Topic: Idea for extremely paranoid people who want to create a bitcoin wallet

legendary
Activity: 2296
Merit: 2721
The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.
[...]
I was in a similar situation back when I created my first wallet (~ 2013), so I can definitely understand someone thinking they are adding an extra layer of security when they swap a word. My rationale at the time was as follows:
The then 12 words were kept in such a way that someone could have found them if necessary. I thought at that time if this already happens the person should at least have a hard time accessing my coins.

In addition, cryptography and probabilities are simply difficult to grasp for many people. The fact that a simple exchange of words does not result in a purely statistical increase in security is probably difficult to understand for people with little technical knowledge.



But you're right, of course: the risk of forgetting one's own algorithm and ending up without coins is much greater than the risk that the original threat scenario (in my case, someone finding the words) occurs at all.
hero member
Activity: 560
Merit: 1060
There are standardized processes for a reason. Just use them.

Simple as that.

Additionally, those methods are ultra safe (if used properly). Custom methods are created to be safer, but they significantly decrease safety! 
legendary
Activity: 2268
Merit: 18711
The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.

Whenever someone comes up with their own system, one of two things happens. They either end up with something which adds absolutely no extra security at all, or they end up locking themselves out of their wallets. A prime example is when people swap words around. They either swap two or three words, which is absolutely trivial to brute force and is not secure at all, or they scramble their entire phrase, forget the order, and can't figure out their backup.

There are standardized processes for a reason. Just use them.
legendary
Activity: 2296
Merit: 2721
As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
[...]
The losses of coins that I hear about in my circle of friends and acquaintances usually have to do with scams, e.g. the YouTube channels with the title "Vitalik is giving away free ETH NOW!!!!" that were quite common until some time ago.
Closely following losses due to scams, however, is not so much the fact that there are no backups, but the fact that the backups are simply wrong, e.g. incorrectly written down mnemonic codes, or private keys that are intentionally changed and "guaranteed to remember the change".

The latter can hardly be prevented - unless you tell someone about the change - but for the former, i.e. simply wrong backups, there is a quite simple solution:

After the setup (e.g. of a hardware wallet) you write down an address and reset the hardware wallet completely ... and then reinitialize it with the backup you wrote down. If the restore works, you can then send the coins to the respective wallet.




The fact that the backups are then often simply stored in a file folder for all to see is, of course, another issue here.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.
That's why you should always test your backups before funding any wallet.
hero member
Activity: 560
Merit: 1060
In fact, BIP39 is designed to be a universal standard for wallet creation. It is not mandatory to use it, but it is convenient.

As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
They worry about a wallet being compromised, but they don't worry about using airgapped devices.

However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.

Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.

legendary
Activity: 2268
Merit: 18711
I guess the Electrum developers don't bother to add extra checking or assume people wouldn't use custom words.
I don't think it is simply that they don't bother to check. Rather it is a deliberate decision.

Under "Motivation" on the link you shared to the Electrum seed versioning system, it explains why the Electrum devs did not want to use a system which depended on a fixed wordlist and could instead be used with any wordlist, and, more importantly, could recover seed phrases without knowing the wordlist used. It uses the same wordlist as BIP39 by default, I assume simply because it is well known and does have a number of advantageous features (such as the first 4 characters of each word being unique, excluding similar words, etc.), but they are quite clear they do not want to depend on any fixed wordlist, and therefore allow users to use their own custom wordlist of any length.
legendary
Activity: 2870
Merit: 7490
Personally I find it surprising that Electrum seems to use all 466K words rather than only the first 2048, and even adjusts the total number of words accordingly. And lastly I wonder whether different versions of Electrum have the same behavior when you supply custom words.
Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

--snip--

That's interesting info. Personally I still find it weird that Electrum is able to use more than 2048 words, since in the past the word list used by Electrum had fewer than 2048 words[1]. I guess the Electrum developers don't bother to add extra checking or assume people wouldn't use custom words.

I do understand the underlying encoding procedure is the same but the words are changed, and what if we remove all the words from the BIP39 list and use the remaining ones to create a seed phrase for Electrum? It will use the same encryption method to create the seed phrase, but it will be safer than before, or am I missing something here?

There's no encryption involved. And FYI, the recovery words/seed/phrase generated by Electrum are based on the Electrum Seed Version System[2], not BIP39[3].

[1] https://github.com/spesmilo/electrum/blob/5883aaf8ca2f79bf694d11ac6b63f5defd2a2c38/client/mnemonic.py#L23-L1650
[2] https://electrum.readthedocs.io/en/latest/seedphrase.html
[3] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
legendary
Activity: 2268
Merit: 18711
I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or doesn't it?
It is neither less secure nor more secure.

The thing to remember is that the words are simply an encoding of (in this case) 132 bits of entropy. The entropy is generated first. It is then encoded into words primarily to make it human readable and easier to back up. You can encode the entropy any way you like - binary, hex, Base58, BIP39 wordlist, any other wordlist, and so on. The entropy doesn't change, only the way it is represented.

It will use the same encryption method to create the seed phrase, but it will be safer than before, or am I missing something here?
It is not encryption, it is simply representing the same data in a different format. But again, the security doesn't change.

And a question about seed phrase and passphrase: the phrase you created by giving the wordlist of a thesaurus, is it a seed phrase or a passphrase? I mean, in a passphrase we use our own preferred words. Or am I also missing something here?
In this scenario we are talking about using a custom wordlist to generate a seed phrase. But in general you are right - seed phrases are almost always generated using the fixed BIP39 wordlist, while passphrases are generated using any words, symbols, or strings we want.
hero member
Activity: 882
Merit: 792
I do understand the underlying encoding procedure is the same but the words are changed, and what if we remove all the words from the BIP39 list and use the remaining ones to create a seed phrase for Electrum? It will use the same encryption method to create the seed phrase, but it will be safer than before, or am I missing something here?
Seriously, does it really matter if something takes 10^3*10^12+3 or 10^3*10^33+3 years to bruteforce?
By the way, Electrum creates 132 bits of entropy, 11 bits of entropy per word (12 words). If you increase the number of words in the wordlist, like I offered and o_e_l_e_o demonstrated, the number of bits of entropy per word will increase and the number of words will decrease, like he generated 8 words instead of 12 words but his number of bits of entropy per word increased from the traditional number 11 to 18.83.

Just read this line:
The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.

So, this is a little trick and that's why I opened a topic. People think that 2048 words are not enough and their public availability makes them a victim of hackers. Now, what about all the words that exist in the English language? Sounds cool, right? Only some words from half a million words to generate your bitcoin wallet seed phrase. But in reality, if entropy is 132 bits, you will get 8 words instead of 12 words. Instead of increasing the number of words, one should increase the amount of entropy and move from 128 bits to 256, but the reality is that there is simply no reason. People are paranoid and are looking for a false sense of increased security when there is absolutely zero danger. It's like living in New Zealand and collecting weapons to protect yourself from a dinosaur attack. There are no dinosaurs, you don't need a weapon.
hero member
Activity: 1386
Merit: 513
However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.
But is it not possible that the words in your seed phrase (that you made by using the wordlist of a thesaurus) are not included in the BIP39 wordlist? I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or doesn't it?

I do understand the underlying encoding procedure is the same but the words are changed, and what if we remove all the words from the BIP39 list and use the remaining ones to create a seed phrase for Electrum? It will use the same encryption method to create the seed phrase, but it will be safer than before, or am I missing something here?

And a question about seed phrase and passphrase: the phrase you created by giving the wordlist of a thesaurus, is it a seed phrase or a passphrase? I mean, in a passphrase we use our own preferred words. Or am I also missing something here?
legendary
Activity: 2268
Merit: 18711
So if I create a list of every combination from a to zzzzz, I get a very short seed:
Code:
julkt jtqbf hhocl qhtic bezsh kvgba
So 12,356,630 "words" gives 23.56 bits per word. 132/23.56 gives 5.6, which means 6 word seed phrases.

But I'm amazed Electrum can just restore this seed phrase without the seed words!
The important point to note is that an Electrum seed phrase is not converted back into the entropy which generated it, or broken down into bits, at any point. Unlike BIP39, which does require a fixed and known wordlist so it can convert your words back into bits in order to verify the checksum, Electrum's version system simply hashes your words as they are and uses the first 8 or 12 bits of that hash.

After this, in order to actually start generating private keys, the next step (for both BIP39 and Electrum) is to feed your words as they are into HMAC-SHA512, alongside a salt of the word "mnemonic" (for BIP39) or "electrum" (for Electrum) concatenated with any passphrase. So again, no need for Electrum to convert your words back into bits. (This is also why you can import BIP39 seed phrases with unknown wordlists into Electrum. Electrum will warn you it is an unknown wordlist and it cannot verify the checksum, since it cannot convert your words back into bits in order to verify the checksum as I've explained above, but it can still feed those words into HMAC-SHA512 and generate master keys and subsequent child keys.)

But yes, I'd highly recommend nobody does this. Understanding the principles of what is going on is all good, but you should always stick to the standardized methods.

It's 10 years from now and one of your words was Brabble.
And you go to recover your seed and it just does not work.
Doesn't matter for Electrum seed phrases - Electrum does not need to know the wordlist used. For BIP39, even if every copy of the BIP39 wordlist was lost forever, you could still recover BIP39 seed phrases; you just wouldn't be able to verify the checksum.
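The two steps described in the post above, as an added example that is not Electrum's own code: the version check that hashes the words themselves, and the key-stretching step (PBKDF2 with HMAC-SHA512) that turns words plus passphrase into the 64-byte root seed, with the "mnemonic" salt prefix for BIP39 and "electrum" for Electrum. The text normalisation is a simplified assumption (Electrum additionally strips accents and spaces between CJK characters), and the phrase used is the one from LoyceV's post.

```python
import hashlib
import hmac
import unicodedata

# Added example, not Electrum's own code. Neither step below looks anything up
# in a wordlist: the words are treated as plain text throughout.

SEED_PREFIXES = {"standard": "01", "segwit": "100"}  # first 8 or 12 bits of the hash
PBKDF2_ROUNDS = 2048


def normalize_text(text: str) -> str:
    """Simplified normalisation (assumption; Electrum also strips accents and
    spaces between CJK characters): NFKD, lowercase, single spaces."""
    return " ".join(unicodedata.normalize("NFKD", text).lower().split())


def seed_version_hash(words: str) -> str:
    """HMAC-SHA512 keyed with 'Seed version' over the normalised words."""
    msg = normalize_text(words).encode("utf-8")
    return hmac.new(b"Seed version", msg, hashlib.sha512).hexdigest()


def electrum_seed_type(words: str):
    """'standard', 'segwit', or None when the hash prefix matches no known type."""
    digest = seed_version_hash(words)
    for name, prefix in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None


def root_seed(words: str, passphrase: str = "", salt_prefix: str = "electrum") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = salt_prefix + passphrase.
    salt_prefix='mnemonic' gives the BIP39 derivation. In both cases the words
    go in as text, so a phrase from an unknown wordlist still yields keys
    (only the checksum, for BIP39, cannot be verified without the list)."""
    password = normalize_text(words).encode("utf-8")
    salt = (salt_prefix + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    # Phrase from LoyceV's post, generated from a non-dictionary wordlist.
    phrase = "julkt jtqbf hhocl qhtic bezsh kvgba"
    print("Electrum seed type:", electrum_seed_type(phrase))
    print("root seed (no passphrase):", root_seed(phrase).hex())
    print("root seed (with passphrase):", root_seed(phrase, "constructed example").hex()[:32], "...")
```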
legendary
Activity: 3500
Merit: 6320
Eliminating all the other technical bits about this, you then wind up with the issue of what happens when the file changes and words are removed.
https://www.abc4.com/news/9-words-removed-from-the-dictionary/

It's 10 years from now and one of your words was Brabble.
And you go to recover your seed and it just does not work.
Sucks to be you.

Well worked on standards like BIP39 exist for a reason. This just makes a mess of it.

As per the theoretical calculation, the time taken to brute force the 24-word recovery seed from the BIP list is longer than the age of our universe, which is expected to be around 14 billion years.

The universe is expected to last much longer than that. As in trillions of years.
Our solar system will be toast in about 10 billion years.

Either way does not matter. Still won't crack it in a lifetime.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.
This is quite interesting indeed. So if your word list gets long enough, you'll need fewer seed words. That might even make it easier to remember (if only I knew what those words mean).
So if I create a list of every combination from a to zzzzz, I get a very short seed:
Code:
julkt jtqbf hhocl qhtic bezsh kvgba
With 12 million "words", Python consumes a few GB memory and takes a while to create a new seed phrase. I expect this to get worse with much longer lists.

Of course, this takes away the "error correction" you'd have by using a dictionary word, so it's not really useful. But I'm amazed Electrum can just restore this seed phrase without the seed words!
legendary
Activity: 2268
Merit: 18711
Personally I find it surprising that Electrum seems to use all 466K words rather than only the first 2048, and even adjusts the total number of words accordingly. And lastly I wonder whether different versions of Electrum have the same behavior when you supply custom words.
Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.

Alternatively, you can go the other way and give Electrum a wordlist of two words, say 0 and 1, and it will generate a 132 "word" seed phrase.

You can see where Electrum works it out here: https://github.com/spesmilo/electrum/blob/6dfbdec73e97231c01b1a813ae293083a3dbd1cd/electrum/mnemonic.py#L208. It takes the length of the wordlist and calculates the log in base 2, giving the value bpw, or bits per word.
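The bits-per-word arithmetic above, together with the base-n encoding that turns a fixed amount of entropy into words (the point made earlier in the thread that the words are only a representation of the same entropy), as an added example that is not Electrum's own code. It uses LoyceV's list of every string from a to zzzzz, but computes the index-to-word mapping arithmetically instead of building the 12-million-entry list in memory; the assumed ordering is a..z, then aa..zz, and so on.

```python
import math
import secrets
import string

# Added example, not Electrum's own code: the bits-per-word arithmetic from the
# thread, plus the base-n encoding that mnemonic.py uses to turn an integer of
# entropy into words (least significant "digit" first).


def bits_per_word(wordlist_size: int) -> float:
    """log2 of the wordlist length: entropy bits one word can carry."""
    return math.log2(wordlist_size)


def words_needed(num_bits: int, wordlist_size: int) -> int:
    """Whole words required to carry num_bits of entropy."""
    return math.ceil(num_bits / bits_per_word(wordlist_size))


# LoyceV's list of every string from "a" to "zzzzz" has 12,356,630 entries.
# Rather than build it in memory, map index <-> word arithmetically
# (assumed ordering: a..z, aa..zz, aaa..zzz, ...).
ALPHABET = string.ascii_lowercase
MAX_LEN = 5
LIST_SIZE = sum(26 ** n for n in range(1, MAX_LEN + 1))  # 12,356,630


def index_to_word(i: int) -> str:
    """i-th entry of the ordered list a, b, ..., z, aa, ab, ..., zzzzz."""
    assert 0 <= i < LIST_SIZE
    length = 1
    while i >= 26 ** length:          # skip the blocks of shorter words
        i -= 26 ** length
        length += 1
    chars = []
    for _ in range(length):
        i, r = divmod(i, 26)
        chars.append(ALPHABET[r])
    return "".join(reversed(chars))


def word_to_index(word: str) -> int:
    """Inverse of index_to_word."""
    offset = sum(26 ** n for n in range(1, len(word)))
    value = 0
    for ch in word:
        value = value * 26 + ALPHABET.index(ch)
    return offset + value


def encode(entropy: int) -> str:
    """Write the entropy integer in base LIST_SIZE, one word per digit."""
    words = []
    while entropy:
        entropy, digit = divmod(entropy, LIST_SIZE)
        words.append(index_to_word(digit))
    return " ".join(words)


def decode(phrase: str) -> int:
    """Recover the same integer: the list changes the spelling, not the entropy."""
    value = 0
    for word in reversed(phrase.split()):
        value = value * LIST_SIZE + word_to_index(word)
    return value


if __name__ == "__main__":
    for size in (2, 2048, 466_000, 474_861, LIST_SIZE):
        print(f"{size:>10} words -> {bits_per_word(size):6.2f} bits/word,"
              f" {words_needed(132, size):3d} words for 132 bits")
    entropy = secrets.randbits(132)      # fresh 132-bit entropy
    phrase = encode(entropy)
    print(phrase, decode(phrase) == entropy)
```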
legendary
Activity: 2268
Merit: 18711
If you know how something happens and what logic it follows, then repeat the same and crack every generated wallet that was following that logic.
I think we are disagreeing on semantics here rather than the underlying principles.

Of course you are correct in that you don't want a process which can easily be repeated to achieve identical results. But conversely, I do know exactly why Electrum picked each word in the seed phrase it generates for me - it uses randrange, which in turn sources entropy from /dev/urandom. The entropy it receives from /dev/urandom will indeed be a cryptographically secure pseudorandom number, but I also know the processes that my OS uses to seed /dev/urandom.

This is an offtopic question. Are you really a doctor? The Sceptical Chymist said it somewhere, I remember, and I truly wonder, if you are a doctor, how did you manage to be so knowledgeable in programming and physics.
Yes indeed! I just like to read, learn, and tinker.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
FWIW even if you change all the algorithms used to create the mnemonic to work with much bigger entropy (e.g. 2048 bits) using the much bigger word list; in the end, when you derive private keys from that entropy, those keys are still going to provide you with only 128 bits of security
"Only"

That's the thing: there's no point for making up your own complicated schemes to create or store your private keys. All you're doing is creating a false sense of additional security, at the risk of making a fatal mistake which results in losing access to your Bitcoins.
legendary
Activity: 2380
Merit: 5213
If you know how something happens and what logic does it follow, then repeat the same and crack every generated wallet that was following that logic.
Take note that a random number generator uses known mathematical formulas for generating the random number, but the output is unpredictable.
Therefore, it's not that we don't know how Electrum generates entropy. We do know how Electrum generates entropy. The thing we don't know is the output.
hero member
Activity: 882
Merit: 792
Overall, in our real, simple life, I would say that if we can generate a combination of seed phrase words from a wordlist and we don't know how that happened or happens, and we can't calculate how it chooses words or what logic it follows, then we can call it random.
I would disagree with this. Not knowing how something happens or what logic it follows does not make it random. Rather, the opposite is true. We need to know exactly how it is generating entropy so we can confirm that it is indeed random (or at least, pseudorandom).
If you know how something happens and what logic it follows, then repeat the same and crack every generated wallet that was following that logic.
You certainly don't know why Electrum chose the 1st word, 19th word, 1331st word and so on to generate the wallet when you clicked on the generate button, and you don't know why Electrum chose the 49th word, 258th word, 231st... on your next click on the generate button. If you knew, then it wouldn't be random, or it still would be but such randomness would not be beneficial; we don't want predictable randomness, we want unpredictable randomness.


This is an offtopic question. Are you really a doctor? The Sceptical Chymist said it somewhere, I remember, and I truly wonder, if you are a doctor, how did you manage to be so knowledgeable in programming and physics. You are truly a very educated person and it's really an honor to have you on this forum. I appreciate you!
legendary
Activity: 2268
Merit: 18711
Also, this quote from Radioactive decay wiki page sounds interesting
Radioactive decay is indeed a truly random process. We know from Bell's theorem that radioactive decay is not governed by "local hidden variables". In other words, we know that there are no events or processes happening which we cannot measure or don't even know exist which are determining when such atoms decay. The decay of such atoms is indeed truly random, with the likelihood of decay at any given time dictated only by the half-life of the isotope in question. The decay of such isotopes follows a Poisson distribution, the same as bitcoin mining.

Overall, in our real, simple life, I would say that if we can generate a combination of seed phrase words from a wordlist and we don't know how that happened or happens, and we can't calculate how it chooses words or what logic it follows, then we can call it random.
I would disagree with this. Not knowing how something happens or what logic it follows does not make it random. Rather, the opposite is true. We need to know exactly how it is generating entropy so we can confirm that it is indeed random (or at least, pseudorandom).