ability to use m of n seeds for ledger #54
Comments
|
i did see some social medias around SLIP-0039 but am not familiar with it skim reading... looks pretty sweet |
thedavidmeister
changed the title
|
@jonathancross done |
|
Thanks @thedavidmeister |
|
Support is growing, there is now a browser based implementation. |
|
Hello - I understand this is a complex request but it would be great if someone could post an update on the current status, what are the barriers to implementation if any, etc. Thank you. |
|
yknow... it would almost be worthwhile as a standalone small device that performs cryptography on inputs and throws away the outputs after use or when powered off basically just to do the compute for paper wallet management, with no networking |
|
@thedavidmeister : Let's try to keep this focused on one topic (getting an app for SLIP-39). Devs are unlikely to even read (much less work on) a long feature request full of hopes, dreams and opinions. That being said, a wallet restored from SLIP-39 mnemonics on a Ledger Nano X, used to sign and then wiped is already what you are talking about.😉 |
|
devs aren't going to ignore a good idea just because there is a little noise in a github thread, if anything they tend to ignore 'stale' issues |
|
I'd also be interested to see the ability to do n-of-m secret sharing |
|
I wonder how many buy a Trezor just for that backup option? |
|
https://www.youtube.com/watch?v=pNK6UaZ6XjI short discussion re: multisig from around 30 mins in still... why no protection on the seed itself? |
|
Any ETA on when shamir secret sharing will supported? Why so much of delay? |
|
This would be awesome if supported by ledger! |
|
Any update on Shamir backup implementations? Devs said on the subreddit that they're working on the UX, but that was 6 months ago. |
|
other than a Trezor, has anyone used a hardware device that does shamir? partly because it's good to reference prior art when developing something new here, and partly because i want to buy something right now and it's been 2 years with no meaningful developments from ledger here |
|
Hi. There seems to be some recemt discussion on this issue here: |
|
is there an option for m of n seeds that doesn't have vendor lockin? |
|
@thedavidmeister what vendor lock in are you talking about? There are Open Source tools for working with the SLIP-39 shards, recreation of the wallet seed, etc. |
|
@jonathancross from the thread linked in the comment above mine:
|
|
It is really unfortunate that they did not make the seed phrases compatible between the two standards. I don't see this as vendor lock-in though -- all code is Open Source as well as the SLIP-39 spec. There are several software implementations as well (eg Electrum). So nobody is locked into using something from 1 company, but we are lacking hardware device support. This feature request is to get an app for the Ledger that supports SLIP-39 so users have multiple hardware devices that support it (reducing vendor lock-in risk). It may turn out that the community comes up with a better specification than SLIP-39 for doing sharding, but this is the best I know of so far. |
|
@jonathancross you telling me what my own feature request is for? 😆 whatever you call it, "not interoperable", "vendor lockin", @btchip the cofounder of ledger is publicly stating SLIP-39 will not be supported any time soon because of this compatibility issue if SLIP-39 is the best option great, but i don't really care as long as i get any reasonable airgapped "m of n" option it's been 2.5 years already with "no progress" 😞 frigging ridiculous to go to all this effort and have my seed sitting around in plain text somewhere |
Yeah I understand and agree! IMO, It seems like the future is multisig for m of n. Once Taproot is activated, they won't be any more expensive or less private than a normal single key transactions with the added security benefit that no single device ever holds all the key information. |
|
i pretty much only use ethereum, looking for a hw level chain agnostic solution here :) |
|
This comment: But the same comment also proposes a BIP39/SLIP39 integration that uses BIP39 mnemonics for Shamir's algorithm instead of SLIP-0039 master secrets: |
Correct, SLIP39 isn't designed to restore a BIP39 seed phrase. |
|
pretty please? |
|
Has there been any progress on this? It will likely be the deciding factor on my next hardware wallet choice. In the meantime I have queried this in the subreddit as a possible workaround for SLIP39 on the Ledger: |
|
and here: and maybe also here: |
No, not at the moment. I wanted the app to be more or less working fully before approachig the Ledger team. With the latest release v1.1.0 the app is now woking the way I want and tested on Nano S, Nano X and Nano S Plus. I will look to see what is involved in submitting an app to Ledger for approval...or rejection :-). Further improvements can be made e.g. changing the m-of-n threshold dynamically rather than the current hardcoded 2-of-3 threshold. But for now hopefully the app is good enough for submission to Ledger. |
|
The latest v1.2.0 release of the app-sskr-check Ledger app adds the ability to set the threshold and number of Shamir's Secret Shares generated. Here's a pretty little diagram showing the flows through the apps menus: ---
title: SSKR Check App Flow
