SLIP39 with Ledger: warning not to backup BIP39 entropy?

Open AnonymousAard opened this issue 3 years ago • 2 comments

As a Ledger owner wanting the benefits of SLIP39, is there any particular reason not to:

  • Type my seedphrase and passphrase into the BIP39 page
  • Enable the entropy checkbox and copy it
  • In the SLIP39 page paste the copied entropy as the master secret
  • Store generated SLIP39 shares
  • Destroy BIP39 seedphrase
  • Recover the entropy from the SLIP39 page at any time using the shares
  • Use the recovered entropy on the BIP39 page to generate my seedphrase and passphrase that will work on any hardware wallet natively

I appreciate the documentation warns of not backing up the entropy as it is unreliable, and instead to use the mnemonic, and I am wondering if this is just because human errors are more likely when transcribing mnemonics or if there is another reason not to use what seems like an interoperable solution?

AnonymousAard, Jul 04 '22 09:07

The Trezor wallet (and the SLIP39 Satoshilabs standard) implements SLIP39 in a way that is incompatible with your process. That is mainly what the warning is about.

In general, SLIP39 is a pretty good standard, but by design it is impossible to have both a BIP39 phrase and SLIP39 shares for the same BIP39 seed or BIP32 root key, because you would need to reverse some hashing trying to go either from BIP39 or SLIP39 to the other.

What you do is a perfectly valid custom process though, but be sure you destroy the BIP39 phrase and you do all steps on an offline machine that is wiped before going online ever again.

> The Trezor wallet (and the SLIP39 Satoshilabs standard) implements SLIP39 in a way that is incompatible with your process. That is mainly what the warning is about.
>
> In general, SLIP39 is a pretty good standard, but by design it is impossible to have both a BIP39 phrase and SLIP39 shares for the same BIP39 seed or BIP32 root key, because you would need to reverse some hashing trying to go either from BIP39 or SLIP39 to the other.
>
> What you do is a perfectly valid custom process though, but be sure you destroy the BIP39 phrase and you do all steps on an offline machine that is wiped before going online ever again.

Thank you for the input.

I have also been discussing this over on Reddit with Crypto-Guide, who made a video about Ian's program. He has raised the issue of how a passphrase cannot be used with this process. I did try inputting a passphrase to the BIP39 and SLIP39 pages but it seems there is no way to include one unless I am mistaken.

https://www.reddit.com/r/TREZOR/comments/vr44ds/slip39_solution_for_future_trezor_owner_current/

The barrier to this process now is that without a passphrase the hardware wallet will be vulnerable to glitching attacks. I could store the passphrase with each of the 3 SLIP39 shares but it seems like there must be a better way to do this.

AnonymousAard, Jul 04 '22 16:07