Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 1FC82E8A for ; Wed, 26 Dec 2018 11:33:30 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-wm1-f47.google.com (mail-wm1-f47.google.com [209.85.128.47]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id B5DDB189 for ; Wed, 26 Dec 2018 11:33:28 +0000 (UTC) Received: by mail-wm1-f47.google.com with SMTP id p6so15049039wmc.1 for ; Wed, 26 Dec 2018 03:33:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=y8yDjVTpIxtw2IjG3guoZkUAn0Gn18nqV+dkgjcTtdI=; b=jNgalPJVHIOMvM5kMu8wWicgRbEp0/Ow60AAkojgIpTs87r5D6jgBkLIOLl0u2G9mP KpUYeFmLUKNQqazq2A2u4m/3aTEDxNPg9UUI3u8fdcd6OsDofPps4XCb5yQ41pyWyQfT atyvGyk5jxSD3PXRaPOO0zSW6DdovVQpy7I1oT+13Rkrplq3LUR+RkZVDnmdQJa7lbKD dJh4f9hUxtS4QnKnQ1IopuOhSxMKDIHxnVWsu+mIMGVQvpxnc5L6teYgJeyRHsF3uc7G 7jXRjceKc9fbRhsr7Ul/Ji/gLORWD5jZvZlxE0tkzXRbTyZN+bYJPfs/9vWOos2GfWNp AOZQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language; bh=y8yDjVTpIxtw2IjG3guoZkUAn0Gn18nqV+dkgjcTtdI=; b=s0Mnx5/P4KWak07A6+qDQXlDK8Fn7wylW4KnQegQ+8n/n+00GFfDyenuPSwlOvuJkm VLycbkfiSxKy4tSDCfwdfpylNG/JX1k2yr3Njj1RRuk+wsvDWqfq0GW2LnU0kkjGdJ/r wqwFKXbz9Qn6LPpi4haVwbChyFD5SpO6m4LDYQHX4ZPg1HxWzaejJ8Px+i1uMUrNFOSC uY37NMkw3ClRC1AVj0f/vi7vlvoa985RY0664BcOie1NRjfkjdGPViagBIDO5Y3dT5mW oP04+5Je9LJTK/ZpfuBrqsTMzMvgegPJ6qt5U5cnKgNuBHx7iDCO7JUDoUVZsxrJmEJw ksnA== X-Gm-Message-State: AA+aEWYEafQaOh3V4kmV2/T+IoCbWGhvzvB0ICuZEf3CZRVxwABE9JHD Qi7sap1rzL1aC86PuBdgzYSUL6Qo X-Google-Smtp-Source: ALg8bN55Py3CKO7ad7FWMKD9Mp5IAwK8FnL8EMIypX260aMvM8W3K3qBXyECnDv/sEcX5WuYv2VQkw== X-Received: by 2002:a7b:cb96:: with SMTP id m22mr18330106wmi.39.1545824006945; Wed, 26 Dec 2018 03:33:26 -0800 (PST) Received: from [192.168.1.10] (lfbn-nic-1-41-15.w2-15.abo.wanadoo.fr. [2.15.134.15]) by smtp.googlemail.com with ESMTPSA id i13sm24812280wrw.32.2018.12.26.03.33.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Dec 2018 03:33:26 -0800 (PST) To: James MacWhyte , Bitcoin Protocol Discussion References: <68330522-7e7c-c3b4-99a9-1c68ddb56f23@gmail.com> From: Aymeric Vitte Openpgp: preference=signencrypt Autocrypt: addr=vitteaymeric@gmail.com; prefer-encrypt=mutual; keydata= mQINBFdW8uABEAC7HJScbB2d/lmYoY5Cn9loEjJwfLs1LC3om030bWFGiH3Ceo5XeHUT94rw Pi+HaHU8ea94425SXIFsnqp/ouoT/8Ffn6vED0OoRmK0jE4fqDApXSpoL2mHX9PAGdUItMtD YrxBiBZNfMkctEsm4NrQ4TCvB3Yrm6Fc69inXJjUoYgPw5tHafEeI8Qwh0j99JZZDKcAqIra JF3MPc59rATz0qOJtRP9EpsPVFwjJe13zN6CHILwiVgrL8EtT5WKCVO6ATxh60LHi8+MwPxV V31zp/NNI5Hck+XocEMO98ZvUu9X8ZxmnOk/+9pBxXEwUqSGUNWdmPJLncpI23Usce3u/MOo M2C4T4rD4J0XrXiyBvbeTvwq4qVNlyggeWzlBH+YpEYgDctPq4gNh4eoTtAkf8URtBeke5bQ CGdaZt/jxv8nvmxs9V/iSyg5ldJLQktHStXOo0OZ7FEB2C6Ggtymm4hm2MHYg07Q1MGJrFLa oJZkJ3JeXnVsZMam7ypQtld6rRa96CvH+llXwux6aQ5hKdzmBBMQ10LlkZhkExgTawbeqdiG RMP2DjD5go6TPdAHS4NN34SBkrTWLqgWOjN/lnG77bbLnpMl0P+xBTuqw1oSXaDbcdHE2nGY lRno/ZZIfr+1Bq56DZLBX/WpnAT4f5WtofL4CxQM9SbG6byyewARAQABtCJBeW1lcmljIFZp dHRlIDxheW1lcmljQHBlZXJzbS5jb20+iQI/BBMBCAApBQJXVvLgAhsjBQkJZgGABwsJCAcD