* [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2018-12-21 23:58 UTC
  To: Bitcoin Dev

Has anybody already looked at this: given N randomly chosen words
belonging to a BIP39 2048 words dictionary, what is the probability to
get a "valid" BIP39 seed (ie with the right checksum)?

The result looks (very) surprising to me and might have some use cases,
just would like to know if this topic has already been discussed before
going further

-- 
Move your coins by yourself (browser version): https://peersm.com/wallet
Bitcoin transactions made simple: https://github.com/Ayms/bitcoin-transactions
Zcash wallets made simple: https://github.com/Ayms/zcash-wallets
Bitcoin wallets made simple: https://github.com/Ayms/bitcoin-wallets
Get the torrent dynamic blocklist: http://peersm.com/getblocklist
Check the 10 M passwords list: http://peersm.com/findmyass
Anti-spies and private torrents, dynamic blocklist: http://torrent-live.org
Peersm : http://www.peersm.com
torrent-live: https://github.com/Ayms/torrent-live
node-Tor : https://www.github.com/Ayms/node-Tor
GitHub : https://www.github.com/Ayms




* Re: [bitcoin-dev] BIP39 seeds
From: Pavol Rusnak @ 2018-12-23 18:46 UTC
  To: Aymeric Vitte, Bitcoin Protocol Discussion

On 22/12/2018 00:58, Aymeric Vitte via bitcoin-dev wrote:
> Has anybody already looked at this: given N randomly chosen words
> belonging to a BIP39 2048 words dictionary, what is the probability to
> get a "valid" BIP39 seed (ie with the right checksum)?

1:256 for 24 words
1:16 for 12 words

This ratio is not too great and will be improved in the upcoming SLIP39
standard: https://github.com/satoshilabs/slips/blob/master/slip-0039.md

-- 
Best Regards / S pozdravom,

Pavol "stick" Rusnak
CTO, SatoshiLabs



* Re: [bitcoin-dev] BIP39 seeds
From: Eric Scrivner @ 2018-12-23 20:55 UTC
  To: Aymeric Vitte, Bitcoin Protocol Discussion


Quite interesting. Not familiar with prior art here, but would be
interested in what your results are showing if you’re willing to share?

On Sun, Dec 23, 2018 at 11:44 Aymeric Vitte via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Has anybody already looked at this: given N randomly chosen words
> belonging to a BIP39 2048 words dictionary, what is the probability to
> get a "valid" BIP39 seed (ie with the right checksum)?
>
> The result looks (very) surprising to me and might have some use cases,
> just would like to know if this topic has already been discussed before
> going further
>
-- 
Eric Scrivner
Remote Software Engineer
M: (760) 617-5067
Coinbase
San Francisco, CA, USA


* Re: [bitcoin-dev] BIP39 seeds
From: Jameson Lopp @ 2018-12-23 21:08 UTC
  To: Aymeric Vitte, Bitcoin Protocol Discussion


I believe it would depend upon the entropy used for the seed, as that would
affect how many bits the checksum represents.
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#Generating_the_mnemonic

So for a 24 word / 256 bit mnemonic the checksum is 8 bits, thus there are
8 valid checksums and if you picked a random checksum from the wordlist of
2048 words you'd have a 1 in 256 chance of picking a valid one.

On Sun, Dec 23, 2018 at 1:44 PM Aymeric Vitte via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

> Has anybody already looked at this: given N randomly chosen words
> belonging to a BIP39 2048 words dictionary, what is the probability to
> get a "valid" BIP39 seed (ie with the right checksum)?
>
> The result looks (very) surprising to me and might have some use cases,
> just would like to know if this topic has already been discussed before
> going further
>


* Re: [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2018-12-23 22:41 UTC
  To: Pavol Rusnak, Bitcoin Protocol Discussion

Exactly

This is surprising, I would have expected the probabilities to be much
lower

It just means that scanning whatever (secret) book, document, link, etc,
you will easily find BIP39 seeds, even of 24 words

So, it just means that you don't have to write your seed since you can
recover it that way, given a secret source and specific algo with custom
parameters, this could be used for plausible deniability also

For now I still dislike BIP39 and alike (because I don't see very well
why it's easier to write n words that you cannot choose rather than a
32B BIP32 hex seed, and I have seen many people completely lost with
their wallets because of this), but I could change my mind, and despite
further improvements for this ratio, could what I am suggesting make
sense?

Le 23/12/2018 à 19:46, Pavol Rusnak a écrit :
> On 22/12/2018 00:58, Aymeric Vitte via bitcoin-dev wrote:
>> Has anybody already looked at this: given N randomly chosen words
>> belonging to a BIP39 2048 words dictionary, what is the probability to
>> get a "valid" BIP39 seed (ie with the right checksum)?
> 1:256 for 24 words
> 1:16 for 12 words
>
> This ratio is not too great and will be improved in the upcoming SLIP39
> standard: https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>



* Re: [bitcoin-dev] BIP39 seeds
From: Tiago Romagnani Silveira @ 2018-12-24 14:58 UTC
  To: Pavol Rusnak via bitcoin-dev

Why is this a SLIP and not a BIP?
Will it require a BIP39 seed, or will it work with any seed format?


On 12/23/18 19:46, Pavol Rusnak via bitcoin-dev wrote:
> On 22/12/2018 00:58, Aymeric Vitte via bitcoin-dev wrote:
>> Has anybody already looked at this: given N randomly chosen words
>> belonging to a BIP39 2048 words dictionary, what is the probability to
>> get a "valid" BIP39 seed (ie with the right checksum)?
> 1:256 for 24 words
> 1:16 for 12 words
>
> This ratio is not too great and will be improved in the upcoming SLIP39
> standard: https://github.com/satoshilabs/slips/blob/master/slip-0039.md
>




* Re: [bitcoin-dev] BIP39 seeds
From: James MacWhyte @ 2018-12-25 0:30 UTC
  To: vitteaymeric, Bitcoin Protocol Discussion


On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

>
> I don't see very well why it's easier to write n words that you cannot
> choose rather than a 32B BIP32 hex seed, and I have seen many people
> completely lost with their wallets because of this
>

In practice it has quite a few qualities that make it a bit more resilient
for physical (written) storage.

If a few letters of a word get rubbed off or otherwise become illegible, it
is pretty easy for a native speaker to figure out what the word is supposed
to be. Even a non-native speaker could look through the word list and
figure out which word fits. Missing characters in a hex string require more
advanced brute force searching, which the average user isn't capable of.

Additionally, having the bits grouped into words makes a more serious
recovery easier. If you lose one entire word, it can be brute forced in
about 5 minutes on a normal pc, even if you don't know which position the
missing word is in (I have published a tool that does just this:
https://jmacwhyte.github.io/recovery-phrase-recovery). If you are missing
two words, you can brute force it in about a week (napkin math).

If you were missing a random chunk of a hex string, I don't know how you'd
go about brute forcing that in a timely manner.

As an aside, from a UX standpoint we've seen that the 12 words don't *look*
important so people don't take them seriously (and they get lost). A hex
string or equivalent would look more password-y, and therefore would most
likely be better protected by users.

James


* Re: [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2018-12-26 11:33 UTC
  To: James MacWhyte, Bitcoin Protocol Discussion


Another drawback I think is that people are not using it as seeds, they
just go to a wallet sw which proposes a new seed, write it somewhere, do
something with the wallet and forget about it, go to another one, create
another wallet, etc

Apparently it is not very well known even here that the probabilities
are very high to get a valid BIP39 seed even with 24 words, so, even
with a tool like yours, they can be misled, for example trying a few
words to replace the missing/incorrect one, get a valid seed and stay
stuck with it forever trying to play with BIP44/49 to find their keys

Probably what I am suggesting is not new (and therefore maybe not a good
suggestion): given a secret seed (a book, a document, a link, etc) and a
derivation path (an algo with secret parameter(s) to derive/order the
words and select the valid bip39 sequences), you get your BIP39 seeds
and don't have to write them

Of course we don't necessarily have to use BIP39 for this but this is
what we have everywhere and this is what is compatible with it, then you
could use the same or a fake written "not very well hidden" BIP39 seed
to plausibly deny your real wallet

Le 25/12/2018 à 01:30, James MacWhyte a écrit :
>
>
> On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org
> <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>
>
>     I don't see very well why it's easier to write n words that you
>     cannot choose rather than a 32B BIP32 hex seed, and I have seen
>     many people completely lost with their wallets because of this
>
>
> In practice it has quite a few qualities that make it a bit more
> resilient for physical (written) storage.
>
> If a few letters of a word get rubbed off or otherwise become
> illegible, it is pretty easy for a native speaker to figure out what
> the word is supposed to be. Even a non-native speaker could look
> through the word list and figure out which word fits. Missing
> characters in a hex string require more advanced brute force
> searching, which the average user isn't capable of.
>
> Additionally, having the bits grouped into words makes a more serious
> recovery easier. If you lose one entire word, it can be brute forced
> in about 5 minutes on a normal pc, even if you don't know which
> position the missing word is in (I have published a tool that does
> just this: https://jmacwhyte.github.io/recovery-phrase-recovery). If
> you are missing two words, you can brute force it in about a week
> (napkin math).
>
> If you were missing a random chunk of a hex string, I don't know how
> you'd go about brute forcing that in a timely manner.
>
> As an aside, from a UX standpoint we've seen that the 12 words don't
> *look* important so people don't take them seriously (and they get
> lost). A hex string or equivalent would look more password-y, and
> therefore would most likely be better protected by users.
>
> James



* Re: [bitcoin-dev] BIP39 seeds
From: James MacWhyte @ 2018-12-26 18:54 UTC
  To: Aymeric VITTE; +Cc: Bitcoin Protocol Discussion


On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte <vitteaymeric@gmail•com>
wrote:

> so, even with a tool like yours, they can be misled, for example trying
> a few words to replace the missing/incorrect one, get a valid seed and stay
> stuck with it forever trying to play with BIP44/49 to find their keys
>

Just a small detail, but my tool actually looks up all the possible
combinations and then finds which one has been used before by looking for
past transactions on the blockchain. Therefore, it won't tell you your
phrase is correct unless it is a phrase that has actually been used before
(preventing what you described).

Using some algorithm to take some input and generate a bip39 phrase that
you can use with any bip39 wallet sounds perfectly reasonable.


* Re: [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2018-12-27 11:04 UTC
  To: James MacWhyte; +Cc: Bitcoin Protocol Discussion



Le 26/12/2018 à 19:54, James MacWhyte a écrit :
>
> On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte <vitteaymeric@gmail•com
> <mailto:vitteaymeric@gmail•com>> wrote:
>
>     so, even with a tool like yours, they can be misled, for
>     example trying a few words to replace the missing/incorrect one,
>     get a valid seed and stay stuck with it forever trying to play
>     with BIP44/49 to find their keys
>
>
> Just a small detail, but my tool actually looks up all the possible
> combinations and then finds which one has been used before by looking
> for past transactions on the blockchain. Therefore, it won't tell you
> your phrase is correct unless it is a phrase that has actually been
> used before (preventing what you described).

I saw that your tool was querying blockchain.info, but it cannot guess
what derivation path was used and if it is a standard one what addresses
were used, and even if successful it works only for bitcoin (so maybe it
should just output the ~1500 possible phrases and/or xprv, and be
completely offline, this is still doable for people)

>
> Using some algorithm to take some input and generate a bip39 phrase
> that you can use with any bip39 wallet sounds perfectly reasonable.

I forgot to mention that this can help also solving the "what if
something happens to me" case giving to the family the seed and the
parameter(s) for the derivation path, or an easy way to find it (better
than something like: remind this passphrase, take the sha256 of it, then
use some other stuff to find the encryption algo, take n bytes of the
hash, use it to decode my wallet or my seed... and then everybody
looking at you like crazy)


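The ratios Pavol gives above (1:16 for 12 words, 1:256 for 24), the one-missing-word brute force James describes and the "~1500 possible phrases" Aymeric mentions all follow from the number of checksum bits a phrase carries: a phrase of n words has n*11 bits, of which n*11/33 are checksum (4 for 12 words, 8 for 24), so a uniformly random phrase passes with probability 2^-4 or 2^-8. The Python below is an added example, not code from the thread or from any poster's tool; it works on 11-bit word indices instead of words so it needs no wordlist file (index i stands for the i-th word of any BIP39 wordlist), and the 128-bit entropy used for the missing-word run is constructed (bytes 0..15), not a real seed. Only the two all-zero entropies used for sanity checks correspond to published BIP39 vectors ("abandon" x11 "about" and "abandon" x23 "art").

```python
# Added example (not from the thread): BIP39 checksum arithmetic on word indices.
import hashlib
import random

WORD_BITS = 11
WORDLIST_SIZE = 1 << WORD_BITS  # 2048


def entropy_to_indices(entropy: bytes) -> list:
    """BIP39 'Generating the mnemonic': append ENT/32 checksum bits (the leading
    bits of SHA-256(entropy)) and cut the result into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits % 32 or not 128 <= ent_bits <= 256:
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // WORD_BITS
    return [(combined >> (WORD_BITS * (n_words - 1 - i))) & (WORDLIST_SIZE - 1)
            for i in range(n_words)]


def indices_valid(indices) -> bool:
    """Recompute the checksum from the phrase and compare (what a wallet does on import)."""
    n = len(indices)
    if n not in (12, 15, 18, 21, 24) or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        return False
    cs_bits = n * WORD_BITS // 33          # 4 bits for 12 words, 8 bits for 24
    ent_bits = n * WORD_BITS - cs_bits
    combined = 0
    for i in indices:
        combined = (combined << WORD_BITS) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    return combined & ((1 << cs_bits) - 1) == expected


def expected_valid_ratio(n_words: int) -> float:
    """A random phrase passes iff its cs_bits checksum bits match: probability 2^-cs_bits."""
    return 1.0 / (1 << (n_words * WORD_BITS // 33))


def sampled_valid_ratio(n_words: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of expected_valid_ratio with uniformly random word indices."""
    rng = random.Random(seed)   # seeded so the estimate is reproducible
    hits = sum(indices_valid([rng.randrange(WORDLIST_SIZE) for _ in range(n_words)])
               for _ in range(trials))
    return hits / trials


def missing_word_candidates(known: list) -> list:
    """One word lost at an unknown position: try every (position, word) pair and keep
    the phrases that pass the checksum. For 12 words that is 12*2048 tries, of which
    about 1/16 survive, so the checksum alone still leaves ~1500 candidates."""
    n = len(known) + 1
    seen = set()
    out = []
    for pos in range(n):
        for idx in range(WORDLIST_SIZE):
            cand = tuple(known[:pos] + [idx] + known[pos:])
            if cand not in seen and indices_valid(cand):
                seen.add(cand)
                out.append(list(cand))
    return out


if __name__ == "__main__":
    for n in (12, 24):
        print(n, "words: expected", expected_valid_ratio(n),
              "sampled", sampled_valid_ratio(n, 20000))
    phrase = entropy_to_indices(bytes(range(16)))       # constructed 128-bit entropy
    cands = missing_word_candidates(phrase[:5] + phrase[6:])
    print(len(cands), "checksum-valid candidates; real phrase present:", phrase in cands)
```

The checksum is a typo detector, not an authenticator: with one word lost from a 12-word phrase, roughly 1500 of the 24576 possible repairs pass it, and nothing in the phrase itself says which of them is the original. Telling them apart needs an external oracle, such as the chain lookup James's tool does or the owner's known derivation path and first address.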

* Re: [bitcoin-dev] BIP39 seeds
From: Alan Evans @ 2018-12-31 16:52 UTC
  To: Aymeric Vitte, Bitcoin Protocol Discussion


> Using some algorithm to take some input and generate a bip39 phrase that
you can use with any bip39 wallet sounds perfectly reasonable.

I think any method that doesn't use real entropy, but some fake source of
randomness, such as a book is asking to be hacked and so is not a
reasonable idea.

If an algorithm for book text to BIP39 sentence ever became well used,
common books will be systematically searched for accounts. People will also
choose their favourite passages, so I would expect to see collisions.

You should also note that BIP39 does not need input that is from the word
list. You can use any text as its input, the word list and checksum check
is just recommended to be a warning, but again, text chosen from public
sources or common phrases is a bad idea for many reasons.

From BIP0039:
> The conversion of the mnemonic sentence to a binary seed is completely
independent from generating the sentence. This results in rather simple
code; there are no constraints on sentence structure and clients are free
to implement their own wordlists or even whole sentence generators,
allowing for flexibility in wordlists for typo detection or other purposes.
> Although using a mnemonic not generated by the algorithm described in
"Generating the mnemonic" section is possible, this is not advised and
software must compute a checksum for the mnemonic sentence using a wordlist
and issue a warning if it is invalid.

What you could do is use a regular true random BIP39 sentence in
conjunction with a phrase from a book as the "passphrase" giving you that
plausible deniability, right up to the point you put that in your will or
tell someone, i.e. for the "what if something happens to me" case. Though I
still think redirecting people to a book phrase is risky for this, e.g.
books have editions, there may be a change in the key place.

From BIP0039:
> The described method also provides plausible deniability, because every
passphrase generates a valid seed (and thus a deterministic wallet) but
only the correct one will make the desired wallet available.

Alan

P.S. "I have seen many people completely lost with their wallets because of
[BIP39]": I would say "despite" not "because". These people would have
lost/misrecorded a BIP32 hex seed as well.


On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

>
> Le 26/12/2018 à 19:54, James MacWhyte a écrit :
>
>
> On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte <vitteaymeric@gmail•com>
> wrote:
>
>> so, even with a tool like yours, they can be misled, for example
>> trying a few words to replace the missing/incorrect one, get a valid seed
>> and stay stuck with it forever trying to play with BIP44/49 to find their
>> keys
>>
>
> Just a small detail, but my tool actually looks up all the possible
> combinations and then finds which one has been used before by looking for
> past transactions on the blockchain. Therefore, it won't tell you your
> phrase is correct unless it is a phrase that has actually been used before
> (preventing what you described).
>
> I saw that your tool was querying blockchain.info, but it cannot guess
> what derivation path was used and if it is a standard one what addresses
> were used, and even if successful it works only for bitcoin (so maybe it
> should just output the ~1500 possible phrases and/or xprv, and be
> completely offline, this is still doable for people)
>
>
> Using some algorithm to take some input and generate a bip39 phrase that
> you can use with any bip39 wallet sounds perfectly reasonable.
>
> I forgot to mention that this can help also solving the "what if something
> happens to me" case giving to the family the seed and the parameter(s) for
> the derivation path, or an easy way to find it (better than something like:
> remind this passphrase, take the sha256 of it, then use some other stuff to
> find the encryption algo, take n bytes of the hash, use it to decode my
> wallet or my seed... and then everybody looking at you like crazy)

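The two BIP39 passages Alan quotes describe the "From mnemonic to seed" step: the sentence is only the password of a PBKDF2 run, the wordlist and checksum are not consulted, and the passphrase goes into the salt, so any sentence with any passphrase yields a well-formed seed and only the right one reaches the funded wallet. The Python below is an added example, not code from the thread; the mnemonic is the all-"abandon" BIP39 reference vector, the expected seed for passphrase "TREZOR" is the published vector for it, and the other passphrases and the non-wordlist sentence are constructed for the demonstration.

```python
# Added example (not from the thread): the BIP39 "mnemonic -> seed" step.
# The sentence is only a PBKDF2 password; neither wordlist nor checksum is consulted.
import hashlib
import unicodedata

PBKDF2_ROUNDS = 2048
SALT_PREFIX = "mnemonic"

# Published BIP39 reference vector: entropy 0x00*16, passphrase "TREZOR".
REFERENCE_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
REFERENCE_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                      "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, password = NFKD(mnemonic),
    salt = NFKD("mnemonic" + passphrase), 64-byte output (BIP39 section
    'From mnemonic to seed'). No validation of the sentence happens here."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", SALT_PREFIX + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def matches_reference_vector() -> bool:
    """Self-check against the published vector before trusting the routine."""
    return mnemonic_to_seed(REFERENCE_MNEMONIC, "TREZOR").hex() == REFERENCE_SEED_HEX


def seeds_per_passphrase(mnemonic: str, passphrases) -> dict:
    """Same written sentence, one distinct wallet seed per passphrase. Nothing in
    the sentence (or in any seed) indicates which passphrase, if any, is the real one."""
    return {p: mnemonic_to_seed(mnemonic, p) for p in passphrases}


if __name__ == "__main__":
    print("reference vector ok:", matches_reference_vector())
    # Constructed passphrases: none (decoy wallet), the vector's, and a "book line".
    for p, seed in seeds_per_passphrase(
            REFERENCE_MNEMONIC, ["", "TREZOR", "Call me Ishmael."]).items():
        print(repr(p), seed.hex()[:16] + "...")
    # A sentence on no wordlist derives just as well; only the checksum warning
    # that BIP39 asks wallets to emit would flag it.
    print(mnemonic_to_seed("it was the best of times").hex()[:16] + "...")
```

Two practical consequences follow. The deniability Alan describes rests entirely on the passphrase being unguessable and never written next to the sentence, since a wallet with the sentence alone can simply try candidate passphrases at 2048 PBKDF2 rounds each. And the NFKD step matters for recovery: a passphrase typed with composed versus decomposed accented characters on two devices still derives the same seed only because both sides normalise first.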

* Re: [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2019-01-01 19:44 UTC
  To: Alan Evans, Bitcoin Protocol Discussion


You are simplifying too much what I am suggesting

What I am suggesting is: set a derivation method for BIP39 like for 
BIP32 (having the seed for BIP32 and not the derivation path is just 
like having nothing) and use this derivation method from a "book" (a 
"book" being a book, a document, a link, an image, whatever your secret 
can be), based on the fact that you will easily find from this 
derivation method "valid" BIP39 seeds (even if BIP39 does not enforce 
anything regarding valid phrases, everything can be valid as you 
mention, and this does not help in fact)

The derivation method will just define the way you select the words in 
the secret, and if everybody chooses the bible as the secret then this 
will not change the fact that it will be impossible to find the real 
seed without knowing the derivation path

Then you don't need to write the seed, you can easily plausibly deny it, 
you can easily pass it to the family (using a passphrase does not say to 
them where they are supposed to use it)

"people lost"--> people think that there is some magic with BIP39 that 
will save them whatever they do (ie they don't even care of managing 
correctly the many easy to generate BIP39 seeds they are using) where 
they will always recover their seed and keys from BIP39/44/49, of course 
this does not work at all


Le 31/12/2018 à 17:52, Alan Evans a écrit :
> > Using some algorithm to take some input and generate a bip39 phrase 
> that you can use with any bip39 wallet sounds perfectly reasonable.
>
> I think any method that doesn't use real entropy, but some fake source 
> of randomness, such as a book is asking to be hacked and so is not a 
> reasonable idea.
>
> If an algorithm for book text to BIP39 sentence ever became well used, 
> common books will be systematically searched for accounts. People will 
> also choose their favourite passages, so I would expect to see collisions.
>
> You should also note that BIP39 does not need input that is from the 
> word list. You can use any text as its input, the word list and 
> checksum check is just recommended to be a warning, but again, text 
> chosen from public sources or common phrases is a bad idea for many 
> reasons.
>
> From BIP0039:
> > The conversion of the mnemonic sentence to a binary seed is 
> > completely independent from generating the sentence. This results in 
> > rather simple code; there are no constraints on sentence structure 
> > and clients are free to implement their own wordlists or even whole 
> > sentence generators, allowing for flexibility in wordlists for typo 
> > detection or other purposes.
> > Although using a mnemonic not generated by the algorithm described 
> > in "Generating the mnemonic" section is possible, this is not advised 
> > and software must compute a checksum for the mnemonic sentence using a 
> > wordlist and issue a warning if it is invalid.
>
> What you could do is use a regular true random BIP39 sentence in 
> conjunction with a phrase from a book as the "passphrase" giving you 
> that plausible deniability, right up to the point you put that in your 
> will or tell someone, i.e. for the "what if something happens to me" 
> case. Though I still think redirecting people to a book phrase is risky 
> for this, e.g. books have editions, there may be a change in the key 
> place.
>
> From BIP0039:
> > The described method also provides plausible deniability, because 
> > every passphrase generates a valid seed (and thus a deterministic 
> > wallet) but only the correct one will make the desired wallet available.
>
> Alan
>
> P.S. "I have seen many people completely lost with their wallets 
> because of [BIP39]": I would say "despite" not "because". These people 
> would have lost/misrecorded a BIP32 hex seed as well.
>
>
> On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev 
> <bitcoin-dev@lists•linuxfoundation.org 
> <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>
>
>     Le 26/12/2018 à 19:54, James MacWhyte a écrit :
>>
>>     On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte
>>     <vitteaymeric@gmail•com <mailto:vitteaymeric@gmail•com>> wrote:
>>
>>         so, even with a tool like yours, they can be misled, for
>>         example trying a few words to replace the missing/incorrect
>>         one, get a valid seed and stay stuck with it forever trying
>>         to play with BIP44/49 to find their keys
>>
>>
>>     Just a small detail, but my tool actually looks up all the
>>     possible combinations and then finds which one has been used
>>     before by looking for past transactions on the blockchain.
>>     Therefore, it won't tell you your phrase is correct unless it is
>>     a phrase that has actually been used before (preventing what you
>>     described).
>
>     I saw that your tool was querying blockchain.info
>     <http://blockchain.info>, but it cannot guess what derivation path
>     was used and if it is a standard one what addresses were used, and
>     even if successful it works only for bitcoin (so maybe it should
>     just output the ~1500 possible phrases and/or xprv, and be
>     completely offline, this is still doable for people)
>
>>
>>     Using some algorithm to take some input and generate a bip39
>>     phrase that you can use with any bip39 wallet sounds perfectly
>>     reasonable.
>
>     I forgot to mention that this can help also solving the "what if
>     something happens to me" case giving to the family the seed and
>     the parameter(s) for the derivation path, or an easy way to find
>     it (better than something like: remind this passphrase, take the
>     sha256 of it, then use some other stuff to find the encryption
>     algo, take n bytes of the hash, use it to decode my wallet or my
>     seed... and then everybody looking at you like crazy)
>



* Re: [bitcoin-dev] BIP39 seeds
From: James MacWhyte @ 2019-01-02 18:06 UTC
  To: thealanevans, Bitcoin Protocol Discussion


On Wed, Jan 2, 2019 at 3:40 AM Alan Evans via bitcoin-dev <
bitcoin-dev@lists•linuxfoundation.org> wrote:

>
> I think any method that doesn't use real entropy, but some fake source of
> randomness, such as a book is asking to be hacked and so is not a
> reasonable idea.
>
> If an algorithm for book text to BIP39 sentence ever became well used,
> common books will be systematically searched for accounts. People will also
> choose their favourite passages, so I would expect to see collisions.
>
>
I tend to have this conversation a lot ;) I'm not sure what Aymeric has in
mind, but my suggestions are for use by the small few who properly
understand how these things work. I am not suggesting blockchain.info
require every user to choose a book passage to use as their backup phrase!

There are so many small things that could be done to make a text input
unique. Choose the X number of words from the start of the Nth sentence.
Replace all punctuation with exclamation points. Combine two sentences from
different pages. It would be nigh impossible to brute force any of these,
and would require hints/instructions from the owner to recover.

But I admit if this is not intended for standardization, discussing it on
this mailing list is probably unwarranted.


* Re: [bitcoin-dev] BIP39 seeds
From: Aymeric Vitte @ 2019-01-04 0:02 UTC
  To: James MacWhyte, Bitcoin Protocol Discussion, thealanevans


What I have in mind is in my latest reply (difficult to have some kind
of fluent discussions on this list given the moderation and delayed posts)

I would just add that the derivation method (indeed something like what
you are sketching below) should estimate that there is enough entropy
from the secret, if not just throw

Le 02/01/2019 à 19:06, James MacWhyte via bitcoin-dev a écrit :
> On Wed, Jan 2, 2019 at 3:40 AM Alan Evans via bitcoin-dev
> <bitcoin-dev@lists•linuxfoundation.org
> <mailto:bitcoin-dev@lists•linuxfoundation.org>> wrote:
>
>
>     I think any method that doesn't use real entropy, but some fake
>     source of randomness, such as a book is asking to be hacked and so
>     is not a reasonable idea.
>
>     If an algorithm for book text to BIP39 sentence ever became well
>     used, common books will be systematically searched for accounts.
>     People will also choose their favourite passages, so I would
>     expect to see collisions.
>
>
> I tend to have this conversation a lot ;) I'm not sure what Aymeric
> has in mind, but my suggestions are for use by the small few who
> properly understand how these things work. I am not suggesting
> blockchain.info <http://blockchain.info> require every user to choose
> a book passage to use as their backup phrase!
>
> There are so many small things that could be done to make a text input
> unique. Choose the X number of words from the start of the Nth
> sentence. Replace all punctuation with exclamation points. Combine two
> sentences from different pages. It would be nigh impossible to brute
> force any of these, and would require hints/instructions from the
> owner to recover.
>
> But I admit if this is not intended for standardization, discussing it
> on this mailing list is probably unwarranted.
>


