* [bitcoin-dev] Proposal for an Informational BIP
@ 2021-05-08 15:21 BitPLATES® (Chris)
2021-05-09 7:24 ` Tobias Kaupat
[not found] ` <CAC0TF=m+Cg_LKz0vSuTb-xg6qY1GbeGMjaXa0bgoiLqtCbMikQ@mail.gmail.com>
0 siblings, 2 replies; 7+ messages in thread
From: BitPLATES® (Chris) @ 2021-05-08 15:21 UTC (permalink / raw)
To: bitcoin-dev
[-- Attachment #1: Type: text/plain, Size: 5359 bytes --]
Hi,
I'd like to submit an idea for review, as a potential informational BIP
(Bitcoin Improvement Proposal), describing an optional method of producing
a BIP39 passphrase, using only BIP39 'mnemonic' seed words.
The idea specifically refers to a method of introducing two-factor
authentication, to protect a Bitcoin wallet using only 24 seed words, and
therefore, providing plausible deniability about the existence of this
separate 2nd layer passphrase.
I've suggested the name 'quantum' passphrase to be used casually as a
unique identifier.
The data stored within a 'quantum' passphrase, is simultaneously the
minimum required data for reproducing a BIP39-compatible 24-word seed
mnemonic... hence, the name 'quantum' seems fitting, to reflect the
multiple simultaneous states of data.
Abstract...
This improvement proposal describes the use of twenty four, newly generated
BIP39 seed words, to produce a '25th-word' BIP39-compatible 'quantum'
passphrase.
Two-factor authentication (2FA) or (2 of 2 multi-signature) can be
implemented with a two-wallet setup:
The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin
wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words of
the 1st Bitcoin wallet.
The 'quantum' passphrase offers an exponential increase in the level of
protection, as that offered by the original BIP39 mnemonic seed words
(≈2048^23 possible combinations).
ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected by
2048^23 to the power of 2048^23 possible combinations.
With existing computer capabilities, this level of protection is far
greater than required; however, this does provide a sufficient level of
protection for each separate layer of a two-factor Bitcoin wallet, should
any one layer be accidentally exposed.
This method of passphrase generation, consists of two parts:
1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible
hardware wallet.
2nd - Converting these seed words into the 'quantum' passphrase, following
four simple rules, which most importantly, do not destroy the integrity of
the initial data.
Motivation...
The well established practice of preserving up to 24 seed words for the
purpose of reproduction of a Bitcoin wallet, suffers from a major flaw...
Exposure of these mnemonic seed words can cause catastrophic loss of funds
without adequate multi-factor protection.
Whilst it is recognised that a number of multi-factor solutions are
available (including the standard BIP39 passphrase, and hardware wallet
multi-signature functionality), this proposal aims to provide an extremely
safe and secure 'low-tech' option, that requires minimal (non-destructive)
adjustments to the seed words.
Furthermore, the 'quantum' passphrase offers a number advantages over the
existing methods of multi-factor protection:
Firstly, this method of creating a passphrase leaves no evidence of its
existence on any backup devices, providing plausible deniability in case of
coercion.
This is because the passphrase is easily created from a genuine 24 seed
word mnemonic; therefore, the physical backup of the passphrase can be
disguised as a simple Bitcoin wallet on a metal backup plate.
It presents a way of discouraging user-created words or sentences (also
known as 'brain-wallets'), which often provide a drastically reduced level
of passphrase security, unbeknown to many users.
The large amount of data required to produce a 'quantum' passphrase (up to
96 characters long), encourages the physical backup of the passphrase.
Furthermore, the use of BIP39-only words provides a higher degree of
standardization, which can help to avoid potential mistakes made by
creating unnecessarily complicated combinations of letters, numbers and
symbols. Increased complication (disorderly, and non-human-friendly), does
not always equal increased complexity (orderly, and more human-friendly),
or increased security.
As previously mentioned, a two-wallet configuration provides the user an
opportunity to safely split the two factors of protection (equivalent to a
2 of 2 'multi-sig' setup).
If a BIP39-compatible passphrase is created using a new set of 24 seed
words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or
10⁷⁶ possible combinations of words).
The strength of this 2nd factor solution, provides adequate
risk-management, when considering the production of multiple backup
devices, strategically stored in multiple geographical locations.
Generating the 'quantum' passphrase...
Following just four (non-destructive) BIP39-compatible rules, the 24 seed
words can also function as a 'quantum' passphrase:
1 . Only BIP39 words
(Standard list of 2048 English words - other languages should be compatible)
2 . Only the first four letters of each word
(BIP39 words require only this data for reproduction)
3 . Only upper case letters
(All alphabet references use this standard format)
4 . No spaces between words
(Spaces represent an additional unit of data, that is not recorded)
In essence, the 'quantum' passphrase is simply a single string of all 24
seed words, set out using the above rules.
I welcome a productive technical discussion.
Thanks,
Chris Johnston
[-- Attachment #2: Type: text/html, Size: 7212 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [bitcoin-dev] Proposal for an Informational BIP 2021-05-08 15:21 [bitcoin-dev] Proposal for an Informational BIP BitPLATES® (Chris) @ 2021-05-09 7:24 ` Tobias Kaupat 2021-05-09 8:29 ` BitPLATES (Chris) [not found] ` <CAC0TF=m+Cg_LKz0vSuTb-xg6qY1GbeGMjaXa0bgoiLqtCbMikQ@mail.gmail.com> 1 sibling, 1 reply; 7+ messages in thread From: Tobias Kaupat @ 2021-05-09 7:24 UTC (permalink / raw) To: BitPLATES® (Chris), Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 6785 bytes --] Hello Chris, Isn't your suggestion already covered by BIP39 since there is not restriction in how you choose your passphrase? It's up to any user to choose his password like you propose. I see your proposal more like a way to choose my password rather than anything that needs to be implemented somewhere. Don't I have plausible deniability already with any other password that I keep in mind, since the seed without the password is already a valid address? One issue might be, that the passphrase is part of the mnemonic. A hardware wallet needs the passphrase to generate the complete mnemonic (changing the password does change the resulting seed). Thus you get a chicken-egg problem, at least for some implementations. Probably you could use the restore feature to work around this - but it's one step more that should be mentioned. Kind regards Tobias BitPLATES® (Chris) via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> schrieb am Sa., 8. Mai 2021, 17:21: > Hi, > > I'd like to submit an idea for review, as a potential informational BIP > (Bitcoin Improvement Proposal), describing an optional method of producing > a BIP39 passphrase, using only BIP39 'mnemonic' seed words. > > The idea specifically refers to a method of introducing two-factor > authentication, to protect a Bitcoin wallet using only 24 seed words, and > therefore, providing plausible deniability about the existence of this > separate 2nd layer passphrase. > > I've suggested the name 'quantum' passphrase to be used casually as a > unique identifier. > > The data stored within a 'quantum' passphrase, is simultaneously the > minimum required data for reproducing a BIP39-compatible 24-word seed > mnemonic... hence, the name 'quantum' seems fitting, to reflect the > multiple simultaneous states of data. > > Abstract... > > This improvement proposal describes the use of twenty four, newly > generated BIP39 seed words, to produce a '25th-word' BIP39-compatible > 'quantum' passphrase. > > Two-factor authentication (2FA) or (2 of 2 multi-signature) can be > implemented with a two-wallet