A year ago, Trezor has once again brought open-source innovation in the hardware wallet industry by creating a user-friendly adaptation of the Shamir’s Secret Sharing cryptographic algorithm for their Model T devices.
This secret sharing scheme was first described by Israeli cryptographer Adi Shamir in his 1979 research paper “How to Share a Secret” and has been under development by Satoshi Labs since December 2017, under codename SLIP 0039. But it took almost two more years until the “Shamir Backup” became publicly available under an intuitive interface.
To this day, it’s a unique feature (and major selling point) of the Trezor Model T – yet the system’s lack of adoption among hardware wallet manufacturers also translates in lower popularity. While all of today’s wallets use BIP 39 to generate deterministic seed phrases, the Shamir Backup still finds itself in a rather obscure niche.
What is the Shamir Backup?
In very simple terms, the Shamir Backup is the middle ground between a basic 12 or 24-word seed phrase and a more complex multisig setup. With the Trezor Model T, you can create up to 16 parts of 20 or 33 words each.
For example, you can create a 2 of 3 Shamir Backup which allows you to keep a share in your apartment, while taking the other ones at your friend’s house and your parents’ apartment. If you’re afraid that somebody might rob you and extort your coins, you make sure that there won’t be any means to unlock the coins in your house, and it takes extra effort to go to somebody else’s place and convince them to give their share (or steal it from them).
Trezor’s design also creates shares whose first 3 words are identical – this will help you to differentiate between setups and rebuild your private key with less effort.
These Shamir secret parts divide your private key and add complexity to the ways in which your bitcoins can be spent. Used in conjunction with a passphrase and a PIN, your security is going to receive a significant boost.
Shamir Backup vs Multisig
Unlike a multisig, the holders of these Shamir shares can’t make remote transactions: all parts derived from a Shamir backup must be registered on the same Trezor Model T. Therefore, all parties must meet in the same room or else send pictures of their 20 or 33 words (which is unrecommended due to the security risks it poses).
Therefore, multisigs are still better for organizations, companies, and setups in which partners need to hold a key which grants them power to access the funds. On the other hand, Shamir Backups are individualistic and centred around the needs of only one individual who splits his private key.
For example, Johnny B can do a 3 of 4 Shamir Backup and keep two shares in his home, one in his bank safe, and one in his lawyer’s office. The other two parties that have been entrusted with Shamir shares will never know what they’re holding, what kind of setup was made, and what it takes to potentially steal the funds. That’s why it’s called secret sharing – you give away parts, but only you know how to put them together and rebuild your secret.
It’s like spreading rumors so people memorize bits of information that they can’t put in the right context to find the meaning, just so you can forget them and later rediscover them via personal interactions (though practically doing something like this is a terrible idea for private keys, as proxy brain wallets are even riskier than using your own).
Shamir Backup vs Splitting Seed Phrase
You know what’s a terrible idea? Splitting your seed phrase/seed words/mnemonic. At some point, we all thought that it would be a good idea to take our 24 words and divide them for better security. But if somebody finds more than 3/4 of your words in their correct order, your wallet can become subject to brute force attacks – or even manual attempts in which all of the 2048 words in the BIP39 dictionary are tried in their right order.
Also, if you lose a single word from your seed phrase, you can kiss your coins goodbye (though you can try all the words in the dictionary and pray you get lucky before you get to the 2048th try).
On the other hand, if you have a 3 of 4 Shamir Backup and you lose one part consisting of 20 words, you can still recover your wallet with the remaining shares. And after you reconstruct your private key, it’s recommended to do another Shamir Backup which gives you back the lost share, so you don’t take the risk of taking permanent and irreversible financial damages in the event that you lose another piece of the backup.
The Shamir Secret Sharing scheme is superior in every way to the otherwise uninspired and short-sighted idea of splitting your seed phrase. Please don’t ever do it!
Shamir Backup Browsers: Use Tor!
The Trezor Bridge system only supports internet browsers such as Firefox, Chrome, and Brave. Alternatives such as Opera, Edge, Internet Explorer, and Safari will not work.
But with a simple 1-minute setup, you can log into your Trezor online wallet interface with the privacy-enhancing power of Tor: click on the address bar, type about:config, and then use the search bar to find a key named “network.proxy.no_proxies_on”. You might get a warning message about voiding the warranty, but just carry on – if anything goes wrong, you can simply reinstall the Tor browser.
Then you’ll have to add an exception to Tor, so that it can communicate with the Trezor Bridge: double click the suggested key and paste the following IP address and port: 127.0.0.1:21325.
After you click “OK”, you’re all set. Go to Trezor.io/wallet and everything will work just as well as it does on the sibling browser Mozilla Firefox – but with the added benefit of network-level privacy via IP obfuscation.
How Long Does It Take To Set Up Shamir Backup on Trezor Model T?
A rough estimate is 15 minutes. It all depends on the complexity of your setup (the number of parts and the threshold). If you do a 2 of 3 setup, it will probably take 10 minutes. But if you do a 15 of 16 configuration, it might take you up to an hour.
Just remember that this is not a race and you shouldn’t hurry for the sake of finishing fast. These Shamir shares are pieces of your private key, and your negligence can cost you. So treat this process seriously, as the Trezor Model T only makes you double check 3 random words of every part of 20. This means that there are 17 others that you can scramble or write down with a typo.
Verify Your Shamir Backup
In the “Advanced Settings” menu of Trezor Bridge, you can opt to manually check your recovery seed. This can be a great way to see if you’ve written down all the words correctly, and it’s a highly recommended step before depositing any funds on your Trezor.
You will have to use the on-screen keyboard on your Model T to write every word in its right order. It’s always good to practice your recovery and put your dexterity to the test, so you’re better prepared in times of emergency.
Establishing Your Threat Model
This is the most difficult part, since you have to reflect on your habits, issues, and ways in which they can be exploited by thieves or disasters. How likely is it for your house to get flooded or get set on fire? What is the crime rate in your neighborhood? Have you heard of robbed houses? Do you think you’re a target because you bragged about your bitcoins? Also, how many coins do you own?
Depending on these factors, you should determine the complexity of your setup. And if you need to securely move part of your private key outside of your house to minimize some risks, then the Shamir Backup offers you the best friend. You’ll just have to figure out the right amount of shares that you should generate, and the correct threshold.
To get an introduction to adversarial thinking and threat models, listen to this podcast interview with Peter Todd.
Are Paper Backups Enough For Your Shamir Backup?
Once again, this depends on your threat model. But if you’re going to hand pieces of paper to people you trust with shares of your Shamir Backup, then at least make sure that the paper is qualitative and at least covered in a layer of plastic to protect it from accidental flooding.
If you’re serious about your Shamir Backup shares and want to put them on something durable, use Billfodls by PrivacyPros. Just keep in mind that their steel plates can record up to 24 words, so you won’t be able to use them for 33-word Shamir Backups. However, this can change if there’s enough market demand.
But while steel plates are durable, giving them to somebody may raise suspicions and make them ask questions. From this point of view, paper is more discreet. So you should really consider your threat model and take into account the personality and values of whomever you choose to trust. Some will understand why you’re using steel plates, others will feel puzzled and start investigating.
Shamir on Top of a Multisig Key?
Yes, you can do a Shamir Backup on your multisig key. This adds a lot more complexity to your security model by making your key more difficult to sign. However, keep in mind that sometimes sophistication is the greatest enemy of good security and overcomplicating your setup may work against you if you don’t know what you’re doing and can’t replicate every step of the recovery process.
Do Shamir Backups Make Me Rely on Trezor Model T Hardware Wallets?
As of August 2020, Trezor is the only company which supports Shamir Backups on its hardware wallet. And the only device on which you can set up the backup and recover it is the Trezor Model T.
So from this point of view, you do need to get a Trezor device to benefit from the user friendliness and ease of the implementation.
But what’s going to happen if Trezor runs out of business and your Trezor Model T breaks? Does this mean that you can no longer recover your coins? Well, the answer is no. Before being a manufacturer of hardware devices, Trezor is a developer of free open source software.
So if you ever need to recover your Shamir Backup, you can run the latest version of the Python client on your computer. It’s more technical than the friendly user interface that Trezor provides on the Model T, but it’s the best way to use your funds no matter what happens to the company and its supply of hardware wallets.
Learn More About Trezor’s Shamir Backups from Co-Inventor Slush
Slush is a legend: he created Slush Pool when Satoshi Nakamoto was still around and gave him feedback, then went on to co-invent the world’s first hardware wallet and is still involved in groundbreaking ventures such as Tropic Square.
Most importantly, he is a strong believer in the power of open source software and make sure that his work and products get released under the same free licences that Satoshi has used for Bitcoin.
In S4 E8 of the Bitcoin Takeover Podcast, Slush talks about the Trezor hardware wallets and the role that the Shamir Backup plays in the grand scheme of things. Listen from minute 38 to discover the vision of the Trezor CEO.
Watch My Shamir Backup Tutorial
Donate to Bitcoin Takeover
If you found this article useful and would like to see more, then please consider making a donation to the project.
Alternatively, you can do Lightning donations via Tippin.
And if you’d rather send fiat, I also have a Patreon page which grants you some social benefits for every contribution.