Author

Topic: Brute-forceable puzzle - free crypto for whoever manages to crack it [SOLVED] (Read 1031 times)

legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
IMO 7 days is quite short since he use free (?) API and single-thread software.
Because I gave out hints it's only 2 dates and in 1900-2021 range, to make it easy.

I already read the part where you gave those hint, but i still think it's quite short.

IMO 7 days is quite short since he use free (?) API and single-thread software.
Because I gave out hints it's only 2 dates and in 1900-2021 range, to make it easy.
I'm kinda surprised the Etherscan API wasn't rate limiting him. From my experience with APIs, most of them autoban your IP address if you hit them too many times. Sure, they throttle you to a few requests per minute at any rate. That was my original deterrence from making a Blockchair API calling script that running overnight.

The bitcoins still haven't been found yet, apparently, only the ethereum.

Etherscan docs (https://info.etherscan.com/api-return-errors/) only mention the limit is 5 calls/sec/IP. Even so, that means his script only can check up to 100 address/sec.
sr. member
Activity: 317
Merit: 275
This indeed was way too easy.
Because I made it easy enough to be cracked, hence the puzzle.

So, even [...] if it wouldn't be purely based on security through obscurity (which it does), it still would be a worthless scheme.
It's not. It's not cryptographically secure, but it's still quite secure, depending on how you use it:

With 2 dates in 1900-2021 range there are about 1 billion possibilities. With 3 dates it's 14 trillion, with 4 dates it's 158 quadrillion. Good luck cracking that.
legendary
Activity: 1624
Merit: 2481
I already read the part where you gave those hint, but i still think it's quite short.

This indeed was way too easy.

If the probability of winning is larger than negligible (smaller than the inverse of any polynomial function), it is not cryptographically secure and therefore is a bad encryptio scheme.
So, even if this mechanisms wouldn't leak plaintext bits (which it does) and if it wouldn't be purely based on security through obscurity (which it does), it still would be a worthless scheme.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
IMO 7 days is quite short since he use free (?) API and single-thread software.
Because I gave out hints it's only 2 dates and in 1900-2021 range, to make it easy.

I'm kinda surprised the Etherscan API wasn't rate limiting him. From my experience with APIs, most of them autoban your IP address if you hit them too many times. Sure, they throttle you to a few requests per minute at any rate. That was my original deterrence from making a Blockchair API calling script that running overnight.

The bitcoins still haven't been found yet, apparently, only the ethereum.
sr. member
Activity: 317
Merit: 275
IMO 7 days is quite short since he use free (?) API and single-thread software.
Because I gave out hints it's only 2 dates and in 1900-2021 range, to make it easy.
sr. member
Activity: 317
Merit: 275
Anyway, here's the write-up from the guy who cracked it and his code:

https://www.reddit.com/r/CryptoCurrency/comments/p2jkh3/how_i_solved_utoshiromiballzas_puzzle_in_just/
https://github.com/willhblackburn/brute-force-seedshift-puzzle-pub

The dates used to encrypt the seed words were:
1956-05-04
2014-08-28
(Hal Finney's birth & death)

Encrypted:
Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic
Original:
Code:
broom bike glove six devote jazz sunset stereo reunion solid toss disagree

Ethereum address: 0x9F316FAe2Bdb7cb6aa31B1776F0fe9041eFc2516
sr. member
Activity: 317
Merit: 275
BIP39 is neither security by obscurity nor does it leak plaintext bits.
It's an easy way to store your wallet's seed; it doesn't leak anything because it is "the leak". I employ this same simple and easy way to store the seed words, not random 100-300 character Base64 encrypted gibberish. You still don't get it.

These are neither 100-300 chars
Yes they are, 128 in the example above by AES256 encrypting 12 mnemonic words with the password "blabla". Are you blind or intentionally obtuse?

It doesn't make any sense to create a shitty and insecure shift-cipher (which has to be taught how to use) instead for example just a BIP39 passphrase. Most proper wallets can handle this.
Most wallets generate your 12-24 seed words for you, without the possibility of using a passphrase, so no. This is meant for those cases. So you've got 3 options: 1. write the seed words as is; 2. write them cryptographically securely encrypted as 100-300 character gibberish; 3. write them down not cryptographically securely encrypted but in easy human-readable BIP-39 words that are still realistically impossible to crack without knowing the method used, which still gives you plenty of time to recover your funds in case of theft. Do you get it now? (well there is the 4th option of buying a TREZOR/Ledger and moving all the funds there)
legendary
Activity: 1624
Merit: 2481
That is one reason why it is bad.
Another one is that it leaks bits of the plain text.

Any of these 2 reasons is enough to deem that as a bad design.
So BIP-39 is a stupid and bad idea, saving the wallet's key in an easy and human readable format?

BIP39 is neither security by obscurity nor does it leak plaintext bits.



