Can I use a 12 word seed extension and store it separately? - page 2.

xmready

copper member

Activity: 37

Merit: 14

Quote from: pooya87 on June 15, 2021, 10:05:29 PM

Let me put it this way:
We simply have a key derivation function that takes 2 inputs, A and B. If A is created from a 128 (or 132) bits of entropy and B has 0 entropy (no extension word) then your KDF is deriving its keys using that much entropy. If B also has 128 (or 132) bits of entropy then your KDF is deriving its keys using A + B bits of entropy.
Additionally we can say that in order to brute force this to get the BIP32 seed you'll have to generate and check both A and B so the entropy size is A+B.

If A + B = bits of entropy used by the key derivation function, then using a 256 bit seed = using a 128 bit seed + a 12 word extension. The resulting private keys are all 128 bits regardless.

Am I correct?

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: ranochigo on June 15, 2021, 09:54:56 PM

I might be a bit dense today, and hence deleted my previous post after realizing something. Cheesy

If I'm not wrong, the seed isn't extended by adding 'Electrum' to it. The salt is however, 'Electrum + passphrase' instead of 'mnemonic + passphrase'. If the seed can be used in the salt to produce a different 512bit output, wouldn't there still be a considerable increase in entropy as long as the ENT of the input < length of the output? I'm sure I'm missing something here.

Let me put it this way:
We simply have a key derivation function that takes 2 inputs, A and B. If A is created from a 128 (or 132) bits of entropy and B has 0 entropy (no extension word) then your KDF is deriving its keys using that much entropy. If B also has 128 (or 132) bits of entropy then your KDF is deriving its keys using A + B bits of entropy.
Additionally we can say that in order to brute force this to get the BIP32 seed you'll have to generate and check both A and B so the entropy size is A+B.

ranochigo

legendary

Activity: 3038

Merit: 4418

Crypto Swap Exchange

Quote from: BlackHatCoiner on June 15, 2021, 01:41:09 PM

Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”. So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Quote from: o_e_l_e_o on June 15, 2021, 02:47:56 PM

Quote from: xmready on June 15, 2021, 01:07:07 PM

Would this effectively double my entropy?

No.

I might be a bit dense today, and hence deleted my previous post after realizing something. Cheesy

If I'm not wrong, the seed isn't extended by adding 'Electrum' to it. The salt is however, 'Electrum + passphrase' instead of 'mnemonic + passphrase'. If the seed can be used in the salt to produce a different 512bit output, wouldn't there still be a considerable increase in entropy as long as the ENT of the input < length of the output? I'm sure I'm missing something here.

Quote from: xmready on June 15, 2021, 09:40:51 PM

My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

Yes. I'll suggest using the method using Electrum console as mentioned above. You'll be covered under the checksum and won't have to mess with the passphrase as much. I'll consider Shamir secret sharing for some redundancy as well and split them up further.

DireWolfM14

copper member

Activity: 2338

Merit: 4543

Join the world-leading crypto sportsbook NOW!

Quote from: xmready on June 15, 2021, 09:40:51 PM

My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

Of course you can store your extension separately from your seed, regardless of it's length or the origin of the words. As Leo mentioned above, it's actually recommended. If you want to, you can generate two 24-word seeds and store them separately.

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: xmready on June 15, 2021, 09:40:51 PM

If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

With a 256 bit seed, are my addresses and keys still the same entropy as normal?

Yes. When the number of words change (12 vs 24) the size of your initial entropy is changing and the only thing difference is what goes into the key derivation function to derive your BIP32 seed. After that everything else is the same, and bitcoin private keys only have 128 bits of entropy no matter how you create them.

xmready

copper member

Activity: 37

Merit: 14

Quote from: DireWolfM14 on June 15, 2021, 09:27:42 PM

@xmready, I've used a 12-word seed as an extension in the past. When I was a younger bitcoiner I thought that would double my entropy, but I've since learned that it does not. Take a look at hosseinimr93's post above, he is showing you how to generate an honest-to-goodness 24-word seed with double the entropy of a standard 12-word seed. I also advise against using the same pool of words (i.e. Bip39 word list) for your extension, just to add an extra level of security.

My main motivation behind this post is to have my backup in two pieces to protect against a physical intrusion. A 24 word seed with higher entropy has no benefit over a 12 word seed if the physical backup is stolen. If I break the 24 word seed with 256 bits into two 12 word parts, can I safely store them in two separate locations like I can with the seed extension?

With a 256 bit seed, are my addresses and keys still the same entropy as normal?

DireWolfM14

copper member

Activity: 2338

Merit: 4543

Join the world-leading crypto sportsbook NOW!

@xmready, I've used a 12-word seed as an extension in the past. When I was a younger bitcoiner I thought that would double my entropy, but I've since learned that it does not. Take a look at hosseinimr93's post above, he is showing you how to generate an honest-to-goodness 24-word seed with double the entropy of a standard 12-word seed. I also advise against using the same pool of words (i.e. Bip39 word list) for your extension, just to add an extra level of security.

BitMaxz

legendary

Activity: 3374

Merit: 3095

BTC price road to $80k

Quote from: xmready on June 15, 2021, 05:34:10 PM

I never mentioned anything about another wallet owner. This thread is regarding a single owner setup.

Well, you can do that as well on Multisig wallet.
Just generate a standard wallet and make a backup of that 12-word seed and also the master public key. Now make a Multisig "2 of 2" wallets it will generate a new 12 words seed and then paste the master public key on "Enter consigner key". After successfully generated you must have a wallet with two 12 words seed phrase.

You can follow the guide from my post above to make a single setup wallet. Make sure you have a backup of them for future recovery.

xmready

copper member

Activity: 37

Merit: 14

Quote from: BitMaxz on June 15, 2021, 05:31:31 PM

So you mean you want them to split and have two seeds generated for two owners of the wallet?

I never mentioned anything about another wallet owner. This thread is regarding a single owner setup.

BitMaxz

legendary

Activity: 3374

Merit: 3095

BTC price road to $80k

Quote from: xmready on June 15, 2021, 04:48:48 PM

My reasoning is: if my 12 words are compromised via a physical intrusion, the extension stored in a separate location will guarantee that my wallet is not compromised. Simply splitting the 12 words in half and storing 6 words separately makes a brute force attack easier (I think). That is why I ask.

So you mean you want them to split and have two seeds generated for two owners of the wallet?

The extension is not actually your best choice for this the only solution for this is Multisig wallet with 2 of 2 multisig consists of 2 separate wallets
it will generate P2SH addresses after successfully generated a Multisig wallet.
I never heard someone was hacked or brute force by using MultiSig wallet so I'm sure this is the best option you looking for?
The only problem is that the transaction fees from this wallet are pretty expensive compared to the normal wallet that's the only disadvantage of this wallet but if your purpose is to make a wallet secured with a co-owner then MultiSig still the best option.

If you want to make a Multisigwallet you can follow this guide below

- https://bitcointalksearch.org/topic/guide-how-to-create-multisig-electrum-wallet-for-beginners-5039220

xmready

copper member

Activity: 37

Merit: 14

Quote from: BlackHatCoiner on June 15, 2021, 01:41:09 PM

Is there any specific reason why you want that method? Goin' with electrum's 136 bits is more than fine.

My reasoning is: if my 12 words are compromised via a physical intrusion, the extension stored in a separate location will guarantee that my wallet is not compromised. Simply splitting the 12 words in half and storing 6 words separately makes a brute force attack easier (I think). That is why I ask.

Quote from: BlackHatCoiner on June 15, 2021, 01:41:09 PM

Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”.

If each Electrum seed is already extended with the word "electrum", then why don't we have to input that as a seed extension when recovering a wallet with Electrum or another Electrum compliant wallet?

Quote from: BlackHatCoiner on June 15, 2021, 01:41:09 PM

So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Are you saying that an attacker would try to brute force the output of the PBKDF2 key derivation function, thus it would be the same difficulty? I would imagine if the attacker were trying to guess words and extension words, then it does double the difficulty.

hosseinimr93

legendary

Activity: 2380

Merit: 5213

Quote from: BlackHatCoiner on June 15, 2021, 01:41:09 PM

First of all, electrum doesn't generate or imports 256 bits of entropy, but only 128, that's why it returns you only 12 words.

If someone wants to have a seed phrase with 256 bits of entropy, that can be done via console.

For generating a seed phrase with 256 bits of entropy, you can use the command below.

Code:

make_seed(256)

Or the following command if you want legacy addresses.

Code:

make_seed(256,"","standard")

After generating the seed phrase on console tab, you can create a new wallet with importing the 24-word seed.

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: xmready on June 15, 2021, 01:07:07 PM

If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet?

Yes.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Would this effectively double my entropy?

No.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Can I store the 12 word seed and the 12 word seed extension in two different places safely?

This is the only way you should store them. Storing both your seed phrase and your seed extension together renders the seed extension nearly pointless, since if an attacker compromises your back up they immediately have both and can take your coins.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Are there any major flaws in this method?

Not really. Using a seed extension is a good idea, and by using a randomly generated seed phrase as the extension you can be sure that it is complex enough to be resistant to brute forcing. The only issues would be human error - getting confused as to which is which, making a mistake when writing them down, etc.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Would using a multisig wallet be better?

That depends on what you are trying to achieve. A seed phrase with an extension provides protection against one of those two back ups being compromised, but doesn't protect against your wallet itself being compromised. It does however keep your transactions small, and can also give you plausible deniability (depending on how you use it). A 2-of-3 (for example) multi-sig protects against one of your back ups being compromised, and protects against one of your wallets being compromised, but requires more complex back ups and results in larger transaction sizes (although not for long once Taproot is activated).

BlackHatCoiner

legendary

Activity: 1512

Merit: 7340

Farewell, Leo

Quote from: xmready on June 15, 2021, 01:07:07 PM

If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet? Would this effectively double my entropy?

If you take twelve randomly generated words and combine them with twelve different randomly generated words you don't exactly double your entropy. First of all, electrum doesn't generate or imports 256 bits of entropy, but only 128, that's why it returns you only 12 words.

Each electrum seed is already extended with the word “electrum”, if you choose to extend it more with another seed phrase it'd become “electrum”. So it doesn't double the entropy, instead, the entropy remains the same. What it does change is a salt. Once you're done with the seed generation and salt selection, the result is being put through a key derivation function called “PBKDF2”. But, you can of course do it, it'll provide around the same security for a human being.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Can I store the 12 word seed and the 12 word seed extension in two different places safely?

Yes, but whether you lose the extension or the seed, you'll lose your money.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Are there any major flaws in this method?

Is there any specific reason why you want that method? Goin' with electrum's 136 bits is more than fine.

Quote from: xmready on June 15, 2021, 01:07:07 PM

Would using a multisig wallet be better?

If you need to divide up the responsibility for possession of your funds among multiple people, you should use multisig, otherwise the 12 words are more than enough.

xmready

copper member

Activity: 37

Merit: 14

If I use Electrum to generate a 12 word seed, and then generate a new wallet with a different seed, can I use the first 12 words as the seed extension for the new wallet? Would this effectively double my entropy?
Can I store the 12 word seed and the 12 word seed extension in two different places safely?
Are there any major flaws in this method?
Would using a multisig wallet be better?

Topic: Can I use a 12 word seed extension and store it separately? - page 2. (Read 395 times)