AgEGFQgCCQoLBBYCAwECHgECF4AACgkQKh17NCYnrDm3WhAAlYmgtSmtfqjBvQMqkmtqiQJA aZkzFZWt6+zroduHH5/Tp8jh73gFqCUyRrl/kcKvs2+XQhfrOwk1R6OScF25bpnrZSeuyJnZ MZu4T0P2tGS8YdddQvWUHMtI9ZnQRuYmuZT23/hgj1JnukuGvGLeY0yDUa1xFffPN39shp5X FPMcpIVOV3bs+xjAdsyfRyO3qJAD1FGiR7ggJeoaxUbKZ6NtcVUPPRMjVTKfopkuDwKY318m BE0epfxSZ/iRhsJ0/sREUWgbgq4/QvCFwBKzgz7fTikGmf8OELWSdofmXs7gOtmMc3el8fJu W8PVa/OsIQHDmwSzvxmE8ba5M8bdwOYEraTWFArIymAAtRXKxmuYpkqKfeSlbCwae3W+pgNT 8nKYRVAFlMtIxYkmPYyMTk9kCscmSqugGWbWdnqe/dhVaa31xa1qO1tDH24D2/tjCJRQt4Jk AEWNSmjCmjfeArMEFTGlZwMTAjVXErLSPbLOsZiZhD9sjvSbfzrtJiMli2h9+Dvds+AJk1PM O8LW7cCNyFoCk4OdAxzJHobZ25G+uy4NSQEHgxLC2iuh/tugz1tOHnQczPc/3AkVVI9A5DF1 gbVRBJh6rI7sAcwuR76uoOs0Rpp7r6I66xqU/5eq8g1OsJp89tw0ppSIa0YmaxNqQZ0l3rVX o/ZwpBjtNQS5Ag0EV1by4AEQANhlz3Ywff4dY1HTdn05v0wVUxZzW2PUih+96m6EhpUrD9BT vxriKtbgxm/zl+5YAlThbrk9f0QyVTHJ95Z1/M5qjuksP9Zn3qZ/8ylANDkN2s3z8Bq/LJA+ u7+APhMqyFWK0FqNCOogClvijiKPEzkU6tmDGO6wZ5pR/u8Fdq7DGQgwgyGZZc7qstte0M7l yx7bVRlPBqvd6kyX3YubQHzkctf46nFjiYZgKawdWFsA3PCdSBupbhixL5d/t1UK9ZTiQJcf 0uhHzT06qwolFrm/ugkLDHtE4Zo3BuKch47Sms8P2hJ08gABxeJHg0ZgkIUy/Xf4nHbDCBJw T8tE8pWYWA2ECiPNo0TOCMVOueEzISUNKINfCuFHSbMQU39hgt3ofxODbAjOiO3e/iu1ptck AkuVBdtjOBP4tHRGxVrbf5EuAV5U5xtiSxMwMgojg0GIXZjnT/8uvWqcLqtJILRMmmu+WNvD oxuiJzcTJhDai9oujmxQwcpMvgrBB89KSTDyitO5XVjZqaR7Zxvvn3rM4bAms/lotv9+pTyh spazTIxb80u0ifJ6y1RxAkxQCfWwps1i3VbsM6OKX78aUyOf5V4ihXF57M37tOqPRwFvz6a+ AIIhUNMTLo2H+o6Vw9qbX8SUxPHPs6YpJ8lWQJ9OMWHE+SbaDFAi/D5hYRubABEBAAGJAiUE GAEIAA8FAldW8uACGwwFCQlmAYAACgkQKh17NCYnrDmk4Q/9Fuu0h5HvIiO3ieYA2StdE7hO vv2THuesjJDsj6aQUTgknaxKptJogNe3dDyIT+FHxXmCw0Nrbm9Q3ryl80z/G9utfFNO3Gwc q31QW3n3LJHnpqdrV3WsRzT5NwJMVtiIAGRrX8ZomtarWHT0PeEHC2xBdFzRrJtmkrwer0Wc 0nBzD7vk1XEXC9nODbmlgsesoHFgRwQBst3wClCbX1gv8aSfxQNpaf9UBC8DmyrQ621UXpBo PvcFEtWxV44vJfP0WOLCCN0Pzv2F2I66iKo7VMqbr5jlNAXJN9I1hXb7qwYJmBC9j5oeEoqv A9d44WWpxrdAr8qih4Nv89k9+9F6NoqORY3FGuVDKiW8CVhCmGT7bIvNeyicVBZFipXqPcKL VFduO2c5Ubc2npMWLUF1k9JJc9tH75l3+F/0RbYVTzGAZ+zSaudwR6h8YiCN2DBZGZkJEZbh 3X/l6jtijMN/W9sPHyyKvm/TmeEC27S3TqZPZ8PUQLxZC70V6gMbenh01JdSQsn5t8Ru0RNh Blt0g7IyZyIKCE9b+TyzbYpX6qgqEBUHia5b0vyPtQacWQlZ8uqnghAqNkLluEsy7Q/7xG6M wXUYEDsFOmB9dKOzcAOIhpxlVjSKu5mzXJ11sEtE8nyF5NJ/riCA7FGcjlki3zIpzQUNo9v7 vXl2h6Tivlk= Message-ID: <743fb106-977e-1f34-47af-9fb3b8621e72@gmail.com> Date: Wed, 26 Dec 2018 12:33:27 +0100 User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:60.0) Gecko/20100101 Thunderbird/60.3.3 MIME-Version: 1.0 In-Reply-To: Content-Type: multipart/alternative; boundary="------------B2D074D0D71ED954EAC38DC9" Content-Language: fr X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE, RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org X-Mailman-Approved-At: Thu, 27 Dec 2018 14:59:24 +0000 Subject: Re: [bitcoin-dev] BIP39 seeds X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Dec 2018 11:33:30 -0000 This is a multi-part message in MIME format. --------------B2D074D0D71ED954EAC38DC9 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Another