
Topic: I don't understand the seed management on Electrum (Read 415 times)

copper member
Activity: 78
Merit: 15
I loved your video, Cricktor :)

Thanks for all replies.
hero member
Activity: 714
Merit: 1010
Haha, oh dear, got me, I knew something was fishy in my head. You're right...

Well, isn't that proof enough, that those big numbers are just beyond comprehension? (How can I get out of this situation??)
legendary
Activity: 2268
Merit: 18771
Even to reach half of the required computations shown in that video, which might roughly be what's needed to "break" a 12-word mnemonic seed phrase, should convince you that you simply can't brute-force a 12-word mnemonic seed phrase at all.
2^128 is not half of 2^256.

Half of 2^256 is 2^255. 2^128 is 2^128 times smaller than 2^256. This is obviously exponentially smaller than just halving, but still orders of magnitude beyond what will ever be realistically possible to crack.
legendary
Activity: 2730
Merit: 7065
The list of 2048 words that Electrum uses in its recovery phrases is publicly known. Feel free to find any Bitcoin address with enough coins in it to make it worth your time, which is also publicly available information, and start bruteforcing. Let us know how that works out for you. Since the network has gone live, no one has done it yet. People do have fears that quantum computers might one day be strong enough to find a private key from a public key, but even that is unimaginable right now. Bitcoin wouldn't be where it is today if its security was this fragile.
hero member
Activity: 714
Merit: 1010
Dear OP, it's just difficult to grasp the magnitude of such big numbers, be it 2^128 or worse 2^256.

Have a look here: https://www.youtube.com/watch?v=S9JGmA5_unY

[I corrected my previous wording as I tricked myself with exponent arithmetic, sorry, didn't really spend a thought on it.]
To reach the required computations for 2^128 tries, which might roughly be what's needed to "break" a 12-word mnemonic seed phrase, should convince you that you simply can't brute-force a 12-word mnemonic seed phrase at all. There's likely not enough energy on earth or maybe the whole solar system to accomplish such a task, given you'd be able to harvest all of it in an efficient way for solely your cracking attempt.

As others already said, there's a huge, huge difference between brute-forcing 2048*2048*2048 (equals 2048^3, or three mnemonic words) and 2048^12 (equals 12 mnemonic words). It's math and lack of computational power and energy!
legendary
Activity: 3472
Merit: 10611
There is no difference in security level of a mnemonic and a randomly generated private key. The minimum security level in bitcoin is 128 bits which a 128+ bit entropy provides. In other words there is no difference between brute forcing the 128 bit entropy and a bitcoin private key (the former is actually harder due to the longer route taken to create a private key).

The last part is actually dependent on the length of the derivation path, so it's quite long on Bitcoin Core and other wallets that use BIP44, but on Electrum it's quite short at only two paths, and the paths are fairly easy to predict if you have the master public key and/or just saw the address derived in the Electrum wallet somewhere.
When brute forcing a random private key all you have to do is a single EC point multiplication (or multiply once and then increment it by adding G).
But when brute forcing a mnemonic (regardless of the derivation path) you first have to perform a single SHA256 to verify its validity so that you can feed it to PBKDF2 (which performs a couple of thousand SHA hashes) to derive the BIP32 seed, then get started on the derivation path.
This is the main reason for the speed difference.
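To make the per-candidate cost and the keyspace arithmetic from the posts above concrete, here is an added example (not code from the thread or from the Electrum project). It reproduces the Electrum seed pipeline as documented for its own seeds (version tag via HMAC-SHA512 keyed with "Seed version", PBKDF2-HMAC-SHA512 with 2048 rounds and salt "electrum" + passphrase, then the BIP32 root) and counts the HMAC calls that happen before the first EC multiplication; the exact tags and normalisation rules are assumptions to check against the project's mnemonic.py and version.py. The keyspace helpers cover the 2048^12 and "8 billion people for a million years" figures discussed later in the thread.

```python
import hashlib
import hmac
import math
import unicodedata

# Assumed constants, taken from how Electrum documents its seed scheme.
PBKDF2_ROUNDS = 2048
SEED_TYPES = {"01": "standard", "100": "segwit", "101": "2fa", "102": "2fa_segwit"}
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def normalize_text(s: str) -> str:
    # NFKD, lowercase, single spaces (Electrum also strips accents; simplified here).
    return " ".join(unicodedata.normalize("NFKD", s).lower().split())

def electrum_seed_type(mnemonic: str):
    """Seed type encoded in the phrase's version tag, or None if the phrase is not an
    Electrum seed. This is the one cheap HMAC that precedes the expensive stretching."""
    tag = hmac.new(b"Seed version", normalize_text(mnemonic).encode(), hashlib.sha512).hexdigest()
    for prefix, name in SEED_TYPES.items():
        if tag.startswith(prefix):
            return name
    return None

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Key stretching: 2048 rounds of HMAC-SHA512 for every candidate phrase."""
    salt = b"electrum" + normalize_text(passphrase).encode()
    return hashlib.pbkdf2_hmac("sha512", normalize_text(mnemonic).encode(), salt, PBKDF2_ROUNDS)

def bip32_master_key(seed: bytes):
    """BIP32 root: HMAC-SHA512 keyed with 'Bitcoin seed' -> (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 1 <= k < SECP256K1_N:
        raise ValueError("invalid master key (astronomically unlikely)")
    return k, i[32:]

def hmac_calls_before_first_ec_multiply() -> int:
    # Version tag + PBKDF2 rounds + BIP32 root. A raw private-key guess needs none of these.
    return 1 + PBKDF2_ROUNDS + 1

def keyspace_bits(wordlist_size: int, words: int) -> float:
    # Electrum folds the version tag into the entropy, so every word carries log2(2048) bits.
    return words * math.log2(wordlist_size)

def fraction_searched(bits: float, workers: int, rate_per_second: float, years: float) -> float:
    """Share of a 2^bits keyspace covered by `workers` machines at `rate_per_second` for `years`."""
    candidates = workers * rate_per_second * years * 365.25 * 86400
    return candidates / 2 ** bits
```

Run `fraction_searched(132, 8_000_000_000, 1e9, 1_000_000)` to see how little of the 2048^12 keyspace the whole planet would cover in a million years, and `mnemonic_to_seed` on any 12-word string to feel the 2048-round stretching cost per candidate.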
legendary
Activity: 3668
Merit: 6382
For the moment I still don't understand.
[~snip~]
And I do a brute force, and the brute script tells me that the words word1 word2 word3 are a valid wallet, it's over?

What prevents a person from having access to the wallet?

Your wallet private key is a number within a hugely big interval. Let's say bigger than the number of stars and planets in the universe.
And yes, if somebody finds out that number, you're screwed.

Just the chance is smaller than winning the big prize at the lottery many times in a row (!).
The seed is indeed "just words". But keep in mind that there being a rather big set of words in the list your seed words are taken from, and even more, a word can be used multiple times in your seed, makes it, again, very (very-very-very) difficult to brute force it. So difficult that the electricity needed for the job isn't worth it, no matter how many coins are in your wallet (!), plus it takes an awful lot of time (many generations!). Again, the chances to "guess" or brute force it are extremely low.

Clearer?
legendary
Activity: 2268
Merit: 18771
What prevents a person from having access to the wallet?
Math.

The sheer size of the numbers we are dealing with here is incomprehensible. You are wondering about a single person or a single machine generating millions of seed phrases a second. Let's take that to the extreme. Let's say every single one of the 8 billion people in the entire world is generating and checking a billion seed phrases a second, and they all keep doing that for the next 1 million years. In that entire time, the entirety of the human race will have checked approximately 0.00000074% of all possible 12 word seed phrases.

So feel free to set up your computer to generate as many seed phrases as possible from now until the day you die. You will generate billions or even trillions of empty seed phrases, which will be akin to a single grain of sand from all the beaches on the planet.
legendary
Activity: 3038
Merit: 4418
Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me.

For the moment I still don't understand.
That is a feature of the seed. It is about as secure as your private key, because the number of permutations is similar with both.

Everything I say is wrong, it's just an example to popularize, same for the Python, I can do it in C or other, it was an example, not to be taken literally.
Nope. Unfortunately the most optimized code ever cannot bruteforce at millions, much less billions of times per second.

[1] https://btcrecover.readthedocs.io/en/latest/GPU_Acceleration/
If my seed is :

word1 word2 word3

And I do a brute force, and the brute script tells me that the words word1 word2 word3 are a valid wallet, it's over?

What prevents a person from having access to the wallet?
Nothing. However, you have correctly demonstrated why we have a 12 word seed instead of a 3 word seed.

A simple demonstration would be using the word list to randomly generate a 12 word seed and iterate through the permutations and determine the number of iterations it takes to find that exact set of 12 words. The problem is there are 2048^12 (5.4445179e+39) possible permutations of it. You need to iterate at a rate of (10^30) to be able to find a seed in 5 centuries. That would be a factor of 21 over a billion, which is impractical, especially given that we established that the overheads make this a very inefficient process.
legendary
Activity: 2380
Merit: 5213
Yes, but why? That's the question of my post.
Because the seed phrase (whether it's BIP39 or an Electrum seed) has enough entropy and you can't brute force that.


Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me.
That's exactly how it should work.


And I do a brute force, and the brute script tells me that the words word1 word2 word3 are a valid wallet, it's over?
If you manage to brute-force someone's seed phrase, you can access the fund. But the problem is that you can't brute-force the seed phrase.

Can you access a wallet if you brute-force its seed phrase? Yes.
Can you brute-force a seed phrase without any information about that? No.


What prevents a person from having access to the wallet?
Big entropy of the seed phrase.
copper member
Activity: 78
Merit: 15

Whether there are 1626 words or 2048 words, it's impossible to access a funded wallet.

Yes, but why? That's the question of my post.

@ranochigo :

Because when I delete my wallet and recreate it from the seed (the 12 words), all the transactions appear as well as all the addresses with funds. That's what scares me.

For the moment I still don't understand.

Everything I say is wrong, it's just an example to popularize, same for the Python, I can do it in C or other, it was an example, not to be taken literally.

If my seed is :

word1 word2 word3

And I do a brute force, and the brute script tells me that the words word1 word2 word3 are a valid wallet, it's over?

What prevents a person from having access to the wallet?
legendary
Activity: 3038
Merit: 4418
There are not many words, 1625 is not much when you know the power of today's PCs. On my PC, with a Python script, I can test several billion possible combinations.

That's what I don't understand. If I test the combinations and find for example one that has funds, it's over for the portfolio, right?

It would be easy to take 12 random words from the list of 1625 words and test and then repeat and that several times per second.
Nope. Python is notoriously slow for loops and there are faster implementations out there. Depending on your type of loops or iterations, the actual rate will probably be far less than a couple of million per second.

There are actually tons of bottlenecks to be considered when you are bruteforcing seed phrases. First of all, you have to consider that various key stretching functions are used in the various steps of the process which slows it down significantly, because they are far more intensive than just generating random 12 word phrases. You are unlikely to really achieve speeds anywhere near feasible.

The other notable bottleneck is trying to find the addresses with any transaction history or funds. You have to get a set of all of the used addresses on the blockchain and search through it, which involves both storage and computational complexity when you are searching thousands or billions of seeds per second.
legendary
Activity: 2380
Merit: 5213
There are not many words, 1625 is not much when you know the power of today's PCs.
Currently, electrum uses a list containing 2048 words. The list you are referring to is for the old version of electrum's seed phrase and contains 1626 words, not 1625.


That's what I don't understand. If I test the combinations and find for example one that has funds, it's over for the portfolio, right?
If you find a seed phrase which belongs to a funded wallet, you can spend the fund.


It would be easy to take 12 random words from the list of 1625 words and test and then repeat and that several times per second.
Whether there are 1626 words or 2048 words, it's impossible to access a funded wallet.
copper member
Activity: 78
Merit: 15
There are not many words, 1625 is not much when you know the power of today's PCs. On my PC, with a Python script, I can test several billion possible combinations.

That's what I don't understand. If I test the combinations and find for example one that has funds, it's over for the portfolio, right?

It would be easy to take 12 random words from the list of 1625 words and test and then repeat and that several times per second.
legendary
Activity: 1568
Merit: 6660
So if I test billions and billions of combinations, I can find a bomb? There are not "that many words".


The answer is: maybe, subject to whether you can run billions of combos in the first place.

Hardware speed, and the expensiveness of creating a cluster, is why there is a ceiling to how many words can be unscrambled.
copper member
Activity: 78
Merit: 15
Thanks for your reply :)

Yes, I know you have to know the words, but I know the words because they are here " https://github.com/spesmilo/electrum/blob/master/electrum/old_mnemonic.py "

So if I test billions and billions of combinations, I can find a bomb? There are not "that many words".
legendary
Activity: 1568
Merit: 6660
There is no difference in security level of a mnemonic and a randomly generated private key. The minimum security level in bitcoin is 128 bits which a 128+ bit entropy provides. In other words there is no difference between brute forcing the 128 bit entropy and a bitcoin private key (the former is actually harder due to the longer route taken to create a private key).

The last part is actually dependent on the length of the derivation path, so it's quite long on Bitcoin Core and other wallets that use BIP44, but on Electrum it's quite short at only two paths, and the paths are fairly easy to predict if you have the master public key and/or just saw the address derived in the Electrum wallet somewhere.
legendary
Activity: 2702
Merit: 4002
Theoretically, if you generate your seeds in cold storage and in a safe environment, the cost and time of hacking those seeds makes it an unacceptable idea in practice. Therefore, the method of stealing your money is often in another form, such as:

 - Downloading a wallet from unknown sources.
 - Social engineering attacks.
 - Viruses, Trojans.
 - Phishing links.

And other ways in which a scammer accesses the seed or the private key through you and not by trying to guess.
legendary
Activity: 3472
Merit: 10611
There is no difference in security level of a mnemonic and a randomly generated private key. The minimum security level in bitcoin is 128 bits which a 128+ bit entropy provides. In other words there is no difference between brute forcing the 128 bit entropy and a bitcoin private key (the former is actually harder due to the longer route taken to create a private key).
legendary
Activity: 3472
Merit: 3217
If you are randomly guessing 12-word seed phrases you have 0 chance and 0 luck of getting a wallet with funds; you have more chance of winning the lottery than of brute-forcing a 12-word seed.

Unless you are trying to brute-force a wallet with 1 to 4 missing words, where you have more chance to recover your own wallet by using some software like the one mentioned above.
But you can also use this tool "The FinderOuter, a bitcoin recovery tool"
legendary
Activity: 2744
Merit: 3097
There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that a software finds my seed?
It depends on how much you remember from your seed. If only a few words are missing (like 3 or 4 words) and you know their exact position, then recovering the seed using a good tool is possible. The more you remember, the faster the tool will find your seed. Once it finds it, you can use it to recover your wallet and you will have full access to your coins.

I've seen many reputable members recommending BTCRecover, so I believe it's safe. 
legendary
Activity: 2380
Merit: 5213
Most seed phrases have an entropy of (I'm not sure how many words are used for the checksum so just found the entropy of the first 10 words): 1,298,074,214,633,706,907,132,624,082,305,024 (2048^10)
Given the method used by electrum for generating a seed phrase, even the last word contains 11 bits of entropy.
So, a 12 word seed phrase generated by electrum provides entropy of 2048^12.
copper member
Activity: 2856
Merit: 3071
Most seed phrases have an entropy of (I'm not sure how many words are used for the checksum so just found the entropy of the first 10 words): 1,298,074,214,633,706,907,132,624,082,305,024 (2048^10)

This isn't as big as the keysize for private keys (unless you use a 256bit seed or you made your wallet a few years ago - it made different length seeds) but it's still very huge and uncrackable.

legendary
Activity: 2380
Merit: 5213
I have used Electrum for many years, and I've always wondered how the seed is managed.
Your seed phrase actually represents a random number.


Let me explain: if, for example, I test several words in order, can I find the seed of my wallet?
That's impossible.


If I find it, I have access to all the funds right?
Yes, the seed phrase is all you need to access the fund.


There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that a software finds my seed?
You can brute-force the seed phrase only if you know some words. For example, if you know 10 words, you can test all combinations and find the 2 missing words.
It's not that you can brute-force any seed phrase. A 12 word seed phrase generated by electrum provides 132 bits of entropy and it's secure enough.
copper member
Activity: 78
Merit: 15
Hello,

I have used Electrum for many years, and I've always wondered how the seed is managed.

Let me explain: if, for example, I test several words in order, can I find the seed of my wallet?

If I find it, I have access to all the funds right?

There is software that allows you to brute-force this kind of manipulation. I've never tried it, for fear of a virus, but even if they are surely "safe", is it possible that a software finds my seed?