setup: > > The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin > wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words of > the 1st Bitcoin wallet. > > The 'quantum' passphrase offers an exponential increase in the level of > protection, as that offered by the original BIP39 mnemonic seed words > (≈2048^23 possible combinations). > > ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected by > 2048^23 to the power of 2048^23 possible combinations. > > With existing computer capabilities, this level of protection is far > greater than required; however, this does provide a sufficient level of > protection for each separate layer of a two-factor Bitcoin wallet, should > any one layer be accidentally exposed. > > This method of passphrase generation, consists of two parts: > > 1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible > hardware wallet. > > 2nd - Converting these seed words into the 'quantum' passphrase, following > four simple rules, which most importantly, do not destroy the integrity of > the initial data. > > Motivation... > > The well established practice of preserving up to 24 seed words for the > purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... > Exposure of these mnemonic seed words can cause catastrophic loss of funds > without adequate multi-factor protection. > > Whilst it is recognised that a number of multi-factor solutions are > available (including the standard BIP39 passphrase, and hardware wallet > multi-signature functionality), this proposal aims to provide an extremely > safe and secure 'low-tech' option, that requires minimal (non-destructive) > adjustments to the seed words. > > Furthermore, the 'quantum' passphrase offers a number advantages over the > existing methods of multi-factor protection: > > Firstly, this method of creating a passphrase leaves no evidence of its > existence on any backup devices, providing plausible deniability in case of > coercion. > > This is because the passphrase is easily created from a genuine 24 seed > word mnemonic; therefore, the physical backup of the passphrase can be > disguised as a simple Bitcoin wallet on a metal backup plate. > > It presents a way of discouraging user-created words or sentences (also > known as 'brain-wallets'), which often provide a drastically reduced level > of passphrase security, unbeknown to many users. > > The large amount of data required to produce a 'quantum' passphrase (up to > 96 characters long), encourages the physical backup of the passphrase. > > Furthermore, the use of BIP39-only words provides a higher degree of > standardization, which can help to avoid potential mistakes made by > creating unnecessarily complicated combinations of letters, numbers and > symbols. Increased complication (disorderly, and non-human-friendly), does > not always equal increased complexity (orderly, and more human-friendly), > or increased security. > > As previously mentioned, a two-wallet configuration provides the user an > opportunity to safely split the two factors of protection (equivalent to a > 2 of 2 'multi-sig' setup). > > If a BIP39-compatible passphrase is created using a new set of 24 seed > words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or > 10⁷⁶ possible combinations of words). > > The strength of this 2nd factor solution, provides adequate > risk-management, when considering the production of multiple backup > devices, strategically stored in multiple geographical locations. > > Generating the 'quantum' passphrase... > > Following just four (non-destructive) BIP39-compatible rules, the 24 seed > words can also function as a 'quantum' passphrase: > > 1 . Only BIP39 words > (Standard list of 2048 English words - other languages should be > compatible) > > 2 . Only the first four letters of each word > (BIP39 words require only this data for reproduction) > > 3 . Only upper case letters > (All alphabet references use this standard format) > > 4 . No spaces between words > (Spaces represent an additional unit of data, that is not recorded) > > In essence, the 'quantum' passphrase is simply a single string of all 24 > seed words, set out using the above rules. > > I welcome a productive technical discussion. > > Thanks, > > Chris Johnston > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists•linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > [-- Attachment #2: Type: text/html, Size: 9256 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [bitcoin-dev] Proposal for an Informational BIP 2021-05-09 7:24 ` Tobias Kaupat @ 2021-05-09 8:29 ` BitPLATES (Chris) 2021-05-09 22:53 ` Tobias Kaupat 0 siblings, 1 reply; 7+ messages in thread From: BitPLATES (Chris) @ 2021-05-09 8:29 UTC (permalink / raw) To: Tobias Kaupat; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 10049 bytes --] Hi Tobias, In answer to your questions... "Isn't your suggestion already covered by BIP39 since there is not restriction in how you choose your passphrase?" - Correct, my idea is covered by BIP39, and therefore compatible with BIP39... I see the 'quantum' passphrase as an optional 'soft fork' leading towards a more restricted choice of characters, rather than the fuller, less restrictive choice of characters. "It's up to any user to choose his password like you propose. I see your proposal more like a way to choose my password rather than anything that needs to be implemented somewhere." - Correct also, my proposal is for an Informational BIP to educate users how to create a 'quantum' passphrase, which provides the same high degree of protection (2048^23 combinations) as the original 1st layer mnemonic seed words. Should their 24 seed words be compromised (or posted on the internet), this extreme level of protection would make it impossible to brute-force the wallet without the 'quantum' passphrase. "Don't I have plausible deniability already with any other password that I keep in mind, since the seed without the password is already a valid address?" - No, because an unrestricted passphrase may contain characters different to those allowed by the 'quantum' passphrase. Memorisation of the 2nd layer passphrase is very dangerous, whereby, an unfortunate accident could leave your family without access to their inherence. The 'quantum' passphrase encourages the use of multiple metal backup storage devices, but anything more that A-Z (upper case only), would not be disguised as a 24 word seed. Therefore, discovery of a backup device with the extra, unrestricted characters that don't also open a (sacrificial) wallet, will be recognised as a 2nd layer passphrase... This is when the $5 wrench is brought to the table to extract the 1st layer seed words. "One issue might be, that the passphrase is part of the mnemonic. A hardware wallet needs the passphrase to generate the complete mnemonic (changing the password does change the resulting seed). Thus you get a chicken-egg problem, at least for some implementations. Probably you could use the restore feature to work around this - but it's one step more that should be mentioned." - I'm not sure that I fully understand this last paragraph of your email, but just to be clear, the 'quantum' passphrase is made from the 24 seed words of a separate wallet. This is essentially the 2nd layer (or 2nd signing key) to add to the 1st layer (or 1st signing key) required to complete the full mnemonic, which then provides access to the passphrase-protected wallet. eg. The 1st Bitcoin wallet is protected by a 'quantum' passphrase, containing the seed words of the 2nd Bitcoin wallet; inversely, the 2nd Bitcoin wallet is protected by a 'quantum' passphrase, containing the seed words of the 1st Bitcoin wallet. Thank you for your thoughts. Regards, Chris On Sun, 9 May 2021, 08:24 Tobias Kaupat, <Tobias@kaupat-hh•de> wrote: > Hello Chris, > Isn't your suggestion already covered by BIP39 since there is not > restriction in how you choose your passphrase? > > It's up to any user to choose his password like you propose. I see your > proposal more like a way to choose my password rather than anything that > needs to be implemented somewhere. > > Don't I have plausible