Peeling Back the Layers: Splitcoin vs. the 25th Word
Updated: Feb 8, 2024
The rise of decentralized finance and cryptocurrency has made digital wallets a part of many investors' financial arsenals. The security of these wallets hinges upon cryptographic protocols and seed phrases, sequences of words that can restore access to digital assets. How these seed phrases are secured is vital, and herein lies the comparison between two mechanisms: Splitcoin and the Passphrase, also known as the 25th Word method.
Underlying Principles:
Splitcoin: A novel approach, Splitcoin permits users to manually encrypt their seed phrase, ensuring the app never accesses or requests the original phrase. Users create a vault for their seed phrase using a unique, auto-scrolling codebook. This codebook is locked and accessed through a unique vault key, which is split and stored across two to eight NFC-enabled physical coins or QR codes. To regain their seed phrase, users scan their coins and input a password, opening the vault and enabling them to manually decrypt the seed phrase.
Passphrase (25th Word): Rooted in simplicity, the 25th word system extends the original 24-word seed phrase by adding an additional word. This passphrase is like a final layer of encryption, known only to the user. However, while the system is straightforward, its robustness heavily depends on the chosen passphrase's complexity.
Cryptographic Robustness:
PBKDF2 with HMAC-SHA512: Widely utilized in cryptographic protocols, PBKDF2 is dependable. However, in terms of brute force resistance, particularly for a passphrase such as the 25th word, it reveals its flaws. PBKDF2 is horrendously parallelizable, implying that it can be simultaneously computed on multiple processors or on specialized hardware like ASICs. This makes brute force attacks by attackers with abundant resources more feasible. The potential vulnerability is exacerbated if users select easily guessable 25th words, given the lack of inherent complexity requirements.
Scrypt in Splitcoin: In contrast, Scrypt stands as a fortress against brute force strategies. Designed to be memory-intensive, it's resistant to parallelized computations, making it hard to run on specialized hardware. The Scrypt parameters for Splitcoin, specifically N=1048576 (RAM = 1 GB), r=8, and p=1, represent a robust configuration, requiring significant memory and computational resources to compute, thus enhancing resistance against brute-force and parallelized attacks. Further amplifying Splitcoin's security is Pesto, a rigorous password strength estimator ensuring that passwords used in the encryption process are not just long, but intrinsically complex and unpredictable. More detail on this topic can be found in the Splitcoin whitepaper.
The Real-World Scenario: Physical Compromise
Picture this: a dark alley, a misplaced wallet, and your meticulously recorded seed phrase falls into the hands of someone with nefarious intentions. If you're employing the 25th word mechanism, they now possess 24 out of the 25 keys to your cryptocurrency kingdom. The last key, that 25th word, is all that stands between them and your digital wealth.
Here's where the absence of complexity requirements for the passphrase unveils its vulnerable underbelly. With no mandates for a mix of uppercase, lowercase, symbols, and numbers, a user might opt for simplicity with passphrases like "love" or "treasure". Such words, being common in daily language or popular culture, are prime candidates for a brute-force dictionary attack. You might even use another password that has already been compromised!
Even more alarming is the potential susceptibility to social engineering tricks. Phishing campaigns can craftily elicit such information by pretending to be legitimate service providers or security alerts. These deceptive communications might request the user to "confirm" their 25th word for "security reasons" or any other seemingly valid pretense. Given the human propensity to trust and our occasional lapses in judgment, this can be an effective way for thieves to bypass the last layer of defense.
But let's shift the scenario to Splitcoin. This cryptographic architecture is designed with layered security in mind. Should a thief get their hands on the encrypted seed phrase, they'd quickly realize that the battle has only just begun. To decrypt the seed, they'd need a collection of physical coins - and not just any coins, but the exact set that corresponds to the user's unique encryption. Each coin is integral, much like pieces of an intricate jigsaw puzzle. But even with the coins, there's still the challenge of the exact password. Attempting to phish for this password becomes a daunting task. Unlike a simple 25th word, the password here is bolstered by the stringent Pesto requirements. And the physical nature of the coins adds another layer of security. It's difficult to phish for something tangible, like a coin. While an attacker can craft emails or messages to trick you into revealing a passphrase or password, they cannot digitally extract a physical item from you. Thus, the physicality of the coins acts as a barrier against online phishing attempts.
In essence, while the 25th word mechanism is akin to a door with a single lock, Splitcoin offers a fortified vault. Even if adversaries manage to breach the outer layer, they face successive, and increasingly formidable, barriers. This layered defense underscores the thoughtful and robust security design of Splitcoin.
Two Methods, One Goal
While both Splitcoin and the Passphrase method present unique strengths, they could be combined for those seeking an enhanced layer of protection. The differential effectiveness in security breach situations between the two methods doesn't necessarily preclude their simultaneous use for those aiming for "greater" security. However, this "greater" security is arguably unnecessary and not greater at all.
The 25th word, with its simplicity, may appeal to those looking for a straightforward extension to their seed phrase. However, its dependence on PBKDF2 with HMAC-SHA512 and the potential pitfalls of an uncomplicated passphrase render it more vulnerable. Splitcoin, with its multi-pronged approach, integrating Scrypt and Pesto, stands tall in cryptographic strength and resistance against both digital brute force and physical compromise. In the dynamic landscape of digital finance, where the stakes are ever-rising, Splitcoin emerges as a meticulously crafted bulwark, shielding users' assets with unparalleled resilience.
Comments