From: Alan Evans <thealanevans@gmail.com>
Date: Mon, 31 Dec 2018 12:52:24 -0400
To: Aymeric Vitte <vitteaymeric@gmail.com>, Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] BIP39 seeds

> Using some algorithm to take some input and generate a bip39 phrase that
> you can use with any bip39 wallet sounds perfectly reasonable.

I think any method that doesn't use real entropy, but some fake source of
randomness, such as a book is asking to be hacked and so is not a
reasonable idea.

If an algorithm for book text to BIP39 sentence ever became well used,
common books will be systematically searched for accounts. People will also
choose their favourite passages, so I would expect to see collisions.

You should also note that BIP39 does not need input that is from the word
list. You can use *any text as its input*, the word list and checksum check
is just recommended to be a warning, but again, text chosen from public
sources or common phrases is a bad idea for many reasons.

From BIP0039:
*> The conversion of the mnemonic sentence to a binary seed is completely
independent from generating the sentence. This results in rather simple
code; there are no constraints on sentence structure and clients are free
to implement their own wordlists or even whole sentence generators,
allowing for flexibility in wordlists for typo detection or other purposes.*
*> Although using a mnemonic not generated by the algorithm described in
"Generating the mnemonic" section is possible, this is not advised and
software must compute a checksum for the mnemonic sentence using a wordlist
and issue a warning if it is invalid.*

What you could do is use a regular true random BIP39 sentence in
conjunction with a phrase from a book as the "passphrase" giving you that
plausible deniability, right up to the point you put that in your will or
tell someone, i.e. for the "what if something happens to me" case. Though I
still think redirecting people to a book phase is risky for this, e.g.
books have editions, there may be a change in the key place.

From BIP0039:
*> The described method also provides plausible deniability, because every
passphrase generates a valid seed (and thus a deterministic wallet) but
only the correct one will make the desired wallet available.*

Alan

P.S. "I have seen many people completely lost with their wallets because of
[BIP39]": I would say "despite" not "because". These people would have
lost/misrecorded a BIP32 hex seed as well.


On Thu, 27 Dec 2018 at 11:02, Aymeric Vitte via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:

>
> On 26/12/2018 at 19:54, James MacWhyte wrote:
>
>
> On Wed, Dec 26, 2018 at 11:33 AM Aymeric Vitte <vitteaymeric@gmail.com>
> wrote:
>
>> so, even with a tool like yours, they can be misled, for example
>> trying a few words to replace the missing/incorrect one, get a valid seed
>> and stay stuck with it forever trying to play with BIP44/49 to find their
>> keys
>>
>
> Just a small detail, but my tool actually looks up all the possible
> combinations and then finds which one has been used before by looking for
> past transactions on the blockchain. Therefore, it won't tell you your
> phrase is correct unless it is a phrase that has actually been used before
> (preventing what you described).
>
> I saw that your tool was querying blockchain.info, but it cannot guess
> what derivation path was used and if it is a standard one what addresses
> were used, and even if successful it works only for bitcoin (so maybe it
> should just output the ~1500 possible phrases and/or xprv, and be
> completely offline, this is still doable for people)
>
>
> Using some algorithm to take some input and generate a bip39 phrase that
> you can use with any bip39 wallet sounds perfectly reasonable.
>
> I forgot to mention that this can help also solving the "what if something
> happens to me" case giving to the family the seed and the parameter(s) for
> the derivation path, or an easy way to find it (better than something like:
> remind this passphrase, take the sha256 of it, then use some other stuff to
> find the encryption algo, take n bytes of the hash, use it to decode my
> wallet or my seed... and then everybody looking at you like crazy)
> _______________________________________________
> bitcoin-dev mailing list
> bitcoin-dev@lists.linuxfoundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>
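The two BIP39 properties Alan quotes above, that mnemonic-to-seed conversion is independent of how the sentence was produced (any text is accepted) and that the wordlist checksum is a separate warning-only check, as an added example that is not part of the original mail. The checksum is verified on word indices rather than words so no wordlist has to be embedded; the index list `[0]*11 + [3]` is the constructed all-zero-entropy sentence ("abandon" eleven times, then "about"), assuming "about" is index 3 of the English list.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase, 2048 rounds, 64 bytes).

    Nothing here consults a wordlist: any text yields a valid 64-byte seed, and
    every passphrase yields a different valid seed (the plausible-deniability
    property quoted from the BIP).
    """
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, dklen=64)


def checksum_ok(indices):
    """Checksum check on 11-bit word indices (0..2047).

    The concatenated bits are ENT entropy bits followed by ENT/32 checksum bits,
    which must equal the leading bits of SHA256(entropy). Returns
    (valid, entropy_bytes) so a caller can warn, as the BIP requires, rather
    than refuse: the seed derivation above works either way.
    """
    bits = "".join(format(i, "011b") for i in indices)
    ent_len = len(bits) * 32 // 33          # 128 for 12 words, 256 for 24
    cs_len = len(bits) - ent_len            # 4 for 12 words, 8 for 24
    entropy = int(bits[:ent_len], 2).to_bytes(ent_len // 8, "big")
    digest_bits = "".join(format(b, "08b") for b in hashlib.sha256(entropy).digest())
    return bits[ent_len:] == digest_bits[:cs_len], entropy


def seeds_differ(mnemonic: str, passphrase_a: str, passphrase_b: str) -> bool:
    """Two passphrases over one sentence open two different (equally valid) wallets."""
    return bip39_seed(mnemonic, passphrase_a) != bip39_seed(mnemonic, passphrase_b)


if __name__ == "__main__":
    zero_entropy_sentence = " ".join(["abandon"] * 11 + ["about"])  # constructed
    print(bip39_seed(zero_entropy_sentence, "TREZOR").hex())
    print(checksum_ok([0] * 11 + [3]))   # (True, 16 zero bytes)
    print(checksum_ok([0] * 11 + [4]))   # last word changed: checksum fails
    print(bip39_seed("any text at all, not from the wordlist").hex())
```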
