Topic: A. Antonopoulos’ Take on Seed Splitting and Bruteforcing (Read 726 times)

legendary
Activity: 2268
Merit: 18771
-snip-
This is why I would prefer to use a 3-of-4 multi-sig in such a scenario. It has redundancy built in to it in case one family member loses their key or is otherwise unavailable or incapacitated, and it does not require complete trust in any one person or device. With shares being combined by the lawyer, then there is risk that either the lawyer or someone else who works for that person/company could access the completed secret, and there is risk that the device they use to combine the shares is compromised.

It also means a majority of people have to agree on how to split up your funds. With shares being combined by a lawyer, then which family member is in charge of your estate could simply choose to move all the coins to their own wallet. With a multi-sig at least 3 of the 4 must agree on how the funds are being split up.
legendary
Activity: 2730
Merit: 7065
My suggestion will be to obfuscate the seed, not to look like a seed, when you do split it. I have done this in a way that 4 family members will be able to put my seeds together, if something happens to me.
What if one or several of your family members loses their part of the seed/seeds? Is that when the fail-safe that you mentioned at the end of your post will kick in?

They cannot do anything with their portion of the seed and my lawyer has the instructions in my "Will" to explain to them what to do. (Eg... make a sentence with the Seed and give the template to the lawyer to put it all together)
Will the lawyer know how to put the words together and arrange them from 1-12/24 or does he just keep the correct instructions (template)? I didn't understand if the lawyer is the one who is tasked to put the words in the correct order based on the info given to him by the inheritors. If he is, do you absolutely trust him with that information?   
legendary
Activity: 3542
Merit: 1965
My suggestion will be to obfuscate the seed, not to look like a seed, when you do split it. I have done this in a way that 4 family members will be able to put my seeds together, if something happens to me. They cannot do anything with their portion of the seed and my lawyer has the instructions in my "Will" to explain to them what to do. (Eg... make a sentence with the Seed and give the template to the lawyer to put it all together)

The fail-safe will be to give an encrypted video to each of the family members, with instructions on what to do if something happens to you. (The password to decrypt it is with the lawyer, and he does not know what the password is for.)
member
Activity: 873
Merit: 22
SHA-256 from 12 or 24 words is SHA-256. Not secure like 24 words, and 12 words too.
legendary
Activity: 2268
Merit: 18771
They have the same number of characters, but the second sequence should be much more difficult to crack. Or am I looking at it wrongly?
No, you're absolutely right. Given two passphrases of the same length, random characters (including lower and uppercase letters, numbers, and symbols) will have significantly more entropy than individual words. Two words would have around 150,000^2 ≈ 2^34 possibilities, i.e. 34 bits of entropy, whereas 10 random characters would have around 95^10 ≈ 2^65, i.e. 65 bits.

The difference comes because such passphrases are rarely of the same length. 8 words might have around 40-50 characters in total, but very few people would use a passphrase of 50 random characters. To achieve a passphrase of >128 bits of security, you would need 20 random characters or 8 random words. Given the two following passphrases then:

.ujG&Yb!zVs[E`qS8\7@

wrong spoil drawing bottle underline ear dictate division

Most people will find it easier to remember (even though you shouldn't), write down, back up, and re-enter the words rather than the random characters.
legendary
Activity: 2730
Merit: 7065
Why use real words at all? It should be more secure to use random letters, numbers, and special characters instead of real dictionary words. I have always wondered: are the two examples below equally easy/difficult to bruteforce?

1. apple cup
2. !J-"g 5&b

They have the same number of characters, but the second sequence should be much more difficult to crack. Or am I looking at it wrongly?
legendary
Activity: 2268
Merit: 18771
You've led me down a rabbit hole of Antonopoulos' YouTube videos now.

Here he is in 2018 suggesting using 8-10 words as a passphrase: https://www.youtube.com/watch?v=cAP2u6w_1-k&t=740s. So it seems in the last 3 years he has significantly reduced what he considers necessary for a passphrase.

For interest, if we take my number of ~150,000 words in the English language, then (assuming randomly chosen words) 4 words gives around 68.8 bits of entropy, whereas 10 words would give around 171.9 bits of entropy. I would say the former is too low, while the latter (although very secure) is probably unnecessarily high, given that bitcoin itself "only" has 128 bits of security. 7-8 words gives a range of around 120 - 137 bits of entropy, which is more in the region of being as secure as a 12 word seed phrase and incredibly difficult/impossible to brute force.

This is even more relevant when considering that most people using several words as a passphrase will not be using a truly random source of dictionary words. They will either be picking the "random" words manually and therefore not be random at all, or they will (even worse) be selecting words which have some meaning for them, are easy to remember, are linked in some way, etc.
legendary
Activity: 2730
Merit: 7065
Is there a possibility you perhaps misheard/misremember, and he actually said 4-6 words rather than a single word of 4-6 characters?
I misheard, you are right. It was my mistake. I watched through several videos to find the correct one. This is the video. At 7:15 he starts talking about the passphrase length and says: "a simple 4 to 6 word, random English word passphrase is sufficient". The way he structured that sentence got me thinking that he was talking about characters and not words.

If you enable the subtitles, you will notice that they are different from what he said in the video. In the subtitles they wrote: "a simple (set) of 4 to 6 random English words is a sufficient passphrase".

Sorry Andreas! 
legendary
Activity: 2268
Merit: 18771
In one of his bitcoin for beginners series, he advocates for the use of passphrases as an extension to your seed. But he goes on to mention that a simple 4-6 letter English word is a strong-enough passphrase. I can't comment on how easy that could be brute-forced, but I am sure some of you will.
Do you have a link for the video in question? The errors I have discussed above are small errors, could be a simple mistake, and don't change the essence of the message he is delivering. This, on the other hand, is a significant error and terrible advice. Using a single English dictionary word limits your options to around 150,000, depending on the dictionary you are looking at. Looking at only 4-6 letter words, you are down below 50k. You only have to perform 2048 rounds of PBKDF2 and then a handful more hashes and EC multiplications to derive the first few addresses. A quick benchmark check on my not-very-powerful computer with btcrecover means I could brute force this in well under a minute.

I would be very surprised if he was giving out such poor advice. This isn't a simple slip up like the others - this is a fundamental misunderstanding of what constitutes a good passphrase. Is there a possibility you perhaps misheard/misremember, and he actually said 4-6 words rather than a single word of 4-6 characters?
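The following is an added example in Python, not code from the thread or from any poster, that makes the point of the post above concrete: a single dictionary-word passphrase on a BIP39 seed falls to a loop over a word list, because each guess costs only one PBKDF2-HMAC-SHA512 run of 2048 rounds. It assumes the attacker already holds the 12-word mnemonic (the well-known all-"abandon" test phrase is used here) and, as a stand-in for the address comparison a tool like btcrecover would do after BIP32 derivation, compares the 64-byte seed directly. The dictionary is a constructed 30-word list; a real run would use a full 4-6 letter word list of roughly 50k entries. The `entropy_bits` helper reproduces the word-versus-character figures quoted elsewhere in the thread, and the script projects exhaustive-search time from the PBKDF2 rate measured on the machine it runs on.

```python
import hashlib
import hmac
import math
import time
import unicodedata


# BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase.
def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    mnemonic_bytes = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", mnemonic_bytes, salt, 2048, dklen=64)


# Assumed known to the attacker: the mnemonic (standard all-"abandon" test phrase) and,
# standing in for a derived address, the seed that the victim's real passphrase produces.
MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
            "abandon abandon abandon abandon abandon about")

# Constructed stand-in for a 4-6 letter dictionary; a real attack would use ~50k words.
DICTIONARY = [
    "about", "above", "acorn", "actor", "adult", "after", "again", "agent", "alarm", "album",
    "alert", "alien", "allow", "alone", "alpha", "amber", "angle", "ankle", "apple", "apron",
    "arena", "argue", "arrow", "aside", "asset", "atlas", "audio", "avoid", "awake", "award",
]


def brute_force_passphrase(mnemonic, target_seed, candidates):
    """Try each candidate passphrase; return (passphrase, attempts) or (None, attempts)."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if hmac.compare_digest(bip39_seed(mnemonic, candidate), target_seed):
            return candidate, attempts
    return None, attempts


def entropy_bits(alphabet_size, length):
    """Bits of entropy in `length` items drawn uniformly from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def seed_rate(mnemonic, samples=32):
    """Measured PBKDF2 throughput (seeds per second) on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        bip39_seed(mnemonic, f"bench{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    target = bip39_seed(MNEMONIC, "apple")  # the victim chose one dictionary word
    found, tries = brute_force_passphrase(MNEMONIC, target, DICTIONARY)
    print(f"recovered passphrase {found!r} after {tries} PBKDF2 runs")

    rate = seed_rate(MNEMONIC)
    for label, bits in [
        ("one of 50,000 words", math.log2(50_000)),
        ("2 of 150,000 words", entropy_bits(150_000, 2)),
        ("4 of 150,000 words", entropy_bits(150_000, 4)),
        ("10 random printable ASCII chars", entropy_bits(95, 10)),
        ("8 of 150,000 words", entropy_bits(150_000, 8)),
    ]:
        years = 2 ** bits / rate / (3600 * 24 * 365)
        print(f"{label:32s} {bits:6.1f} bits  ~{years:.3g} years at {rate:.0f} seeds/s")
```

The projection is single-core Python; a GPU cracker runs PBKDF2-HMAC-SHA512 orders of magnitude faster, which only widens the gap between a one-word passphrase and an 8-word one.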
legendary
Activity: 2730
Merit: 7065
I did see another video where he incorrectly stated (multiple times) that the BIP39 wordlist starts at "about" and ends at "zebra", though.
He sometimes makes mistakes or states incomplete information. In one of his bitcoin for beginners series, he advocates for the use of passphrases as an extension to your seed. But he goes on to mention that a simple 4-6 letter English word is a strong-enough passphrase. (I misheard. What he said is explained here). I can't comment on how easy that could be brute-forced, but I am sure some of you will.
legendary
Activity: 2268
Merit: 18771
but I'd be kinda surprised if Andreas actually made that mistake tbh.
He actually does state this incorrectly.

https://youtu.be/p5nSibpfHYE?t=280
Quote
because only the one word which fits perfectly completes the checksum

https://youtu.be/p5nSibpfHYE?t=311
Quote
that means there are 7 words which contain key material in the missing share - how hard is it to crack or brute force 7 words?

He does then go on to correctly state that it would be brute forcing 80 bits though. Whether or not he actually made a mistake or whether he was just "dumbing it down" for his viewers or not is another question. I did see another video where he incorrectly stated (multiple times) that the BIP39 wordlist starts at "about" and ends at "zebra", though.
HCP
legendary
Activity: 2086
Merit: 4363
I don't think A.A. was wrong, but OP used ambiguous language.
I didn't watch the stream... so I've no idea what words were actually used... but I'd be kinda surprised if Andreas actually made that mistake tbh.


Andreas also explains that if someone were to find a part of Shamir's share and that part is less than the quorum, it's like not having any information about the seed at all. That's the complete opposite of knowing 8 or 16 words as explained in the example in OP.
That's actually a very good point... by effectively encrypting the seed words, any share is rendered useless by itself (assuming you have more than 1 share!)... whereas, with just splitting up the seed words, the information is still "readable" and usable to mount an attack.
legendary
Activity: 3472
Merit: 10611
That's actually incorrect.
I'm feeling very lucky that I learned about Bitcoin in a community that corrects Antonopoulos!
I don't think A.A. was wrong, but OP used ambiguous language.
Quote
the last word of the phrase is the checksum, and since only one word fits in that position, it can be brute-forced much easier than the rest.
It probably wasn't saying "only one valid word can be placed there" but pointing out the fact that the last word in any X-word mnemonic represents less than 11 bits of entropy. So for example in the case of 24 words you would be missing only 3 bits, whereas if the first word was missing you would be missing 11 bits. So it is faster to brute force the last word than it is any other word.
legendary
Activity: 1512
Merit: 7340
Besides, I doubt attacking Bitcoin will be top priority if a government has one.
If we assume that ECDSA & ECIES can be broken, then I also doubt they would attack Bitcoin first. I guess they would keep it a secret and read every message they were unable to. If quantum computing somehow brute forces in a way that makes it possible to find a RIPEMD-160 collision, then the thing changes. They could destroy Bitcoin whenever they wanted, which would then be an upheaval (not temporary!) for the crypto market.

That's actually incorrect.
I'm feeling very lucky that I learned about Bitcoin in a community that corrects Antonopoulos!
legendary
Activity: 2268
Merit: 18771
Andreas also explains that if someone were to find a part of Shamir's share and that part is less than the quorum, it's like not having any information about the seed at all. That's the complete opposite of knowing 8 or 16 words as explained in the example in OP. And if one part of the SSSS share is lost, the data would still be recoverable.
This is all correct. The whole point of a SSS Scheme is that any number of shares less than the threshold number reveals no information about the final secret. If you split a seed phrase into m Shamir shares, and require n of those shares to recover the seed phrase, then anything up to n-1 shares reveals nothing and does not make brute forcing any easier; an attacker might as well have no shares and be trying to bruteforce every possible valid seed phrase.

The single point of failure with SSSS isn't in the compromise of a single share, though. When combining your shares to recover your seed phrase, you must bring them all together on a single device to do so. If that device is compromised, then your coins are lost. You are similarly at risk with the SSSS implementation that you use. There is not a standard implementation like there is with BIP39, so if the implementation you use is poorly designed then you could potentially leak enough information for an attacker to steal your coins.
legendary
Activity: 3472
Merit: 10611
~rival governments, etc.
Some governments actually use their own standardized cryptography. For example China has its own cryptography standards that includes hash algorithms, asymmetric cryptography, block ciphers, etc. I suppose they also have their own non-public algorithms to use for top secret stuff.
legendary
Activity: 1568
Merit: 6660
Fortunately, a quantum computer isn't magic which can brute force everything instantly. Besides, I doubt attacking Bitcoin will be top priority if a government has one.

But breaking elliptic curves and RSA security will be.

Notice that the NSA is the first organization to get access to any particular new advancement in technology such as computers, and most of the time they use it for national security purposes, i.e. they try to break encryption schemes, so everything from the NIST-issued P-*** curves to commercial sizes of RSA keys and the SEC2 and curve25519 curves is at risk, basically anything that is used by businesses, rival governments, etc.
legendary
Activity: 2730
Merit: 7065
AA said that people should not complicate the backup procedure because when they lose one part of the complicated backup procedure, they will lose the wallet.
Andreas also explains that if someone were to find a part of Shamir's share and that part is less than the quorum, it's like not having any information about the seed at all. That's the complete opposite of knowing 8 or 16 words as explained in the example in OP. And if one part of the SSSS share is lost, the data would still be recoverable.
HCP
legendary
Activity: 2086
Merit: 4363
AA explains how the last word of the phrase is the checksum, and since only one word fits in that position, it can be brute-forced much easier than the rest.
That's actually incorrect. For a 24 word seed there are actually 8 words that will be a "valid" checksum... not just one, because 3 bits out of the last 11 are actually entropy, not checksum.

It's "worse" for a 12 word seed... as only 4 bits of 11 are checksum... so 7 bits of entropy... so you're looking at 128 words that would be a valid checksum.


Of course... that doesn't really change the fact that it is still much easier to bruteforce this as it's only 8 words (128 words in the case of 12 word seed) instead of 2048... but it isn't quite as simple as "stop when we find the first word that makes a valid checksum", you'd still need to check the others.
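An added example in Python, not from the thread or any poster, that checks the counts in the post above (and the "fewer than 11 bits in the last word" point made further up) by construction rather than by argument. It works on BIP39 word indices (0..2047) instead of words, so no word list is needed: the checksum is the first ENT/32 bits of SHA-256 over the ENT entropy bits, and `valid_last_words` enumerates all 2048 candidates for the final position and keeps those whose checksum matches. The prefixes are drawn at random; the two fixed checks use the standard test phrases "abandon" x11 + "about" (index 3) and "abandon" x23 + "art" (index 102).

```python
import hashlib
import secrets

WORDLIST_SIZE = 2048  # each BIP39 word encodes 11 bits


def bip39_layout(nwords: int):
    """Return (entropy_bits, checksum_bits) for a mnemonic of nwords words."""
    if nwords not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    entropy_bits = nwords * 11 * 32 // 33   # 11 bits per word, 33 bits per 32 entropy bits
    return entropy_bits, entropy_bits // 32


def checksum_is_valid(indices):
    """BIP39 checksum check on word indices, so the word list itself is not needed."""
    if any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("word index out of range")
    ent, cs = bip39_layout(len(indices))
    bits = "".join(format(i, "011b") for i in indices)
    entropy = int(bits[:ent], 2).to_bytes(ent // 8, "big")
    # cs is at most 8, so the first digest byte holds every checksum bit we need.
    expected = format(hashlib.sha256(entropy).digest()[0], "08b")[:cs]
    return bits[ent:] == expected


def valid_last_words(prefix):
    """All word indices that complete `prefix` (every word but the last) with a valid checksum."""
    return [w for w in range(WORDLIST_SIZE) if checksum_is_valid(list(prefix) + [w])]


def random_prefix(nwords):
    return [secrets.randbelow(WORDLIST_SIZE) for _ in range(nwords - 1)]


if __name__ == "__main__":
    for n in (12, 15, 18, 21, 24):
        ent, cs = bip39_layout(n)
        candidates = valid_last_words(random_prefix(n))
        print(f"{n} words: {cs} checksum bits, {len(candidates)} valid last words "
              f"(= 2^{11 - cs}) versus {WORDLIST_SIZE} for any other position")
```

For any prefix the count is 2^(11 - cs): 128 for 12 words and 8 for 24 words, exactly as stated above, and 64, 32 and 16 for the 15-, 18- and 21-word lengths. An attacker missing the last word still has to derive addresses for each surviving candidate; the checksum only shrinks the list, it does not pick the winner.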
legendary
Activity: 3038
Merit: 4418
In a livestream for Crypto security Passwords and Authentication
AA said that people should not complicate the backup procedure because when they lose one part of the complicated backup procedure, they will lose the wallet.

I don't understand the very advanced points in bruteforcing, but I will take the advice from AA in his previous livestream.
Could you point out the timestamp for which this is mentioned? The livestream is far too long and I can't find anything related to this when doing a quick scrub of the timeline.

The alternative to the scheme which is much simpler still gives sufficient redundancy if several pieces are lost, just like in Multisig where you have redundancy in terms of the signers which are not cooperative. Common seed splitting schemes are easily implemented and reproduced without the need for any complicated code.