Author

Topic: 12 Words + Passphrase == 12 other words? (Read 272 times)

legendary
Activity: 2604
Merit: 2353
November 27, 2024, 04:49:49 PM
#22
To be honest I don't understand the point of storing a the private key (the master private key actually I guess). Why not just using a seed without passphrase in this case. It would be more easily usable at least. It produces another weak point in addition, because someone finding your master private key will be able to steal your funds without needing your seed and your passphrase, so your funds can be stolen by 2 ways (with the master private key and with the seed and the passphrase) instead of only one.
legendary
Activity: 2366
Merit: 2054
November 25, 2024, 08:03:03 PM
#21
Save it also the private key if you want to be more secure and paranoid if the resulting address is different after adding Passphrase.

Because there are have possibility of negligence if someone uses an additional Passphrase, like forget an uppercase letter, symbols, numbers, etc.

Passphrase is sensitive, just a little bit wrong put . (dot) You will got the different address generated.

wallets cannot identify like we use passwords. the wallet will remain open like there's no mistake when put wrong passphrase
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
November 25, 2024, 04:03:04 PM
#20
The most five year old explanation I can offer to understand this is that collision of two Bitcoin Private Keys is like us randomly finding and picking up the same pebble on Earth.
Naa, it's more like two aliens pick the same atom in a super-cluster of galaxies by chance (and they don't start from the same location, let's assume they have Warp drive capabilities).  Grin Grin

Humans can't really comprehend such large numbers.

2256 is roughly ~1.16x1077

Our solar system has approx. 1057 atoms. Multiply by roughly 1011 for the atoms in our Milky Way galaxy (we're at about 1068 atoms now for our galaxy). Take a billion galaxies like ours and we're about in the same magnitude as possible private keys. Dang!
(I googled the numbers and if you need me to provide at least some source, then take this here...)


~~~
I was pretty sure it's the video from 3Blue1Brown and yes, it was it as expected and always nice to watch again and begin to wonder.
hero member
Activity: 560
Merit: 1060
November 25, 2024, 07:42:12 AM
#19
So while it is pretty scary to think that all of us Bitcoin users CAN generate another used Private Key at any given time using the one same Seed we have, this is so impossible that it is useless to fear such a collision.

I always like to send people this video, when they are afraid that their funds can get lost due to a collision or a brute-force attack.
I believe the best way to explain the vastness of the bitcoin's computation space, is to watch a video, because human brain is not able to fully understand numbers that are this big.
legendary
Activity: 882
Merit: 1873
Crypto Swap Exchange
November 24, 2024, 05:30:30 PM
#18
The most five year old explanation I can offer to understand this is that collision of two Bitcoin Private Keys is like us randomly finding and picking up the same pebble on Earth.  While it is possible, because it IS possible, the reality is that I will never find that exact one pebble you did.

Now if everybody started to look for it, the chances are higher of course.  Maybe if everybody is looking after the same set of a few hundred thousand pebbles, one day MAYBE somebody finds one of them.  But it is still almost impossible.

So while it is pretty scary to think that all of us Bitcoin users CAN generate another used Private Key at any given time using the one same Seed we have, this is so impossible that it is useless to fear such a collision.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
November 24, 2024, 03:04:01 PM
#17
~~~
The question is from which side you approach the potential hash collision.

Sure, if you look at only a 12-recovery words "seed" and no optional mnemonic passphrase you stretch an 128bit input space to a 512bit output space, but you only can have 2128 at best unique hashes, not any more.

It is possible that you simply can't find any exact match for a final 512bit PBKDF2 hash of a given 12-word "seed" with a particular mnemonic passphrase. That is, because you have potentially 2384 times more different "source" hashes than our "puny" 2128 that you can match at maximum.

Above illustrates one given sample of 12 recovery words with a specific non-empty mnemonic passphrase for which you try to find a 512bit hash match with any of the possible 2128 12 recovery word combinations without a mnemonic passphrase.