Still not getting it and missing the point. Your alternative is to write down 100-300 random characters on a piece of paper (have fun with that) and then require your family to be above-average computer literate to be able to decrypt it.

These are neither 100-300 chars, nor is it too difficult for an average person to decrypt it using a 3-5 step instruction.

It doesn't make any sense to create a shitty and insecure shift-cipher (which has to be taught how to use) instead for example just a BIP39 passphrase. Most proper wallets can handle this.
That would be way more easy to use than either AES or your shift shit cipher.

In the end it comes down to two pieces which have to be stored: the secret and the (encrypted) data.
Whether this is your plaintext-leaking-mnemonic [data] with the instruction and dates [the secret] or simply the securely (non-leaking) BIP39 passphrase protected mnemonic [data] and the passphrase [the secret] doesn't matter. The difference is, one is secure while the other one isn't.
I'd even argue that the passphrase protected mnemonic is easier to handle for non-techy people than your garbage.
sr. member
Activity: 317
Merit: 275
I don't to visit any website. I know how AES works behind the scenes. I don't care what a random website outputs on an arbitrary input.
LOL.

No, it doesn't. Check openssl for example. It comes with literally every linux distro out there.
Yes it does. Windows does not come with it, so you have to download it or similar software. Stop pretending only Linux exists and that everyone uses or knows how to use Linux.

As shown in my previous post, a 12 word mnemonic results in 48 byte which can be easily represented by 48 characters.
openssl enc -k blabla -aes256 -base64 -e -in seedwords.txt -out encrypted_seedwords.txt:
That is one reason why it is bad.
Another one is that it leaks bits of the plain text.

Any of these 2 reasons is enough to deem that as a bad design.
So BIP-39 is a stupid and bad idea, saving the wallet's key in an easy and human readable format?

It's not.
Simply cryptanalysis and even bruteforcing is enough to break your "scheme".
Yes, after I provided the exact algorithm and hints to make it crackable. Once again:
If I just came here and said "crack this, it's encrypted, good luck lol", absolutely nobody would be able to do it, because the possibilities I could have used to encrypt it are endless. It'd be the same as trying to brute-force Satoshi's private keys.

Just stop pretending your "mechanism" is good. It is not even close to being acceptable.
Still not getting it and missing the point. Your alternative is to write down 100-300 random characters on a piece of paper (have fun with that) and then require your family to be above-average computer literate to be able to decrypt it. This is exactly why BIP-39 was made, to avoid having to do that, and to write down your wallet's key in an easy and human-readable format. But yes, a better and cryptographically secure (which mine isn't, and I never claimed it was) way would be if there was an accepted standard to convert AES encrypted text into BIP-39 words and write it down that way. But even this way would require extra computer knowledge to decrypt, not something your Average Joe would know how to do. Again, mine is simpler and can be done by hand. A trade-off for simplicity.
legendary
Activity: 1624
Merit: 2481
Go to https://aesencryption.net/ (something my or your mom would find on the internet), input the seed words, encrypt, count the number of characters.

I don't to visit any website. I know how AES works behind the scenes. I don't care what a random website outputs on an arbitrary input.



Your pRoPosEd method either involves a) external/online software to do

No, it doesn't. Check openssl for example. It comes with literally every linux distro out there.



b) storing it digitally in a file for easier copy-paste into said external software

Not true.


or c) writing down 100-300 random hard-to-read Base64 characters on a piece of paper, case-sensitive, and hoping for no human error when typing it into said external software (and on paper!).

As shown in my previous post, a 12 word mnemonic results in 48 byte which can be easily represented by 48 characters.



My method [...] and yes, security through obscurity [...]

That is one reason why it is bad.
Another one is that it leaks bits of the plain text.

Any of these 2 reasons is enough to deem that as a bad design.



A wrench attack is the only thing my method is really vulnerable to

It's not.
Simply cryptanalysis and even bruteforcing is enough to break your "scheme".


It might work for you, you can feel safe as much as you want.
Trust me, no one here cares about you and your coins.

Just stop pretending your "mechanism" is good. It is not even close to being acceptable.
sr. member
Activity: 317
Merit: 275
Why don't you just use BIP 39 passphrase, then save the seed words on crypto.txt without the passphrase itself?
Most wallets do not offer that possibility, they generate a 12, 15, 24 word wallet for you. Of course using TREZOR/Ledger with a passphrase is safer, but you could even use that AND date-shift encrypt it for EXTRA security.
sr. member
Activity: 317
Merit: 275
To be honestly, i couldn't care less about your approach and whether your mom will understand anything.

My only concern here is that others might believe this is a gOoD iDeA. That's the only reason i am commenting here. I absolutely don't care about you and your BTC.
So when you realize you're talking bullshit and making things up on the fly "jUsT uSe yOuR oS tO eNcRyPt tHe SeEd WoRdS" you just resort to petty remarks and say how you couldn't care less. Hurr durr. Just be honest and admit you're talking out of your ass.


