Author

Topic: Is a hidden derivation path enough to keep Bitcoin secure after compromised ? (Read 254 times)

hero member
Activity: 1120
Merit: 540
Duelbits - Play for Free | Win for Real
You may want to correct the underlined part, because in your words it should've been "... a new seedphrase and passphrase ...".


I wonder how someone can detect if one of mnemonic recovery words (not one of the words but the whole, you label this seedphrase; I don't really like to call the recovery words a ...phrase, it's a bit too ambiguous for my taste) or mnemonic passphrase (the optional ...) has been compromised, except when you accidently enter them on an online device when that wasn't supposed to happen.

If both are compromised, your coins likely are gone already. You may be lucky, though, and quick action is advisable.
Thanks for the observation.

I agree with you, i also don't like to refer to it that way, but I end up not remembering at the time of posting and several names come up, i think the best one that fits in this case is mnemonic phrase, mnemonic code (or just mnemonic) or simply wallet backup, but most people simply call it "seed", although the words in the mnemonic are just the encoding of the real seed (which is in hex format).
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
If you think you have compromised both your seedphrase and passphrase, the best thing you can do is create a new passphrase and passphrase and transfer the funds to the new wallet and make sure this doesn't happen again.
You may want to correct the underlined part, because in your words it should've been "... a new seedphrase and passphrase ...".


I wonder how someone can detect if one of mnemonic recovery words (not one of the words but the whole, you label this seedphrase; I don't really like to call the recovery words a ...phrase, it's a bit too ambiguous for my taste) or mnemonic passphrase (the optional ...) has been compromised, except when you accidently enter them on an online device when that wasn't supposed to happen.

If both are compromised, your coins likely are gone already. You may be lucky, though, and quick action is advisable.


hero member
Activity: 1120
Merit: 540
Duelbits - Play for Free | Win for Real
To secure a potential compromisation of mnemonic recovery words, I'd rather add a strong mnemonic passphrase instead of a custom derivation path. Reason is that brute-forcing a mnemonic passphrase is more computationally expensive because you always have to go through the 2048x PBKDF2 rounds for every try. This is very likely much slower than walking through derivation path indices.
I agree with Cricktor, trying to reinvent the wheel instead of following established security standards, you run a greater risk of forgetting than of being stolen.

Derivation paths were not meant to be used for this purpose, if you want to add an extra layer of security, the best thing you can do is create an offline seedphrase and add a BIP39 passphrase with custom phrases and/or random character sets, never keep both items in the same place and also, never insert them into online environments (not that they will be hacked if your device is compromised with malware, but there is a risk).

If you think you have compromised both your seedphrase and passphrase, the best thing you can do is create a new seedphrase/mnemonic phrase and passphrase and transfer the funds to the new wallet and make sure this doesn't happen again.

If you want something more advanced than using a passphrase, you can look into using multisig wallets, where more than one signature and private keys are required to send funds, or use the BIP85 feature, which adds more elements to your security.

Remember that the more security elements, the greater the risk if you don't know how to manage it and don't have the habit of reviewing your backup scheme for an interval that your brain won't forget.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Quote


Code:
time = search space / RTX 4090 speed = 1.8x10^20 / 8.554x10^9 = 21042787000.23... seconds (667 years).

That speed exclude creating private child key from private parent key, but it should be negligible compared with converting private key to pubic key.

[1] https://bitcointalksearch.org/topic/m.63680043

It' s different  converting private key to pubkey with searching a UTXO linked to a every single addresses.

Good point, i forget about searching whether the generated address is on address/UTXO list. But FWIW you could create index/bloom filter and then load both list and index/bloom filter to RAM.

Most people if they were doing this to crack something like this are going to be using farms of the NVida Tesla cards. Not 3090 / 4090 / etc general use graphics cards.

You can rent the V100 cards in bulk for less then $0.15 per hour and that's today. It's only getting cheaper. So once again, if you are talking a large enough amount of $ then then it can be overcome.

Probably still not worth it on either side. Too much risk on the users side of forgetting the path. Look at the number of posts we have with people who tried something different and now can't get to their coins. And for the person finding the keys unless you KNOW that the owner has 10+BTC and is not going to know you got their seed and move it before they find it, too much risk.

Just my view as always.

-Dave
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Quote


Code:
time = search space / RTX 4090 speed = 1.8x10^20 / 8.554x10^9 = 21042787000.23... seconds (667 years).

That speed exclude creating private child key from private parent key, but it should be negligible compared with converting private key to pubic key.

[1] https://bitcointalksearch.org/topic/m.63680043

It' s different  converting private key to pubkey with searching a UTXO linked to a every single addresses.

Good point, i forget about searching whether the generated address is on address/UTXO list. But FWIW you could create index/bloom filter and then load both list and index/bloom filter to RAM.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Also, keep in mind if a hacker gets access to your machine and gets your seed there is a non zero possibility that they also have access to the rest of the information that would contain the derivation path.

And, there is also the possibility that even if they don't get that they may get some of your addresses. It would take a long time to find the path but as ABCBits pointed out it's not THAT long a time if you have or can rent enough GPU power.

-Dave
newbie
Activity: 0
Merit: 0
Quote


Code:
time = search space / RTX 4090 speed = 1.8x10^20 / 8.554x10^9 = 21042787000.23... seconds (667 years).

That speed exclude creating private child key from private parent key, but it should be negligible compared with converting private key to pubic key.

[1] https://bitcointalksearch.org/topic/m.63680043

It' s different  converting private key to pubkey with searching a UTXO linked to a every single addresses.
newbie
Activity: 0
Merit: 0
2. the title is a little bit bad, right.
You can edit it, for example: "Is a hidden derivation path enough to keep Bitcoin secure after compromised seed phrase?"

thank you for your opinoin.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
2. the title is a little bit bad, right.
You can edit it, for example: "Is a hidden derivation path enough to keep Bitcoin secure after compromised seed phrase?"
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
It takes 1.8x10^15 seconds to search for every address (even if it is a supercomputer) =58,454,204 years

What if my coin is at m/86'/0'/1096823754'/1/1189356152 address?

It takes 10 million years to discover, even if He is lucky.

It's still extremely long, but it should not be as long as your initial calculation. Single RTX 4090 can convert 8554 million private key to address every second[1].

Code:
time = search space / RTX 4090 speed = 1.8x10^20 / 8.554x10^9 = 21042787000.23... seconds (667 years).

That speed exclude creating private child key from private parent key, but it should be negligible compared with converting private key to pubic key.

[1] https://bitcointalksearch.org/topic/m.63680043
newbie
Activity: 0
Merit: 0
Your thread's title is sort of bad, because if you actually loose your private keys that control UTXOs, nothing prevents an attacker to spend your coins. Your mnemonic recovery words aren't your private keys!


I'm not so sure about the "impossible" part. If you hide your coins in some custom derivation path, an attacker has to exhaust the derivation path space if he doesn't have any clues about what derivation you've used.

When the attacker has your mnemonic recovery words then he only needs to perform the computationally somewhat expensive 2048x PBKDF2 rounds only once. Further derivations down the branches of the derivation path are far less expensive per index than the PBKDF2 rounds to get to the BIP32 root key derivation.

An attacker would've to build a database of Bitcoin addresses which hold UTXOs. Querying this database for any particular derivation path down from the BIP32 root key is surely a pain and likely not feasible for more than two unknown branches of the derivation path.

While BIP32 allows an index space of mostly 232 per index, which wallet software actually supports such custom derivation paths? You might discover "funny" bugs while exploring custom derivation paths.

To secure a potential compromisation of mnemonic recovery words, I'd rather add a strong mnemonic passphrase instead of a custom derivation path. Reason is that brute-forcing a mnemonic passphrase is more computationally expensive because you always have to go through the 2048x PBKDF2 rounds for every try. This is very likely much slower than walking through derivation path indices.

1. whatever it is BIP44 or BIP32, It doesn't do with database something like that, Hacker has to search every single addresses (one by one) to find valid UTXO. So it takes time.
2. the title is a little bit bad, right.  I don't use this dumb method.
legendary
Activity: 1624
Merit: 2594
Top Crypto Casino
I just wondered whether how long will it take to find the balance (or is it possible to find it).
The answer is "impossible"

The answer is not "impossible". It depends on your custom "security" method.

But there is no additional advantage to this method. You will have much greater security by extending the seed phrase with a custom passphrase, because in that case you are not limited to just a numerical index, but you can use any combination of characters or even whole words and phrases. And it protects all addresses in your wallet, not just one.

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
Your thread's title is sort of bad, because if you actually loose your private keys that control UTXOs, nothing prevents an attacker to spend your coins. Your mnemonic recovery words aren't your private keys!


I'm not so sure about the "impossible" part. If you hide your coins in some custom derivation path, an attacker has to exhaust the derivation path space if he doesn't have any clues about what derivation you've used.

When the attacker has your mnemonic recovery words then he only needs to perform the computationally somewhat expensive 2048x PBKDF2 rounds only once. Further derivations down the branches of the derivation path are far less expensive per index than the PBKDF2 rounds to get to the BIP32 root key derivation.

An attacker would've to build a database of Bitcoin addresses which hold UTXOs. Querying this database for any particular derivation path down from the BIP32 root key is surely a pain and likely not feasible for more than two unknown branches of the derivation path.

While BIP32 allows an index space of mostly 232 per index, which wallet software actually supports such custom derivation paths? You might discover "funny" bugs while exploring custom derivation paths.