deniability already with any other password that I > keep in mind, since the seed without the password is already a valid > address? > > One issue might be, that the passphrase is part of the mnemonic. A > hardware wallet needs the passphrase to generate the complete mnemonic > (changing the password does change the resulting seed). Thus you get a > chicken-egg problem, at least for some implementations. Probably you could > use the restore feature to work around this - but it's one step more that > should be mentioned. > > > Kind regards > Tobias > > > > > BitPLATES® (Chris) via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> > schrieb am Sa., 8. Mai 2021, 17:21: > >> Hi, >> >> I'd like to submit an idea for review, as a potential informational BIP >> (Bitcoin Improvement Proposal), describing an optional method of producing >> a BIP39 passphrase, using only BIP39 'mnemonic' seed words. >> >> The idea specifically refers to a method of introducing two-factor >> authentication, to protect a Bitcoin wallet using only 24 seed words, and >> therefore, providing plausible deniability about the existence of this >> separate 2nd layer passphrase. >> >> I've suggested the name 'quantum' passphrase to be used casually as a >> unique identifier. >> >> The data stored within a 'quantum' passphrase, is simultaneously the >> minimum required data for reproducing a BIP39-compatible 24-word seed >> mnemonic... hence, the name 'quantum' seems fitting, to reflect the >> multiple simultaneous states of data. >> >> Abstract... >> >> This improvement proposal describes the use of twenty four, newly >> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible >> 'quantum' passphrase. >> >> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be >> implemented with a two-wallet setup: >> >> The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin >> wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words of >> the 1st Bitcoin wallet. >> >> The 'quantum' passphrase offers an exponential increase in the level of >> protection, as that offered by the original BIP39 mnemonic seed words >> (≈2048^23 possible combinations). >> >> ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected by >> 2048^23 to the power of 2048^23 possible combinations. >> >> With existing computer capabilities, this level of protection is far >> greater than required; however, this does provide a sufficient level of >> protection for each separate layer of a two-factor Bitcoin wallet, should >> any one layer be accidentally exposed. >> >> This method of passphrase generation, consists of two parts: >> >> 1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible >> hardware wallet. >> >> 2nd - Converting these seed words into the 'quantum' passphrase, >> following four simple rules, which most importantly, do not destroy the >> integrity of the initial data. >> >> Motivation... >> >> The well established practice of preserving up to 24 seed words for the >> purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... >> Exposure of these mnemonic seed words can cause catastrophic loss of funds >> without adequate multi-factor protection. >> >> Whilst it is recognised that a number of multi-factor solutions are >> available (including the standard BIP39 passphrase, and hardware wallet >> multi-signature functionality), this proposal aims to provide an extremely >> safe and secure 'low-tech' option, that requires minimal (non-destructive) >> adjustments to the seed words. >> >> Furthermore, the 'quantum' passphrase offers a number advantages over the >> existing methods of multi-factor protection: >> >> Firstly, this method of creating a passphrase leaves no evidence of its >> existence on any backup devices, providing plausible deniability in case of >> coercion. >> >> This is because the passphrase is easily created from a genuine 24 seed >> word mnemonic; therefore, the physical backup of the passphrase can be >> disguised as a simple Bitcoin wallet on a metal backup plate. >> >> It presents a way of discouraging user-created words or sentences (also >> known as 'brain-wallets'), which often provide a drastically reduced level >> of passphrase security, unbeknown to many users. >> >> The large amount of data required to produce a 'quantum' passphrase (up >> to 96 characters long), encourages the physical backup of the passphrase. >> >> Furthermore, the use of BIP39-only words provides a higher degree of >> standardization, which can help to avoid potential mistakes made by >> creating unnecessarily complicated combinations of letters, numbers and >> symbols. Increased complication (disorderly, and non-human-friendly), does >> not always equal increased complexity (orderly, and more human-friendly), >> or increased security. >> >> As previously mentioned, a two-wallet configuration provides the user an >> opportunity to safely split the two factors of protection (equivalent to a >> 2 of 2 'multi-sig' setup). >> >> If a BIP39-compatible passphrase is created using a new set of 24 seed >> words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or >> 10⁷⁶ possible combinations of words). >> >> The strength of this 2nd factor solution, provides adequate >> risk-management, when considering the production of multiple backup >> devices, strategically stored in multiple geographical locations. >> >> Generating the 'quantum' passphrase... >> >> Following just four (non-destructive) BIP39-compatible rules, the 24 seed >> words can also function as a 'quantum' passphrase: >> >> 1 . Only BIP39 words >> (Standard list of 2048 English words - other languages should be >> compatible) >> >> 2 . Only the first four letters of each word >> (BIP39 words require only this data for reproduction) >> >> 3 . Only upper case letters >> (All alphabet references use this standard format) >> >> 4 . No spaces between words >> (Spaces represent an additional unit of data, that is not recorded) >> >> In essence, the 'quantum' passphrase is simply a single string of all 24 >> seed words, set out using the above rules. >> >> I welcome a productive technical discussion. >> >> Thanks, >> >> Chris Johnston >> >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > [-- Attachment #2: Type: text/html, Size: 13366 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [bitcoin-dev] Proposal for an Informational BIP 2021-05-09 8:29 ` BitPLATES (Chris) @ 2021-05-09 22:53 ` Tobias Kaupat 2021-05-10 6:30 ` BitPLATES (Chris) 0 siblings, 1 reply; 7+ messages in thread From: Tobias Kaupat @ 2021-05-09 22:53 UTC (permalink / raw) To: BitPLATES (Chris); +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 11147 bytes --] Hi Chris, thanks for the clarification. It makes sense so far. About the "chicken - egg" problem: When you generate a BIP39 mnemonic "A" without password, you get a Seed "As" from which you derive your private key. Using the same mnemonic with a passphrase will give you a different seed "As*" with a different private and public key. Now your process must look like: - Generate mnemonic A without password (will never be used) - Generate mnemonic B* using words from A as password - Generate mnemonic A* using words from B* as password That's just an implementation detail but might have impact on the actual process, depending on the wallet you are using. Hope it's clear. Kind regards Tobias BitPLATES (Chris) <bitplates@marketnetworks•co.uk> schrieb am So., 9. Mai 2021, 10:29: > Hi Tobias, > > In answer to your questions... > > "Isn't your suggestion already covered by BIP39 since there is not > restriction in how you choose your passphrase?" > > - Correct, my idea is covered by BIP39, and therefore compatible with > BIP39... I see the 'quantum' passphrase as an optional 'soft fork' leading > towards a more restricted choice of characters, rather than the fuller, > less restrictive choice of characters. > > "It's up to any user to choose his password like you propose. I see your > proposal more like a way to choose my password rather than anything that > needs to be implemented somewhere." > > - Correct also, my proposal is for an Informational BIP to educate users > how to create a 'quantum' passphrase, which provides the same high degree > of protection (2048^23 combinations) as the original 1st layer mnemonic > seed words. Should their 24 seed words be compromised (or posted on the > internet), this extreme level of protection would make it impossible to > brute-force the wallet without the 'quantum' passphrase. > > "Don't I have plausible deniability already with any other password that I > keep in mind, since the seed without the password is already a valid > address?" > > - No, because an unrestricted passphrase may contain characters different > to those allowed by the 'quantum' passphrase. Memorisation of the 2nd layer > passphrase is very dangerous, whereby, an unfortunate accident could leave > your family without access to their inherence. The 'quantum' passphrase > encourages the use of multiple metal backup storage devices, but anything > more that A-Z (upper case only), would not be disguised as a 24 word seed. > Therefore, discovery of a backup device with the extra, unrestricted > characters that don't also open a (sacrificial) wallet, will be recognised > as a 2nd layer passphrase... This is when the $5 wrench is brought to the > table to extract the 1st layer seed words. > > "One issue might be, that the passphrase is part of the mnemonic. A > hardware wallet needs the passphrase to generate the complete mnemonic > (changing the password does change the resulting seed). Thus you get a > chicken-egg problem, at least for some implementations. Probably you could > use the restore feature to work around this - but it's one step more that > should be mentioned." > > - I'm not sure that I fully understand this last paragraph of your email, > but just to be clear, the 'quantum' passphrase is made from the 24 seed > words of a separate wallet. This is essentially the 2nd layer (or 2nd > signing key) to add to the 1st layer (or 1st signing key) required to > complete the full mnemonic, which then provides access to the > passphrase-protected wallet. > > eg. The 1st Bitcoin wallet is protected by a 'quantum' passphrase, > containing the seed words of the 2nd Bitcoin wallet; inversely, the 2nd > Bitcoin wallet is protected by a 'quantum' passphrase, containing the seed > words of the 1st Bitcoin wallet. > > Thank you for your thoughts. > > Regards, > > Chris > > > On Sun, 9 May 2021, 08:24 Tobias Kaupat, <Tobias@kaupat-hh•de> wrote: > >> Hello Chris, >> Isn't your suggestion already covered by BIP39 since there is not >> restriction in how you choose your passphrase? >> >> It's up to any user to choose his password like you propose. I see your >> proposal more like a way to choose my password rather than anything that >> needs to be implemented somewhere. >> >> Don't I have plausible deniability already with any other password that I >> keep in mind, since the seed without the password is already a valid >> address? >> >> One issue might be, that the passphrase is part of the mnemonic. A >> hardware wallet needs the passphrase to generate the complete mnemonic >> (changing the password does change the resulting seed). Thus you get a >> chicken-egg problem, at least for some implementations. Probably you could >> use the restore feature to work around this - but it's one step more that >> should be mentioned. >> >> >> Kind regards >> Tobias >> >> >> >> >> BitPLATES® (Chris) via bitcoin-dev <bitcoin-dev@lists•linuxfoundation.org> >> schrieb am Sa., 8. Mai 2021, 17:21: >> >>> Hi, >>> >>> I'd like to submit an idea for review, as a potential informational BIP >>> (Bitcoin Improvement Proposal), describing an optional method of producing >>> a BIP39 passphrase, using only BIP39 'mnemonic' seed words. >>> >>> The idea specifically refers to a method of introducing two-factor >>> authentication, to protect a Bitcoin wallet using only 24 seed words, and >>> therefore, providing plausible deniability about the existence of this >>> separate 2nd layer passphrase. >>> >>> I've suggested the name 'quantum' passphrase to be used casually as a >>> unique identifier. >>> >>> The data stored within a 'quantum' passphrase, is simultaneously the >>> minimum required data for reproducing a BIP39-compatible 24-word seed >>> mnemonic... hence, the name 'quantum' seems fitting, to reflect the >>> multiple simultaneous states of data. >>> >>> Abstract... >>> >>> This improvement proposal describes the use of twenty four, newly >>> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible >>> 'quantum' passphrase. >>> >>> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be >>> implemented with a two-wallet setup: >>> >>> The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin >>> wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words of >>> the 1st Bitcoin wallet. >>> >>> The 'quantum' passphrase offers an exponential increase in the level of >>> protection, as that offered by the original BIP39 mnemonic seed words >>> (≈2048^23 possible combinations). >>> >>> ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected >>> by 2048^23 to the power of 2048^23 possible combinations. >>> >>> With existing computer capabilities, this level of protection is far >>> greater than required; however, this does provide a sufficient level of >>> protection for each separate layer of a two-factor Bitcoin wallet, should >>> any one layer be accidentally exposed. >>> >>> This method of passphrase generation, consists of two parts: >>> >>> 1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible >>> hardware wallet. >>> >>> 2nd - Converting these seed words into the 'quantum' passphrase, >>> following four simple rules, which most importantly, do not destroy the >>> integrity of the initial data. >>> >>> Motivation... >>> >>> The well established practice of preserving up to 24 seed words for the >>> purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... >>> Exposure of these mnemonic seed words can cause catastrophic loss of funds >>> without adequate multi-factor protection. >>> >>> Whilst it is recognised that a number of multi-factor solutions are >>> available (including the standard BIP39 passphrase, and hardware wallet >>> multi-signature functionality), this proposal aims to provide an extremely >>> safe and secure 'low-tech' option, that requires minimal (non-destructive) >>> adjustments to the seed words. >>> >>> Furthermore, the 'quantum' passphrase offers a number advantages over >>> the existing methods of multi-factor protection: >>> >>> Firstly, this method of creating a passphrase leaves no evidence of its >>> existence on any backup devices, providing plausible deniability in case of >>> coercion. >>> >>> This is because the passphrase is easily created from a genuine 24 seed >>> word mnemonic; therefore, the physical backup of the passphrase can be >>> disguised as a simple Bitcoin wallet on a metal backup plate. >>> >>> It presents a way of discouraging user-created words or sentences (also >>> known as 'brain-wallets'), which often provide a drastically reduced level >>> of passphrase security, unbeknown to many users. >>> >>> The large amount of data required to produce a 'quantum' passphrase (up >>> to 96 characters long), encourages the physical backup of the passphrase. >>> >>> Furthermore, the use of BIP39-only words provides a higher degree of >>> standardization, which can help to avoid potential mistakes made by >>> creating unnecessarily complicated combinations of letters, numbers and >>> symbols. Increased complication (disorderly, and non-human-friendly), does >>> not always equal increased complexity (orderly, and more human-friendly), >>> or increased security. >>> >>> As previously mentioned, a two-wallet configuration provides the user an >>> opportunity to safely split the two factors of protection (equivalent to a >>> 2 of 2 'multi-sig' setup). >>> >>> If a BIP39-compatible passphrase is created using a new set of 24 seed >>> words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or >>> 10⁷⁶ possible combinations of words). >>> >>> The strength of this 2nd factor solution, provides adequate >>> risk-management, when considering the production of multiple backup >>> devices, strategically stored in multiple geographical locations. >>> >>> Generating the 'quantum' passphrase... >>> >>> Following just four (non-destructive) BIP39-compatible rules, the 24 >>> seed words can also function as a 'quantum' passphrase: >>> >>> 1 . Only BIP39 words >>> (Standard list of 2048 English words - other languages should be >>> compatible) >>> >>> 2 . Only the first four letters of each word >>> (BIP39 words require only this data for reproduction) >>> >>> 3 . Only upper case letters >>> (All alphabet references use this standard format) >>> >>> 4 . No spaces between words >>> (Spaces represent an additional unit of data, that is not recorded) >>> >>> In essence, the 'quantum' passphrase is simply a single string of all 24 >>> seed words, set out using the above rules. >>> >>> I welcome a productive technical discussion. >>> >>> Thanks, >>> >>> Chris Johnston >>> >>> >>> _______________________________________________ >>> bitcoin-dev mailing list >>> bitcoin-dev@lists•linuxfoundation.org >>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>> >> [-- Attachment #2: Type: text/html, Size: 14933 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [bitcoin-dev] Proposal for an Informational BIP 2021-05-09 22:53 ` Tobias Kaupat @ 2021-05-10 6:30 ` BitPLATES (Chris) 0 siblings, 0 replies; 7+ messages in thread From: BitPLATES (Chris) @ 2021-05-10 6:30 UTC (permalink / raw) To: Tobias Kaupat; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 12472 bytes --] Thank you for your reply Tobias, I don't think that the chicken-egg scenario is relevant, but please let me explain why: Wallet A = seed words (A) - add minimal funds as a canary/sacrificial wallet Wallet B = seed words (B) - add minimal funds as a canary/sacrificial wallet Wallet AB = seed words (A) + 'quantum' passphrase using seed words (B) - add 1/2 of main funds Wallet BA = seed words (B) + 'quantum' passphrase using seed words (A) - add 1/2 of main funds If the backup plate containing seed words (A) is compromised, then minimal funds are taken. If the backup plate containing seed words (B) is compromised, then minimal funds are taken. Both backup plates must remain geographically separated. Furthermore, backup plate (A) could be held by a 1st party, whilst backup plate (B) could be held by a 2nd party, as part of a 2 of 2 multi-factor (or multi-sig) setup. I hope this clarifies everything. Regards, Chris On Sun, 9 May 2021, 23:54 Tobias Kaupat, <Tobias@kaupat-hh•de> wrote: > Hi Chris, > thanks for the clarification. It makes sense so far. > > About the "chicken - egg" problem: > When you generate a BIP39 mnemonic "A" without password, you get a Seed > "As" from which you derive your private key. > Using the same mnemonic with a passphrase will give you a different seed > "As*" with a different private and public key. > Now your process must look like: > - Generate mnemonic A without password (will never be used) > - Generate mnemonic B* using words from A as password > - Generate mnemonic A* using words from B* as password > > That's just an implementation detail but might have impact on the actual > process, depending on the wallet you are using. > > Hope it's clear. > > Kind regards > Tobias > > > > BitPLATES (Chris) <bitplates@marketnetworks•co.uk> schrieb am So., 9. Mai > 2021, 10:29: > >> Hi Tobias, >> >> In answer to your questions... >> >> "Isn't your suggestion already covered by BIP39 since there is not >> restriction in how you choose your passphrase?" >> >> - Correct, my idea is covered by BIP39, and therefore compatible with >> BIP39... I see the 'quantum' passphrase as an optional 'soft fork' leading >> towards a more restricted choice of characters, rather than the fuller, >> less restrictive choice of characters. >> >> "It's up to any user to choose his password like you propose. I see your >> proposal more like a way to choose my password rather than anything that >> needs to be implemented somewhere." >> >> - Correct also, my proposal is for an Informational BIP to educate users >> how to create a 'quantum' passphrase, which provides the same high degree >> of protection (2048^23 combinations) as the original 1st layer mnemonic >> seed words. Should their 24 seed words be compromised (or posted on the >> internet), this extreme level of protection would make it impossible to >> brute-force the wallet without the 'quantum' passphrase. >> >> "Don't I have plausible deniability already with any other password that >> I keep in mind, since the seed without the password is already a valid >> address?" >> >> - No, because an unrestricted passphrase may contain characters different >> to those allowed by the 'quantum' passphrase. Memorisation of the 2nd layer >> passphrase is very dangerous, whereby, an unfortunate accident could leave >> your family without access to their inherence. The 'quantum' passphrase >> encourages the use of multiple metal backup storage devices, but anything >> more that A-Z (upper case only), would not be disguised as a 24 word seed. >> Therefore, discovery of a backup device with the extra, unrestricted >> characters that don't also open a (sacrificial) wallet, will be recognised >> as a 2nd layer passphrase... This is when the $5 wrench is brought to the >> table to extract the 1st layer seed words. >> >> "One issue might be, that the passphrase is part of the mnemonic. A >> hardware wallet needs the passphrase to generate the complete mnemonic >> (changing the password does change the resulting seed). Thus you get a >> chicken-egg problem, at least for some implementations. Probably you could >> use the restore feature to work around this - but it's one step more that >> should be mentioned." >> >> - I'm not sure that I fully understand this last paragraph of your email, >> but just to be clear, the 'quantum' passphrase is made from the 24 seed >> words of a separate wallet. This is essentially the 2nd layer (or 2nd >> signing key) to add to the 1st layer (or 1st signing key) required to >> complete the full mnemonic, which then provides access to the >> passphrase-protected wallet. >> >> eg. The 1st Bitcoin wallet is protected by a 'quantum' passphrase, >> containing the seed words of the 2nd Bitcoin wallet; inversely, the 2nd >> Bitcoin wallet is protected by a 'quantum' passphrase, containing the seed >> words of the 1st Bitcoin wallet. >> >> Thank you for your thoughts. >> >> Regards, >> >> Chris >> >> >> On Sun, 9 May 2021, 08:24 Tobias Kaupat, <Tobias@kaupat-hh•de> wrote: >> >>> Hello Chris, >>> Isn't your suggestion already covered by BIP39 since there is not >>> restriction in how you choose your passphrase? >>> >>> It's up to any user to choose his password like you propose. I see your >>> proposal more like a way to choose my password rather than anything that >>> needs to be implemented somewhere. >>> >>> Don't I have plausible deniability already with any other password that >>> I keep in mind, since the seed without the password is already a valid >>> address? >>> >>> One issue might be, that the passphrase is part of the mnemonic. A >>> hardware wallet needs the passphrase to generate the complete mnemonic >>> (changing the password does change the resulting seed). Thus you get a >>> chicken-egg problem, at least for some implementations. Probably you could >>> use the restore feature to work around this - but it's one step more that >>> should be mentioned. >>> >>> >>> Kind regards >>> Tobias >>> >>> >>> >>> >>> BitPLATES® (Chris) via bitcoin-dev < >>> bitcoin-dev@lists•linuxfoundation.org> schrieb am Sa., 8. Mai 2021, >>> 17:21: >>> >>>> Hi, >>>> >>>> I'd like to submit an idea for review, as a potential informational BIP >>>> (Bitcoin Improvement Proposal), describing an optional method of producing >>>> a BIP39 passphrase, using only BIP39 'mnemonic' seed words. >>>> >>>> The idea specifically refers to a method of introducing two-factor >>>> authentication, to protect a Bitcoin wallet using only 24 seed words, and >>>> therefore, providing plausible deniability about the existence of this >>>> separate 2nd layer passphrase. >>>> >>>> I've suggested the name 'quantum' passphrase