This may fail and there's no guarantee for a match, besides we don't have time and energy to exhaust the search space of 128bit magnitude.


If you approach the collision from the other side, i.e. a given 12 recovery words "seed" without mnemonic passphrase should be matched by any combination of 12 recovery words with a non-empty mnemonic passphrase, then a collision is mathematically guaranteed. Because the vastness of input space can easily exceed§ the hash output space of 2512 magnitude.

§ Reason: it's no problem to create more than 2384 different mnemonic passphrases times 2128 12-word combinations.

While the existance of a hash collision in this case is guaranteed, it's still practically impossible to find it, not enough time and energy in this part (or whole) of the universe to exhaust the search.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
November 24, 2024, 12:45:21 PM
#16
Thank you guys for clear explanation. Love this forum, I'm in crypto for years, still I learn something new every day.
It is similar to importing a wallet using seed phrase and instead of using all the 12 words correctly is that you intentionally change one word which the wallet that will be imported is different. In this case, instead of changing one word is that there will be an extended word (passphrase) that will generate different wallet. If you want to explore it then you can try create a dummy wallet and use passphrase. You can use electrum for that where you can add custom words when adding a wallet.
legendary
Activity: 2604
Merit: 2353
November 24, 2024, 12:00:36 PM
#15
To be honest, I don't understand how a collision can happen if PBKDF2 literally stretches to 512bits, a initial entropy between 128 and 256 bits according to BIP39. That is to say the entropy of the seed without any passphrase. Maybe 2 seeds with a passphrase can create the same key at the end, but I highly doubt it could happen between 2 seeds witout passphrase or between a seed without passphrase and a seed with one.

https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
November 24, 2024, 11:22:19 AM
#14
It's a simple fact that hash collisions must occur when the input space is larger than the hash output space. Of course, it's usually not probable to execute an exhaustive search to find such a collision. We don't have the time and energy to even search something like a 128bit space exhaustively. And hash output space for RIPEMD160, SHA256 and of course SHA512 are completely out of reach, unless some major flaw is discovered and by the time those hash functions are known, it's not very likely to discover serious flaws.

In other words, it is practically easier for the universe to "end" than to collide with a set of private keys/seeds that you had created with or without a passphrase.
While the fate of the universe is a topic still to debate because we have no real clue what dark energy and/or dark matter could be, I'm not so much concerned about this boundary.

The life cycle of our sun will limit life on this planet way before anything else concerning the fate of the universe. Not so many cozy places in this solar system either.

I'm more worried that humanity will destroy itself or the habitability of this planet in much shorter time spans. Humanity is stupid enough to have create more than enough nukes and weapons to destroy habitability of the only place we currently can live on. And too many stupids still entertain war after war. What a great progress... (Sorry for this slight drift to off-topic)
hero member
Activity: 1120
Merit: 540
Duelbits - Play for Free | Win for Real
November 23, 2024, 03:59:34 PM
#13
What you are looking for is a hash collision after 2048 rounds of PBKDF2 (which uses HMAC-SHA512 as pseudo-random hash function).
The mnemonic recovery words (as UTF-8 NFKD) are used as password input and the optional mnemonic passphrase  (as UTF-8 NFKD) is used as salt, specifically "mnemonic" + optional passphrase with an empty string "" for optional passphrase when there is no optional passphrase provided. (Put in slightly other words from the BIP39 definition.)
So the salt is always something:
  • "mnemonic" as UTF-8 NFKD when there is no optional mnemonic passphrase
  • "mnemonic" as UTF-8 NFKD; replace with the used mnemonic passphrase

It's worth mentioning that the optional mnemonic passphrase could be everything within bounds of UTF-8, not limited to a single "word" or so.