To secure a potential compromisation of mnemonic recovery words, I'd rather add a strong mnemonic passphrase instead of a custom derivation path. Reason is that brute-forcing a mnemonic passphrase is more computationally expensive because you always have to go through the 2048x PBKDF2 rounds for every try. This is very likely much slower than walking through derivation path indices.
newbie
Activity: 0
Merit: 0
What if my coin is at m/86'/0'/1096823754'/1/1189356152 address?
Chances are the attacker will never find your coins. BUT: making up your one "encryption scheme" largely increases the chance of losing access yourself! What makes you think you'll remember 1096823754 and 1189356152 and their exact locations 5 years from now? Read how I lost and regained access to my made-up brainwallet: it's a risk.
If you want to add "something" extra on top of the seed words, why not extend the seed with a 13th (or 25th) custom passphrase? That's a much more standard method of adding time in case your seed gets compromised.

How to protect my coin even if the mnemonic/passphrases are robbed
To think about: what are the odds of getting robbed, and what are the odds of losing access yourself? This has always been the one compromise in Bitcoin I'm not entirely comfortable with.



Dear signature spammers, what's with the shitposting on the tech board without understanding or even reading what OP wrote?


you are absolutely right.
I don't use it like this m/86'/0'/1096823754'/1/1189356152

I just wondered whether how long will it take to find the balance (or is it possible to find it).
The answer is "impossible"
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
What if my coin is at m/86'/0'/1096823754'/1/1189356152 address?
Chances are the attacker will never find your coins. BUT: making up your one "encryption scheme" largely increases the chance of losing access yourself! What makes you think you'll remember 1096823754 and 1189356152 and their exact locations 5 years from now? Read how I lost and regained access to my made-up brainwallet: it's a risk.
If you want to add "something" extra on top of the seed words, why not extend the seed with a 13th (or 25th) custom passphrase? That's a much more standard method of adding time in case your seed gets compromised.

How to protect my coin even if the mnemonic/passphrases are robbed
To think about: what are the odds of getting robbed, and what are the odds of losing access yourself? This has always been the one compromise in Bitcoin I'm not entirely comfortable with.



Dear signature spammers, what's with the shitposting on the tech board without understanding or even reading what OP wrote?
newbie
Activity: 0
Merit: 0
I wonder that How can he send balance when he doesn't even know if the private key has a UTXO with or without a balance?
Hackers don't even know what purpose wallet the owner of the private key made with mnemonic (p2tr, p2wpkh, p2pkh, p2sh) so they can send the balance? Impossible
If your story is true, rather than arguing with me, you must move your bitcoin to a new wallet, then when you finished that transaction with confirmations from Bitcoin miners, you can return to this thread, and argue with me again.

You said what you lost is a wallet mnemonic seed, that means hacker has access to all private keys in that wallet.

Wallets, it's a chapter 5 in Mastering Bitcoin book. Reading it can help you understand about wallet mnemonic seed and a Hierarchical Deterministic (HD) key generation (BIP32).

HD wallet: a tree of keys generated from a single seed.

you don't understand what I mean.
if My bitcoin is at m/86'/0'/1096823754'/1/1189356152, you can not figure out my balance.
How do you find the UTXO unless I wouldn't say that?
sr. member
Activity: 854
Merit: 424
I stand with Ukraine!
I wonder that How can he send balance when he doesn't even know if the private key has a UTXO with or without a balance?
Hackers don't even know what purpose wallet the owner of the private key made with mnemonic (p2tr, p2wpkh, p2pkh, p2sh) so they can send the balance? Impossible
If your story is true, rather than arguing with me, you must move your bitcoin to a new wallet, then when you finished that transaction with confirmations from Bitcoin miners, you can return to this thread, and argue with me again.

You said what you lost is a wallet mnemonic seed, that means hacker has access to all private keys in that wallet.

Wallets, it's a chapter 5 in Mastering Bitcoin book. Reading it can help you understand about wallet mnemonic seed and a Hierarchical Deterministic (HD) key generation (BIP32).

HD wallet: a tree of keys generated from a single seed.
newbie
Activity: 0
Merit: 0
(Subtitle: How to protect my coin even if the mnemonic/passphrases are robbed)

If a hacker has acquired my mnemonic and passphrase, how does He look up the balance?
When a hacker has your wallet mnemonic seed, he can import it and steal your bitcoin. He does need to check all addresses in that wallet, if he import it and see bitcoin there, he will send your bitcoin to his wallet without need to know what addresses of yours have bitcoin. I meant he does not need to choose UTXOs for his sending.

If you are fearful that your wallet is hacked, and balance is still there, you must sweep your fund to a new wallet. Do it as fastest as possible because a hacker can do his job faster than you.


I wonder that How can he send balance when he doesn't even know if the private key has a UTXO with or without a balance?


Hackers don't even know what purpose wallet the owner of the private key made with mnemonic (p2tr, p2wpkh, p2pkh, p2sh) so they can send the balance?
The hacker needs to know the UTXO that the wallet has to specify the input of the transaction,
How can he create a transaction when he doesn't know UTXO?
sr. member
Activity: 448
Merit: 560
Crypto Casino and Sportsbook
Hacking most of the time is to steal funds. That's the more reason hackers target your keys or your seed phrase. Hackers need those keys to remove funds from your wallet since a transaction has to be signed with the keys for it to be valid on the Blockchain. If you feel your keys or funds are in jeopardy the first thing you need to do is make your funds change spending keys. And to do that you will need to sweep the funds from that wallet.

Immediately you notice, create a new wallet on another device that hasn't been compromised and move all the funds from the old wallet to the new one making sure your internet is good and you make use of a huge fee so it gets confirmed as quickly as possible. You don't want to risk a transaction like that being cancelled by the hackers.
hero member
Activity: 896
Merit: 586
Leading Crypto Sports Betting & Casino Platform
The moment a hacker gets access to your mnemonic and passphrase, it means that your bitcoin is gone because those are what anyone that understand wallet even if he's not a hacker needs to steal your coins by importing them on electrum wallet and there's nothing you can do to stop the thief, only if you are faster than the thief to sweep your funds to a new wallet, if he hasn't transferred the funds. Your post is only about someone trying to generate the same private keys as yours, that's when the chance of getting the same private is very tiny and can take 10 million years like you said. However, it's good to keep your back up seed phrase in a separate place from where you keep your backup pass phrase so that it will be impossible for anyone that has access to either your seed phrase or passphrase to have access to your wallet without the other.
sr. member
Activity: 336
Merit: 365
The Alliance Of Bitcointalk Translators - ENG>PID
If a hacker has acquired my mnemonic and passphrase, how does He look up the balance?

It takes 10 million years to discover, even if He is lucky

In summary of what you meant to say, using a unique derivation path and address index, will add extra security to your wallet? but then, your mnemonic and seedphrase already gotten by a hacker = lost funds.. there's may not be any explanation after that. It won't take couple of minutes for him to empty the wallet.. its just better to store your keys securely to avoid loss of funds..

Also, if you are also smart and fast, at the time the hacker had sent the funds and still awaiting confirmation, if the transaction was RBF enabled, you can decide to make a new transaction with higher fee and send it to another wallet which key is secured... But like I said, that's if you are aware during the time it happened..
sr. member
Activity: 854
Merit: 424
I stand with Ukraine!
(Subtitle: How to protect my coin even if the mnemonic/passphrases are robbed)

If a hacker has acquired my mnemonic and passphrase, how does He look up the balance?
When a hacker has your wallet mnemonic seed, he can import it and steal your bitcoin. He does need to check all addresses in that wallet, if he import it and see bitcoin there, he will send your bitcoin to his wallet without need to know what addresses of yours have bitcoin. I meant he does not need to choose UTXOs for his sending.

If you are fearful that your wallet is hacked, and balance is still there, you must sweep your fund to a new wallet. Do it as fastest as possible because a hacker can do his job faster than you.
newbie
Activity: 0
Merit: 0
(Subtitle: How to protect my coin even if the mnemonic/passphrases are robbed)

If a hacker has acquired my mnemonic and passphrase, how does He look up the balance?

Of course He is going to run the program,

Maybe there are all the balance in the first 2 to 30 addresses of the first account of each wallet type, right?

That is, if many people put it all in m/84'/0'/0/0~m/84'/0'/0'/0/20 (for example) as cold wallet default setting

Spotted my coin in an instant!

By the way, if I put the coin in a specific index of a specific account, will the hacker be able to find my coin???

In order to put two elements (a mnemonic and a passphrase) and find all the accounts and all the corresponding indexes, you need to browse all the addresses that the private key can have.

However, the number of addresses that a single private key can have is

Starting with the address varying depending on the wallet for what purpose (which may also be p2tr, p2wpkh, p2pkh, or Multisig1/1), there are number factors in the following cases.

In other words, in terms of the derived path of the HD wallet (based on bip44)

> m / purpose' / coin_type' / account' / change / address_index

Purpose: 44, 48, 49, 84, 86 (number 5) depending on wallet purpose
coin_type : Bitcoin 0
account : account (number 2^32)
change : ex/in : received address 0/ change address 1 (number 2)
address_index: address serial number (number 2^32)


To check the balance of all addresses that one private key has

5 x 2^32 x 2^32 = 1.8 x 10^20 addresses exist.

It takes 1.8x10^15 seconds to search for every address (even if it is a supercomputer) =58,454,204 years

What if my coin is at m/86'/0'/1096823754'/1/1189356152 address?

It takes 10 million years to discover, even if He is lucky.
Jump to: