Topic: How do I identify the valid checksums for bip39 if I generate 11/12 of the word? (Read 791 times)

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Actually, the von Neumann method even works with extremely biased coins, it will just take more time and tosses to get enough valid outcomes.
Yes, I knew that, but thanks for pointing it out and for the explanation anyway. The "von Neumann" method only breaks if you had a coin that produces a particular side 100% of the time. But then it's also apparent that by rule 2 you'd have to always discard the toss results and can't progress at all.

I just wouldn't feel comfortable using a heavily biased coin for such tosses and therefore wrote that "slightly biased" is still fine with this method, even though "heavily biased" would've worked fine, too.

Probability stuff is somewhat non-intuitive, at least for my wet brain v1.0beta.
legendary
Activity: 2604
Merit: 2353
You can achieve fair results even from slightly biased coins (or unknowingly biased tossing habits):
  • Toss the coin twice.
  • If the results match, start over, forgetting both results.
  • If the results differ, use the first result, forgetting the second.
Actually, the von Neumann method even works with extremely biased coins, it will just take more time and tosses to get enough valid outcomes.
Fundamentally, it just relies on basic probability laws:
p(HT) = p(H) x p(T) = p(TH) and p(H) + p(T) = 1
so
p(T) = 1 - p(H)

p(HT) = p(TH) = p(H) x (1 - p(H))

The probability is the same for HT and TH whatever p(H) and p(T) are. So even if p(H)=99%, we will get the exact same likelihood to get HT and TH. In the same way as for H and T with a perfect fair coin. Then if you only keep HT and TH you will likely get half HT and TH among all the retained tosses, and finally half H and T if you forget the second outcome.

So it's certainly the easiest and safest method to create a seed if you use it along with Odolvlobo's procedure, IMO.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
I've seen discussions about bias in dice rolls or coin flips. For instance: Scientists Destroy Illusion That Coin Toss Flips Are 50–50, showing the coin "landed with the same side facing upward as before the toss 50.8 percent of the time". The article also shows ways to avoid this, but this small bias isn't something I'd worry about. No attacker is going to find out how you flipped a coin, and brute-force the entire 128 flips.

You can achieve fair results even from slightly biased coins (or unknowingly biased tossing habits):
  • Toss the coin twice.
  • If the results match, start over, forgetting both results.
  • If the results differ, use the first result, forgetting the second.

If you're very paranoid (or simply want to mask off any potential bias), you can XOR your "random sequence" of coin tosses with another supposedly "random sequence" that is produced by another method, like a CSPRNG or a HWRNG or rolling dice.
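The two-toss debiasing rule quoted in this post and derived in the reply above it, as an added Python example (not code from any poster in this thread). The biased coin is simulated with a seeded PRNG purely to show that the retained bits come out close to 50/50, and `tosses_needed` is the expected toss count per kept bit, 1/(p(H)·p(T)), which is why a heavily biased coin "just takes more tosses". The XOR mixer at the end is the masking step this post mentions.

```python
import random
from typing import Tuple


def von_neumann(flips: str) -> str:
    """Debias a sequence of 'H'/'T' tosses: take the tosses in pairs;
    HT keeps H, TH keeps T, HH and TT are discarded. A trailing
    unpaired toss is discarded as well."""
    kept = []
    for first, second in zip(flips[0::2], flips[1::2]):
        if first != second:
            kept.append(first)
    return "".join(kept)


def to_bits(flips: str, heads: str = "H") -> str:
    """Map H/T to '1'/'0' so the result can be fed to a BIP39 checksum step."""
    return "".join("1" if f == heads else "0" for f in flips)


def xor_mix(bits_a: str, bits_b: str) -> str:
    """XOR two equal-length bit strings. The output is unbiased as long as
    at least one input is unbiased and the two are independent."""
    if len(bits_a) != len(bits_b):
        raise ValueError("sequences must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(bits_a, bits_b))


def tosses_needed(p_heads: float, n_bits: int) -> float:
    """Expected number of tosses to obtain n_bits debiased bits.
    Each pair survives with probability 2*p*(1-p) and costs two tosses,
    so one kept bit costs 1/(p*(1-p)) tosses on average (4 for a fair coin)."""
    return n_bits / (p_heads * (1.0 - p_heads))


def simulate(p_heads: float, n_tosses: int, seed: int = 1) -> Tuple[float, float, int]:
    """Constructed biased coin (seeded PRNG, not a real toss).
    Returns (raw heads fraction, debiased heads fraction, number of kept bits)."""
    rng = random.Random(seed)
    flips = "".join("H" if rng.random() < p_heads else "T" for _ in range(n_tosses))
    kept = von_neumann(flips)
    return flips.count("H") / n_tosses, kept.count("H") / len(kept), len(kept)


if __name__ == "__main__":
    raw, debiased, n_kept = simulate(0.9, 200_000)
    print(f"raw heads: {raw:.3f}  debiased heads: {debiased:.3f}  kept bits: {n_kept}")
    print(f"expected tosses for 128 bits, p(H)=0.9: {tosses_needed(0.9, 128):.0f}")
```

`simulate(0.9, 200_000)` keeps roughly 18% of the pairs, and the heads fraction among them lands within a few thousandths of 0.5 even though the raw stream is 90% heads.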
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
CSPRNG is better than your hand.
My hand is a lot easier to verify than the random number generator inside a piece of hardware.

Quote
1. see that you flipped '1' too many times and decide to write a lie on paper that you flipped '0' somewhere in the middle, because it seems more random.
2. the opposite of (1)
3. get bored in the middle of the process and decide to add some bits by yourself.
That's just dumb. It's possible to do this properly, and you shouldn't do it if you don't understand randomness.

I've seen discussions about bias in dice rolls or coin flips. For instance: Scientists Destroy Illusion That Coin Toss Flips Are 50–50, showing the coin "landed with the same side facing upward as before the toss 50.8 percent of the time". The article also shows ways to avoid this, but this small bias isn't something I'd worry about. No attacker is going to find out how you flipped a coin, and brute-force the entire 128 flips.
hero member
Activity: 686
Merit: 1341
✔️ CoinJoin Wallet
Why is this not a more common way for generating 12 words? 

CSPRNG is better than your hand.

When flipping a coin, you will unwillingly (probably) make one or more of the following mistakes:

1. see that you flipped '1' too many times and decide to write a lie on paper that you flipped '0' somewhere in the middle, because it seems more random.
2. the opposite of (1)
3. get bored in the middle of the process and decide to add some bits by yourself.
legendary
Activity: 4522
Merit: 3426
If you select 12 words, there's a big probability that your seed phrase doesn't pass the checksum.
I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.

Do this to simplify the process. It will give you the full 128 bits of entropy and should make finding the checksum easier:

1. After flipping 121 times to get the first 11 words, flip 7 more times to get a number between 0 and 127.
2. Multiply that number by 16.
3. Only one of the words that corresponds to that number or one of the 15 that follow will give you a valid seed phrase when used as the 12th word. Try each of them until you find one that works.

For example,

Flip 121 times to get 11 words: raccoon weird maze affair stomach fall whisper direct unveil chase enhance

Flip 7 times to get the number 101. 101 x 16 is 1616. Trying each of the words corresponding to numbers 1616 - 1631, you will find that 1619 "skill" works as the 12th word.

So, the phrase is: raccoon weird maze affair stomach fall whisper direct unveil chase enhance skill

This works because a 12-word phrase only has 4 bits of checksum, which means that once you have all the entropy bits, you only need to find the 1 out of 16 possible bit combinations that matches the correct checksum.
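The arithmetic behind the 16-candidate trick, as an added Python example (not odolvlobo's code or anything else posted in this thread). It works on the 11-bit word-list indices rather than the words themselves, so no word list is needed; the constructed sample input is the 128-bit entropy F2B173C5D5AAFFEBB80425FF5FE2057C that appears further down the thread, split into its first 121 bits and its last 7 bits exactly as the procedure above describes.

```python
import hashlib
from typing import List, Tuple

# Constructed sample entropy (the value discussed later in this thread).
ENTROPY_HEX = "F2B173C5D5AAFFEBB80425FF5FE2057C"
ENTROPY_BITS = format(int(ENTROPY_HEX, 16), "0128b")


def checksum_nibble(entropy_bits: str) -> int:
    """BIP39 checksum for 128-bit entropy: the top 4 bits of SHA-256(entropy bytes)."""
    if len(entropy_bits) != 128 or set(entropy_bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 '0'/'1' characters")
    entropy = int(entropy_bits, 2).to_bytes(16, "big")
    return hashlib.sha256(entropy).digest()[0] >> 4


def word_indices(entropy_bits: str) -> List[int]:
    """Append the 4 checksum bits and split the 132 bits into twelve 11-bit indices."""
    bits = entropy_bits + format(checksum_nibble(entropy_bits), "04b")
    return [int(bits[i:i + 11], 2) for i in range(0, 132, 11)]


def checksum_valid(indices: List[int]) -> bool:
    """What a wallet does on import: recompute the checksum from the first 128 bits
    and compare it with the last 4 bits of the 12th index."""
    if len(indices) != 12 or any(not 0 <= i < 2048 for i in indices):
        return False
    bits = "".join(format(i, "011b") for i in indices)
    return int(bits[128:], 2) == checksum_nibble(bits[:128])


def twelfth_word_search(first_121_bits: str, seven_bits: str) -> Tuple[int, List[int]]:
    """The procedure above: the 7 extra flips give n in 0..127, and the 12th index is
    n*16 + checksum, so only one of n*16 .. n*16+15 validates. Tries all 16 and
    returns (the valid index, the 16 candidates)."""
    if len(first_121_bits) != 121 or len(seven_bits) != 7:
        raise ValueError("need 121 bits for the first 11 words and 7 more bits")
    n = int(seven_bits, 2)
    first_11 = [int(first_121_bits[i:i + 11], 2) for i in range(0, 121, 11)]
    candidates = list(range(n * 16, n * 16 + 16))
    valid = [c for c in candidates if checksum_valid(first_11 + [c])]
    assert len(valid) == 1  # the 16 candidates cover every checksum value exactly once
    return valid[0], candidates


if __name__ == "__main__":
    valid, cands = twelfth_word_search(ENTROPY_BITS[:121], ENTROPY_BITS[121:])
    print("checksum nibble:", checksum_nibble(ENTROPY_BITS))
    print("candidates:", cands[0], "..", cands[-1], "valid 12th index:", valid)
    print("all indices:", word_indices(ENTROPY_BITS))
```

For this entropy the last 7 bits are 1111100 (n = 124), so the candidates are indices 1984 to 1999 and the checksum nibble 9 picks 1993; changing the 12th index to any other candidate keeps the same 128 entropy bits but fails `checksum_valid`.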
legendary
Activity: 3472
Merit: 10611
I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
There are a couple of problems with this idea.
The obvious one is that security-wise you want to generate at least 128 bits of entropy, so reducing it to something like 121 bits is not a good idea.

Additionally, to do what you described, you need the hardware wallet to have implemented a special procedure to first accept an invalid and shorter mnemonic and brute force it to generate a valid one! Because that's what they would have to do: add the missing 11 bits or the missing word and check for validity; if it fails, increment and repeat. They don't have such a feature as far as I know, and there is no valid reason to implement such a feature either, because then the wallet would also have to implement another feature to determine which one of the permutations is the valid mnemonic, because more than one word can be added to get a valid checksum and it could be a user trying to recover an already used mnemonic missing its last word.
legendary
Activity: 2380
Merit: 5213
Why is this not a more common way for generating 12 words?  
Your seed phrase represents a large random number and the standard method is that you first generate that random number.
There's nothing preventing you from going to the words list first directly. If you use a method in which words are selected completely randomly, you can achieve the same security.


I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
With flipping the coin 121 times, you actually generate random entropy. This means that you use the common method and the only difference is that you select the last 7 bits in a different way.
By common method, I mean generating the entropy and then going to the word list.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Why is this not a more common way for generating 12 words?
Probably because it's a lot of work, and not recommended because people will start cherry-picking words to form a sentence.

Quote
I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.
Why stop flipping there, if you can keep flipping coins and find the nearest word that matches the checksum?
newbie
Activity: 18
Merit: 5
If you select 12 words, there's a big probability that your seed phrase doesn't pass the checksum.
Instead, you can select 11 words and then try to find a word which leads to a valid BIP39 seed phrase. By valid, I mean it passes the checksum.
This is completely feasible, but it's not a common method for generating a seed phrase.
If you insist on generating your seed phrase in this way, you should make sure that the words are picked 100% random.

Why is this not a more common way for generating 12 words? 

I intend to flip a coin 121 times, convert to BIP39 words and then enter them into my HW with a random 12th word until it accepts the mnemonic as valid (passing checksum). This way I'm not relying on the HW RNG.

This seems to me to be much better than trying to use tools like SeedSigner and https://iancoleman.io/bip39/.

member
Activity: 104
Merit: 120
Hello, yes, I was talking about booting into a Tails OS USB drive on a PC or laptop that already had an OS installed on it. But thank you for the clarification and additional pointers.
legendary
Activity: 2268
Merit: 18775
Question, what are your thoughts about putting into a Linux Tails Distribution on a Windows machine via a USB drive?
Do you mean running Tails as a virtual machine within Windows? Or do you mean bypassing Windows altogether and simply booting the computer from the Tails USB? I wouldn't recommend the former, but I suspect you are talking about the latter.

If you boot to Tails, therefore completely ignoring Windows, and never connect to the internet or any other methods of communication while within Tails, then this is certainly a safer option than simply using Windows, and a good option if you cannot dedicate a device to be permanently airgapped. It would be even better if you can physically disconnect any connectivity hardware (unplug Ethernet cables, disconnect WiFi modules, etc.) and better still if you can physically disconnect any persistent storage (such as your hard drive(s)) while you are using Tails. But obviously the best option would be if you can dedicate an old machine to do this on which will never boot Windows or go online ever again.
member
Activity: 104
Merit: 120
Thank you for the suggestion. Question: what are your thoughts about putting into a Linux Tails Distribution on a Windows machine via a USB drive? I'm considering trying to use a persistent drive on a Tails distribution, not connecting the Tails OS to any internet connection, and then running it through this OS. Are you aware of any possible security issues with this configuration? Thanks
legendary
Activity: 2268
Merit: 18775
Glad you got it all figured out.

For future, if you are planning on using this method (coin flips, calculate checksum, convert to seed phrase manually) to generate a seed phrase, then you should do it on a device which is permanently airgapped. That means it does not have an internet connection and it will never have an internet connection again. Even better if you physically remove things like the WiFi card and Bluetooth chip to ensure it has no wireless connectivity whatsoever. You should also make sure the device is completely clean, which means formatting it and installing a clean OS on it. If you are going through all this trouble anyway, then you would probably be better served simply installing a reputable open source Linux distro rather than Windows and Linux on top. There are a number of very easy to use Linux distros. Mint is probably the closest to Windows in terms of look and feel.
member
Activity: 104
Merit: 120
That did it!  Thank you very much!  So in summary (for the future folks here), on a Windows terminal I had to run through a few hoops to get things set up.

- I first had to enable Windows Subsystem for Linux

- I then downloaded Kali from the Microsoft store.

- Next I had to setup Kali and create a username and password.

- I next had to log into su via the sudo su command

- Finally I performed the apt-get install libdigest-sha-perl command on the WSL window in sudo su mode and it installed all the necessary commands needed to perform the following line that resulted in the correct SHA256 hash of my binary input:

Code:
└─# echo -n "11110010101100010111001111000101110101011010101011111111111010111011100000000100001001011111111101011111111000100000010101111100" | shasum -a 256 -0
931258d717865a310cfc24a9161b21f4c0d02e0bb4cf12894516170a10e72339 ^-

Thanks again to everyone who helped me along here.  It was very educational!

legendary
Activity: 2268
Merit: 18775
I'm wondering why the discrepancy is occurring with hosseinimr93's SHA256 digest as from what I understood from
Because the -0 argument tells it to run in bits mode, but in your command you are not feeding it a string of bits, but a string of bytes. You need to feed it the entropy in 0s and 1s as I said before:
Code:
echo -n "11110010101100010111001111000101110101011010101011111111111010111011100000000100001001011111111101011111111000100000010101111100" | shasum -a 256 -0

Try this command and see if you get the correct checksum.
member
Activity: 104
Merit: 120
Hi again everyone,

I was hoping to get someone to double check the hash done on entropy in hex that I generated that is converted to F2B173C5D5AAFFEBB80425FF5FE2057C.

As per hosseinimr93's post, this translates to a SHA256 digest of 931258d717865a310cfc24a9161b21f4c0d02e0bb4cf12894516170a10e72339

Also, with the help of o_e_l_e_o , I was able to perform the following commands and was able to successfully load the Linux files into my Windows copy after logging into su:

apt-get install libdigest-sha-perl

I next performed the following commands but see a different SHA256 digest as noted below:

└─# echo -n F2B173C5D5AAFFEBB80425FF5FE2057C | shasum -a 256 -0
362695f3d7e699ecdae3536168fdc0f4e5696a1ee278c4800a626c0bac70746c ^-

I'm wondering why the discrepancy is occurring with hosseinimr93's SHA256 digest as from what I understood from
o_e_l_e_o :

"-a selects an algorithm, in this case 256. -0 tells it to read the input as bits, which is necessary when computing a checksum as above."

TIA

legendary
Activity: 1512
Merit: 7340
Farewell, Leo
sha256sum won't work in this case, because it does not have an option to treat the input as bits.
My bad. I'm thinking in terms of hexadecimal. You can append the 128 bit number with a "9" and then convert the 132 bit number to ones and zeroes, can't you?
legendary
Activity: 2268
Merit: 18775
Perhaps these versions don't include the shasum command?  Or perhaps the Windows versions don't?
Again, I have absolutely no idea about Windows, but on a pure Linux machine you could try the following command to install the necessary packages. It may or may not work on your Linux for Windows:
Code:
apt-get install libdigest-sha-perl

I've had problems with shasum in the past. Try sha256sum
sha256sum won't work in this case, because it does not have an option to treat the input as bits.

I'm not sure what o_e_l_e_o's command does. To me, echo -n "hello world" | shasum -a 256 -0 is executed normally, but it gives another result
-a selects an algorithm, in this case 256. -0 tells it to read the input as bits, which is necessary when computing a checksum as above.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
-bash: shasum: command not found
I've had problems with shasum in the past. Try sha256sum:
Code:
echo -n "hello world" | sha256sum

This will return you the SHA256 hash of the bytes of "hello world":
Code:
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  -

I'm not sure what o_e_l_e_o's command does. To me, echo -n "hello world" | shasum -a 256 -0 is executed normally, but it gives another result:
Code:
$ echo -n "hello world" | shasum -a 256 -0
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 ^-

Edit: -0 means that it reads in bits mode. So, I presume that it treats the input as binary, and converts it later to bytes to hash it.
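To make the bits-mode/bytes-mode difference concrete, here is an added Python example (not anything posted in this thread) that reproduces what the two commands actually hash. It assumes, from the results quoted above, that `shasum -0` keeps only the ASCII '0' and '1' characters of its input and packs them into bytes; the sample inputs are the strings from the posts above (the "hello world" runs and the 128-bit entropy). Digest::SHA's handling of a bit count that is not a multiple of 8 is not reproduced; the emulation refuses such input instead.

```python
import hashlib

# Sample inputs taken from the posts above (the entropy is the poster's own value).
ENTROPY_HEX = "F2B173C5D5AAFFEBB80425FF5FE2057C"
ENTROPY_BITS = format(int(ENTROPY_HEX, 16), "0128b")


def bits_in(text: str) -> str:
    """Bits-mode input as shasum -0 reads it (assumed from the thread's results):
    only the ASCII characters '0' and '1' count; everything else is ignored."""
    return "".join(ch for ch in text if ch in "01")


def sha256_bits_mode(text: str) -> str:
    """Emulates `echo -n TEXT | shasum -a 256 -0`: pack the 0/1 characters into
    bytes (most significant bit first), then hash those bytes."""
    bits = bits_in(text)
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    data = int(bits, 2).to_bytes(len(bits) // 8, "big") if bits else b""
    return hashlib.sha256(data).hexdigest()


def sha256_bytes_mode(text: str) -> str:
    """Emulates `echo -n TEXT | sha256sum` (or shasum without -0): hash the ASCII
    bytes of the text itself, so a '0' is the byte 0x30, not a zero bit."""
    return hashlib.sha256(text.encode("ascii")).hexdigest()


if __name__ == "__main__":
    # "hello world" has no '0'/'1' characters, so bits mode hashes nothing at all.
    print("bytes mode:", sha256_bytes_mode("hello world"))
    print("bits  mode:", sha256_bits_mode("hello world"))
    # The entropy as a 0/1 string: bits mode hashes the 16 entropy bytes, whose
    # digest starts with the checksum nibble (9 here).
    print("entropy bits mode:", sha256_bits_mode(ENTROPY_BITS))
    # The hex spelling fed to -0 only contributes its '1', '0', '0' characters.
    print("bits seen in hex string:", bits_in(ENTROPY_HEX))
```

This is the whole discrepancy in the thread: `-0` on the hex string sees three stray bits, `-0` on "hello world" sees none (hence the empty-input digest e3b0c442...), and only `-0` on the 128-character 0/1 string hashes the 16 entropy bytes the checksum is defined over.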