AES is a Block Cipher which works on 16 bytes blocks.
Assuming a 12 word mnemonic code, that's 132 bit (=16.5 byte) which results in a 32 byte output. If you want to store the IV together with the cipher text, that would be another 16 byte resulting in 48 byte in total.
That's nowhere close to "100-300 gibberish characters".

A 24 word mnemonic would result in 16 more bytes (a total of 64 bytes).
Go to https://aesencryption.net/ (something my or your mom would find on the internet), input the seed words, encrypt, count the number of characters.

Now, instead of trying to call other people out on "not getting it" where "it" equals your shitty approach every sane person in the crypto scene wouldn't even touch with a stick, learn the fundamentals. Only then, we can start talking about encryption schemes and security in general.
But you actually still don't get it because you have your head so far up your rear end and you're entirely missing the point: the point is to write down the seed words on a piece of paper and also allow family members to easily access your wallet if anything happens to you. You can either write it down in plain-text, which is not a good idea because any thief finding the paper can steal your funds, or, encrypt the seed words in some way to prevent that from happening.

Your pRoPosEd method either involves a) external/online software to do, b) storing it digitally in a file for easier copy-paste into said external software, or c) writing down 100-300 random hard-to-read Base64 characters on a piece of paper, case-sensitive, and hoping for no human error when typing it into said external software (and on paper!). My method doesn't involve external software, you can encrypt/decrypt by hand, you can write it down in easy human-readable words, it can provide plausible deniability and yes, security through obscurity (you wouldn't know whether the seed words I wrote down are encrypted (or how), mistyped, or (as long as the last word is a valid checksum) if I send a small amount of decoy crypto to that wallet, that's all you'd think there is).

A wrench attack is the only thing my method is really vulnerable to, because it's obviously crypto seed words the paper holds (hence I also made this easy way to obfuscate the seed words by mapping them to their Traditional Chinese BIP-39 Unicode counterparts: https://github.com/mifunetoshiro/bip39_obfuscator), whereas AES encrypted gibberish gives you greater protection in this regard. A trade-off for easier and more human-friendly storing and recovering of crypto (the very reason why BIP-39 got made, lol.

And in any case, the only reason somebody was able to crack this puzzle was because I gave out the exact encryption algorithm and numerous hints to make it intentionally easier. If I just came here and said "crack this, it's encrypted, good luck lol", absolutely nobody would be able to do it, because the possibilities I could have used to encrypt it are endless. It'd be the same as trying to brute-force Satoshi's private keys.
legendary
Activity: 1624
Merit: 2481
Ok, encrypt
Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic
with password "bla" on Windows 10 without downloading external tools, and then also decrypt it. Let me see the how-to so even my mom can understand.

To be honestly, i couldn't care less about your approach and whether your mom will understand anything.

My only concern here is that others might believe this is a gOoD iDeA. That's the only reason i am commenting here. I absolutely don't care about you and your BTC.



You still don't get it. AES encrypting the seed words will produce 100-300 gibberish characters [...]

AES is a Block Cipher which works on 16 bytes blocks.
Assuming a 12 word mnemonic code, that's 132 bit (=16.5 byte) which results in a 32 byte output. If you want to store the IV together with the cipher text, that would be another 16 byte resulting in 48 byte in total.
That's nowhere close to "100-300 gibberish characters".

A 24 word mnemonic would result in 16 more bytes (a total of 64 bytes).

Now, instead of trying to call other people out on "not getting it" where "it" equals your shitty approach every sane person in the crypto scene wouldn't even touch with a stick, learn the fundamentals. Only then, we can start talking about encryption schemes and security in general.
sr. member
Activity: 317
Merit: 275
Who said anything about online services?

You do trust your Operating System, right? Then just use the built-in tools. As easy as that.

Ok, encrypt
Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic
with password "bla" on Windows 10 without downloading external tools, and then also decrypt it. Let me see the how-to so even my mom can understand.

And you also don't need 100-300 gibberish character, it seems you still didn't get it. Just read my last 2 posts again. You can use the same secret which in your case are a few dates. No additional characters.
You still don't get it. AES encrypting the seed words will produce 100-300 gibberish characters that you need to write down on a piece of paper, case-sensitive. Saving them in crypto.txt on my mother's computer is a bigger security risk, even though the encryption is better.
legendary
Activity: 1624
Merit: 2481
And risk using these online encryption/decryption services who may save the results and steal funds as well? With my method you can do it by hand, you don't need any script.

Who said anything about online services?

You do trust your Operating System, right? Then just use the built-in tools. As easy as that.



