Topic: I think we have a problem with 12 seed recovery phrase

legendary
Activity: 3472
Merit: 4801
I don't think it's as small as the oxygen molecule example that I gave (though I've never tried to estimate it, so I suppose I could be mistaken about that), but it definitely is plenty small enough to also be considered "not possible" by any reasonable person.
The oxygen example is an extreme one.

Absolutely.

Even if everyone in the world did literally nothing but constantly generate new wallets for millions of years, we still wouldn't get a collision. It is safe to assume the chance of a random collision is zero, just as it is safe to assume the chance of randomly suffocating is zero.

Exactly. The whole point of the analogy is to demonstrate something that the average person IS willing to say is "impossible" while pointing out that the probability is NOT zero.

It's a real-life example that people can maybe sort of grasp.  Once they're willing to accept that there are SOME "non-zero" probabilities that are realistically "impossible", it becomes a bit easier to accept that the chance of a bitcoin address collision might be one of those types of "impossible".
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Unless you are meaning finding an individual private key which can be used as I've explained above in order to create a script with a hash which matches that of your multi-sig? And actually, since there are 2^96 private keys on average per address for the same reason, then I suppose the chance is in fact identical.
This is what I was thinking. You just explained it much better :)
legendary
Activity: 2268
Merit: 18711
As far as I know, any multisig can be brute-forced in the same way as a single address. To find a collision, you don't need to find all original private keys, you'll just need to find one that matches the other random private key you created.
I'm not sure I follow. Do you mean finding the ephemeral key used in signing? Finding an ephemeral key would only allow an attacker to calculate a single one of the private keys in the multi-sig, not all of them (assuming of course you do not reuse your k value across all your keys, which no good wallet software would do anyway).

You can still brute force multi-sig addresses in far less time than brute forcing all the individual private keys by simply finding any script which hashes to the same output as the multi-sig script. So for a P2SH output, where the script hash is RIPEMD160(SHA256(script)), then you have a script hash which is 160 bits, which is obviously far less than trying to brute force 256 bits.

Unless you are meaning finding an individual private key which can be used as I've explained above in order to create a script with a hash which matches that of your multi-sig? And actually, since there are 2^96 private keys on average per address for the same reason, then I suppose the chance is in fact identical.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Quote
realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it or properly written software creating a duplicate seed just by random
See these brain wallets, or posted private keys that still receive funds.

Yes, but that is more an example of humans being humans and doing insecure things.

I was thinking more along the lines of some chip manufacturer doing something stupid in an otherwise good RNG and for some reason instead of spitting out one of close to trillions of possible numbers, spitting out one of 10.

Or some wallet that had some things set in testing that still made it into production, so once again instead of just about infinite choices it's one of only a few.

Which is why I'll let others play with the 1st wallets that use the Tropic Square chip. Considering the people making it and their security choices, I'll let others figure out what they missed in the 1st generation of their security chip. Because you can be open source and auditable all you want, but without specialized tools and knowledge you can't really know what's in the silicon. Which leads to the next thought: even with tons of people over a decade looking at their stuff, you still had Spectre and Meltdown hit so many processor manufacturers.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything.
It gets even better when you realize every seed phrase can create every Bitcoin address (but you'll never be able to produce enough addresses to reach a collision).

Quote
Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them. If you think all private keys are insecure, then your best mitigation to this (other than learning the math to see why they are not insecure) would be to use a multi-sig set up.
Other than peace of mind, I don't see how this protects against collisions. As far as I know, any multisig can be brute-forced in the same way as a single address. To find a collision, you don't need to find all original private keys, you'll just need to find one that matches the other random private key you created. Not that it matters: you'll never find a collision.
With multisig, I'm more afraid of messing something up by myself, in which case it increases instead of decreases the risks.
legendary
Activity: 2268
Merit: 18711
Why only 128 bits? There is some factor in brute forcing I vaguely recall that cuts the attack time by half, whose name I can't seem to recall.
Because the most efficient way to attack a private key is not to blindly brute force 256 bits, but rather to solve the ECDLP and reverse the elliptic curve multiplication, calculating the private key from the known public key. Such an attack would require (at least for the foreseeable future) on average 2^128 operations.

The security of the secp curves is defined in Standards for Efficient Cryptography. SEC 2: Recommended Elliptic Curve Domain Parameters. (Table at the bottom of page 4.)
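To see why the cost of the best generic attack is the square root of the group order (about 2^128 steps for a 256-bit order), here is an added Python example that is not from the post above or from any Bitcoin library. It builds a small constructed curve (p = 10007 and A = 2 are arbitrary choices, B is searched for at runtime so the order is prime; none of this is secp256k1), picks a random "private key", and recovers it from the public point with Pollard's rho, reporting the step count next to the brute-force average n/2.

```python
import math
import random

# Toy short-Weierstrass curve y^2 = x^3 + A*x + B over F_P. P_MOD and A are
# constructed for this demo; B is chosen at runtime so the group order is prime.
# Nothing here is secp256k1: the point is the sqrt(n) cost, not the parameters.
P_MOD = 10007  # prime, and 3 mod 4 so sqrt(r) = pow(r, (p+1)//4, p)
A = 2
INF = None     # point at infinity (group identity)


def point_add(p1, p2, a=A, p=P_MOD):
    """Affine point addition; the formulas do not need B."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                            # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p      # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p             # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def scalar_mult(k, pt):
    """Double-and-add k*pt: the easy direction of the ECDLP (private -> public)."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return acc


def curve_order(b, a=A, p=P_MOD):
    """#E(F_p) by brute force: 1 (infinity) + 0/1/2 roots of y^2 = rhs for each x."""
    n = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        if rhs == 0:
            n += 1
        elif pow(rhs, (p - 1) // 2, p) == 1:                  # Euler criterion: square
            n += 2
    return n


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, math.isqrt(n) + 1))


def find_prime_order_curve(a=A, p=P_MOD):
    """Smallest B giving a non-singular curve of prime order, so any point generates."""
    for b in range(1, p):
        if (4 * a ** 3 + 27 * b * b) % p == 0:
            continue                                          # singular curve
        n = curve_order(b, a, p)
        if is_prime(n):
            return b, n
    raise RuntimeError("no prime-order curve for these parameters")


def find_point(b, a=A, p=P_MOD):
    """First x whose right-hand side is a non-zero square gives a curve point."""
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        y = pow(rhs, (p + 1) // 4, p)
        if rhs and y * y % p == rhs:
            return (x, y)


def pollard_rho(gen, target, n, rng, partitions=16):
    """Solve target = k*gen for k, gen of prime order n: r-adding walk plus Floyd
    cycle detection. Each walk point X is tracked as X = c*gen + d*target, so a
    collision X_i == X_2i gives c1 + d1*k = c2 + d2*k (mod n). Returns (k, steps)."""
    while True:
        coeffs = [(rng.randrange(n), rng.randrange(n)) for _ in range(partitions)]
        jumps = [point_add(scalar_mult(c, gen), scalar_mult(d, target)) for c, d in coeffs]

        def step(state):
            x, c, d = state
            if x is INF:
                return None                                   # degenerate walk, restart
            j = x[0] % partitions                             # partition by x-coordinate
            return (point_add(x, jumps[j]), (c + coeffs[j][0]) % n, (d + coeffs[j][1]) % n)

        c0, d0 = rng.randrange(n), rng.randrange(n)
        tortoise = hare = (point_add(scalar_mult(c0, gen), scalar_mult(d0, target)), c0, d0)
        steps = 0
        while True:
            tortoise = step(tortoise)
            hare = step(hare)
            hare = step(hare) if hare is not None else None
            steps += 1
            if tortoise is None or hare is None or tortoise[0] == hare[0]:
                break
        if tortoise is None or hare is None:
            continue
        _, c1, d1 = tortoise
        _, c2, d2 = hare
        if (d1 - d2) % n == 0:
            continue                                          # collision carries no information
        return (c2 - c1) * pow((d1 - d2) % n, -1, n) % n, steps


def demo(seed=1):
    """Build the curve, pick a random 'private key', recover it from the public point."""
    rng = random.Random(seed)
    b, n = find_prime_order_curve()
    gen = find_point(b)
    secret = rng.randrange(1, n)
    public = scalar_mult(secret, gen)
    k, steps = pollard_rho(gen, public, n, rng)
    return {"order": n, "gen": gen, "public": public, "secret": secret, "recovered": k,
            "rho_steps": steps, "expected_rho": round(math.sqrt(math.pi * n / 2)),
            "brute_force_avg": n // 2}


if __name__ == "__main__":
    print(demo())
```

For a group order around 10^4 the walk finishes in on the order of a hundred steps while a brute-force scan would average about 5,000; scaling the same square-root law to secp256k1's order of about 2^256 gives the 2^128 figure quoted above, which is why a 12-word (128-bit) seed is not the weakest link.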
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything. Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them.

Why only 128 bits? There is some factor in brute forcing I vaguely recall that cuts the attack time by half, whose name I can't seem to recall.
legendary
Activity: 2268
Merit: 18711
I don't think it's as small as the oxygen molecule example that I gave (though I've never tried to estimate it, so I suppose I could be mistaken about that), but it definitely is plenty small enough to also be considered "not possible" by any reasonable person.
The oxygen example is an extreme one. Because I'm a nerd who loves this kind of stuff - some very rough calculations would put a small 5m*5m*3m room at 75,000 liters, 21% O2 gives 15,750 liters, with the molar gas volume of 22.4 liters at STP giving 703.125 moles of oxygen, times Avogadro's constant giving 4.234*10^26 molecules of oxygen. If you give each molecule a 12.5% chance of being gathered in a specific corner of the room (given that there are 8 corners), then your chance of them all being gathered in the same corner is going to be 0.125^(4.234*10^26). My software won't calculate that number. I get as far as about 10^-1,000,000,000 and then it gives up and says zero. Heh.

So yeah, a bit on the extreme side, but the principle is the same as I outlined above. Even if everyone in the world did literally nothing but constantly generate new wallets for millions of years, we still wouldn't get a collision. It is safe to assume the chance of a random collision is zero, just as it is safe to assume the chance of randomly suffocating is zero.
It's probably worth pointing out that if you think a 12 word seed phrase is insecure, then swapping to 24 words doesn't change anything. Bitcoin private keys "only" provide 128 bits of security at most, regardless of the number of bits in the seed phrase used to generate them. If you think all private keys are insecure, then your best mitigation to this (other than learning the math to see why they are not insecure) would be to use a multi-sig set up.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I don't think I'm alone in doing this.
Only 47.3 million out of all 1.16 billion used Bitcoin addresses are still funded. That's 4.08%. It doesn't matter much compared to how small the chance is of finding a duplicate.

Quote
realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it or properly written software creating a duplicate seed just by random
See these brain wallets, or posted private keys that still receive funds.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
And the other point to think about is that even if, through some bizarre, unaccountable bad luck, your 128 bit entropy words were an exact match to an already existing wallet: is it an active wallet? Or is it just a wallet that somebody created and then abandoned years ago? Maybe I'm a unique case, but I probably have created, used and then abandoned 50-plus wallets generated from 12 word seeds over the years. I have several hot wallets that I don't keep a lot of funds in, but I do like to have immediately available funds on several devices at a time that are all totally unrelated to each other. And when I'm done, after what could be weeks or months, I archive the seed and create a new one.

I don't think I'm alone in doing this. So yes, you could find Dave's wallet #37. You get to see all my transactions from 2020. Have a blast with that.

Yes, it's a privacy issue, but it's not a real security issue.

realistically, bad programming and bad RNGs are probably going to cause more duplicate wallets from duplicate seeds than actually being able to brute force it or properly written software creating a duplicate seed just by random chance.

-Dave
legendary
Activity: 3472
Merit: 10611
One of the reasons some people think a 12-word seed phrase is not safe is the number "12", since they think it is short. But what they don't know is what these words represent, which is a randomly generated "entropy" that is 128 bits. And this size of entropy is strong enough that it makes collisions impossible.

So when someone claims they changed the last word and found a valid seed with funds in it, this is not about changing a word out of 12 and getting lucky, it is about changing 7 bits in 128 bits and finding 2 collisions: first a 4-bit checksum collision (to get a valid mnemonic) and second a 128-bit entropy collision (to find a funded wallet). This is obviously impossible.
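To make the bit accounting above concrete, here is an added Python example (not from the post or from any wallet software) that implements the BIP39 mapping between 128 bits of entropy and twelve 11-bit word indices, then tries all 2048 candidates for the 12th word to see how many the 4-bit checksum accepts. It works on word indices only; the lookup into the 2048-word list is left out, since the indices already show the structure.

```python
import hashlib

WORDS = 12
ENTROPY_BITS = 128                  # 12 words * 11 bits = 132 = 128 entropy + 4 checksum
CHECKSUM_BITS = ENTROPY_BITS // 32  # BIP39: ENT/32, i.e. 4 bits for a 12-word phrase
TOTAL_BITS = ENTROPY_BITS + CHECKSUM_BITS


def checksum_of(entropy: bytes) -> int:
    """BIP39 checksum: the top ENT/32 bits of SHA256(entropy)."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def entropy_to_indices(entropy: bytes) -> list:
    """16 bytes of entropy -> 12 word indices in 0..2047. Index i would select word i
    of the BIP39 wordlist, which is omitted here (indices suffice for the bit layout)."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("expected 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | checksum_of(entropy)
    return [(bits >> (TOTAL_BITS - 11 * (i + 1))) & 0x7FF for i in range(WORDS)]


def indices_to_entropy(indices: list):
    """Inverse mapping: the 16-byte entropy if the 4-bit checksum validates, else None."""
    if len(indices) != WORDS or not all(0 <= i < 2048 for i in indices):
        return None
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    claimed = bits & ((1 << CHECKSUM_BITS) - 1)
    return entropy if claimed == checksum_of(entropy) else None


def valid_last_words(indices: list) -> list:
    """Keep the first 11 words, try all 2048 candidates for the 12th, return the ones
    the checksum accepts. The last word carries 7 entropy bits + 4 checksum bits, so
    exactly one checksum fits each of the 2^7 entropy values: 128 survivors."""
    head = indices[:-1]
    return [w for w in range(2048) if indices_to_entropy(head + [w]) is not None]


def shared_entropy_prefix_bits(indices: list) -> int:
    """Leading entropy bits common to every valid last-word variant. Only the last
    word's 7 entropy bits can differ, so 128 - 7 = 121 bits are fixed."""
    variants = [int.from_bytes(indices_to_entropy(indices[:-1] + [w]), "big")
                for w in valid_last_words(indices)]
    common = 0
    for bit in range(ENTROPY_BITS - 1, -1, -1):
        if len({(v >> bit) & 1 for v in variants}) != 1:
            break
        common += 1
    return common


if __name__ == "__main__":
    # Constructed input: the all-zero entropy, whose BIP39 phrase is "abandon" x 11 + "about".
    idx = entropy_to_indices(bytes(16))
    print("indices:", idx)
    print("valid 12th words:", len(valid_last_words(idx)))
    print("entropy bits fixed by the first 11 words:", shared_entropy_prefix_bits(idx))
```

Swapping the last word therefore explores at most 128 phrases whose entropy differs from yours in 7 low-order bits; finding a funded wallet that way requires the remaining 121 bits to already collide with someone else's, which is the 128-bit collision the post describes.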
legendary
Activity: 3472
Merit: 4801
I am just saying that it is theoretically possible.

There comes a point where probability gets SO small, that even though the mathematically calculatable number is a non-zero number, no reasonable person would ever use the words "possible" to describe it.

For example...

Oxygen molecules bounce around randomly in the atmosphere that we breathe. If you are in a large room, there are a VERY large number of arrangements of those oxygen molecules that are possible within that room.  Any single arrangement at a moment in time is just as likely as any other arrangement.  There are a VERY large number of arrangements that provide enough molecules in front of your face that you can breathe. There are a much smaller number of arrangements that result in all of the oxygen molecules gathering together in the corner of the room and you suffocating to death.

If you calculate the exact probability, then there is a non-zero probability at any moment that you will find yourself standing in a perfectly normal room with a perfectly normal amount of oxygen molecules, but still suffocate to death because those molecules just so happen to randomly be all gathered together in the corner.

Even though the mathematically calculated value is not exactly 0, it is SO SMALL that no reasonable person would say that it is "possible" for them to suffocate to death in a normal room with normal amounts of oxygen present due to this scenario.

We humans have a difficult time wrapping our heads around REALLY BIG (or really small) numbers. The probability of stumbling into someone else's randomly generated address or wallet (assuming that it was truly random) is MUCH MUCH MUCH smaller than the probability of winning the lottery. I don't think it's as small as the oxygen molecule example that I gave (though I've never tried to estimate it, so I suppose I could be mistaken about that), but it definitely is plenty small enough to also be considered "not possible" by any reasonable person.
hero member
Activity: 1022
Merit: 642
Magic

Saying it's theoretically possible doesn't help new Bitcoin users.

Well, you actually have a point there. It may be a little bit weird to educate yourself about bitcoin and find people that tell you that it is theoretically possible that somebody can steal all your money if they are lucky enough.

So to clear that up: Bitcoin is safe! ;) Just look at the exchange wallets, they wouldn't just put all their money in one wallet if they would worry about some dude randomly guessing the private key to those addresses.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I am just saying that it is theoretically possible.
And I'm saying it's not possible ;) It's more of a philosophical discussion than technical.

Saying it's theoretically possible doesn't help new Bitcoin users. It's theoretically possible (and billions of times more likely!) to guess my creditcard and phone number, but it's still not going to happen.
hero member
Activity: 1022
Merit: 642
Magic

Based on math, I can rule this out. There's really no point in assuming something with a 0.0000000000000000000000000001% probability is going to happen.
You are completely right with your statements, and it's not only you, but me and basically everyone in the crypto world that somehow bets his money on this not happening. I am just saying that it is theoretically possible. Same as it is theoretically possible that a cosmic ray hits a bit in a computer chip and changes the current value to another valid one. It is impossible until it then eventually still happens https://www.johndcook.com/blog/2019/05/20/cosmic-rays-flipping-bits/

Still, don't get me wrong, I will still fully trust my money to the bitcoin network and don't see anything like this as a real threat, since as I said most addresses are empty, which makes this whole thing even more unlikely.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Even if it is highly unlikely, it is also highly unlikely to win in the lottery and still every month somebody wins it.
This is a bad analogy. It may be unlikely that you win the lottery, but it's very likely that someone wins it. Depending on the rules of the lottery it could even be a given that someone's going to win.
With random Bitcoin addresses, it's not only unlikely that you recreate an existing one, it's unlikely that anyone does it. It's so unlikely, it's safe to say it's not going to happen. I literally bet my money on this.

Quote
So you can never rule out that possibility 100%
Some people would argue that 99.9999999999999999999999999999% is certain enough. There are much larger risks that are much more likely to happen, and many of those events still don't happen.

Quote
that at some point in the next few hundred years somebody will randomly create a new wallet that was already previously used.
Based on math, I can rule this out. There's really no point in assuming something with a 0.0000000000000000000000000001% probability is going to happen.

Quote
So even if this highly unlikely event does happen, I think the chances are pretty high that it will not damage anybody.
It's simply irrelevant.
legendary
Activity: 3416
Merit: 1225
Well, nice to hear. I am bad at the maths, and it's also nice to hear the other guy is lying about it. This makes me feel more secure. Thanks guys.

I'm not good at math, but let's use common sense instead: Bitcoin is already 12 years old and we have never heard of anyone successfully hacking or cracking a 12-seed recovery phrase, even by pure luck. We're all going to be busted if someone can crack that 12 seed recovery phrase, but because you've read it in a Telegram group, where all unusual stories are being told, I can assure you that guy is lying and does not know a thing about hacking.
hero member
Activity: 1022
Merit: 642
Magic
Even if it is highly unlikely, it is also highly unlikely to win in the lottery and still every month somebody wins it. So you can never rule out that possibility 100% that at some point in the next few hundred years somebody will randomly create a new wallet that was already previously used. What however then will be the case is, that most of the addresses that were used at some point are now completely empty or just have a dust balance. So even if this highly unlikely event does happen, I think the chances are pretty high that it will not damage anybody.
jr. member
Activity: 50
Merit: 8
Well, nice to hear. I am bad at the maths, and it's also nice to hear the other guy is lying about it. This makes me feel more secure. Thanks guys.
legendary
Activity: 2268
Merit: 18711
He said to me, one guy in a Telegram group claims to have opened another person's wallet by changing his seed, changing only the last word by mistake, so I think, like always, pure luck
He's lying. Taking your own randomly generated seed phrase and changing the last word will never result in you stumbling across another active wallet.

Now there are 8,000 million people in the world; imagine every person having 2/3 wallets, and in a few more years we can have a lot more population, and that population increases very fast.
This is an utterly irrelevant number when compared to the number of valid seed phrases.

Let's say we have 8 billion people in the world. Instead of 2 or 3 wallets, let's say that every one of those 8 billion people is generating a thousand new wallets every second. Let's also say that each one of those 8 billion people continues to generate a thousand new wallets a second every second for a million years.

8 billion * 1,000 * 60 * 60 * 24 * 365 * 1,000,000 = 2.5*10^26

Number of valid 12 word seed phrases = 3.4 * 10^38

So in my scenario, after a million years we will have generated approximately 0.00000000007% of all possible seed phrases.

There will never be a seed phrase collision.