From: Aymeric Vitte <vitteaymeric@gmail.com>
To: Alan Evans <thealanevans@gmail.com>,
Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Date: Tue, 1 Jan 2019 20:44:57 +0100
Subject: Re: [bitcoin-dev] BIP39 seeds
Message-ID: <3ea2e92d-5be6-3331-5d6f-9c29d87e0546@gmail.com>
In-Reply-To: <CALPhJawf98+uqZXQRGH3Tjo1CnZJfE+CMw9J2ZqiHHmwDSdugQ@mail.gmail.com>
You are simplifying too much what I am suggesting.

What I am suggesting is: set a derivation method for BIP39 like for
BIP32 (having the seed for BIP32 and not the derivation path is just
like having nothing) and use this derivation method from a "book" (a
"book" being a book, a document, a link, an image, whatever your secret
can be), based on the fact that you will easily find from this
derivation method "valid" BIP39 seeds (even if BIP39 does not enforce
anything regarding valid phrases, everything can be valid as you
mention, and this does not help in fact).

The derivation method will just define the way you select the words in
the secret, and if everybody chooses the bible as the secret then this
will not change the fact that it will be impossible to find the real
seed without knowing the derivation path.

Then you don't need to write the seed, you can easily plausibly deny it,
you can easily pass it to the family (using a passphrase does not tell
them where they are supposed to use it).

"people lost" --> people think that there is some magic with BIP39 that
will save them whatever they do (i.e. they don't even care about managing
correctly the many easy-to-generate BIP39 seeds they are using) where
they will always recover their seed and keys from BIP39/44/49; of course
this does not work at all.
On 31/12/2018 at 17:52, Alan Evans wrote:
> > Using some algorithm to take some input and generate a bip39 phrase
> that you can use with any bip39 wallet sounds perfectly reasonable.
>
> I think any method that doesn't use real entropy, but some fake source
> of randomness, such as a book is asking to be hacked and so is not a
> reasonable idea.
>
> If an algorithm for book text to BIP39 sentence ever became well used,
> common books will be systematically searched for accounts. People will
> also choose their favourite passages, so I would expect to see collisions.
>
> You should also note that BIP39 does not need input that is from the
> word list. You can use _any text as its input_, the word list and
> checksum check is just recommended to be a warning, but again, text
> chosen from public sources or common phrases is a bad idea for many
> reasons.
>
> From BIP0039:
> > The conversion of the mnemonic sentence to a binary seed is
> completely independent from generating the sentence. This results in
> rather simple code; *there are no constraints on sentence structure*
> and clients are free to implement their own wordlists or even whole
> sentence generators, allowing for flexibility in wordlists for typo
> detection or other purposes.
> > Although using a mnemonic not generated by the algorithm described
> in "Generating the mnemonic" section is possible, this is not advised
> and software must compute a checksum for the mnemonic sentence using a
> wordlist and issue a warning if it is invalid.
>
> What you could do is use a regular true random BIP39 sentence in
> conjunction with a phrase from a book as the "passphrase" giving you
> that plausible deniability, right up to the point you put that in your
> will or tell someone, i.e. for the "what if something happens to me"
> case. Though I still think redirecting people to a book phrase is risky
> for this, e.g. books have editions, there may be a change in the key
> place.
>
> From BIP0039:
> > The described method also provides plausible deniability, because
> every passphrase generates a valid seed (and thus a deterministic
> wallet) but only the correct one will make the desired wallet available.
>
> Alan
>
> P.S. "I have seen many people completely lost with their wallets
> because of [BIP39]": I would say "despite" not "because". These people
> would have lost/mis-recorded a BIP32 hex seed as well.
>
>
> On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev
> <bitcoin-dev@lists.linuxfoundation.org
> <mailto:bitcoin-dev@lists.linuxfoundation.org>> wrote:
>
>
> On 26/12/2018 at 19:54, James MacWhyte wrote:
>>
>> On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte
>> <vitteaymeric@gmail.com <mailto:vitteaymeric@gmail.com>> wrote:
>>
>> so, even with a tool like yours, they can be misled, for
>> example trying a few words to replace the missing/incorrect
>> one, get a valid seed and stay stuck with it forever trying
>> to play with BIP44/49 to find their keys
>>
>>
>> Just a small detail, but my tool actually looks up all the
>> possible combinations and then finds which one has been used
>> before by looking for past transactions on the blockchain.
>> Therefore, it won't tell you your phrase is correct unless it is
>> a phrase that has actually been used before (preventing what you
>> described).
>
> I saw that your tool was querying blockchain.info
> <http://blockchain.info>, but it cannot guess what derivation path
> was used and if it is a standard one what addresses were used, and
> even if successful it works only for bitcoin (so maybe it should
> just output the ~1500 possible phrases and/or xprv, and be
> completely offline, this is still doable for people)
>
>>
>> Using some algorithm to take some input and generate a bip39
>> phrase that you can use with any bip39 wallet sounds perfectly
>> reasonable.
>
> I forgot to mention that this can also help solve the "what if
> something happens to me" case, giving the family the seed and
> the parameter(s) for the derivation path, or an easy way to find
> it (better than something like: remember this passphrase, take the
> sha256 of it, then use some other stuff to find the encryption
> algo, take n bytes of the hash, use it to decode my wallet or my
> seed... and then everybody looking at you like crazy)
>
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> <mailto:bitcoin-dev@lists.linuxfoundation.org>
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
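Added example (editor's code, not part of this thread and not from any wallet or library mentioned in it) showing the two BIP39 properties the quoted passages rely on: the checksum that software "must" compute before warning the user, and the mnemonic-to-seed step, which consults no wordlist and therefore yields a well-formed 64-byte seed for any sentence and any passphrase (the "plausible deniability" property). The 2048-word English list is not embedded, so the script assumes a constructed stand-in list `w0000`..`w2047` of the same size; index arithmetic is unchanged, and `w0003` stands where `about` sits in the real list. The seed function is exercised against the published BIP39 reference vector (all-zero entropy, passphrase "TREZOR"), which uses real words.

```python
import hashlib
import unicodedata

# Constructed stand-in for the 2048-word BIP39 English list (assumption: same size,
# so every 11-bit index computation is identical; only the spelling of the words differs).
WORDLIST = [f"w{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(WORDLIST)}


def entropy_to_mnemonic(entropy: bytes, wordlist=WORDLIST) -> str:
    """BIP39 'Generating the mnemonic': ENT bits followed by the first ENT/32 bits of
    SHA256(ENT), split into 11-bit groups that index the wordlist."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32
    digest = hashlib.sha256(entropy).digest()
    bits = format(int.from_bytes(entropy, "big"), f"0{ent_bits}b")
    bits += format(int.from_bytes(digest, "big"), "0256b")[:cs_bits]
    return " ".join(wordlist[int(bits[i:i + 11], 2)] for i in range(0, len(bits), 11))


def checksum_is_valid(mnemonic: str, word_index=WORD_INDEX) -> bool:
    """The check BIP39 says software must perform (and warn on failure).
    A passing checksum only means the sentence is well-formed, not that it is
    the sentence that funds a given wallet; roughly 1 in 2**(words/3) random
    word choices pass it."""
    words = mnemonic.split()
    if len(words) not in (12, 15, 18, 21, 24):
        return False
    if any(w not in word_index for w in words):
        return False  # a word outside the list: the BIP says to warn here too
    bits = "".join(format(word_index[w], "011b") for w in words)
    cs_bits = len(words) // 3
    ent_bits = len(bits) - cs_bits
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    expected = format(int.from_bytes(hashlib.sha256(entropy).digest(), "big"), "0256b")[:cs_bits]
    return bits[ent_bits:] == expected


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 'From mnemonic to seed': PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output,
    salt = "mnemonic" + passphrase, both NFKD-normalised. No wordlist is consulted,
    so any text and any passphrase produce a seed; only the right pair opens the wallet."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, 64)


# Published BIP39 reference vector (entropy = 16 zero bytes, passphrase "TREZOR").
# These are real English wordlist words, so they are deliberately NOT in the stand-in list.
REFERENCE_MNEMONIC = "abandon " * 11 + "about"
REFERENCE_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def reference_vector_matches() -> bool:
    """True when the seed step reproduces the published vector."""
    return mnemonic_to_seed(REFERENCE_MNEMONIC, "TREZOR").hex() == REFERENCE_SEED_HEX


if __name__ == "__main__":
    zero = entropy_to_mnemonic(bytes(16))
    print("zero-entropy mnemonic (stand-in words):", zero)
    print("checksum valid:", checksum_is_valid(zero))
    print("last word swapped, checksum valid:",
          checksum_is_valid(" ".join(zero.split()[:-1] + ["w0002"])))
    print("reference vector reproduced:", reference_vector_matches())
    print("two passphrases, two seeds:",
          mnemonic_to_seed(REFERENCE_MNEMONIC, "a") != mnemonic_to_seed(REFERENCE_MNEMONIC, "b"))
```

The split between the two functions is the point of the BIP text quoted above: `checksum_is_valid` is the only place a wordlist matters, and it is a warning aid, not a proof that the sentence is the one that funds a wallet; `mnemonic_to_seed` accepts any text, which is exactly why a wrong passphrase silently yields a different, equally valid, empty wallet rather than an error.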