From: Steven Hatzakis <shatzakis@gmail.com>
Date: Tue, 4 Dec 2018 23:39:17 +0200
Message-ID: <CABsxsG3HF1r0fTpnAY5Efw8AF6wxGtNfK0H3eAGhN-Wu2qhzpw@mail.gmail.com>
To: mike@sendwyre.com
Cc: bitcoin-dev@lists.linuxfoundation.org
Subject: Re: [bitcoin-dev] Proposal for Palindromic (Reversible) Mnemonics

Hi Michael, thanks for the feedback.
To answer your question, the motivation was partly that some applications
do not accept passphrases, making mnemonics less versatile in those cases
in terms of vault separation when logging in to those services, although I
agree in that specific context reversible mnemonics don't add further
security (like a passphrase can) but it shouldn't lessen security either
(in terms of entropy and bit-security).

Of course, if someone finds a plaintext recovery phrase (i.e. a hacker) then
there is no security to prevent the funds being moved out whether it is
reversible or not (unless again a passphrase was present, and even that can
be brute forced, so protecting the words is key) unless it represented some
multi-sig key or was a Shamir secret share (such as is being proposed under
SLIP0039 by Satoshi Labs, and Ian Coleman hosts a prototype).

I think comparable to vanity addresses, reversible mnemonics could be part
novelty, but I do think there is also an actual utility. I am not
suggesting they are used 100% of the time, rather a user could choose to
generate one manually or check if their existing one is already reversible.
Those options could be provided at the software level and then it would be
up to the user to choose. Bottom line, I think that users who have smaller
amounts in hot wallets could find it useful to have reversible mnemonics
for switching from one service to another without having to access yet
another mnemonic. Whereas, for those creating them offline (cold storage)
it could provide an additional vault and additional passphrase options.
Here's an example:

Vault #1 normal mnemonic
Vault #2 normal mnemonic w/passphrase
Vault #3 reversed mnemonic
Vault #4 reversed mnemonic w/passphrase


Best regards,

Steven Hatzakis


On Tue, Dec 4, 2018 at 4:16 PM Michael Dunworth <mike@sendwyre.com> wrote:

> Cool idea, and appreciate the explainer surrounding it!
>
> What are the motivators to have it? Simplifying the recovery process
> (easier to remember?) - Would love to know more from that if you're happy
> to share! That'd help gauge the security considerations.
>
> Security thoughts:
> - Probability of guessing is one thing, probability of getting access to a
> keyword/phrase is another thing. So if the recovery/accessibility becomes a
> motivator, that then can broaden the attack vectors pretty significantly.
> Which would result in a significant decrease in the security (IMO?).
> - Broadcasting the use of reversible mnemonics would become an attack
> vector potentially. Now any members of the security team or members within
> close proximity could learn that reversible phrases are used, and
> insulating this information from becoming public knowledge would become
> its own security consideration. If it's already a 6.25% (1/16) chance
> they're reversible, I wouldn't want it publicly known that it's a 100%
> chance.
> - Feels like it could be useful in terms of a "duress password" although
> that might be implemented similarly to what Joseph mentioned where you
> would route the reverse phrase to somewhere other than the core assets.
>
> May be misunderstanding or have bad maths this early in the morning, but I
> think I'd be nervous to implement something like this without a pretty
> clear upside. Seems like it only adds additional risk?
>
> Thank you.
>
> Kind regards,
>
> Michael.
>
> On Tue, Dec 4, 2018 at 5:11 AM Steven Hatzakis via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Thanks, James and Joseph, for the feedback,
>> It has been a fun experiment!
>>
>> I just want to note that the plausible deniability was not the motive but
>> just an example use-case, there are perhaps other use-cases that would be
>> on the user to decide. I think having a mnemonic that is also reversible
>> could be useful for other reasons - convenience related perhaps.
>> *Re security:* I am still not convinced entirely that security is
>> reduced at all because one still has to search through all entropy in the
>> range of 2^128 to see whether any of those are reversible (unless there is
>> a way to only search the field of 2^124 that are reversible, which I don't
>> think is possible because the hash-derived checksum cannot be determined
>> before hashing, only afterward). Therefore, security should still be 2^128
>> for a 12-word mnemonic whether it is reversible or not (as one in every 16
>> people that already have one (12-word) is reversible, they just might not
>> realize it, so we can't say those are less secure).
>>
>> Best regards,
>>
>> On Tue, Dec 4, 2018 at 2:16 PM James MacWhyte <macwhyte@gmail.com> wrote:
>>
>>> I agree with Joseph. If you want plausible deniability, it would be
>>> better to simply hide the funds somewhere in the HD chain. Same if you want
>>> a second vault tied to the same phrase.
>>>
>>> You are reducing security by eliminating all entropy that doesn't fit
>>> the reversible criteria, although in practice it doesn't make a difference
>>> because the numbers are so big. However, it doesn't seem like a very useful
>>> feature to have.
>>>
>>> Thanks for doing all that work though, it was fun to read about your
>>> idea and what you found out through experimenting!
>>>
>>> James
>>>
>>>
>>> On Mon, Dec 3, 2018 at 1:00 PM Joseph Gleason ⑈ via bitcoin-dev <
>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>
>>>> I have a suggestion.  If you are concerned about plausible deniability,
>>>> then it might make sense to just have the single mnemonic seed lead to a
>>>> single xprv key (as usual) and then do a private key derivation from that
>>>> based on a password string.  The password can be simple, as it is based on
>>>> the security of the seed, just as long as the user feels they need for
>>>> deniability.
>>>>
>>>> A simple reverse scheme like you describe would just be another thing a
>>>> person would know to check if given some seed so I don't see it as
>>>> providing much value, but I could be missing something.
>>>>
>>>> On Mon, Dec 3, 2018 at 10:45 AM Steven Hatzakis via bitcoin-dev <
>>>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> I've developed a method to check if a mnemonic is also valid when the
>>>>> words are put into reverse order (not the entropy), where a given 12 or
>>>>> 24-word mnemonic could be valid both in little endian and big endian
>>>>> format. I've coined these "Palindromic Mnemonics", but perhaps more
>>>>> user-friendly is "reversible mnemonics."
>>>>>
>>>>> Purpose:
>>>>> A checksum-valid reversible mnemonic allows two separate vaults to be
>>>>> connected to the same mnemonic string of words, where all a user must do
>>>>> is enter the words in reverse order (the last word becomes first, second to
>>>>> last becomes second, and so on) to access the secondary (reversed words)
>>>>> vault. This utility could provide multiple use-cases, including related to
>>>>> combinations with passphrases and plausible deniability, as well as
>>>>> conveniences for those wishing to use a separate vault tied to the same
>>>>> string of words.
>>>>>
>>>>> Security:
>>>>> For any randomly generated 12-word mnemonic (128-bits of security) the
>>>>> chances of it also being reversible are 1/16 (I believe), as a total of 4
>>>>> bit positions must be identical (4 bits from the normal mnemonic and
>>>>> another 4 bits from the reversed string must match). For a 24-word
>>>>> mnemonic, those values increase to 8 bits which need to match 8 bits from
>>>>> the reversed string, leading to about 1 in every 256 mnemonics also being
>>>>> reversible. While the message space of valid reversible mnemonics should be
>>>>> 2^124 for 12 words, that search must still be conducted over a field
>>>>> of 2^128, as the hash-derived checksum values otherwise prevent a way
>>>>> to deterministically find valid reversible mnemonics without first going
>>>>> through invalid reversible ones to check. I think others should chime in on
>>>>> whether they believe there is any security loss, in terms of entropy bits
>>>>> (assuming the initial 128 bits were generated securely). I estimate at most
>>>>> it would be 4-bits of loss for a 12-word mnemonic, but only if an attacker
>>>>> had a way to search only the space of valid reversible mnemonics (2**124)
>>>>> which I don't think is feasible (could be wrong?). There could also be
>>>>> errors in my above assumptions, this is a work in progress and sharing it
>>>>> here to solicit initial feedback/interest.
>>>>>
>>>>> I've already written the code that can be used for testing (on GitHub
>>>>> user @hatgit), and when run from terminal/command prompt it is pretty fast
>>>>> to find a valid reversible mnemonic, whereas on IDLE in Python on a 32-bit
>>>>> and 64-bit machine it could take a few seconds for 12 words and sometimes
>>>>> 10 minutes to find a valid 24-word reversible mnemonic.
>>>>> Example 12 words reversible (with valid checksum each way):
>>>>>
>>>>> limit exact seven clarify utility road image fresh leg cabbage hint
>>>>> canoe
>>>>>
>>>>> And Reversed:
>>>>>
>>>>> canoe hint cabbage leg fresh image road utility clarify seven exact
>>>>> limit
>>>>>
>>>>>
>>>>> Example 24 reversible:
>>>>>
>>>>> favorite uncover sugar wealth army shift goose fury market toe message
>>>>> remain direct arrow duck afraid enroll salt knife school duck sunny grunt
>>>>> argue
>>>>>
>>>>> And reversed:
>>>>>
>>>>> argue grunt sunny duck school knife salt enroll afraid duck arrow
>>>>> direct remain message toe market fury goose shift army wealth sugar uncover
>>>>> favorite
>>>>>
>>>>>
>>>>> My two questions 1) are how useful could this be for
>>>>> you/users/devs/service providers etc.. and 2) is any security loss
>>>>> occurring and whether it is negligible or not?
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Steven Hatzakis
>>>>> _______________________________________________
>>>>> bitcoin-dev mailing list
>>>>> bitcoin-dev@lists.linuxfoundation.org
>>>>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>>>>
>>
>
>
> --
> Michael Dunworth
> Co-Founder, CEO
>
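
As an added example (not code from this thread or from the @hatgit repository Steven mentions), the check the original post describes, written against BIP39's actual layout: each word is an 11-bit index, the last ENT/32 bits are the first bits of SHA256(entropy), and a mnemonic is "reversible" when the reversed index sequence also passes that check. The BIP39 English wordlist is not embedded, so the check operates on word indices and `words_to_indices` assumes you supply the 2048-word list yourself; `reversible_fraction` is a seeded Monte Carlo estimate of the 1/16 and 1/256 rates quoted above.

```python
import hashlib
import random
from typing import List, Tuple

WORD_BITS = 11  # each BIP39 word encodes an 11-bit index into a 2048-word list


def bip39_layout(word_count: int) -> Tuple[int, int]:
    """Return (entropy_bits, checksum_bits) for a word_count-word mnemonic.

    BIP39: ENT + CS = 11 * words and CS = ENT / 32, so CS = (11 * words) / 33.
    12 words -> (128, 4); 24 words -> (256, 8).
    """
    total = word_count * WORD_BITS
    if total % 33:
        raise ValueError("unsupported word count: %d" % word_count)
    cs = total // 33
    return total - cs, cs


def checksum_bits(entropy: bytes, cs_bits: int) -> int:
    """First cs_bits bits of SHA256(entropy) as an integer (cs_bits <= 8)."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)


def indices_from_entropy(entropy: bytes) -> List[int]:
    """Encode entropy || checksum as the list of 11-bit word indices."""
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    words = (ent_bits + cs_bits) // WORD_BITS
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum_bits(entropy, cs_bits)
    return [(value >> (WORD_BITS * (words - 1 - i))) & 0x7FF for i in range(words)]


def checksum_valid(indices: List[int]) -> bool:
    """True if the trailing checksum bits match SHA256 of the leading entropy bits."""
    ent_bits, cs_bits = bip39_layout(len(indices))
    value = 0
    for idx in indices:
        value = (value << WORD_BITS) | idx
    entropy = (value >> cs_bits).to_bytes(ent_bits // 8, "big")
    return (value & ((1 << cs_bits) - 1)) == checksum_bits(entropy, cs_bits)


def is_reversible(indices: List[int]) -> bool:
    """The thread's 'palindromic' property: checksum-valid in both word orders."""
    return checksum_valid(indices) and checksum_valid(list(reversed(indices)))


def words_to_indices(words: List[str], wordlist: List[str]) -> List[int]:
    """Map words to indices using a caller-supplied 2048-word BIP39 list (assumed input)."""
    lookup = {w: i for i, w in enumerate(wordlist)}
    return [lookup[w] for w in words]


def reversible_fraction(word_count: int, trials: int, seed: int = 1) -> float:
    """Seeded Monte Carlo estimate of P(a random mnemonic is also reversible).

    The reversed string's checksum is a fresh SHA256 prefix, so the rate is
    about 2**-CS: ~1/16 for 12 words, ~1/256 for 24 words.
    """
    rng = random.Random(seed)
    ent_bits, _ = bip39_layout(word_count)
    hits = 0
    for _ in range(trials):
        entropy = rng.getrandbits(ent_bits).to_bytes(ent_bits // 8, "big")
        if is_reversible(indices_from_entropy(entropy)):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("12-word reversible rate ~", reversible_fraction(12, 4096))
    print("24-word reversible rate ~", reversible_fraction(24, 16384))
```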

om:16px;margin-top:0px"><span style=3D"color:rgb(36,41,46);font-family:-app=
le-system,system-ui,&quot;Segoe UI&quot;,Helvetica,Arial,sans-serif,&quot;A=
pple Color Emoji&quot;,&quot;Segoe UI Emoji&quot;,&quot;Segoe UI Symbol&quo=
t;;font-size:14px">My two questions 1) are how useful could this be for you=
/users/devs/service providers etc.. and 2) is any security loss occurring a=
nd whether it is negligible or not?</span><br></p><p style=3D"box-sizing:bo=
rder-box;margin-bottom:16px;margin-top:0px"><span style=3D"font-family:aria=
l,helvetica,sans-serif;font-size:12.8px">Best regards,</span></p></div><div=
><div dir=3D"ltr" class=3D"m_-7850699981944382144m_4581092532363781964m_666=
8330300381286486m_-575678971359378551m_6711322012586516752gmail_signature">=
<div dir=3D"ltr"><div dir=3D"ltr"><div style=3D"font-size:12.8px;font-famil=
y:arial,helvetica,sans-serif"><span><br>Steven</span>=C2=A0<span>Hatzakis</=
span>=C2=A0</div><div style=3D"font-size:12.8px;font-family:arial,helvetica=
,sans-serif"><span class=3D"gmail_default" style=3D"font-family:arial,helve=
tica,sans-serif"> </span></div></div></div></div></div></div></div></div></=
div>
_______________________________________________<br>
bitcoin-dev mailing list<br>
<a href=3D"mailto:bitcoin-dev@lists.linuxfoundation.org" target=3D"_blank">=
bitcoin-dev@lists.linuxfoundation.org</a><br>
<a href=3D"https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev" =
rel=3D"noreferrer" target=3D"_blank">https://lists.linuxfoundation.org/mail=
man/listinfo/bitcoin-dev</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Michael Dunworth</div><div>Co-Founder, CEO</div><div><br><img src="http://www.sendwyre.com/img/logo.png" width="96" height="31"><br></div><div><br></div><div>We're now Wyre, Inc! <a href="https://medium.com/@wyre/wyre-raises-5-8m-series-a-10e90718009b" target="_blank">Read about the rebrand here</a>.</div><div><br></div><div>Wyre uses blockchain technology to help make your bank transfers faster than email.</div></div></div></div></div>
</blockquote></div></div>
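<p>The checksum arithmetic behind the numbers quoted in the thread (4 checksum bits for 12 words, 8 for 24, so a randomly generated mnemonic also validates in reversed word order roughly 1 time in 16 or 1 in 256), as an added Python example that is not part of this thread and not the @hatgit code. It works on BIP39 word indices rather than words because the 2048-entry English wordlist is not embedded here; reversing the index list is the same operation as reversing the word list, so the checksum test is identical. The seeded PRNG and the sample counts are assumptions made only so the run is repeatable; they say nothing about how a wallet should draw its entropy, which must come from a CSPRNG.</p>

```python
"""Reversible BIP39 checksum check over word indices (added example)."""
import hashlib
import random

# The BIP39 English wordlist has 2048 entries, so each word carries 11 bits.
# The list is not embedded: a mnemonic is represented by its word indices.
INDEX_BITS = 11
INDEX_MASK = (1 << INDEX_BITS) - 1


def entropy_to_indices(entropy: bytes) -> list:
    """Turn ENT bits of entropy into BIP39 word indices.

    BIP39 appends CS = ENT/32 checksum bits (the leading bits of
    SHA256(entropy)) so that ENT + CS is a multiple of 11.
    """
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in steps of 32")
    cs = ent // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs)
    bits = (int.from_bytes(entropy, "big") << cs) | checksum
    nwords = (ent + cs) // INDEX_BITS
    return [(bits >> (INDEX_BITS * (nwords - 1 - i))) & INDEX_MASK
            for i in range(nwords)]


def indices_are_valid(indices) -> bool:
    """True if the index sequence carries a correct BIP39 checksum."""
    indices = list(indices)
    total = len(indices) * INDEX_BITS
    if total % 33 or not 132 <= total <= 264:
        return False                      # only 12/15/18/21/24 words exist
    if any(not 0 <= i <= INDEX_MASK for i in indices):
        return False
    cs = total // 33                      # ENT + ENT/32 == 33 * CS
    ent = total - cs
    bits = 0
    for idx in indices:
        bits = (bits << INDEX_BITS) | idx
    entropy = (bits >> cs).to_bytes(ent // 8, "big")
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs)
    return (bits & ((1 << cs) - 1)) == expected


def is_reversible(indices) -> bool:
    """Valid checksum both in the given order and in reversed word order."""
    indices = list(indices)
    return indices_are_valid(indices) and indices_are_valid(indices[::-1])


def reversible_fraction(ent_bits: int, samples: int, seed: int = 1) -> float:
    """Empirically estimate the share of random mnemonics that are reversible.

    The thread's estimate is 1/16 for 12 words and 1/256 for 24 words. The
    seeded PRNG (an assumption for repeatability) is NOT suitable for wallets.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        entropy = rng.getrandbits(ent_bits).to_bytes(ent_bits // 8, "big")
        if is_reversible(entropy_to_indices(entropy)):
            hits += 1
    return hits / samples


def find_reversible(ent_bits: int, seed: int = 1):
    """Rejection-sample entropy until the reversed order also validates.

    This mirrors the search described in the thread: candidates come from the
    full 2^ENT space and only the ~1/2^CS that pass the reversed check are
    kept, since the hash-derived checksum gives no shortcut to enumerate them.
    Returns (indices, number_of_tries).
    """
    rng = random.Random(seed)
    tries = 0
    while True:
        tries += 1
        entropy = rng.getrandbits(ent_bits).to_bytes(ent_bits // 8, "big")
        indices = entropy_to_indices(entropy)
        if indices_are_valid(indices[::-1]):
            return indices, tries


if __name__ == "__main__":
    idx, tries = find_reversible(128)
    print("12-word reversible indices after", tries, "tries:", idx)
    print("fraction reversible, 12 words:", reversible_fraction(128, 20000))
    print("fraction reversible, 24 words:", reversible_fraction(256, 50000))
```

The forward checksum is always valid by construction, so `find_reversible` only has to test the reversed order; the observed try counts cluster around 16 and 256, which is the point the thread makes about the 4 and 8 matching checksum bits.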

--000000000000c09b1f057c39193c--