
Topic: Create a seed from a selection of words - page 3. (Read 1186 times)

jr. member
Activity: 35
Merit: 2
Sorry, it's been almost 1 year since my last message; I sat down again today on the subject of Bitcoin.

In the meantime I have also looked at the tool lostWord again more closely; it can validate seeds and check which combinations are valid.

Of course the whole thing has not brought success yet, but I have learned a lot. What I didn't understand yet is the path of the seed, e.g. m/0/0 is used by lostWord by default (P2PKH).

What exactly do these paths mean:
m/84'/0
m/44'/60
m/44'/0'
m/84'/0

So the question is which BIP fits to which path and which path did you use in the beginning?

What I understood is that the addresses are as follows:
P2PKH = 1xxxx addresses
P2WPKH = bc1xxxxx addresses
P2SH = 3xxxxx addresses

Maybe you can help me a little bit with the m/0/0 etc.

What I have not yet understood is how entropy works and how I can use the highest possible one to generate a lot of security. I think I read that Trust Wallet for example only has an entropy of 8 or was it 32 bit?

What about Coinomi, Bitcoin Core, Electrum or BlueWallet? And should I use any of these programs to generate a secure wallet? The higher the entropy, the more secure it will be, even in the quantum computer age.
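As an added example, not code from this thread or from any of the wallets named in it, here is a small Python parser for the derivation paths asked about above. The purpose numbers come from BIP44, BIP49, BIP84 and BIP86, the coin types from SLIP-44, and the hardened-index offset from BIP32; the function names and the small lookup tables are my own.

```python
import re

HARDENED_OFFSET = 0x80000000  # BIP32: child indices >= 2^31 are hardened

# Purpose level (first element after m) as registered by the BIPs below;
# the address prefixes match the ones listed in the post.
PURPOSES = {
    44: "BIP44: P2PKH, legacy addresses starting with 1",
    49: "BIP49: P2SH-wrapped P2WPKH, addresses starting with 3",
    84: "BIP84: P2WPKH, native segwit addresses starting with bc1q",
    86: "BIP86: P2TR, taproot addresses starting with bc1p",
}
# SLIP-44 coin types that occur in the thread (constructed subset of the registry).
COIN_TYPES = {0: "Bitcoin", 1: "Bitcoin testnet", 60: "Ethereum"}
LEVEL_NAMES = ["purpose", "coin type", "account", "change", "address index"]

_LEVEL_RE = re.compile(r"^(\d+)(['hH])?$")


def parse_path(path):
    """'m/84'/0'/0'/0/5' -> [(84, True), (0, True), (0, True), (0, False), (5, False)].
    Accepts both the apostrophe and the h marker for hardened levels."""
    parts = path.strip().split("/")
    if parts[0] != "m":
        raise ValueError("a derivation path starts at the master node 'm'")
    levels = []
    for part in parts[1:]:
        m = _LEVEL_RE.match(part)
        if m is None:
            raise ValueError(f"malformed path level {part!r}")
        index = int(m.group(1))
        if index >= HARDENED_OFFSET:
            raise ValueError(f"index {index} does not fit in 31 bits")
        levels.append((index, m.group(2) is not None))
    return levels


def child_indices(path):
    """The 32-bit child numbers a BIP32 library actually derives with."""
    return [i + HARDENED_OFFSET if hardened else i for i, hardened in parse_path(path)]


def describe(path):
    """One line of explanation per level, following the BIP44-style layout
    purpose' / coin_type' / account' / change / address_index."""
    levels = parse_path(path)
    registered_purpose = bool(levels) and levels[0][1] and levels[0][0] in PURPOSES
    lines = []
    for depth, (index, hardened) in enumerate(levels):
        name = LEVEL_NAMES[depth] if depth < len(LEVEL_NAMES) else f"level {depth}"
        mark = "'" if hardened else ""
        if depth == 0:
            meaning = PURPOSES.get(index, "not a registered BIP43 purpose (plain BIP32 chain, e.g. m/0/0)")
        elif depth == 1:
            meaning = COIN_TYPES.get(index, "coin type not in this table (see SLIP-44)")
        elif depth == 3:
            meaning = {0: "external (receiving) addresses",
                       1: "internal (change) addresses"}.get(index, "non-standard change value")
        else:
            meaning = ""
        # BIP44-family wallets harden the first three levels; flag a missing marker.
        if registered_purpose and depth < 3 and not hardened:
            meaning = (meaning + "; " if meaning else "") + "warning: this level is expected to be hardened"
        text = f"{name} {index}{mark}"
        if meaning:
            text += f": {meaning}"
        lines.append(text)
    return lines


if __name__ == "__main__":
    for p in ("m/84'/0'/0'/0/5", "m/44'/60'/0'", "m/0/0"):
        print(p, child_indices(p))
        for line in describe(p):
            print("   ", line)
```

The `describe` output for the four paths in the question reads: m/44'/0' is BIP44 (legacy 1... addresses), m/84'/0 is BIP84 (bc1q... addresses) with a warning that the coin-type level is normally hardened, and m/44'/60 has coin type 60, which SLIP-44 assigns to Ethereum rather than Bitcoin.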
legendary
Activity: 3472
Merit: 10611
Keep in mind that security of revealed 24 words out of order is still not as high as security of a private key because you are revealing your entropy and 620,448,401,733,239,439,360,000 is 6e+23 whereas security of a bitcoin private key is 2^128 = 3e+38.
legendary
Activity: 2268
Merit: 18711
It’s really insane that even if you know all the seed words the security of your private key is still this high.
Seed phrase, not private key.

It is only relatively secure if it is 24 words, which will essentially be impossible to bruteforce as outlined above. 12 scrambled words however are very easy to brute force, and can be done in minutes or hours depending on your hardware.

Either way, if you have accidentally revealed all or some of your seed phrase, even if scrambled, I'd still be moving everything to a brand new wallet as soon as I could, followed by re-examining my set up to figure out how I could have been so careless and insecure in the first place.
hero member
Activity: 1022
Merit: 642
Magic
-snip- That is 24*23*22*...*1=24! = 620,448,401,733,239,439,360,000
Thanks, then it would only be an average of 19,674 years at 1 trillion combinations per second bruteforce speed for a disarranged 24-word seed.
And only 479,001,600 combinations for a disarranged 12-word seed.

It's really insane that even if you know all the seed words the security of your private key is still this high. Makes me laugh a bit about all these brute force attempts that don't even know a single word.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

yes. wallet.dat files contain a list of private keys. some pregenerated when 1st initialized, other keys added as needed when the pool of keys ran out.

early wallet.dat files did not have password protection, it was added later.

Maybe you can compare that with a Google Authenticator or these YubiKeys or whatever they are called, i.e. a key file?

google auth and yubikeys are what's called two factor authentication (2FA). totally different than a password, seed or keyfile.
jr. member
Activity: 35
Merit: 2
Thanks for the many texts. It sounds very interesting so as I understand it then these wallet.dat files were the keys and you don't have a password and all that needed?

I can hardly imagine that, but surely there was a program where you could load the key and then access your wallet?

Maybe you can compare that with a Google Authenticator or these YubiKeys or whatever they are called, i.e. a key file?

I just started working in 2009 and was also very involved in development, including Web 2.0 and the development of Bootstrap from Twitter and the whole browser development by Google etc... I was very fascinated, and I still wonder why I had never heard of bitcoin. Kind of a shame, not necessarily because of performance but just because you missed something, sort of like everyone has a Nintendo and you never hear about it.
legendary
Activity: 3472
Merit: 10611
Early wallets were not deterministic. Whenever the wallet needed a new key it just called up its RNG and created a new random key. That means there were no seed or seed phrase in early days. After some time, due to possibility of flaws in RNGs and bugs in some implementations, deterministic key derivation (BIP32) was introduced and wallets slowly started switching to that. Shortly after, in order to make backups user friendly the concept of using mnemonics or seed phrase (BIP39) was introduced.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
As far as I remember the early Bitcoin Core wallet generated a pool of private keys, a fixed number of them. But frankly I don't know how those were generated and if by any deterministic way. If the key pool ran out of keys, the pool was extended by another fixed batch of fresh random keys. There was no 'visible' seed and Bitcoin Core doesn't use mnemonic seed words. Backup of a Bitcoin Core wallet was always file based: you had to backup the wallet file and restore your wallet from a file backup. This could lead to loss of funds if you restored a wallet file which contained a smaller key pool than your most recent wallet that you may have lost or which got corrupted or deleted.

For deterministic wallets nowadays Bitcoin Core uses a private key as seed and derives the keys and addresses of a HD wallet by BIP-32 mechanics. And descriptors should make, I say, an 'expected' key derivation easier/safer. (I'm still working on this topic to understand it as much as possible.)

Maybe Armory was one of the first wallets to implement some HD scheme where you were able to recover the wallet from some sort of seed numbers. Never used Armory myself, but I read a lot about it out of interest. Bitcoin Core's file based backup always made me feel uncomfortable, too digital and fixed to digital files.

And then there was the disaster with 'brain wallets', keys derived from hashing stuff that humans believed to be unique, secret and whatnot. That didn't go well for some Bitcoiners.
jr. member
Activity: 35
Merit: 2
What options were there in 2009 before bip39 was used?
Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and uses them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.

How were wallets generated in the early days of Bitcoin? And were words used?
legendary
Activity: 2268
Merit: 18711
Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:
With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.
The issue is that j2002ba2 and the docs page are using different definitions of entropy.

Taking legacy Electrum phrases, then we all agree that the seed phrase encodes 132 bits of information. Two different scenarios then follow:

Electrum says "Well, only 1 in every 2^8 seed phrases will have the correct prefix, but for each one that does have the correct prefix, it requires 2^11 hashes to generate a master private key." And so they work out 132 - 8 + 11 to give 135 bits of entropy.

j2002ba2 on the other hand says "We start with 132 bits, but since we are discarding all but one of every 2^8 seed phrases, then that reduces the entropy to 124 bits, although it doesn't reduce the attack surface."



If you consider a BIP39 seed phrase, then you have 2^128 phrases, and for each one you have to go through 2048 rounds of PBKDF2, giving 2^128 * 2048 = 2^139 hashes.
If you consider a legacy Electrum seed phrase, then you have 2^132 phrases, and for each one you must hash it once to check the prefix, and then for one in every 256 (on average) you have to go through 2048 rounds of PBKDF2. This means 256 + 2048 = 2304 hashes for every 256 seed phrases, which is an average of 9 hashes per seed phrase, giving a total of 2^132 * 9 = 2^135.2 hashes.
legendary
Activity: 3472
Merit: 10611
~
Your arguments don't sound correct to me although I don't claim to be good at this type of math. Here is a quote from Electrum docs though:
With the standard values currently used in Electrum, we obtain: 2^(132 + 11 - 8) = 2^135. This means that a standard Electrum seed is equivalent, in terms of hashes, to 135 bits of entropy.
legendary
Activity: 2380
Merit: 5213
What options were there in 2009 before bip39 was used?
Even now, BIP39 isn't a part of bitcoin rules and you always have to sign the transactions with your private key. A BIP39 wallet derives your private keys from your seed phrase and uses them for making transactions.
In 2009, there was no seed phrase and people had to backup the wallet file or save their private keys.
jr. member
Activity: 35
Merit: 2
Here is what I tried: I have read the first email of Satoshi and found out that he has many BIP39 words inside the email; it looks a little bit like a puzzle or something:
I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
We actually discussed this before about a year ago here: https://bitcointalksearch.org/topic/m.57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.

First of all, thanks for the many people working on this thread, it shows how big this community is.

What options were there in 2009 before bip39 was used?
full member
Activity: 206
Merit: 447
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.
If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.
Yes, it is 132 bits, but only if there's no checksum or required version.

Quote
Quote
Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190
It very much affects the entropy, since 255 (or 4095 in the segwit case) possibilities are rejected (plus the valid BIP39 ones, about one in 16, another loss of an additional 0.0931 bits of entropy). You end up with a smaller pool of possible seeds, hence smaller entropy.

It seems that entropy is a very tricky subject for many people. I'll give an example. Let's have a hypothetical seed generator, which starts randomly, and increments until it reaches only one specific seed. This is exactly 0 bits of entropy. If the generator stops when it reaches one of 2 seeds, we get 1 bit entropy. If an attacker has no information about these seeds, then he has to scan the whole 256 bit range (or whatever size it is in this case).

So, valid electrum seeds do have less entropy - 123.9 bits for standard, and 119.9 bits for segwit. That doesn't mean it's much easier to crack versus BIP39. If my calculations are correct, it's about twice as hard to find a valid Electrum segwit seed versus both Electrum standard and BIP39. (if we are given an address to compare to)

In information theory, the entropy of a random variable is the average level of "information", "surprise", or "uncertainty" inherent to the variable's possible outcomes.

Certainly only one in 2^4 seeds is valid for BIP39, one in 2^8.09 for Electrum standard, and one in 2^12.09 for Electrum segwit. Hence the entropy is lower.

One might argue that the attacker sees 132 bits of entropy, since nothing is certain for him. Then this is true for BIP39 as well, although it is generated using 128 bits of entropy. Looking at it the other way, if one insists that BIP39 has 128 bits of entropy, then Electrum standard has 123.9, and segwit 119.9.
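The two ways of counting that the thread contrasts, j2002ba2's "how many seeds can the generator output" and the Electrum docs' "how many hashes does exhausting the space cost", are easy to confuse when stated in prose, so here they are side by side in Python as an added example (not Electrum's code and not posted by anyone in the thread). The seed-version check itself follows the mechanism in Electrum's mnemonic.py linked above: HMAC-SHA512 of the normalised phrase with the key "Seed version", compared against a hex prefix. The text normalisation is a simplified stand-in for Electrum's, the 1-in-16 BIP39 rejection is counted the way j2002ba2 counts it, and the function names are my own.

```python
import hashlib
import hmac
import math
import unicodedata

# Electrum seed-version prefixes: the hex HMAC-SHA512 digest of the normalised
# mnemonic, keyed with b"Seed version", must start with one of these.
SEED_PREFIXES = {
    "standard": "01",    # 2 hex digits = 8 bits, legacy P2PKH wallets
    "segwit": "100",     # 3 hex digits = 12 bits, native segwit
    "2fa": "101",
    "2fa_segwit": "102",
}
WORDS = 12
BITS_PER_WORD = 11        # 2048-word list
PBKDF2_ROUNDS = 2048


def normalize(mnemonic):
    """Simplified stand-in for Electrum's normalize_text (assumption):
    NFKD, lower case, single spaces."""
    text = unicodedata.normalize("NFKD", mnemonic).lower()
    return " ".join(text.split())


def seed_version_hex(mnemonic):
    """The value Electrum's is_new_seed() compares against a prefix."""
    msg = normalize(mnemonic).encode("utf8")
    return hmac.new(b"Seed version", msg, hashlib.sha512).hexdigest()


def electrum_seed_type(mnemonic):
    """'standard', 'segwit', '2fa', '2fa_segwit', or None if no prefix matches."""
    digest = seed_version_hex(mnemonic)
    for name, prefix in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None


def prefix_bits(seed_type):
    return 4 * len(SEED_PREFIXES[seed_type])


def entropy_bits(seed_type, bip39_rejected=True):
    """j2002ba2's definition: log2 of the number of phrases the generator can emit.
    132 bits of word choice, minus the prefix bits, minus log2(16/15) for the
    one-in-sixteen phrases with a valid BIP39 checksum that are skipped."""
    bits = WORDS * BITS_PER_WORD - prefix_bits(seed_type)
    if bip39_rejected:
        bits -= math.log2(16 / 15)
    return bits


def work_bits_electrum(seed_type, rounds=PBKDF2_ROUNDS):
    """Electrum docs' definition: log2 of the expected hash count to exhaust the space.
    Every candidate costs one HMAC for the prefix check; one in 2^prefix_bits of
    them additionally costs the PBKDF2 rounds (9 hashes per candidate for standard)."""
    per_candidate = 1 + rounds / 2 ** prefix_bits(seed_type)
    return WORDS * BITS_PER_WORD + math.log2(per_candidate)


def work_bits_bip39(rounds=PBKDF2_ROUNDS):
    """BIP39: 2^128 checksum-valid phrases, each needing the full PBKDF2."""
    return 128 + math.log2(rounds)


if __name__ == "__main__":
    for kind in ("standard", "segwit"):
        print(f"{kind:9s} entropy {entropy_bits(kind):.1f} bits, "
              f"work 2^{work_bits_electrum(kind):.1f} hashes")
    print(f"bip39     entropy 128.0 bits, work 2^{work_bits_bip39():.1f} hashes")
    # constructed phrase, only to show the prefix check running
    print(electrum_seed_type("abandon abandon abandon abandon abandon abandon "
                             "abandon abandon abandon abandon abandon about"))
```

Running it reproduces both sets of numbers from the thread: 123.9 and 119.9 bits of reachable seeds for standard and segwit, against 2^135.2 and 2^132.6 hashes of work, with BIP39 at 128 bits and 2^139 hashes. The segwit case shows why the two definitions disagree: its longer prefix rejects more candidates (lower entropy) but also spares the attacker the PBKDF2 rounds on more of them (less work per candidate).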
legendary
Activity: 2268
Merit: 18711
Here is what I tried: I have read the first email of Satoshi and found out that he has many BIP39 words inside the email; it looks a little bit like a puzzle or something:
I mean, BIP39 wasn't created until 5 years after that email, until about 3 years after Satoshi disappeared, and was created by a bunch of people who aren't Satoshi. BIP39 contains a huge number of common English words. You will find many such words in any text of sufficient length. You are not going to find a BIP39 wallet encoded in Satoshi's emails.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
We actually discussed this before about a year ago here: https://bitcointalksearch.org/topic/m.57328109

The 8 bit prefix for legacy addresses and 12 bit prefix for segwit addresses which Electrum uses does not reduce the entropy of the seed phrase itself, since an attacker still has to check every seed phrase to see if it hashes to the correct prefix. However, it does mean that for 4095 out of 4096 seed phrases (for segwit), an attacker does not have to go through the 2048 rounds of PBKDF2.
legendary
Activity: 3472
Merit: 10611
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.
If you have selected each word manually and randomly and you have 12 words then each word represents 11 bits which makes the total 12*11=132 bits.

Quote
Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.
That is incorrect. Electrum actually starts with a 132-bit entropy (as an int) then increments it until it finds a correct checksum. Address type does not affect the entropy size, it only affects what checksum is expected.
https://github.com/spesmilo/electrum/blob/abe3955d916521f37e06b96d8996b270413e175f/electrum/mnemonic.py#L190
jr. member
Activity: 35
Merit: 2
I would like to know if there is a possibility to create a 12 or 24 digit seed from a selection of words and not the whole 2048 words.
You can do that, but the human brain is known to be bad at creating random results, so I would not do this if you want to hold a larger amount of coins.
You could use any eleven words you want and calculate the last word to create entropy.
There is a website called seedpicker that can calculate everything for you; you can select any 23 words you want from all 2048 words and the last word will be calculated.
This is an open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html

I would prefer if the whole thing is open source and I can possibly create it on my computer without internet (maybe a github project based on python).
You could use iancoleman website totally offline, and it is even advised to be always used like that.
In your browser, select file save-as and save this page as a file, then double-click that file to open it in a browser on your offline computer:
https://iancoleman.io/bip39/

Thank you, that will help me. The website does not find the right word every time, but I see it is a very long way to go. I searched for the 24th word of:
abstract version allow online one another digital provide solution still problem into record only pool long control best effort leave will what satoshi

The website finds "bonus" as the 24th word, but there must be more working words.

Here is what I tried: I have read the first email of Satoshi and found out that he has many BIP39 words inside the email; it looks a little bit like a puzzle or something:

https://i.postimg.cc/L6sMjPdy/satoshi-email-Kopie.jpg

I used all the light green words because they occur only 1 time; the multicolor ones are words with more than 1 occurrence each, and the grey ones are words that look like BIP39 words.

Maybe someone has more luck than me or can help me find out if we can find a wallet.

I also looked at the numbers of the words; the first 2 words are numbers 8 and 1943, maybe a year or something.

I also tried the words from the beginning, skipping the double words; it was:

main double prevent network proof power abstract version allow online payment direct

Sorry for my bad English.
full member
Activity: 206
Merit: 447
Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking its 3 bits and then replacing the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.
Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.
There cannot be more than 128 bits entropy in BIP39 12-words. There are not enough bits to represent it.

Electrum 12-word seeds have less than 128 bits entropy, IIRC it's slightly less than 132-8=124 for legacy addresses, and 132-12=120 for segwit addresses.

More entropy could be inserted, if you instead of using the 12 words directly mutate them with additional entropy. For example: make some letters lower case, while other upper case, change some words to "leet speak", etc. And then feed this into PBKDF2.

Of course, the easiest method of adding entropy is using password together with the seed.
legendary
Activity: 2268
Merit: 18711
This is an open source tool, but use it carefully, read their guide and only do it if you know what you are doing:
https://seedpicker.net/calculator/last-word.html
First time I've looked at that site, but I don't like it I'm afraid.

Their method for generating the first 23 words does not specify that each raffle ticket needs to be returned to the bag/box for future draws. This reduces the entropy of the seed.
They always start the 24th word with "000" before appending the 8 bit checksum, again reducing the entropy of the seed.
They then show a P2WSH Zpub from derivation path m/48'/0'/0'/2'. I understand it is designed to be used in their specific wallet, but anyone taking that Zpub to another wallet will run into a huge amount of trouble trying to recover their coins if they don't fully understand what they are doing.

If you want a website to tell you your 24th word (as opposed to manually calculating the checksum), then I would suggest generating 24 words in a properly random fashion and then just typing them all into an offline version of Ian Coleman. If you then click on "Show entropy details", it will automatically swap your last word for the appropriate checksum word, but keeping the first 3 bits of entropy the same.
legendary
Activity: 3472
Merit: 10611
Which means that one must "preselect" another 3 bits. It would look like selecting the last word, taking its 3 bits and then replacing the last word by the final one.
Unfortunately you cannot finish the manual process after 23 words.
Other option is to see which of 8 "correct" last words you like the best.
Exactly, another solution would be doing something similar to what Electrum does. You select 12 words and then increment the last word until you get a valid checksum. As long as the selection process is really random the entropy you get is more than 128 bits.
Same for any other word count.
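The last-word mechanics discussed in the two posts above (the 3 free bits that must still be chosen for a 24-word phrase, the 8 "correct" last words, and Ian Coleman's trick of keeping the free bits of the word you typed and replacing only the checksum bits) follow directly from the BIP39 layout, so here is an added Python example that implements them. It is not code from seedpicker, Ian Coleman's page or anyone in the thread. To stay self-contained it works on wordlist indices (0 to 2047) rather than on words, so mapping to the real English list is left to the caller; the checksum rule (first ENT/32 bits of SHA256 of the entropy) is BIP39's own, and the function names are mine. The known test vector "abandon" x11 + "about" (indices 0 x11 + 3) and "abandon" x23 + "art" (0 x23 + 102) are used as the worked inputs.

```python
import hashlib

WORDLIST_SIZE = 2048   # BIP39 English wordlist: 2048 words, 11 bits each


def bip39_layout(n_words):
    """(entropy bits, checksum bits) for a phrase of n_words.
    BIP39 fixes CS = ENT / 32 and n_words = (ENT + CS) / 11."""
    if n_words not in (12, 15, 18, 21, 24):
        raise ValueError("BIP39 phrases have 12, 15, 18, 21 or 24 words")
    cs = n_words // 3
    return 11 * n_words - cs, cs


def checksum_of(entropy_int, ent_bits, cs_bits):
    """First cs_bits bits of SHA256(entropy); cs_bits <= 8, so one digest byte suffices."""
    digest = hashlib.sha256(entropy_int.to_bytes(ent_bits // 8, "big")).digest()
    return digest[0] >> (8 - cs_bits)


def is_valid(indices):
    """True if the phrase (given as wordlist indices) carries a correct checksum."""
    ent, cs = bip39_layout(len(indices))
    bits = 0
    for i in indices:
        if not 0 <= i < WORDLIST_SIZE:
            raise ValueError(f"index {i} is outside the 2048-word list")
        bits = (bits << 11) | i
    return bits & ((1 << cs) - 1) == checksum_of(bits >> cs, ent, cs)


def last_word_index(first_indices, free_bits=0):
    """Index of the last word given the first n-1 indices.
    The last word is (11 - cs) free entropy bits followed by the cs checksum bits,
    so the caller still has to choose free_bits: 3 bits for 24 words, 7 for 12."""
    ent, cs = bip39_layout(len(first_indices) + 1)
    free_width = 11 - cs
    if not 0 <= free_bits < (1 << free_width):
        raise ValueError(f"free_bits must fit in {free_width} bits")
    entropy = 0
    for i in first_indices:
        entropy = (entropy << 11) | i
    entropy = (entropy << free_width) | free_bits
    return (free_bits << cs) | checksum_of(entropy, ent, cs)


def fix_last_word(indices):
    """What Ian Coleman's 'Show entropy details' does: keep the free bits of the
    last word the user typed and replace only its checksum bits."""
    _, cs = bip39_layout(len(indices))
    return last_word_index(indices[:-1], indices[-1] >> cs)


def all_valid_last_words(first_indices):
    """Every index that completes the phrase with a correct checksum.
    There are 2^(11 - cs) of them: 8 for 24 words, 128 for 12 words."""
    return [i for i in range(WORDLIST_SIZE) if is_valid(first_indices + [i])]


if __name__ == "__main__":
    twelve = [0] * 11          # "abandon" x11, constructed test vector
    print(last_word_index(twelve), all_valid_last_words(twelve)[:4])
    twenty_four = [0] * 23     # "abandon" x23
    print(last_word_index(twenty_four), all_valid_last_words(twenty_four))
```

Two points worth taking from the output: for 23 chosen words there are exactly 8 valid 24th words (3 free bits), and for 11 chosen words there are 128 (7 free bits), i.e. one in 16 of all 12-word phrases is checksum-valid. Fixing the last word therefore never adds security; all the entropy of the phrase has to be in the words chosen before it.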