still restore the wallet from the remaining 3 fragments even if you lose 2 fragments.

Shamir Backup looks similar to a multisig wallet, but instead of specifying the required number of signatures, you specify the number of backups (fragments) needed to restore a wallet. This makes it easier to distribute wallet backups using the Shamir private key splitting scheme.

## Disadvantages of Shamir Backup

Just as no system is impenetrable and no solution is 100% secure, there is no perfect solution for storing seed phrases. Shamir Backup also has its drawbacks. Understanding them will help you make a better decision on whether to use this scheme to protect your seed phrase.

### Limited Wallet Support

Keystone's Shamir Backup feature is an implementation of the SLIP39 standard proposed by SatoshiLabs. As of the writing of this article, only Keystone and Trezor hardware signers support such an implementation.
This brings the first drawback: if your Keystone or Trezor device is damaged, you can't restore the seed phrase with other signers; you can only buy a new Keystone or Trezor signer. Users who want to stop using Keystone and Trezor software wallets and switch to other software wallets face the same problem: other software wallets do not yet support Shamir Backup. The widely adopted standard currently is the BIP39 seed phrase backup. (Translator's note: The important desktop software wallet Sparrow Wallet will start supporting the SLIP39 standard in its v2.0.0 version released in September 2024.)

### Complexity is the Enemy of Security

There's an old saying: complexity is the enemy of security. Here, complexity is a relative concept that varies from person to person. As hardware signer developers, our responsibility is to create a user-friendly experience and reduce the complexity of getting started. But if you can't understand how it works, it's best not to use it, and to stick to the standard recovery method you're familiar with.

## Advice for Users First Trying Shamir Backup

The following is basic advice for users who want to use Shamir Backup.

### Practice Makes Perfect

As mentioned earlier, although Keystone and Trezor have created a very smooth experience for setting up and restoring Shamir Backup, it still has some complexity. So it is strongly recommended that you practice using a Shamir Backup wallet before transferring a large amount of BTC to it.

Keystone's bitcoin-only firmware also supports the Bitcoin testnet, so you can practice using the testnet without using real BTC.

### Perform Regular Health Checks

As mentioned earlier, the threats to a seed phrase backup include (1) destruction in a disaster and (2) theft. Although Shamir backups achieve a much better balance between the two than simple copying, you still need to perform regular security checks.
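
The balance between the two threats can be put into numbers under a simple model. This added example (not from the original article) assumes every storage location is independently lost with probability `P_LOSS` and compromised with probability `P_THEFT`; both values are constructed for illustration, and plain copies are treated as a 1-of-N scheme.

```python
from math import comb

def tail(n, k, p):
    """P(at least k of n independent events occur), each with probability p."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))

def backup_risk(threshold, count, p_loss, p_theft):
    """Return (P(owner cannot recover), P(attacker can recover)) for a
    threshold-of-count scheme. Plain copies are the case threshold == 1."""
    # The owner fails when fewer than `threshold` pieces survive,
    # i.e. when at least count - threshold + 1 pieces are lost.
    unrecoverable = tail(count, count - threshold + 1, p_loss)
    # The attacker succeeds on obtaining at least `threshold` pieces.
    stolen = tail(count, threshold, p_theft)
    return unrecoverable, stolen

# Constructed per-location probabilities, for illustration only.
P_LOSS, P_THEFT = 0.05, 0.02
SCHEMES = {"single copy": (1, 1), "3 plain copies": (1, 3), "Shamir 3-of-5": (3, 5)}

def compare():
    """Map each scheme name to its (unrecoverable, stolen) probabilities."""
    return {name: backup_risk(t, n, P_LOSS, P_THEFT) for name, (t, n) in SCHEMES.items()}

if __name__ == "__main__":
    for name, (lost, stolen) in compare().items():
        print(f"{name:15s} unrecoverable={lost:.6f} attacker-recovers={stolen:.6f}")
```

Under these assumed numbers, three plain copies cut the chance of loss but nearly triple the chance of theft compared with a single copy, while the 3-of-5 split lowers both.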

### Metal is Better Than Paper

When backing up your seed phrase, it's best to choose a sturdier medium. In the face of floods, fires, or even humid environments, metal backups are always better than paper backups.

Keystone's metal backup board, Keystone Tablet, is designed with a hole where you can put a padlock. If you choose a good padlock, it can bring additional security. Compared to paper backups, tampering is easier to identify on metal backups.

### Carefully Select Trustworthy People

When you want to entrust some Shamir backup fragments to others, you need to select the custodians carefully. Usually, the best choices are family members or legal representatives who are bound by law and obligated to act as custodians. (This is not financial or legal advice; please consult legal professionals before hiring legal custodians for Shamir backups.)

When sharing backups with family, ensure they understand that the object is very important and should be kept like their own secret to prevent loss or accidental damage. Legal custodians might store it in their office safe, or you could try placing one in a bank safety deposit box.

Also, note that people entrusted with Shamir backup fragments should not know who the other custodians are; otherwise they could collude and steal your money. Either do not reveal the identities of the custodians, or limit the number of fragments each of them receives.

### Consider Inheritance

When planning to use Shamir backups, it's always wise to let your heirs know how to use them, where you store the fragments, and who you've arranged to manage the fragments. This way, when an accident occurs, you can be confident that your heirs know how to access the funds in an emergency.

## Conclusion

At Keystone, we always prioritize security and continuously provide better custody solutions. Our mission is to offer advanced security solutions when technology is available and help our users protect their wealth on the internet.

We also sincerely thank SatoshiLabs for their contribution to the industry and appreciate their competitive spirit of establishing common standards, so that peers can also use such standards to protect every user's funds.

(End)