I think it's you who didn't get it... With my method you don't have to rely on any external software or use online services (and risk theft) to decrypt anything, you can do it by hand. And with my method you can simply write down 12-24 BIP-39 words, not random gibberish 100-300 characters. The point is to write them down on a piece of paper, not store them on a computer in crypto.txt that my mother has access to and can simply copy-paste it. That's just extra risk right there.

You don't need any external software. You can just use your OS.
And you also don't need 100-300 gibberish character, it seems you still didn't get it. Just read my last 2 posts again. You can use the same secret which in your case are a few dates. No additional characters.
The difference is that you don't use a worthless and non-secure mechanisms which leaks the plaintext (your mnemonic code), but a secure algorithm which is used all over the internet to secure messages.

If you don't trust AES, why don't you just use your stupid and insecure shift cipher to communicate with websites instead of TLS?

You have been warned. What you are doing is bad and insecure. And that is not an opinion, but a fact.
You gain almost zero usability but lose tons of security.

I understand that people who don't understand anything at all regarding security and cryptography believe to be able to create a secure mechanisms. Simply because they don't know better.
But the truth is, they can't. Believe it or not. We don't care whether you lose your money. The important part is that everyone else reading this knows that your mechanisms is insecure.
sr. member
Activity: 317
Merit: 275
So, what was the method used to solve the puzzle?
Waiting for a write-up from the guy who solved it.
sr. member
Activity: 317
Merit: 275
You didn't get it.

First, you could just write that down.
"Dear mother, decrypt the following thing by pasting it into the software called XXX on my PC: ..."

Second, that is not what i wrote.

Your secret data you have used for the shift cipher were some dates.
You could use exactly these dates (the secret information) as a key in an AES cipher. That would be already way more secure than your approach since it wouldn't leak anything about the plaintext at all.
And when decrypting, that is exactly the same effort (Taking secret info X and doing Y).
I think it's you who didn't get it... With my method you don't have to rely on any external software or use online services (and risk theft) to decrypt anything, you can do it by hand. And with my method you can simply write down 12-24 BIP-39 words, not random gibberish 100-300 characters. The point is to write them down on a piece of paper, not store them on a computer in crypto.txt that my mother has access to and can simply copy-paste it. That's just extra risk right there.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
So, what was the method used to solve the puzzle?
sr. member
Activity: 317
Merit: 275
Well if someone is not capable of filling out 2 textboxes in a UI (one with the words and the other with the passphrase used) then they also won't be able to use any other method such as your shift cipher which requires the same 2 inputs (mnemonic and a date)!
And risk using these online encryption/decryption services who may save the results and steal funds as well? With my method you can do it by hand, you don't need any script.
legendary
Activity: 3472
Merit: 10611
Yes, I'm sure my mom will figure that one out.
Well if someone is not capable of filling out 2 textboxes in a UI (one with the words and the other with the passphrase used) then they also won't be able to use any other method such as your shift cipher which requires the same 2 inputs (mnemonic and a date)!
legendary
Activity: 1624
Merit: 2481
See:
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.

You didn't get it.

First, you could just write that down.
"Dear mother, decrypt the following thing by pasting it into the software called XXX on my PC: ..."

Second, that is not what i wrote.

Your secret data you have used for the shift cipher were some dates.
You could use exactly these dates (the secret information) as a key in an AES cipher. That would be already way more secure than your approach since it wouldn't leak anything about the plaintext at all.
And when decrypting, that is exactly the same effort (Taking secret info X and doing Y).
sr. member
Activity: 317
Merit: 275
So AES encrypt the seed words with a password, then encode the encrypted text as seed words, so to get my original seed words I have to 1st unencode the encrypted text and then decrypt the encrypted text with a password.

Yes, I'm sure my mom will figure that one out.
legendary
Activity: 3472
Merit: 10611
The point ot mnemonic keys is to be able to write them down easily on a piece of paper and recover them if needed, both by yourself and your family if anything happens to you. You really expect anyone to write down 100-300 random characters
There were no mnemonic at first, there were BIP32 which needed an octet string and could only produce a Base58 string that had 111 characters and was hard to write down. Then someone came up with the idea to encode that octet string as a set of words.

If you think writing down the encrypted result as Base64 (or different encodings like Base16, Base58, etc) is hard then you should focus on changing the encoding to something easier to write down instead of changing the encryption!
For example the Base64 you posted above is 80 bytes, encoding it as mnemonic is trivial, you just select a word list such as the 2048 words used by BIP39 then split the bits to small chunks that corresponds to the word list word count (11 bits) then print the corresponding words. That turns the 80 bytes into 59 words. (keep in mind the encrypted 256-bit mnemonic will be slightly bigger than 256-bit -or the same 24 words as BIP39- certainly not 640 bit).
Code:
71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=
ef54e341060f91a742abca9403a2eab7b1615011233d2ce00d26c103ab296ed0ff8fcbf7257a7d569728d07f2b4bf4cadbf20e312d1a1c5e502322e2846b8fd9d4a076829dc83adbf363bbdad34f753e
first 2 words
Code:
11101111010 10100111000
1914        1336
urban       poem
sr. member
Activity: 317
Merit: 275
The puzzle has been solved!