---
flowchart LR
1 --- 2 --- 3 --- 4
subgraph 1[BIP39]
direction TB
1.1[Check BIP39]
1.1 --> 1.2.1[Enter 12 Words] --> 1.3{Validate BIP39 Phrases}
1.1 --> 1.2.2[Enter 18 Words] --> 1.3
1.1 --> 1.2.3[Enter 24 Words] --> 1.3
1.3 --> |Valid BIP39| 1.4
1.3 --> |Invalid BIP39| 1.3.1[Quit]
subgraph 1.4[Generate SSKR Shares]
direction TB
1.4.1[Select number of shares] --> 1.4.2[Select threshold] --> 1.4.3[Generate SSKR Shares] --> 1.4.4[Display SSKR Shares] --> 1.4.5[Quit]
end
end
subgraph 2[SSKR]
direction TB
2.1[Check SSKR] --> 2.2[Enter SSKR Shares] --> 2.3{Validate SSKR Shares}
2.3 --> |Valid SSKR| 2.4
2.3 --> |Invalid SSKR| 2.3.1[Quit]
subgraph 2.4[Generate BIP39 Phrases]
direction TB
2.4.1[Generate BIP39 Phrases] --> 2.4.2[Display BIP39 Phrases] --> 2.4.3[Quit]
end
end
subgraph 3[Version]
direction TB
3.1[Version]
end
subgraph 4[Quit]
direction TB
4.1[Quit]
end
|
|
@aido Great work! do you reckon your app is ready for use? As I understand it, your seed will not leave your Ledger. However, for the typical user, it would appear insane to install a little-known third-party app to perform this function. A clear explanation of installation instructions and threat model would go a long way -- including things like how to verify the hash on the binary etc. |
|
Hi @wisefool769 ,
Yes, I think my app is ready for use. I am still making small tweaks and minor changes from time to time but nothing that will break or change functionality too much
Correct
I agree.
Threat model? ... hmmm, one identified threat is "never trust an app written by a random guy on the internet". :-) But you've obviously spotted that one already. |
|
To add, having gotten Shamir's Secret Sharing working on Ledger devices I now plan to expand the app-sskr-check app and turn it into a "Seed Utility" tool. The app currently does BIP39 check, SSKR Check and SSKR Generate. In the future I also plan to add BIP85 funtionality so I can generate something like this. ---
title: One Seed to rule them all - Multi wallet
---
flowchart TB
1.1 --> |Backup| 1.2
1 --> |BIP85 Child 0| 2.1.1
1 --> |BIP85 Child 1| 2.1.2
1 --> |BIP85 Child 2| 2.2.1
1 --> |BIP85 Child 3| 2.2.2
1 --> |BIP85 Child 4| 2.3.1
1 --> |BIP85 Child 5| 2.3.2
1 --> |BIP85 Child 6| 2.4.1
1 --> |BIP85 Child 7| 2.4.2
subgraph 1[Parent]
direction TB
1.1[Root Seed]
subgraph 1.2[2-of-3 Shamir's Secret Shares]
direction BT
1.2.1[Share 1]
1.2.2[Share 2]
1.2.3[Share 3]
end
end
subgraph 2[Children]
direction TB
subgraph 2.1[Cold Wallet]
direction LR
2.1.1[BIP39 #1]
2.1.2[Password #1]
end
subgraph 2.2[Hardware Wallet]
direction LR
2.2.1[BIP39 #2]
2.2.2[Password #2]
end
subgraph 2.3[Lightning Wallet]
direction LR
2.3.1[BIP39 #3]
2.3.2[Password #3]
end
subgraph 2.4[Phone Wallet]
direction LR
2.4.1[BIP39 #4]
2.4.2[Password #4]
end
end
But that is off topic and beyond the scope of this issue. |
|
@aido What would your proposed "Seed utility tool" offer over something like the Seedtool CLI, which has had a few more eyes on it. |
|
I haven't thought that far ahead. But yes, maybe a subset of the tools provided by Seedtool CL ... but on an airgapped, secure device/hardware wallet. |
|
Oh I see, your "utility tool" would still run on-device. That makes sense. |
Indeed it is. app-sskr-check mitigates nearly all the concerns people seem to have about Ledger Recover. In light of Ledger's latest move I may have to reconsider app-sskr-check and my approach to Ledger in general. |
|
Here are some insane remarks from Pascal Guethier, CEO of ledger, for anyone reading this who would like context on why this thread is now "funny"
I'm genuinely wondering what the point of a Ledger even is now. Even if I don't enable the "service", nobody else knows whether I did or did not, so could reasonably assume it's worthwhile to attempt to steal my identity as long as they believe I have funds on a Ledger device. The side channel attacks on Trezor hardware always spooked me, but here we have closed source firmware that can export private keys, from a company that is openly selling corporate access to private keys, and (in my experience) periodically the devices seem to inexplicably brick themselves without firmware updates. @aido i really appreciate your hard work on this one ... where can we go from here? 😞 I'm tempted to just close this issue out and migrate to Trezor before this "convenience" becomes "default" and then "paywall". It's really sad that Ledger must have implemented SSS or something like it in the process of releasing this garbage, but still don't seem to be offering a simple M of N option for physical seed backups. I guess it will be even more difficult to get approval from that app submission now, if it is perceived as a competitor to a subscription service offered by the same company. |
|
Hi @thedavidmeister, I am not sure where to go from here either. I suggest leaving this issue open for now until the dust settles. |
|
I may start looking into AirGap insted of continuing with the sskr-check app. AirGap implements SSKR AND BIP85 which are two of the things I was trying to implement in a Ledger app ... until yesterday's announcement from Ledger, |
|
I think AirGap is still at the phase of planning to implement SSKR. Ledger still has the advantage of supporting certain good coins Airgap doesn't, e.g Monero and whatnot... |
|
Ledger are using Shamir's Secret Sharing as part of their Ledger Recover serrvice, I saw a comment somewhere that eventually the shards generated for Recover may be backed up using other methods. I really, really hope Ledger are not creating their own version of SSS that only works on Ledger devices i.e. vendor lock in. Ledger really should use an open, interoperable standard for SSS but I know they won't. |
|
(Ignoring the fact that we have trust issue with Ledger having access to keys) the situation is still not great and I can see why they didn't make it the consumer feature - because:
As far as I can tell there is no easy way to discriminate between the two backups. EDIT: seems like SSKR always starts with |
|
@dzid26 |
Yes, that is part of the CBOR header that identfies the data as a SSKR share. |
Yes I know. Regarding Airgap, as I said earlier:
Anyway, I just gave the reasons why we probably will not see user Shamir's backups. In a different world where SSKR was first - maybe, but we have slip-39 in the wild and the whole thing will be confusing to users. .... |
This link is now broken. I have tried adding I've tried compiling from source on OSX + homebrew + Docker but this fails to complete as there is no equivalent cross platform compiler. Updated : I have managed to install app-sskr-check on my NanoS (firmware SE 1.6.0, Microcontroller 1.12) but the app Can you advise why ? is it because I need to add a self signed certificate to NanoS, or because the firmware version is too old ? or perhaps because Installation steps for MacOSX 11.7.7 M1 ARM :
This is where I am stuck now, I when I attempt to run the |
|
Hi @InfiniteQE , See my response here: |
|
Thanks, with your assistance I have app SSKR Check loaded and running on a different NanoS with Firmware SE 2.0.0, this appears to be the minimum firmware version requirement. |
|
Phase 3 of Ledger's Open Source roadmap states that Ledger plan to provide tools that will allow an individual to implement their own shard backup provider. This may or may not make app-sskr-check obsolete. The Ledger Recover white paper shows that Ledger will be using a variant of Shamir's Secret Sharing called Pedersen Verifiable Secret Sharing.. My concern here is that Ledger will be the only hardware wallet using this flavour of Pedersen VSS so it may not be interoperable. Other standards already exist but Ledger now seem to have created their own non-interoperable one. One of the reasons for choosing SSKR for the app was because of its interoperability. I will be slowing down or even pausing development of app-sskr-check until I get a better idea of how Ledger plan to allow individuals implement their own shard backup. |
|
Almost 5 years after this issue was raised there may be hope that an application for generating Shamir's Secret Shares on a Ledger device may soon be available. The Seed Tool application that I wrote for generating Shamir's Secret Shares was recently function tested by Ledger. Apparently this went well so the next step in the process is a security audit. As I cannot bear the cost of an external audit myself Ledger are trying to find a way to take charge of the audit. They have a very limited bandwidth though, so need to find a slot. |
|
@aido Great to hear! I see you are not using SLIP-39 but rather Sharded Secret Key Reconstruction (SSKR) -- which is great! At this point I no longer support the SLIP-0039 approach as they missed the # 1 use case users are asking for: splitting a seed phrase into a reasonable number of shares and having the option to restore the original seed phrase. PS: we might want to rename this feature request or open a new one if SLIP-0039 is no longer the goal. |
thedavidmeister
changed the title
update: app-seed-tool
Looks like an app might be accepted.
#54 (comment)
https://github.com/aido/app-seed-tool
update: SLIP-0039 support
there is an emerging standard for shamir secret sharing for mnemonic codes SLIP-0039
https://github.com/satoshilabs/slips/blob/master/slip-0039.md
it would make sense to adopt the standard here
see the comments below for more information
original request
originally posted LedgerHQ/ledger-live-desktop#1722
i would like to be able to setup an m of n seed for my ledger using shamir secret sharing using a new, dedicated application on the ledger
i found this repo: https://github.com/oed/seedsplit
and these reddit threads:
but all the options offered require setting up an airgapped device and running 3rd party unaudited code
it makes sense to me that m of n seeds be able to be generated by the ledger itself, using audited code, without the seed needing to leave the device
without this option we must choose between a risky technical process or a physical risk in the storage of the seed
an official m of n seed would facilitate much more secure physical setups for many more users
i understand that this is a fairly advanced feature for most people, so probably shouldn't be the default behaviour, but would help others sleep better at night :)
ideally, once the m of n seed is created on the ledger, the seeds can be stored in physically separate locations, then the ledger wiped to remove even pin access, producing a very secure cold wallet
Part of the application
new application for ledger
The text was updated successfully, but these errors were encountered: