Topic: Idea for extremely paranoid people who want to create a bitcoin wallet (Read 387 times)

I was in a similar situation back when I created my first wallet (~ 2013), so can definitely understand someone thinking they are adding an extra layer of security when you swap a word. My rationale at the time was as follows:
The then 12 words were kept in such a way that someone could have found them if necessary. I thought at that time if this already happens the person should at least have a hard time accessing my coins.

In addition, cryptography and probabilities are simply difficult to grasp for many people. The fact that a simple exchange of words does not result in a purely statistical increase in security is probably difficult to understand for people with little technical knowledge.

---

But you're right, of course: The risk of forgetting one's own algorithm and ending up without coins is much greater than that the original threat scenario (in my case, finding the words) occurs at all.

Simple as that.

Additionally, those methods are ultra safe (if used properly). Custom methods are created to be safer, but they significantly decrease safety! 

The easiest way to prevent such losses is just not to use such a technique in the first place.

Whenever someone comes up with their own system, one of two things happen. They either end up with something which adds absolutely no extra security at all, or they end up locking themselves out of their wallets. A prime example is when people swap words around. They either swap two or three words which is absolutely trivial to brute force and is not secure at all, or they scramble their entire phrase, forget the order, and can't figure out their back up.

There are standardized processes for a reason. Just use them.

The losses of coins that I get told in my circle of friends and acquaintances usually have to do with scams, e.g. the Youtube channels with the title "Vitalik is giving away free ETH NOW!!!!" that were quite common until some time ago.
Closely followed by losses due to scams, however, is not so much the fact that there are no backups, but the fact that the backups are simply wrong, e.g. incorrectly written down mnemonic codes or private keys that are intentionally changed and "guaranteed to remember the change".

The latter can hardly be prevented - unless you tell someone about the change - but for the former, i.e. simply wrong backups, there is a quite simple solution:

After the setup (e.g. of a hardware wallet) you write down an address and reset the hardware wallet completely ... and then reinitialize it with the backup you wrote down. If the restore works, you can then send the coins to the respective wallet.

---

The fact that the backups are then often simply stored in a file folder for all to see is, of course, another issue here.

That's why you should always test your backups before funding any wallet.

In fact BIP39 is designed to be a universal standard for wallet creation. It is not mandatory to use it, but it is convenient.

As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
They worry about a wallet being compromised, but they don't worry about using airgapped devices.


Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.

I don't think it is simply that they don't bother to check. Rather it is a deliberate decision.

Under "Motiviation" on the link you shared to the Electrum seed versioning system, it explains why the Electrum devs did not want to use a system which depended on a fixed wordlist and could instead be used with any wordlist, and more importantly could recover seed phrases without knowing the wordlist used. It uses the same wordlist as BIP39 as default I assume simply because it is well known and does have a number of advantageous features (such as each word having the first 4 characters be unique, excluding similar words, etc.), but they are quite clear they do not want to depend on any fixed wordlist, and therefore allow users to use their own custom wordlist of any length.

That's interesting info. Personally i still find it's weird Electrum able to use more than 2048 words since in past word list used by Electrum use less than 2048 words[1]. I guess Electrum developer doesn't bother add extra checking or assume people wouldn't use custom words.


There's no encryption involved. And FYI, recovery words/seed/phrase generated by Electrum is based on Electrum Seed Version System[3], not BIP39[2].

[1] https://github.com/spesmilo/electrum/blob/5883aaf8ca2f79bf694d11ac6b63f5defd2a2c38/client/mnemonic.py#L23-L1650
[2] https://electrum.readthedocs.io/en/latest/seedphrase.html
[3] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki

It is neither less secure nor more secure.

The thing to remember is that the words are simply an encoding of (in this case) 132 bits of entropy. The entropy is generated first. It is then encoded in to words primarily to make it human readable and easier to back up. You can encode the entropy any way you like - binary, hex, Base58, BIP39 wordlist, any other wordlist, and so on. The entropy doesn't change, only the way it is represented.

It is not encryption, it is simply representing the same data in a different format. But again, the security doesn't change.

In this scenario we are talking about using a custom wordlist to generate a seed phrase. But in general you are right - seed phrases are almost always generated using the fixed BIP39 wordlist, while passphrases are generated using any words, symbols, or strings we want.

Seriously, does it really matter if something takes 10^3*10^12+3 or 10^3*10^33+3 years to bruteforce?
By the way, Electrum creates 132 bits of entrophy, 11 bits of entropy per word (12 words). If you increase the number of words in wordlist, like I offered and o_e_l_e_o demonstrated, the number of bits of entropy per word will increase and the number of words will decrease, like he generated 8 words instead of 12 words but his number of bits of entropy per word increased from traditional number 11 to 18.83.

Just read this line:

So, this is a little trick and that's why opened a topic. People think that 2048 words are not enough and their public availability makes them a victim of hackers. Now, what about all the words that exists in English language? Sounds cool, right? Only some words from half a million words to generate your bitcoin wallet seed phrase. But in reality, if entropy is 132 bits, you will get 8 words instead of 12 words. Instead of increasing number of words, one should increase number of entropies and move from 128 bits to 256 but reality is that simply there is no reason. People are paranoid and are looking for false sense of increased security when there is absolutely zero danger. It's like living in New Zealand and collecting weapons to protect yourself from Dinosaurs attack. There are no dinosaurs, you don't need a weapon.

But is it not possible, that the words in your seed phrase (that you made by using the wordlist of thesaurus) are not included in the seed phrase of BIP39 wordlist. I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or isn't.

I do understand the underlying encoding procedure is same but the words are changed, and what if we remove all the words from BIP39 list and use the remaining ones to create a seed phrase for electrum, it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.

And a question of seed phrase and pass phrase, the phrase you created by giving the wordlist of thesaurus, is it seed phrase or pass phrase? I mean in pass phrase we use our own preferred words. Or I am also missing something here. 

So 12,356,630 "words" gives 23.56 bits per word. 132/23.56 gives 5.6, which means 6 word seed phrases.

The important point to note is that an Electrum seed phrase is not converted back in to the entropy which generated it, or broken down in to bits, at any point. Unlike BIP39 which does require a fixed and known wordlist so it can convert your words back in to bits in order to verify the checksum, Electrum's version system simply hashes your words as they are and uses the first 8 or 12 bits of that hash.

After this, in order to actually start generating private keys, the next step (for both BIP39 and Electrum) is to feed your words as they are in to HMAC-SHA512, alongside salt of the word "mnemonic" (for BIP39) or "electrum" (for Electrum) concatenated with any passphrase. So again, no need for Electrum to convert your words back in to bits. (This is also why you can import BIP39 seed phrases with unknown wordlists in to Electrum. Electrum will warn you it is an unknown wordlist and it cannot verify the checksum since it cannot convert your words back in to bits in order to verify the checksum as I've explained above, but it can still feed those words in to HMAC-SHA512 and generate master keys and subsequent child keys.)

But yes, I'd highly recommend nobody does this. Understanding the principles of what is going on is all good, but you should always stick to the standardized methods.

Doesn't matter for Electrum seed phrases  - Electrum does not need to know the wordlist used. For BIP39, even if every copy of the BIP39 wordlist was lost forever, you could still recover BIP39 seed phrases, you just wouldn't be able to verify the checksum.

Eliminating all the other technical bits about this you then wind up with the issue of what happens when the file changes and words are removed.
https://www.abc4.com/news/9-words-removed-from-the-dictionary/

It's 10 years from now and one of your words was Brabble.
And you go to recover your seed and it just does not work.
Sucks to be you.

Well worked on standards like BIP39 exist for a reason. This just makes a mess of it.


The universe is expected to last much longer then that. As in trillions of years.
Our solar system will be toast in about 10 billion years.

Either way does not matter. Still won't crack it in a lifetime.

-Dave

This is quite interesting indeed. So if your word list gets long enough, you'll need less seed words. That might even make it easier to remember (if only I'd know what those words mean).
So if I create a list of every combination from a to zzzzz, I get a very short seed:
With 12 million "words", Python consumes a few GB memory and takes a while to create a new seed phrase. I expect this to get worse with much longer lists.

Of course, this takes away the "error correction" you'd have by using a dictionary word, so it's not really useful. But I'm amazed Electrum can just restore this seed phrase without the seed words!

Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log₂(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.

Alternatively, you can go the other way and give Electrum a wordlist of two words, say 0 and 1, and it will generate a 132 "word" seed phrase.

You can see where Electrum works it out here: https://github.com/spesmilo/electrum/blob/6dfbdec73e97231c01b1a813ae293083a3dbd1cd/electrum/mnemonic.py#L208. Takes the length of the wordlist and calculates the log in base 2, giving the value bpw, or bits per word.

I think we are disagreeing on semantics here rather than the underlying principles.

Of course you are correct in that you don't want a process which can easily be repeated to achieve identical results. But conversely, I do know exactly why Electrum picked each word in the seed phrase it generates for me - it uses randrange which in turns sources entropy from /dev/urandom. The entropy it receives from /dev/urandom will indeed be a cryptographically secure pseudorandom number, but I also know the processes that my OS uses to seed /dev/urandom.

Yes indeed! I just like to read, learn, and tinker.

"Only"

That's the thing: there's no point for making up your own complicated schemes to create or store your private keys. All you're doing is creating a false sense of additional security, at the risk of making a fatal mistake which results in losing access to your Bitcoins.

Take note that a random number generator uses known mathematical formulas for generating the random number, but the output is unpredictable.
Therefore, it's not that we don't know how electrum generates an entropy. We do know how electrum generates an entropy. The thing we don't know is the output.

If you know how something happens and what logic does it follow, then repeat the same and crack every generated wallet that was following that logic.
You certainly don't know why Electrum chose 1st word, 19th word, 1331th word and so on to generate wallet when you clicked on generate button and you don't know why Electrum chose 49th word, 258th word, 231th... on your next click on generate button. If you knew, then it wouldn't be random or it still would be but such randomness would not be beneficial, we don't want predictable randomness, we want unpredictable one.

---

This is an offtopic question. Are you really a doctor? The Sceptical Chymist said it somewhere I remember and I truly wonder if you are a doctor, how did you manage to be so knowledgeable in programming and physics. You are truly a very educated person and it's really an honor to have you on this forum. I appreciate you!

Radioactive decay is indeed a truly random process. We know from Bell's theorem that radioactive decay is not governed by "local hidden variables". In other words, we know that there are not events or process happening which we cannot measure or don't even know exist which are determining when such atoms decay. The decay of such atoms is indeed truly random, with the likelihood of decay at any given time dictated only by the half life of the isotope in question. The decay of such isotopes follows a Poisson distribution, the same as bitcoin mining.

I would disagree with this. Not knowing how something happens or what logic it follows does not make it random. Rather, the opposite is true. We need to know exactly how it is generating entropy so we can confirm that it is indeed random (or at least, pseudorandom).