to be used casually as a >>>> unique identifier. >>>> >>>> The data stored within a 'quantum' passphrase, is simultaneously the >>>> minimum required data for reproducing a BIP39-compatible 24-word seed >>>> mnemonic... hence, the name 'quantum' seems fitting, to reflect the >>>> multiple simultaneous states of data. >>>> >>>> Abstract... >>>> >>>> This improvement proposal describes the use of twenty four, newly >>>> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible >>>> 'quantum' passphrase. >>>> >>>> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be >>>> implemented with a two-wallet setup: >>>> >>>> The 1st Bitcoin wallet is protected by the seed words of the 2nd >>>> Bitcoin wallet; inversely, the 2nd Bitcoin wallet is protected by the seed >>>> words of the 1st Bitcoin wallet. >>>> >>>> The 'quantum' passphrase offers an exponential increase in the level of >>>> protection, as that offered by the original BIP39 mnemonic seed words >>>> (≈2048^23 possible combinations). >>>> >>>> ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected >>>> by 2048^23 to the power of 2048^23 possible combinations. >>>> >>>> With existing computer capabilities, this level of protection is far >>>> greater than required; however, this does provide a sufficient level of >>>> protection for each separate layer of a two-factor Bitcoin wallet, should >>>> any one layer be accidentally exposed. >>>> >>>> This method of passphrase generation, consists of two parts: >>>> >>>> 1st - generating the BIP39 mnemonic seed words, using a >>>> BIP39-compatible hardware wallet. >>>> >>>> 2nd - Converting these seed words into the 'quantum' passphrase, >>>> following four simple rules, which most importantly, do not destroy the >>>> integrity of the initial data. >>>> >>>> Motivation... >>>> >>>> The well established practice of preserving up to 24 seed words for the >>>> purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... >>>> Exposure of these mnemonic seed words can cause catastrophic loss of funds >>>> without adequate multi-factor protection. >>>> >>>> Whilst it is recognised that a number of multi-factor solutions are >>>> available (including the standard BIP39 passphrase, and hardware wallet >>>> multi-signature functionality), this proposal aims to provide an extremely >>>> safe and secure 'low-tech' option, that requires minimal (non-destructive) >>>> adjustments to the seed words. >>>> >>>> Furthermore, the 'quantum' passphrase offers a number advantages over >>>> the existing methods of multi-factor protection: >>>> >>>> Firstly, this method of creating a passphrase leaves no evidence of its >>>> existence on any backup devices, providing plausible deniability in case of >>>> coercion. >>>> >>>> This is because the passphrase is easily created from a genuine 24 seed >>>> word mnemonic; therefore, the physical backup of the passphrase can be >>>> disguised as a simple Bitcoin wallet on a metal backup plate. >>>> >>>> It presents a way of discouraging user-created words or sentences (also >>>> known as 'brain-wallets'), which often provide a drastically reduced level >>>> of passphrase security, unbeknown to many users. >>>> >>>> The large amount of data required to produce a 'quantum' passphrase (up >>>> to 96 characters long), encourages the physical backup of the passphrase. >>>> >>>> Furthermore, the use of BIP39-only words provides a higher degree of >>>> standardization, which can help to avoid potential mistakes made by >>>> creating unnecessarily complicated combinations of letters, numbers and >>>> symbols. Increased complication (disorderly, and non-human-friendly), does >>>> not always equal increased complexity (orderly, and more human-friendly), >>>> or increased security. >>>> >>>> As previously mentioned, a two-wallet configuration provides the user >>>> an opportunity to safely split the two factors of protection (equivalent to >>>> a 2 of 2 'multi-sig' setup). >>>> >>>> If a BIP39-compatible passphrase is created using a new set of 24 seed >>>> words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or >>>> 10⁷⁶ possible combinations of words). >>>> >>>> The strength of this 2nd factor solution, provides adequate >>>> risk-management, when considering the production of multiple backup >>>> devices, strategically stored in multiple geographical locations. >>>> >>>> Generating the 'quantum' passphrase... >>>> >>>> Following just four (non-destructive) BIP39-compatible rules, the 24 >>>> seed words can also function as a 'quantum' passphrase: >>>> >>>> 1 . Only BIP39 words >>>> (Standard list of 2048 English words - other languages should be >>>> compatible) >>>> >>>> 2 . Only the first four letters of each word >>>> (BIP39 words require only this data for reproduction) >>>> >>>> 3 . Only upper case letters >>>> (All alphabet references use this standard format) >>>> >>>> 4 . No spaces between words >>>> (Spaces represent an additional unit of data, that is not recorded) >>>> >>>> In essence, the 'quantum' passphrase is simply a single string of all >>>> 24 seed words, set out using the above rules. >>>> >>>> I welcome a productive technical discussion. >>>> >>>> Thanks, >>>> >>>> Chris Johnston >>>> >>>> >>>> _______________________________________________ >>>> bitcoin-dev mailing list >>>> bitcoin-dev@lists•linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>> >>> [-- Attachment #2: Type: text/html, Size: 16873 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <CAC0TF=m+Cg_LKz0vSuTb-xg6qY1GbeGMjaXa0bgoiLqtCbMikQ@mail.gmail.com>]
* Re: [bitcoin-dev] Proposal for an Informational BIP [not found] ` <CAC0TF=m+Cg_LKz0vSuTb-xg6qY1GbeGMjaXa0bgoiLqtCbMikQ@mail.gmail.com> @ 2021-05-11 8:48 ` BitPLATES (Chris) [not found] ` <CAC0TF=meoUhRUMWmto8fxksse6G=66XJdxH8bvFfHENvVnS_+A@mail.gmail.com> 0 siblings, 1 reply; 7+ messages in thread From: BitPLATES (Chris) @ 2021-05-11 8:48 UTC (permalink / raw) To: Chris D'Costa; +Cc: Bitcoin Protocol Discussion [-- Attachment #1: Type: text/plain, Size: 7885 bytes --] Hi Chris, Thank you for your thoughts. Unfortunately, your analysis is incorrect. This is a non-destructive adaptation of the BIP39 standard, and is certainly not "rolling your own security". The 'quantum' passphrase is relying on the well established security of the existing BIP39 standard. There are 2048 possible words that can be chosen from the BIP39 word list. Therefore, to derive a seed from a string of 24 BIP39 words, is exactly the same as deriving a seed from the full 24 words: 2048 to the power of 23 combinations of security (not the power of 24 because of the checksum), or 10 to the power of 76 combinations. If you created your own combinations of words to make up a passphrase, this same degree of security would require 15 random words from the English dictionary (assuming 100,000 English words): 100,000 to the power of 15 = 10 to the power of 75 combinations. The other problem with this, is that you could not plausibly deny that it was a passphrase, whereas, using a 'quantum' passphrase allows you to backup your passphrase disguised as a 24 seed mnemonic. I hope this alleviates your concerns. All the best, Chris On Tue, 11 May 2021, 09:12 Chris D'Costa, <chrisjdcosta@gmail•com> wrote: > I think the biggest problem you have with this proposal is "rolling your > own security". > > Are you aware that the dictionary is designed such that the first four > letters are unique to each word? Taking those four letters and > concatenating them to a string basically means that I can derive your seed > from your supposedly secure "quantum" passphrase. It does not add to the > security - if anything it makes it worse. It would be orders of magnitude > worse than using a random password and encryption as most wallets have been > using for years. > > C > > On Sat, 8 May 2021 at 17:21, BitPLATES® (Chris) via bitcoin-dev < > bitcoin-dev@lists•linuxfoundation.org> wrote: > >> Hi, >> >> I'd like to submit an idea for review, as a potential informational BIP >> (Bitcoin Improvement Proposal), describing an optional method of producing >> a BIP39 passphrase, using only BIP39 'mnemonic' seed words. >> >> The idea specifically refers to a method of introducing two-factor >> authentication, to protect a Bitcoin wallet using only 24 seed words, and >> therefore, providing plausible deniability about the existence of this >> separate 2nd layer passphrase. >> >> I've suggested the name 'quantum' passphrase to be used casually as a >> unique identifier. >> >> The data stored within a 'quantum' passphrase, is simultaneously the >> minimum required data for reproducing a BIP39-compatible 24-word seed >> mnemonic... hence, the name 'quantum' seems fitting, to reflect the >> multiple simultaneous states of data. >> >> Abstract... >> >> This improvement proposal describes the use of twenty four, newly >> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible >> 'quantum' passphrase. >> >> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be >> implemented with a two-wallet setup: >> >> The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin >> wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words of >> the 1st Bitcoin wallet. >> >> The 'quantum' passphrase offers an exponential increase in the level of >> protection, as that offered by the original BIP39 mnemonic seed words >> (≈2048^23 possible combinations). >> >> ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected by >> 2048^23 to the power of 2048^23 possible combinations. >> >> With existing computer capabilities, this level of protection is far >> greater than required; however, this does provide a sufficient level of >> protection for each separate layer of a two-factor Bitcoin wallet, should >> any one layer be accidentally exposed. >> >> This method of passphrase generation, consists of two parts: >> >> 1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible >> hardware wallet. >> >> 2nd - Converting these seed words into the 'quantum' passphrase, >> following four simple rules, which most importantly, do not destroy the >> integrity of the initial data. >> >> Motivation... >> >> The well established practice of preserving up to 24 seed words for the >> purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... >> Exposure of these mnemonic seed words can cause catastrophic loss of funds >> without adequate multi-factor protection. >> >> Whilst it is recognised that a number of multi-factor solutions are >> available (including the standard BIP39 passphrase, and hardware wallet >> multi-signature functionality), this proposal aims to provide an extremely >> safe and secure 'low-tech' option, that requires minimal (non-destructive) >> adjustments to the seed words. >> >> Furthermore, the 'quantum' passphrase offers a number advantages over the >> existing methods of multi-factor protection: >> >> Firstly, this method of creating a passphrase leaves no evidence of its >> existence on any backup devices, providing plausible deniability in case of >> coercion. >> >> This is because the passphrase is easily created from a genuine 24 seed >> word mnemonic; therefore, the physical backup of the passphrase can be >> disguised as a simple Bitcoin wallet on a metal backup plate. >> >> It presents a way of discouraging user-created words or sentences (also >> known as 'brain-wallets'), which often provide a drastically reduced level >> of passphrase security, unbeknown to many users. >> >> The large amount of data required to produce a 'quantum' passphrase (up >> to 96 characters long), encourages the physical backup of the passphrase. >> >> Furthermore, the use of BIP39-only words provides a higher degree of >> standardization, which can help to avoid potential mistakes made by >> creating unnecessarily complicated combinations of letters, numbers and >> symbols. Increased complication (disorderly, and non-human-friendly), does >> not always equal increased complexity (orderly, and more human-friendly), >> or increased security. >> >> As previously mentioned, a two-wallet configuration provides the user an >> opportunity to safely split the two factors of protection (equivalent to a >> 2 of 2 'multi-sig' setup). >> >> If a BIP39-compatible passphrase is created using a new set of 24 seed >> words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or >> 10⁷⁶ possible combinations of words). >> >> The strength of this 2nd factor solution, provides adequate >> risk-management, when considering the production of multiple backup >> devices, strategically stored in multiple geographical locations. >> >> Generating the 'quantum' passphrase... >> >> Following just four (non-destructive) BIP39-compatible rules, the 24 seed >> words can also function as a 'quantum' passphrase: >> >> 1 . Only BIP39 words >> (Standard list of 2048 English words - other languages should be >> compatible) >> >> 2 . Only the first four letters of each word >> (BIP39 words require only this data for reproduction) >> >> 3 . Only upper case letters >> (All alphabet references use this standard format) >> >> 4 . No spaces between words >> (Spaces represent an additional unit of data, that is not recorded) >> >> In essence, the 'quantum' passphrase is simply a single string of all 24 >> seed words, set out using the above rules. >> >> I welcome a productive technical discussion. >> >> Thanks, >> >> Chris Johnston >> >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists•linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> > [-- Attachment #2: Type: text/html, Size: 10842 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
[parent not found: <CAC0TF=meoUhRUMWmto8fxksse6G=66XJdxH8bvFfHENvVnS_+A@mail.gmail.com>]
* Re: [bitcoin-dev] Proposal for an Informational BIP [not found] ` <CAC0TF=meoUhRUMWmto8fxksse6G=66XJdxH8bvFfHENvVnS_+A@mail.gmail.com> @ 2021-05-11 17:45 ` BitPLATES (Chris) 0 siblings, 0 replies; 7+ messages in thread From: BitPLATES (Chris) @ 2021-05-11 17:45 UTC (permalink / raw) To: Chris D'Costa, bitcoin-dev [-- Attachment #1: Type: text/plain, Size: 10004 bytes --] Hi Chris, I apologise if I did not make it clear enough, but the 24 seed words used to make the quantum passphrase are separate, newly generated 24 seed words, and not the same as those for the main wallet. With both layers (seed words + quantum passphrase) the security provided is (2048^23)^(2048^23). ie. 2048 to the power of 23, to the power of 2048 to the power of 23 possible combinations of words. The BIP39 passphrase is designed to prevent catastrophic loss of funds in the case of accidental seed word exposure. If both, seed words and quantum passphrase, are stored on two separate metal backup storage plates, in two separate locations, then the accidental disclosure of either one provides 2048^23 (or 10^76) possible combinations of words to decrypt. ie. The quantum passphrase provides the same degree of security, as the original 24 seed words. I hope this helps. Best regards, Chris On Tue, 11 May 2021, 17:54 Chris D'Costa, <chrisjdcosta@gmail•com> wrote: > "well established security of the existing BIP39 standard" > > You are basing your entire proposal on this basic misunderstanding. > > There is no inherent (or "existing") security in BIP39. All it does is > provide a standardised and convenient way to record, and recover a > private key from a readable seed phrase. In fact there are many language > versions of BIP39 dictionary. But really the worst part of the idea from a > security perspective is that it reveals the seed phrase. Even a simple > password to encrypt (whilst possibly weak) would still never so this! > > C > > > On Tue, 11 May 2021 at 10:48, BitPLATES (Chris) < > bitplates@marketnetworks•co.uk> wrote: > >> Hi Chris, >> >> Thank you for your thoughts. >> >> Unfortunately, your analysis is incorrect. >> >> This is a non-destructive adaptation of the BIP39 standard, and is >> certainly not "rolling your own security". >> >> The 'quantum' passphrase is relying on the well established security of >> the existing BIP39 standard. >> >> There are 2048 possible words that can be chosen from the BIP39 word >> list. Therefore, to derive a seed from a string of 24 BIP39 words, is >> exactly the same as deriving a seed from the full 24 words: >> >> 2048 to the power of 23 combinations