
Topic: Idea for extremely paranoid people who want to create a bitcoin wallet (Read 422 times)

legendary
Activity: 2296
Merit: 2721
The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.
[...]
I was in a similar situation back when I created my first wallet (~ 2013), so can definitely understand someone thinking they are adding an extra layer of security when you swap a word. My rationale at the time was as follows:
The then 12 words were kept in such a way that someone could have found them if necessary. I thought at that time if this already happens the person should at least have a hard time accessing my coins.

In addition, cryptography and probabilities are simply difficult to grasp for many people. The fact that a simple exchange of words does not result in a purely statistical increase in security is probably difficult to understand for people with little technical knowledge.



But you're right, of course: The risk of forgetting one's own algorithm and ending up without coins is much greater than that the original threat scenario (in my case, finding the words) occurs at all.
hero member
Activity: 560
Merit: 1060
There are standardized processes for a reason. Just use them.

Simple as that.

Additionally, those methods are ultra safe (if used properly). Custom methods are created to be safer, but they significantly decrease safety! 
legendary
Activity: 2268
Merit: 18711
The latter can hardly be prevented
The easiest way to prevent such losses is just not to use such a technique in the first place.

Whenever someone comes up with their own system, one of two things happen. They either end up with something which adds absolutely no extra security at all, or they end up locking themselves out of their wallets. A prime example is when people swap words around. They either swap two or three words which is absolutely trivial to brute force and is not secure at all, or they scramble their entire phrase, forget the order, and can't figure out their back up.

There are standardized processes for a reason. Just use them.
legendary
Activity: 2296
Merit: 2721
As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
[...]
The losses of coins that I get told in my circle of friends and acquaintances usually have to do with scams, e.g. the Youtube channels with the title "Vitalik is giving away free ETH NOW!!!!" that were quite common until some time ago.
Closely followed by losses due to scams, however, is not so much the fact that there are no backups, but the fact that the backups are simply wrong, e.g. incorrectly written down mnemonic codes or private keys that are intentionally changed and "guaranteed to remember the change".

The latter can hardly be prevented - unless you tell someone about the change - but for the former, i.e. simply wrong backups, there is a quite simple solution:

After the setup (e.g. of a hardware wallet) you write down an address and reset the hardware wallet completely ... and then reinitialize it with the backup you wrote down. If the restore works, you can then send the coins to the respective wallet.




The fact that the backups are then often simply stored in a file folder for all to see is, of course, another issue here.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.
That's why you should always test your backups before funding any wallet.
hero member
Activity: 560
Merit: 1060
In fact BIP39 is designed to be a universal standard for wallet creation. It is not mandatory to use it, but it is convenient.

As you said OP, people worry about the wrong things.
They worry about being brute-forced, but they don't worry about losing their backup and they keep only one backup.
They worry about a wallet being compromised, but they don't worry about using airgapped devices.

However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.

Additionally, following BIP-39 is better than following a non-standard approach. Most of the time, people who try to implement something unique and non-standard end up losing money.

legendary
Activity: 2268
Merit: 18711
I guess Electrum developer doesn't bother add extra checking or assume people wouldn't use custom words.
I don't think it is simply that they don't bother to check. Rather it is a deliberate decision.

Under "Motivation" on the link you shared to the Electrum seed versioning system, it explains why the Electrum devs did not want to use a system which depended on a fixed wordlist and could instead be used with any wordlist, and more importantly could recover seed phrases without knowing the wordlist used. It uses the same wordlist as BIP39 as default I assume simply because it is well known and does have a number of advantageous features (such as each word having the first 4 characters be unique, excluding similar words, etc.), but they are quite clear they do not want to depend on any fixed wordlist, and therefore allow users to use their own custom wordlist of any length.
legendary
Activity: 2870
Merit: 7490
Personally I find it's surprising Electrum seems to use all 466K words rather than only first 2048 and even adjust total words accordingly. And lastly I wonder whether different version of Electrum have same behavior when you supply custom words.
Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

--snip--

That's interesting info. Personally I still find it's weird Electrum able to use more than 2048 words since in past word list used by Electrum use less than 2048 words[1]. I guess Electrum developer doesn't bother add extra checking or assume people wouldn't use custom words.

I do understand the underlying encoding procedure is same but the words are changed, and what if we remove all the words from BIP39 list and use the remaining ones to create a seed phrase for electrum, it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.

There's no encryption involved. And FYI, recovery words/seed/phrase generated by Electrum is based on Electrum Seed Version System[3], not BIP39[2].

[1] https://github.com/spesmilo/electrum/blob/5883aaf8ca2f79bf694d11ac6b63f5defd2a2c38/client/mnemonic.py#L23-L1650
[2] https://electrum.readthedocs.io/en/latest/seedphrase.html
[3] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki
legendary
Activity: 2268
Merit: 18711
I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or isn't.
It is neither less secure nor more secure.

The thing to remember is that the words are simply an encoding of (in this case) 132 bits of entropy. The entropy is generated first. It is then encoded in to words primarily to make it human readable and easier to back up. You can encode the entropy any way you like - binary, hex, Base58, BIP39 wordlist, any other wordlist, and so on. The entropy doesn't change, only the way it is represented.

it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.
It is not encryption, it is simply representing the same data in a different format. But again, the security doesn't change.

And a question of seed phrase and pass phrase, the phrase you created by giving the wordlist of thesaurus, is it seed phrase or pass phrase? I mean in pass phrase we use our own preferred words. Or I am also missing something here.  Grin
In this scenario we are talking about using a custom wordlist to generate a seed phrase. But in general you are right - seed phrases are almost always generated using the fixed BIP39 wordlist, while passphrases are generated using any words, symbols, or strings we want.
hero member
Activity: 882
Merit: 792
I do understand the underlying encoding procedure is same but the words are changed, and what if we remove all the words from BIP39 list and use the remaining ones to create a seed phrase for electrum, it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.
Seriously, does it really matter if something takes 10^3*10^12+3 or 10^3*10^33+3 years to bruteforce?
By the way, Electrum creates 132 bits of entropy, 11 bits of entropy per word (12 words). If you increase the number of words in wordlist, like I offered and o_e_l_e_o demonstrated, the number of bits of entropy per word will increase and the number of words will decrease, like he generated 8 words instead of 12 words but his number of bits of entropy per word increased from traditional number 11 to 18.83.

Just read this line:
The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.

So, this is a little trick and that's why I opened a topic. People think that 2048 words are not enough and their public availability makes them a victim of hackers. Now, what about all the words that exists in English language? Sounds cool, right? Only some words from half a million words to generate your bitcoin wallet seed phrase. But in reality, if entropy is 132 bits, you will get 8 words instead of 12 words. Instead of increasing number of words, one should increase number of entropies and move from 128 bits to 256 but reality is that simply there is no reason. People are paranoid and are looking for false sense of increased security when there is absolutely zero danger. It's like living in New Zealand and collecting weapons to protect yourself from Dinosaurs attack. There are no dinosaurs, you don't need a weapon.
hero member
Activity: 1386
Merit: 513
However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.
But is it not possible, that the words in your seed phrase (that you made by using the wordlist of thesaurus) are not included in the seed phrase of BIP39 wordlist. I mean, if the words are not included in the BIP39 wordlist, it makes it more secure. Or isn't.

I do understand the underlying encoding procedure is same but the words are changed, and what if we remove all the words from BIP39 list and use the remaining ones to create a seed phrase for electrum, it will use the same encryption method to create the seed phrase but it will be more safer than before, or I am missing something here.

And a question of seed phrase and pass phrase, the phrase you created by giving the wordlist of thesaurus, is it seed phrase or pass phrase? I mean in pass phrase we use our own preferred words. Or I am also missing something here.  Grin
legendary
Activity: 2268
Merit: 18711
So if I create a list of every combination from a to zzzzz, I get a very short seed:
Code:
julkt jtqbf hhocl qhtic bezsh kvgba
So 12,356,630 "words" gives 23.56 bits per word. 132/23.56 gives 5.6, which means 6 word seed phrases.

But I'm amazed Electrum can just restore this seed phrase without the seed words!
The important point to note is that an Electrum seed phrase is not converted back in to the entropy which generated it, or broken down in to bits, at any point. Unlike BIP39 which does require a fixed and known wordlist so it can convert your words back in to bits in order to verify the checksum, Electrum's version system simply hashes your words as they are and uses the first 8 or 12 bits of that hash.

After this, in order to actually start generating private keys, the next step (for both BIP39 and Electrum) is to feed your words as they are in to HMAC-SHA512, alongside salt of the word "mnemonic" (for BIP39) or "electrum" (for Electrum) concatenated with any passphrase. So again, no need for Electrum to convert your words back in to bits. (This is also why you can import BIP39 seed phrases with unknown wordlists in to Electrum. Electrum will warn you it is an unknown wordlist and it cannot verify the checksum since it cannot convert your words back in to bits in order to verify the checksum as I've explained above, but it can still feed those words in to HMAC-SHA512 and generate master keys and subsequent child keys.)

But yes, I'd highly recommend nobody does this. Understanding the principles of what is going on is all good, but you should always stick to the standardized methods.

It's 10 years from now and one of your words was Brabble.
And you go to recover your seed and it just does not work.
Doesn't matter for Electrum seed phrases  - Electrum does not need to know the wordlist used. For BIP39, even if every copy of the BIP39 wordlist was lost forever, you could still recover BIP39 seed phrases, you just wouldn't be able to verify the checksum.
legendary
Activity: 3500
Merit: 6320
Eliminating all the other technical bits about this you then wind up with the issue of what happens when the file changes and words are removed.
https://www.abc4.com/news/9-words-removed-from-the-dictionary/

It's 10 years from now and one of your words was Brabble.
And you go to recover your seed and it just does not work.
Sucks to be you.

Well worked on standards like BIP39 exist for a reason. This just makes a mess of it.

As per the theoretical calculation time taken to brute force the 24-word recovery seed from the BIP list is longer than the age of our universe which is expected to be around 14 billion years.

The universe is expected to last much longer than that. As in trillions of years.
Our solar system will be toast in about 10 billion years.

Either way does not matter. Still won't crack it in a lifetime.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.
This is quite interesting indeed. So if your word list gets long enough, you'll need less seed words. That might even make it easier to remember (if only I'd know what those words mean).
So if I create a list of every combination from a to zzzzz, I get a very short seed:
Code:
julkt jtqbf hhocl qhtic bezsh kvgba
With 12 million "words", Python consumes a few GB memory and takes a while to create a new seed phrase. I expect this to get worse with much longer lists.

Of course, this takes away the "error correction" you'd have by using a dictionary word, so it's not really useful. But I'm amazed Electrum can just restore this seed phrase without the seed words!
legendary
Activity: 2268
Merit: 18711
Personally I find it's surprising Electrum seems to use all 466K words rather than only first 2048 and even adjust total words accordingly. And lastly I wonder whether different version of Electrum have same behavior when you supply custom words.
Certainly it's been possible at least since Electrum moved away from using their own wordlist and moved to mirroring the BIP39 wordlist.

The math is quite interesting, if you want to work it out. Given a word list of 466k, then each word can encode log2(466,000) = 18.83 bits of entropy. For a 132 bit seed phrase, this needs 132/18.83 = 7.01 words, which has to be rounded up to 8. If you used a wordlist of 474,861 words, then you could generate a 7 word seed phrase for 132 bits.

Alternatively, you can go the other way and give Electrum a wordlist of two words, say 0 and 1, and it will generate a 132 "word" seed phrase. Tongue

You can see where Electrum works it out here: https://github.com/spesmilo/electrum/blob/6dfbdec73e97231c01b1a813ae293083a3dbd1cd/electrum/mnemonic.py#L208. Takes the length of the wordlist and calculates the log in base 2, giving the value bpw, or bits per word.
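The bits-per-word arithmetic in this post, together with the version check and key stretching described elsewhere in the thread, as an added example (not Electrum's code and not part of any post). The wordlists are constructed placeholders, the normalisation is simplified compared with Electrum's, and the stretching step is written as PBKDF2 over HMAC-SHA512 with 2048 iterations, which is what BIP39 specifies.

```python
import hashlib
import hmac
import math
import secrets
import unicodedata

# Constructed wordlists (assumptions for illustration, not real dictionaries).
BINARY = ["0", "1"]
W2048 = [f"w{i:04d}" for i in range(2048)]
W50K = [f"x{i}" for i in range(50000)]

def words_needed(entropy_bits, wordlist_size):
    """Each word carries log2(size) bits, so round the quotient up."""
    return math.ceil(entropy_bits / math.log2(wordlist_size))

def encode(value, wordlist):
    """Write an integer in base len(wordlist), one word per digit."""
    n, words = len(wordlist), []
    while value:
        value, digit = divmod(value, n)
        words.append(wordlist[digit])
    return words

def decode(words, wordlist):
    """Inverse of encode(); this is the only step that needs the wordlist."""
    index = {w: i for i, w in enumerate(wordlist)}
    value = 0
    for w in reversed(words):
        value = value * len(wordlist) + index[w]
    return value

def normalize(phrase):
    # Simplified: Electrum's own normalisation also strips accents and
    # handles CJK spacing.
    return " ".join(unicodedata.normalize("NFKD", phrase).lower().split())

# Hex prefixes of the version hash: 8 bits for standard, 12 bits for segwit.
SEED_PREFIXES = {"standard": "01", "segwit": "100"}

def seed_type(phrase):
    """Hash the words as text; no wordlist lookup is involved."""
    digest = hmac.new(b"Seed version", normalize(phrase).encode(),
                      hashlib.sha512).hexdigest()
    for name, prefix in SEED_PREFIXES.items():
        if digest.startswith(prefix):
            return name
    return None

def generate(wordlist, entropy_bits=132, want="segwit", entropy=None):
    """Draw entropy first, then bump a nonce until the version hash matches."""
    if entropy is None:
        entropy = secrets.randbits(entropy_bits)
    nonce = 0
    while True:
        phrase = " ".join(encode(entropy + nonce, wordlist))
        if seed_type(phrase) == want:
            return phrase
        nonce += 1

def stretch(phrase, scheme, passphrase=""):
    """Words go in as text; the salt prefix is the only scheme difference."""
    salt = {"bip39": "mnemonic", "electrum": "electrum"}[scheme] + passphrase
    text = unicodedata.normalize("NFKD", phrase)
    return hashlib.pbkdf2_hmac("sha512", text.encode(), salt.encode(), 2048)

if __name__ == "__main__":
    for size in (2, 2048, 466000, 12356630):
        print(f"{size:>10} words in list -> {words_needed(132, size)} words per seed")
    # One fixed 132-bit value, three representations, same entropy.
    value = secrets.randbits(132)
    for name, wl in (("binary", BINARY), ("2048", W2048), ("50k", W50K)):
        words = encode(value, wl)
        assert decode(words, wl) == value
        print(name, len(words), "words")
    phrase = generate(W2048)
    print(seed_type(phrase), stretch(phrase, "electrum").hex()[:16])
```

The word counts change with the list size while `decode(encode(x))` returns the same integer every time, which is the point made in the thread: the list changes the representation, not the entropy.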
legendary
Activity: 2268
Merit: 18711
If you know how something happens and what logic does it follow, then repeat the same and crack every generated wallet that was following that logic.
I think we are disagreeing on semantics here rather than the underlying principles.

Of course you are correct in that you don't want a process which can easily be repeated to achieve identical results. But conversely, I do know exactly why Electrum picked each word in the seed phrase it generates for me - it uses randrange which in turns sources entropy from /dev/urandom. The entropy it receives from /dev/urandom will indeed be a cryptographically secure pseudorandom number, but I also know the processes that my OS uses to seed /dev/urandom.

This is an offtopic question. Are you really a doctor? The Sceptical Chymist said it somewhere I remember and I truly wonder if you are a doctor, how did you manage to be so knowledgeable in programming and physics.
Yes indeed! I just like to read, learn, and tinker.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
FWIW even if you change all the algorithms used to create the mnemonic to work with a much bigger entropy (eg. 2048 bit) with using the much bigger word list; in the end when you derive private keys from that entropy, those keys are still going to provide you with only 128-bits of security Tongue
"Only" Cheesy

That's the thing: there's no point for making up your own complicated schemes to create or store your private keys. All you're doing is creating a false sense of additional security, at the risk of making a fatal mistake which results in losing access to your Bitcoins.
legendary
Activity: 2380
Merit: 5213
If you know how something happens and what logic does it follow, then repeat the same and crack every generated wallet that was following that logic.
Take note that a random number generator uses known mathematical formulas for generating the random number, but the output is unpredictable.
Therefore, it's not that we don't know how electrum generates an entropy. We do know how electrum generates an entropy. The thing we don't know is the output.
hero member
Activity: 882
Merit: 792
Overall, in our real, simple life, I would say that if we can generate combination of word seed phrases from a wordlist and we don't know how that happened or happens and we can't calculate how it chooses words, what logic it does follow, then we can call it random.
I would disagree with this. Not knowing how something happens or what logic it follows does not make it random. Rather, the opposite is true. We need to know exactly how it is generating entropy so we can confirm that it is indeed random (or at least, pseudorandom).
If you know how something happens and what logic does it follow, then repeat the same and crack every generated wallet that was following that logic.
You certainly don't know why Electrum chose 1st word, 19th word, 1331th word and so on to generate wallet when you clicked on generate button and you don't know why Electrum chose 49th word, 258th word, 231th... on your next click on generate button. If you knew, then it wouldn't be random or it still would be but such randomness would not be beneficial, we don't want predictable randomness, we want unpredictable one.


This is an offtopic question. Are you really a doctor? The Sceptical Chymist said it somewhere I remember and I truly wonder if you are a doctor, how did you manage to be so knowledgeable in programming and physics. You are truly a very educated person and it's really an honor to have you on this forum. I appreciate you!
legendary
Activity: 2268
Merit: 18711
Also, this quote from Radioactive decay wiki page sounds interesting
Radioactive decay is indeed a truly random process. We know from Bell's theorem that radioactive decay is not governed by "local hidden variables". In other words, we know that there are not events or process happening which we cannot measure or don't even know exist which are determining when such atoms decay. The decay of such atoms is indeed truly random, with the likelihood of decay at any given time dictated only by the half life of the isotope in question. The decay of such isotopes follows a Poisson distribution, the same as bitcoin mining.

Overall, in our real, simple life, I would say that if we can generate combination of word seed phrases from a wordlist and we don't know how that happened or happens and we can't calculate how it chooses words, what logic it does follow, then we can call it random.
I would disagree with this. Not knowing how something happens or what logic it follows does not make it random. Rather, the opposite is true. We need to know exactly how it is generating entropy so we can confirm that it is indeed random (or at least, pseudorandom).
hero member
Activity: 882
Merit: 792
I think the most important point is what "random" means?
That's a question, what is random? I suggest you to check this post: https://bitcointalksearch.org/topic/m.60219656
Also, this quote from Radioactive decay wiki page sounds interesting:
Some people think that the human brain is good at randomness, or for example, as long as the seed is long, I am safe.
Those people don't know math and probably still believe in fairy tales. Human brain follows some logic, even if that logic sounds illogical for us Cheesy So, human brain likes to follow certain path and when human thinks to generate a random word seed phrase, he or she always follows certain logic. For example, from 2048 wordlist, one human may say that let's take 7th word as a first word, then let's 2048th word, then 2047th word, then 1st word, then middle word. You see, there is a logic here and it's not random, it can't be random because human has to think to create something, human thinks how to create it, human is not a machine that can generate something without thinking about it, that's just impossible.
legendary
Activity: 3472
Merit: 10611
FWIW even if you change all the algorithms used to create the mnemonic to work with a much bigger entropy (eg. 2048 bit) with using the much bigger word list; in the end when you derive private keys from that entropy, those keys are still going to provide you with only 128-bits of security Tongue
legendary
Activity: 2380
Merit: 5213
I considered a system that can do 1 billion combinations per second then the time taken to brute force 24 word seed would be 2.76 million trillion years.
For a 24 word seed phrase, the total number of combinations would be 2.96 x 10^79 and assuming we have a computer that can check 1 billion combinations per seconds, it takes 9.40 x 10^62 years to check all the combinations.
If the seed phrase is BIP39, the number of possible combinations would be 1.16 x 10^77 and it takes 3.67 x 10^60 years to check all those combinations.

There are errors in the calculations done by ChatGPT.

2048^24 isn't equal to 8.71 x 10^77
8.71 x 10^68 seconds isn't equal to 2.76 x 10^60 years.
2.76 x 10^60 years isn't 2.76 million trillion years.
hero member
Activity: 2366
Merit: 793
Bitcoin = Financial freedom
As per the theoretical calculation time taken to brute force the 24-word recovery seed from the BIP list is longer than the age of our universe which is expected to be around 14 billion years.

I considered a system that can do 1 billion combinations per second then the time taken to brute force 24 word seed would be 2.76 million trillion years.

Calculations from ChatGPT
My "solution" is to tell them to try "hacking" someone else's wallet.

why isn't it not possible original meme

Warning!, skip the video at 0.05. Cheesy
legendary
Activity: 2688
Merit: 3983
If you random generate 12 words seed phrase bitcoin address from BIP39 list, your wallet will never be hacked because it will take so much time that you, your bitcoins and probably universe won't exist by that time.

I think the most important point is what "random" means? Some people think that the human brain is good at randomness, or for example, as long as the seed is long, I am safe. No one can guess a seed that is 12 words long, so I will generate it myself, but they are wrong. Randomness means a strong random number that represents a 128 bit key at least, that If the randomness is 32bit key, you are not safe, and so on. In short, if you do not understand how entropy works, then trying to rely on the human brain will cause you to lose your money. Use a good, open source wallet, and you can verify that the entropy is at least 128 bits long, then you are safe.

You can verify electrum code entropy from here ---> https://github.com/spesmilo/electrum/blob/3.3.8/electrum/mnemonic.py#L163
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
But you have probably seen this more often than me that people are afraid they will lose their coins because someone bruteforces their wallet and the public availability of wordlist will make that process fast and smooth and so on. I know it's not true and I know that in both cases, entropy is the same. But if anyone has OCD and wants a relief, I found thesaurus as a solution Cheesy They will have no more fear.
My "solution" is to tell them to try "hacking" someone else's wallet. Give it your best shot, enter as many of those words into new wallets as your keyboard can handle! Or use software for it, "hack" billions upon billions of seed phrases! The same with private keys: run vanitygen on the rich list for as long as you want. By doing so, maybe you'll convince yourself how secure Bitcoin really is.
hero member
Activity: 882
Merit: 792
However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.
That's what I am saying, however, people can't understand that there is absolutely no difference in real world whether you use 2048 public wordlist or all the words that exist in English language. But you have probably seen this more often than me that people are afraid they will lose their coins because someone bruteforces their wallet and the public availability of wordlist will make that process fast and smooth and so on. I know it's not true and I know that in both cases, entropy is the same. But if anyone has OCD and wants a relief, I found thesaurus as a solution Cheesy They will have no more fear.
legendary
Activity: 2268
Merit: 18711
Since Electrum is an open-source and uses wordlist, I think it might be possible to generate a bitcoin randomly from your own wordlist.
It's easily done. Just navigate to your Electrum installation folder, and go to \electrum\wordlist. First back up "english.txt", and then edit the original with your own wordlist. Job done.

I just pulled the wordlist from here and gave it a shot: https://github.com/dwyl/english-words. It has 466k words, and it worked just fine. I generated the following seed phrase:

Code:
bacillogenous vowely Lafite nonsalably countermutiny untranquilness twice-jailed outrooting

Thanks to how Electrum works, you don't need to know my wordlist to recover that above seed phrase. You can import it in to any copy of Electrum just fine and recover the same wallet, which will give you the following address first:

Code:
bc1qkxsvxe4kl0ehz7ymy77ahy8jd4037ghvyzcwrc

However, doing this completely misses the point. The above seed phrase has exactly the same entropy as a seed phrase using the default wordlist - 132 bits. Increasing the size of the wordlist does not change the underlying entropy used to generate the seed phrase.
hero member
Activity: 882
Merit: 792
Thesaurus.com is a public website that provides people with over 550,000 synonyms in English language. There are 2048 words in BIP39 wordlist, that is used to create normal bitcoin wallets. While I have to say that there is absolutely no way someone can hack your wallet that was randomly created from BIP39 wordlist and contains 12 seeds, still, there are super paranoid people who even think that  24 words seed phrase can be hacked because it uses publicly available BIP39 wordlist. So, there are people who don't know math, don't want to learn and are stubborn.

So, I came up with an idea for these people. Let's scrape thesaurus.com and download its wordlist database. Since Electrum is an open-source and uses wordlist, I think it might be possible to generate a bitcoin randomly from your own wordlist. Let's put thesaurus 550,000 wordlist into your electrum and randomly generate 24 words seed phrase. I don't know if your computer crashes but I think you will feel relief.


Maybe my post feel like sarcasm but my message is, please, relax!
If you random generate 12 words seed phrase bitcoin address from BIP39 list, your wallet will never be hacked because it will take so much time that you, your bitcoins and probably universe won't exist by that time.
If you random generate 24 words seed phrase bitcoin address from BIP39 list, even if you reveal all of your words in unordered way, still, no one will be able to hack it. Do you understand what I am saying? Even if you reveal all of your seed phrases in an unordered way (It doesn't apply to 12 words seed), your wallet still won't be hacked till this universe exist.

So, please, just chill and relax, don't generate wordlist yourself, there is absolutely no necessity and you may do more harm than good. There is absolutely no case where someone's randomly generated wallet got hacked. In absolutely every case where bitcoins were lost, either the person didn't take security seriously and was infected with malware or just lost his/her keys, that's all.