[bitcoindev] Announcing Penlock v1: Paper-Based Secret Splitting for BIP39 Seed Phrases - 'Rama Gan' via Bitcoin Development Mailing List

Bitcoin Development Mailinglist
 help / color / mirror / Atom feed

From: "'Rama Gan' via Bitcoin Development Mailing List" <bitcoindev@googlegroups.com>
To: "bitcoindev@googlegroups.com" <bitcoindev@googlegroups.com>
Subject: [bitcoindev] Announcing Penlock v1: Paper-Based Secret Splitting for BIP39 Seed Phrases
Date: Thu, 20 Nov 2025 09:04:24 +0000	[thread overview]
Message-ID: <GbNAPQX2Q4TzZvS6aWLPf3iy7z1yTXVrgnPpXazBjdcWH-zROBEBieE02r6GX128LM7mml6oTzAmlboV97EWpG1ujLcVZ6fx6uihUMXxCEo=@proton.me> (raw)

Hello everyone,

I am thrilled to announce the public release of Penlock!

The goal is achieved! If you have a printer, scissors, a craft knife,
and a pin, you can mechanically secret-split a 12-word seed phrase
in under two hours. This includes the entire process—learning,
printing, assembling, executing, and storing the shares.

Penlock is a printable paper calculator that guides you through
splitting a seed phrase into a 2-of-3 backup. It is open-source,
uses straightforward and robust cryptography, and includes various
fail-safes that protect against errors. A beta was announced on
this list last year, and the public release is now available at:
<https://v1.penlock.io/en/>

This release breaks backward-compatibility with the beta, allowing for
enhancements that make Penlock significantly easier to operate. Here
are the main improvements in v1:

- Faster Secret-Splitting: Penlock now focuses exclusively on producing
2-of-3 backups using its own paper-optimized splitting algorithm. The
previous iteration supported K-of-M splitting with Shamir Secret
Sharing, but at the cost of more complexity and a clunkier 2-of-3
process. Since 2-of-3 covers nearly all use cases, optimizing for it
seemed like the right approach.

- Backup Strategy Template: Penlock now suggests a generic, adaptable
backup strategy that helps set up offsite recovery and trust-minimized
inheritance. In short, each share is tied to a different type of
storage: Digital, Social, and (optionally) Legal. This ensures an
attacker would have to run two different types of attacks, and makes
it hard for a party holding one share to obtain a second one. You
can find more details at <https://v1.penlock.io/en/split#strategy>.

- On-Paper Error Correction: Penlock v1 introduces what I believe to
be the first on-paper error correction algorithm. Each BIP39 word is
extended with two pre-computed parity symbols, guaranteeing per-word
unambiguous correction of 1 error and detection of 2. In practice,
it's also possible to fix a word with two errors, though it requires
a little bit of patience.

- Easier Seed Phrase Generation: Penlock also offers BIP39 seed phrase
generation as an extra feature. The whole process has been redesigned
into one of the simplest ways to generate a seed phrase by hand.

Penlock was inspired by Codex32 from Andrew Poelstra and Russell
O'Connor. It's been a two-year quest to adapt their concept for BIP39
seed phrases, iterating toward the best UX I could craft without
compromising security. These improvements often required breaking
compatibility with previous versions, which made me reluctant to
propose a public version until the design stabilized into something
final.

I believe I have finally reached the best formula I can think of,
hence this release. The feedback so far has been very positive,
and I hope you find it interesting too! Please share any feedback or
questions, and let me know what you think!

Best,
Rama Gan

P.S.: Penlock's wheel also happens to be an interesting cryptographic
puzzle—can you reverse-engineer Penlock's secret splitting algorithm
just by looking at it?

-- 
You received this message because you are subscribed to the Google Groups "Bitcoin Development Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bitcoindev+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/bitcoindev/GbNAPQX2Q4TzZvS6aWLPf3iy7z1yTXVrgnPpXazBjdcWH-zROBEBieE02r6GX128LM7mml6oTzAmlboV97EWpG1ujLcVZ6fx6uihUMXxCEo%3D%40proton.me.

                 reply	other threads:[~2025-11-20  9:49 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='GbNAPQX2Q4TzZvS6aWLPf3iy7z1yTXVrgnPpXazBjdcWH-zROBEBieE02r6GX128LM7mml6oTzAmlboV97EWpG1ujLcVZ6fx6uihUMXxCEo=@proton.me' \
    --to=bitcoindev@googlegroups.com \
    --cc=ganrama@proton.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox