From: "BitPLATES (Chris)"
Date: Tue, 11 May 2021 09:48:44 +0100
To: "Chris D'Costa"
Cc: Bitcoin Protocol Discussion
Subject: Re: [bitcoin-dev] Proposal for an Informational BIP

Hi Chris,

Thank you for your thoughts.

Unfortunately, your analysis is incorrect.

This is a non-destructive adaptation of the BIP39 standard, and is
certainly not "rolling your own security".

The 'quantum' passphrase is relying on the well established security of
the existing BIP39 standard.

There are 2048 possible words that can be chosen from the BIP39 word
list. Therefore, to derive a seed from a string of 24 BIP39 words, is
exactly the same as deriving a seed from the full 24 words:

2048 to the power of 23 combinations of security (not the power of 24
because of the checksum), or 10 to the power of 76 combinations.

If you created your own combinations of words to make up a passphrase,
this same degree of security would require 15 random words from the
English dictionary (assuming 100,000 English words):

100,000 to the power of 15 = 10 to the power of 75 combinations.

The other problem with this, is that you could not plausibly deny that
it was a passphrase, whereas, using a 'quantum' passphrase allows you to
back up your passphrase disguised as a 24 seed mnemonic.

I hope this alleviates your concerns.

All the best,

Chris

On Tue, 11 May 2021, 09:12 Chris D'Costa wrote:

> I think the biggest problem you have with this proposal is "rolling your
> own security".
>
> Are you aware that the dictionary is designed such that the first four
> letters are unique to each word? Taking those four letters and
> concatenating them to a string basically means that I can derive your
> seed from your supposedly secure "quantum" passphrase. It does not add
> to the security - if anything it makes it worse. It would be orders of
> magnitude worse than using a random password and encryption as most
> wallets have been using for years.
>
> C
>
> On Sat, 8 May 2021 at 17:21, BitPLATES® (Chris) via bitcoin-dev <
> bitcoin-dev@lists.linuxfoundation.org> wrote:
>
>> Hi,
>>
>> I'd like to submit an idea for review, as a potential informational BIP
>> (Bitcoin Improvement Proposal), describing an optional method of
>> producing a BIP39 passphrase, using only BIP39 'mnemonic' seed words.
>>
>> The idea specifically refers to a method of introducing two-factor
>> authentication, to protect a Bitcoin wallet using only 24 seed words,
>> and therefore, providing plausible deniability about the existence of
>> this separate 2nd layer passphrase.
>>
>> I've suggested the name 'quantum' passphrase to be used casually as a
>> unique identifier.
>>
>> The data stored within a 'quantum' passphrase, is simultaneously the
>> minimum required data for reproducing a BIP39-compatible 24-word seed
>> mnemonic... hence, the name 'quantum' seems fitting, to reflect the
>> multiple simultaneous states of data.
>>
>> Abstract...
>>
>> This improvement proposal describes the use of twenty four, newly
>> generated BIP39 seed words, to produce a '25th-word' BIP39-compatible
>> 'quantum' passphrase.
>>
>> Two-factor authentication (2FA) or (2 of 2 multi-signature) can be
>> implemented with a two-wallet setup:
>>
>> The 1st Bitcoin wallet is protected by the seed words of the 2nd Bitcoin
>> wallet; inversely, the 2nd Bitcoin wallet is protected by the seed words
>> of the 1st Bitcoin wallet.
>>
>> The 'quantum' passphrase offers an exponential increase in the level of
>> protection, as that offered by the original BIP39 mnemonic seed words
>> (≈2048^23 possible combinations).
>>
>> i.e. A Bitcoin wallet with a 2nd layer 'quantum' passphrase is protected
>> by 2048^23 to the power of 2048^23 possible combinations.
>>
>> With existing computer capabilities, this level of protection is far
>> greater than required; however, this does provide a sufficient level of
>> protection for each separate layer of a two-factor Bitcoin wallet,
>> should any one layer be accidentally exposed.
>>
>> This method of passphrase generation, consists of two parts:
>>
>> 1st - generating the BIP39 mnemonic seed words, using a BIP39-compatible
>> hardware wallet.
>>
>> 2nd - Converting these seed words into the 'quantum' passphrase,
>> following four simple rules, which most importantly, do not destroy the
>> integrity of the initial data.
>>
>> Motivation...
>>
>> The well established practice of preserving up to 24 seed words for the
>> purpose of reproduction of a Bitcoin wallet, suffers from a major
>> flaw... Exposure of these mnemonic seed words can cause catastrophic
>> loss of funds without adequate multi-factor protection.
>>
>> Whilst it is recognised that a number of multi-factor solutions are
>> available (including the standard BIP39 passphrase, and hardware wallet
>> multi-signature functionality), this proposal aims to provide an
>> extremely safe and secure 'low-tech' option, that requires minimal
>> (non-destructive) adjustments to the seed words.
>>
>> Furthermore, the 'quantum' passphrase offers a number of advantages over
>> the existing methods of multi-factor protection:
>>
>> Firstly, this method of creating a passphrase leaves no evidence of its
>> existence on any backup devices, providing plausible deniability in case
>> of coercion.
>>
>> This is because the passphrase is easily created from a genuine 24 seed
>> word mnemonic; therefore, the physical backup of the passphrase can be
>> disguised as a simple Bitcoin wallet on a metal backup plate.
>>
>> It presents a way of discouraging user-created words or sentences (also
>> known as 'brain-wallets'), which often provide a drastically reduced
>> level of passphrase security, unbeknown to many users.
>>
>> The large amount of data required to produce a 'quantum' passphrase (up
>> to 96 characters long), encourages the physical backup of the
>> passphrase.
>>
>> Furthermore, the use of BIP39-only words provides a higher degree of
>> standardization, which can help to avoid potential mistakes made by
>> creating unnecessarily complicated combinations of letters, numbers and
>> symbols. Increased complication (disorderly, and non-human-friendly),
>> does not always equal increased complexity (orderly, and more
>> human-friendly), or increased security.
>>
>> As previously mentioned, a two-wallet configuration provides the user an
>> opportunity to safely split the two factors of protection (equivalent to
>> a 2 of 2 'multi-sig' setup).
>>
>> If a BIP39-compatible passphrase is created using a new set of 24 seed
>> words, it provides 76 degrees of extra complexity (i.e. 1 with 76 zeros,
>> or 10⁷⁶ possible combinations of words).
>>
>> The strength of this 2nd factor solution, provides adequate
>> risk-management, when considering the production of multiple backup
>> devices, strategically stored in multiple geographical locations.
>>
>> Generating the 'quantum' passphrase...
>>
>> Following just four (non-destructive) BIP39-compatible rules, the 24
>> seed words can also function as a 'quantum' passphrase:
>>
>> 1. Only BIP39 words
>> (Standard list of 2048 English words - other languages should be
>> compatible)
>>
>> 2. Only the first four letters of each word
>> (BIP39 words require only this data for reproduction)
>>
>> 3. Only upper case letters
>> (All alphabet references use this standard format)
>>
>> 4. No spaces between words
>> (Spaces represent an additional unit of data, that is not recorded)
>>
>> In essence, the 'quantum' passphrase is simply a single string of all 24
>> seed words, set out using the above rules.
>>
>> I welcome a productive technical discussion.
>>
>> Thanks,
>>
>> Chris Johnston
>>
>>
>> _______________________________________________
>> bitcoin-dev mailing list
>> bitcoin-dev@lists.linuxfoundation.org
>> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
>>
>
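The four rules from the proposal and the first-four-letters property raised in the reply, as an added Python example that is not part of the original thread: `encode` builds the string and `decode` recovers the words from it. The word list is a constructed 15-word subset of the BIP39 English list, the function names are hypothetical, and the mnemonic checksum is not checked.

```python
# Added example: the four 'quantum' passphrase rules and their inverse.
# SAMPLE_WORDS is a constructed subset of the BIP39 English list; a real
# tool would load all 2048 words. The mnemonic checksum is not checked.
SAMPLE_WORDS = [
    "abandon", "ability", "able", "about", "act", "action", "actor",
    "add", "address", "iron", "legal", "thank", "winner", "year", "zoo",
]


def build_prefix_index(words):
    """Map each upper-cased first-four-letters prefix to its word."""
    index = {}
    for word in words:
        key = word[:4].upper()
        if key in index:
            raise ValueError(f"prefix collision on {key}")
        index[key] = word
    return index


def encode(mnemonic, index):
    """Rules 1-4: listed words only, first four letters, upper case, no spaces."""
    keys = []
    for word in mnemonic:
        key = word[:4].upper()
        if index.get(key) != word:
            raise ValueError(f"not in word list: {word}")
        keys.append(key)
    return "".join(keys)


def decode(passphrase, index, count):
    """Return every split of the string into exactly `count` listed words.

    Rule 4 drops the separators, so a three-letter word such as ACT can be
    confused with ACTI(on); backtracking over both chunk sizes resolves it.
    """
    found = []

    def walk(pos, words):
        if len(words) == count:
            if pos == len(passphrase):
                found.append(words)
            return
        for size in (3, 4):
            chunk = passphrase[pos:pos + size]
            if len(chunk) == size and chunk in index:
                walk(pos + size, words + [index[chunk]])

    walk(0, [])
    return found


if __name__ == "__main__":
    idx = build_prefix_index(SAMPLE_WORDS)
    secret = encode(["act", "iron", "zoo", "action"], idx)
    print(secret, decode(secret, idx, 4))
```

Because `decode` inverts `encode`, a stored copy of the string carries the same information as the 24 words it was built from.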