I believe there are valid concerns re Ledger Nano's seed recovery service, but I am also sure there is a
lot of misinformation going around. Specifically in claims like "they've put a back door into seed
phrases" - quotation from a CoinTelegraph article.
I still must look closer at Ledger's seed recovery service. However, it's fair for everyone to know that
there exist Cryptographic algorithms that allow Ledger to provide such a service WITHOUT putting a backdoor
in their devices .
Here is how Ledger is describing their service:
"When you subscribe to Ledger Recover, a
pre-BIP39 version of your private key is encrypted, duplicated and divided into three fragments,
with each fragment secured by a separate company—Coincover, Ledger and an independent backup
service provider. Each of these encrypted fragments is useless on its own. When you want to
get access to your wallet, 2 of the 3 parties will send fragments back to your Ledger device,
reassembling them to build your private key."
This sounds like a 2-of-3 secret sharing scheme, where a secret is broken into 3 shards and is
recovered by putting together any 2 shards. Shamir's secret sharing allows us to do just that!
In such a scheme each shard is cryptographically secure and cannot leak the private key.
But if two shards are combined, one would indeed get the private key hidden by these shards.
Sidenote: Shamir's secret sharing allows all kind of combinations for n-of-m schemes. For example,
one could have a 3-of-5 scheme. This would generate 5 shards but only require 3 shards to recompose
the secret.
So here is how, Ledger's service could work without a backdoor:
-
A user runs the secret sharing algorithm on his own device generating 3 shards.
-
The user transfers one shard to each of Coincover, Ledger and the independent backup service provider.
-
On recovery, the user authenticates himself and two of the service providers send their shard to the user's device.
-
The user's device performs secret recovery and gets back the private key.
So, Ledger does not need a sneaky backdoor to run this service. It only needs to install software that
runs a secret sharing scheme on the user's device. Providers like Coincover, Ledger and the backup
provider would not be able to see the private key unless they colluded together.
Is this secure enough? Is this consistent with the spirit of someone purchasing a hardware wallet?
These are very legitimate questions which I don't delve into. However, everyone should distinguish
facts from fiction.
The most positive aspect of this story is that many might start learning about the potential of
secret sharing schemes. Imagine, if instead of giving the secret shares to Coincover or Ledger,
one gave these to family members or close friends!