From: Erik Aronesty <erik@q32.com>
Date: Mon, 11 Jul 2022 09:18:14 -0400
Message-ID: <CAJowKgLRMyXQ27-m9-ud9F8Qu=6dkcfJHjoxLJh4LKyU8Nf9pw@mail.gmail.com>
To: Anton Shevchenko <anton@sancoder.com>, 
 Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] No Order Mnemonic

Sorry, I totally forgot the checksum.

You can take my ops-per-second and multiply it by about 16 (because of the
4 check bits), making a delete + two swaps or 4 swaps, etc. still pretty
reasonable.



On Mon, Jul 11, 2022 at 9:11 AM Erik Aronesty <erik@q32.com> wrote:

> 1. You can swap two positions, and then your recovery algorithm can
> brute-force the result by trying all 132 possible swaps.
> 2. You can make a single deletion and only have to brute 2048
> 3. You can keep doing these, being aware that it becomes geometrically
> more difficult each time (deletion + swap = 270k ops)
> 4. A home PC can make 20k secp256k1 operations per second per core, so try
> to keep your number under a few million ops and it's still a decent UX
> (under a minute)
>
>
> On Sat, Jul 9, 2022 at 8:01 PM Anton Shevchenko via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> I would say removing ordering from 12-word seed reduces 25 bits of
>> entropy, not 29. Additional 4 bits come from checksum (12 words encode 132
>> bits, not 128).
>>
>> My idea [for developing this project] was to feed its output to some kind
>> of AI story generator (GPT-3 based?) so a user can remember a story, not
>> ordered words. But as others pointed out, having 12 words without order is
>> probably good enough. So at this point there's not much sense in using the
>> proposed encoding. Unless a remembered story has holes/errors. In this
>> case recovering a few words would be easier with unordered encoding. Any
>> thoughts?
>>
>> --  Anton Shevchenko
>>
>>
>> On Sat, Jul 9, 2022, at 1:31 PM, Zac Greenwood via bitcoin-dev wrote:
>>
>> Sorting a seed alphabetically reduces entropy by ~29 bits.
>>
>> A 12-word seed has (12, 12) permutations or 479 million, which is
>> ln(469m) / ln(2) ~= 29 bits of entropy. Sorting removes this entropy
>> entirely, reducing the seed entropy from 128 to 99 bits.
>>
>> Zac
>>
>>
>> On Fri, 8 Jul 2022 at 16:09, James MacWhyte via bitcoin-dev <
>> bitcoin-dev@lists.linuxfoundation.org> wrote:
>>
>>
>> What do you do if the "first" word (of 12), happens to be the last word
>> in the list alphabetically?
>>
>>
>> That couldn't happen. If one word is the very last from the wordlist, it
>> would end up at the end of your mnemonic once you rearrange your 12 words
>> alphabetically.
>>
>> However!
>>
>> (@vjudeu) Choosing 11 random words and then sorting them alphabetically
>> before assigning a checksum would reduce entropy considerably. If you think
>> about it, to bruteforce the entire keyspace one would only need to come up
>> with every possible combination of 11 words + 1 checksum. I'm not the best
>> at napkin math, but I think that leaves you with around 10 trillion
>> combinations, which would only take a couple months to exhaust with
>> hardware that can do 1 million guesses per second.
>>
>>
>> James
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
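
The checksum point from the reply above, as an added example that is not part of the original thread: it enumerates single-swap and single-deletion repairs of a 12-word mnemonic and uses the 4 BIP39 check bits as a cheap filter, so only about 1 in 16 candidates would need an expensive key derivation. Assumptions: words are represented by their 11-bit wordlist indices (no wordlist is embedded), the sample entropy is constructed, and the key-derivation step itself is not run.

```python
import hashlib
from itertools import combinations

WORDS, BITS = 12, 11  # 12 words x 11 bits = 128 entropy bits + 4 check bits

def encode(entropy: bytes) -> tuple:
    """16 bytes of entropy -> 12 wordlist indices in the BIP39 bit layout."""
    check = hashlib.sha256(entropy).digest()[0] >> 4
    bits = (int.from_bytes(entropy, "big") << 4) | check
    return tuple((bits >> (BITS * (WORDS - 1 - k))) & 0x7FF for k in range(WORDS))

def checksum_ok(indices) -> bool:
    """Cheap test: do the last 4 bits equal the top 4 bits of SHA-256(entropy)?"""
    bits = 0
    for i in indices:
        bits = (bits << BITS) | i
    entropy = (bits >> 4).to_bytes(16, "big")
    return (bits & 0xF) == hashlib.sha256(entropy).digest()[0] >> 4

def single_swaps(indices):
    """Every ordering one swap away: 66 unordered pairs (132 counted as ordered)."""
    for a, b in combinations(range(WORDS), 2):
        c = list(indices)
        c[a], c[b] = c[b], c[a]
        yield tuple(c)

def single_insertions(known11):
    """One word lost at an unknown position: 12 x 2048 candidates."""
    for pos in range(WORDS):
        for w in range(1 << BITS):
            yield tuple(known11[:pos]) + (w,) + tuple(known11[pos:])

def prefilter(candidates):
    """Return (number tried, set of candidates that pass the checksum)."""
    total, keep = 0, set()
    for c in candidates:
        total += 1
        if checksum_ok(c):
            keep.add(c)
    return total, keep

# Constructed sample: fixed entropy, not a real wallet seed.
ORIGINAL = encode(bytes(range(16)))
swapped = list(ORIGINAL)
swapped[2], swapped[9] = swapped[9], swapped[2]   # two positions exchanged
missing = ORIGINAL[:5] + ORIGINAL[6:]             # sixth word forgotten

if __name__ == "__main__":
    for name, cands in (("swap", single_swaps(swapped)),
                        ("deletion", single_insertions(missing))):
        total, keep = prefilter(cands)
        print(f"{name}: tried {total}, {len(keep)} pass, original kept: {ORIGINAL in keep}")
```

Only the candidates returned by `prefilter` need the slow step of deriving keys and comparing against a known address.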
