By Josef Tětek — Acceptance of one’s own mortality is a sign of maturity. So is the recognition of the critical importance of securing one’s bitcoin legacy for posterity.
At the height of the 2017 bull run, I came across a sobering post. It went something like this: there was a young man who acquired about 20 bitcoin early on. As the price went from $1,000 to almost $20,000 over the course of 2017, he felt rich beyond his wildest dreams and decided to travel a bit.
At one point he was in Mexico in a nice hotel and partied by a rooftop pool. Things got out of hand, he fell down to the street below and died. The author of this particular post was a friend of the man’s family and wanted to find out if there was any way to access the bitcoin. However, the young man used a passphrase-protected Trezor and hadn’t written the passphrase down anywhere. The bitcoin was thus lost along with the man’s life.
Bitcoin is a bearer instrument, meaning that it’s not sufficient for your survivors to be aware of your stack — they have to be able to access the keys. On the other hand, you don’t necessarily want your family having access to your bitcoin while you’re still alive. So there needs to be some sort of backup scheme allowing for access management. Shamir backup allows precisely for this use case.
But before we get to the details of how Shamir backup works, let’s have a brief recap of what seed backups are.
Seed backups and why they matter
In the humble beginnings of Bitcoin, it was a challenge to create backups properly. Before the invention of deterministic wallets, all the individual private keys had to be backed up, which could be hundreds of keys.
Unsurprisingly, many bitcoins were lost due to this clunky backup process. In 2012, Pieter Wuille came up with the clever invention of Hierarchical Deterministic Wallets (HD wallets, standardized by BIP32) that made backups much easier — users now had to secure only one master seed, from which the individual private keys were then generated.
A year later, BIP39 standardized the mnemonic seed — a group of words in a particular order that fulfill the role of HD wallet backup. With the mnemonic seed, backups became much easier, as there is little room for error when writing down ordinary words, as compared to writing down a random string of letters and numbers.
So nowadays you don’t actually back up your private key as such, but rather the recovery seed — usually in the form of 12 or 24 words in a particular order. You may lose your phone or brick your hardware wallet, but you will still be able to access your bitcoin if you have the recovery seed safely stored away.
Storing the recovery seed safely is the tricky part. We have to protect the seed from the following two risks:
theft — the recovery seed has to be protected against misuse by strangers;
loss — your bitcoin wealth shouldn’t depend on a single copy of the recovery seed, so that in case of an accident (flood, fire etc.) you won’t lose your bitcoin.
While the risk of theft calls for as few copies as possible (preferably just one at your home), the risk of loss calls for the opposite. Having just one copy of your recovery seed is literally playing with fire. So you need to have several copies in a multitude of physical locations — but you need to be sure these won’t be misused even if found by a stranger. A plain recovery seed based on a single word list cannot meet both of these criteria at once: every copy is a complete key.
Enter Shamir backup
Shamir’s secret sharing (SSS) is a cryptographic technique formulated in 1979 by the Israeli cryptographer Adi Shamir. The essence of Shamir’s scheme lies in the ability to back up, share and recover a secret through breaking up the secret into multiple shares that are individually useless and leak no information about the secret or the scheme setup.
There are two important parameters relevant to SSS: shares, or how many parts of the secret there are; and threshold, or how many shares we need to combine to recover the secret.
For example, a “3 out of 5 Shamir backup” means that the user created five shares when setting up the scheme and the threshold requirement to access the original secret is three shares. It doesn’t matter which three shares are used to recover the secret, and any two shares reveal nothing about it.
This means that Alice can back up her seed in the following way, for example, assuming a 3 out of 5 Shamir backup:
two shares at her home;
one share at a close friend’s house;
one share at her mom’s house;
one share in the bank safe deposit box.
Of course the individual shares are in analog form — written by hand on paper or stamped into a sheet of metal (using Cryptosteel, Cryptotag or other similar solutions). Alice is well aware that she should never write down the shares on an internet-connected computer or keep a digital copy.
With this arrangement in place, Alice doesn’t have to worry about losing access to her bitcoin even if her house burns down, because she can regain access to it by collecting the remaining shares from her friend, her mother and the safe deposit box. She also doesn’t need to worry about theft because no single location holds the necessary threshold of shares to access the coins.
Shamir’s secret sharing is thus a perfect solution to the theft and loss conundrum, as the isolated shares are useless by themselves, and Alice can even lose some of the shares without losing access to her bitcoin.
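To make the threshold property concrete, here is a small secret-sharing implementation, added as an example for this article; it is my own illustration, not Trezor’s firmware or the SLIP-39 reference code. It splits each byte of a seed independently over GF(256), the same field SLIP-39 works in, but leaves out everything SLIP-39 layers on top (mnemonic word encoding, the digest check, group shares). The `alice_scenarios` function replays the 3-of-5 layout described above; the location labels and the sample entropy are constructed for the demonstration.

```python
import secrets

# Arithmetic in GF(256) with the AES polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
# SLIP-39 uses this same field; everything else here is a simplified illustration.

def gf_mul(a: int, b: int) -> int:
    """Multiply two field elements (bytes) modulo the reducing polynomial."""
    product = 0
    while b:
        if b & 1:
            product ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11b
        b >>= 1
    return product

def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because a^255 == 1 for every nonzero a."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(256)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def split_secret(secret: bytes, threshold: int, share_count: int) -> dict:
    """Return {x: share_bytes} for x = 1..share_count.

    Each secret byte becomes the constant term of its own random polynomial of
    degree threshold-1; share x holds that polynomial evaluated at x. The x
    coordinate is part of the share and has to be stored along with it."""
    if not 1 <= threshold <= share_count <= 255:
        raise ValueError("need 1 <= threshold <= share_count <= 255")
    shares = {x: bytearray() for x in range(1, share_count + 1)}
    for byte in secret:
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, share in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner's rule, highest coefficient first
                y = gf_mul(y, x) ^ c
            share.append(y)
    return {x: bytes(share) for x, share in shares.items()}

def combine_shares(shares: dict) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 to recover the constant term.

    Plain Shamir has no built-in integrity check: with fewer than threshold
    shares this returns a uniformly random byte string rather than an error,
    which is exactly why the missing shares leak nothing. (SLIP-39 adds a
    digest so the wallet can reject a wrong or insufficient share set.)"""
    if len({len(s) for s in shares.values()}) != 1:
        raise ValueError("shares must all have the same length")
    xs = list(shares)
    recovered = bytearray()
    for i in range(len(shares[xs[0]])):
        acc = 0
        for xj in xs:
            num = den = 1
            for xm in xs:
                if xm != xj:
                    num = gf_mul(num, xm)       # (0 - x_m) == x_m in characteristic 2
                    den = gf_mul(den, xj ^ xm)  # (x_j - x_m)
            acc ^= gf_mul(shares[xj][i], gf_mul(num, gf_inv(den)))
        recovered.append(acc)
    return bytes(recovered)

# Alice's 3-of-5 layout from the text; the labels are illustrative assumptions.
ALICE_LOCATIONS = {1: "home, copy A", 2: "home, copy B", 3: "friend",
                   4: "mom", 5: "bank safe deposit box"}

def alice_scenarios(seed_entropy: bytes) -> dict:
    """Replay the events from the text and report whether the seed comes back."""
    shares = split_secret(seed_entropy, threshold=3, share_count=5)
    pick = lambda *xs: {x: shares[x] for x in xs}
    return {
        # house fire destroys both home copies; friend + mom + bank still reach threshold
        "after_house_fire": combine_shares(pick(3, 4, 5)) == seed_entropy,
        # a burglar finds both home copies: two shares, below threshold
        "burglar_with_home_copies": combine_shares(pick(1, 2)) == seed_entropy,
        # any three shares work, not one specific set of three
        "any_three_shares": combine_shares(pick(1, 3, 5)) == seed_entropy,
    }

if __name__ == "__main__":
    # constructed sample: 128 bits of entropy, the amount behind a 12-word BIP39 seed
    demo_entropy = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    for scenario, ok in alice_scenarios(demo_entropy).items():
        print(f"{scenario:26s} recovers seed: {ok}")
```

Two practical points fall out of the code. First, a share is useless without its x coordinate, so whatever you stamp into metal must carry the share index as well as the share data (SLIP-39 encodes it in the mnemonic). Second, because a below-threshold combination silently yields garbage, a recovery procedure needs some independent way to confirm the result, such as checking that the restored wallet derives the expected first address; SLIP-39’s digest exists for precisely this reason.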
The original Shamir scheme has been around since 1979, but was only properly standardized for use in seed backups in late 2017. The standard is called SLIP-0039: Shamir’s Secret-Sharing for Mnemonic Codes, and it is fully open for anyone to study, share and implement in their products.
SLIP-39 Shamir backups are implemented in the Trezor Model T and in Unchained Capital’s Hermit wallet, and other vendors have started to adopt the standard as well.
Inheritance planning using Shamir backup
The same qualities that make Shamir backup powerful for everyday security also make it suitable for inheritance planning. When Alice has her recovery shares distributed as outlined above, the only thing she needs to do to ensure succession is to write down clear guidance for her survivors.
Now this may sound easy, but writing down the inheritance guide should be done with proper care. Here are the crucial dos and don’ts:
Don’t just tell your loved one about the Shamir scheme, write it down — if you only told someone, they would probably forget the details (or in the worst case scenario, the individual may die along with you in some accident);
Don’t make the bitcoin inheritance guide part of your last will — this may put the survivors in danger, as the last will is a publicly accessible document in some jurisdictions;
Do write the guide using pen and paper; never type it on your computer, never keep a digital copy;
Do explain what Shamir backup is in the first place, and why the recovery should be carried out with utmost care (e.g. the shares should never be typed into a website, nor sent to strangers “trying to help” over the internet);
Do describe the total amount of shares, the threshold, and instructions for uncovering the locations of the shares;
Do store the inheritance guide in a secure, controlled site that can be accessed by your loved ones in case of your death; your home safe may work the best, though the appropriate site depends on individual circumstances;
Do update the inheritance guide should something change (e.g. the location of the shares);
And of course, if you have some bitcoin on hot wallets, exchange accounts or other services, you should inform your survivors about these too. Ideally, every single satoshi should be accessible by your loved ones in case something happens to you.
But perhaps the most important piece of advice is to put yourself in the shoes of a nocoiner. Because if your whole family isn’t sufficiently orange-pilled, chances are they will make fatal mistakes if they’re confused. So try to be as clear as possible about what you’ve left behind and how to access it safely, without falling prey to scammers, phishing attempts and so on.
Consider recommending a trusted bitcoiner friend to help your family out. Be very careful with whom you recommend, but also know that if you don’t recommend anyone to your family, they may reach out to strangers on the internet. And even if your friend doesn’t prove themselves as trustworthy as you thought, your family will have legal recourse against a known person, which wouldn’t be the case if they were scammed by a stranger.
Shamir or multisig?
Not everyone is a fan of Shamir backups. Some time ago, Jameson Lopp (Casa) wrote an analysis of the supposed Shamir shortcomings and recommended multisig schemes instead. Lopp’s analysis is fair and should be addressed here.
First of all, it’s true the previous attempts at Shamir’s scheme for use in seed backups were sloppy, as Lopp pointed out. It’s a different matter with SLIP-39, though. The standard was written in late 2017, but implemented in the Trezor wallet only in the summer of 2019. The secret-sharing math itself is information-theoretically secure: fewer than the threshold of shares reveal nothing about the seed, no matter how much computing power an attacker has. What can go wrong is the implementation (share encoding, randomness, integrity checks), and here SLIP-39 has had years of open review, from publication through the first real-world deployment and beyond, without a published flaw. That is not a proof, but it is a far stronger position than the ad hoc Shamir schemes Lopp criticized.
Furthermore, Shamir backups and multisigs solve slightly different use cases. Shamir backups solve the problem of protecting the recovery seed. Multisigs offer enhanced security when transacting. The two can actually be combined: you can have a multisig scheme, where the recovery seed of each individual wallet is protected via Shamir backups.
Both multisig and Shamir backups rely on the physical remoteness of the elements (signing parties or Shamir shares) for their security. Setting up and using both schemes is thus time consuming.
For Shamir, this isn’t such a problem, as you usually need to deal with your seed only when setting up your wallet and later on when performing a recovery (which may be years down the road).
For multisig schemes, users are faced with a practical coordination problem, as you depend on active, ongoing participation of physically remote parties whenever you need to sign transactions (which can be several times a month if not more often). While this is doable for formal organizations like hedge funds or corporations, it’s quite unworkable for individuals — unless they pay a third party who offers such service as their business.
Users can of course use multisig by holding all the keys themselves. The problem then lies in the practicality of such a setup: either all the keys are in one place (which does not increase the level of security), or the keys are geographically distributed, making transactions highly impractical.
Multisigs also still have many pitfalls when it comes to transaction verification and backing up the whole setup (a multisig wallet cannot be restored from one seed alone; every cosigner’s public key and the script policy must be backed up too). These will hopefully be resolved with widely accepted industry standards in the future, but until that happens, they aren’t really usable for ordinary, non-technical hodlers. Shamir backups are usable and practical today.
Shamir backups are effective at preventing both theft and loss. They are also a smart way to pass bitcoin on for inheritance. In addition to creating the Shamir backup itself, inheritance planning requires clear written instructions for survivors. Shamir can be used in a multisig or on its own and is a practical solution to increase the level of security without the need for multiple wallets.