
Topic: [Electrum] a brainwallet in twelve words (Read 13336 times)

hero member
Activity: 644
Merit: 500
January 27, 2014, 05:23:28 AM
#40
"How does electrum ensure that each seed is unique and cannot be Brute-forced?"

First Electrum generates 128-bit random number using cryptogen. The seed is then derived from that number.

So yes, Electrum's seed is very safe.
member
Activity: 93
Merit: 10
January 08, 2013, 09:18:01 PM
#39
Was there ever any more diligence on brainwallet.org? I thought I could download it like bitaddress and make use of it, but it does not seem to run offline?
legendary
Activity: 1896
Merit: 1355
December 12, 2012, 07:37:54 AM
#38
Even if a BTC private key is not a random number, it is unique and is longer (thus more secure). If it can't be guessed, why would it be bad to use as a seed?

I did not say it would be bad.

I use 128 bits because 128 bits is secure enough.
Now, if you want to have more entropy, the correct way to do it would be to first pick a random number of n bits, then derive the key from it.
A private key is not completely random, therefore its entropy is less than its length.

Note that even though Bitcoin private keys are 256 bits long, their hash used to create Bitcoin addresses is only 160 bits. So the actual level of security offered by Bitcoin addresses is 160 bits.
full member
Activity: 210
Merit: 100
December 12, 2012, 05:59:31 AM
#37
Quick question:

How does electrum ensure that each seed is unique and cannot be Brute-forced?

The seed is a 128 bits random number, generated by os.urandom()

The seed is represented as a sequence of words in order to facilitate memorization and storage, but it can as well be represented as a hexadecimal string, or as a number.
For some reason, people tend to perceive words as "less random" than numbers. That's an illusion.

The only thing that actually matters is the number of bits of entropy in your seed (128 bits is considered as very safe, and will probably remain safe until real quantum computers are invented), and the quality of your source of randomness (electrum does not use python's random module)


Quote
Wouldn't it make more sense to generate a Master BTC Private key and determine the random words from that key?

No, that does not make sense. A private key is not a random number.


Please excuse me while I ask again.
Even if a BTC private key is not a random number, it is unique and is longer (thus more secure). If it can't be guessed, why would it be bad to use as a seed?
legendary
Activity: 1896
Merit: 1355
December 12, 2012, 05:33:10 AM
#36
Quick question:

How does electrum ensure that each seed is unique and cannot be Brute-forced?

The seed is a 128 bits random number, generated by os.urandom()

The seed is represented as a sequence of words in order to facilitate memorization and storage, but it can as well be represented as a hexadecimal string, or as a number.
For some reason, people tend to perceive words as "less random" than numbers. That's an illusion.

The only thing that actually matters is the number of bits of entropy in your seed (128 bits is considered as very safe, and will probably remain safe until real quantum computers are invented), and the quality of your source of randomness (electrum does not use python's random module)


Quote
Wouldn't it make more sense to generate a Master BTC Private key and determine the random words from that key?

No, that does not make sense. A private key is not a random number.
full member
Activity: 210
Merit: 100
December 12, 2012, 05:13:39 AM
#35
Quick question:

How does electrum ensure that each seed is unique and cannot be Brute-forced?

Wouldn't it make more sense to generate a Master BTC Private key and determine the random words from that key?
full member
Activity: 225
Merit: 100
October 16, 2012, 12:38:05 PM
#34
First - I'm not a coder nor do I have any Python/GTK/QT knowledge. Keep this in mind while reading my response.

Quote
* A decent way to handle multiple wallets
From what I've seen up to now you need to restart the Electrum client to switch wallets; I would prefer a way that allows switching wallets within the running client by a mouse click or - even better - Electrum should be able to handle multiple wallets at the same time.

Several users requested this. I am not convinced that the benefits outweigh the cost (increased complexity for the gui),
so my opinion is that it is fine to open several wallets simultaneously (I admit that will not let you merge their histories)
I understand that handling several wallets simultaneously would result in a major code change. But putting an extra button (maybe as a drop-down) that lists/loads other known wallets should be done fairly easily.

Quote
* Offline tx
It should be possible to create ("mktx") the tx_file from within the GUI of the offline client.
Same for the online client - it should be possible to access ("sendtx") the generated tx_file from within the GUI.
And for the command line I'd love to see a "batch mode" - create a "sendmany" tx_file from a (csv) file.

it really depends on how it is implemented, but I don't see how to do this without making gui terribly complex.
I don't think two extra buttons ("Send to file" / "Load from file") on the "Send" tab should make the GUI "terribly" complex.

For all the other stuff
Quote
* Contacts/Addressbook
* Exchange rates
* The GUI should remember more settings (like preferred UI type, window position and size)
Thank you very much.
legendary
Activity: 1896
Merit: 1355
October 16, 2012, 10:12:49 AM
#33
I've been playing around with various Bitcoin clients (bitcoin-qt, armory, multibit, ...) lately and so far Electrum seems to be the best choice for my needs.

As I cannot find any roadmap/planned feature list I would like to list some things I'd like to see someday:
thank you for the feedback


Quote
* A decent way to handle multiple wallets
From what I've seen up to now you need to restart the Electrum client to switch wallets; I would prefer a way that allows switching wallets within the running client by a mouse click or - even better - Electrum should be able to handle multiple wallets at the same time.

Several users requested this. I am not convinced that the benefits outweigh the cost (increased complexity for the gui),
so my opinion is that it is fine to open several wallets simultaneously (I admit that will not let you merge their histories)

OTOH I will be glad to merge it, if someone comes up with an implementation that is clean and remains optional.
For example the gui could display multi-wallet features only if several wallets are passed with the -w option


Quote
* Offline tx
It should be possible to create ("mktx") the tx_file from within the GUI of the offline client.
Same for the online client - it should be possible to access ("sendtx") the generated tx_file from within the GUI.
And for the command line I'd love to see a "batch mode" - create a "sendmany" tx_file from a (csv) file.

it really depends on how it is implemented, but I don't see how to do this without making gui terribly complex.


Quote
* Contacts/Addressbook
When adding a new contact why is it not possible to set a label for it directly? Right now I've to save and edit the new entry to set a label for it.
Second "issue" with it - when changing a label all views should be adjusted on the fly. Right now the "History" and "Receive" view will display the old label until the client is restarted.
I agree, I will try to fix those.

Quote
* Exchange rates
If I don't care about fiat exchange rates it should be possible to disable the lookup.
But if I do care then the rates should always be displayed (on all GUI types, not only on the "light" one).
I agree

Quote
* The GUI should remember more settings (like preferred UI type, window position and size)
Some of this I've already seen in the latest Git code
yes, the current code does this.
full member
Activity: 225
Merit: 100
October 16, 2012, 07:16:08 AM
#32
I've been playing around with various Bitcoin clients (bitcoin-qt, armory, multibit, ...) lately and so far Electrum seems to be the best choice for my needs.

As I cannot find any roadmap/planned feature list I would like to list some things I'd like to see someday:

* A decent way to handle multiple wallets
From what I've seen up to now you need to restart the Electrum client to switch wallets; I would prefer a way that allows switching wallets within the running client by a mouse click or - even better - Electrum should be able to handle multiple wallets at the same time.

* Offline tx
It should be possible to create ("mktx") the tx_file from within the GUI of the offline client.
Same for the online client - it should be possible to access ("sendtx") the generated tx_file from within the GUI.
And for the command line I'd love to see a "batch mode" - create a "sendmany" tx_file from a (csv) file.

* Contacts/Addressbook
When adding a new contact why is it not possible to set a label for it directly? Right now I've to save and edit the new entry to set a label for it.
Second "issue" with it - when changing a label all views should be adjusted on the fly. Right now the "History" and "Receive" view will display the old label until the client is restarted.

* Exchange rates
If I don't care about fiat exchange rates it should be possible to disable the lookup.
But if I do care then the rates should always be displayed (on all GUI types, not only on the "light" one).

* The GUI should remember more settings (like preferred UI type, window position and size)
Some of this I've already seen in the latest Git code
newbie
Activity: 57
Merit: 0
September 27, 2012, 08:51:31 AM
#31
I'm not talking about generating the public address from passphrase, but rather converting the Bitcoin address into a passphrase.   Parse every x characters, convert those characters to a number, and pick that number word from the dictionary.  List all the words you find in order, and you should get a passphrase that represents all the information that is in the public address.

Then, someone else could use the same software to turn that passphrase back into a Bitcoin address to send the passphrase BTC.


I just took a look at the word list that Electrum uses, only because I was interested which kinds of words they use. Then at the end of the list I noticed this comment:

# Note about US patent no 5892470: Here each word does not represent a given digit.
# Instead, the digit represented by a word is variable, it depends on the previous word.


And then I found this:

http://patents.justia.com/1999/05892470.html

Really? This is ridiculous. So if my word list looks like this:

words = [ "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "A", "B", "C", "D", "E", "F" ]

and I use this list to convert a number, I can get in trouble with Microsoft?
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 19, 2012, 07:23:55 PM
#30
But if you add some words to make 2048 then you could represent 12 bits. So 192 bits would be 16 words.

2048 words let you represent 11 bits.  2048 = 2^11.

I'd suggest using a list of 4096 words, each word gives you 12 bits, and so 16 words gives you the 160 (address) + 32 (checksum) bits you need for an address.
Oops, my bad. This is what I get for counting bits carelessly in my head.
Shorter list is better.
legendary
Activity: 2940
Merit: 1333
September 19, 2012, 07:14:29 PM
#29
But if you add some words to make 2048 then you could represent 12 bits. So 192 bits would be 16 words.

2048 words let you represent 11 bits.  2048 = 2^11.

I'd suggest using a list of 4096 words, each word gives you 12 bits, and so 16 words gives you the 160 (address) + 32 (checksum) bits you need for an address.

But if you used a 1048576 size word list you could represent 20 bits, which would be 10 words.

The official English scrabble word list has 267751 words, and most of them are pretty obscure.  We'd be very hard pressed to find over a million words that most people would even recognise as words.  I think we should use a relatively small set of very well known, relatively short, easy to say, spell, and hear, unambiguous (neither bear nor bare) words.

Note that we only need 160 bits to communicate a bitcoin address.  32 extra bits are used as a checksum, which we should keep.  A list of 16 short words seems acceptable.

The other way to split it would be 12 words of 16 bits each.  2^16 = 65536.  A 65k word list is likely to be uglier though, including obscure words that are harder to spell.  As well as being harder to compile.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 19, 2012, 06:22:17 PM
#28
You'd need 15 words to represent a bitcoin address; more if you include a checksum (a very good idea, transpose two words without a checksum and you'd get a "black hole" address).

Creating a secure payment protocol so I can tell people "send payment to [email protected]" and be confident that I'll get the coins is very high on my priority list.

Wouldn't the number of words depend on the word list size?

With Electrum the word list size is 1626, which can represent 11 bits. But if you add some words to make 2048 then you could represent 12 bits. So 192 bits would be 16 words.

But if you used a 1048576 size word list you could represent 20 bits, which would be 10 words.

You also need the checksum to ensure that similar sounding words (assuming verbal communication) don't fail, as not everyone can spell or be sure of word clarity. It's easier to choose 2048 words that don't miscommunicate than 1048576.

All you need to do to establish this is release an official word list so ordinal position is known.

legendary
Activity: 1896
Merit: 1355
September 19, 2012, 04:53:34 PM
#27
Creating a secure payment protocol so I can tell people "send payment to [email protected]" and be confident that I'll get the coins is very high on my priority list.

what do you have in mind here? bip 0015?
legendary
Activity: 1372
Merit: 1000
--------------->¿?
September 19, 2012, 02:54:27 PM
#26
You'd need 15 words to represent a bitcoin address; more if you include a checksum (a very good idea, transpose two words without a checksum and you'd get a "black hole" address).

Creating a secure payment protocol so I can tell people "send payment to [email protected]" and be confident that I'll get the coins is very high on my priority list.


Wow that would be very cool!
legendary
Activity: 1652
Merit: 2316
Chief Scientist
September 19, 2012, 02:25:20 PM
#25
You'd need 15 words to represent a bitcoin address; more if you include a checksum (a very good idea, transpose two words without a checksum and you'd get a "black hole" address).

Creating a secure payment protocol so I can tell people "send payment to [email protected]" and be confident that I'll get the coins is very high on my priority list.
sr. member
Activity: 270
Merit: 250
1CoinLabF5Avpp5kor41ngn7prTFMMHFVc
September 19, 2012, 12:43:29 PM
#24
Very cool!  Have you thought about implementing this for public Bitcoin addresses as well?  I think it would be easier to tell someone or remember, "send to 'pain apologize tired bar...' than '1OIh8Eeoighgelni3slghsg...'"

I'm not sure that's really possible.  Bitcoin addresses are hashes of public keys, which are created from the private keys.  You can generate the private key from a passphrase (so called 'brain wallets'), and derive the corresponding public keys and addresses from there, but I don't see how you can generate an address or a public key from a passphrase without also having the private key be derivable by everyone who knows the passphrase.

I'm not talking about generating the public address from passphrase, but rather converting the Bitcoin address into a passphrase.   Parse every x characters, convert those characters to a number, and pick that number word from the dictionary.  List all the words you find in order, and you should get a passphrase that represents all the information that is in the public address.

Then, someone else could use the same software to turn that passphrase back into a Bitcoin address to send the passphrase BTC.

It just makes it easier to tell someone an address.  Telling someone ~33 alphanumeric characters over the phone is next to impossible, but 8 words is easy.
legendary
Activity: 2940
Merit: 1333
September 19, 2012, 12:35:39 AM
#23
Very cool!  Have you thought about implementing this for public Bitcoin addresses as well?  I think it would be easier to tell someone or remember, "send to 'pain apologize tired bar...' than '1OIh8Eeoighgelni3slghsg...'"

I'm not sure that's really possible.  Bitcoin addresses are hashes of public keys, which are created from the private keys.  You can generate the private key from a passphrase (so called 'brain wallets'), and derive the corresponding public keys and addresses from there, but I don't see how you can generate an address or a public key from a passphrase without also having the private key be derivable by everyone who knows the passphrase.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 18, 2012, 07:39:18 PM
#22
Very cool!  Have you thought about implementing this for public Bitcoin addresses as well?  I think it would be easier to tell someone or remember, "send to 'pain apologize tired bar...' than '1OIh8Eeoighgelni3slghsg...'"
Using FirstBits would be a shorter easier way IMO.
sr. member
Activity: 270
Merit: 250
1CoinLabF5Avpp5kor41ngn7prTFMMHFVc
September 18, 2012, 07:36:13 PM
#21
Very cool!  Have you thought about implementing this for public Bitcoin addresses as well?  I think it would be easier to tell someone or remember, "send to 'pain apologize tired bar...' than '1OIh8Eeoighgelni3slghsg...'"
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 18, 2012, 07:26:42 PM
#20
I don't think it is possible at the moment. I find it annoying too; your patch will be welcome.
I'm just switching over to Electrum because the std client is now using 4GB of my SSD and I want that space back. So far it's looking awesome but there are a few things I'd like to tweak. I'll look at the code on gitHub and see what I can do. I'm new to GitHub but fairly proficient in Python.

Another thing I'd like is SOCKS proxy support, and that's easy to do in Python but depends on how network stuff is done.

the seed length is 128 bits. not sure how to map that into 'chars'
2^128 = 3.402823669×10³⁸ so that's very close to the space for 12 words from 1626 word dict. In terms of brute forcing I think it's roughly the same as using a 21 char password.

Can you comment on what data is visible on the network to the server? I see it says TCP mode and HTTP isn't clickable but is encryption or SSL used? I realize that the keys are not sent over the network but I'm wondering about side channel and contextual info. ie. an eavesdropper could monitor blockchain info retrieval and be able to piece together enough to know if further effort (breaking in to steal notebook) is worthwhile.

Having SOCKS support would allow using Electrum via a ssh tunnel more easily (eg. at web cafes or public access) providing protection from monitoring and MITM type attacks.

edit: Oh. I just read on another thread that genjix is now the dev for Electrum....
legendary
Activity: 1896
Merit: 1355
September 18, 2012, 07:28:09 AM
#19
Is there some way to make Electrum start in Pro Mode? It doesn't seem to remember mode and not window position either (one of my pet peeves!). It's kind of annoying to have to use the menu to switch mode every time started.
If not, then is it acceptable for me to contribute a patch on github that provides these options?

I don't think it is possible at the moment. I find it annoying too; your patch will be welcome.

Quote
Also, I take it that the seed "word" space is 1626^12 = 3.4154387×10³⁸ - seems like a big enough space roughly close to 64^21, or a 21 char password. Sound about right?

the seed length is 128 bits. not sure how to map that into 'chars'
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 18, 2012, 06:10:32 AM
#18
Is there some way to make Electrum start in Pro Mode? It doesn't seem to remember mode and not window position either (one of my pet peeves!). It's kind of annoying to have to use the menu to switch mode every time started.

If not, then is it acceptable for me to contribute a patch on github that provides these options?

Also, I take it that the seed "word" space is 1626^12 = 3.4154387×10³⁸ - seems like a big enough space roughly close to 64^21, or a 21 char password. Sound about right?
donator
Activity: 2772
Merit: 1019
September 01, 2012, 03:25:45 PM
#17
Just got this client, it looks cool. Of course I copied my words to a random notepad doc I was using for other stuff.

If I understand correctly what you did, I don't think that's a very good idea. An attacker having gained access to your drive could quite easily search for the words in lib/mnemonic.py and find your sentence pretty quickly.
sr. member
Activity: 420
Merit: 250
August 30, 2012, 06:00:42 PM
#16
Just got this client, it looks cool. Of course I copied my words to a random notepad doc I was using for other stuff.
legendary
Activity: 1896
Merit: 1355
August 01, 2012, 11:36:45 AM
#15
Maybe if you could generate grammatically correct (but likely nonsensical) sentences it would be more memorable?

loss of entropy aside, I believe that grammatically correct sentences are easier to learn, but they are also easier to forget.
if you make the effort to memorize a non-structured list you are more likely to remember it.

donator
Activity: 2772
Merit: 1019
Maybe if you could generate grammatically correct (but likely nonsensical) sentences it would be more memorable?

It's not hard to remember a "nonsensical" list of words. I use a trick: make some picture(s) in your mind, moving ones if you like. The weirder the pictures the better you'll remember the words.

I've been hiking with my girlfriend in Nepal for 3 weeks... while walking the whole day we got bored and we made up lists of words and kept repeating them... a child's game about packing your stuff and going on vacation. We both used this method and we had multiple lists of 100 words each memorized perfectly. After that got boring, we even managed to assign numbers from 0 to 99 to the words of one of the lists and memorized phone numbers using this code and the mentioned method of making a mental picture.
legendary
Activity: 1190
Merit: 1004
Maybe if you could generate grammatically correct (but likely nonsensical) sentences it would be more memorable?
legendary
Activity: 1708
Merit: 1011
Could mnemonic.py be used by any other client to produce a set of English words for a regularly produced address?  Thus being able to print out the 12 word sets of a regularly produced set of private keys for archival backup?
legendary
Activity: 1896
Merit: 1355
WARNING
A new website popped up, that lets users generate addresses from their Electrum or Armory seed: http://brainwallet.org/

Currently, it is not clear who created that website.
I previously thought it was Joric, but he just said he is not the author.

After a quick inspection, the javascript does not send your seed to a remote server.
However, nothing guarantees that the server will always send you the same javascript

In other words: this could very well be a phishing attempt.
If you ever used that website, move your funds to a new wallet immediately!

legendary
Activity: 1896
Merit: 1355
It lacks support for codes with trailing zero (it's quite likely if keys considered random, the existing generator uses "%032x").
Importing 0e590e7dcd80a54737e49d4f95db4fd and "blank delight sanctuary demand peach sharp knife never meant" gives different results.

thanks for spotting that. I just fixed it and released version 0.43e, with the patch
member
Activity: 67
Merit: 130
April 19, 2012, 07:28:02 AM
#9
Code:
$ mnemonic.py 0e590e7dcd80a54737e49d4f95db4fd
blank delight sanctuary demand peach sharp knife never meant

$ mnemonic.py blank delight sanctuary demand peach sharp knife never meant
e590e7dcd80a54737e49d4f95db4fd

$ mnemonic.py e590e7dcd80a54737e49d4f95db4fd
perhaps ever trade eye creator feather tight bloom step

It lacks support for codes with trailing zero (it's quite likely if keys considered random, the existing generator uses "%032x").
Importing 0e590e7dcd80a54737e49d4f95db4fd and "blank delight sanctuary demand peach sharp knife never meant" gives different results.

legendary
Activity: 1896
Merit: 1355
April 11, 2012, 08:36:01 AM
#8
Code:
$ ~/Electrum-0.43c/mnemonic.py pain apologize tired bar change think off outside clear fear hit stir
ValueError: 'pain' is not in list

Wordlist has changed and there is no 'pain' anymore. Doesn't seem very reliable. Better use rfc1751.

the sequence of word you quoted was used by me as a demonstration screenshot on the website.
the actual dictionary NEVER changed since the release of the software.
member
Activity: 67
Merit: 130
April 11, 2012, 05:34:36 AM
#7
Code:
$ ~/Electrum-0.43c/mnemonic.py pain apologize tired bar change think off outside clear fear hit stir
ValueError: 'pain' is not in list

Wordlist has changed and there is no 'pain' anymore. Doesn't seem very reliable. Better use rfc1751.
legendary
Activity: 1288
Merit: 1080
March 13, 2012, 06:22:50 AM
#6
Nice, I don't know who exactly coined the term "brainwallet", but I like it.
legendary
Activity: 1288
Merit: 1227
Away on an extended break
March 13, 2012, 02:13:39 AM
#5
thanks to this feature of Electrum, it is now cited in Forbes:

http://www.forbes.com/sites/jonmatonis/2012/03/12/brainwallet-the-ultimate-in-mobile-money/

oh, and the 2012 official buzzword to say this is "Brainwallet"
Cool! Now we just need "Brainmining" to work.
legendary
Activity: 1896
Merit: 1355
March 13, 2012, 01:41:33 AM
#4
thanks to this feature of Electrum, it is now cited in Forbes:

http://www.forbes.com/sites/jonmatonis/2012/03/12/brainwallet-the-ultimate-in-mobile-money/

oh, and the 2012 official buzzword to say this is "Brainwallet"
legendary
Activity: 1288
Merit: 1080
November 26, 2011, 10:07:33 AM
#3
seems pretty cool
sr. member
Activity: 444
Merit: 313
November 10, 2011, 07:10:46 AM
#2
Very interesting. Reminds me of "correct horse battery staple" - http://xkcd.com/936/ .
legendary
Activity: 1896
Merit: 1355
November 09, 2011, 08:06:59 PM
#1
The new Electrum client uses mnemonic codes to represent random wallet seeds.
A seed is encoded with 12 words from a 1626 words dictionary.
If you lose your wallet, these 12 words are the only thing you need in order to recover it.

Screenshot:
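The encoding scheme the thread circles around (128-bit seed from os.urandom, 12 words from a 1626-entry list in #1 and #36, the "digit depends on the previous word" comment quoted in #31, the leading-zero round-trip failure reported in #9, and the words-per-bits arithmetic of #28 to #30) in working code. This is an added illustration, not Electrum's own mnemonic.py: the word list is a constructed 1626-entry stand-in (w0000 .. w1625), so the words will not match real Electrum seeds, and the three-words-per-32-bit-chunk arithmetic with chained offsets is my reconstruction of the scheme the thread describes.

```python
"""Electrum-style (2011 era) mnemonic encoding of a 128-bit seed.

Added illustration, not code from the Electrum project. The word list is a
constructed stand-in for the real English list.
"""
import math
import os

# Constructed stand-in word list. 1626 is the smallest n with n**3 >= 2**32,
# which is why three words can carry one 32-bit chunk without loss.
N = 1626
WORDS = ["w%04d" % i for i in range(N)]
INDEX = {w: i for i, w in enumerate(WORDS)}


def seed_to_hex(seed_int):
    """Zero-pad the seed to 32 hex chars.

    Plain '%x' would drop leading zeros and shift every 8-char chunk; that is
    the round-trip failure reported in the thread (a seed starting with '0'
    gives different words when re-imported). '%032x' keeps the padding.
    """
    if not 0 <= seed_int < 2 ** 128:
        raise ValueError("seed must be a 128-bit integer")
    return "%032x" % seed_int


def mn_encode(seed_hex):
    """128-bit hex seed -> 12 words (three words per 32-bit chunk)."""
    if len(seed_hex) != 32:
        raise ValueError("seed hex must be 32 chars, got %d; pad it" % len(seed_hex))
    out = []
    for i in range(0, 32, 8):
        x = int(seed_hex[i:i + 8], 16)
        w1 = x % N
        w2 = (x // N + w1) % N        # second index is offset by the first ...
        w3 = (x // N // N + w2) % N   # ... and the third by the second
        out += [WORDS[w1], WORDS[w2], WORDS[w3]]
    return out


def mn_decode(word_list):
    """12 words -> 32-char hex seed, undoing the chained offsets."""
    if len(word_list) != 12:
        raise ValueError("expected 12 words, got %d" % len(word_list))
    for w in word_list:
        if w not in INDEX:
            raise ValueError("%r is not in list" % w)   # the error seen in #7
    out = ""
    for i in range(0, 12, 3):
        w1, w2, w3 = (INDEX[w] for w in word_list[i:i + 3])
        x = w1 + N * ((w2 - w1) % N) + N * N * ((w3 - w2) % N)
        out += "%08x" % x   # each chunk stays padded to 8 hex chars
    return out


def words_needed(bits, list_size):
    """Minimum number of words from a list of list_size to carry `bits` bits
    (the 2048 -> 11 bits, 4096 -> 12 bits arithmetic from the thread)."""
    return math.ceil(bits / math.log2(list_size))


def new_seed():
    """128 bits from the OS CSPRNG, as the thread says Electrum does."""
    return seed_to_hex(int.from_bytes(os.urandom(16), "big"))


if __name__ == "__main__":
    seed = new_seed()
    words = mn_encode(seed)
    print(seed, "->", " ".join(words))
    assert mn_decode(words) == seed
    print("words needed for 128 bits with 1626-word list:", words_needed(128, 1626))
```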