Topic: Why you cannot enter an arbitrary seed in Electrum - page 4. (Read 65082 times)

hero member
Activity: 686
Merit: 500
A pumpkin mines 27 hours a night
on what specific idea?   

Rolling your own Electrum seed with dice. It's a little bit different than diceware, because you effectively directly roll 12 Electrum seed words, and don't rely on some other entropy dimensions, but exactly on those offered by Electrum itself! I suggested it here: https://bitcointalksearch.org/topic/m.4502689
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
on what specific idea?   
hero member
Activity: 686
Merit: 500
A pumpkin mines 27 hours a night
What are your thoughts on this: http://www.sendspace.com/file/68tgbd
You have to roll your own seed. 5 dice for each word = 60 rolls; if a roll is invalid (i.e. under certain circumstances not applicable), roll again. IMO this should lead to a truly random seed, which can't be compromised by faulty or limited random number generator implementations. It's a bit cumbersome, but for long-term storage a decent decision.

Any downsides or potential risks I don't see?

This method is well known as Diceware - http://world.std.com/~reinhold/diceware.html

Good question! How does Diceware (5 words with dice, dictionary size of 7776) compare to Electrum (12 words, from a dictionary of 1600) for practical purposes, i.e. to use as your master password?

The thing is: Yes, this is some variant of Diceware. But this page is specifically engineered for Electrum's seed-words. I'm no expert but somewhat familiar and experienced with typical problems when it comes to 'true' randomness or cryptographically secure keys. I'd really like a word from the developers on that specific idea as it seems really neat!
sr. member
Activity: 475
Merit: 252
Ok, so the next upcoming release is 2.0 and it won't accept those > 128 bit.
I'm wondering, why this change?

Thanks for your answers.
The GUI representation to users for the seed and how it is displayed/used is made with the least experienced user in mind.

The inexperienced user will likely think "OMG MOAR WORDS IS SAFER!!! PUT IN ALL TEH WORDZ!" and make a 500 word seed or something.

In reality, the entropy is capped at 160. So any words over a certain amount are worthless.

Not to mention that if users can choose the length of their seeds, some users will inevitably choose a 1 or 2 word seed, get their bitcoins stolen, and then post about it all over the internet.

If you have confidence in your ability to alter Electrum to create your own seed, and you can restore that seed properly, go ahead.

But if you try to leave that seed to your family when you die or something, and they try to put it into Electrum after Electrum has already moved on to something else and only offers backwards compatibility to the one type of seed that was supported, then you better hope your family knows how to restore your seed manually, or alter Electrum in order to restore your seed.


If you want to roll dice and make your own entropy, use paper wallets with bitaddress.org.

I think there's also a site that you can download that will accept independently generated seeds to create BIP32 extended private keys.
newbie
Activity: 43
Merit: 0

Yes that's correct. It can take an arbitrary size seed but it is not recommended unless you know what you are doing. See the caveat I wrote about on page 2:

https://bitcointalksearch.org/topic/m.6627649
The only caveat is that you can't do a restore from seed for this >128bit seed wallet under electrum 2.0+. You will be able to use the wallet file softcopy. But not restore from seed. The reason being that the seed format is changing and electrum won't know which seed version you are using just from the bare seed. The wallet file, OTOH, contains the seed version.
Ok, so the next upcoming release is 2.0 and it won't accept those > 128 bit.
I'm wondering, why this change?

Thanks for your answers.

legendary
Activity: 3682
Merit: 1580

Quick question
I've done an experiment on electrum
I've started fresh and said "restoring from seed" where the seed is a 256-bit hex number (like the output of a SHA-256)
With that, I got 24 mnemonic words and a given set of 5 bitcoin addresses

Then, I deleted my wallet and started again, this time I used the first 128 bits of that 256-bit hex number I used earlier as the seed in the input GUI.
With that, I got the 12 mnemonic words, which match the first 12 mnemonic words from the prior experiment.
I also got 5 Bitcoin addresses that differ entirely from the prior experiment.

So it seems like, although the Electrum documentation says it takes a 128-bit seed, it actually can take more, leading to a different set of bitcoin addresses.

Can anyone explain what is going on?
And perhaps the documentation on Electrum's website could be updated to specify this.

Thanks

Yes that's correct. It can take an arbitrary size seed but it is not recommended unless you know what you are doing. See the caveat I wrote about on page 2:

https://bitcointalksearch.org/topic/m.6627649

newbie
Activity: 43
Merit: 0

Quick question
I've done an experiment on electrum
I've started fresh and said "restoring from seed" where the seed is a 256-bit hex number (like the output of a SHA-256)
With that, I got 24 mnemonic words and a given set of 5 bitcoin addresses

Then, I deleted my wallet and started again, this time I used the first 128 bits of that 256-bit hex number I used earlier as the seed in the input GUI.
With that, I got the 12 mnemonic words, which match the first 12 mnemonic words from the prior experiment.
I also got 5 Bitcoin addresses that differ entirely from the prior experiment.

So it seems like, although the Electrum documentation says it takes a 128-bit seed, it actually can take more, leading to a different set of bitcoin addresses.

Can anyone explain what is going on?
And perhaps the documentation on Electrum's website could be updated to specify this.

Thanks
legendary
Activity: 3682
Merit: 1580
If eggdescrambler wants a larger seed he should have one:

- Create a 256 bit random seed and output as hex:

Code:
openssl rand -hex 32

- Create a new electrum wallet, choose the restore function and paste in the hex seed.

The only caveat is that you can't do a restore from seed for this >128bit seed wallet under electrum 2.0+. You will be able to use the wallet file softcopy. But not restore from seed. The reason being that the seed format is changing and electrum won't know which seed version you are using just from the bare seed. The wallet file, OTOH, contains the seed version.

That's all there is to it.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
I may be wrong, but it would seem like you can just choose the option "restore a wallet from its private seed" and then add more words to your 12 word seed.
Just make sure you know what you're doing though (read this thread in full and understand entropy) 


EDIT:
Maybe not. I tried this and can't seem to get any receiving addresses, nor can I see the master public key. But I think there's a way to do it (review the thread).

But it's pointless.

2^128 can't be brute-forced. Even if you could try a trillion trillion key combinations a second (and you can't), it would take 8.9 million years to try all the combinations.

 
donator
Activity: 1218
Merit: 1079
Gerald Davis
However, if SHA256 on the original seed is done, this means the original seed could easily be 256 bit instead of 128.
With a 256-bit seed, it would be even more difficult to brute force, in addition to the 100,000 times.

Well a hash can have any size input.  Why stop at 256 bit, why not 512 bit, or 1,024 bit, or 94832049823409238490238490324872 bits just to be super duper uper secure?

128 RANDOM bits is beyond brute force.  Electrum then engages in key stretching giving you 144 bit security.  Still I expect the author will allow infinitely sized seeds so people can engage in feel good security.

If you could perform 2^128 operations you could steal nearly half a million bitcoins right now from a handful of the top addresses right now.  Just checked and they are still there so I imagine your seed is safe.
newbie
Activity: 43
Merit: 0


With electrum, the 12 word seed is run through an iterative loop... hashing it 100,000 times through SHA-256, so if you want to try to brute-force the 2^128 combinations, each try will take 100,000 times as long.

I might not have explained myself correctly.
Yes, I know the seed is for the wallet and contains multiple addresses, which was my original point.
I was talking about a brute force attack on the seed until one generates a set of addresses that the block chain shows as owning Bitcoin.

But I didn't get this earlier, a 100,000 times SHA256 of the original seed is done before addresses are taken. I see your point.
That's good.

However, if SHA256 on the original seed is done, this means the original seed could easily be 256 bit instead of 128.
With a 256-bit seed, it would be even more difficult to brute force, in addition to the 100,000 times.

Thanks for the input.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Hi JF
Thanks for the reply

Yes, but the seed should at least be a minimum of 160 bits, as are the Bitcoin addresses.
But ideally even more, as you have multiple Bitcoin addresses derived from this single key.

Wouldn't it then become profitable enough for someone to keep generating seeds and looking them up against the blockchain until they find the seed of somebody else?
With bitcoin addresses, the task is quite a bit harder since it's actually a hash of a public address (which is even larger than the 160-bit bitcoin address). Hence, the attacker has to work on all the possibilities of the private address, which is 256 bits, so even larger.
But with this seed, it's just 128-bit possibilities (2^128) (and even that, divided by the number of wallets used to find one of them)


No, the seed is for your wallet, which contains many addresses. So that's a 1-to-many relationship. Hence, you will have fewer seeds than addresses.

There are many threads here on the forum discussing the feasibility of cracking a private key. Bottom line, it can't really be done. 2^128 is simply too big a number.

Although there are 2^256 possible private keys, if you know the public key (which is possible only if a transaction was already sent from the corresponding address), you can use the elliptic curve math to find the private key in 2^128 operations.

Otherwise, if you don't know the public key of an address, you're stuck with a brute-force approach, hoping for a hash collision with probability on the order of 2^160. (Something to do with RIPEMD-160, although I'm not yet up to speed on exactly how that last point works.)

With electrum, the 12 word seed is run through an iterative loop... hashing it 100,000 times through SHA-256, so if you want to try to brute-force the 2^128 combinations, each try will take 100,000 times as long.

newbie
Activity: 43
Merit: 0
Hi JF
Thanks for the reply

Yes, but the seed should at least be a minimum of 160 bits, as are the Bitcoin addresses.
But ideally even more, as you have multiple Bitcoin addresses derived from this single key.

Wouldn't it then become profitable enough for someone to keep generating seeds and looking them up against the blockchain until they find the seed of somebody else?
With bitcoin addresses, the task is quite a bit harder since it's actually a hash of a public address (which is even larger than the 160-bit bitcoin address). Hence, the attacker has to work on all the possibilities of the private address, which is 256 bits, so even larger.
But with this seed, it's just 128-bit possibilities (2^128) (and even that, divided by the number of wallets used to find one of them)
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Hi Guys

I’m assuming the 128-bit seed could be increased to 256-bit instead. I would prefer this as it would be more secure.
What changes (code) would be required to have the Electrum wallet go from 128bit seed to 256-bit seed?


https://electrum.org/faq.html
Electrum uses a 128-bit random seed to generate your private keys. The seed can be represented as a 12-word mnemonic code. You do not need to perform regular backups, because your wallet can be recovered from the seed that you can memorize or write on paper.

Example:
hexadecimal: 431a62f1c86555d3c45e5c4d9e10c8c7
mnemonic: "constant forest adore false green weave stop guy fur freeze giggle clock"
There are 2^128 possible seeds for a deterministic wallet in Electrum. For comparison, the total number of Bitcoin addresses is 2^160.


Thanks


Hi Egg,

Welcome to the forum.

I had the exact same thoughts as you're having now.

Turns out:

1. Private keys "only" have maximum 160 bits of security anyway, and sometimes 128.

2. Electrum does a 100,000 round key-stretching hash, effectively adding another 16 bits of security. So, you really have 144 bits, which is plenty.

So, plenty of security and nothing to worry about.

 Grin

JF
newbie
Activity: 43
Merit: 0
Hi Guys

I’m assuming the 128-bit seed could be increased to 256-bit instead. I would prefer this as it would be more secure.
What changes (code) would be required to have the Electrum wallet go from 128bit seed to 256-bit seed?


https://electrum.org/faq.html
Electrum uses a 128-bit random seed to generate your private keys. The seed can be represented as a 12-word mnemonic code. You do not need to perform regular backups, because your wallet can be recovered from the seed that you can memorize or write on paper.

Example:
hexadecimal: 431a62f1c86555d3c45e5c4d9e10c8c7
mnemonic: "constant forest adore false green weave stop guy fur freeze giggle clock"
There are 2^128 possible seeds for a deterministic wallet in Electrum. For comparison, the total number of Bitcoin addresses is 2^160.


Thanks
legendary
Activity: 3682
Merit: 1580
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
Well, 1600^12 < 2^128...

but I guess not by much.
legendary
Activity: 3682
Merit: 1580
My concern is that the 12 words might not be secure enough...

I guess as long as I can import a hex value and it gives me a seed of
words, it will work, right?

A seed generated by electrum is more secure than any hex you manually input however long the latter might be.

If you absolutely want more than 12 words then do it right. Use openssl to generate a random seed for you:

Code:
openssl rand -hex 32

Then use the restore wallet option to create a new wallet and enter the output of the above as seed.
legendary
Activity: 1302
Merit: 1008
Core dev leaves me neg feedback #abuse #political
My concern is that the 12 words might not be secure enough...

I guess as long as I can import a hex value and it gives me a seed of
words, it will work, right?
hero member
Activity: 715
Merit: 500
Bitcoin Venezuela
So, I've been trying this... I'm a bit confused... I chose some arbitrary words, hex-encoded them, entered that hex code as the seed... and then viewed the seed, and the seed became like 45 words or 100 words even sometimes when viewed in electrum. Is this normal?

(Even when I chose only words from the electrum passphrase dictionary, it still redid them... I chose 16 words and they became like 60 words)

In the current version, seeds are treated in groups of 3 words. ThomasV might explain how this affects what you are trying to do. The new version of the seeds will let you use larger seeds as it will be hashed.
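The 3-word grouping mentioned above, the earlier hex experiment (24 words for a 256-bit seed whose first 12 match the 128-bit prefix), and the "roll again if invalid" rule in the dice proposal all follow from the Electrum 1.x mnemonic scheme: every 32-bit chunk of the seed is mapped to three indices into a 1626-word list. The following is an added example, not code from the thread or from Electrum itself; it works at the word-index level so the word list is omitted, and `roll_triple` is a hypothetical helper that stands in for a physical dice roll.

```python
import secrets

# Size of the Electrum 1.x mnemonic word list.  1626^3 is just above 2^32, so
# three indices hold one 32-bit chunk: 12 words <-> 128 bits, 24 <-> 256 bits.
N = 1626

def encode_chunk(x):
    """Map one 32-bit integer to three word indices (Electrum 1.x scheme)."""
    if not 0 <= x < 2 ** 32:
        raise ValueError("chunk must be a 32-bit value")
    w1 = x % N
    w2 = (x // N + w1) % N
    w3 = (x // N // N + w2) % N
    return (w1, w2, w3)

def decode_triple(w1, w2, w3):
    """Invert encode_chunk; since 1626^3 > 2^32 some triples exceed 32 bits."""
    return w1 + N * ((w2 - w1) % N) + N * N * ((w3 - w2) % N)

def seed_hex_to_indices(seed_hex):
    """Hex seed -> word indices, 8 hex digits (32 bits) per group of 3 words.
    Encoding is chunk by chunk, so a longer seed keeps the shorter one's prefix."""
    if len(seed_hex) % 8:
        raise ValueError("seed must be a whole number of 32-bit chunks")
    out = []
    for i in range(0, len(seed_hex), 8):
        out.extend(encode_chunk(int(seed_hex[i:i + 8], 16)))
    return out

def indices_to_seed_hex(indices):
    """Word indices -> hex seed; rejects groups that are not valid 32-bit chunks."""
    if len(indices) % 3:
        raise ValueError("word count must be a multiple of 3")
    chunks = []
    for i in range(0, len(indices), 3):
        x = decode_triple(*indices[i:i + 3])
        if x >= 2 ** 32:
            raise ValueError("group %d does not encode a 32-bit value" % (i // 3))
        chunks.append("%08x" % x)
    return "".join(chunks)

def roll_triple(draw=secrets.randbelow):
    """Hypothetical dice helper: draw three indices uniformly and redraw until the
    group is a valid chunk, which keeps accepted chunks uniform over 2^32."""
    while True:
        triple = (draw(N), draw(N), draw(N))
        if decode_triple(*triple) < 2 ** 32:
            return triple
```

Hex-encoding an 80-byte string gives 160 hex digits, i.e. 20 chunks and 60 word indices, which is consistent with the 60-word result reported above.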