of security (not the power of 24 >> because of the checksum), or 10 to the power of 76 combinations. >> >> If you created your own combinations of words to make up a passphrase, >> this same degree of security would require 15 random words from the English >> dictionary (assuming 100,000 English words): >> >> 100,000 to the power of 15 = 10 to the power of 75 combinations. >> >> The other problem with this, is that you could not plausibly deny that it >> was a passphrase, whereas, using a 'quantum' passphrase allows you to >> backup your passphrase disguised as a 24 seed mnemonic. >> >> I hope this alleviates your concerns. >> >> All the best, >> >> Chris >> >> >> On Tue, 11 May 2021, 09:12 Chris D'Costa, <chrisjdcosta@gmail•com> wrote: >> >>> I think the biggest problem you have with this proposal is "rolling your >>> own security". >>> >>> Are you aware that the dictionary is designed such that the first four >>> letters are unique to each word? Taking those four letters and >>> concatenating them to a string basically means that I can derive your seed >>> from your supposedly secure "quantum" passphrase. It does not add to the >>> security - if anything it makes it worse. It would be orders of magnitude >>> worse than using a random password and encryption as most wallets have been >>> using for years. >>> >>> C >>> >>> On Sat, 8 May 2021 at 17:21, BitPLATES® (Chris) via bitcoin-dev < >>> bitcoin-dev@lists•linuxfoundation.org> wrote: >>> >>>> Hi, >>>> >>>> I'd like to submit an idea for review, as a potential informational BIP >>>> (Bitcoin Improvement Proposal), describing an optional method of producing >>>> a BIP39 passphrase, using only BIP39 'mnemonic' seed words. >>>> >>>> The idea specifically refers to a method of introducing two-factor >>>> authentication, to protect a Bitcoin wallet using only 24 seed words, and >>>> therefore, providing plausible deniability about the existence of this >>>> separate 2nd layer passphrase. >>>> >>>> I've suggested the name 'quantum' passphrase to be used casually as a >>>> unique identifier. >>>> >>>> The data stored within a 'quantum' passphrase, is simultaneously the >>>> minimum required data for reproducing a BIP39-compatible 24-word seed >>>> mnemonic... hence, the name 'quantum' seems fitting, to reflect the >>>> multiple simultaneous states of data. >>>> >>>> Abstract... >>>> >>>> This improvement proposal describes the use of twenty four, newly >>>> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible >>>> 'quantum' passphrase. >>>> >>>> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be >>>> implemented with a two-wallet setup: >>>> >>>> The 1st Bitcoin wallet is protected by the seed words of the 2nd >>>> Bitcoin wallet; inversely, the 2nd Bitcoin wallet is protected by the seed >>>> words of the 1st Bitcoin wallet. >>>> >>>> The 'quantum' passphrase offers an exponential increase in the level of >>>> protection, as that offered by the original BIP39 mnemonic seed words >>>> (≈2048^23 possible combinations). >>>> >>>> ie. A Bitcoin wallet with a 2nd layer 'quantum'passphrase is protected >>>> by 2048^23 to the power of 2048^23 possible combinations. >>>> >>>> With existing computer capabilities, this level of protection is far >>>> greater than required; however, this does provide a sufficient level of >>>> protection for each separate layer of a two-factor Bitcoin wallet, should >>>> any one layer be accidentally exposed. >>>> >>>> This method of passphrase generation, consists of two parts: >>>> >>>> 1st - generating the BIP39 mnemonic seed words, using a >>>> BIP39-compatible hardware wallet. >>>> >>>> 2nd - Converting these seed words into the 'quantum' passphrase, >>>> following four simple rules, which most importantly, do not destroy the >>>> integrity of the initial data. >>>> >>>> Motivation... >>>> >>>> The well established practice of preserving up to 24 seed words for the >>>> purpose of reproduction of a Bitcoin wallet, suffers from a major flaw... >>>> Exposure of these mnemonic seed words can cause catastrophic loss of funds >>>> without adequate multi-factor protection. >>>> >>>> Whilst it is recognised that a number of multi-factor solutions are >>>> available (including the standard BIP39 passphrase, and hardware wallet >>>> multi-signature functionality), this proposal aims to provide an extremely >>>> safe and secure 'low-tech' option, that requires minimal (non-destructive) >>>> adjustments to the seed words. >>>> >>>> Furthermore, the 'quantum' passphrase offers a number advantages over >>>> the existing methods of multi-factor protection: >>>> >>>> Firstly, this method of creating a passphrase leaves no evidence of its >>>> existence on any backup devices, providing plausible deniability in case of >>>> coercion. >>>> >>>> This is because the passphrase is easily created from a genuine 24 seed >>>> word mnemonic; therefore, the physical backup of the passphrase can be >>>> disguised as a simple Bitcoin wallet on a metal backup plate. >>>> >>>> It presents a way of discouraging user-created words or sentences (also >>>> known as 'brain-wallets'), which often provide a drastically reduced level >>>> of passphrase security, unbeknown to many users. >>>> >>>> The large amount of data required to produce a 'quantum' passphrase (up >>>> to 96 characters long), encourages the physical backup of the passphrase. >>>> >>>> Furthermore, the use of BIP39-only words provides a higher degree of >>>> standardization, which can help to avoid potential mistakes made by >>>> creating unnecessarily complicated combinations of letters, numbers and >>>> symbols. Increased complication (disorderly, and non-human-friendly), does >>>> not always equal increased complexity (orderly, and more human-friendly), >>>> or increased security. >>>> >>>> As previously mentioned, a two-wallet configuration provides the user >>>> an opportunity to safely split the two factors of protection (equivalent to >>>> a 2 of 2 'multi-sig' setup). >>>> >>>> If a BIP39-compatible passphrase is created using a new set of 24 seed >>>> words, it provides 76 degrees of extra complexity (ie. 1 with 76 zeros, or >>>> 10⁷⁶ possible combinations of words). >>>> >>>> The strength of this 2nd factor solution, provides adequate >>>> risk-management, when considering the production of multiple backup >>>> devices, strategically stored in multiple geographical locations. >>>> >>>> Generating the 'quantum' passphrase... >>>> >>>> Following just four (non-destructive) BIP39-compatible rules, the 24 >>>> seed words can also function as a 'quantum' passphrase: >>>> >>>> 1 . Only BIP39 words >>>> (Standard list of 2048 English words - other languages should be >>>> compatible) >>>> >>>> 2 . Only the first four letters of each word >>>> (BIP39 words require only this data for reproduction) >>>> >>>> 3 . Only upper case letters >>>> (All alphabet references use this standard format) >>>> >>>> 4 . No spaces between words >>>> (Spaces represent an additional unit of data, that is not recorded) >>>> >>>> In essence, the 'quantum' passphrase is simply a single string of all >>>> 24 seed words, set out using the above rules. >>>> >>>> I welcome a productive technical discussion. >>>> >>>> Thanks, >>>> >>>> Chris Johnston >>>> >>>> >>>> _______________________________________________ >>>> bitcoin-dev mailing list >>>> bitcoin-dev@lists•linuxfoundation.org >>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >>>> >>> [-- Attachment #2: Type: text/html, Size: 13737 bytes --] ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-05-11 17:45 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-08 15:21 [bitcoin-dev] Proposal for an Informational BIP BitPLATES® (Chris)
2021-05-09 7:24 ` Tobias Kaupat
2021-05-09 8:29 ` BitPLATES (Chris)
2021-05-09 22:53 ` Tobias Kaupat
2021-05-10 6:30 ` BitPLATES (Chris)
[not found] ` <CAC0TF=m+Cg_LKz0vSuTb-xg6qY1GbeGMjaXa0bgoiLqtCbMikQ@mail.gmail.com>
2021-05-11 8:48 ` BitPLATES (Chris)
[not found] ` <CAC0TF=meoUhRUMWmto8fxksse6G=66XJdxH8bvFfHENvVnS_+A@mail.gmail.com>
2021-05-11 17:45 ` BitPLATES (Chris)
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox