{"id":15558,"date":"2021-07-21T22:15:00","date_gmt":"2021-07-21T22:15:00","guid":{"rendered":"http:\/\/ci02889b8190002569"},"modified":"2021-07-21T22:15:00","modified_gmt":"2021-07-21T22:15:00","slug":"protecting-bitcoin-shamir-backup","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/protecting-bitcoin-shamir-backup","title":{"rendered":"Protecting Your HODL Legacy: Shamir Backups And Inheritance Planning"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><p>At the height of the 2017 bull run, I came across a sobering post. It went something like this: there was a young man who acquired about 20 bitcoin early on. As the price went from $1,000 to almost $20,000 over the course of 2017, he felt rich beyond his wildest dreams and decided to travel a bit. At one point he was in Mexico in a nice hotel and partied by a rooftop pool. Things got out of hand, then he fell down to the street below and died. The author of this particular post was a friend of the man\u2019s family and wanted to find out if there was any way to access the bitcoin. However, the young man used a passphrase-protected Trezor and hadn\u2019t written the passphrase down anywhere. The bitcoin was thus lost along with the man\u2019s life.<\/p>\n<p>Bitcoin is a bearer instrument, meaning that it\u2019s not sufficient for your survivors to be aware of your stack &#8211; they have to be able to access the keys. On the other hand, you don\u2019t necessarily want your family having access to your bitcoin while you\u2019re still alive. So there needs to be some sort of backup plan allowing for access management. Shamir backup allows precisely for this use case.<\/p>\n<p>But before we get to the details of how Shamir backup works, let\u2019s have a brief recap of what seed backups are.<\/p>\n<h2>Seed Backup<\/h2>\n<p>In the humble beginnings of Bitcoin, it was a challenge to do backups properly. 
Before the invention of deterministic wallets, all the individual private keys had to be backed up, which could be hundreds of keys. Unsurprisingly, many bitcoin were lost due to this clunky backup process. In 2012, Pieter Wuille came up with the clever invention of Hierarchical Deterministic Wallets (HD wallets, standardized by <a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0032.mediawiki\" target=\"_blank\" rel=\"noopener\">BIP32<\/a>) that made backups much easier &#8211; users now had to secure only one master seed, from which the individual private keys were then generated. A year later, <a href=\"https:\/\/github.com\/bitcoin\/bips\/blob\/master\/bip-0039.mediawiki\" target=\"_blank\" rel=\"noopener\">BIP39<\/a> standardized the mnemonic seed &#8211; a group of words in particular order that fulfill the role of HD wallet backup. With mnemonic seed, backups became much easier, as there is little room for error when writing down ordinary words, as compared to writing down a random string of letters and numbers.<\/p>\n<p>So nowadays you don\u2019t actually back up your private key as such, but rather the recovery seed \u2014 usually in the form of 12 or 24 words in particular order. You may lose your phone or break your hardware wallet, but you will still be able to access your bitcoin if you have the recovery seed safely stored away.<\/p>\n<p>Storing the recovery seed <em>safely <\/em>is the tricky part. We have to protect the seed from the following two risks:<\/p>\n<ul>\n<li>theft &#8211; the recovery seed has to be protected against misuse by strangers; <\/li>\n<li>loss &#8211; your bitcoin wealth shouldn\u2019t depend on a single copy of the recovery seed, so that in case of an accident (flood, fire, etc.) you don\u2019t lose your bitcoin.<\/li>\n<\/ul>\n<p>While the risk of theft calls for as few copies as possible \u2014 preferably just one at your home \u2014 the risk of loss calls for the opposite. 
Having just one copy of your recovery seed is literally playing with fire. So you need to have several copies in a multitude of physical locations &#8211; but you need to be sure these won\u2019t be misused even if found by a stranger. A plain recovery seed based on a single word list cannot meet both of these criteria.<\/p>\n<h2>Enter Shamir<\/h2>\n<p>Shamir&#8217;s secret sharing (SSS) is a cryptographic technique formulated in 1979 by the Israeli cryptographer Adi Shamir. The essence of Shamir\u2019s scheme lies in the ability to back up, share and recover a secret through breaking up the secret into multiple shares that are individually useless and leak no information about the secret or the scheme setup. <\/p>\n<p>There are two important parameters relevant to SSS: shares, or how many parts of the secret there are; and threshold, or how many shares we need to combine to recover the secret. <\/p>\n<p>For example, a \u201c3 out of 5 Shamir backup\u201d means that the user created five shares when setting up the scheme and the threshold requirement to access the original secret is three shares. It doesn\u2019t matter which three shares are used to recover the secret.<\/p>\n<p>This means that Alice can back up her seed, for example, in the following way (assuming the 3 out of 5 Shamir backup):<\/p>\n<ul>\n<li>two shares at her home<\/li>\n<li>one share at a close friend\u2019s house<\/li>\n<li>one share at her mom\u2019s house<\/li>\n<li>one share in the bank safe deposit box<\/li>\n<\/ul>\n<p>Of course the individual shares are in an analog form &#8211; written by hand on paper or stamped into a sheet of metal (using Cryptosteel, Cryptotag, or other similar solutions). 
Alice is well aware that she should never write down the shares on an internet-connected computer or keep a digital copy.<\/p>\n<p>With this arrangement in place, Alice doesn\u2019t have to worry about losing access to her bitcoin even if her house burns down, because she can regain access to it by collecting the remaining shares from her friend, her mother and the safe deposit box. She also doesn\u2019t need to worry about theft because no single location meets the necessary threshold to access the coins.<\/p>\n<p>Shamir\u2019s secret sharing is thus a perfect solution to the theft\/loss conundrum, as the isolated shares are useless by themselves, and Alice can even lose some of the shares without losing access to her bitcoin.<\/p>\n<p>The original Shamir scheme has been around since 1979, but was only properly standardized for use in seed backups in late 2017. The standard is called <a href=\"https:\/\/github.com\/satoshilabs\/slips\/blob\/master\/slip-0039.md\" target=\"_blank\" rel=\"noopener\">SLIP-0039 : Shamir&#8217;s Secret-Sharing for Mnemonic Codes<\/a> and is fully open for anyone to study, share and implement in their products.<\/p>\n<p>Shamir backups based on SLIP-39 are used by <a href=\"https:\/\/trezor.io\/?utm_source=bitcoinmagazine&amp;utm_medium=referral&amp;utm_campaign=2021-06_Shamir_Protecting_Your_HODL_Legacy&amp;utm_content=link\" target=\"_blank\" rel=\"noopener\">Trezor<\/a> (Model T), Unchained Capital\u2019s <a href=\"https:\/\/unchained-capital.com\/blog\/a-hermit-emerges\/\" target=\"_blank\" rel=\"noopener\">Hermit wallet<\/a>, and others have also started to adopt the standard.<\/p>\n<h2>Inheritance Planning Using Shamir Backup<\/h2>\n<p>The same qualities that make Shamir backup powerful for everyday security also make it suitable for inheritance planning. When Alice has her recovery shares distributed as outlined above, the only thing she needs to do to ensure succession is to write down clear guidance for her survivors. 
<\/p>\n<p>Now this may sound easy, but writing down the inheritance guide should be done with proper care. Here are the crucial dos and don&#8217;ts:<\/p>\n<ul>\n<li>don\u2019t just tell your loved one about the Shamir scheme, write it down; if you only told someone, they would probably forget the details (or in the worst case scenario, the individual can die along with you in some accident);<\/li>\n<li>write the guide using pen and paper; never type it on your computer, never keep a digital copy;<\/li>\n<li>explain what Shamir backup is in the first place, and why the recovery should be carried out with utmost care (e.g. the shares should never be typed into a website, never sent to strangers \u201ctrying to help\u201d over the internet);<\/li>\n<li>describe the total amount of shares, the threshold, and instructions for uncovering the locations of the shares;<\/li>\n<li>store the inheritance guide in a secure, controlled site that can be accessed by your loved ones in case of your death; your home safe may work the best, though the appropriate site depends on individual circumstances;<\/li>\n<li>do not make the bitcoin inheritance guide part of your last will &#8211; this may put the survivors in danger, as the last will is a publicly accessible document in some jurisdictions;<\/li>\n<li>update the inheritance guide should something change (e.g. the location of the shares);<\/li>\n<\/ul>\n<p>And of course, if you have some bitcoin on hot wallets, exchange accounts or other services, you should inform your survivors about these too. Ideally, every single satoshi should be accessible by your loved ones in case something happens to you.<\/p>\n<p>But perhaps the most important piece of advice is to put yourself in the shoes of a nocoiner. Because if your whole family isn\u2019t sufficiently orange-pilled, chances are they will make fatal mistakes if they\u2019re confused. 
So try to be as clear as possible about what you\u2019ve left behind and how to access it safely, without falling prey to scammers, phishing attempts and so on. Consider recommending a trusted bitcoiner friend to help your family out. Be very careful about whom you recommend, but also know that if you don\u2019t recommend anyone to your family, they may reach out to strangers on the internet. And even if your friend doesn\u2019t prove as trustworthy as you thought, your family will have legal recourse against a known person, which wouldn\u2019t be the case if they were scammed by a stranger. <\/p>\n<h2>Shamir Or Multisig?<\/h2>\n<p>Not everyone is a fan of Shamir backups. Some time ago, Jameson Lopp (Casa) wrote an analysis of the supposed <a href=\"https:\/\/blog.keys.casa\/shamirs-secret-sharing-security-shortcomings\/\" target=\"_blank\" rel=\"noopener\">Shamir shortcomings<\/a> and recommended multisig options instead. Lopp\u2019s analysis is fair and should be addressed here. <\/p>\n<p>First of all, it\u2019s true the previous attempts at Shamir\u2019s scheme for use in seed backups were sloppy, as Lopp pointed out. It\u2019s a different matter with SLIP39, though. The standard was written in late 2017, but implemented in the Trezor wallet only in the summer of 2019. No vulnerability has been found in the two years before the first real-world implementation, nor in the two years following. And there is none, as the math behind SLIP39 is simply correct. If it wasn\u2019t, a vulnerability would have been found years ago.<\/p>\n<p>Furthermore, Shamir backups and multisigs solve slightly different use cases. Shamir backups solve the problem of protecting the recovery seed. Multisigs offer enhanced security when transacting. The two can actually be combined: you can have a multisig scheme where the recovery seed of each individual wallet is protected via Shamir backups. 
<\/p>\n<p>Both multisig and Shamir backups rely on the physical remoteness of the elements (signing parties or Shamir shares) for their security. Setting up and using both plans is thus time consuming. <\/p>\n<p>For Shamir, this isn\u2019t such a problem, as you usually need to deal with your seed only when setting up your wallet and later on when performing a recovery (which can be years down the road). <\/p>\n<p>For multisig schemes, users are faced with a practical coordination problem, as you depend on active, ongoing participation of physically remote parties whenever you need to sign transactions \u2014 which can be several times a month if not more often. While this is doable for formal organizations like hedge funds or corporations, it\u2019s quite unworkable for individuals \u2014 unless they pay a third party who offers such service as their business. <\/p>\n<p>The coordination problem can be mitigated by choosing a multisig setup where users hold the necessary threshold (e.g. 2-of-5) in their own home. Such a setup is more practical than the one where all the keys are physically distributed, but eliminates one of the advantages of multisigs &#8211; the inability to transact under duress. But to be fair, Shamir by itself also doesn\u2019t protect against physical attack scenarios such as home intrusion, if the user has her Trezor set up and immediately available. <\/p>\n<p>Multisigs still have <a href=\"https:\/\/medium.com\/shiftcrypto\/the-pitfalls-of-multisig-when-using-hardware-wallets-9b0e98e4c19c\" target=\"_blank\" rel=\"noopener\">many<\/a> <a href=\"https:\/\/medium.com\/shiftcrypto\/how-nearly-all-hardware-wallet-multisig-setups-are-insecure-be2991ad179e\" target=\"_blank\" rel=\"noopener\">pitfalls<\/a> when it comes to transaction verification and backing up the whole setup. 
These will hopefully be resolved with widely accepted industry standards in the future, but until that happens, they aren\u2019t really usable for ordinary, non-technical hodlers. Shamir backups are usable and practical today.<\/p>\n<p>&#8212;<\/p>\n<p>Shamir backups are effective at preventing both theft and loss. They are also a smart way to pass bitcoin on for inheritance. In addition to creating the Shamir backup itself, inheritance planning requires clear written instructions for survivors. Shamir can be used in a multisig or on its own and is a practical solution to increase the level of security without the need for multiple wallets.<\/p>\n<p><em>This is a guest post by Josef T\u011btek. Opinions expressed are entirely their own and do not necessarily reflect those of BTC, Inc. or <\/em>Bitcoin Magazine<em>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Awareness of one&#8217;s own mortality is a sign of maturity, as is the recognition of the critical importance of securing one\u2019s bitcoin.<\/p>\n","protected":false},"author":2569,"featured_media":8375,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[2950,329,833,895,330,1358],"class_list":{"0":"post-15558","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-adi-shamir","9":"tag-cryptography","10":"tag-inheritance","11":"tag-private-keys","12":"tag-security","13":"tag-shamir-backups"},"author_data":{"id":2569,"name":"Josef 
T\u011btek","nicename":"josef-tetek","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2025\/01\/josef-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/blockchain.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/15558","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2569"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=15558"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/15558\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/8375"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=15558"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=15558"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=15558"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}