Mathematical question about naive BIP39 Split Mnemonics

Hi guys,

I have a cryptological question. I know it doesn’t fit well here, but I know there are smart people around here and I don’t have many social media accounts.

I saw a cool BIP39 tool by Ian Coleman: https://iancoleman.io/bip39/ but in one place it’s suggested to split a BIP39 mnemonic into 3 parts like this:

BIP39 Mnemonic
perfect unlock twenty worth govern rice flat congress office range zoo rescue maximum west audit 
never beauty motor club proud myself certain horn pepper

BIP39 Split Mnemonic (Seed Recovery Requires 2 Of 3 Cards)

Card 1: perfect XXXX XXXX worth govern rice flat congress XXXX range XXXX XXXX maximum 
XXXX XXXX never beauty motor club proud XXXX certain horn pepper

Card 2: perfect unlock twenty XXXX govern XXXX XXXX XXXX office range zoo rescue maximum 
west audit XXXX beauty XXXX XXXX proud myself certain horn XXXX

Card 3: XXXX unlock twenty worth XXXX rice flat congress office XXXX zoo rescue XXXX west 
audit never XXXX motor club XXXX myself XXXX XXXX pepper

Time to hack with only one card: 3830854 years

Now this seems dangerous to me. To me it looks like a single card has only very weak entropy - I think one BIP39 word is worth 11 bits of entropy and the last word is a checksum.

So card 1 + 3 have 88 bits of entropy minus what the checksum word gives you. I’m not sure, but it definitely lowers the entropy a great deal. Card 2 has only about 77 bits of entropy.

Why the heck does the program report such a ridiculously high “time to hack”? It seems to me like a big mistake.

I’m not sure, but it seems to me that the checksum word could even lower the entropy of card 1 + 3 well below 80 bits, maybe even below 77 bits. So all in all I’d say that what this program suggests here is really not the optimal solution.

1 Like

Have you tried asking Ian Coleman? :slight_smile:

Seeds can be split using the XOR method with zero loss of entropy. See this theoretical introduction: https://github.com/mmgen/mmgen/wiki/XOR-Seed-Splitting:-Theory-and-Practice

The MMGen wallet supports splitting and joining BIP39 mnemonics via the mmgen-seedsplit and mmgen-seedjoin commands. In your case, you’d just save your seed phrase in a file with the extension .bip39 and use it as the infile argument for these commands. This functionality will be part of the next stable release, but it’s already on the master branch, well tested and safe to use. Just clone from Github and install. If you have any additional questions, I can answer them here or on Reddit.

I’m not sure what this means. Is it 3830854 years on today’s computer, or 1 year on a computer that will be available in 3830853 years? How does Ian know what kind of computer will be available then?

Jokes aside, this is a bad idea. It reveals 2/3 of the seed on every card. The right way to do this is: Shamir's secret sharing - Wikipedia

Ian himself has a prototype of a tool that does this: Shamir39 - Mnemonic Code Splitter but it’s not standardized in any way and you likely shouldn’t use it.

There is another implementation that is slightly more standardized: https://github.com/satoshilabs/slips/blob/master/slip-0039.md but it’s not a BIP standard. I did not find anything better though.

The MMGen XOR method seems to allow only N/N share reconstruction. I.e. if any single share is lost then the seed is gone.

1 Like

Haha, brilliant :smile:

If you find one card you still need 8 words. Cracking 8 words means 2048^8 combinations, or conservatively 10^25. The fastest ASIC right now can process 3 GH/s which comes out to, conservatively, 10^18 per year. So 10^25 / 10^18 = 10^7. Meaning you’d have to run the machine for 10 million years to go through all possibilities.
Did I miss anything?

True. The last word is a checksum with only 256 options, so that reduces the options by a factor of roughly 10. So if you have the first two cards you would only have to wait 1 million years :stuck_out_tongue:
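Added example (not part of the thread and not Ian Coleman's code): it measures what a single card from the original post leaves to search, applying the BIP39 checksum rule to 11-bit word indices so no word list is needed. The function names are made up for this example, and the index prefixes used in the brute-force check are constructed, not real wallets.

```python
import hashlib

def checksum_ok(indices):
    """BIP39 rule: the trailing ENT/32 bits equal the leading bits of SHA-256(entropy)."""
    total = 11 * len(indices)
    cs = total // 33                      # checksum bits: 4 for 12 words, 8 for 24
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes((total - cs) // 8, "big")
    want = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return (bits & ((1 << cs) - 1)) == want

def count_valid_last_words(prefix):
    """Brute-force all 2048 final words for a known prefix; count checksum matches."""
    return sum(checksum_ok(prefix + [w]) for w in range(2048))

def card_search_space(card, mask="XXXX"):
    """Return (missing words, log2 SHA-256 trials, log2 checksum-valid candidates)."""
    words = card.split()
    cs = 11 * len(words) // 33
    missing = sum(w == mask for w in words)
    raw = 11 * missing                    # bits hidden by the masked words
    valid = raw - cs                      # exact if the last word is masked, expected otherwise
    # Last word masked: enumerate the entropy bits only and derive the checksum.
    # Last word known: every raw guess has to be hashed and compared.
    trials = valid if words[-1] == mask else raw
    return missing, trials, valid

# The three cards quoted in the original post.
CARDS = [
    "perfect XXXX XXXX worth govern rice flat congress XXXX range XXXX XXXX maximum "
    "XXXX XXXX never beauty motor club proud XXXX certain horn pepper",
    "perfect unlock twenty XXXX govern XXXX XXXX XXXX office range zoo rescue maximum "
    "west audit XXXX beauty XXXX XXXX proud myself certain horn XXXX",
    "XXXX unlock twenty worth XXXX rice flat congress office XXXX zoo rescue XXXX west "
    "audit never XXXX motor club XXXX myself XXXX XXXX pepper",
]

if __name__ == "__main__":
    for n, card in enumerate(CARDS, 1):
        print("card", n, card_search_space(card))
    # Constructed prefixes (word indices 0..22 and 0..10), not real wallets.
    print(count_valid_last_words(list(range(23))), count_valid_last_words(list(range(11))))
```

Each quoted card hides 8 words and leaves about 2^80 checksum-valid candidates, compared with 2^256 for a seed with nothing revealed. The brute-force count finds 8 valid final words for a 24-word phrase and 128 for a 12-word one.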