Return-Path: <vitteaymeric@gmail.com>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 88FC0414
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue,  1 Jan 2019 19:45:18 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-ed1-f50.google.com (mail-ed1-f50.google.com
	[209.85.208.50])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 40054710
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue,  1 Jan 2019 19:45:17 +0000 (UTC)
Received: by mail-ed1-f50.google.com with SMTP id g22so24634876edr.7
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Tue, 01 Jan 2019 11:45:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
	h=subject:to:references:from:message-id:date:user-agent:mime-version
	:in-reply-to; bh=zoMYLSRJyXKJt+rMaFSKmzQeJIxaeA7kpoNemB77qzE=;
	b=AApfOEZmI+pv1BNItHFyxCcXhTYApUqL2xQMOsQXBtjQdSpvUgy0pjaprWS5zUkCE6
	S6HoOw4MxumfrmIRhbF3G6ns0b4NQE1lQqlqs85tySL6Qedz9mo5U36BPEIDkvRObBi0
	1unV0zCBDzrZZjg9u8JNvhYNTeJcp7sZ30GMtS16WDkkrue9twc/QsLyw6WO/FeahUGJ
	KYs2oVd4pyjBCjwxNqS5jx7d0HxxCVCgccjkOJ2kT31TvMTD/hjRMViQEqXHkT2uKMLY
	U8oa11ahi3DTYAlcNAn92/xSx2efYQQZ2WT4xmdbdlJPzCWoP4yUL5RDdYZC84eFRH1N
	0C6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:subject:to:references:from:message-id:date
	:user-agent:mime-version:in-reply-to;
	bh=zoMYLSRJyXKJt+rMaFSKmzQeJIxaeA7kpoNemB77qzE=;
	b=UZS1sVuESibMCJU0MSWWQaFCDo9pTVnB911EOra/u7ckwSm5f5OicTDZZrEExROPbU
	Pd0kmEv4Lshlt5qV5ZGwOJaEBRa5Q5eLoUe6rO6i1SuMEunPM9vBPyl8sLjrzW0FIg2d
	45XHpR52VpxsHk8954uhB0MO4BifvCrmfWY1+4B93xLiLuRx/VTJl1p8aRMlF/Z7clyo
	Qf8Z3WP+/KasQsrLrvaURRTXkjSQVkLsn91AUGVF7K7OY3mRV24pKUQ7Lu0KqokUcUKs
	T/In6hY+PnOSWaSaAgcQGf9ihWd2OzVViDq4aKcXXa78B0z9mWI7lYYXYe0F4dWa0hhr
	27IA==
X-Gm-Message-State: AA+aEWa4fpZ4U/clerK3rdXPi+5ttNQ/u1hVmONxiWbA3sMbviJkfJ9p
	8chgjTgQBHhAMMyFcznrrn8Z24ux
X-Google-Smtp-Source: AFSGD/XB7NGNXAGulRcztSNQP3aGrKyQUyumS71UyKynJRW/GJoM+Ruk8Kj+FRvufmlR8/fRZwdRZQ==
X-Received: by 2002:a50:84a9:: with SMTP id 38mr36524899edq.185.1546371915312; 
	Tue, 01 Jan 2019 11:45:15 -0800 (PST)
Received: from [192.168.43.146] ([92.184.100.219])
	by smtp.googlemail.com with ESMTPSA id
	z40sm20346851edz.86.2019.01.01.11.45.13
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 01 Jan 2019 11:45:14 -0800 (PST)
To: Alan Evans <thealanevans@gmail.com>,
	Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
References: <68330522-7e7c-c3b4-99a9-1c68ddb56f23@gmail.com>
	<f2d73a92-e1c5-9072-e255-fa012a9f9d1b@satoshilabs.com>
	<db184306-7ec0-322e-5637-7889b51f50bf@gmail.com>
	<CAH+Axy6dKDOkE6cQYZUusTUxxOSwWchOWxYh6ZkhnOgXuELaYg@mail.gmail.com>
	<743fb106-977e-1f34-47af-9fb3b8621e72@gmail.com>
	<CAH+Axy7v=26P8=CJPUqymKOcromGz+zYZ2cb2KaASgXNPpE2tQ@mail.gmail.com>
	<c91cd61b-3ec5-6c7a-c7e3-7ceb48539625@gmail.com>
	<CALPhJawf98+uqZXQRGH3Tjo1CnZJfE+CMw9J2ZqiHHmwDSdugQ@mail.gmail.com>
From: Aymeric Vitte <vitteaymeric@gmail.com>
Message-ID: <3ea2e92d-5be6-3331-5d6f-9c29d87e0546@gmail.com>
Date: Tue, 1 Jan 2019 20:44:57 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:45.0) Gecko/20100101
	Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CALPhJawf98+uqZXQRGH3Tjo1CnZJfE+CMw9J2ZqiHHmwDSdugQ@mail.gmail.com>
Content-Type: multipart/alternative;
	boundary="------------490158B149B2677DD3C55218"
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, FREEMAIL_FROM, HTML_MESSAGE,
	RCVD_IN_DNSWL_NONE autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
X-Mailman-Approved-At: Wed, 02 Jan 2019 03:39:35 +0000
Subject: Re: [bitcoin-dev] BIP39 seeds
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jan 2019 19:45:18 -0000

This is a multi-part message in MIME format.
--------------490158B149B2677DD3C55218
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit

You are simplifying too much what I am suggesting

What I am suggesting is: set a derivation method for BIP39 like for 
BIP32 (having the seed for BIP32 and not the derivation path is just 
like having nothing) and use this derivation method from a "book" (a 
"book" being a book, a document, a link, an image, whatever your secret 
can be), based on the fact that you will easily find from this 
derivation method "valid" BIP39 seeds (even if BIP39 does not enforce 
anything regarding valid phrases, everything can be valid as you 
mention, and this does not help in fact)

The derivation method will just define the way you select the words in 
the secret, and if everybody chooses the bible as the secret then this 
will not change the fact that it will be impossible to find the real 
seed without knowing the derivation path

Then you don't need to write the seed, you can easily plausibly deny it, 
you can easily pass it to the family (using a passphrase does not say to 
them where they are supposed to use it)

"people lost" --> people think that there is some magic with BIP39 that 
will save them whatever they do (i.e. they don't even care about managing 
correctly the many easy-to-generate BIP39 seeds they are using) where 
they will always recover their seed and keys from BIP39/44/49, of course 
this does not work at all


Le 31/12/2018 à 17:52, Alan Evans a écrit :
> > Using some algorithm to take some input and generate a bip39 phrase 
> that you can use with any bip39 wallet sounds perfectly reasonable.
>
> I think any method that doesn't use real entropy, but some fake source 
> of randomness, such as a book is asking to be hacked and so is not a 
> reasonable idea.
>
> If an algorithm for book text to BIP39 sentence ever became well used, 
> common books will be systematically searched for accounts. People will 
> also choose their favourite passages, so I would expect to see collisions.
>
> You should also note that BIP39 does not need input that is from the 
> word list. You can use _any text as its input_, the word list and 
> checksum check is just recommended to be a warning, but again, text 
> chosen from public sources or common phrases is a bad idea for many 
> reasons.
>
> From BIP0039:
> > The conversion of the mnemonic sentence to a binary seed is 
> completely independent from generating the sentence. This results in 
> rather simple code; *there are no constraints on sentence structure* 
> and clients are free to implement their own wordlists or even whole 
> sentence generators, allowing for flexibility in wordlists for typo 
> detection or other purposes.
> > Although using a mnemonic not generated by the algorithm described 
> in "Generating the mnemonic" section is possible, this is not advised 
> and software must compute a checksum for the mnemonic sentence using a 
> wordlist and issue a warning if it is invalid.
>
> What you could do is use a regular true random BIP39 sentence in 
> conjunction with a phrase from a book as the "passphrase" giving you 
> that plausible deniability, right up to the point you put that in your 
> will or tell someone, i.e. for the "what if something happens to me" 
> case. Though I still think redirecting people to a book phrase is risky 
> for this, e.g. books have editions, there may be a change in the key 
> place.
>
> From BIP0039:
>
> > The described method also provides plausible deniability, because 
> every passphrase generates a valid seed (and thus a deterministic 
> wallet) but only the correct one will make the desired wallet available.
>
> Alan
>
> P.S. "I have seen many people completely lost with their wallets 
> because of [BIP39]": I would say "despite" not "because". These people 
> would have lost/misrecorded a BIP32 hex seed as well.
>
>
> On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev 
> <bitcoin-dev@lists.linuxfoundation.org 
> <mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>
>
>     Le 26/12/2018 à 19:54, James MacWhyte a écrit :
>>
>>     On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte
>>     <vitteaymeric@gmail.com <mailto:vitteaymeric@gmail.com>> wrote:
>>
>>         so, even with a tool like yours, they can be misled, for
>>         example trying a few words to replace the missing/incorrect
>>         one, get a valid seed and stay stuck with it forever trying
>>         to play with BIP44/49 to find their keys
>>
>>
>>     Just a small detail, but my tool actually looks up all the
>>     possible combinations and then finds which one has been used
>>     before by looking for past transactions on the blockchain.
>>     Therefore, it won't tell you your phrase is correct unless it is
>>     a phrase that has actually been used before (preventing what you
>>     described).
>
>     I saw that your tool was querying blockchain.info
>     <http://blockchain.info>, but it cannot guess what derivation path
>     was used and if it is a standard one what addresses were used, and
>     even if successful it works only for bitcoin (so maybe it should
>     just output the ~1500 possible phrases and/or xprv, and be
>     completely offline, this is still doable for people)
>
>>
>>     Using some algorithm to take some input and generate a bip39
>>     phrase that you can use with any bip39 wallet sounds perfectly
>>     reasonable.
>
>     I forgot to mention that this can help also solving the "what if
>     something happens to me" case giving to the family the seed and
>     the parameter(s) for the derivation path, or an easy way to find
>     it (better than something like: remind this passphrase, take the
>     sha256 of it, then use some other stuff to find the encryption
>     algo, take n bytes of the hash, use it to decode my wallet or my
>     seed... and then everybody looking at you like crazy)
>
>     _______________________________________________
>     bitcoin-dev mailing list
>     bitcoin-dev@lists.linuxfoundation.org
>     <mailto:bitcoin-dev@lists.linuxfoundation.org>
>     https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>


--------------490158B149B2677DD3C55218--
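The two BIP39 passages Alan quotes (the checksum is only a warning, and every passphrase yields a valid seed) and Aymeric's earlier point that guessing a missing word can produce a "valid" phrase can all be checked in a few lines. The following is an added example written for this archive page; it is not code from the thread, from BIP39's reference implementation, or from either participant. It implements the BIP39 checksum and PBKDF2 seed steps with the Python standard library only; TOY_WORDLIST is a constructed stand-in of 2048 synthetic words (the real list is not embedded here), which does not change the arithmetic because only the 11-bit word index enters the checksum. The function names are this example's own.

```python
import hashlib
import secrets
import unicodedata
from typing import List, Optional

# Constructed stand-in for the 2048-word BIP39 list so the example runs
# offline. Checksum logic only sees the 11-bit index of each word, so the
# behaviour is identical to using the real English list.
TOY_WORDLIST = [f"w{i:04d}" for i in range(2048)]


def entropy_to_mnemonic(entropy: bytes, wordlist=TOY_WORDLIST) -> List[str]:
    """BIP39 'Generating the mnemonic': append ENT/32 bits of SHA-256 as a
    checksum, split the bit string into 11-bit groups, map each to a word."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                      # 4 bits for 12 words, 8 for 24
    digest = hashlib.sha256(entropy).digest()
    bits = (int.from_bytes(entropy, "big") << cs_bits) | (digest[0] >> (8 - cs_bits))
    total = ent_bits + cs_bits
    return [wordlist[(bits >> (total - 11 * (i + 1))) & 0x7FF]
            for i in range(total // 11)]


def mnemonic_to_entropy(words: List[str], wordlist=TOY_WORDLIST) -> Optional[bytes]:
    """Checksum validation as BIP39 asks software to do it. Returns the
    entropy on success, None on a bad word count, unknown word or checksum
    mismatch. Note that a None here is only a *warning* in BIP39 terms:
    mnemonic_to_seed below never consults this function."""
    if len(words) not in (12, 15, 18, 21, 24):
        return None
    index = {w: i for i, w in enumerate(wordlist)}
    bits = 0
    for w in words:
        if w not in index:
            return None
        bits = (bits << 11) | index[w]
    total = len(words) * 11
    cs_bits = total // 33
    entropy = (bits >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if bits & ((1 << cs_bits) - 1) != expected:
        return None
    return entropy


def mnemonic_to_seed(words: List[str], passphrase: str = "") -> bytes:
    """BIP39 'From mnemonic to seed': PBKDF2-HMAC-SHA512, 2048 rounds,
    password = NFKD(sentence), salt = NFKD("mnemonic" + passphrase).
    Neither the wordlist nor the checksum is involved, which is exactly why
    any sentence with any passphrase produces a 64-byte seed (and hence a
    valid but possibly empty wallet)."""
    sentence = unicodedata.normalize("NFKD", " ".join(words))
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase)
    return hashlib.pbkdf2_hmac("sha512", sentence.encode("utf-8"),
                               salt.encode("utf-8"), 2048, dklen=64)


def count_valid_last_words(words: List[str], wordlist=TOY_WORDLIST) -> int:
    """How many replacements for the final word pass the checksum. The last
    word holds (11 - cs_bits) entropy bits plus the checksum, so exactly
    2048 >> cs_bits candidates validate: 128 for a 12-word phrase, 8 for a
    24-word one. The checksum narrows a forgotten last word down, but a
    user trying words one by one can still land on a wrong 'valid' phrase."""
    return sum(1 for w in wordlist
               if mnemonic_to_entropy(words[:-1] + [w], wordlist) is not None)


def demo() -> dict:
    """Fresh entropy from the OS CSPRNG (what the thread recommends over a
    book), round-tripped through the checksum, plus two passphrase seeds."""
    entropy = secrets.token_bytes(16)
    words = entropy_to_mnemonic(entropy)
    return {
        "roundtrip_ok": mnemonic_to_entropy(words) == entropy,
        "valid_last_words": count_valid_last_words(words),
        "seed_no_passphrase": mnemonic_to_seed(words).hex(),
        "seed_with_passphrase": mnemonic_to_seed(words, "any text").hex(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With all-zero 128-bit entropy the final word has index 3 (the real list's "about"), which is the well-known first BIP39 test vector; the toy list reproduces the same index. Swapping in the real English list for TOY_WORDLIST is the only change needed to handle actual phrases.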