drawback I think is that people are not using it as seeds, they just go to a wallet sw which proposes a new seed, write it somewhere, do something with the wallet and forget about it, go to another one, create another wallet, etc Apparently it is not very well known even here that the probabilities are very high to get a valid BIP39 seed even with 24 words, so, even with a tool like yours, they can be misleaded, for example trying a few words to replace the missing/incorrect one, get a valid seed and stay stuck with it forever trying to play with BIP44/49 to find their keys Probably what I am suggesting is not new (and therefore maybe not a good suggestion): given a secret seed (a book, a document, a link, etc) and a derivation path (an algo with secret parameter(s) to derive/order the words and select the valid bip39 sequences), you get your BIP39 seeds and don't have to write them Of course we don't have to use necessarilly BIP39 for this but this is what we have everywhere and this is what is compatible with it, then you could use the same or a fake written "not very well hidden" BIP39 seed to plausibly deny your real wallet Le 25/12/2018 à 01:30, James MacWhyte a écrit : > > > On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev > > wrote: > > > I don't see very well why it's easier to write n words that you > cannot choose rather than a 32B BIP32 hex seed, and I have seen > many people completely lost with their wallets because of this > > > In practice it has quite a few qualities that make it a bit more > resilient for physical (written) storage. > > If a few letters of a word get rubbed off or otherwise become > illegible, it is pretty easy for a native speaker to figure out what > the word is supposed to be. Even a non-native speaker could look > through the word list and figure out which word fits. Missing > characters in a hex string require more advanced brute force > searching, which the average user isn't capable of. > > Additionally, having the bits grouped into words makes a more serious > recovery easier. If you lose one entire word, it can be brute forced > in about 5 minutes on a normal pc, even if you don't know which > position the missing word is in (I have published a tool that does > just this: https://jmacwhyte.github.io/recovery-phrase-recovery). If > you are missing two words, you can brute force it in about a week > (napkin math). > > If you were missing a random chunk of a hex string, I don't know how > you'd go about brute forcing that in a timely manner. > > As an aside, from a UX standpoint we've seen that the 12 words don't > *look* important so people don't take them seriously (and they get > lost). A hex string or equivalent would look more password-y, and > therefore would most likely be better protected by users. > > James --------------B2D074D0D71ED954EAC38DC9 Content-Type: text/html; charset=utf-8 Content-Transfer-Encoding: 8bit

Another drawback I think is that people are not using it as seeds, they just go to a wallet sw which proposes a new seed, write it somewhere, do something with the wallet and forget about it, go to another one, create another wallet, etc

Apparently it is not very well known even here that the probabilities are very high to get a valid BIP39 seed even with 24 words, so, even with a tool like yours, they can be misleaded, for example trying a few words to replace the missing/incorrect one, get a valid seed and stay stuck with it forever trying to play with BIP44/49 to find their keys

Probably what I am suggesting is not new (and therefore maybe not a good suggestion): given a secret seed (a book, a document, a link, etc) and a derivation path (an algo with secret parameter(s) to derive/order the words and select the valid bip39 sequences), you get your BIP39 seeds and don't have to write them

Of course we don't have to use necessarilly BIP39 for this but this is what we have everywhere and this is what is compatible with it, then you could use the same or a fake written "not very well hidden" BIP39 seed to plausibly deny your real wallet

Le 25/12/2018 à 01:30, James MacWhyte a écrit :


On Mon, Dec 24, 2018 at 2:48 PM Aymeric Vitte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

I don't see very well why it's easier to write n words that you cannot choose rather than a 32B BIP32 hex seed, and I have seen many people completely lost with their wallets because of this

In practice it has quite a few qualities that make it a bit more resilient for physical (written) storage.

If a few letters of a word get rubbed off or otherwise become illegible, it is pretty easy for a native speaker to figure out what the word is supposed to be. Even a non-native speaker could look through the word list and figure out which word fits. Missing characters in a hex string require more advanced brute force searching, which the average user isn't capable of.

Additionally, having the bits grouped into words makes a more serious recovery easier. If you lose one entire word, it can be brute forced in about 5 minutes on a normal pc, even if you don't know which position the missing word is in (I have published a tool that does just this: https://jmacwhyte.github.io/recovery-phrase-recovery). If you are missing two words, you can brute force it in about a week (napkin math).

If you were missing a random chunk of a hex string, I don't know how you'd go about brute forcing that in a timely manner.

As an aside, from a UX standpoint we've seen that the 12 words don't *look* important so people don't take them seriously (and they get lost). A hex string or equivalent would look more password-y, and therefore would most likely be better protected by users.

James

  


--------------B2D074D0D71ED954EAC38DC9--