Now for OP's initial question: a hash collision after 2048 rounds of PBKDF2 is mathematically possible because the input space with an optional mnemonic passphrase exceeds the vastness of the output space of SHA512 (used in PBKDF2). There's no limitation to the size of the optional mnemonic passphrase, at least not by definition. You can therefore mathematically get any 512bits output after the 2048 rounds of PBKDF2. Because of this you could match the resulting binary seed (512bits) yielded after the PBKDF2 rounds for any 12 recovery words plus no mnemonic passphrase (for the latter the input space is vastly smaller than with an mnenmonic passphrase).

Is it probable to find such a collision? No, not at all. It's theoretically possible, practically it's impossible due to lack of time and energy.
This reminded me of a thread of mine where i made an assumption about private key collisions, basically the same question as the OP.

However, due to the time and energy spent, it's impossible today and may continue to be impractical in millions or billions of years and so on.

In other words, it is practically easier for the universe to "end" than to collide with a set of private keys/seeds that you had created with or without a passphrase.
sr. member
Activity: 448
Merit: 560
Crypto Casino and Sportsbook
November 23, 2024, 10:23:58 AM
#12
I am just wondering if 12 words + passphrase results in a private key, that can be found with completely different 12 words + no passphrase?
In the case of bitcoin and a couple of other cryptocurrencies using BIP39 (Mnemonic Seed) wallets the answer is simply NO.
A 12-word seed phrase combined with an optional passphrase (BIP39 extension) actually generates a unique private key. Changing the passphrase or using a completely different 12-word seed phrase will produce a distinct private key. It's a kinda straight forward process.

Private keys are hashed and gotten from the seed phrase and that means if you add a new word or even a new character the result of the hashing will also be altered. If I have a 12 word seed , it's a wallet seed yes but if I add say a word or two I'll get a new wallet since the private keys would be different. Meaning who has only the 12 words will not be able to spend funds in the wallet with custom seed.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
November 23, 2024, 09:21:47 AM
#11
What you are looking for is a hash collision after 2048 rounds of PBKDF2 (which uses HMAC-SHA512 as pseudo-random hash function).
The mnemonic recovery words (as UTF-8 NFKD) are used as password input and the optional mnemonic passphrase  (as UTF-8 NFKD) is used as salt, specifically "mnemonic" + optional passphrase with an empty string "" for optional passphrase when there is no optional passphrase provided. (Put in slightly other words from the BIP39 definition.)
So the salt is always something:
  • "mnemonic" as UTF-8 NFKD when there is no optional mnemonic passphrase
  • "mnemonic" as UTF-8 NFKD; replace with the used mnemonic passphrase

It's worth mentioning that the optional mnemonic passphrase could be everything within bounds of UTF-8, not limited to a single "word" or so.

Now for OP's initial question: a hash collision after 2048 rounds of PBKDF2 is mathematically possible because the input space with an optional mnemonic passphrase exceeds the vastness of the output space of SHA512 (used in PBKDF2). There's no limitation to the size of the optional mnemonic passphrase, at least not by definition. You can therefore mathematically get any 512bits output after the 2048 rounds of PBKDF2. Because of this you could match the resulting binary seed (512bits) yielded after the PBKDF2 rounds for any 12 recovery words plus no mnemonic passphrase (for the latter the input space is vastly smaller than with an mnenmonic passphrase).

Is it probable to find such a collision? No, not at all. It's theoretically possible, practically it's impossible due to lack of time and energy.
sr. member
Activity: 1491
Merit: 320
🐪
November 23, 2024, 06:22:30 AM
#10
Thank you guys for clear explanation. Love this forum, I'm in crypto for years, still I learn something new every day.


hero member
Activity: 560
Merit: 1060
November 23, 2024, 06:19:19 AM
#9
I am just wondering if 12 words + passphrase results in a private key, that can be found with completely different 12 words + no passphrase?

Thanks

To answer your question, every private that ever existed can be generated by the exact same seed phrase (12 words), combined with random passphrases.

