At the height of the 2017 bull run, I came across a sobering post. It went something like this: there was a young man who acquired about 20 bitcoin early on. As the price went from $1,000 to almost $20,000 over the course of 2017, he felt rich beyond his wildest dreams and decided to travel a bit. At one point he was in Mexico in a nice hotel and partied by a rooftop pool. Things got out of hand, then he fell down to the street below and died. The author of this particular post was a friend of the man’s family and wanted to find out if there was any way to access the bitcoin. However, the young man used a passphrase-protected Trezor and hadn’t written the passphrase down anywhere. The bitcoin was thus lost along with the man’s life.
Bitcoin is a bearer instrument, meaning that it’s not sufficient for your survivors to be aware of your stack – they have to be able to access the keys. On the other hand, you don’t necessarily want your family having access to your bitcoin while you’re still alive. So there needs to be some sort of backup plan allowing for access management. Shamir backup allows precisely for this use case.
But before we get to the details of how Shamir backup works, let’s have a brief recap of what seed backups are.
In the humble beginnings of Bitcoin, it was a challenge to do backups properly. Before the invention of deterministic wallets, all the individual private keys had to be backed up, which could mean hundreds of keys. Unsurprisingly, many bitcoin were lost due to this clunky backup process. In 2012, Pieter Wuille came up with the clever invention of Hierarchical Deterministic Wallets (HD wallets, standardized by BIP32) that made backups much easier – users now had to secure only one master seed, from which the individual private keys were then generated. A year later, BIP39 standardized the mnemonic seed – a group of words in a particular order that fulfills the role of HD wallet backup. With mnemonic seeds, backups became much easier, as there is little room for error when writing down ordinary words, as compared to writing down a random string of letters and numbers.
So nowadays you don’t actually back up your private key as such, but rather the recovery seed — usually in the form of 12 or 24 words in particular order. You may lose your phone or break your hardware wallet, but you will still be able to access your bitcoin if you have the recovery seed safely stored away.
Storing the recovery seed safely is the tricky part. We have to protect the seed from the following two risks:
- theft – the recovery seed has to be protected against misuse by strangers;
- loss – your bitcoin wealth shouldn’t depend on a single copy of the recovery seed, so that in case of an accident (flood, fire, etc.) you don’t lose your bitcoin.
While the risk of theft calls for as few copies as possible — preferably just one at your home — the risk of loss calls for the opposite. Having just one copy of your recovery seed is literally playing with fire. So you need to have several copies in a multitude of physical locations – but you need to be sure these won’t be misused even if found by a stranger. A plain recovery seed based on a single word list cannot meet these criteria.
Shamir’s secret sharing (SSS) is a cryptographic technique formulated in 1979 by the Israeli cryptographer Adi Shamir. The essence of Shamir’s scheme lies in the ability to back up, share and recover a secret through breaking up the secret into multiple shares that are individually useless and leak no information about the secret or the scheme setup.
There are two important parameters relevant to SSS: shares, or how many parts of the secret there are; and threshold, or how many shares we need to combine to recover the secret.
For example, a “3 out of 5 Shamir backup” means that the user created five shares when setting up the scheme and the threshold requirement to access the original secret is three…
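To make the two parameters concrete, here is an added example (not code from the original post, nor the scheme a hardware wallet actually ships): a textbook implementation of Shamir’s secret sharing over a prime field, splitting a 128-bit secret into the 3-out-of-5 shares described above and showing that three shares recover it while two do not. The prime, the share layout and the `split_secret`/`recover_secret` names are my own choices; a real Shamir backup encodes shares as word lists over a different field.

```python
import secrets

# Textbook Shamir secret sharing over GF(p). The prime p is a Mersenne
# prime larger than any 128-bit secret, so a 16-byte seed maps to one
# field element. Constructed for illustration; not a wallet's share format.
P = (1 << 127) - 1


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Return `shares` points (x, f(x)) on a random polynomial of degree
    threshold-1 whose constant term f(0) is the secret."""
    if not (1 <= threshold <= shares < P) or not (0 <= secret < P):
        raise ValueError("bad parameters")
    # f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1), coefficients random in GF(p)
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is never a share: f(0) IS the secret
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod p
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from any set of distinct shares.
    With fewer than `threshold` shares this still returns a number, but a
    useless one: below the threshold every candidate secret is equally likely."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % P           # product of (0 - x_j)
                den = (den * (xi - xj)) % P     # product of (x_i - x_j)
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def demo() -> tuple[bool, bool]:
    """3-out-of-5 backup: any three shares recover the seed, two do not."""
    secret = int.from_bytes(secrets.token_bytes(16), "big")  # constructed seed
    shares = split_secret(secret, threshold=3, shares=5)
    recovered_with_3 = recover_secret([shares[0], shares[2], shares[4]]) == secret
    recovered_with_2 = recover_secret(shares[:2]) == secret   # False (except with prob. 1/p)
    return recovered_with_3, recovered_with_2
```

Losing any two of the five shares leaves the seed recoverable, while a thief who finds one or two of them learns nothing about it, which is exactly the theft-versus-loss trade-off the section describes.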