Topic: SHA256 once & twice (Read 603 times)

I know most entropy estimation would have lower entropy bits due to repetitions. I was showing weakness of simple formula (both 2^N and N^2) for entropy estimation.

Yep, so the program didn't manage to guess that sequence of numbers and it was random (intentionally or not). Sample size can skew the results quite significantly, but I think the program can do more as well. If you were to do it over longer periods of time or take a bigger sample size, then you are more likely to tend towards the computer winning/losing. Anyways, anything above/below 50% shows a short term sequence so that is undesirable. If they took a bigger sample size or used a RNN the sequencing would actually be more obvious.

It's actually quite a simple solution and program which uses weighted average by organizing your inputs into matrices and uses it to weight and predict your next move. Hence, something like 10111000 will result in the computer giving the wrong answer every time after a few correct answers. Anyways, that's not the point, beating the algorithm isn't difficult. Having to beat the algorithm consistently without knowing what it does is more difficult for most.
 
Agreed. I still think that general users should still realize the possible risks and caveat for brainwallets.

Score   %   Leader
Man   43   50.00   -
Machine   43   50.00   -
#120   #121   #122   #123   #124   #125   #126   #127   #128   #129               
0   1   1   0   1   1   0   0   1   0               
1   1   0   0   1   0   0   1   1   1   

So I generated a 128 bit number by clicking 1s and 0s just using my head. 50/50. not the easiest thing to do but not impossible either.

By looking at the source code I could probably figure out how to improve my results even more. Because there is no way to define "random" to a computer so that it recognizes what is random and what isn't.

well i think we could all agree that brainwallets are just kind of a curiousity at this point since hd wallets have taken over and really that's what someone should be using. if they want more security then just add an extended passphrase to their seed.

Be my guest: http://www.loper-os.org/bad-at-entropy/manmach.html.

Your different phrases likely already exist in the dictionary and specific permutations of it are likely to be inter-linked with real life events. Your brain works in a way by association, so you are likely to think of something that you've already seen before. It is a natural phenomenon that has been studied and proven.

Yep. Dice rolls are sufficiently random given a large enough number because even with a 256bit entropy, your decrease in entropy can still make it sufficiently difficult.

I bet that if you use a sufficiently big random number generated by a CSPRNG and insert it into Brainwallet, it would still be secure. The whole point isn't about which KDF is stronger, because they're all going to become weaker as technological advances progress. The one thing that never really changes is that 2^256 or 2^128 is a very big key space and is likely unable to be exhausted. The same cannot be said about the improvement in speeds of KDFs.

Sure. Then you are making this entire process unnecessary difficult, and there is no guarantees of security. Why? How do you know your "iterations" or n values are sufficiently high? Not like I'll publish my most optimized implementation for everyone. It's really quite stupid to have to wait minutes to generate a single address.

Nope. Your keyspace is only 65 bits, you mentioned it yourself.

Your keyspace is only that if you use a passphrase that is completely random and sufficiently big. And yes, that is the whole point of warpwallet but if the input entropy is either:
1) Predictable
2) Short
, then I've got a better shot at cracking something as opposed to the costs.


Precisely why the whole argument revolves around brainwallet. Most people simply cannot make these kinds of passphrase. You underestimate the ability of humans to not think by experiences and association. Unfortunately, the reality is often very different from what you think. Search engines are not comprehensive and they are most definitely not a dictionary.

So a passphrase with a specific pattern.

Then you introduce another risk vector; how can you create that is
1) Sufficiently long
2) Sufficiently unique
3) and also prevent yourself from getting into an incident which induces amnesia or a form of it.
It is a risk that I would very much not have to face.

Sounds like the same problem that would occur with your memory problem. I'm not going to comment further about the memory issue, because things like these are certainly doable and there really isn't a need to memorize in the first place. If you want, you can certainly do it. You definitely don't need a brilliant memory, spaced memorization is surprisingly effectively, for what its worth.

---

If you trust that you can make a passphrase with sufficient entropy, then go ahead. You won't really know if it is secure until it gets hacked anyways. I, for one am definitely not doing something like this, especially with so much money on the line.

But they can generate 256 bit numbers using their brain and a pencil and paper by writing down a string of 1s and 0s. And that number has never been seen before. They can also think of phrases that do not exist on any book or search engine so no one ever thought of that phrase before. Since you don't know how an individual mind is biased, you can't use that to gain any idea into what passphrase they might have come up with.

You don't need to go down to the quantum level or use a computer to get randomness. in practice, when the rubber meets the road and for the purposes of generating bitcoin addresses, dice rolls can suffice. they might be a bit inconvenient but that's neither here nor there...

That's why you have to "upgrade". Someone that doesn't keep up on the current state of security might end up with a nasty surprise oneday no matter what method they used to generate their bitcoin address. For example, people that used Sha256 as a brainwallet. Hopefully they got the memo that this is a very insecure thing and their funds should be moved.

Well ideally in a software, the user could configure the # of iterations or difficulty level. Some people might want their difficulty level to be off the charts so that it takes 30 minutes on a top end computer to just generate the private key and address. Who's to say they are wrong? Bitcoin paper wallets are to be used one time anyway so it's not like someone should be needing to enter their passphrase and go through that intensive process except once to create and once to spend.



The key space is big enough. 2^256 almost. The algorithm is the only reasonable/feasible way an attacker has of determining my little private key out of that whole key space since it's so freaking huge. So the algorithm needs to punish the attacker for even trying. Punish him every time he tries to make a guess. That's kind of the theme behind warpwallet I would imagine.



Brainwallet passphrases are supposed to have some type of meaning to their owner. Otherwise it would not be possible to store it in their well, brain! you're confusing secrecy with randomness. A passphrase which is secret would be something that you cant search in google it doesn't show up in any searches. no one ever wrote down the phrase in a book, no one ever will except you. that's doable even though you don't think so.

Again, brainwallet passphrase is not supposed to be some random string of characters because get this: no one can remember that.

Well I disagree with that statement completely, as I've pointed out before that I find mnemonic seeds to be devoid of any meaning thus impossible to memorize. And trying to create meaning out of something that has no meaning is pointless because you will forget it soon enough. Not so with a brainwallet passphrase because in that situation you get to pick and choose your words and stuff so that it has some type of meaning to you.

Also let me throw in the opinion that mnemonic seeds are good for one thing and one thing only - for stamping in steel.

I don't know anyone that ever used that technique and I guarantee you it is more complicated than just trying to memorize 12 words. I saw that article in the past and it struck me as being overly complicated and not going to work.

How could anyone ever remember a story like this word for word? They're in for unwelcome suprise oneday when they forget the words to their convoluted and unintelligible "story".

I walk forward and open the first door on my right, a TV set sits in a dark room playing clips of a hurricane, as the same message scrolls across the screen, over and over, ‘Caution Today!’

Closing the door, I move on and open the next. I see Steve Jobs, the eager gadget artist, taking a sledgehammer to an IBM PC. He has a different view of what technology should be.

The third door opens and I look down upon a valley, with salmon skipping out of the water in droves. What are they whispering to each other, I wonder?

Behind the fourth door, I see a Swiss ski chalet, complete with bearskin rugs and roaring fire, as skiers sit down to lunch.

It is lowered by repetitions, 5x 'a'

That is kind of the problem isn't it?

Humans can't generate anything without bias. It is an inherent trait and the best that we can do is to try to approximate using known random substances. However, there is also another problem; most of the variables in nature is predictable, things like Radioactive decay with Heisenbergs Uncertainty can be approximated to be random but that isn't accessible in normal computers. That leaves us with urandom but even that isn't strictly random (random enough but still susceptible to minute interference), so you can't accurately measure entropy still.

Sure, but that doesn't prevent bruteforce from happening. Using a salt would just be a concatenation of the two components, which would prevent rainbow tables but nothing else.
I think that is well established, that KDFs like Scrypt is way better than SHA256 with brainwallet. Countering ASICs or bruteforce speedups with a parameter change doesn't do enough; you still leave tons of addresses vulnerable. Now, there is also a problem with resource scarcity in systems; if you increase the parameter far too high, you risk having certain users taking longer than normal to access their wallets.

Addressed this previously. ASICs has gone past the stage of only having a few MB of ram. If you increase it too much, you make it difficult and time consuming for certain people to get to their wallet. If your security is reliant on the algorithm rather than the keyspace, then I would urge you to reconsider and re-evaluate your risks.

Then isn't there a problem here? If there is a certain meaning to it, then it is probably not so random and that defeats the whole point of a brainwallet. So that leaves you with a single solution; using a random method to generate your passphrase. Then why bother going through brainwallet? Your mnemonic seed is far easier to memorize because there is a pre-defined word list and that you can easily construct a sentence with it.

Here: https://blog.trezor.io/how-to-memorize-a-seed-phrase-building-narratives-from-nonsense-a306e48dfb39. The entire point about these 12 words is to allow you to construct your own stanza. Also, the whole point about whether memorizing something would be effective has been discussed earlier in the thread as well.

Sure you can. If all possibilities are equally likely and there are 2^n of them then the entropy of the system is considered to be n-bits.

I doubt there's a rainbow table for it. And even if there was, just use salt.

It could be. it might not be. it all depends on how hard it is to enumerate all the possible 2^65 states. That's why using Sha256 as a brainwallet is not as secure as something like warpwallet. it takes longer to enumerate the states. i think some of the parameters like N=2^18 in scrypt you could increase if you wanted to make it even harder.

I doubt there's many addresses out there built with warpwallet but I dont think it would make a difference if there was. If ASICs get more powerful you can just bump up some of the paramters in scrypt like N. Put it out of reach for them once again.



Well for one thing it is impossible to memorize a 12 word mnemonic seed. Show me someone that has done that and 5 or 10 or 15 years later, they will have forgotten it for sure. Now a passphrase can be constructed such that it has some type of meaning to it so they are less likely to forgot it.

Right. That's one benefit. Is that you can actually memorize a passphrase. Good luck doing that with a meaningless string of 12 words.

No. The past 2 puzzles I've seen were scams that were trying to advertise a service through a fake puzzle. You have to check the Games and rounds board regularly since that's the place to post such things.

O, I have not seen that information. Warpwallet page is not up-to-date.
After your post, when I googled for the key, I found some old crackers: https://github.com/nachowski/warpwallet_cracker
Are you aware of any other "challenge" that kind or similar?

Since the address containing the reward is empty and the passphrase (HY4r0uWn) is revealed and we already know the private key (5J34oCttqfswmkGnX5NWrU19xkZPNu4a2bRJHW2UdiAU7QpTSsN), the challenge is well expired.
As for the speed, it takes about 8 seconds inside my browser (using 5% CPU) to compute it. The code is unoptimized and is not utilizing the whole computing power of my system. That should be a good starting point of how much effort it would take to brute force.

I think the challenge already expired (since 2018), but they did not update their website. Or it did not expire? Web site looks abandoned, but on other hand - domain is still registered and alive.
It would be fun to at least try to hack it, to see what is the possible performance today.

That is not what entropy means. There is no way to measure entropy because it is the degree of randomness and for which you can't see how random something really is. Passphrases are certainly not defined by entropy; you can have the most sophisticated and random passphrase that you can think of, but so long as there is a rainbow table that contains that permutation of it, then you're no better than just using correct horse battery staple.

65 bits of entropy is not a lot.

It has been 4 years and there are tons of ASICs that has shown capabilities of implementing memory hard algorithms. A challenge like this isn't really worth the time, because you're cracking only one specific address. If we have thousands of wallet like these, then there will be incentives to improve on those programs and we'll have even faster and more efficient bruteforcing.

Brainflayer was introduced many years after the inception of brainwallet and it has shown that Brainwallet was a very weak implementation. There is no guarantee that a better and more optimized program would surface in the future given enough traction.
Sure, you can but what would be the benefit of a brainwallet as compared to a simple 12 word mnemonic that is guaranteed to be random by implementation?

The only possible benefit that I can see using these implementation is if that for some reason you are able and willing to memorize a 20 character randomly generated passphrase rather than a 12 word mnemonic.

No I'm not saying it is not safe. It seems safe. Cracking a warp wallet is not like cracking a normal brainwallet. it's alot more time consuming and expensive in terms of computing resources. So you're not going to be able to crack an 8 character passphrase even without a salt to say nothing of one that has a salt. There's a reason why those last 2 challenges didn't get solved its probably because it is technologically infeasible. We know it's infeasible to do by brute force.

Well a 20 character passphrase I think gives a bit higher than 128 bits of security. That's because its universe of possibilities is greater than 2^128. So it's reasonable to assume that you can reach every single bitcoin address from using 20 character passphrases. But yeah, Bitcoin is limited to 128 bit security.



Well none of those links you shared shows anything having to do with warpwallet itself. so not sure what you're talking about...

What you are saying is the admission that using this method is not at all safe because a bitcoin private key is 256 bits and provides 128 bits of entropy. If you are reducing it to 65 (assuming your number is correct since I don't know how it is calculated) you are significantly reducing your key's security.

an 8 character passphrase has about 65 bits of entropy. a normal computer is not going to be able to crack that. plus if we salt the passphrase with the user's email address then they would have to know the person's email address to even get started. That makes things way more difficult.

If you use a 20 character passphrase that is more secure than bitcoin itself so yeah. you don't need to use salt. But if you do use salt, you don't need to use a 20 character passphrase. 10 would probably be plenty.

the only weakness i can see is it runs in a web browser. web browsers are an additional complication that is really unnecessary for a tool like this. and they introduce a potential source of error into the process. so it would be best to implement the software in some other programming language such as python so you could test it from a comand line. and see if it works. because web browsers change. they get updates and some of them go away. etc etc.


maybe so. haven't tried.

Look at Burden Of Proof. The only real evidence is that it is both time and resource consuming but it doesn't mean someone with decent resources won't crack it or if someone uses weaker than usual passphrase.

Brainwallet schemes are by no means sophisticated. You can probably replicate the entire scheme easily, because you're just essentially using Scrypt to generate a key. All you need to do is to determine the algorithm and the parameters. They are generally quite well-studied so you probably won't have any bugs.

Not necessarily.
You have to investigate to see whether the challenge was public enough to be seen by many people and most importantly whether the prize was high enough to encourage putting the effort in. It seems like the reward was high but I don't see that much effort put into breaking it, only 2 github repositories were found and they were weak implementations with no optimization whatsoever like this one: https://github.com/nachowski/warpwallet_cracker

which proves it is pretty secure. the drawback to something like warp wallet and really any sophistocated brainwallet scheme is you are trusting the software. do you really understand it well enough that if the software went away you would be able to do a clean room implementation of its algorithm so that you could use that instead? if not then that's honestly a bad sign.

for example how do you know it doesn't have a bug in it and so when you do your cleanroom implementation if it, your version doesn't have that bug so yours is technically correct but that's not going to help you recover your private key unless you can reduplicate that bug in yours which would be impossible most likely.

After the initial brainflayer fiasco, the original brainwallet was shut down. There were variations of it such as brainwallet.io and warpwallet which both uses Scrypt and salt to enhance the security. It wouldn't go as far as to say that they are uncrackable; given sufficient resources and common enough phrases and passphrase it can be crackable. The most infallible method is really to just use BIP39 or similar mnemonic systems.

There are ways to crack them and tools to do so. Just that they are significantly slower (and more expensive) than single round SHA256.