Why you cannot enter an arbitrary seed in Electrum - page 6.

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: btcven on March 19, 2013, 05:30:05 PM

"Can someone with the list of words from the Electrum code get an electrum user's seed trough brute force? How can it be avoided?"

The list of words used by Electrum is public; everyone can read it: https://github.com/spesmilo/electrum/blob/master/lib/mnemonic.py
The security of your seed does not reside in a secret algorithm; Electrum is open source, anyone can see how it works.
Security is based on the length of your seed: your seed is safe because it is long enough to make brute force attacks impossible.

btcven

hero member

Activity: 715

Merit: 500

Bitcoin Venezuela

"Can someone with the list of words from the Electrum code get an electrum user's seed trough brute force? How can it be avoided?"

etotheipi

legendary

Activity: 1428

Merit: 1093

Core Armory Developer

Quote from: ThomasV on March 16, 2013, 04:54:41 PM

Electrum does not let you use an arbitrary sequence of words as seed. This is because humans are not good at generating really random phrases.

The seed generated by Electrum is a 128-bit random number. It is encoded as a sequence of 12 words, for the purpose of memorization. However, it is important to understand that it has 128-bits of entropy. A phrase generated by a human, or picked from a random book opened at a random page, will in general be much less random, and much more vulnerable to attacks. (and "much more" here means astronomically more).

In this type of attack, time is on the side of the attacker. It is perfectly possible for an attacker to try all the phrases existing in a large database of books, and some variants of those, until they find a wallet. In contrast, it is not possible to do the same with 2^128 random phrases.

As you may have noticed, it is possible to bypass this protection; if you restore your wallet from a hexadecimal string, any string length will be accepted. However, this will only work with hexadecimal inputs. Thus, if you absolutely insist on using an arbitrary phrase as seed, you will need to hex-encode it yourself. Consider this as a protection.

I approve of this message. This is why Armory uses a different alphabet, and uses checksums. Of course checksums are there for checking that data was entered correctly, but it also requires users to manually compute the checksums if they want to enter their own data. It's a nice protection from people just cramming "aaaaaaaaa..." into the wallet recovery screen.

Of course, Armory uses waaaay more than 128 bits of entropy, but I'll be bringing it down to 128 or 160 in the next release -- I was thinking 160 because I wanted to give a little margin in case your system does not have a high-quality entropy pool at creation time. This because I totally agree with ThomasV -- 128 bits is a nice, unbreakable value. Maybe in 1000 years when we have Dyson spheres around a few different stars for the purpose of collecting energy to break my wallet, they might break 128 bits.

ThomasV

legendary

Activity: 1896

Merit: 1353

Quote from: theymos on March 18, 2013, 12:02:46 PM

I agree that it is important to have a random, unguessable passphrase, but 12 random words with 128 bits of entropy is overkill. My passphrase utility allows you to safely use 6 random words.

We are not talking about an encryption passphrase here. We are talking about the entropy of Bitcoin addresses used by the client.
For this, 128 bits is not overkill. Bitcoin BIP 32 recommends to use at least 128 bits for this: https://en.bitcoin.it/wiki/BIP_0032
As an additional safety measure, Electrum adds a little bit of key stretching to generate the master key (100000 iterations of sha256, which is equivalent to adding a few extra bits of entropy to the seed)

theymos

administrator

Activity: 5222

Merit: 13032

I agree that it is important to have a random, unguessable passphrase, but 12 random words with 128 bits of entropy is overkill. My passphrase utility allows you to safely use 6 random words.

btcven

hero member

Activity: 715

Merit: 500

Bitcoin Venezuela

This is a good post to go to the http://electrum.org FAQs and Tutorials

ThomasV

legendary

Activity: 1896

Merit: 1353

Electrum does not let you use an arbitrary sequence of words as seed. This is because humans are not good at generating really random phrases.

The seed generated by Electrum is a 128-bit random number. It is encoded as a sequence of 12 words, for the purpose of memorization. However, it is important to understand that it has 128-bits of entropy. A phrase generated by a human, or picked from a random book opened at a random page, will in general be much less random, and much more vulnerable to attacks. (and "much more" here means astronomically more).

In this type of attack, time is on the side of the attacker. It is perfectly possible for an attacker to try all the phrases existing in a large database of books, and some variants of those, until they find a wallet. In contrast, it is not possible to do the same with 2^128 random phrases.

As you may have noticed, it is possible to bypass this protection; if you restore your wallet from a hexadecimal string, any string length will be accepted. However, this will only work with hexadecimal inputs. Thus, if you absolutely insist on using an arbitrary phrase as seed, you will need to hex-encode it yourself. Consider this as a protection.

Topic: Why you cannot enter an arbitrary seed in Electrum - page 6. (Read 65082 times)