I will do the ELI5 version of my answer.
In Bitcoin, a BIP39 seed phrase of 12 words is parsed through a hashing function, called PBKDF2, to generate all these key-pairs that you see in your wallet.
If you add any passphrase, then the PBKDF2 function will return something completely unique.
Since you have an unlimited number of passphrases that you can use (all characters are valid, all lengths are valid), then you can generate all the private keys in the world.
newbie
Activity: 2
Merit: 0
November 22, 2024, 09:26:43 PM
#8
OP, adding a custom word (a.k.a passphrase) to the 12/18/24 words seed will result in generating a completely different wallet (different addresses).

But since you said "different words", I assume you are asking about the possibilty of having a collusion! In that case, you can read this topic:
Wallet "overlap"

Wow, thanks! It answers my question
legendary
Activity: 2744
Merit: 3097
Top Crypto Casino
November 22, 2024, 06:33:07 PM
#7
OP, adding a custom word (a.k.a passphrase) to the 12/18/24 words seed will result in generating a completely different wallet (different addresses).

But since you said "different words", I assume you are asking about the possibilty of having a collusion! In that case, you can read this topic:
Wallet "overlap"

I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.
Although both of them are used to enhance the security of the wallet, they are completely different. A password is used to encrypt the wallet while a passphrase creates a different wallet.
legendary
Activity: 1526
Merit: 1359
November 22, 2024, 04:26:41 PM
#6
I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.

Could you share what wallet do you use?

I believe he is referring to the BIP39 passphrases. These are optional, extra words you can add to your seed phrase for even more security. Its different from your regular wallet password. You cant recover your wallet without this passphrase. People sometimes call it the "25th word," but it can actually be any phrase or set of characters.

As for the wallets, almost all the most popular wallets support it. For example, Trezor hardware wallet allows you to create one standard wallet (without a passphrase) and a number of secret (hidden) wallets depending on the additional passphrase. (Each new passphrase will generate a new unique wallet.)
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
November 22, 2024, 04:03:58 PM
#5
I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.

Could you share what wallet do you use?
Electrum, Sparrow, Bluewallet, Unstoppable wallets and many other wallets support passphrase. The passphrase is used to access the right keys and not the wallet precisely. If you lose the passphrase, it is like you lose the seed phrase as the coins will be lost.
sr. member
Activity: 630
Merit: 298
November 22, 2024, 03:59:20 PM
#4

I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.

Could you share what wallet do you use?

The Password you use when login to the wallet is not what is called the passphrase, the passphrase or custom word as some wallet called it is used to extend your seed phrase, for a 12 word seed phrase the passphrase is the 13th word as such with a passphrase extended to your seed phrase that particular wallet has different private key and addresses when the same seed phrase doesn’t have any passphrase,

Electrum and almost all reputable bitcoin wallets like BlueWallet, Sparrow wallet allows the extension of seed phrase with pass phrase, but it is different from the password or pin required to login into the wallet
sr. member
Activity: 1491
Merit: 320
🐪
November 22, 2024, 03:47:32 PM
#3
I am just wondering if 12 words + passphrase results in a private key, that can be found with completely different 12 words + no passphrase?

Thanks

I didn't know that there is option like that, to generate different wallets depending on password. All wallet apps that I used had password protection to guard the access to app.

Could you share what wallet do you use?
legendary
Activity: 1512
Merit: 4795
Leading Crypto Sports Betting & Casino Platform
November 22, 2024, 03:18:34 PM
#2
The purpose of passphrase is to generate different keys and addresses that are entirely different from the keys and addresses that is generated if the passphrase is not included. It is not possible. The extended word is enough to make all the keys and addresses different.
newbie
Activity: 2
Merit: 0
November 22, 2024, 03:09:44 PM
#1
I am just wondering if 12 words + passphrase results in a private key, that can be found with completely different 12 words + no passphrase?

Thanks
Jump to: