Topic: [INFO - DISCUSSION] Mnemonic Code Words (BIP39) (Read 135 times)

legendary
Activity: 2268
Merit: 18509
September 11, 2023, 10:26:44 AM
#7
Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower?
It's certainly slower, but it definitely isn't slow and it definitely isn't considerably slower either. PBKDF2 is already pretty weak, and 2048 rounds is nothing. This is why tools like btcrecover can still check tens of thousands of possible seed phrase combinations a second (even once you exclude those with an invalid checksum).

If you wanted actual protection against brute-force attacks, then you would need to up the iteration count to the millions or switch to an algorithm which is actually computationally expensive. BIP39 survives without these things due to the initial entropy being at least 2^128, not because it is difficult to attack.
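To make the two steps discussed in this post concrete, here is an added worked example (not code from the thread or from BIP39 itself): it builds the checksummed 11-bit word indices from raw entropy and runs the mnemonic-to-seed PBKDF2 step, checked against the well-known all-zero-entropy test vector. The full 2048-word English list is not embedded; the example assumes only that "abandon" is index 0 and "about" is index 3, and the constructed timing helper simply shows how cheap 2048 rounds are on one core.

```python
import hashlib
import time
import unicodedata


def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP39 step 1: append the first ENT/32 bits of SHA256(entropy) as a
    checksum, then split the result into 11-bit word-list indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # 4 bits for 128-bit entropy
    checksum = hashlib.sha256(entropy).digest()
    # cs_bits is at most 8, so the checksum always fits in the first byte
    bits = (int.from_bytes(entropy, "big") << cs_bits) | (checksum[0] >> (8 - cs_bits))
    total = ent_bits + cs_bits                    # 132 bits -> 12 words
    return [(bits >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 step 2: PBKDF2-HMAC-SHA512, 2048 rounds, salt = "mnemonic" + passphrase,
    both NFKD-normalised, producing a 512-bit seed."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def derivations_per_second(samples: int = 20) -> float:
    """Constructed helper: rough single-core rate of the seed derivation, to put
    the '2048 rounds' figure from the discussion in perspective."""
    phrase = "abandon " * 11 + "about"
    t0 = time.perf_counter()
    for _ in range(samples):
        mnemonic_to_seed(phrase)
    return samples / (time.perf_counter() - t0)


if __name__ == "__main__":
    # All-zero 128-bit entropy (BIP39 test vector): eleven times index 0, then
    # the checksum nibble 0x3 selects word index 3 ("about").
    print(entropy_to_indices(bytes(16)))
    print(mnemonic_to_seed("abandon " * 11 + "about", "TREZOR").hex())
    print(f"~{derivations_per_second():.0f} seed derivations/s on one core")
```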
legendary
Activity: 2856
Merit: 7410
Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower?

While it makes brute-force slower, BIP 39 only states "The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function."[1].

I don't know much about SHA-512 compared to SHA-256 in terms of computational complexity and expense, though.

Theoretically SHA-512 is computationally more complex. Although depending on the hardware and OS, SHA-512 might run faster[1-2].

[1] https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki#from-mnemonic-to-seed
[2] https://crypto.stackexchange.com/a/26340
[3] https://crypto.stackexchange.com/a/52646
hero member
Activity: 714
Merit: 1010
Aren't the 2048 rounds of HMAC-SHA-512 as PBKDF2 there to also make the derivation from the initial seed computationally expensive so that brute-forcing is rendered considerably slower? I don't know much about SHA-512 compared to SHA-256 in terms of computational complexity and expense, though.
legendary
Activity: 3430
Merit: 10505
In the slide before last it is misleading to call PBKDF2 a "key stretching" function because, although that is how PBKDF2 is categorized, key stretching algorithms are used to make a weak key more secure against brute force attacks.
In the case of BIP39, the key (i.e. the initial entropy) is not weak at all and it doesn't need to be secured. In other words, PBKDF2 in this context is only used as a key derivation function, not a key stretching function.
legendary
Activity: 3122
Merit: 7618
@BlackHatCoiner you are absolutely right. i was writing too fast again and already had other thoughts in my head before i wanted to finish the actual sentence/topic.
i have of course now improved it - shame on me
legendary
Activity: 1512
Merit: 7340
and how the wallet converts them into a binary 'seed'
It doesn't convert the mnemonics into a seed. It converts the seed into a mnemonic. As you demonstrate in the slides, the computer first generates 128 + 4 bits, and converts these to a mnemonic phrase.

that is used to create encryption keys that are then used to execute cryptocurrency transactions.
The seed isn't used to create encryption keys, it is used to derive extended keys, which can be used to derive Bitcoin private keys.
legendary
Activity: 3122
Merit: 7618
bip39 is a design implementation that lays out how cryptocurrency wallets create the set of words (mnemonic codes) that make up a mnemonic set, and how the wallet converts the seed into mnemonic codes that are used to derive extended keys that can be used to derive private bitcoin keys. with these 4 foils i would like to bring you closer to this important topic. there are also numerous threads about it, but to continue working on my 'slide threads' i decided to create a new one
i hope that this topic will be well received by you and will appeal to more users

Quote
BIP: 39
  Layer: Applications
  Title: Mnemonic code for generating deterministic keys
  Author: Marek Palatinus <[email protected]>
          Pavol Rusnak <[email protected]>
          Aaron Voisine <[email protected]>
          Sean Bowe <[email protected]>
  Comments-Summary: Unanimously Discourage for implementation
  Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0039
  Status: Proposed
  Type: Standards Track
  Created: 2013-09-10
https://github.com/bitcoin/bips/blob/master/bip-0039.mediawiki