From: Aymeric Vitte
To: Alan Evans, Bitcoin Protocol Discussion
Date: Tue, 1 Jan 2019 20:44:57 +0100
Subject: Re: [bitcoin-dev] BIP39 seeds

You are simplifying too much what I am suggesting

What I am suggesting is: set a derivation method for BIP39 like for BIP32 (having the seed for BIP32 and not the derivation path is just like having nothing) and use this derivation method from a "book" (a "book" being a book, a document, a link, an image, whatever your secret can be), based on the fact that you will easily find from this derivation method "valid" BIP39 seeds (even if BIP39 does not enforce anything regarding valid phrases, everything can be valid as you mention, and this does not help in fact)

The derivation method will just define the way you select the words in the secret, and if everybody chooses the bible as the secret then this will not change the fact that it will be impossible to find the real seed without knowing the derivation path

Then you don't need to write the seed, you can easily plausibly deny it, you can easily pass it to the family (using a passphrase does not say to them where they are supposed to use it)

"people lost" --> people think that there is some magic with BIP39 that will save them whatever they do (i.e. they don't even care about managing correctly the many easy-to-generate BIP39 seeds they are using) where they will always recover their seed and keys from BIP39/44/49, of course this does not work at all


Le 31/12/2018 à 17:52, Alan Evans a écrit :
> > Using some algorithm to take some input and generate a bip39 phrase that you can use with any bip39 wallet sounds perfectly reasonable.
>
> I think any method that doesn't use real entropy, but some fake source of randomness, such as a book is asking to be hacked and so is not a reasonable idea.
>
> If an algorithm for book text to BIP39 sentence ever became well used, common books will be systematically searched for accounts. People will also choose their favourite passages, so I would expect to see collisions.
>
> You should also note that BIP39 does not need input that is from the word list. You can use any text as its input, the word list and checksum check is just recommended to be a warning, but again, text chosen from public sources or common phrases is a bad idea for many reasons.
>
> From BIP0039:
> > The conversion of the mnemonic sentence to a binary seed is completely independent from generating the sentence. This results in rather simple code; there are no constraints on sentence structure and clients are free to implement their own wordlists or even whole sentence generators, allowing for flexibility in wordlists for typo detection or other purposes.
> > Although using a mnemonic not generated by the algorithm described in "Generating the mnemonic" section is possible, this is not advised and software must compute a checksum for the mnemonic sentence using a wordlist and issue a warning if it is invalid.
>
> What you could do is use a regular true random BIP39 sentence in conjunction with a phrase from a book as the "passphrase" giving you that plausible deniability, right up to the point you put that in your will or tell someone, i.e. for the "what if something happens to me" case. Though I still think redirecting people to a book phrase is risky for this, e.g. books have editions, there may be a change in the key place.
>
> From BIP0039:
> > The described method also provides plausible deniability, because every passphrase generates a valid seed (and thus a deterministic wallet) but only the correct one will make the desired wallet available.
>
> Alan
>
> P.S. "I have seen many people completely lost with their wallets because of [BIP39]": I would say "despite" not "because". These people would have lost/misrecorded a BIP32 hex seed as well.
>
> On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
> >
> > Le 26/12/2018 à 19:54, James MacWhyte a écrit :
> > >
> > > On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte <vitteaymeric@gmail.com> wrote:
> > > >
> > > > so, even with a tool like yours, they can be misled, for example trying a few words to replace the missing/incorrect one, get a valid seed and stay stuck with it forever trying to play with BIP44/49 to find their keys
> > >
> > > Just a small detail, but my tool actually looks up all the possible combinations and then finds which one has been used before by looking for past transactions on the blockchain. Therefore, it won't tell you your phrase is correct unless it is a phrase that has actually been used before (preventing what you described).
> >
> > I saw that your tool was querying blockchain.info, but it cannot guess what derivation path was used and if it is a standard one what addresses were used, and even if successful it works only for bitcoin (so maybe it should just output the ~1500 possible phrases and/or xprv, and be completely offline, this is still doable for people)
> >
> > > Using some algorithm to take some input and generate a bip39 phrase that you can use with any bip39 wallet sounds perfectly reasonable.
> >
> > I forgot to mention that this can help also solving the "what if something happens to me" case giving to the family the seed and the parameter(s) for the derivation path, or an easy way to find it (better than something like: remind this passphrase, take the sha256 of it, then use some other stuff to find the encryption algo, take n bytes of the hash, use it to decode my wallet or my seed... and then everybody looking at you like crazy)
> >
> > _______________________________________________
> > bitcoin-dev mailing list
> > bitcoin-dev@lists.linuxfoundation.org
> > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
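The two BIP39 steps Alan quotes above, the checksum that software must verify before warning, and the seed derivation in which every passphrase (and every sentence) yields a valid seed, as an added Python example that is not code from any poster in the thread. The wordlist is a constructed stand-in for the real 2048-word English list, which is too long to embed; the seed function does not depend on it.

```python
import hashlib
import unicodedata

# Constructed stand-in for the real 2048-word BIP39 English list (too long to
# embed here); any 2048 distinct words exercise the same checksum logic.
WORDLIST = [f"w{i:04d}" for i in range(2048)]


def entropy_to_mnemonic(entropy: bytes, wordlist=WORDLIST) -> str:
    """BIP39 'Generating the mnemonic': append the first ENT/32 bits of
    SHA-256(entropy) as checksum, then cut the bits into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent // 32
    bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(ent)
    bits += bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:cs]
    return " ".join(wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11))


def checksum_valid(mnemonic: str, wordlist=WORDLIST) -> bool:
    """The check BIP39 says software must perform (and warn on failure):
    decode the words back to bits, split off the checksum and recompute it."""
    words = mnemonic.split()
    if len(words) % 3 or not 12 <= len(words) <= 24:
        return False
    try:
        bits = "".join(bin(wordlist.index(w))[2:].zfill(11) for w in words)
    except ValueError:  # a word that is not in the list at all
        return False
    cs = len(bits) // 33
    entropy = int(bits[:-cs], 2).to_bytes((len(bits) - cs) // 8, "big")
    expected = bin(int.from_bytes(hashlib.sha256(entropy).digest(), "big"))[2:].zfill(256)[:cs]
    return bits[-cs:] == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 'From mnemonic to seed': PBKDF2-HMAC-SHA512, 2048 rounds, salt
    "mnemonic" + passphrase, both NFKD-normalised. Nothing here consults the
    wordlist or checksum: any sentence with any passphrase gives a 64-byte
    seed, which is the plausible-deniability property quoted from the BIP."""
    m = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    s = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", m, s, 2048, dklen=64)
```

With the real English list, 16 zero bytes of entropy encode as "abandon" eleven times followed by "about" (index 3), the first BIP39 test vector; the toy list reproduces the same indices.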