I will give out more details later!
sr. member
Activity: 317
Merit: 275
It is way less secure than using a strong cipher with the same secret data.
Your mechanism leaks bits of the plaintext, which is always bad.

You could have just used your 4 dates or whatever shit you are using and use a proper encryption cipher.
Then no single bits would have been leaked and you'd be pretty fine.
See:
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.

The point ot mnemonic keys is to be able to write them down easily on a piece of paper and recover them if needed, both by yourself and your family if anything happens to you. You really expect anyone to write down 100-300 random characters (or even engrave them on metal plates) and then think your family members will know how to decrypt them? It's pretty much guaranteed your crypto is gone if you die if you use this approach. Some of us actually thought about these what-if scenarios to ensure our families get a piece of the pie if something happens to us.

Do whatever you want.. when storing 20$, no one will care. You could also just store it in plaintext.

But in the real world you wouldn't know how much crypto a wallet holds. What if it's thousands or millions?
sr. member
Activity: 317
Merit: 275
Could you confirm that coins are not BTC on the first address of the first account (m/44'/0'/0'/0/0)?
Yes, I can confirm that.
legendary
Activity: 1624
Merit: 2481
No, it's still safer than writing down your seed words in plain text, there's no debating this, otherwise this puzzle would already be solved.

It is way less secure than using a strong cipher with the same secret data.
Your mechanism leaks bits of the plaintext, which is always bad.

You could have just used your 4 dates or whatever shit you are using and use a proper encryption cipher.
Then no single bits would have been leaked and you'd be pretty fine.

With this however, you are wasting yours and our time.


Do whatever you want.. when storing 20$, no one will care. You could also just store it in plaintext.



The obscurity is still there

And security by obscurity is proven to be bad.
legendary
Activity: 952
Merit: 1386
Could you confirm that coins are not BTC on the first address of the first account (m/44'/0'/0'/0/0)?
I have processed all the dates in the range you mentioned and checked addresses but without result - so coins are somewhere else or I did something wrong...
sr. member
Activity: 317
Merit: 275
No, it's still safer than writing down your seed words in plain text, there's no debating this, otherwise this puzzle would already be solved.

The obscurity is still there, because in the real world you wouldn't know what method someone used to encrypt their seed words. Here in this controlled environment I gave out the exact algorithm used and hints and still nobody solved it. In the real world you wouldn't know any of this. If I just posted an encrypted seed word mnemonic here without the method I used and without any hints whatsoever it would be impossible to crack, same is when a thief comes across your encrypted mnemonic.

I know about using an extra passphrase, as I wrote on github:
Quote
The purpose of this is to be able to safely write down your mnemonic seed words, not having to worry about a thief stealing your private keys, and in case something happens to you, allow your family to regain access to your wallet without needing to know a complex passphrase (TREZOR/Ledger), as all they need to know is the dates you used and the method to decrypt the words (pretty easy if it's in-family birthdays). Gather them around the table and do a couple of examples by hand. If you have a TREZOR or Ledger hardware wallet, having a complex passphrase as the "25th" word is more secure, but the more complex the passphrase is, the easier it is for your family or even you to not remember it at all (unless you wrote it down, which is a security risk in itself). If something were to happen to you, having a simpler passphrase (such as names or birthdates) would make it easier for your family to remember and access your wallet, and you could use both a passphrase and encrypt the seed words with a date shift cipher for extra security.
MetaMask for example does not support the 13th/25th passphrase, so if someone has a MetaMask seed how would you safely write it down? Most wallets generate 12 or 24 seed words without the possibility of adding an extra passphrase, how would you safely write them down? My method works and is secure.
full member
Activity: 206
Merit: 450
It looks more like security through obscurity.

As I wrote on my github:
Quote
Note that the encrypted words/numbers are not cryptographically secure, as they can be bruteforced to get the original words, but they do give you some protection from the common thief and some extra time to react in case of theft, etc.
Is the above true? Yes. Is it safer than writing it down in plain text? Yes.

No. It was "safer" before you published it. Now it's no more. The obscurity is gone.

Way "safer" would be to use the dates as an additional passphrase, maybe as text and together with other words. This way you wouldn't need additional software, it already works, not only with BIP39, but electrum seeds as well.

sr. member
Activity: 317
Merit: 275
It looks more like security through obscurity.

As I wrote on my github:
Quote
Note that the encrypted words/numbers are not cryptographically secure, as they can be bruteforced to get the original words, but they do give you some protection from the common thief and some extra time to react in case of theft, etc.
Is the above true? Yes. Is it safer than writing it down in plain text? Yes.
full member
Activity: 206
Merit: 450
It is less than $500.

For 12 word BIP39 on average every 16th try will have a valid checksum. If I got it correctly there are only 2 dates 1900-2021, so the complexity is around 365.242*1212/16 = 226.9 PBKDF2. Single address derivation (the usual non-hardened) is about 10 times faster than PBKDF2. Generating all the master keys would take about 1-2 minutes on 4xV100 (amazon p3.8xlarge), but to develop and test it would cost much more time.

Not worth it.

Let's look at the "hardest" 12 word "encryption". If only valid dates are supplied (i.e. no 37th day of 185th month), then the complexity is 365.243*20483/16 = 254.5 PBKDF2. Going through all combinations would take ~461 years on 4xV100.

Of course this scheme has an enormous weakness - since the dates are to be easy remembered, then the range would be significantly smaller. For example 3 dates in interval 1900-2021 give complexity 242.3, or about 35 days on 4xV100. Inserting a memorable date from the past doesn't help either.

It looks more like security through obscurity.

sr. member
Activity: 317
Merit: 275
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It does not matter - you create words by shifting and then you try to generate address - seed is correct and it works or incorrect - so you may skip it. I would not focus on that during shifting.
Still the questions are:
- which address (derivation path) should be used?
- what is the stake?
- why do we do it?

I definitely agree with the second point, IMO it's not worth the expenses paid for all this cracking material being used if the reward is less than say $500.
legendary
Activity: 952
Merit: 1386
Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.

D'oh! And here we are trying to derive all seeds formed by the date shift combinations...  Embarrassed

I have no idea how I'm going to fit a checksum function in the code though.

It does not matter - you create words by shifting and then you try to generate address - seed is correct and it works or incorrect - so you may skip it. I would not focus on that during shifting.
Still the questions are:
- which address (derivation path) should be used?
- what is the stake?
- why do we do it?

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.

D'oh! And here we are trying to derive all seeds formed by the date shift combinations...  Embarrassed

I have no idea how I'm going to fit a checksum function in the code though.
sr. member
Activity: 317
Merit: 275
Remember also that not all seed words generated are valid, the 12th/24th are checksums, so if it fails the checksum test it's obviously not the right mnemonic seed/date.
legendary
Activity: 952
Merit: 1386
It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and even we do not know which coins we look for - it is waste of energy.

Unfortunately, the BIP39 wordlist is the same for both BTC or ETH but the paths are different: For eth it's m/44'/60'/0'/0'/0.  Embarrassed Only the Coin Type (second) number changes with each coin so in the wacky situation he is also hiding e.g. LTC (and at this point I strongly doubt it's a meager amount less than $100 if it's stored across multiple cryptos) then you just have to change the coin type to the number for LTC paths to search it was well.

Yes, I know all of that, the problem is that first we must check if any generated address contains coins, so for each seed you must generate several addresses. Anyway - it is doable, generation of shifted seeds is easy, the problem lies in fact that you do not know what to generate from the given seed - too many possibilities. If it would be known that is it (for example) BTC on first address - it would make it easy. The knowledge that BTC is created using BIP44 is already a lot. But I do not want to waste time not knowing the stake.
Later maybe I will commit to github Worker I created (based on my LostWord program) to solve 'shifted' seeds.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and even we do not know which coins we look for - it is waste of energy.

Unfortunately, the BIP39 wordlist is the same for both BTC or ETH but the paths are different: For eth it's m/44'/60'/0'/0'/0.  Embarrassed Only the Coin Type (second) number changes with each coin so in the wacky situation he is also hiding e.g. LTC (and at this point I strongly doubt it's a meager amount less than $100 if it's stored across multiple cryptos) then you just have to change the coin type to the number for LTC paths to search it was well.
legendary
Activity: 952
Merit: 1386
It means it could be BTC or ETH or both.

Oh, so I gave up. I processed around 10% dates & BTC addresses - first ones from the seed in BIP44: m/44'/0'/0'/0/0, but if your coins could be anywhere and even we do not know which coins we look for - it is waste of energy.
sr. member
Activity: 317
Merit: 275
It means it could be BTC or ETH or both.
legendary
Activity: 952
Merit: 1386
Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.

Does it mean that award is not on the first address (from first account)?
sr. member
Activity: 317
Merit: 275
Remember that you don't know which crypto wallet this is, or if the award is only on one or more crypto wallets with the same seed words.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Field day 2, so to get a list of addresses that could've been OP's challenge address, I went to the "outputs" database dumps of Blockchair and downloaded the spreadsheets for August 1 and July 31 (the former was not available until today hence the wait). It is a little slow, but the download speed is a manageable 10 minutes on a high-speed ethernet network.

The next step is to (1) filter out all the coinbase outputs, (2) filter all the non- pubkeyhash outputs and (3) filter out all outputs <= $10.

Then we filter outputs that are less than $100 because let's be honest, a challenge worth less than $100 are not worth solving Tongue when I applied this filter on the website it eliminated a surprisingly large number of transactions.

I am expecting to be left with some 10 thousand addresses which can then be placed in a bloom filter.

All spreadsheet software are either lagging or outright crash when I open the DB dump so I have to resort to dirty Python tricks again to apply the above.



How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

I'm sure even most developers have trouble doing that.
sr. member
Activity: 317
Merit: 275
How do I explain to my mother to AES decrypt "71TjQQYPkadCq8qUA6Lqt7FhUBEjPSzgDSbBA6spbtD/j8v3JXp9Vpco0H8rS/TK2/IOMS0aHF5QIyLihGuP2dSgdoKdyDrb82O72tNPdT4=" and ensure to type it out correctly?

Birthdays and anniversaries everyone remembers, and with 24 seed words you can shift it with up to 8 dates. Never said it's unbreakable, but it's not easy to break either, it gives you plenty of time to react in case of theft and it's simple enough by knowing the dates to do it by hand.
legendary
Activity: 3472
Merit: 10611
What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words?
Encryption using a cryptographic strong encryption algorithm such as AES using a proper passphrase then creating proper backups from the encrypted result and the passphrase used and storing them separately.

Quote
Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
Even though this is called "passphrase" but it is not encrypting anything, it is "extending" the seed phrase and should not be considered a proper security measure.


P.S. https://security.stackexchange.com/questions/18197/why-shouldnt-we-roll-our-own
sr. member
Activity: 317
Merit: 275
Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
Is it safer than storing it in plain-text? Yes. Does it give you a lot of more time to react and move your coins in case someone breaks in and steals your written down seed words? Yes.

What's a safer and easier alternative to store your seed words and in case something happens to you, your loved ones can decrypt the words? Other than a complex passphrase on a Trezor/Ledger, which you would also need to write down in plain-text and make it a security risk?
legendary
Activity: 3472
Merit: 10611
Shift ciphers aren't considered strong and should never be used to encrypt anything important such as a bitcoin mnemonic.
Also whether or not someone solves this "puzzle" should not be used as an indication of security of this algorithm.
sr. member
Activity: 317
Merit: 275
Oh it does  Smiley it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call.
Hey, that's cheating!  Grin
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Timezone/country doesn't matter

Oh it does  Smiley it allows us to go to a block explorer and skim it for addresses inside transactions made between midnight (wherever your TZ is) and date of the OP so we can check the results against a list of addresses instead of making an expensive network call. This assumes you made the transaction today though, where "today" begins at midnight, your timzeone.

But if you don't tell us we can always assume it was made in Hawaii timezone (UTC-10) which isn't going to add too many extra addresses if we use its midnight as the starting point.  Wink

A few gems I'll post here; they are the basis for a client-server implementation I'm writing that'll let everyone share the load on their systems:

Server:

Code:
!/usr/bin/env python
# Python Network Programming Cookbook,
   Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12
   and Python 3.5.2.
# It may run on any other version with/without
  modifications.
 
import socket
import sys
import argparse
 
host = 'localhost'
data_payload = 2048
 
def echo_server(port):
    """ A simple echo server """
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET,
                         socket.SOCK_DGRAM)
 
    # Bind the socket to the port
    server_address = (host, port)
    print ("Starting up echo server
            on %s port %s" % server_address)
 
    sock.bind(server_address)
 
    while True:
        print ("Waiting to receive message
                 from client")
        data, address = sock.
                        recvfrom(data_payload)
    
        print ("received %s bytes
                from %s" % (len(data), address))
        print ("Data: %s" %data)

        if data == "PROOFOFWORK":
            pass
          # validates via block explorer
        elif data == "GETWORK":
            # generate work and send it to client
        else:
            # unrecognized command

        if proof_of_work == true:
            message = "MATCH {} {} {}".format(address, pubkey, prvkey)
            # send this to all clients:

            for address in addressess:
                sent = sock.sendto(message, address)
        else:
        # Normally this would be whether the work is
        # the correct address or not but here we just
        # insert a dummy
            message = "NOTMATCH {} {} {}" .format(address, pubkey, prvkey);
            sent = sock.sendto(data, address)
    
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser
             (description='Seedshifter Cracker Server')
    parser.add_argument('--port', action="store", dest="port", type=int, required=True)
    given_args = parser.parse_args()  
    port = given_args.port
    echo_server(port)
 

Client:

Code:
#!/usr/bin/env python
# Python Network Programming Cookbook, Second Edition -- Chapter - 1
# This program is optimized for Python 2.7.12 and Python 3.5.2.
# It may run on any other version with/without modifications.
 
import socket
import sys
import argparse
 
host = 'localhost'
data_payload = 2048
 
def echo_client(port):
    """ A simple echo client """
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET,
                         socket.SOCK_DGRAM)
 
    server_address = (host, port)
 
    while true:
        try:
    
            # Send data
            message = "GETWORK"
            sent = sock.sendto(message.encode
                  ('utf-8'), server_address)
    
            # Receive response
            message, server = sock.recvfrom(data_payload)
            # get head of message
            if message == "WORK"
                # perform work on GPU
            elif message == "FOUND"
                # record private key, public key and address and break
                break
            else:
                # ignore all unrecognized commands
          except Exception as e:
            break
    
    print ("Closing connection to the server")
    sock.close()
 
if __name__ == '__main__':
    parser = argparse.ArgumentParser
             (description='Seedshifter Cracker Client')
    parser.add_argument('--port', action="store", dest="port", type=int, required=True)
    given_args = parser.parse_args()  
    port = given_args.port
    echo_client(port)

It won't run as is though because this is just a skeleton I found in a book and slightly adapted to act as a PoW server, similar to the stratum servers used in mining.

EDIT:

I just tried querying Blockchair's API, it limits me to 10 records per call, ironically I went to buy an API key but their only payment processor is PayPal (!) I mean, not even CC, much less crypto.

So this means unless someone already has an API key it is technically infeasible to gather a large number of addresses.

I think this highlights one of the big problems with the current state of APIs, namely, there is no easy way to [pay to] query them in bulk, if you can even query them at all - and Blockchair is pretty much the only one with this feature (blockchain.info has a very very limited set of endpoints).
legendary
Activity: 952
Merit: 1386
I have a working solution - knowing address would make it much easier (faster), now I am stuck on creating list of addresses and checking them against addresses with balance (I must transfer file between machines etc.).
sr. member
Activity: 317
Merit: 275
748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.

OP, which timezone/country are you in?

Did you move the coins in the address before or after you posted this challenge?
Timezone/country doesn't matter and I put the coins there before the challenge. The 2 dates I used are in 1900-2021 range, shifted in YYYY-MM-DD format from oldest to youngest date, so knowing that, the number of possible combinations lowers, because the 1st date you shift should always be older than the second. Smiley
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Doable...

Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?

748016^3 combinations of dates if we use years from 0-2048 and all months/days and ignore 1900-2021 range.

OP, which timezone/country are you in?

Did you move the coins in the address before or after you posted this challenge?



UPDATE:

using python datetime() + timedelta of 693595 gives 1900-01-01 and + 738154 gives 2021-21-31, so that is our range, and the difficulty is:

Code:
minv=693595
maxv=738154
print(maxv-minv)
print(pow(maxv-minv,3))
import math
print(math.log(pow(maxv-minv,3),2))

44559
88472094168879
46.330287706213426

i.e. unless you have hundreds of CPUs then it's not doable on CPU. However 2^46 can be tackled by one GPU.
sr. member
Activity: 317
Merit: 275
BIP44, and some more clues from Reddit: I used 2 dates from 1900-2021.
legendary
Activity: 952
Merit: 1386
Doable...

Could you at least say which address we should check (first?) and if it is BIP32 or BIP84 or... ?
sr. member
Activity: 317
Merit: 275
you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.
It's not a shitcoin wallet, and you wouldn't know how much (and of what) an encrypted wallet you found/stole contained either until you cracked it.

I'll just say it has more than $10.
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
Put 0,5 btc to adders, send from this adress 0.0000000001 btc to any address, wait and you see result.
legendary
Activity: 2128
Merit: 1293
There is trouble abrewing
Quote
x amount of crypto

you should also include the address containing the funds and the amount of it. this puzzle may not even be worth the time for example if it contains some small amount of a shitcoin.
sr. member
Activity: 317
Merit: 275
I saw this thread of "don't do's" on Reddit and decided to do the opposite; I will write down and post my mnemonic seed words for everyone to see:

Code:
bacon bitter goddess sheriff differ kit sock stomach rhythm skill trade drastic

There is an x amount of crypto I put there as an award for whomever manages to get ahold of it. It is encrypted with a date shift cipher using this script I wrote: Seedshift. I basically used 1-4 dates in YYYY-MM-DD format to shift the mnemonic words (modulo 2048 to wrap around the wordlist, you can do it manually without the script).

Basically you can brute-force my encrypted seed words by trying date combinations until you find the correct x ones I used and get the crypto prize.

This in itself could also be considered a real-time simulation of how long it would take for a potential thief (with programming background and who also magically knows it is encrypted with a date shift cipher) to steal my crypto before I manage to transfer it somewhere safe (and also to validate how safe and secure my method of storing my mnemonic seed words is).

So anyway, good luck to everyone and get crackin'!

Edit:
The puzzle got solved. See the write-up here: https://www.reddit.com/r/CryptoCurrency/comments/p2jkh3/how_i_solved_utoshiromiballzas_puzzle_in_just/
Jump to: